Scanning and Exploiting Vulnerabilities with Nessus

What is Nessus?

Nessus is a vulnerability scanner that can scan and assess the complete attack surface of a target. With Nessus, you can scan a network for potential vulnerabilities, and even automatically exploit these discovered vulnerabilities. It supports different types of scans like Host Scan, Basic Network Scan, Malware Scan, Active Directory Scan, etc. It is a great tool for enumerating a target network and discovering potential ways to gain access.

Setting up Nessus

Nessus can be installed on Windows, Linux, Mac, Docker, and even on a Raspberry Pi. I prefer using it on Windows.

Step 1: Download Nessus Essentials

  • Open a web browser and navigate to the Tenable website.
  • Click on the “Download Nessus Essentials” button to initiate the download process.

  • You will be prompted to create a Tenable account or log in if you already have one. Follow the instructions to complete the registration/login process.
  • Once logged in, you will be able to download the Nessus Essentials installer for Windows.

Step 2: Run the Installer

  • Locate the downloaded Nessus Essentials installer file on your Windows system (usually in the “Downloads” folder).
  • Double-click on the installer file to launch the installation wizard.
  • If prompted by User Account Control (UAC), click “Yes” to allow the installer to make changes to your system.
  • The installation wizard will guide you through the installation process. Click “Next” to proceed.

Step 3: Accept the License Agreement

  • Read the Nessus Essentials License Agreement carefully.
  • If you agree to the terms of the license agreement, select the checkbox indicating your acceptance.
  • Click “Next” to continue with the installation.

Step 4: Choose Installation Directory

  • By default, Nessus Essentials will be installed in the C:\Program Files\Tenable\Nessus directory.

  • If you wish to change the installation directory, click on the “Change” button and select a different location.
  • Click “Next” to proceed.

Step 5: Start the Installation

  • Review the installation summary to ensure that all settings are correct.
  • Click on the “Install” button to begin the installation process.

  • The installer will extract and install the necessary files to your system. This may take a few moments to complete.

Step 6: Complete the Installation

  • Once the installation is complete, click on the “Finish” button to exit the installer.
  • Nessus Essentials is now installed on your Windows system.

Step 7: Access Nessus Web Interface

  • Open a web browser on your Windows system.
  • In the address bar, type https://localhost:8834 and press Enter.
  • You will be redirected to the Nessus login page.

On the first launch of Nessus, you need to register for Nessus Essentials to be able to use it for free.

You will then need to submit your name and email to receive an activation code.

Once the registration process is complete, Nessus will download all the plugins and compile them. This is going to take a lot of time - it took me 2 hours! So be patient.

Once the plugins are downloaded and compiled, you will be able to start scanning.

Scan and Exploit

We will perform our first scan on a machine called “Sumo” from Proving Grounds Play, which is a free platform offered by OffSec to practice hacking. Once you sign up on Proving Grounds Play, you can download your universal VPN pack to connect to the PG Play network and scan the target.

To connect using OpenVPN, use the following command:

    sudo openvpn universal.ovpn

Now, create a new “Basic Network Scan” on Nessus, setting the target to the IP address of the “Sumo” machine on PG Play.

Once the scan is complete, you can see that Nessus was able to find multiple vulnerabilities of different severities.

We’ll focus on the “GNU Bash Environment Variable Handling Code Injection (Shellshock)” vulnerability that Nessus identified.

Upon opening the report, you can see that Nessus was actually able to exploit this vulnerability. The report also clearly states the exact malicious request that Nessus sent in order to exploit the vulnerability.

Let’s try to replicate this request to see if the exploit actually works. So I asked ChatGPT to give me a curl one-liner based on the HTTP request.

Upon running this curl command, I got a response from the target that proves the exploit worked. The response contains the output of the command injected in the request.

Using this exploit, one can run arbitrary commands on the target and even obtain a reverse shell on it.
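The malicious request that Nessus prints in its report is also exactly what a defender should be hunting for in web server logs. The following is an added example, not code from the original post or from Nessus: a small Python detector that flags Shellshock-style header values (the bash function-definition prefix `() {`) in access-log lines, including URL-encoded variants. The log layout (combined log format with User-Agent and Cookie appended as quoted fields) and the sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Shellshock payloads open a header value with a bash function definition,
# "() {" (whitespace may vary); this prefix is the signature worth alerting on.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Assumed log layout: combined log format plus two extra quoted fields
# (User-Agent, Cookie). Quoted fields are parsed in this order.
LOG_LINE_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<quoted>.*)$")
FIELD_NAMES = ["request", "referer", "user_agent", "cookie"]

# Constructed sample lines: a plain-text attempt in User-Agent, a URL-encoded
# attempt in Cookie, and two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 73 "-" "() { :; }; /bin/uname -a" "-"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 73 "-" "Mozilla/5.0" "%28%29%20%7B%20%3A%3B%20%7D%3B%20id"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0" "session=abc123"
"""

def is_shellshock_payload(value):
    """True if value, after URL-decoding, contains a bash function-definition prefix."""
    decoded = value
    for _ in range(3):  # a single decode pass misses double-encoded payloads
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return SHELLSHOCK_RE.search(decoded) is not None

def find_shellshock_attempts(log_text):
    """Return (client_ip, field_name, raw_value) for every suspicious quoted field."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        fields = re.findall(r'"([^"]*)"', m.group("quoted"))
        for name, value in zip(FIELD_NAMES, fields):
            if is_shellshock_payload(value):
                hits.append((m.group("ip"), name, value))
    return hits

if __name__ == "__main__":
    for ip, field, value in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{ip}: Shellshock attempt in {field}: {value!r}")
```

Running it against the sample flags both requests from 10.0.0.9 and leaves the benign lines alone; the same check applies to any header a CGI handler copies into the environment.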

So just like that, with Nessus, we were able to scan a target, find potential vulnerabilities, and even get a detailed report on how to exploit one of these vulnerabilities.

This post is licensed under CC BY 4.0 by the author.