Nessus Vulnerability Scanner Setup Guide

Summary: This guide reviews vulnerability management and why it matters to an organization. It then shows how to use the vulnerability scanner Nessus, which finds vulnerabilities, rates their severity, and reports how to remediate them. We will do this with a host machine running Nessus and a target machine running Windows 10.

Vulnerability management: Briefly, vulnerability management is the ongoing life cycle of detecting vulnerabilities, assessing the affected assets and the risk they carry, and remediating them until the remaining risk is within the organization's tolerance. Done continuously, it lets the organization fix weaknesses before a threat actor exploits them, which could otherwise cause serious financial, operational and reputational damage. Vulnerability management is usually described as six phases.

The six phases are described here: https://www.microsoft.com/en-ca/security/business/security-101/what-is-vulnerability-management

Nessus: A vulnerability scanner from Tenable that scans hosts for security vulnerabilities, rates the risk of each finding, and shows how to remediate it. It is commercial software, not open source; the free Nessus Essentials edition used in this guide is licensed for a limited number of IP addresses, which is enough for a lab.

Installing Nessus:

Go to the link below and fill out the registration form. Tenable emails you an activation code; download the installer for your operating system from the Tenable site and keep the code for the first-run setup.

https://www.tenable.com/products/nessus/nessus-essentials

After installation, the Nessus web interface opens in your browser at https://localhost:8834 (accept the warning about its self-signed certificate). Complete the setup with your activation code, wait for the plugins to finish compiling, and log in. Your screen should look something like this:

Preparation:

We will be scanning a separate host that is not joined to a domain. I will be using a Windows 10 virtual machine on the same network as the Nessus host.

On the target machine, open Windows Defender Firewall with Advanced Security → Windows Defender Firewall Properties → on the Domain Profile, Private Profile and Public Profile tabs, set Firewall state to Off.

Note: This lets Nessus reach every port on my machine, but it is a significant security risk and should only be done in an isolated lab for testing. The better option, even in a lab, is to leave the firewall on and add an inbound rule that allows traffic from the scanner's source IP only.

From the Nessus host, open a command prompt and ping the target's IP address to confirm that it is reachable before scanning.
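The scoped firewall rule suggested in the note above, as an added example that is not part of the original guide. It is run from an elevated PowerShell prompt on the Windows 10 target; the scanner and target addresses are assumptions for this example, so replace them with your own.

```powershell
# Added example (not from the original guide): keep the Windows firewall on
# and allow only the Nessus scanner through it, instead of turning all three
# profiles off. Run in an elevated PowerShell prompt on the target.
$ScannerIP = '192.168.56.10'   # assumed address of the Nessus host
$TargetIP  = '192.168.56.20'   # assumed address of this Windows 10 target

# Make sure the profiles are (still) enabled; this undoes the "all off" step.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# One inbound rule scoped to the scanner's address. No -Protocol or -LocalPort
# filter is given on purpose: a Nessus port scan probes every TCP/UDP port and
# uses ICMP echo for host discovery, so a host-scoped allow is the simplest
# rule that still keeps every other host on the network blocked.
New-NetFirewallRule -DisplayName 'Allow Nessus scanner (lab)' `
    -Direction Inbound -Action Allow -Profile Any `
    -RemoteAddress $ScannerIP -Enabled True | Out-Null

# Check that the rule really is limited to the scanner address.
Get-NetFirewallRule -DisplayName 'Allow Nessus scanner (lab)' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Reachability check to run on the Nessus host (PowerShell), not on the target:
#   Test-NetConnection $TargetIP            # ICMP ping
#   Test-NetConnection $TargetIP -Port 445  # SMB, which later findings depend on

# When the lab is finished, remove the rule rather than leave it behind:
#   Remove-NetFirewallRule -DisplayName 'Allow Nessus scanner (lab)'
```

If the scanner address changes (for example when the Nessus VM gets a new DHCP lease), the rule silently stops matching and the scan reports the host as down, so check `Get-NetFirewallAddressFilter` first when a previously working scan suddenly finds nothing.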

Non-credentialed scan:

A non-credentialed scan probes the target from the outside, without logging on to it. It shows what an attacker on the network would see (open ports, running services, their banners and the weaknesses detectable from them) but cannot see installed software, patch levels or local configuration in any detail.

1. To scan your device, go to Nessus → New Scan → Basic Network Scan. Enter a name for the scan, an optional description, and the IP address of the target.

You can customize the scan in its settings, for example by scheduling it or by scanning all 65535 ports instead of the common ones: go to Discovery → Scan Type → Port scan (all ports). Scanning all ports is much slower but is the only way to find services listening on non-standard ports.

2. Click Save, then the launch icon. While you wait for the scan to complete, you can click on it to see its progress.
Each finding is colour-coded by severity: Critical, High, Medium, Low and Info.

3. Click on the scan to see the list of vulnerabilities it has detected. Findings rated Info are generally not vulnerabilities; they state a fact about the host (an open port, an OS guess, a service banner) that is useful context for the other findings.

You can click on any of them to learn more about each one.

For example, here you can see that SMB signing is not required. SMB signing protects the integrity of traffic between the SMB client and server; when it is not required, an attacker positioned on the network can tamper with SMB sessions or relay a victim's authentication to this host. The finding also gives a solution: configure the server to require signing.
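Checking and fixing the SMB signing finding from the target side, as an added example that is not part of the original guide. It uses the built-in SmbShare cmdlets and is run from an elevated PowerShell prompt on the Windows 10 target; the function name is my own.

```powershell
# Added example (not from the original guide): confirm the state Nessus
# reported for SMB signing, enforce it, and confirm the change. Run in an
# elevated PowerShell prompt on the target.

# Get-SmbSigningState is a helper written for this example.
# RequireSecuritySignature on the SMB server:
#   $false = signing is negotiated but not required (the Nessus finding)
#   $true  = signing is required
function Get-SmbSigningState {
    $cfg = Get-SmbServerConfiguration
    if ($cfg.RequireSecuritySignature) { 'required' } else { 'not required' }
}

Write-Host "Before: SMB signing is $(Get-SmbSigningState)"

# Remediation. This is the same setting the Group Policy
# "Microsoft network server: Digitally sign communications (always)" = Enabled
# writes to HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
# (RequireSecuritySignature = 1); use the GPO instead on domain-joined hosts so
# the value is not overwritten at the next policy refresh.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

Write-Host "After:  SMB signing is $(Get-SmbSigningState)"

# Show the registry value as well, since that is what most hardening
# checklists and Nessus remediation text refer to.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' |
    Select-Object RequireSecuritySignature
```

After the change, re-run the non-credentialed scan; the finding should no longer appear. The trade-off to keep in mind is that any client that cannot sign SMB traffic will now fail to connect to this host, so on production file servers check for such clients before enforcing it.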

Credentialed scan:

A credentialed scan logs on to the target and inspects it from the inside: installed software and its versions, missing patches, registry and local configuration. It gives a far more complete and accurate picture than the outside view, but it requires valid credentials with local administrator rights on the target.

We will now configure the single, non-domain target to accept authenticated scans.

These instructions are also on the official Tenable site: https://community.tenable.com/s/article/Scanning-with-non-default-Windows-Administrator-Account?language=en_US

1. Go to Services → set Remote Registry to start and enable it. This lets the scanner connect to and read the registry.
2. Go to Network and Sharing Center → Advanced sharing settings → turn on network discovery and file and printer sharing. The scanner needs the administrative shares over SMB.
3. Go to User Account Control settings → move the slider down to Never notify. Lowering UAC is not acceptable on production systems in a corporate environment; it is done here only to get the most complete results in a lab.
4. Open the Registry Editor → locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

5. Create a DWORD value named LocalAccountTokenFilterPolicy and set it to 1. Without it, a local (non-domain) administrator account that authenticates over the network receives a filtered, non-administrative token and the scan silently falls back to a partial result.

6. Return to Nessus and create a new scan or configure the previous one.

7. Set up the name, description, and target as previously done.

8. Go to Credentials → Windows → enter the username and password of the target's administrator account. Other options for the credentialed scan can be configured here, but I will leave them at their defaults. Use a dedicated account for scanning rather than a personal administrator account, since the credentials are stored in the scanner.

9. Save the scan and then launch it.
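The host-side preparation in steps 1 to 5, done from an elevated PowerShell prompt on the Windows 10 target, as an added example that is not part of the original guide or of Tenable's article. It deliberately leaves out the UAC change from step 3, because LocalAccountTokenFilterPolicy in step 5 is the setting that lets a local administrator authenticate over the network with a full token. The target address and account name in the final check are assumptions.

```powershell
# Added example (not from the original guide): steps 1 to 5 of the
# credentialed-scan preparation, plus a verification of each setting.
# Run in an elevated PowerShell prompt on the target.

# Step 1: Remote Registry service, started now and on every boot.
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

# Step 2: network discovery and file and printer sharing. Enabling these
# firewall rule groups is what the Advanced sharing settings page does; the
# scanner reaches the ADMIN$ and C$ shares over SMB (TCP 445).
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
Enable-NetFirewallRule -DisplayGroup 'Network Discovery'

# Steps 4 and 5: let local administrator accounts keep a full administrative
# token when they authenticate remotely.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Verification: everything the scanner relies on, in one view.
[pscustomobject]@{
    RemoteRegistry = (Get-Service -Name RemoteRegistry).Status
    SharingRules   = (Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
                      Where-Object { $_.Enabled -eq 'True' }).Count
    AdminShares    = (Get-SmbShare -Name 'ADMIN$','C$' -ErrorAction SilentlyContinue).Count
    TokenFilter    = (Get-ItemProperty -Path $PolicyKey).LocalAccountTokenFilterPolicy
} | Format-List

# From the Nessus host, confirm the scan account can open the admin share
# before launching the scan (assumed target IP and account name):
#   net use \\192.168.56.20\ADMIN$ /user:192.168.56.20\scanadmin
#   net use \\192.168.56.20\ADMIN$ /delete
```

Expected values are Running, a non-zero rule count, 2 shares and TokenFilter 1. If the `net use` check fails with access denied while the password is correct, TokenFilter is the first thing to re-check; it is the usual cause of a credentialed scan that reports "credentials provided but not used".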

Compared to the non-credentialed scan, the results give a more comprehensive and accurate picture: Nessus can now read the patch level and installed software instead of inferring them from the network.

You can also test Nessus further by installing an older, unpatched version of some software on the target machine and scanning it again.

Here, I installed an older version of Mozilla Firefox and reran the credentialed scan. You can see there are many more critical vulnerabilities.

Here, Firefox accounts for the majority of the critical vulnerabilities. I can click on each of them for more information: a description of why it was triggered, what attacks it enables, and the solution, which in this case is simply updating Firefox.

Thank you for reading. Hope it helps!