Nessus in real world situations

Penetration tests are not always performed in straightforward environments. For internal network scans it is common to be given only restricted access to the host that will do the scanning, and ordinary tasks become a pain. These include:

  • Updating Nessus when the scanning host has no Internet connection
  • Accessing the Nessus UI when Flash is not installed on the desktop you are working from
  • Installing tools on a restricted Windows desktop where admin rights are required

Here are some tips to help in performing a good Nessus set-up even in the most restrictive of environments.

Step 1: Copying Nessus

In this scenario, we are on a restricted Windows desktop, and we only have SSH access to the Unix host that will perform the Nessus scanning.

Tip 1: Although the WinSCP installer requires admin rights, you can simply copy WinSCP.exe over and run the binary directly (WinSCP also ships a portable package for exactly this purpose).

We can also use Netcat. The Unix host will usually already have netcat (“nc” or “ncat”), and on the Windows machine you can use “nc.exe”, which has no dependencies and requires no installation. You can download nc.exe from: http://joncraton.org/blog/46/netcat-for-windows

Note that some AVs will flag it; at the time of writing nc.exe has a detection rate of 23/47 on VirusTotal. Treat it like any other binary fetched from a third-party site and check what you downloaded before running it on a client machine.

Assuming you can copy & paste the RPM (previously downloaded from Tenable) onto the Windows box, simply run the following from the Windows command prompt in the folder where nc.exe and the rpm files are:

C:\Users\penTester\Desktop\ncat>nc unix_server_ip 12345 < Nessus-5.2.1-es4.i386.rpm

Replacing unix_server_ip above with the proper IP.

And on the Unix side, run the following:

ncat -l -p 12345 > Nessus-5.2.1-es4.i386.rpm

Now the trick is to Ctrl-C this command when the file has completed. The listener does not exit on its own because we did not use the -w (timeout) parameter; in my experience using -w on the listener caused partial transfers, whereas this method always worked for me.

For example, I open another SSH session to the host and “ls -al” the directory where the file is being saved. If the file size is right, the transfer is complete and you can Ctrl-C. Better still, compare a checksum of the received file (sha256sum or md5sum) against the one shown on the Tenable download page, so that a truncated or corrupted RPM is caught before you install it.

Fun to know, but using WinSCP is the right way to go.
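The size check above can be automated so that the listener is killed as soon as the expected number of bytes has arrived, and the result is then verified by SHA-256 rather than by eyeballing ls. The script below is an added example, not code from the original post: it assumes the expected size and digest are taken from the Tenable download page (substitute the real values), that ncat is available on the Unix host, and that the sender is started as in the Windows command above.

```shell
#!/bin/sh
# Added example (not from the original post): receive a file with ncat,
# stop the listener automatically once the expected size has arrived
# (the manual Ctrl-C from the post), then verify the SHA-256 digest.
# Expected size and digest are assumed to come from the Tenable download page.

# sha256_of FILE -> hex digest; falls back to shasum/openssl where sha256sum is missing
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# size_of FILE -> byte count (0 if the listener has not created the file yet)
size_of() {
  if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# wait_and_verify FILE EXPECTED_SIZE EXPECTED_SHA256 LISTENER_PID [TIMEOUT_SECONDS]
# Polls FILE once a second until it holds at least EXPECTED_SIZE bytes, kills the
# listener, then checks exact size and digest.
# Returns 0 on success, 1 on size/digest mismatch, 2 on timeout.
wait_and_verify() {
  file=$1; want_size=$2; want_sha=$3; pid=$4; timeout=${5:-300}
  waited=0
  while [ "$(size_of "$file")" -lt "$want_size" ]; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "timeout: $file has $(size_of "$file") of $want_size bytes" >&2
      kill "$pid" 2>/dev/null || true
      return 2
    fi
    sleep 1
    waited=$((waited + 1))
  done
  kill "$pid" 2>/dev/null || true
  got_size=$(size_of "$file")
  got_sha=$(sha256_of "$file")
  if [ "$got_size" != "$want_size" ] || [ "$got_sha" != "$want_sha" ]; then
    echo "MISMATCH: size $got_size (want $want_size) sha256 $got_sha" >&2
    return 1
  fi
  echo "OK: $file ($got_size bytes, sha256 $got_sha)"
  return 0
}

# receive_file PORT FILE EXPECTED_SIZE EXPECTED_SHA256
# Starts the ncat listener in the background, then waits and verifies.
receive_file() {
  port=$1; out=$2
  ncat -l "$port" > "$out" &
  wait_and_verify "$out" "$3" "$4" $!
}

# Usage: sh receive.sh receive 12345 Nessus-5.2.1-es4.i386.rpm <size> <sha256>
if [ "${1:-}" = "receive" ]; then
  shift
  receive_file "$@"
fi
```

Run it on the Unix side instead of the bare ncat command, then start nc.exe on Windows as before; the script exits non-zero if the file is short, corrupted or never arrives, so you never install an RPM that did not transfer cleanly.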

Step 2: Installing Nessus

In this example (note I am using an outdated 5.2.1 version; “es4” is Tenable's build for RHEL/CentOS 4, so pick the package that matches your distribution), let us install with rpm as follows:

rpm -ivh Nessus-5.2.1-es4.i386.rpm

Step 3: Create an admin user in Nessus

These are the credentials we will use in the Nessus web interface; answer yes when asked whether the user should be an admin.

/opt/nessus/sbin/nessus-adduser

Step 4: Update the plug-ins

Run the following:

/opt/nessus/bin/nessus-fetch --challenge

Copy the Challenge code shown. Paste it in the following URL: https://plugins.nessus.org/offline.php

This will give you two files: “nessus-fetch.rc” and “all-2.0.tar.gz”. The Tenable documentation for offline updates is here:

http://static.tenable.com/documentation/Nessus_Activation_Code_Installation.pdf

http://www.tenable.com/products/nessus/documentation/activation-code-installation

Using WinSCP (or the Netcat method if you feel like it), copy the two files onto the Unix host:

nessus-fetch.rc into /opt/nessus/etc/nessus/

all-2.0.tar.gz into /opt/nessus/sbin/

Run the two following commands:

/opt/nessus/bin/nessus-fetch --register-offline /opt/nessus/etc/nessus/nessus-fetch.rc
/opt/nessus/sbin/nessus-update-plugins all-2.0.tar.gz

Step 5: Run Nessus

/etc/init.d/nessusd start

If the Windows machine is locked down, it may not have Adobe's Flash player installed, which the default Nessus 5 UI needs. Set up the SSH tunnel first (a local port forward from port 8834 on the Windows box to 127.0.0.1:8834 on the scanning host; in PuTTY this is under Connection > SSH > Tunnels), then use portable Firefox and request the HTML5 interface explicitly in the URL:

https://localhost:8834/html5.html

You can obtain portable Firefox from: http://portableapps.com/

Step 6: Bonus, exclude specific hosts from Nessus scans

There may be times where some IPs need to be excluded, perhaps it’s the IP of another pen testing host on the network, or perhaps your host is multi-homed. Here is how to have Nessus skip over those IPs:

Stop Nessus:

service nessusd stop

Edit the Nessus file “/opt/nessus/etc/nessus/nessusd.rules”

nano /opt/nessus/etc/nessus/nessusd.rules

Add one reject line per IP or range there (format shown further down).

If you have them selected in your Windows clipboard, you can paste these in Nano with <Shift><Insert>.

When the scanner reaches those IPs it will display a warning as follows:

Nessus skipped an IP

Rules are one per line: “accept” or “reject” followed by an address in CIDR notation. Here the single host 10.36.128.151 is excluded:

reject 10.36.128.151/32

Leave the file's closing “default accept” line at the end so that everything you have not rejected is still scanned.

Restart Nessus as follows:

service nessusd start
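Editing nessusd.rules by hand with addresses pasted from the Windows clipboard is where typos creep in, and a malformed line is easy to miss until a scan hits a host you meant to skip. The script below is an added example, not code from the original post: it validates each address, normalises a bare host to /32, refuses duplicates, and inserts the reject rule above the “default” line. It assumes the one-rule-per-line format shown above and that you stop and start nessusd around the edit exactly as in the steps above.

```shell
#!/bin/sh
# Added example (not from the original post): add "reject" exclusions to
# nessusd.rules safely. Assumes one "accept|reject address/mask" rule per line,
# closed by a "default accept" line, and that the caller stops/starts nessusd.

# valid_cidr ADDR -> 0 if ADDR is a dotted-quad IPv4 address with an optional /0-32 prefix
valid_cidr() {
  addr=${1%/*}
  prefix=${1#*/}
  if [ "$prefix" = "$1" ]; then prefix=32; fi     # no slash: a single host
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$addr" in ''|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# add_reject_rule RULES_FILE ADDR -> inserts "reject ADDR" (bare host becomes /32)
# above the "default" line; idempotent. Returns 1 on an invalid address.
add_reject_rule() {
  rules=$1; target=$2
  valid_cidr "$target" || { echo "invalid address: $target" >&2; return 1; }
  case "$target" in */*) ;; *) target="$target/32" ;; esac
  if grep -Fqx "reject $target" "$rules"; then
    return 0                                  # already excluded
  fi
  tmp="$rules.tmp.$$"
  if grep -q '^default ' "$rules"; then
    # keep the default line last so it stays the catch-all
    awk -v rule="reject $target" '/^default /{print rule} {print}' "$rules" > "$tmp"
  else
    { cat "$rules"; echo "reject $target"; } > "$tmp"
  fi
  # write back in place so the file keeps its owner and permissions
  cat "$tmp" > "$rules" && rm -f "$tmp"
}

# list_rejects RULES_FILE -> the excluded networks, one per line
list_rejects() {
  awk '$1 == "reject" {print $2}' "$1"
}

# Usage: sh rules.sh add /opt/nessus/etc/nessus/nessusd.rules 10.36.128.151
#   (run "service nessusd stop" before and "service nessusd start" after)
if [ "${1:-}" = "add" ]; then
  add_reject_rule "$2" "$3"
fi
```

Because add_reject_rule is idempotent you can run it for every address on your exclusion list, including your own host's addresses when it is multi-homed, and re-run it after a reboot without growing the file.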

https://twitter.com/0utlaw
