Pen tests are not always performed in straightforward environments. In the case of internal network scans, it is not uncommon to be given restricted access to a host from which to carry out the scanning. In such situations, common tasks can become a pain. These include:
- Updating Nessus when the host has no Internet connection
- Accessing the Nessus web interface when Flash is not installed
- Installing tools on a restricted Windows desktop where installation requires admin rights
Here are some tips to help in performing a good Nessus set-up even in the most restrictive of environments.
Step 1: Copying Nessus
In this scenario, we are on a restricted Windows desktop, and we only have SSH access to the host which has to perform the Nessus scanning.
Tip 1: Although the WinSCP installer requires admin rights, you can simply copy the binary, WinSCP.exe, and run it directly! (WinSCP also ships a portable zip build, which is the cleanest way to get just the executable.)
We can also use Netcat. The Unix host should already have “ncat”, and on the Windows machine you can use “nc.exe” which has no dependencies and requires no installation. You can download nc.exe from: http://joncraton.org/blog/46/netcat-for-windows
Note that some AVs will flag it: at the time of writing nc.exe has a detection rate of 23/47 on VirusTotal. Expect the desktop's AV to quarantine it, and possibly to raise an alert with the client's security team, so agree on this with the client before dropping it on the box.
Assuming you can copy & paste the RPM (previously downloaded from Tenable) onto the Windows box, simply run the following from the Windows command prompt in the folder where nc.exe and the rpm files are:
C:\Users\penTester\Desktop\ncat>nc unix_server_ip 12345 < Nessus-5.2.1-es4.i386.rpm
Replacing unix_server_ip above with the proper IP.
And on the Unix side, run the following:
ncat -l -p 12345 > Nessus-5.2.1-es4.i386.rpm
Now the trick is to Ctrl-C this command when the file has completed (we need to do this because we did not use the -w parameter; in my experience using it caused a partial transfer, whereas this method has always worked for me).
For example, I open another SSH session to the host and “ls -al” the directory where the file is being saved. If the file size is right, the transfer is complete and you can Ctrl-C.
Fun to know, but using WinSCP is the right way to go.
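Watching the file size is enough to know the listener can be killed, but it does not prove the bytes arrived intact. The POSIX sh helper below is an added example, not part of the original post: it checks the received file against the size and SHA-256 recorded on the sending side before you go on to rpm. On the restricted Windows desktop the hash comes from the built-in certutil (certutil -hashfile <file> SHA256), so nothing extra needs installing; on the Unix side it assumes sha256sum, shasum or openssl is present. The function names, the port and the file names are my own choices.

```sh
#!/bin/sh
# verify_transfer.sh - confirm a file pushed over netcat arrived complete.
# Usage: verify_transfer FILE EXPECTED_SIZE EXPECTED_SHA256
# The expected values are taken on the sending (Windows) side, e.g.
#   dir Nessus-5.2.1-es4.i386.rpm                    (size in bytes)
#   certutil -hashfile Nessus-5.2.1-es4.i386.rpm SHA256
# Hash values are computed by you, not taken from Tenable (example helper,
# not part of the original post).

# Print the SHA-256 of a file using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

verify_transfer() {
    file=$1
    want_size=$2
    # certutil prints upper-case hex and, on older builds, spaces between bytes
    want_sha=$(printf '%s' "$3" | tr -d ' ' | tr 'A-F' 'a-f')

    if [ ! -f "$file" ]; then
        echo "verify_transfer: $file does not exist" >&2
        return 2
    fi
    got_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$got_size" -ne "$want_size" ]; then
        echo "verify_transfer: size $got_size, expected $want_size (transfer still running or truncated)" >&2
        return 1
    fi
    got_sha=$(sha256_of "$file")
    if [ "$got_sha" != "$want_sha" ]; then
        echo "verify_transfer: sha256 $got_sha, expected $want_sha (file corrupted in transit)" >&2
        return 1
    fi
    echo "verify_transfer: $file OK ($got_size bytes, sha256 $got_sha)"
    return 0
}

# Receive on the Unix side with the same listener the post uses, then verify.
# Usage: recv_and_verify PORT FILE EXPECTED_SIZE EXPECTED_SHA256
# (Ctrl-C the listener once the size matches, exactly as described above.)
recv_and_verify() {
    port=$1; shift
    file=$1; shift
    ncat -l -p "$port" > "$file"
    verify_transfer "$file" "$@"
}
```

A size mismatch usually means you hit Ctrl-C too early; a hash mismatch with the right size means the bytes were altered in transit and the file should be re-sent rather than installed.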
Step 2: Installing Nessus
In this example (note I am using an outdated 5.2.1 version), let us install with rpm as follows. Before running rpm, compare the file's checksum with the one Tenable publishes on the download page; this also confirms that the transfer in Step 1 completed.
rpm -ivh Nessus-5.2.1-es4.i386.rpm
Step 3: Create an admin user in Nessus
These are the credentials we will use for the Nessus web interface.
Step 4: Update the plug-ins
Run the following:
Copy the challenge code shown and paste it into the following URL: https://plugins.nessus.org/offline.php
This will give you two files: “nessus-fetch.rc” and “all-2.0.tar.gz”. The Tenable documentation for offline updates is here:
Copy nessus-fetch.rc into /opt/nessus/etc/nessus/
Copy all-2.0.tar.gz into /opt/nessus/sbin/
using WinSCP (or the Netcat method if you feel like it).
Run the two following commands:
/opt/nessus/bin/nessus-fetch --register-offline /opt/nessus/etc/nessus/nessus-fetch.rc
/opt/nessus/sbin/nessus-update-plugins all-2.0.tar.gz
Step 5: Run Nessus
If the Windows machine is locked down, it may not have Adobe’s Flash Player installed. To access the Nessus UI (after setting up the SSH tunnel, of course), use Firefox Portable, which runs from a folder without installation, and specify the HTML5 interface in the URL, as follows:
You can obtain portable Firefox from: http://portableapps.com/
Step 6: Bonus, exclude specific hosts from Nessus scans
There may be times when some IPs need to be excluded, perhaps the IP of another pen testing host on the network, or perhaps your own host because it is multi-homed. Here is how to have Nessus skip over those IPs:
service nessusd stop
Edit the Nessus file “/opt/nessus/etc/nessus/nessusd.rules”
Add the IPs there.
If you have them selected in your Windows clipboard, you can paste these in Nano with <Shift><Insert>.
When the scanner reaches those IPs it will display a warning as follows:
The IPs can be written in CIDR notation; here the IP 10.36.128.151 is excluded:
Restart Nessus as follows:
service nessusd start
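The rules file is short, but a line Nessus cannot parse leaves the exclusion silently ineffective, and a typo can exclude the wrong range. The POSIX sh script below is an added example, not part of the original post or of Nessus: it validates each address as an IPv4 host or CIDR block, writes the reject lines followed by a default accept rule, and wraps the stop/edit/start sequence from this step. The addresses are hypothetical; the path is the one named above; the function names are my own.

```sh
#!/bin/sh
# make_nessusd_rules.sh - write a nessusd.rules that skips the given hosts.
# Usage: make_nessusd_rules OUTFILE IP_OR_CIDR [IP_OR_CIDR ...]
# Example output (hypothetical addresses):
#   reject 10.36.128.151/32
#   reject 10.36.129.0/24
#   default accept
# Added example, not Nessus's own tooling.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/" given: a single host
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in
        ''|*[!0-9.]*) return 1 ;;            # rejects shell metacharacters too
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

make_nessusd_rules() {
    out=$1; shift
    [ $# -gt 0 ] || { echo "make_nessusd_rules: no hosts given" >&2; return 2; }
    for host in "$@"; do
        is_ipv4_cidr "$host" || { echo "make_nessusd_rules: bad address '$host'" >&2; return 1; }
    done
    {
        echo "# generated $(date -u +%Y-%m-%dT%H:%M:%SZ): hosts Nessus must never touch"
        for host in "$@"; do
            case $host in
                */*) echo "reject $host" ;;
                *)   echo "reject $host/32" ;;   # bare IP: pin it to a single host
            esac
        done
        echo "default accept"                    # everything else stays scannable
    } > "$out"
}

# Apply it the way the post does: stop nessusd, write the file, start nessusd.
apply_nessusd_rules() {
    service nessusd stop
    make_nessusd_rules /opt/nessus/etc/nessus/nessusd.rules "$@" || return 1
    service nessusd start
}
```

Running apply_nessusd_rules 10.36.128.151 10.36.129.0/24 replaces the whole file, so list every exclusion each time; keep a copy of any hand-written rules you want to preserve.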