THIS LAB’S OBJECTIVES
• Learning how to use Nessus vulnerability scanner to find vulnerabilities on a target host.
Nessus Vulnerability Scanner:
• We are going to install the latest Nessus vulnerability scanner.
We can download the latest Nessus package generated for Debian 6 Linux distribution from the Nessus website (http://www.nessus.org/products/nessus/nessus-download-agreement).
To install this package, we must move from the home directory to the download directory where the package is and then issue the following command:
root@kali:/home/kali# dpkg -i Nessus-8.12.1-debian6_i386.deb
root@kali:/home/kali# /bin/systemctl start nessusd.service
Then we go to our browser and connect to https://localhost:8834. You will be prompted with a warning about the SSL certificate; allow the exception and proceed.
Proceed to the Nessus page to create a Nessus admin credential. Select Nessus Essentials – this is a free vulnerability scanner that provides an entry point for vulnerability assessment (N.B. You are limited to only 16 IP Scans!).
Once you have registered successfully, you will receive an activation code. Type your activation code to begin downloading the latest plugins.
Now that we have Nessus fully downloaded, we can begin our scans. Click on the New Scan button. Then we click on Basic Network Scan and input the following:
• Name: Metasploitable2 Scan
• Description: Basic Network Scan
• Folder: My Scans
• Targets: ###.###.###.###
There are additional options that enable us to customise our scan for specific requirements; we will come back to those later. Save your scan and click on the launch button to begin.
Click on a scan name while it is running to see the hosts and general vulnerability information.
Once complete, click on each vulnerability to get more detailed information.
What is significant about this tool is that it provides information about available exploits.
Spend some time to understand the features available and how to use them.
Web Content Scanner:
We are going to explore some common tools for scanning web objects.
• We will start with DIRB which uses a dictionary to scan known web objects.
root@kali:/home/kali# dirb http://[target-host]
This command will use the default wordlist against the target host. Dirb takes a lot of time to complete scans depending on the number of directories on the target web server. There are several hotkeys that can help you decide how long you want to keep a scan running for:
• ‘n’ = Go to next directory.
• ‘q’ = Stop scan and save current state.
• ‘r’ = Return remaining scan statistics.
• Dirbuster is another tool for web content scanning but with more functionality and parameters to tweak.
We can attempt to use the same target host, set the number of threads to 20 and select a wordlist from the following directory:
/usr/share/dirbuster/wordlists/
We can also use the DIRB common wordlist in Dirbuster for a more effective scan.
/usr/share/wordlists/dirb/common.txt
The next step would be to open the discovered directories in a browser. We will be able to see the files and folders in each directory and analyse their contents.
• Finally, we will use Netcat to interact with webservers and retrieve the server banner.
root@kali:/home/kali# nc [Target IP] 80
HEAD / HTTP/1.0
What type of information does this command provide?
We can also retrieve the top-level page on the webserver with this command:
root@kali:/home/kali# nc [Target IP] 80
GET / HTTP/1.0
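As an added example (not part of the lab sheet), the following Python script performs the same HEAD exchange as the nc commands above over a socket and then parses the reply, so you can see exactly which headers make up the "banner" (Server, X-Powered-By and similar) that the HEAD request reveals. The sample response and the hostnames used in the tests are constructed for illustration, not captured from any real host; grab_banner() is only useful against a reachable host, while the parsing functions run offline.

```python
import socket
from typing import Dict, Tuple

def build_request(method: str, host: str, path: str = "/") -> bytes:
    """Build the raw HTTP/1.0 request that the lab types into nc (Host header is optional in 1.0)."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def fingerprint(headers: Dict[str, str]) -> Dict[str, str]:
    """Pick out the headers that disclose the server software stack (what HEAD / reveals)."""
    keys = ("server", "x-powered-by", "x-aspnet-version")
    return {k: headers[k] for k in keys if k in headers}

def grab_banner(host: str, port: int = 80, timeout: float = 5.0):
    """Same exchange as 'nc [Target IP] 80' + 'HEAD / HTTP/1.0', read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request("HEAD", host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))

# Constructed sample response (illustrative values, not from a real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.2.0 (Example)\r\n"
    b"X-Powered-By: PHP/5.0 (Example)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)
```

Running fingerprint() on your own servers' responses is a quick way to check what version information they disclose.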
Rpcclient:
• Rpcclient is a Linux tool used for executing client-side MS-RPC functions. A null session is a connection to a Samba or SMB server that does not require authentication with a password.
root@kali:/home/kali# rpcclient -U "" [Target IP]
When prompted for a password, press Enter to continue (the -U option with an empty string supplies a null username).
• Following this, the command prompt will change to rpcclient's; use the querydominfo command to retrieve information about the domain, the server and all users on the target machine.
rpcclient $> querydominfo
How many user accounts are available on the Metasploitable system?
• To retrieve a list of all users run the following command:
rpcclient $> enumdomusers
• To query user info of any account run the following command:
rpcclient $> queryuser [username]
Nikto2:
root@kali:/home/kali# nikto
This will display all the options with their extended features.
root@kali:/home/kali# nikto -h http://172.16.43.156 -p 80
What are the other options? Attempt them and take note of the output.
Password Sniffing:
Password sniffing is a special type of auxiliary module that listens on the network interface and looks for passwords sent over various protocols such as FTP, IMAP, POP3, and SMB. It also provides an option to import previously dumped network traffic in “.pcap” format and look for credentials within.