# Vulnerability Assessment

## **Overview**

Vulnerability assessment is the phase of a penetration test that identifies known weaknesses in systems, networks, and applications so that exploitation effort can be focused where it matters. This guide covers Nessus Professional, one of the most widely deployed commercial vulnerability scanners, with emphasis on credentialed scanning and advanced configuration.

**Key Objectives:**

* Identify known vulnerabilities (CVEs)
* Assess security misconfigurations
* Evaluate authentication mechanisms
* Prioritize security risks by severity
* Generate comprehensive reports for remediation

***

## **Nessus Professional**

### **Why Nessus?**

**Industry Standard Features:**

* **145,973+ Plugins** - Covering 58,391 CVE IDs and 30,696 Bugtraq IDs at the time these notes were written (the counts grow with every daily feed update)
* **NASL Scripting** - Nessus Attack Scripting Language for custom checks
* **Credentialed Scanning** - Deep system analysis with legitimate access
* **Professional Reporting** - Executive and technical reports
* **Continuous Updates** - Daily plugin updates from Tenable
* **Compliance Scanning** - PCI DSS, HIPAA, SOX, CIS benchmarks

### **Installation and Setup**

```bash
# Download Nessus Professional from Tenable
# https://www.tenable.com/products/nessus
# Pick the package that matches the scanner's architecture (amd64 for most Kali VMs, arm64 for ARM hosts)

# Install on Kali Linux
sudo dpkg -i Nessus-X.X.X-debian6_arm64.deb

# Start the Nessus service and confirm it is listening on 8834
sudo systemctl enable nessusd
sudo systemctl start nessusd
sudo ss -ltnp | grep 8834

# Access the web interface (a self-signed certificate warning on the first visit is expected)
# https://localhost:8834
```

**Initial Configuration:**

1. **Create admin account** with strong credentials
2. **Enter activation code** (Professional license required)
3. **Download plugins** (automatic update process)
4. **Configure scan policies** for different scenarios

***

## **Scan Policies**

### **Overview**

Scan policies are customized scan configurations that can be saved, reused, and shared. They allow penetration testers to create targeted scans for specific scenarios while maintaining consistency across assessments.

**Benefits:**

* **Consistency** - Standardized scanning approach
* **Efficiency** - Pre-configured settings for common scenarios
* **Customization** - Tailored scans for specific environments
* **Portability** - Export/import between Nessus scanners

### **Creating Custom Scan Policies**

#### **Step 1: Policy Creation**

```bash
# Navigate to Policies tab
Policies → New Policy → Advanced Scan

# Policy Configuration:
# - Name: HTB_Professional_Scan
# - Description: Comprehensive credentialed scan for penetration testing
# - Folder: User Defined
```

#### **Step 2: Basic Settings**

```bash
# Discovery Settings:
Port Scan (common ports): Enabled
Port Scan (all ports): Enabled for critical assets
Network Ping: Enabled
TCP Ping: Enabled
Service Recognition: Enabled

# Assessment Settings:
General: All vulnerability families enabled
Web Applications: Enabled for web servers
Windows: Enabled for Windows targets
Unix: Enabled for Linux/Unix targets
```

#### **Step 3: Advanced Settings**

```bash
# Performance Settings:
Max simultaneous hosts per scan: 5 (adjust based on network)
Max simultaneous checks per host: 5
Network timeout (seconds): 5
Max checks per host: Unlimited
Read timeout (seconds): 10

# Scan Options:
Safe checks: Disabled (for comprehensive testing)
#   Disabling safe checks lets plugins send payloads that can crash or hang a
#   service. Keep it enabled on production targets unless the client has
#   explicitly accepted that risk in the rules of engagement.
Stop scanning hosts that become unresponsive during the scan: Enabled
Designate hosts by their DNS name: Enabled
Log scan details to server: Enabled
```

### **Specialized Scan Policies**

#### **Stealth Scan Policy**

```bash
# Policy Name: HTB_Stealth_Scan
# Description: Low-impact scanning for sensitive environments

# Configuration:
- Reduce scan speed (fewer simultaneous hosts and checks per host) to avoid detection and congestion
- Enable safe checks only
- Limit concurrent connections
- Prefer the SYN scanner over full TCP connect() scans: a half-open probe never completes
  the handshake, so the target service never sees (or logs) a connection
- Disable aggressive service detection
```

#### **Web Application Focused Policy**

```bash
# Policy Name: HTB_WebApp_Scan
# Description: Focused on web application vulnerabilities

# Plugin Families:
- Web Servers: Enabled
- CGI abuses: Enabled
- CGI abuses : XSS: Enabled
- General: Web-related plugins only
- Settings: Enable web app testing
```

#### **Internal Network Policy**

```bash
# Policy Name: HTB_Internal_Credentialed
# Description: Comprehensive internal network assessment

# Configuration:
- All plugin families enabled
- Credentialed scanning enabled
- Compliance checks enabled
- Malware detection enabled
- Local security checks enabled
```
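Clicking the same settings into the policy editor for every engagement is error-prone, and the page's whole point about policies is consistency. The following added example (my own code, not Tenable's or HTB Academy's) builds the "HTB_Professional_Scan" policy from Steps 1-3 and the "HTB_Stealth_Scan" variant above as `POST /policies` payloads and pushes them through the Nessus REST API using API keys. Assumptions: the scanner is reachable at `NESSUS_URL` with keys in `NESSUS_ACCESS_KEY`/`NESSUS_SECRET_KEY` (all hypothetical environment variable names), and the settings keys (`max_hosts`, `max_checks`, `network_timeout`, `safe_checks`, `portscan_range`, `stop_scan_on_disconnect`) are the Advanced Scan editor field names as I know them; confirm them against `GET /editor/policy/templates/<uuid>` on your own scanner before relying on them.

```python
import json
import os
import ssl
import urllib.request
from typing import Any, Dict

# Profile values taken from the Step 3 and Stealth settings above. The profile names
# are the ones used on this page; keep whatever naming convention your team uses.
PROFILES: Dict[str, Dict[str, Any]] = {
    "HTB_Professional_Scan": dict(
        max_hosts=5, max_checks=5, network_timeout=5, safe_checks=False, all_ports=True,
        description="Comprehensive credentialed scan for penetration testing"),
    "HTB_Stealth_Scan": dict(
        max_hosts=1, max_checks=2, network_timeout=10, safe_checks=True, all_ports=False,
        description="Low-impact scanning for sensitive environments"),
}


def build_policy(name: str, template_uuid: str, *, max_hosts: int, max_checks: int,
                 network_timeout: int, safe_checks: bool, all_ports: bool,
                 description: str = "") -> Dict[str, Any]:
    """JSON body for POST /policies. Nessus stores every setting value as a string.

    Assumption: the settings keys below are the Advanced Scan editor field names;
    verify them with GET /editor/policy/templates/<uuid> on your scanner."""
    return {
        "uuid": template_uuid,
        "settings": {
            "name": name,
            "description": description,
            "max_hosts": str(max_hosts),
            "max_checks": str(max_checks),
            "network_timeout": str(network_timeout),
            # "no" allows plugins whose payloads can crash a service: lab/authorised targets only
            "safe_checks": "yes" if safe_checks else "no",
            "portscan_range": "1-65535" if all_ports else "default",
            "stop_scan_on_disconnect": "yes",
        },
    }


class NessusClient:
    """Standard-library client using Nessus API keys (Settings -> My Account -> API Keys)."""

    def __init__(self, base_url: str, access_key: str, secret_key: str, verify_tls: bool = True):
        self.base_url = base_url.rstrip("/")
        self.headers = {
            "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
            "Content-Type": "application/json",
        }
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # Nessus ships a self-signed cert; better: add your CA to the trust store
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _call(self, method: str, path: str, body: Any = None) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)

    def template_uuid(self, template_name: str = "advanced") -> str:
        """Resolve the template UUID by its short name instead of hard-coding it."""
        for tpl in self._call("GET", "/editor/policy/templates")["templates"]:
            if tpl["name"] == template_name:
                return tpl["uuid"]
        raise LookupError(f"no policy template named {template_name!r}")

    def create_policy(self, payload: Dict[str, Any]) -> Any:
        return self._call("POST", "/policies", payload)


if __name__ == "__main__":
    # Network access happens only here, so the functions above can be exercised offline.
    client = NessusClient(os.environ.get("NESSUS_URL", "https://localhost:8834"),
                          os.environ["NESSUS_ACCESS_KEY"], os.environ["NESSUS_SECRET_KEY"],
                          verify_tls=os.environ.get("NESSUS_VERIFY_TLS", "1") == "1")
    uuid = client.template_uuid("advanced")
    for policy_name, profile in PROFILES.items():
        print(policy_name, client.create_policy(build_policy(policy_name, uuid, **profile)))
```

The payload builder is kept separate from the HTTP client so the exact settings that reach the scanner can be reviewed (and diffed between engagements) without touching the network; the `safe_checks` flag is the one value worth a second look before every run.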

***

## **Nessus Plugins**

### **Plugin Architecture**

**Nessus Attack Scripting Language (NASL):**

* **Custom vulnerability checks** written in specialized language
* **Severity ratings:** Critical, High, Medium, Low, Info
* **Vulnerability intelligence:** CVE mapping, exploit availability
* **Remediation guidance:** Specific steps to fix identified issues

### **Plugin Families**

| Family                    | Description                            | Use Case                  |
| ------------------------- | -------------------------------------- | ------------------------- |
| **Web Servers**           | HTTP/HTTPS server vulnerabilities      | Web application testing   |
| **Windows**               | Windows OS and service vulnerabilities | Windows infrastructure    |
| **Backdoors**             | Known backdoor and malware detection   | Compromise assessment     |
| **Databases**             | Database-specific vulnerabilities      | Database security testing |
| **General**               | Miscellaneous vulnerability checks     | Comprehensive scanning    |
| **Denial of Service**     | DoS vulnerability testing              | Availability testing      |
| **Default Unix Accounts** | Default account detection              | Configuration assessment  |
| **SCADA**                 | Industrial control system security     | Critical infrastructure   |

### **Plugin Management**

#### **Plugin Rules for False Positive Management**

```bash
# Navigate to Resources → Plugin Rules

# Example: Exclude SSL Self-Signed Certificate for internal hosts
Rule Configuration:
- Host: internal.company.com
- Plugin ID: 57582
- Action: Hide this result
- Expiration: 90 days
- Comment: Internal PKI uses self-signed certificates by design
```

#### **Common False Positive Exclusions**

```bash
# Microsoft DirectAccess (IP-HTTPS) servers
Plugin: the SSL null cipher suites finding (take the plugin ID from the scan result itself)
Hosts: directaccess.company.com
Reason: IP-HTTPS deliberately negotiates NULL encryption because the tunnelled traffic
        is already protected by IPsec; the finding is by design, not a weakness

# Internal DNS Servers
Plugin ID: 35703
Hosts: dns1.internal.com, dns2.internal.com
Reason: Internal recursive DNS by design

# Development Environments
Plugin ID: Multiple
Hosts: dev-*.company.com
Reason: Development environment exceptions
```

***

## **Credentialed Scanning**

### **Overview**

Credentialed scanning gives Nessus legitimate authenticated access to the target, so it can inspect installed packages, patch levels, and local configuration directly instead of inferring them from banners and network behaviour. A network-only scan cannot see a missing kernel patch or a world-writable service binary; a credentialed one can.

**Benefits:**

* **Deep system analysis** - Local security configurations
* **Patch level assessment** - Missing security updates
* **Configuration auditing** - Security policy compliance
* **Local privilege escalation** - Misconfigured permissions
* **Malware detection** - File system analysis

### **Authentication Methods**

#### **SSH Authentication (Linux/Unix)**

```bash
# SSH Password Authentication
Authentication Method: Password
Username: scanner
Password: test1234
Elevate privileges with: sudo
sudo Password: test1234      # required unless the account has NOPASSWD sudo

# SSH Public Key Authentication
Authentication Method: Public Key
Username: scanner
Private Key: [Upload the private key file; the matching public key lives in authorized_keys on the targets]
Private Key Passphrase: [If the private key is encrypted]
Elevate privileges with: sudo
```

#### **SSH Key Generation**

```bash
# Generate a dedicated key pair for scanning (ed25519 is the current OpenSSH default;
# fall back to RSA 4096 only if the scanner or target version cannot load ed25519 keys)
ssh-keygen -t ed25519 -f ~/.ssh/nessus_scanner -C "nessus-scanner@company.com"

# Copy the public key to each target system
ssh-copy-id -i ~/.ssh/nessus_scanner.pub scanner@target-host

# Harden the authorized_keys entry on the target so only the scanner's IP can use the key
# (10.10.14.5 is a placeholder for the Nessus host)
# from="10.10.14.5" ssh-ed25519 AAAA... nessus-scanner@company.com

# Verify login and non-interactive sudo work before adding the key to Nessus
ssh -i ~/.ssh/nessus_scanner scanner@target-host 'sudo -n true && echo sudo-ok'

# Configure Nessus with the private key
# Upload ~/.ssh/nessus_scanner (private key) to the SSH credential; keep the file mode 600
```

#### **Windows Authentication**

```bash
# Windows Password Authentication
Authentication Method: Password
Username: administrator
Password: test1234
Domain: COMPANY
# Leave "Never send credentials in the clear" and "Do not use NTLMv1 authentication" enabled

# Windows Hash Authentication (Pass-the-Hash)
Authentication Method: NTLM Hash
Username: administrator
NTLM Hash: [32 hex characters, e.g. from a secretsdump or Mimikatz dump]
Domain: COMPANY
# The separate "LM Hash" method exists for legacy targets only; modern hosts store
# no LM hash and authenticate with the NT hash alone
```

#### **Kerberos Authentication**

```bash
# Kerberos Configuration
Authentication Method: Kerberos
Username: scanner            # account name only; the realm is supplied separately
Password: test1234
KDC Host: 10.10.10.100       # a domain controller
KDC Port: 88
KDC Transport: TCP           # UDP drops AD tickets that exceed a single datagram
Realm: COMPANY.COM           # must match the AD domain, upper-case
# The scanner needs working DNS for the realm and a clock within 5 minutes of the KDC
```

### **Database Credentialed Scanning**

Use a dedicated scanning login rather than the built-in superuser (`sa`, `root`, `postgres`, `system`): Tenable documents the minimum privileges each database check needs, and they amount to reading version, configuration, and user tables, not modifying data. A leaked scanner credential should not hand an attacker the whole instance. The superuser names below are lab placeholders.

#### **Microsoft SQL Server**

```bash
# SQL Server Configuration
Database Type: Microsoft SQL Server
Server: 10.10.10.50
Port: 1433
Authentication Type: SQL Server   # or "Windows" to reuse the domain account above
Username: sa
Password: test1234

# Verification: the MSSQL plugins report the exact product version and patch level in
# their plugin output only when the login succeeded; an unauthenticated scan shows just
# the version advertised in the TDS pre-login response
```

#### **MySQL/MariaDB**

```bash
# MySQL Configuration
Database Type: MySQL
Server: 10.10.10.51
Port: 3306
Username: root
Password: test1234
Database: information_schema
```

#### **PostgreSQL**

```bash
# PostgreSQL Configuration
Database Type: PostgreSQL
Server: 10.10.10.52
Port: 5432
Username: postgres
Password: test1234
Database: postgres
SSL Mode: Require
```

#### **Oracle Database**

```bash
# Oracle Configuration
Database Type: Oracle
Server: 10.10.10.53
Port: 1521
Username: system
Password: test1234
SID: ORCL
TNS Names File: [Optional tnsnames.ora upload]
```

### **Web Application Authentication**

#### **HTTP Basic Authentication**

```bash
# Basic Auth Configuration
Authentication Method: Basic
Username: admin
Password: test1234
Login URL: https://webapp.company.com/admin
```

#### **HTTP Form-Based Authentication**

```bash
# Form Auth Configuration
Authentication Method: HTTP Login Form
Username: admin
Password: test1234
Login Page: /login.php
Login Submission Page: /process_login.php
Login Parameters: username=%USER%&password=%PASS%
Check Authentication on Page: /dashboard.php
Regex to Verify Successful Authentication: Welcome, admin
# Exclude the logout URL (/logout.php) from the web crawl in the Web Applications
# settings, otherwise the crawler will log the scanner out mid-scan
```

#### **Session Cookie Authentication**

```bash
# Reusing an existing browser session (HTTP cookies import)
Authentication Method: HTTP cookies import
Cookies File: [cookies.txt exported from the authenticated browser session]

# Nessus Professional's HTTP credential types are basic/digest, login form,
# cookies import and NTLM. There is no credential type for arbitrary headers such
# as "Authorization: Bearer <token>" or X-API-Key; token-protected APIs are covered
# by Tenable Web App Scanning or by manual testing, not by a Nessus credential.
```

### **Verification of Credentialed Access**

#### **Successful Authentication Indicators**

```bash
# Check the "Settings" plugin family results for each host:

# Plugin 19506 - Nessus Scan Information
#   "Credentialed checks : yes" confirms that local checks ran on this host
#   "Credentialed checks : no"  means the scan fell back to network-only checks

# Plugin 141118 - Target Credential Status by Authentication Protocol - Valid Credentials Provided
#   Lists the protocol (SSH, SMB, ...) and port on which the login succeeded

# Plugins that show authentication did NOT work as intended:
#   21745  - Authentication Failure - Local Checks Not Run
#   104410 - Target Credential Status by Authentication Protocol - Failure for Provided Credentials
#   110385 - Target Credential Issues by Authentication Protocol - Insufficient Privilege
#            (login worked, but the account cannot sudo / is not a local administrator)
#   117886 - OS Security Patch Assessment Not Available

# Database Authentication Success
#   The database plugins list the exact version and patch level (e.g. the MSSQL build
#   number) only when the login succeeded
```

#### **Authentication Failure Troubleshooting**

```bash
# Common SSH Issues:
- Wrong username/password, or a key that is not in the target's authorized_keys
- Private key in a format Nessus cannot load (convert with ssh-keygen -p -m PEM -f <key> if in doubt)
- Privilege escalation failing: wrong sudo password, sudoers requiretty, or the account is not in sudoers
- SSH service not running or firewall blocking port 22
- Account locked, disabled, or excluded by AllowUsers/Match blocks in sshd_config

# Common Windows Issues:
- Account not in the local Administrators group (Nessus needs admin-level SMB access)
- Remote Registry service disabled or set to Manual (enable "Start the Remote Registry service during the scan")
- Administrative shares (ADMIN$, C$) disabled or unreachable
- UAC remote restrictions on local (non-domain) admin accounts (LocalAccountTokenFilterPolicy = 1 lifts them)
- Windows Firewall blocking SMB (445) or, if WMI checks are enabled, RPC/WMI ports
- NTLM authentication disabled by policy, or the scanner set to refuse NTLMv1
- Account password expired or locked out

# Common Database Issues:
- Database service not running
- Wrong port configuration
- User lacks necessary permissions
- SSL/TLS configuration mismatch
- Network connectivity issues
```

***

## **HTB Academy Lab Configuration**

### **Lab Credentials**

#### **Linux Systems**

```bash
# HTB Academy Lab Credentials
Username: htb-student_adm
Password: dummy123
Privilege Escalation: sudo
Access Type: SSH on port 22
```

#### **Windows Systems**

```bash
# HTB Academy Lab Credentials
Username: administrator
Password: dummy123
Domain: HTB
Access Type: SMB/WMI authentication
```

### **Pre-configured Scans**

**Note:** HTB Academy provides pre-configured credentialed scans to save time during the lab exercises. These scans demonstrate:

1. **Linux Credentialed Scan** - Using htb-student\_adm account
2. **Windows Credentialed Scan** - Using administrator account
3. **Comparison Analysis** - Credentialed vs. non-credentialed results

***

## **Advanced Scanning Techniques**

### **Compliance Scanning**

#### **PCI DSS Compliance**

```bash
# PCI DSS Configuration
Compliance Standard: PCI DSS (v3.2.1 in these notes; v3.2.1 was retired on 31 March 2024,
                     so new assessments should use the v4.0 audit)
Scan Type: Internal Network Scan
Required Plugins:
- Payment Card Industry (PCI) DSS
- SSL/TLS Configuration
- Default Account Detection
- Vulnerability Assessment
# Nessus Professional's PCI templates cover internal scans and pre-checks only; the
# official quarterly external scan must be run by an Approved Scanning Vendor
```

#### **CIS Benchmarks**

```bash
# CIS Benchmark Configuration
Benchmark: CIS Microsoft Windows 10 Enterprise
Level: Level 1 (Basic)
Customization: Company-specific modifications
Output: Pass/Fail for each control
```

### **Malware Detection**

```bash
# Enable Malware Detection (credentialed scans only)
Settings → Assessment → Malware
Enable: "Scan file system" (select the directories to scan)
Methods:
- File hash matching against Tenable's known-malware hash set
- Custom hash lists (known-bad and allow-list hashes uploaded by the tester)
- Yara rules uploaded by the tester
- Running process inspection on the target
# This is hash/signature matching, not behavioural analysis; it will not catch novel malware
```

### **Patch Management Assessment**

```bash
# Windows Patch Assessment
Plugin Families: Windows : Microsoft Bulletins
Credentialed: Required for accurate results
Output: Missing security updates by severity
Integration: Microsoft WSUS/SCCM data

# Linux Patch Assessment  
Plugin Families: Red Hat Local Security Checks
                Ubuntu Local Security Checks
                Debian Local Security Checks
Package Managers: yum, apt, zypper analysis
```

***

## **Scan Results Analysis**

### **Vulnerability Prioritization**

#### **Risk-Based Analysis**

```bash
# Priority 1: Critical Vulnerabilities
- Remote code execution
- Authentication bypass
- Privilege escalation
- SQL injection (high impact)

# Priority 2: High Vulnerabilities
- Information disclosure
- Cross-site scripting (stored)
- Insecure cryptographic storage
- Missing security patches

# Priority 3: Medium Vulnerabilities
- Configuration weaknesses
- Cross-site scripting (reflected)
- Weak authentication mechanisms
- Information leakage

# Priority 4: Low/Info Vulnerabilities
- Banner disclosure
- SSL certificate information
- Directory listing enabled
- Verbose error messages
```

#### **CVSS Score Integration**

```bash
# CVSS v3.1 Metrics
Base Score: 0.0 - 10.0
Temporal Score: Exploit availability adjustment
Environmental Score: Business impact consideration

# Risk Rating (Nessus maps its Critical/High/Medium/Low severities onto these ranges,
# using the CVSSv3 base score when the plugin has one and CVSSv2 otherwise):
- 9.0-10.0: Critical
- 7.0-8.9: High
- 4.0-6.9: Medium
- 0.1-3.9: Low
- 0.0 or no score: Info
```
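Both the credential check from the "Verification of Credentialed Access" section and the severity ordering just described are easier to do over the exported `.nessus` file than by clicking through the UI host by host. The added example below (my own code, not Tenable's or HTB Academy's) parses a `NessusClientData_v2` export, decides per host whether local checks really ran (plugin 19506's "Credentialed checks" line, plus the authentication-problem plugins 21745, 104410, 110385 and 117886, all real Tenable plugin IDs), and ranks findings by Nessus severity, public exploit availability, and CVSSv3 base score. The embedded XML is a constructed minimal export; the `9000xx` plugin IDs and their "Placeholder:" names are made up for the sample and do not correspond to real plugins.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCAN_INFO = "19506"  # Nessus Scan Information: output carries "Credentialed checks : yes|no"
AUTH_PROBLEM_PLUGINS = {  # real Tenable plugin IDs
    "21745": "Authentication Failure - Local Checks Not Run",
    "104410": "Target Credential Status by Authentication Protocol - Failure for Provided Credentials",
    "110385": "Target Credential Issues by Authentication Protocol - Insufficient Privilege",
    "117886": "OS Security Patch Assessment Not Available",
}
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: two hosts, one credentialed and one not. 9000xx IDs are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="HTB_Internal_Credentialed">
<ReportHost name="10.10.10.5">
<ReportItem port="0" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information">
<plugin_output>Information about this scan :
Credentialed checks : yes</plugin_output></ReportItem>
<ReportItem port="0" protocol="tcp" severity="4" pluginID="900001" pluginName="Placeholder: missing patch, remote code execution">
<cvss3_base_score>9.8</cvss3_base_score><exploit_available>true</exploit_available></ReportItem>
<ReportItem port="443" protocol="tcp" severity="2" pluginID="900002" pluginName="Placeholder: weak TLS configuration">
<cvss3_base_score>5.3</cvss3_base_score><exploit_available>false</exploit_available></ReportItem>
</ReportHost>
<ReportHost name="10.10.10.6">
<ReportItem port="0" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information">
<plugin_output>Information about this scan :
Credentialed checks : no</plugin_output></ReportItem>
<ReportItem port="0" protocol="tcp" severity="0" pluginID="21745" pluginName="Authentication Failure - Local Checks Not Run"/>
<ReportItem port="8080" protocol="tcp" severity="3" pluginID="900003" pluginName="Placeholder: unauthenticated admin interface">
<cvss3_base_score>8.1</cvss3_base_score></ReportItem>
<ReportItem port="22" protocol="tcp" severity="4" pluginID="900004" pluginName="Placeholder: default credentials accepted">
<cvss3_base_score>9.8</cvss3_base_score><exploit_available>false</exploit_available></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""


@dataclass
class Finding:
    host: str
    plugin_id: str
    name: str
    severity: int          # ReportItem 'severity' attribute: 0 Info .. 4 Critical
    cvss3: float
    exploit_available: bool
    port: str


@dataclass
class HostResult:
    name: str
    credentialed: Optional[bool] = None   # None: plugin 19506 absent, host never fully scanned
    auth_problems: List[str] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)


def parse_nessus(xml_text: str) -> Dict[str, HostResult]:
    hosts: Dict[str, HostResult] = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        result = HostResult(name=rh.get("name", "?"))
        for item in rh.findall("ReportItem"):
            pid = item.get("pluginID", "")
            if pid == SCAN_INFO:
                result.credentialed = "Credentialed checks : yes" in item.findtext("plugin_output", "")
            elif pid in AUTH_PROBLEM_PLUGINS:
                result.auth_problems.append(AUTH_PROBLEM_PLUGINS[pid])
            result.findings.append(Finding(
                host=result.name, plugin_id=pid, name=item.get("pluginName", ""),
                severity=int(item.get("severity", "0")),
                cvss3=float(item.findtext("cvss3_base_score", "") or 0.0),
                exploit_available=item.findtext("exploit_available", "false") == "true",
                port=f"{item.get('port')}/{item.get('protocol')}",
            ))
        hosts[result.name] = result
    return hosts


def credential_summary(hosts: Dict[str, HostResult]) -> List[str]:
    """One line per host. A 'no' with no auth-problem plugin usually means no credential was configured."""
    lines = []
    for h in hosts.values():
        if h.credentialed:
            lines.append(f"{h.name}: credentialed")
        else:
            lines.append(f"{h.name}: NOT credentialed ({', '.join(h.auth_problems) or 'no authentication plugin output'})")
    return lines


def prioritize(hosts: Dict[str, HostResult], min_severity: int = 2) -> List[Finding]:
    """Order: Nessus severity, then whether a public exploit exists, then CVSSv3 base score."""
    items = [f for h in hosts.values() for f in h.findings if f.severity >= min_severity]
    return sorted(items, key=lambda f: (f.severity, f.exploit_available, f.cvss3), reverse=True)


if __name__ == "__main__":
    results = parse_nessus(SAMPLE_NESSUS)
    print("\n".join(credential_summary(results)))
    for f in prioritize(results):
        print(f"{SEVERITY_NAMES[f.severity]:8} {f.cvss3:4} exploit={str(f.exploit_available):5} {f.host}:{f.port} {f.name}")
```

Run it against a real export by replacing `SAMPLE_NESSUS` with the file contents; the credential summary should be the first thing checked after every credentialed scan, because a host that silently fell back to network-only checks will look "clean" in the findings list while its missing patches go unreported.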

### **False Positive Management**

#### **Common False Positives**

```bash
# SSL/TLS Configuration
Issue: "SSL Certificate Cannot Be Trusted"
Reality: The certificate chains to an internal CA the scanner does not know about
Action: Upload the internal root CA under Settings → Custom CA so the chain validates,
        rather than hiding the plugin (a rule would also hide genuinely broken certificates)

# Network Services
Issue: "Telnet Service Detection"
Reality: Legacy equipment requiring Telnet (a true finding, not a false positive)
Action: Keep the finding; document the business justification and compensating controls as an accepted risk

# Web Applications
Issue: "Web Application Potentially Vulnerable to Cross-site Scripting"
Reality: Input validation present but not recognised by the generic check
Action: Reproduce manually (inject a harmless marker and inspect the response); downgrade only with evidence
```

#### **Verification Methods**

```bash
# Manual Verification Steps:
1. Reproduce findings using manual testing
2. Analyze application source code (if available)
3. Consult with system administrators
4. Review security controls documentation
5. Perform additional targeted testing
```

***

## **Reporting and Documentation**

### **Executive Summary Report**

```bash
# Executive Report Elements:
- Risk overview and business impact
- Summary of critical findings
- Compliance status assessment
- Recommended remediation timeline
- Security posture improvement metrics
```

### **Technical Report**

```bash
# Technical Report Elements:
- Detailed vulnerability descriptions
- Proof-of-concept evidence
- Step-by-step reproduction steps
- Technical remediation guidance
- References to CVE/CWE databases
```

### **Custom Report Templates**

```bash
# Report Customization:
Templates → Create New Template
Sections:
- Cover page with company branding
- Executive summary
- Methodology description
- Detailed findings by severity
- Appendices with raw data
```

### **Compliance Reports**

```bash
# Compliance-Specific Reports:
- PCI DSS Audit Report
- SOX IT Controls Assessment
- HIPAA Security Risk Analysis
- ISO 27001 Vulnerability Management
- NIST Cybersecurity Framework
```

***

## **Integration with CPTS Methodology**

### **Workflow Integration**

#### **Phase 1: Post-Enumeration Assessment**

```bash
# After completing enumeration phases:
1. Service Enumeration (ports, services, versions)
2. Web Application Enumeration (technology stack)
3. Database Enumeration (database versions, configurations)

# Input to Vulnerability Assessment:
- Target IP ranges and hostnames
- Service inventory with versions
- Authentication credentials (if obtained)
- Technology stack information
```

#### **Phase 2: Vulnerability Scanning**

```bash
# Scanning Strategy:
1. Network discovery scan (validate enumeration)
2. Basic vulnerability scan (unauthenticated)
3. Credentialed vulnerability scan (if credentials available)
4. Web application vulnerability scan
5. Database vulnerability scan (if databases identified)
```

#### **Phase 3: Results Correlation**

```bash
# Correlate with Enumeration Findings:
- Verify service versions match enumeration
- Cross-reference web technologies with vulnerabilities
- Identify authentication mechanisms to target
- Prioritize vulnerabilities based on attack path
```

### **Exploitation Planning**

```bash
# Vulnerability-to-Exploit Mapping:
Critical Findings → Immediate exploitation attempts
High Findings → Secondary exploitation targets
Medium/Low → Post-exploitation persistence opportunities

# Documentation for Exploitation:
- Affected services and versions
- Proof-of-concept availability
- Exploit complexity and requirements
- Potential impact and business risk
```

***

## **Best Practices**

### **Scanning Ethics and Safety**

```bash
# Pre-Scan Considerations:
1. Obtain written authorization for testing
2. Define scan scope and exclusions
3. Schedule scans during maintenance windows
4. Coordinate with IT teams and security operations
5. Prepare incident response procedures
```

### **Performance Optimization**

```bash
# Network Considerations:
- Scan during off-peak hours
- Limit concurrent connections
- Use scan throttling for sensitive systems
- Monitor network bandwidth utilization
- Coordinate with network operations teams
```

### **Credential Security**

```bash
# Secure Credential Management:
1. Use dedicated scanning accounts: local checks need sudo / local-admin rights, so constrain them in
   other ways (logon allowed only from the scanner's IP, no interactive logon, never reused for administration)
2. Rotate scanning credentials regularly, or pull them at scan time from a supported password vault
   instead of storing them in the policy
3. Implement strong password policies
4. Monitor scanning account usage: a logon from any host other than the scanner is an incident
5. Disable accounts when not in use
```

### **Quality Assurance**

```bash
# Scan Validation:
1. Review scan completeness and coverage
2. Verify credentialed vs. uncredentialed results
3. Cross-reference with known vulnerabilities
4. Validate high-severity findings manually
5. Document scan limitations and exclusions
```

***

## **Tools Summary**

| Tool                    | Purpose                              | Use Case                         |
| ----------------------- | ------------------------------------ | -------------------------------- |
| **Nessus Professional** | Comprehensive vulnerability scanning | Primary vulnerability assessment |
| **Nessus Essentials**   | Free edition, limited to 16 IP addresses | Small environment testing        |
| **Tenable.io** (now Tenable Vulnerability Management) | Cloud-based vulnerability management | Enterprise continuous monitoring |
| **Nessus Agent**        | Continuous monitoring                | Internal asset assessment        |

***

## **Key Takeaways**

1. **Credentialed scanning** provides significantly more comprehensive results than network-only scans
2. **Custom scan policies** enable consistent and targeted vulnerability assessments
3. **Plugin management** is essential for reducing false positives and improving accuracy
4. **Authentication verification** ensures credentialed scans are functioning properly
5. **Risk-based prioritization** focuses remediation efforts on the most critical vulnerabilities
6. **Integration with enumeration** phases provides comprehensive security assessment
7. **Proper documentation** supports effective vulnerability management programs

***

## **References**

* Tenable Nessus User Guide
* HTB Academy: Vulnerability Assessment
* NIST SP 800-40: Guide to Enterprise Patch Management
* OWASP Vulnerability Scanning Guide
* PCI DSS Vulnerability Scanning Procedures
* SANS Vulnerability Assessment Methodologies
