Vulnerability Assessment

Overview

Vulnerability Assessment is a critical phase in penetration testing that identifies security weaknesses in systems, networks, and applications. This guide focuses on Nessus Professional, the industry-standard vulnerability scanner, with emphasis on credentialed scanning and advanced configuration.

Key Objectives:

  • Identify known vulnerabilities (CVEs)

  • Assess security misconfigurations

  • Evaluate authentication mechanisms

  • Prioritize security risks by severity

  • Generate comprehensive reports for remediation


Nessus Professional

Why Nessus?

Industry Standard Features:

  • 145,973+ Plugins - Covers 58,391 CVE IDs and 30,696 Bugtraq IDs

  • NASL Scripting - Nessus Attack Scripting Language for custom checks

  • Credentialed Scanning - Deep system analysis with legitimate access

  • Professional Reporting - Executive and technical reports

  • Continuous Updates - Daily plugin updates from Tenable

  • Compliance Scanning - PCI DSS, HIPAA, SOX, CIS benchmarks

Installation and Setup

# Download Nessus Professional from Tenable
# https://www.tenable.com/products/nessus

# Install on Kali Linux (pick the .deb for your CPU: amd64 for x86-64 VMs, arm64 for Apple Silicon / ARM hosts)
sudo dpkg -i Nessus-X.X.X-debian6_arm64.deb

# Start Nessus service
sudo systemctl enable nessusd
sudo systemctl start nessusd

# Access web interface
https://localhost:8834

Initial Configuration:

  1. Create admin account with strong credentials

  2. Enter activation code (Professional license required)

  3. Download plugins (automatic update process)

  4. Configure scan policies for different scenarios


Scan Policies

Overview

Scan policies are customized scan configurations that can be saved, reused, and shared. They allow penetration testers to create targeted scans for specific scenarios while maintaining consistency across assessments.

Benefits:

  • Consistency - Standardized scanning approach

  • Efficiency - Pre-configured settings for common scenarios

  • Customization - Tailored scans for specific environments

  • Portability - Export/import between Nessus scanners

Creating Custom Scan Policies

Step 1: Policy Creation

# Navigate to Policies tab
Policies → New Policy → Advanced Scan

# Policy Configuration:
# - Name: HTB_Professional_Scan
# - Description: Comprehensive credentialed scan for penetration testing
# - Folder: User Defined

Step 2: Basic Settings

# Discovery Settings:
Port Scan (common ports): Enabled
Port Scan (all ports): Enabled for critical assets
Network Ping: Enabled
TCP Ping: Enabled
Service Recognition: Enabled

# Assessment Settings:
General: All vulnerability families enabled
Web Applications: Enabled for web servers
Windows: Enabled for Windows targets
Unix: Enabled for Linux/Unix targets

Step 3: Advanced Settings

# Performance Settings:
Max simultaneous hosts per scan: 5 (adjust based on network)
Max simultaneous checks per host: 5
Network timeout (seconds): 5
Max checks per host: Unlimited
Read timeout (seconds): 10

# Scan Options:
Safe checks: Enabled by default. Disable only for authorized testing of non-production targets: unsafe checks can crash or hang fragile services and are what turns "comprehensive" into an outage.
Stop scanning hosts that become unresponsive during the scan: Enabled
Designate hosts by their DNS name: Enabled
Log scan details to server: Enabled

Specialized Scan Policies

Stealth Scan Policy

# Policy Name: HTB_Stealth_Scan
# Description: Low-impact scanning for sensitive environments

# Configuration:
- Reduce scan speed (fewer simultaneous hosts and checks per host) to stay under IDS/IPS rate thresholds
- Enable safe checks only
- Limit concurrent connections
- Pick the port scanner deliberately: the TCP connect() scanner completes the handshake, so the service logs it but fragile stacks tolerate it; the SYN scanner is quieter at the application layer but half-open connections are exactly what network IDS signatures look for
- Disable aggressive service detection

Web Application Focused Policy

# Policy Name: HTB_WebApp_Scan
# Description: Focused on web application vulnerabilities

# Plugin Families:
- Web Servers: Enabled
- CGI abuses: Enabled
- CGI abuses : XSS: Enabled
- General: Web-related plugins only
- Settings: Enable web app testing

Internal Network Policy

# Policy Name: HTB_Internal_Credentialed
# Description: Comprehensive internal network assessment

# Configuration:
- All plugin families enabled
- Credentialed scanning enabled
- Compliance checks enabled
- Malware detection enabled
- Local security checks enabled

Nessus Plugins

Plugin Architecture

Nessus Attack Scripting Language (NASL):

  • Every plugin is a NASL script; custom checks are written in the same language

  • Plugin metadata carries the severity rating (Critical, High, Medium, Low, Info), derived from the CVSS base score

  • Vulnerability intelligence: CVE/CWE mapping and exploit-availability flags

  • Remediation guidance: specific steps to fix identified issues

Plugin Families

Family                | Description                              | Use Case
----------------------|------------------------------------------|-----------------------------------------------
Web Servers           | HTTP/HTTPS server vulnerabilities        | Web application testing
Windows               | Windows OS and service vulnerabilities   | Windows infrastructure
Backdoors             | Known backdoor and malware detection     | Compromise assessment
Databases             | Database-specific vulnerabilities        | Database security testing
General               | Miscellaneous vulnerability checks       | Comprehensive scanning
Denial of Service     | DoS vulnerability testing                | Availability testing (only with safe checks disabled and explicit approval)
Default Unix Accounts | Default account detection                | Configuration assessment
SCADA                 | Industrial control system security       | Critical infrastructure (passive settings; ICS stacks crash easily)

Plugin Management

Plugin Rules for False Positive Management

# Navigate to Resources → Plugin Rules
# A plugin rule only changes how a result is displayed (hide it, or force a severity); it does not fix the finding.
# Give every rule an expiry and a comment, and list hidden results in a report appendix so the exception stays auditable.

# Example: Hide SSL Self-Signed Certificate for an internal host
Rule Configuration:
- Host: internal.company.com
- Plugin ID: 57582 (SSL Self-Signed Certificate)
- Action: Hide this result
- Expiration: 90 days
- Comment: Internal PKI uses self-signed certificates by design

Common False Positive Exclusions

# Microsoft DirectAccess SSL Configuration
Plugin: SSL Null Cipher Suites Supported (take the ID from the finding itself; 20007, which some notes quote here, is "SSL Version 2 and 3 Protocol Detection")
Hosts: directaccess.company.com
Reason: DirectAccess IP-HTTPS uses null ciphers by design, since the tunnelled traffic is already IPsec-protected

# Internal DNS Servers
Plugin ID: 35703 (confirm against the finding: the usual plugin here is "DNS Server Recursive Query Cache Poisoning Weakness")
Hosts: dns1.internal.com, dns2.internal.com
Reason: Internal recursive DNS by design, reachable only from internal networks

# Development Environments
Plugin ID: Multiple (Nessus takes one plugin ID per rule, so this becomes one rule per plugin)
Hosts: dev-*.company.com
Reason: Development environment exceptions (still time-boxed with an expiry)

Credentialed Scanning

Overview

Credentialed scanning provides legitimate authenticated access to target systems, enabling Nessus to perform comprehensive security assessments that are impossible with network-only scanning.

Benefits:

  • Deep system analysis - Local security configurations

  • Patch level assessment - Missing security updates

  • Configuration auditing - Security policy compliance

  • Local privilege escalation - Misconfigured permissions

  • Malware detection - File system analysis

Authentication Methods

SSH Authentication (Linux/Unix)

# SSH Password Authentication (credentials shown are placeholders)
Authentication Method: Password
Username: scanner
Password: test1234
Privilege Escalation: sudo   (Nessus also supports su, su+sudo, dzdo, pbrun and .k5login)
sudo Password: test1234      (leave empty if the account has NOPASSWD sudo)

# SSH Public Key Authentication
Authentication Method: Public Key
Username: scanner
SSH Private Key: [Upload the private key file; Nessus does not need the public key, which lives in the target's authorized_keys]
Passphrase: [If private key is encrypted]
Privilege Escalation: sudo

SSH Key Generation

# Generate a dedicated SSH key pair for scanning (never reuse a personal key)
ssh-keygen -t rsa -b 4096 -C "nessus-scanner@company.com" -f ~/.ssh/nessus_scanner

# Copy public key to target systems
ssh-copy-id -i ~/.ssh/nessus_scanner.pub scanner@target-host

# Optional hardening on the target: restrict the key to the scanner's address in ~/.ssh/authorized_keys
#   from="10.10.10.5" ssh-rsa AAAA... nessus-scanner@company.com     (10.10.10.5 = scanner IP, example value)
# and grant passwordless sudo only if you will not supply a sudo password in Nessus

# Configure Nessus with private key
# Upload ~/.ssh/nessus_scanner (the private key) to Nessus credentials

Windows Authentication

# Windows Password Authentication (credentials shown are placeholders)
Authentication Method: Password
Username: administrator
Password: test1234
Domain: COMPANY
Auth Type: NTLM
# Full local checks need local administrator rights on each target plus access to the ADMIN$ and C$ shares.

# Windows Hash Authentication (Pass-the-Hash)
Authentication Method: NTLM Hash
Username: administrator
NTLM Hash: [32 hex characters; the NT hash is what NTLM authentication actually uses]
LM Hash: [32 hex characters; on modern hosts this is the empty-password LM value and can be left as such]
Domain: COMPANY
# Only relevant when a hash was recovered in an earlier phase; it is a pentest technique, not a routine scanning setup.

Kerberos Authentication

# Kerberos Configuration
Authentication Method: Kerberos
Username: scanner          (no realm suffix; the realm is its own field)
Password: test1234
KDC IP: 10.10.10.100       (a domain controller)
KDC Port: 88
KDC Transport: TCP         (the Nessus default; fall back to UDP only if TCP/88 is filtered)
Realm: COMPANY.COM         (uppercase)

Database Credentialed Scanning

Microsoft SQL Server

# SQL Server Configuration
Database Type: Microsoft SQL Server
Server: 10.10.10.50
Port: 1433
Authentication Type: SQL Server
Username: sa
Password: test1234
Windows Authentication: Disabled

# Verification in Nessus Output:
# "Info: Microsoft SQL Server login possible"
# "Credentialed checks enabled for MSSQL on port 1433"

MySQL/MariaDB

# MySQL Configuration
Database Type: MySQL
Server: 10.10.10.51
Port: 3306
Username: root
Password: test1234
Database: information_schema

PostgreSQL

# PostgreSQL Configuration
Database Type: PostgreSQL
Server: 10.10.10.52
Port: 5432
Username: postgres
Password: test1234
Database: postgres
SSL Mode: Require

Oracle Database

# Oracle Configuration
Database Type: Oracle
Server: 10.10.10.53
Port: 1521
Username: system
Password: test1234
SID: ORCL
TNS Names File: [Optional tnsnames.ora upload]

Web Application Authentication

HTTP Basic Authentication

# Basic Auth Configuration
Authentication Method: Basic
Username: admin
Password: test1234
Login URL: https://webapp.company.com/admin

HTTP Form-Based Authentication

# Form Auth Configuration
Authentication Method: Login Form
Username: admin
Password: test1234
Login Page: /login.php
Username Parameter: username
Password Parameter: password
Submit Page: /process_login.php
Logout Page: /logout.php
Logout Pattern: "Successfully logged out"

HTTP Header Authentication

# Custom Header Auth
Authentication Method: HTTP Headers
Headers:
  Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
  X-API-Key: ABC123456789DEF
  User-Agent: Nessus-Scanner/10.4

Verification of Credentialed Access

Successful Authentication Indicators

# Check these plugins before trusting any "clean" host:
# 19506  Nessus Scan Information - the output line "Credentialed checks : yes" (or "no") is the definitive answer
# 141118 Target Credential Status by Authentication Protocol - Valid Credentials Provided - names the protocol (SSH, SMB, ...) that authenticated
# 21745  Authentication Failure - Local Checks Not Run - credentials were supplied but did not work
# 110385 Target Credential Issues by Authentication Protocol - Insufficient Privilege - login worked but the account cannot run the local checks

# SSH Authentication Success
Plugin Output: "Successful login with provided credentials"
Info Plugin: "It was possible to log into the remote host"

# Windows Authentication Success
Plugin Output: "Nessus was able to log into the Windows host"
Info Plugin: "SMB login successful with provided credentials"

# Database Authentication Success
Plugin Output: "Credentialed checks enabled for MSSQL on port 1433"
Version Detection: "Microsoft SQL Server 2019 - 15.0.2000.5"
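As an added example (not part of the original notes and not Tenable code), the script below reads a .nessus export and answers the question this section is about, per host: did credentialed checks actually run? It keys on three real plugins: 19506 Nessus Scan Information, whose output contains "Credentialed checks : yes" or "no"; 141118 Target Credential Status by Authentication Protocol - Valid Credentials Provided; and 21745 Authentication Failure - Local Checks Not Run. The embedded XML is constructed for the example; the host addresses, the plugin outputs and the pluginID="0" items are placeholders, not real scan data.

```python
"""Parse a .nessus v2 export and report each host's credential status (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

SCAN_INFO = "19506"      # Nessus Scan Information: output has "Credentialed checks : yes|no"
AUTH_FAILURE = "21745"   # Authentication Failure - Local Checks Not Run
AUTH_SUCCESS = "141118"  # Target Credential Status by Authentication Protocol - Valid Credentials Provided

# Constructed sample export: hosts, outputs and the pluginID="0" items are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="HTB_Internal_Credentialed">
  <ReportHost name="10.10.10.20">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information">
    <plugin_output>Scan policy used : HTB_Internal_Credentialed
Credentialed checks : yes</plugin_output>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="141118" pluginName="Target Credential Status by Authentication Protocol - Valid Credentials Provided">
    <plugin_output>Protocol : SSH
Successful authentication : yes</plugin_output>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="0" pluginName="Constructed placeholder local check">
    <cvss3_base_score>8.1</cvss3_base_score>
    <exploit_available>true</exploit_available>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.10.10.21">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information">
    <plugin_output>Scan policy used : HTB_Internal_Credentialed
Credentialed checks : no</plugin_output>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="21745" pluginName="Authentication Failure - Local Checks Not Run">
    <plugin_output>Constructed output: SSH login for user scanner failed (permission denied)</plugin_output>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return {host: [finding dict, ...]} from .nessus v2 XML (ReportHost / ReportItem)."""
    hosts = {}
    for report_host in ET.fromstring(xml_text).iter("ReportHost"):
        findings = []
        for item in report_host.iter("ReportItem"):
            findings.append({
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),  # 0 info ... 4 critical
                "port": int(item.get("port", "0")),
                "output": (item.findtext("plugin_output") or "").strip(),
                "cvss3": float(item.findtext("cvss3_base_score") or 0.0),
                "exploit_available": (item.findtext("exploit_available") or "false") == "true",
                "cves": [c.text for c in item.findall("cve")],
            })
        hosts[report_host.get("name")] = findings
    return hosts


def credential_status(findings):
    """Return (credentialed, detail) for one host; an explicit 21745 failure wins."""
    by_id = {}
    for f in findings:
        by_id.setdefault(f["plugin_id"], []).append(f)
    if AUTH_FAILURE in by_id:
        return False, by_id[AUTH_FAILURE][0]["output"]
    info = by_id.get(SCAN_INFO, [{"output": ""}])[0]["output"]
    match = re.search(r"Credentialed checks\s*:\s*(yes|no)", info)
    if match and match.group(1) == "yes":
        protocols = [re.search(r"Protocol\s*:\s*(\S+)", f["output"]) for f in by_id.get(AUTH_SUCCESS, [])]
        names = [m.group(1) for m in protocols if m]
        return True, "credentialed via " + (", ".join(names) or "unknown protocol")
    return False, "plugin 19506 does not confirm credentialed checks"


def summarize(hosts):
    """Per-host summary to review before accepting a host as clean."""
    summary = {}
    for host, findings in hosts.items():
        credentialed, detail = credential_status(findings)
        by_severity = Counter(f["severity"] for f in findings if f["severity"] > 0)
        summary[host] = {
            "credentialed": credentialed,
            "detail": detail,
            "by_severity": dict(by_severity),
            "exploitable": sum(1 for f in findings if f["exploit_available"]),
        }
    return summary


if __name__ == "__main__":
    for host, s in summarize(parse_nessus(SAMPLE_NESSUS)).items():
        flag = "OK" if s["credentialed"] else "!!"
        print(f"{flag} {host}: {s['detail']}; by severity {s['by_severity']}; exploitable {s['exploitable']}")
```

Against a real export, call parse_nessus(open("scan.nessus").read()). A host the summary flags as not credentialed has only been scanned from the network; fix the credential and rescan rather than reporting it as clean.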

Authentication Failure Troubleshooting

# Common SSH Issues:
- Wrong username/password, or the key uploaded for the wrong user
- Permissions on the target: ~/.ssh must be 700 and authorized_keys 600, or sshd silently ignores the key
- sudo prompts for a password Nessus was not given, or the account has no sudo rights at all
- SSH service not running, or PasswordAuthentication / PubkeyAuthentication disabled in sshd_config
- Firewall blocking port 22 (or SSH on a non-standard port not set in the credential)
- Account locked, disabled, or forced into an interactive prompt (MOTD, password change) that breaks automation

# Common Windows Issues:
- Remote UAC blocking a local, non built-in administrator: set LocalAccountTokenFilterPolicy=1 or scan with a domain account
- Remote Registry service stopped (tick "Start the Remote Registry service during the scan") or ADMIN$/C$ shares unavailable
- Windows Firewall blocking SMB (TCP 445) and WMI
- Account not in the local Administrators group
- NTLM disabled by policy; switch the credential to Kerberos
- Account password expired or "must change at next logon"

# Common Database Issues:
- Database service not running, or listening only on localhost
- Wrong port or instance name (named SQL Server instances do not sit on 1433)
- User lacks the permissions the checks need (system views, INFORMATION_SCHEMA)
- SSL/TLS configuration mismatch
- Network connectivity issues
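The SSH failures above are cheap to catch before a scan is launched. The script below is an added example (not from the original notes or from Tenable): it drives the system ssh client, assumed to be in PATH, in batch mode, runs "sudo -n id -u" so that both the login and the non-interactive privilege escalation Nessus relies on are exercised, and maps the result onto the causes listed. The host, user and key path in the usage block are placeholders.

```python
"""Pre-flight an SSH scanning account before a credentialed scan (added example)."""
import subprocess


def build_ssh_check(host, user, key_path, port=22):
    """argv for a non-interactive login that can never hang on a prompt."""
    return [
        "ssh", "-p", str(port), "-i", key_path,
        "-o", "BatchMode=yes",                     # never prompt for passwords or passphrases
        "-o", "ConnectTimeout=5",
        "-o", "StrictHostKeyChecking=accept-new",  # pin the host key on first contact, refuse changes later
        "-o", "LogLevel=ERROR",
        f"{user}@{host}",
        "sudo -n id -u",                           # prints 0 only if passwordless escalation to root works
    ]


def classify(returncode, stderr, stdout):
    """Map the ssh/sudo outcome onto the troubleshooting list; returns (status, advice)."""
    err = stderr.lower()
    if returncode == 255:  # 255 is ssh's own error code; anything else is the remote command's
        if "too open" in err or "unprotected private key" in err:
            return "key_permissions", "chmod 600 the private key on the scanner host"
        if "host key verification failed" in err:
            return "host_key", "known_hosts entry changed; verify the host before continuing"
        if "connection refused" in err or "timed out" in err or "no route to host" in err:
            return "unreachable", "sshd down, wrong port, or a firewall blocking the scanner"
        if "permission denied" in err:
            return "auth_failed", ("key not in authorized_keys (check ~/.ssh 700, authorized_keys 600), "
                                   "wrong username, or account locked/disabled")
        return "ssh_error", stderr.strip()
    if "a password is required" in err:
        return "no_sudo", "login works but sudo wants a password: add NOPASSWD or set the sudo password in Nessus"
    if returncode == 127:
        return "no_sudo", "sudo is not installed on the target; use su or another escalation method"
    if "not allowed" in err or "not in the sudoers" in err:
        return "no_sudo", "account cannot escalate: add a sudoers rule or switch escalation method"
    if returncode == 0 and stdout.strip() == "0":
        return "ok", "login and non-interactive root escalation both work"
    if returncode == 0:
        return "not_root", f"sudo ran as uid {stdout.strip()}, not 0; check the sudoers rule"
    return "unknown", f"rc={returncode} {stderr.strip()}"


def preflight(host, user, key_path, port=22):
    """Run the check; suitable for a scheduler step that gates the scan job."""
    proc = subprocess.run(build_ssh_check(host, user, key_path, port),
                          capture_output=True, text=True, timeout=30)
    return classify(proc.returncode, proc.stderr, proc.stdout)


if __name__ == "__main__":
    # Placeholder target: substitute the scanning account and key configured in Nessus.
    print(preflight("10.10.10.20", "scanner", "/opt/nessus/keys/scanner_key"))
```

Run it from the scanner host itself, so the check sees the same network path, source address and authorized_keys from= restriction that the scan will.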

HTB Academy Lab Configuration

Lab Credentials

Linux Systems

# HTB Academy Lab Credentials
Username: htb-student_adm
Password: dummy123
Privilege Escalation: sudo
Access Type: SSH on port 22

Windows Systems

# HTB Academy Lab Credentials
Username: administrator
Password: dummy123
Domain: HTB
Access Type: SMB/WMI authentication

Pre-configured Scans

Note: HTB Academy provides pre-configured credentialed scans to save time during the lab exercises. These scans demonstrate:

  1. Linux Credentialed Scan - Using htb-student_adm account

  2. Windows Credentialed Scan - Using administrator account

  3. Comparison Analysis - Credentialed vs. non-credentialed results


Advanced Scanning Techniques

Compliance Scanning

PCI DSS Compliance

# PCI DSS Configuration
Compliance Standard: PCI DSS v3.2.1 as listed in the source notes; v3.2.1 was retired on 31 March 2024, so select the current v4.0 audit file
Scan Type: Internal Network Scan (an internal scan is not an ASV scan; the quarterly external scan must be run by an Approved Scanning Vendor)
Required Plugins:
- Payment Card Industry (PCI) DSS
- SSL/TLS Configuration
- Default Account Detection
- Vulnerability Assessment

CIS Benchmarks

# CIS Benchmark Configuration
Benchmark: CIS Microsoft Windows 10 Enterprise
Level: Level 1 (Basic)
Customization: Company-specific modifications
Output: Pass/Fail for each control

Malware Detection

# Enable Malware Detection (in the scan policy; needs credentials)
Settings → Assessment → Malware
Enable: "Scan file system" (Windows and Linux targets)
Methods:
- Hash lookups of running processes and scanned files against Tenable's known-malware data
- Custom allowlist/blocklist hash files uploaded to the policy
- YARA rules uploaded to the policy
- Known backdoor services via the Backdoors plugin family

Patch Management Assessment

# Windows Patch Assessment
Plugin Families: Windows : Microsoft Bulletins
Credentialed: Required for accurate results
Output: Missing security updates by severity
Integration: Microsoft WSUS/SCCM data

# Linux Patch Assessment  
Plugin Families: Red Hat Local Security Checks
                Ubuntu Local Security Checks
                Debian Local Security Checks
Package Managers: yum, apt, zypper analysis

Scan Results Analysis

Vulnerability Prioritization

Risk-Based Analysis

# Priority 1: Critical Vulnerabilities
- Remote code execution
- Authentication bypass
- Privilege escalation
- SQL injection (high impact)

# Priority 2: High Vulnerabilities
- Sensitive information disclosure (credentials, keys, tokens)
- Cross-site scripting (stored)
- Insecure cryptographic storage
- Missing security patches (raise to Priority 1 when the patch fixes remote code execution with a public exploit)

# Priority 3: Medium Vulnerabilities
- Configuration weaknesses
- Cross-site scripting (reflected)
- Weak authentication mechanisms
- Information leakage that aids an attacker (internal hostnames, usernames, stack traces)

# Priority 4: Low/Info Vulnerabilities
- Banner disclosure
- SSL certificate information
- Directory listing enabled
- Verbose error messages

CVSS Score Integration

# CVSS v3.1 Metrics
Base Score: 0.0 - 10.0 (Nessus derives its severity from the CVSS v3 base score by default)
Temporal Score: Exploit availability adjustment
Environmental Score: Business impact consideration (set by you; the scanner cannot know asset value)

# Risk Rating (CVSS v3.1 qualitative scale):
- 9.0-10.0: Critical
- 7.0-8.9: High
- 4.0-6.9: Medium
- 0.1-3.9: Low
- 0.0: None (shown as Info in Nessus)

False Positive Management

Common False Positives

# SSL/TLS Configuration
Issue: "SSL Certificate Cannot Be Trusted"
Reality: Internal PKI with a valid chain that the scanner does not know
Action: Upload the internal root/intermediate CA certificates under Settings → Custom CA so the chain validates, instead of hiding the plugin

# Network Services
Issue: "Telnet Service Detection"
Reality: Legacy equipment requiring Telnet; this is a true finding, not a false positive
Action: Record it as an accepted risk with business justification, an owner and compensating controls (segmentation, no reused credentials)

# Web Applications
Issue: "Web Application Potentially Vulnerable to Cross-site Scripting"
Reality: Input validation present but not exercised by the scanner's payloads
Action: Manual verification (replay the exact request shown in the plugin output) and documentation
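The plugin-rule workflow from the Plugin Management section and the CVSS-based prioritisation above both come down to filtering and ordering the same list of findings, so one added example covers both (it is not part of the original notes and not Nessus code). It works on finding dicts shaped like a .nessus parser would produce (host, plugin_id, name, cvss3, exploit_available) and models the plugin-rule fields used in this guide: host pattern, plugin ID, action and expiry. The findings and rules are constructed placeholders; plugin_id "0" marks a constructed finding, and the "*" plugin wildcard is this example's own convention for a "dev-*" blanket exception, not a Nessus feature.

```python
"""Plugin-rule style exclusions plus CVSS v3.1 prioritisation (added example)."""
from datetime import date
from fnmatch import fnmatch

RATING_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def cvss_rating(score):
    """CVSS v3.1 qualitative severity scale (9.0+ Critical ... 0.0 None)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


RULES = [  # constructed; mirrors the Resources -> Plugin Rules fields, expiry as ISO date
    {"host": "internal.company.com", "plugin_id": "57582", "action": "hide",
     "expires": "2025-03-31", "comment": "Internal PKI uses self-signed certificates by design"},
    {"host": "dev-*.company.com", "plugin_id": "*", "action": "hide",
     "expires": "2025-12-31", "comment": "Development environment exception"},
]

FINDINGS = [  # constructed; plugin_id "0" = placeholder finding
    {"host": "internal.company.com", "plugin_id": "57582", "name": "SSL Self-Signed Certificate", "cvss3": 6.5, "exploit_available": False},
    {"host": "dev-api.company.com", "plugin_id": "57582", "name": "SSL Self-Signed Certificate", "cvss3": 6.5, "exploit_available": False},
    {"host": "10.10.10.21", "plugin_id": "0", "name": "constructed high, no public exploit", "cvss3": 7.5, "exploit_available": False},
    {"host": "10.10.10.23", "plugin_id": "0", "name": "constructed informational", "cvss3": 0.0, "exploit_available": False},
    {"host": "10.10.10.22", "plugin_id": "0", "name": "constructed high, public exploit", "cvss3": 7.5, "exploit_available": True},
    {"host": "10.10.10.20", "plugin_id": "0", "name": "constructed critical", "cvss3": 9.8, "exploit_available": True},
]


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def rule_matches(rule, finding, today):
    """A rule applies only while unexpired and when both host glob and plugin ID match."""
    if rule["expires"] and _as_date(today) > _as_date(rule["expires"]):
        return False
    if not fnmatch(finding["host"], rule["host"]):
        return False
    return rule["plugin_id"] in ("*", finding["plugin_id"])


def apply_plugin_rules(findings, rules, today):
    """Split findings into (kept, hidden); hidden results still go in the report appendix."""
    kept, hidden = [], []
    for f in findings:
        rule = next((r for r in rules if r["action"] == "hide" and rule_matches(r, f, today)), None)
        if rule is None:
            kept.append(f)
        else:
            hidden.append({**f, "hidden_by": rule["comment"]})
    return kept, hidden


def prioritize(findings):
    """Order for remediation and exploitation planning: rating, public exploit, score, host."""
    return sorted(findings, key=lambda f: (RATING_ORDER[cvss_rating(f["cvss3"])],
                                           not f["exploit_available"], -f["cvss3"], f["host"]))


if __name__ == "__main__":
    kept, hidden = apply_plugin_rules(FINDINGS, RULES, "2025-01-15")
    for f in prioritize(kept):
        print(f"{cvss_rating(f['cvss3']):8} {f['cvss3']:4} exploit={f['exploit_available']!s:5} {f['host']} {f['name']}")
    print(f"{len(hidden)} result(s) hidden by plugin rules; list them in an appendix")
```

Note that an expired rule stops hiding its finding, which is the behaviour you want: an exception that nobody renewed should resurface in the next report rather than stay silently suppressed.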

Verification Methods

# Manual Verification Steps:
1. Reproduce findings using manual testing
2. Analyze application source code (if available)
3. Consult with system administrators
4. Review security controls documentation
5. Perform additional targeted testing

Reporting and Documentation

Executive Summary Report

# Executive Report Elements:
- Risk overview and business impact
- Summary of critical findings
- Compliance status assessment
- Recommended remediation timeline
- Security posture improvement metrics

Technical Report

# Technical Report Elements:
- Detailed vulnerability descriptions
- Proof-of-concept evidence
- Step-by-step reproduction steps
- Technical remediation guidance
- References to CVE/CWE databases

Custom Report Templates

# Report Customization:
Templates → Create New Template
Sections:
- Cover page with company branding
- Executive summary
- Methodology description
- Detailed findings by severity
- Appendices with raw data

Compliance Reports

# Compliance-Specific Reports:
- PCI DSS Audit Report
- SOX IT Controls Assessment
- HIPAA Security Risk Analysis
- ISO 27001 Vulnerability Management
- NIST Cybersecurity Framework

Integration with CPTS Methodology

Workflow Integration

Phase 1: Post-Enumeration Assessment

# After completing enumeration phases:
1. Service Enumeration (ports, services, versions)
2. Web Application Enumeration (technology stack)
3. Database Enumeration (database versions, configurations)

# Input to Vulnerability Assessment:
- Target IP ranges and hostnames
- Service inventory with versions
- Authentication credentials (if obtained)
- Technology stack information

Phase 2: Vulnerability Scanning

# Scanning Strategy:
1. Network discovery scan (validate enumeration)
2. Basic vulnerability scan (unauthenticated)
3. Credentialed vulnerability scan (if credentials available)
4. Web application vulnerability scan
5. Database vulnerability scan (if databases identified)

Phase 3: Results Correlation

# Correlate with Enumeration Findings:
- Verify service versions match enumeration
- Cross-reference web technologies with vulnerabilities
- Identify authentication mechanisms to target
- Prioritize vulnerabilities based on attack path

Exploitation Planning

# Vulnerability-to-Exploit Mapping:
Critical Findings → Immediate exploitation attempts (after manual confirmation of the finding)
High Findings → Secondary exploitation targets
Medium/Low → Chaining material: information leaks, weak configurations and accounts that support lateral movement and post-exploitation

# Documentation for Exploitation:
- Affected services and versions
- Proof-of-concept availability
- Exploit complexity and requirements
- Potential impact and business risk

Best Practices

Scanning Ethics and Safety

# Pre-Scan Considerations:
1. Obtain written authorization for testing
2. Define scan scope and exclusions
3. Schedule scans during maintenance windows
4. Coordinate with IT teams and security operations
5. Prepare incident response procedures

Performance Optimization

# Network Considerations:
- Scan during off-peak hours
- Limit concurrent connections
- Use scan throttling for sensitive systems
- Monitor network bandwidth utilization
- Coordinate with network operations teams

Credential Security

# Secure Credential Management:
1. Use dedicated scanning accounts; full checks need root or local admin, so scope them instead of weakening them: sudo limited to the commands Nessus runs, authorized_keys restricted with from= to the scanner IP, Windows logon restricted to the scanner host
2. Rotate scanning credentials regularly and after every engagement
3. Implement strong password policies, and prefer keys or Kerberos over passwords and hashes
4. Monitor scanning account usage: a logon from any source other than the scanner is a compromise indicator worth alerting on
5. Disable accounts when not in use, and treat the scanner itself as a tier-0 asset, since it stores privileged credentials for the whole estate

Quality Assurance

# Scan Validation:
1. Review scan completeness and coverage
2. Verify credentialed vs. uncredentialed results
3. Cross-reference with known vulnerabilities
4. Validate high-severity findings manually
5. Document scan limitations and exclusions

Tools Summary

Tool                | Purpose                                              | Use Case
--------------------|------------------------------------------------------|----------------------------------
Nessus Professional | Comprehensive vulnerability scanning                 | Primary vulnerability assessment
Nessus Essentials   | Free version, limited to 16 IP addresses             | Small environment testing
Tenable.io          | Cloud-based vulnerability management (now Tenable Vulnerability Management) | Enterprise continuous monitoring
Nessus Agent        | Continuous monitoring from inside the host           | Internal asset assessment


Key Takeaways

  1. Credentialed scanning provides significantly more comprehensive results than network-only scans

  2. Custom scan policies enable consistent and targeted vulnerability assessments

  3. Plugin management is essential for reducing false positives and improving accuracy

  4. Authentication verification ensures credentialed scans are functioning properly

  5. Risk-based prioritization focuses remediation efforts on the most critical vulnerabilities

  6. Integration with enumeration phases provides comprehensive security assessment

  7. Proper documentation supports effective vulnerability management programs


References

  • Tenable Nessus User Guide

  • HTB Academy: Vulnerability Assessment

  • NIST SP 800-40: Guide to Enterprise Patch Management

  • OWASP Vulnerability Scanning Guide

  • PCI DSS Vulnerability Scanning Procedures

  • SANS Vulnerability Assessment Methodologies
