Nessus Vulnerability Scanner

Justin Wolbert
Jun 12, 2022

Photo Source: https://infosecwriteups.com/how-to-setup-advance-nessus-network-scan-c7fcf89e417b

What Is Nessus?

Nessus is one of the most popular vulnerability scanners and is developed by Tenable. This is an open-source vulnerability scanner that will raise an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any device that is connected to a given network. Nessus addresses one of the Basic CIS Critical Security Controls, Continuous Vulnerability Management.

Why Use Nessus?

Nessus is a fantastic tool for administrators who are in charge of a domain (group of computers) connected to the internet. Nessus is best used in this type of setting to check for vulnerabilities that may be easily exploitable and to help harden the environment. It is important to understand, however, that Nessus is part of a security solution and is not a complete security solution. Ultimately, Nessus will do its part in checking for vulnerabilities, but it is then up to you to patch the vulnerabilities to prevent them from being exploited.

Nessus Steps:

  1. Port Scanning - the scanner is going to go out there and determine what hosts are alive and what ports are open on those hosts
  2. Service Detection - will send out probes to see what application is running on that port, along with the version number, and the name of the application
  3. Vulnerability Identification - will compare the services detected on each host, with their application names and version numbers, against Nessus’ database of known vulnerabilities
  4. Probing - try to further identify if there are false positives and whether that vulnerability indeed exists

Warning: It is important and ethical to only scan networks that you have written permission to scan as this can get you into legal trouble.

Nessus Project at the IT Service Desk

I interestingly ran into a situation at my IT Service Desk job for UC Davis about a month ago where I was asked by our IT Security Analyst to remediate a Microsoft vulnerability. She provided me with what Nessus found and then I was responsible for actually going to find the computer and providing the patch. Nessus in this situation actually had provided a recommended mitigation strategy for the vulnerability which worked perfectly. I did not know entirely what Nessus was capable of in terms of scope. Now I understand after going through the TryHackMe room what Nessus can provide and then why I had to actually go and patch the vulnerability. This project at the IT Service Desk intrigued me so I decided to use Nessus on my home network, which I will discuss later in this post.

What Are Some of the Scans Available With Nessus?

Host Discovery — a simple scan to discover live hosts and any open ports

Basic Network Scan — performs a full system scan that is suitable for any host

Malware Scan — performs a scan for malware on Windows and Unix systems

Web Application Tests — scan for published and unknown web vulnerabilities

There are many more scans available but these are the primary scans that I used when going through the TryHackMe room.

What Are the Vulnerability Categories?

There are 5 categories that vulnerabilities fall under as shown in the image above. These categories are based on the vulnerability's static CVSSv2 or CVSSv3 score, depending on the configuration. Obviously, Critical ratings require the most attention and should be looked at immediately. However, the Info rating should not be taken lightly. It is still important to read what is reported in this category and not skip over it. The Info category gives a great deal of data on the way that things are configured and can be used as an opportunity to verify those configurations. Pentesters will also be able to get plenty of useful information from the Info category, and even just from completing a Nessus scan.
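As an added example (not from the original post or from Tenable), the script below triages a scan export by these categories and keeps the Info items. It assumes a Nessus v2 (.nessus) XML export whose ReportItem elements carry a severity attribute from 0 (Info) to 4 (Critical); the sample data is constructed, reusing the CVE IDs and solution text discussed later in this post.

```python
import xml.etree.ElementTree as ET  # for untrusted files, parse with defusedxml instead

# Category names for the `severity` attribute (0-4) of a .nessus v2 export.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: host, plugin IDs and the Medium/Info items are made up.
SAMPLE = """<NessusClientData_v2><Report name="home-scan">
 <ReportHost name="192.0.2.10">
  <ReportItem port="0" protocol="tcp" severity="3" pluginID="900001"
              pluginName="Adobe Creative Cloud Desktop outdated (constructed)">
   <cve>CVE-2021-21068</cve><cve>CVE-2021-21078</cve><cve>CVE-2021-21069</cve>
   <solution>Upgrade to Adobe Creative Cloud Desktop version 5.4.</solution>
  </ReportItem>
  <ReportItem port="443" protocol="tcp" severity="2" pluginID="900002"
              pluginName="Self-signed TLS certificate (constructed)">
   <solution>Install a certificate issued by a trusted CA.</solution>
  </ReportItem>
  <ReportItem port="80" protocol="tcp" severity="0" pluginID="900003"
              pluginName="Web server banner (constructed)">
   <plugin_output>Server: ExampleHTTPd/1.0</plugin_output>
  </ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

def parse_findings(xml_text):
    """Return one dict per ReportItem with its category, CVEs, solution and output."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "severity": SEVERITY[int(item.get("severity"))],
                "plugin": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],
                "solution": (item.findtext("solution") or "").strip(),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    return findings

def triage(findings):
    """Group findings by category, most severe first; Info items are kept."""
    order = ["Critical", "High", "Medium", "Low", "Info"]
    grouped = {name: [f for f in findings if f["severity"] == name] for name in order}
    return {name: items for name, items in grouped.items() if items}

if __name__ == "__main__":
    for name, items in triage(parse_findings(SAMPLE)).items():
        print(name, [(f["plugin"], f["cves"], f["solution"] or f["output"]) for f in items])
```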

Nessus TryHackMe Room

This room in the Cyber Defense Pathway on TryHackMe was incredible. I enjoyed seeing what Nessus can be used for. This room only covered the Nessus Essentials version, which is free, so not every feature is included. The main limitation is that only 16 IP addresses can be scanned. Obviously, this would not be sufficient in most corporate environments.

Nessus can really do so much and I only scratched the surface. Nessus is often considered to be similar to Nmap, but it really is capable of so much more. It can do things like credentialed scanning, which is when we have an account with privileges (usually administrator privileges) so that we can log in and run system checks. This looks for more specific items within the operating system that we wouldn’t be able to see externally from the device. Credentialed scans give the most validity and should be used when running in an IT environment as an administrator to know best which vulnerabilities need to be patched. I have also heard that Nessus can be an extremely useful tool for compliance. Nessus in paid versions can go through and identify and scan for the configurations needed for, say, HIPAA compliance, which I think is a super neat feature to help in automating the process. This really helps avoid going box to box to check on group policy configurations.

In this TryHackMe room, I was able to walk through the Nessus GUI and really see some of the scan types that Nessus covers. I was able to run a “Basic Network Scan” on a machine that I had to remote into (TryHackMe’s machine). In this scan, I was responsible for discovering all ports and used the scan low bandwidth links feature. After completing this scan, I was able to discover that an Apache HTTP Server was reported as a vulnerability by Nessus. The question related to this was looking for me to find the Apache HTTP Server Version number reported by Nessus, and I was able to find that it was 2.4.99. Below is a screenshot of some of the questions I was able to answer when running a Basic Network Scan on TryHackMe’s VM given in the room.

Scanning My Home Network

I ran a basic network scan on my host and this is what I was able to find.

As we can see in the image above, I have some vulnerabilities that are listed with severity of HIGH. Immediately what caught my attention was the Adobe Creative Cloud Desktop and Microsoft Visual Studio Code vulnerabilities. These are both applications that I don’t use frequently. I had thought that I had uninstalled Adobe Creative Cloud Desktop in the past, but it appears that I didn’t do a proper uninstall. For Microsoft Visual Studio Code, I simply don’t use the application enough and must not have had automatic updates turned on. I decided to go ahead and uninstall Microsoft Visual Studio Code altogether. Below I will dig a little deeper into the Adobe vulnerability.

I had not even realized that I had Adobe Creative Cloud Desktop installed on my device, which is why it was behind on updates. Nessus allowed me to catch that this is a vulnerability because it is not updated to the most recent version. Specifically, we can see that Nessus provides the vulnerabilities, which are CVE-2021-21068, CVE-2021-21078, and CVE-2021-21069. Because I am running Adobe Creative Cloud Desktop 5.4 it is susceptible to the vulnerabilities that I listed. Nessus also provides a solution which is “Upgrade to Adobe Creative Cloud Desktop version 5.4.” However, I am just going to download the official uninstaller and delete this altogether because I do not use this particular application and would prefer to not have something like this happen again. Also, I would like to note that a remediation tab is directly next to the vulnerabilities tab. What is shown in the remediation tab is the exact same as the solution given on the page that I posted above.

I would also like to highlight this section below.

This is from the same Adobe vulnerability that I was looking at above. However, I took a screenshot and zoomed in more to highlight these sections. The Risk Information section is useful because it gives information like the risk factor and the different ratings that have been given to the specific vulnerability. Also, directly below is Vulnerability Information. This section highlights some key facts like the patch publish date and when the vulnerability itself was published or found. This can be useful information to see how long a vulnerability might have been roaming around. Finally, we get to the Reference Information. This section is awesome because it provides further details from NIST.

Below is a screenshot of when I click on the CVE-2021-21069 vulnerability to find out more information.

In this screenshot, we can see that we receive more information on the vulnerability. We see that any versions prior to 5.3 for Adobe Creative Cloud Desktop Application are affected by a local privilege escalation vulnerability which could allow an attacker to call functions against the installer to perform high privileged actions. This is a big deal because privilege escalation is no joke and can allow the attacker to do some nefarious things, so it makes sense why the base score is as high as it is. The vendor website also is useful information to find the solution to the vulnerability if there is one.

Why Do I Think Nessus Is Useful?

Nessus is a fantastic tool for security professionals to be able to go out and find any vulnerabilities that may be floating around within your environment. Nessus can be scheduled to scan automatically and can even email the scan reports to someone in the event that red flags occurred, but this can be customized to one’s liking. Something that I found particularly cool is that Nessus displays the vulnerabilities in real time, so you don’t have to wait for the scanning to be fully complete before getting results. Nessus is a fascinating tool that I plan to continue using and would love to learn more about.

Thank you for taking the time to read this posting on Nessus and I hope you were able to learn or refresh on this incredible vulnerability scanner.

Sources:
https://www.cs.cmu.edu/~dwendlan/personal/nessus.html
