Vulnerability scanning is part of penetration testing. A vulnerability scanner is an automated program designed to look for weaknesses in computer systems, networks, and applications. There are many vulnerability scanners available for penetration Testing. But here we use Metasploit framework for scanning vulnerability.
Various operating systems respond differently because of the different networking implementations in use. These unique responses that vulnerability scanner uses to determine the operating system version and even its patch level. A vulnerability scanner can also use a given set of user credentials to log into the remote system and enumerate the software and services to determine whether they are patched.
The scanner presents a report outlining any vulnerability detected on the system. That report can be useful for both network administrators and penetration testers.
Nessus is the vulnerability management solution to analyze vulnerabilities, controls, and configurations to find who, what, and where of IT security risk. Tenable Network Security offers multiple versions of Nessus.
Metasploit’s Nessus plug-in lets you launch scans and pull information from Nessus scans via console.
After you have downloaded and installed Nessus, open your web browser and navigate to https://localhost:8834
Accept the certificate warning, and log into Nessus using the credentials you created during installation.
You should see the Nessus login window, as shown below.
You should see the Nessus window after login, as shown below.
Creating a Nessus Scan Policy:
Before beginning a scan, you first need to create a Nessus scan policy. On the Policies tab, click the green Add button to open the policy configuration window and select Basic Network Scan shown below:
Basic Scan contains three steps to configure Basic Network Scan Policy. So we select Basic Network Scan from the list and fill details shown as below:
Now next step is select scan type. In this case we scan internal Network Scan, So we choose Internal from dropdown list as shown bellow :
Now final step is fill credentials to detect missing patches and client-side Vulnerabilities As show below:
When you are done with your selections, click Submit to save the new policy. Your newly added policy should be displayed under Policies.
Running a Nessus Scan:
After you have created a scan policy, you are ready to configure a scan.
Select the Scans tab, and then click the New Scan button to open the scan configuration window. Fill credentials as shown bellow button:
In our example, we are scanning only one host, but you can also enter IP address ranges in CIDR notation or even upload a file containing the addresses of the targets you want to scan. When you are satisfied with the scan configuration, click Launch.
After the scan is complete, click on scan and then you can see its status. Now import report as shown below:
Importing Results into the Metasploit Framework:
Click the Export button to save the results to your hard drive. The default file format for Nessus reports is “.nessus” that can be supported by Metasploit. So export report as Nessus as shown below:
Load msfconsole, and import the Nessus results file by entering db_import followed by the report filename.
#msf> db_import nessus_report_test.nessus
To verify that the scanned host and vulnerability data was imported properly, enter hosts as shown next. This should output a brief listing with the target IP address, the number of services detected, and the number of vulnerabilities found by Nessus.
For a complete listing of the vulnerability data that was imported into Metasploit. Enter vulns command as shown below:
If you are lazy to work with GUI in Nessus, don’t worry you can work with metasploit by loading nessus plugin.
Scanning Vulnerability using Nessus Metasploit’s Plug-in:
The Nessus allows you to control Nessus completely through the Metasploit Framework. Run scans, interpret results, and launch attacks based on the vulnerabilities identified through Nessus.
First destroy the existing database. We can destroy database using Workspace command to do same. So delete previous pentesting results as shown below:
#msf > workspace -d default
Load the Nessus plug-in by running load nessus and Running the command nessus_help will display all of the commands that e plug-in supports. As shown below:
#msf > load nessus
#msf > nessus_help
Before starting a scan with nessus plug-in, you first need to authenticate to your Nessus server using nessus_connect command.
#msf > nessus_connect sathish:bhuvi@localhost:8834
As with the GUI version of Nessus, you need to initiate a scan using a defined policy by its policy ID number. To list the available scan policies on the server, use nessus_policy_list
#msf > nessus_policy_list
Take policy ID to use for your scan, and then launch a new scan with nessus_scan_new followed by the policy number, a name for your scan, and your target IP address as shown below.
#msf > nessus_scan_new
While your scan is in progress, you can see its status by running the nessus_scan_status command. When this command’s output responds with “No Scans Running,” as shown next, you will know that your scan has completed.
#msf > nessus_scan_new 2 test 192.168.31.20
After the scan has completed, you can list the available scan reports with the nessus_report_list command. Identify the ID of the report you want to import and enter nessus_report_get to download the report and import it into the Metasploit database automatically.
#msf > nessus_report_get ID
You can use hosts to verify that the scan data was imported successfully.
We can check all vulnerabilities by typing vulns command. As you can see above tutorials Metasploit is power full framework for penetration tester.
A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses. And it’s a part of penetration testing. If you do not know target vulnerability then you cannot success most of the time during your penetration testing process.