1
00:00:00,350 --> 00:00:02,240
In this demonstration, you're going to see

2
00:00:02,240 --> 00:00:04,960
how Nessus is used to conduct a vulnerability scan

3
00:00:04,960 --> 00:00:06,670
on a small office network.

4
00:00:06,670 --> 00:00:08,950
Now, Nessus is a vulnerability scanning tool

5
00:00:08,950 --> 00:00:11,210
that comes with a complete suite of features.

6
00:00:11,210 --> 00:00:13,080
Beyond scanning, it also can keep track

7
00:00:13,080 --> 00:00:15,050
of your past vulnerabilities and reports,

8
00:00:15,050 --> 00:00:17,780
and it gives you a lot of great management functionality.

9
00:00:17,780 --> 00:00:19,960
For the Security+ exam, you don't need to learn

10
00:00:19,960 --> 00:00:21,270
how to operate this tool.

11
00:00:21,270 --> 00:00:23,780
But if you end up getting a job as a security analyst,

12
00:00:23,780 --> 00:00:25,070
you're going to be using Nessus

13
00:00:25,070 --> 00:00:27,670
or another tool like QualysGuard, OpenVAS,

14
00:00:27,670 --> 00:00:29,220
or another vulnerability scanner

15
00:00:29,220 --> 00:00:31,620
to perform a lot of your daily job functions.

16
00:00:31,620 --> 00:00:33,510
So, let's jump into the lab environment

17
00:00:33,510 --> 00:00:35,840
and learn just a little bit more about Nessus.

18
00:00:35,840 --> 00:00:37,820
Now, there's a couple of tabs here.

19
00:00:37,820 --> 00:00:39,200
We have the Reports tab,

20
00:00:39,200 --> 00:00:41,120
which will show us any completed reports

21
00:00:41,120 --> 00:00:42,980
that we have already done before.

22
00:00:42,980 --> 00:00:44,510
Now if we have multiple reports,

23
00:00:44,510 --> 00:00:46,630
we can actually compare those reports.

24
00:00:46,630 --> 00:00:48,830
So this is very helpful in vulnerability management.

25
00:00:48,830 --> 00:00:50,890
I might have a scan from last week,

26
00:00:50,890 --> 00:00:52,900
and then I have one from this week.

27
00:00:52,900 --> 00:00:55,650
And so I can open up the one from before,

28
00:00:55,650 --> 00:00:57,520
compare it to the one I just did,

29
00:00:57,520 --> 00:00:59,300
and then see what the difference is,

30
00:00:59,300 --> 00:01:01,054
where this one I might have had

31
00:01:01,054 --> 00:01:04,060
one vulnerability here and one vulnerability there.

32
00:01:04,060 --> 00:01:05,960
I can see if those vulnerabilities have been fixed

33
00:01:05,960 --> 00:01:08,410
by the system administration team.

34
00:01:08,410 --> 00:01:10,500
So that's one of the ways you can use this tool,

35
00:01:10,500 --> 00:01:12,890
by going back and looking at that historical data.

36
00:01:12,890 --> 00:01:14,620
You can also download these reports

37
00:01:14,620 --> 00:01:16,540
if you need to give them to the system administrators,

38
00:01:16,540 --> 00:01:19,880
either by email or through your file share.

39
00:01:19,880 --> 00:01:21,330
Now, when you go to your scans,

40
00:01:21,330 --> 00:01:22,760
this is where your scans will be run.

41
00:01:22,760 --> 00:01:24,850
Now we don't have any scans set yet,

42
00:01:24,850 --> 00:01:27,070
because we haven't set any policies.

43
00:01:27,070 --> 00:01:28,290
So the first thing I want to do

44
00:01:28,290 --> 00:01:30,960
is go over to my Policies tab.

45
00:01:30,960 --> 00:01:32,800
In here, we already have a couple of

46
00:01:32,800 --> 00:01:33,890
scans that are set up.

47
00:01:33,890 --> 00:01:35,430
We have web app test.

48
00:01:35,430 --> 00:01:38,890
We have preparing for our PCI-DSS audits.

49
00:01:38,890 --> 00:01:41,920
We have internal network scans or external network scans.

50
00:01:41,920 --> 00:01:44,700
These are all templates that are provided by Tenable.

51
00:01:44,700 --> 00:01:46,670
Now, instead of using those,

52
00:01:46,670 --> 00:01:48,370
I'm going to show you how you can create your own

53
00:01:48,370 --> 00:01:51,190
by clicking on Add and giving it a name.

54
00:01:51,190 --> 00:01:53,303
We're going to call this Windows Scan.

55
00:01:54,470 --> 00:01:58,050
And I'm going to use it to scan the Windows machines

56
00:01:58,050 --> 00:01:59,890
that are in this network.

57
00:01:59,890 --> 00:02:01,860
And you can actually set the port scanners

58
00:02:01,860 --> 00:02:04,520
to do TCP scans or SNMP scans,

59
00:02:04,520 --> 00:02:05,730
whatever you want.

60
00:02:05,730 --> 00:02:08,240
I'm going to leave the default settings here right now

61
00:02:08,240 --> 00:02:10,150
just so that we can get going with this.

62
00:02:10,150 --> 00:02:11,860
Now we're going to click on Credentials.

63
00:02:11,860 --> 00:02:14,610
This is where you would put in your SMB account,

64
00:02:14,610 --> 00:02:16,850
which would be your username and password

65
00:02:16,850 --> 00:02:18,940
if you're going to do a credentialed scan.

66
00:02:18,940 --> 00:02:20,080
We talked about this before,

67
00:02:20,080 --> 00:02:22,500
where sometimes the scanners are going to be blocked

68
00:02:22,500 --> 00:02:24,200
by defenses en route,

69
00:02:24,200 --> 00:02:25,880
such as when you're trying to do it

70
00:02:25,880 --> 00:02:27,560
from an attacker's perspective;

71
00:02:27,560 --> 00:02:29,550
there you would not use a credentialed scan.

72
00:02:29,550 --> 00:02:31,300
But as a vulnerability manager,

73
00:02:31,300 --> 00:02:34,110
you would want to use a credentialed scan, possibly,

74
00:02:34,110 --> 00:02:35,480
so you can get more information

75
00:02:35,480 --> 00:02:38,890
on what vulnerabilities exist so you can solve those.

76
00:02:38,890 --> 00:02:41,760
Now, the important thing here is going to be your plugins.

77
00:02:41,760 --> 00:02:42,860
And you can see these are green

78
00:02:42,860 --> 00:02:44,450
because they're enabled right now.

79
00:02:44,450 --> 00:02:47,560
Let's scroll down here to the Windows plugins,

80
00:02:47,560 --> 00:02:50,430
and you can see that all of these different plugins,

81
00:02:50,430 --> 00:02:52,680
each of these is a different vulnerability

82
00:02:52,680 --> 00:02:54,080
that it's trying to exploit,

83
00:02:54,080 --> 00:02:58,600
or find out if that exists inside of that server.

84
00:02:58,600 --> 00:03:01,280
So, we can turn on a plugin or turn off a plugin

85
00:03:01,280 --> 00:03:02,750
just by clicking Disable,

86
00:03:02,750 --> 00:03:05,000
and you can see the Windows family has gone away.

87
00:03:05,000 --> 00:03:06,710
Because I'm going to do the Windows family,

88
00:03:06,710 --> 00:03:09,740
I'm just going to take everything else out right now,

89
00:03:09,740 --> 00:03:10,833
and disable them.

90
00:03:12,840 --> 00:03:16,703
So I can click on what I want, and then click on Disable.

91
00:03:21,210 --> 00:03:22,043
So you get the idea.

92
00:03:22,043 --> 00:03:22,900
We could turn things on

93
00:03:22,900 --> 00:03:24,640
or turn things off as needed.

94
00:03:24,640 --> 00:03:26,470
For instance, since I know I'm going to be scanning Windows,

95
00:03:26,470 --> 00:03:28,410
do I need to look at the CentOS plugins?

96
00:03:28,410 --> 00:03:29,510
Probably not, right?

97
00:03:29,510 --> 00:03:31,730
Because I don't have a CentOS device.

98
00:03:31,730 --> 00:03:32,730
You get the idea.

99
00:03:32,730 --> 00:03:34,610
So you can actually hit Disable All

100
00:03:34,610 --> 00:03:36,240
and everything will be disabled,

101
00:03:36,240 --> 00:03:38,010
and then you can turn on just what you want.

102
00:03:38,010 --> 00:03:40,130
In my case, I'm just going to scan

103
00:03:40,130 --> 00:03:42,820
for these three Windows plugin families

104
00:03:42,820 --> 00:03:44,870
to make our scan go much quicker.

105
00:03:44,870 --> 00:03:46,150
And these three families actually have

106
00:03:46,150 --> 00:03:47,980
3,000 different vulnerabilities

107
00:03:47,980 --> 00:03:50,380
that we're going to be scanning for.

108
00:03:50,380 --> 00:03:51,860
The last thing is Preferences.

109
00:03:51,860 --> 00:03:54,360
If you have domain controller passwords and usernames,

110
00:03:54,360 --> 00:03:56,090
you can check those as well.

111
00:03:56,090 --> 00:03:57,720
So, I'm going to go ahead and submit that.

112
00:03:57,720 --> 00:04:00,140
And now you can see that I have this Windows Scan,

113
00:04:00,140 --> 00:04:02,890
which is a private policy that I have created,

114
00:04:02,890 --> 00:04:04,893
and it's set by the user, which is me.

115
00:04:05,840 --> 00:04:08,000
Now we're going to go ahead and go to Scans

116
00:04:08,000 --> 00:04:09,740
and we're going to add a new scan.

117
00:04:09,740 --> 00:04:13,260
Here's where we can set up your scans.

118
00:04:13,260 --> 00:04:15,080
You'll give it a name so you'll know what it is,

119
00:04:15,080 --> 00:04:16,180
and you can schedule it.

120
00:04:16,180 --> 00:04:18,400
You can use a templated one or run it now.

121
00:04:18,400 --> 00:04:19,270
I'm going to run it now,

122
00:04:19,270 --> 00:04:21,400
but if you want to, you could schedule it,

123
00:04:21,400 --> 00:04:23,300
and you can schedule it based on

124
00:04:23,300 --> 00:04:26,530
every day, every week, every month, every year,

125
00:04:26,530 --> 00:04:27,633
or just once.

126
00:04:28,490 --> 00:04:30,500
In our case, we're going to run it now.

127
00:04:30,500 --> 00:04:32,190
We're going to select the policy we want,

128
00:04:32,190 --> 00:04:33,810
and we're going to use the policy that we just created,

129
00:04:33,810 --> 00:04:35,470
which was Windows Scan,

130
00:04:35,470 --> 00:04:37,150
and I'm going to give it the targets.

131
00:04:37,150 --> 00:04:41,270
Now you can give it an entire range of IP addresses.

132
00:04:41,270 --> 00:04:46,270
For instance, if I had the 10.3.1.0/24 range,

133
00:04:46,540 --> 00:04:50,283
that's going to scan all 256 clients inside that subnet.

134
00:04:51,330 --> 00:04:53,830
In my case, there are two that I want to scan,

135
00:04:53,830 --> 00:04:56,090
the 10.3.1.6

136
00:04:56,090 --> 00:04:57,283
and the 10.3.2.3.

137
00:04:58,160 --> 00:05:00,720
The first one is a Windows 2003 Server,

138
00:05:00,720 --> 00:05:04,420
the second one is a Windows 2012 Server.

139
00:05:04,420 --> 00:05:07,610
And you can also click Browse for a text file

140
00:05:07,610 --> 00:05:10,110
or a comma-separated value file

141
00:05:10,110 --> 00:05:11,560
with all of your IPs,

142
00:05:11,560 --> 00:05:13,030
and use those as your target files

143
00:05:13,030 --> 00:05:16,140
so you don't have to type them in individually each time.

144
00:05:16,140 --> 00:05:17,850
I'm going to go ahead and launch the scan,

145
00:05:17,850 --> 00:05:18,683
and it's going to go ahead

146
00:05:18,683 --> 00:05:20,420
and take a couple of minutes here to run the scan,

147
00:05:20,420 --> 00:05:22,060
because it does take a while.

148
00:05:22,060 --> 00:05:23,800
It has to reach out to each machine

149
00:05:23,800 --> 00:05:27,910
and run those 3,300 or so vulnerability checks against it

150
00:05:27,910 --> 00:05:30,270
to identify which ones they have

151
00:05:30,270 --> 00:05:31,990
and which ones are active.

152
00:05:31,990 --> 00:05:33,610
So, I'm going to go ahead and pause the video here

153
00:05:33,610 --> 00:05:35,610
and come back when the scan is complete.

154
00:05:40,190 --> 00:05:41,060
Alright.

155
00:05:41,060 --> 00:05:43,410
That scan only took about a minute, actually.

156
00:05:43,410 --> 00:05:45,910
And so, once it finishes, it clears it from our scans

157
00:05:45,910 --> 00:05:48,530
because there are no more scheduled scans,

158
00:05:48,530 --> 00:05:51,190
but it does show up now in our reports.

159
00:05:51,190 --> 00:05:55,770
And you can see there TestScan has just completed at 16:57.

160
00:05:55,770 --> 00:05:57,610
And again, we can go ahead and double-click it

161
00:05:57,610 --> 00:05:58,980
if we want to browse it,

162
00:05:58,980 --> 00:06:02,053
and we'll see which scans have which vulnerabilities.

163
00:06:02,940 --> 00:06:04,450
Here you can see the vulnerability count.

164
00:06:04,450 --> 00:06:06,110
For instance, here there are 12,

165
00:06:06,110 --> 00:06:07,610
and you can see the criticality.

166
00:06:07,610 --> 00:06:10,420
By default, it's going to show you based on criticality,

167
00:06:10,420 --> 00:06:12,550
most critical to least critical,

168
00:06:12,550 --> 00:06:15,140
and they go from critical to high, to medium,

169
00:06:15,140 --> 00:06:17,370
to low, or informational.

170
00:06:17,370 --> 00:06:18,890
And you'll see the number of counts,

171
00:06:18,890 --> 00:06:20,860
or the number of vulnerabilities that exist.

172
00:06:20,860 --> 00:06:22,840
This can be a helpful view,

173
00:06:22,840 --> 00:06:25,370
but the one I actually prefer is the host view

174
00:06:25,370 --> 00:06:27,460
from a vulnerability management perspective.

175
00:06:27,460 --> 00:06:28,900
So when I go ahead and click on Host View,

176
00:06:28,900 --> 00:06:31,330
you can see right away which of these servers

177
00:06:31,330 --> 00:06:33,230
is the most vulnerable.

178
00:06:33,230 --> 00:06:35,080
Which one do you think it is?

179
00:06:35,080 --> 00:06:37,560
That's right, it's the 10.3.1.6,

180
00:06:37,560 --> 00:06:40,850
which I told you was a Windows 2003 Server,

181
00:06:40,850 --> 00:06:43,770
and a 2003 Server is very vulnerable.

182
00:06:43,770 --> 00:06:45,760
There are seven critical vulnerabilities,

183
00:06:45,760 --> 00:06:50,000
one high, one medium, and then 17 informational.

184
00:06:50,000 --> 00:06:54,050
If I look at the 2008 server, on the other hand,

185
00:06:54,050 --> 00:06:56,100
we have zero criticals, zero high,

186
00:06:56,100 --> 00:06:58,900
zero medium, and zero low, and only 18 informational.

187
00:06:58,900 --> 00:07:01,970
It's a much more secure server.

188
00:07:01,970 --> 00:07:03,560
And so, we can actually look at it and go,

189
00:07:03,560 --> 00:07:06,680
if I had to apply resources to one of these servers

190
00:07:06,680 --> 00:07:08,280
and I only had a certain amount of time and money,

191
00:07:08,280 --> 00:07:10,050
which one would I fix first?

192
00:07:10,050 --> 00:07:11,650
I would fix the 2003 Server

193
00:07:11,650 --> 00:07:14,920
because it has more vulnerabilities that can be exploited

194
00:07:14,920 --> 00:07:16,780
by a known adversary.

195
00:07:16,780 --> 00:07:19,040
Now if you want to dig into each of those vulnerabilities,

196
00:07:19,040 --> 00:07:19,873
which you'll need to,

197
00:07:19,873 --> 00:07:21,710
to be able to figure out what's wrong with it,

198
00:07:21,710 --> 00:07:24,660
you can then click on it and dig in a little bit deeper.

199
00:07:24,660 --> 00:07:27,260
So, let's say I wanted to fix this one.

200
00:07:27,260 --> 00:07:30,980
This is a very common vulnerability, MS08-067.

201
00:07:30,980 --> 00:07:32,310
I can click on that.

202
00:07:32,310 --> 00:07:33,760
It will show the information

203
00:07:33,760 --> 00:07:35,120
on what the vulnerability is.

204
00:07:35,120 --> 00:07:37,970
It tells me it's arbitrary code execution.

205
00:07:37,970 --> 00:07:39,120
It gives me a description of it,

206
00:07:39,120 --> 00:07:40,960
which is actually remote code execution

207
00:07:40,960 --> 00:07:45,360
against Windows 2000, XP, 2003, Vista, and 2008

208
00:07:45,360 --> 00:07:47,090
if you don't have a patch installed.

209
00:07:47,090 --> 00:07:48,570
It's a critical risk factor,

210
00:07:48,570 --> 00:07:52,050
which means I want to fix it right away, as soon as I can,

211
00:07:52,050 --> 00:07:54,480
and the CVS...

212
00:07:54,480 --> 00:07:55,313
Excuse me.

213
00:07:55,313 --> 00:07:57,820
The CVSS Base Score is a 10,

214
00:07:57,820 --> 00:08:00,700
which tells you it is very, very critical.

215
00:08:00,700 --> 00:08:04,420
And you can see here that it doesn't apply to any virus,

216
00:08:04,420 --> 00:08:06,670
but it does affect your,

217
00:08:06,670 --> 00:08:08,850
it could affect your confidentiality and integrity

218
00:08:08,850 --> 00:08:10,610
and things of that nature.

219
00:08:10,610 --> 00:08:12,220
Now as you scroll down a little bit further,

220
00:08:12,220 --> 00:08:15,650
you actually get a link to what the IAVA is,

221
00:08:15,650 --> 00:08:19,800
which tells you what the military or government version

222
00:08:19,800 --> 00:08:21,040
of how to fix this is,

223
00:08:21,040 --> 00:08:24,890
the Microsoft vulnerability, which is MS08-067,

224
00:08:24,890 --> 00:08:27,970
and the CWE, which is number 94.

225
00:08:27,970 --> 00:08:29,390
And you can cross-reference these

226
00:08:29,390 --> 00:08:31,300
in the vulnerability database.

227
00:08:31,300 --> 00:08:33,610
Pull that up if you're connected to the internet,

228
00:08:33,610 --> 00:08:35,050
and it will tell you exactly

229
00:08:35,050 --> 00:08:37,120
what is wrong and how to fix it.

230
00:08:37,120 --> 00:08:39,010
In our case, because it's this one,

231
00:08:39,010 --> 00:08:41,130
that is going to tell us that we can go to Microsoft

232
00:08:41,130 --> 00:08:43,820
and download something to fix it.

233
00:08:43,820 --> 00:08:45,400
Now, how is it exploited?

234
00:08:45,400 --> 00:08:47,300
Well, lots of things have an exploit for it.

235
00:08:47,300 --> 00:08:48,650
Canvas has an exploit for it.

236
00:08:48,650 --> 00:08:50,590
Core Impact has an exploit for it.

237
00:08:50,590 --> 00:08:52,670
Metasploit has an exploit for it.

238
00:08:52,670 --> 00:08:54,460
And if any of these things have this exploit,

239
00:08:54,460 --> 00:08:56,190
it's a public vulnerability,

240
00:08:56,190 --> 00:08:58,570
which means we should really, really be worried about it,

241
00:08:58,570 --> 00:09:00,990
because any script kiddie can basically attack us

242
00:09:00,990 --> 00:09:02,560
using this vulnerability.

243
00:09:02,560 --> 00:09:05,160
So, you can see how you can really dig in deep here

244
00:09:05,160 --> 00:09:07,060
with the vulnerability scans,

245
00:09:07,060 --> 00:09:10,440
either based on an individual scan, by looking at the host,

246
00:09:10,440 --> 00:09:12,960
or digging into the particular vulnerability

247
00:09:12,960 --> 00:09:15,400
and knowing which plugin was used

248
00:09:15,400 --> 00:09:17,770
and what patch needs to be applied.

249
00:09:17,770 --> 00:09:18,910
If you take this information

250
00:09:18,910 --> 00:09:20,540
and give it to your system administrators,

251
00:09:20,540 --> 00:09:22,560
they can implement a change control process,

252
00:09:22,560 --> 00:09:24,350
implement the bug fix,

253
00:09:24,350 --> 00:09:26,750
and get you into a less vulnerable state,

254
00:09:26,750 --> 00:09:28,910
where you'll go through and scan again

255
00:09:28,910 --> 00:09:33,512
to see how that looks as you compare the two scans.

256
00:09:33,512 --> 00:09:35,850
(electronic music)