In this lesson, I'll discuss Nessus. Nessus is one of the most commonly used vulnerability scanners; it is also a threat detector, compliance checker and auditor. It has nearly 90,000 different plugins that it can run against different operating systems and software, web applications, network appliances such as switches and routers, etc. It can look at the security posture of many different things.

Now, a vulnerability scanner, as we've talked about in the previous week, looks at the vulnerabilities of a system. It looks at patch levels, it looks at software versions, it looks at insecure ports. Nessus can also detect threats within anything it scans. So a credentialed check from Nessus may turn up a vulnerable connection out to some malware, for example. The compliance checker that it has built into it looks at different compliance tools that may be out there. DISA STIGs, for example, are a good example of how we may look at compliance. PCI compliance is built in as well. It can also audit systems for configuration items. So when we've used Nessus before, it's looking at the configurations on all of our switches to make sure that they're in compliance, and audited in compliance with the center for information security, to make sure that there are no vulnerabilities. The 90,000 plugins, like I said, could be anything: FTP, routers, switches, almost anything that is digital, anything that has an IP address.

How does the university use Nessus? Nessus is an auditing tool for us: it audits for vulnerabilities, it audits for patches, it audits for different pieces of software. I've used it before to scan for different vulnerabilities, such as Heartbleed, Shellshock and WannaCry, and we look at different systems, saying here are all the systems that are vulnerable, and not just looking at the patch level from what Microsoft, for example, tells us.
We actually put it in place about seven years ago because we wanted to look at the patch levels of all computers around campus, those that were on the domain and those that were not on the domain. For penetration testing, Nessus creates a lot of noise, but what it does is minimize false positives. So you can look at a piece of software and say this is actually vulnerable, or whether this port or that port is closed. It also helps to identify false negatives, where, for the example that I just shared, Microsoft was telling us yes, your system is patched, but Nessus was telling us that it was not patched. It also kind of identifies what exploits can compromise the vulnerabilities that are found, such as exploits in Metasploit and Core Impact. It's also good at creating executive summaries and information that'll help us patch the system.

So let's take a look at Nessus real quick. This is our professional edition of Nessus; it's Nessus 6. We've used Nessus all the way from Nessus on. Let's look at a scan I've already created here before we go into the results. My target is probably the most important thing that I want to remember when I'm actually actively scanning a system for vulnerabilities, because I want to make sure that I get the right system. We can do credentialed and uncredentialed scans, and I'm going to show you both of those based on what I have done with the system that we're going to use in the next video for Metasploit. I took the credentials out, but if I wanted to put SSH credentials in here I could use a public key, I could use a password, I could add Windows credentials; but I'm not going to do that at this time. The difference between credentialed and uncredentialed scanning is that credentialed scanning actually will look at the patch level of the system and the versions of software on the system.
So it has much fewer false positives and much fewer false negatives as well. My compliance, like I mentioned before: we can actually look at or import DISA STIGs or CIS data as well, and look at auditing our different systems for compliance.

Move over to the Plugins tab. The Plugins tab is the thing that actually does the checking. So if we are pretty sure that we don't have AIX in our environment, we can disable that. We can disable CentOS if it's not CentOS. The system that I happen to be scanning is a Debian system, so I'm definitely going to leave Debian checked. I'm just going to leave all the rest of these checked here, but I can add a whole lot more. I can add FTP, I can add firewalls, HP ones, Windows especially, Windows or Microsoft Bulletins as well. We can add all different kinds of plugins to Nessus to determine what the system is and what it's doing.

Let's go to my scan directory here and let's look at the uncredentialed scan. This is what the uncredentialed scan came back with. Uncredentialed scans, or any scans that we put through the system, are going to be rated from critical all the way to informational: critical, high, medium, low and informational. Our informational gives us a lot of information about the system because it's trying many of those different plugins. So it looks like we can do service detection. It looks like an FTP server is running on port 21. It looks like it's using a web server as well, and VNC and IRC as well. Let's look at a couple of other ones here. I'm going to go down to, looks like, VNC. VNC is not a good server to have running on a server because, well, people typically forget about them. Looks like vsftpd is also running, version 2.3.4, and we're actually going to use this in our next video to exploit the system. But what I want you to also understand is look how many critical vulnerabilities there are just in the uncredentialed scan.
If I switch back over, and I'm going to go back to Scans and go back to History, I want to just show you what the credentialed scan looked at. The credentialed scan shows 339 vulnerabilities, because it's able to look at the entirety of the system and actually log in. So notice how we have many more critical and high vulnerabilities, something that a system might not tell us if it was an uncredentialed scan. Most of these are going to be patches for the operating system itself. So it looks like this version is 8.0.4. So what I want you to understand about Nessus is that it's a very powerful tool that allows us to not only do intelligence, or better intelligence gathering, but it allows us to verify all the vulnerabilities that could be on this system.

One other thing I do want to show you is this rogue shell backdoor detection. Nessus will try to log in when it can. So it looks like it was able to use information in the plugin to actually log into this system. It's categorized as a rogue shell backdoor.
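As an added example (not part of the lecture, and not code from Nessus or Tenable), the script below works through two points the lecture makes by hand in the Nessus UI: the severity breakdown of a scan (critical, high, medium, low, informational) and how a credentialed scan surfaces local patch findings that an uncredentialed scan cannot see. It parses the `.nessus` v2 XML export format (`NessusClientData_v2` / `Report` / `ReportHost` / `ReportItem`, with severity carried in the `severity` attribute as 0 to 4). The two exports are constructed inline so it runs offline; the host address, plugin IDs and plugin names in them are illustrative, not real Nessus plugins, and the only thing mirrored from the lecture is the vsFTPd 2.3.4 banner on port 21.

```python
"""Summarize and diff two Nessus .nessus v2 exports (added example, not Nessus code).

The sample exports below are constructed: host 192.0.2.10 (documentation range),
plugin IDs 9000x and plugin names are illustrative, not real Nessus plugin IDs.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute -> label shown in the scan results view.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]

# Findings a network-only (uncredentialed) scan can see: banners and remote checks.
COMMON_ITEMS = """
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="0" pluginID="90001" pluginName="Service Detection (constructed)" pluginFamily="Service detection">
        <plugin_output>An FTP server is listening on this port.</plugin_output>
      </ReportItem>
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="0" pluginID="90002" pluginName="FTP Server Banner (constructed)" pluginFamily="FTP">
        <plugin_output>220 (vsFTPd 2.3.4)</plugin_output>
      </ReportItem>
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4" pluginID="90003" pluginName="vsftpd 2.3.4 Backdoor (constructed)" pluginFamily="FTP">
        <risk_factor>Critical</risk_factor>
      </ReportItem>
      <ReportItem port="5900" svc_name="vnc" protocol="tcp" severity="0" pluginID="90004" pluginName="VNC Server Detection (constructed)" pluginFamily="Service detection"/>
      <ReportItem port="1524" svc_name="wild_shell" protocol="tcp" severity="4" pluginID="90005" pluginName="Rogue Shell Backdoor Detection (constructed)" pluginFamily="Backdoors">
        <risk_factor>Critical</risk_factor>
      </ReportItem>
"""

# Local security checks: only produced when the scanner can log in (port 0 / general).
LOCAL_ITEMS = """
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="4" pluginID="90006" pluginName="Debian DSA: openssl (constructed)" pluginFamily="Debian Local Security Checks">
        <risk_factor>Critical</risk_factor>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="3" pluginID="90007" pluginName="Debian DSA: bash (constructed)" pluginFamily="Debian Local Security Checks">
        <risk_factor>High</risk_factor>
      </ReportItem>
"""


def build_report(items, scan_name):
    """Wrap ReportItem fragments in the .nessus v2 envelope (constructed sample)."""
    return f"""<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="{scan_name}">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
      </HostProperties>{items}
    </ReportHost>
  </Report>
</NessusClientData_v2>"""


UNCRED_XML = build_report(COMMON_ITEMS, "uncredentialed")
CRED_XML = build_report(COMMON_ITEMS + LOCAL_ITEMS, "credentialed")


def parse_nessus(xml_text):
    """Return {host_name: [finding, ...]} from a .nessus v2 document."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("ReportHost"):
        items = []
        for item in host.findall("ReportItem"):
            items.append({
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
        findings[host.get("name")] = items
    return findings


def severity_counts(findings):
    """Count findings per severity label, the numbers the scan summary bar shows."""
    counts = Counter()
    for items in findings.values():
        for f in items:
            counts[SEVERITY_NAMES[f["severity"]]] += 1
    return counts


def credentialed_only(uncred, cred):
    """Findings present in the credentialed export but not the uncredentialed one.

    Keyed on (host, plugin, port, protocol) so the same remote check seen by both
    scans is not reported twice; what remains is what logging in bought us.
    """
    def keyed(findings):
        return {(h, f["plugin_id"], f["port"], f["protocol"]): f
                for h, items in findings.items() for f in items}
    seen_unauth, seen_auth = keyed(uncred), keyed(cred)
    return [seen_auth[k] for k in seen_auth if k not in seen_unauth]


def banner_versions(findings, product):
    """Pull product versions out of plugin output, e.g. 'vsFTPd 2.3.4' from the FTP banner."""
    pattern = re.compile(re.escape(product) + r"\s+v?(\d+(?:\.\d+)+)", re.IGNORECASE)
    hits = []
    for host, items in findings.items():
        for f in items:
            m = pattern.search(f["output"])
            if m:
                hits.append((host, f["port"], m.group(1)))
    return hits


if __name__ == "__main__":
    uncred, cred = parse_nessus(UNCRED_XML), parse_nessus(CRED_XML)
    for label, findings in (("uncredentialed", uncred), ("credentialed", cred)):
        c = severity_counts(findings)
        print(label, {s: c[s] for s in SEVERITY_ORDER if c[s]})
    print("versions from banners:", banner_versions(uncred, "vsftpd"))
    for f in credentialed_only(uncred, cred):
        print("credentialed only:", SEVERITY_NAMES[f["severity"]], f["name"])
```

Run it against a real export by replacing `UNCRED_XML` and `CRED_XML` with the contents of two `.nessus` files downloaded from the scan's Export menu; the parser only relies on the `ReportHost`/`ReportItem` attributes shown above. The credentialed-only list is the concrete form of the lecture's point: the extra critical and high findings are local patch checks that never touch a listening port, so a network-only scan has nothing to observe for them.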