Vulnerability Scanning
Manual and automated vulnerability scanning.
Overview
- Detect if a target is up and running
- Conduct a full or partial port scan
- Identify the operating system
- Attempt to identify running services
- Do signature-matching to discover vulnerabilities
An automated scanner discovers vulnerabilities by matching vulnerability signatures, e.g. a version of an application that is known to be vulnerable. But an automated scanner can also produce false positives or false negatives, usually because of a signature mismatch, so update the vulnerability database before every engagement. (Efficient! Fast!)
Nessus
Vulnerability scanner with 130,000 plugins.
Download the .deb from the Tenable website and install it with apt.
sudo /etc/init.d/nessusd start
Then go to localhost:8834.
Click Advanced and add a certificate exception in the browser.
Use Nessus Essentials.
Defining Target
There are many scan types. Start with a basic network scan.
Configure Scan Definitions
By default only common ports are scanned, but this can be changed under Discovery: select Custom and set the port range to 0-65535 (all ports).
Scan all TCP ports with a SYN scan, no UDP (faster, but may miss services).
Unauthenticated Scanning With Nessus
Save -> Launch
Authenticated Scanning With Nessus
Requires valid target credentials.
Use the Credentialed Patch Audit template. It also searches for outdated applications that may be vulnerable.
Scanning with Individual Nessus Plugin
Nmap
A Nessus alternative.
There is a library of scripts in /usr/share/nmap/scripts/
script.db is the index of those scripts and their categories.
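As an added example (not from these notes and not Nmap's own code): a small Python parser for the script.db index, used to check which NSE scripts a category expression would actually run before a scan is launched. The script.db content, its category lists and the target address below are constructed for illustration.

```python
import re
import shlex

# Constructed sample in the format of Nmap's script.db index
# (/usr/share/nmap/scripts/script.db). The script names are real NSE
# scripts, but the category lists here are illustrative only.
SAMPLE_SCRIPT_DB = """
Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "http-sql-injection.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}'
)


def parse_script_db(text):
    """Return {script filename: set of categories} from script.db text."""
    db = {}
    for name, cats in ENTRY_RE.findall(text):
        db[name] = set(re.findall(r'"([^"]+)"', cats))
    return db


def select_scripts(db, required, excluded=()):
    """Scripts tagged with every category in `required` and none in `excluded`."""
    req, exc = set(required), set(excluded)
    return sorted(n for n, c in db.items() if req <= c and not (exc & c))


def nmap_command(required, excluded, target):
    """Build the equivalent nmap invocation using --script's boolean syntax."""
    expr = " and ".join(list(required) + [f"not {c}" for c in excluded])
    return ["nmap", "-sV", "--script", expr, target]


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    # Review what "vuln and not intrusive" would run against a lab host
    # (placeholder address) before launching it, so service-disrupting
    # scripts are excluded up front.
    for s in select_scripts(db, ["vuln"], ["intrusive"]):
        print(s, sorted(db[s]))
    print(shlex.join(nmap_command(["vuln"], ["intrusive"], "10.0.0.5")))
```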
Manual testing is still required.