Welcome back to my blog. Today, I completed another cybersecurity project covering the concepts of Vulnerability Management. This project focuses on Vulnerability Management specifically using Nessus to perform a vulnerability assessment on Windows virtual machine.
Vulnerability Management is identifying, assessing, reporting, and remediating security vulnerabilities found in networks and systems. This is not a one-time thing. It is an ongoing process because new vulnerabilities are found every day. Cybercriminals can exploit these vulnerabilities to gain entry into systems to launch cyber attacks. You can read more about Vulnerability Management here.
Vulnerability management is an important part of cybersecurity because it looks for vulnerabilities within the networks or systems to remediate them as quickly as possible. This is done by performing a vulnerability assessment. Vulnerability assessment identifies threats and risks they pose by using a vulnerability scanning tool (e.g Nessus). These findings are used to implement cybersecurity policies to stop/prevent cybercriminals to launch cyberattacks, but remember that cyberattacks are inevitable.
Now, that we understand Vulnerability Management and its importance. We can perform a vulnerability assessment on windows virtual machine using the vulnerability scanner, Nessus. First, we have to download the following software: Nessus, Windows VM, and a virtual machine platform. For this project, I used VM Workstation 16 Player. However, you can use whatever platform you like. You can follow the tutorial here or follow the instructions below.
- Download Nessus on your computer and Windows VM on your virtual machine. I download Nessus on my Windows computer and download Windows VM on VMWare Workstation 16 Player. Here are the links to download Nessus, the Windows VM, and VMware Workstation 16 Player.
- Save the Nessus url (it starts with localhost:..) after you make your account.
- In the Windows VM, set the network adapter to a bridged network.
Troubleshoot #1: If you get download failed for Nessus, then you have to run the command: C:\Program Files\Tenable\Nessus\nessuscli.exe update. On your computer, go to command prompt and run it as administrator. Next, find the location of the Nessus file by going to OS (C:) directory. Finally, run the command and refresh the Nessus url. It should prompt you to the Nessus login page.
Troubleshoot #2: If you are unable to get internet on your Windows VM, then used this link to troubleshoot.
2. After Windows VM, VMware, and Nessus are installed, get the Window’s VM IP Address. To find the IP address, go to the command prompt and use the command ipconfig (look for the label => IPv4 Address).
3. Once you have the IP address, ping the window’s VM IP address from your host computer. If you get no output, it is because the Windows VM firewall is blocking the connection. Therefore, the firewall needs to be disabled. To disable the firewall, open wf.msc and click on Window Defender Firewall Properties. Next, turn off the firewall state for Domain Profile, Private Profile, and Public Profile. After the firewall has been turned off, you should be able to ping your Window’s VM from your host computer.
4. In Nessus, click on create new scan. Then, click on basic network scan. Here is where you name the scan and add the Window’s VM IP address into the box labeled Targets. Then, click save and click launch now for Nessus to start scanning. After the scan is completed, you can view the results shown in the picture below.
Nessus found medium and info vulnerabilities seen in the picture above. The info label means that it’s not necessarily a vulnerability but you should be aware of them. The medium label means that the results are inconclusive because Nessus couldn’t determine if the test passed or failed. Overall, the scan concludes that there is no threat due to no vulnerabilities have been found seen in the picture below.
The results are not surprising because Nessus performed a non-credential scan. A non-credential scan doesn’t need credentials(e.g username and password) to perform a scan. It provides a quick overview of vulnerabilities found due to only having access to scan network services exposed by the host. However, this scan misses most vulnerabilities within the system.
After completing a non-credential scan, a credential scan can be run.
A credential scan uses an admin account to perform a thorough scan within the network. To run a credential scan on Nessus, the Windows VM needs to be configured first. These configurations are done for Nessus to find vulnerabilities within the insecure network.
- Open Services. msc and find the remote registry. Then, select automatic, click apply, click on start, and click ok.
- Open Advanced Sharing Settings. In private and public network profiles, select turn on for file and printer sharing and network settings.
- Open User Account Control. Pull the panel all the way to never notify and select ok.
- Open Registry Editor, click on HKEY_LOCAL_MACHINE, click on software, click on Microsoft, click on Windows, click on Current Versions, click on Policies, and click on System. In the folder labeled system, right-click to select DWord to add LocalAccountTokenFilterPolicy. Finally, click on LocalAccountTokenFilterPolicy and set the value to 1.
- Restart the Windows VM and log in again.
Once the insecure configurations are set, Nessus can now be configured to run a credential scan.
- In Nessus, go to my scans. You should see the scan you created. Click on the box and click on the More option. Next, click on Configure and select credentials. Here is where you are going to add the Windows VM username and password. If you don’t know the username of Windows VM, then go to the command prompt and use the command whoami to find the username.
- Click save and click launch now for Nessus to start scanning. After the scan is completed, you can view the results shown in the picture below.
Immediately, there is a difference between the non-credential scan results and the credential scan. The results show that there are high and critical vulnerabilities found within the mixed folder, a remediations tab is present, the number of vulnerabilities found doubled from 17 to 36, and the time for the scan to complete took longer as well.
The mixed label means that vulnerabilities in a group have differing severities. Vulnerabilities are grouped together due to having similarities such as Common Platform Enumeration (CPE), service, application, and protocol. You can learn more about it in the link here. Within the mixed vulnerabilities folders, there are high and critical vulnerabilities found within the network seen in the picture below.
Details about the critical vulnerabilities are shown in the pictures below.
Nessus concluded that the threat level is high due to various vulnerabilities found seen in the picture below.
Also, Nessus provides steps to fix the issue located in the remediations tab shown in the picture below. The update, install KB5017308, will fix the vulnerabilities that allow privilege escalation and denial of service within the Window system.
The credential scan shows a more detailed overview of found vulnerabilities compared to the non-credential scan. A credential scan has access to scan within the network. Therefore, it can identify more vulnerabilities (e.g determine which systems are out of date on patch installation) making it more accurate. This is why cybersecurity professionals prefer credential scans over non-credential scans. This information can be used to build secure defense systems to prevent cyberattacks.
In this project, I learned the following: how to use Nessus, the difference between a non-credential scan and a credential scan, and the importance of vulnerability management by performing vulnerability assessments. Vulnerability assessments are part of vulnerability management because organizations can use them to identify and remediate vulnerabilities to protect themselves from cybersecurity breaches and unauthorized access.
Here are some ways that organizations can implement to prevent cybersecurity breaches by keeping your software up-to-date including third-party software as well, practicing the concept of least privilege, developing a strong password policy, and security awareness training for all employees.
Shout out to the following people: Simon, Guerline, and Josh Madakor. Simon and Guerline worked with me on this project. Josh Madakor provided the tutorial for this project. Please follow Simon, Guerline, and Josh on LinkedIn. Also, please follow Josh on his Youtube channel. He provides beginner-friendly cybersecurity projects that you can add to your resume to help you land your first cybersecurity role.
Thank you for reading my blog. Please give my blog a follow. Enjoy the rest of your day.