Vulnerability Assessment and Exploitation with Nessus and Metasploit

Table of Contents:

1. Introduction: Vulnerability Assessment in Corporate Networks
2. Project Objectives
3. Legal Disclaimer
4. Network Architecture and Setup
    4.1 Overview of the Network Setup
    4.2 Network Diagram
5. Key Terminologies Explained
6. Initial Configuration and Setup
7. Conducting a Network Vulnerability Scan with Nessus
8. Credentialed vs. Non-Credentialed Scanning
    8.1 Performing a Non-Credentialed Scanning
    8.2 Performing a Credentialed Scanning
9. Exploiting Vulnerabilities Identified by Nessus
    9.1 Exploiting VNC Vulnerability
    9.2 Exploiting UnrealIRCd Vulnerability
10. Importance of Ongoing Vulnerability Management
11. Conclusion: Lessons Learned and Best Practices

1. Introduction: Vulnerability Assessment in Corporate Networks

In today’s rapidly evolving cybersecurity landscape, the importance of regular vulnerability assessments cannot be overstated. For this project, we will be simulating a real-world scenario where a company, XYZ Corp, undergoes a vulnerability assessment to identify potential weaknesses in its network. During the assessment, a vulnerable machine was identified within the network, and by leveraging these weaknesses, we were able to demonstrate how an attacker could potentially exploit them to gain unauthorized access.
This project aims to highlight the critical role of vulnerability management in maintaining a robust security posture and ensuring that corporate assets are protected from malicious actors.

2. Project Objectives

The primary objectives of this project are as follows:
  • Demonstrate the Process of Vulnerability Assessment: Using Nessus Essentials, we will scan the network to identify vulnerabilities present in the systems.
  • Highlight the Risks of Unpatched Vulnerabilities: We will exploit specific vulnerabilities, such as those found in VNC and UnrealIRCd, to show how attackers can gain unauthorized access.
  • Increase Awareness of Vulnerability Management: By showcasing the potential damage of unpatched vulnerabilities, this project aims to underscore the importance of regular vulnerability assessments and timely patching in corporate environments.
  • Provide Practical Insights: Through hands-on exploitation using Metasploit, we aim to provide a practical understanding of how attackers can leverage vulnerabilities to compromise systems.

3. Legal Disclaimer

This project is conducted in a controlled environment, and all activities performed are for educational purposes only. Unauthorized use of these techniques on networks or systems you do not own or have explicit permission to test is illegal and unethical. The findings and results presented in this project should be used to strengthen cybersecurity defenses, not to exploit them.

4. Network Architecture and Setup

4.1 Overview of the Network Setup

The network used in this project simulates a typical corporate environment, consisting of an OPNsense firewall, an Ubuntu machine running Nessus Essentials, a Metasploitable2 virtual machine, and a Parrot OS machine running Metasploit. 
Each component serves a specific role:
  • OPNsense Firewall: Acts as the network's security perimeter, controlling inbound and outbound traffic and protecting internal systems from unauthorized access.
  • Ubuntu Machine with Nessus Essentials: This system is used to perform vulnerability scanning across the network, identifying potential security weaknesses in connected devices.
  • Metasploitable2: A vulnerable virtual machine used to simulate an unpatched system within the network. It contains multiple security flaws, making it an ideal target for exploitation.
  • Parrot OS with Metasploit: A penetration testing environment used to exploit identified vulnerabilities and demonstrate the risks associated with unpatched systems.

4.2 Network Diagram

5. Key Terminologies Explained

  • Vulnerability: A vulnerability is a weakness or flaw in a system, software, or network that can be exploited by an attacker to gain unauthorized access or perform malicious activities. Vulnerabilities can arise due to coding errors, misconfigurations, or unpatched software.
  • Exploit: An exploit is a piece of code or a technique used by attackers to take advantage of a vulnerability in a system. Exploits are designed to breach security measures and allow unauthorized actions, such as executing arbitrary code or gaining elevated privileges.
  • Metasploitable2: Metasploitable2 is a purposely vulnerable virtual machine that is commonly used for testing security tools and learning how to exploit vulnerabilities. It contains numerous pre-configured vulnerabilities, making it an ideal target for practicing penetration testing techniques.
  • Metasploit: Metasploit is a widely used open-source framework for developing, testing, and executing exploits against known vulnerabilities. It provides a comprehensive set of tools for penetration testers to simulate attacks and assess the security posture of systems.
  • Vulnerability Assessment: A vulnerability assessment is the process of identifying, classifying, and prioritizing vulnerabilities in a system, network, or application. It typically involves using automated tools, like Nessus, to scan for known vulnerabilities and provide a detailed report for remediation.
  • Vulnerability Management: Vulnerability management is an ongoing process of identifying, assessing, prioritizing, and mitigating vulnerabilities in systems and networks. It involves regular scanning, timely patching, and implementing security best practices to reduce the risk of exploitation.

6. Initial Configuration and Setup

Nessus is a vulnerability scanning tool developed by Tenable, Inc. It is proprietary, subscription-based software that scans the ports of a computer or server for known vulnerabilities and presents the findings as reports in various formats.
Nessus uses a constantly updated database of vulnerability checks (plugins) to look for possible weaknesses. Furthermore, it is a beginner-friendly tool, as it does not require advanced knowledge of operating systems or command-line tools. As a result, it is one of the finest tools for the reconnaissance/enumeration stage of a penetration test.
As Nessus is a proprietary tool, it is sold in several editions. There are three tiers of Nessus, based on the feature set provided:
  • Nessus Essentials
  • Nessus Professional
  • Nessus Expert
Nessus Essentials is the free version of the tool, and it contains all the features needed for regular vulnerability scans. Nessus Professional is the next tier, providing more functionality than the free version; it is suitable for professional penetration testers and security practitioners. The last one, Nessus Expert, is the complete feature set offered by Nessus and is aimed at IT departments of small enterprises and similar.
For the demonstration we shall use the Nessus Essentials edition of the tool. However, the installation process is similar for every edition.
Prerequisites

To continue with this project, we will need to meet the following requirements:
  • A server or virtual machine running Ubuntu 22.04, either the Desktop distribution or its Server counterpart.
  • The machine must have a minimum of 4 GB of RAM available. Although Tenable recommends 8 GB of RAM, 4 GB is enough for comparatively small scans.
  • The Ubuntu machine should have at least 5 GB of disk space just to install the Nessus Essentials tool.
  • The system should have at least four dual-core processors; anything beyond that only speeds up the scans.
  • The minimum processor speed for running Nessus should be 1 GHz or more.
  • The Ubuntu machine should have a non-root user account with sudo access, as it is good practice not to work directly as the superuser (root).
  • (Optional) For the vulnerability scan later in this tutorial, there should be a second machine to scan (in this tutorial another Ubuntu machine is used for that purpose). The target machine should also have a non-root user account and access to the root account.
  • A supported browser (Google Chrome, Mozilla Firefox) should be installed on the Ubuntu machine. We are using Mozilla Firefox in this tutorial.
Now, let us head on to the installation part of this tutorial.

Installing the Nessus Essentials Tool
After meeting the requirements mentioned in the previous section, we shall install the Nessus Tool on our Ubuntu machine.
We shall first download the installation package for Ubuntu using curl:

sudo curl --request GET --url 'https://www.tenable.com/downloads/api/v2/pages/nessus/files/Nessus-10.4.2-ubuntu1404_amd64.deb' --output /tmp/'Nessus-10.4.2-ubuntu1404_amd64.deb'

This downloads the Nessus installation package into the /tmp folder. Now we use dpkg to install Nessus on the Ubuntu machine. Type the following command to install it on the system:

sudo dpkg -i /tmp/Nessus-10.4.2-ubuntu1404_amd64.deb

After this, Nessus is installed, and we need to start the nessusd service. Type the following command:

sudo /bin/systemctl start nessusd.service

Now you can access Nessus in your browser using localhost or the IP address of the VM, continue the configuration with the activation code, and create an administrator account.
Note: port 8834 is the default port of Nessus, so the web interface is reached at https://localhost:8834 (or https://<VM IP address>:8834). The first visit shows a self-signed certificate warning, and Nessus spends several minutes compiling plugins before the login page becomes usable.
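Two checks worth scripting around the install steps above, as an added example that is not part of the original write-up or of Tenable's tooling: comparing the SHA-256 of the downloaded .deb with the checksum published on Tenable's download page before dpkg runs it, and polling the Nessus web service until it reports that plugin compilation is finished. The checksum value is a placeholder to be filled in from the download page, and the /server/status endpoint with its {"status": ..., "progress": ...} JSON body is assumed from the Nessus REST API; the fetcher is injected so the poller can be exercised offline.

```python
"""Post-download checks for the Nessus package and service (added example)."""
import hashlib
import json
import time

DEB_PATH = "/tmp/Nessus-10.4.2-ubuntu1404_amd64.deb"
# Placeholder: copy the SHA-256 shown on the Tenable download page for this exact file.
EXPECTED_SHA256 = "<sha256 from the tenable.com downloads page>"
NESSUS_URL = "https://localhost:8834"  # default Nessus port, see the note above


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large package never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_hex):
    """True only when the file's digest matches the published one (case-insensitive)."""
    return sha256_file(path) == expected_hex.strip().lower()


def parse_server_status(body):
    """Reduce the assumed /server/status JSON document to (ready, progress)."""
    data = json.loads(body)
    return data.get("status") == "ready", data.get("progress")


def wait_until_ready(fetch, attempts=60, delay=5.0, sleep=time.sleep):
    """Poll until Nessus reports ready; returns the number of polls it took.

    `fetch()` returns the body of GET /server/status as text, or raises on
    connection errors (nessusd has not started listening yet).
    """
    for attempt in range(1, attempts + 1):
        try:
            ready, progress = parse_server_status(fetch())
        except (OSError, ValueError):
            ready, progress = False, None
        if ready:
            return attempt
        sleep(delay)
    raise TimeoutError(f"Nessus not ready after {attempts} polls")


def _https_fetch():
    """Real fetcher for the fresh install, whose certificate is self-signed."""
    import ssl
    import urllib.request

    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # only acceptable for this first check on localhost
    ctx.verify_mode = ssl.CERT_NONE
    url = f"{NESSUS_URL}/server/status"
    with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    if not verify_download(DEB_PATH, EXPECTED_SHA256):
        raise SystemExit("checksum mismatch: do not run dpkg -i on this package")
    print("package verified; run dpkg -i and start nessusd, then wait for the web UI")
    polls = wait_until_ready(_https_fetch)
    print(f"Nessus ready after {polls} poll(s) at {NESSUS_URL}")
```

Run the script after the curl download and before the dpkg step; the poller is only useful once nessusd has been started, and it treats a refused connection the same as a "loading" reply rather than failing immediately.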

7. Conducting a Network Vulnerability Scan with Nessus

Tenable recommends that all users first run a host discovery scan to establish which hosts are on the network. Discovery scans report, per IP address, the operating system, open ports and FQDN. You can then decide which hosts to target with a full vulnerability scan.

Click on “Host Discovery”

Enter a name, specify the IP address range of the network you want to scan, and start the scan. In our case we will be scanning for hosts in the range 192.168.1.0/24:
We can see here that the scan is in progress; we wait for it to finish:
Once the scan is finished, we can see the machines that Nessus found for us. There is a vulnerable machine with several open ports at the IP address 192.168.1.101:

8. Credentialed vs. Non-Credentialed Scanning

8.1 Performing a Non-Credentialed Scanning

Choose “Basic Network Scan”
As this is just a basic scan, there are very few fields to fill in; in this case, the Name and Targets fields.
  • We will set the name to "Metasploitable".
  • We will set the Target IP to 192.168.1.101
We will leave all other settings such as Discovery, Assessment, Report, and Advanced on the default and launch the scan:
Wait patiently… Go grab a cup of coffee and come back later because this is going to take a while.
Finally… After a long wait, the scan is done:

Click on the scan to view the detailed report of the scan:

From the image below, you can see that it found:
  • 11 Critical
  • 7 High
  • 26 Medium
  • 9 Low
  • 29 Info (an info finding is useful to know about, but is not necessarily a vulnerability)
Select the 'Vulnerabilities' tab; you can click on each vulnerability type to see more information about that specific vulnerability.

8.2 Performing a Credentialed Scanning

Now we are going to run another scan, similar to the one above, but this time using credentials:
Click on the Credentials section and fill in the SSH and FTP credentials, in this case 'msfadmin' as both the username and the password, as shown in the screenshots below:
Now fill in the FTP username and password, and launch the scan:
After the credentialed scan has finished, we can see that it found far more vulnerabilities than the scan without credentials, because Nessus can now log in to the host and inventory the installed packages locally instead of relying only on what the network services reveal. As mentioned earlier, without credentials we found 11 Critical, 7 High, 26 Medium, 9 Low and 29 Info; with credentials we now have 30 Critical, 95 High, 144 Medium, 18 Low and 184 Info.
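The comparison above can be automated once both scans are exported from the Nessus UI (Export menu, .nessus format). The script below is an added example, not code from the original write-up or from Tenable: it parses the NessusClientData_v2 XML, reproduces the per-severity summary, lists the findings that only the credentialed scan surfaced, and orders them for remediation with exploitable items first. The two embedded documents are constructed stand-ins for the real Metasploitable exports, and their plugin IDs (9000xx) are placeholders, not real Nessus plugin IDs; only the ReportHost/ReportItem layout and the severity and exploit_available fields are taken from the real export format.

```python
"""Compare a non-credentialed with a credentialed Nessus export (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def _sample_export(items):
    """Build a minimal .nessus document for one host from constructed findings.

    Each item is (plugin_id, plugin_name, severity 0-4, port, exploit_available).
    """
    rows = "".join(
        f'<ReportItem port="{port}" svc_name="unknown" protocol="tcp" severity="{sev}" '
        f'pluginID="{pid}" pluginName="{name}" pluginFamily="Misc.">'
        f'<exploit_available>{"true" if exploit else "false"}</exploit_available>'
        "</ReportItem>"
        for pid, name, sev, port, exploit in items
    )
    return (
        '<NessusClientData_v2><Report name="Metasploitable">'
        f'<ReportHost name="192.168.1.101">{rows}</ReportHost>'
        "</Report></NessusClientData_v2>"
    )


# Constructed sample: findings a remote-only scan can see (banners and defaults).
REMOTE_ONLY = [
    ("900001", "VNC Server 'password' Password", 4, 5900, True),
    ("900002", "UnrealIRCd Backdoor Detection (CVE-2010-2075)", 4, 6667, True),
    ("900003", "SSL Version 2 and 3 Protocol Detection", 3, 25, False),
    ("900004", "Nessus SYN scanner", 0, 21, False),
]
# Constructed sample: extra findings once SSH credentials allow a local package inventory.
LOCAL_EXTRA = [
    ("900005", "Outdated kernel package (constructed)", 4, 0, True),
    ("900006", "Outdated OpenSSL package (constructed)", 3, 0, False),
]
NON_CREDENTIALED_XML = _sample_export(REMOTE_ONLY)
CREDENTIALED_XML = _sample_export(REMOTE_ONLY + LOCAL_EXTRA)


def load_findings(xml_text):
    """Flatten every ReportItem of every host in a .nessus export into a dict."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            exploit = item.findtext("exploit_available", default="false")
            findings.append({
                "host": host.get("name"),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "port": int(item.get("port", "0")),
                "exploit_available": exploit.strip().lower() == "true",
            })
    return findings


def severity_counts(findings):
    """Count findings per severity label, like the summary bar in the Nessus UI."""
    counts = Counter(SEVERITY_NAMES[f["severity"]] for f in findings)
    return {label: counts.get(label, 0) for label in SEVERITY_NAMES.values()}


def _key(f):
    return (f["host"], f["plugin_id"], f["port"])


def new_findings(baseline, credentialed):
    """Findings present in the credentialed export but absent from the baseline."""
    seen = {_key(f) for f in baseline}
    return [f for f in credentialed if _key(f) not in seen]


def prioritize(findings):
    """Remediation order: findings with a public exploit first, then by severity."""
    return sorted(findings, key=lambda f: (not f["exploit_available"], -f["severity"]))


if __name__ == "__main__":
    before = load_findings(NON_CREDENTIALED_XML)
    after = load_findings(CREDENTIALED_XML)
    print("non-credentialed:", severity_counts(before))
    print("credentialed:   ", severity_counts(after))
    for f in prioritize(new_findings(before, after)):
        print(f"NEW sev={f['severity']} exploit={f['exploit_available']} {f['name']}")
```

To use it on real exports, replace the two constructed strings with the contents of the exported files; the (host, plugin ID, port) key used for the diff is stable across repeated scans of the same host, which is what makes the same script usable for tracking remediation progress from one scan to the next.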

9. Exploiting Vulnerabilities Identified by Nessus

9.1 Exploiting VNC Vulnerability

Referring to the vulnerabilities we have found, there is a critical finding that Nessus detected: the VNC server on the machine uses the word 'password' as its password:
From our attacker machine (Parrot OS), we open VNC Viewer and enter the IP address of the vulnerable machine:
We click on "Continue".
As shown by Nessus, the machine uses the word "password" as the VNC password, so we enter that:
Here we have exploited that weakness, and we can do whatever we want on the machine through its terminal:

9.2 Exploiting UnrealIRCd Vulnerability

Referring again to the vulnerabilities we have found, there is another critical finding that Nessus detected: the UnrealIRCd backdoor, CVE-2010-2075.
Click on the vulnerability to see more details.
On the attacker machine we use Metasploit to exploit this vulnerability, starting with the search command in msfconsole followed by unrealircd:
We see that Metasploit has a working module for this vulnerability. The next step is to select the module, set the appropriate options as follows, and run the exploit:
  • use exploit/unix/irc/unreal_ircd_3281_backdoor
  • set RHOSTS 192.168.1.101 (typically the IP Address of the vulnerable machine)
We then use the 'show payloads' command to list all the payloads that can be used with this exploit:
We set the payload to 'payload/cmd/unix/bind_perl' with the set payload command, then run the exploit:
Here we have exploited the vulnerability and gained a remote shell on the machine; running "hostname" and "ip a" confirms that the shell is on the Metasploitable 2 machine:

10. Importance of Ongoing Vulnerability Management

In the ever-evolving world of cybersecurity, the significance of vulnerability management cannot be overstated. Vulnerability management is a proactive process that helps organizations identify and address security weaknesses before they can be exploited by malicious actors.
By continuously monitoring and scanning for vulnerabilities, companies can ensure that their systems are up-to-date and protected against known threats. This ongoing process not only mitigates the risk of attacks but also facilitates compliance with industry standards and regulations. Additionally, effective vulnerability management helps in maintaining the integrity and confidentiality of sensitive data, which is pivotal for building trust with clients and stakeholders.

11. Conclusion: Lessons Learned and Best Practices

In conclusion, this project has demonstrated the critical importance of vulnerability assessments and the potential risks associated with unpatched vulnerabilities. Through hands-on exploitation using Metasploit, we have seen how easily attackers can take advantage of weaknesses in a network. 
To safeguard against such threats, organizations must adopt a proactive approach to vulnerability management. This includes regular scanning, timely patching, and continuous monitoring of systems. By doing so, companies can enhance their security posture and reduce the likelihood of successful attacks. Ultimately, the goal is to create a resilient environment where vulnerabilities are promptly addressed, and security is continuously improved. 
