How To Install Nessus Vulnerability Scanner

In our previous post we showed how to download the Home edition of Nessus and verify the hash of the download; here we will show how to install it, set it up and run your first scan. This is a very basic setup to get you up and running quickly with the free version of Nessus. If you are going to be using it in a live production environment, don’t use this guide.

If you have not read the initial post, go here first, then come back.

You should be where we left off, which is just after hashing the download and confirming it matches the published checksum, as shown below.

Get used to running the “ls” command to check which directory you are in and that you have access to the correct files.

We “ls” to check, as mentioned above, then run “sudo dpkg -i Nessus-7.2.0-debian6_amd64.deb” (dpkg needs root), which unpacks the .deb and installs Nessus. Substitute the file name of the version you downloaded.

While that runs and installs we need to go back to tenable.com and get an activation code.

Fill in the details and wait for your email with the activation code.

Go back to your Terminal where the install should now have completed. Check the Window for errors and if there are none we are good to continue.

Run the following: “sudo /etc/init.d/nessusd start”. On a systemd-based distro (current Kali, Debian and Ubuntu) “sudo systemctl start nessusd” does the same job, and “sudo systemctl enable nessusd” makes the scanner start at boot.

Nessus is now running, so open a browser on the same machine and go to https://localhost:8834 and you should get the login screen. Expect a certificate warning the first time: the scanner generates its own self-signed certificate during install, and for a connection to localhost that is fine to accept. Port 8834 is the scanner’s administrative interface; if this machine is reachable from others, firewall the port so that only you can get to it.

Create a Username and a Password to login  for the first time (don’t forget these!) and you will get the activation page.

Leave the scanner type as it is, and enter the activation key you received by email.

If the key is accepted you will see the next screen; now is the time to make a coffee, as this stage may take some time while Nessus downloads and compiles its plugin set.

Once completed you will see the “New Scan” screen.

Select New Scan as shown, then select “Basic Network Scan”. This will allow us to do a basic scan of our internal home network.

We will need to find out the IP address and netmask of our network for the next step. The easiest way to do this is “ifconfig” (or “ip addr” on newer Linux installs, where ifconfig is often not present) on a Linux box, or “ipconfig” on a Windows box. Run this from a Terminal window and make a note of your IP address and subnet mask. (This is a simple step, so if you are unsure how to do it you really shouldn’t be installing Nessus, to be honest!)

Name and description can be whatever you want, but the targets box needs the address or range you want to scan. In the example it shows “192.168.0.0-255”, which means we are going to scan every address on our /24 home network; “192.168.0.0/24” is the same range in CIDR form, which Nessus also accepts. To scan an individual host you would use a single address, for example “192.168.0.5”. Only put addresses you own or are authorised to scan in this box: Nessus sends a lot of probing traffic, and scanning someone else’s network is at best an abuse complaint and at worst a crime. Now save as shown below and you’ll go back to the main page.

To start your scan click the chevron, as outlined below, then wait for your scan to complete.
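The target step above is the one people get wrong by typing a range that is far bigger than their own LAN. The script below is an added example, not code from the original post: it reads the address and netmask off “ip -o -4 addr” output or an ifconfig “inet” line, works out the network the interface sits on, and returns it in the CIDR form Nessus accepts, refusing anything wider than a /24. The “ip addr” output embedded in it is constructed, not captured from a real host.

```python
"""Work out the Nessus target for the network your own interface sits on.

Added example, not code from the original post. The post has you read the
address off ifconfig/ipconfig and type "192.168.0.0-255" by hand; this does the
same from the interface's address and netmask and refuses anything wider than
a /24, so a home scan cannot accidentally sweep a whole /16. The sample output
below is constructed, not captured from a real host.
"""
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show` output (modern Linux; ifconfig is often absent).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.0.5/24 brd 192.168.0.255 scope global eth0
"""

_IP_ADDR_LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+/\d+)", re.M)
# Matches both "inet 192.168.0.5  netmask 255.255.255.0" and the older
# "inet addr:192.168.0.5  Bcast:...  Mask:255.255.255.0" ifconfig layouts.
_IFCONFIG_INET = re.compile(
    r"inet\s+(?:addr:)?(\d+\.\d+\.\d+\.\d+)\s+.*?(?:netmask|Mask:)\s*(\S+)", re.I)


def interfaces_from_ip_addr(text):
    """Return {ifname: IPv4Interface} for every 'inet' line, loopback excluded."""
    found = {}
    for name, cidr in _IP_ADDR_LINE.findall(text):
        iface = ipaddress.IPv4Interface(cidr)
        if not iface.ip.is_loopback:
            found[name] = iface
    return found


def interface_from_ifconfig_line(line):
    """Parse one ifconfig 'inet' line; ValueError if no address/mask pair is present."""
    m = _IFCONFIG_INET.search(line)
    if m is None:
        raise ValueError("no inet address and netmask found in: " + line.strip())
    addr, mask = m.group(1), m.group(2)
    if mask.lower().startswith("0x"):  # BSD/macOS print the mask in hex, e.g. 0xffffff00
        mask = str(ipaddress.IPv4Address(int(mask, 16)))
    return ipaddress.IPv4Interface(f"{addr}/{mask}")


def nessus_target(iface, max_prefix=24):
    """Return the interface's network in CIDR form, which Nessus accepts as a target
    (192.168.0.0/24 covers the same hosts as the post's 192.168.0.0-255).
    Networks wider than /max_prefix are refused: narrow the scope on purpose."""
    net = iface.network
    if net.prefixlen < max_prefix:
        raise ValueError(f"{net} is wider than /{max_prefix}; pick a smaller range to scan")
    return str(net)


if __name__ == "__main__":
    for name, iface in interfaces_from_ip_addr(SAMPLE_IP_ADDR).items():
        print(f"{name}: {iface.ip} on {iface.network} -> Nessus target {nessus_target(iface)}")
```

Paste the printed target straight into the targets box. If you genuinely need to scan more than a /24, raise max_prefix deliberately rather than typing a wide range by hand.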

Once the scan completes, the real fun starts!

How to verify a file hash in Linux

We have recently shown how to do this in Windows so we will now show how to do this in Linux. Here we will be using Kali but it will work with most Linux distros.

We want to download the free Home Version of Nessus but want to make sure the file has not been tampered with before we install.

We browse to the download site and download the version we need but also copy the hash checksums to simple text files for comparison later. You can do this by simply copying to your clipboard and then paste into a blank text file.

We will download everything to our download folder to make things simple. Once everything is done you should have 3 files in your download folder as shown below.

Now off to the cmd line so open a Terminal and “cd” to the Downloads folder as shown, then use “ls” to list the directory to also confirm you are in the correct location and the correct files are there.

Now we run “sha256sum Nessus-7.2.0-debian6_amd64.deb”. The cmd part is “sha256sum” and the next part is just the file name you want to hash.

You should see the output of the cmd which is your file hash to compare to the one from the site that you had copied earlier.

Now copy that hash output and paste it underneath the one you have from the site. We used sha256sum, so we compare against the SHA-256 checksum, not the MD5 one. Compare the whole string, not just the first few characters: a partial match proves nothing.

As you can see, the highlighted one is our output, and they are a perfect match. Excellent, we can now install Nessus with confidence that the file we have is the one Tenable published and was not corrupted or swapped in transit. Bear in mind what the check does and doesn’t prove: the hash came from the same website as the download, so it catches a bad mirror or a tampered download, but not an attacker who controls tenable.com itself; the HTTPS connection to the site is what you are trusting for that. (If you save the published hash and filename into a checksum file in the “<hash>  <filename>” format, “sha256sum -c” will do the comparison for you.)

Our next post will see us install Nessus.
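The manual copy-and-compare above is easy to get wrong by eye. The script below is an added example, not code from either post: it hashes the file in chunks, pulls the expected digest out of whatever text was pasted from the download page (so “SHA256: <hash>” and “<hash>  filename” both work), refuses to guess when the pasted text holds zero or several different digests, and compares the full 64 characters. The demo input and the checksum text are constructed; the digests in it are the well-known SHA-256 values of “hello” plus newline and of the empty string.

```python
"""Verify a download against its published SHA-256 before installing it.

Added example, not code from the original post. It does in one place what the
post does by hand: hash the file (streamed, so a large .deb is not read into
memory), pull the expected digest out of whatever text you pasted from the
download page, and compare the two in full. The sample bytes in the demo are
constructed; the digests are the well-known SHA-256 values of "hello\\n" and of
the empty string.
"""
import hashlib
import io
import re

_HEX_DIGEST = re.compile(r"\b[0-9a-fA-F]{64}\b")


def sha256_of_stream(fileobj, chunk_size=1 << 20):
    """SHA-256 of a binary file object, read in 1 MiB chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path):
    with open(path, "rb") as f:
        return sha256_of_stream(f)


def expected_digest(pasted_text):
    """Pull the SHA-256 out of text copied from the download page, whether it reads
    'SHA256: <hash>' or '<hash>  Nessus-7.2.0-debian6_amd64.deb'.
    Refuses to guess: exactly one distinct digest must be present."""
    digests = {m.lower() for m in _HEX_DIGEST.findall(pasted_text)}
    if len(digests) != 1:
        raise ValueError(f"expected exactly one SHA-256 digest, found {len(digests)}")
    return digests.pop()


def verify(path, pasted_text):
    """Return (ok, actual, expected). Only install when ok is True."""
    expected = expected_digest(pasted_text)
    actual = sha256_of_file(path)
    return actual == expected, actual, expected


def verify_bytes(data, pasted_text):
    """Same check for in-memory bytes; used by the demo and for quick testing."""
    expected = expected_digest(pasted_text)
    actual = sha256_of_stream(io.BytesIO(data))
    return actual == expected, actual, expected


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # verify.py <file> <checksum-text-file>
        with open(sys.argv[2]) as f:
            ok, actual, expected = verify(sys.argv[1], f.read())
    else:                           # no arguments: constructed demo input
        ok, actual, expected = verify_bytes(
            b"hello\n", "SHA256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03")
    print("OK" if ok else "MISMATCH", "\n  actual:  ", actual, "\n  expected:", expected)
    sys.exit(0 if ok else 1)
```

Chain it in front of the install (“python3 verify.py Nessus-7.2.0-debian6_amd64.deb sha256.txt && sudo dpkg -i Nessus-7.2.0-debian6_amd64.deb”) so a mismatch stops dpkg from ever running.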


How to add SCSI drive to Ubuntu Server

While messing about in my home lab I found I needed to add a SCSI drive to a virtual machine and had no idea how to do it. Although this doesn’t have anything to do with security I’ve posted it here as I know I will definitely need to do this again at some point. Here we have already attached the new VHD to a SCSI controller in the virtual machine management console, so the disk is connected as far as the guest is concerned but still needs to be partitioned, formatted, labelled and mounted.

To list all connected disks run

ls /dev/sd*

this will return the following

If you are unsure which is the new disk, then the easiest way to check is to disconnect the new SCSI drive and run this command, then reconnect the disk and run the same command again and compare the results. The disk that wasn’t there the first time is obviously your new disk. (“lsblk” is also worth running: it lists each disk with its size and partitions, and a brand-new disk is the one with the right size and no partitions under it.) The disks are named “sd” followed by a letter. The primary disk is usually “sda”, with the partitions numbered, so sda1 would be the first partition on the first disk. In our example sdb is our new disk, so we will be applying changes to this; if your disk is named differently then you will need to replace “sdb” with the name of your own disk in the following instructions. Double-check before going further: fdisk and mkfs on the wrong disk destroy what is on it.

Once we have identified the new disk we are ready to launch the “fdisk” utility.

sudo fdisk /dev/sdb

Always look at the help menus when using new tools, as it will help you gain an understanding of them rather than just blindly following instructions. In fdisk, “m” prints the help menu, shown below.

From here we type “n” for a new partition, then “p” for primary and accept all the defaults.

You must then select “w” to write and save the changes, if you don’t do this then the partition will not be created.

Now that we’ve created our partition we need to create the file system

sudo mkfs.ext3 -L DATA /dev/sdb1

The “-L” switch sets the filesystem label (not the partition name); here we have used “DATA” but you can choose anything. We are creating the filesystem on our new partition, “/dev/sdb1”, the first partition on sdb. (ext3 is what this post used; on a current Ubuntu, mkfs.ext4 is the usual choice and the remaining steps are identical.)

Next we make a directory to use as the mount point; it has to exist before anything can be mounted on it

sudo mkdir /Data

Now we mount the filesystem on it (device first, then mount point, separated by a space)

sudo mount /dev/sdb1 /Data

To check the filesystem is mounted we can run

df -h /Data

The final thing we need to do is change a configuration so that this new location is mounted every time the server is restarted.

We do this by editing the following file.

sudo nano /etc/fstab

Then add the following line, as shown below. The first field is the device, the second is the mount point we created, so if you used a different mount point put that instead of /Data. (The label set with -L can be used in place of the device path as “LABEL=DATA”, and the UUID printed by “sudo blkid /dev/sdb1” as “UUID=<value>”; either survives the disk being renamed from sdb to sdc when another drive is attached, which /dev/sdb1 does not.)

/dev/sdb1          /Data        ext3       defaults,nodev,nosuid    0  2

The fourth field is the mount options: “defaults” alone works, and adding nodev,nosuid stops a data disk from carrying device nodes or setuid binaries, which it never legitimately needs. The last field, 2, lets fsck check the disk at boot after the root filesystem (0 turns that off).

That’s it. Before restarting, run “sudo mount -a”: it mounts everything in fstab that isn’t mounted yet, so a typo in the new line shows up as an error now rather than as a server stuck in emergency mode at the next boot. Then check the config by restarting your machine and running the list-disk and show-mounted commands again; you should see that your new partition is already mounted, as shown in the screen shots below.
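Editing /etc/fstab by hand is where this procedure bites: a duplicated or mistyped line can stop the next boot. The script below is an added example, not code from the original post. Its pure functions take fstab text and return the text with the new entry added, keyed by filesystem UUID rather than /dev/sdb1 (device names are handed out in detection order and can change when another disk is attached), with nodev,nosuid set, and refusing to add a second, conflicting entry for the same mount point or UUID. run() wires them to blkid and “mount -a”, needs root and a real, already-formatted partition, and only runs when given arguments; the fstab text in the demo is constructed.

```python
"""Add a data disk to /etc/fstab by UUID, idempotently, then mount it.

Added example, not code from the original post. The post adds one line to
/etc/fstab by hand; the functions below produce the equivalent entry but
(a) keyed by filesystem UUID, because /dev/sdX names are assigned in
detection order and can change when another disk is attached, (b) with
nodev,nosuid, since a data disk has no business carrying device nodes or
setuid binaries, and (c) refusing to add a second, conflicting entry for the
same mount point. run() glues them to blkid and "mount -a" as root; the fstab
text in the demo is constructed.
"""
import shutil
import subprocess
import sys

FSTAB = "/etc/fstab"


def parse_fstab(text):
    """Return the whitespace-split fields of every non-blank, non-comment line."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {line!r}")
        entries.append(fields)
    return entries


def fstab_line(uuid, mountpoint, fstype="ext3", options="defaults,nodev,nosuid", fsck_pass=2):
    """One fstab entry: dump field 0; fsck pass 2 = check after the root filesystem."""
    return f"UUID={uuid}\t{mountpoint}\t{fstype}\t{options}\t0\t{fsck_pass}"


def add_entry(text, uuid, mountpoint, **kwargs):
    """Return the fstab text with the new entry appended. Unchanged if the identical
    entry is already there; ValueError if the mount point or UUID is already used
    by a different entry, rather than silently adding a second one."""
    new_line = fstab_line(uuid, mountpoint, **kwargs)
    for fields in parse_fstab(text):
        spec, existing_mp = fields[0], fields[1]
        if existing_mp == mountpoint or spec == f"UUID={uuid}":
            if fields == new_line.split():
                return text
            raise ValueError(f"conflicting entry already present: {' '.join(fields)}")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


def run(partition, mountpoint):
    """partition is e.g. /dev/sdb1, already formatted with mkfs.ext3 -L DATA as in the post."""
    uuid = subprocess.check_output(["blkid", "-s", "UUID", "-o", "value", partition], text=True).strip()
    if not uuid:
        sys.exit(f"{partition} has no filesystem UUID; did mkfs run?")
    with open(FSTAB) as f:
        current = f.read()
    updated = add_entry(current, uuid, mountpoint)
    if updated != current:
        shutil.copy2(FSTAB, FSTAB + ".bak")          # keep a copy: a bad fstab can stop the boot
        with open(FSTAB, "w") as f:
            f.write(updated)
    subprocess.run(["mkdir", "-p", mountpoint], check=True)
    subprocess.run(["mount", "-a"], check=True)        # exercise the new line now, not at next boot
    print(subprocess.check_output(["findmnt", "--target", mountpoint], text=True))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        run(sys.argv[1], sys.argv[2])               # e.g. sudo python3 add_disk.py /dev/sdb1 /Data
    else:
        demo = "# constructed sample\nUUID=aaaa-1111\t/\text4\terrors=remount-ro\t0\t1\n"
        print(add_entry(demo, "bbbb-2222", "/Data"))
```

Running the script twice is harmless: the second run finds the identical entry and leaves the file alone, whereas the hand-edited approach in the post happily ends up with two lines for /Data.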


DDEAUTO Opens Webpage

We have already posted about DDEAUTO, but thought we’d show another one just as it’s slightly different.

If a document opens and you are greeted by a pop-up of any kind asking you to allow or start something, then I’d say 99 times out of a hundred it’s going to be malicious, and you should just close and delete the document immediately and run a full anti-virus scan with at least 3 different free scanners. (Closing it only helps if you didn’t click Yes: once the prompt has been accepted, the command it was asking about has already run.)

Then 2 weeks later re-run all the scans again.

The DDEAUTO Exploit in all Microsoft Office Documents

This is the new exploit which is everywhere at the moment.

It’s a little different to the typical macro exploits which are normally used: DDE (Dynamic Data Exchange) is an old, legitimate Office feature for pulling data from another application, so a document carrying a DDEAUTO field contains no macro at all, and having macros disabled does nothing to stop it. All it needs is for the user to agree to the prompts.

In general you will need to click on 2 pop ups to allow the exploit to run, however since writing this I have played around a bit more and managed to get it down to only one pop up.

The point here in this video however is to show that if you read what the pop up says, you should not be clicking on it in any circumstances.

It’s true that some documents are linked dynamically to keep all data in linked sheets up to date. However if you are using one of these you would normally know about it.

If you don’t normally use documents with linked data and you open one which asks you to allow linked data, don’t just click OK! If you know who sent it, ask them what it is, and if you don’t know where it came from you probably shouldn’t even be opening the attachment in the first place!

Then after clicking Yes to the first pop-up we receive a second one: this is Word asking whether to start the application named in the field, and clicking Yes here is what actually runs the attacker’s command. Ours is very obviously named for the sake of this demonstration, but an attacker would be trying their best to disguise it.

We hope that by watching this video you will be a little bit more educated and perhaps won’t click on that pop up box if you receive one of these emails!

Enjoy the Video.

Excel Malicious Macro Attachment

Hello again.

It’s 2017 and we are still enabling Macros in documents we receive via email! (Come on people!)

Anyways, there are still people out there who don’t believe a macro can be used this way, so here is a quick video you can show them.

In this short clip a user receives an email that appears to be from Jerry.random@uk-company.com, but you can clearly see it actually came from a Gmail address (the display name and the real sender address are two separate things, and the display name is whatever the sender typed), and it contains an Excel invoice attachment.

In this example we have Excel set to not allow macros to run automatically, which is the default “disable all macros with notification” setting, but we are aware that a lot of people don’t use this setting (you nut-cases!).

Notice that nothing happens until the Macro is enabled!

Don’t enable a macro unless you are 100% sure of what it is.

The Excel sheet contains a simple macro which opens IE and goes to a website. This demonstrates how easy it is for an attacker to use a macro to either install malware or ransomware.  We have used this method in our demo as it is very quick and visual and seems to get the point across better than a more complicated example.
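Both of the tricks in these posts, the DDEAUTO field and the Excel macro, leave a footprint inside the attachment that can be checked before anyone opens it. The scanner below is an added example, not code from the original posts. Modern Office files (.docx, .xlsx, .xlsm and friends) are zip archives of XML: a DDE or DDEAUTO field sits in the document XML as field instruction text, Word’s “update fields on open” switch (what makes the first prompt appear automatically) lives in word/settings.xml, and a VBA macro project ships as vbaProject.bin. The documents the script builds are constructed minimal zips holding only the parts the scanner reads, and the program path in the DDE sample is a placeholder; legacy binary .doc/.xls files are a different format and are flagged as uninspectable rather than parsed.

```python
"""Triage an Office attachment for DDE fields and VBA macros without opening it.

Added example, not code from the original posts. Modern Office files (.docx,
.xlsx, .xlsm, ...) are zip archives of XML. A DDE or DDEAUTO field sits in the
document XML as field instruction text, Word's "update fields on open" switch
lives in word/settings.xml, and a VBA project ships as vbaProject.bin. The
documents below are constructed minimal zips that contain only the parts this
scanner reads; the program path in the DDE sample is a placeholder.
"""
import io
import re
import zipfile

DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.I)
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')


def triage_office_file(data):
    """Return findings for an OOXML file given as bytes, or {'error': ...} if it is not one."""
    findings = {"dde": [], "macros": [], "external_links": [], "update_fields": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"error": "not a zip-based Office file; legacy .doc/.xls need an OLE parser"}
    with archive:
        for name in archive.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["macros"].append(name)
            elif "/externallinks/" in lower:          # Excel "update links?" prompt
                findings["external_links"].append(name)
            if not lower.endswith(".xml"):
                continue
            xml = archive.read(name).decode("utf-8", "replace")
            if lower == "word/settings.xml" and "<w:updateFields" in xml:
                findings["update_fields"] = True
            # Word splits one field over many instrText runs ("DDE" + "AUTO ..."), so
            # join every instruction in the part before matching.
            instructions = "".join(INSTR_TEXT.findall(xml) + FLD_SIMPLE.findall(xml))
            if DDE_FIELD.search(instructions):
                findings["dde"].append(name)
    return findings


def is_suspicious(findings):
    """True if anything was found that makes Office show one of the prompts in the videos."""
    if "error" in findings:
        return True                                   # could not inspect: treat as untrusted
    return bool(findings["dde"] or findings["macros"] or findings["external_links"]
                or findings["update_fields"])


def build_sample(document_xml, settings_xml=None, extra_parts=None):
    """Constructed stand-in for a real .docx/.xlsx: just enough parts for the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        if settings_xml is not None:
            z.writestr("word/settings.xml", settings_xml)
        for part, content in (extra_parts or {}).items():
            z.writestr(part, content)
    return buf.getvalue()


BENIGN_DOC = '<w:document><w:p><w:r><w:instrText> PAGE </w:instrText></w:r></w:p></w:document>'
# The field name is split over two runs, as real samples do to evade naive string matching.
DDE_DOC = ('<w:document><w:p>'
           '<w:r><w:instrText xml:space="preserve">DDE</w:instrText></w:r>'
           '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\placeholder\\\\program.exe "argument"</w:instrText></w:r>'
           '</w:p></w:document>')
UPDATE_ON_OPEN = '<w:settings><w:updateFields w:val="true"/></w:settings>'

if __name__ == "__main__":
    for label, blob in [("benign", build_sample(BENIGN_DOC)),
                        ("dde", build_sample(DDE_DOC, UPDATE_ON_OPEN)),
                        ("macro", build_sample(BENIGN_DOC, extra_parts={"xl/vbaProject.bin": b"\x00"}))]:
        result = triage_office_file(blob)
        print(label, "SUSPICIOUS" if is_suspicious(result) else "clean", result)
```

The join-before-match step matters: a DDEAUTO field split across runs, or spread over several w:instrText elements, reads as “DDE” and “AUTO …” separately and would slip past a plain search for the whole word. This is a triage check, not an antivirus: a clean result means none of these three features is present, nothing more.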

Fake URL in Email

It’s 2017 and we are still clicking on links in emails!

This is a quick video to demonstrate how a link in an email displaying one address can take you somewhere completely different! The text of a link and its destination are set independently, so hover over the link (or long-press it on a phone) and read the real address the mail client shows before you click; if the two don’t match, don’t click.

We’re going to follow this up with some videos showing malicious attachments.

Don’t trust emails!
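The mismatch the video shows is mechanical and easy to check automatically. The script below is an added example, not code from the original post: it parses an HTML email body, collects every link’s visible text and real href, and reports a mismatch when the text looks like a web address on a different organisation than the destination. The HTML is a constructed sample using reserved example domains, and comparing the last two labels of a hostname is a deliberate simplification that is wrong for co.uk-style suffixes; real tooling uses the public suffix list.

```python
"""Flag email links whose visible text points one way and whose href goes another.

Added example, not code from the original post. The trick in the video is an
<a> element whose text looks like one address while its href is another; the
parser below collects every link's text and destination and compares the
organisation part of the two hostnames. The HTML is a constructed sample using
reserved example domains, and the "last two labels" rule is a deliberate
simplification (wrong for co.uk-style suffixes; use the public suffix list).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML email body.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention. Sign in at
<a href="http://login.example.net/verify?u=123">https://www.bank.example.com/login</a>
or read our <a href="https://www.bank.example.com/help">help page</a>.</p>
"""

# Visible text that a reader would take for a web address (scheme optional).
_URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d+)?(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Gather (href, visible text) for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def hostname_of(url):
    """Hostname of an http(s) URL, lower-cased; None for mailto:, relative links and junk.
    urlsplit handles the 'https://bank.example.com@evil.example.org' trick correctly:
    everything before the @ is userinfo and the real host is what follows it."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def organisation(host):
    """Last two labels of a hostname (see the caveat in the module docstring)."""
    return ".".join(host.split(".")[-2:])


def check_links(html):
    """Return one finding per http(s) link: verdict 'mismatch' when the visible text is
    an address on a different organisation than the href, 'ok' otherwise."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = hostname_of(href)
        if real_host is None:
            continue
        shown_host = None
        if _URL_LIKE.match(text):
            shown_host = hostname_of(text if "://" in text else "http://" + text)
        verdict = "ok"
        if shown_host and organisation(shown_host) != organisation(real_host):
            verdict = "mismatch"
        findings.append({"text": text, "href": href, "shown_host": shown_host,
                         "real_host": real_host, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL_HTML):
        print(f"{f['verdict']:8} text={f['text']!r} -> {f['real_host']}")
```

A link whose text is ordinary words (“help page”) gets no verdict from this check, because there is nothing to compare; it only catches the specific deception in the video, where the text itself is a URL.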

Exchange 2016. New Install Issues.

Recently I did a test install of Exchange 2016 and ran into a few problems which drove me mad for a while, as the issues and symptoms did not give any clue as to how they were eventually resolved!

I did a fresh install on a stand-alone Hyper-V virtual server with 4000 MB of static RAM, 4 processor cores and a 40GB VHD.

Microsoft recommends a minimum of 8GB for mailbox role, (see here) but I couldn’t believe it would actually need this much on a test Server, and I’ve always used way less than the recommended for initial test installs as they will be under no stress at all.

The install seemed to go fine, all the prerequisites were installed by the downloaded media, and the server restarted. On trying to open the web panel I was continually told that there was a memory error and to try again later. I ramped up the RAM 1GB at a time, but I couldn’t log in to the panel until the server had the full 8GB assigned.

After creating my first test mailbox whenever I tried to send an email I received the below error:

“You don’t have permission”? WTF. After going round and round in circles looking at user permissions, believing that I needed to assign user permissions, I found an obscure forum post which pointed me in the right direction. The solution was to remove the secondary DNS entry from the Exchange server’s network adapter! After removing this and then restarting the server the error disappeared.

I was now able to login and send emails internally and externally, however I was not able to receive emails either internal or external. I wasn’t getting any bouncebacks which could have given me some information on what was going on, I double checked my external DNS and MX records but all were correct.

In the end I used the Microsoft Connectivity Tool and this pointed out my issue immediately, and the issue was disk space. Even though the Exchange server had only 1 mailbox and nothing else installed, 40GB wasn’t enough! I checked disk space and there was plenty of room, but after digging a bit deeper it turns out that Exchange needs a percentage of free disk space and so the VHD had to be expanded. Once this was increased I finally had a working Exchange Server. Hope this helps out someone else as this drove me crazy for a few hours and the errors were not pointing me in the right direction.