In this lab, I prepared a system environment with flaws such as installing outdated softwares on an unpatched operating system. Then made concerted and continuous efforts to scan for vulnerabilities and performed remediation processes in order to lower susceptibility.
- Prepare Nessus Vulnerability Management Scanner
- Prepare Client Virtual Machine
- Perform Basic Scan against the Windows 10 VM
- Setup the VM To Accept Authenticated Scans and Install Outdated Softwares
- Perform Vulnerability Scan after providing credentials to Nessus
- Compare and Remediate Vulnerabilities
- Verify Remediations
- Nessus Essentials
- VMware Workstation Player
- MS Windows 10 ISO
- Download and install VMWare player.
- Download Window 10 ISO
- Download, install Nessus on local machine after registering and receiving activation code.
- Next on the installation welcome page that displays, Click connect via SSL, advanced, proceed to localhost.
- Then click next and select - Register for Nessus Essentials, then click continue.
- Then provide activation code from your email. Then create username and password. Next, Nessus download plugins to finish setup.
- Install and launch VMware Workstation Player on your local machine to setup Windows 10 virtual machine. Click Player → File → New Virtual Machine → Browse then select the ISO image → Next → Add the name → disk size → Next → Customize Hardware (set Memory,CPU, Network Adaptor:Bridge (so that both VM and local machine can communicate with each other)) → Finish.
- As VM launches, click next and complete the installation of Windows 10 Pro accordingly, including username and password.
-
This first basic scan is to confirm that all the setup is in order and you can get a scan result. First we locate its IP4 address by login into the VM: In the search field on the Start bar → type CMD → ipconfig.
-
Ping the VM from our local machine in this case; using
ping 10.0.0.187 -tto confirm if we can reach it. But it timeouts.
-
We would need to disable the internal firewall in the VM. Type wf.msc in the search bar on the VM to launch the Windows defender firewall console. To disable the firewall properties we turn off the firewall state for the Domain Profile, Private Profile and Public Profile. After this, notice that the IP pinging stops timing out showing that the VM is now reachable.
-
Next, perform a basic scan to confirm that the settings are in order: At Nesses Essentials web portal, click New Scan → Basic Network Scan → Add Name (You can name it any name), Targets (add the IP of the windows 10 VM) → Save. Click on the play button to launch the scan.
-
Further vulnerabilities are detected when credentials are used than the basic scan with no credentials. When the scan has finished we can click on it to display the scan results. Nessus uses colours to indicate the vulnerabilty severity level. Critical, High, Medium, Low and Info. We can also click on the Vulnerability tab next to the Host tab to see more details. We can click on each result listed, review the description and implement the suggested solution to remediate the vulnerability. Clicking the 'Target Credential Status...', from the description and output, we see that Nessus detected SMB on port 445 but no credentials were provided. SMB local checks were not enabled.
-
Next, we go to the VM and launch the Services pane by typing services in the search bar. Enable Remote Registry and turn it on (this will allow the scanner to connect to the VM registry and crawl to look for insecure configurations): Double click on it → Start Type: Automatic → Apply/Start → OK → Close services pane.
-
Ensure file and printer sharing are turned on the VM.
-
Change notification settings to 'Never notify' in the User Account Control Settings, to disable it on the VM.
-
Add a Key to the registry to further disable user account control for the remote account that will be used to connect to the computer. Go to HKEY_LOCAL_MACHINE → SOFTWARE → Microsoft → Windows → CurrentVersion → Policies → System → then create 'LocalAccountTokenFilterPolicy' and set the value to 1. Then Restart the VM.
- Install outdated softwares. Like, VLC player version 1.1.7, Firefox, Adobe reader version 10
-
Configure the last Basic scan parameters in preparation for authenticated scan. Click on Windows 10 Single Host (i.e the last scan) → Configure → Credentials → click Windows → Add Username and Password → Save.
-
Then run the scan again. We have enable credential scanning and configured the VM to accept remote scans. Nessus scans the common open ports, inspect the registry, inspect the services and file systems to discover vulnerabilities.
-
After Nessus has complete the scan, click on it to view the scan details. We see that from the latest scan the VM has 43 critical vulnerabilities, out of wich 42 marked as high, 9 vulerabilities marked as medium and 188 marked as info. From the foregoing we can see that credential scan allows more granular scan and enables more vulnerabilities to be discovered.
-
Click on the Vulnerabilities tab to see the list of findings. By clicking on each we see the details and suggested steps for remidiation. We can also click on the Remidiations tab and see the high level steps to take immediate to lower the vulnerabilities, like (patching) run Windows O/S updates till there are no updates, upgrading Firefox, Adobe and VLC player to the latest version or uninstalling the softwares if they are no more being used.
- Log back into your Win10-Vulnerable VM
Install the latest version of all softwares and restart the VM (or uninstall the outdated software Adobe Reader, VLC Player, and Firefox). Run Windows updated over and over again, untill there are no more updates. Restart the VM and verify remediations by runing another scan via Nessus. Check the scan details, apply remidiation steps. Take these steps till vulnerabilities report is low or at an acceptable level.
Vulnerability management is about continuously searching for vulnerabilities and taking remediations steps. In an organization or enterprise network, it is important to have third party/ operating systems patching setup, tested and deployed at regular intervals especially putting in place automated patching after taking the remidiation steps. Also, there will be the need to put in place standards and procedures while working with variuos departments, performing automated network and resources scans (using possibly a domain account) to continously identify and remidiate vulnerabilities, using a secured build standard updates (already remidiated) before they are applied especially to production environments.