Nessus Training Session 2 - Scanning and Reporting

Prepared by Ramsey Dow <ramsey@casaba.com> for NWACC

Contents

Configuring Ubuntu for Authenticated Scanning
Configuring Windows for Authenticated Scanning

Configuring Ubuntu for Authenticated Scanning

Install OpenSSH server

Nessus performs its authenticated checks over an SSH connection, so the target must be running sshd.

    sudo apt-get -y install openssh-server

Now let's update the SSH server's configuration. Specifically, we are going to disable remote root logins and enable authorized key files for public key login.

    sudo vim /etc/ssh/sshd_config

The following substitutions set PermitRootLogin to no (whatever its current value) and uncomment the line that begins with #AuthorizedKeysFile. Note that vim substitutions are case sensitive, so the patterns must match the directive names exactly as they appear in the file. If typing regular expressions is too painful for you, feel free to use the arrow keys to move to the specific lines and make the changes yourself.

    :%s/^PermitRootLogin .*/PermitRootLogin no/
    :%s/^#AuthorizedKeysFile/AuthorizedKeysFile/

Write the file back to disk and exit.

    :wq
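The same two sshd_config edits as an idempotent script, added here as a worked example (it is not part of the handout and not the author's code). It rewrites any PermitRootLogin line, commented or not, to PermitRootLogin no, uncomments AuthorizedKeysFile, makes sure PubkeyAuthentication is not switched off, appends the directives if the file never had them, and then checks the result. The sample at the bottom is a constructed file resembling Ubuntu's stock sshd_config; on a real host run harden_sshd_config against /etc/ssh/sshd_config as root and run sshd -t before restarting the service.

```bash
#!/usr/bin/env bash
# Added example, not from the handout: apply the handout's sshd_config edits with
# sed instead of by hand, then verify them. Works on a scratch copy too (see the
# self-test at the bottom).
set -eu

# Rewrite the given sshd_config in place so that remote root logins are off and
# public-key logins via AuthorizedKeysFile are on. Safe to run more than once.
harden_sshd_config() {
    cfg="$1"
    tmp="$(mktemp)"
    sed -E \
        -e 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
        -e 's/^[[:space:]]*#[[:space:]]*(AuthorizedKeysFile[[:space:]].*)/\1/' \
        -e 's/^[[:space:]]*#?[[:space:]]*PubkeyAuthentication[[:space:]].*/PubkeyAuthentication yes/' \
        "$cfg" > "$tmp"
    # Append the directives if the file never mentioned them at all.
    grep -Eq '^PermitRootLogin no$' "$tmp" || echo 'PermitRootLogin no' >> "$tmp"
    grep -Eq '^AuthorizedKeysFile[[:space:]]' "$tmp" || echo 'AuthorizedKeysFile .ssh/authorized_keys' >> "$tmp"
    cat "$tmp" > "$cfg"   # write through so the original owner and mode are kept
    rm -f "$tmp"
}

# Exit 0 only when the file has the settings the nessus account relies on:
# root login disabled, AuthorizedKeysFile active, public-key auth not disabled.
check_sshd_config() {
    cfg="$1"
    grep -Eq '^PermitRootLogin no$' "$cfg" &&
    grep -Eq '^AuthorizedKeysFile[[:space:]]' "$cfg" &&
    ! grep -Eiq '^PubkeyAuthentication[[:space:]]+no' "$cfg"
}

# Self-test on a constructed sample resembling Ubuntu's stock file (not a real host's config).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
StrictModes yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
UsePAM yes
EOF
harden_sshd_config "$sample"
if check_sshd_config "$sample"; then
    echo "OK:"
    grep -E '^(PermitRootLogin|AuthorizedKeysFile|PubkeyAuthentication)' "$sample"
else
    echo "sshd_config still not acceptable for Nessus" >&2
fi
rm -f "$sample"
```

check_sshd_config is the part worth keeping around: run it after any later change to sshd_config (or from a configuration-management check) so a re-enabled root login or a disabled PubkeyAuthentication is caught before the next scan silently falls back to password prompts.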
Restart the SSH server.

    sudo service ssh restart

Create Nessus user

    sudo adduser --shell /bin/bash --gecos Nessus --home /home/nessus nessus
    sudo usermod -a -G staff,sudo nessus
    sudo chmod 0750 /home/nessus
    sudo visudo

The home directory must not be group- or world-writable: sshd's StrictModes check (on by default) refuses to read authorized_keys out of a home directory with loose permissions, and public key logins would then quietly fall back to password prompts.

Add the following line to the User privilege specification section:

    nessus ALL=(ALL:ALL) ALL

Our nessus user needs the same level of privileges as the root user so that Nessus can escalate with sudo and run its checks as root. Save the file to disk and exit.

    :wq

Log out of your user account and log in as the nessus user. Create the .ssh directory.

    mkdir .ssh
    chmod 0700 .ssh

Create an SSH key pair for the nessus user.

    cd .ssh
    ssh-keygen -C 'Nessus auditing key' -t rsa -b 2048 -f nessus_rsa
Be sure to supply a strong passphrase to protect the private key from theft. Copy the public key to ~/.ssh/authorized_keys to permit logins over the network.

    cp nessus_rsa.pub authorized_keys
    chmod 0600 authorized_keys

You need to copy both keys, public and private, to your Nessus server. I show how to do this in the Scanning handout. You can log out of the nessus account now.

Testing ssh with your public key

You might wish to test out ssh using your new key pair. I tend to do this when setting up new servers to ensure that everything is working as expected. When failures occur I like to have already ruled out as many common cases as possible.

First, change your working directory to your .ssh directory:

    cd ~/.ssh

If you don't have a ~/.ssh directory then create it manually:

    mkdir ~/.ssh
    chmod 0700 ~/.ssh

Once you have changed your working directory to ~/.ssh you can download your keys from the remote Nessus server. Fetch the public key first, replacing NESSUS_SERVER with the address of the Nessus scan server and entering your password when prompted:

    scp nessus@NESSUS_SERVER:.ssh/nessus_rsa.pub .

Now fetch the private key. We'll use a shell trick to save some typing:
    ^.pub^

This history substitution takes the previous command, removes .pub from it, and executes the result. It is as if we had typed:

    scp nessus@NESSUS_SERVER:.ssh/nessus_rsa .

Now that you have downloaded your keys you can test them out.

    ssh -i ~/.ssh/nessus_rsa nessus@10.0.1.125 id

If public key authentication is working you will be prompted for the passphrase you set on the private key, not for the nessus account password. Being asked for the account password means the key was rejected; check that the nessus home directory is not group- or world-writable, that ~/.ssh is 0700 and authorized_keys is 0600, and look in /var/log/auth.log on the target for sshd's reason. Once the passphrase has been entered you should see the user and group names and numeric IDs associated with the nessus account, e.g.:

    uid=1001(nessus) gid=1001(nessus) groups=1001(nessus),27(sudo),50(staff)

Configuring Windows for Authenticated Scanning

Create Nessus user

These steps illustrate how to create a standalone local user for Nessus auditing. In a domain environment you will want to create a domain user instead. Instructions for this process are documented under Configuring a Domain Account for Authenticated Scanning in the Nessus Credential Checks for Unix and Windows guide.

- Click Start > Administrative Tools
- Double-click Computer Management
- Expand Local Users and Groups
- Select Users
- Right-click and select New User
- Enter Nessus as the User name
- Enter Nessus auditing account as the Description
- Enter a strong password
- Uncheck the User must change password at next logon checkbox
- Click the Create button

Now you need to add the Nessus user to the local Administrators group.
- Right-click on the Nessus user and select Properties
- Click on the Member Of tab
- Click the Add button
- Enter administrators in the text field and click the Check Names button
- Click the OK button

Verify System Configuration

The Classic sharing and security model is the default in Server 2012 R2, but it is important that it be configured appropriately, so we will check it as a matter of course. Run the Group Policy Object Editor.

- Type Windows-R to bring up the Run dialog
- Enter gpedit.msc and click the OK button
- Expand Windows Settings under Computer Configuration
- Expand Security Settings
- Expand Local Policies
- Select Security Options
- Verify that Network access: Sharing and security model for local accounts is set to Classic - local users authenticate as themselves

If this is set to Guest only instead, network logons with the Nessus account are mapped to the Guest account and the credentialed checks fail, so it must be Classic.

The next steps apply to Windows versions from Vista onward. First, we must enable File and Printer Sharing under Windows Firewall.

- Click Start > Control Panel
- Double-click on Windows Firewall
- Click on Allow an app or feature through Windows Firewall
- Check the File and Printer Sharing checkbox
- Click the OK button

Next we need to make some additional configuration changes using the Group Policy Object Editor.

- Type Windows-R to bring up the Run dialog
- Enter gpedit.msc and click the OK button
- Expand Administrative Templates under Computer Configuration
- Expand Network
- Expand Network Connections
- Expand Windows Firewall
- Select Standard Profile (for a domain-joined machine, make the same change under Domain Profile)
- Double-click on Windows Firewall: Allow inbound file and printer sharing exception
- Click on the Enabled radio button to enable this setting
- Click the OK button

Let's check one more setting while still in the Group Policy Object Editor.

- Select Administrative Templates > Network > Network Connections
- Verify that Prohibit use of Internet Connection Firewall on your DNS domain network is either Disabled or Not Configured

The Remote Registry service must be enabled. It is set to Automatic by default in Server 2012 R2. Authenticated scanning requires it to be set to either Automatic or Manual, not Disabled.

- Click Start > Administrative Tools
- Double-click Services
- Verify that Remote Registry is not set to Disabled
- If it is, set it to either Automatic or Manual

If it is set to Manual, Nessus can start the service just for the duration of the scan using plugin IDs 42897 (starts the Remote Registry service at the beginning of the scan) and 42898 (stops it again afterwards). For Server 2012 R2 we can leave the default setting as is.

Finally, we need to address UAC. You can disable it, but that is not recommended. Instead we need a way to manage it in the context of remote logins, and Microsoft provides a setting for exactly this.

- Type Windows-R to bring up the Run dialog
- Enter regedit and click the OK button
- Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Create a new REG_DWORD value named LocalAccountTokenFilterPolicy
- Set its value to decimal 1

With this value set to 1, a local administrator account that connects over the network receives its full administrative token instead of the filtered token UAC normally hands to remote logons; UAC itself stays in force for interactive sessions. Be aware that the same setting lets any local administrator credential be used for remote administration of the host, so keep the Nessus account's password strong and unique to this host. Refer to UAC and Remote logon http://blogs.msdn.com/b/vistacompatteam/archive/2006/09/22/766945.aspx for additional details.
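The Windows steps above, collected into one PowerShell script that applies the same settings from an elevated session on the target and reports the resulting state. This is an added example, not part of the handout and not Tenable's or the author's code. It assumes Windows Server 2012 R2 or later (so the NetSecurity cmdlets are available), that the script runs as an administrator, and that 10.0.1.10 stands in for your Nessus server's address; the account name Nessus matches the handout.

```powershell
# Added example (not from the handout): configure a Windows host for Nessus
# authenticated scanning. Run in an elevated PowerShell session on the target.
# Assumes Server 2012 R2 or later. $ScannerIP is a placeholder for your Nessus server.
param(
    [string]$User      = 'Nessus',
    [string]$ScannerIP = '10.0.1.10'
)
$ErrorActionPreference = 'Stop'

# 1. Local account in the Administrators group; no forced password change at next logon.
$secure = Read-Host -AsSecureString "Password for the $User account"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if (-not (Get-CimInstance Win32_UserAccount -Filter "LocalAccount=TRUE AND Name='$User'")) {
    net user $User $plain /add /comment:"Nessus auditing account" /logonpasswordchg:no | Out-Null
}
$plain = $null
net localgroup Administrators $User /add 2>$null | Out-Null   # harmless if already a member

# 2. Network access: Sharing and security model for local accounts must be Classic.
#    ForceGuest 0 = Classic, 1 = Guest only (network logons would be mapped to Guest).
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ((Get-ItemProperty $lsaPath).forceguest -ne 0) {
    Set-ItemProperty -Path $lsaPath -Name forceguest -Value 0
}

# 3. UAC remote restrictions: let the local admin account keep its full token over the network.
$sysPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $sysPath -Name LocalAccountTokenFilterPolicy `
    -Value 1 -PropertyType DWord -Force | Out-Null

# 4. Remote Registry must not be Disabled (Manual also works with plugins 42897/42898 enabled).
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

# 5. Inbound File and Printer Sharing through the firewall, limited to the scanner's address.
#    Drop the Set-NetFirewallRule line if other hosts legitimately need file sharing here.
$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
         Where-Object { $_.Direction -eq 'Inbound' }
$rules | Set-NetFirewallRule -RemoteAddress $ScannerIP
$rules | Enable-NetFirewallRule

# 6. Report the resulting state so it can be eyeballed before the first scan.
$members = net localgroup Administrators | ForEach-Object { $_.Trim() }
[pscustomobject]@{
    AdminMember   = $members -contains $User
    ForceGuest    = (Get-ItemProperty $lsaPath).forceguest
    TokenFilter   = (Get-ItemProperty $sysPath).LocalAccountTokenFilterPolicy
    RemoteRegSvc  = (Get-CimInstance Win32_Service -Filter "Name='RemoteRegistry'").StartMode
    FwRulesOn     = (Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
                     Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }).Count
} | Format-List
```

The expected report is AdminMember True, ForceGuest 0, TokenFilter 1, RemoteRegSvc Auto and a non-zero FwRulesOn. The firewall rules are scoped to the scanner's address on purpose: the handout's GUI steps open file and printer sharing to every source, which is more than the scan needs. Use net.exe rather than New-LocalUser because the LocalAccounts module does not exist on Server 2012 R2.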
Configure Scan Policy with Windows Credentials

Log in to your Nessus server using an administrator account and follow these steps to add Windows credentials to a scan policy.

- Click on the Policies button
- Click on the policy you wish to add credentials to
- Click on the Credentials tab; Windows credentials come up as the default view
- Enter the user name and password in the SMB account and SMB password fields, respectively
- Click the Update button

Scans run using this policy will now authenticate to the target over SMB and be able to execute commands directly on the remote server. The credentials are stored in the policy, so limit who can view and edit it.