#Task 3 Navigation and Scans
- What is the name of the button which is used to launch a scan?
new scan
- What side menu option allows us to create custom templates?
policies
- What menu allows us to change plugin properties such as hiding them or changing their severity?
plugin rules
- In the 'Scan Templates' section after clicking on 'New Scan', what scan allows us to see simply what hosts are alive?
host discovery
- One of the most useful scan types, which is considered to be 'suitable for any host'?
basic network scan
- What scan allows you to 'Authenticate to hosts and enumerate missing updates'?
Credentialed Patch Audit
- What scan is specifically used for scanning Web Applications?
web application tests
#Task 4 Scanning!
Run a Network Scan!
Use BASIC NETWORK SCAN
- Create a new 'Basic Network Scan' targeting the deployed VM. What option can we set under 'BASIC' (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.
answer: schedule
- Under 'DISCOVERY' (on the left) set the 'Scan Type' to cover ports 1-65535. What is this type called?
port scan (all ports)
- After the scan completes, which 'Vulnerability' in the 'Port scanners' family can we view the details of to see the open ports on this host?
Nessus SYN scanner
- What Apache HTTP Server Version is reported by Nessus?
hint: Apache/2.4.25 (Debian) <--wrong
right answer: 2.4.99
#Task 5 Scanning a Web Application!
Run a Web Application scan on the VM!
Use Web Applications Tests
- What is the plugin id of the plugin that determines the HTTP server type and version?
10107
- What authentication page is discovered by the scanner that transmits credentials in cleartext?
login.php
- What is the file extension of the config backup?
Backup Files Disclosure
Output
It is possible to read the following backup file :
- File : /config/config.inc.php.bak
URL : http://10.10.93.230/config/config.inc.php.bak
answer: .bak
- Which directory contains example documents? (This will be in a php directory)
/external/phpids/0.6/docs/examples/
- What vulnerability is this application susceptible to that is associated with X-Frame-Options?
Clickjacking
https://tryhackme.com/room/rpnessusredux
https://github.com/hackerrishad/TryHackMe-RP-Nessus-Write-Up
https://blog.raw.pm/en/TryHackMe-Nessus-write-up/
https://www.thedutchhacker.com/nessus-on-tyhackme/