Vulnerability scanning is the process of detecting weaknesses in running services. Once you know the details of the target web server, such as the IP address, open ports, running services, and versions of these services, you can then check these services for vulnerabilities. This is the last step to be performed before exploiting the web server. Vulnerability scanning is most commonly completed by using automated tools loaded with a collection of exploit and fuzzing signatures, or plug-ins. These plug-ins probe the target computer's services to see how they will react to a possible attack. If a service reacts in a certain way, the vulnerability scanner is triggered and knows not only that the service is vulnerable, but also the exact exploit that makes it vulnerable.
This is very similar to how antivirus works on your home computer. When a program tries to execute on your computer, the antivirus product checks its collection of known malicious signatures and determines whether the program is a virus or not. Vulnerability scanners and antivirus products are only as good as the signatures they check against. If the plug-ins of your vulnerability scanner are out of date, the results will not be 100% accurate. If the plug-ins flag something as a false positive, the results will not be 100% legitimate. If the plug-ins miss an actual vulnerability, the results will not be 100% legitimate. I'm sure you get the drift by now! It's critical that you understand vulnerability scanning's place in the total landscape of hacking. Very advanced hackers don't rely on a vulnerability scanner to find exploitable vulnerabilities; instead they perform manual analysis to find vulnerabilities in software packages and then write their own exploit code. This is outside the scope of this book, but in order to climb the mountain of elite hacking, you will need to become comfortable with fuzzing, debugging, reverse engineering, custom shell code, and manual exploitation. These topics will be discussed in more detail in the final chapter of this book to give you guidance moving forward.
We will be using Nessus, one of the most popular vulnerability scanners available, to
complete the vulnerability scanning step. However, hackers who use vulnerability
scanners will always be a step behind the cutting edge of security because you have to
wait for scanner vendors to write a plug-in that will detect any new vulnerability before it
gets patched. It is very common to read about a new exploit and mere hours later have a
Nessus plug-in deployed to check for this new vulnerability. Better yet, oftentimes you
will read about the new vulnerability and the corresponding Nessus plug-in in the same
story! When you use the free Home Feed edition of Nessus, your plug-ins will be delayed
7 days, so your results will be slightly different compared to the pay-for Professional Feed
edition of the scanner for the most recent vulnerabilities.
The process to install Nessus is very straightforward and once it’s configured it will run as
a persistent service in Backtrack. You can download the installer for the free home
version of Nessus at http://www.nessus.org. The ProfessionalFeed version of Nessus is
approximately $1,500 per year, but you can use the HomeFeed version to assess your own
personal servers. If you are going to perform vulnerability scanning as part of your job or
anywhere outside your personal network, you need to purchase the ProfessionalFeed.
You must pick your activation code based on the operating system that the Nessus
service will be running on. For this book, you are using a 32-bit virtual machine of
BackTrack 5 that is based on Ubuntu (version 10.04 at the time of this writing). Once
you’ve selected the correct operating system version, your activation code will be emailed
to you. Keep this email in a safe place, as you will need the activation code in the
upcoming Nessus configuration steps. A quick rundown of the installation process for
Nessus is described in the following steps.
1. Save the Nessus installer (.deb file for BackTrack) in the root directory
2. Open a terminal, run the ls command, and note that the .deb file is in the root directory
3. Run the dpkg -i Nessus-5.0.3-ubuntu910_i386.deb command to install Nessus
Once you have installed Nessus, you must start the service before using the tool. You will
only have to issue the /etc/init.d/nessusd start command in a terminal once and then
Nessus will run as a persistent service on your system. Once the service is running, the
following steps introduce how to configure Nessus.
1. In a browser, go to https://127.0.0.1:8834/ to start the Nessus configuration
2. When prompted, create a Nessus administrator user. For this book, we will create
the root user with a password of toor.
3. Enter the activation code for the HomeFeed from your email.
4. Log in as the root user after the configuration completes.
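As an added example (not code from the book), the following bash script carries out the install and start-up steps above on the BackTrack VM and adds an architecture check before dpkg runs; it assumes the installer was saved in /root (overridable via NESSUS_DIR) and is named in the Nessus-<version>-ubuntu910_<arch>.deb form used in step 3.

```shell
#!/bin/bash
# Added example, not from the book: scripts the install and start-up steps
# above. Assumes the .deb was saved in /root (NESSUS_DIR) with the name
# pattern Nessus-<version>-ubuntu910_<arch>.deb used in step 3.
set -eu

NESSUS_DIR="${NESSUS_DIR:-/root}"
NESSUS_URL="https://127.0.0.1:8834/"

# Print the path of the single Nessus .deb in directory $1 (step 2's ls check).
find_nessus_deb() {
    dir="$1"
    set -- "$dir"/Nessus-*.deb
    [ -e "$1" ] || { echo "no Nessus .deb found in $dir" >&2; return 1; }
    [ $# -eq 1 ] || { echo "more than one Nessus .deb in $dir" >&2; return 1; }
    printf '%s\n' "$1"
}

# Architecture encoded in the filename: Nessus-5.0.3-ubuntu910_i386.deb -> i386
deb_arch() {
    name="${1##*/}"        # drop directory
    name="${name%.deb}"    # drop extension
    printf '%s\n' "${name##*_}"
}

# dpkg refuses a package built for another architecture (e.g. an amd64 .deb on
# the 32-bit BackTrack VM); fail early with a clear message instead.
check_arch() {
    [ "$1" = "$2" ] || { echo "package is $1 but this system is $2" >&2; return 1; }
}

# True when something accepts TCP connections on host $1 port $2.
port_open() {
    bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

install_nessus() {
    deb=$(find_nessus_deb "$NESSUS_DIR")
    check_arch "$(deb_arch "$deb")" "$(dpkg --print-architecture)"
    dpkg -i "$deb"                     # step 3
    /etc/init.d/nessusd start          # start the persistent service
    i=0                                # wait up to 60 s for the web UI
    until port_open 127.0.0.1 8834; do
        i=$((i + 1)); [ "$i" -lt 60 ] || { echo "nessusd did not come up" >&2; return 1; }
        sleep 1
    done
    echo "Nessus is up: open $NESSUS_URL, create the admin user, enter the activation code"
}

if [ "${1:-}" = "install" ]; then install_nessus; fi
```

Run it as `bash install-nessus.sh install` on the VM; without the argument it only defines the functions.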
Once you’ve logged into Nessus, the first task is to specify what plug-ins will be used in
the scan. We will be performing a safe scan on our localhost, which includes all selected
plug-ins but will not attempt actual exploitation. This is a great approach for a proof-of-concept
scan and ensures that we will have fewer network outages due to active
exploitation. Follow these steps to set up the scan policy and the actual scan in Nessus.
1. Click the Scans menu item to open the scans menu.
2. Click New Scan to define a new scan, enter localhost check for the name of the
scan, select Internal Network Scan for the Scan Policy, and enter 127.0.0.1 as the
scan target as shown.
3. Click the Create Scan button in the lower left of the screen to fire the scan at the