Information
Room
- Name: Nessus
- Profile: tryhackme.com
- Difficulty: Easy
- Description: Learn how to set up and use Nessus, a popular vulnerability scanner.
Write-up
Overview
Install tools used in this WU on BlackArch Linux:
Navigation and Scans
What is the name of the button which is used to launch a scan?
Answer: new scan
The blue button on the top right corner.
What side menu option allows us to create custom templates?
Answer: policies
The first item in the resources section.
What menu allows us to change plugin properties such as hiding them or changing their severity?
Answer: plugin rules
The second item in the resources section.
In the 'Scan Templates' section after clicking on 'New Scan', what scan allows us to see simply what hosts are alive?
Answer: host discovery
Explicit name.
One of the most useful scan types, which is considered to be 'suitable for any host'?
Answer: basic network scan
Not really the most useful; I'm using the advanced one every time.
What scan allows you to 'Authenticate to hosts and enumerate missing updates'?
Answer: credentialed patch audit
Explicit name.
What scan is specifically used for scanning Web Applications?
Answer: web application tests
Explicit name.
Scanning!
Create a new 'Basic Network Scan' targeting the deployed VM. What option can we set under 'BASIC' (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.
Answer: schedule
Just do as told.
Under 'DISCOVERY' (on the left) set the 'Scan Type' to cover ports 1-65535. What is this type called?
Answer: port scan (all ports)
Just do as told.
What 'Scan Type' can we change to under 'ADVANCED' for lower bandwidth connection?
Answer: scan low bandwidth links
Just do as told.
After the scan completes, which 'Vulnerability' in the 'Port scanners' family can we view the details of to see the open ports on this host?
Answer: Nessus SYN scanner
Same type of scan we always do with nmap.
What Apache HTTP Server Version is reported by Nessus?
Answer: 2.4.99
Check the Apache HTTP Server Version module.
Scanning a Web Application!
What is the plugin id of the plugin that determines the HTTP server type and version?
Answer: 10107
id of the HTTP Server Type and Version plugin.
What authentication page is discovered by the scanner that transmits credentials in cleartext?
Answer: /login.php
Check the Web Server Transmits Cleartext Credentials plugin.
What is the file extension of the config backup?
Answer: .bak
Check the Backup Files Disclosure plugin.
Which directory contains example documents? (This will be in a php directory)
Answer: /external/phpids/0.6/docs/examples/
Check the Browsable Web Directories plugin.
What vulnerability is this application susceptible to that is associated with X-Frame-Options?
Answer: Clickjacking
Check the Web Application Potentially Vulnerable to Clickjacking module.
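The open-ports question ('Port scanners' family) and the server-version question (plugin 10107) can also be answered from an exported scan instead of the web UI. The Python below is an added example, not part of the original write-up; it assumes the scan was exported in the .nessus (NessusClientData_v2) XML format, and the sample host, ports and banner are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the .nessus (NessusClientData_v2) export layout;
# the host, ports and plugin output are made up for illustration.
SAMPLE = """<NessusClientData_v2><Report name="constructed-scan">
<ReportHost name="192.0.2.10">
 <ReportItem port="22" protocol="tcp" severity="0" pluginID="11219"
   pluginName="Nessus SYN scanner" pluginFamily="Port scanners"/>
 <ReportItem port="80" protocol="tcp" severity="0" pluginID="11219"
   pluginName="Nessus SYN scanner" pluginFamily="Port scanners"/>
 <ReportItem port="80" protocol="tcp" severity="0" pluginID="10107"
   pluginName="HTTP Server Type and Version" pluginFamily="Web Servers">
  <plugin_output>The remote web server type is :

ExampleServer/1.0</plugin_output></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""


def open_ports(root):
    """Ports reported by any plugin in the 'Port scanners' family, per host."""
    ports = defaultdict(set)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            # port 0 is used for host-level items, not a listening service
            if item.get("pluginFamily") == "Port scanners" and item.get("port") != "0":
                ports[host.get("name")].add((int(item.get("port")), item.get("protocol")))
    return {h: sorted(p) for h, p in ports.items()}


def plugin_output(root, plugin_id):
    """Last non-empty line of one plugin's output per host (e.g. the banner)."""
    out = {}
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            text = (item.findtext("plugin_output") or "").strip()
            if item.get("pluginID") == str(plugin_id) and text:
                out[host.get("name")] = text.splitlines()[-1].strip()
    return out


if __name__ == "__main__":
    # For a real export: root = ET.parse("scan.nessus").getroot()
    # (only parse exports from your own scanner with the stdlib parser).
    root = ET.fromstring(SAMPLE)
    print(open_ports(root))
    print(plugin_output(root, 10107))
```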