1. OVAL (Open Vulnerability Assessment Language)
- The goal of the OVAL language is to have a three-step structure during the assessment process that consists of:
1) Identifying a system's configurations for testing
2) Evaluating the current system's state
3) Disclosing the information in a report.
- The OVAL definitions are recorded in an XML format
- The 4 main classes of OVAL definitions consist of:
1) OVAL vulnerability definitions
2) OVAL compliance definitions
3) OVAL inventory definitions
4) OVAL patch definitions
2. Common Vulnerabilities and Exposures (CVE)
- A publicly available international information security standard used to evaluate and detail a system's current state and issues.
1) Stages of obtaining a CVE
(1) Identify if CVE is required and relevant
- Identify if the issue found is a vulnerability. According to the CVE team, a vulnerability in the context of the CVE program is indicated by code that can be exploited, resulting in a negative impact to confidentiality, integrity, or availability.
- Research should verify there is not a CVE ID already in the CVE database.
(2) Reach out to affected product vendor
(3) Identify if request should be for vendor CNA or third party CNA
(4) Requesting CVE ID through CVE web form
- The CVE team has a form that can be filled out online if the methods above do not work for CVE requests.
(5) Confirmation of CVE form
(6) Receipt of CVE ID
- Please note that the CVE ID is not public yet at this stage
(7) Public disclosure of CVE ID
- This stage ensures that all associated parties are aware of the problem before it is publicly disclosed
(8) Announcing the CVE
(9) Providing information to the CVE team
- The CVE team asks that the researcher help provide additional information to be used in the official CVE listing on the website.
3. Nessus
1) Downloading Nessus
https://www.tenable.com/downloads/nessus?loginAttempted=true
2) Requesting free license
- Visit the activation code page to request a Nessus Activation Code, which is necessary to get the free version of Nessus
https://www.tenable.com/products/nessus/activation-code
3) Installing package
yeon0815@htb[/htb]$ dpkg -i Nessus-8.15.1-ubuntu910_amd64.deb
Selecting previously unselected package nessus.
(Reading database ... 132030 files and directories currently installed.)
Preparing to unpack Nessus-8.15.1-ubuntu910_amd64.deb ...
Unpacking nessus (8.15.1) ...
Setting up nessus (8.15.1) ...
Unpacking Nessus Scanner Core Components...
Created symlink /etc/systemd/system/nessusd.service → /lib/systemd/system/nessusd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/nessusd.service → /lib/systemd/system/nessusd.service.
4) Starting Nessus
yeon0815@htb[/htb]$ sudo systemctl start nessusd.service
5) Accessing Nessus
- To access Nessus, we can navigate to https://localhost:8834
6) Exporting Nessus Scans
yeon0815@htb[/htb]$ ./nessus_downloader.rb
7) Scanning Issues
- Some firewalls will cause us to receive scan results showing either all ports open or no ports open. If this happens, a quick fix is often to configure an Advanced Scan and disable the Ping the remote host option. This will stop the scan from using ICMP to verify that the host is live. Some firewalls may return an "ICMP Unreachable" message that Nessus will interpret as a live host and provide many false-positive informational findings.
- We can also avoid scanning legacy systems and choose the option not to scan printers.
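The "all ports open / no ports open" symptom above is easy to spot in an exported scan. The following is an added example (not part of the original notes or a Tenable tool): it parses a constructed .nessus v2 export with Python's standard library and flags hosts whose open-port count looks like a firewall artefact; the 500-port threshold is an assumed heuristic.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed .nessus v2 export (not a real scan): host .5 looks normal, host .9
# reports every probed port as open (the firewall artefact), host .7 has only a
# host-level (port 0) finding and no open ports.
_ITEM = '<ReportItem port="{p}" protocol="tcp" severity="{s}" pluginName="{n}"/>'
SAMPLE_NESSUS = (
    '<NessusClientData_v2><Report name="lab">'
    '<ReportHost name="10.0.0.5">'
    + _ITEM.format(p=22, s=2, n="SSH Protocol Versions Supported")
    + _ITEM.format(p=80, s=0, n="Service Detection")
    + '</ReportHost><ReportHost name="10.0.0.9">'
    + "".join(_ITEM.format(p=p, s=0, n="Nessus SYN scanner") for p in range(1, 1001))
    + '</ReportHost><ReportHost name="10.0.0.7">'
    + _ITEM.format(p=0, s=0, n="Ping the remote host")
    + "</ReportHost></Report></NessusClientData_v2>"
)

def parse_nessus(xml_text):
    """Map each ReportHost to its severity counts (0=info .. 4=critical)
    and the set of (protocol, port) pairs Nessus reported as open."""
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        sev, ports = Counter(), set()
        for item in rh.findall("ReportItem"):
            sev[int(item.get("severity", "0"))] += 1
            port = int(item.get("port", "0"))
            if port:  # port 0 marks a host-level finding, not an open port
                ports.add((item.get("protocol", "tcp"), port))
        hosts[rh.get("name")] = {"severity": sev, "open_ports": ports}
    return hosts

def suspicious_hosts(hosts, many_ports=500):
    """Flag hosts matching the firewall symptom: no open ports at all, or an
    implausibly large number (assumed threshold; tune to the scanned port range)."""
    flagged = {}
    for name, info in hosts.items():
        n = len(info["open_ports"])
        if n == 0:
            flagged[name] = "no open ports: host filtered or host discovery failed"
        elif n >= many_ports:
            flagged[name] = f"{n} open ports: firewall likely answering for every port"
    return flagged

if __name__ == "__main__":
    for name, reason in suspicious_hosts(parse_nessus(SAMPLE_NESSUS)).items():
        print("CHECK", name, "-", reason)
```

Hosts flagged this way are candidates for a re-scan with "Ping the remote host" disabled, as the note above suggests.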
8) Network Impact
- It is essential to keep in mind the potential impact of vulnerability scanning on a network. The bandwidth a scan consumes can be measured using vnstat.
yeon0815@htb[/htb]$ sudo apt install vnstat
yeon0815@htb[/htb]$ sudo vnstat -l -i eth0