Building a Home Lab for Vulnerability Management with Nessus Essentials

Description

Vulnerability management is a continuous and systematic practice that involves identifying, evaluating, reporting, and addressing cybersecurity vulnerabilities present in endpoints, workloads, and systems. MITRE, a renowned organization in the cybersecurity domain, provides invaluable frameworks such as the Common Vulnerabilities and Exposures (CVE) and the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, which are instrumental in understanding and mitigating vulnerabilities and threats.

The main focus of this project was to acquire practical skills in using Tenable Nessus Essentials and to become proficient in vulnerability scanning and applying remediation techniques. Throughout the project, I emphasized two critical stages of the "Vulnerability Management Lifecycle". To accomplish this, I employed Nessus Essentials to conduct vulnerability scans on local VMs hosted on VMware Workstation Pro. The process included running credentialed scans to identify vulnerabilities, taking necessary actions to resolve some of the discovered issues, and conducting a follow-up rescan to validate the successful remediation efforts.

Helpful Links:

• VMWare Workstation Pro: https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html

• Windows 10: https://www.microsoft.com/en-us/software-download/windows10

• Nessus Essentials: https://www.tenable.com/products/nessus/nessus-essentials

I am going to start by setting up the virtual machine (VM). To do this, I downloaded and installed VMWare Workstation Pro.

Upon launching VMWare Workstation Pro, I proceeded by selecting "Create a New Virtual Machine" and then chose the previously downloaded Windows ISO file. I configured the remaining settings according to my preferences and concluded the setup by clicking on "Finish."

Subsequently, I successfully concluded the installation of Windows 10 on the virtual machine (VM).

I decided to ping the VM from my native computer to check if there was proper communication with it. The reason behind this was to ensure that if I couldn't ping the VM, it would also affect Nessus' ability to run its scans. Regrettably, the pings timed out, indicating that there was no current connection established between my native PC and the VM.

The lack of connection on my PC is attributed to the active firewall on the VM, which is currently blocking all connection attempts.

To continue with the lab, I disabled the firewalls by opening "Windows Firewall with Advanced Security" and clicking on "Windows Defender Firewall Properties." Then, I turned "off" the "Firewall State" for Domain, Private, and Public profiles. After making these changes, I retried the ping, and this time it was successful.

Since the VM was set up, I proceeded to install Nessus. After signing up earlier, I received a download link and activation code for Nessus Essentials. I downloaded the installation file and then initiated the setup. It took approximately an hour to complete the installation and compilation of the plugins.

In Nessus Essentials, I start by creating a new scan, opting for a "basic network scan". I name it "Windows 10 Single Host" and input the virtual machine's IP address as the target. Although am doing a manual scan, it's possible to do schedule regular scans, which would be more apt to organizations. Customization options include scanning common or all ports, with the latter taking more time.

There's a range of settings to explore. The credentials page allows me to enter the virtual machine's username and password. By providing these credentials, Nessus can perform a more comprehensive scan, examining the registry, file system, and other aspects to discover potential vulnerabilities arising from "deprecated software or insecure services".

Upon completing the Nessus scan, approximately 17 vulnerabilities were detected on the virtual machine. Notably, critical vulnerabilities like CVE-2023-35365, CVE-2023-35366, and CVE-2023-35367 were identified, posing severe risks such as remote code execution in Windows RRAS and privilege elevation in Windows Win32k, according to MITRE's CVE database.

The severity levels of these vulnerabilities were indicated by different colors in the scan results: blue for information, green for low, yellow for medium, orange for high, and red for critical. This color-coded system facilitated the swift identification of vulnerability severity, aiding in prioritizing and addressing the most critical issues promptly.

The approach varies by organization. Many prioritize "critical and high-level issues", sometimes overlooking medium or low-severity concerns due to the overwhelming volume of urgent matters. This can result in reduced focus on less critical vulnerabilities. Additionally, as "no credentials" were used for the scan, some vulnerabilities within the VM might not be detected.

Next, I'm going to set up the virtual machine to accept "authenticated scans." After that, I'll configure the VM for credentialed scans and provide "necessary credentials to Nessus". Once everything is set up, I'll attempt to rescan the virtual machine with credentials and compare the results with the previous scans I have examined. This process will allow me to gain a deeper understanding of the "security posture of the system and identify potential vulnerabilities" that were not visible in the previous scans.

On the VM, I will go to "services.msc" to start this process and enable Remote Registry. Enabling Remote Registry will allow Nessus to connect to the VM's registry and perform a proper scan for vulnerabilities, including identifying insecure connections or deprecated cipher suites.

After completing the steps for enabling Remote Registry and scanning for insecure configurations, the next action is to disable User Account Control (UAC). However, I strongly advise against disabling UAC, as it could compromise the system's security. Instead, consider using the "Run as administrator" option when required for tasks that need elevated privileges.

Next, I will open the registry and add a key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\LocalAccountTokenFilterPolicy) that will allow the remote account to establish a connection. After that, I'll connect to the registry and add another key to further disable User Account Control (UAC) for the remote account. This adjustment will facilitate the connection during our scan process.

Next, I will proceed to "Enable file and printer sharing". Enabling file and printer sharing on Windows is advantageous for Nessus assessments. This capability empowers Nessus to access shared files, amplifying scan precision and breadth through the analysis of configurations and logs.

After implementing these modifications to the VM, I proceeded to commence an additional scan using Nessus. Additionally, I provided the VM's "username and password" as credentials. This inclusion allows Nessus to access essential information stored within the VM's registry, leading to a thorough and precise scan.

This latest scan has revealed approximately "4 Critical vulnerabilities," . This increase is attributed to the Nessus's ability to delve deeper into the VM, made possible by the utilization of credentials.

Let's take a quick look at a selection of these vulnerabilities.

Severity : Critical - KB5028166: Windows 10 Version 20H2 / Windows 10 Version 21H2... Security Update: The system is exposed to remote code execution vulnerabilities (CVE-2023-35365, CVE-2023-35366, CVE-2023-35367) in Windows RRAS, information disclosure (CVE-2023-21526) in Windows Netlogon, and privilege elevation (CVE-2023-21756) in Windows Win32k.

Severity : High - Microsoft Windows HEIF Image Extensions RCE (March 2022): The Windows HEIF Image Extension app on the remote host is vulnerable to remote code execution. An attacker exploiting this vulnerability could execute arbitrary code. To exploit the vulnerability, a program must process a specially crafted file.

Severity : Medium - Microsoft Paint 3D Multiple Vulnerabilities (June 2021): The Windows 'Paint 3D' app installed on the remote host is affected by multiple remote code execution vulnerabilities. An attacker can exploit these to bypass authentication and execute unauthorized arbitrary commands.

Severity : Medium - Windows Snip & Sketch/ Snipping Tool CVE-2023-28303: An information disclosure vulnerability exists in Windows Snip & Sketch (Windows 10) and Snipping Tool (Windows 11) where parts of a cropped image that were to be removed are not completely deleted and can be restored if saved to the cropped image file.

Severity : Info - Microsoft Windows SMB Service Detection: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Before addressing these vulnerabilities, I'll purposely install three outdated software versions: an older Firefox, VLC player, and Adobe Reader. This intentional installation will create vulnerabilities, illustrating the risks of outdated software.

Upon re-running Nessus, the latest scan report reveals a "notable" surge in "Critical" vulnerabilities. This spike is largely a result of the deliberately installed outdated software. In the report's "Remediations" section, Nessus underscores this concern and provides guidance to address the vulnerabilities by upgrading the outdated software versions.

I will initiate the remediation process by "uninstalling outdated software and ensuring that Windows 10 is updated to the latest version". This proactive approach aims to address as many vulnerabilities as possible and enhance the overall security posture.

Upon addressing the vulnerability issues, I conducted another scan, and I'm pleased to report that all "CRITICAL, HIGH, and MEDIUM" vulnerabilities have been successfully mitigated. This outcome validates the effectiveness of the measures I implemented to tackle the vulnerabilities.

Here's a final comparison among the four scans conducted during this lab. Notably, many of the previously alerted vulnerabilities have now been resolved, showcasing the significant improvement achieved through the process.

In the course of this project, I have gained valuable insights into the vulnerability management and its pivotal role in maintaining robust cybersecurity. The project revolved around configuring and utilizing Nessus for vulnerability assessments, shedding light on crucial aspects of this process.

1. Vulnerability Basics: I learned how to scan, identify, and remediate vulnerabilities effectively.

2. Outdated Software Impact: Outdated software significantly contributes to vulnerabilities, stressing the need for timely updates.

3. Scanning and Remediation: Scanning and remediating emerged as core steps in vulnerability management.

4. Automation Efficiency: Automation streamlines tasks like updating third-party apps and Windows.

5. Collaboration and Policies: Collaboration across departments and established standards are essential in larger organizations.

6. Secure Build Standard: Building security before production minimizes vulnerability risks.

7. Mitigating Real Risks: The project underscored the importance of promptly addressing vulnerabilities to mitigate real risks.

8. Real-world Significance: Vulnerability management's practical implications protect systems and data.

In conclusion, this project has not only served as a valuable learning experience but has also deepened my understanding of vulnerability management and its complexities, while also highlighting effective risk mitigation strategies. The hands-on approach provided practical insights that will undoubtedly prove invaluable in future cybersecurity endeavors.

Moreover, this project underscores the significance of utilizing resources such as MITRE's CVE database and the MITRE ATT&CK framework in vulnerability management practices. By integrating insights from MITRE , organizations can significantly enhance their ability to identify, prioritize, and address vulnerabilities effectively. This proactive approach ultimately serves to safeguard systems and data from emerging threats in the constantly evolving cybersecurity landscape.

Thank you for taking the time to read this article. Your feedback and suggestions are greatly appreciated!

#Cybersecurity #VulnerabilityManagement #Nessus #MITRE #Microsoft