Scanning with Nessus
  • [-- Intro --]
    Welcome to the Nessus scanning quick guide. In this guide I'll show you blackhats how to use Tenable Nessus to scan websites / IPs for vulnerabilities. For this guide I'll be using http://sugarmegs.org/

    [-- Installing Nessus --]
    For this tutorial I'll be using a Windows 7 machine, instead of my normal Linux, because the free version works a lot better on Windows. Now to the actual installing part. Step one, obtaining Nessus. To download Nessus, visit http://www.nessus.org/download/ and download it. Then install it like you'd install any other program.

    [-- Setting up --]
    Now to set up your Nessus server. Open the Nessus Server Manager that should be on your desktop (if it's not, look in C:\Program Files\Tenable\Nessus for it).
    Once you have that open, update your plugins. If "Allow remote users to connect to this Nessus server" is unchecked, check it. Now hit the "Manage users" button. Click the + symbol, fill in the Username and Password, and make it Administrator. Now just save that user, close that dialog box and start the Nessus server (this may take a couple of seconds).

    [-- Logging in --]
    Now to log into the Nessus interface. Just click on the Nessus Client on your desktop, or go to https://localhost:8834/ (this should be the default).
    Now log in with your new credentials for that new user you added. You should end up on that Nessus interface.

    [-- Adding a policy --]
    A policy will be used to scan the target with plugins used by Nessus. Click the policy tab and add a new one. Click the safe checks box to make sure your scan doesn't DoS or harm the target in any way, then click next. Fill in any optional info you may need in this window, such as credentials, and select next. The next box is for the plugins. I prefer to add all, but you can sift through them to choose any you want. Next, type a username and password for database settings, and click submit. Congrats, you've made a policy for scanning.

    [-- Scanning --]
    Now to actually scan the target for vulnerabilities. Go to your desktop and make a new text document, and add the IP of the site. The IP for SugarMegs is 69.38.143.62. Just add the IP and save the file. Now go to the scans tab and hit Add. Type any name in the Name field. I'm just gonna make it "Sugar". For Type, hit run now. Policy is gonna be your new policy you've made. Hit browse for the IP file and navigate to that text document, and hit upload. Now, just hit launch scan and let it run. I recommend going to the reports tab and double clicking your current scan to see how it's going.

    [-- Now what? --]

    Once you're done scanning, you can exploit it. Double click on the scan and hit "Download Report". In the dropdown box, you can select a few things. For an HTML detailed report, hit Detailed HTML report (By finding). If you want to add it to Metasploit to autopwn it, save it as .nessus




    Enjoy your scanning ;)
    -Chroniccommand
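
The .nessus export mentioned in the last step is an XML file, so findings can be sorted for remediation without the web interface. The following is an added example, not part of the original post: the element and attribute names follow the .nessus v2 export layout, while the sample report, addresses and plugin IDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the .nessus v2 layout (not output from a real scan).
SAMPLE = """<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="192.0.2.10">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100001" pluginName="Constructed info finding"/>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="100002" pluginName="Constructed medium finding"/>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
                  pluginID="100003" pluginName="Constructed high finding"/>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
                  pluginID="100003" pluginName="Constructed high finding"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="bogus"
                  pluginID="100004" pluginName="Constructed malformed item"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""

def triage(xml_text, min_severity=2):
    """Group findings at or above min_severity by plugin, with affected host:port."""
    # For report files from an untrusted source, parse with a hardened XML library.
    root = ET.fromstring(xml_text)
    by_plugin = defaultdict(lambda: {"name": "", "severity": 0, "targets": []})
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            try:
                sev = int(item.get("severity", "0"))  # 0 = info ... 4 = critical
            except ValueError:
                continue  # skip items whose severity cannot be parsed
            if sev < min_severity:
                continue
            entry = by_plugin[item.get("pluginID")]
            entry["name"] = item.get("pluginName", "")
            entry["severity"] = max(entry["severity"], sev)
            entry["targets"].append(
                f'{host.get("name")}:{item.get("port")}/{item.get("protocol")}')
    # Highest severity first, then the finding that affects the most targets.
    return sorted(by_plugin.items(),
                  key=lambda kv: (-kv[1]["severity"], -len(kv[1]["targets"])))

if __name__ == "__main__":
    for plugin_id, f in triage(SAMPLE):
        print(f'sev={f["severity"]} plugin={plugin_id} {f["name"]}: '
              f'{", ".join(f["targets"])}')
```
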
  • Xin
    Posts: 3,251
    Nice guide :) good to see you back chronic
    Xin
  • great guide bro Thanks :)
  • said:
    great guide bro Thanks :)

    Thanks for the feedback.
  • thank you for sharing.
  • do any of you agree that Metasploit and VAS pretty much exceed Nessus these days? maybe it's just me
  • Sh3llc0d3
    Posts: 1,910
    -Moved-
    Network Security -> Tutorials
  • undead
    Posts: 822
    Nice guide chroniccommand