The objective of this lab exercise was to improve my familiarity with vulnerability management. I chose Nessus for this lab because I already had some experience with it during my time at university and on TryHackMe, so I wanted to develop my Nessus skills further. The setup featured Nessus Essentials, VMware Workstation Player, and a Windows 10 ISO. I followed the Nessus tutorial made by Josh Madakor.
After setting up Nessus Essentials and the Windows 10 VM, I used the "Create a new scan" function in Nessus to begin looking for vulnerabilities in the VM. I selected the Basic Network Scan to start off.
I put "Windows 10 Host" as the name and entered the IP address of the target Windows 10 VM, which is found by running the ipconfig command at the command prompt inside the VM.
The scan can also be scheduled, configured to send notifications, run with credentials, set to assess web vulnerabilities, and more. This time I left everything at its defaults. After saving the scan, it was time to launch it. The scan took a few minutes to complete and found 31 "info" vulnerabilities and 2 "medium" vulnerabilities.
Looking at one of them, "SMB Signing not required", Nessus provides an explanation, a solution, and some links to further information about the vulnerability. Next, the same scan was run again, this time with the VM's credentials entered, to find vulnerabilities that the uncredentialed scan could not detect. The VM first has to be configured for credentialed scans.
First, the Remote Registry service is enabled in Services, which allows the scanner to connect to the registry and look for vulnerable or insecure configurations.
We then go to User Account Control settings and set it to "Never notify".
Lastly, we go to the Registry Editor to add a value that further disables User Account Control for remote connections. Within Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, we create a DWORD called "LocalAccountTokenFilterPolicy" and set its value to 1.
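The three manual steps above can also be done, checked and reverted from an elevated PowerShell session on the VM. The script below is an added example and is not part of the original write-up or Josh Madakor's tutorial; the function names are my own, and it assumes the UAC "Never notify" slider corresponds to ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 under the same Policies\System key. Because these settings loosen the host (UAC off, remote registry reachable, full admin tokens over the network), the revert function restores the Windows 10 defaults once the credentialed scan is finished.

```powershell
# Added example: registry/service equivalents of the credentialed-scan prerequisites,
# plus a read-back check and a revert. Run in an elevated PowerShell session on the VM.
# Assumption: "Never notify" == ConsentPromptBehaviorAdmin 0 and PromptOnSecureDesktop 0.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Enable-NessusCredentialedScanPrereqs {
    # 1. Remote Registry service: start it now and on boot so the scanner can read config keys
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry

    # 2. UAC "Never notify" (the slider writes these two values)
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop      -Value 0 -Type DWord

    # 3. Let local admin accounts keep a full (unfiltered) token over the network
    New-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy `
        -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-NessusCredentialedScanPrereqs {
    # Read everything back so the state is verified, not assumed
    $svc = Get-Service -Name RemoteRegistry
    $p   = Get-ItemProperty -Path $PolicyKey
    [PSCustomObject]@{
        RemoteRegistryRunning         = ($svc.Status -eq 'Running')
        UacNeverNotify                = ($p.ConsentPromptBehaviorAdmin -eq 0 -and $p.PromptOnSecureDesktop -eq 0)
        LocalAccountTokenFilterPolicy = ($p.LocalAccountTokenFilterPolicy -eq 1)
    }
}

function Undo-NessusCredentialedScanPrereqs {
    # Restore the Windows 10 client defaults after the scan
    Stop-Service -Name RemoteRegistry
    Set-Service  -Name RemoteRegistry -StartupType Disabled
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Remove-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
}

Enable-NessusCredentialedScanPrereqs
Test-NessusCredentialedScanPrereqs   # all three properties should report True
```

Run Undo-NessusCredentialedScanPrereqs when the lab is over; a scan target that stays in this state is exactly the kind of weak configuration the credentialed scan is meant to surface.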
The VM is now ready for a scan with credentials provided. I input the username and password of the VM into the configure section of the same scan, then ran it again.
The credentialed scan found more vulnerabilities, as it could inspect the file system, services, registry, etc.
The medium and higher vulnerabilities featured registry issues, software needing updates, Windows security settings, IP forwarding enabled despite the firewall, and SMB signing not required.
The fixes for them were simple and explained in the details of each vulnerability.
Before fixing these vulnerabilities, I downloaded an old version of Firefox to the VM to see what Nessus would find in a scan with it installed.
The scan this time found many more vulnerabilities: 82 critical, 85 high, and 17 medium.
In total, Nessus found a massive 171 vulnerabilities for this version of Firefox. The simple and obvious remedy is to either uninstall or upgrade it, so there are no difficult steps in the remediation stage. However, it was good to see just how dangerous it can be to leave outdated software on your systems.
In the remediation stage, I started by uninstalling Firefox via the Control Panel, then installed all pending Windows updates.
A further scan revealed far fewer serious vulnerabilities, but there was more to do, as some medium and above vulnerabilities were still detected. I therefore uninstalled Internet Explorer and disabled it in the Group Policy Editor, as it had a critical vulnerability. I then added and enabled the registry value EnableCertPaddingCheck, which prevents a remote code execution vulnerability involving the WinVerifyTrust function (CVE-2013-3900). I uninstalled VMware Tools and deleted curl, as the installed curl version was vulnerable to denial of service attacks. I disabled IP forwarding by setting the registry value "IPEnableRouter" to 0, which prevents the host from being used to bypass the firewall. Lastly, I enabled "Digitally sign communications (always)", which ensures SMB signing is required on the server.
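The three registry-level fixes from that paragraph (EnableCertPaddingCheck, IPEnableRouter, and required SMB signing) can be applied and verified with a script; the GUI steps (uninstalling Firefox, Internet Explorer, VMware Tools and curl, and installing Windows updates) are left as described above. This is an added example, not code from the original write-up or the tutorial. The function names are mine; the Wintrust\Config key paths and the REG_SZ "1" value for EnableCertPaddingCheck follow Microsoft's published guidance for CVE-2013-3900, and the Wow6432Node copy is only needed on 64-bit Windows.

```powershell
# Added example: scriptable remediations from the lab plus a read-back check.
# Run in an elevated PowerShell session on the Windows 10 VM.

$WintrustKeys = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit callers of WinVerifyTrust read the WOW64 view of the key
    $WintrustKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}
$TcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Invoke-LabRemediation {
    # CVE-2013-3900: make WinVerifyTrust reject Authenticode signatures whose
    # padding has been tampered with. Microsoft documents this as REG_SZ "1".
    foreach ($k in $WintrustKeys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        New-ItemProperty -Path $k -Name EnableCertPaddingCheck -Value '1' `
            -PropertyType String -Force | Out-Null
    }

    # Disable IP forwarding so the host cannot route traffic around the firewall
    # (takes effect after a reboot)
    Set-ItemProperty -Path $TcpipKey -Name IPEnableRouter -Value 0 -Type DWord

    # "Digitally sign communications (always)": require SMB signing on the server side
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

function Test-LabRemediation {
    # Cross-check: read the raw registry values rather than trusting the setters
    $paddingOk = foreach ($k in $WintrustKeys) {
        $v = (Get-ItemProperty -Path $k -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        $v -eq '1'
    }
    [PSCustomObject]@{
        CertPaddingCheckEnabled = (@($paddingOk) -notcontains $false)
        IpForwardingDisabled    = ((Get-ItemProperty -Path $TcpipKey).IPEnableRouter -eq 0)
        SmbSigningRequired      = ((Get-ItemProperty -Path $LanmanKey).RequireSecuritySignature -eq 1)
    }
}

Invoke-LabRemediation
Test-LabRemediation   # all three properties should report True
```

After a reboot, rerun the credentialed Nessus scan: the scanner's own plugin results, not the script's read-back, are the confirmation that the findings are closed.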
After all the changes, the final scan found no significant vulnerabilities.
This lab was very useful in giving me experience with Nessus for vulnerability management and with the remediation process for vulnerabilities, so thanks again to Josh Madakor for the tutorial. https://youtu.be/lT6Px9zJM3s?si=uqU9ak2nk3LsHvPq