Terrascan
Need to tick a box to download it.
Scans infrastructure as code (IaC) for misconfigurations
Can be used to scan a Git repo URL, for example.
- Log level: set the verbosity
- IaC type: select ARM, CFT, Docker, k8s etc
- Remote type: git, s3, gcs, http, terraform-registry
Attack surface discovery
- A and AAAA
- MX
- NS
- PTR
- CNAME
- SOA etc
- Click more > create scan
- Select a basic or advanced network scan
- The targets field automatically populates
- Now we can run the normal Nessus scan on the targets we discovered
Web application scanning
- Traditional scans will suggest patches/software upgrades to fix the problem.
- WAS will show you leaks but further investigation will be needed from there. You will need to work with the customer/developer
- Identify web server
- Known web app (wordpress, joomla etc)
- Vulnerabilities on the known web apps
- Spider through website to understand the layout
- identify forms (CGI etc)
- Pass parameters at forms
- Identify vulnerabilities in the web app forms etc
- Connect to website
- Connect to login form
- Login
- Perform tests
- Looking for SQL injection / XSS / Session mgmt
- Like a traditional scan we get more info from a credentialed scan
- WAS could have bad effects
- Run on test/staging site (avoid live environment)
- Scans can DDoS/overload web servers/apps (rate limit the scan, run OOH)
- Run with read only user
- Backup before starting scan
- Scan a mirror of the site (test site etc)
- Maintenance window for scan
- Light scan first followed by scan tuning
- Get website sub domains
- run config scan
- run overview scan (get creds)
- develop scan policy
- follow up scans (code can change over time)
- Keep WAS up to date
- You need to have Docker installed on your Nessus server
- Tick enable WAS
- It will download the image
- Risk assessment
- Compliance requirements (credit card data requires PCI DSS, others may require CIS etc)
- Data sensitivity
- Technology stack
- Specific vulnerabilities
- Checks HTTP headers available
- XSS checks
- HTTPS enforced?
- quick to run, good first step
- Look for proper implementation of SSL/TLS on your web server
- Measured against industry standards
- Runs quickly too, good for regular checks
- Discovery scan
- Spider and inventory all web pages / files / folders / sub domains
- Results stored in sitemap.csv
- The bigger the site, the longer the scan takes
- Similar to config audit scan
- Checks common security standards
- Checks HTTP/SSL/TLS/DNS configs
- Includes config audit, overview and SSL/TLS scans
- Takes a long time depending on site size
- Plugin family options for all web app plugins
- The most detailed scan
Scans for special cases
- New scan > web app tab
- choose "overview"
- provide URL
- scan name
- target URL
- New scan > web app tab
- choose "Web app config audit"
- scan name
- target URL
- New scan > web app tab
- choose "SSL_TLS"
- scan name
- target URL
- New scan > web app tab
- choose "Scan"
- scan name
- target URL
credentialed web app scan
- Credentialed scans are important as they look deeper, at all the user pages/forms etc
- Identify
- can break sites so best to run on a copy of the live site
- Basic/NTLM auth (type username and password). NTLM stronger than basic.
- Nessus supports cookie based auth
- Use web browser to login
- Copy cookie
- Name + Content
- chrome://settings/siteData
- Check limitations (https, NoScript, expiration etc)
- Form based auth (manual and selenium scripting)
- login URL and form parameters
- you can use selenium script
- plugin 98033 detects a form
- You will give details there
- login page
- creds (username and password), field name; field value
- pattern for success (regex)
- Page to verify active
- pattern to verify active (regex)
- All patterns are regex
- Selenium is used for scripting browser automation
- Selenium IDE browser extension (record, edit and play back)
Selenium scripting
- Chrome extension makes it easier
- create a new test project (give it a name)
- enter the URL and click start recording
- log in and do your actions
- open the tool again and stop recording in the top right
- give the script a name
- save it for use later
Using the script in a credentialed scan
- New scan > web app tab
- choose "scan"
- enter scan name
- enter URL
- credentials tab
- select web authentication
- Select authentication method: Selenium Authentication
- You can upload your script file here
- Enter the page to verify auth worked
- Enter pattern to verify active session: Sign off (text or regex); the text method is case-insensitive
- save scan and launch
- On our results
- filter for selenium in the info we should see it succeeded
- Give screenshots and other details of login.
- This page is good if auth fails to figure out what is wrong
credentialed scan without a script (policy config)
- New scan > web app tab
- Choose "Scan"
- Give the scan a name
- Enter the URL
- Click credentials and click
- Choose authentication method "login form"
- Login page url: (the page where the username and password is entered)
- You can give login parameters in a .json file
- simple example: {"uid": "admin", "passw": "admin"}
- Pattern to verify successful auth "Sign off"
- url for active session
- Pattern to verify active session "Sign off"
- Save and run scan
- check vulnerabilities
- filter for authentication
- The info "Login form authentication succeeded"
- You will see details here
- Filter for "failed" to see details of why the login failed
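As an added illustration (not Nessus code or the course's own material), the following Python models the login-form checks described in the two credentialed-scan procedures above: loading the login-parameter JSON, checking that it covers the field names on the login form, and testing the "verify active session" pattern in text mode (case-insensitive, as the notes say) and regex mode. That regex mode is case-sensitive unless the pattern starts with `(?i)` is an assumption of this model, not documented Nessus behaviour; the HTML pages and JSON file are constructed samples.

```python
import json
import re

# Constructed sample login-parameter file (form field name -> value), as in the notes
LOGIN_PARAMS_JSON = '{"uid": "admin", "passw": "admin"}'

# Constructed sample pages: the login form, and a page served inside an authenticated session
LOGIN_PAGE_HTML = (
    '<html><body><form action="/login" method="post">'
    '<input name="uid"><input name="passw" type="password">'
    '<input type="submit"></form></body></html>'
)
LOGGED_IN_HTML = '<html><body>Welcome, admin <a href="/logout">Sign Off</a></body></html>'


def load_login_params(raw):
    """Parse the login-parameter JSON and insist on a flat object of string values."""
    params = json.loads(raw)
    if not isinstance(params, dict) or not all(isinstance(v, str) for v in params.values()):
        raise ValueError("login parameters must be a JSON object of field name -> string value")
    return params


def missing_form_fields(login_html, params):
    """Return the named inputs on the login form that the parameter file does not supply.
    A missing field is the usual reason a form login fails before any pattern is checked."""
    names = re.findall(r'<input\b[^>]*\bname="([^"]+)"', login_html)
    return [n for n in names if n not in params]


def session_active(page_html, pattern, mode="text"):
    """Assumed model of the 'verify active session' check.
    text mode: case-insensitive substring match (as the notes say).
    regex mode: re.search, so case-sensitive unless the pattern says (?i)."""
    if mode == "text":
        return pattern.lower() in page_html.lower()
    if mode == "regex":
        return re.search(pattern, page_html) is not None
    raise ValueError(f"unknown mode: {mode}")


def auth_result(page_html, pattern, mode="text"):
    """Mirror the info-level result the notes say to filter for under 'authentication'."""
    ok = session_active(page_html, pattern, mode)
    return "Login form authentication succeeded" if ok else "Login form authentication failed"
```

Running the same pattern in both modes against a page whose link reads "Sign Off" shows why a plain-text pattern is the safer first choice: the text mode matches, while the regex mode only matches once the pattern is made case-insensitive.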