Welcome back, my aspiring cyberwarriors!
One of the keys to being successful as a hacker, pentester, or cyber warrior is the ability to find vulnerabilities or flaws in the target system. Vulnerabilities are holes or weaknesses that can be exploited (hacked). We have looked at several ways to do that including various Web application vulnerability testers such as Nikto and searching through vulnerability databases such as www.securityfocus.com, but here we want to be more specific. What if we had a tool that could scan a system or network and report back to us all its vulnerabilities—that could be a gold mine for us, and we do have such a tool (or tools)!
They are generally referred as vulnerability scanners. These tools maintain a database of known vulnerabilities and then scan the target systems for them. If they find any, they then generate a detailed report of the vulnerabilities found, allowing us to simply choose the appropriate attack, then exploit the system or network.
There are numerous vulnerability assessment tools on the market, including the ever popular Nessus, which began as an open source project and is now a commercial product from Tenable. Other vulnerability scanners include Retina, ISS, Acunetix, as well as many others.
In this tutorial, we will be using Rapid7's Nexpose tool. Rapid7 is the same company that produces Metasploit, and one of the key advantages if you are a Metasploit user is the way that Nexpose integrates its results into it.
We will be using Nexpose in a Windows 7 environment, but Nexpose can also be used in a Linux/UNIX environment. In addition, although I will be demonstrating it here on my local area network hacking lab, it can just as easily be used against public-facing IP's.
Step 1: Download & Register Nexpose
To begin, download Nexpose from Rapid7's website, which you can do here. Rapid7 produces multiple editions of Nexpose—we will be using the free community edition.
Once you have completed the download, install it on your Windows system.
As Nexpose installs, it will pop up a wizard like the below. Simply follow the instructions as they come up.
It does a system check first—note that it recommends 8GB of RAM. Accept the license agreement, then select Type and destination of Nexpose. In this case, I chose Nexpose Security Console with local Scan Engine.
Next, select the default value for the database on port 5432, and finally, create a username and password to use for this application. After you've got that all squared away, Nexpose will begin to extract files to your system.
When you see the screen below, you have successfully installed Nexpose and are ready to begin scanning for vulnerabilities.
Step 2: Restart Your System
The first step toward scanning your network is to restart your system, after which Nexpose will be ready to use.
Make certain that Nexpose has been started by going to your Windows Start button, selecting All Programs, then Rapid7.
Click on Start Nexpose Service to start Nexpose in the background.
Step 3: Navigate to Port 3780 in Your Browser
Now , navigate to http://localhost:3780, where you will access Nexpose from your browser. This will open a screen like the one below and Nexpose will begin to update its database of known vulnerabilities.
Be patient, this can take a while as all the vulnerabilities are loaded into the database. Then, Nexpose will compile the vulnerability checks, which means more waiting.
Finally, you will see a screen asking for your credentials. Enter the username and password you entered when you installed Nexpose.
When you registered at Rapid7 to download the software, you provided your name and email address. Nexpose emailed you a product key, so enter it here to activate Nexpose.
When you see this screen, you are ready to start scanning.
Step 4: Scan the Targets
Next, click on Home button in the upper left corner.
Now click on "New Static Site".
Click on "Assets", then click on "View", and finally, click on "New Site". Here you will enter the network or IP addresses you want to scan. This community edition allows us to scan up to 32 IP addresses.
Step 5: View the Results
Now that the scan is complete, we're ready for the good part that makes all our effort worthwhile. Nexpose has scanned all the computers on the list or network and found all the vulnerabilities we need to know to hack these targets.
Click on reports on the top line menu and select to place the report in PDF format.
When we do, a report like the following is generated and opened.
Over twenty pages long, this report will detail all the potential vulnerabilities on the target systems or network.
You can see what the Executive Summary looks like below.
We can then scroll down through this report to view the numerous vulnerabilities the scanner found. Here is an example of one:
Summary
Vulnerability scanners like Nexpose were designed to assist security engineers to identify potential vulnerabilities in their systems and networks, but the smart hacker can use them to identify potential targets and their vulnerabilities.
No more guessing which exploit to use, Nexpose and these scanners can pinpoint not only the vulnerability, but also the exploit used to hack the system.