Scanning Vulnerabilities and Discovering Backdoors with Nessus
Metasploitable 2 Walkthrough (Part-3)
In this walkthrough, I will show how to scan target machines for vulnerabilities and backdoors using the “Tenable Nessus” network vulnerability scanner.
Nessus can quickly and accurately identify vulnerabilities, configuration issues and malware in physical, virtual and cloud environments, helping you prioritize what to fix first.
Combining Nessus with Kali Linux gives you a pen-testing toolkit with deep insight into your network systems.
Tenable Nessus has two editions, “Nessus Essentials” and “Nessus Professional”.
The “Nessus Essentials” edition is free and you can download it from:
You will need to register with your email address. After successful registration, Nessus will send the license key for activating the Essentials edition to your email inbox.
If you need help with Nessus installation and activation, you can check this out:
Detecting Vulnerabilities & Backdoors with “Tenable Nessus”
Nessus installation will take a while since it needs to update its plugins during installation.
Wait until the login portal appears and asks for your credentials; these are the credentials you set during the Nessus installation.
After Nessus is installed, start the Nessus scanner service from the terminal:
“service nessusd start”
Then open your web browser and navigate to “https://localhost:8834” and log in to Nessus with your credentials.
You will see a screen like this.
You can add scans from this screen. Click “Create a new scan” or “New Scan” on the right side of the toolbar.
You will see the screen below.
Choose “Basic Network Scan”.
You will need to provide the name of the scanning task, a description, and the target IP address.
After that, click Save.
You will see the screen below.
Click the Start button and it will begin scanning the target for vulnerabilities.
You can check its progress and findings by clicking the scan task.
As we can see, the scan is 4% complete and it has already found some vulnerabilities.
Vulnerabilities are rated with five severities:
Red is Critical.
Orange is High.
Yellow is Medium.
Green is Low.
Blue is Informational.
Critical and High vulnerabilities are the most likely to be exploitable.
As Metasploitable 2 is an intentionally vulnerable machine, we will see many Critical and High vulnerabilities.
All right, our scan task is finished. Let’s see the results.
There we go: there are a great many Critical and High vulnerabilities in the Nessus scan results:
9 critical vulnerabilities, 5 high vulnerabilities, 23 medium vulnerabilities and 8 low vulnerabilities.
We can see the details of a vulnerability by clicking it.
It shows the service version, the port number, how it is vulnerable and whether it is exploitable.
It also shows how the vulnerability can be exploited.
As we can see in the scan result above, the vulnerability is “Debian OpenSSH/OpenSSL Random Number Generator Weakness”.
Severity is Critical, type is Remote, and you can get a shell after successful exploitation.
The Solution section suggests how to fix it, and it shows which tool can be used to exploit the vulnerability (in this case, Core Impact).
It also shows the exploit reference information, so you can “Google” the vulnerability.
Apart from the software version vulnerabilities in the scan results above, there are two interesting Critical vulnerabilities that Nessus identified as “Backdoors”.
Those are what we will figure out how to exploit in this walkthrough.
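To work with results like these outside the web UI, here is an added example (my own code, not part of Nessus or of this walkthrough) that parses a .nessus XML export, counts findings by the five severity levels described above, and lists every plugin whose name flags a backdoor. The embedded report is a constructed sample modelled on this scan’s two backdoor findings; the element and attribute names follow the NessusClientData_v2 export format.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# ReportItem/@severity index as used in .nessus exports, mapped to the UI label.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample of a .nessus (NessusClientData_v2) export, trimmed to the
# attributes this script reads. Host and findings mirror the walkthrough's scan.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="Metasploitable2 scan">
  <ReportHost name="192.168.164.133">
   <ReportItem port="1524" svc_name="wild_shell" protocol="tcp" severity="4"
               pluginName="Bind Shell Backdoor Detection"/>
   <ReportItem port="6667" svc_name="irc" protocol="tcp" severity="4"
               pluginName="UnrealIRCd Backdoor Detection"/>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="4"
               pluginName="Debian OpenSSH/OpenSSL Random Number Generator Weakness"/>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
               pluginName="HTTP Server Type and Version"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """Return one dict per ReportItem: host, port, protocol, severity label, plugin name."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": SEVERITY[int(item.get("severity"))],
                "plugin": item.get("pluginName"),
            })
    return findings


def severity_counts(findings):
    """Counter of findings per severity label (Critical, High, ...)."""
    return Counter(f["severity"] for f in findings)


def backdoor_findings(findings):
    """Findings whose plugin name mentions a backdoor, ordered by host and port."""
    return sorted((f for f in findings if "backdoor" in f["plugin"].lower()),
                  key=lambda f: (f["host"], f["port"]))


if __name__ == "__main__":
    found = parse_report(SAMPLE_NESSUS)
    counts = severity_counts(found)
    for label in ("Critical", "High", "Medium", "Low", "Info"):
        print(f"{label:9}{counts.get(label, 0)}")
    for f in backdoor_findings(found):
        print(f"BACKDOOR {f['host']}:{f['port']}/{f['protocol']} {f['plugin']}")
```

Export a real scan with Export > Nessus in the web UI and pass the file contents to parse_report to get the same summary for your own results.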
Backdoor
What is a backdoor?
A backdoor is an intentional or unintentional program installed on a machine that allows unauthorized remote access to the machine without being detected.
A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes.
However, attackers often use backdoors that they discover or install themselves as part of an exploit.
Let’s see what we can do with those “Backdoors” in Metasploitable 2.
As we can see in the result above, Nessus detected a “Bind Shell Backdoor” listening on a remote port without any authentication.
That backdoor is listening for connections on port “1524”.
In its scan result output we can see that Nessus successfully connected to the backdoor and got root access.
Let’s see for ourselves. Fire up a terminal in Kali.
We need a tool called “Netcat” for this job:
“netcat 192.168.164.133 1524”
There we go: we are connected to Metasploitable 2 without any authentication and we have root access on the machine.
That is what a “Backdoor” does.
It was an intentionally installed program running on a pre-defined port, ready to accept connections, with or without authentication.
Sometimes hackers leave “Backdoors” behind intentionally after they have successfully exploited the target machines, so that they can regain access to the machine at any time.
Alright, enough about “Backdoors”; time to explain “Netcat”.
Netcat is a full-featured networking utility that reads and writes data across network connections using the TCP/IP protocol.
It can create almost any kind of connection you would need and has several interesting built-in capabilities, such as what we just did: connecting to the open backdoor port.
It can also grab “Banners” during the “Information Gathering” step.
It’s widely used by network administrators as well as hackers and penetration testers.
Its syntax is pretty simple, as in our command above: “netcat host_ip port_number”.
You can learn more about “Netcat” by typing “netcat --help” in the terminal.
Alright, let’s move on to the other backdoor found by Nessus.
As we can see in the result, an “UnrealIRCD Backdoor” is also listening, on port “6667”.
In our previous “Backdoor” exploitation, the “Bind Shell” backdoor was planted intentionally.
But this time it’s different: UnrealIRCd 3.2.8.1 itself contains a backdoor.
This backdoor allows a person to execute ANY command with the privileges of the user running the ircd.
The backdoor can be executed regardless of any user restrictions.
We can see that Nessus was able to identify the backdoor, but it was not able to connect to a shell.
Let’s find out why.
“netcat 192.168.164.133 6667”
Although the port is up and open, we are not getting any shell access.
Let’s get back to the previous Nessus scan result.
There we go: Nessus suggests that we can exploit this vulnerability with the “Metasploit” module “UnrealIRCD 3.2.8.1 Backdoor Command Execution”, or with “Immunity Canvas”.
The CVE ID is “CVE-2010-2075”.
Let’s find this exploit in Metasploit.
Launch a terminal and start “Metasploit”:
“msfconsole”
Let’s see if we can find the exploit:
“search CVE-2010-2075”
There we go, we got the exploit:
“exploit/multi/irc/unreal_ircd_3281_backdoor”
We will use this exploit:
“use exploit/multi/irc/unreal_ircd_3281_backdoor”
Let’s see what the requirements for the exploit are:
“show options”
The exploit only needs the target machine IP address, “RHOSTS”. Let’s set it:
“set RHOSTS 192.168.164.133”
Run the exploit and let Metasploit do the job:
“exploit”
There we go: the exploit succeeded and we got shell access to Metasploitable 2.
We have root access on our target.
That’s how scary backdoors are.
Best practice is to always look out for and scan for leftover “Backdoors” if your machine, or the machine of anyone you know, gets hacked.
You can scan your system using “Nessus” or any other available antivirus, trojan or backdoor scanner.
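As an added example of that best practice (my own code, not from the walkthrough), this script parses the output of “ss -ltn” on a Linux host and flags listeners bound to non-loopback addresses on ports outside an allowlist, which is how a leftover bind shell on a port like 1524 shows up on the host itself. The allowlist and the embedded ss output are constructed samples; audit_local_host assumes iproute2’s ss is installed.

```python
import re
import subprocess

# Ports the administrator expects this host to serve (constructed allowlist for
# illustration; replace with the machine's real services).
ALLOWED_PORTS = {22, 80, 443}

# Constructed sample of `ss -ltn` output. Ports 1524 and 6667 are the two
# backdoor ports Nessus reported on Metasploitable 2; 631 is loopback-only.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
LISTEN 0      128          0.0.0.0:80          0.0.0.0:*
LISTEN 0      10           0.0.0.0:1524        0.0.0.0:*
LISTEN 0      128             [::]:6667           [::]:*
LISTEN 0      128        127.0.0.1:631         0.0.0.0:*
"""

# Matches the local address and port columns of a LISTEN row; the address may
# be IPv4 (0.0.0.0), bracketed IPv6 ([::]) or a wildcard (*).
LISTEN_ROW = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s")


def listening_ports(ss_output):
    """Parse `ss -ltn` text into (bind_address, port) tuples sorted by port."""
    rows = []
    for line in ss_output.splitlines():
        m = LISTEN_ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return sorted(rows, key=lambda r: r[1])


def unexpected_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Listeners reachable from the network whose port is not on the allowlist."""
    loopback = {"127.0.0.1", "[::1]"}
    return [(addr, port) for addr, port in listening_ports(ss_output)
            if port not in allowed and addr not in loopback]


def audit_local_host():
    """Run ss on this machine (Linux with iproute2) and return unexpected listeners."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    return unexpected_listeners(out)


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener {addr}:{port} - identify the owning process")
```

Pair each flagged port with “ss -ltnp” (as root) to see the owning process and decide whether it belongs there.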
Good luck hunting “Backdoors”. See you in the next walkthrough.