CompTIA CYSA+ CS0-002 – Analyzing Output from Vulnerability Scanners Part 3

  • March 22, 2023

6. OpenVAS and Qualys (OBJ 1.4)

OpenVAS and Qualys. In the last lesson we talked about Nessus, which is a commercially available scanner. In this lesson, I want to talk about two more: OpenVAS and Qualys. Now, Nessus began its life as an open source software project, which means it was available for anybody to download and modify its source code, and the whole community worked on building that product together. At a certain point, though, Tenable, the company behind Nessus, decided to switch, and it became a commercial product. They started charging commercial users for it and gave it away to home users. When that happened, another product picked up the open source code, and this is known as OpenVAS. OpenVAS is an open source vulnerability scanner that began its development when the Nessus codebase was forked.

At that split, Nessus went into the commercial realm and OpenVAS went into the open source realm, and from that point forward OpenVAS has stayed an open source product. Now, OpenVAS looks a lot like an old-school Nessus. If you look at some of the older versions of Nessus, they actually looked almost identical. Over time, Nessus has upgraded its user interface so it looks different, but the two still do basically the same things. So if I look here on the screen, you can see an example of what OpenVAS looks like. We get a nice report with some donut rings and bar graphs of all the different vulnerabilities found, and then we can dig into those and get the information on each of the hosts. Now, the other product I want to talk about here real quick is Qualys.

Now, Qualys is a cloud-based vulnerability management solution with sensors (scanner appliances and agents) installed at various points in your network. Those sensors upload their data to the cloud platform, and you go to that platform's website to do your analysis. When you do that, it looks something like this. Again, it's another UI similar to what you saw with Nessus. We have some bar graphs and some charts. We can see what's vulnerable, what the top vulnerabilities are, the top tickets we're working, and the most vulnerable hosts, so we know which ones to look at first. This is the idea of using one of these dashboards to help you identify what you need to do. Now again, this was a very short lesson, and it was just to introduce you to the idea that there are other vulnerability scanners out there.

For the exam, you don't need to know a specific vulnerability scanner in depth. You don't need to be able to use Nessus or OpenVAS or Qualys or any of the other scanners out there, but you should be comfortable reading the common outputs from each of them in your findings. Now, for the exam, you're not going to get a specific assessment tool's output; instead you're going to get something that looks more whitewashed into a common denominator of what a vulnerability scanner's output might look like. Now, what do I mean by that? Well, if you've already taken the A+ exam back in the day, you might have gotten a question that said, go set up email on a smartphone or on a tablet.

And if you did that, they didn't give you an iOS email client or an Android email client. They gave you something that kind of looked like both, but kind of looked like neither. It was just a generic email program. Now, the same thing is going to apply here with CySA+. They're not going to give you a Nessus output or a Qualys output or an OpenVAS output, but they're going to give you a lot of the same information from that output in a different format. So if you're comfortable using any of those three tools, you're going to do fine on the exam when you get the output they give you, be able to do your own analysis, and pick the right answer.

7. Assessing Scan Outputs (OBJ 1.4)

Scan outputs. In this lesson I'm going to show you how to assess scan outputs. Instead of using Nessus, we're going to use OpenVAS to see how that one looks a little bit different. Now, in this one I'm going to go a little more in depth than I did last time, because I'm going to show you everything from creating the scan account, configuring its permissions, and setting up OpenVAS, through to looking at the results that come from that scan. Let's jump into the environment and get started. First we need to configure our scan accounts. So I'm going to open up DC1 and then use Active Directory Users and Computers. From here I'm going to right-click on Users and select New and then Group. When I do this, I'm going to enter the name for my group.

I'm going to call it SEC Glo Scan, and this is the group we're going to use for the auditors who perform our scans. When we look at the scope of this, it should be Global, and the type should be Security. Once that's done, go ahead and hit OK. Next we're going to right-click on Users and select New and then User. Here we're going to enter the full name and username as Scan. Then I'm going to click Next and enter a password. Now I'm going to uncheck "User must change password at next logon", check "Password never expires", and then click Next and then Finish. This is a common setting when you're setting up a scan account. Now, when you do this, make sure you're using a good, strong password, because we're not requiring anybody to change this password and it will never expire. It's also an account that will hold privileged access on every host it scans, so treat it like any other privileged credential: store it in a vault, not in a scan script or a wiki page.

So something long, random, and complicated is the right choice here. Next, we're going to right-click the Scan user object we just created and select Add to a group. Here we're going to type in SEC Glo Scan and click Check Names. Once that's underlined, click OK, and then we'll be able to hit OK again. Now we can close the Active Directory Users and Computers console. Next we're going to go into Server Manager and select Tools, then Group Policy Management. This will allow us to manage our group policies. Once we're in here, right-click the OU that contains our computers and select "Create a GPO in this domain, and Link it here". When we get to the box, we're going to give it a name. In this case, 515 Support Scanning Policy.

If you remember, 515 Support is the fictional company we're using in most of our examples here. Now we're going to expand Computer Configuration, then Policies, then Windows Settings, then Security Settings, then Local Policies, and then User Rights Assignment. Once you do that, double-click "Deny log on locally". This makes sure the scan account can never be used to log on interactively at a machine; the scanner only ever connects remotely, so there's no reason for this account to sit at a console. We're going to check the "Define these policy settings" box and then click Add User or Group. Again, we're going to type in our group, which is SEC Glo Scan, click OK, and then OK to confirm the main dialog.

At this point we can double-click "Deny log on through Remote Desktop Services", because again, we don't want this account logging on to these machines over RDP either. We're going to check the "Define these policy settings" box and click Add User or Group. Again, we're going to put in our group SEC Glo Scan and click OK, and then OK once more. Next, under Security Settings, we're going to select the Registry node. We're going to right-click in the empty pane and select Add Key. From here we're going to select USERS and click OK. Then we'll click Advanced and click Add. Then we can select a principal. Again, we're going to type in SEC Glo Scan and click OK. From the Type box we're going to select Deny. From the "Applies to" list box, we're going to ensure "This object and child objects" is selected.

Now, at this point, we can select "Show advanced permissions" and check the following boxes: Set Value, Create Subkey, Create Link, Delete, Change Permissions, and Take Ownership. Then we'll confirm all the dialog boxes. Because these are Deny entries, they strip the scan account of every right it would need to write to the registry while leaving it able to read it, which is all a credentialed scan needs. That way, if the scan credential is ever stolen, it can't be used to change the registry on our hosts. Next, we're going to right-click in the empty pane and again select Add Key. From here we're going to select MACHINE and click OK. Then click Advanced and Add and select a principal. Once more we're going to type in SEC Glo Scan and click OK. From the Type box we're going to select Deny, and for the "Applies to" list box we're going to select "This object and child objects". Then we're going to click "Show advanced permissions" and make sure we check the same boxes: Set Value, Create Subkey, Create Link, Delete, Change Permissions, and Take Ownership.

Once more, confirm all the dialog boxes, and now we have set the right permissions. So at this point we have created a user and a group with the permissions we want for our scanners any time we do credentialed scans. The account we're going to use is the user Scan, which is a member of the group SEC Glo Scan. Note that nothing we did here grants that account administrative rights; it still has to hold them on each host before a credentialed scan will work. What the GPO does is constrain what the account can do with those rights on every computer in the domain: no local logon, no RDP logon, and no writes to the registry, only reads. Now that we've finished creating the scan account, we need to go into OpenVAS and start using it. So we're going to go over to my OpenVAS scanning machine and browse to 10.1.0.243, which is the address of that local server.
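The same scan-account setup, scripted, as an added example (this is not part of the lesson or of any CompTIA lab). The ActiveDirectory cmdlets run on the domain controller; the secedit and ACL steps reproduce on one host what the lesson's GPO pushes to every computer, which is handy for checking what the policy actually did on a machine. The domain name, the hyphenated group name, and the use of a local template instead of a GPO are assumptions.

```powershell
# Added example, not the lesson's own procedure: create the scan group and user,
# then apply the same restrictions the lesson's GPO sets, on the local host.
# Domain and group spelling are assumptions (the lesson says "SEC Glo Scan").
#Requires -RunAsAdministrator
$Domain    = '515support.local'   # assumed FQDN of the lab domain
$GroupName = 'SEC-Glo-Scan'
$UserName  = 'scan'

Import-Module ActiveDirectory

# 1. Global security group for scanning accounts, then the scan user itself.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$Password = Read-Host -AsSecureString -Prompt "Long, random password for $UserName"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$UserName'")) {
    New-ADUser -Name $UserName -SamAccountName $UserName `
        -UserPrincipalName "$UserName@$Domain" `
        -AccountPassword $Password -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
}
Add-ADGroupMember -Identity $GroupName -Members $UserName

# 2. Deny local and RDP logon to the group (User Rights Assignment in the GPO).
#    User rights live in a security template; there is no cmdlet for them, so
#    write a minimal template and apply it with secedit.
$Sid = (Get-ADGroup $GroupName).SID.Value
$Inf = Join-Path $env:TEMP 'deny-logon.inf'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$Sid
SeDenyRemoteInteractiveLogonRight = *$Sid
"@ | Set-Content -Path $Inf -Encoding Unicode
secedit /configure /db "$env:TEMP\deny-logon.sdb" /cfg $Inf /areas USER_RIGHTS | Out-Null

# 3. Deny registry WRITE rights on HKLM (MACHINE) and HKU (USERS), inherited by
#    all subkeys. Query/enumerate are untouched, so credentialed checks still
#    work, but a stolen scan credential cannot modify the registry.
$R = [System.Security.AccessControl.RegistryRights]
$WriteRights = $R::SetValue -bor $R::CreateSubKey -bor $R::CreateLink -bor
               $R::Delete   -bor $R::ChangePermissions -bor $R::TakeOwnership
$Identity = [System.Security.Principal.SecurityIdentifier]$Sid
$Rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Identity, $WriteRights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
foreach ($Hive in 'HKLM:\', 'Registry::HKEY_USERS') {
    $Acl = Get-Acl -Path $Hive
    $Acl.AddAccessRule($Rule)
    Set-Acl -Path $Hive -AclObject $Acl
}

# 4. Verify: the group should show up only in Deny entries, never in Allow.
Get-Acl -Path 'HKLM:\' | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, AccessControlType, RegistryRights -AutoSize
```

Step 4 is the check worth keeping around: run it (or `whoami /priv` while logged on as the scan account) on a few domain members after the GPO refreshes to confirm the deny entries really landed, because a scan account with a non-expiring password and no write restrictions is exactly the credential an attacker hopes to find.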

When you're using OpenVAS, you do it through a web page that talks to the scanner service running on that machine. Once we're there, I'm going to log in with my admin user and my password. Now, once I'm in the system, you can see the dashboard, and there isn't much information here because I haven't run any scans yet. First, I want to go to Configuration in the menu and then select Credentials. From here, I want to select New Credential. In that dialog box, I'm going to add a new credential named SEC Glo Scan for the user account we just created. Now, for the "Allow insecure use" option, I'm going to select Yes. That option lets the scanner send this credential over protocols and cipher suites it considers insecure, which means hosts that only speak those older protocols still get a full credentialed check instead of being skipped. The trade-off is that the password may cross the network with weaker protection, so on a production network you'd want to fix those hosts rather than leave this switched on.

Then in the Username box, I'm going to type 515support\scan, which is the domain account we created, and in the Password box I'm going to type its password. After we do this, click Save. Now that we have our credentials saved, we can configure a scan scope and sensitivity. This is where we decide what group of targets we want to go after with our vulnerability scanning. So we're going to click on Configuration and then select Targets. Here I'm going to click New Target. Then in that web dialog, I'm going to type in the name 515support hosts Windows, because I'm going to do a scan across all the hosts inside my network that are Windows based.

Next to Hosts, I'm going to select Manual and type in the address range I want to scan. In this case, 10.1.0.0/24, which is the subnet that contains all my Windows hosts. Next, I can exclude some hosts, so I'm going to select Manual and type in 10.1.0.254, 10.1.0.243. Now, the .243 machine is the box I'm actually scanning with. It is my vulnerability scanner, so I don't want to scan it as part of this target. Then under Credentials, I'm going to select SEC Glo Scan, because that is the one we've authorized as our scanning account. Then I'm going to click Save. Next, I'm going to go into the Configuration menu and click Scan Configs. Here we're going to take a few minutes to browse the default scan configurations, but we're not going to make any changes.

From the Scans menu, I can select Tasks, and there may be a wizard prompt that appears. If it does, just close it. Next, click on New Task and then select New Task. In the New Task dialog box, we're going to type in the name we want to call this, in this case 515support hosts Windows Full. Then from the Scan Targets box, we're going to select the target we just set up, 515support hosts Windows. From the Scan Config box, we're going to make sure we select Full and fast, which is the type of vulnerability scan we want to conduct. Then we'll click Save, and finally we'll click Start, which will kick off our scan. Now, because I'm using the Community Edition here, I don't have the ability to schedule tasks. That's a feature of the Pro version of this tool.

So if you're going to be using this on your own home network, you're going to have to remember to start the scan yourself at designated intervals instead of having it run automatically. Now, it'll usually take a couple of minutes or even longer to perform these scans, because it's connecting to each machine inside my scope and testing it for those vulnerabilities. So I'm going to speed this up so you don't have to wait as long. Once it's done, you get the results by looking at the scan report. Click on Scans and then Results. Once you do that, you'll see a dashboard with four key areas. The top left is all the results by severity class. In this case, you can see I had 163 total results: 7 high, 26 medium, 5 low, and the rest were log or informational content.

Then in the middle we have a word cloud. These are words drawn from all the vulnerabilities that were found. So I can see, for instance, that "Windows" occurred a lot because these were Windows scans, so that's a very large word. It's a very quick visual way to say, oh, I have an issue with SSL/TLS, or I have an issue with SSH, or whatever the vulnerability is that's taking up most of the cloud. Then on the top right side, you have the results shown by CVSS score. It goes from N/A and Log through one to ten, so you can see very quickly how dangerous things are on your network. Now, what I really find useful is the bottom part.

In the bottom part, we're seeing the results ten at a time, in this case 10 out of 163. You'll have the name of the vulnerability, the severity, the quality of detection (QoD), the host IP, the hostname, which is the DNS name of your server, the location (port and protocol), and when the result was created. This is top-level information, but you can drill down and see additional detail by clicking on the name of a vulnerability. So now that we've had a quick look at our results, let's filter to find everything associated with a particular host. For example, if I wanted to find all the vulnerabilities for the host at 10.1.0.1, I could go into the filter box, type host=10.1.0.1, and click Update Filter.

These are all the vulnerabilities associated with my domain controller. Now, you'll see there aren't many here. Why is that? Well, because we really only got an uncredentialed scan against the domain controller. The scan account has administrative rights on everything in the network except the domain controller, so the domain controller gets an uncredentialed scan while everything else gets a credentialed one. A thin result list on a host is worth a second look for exactly this reason: it often means the credentials didn't work there, not that the host is clean. Now, let's take a look, for instance, at the null session vulnerability. When we click on that, we can see that because the guest account is enabled, there is a serious misconfiguration here, and because this is a domain controller, it is quite alarming.

This is something that definitely should not be there on a domain controller, which is why it's rated high severity and why we should fix it quickly. Now, the next thing we want to do is adjust our filter string. Instead of looking at the domain controller at 10.1.0.1, let's change it to host=10.1.0.2. When we do that, you're going to see a lot more severe results. This is because we had administrative credentials there and did a credentialed scan. When you scan a host with administrative rights, you see many more vulnerabilities, because the scanner can check installed patches and local configuration instead of only what's visible over the network. In this case, we see a lot of findings with high severity in the nine or ten range. Now, we can go in and look at these by clicking on those results.

And if you have internet access from this machine, you can go and research the different CVEs to figure out what you should do. For example, if instead of filtering by host we want to find everything affected by a particular vulnerability, we can type vulnerability~"..." with the name of the vulnerability inside the quotes; the tilde means "contains". In my case I'm going to use vulnerability~"4013389", which is the Microsoft Knowledge Base number of the patch. Once I click Update Filter, you'll see that I have a hit for PC2, which is running Windows 7. This is bad news, because this is the same vulnerability that was used by WannaCry, known as EternalBlue. This is a big, bad vulnerability that allows remote code execution on a system.

So this is one that, if you find it in your network, you want to make sure you get patched pretty quickly. Additionally, instead of searching by the Knowledge Base number Microsoft uses, we can search by CVE. For example, I know that the WannaCry vulnerability is CVE-2017-0144, so I can go into the filter box, type ~"CVE-2017-0144", and hit Update Filter. Now I'm going to find any machines that match that CVE. This is really useful if some new big, bad vulnerability comes out and you want to test all your systems for that particular vulnerability. For example, I was working in a large organization when the Apache Struts vulnerability came out a couple of years ago.

We wanted to identify, across our millions of endpoints, which ones were vulnerable to this attack. So we were able to do a search looking just for that one CVE as we scanned across our network, and that way we could find those and patch them quickly. So hopefully you've enjoyed this short lesson on configuring and using a scanner with OpenVAS and the Greenbone Community Edition. As I said in another lesson, I recommend you download this program and scan your own network. Play with it. Get comfortable reading these different results and reports, because it would be totally fair for the exam to give you output like this.
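The three filters used above (host=10.1.0.1, vulnerability~"4013389", ~"CVE-2017-0144") re-implemented over a report file, as an added example that is not part of the lesson or of Greenbone's own tooling. The XML is constructed sample data in a simplified shape, not a real GVM export, and the result names, hosts and the assumed 70% QoD default are illustrative; what it shows is the logic behind the web UI's filter box, which is the same thing you do when a scanner's exported report lands on your desk instead of its dashboard.

```powershell
# Added example, not the lesson's own code: filter a GVM-style XML report the
# way the lesson's web UI filters do. The report below is constructed sample
# data in a simplified shape, not output from a real scan.
[xml]$Report = @"
<report>
  <results>
    <result id="r1">
      <name>SMB null session: guest account enabled</name>
      <host><ip>10.1.0.1</ip><hostname>dc1</hostname></host>
      <port>445/tcp</port><severity>7.5</severity><qod>80</qod>
      <refs/>
    </result>
    <result id="r2">
      <name>OS Detection Report</name>
      <host><ip>10.1.0.1</ip><hostname>dc1</hostname></host>
      <port>general/tcp</port><severity>0.0</severity><qod>80</qod>
      <refs/>
    </result>
    <result id="r3">
      <name>SMB Server Multiple Vulnerabilities (4013389)</name>
      <host><ip>10.1.0.5</ip><hostname>pc2</hostname></host>
      <port>445/tcp</port><severity>9.3</severity><qod>97</qod>
      <refs><ref type="cve" id="CVE-2017-0144"/></refs>
    </result>
    <result id="r4">
      <name>SSL/TLS: deprecated TLSv1.0 supported</name>
      <host><ip>10.1.0.2</ip><hostname>srv1</hostname></host>
      <port>3389/tcp</port><severity>4.3</severity><qod>98</qod>
      <refs/>
    </result>
    <result id="r5">
      <name>SSH weak host key algorithm (banner guess)</name>
      <host><ip>10.1.0.2</ip><hostname>srv1</hostname></host>
      <port>22/tcp</port><severity>2.6</severity><qod>30</qod>
      <refs/>
    </result>
  </results>
</report>
"@

function Get-SeverityClass {
    param([double]$Score)
    # GVM severity classes: High 7.0-10.0, Medium 4.0-6.9, Low 0.1-3.9, Log 0.0
    if ($Score -ge 7.0) { 'High' } elseif ($Score -ge 4.0) { 'Medium' }
    elseif ($Score -gt 0.0) { 'Low' } else { 'Log' }
}

function Get-ScanResult {
    param(
        [Parameter(Mandatory)][xml]$Report,
        [string]$TargetHost,     # host=<ip>
        [string]$NameContains,   # vulnerability~"<text>"  (case-insensitive substring)
        [string]$Cve,            # ~"<cve>" restricted to the result's CVE references
        [int]$MinQod = 70        # assumed: the GVM UI hides results below 70 % QoD by default
    )
    foreach ($r in $Report.report.results.result) {
        $cves = @($r.refs.ref | Where-Object { $_ } | ForEach-Object { $_.id })
        $row = [pscustomobject]@{
            Host     = $r.host.ip
            Hostname = $r.host.hostname
            Port     = $r.port
            Severity = [double]$r.severity
            Class    = Get-SeverityClass ([double]$r.severity)
            Qod      = [int]$r.qod
            Name     = $r.name
            Cves     = $cves -join ','
        }
        if ($row.Qod -lt $MinQod)                                    { continue }
        if ($TargetHost   -and $row.Host -ne $TargetHost)            { continue }
        if ($NameContains -and $row.Name -notlike "*$NameContains*") { continue }
        if ($Cve          -and $cves -notcontains $Cve)              { continue }
        $row
    }
}

'--- host=10.1.0.1 (domain controller, uncredentialed: few results) ---'
Get-ScanResult -Report $Report -TargetHost '10.1.0.1' | Format-Table Class, Severity, Port, Name -AutoSize
'--- vulnerability~"4013389" ---'
Get-ScanResult -Report $Report -NameContains '4013389' | Format-Table Host, Hostname, Severity, Name -AutoSize
'--- ~"CVE-2017-0144" ---'
Get-ScanResult -Report $Report -Cve 'CVE-2017-0144' | Format-Table Host, Hostname, Severity, Cves -AutoSize
'--- results by severity class (what the top-left dashboard tile counts) ---'
Get-ScanResult -Report $Report | Group-Object Class | Select-Object Name, Count
'--- the same host with the QoD floor removed: low-confidence result reappears ---'
Get-ScanResult -Report $Report -TargetHost '10.1.0.2' -MinQod 0 | Format-Table Qod, Class, Name -AutoSize
```

The last two calls are the ones to remember when comparing numbers between the dashboard and a report: the UI's default QoD floor silently drops low-confidence results, so a "missing" finding is sometimes just one the scanner was not sure about, and a count that does not match the top-left tile is usually a filter difference rather than a different scan.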
