In this homelab project, I will use VirtualBox to create a vulnerable Windows 10 virtual machine, which I will scan for vulnerabilities using Nessus Essentials. Once I identify the vulnerabilities, I will remediate them and rescan the VM. The project demonstrates the Discover and Remediate steps of the Vulnerability Management Lifecycle.
Disclaimer: There are several security configurations made during this project to optimize for time. These steps should not be implemented in a production environment without proper authorization and preparation.
First priority is to download and run the Nessus Essentials installer. Installation takes some time to complete (the initial plugin download and compilation are slow), so while that runs we can set up and configure our Windows 10 VM.
When configuring the VM in VirtualBox, set the network adapter to Bridged so the VM gets its own address on the same network as the host machine. Nessus runs on the host, so this lets it reach the VM directly instead of through the NAT that VirtualBox's default adapter mode puts in the way.
Once the VM is set up, we do an initial ping from our host machine to verify that we can reach the VM, but as we can see below, our ICMP echo requests are not getting a reply.
This is most likely because Windows Defender Firewall is enabled and, by default, blocks unsolicited inbound traffic, including ICMP echo requests. That is the firewall doing exactly what it is supposed to do, but for this homelab we need it turned off, so we will disable it for all three profiles (Domain, Private and Public). Please note that disabling the host firewall should never be done in a production environment; the security implications are huge. The tighter option would be to leave it on and open only what the scan needs (ICMP for discovery and TCP 445 for SMB), but this is an isolated homelab VM that will be purged later, so the blanket disable is the time-saving shortcut mentioned in the disclaimer.
Now that the firewall is disabled, let's retry pinging the VM with our host machine.
Success, we get a response from our VM!
By now, Nessus Essentials should be fully initialized. Next step is to create a new scan with the following configuration:
- Name: Windows 10 Single Host
- Targets: <VIRTUAL_MACHINE_IP>
- Scan Type: Port scan (common ports)
- Everything else: default
We now save the scan and then proceed to launch it.
The scan returns 27 results: 26 Info and 1 Low. Since we did not use credentials, this scan only sees what the VM exposes over the network and cannot tell what is actually vulnerable inside it. The Info results are largely indicators of things the scanner could not check without proper credentials, and are not necessarily vulnerabilities that require immediate attention.
Looking at one of the Info results, we can see that Target Credential Status by Authentication Protocol was triggered because we did not actually provide any credentials for this scan.
Next we need to configure the VM to accept authenticated scans, and give Nessus the Windows credentials to use for authentication.
Nessus Documentation: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm
We will reference the Nessus documentation to complete the configuration by doing the following:
- Enable Remote Registry
- Enable all file & folder sharing
- Disable User Account Control
- Add the LocalAccountTokenFilterPolicy DWORD to the Windows registry
In Services, open Remote Registry, double-click it to open Properties, change Startup type to Automatic, and finally start the service.
In Advanced sharing settings, make sure file, folder, and printer sharing are all enabled; Nessus reaches the registry and the administrative shares (ADMIN$, C$) over SMB, so this has to be on.
In User Account Control Settings we pull the slider all the way down to "Never notify me".
In the Registry Editor, under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, add a DWORD (32-bit) value named LocalAccountTokenFilterPolicy and give it a value of 1. This stops Windows from handing a local administrator account a filtered, non-admin token when it authenticates over the network (remote UAC), which is what Nessus needs in order to read the registry and the administrative shares remotely.
After all of that, we will restart the VM to apply the changes we made.
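The steps above (and the earlier firewall change) can be done in one go from an elevated PowerShell prompt on the VM. This is an added example, not the original post's script, and it assumes a throwaway lab VM: every setting it makes weakens the host. The UAC slider position "Never notify" corresponds to the two ConsentPromptBehaviorAdmin/PromptOnSecureDesktop values it writes; the verification object at the end is what I would check before rebooting.

```powershell
#Requires -RunAsAdministrator
# Added example: lab-only preparation of the Windows 10 VM for a Nessus credentialed scan.
# Automates the manual steps described above: firewall off, Remote Registry, file/printer
# sharing, UAC to "Never notify", LocalAccountTokenFilterPolicy=1. Lab VM only.

$ErrorActionPreference = 'Stop'
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Windows Defender Firewall: disable all three profiles so the host can reach the VM
#    (ICMP for discovery, TCP 445 for SMB). Production alternative: keep it on, open only those.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# 2. Remote Registry: Nessus reads installed software and patch state through it.
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

# 3. File and printer sharing: the Server service must be running for ADMIN$ / C$ to exist.
#    Enabling the rule groups mirrors the "Advanced sharing settings" toggles.
Set-Service -Name LanmanServer -StartupType Automatic
Start-Service -Name LanmanServer
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
Enable-NetFirewallRule -DisplayGroup 'Network Discovery'

# 4. UAC slider "Never notify": no consent prompt for admins, no secure desktop.
Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Type DWord -Value 0
Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop     -Type DWord -Value 0

# 5. Remote UAC off: a local admin authenticating over SMB gets a full token, not a filtered one.
New-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Verification before the reboot. Expected: 0 firewall profiles enabled, both services Running,
# 445 listening, TokenFilterPolicy 1, and ADMIN$/C$/IPC$ present.
[PSCustomObject]@{
    FirewallProfilesEnabled = @(Get-NetFirewallProfile | Where-Object Enabled -eq $true).Count
    RemoteRegistry          = (Get-Service RemoteRegistry).Status
    LanmanServer            = (Get-Service LanmanServer).Status
    Smb445Listening         = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    TokenFilterPolicy       = (Get-ItemProperty -Path $policyKey).LocalAccountTokenFilterPolicy
    AdminShares             = (Get-SmbShare -Special | Select-Object -ExpandProperty Name) -join ','
} | Format-List

# The policy changes take effect after a restart.
Restart-Computer -Confirm
```

If the credentialed scan still reports "Target Credential Status" failures after this, the usual culprit is the account: it must be a member of the local Administrators group, and if it is not the built-in Administrator the LocalAccountTokenFilterPolicy value is the one that matters.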
NOTE: For some reason, there appears to be a glitch with Nessus Essentials, where rerunning a reconfigured scan that we had run before with a different config would return empty results. My solution was to move all scans from My Scans into the Trash, create a new scan in My Scans and then run it without issue.
With everything configured on the VM, we go back to Nessus, create a new scan, add the Windows credentials we created when setting up the VM under the scan's Credentials tab, and run the scan again.
The new scan shows far more vulnerabilities than the initial scan, because with credentials Nessus can log in and enumerate installed software, patches and configuration instead of only probing open ports from the outside.
Before trying to remediate any vulnerabilities, I want to first install a deprecated version of Firefox on our VM, run another scan, and then observe the results.
Install an older version of Firefox: https://support.mozilla.org/en-US/kb/install-older-version-firefox
In this instance I decided to go with version 3.6.11, but any sufficiently old version of Firefox will do. After running the scan we see a lot of new alerts and vulnerabilities, 90 of them Critical!
Here's a comparison of the scan results, showing a progressive increase in alerts & vulnerabilities as we added credentials to the scan and then ran it again after installing the deprecated software.
If we drill down into the alerts and vulnerabilities, we can observe that most of the Critical alerts come from the Firefox install.
To remediate the Firefox findings, we can either update Firefox to a current version or uninstall it from our VM. For this project, we will go ahead and uninstall Firefox.
For any Windows vulnerabilities, I decided to update Windows.
After a restart and a few more installs, our VM is fully updated.
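Before running the final scan it is worth confirming the two remediations from inside the VM. The following is an added example, not the original post's script: it reads the same Uninstall registry keys that Nessus's installed-software plugins read (so a Firefox entry here means a Firefox finding there), removes any leftover copy silently, and asks the Windows Update Agent COM API which updates are still missing. It assumes Firefox's uninstaller is the NSIS-based helper.exe, which accepts /S for a silent run.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: verify the remediations (Firefox removed,
# Windows updates installed) before the final Nessus scan.

$ErrorActionPreference = 'Stop'

# Registry hives Windows uses to track installed programs: 64-bit, 32-bit-on-64, per-user.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProgram {
    param([string]$NameFilter = '*')
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NameFilter } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# 1. Firefox: uninstall anything still registered. The UninstallString is the quoted path to
#    helper.exe; /S is the NSIS silent flag (assumption: Firefox's uninstaller is NSIS-based).
foreach ($fx in Get-InstalledProgram -NameFilter 'Mozilla Firefox*') {
    Write-Host "Removing $($fx.DisplayName) $($fx.DisplayVersion)"
    $exe = $fx.UninstallString.Trim('"')
    Start-Process -FilePath $exe -ArgumentList '/S' -Wait
}
$remaining = @(Get-InstalledProgram -NameFilter 'Mozilla Firefox*')
"Firefox entries remaining: $($remaining.Count)"   # expect 0

# 2. Windows Update: list updates that are applicable but not yet installed.
#    An empty list means the OS-level patch findings should be gone on the next scan.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
"Pending updates: $($pending.Count)"
foreach ($u in $pending) {
    $kbs = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    "  [$kbs] $($u.Title)"
}

# 3. Most recent hotfixes, for the record; Nessus correlates missing-patch findings to KB numbers.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```

Run it once after the reboot; if the pending-update list is not empty, run Windows Update again, reboot, and repeat until it is, otherwise the "stragglers" in the final scan will include patches that were downloaded but never applied.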
We run one final scan to confirm that our remediations worked: the number of Critical, High, and Medium results drops sharply. A few stragglers remain, which I will remediate another time, but the results show that the remediations were successful.
Nessus is a powerful vulnerability scanner that lets us proactively detect and remediate vulnerabilities we might not find through manual means. The results show that with proper vulnerability management we can significantly reduce the attack surface of our assets, provided the scan-remediate-rescan cycle is repeated on a schedule rather than run once.