Tenable Lab Steps and Notes - Part 1 (Discovery, NNM, Assessment, Plugins, Compliance, VPR, Analysis) - NETSEC

Saturday, August 24, 2024

This post is to record Tenable VM Lab information for future reference.




LAB Introduction

Topology:

Lab Scope:

  • 1. WAS
  • 2. Compliance
  • 3. PCI
  • 4. Network-based scans
  • 5. Connector Data

 
Targets:
  • pub-target-1.labs.university.tenable.com [23.22.154.225]
  • For PCI:  target1.pubtarg.tenablesecurity.com [44.241.194.21]

Windows Environment Configuration for Credentialed Scan


This configuration has several parts, and this guide concentrates on using the Group Policy Management tool to configure the environment. All the configuration settings can be added to a single Group Policy Object.

If you don’t have Active Directory, you can configure each machine locally using the Local Group Policy Editor.

This guide also assumes that you are using the built-in Windows firewall. If you are using another endpoint firewall, such as one from your antivirus vendor, add exceptions accordingly.

The steps to configure the environment are as follows:

  • Create a dedicated Nessus administrator account that has full local access to Windows machines.
  • Ensure the network profile is configured as ‘Private’
  • Allow WMI access through the firewall
  • Allow File and Print Sharing through the firewall
  • Create a ‘LocalAccountTokenFilterPolicy’ registry entry
  • Configure Remote Registry service

Creating dedicated Nessus account

Create a domain user and group and name them accordingly, then make the new user a member of the new group.

Expand your GPO and go to Computer configuration -> Windows Settings -> Security Settings -> Restricted Groups, right click and select ‘Add Group’ and select the group you have just created. This will open the screen below. Add the group if it’s not already there, then select the Add button and add ‘builtin\administrators’.

Local administrator group

Click OK to save.

Ensuring network profile is configured as ‘Private’

Expand your GPO and go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Network List Manager Policies. Select the network that you are using within your business; by default this will be ‘Network’. Click on the ‘Network Location’ tab and then change the location type to ‘Private’.

Once changed, click OK to save.

Network Profile

Allow WMI access through the firewall

Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security. In the right pane, expand Windows Firewall with Advanced Security until Inbound Rules is visible. Right-click on it.

  • Choose New Rule …
  • Select Predefined and Windows Management Instrumentation (WMI) in the list
  • Click Next
  • Tick all the Windows Management Instrumentation-rules in the list (usually 3 pieces)
  • Click Next
  • Select Allow the Connection
  • Click Finish

WMI through firewall

Allow File and Print Sharing through the firewall

Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security. In the right pane, expand Windows Firewall with Advanced Security until Inbound Rules is visible. Right-click on it.

  • Choose New Rule …
  • Select Predefined and File and Printer Sharing in the list
  • Click Next
  • Tick all the Windows Management Instrumentation-rules in the list (usually 3 pieces)
  • Click Next
  • Select Allow The Connection
  • Click Finish

File and Print Sharing

Create a ‘LocalAccountTokenFilterPolicy’ registry entry

Go to Computer Configuration -> Preferences -> Windows Settings -> Registry, right click on the right pane and select new -> registry item.

  • For the Key path enter: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • For the value name enter: LocalAccountTokenFilterPolicy.
  • For the value type, change to: REG_DWORD
  • For the value data enter: 1

Click OK to save.

Registry Entry

Configure Remote Registry service

Go to Computer Configuration -> Preferences -> Control Panel Settings -> Services, right click on the right pane and select New -> Service.

  • Change Startup to Automatic.
  • Select the Service name: Remote Registry
  • Change Service Action to automatic
  • Click Ok to save

New Service

And that’s it. Wait for the changes to propagate around your environment. This will require a computer restart to take effect.
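The checklist above can be verified on a target before the first credentialed scan. The following read-only PowerShell audit is an added example, not part of the original guide or of Tenable's tooling; the group name passed to it is a placeholder, and the English firewall display-group names and the HKLM hive for the registry key are assumptions.

```powershell
# Added example: read-only audit of the credentialed-scan prerequisites above.
# Run from an elevated Windows PowerShell 5.1+ session on the scan target.
function Test-NessusScanPrereq {
    [CmdletBinding()]
    param(
        # Placeholder: the domain group (or account) created for Nessus scanning.
        [Parameter(Mandatory)][string]$ScanPrincipal
    )

    # Emit one result row per prerequisite.
    function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
    }

    # 1. The scan group is a member of the local Administrators group
    #    (well-known SID S-1-5-32-544, independent of the OS language).
    try {
        $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
        $found  = @($admins | Where-Object { $_.Name -eq $ScanPrincipal }).Count -gt 0
        New-Check 'Local Administrators membership' $found ($admins.Name -join ', ')
    } catch {
        New-Check 'Local Administrators membership' $false "lookup failed: $($_.Exception.Message)"
    }

    # 2. No active network is classified as Public. Domain-joined hosts report
    #    DomainAuthenticated rather than Private; this check treats that as
    #    acceptable (assumption, the guide itself only mentions Private).
    $profiles = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue)
    $public   = @($profiles | Where-Object { $_.NetworkCategory -eq 'Public' })
    $summary  = ($profiles | ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join '; '
    New-Check 'Network profile is not Public' ($profiles.Count -gt 0 -and $public.Count -eq 0) $summary

    # 3. The predefined inbound rule groups are enabled and set to Allow.
    #    ActiveStore is the effective policy (local rules plus GPO rules).
    #    Display-group names assume an English-language OS.
    foreach ($group in 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing') {
        $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup $group -ErrorAction SilentlyContinue |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
        New-Check "Firewall group: $group" ($rules.Count -gt 0) "$($rules.Count) enabled inbound allow rule(s)"
    }

    # 4. LocalAccountTokenFilterPolicy = 1. This turns off remote UAC token
    #    filtering for local administrator accounts, so it is relevant only when
    #    scanning with a local (non-domain) account.
    #    HKLM is assumed; the guide lists only the key path.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val   = (Get-ItemProperty -Path $key -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $shown = if ($null -eq $val) { 'not set' } else { "$val" }
    New-Check 'LocalAccountTokenFilterPolicy = 1' ($val -eq 1) "current value: $shown"

    # 5. Remote Registry start mode is Automatic. The current state is reported
    #    for information only.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    New-Check 'Remote Registry startup is Automatic' ($svc.StartMode -eq 'Auto') "StartMode=$($svc.StartMode), State=$($svc.State)"
}

# 'EXAMPLE\Nessus-Scanners' is a placeholder name.
Test-NessusScanPrereq -ScanPrincipal 'EXAMPLE\Nessus-Scanners' | Format-Table -AutoSize -Wrap
```

Any row with Pass = False points at the GPO setting that has not yet applied to that host.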



Host Discovery


Step-by-step Instructions for Operating System Scan:

No credentials


1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the credentials provided.
2. Click the Vulnerability Management icon in the workspace.
3. Click the Menu icon, and under Vulnerability Management select Scans .
4. Click + Create Scan .
5. Click Host Discovery .
6. Type Operating System Discovery - HQ in the Name field.
7. Click the field under Description and change to This is an operating system discovery scan of HQ- 10.0.0.0/24 .
8. Click the Scanner drop-down and select AWS-Student-Lab-Scanner_Scanner .
9. Type 10.0.0.0/24 in the Targets field.
10. Click Discovery on the left.
11. Select OS Identification from the Scan Type field.
12. Click Save & Launch .
13. It will take a few minutes for the scan to complete. Proceed to the next task, then come back and answer the challenge questions. Once completed, click Operating System Discovery - HQ , and then click See All Details .




Scan results: (It took 16 minutes to complete an OS Identification discovery scan.)


OS Identified


Step-by-step Instructions for Creating and Launching a Port Discovery Scan:

1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the credentials provided.
2. Click the Menu icon, and select Scans .
3. Mouse over Operating System Discovery - HQ , click the More icon (three vertical dots) and select Copy .
a. Note: The Copy option will not be available while the scan is in a running state.
4. Click on My Scans .
5. Click Copy .
6. Click on My Scans on the left.
7. Mouse over Copy of Operating System Discovery - HQ and click the edit (pencil) icon on the right.
8. Delete the contents in the Name field and put in Port Discovery - HQ .
9. Click the field under Description and change to This is port discovery scan of HQ- 10.0.0.0/24 .
10. Click the slider to the right of Schedule to disable the schedule.
11. Click Discovery on the left.
12. Select Port scan (all ports) from the Scan Type field.
13. Click Save & Launch .

It took 8 minutes to complete this scan. 


Part 1: Task 1
1. Did this scan provide information on any additional plugins? If so, which ones?
● OS Identification
2. Click Vulns by Asset and click one of the assets to access the Asset Details page . Then click the Download button underneath KB and open the downloaded file in a text editor. Notice the line that says Launched . What do you think this means?
● This indicates that the specific plugin has been launched against the target.
3. Is all of 10.0.0.0/24 scanned by this scan?
● Yes.
Part 1: Task 2
1. Open the Knowledge Base (KB) article for one of the assets that returned three (3) results, like you did above. Do you see more results? If so, why?
● Yes. More plugins needed to run to identify the operating system.
Part 3: Task 1
1. Is this scan as safe as a default host discovery scan?
● No. With a complete port scan, you may unintentionally interfere with services that are not designed to handle port scanning.
2. If this scan caused a service to crash, does that service have any vulnerabilities?
● Yes. By definition, if you can scan a port and cause a service to cease operating, that is a denial-of-service vulnerability.


Step-by-step Instructions to Create a tag based on an IP address Classless Inter-Domain Routing (CIDR) range:

1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the credentials provided.
2. Click Vulnerability Management from the Workspace view.
3. Click the Menu icon located in the upper left corner.
4. Look underneath Explore, and click Assets .
5. Look underneath Assets (at the top), and click the Show Filter Controls icon to expand the Filters panel.
6. Click Select Filters .
7. Search for and select IPv4 Address , and then click the X to close the filter box.
8. Scroll down to the IPv4 Address filter and type 10.0.0.0/24 , underneath is equal to .
9. Hover the mouse over the top right corner of the Licensed filter and click Remove .
10. Hover the mouse over the top right corner of the Last Seen filter and click Remove .
11. Click Apply (at the top).
12. Click the Tag icon located at the top, to the right of Saved Filters .
13. Click Select or create Category , and type Regions . Then, select Create “Regions” .
14. Type HQ in the field to the right of Regions , and then select Create “HQ” .
15. Click Save .






Step-by-step Instructions to Set Filters and save Filter query:

1. Click Vulnerability Management from the Workspace view.
2. Click the Menu icon located in the upper left corner.
3. Look underneath Explore , and click Assets .
4. Look underneath Assets (at the top), and click the Show Filter Controls icon to expand the Filters panel.
5. Click Select Filters .
6. Search for and select Tags (it may already be selected).
7. Search for and select Operating System (it may already be selected).
8. Click the X to close the filter box.
9. Scroll down to Tags , and click underneath is equal to .
10. Select Regions , and then HQ underneath Tag Values .
11. Locate the Operating System filter and type *indows* underneath is equal to .
12. Locate the Assessed vs. Discovered filter and select Discovered Only .
13. Click Apply . Note: There may be no results - this is fine.
14. Click the X inside the box to remove the Licensed is equal to Yes filter.
a. Notice the difference?
15. Click Saved Filters (at the top).
16. Click Save .
17. Type Unscanned Windows HQ Assets , and click the check mark to save.


1. If you perform a host discovery scan using the tag Regions:HQ as the target, will it scan the entire IP range of 10.0.0.0/24?
● It depends on what you select in the scan. If you select “Existing tagged assets only”, then the scan will only assess previously discovered assets in the range 10.0.0.0/24. You need to be sure to select the “Targets defined by tags” option to ensure that the entire IPv4 range defined in the tag will be scanned. Please note that when you select this option, the scan will only assess tags if the tag contains a rule of either IPv4 address, IPv6 address, or DNS.
2. How would you create a tag using the HQ IP range and Linux systems?
● Set your filter to “IPv4 Address is equal to 10.0.0.0/24” and “Operating System is equal to *inux*”


Step-by-step Instructions to Identify Assets Discovered by a Connector:
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the credentials provided.
2. Click the Tenable Vulnerability Management icon in the workspace.
3. Click the Menu icon in the upper left corner and select Assets, underneath Explore .
4. Click Hosts (this should be the default).
5. Click the X to remove the default filter of Licensed:is equal to Yes (at the top, underneath Advanced ).
6. Look underneath Assets (at the top), and click the Show Filter Controls icon to expand the Filters panel.
7. Look underneath Source , and select Cloud Discovery Connector. (Operand should already be set to is equal to .)
8. Click Apply (at the top).
9. Click the Saved Filters , and then Save.
10. Type Connector Assets in the text field.
11. Click the check mark .


Step-by-step Instructions to Identify Unscanned Assets:

1. Click the Menu icon.
2. Click Assets , underneath Explore .
3. Click Saved Filters and select Connector Assets .
4. Click Advanced , next to Connector Assets .
5. Click the Filters text field at the top and add the text AND SOURCE IS NOT EQUAL TO NESSUS SCAN .
a. HINT : Once you click the Advanced Filter field, prompts should appear to help you.
6. Click Apply .
7. Click the filter labeled Connector Assets.
8. Select Save as New .
9. Click the empty text field and type Unscanned Assets by Source
10. Click the check mark .

Part 1: Task 1
1. What field are these assets sorted on?
● Last seen
2. Can you use this filter to create a scan?
● Yes, however you must create a tag using the filter first. Also, newly discovered assets would not be included - you could only use the “Existing Tagged Assets” option. The reason for this is for discovery, to use the “Targets defined by tags” option, you are required to use one of the following filters: IPv4 Address, IPv6 Address, or DNS.
3. Why did you remove the Licensed filter?
● If the asset is discovered, but has not had a vulnerability scan, it does not count against your license.
Part 1: Task 2
1. Does this correctly identify all unscanned assets?
● No. It is possible an asset has been scanned using an agent and it would still be on this list. You would need to go to the Agent and look at the second filter line to make sure that you identified unscanned assets properly.
1. What other filter could you use to identify unscanned assets?
● The Assessed vs. Discovered filter is more accurate than Source. “Assessed vs. Discovered is equal to Discovered Only” means that the asset was seen by a connector, agent, or discovery scan, but has not yet had a vulnerability assessment scan run against it.
Part 1: Task 3
2. What would you do if you just wanted to identify unscanned assets in HQ, if HQ is 10.0.0.0/24?
● Modify the rules with an additional item, IPV4 address is 10.0.0.0/24, and change the value to Unscanned - HQ.
3. Is there another way you could create this tag?
● Yes, you could also create the tag using Rules under Settings>Tagging .




Tenable Nessus Network Monitor


Features:

  • Operate 24x7
  • Require access to a SPAN / Mirror port for data
  • Scans network traffic for cyber risk data
  • Two operational modes: 
    • Host discovery
      • assets discovered in this mode will not count against your license
      • safest option to start with to ensure sensor setup is correct
    • Full
      • NNM will report on vulnerabilities it sees via the network
      • Good option for fragile devices that can not be scanned

Identifying unscanned assets

  • Source is equal to (Cloud Discovery Connector, NNM, ServiceNow, etc.) AND Source is not (Nessus Scan, Nessus Agent) 
  • Assessed vs. Discovered Only

Step-by-step Instructions to Identify Assets Discovered by Tenable Nessus Network Monitor:

1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the credentials provided.
2. Click the Menu button, and select Assets , underneath Explore .
3. Click the X to remove the default filter of Licensed:is equal to Yes (at the top, underneath Advanced ).
4. Look above Hosts , click the Filters icon to expand the Filters panel.
5. Look underneath Source , scroll down, and click the check mark next to NNM . (If the Source filter is not visible, click Select Filters to search for and select it.)
6. Click Apply (at the top).
7. Click the Saved Filters , and then Save.
8. Type Tenable Nessus Network Monitor Assets in the text field.
9. Click the check mark .


Step-by-step Instructions to Identify Assets for Old Authenticated Scan Results:

1. With the saved filter Tenable Nessus Network Monitor Assets still set, click the Filters icon, underneath Hosts , to expand the Filters panel.
2. Click Select Filters and select Last Authenticated Scan .
a. Click the X to close the Select Filters section.
3. Look under Last Authenticated Scan , click within last and select does not exist .
4. Click Apply .
5. Click Tenable Nessus Network Monitor Assets [EDITED] , and select Save as New .
6. Type Nessus Network Monitor-No authenticated scan
7. Click the check mark .




Answers:
Part 1: Task 1
1. What changes if the Licensed=Yes filter is re-applied? Why?
● The number of filtered results is greatly reduced, to those that only count against the license. This is because Tenable Nessus Network Monitor detected Plugin ID findings that are considered vulnerability findings and not just host discovery, for these assets.
2. What is the difference between assets identified using Tenable Nessus Network Monitor and assets using the connector?
● Assets identified by Tenable Nessus Network Monitor are identified using network traffic; assets identified by the connector are identified using information in the cloud platform configuration.
Part 1: Task 2
1. What is the difference between the query of unscanned assets you created in Part 1 and the query you saved here?
● The query in part 1 focused on assets that had no Tenable Nessus Network Monitor scan; this could be authenticated or unauthenticated. The second query focuses entirely on assets where no authenticated scan had been run.
2. How would you treat the results of these two filters differently?
● For the unscanned assets, investigate why the asset was not being scanned, even if just a port scan. For the No authenticated scan , check to see if credentials are failing, and why.



Summary:

● There are several options when using the Host Discovery Scan Template. 

● Cloud connectors can be used to identify assets in cloud environments. 

● Tenable Nessus Network Monitor can be used in networks to identify assets, as well as gather cyber risk data. 

● Third-party data can be imported for the purpose of identifying assets within an organization.



Vulnerability Assessment Best Practices

 


Step-by-step Instructions to Create a Non-Credentialed Vulnerability Assessment:

Log in to Tenable Vulnerability Management and create a non-credentialed scan of 10.0.0.0/24 (HQ).
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the credentials provided.
2. Click the Vulnerability Management icon in the workspace.
3. Click Quick Actions and select Create a VM Scan .
4. Click Basic Network Scan .
5. Type Non-Credentialed Scan of HQ in the Name field
6. Click the Scanner drop-down and select AWS-Student-Lab-Scanner_Scanner .
7. Type 10.0.0.0/24 in the Targets field
8. Click Save and Launch .
a. Note: It will take a few minutes for the scan to complete. Proceed to the next task, then come back and answer the challenge questions.


Task 2 - Create Credentials

In this task, you will create credentials for credentialed scanning. The credentials for Microsoft Windows are scanadmin /Tenable123! . Credentials for Linux are scanadmin /Tenable123! with privilege elevation sudo and a username of root .
Step-by-step Instructions:
1. Click the Menu icon in the upper left corner, and select Settings .
2. Click Credentials from the Scanning section.
3. Click + Create Credential (at the top right).
4. Scroll down the Select Credential Type panel that expanded on the right.
5. Click Windows , underneath Host .
6. Type HQ Windows Credentials in the Enter a Name field
7. Type scanadmin in the USERNAME field
8. Type Tenable123! in the PASSWORD field
9. Click Create .
10. Click + Create Credential (at the top right).
11. Type SSH and press <Enter> in the Search field
12. Click SSH .
13. Type HQ Linux Credentials in the Enter a Name field
14. Select Password from the AUTHENTICATION METHOD drop-down.
15. Type scanadmin in the USERNAME field
16. Type Tenable123! in the PASSWORD (UNSAFE!) field (Note: The word “unsafe” is here because best practices call for keypair authentication to Linux hosts whenever possible.)
17. Select sudo from the ELEVATE PRIVILEGES WITH drop-down.
18. Type root in the SUDO USER field
19. Click Create .



Task 3 - Credentialed Vulnerability Assessment

In this task, you will perform a credentialed scan of 10.0.0.0/24 (HQ) using the credentials created in the previous task.
Step-by-step Instructions:
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the credentials provided.
2. Click Vulnerability Management .
3. Click Quick Actions .
4. Click Create a VM Scan .
5. Click Basic Network Scan from the Vulnerability Scans (Common) section.
6. Type Credentialed Scan of HQ in the Name field
7. Click the Scanner drop-down and select AWS-Student-Lab-Scanner_Scanner .
8. Type 10.0.0.0/24 in the Targets field.
9. Navigate to the menu located on the left, and click Credentials .
10. Click plus sign (+) to the right of Add Credentials .
11. Open the Managed Credentials drop-down from the Select Credential Type panel that expanded on the right.
12. Click HQ Linux Credentials . (You may need to mouse over the credentials to find them.)
13. Click HQ Windows Credentials . (You may need to mouse over the credentials to find them.)
14. Click the X in the upper right corner of the Select Credential Type panel to close.
15. Click Save & Launch .




Answer Key
Part 1: Task 1
1. Go to the scan results for Non-Credentialed Scan of HQ. Where can you find how long it took to run the scan?
● Go to History and look at the scan entry. It has a start time, an end time and a duration.
2. Where can you find the number of assets that were scanned?
● Go to Vulns by Asset. In the lower right corner, it indicates the number of assets.
3. Where can you verify that this was a non-credentialed scan?
● Go to Vulns by Plugin and click Nessus Scan Information. For any host, click the icon underneath Output. In the output, there is a line that reads “Credentialed checks : No”.

Part 1: Task 2
1. Assuming these credentials are administrative in nature, will using these credentials be sufficient for best practices in vulnerability assessment?
● Yes
2. In the Credentials section, there is the option to use plaintext credentials for Linux hosts. Is this safe?
● No, using the plaintext options will potentially expose the username and password to packet sniffing applications.

Part 1: Task 3
1. Examine the scan results. Is there a way you can confirm that the credentials worked properly?
● Yes, there are several plugins that report on whether credentials worked. Some examples are Plugin IDs 19506, 117887 and 141118.
2. Is there a way to determine from these scan results whether an agent is installed on an asset? Why might you want this information?
● Yes, if you search on “Plugin Name contains Agent” you can identify plugins that report on whether an agent is installed on the asset. You can use this information to avoid scanning an asset twice.




Advanced Network Scan Options - Assessment

At the end of this exercise, you will be able to:
● Create an advanced network scan with a modified max checks per host
● Create a scan with safe checks disabled


Part 1: Task 1 - Create an Advanced Network Scan with a Modified Max Checks Per Host

Create a scan policy named “Fast Vulnerability Assessment” using the Advanced Network Scan Policy template, with max simultaneous checks per host set to 50 and max simultaneous hosts set to 160. Set the network timeout value to 1 second.

Step-by-step Instructions:
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the credentials provided.
2. Click Vulnerability Management .
3. Click Quick Actions and select Create a VM Scan .
4. Click Advanced Network Scan from the Vulnerability Scans (Common) section.
5. Type Fast Vulnerability Assessment in the Name field
6. Click the Scanner drop-down and select AWS-Student-Lab-Scanner_Scanner .
7. Type 10.0.0.0/24 in the Targets field.
8. Navigate to the Settings menu located on the left, and click Discovery .
9. Enable Use fast network discovery .
10. Disable ARP ping.
11. Disable ICMP ping.

12. Navigate to the Settings menu located on the left, and click Advanced .
13. Enable Stop scanning hosts that become unresponsive during scan .
14. Type 1 in the Network Timeout (In Seconds) field
15. Type 50 in the Max Simultaneous Checks per Host field
16. Type 160 in the Max Simultaneous Hosts per Scan field
17. Navigate to the Settings menu located on the left, and click Credentials .
18. Click plus sign (+) to the right of Add Credentials .
19. Open the Managed Credentials drop-down from the Select Credential Type panel that expanded on the right.
20. Click HQ Linux Credentials . (You may need to mouse over the credentials to find them.)
21. Click HQ Windows Credentials . (You may need to mouse over the credentials to find them.)
22. Click the X in the upper right corner of the Select Credential Type panel to close.
23. Click Save & Launch .
a. Note: It will take a few minutes for the scan to complete. Proceed to the next task, then come back and answer the challenge questions.


Part 1: Task 2 - Create a Scan with Safe Checks Disabled

Create a scan named “Vulnerability Assessment with Unsafe Checks Enabled” using the Advanced Network Scan template, with safe checks disabled.
Step-by-step Instructions:
1. Click the Quick Actions and select Create a VM Scan .
2. Click Advanced Network Scan from the Vulnerability Scans (Common) section.
3. Type Vulnerability Assessment with Unsafe Checks Enabled in the Name field.
4. Click the Scanner drop-down and select AWS-Student-Lab-Scanner_Scanner .
5. Type 10.0.0.0/24 in the Targets field.
6. Navigate to the Settings menu located on the left, and click Advanced .
7. Disable Enable Safe Checks .
8. Navigate to the Settings menu located on the left, and click Credentials .
9. Click the plus sign (+) to the right of Add Credentials .
10. Open the Managed Credentials drop-down from the Select Credential Type panel that expanded on the right.
11. Click HQ Linux Credentials . (You may need to mouse over the credentials to find them.)
12. Click HQ Windows Credentials . (You may need to mouse over the credentials to find them.)
13. Click the X in the upper right corner of the Select Credential Type panel to close.
14. Click Save & Launch .


Part 1: Task 1
1. What possible impact did changing the Max Simultaneous Checks per Host have on scanning assets?
● Scanned assets may have greater loads on them during the scan.
2. What possible impact did changing the Max Simultaneous Hosts per Scan have on scanning assets?
● More network traffic may be generated during the scan.
3. What impact does adding credentials have on the speed of the scan?
● If the scanner can log in with the credentials you have added, then the native Netstat or WMI port scanner will be used, instead of the slower TCP scanner.
Part 1: Task 2
1. What concerns are there with this scan?
● This scan is more likely to interfere with the operation of the assets being scanned.
2. Are there specific types of assets you might want to consider using this scan on?
● Assets that are on public Internet Protocol (IP) addresses and exposed to the internet should be scanned using this option in order to reduce their cyber risk.
3. Can you disable safe checks using any other scan template?
● Yes, this option is also available in the Basic Network Scan template, as well as the Credentialed Patch Audit, and a few others. In those cases to see the option, you will need to select “custom” mode from the Advanced tab, under Settings. This option is NOT available to select in the Host Discovery scan.


Advanced Network Scan Options - Plugins

At the end of this exercise, you will be able to:
● Create a scan with a plugin family enabled
● Perform a remediation scan
● Create a scan with an individual plugin enabled
● Use the Tenable online Plugin Database to research plugins

Part 1: Task 1 - Create a Denials of Service Family Plugin Scan

Log into Tenable Vulnerability Management and create a scan of the plugins in the Denials of Service family.
Step-by-step Instructions:
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the credentials provided.
2. Click Vulnerability Management .
3. Click Quick Actions and select Create a VM Scan .
4. Click Advanced Network Scan .
5. Enter DNS Scan HQ in the Name field.
6. Select AWS-Student-Lab-Scanner_Scanner from the Scanner drop-down list.
7. Type 10.0.0.0/24 in the Targets field.
8. Click Plugins on the left.
9. Click the slider to the right of All Enabled to disable all plugins.
10. Click the slider to the right of DNS .
11. Click the slider to the right of General .
12. Click the slider to the right of Service Detection .
13. Click the slider to the right of Settings .
14. Click Save and Launch .


Part 1: Task 2 - Perform a Remediation Scan of a Vulnerability

Locate the SSL Certificate “Cannot be trusted” vulnerability, and perform a remediation scan.
Step-by-step Instructions:
1. Sign into cloud.tenable.com with the credentials provided.
2. Click Vulnerability Management .
3. Click the Menu (located in the upper-right corner) and select Findings .
4. Click on the filter control, and search for and select IPv4 Address .
5. Click on the X to close the filter box.
6. In the IPv4 Address filter, type 10.0.0.7 underneath is equal to .
7. Click Apply .
8. Click the Actions menu to the right of one of the SSL Certificate Cannot Be… and select Launch Remediation Scan .
9. Select AWS-Student-Lab-Scanner_Scanner from the Scanner drop-down list.
10. Click in the Targets field and replace the contents with 10.0.0.7 .
11. Click Save and Launch .



Part 2: Task 1 - Create a Scan for Expired SSL Certificates

Log into Tenable Vulnerability Management and create a scan for expired SSL certificates using plugin ID 15901.
Step-by-step Instructions:
1. Sign into cloud.tenable.com with the credentials provided.
2. Click Vulnerability Management .
3. Click Quick Actions and select Create a VM Scan .
4. Click Advanced Network Scan .
5. Enter Expired Certificate Scan HQ in the Name field.
6. Select AWS-Student-Lab-Scanner_Scanner from the Scanner drop-down list.
7. Type 10.0.0.0/24 in the Targets field.
8. Click Plugins on the left.
9. Click the slider to the right of All Enabled to disable all plugins.
10. Click General .
11. Type 15901 in the General field and press Enter.
12. Check the Status box.
13. Click Save and Launch .


Part 3: Task 1 - Determine whether Plugin 15901 requires credentials
Use tenable.com/plugins to determine whether plugin ID 15901 requires credentials.
Step-by-step Instructions:
1. Go to www.tenable.com/plugins .
2. Type 15901 in the Search field and press Enter .
3. Click the 15901 ID.


Part 1: Task 1
1. Why enable entire plugin families?
● So that if any new plugins are later added to those families, those vulnerabilities will also be assessed.
2. Why did we enable the plugin families General, Service Detection and Settings, in addition to DNS?
● These families contain the plugins that give us information on whether or not our scans ran properly.
Part 1: Task 2
1. Has the vulnerability been remediated?
● No.
2. What are some challenges with performing remediation scans?
(There are several possible answers to this question, here are some examples:)
● You have to remember to select the appropriate scanner.
● You have to remember whether or not the scan requires credentials.
● Scanning for individual vulnerabilities is an inefficient use of scanner time.
● When scanning an asset with multiple IPs, you have to make sure you have the right IP address.
Part 2: Task 1
1. How many expired certificates were reported in the scan?
● 0.
Part 3: Task 1
1. How can we determine whether plugin 15901 requires credentials?
● The type is "remote."
2. When was this plugin first published?
● December 3, 2004




Assessment with Agents


Part 1: Task 1 - Create an Agent Group

In order to perform a vulnerability assessment using agents, agents must be placed in an agent group.
Step-by-step Instructions:
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the
credentials provided.
2. Click Vulnerability Management .
3. Click Menu , and then select Settings .
4. Click Sensors from the Scanning section.
5. Click Nessus Agents on the left.
6. Click Agent Groups .
7. Click +Add Agent Group .
8. Type Sales Team in the Group Name field.
9. Click Save .
10. Click Sales Team .
11. Click +Assign Agents .
12. Select both (yourname)_Linux and (yourname)_Windows agents.
13. Click Assign .


Part 2: Task 2 - Create and Launch an Agent Vulnerability Assessment

Once agents have been placed in a group, vulnerability assessments can be performed on those assets.
Step-by-step Instructions:
1. Click Quick Actions and select Create a VM Scan .
2. Click Nessus Agent from the top tabs.
a. Note: The default is on Nessus Scanner.
3. Click Basic Agent Scan .
4. Type Sales Team Vulnerability Assessment in the Name field.
5. Select Sales Team from the Agent Groups drop-down.
6. Select 15 minutes from the drop-down below Scan Type/Scan Window .
7. Click Save & Launch .



Part 1: Task 1
1. How can you determine if a given agent is available to be scanned?
● In the agent group list, check to see if 'Online' is listed, underneath Status.
2. Can an individual agent be in multiple groups?
● Yes.
Part 1: Task 2
1. What impact does reducing the scan window to 15 minutes have on the scan? Why would you want to
change the scan window value?
● By changing the scan window to 15 minutes, if an agent does not connect to Tenable
Vulnerability Management within 15 minutes of the start of the scan, the agent will not be
assessed and will not appear in the results.
○ You can extend the scan window for environments where agent connectivity might be
sporadic, to ensure hosts are assessed. In environments where connectivity is more
reliable, the scan window can be reduced to speed up completion of the scan.
2. Were there any assets with agents that did not get scanned?
● No.
3. Were credentialed checks run?
● Yes. All Agent scans are credentialed scans by default.



Compliance Scans


Part 1: Task 1 - Create a Windows Compliance Scan

Create a compliance scan using a CIS Windows Server 2016 MS audit file from a template.
Step-by-step Instructions:
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the
credentials provided.
2. Click Vulnerability Management .
3. Click the Quick Actions and select Create a VM Scan .
4. Click Policy Compliance Auditing .
5. Type CIS Windows 2016 in the Name field
6. Click the Scanner drop-down and select AWS-Student-Lab-Scanner_Scanner .
7. Type 10.0.0.0/24 in the Targets field
8. Click Credentials from the Scanning section on the left.
9. Click plus sign (+) to the right of Add Credentials .
10. Open the Managed Credentials drop-down from the Select Credential Type panel that expanded on the
right.
11. Click HQ Windows Credentials . (You may need to mouse over the credentials to find them.)
12. Click the X in the upper right corner of the Select Credential Type panel to close.
13. Click Compliance from the Settings menu located on the left.
14. Click the plus sign (+) to the right of Add Compliance Audits .
15. Type CIS Microsoft Windows Server 2016 MS L1 in the Search field and press Enter on your keyboard.
16. Select CIS Microsoft Windows Server 2016 MS L1 v2.0.0 from the Windows drop-down.
a. Note: This audit occasionally updates. If the exact match is not available, select whichever
version is the most recent, for example instead of v2.0.0. It may be 2.0.1, or something similar.
17. Add the phrase For Official Use Only in the Logon Window Text field
18. Click Save .
19. Click Save & Launch .

Part 2: Task 1 - Create an Agent Group for Windows Hosts

Create an agent group called Windows Hosts, with the Windows host in the group.
Step-by-step Instructions:
1. Click the Menu button in the upper left corner, and select Settings .
2. Click Sensors .
3. Click Nessus Agents on the left.
4. Click Agent Groups .
5. Click +Add Agent group .
6. Type Windows Hosts in the Group Name field.
7. Click Save .
8. Click the group Windows Hosts .
9. Click Assign Agents .
10. Select {yourname}_Windows .
a. You may need to hover your mouse over the Name to see the full name.
11. Click Assign .


Part 2: Task 2 - Create an Agent Compliance Scan for the Windows Host

Create a CIS 2016 Server Compliance scan that uses the agent.
Step-by-step Instructions:
1. Click Quick Actions and select Create a VM Scan .
2. Click Nessus Agent (at the top).
3. Click Policy Compliance Auditing .
4. Type CIS Windows 2016 Agent in the Name field.
5. Click the Agent Groups drop-down and select Windows Hosts .
6. Click Compliance from the Settings menu located on the left.
7. Click the plus sign (+) to the right of Add Compliance Audits .
8. Type CIS Microsoft Windows Server 2016 MS L1 in the Search field and press Enter on your keyboard.
9. Select CIS Microsoft Windows Server 2016 MS L1 v2.0.0 (or the latest version) from the Windows
drop-down.
10. Click Save .
11. Click Save & Launch .


Part 1: Task 1
1. Did the scan return any results for hosts other than the Windows Server 2016 host? How could you
create a scan that did not use these results?
● Yes. Scan based upon a tag of Windows Server 2016 hosts, rather than an IP range.
2. How would you adjust this scan to check for your organization’s login banner?
● Edit the scan, go to the Compliance section, and click the CIS entry. Set the login banner on the
right, and save.
Part 2: Task 1
1. How many agent groups is the Windows agent in?
● 2
2. Does this pose any problems or challenges? If so, how might you resolve them?
● Someone might scan the asset twice, if they selected multiple agent groups in one scan. Label
your agent groups to make it clear what they are used for, ex. "Windows_hosts_for_compliance."
Part 2: Task 2
1. Are there any apparent differences between performing a compliance assessment with an agent, as
opposed to an active scan?
● Yes, for an agent compliance assessment you do not have to add credentials, as all agent scans
are credentialed by default.
2. In what cases might you want to use an agent instead of an active scan?
● Transient assets, or assets that have unreliable internet connectivity.



Custom Compliance

At the end of this module, you will be able to:
● Create an audit file
● Create and launch a compliance scan using a custom audit file

Part 1: Task 1 - Create an Audit File to Check Minimum Password Length on Windows Hosts

Using a text editor, create an audit file that checks for a minimum password length of 15 characters on
Windows hosts.
Step-by-step Instructions:
1. Open a text editor on your local machine. DO NOT use Windows Notepad , as it inserts extraneous
characters that will interfere with the creation of the audit file. If you don’t have an editor, Vim is freely
available for most platforms, from multiple sources. For Mac, try BBEdit or Sublime Text . On Windows,
search for and install Notepad++ .
2. Create a file with the following contents:
<check_type:"Windows" version:"2">
<group_policy:"Password Length Compliance check">
<custom_item>
type: PASSWORD_POLICY
description: "Minimum password length"
value_type: POLICY_DWORD
value_data: 15
password_policy: MINIMUM_PASSWORD_LENGTH
</custom_item>
</group_policy>
</check_type>
3. Save the file as Windows_password.audit .
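
A pre-upload check for the extraneous characters that step 1 warns about, as an added Python example (not part of the lab or of Tenable's tooling). It assumes the problem characters are a UTF-8 byte order mark or non-ASCII bytes such as typographic quotes, and it understands only the three tags used in this file; the sample inputs are constructed.

```python
import re

# Constructed sample: the audit file from step 2, as raw bytes.
GOOD_AUDIT = b'''<check_type:"Windows" version:"2">
<group_policy:"Password Length Compliance check">
<custom_item>
type: PASSWORD_POLICY
description: "Minimum password length"
value_type: POLICY_DWORD
value_data: 15
password_policy: MINIMUM_PASSWORD_LENGTH
</custom_item>
</group_policy>
</check_type>
'''

# Constructed sample: the same file after an editor added a BOM and curly quotes.
BAD_AUDIT = b"\xef\xbb\xbf" + GOOD_AUDIT.replace(
    b'"Minimum password length"',
    "\u201cMinimum password length\u201d".encode("utf-8"))

TAGS = "check_type|group_policy|custom_item"  # assumption: only these tags are handled
OPEN_TAG = re.compile(rf"^<({TAGS})\b[^>]*>$")
CLOSE_TAG = re.compile(rf"^</({TAGS})>$")
FIELD = re.compile(r"^(\w+)\s*:\s*(.*)$")


def lint_audit(raw: bytes):
    """Return (problems, items): byte/structure problems and parsed custom_item fields."""
    problems, items, stack, current = [], [], [], None
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark at start of file")
        raw = raw[3:]
    text = raw.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        bad = sorted({c for c in line if ord(c) > 126 or (ord(c) < 32 and c != "\t")})
        if bad:
            problems.append(f"line {lineno}: non-ASCII or control characters {bad!r}")
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_TAG.match(line):
            stack.append(m.group(1))
            if m.group(1) == "custom_item":
                current = {}
        elif m := CLOSE_TAG.match(line):
            if not stack or stack.pop() != m.group(1):
                problems.append(f"line {lineno}: unbalanced </{m.group(1)}>")
            elif m.group(1) == "custom_item":
                items.append(current)
                current = None
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2).strip('"')
        else:
            problems.append(f"line {lineno}: unexpected content {line!r}")
    problems += [f"<{tag}> never closed" for tag in stack]
    return problems, items


def min_password_length(items):
    """Return the required minimum length from the parsed policy item, or None."""
    for item in items:
        if item.get("password_policy") == "MINIMUM_PASSWORD_LENGTH":
            return int(item["value_data"])
    return None
```

Run `lint_audit` on the bytes of Windows_password.audit before uploading; an empty problem list and a `min_password_length` of 15 mean the file matches what the step describes.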


Part 1: Task 2 - Create a Scan Using the New Audit File

Step-by-step Instructions:
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the
credentials provided.
2. Click Vulnerability Management
3. Click Quick Actions and select Create a VM Scan .
4. Click Policy Compliance Auditing .
5. Type Password Length Check in the Name field.
6. Click the Scanner drop-down and select AWS-Student-Lab-Scanner_Scanner .
7. Type 10.0.0.0/24 in the Targets field.
8. Click Credentials from the Settings menu located on the left.
9. Click the plus sign (+) to the right of Add Credentials .
10. Open the Managed Credentials drop-down from the expanded Select Credential Type panel.
11. Click HQ Windows Credentials . (You may need to mouse over the credentials to find them.)
12. Click the X in the upper right corner of the Select Credential Type panel to close.
13. Click Compliance from the Settings menu located on the left.
14. Click the plus sign (+) to the right of Add Compliance Audits .
15. Scroll down the list to the right and click the Windows drop-down.
16. Click (Upload a custom Windows audit file) .
17. Click Add File .
18. Locate the file Windows_password.audit and upload it.
19. Click Save .
20. Click Save & Launch .


Part 1: Task 1
1. What is an easy way to create controls in an audit file?
● Take an existing audit file, look for a similar control and modify it.
2. Did the check give a solution? How would you change the audit file to provide this information?
(Hint : See page 414 of the Compliance Checks Reference Guide located here .)
● No. Add additional information in the description tag.
Part 1: Task 2
1. Did the Windows server 2016 host pass the control?
● No.
2. What was the minimum password length on the Windows Server 2016 host, vs. the policy value?
● The host minimum password length (output) is 0, and the policy value is 15 characters.


Compliance Analysis


At the end of this module, you will be able to:
● Analyze compliance audit results
● Create an exported report from your failed audit results

Part 1: Task 1 - Create an Exported Report for all Failed Results for a Specific Audit File
Using filters and the export scheduler, create a report that displays only the failed results for a particular
audit file.
Step-by-step Instructions:
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the
credentials provided.
2. Click Vulnerability Management .
3. Click the Menu button to select Findings , under Explore .
4. Click the Host Audits tab.
5. Click the Filter icon to expand the filter control panel.
6. Scroll down to the Result filter and select the checkbox for Failed .
7. Click Select Filters , and select Audit File . Then, click the X.
8. Enter *Server_2016* in the Audit File field underneath is equal to .
9. Click Apply .
10. Click Saved Filters , and then Save .
11. Enter CIS MS Server 2016 Failed Checks , then click the check mark .
12. Select the checkbox at the top of the list, to the left of {number} Host Audits to select all of the filtered
results, and then click Select all [number] host audits .
13. Click Export .
14. Rename the export as MS 2016 Failed Audits .
15. Select CSV format.
16. Click the down arrow next to Configurations .
17. Select Benchmark Version .
18. Click Export .


Optional Advanced Problems
This section is optional and can be completed during any free time you may have available while taking this
course.
TOTAL ESTIMATED OPTIONAL EXERCISE TIME: 30:00 MINUTES
Task 1 - Limit the Scope of a Windows File Contents Search
In a Windows file content search, you can limit which directories are searched by using the directive
include_paths. Refer to the Nessus Compliance Checks Reference Guide . Create an audit file that only
searches c:\windows\users and c:\Documents and Settings for credit card numbers. Then, upload
this audit file to Tenable Vulnerability Management, create a policy and scan companyname-hq.
Note: There are several different ways to complete this task.
Task 2 - Check to Ensure All Windows Hosts in Headquarters are Windows Server 2016
Check to make sure that all the Windows hosts in HQ are Windows server 2016. Hint : The CIS Windows Server 2016 benchmark that was used earlier in this lab has a conditional that can be used to model a check.
Task 3 - Create a Conditional in an Audit File
Create an audit file that has a control that says, “If the operating system is Windows 2016, then the minimum password length must be 16 characters.”


Answer Key
Part 1: Task 1
1. Is it possible to schedule your export?
● Yes. In the Export pop-out, enable the slider next to schedule .
2. How can you filter on audit checks that are related to passwords?
● Use the Audit Name filter and wildcards. For example, Audit Name is equal to *password* .



 Prioritization with VPR

At the end of this exercise, you will be able to:
● Use various tools in Tenable Vulnerability Management to prioritize remediation actions.

Part 1: Task 1 - Create a Filter for VPR 9 or Higher Items

Create a filter for VPR 9 or higher items.
Step-by-step Instructions:
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the
credentials provided.
2. Click the Vulnerability Management tile in the workspace.
3. Click Menu in the upper left corner.
4. Click Findings underneath Explore .
5. Click the Filter icon, underneath Vulnerabilities , to open the Filters panel.
6. Click Select Filters .
7. Search for and select the checkbox next to VPR .
8. Click the X to close the Select Filters pop-out.
9. Click Is Equal to in the VPR filter and select Is Greater Than or Equal To .
10. Type 9 in the field below.
11. Click Apply .
12. Click Saved Filters (at the top, to the right of the Filter icon) and click Save .
13. Type VPR 9 or Higher Items .
14. Click the check mark .
15. Click the Filter icon to close the Filters panel.

Part 1: Task 2 - Identify and Report on Assets

Now that you have identified the VPR 9 or higher vulnerabilities, you want to know which assets have those
vulnerabilities. Create a report for these assets.
Step-by-step Instructions:
1. Click Asset , next to Group By (at the top, just underneath the Filter icon).
2. Select the checkbox at the top to select all [number] Assets (The exact number may vary slightly in the
lab environment).
a. Note: This will only select the first 50 assets grouped. To select all, click Select all [Number]
assets .
3. Click Export .
4. Change the name to Assets with VPR 9 or Higher .
5. Select CSV .
6. Click to enable the Schedule slider.
7. Click the date and select tomorrow’s date .
8. Click the time , and select midnight .
9. Select your current Timezone .
10. Click Daily and select Weekly on {Day} .
11. Click Schedule Export .

Answer Key

Part 1: Task 1
1. Is the highest VPR item at the top of the list?
● No
2. What other field is available for sorting on this table?
● Last Seen, Name, Severity
3. How can you change the sort column on the table?
● Click a column header.
Part 1: Task 2
1. When new assets are discovered with VPR 9 or higher items, will they be reported on automatically?
● No, only the selected assets will be reported





CVSS and Advanced Analysis Filters

At the end of this exercise, you will be able to:
● Use various tools in Tenable Vulnerability Management to prioritize remediation actions:
○ Common Vulnerability Scoring System (CVSS) impact analysis
○ Remediation analysis

Part 1 - Impact Analysis

Management is concerned about Denial of Service vulnerabilities in critical assets. In this section, create a filter to identify Denial of Service vulnerabilities in critical assets using CVSS v3 vector information and the Critical Asset tag. Then, create a dashboard widget showing these vulnerabilities.
Part 1: Task 1 - Create a Filter for Denial of Service Vulnerabilities Using CVSSv3 Vectors
Create a filter for Denial of Service vulnerabilities using CVSSv3 vector analysis in Critical vulnerabilities.
Save this filter as “DOS vulns in critical assets.”
Step-by-step Instructions:
1. Ensure you are logged into Tenable Vulnerability Management via cloud.tenable.com with the
credentials provided.
2. Click Menu in the upper left corner.
3. Click Findings underneath Explore .
4. Click Advanced (at the top).
5. In the text bar to the right of Saved Filters , select and clear all text, so that you see only the grayed-out text Enter filter query .
6. Type CVSSv3 Vector is equal to *A:H* OR CVSSv3 Vector is equal to *A:L* in the Enter filter query text field.
7. Press Enter .
8. Click Saved Filters (at the top, to the right of the Filter icon) and click Save . (You may instead see Save
as New , if the previous saved query is still selected.)
9. Type DOS vulns in the text field
10. Click the check mark .


Part 2 - Remediation Analysis

Applying temporary fixes or workarounds can be time consuming. In this section, show items where there is only an
official patch.
Part 2: Task 1 - Create a Filter for Official Fixes for CVSSv3 and CVSSv2
Create a filter using CVSSv3 or CVSSv2 that only shows vulnerabilities where there is an official fix.
Step-by-step Instructions:
1. Click Menu in the upper left corner.
2. Click Findings underneath Explore .
3. Click Advanced (to the right of Saved Filters ).
a. Note: If you are still in the Advanced filter mode from the previous task, click the X to the right
of the query text to clear it. Then, proceed to the next step.
4. Type CVSSv2 Temporal Vector is equal to *RL:OF* OR CVSSv3 Temporal Vector is equal to *RL:O* in the Enter filter query field and then press Enter .
5. Click Saved Filters .
a. Note: You may see DOS vulns [Edited] instead of Saved Filters . In that case, click that, and then
Save as New .
6. Click Save , and type Official Fixes in the text field.
7. Click the check mark .


Part 2: Task 2 - Identify Vulnerabilities Where There is No Fix
Search for vulnerabilities where there is no fix. This information allows you to develop other mitigation
actions to protect assets.
Step-by-step instructions:
1. Click Menu in the upper left corner.
2. Click Findings underneath Explore .
3. Click Advanced (to the right of Saved Filters ).
a. Note: If you are still in the Advanced filter mode from the previous task, click the X to the right
of the query text to clear it. Then, proceed to the next step.
4. Type CVSSv2 Temporal Vector is equal to *RL:U* OR CVSSv3 Temporal Vector is equal to *RL:U* in the Enter filter query field and then press Enter .
5. Click Saved Filters .
a. Note: If you have continued from the previous task, you may see Official Fixes [Edited] instead
of Saved Filters . In that case, click that, and then Save as New .
6. Click Save , and type Vulnerabilities where there is no fix in the text field.
7. Click the check mark .

 
Part 3 - Mixed Analysis
In this section, combine multiple items into one filter to look for specific impacts.
Part 3: Task 1 - Create a Filter for VPR Critical Items that Allow for Denial of Service
Identify VPR 9 or higher items that allow for Denial of Service using CVSS v3, and save this as a filter called
Critical Denial of Service Vulnerabilities.
Step-by-step Instructions:
1. Click Menu in the upper left corner.
2. Click Findings underneath Explore .
3. Click Advanced (to the right of Saved Filters ).
a. Note: If you are still in the Advanced filter mode from the previous task, click the X to the right
of the query text to clear it. Then, proceed to the next step.
4. Type VPR is greater than or equal to 9 AND (CVSSv3 Vector is equal to *A:L* OR CVSSv3 Vector is
equal to *A:H* OR CVSSv3 Vector is equal to *A:M*) in the Enter filter query field and then press Enter .
5. Click the Saved Filters (or the drop-down from the previous saved search).
6. Click Save (or Save as New ), then type Critical Denial of Service Vulnerabilities in the text field that
appears.
7. Click the check mark .


Part 3: Task 2 - Identify Critical Denial of Service Vulnerabilities Where There is No Fix
Be aware of vulnerabilities that exist where there is no fix, so you can take the appropriate remediation
actions.
Step-by-step instructions:
1. Click Menu in the upper left corner.
2. Click Findings underneath Explore .
3. Click the Filter icon, underneath Host Vulnerabilities , to open the Filters panel.
a. If the icon is disabled, click Advanced to toggle back to Basic mode.
4. Click Select Filters .
5. Type CVSS in the Find Filters field and select the checkbox for CVSSv3 Temporal Vector .
6. Click the X to close the Select Filters box.
7. Locate the CVSSv3 Temporal Vector filter and type *RL:U* underneath is equal to .
8. Click Apply .
9. Click the Saved Filters (or the drop-down from the previous saved search).
10. Click Save (or Save as New ), then type DOS vulns with no fix in the text field that appears.
11. Click the check mark .

Answer Key
Part 1: Task 1
1. Click the VPR until the highest rated VPR item is at the top. Are there vulnerabilities that have a Critical
(i.e., greater than 9) VPR rating?
● Yes
2. Click the first vulnerability and look at CVSS v3 vector. How can you tell whether this is a High or Low
availability issue?
● Look at the CVSS vector value and look for A:H or A:L. If it is A:H, it is High. If it is A:L, it is Low.
Part 2: Task 1
1. What does the acronym RL stand for in the filter?
● Remediation Level
2. If you wanted to find vulnerabilities where there was no fix, what would you search on?
● RL:U
Part 2: Task 2
1. What kind of actions could you take when there is no direct remediation available?
● Improved firewall protection, Access Control Lists (ACLs) for the asset, or intrusion protection
system (IPS) rules.
2. What other business units might want this information?
● There are several possible answers, including Incident Response, Legal, the CISO and System
Administrators.
Part 3: Task 1
1. Are the vulnerabilities sorted by VPR?
● Not by default.
2. Is there a way to export a report on a single vulnerability in this list?
● Yes, a couple of ways:
i. Click the More (three vertical dots) icon in the Actions column to the far right of the
vulnerability, then select Export.
ii. Select the checkbox to the far left of the vulnerability, then click Export at the top. This
method has the advantage of allowing you to select multiple vulnerabilities as well.
Part 3: Task 2
1. Does this filter identify all Critical Denial of Service vulnerabilities where there is no fix?
● No, if the vulnerability has a CVSS v2 but no CVSS v3 value, it will not be identified.
2. How can you identify assets that have Critical Denial of Service vulnerabilities where there is no fix?
● Click By Asset, or click the Plugin for a list of affected assets for that plugin.
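
The mixed analysis above, together with the answer key's point that a finding carrying only a CVSS v2 vector is not identified, worked through in Python as an added example (not part of the lab or of Tenable's product). The findings and their field names are constructed; the first function applies the wildcard patterns as typed in the lab, and the second parses the vectors and falls back to CVSS v2 (availability P or C, RL:U) when no v3 vector is present.

```python
from fnmatch import fnmatchcase

# Constructed sample findings; field names are illustrative, not an export schema.
FINDINGS = [
    {"plugin": "plugin-A", "vpr": 9.4,   # v3, availability High, no fix
     "cvss3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
     "cvss3_temporal": "E:U/RL:U/RC:C", "cvss2": "", "cvss2_temporal": ""},
    {"plugin": "plugin-B", "vpr": 9.1,   # v2 only, availability Complete, no fix
     "cvss3": "", "cvss3_temporal": "",
     "cvss2": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "cvss2_temporal": "E:U/RL:U/RC:C"},
    {"plugin": "plugin-C", "vpr": 9.6,   # v3, availability High, official fix exists
     "cvss3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "cvss3_temporal": "E:P/RL:O/RC:C", "cvss2": "", "cvss2_temporal": ""},
    {"plugin": "plugin-D", "vpr": 9.2,   # v3, no availability impact
     "cvss3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
     "cvss3_temporal": "E:U/RL:U/RC:C", "cvss2": "", "cvss2_temporal": ""},
    {"plugin": "plugin-E", "vpr": 7.0,   # v3, availability Low, but VPR below 9
     "cvss3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
     "cvss3_temporal": "E:U/RL:U/RC:C", "cvss2": "", "cvss2_temporal": ""},
]


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into {'AV': 'N', ...}; a 'CVSS:3.x' prefix is just one more key."""
    return dict(part.split(":", 1) for part in vector.split("/") if ":" in part)


def lab_filter(findings):
    """Wildcard filters as typed in the lab: VPR >= 9, CVSSv3 A:L/A:H/A:M, CVSSv3 RL:U."""
    patterns = ("*A:L*", "*A:H*", "*A:M*")
    return [f["plugin"] for f in findings
            if f["vpr"] >= 9
            and any(fnmatchcase(f["cvss3"], p) for p in patterns)
            and fnmatchcase(f["cvss3_temporal"], "*RL:U*")]


def with_v2_fallback(findings):
    """Same intent on parsed metrics, using the v2 vectors when a finding has no v3 vector."""
    hits = []
    for f in findings:
        if f["cvss3"]:
            base, temporal = parse_vector(f["cvss3"]), parse_vector(f["cvss3_temporal"])
            affected = {"L", "H"}          # CVSS v3 availability: Low, High
        else:
            base, temporal = parse_vector(f["cvss2"]), parse_vector(f["cvss2_temporal"])
            affected = {"P", "C"}          # CVSS v2 availability: Partial, Complete
        if f["vpr"] >= 9 and base.get("A") in affected and temporal.get("RL") == "U":
            hits.append(f["plugin"])
    return hits


def missed_by_v3_only(findings):
    """Findings the v3-only wildcard filter leaves out but the fallback catches."""
    seen = set(lab_filter(findings))
    return [p for p in with_v2_fallback(findings) if p not in seen]
```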


