Getting ready

In order to perform this activity, you will have to satisfy the following prerequisites on your machine:

In order to install Nessus, you can follow the instructions provided in Chapter 2, Understanding Network Scanning Tools. This will allow you to download a compatible version of Nessus and install all the required plugins. In order to check whether your machine already has Nessus installed, open the search bar and search for the Nessus Web Client. Once found and clicked on, it will open in the default browser window:

If you are sure Nessus is correctly installed, you can use the https://localhost:8834 URL directly in your browser to open the Nessus Web Client. If you are unable to locate the Nessus Web Client, you should remove and re-install Nessus. For the removal and installation instructions, refer to Chapter 2, Understanding Network Scanning Tools. If you have located the Nessus Web Client but are unable to open it in the browser window, you need to check whether the Nessus service is running in the Windows services utility, as shown here:

You can also start and stop Nessus as per your requirements by using the services utility. In order to further confirm the installation using the command-line interface, you can navigate to the installation directory to see and access Nessus command-line utilities:
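The service check and the command-line check described above can be scripted from an elevated PowerShell prompt instead of clicking through the Services utility. The following is an added example, not code from the book; it assumes the Windows service is registered as "Tenable Nessus", that Nessus listens on its default port 8834, and that it was installed under the default directory C:\Program Files\Tenable\Nessus (adjust these values if your installation differs).

```powershell
# Added example (not from the book): verify the Nessus prerequisites from PowerShell.
# Assumptions (not stated on the page): service name "Tenable Nessus", default port 8834,
# default install directory C:\Program Files\Tenable\Nessus.

$ServiceName = 'Tenable Nessus'
$InstallDir  = 'C:\Program Files\Tenable\Nessus'
$Port        = 8834

# 1. Is Nessus installed at all? nessuscli.exe is the command-line utility that ships
#    with Nessus; if it is missing, the installation did not complete.
$Cli = Join-Path $InstallDir 'nessuscli.exe'
if (-not (Test-Path $Cli)) {
    Write-Warning "nessuscli.exe not found under $InstallDir; re-install Nessus (see Chapter 2)."
    return
}

# 2. Is the service registered, and is it running? Start it if it is stopped.
$Svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $Svc) {
    Write-Warning "Service '$ServiceName' is not registered; re-install Nessus."
    return
}
if ($Svc.Status -ne 'Running') {
    Write-Host "Service is $($Svc.Status); starting it (requires an elevated prompt)..."
    Start-Service -Name $ServiceName
    # Wait up to 60 seconds for the service controller to report Running.
    $Svc.WaitForStatus('Running', (New-TimeSpan -Seconds 60))
}
Write-Host "Service '$ServiceName' is $((Get-Service -Name $ServiceName).Status)."

# 3. Is the web client actually listening? https://localhost:8834 cannot load in the
#    browser until something accepts TCP connections on this port.
$Tcp = Test-NetConnection -ComputerName 'localhost' -Port $Port -WarningAction SilentlyContinue
if ($Tcp.TcpTestSucceeded) {
    Write-Host "Nessus Web Client is reachable at https://localhost:$Port"
} else {
    Write-Warning "Nothing is listening on port $Port yet; Nessus may still be loading its plugins."
}

# 4. List the command-line utilities that live in the installation directory.
Get-ChildItem -Path $InstallDir -Filter '*.exe' | Select-Object Name, Length
```

Run the script after a fresh installation or whenever the Web Client will not load; a running service with nothing listening on port 8834 usually means Nessus is still compiling plugins and simply needs a few more minutes.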

It is always recommended to have administrator or root-level credentials to provide the scanner access to all system files. This will allow the scanner to perform a deeper scan and populate better results compared to a non-credentialed scan. The policy compliance module is only available in paid versions of Nessus, such as Nessus Professional or Nessus Manager. For these, you will have to purchase an activation key from Tenable and update it in the Settings page, as shown here:

Click on the Edit button to open a window and enter the new activation code purchased from Tenable:

In order to test the scans, we need to install a virtual machine. In order to run a virtual machine, I would recommend using VMware, which can be downloaded and installed from https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html.

For the test system, readers can download Metasploitable (a deliberately vulnerable virtual machine by Rapid7) from https://information.rapid7.com/download-metasploitable-2017.html. Apply the following steps to open Metasploitable. It provides various components, including an operating system, a database, and a vulnerable application, which will help us to test the recipes in the current chapter:

  1. Unzip the downloaded Metasploitable package:

  2. Open the .vmx file using the installed VMware Workstation or VMware Player:

  3. Log in using msfadmin/msfadmin as the username and password: