Nessus Scanning and ChatGPT Aided Shellshock Vulnerability Exploit

Nessus and scanning/exploiting a target on Offsec Proving Grounds Play

What is Nessus?

Nessus is a vulnerability scanner that can scan and asses the complete attack surface of a target. With Nessus, you can scan a network for potential vulnerabilities, and even automatically exploit these discovered vulnerabilities. It supports different type of scans like Host Scan, Basic Network Scan, Malware Scan, Active Directory Scan, etc. It is a great tool for enumerating a target network and discovering potential ways to gain access.

Setting up Nessus

Nessus can be installed on Windows, Linux, Mac, Docker and even on Kasm Workspaces. Kasm is a docker container streaming platform for streaming desktops, browsers and applications to your web browser.

You can install Kasm Workspaces on your Linux machine with four simple commands by following the official installation guide here.

If you’d like to install Nessus on your machine directly (without Docker or Kasm), you can follow the installation guide here.

If you’re setting up Nessus on Kasm, you need to edit some minor configurations. Go to Admin -> Workspaces and edit the Nessus image. For the “Docker Exec Config”, use this configuration:

{"first_launch": { "cmd": "bash -c 'sudo apt-get update -y && sudo apt-get install -y openvpn  && sudo apt-get install -y iputils-ping'"}}

For “Docker Run Config Override”, use this configuration:

{"user":"root","cap_add":["NET_ADMIN"],"devices":["dev/net/tun","/dev/net/tun"],"privileged":true}

These configurations will enable you to use OpenVPN within the Nessus container spawned in Kasm.

On the first launch of Nessus, you need to register for Nessus Essentials to be able to use it for free.

You will then need to submit your name and email to receive an activation code.

Once the registration process is complete, Nessus will download all the plugins and compile them. This is going to take a lot of time — it took me 2 hours! So be patient, I guess.

Once the plugins are downloaded and compiled, you will be able to start scanning.

Scan and Exploit

We will perform our first scan on a machine called “Sumo” from Proving Grounds Play, which is a free platform offered by Offsec to practice hacking. Once you signup on Proving Grounds Play, you can download your universal VPN pack to be able to connect to the PG Play’s network and scan the target.

To connect using OpenVPN, use the following command:

sudo openvpn universal.ovpn

Now, create a new “Basic Network Scan” on Nessus, set the target to the IP address of the “Sumo” machine on PG Play.

Once the scan is complete, you can see that Nessus was able to find multiple vulnerabilities of different severities.

We’ll focus on the “GNU Bash Environment Variable Handling Code Injection (Shellshock)” vulnerability that Nessus identified.

Upon opening the report, you can see that Nessus was actually able to exploit this vulnerability. The report also clearly states the exact malicious request that Nessus sent in order to exploit the vulnerability.

Let’s try to replicate this request to see if the exploit is actually working.

I asked ChatGPT to give me a CURL one-liner command based on the HTTP request.

Upon running this CURL command, I got a response from the target that proves that the exploit worked. The response contains the output of the command injected in the request.

Using this exploit, one can inject and run arbitrary commands on the target and even get reverse shell access on the target by doing so.

So just like that, with Nessus, we were able to scan a target, find potential vulnerabilities and even get a detailed report on how to exploit one of these vulnerabilities.