Article 59: Solution to a VMware virtual machine losing its network connection as soon as the scanner is turned on | Summary of pitfalls


Part 1 Preface

Hello everyone, my name is ABC_123. The official account has been renamed "Xitan Laboratory"; please stay tuned. In day-to-day penetration testing and security service work, the AWVS and Nessus scanners are used often: one scans for web vulnerabilities, the other for system vulnerabilities. These scanners are generally not installed directly on the physical machine, because some vulnerability scanning plug-ins get flagged and killed by anti-virus software, and the scanners open many services and slow the physical machine down. So most people install them in a VMware virtual machine and only start the VM when it is needed. That, however, causes problems of its own: for example, as soon as the Nessus scanner starts, the virtual machine drops off the network after 5 or 10 minutes, or the scan results are inaccurate. Today ABC_123 summarizes these issues, all based on practical experience.

It is recommended that everyone star the official account "Xitan Laboratory", otherwise you may miss posts, because official accounts now show large-image pushes only for accounts that are frequently read and starred. To do so: click [...] in the upper right corner, then click [Set as Star].

Part 2 Technical Research Process

  • Proper steps to set up bridging

When using a scanner in a VMware virtual machine, it is best to use bridge mode rather than NAT mode. Many readers may be dismissive at this point ("Who doesn't know how to set up bridge mode?"), but VMware has a major pitfall here, and it took a long time to solve. On a project in 2016, as soon as some colleagues turned on the scanner in their VMware virtual machines, the VMs lost their network connection within about 5 minutes. I then spent 2 days changing the VMware settings one by one and testing repeatedly, and finally found that the problem was the "Automatic" setting of bridge mode. Below, ABC_123 gives a reliable, problem-free set of steps.

First select "Bridged" mode, then check "Replicate physical network connection state".


The next step is actually the most critical one: manually selecting the network adapter to bridge to.

First, check the network adapter name of the physical machine. Run the "ipconfig /all" command to list this machine's adapters; here the physical adapter is clearly "TAP-Windows Adapter V9".


Next, click "Virtual Network Editor" under the "Edit" menu.


You will then see that the option after "Bridged to" defaults to "Automatic". In our experience, this is the reason the VMware guest drops off the network as soon as the scanner starts.


Here you need to manually select the physical machine's "TAP-Windows Adapter V9" adapter, then click "OK" all the way out, and you are done.


In practice, with this setting VMware no longer loses its network connection 5 minutes into a vulnerability scan.

  • Use a wired connection and avoid Wi-Fi where possible

I have tried installing the AWVS and Nessus scanners on a physical machine. Over Wi-Fi, using AWVS to scan for web vulnerabilities is no problem. However, when Nessus is used to scan for system vulnerabilities, the Wi-Fi will definitely drop out after a few minutes, and the wireless device then has to be restarted. This shows that when using a scanner you should use a wired connection wherever possible.

  • Other solutions

For example: reduce the scanner's number of parallel tasks, scan only one website per task, upgrade the Wi-Fi hardware, upgrade the bandwidth, and so on. I will not go into detail.

  • Use bridge mode rather than NAT mode

This refers mainly to the article "Analysis of false alarms of Nmap detecting host survival under VMware NAT network" published by Shad0wpf_ on FreeBuf. ABC_123 reproduced it and found that the problems are real, which again shows that bridge mode should be chosen whenever possible. When scanning in NAT mode, you will run into the following scanner false-positive problems:

 1   In virtual machine NAT mode, the TTL value returned by the ping command is always 128.


 2   Nmap's host-discovery check reports every IP as alive, producing false positives.

nmap -sP 8.131.x.x/24 -n


 3   nmap's operating system identification is inaccurate.

Use the command nmap 8.131.xx -p 3389,21,445 -n -O to probe a Windows host. In NAT mode, nmap's OS detection gives the following result: the target is clearly a Windows system, yet under NAT it is identified as Linux:


In bridge mode, nmap's OS detection gives the following result:


Clearly, in bridge mode nmap identifies the operating system type more accurately.
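The two NAT-mode artifacts described above (every ping reply carrying TTL 128, and a ping sweep reporting every address as alive) can be checked mechanically before trusting a scan. The helper below is an added example, not code from the original article or from the FreeBuf post; the ping and nmap outputs it parses are constructed samples, and the 8.131.0.x addresses are placeholders in the spirit of the article's masked range.

```python
# Added sanity check for scan output taken from a VMware guest: flags the NAT
# artifacts the article describes so the tester knows to switch the guest to
# bridge mode before trusting host discovery. Sample outputs are constructed.
import re
from collections import Counter

TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)  # Windows "TTL=128", Linux "ttl=64"
UP_RE = re.compile(r"Nmap scan report for (\S+)\nHost is up")

def ttl_profile(ping_output: str) -> Counter:
    """Count how many ping replies carried each TTL value."""
    return Counter(int(t) for t in TTL_RE.findall(ping_output))

def nat_ttl_artifact(ping_output: str, min_replies: int = 3) -> bool:
    """True when every reply has TTL 128 regardless of target, which is what
    the VMware NAT gateway produces (a real Linux target would show 64)."""
    profile = ttl_profile(ping_output)
    total = sum(profile.values())
    return total >= min_replies and profile.get(128, 0) == total

def hosts_up(nmap_output: str) -> list:
    """Addresses that an 'nmap -sP' run reported as alive."""
    return UP_RE.findall(nmap_output)

def nat_sweep_artifact(nmap_output: str, addresses_probed: int) -> bool:
    """True when the sweep claims every probed address is alive: under NAT the
    virtual gateway answers for all of them, so the result is not trustworthy."""
    return addresses_probed > 0 and len(hosts_up(nmap_output)) >= addresses_probed

# Constructed ping output from a NAT-mode guest: Linux and Windows targets all
# come back with TTL=128 because the NAT gateway replies on their behalf.
PING_NAT = """Reply from 8.131.0.10: bytes=32 time=12ms TTL=128
Reply from 8.131.0.11: bytes=32 time=13ms TTL=128
Reply from 8.131.0.12: bytes=32 time=11ms TTL=128
"""
# Constructed ping output from a bridged guest: the real per-OS TTLs show through.
PING_BRIDGED = """Reply from 8.131.0.10: bytes=32 time=12ms TTL=64
Reply from 8.131.0.11: bytes=32 time=13ms TTL=128
Reply from 8.131.0.12: bytes=32 time=11ms TTL=64
"""
# Constructed 'nmap -sP' output for a three-address probe where everything is "up".
NMAP_NAT = """Nmap scan report for 8.131.0.10
Host is up (0.0010s latency).
Nmap scan report for 8.131.0.11
Host is up (0.0012s latency).
Nmap scan report for 8.131.0.12
Host is up (0.0011s latency).
"""
```

Feed the functions the real ping or nmap output captured from the guest; if either check returns True, re-verify the guest's network mode (bridged to the physical adapter, not "Automatic" or NAT) before reading anything into the sweep.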

Part 3 Summary

1.   These vulnerability scanners still take time to study. For example, installing Nessus on a VPS and, with authorization, feeding assets in for full-port scanning often gives unexpected results.

2.   Before using these scanners for vulnerability scanning, be sure to communicate with the client (Party A). Try to schedule it outside working hours and avoid peak business hours; scanning at night is best, because some scanners send malformed packets that may crash business services.

3.   During internal network vulnerability scanning, some systems have not been changed in 10 or 20 years, and probing a service with nmap may cause the business to freeze. Therefore, the customer's business situation must be assessed in advance, and when necessary the business still takes priority.


This official account focuses on sharing network security techniques, including APT incident analysis, red team attack and defense, blue team analysis, penetration testing, code auditing, and so on. One article per week, 99% original; stay tuned.

Contact me: 0day123abc#gmail.com(replace # with @)


Origin blog.csdn.net/m0_71692682/article/details/130445646