
Nessus Through a Transparent Proxy

On occasion you will need to proxy Nessus (or Netsparker and similar tools) through a VPS or an ec2 instance in the cloud, because your originating IP has been blocked while scanning a web app.

There are a number of ways to do this; however, if you are struggling to get the inbuilt Nessus proxy to work, and tools like TinyProxy are giving you SSL issues, then this solution, albeit long-winded, may save you some time.

What we are going to do is set up an ec2 instance, point our domain at it, install Nginx and configure a transparent proxy using proxy_pass with SSL verification of the target disabled.

Once this is set up, you can then simply scan port 443 of your ec2 instance, and the HTTPS traffic will be proxied through to the application you are targeting.

So let's get an ec2 instance set up using the Free Tier. You can follow the steps here to launch an ec2 instance.

First, log in and select your region based on your preferences.

Next you will want to launch an instance:

Once you have selected this you will want to choose an Amazon Machine Image - we will be using an Ubuntu 18.04 image:

Next choose the free tier eligible instance type - this will let you launch the instance and run it for the length of your engagement, likely without incurring any expense:

Next you will need to configure instance details, storage and tags, for all of which the default configuration is fine.

Next come Security Groups. Here you should allow port 80 from anywhere (we will need this for Letsencrypt), and ports 22 and 443 only from the IPs of your box and your Nessus instance.

Next comes the Review, where you can create your AWS Key pair - name it accordingly and download it.

Once this is done, go to your domain name provider, and point an A record at the IP address of your ec2 instance.

AWS will give you this information, or alternatively you can SSH into your ec2 instance and type:

curl icanhazip.com

The output will be the public IP address of your ec2 instance.

Once the DNS records have propagated, you can install Nginx and get your Letsencrypt certificate in the following steps.

First update:

sudo apt-get update

Next install nginx: 

sudo apt-get install nginx

Next add the certbot repository:

sudo add-apt-repository ppa:certbot/certbot

You’ll need to press ENTER to accept.

Install Certbot’s Nginx package with apt:

sudo apt install python-certbot-nginx

Next you will want to get the SSL certificate for your domain using certbot:

sudo certbot --nginx -d your_domain -d www.your_domain

Once this has run, and you have selected a further option or two, you should see the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now you will want to edit the Nginx site config that Certbot just modified (on Ubuntu this is the lowercase default file):

sudo vim /etc/nginx/sites-enabled/default

Replace the conf file with the following, using your own domain and the certificate lines that Letsencrypt generated, and changing YOUR_TARGET_IP_HERE to the box you want to scan:

server {
    location / {
        # Forward every request to the target over HTTPS. proxy_ssl_verify off
        # means Nginx does not validate the target's certificate (self-signed
        # certs will work), so the proxy will not notice a bad upstream cert.
        proxy_pass https://YOUR_TARGET_IP_HERE;
        proxy_ssl_verify off;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = your_domain) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name your_domain;
    return 404; # managed by Certbot
}
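Hand-edited Nginx site files often lose a closing brace, or end up with the listen and ssl_* directives inside location /, which Nginx rejects with "directive is not allowed here". The following Python is an added example (not from the original post) that parses a site file into blocks and flags both mistakes, and also flags proxy_ssl_verify off because it disables validation of the target's certificate; the NAIVE_FIX sample config is constructed.

```python
import re
# nginx accepts these only directly inside a server block; a site file that
# has them inside location / fails with "directive is not allowed here".
SERVER_ONLY = {"listen", "server_name", "ssl_certificate", "ssl_certificate_key", "ssl_dhparam"}

def parse_nginx(text):
    """Nest an nginx config into (directive, children) tuples; ValueError on bad braces."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments such as "# managed by Certbot"
    stack, buf = [[]], ""
    for ch in text:
        if ch == "{":                      # open a block named by the buffered text
            block = (buf.strip(), [])
            stack[-1].append(block)
            stack.append(block[1])
            buf = ""
        elif ch == "}":                    # close the innermost open block
            if len(stack) == 1 or buf.strip():
                raise ValueError("stray '}' or directive missing ';'")
            stack.pop()
            buf = ""
        elif ch == ";":                    # end of a simple directive
            stack[-1].append((buf.strip(), None))
            buf = ""
        else:
            buf += ch
    if len(stack) != 1:
        raise ValueError(f"{len(stack) - 1} unclosed block(s)")
    return stack[0]

def lint(tree, context="main", findings=None):
    """Flag directives nginx rejects in their context and the disabled upstream cert check."""
    findings = [] if findings is None else findings
    for directive, children in tree:
        words = directive.split()
        name = words[0] if words else ""
        if children is not None:
            lint(children, name, findings)  # recurse with the block's name as the context
        elif name in SERVER_ONLY and context != "server":
            findings.append(f"{name} in {context} block: only valid in server")
        elif name == "proxy_ssl_verify" and words[-1] == "off":
            findings.append("proxy_ssl_verify off: target certificate not validated")
    return findings

# Constructed sample: a site file with one '}' added to balance the braces, which still leaves listen inside location /.
NAIVE_FIX = """server {
    location / {
        proxy_pass https://YOUR_TARGET_IP_HERE;
        proxy_ssl_verify off;
    listen 443 ssl;
    }
}"""
```

Run lint(parse_nginx(open("/etc/nginx/sites-enabled/default").read())) on the box before restarting Nginx; an empty list apart from the proxy_ssl_verify note means the structure is sound.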

Then restart Nginx:

sudo service nginx restart

If at this point you have done everything right, you should be able to cURL your own domain and receive the index page of the application sitting behind the proxy.

The final step is to firewall port 80 (it was only needed for Letsencrypt), and only allow connections to ports 22 and 443 from your working machine and the Nessus IP.
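As an added check (not from the original post), this Python audits an ec2 security group's inbound rules, in the shape boto3's describe_security_groups returns them in IpPermissions, against the exposure described here: 22 and 443 only from the operator and Nessus IPs, and 80 from anywhere only while Certbot runs. The sample rules and the 203.0.113.x / 198.51.100.x addresses are constructed; fetching the live rules with boto3 is left to the reader.

```python
import ipaddress

# Ports the proxy setup needs: 22 and 443 from the operator/Nessus IPs only;
# 80 from anywhere only while Certbot's HTTP challenge runs.
OPERATOR_PORTS = {22, 443}

def audit_ingress(permissions, allowed_cidrs, certbot_phase=False):
    """Check boto3-style IpPermissions (as describe_security_groups returns)
    against the exposure the setup needs; returns a list of findings."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rule in permissions:
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if proto == "-1":                           # "All traffic" rule, no ports
            findings.append(f"all traffic open to {', '.join(cidrs)}")
            continue
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            trusted = any(net.version == a.version and net.subnet_of(a) for a in allowed)
            if lo == hi == 80:
                if not certbot_phase:
                    findings.append(f"port 80 still open to {cidr}; close it after certbot")
            elif lo == hi and lo in OPERATOR_PORTS:
                if not trusted:
                    findings.append(f"port {lo} open to {cidr}, not an operator/Nessus IP")
            else:
                findings.append(f"{proto} {lo}-{hi} open to {cidr}: not needed by the proxy")
    return findings

# Constructed sample matching the security group described on the page.
PAGE_GROUP = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "198.51.100.7/32"}]},
]
```

Run it once with certbot_phase=True while obtaining the certificate and once with the default afterwards; the second run should only ever be clean once port 80 has been closed.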

Now you should be able to scan transparently through the ec2 instance if the IP of your Nessus host or other toolset has been blocked. Note that you will also be able to run any other tools that generate HTTPS traffic through the proxy.

Should you be blocked again, then you can assign a new Elastic IP (docs here) and simply change the A record of your domain to the new IP address.