Vulnerability Scanning with Nessus¶
Note: This guide is based on OffSec PEN-200 (OSCP) training materials, adapted and rephrased for educational purposes.
Table of Contents¶
- Introduction
- Installing Nessus
- Nessus Components
- Performing Vulnerability Scans
- Analyzing Results
- Authenticated Scans
- Working with Plugins
- Best Practices
Introduction¶
Nessus is an industry-leading vulnerability scanner: at the time of writing its plugin feed covers more than 67,000 CVEs with over 168,000 plugins. This guide covers Nessus Essentials, the free tier, which has limitations compared to Professional:
Essentials limitations:
- Maximum 16 IP addresses
- Some templates unavailable (compliance auditing, for example)
- Limited enterprise features
Note: Concepts apply to most commercial scanners despite version differences.
Installing Nessus¶
System Requirements¶
Recommended: - 4 CPU cores, 8GB RAM
Minimum (for labs): - 2 CPU cores, 4GB RAM
Installation on Kali Linux¶
1. Download Installer
- Visit the Tenable website
- Select: Linux - Debian - amd64 (or Ubuntu - aarch64 for ARM hosts)
- Download the .deb package and note the SHA-256 checksum shown on the download page
2. Verify Checksum
cd ~/Downloads
echo "<sha256_hash> Nessus-<version>-debian10_amd64.deb" > sha256sum_nessus
sha256sum -c sha256sum_nessus
Expected: Nessus-<version>-debian10_amd64.deb: OK
3. Install Package - Install the downloaded .deb with apt from the download directory so that its dependencies are resolved
4. Start Service - Start the nessusd service and confirm it is listening on TCP port 8834
5. Initial Configuration
- Navigate to: https://127.0.0.1:8834
- Accept the self-signed certificate warning
- Click "Continue" to keep the default settings
- Select "Register for Nessus Essentials"
- Enter an email address and request an activation code
- Create the admin account (a strong password is required)
- Wait for the plugin download and compilation, which takes some time
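The download, checksum, install and start steps above can be run as one script that refuses to install when the digest does not match. This is an added example for this guide, not PEN-200 or Tenable code; it assumes the package sits in ~/Downloads, that the expected hash is copied by hand from Tenable's download page (not from the same place the package came from), and that `apt`, `systemctl` and `curl` are available as on Kali.

```bash
#!/usr/bin/env bash
# Added example for this guide (not PEN-200 or Tenable code): verify the
# downloaded Nessus .deb against the SHA-256 shown on Tenable's download page,
# install it with apt, start nessusd and wait for the web UI on 8834.
# Assumptions: the package sits in ~/Downloads and the expected hash is copied
# by hand from the download page and passed as the second argument.
set -euo pipefail

# verify_deb FILE EXPECTED_SHA256: status 0 only if the digest matches.
# sha256sum -c expects "<hash>  <file>" (two spaces) on stdin.
verify_deb() {
  local file="$1" expected="$2"
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status -
}

# Install from the package's own directory so apt treats it as a local file
# and resolves its dependencies, then start the service at boot and now.
install_and_start() {
  local deb="$1"
  (cd "$(dirname "$deb")" && sudo apt install -y "./$(basename "$deb")")
  sudo systemctl enable --now nessusd.service
}

# Poll the web UI (self-signed certificate, hence -k) for up to two minutes.
wait_for_ui() {
  local i
  for i in $(seq 1 60); do
    curl -ksS -o /dev/null https://127.0.0.1:8834/ && return 0
    sleep 2
  done
  echo "nessusd did not answer on 127.0.0.1:8834 after 120s" >&2
  return 1
}

main() {
  local deb="${1:?path to Nessus .deb}" expected="${2:?expected sha256}"
  if ! verify_deb "$deb" "$expected"; then
    echo "checksum mismatch for $deb: refusing to install" >&2
    return 1
  fi
  install_and_start "$deb"
  wait_for_ui && echo "Nessus is up: open https://127.0.0.1:8834 to finish setup"
}

# Only run when invoked as: ./install-nessus.sh --install <deb> <sha256>
if [ "${1:-}" = "--install" ]; then
  main "${2:-}" "${3:-}"
fi
```

Run it as `./install-nessus.sh --install ~/Downloads/Nessus-<version>-debian10_amd64.deb <sha256_hash>`. The point of the two-space separator is that `sha256sum -c` parses its checksum lines in the format it emits itself; a mismatch makes the script stop before `apt` ever sees the package.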
Nessus Components¶
Dashboard Tabs¶
Scans Tab: - View/manage scans - Create new scans - Review results
Settings Tab: - SMTP configuration - Advanced options - License information - Concurrent user settings
Scan Templates¶
Templates are grouped into three categories:
1. Discovery - Host Discovery: List live hosts and open ports
2. Vulnerabilities - Basic Network Scan: Recommended general-purpose template - Advanced Scan: Fully customizable, no defaults - Advanced Dynamic Scan: Uses plugin filters instead of manual selection - Specific vulnerability scans (e.g., PrintNightmare, Zerologon)
3. Compliance (not available in Essentials) - Policy compliance auditing
Nessus Plugins¶
Plugins are NASL (Nessus Attack Scripting Language) programs that detect vulnerabilities. Each plugin belongs to a plugin family (e.g., Web Servers, Ubuntu Local Security Checks).
Performing Vulnerability Scans¶
Basic Network Scan¶
1. Create Scan - Click "New Scan" - Select "Basic Network Scan"
2. Configure Basic Settings - Name: Descriptive scan name - Targets: IP addresses (supports single IP, ranges, CIDR, comma-separated, FQDNs)
Example (illustrative addresses from the RFC 5737 documentation ranges): 192.0.2.10, 192.0.2.20-192.0.2.30, 198.51.100.0/24, web01.example.com
3. Customize Discovery Settings
The default template scans common ports. To scan specific ports:
- Click "Discovery" settings
- Select "Custom" from the dropdown
- Set "Port scan range": 80,443
- Enable "Consider unscanned ports as closed"
UDP Scanning: - Disabled by default - Increases scan duration significantly - Difficult to distinguish open from filtered UDP ports
4. Disable Host Discovery (if hosts known to be up) - Navigate: Discovery > Host Discovery - Toggle "Ping the remote host" to Off
5. Assessment Settings - Brute forcing is disabled by default - Enabling it creates significant network traffic and a burst of failed logins - It is highly noticeable and can lock accounts out, so leave it off unless the engagement explicitly allows it
6. Launch Scan - Click arrow next to "Save" - Select "Launch"
7. Monitor Progress - Status shows "Running" in dashboard - Options to pause or stop - Status changes to "Completed" when finished
Analyzing Results¶
Results Dashboard¶
Hosts Page (default view): - Lists all scanned hosts - Visual vulnerability distribution - Security status overview
Viewing Host Details: - Click on host IP - Shows vulnerability list - Severity column indicates criticality - MIXED severity: Grouped findings
Grouped Findings: - Count column shows number of vulnerabilities - Click to expand group - Click individual vulnerability for details
Detailed Vulnerability Information¶
Each finding includes:
- Description: Vulnerability details
- Solution: Remediation steps
- Risk Information: CVSS score, severity
- Exploit Status: Known exploits
- References: CVE, links, advisories
- Plugin Information: Plugin ID, family
- Output: Detection evidence
VPR Top Threats¶
Vulnerability Priority Rating (VPR) is Tenable's prioritization score; the VPR Top Threats view lists the 10 highest-rated vulnerabilities across all scanned targets, weighting severity by current threat intelligence such as exploit availability. It helps prioritize remediation efforts.
Note: Feature availability depends on Nessus version.
Remediations Page¶
Provides remediation strategies for detected vulnerabilities: - Update instructions - Configuration changes - Mitigation steps - Patch information
History Page¶
Lists all scans with current configuration: - Compare previous results - Track remediation progress - Review historical data
Generating Reports¶
1. Click "Report" Button
2. Select Template: - Detailed Vulnerabilities By Host: Comprehensive findings per host - Complete List By Host: Summary without extensive details - Executive Summary: High-level overview - Custom templates: Various structures and focuses
3. Select Format: - PDF - HTML - CSV - NessusDB
4. Generate and Download
Additional Functions¶
- Audit Trail: Shows why a plugin did or did not report on a given host, which helps track down false negatives
- Export Data: Multiple formats for further analysis
- Scan Configuration: Modify settings
- Re-launch: Run scan again
Authenticated Scans¶
Authenticated scans provide deeper visibility and reduce false positives by logging into targets with valid credentials.
Why Authenticate?¶
Benefits: - Detects missing patches - Identifies vulnerable local software - Checks configuration issues - Reduces false positives
Considerations: - Creates significant system noise (logs, AV alerts) - Requires proper target configuration - Needs privileged accounts for best results
Credentialed Patch Audit Template¶
Pre-configured for local security checks without external vulnerability testing.
Difference from Basic Network Scan with Credentials: - Only performs local security checks - No external perspective scanning - Focuses on patches and outdated applications
Configuration Example: Linux Target¶
1. Create New Scan - Select "Credentialed Patch Audit"
2. Basic Settings - Name: Descriptive name - Target: <target_ip>
3. Credentials Tab
- Host Category: SSH
- Authentication Method: Password
- Username: <username>
- Password: <password>
- Elevate privileges with: sudo
- Sudo user: root
- Sudo password: <password>
4. Launch Scan
Authentication Methods by Platform¶
| Platform | Primary Methods | Secondary |
|---|---|---|
| Linux/macOS | SSH (password/key) | N/A |
| Windows | SMB, WMI | SSH |
| Network Devices | SNMP, SSH | Telnet |
| Databases | DB credentials | N/A |
Windows-Specific Considerations¶
Firewall: - Ensure scanner can connect - Allow SMB/WMI traffic
Antivirus: - May flag the scanner's activity as malicious - Prefer scoped exceptions to disabling protection, and restore any change as soon as the scan completes - Document the AV configuration used
User Account Control (UAC): - Remote UAC token filtering blocks privileged access for local administrator accounts other than the built-in Administrator - Use a domain administrator account, the built-in Administrator, or disable the filtering (LocalAccountTokenFilterPolicy) as described in Tenable's documentation
Analyzing Authenticated Results¶
Disable Grouping for detailed view: - Click settings wheel - Select "Disable Groups"
Typical Findings: - Missing OS patches (by OS version and patch number) - Vulnerable applications (Firefox, curl, etc.) - Plugin family: the target OS's Local Security Checks family (for example, Ubuntu Local Security Checks)
Working with Plugins¶
Dynamic Plugin Filters¶
Instead of manually selecting plugins, use filters to target specific vulnerabilities.
Example: Scanning for CVE-2021-3156 (Sudo Privilege Escalation)¶
1. Create Advanced Dynamic Scan - Select "Advanced Dynamic Scan" template
2. Configure Name and Target
3. Add Credentials (same as authenticated scan)
4. Dynamic Plugins Tab
- Left dropdown: CVE
- Middle dropdown: Equals (or Contains)
- Right field: CVE-2021-3156
- Click "Preview Plugins"
5. Combine Filters (optional)
- Click "+" to add a second filter
- Filter 2 - Left: Plugin Family
- Filter 2 - Right: Ubuntu Local Security Checks
- Click "Preview Plugins" again
Note: Filter combination may not work in all Nessus versions.
6. Review Plugin Details
- Click the dropdown to view the selected plugins
- Shows affected versions, descriptions and Plugin IDs
- Click a plugin for detailed information
7. Launch and Review Results
- Findings show the specified vulnerability only
- Plugin output includes the detection method, version information and whether exploitation was confirmed (or not attempted)
Important: Many plugins detect vulnerabilities from version numbers or banners without attempting exploitation, and a version check cannot see backported patches. Manually verify findings to confirm exploitability before reporting them.
Best Practices¶
Pre-Scan Planning¶
1. Define Scope - Confirm IP ranges - Verify accessibility - Check authorization
2. Coordinate with Teams - Notify system administrators - Schedule maintenance windows - Establish communication channels - Have emergency contacts
3. Configure Appropriately - Match scan type to objective - Use appropriate credentials - Set scan windows - Configure notifications
During Scans¶
Monitor: - Scan progress - System stability - Network impact - Error messages
Be Prepared to: - Pause/stop scans if issues arise - Adjust scan settings - Communicate with stakeholders
Post-Scan Actions¶
1. Verify Findings - Check for false positives - Confirm critical vulnerabilities - Test exploitability when authorized
2. Document - Export results in multiple formats - Generate appropriate reports - Note scan configurations - Record any issues encountered
3. Prioritize Remediation - Use VPR/CVSS scores - Consider exploit availability - Assess business impact - Create remediation timeline
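The CSV export from Generating Reports and the prioritization steps above can be combined into a small offline triage script. The following is an added example for this guide, not PEN-200 or Tenable code. It assumes the default column names of the Nessus CSV report (listed in the docstring; check them against the header row of your own export) and runs on a constructed sample export with fictitious plugin IDs, RFC 5737 addresses and illustrative scores. It goes slightly beyond the page: it also removes duplicate rows that appear when exports from overlapping scans are concatenated, and flags findings whose plugin output looks like a pure version comparison, which the page says must be verified by hand.

```python
"""Triage a Nessus CSV export offline.

Added example for this guide; it is not PEN-200 or Tenable code. It assumes
the default column set of Nessus' CSV report ("Plugin ID", "CVE",
"CVSS v2.0 Base Score", "Risk", "Host", "Protocol", "Port", "Name",
"Synopsis", "Description", "Solution", "See Also", "Plugin Output"); confirm
the header row of your own export before relying on it.
"""
import csv
import io
from collections import Counter, defaultdict

# Nessus "Risk" levels, highest first; "None" is informational.
RISK_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

# Constructed sample export (fictitious plugin IDs, documentation-range hosts,
# illustrative scores). The repeated row mimics what you get after
# concatenating CSV exports from two overlapping scans.
SAMPLE_CSV = """Plugin ID,CVE,CVSS v2.0 Base Score,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
10000,CVE-2021-3156,7.2,High,192.0.2.10,tcp,0,Sudo Privilege Escalation,Local privilege escalation,Version-based check,Upgrade sudo,,"Installed version : 1.8.31
Fixed version     : 1.8.31-1ubuntu1.2"
10001,,0.0,None,192.0.2.10,tcp,22,SSH Server Type and Version,Banner,Informational,n/a,,SSH-2.0-OpenSSH_8.2
10002,CVE-2020-1472,9.3,Critical,192.0.2.20,tcp,445,Netlogon Elevation of Privilege (Zerologon),Remote check,Active check,Apply vendor patch,,The remote host is affected
10000,CVE-2021-3156,7.2,High,192.0.2.10,tcp,0,Sudo Privilege Escalation,Local privilege escalation,Version-based check,Upgrade sudo,,"Installed version : 1.8.31
Fixed version     : 1.8.31-1ubuntu1.2"
10003,,5.0,Medium,192.0.2.20,tcp,80,HTTP TRACE Method Enabled,Cross-site tracing,Configuration,Disable TRACE,,TRACE allowed
"""


def parse_nessus_csv(text):
    """Return one dict per CSV row, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def _cvss(row):
    """CVSS v2 base score as a float; blank or malformed cells count as 0."""
    try:
        return float(row.get("CVSS v2.0 Base Score") or 0.0)
    except ValueError:
        return 0.0


def dedupe(rows):
    """Drop repeated (host, protocol, port, plugin) tuples, keeping the first."""
    seen, unique = set(), []
    for row in rows:
        key = (row["Host"], row["Protocol"], row["Port"], row["Plugin ID"])
        if key not in seen:
            seen.add(key)
            unique.append(row)
    return unique


def rank(rows):
    """Order findings by Nessus risk level, then CVSS, then host, highest first."""
    return sorted(rows, key=lambda r: (-RISK_ORDER.get(r["Risk"], 0), -_cvss(r), r["Host"]))


def needs_manual_verification(row):
    """Heuristic (an assumption, not a Nessus field): plugin output that reports
    installed/fixed versions came from a version comparison, which cannot see
    backported patches, so the finding should be confirmed by hand."""
    out = (row.get("Plugin Output") or "").lower()
    return "installed version" in out and "fixed version" in out


def summarize_by_host(rows):
    """Count findings per host per risk level, ignoring informational rows."""
    summary = defaultdict(Counter)
    for row in rows:
        if row["Risk"] != "None":
            summary[row["Host"]][row["Risk"]] += 1
    return summary


def triage(text, top=5):
    """Parse, dedupe and rank an export; returns (top findings, per-host summary)."""
    unique = dedupe(parse_nessus_csv(text))
    return rank(unique)[:top], summarize_by_host(unique)


if __name__ == "__main__":
    ranked, summary = triage(SAMPLE_CSV)
    for row in ranked:
        flag = " [verify manually]" if needs_manual_verification(row) else ""
        print(f'{row["Risk"]:<8} {_cvss(row):>4} {row["Host"]:<12} {row["Name"]}{flag}')
    for host, counts in sorted(summary.items()):
        print(host, dict(counts))
```

Feed it a real export by reading the file into `triage()`; if your export was generated with a custom column selection (for example a VPR column), adjust the sort key in `rank()` accordingly.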
Security Considerations¶
Credential Management: - Use dedicated service accounts - Implement least privilege - Secure credential storage - Rotate credentials post-assessment - Log authentication attempts
Scan Impact: - Start conservative - Test non-critical systems first - Monitor system resources - Have rollback procedures - Document any disruptions
False Positive Handling: - Don't dismiss without verification - Understand detection methods - Consider backported patches - Document reasoning
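The Credential Management points above, applied to the Linux SSH/sudo setup from Authenticated Scans, amount to a dedicated, key-only account that exists only for the duration of the assessment. The script below is an added example for this guide, not PEN-200 or Tenable code. It assumes Debian/Ubuntu-style `useradd`/`userdel`, a sudo that reads `/etc/sudoers.d`, and that the public half of the key configured in the Nessus SSH credential settings is passed in as the third argument. Because Nessus local checks run many different commands as root, the sudoers entry grants unrestricted `NOPASSWD` root (so no sudo password has to be stored in the scanner); the `!requiretty` default is assumed to be needed because Nessus runs commands without allocating a pty.

```bash
#!/usr/bin/env bash
# Added example for this guide (not PEN-200 or Tenable code): create a
# dedicated scan account on a Linux target for an authenticated Nessus scan,
# then remove it once the assessment is over.
# Assumptions: Debian/Ubuntu-style useradd/userdel, sudo reading
# /etc/sudoers.d, and the public key from Nessus' SSH credential settings
# passed in as the third argument.
set -euo pipefail

# Only accept a conservative account name so the rendered sudoers entry
# cannot be distorted by spaces or shell metacharacters.
valid_account_name() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Sudoers drop-in. Nessus local checks run many different commands as root,
# so a per-command allow list is impractical; the compensating controls are
# the dedicated account, key-only login and removal afterwards.
# !requiretty is assumed to be needed because Nessus runs commands without a pty.
render_sudoers() {
  local user="$1"
  printf 'Defaults:%s !requiretty\n%s ALL=(root) NOPASSWD: ALL\n' "$user" "$user"
}

provision() {
  local user="$1" pubkey="$2" home tmp
  valid_account_name "$user" || { echo "bad account name: $user" >&2; return 1; }
  sudo useradd --create-home --shell /bin/bash --comment "vulnerability scan account" "$user"
  sudo passwd -l "$user"                      # key-only: no password login at all
  home=$(getent passwd "$user" | cut -d: -f6)
  sudo install -d -m 700 -o "$user" -g "$user" "$home/.ssh"
  printf '%s\n' "$pubkey" | sudo tee "$home/.ssh/authorized_keys" >/dev/null
  sudo chown "$user:$user" "$home/.ssh/authorized_keys"
  sudo chmod 600 "$home/.ssh/authorized_keys"
  tmp=$(mktemp)
  render_sudoers "$user" > "$tmp"
  sudo visudo -c -f "$tmp"                    # syntax-check first: a bad drop-in breaks sudo
  sudo install -m 440 -o root -g root "$tmp" "/etc/sudoers.d/$user"
  rm -f "$tmp"
}

deprovision() {
  local user="$1"
  sudo rm -f "/etc/sudoers.d/$user"
  sudo userdel --remove "$user"
}

case "${1:-}" in
  provision)   provision "${2:?account name}" "${3:?ssh public key}" ;;
  deprovision) deprovision "${2:?account name}" ;;
esac
```

Usage: `./scan-account.sh provision nessus-scan "$(cat nessus_key.pub)"` before the scan and `./scan-account.sh deprovision nessus-scan` afterwards. The trade-off is explicit: anyone holding the private key is root on every target it was installed on, so the key stays in the scanner's credential store only and the account is removed, not merely disabled, when the engagement ends.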
Quick Reference¶
Common Scan Configurations¶
Basic Unauthenticated Scan:
Template: Basic Network Scan
Targets: <ip_list>
Ports: 80,443 (or specific requirements)
Host Discovery: Off (if hosts known)
Authenticated Linux Scan:
Template: Credentialed Patch Audit
Target: <ip>
SSH: <username>/<password>
Sudo: enabled with password
Dynamic Plugin Scan:
Template: Advanced Dynamic Scan
Filter: CVE equals <CVE-ID>
Optional: Plugin Family = <specific-family>
Credentials: As required
Workflow Summary¶
- Plan: Define scope, coordinate with teams
- Configure: Select template, set targets, add credentials if needed
- Customize: Adjust ports, timing, plugins
- Launch: Start scan during appropriate window
- Monitor: Watch progress, check for issues
- Analyze: Review findings, understand severity
- Verify: Confirm critical vulnerabilities
- Report: Generate appropriate documentation
- Remediate: Work with teams on fixes
- Re-scan: Verify remediation
Summary¶
Nessus provides comprehensive vulnerability scanning capabilities with extensive plugin coverage. Nessus Essentials offers sufficient functionality for learning and small environments despite limitations.
Key Concepts: - Templates accelerate configuration - Authenticated scans provide deeper visibility - Dynamic plugin filters enable targeted scanning - Results require manual verification - Proper planning minimizes disruption - Coordination with stakeholders is essential
Remember: - Verify findings manually - Understand scan impact - Coordinate with system owners - Document thoroughly - Prioritize based on risk - Follow up on remediation
Nessus complements manual testing and should be part of a comprehensive security assessment strategy.
Content derived from OffSec PEN-200 courseware