A brief introduction to the Nessus vulnerability scanner
Nessus is one of the many vulnerability scanners used during vulnerability assessments and penetration testing engagements, and it is just as useful to an attacker mapping a network as it is to the defender auditing it. This article focuses on this scanner: the fundamentals you need before getting started with the tool, the scanning capabilities it provides, what it takes to run it and how results appear once scans complete.
Please note that this article does not in any way serve as a comprehensive guide to Nessus, but as an overview.
Nessus products brief
Nessus is sold by Tenable (formerly Tenable Network Security). A free edition (Nessus Home, since renamed Nessus Essentials) is available for personal, non-commercial use and is capped at 16 IP addresses; commercial use requires one of the priced options below:
- Tenable.io is a subscription-based, cloud-hosted service. It allows different teams to share scanners, schedules, scan policies and scan results, and it absorbed what was previously sold as Nessus Cloud, Tenable's earlier Software-as-a-Service offering. Tenable.io also allows workflows to be customized for effective vulnerability management.
- Nessus Agents are lightweight programs installed on the hosts themselves. Because an agent runs locally, it can perform the same local checks as a credentialed scan without the scanner being handed credentials for the host, and it can assess laptops and other devices that are only intermittently connected or otherwise unreachable from a network scanner: the agent collects results while the host is up and reports them when it next connects to its manager. Agents are built to use minimal CPU and memory on the hosts they run on. Note that the malware detection checks an agent can run (for example, comparing hashes of running processes against known-bad lists) do not make it a replacement for antivirus or endpoint protection.
- Nessus Professional is the most commonly deployed vulnerability assessment solution across the industry. It performs high-speed asset discovery, target profiling, configuration auditing, malware detection, sensitive data discovery and more. Nessus Professional runs on client devices such as laptops and can be used effectively by the security department within your organization.
- Nessus Manager provided the capabilities of Nessus Professional along with additional vulnerability management and collaboration features; organizations used it to share scan data between departments and to monitor assets in hard-to-reach environments. Nessus Manager is no longer sold as of February 1st, 2018.
These products discussed above offer multiple services that range from Web application scanning to mobile device scanning, cloud environment scanning, malware detection, control systems auditing (including SCADA and embedded devices) and configuration auditing and compliance checks.
Fundamentals of the Nessus vulnerability scanner
For us to appreciate the capabilities Nessus offers, we need to understand some fundamentals. We will first discuss the user interface and take a look at how to install Nessus on Linux and Windows Operating Systems.
1. Installation on Linux
The Linux installers are on Tenable's download page. You need to know which distribution and architecture you are running in order to choose the right package. This article uses Kali Linux, which is based on Debian and uses Debian's .deb package format, on a 64-bit (amd64) system, so we download the *.deb installer built for that architecture.
As of the writing of this article, the latest version of Nessus is 8.0.0.
Once the package file has been downloaded, you may install it from within the Linux terminal using the command below:
$ sudo dpkg -i Nessus-8.0.0-debian6_amd64.deb
If you are using another distribution, use the corresponding package for it:
For RedHat version 6:
# rpm -ivh Nessus-<version number>-es6.x86_64.rpm
For FreeBSD version 10:
# pkg add Nessus-<version number>-fbsd10-amd64.txz
After installation on your Linux system, be sure to start the Nessus daemon as shown below:
For Red Hat, CentOS, Oracle Linux, Fedora, SUSE and FreeBSD, use the command below:
# service nessusd start
For Debian/Kali and Ubuntu, use the command below:
# /etc/init.d/nessusd start
On distributions that use systemd (current Kali, Ubuntu, Debian and Red Hat releases), the equivalent is:
# systemctl start nessusd
The daemon listens on TCP port 8834 by default. Confirm it is up before opening the web interface:
# ss -ltnp | grep 8834
2. Installation on Windows
The Windows installer is on the same download page. Remember to pick the package matching your architecture and operating system. Once downloaded, double-click the installer and go through the wizard. You might be prompted to install WinPcap, which Nessus uses for raw packet capture and injection; if so, proceed with that installation as well.
Understanding the user interface
After installation and during your first run, you will be required to activate your product based on the license type you intend to install.
After the license is activated, it is time to get down to running your Nessus scanner.
The Nessus user interface is primarily made up of two main pages: the scans page and the settings page. These pages allow you to manage scan configurations and set up the scanner according to how you would like it to perform within your system. You access these pages from the tab panel shown below.
1. Scans page
This page allows you to create new scans and manage them. You will also note that in the bottom left section of your screen you have sections that allow you to configure policies that will apply to your scans, define plugin rules and monitor your scanners and agents. When you create a new scan or policy, a list of Scan Templates or Policy Templates appears.
2. Settings page
Your settings page will contain configuration information, allowing you to define settings for your LDAP, Proxy and SMTP server for additional functionality and integration within your network.
At the bottom of your left screen, you will also have access to your account, users and group settings.
Vulnerability scanning with Nessus
Nessus performs its scans by utilizing plugins, which run against each host on the network in order to identify vulnerabilities. Plugins can be thought of as individual pieces of code, written in Tenable's NASL (Nessus Attack Scripting Language), that Nessus uses to conduct individual checks against targets. Plugins are numerous and wide in their capabilities. For instance, a plugin could be launched and targeted at a host to:
- Identify which operating systems and services are running on which ports
- Identify which software components are vulnerable to attacks (FTP, SSH, SMB and more)
- Identify if compliance requirements are met on various hosts
The steps that are followed during scanning can be summarized in the image below:
When you launch a scan, Nessus goes through a series of steps.
Step 1: Nessus will retrieve the scan settings. The settings will define the ports to be scanned, the plugins to be enabled and policy preferences definitions.
Step 2: Nessus then performs host discovery to determine which hosts are up. The probes used are ICMP, TCP, UDP and ARP pings (ARP only reaches hosts on the scanner's own subnet), and each can be enabled or disabled in the scan's discovery settings. A host that filters all of these probes is reported as down and silently skipped, unless you turn off pinging so that every listed target is scanned regardless.
Step 3: Nessus then performs a port scan of each host that is discovered to be up. You can also define which ports you will want to be scanned. Ports can be defined in ranges or individually, with valid ports ranging from 1 to 65535.
Step 4: Nessus then performs service detection to determine which service is running behind each open port on each discovered host.
Step 5: Nessus then performs operating system detection.
Step 6: Once the host has been profiled, Nessus runs the enabled plugins against the services and operating system it identified and compares what it finds (banners, version strings, responses to probes and, for credentialed scans, installed packages and configuration) against its database of known vulnerabilities to determine which host carries which vulnerabilities.
The image below summarizes these steps:
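Two of the inputs in the steps above are easy to get wrong by hand: the target list (individual addresses, hostnames or CIDR blocks, separated by commas) and the port specification (single ports or ranges within 1 to 65535). The following helper, added here as an example and not taken from the article or from Nessus, expands and validates both before they are pasted into a scan. The exact set of target syntaxes it accepts (IP, CIDR, IP-to-IP range, hostname) and the refusal of ranges larger than 65536 addresses are this example's own assumptions, not Nessus limits.

```python
"""Validate Nessus-style target and port lists before starting a scan.

Added example for this article; it is not code from the page or from Nessus.
Assumed input formats (the article only states commas, CIDR and 1-65535 ports):
targets are comma-separated IPs, CIDR blocks, IP-to-IP ranges or hostnames;
ports are comma-separated single values or low-high ranges.
"""
import ipaddress
import re
from typing import List

# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

MAX_RANGE = 65536  # this example's own guard against expanding a whole /8 by accident


def _expand_item(item: str) -> List[str]:
    """Expand one target token into a list of host strings."""
    if "/" in item:
        # CIDR block; strict=False accepts 192.168.1.7/24 the way the scanner GUI does
        net = ipaddress.ip_network(item, strict=False)
        if net.num_addresses > MAX_RANGE:
            raise ValueError(f"refusing to expand {item}: {net.num_addresses} addresses")
        # /31 and /32 have no separate network/broadcast address, so keep every address
        hosts = list(net) if net.prefixlen >= net.max_prefixlen - 1 else list(net.hosts())
        return [str(h) for h in hosts]
    if "-" in item:
        lo_s, hi_s = (p.strip() for p in item.split("-", 1))
        try:
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        except ValueError:
            pass  # a hostname containing a hyphen, e.g. web-01.example.com; handled below
        else:
            if lo.version != hi.version or hi < lo:
                raise ValueError(f"invalid address range: {item}")
            if int(hi) - int(lo) >= MAX_RANGE:
                raise ValueError(f"refusing to expand {item}: range too large")
            return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]
    try:
        return [str(ipaddress.ip_address(item))]
    except ValueError:
        if not _HOSTNAME.match(item):
            raise ValueError(f"invalid target: {item!r}") from None
        return [item]


def expand_targets(spec: str) -> List[str]:
    """Expand a Nessus target string into de-duplicated hosts, in input order."""
    hosts: List[str] = []
    for raw in spec.split(","):
        token = raw.strip()
        if token:
            hosts.extend(_expand_item(token))
    return list(dict.fromkeys(hosts))


def parse_ports(spec: str) -> List[int]:
    """Parse '22, 80, 443, 8000-8100' into a sorted list of ports within 1-65535."""
    ports = set()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        lo_s, _, hi_s = token.partition("-")
        try:
            lo = int(lo_s)
            hi = int(hi_s) if hi_s else lo
        except ValueError:
            raise ValueError(f"invalid port token: {token!r}") from None
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds or reversed: {token!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


if __name__ == "__main__":
    print(expand_targets("192.168.1.0/29, 10.0.0.8-10.0.0.10, web-01.example.com"))
    print(parse_ports("22, 80, 443, 8000-8003"))
```

Running the expansion before a scan also gives you the exact host count the scan will touch, which is worth checking against the scope you were authorized for.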
Configuring a Nessus scan
Nessus gives you the ability to configure your scan based on different scan and policy templates; Tenable's documentation describes each template. The template you pick determines which settings appear within the scan policy. The following are the general settings that can be accessed:
Basic: Here you specify the security-related and organizational aspects of the scan or policy: the name of the scan, its targets, whether it is scheduled and who has access to it.
Discovery: This is where you define the ports to be scanned and the host discovery methods (ICMP, TCP, UDP and ARP ping) to be used.
Assessment: This setting determines which vulnerability checks to perform and how. It has sections for general checks, Windows, SCADA, Web applications and brute-force checks. Note that the brute-force checks attempt logins against discovered services, which can lock out accounts on production systems; leave them at the default (only use credentials provided by the user) unless the engagement explicitly permits password guessing.
Report: This setting will allow you to determine how scan reports are generated and the information that should be included within them.
Advanced: Here you define scan efficiency (such as concurrency and timeouts) and the operations the scan should perform. You can also enable scan debugging here.
Launching a Nessus scan
To perform a vulnerability scan, point your browser at https://localhost:8834 (8834 is the default port; substitute the scanner's address for localhost if it is installed on another machine). Nessus ships with a self-signed certificate, so expect a browser warning on the first connection. See below:
Hit the “New Scan” button above, then select the type of scan to perform from the numerous templates available.
The templates available are limited in the free version of Nessus; your license determines which edition you are running, and the commercial version offers more templates with more capability.
As can be seen above, you then enter your targets. Nessus accepts multiple targets separated by commas, given as individual addresses, hostnames or CIDR blocks. Only scan systems you are authorized to test. Once done, you will be redirected to the screen below.
Click the play icon to launch your configured scan. You can keep several configured scans and run them independently. In the screen above, we configured just one scan. Below, however, you can see results from two hosts summarizing the severity and number of issues discovered on each.
(This has been included to demonstrate how results from multiple hosts appear).
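Everything done through the buttons above (pick a template, set targets, launch, wait, export the results) can also be driven from the scanner's REST API, which is how scans get scheduled from CI pipelines or ticketing systems. The client below is an added example for this article, not Tenable's code. It assumes the Nessus REST endpoints /editor/scan/templates, /scans, /scans/{id}/launch and /scans/{id}/export, authenticated with an X-ApiKeys header carrying an access/secret key pair generated under the user's account settings; which of these endpoints a given Nessus edition and version exposes varies, so check the API reference your own scanner serves. The transport is injectable so the orchestration logic can be exercised without a scanner.

```python
"""Drive a Nessus scanner's REST API instead of clicking through the web UI.

Added example for this article; it is not Tenable's code. Endpoint paths,
header name and response fields are assumptions based on the Nessus REST API
and should be checked against the API reference served by your scanner.
"""
import json
import os
import ssl
import time
import urllib.request
from typing import Callable, Optional

# transport(method, path, json_body) -> parsed JSON; injectable so the flow can be tested offline
Transport = Callable[[str, str, Optional[dict]], dict]


class NessusClient:
    def __init__(self, base_url: str, access_key: str, secret_key: str,
                 cafile: Optional[str] = None, transport: Optional[Transport] = None):
        self.base_url = base_url.rstrip("/")
        self.headers = {
            "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
            "Content-Type": "application/json",
        }
        # Nessus ships a self-signed certificate: trust that specific cert (or your
        # internal CA) via cafile instead of turning certificate verification off.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self._call = transport or self._http

    def _http(self, method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def template_uuid(self, name: str = "basic") -> str:
        """Look up a scan template (e.g. 'basic', 'discovery') by its short name."""
        for tpl in self._call("GET", "/editor/scan/templates", None)["templates"]:
            if tpl["name"] == name:
                return tpl["uuid"]
        raise LookupError(f"no scan template named {name!r}")

    def create_scan(self, name: str, targets: str, template: str = "basic") -> int:
        """Create (but do not launch) a scan and return its numeric id."""
        body = {"uuid": self.template_uuid(template),
                "settings": {"name": name, "text_targets": targets, "enabled": False}}
        return self._call("POST", "/scans", body)["scan"]["id"]

    def launch(self, scan_id: int) -> str:
        return self._call("POST", f"/scans/{scan_id}/launch", None)["scan_uuid"]

    def wait(self, scan_id: int, poll: float = 15, timeout: float = 4 * 3600) -> str:
        """Poll until the scan reaches a terminal status and return that status."""
        deadline = time.monotonic() + timeout
        while True:
            status = self._call("GET", f"/scans/{scan_id}", None)["info"]["status"]
            if status in ("completed", "canceled", "aborted"):
                return status
            if time.monotonic() >= deadline:
                raise TimeoutError(f"scan {scan_id} still {status} after {timeout}s")
            time.sleep(poll)

    def export_path(self, scan_id: int, fmt: str = "nessus", poll: float = 2) -> str:
        """Request an export and return its download path once Nessus has prepared it."""
        file_id = self._call("POST", f"/scans/{scan_id}/export", {"format": fmt})["file"]
        while self._call("GET", f"/scans/{scan_id}/export/{file_id}/status", None)["status"] != "ready":
            time.sleep(poll)
        return f"/scans/{scan_id}/export/{file_id}/download"

    def download(self, path: str) -> bytes:
        """Fetch a prepared export; the body is raw XML/CSV/PDF, not JSON."""
        req = urllib.request.Request(self.base_url + path, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return resp.read()


if __name__ == "__main__":
    # Keys come from the environment so they never land in a script or shell history.
    client = NessusClient("https://localhost:8834", os.environ["NESSUS_ACCESS_KEY"],
                          os.environ["NESSUS_SECRET_KEY"], cafile=os.environ.get("NESSUS_CA_FILE"))
    sid = client.create_scan("API demo", "192.0.2.10, 192.0.2.11")  # authorized targets only
    client.launch(sid)
    print("scan finished with status", client.wait(sid))
    with open(f"scan-{sid}.nessus", "wb") as fh:
        fh.write(client.download(client.export_path(sid)))
```

Keeping the API keys out of the script and pinning the scanner's certificate with cafile are the two details most often skipped in home-grown automation; a scanner holding scan credentials for your whole estate is a high-value target in its own right.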
Nessus even allows you to drill down to specific hosts and vulnerabilities and get more information on how they were discovered, together with recommendations on how to patch identified risks. See below:
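The per-host severity summary and the drill-down shown in the screenshots are also straightforward to reproduce from an exported .nessus file (the XML format Nessus uses for its own exports), which is how findings usually get into a tracking system. The parser below is an added example for this article, not Tenable's code. The embedded export is constructed for illustration: it follows the NessusClientData_v2 layout, and its plugin names are modelled on real Nessus plugins, but the hosts, outputs and counts are made up and a real export carries far more attributes per ReportItem.

```python
"""Summarize a Nessus export (.nessus v2 XML) per host and severity.

Added example for this article; not Tenable's code. SAMPLE_NESSUS is a
constructed export: same layout as a real file, made-up hosts and outputs.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from typing import Dict, List

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="demo">
<ReportHost name="192.0.2.10">
<HostProperties>
<tag name="host-ip">192.0.2.10</tag>
<tag name="operating-system">Linux Kernel 4.15 on Ubuntu 18.04</tag>
</HostProperties>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10267"
 pluginName="SSH Server Type and Version Information" pluginFamily="Service detection">
<plugin_output>SSH version : SSH-2.0-OpenSSH_7.6p1</plugin_output>
</ReportItem>
<ReportItem port="21" svc_name="ftp" protocol="tcp" severity="2" pluginID="34324"
 pluginName="FTP Supports Cleartext Authentication" pluginFamily="FTP">
<risk_factor>Medium</risk_factor>
<solution>Switch to SFTP or FTPS.</solution>
</ReportItem>
</ReportHost>
<ReportHost name="192.0.2.11">
<HostProperties>
<tag name="host-ip">192.0.2.11</tag>
<tag name="operating-system">Microsoft Windows Server 2008 R2</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="11936"
 pluginName="OS Identification" pluginFamily="General">
<plugin_output>Remote operating system : Microsoft Windows Server 2008 R2</plugin_output>
</ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="97833"
 pluginName="MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (uncredentialed check)"
 pluginFamily="Windows">
<risk_factor>Critical</risk_factor>
<cve>CVE-2017-0143</cve>
<cve>CVE-2017-0144</cve>
<solution>Apply the Microsoft patch for MS17-010.</solution>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_report(xml_text: str) -> Dict[str, List[dict]]:
    """Return {host: [finding, ...]} for every ReportItem in the export.

    An export you generated yourself is trusted input; if the file comes from a
    third party, parse it with defusedxml instead to avoid entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    findings: Dict[str, List[dict]] = defaultdict(list)
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "").strip() for t in host.iter("tag")}
        key = props.get("host-ip") or host.get("name")
        for item in host.iter("ReportItem"):
            findings[key].append({
                "host": key,
                "os": props.get("operating-system", ""),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "severity": int(item.get("severity")),
                "plugin_id": int(item.get("pluginID")),
                "plugin": item.get("pluginName"),
                "cves": [c.text.strip() for c in item.findall("cve") if c.text],
                "solution": (item.findtext("solution") or "").strip(),
            })
    return dict(findings)


def severity_summary(findings: Dict[str, List[dict]]) -> Dict[str, Dict[str, int]]:
    """Count findings per host and severity label, like the scan overview page."""
    return {host: {SEVERITY[sev]: n for sev, n in Counter(f["severity"] for f in items).items()}
            for host, items in findings.items()}


def actionable(findings: Dict[str, List[dict]], min_severity: int = 3) -> List[dict]:
    """Findings at or above min_severity, most severe first: the drill-down list."""
    hits = [f for items in findings.values() for f in items if f["severity"] >= min_severity]
    return sorted(hits, key=lambda f: (-f["severity"], f["host"], f["port"]))


if __name__ == "__main__":
    report = parse_report(SAMPLE_NESSUS)
    for host, counts in severity_summary(report).items():
        print(host, counts)
    for f in actionable(report):
        print(f"{f['host']}:{f['port']}/{f['protocol']} [{SEVERITY[f['severity']]}] {f['plugin']} {f['cves']}")
```

Severity 0 items (banners, OS identification) are informational and dominate most exports; filtering on severity before handing results to a remediation team is what keeps the report readable, and the CVE list per finding is what you cross-check against a second scanner or manual verification.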
The Nessus vulnerability scanner is one of the most common vulnerability scanners in the cybersecurity industry today, and the functionality of the commercial version in particular justifies its cost. Scanner output still needs verification: confirm findings manually or with a second scanner to weed out false positives, and bear in mind that an unauthenticated scan can also miss issues (false negatives) that a credentialed scan or an agent would catch. With those caveats, Nessus's functions justify its popularity.