# Nessus Cheatsheet

- Nessus Essentials is limited to 16 hosts
- runs as a system service
- default port: 8834
## Scan Templates

Using Scan Templates we can pick a scan type, e.g.:
- host discovery
- basic network scan
- advanced scan
- malware scan
- web application tests
- User Defined scans (the predefined Scan Policies)
### Host Discovery Scan

Here we define the targets we want to scan, the schedule, discovery options, reporting, plugins and more.
#### Discovery Tab

With Custom -> Host Discovery we can enable scanning of fragile devices such as network printers.

⚠️ Use with caution. This often results in the printer printing out garbage and can leave the device unusable.
### Basic Network Scan

#### Discovery Tab

##### Service Discovery

- ⚠️ By default, Probe all ports is selected. Some applications or services can crash as a result of the probing.
- Searching for SSL/TLS services is enabled by default, and Nessus can be set to identify expiring/revoked certificates.
#### Assessment Tab

Allows enabling Web Application scanning (with a custom User-Agent if needed).

We can also attempt to authenticate against discovered services using either already looted credentials (the Credentials tab) or a brute-force attack.

We can enable user enumeration using different methods, including RID Brute Forcing in the Windows tab.
#### Advanced Tab

Allows disabling safe checks (use with care, as unsafe checks may negatively impact the target device and/or network), throttling the scans, giving up on seemingly unresponsive hosts, making Nessus pick IPs from the target list in random order, etc.
## Scan Policies

In Policies we can define Scan Policies: reusable, preconfigured scans that let us set specific options and enable particular plugins.

These are useful for creating different scan scenarios (e.g. less/more aggressive scans, focused scans, scans using particular sets of credentials, etc.).

We can reuse them from Scan Templates -> User Defined.
## Plugins

Written in the Nessus Attack Scripting Language (NASL), plugins target new vulnerabilities and CVEs and provide information about the impact, the remediation and a way to confirm the existence of a particular issue.

We can browse Nessus' plugins through the Tenable Plugins Database.

⚠️ The results may, and probably will, include false positives.

We can create Plugin Rules that override the severity of a plugin for specific hosts, e.g. to exclude a known false positive from the results for those hosts while keeping the plugin enabled for all others.
## Exporting

We can create a PDF/HTML report including an Executive Summary with the list of affected hosts, vulnerability count, severity, CVSS score and plugins used.

We can also export selected columns to CSV for further processing, e.g. in Splunk.

We can also export scans to .nessus (XML-based; contains the scan settings and outputs) and .db (including the KB and Audit Trail).

For ease of use we can export all of the above using the CLI or, even better, the nessus-report-downloader.rb script.
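As an added example (not from the original cheatsheet and not Tenable's code), a small Python script that reads the XML inside a .nessus export, drops plugin IDs already confirmed as false positives (the same effect as a Plugin Rule, applied after the fact) and writes the selected columns as CSV for downstream processing. The sample document, hosts and plugin IDs are constructed for the example.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (v2, XML) layout; hosts and plugin IDs are made up.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="example-scan">
    <ReportHost name="10.0.0.5">
      <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
      <ReportItem port="445" protocol="tcp" severity="3" pluginID="100001" pluginName="Example SMB finding">
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" protocol="tcp" severity="0" pluginID="100002" pluginName="Example info plugin"/>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <HostProperties><tag name="host-ip">10.0.0.6</tag></HostProperties>
      <ReportItem port="443" protocol="tcp" severity="2" pluginID="100003" pluginName="Example TLS finding">
        <cvss_base_score>5.3</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""

# Nessus severity attribute values (0-4) and the labels shown in the UI.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

def parse_nessus(xml_text, min_severity=1, excluded_plugins=()):
    """One row per ReportItem at or above min_severity; plugin IDs in excluded_plugins
    are dropped, like a Plugin Rule that hides a plugin confirmed as a false positive."""
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        ip = host.findtext("HostProperties/tag[@name='host-ip']", default=host.get("name"))
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity or item.get("pluginID") in excluded_plugins:
                continue
            rows.append({"host": ip, "port": f"{item.get('protocol')}/{item.get('port')}",
                         "plugin_id": item.get("pluginID"), "plugin": item.get("pluginName"),
                         "severity": SEVERITY.get(sev, str(sev)),
                         "cvss": item.findtext("cvss_base_score", default="")})
    return rows

def to_csv(rows):
    """Serialise the selected columns as CSV for downstream processing (e.g. Splunk)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["host", "port", "plugin_id", "plugin", "severity", "cvss"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

`to_csv(parse_nessus(SAMPLE_NESSUS, min_severity=2, excluded_plugins={"100003"}))` keeps only the High finding on 10.0.0.5; replace SAMPLE_NESSUS with the contents of a real export to process your own scan.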
## Drawbacks and issues

Scans can have a negative impact on the network, affect sensitive/legacy hosts and produce false positives. We may need to fine-tune the scans, exclude some sensitive hosts, scan high-availability hosts outside of regular business hours, etc.
### False positives

Some firewalls affect the scan results by showing either all or no ports as open, or by responding with an ICMP Unreachable that makes Nessus treat the host as live and report many false positives. Usually we can fix that by disabling ICMP in Discovery -> Host Discovery -> Ping Methods (this prevents the scan from using ICMP).
### Sensitive networks and hosts

For sensitive networks or heavily loaded hosts we can adjust the Performance Options and Max Concurrent Checks Per Host.

For sensitive hosts such as printers we can disable scanning of printers and other Fragile Devices. We can also remove particular hosts from the target scope (or exclude them within nessusd.rules).

We should avoid the Denial of Service checks. The easiest way to do so is to keep the aforementioned Safe Checks enabled.