Doug Vitale Tech Blog

Tenable Nessus

If Nmap is the most popular free network scanning tool, then Nessus by Tenable is the most widely used commercial vulnerability scanner. Nessus is designed to comprehensively scan network hosts for vulnerabilities and generate reports on its findings. During a scan, Nessus probes ports and checks for flaws that could be exploited by attackers or malware: outdated and vulnerable software, improper configurations such as accounts with default passwords or no password at all, and the presence of risky services or daemons. In this respect Nessus is very similar to BeyondTrust Retina; however, the two tools have very different user interfaces and Nessus is the more popular and widely deployed of the two, as multiple surveys on SecTools.org have shown over the years.

Nessus is available for both Linux and Windows. On both operating systems it is split into a server and a client. The Nessus server (a Windows service, or on Linux a daemon called nessusd) performs the actual scanning, while the client presents the user interface and passes commands to the server. The server uses plugins to determine which flaws exist on the target hosts. Plugins are small scripts, each of which tests for a specific vulnerability or condition (Nessus ships with tens of thousands of them). When the scanner can reach the Internet it downloads the latest plugins automatically, so it can recognize and report newly published weaknesses (for example those catalogued as CVEs by MITRE). The plugins are written in Nessus's own scripting language, NASL, which you can also use to write custom plugins.

[Screenshot: Nessus v5.x login interface]

[Screenshot: Nessus v4.4.x login interface]



History of Nessus

Nessus was first released in 1998. Versions 1 and 2 were distributed as free and open source software (FOSS). Starting with version 3 in 2005, Tenable closed public access to the source code and began charging subscription fees for the plugin “registered feed” (a free “home feed” is still available for non-commercial installations of Nessus). Paying customers ($1500 annually) receive the latest plugins from Tenable along with technical support. Further differences between the two feeds are described here.

Starting with version 4, the Nessus client moved from standard application format to a web-based (runs in a browser) format that utilizes Adobe Flash. Nessus v5 was released in February 2012. Starting with v5.2, the Nessus interface is based on HTML5.


Installing and using Nessus

Tenable provides clear installation instructions in the Nessus Installation Guide, so they will not be reproduced here; the guide for version 5.x is available from Tenable.

Before you can initiate a scan, make sure the Nessus server is running on your PC. On Linux you can check with pgrep -l nessusd. (The commonly suggested ps -ef | grep nessusd also matches the grep command itself, so it prints a line even when the daemon is not running; use grep [n]essusd if you prefer ps.) If nessusd isn't running, enter /sbin/service nessusd start (Red Hat/Fedora), /etc/rc.d/nessusd start (SuSE), or /etc/init.d/nessusd start (Debian, Ubuntu, Solaris). In Windows, click the Start button, type services.msc, scroll to Tenable Nessus and make sure the status is 'Started' (or 'Running', depending on the Windows version). If not, right-click the Nessus line and choose 'Start'. Alternatively, in Windows you can check that nessusd.exe and nessus-service.exe are listed in Task Manager (click 'Show processes from all users').

[Screenshot: Nessus in the Windows Services Console]

Additionally, in Nessus 4 you can use the Nessus Server Manager interface to start or stop the Nessus server as well as to create user accounts for program usage.
[Screenshot: Nessus v4 Server Manager]

Once the server is running in the background, you are ready to launch the Nessus client. Open your web browser and go to https://your_IP_address:8834/ or https://localhost:8834/ (the Nessus web server listens on TCP port 8834). A fresh install uses a self-signed certificate, so the browser will warn about the server's certificate (Internet Explorer) or an untrusted connection (Firefox). That warning is expected on a new local install, but do not make a habit of clicking through it: compare the fingerprint the browser shows with the one on the server (on Linux, openssl x509 -noout -fingerprint -in /opt/nessus/com/nessus/CA/servercert.pem), and if you will reach the scanner over the network, replace the self-signed certificate with one your browsers trust. You will then be presented with the login screen shown above. To proceed, you must already have created a user account on the Nessus server (see the 'Manage Users' button in the Nessus Server Manager above, or the nessus-adduser command on Linux).

When you have authenticated to the Nessus server, you will see the interface shown below and you will be ready to create scan policies and configure scans.

[Screenshot: Nessus v5.x client main interface]

[Screenshot: Nessus v4.x client main interface]

Before you can launch a scan, you need to first configure a scan policy. This policy controls the options and features the scan will utilize when Nessus starts inspecting the target hosts. You can tailor the scan policies to be appropriate for the targets based on their operating systems, installed software, and network functions. For example, if you are scanning a group of Windows server hosts, you can configure a scan policy that is appropriate for the Windows operating system. If you are scanning a cluster of Linux servers running Apache, you can configure a scan policy that is appropriate for Linux and the Apache web server software.

To create a scan policy, click ‘Policies’ to get started. You will see the first page of the Policy creation interface.

[Screenshot: Nessus v5.x policy creation wizards]

[Screenshot: Nessus v4.x scan policy creation - first page]

The policy wizards offered by default in the Nessus 5.x interface are:

  • Host Discovery – identifies live hosts and open ports.
  • Basic Network Scan – for users scanning internal or external hosts.
  • Credentialed Patch Audit – log in to systems and enumerate missing software updates.
  • Web Application Tests – for users performing generic web application scans.
  • Windows Malware Scan – for users searching for malware on Windows systems.
  • Mobile Device Scan – for users of Apple Profile Manager, ADSI, or Good MDM.
  • Prepare for PCI DSS Audits – for users preparing to audit against PCI DSS compliance.
  • Advanced Policy – for users who want total control of their policy configuration.

As you can see, there are a great many ways to configure the scan policy. Take your time going through these options, because they influence the speed of your scans as well as the quality of the results. On networks with good connectivity, try decreasing the network timeouts from 5 to 3 seconds; on slow or congested links, however, short timeouts make Nessus give up on services that are merely slow to answer, and you get false negatives rather than a faster scan. If you are targeting servers with plenty of horsepower, try increasing the max checks per host from 5 to 10 or higher, bearing in mind that more concurrent checks mean more load on the target and that fragile services (old embedded devices, printers, some network appliances) can be knocked over by an aggressive scan; leave 'Safe checks' enabled unless you have a specific reason not to. You can also specify exactly which ports you want Nessus to probe, and you can enable or disable the TCP, UDP, and SYN port scanners.

If you want the scan to log in to the target hosts, you need to provide it valid credentials to use, on the credentials page depicted below. This is something you should definitely try to enable: when Nessus can log in with administrative/root credentials it can inspect installed packages, patch levels and configuration directly, and it will find many more vulnerabilities than an unauthenticated scan, with fewer false positives. A few precautions: use a dedicated scanning account rather than a personal administrator account, so its activity is recognisable in the targets' logs and it can be disabled when the scan is over; prefer SSH key authentication to passwords on Unix hosts; and remember that the credentials are stored with the policy on the scanner, so restrict who can log in to Nessus and protect the scanner host as carefully as the systems it scans.

[Screenshot: Nessus v5.x prompt for scan authentication]

[Screenshot: Nessus v4.x scan policy creation - second page]

The plugins page is where you will spend some time enabling or disabling the plugins that apply to the scan you are about to run. Doing this well requires some knowledge of the target hosts: at a minimum which operating systems they run, and ideally what software and services they provide, for instance whether any of them are web servers, database servers, or networking devices such as routers and firewalls. Then scroll through the plugin families shown below and select the ones you want Nessus to use. If in doubt, leave a family enabled rather than disabling it; a plugin whose preconditions are not met on a host simply does not report anything, whereas a family you disabled cannot find anything at all.

[Screenshot: Nessus v5.x plugin options]

[Screenshot: Nessus v4.x scan policy creation - third page]

The last step in creating a scan policy is to configure the general scanning options in Preferences.

[Screenshot: Nessus v5.x scanning preferences]

[Screenshot: Nessus v4.x scan policy creation - fourth page]

When you have finished with the Preferences, click ‘Save’ and you will now see the policy you just created under ‘Policies’ in the main Nessus client interface.

Now that your scan policy is done and ready to be used, you need to apply it to an actual scan by clicking the ‘Scans’ link in the main client interface. The scan properties simply consist of the target hosts (either IP addresses, IP ranges, or host names) and the time the scan should run (either immediately or at a scheduled time).

[Screenshot: Nessus v5.x scan settings]

[Screenshot: Nessus v4.x scan creation options]

The names of your custom scan policies will appear in the ‘Policy’ drop-down menu. You can then specify your targets by either typing them into the ‘Targets’ box or by browsing to a text file (‘Add file’) containing the target IP addresses or host names.
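Before launching, it is worth checking the targets file against the range you are actually authorised to scan; an address that slipped into the list through a typo is an awkward conversation at best. The following Python script is added here as an example and is not part of the original post or of Nessus itself. It normalises target lines in the forms the Targets box accepts (single addresses, CIDR networks, dashed address ranges, host names) and refuses to proceed if any of them fall outside an authorised scope. The sample targets file and the authorised scope 10.20.30.0/24 are constructed for the example; host names are reported separately because they must be resolved before they can be compared with an address scope.

```python
import ipaddress

# A targets file constructed for this example, in the forms the Nessus
# 'Targets' box accepts: single addresses, CIDR networks, dashed ranges and
# host names. None of these addresses belongs to a real engagement.
SAMPLE_TARGETS = """\
10.20.30.5
10.20.30.0/28
10.20.30.40-10.20.30.43

web01.corp.example
10.99.0.7
"""

# Hypothetical authorised scope; replace it with the ranges you actually
# have written permission to scan.
AUTHORISED_SCOPE = ["10.20.30.0/24"]


def target_networks(line):
    """Normalise one target line to a list of ip_network objects.

    Returns None for a host name, which must be resolved before it can be
    checked against an address scope. Malformed CIDR and reversed ranges
    raise ValueError so that a typo stops the scan instead of silently
    scanning something else.
    """
    line = line.strip()
    if "/" in line:
        return [ipaddress.ip_network(line, strict=False)]
    if "-" in line:
        start_s, _, end_s = line.partition("-")
        try:
            start = ipaddress.ip_address(start_s)
            end = ipaddress.ip_address(end_s)
        except ValueError:
            return None                      # a host name containing a hyphen
        if start.version != end.version or end < start:
            raise ValueError("bad address range: %s" % line)
        return list(ipaddress.summarize_address_range(start, end))
    try:
        return [ipaddress.ip_network(line)]  # single address -> /32 or /128
    except ValueError:
        return None                          # a plain host name


def check_scope(targets_text, authorised):
    """Split target lines into in-scope, out-of-scope and unresolved names.

    A target is in scope only if every network it expands to lies entirely
    inside one authorised network; a range that merely overlaps the scope
    is reported as out of scope.
    """
    scope = [ipaddress.ip_network(s) for s in authorised]
    in_scope, out_of_scope, names = [], [], []
    for raw in targets_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        nets = target_networks(line)
        if nets is None:
            names.append(line)
            continue
        covered = all(
            any(n.version == s.version and n.subnet_of(s) for s in scope)
            for n in nets
        )
        (in_scope if covered else out_of_scope).append(line)
    return in_scope, out_of_scope, names


if __name__ == "__main__":
    ok, bad, unresolved = check_scope(SAMPLE_TARGETS, AUTHORISED_SCOPE)
    print("in scope:     ", ok)
    print("OUT OF SCOPE: ", bad)
    print("resolve first:", unresolved)
    if bad:
        raise SystemExit("refusing to launch: targets outside authorised scope")
```

Run it against your real targets file before pointing Nessus at it; with the sample input it reports 10.99.0.7 as out of scope and web01.corp.example as a name to resolve first. Shorthand forms this helper does not understand fall into the "resolve first" list rather than being waved through, which is the conservative failure mode you want in a scope check.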

After you have launched the scan, Nessus will start doing its thing. It will ping the target hosts, probe the ports, and attempt to identify the operating systems and detect the running services. You can monitor the progress of the entire scan or you can click a particular host to see its particular progress.

[Screenshot: Nessus v5.x scan in progress]

[Screenshot: Nessus v4.x scan progress - all targets]

[Screenshot: Nessus v5.x scan single target view]

[Screenshot: Nessus v4.x scan progress - single host]

When the scan completes, you can browse the results within the Nessus client or export them in .nessus, .db, PDF, CSV, or HTML format. Reports in the .nessus format are XML (the root element is NessusClientData_v2) and use an expanded set of XML tags so that findings can be extracted and parsed in a granular way; it is also the format to keep if you want to re-import the results or compare scans over time, since the PDF and HTML exports cannot be read back in.
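Because .nessus output is plain XML, extracting what you need from it takes only a few lines of code. The Python script below is an added example, not part of the original post or of Nessus; it parses a NessusClientData_v2 file into per-host findings, tallies them by severity, lists everything at or above a chosen severity, and flags hosts on which the scan ran without working credentials, which ties back to the advice above about credentialed scanning. The embedded report is constructed for the example (the hosts, the 9000xx plugin IDs and the finding names are placeholders); the credential check relies on the real 'Nessus Scan Information' plugin (ID 19506), whose output contains a 'Credentialed checks : yes' or 'no' line, so confirm that string against one of your own reports before relying on it.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# A cut-down .nessus (NessusClientData_v2) report constructed for this example.
# Hosts, the 9000xx plugin IDs and the finding names are placeholders, not real
# Nessus output; only the 'Nessus Scan Information' item (plugin 19506) mirrors
# a real plugin, whose output includes a 'Credentialed checks : yes/no' line.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Policy><policyName>constructed example policy</policyName></Policy>
  <Report name="constructed example scan">
    <ReportHost name="10.20.30.5">
      <HostProperties>
        <tag name="host-ip">10.20.30.5</tag>
        <tag name="operating-system">Linux (placeholder)</tag>
      </HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
          pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
        <plugin_output>Credentialed checks : yes
Scan duration : 120 sec</plugin_output>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
          pluginID="900001" pluginName="placeholder medium finding" pluginFamily="Misc.">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
          pluginID="900002" pluginName="placeholder high finding" pluginFamily="Web Servers">
        <risk_factor>High</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.20.30.6">
      <HostProperties><tag name="host-ip">10.20.30.6</tag></HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
          pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
        <plugin_output>Credentialed checks : no</plugin_output>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="1"
          pluginID="900003" pluginName="placeholder low finding" pluginFamily="Windows">
        <risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Values of the 'severity' attribute on ReportItem.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_report(xml_text):
    """Return one dict per ReportHost with its properties and findings."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "").strip() for t in host.iter("tag")}
        record = {
            "name": host.get("name"),
            "ip": props.get("host-ip", host.get("name")),
            "os": props.get("operating-system", "unknown"),
            "credentialed": None,  # unknown until the 19506 item is seen
            "findings": [],
        }
        for item in host.findall("ReportItem"):
            if item.get("pluginName") == "Nessus Scan Information":
                output = item.findtext("plugin_output", "")
                record["credentialed"] = "Credentialed checks : yes" in output
            record["findings"].append({
                "host": record["name"],
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "pluginID": item.get("pluginID", ""),
                "plugin": item.get("pluginName", ""),
            })
        hosts.append(record)
    return hosts


def severity_summary(hosts):
    """Per-host Counter of findings keyed by severity name."""
    return {h["name"]: Counter(SEVERITY.get(f["severity"], "Unknown")
                               for f in h["findings"]) for h in hosts}


def uncredentialed_hosts(hosts):
    """Hosts where the scan ran without working credentials (or never said)."""
    return [h["name"] for h in hosts if not h["credentialed"]]


def findings_at_least(hosts, min_severity):
    """All findings at or above min_severity, most severe first."""
    found = [f for h in hosts for f in h["findings"] if f["severity"] >= min_severity]
    return sorted(found, key=lambda f: (-f["severity"], f["host"], f["port"]))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NESSUS
    hosts = parse_report(text)
    for name, counts in severity_summary(hosts).items():
        print(name, dict(counts))
    print("hosts scanned without credentials:", uncredentialed_hosts(hosts))
    for f in findings_at_least(hosts, 3):
        print("%(host)s:%(port)d/%(protocol)s [%(severity)d] %(pluginID)s %(plugin)s" % f)
```

Run it as python parse_nessus.py scan.nessus against an exported report, or with no argument to see it work on the embedded sample. The uncredentialed-host list is the first thing to look at after a credentialed scan: a host that shows up there had its credentials rejected, and its clean-looking result is an unauthenticated scan in disguise.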

[Screenshot: Nessus v4.x report generation options]


The standard HTML report format is shown below.
[Screenshot: Nessus v4.x HTML report]


Nessus command line options

The command to start the Nessus server on Linux and Solaris is: /opt/nessus/sbin/nessus-service -D. You must have root privileges to do so. The command to stop the server is: /sbin/service nessusd stop (Red Hat, Fedora), /etc/init.d/nessusd stop (Debian, Ubuntu, and Solaris), or /etc/rc.d/nessusd stop (SuSE).

The standard nessus-service command syntax on Linux (the options are passed through to nessusd) is:

/opt/nessus/sbin/nessus-service [-vhD] [-c <config-file>] [-p <port-number>] [-a <address>] [-S <ip[,ip,...]>]

Nessusd command options:

-a <address>: When starting the nessusd server, only listen for connections on the specified IP address.
-c <config-file>: Use the specified server-side configuration file instead of the standard /opt/nessus/etc/nessus/nessusd.conf.
-D: Run the server in the background (daemon mode).
-h: Show a summary of the nessusd command options.
--ipv4-only: Listen on an IPv4 socket only.
--ipv6-only: Listen on an IPv6 socket only.
-K: Set a master password for the scanner.
-l: Display the plugin feed license information.
-p <port-number>: Listen for client connections on the specified port instead of the default. (Tenable's command-line documentation gives 1241 as that default; 1241 is the port of the old native Nessus client protocol, whereas the web interface you connected to above listens on 8834.)
-q: Quiet mode: suppress all messages to stdout.
-R: Force a re-processing of the plugins.
-S <ip[,ip2,...]>: Force Nessus to use the given IP address(es) as the source address of its scan traffic. This is only useful on a multihomed host with several addresses that you want to use instead of the default one; the host running nessusd must actually have these addresses configured on its interfaces.
-t: Check the time stamp of each plugin at startup and compile only newly updated plugins.
-v: Display the Nessus version number.

You can invoke the Nessus command-line client on Linux and Solaris with /opt/nessus/bin/nessus, or on Windows with %programfiles%\Tenable\Nessus\nessus. To run a scan from the command line you must use batch mode (the -q switch). Note that in batch mode the Nessus user name and password are passed as command-line arguments, so they are visible to other local users in the process list (ps) and end up in your shell history; run batch scans from a dedicated, locked-down scanning host, clear or disable history for that session, and use a Nessus account created just for automation so it can be rotated without affecting interactive users.

The standard nessus command syntax is:

nessus -q [-pPS] <host> <port> <user> <password> <targets-file> <result-file>

Nessus client command options:

--dot-nessus <file>: Always given as the first parameter to the nessus binary to indicate that a .nessus file will be used; <file> is the path of that .nessus file.
-h: Display the Nessus help message.
-i <input.[html|txt|nessus|nbe]>: Specify an input file for report conversion.
--list-policies: Print the names of all scan policies contained in the designated .nessus file. Used together with --dot-nessus, as in: /opt/nessus/bin/nessus --dot-nessus scan.nessus --list-policies
--list-reports: Print the names of all reports contained in the designated .nessus file. Used together with --dot-nessus, as in: /opt/nessus/bin/nessus --dot-nessus scan.nessus --list-reports
-o <output.[html|txt|nessus|nbe]>: Specify an output file for report conversion.
-p: Obtain a list of the plugins installed on the Nessus server.
-P: Obtain a list of the server and plugin preferences.
--policy-name <policy>: Given when launching a scan from the command line, where <policy> is the name of a policy contained in the designated .nessus file. The name must match exactly what --list-policies displays, including the single quotes. A sample command: nessus --dot-nessus scan.nessus --policy-name 'Full Safe w/ Compliance' <host> <port> <user> <password> <results-file>
-q: Enable batch mode, which runs the Nessus scan non-interactively.
-S: Produce SQL output for -p and -P.
-T <type>: Specify the format of the scan report (nbe, nessus, html, or text).
--target-file <file>: Override the targets contained in the designated .nessus file with those in <file>.
-v: Display the Nessus version number.
-V: Make batch mode display status messages on the screen.
-x: Disable checking of the server's SSL certificate. Use this only when the client and the scanner are on the same host; over a network it lets anyone who can intercept the connection present their own certificate and capture your Nessus credentials.


OpenVAS

OpenVAS (Open Vulnerability Assessment Server) is often mentioned in the same context as Nessus. OpenVAS is a free, open source vulnerability assessor (released under the GNU GPL license). Once known as GNessUs, OpenVAS is a fork of Nessus 2.2 (when Nessus was free and open source). OpenVAS will be covered by a forthcoming article on this website.


Further reference

If you experience difficulty or errors using Nessus, be sure to consult the Nessus Frequently Asked Questions (FAQs), then have a look at the Nessus user guide.

If your problem persists, visit the Nessus support forum to see if anyone has had experience with it before, or make a post to ask for help.

Once you are comfortable creating and launching vulnerability scans with Nessus, you should explore the links below to take your knowledge of Nessus to the next level.

Code.google.com, vulnerability-check script scans like Nessus
GDSsecurity.com, Using Nessus to Audit VMware vSphere Configurations
Github.com, Lapith, a simple Nessus results viewer
InfoSecInstitute.com, Network scanning with Nessus 5.0
Redspin.com, NBEsort.rb for Nessus
Seccubus.com, Seccubus, Nessus report automation and analysis
Tenable.com, Scanning large networks with Nessus
Tenable.com, Enabling Nessus on BackTrack 5
Tenable.com, Integrating Nessus with BackTrack 5’s tools
Tenable.com, Busting Nessus myths
Tenable.com, Importing NMAP XML results into Nessus
Tenable.com, Nessus-related blog entry list
Tenable.com, Using Nmap within Nessus
Toolswatch.org, RISU v1.4.5, formerly NessusDB, released (also see Github.com)
Youtube.com, Tenable Network Security videos


Recommended reading

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!

Nessus Network Auditing (Amazon)
Nessus, Snort, & Ethereal (Amazon)
Network Security Auditing (Amazon)
Network Security Assessment (Amazon)
Security Warrior (Amazon)
Security Power Tools (Amazon)


Written by Doug Vitale

March 2, 2012 at 2:08 PM
