If Nmap is the most popular free network scanning tool, then Nessus by Tenable is arguably the most widely used commercial vulnerability scanner. Nessus is designed to comprehensively scan network hosts for vulnerabilities and generate reports based on its findings. During a scan, Nessus probes ports and checks for software flaws that could be exploited by attackers or malware: outdated and vulnerable software, insecure configurations such as accounts with default passwords or no password at all, and the presence of risky services or daemons. In this respect Nessus is very similar to eEye Retina; the two tools have very different user interfaces, however, and Nessus is the more popular and widely deployed of the two, as multiple surveys on SecTools.org have shown over the years.
Nessus is available for both Linux and Windows. On both operating systems, Nessus operates as a server and as a client. The Nessus server (a Windows service or a Linux daemon called nessusd) performs the actual scanning, while the client presents the user with an interface and passes commands to the server. The Nessus server uses plugins to determine which flaws exist on the target hosts. Plugins are small programs that each look for a specific vulnerability (Nessus ships with tens of thousands of them). When Nessus can connect to the Internet it automatically downloads the latest plugins, which enable it to recognize and report the latest publicly known software weaknesses (such as those catalogued in MITRE's CVE list). There is also an embedded scripting language (NASL, the Nessus Attack Scripting Language) for writing your own custom plugins.
- Installing and using Nessus
- Nessus command line options
- Further reference
- Recommended reading
History of Nessus
Nessus was first released in 1998. Versions 1 and 2 were distributed as free and open source software (FOSS). Starting with version 3 in 2005, Tenable closed public access to the source code and began charging subscription fees for the plugin 'registered feed' (a free 'home feed' is still available for non-commercial installations of Nessus). Paying customers ($1500 annually at the time of writing) receive the latest plugins from Tenable along with technical support. Tenable describes the further differences between the two feeds on its website.
Starting with version 4, the Nessus client moved from a standalone application to a web-based interface that runs in a browser and makes heavy use of Flash.
Installing and using Nessus
Tenable provides clear installation instructions in the Nessus Installation Guide, so they will not be needlessly reproduced here. You can download the guides for versions 4.4 and 5.0 below.
- Nessus 4.4 Installation Guide (2.3 MB PDF)
- Nessus 5.0 Installation and Configuration Guide (2.2 MB PDF)
Before you can initiate a scan, you need to make sure that the Nessus server is running on your PC. On Linux you can check this by entering the command ps -ef | grep nessusd. If nessusd isn't running, enter the command /sbin/service nessusd start (Red Hat/Fedora), /etc/rc.d/nessusd start (SuSE), or /etc/init.d/nessusd start (Debian, Ubuntu, Solaris). In Windows, click the Start button, type services.msc, scroll to Tenable Nessus and make sure the service shows as running. If not, right-click on the Nessus line and choose 'Start'. In Windows you can alternatively check whether nessusd.exe is running in the Task Manager. Additionally, in Nessus 4 you can use the Nessus Server Manager interface to start or stop the Nessus server as well as to create the user accounts used to log in to the scanner.
Once the server is running in the background, you are ready to launch the Nessus client. Open your web browser and go to https://your_IP_address:8834/ or https://localhost:8834/ (the Nessus server listens on port 8834). Your browser will warn about the server's certificate (Internet Explorer) or an untrusted connection (Firefox). This is expected on first connection, because Nessus ships with a self-signed certificate; rather than making a habit of clicking through the warning, replace the certificate with one issued by your own CA (the installation guide describes how), or at least compare the certificate fingerprint the browser shows with the one on the server before typing in your credentials. You will then be presented with the login screen. To proceed, you must have created a user account on the Nessus server (see the 'Manage Users' button in the Nessus Server Manager).
When you have authenticated to the Nessus server, you will see the main client interface and you will be ready to create scan policies and configure scans.
Before you can launch a scan, you need to first configure a scan policy. This policy controls the options and features the scan will utilize when Nessus starts inspecting the target hosts. You can tailor the scan policies to be appropriate for the targets based on their operating systems, installed software, and network functions. For example, if you are scanning a group of Windows server hosts, you can configure a scan policy that is appropriate for the Windows operating system. If you are scanning a cluster of Linux servers running Apache, you can configure a scan policy that is appropriate for Linux and the Apache web server software.
To create a scan policy, click ‘Policies’ to get started. You will see the first page of the Policy creation interface.
As you can see, there are a great many ways to configure the scan policy. Take your time going through these options, as they influence the speed of your scans as well as the kind of results you will get at the end. On networks with good connectivity, try decreasing the network timeout from 5 to 3 seconds. If you are targeting servers with plenty of horsepower, try increasing the maximum checks per host from 5 to 10 or higher. You can also specify exactly which ports you want Nessus to probe, and you can enable or disable the TCP, UDP, and SYN scanners.
If you want the scan to log in to the target hosts, you need to provide valid credentials on the Credentials page. This is something you should definitely try to enable: when Nessus can log in to the target hosts with administrative or root credentials, it finds far more vulnerabilities (missing patches, local misconfigurations) than it can from the network alone. Use a dedicated scanning account rather than a shared administrator login, restrict where that account may log in from, and remember that the credentials are stored in the policy on the Nessus server, so protect access to that server accordingly.
The Plugins page is where you will spend some time enabling or disabling the plugins that are applicable to the scan you are about to run. The more you know about the target hosts (their operating systems, the software installed on them, and whether any of them are web servers, database servers, or networking devices such as routers and firewalls), the more precisely you can tailor the plugin selection. If you are unsure, leaving plugin families enabled is safer than guessing: Nessus only launches a plugin against a host once its service-detection dependencies have found a matching service, so an enabled but irrelevant family costs little. Be deliberate about the Denial of Service family, which can crash fragile services; disable it (and leave 'Safe checks' enabled in the Preferences) when scanning production systems. Then scroll through the list and select the plugin families you want Nessus to use.
The last step in creating a scan policy is to configure the general options in Preferences.
When you have finished with the Preferences, click 'Submit' and you will see the policy you just created under 'Policies' in the main Nessus client interface.
Now that your scan policy is done and ready to be used, you need to apply it to an actual scan by clicking the ‘Scans’ link in the main client interface. The scan properties simply consist of the target hosts (either IP addresses, IP ranges, or host names) and the time the scan should run (either immediately or at a scheduled time).
The names of your custom scan policies will appear in the ‘Please select a scan policy’ drop-down menu. You can then specify your targets by either typing them into the ‘Scan Targets’ box or by browsing to a text file containing the target IP addresses or host names.
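A mistake in the target list is the most common way to scan something you were not authorized to touch, so it is worth checking the list against the agreed scope before it goes into the 'Scan Targets' box (or into the targets file handed to the batch-mode client). The following is an added example written for this article, not Nessus code. It understands the target notations the Nessus client accepts (single addresses, CIDR blocks, dashed ranges such as 192.168.10.40-192.168.10.45, and host names, separated by newlines or commas). Host names are not resolved, which would need DNS, so they must appear on an explicit allow-list; the sample target list and scope lists are constructed for illustration.

```python
"""Check a Nessus-style target list against an authorized scope before scanning.

Added example; this is not Nessus code. Addresses, ranges and host names below
are constructed placeholders.
"""
import ipaddress
import re

# Constructed targets file, in the form you would paste into Nessus or pass as <targets-file>.
SAMPLE_TARGETS = """\
# web tier
192.168.10.0/28
192.168.10.40-192.168.10.45
# database tier
10.0.0.7, 10.0.0.8
db01.example.internal
# typo that would scan a network we are not authorized to touch
172.16.5.3
"""

# Constructed authorization scope (what the engagement letter or change ticket permits).
AUTHORIZED_NETWORKS = ["192.168.10.0/24", "10.0.0.0/28"]
AUTHORIZED_HOSTS = {"db01.example.internal"}

_RANGE = re.compile(r"^(\S+?)-(\S+)$")


def parse_targets(text):
    """Split a Nessus-style target list into entries, dropping blanks and # comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(",", " ").split())
    return entries


def expand_entry(entry):
    """Return the ip_network blocks covered by an address, CIDR or dashed range,
    or None when the entry is a host name."""
    try:
        return [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        pass
    m = _RANGE.match(entry)
    if m:
        try:
            lo = ipaddress.ip_address(m.group(1))
            hi = ipaddress.ip_address(m.group(2))
        except ValueError:
            return None  # a hyphenated host name such as web-01.example.internal
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"malformed range: {entry}")
        # A dashed range is covered by the minimal set of CIDR blocks spanning it.
        return list(ipaddress.summarize_address_range(lo, hi))
    return None


def check_scope(text, authorized_networks, authorized_hosts):
    """Partition the target list into (in_scope, out_of_scope) entries.

    An address entry is in scope only if every address it covers lies inside an
    authorized network; a host name is in scope only if it is on the allow-list."""
    nets = [ipaddress.ip_network(n) for n in authorized_networks]
    allowed_hosts = {h.lower() for h in authorized_hosts}
    in_scope, out_of_scope = [], []
    for entry in parse_targets(text):
        blocks = expand_entry(entry)
        if blocks is None:
            ok = entry.lower() in allowed_hosts
        else:
            ok = all(
                any(b.version == n.version and b.subnet_of(n) for n in nets)
                for b in blocks
            )
        (in_scope if ok else out_of_scope).append(entry)
    return in_scope, out_of_scope


if __name__ == "__main__":
    ok, bad = check_scope(SAMPLE_TARGETS, AUTHORIZED_NETWORKS, AUTHORIZED_HOSTS)
    print("in scope:     ", ", ".join(ok))
    print("OUT OF SCOPE: ", ", ".join(bad) or "none")
    if bad:
        raise SystemExit("refusing to launch: fix the target list first")
```

Run it against the real targets file as a pre-flight step; a non-zero exit on any out-of-scope entry is a cheap way to stop a scripted scan before it reaches the wrong network. A range that straddles the boundary of an authorized network is rejected as a whole, since part of it would be out of scope.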
After you have launched the scan, Nessus gets to work: it pings the target hosts, probes their ports, and attempts to identify the operating systems and detect the running services. You can monitor the progress of the entire scan or click a particular host to see its individual progress.
When the scan completes, you can browse the scan results within the Nessus client or export them in .nessus (XML), .nbe (pipe-delimited), or HTML format. The HTML report is the one to hand to people who only need to read the findings; the .nessus and .nbe formats are what you want for parsing, sorting, and tracking results with other tools. Treat exported reports as sensitive: they enumerate your weaknesses host by host, and a .nessus export also embeds a copy of the scan policy.
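Once results are in a machine-readable format, the first thing most practitioners want is a per-host severity summary and the list of CVEs behind the serious findings. The following is an added example written for this article, not Tenable code; it reads the .nessus v2 XML layout (ReportHost, HostProperties and ReportItem elements, with the severity, pluginID, pluginName, port, protocol and svc_name attributes). The embedded report is constructed for illustration: the hosts, plugin IDs, plugin names and CVE strings are placeholders, not real findings.

```python
"""Summarize an exported .nessus (v2 XML) report by host and severity.

Added example, not Tenable code. SAMPLE_REPORT is a constructed .nessus v2
document; its hosts, plugin IDs, plugin names and CVE strings are placeholders.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml if you ingest reports you did not produce
from collections import Counter

# Nessus severity attribute values and the names the client shows for them.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="constructed sample">
    <ReportHost name="192.168.10.5">
      <HostProperties>
        <tag name="host-ip">192.168.10.5</tag>
        <tag name="operating-system">Linux Kernel 2.6</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
          pluginID="900001" pluginName="SSH server banner (constructed)" pluginFamily="Service detection">
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
          pluginID="900002" pluginName="Outdated web server (constructed)" pluginFamily="Web Servers">
        <risk_factor>High</risk_factor>
        <cve>CVE-0000-0001</cve>
        <cve>CVE-0000-0002</cve>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.168.10.6">
      <HostProperties>
        <tag name="host-ip">192.168.10.6</tag>
        <tag name="operating-system">Microsoft Windows Server 2008</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
          pluginID="900003" pluginName="SMB signing not required (constructed)" pluginFamily="Windows">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="161" svc_name="snmp" protocol="udp" severity="1"
          pluginID="900004" pluginName="SNMP default community (constructed)" pluginFamily="SNMP">
        <risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """Flatten every ReportItem into a dict carrying its host context."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.findall("./HostProperties/tag")}
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "os": props.get("operating-system", "unknown"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "plugin_id": int(item.get("pluginID")),
                "plugin": item.get("pluginName", ""),
                "severity": int(item.get("severity", "0")),
                "cves": [c.text for c in item.findall("cve") if c.text],
            })
    return findings


def summarize_by_host(findings, minimum=1):
    """Count findings per host by severity name, ignoring anything below `minimum`
    (the default skips severity 0, which is informational output)."""
    summary = {}
    for f in findings:
        if f["severity"] >= minimum:
            name = SEVERITY_NAMES.get(f["severity"], str(f["severity"]))
            summary.setdefault(f["host"], Counter())[name] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def hosts_by_risk(findings):
    """Hosts ordered worst first: by highest severity seen, then by number of findings."""
    worst, count = {}, Counter()
    for f in findings:
        worst[f["host"]] = max(worst.get(f["host"], 0), f["severity"])
        count[f["host"]] += 1
    return sorted(worst, key=lambda h: (worst[h], count[h]), reverse=True)


def cves_by_plugin(findings):
    """Map plugin ID to the sorted CVEs it reported, across all hosts."""
    cves = {}
    for f in findings:
        cves.setdefault(f["plugin_id"], set()).update(f["cves"])
    return {pid: sorted(ids) for pid, ids in cves.items() if ids}


if __name__ == "__main__":
    results = parse_report(SAMPLE_REPORT)
    for host in hosts_by_risk(results):
        print(host, summarize_by_host(results).get(host, {}))
    print("CVEs by plugin:", cves_by_plugin(results))
```

Point parse_report at the text of a real export and the same functions give you a triage order for the hosts and a CVE list to feed into a ticketing or patch-tracking system. Because the report format is XML produced by your own scanner, the standard library parser is adequate; if you accept .nessus files from other parties, parse them with defusedxml instead.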
Nessus command line options
The command to start the Nessus server on Linux and Solaris is: /opt/nessus/sbin/nessus-service -D. You must have root privileges to do so. The command to stop the server is: /sbin/service nessusd stop (Red Hat, Fedora), /etc/init.d/nessusd stop (Debian, Ubuntu, and Solaris), or /etc/rc.d/nessusd stop (SuSE).
The standard nessus-service command syntax on Linux is shown below; nessus-service is the wrapper that launches nessusd and passes these options through to it:
/opt/nessus/sbin/nessus-service [-vhD] [-c <config-file>] [-p <port-number>] [-a <address>] [-S <ip[,ip,...]>]
Nessusd command options

| Option | Description |
| --- | --- |
| -a <address> | Tells nessusd to listen for client connections only on the IP address <address> (an IP address, not a host name). Use this on a multi-homed or gateway host so the management interface is not exposed on every interface. |
| -c <config-file> | Specifies the server-side configuration file to use instead of the default /opt/nessus/etc/nessus/nessusd.conf. |
| -D | Runs nessusd in the background (daemon mode). |
| -h | Shows a summary of the nessusd commands. |
| --ipv4-only | Sets nessusd to listen on an IPv4 socket only. |
| --ipv6-only | Sets nessusd to listen on an IPv6 socket only. |
| -K | Sets a master password for the scanner. |
| -l | Displays the plugin feed license information. |
| -p <port-number> | Tells nessusd to listen for client connections on <port-number> instead of the default port. |
| -q | Operates in quiet mode, suppressing all messages to stdout. |
| -R | Forces a re-processing of the plugins. |
| -S <ip[,ip2,...]> | Forces the source IP address of the connections Nessus makes during a scan to <ip>. Only useful on a multi-homed scanner; each listed address must be configured on one of its interfaces. |
| -t | Checks the time stamp of each plugin at start-up so that only newly updated plugins are compiled. |
| -v | Displays the Nessus version number. |
You can invoke the Nessus client on Linux and Solaris with the command /opt/nessus/bin/nessus, or on Windows with %programfiles%\Tenable\Nessus\nessus. To run a scan from the command line, you must run it in batch mode (with the -q switch). Note that batch mode takes the Nessus user name and password as command-line arguments, so they are visible in the process list and recorded in your shell history; run it only from an account and host you control, and use a dedicated Nessus user for scripted scans rather than your personal administrative login.
The standard nessus command syntax is:
nessus -q [-pPS] <host> <port> <user> <password> <targets-file> <result-file>
Nessus client command options

| Option | Description |
| --- | --- |
| --dot-nessus [file] | Always provided as the first parameter passed to the Nessus client; specifies the .nessus file to use. |
| -h | Displays the Nessus help message. |
| -i [input-file] | Specifies an input file (.html, .txt, .nessus, or .nbe) for report conversion. |
| --list-policies | Lists the names of all scan policies contained in the designated .nessus file. |
| --list-reports | Lists the names of all reports contained in the designated .nessus file. |
| -o [output-file] | Specifies an output file (.html, .txt, .nessus, or .nbe) for report conversion. |
| -p | Obtains a list of the plugins installed on the Nessus server. |
| -P | Obtains a list of the server and plugin preferences. |
| --policy-name [policy] | Provided when launching a scan from the command line; [policy] is the name of a policy contained in the designated .nessus file. |
| -q | Enables batch mode, which runs the Nessus scan non-interactively. |
| -S | Issues SQL output for -p and -P. |
| -T [type] | Specifies the format of the scan report (nbe, nessus, html, or text). |
| --target-file [file] | Overrides the targets contained in the designated .nessus file with those listed in [file]. |
| -v | Displays the Nessus version number. |
| -V | Makes batch mode display status messages on the screen. |
| -x | Disables the checking of SSL certificates. Because the batch client sends the Nessus user name and password to whatever answers on <host>:<port>, use this only on a network you trust and only until you have installed a certificate the client can verify. |
OpenVAS (Open Vulnerability Assessment System) is often mentioned in the same context as Nessus. OpenVAS is a free, open source vulnerability scanner released under the GNU GPL. Once known as GNessUs, OpenVAS is a fork of Nessus 2.2, from the time when Nessus was still free and open source. OpenVAS will be covered by a forthcoming article on this website.
Further reference
If you experience difficulty or errors using Nessus, be sure to consult the Nessus Frequently Asked Questions (FAQs). Then have a look at the Nessus user guide for the version you are using.
If your problem persists, visit the Nessus support forum to see if anyone has had experience with it before, or make a post to ask for help.
Once you are comfortable creating and launching vulnerability scans with Nessus, you should explore the links below to take your knowledge of Nessus to the next level.
- InfoSecInstitute.com, Network scanning with Nessus 5.0
- Redspin.com, NBEsort.rb for Nessus
- Tenable.com, Scanning large networks with Nessus
- Tenable.com, Enabling Nessus on BackTrack 5
- Tenable.com, Integrating Nessus with BackTrack 5's tools
- Tenable.com, Busting Nessus myths
- Tenable.com, Importing Nmap XML results into Nessus
- Tenable.com, Nessus-related blog entry list
- Toolswatch.org, RISU v1.4.5, formerly NessusDB, released (also see Github.com)
- Archive.org, When, how, and why (not) to use Nmap with Nessus (possibly no longer relevant)
Recommended reading
If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!