In my last blog post, I mentioned about Nessus licenses and installation processes. Today, I would like to write about usage of Nessus.
After you register and activate the nessus server, it will start to download and then update the plugins. Plug-ins are kind of virus signatures. Plug-ins test the common vulnerabilities on a machine. Nessus plugins are written on Nessus Attack Scripting Language (NASL). [It might be a good idea to have articles for how to write NASL too.]
Updating plug-ins (for the first time) can take up to 20 minutes so be patient.
Start Nessus Client from Start->Applications->Tenable->Nessus Client.
Click the ‘+’ sign at the left. This will bring ‘Target Window’ where we can set which targets we want to scan.
We have 4 options that we can use the scan the network. The first one is single host. You can use the hostname or the IP address. (example.com or 18.104.22.168)
Second option is IP range. Basically, we can provide a valid ip range such as 192.168.0.1-192.168.0.254.
We can also scan a subnet by providing its network and subnet address. (Network Address: 192.168.0.0; Subnet mask: 255.255.255.0)
We can provide host names or IP we want to scan in a text file. This is beneficial if you already have the list of the machines you want to scan and don’t want to scan all the network.
Choose what ever option you like and then click ‘Save’.
Connecting to the Nessus Server
We will use ‘connection manager’ to connect to the Nessus server.
First, click the Connect button at the lower left side. It should bring connection manager.
As you see, by default we can connect the localhost. (since I have running nessus server on the local machine I will use this option.) If we have our server on a different machine than local machine, then click plus sign at the bottom left side.
You can name the new connection and choose the authentication method you want. You can simply use password based authentication or SSL based authentication.
After you set up the connection, click ‘Save’. You should see a ‘New Certificate Window’ if you are connecting to the server first time. Click ‘Yes’ and login to the server.
Now, we need to add a new policy. Click the plus sign at the right side and save this policy as Default Policy. In this way, you will always have the default policy in the policy section. Let’s create a more specific policy. We will scan a Linux server (CentOS) which has Apache and MySQL on it.
To create a new specific policy for our example, click the plus sign again and then hit ‘Plugin Selection’ tab. The server we are scanning is a CentOS Linux. So we don’t need to have Local Security Checks Plug-ins for Windows, Fedora, Redhat, Ubuntu and Debian. Uncheck all of these (Of course you will uncheck the ones except your OS). Same thing goes with IIS Webserver. Now, click Policy tab and save this Policy as Linux_CentOS Policy.
Important Note: The “Denial of Service” family contains some plugins (all of DoS plugins are enabled by default) that could cause outages on a corporate network if the “Safe Checks” option (Safe Check is also enabled by default-it is under the Options tab) is not enabled, but does contain some useful checks that will not cause any harm. The “Denial of Service” family can be used in conjunction with “Safe Checks” to ensure that any potentially dangerous plug-ins are not run. However, it is recommended that the “Denial of Service” family not be used on a production network.
Let’s start scanning by clicking ‘Scan now’ button at the below.
After scan completes, you can see the result under the ‘Report’ section.
Nessus found one medium and 8 low risks. Usually, you can ignore the low risk and you can ignore the medium risk for some cases.Orange color on a port number (in our example, it is port 80 ) means the highest risk is medium. Red means highest risk is a ‘high risk’ (!) and black means it is a ‘low risk’.
Nessus gives the important information about possible vulnerabilities. You will see Synopsis, Description, Solution, Risk Factor and Plugin Output on the report.
We can sort the output based on Vulnerabilities, hosts, ports, IPs (one host can have more than one IP, right!) by using ‘View Template’ button on the lower right side.
We can export the report as html which is useful. We can also get CVE output and create an excel file if it is some thing you want. ( I prefer creating excel files using csv templates on Nessus, it makes my report more customizable)
In this blog post, we learned how to configure a Nessus client and connect it to a Nessus server, how to scan networks, and how to read Nessus reports. In the next blog post(s), we look into more details about scanning progress and user management on Nessus.