Network Scanning Using Nessus

Posted: December 25, 2012 in Network Security

What is Nessus

If you are looking for a vulnerability scanner, you have probably come across several expensive commercial products and tools with a wide range of features and benefits.

If a full-featured free vulnerability scanner is what you have in mind, then it is time to get to know Nessus. This article covers installing Nessus, configuring and selecting policies, starting a scan, and analyzing the reports produced by the Nessus vulnerability scanner.

Nessus was created by Renaud Deraison in 1998 to give the Internet community a free remote security scanner. It is a full-fledged vulnerability scanner that lets you detect potential vulnerabilities in your systems. Nessus is the world's most popular vulnerability scanning tool and is supported by most security research teams around the world.

The tool is free of cost for non-commercial, non-enterprise use. Nessus uses a web interface for setup, scanning and viewing reports. It has one of the largest vulnerability knowledge bases, and this knowledge base is a large part of why the tool is so popular.

Key Features:

  • Identifies vulnerabilities that would allow a remote attacker to access sensitive information on the system.
  • Checks whether the systems in the network have the latest software patches.
  • Tries default and common passwords on system accounts.
  • Configuration audits
  • Vulnerability analysis
  • Mobile device audits
  • Customized reporting

For more details on the features of Nessus visit: http://www.tenable.com/products/nessus/nessus-product-overview/nessus-features

Operating Systems that Support Nessus

Microsoft Windows XP/Vista/7
Linux
Mac OS X (10.5 and higher)
FreeBSD
Sun Solaris, and many more

Installation & Configuration

  • You can download the Nessus HomeFeed (free) or ProfessionalFeed version from the following link:

http://www.tenable.com/products/nessus/

  • Once you have downloaded Nessus, you need to register on the official Nessus website to generate the activation code that is required to use the tool. You can do this from the following link:

http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code

  • Click on "Nessus for Home" and enter the required details.
  • An e-mail containing the activation code will be sent to your address.
  • Install the tool. (Installing Nessus can be confusing, so the tutorials are worth following.) For installation guidelines go to http://static.tenable.com/documentation/nessus_5.0_installation_guide.pdf, find your operating system and follow the steps described in the PDF.
  • Open Nessus in the browser; it normally listens on port 8834.

Browse to http://localhost:8834/WelcomeToNessus-Install/welcome and follow the on-screen instructions.

  • Create a Nessus user account.
  • Enter the activation code you obtained by registering on the Nessus website. You can also configure a proxy here if needed by giving the proxy hostname, proxy username and password.
  • The scanner then registers with Tenable and creates the user.
  • It then downloads the necessary plugins. (Downloading the plugins takes some time; while you watch the progress screen you can go through the large list of resources available to Nessus users.)

Once the plugins have been downloaded you are automatically redirected to a login screen. Provide the username and password you created earlier to log in.

Running the Tool:

Nessus gives you many choices when it comes to running the actual vulnerability scan. You can scan individual computers, ranges of IP addresses or complete subnets. Nessus ships with over 1200 vulnerability plugins, with which you can specify an individual vulnerability or a set of vulnerabilities to test for. Unlike some other tools, Nessus does not assume that a particular service is running on a common port; instead it attempts to exploit the vulnerabilities it checks for.

The foundations for discovering vulnerabilities in a network are:

  • Knowing which systems exist
  • Knowing which ports are open and which listening services are available on those ports
  • Determining which operating system is running on the remote machine

Once you log in to Nessus through the web interface, you will see the following options:

  • Policies - configure the options required for a scan
  • Scans - add and launch scans
  • Reports - analyze the results

The basic workflow of Nessus is: log in, create or configure a policy, run the scan, and analyze the results.

POLICIES:

A policy is the set of vulnerability tests that you want to perform on the target machine. By default Nessus ships with 4 policies.

Figure: the default policies that come with Nessus.

External Network Scan:

This policy is pre-configured so that Nessus scans externally facing hosts, i.e. hosts that expose services to the outside. It scans all 65,535 ports of the target machine. It is also configured with the plugins required for web application vulnerability tests such as XSS.

Internal Network Scan:

This policy is configured to scan large internal networks with many hosts, services and embedded systems such as printers. It scans only the standard ports instead of all 65,535 ports.

Web App Tests:

Nessus uses this policy to detect the different types of vulnerabilities that exist in web applications. It can spider the entire web site and discover the content and links in the application. Once the spidering has completed, Nessus starts discovering the vulnerabilities that exist in the application.

Prepare for PCI DSS audits:

This policy has the PCI DSS (Payment Card Industry Data Security Standard) checks enabled. Nessus compares the results against the standard and produces a report for the scan. A clean scan does not guarantee a secure infrastructure. Organizations preparing for a PCI DSS audit can use this policy to prepare their network and systems.

Apart from these pre-configured policies you can also upload a policy by clicking on "Upload", or configure your own policy according to your scan requirements by clicking on "New Policy".

Configuring the Policy:

  • Click on the Policies tab at the top of the screen
  • Click on the New Policy button to create a new policy

Under the General settings tab, select the "setting type" according to the scan requirement, such as Port Scanning, Performance, etc. Depending on the type, Nessus prompts for different options that have to be filled in. For example, "Port Scanning" has the following options.

Figure: the configuration options for Port Scanning.

Enter the port scan range. By default Nessus scans all the TCP ports listed in the /etc/services file. You can limit the ports by specifying them manually (for example 20-30). Different scanners are available, such as the Nessus SNMP scanner, the SSH scanner, ping remote host, the TCP scanner, the SYN scanner, etc. Enable each one by ticking its check box as the scan requires.

  • Enter the credentials for the scan to use. You can use a single set of credentials or multiple sets if you have them. You can also run the scan without entering any credentials.
  • The Plugins tab lists a large number of plugins. By default Nessus has all the plugins enabled. You can enable or disable all the plugins at once, or enable just a few from a plugin family according to the scan you want to perform. You can also disable individual unwanted plugins within a plugin family by clicking on the particular plugin.

Figure: the sub-plugins of the Backdoors plugin family.

In the figure above, the green entry is the parent plugin family and the blue entries are the sub-plugins, i.e. the individual plugins under the Backdoors family. You can enable or disable them by simply clicking on the enabled button.

  • In Preferences, a drop-down box lets you select different types of plugin settings. Select the plugin according to the scan requirement and specify the settings the plugin needs. Click Finish once completed. For example, configure the database settings:

Figure: the configuration of the Database settings plugin.

SCANS:

Once you have configured the policies according to your scan requirements, you need to configure the scan details properly. You do this under the Scans tab.

Under the Scans tab, you can create a new scan by clicking "New Scan" at the top right. A pop-up appears where you enter the Scan Name, Scan Type, Scan Policy and Target.

  • Scan Name: the name you want to give the scan
  • Scan Type: you can run the scan immediately by selecting "Run Now", or make a template that you can launch later whenever you want to run it. All templates are kept under the Templates tab beside the Scans tab.
  • Scan Policy: select the policy you configured earlier in the Policies section.
  • Scan Target: enter the target machine(s) you plan to test. The time Nessus takes to scan depends on the targets.
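The port range syntax mentioned for the policy (for example 20-30) and the target list entered here (single IPs, ranges or whole subnets) together decide how much work a scan is, which is why the Internal Network Scan policy sticks to standard ports. As an added example that is not part of the original article, the following Python helpers expand such a port specification and a comma-separated list of IPs and CIDR subnets into the concrete ports and hosts a scan would touch, reject malformed ranges, and estimate the number of port probes implied; the function names are my own and the sample inputs are constructed TEST-NET addresses.

```python
import ipaddress

MAX_PORT = 65535


def parse_port_spec(spec):
    """Expand a Nessus-style port specification such as "20-30,80,443"
    into a sorted list of distinct port numbers.

    Raises ValueError for ports outside 1-65535 or for reversed ranges,
    so a typo in the policy is caught before a scan is launched.
    """
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low_text, high_text = part.split("-", 1)
            low, high = int(low_text), int(high_text)
        else:
            low = high = int(part)
        if not (1 <= low <= high <= MAX_PORT):
            raise ValueError(f"invalid port range: {part!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def expand_targets(spec):
    """Expand a comma-separated target list of single IPs and CIDR
    subnets (e.g. "192.0.2.0/30, 198.51.100.5") into host addresses.

    A single address is kept as-is; a subnet yields its usable hosts
    (network and broadcast addresses are dropped, as ipaddress does).
    """
    hosts = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        network = ipaddress.ip_network(part, strict=False)
        if network.num_addresses == 1:
            hosts.append(str(network.network_address))
        else:
            hosts.extend(str(host) for host in network.hosts())
    return hosts


def estimate_probes(port_spec, target_spec):
    """Number of (host, port) pairs a TCP port scan would have to probe.

    Shows why scanning all 65,535 ports on a large internal subnet is
    far more expensive than restricting a policy to standard ports.
    """
    return len(parse_port_spec(port_spec)) * len(expand_targets(target_spec))


if __name__ == "__main__":
    # Constructed sample inputs (TEST-NET addresses, not real targets).
    print(parse_port_spec("20-30,80,443"))
    print(expand_targets("192.0.2.0/30, 198.51.100.5"))
    print(estimate_probes("1-65535", "192.0.2.0/24"))
```

Run it before creating the scan to sanity-check the scope: a /24 scanned on every TCP port is over sixteen million probes, while the same subnet on a short port list is a few thousand.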

Results:

Once the scanning process has completed successfully, the results can be analyzed under Results.

  • Once the scan has completed, the name of the scan appears in the Results section. Click on the name to see the report.
  • Hosts: lists all the target systems you have scanned
  • Vulnerabilities: displays all the vulnerabilities found on the target machines that were tested
  • Export Results: you can export the results to different formats such as HTML, PDF, etc. You can also export an individual section or the complete result, as required.

Let us try out an example now.

I have configured a policy named "Basic Scan". We have many options while configuring or building the policy, such as port scanners, performance of the tool, Advanced, etc.

Figure: the Port Scanning configuration settings for the policy "Basic Scan".

You do not need credentials for this scan, so skip the Credentials tab and move to the Plugins tab. Configure the specific plugins according to the scan you want to perform on the remote machine.

Figure: the plugins I have enabled for the policy "Basic Scan". I have enabled a few plugins for a Windows machine scan.

Figure: configuring the scan.

I have configured the scan to run immediately with the policy I created earlier, and the scan target specifies the IP address I want to scan.

Once all the details have been entered, click on Create Scan. The scan then shows as running, as in the figure below.

Figure: the scan in progress.

Once the scan has completed you can see the results in the Results tab, as the figure below shows.

Figure: the completed scan listed under Results.

Double-clicking on the title displays the scan results.

Figure: the scan results.

Figure: the Hosts details. This view includes all the targets you scanned during the test. Double-clicking on a host address displays the vulnerabilities Nessus identified on it. You can also click on the Vulnerabilities tab to review the vulnerabilities directly.

Figure: the vulnerabilities Nessus found during its scan. Based on the risk, Nessus marks each one as High, Medium, Info, etc. Clicking on a vulnerability gives you a brief description of it.

For example, the Netstat portscanner entry displays the following information.

Figure: the ports open on the target machine.

In the same manner you can analyze the complete details by clicking on each of the vulnerabilities. Nessus also suggests solutions or remedies for the vulnerabilities, with a few references.
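Besides the HTML and PDF exports, Nessus can save a report in its own .nessus XML format (NessusClientData_v2), where each ReportHost element holds one ReportItem per finding with the port, protocol, plugin name, numeric severity and the solution text mentioned above. As an added example that is not code from the article or from Tenable, here is a small Python parser for that format which rebuilds the Hosts, Vulnerabilities and open-ports views from a constructed sample export; the addresses are TEST-NET, and the plugin IDs and names in the sample are placeholders, not real Nessus plugins.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Numeric severity used in .nessus ReportItem attributes (0 = Info).
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: addresses are TEST-NET, plugin IDs and names
# are placeholders, not real Nessus plugins.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Basic Scan">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
        <tag name="operating-system">Microsoft Windows 7</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="EXAMPLE SMB service flaw"
                  pluginFamily="Windows">
        <description>Constructed high-severity finding.</description>
        <solution>Apply the vendor patch and restrict SMB exposure.</solution>
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="EXAMPLE web server disclosure"
                  pluginFamily="Web Servers">
        <solution>Disable the verbose banner.</solution>
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="EXAMPLE OS identification"
                  pluginFamily="General">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <HostProperties>
        <tag name="host-ip">192.0.2.11</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="900004" pluginName="EXAMPLE weak SSH setting"
                  pluginFamily="Misc.">
        <solution>Tighten the SSH configuration.</solution>
        <risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten a .nessus (NessusClientData_v2) document into finding dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {tag.get("name"): (tag.text or "") for tag in host.iter("tag")}
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "os": props.get("operating-system", "unknown"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def severity_summary(findings):
    """Per-host counts by severity label, like the Hosts view in the UI."""
    summary = {}
    for f in findings:
        label = SEVERITY_NAMES.get(f["severity"], "Unknown")
        summary.setdefault(f["host"], Counter())[label] += 1
    return summary


def open_ports(findings):
    """Distinct (host, port, protocol) triples. Port 0 marks a host-level
    check rather than a listening service, so it is excluded."""
    return sorted({(f["host"], f["port"], f["protocol"])
                   for f in findings if f["port"] > 0})


def actionable(findings, min_severity=2):
    """Findings at or above a severity threshold, worst first, carrying the
    solution text Nessus attaches so a remediation list can be produced."""
    chosen = [f for f in findings if f["severity"] >= min_severity]
    return sorted(chosen, key=lambda f: -f["severity"])


if __name__ == "__main__":
    results = parse_nessus(SAMPLE_NESSUS)
    for host, counts in severity_summary(results).items():
        print(host, dict(counts))
    for f in actionable(results):
        print(f"{f['host']}:{f['port']} {f['plugin_name']} -> {f['solution']}")
```

To use it on a real export, read the .nessus file into a string and pass it to parse_nessus; the per-host severity counts, the open-port list and the remediation list then come straight from the same data the web interface renders, which makes it easy to diff two scans of the same policy over time.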

Conclusion

Nessus is a tool that automates scanning networks and web applications for vulnerabilities and also suggests solutions for the vulnerabilities identified during the scan.

I have written an article for InfoSec Institute about this. The complete article is available at InfoSec Institute. Take a look at the web application security course offered by InfoSec Institute.
