image for Vulnerability scanning with nessus tutorial
Vulnerability scanning with nessus tutorial

Vulnerability scanning with nessus tutorial

Nessus is a vulnerability scanner.

Nessus can scan your website, or network for vulnerabilities.
Nessus allows you to be proactive in securing your base so that all your base belongs to you :D

jump to:

Installing Nessus

You can get Nessus from nessus.org. nessus installs on windows and Linux and osx.

Picking a Feed

Once you install Nessus you need to activate a ‘feed’ before you can use it.
The feed will keep your Nessus plugins up-to-date with the latest security issues.
There are two options for this:

  1. Professional feed
  2. Home feed

The professional feed will give you access to lots of nice plugins, the home feed will give you lots of plugins, but not quite as many as the pro feed does. you need to pick one. once you register Nessus will send you an email with an activation code in it and instructions on how to activate your feed. once activated Nessus will take a while to load on first run. this is normal.

Nessus Front-end

When you have Nessus up and running you will want to scan something. this is a Nessus tutorial after all, so ill begin:

Nessus splits its web front end into 4 sections:
Reports, Scans, Policies and Users

Reports are just that – this section contains the reports from all the past scans that you have run against a target or a set of targets.

Scans are where you configure the settings to run a new scan (eg running an XSS check against your own website)

Policies are where you configure the things that you would like to run during the scans configured above. eg you could make a policy for ‘pci compliance’ and another for ‘front end XSS checks’

Users are to give the system some permission control over which policies users can run.

Nessus Policies

The policy section uses plugins. one for each type of test.
there are lots and lots of plugins and lots and lots of settings to choose from, but ill give you a basic set to get you started.

  • point your browser at https://localhost:8834
  • login
  • goto policies
  • click ‘add’
  • give your policy a name, like ‘basic scan’
  • make your new policy ‘shared’
  • give your new policy a description

You now need to set some things for your policy

  • enable ‘save knowledge base’
  • enable ‘safe checks’ so that you don’t cripple your own server
  • enable silent dependencies’
  • enable ‘log scan details to server’
  • enable ‘stop host scan on disconnect’
  • enable ‘avoid sequential scans’
  • enable ‘Reduce parallel connections on congestion’
  • enable ‘use kernel congestion detection’ if you run linux
  • enable ‘syn scan’
  • enable ‘snmp scan’
  • enable ‘netstat scan’
  • enable ‘netstat wmi scan’
  • enable ‘ping host’

All of the options and setting descriptions are available in the Nessus user manual: http://static.tenable.com/documentation/nessus_4.4_user_guide.pdf [page 11]

By default Nessus loads all plugins. so the next thing you want to do is

  • click on ‘plugins on the left
  • go to the bottom and click ‘uncheck all’
  • enable ‘cgi abuses’
  • enable ‘cgi abuses: XSS’
  • enable ‘gain a shell remotely’
  • enable ‘Service detection’
  • enable ‘Settings’
  • enable ‘Web Servers’
  • you can enable ‘X local security checks’ where X is the OS of your server, eg CentOs local security checks or Slackware local security checks.

Each of the plugins in Nessus comes with a description, so if you don’t know what it is, just select it and read the description

The next step is to click ‘Preferences’ on the right.

  • from the drop down select ‘Do not scan fragile devices’
  • make sure both are unchecked.
  • from the drop down select ‘Global variable settings’
  • enable ‘enable CGI scanning’
  • enable ‘Enable Experimental scripts’
  • enable ‘Thorough tests (slow)’
  • make ‘report verbosity’ be ‘verbose’
  • from the drop down select ‘Web Application Tests Settings’
  • enable ‘Enable web application tests’
  • enable ‘send POST requests’
  • enable ‘HTTP parameter pollution’

Hit ‘submit’ to save all the settings.

Once you have configured a policy it is then available to users with sufficient permissions to use as ‘parameters’ for a scan. Once you have set up the policies correctly then you don’t need to set them up every time!!!

I’m not going to explain what these are, there is lots of information available, and if you do know what they are then good =)

Nessus Scans

Once you have a policy in place you can initiate a scan:

  • go to the scans tab
  • hit ‘add’
  • give your new scan a name – this is the name that will appear in the report’s section with the results of your scan
  • select the type ‘run now’ – you can also set scheduled scans if you like
  • select your previously created policy
  • type in a target hostname, ip-address or range of ip-addresses etc
  • click ‘launch scan’ to start your scan!

Wait for the scan to complete and then go to the reports tab to view the results =)

Nessus Resources

I’ve found a few good tutorials that explain to you how the parameters work and how to start scanning your sites for different vulnerabilities

very good tutorial showing you how to install nessus in backtrack linux

http://www.symantec.com/connect/articles/introduction-nessus has some good info; though a bit outdated

there is, of course http://www.nessus.org/documentation/ which has lots of info

http://www.tenable.com/blog/how-to-audit-an-internet-facing-server-with-nessus is excellent.

and http://www.tenable.com/blog/scanning-web-applications-that-require-authentication is a must.

  • http://www.moe.co.uk Jacko

    Nessus appears to be used at a lot of the PCI compliance testing places, so, it is a good one to run yourself.

    • Jaizon Lubaton

      Thanks for this!

  • Jaizon Lubaton

    Thanks, Your basic policy configuration, is what i need to check for PCI Compliance

  • commonSense

    This is not a tutorial. It simply shows a user how to configure Nessus like you do. It teaches nothing.

    • http://jonathansblog.co.uk jonathan

      it doesnt teach anything, except how to setup nessus like i do for testing basic pci compliance. rtard.