Nessus tutorial – Vulnerability scanning with Nessus

This is a short nessus tutorial to help you get to grips with nessus. Nessus is a vulnerability scanner. Nessus can scan your assets for network security vulnerabilities. Nessus allows you to be proactive in securing your base so that all your base belongs to you :D

Nessus tutorial quick links:

• installing Nessus
• picking a feed
• a quick overview of Nessus web fronted
• configuring a Nessus policy
• initiating a scan
• resources

Nessus tutorial: Installing Nessus

You can download Nessus from nessus.org. Nessus installs on windows and Linux and osx.

If you have already installed nessus, then you can keep it updated by running:

/opt/nessus/sbin/nessuscli update

if nessus needs a ‘core upgrade’ then you can run

service nessusd stop
/opt/nessus/sbin/nessuscli update

Nessus tutoral: Picking a Feed

Once you install Nessus you need to activate a ‘feed’ before you can use it. The feed will keep your Nessus plugins up-to-date with the latest security issues.
There are two options for this:

1. Professional feed
2. Home feed

The professional feed will give you access to lots of nice plugins. The home feed will give you lots of plugins, but not quite as many as the pro feed does. You need to pick one. Once you register Nessus will send you an email with an activation code in it and instructions on how to activate your feed. Once activated Nessus will take a while to load on first run. This is normal.

Nessus Front-end

When you have Nessus up and running you will want to scan something. This is a Nessus tutorial after all, so ill begin:

Nessus splits its web front end into 4 sections:
Reports, Scans, Policies and Users

Reports are just that – this section contains the reports from all the past scans that you have run against a target or a set of targets.

Scans are where you configure the settings to run a new scan (eg running an XSS check against your own website)

Policies are where you configure the things that you would like to run during the scans configured above. eg you could make a policy for ‘pci compliance’ and another for ‘front end XSS checks’

Users give the system some permission control over which policies users can run.

Nessus tutorial: Nessus Policies

The policy section uses plugins. One for each type of test. There are lots and lots of plugins and lots and lots of settings to choose from, but ill give you a basic set to get you started.

• point your browser at https://localhost:8834
• login
• goto policies
• click ‘add’
• give your policy a name, like ‘basic scan’
• make your new policy ‘shared’
• give your new policy a description

You now need to set some things for your policy

• enable ‘save knowledge base’
• enable ‘safe checks’ so that you don’t cripple your own server
• enable silent dependencies’
• enable ‘log scan details to server’
• enable ‘stop host scan on disconnect’
• enable ‘avoid sequential scans’
• enable ‘Reduce parallel connections on congestion’
• enable ‘use kernel congestion detection’ if you run linux
• enable ‘syn scan’
• enable ‘snmp scan’
• enable ‘netstat scan’
• enable ‘netstat wmi scan’
• enable ‘ping host’

All the options and setting descriptions are available in the Nessus user manual [page 11]

By default Nessus loads all plugins. The next thing you want to do is

• click on ‘plugins on the left
• go to the bottom and click ‘uncheck all’
• enable ‘cgi abuses’
• enable ‘cgi abuses: XSS’
• enable ‘gain a shell remotely’
• enable ‘Service detection’
• enable ‘Settings’
• enable ‘Web Servers’
• you can enable ‘local security checks’ for the OS of your server, eg Slackware local security checks.

Each of the plugins in Nessus comes with a description, so if you don’t know what it is, just select it and read the description

The next step is to click ‘Preferences’ on the right.

• from the drop down select ‘Do not scan fragile devices’
• make sure both are unchecked.
• from the drop down select ‘Global variable settings’
• enable ‘enable CGI scanning’
• enable ‘Enable Experimental scripts’
• enable ‘Thorough tests (slow)’
• make ‘report verbosity’ be ‘verbose’
• from the drop down select ‘Web Application Tests Settings’
• enable ‘Enable web application tests’
• enable ‘send POST requests’
• enable ‘HTTP parameter pollution’

Hit ‘submit’ to save all the settings.

Once you have configured a policy it is then available to users with sufficient permissions to use as ‘parameters’ for a scan. Once you have set up the policies correctly then you don’t need to set them up every time!!!

I’m not going to explain what these are, there is lots of information available, and if you do know what they are then good =)

Nessus tutorial: Nessus Scans

Once you have a policy in place you can initiate a scan:

• go to the scans tab
• hit ‘add’
• give your new scan a name – this is the name that will appear in the report’s section with the results of your scan
• select the type ‘run now’ – you can also set scheduled scans if you like
• select your previously created policy
• type in a target hostname, ip-address or range of ip-addresses etc
• click ‘launch scan’ to start your scan!

Wait for the scan to complete and then go to the reports tab to view the results =)

Nessus Tutorial: Resources

I’ve found a few good nessus tutorial that explain to you how the parameters work and how to start scanning your sites for different vulnerabilities

Very good tutorial showing you how to install nessus in backtrack linux

http://www.symantec.com/connect/articles/introduction-nessus has some good info; though a bit outdated

There is, of course http://www.nessus.org/documentation/ which has lots of info

http://www.tenable.com/blog/how-to-audit-an-internet-facing-server-with-nessus is excellent.

http://www.tenable.com/blog/scanning-web-applications-that-require-authentication is a must.

Hopefully this nessus tutorial for beginners sets you on the path to finding and patching vulnerabilities in your assets and provides a high-level security view over your machines – You might want to check my metasploit beginners tutorial