If you are looking for a vulnerability scanner, you might have came across several expensive commercial products and tools, with wide range of features and benefits. If a full featured free vulnerability scanner is on your mind, then it’s time to know about Nessus. The article covers installation, configuring and select policies, starting a scan, analyzing the reports using NESSUS Vulnerability Scanner.
Nessus was founded by Renuad Deraison in the year 1998 to provide to the Internet community a free remote security scanner. It is one of the full fledged vulnerability scanners which allow you to detect potential vulnerabilities in the systems. Nessus is the world’s most popular vulnerability scanning tool and supported by most of the research teams around the world.
The tool is free of cost and non-commercial for non-enterprises. Nessus uses web interface to set up, scan and view repots. It has one of the largest vulnerability knowledge bases and because of this KB the tool is very popular.
Nessus supports wide range of operating systems that include Windows XP/7, Linux, Mac OS X, Sun Solaris, etc.
- Identifies Vulnerabilities that allow a remote attacker to access sensitive information from the system.
- Checks whether the systems in the network has the latest software patches.
- Tries with Default passwords, common passwords, on systems account
- Configuration audits.
- Vulnerability analysis.
- Mobile Device audits.
- Customized reporting.
Installation & Configuration:
- You can download the Nessus home feed (free) or professional feed from Nessus website.
- Once you download the Nessus home tool, you need to register for generating an activation key. The activation key will be sent to your email id.
- Install the tool (Installation of nessus tool will be quite confusing and the installation guide comes handy).
- Open the Nessus in the browser, normally it runs on the port 8834 -
http://localhost:8834/WelcomeToNessus-Install/welcome and follow the screen.
- Create an account with Nessus.
- Enter the activation code you have obtained by registering with the Nessus website. Also you can configure the proxy if needed by giving proxy hostname, proxy username and password.
- Then scanner gets registered and creates the user account.
- Then downloads the necessary plugins (It takes some time for downloading the plugins).
- Once the plug-ins are downloaded then it will automatically redirects you to a login screen. Provide the Username and password that you have created earlier to login.
Running the Tool:
Nessus gives you lots of choices when it comes to running the actual vulnerability scan. You’ll be able to scan individual computers, ranges of IP addresses or complete subnets. There are over 1200 vulnerability plugins with Nessus using which you’ll be able to specify individual or set of vulnerabilities to test for. In contrast to other tools Nessus won’t assume for explicit services running on common ports instead it will try to exploit the vulnerabilities.
One of the foundations for discovering the vulnerabilities in the network are:
- Knowing which systems exist
- Knowing which ports are open and which listening services are available in those ports
- Determining which Operating System is running in the remote machine
Once you log into the Nessus using web-interface, you will be able to see different options like,
- Policies –Using which you can configure the options required for scan
- Scans -for adding different scans
- Reports -for analyzing the results
Basic workflow of Nessus tool is to Login, Create or Configure the Policy, Run the Scan and Analyze the Results.
Policies are nothing but the vulnerability tests that you can perform on the target machine. By default Nessus has 4 policies.
Above figure shows the default polices that comes with Nessus tool.
External Network Scan:
The policy is pre-configured in such a way that Nessus scans externally facing hosts, which provides services to the host. It scans all 65,535 ports of the target machine. It is also configured with Plugins required for web application vulnerabilities tests like XSS.
Internal Network Scan:
This policy is configured to scan large internal networks with many hosts, services, embedded systems like printers, etc… This policy scans only standard ports instead of scanning all 65,535 ports.
Web App Tests:
Nessus uses this policy to detect different types of vulnerabilities exist in the web applications. It has the capability to spider the entire web site and discovers the content and links in the application. Once the spider process has been completed then Nessus starts to discover the vulnerabilities that exist in the application.
Prepare for PCI DSS audits:
This policy consists of PCI DSS (Payment Card Industry Data Security Standards) enabled. Nessus compares the results with the standards and produces a report for the scan. The scan doesn’t guarantee for a secure infrastructure. Industries or Organizations preparing for PCI-DSS can use this policy to prepare their network and systems.
Apart from these pre-configured policies you can also upload a policy by clicking on “Upload” or configure your own policy as per your scan requirement by clicking on “New Policy”.
Configuring the Policy:
- Click on the policies tab on the top of the screen
- Click on the New Policy button to create a new policy
Under the General settings tab select the “setting type” based on scan requirement, like Port Scanning, Performance scanning etc… Based on the type Nessus prompts different options that has to be filled. For example ‘Port Scanning’ has the following options
Above figure shows configuring options of Port Scanning.
Enter the port scan range. By default Nessus scans all the TCP ports in /etc/services file. You can limit the ports by specifying it manually (like 20-30). You have different scanners like Nessus SNMP scanner, SSH scanner, ping remote host, TCP Scanner, SYN scanner, etc…. Enable by selecting the check box as per the scan requirement.
- Enter the credentials for scan to use. You can use single set of credentials or multiple set of credentials if you have. You can also work it out without entering the credentials.
- The plugins tab has number of plugins. By default Nessus will have all the plugins enabled. You can enable or disable all the plugins at a time or enable few from the plug-in family as per the scan you’d like to perform. You can also disable some unwanted plugins from the plug-in family by clicking on particular plug-in.
The above figure shows the sub-plugins for the plugin Backdoors.
In the above Figure the green one shows the parent plugin and the blue once shows the sub-plugins or the plugins under the plugin (backdoor). You can enable or disable by simply clicking on the enabled button.
- In the Preferences, you are provided with a drop down box to select different types of plugins. Select the plugin based on the scan requirement and specify the settings as per the plugins requirement. Click finish once completed. For example: configure the database.
The above figure shows the configuration of Database settings plugin.
Once you are done with configuring the policies as per your scan requirement, you need to configure the scan details properly. You can do it under Scan tab.
Under the Scan tab, you can create a new scan by clicking New Scan on the top right. Then a pop up appears where you need to enter the details like Scan Name, Scan Type, Scan Policy & Target.
- Scan Name: The name that you are willing to give to the scan.
- Scan Type: You have options to RUN the scan instantly by selecting RUN NOW. Or you can make a template which you can launch later when you are willing to run. All the templates are moved under the TEMPLATE tab beside the SCAN tab.
- Scan Policy: Select the policy that you have configured previous in the policies section.
- Select Target: Enter the target machine which you are planning to test. Depending upon the targets Nessus takes time to scan the targets.
Once the scanning process has been completed successfully, results can be analyzed from RESULTS menu.
- Once the scan has been completed, you can see the name of the scan under the results section. Click on the name to see the report.
- Hosts: Specifies all the target systems that you have scanned.
- Vulnerabilities: Displays all the vulnerabilities on the target machine that has been tested.
- Export Results: You can export the results into difference formats like html, pdf, etc… You can also select an individual section or complete result to export based on your requirement.
Let us try out an example now-
I have configured a policy named Basic Scan. We have many options while configuring or building the policy like port scanners, performance of the tool, Advanced etc.
The above figure shows configuration settings of Port Scanning for the policy Basic Scan.
You don’t need credentials now, so skip the credentials tab and move to Plugins tab. You need to configure the specific plug-in as per the scan requirement that you are willing to perform on remote machine.
The above figure shows the plugins that I have enabled for the policy Basic Scan. I have enabled few plugins for windows machine scan.
The above figure shows the configuration of the Scan.
I have configured the scan to run instantly with the policy that I have created earlier. And the scan target specify the IP address I am willing to scan.
Once all the details has been entered click on Create Scan which shows the Scan is running as shown in the below Figure.
Once the scanning has been completed then you can see the results in Results tab. Below Figure shows the same.
Double clicking on the title displays the scan results.
The above figure shows the Hosts details. It includes all the targets that you have scanned during the test. Double clicking on the host address displays the vulnerabilities Nessus have identified during the test. You can also click on Vulnerabilities tab to check out the vulnerabilities.
The above figure shows the Vulnerabilities that Nessus found during its scan. Based on the Risk Nessus marks it as high, medium, info etc… Clicking on the Vulnerability gives you brief description of it.
For example let us go with Netstat portscanner, displays you the following information
The above figure shows the ports opened in the target machine.
In the same manner you can analyze complete details by clicking on the vulnerabilities. Nessus also suggests the solutions or remedies for the vulnerabilities with few references.
Nessus is a tool which automates the process of scanning the network and web applications for the vulnerabilities also suggests solutions for the vulnerabilities that are identified during the scan.