Nessus

April 6, 2010


A world-leader in active scanners, Nessus features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture.

Nessus scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separated networks.

Key features

Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plug-ins or understanding the existing ones.

  • Agentless patch, configuration and content auditing
  • High-speed vulnerability identification
  • Complete network assessment and discovery
  • Up-to-date security vulnerability database
  • Remote and local security checks
  • Scalable
  • Each security test is written as an external plug-in, written in NASL.
  • NASL: The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language), a language designed to write security tests easily and quickly.
  • Smart service recognition: Nessus recognizes services running on a non-standard port.
  • Checks for multiple services: If a host runs the same service twice or more, Nessus will test all of them. Several scanners on the market still consider that a host can only run one server type at once.
  • Full SSL support
  • Non-destructive or thorough: Nessus gives you the choice between performing a regular non-destructive security audit on a routine basis, or throwing everything you can at a remote host to see how it will withstand attacks from intruders.
  • The biggest user base

Launching the Nessus GUI

To launch the NessusClient GUI, perform the following:

Windows – click on the “Nessus Client” icon on the desktop. Alternatively, it can be found via Start -> Programs -> Tenable Network Security -> Nessus -> Nessus Client

Connection Manager

To begin scanning, click the “Connect…” button at the bottom to establish a connection to a Nessus Server. This will bring up the Connection Manager window that displays configured Nessus Servers:

After the initial installation, the Connection Manager will list a single Nessus Server (localhost, or “Local Server” on Mac OS X) to connect to.

The Windows version of the NessusClient is pre-configured with the local Nessus Server login and password.

Please see the “Nessus 4.0 Installation Guide” for more information. Click on the “Edit” button if you need to edit the connection information or change the Nessus login or password. Click on the “Save” button to save the connection configuration. Selecting a server and clicking the “Connect” button will establish the connection and authenticate to the Nessus Server.

The “Connection name” only reflects how the entry will be displayed in the Connection Manager list. The “Host name” can be a host name or IP address. The Login and Password should be the credentials for the remote Nessus Server, not a user account on the machine. An alternative to credential based authentication is the use of a SSL certificate. This can be configured by clicking the “SSL Setup…” button and providing the paths to the relevant files:
 
Save the configuration and click on the displayed scanner name to select it, then click on “Connect”. A window will appear displaying the connection attempt as follows:

Policy Overview

A Nessus “policy” consists of configuration options related to performing a vulnerability scan. These options include, but are not limited to:

  • Parameters that control technical aspects of the scan such as timeouts, number of hosts, type of port scanner and more.
  • Credentials for local scans (Windows, SSH, more), authenticated Oracle Database scans, HTTP, FTP, POP, IMAP or Kerberos based authentication.
  • Granular plug-in based scan specifications.
  • Database compliance policy checks, report verbosity, service detection scan settings, Unix compliance checks and more.

Creating a Policy

Once you have connected to a Nessus server, you can create a custom policy by clicking on the “+” (Add Policy) button under the box with the heading “Select a scan policy:”. The “Edit Policy” window will be displayed as follows:

Note that there are six configuration tabs: Policy, Options, Credentials, Plug-in Selection, Network and Advanced. For most environments, the default settings do not need to be modified, but they provide more granular control over the Nessus scanner operation. These tabs are described below.
 
The “Save” button on the “Edit Policy” window will not save the policy to a .nessus file. If the policy is not saved to a file, it will not be available after you close the current session of the NessusClient.
 
Use the “Policy name” field to set the name that will be displayed in the NessusClient to identify the policy.

The check box option “Share this policy across multiple sessions” refers only to Nessus sessions on the local workstation, and only for the current user. Using this option means that this policy will be displayed as one of the default policies listed whenever the NessusClient is started or whenever the “New Session” option is selected from the main menu. In order for this setting to take effect, a policy must be saved from the main Nessus Client window, via the main menu (either “Save” or “Save As…” from the “File” option).

Please see the section titled “Generating and Using .nessus Files” for more information on saving policies and using this feature.

By default, all passwords associated with the policy are encrypted. If the policy is saved to a .nessus file and that .nessus file is then copied to a different NessusClient, all passwords in the policy will be unusable by the second Nessus scanner as it will be unable to decrypt them.

To resolve this issue, the “Save the passwords as clear text” option is provided. When selected, if the policy is saved to a .nessus file, all passwords will be saved into the file in clear text. The policy may then be copied to a second Nessus Client and then modified to encrypt the passwords for security.

The “Comments” box can be used to put any personal comments or information about the policy.

Options

The Options tab allows you to set global parameters related to Nessus behaviour and the plug-ins being run by Nessus.

The options and their descriptions are:

  • Number of hosts in parallel: Sets the maximum number of hosts that will be scanned simultaneously.
  • Number of checks in parallel: Sets the maximum number of plug-ins that will be run on each host simultaneously. Nessus can perform scans at very high speed. Due to network limitations, particularly over WANs, you may need to slow the scans to optimize Nessus performance and avoid adverse impact on your network.
  • Port scanner range: Specifies which ports to scan. This option is useful to scan for particular vulnerabilities on specific ports. The default is to scan the TCP ports defined in the nessus-services file. You can use a range such as 137-139, and separate individual ports or ranges with a comma, e.g. 137-139,445,80.
  • Safe checks: Specifies that devices which have been identified as adversely affected by scanning are not scanned. For example, a scan of a printer may result in the printer needing to be restarted. Using the Safe Checks option would prevent a device detected as a printer from being scanned.
  • Designate hosts by their DNS name: Enables the ability to specify a list of DNS-named assets as your “Network(s) to scan” on the Scan tab rather than a single IP address or IP address ranges.
  • Consider unscanned ports as closed: When scanning for vulnerabilities on particular ports, this option tells the Nessus scanner that all other ports are closed. This prevents plug-ins that target ports outside your designated range from triggering. For example, if the port scanner range is set to 1-1024, using this option would prevent any plug-in that checks port 8080 from launching. Otherwise a plug-in that checks this port will cause Nessus to scan it if it is open.
  • Save knowledge base on disk: Tells the Nessus scanner to save the scan information to the Nessus server knowledge base for later use.
  • Log details of the scan on the server: Saves the details of the scan on the Nessus server. The resulting file can be checked to confirm that particular plug-ins were used and hosts were scanned.
  • Port scanners to use: This section of options allows you to choose how you wish to query your scan targets for open ports.
  • Nessus SNMP scanner: Scans targets looking for an SNMP response. Nessus will attempt to guess the settings during a scan. If the settings are known and configured under the Advanced tab’s SNMP settings menu item, this facilitates plug-ins that search for known SNMP vulnerabilities and produces more detailed audit results. For example, there are many Cisco router checks which determine the vulnerabilities present by examining the version in the returned SNMP string. This information is necessary for these audits.
  • Nessus SYN Scanner: Engages the Nessus built-in SYN scanner to identify open ports on the targets. SYN scans are a popular method for conducting port scans and are generally considered a bit less intrusive than TCP scans.
  • Nessus TCP Scanner: Engages the Nessus built-in TCP scanner to identify open ports on the targets. This scanner is optimized and has some self-tuning features. Further configuration for this scanner can be set under the Advanced tab’s Nessus TCP scanner menu item.
  • Netstat ‘scanner’: Uses netstat to check for open ports. It relies on the netstat port being available or an SSH connection to the target. This scan type is intended for Unix-based systems.
  • Ping the remote host: Enables pinging of remote hosts on multiple ports to determine whether they are alive.
  • SYN Scan: Causes the scanner to send a SYN packet to the port and wait for an ACK reply. If it does not receive the reply within a defined time range, it will consider the port closed. This is particularly useful when scanning through a firewall.
  • Scan for LaBrea tarpitted hosts: LaBrea tarpits are a form of honeypot. They are typically deployed to slow scanners down and present false hosts. With this feature enabled, Nessus will attempt to identify such systems within certain parameters and not scan them.

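As an added example (not code from the page or from Tenable), the following Python parses the “Port scanner range” syntax described above and models how “Consider unscanned ports as closed” decides whether a plug-in aimed at a port outside the range launches. The set of open ports is a constructed stand-in for what a target actually exposes.

```python
import re

# Added example: Nessus "Port scanner range" parsing plus a model of the
# "Consider unscanned ports as closed" option. Not Tenable's own code.


def parse_port_range(spec):
    """Return the sorted list of ports named by a range string.

    Items are single ports or lo-hi ranges separated by commas
    (e.g. "137-139,445,80"); every port must lie in 1-65535 and a
    reversed range such as "80-70" is rejected.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError("bad port item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("port item out of bounds: %r" % item)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def plugin_should_run(plugin_port, scanned_ports, open_ports, unscanned_as_closed):
    """Decide whether a plug-in that targets plugin_port launches.

    scanned_ports: ports covered by the port scanner range.
    open_ports: constructed ground truth of what the target has open;
    the port scanner only observes the part inside scanned_ports.
    """
    if plugin_port in scanned_ports:
        # The port scanner looked at it, so its result decides.
        return plugin_port in open_ports
    if unscanned_as_closed:
        # Option set: ports outside the range are assumed closed.
        return False
    # Option unset: the plug-in probes the port itself and runs if open.
    return plugin_port in open_ports


if __name__ == "__main__":
    scanned = set(parse_port_range("1-1024"))
    truth = {22, 80, 8080}  # constructed sample target
    for closed in (True, False):
        print("8080, option=%s -> runs: %s" % (closed, plugin_should_run(8080, scanned, truth, closed)))
```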
Credentials

Server Message Block (SMB) is a file sharing protocol that allows computers to share information transparently across the network. The “Windows credentials” drop-down menu item has settings to provide Nessus with information such as SMB account name, password and domain name. Providing this information to Nessus will allow it to find local information from a remote Windows host. For example, using credentials enables Nessus to determine if important security patches have been applied. Only expert security personnel should modify other SMB parameters from default settings.

If a maintenance SMB account is created with limited administrator privileges, Nessus can easily and securely scan multiple domains.

Plug-in Selection

The Plug-in Selection tab enables the user to choose specific security checks by “family” or individual checks.

When selecting specific plug-ins, Nessus will display a menu list of all available families and the individual plug-ins that comprise that family. Click on the Plus “+” sign to expand the plug-in family and view its plug-ins. Click on the Minus “-” sign to collapse the plug-in family and hide the plug-ins from view.

If the box beside the plug-in family item shows a check, then the family and all its plug-ins are enabled completely. As new plug-ins for that family are received via the feed, they will automatically be enabled.

If the box is empty, then that family, as well as all of the plug-ins within that family, are disabled.

If the box next to the plug-in family shows a square inside the box, then some of the plug-ins are enabled while others are not. If new plug-ins are received via the feed, they will not be enabled by default.

Network

The Network tab is very useful to help tweak the settings for maximum results with minimal network interference. By default Nessus will use whatever processing and networking power the hardware will provide to it. This can sometimes cause system overload and slow response times. These settings help to fine-tune Nessus to maximize efficiency.

Advanced Tab

The Advanced tab includes means for granular control over scan settings. Selecting an item from the drop-down menu will display further configuration items for the selected category. Note that this is a dynamic list of configuration options which depends on the plug-ins feed, audit policies and additional functionality that the connected Nessus scanner has access to. A scanner with a ProfessionalFeed may have more advanced configuration options available than a scanner configured with the HomeFeed. This list may also change as plug-ins are added or modified.

Creating a Scan Target List

To create a scan target address list, click on the Plus sign (“+”) button under the box titled “Networks to Scan”. The “Edit Target” menu will appear prompting for information on the scan target. There are four options to choose from to enter the scan target:

  • Single host – The host can be identified as either a host name or an IP address in CIDR format. If an IP address is used, it must be entered in dotted decimal format (e.g. 192.168.10.10 instead of 1921681010). If a host name is used, it must be a valid entry that is resolvable on the server, or a fully qualified domain name such as nessus.tenable.com.
  • IP Range – A range of IPs can be entered. Enter the start address and the end address in the appropriate fields.
  • Subnet – The IP address can be entered with a network mask following the address.
  • Hosts in file – A file with a list of hosts can be used by clicking on “Select file…” to browse for the file. Select the file and click on “Open”.

After you have entered the host click on “Save”.

For example, to scan the machine running Nessus, choose the “Single host” option and enter the internal IP address 127.0.0.1.

You may enter multiple scan targets in the address list and selectively check off the ones you want to use for each scan.
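As an added example (not code from the page or from Tenable), the following Python expands the four kinds of target entry described above into the concrete host list a scan would cover, applying the stated rules: dotted-decimal addresses only, names left for the server to resolve, inclusive ranges, and masks in either prefix or dotted form. The hosts file contents are constructed.

```python
import re
import ipaddress

# Added example: expands Nessus scan-target entries. Not Tenable's own code.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")


def single_host(value):
    """'Single host': a dotted-decimal IPv4 address or a resolvable name."""
    value = value.strip()
    try:
        return [str(ipaddress.IPv4Address(value))]  # e.g. "192.168.10.10"
    except ipaddress.AddressValueError:
        pass
    if value.isdigit():
        # "1921681010" is neither dotted decimal nor a host name
        raise ValueError("IP addresses must be dotted decimal: %r" % value)
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError("not a valid host name: %r" % value)
    return [value]  # e.g. nessus.tenable.com, resolved by the server


def ip_range(start, end):
    """'IP Range': every address from start to end, inclusive."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.IPv4Address(int(lo) + i)) for i in range(int(hi) - int(lo) + 1)]


def subnet(value):
    """'Subnet': address plus mask, as a prefix length or a dotted mask."""
    net = ipaddress.IPv4Network(value.strip(), strict=False)
    return [str(h) for h in net.hosts()]  # network/broadcast left out


def hosts_in_file(lines):
    """'Hosts in file': one host per line; blanks and # comments skipped."""
    targets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            targets.extend(single_host(line))
    return targets


# Constructed sample file contents, not a real target list.
SAMPLE_HOSTS_FILE = """\
# lab hosts
192.168.10.10
nessus.tenable.com   # fully qualified name

127.0.0.1
"""
```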

Generating and Using .nessus Files

Once you have created a policy and list of scan target addresses, you can save the configuration in the .nessus file format from the main NessusClient window by selecting “File” and then “Save As…” from the main menu.

To access the saved .nessus file in future sessions, simply go to “File” and “Open”. On Windows systems, the saved .nessus files are stored in C:\Documents and Settings\<username>\My Documents\Tenable\Nessus Client. On Linux systems, the saved .nessus files are stored under the user’s home directory (e.g., /root/my_policy.nessus).

Launching a Scan

To launch a scan, simply select the policy and network targets that you wish to use from the main page and click on the “Scan Now” button.


Prasanna has been an Information Security professional for the past 5 years. She works as an Identity and Access Management professional for Accenture. Prasanna is a Sun Certified Integrator for Identity Manager 7.1. Her experience includes working with Sun Identity Manager, Oracle Identity Manager, Sun Directory Server, risk assessment, auditing, vulnerability scanners and creating reports for vulnerabilities and suggested patches.
