How to Use Nessus to Scan a Network for Vulnerabilities

Nessus is touted as the world’s most popular vulnerability scanner, used by over 75,000 organizations globally. This tool offers comprehensive computer vulnerability scanning services and continuously updates its vulnerability database. Unlike traditional vulnerability scanning software, Nessus can perform system vulnerability analysis and scans both locally and remotely. Nessus is also one of the essential tools for penetration testing. Therefore, this chapter will introduce the installation, configuration, and initiation of Nessus for you to easily use Nessus to scan a network for vulnerabilities.

Preparation: Install Nessus

To identify vulnerabilities on the target system, Nessus relies on feeds for vulnerability checks. The official Nessus website provides two versions: Home and Professional.

  • Home Version: The Home version is for non-commercial or personal use. It is suitable for individual users and non-professional environments.
  • Professional Version: The Professional version is for commercial use and includes support and additional features such as wireless concurrent connections.

This section uses the Home version of Nessus to demonstrate Nessus installation. The specific steps are as follows:

Step 1.Download the Nessus Package: Download Nessus. Enter this address in a browser to display the interface shown in Figure 1.1.

How to Use Nessus to Scan a Network for Vulnerabilities
Figure 1.1

Step2. In the interface under “Download Nessus” on the left side, click on “Linux” and select the Nessus-5.2.6-debian6_i386.deb package, as shown in Figure 1.2.

Figure 1.2

Step3. Click the Nessus-5.2.6-debian6_i386.deb package to display the interface shown in Figure 1.3.

Figure 1.3

Step 4. Click the “Agree” button to start the download. Save the downloaded package to your desired location.

Step 5. Install the Nessus package using the following command:

   root@kali:~# dpkg -i Nessus-5.2.6-debian6_i386.deb

If you see similar output, the Nessus package has been successfully installed. Nessus is installed in the /opt/nessus directory by default.

Step 6. Start Nessus with the following command:

   root@kali:~# /etc/init.d/nessusd start

The output will indicate that the Nessus service has started.

Note: Before using Nessus, you must have a registration code. The method to obtain an activation code was introduced in Chapter 2.

Step 7. Activate Nessus with the following command:

   root@Kali:~# /opt/nessus/bin/nessus-fetch --register 9CC8-19A0-01A7-D4C1-4521

Step 8. Create a user for Nessus with the following command:

   root@Kali:~# /opt/nessus/sbin/nessus-adduser

Step9. Log in to Nessus by entering the address https://:8834 or https://:8834 in your browser.

After these steps, Nessus is configured and ready to scan various vulnerabilities. Before scanning, create scan policies and tasks. The next section will introduce how to create policies and scan tasks.

How to Use Nessus to Scan a Network for Vulnerabilities: Step-byStep

Step 1. Add a Policy

The steps to add a policy are as follows:

A. Log in to Nessus. Enter the address https://192.168.41.234:8834/ in the browser’s address bar to display the interface shown in Figure 1.4.

Figure 1.4

B. Click “I Understand the Risks” to display the interface shown in Figure 1.5.

Figure 1.5

C. Click “Add Exception” to display the interface shown in Figure 1.6.

Figure 5.6

D. Click “Confirm Security Exception” to display the interface shown in Figure 1.7.

Figure 1.7

E. Enter the username and password you created earlier, then click “Sign In” to display the interface shown in Figure 1.8.

Figure 1.8

F. Switch to the “Policies” tab to display the interface shown in Figure 1.9.

Figure 1.9

H. Click “New Policy” to display the interface shown in Figure 1.10.

Figure 1.10

I. Select the type of policy to create. Choose “Advanced Policy” and click the icon to display the interface shown in Figure 1.11.

Figure 1.11

J. Set the policy name, visibility, and description (optional). Set the policy name to “Local Vulnerability Assessment” and visibility to “private.” Then click the “Plugins” tab on the left to display the interface shown in Figure 1.12.

Figure 1.12

Visibility options:

  • Private: Only you can use this policy.
  • Shared: Other users can also use this policy.

K. All plugins are enabled by default. Click “Disable All” to disable all plugins, then enable the specific plugins needed, such as “Debian Local Security Checks” and “Default Unix Accounts,” as shown in Figure 1.13

Figure 1.13

L .Click “Save” to display the interface shown in Figure 1.14.

Figure 1.14

M. The new policy “Local Vulnerability Assessment” is now created successfully.

Step 2. Create a Nessus Scan Task

After creating a policy, you need to create a scan task to perform vulnerability scanning. The steps are as follows:

A. Switch to the “Scans” tab to display the interface shown in Figure 5.15.

Figure 5.15

B. Since no scan tasks exist, click “New Scan” to display the interface shown in Figure 5.16.

Figure 5.16

C. Set the scan task name, policy, folder, and target. Set them to “Sample Scan,” “Local Vulnerability Assessment” (the previously created policy), “My Scans,” and “192.168.41.0/24” respectively. Click “Launch” to display the interface shown in Figure 5.17.

Figure 5.17

D. The scan task status “Running” indicates that the “Sample Scan” task has been successfully added.

Step 3. UseNessus to Scan Local Vulnerabilities

After introducing the installation, configuration, login, and creation of policies and scan tasks, you can start scanning for security vulnerabilities. This section lists the necessary plugins and analyzes the scan information for scanning local vulnerabilities.

The steps for scanning local vulnerabilities are as follows:

A. Create a policy named “Local Vulnerability Assessment.”

B. Add the necessary plugins:

a. Ubuntu Local Security Checks: Scans local Ubuntu security checks.

b. Default Unix Accounts: Scans default Unix accounts.

C. Create a scan task named “Sample Scan.”

D. Scan for vulnerabilities. After the task completes, the interface shown in Figure 5.18 is displayed.

Figure 5.18

E. Double-click the scan task name “Sample Scan” to display detailed information, as shown in Figure 5.19.

Figure 5.19

F. The scan results show three hosts. The “Vulnerability” column indicates the number of findings. Detailed information, including host IP, OS type, and scan times, is displayed. The pie chart shows the severity of vulnerabilities. For more information, click any address in the “Host” column, as shown in Figure 5.20.

Figure 5.20

G. Click the “INFO” button to display specific vulnerability details, as shown in Figure 5.21.

Figure 5.21

H. This page displays the description of the vulnerability and the information that was scanned. For example, ports 68, 8834, and 15774 are turned on the host. Nessus also allows you to view vulnerability information in Nessus, PDF, HTML, CSV, and Nessus DB file formats. Here’s how to export the file:

Click on the Export button in Figure 5.20 and select the format of the export file. Select the PDF format here, click the PDF command, and the interface as shown in Figure 5.22 will be displayed.

Figure 5.22

I. The interface is divided into two sections, including Available Content and Report Content. This screen shows the contents that can be included in the exported PDF file, including host summary information, host vulnerabilities, and plug-in vulnerabilities. In Figure 5.22, drag the content to be exported to the Report Content box with the mouse, and the interface shown in Figure 5.23 will be displayed.

Figure 5.23

J. The interface shows what will be exported. Click the Export button and the interface as shown in Figure 5.24 will be displayed

Figure 5.24

K. Click the Save File button on this page and specify the location where the file is saved, that is, the PDF file is exported successfully.

Step 4. Use Nessus to Scan a Network for Vulnerabilities

If you want to use Nessus to attack a widespread vulnerability, you need to configure an assessment vulnerability list and specify an assessment list to obtain information. This section describes configuring Nessus to look for network vulnerabilities on target hosts, which are referred to as target hosts or other network protocols.

Example 5-2: The following describes how to scan for network vulnerabilities.

(1) Create a policy named Internal Network Scan.

(2) Add the required plug-in programs, as shown in Table 5-1.

Table 5-1 Required plug-in programs

CISCOSCAN THE CISCO SYSTEM
DNSScan the DNS server
Default Unix AccountsScan for local default user accounts and passwords
FTPScan the FTP server
FirewallsScan proxy firewalls
Gain a shell remotelyScan the remotely obtained shell
GeeralScan for frequently used services
NetwareScan the network operating system
Peer-To-Peer File SharingScan for shared file detection
Policy ComplianceScan PCI DSS and SCAP information
SCADAScan Settings Management Tool
SMTP ProblemsScan for SMTP issues
SNMPScan for SNMP-related information
Service DetectionScanning service reconnaissance
SettingsScan the basic settings

(3) Create a new scan task named Network Scan.

(4) The scan result is shown in Figure 5.25.

Figure 5.25 Network scan results

(5) From this interface, you can see that there are two serious vulnerabilities. If you want to analyze the vulnerability in detail, we recommend that you export this information as a file.

Step 5. Scans for Vulnerabilities in Specified Linux Systems

This section describes how to use Nessus to scan for vulnerabilities on a given Linux system.

Example 5-3: The following describes how to scan for vulnerabilities in a specified Linux system.

(1) Use Metasploitable 2.0 as the target host. Users can also use other versions of Linux.

(2) Create a Linux Vulnerability Scan policy.

(3) Add the required plug-in programs, as shown in Table 5-2.

Table 5-2 Required plug-in programs

BackdoorsScan for secret messages
Brute Force AttacksBrute force attacks
CentOSo Local Security ChecksScan for local security vulnerabilities in CentOS
DNSScan the DNS server
Debian Local Security ChecksScan for local security vulnerabilities in Debian systems
Default Unix AccountsScans for default Unix user accounts
Denial of ServiceScan for denied services
FTPScan the FTP server
Fedora Local Security ChecksScan Fedora systems for local security vulnerabilities
FirewallsScan firewalls
FreeBSD Local Security ChecksScan the FreeBSD system for local security vulnerabilities
Gain a shell remotelyScan remotely obtained shells
GeneralScan for vulnerabilities
Gentoo Local Security ChecksScan Gentoo systems for local security vulnerabilities
HP-UX Local Security ChecksScan HP-UX systems for local security vulnerabilities
Mandriva Local Security ChecksScan Mandriva systems for local security vulnerabilities
MiscScan for complex vulnerabilities
Red Hat Local Security ChecksScan Red Hat systems for local security vulnerabilities
SMTP PorblemsScan for SMTP issues
SNMPScan for SNMP vulnerabilities
Scientific Linux Local Security ChecksScans the Scentifichlinux system for local security vulnerabilities
Slackware Local Security ChecksSlack systems are scanned for local security vulnerabilities
Solaris Local Security ChecksScan Solaris systems for local security vulnerabilities
SuSE Local Security ChecksScan the SuSE system for local security vulnerabilities
Ubuntu Local Security ChecksScan for local security vulnerabilities in Ubuntu
Web ServersScan the web server

(4) Create a Linux Vulnerability Scan task.

(5) Scan for vulnerabilities, as shown in Figure 5.26.

Figure 5.26 Specifying the Linux system scan result

(6) From this page, you can see that a total of 6 hosts have been scanned for vulnerabilities. Among them, there are seven serious vulnerabilities on host 192.168.41.142. The percentage of vulnerabilities can be found in the fan graph in the lower right corner. Again, users can view the details of the vulnerability using the two methods described earlier.

Step 6. Scan for Vulnerabilities in Specified Windows Systems

This section describes how to use Nessus to scan for vulnerabilities on a specified Windows system.

Example 5-4: Use Nessus to scan for vulnerabilities in a specified Windows system. In this example, the Windows 7 system is used as the target host. The following describes the scanning steps.

(1) Create a new policy named Windows Vulnerability Scan.

(2) Add the required plug-in programs, as shown in Table 5-3.

Table 5-3 Required plug-in programs

DNSScan the DNS server
DatabasesScan the database
Denial of ServiceScan for denied services
FTPScan the FTP server
SMTP ProblemsScan for SMTP issues
SNMPScan SNMP
SettingsScan settings information
Web ServersScan Webb Sepheus
WindowsScan Windows
Windows:Microsoft BulletinsScan Windows for Microsoft announcements
Windows:User managementScan for Windows User Management

(3) Start scanning for vulnerabilities. The results of the scan are shown in Figure 5.27.

Figure 5.27 Scanning results of Windows system

(4) From this interface, you can see the vulnerability of host 192.168.41.1, and there is a serious vulnerability in the host. Similarly, you can use the two methods described above to view the details of the vulnerability and modify the vulnerability on the host.