Penetration Testing using Nessus
Nessus is one of the best Vulnerability Scanners out there and is a product that is used by many professional penetration testers and auditors. Its a product of Tenable Security and is now primarily for commercial use however you can try a trial version for a week just to try it out. If you plan on going pro at some point, and a full-featured vulnerability scanner is on your mind, then it’s probably best for you to know about Nessus. Nessus is primarily used for conducting External Vulnerability Assessments but also has other features such as Internal Vulnerability Scanning, Malware detection and other neat features during a Penetration testing project.
For a quick background on Nessus , Nessus was founded by Renuad Deraison in 1998 to provide the Internet community with a free remote security scanner. Nessus is the world’s most popular vulnerability scanning tool and also the most widely used. Moreover Nessus can also be run on multiple operating systems and can be installed on your windows machine or Kali Linux if you want.
It uses a web interface to set up, scan, and view reports. It has one of the largest vulnerability knowledge bases available; because of this KB, the tool is very popular.
Nessus Key features
- Identifies vulnerabilities that allow a remote attacker to access sensitive information from the system
- Checks whether the systems in the network have the latest software patches
- Tries with default passwords, common passwords, on systems account
- Configuration audits
- Vulnerability analysis
- Mobile device audits
- Customized reporting
For more details on the features of Nessus, you can visit: http://www.tenable.com/products/nessus-vulnerability-scanner.
Installation and configuration
- Download the Nessus home feed (free) or professional feed here.
Once you download the Nessus, you need to register with the Nessus official website to generate the activation key, which is required to use the Nessus tool. Click here to generate the Activation Key .
- Follow the instructions on the page and the activation key will be emailed to you on your email ID .
- Install Nessus by following the steps and Instructions on the Screen .
Once Nessus is installed and activated , Nessus can be accessed in the browser and normally it runs on port 8834. URL : http://localhost:8834
- Create an account with Nessus.
- Enter the activation code you have obtained by registering with the Nessus website. Also you can configure the proxy if needed by giving proxy hostname, proxy username, and password.
- Then the scanner gets registered with Tenable and creates a user.
- Download the necessary plug-in. (It takes some time to download the plug-in; while you are watching the screen, you can go through the vast list of resources we have for Nessus users).
Once the plug-ins are downloaded, it will automatically redirect you to a login screen. Provide the username and password that you have created earlier to login.
Thats it and the most powerful Vulnerability scanner is ready to be used for Penetration testing.
Nessus Tutorial : Penetration Testing and Vulnerability Assessment
Running Nessus :
Nessus will give you lot of options when it comes to running the actual vulnerability scan. Nessus comes with 4 types of basic scans (which themselves are very powerful) and also allows the user to create their own custom scans and hence gives the power to the user. With Nessus Vulnerability Scanner you can scan individual computers, ranges of IP addresses, or complete subnets. There are over 1200 vulnerability plug-ins with Nessus, which allow you to specify an individual vulnerability or a set of vulnerabilities to test for.
Here an important thing to note is that, distinguished from other tools, Nessus won’t assume that explicit services run on common ports; instead, it will try to exploit the vulnerabilities.
Foundations for discovering the vulnerabilities in the network are:
- Which hosts are live
- What ports are Open and what services are running on what Ports
- What Operating system is running in the remote machine
Once you have loged into the Nessus web interface, you will be able to see various options, such as:
- Policies–Using which you can configure the options required for scan
- Scans–for adding different scans
- Reports–for analyzing the results
The basic workflow of Nessus tool is to Login, Create or Configure the Policy, Run the Scan, and Analyze the Results.
Policies are the vulnerability tests that you can perform on the target machine. By default, Nessus has a few different policies for you to choose from. We will cover a few here.
External network scan
This in built policy scans externally-facing hosts that provide services to the host. The External Network Scan Policy will scan all 65,535 ports of the target machine. It is also configured with plug-ins required for web application vulnerabilities tests such as XSS.
Internal network scan
This policy is configured to scan large internal networks with many hosts, services, embedded systems like printers, etc. This policy scans only standard ports instead of scanning all 65,535 ports.
Web app tests
Nessus uses this policy to detect different types of vulnerabilities existing in web applications. It has the capability to spider the entire website to discover the content and links in the application. Once the spider process has been completed, Nessus starts to discover the vulnerabilities that exist in the application.
Prepare for PCI DSS audits
This policy has PCI DSS (Payment Card Industry Data Security Standards) enabled. Nessus compares the results with the standards and produces a report for the scan. The scan doesn’t guarantee a secure infrastructure. Industries or organizations preparing for PCI-DSS can use this policy to prepare their network and systems.
Apart from these pre-configured policies, you can also upload a policy by clicking on “Upload” or configure your own policy for your specific scan requirements by clicking on “New Policy.”
Once the policies have been configured as per your scan requirement, you need to configure the scan details properly. This can be done quickly under the Scans Tab:
When you go to the Scan tab, you can create a new scan by clicking “New Scan” on the top right. Then a pop-up appears where you need to enter the details, such as Scan Name, Scan Type, Scan Policy, and Target.
- Scan Name: The name that you want to give to the scan.
- Scan Type: You have options to run the scan immediately by selecting “RUN NOW.” Or you can make a template which you can launch later when you want to run the scan. All the templates are moved under the Template tab beside the Scan tab.
- Scan Policy: Select the policy that you have configured previously in the policies section.
- Select Target: Enter the target machine that you are planning to test. Depending upon the targets, Nessus takes time to scan the targets.
Once the scanning process has been completed successfully, results can be analyzed.
- You can see the name of the scan under the Results section. Click on the name to see the report.
- Hosts–Specifies all the target systems you have scanned.
- Vulnerabilities–Displays all the vulnerabilities on the target machine that has been tested.
- Export Results–You can export the results into various formats such as html, pdf, etc. You can also select an individual section or complete result to export based on your requirement.
Nessus has become an Industry standard for Vulnerability Assessments for large organizations over the years. It is important for an information security researcher to understand Nessus in detail to get the most out of it.