Using Nessus



This section assumes that the user has installed both the Nessus client and the server. No instruction on these topics will be provided, as they are well covered in other books and in the Nessus documentation itself. Nessus has two areas in the user interface: Scan and Report. The function of each is self-explanatory. Figure 1 shows the scan target window. It allows the user to enter a host IP address, DNS name, IP address range, subnet specification, or an input file with a list of hosts/IP addresses. Each of these target specifications is saved so that scans can be repeated in the future.
Figure 1: Nessus target selection panel.
Next, the user can define the parameters of the scan by creating a scan policy. Shown in Figure 2, this policy contains:
  • Basic options about the scan (aggressiveness, packet captures, types of port scans, logging, etc.).
  • Credentials if white box testing is to be performed.
  • Plug-in selection to employ the latest and most relevant checks. The library of plug-ins for Nessus is extensive. The key to efficient scanning is to select only the plug-ins needed for the target network.
  • Network congestion control settings (simultaneous connections, timeouts, target disengagement rules).
  • Advanced parameter settings for various protocols and checks.
Figure 2: Nessus Scan Policy plugin selection.
Once all of these parameters are selected, the scan can be performed. When complete, the report is available in a hierarchical, navigable format, and it can also be exported to HTML. The report is easy to read, as shown in Figure 3. This example entry from the report shows the port and protocol used to obtain the information, SSL for Nessus (tcp/1241). The report then shows that the Supported SSL Cipher Suites plug-in was used to find the vulnerability; in this case it is not actually a vulnerability but an enumeration. The remainder of the report item is self-explanatory. A very nice feature of Nessus is that it shows the output from the plug-in, which in this case reveals the extent of the information disclosed by the SSL service. Even better, for the technically inclined analyst, the Nessus ID links to the details of the plug-in on the Tenable Web site. This plug-in also has source code that can be reviewed so that the method of checking can be fully understood.

Figure 3: Nessus vulnerability details report.
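The report fields described above (host, port/protocol, plug-in name, Nessus ID, plug-in output, severity) are also present in the Nessus XML export, which makes it easy to separate enumeration-only entries such as the cipher suite listing from actual findings. The following is an added example, not code from the page or from Tenable; it assumes the NessusClientData_v2 XML layout and uses a constructed sample report with placeholder plug-in IDs.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the NessusClientData_v2 layout; plugin IDs are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="example">
  <ReportHost name="192.0.2.10">
   <ReportItem port="1241" svc_name="nessus" protocol="tcp" severity="0"
               pluginID="99901" pluginName="SSL Cipher Suites Supported">
    <risk_factor>None</risk_factor>
    <plugin_output>Supported: TLS_RSA_WITH_AES_128_CBC_SHA</plugin_output>
   </ReportItem>
   <ReportItem port="1241" svc_name="nessus" protocol="tcp" severity="2"
               pluginID="99902" pluginName="SSL Medium Strength Cipher Suites Supported">
    <risk_factor>Medium</risk_factor>
    <plugin_output>The remote service accepts medium strength ciphers.</plugin_output>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

def parse_report(xml_text):
    """Return one dict per ReportItem with the fields the report view shows."""
    items = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            items.append({
                "host": host.get("name"),
                # protocol/port pair, shown in the report as e.g. tcp/1241
                "port": f"{item.get('protocol')}/{item.get('port')}",
                "plugin_id": item.get("pluginID"),
                "plugin": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    return items

def triage(items):
    """Split severity-0 enumeration items from real findings (highest first)."""
    info = [i for i in items if i["severity"] == 0]
    findings = sorted((i for i in items if i["severity"] > 0),
                      key=lambda i: -i["severity"])
    return info, findings

if __name__ == "__main__":
    info, findings = triage(parse_report(SAMPLE_NESSUS))
    for f in findings:
        print(f"[{f['severity']}] {f['host']} {f['port']} {f['plugin']} (ID {f['plugin_id']})")
    print(f"{len(info)} informational item(s) kept for reference, not reported as vulnerabilities")
```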
