When it comes to vulnerability scanning, I think it is safe to say, that every penetration-tester throughout his/her career came across Nessus. Doesn’t matter where you look for a “vulnerability scanner” – Nessus will be on that list. With an annual subscription fee of a whopping 4.569,84€ for their professional license, it is quite a pricy one. Of course, Tenable offers the possibility of testing their vulnerability scanner for “free“, however only for a 7 days period, which does make it a bit inflexible for beginners.
To keep things clear – I am not here to advocate for or against Nessus. If it is the “best” or not, is nothing I will judge. However, we all can agree that new-commers will have to use it eventually and this is why I would like to show, how you can easily get your hands on a limited free license (yet more flexible), allowing you to take your time and get some hands-on experience with it.
Get a limited license
An essential license (Tenable terminology for a limited free license) allows you to use the scanner with the same high-speed & in-depth assessment capabilities that Nessus subscribers have. You are not able to perform compliance checks or content audits, however this is irrelevant for a beginner’s experience.
The actual limitation consists in the fact that a maximum of 16 IPs only can be scanned.
It doesn’t matter if you scan 16 at once or do 16 individual IP scans – this is up to you!
You can either sign-up during the setup process itself (will be mentioned below) – however, I would like to point out that there is a sign-up page on Tenable’s website as well. As it is quite hard to find (I wonder why), I leave the link here for you: https://www.tenable.com/products/nessus/nessus-essentials.
Visiting it, should look like this:
(In case you don’t see any input fields on the right side, try it again in Firefox or Chrome, as for instance using Brave caused the form to disappear – at least with my privacy setting😅)
After signing up, you will receive an email containing your activation code – the “Download Nessus” button can be ignored, as we download it from Docker Hub.
Setup with Docker
As I like to use docker a lot, which I would highly recommend for any beginner out there – as it allows you to try a lot of different technologies quick & easy. Therefore I will set up Nessus within a container, instead of installing it natively on my system – this will make it easier, managing the installation and keeping things clean and in order. An installation guide for Docker Desktop can be found on their official website here: https://docs.docker.com/desktop/.
If you finished installing Docker Desktop and it is up & running – pull (lingo for “downloading“) the latest docker image via command line (if you are signed in with a Docker Hub account, you can even search for it within the GUI itself):
docker pull tenableofficial/nessus:latestThe download may take a moment. To start a new container via command line, we will:
- use the docker “run” command
- name the container “nessus” (to stay organized)
- specify the port to access the web interface later on
- state the image name, which we used to download before
docker run --name nessus -p 8834:8834 tenableofficial/nessus:latestAlternatively you can create the container within the Docker Desktop GUI:
Click on “Images” (left side) & then “Run” of the previously downloaded Nessus image.
This will open a modal window – here you can name the container as you like & specify any port-number (I used the default port of Nessus: 8834). Afterwards click on “Run“.
In either cases (starting a container via command line or the GUI), you should see a new line in the “Containers” section. Here you are able to start/stop/delete the container later on as well.
Activate your license
As the container has started, we can navigate to Nessus’ web interface, by visiting: https://localhost:8834/ (change the port, in case you used a different one). Important to say is, that you have to use “https” and not just “http“, as the communication will be encrypted – with a self-signed certificate, hence you’ll be greeted by a privacy warning – this can be ignored, by clicking “Advanced” & “Accept the Risk and Continue“:
While (re)starting Nessus, it usually will do an initialization process (i.e.: checking if a license is present) – in case it did not complete yet, you will see something similar to this. Just give it a second.
The moment Nessus has finished updating, it will offer you a few different setup options – here we choose “Nessus Essentials“.
If you purchased a different license, select as needed – the rest of the process should be the same.
As mentioned above, you could sign up here as well & get a license. As we already have one, let’s click “Skip“.
Enter your activation code & click “Continue“.
Nessus will ask you to set a username & password. Make sure to set a strong password, if you plan on hosting it publicly available.
Once this is done, it will start downloading the latest plugin versions and perform another initialization. This can take some time – grab a drink.
When everything is done – you should see a login screen. Now you can use your previously defined login credentials and sign in.
Congratulations – you have successfully set up & activated Nessus inside a docker container!
Configure a Scan
As Nessus offers a wide variety of scan templates – depending on service or architecture you are targeting – the most commonly used template is “Advanced Scan“. Explaining each and every template and its underlying configuration options, goes way beyond this write-up. If you are curious, I’d advise you to check out the documentation and get more insights there: https://docs.tenable.com/nessus/Content/ScanAndPolicyTemplates.htm
Targeting beginners, I would like to guide you through an example configuration. Feel free to experiment yourself at any point, try different options, observe how the results differ and what insights they will offer you.
Little disclaimer upfront – this configuration is not THE IDEAL one – however it will give you a rough idea on how to setup one. It is always recommended to adjust your scan configuration in regards your scanning target – keep the following things in mind:
- What technology will you be testing? Try to target it specifically! Avoid unnecessary scans.
- Ask the client, if the system might be a little sensitive to heavy network load – lower the scan speed accordingly!
- Do you need an in-depth scan? Maybe a light-weight scan will give you enough information to progress manually & you will have results much quicker.
- Never ever, ever & again EVER rely on the scan results! Take them with a grain of salt. Please always verify the identified issues manually, as best as you can and cross-challenge them.
- A vulnerability scan will not replace a manual pentest – therefore do the work & find issues yourself. Scanners are used to give a guidance, set the perimeter & help with generic issues, however the leg work still needs to be done by yourself.
In this example, we would like to:
- perform a full-range port-scan (per default, Nessus will also perform a service discovery)
- scan web app(s), in case web services were detected
- slow down Nessus’ scan speed, in case some network congestions were experienced
Everything else we ignore for now and leave it either disabled or use the default options – again, have a look at the documentation.
To create a new scan – click on “(+) New Scan” in the top right corner:
Within the “Scan Template” view, you will be presented with a lot of different options. Have a look and find out what each are used for.
Again – target the right technology!
The one we are interested in for now, is “Advanced Scan” – as here, most common scan options can be configured.
Initially we set a name & define targets to scan. The targets field is very flexible and allows you to specify ranges, single IPs and different IPs from different subnets – even at once if needed. A mixed example could be:
192.168.1.12
10.8.0.73
10.8.0.75-10.8.0.80
Click on “Discovery” (left menu option), followed by “Port Scanning“. Again feel free to have a look at all the other options – but for now it is not needed.
As you might see – most of the check-boxes are pre-selected. Let’s keep it this way, I would only recommend changing the “Port scan range” from “default” to either “1-65535” or “all“. So a full-range scan will be done.
The default scan type is set to “SYN” – which is the fastest option.
“TCP” scan are a bit slower, however a bit more thorough, which might lead to more reliable results.
In case you would like to do a “UDP” scan as well, keep in mind, due to the protocol’s nature, it will take much longer. If needed, don’t do a full range scan with Nessus, rather use nmap for this task.
(Learn the differences – could be an interview question 😉).
Typically, I always use the “Web Applications” assessment option – you will find a lot of web apps inside a corporate network as well.
First you need toggle it to “On” and click “Enable generic web application tests“. This will allow you to specify further options.
The following settings might seem aggressive, which they are – however, many “stable” or “productive” releases, should be able to stand up to a more thorough scan. Have a chat with your client beforehand and ask, if there are any known issues. If any doubts are raised – hit it off with generic tests, without all the extra settings.
Let’s try all HTTP methods, test for parameter pollution & embedded web servers. On top we would like to discover as much as possible, therefore Nessus should not stop, if it found a flaw (“first flaw“) already.
Before we finally start the scan – as we are aware, that a higher amount of scans will happen, we configure Nessus within the “Advanced” tab to slow down in case some network congestions are registered.
All other settings are untouched and kept with their default options.
Now we are ready to start the scan immediately or save it for later. In case you want to schedule it, you will find this configuration option within the “Basic” -> “Generic” menu section.
Click the drop-down icon (the arrow next to “Save“) & “Launch” to start right away or “Save” to scan later.
Scan Results
Nessus continuously updates the list of hosts and found vulnerabilities while scanning – so you can already take a look and get an idea of what is happening. When the scan has finished – it should look similar to this. I used an actual client scan (renamed it), to show you some actual results:
When you click on your scan, you should be presented with a list of vulnerable hosts (the tab already tells us, 130 hosts were up – doesn’t mean all are vulnerable). This view offers an interesting overview, as you are able to spot the most vulnerable hosts quickly. In this example below – it is immediately clear, that host “192.168.7.54” has at least one critical vulnerability. This can help prioritizing your testing workflow.
Clicking the “Vulnerabilities” tab, you see all vulnerabilities, which Nessus was able to identify. As the tab already suggests – 219 vulnerabilities were found in total.
You might have noticed the pie chart on the right hand side, showing you the true distribution of vulnerability types (critical, high, medium, low & info). The biggest share is taken by “Info” vulnerabilities. These kind of vulnerabilities (also referred to as “issues“), usually serve (as the name suggests) in an informative way. This is Nessus’s way of telling you, which technologies it was able to identify per host and port – however, knowing this, doesn’t make it is necessarily vulnerability. There you might find results such as port scans, screenshots from potential RDP sessions and many other things (depending on the identified services). Always have a look at them, to get an idea what system you are working with.
Taking a look at a vulnerability itself (freely select one within the list), Nessus will give you some information regarding the vulnerability (such as a description, how to mitigate it & more). This can be helpful later on, when you enter the final stage of your pentest – REPORTING 😁.
In this case, the server was identified to be an Microsoft SQL Server, which is running in an unsupported version. Within the “Output“-section, you’ll get further information (in this case a detected version – in others, you’ll get a payload which triggered the issue in the first place). Underneath, you’ll find a list of affected hosts & the ports the service is running on – which points you into the right direction, if you decide to target the host later on.
As well – you can either click here on the host IP itself, to get a list of vulnerabilities just affecting this dedicated host or select one within the “Hosts” tab. In this overall “Vulnerability” view, you’ll get all identified issues aggregated and all affected hosts within.
Now what?
Now it is up to you – reproduce the setup, scan your own systems (which you own or have the allowance to do so) with your Nessus setup and find out what vulnerabilities they are affected by. Have fun & try to play with different scan settings, to get more and more familiar with it. In case of any questions – feel free to drop a comment here or on twitter.
Enjoy & be creative!
I hope you liked this write-up and it was somehow informative for you.
Any feedback is appreciated – thanks guys!
Payload Café 