Best Hacking Tools Of 2017: Nessus Vulnerability Scanner

Nessus Vulnerability Scanner

Developed by Tenable Network Security, this tool is one of the most popular vulnerability scanners on the market. Tenable provides different versions, depending on your needs: Nessus Home, Nessus Professional, Nessus Manager, and Nessus Cloud.

You can use Nessus to scan for many types of issues, including remote access flaws, misconfigurations, denial-of-service conditions in the TCP/IP stack, preparation for PCI DSS audits, malware detection, searches for sensitive data, and more. Nessus can also call popular external tools.

Nessus runs on a variety of platforms, including Windows, macOS, and popular Linux distributions such as Debian, Ubuntu, and Kali Linux.

You can get more information and download the Nessus Home (free) tool here. The commercial version is available here.

Comparison of Nessus and OpenVAS CVE Differences

OpenVAS - SeniorDBA

When choosing a solution for managing vulnerabilities on your network, you want one that finds the vulnerabilities relevant to your environment and provides enough information about each known vulnerability to let you mitigate the issue quickly.

In this article by Alexander Leonov, we see the results of a comparison between Nessus and OpenVAS. OpenVAS is free, while Nessus costs money.

Why do I call this comparison fast and primitive? I don’t define the structure of KBs for this product and don’t carefully map one NASL script to another. I suppose that may be a theme for other posts. Instead, I am looking at the CVE links. If two scanners can detect the same vulnerabilities, they should have the same CVE links in all the NASL scripts, right? In reality there is a great difference between the products, and more than half of the CVEs can’t be detected using both of them.

All CVEs: 80196
OpenVAS CVE links: 29240
Nessus CVE links: 35032
OpenVAS vs. Nessus: 3787 (OpenVAS only); 25453 (both); 9579 (Nessus only)

We can get groups of NASL scripts “connected” by links to the same CVEs. There are also thousands of NASL scripts in OpenVAS and Nessus that have some CVE links and can’t be mapped in any way to a script in the other KB.

All NASL plugins:
OpenVAS: 49747
Nessus: 81349

Mapped plugins: 38207 OpenVAS and 50896 Nessus
Not mapped OpenVAS plugins: 2673
Not mapped Nessus plugins: 6639

You can read the entire article here.
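The CVE-link comparison above can be reproduced with a short script. The following is an added example for this post, not code from Alexander Leonov's article, Tenable, or Greenbone. It relies on one fact about both plugin sets: Nessus and OpenVAS plugins declare their CVE references with the NASL call script_cve_id("CVE-..."). The plugin bodies below are constructed samples (real CVE numbers, made-up file names and contents) so the script runs offline; point index_kb() at a directory of real .nasl files to get numbers like those quoted above. It also computes the "mapped" and "not mapped" plugin counts from the second half of the excerpt, using the same rule the article describes: a plugin is mapped when at least one of its CVEs also appears in the other KB.

```python
"""Compare two NASL plugin sets by the CVE identifiers they reference.

Added example, not code from the quoted article or either vendor.
Assumption: CVE links live in script_cve_id(...) calls in each plugin.
"""
import re

# Constructed sample plugins (names and contents are made up for the example).
OPENVAS_PLUGINS = {
    "gb_openssl_heartbleed.nasl": 'script_cve_id("CVE-2014-0160");\n',
    "gb_openssl_ccs.nasl": 'script_cve_id("CVE-2014-0224", "CVE-2014-0221");\n',
    # A call split over two lines, which a line-by-line grep would miss.
    "gb_bash_shellshock.nasl": 'script_cve_id("CVE-2014-6271",\n'
                               '              "CVE-2014-7169");\n',
    # Informational plugin with no CVE link at all.
    "gb_http_banner.nasl": 'script_name("HTTP Server banner");\n',
}
NESSUS_PLUGINS = {
    "openssl_heartbleed.nasl": 'script_cve_id("CVE-2014-0160", "CVE-2014-0224");\n',
    "smb_ms17_010.nasl": 'script_cve_id("CVE-2017-0144");\n',
    "ssl_64bit_block.nasl": 'script_cve_id("CVE-2016-2183");\n',
    "www_server_header.nasl": 'script_name("Web Server HTTP Header");\n',
}

# Match the whole argument list of script_cve_id(...), across newlines.
CALL_RE = re.compile(r'script_cve_id\s*\(([^)]*)\)')
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')


def cves_in_plugin(source):
    """Return the set of CVE IDs passed to script_cve_id() in one plugin."""
    found = set()
    for call in CALL_RE.finditer(source):
        found.update(CVE_RE.findall(call.group(1)))
    return found


def index_kb(plugins):
    """Map plugin name -> set of CVEs for a whole knowledge base."""
    return {name: cves_in_plugin(src) for name, src in plugins.items()}


def compare_kbs(kb_a, kb_b):
    """Three-way CVE split plus per-KB mapped/unmapped plugin counts."""
    all_a = set().union(*kb_a.values())
    all_b = set().union(*kb_b.values())

    def mapping_counts(kb, other_cves):
        mapped = unmapped = no_cve = 0
        for cves in kb.values():
            if not cves:
                no_cve += 1            # no CVE link: cannot be mapped by CVE
            elif cves & other_cves:
                mapped += 1            # shares at least one CVE with other KB
            else:
                unmapped += 1          # has CVEs, none known to other KB
        return mapped, unmapped, no_cve

    mapped_a, unmapped_a, no_cve_a = mapping_counts(kb_a, all_b)
    mapped_b, unmapped_b, no_cve_b = mapping_counts(kb_b, all_a)
    return {
        "only_a": len(all_a - all_b),
        "both": len(all_a & all_b),
        "only_b": len(all_b - all_a),
        "mapped_a": mapped_a, "unmapped_a": unmapped_a, "no_cve_a": no_cve_a,
        "mapped_b": mapped_b, "unmapped_b": unmapped_b, "no_cve_b": no_cve_b,
    }


if __name__ == "__main__":
    result = compare_kbs(index_kb(OPENVAS_PLUGINS), index_kb(NESSUS_PLUGINS))
    print("OpenVAS only / both / Nessus only:",
          result["only_a"], result["both"], result["only_b"])
    print("OpenVAS mapped / not mapped / no CVE:",
          result["mapped_a"], result["unmapped_a"], result["no_cve_a"])
    print("Nessus mapped / not mapped / no CVE:",
          result["mapped_b"], result["unmapped_b"], result["no_cve_b"])
```

Two caveats carry over from the excerpt: a plugin with no script_cve_id() call is invisible to this method even if it detects something real, and sharing one CVE does not mean two plugins test the same thing, which is why the article calls the comparison "fast and primitive".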

Vulnerability Scanners and HTTP Headers

Network Scans - SeniorDBA

Compliance frameworks such as PCI DSS require companies to perform quarterly internal and external network vulnerability scans. A variety of tools can be used for this purpose, but Nessus is a popular choice.

In this article by Roger McClinton, we get his take on a recently added detection in this tool.

This week Tenable released a new “plugin” (what they call a vulnerability detection) named “Web Server HTTP Header Information Disclosure”, plugin id 88099. In spite of the title itself saying it is only an information disclosure vulnerability, they rate this a medium. In my environment that means we need to address it. I think it’s a little crazy for an information disclosure vulnerability to be rated that high. It turns out Tenable has ceded vulnerability severity ratings to the CVSS system. So because this has a CVSS score of 5 it has to be rated moderate.

Now with SecurityCenter, I’d be able to change the severity of this detection. I’m not sure that’s possible in Nessus. Even so, when scanning servers for other people, you can’t just change the results of the scan. And now the problem: the other party’s security people don’t have the ability to make rational security decisions. They just want all the detections gone.

You can read the entire article here.
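Whatever one thinks of the severity, the finding itself is easy to verify and fix outside the scanner. The following is an added example, not Tenable's plugin code and not from Roger McClinton's article: it parses a raw HTTP response and reports headers that reveal server software versions. Which headers it inspects and the version-string pattern are this example's own assumptions, not a statement of exactly what plugin 88099 checks. The two responses are constructed samples, one as a typical default install returns it and one as a hardened server returns it.

```python
"""Flag HTTP response headers that disclose server software versions.

Added example, not Tenable's plugin or the article author's code.
The header list and version pattern are this example's assumptions.
"""
import re

# Headers that commonly carry product/version strings (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version")
VERSION_RE = re.compile(r'\d+\.\d+(\.\d+)?')

# Constructed sample responses (not captured from any real host).
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.6.11\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw_response):
    """Split a raw response into (status line, {lowercased header: value})."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def header_disclosures(headers):
    """Return [(header, value)] for headers that leak version information.

    A bare product name in Server (e.g. "Apache") is the usual hardened
    form and is not flagged; any X-Powered-By / X-AspNet-* header is
    flagged because it exists only to advertise the stack.
    """
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if name == "server" and not VERSION_RE.search(value):
            continue
        findings.append((name, value))
    return findings


def check_response(raw_response):
    """Convenience wrapper: parse then evaluate one raw response."""
    _, headers = parse_headers(raw_response)
    return header_disclosures(headers)


if __name__ == "__main__":
    for label, resp in (("default", DEFAULT_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)):
        print(label, "->", check_response(resp) or "no disclosure")
```

To feed it live data, capture the response head with any HTTP client and pass the raw bytes as text. The usual remediations for the sample above are Apache's ServerTokens Prod (Server becomes just "Apache"), PHP's expose_php = Off (drops X-Powered-By), and server_tokens off on nginx; re-running the check after the change confirms the header no longer carries a version.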

Nessus Default Settings

Nessus is a comprehensive third-party network vulnerability scanner developed and maintained by Tenable Network Security. It costs about $2200 per year for enterprise customers, but there is a free version for personal use.

Tenable Network Security’s team of research engineers keeps the Nessus vulnerability scanner up to date with the latest network and host security audits available. Nessus includes the latest security tests for publicly available security patches, disclosed vulnerabilities, and common worms.

Nessus default Advanced Settings:

Each entry below gives the setting name, its description, and the default value.

allow_post_scan_editing: Allows a user to edit scan results after the scan completes. Default: yes
auto_enable_dependencies: Automatically activates the plugins that selected plugins depend on. If disabled, not all plugins may run despite being selected in a scan policy. Default: yes
auto_update: Automatic plugin updates. If enabled and Nessus is registered, fetches the newest plugins from plugins.nessus.org automatically. Disable if the scanner is on an isolated network that cannot reach the Internet. Default: yes
auto_update_delay: Number of hours to wait between two updates. Four (4) hours is the minimum allowed interval. Default: 24
cgi_path: During the testing of web servers, use this colon-delimited list of CGI paths. Default: /cgi-bin:/scripts
checks_read_timeout: Read timeout, in seconds, for the sockets of the tests. Default: 5
disable_ui: Disables the user interface on managed scanners. Default: no
disable_ntp: Disables the legacy NTP protocol used by old Nessus clients. Default: yes
disable_xmlrpc: Disables the XMLRPC (web server) interface. Default: no
dumpfile: Location of the dump file for debugging output, if generated. Default: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.dump
global.max_hosts: Maximum number of hosts tested simultaneously across all scans. Default: 2150
global.max_scans: If set to non-zero, the maximum number of scans that may run in parallel. If not set, no limit is enforced. Default: 0
global.max_simult_tcp_sessions: Maximum number of simultaneous TCP sessions across all scans. If not set, no limit is enforced. Default: 50
global.max_web_users: If set to non-zero, the maximum number of (web) users who can connect in parallel. If not set, no limit is enforced. Default: 1024
listen_address: IPv4 address on which to listen for incoming connections. Setting this to 127.0.0.1 restricts access to local connections only. Default: 0.0.0.0
log_whole_attack: Log every detail of the attack. Helpful for debugging scan issues, but disk intensive. Default: no
logfile: Location where the Nessus log file is stored. Default: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.messages
max_hosts: Maximum number of hosts checked at one time during a scan. Default: 5
max_checks: Maximum number of simultaneous checks against each host tested. Default: 5
nasl_log_type: Type of NASL engine output written to nessusd.dump. Default: normal
nasl_no_signature_check: If set to yes, Nessus treats all NASL scripts as signed, so unsigned scripts will run. Selecting "yes" is unsafe and not recommended. Default: no
nessus_udp_scanner.max_run_time: Maximum run time, in seconds, for the UDP port scanner. If the setting is not present, a default of 365 days (31536000 seconds) is used. Default: 31536000
non_simult_ports: Ports against which two plugins cannot be run simultaneously. Default: 139, 445, 3389
optimize_test: Optimize the test procedure. Setting this to "no" makes scans take longer and typically generates more false positives. Default: yes
plugin_upload: Whether admin users may upload plugins. Default: yes
plugins_timeout: Maximum lifetime of a plugin's activity, in seconds. Default: 320
port_range: Range of ports the port scanners will scan. Accepts the keywords "default" or "all", as well as a comma-delimited list of ports or port ranges. Default: default
purge_plugin_db: Whether Nessus purges the plugin database at each update, removing, re-downloading, and rebuilding it every time. Choosing yes makes each update considerably slower. Default: no
qdb_mem_usage: Directs Nessus to use more or less memory when idle. On a dedicated server, "high" uses more memory to increase performance; on a shared machine, "low" uses considerably less memory at the price of a moderate performance impact. Default: low
reduce_connections_on_congestion: Reduce the number of parallel TCP sessions when the network appears to be congested. Default: no
report_crashes: Anonymously report crashes to Tenable. When set to yes, crash information is sent to Tenable to identify problems; neither personal nor system-identifying information is sent. Default: yes
rules: Location of the Nessus rules file (nessusd.rules). Default: C:\ProgramData\Tenable\Nessus\conf\nessusd.rules
safe_checks: Safe checks rely on banner grabbing rather than active testing for a vulnerability. Default: yes
silent_dependencies: If enabled, plugin dependencies and their output are not included in the report. A plugin selected in a policy may depend on other plugins; by default Nessus runs those dependencies but omits their output from the report. Setting this to no causes both the selected plugin and all its dependencies to appear in the report. Default: yes
slice_network_addresses: If set, Nessus does not scan a network incrementally (10.0.0.1, then 10.0.0.2, then 10.0.0.3, and so on) but slices the workload across the whole network (e.g., 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128, and so on). Default: no
ssl_cipher_list: Nessus only supports "strong" SSL ciphers when connecting to port 8834. Default: strong
stop_scan_on_disconnect: Stop scanning a host that appears to have been disconnected during the scan. Default: no
stop_scan_on_hang: Stop a scan that appears to be hung. Default: no
throttle_scan: Throttle scans when the CPU is overloaded. Default: yes
www_logfile: Location where the Nessus web server (user interface) log is stored. Default: C:\ProgramData\Tenable\Nessus\nessus\logs\www_server.log
xmlrpc_idle_session_timeout: XMLRPC idle session timeout, in minutes. If set to zero (0), the default of 30 minutes still applies. There is no maximum limit. Default: 30
xmlrpc_listen_port: Port on which the Nessus web server listens (XMLRPC protocol). Default: 8834
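Several of these defaults are the ones a reviewer checks first on a new scanner: listen_address 0.0.0.0 exposes the web UI on every interface, nasl_no_signature_check must stay at no, and safe_checks, disable_ntp, ssl_cipher_list and auto_update should match the deployment. The following is an added example, not Tenable code, that audits a dump of the advanced settings against that small baseline and emits the corresponding nessuscli fix --set commands. It assumes the input is the "name: value" lines that nessuscli fix --show prints; the sample dump below is constructed, with several settings deliberately left at insecure values.

```python
"""Audit nessusd advanced settings against a small hardening baseline.

Added example, not Tenable code.  Assumes settings arrive as "name: value"
lines (the format nessuscli fix --show prints); the sample is constructed.
"""

# Constructed sample dump with several deliberately weak values.
SAMPLE_SETTINGS = """\
listen_address: 0.0.0.0
xmlrpc_listen_port: 8834
nasl_no_signature_check: yes
safe_checks: no
disable_ntp: no
ssl_cipher_list: strong
auto_update: yes
"""


def parse_settings(text):
    """Turn 'name: value' lines into a dict, ignoring blank/malformed lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        settings[name.strip()] = value.strip()
    return settings


def audit(settings, remote_access_needed=False, isolated_network=False):
    """Return [(name, actual, wanted, reason)] for every baseline deviation.

    remote_access_needed: the UI must be reachable from other hosts, so
        listen_address 0.0.0.0 is accepted rather than flagged.
    isolated_network: no Internet reach, so auto_update should be off
        (plugins are then loaded manually).
    """
    findings = []

    def expect(name, wanted, reason):
        actual = settings.get(name)
        if actual != wanted:
            findings.append((name, actual, wanted, reason))

    if not remote_access_needed:
        expect("listen_address", "127.0.0.1",
               "restrict the web UI to local connections")
    expect("nasl_no_signature_check", "no",
           "yes treats unsigned NASL scripts as signed and runs them")
    expect("safe_checks", "yes",
           "banner-based checks instead of potentially disruptive tests")
    expect("disable_ntp", "yes", "legacy NTP client protocol is not needed")
    expect("ssl_cipher_list", "strong", "weak ciphers on the 8834 UI port")
    expect("auto_update", "no" if isolated_network else "yes",
           "plugin feed policy must match network reachability")
    return findings


def remediation_commands(findings, nessuscli="nessuscli"):
    """One 'nessuscli fix --set name=value' line per finding."""
    return [f"{nessuscli} fix --set {name}={wanted}"
            for name, _actual, wanted, _reason in findings]


if __name__ == "__main__":
    found = audit(parse_settings(SAMPLE_SETTINGS))
    for name, actual, wanted, reason in found:
        print(f"{name}: is {actual!r}, want {wanted!r} ({reason})")
    print("\n".join(remediation_commands(found)))
```

Changing a setting with nessuscli fix --set requires restarting nessusd before it takes effect, and the baseline here is deliberately minimal; tune it to the deployment (for example, a scanner driven remotely by Nessus Manager legitimately needs remote_access_needed=True).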