Tenable Nessus Tips and Tricks (+Script Auto-Installation)

Nessus is Tenable's entry level product and is intended for vulnerability assessment – not vulnerability management. It provides ad-hoc scanning, suitable for small organizations that need to do infrequent scans, penetration testers, consultants and even developers who are scanning clients on a one to one type basis.

• It is a single user solution. It can be shared but only one user at a time.
• Nessus provides unlimited IP scanning – no bands or limits. You just point it at your network and it can scan as many IPs as you want.
• It is for on-premise deployment - It is not a cloud hosted SaaS solution.

This post summarizes the tips and tricks I found useful during working on Tenable Nessus. 

Related Posts:

• Tenable Web Application Cerdential Scans For Web Appications and APIs
• Tenable Lab Steps and Notes - Part 1 (Discovery, NNM, Assessment, Plugins, Compliance, VPR, Analysis)
• Tenable Lab Steps and Notes - Part 2 (Dashboards, Reports, Core, Nessus, NNM, Agent, Scanner Groups)
• Tenable Vulnerability Management Specialist - Discovery, Assessment, Analysis, Compliance, Dashboard, Reports, Core, Nessus, Agent, NNM, Access Control
• Tenable PCI Scans (Internal and External)
• Tenable Vulnerability Management Tips and Tricks, Performance Tuning, Agent, Troubleshooting
• Tenable Nessus Tips and Tricks (+Script Auto-Installation)
• Tenable Nessus Auto Installation Special Scripts on Linux and How to Install on Windows
• Tenable Nessus Professional / Expert Installation (Web Application Scanning, Special Version in Linux etc)
• Tenable Vulnerability Management (Tenable.io) Basics Including Sensor and Agent Installation

Feature Comparism among Nessus (Pro, Expert), TVM, TSC, Tenable One

CNAPP

CLOUD-NATIVE APPLICATION PROTECTION PLATFORM (CNAPP) includes:

• - CWP
• - CSPM
• - CIEM + JIT
• - KSPM
• - DSPM
• - CDR
• - IaC / DevSecOps

Nessus Product Feature Comparism

	NESSUS PROFESSIONAL	NESSUS EXPERT
Designed for	Pentesters, Consultants, and Small and Medium-sized Business (SMB's)	Pentesters, Consultants, Developers and Small and Medium-sized  Business (SMB's)
Real-Time Vulnerability Updates	Yes	Yes
Vulnerability Scanning	Yes	Yes
Prebuilt policies used for scanning	Yes	Yes. Also has an additional 500 prebuilt policies for cloud infrastructure scanning
Scan Cloud Infrastructure	Yes, through the CLI* (*Command Line Interface)	Yes
External Attack Surface Scanning	No	Yes

Change Nessus Pro Session Timeout

Default inactivity time is 30 minutes. To change it to 60 minutes, run following commands from admin mode:

PS C:\Program Files\Tenable\Nessus> .\nessuscli fix --secure --set xmlrpc_idle_session_timeout=60

Successfully set 'xmlrpc_idle_session_timeout' to '60'.

The Nessus web server will be restarted.

PS C:\Program Files\Tenable\Nessus>

Restart the web service. 

Set Group Severity to Highest Severity in Group

To set group severity types to the highest severity within the group:

• Set the advanced setting scans_vulnerability_groups_mixed to no.

scan_vulnerability_groups = yes : enable grouping

scans_vulnerability_groups_mixed = no : set group severity to the highest severity in the group

Filter For Vulnerabilities

You have to play All / Any, is equale to, is not equale to , those options to create your customized filters. 

How to find out failed login hosts

A quick check:

• Plugin 19506 Nessus Scan information : Along with other information, this give you a quick summary of CREDENTIALS YES/NO

 

If you have a failure, then review other Plugins to find out the cause, Here are some Plugins worth looking at

• 110723 No Credentials Provided
• 110095 Authentication Success
• 104410 Authentication Failure(s) for Provided Credentials
• 110385 Authentication Success Insufficient Access
• 21745 Authentication Failure - Local Checks Not Run
• 117885 Authentication Success with Intermittent Failure
• 10394 Microsoft Windows SMB Log In Possible

 

Failed 66 is from  plugin 19506's output with "Credential Check: No".

Create filters to filter failed credential check machines using Plugin ID: 19506:

This will shows all failed credential check machines, including Windows, Linux, Devices, etc. 

How to Quickly Find Out Machines OS and Those Failed Credential Check

 Plugin ID: 11936

How to quickly find out Windows machines which failed login using provided credentials?

1. Filter plugin 19506, then search "Credential Check: No" in Plugin Output column. Copy all filtered machine's IPs out to a new sheet's column.

2. Clear Filter. Filter plugin 11936, then seach "Windows" in Plugin Output column. Copy all filtered machine's IPs out to a new sheet's column. 

3. Create a column "Is it windows?" to check if we can find one existing in both Columns, A & D. 

Filter Windows Machines using Plugin ID 11936.

Create Nessus Instance in Low End VPS

GCP Free tier:

Google Free Tier: e2-micro (0.25 -2 vcpu, 1 core, 1 GB memory)

• 1 non-preemptible e2-micro VM instance per month in one of the following US regions:
  • Oregon: us-west1
  • Iowa: us-central1
  • South Carolina: us-east1
• 30 GB-months standard persistent disk
• 1 GB of outbound data transfer from North America to all region destinations (excluding China and Australia) per month
• Compute Engine free tier does not charge for an external IP address.

Installation steps

1 Create your GCP VM

2 Connect to VM

Update system (Optional)

• apt update -y && apt upgrade -y  

SWAP size increase: (Optional)

• wget https://raw.githubusercontent.com/51sec/swap/main/swap.sh && bash swap.sh

3 Install Observability - Ops Agent (Optional)

You will be able to see much more metrics from your VPS, such as memory usage. 

4 Install Nessus using an auto-installation script from Github

Three commands from the cli session: 

• curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh
• chmod +x ubuntu.sh
• ./ubuntu.sh

One line command:

• curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh && chmod +x ubuntu.sh && ./ubuntu.sh

Access Tenable Nessus Web GUI:

https://<Public IP>:12345

GITHUB Repository: https://github.com/51sec/nessus-special

Screenshots for oberability tab and settings page:

Total hours until all plug-ins compiled in a low end VPS (GCP E2-Micro, 1vCPU/1G RAM/30G Standard Disk):  about 9 hours (from 2pm - 11pm)

Settings:

Warning for minimum requirements not met. 

Dring a scan:

CPU load is 2% and maximum memory usage is about 180MB. 

Here is the GCP's observability:

Auto-installation Script Issue:

Each time, when the system reboot, the whole Plugins compiling process will need to start from beginning. In this case, if you are using a low end vps such as GCP e2-micro instance, it will take another 9 hours before it completed all compiling tasks. 

How to Update Plugin-set:

Since auto update for plugin has been disabled, you will not be able to use Web Gui or normal way to update your plugins. You will just need to re-run the script. No need to delete anything before re-run. 

• re-run the installation scrip. 

VPR (Vulnerability Priority Rating)

Difference Between CVSS Severity and Vulnerability Priority Rating (VPR) in Nessus

The failure of CVSS Scoring

Predictive Prioritization Using VPR

Threat Recency - how recently have there been attacks utilizing this vul?

Threat Intensity - number and frequncy of recent events (very low to very high)

Threat Sources - What data was used

Exploit Code Maturity - Parallels CVSS (Unproven - high)

Product Coverage - Number of unique products (Low -very high)

Videos

YouTube Video: One Line Command To Deploy Tenable Nessus In Low End Free Linux VPS

References

• https://www.tenable.com/webinars
• https://www.tenable.com/education