Tenable Nessus Tips and Tricks (+Script Auto-Installation)

Nessus is Tenable's entry level product and is intended for vulnerability assessment – not vulnerability management. It provides ad-hoc scanning, suitable for small organizations that need to do infrequent scans, penetration testers, consultants and even developers who are scanning clients on a one to one type basis.

• It is a single user solution. It can be shared but only one user at a time.
• Nessus provides unlimited IP scanning – no bands or limits. You just point it at your network and it can scan as many IPs as you want.
• It is for on-premise deployment - It is not a cloud hosted SaaS solution.

This post summarizes the tips and tricks I found useful during working on Tenable Nessus. For Cloud version Tenable Vulnerability Managenet solution :  Tenable Vulnerability Management Tips and Tricks, Performance Tuning, Agent, Troubleshooting

Related Posts:

• Tenable Web Application Cerdential Scans For Web Appications and APIs
• Tenable Lab Steps and Notes - Part 1 (Discovery, NNM, Assessment, Plugins, Compliance, VPR, Analysis)
• Tenable Lab Steps and Notes - Part 2 (Dashboards, Reports, Core, Nessus, NNM, Agent, Scanner Groups)
• Tenable Vulnerability Management Specialist - Discovery, Assessment, Analysis, Compliance, Dashboard, Reports, Core, Nessus, Agent, NNM, Access Control
• Tenable PCI Scans (Internal and External)
• Tenable Vulnerability Management Tips and Tricks, Performance Tuning, Agent, Troubleshooting
• Tenable Nessus Tips and Tricks (+Script Auto-Installation)
• Tenable Nessus Auto Installation Special Scripts on Linux and How to Install on Windows
• Tenable Nessus Professional / Expert Installation (Web Application Scanning, Special Version in Linux etc)
• Tenable Vulnerability Management (Tenable.io) Basics Including Sensor and Agent Installation

Feature Comparism among Nessus (Pro, Expert), TVM, TSC, Tenable One

CNAPP

CLOUD-NATIVE APPLICATION PROTECTION PLATFORM (CNAPP) includes:

• - CWP
• - CSPM
• - CIEM + JIT
• - KSPM
• - DSPM
• - CDR
• - IaC / DevSecOps

Nessus Product Feature Comparism

	NESSUS PROFESSIONAL	NESSUS EXPERT
Designed for	Pentesters, Consultants, and Small and Medium-sized Business (SMB's)	Pentesters, Consultants, Developers and Small and Medium-sized  Business (SMB's)
Real-Time Vulnerability Updates	Yes	Yes
Vulnerability Scanning	Yes	Yes
Prebuilt policies used for scanning	Yes	Yes. Also has an additional 500 prebuilt policies for cloud infrastructure scanning
Scan Cloud Infrastructure	Yes, through the CLI* (*Command Line Interface)	Yes
External Attack Surface Scanning	No	Yes

Disable Certain Plugins Using nessusd.rules

The nessusd.rules file is an editable, text-based file used to configure Nessus scans to allow and reject ports, IP addresses, IP ranges, plugins, and targets. Please note that if the scans are launching from Tenable.sc or Tenable.io, all scans that use this Nessus scanner will be subject to the nessusd.rules file.

By default, based on your operating system, the nessusd.rules file can be found in the following locations:

• Linux

  /opt/nessus/etc/nessus/nessusd.rules 

• Windows (default location)

  C:\ProgramData\Tenable\Nessus\conf\nessusd.rules

  Note: The ProgramData folder is by default a hidden folder in Windows. In addition, the path specified is the default but can vary if Nessus was installed on another drive (i.e. E:\Programdata\...\). For more information, see the Microsoft article Show hidden files.

Note: https://community.tenable.com/s/article/What-is-the-Nessus-rules-file?language=en_US

root@az-h-22ub:/opt/nessus_agent/etc/nessus# cat nessusd.rules
#
# Nessus rules
#
#
# Target Syntax: accept|reject address/netmask:port[-port_max]
#
# Reject any target on 10.42.123.x
#   reject 10.42.123.0/24
# Reject connecting to port 80 for 10.0.0.1
#   reject 10.0.0.1:80
# Reject connecting to ports 8000 - 10000 (inclusive) for any host in the 192.168.0.0/24 subnet
#   reject 192.168.0.0/24:8000-10000
# Reject connecting to ports 1 - 1024 (inclusive) for the host 2001:db8::abcd
#   reject [2001:db8::abcd]:1-1024
#
#
# Plugin Syntax: plugin-accept|plugin-reject id[-id_max]
#
# Reject plugin #10335
#   plugin-reject 10335
# Allow plugins #10000 through #40000 (inclusive)
#   plugin-accept 10000-40000
#
#
# Default Rule Syntax (if no other rules apply): default accept|reject
#
# Accept everything else
#   default accept
# Reject everything else
#   default reject

default accept

How to backup / restore Configuration and Scan Results

Export / Import .nessus or .db file

You can import an exported Tenable Nessus (.nessus) or Tenable Nessus DB (.db) scan. With an imported scan, you can view scan results, export new reports for the scan, rename the scan, and update the description. You cannot launch imported scans or update policy settings.

You can also import .nessus files as policies. For more information, see Import a Policy.

Backup

The Nessus back up includes the following back up folders:

• /nessus/var/nessus/users/admin/auth/admin
• /nessus/var/nessus/users/admin/auth/rules
• /nessus/var/nessus/users/admin/policies.db

Using the Nessus CLI, you can back up your Tenable Nessus to restore it later on any system, even if it is a different operating system. When you back up Tenable Nessus, your license information and settings are preserved. Tenable Nessus does not back up scan results.

Change Nessus Pro Session Timeout

Default inactivity time is 30 minutes. To change it to 60 minutes, run following commands from admin mode:

PS C:\Program Files\Tenable\Nessus> .\nessuscli fix --secure --set xmlrpc_idle_session_timeout=60

Successfully set 'xmlrpc_idle_session_timeout' to '60'.

The Nessus web server will be restarted.

PS C:\Program Files\Tenable\Nessus>

Restart the web service. 

Set Group Severity to Highest Severity in Group

To set group severity types to the highest severity within the group:

• Set the advanced setting scans_vulnerability_groups_mixed to no.

scan_vulnerability_groups = yes : enable grouping

scans_vulnerability_groups_mixed = no : set group severity to the highest severity in the group

Filter For Vulnerabilities

You have to play All / Any, is equale to, is not equale to , those options to create your customized filters. 

How to find out failed login hosts

A quick check:

• Plugin 19506 Nessus Scan information : Along with other information, this give you a quick summary of CREDENTIALS YES/NO

 

If you have a failure, then review other Plugins to find out the cause, Here are some Plugins worth looking at

• 110723 No Credentials Provided
• 110095 Authentication Success
• 104410 Authentication Failure(s) for Provided Credentials
• 110385 Authentication Success Insufficient Access
• 21745 Authentication Failure - Local Checks Not Run
• 117885 Authentication Success with Intermittent Failure
• 10394 Microsoft Windows SMB Log In Possible

 

Failed 66 is from  plugin 19506's output with "Credential Check: No".

Create filters to filter failed credential check machines using Plugin ID: 19506:

This will shows all failed credential check machines, including Windows, Linux, Devices, etc. 

How to Quickly Find Out Machines OS and Those Failed Credential Check

 Plugin ID: 11936

How to quickly find out Windows machines which failed login using provided credentials?

1. Filter plugin 19506, then search "Credential Check: No" in Plugin Output column. Copy all filtered machine's IPs out to a new sheet's column.

2. Clear Filter. Filter plugin 11936, then seach "Windows" in Plugin Output column. Copy all filtered machine's IPs out to a new sheet's column. 

3. Create a column "Is it windows?" to check if we can find one existing in both Columns, A & D. 

Filter Windows Machines using Plugin ID 11936.

Create Nessus Instance in Low End VPS

GCP Free tier:

Google Free Tier: e2-micro (0.25 -2 vcpu, 1 core, 1 GB memory)

• 1 non-preemptible e2-micro VM instance per month in one of the following US regions:
  • Oregon: us-west1
  • Iowa: us-central1
  • South Carolina: us-east1
• 30 GB-months standard persistent disk
• 1 GB of outbound data transfer from North America to all region destinations (excluding China and Australia) per month
• Compute Engine free tier does not charge for an external IP address.

Installation steps

1 Create your GCP VM

2 Connect to VM

Update system (Optional)

• apt update -y && apt upgrade -y  

SWAP size increase: (Optional)

• wget https://raw.githubusercontent.com/51sec/swap/main/swap.sh && bash swap.sh

3 Install Observability - Ops Agent (Optional)

You will be able to see much more metrics from your VPS, such as memory usage. 

4 Install Nessus using an auto-installation script from Github

Three commands from the cli session: 

• curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh
• chmod +x ubuntu.sh
• ./ubuntu.sh

One line command:

• curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh && chmod +x ubuntu.sh && ./ubuntu.sh

Access Tenable Nessus Web GUI:

https://<Public IP>:12345

GITHUB Repository: https://github.com/51sec/nessus-special

Screenshots for oberability tab and settings page:

Total hours until all plug-ins compiled in a low end VPS (GCP E2-Micro, 1vCPU/1G RAM/30G Standard Disk):  about 9 hours (from 2pm - 11pm)

Settings:

Warning for minimum requirements not met. 

Dring a scan:

CPU load is 2% and maximum memory usage is about 180MB. 

Here is the GCP's observability:

Auto-installation Script Issue:

Each time, when the system reboot, the whole Plugins compiling process will need to start from beginning. In this case, if you are using a low end vps such as GCP e2-micro instance, it will take another 9 hours before it completed all compiling tasks. 

How to Update Plugin-set:

Since auto update for plugin has been disabled, you will not be able to use Web Gui or normal way to update your plugins. You will just need to re-run the script. No need to delete anything before re-run. 

• re-run the installation scrip. 

VPR (Vulnerability Priority Rating)

Difference Between CVSS Severity and Vulnerability Priority Rating (VPR) in Nessus

The failure of CVSS Scoring

Predictive Prioritization Using VPR

Threat Recency - how recently have there been attacks utilizing this vul?

Threat Intensity - number and frequncy of recent events (very low to very high)

Threat Sources - What data was used

Exploit Code Maturity - Parallels CVSS (Unproven - high)

Product Coverage - Number of unique products (Low -very high)

Software Inventory

Initially, a good way to determine this is to check certain plugins, such as:

- For Windows • Plugin ID 20811: Microsoft Windows Installed Software Enumeration (credentialed check) - https://www.tenable.com/plugins/nessus/20811 • Plugin ID 178102: Microsoft Windows Installed Software Version Enumeration - https://www.tenable.com/plugins/nessus/178102

- For Linux • Software Enumeration (SSH) - https://www.tenable.com/plugins/nessus/22869 In addition, when performing such checks, it is good to consider: 1. Running a credentialed scan. Leading practices for vulnerability assessment call for credentialed scan of hosts wherever possible. By being authenticated, the scanner could extract more information from the target host. 2. Enabling Thorough Test This allows the scanner to search additional folders deeper into the scan to find the required file needed to enumerate the version information. • Assessment Scan Settings - Perform thorough tests (may disrupt your network or impact scan speed) https://docs.tenable.com/nessus/Content/AssessmentSettings.htm#GNAccuracy Video： • Create Software Inventory with Nessus Professional - https://www.youtube.com/watch?v=3Jh06W6H2Bw

Videos

YouTube Video: One Line Command To Deploy Tenable Nessus In Low End Free Linux VPS

References

• https://www.tenable.com/webinars
• https://www.tenable.com/education