Tenable Nessus Tips and Tricks (+Script Auto-Installation) - NETSEC


Thursday, May 30, 2024


Nessus is Tenable's entry-level product and is intended for vulnerability assessment, not vulnerability management. It provides ad-hoc scanning, suitable for small organizations that need to do infrequent scans, penetration testers, consultants and even developers who scan clients on a one-to-one basis.

  • It is a single user solution. It can be shared but only one user at a time.
  • Nessus provides unlimited IP scanning – no bands or limits. You just point it at your network and it can scan as many IPs as you want.
  • It is for on-premises deployment; it is not a cloud-hosted SaaS solution.

This post summarizes the tips and tricks I found useful while working with Tenable Nessus. For the cloud version, Tenable Vulnerability Management, see: Tenable Vulnerability Management Tips and Tricks, Performance Tuning, Agent, Troubleshooting


Related Posts:

Feature Comparison among Nessus (Pro, Expert), TVM, TSC, Tenable One




CNAPP


CLOUD-NATIVE APPLICATION PROTECTION PLATFORM (CNAPP) includes:
  • CWP
  • CSPM
  • CIEM + JIT
  • KSPM
  • DSPM
  • CDR
  • IaC / DevSecOps


Nessus Product Feature Comparison




| Feature | Nessus Professional | Nessus Expert |
| --- | --- | --- |
| Designed for | Pentesters, Consultants, and Small and Medium-sized Businesses (SMBs) | Pentesters, Consultants, Developers and Small and Medium-sized Businesses (SMBs) |
| Real-Time Vulnerability Updates | Yes | Yes |
| Vulnerability Scanning | Yes | Yes |
| Prebuilt policies used for scanning | Yes | Yes. Also has an additional 500 prebuilt policies for cloud infrastructure scanning |
| Scan Cloud Infrastructure | Yes, through the CLI (Command Line Interface) | Yes |
| External Attack Surface Scanning | No | Yes |



Disable Certain Plugins Using nessusd.rules

The nessusd.rules file is an editable, text-based file used to configure Nessus scans to allow and reject ports, IP addresses, IP ranges, plugins, and targets. Please note that if scans are launched from Tenable.sc or Tenable.io, all scans that use this Nessus scanner are still subject to the nessusd.rules file.

By default, based on your operating system, the nessusd.rules file can be found in the following locations:

  • Linux
    /opt/nessus/etc/nessus/nessusd.rules 
  • Windows (default location)
    C:\ProgramData\Tenable\Nessus\conf\nessusd.rules

    Note: The ProgramData folder is hidden by default in Windows. In addition, the path above is the default but can vary if Nessus was installed on another drive (e.g. E:\ProgramData\...\). For more information, see the Microsoft article Show hidden files.


Note: https://community.tenable.com/s/article/What-is-the-Nessus-rules-file?language=en_US



root@az-h-22ub:/opt/nessus_agent/etc/nessus# cat nessusd.rules
#
# Nessus rules
#
#
# Target Syntax: accept|reject address/netmask:port[-port_max]
#
# Reject any target on 10.42.123.x
#   reject 10.42.123.0/24
# Reject connecting to port 80 for 10.0.0.1
#   reject 10.0.0.1:80
# Reject connecting to ports 8000 - 10000 (inclusive) for any host in the 192.168.0.0/24 subnet
#   reject 192.168.0.0/24:8000-10000
# Reject connecting to ports 1 - 1024 (inclusive) for the host 2001:db8::abcd
#   reject [2001:db8::abcd]:1-1024
#
#
# Plugin Syntax: plugin-accept|plugin-reject id[-id_max]
#
# Reject plugin #10335
#   plugin-reject 10335
# Allow plugins #10000 through #40000 (inclusive)
#   plugin-accept 10000-40000
#
#
# Default Rule Syntax (if no other rules apply): default accept|reject
#
# Accept everything else
#   default accept
# Reject everything else
#   default reject

default accept
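To see how the three rule forms in that file (target rules, plugin rules and the default) interact, here is an added Python example, mine rather than the post's or Tenable's, that parses a rules file written in the documented syntax, reports a line that matches none of the forms, and answers whether a given target:port or plugin ID would be accepted. The first-match-wins ordering and the treatment of a missing port as all ports (1-65535) are assumptions of this example, not behaviour the post documents, so treat its verdicts as a sanity check on a file before deploying it, not as authoritative for nessusd.

```python
import ipaddress
import re

# Constructed sample rules file (not from the post) using the syntax that the
# comment header of nessusd.rules documents: target rules, plugin rules, default.
SAMPLE_RULES = """\
# Target rules: accept|reject address/netmask:port[-port_max]
reject 10.42.123.0/24
reject 10.0.0.1:80
reject 192.168.0.0/24:8000-10000
reject [2001:db8::abcd]:1-1024
# Plugin rules: plugin-accept|plugin-reject id[-id_max]
plugin-reject 10335
plugin-accept 10000-40000
# Default rule (if no other rule applies)
default accept
"""

TARGET_RE = re.compile(
    r"^(accept|reject)\s+(\[([^\]]+)\]|[^\s:\[]+)(?::(\d+)(?:-(\d+))?)?$")
PLUGIN_RE = re.compile(r"^(plugin-accept|plugin-reject)\s+(\d+)(?:-(\d+))?$")
DEFAULT_RE = re.compile(r"^default\s+(accept|reject)$")


def parse_rules(text):
    """Parse rules text into (target_rules, plugin_rules, default_action).

    Raises ValueError on the first line that matches none of the three forms,
    so a typo is caught before the file reaches the scanner.
    """
    target_rules, plugin_rules, default = [], [], "accept"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = TARGET_RE.match(line)
        if m:
            action, token, bracketed, p_lo, p_hi = m.groups()
            try:
                net = ipaddress.ip_network(bracketed or token, strict=False)
            except ValueError as exc:
                raise ValueError(f"line {lineno}: {exc}") from None
            # Assumption: no port given means the rule covers every port.
            lo = int(p_lo) if p_lo else 1
            hi = int(p_hi) if p_hi else (lo if p_lo else 65535)
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"line {lineno}: bad port range {lo}-{hi}")
            target_rules.append((action, net, lo, hi))
            continue
        m = PLUGIN_RE.match(line)
        if m:
            action, id_lo, id_hi = m.groups()
            plugin_rules.append((action, int(id_lo), int(id_hi or id_lo)))
            continue
        m = DEFAULT_RE.match(line)
        if m:
            default = m.group(1)
            continue
        raise ValueError(f"line {lineno}: unrecognised rule {raw.strip()!r}")
    return target_rules, plugin_rules, default


def target_allowed(rules, host, port):
    """Assumption of this example: the first matching target rule wins,
    and the default applies only when no rule matches."""
    target_rules, _, default = rules
    ip = ipaddress.ip_address(host)
    for action, net, lo, hi in target_rules:
        if ip in net and lo <= port <= hi:   # 'in' is False across IP versions
            return action == "accept"
    return default == "accept"


def plugin_allowed(rules, plugin_id):
    """Same first-match assumption, applied to plugin ID rules."""
    _, plugin_rules, default = rules
    for action, lo, hi in plugin_rules:
        if lo <= plugin_id <= hi:
            return action == "plugin-accept"
    return default == "accept"


def lint_rules(text):
    """Return a list holding the first problem found, or [] if the file parses."""
    try:
        parse_rules(text)
    except ValueError as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for host, port in [("10.42.123.7", 443), ("10.0.0.1", 80), ("10.0.0.1", 443),
                       ("192.168.0.5", 9000), ("2001:db8::abcd", 22)]:
        verdict = "accept" if target_allowed(rules, host, port) else "reject"
        print(f"{host}:{port} -> {verdict}")
    for pid in (10335, 20000, 50000):
        print(f"plugin {pid} -> {'accept' if plugin_allowed(rules, pid) else 'reject'}")
    print("lint of a typo:", lint_rules("plugin-rejct 10335\n"))
```

Note how plugin 10335 is rejected even though it also falls inside the later plugin-accept 10000-40000 range: under the first-match assumption the order of lines matters, which is exactly the kind of interaction worth checking before a rules file reaches a scanner that Tenable.sc or Tenable.io drives.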



How to backup / restore Configuration and Scan Results

Export / Import .nessus or .db file

    You can import an exported Tenable Nessus (.nessus) or Tenable Nessus DB (.db) scan. With an imported scan, you can view scan results, export new reports for the scan, rename the scan, and update the description. You cannot launch imported scans or update policy settings.

    You can also import .nessus files as policies. For more information, see Import a Policy.

    Backup

    The Nessus backup includes the following files:
    • /nessus/var/nessus/users/admin/auth/admin
    • /nessus/var/nessus/users/admin/auth/rules
    • /nessus/var/nessus/users/admin/policies.db

    Using the Nessus CLI, you can back up your Tenable Nessus to restore it later on any system, even if it is a different operating system. When you back up Tenable Nessus, your license information and settings are preserved. Tenable Nessus does not back up scan results.




    Change Nessus Pro Session Timeout

    The default inactivity timeout is 30 minutes. To change it to 60 minutes, run the following command from an elevated (administrator) PowerShell session in the Nessus install directory:

    PS C:\Program Files\Tenable\Nessus> .\nessuscli fix --secure --set xmlrpc_idle_session_timeout=60
    Successfully set 'xmlrpc_idle_session_timeout' to '60'.
    The Nessus web server will be restarted.
    PS C:\Program Files\Tenable\Nessus>


    Restart the web service. 

    Set Group Severity to Highest Severity in Group



    scan_vulnerability_groups = yes : enable vulnerability grouping

    scan_vulnerability_groups_mixed = no : disallow mixed severities within a group, so the group severity is the highest severity in the group


    Filter For Vulnerabilities

    Combine the All / Any match mode with the "is equal to" and "is not equal to" operators to build your customized filters.



    How to find out failed login hosts

    A quick check:

    • Plugin 19506 Nessus Scan Information: along with other information, this gives you a quick summary of CREDENTIALS YES/NO

     


    If you have a failure, review other plugins to find out the cause. Here are some plugins worth looking at:

    • 110723 No Credentials Provided
    • 110095 Authentication Success
    • 104410 Authentication Failure(s) for Provided Credentials
    • 110385 Authentication Success Insufficient Access
    • 21745 Authentication Failure - Local Checks Not Run
    • 117885 Authentication Success with Intermittent Failure
    • 10394 Microsoft Windows SMB Log In Possible

     

    The "Failed: 66" count comes from plugin 19506's output containing "Credential Check: No".

    Create a filter on Plugin ID 19506 to list the machines that failed the credential check. This shows all such machines regardless of platform (Windows, Linux, network devices, etc.).


    How to Quickly Find Out Machines OS and Those Failed Credential Check

     Plugin ID: 11936



    How to quickly find out Windows machines which failed login using provided credentials?

    1. Filter on plugin 19506, then search for "Credential Check: No" in the Plugin Output column. Copy all filtered machines' IPs into a column of a new sheet.
    2. Clear the filter. Filter on plugin 11936, then search for "Windows" in the Plugin Output column. Copy all filtered machines' IPs into another column of the new sheet.
    3. Create a column "Is it Windows?" that checks whether an IP appears in both columns, A and D.

    Filter Windows Machines using Plugin ID 11936.
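The same three steps (plugin 19506 for the credential check, plugin 11936 for the OS, then the intersection) can be run directly over an exported .nessus file, which is XML in the NessusClientData_v2 layout with one ReportHost per target and one ReportItem per plugin result, rather than through spreadsheet columns. The Python below is an added example, not code from the post, run over a constructed three-host excerpt that I built for it; the "Credential Check: No" string is the post's wording, and the regex also accepts the "Credentialed checks : no" phrasing that plugin 19506 output uses in newer Nessus releases.

```python
import re
import xml.etree.ElementTree as ET

# Constructed three-host .nessus excerpt in the NessusClientData_v2 layout.
# Not a real scan export; only the plugins this check needs are included.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="constructed-sample">
<ReportHost name="10.0.0.5">
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
      pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
    <plugin_output>Information about this scan :
Credential Check: No
</plugin_output>
  </ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
      pluginID="11936" pluginName="OS Identification" pluginFamily="General">
    <plugin_output>Remote operating system : Microsoft Windows Server 2019
</plugin_output>
  </ReportItem>
</ReportHost>
<ReportHost name="10.0.0.6">
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
      pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
    <plugin_output>Credentialed checks : no
</plugin_output>
  </ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
      pluginID="11936" pluginName="OS Identification" pluginFamily="General">
    <plugin_output>Remote operating system : Linux Kernel 5.15 on Ubuntu 22.04
</plugin_output>
  </ReportItem>
</ReportHost>
<ReportHost name="10.0.0.7">
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
      pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
    <plugin_output>Credentialed checks : yes
</plugin_output>
  </ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
      pluginID="11936" pluginName="OS Identification" pluginFamily="General">
    <plugin_output>Remote operating system : Microsoft Windows 10
</plugin_output>
  </ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""

SCAN_INFO_PLUGIN = "19506"   # Nessus Scan Information
OS_ID_PLUGIN = "11936"       # OS Identification

# Matches the post's "Credential Check: No" and the "Credentialed checks : no" form.
NO_CREDS_RE = re.compile(r"credential(?:ed)?\s*checks?\s*:\s*no\b", re.IGNORECASE)


def plugin_outputs(xml_text, wanted=(SCAN_INFO_PLUGIN, OS_ID_PLUGIN)):
    """Return {host_name: {pluginID: plugin_output}} for the wanted plugin IDs.

    For exports received from an untrusted source, parse with defusedxml
    instead of ElementTree so entity-expansion tricks are rejected.
    """
    root = ET.fromstring(xml_text)
    hosts = {}
    for report_host in root.iter("ReportHost"):
        outputs = {}
        for item in report_host.findall("ReportItem"):
            plugin_id = item.get("pluginID")
            if plugin_id in wanted:
                outputs[plugin_id] = item.findtext("plugin_output") or ""
        hosts[report_host.get("name")] = outputs
    return hosts


def failed_credential_hosts(xml_text):
    """Step 1: hosts whose plugin 19506 output says no credentialed checks ran."""
    return sorted(host for host, out in plugin_outputs(xml_text).items()
                  if NO_CREDS_RE.search(out.get(SCAN_INFO_PLUGIN, "")))


def windows_hosts(xml_text):
    """Step 2: hosts whose plugin 11936 output identifies a Windows OS."""
    return sorted(host for host, out in plugin_outputs(xml_text).items()
                  if "windows" in out.get(OS_ID_PLUGIN, "").lower())


def windows_failed_credential_hosts(xml_text):
    """Step 3: the intersection, i.e. Windows hosts the scanner could not log in to."""
    return sorted(set(failed_credential_hosts(xml_text)) & set(windows_hosts(xml_text)))


if __name__ == "__main__":
    print("No credentialed checks:", failed_credential_hosts(SAMPLE_NESSUS))
    print("Windows hosts:", windows_hosts(SAMPLE_NESSUS))
    print("Windows, credential check failed:", windows_failed_credential_hosts(SAMPLE_NESSUS))
```

To use it on a real export, read the .nessus file into a string and pass it to windows_failed_credential_hosts; the other two functions give the per-step lists if you want to reconcile them against the manual filter counts.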



    Create Nessus Instance in Low End VPS

    GCP Free tier:

    Google Free Tier: e2-micro (0.25 -2 vcpu, 1 core, 1 GB memory)

    • 1 non-preemptible e2-micro VM instance per month in one of the following US regions:
      • Oregon: us-west1
      • Iowa: us-central1
      • South Carolina: us-east1
    • 30 GB-months standard persistent disk
    • 1 GB of outbound data transfer from North America to all region destinations (excluding China and Australia) per month
    • Compute Engine free tier does not charge for an external IP address.

    Installation steps

    1 Create your GCP VM





    2 Connect to VM


    Update system (Optional)

    • apt update -y && apt upgrade -y  

    SWAP size increase: (Optional)
    • wget https://raw.githubusercontent.com/51sec/swap/main/swap.sh && bash swap.sh


    3 Install Observability - Ops Agent (Optional)

    You will be able to see many more metrics for your VPS, such as memory usage.

    4 Install Nessus using an auto-installation script from Github

    Three commands from the cli session: 

    • curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh
    • chmod +x ubuntu.sh
    • ./ubuntu.sh


    One line command:

    • curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh && chmod +x ubuntu.sh && ./ubuntu.sh

    Access Tenable Nessus Web GUI:

    https://<Public IP>:12345

    GITHUB Repository: https://github.com/51sec/nessus-special


    Screenshots of the observability tab and settings page:

    Total time until all plugins are compiled on a low-end VPS (GCP e2-micro, 1 vCPU / 1 GB RAM / 30 GB standard disk): about 9 hours (from 2pm to 11pm)


    Settings:


    Warning that the minimum requirements are not met.

    During a scan:
    CPU load is 2% and maximum memory usage is about 180 MB.


    Here is the GCP's observability:


    Auto-installation Script Issue:

    Each time the system reboots, the whole plugin compilation process starts again from the beginning. On a low-end VPS such as a GCP e2-micro instance, that means another 9 hours or so before all compilation tasks complete.

    How to Update Plugin-set:

    Since the script disables automatic plugin updates, you cannot update plugins through the Web GUI or the normal update path. Instead, simply re-run the script; nothing needs to be deleted beforehand.
    • Re-run the installation script.

    VPR (Vulnerability Priority Rating)

    Difference Between CVSS Severity and Vulnerability Priority Rating (VPR) in Nessus

    The failure of CVSS Scoring

    Predictive Prioritization Using VPR
    Threat Recency - how recently have there been attacks utilizing this vulnerability?
    Threat Intensity - number and frequency of recent events (very low to very high)
    Threat Sources - what data was used
    Exploit Code Maturity - parallels CVSS (unproven to high)
    Product Coverage - number of unique products (low to very high)



    Software Inventory


    Initially, a good way to determine this is to check certain plugins, such as:

    - For Windows
      • Plugin ID 20811: Microsoft Windows Installed Software Enumeration (credentialed check) - https://www.tenable.com/plugins/nessus/20811
      • Plugin ID 178102: Microsoft Windows Installed Software Version Enumeration - https://www.tenable.com/plugins/nessus/178102

    - For Linux
      • Plugin ID 22869: Software Enumeration (SSH) - https://www.tenable.com/plugins/nessus/22869

    In addition, when performing such checks, it is good to consider:

    1. Running a credentialed scan. Leading practices for vulnerability assessment call for credentialed scans of hosts wherever possible. By being authenticated, the scanner can extract more information from the target host.
    2. Enabling Thorough Tests. This allows the scanner to search additional folders deeper into the scan to find the file needed to enumerate the version information.
       • Assessment Scan Settings - Perform thorough tests (may disrupt your network or impact scan speed): https://docs.tenable.com/nessus/Content/AssessmentSettings.htm#GNAccuracy

    Video:
    • Create Software Inventory with Nessus Professional - https://www.youtube.com/watch?v=3Jh06W6H2Bw


    Videos



    YouTube Video: One Line Command To Deploy Tenable Nessus In Low End Free Linux VPS



    References

    • https://www.tenable.com/webinars
    • https://www.tenable.com/education
