Tenable Nessus Tips and Tricks (+Script Auto-Installation) - NETSEC

Thursday, May 30, 2024

Nessus is Tenable's entry-level product and is intended for vulnerability assessment, not vulnerability management. It provides ad-hoc scanning, which suits small organizations that only scan infrequently, penetration testers, consultants, and developers who scan client systems on a one-to-one basis.

  • It is a single-user solution. It can be shared, but only one user can be logged in at a time.
  • Nessus provides unlimited IP scanning with no bands or limits: point it at your network and scan as many IPs as you want.
  • It is for on-premises deployment; it is not a cloud-hosted SaaS solution.


This post summarizes the tips and tricks I found useful while working with Tenable Nessus.



Feature Comparison among Nessus (Pro, Expert), TVM (Tenable Vulnerability Management), TSC (Tenable Security Center) and Tenable One




CNAPP

A Cloud-Native Application Protection Platform (CNAPP) includes:
  • CWP (Cloud Workload Protection)
  • CSPM (Cloud Security Posture Management)
  • CIEM (Cloud Infrastructure Entitlement Management) + JIT (just-in-time access)
  • KSPM (Kubernetes Security Posture Management)
  • DSPM (Data Security Posture Management)
  • CDR (Cloud Detection and Response)
  • IaC (Infrastructure as Code) scanning / DevSecOps


Nessus Product Feature Comparison




Feature                          | Nessus Professional                                  | Nessus Expert
Designed for                     | Pentesters, consultants, and small and medium-sized businesses (SMBs) | Pentesters, consultants, developers, and SMBs
Real-time vulnerability updates  | Yes                                                  | Yes
Vulnerability scanning           | Yes                                                  | Yes
Prebuilt scan policies           | Yes                                                  | Yes, plus an additional 500 prebuilt policies for cloud infrastructure scanning
Scan cloud infrastructure        | Yes, through the CLI (command line interface)        | Yes
External attack surface scanning | No                                                   | Yes



Change Nessus Pro Session Timeout

The default inactivity timeout is 30 minutes. The advanced setting xmlrpc_idle_session_timeout holds the value in minutes; to change it to 60 minutes, run the following from an elevated (Administrator) PowerShell prompt in the Nessus install directory:

PS C:\Program Files\Tenable\Nessus> .\nessuscli fix --secure --set xmlrpc_idle_session_timeout=60
Successfully set 'xmlrpc_idle_session_timeout' to '60'.
The Nessus web server will be restarted.
PS C:\Program Files\Tenable\Nessus>

The new timeout applies once the Nessus web server has restarted, which the command does on its own as the output shows; if the web UI does not pick up the change, restart the Tenable Nessus service.

Set Group Severity to Highest Severity in Group

Two advanced settings (Settings > Advanced) control vulnerability grouping. To have a group's severity reflect the highest severity within the group:

scan_vulnerability_groups = yes : enable vulnerability grouping

scan_vulnerability_groups_mixed = no : set the group severity to the highest severity in the group


Filter For Vulnerabilities

A custom filter is built from one or more conditions combined with Match All or Match Any; each condition applies an operator such as "is equal to", "is not equal to" or "contains" to a field such as Plugin ID or Plugin Output. All the filters below are combinations of these.



How to find out failed login hosts

A quick check:

  • Plugin 19506 (Nessus Scan Information): along with other scan details, its output includes a line stating whether credentialed checks ran (yes/no).

If a host shows a failure, review the following plugins to find the cause:

  • 110723 No Credentials Provided
  • 110095 Authentication Success
  • 104410 Authentication Failure(s) for Provided Credentials
  • 110385 Authentication Success Insufficient Access
  • 21745 Authentication Failure - Local Checks Not Run
  • 117885 Authentication Success with Intermittent Failure
  • 10394 Microsoft Windows SMB Log In Possible

The 66 failed hosts counted here are those whose plugin 19506 output contains "Credential Check: No".

To list them, filter on Plugin ID 19506 with Plugin Output containing "Credential Check: No". This shows every host that failed the credential check regardless of platform: Windows, Linux, network devices and so on.


How to Quickly Find Out a Machine's OS and Which Hosts Failed the Credential Check

Plugin ID 11936 (OS Identification) reports the detected operating system in its Plugin Output. Combined with plugin 19506, it tells you which OS each host that failed the credential check is running.



How to quickly find out which Windows machines failed to log in with the provided credentials?

1. Filter on plugin 19506, then search for "Credential Check: No" in the Plugin Output column. Copy the IPs of all matching hosts into a column of a new spreadsheet (column A).
2. Clear the filter. Filter on plugin 11936, then search for "Windows" in the Plugin Output column. Copy the IPs of all matching hosts into another column (column D).
3. Add a column "Is it Windows?" that checks whether each IP in column A also appears in column D; the matches are the Windows hosts that failed authentication.

Filter Windows machines using Plugin ID 11936.
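The same cross-reference can be done offline against a .nessus export instead of GUI filters and spreadsheet columns. The following is an added example written for this post, not code from the post or from Tenable: it parses the NessusClientData_v2 XML, reads the plugin 19506 credential line and the plugin 11936 OS line for each host, and lists the hosts that failed the credential check, optionally narrowed to Windows, together with whichever authentication-status plugin from the list above fired. The plugin IDs are the real ones; the sample export, host addresses and plugin output text are constructed for the example. In current Nessus builds the 19506 line reads "Credentialed checks : no" (the post abbreviates it as "Credential Check: No"); the matcher accepts either spelling.

```python
"""Added example: find hosts whose credentialed checks failed and which OS they
run, by parsing a .nessus (NessusClientData_v2 XML) export offline.  Plugin IDs
are real Nessus IDs; the sample export below is constructed for this example."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

SCAN_INFO_PLUGIN = "19506"  # Nessus Scan Information: "Credentialed checks : yes|no"
OS_IDENT_PLUGIN = "11936"   # OS Identification: "Remote operating system : ..."
AUTH_PLUGINS = {            # authentication-status plugins listed in the post
    "110723": "No Credentials Provided",
    "110095": "Authentication Success",
    "104410": "Authentication Failure(s) for Provided Credentials",
    "110385": "Authentication Success Insufficient Access",
    "21745": "Authentication Failure - Local Checks Not Run",
    "117885": "Authentication Success with Intermittent Failure",
}

# Constructed sample export: four hosts, trimmed to the plugins this check needs.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="10.0.0.11">
 <ReportItem port="0" pluginID="19506"><plugin_output>Nessus version : 10.7.0
Credentialed checks : no
Scan duration : 612 sec</plugin_output></ReportItem>
 <ReportItem port="0" pluginID="11936"><plugin_output>Remote operating system : Microsoft Windows Server 2019
Confidence level : 70</plugin_output></ReportItem>
 <ReportItem port="445" pluginID="104410"><plugin_output>Protocol : SMB
Message : Login failed</plugin_output></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.12">
 <ReportItem port="0" pluginID="19506"><plugin_output>Credentialed checks : yes, as 'scanuser' via ssh</plugin_output></ReportItem>
 <ReportItem port="0" pluginID="11936"><plugin_output>Remote operating system : Ubuntu 22.04</plugin_output></ReportItem>
 <ReportItem port="22" pluginID="110095"><plugin_output>Protocol : SSH</plugin_output></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.13">
 <HostProperties><tag name="operating-system">Cisco IOS 15.2</tag></HostProperties>
 <ReportItem port="0" pluginID="19506"><plugin_output>Credentialed checks : no</plugin_output></ReportItem>
 <ReportItem port="0" pluginID="110723"><plugin_output>No credentials were provided.</plugin_output></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.14">
 <ReportItem port="0" pluginID="19506"><plugin_output>Credentialed checks : yes, as 'svc-scan' via smb</plugin_output></ReportItem>
 <ReportItem port="0" pluginID="11936"><plugin_output>Remote operating system : Microsoft Windows 10</plugin_output></ReportItem>
 <ReportItem port="445" pluginID="110385"><plugin_output>Message : not a local administrator</plugin_output></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""


@dataclass
class HostResult:
    ip: str
    credentialed: Optional[bool]   # None when plugin 19506 is absent for the host
    os: str
    auth_plugins: List[str] = field(default_factory=list)


def _field(output: str, label: str) -> Optional[str]:
    """Value of a 'Label : value' line in plugin output (case-insensitive)."""
    m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.+?)\s*$", output,
                  re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def parse_nessus(xml_text: str) -> List[HostResult]:
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("ReportHost"):
        cred, os_name, auth = None, "", []
        for item in host.iter("ReportItem"):
            pid = item.get("pluginID", "")
            out = item.findtext("plugin_output") or ""
            if pid == SCAN_INFO_PLUGIN:
                # Current builds write "Credentialed checks : no"; the post
                # abbreviates it as "Credential Check: No". Accept both.
                val = _field(out, "Credentialed checks") or _field(out, "Credential Check")
                if val is not None:
                    cred = val.lower().startswith("yes")
            elif pid == OS_IDENT_PLUGIN:
                os_name = _field(out, "Remote operating system") or ""
            elif pid in AUTH_PLUGINS:
                auth.append(pid)
        if not os_name:  # fall back to the host property Nessus fills from other plugins
            os_name = host.findtext("HostProperties/tag[@name='operating-system']") or ""
        results.append(HostResult(host.get("name", "?"), cred, os_name, sorted(auth)))
    return results


def failed_credential_hosts(results: List[HostResult], os_filter: Optional[str] = None):
    """Hosts whose credential check did not succeed (19506 says no, or is missing),
    optionally narrowed to an OS substring such as "Windows"."""
    return [r for r in results
            if r.credentialed is not True
            and (os_filter is None or os_filter.lower() in r.os.lower())]


def partial_access_hosts(results: List[HostResult]):
    """Authenticated, but plugin 110385 reports too little privilege for local checks."""
    return [r for r in results if r.credentialed and "110385" in r.auth_plugins]


if __name__ == "__main__":
    hosts = parse_nessus(SAMPLE_NESSUS)
    for h in failed_credential_hosts(hosts):
        why = ", ".join(f"{p} {AUTH_PLUGINS[p]}" for p in h.auth_plugins) or "no auth plugin fired"
        print(f"{h.ip:15} {h.os or 'unknown OS':35} {why}")
```

Run it against a real export with parse_nessus(open("scan.nessus").read()); passing os_filter="Windows" reproduces the spreadsheet result from steps 1 to 3, and partial_access_hosts catches the hosts the GUI filter misses because 19506 says "yes" even though local checks could not run.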



Create a Nessus Instance on a Low-End VPS

GCP free tier:

Google Free Tier: e2-micro (2 shared-core vCPUs with a 0.25 vCPU baseline, 1 GB memory). This is well below Tenable's minimum requirements for Nessus, and the install warns about it (see below), but it is enough to try the product.

  • 1 non-preemptible e2-micro VM instance per month in one of the following US regions:
    • Oregon: us-west1
    • Iowa: us-central1
    • South Carolina: us-east1
  • 30 GB-months standard persistent disk
  • 1 GB of outbound data transfer from North America to all region destinations (excluding China and Australia) per month
  • Compute Engine free tier does not charge for an external IP address.

Installation steps

1 Create your GCP VM





2 Connect to VM


Update the system (optional)

  • apt update -y && apt upgrade -y

Increase the swap size (optional, but worthwhile with only 1 GB of RAM). The helper comes from the 51sec GitHub repo; read it before running it, as with any script fetched from the internet:
  • wget https://raw.githubusercontent.com/51sec/swap/main/swap.sh && bash swap.sh


3 Install observability: Google Cloud Ops Agent (optional)

With the Ops Agent installed you will see many more metrics for the VM in the GCP console, such as memory usage.

4 Install Nessus using the auto-installation script from GitHub

Download the script first and read it before executing it, as you would with any script fetched with curl. Three commands from the CLI session:

  • curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh
  • chmod +x ubuntu.sh
  • ./ubuntu.sh

As a one-line command:

  • curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh && chmod +x ubuntu.sh && ./ubuntu.sh

Access the Tenable Nessus web GUI:

https://<Public IP>:12345

This exposes the Nessus UI on a public address on port 12345 (the script's configuration; a standard Nessus install listens on 8834), so restrict the GCP firewall rule for that port to your own source IP.

GitHub repository: https://github.com/51sec/nessus-special


Screenshots of the Observability tab and the Nessus settings page:

Total time until all plugins compiled on a low-end VPS (GCP e2-micro, 1 vCPU / 1 GB RAM / 30 GB standard disk): about 9 hours (from 2 pm to 11 pm).

Settings:

Warning that the minimum requirements are not met.

During a scan:
CPU load is 2% and maximum memory usage is about 180 MB.

Here is the GCP observability view:


Auto-installation script issue:

Each time the system reboots, the whole plugin compilation process starts from the beginning. On a low-end VPS such as a GCP e2-micro instance this means another 9 hours before all compilation tasks complete, so avoid reboots once the plugins have compiled.

How to update the plugin set:

Because the script disables automatic plugin updates, you cannot update plugins from the web GUI or in the normal way. Simply re-run the installation script; there is nothing to delete beforehand.

VPR (Vulnerability Priority Rating)

Difference Between CVSS Severity and Vulnerability Priority Rating (VPR) in Nessus

The failure of CVSS scoring: CVSS rates technical severity, not the likelihood that a vulnerability is actually being exploited, so ranking by CVSS alone leaves far too many findings marked critical. VPR adds threat intelligence to the rating so the findings most likely to be exploited are fixed first.

Predictive prioritization using VPR considers:
  • Threat Recency - how recently attacks using this vulnerability were observed
  • Threat Intensity - number and frequency of recent events (very low to very high)
  • Threat Sources - which data sources reported the threat activity
  • Exploit Code Maturity - parallels the CVSS metric of the same name (Unproven to High)
  • Product Coverage - number of unique products affected (low to very high)



Videos



YouTube Video: One Line Command To Deploy Tenable Nessus In Low End Free Linux VPS


