Tenable Nessus Tips and Tricks (+Script Auto-Installation) - NETSEC


Thursday, May 30, 2024

Tenable Nessus Tips and Tricks (+Script Auto-Installation)

Nessus is Tenable's entry-level product and is intended for vulnerability assessment – not vulnerability management. It provides ad-hoc scanning, suitable for small organizations that need to do infrequent scans, penetration testers, consultants and even developers who scan clients on a one-to-one basis.

  • It is a single user solution. It can be shared but only one user at a time.
  • Nessus provides unlimited IP scanning – no bands or limits. You just point it at your network and it can scan as many IPs as you want.
  • It is for on-premise deployment - It is not a cloud hosted SaaS solution.


This post summarizes the tips and tricks I found useful while working with Tenable Nessus.

Feature                             | Nessus Professional                                                     | Nessus Expert
Designed for                        | Pentesters, Consultants, and Small and Medium-sized Businesses (SMBs)   | Pentesters, Consultants, Developers and Small and Medium-sized Businesses (SMBs)
Real-Time Vulnerability Updates     | Yes                                                                     | Yes
Vulnerability Scanning              | Yes                                                                     | Yes
Prebuilt policies used for scanning | Yes                                                                     | Yes. Also has an additional 500 prebuilt policies for cloud infrastructure scanning
Scan Cloud Infrastructure           | Yes, through the CLI (Command Line Interface)                           | Yes
External Attack Surface Scanning    | No                                                                      | Yes

Set Group Severity to Highest Severity in Group

  • scan_vulnerability_groups = yes : enable grouping
  • scan_vulnerability_groups_mixed = no : set group severity to the highest severity in the group


How to find out failed login hosts

A quick check:

  • Plugin 19506 Nessus Scan Information: along with other information, this gives you a quick summary of CREDENTIALS YES/NO

 


If you have a failure, review other plugins to find out the cause. Here are some plugins worth looking at:

  • 110723 No Credentials Provided
  • 110095 Authentication Success
  • 104410 Authentication Failure(s) for Provided Credentials
  • 110385 Authentication Success Insufficient Access
  • 21745 Authentication Failure - Local Checks Not Run
  • 117885 Authentication Success with Intermittent Failure
  • 10394 Microsoft Windows SMB Log In Possible

The "Failed 66" count comes from plugin 19506's output containing "Credential Check: No".

Create a filter on Plugin ID 19506 to list the machines that failed the credential check. This shows all machines that failed the credential check, including Windows, Linux, network devices, etc.


How to Quickly Find Out a Machine's OS and Which Machines Failed the Credential Check

Plugin ID: 11936 (OS Identification)



How to quickly find out which Windows machines failed login with the provided credentials?

1. Filter on plugin 19506, then search for "Credential Check: No" in the Plugin Output column. Copy all of the filtered machines' IPs into a column of a new sheet.
2. Clear the filter. Filter on plugin 11936, then search for "Windows" in the Plugin Output column. Copy all of the filtered machines' IPs into another column of the new sheet.
3. Create a column "Is it Windows?" that checks whether an IP appears in both columns (A and D).

Filter Windows machines using Plugin ID 11936.
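The three-step spreadsheet procedure above, done in code, as an added example (my own, not part of the original post or the 51sec repository): it reads a Nessus CSV export, takes the plugin 19506 rows whose output contains "Credential Check: No", takes the plugin 11936 rows whose output mentions Windows, intersects the two host sets, and, for each host that failed the credential check, lists which of the authentication plugins from the list earlier in this post fired. The column names assume the standard Nessus CSV export ("Plugin ID", "Host", "Name", "Plugin Output"); the sample rows, hosts and plugin output text are constructed, and the pattern also accepts the "Credentialed checks : no" wording, which is an assumption about how the plugin phrases it.

```python
import csv
import io
import re

# Plugin IDs named in the post (Tenable Nessus plugin IDs).
SCAN_INFO_PLUGIN = "19506"   # Nessus Scan Information
OS_ID_PLUGIN = "11936"       # OS Identification
AUTH_PLUGINS = {
    "110723": "No Credentials Provided",
    "110095": "Authentication Success",
    "104410": "Authentication Failure(s) for Provided Credentials",
    "110385": "Authentication Success Insufficient Access",
    "21745": "Authentication Failure - Local Checks Not Run",
    "117885": "Authentication Success with Intermittent Failure",
    "10394": "Microsoft Windows SMB Log In Possible",
}

# The post filters on "Credential Check: No"; the pattern also accepts the
# "Credentialed checks : no" wording (assumed), so either spelling counts.
NO_CREDS_RE = re.compile(r"credential(?:ed)?\s*checks?\s*:\s*no\b", re.IGNORECASE)

# Constructed sample in the shape of a Nessus CSV export. Hosts, plugin
# output text and the mix of plugins per host are made up for this example;
# 10.0.0.8 deliberately has no OS row (an unidentified device).
SAMPLE_CSV = '''"Plugin ID","Host","Name","Plugin Output"
"19506","10.0.0.5","Nessus Scan Information","Information about this scan :\n\nCredential Check: No\n"
"11936","10.0.0.5","OS Identification","Remote operating system : Microsoft Windows Server 2019\nConfidence level : 99"
"104410","10.0.0.5","Authentication Failure(s) for Provided Credentials","SMB authentication failed with the supplied account"
"19506","10.0.0.6","Nessus Scan Information","Information about this scan :\n\nCredential Check: Yes\n"
"11936","10.0.0.6","OS Identification","Remote operating system : Microsoft Windows 10"
"110095","10.0.0.6","Authentication Success","SMB login succeeded"
"19506","10.0.0.7","Nessus Scan Information","Information about this scan :\n\nCredentialed checks : no\n"
"11936","10.0.0.7","OS Identification","Remote operating system : Linux Kernel 5.15 on Ubuntu 22.04"
"110723","10.0.0.7","No Credentials Provided","No credentials were supplied for this host"
"19506","10.0.0.8","Nessus Scan Information","Credential Check: No"
'''


def load_rows(csv_text):
    """Parse CSV export text into a list of {column: value} dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def failed_credential_hosts(rows):
    """Step 1: hosts whose plugin 19506 output reports no credentialed check."""
    return {
        r["Host"] for r in rows
        if r["Plugin ID"] == SCAN_INFO_PLUGIN and NO_CREDS_RE.search(r["Plugin Output"])
    }


def windows_hosts(rows):
    """Step 2: hosts that plugin 11936 identifies as Windows."""
    return {
        r["Host"] for r in rows
        if r["Plugin ID"] == OS_ID_PLUGIN and "windows" in r["Plugin Output"].lower()
    }


def windows_failed_logins(rows):
    """Step 3: the intersection, i.e. Windows hosts where the login failed."""
    return sorted(failed_credential_hosts(rows) & windows_hosts(rows))


def auth_diagnostics(rows, hosts):
    """For each host, the authentication plugins that fired (the likely cause)."""
    found = {h: [] for h in hosts}
    for r in rows:
        if r["Host"] in found and r["Plugin ID"] in AUTH_PLUGINS:
            found[r["Host"]].append(f'{r["Plugin ID"]} {AUTH_PLUGINS[r["Plugin ID"]]}')
    return found


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    failed = failed_credential_hosts(rows)
    print("Failed credential check:", sorted(failed))
    print("Windows hosts that failed login:", windows_failed_logins(rows))
    for host, plugins in sorted(auth_diagnostics(rows, failed).items()):
        print(f"{host}: {', '.join(plugins) or 'no auth plugin output'}")
```

To use it on a real export, replace SAMPLE_CSV with the contents of the CSV file downloaded from the scan's Export menu; a host that shows up in the failed set with no authentication plugin output at all (like 10.0.0.8 here) usually means the scan never reached a login attempt, which is a different problem from a rejected credential.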



Create Nessus Instance in Low End VPS

GCP Free tier:


Google Free Tier: e2-micro (0.25-2 vCPU, 1 core, 1 GB memory)

  • 1 non-preemptible e2-micro VM instance per month in one of the following US regions:
    • Oregon: us-west1
    • Iowa: us-central1
    • South Carolina: us-east1
  • 30 GB-months standard persistent disk
  • 1 GB of outbound data transfer from North America to all region destinations (excluding China and Australia) per month
  • Compute Engine free tier does not charge for an external IP address.

Installation steps

1 Create your GCP VM

2 Connect to VM


Update system (Optional)

  • apt update -y && apt upgrade -y  

SWAP size increase: (Optional)
  • wget https://raw.githubusercontent.com/51sec/swap/main/swap.sh && bash swap.sh


3 Install Observability - Ops Agent (Optional)

You will be able to see many more metrics from your VPS, such as memory usage.

4 Install Nessus using an auto-installation script from Github

Three commands in the CLI session:

  • curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh
  • chmod +x ubuntu.sh
  • ./ubuntu.sh


One line command:

  • curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh && chmod +x ubuntu.sh && ./ubuntu.sh

Access Tenable Nessus Web GUI:

https://<Public IP>:12345

GITHUB Repository: https://github.com/51sec/nessus-special
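An added example (my own, not the post's or the 51sec repository's code) of the same install step with the script pinned by hash: it downloads ubuntu.sh from the URL the post gives, compares its SHA-256 with the digest of the copy you already read through, and only then hands it to bash. EXPECTED_SHA256 is a placeholder you fill in after reviewing the script; everything else uses the Python standard library.

```python
import hashlib
import hmac
import subprocess
import sys
import tempfile
import urllib.request

# Installer URL from the post's GitHub repository.
SCRIPT_URL = "https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh"

# Placeholder, not a real value: the SHA-256 of the copy of ubuntu.sh you
# downloaded and reviewed. Re-pin it whenever you adopt a newer revision.
EXPECTED_SHA256 = "REPLACE_WITH_REVIEWED_SHA256"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the script bytes."""
    return hashlib.sha256(data).hexdigest()


def matches_pin(data: bytes, expected_hex: str) -> bool:
    """True only if the script's digest equals the pinned one (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def fetch(url: str, timeout: int = 30) -> bytes:
    """Download the script bytes over HTTPS without executing anything."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def install(url: str = SCRIPT_URL, expected_hex: str = EXPECTED_SHA256) -> int:
    """Fetch, verify, then run. Returns the installer's exit code, or 1 if the pin fails."""
    data = fetch(url)
    if not matches_pin(data, expected_hex):
        print(f"refusing to run {url}: sha256 {sha256_hex(data)} does not match pin "
              f"{expected_hex}", file=sys.stderr)
        return 1
    # Write the verified bytes to a temp file and run exactly that file.
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as fh:
        fh.write(data)
        path = fh.name
    return subprocess.run(["bash", path]).returncode


if __name__ == "__main__":
    sys.exit(install())
```

Run it as root on the VM (the installer itself needs root for apt and the Nessus package). When the repository changes the script, the pin check stops the run and prints both digests, so the new revision gets read before it is re-pinned; that is the difference from the one-line curl command, which executes whatever the URL currently serves.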


Screenshots of the observability tab and settings page:

Total hours until all plug-ins compiled in a low end VPS (GCP E2-Micro, 1vCPU/1G RAM/30G Standard Disk):  about 9 hours (from 2pm - 11pm)


Settings:


Warning for minimum requirements not met.

During a scan:
CPU load is 2% and maximum memory usage is about 180 MB.


Here is the GCP's observability:


Auto-installation Script Issue:

Each time the system reboots, the whole plugin compiling process starts again from the beginning. If you are using a low end VPS such as a GCP e2-micro instance, it will take another 9 hours before all compiling tasks are completed.

How to Update the Plugin Set:

Since auto-update for plugins has been disabled, you will not be able to update your plugins through the Web GUI or the normal way. You just need to re-run the script; there is no need to delete anything before re-running it.
  • Re-run the installation script.

VPR (Vulnerability Priority Rating)

Difference Between CVSS Severity and Vulnerability Priority Rating (VPR) in Nessus

The failure of CVSS Scoring

Predictive Prioritization Using VPR
  • Threat Recency - how recently have there been attacks utilizing this vulnerability?
  • Threat Intensity - number and frequency of recent events (very low to very high)
  • Threat Sources - what data was used
  • Exploit Code Maturity - parallels CVSS (unproven to high)
  • Product Coverage - number of unique products (low to very high)

Videos

YouTube Video: One Line Command To Deploy Tenable Nessus In Low End Free Linux VPS (Simple & Easy) #netsec
