Nessus Scan

Preparing Your Nessus Scan: Credentialed Nessus Scan


What is Nessus

Nessus is a vulnerability assessment tool developed by Tenable. It can be used to run a Nessus scan against your devices, to look for vulnerabilities, as either a one-off scan or on a recurring schedule, providing email notifications when each scan has been completed.

The results of your Nessus vulnerability scanner can then be used to fix vulnerabilities and security weaknesses identified in your systems, using the helpful output of the security scan which guides you when implementing solutions.

Nessus is also a common tool used by pen testers. Where you arrange a security test using a penetration tester, there is a high likelihood they will be using Nessus or other security tools.

Nessus has several different licenses available, which have different applications and features.

    This article includes information regarding Tenable products.  Forge Secure is now a Tenable partner and reseller which should be taken into account with any reviews or recommendations.

    The Importance of Vulnerability Scanning

    Nessus Vulnerability Scanning

    Conducting regular vulnerability scans is an important part of any security strategy. It is a common occurrence that updates for software and operating systems are not always automatically applied. Other vulnerabilities can be introduced through insecure configurations, weak credentials, and from other sources.

    Having a solution in place to regularly check your devices for known vulnerabilities is therefore of critical importance to ensure you have a level of protection from common vulnerabilities and attacks from possible cyber threats.

    Regular security scans are also a common requirement of multiple compliance standards. Developing a security strategy that incorporates vulnerability scanning can therefore align you with multiple compliance requirements you may need to achieve.

    Being able to carry out your own vulnerability assessment is also cost-effective. Security practitioners can provide services for maintaining a vulnerability assessment, and there are benefits to working with specialist security professionals.

    However, there is a cost involved when working with a third party. Where you are looking for a cost-effective approach to some of your security requirements, running and maintaining your own vulnerability scanner will be incredibly beneficial.

    Nessus offers a great solution for running your own vulnerability scanning. However, where you need to set up a solution on a minimal budget, OpenVAS offers an alternative scanning product that can be set up with no license fees. The installation of OpenVAS is described in further detail here.


    Installing Nessus

    Installing Nessus Scanner

    Nessus provides an automated process for operating systems such as Windows, Mac, and a variety of Linux platforms, which allows you to install Nessus in a simple, user-friendly, and streamlined process.

    Once successfully installed, a web page will be presented to the user, where they can create their user account to access Nessus and log in to the Nessus interface.

    You will need to set up an account with Tenable and receive your activation code to use the software, regardless of whether you are using the free Essentials version or the Professional version.

    Running a Basic Nessus Scan

    A basic Nessus scan can be launched initially to look for specific vulnerabilities and security holes within the devices you use for your business.

    You will need to know the address of the devices that you are targeting to begin your first scan and allow Nessus to find vulnerabilities. This may be an IP Address, IP Address range, or web domain. A detailed guide on setting up your first Nessus scan is provided here.

    With the required address information added, you can save your scan settings and launch your scan.

    This will then begin a discovery process, where Nessus conducts a network scan and attempts to connect to your devices.

    Once connected, Nessus will run through a series of plug-ins looking for vulnerabilities, misconfiguration errors, and issues that could be exploited by malicious hackers.


    The Nessus Scan Results

    Nessus Scan Report

    Nessus detects vulnerabilities within your devices and will provide a set of scan results that you can view while the scan is running or wait until the scan has finished to review them.

    After selecting your scan from the main dashboard you will see a list of hosts with a reported number of vulnerabilities for each device.

    Vulnerabilities are categorised into Critical issues, High Impact, Medium Impact, Low Impact, and Informational.

    After selecting an individual host, or the Vulnerabilities tab, you will have visibility of the individual issues that have been reported for your device.

    You can then select the individual vulnerabilities, which will provide you with a description and recommended solution for the issue.

    As part of your business security strategy, it is recommended to work through each identified vulnerability for your devices and implement a solution.

    Configuring An Authenticated Vulnerability Scan

    Credentialed Nessus Scan

    Nessus provides the option to run a credentialed scan. This is where you can enter valid credentials for your devices, and when Nessus connects to the device, it will log in and conduct a series of authenticated checks.

    This process can be useful as it allows Nessus to report additional issues that an unauthenticated scan would not be able to identify.

    These authenticated issues may include outdated software and configuration issues, which may be exploited through several vectors such as a phishing attack delivering a malicious file to a user.

    There can be several common issues that cause your authenticated scan to not run correctly. Where this happens your results will be incomplete and you will not have full visibility of the vulnerabilities which impact your device.


    Confirming Successful Authentication

    Authenticated Nessus Scan

    Confirming your Authenticated Nessus scan has run successfully and has been able to establish authenticated access to your device requires a review of the Informational items that are listed within your scan results.

    Although the specific names of informational items can slightly change over time, the following guide should help to identify where potential issues arise with your Nessus scan.

    It should be noted that where you log in to Windows devices using a Microsoft Azure Active Directory account these solutions may not work.

    As Azure accounts typically do not store a traditional user account on the Windows device, Nessus will not be able to authenticate when it attempts to log in over SMB.

    For these scenarios, you can look into configuring local accounts specifically for the use of Nessus scans, or you can utilize Nessus Agents on your devices, which will not need to authenticate in the same manner.

    Mac and Linux Authenticated Vulnerability Scanner

    SSH Authenticated Nessus Scan

    For Mac and a variety of Linux operating systems, there are typically only a couple of relatively straightforward issues to address.

    To log in to these operating systems, Nessus will attempt to authenticate over the Secure Shell (SSH) service, which is typically set up on port 22.

    Once connected to SSH, Nessus will then attempt to authenticate with the credentials provided within the Nessus credentials tab.

    • Problem: Ensure the SSH service is running
    • Nessus Output: Nessus SYN scanner
    • Solution: Nessus SYN scanner shows port 22 running
      • Where the SSH service is not found, it will not appear in the Nessus SYN scanner output.
      • Typically SSH runs over port 22, and so the output for the Nessus SYN scanner should include “Port 22/tcp was found to be open”.
      • Editing the settings for your target device to enable the SSH service will resolve this issue.
      • For a Mac,
        • Access System Settings,
        • Search for ‘Sharing’,
        • Select the ‘Remote Login’ option.
      • For Linux operating systems the specific command or process can vary, and it is recommended to refer to the vendor documentation for the specific OS version in use.
    • Problem: Ensure you have entered the correct credentials
    • Nessus Output: Target Credential Status by Authentication Protocol – Failure for Provided Credentials
    • Solution: Where the credentials were incorrectly entered into the Nessus scan configuration, you can reenter the credentials to account for this issue.
    • Problem: Ensure your credentials have the correct permissions
    • Nessus Output: Target Credential Issues by Authentication Protocol – Insufficient Privilege
    • Solution: Where the user account does not have the necessary permissions for the scan to run, the user permissions can be updated on your target device or a different user account can be entered into your scan configurations.

    Windows Authenticated Vulnerability Scanner

    Windows Authenticated Nessus Scan

    When running a credentialed scan against Windows devices there can be a series of issues that can occur with your scan which result in Nessus running with limited access to your target devices.

    Other than entering the wrong credentials, the following common problems can also interfere with your Nessus vulnerability assessment.

    • Problem: SMB Service Not Accessible
    • Nessus Output: Nessus SYN scanner
    • Solution: To identify this issue:
      • Select the Nessus SYN scanner informational item.
      • Review the Output for the item.
      • Where this issue is present, port 445 will not be listed within the ports that were found to be open.
    • Nessus works using the SMB service running on port 445 to authenticate to your target Windows device.
    • Where this service is not accessible, Nessus will not be able to authenticate and will only perform unauthenticated scans.
    • The firewall settings on your target Windows device can be updated to allow access to this service. For security concerns, you may want to reset your firewall settings to restrict access once the scan has been completed.
      • From the Windows Search bar open “Windows Defender Firewall”
      • Take note of which firewall is active for your device, Domain, Private, or Public.
      • Select “Allow an app or feature through Windows Defender Firewall”
      • Select the option to ‘Change Settings’
      • Scroll to “File and Printer Sharing”
      • Select the check box on the left to enable this service to be accessible
      • Select the check box on the right that applies to your connected firewall, Domain, Private, or Public.
    • Solved Nessus Output: Nessus SYN scanner
      • Your output should now contain “Port 445/tcp was found to be open”
    • Problem: Windows Management Instrumentation (WMI) Not Accessible
    • Nessus Output: WMI Not Available
    • Solution: Where Nessus conducts an authenticated scan, it will attempt to run several commands using WMI. Where this is inaccessible, it can limit the information-gathering activities of Nessus.
    • This issue is often caused by the service not being accessible through the built-in Windows Firewall. The firewall settings can therefore be updated to allow this, although you may also want to remove this option after your scans have been completed.
      • From the Windows Search bar open “Windows Defender Firewall”
      • Take note of which firewall is active for your device, Domain, Private, or Public.
      • Select “Allow an app or feature through Windows Defender Firewall”
      • Select the option to ‘Change Settings’
      • Scroll to “Windows Management Instrumentation (WMI)”
      • Select the check box on the left to enable this service to be accessible
      • Select the check box on the right that applies to your connected firewall, Domain, Private, or Public.
    • Solved Nessus Output: WMI Available
    • Problem: No Password Entered Into Nessus Configuration
    • Nessus Output: Target Credential Status by Authentication Protocol – No Credentials Provided
    • Solution: Select the Configure option within your scan, select the Credentials tab, and enter your Windows Credentials.
    • Solved Nessus Output: Target Credential Status by Authentication Protocol – Valid Credentials Provided
    • Problem: Wrong Password Entered Into Nessus Configuration
    • Nessus Output: Target Credential Status by Authentication Protocol – Failure for Provided Credentials
    • Solution:
      • Select the Configure option within your scan,
      • Select the Credentials tab,
      • Reenter your valid Windows Credentials.
      • It should also be noted that where your password contains a UK pound symbol (£), this issue will always occur, and the only solution is to change your user password to not contain the pound symbol.
    • Solved Nessus Output: Target Credential Status by Authentication Protocol – Valid Credentials Provided
    • Problem: Insufficient Permissions for the Provided Account
    • Nessus Output: Microsoft Windows SMB Registry Not Fully Accessible Detection
    • Nessus Output: Nessus Windows Scan Not Performed with Admin Privileges
    • Solution: This issue will occur where the account you have entered is not in the Administrators group for your target device.
      You can add the user to the Administrators group on the Windows device or enter alternative credentials for a user in the Admins group.
    • Solved Nessus Output: Microsoft Windows ‘Administrators’ Group User List
      This output item will show the names of each administrator for the target Windows device.
      The username entered into the Nessus scanner configurations should appear here if running the scan with the necessary admin permissions.
    • Problem: Windows Registry LocalAccountTokenFilterPolicy
    • Nessus Output: Microsoft Windows SMB Registry Not Fully Accessible Detection
    • Nessus Output: Nessus Windows Scan Not Performed with Admin Privileges
    • Solution: Even when providing an administrator account, this issue will present itself with the same output as an account that isn’t in the administrator group.
    • The issue is caused by a security measure in Windows devices, where local administrator accounts are not permitted, by default, to remotely log in to the Windows device.
    • You can edit the Windows registry for the target Windows device to allow this remote login, but you should consider the security impacts of this and whether you want to maintain this setting after the scanner has finished.
      • Access “Registry Editor” from the Windows search bar, and open with the “Run as Administrator” option.
      • Navigate the different registry keys to the following location:
      • “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System”
      • Within the ‘System’ subkey add a new DWORD (32-bit) Value.
      • Change the name of this value to ‘LocalAccountTokenFilterPolicy’
      • Right-click this value and modify its data to ‘1’
      • Restart your device and the registry edits will be applied to the device for your next scan.
    • Solved Nessus Output: Microsoft Windows SMB Registry Remotely Accessible
      This output item will be listed before and after this issue is resolved, however, the two items stating that the registry wasn’t fully accessible, and not performed with admin permissions will disappear.
    • Problem: Windows Registry Not Accessible
    • Nessus Output: Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
    • Solution: To carry out an authenticated scan, Nessus will attempt to access the Remote Registry service. Where this is not possible, you can edit the running services on your target Windows device.
      • Access ‘Services’ from the Windows search bar.
      • Scroll through the different services, until you find ‘Remote Registry’
      • Right-click and access the properties for this service.
      • Change the Startup type to manual or automatic and click Apply.
      • Click the Start option for the service, and you should see ‘Service Status’ change to ‘Running’
    • Solved Nessus Output: Microsoft Windows SMB Registry Remotely Accessible
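
    The informational items listed in the SSH and Windows sections above can be checked per host from a scan's XML export rather than by opening each result in the interface. The following is an added example, not part of the original article or Tenable's tooling: it assumes the export uses ReportHost and ReportItem elements with pluginName attributes and plugin_output text, and the sample data is constructed.

```python
import re
import xml.etree.ElementTree as ET

ADMIN = "check Administrators group membership and LocalAccountTokenFilterPolicy"
# Substrings of the informational item names listed in this article, mapped to
# its fix. Matched case-insensitively because names can change slightly.
ISSUES = {
    "no credentials provided": "enter credentials in the scan's Credentials tab",
    "failure for provided credentials": "re-enter valid credentials",
    "insufficient privilege": "update permissions or use a different account",
    "wmi not available": "allow WMI through the target's firewall",
    "registry not fully accessible": ADMIN,
    "not performed with admin privileges": ADMIN,
    "cannot access the windows registry": "start the Remote Registry service",
}
OPEN_PORT = re.compile(r"Port (\d+)/tcp was found to be open")

def triage(nessus_xml):
    """Return {host: {"authenticated": bool, "problems": [str, ...]}}."""
    report = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        ports, problems, valid = set(), set(), False
        for item in host.iter("ReportItem"):
            name = item.get("pluginName", "")
            output = item.findtext("plugin_output", default="")
            if "syn scanner" in name.lower():
                ports.update(int(p) for p in OPEN_PORT.findall(output))
            valid = valid or "valid credentials provided" in name.lower()
            problems.update(f"{name}: {fix}" for needle, fix in ISSUES.items()
                            if needle in name.lower())
        if not ports & {22, 445}:
            problems.add("Neither 22/tcp (SSH) nor 445/tcp (SMB) found open")
        report[host.get("name")] = {"authenticated": valid and not problems,
                                    "problems": sorted(problems)}
    return report

# Constructed sample in the .nessus XML layout (host names and output made up).
SAMPLE = """<NessusClientData_v2><Report name="constructed">
<ReportHost name="win-01.example">
 <ReportItem pluginName="Nessus SYN scanner"><plugin_output>Port 135/tcp was found to be open</plugin_output></ReportItem>
</ReportHost>
<ReportHost name="win-02.example">
 <ReportItem pluginName="Nessus SYN scanner"><plugin_output>Port 445/tcp was found to be open</plugin_output></ReportItem>
 <ReportItem pluginName="Target Credential Status by Authentication Protocol - Valid Credentials Provided"/>
 <ReportItem pluginName="Nessus Windows Scan Not Performed with Admin Privileges"/>
 <ReportItem pluginName="Microsoft Windows SMB Registry Not Fully Accessible Detection"/>
</ReportHost>
<ReportHost name="linux-01.example">
 <ReportItem pluginName="Nessus SYN scanner"><plugin_output>Port 22/tcp was found to be open</plugin_output></ReportItem>
 <ReportItem pluginName="Target Credential Status by Authentication Protocol - Valid Credentials Provided"/>
</ReportHost>
</Report></NessusClientData_v2>"""

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, "OK" if result["authenticated"] else result["problems"])
```

    A host is reported as authenticated only when a “Valid Credentials Provided” item is present and none of the problem items appear. If your scan uses a port scanner other than the SYN scanner, the port check will need adjusting.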

    Generating Vulnerability Scan Reports

    Generate Nessus Scan Output

    Nessus provides some useful options to download your scanning results as an HTML report, CSV list, or XML formatted data.

    This provides you with the flexibility to incorporate your results into other solutions you may make use of.

    A central, documented list of issues that you or your team can work with allows a vulnerability management system to be implemented and reported security issues to be resolved.

    Running Scans for Compliance Requirements

    Nessus provides options within the Professional and Expert versions to run vulnerability scans that work towards your compliance requirements.

    In addition to the vulnerability scanner, Nessus can conduct a series of audit checks to review how your systems are configured in line with multiple best practice standards.

    These compliance checks are then marked as a pass or fail based on the configured compliance audit, allowing you to manage the configuration of your devices on a much more granular level, and to prepare in advance for any compliance-based security audits such as ISO 27001 or Cyber Essentials Plus preparation.

    Configure Custom Audit Checks

    Where you may also have a specific check that you want to conduct against your devices, Nessus provides a scripting language that allows you to customize the compliance checks that are carried out.

    After adding these custom files to your Nessus configuration, these additional checks are then carried out during your next scan and will appear as new vulnerabilities within your list of findings.

    Developing A Vulnerability Management Strategy

    While vulnerability scanning provides some much-needed and critical information to your business related to its current state of security, scanning alone is not a complete security solution.

    Regular scanning needs to be combined with multiple approaches, and incorporated into an overall security strategy.


    Conclusion

    Nessus for Vulnerability Management

    While Nessus isn’t the only security tool available, it is a commonly used scanning tool that can produce vulnerability information for a range of solutions such as your infrastructure, web applications, and cloud environments.

    Vulnerability scanning can be a cost-effective solution to provide you with up-to-date security information throughout the year and can be managed through automation to provide a continuous stream of vulnerability data, alerting you of critical issues that may arise within your business.

    While a vulnerability scan is a critical part of managing your business’s security solution, it is not a complete security solution on its own and should be incorporated into a larger vulnerability management system and defense-in-depth approach to ensure your continued security.

    Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.

    Vulnerability scanning forms a critical part of a vulnerability management program, but cannot act as a direct replacement for manual Penetration Testing.

    Penetration Testing will typically find more vulnerabilities than a scanning product alone, and can also minimize the reporting of false positives, and provide context around the vulnerabilities that are reported.

    Directly buying annual licenses through Tenable has a starting price of around $5,000 USD or £4,000 GBP depending on the license, however, it can be worth contacting companies involved in the Tenable Partner Program as there can often be more affordable prices available.

    There are many vulnerability scanners available, some of which are specific to a certain device type or service, rather than have broad coverage.

    Other scanners can require a more manual setup and configuration process but cost less, and others can be managed for you but cost more.

    The following post can be reviewed for further information on vulnerability scans, “A Vulnerability Scan Guide”
