Install and Perform Basic Network Scans with Nessus

As required by my first InfoSec assignment, I downloaded and used Nessus in order to get a very brief understanding of how to use the software. This allowed me to use it to scan my local devices for vulnerabilities, as well as to prepare for future lectures.

What is Nessus?

Nessus is a proprietary tool by Tenable for scanning remote hosts for up-to-date vulnerabilities, including 0-days. There is no “student” edition, only “essentials”, which limits scanning to a maximum of 16 IPs in 90 days. (More than enough for learning, right?) It is free of charge; anyone can download and use it.

Install Nessus

As instructed in the Install Nessus manual, run the installer downloaded from Nessus’ Download page. Make sure you download the correct version for your operating system. For example, I am on Kubuntu 21.04, so I downloaded the latest version for up to Ubuntu 20.04 on the AMD64 architecture. (They didn’t list 21.04, but it works.)

For Ubuntu the installation process is rather straightforward; there are no options to choose from. Install the .deb package and launch the nessusd service with the following command.

sudo systemctl start nessusd

If you do not include sudo you’ll be prompted for a password anyway, so include sudo.

Next we can launch our scanner through the browser. Nessus listens on port 8834 by default, so we need to connect to localhost:8834 to do the initial configuration.

Nessus requires an HTTPS connection by default. So if you did not type https:// when connecting, or your browser did not redirect to HTTPS for you, the following will happen:

You may see a warning page when you try to access the HTTPS version. It is a security precaution by the browser: the SSL certificate is self-signed, so the browser cannot verify the identity of the host. Accept the risk and continue – we have no choice anyway.

Nessus will ask which version you are deploying; we choose Nessus Essentials since we haven’t paid for anything else.

Then it will ask you to get an activation code. Skip this step instead, because somehow it doesn’t always work and you may get no e-mail from Tenable at all. The online Nessus Essentials registration page is more reliable. After you receive the activation code by e-mail, enter it on the next page.

After that Nessus will run its first-time startup process, updating and compiling new plugins as well as setting up a user account.

Perform Basic Network Scan

A startup dialogue will greet you when Nessus is done updating plugins:

This dialogue prompts us to perform host discovery, i.e. discovering devices on which to perform further scans. What I did was input my router’s default gateway 192.168.50.1; yours may vary, just put that in and hit Submit. Refrain from performing unauthorized host discovery.

Nessus immediately starts discovering available hosts for scanning. If you disabled device discovery on any of your devices, the initial scan may not return their addresses. Disable any VPN as well, as it may affect the results.

This is not the initial scan; I have to perform a new scan to avoid reusing materials for my assignment. Ports will not be shown in the result for the first Host Discovery scan.

From here you can select a host and launch a scan against it. Select the host you want to scan, and choose Create Scan from the More dropdown menu.

Here you’ll see lots of options available. Choose Basic Network Scan, as that is the objective.

Everything will be configured automatically; just give this scan a name and hit Save or Launch from the dropdown menu.

Bingo! We just launched our first Basic Network Scan against our devices – in this case my desktop computer. The scanner scans all common ports by default, so you need to give it some time. Grab a cup of chocolate and a few slices of toast, and wait for the scan to finish. Why chocolate? Because I dislike coffee.

Breaking Down the Scan Results

Once we finish our cup of chocolate, we’ll see the scan is finished! You can see the scan results on this page; it is divided into 3 parts by default. Inside the green rectangle are details for the scan, showing you the scan type, severity base used, time taken, level of vulnerabilities, etc. Inside the orange rectangle are the results, which you need to inspect for further information. Finally, the tabs in the blue rectangle allow you to navigate between different results quickly.

For Hosts there is only 1 result because we chose only 1 target to scan (192.168.50.152).

Then we can move on to the Vulnerabilities tab. Here you can see both INFO and other types of vulnerabilities discovered. INFO means the scanner discovered some non-vulnerability information when performing the scan. Click on one of them and you can see the details of the item.

For example, I want to see what hostname this address reports, so I choose the third info item, Host Fully Qualified Domain Name (FQDN) Resolution.

This allows us to see the output of the actual scan. The result is that 192.168.50.152 resolves as karsten-kbt-pc; below this output are the port and host related to said output. Nessus also includes a brief description of this information.

After we’re done, we may also want to export our report for documentation and future reference. Hit the Report button in the top right corner and choose one of the three formats. For example, the PDF and HTML options can help you generate a professional-looking executive summary.

The CSV option, on the other hand, includes more details for inspection.
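As an added example (not code from the original post or from Tenable), here is a small Python script that reads a CSV export like the one described above, separates INFO rows (Risk "None") from actual findings, and lists the remaining findings per host from most to least severe. The column names follow a typical Nessus CSV export and the sample rows and plugin IDs are constructed; check the header against your own export file.

```python
import csv
import io
from collections import Counter, defaultdict

# Severity labels as they appear in the Nessus "Risk" column, worst first.
# "None" is what the web UI displays as INFO.
RISK_ORDER = ["Critical", "High", "Medium", "Low", "None"]

# Constructed sample rows in the column layout of a Nessus CSV export
# (header names assumed from a typical export; plugin IDs are made up).
SAMPLE_CSV = (
    "Plugin ID,CVE,CVSS v2.0 Base Score,Risk,Host,Protocol,Port,Name,"
    "Synopsis,Description,Solution,See Also,Plugin Output\n"
    "10001,,,None,192.168.50.152,tcp,0,Host Fully Qualified Domain Name (FQDN) Resolution,"
    "Resolved the host name.,Desc,n/a,,192.168.50.152 resolves as karsten-kbt-pc.\n"
    "10002,,,None,192.168.50.152,tcp,22,SSH Server Type and Version Information,"
    "An SSH server is listening.,Desc,n/a,,\n"
    "10003,,5.0,Medium,192.168.50.152,tcp,443,SSL Self-Signed Certificate,"
    "Self-signed certificate in use.,Desc,Install a CA-signed certificate.,,\n"
    "10004,,7.5,High,192.168.50.152,tcp,8080,Outdated Web Server Version,"
    "Unsupported version.,Desc,Upgrade the web server.,,\n"
)


def parse_nessus_csv(text):
    """Parse export text into a list of dict rows keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows, include_info=False):
    """Count findings by risk and list findings per host, worst first."""
    by_risk = Counter()
    per_host = defaultdict(list)
    for row in rows:
        risk = row["Risk"]
        if risk == "None" and not include_info:
            continue  # INFO rows are context, not vulnerabilities
        by_risk[risk] += 1
        per_host[row["Host"]].append(
            (risk, row["Name"], row["Protocol"], row["Port"], row["Solution"]))
    for host in per_host:
        per_host[host].sort(key=lambda f: RISK_ORDER.index(f[0]))
    return {"by_risk": dict(by_risk), "per_host": dict(per_host)}


if __name__ == "__main__":
    report = summarize(parse_nessus_csv(SAMPLE_CSV))
    for host, findings in report["per_host"].items():
        print(host)
        for risk, name, proto, port, fix in findings:
            print(f"  [{risk}] {name} ({proto}/{port}) -> {fix}")
```

To use it on a real export, replace SAMPLE_CSV with the contents of the downloaded CSV file.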

Summary

This tool is relatively easy to use and did help me assess the security of my home network. I did discover a few vulnerabilities in my devices like IP cams. I will definitely play around with it more and discover what I can do with Nessus.