# Vulnerability Scanning

Vulnerability scanning identifies potential vulnerabilities in network devices (routers, firewalls, switches), servers, workstations, and applications. Scanners **do not exploit** vulnerabilities (with minor exceptions) — a human must validate findings to confirm real issues vs. false positives.

Scans run a combination of **static tests** (version-based CVE lookup — can miss backported patches) and **dynamic tests** (sends benign payloads like weak creds, SQLi, command injection — a hit means likely vulnerable).

Run both **unauthenticated and authenticated scans** on a continuous schedule. Authenticated scans with a high-privilege account (`root`/`Administrator`) return the maximum vulnerability coverage since the scanner has full access to the host.

***

## Nessus

[Nessus Essentials](https://community.tenable.com/s/article/Nessus-Essentials) — free version, limited to 16 hosts.

### Setup

```bash
# Download the .deb from https://www.tenable.com/downloads/nessus?loginAttempted=true
sudo dpkg -i Nessus-<version>-ubuntu910_amd64.deb
sudo systemctl start nessusd.service
# Browse to https://localhost:8834 and complete the setup wizard
# Get an activation code: https://www.tenable.com/products/nessus/activation-code
```

### Scan Types

Templates fall into three categories: **Discovery**, **Vulnerabilities**, **Compliance**.

| Template                 | Use                                                        |
| ------------------------ | ---------------------------------------------------------- |
| Host Discovery           | Identify live hosts and open ports                         |
| Basic Network Scan       | General-purpose vuln scan                                  |
| Advanced Scan            | Fully customized, no pre-configured recommendations        |
| Credentialed Patch Audit | Authenticated patch-level check                            |
| Web Application Tests    | Web app scanning (can set custom user-agent, RFI test URL) |
| Malware Scan             | Detect malware on hosts                                    |

Full template descriptions: [Tenable Docs](https://docs.tenable.com/nessus/Content/ScanAndPolicyTemplates.htm)

### Scan Configuration

**Discovery tab:**

* Host Discovery: optionally skip fragile devices (printers, Novell Netware, OT devices).
* Port Scanning: common ports, all ports, or custom range.
* Service Discovery: "Probe all ports to find services" is on by default. Can also detect expiring/revoked SSL/TLS certs.

**Assessment tab:**

* Web app scanning toggle (custom user-agent, crawl start path, exclusions).
* Brute-force authentication with provided username/password lists or credential-based auth via Hydra.
* User enumeration: SAM Registry, ADSI, WMI queries, RID brute-forcing (set start/end UIDs).

**Advanced tab:**

* **Safe checks** enabled by default — prevents checks that could crash targets.
* Throttle scan if network congestion detected.
* Stop scanning unresponsive hosts.
* Scan IPs in random order.
* Performance: network timeout (default 5s), max checks per host (default 4), max hosts per scan (default 30).

### Scan Policies

Custom scan configurations saved as reusable templates. Create via **Policies → New Policy → Advanced Scan**, customize settings/credentials/plugins, then save. Available under **Scan Templates → User Defined** when creating new scans. Policies can be imported/exported between Nessus instances.

### Plugins

Written in [NASL](https://en.wikipedia.org/wiki/Nessus_Attack_Scripting_Language). Rated: Critical, High, Medium, Low, Info. Searchable database: [tenable.com/plugins](https://www.tenable.com/plugins).

**Plugin Rules** — exclude false positives from results while keeping the detection active for other hosts:

* **Resources → Plugin Rules → New Rule**: specify host, plugin ID, and action (`Hide this result`).
* Useful for known-safe configurations (e.g., DirectAccess intentionally using null cipher suites, self-signed certs on internal services).

### Credentialed Scanning

| Protocol           | Auth Methods                                                |
| ------------------ | ----------------------------------------------------------- |
| SSH                | Password, public key, certificate, Kerberos                 |
| Windows            | Password, Kerberos, LM hash, NTLM hash                      |
| Databases          | Oracle, PostgreSQL, DB2, MySQL, SQL Server, MongoDB, Sybase |
| Plaintext services | FTP, HTTP (form-based), IMAP, IPMI, Telnet                  |

For Windows: options to never send creds in the clear, disable NTLMv1.

Confirm successful auth by checking Nessus output for messages like "Credentialed checks enabled for MSSQL on port 1433".

### Reports & Export

| Format     | Notes                                                                     |
| ---------- | ------------------------------------------------------------------------- |
| PDF / HTML | Executive Summary or custom report with severity, CVSS, plugin details    |
| CSV        | Selectable columns — useful for Splunk import or stakeholder distribution |
| `.nessus`  | XML with scan settings + plugin outputs                                   |
| `.db`      | `.nessus` + KB + Audit Trail + attachments                                |

Reports are supplementary data, not a final client deliverable.
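Added example (not Nessus or Tenable code): a small parser for the `.nessus` XML export that turns `ReportItem` elements into findings, summarises them by severity, confirms per host that credentialed checks ran (using the plugin-output message quoted above), and produces rows for a CSV/Splunk hand-off. The sample export is constructed; its plugin IDs and the CVE string are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample .nessus (v2) export: plugin IDs and CVE are placeholders.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="Constructed sample">
  <ReportHost name="10.0.0.5">
   <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
   <ReportItem port="1433" svc_name="mssql" protocol="tcp" severity="0"
               pluginID="100001" pluginName="Example: MSSQL credentialed check">
    <plugin_output>Credentialed checks enabled for MSSQL on port 1433</plugin_output>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="100002" pluginName="Example: missing SMB patch">
    <cve>CVE-0000-0001</cve><cvss_base_score>10.0</cvss_base_score>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <HostProperties><tag name="host-ip">10.0.0.6</tag></HostProperties>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
               pluginID="100003" pluginName="Example: self-signed certificate"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem, highest severity first."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],
                "cvss": float(item.findtext("cvss_base_score", default="0")),
                "output": item.findtext("plugin_output", default=""),
            })
    return sorted(findings, key=lambda f: f["severity"], reverse=True)


def severity_summary(findings):
    """Count findings per severity label, e.g. {'Critical': 1, 'Medium': 1}."""
    return dict(Counter(SEVERITY[f["severity"]] for f in findings))


def credentialed_hosts(findings):
    """Hosts whose plugin output confirms that credentialed checks ran."""
    return sorted({f["host"] for f in findings
                   if "Credentialed checks enabled" in f["output"]})


def to_csv_rows(findings, min_severity=2):
    """Rows for CSV/Splunk import; Info and Low are dropped by default."""
    return [(f["host"], f["port"], SEVERITY[f["severity"]],
             f["plugin_name"], ",".join(f["cves"]))
            for f in findings if f["severity"] >= min_severity]
```

Feed a real export with `parse_nessus(open("scan.nessus").read())`; a host missing from `credentialed_hosts()` was scanned unauthenticated and its results are incomplete.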

**CLI export** via the Nessus REST API:

```bash
# Fetch the downloader script (Ruby) and make it executable
wget https://raw.githubusercontent.com/eelsivart/nessus-report-downloader/master/nessus6-report-downloader.rb -O nessus_downloader.rb
chmod +x nessus_downloader.rb
./nessus_downloader.rb
# Interactive: enter server IP, port (8834), creds, then select scan IDs and format (Nessus/HTML/PDF/CSV/DB)
```

***

## OpenVAS

[OpenVAS](https://www.openvas.org/) by Greenbone Networks — open-source vulnerability scanner with the Greenbone Security Assistant (GSA) web UI.

### Setup

```bash
sudo apt-get update && sudo apt-get -y full-upgrade
sudo apt-get install -y gvm openvas
sudo gvm-setup        # Takes ~30 minutes; prints the generated admin password at the end
sudo gvm-start        # Web UI at https://localhost:9392
```

### Scan Configurations

| Config               | Purpose                                                                                                     |
| -------------------- | ----------------------------------------------------------------------------------------------------------- |
| **Base**             | Enumerate host status and OS info. No vuln checks.                                                          |
| **Discovery**        | Identify services, hardware, ports, software. No vuln checks.                                               |
| **Host Discovery**   | Only tests if host is alive (ping-based). No vuln checks.                                                   |
| **System Discovery** | Deeper than Discovery — identifies OS and hardware.                                                         |
| **Full and fast**    | **Recommended** — uses NVT intelligence to select the best checks based on accessible ports. Safest option. |

OpenVAS uses **NVT (Network Vulnerability Test) Families** — categories for Windows, Linux, Web Apps, etc.

### Configuration Workflow

1. **Configurations → Targets**: add individual hosts or host lists. Set ports, auth creds, and alive test method (default uses NVT `Ping Host`).
2. **Scans → New Task**: select scan config, target, schedule. Run the task.
3. **Scans → Reports**: view results with severity, OS info, ports, services.

### Reports & Export

Export formats: XML, CSV, PDF, ITG, TXT.

**Convert XML to Excel** with [openvasreporting](https://github.com/TheGroundZero/openvasreporting):

```bash
python3 -m openvasreporting -i report-<uuid>.xml -f xlsx
```

Generates an Excel doc with severity summary, pie charts, and a table of contents listing each vulnerability with CVSS and affected hosts.

***

## Scanning Best Practices

**Before scanning:**

* Communicate with client/stakeholders about sensitive or legacy hosts that should be excluded or scanned separately (off-hours, different config).
* Get written approval and define scope.

**Mitigating common issues:**

* Firewall shows all ports open or none → create an Advanced Scan and **disable "Ping the remote host"** (skips ICMP liveness check).
* Some firewalls return ICMP Unreachable → Nessus interprets as live host, creating informational false positives.
* Target under heavy load → reduce **Max Concurrent Checks Per Host** in Performance Options.
* Legacy/fragile systems → exclude from scan or use `nessusd.rules` ([docs](https://community.tenable.com/s/article/What-is-the-Nessus-rules-file?language=en_US)).
* **Never** run [Denial of Service checks](https://www.tenable.com/plugins/nessus/families/Denial%20of%20Service) unless explicitly requested. Always enable **safe checks**.

**Monitor network impact** with `vnstat`:

```bash
sudo apt install vnstat
sudo vnstat -l -i eth0
# Compare rx/tx before and during a scan — a single-host scan can generate ~300 kbit/s and 800+ packets/sec
```

Keep detailed scan logs in case an incident must be investigated.
