Vulnerability Scanning
Vulnerability scanning identifies potential vulnerabilities in network devices (routers, firewalls, switches), servers, workstations, and applications. Scanners do not exploit vulnerabilities (with minor exceptions) — a human must validate findings to confirm real issues vs. false positives.
Scans run a combination of static tests (version-based CVE lookup, which can miss backported patches) and dynamic tests (sending benign payloads such as weak credentials, SQLi, or command injection probes; a hit means the target is likely vulnerable).
Run both unauthenticated and authenticated scans on a continuous schedule. Authenticated scans with a high-privilege account (root/Administrator) return the maximum vulnerability coverage since the scanner has full access to the host.
Nessus
Nessus Essentials — free version, limited to 16 hosts.
Setup
# Download from https://www.tenable.com/downloads/nessus?loginAttempted=true
sudo dpkg -i Nessus-<version>-ubuntu910_amd64.deb
sudo systemctl start nessusd.service
# Browse to https://localhost:8834
# Get activation code: https://www.tenable.com/products/nessus/activation-code
Scan Types
Templates fall into three categories: Discovery, Vulnerabilities, Compliance.
Host Discovery: identify live hosts and open ports.
Basic Network Scan: general-purpose vulnerability scan.
Advanced Scan: fully customized, no pre-configured recommendations.
Credentialed Patch Audit: authenticated patch-level check.
Web Application Tests: web app scanning (can set custom user-agent, RFI test URL).
Malware Scan: detect malware on hosts.
Full template descriptions: Tenable Docs
Scan Configuration
Discovery tab:
Host Discovery: optionally skip fragile devices (printers, Novell Netware, OT devices).
Port Scanning: common ports, all ports, or custom range.
Service Discovery: "Probe all ports to find services" is on by default. Can also detect expiring/revoked SSL/TLS certs.
Assessment tab:
Web app scanning toggle (custom user-agent, crawl start path, exclusions).
Brute-force authentication with provided username/password lists or credential-based auth via Hydra.
User enumeration: SAM Registry, ADSI, WMI queries, RID brute-forcing (set start/end UIDs).
Advanced tab:
Safe checks enabled by default — prevents checks that could crash targets.
Throttle scan if network congestion detected.
Stop scanning unresponsive hosts.
Scan IPs in random order.
Performance: network timeout (default 5s), max checks per host (default 4), max hosts per scan (default 30).
Scan Policies
Custom scan configurations saved as reusable templates. Create via Policies → New Policy → Advanced Scan, customize settings/credentials/plugins, then save. Available under Scan Templates → User Defined when creating new scans. Policies can be imported/exported between Nessus instances.
Plugins
Written in NASL. Rated: Critical, High, Medium, Low, Info. Searchable database: tenable.com/plugins.
Plugin Rules: exclude false positives from results while keeping the detection active for other hosts.
Resources → Plugin Rules → New Rule: specify host, plugin ID, and action (Hide this result). Useful for known-safe configurations (e.g., DirectAccess intentionally using null cipher suites, self-signed certs on internal services).
Credentialed Scanning
SSH: password, public key, certificate, Kerberos.
Windows: password, Kerberos, LM hash, NTLM hash.
Databases: Oracle, PostgreSQL, DB2, MySQL, SQL Server, MongoDB, Sybase.
Plaintext services: FTP, HTTP (form-based), IMAP, IPMI, Telnet.
For Windows: options to never send creds in the clear, disable NTLMv1.
Confirm successful auth by checking Nessus output for messages like "Credentialed checks enabled for MSSQL on port 1433".
Reports & Export
PDF / HTML: Executive Summary or custom report with severity, CVSS, plugin details.
CSV: selectable columns, useful for Splunk import or stakeholder distribution.
.nessus: XML with scan settings + plugin outputs.
.db: .nessus + KB + Audit Trail + attachments.
Reports are supplementary data, not a final client deliverable.
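The .nessus export, the "Credentialed checks enabled" confirmation and the plugin-rule exclusions described above can all be handled offline from one file. The following is an added example (not Tenable's code and not part of the original notes): it parses a constructed NessusClientData_v2 document, confirms which hosts ran credentialed checks, applies plugin-rule-style (host, plugin ID) exclusions, and summarises what remains by severity. The hosts, plugin IDs and outputs in the sample XML are made up.

```python
"""Parse a .nessus (NessusClientData_v2) export: confirm credentialed checks,
apply plugin-rule-style exclusions, and summarise findings by severity.
Added example; the XML below is constructed, not a real scan."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute values 0-4 and their display names.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: hosts, plugin IDs and outputs are made up.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="internal-weekly">
    <ReportHost name="10.0.0.5">
      <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
      <ReportItem port="1433" svc_name="mssql" protocol="tcp" severity="0"
                  pluginID="900001" pluginName="Credentialed Scan Status" pluginFamily="Settings">
        <plugin_output>Credentialed checks enabled for MSSQL on port 1433</plugin_output>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Self-signed TLS certificate" pluginFamily="General">
        <plugin_output>The certificate chain ends in an unrecognised self-signed certificate.</plugin_output>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
                  pluginID="900003" pluginName="Outdated SSH daemon" pluginFamily="Misc.">
        <plugin_output>Installed version is older than the patched release.</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Self-signed TLS certificate" pluginFamily="General">
        <plugin_output>The certificate chain ends in an unrecognised self-signed certificate.</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Plugin rules in the spirit of Resources -> Plugin Rules: (host, pluginID)
# pairs whose results are hidden; host "*" hides the plugin on every host.
# Here the self-signed cert on 10.0.0.5 is an accepted internal service.
PLUGIN_RULES = [("10.0.0.5", "900002")]


def parse_findings(xml_text):
    """Return one dict per ReportItem with the fields we report on."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "output": item.findtext("plugin_output", default="").strip(),
            })
    return findings


def apply_plugin_rules(findings, rules):
    """Drop findings matched by a (host, plugin_id) rule; "*" matches any host."""
    hidden = set(rules)
    return [f for f in findings
            if (f["host"], f["plugin_id"]) not in hidden
            and ("*", f["plugin_id"]) not in hidden]


def credentialed_hosts(findings):
    """Hosts where Nessus reported that credentialed checks were enabled."""
    return sorted({f["host"] for f in findings
                   if f["output"].startswith("Credentialed checks enabled")})


def severity_summary(findings, min_severity=1):
    """Count findings at or above min_severity, keyed by severity name."""
    counts = Counter(SEVERITY_NAMES[f["severity"]]
                     for f in findings if f["severity"] >= min_severity)
    return dict(counts)


if __name__ == "__main__":
    all_findings = parse_findings(SAMPLE_NESSUS)
    with_creds = credentialed_hosts(all_findings)
    print("credentialed hosts:", with_creds)
    print("hosts scanned without credentials:",
          sorted({f["host"] for f in all_findings} - set(with_creds)))
    kept = apply_plugin_rules(all_findings, PLUGIN_RULES)
    print("summary after plugin rules:", severity_summary(kept))
    for f in sorted(kept, key=lambda f: -f["severity"]):
        print(f"{SEVERITY_NAMES[f['severity']]:8} {f['host']}:{f['port']}  {f['name']}")
```

Hosts that appear in the export without a "Credentialed checks enabled" line were effectively scanned unauthenticated, which is the first thing to check before trusting a low finding count.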
Exports can also be scripted through the Nessus REST API.
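The scripted export mentioned above, as an added example that is not Tenable's code: it requests an export of a finished scan, polls until the file is ready, then downloads it. The base URL, API keys and scan ID are placeholders you supply; the transport is injectable so the same logic can be exercised without a live scanner.

```python
"""Export a finished Nessus scan via the REST API: request the export, poll
until ready, download. Added example; NESSUS_URL, the API keys and the scan
id are placeholders. The endpoint sequence used is the Nessus scan-export
flow (POST /scans/{id}/export, GET .../export/{file}/status,
GET .../export/{file}/download)."""
import json
import ssl
import time
import urllib.request

NESSUS_URL = "https://localhost:8834"   # placeholder
ACCESS_KEY = "<access-key>"             # placeholder: Settings -> My Account -> API Keys
SECRET_KEY = "<secret-key>"             # placeholder


def _headers():
    """API-key authentication header used by every request."""
    return {"X-ApiKeys": f"accessKey={ACCESS_KEY}; secretKey={SECRET_KEY}",
            "Content-Type": "application/json"}


def urllib_transport(method, url, body=None, verify=True):
    """Default HTTP transport: returns (status, raw_bytes). Nessus ships a
    self-signed certificate, so verify=False may be needed against a local
    instance; trusting the scanner's certificate explicitly is preferable."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, method=method, headers=_headers(), data=data)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read()


def export_scan(scan_id, fmt="nessus", transport=urllib_transport,
                poll_interval=2.0, max_polls=60, base_url=NESSUS_URL):
    """Return the raw bytes of the exported scan.

    `transport(method, url, body=None)` must return (status, bytes); the
    default talks to the scanner, a fake can be passed for testing."""
    status, raw = transport("POST", f"{base_url}/scans/{scan_id}/export", {"format": fmt})
    if status != 200:
        raise RuntimeError(f"export request failed: HTTP {status}")
    file_id = json.loads(raw)["file"]

    # The export is generated asynchronously; poll its status until "ready".
    for _ in range(max_polls):
        status, raw = transport("GET", f"{base_url}/scans/{scan_id}/export/{file_id}/status")
        if status == 200 and json.loads(raw).get("status") == "ready":
            break
        time.sleep(poll_interval)
    else:
        raise TimeoutError("export never became ready")

    status, raw = transport("GET", f"{base_url}/scans/{scan_id}/export/{file_id}/download")
    if status != 200:
        raise RuntimeError(f"download failed: HTTP {status}")
    return raw


if __name__ == "__main__":
    SCAN_ID = 1   # placeholder: the numeric id shown in the scan's URL
    content = export_scan(SCAN_ID, fmt="nessus",
                          transport=lambda m, u, b=None: urllib_transport(m, u, b, verify=False))
    with open(f"scan-{SCAN_ID}.nessus", "wb") as fh:
        fh.write(content)
    print(f"wrote {len(content)} bytes")
```

Keep the API keys out of the script in practice (environment variables or a secrets store), since they grant the same access as the account that created them.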
OpenVAS
OpenVAS by Greenbone Networks — open-source vulnerability scanner with the Greenbone Security Assistant (GSA) web UI.
Setup
Scan Configurations
Base: enumerate host status and OS info. No vuln checks.
Discovery: identify services, hardware, ports, software. No vuln checks.
Host Discovery: only tests whether a host is alive (ping-based). No vuln checks.
System Discovery: deeper than Discovery; identifies OS and hardware.
Full and fast: recommended. Uses NVT intelligence to select the best checks based on accessible ports. Safest option.
OpenVAS uses NVT (Network Vulnerability Test) Families — categories for Windows, Linux, Web Apps, etc.
Configuration Workflow
Configurations → Targets: add individual hosts or host lists. Set ports, auth creds, and alive test method (default uses NVT Ping Host).
Scans → New Task: select scan config, target, schedule. Run the task.
Scans → Reports: view results with severity, OS info, ports, services.
Reports & Export
Export formats: XML, CSV, PDF, ITG, TXT.
Convert XML to Excel with openvasreporting, which generates an Excel doc with a severity summary, pie charts, and a table of contents listing each vulnerability with CVSS and affected hosts.
Scanning Best Practices
Before scanning:
Communicate with client/stakeholders about sensitive or legacy hosts that should be excluded or scanned separately (off-hours, different config).
Get written approval and define scope.
Mitigating common issues:
Firewall shows all ports open or none → create an Advanced Scan and disable "Ping the remote host" (skips ICMP liveness check).
Some firewalls return ICMP Unreachable → Nessus interprets as live host, creating informational false positives.
Target under heavy load → reduce Max Concurrent Checks Per Host in Performance Options.
Legacy/fragile systems → exclude from scan or use nessusd.rules (docs).
Never run Denial of Service checks unless explicitly requested. Always enable safe checks.
Monitor network impact with vnstat while the scan runs.
Keep detailed scan logs in case an incident must be investigated.