
# Vulnerability Scanning

Vulnerability scanning identifies potential vulnerabilities in network devices (routers, firewalls, switches), servers, workstations, and applications. Scanners **do not exploit** vulnerabilities (with minor exceptions) — a human must validate findings to confirm real issues vs. false positives.

Scans run a combination of **static tests** (version-based CVE lookup — can miss backported patches) and **dynamic tests** (sends benign payloads like weak creds, SQLi, command injection — a hit means likely vulnerable).

Run both **unauthenticated and authenticated scans** on a continuous schedule. Authenticated scans with a high-privilege account (`root`/`Administrator`) return the maximum vulnerability coverage since the scanner has full access to the host.

***

## Nessus

[Nessus Essentials](https://community.tenable.com/s/article/Nessus-Essentials) — free version, limited to 16 hosts.

### Setup

```bash
# Download the .deb from https://www.tenable.com/downloads/nessus?loginAttempted=true
sudo dpkg -i Nessus-<version>-ubuntu910_amd64.deb   # package installation needs root
sudo systemctl start nessusd.service
# Browse to https://localhost:8834
# Get activation code: https://www.tenable.com/products/nessus/activation-code
```

### Scan Types

Templates fall into three categories: **Discovery**, **Vulnerabilities**, **Compliance**.

| Template                 | Use                                                        |
| ------------------------ | ---------------------------------------------------------- |
| Host Discovery           | Identify live hosts and open ports                         |
| Basic Network Scan       | General-purpose vuln scan                                  |
| Advanced Scan            | Fully customized, no pre-configured recommendations        |
| Credentialed Patch Audit | Authenticated patch-level check                            |
| Web Application Tests    | Web app scanning (can set custom user-agent, RFI test URL) |
| Malware Scan             | Detect malware on hosts                                    |

Full template descriptions: [Tenable Docs](https://docs.tenable.com/nessus/Content/ScanAndPolicyTemplates.htm)

### Scan Configuration

**Discovery tab:**

* Host Discovery: optionally skip fragile devices (printers, Novell Netware, OT devices).
* Port Scanning: common ports, all ports, or custom range.
* Service Discovery: "Probe all ports to find services" is on by default. Can also detect expiring/revoked SSL/TLS certs.

**Assessment tab:**

* Web app scanning toggle (custom user-agent, crawl start path, exclusions).
* Brute-force authentication with provided username/password lists or credential-based auth via Hydra.
* User enumeration: SAM Registry, ADSI, WMI queries, RID brute-forcing (set start/end UIDs).

**Advanced tab:**

* **Safe checks** enabled by default — prevents checks that could crash targets.
* Throttle scan if network congestion detected.
* Stop scanning unresponsive hosts.
* Scan IPs in random order.
* Performance: network timeout (default 5s), max checks per host (default 4), max hosts per scan (default 30).

### Scan Policies

Custom scan configurations saved as reusable templates. Create via **Policies → New Policy → Advanced Scan**, customize settings/credentials/plugins, then save. Available under **Scan Templates → User Defined** when creating new scans. Policies can be imported/exported between Nessus instances.

### Plugins

Written in [NASL](https://en.wikipedia.org/wiki/Nessus_Attack_Scripting_Language). Rated: Critical, High, Medium, Low, Info. Searchable database: [tenable.com/plugins](https://www.tenable.com/plugins).

**Plugin Rules** — exclude false positives from results while keeping the detection active for other hosts:

* **Resources → Plugin Rules → New Rule**: specify host, plugin ID, and action (`Hide this result`).
* Useful for known-safe configurations (e.g., DirectAccess intentionally using null cipher suites, self-signed certs on internal services).

### Credentialed Scanning

| Protocol           | Auth Methods                                                |
| ------------------ | ----------------------------------------------------------- |
| SSH                | Password, public key, certificate, Kerberos                 |
| Windows            | Password, Kerberos, LM hash, NTLM hash                      |
| Databases          | Oracle, PostgreSQL, DB2, MySQL, SQL Server, MongoDB, Sybase |
| Plaintext services | FTP, HTTP (form-based), IMAP, IPMI, Telnet                  |

For Windows credentials, enable the options to never send credentials in the clear and to disable NTLMv1.

Confirm successful auth by checking Nessus output for messages like "Credentialed checks enabled for MSSQL on port 1433".

### Reports & Export

| Format     | Notes                                                                     |
| ---------- | ------------------------------------------------------------------------- |
| PDF / HTML | Executive Summary or custom report with severity, CVSS, plugin details    |
| CSV        | Selectable columns — useful for Splunk import or stakeholder distribution |
| `.nessus`  | XML with scan settings + plugin outputs                                   |
| `.db`      | `.nessus` + KB + Audit Trail + attachments                                |

Reports are supplementary data, not a final client deliverable.

**CLI export** via the Nessus REST API:

```bash
# Script: https://raw.githubusercontent.com/eelsivart/nessus-report-downloader/master/nessus6-report-downloader.rb
wget https://raw.githubusercontent.com/eelsivart/nessus-report-downloader/master/nessus6-report-downloader.rb
ruby nessus6-report-downloader.rb
# Interactive: enter server IP, port (8834), creds, then select scan IDs and format (Nessus/HTML/PDF/CSV/DB)
```

***

## OpenVAS

[OpenVAS](https://www.openvas.org/) by Greenbone Networks — open-source vulnerability scanner with the Greenbone Security Assistant (GSA) web UI.

### Setup

```bash
sudo apt-get update && sudo apt-get -y full-upgrade
sudo apt-get install -y gvm openvas
sudo gvm-setup        # Takes ~30 minutes, prints the admin password at the end
sudo gvm-start        # Web UI at https://localhost:9392
```

### Scan Configurations

| Config               | Purpose                                                                                                     |
| -------------------- | ----------------------------------------------------------------------------------------------------------- |
| **Base**             | Enumerate host status and OS info. No vuln checks.                                                          |
| **Discovery**        | Identify services, hardware, ports, software. No vuln checks.                                               |
| **Host Discovery**   | Only tests if host is alive (ping-based). No vuln checks.                                                   |
| **System Discovery** | Deeper than Discovery — identifies OS and hardware.                                                         |
| **Full and fast**    | **Recommended** — uses NVT intelligence to select the best checks based on accessible ports. Safest option. |

OpenVAS uses **NVT (Network Vulnerability Test) Families** — categories for Windows, Linux, Web Apps, etc.

### Configuration Workflow

1. **Configurations → Targets**: add individual hosts or host lists. Set ports, auth creds, and alive test method (default uses NVT `Ping Host`).
2. **Scans → New Task**: select scan config, target, schedule. Run the task.
3. **Scans → Reports**: view results with severity, OS info, ports, services.

### Reports & Export

Export formats: XML, CSV, PDF, ITG, TXT.

**Convert XML to Excel** with [openvasreporting](https://github.com/TheGroundZero/openvasreporting):

```bash
python3 -m openvasreporting -i report-<uuid>.xml -f xlsx
```

Generates an Excel doc with severity summary, pie charts, and a table of contents listing each vulnerability with CVSS and affected hosts.

***

## Scanning Best Practices

**Before scanning:**

* Communicate with client/stakeholders about sensitive or legacy hosts that should be excluded or scanned separately (off-hours, different config).
* Get written approval and define scope.

**Mitigating common issues:**

* Firewall shows all ports open or none → create an Advanced Scan and **disable "Ping the remote host"** (skips ICMP liveness check).
* Some firewalls return ICMP Unreachable → Nessus interprets as live host, creating informational false positives.
* Target under heavy load → reduce **Max Concurrent Checks Per Host** in Performance Options.
* Legacy/fragile systems → exclude from scan or use `nessusd.rules` ([docs](https://community.tenable.com/s/article/What-is-the-Nessus-rules-file?language=en_US)).
* **Never** run [Denial of Service checks](https://www.tenable.com/plugins/nessus/families/Denial%20of%20Service) unless explicitly requested. Always enable **safe checks**.

**Monitor network impact** with `vnstat`:

```bash
sudo apt install vnstat
sudo vnstat -l -i eth0
# Compare rx/tx before and during a scan — a single-host scan can generate ~300 kbit/s and 800+ packets/sec
```
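As an added example (not from the original page), a small Python monitor that does the same rx/tx comparison from `/proc/net/dev` instead of vnstat and rates the result against the ~300 kbit/s and 800 packets/sec figures above, used here as an assumed budget; the two snapshots are constructed and `sample_live()` assumes a Linux host.

```python
import time

# Constructed /proc/net/dev snapshots taken 10 s apart; columns after "iface:" are
# rx bytes, packets, errs, drop, fifo, frame, compressed, multicast, then the same eight for tx.
SAMPLE_BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    4096      32    0    0    0     0          0         0     4096      32    0    0    0     0       0          0
  eth0: 1000000    5000    0    0    0     0          0         0  2000000    4000    0    0    0     0       0          0
"""
SAMPLE_DURING = """    lo:    4096      32    0    0    0     0          0         0     4096      32    0    0    0     0       0          0
  eth0: 1150000    9200    0    0    0     0          0         0  2225000    8100    0    0    0     0       0          0
"""

def parse_netdev(text, iface):
    """Return (rx_bytes, rx_packets, tx_bytes, tx_packets) for one interface."""
    for line in text.splitlines():
        if ":" not in line:
            continue                      # header lines carry no colon
        name, counters = line.split(":", 1)
        if name.strip() == iface:
            f = counters.split()
            return int(f[0]), int(f[1]), int(f[8]), int(f[9])
    raise ValueError(f"interface {iface} not found")

def scan_impact(before, after, seconds, max_kbit_s=300, max_pkt_s=800):
    """Combined rx+tx rates between two snapshots, flagged against an assumed budget."""
    rx_b, rx_p, tx_b, tx_p = (a - b for a, b in zip(after, before))
    kbit_s = (rx_b + tx_b) * 8 / 1000 / seconds
    pkt_s = (rx_p + tx_p) / seconds
    return {"kbit_s": kbit_s, "pkt_s": pkt_s,
            "over_budget": kbit_s > max_kbit_s or pkt_s > max_pkt_s}

def sample_live(iface="eth0", seconds=10):
    """Read /proc/net/dev twice, seconds apart (Linux only), and rate the difference."""
    with open("/proc/net/dev") as fh:
        before = parse_netdev(fh.read(), iface)
    time.sleep(seconds)
    with open("/proc/net/dev") as fh:
        after = parse_netdev(fh.read(), iface)
    return scan_impact(before, after, seconds)

if __name__ == "__main__":
    print(sample_live())   # run once idle and once with a scan in progress, then compare
```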

Keep detailed scan logs in case an incident must be investigated.
