Nessus 5.2 HTML5 User Guide
January 6, 2014 (Revision 19)

Table of Contents

Introduction
  Standards and Conventions
  New in Nessus 5.2
Nessus UI Overview
  Description
  Supported Platforms
Installation
Operation
  Overview
  Connect to Nessus UI
  User Profile
  Settings
  Interface Shortcuts
  Policy Overview
  Creating a New Policy
    Using the Policy Wizard
    Advanced Policy Creation
      General Settings
      Credentials
      Plugins
      Preferences
    Importing, Exporting, and Copying Policies
  Creating, Launching, and Scheduling a Scan
  Browse Scan Results
    Report Filters
    Report Screenshots
    Scan Knowledge Base
    Compare (Diff Results)
    Upload and Export
    .nessus File Format
    Delete
  Mobile
  SecurityCenter
    Configuring SecurityCenter to Work with Nessus
    Host-Based Firewalls
Scanning Preferences in Detail
  ADSI Settings
  Apple Profile Manager API Settings
  Check Point GAiA Compliance Checks
  Cisco IOS Compliance Checks
  Citrix XenServer Compliance Checks
  Database Compliance Checks
  Database settings
  Do not scan fragile devices
  FireEye Compliance Checks
  Global variable settings
  Good MDM Settings
  HP ProCurve Compliance Checks
  HTTP cookies import
  HTTP login page
  IBM iSeries Compliance Checks
  IBM iSeries Credentials
  ICCP/COTP TSAP Addressing
  Juniper Junos Compliance Checks
  LDAP ‘Domain Admins’ Group Membership Enumeration
  Login configurations
  Malicious Process Detection
  Modbus/TCP Coil Access
  Nessus SYN scanner and Nessus TCP scanner
  NetApp Data ONTAP Compliance Checks
  Oracle Settings
  PCI DSS Compliance
  Patch Management
  Palo Alto Networks PAN-OS Settings
  Patch Report
  Ping the remote host
  Port scanner settings
  Remote web server screenshot
  SCAP Linux Compliance Checks
  SCAP Windows Compliance Checks
  SMB Registry: Start the Registry Service during the scan
  SMB Scope
  SMB Use Domain SID to Enumerate Users
  SMB Use Host SID to Enumerate Local Users
  SMTP settings
  SNMP settings
  Service Detection
  Unix Compliance Checks
  VMware SOAP API Settings
  VMware vCenter SOAP API Settings
  VMware vCenter/vSphere Compliance Checks
  Wake-on-LAN
  Web Application Tests Settings
  Web mirroring
  Windows Compliance Checks
  Windows File Contents Compliance Checks
For Further Information
About Tenable Network Security

Introduction

This document describes how to use Tenable Network Security’s Nessus user interface (UI). Please email any comments and suggestions to support@tenable.com.

The Nessus UI is a web-based interface to the Nessus vulnerability scanner. To use the UI, you must have an operational Nessus scanner deployed and be familiar with its use.

Standards and Conventions

Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font such as gunzip, httpd, and /etc/passwd.

Command line options and keywords are also indicated with the courier bold font. Command line examples may or may not include the command line prompt and output text from the results of the command. Command line examples will display the command being run in courier bold to indicate what the user typed, while the sample output generated by the system will be indicated in courier (not bold). Following is an example running of the Unix pwd command:

# pwd
/opt/nessus/
#

Important notes and considerations are highlighted with this symbol and grey text boxes.

Tips, examples, and best practices are highlighted with this symbol and white on blue text.

New in Nessus 5.2

As of August 22, 2013, Nessus product names have been revised as shown below:

Former Product Name        New Product Name
Nessus ProfessionalFeed    Nessus
Nessus HomeFeed            Nessus Home

The following list shows official Nessus product names:
- Nessus®
- Nessus Perimeter Service
- Nessus Auditor Bundles
- Nessus Home
Nessus UI Overview

Description

The Nessus User Interface (UI) is a web-based interface to the Nessus scanner that is comprised of a simple HTTP server and web client, and requires no software installation apart from the Nessus server. As of Nessus 4, all platforms draw from the same code base, eliminating most platform-specific bugs and allowing for faster deployment of new features. The primary features are:

- Generates .nessus files that Tenable products use as the standard for vulnerability data and scan policy.
- A policy session, list of targets and the results of several scans can all be stored in a single .nessus file that can be easily exported. Please refer to the “Nessus v2 File Format” guide for more details.
- The UI displays scan results in real-time so you do not have to wait for a scan to complete to view results.
- Provides a unified interface to the Nessus scanner regardless of base platform. The same functionalities exist on Mac OS X, Windows, and Linux.
- Scans will continue to run on the server even if you are disconnected for any reason.
- Nessus scan reports can be uploaded via the Nessus UI and compared to other reports.
- A policy wizard to help quickly create efficient scan policies for auditing your network.

Supported Platforms

Since the Nessus UI is a web-based client, it can run on any platform with a modern web browser. The Nessus web-based user interface is best experienced using Microsoft Internet Explorer 10, Mozilla Firefox 24, Google Chrome 29, Opera 16, or Apple Safari 6 on the desktop. Nessus is compatible with Chrome 29 for Android, as well as browsers on iOS 7. Oracle Java (formerly Sun Microsystems’ Java) is required for PDF report functionality.

Installation

User management of the Nessus 5 server is conducted through a web interface or SecurityCenter only. The former standalone NessusClient is no longer updated or supported. Refer to the Nessus 5.2 Installation and Configuration Guide for instructions on installing Nessus.

Operation

Overview

Nessus provides a simple, yet powerful interface for managing vulnerability-scanning activity.

Connect to Nessus UI

To launch the Nessus HTML5 UI, perform the following:

- Open a web browser of your choice.
- Enter https://[server IP]:8834/ in the navigation bar.

Be sure to connect to the user interface via HTTPS, as unencrypted HTTP connections are not supported.

The first time you attempt to connect to the Nessus user interface, most web browsers will display an error indicating the site is not trusted due to the self-signed SSL certificate. Users of Microsoft Internet Explorer can click on “Continue to this website (not recommended)” to load the Nessus user interface. Firefox users can click on “I Understand the Risks” and then “Add Exception…” to display the site exception dialog box. Verify the “Location:” bar reflects the URL to the Nessus server and click on “Confirm Security Exception”.

For information on installing a custom SSL certificate, consult the Nessus Installation and Configuration Guide.

After your browser has confirmed the exception, a splash screen will be displayed. Authenticate using the administrative account and password previously created during the installation process. When logging in, you can optionally instruct your browser to remember the username on that computer. Only use this option if the computer is always in a secured location!

After successful authentication, the UI will present menus to browse reports, conduct scans, and manage policies. Administrative users will also see options for user management, and configuration options for the Nessus scanner.

At any point during Nessus use, the top left menu options will be present. The “admin” notation seen on the upper right hand side in the screenshot above denotes the account currently logged in, a drop down menu, and a bell for quick access to important notifications related to Nessus operation. Clicking on this down arrow will offer a menu containing options to access your user profile, general Nessus settings, help & support options, as well as an option to sign out.

The “User Profile” option will bring up a menu with several pages of options related to the user account including the password change facility, folder management, and plugin rules page. More information about these options can be found below.

The “Settings” option provides access to the “About” page, mail server configuration options (if administrator), plugin feed (if administrator), and advanced scanner options (if administrator). More information about these options can be found below.

The “Help & Support” link will load the Tenable support page in a new tab or window. “Sign Out” will terminate your current session with Nessus.

The bell icon on the upper right side can be clicked on to show any messages related to Nessus operations including errors, session events, notification of new Nessus releases, and more. This will also serve as a place to provide any additional alerts or errors via popups that will fade shortly after and stay in the notification history until cleared.

User Profile

The user profile options allow you to manipulate options related to your account.

The “General Settings” field shows the current authenticated user as well as the user type, either Administrator or user.

The “Change Password” option allows you to change the password, which is recommended every 3 months.

The “Folders” option allows you to manage folders to store scan results. This provides a method of organizing and storing scan results for easier management.

The “Plugin Rules” option provides a facility to create a set of rules that dictate the behavior of certain plugins related to any scan performed. A rule can be based on the Host (or all hosts), Plugin ID, an optional Expiration Date, and manipulation of Severity. The same rules can be set from the scan results page.

Settings

The “About” section provides information regarding the Nessus installation including the Engine version, Web UI version, plugin set version, plugin update date, and feed expiration date.

The “Mail Server” setting controls settings related to the SMTP server. For more information, see the “Nessus 5.2 Installation and Configuration Guide”.

The “Plugin Feed” setting allows you to designate a custom plugin update host (e.g., for offline updates from a central internal server) and a proxy for plugin updates. For more information, see the “Nessus 5.2 Installation and Configuration Guide”.

The “Advanced” section contains a wide variety of configuration options to offer more granular control of how the scanner operates. For more information, see the “Nessus 5.2 Installation and Configuration Guide”.

Interface Shortcuts

The HTML5 interface has several hotkeys that allow quick keyboard navigation to the major sections of the interface, as well as performing common activities. These can be used at any time, from anywhere within the interface:

Main Interface
  R: Results
  S: Scans
  T: Templates
  P: Policies
  U: Users
  C: Configuration
  Shift + Left/Right Arrow: Switch Tabs Left or Right
  Shift + S: New Scan

Listing Views
  Shift + Up/Down Arrow: Move Selection Up or Down
  Shift + Enter: Open the Selected Entry

Results View
  Shift + U: Upload Report
  Esc: Return to Results Listing
  Left/Right Arrow: Previous/Next Vulnerability in Details Mode
  D: Delete Selected Result

Scan View
  N: New Scan

Policy View
  Shift + U: Upload New Policy

User View
  N: New User

Policy Overview

A Nessus policy consists of configuration options related to performing a vulnerability scan. These options include, but are not limited to:

- Parameters that control technical aspects of the scan such as timeouts, number of hosts, type of port scanner and more.
- Credentials for local scans (e.g., Windows, SSH), authenticated Oracle database scans, HTTP, FTP, POP, IMAP, or Kerberos based authentication.
- Granular family or plugin based scan specifications.
- Database compliance policy checks, report verbosity, service detection scan settings, Unix compliance checks, and more.

Creating a New Policy

Once you have connected to a Nessus server UI, you can create a custom policy by clicking on the “Policies” option on the bar at the top and then the “+ New Policy” button toward the left. The policy addition screen will be displayed as follows:

Using the Policy Wizard

The first option is to optionally use the Policy Wizard to help you form a policy with a specific purpose. The default wizard templates are:

Host Discovery: Identifies live hosts and open ports.
Basic Network Scan: For users scanning internal or external hosts.
Credentialed Patch Audit: Log in to systems and enumerate missing software updates.
Web Application Tests: For users performing generic web application scans.
Windows Malware Scan: For users searching for malware on Windows systems.
Mobile Device Scan: For users of Apple Profile Manager, ADSI, or Good MDM.
Prepare for PCI DSS Audits: For users preparing to audit against PCI DSS compliance.
Advanced Policy: For users who want total control of their policy configuration.

Over time, the policy wizard will receive additional wizards to help customers, and existing wizards may be further enhanced.

The following provides a general idea of using one of the wizards. Note that each wizard is different, so this is just one example.

The first step for each wizard asks you to set the policy name, policy visibility (private or shared), and a description. By default, wizard policies will allow you to edit the report after a scan. Click “Next” to continue to the next step:

This policy will ask you to select if it is to be used for internal or external hosts, as the options will vary based on the answer. As noted, some steps of a policy wizard may be optional. Click “Next” to go to the final step:

The final step gives you the option to add credentials to enhance scanning. Once created, the policy will be saved with recommended settings. You can edit the wizard options or any other aspect of the policy at any time.
Advanced Policy Creation

If a policy wizard is not desired, the Advanced option allows you to create a policy the traditional way, with full control over all options from the beginning. Note that there are four configuration tabs: General Settings, Credentials, Plugins, and Preferences. For most environments, the default settings do not need to be modified, but they provide more granular control over the Nessus scanner operation. These tabs are described below.

General Settings

The “General Settings” tab enables you to name the policy and configure scan related operations. There are four drop down menu items that control scanner behavior:

The “Basic” screen is used to define aspects of the policy itself:

Name: Sets the name that will be displayed in the Nessus UI to identify the policy.
Visibility: Controls if the policy is shared with other users, or kept private for your use only. Only administrative users can share policies.
Description: Used to give a brief description of the scan policy, typically good to summarize the overall purpose (e.g., “Web Server scans without local checks or non HTTP services”).
Allow Post-Scan Report Editing: This feature allows users to delete items from the report when checked. When performing a scan for regulatory compliance or other types of audits, uncheck this to show that the scan was not tampered with.

The “Port Scanning” menu controls options related to port scanning including the port ranges and methods:

Port Scan Range: Directs the scanner to target a specific range of ports. Accepts “default” (approximately 4,790 common ports found in the nessus-services file), “all” which scans 65,535 ports, or a custom list of ports specified by the user. For example, “21,23,25,80,110” or “1-1024,8080,9000-9200” are allowed. Specifying “1-65535” will scan all ports. You may also specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would specify “T:1-1024,U:300-500”. You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol (“1-1024,T:1024-65535,U:1025”). If you are scanning a single protocol, select only that port scanner and specify the ports normally.
Consider Unscanned Ports as Closed: If a port is not scanned with a selected port scanner (e.g., out of the range specified), Nessus will consider it closed.
Nessus SNMP Scanner: Direct Nessus to scan targets for a SNMP service. Nessus will guess relevant SNMP settings during a scan. If the settings are provided by the user under “Preferences”, this will allow Nessus to better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.
Netstat Portscanner (SSH): This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a SSH connection to the target. This scan is intended for Unix-based systems and requires authentication credentials.
Netstat Portscanner (WMI): This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a WMI connection to the target. This scan is intended for Windows-based systems and requires authentication credentials. A WMI based scan uses netstat to determine open ports, thus ignoring any port ranges specified. If any port enumerator (netstat or SNMP) is successful, the port range becomes “all”. However, Nessus will still honor the “Consider Unscanned Ports as Closed” option if selected.
Ping the remote host: This option enables Nessus to ping remote hosts on multiple ports to determine if they are alive.
Nessus TCP scanner: Use Nessus’ built-in TCP scanner to identify open TCP ports on the targets. This scanner is optimized and has some self-tuning features. On some platforms (e.g., Windows and Mac OS X), selecting this scanner will cause Nessus to use the SYN scanner to avoid serious performance issues native to those operating systems.
Nessus SYN scanner: Use Nessus’ built-in SYN scanner to identify open TCP ports on the targets. SYN scans are a popular method for conducting port scans and generally considered to be a bit less intrusive than TCP scans. The scanner sends a SYN packet to the port, waits for a SYN-ACK reply, and determines port state based on a reply, or lack of reply.
Nessus UDP Scanner: This option engages Nessus’ built-in UDP scanner to identify open UDP ports on the targets. UDP is a “stateless” protocol, meaning that communication is not performed with handshake dialogues. UDP based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.

The “Port Scan Range” option directs the scanner to target a specific range of ports. The following values are allowed:

“default”: Using the keyword “default”, Nessus will scan approximately 4,790 common ports. The list of ports can be found in the nessus-services file.
“all”: Using the keyword “all”, Nessus will scan all 65,535 ports.
Custom List: A custom range of ports can be selected by using a comma delimited list of ports or port ranges. For example, “21,23,25,80,110” or “1-1024,8080,9000-9200” are allowed. Specifying “1-65535” will scan all ports. The range specified for a port scan will be applied to both TCP and UDP scans. You may also specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would specify “T:1-1024,U:300-500”. You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol (“1-1024,T:1024-65535,U:1025”). If you are scanning a single protocol, select only that port scanner and specify the ports normally.

The “Performance” menu provides options that control how many scans will be launched. These options are perhaps the most important when configuring a scan as they have the biggest impact on scan times and network activity.

Max Checks Per Host: This setting limits the maximum number of checks a Nessus scanner will perform against a single host at one time.
Max Hosts Per Scan: This setting limits the maximum number of hosts that a Nessus scanner will scan at the same time.
Network Receive Timeout (seconds): This is the time that Nessus will wait for a response from a host unless otherwise specified within a plugin. Set to five seconds by default. If you are scanning over a slow connection, you may wish to set this to a higher number of seconds.
Max Simultaneous TCP Sessions Per Host: This setting limits the maximum number of established TCP sessions for a single host. This TCP throttling option also controls the number of packets per second the SYN scanner will eventually send (e.g., if this option is set to 15, the SYN scanner will send 1500 packets per second at most).
Max Simultaneous TCP Sessions Per Scan: This setting limits the maximum number of established TCP sessions for the entire scan, regardless of the number of hosts being scanned. For Nessus scanners installed on Windows XP, Vista, 7, and 8 hosts, this value must be set to 19 or less to get accurate results.
Reduce Parallel Connections on Congestion: This enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity. If detected, Nessus will throttle the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Nessus will automatically attempt to use the available space within the network pipe again.
Use Kernel Congestion Detection (Linux Only): Enables Nessus to monitor the CPU and other internal workings for congestion and scale back accordingly. Nessus will always attempt to use as much resource as is available. This feature is only available for Nessus scanners deployed on Linux.
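As an added illustration of the “Port Scan Range” syntax described above (example code written for this edit, not part of Nessus or the original guide), the following Python function expands a range value into the TCP and UDP port sets it selects, so a policy value can be checked before it is saved. The DEFAULT_PORTS set is a constructed stand-in for the nessus-services list, and treating a T: or U: prefix as staying in force for the items that follow it until another prefix appears is an assumption, not something the guide states.

```python
"""Expand a Nessus "Port Scan Range" value ("default", "all", or a custom
comma-delimited list with optional T:/U: protocol prefixes) into port sets.
Added example; not Nessus code."""
import re
from dataclasses import dataclass

MAX_PORT = 65535

# Constructed stand-in for the roughly 4,790 ports in the nessus-services
# file (assumption: the real list is not reproduced here).
DEFAULT_PORTS = frozenset({21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080, 8834})

# One list item: optional protocol prefix, a port, and an optional upper bound.
_ITEM = re.compile(r"^(?:(?P<proto>[tu]):)?(?P<lo>\d+)(?:-(?P<hi>\d+))?$", re.IGNORECASE)


@dataclass(frozen=True)
class PortScanRange:
    tcp: frozenset
    udp: frozenset


def _expand(lo: int, hi: int) -> range:
    """Return the inclusive port range lo-hi, rejecting anything outside 1-65535."""
    if not 1 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port range {lo}-{hi} is not within 1-{MAX_PORT}")
    return range(lo, hi + 1)


def parse_port_scan_range(spec: str) -> PortScanRange:
    """Expand a Port Scan Range value into the TCP and UDP port sets it selects."""
    keyword = spec.strip().lower()
    if keyword == "default":
        return PortScanRange(DEFAULT_PORTS, DEFAULT_PORTS)
    if keyword == "all":
        everything = frozenset(range(1, MAX_PORT + 1))
        return PortScanRange(everything, everything)

    tcp, udp = set(), set()
    proto = None  # None: the item applies to both protocols
    for raw in spec.split(","):
        item = raw.strip()
        match = _ITEM.match(item)
        if match is None:
            raise ValueError(f"unrecognised port list item {item!r}")
        if match.group("proto"):
            # Assumption: a T:/U: prefix stays in force for the items that
            # follow it until another prefix appears.
            proto = match.group("proto").upper()
        lo = int(match.group("lo"))
        hi = int(match.group("hi") or lo)
        ports = _expand(lo, hi)
        if proto in (None, "T"):
            tcp.update(ports)
        if proto in (None, "U"):
            udp.update(ports)
    return PortScanRange(frozenset(tcp), frozenset(udp))


def scans_every_port(r: PortScanRange) -> bool:
    """True when the range covers all 65,535 ports on both protocols."""
    return len(r.tcp) == MAX_PORT and len(r.udp) == MAX_PORT


if __name__ == "__main__":
    # The guide's own example values, plus the two keywords.
    for example in ("21,23,25,80,110", "1-1024,8080,9000-9200", "T:1-1024,U:300-500",
                    "1-1024,T:1024-65535,U:1025", "1-65535", "default", "all"):
        r = parse_port_scan_range(example)
        print(f"{example!r}: {len(r.tcp)} TCP ports, {len(r.udp)} UDP ports")
```

Running the block prints the port counts for each of the guide's example values; an out-of-range port such as 0 or 70000, or a malformed item, raises ValueError rather than being silently dropped from the scan.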
This is the time that Nessus will wait for a response from a host unless otherwise specified within a plugin.790 common ports. Nessus will scan all 65.. 19 . this value must be set to 19 or less to get accurate results. “21. Nessus will always attempt to use as much resource as is available. Save additional details of the scan to the Nessus server log (nessusd. but only use them if administrative privileges are granted when previous accounts provided user access. Server Message Block (SMB) is a file sharing protocol that allows computers to share information transparently across the network. it will check subsequent credentials supplied. a host has stopped responding after a denial of service plugin. IDS) has begun to block traffic to a server. The “Windows credentials” drop-down menu item has settings to provide Nessus with information such as SMB account name. Once Nessus is able to authenticate with a set of credentials. The resulting log can be used to confirm that particular plugins were used and hosts were scanned. If you want to include the list of dependencies in the report. uncheck the box. and domain name. This may occur if users turn off their PCs during a scan. This feature has since been enhanced to randomize across the entire target IP space. plugin finish or if a plugin is killed.The “Advanced” menu further defines options related to how the scan should behave: Option Safe Checks Silent Dependencies Log Scan Details to Server Description Safe Checks will disable all plugins that may have an adverse effect on the remote host. or a security mechanism (e. When multiple SMB accounts are configured. Stop Host Scan on Disconnect Avoid Sequential Scans The range specified for a port scan will be applied to both TCP and UDP scans. If this option is checked.messages) including plugin launch.. using credentials enables Nessus to determine if important security patches have been applied. Credentials The “Credentials” tab. password. 
It is not necessary to modify other SMB parameters from default settings. Providing this information to Nessus will allow it to find local information from a remote Windows host. These accounts are not always suitable for performing credentialed scans. this account may be hidden. Continuing scans on these machines will send unnecessary traffic across the network and delay the scan. Nessus will stop scanning if it detects that the host has become unresponsive. this option worked on a per-subnet basis. If checked. By default. Nessus will scan the list of hosts in a random order. The real administrator account can be 20 .g. Nessus scans a list of IP addresses in sequential order. allows you to configure the Nessus scanner to use authentication credentials during scanning. it allows Nessus to perform a wider variety of checks that result in more accurate scan results. the list of dependencies is not included in the report. pictured below. For example. If checked. By configuring credentials. named “Administrator” be used for credentialed scanning to ensure full access is permitted. Before July 2013. Nessus will try to log in with the supplied credentials sequentially. Tenable recommends that the original administrative account. This is typically useful in helping to distribute the network traffic directed at a particular subnet during large scans. On some versions of Windows. Designate Hosts by their DNS Name Use the host name rather than IP address for report output. Some versions of Windows allow you to create a new account and designate it as an “administrator”. Server 2003. Nessus does attempt to try several checks in most cases if no account is provided. 21 . Windows 8.Now you see it. Nessus can easily and securely scan multiple domains. reading keys and values from the registry will not be possible. even with full credentials. and Windows 2008 that are more accurate if a domain account is provided. If the service is not running. 
Nessus includes a variety of security checks for Windows NT. This service must be started for a Nessus credentialed scan to fully audit a system using credentials. Tenable recommends that network administrators consider creating specific domain accounts to facilitate testing.unhidden by running a DOS prompt with administrative privileges and typing the following command: C:\> net user administrator /active:yes If a maintenance SMB account is created with limited administrator privileges. XP. now you don’t!” for more information. The Windows Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. Please see the Tenable blog post titled “Dynamic Remote Registry Auditing . Windows 7. Vista. 2000. Since many sites do not permit a remote login as root.Users can select “SSH settings” from the drop-down menu and enter credentials for scanning Unix systems. “su+sudo”. Nessus will only attempt to log into hosts in this file. In addition. Nessus can escalate privileges on Cisco devices by selecting “Cisco ‘enable’”. “sudo”. or “pbrun” with a separate password for an account that has been set up to have “su” or “sudo” privileges. “dzdo”. 22 . it is recommended to use SSH keys for authentication rather than SSH passwords. However. the “Preferred SSH port” can be set to direct Nessus to connect to SSH if it is running on a port other than 22. along with either the SSH password or the SSH public key and private key pair. aes-cbc. There is a field for entering the SSH user name for the account that will perform the checks on the target Unix system. As such. There is also a field for entering the Passphrase for the SSH key. Nessus supports the blowfish-cbc. Finally. it is not recommended to use SSH passwords unless absolutely necessary. The most effective credentialed scans are when the supplied credentials have “root” privileges. if it is required. and aes-ctr cipher algorithms. 
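The Port Scan Range syntax described above (the “default” and “all” keywords, comma-delimited ports and ranges, and the T:/U: prefixes that split a range per protocol) is easy to get wrong in a policy, so it is worth validating before a scan is saved. The parser below is an added example written for this guide, not Nessus code; DEFAULT_PORTS is a constructed stand-in for the nessus-services list, which is not reproduced here, and the function names are this example’s own.

```python
"""Parse a Nessus-style "Port Scan Range" value into per-protocol port sets.

Added example, not Nessus code. It follows the syntax described in the guide:
the keywords "default" and "all", comma-delimited ports and ranges
("21,23,25,80,110", "1-1024,8080,9000-9200"), and protocol prefixes that split
the range per protocol ("T:1-1024,U:300-500"). Items without a prefix apply to
both TCP and UDP.
"""
import re

# Constructed stand-in for the ~4,790 entries of the nessus-services file.
DEFAULT_PORTS = frozenset({21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080})
ALL_PORTS = frozenset(range(1, 65536))

# One comma-separated item: optional protocol prefix, a port, optional "-port".
_ITEM_RE = re.compile(r"^(?:(?P<proto>[TU]):)?(?P<lo>\d+)(?:-(?P<hi>\d+))?$", re.IGNORECASE)


def parse_port_range(spec):
    """Return {"T": set_of_tcp_ports, "U": set_of_udp_ports} for `spec`.

    Raises ValueError for malformed items, ports outside 1-65535 (port 0 is
    never scanned, so "1-65535" is the full range) and reversed ranges, so a
    bad policy value is rejected before any scan starts.
    """
    keyword = spec.strip().lower()
    if keyword == "default":
        return {"T": set(DEFAULT_PORTS), "U": set(DEFAULT_PORTS)}
    if keyword == "all":
        return {"T": set(ALL_PORTS), "U": set(ALL_PORTS)}

    result = {"T": set(), "U": set()}
    for raw in spec.split(","):
        item = raw.strip()
        match = _ITEM_RE.match(item)
        if not match:
            raise ValueError("malformed port item: %r" % item)
        lo = int(match.group("lo"))
        hi = int(match.group("hi") or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("port range out of bounds or reversed: %r" % item)
        # A missing prefix means the ports apply to both protocols.
        protocols = [match.group("proto").upper()] if match.group("proto") else ["T", "U"]
        for proto in protocols:
            result[proto].update(range(lo, hi + 1))
    return result


def port_counts(spec):
    """Number of TCP and UDP ports a spec would scan; useful for sanity checks."""
    return {proto: len(ports) for proto, ports in parse_port_range(spec).items()}


def is_valid_port_range(spec):
    """True if the spec parses, False otherwise."""
    try:
        parse_port_range(spec)
        return True
    except ValueError:
        return False
```

Running `port_counts("1-1024,T:1024-65535,U:1025")` shows why the split syntax matters: the TCP side covers all 65,535 ports while UDP is limited to 1,025, which is the kind of asymmetry the Max Simultaneous TCP Sessions settings above are tuned against.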
The “Elevate privileges with” drop-down provides several methods of increasing privileges once authenticated; Nessus users can invoke “su” and the other escalation methods from this menu. If an account other than root must be used for privilege escalation, it can be specified under the “Escalation account” with the “Escalation password”. These credentials are used to obtain local information from remote Unix systems for patch auditing or compliance checks. The following screen capture shows the available SSH options.

Nessus can use SSH key-based access to authenticate to a remote server. If an SSH known_hosts file is available and provided as part of the scan policy, Nessus restricts its login attempts to the hosts listed in that file. This helps ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a log in to a system that may not be under your control.

Nessus encrypts all passwords stored in policies. By default, all passwords (and the policy itself) are encrypted. If the policy is saved to a .nessus file and that .nessus file is then copied to a different Nessus installation, all passwords in the policy will be unusable by the second Nessus scanner as it will be unable to decrypt them.

“Kerberos configuration” allows you to specify credentials using Kerberos keys from a remote system.

Finally, if a secure method of performing credentialed checks is not available, users can force Nessus to try to perform checks over insecure protocols by configuring the “Cleartext protocol settings” drop-down menu item. The cleartext protocols supported for this option are telnet, rsh, and rexec. In addition, there are check boxes to specifically direct Nessus to attempt to perform patch level checks over the insecure protocols.

Using cleartext credentials in any fashion is not recommended! If the credentials are sent remotely (e.g., via a Nessus scan), the credentials could be intercepted by anyone with access to the network. Use encrypted authentication mechanisms whenever possible.

Plugins

The “Plugins” tab enables the user to choose specific security checks by plugin family or individual checks. Clicking on the plugin family allows you to enable (green) or disable (red) the entire family. Selecting a family will display the list of its plugins. Individual plugins can be enabled or disabled to create very specific scan policies. A family with some plugins disabled will turn blue and display “mixed” to indicate only some plugins are enabled. Clicking on the plugin family will load the complete list of plugins, and allow for granular selection based on your scanning preferences.

Selecting a specific plugin will display the plugin output that will be displayed as seen in a report. The synopsis and description will provide more details of the vulnerability being examined. Scrolling down in your browser will also show solution information, additional references if available, risk information, exploit information, and any vulnerability database or informational cross-references.

At the top of the plugin family page, you can create filters to build a list of plugins to include in the policy, as well as disable or enable all plugins. Filters allow granular control over plugin selection. Multiple filters can be set in a single policy. To create a filter, click on the “Filter Options” button.

Each filter created provides several options for refining a search. The filter criteria can be based on “Any”, where any one criteria will return matches, or “All”, where every filter criteria must be present. For example, if we want a policy that only includes plugins that have an exploit or can be exploited without a scripted exploit, we create two filters and select “Any” for the criteria.

To quickly filter plugins based on name in order to locate and read about it, you can type in the search box. This will filter the plugins on-the-fly. In addition to text searches, you can type in id:10123 to quickly filter a specific plugin.
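The known_hosts restriction described in the SSH settings above (when a known_hosts file is provided, credentials are only offered to hosts it lists) can be reproduced as a pre-flight check before any login is attempted. The following code is an added example written for this guide, not Nessus code; it assumes OpenSSH known_hosts syntax, including hashed host fields of the form |1|salt|hash, and the sample file, host names and key strings in it are constructed placeholders.

```python
"""Decide whether a credentialed SSH login may be attempted against a host,
given the contents of an OpenSSH known_hosts file.

Added example, not Nessus code. It models the guide's rule that, when a
known_hosts file is supplied with the policy, logins are attempted only against
hosts listed in it. Plain entries (possibly several names separated by commas)
and hashed entries ("|1|base64salt|base64hash") are both handled; hashed
fields are HMAC-SHA1 over the hostname keyed with the salt, as OpenSSH does.
"""
import base64
import hashlib
import hmac


def hash_known_host(hostname, salt):
    """Build the hashed host field OpenSSH writes for `hostname` (20-byte salt)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_field_matches(field, hostname):
    """True if one known_hosts host field covers `hostname`."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    # Plain fields may list several names/addresses separated by commas.
    return hostname in [name.strip() for name in field.split(",")]


def known_host_fields(known_hosts_text):
    """Yield the host field of every entry; comments and blank lines are skipped."""
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            marker, line = line.split(None, 1)
            if marker == "@revoked":      # a revoked key does not vouch for a host
                continue
        yield line.split(None, 1)[0]


def should_attempt_login(hostname, known_hosts_text=None):
    """Without a known_hosts file there is no restriction; with one, the host
    must be listed (plain or hashed) before credentials are offered to it."""
    if known_hosts_text is None:
        return True
    return any(host_field_matches(field, hostname)
               for field in known_host_fields(known_hosts_text))


# Constructed sample file; the key material is placeholder text, not real keys.
SAMPLE_SALT = b"0123456789abcdef0123"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed example known_hosts",
    "bastion.example.test,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER",
    hash_known_host("db01.example.test", SAMPLE_SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER",
    "",
])
```

Because hashed entries are compared with an HMAC over the exact name Nessus would connect to, a target written as an IP address in the scan only matches if the same IP address (not just its DNS name) was recorded in known_hosts, which is the behaviour the guide's "hosts in this file" wording implies.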
If we want to create a policy that contains plugins that match several criteria, we select “All” and add the desired filters. For example, the policy below would include any vulnerability with a patch published after January 1, 2012 that has a public exploit, and CVSS Base Score higher than 5.0. For a full list of filter criteria and details, check the Report Filters section of this document.

To use filters to create a policy, it is recommended you start by disabling all plugins. Using plugin filters, narrow down the plugins you want to be in your policy. Once completed, select each plugin family and click “Enable Plugins”.

When a policy is created and saved, it records all of the plugins that are initially selected. When new plugins are received via a plugin update, they will automatically be enabled if the family they are associated with is enabled. If the family has been disabled or partially enabled, new plugins in that family will automatically be disabled as well.

The “Denial of Service” family contains some plugins that could cause outages on a network if the “Safe Checks” option is not enabled, but does contain some useful checks that will not cause any harm. The “Denial of Service” family can be used in conjunction with “Safe Checks” to ensure that any potentially dangerous plugins are not run. However, it is recommended that the “Denial of Service” family not be used on a production network unless scheduled during a maintenance window and with staff ready to respond to any issues.

Preferences

The “Preferences” tab includes the ability for granular control over scan policy settings. Selecting an item from the dropdown menu will display further configuration items for that category. Note that this is a dynamic list of configuration options that is dependent on the Nessus version, audit policies, and additional functionality that the connected Nessus scanner has access to. A commercial version of Nessus may have more advanced configuration options available than Nessus Home. This list will change as plugins are added or modified. The following table provides an overview of all preferences. For more detailed information regarding each preference item, check the Scanning Preferences in Detail section of this document.

ADSI settings – Active Directory Service Interfaces pulls information from the mobile device management (MDM) server regarding Android and iOS-based devices.

Apple Profile Manager API Settings – A commercial feature that enables enumeration and vulnerability scanning of Apple iOS devices (e.g., iPhone, iPad).

Cisco IOS Compliance Checks – A commercial option that allows a policy file to be specified to test Cisco IOS based devices against compliance standards.

Database Compliance Checks – A commercial option that allows a policy file to be specified to test databases such as DB2, SQL Server, MySQL, and Oracle against compliance standards.

Database Settings – Options used to specify the type of database to be tested as well as which credentials to use.

Do not scan fragile devices – A set of options that directs Nessus not to scan specific devices, due to increased risk of crashing the target.

Global variable settings – A wide variety of configuration options for Nessus.

HTTP cookies import – For web application testing, this preference specifies an external file to import HTTP cookies to allow authentication to the application.

HTTP login page – Settings related to the login page for web application testing.

IBM iSeries Compliance Checks – A commercial option that allows a policy file to be specified to test IBM iSeries systems against compliance standards.

IBM iSeries Credentials – Where credentials are specified for IBM iSeries systems.

ICCP/COTP TSAP Addressing Weakness – A commercial option related to Supervisory Control And Data Acquisition (SCADA) tests.

Login configurations – Where credentials are specified for basic HTTP, NNTP, FTP, POP, and IMAP service testing.

Modbus/TCP Coil Access – A commercial option related to Supervisory Control And Data Acquisition (SCADA) tests.

Nessus SYN scanner – Options related to the built-in SYN scanner.

Nessus TCP scanner – Options related to the built-in TCP scanner.

News Server (NNTP) Information Disclosure – A set of options for testing NNTP servers for information disclosure vulnerabilities.

Oracle Settings – Options related to testing Oracle Database installations.

PCI DSS compliance – A commercial option that directs Nessus to compare scan results against PCI DSS standards.

Patch Management: Red Hat Satellite Server Settings – Options for integrating Nessus with the Red Hat Satellite patch management server. Consult the Patch Management Integration document for more information.

Patch Management: SCCM Server Settings – Options for integrating Nessus with the System Center Configuration Manager (SCCM) patch management server. Consult the Patch Management Integration document for more information.

Patch Management: VMware Go Server Settings – Options for integrating Nessus with the VMware Go Server (formerly Shavlik) patch management server. Consult the Patch Management Integration document for more information.

Patch Management: WSUS Server Settings – Options for integrating Nessus with the Windows Server Update Service (WSUS) patch management server. Consult the Patch Management Integration document for more information.

Ping the remote host – Settings that control Nessus’ ping-based network discovery.

Port scanner settings – Two options that offer more control over port scanning activity.

SMB Registry : Start the Registry Service during the scan – Direct Nessus to start the SMB registry service on hosts that do not have it enabled.

SMB Scope – Direct Nessus to query domain users instead of local users.

SMB Use Domain SID to Enumerate Users – An option that allows you to specify the SID range for SMB lookups of domain users.

SMB Use Host SID to Enumerate Local Users – An option that allows you to specify the SID range for SMB lookups of local users.

SMTP Settings – Options for testing the Simple Mail Transport Protocol (SMTP).

SNMP Settings – Configuration and authentication information for the Simple Network Management Protocol (SNMP).

Service Detection – Options that direct Nessus how to test SSL-based services.

Unix Compliance Checks – A commercial option that allows a policy file to be specified to test Unix systems against compliance standards.

VMware SOAP API Settings – Configuration and authentication information for VMware’s SOAP API.

Wake-on-LAN – Direct Nessus to send Wake-on-LAN (WOL) packets before performing a scan.

Web Application Test Settings – Options related to testing web applications.

Web mirroring – Configuration details that control how many web pages Nessus will mirror, in order to analyze the contents for vulnerabilities.

Windows Compliance Checks – A commercial option that allows a policy file to be specified to test Windows systems against compliance standards.

Windows File Contents Compliance Checks – A commercial option that allows a policy file to be specified to test files on Windows system against compliance standards.

Due to the XML meta-data upgrades in Nessus 5, compliance data that was generated with Nessus 4 will not be available in the compliance checks chapter of exported reports. However, compliance data will be available within the Nessus UI.

Importing, Exporting, and Copying Policies

For organizational convenience, Nessus has two pre-set filters on the left side for “Private” and “Shared” policies. The “Upload” button on the Policies menu bar allows you to upload previously created policies to the scanner. Using the native file browser box, select the policy from your local system and click on “Open”.
The “Options” button on the menu bar allows you to download a selected policy from the scanner to the local file system. The browser’s download dialog box allows you to open the policy in an external program (e.g., text editor) or save the policy to the directory of your choice. Passwords and .audit files contained in a policy will not be exported.

If you want to create a policy similar to an existing policy with minor modifications, you can select the base policy in the list and click on “Options” and then “Copy Policy” on the menu bar. This will create a copy of the original policy that can be edited to make any required modifications. This is useful for creating standard policies with minor changes as required for a given environment.

Users can create their own report by chapters: Vulnerability Centric, Host Centric, Compliance, or Compliance Executive. The HTML format is still supported by default; however, it is also possible to export reports in PDF, if Java is installed on the scanner host. By using the report filters and export features, users can create dynamic reports of their own choosing instead of selecting from a specific list.

Creating, Launching, and Scheduling a Scan

Scans with the same status can be listed through the virtual folders on the left navigation panel. The following scan statuses are available in the scan list table:

Completed – The scan is fully finished.

Canceled – The user stopped the scan before the end.

Aborted – The scan has been aborted due to an invalid target list or a server error (e.g., reboot, crash).

Imported – The scan has been imported using the upload functionality.

These statuses only apply to new scans. Old scans are all considered to be “completed”.

After creating or selecting a policy, you can create a new scan by clicking on the “Scans” option on the menu bar at the top and then click on the “+ New Scan” button on the left. The “New Scan” screen will be displayed as follows. Under the “Basic Settings” tab, there are five fields to enter the scan target:

Name – Sets the name that will be displayed in the Nessus UI to identify the scan.

Policy – Select a previously created policy that the scan will use to set parameters controlling Nessus server scanning behavior.

Folder – The Nessus UI folder to store the scan results.

Scan Targets – Targets can be entered by single IP address (e.g., 192.168.0.1), IP range (e.g., 192.168.0.1-192.168.0.255), subnet with CIDR notation (e.g., 192.168.0.0/24), or resolvable host (e.g., www.nessus.org).

Upload Targets – A text file with a list of hosts can be imported by clicking on “Add File” and selecting a file from the local machine. The host file must be formatted as ASCII text with one host per line and no extra spaces or lines. Unicode/UTF-8 encoding is not supported.

Example host file formats:

Individual hosts:
192.168.0.100
192.168.0.101
192.168.0.102

Host range:
192.168.0.100-192.168.0.102

Host CIDR block:
192.168.0.1/24

Virtual servers:
www.tenablesecurity.com[192.168.1.1]
www.nessus.org[192.168.1.1]
www.tenable.com[192.168.1.1]

Depending on your scan settings such as “max hosts” or “max checks per host”, this may cause virtual hosts to be throttled as Nessus views them as the same IP address. On non-Windows hosts, Nessus administrators can add a custom advanced setting named multi_scan_same_host and set it to true. This will allow the scanner to perform multiple scans against the same IP address. This functionality is available in Nessus 5.2.0 and later. Note that on Windows, the PCAP driver does not allow this regardless of Nessus configuration.

Under the “Schedule Settings” tab, there is a drop-down menu that controls when the scan will be launched. The launch options are as follows:

Now – Start the scan immediately.

On Demand – Create the scan as a template so that it can be manually launched at any time (this feature was formerly handled under the “Scan Template” option).

Once – Schedule the scan at a specific time.

Daily – Schedule the scan to occur on a daily basis, at a specific time or interval up to 20 days.

Weekly – Schedule the scan to occur on a recurring basis, by time and day of week, for up to 20 weeks.

Monthly – Schedule the scan to occur every month, by time and day or week of month, for up to 20 months.

Yearly – Schedule the scan to occur every year, by time and day, for up to 20 years.

An example of a scheduled scan is below. Once a scheduled scan is created, it can be accessed via the “Schedules” menu at the top. This page allows you to manage scheduled scans and update them as required.

Under the “Email Settings” tab, you can optionally configure email addresses to which the scan results will be mailed upon scan completion. The “Email Scan Results” functionality requires that a Nessus administrator configure the SMTP settings. If you have not configured these settings, Nessus will warn you that they must be set for the functionality to work. For more information on configuring SMTP settings, consult the Nessus 5.2 Installation and Configuration Guide.

After you have entered the scan information, click “Save”. After submitting, the scan will begin immediately (if “Now” was selected) before the display is returned to the general “Scans” page. Once a scan has launched, the “Scans” list will display a list of all scans currently running or paused, along with basic information about the scan. The top menu bar will also update the number overlaying the “Scans” button to indicate how many total scans are present. While a scan is running, a pause and stop button are on the left to change the status.

After selecting a particular scan on the list via the checkbox on the left, the “More” and “Move To” buttons on the top right will allow you to perform further actions including the ability to rename, manipulate scan status, mark as read, or move it to a different folder.

Browse Scan Results

Scans can be organized into folders. On the left are two default folders, My Scans and Trash. By default, all new scans will appear in the My Scans virtual folder. The default location for new scans can be changed via
Additional folders can be created via the “New Folder” option, shown below. Folders can also be managed via the “User Profile” -> “Folders” menu. Scans in the “Trash” folder will be deleted automatically after 30 days. They can be deleted at any time by individually deleting, or selecting “Empty Trash” at the top.

To move scan results between folders, select the scan by checking the box to the left. Once checked, additional dropdown menus will appear at the top. One provides “More” options including rename and mark a scan as read or unread. The second allows you to move the scan to the desired folder.

To browse the results of a scan, click on a report from the list. This allows you to view results by navigating through the results by vulnerabilities or hosts, displaying ports and specific vulnerability information. The default view/tab is by host summary, which shows a list of hosts with a color coded vulnerability summary per host.

If any errors occurred during the scan, there will be a notation at the top of the results. Clicking on the “Hide Details” on the upper right will suppress the Scan Details to show more of the host summary.

From the “Hosts” summary view, each summary will contain details about the vulnerability or informational findings, as well as Host Details that provide general information about the host scanned. If “Allow Post-Scan Report Editing” was selected in the scan policy, a host can be deleted from the scan results by selecting the trashcan icon to the right of Host Details. Click on the host via the navigation flow at the top to display a pull-down menu of other hosts.
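The Upload Targets format rules above (ASCII only, one host per line, no extra spaces or lines) and the four entry forms in the example host file can be checked before the file is handed to the scanner; the same pass also reveals virtual servers that share one IP address, the case the “max hosts” throttling note concerns. The code below is an added example written for this guide, not Nessus code: it assumes IPv4 addresses and the bracketed name[ip] virtual-server syntax shown above, the sample file is constructed from the guide’s own example lines, and the function names are this example’s own.

```python
"""Validate an "Upload Targets" host file and classify each line.

Added example, not Nessus code. It enforces the format rules in the guide
(ASCII text, one host per line, no extra spaces or lines) and recognizes the
entry forms shown there: single IP, IP range, CIDR block, resolvable host name
and virtual server "name[ip]". The sample file below is constructed.
"""
import ipaddress
import re

_VHOST_RE = re.compile(r"^(?P<name>[A-Za-z0-9.-]+)\[(?P<ip>[0-9.]+)\]$")
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def classify_target(entry):
    """Return (kind, detail) for one line; raise ValueError if unrecognized."""
    match = _VHOST_RE.match(entry)
    if match:
        ip = ipaddress.ip_address(match.group("ip"))   # validates the bracketed address
        return ("virtual_server", (match.group("name"), str(ip)))
    if "/" in entry:
        network = ipaddress.ip_network(entry, strict=False)
        return ("cidr", str(network))
    if "-" in entry and entry.replace(".", "").replace("-", "").isdigit():
        low_s, high_s = entry.split("-", 1)
        low, high = ipaddress.ip_address(low_s), ipaddress.ip_address(high_s)
        if low > high:
            raise ValueError("reversed range: %r" % entry)
        return ("range", (str(low), str(high)))
    try:
        return ("ip", str(ipaddress.ip_address(entry)))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(entry):
        return ("hostname", entry)
    raise ValueError("unrecognized target: %r" % entry)


def parse_target_file(data):
    """Parse raw file bytes into a list of (kind, detail) tuples.

    Non-ASCII content, blank lines and leading/trailing spaces are rejected,
    mirroring the guide's format requirements; one terminating newline is allowed.
    """
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("host file must be ASCII; Unicode/UTF-8 is not supported")
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    targets = []
    for number, line in enumerate(lines, 1):
        if line == "" or line != line.strip():
            raise ValueError("line %d: blank line or extra whitespace" % number)
        targets.append(classify_target(line))
    return targets


def is_valid_target_file(data):
    """True if the file parses under the rules above, False otherwise."""
    try:
        parse_target_file(data)
        return True
    except ValueError:
        return False


def shared_addresses(targets):
    """Map each IP that several virtual-server entries share to their names.
    Such hosts are throttled as one address unless multi_scan_same_host is set."""
    by_ip = {}
    for kind, detail in targets:
        if kind == "virtual_server":
            name, ip = detail
            by_ip.setdefault(ip, []).append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


# Constructed sample file built from the guide's example lines.
SAMPLE_TARGET_FILE = b"\n".join([
    b"192.168.0.100", b"192.168.0.101", b"192.168.0.102",
    b"192.168.0.100-192.168.0.102",
    b"192.168.0.1/24",
    b"www.tenablesecurity.com[192.168.1.1]",
    b"www.nessus.org[192.168.1.1]",
    b"www.tenable.com[192.168.1.1]",
    b"",
])
```

`shared_addresses(parse_target_file(SAMPLE_TARGET_FILE))` reports the three virtual servers behind 192.168.1.1, which is the list an administrator would want before deciding whether to set multi_scan_same_host.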
To quickly change between hosts, use that pull-down menu of hosts at the top; if there are numerous hosts, a search box will be available for quick host location.

Clicking on a vulnerability via the Hosts or Vulnerabilities tab will display vulnerability information including a description, solution, references, and any available plugin output. Plugin Details will be displayed on the right providing additional information about the plugin and associated vulnerability. From this screen, the pen icon to the right of Plugin Details can be used to modify the displayed vulnerability. Clicking on the pen icon will display a dialog as shown below.

The severity drop-down menu will enable you to re-classify the severity rating of the vulnerability in question, and also to hide it from the report. The severity ratings are derived from the associated CVSS score, where 0 is “Info”, less than 4 is “Low”, less than 7 is “Medium”, less than 10 is “High”, and a CVSS score of 10 will be flagged “Critical”.

Once the change is made, clicking “Save” will save the change and apply it to the vulnerability in question. In addition, the modification can be applied to all future reports by clicking the option. Doing so will bring up a dialog box allowing you to set an optional expiration date for the modification rule. An expiration date can be selected using the calendar. Upon that date, the specified modification rule will no longer be applied to that finding. Note that global rules for recasting plugin risk/severity can be established in the “User Profile” -> “Plugin Rules” area within Nessus.

Selecting the “Vulnerabilities” tab at the top will switch to the Vulnerability View. This will sort the results by vulnerabilities rather than hosts, and include the number of hosts affected to the right. Selecting a vulnerability will provide the same information as before, but also include a list of affected hosts at the bottom.
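The severity thresholds and the modification rules described above (recast or hide one finding, optionally with an expiration date, or a global plugin rule that applies everywhere) can be modelled to check how a report will look on a given day. The following code is an added example written for this guide, not Nessus code; the rule fields, the finding layout and all sample values are constructed, and the thresholds are the ones the guide states.

```python
"""Derive Nessus severities from CVSS base scores and apply recast/hide rules.

Added example, not Nessus code. The thresholds are the ones stated in the guide
(0 Info, below 4 Low, below 7 Medium, below 10 High, 10 Critical). A rule recasts
or hides one plugin's findings, optionally only for one host, and may carry an
expiration date after which it is no longer applied; rules without a host model
the global "Plugin Rules". Findings and rules below are constructed.
"""
from datetime import date


def severity_from_cvss(score):
    """Map a CVSS base score (0.0-10.0) to the guide's severity labels."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score out of range: %r" % score)
    if score == 0:
        return "Info"
    if score < 4:
        return "Low"
    if score < 7:
        return "Medium"
    if score < 10:
        return "High"
    return "Critical"


def rule_applies(rule, finding, today):
    """A rule matches on plugin_id, on host when the rule names one, and only
    until its expiration date (on that date it is no longer applied)."""
    if rule["plugin_id"] != finding["plugin_id"]:
        return False
    if rule.get("host") is not None and rule["host"] != finding["host"]:
        return False
    expires = rule.get("expires")
    return expires is None or today < expires


def render_report(findings, rules, today):
    """Return the findings as a report would show them on `today`: severity
    derived from CVSS, then recast or hidden by the first matching rule."""
    shown = []
    for finding in findings:
        entry = dict(finding, severity=severity_from_cvss(finding["cvss"]))
        for rule in rules:
            if rule_applies(rule, finding, today):
                if rule.get("hide"):
                    entry = None
                elif rule.get("severity"):
                    entry["severity"] = rule["severity"]
                break
        if entry is not None:
            shown.append(entry)
    return shown


# Constructed sample findings and rules.
FINDINGS = [
    {"plugin_id": 10123, "host": "192.168.0.100", "cvss": 7.5},
    {"plugin_id": 10123, "host": "192.168.0.101", "cvss": 7.5},
    {"plugin_id": 42111, "host": "192.168.0.100", "cvss": 0.0},
    {"plugin_id": 55555, "host": "192.168.0.102", "cvss": 10.0},
]
RULES = [
    # per-finding recast with an expiry, as set from the pen icon dialog
    {"plugin_id": 10123, "host": "192.168.0.100", "severity": "Low", "expires": date(2014, 2, 1)},
    # global rule (no host): hide an informational plugin everywhere
    {"plugin_id": 42111, "host": None, "hide": True, "expires": None},
]
```

Rendering the same findings on the day before and on the expiration date shows the recast disappearing while the global hide rule, which has no expiry, keeps applying.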
Clicking on an affected host at the bottom will load the host-based view of vulnerabilities.

If a scan is initiated that uses a compliance policy, the results will be found on a separate tab at the top called “Compliance”.

In addition to the Hosts and Vulnerabilities tabs, Nessus offers two additional tabs. The first is a Remediations tab that provides summary information to remediate major issues that have been discovered. This advice is intended to provide you with the most effective mitigation that will significantly reduce the number of vulnerabilities. The second tab is called Notes and offers advice to enhance your scan results.

Report Filters

Nessus offers a flexible system of filters to assist in displaying specific report results. Filters can be used to display results based on any aspect of the vulnerability findings. When multiple filters are used, more detailed and customized report views can be created.

The first filter type is a simple text string entered into the “Filter Vulnerabilities” box on the upper right. As you type, Nessus will immediately begin to filter the results based on your text and what it matches in the titles of the findings.

The second filter type is more comprehensive and allows you to specify more details. To create this type of filter, begin by clicking on the down arrow on the right side of the “Filter Vulnerabilities” box. Filters can be created from any report tab. Multiple filters can be created with logic that allows for complex filtering. A filter is created by selecting the plugin attribute, a filter argument, and a value to filter on. When selecting multiple filters, specify the keyword “Any” or “All” accordingly. If “All” is selected, then only results that match all filters will be displayed.

Once a filter has been set, it can be removed individually by clicking on the icon to the right. Additionally, all filters can be removed at the same time by selecting “Clear Filters”.
The report filters allow for a wide variety of criteria for granular control of results:

Plugin ID: Filter results if Plugin ID “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., 42111).
Plugin Description: Filter results if Plugin Description “contains” or “does not contain” a given string (e.g., “remote”).
Plugin Name: Filter results if Plugin Name “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “windows”).
Plugin Family: Filter results if Plugin Family “is equal to” or “is not equal to” one of the designated Nessus plugin families. The possible matches are provided via a drop-down menu.
Plugin Output: Filter results if Plugin Output “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “PHP”).
Plugin Type: Filter results if Plugin Type “is equal to” or “is not equal to” one of the two types of plugins: local or remote.
Solution: Filter results if the plugin Solution “contains” or “does not contain” a given string (e.g., “upgrade”).
Synopsis: Filter results if the plugin Synopsis “contains” or “does not contain” a given string (e.g., “PHP”).
Hostname: Filter results if the host “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “192.168” or “lab”).
Port: Filter results based on if a port “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “80”).
Protocol: Filter results if a protocol “is equal to” or “is not equal to” a given string (e.g., “http”).
CPE: Filter results based on if the Common Platform Enumeration (CPE) “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “solaris”).
CVSS Base Score: Filter results based on if a CVSS base score “is less than”, “is more than”, “is equal to”, “is not equal to”, “contains”, or “does not contain” a string (e.g., “5”). This filter can be used to select by risk level. The severity ratings are derived from the associated CVSS score, where 0 is “Info”, less than 4 is “Low”, less than 7 is “Medium”, less than 10 is “High”, and a CVSS score of 10 will be flagged “Critical”.
CVSS Temporal Score: Filter results based on if a CVSS temporal score “is less than”, “is more than”, “is equal to”, “is not equal to”, “contains”, or “does not contain” a string (e.g., “3.3”).
CVSS Temporal Vector: Filter results based on if a CVSS temporal vector “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “E:F”).
CVSS Vector: Filter results based on if a CVSS vector “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “AV:N”).
Vulnerability Publication Date: Filter results based on if a vulnerability publication date is “earlier than”, “later than”, “on”, “not on”, “contains”, or “does not contain” a string (e.g., “01/01/2012”). Note: Pressing the button next to the date will bring up a calendar interface for easier date selection.
Patch Publication Date: Filter results based on if a vulnerability patch publication date “is less than”, “is more than”, “is equal to”, “is not equal to”, “contains”, or “does not contain” a string (e.g., “12/01/2011”).
Plugin Publication Date: Filter results based on if a Nessus plugin publication date “is less than”, “is more than”, “is equal to”, “is not equal to”, “contains”, or “does not contain” a string (e.g., “06/03/2011”).
Plugin Modification Date: Filter results based on if a Nessus plugin modification date “is less than”, “is more than”, “is equal to”, “is not equal to”, “contains”, or “does not contain” a string (e.g., “02/14/2010”).
CVE: Filter results based on if a CVE reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “2011-0123”).
Bugtraq ID: Filter results based on if a Bugtraq ID “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “51300”).
CERT Advisory ID: Filter results based on if a CERT Advisory ID (now called Technical Cyber Security Alert) “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “TA12-010A”).
OSVDB ID: Filter results based on if an Open Source Vulnerability Database (OSVDB) ID “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “78300”).
Secunia ID: Filter results based on if a Secunia ID “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “47650”).
Exploit Database ID: Filter results based on if an Exploit Database ID (EDB-ID) reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “18380”).
Metasploit Name: Filter results based on if a Metasploit name “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “xslt_password_reset”).
Exploit Hub: Filter results based on if an ExploitHub exploit is “true” or “false”.
IAVA: Filter results based on if an IAVA reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., 2012-A-0008).
IAVB: Filter results based on if an IAVB reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., 2012-A-0008).
IAVT: Filter results based on if an IAVT reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., 2012-A-0008).
See Also: Filter results based on if a Nessus plugin “see also” reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “seclists.org”).
Exploits Available: Filter results based on the vulnerability having a known public exploit.
Exploitability Ease: Filter results based on if the exploitability ease “is equal to” or “is not equal to” the following values: “Exploits are available”, “No exploit is required”, or “No known exploits are available”.
Metasploit Exploit Framework: Filter results based on if the presence of a vulnerability in the Metasploit Exploit Framework “is equal to” or “is not equal to” true or false.
CANVAS Exploit Framework: Filter results based on if the presence of an exploit in the CANVAS exploit framework “is equal to” or “is not equal to” true or false.
CANVAS Package: Filter results based on which CANVAS exploit framework package an exploit exists for. Options include CANVAS, D2ExploitPack, or White_Phosphorus.
CORE Exploit Framework: Filter results based on if the presence of an exploit in the CORE exploit framework “is equal to” or “is not equal to” true or false.
Elliot Exploit Framework: Filter results based on if the presence of an exploit in the Elliot exploit framework “is equal to” or “is not equal to” true or false.
Elliot Exploit Name: Filter results based on if an Elliot exploit “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “Typo3 FD”).
ExploitHub: Filter results based on if the presence of an exploit on the ExploitHub web site “is equal to” or “is not equal to” true or false.

When using a filter, the string or numeric value can be comma delimited to filter based on multiple strings. For example, to filter results to show only web servers, you could create a “Ports” filter, select “is equal to” and input “80,443,8000,8080”. This will show you results associated with those four ports. Filter criteria are not case sensitive.

If a filter option is not available, it means that the report contains nothing that meets the criteria. For example, if “Microsoft Bulletin” is not on the filter dropdown list, then no vulnerabilities were found that reference a Microsoft Bulletin.
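The filter semantics described above (severity derived from the CVSS base score, comma-delimited values matching any listed item, case-insensitive criteria) modelled as an added, stand-alone example; this is not code from the Nessus guide or from Tenable, and the findings, plugin IDs and plugin names in it are constructed sample data.

```python
# Added example (not from the Nessus guide): an in-memory model of the report
# filter semantics described above. FINDINGS is constructed sample data.


def severity(cvss_base_score):
    """Severity label derived from the CVSS base score, as documented:
    0 -> Info, <4 -> Low, <7 -> Medium, <10 -> High, 10 -> Critical."""
    score = float(cvss_base_score)
    if score == 0:
        return "Info"
    if score < 4:
        return "Low"
    if score < 7:
        return "Medium"
    if score < 10:
        return "High"
    return "Critical"


def _wanted(text):
    """A filter value may be comma delimited; each item matches on its own.
    Filter criteria are not case sensitive, so everything is lower-cased."""
    return [v.strip().lower() for v in str(text).split(",") if v.strip()]


def _equal(field, item):
    # Compare numerically when both sides are numbers ("5" matches 5.0),
    # otherwise as lower-cased strings.
    try:
        return float(field) == float(item)
    except ValueError:
        return field == item


def matches(field_value, operator, text):
    """Evaluate one filter (field value, operator, user-supplied text)."""
    field = str(field_value).lower()
    items = _wanted(text)
    if operator == "is equal to":
        return any(_equal(field, i) for i in items)
    if operator == "is not equal to":
        return not any(_equal(field, i) for i in items)
    if operator == "contains":
        return any(i in field for i in items)
    if operator == "does not contain":
        return not any(i in field for i in items)
    if operator == "is less than":
        return any(float(field) < float(i) for i in items)
    if operator == "is more than":
        return any(float(field) > float(i) for i in items)
    raise ValueError(f"unsupported operator: {operator}")


def apply_filters(findings, filters):
    """Keep the findings that satisfy every (field, operator, text) filter."""
    return [f for f in findings
            if all(matches(f[field], op, text) for field, op, text in filters)]


def by_risk(findings, label):
    """Select by risk level, the way the CVSS Base Score filter is used."""
    return [f for f in findings if severity(f["cvss_base_score"]) == label]


# Constructed sample findings (plugin IDs and names are made up for the example).
FINDINGS = [
    {"host": "192.168.1.10", "port": 80, "protocol": "tcp", "plugin_id": 900001,
     "plugin_name": "Sample HTTP banner", "cvss_base_score": 0.0},
    {"host": "192.168.1.10", "port": 443, "protocol": "tcp", "plugin_id": 900002,
     "plugin_name": "Sample weak TLS cipher", "cvss_base_score": 4.3},
    {"host": "192.168.1.20", "port": 22, "protocol": "tcp", "plugin_id": 900003,
     "plugin_name": "Sample SSH version", "cvss_base_score": 0.0},
    {"host": "lab-db01", "port": 3306, "protocol": "tcp", "plugin_id": 900004,
     "plugin_name": "Sample MySQL info leak", "cvss_base_score": 2.6},
    {"host": "192.168.1.30", "port": 8080, "protocol": "tcp", "plugin_id": 900005,
     "plugin_name": "Sample remote code execution", "cvss_base_score": 10.0},
]

if __name__ == "__main__":
    # The documented "web servers only" filter: Port is equal to 80,443,8000,8080
    for f in apply_filters(FINDINGS, [("port", "is equal to", "80,443,8000,8080")]):
        print(f["host"], f["port"], severity(f["cvss_base_score"]), f["plugin_name"])
```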
As a filter is created, the scan results will be updated to reflect the new filter criteria after selecting “Apply”. The down arrow in the “Filter Vulnerabilities” box will change to a numeric representation of how many filters are currently being applied. Once the results have been filtered to provide the data set you want, click “Export Results” to export just the filtered results. To receive a report with all of the results, remove all filters and use the export feature.

Nessus scan results provide a concise list of plugins that detected issues on the host. However, there are times where you may want to know why a plugin did not return results. The “Audit Trail” functionality will provide this information. Begin by clicking “Audit Trail” located on the upper right-hand side:

This will bring up the Audit Trail dialogue box. Begin by entering the plugin ID you want to know more about. Optionally, you can supply a host IP for the initial query to limit the results to a target of interest. Click “Submit” and a host or list of hosts will be displayed that relates to your query. Once the host(s) are displayed, click on one to display information about why the plugin did not fire:

Due to the resources required for the audit trail, there are cases where only a partial audit trail will be provided. For a single scanned host, the full audit trail is available. If between 2 and 512 hosts are scanned, a full audit trail is only available if the Nessus server has more than 1 CPU and 2G of RAM. Scanning over 512 hosts will always result in a partial audit trail. The audit trail is only available for scans originated on the host. It does not work on imported scans.

Scan Knowledge Base

A Knowledge Base (KB) is saved with every scan performed. This is an ASCII text file containing a log of information relevant to the scan performed and results found. A KB is often useful during cases where you need support from Tenable, as it allows Support staff to understand exactly what Nessus did, and what information was found. To download a KB, select a report and then a specific host. To the right of the host name or IP there is a link titled “Host Details”. Click on this and one of the host details is “KB” with a “Download” link:

Only scans performed on the host will have an associated KB. Imported scans do not carry the KB with them.

Report Screenshots

Nessus 5.2 also has the ability to take screenshots during a vulnerability scan and include them in a report. For example, if Nessus discovers VNC running without a password to restrict access, a screenshot will be taken to show the session and included in the report. In the example below, a VNC was discovered where the user was browsing the Tenable web site:

This feature must be enabled in the “Preferences” section of a scan policy, under “Remote web server screenshot”. See the Scanning Preferences in Detail section of this document for more information.

Compare (Diff Results)

With Nessus, you can compare two scan reports against each other to display any differences. The ability to show scan differentials helps to point out how a given system or network has changed over time. This helps in compliance analysis by showing how vulnerabilities are being remediated, if systems are patched as new vulnerabilities are found, or how two scans may not be targeting the same hosts. To compare reports, begin by selecting two scans from the “Scans” list, click on “More”, and select “Diff” from the dropdown menu:

Nessus will compare the first report selected with the second, and produce a list of results that are different since the first. The compare feature shows what is new since the baseline (i.e., the first report selected); it does not produce a differential of any two reports. This comparison highlights which vulnerabilities have been found or remediated between the two scans. In the example above, “DMZ Web Server” is an unauthenticated scan of a single web server sitting in a DMZ, performed several times. The results display the differences, highlighting vulnerabilities that were not found in the October 7 scan:

Upload and Export

Scan results can be exported from one Nessus scanner and imported to a different Nessus scanner. The “Upload” and “Export” features facilitate better scan management, report comparison, report backup, and communication between groups or organizations within a company. To export a scan, begin by selecting the report from the “Scans” screen, click on the “Export” drop-down at the top, and choose the format you want. This will display a window that allows you to specify the information (broken into “chapters”) to be included. On the left is the available content and on the right is content that will be exported. You can drag content from one side to the other to create the custom export:

Reports can be downloaded in several formats. Note that some formats will not allow chapter selection, and include all information.

.nessus: An XML-based format and the de-facto standard in Nessus 4.2 and later. This format uses an expanded set of XML tags to make extracting and parsing information more granular. This report does not allow chapter selection.
.nessus (v1): An XML-based format used in Nessus 3.2 through 4.0.2, compatible with Nessus 4.x and Security Center 3. This report does not allow chapter selection.
HTML: A report generated using standard HTML that allows chapter selection. This report will open in a new tab in your browser.
PDF: A report generated in PDF format that allows chapter selection. Oracle Java (formerly Sun Microsystems’ Java) is required for PDF report functionality. Depending on the size of the report, PDF generation may take several minutes.
CSV: A comma-separated values (CSV) export that can be used to import into many external programs such as databases, spreadsheets, and more. This report does not allow chapter selection.

After selecting a format, your standard web browser “Save File” dialog will be displayed, allowing you to save the scan results to the location of your choice. Only compliance scans performed with Nessus 5 can be exported to PDF or HTML formats with compliance chapters. Imported scans from previous versions of Nessus will not export in that manner.

.nessus File Format

Nessus uses a specific file format (.nessus) for scan export and import. This format has the following advantages:

XML based, for easy forward and backward compatibility, and easy implementation.
Self-sufficient: a single .nessus file contains the list of targets, the policies defined by the user, as well as the scan results themselves.
Secure: Passwords are not saved in the file. Instead, a reference to a password stored in a secure location on the local host is used.

The process to create a .nessus file that contains the targets, policies, and scan results is to first generate the policy and save it. Next, generate the list of target addresses and finally, run a scan. Once the scan is complete, all the information can be saved in a .nessus file by using the “Export” option from the “Scans” result. Please see the “Nessus v2 File Format” document for more details on .nessus files.

To import a report, click on the “Upload” button on the top bar of the “Scans” screen to open a file browse window:

Select the .nessus scan file you want to import and click on “Open”. Nessus will parse the information and make it available in the “Scans” interface.

Delete

Once you are finished with scan results, you can click the “X” to the right of the scan from the “Scans” tab:

This action cannot be undone! Use the “Export” feature to export your scan results before deleting.

Mobile

Nessus 5 has the ability to scan Active Directory Service Interfaces and Apple Profile Manager, allowing for the inventory and vulnerability scanning of both Apple iOS-based and Android devices. To scan for mobile devices, Nessus must be configured with authentication information for the management server(s). The Mobile scanning functionality is specified under the “Configuration” menu. The “Mobile Settings” tab offers one place to configure the Apple Profile Manager and ADSI information. Nessus can be configured to authenticate to these servers, query for mobile device information, and report on any issues. A mobile scan policy will be automatically created with just the Mobile plugin family enabled and a Mobile scan will be created under “Templates”. Since Nessus authenticates directly to the management servers, mobile devices can be scanned for as often as required using the template scan.

SecurityCenter

Configuring SecurityCenter to Work with Nessus

The SecurityCenter administration interface is used to configure access and control of any Nessus scanner that is version 4.2.x or higher. Click the “Resources” tab and then click “Nessus Scanners”. Click “Add” to open the “Add Scanner” dialog. The Nessus scanner’s IP address or hostname, Nessus port (default: 8834), authentication type (created while configuring Nessus), and administrative login ID and password or certificate information are required. The password fields are not available if “SSL Certificate” authentication is selected. Optionally, the use of a proxy may be selected, and the Scan Zones the Nessus scanner is to be assigned to can be selected. The ability to Verify Hostname is provided to check the CommonName (CN) of the SSL certificate presented by the Nessus server. The state of the Nessus scanner may be set to Enabled or Disabled as needed. An example screen capture of the SecurityCenter 4.7 “Add Scanner” page is shown below:

After successfully adding the scanner, the following banner is displayed:

For more information on integrating Nessus and SecurityCenter, please refer to the “SecurityCenter Administration Guide” available on the Tenable Support Portal.
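The .nessus export and the compare feature described earlier in this section, as an added example that is not part of the Nessus guide or Tenable's code: it parses two .nessus v2 documents and reports what is new since the baseline (the first report) and what is no longer present. The element and attribute names (NessusClientData_v2, Report, ReportHost, ReportItem with port, protocol, pluginID and severity) are those of the v2 format as published by Tenable; the two documents, hosts and plugin IDs below are constructed samples, not real scan output.

```python
# Added example (not from the Nessus guide or Tenable): read two .nessus v2
# exports and compute what the compare feature shows, i.e. findings that are
# new since the baseline (the first report) and findings no longer present.
# Element/attribute names follow the v2 format; both documents are constructed.
import xml.etree.ElementTree as ET

BASELINE = """<NessusClientData_v2>
  <Report name="DMZ Web Server (baseline, constructed)">
    <ReportHost name="203.0.113.10">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900001" pluginName="Sample: weak TLS cipher suites"
                  pluginFamily="General">
        <cvss_base_score>4.3</cvss_base_score>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="Sample: HTTP server banner"
                  pluginFamily="Web Servers"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

LATER = """<NessusClientData_v2>
  <Report name="DMZ Web Server (one week later, constructed)">
    <ReportHost name="203.0.113.10">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="Sample: HTTP server banner"
                  pluginFamily="Web Servers"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="4"
                  pluginID="900003" pluginName="Sample: outdated web server"
                  pluginFamily="Web Servers">
        <cvss_base_score>10.0</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def load_findings(nessus_xml):
    """Map (host, port, protocol, pluginID) -> details for one .nessus v2 document.
    A .nessus file uploaded from another scanner is untrusted input; for production
    use parse it with defusedxml instead of the stdlib parser used here."""
    root = ET.fromstring(nessus_xml)
    if root.tag != "NessusClientData_v2":
        raise ValueError(f"not a .nessus v2 document (root is <{root.tag}>)")
    findings = {}
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            key = (host.get("name"), int(item.get("port")),
                   item.get("protocol"), int(item.get("pluginID")))
            score = item.findtext("cvss_base_score")
            findings[key] = {
                "plugin_name": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "cvss_base_score": float(score) if score is not None else None,
            }
    return findings


def diff_reports(baseline_xml, later_xml):
    """Compare the second report against the first (the baseline), as Diff does."""
    base = load_findings(baseline_xml)
    later = load_findings(later_xml)
    return {
        "new": {k: later[k] for k in sorted(later) if k not in base},
        "remediated": {k: base[k] for k in sorted(base) if k not in later},
        "unchanged": sorted(k for k in base if k in later),
    }


if __name__ == "__main__":
    result = diff_reports(BASELINE, LATER)
    for label in ("new", "remediated"):
        for (host, port, proto, pid), d in result[label].items():
            print(f"{label:10s} {host} {port}/{proto} plugin {pid}: {d['plugin_name']}")
```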
Host-Based Firewalls

If your Nessus server is configured with a local firewall such as ZoneAlarm, BlackICE, the Windows XP firewall, or any other firewall software, it is required that connections be opened from SecurityCenter’s IP address. By default, port 8834 is used to communicate with SecurityCenter. On Microsoft XP Service Pack 2 systems and later, clicking on the “Security Center” icon available in the “Control Panel” allows you to manage the “Windows Firewall” settings. To open up port 8834, choose the “Exceptions” tab and then add port “8834” to the list.

Scanning Preferences in Detail

The “Preferences” tab under “Policies” includes almost 40 drop-down menus that provide fine granular control over scan settings. Spending time to explore and configure each menu can provide great flexibility and considerably more accurate scan results over using a default policy. The following section provides extensive detail on each “Preferences” option. Note that this is a dynamic list of configuration options that is dependent on the Nessus version, audit policies, and additional functionality that the connected Nessus scanner has access to. A commercial scanner may have more advanced configuration options available than a Nessus Home scanner. This list may also change as plugins are added or modified.

ADSI Settings

The “ADSI Settings” menu allows Nessus to query an ActiveSync server to determine if any Android or iOS-based devices are connected. Using the credentials and server information, Nessus authenticates to the domain controller (not the Exchange server) to directly query it for device information. These settings are required for mobile device scanning. Nessus will collect information from any phone that has been updated via ADSI in the last 365 days. This feature does not require any ports be specified in the scan policy.

Note: For “ADSI Settings”, “Apple Profile Manager API Settings”, and “Good MDM Settings”, the scan policy does not require a target host to scan: you can target “localhost” and the policy will still reach out to the MDM server for information.

Apple Profile Manager API Settings

The “Apple Profile Manager API Settings” menu allows Nessus to query an Apple Profile Manager server to enumerate Apple iOS-based devices (e.g., iPhone, iPad) on the network. Using the credentials and server information, Nessus authenticates to the Profile Manager to directly query it for device information. Optionally, communications over SSL can be specified, as well as directing the server to force a device information update (i.e., each device will update its information with the Profile Manager server). These settings are required for mobile device scanning. This feature does not require any ports be specified in the scan policy. The Nessus scanner must be able to reach the mobile device management (MDM) server to query it for information. When either of these options is configured, host devices do not need to be scanned directly to obtain information about them.

Check Point GAiA Compliance Checks

The “Check Point GAiA Compliance Checks” menu allows commercial customers to upload policy files that will be used to determine if a tested Check Point GAiA based device meets the specified compliance standards. Up to five policies may be selected at one time.

Cisco IOS Compliance Checks

The “Cisco IOS Compliance Checks” menu allows commercial customers to upload policy files that will be used to determine if a tested Cisco IOS based device meets the specified compliance standards. The policies may be run against Saved (show config), Running (show running), or Startup (show startup) configurations. Up to five policies may be selected at one time.

Citrix XenServer Compliance Checks

The “Citrix XenServer Compliance Checks” menu allows commercial customers to upload policy files that will be used to determine if a tested XenServer based system meets the specified compliance standards. Up to five policies may be selected at one time.

Database Compliance Checks

The “Database Compliance Checks” menu allows commercial customers to upload policy files that will be used to determine if a tested database meets the specified compliance standards. Up to five policies may be selected at one time.

Database settings

The “Database settings” options are used to specify the type of database to be tested, relevant settings, and credentials:

Login: The username for the database.
Password: The password for the supplied username.
DB Type: Oracle, SQL Server, MySQL, DB2, Informix/DRDA, and PostgreSQL are supported.
Database SID: ID of the database to audit.
Database port to use: Port the database listens on.
Oracle auth type: NORMAL, SYSOPER, and SYSDBA are supported.
SQL Server auth type: Windows or SQL are supported.

Do not scan fragile devices

The “Do not scan fragile devices” menu offers two options that instruct the Nessus scanner not to scan hosts that have a history of being “fragile”, or prone to crashing when receiving unexpected input. Users can select either “Scan Network Printers” or “Scan Novell Netware hosts” to instruct Nessus to scan those particular devices. Nessus will only scan these devices if these options are checked. It is recommended that scanning of these devices be performed in a manner that allows IT staff to monitor the systems for issues.

FireEye Compliance Checks

The “FireEye Compliance Checks” menu allows commercial customers to upload policy files that will be used to determine if a tested FireEye device meets the specified compliance standards. Up to five policies may be selected at one time.
Global variable settings

The “Global variable settings” menu contains a wide variety of configuration options for the Nessus server. The following table provides more detailed information about each option available:

Probe services on every port: Attempts to map each open port with the service that is running on that port. Note that in some rare cases, this might disrupt some services and cause unforeseen side effects.
Do not log in with user accounts not specified in the policy: Used to prevent account lockouts if your password policy is set to lock out accounts after several invalid attempts.
Enable CGI scanning: Activates CGI checking. Disabling this option will tremendously speed up the audit of a local network.
Network type: Allows you to specify if you are using publicly routable IPs, private non-Internet routable IPs or a mix of these. Select “Mixed” if you are using RFC 1918 addresses and have multiple routers within your network.
Enable experimental scripts: Causes plugins that are considered experimental to be used in the scan. Do not enable this setting while scanning a production network.
Thorough tests (slow): Causes various plugins to “work harder”. For example, when looking through SMB file shares, a plugin can analyze 3 levels deep instead of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially having better audit results.
Report verbosity: A higher setting will provide more information about plugin activity in the report.
Report paranoia: In some cases, Nessus cannot remotely determine whether a flaw is present or not. If the report paranoia is set to “Paranoid” then a flaw will be reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of “Avoid false alarm” will cause Nessus to not report any flaw whenever there is a hint of uncertainty about the remote host. The default option (“Normal”) is a middle ground between these two settings.
HTTP User-Agent: Specifies which type of web browser Nessus will impersonate while scanning.
SSL certificate to use: Allows Nessus to use a client side SSL certificate to communicate with a remote host.
SSL CA to trust: Specifies a Certificate Authority (CA) that Nessus will trust.
SSL key to use: Specifies a local SSL key to use to communicate with the remote host.
SSL password for SSL key: The password for managing the SSL key specified.

Good MDM Settings

The “Good MDM Settings” menu allows Nessus to query a Good mobile device management server to determine if any Android or iOS-based devices are connected. Using the credentials and server information, Nessus authenticates to the GMC server to directly query it for device information. These settings are required for mobile device scanning. This feature does not require any ports be specified in the scan policy. The Nessus scanner must be able to reach the Mobile Device Management (MDM) server to query it for information. When either of these options is configured, host devices do not need to be scanned directly to obtain information about them.

Note: For “ADSI Settings”, “Apple Profile Manager API Settings”, and “Good MDM Settings”, the scan policy does not require a target host to scan: you can target “localhost” and the policy will still reach out to the MDM server for information.

HP ProCurve Compliance Checks

The “HP ProCurve Compliance Checks” menu allows commercial customers to upload policy files that will be used to determine if a tested HP ProCurve device meets the specified compliance standards. Up to five policies may be selected at one time.

HTTP cookies import

To facilitate web application testing, Nessus can import HTTP cookies from another piece of software (e.g., web browser, web proxy, etc.) with the “HTTP cookies import” settings. A cookie file can be uploaded so that Nessus uses the cookies when attempting to access a web application. The cookie file must be in Netscape format.

HTTP login page

The “HTTP login page” settings provide control over where authenticated testing of a custom web-based application begins.

Login page: The absolute path to the login page of the application, e.g., “/login.html”.
Login form: The “action” parameter for the form method. For example, the login form for <form method="POST" name="auth_form" action="/login.php"> would be “/login.php”.
Login form fields: Specify the authentication parameters (e.g., login=%USER%&password=%PASS%). If the keywords %USER% and %PASS% are used, they will be substituted with values supplied on the “Login configurations” drop-down menu. This field can be used to provide more than two parameters if required (e.g., a “group” name or some other piece of information is required for the authentication process).
Login form method: Specify if the login action is performed via a GET or POST request.
Automated login page search: Direct Nessus to search for a login page.
Re-authenticate delay (seconds): The time delay between authentication attempts. This is useful to avoid triggering brute force lockout mechanisms.
Check authentication on page: The absolute path of a protected web page that requires authentication, to better assist Nessus in determining authentication status, e.g., “/admin.html”.
Follow 30x redirections (# of levels): If a 30x redirect code is received from a web server, this directs Nessus to follow the link provided or not.
Authenticated regex: A regex pattern to look for on the login page. Simply receiving a 200 response code is not always sufficient to determine session state. Nessus can attempt to match a given string such as “Authentication successful!”
Invert test (disconnected if regex matches): A regex pattern to look for on the login page that, if found, tells Nessus authentication was not successful (e.g., “Authentication failed!”).
Match regex on HTTP headers: Rather than search the body of a response, Nessus can search the HTTP response headers for a given regex pattern to better determine authentication state.
Case insensitive regex: The regex searches are case sensitive by default. This instructs Nessus to ignore case.
Abort web application tests if login fails: If the credentials supplied do not work, Nessus will abort the custom web application tests (but not the CGI plugin families).

IBM iSeries Compliance Checks

The “IBM iSeries Compliance Checks” menu allows commercial customers to upload policy files that will be used to determine if a tested IBM iSeries system meets the specified compliance standards. Up to five policies may be selected at one time.

IBM iSeries Credentials

The “IBM iSeries Credentials” preferences provide a place to give Nessus credentials to authenticate to an IBM iSeries system. This is required for compliance auditing, for example.

ICCP/COTP TSAP Addressing

The “ICCP/COTP TSAP Addressing” menu deals specifically with SCADA checks. It determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values. The start and stop values are set to “8” by default.

Juniper Junos Compliance Checks

The “Juniper Junos Compliance Checks” menu allows commercial customers to upload policy files that will be used to determine if a tested Juniper Junos based device meets the specified compliance standards. Up to five policies may be selected at one time.

LDAP ‘Domain Admins’ Group Membership Enumeration

The “LDAP ‘Domain Admins’ Group Membership Enumeration” menu allows you to enter a set of LDAP credentials that can be used to enumerate a list of members of the “Domain Admins” group in the remote LDAP directory.

Login configurations

The “Login configurations” menu allows the Nessus scanner to use credentials when testing HTTP, NNTP, FTP, POP2, POP3, or IMAP. By supplying credentials, Nessus may have the ability to do more extensive checks to determine vulnerabilities. HTTP credentials supplied here will be used for Basic and Digest authentication only. For configuring credentials for a custom web application, use the “HTTP login page” pull-down menu.

Malicious Process Detection

The “Malicious Process Detection” menu allows you to specify a list of additional MD5 hashes that Nessus will use to scan a system for known malware. This list is used by the plugin “Malicious Process Detection: User Defined Malware Running” (Plugin ID 65548), which functions like Tenable’s “Malicious Process Detection” (Plugin ID 59275). Additional hashes can be uploaded via a text file that contains one MD5 hash per line. It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description will show up in the scan results. Standard hash-based comments (e.g., #) can optionally be used in addition to the comma-delimited ones.

Modbus/TCP Coil Access

The “Modbus/TCP Coil Access” options are available for commercial users. This drop-down menu item is dynamically generated by the SCADA plugins available with the commercial version of Nessus. Modbus uses a function code of 1 to read “coils” in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a “write coil” message. The defaults for this are “0” for the Start reg and “16” for the End reg.
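How the “HTTP login page” options above combine, as an added stand-alone simulation that is not Nessus code: build_login_body() performs the %USER%/%PASS% substitution of the “Login form fields” value, and is_authenticated() applies the Authenticated regex, Invert test, Match regex on HTTP headers and Case insensitive regex settings to a response. URL-encoding of the substituted credentials and the settings dictionary keys are assumptions of this example; the responses it checks are constructed.

```python
# Added example (not Nessus code): a stand-alone model of how the "HTTP login
# page" settings combine. Credential URL-encoding and the settings keys are
# assumptions of this example; the responses tested are constructed.
import re
from urllib.parse import quote_plus


def build_login_body(login_form_fields, user, password):
    """Substitute the "Login configurations" credentials into the form fields.
    Extra parameters (e.g. a group name) pass through untouched."""
    return (login_form_fields
            .replace("%USER%", quote_plus(user))
            .replace("%PASS%", quote_plus(password)))


def is_authenticated(status, headers, body, settings):
    """Decide session state from one response.

    settings keys: authenticated_regex (required), invert_test, match_headers,
    case_insensitive (all optional, default off)."""
    if status >= 400:
        return False          # an error response is never an authenticated session
    # A 200 alone is not sufficient; the regex is what decides.
    flags = re.IGNORECASE if settings.get("case_insensitive") else 0
    if settings.get("match_headers"):
        haystack = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    else:
        haystack = body
    found = re.search(settings["authenticated_regex"], haystack, flags) is not None
    if settings.get("invert_test"):
        # The pattern marks a failed login, so a match means "not authenticated".
        return not found
    return found


if __name__ == "__main__":
    print(build_login_body("login=%USER%&password=%PASS%&group=ops", "alice", "s3cr&t"))
    print(is_authenticated(200, {}, "<p>Authentication successful!</p>",
                           {"authenticated_regex": "Authentication successful!"}))
```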
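The hash-list format the “Malicious Process Detection” option accepts (one MD5 per line, an optional comma-separated description, # comments), as an added example that is neither the plugin's code nor from the guide: it parses such a list, rejects malformed lines so an upload typo is caught, and checks a constructed process inventory against it. HASH_FILE and PROCESSES are constructed sample data (the two non-placeholder hashes are the well-known MD5s of the empty string and of "abc").

```python
# Added example (not from the Nessus guide or Tenable): parse a hash list in
# the format the "Malicious Process Detection" option accepts and check a
# constructed process inventory against it. All data below is constructed.
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

HASH_FILE = """# constructed user-defined malware list
d41d8cd98f00b204e9800998ecf8427e,empty image (constructed entry)
900150983CD24FB0D6963F7D28E17F72   # md5("abc"), no description, mixed case
00000000000000000000000000000000,placeholder that matches nothing (constructed)
"""

# Constructed process inventory: (process name, bytes of its image on disk).
PROCESSES = [
    ("svchost.exe", b"some legitimate image bytes (constructed)"),
    ("updater.exe", b"abc"),
    ("tmp_dropper.exe", b""),
]


def parse_hash_list(text):
    """Return {md5: description or None}. Malformed lines raise ValueError so a
    typo in the upload is caught instead of silently never matching."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop '#' comments, whole-line or trailing
        if not line:
            continue
        digest, _, description = line.partition(",")
        digest = digest.strip().lower()       # matching is on the hex value, any case
        if not MD5_RE.match(digest):
            raise ValueError(f"line {lineno}: {digest!r} is not a 32-hex-digit MD5")
        entries[digest] = description.strip() or None
    return entries


def scan_processes(processes, hash_list):
    """processes: iterable of (name, image_bytes). Returns the matches, carrying
    the description when one was supplied, as the scan results would show it.
    Note that a hash list only catches byte-identical known samples; a rebuilt
    or repacked binary produces a new MD5 and is missed."""
    hits = []
    for name, image in processes:
        digest = hashlib.md5(image).hexdigest()
        if digest in hash_list:
            hits.append({"process": name, "md5": digest,
                         "description": hash_list[digest]})
    return hits


if __name__ == "__main__":
    for hit in scan_processes(PROCESSES, parse_hash_list(HASH_FILE)):
        print(hit["process"], hit["md5"], hit["description"] or "(no description)")
```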
Nessus SYN scanner and Nessus TCP scanner

The “Nessus SYN scanner” and “Nessus TCP scanner” options allow you to better tune the native SYN and TCP scanners to detect the presence of a firewall.

Value – Description
Automatic (normal) – This option can help identify if a firewall is located between the scanner and the target (default).
Disabled (softer) – Disables the Firewall detection feature.
Do not detect RST rate limitation (soft) – Disables the ability to monitor how often resets are set and to determine if there is a limitation configured by a downstream network device.
Ignore closed ports (aggressive) – Will attempt to run plugins even if the port appears to be closed. It is recommended that this option not be used on a production network.

NetApp Data ONTAP Compliance Checks

The “NetApp Data ONTAP Compliance Checks” menu allows commercial customers to upload policy files that will be used to determine if a tested NetApp Data ONTAP based device meets the specified compliance standards. Up to five policies may be selected at one time.

Oracle Settings

The “Oracle Settings” menu configures Nessus with the Oracle Database SID and includes an option to test for known default accounts in Oracle software.

PCI DSS Compliance

The “PCI DSS Compliance” option will have Nessus compare the scan results to current PCI DSS compliance standards. This feature is only available to commercial customers.

Patch Management

Nessus can leverage credentials for the Red Hat Satellite Server, IBM Tivoli Endpoint Manager (TEM), WSUS, SCCM, and VMware Go (formerly Shavlik) patch management systems to perform patch auditing on systems for which credentials may not be available to the Nessus scanner. Options for these patch management systems can be found under “Preferences” in their respective drop-down menus: “Patch Management: IBM Tivoli Endpoint Manager Server Settings”, “Patch Management: Red Hat Satellite Server Settings”, “Patch Management: SCCM Server Settings”, “Patch Management: VMware Go Server Settings”, and “Patch Management: WSUS Server Settings”. More information on using Nessus to scan hosts via these patch management systems is available in the “Patch Management Integration” document.

Palo Alto Networks PAN-OS Settings

The “Palo Alto Networks PAN-OS Settings” menu allows commercial customers to audit Palo Alto PAN-OS devices. This requires valid credentials and allows you to configure the port and optionally verify the SSL certificate fully before proceeding.

Patch Report

The “Patch Report” menu allows you to configure Nessus to include or remove superseded patch information in the scan report.

Ping the remote host

The “Ping the remote host” options allow for granular control over Nessus’ ability to ping hosts during discovery scanning. This can be done via ARP ping, TCP ping, ICMP ping, or applicative UDP ping. This option is on by default.

To scan VMware guest systems, “ping” must be disabled: in the scan policy under “Advanced” -> “Ping the remote host”, uncheck TCP, ICMP, and ARP ping.

Option – Description
TCP ping destination port(s) – Specifies the list of ports that will be checked via TCP ping. If you are not sure of the ports, leave this setting to the default of “built-in”.
Number of Retries (ICMP) – Allows you to specify the number of attempts to try to ping the remote host. The default is set to 6.
Do an applicative UDP ping (DNS, RPC…) – Perform a UDP ping against specific UDP-based applications including DNS (port 53), RPC (port 111), NTP (port 123), and RIP (port 520).
Make the dead hosts appear in the report – If this option is selected, hosts that did not reply to the ping request will be included in the security report as dead hosts.
Log live hosts in the report – Select this option to specifically report on the ability to successfully ping a remote host.
Test the local Nessus host – This option allows you to include or exclude the local Nessus host from the scan. This is used when the Nessus host falls within the target network range for the scan.
Fast network discovery – By default, when Nessus “pings” a remote IP and receives a reply, it performs extra checks to make sure that it is not a transparent proxy or a load balancer that would return noise but no result (some devices answer to every port 1-65535 but there is no service behind). Such checks can take some time, especially if the remote host is firewalled. If the “fast network discovery” option is enabled, Nessus will not perform these checks.

Port scanner settings

The “Port scanner settings” menu provides two options to further control port scanning activity:

Option – Description
Check open TCP ports found by local port enumerators – If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus will also verify it is open remotely. This helps determine if some form of access control is being used (e.g., TCP wrappers, firewall).
Only run network port scanners if local port enumeration failed – Rely on local port enumeration first. Otherwise, the network port scanners are run.

Remote web server screenshot

The “Remote web server screenshot” menu enables Nessus to take screenshots to better demonstrate some findings. This includes some services (e.g., VNC, RDP) as well as configuration specific options (e.g., web server directory indexing). The feature only works for Internet-facing hosts, as the screenshots are generated on a managed server and sent to the Nessus scanner. Note that screenshots are not exported with a Nessus scan report.

SCAP Linux Compliance Checks

The “SCAP Linux Compliance Checks” menu allows commercial customers to upload SCAP zip files that will be used to determine if a tested Linux system meets the compliance standards as specified in SP 800-126. For more information on SCAP, please visit the NIST Security Content Automation Protocol site.
SCAP Windows Compliance Checks

The “SCAP Windows Compliance Checks” menu allows commercial customers to upload SCAP zip files that will be used to determine if a tested Windows system meets the compliance standards as specified in SP 800-126. For more information on SCAP, please visit the NIST Security Content Automation Protocol site.

SMB Registry: Start the Registry Service during the scan

The “SMB Registry: Start the Registry Service during the scan” menu allows Nessus to use credentials to temporarily start the SMB Registry service so that it may perform additional auditing. This facilitates some of the scanning requirements for machines that may not have the SMB Registry running all the time. Once completed, Nessus will disable the service.

SMB Scope

Under the “SMB Scope” menu, if the option “Request information about the domain” is set, then domain users will be queried instead of local users.

SMB Use Domain SID to Enumerate Users

The “SMB Use Domain SID to Enumerate Users” menu specifies the SID range to use to perform a reverse lookup on usernames on the domain. The default setting is recommended.

SMB Use Host SID to Enumerate Local Users

The “SMB Use Host SID to Enumerate Local Users” menu specifies the SID range to use to perform a reverse lookup on local usernames. The default setting is recommended for most scans.

SMTP settings

The “SMTP settings” menu specifies options for SMTP (Simple Mail Transport Protocol) tests that run on all devices within the scanned domain that are running SMTP services.

Option – Description
Third party domain – Nessus will attempt to send spam through each SMTP device to the address listed in this field. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test might be aborted by the SMTP server.
From address – The test messages sent to the SMTP server(s) will appear as if they originated from the address specified in this field.
To address – Nessus will attempt to send messages addressed to the mail recipient listed in this field. The postmaster address is the default value since it is a valid address on most mail servers.

Nessus will attempt to relay messages through the device to the specified “Third party domain”. If the message sent to the “Third party domain” is rejected by the address specified in the “To address” field, the spam attempt failed. If the message is accepted, then the SMTP server was successfully used to relay spam.

SNMP settings

The “SNMP settings” menu allows you to configure Nessus to connect and authenticate to the SNMP service of the target. During the course of scanning, Nessus will make some attempts to guess the community string and use it for subsequent tests. If Nessus is unable to guess the community string and/or password, it may not perform a full audit against the service.

Option – Description
Community name (0-3) – The SNMP community name. Up to four separate community name strings are supported per scan policy.
UDP port – Direct Nessus to scan a different port if SNMP is running on a port other than 161.
SNMPv3 user name – The username for a SNMPv3 based account.
SNMPv3 authentication password – The password for the username specified.
SNMPv3 authentication algorithm – Select MD5 or SHA1 based on which algorithm the remote service supports.
SNMPv3 privacy password – A password used to protect encrypted SNMP communication.
SNMPv3 privacy algorithm – The encryption algorithm to use for SNMP traffic.

Unix Compliance Checks

The “Unix Compliance Checks” menu allows commercial customers to upload Unix audit files that will be used to determine if a tested system meets the specified compliance standards. Up to five policies may be selected at one time.
Service Detection

The “Service Detection” menu controls how Nessus will test SSL based services: known SSL ports (e.g., 443), all ports, or none. Testing for SSL capability on all ports may be disruptive for the tested host.

VMware SOAP API Settings

The “VMware SOAP API Settings” menu provides Nessus with the credentials required to authenticate to VMware ESX, ESXi, and vSphere Hypervisor management systems via their own SOAP API. The API is intended for the auditing of vSphere 4.x / 5.x, ESXi, and ESX hosts, not the virtual machines running on the hosts. This authentication method can be used to perform credentialed scans or perform compliance audits, as SSH access has been deprecated. The credentials can be Active Directory (AD) accounts for integrated hosts or local accounts, and the account must be in the root local group. Domain credentials are user@domain; locally created accounts are user and password.

Option – Description
VMware user name – The user name to authenticate with.
VMware password (unsafe!) – This password is sent insecurely and may be intercepted by sniffing the network.

VMware vCenter SOAP API Settings

The “VMware vCenter SOAP API Settings” menu provides Nessus with the credentials required to authenticate to VMware vCenter via its own SOAP API. The API is intended for the auditing of vCenter, not the virtual machines running on the hosts. This authentication method can be used to perform credentialed scans or perform compliance audits, as SSH access has been deprecated. The credentials can be Active Directory (AD) accounts for integrated hosts or local accounts, and the account must be in the root local group. Domain credentials are user@domain; locally created accounts are user and password.

Option – Description
VMware vCenter host – Host name or IP of the vCenter installation to audit.
VMware vCenter port – Port vCenter answers on (default: 443).
VMware vCenter user name – The user name to authenticate with.
VMware vCenter password – This password is sent insecurely and may be intercepted by sniffing the network, unless SSL is specified.
SSL – Use SSL to connect to the host.
Verify SSL Certificate – If an SSL certificate is present on the server, verify the integrity of it.
Ignore SSL Certificate – If an SSL certificate is present on the server, ignore it.

VMware vCenter/vSphere Compliance Checks

The “VMware vCenter/vSphere Compliance Checks” menu allows commercial customers to upload VMware vCenter or vSphere audit files that will be used to determine if a tested system meets the specified compliance standards. Up to five policies may be selected at one time.

Wake-on-LAN

The “Wake-on-LAN” (WOL) menu controls which hosts to send WOL magic packets to before performing a scan and how long to wait (in minutes) for the systems to boot. The list of MAC addresses for WOL is entered using an uploaded text file with one host MAC address per line. For example:

00:11:22:33:44:55
aa:bb:cc:dd:ee:ff
[…]

Web Application Tests Settings

The “Web Application Tests Settings” menu tests the arguments of the remote CGIs (Common Gateway Interface) discovered in the web mirroring process by attempting to pass common CGI programming errors such as cross-site scripting, remote file inclusion, command execution, traversal attacks, and SQL injection. Enable this option by selecting the “Enable web applications tests” checkbox. These tests are dependent on the following NASL plugins:

11139, 42424, 42479, 43160 – SQL Injection (CGI abuses)
39465, 44967 – Command Execution (CGI abuses)
39466, 47831, 47832, 47834, 49067 – Cross-Site Scripting (CGI abuses: XSS)
39467, 46193, 46194, 46195 – Directory Traversal (CGI abuses)
39468 – HTTP Header Injection (CGI abuses: XSS)
39469, 42056, 42872 – File Inclusion (CGI abuses)
42055 – Format String (CGI abuses)
42423, 42054 – Server Side Includes (CGI abuses)
44136 – Cookie Manipulation (CGI abuses)
46196 – XML Injection (CGI abuses)
40406, 48926, 48927 – Error Messages
47830, 44134, 42425, 42426, 42427 – Additional attacks (CGI abuses)

Note: This list of web application related plugins is updated frequently and may not be complete. Additional plugins may be dependent on the settings in this preference option.

Option – Description
Maximum run time (min) – This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given web site. Scanning the local network for web sites with small applications will typically complete in under an hour; however, web sites with large applications may require a higher value.
Try all HTTP methods – This option will instruct Nessus to also use “POST requests” for enhanced web form testing. By default, the web application tests will only use GET requests, unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. This setting provides more thorough testing, but may considerably increase the time required. When selected, Nessus will test each script/variable with both GET and POST requests.
Combinations of arguments values – This option manages the combination of argument values used in the HTTP requests. This dropdown has three options:
  one value – This tests one parameter at a time with an attack string, without trying “non-attack” variations for additional parameters. For example, Nessus would attempt “/test.php?arg1=XSS&b=1&c=1” where “b” and “c” allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.
  All pairs (slower but efficient) – This form of testing is slightly slower but more efficient than the “one value” test. While testing multiple parameters, it will test an attack string, variations for a single variable and then use the first value for all other variables. For example, Nessus would attempt “/test.php?a=XSS&b=1&c=1&d=1” and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Nessus would never test for “/test.php?a=XSS&b=3&c=3&d=3” when the first value of each variable is “1”.
  All combinations (extremely slow) – This method of testing will do a fully exhaustive test of all possible combinations of attack strings with valid input to variables. Where “All-pairs” testing seeks to create a smaller data set as a tradeoff for speed, “all combinations” makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.
Stop at first flaw – This option determines when a new flaw is targeted. This applies at the script level; finding an XSS flaw will not disable searching for SQL injection or header injection, but you will have at most one report for each type on a given port, unless “thorough tests” is set. Note that several flaws of the same type (e.g., XSS, SQLi, etc.) may be reported sometimes, if they were caught by the same attack. The dropdown has four options:
  per CGI – As soon as a flaw is found on a CGI by a script, Nessus switches to the next known CGI on the same server, or if there is no other CGI, to the next port/server. This is the default option.
  per port (quicker) – As soon as a flaw is found on a web server by a script, Nessus stops and switches to another web server on a different port.
  per parameter (slow) – As soon as one type of flaw is found in a parameter of a CGI (e.g., XSS), Nessus switches to the next parameter of the same CGI, or the next known CGI, or to the next port/server.
  look for all flaws (slower) – Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.
URL for Remote File Inclusion – During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Nessus will use a safe file hosted on Tenable’s web server for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing.
Test Embedded web servers – Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.
HTTP Parameter Pollution – When performing web application tests, attempt to bypass any filtering mechanisms by injecting content into a variable while supplying the same variable with valid content as well. For example, a normal SQL injection test may look like “/target.cgi?a='&b=2”. With HTTP Parameter Pollution (HPP) enabled, the request may look like “/target.cgi?a='&a=1&b=2”.

Web mirroring

The “Web mirroring” menu sets configuration parameters for Nessus’ native web server content mirroring utility. Nessus will mirror web content to better analyze the contents for vulnerabilities and help minimize the impact on the server.

Option – Description
Number of pages to mirror – The maximum number of pages to mirror.
Maximum depth – Limit the number of links Nessus will follow for each start page.
Start page – The URL of the first page that will be tested. If multiple pages are required, use a colon delimiter to separate them (e.g., “/:/php4:/base”).
Excluded items regex – Enable exclusion of portions of the web site from being crawled. For example, to exclude the “/manual” directory and all Perl CGI, set this field to: (^/manual)|(\.pl(\?.*)?$)
Follow dynamic pages – If selected, Nessus will follow dynamic links and may exceed the parameters set above.

If the web mirroring parameters are set in such a way to mirror an entire web site, this may cause a significant amount of traffic to be generated during the scan. For example, if there is 1 gigabyte of material on a web server and Nessus is configured to mirror everything, then the scan will generate at least 1 gigabyte of traffic from the server to the Nessus scanner.

Windows Compliance Checks

The “Windows Compliance Checks” menu allows commercial customers to upload Microsoft Windows configuration audit files that will be used to determine if a tested system meets the specified compliance standards. Up to five policies may be selected at one time.

Windows File Contents Compliance Checks

The “Windows File Contents Compliance Checks” menu allows commercial customers to upload Windows-based audit files that search a system for a specific type of content (e.g., credit cards, Social Security numbers) to help determine compliance with corporate regulations or third-party standards.

When all of the options have been configured as desired, click “Submit” to save the policy and return to the Policies tab. At any time, you can click on “Edit” to make changes to a policy you have already created or click on “Delete” to remove a policy completely.

For Further Information

Tenable has produced a variety of other documents detailing Nessus’ installation, deployment, configuration, user operation and overall testing. These are listed here:

Nessus 5.2 Installation and Configuration Guide – step by step walk through of installation and configuration
Nessus Credential Checks for Unix and Windows – information on how to perform authenticated network scans with the Nessus vulnerability scanner
Nessus Compliance Checks – high-level guide to understanding and running compliance checks using Nessus and SecurityCenter
Nessus Compliance Checks Reference – comprehensive guide to Nessus Compliance Check syntax
Nessus v2 File Format – describes the structure for the .nessus file format, which was introduced with Nessus 3.2 and NessusClient 3.2
Nessus 5.0 REST Protocol Specification – describes the REST protocol and interface in Nessus
Nessus 5 and Antivirus – outlines how several popular security software packages interact with Nessus, and provides tips or workarounds to allow the software to better co-exist without compromising your security or hindering your vulnerability scanning efforts
Nessus 5 and Mobile Device Scanning – describes how Nessus integrates with Microsoft Active Directory and mobile device management servers to identify mobile devices in use on the network
Nessus 5.0 and Scanning Virtual Machines – describes how Tenable Network Security's Nessus vulnerability scanner can be used to audit the configuration of virtual platforms as well as the software that is running on them
Strategic Anti-malware Monitoring with Nessus, PVS, and LCE – describes how Tenable's USM platform can detect a variety of malicious software and identify and determine the extent of malware infections
Patch Management Integration – describes how Nessus and SecurityCenter can leverage credentials on the IBM TEM, Microsoft WSUS and SCCM, VMware Go, and Red Hat Network Satellite patch management systems to perform patch auditing on systems for which credentials may not be available to the Nessus scanner
Real-Time Compliance Monitoring – outlines how Tenable’s solutions can be used to assist in meeting many different types of government and financial regulations
Tenable Products Plugin Families – provides a description and summary of the plugin families for Nessus, Log Correlation Engine, and the Passive Vulnerability Scanner
SecurityCenter Administration Guide

Other online resources are listed below:

Nessus Discussions Forum: https://discussions.nessus.org/
Tenable Blog: http://blog.tenable.com/
Tenable Podcast: http://blog.tenable.com/podcast/
Example Use Videos: http://www.youtube.com/user/tenablesecurity
Tenable Twitter Feed: http://twitter.com/tenablesecurity

Please feel free to contact Tenable at [email protected], [email protected], or visit our website at http://www.tenable.com/.

About Tenable Network Security

Tenable Network Security is relied upon by more than 20,000 organizations, including the entire U.S. Department of Defense and many of the world’s largest companies and governments, to stay ahead of emerging vulnerabilities, threats and compliance-related risks. Its Nessus and SecurityCenter solutions continue to set the standard to identify vulnerabilities, prevent attacks and comply with a multitude of regulatory requirements. For more information, please visit www.tenable.com.

GLOBAL HEADQUARTERS
Tenable Network Security
7021 Columbia Gateway Drive
Suite 500
Columbia, MD 21046
410.872.0555
www.tenable.com

Copyright © 2014. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
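The Wake-on-LAN section above describes the upload format (one MAC address per line) but not what the scanner does with it. The following added example, which is not code from the guide or from Tenable, parses such a file, rejects malformed lines, and builds the standard WOL magic packet (six 0xFF bytes followed by the MAC repeated sixteen times). The broadcast address 255.255.255.255 and UDP port 9 used by send_wol are this example's own assumptions; the guide does not say which Nessus uses.

```python
import re
import socket

# Constructed sample of the upload file format described under "Wake-on-LAN":
# one host MAC address per line (the two addresses are the guide's own example).
SAMPLE_MAC_FILE = """\
00:11:22:33:44:55
aa:bb:cc:dd:ee:ff
"""

_OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_mac(text):
    """Parse one MAC ("00:11:22:33:44:55" or "00-11-22-33-44-55") into 6 bytes.
    Anything else raises ValueError so a malformed upload fails loudly."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6 or not all(_OCTET.match(p) for p in parts):
        raise ValueError("not a MAC address: %r" % text)
    return bytes(int(p, 16) for p in parts)


def parse_mac_list(contents):
    """Parse the whole upload file: one MAC per line, blank lines ignored,
    and the line number reported when a line cannot be parsed."""
    macs = []
    for lineno, line in enumerate(contents.splitlines(), 1):
        if not line.strip():
            continue
        try:
            macs.append(parse_mac(line))
        except ValueError as exc:
            raise ValueError("line %d: %s" % (lineno, exc)) from None
    return macs


def magic_packet(mac):
    """Build the WOL magic packet: 6 x 0xFF, then the target MAC 16 times (102 bytes)."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return b"\xff" * 6 + mac * 16


def send_wol(mac, broadcast="255.255.255.255", port=9):
    """Send the magic packet as a UDP broadcast and return the byte count sent.
    Broadcast address and port are assumptions of this example, not Nessus settings."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (broadcast, port))
    return len(pkt)


if __name__ == "__main__":
    for mac in parse_mac_list(SAMPLE_MAC_FILE):
        print(mac.hex(), "->", send_wol(mac), "bytes sent")
```

Because WOL is a broadcast, the scanner (or this script) must sit on the same layer-2 segment as the hosts, or the network must be configured to forward directed broadcasts; a wait time in minutes, as the option provides, is needed because the hosts still have to finish booting before the scan starts.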
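The “Combinations of arguments values” option under Web Application Tests Settings describes three request-generation strategies only in prose. The following added example (my own model of that description, not Nessus code) generates the request set each strategy would produce for the guide's /test.php case, so the growth in request count, and the guide's statement that all pairs never sends a=XSS&b=3&c=3&d=3, can be checked. The literal ATTACK is a placeholder for whatever test string a plugin would use; the parameter names and values are constructed input.

```python
import itertools
from urllib.parse import urlencode

# Placeholder standing in for the test string a plugin would inject.
ATTACK = "ATTACK"


def _add(out, seen, query):
    """Append query to out unless an identical request was already generated."""
    key = tuple(query.items())
    if key not in seen:
        seen.add(key)
        out.append(query)


def one_value(params):
    """'one value': each parameter in turn receives the attack string; every other
    parameter keeps the first value discovered for it during mirroring."""
    out, seen = [], set()
    for target in params:
        _add(out, seen, {n: (ATTACK if n == target else v[0]) for n, v in params.items()})
    return out


def all_pairs(params):
    """'All pairs': one parameter receives the attack string, one other parameter
    cycles through all of its discovered values, the rest keep their first value."""
    out, seen = [], set()
    for target in params:
        others = [n for n in params if n != target]
        if not others:
            _add(out, seen, {target: ATTACK})
        for cycled in others:
            for value in params[cycled]:
                q = {}
                for n, values in params.items():
                    q[n] = ATTACK if n == target else (value if n == cycled else values[0])
                _add(out, seen, q)
    return out


def all_combinations(params):
    """'All combinations': the attack string against every combination of the valid
    values of all other parameters (exhaustive, hence 'extremely slow')."""
    out, seen = [], set()
    for target in params:
        others = [n for n in params if n != target]
        for combo in itertools.product(*(params[n] for n in others)):
            q = dict(zip(others, combo))
            q[target] = ATTACK
            _add(out, seen, {n: q[n] for n in params})
    return out


def render(path, query):
    """Format one request the way the guide shows them, e.g. /test.php?a=ATTACK&b=1&c=1&d=1."""
    return path + "?" + urlencode(query)


# Constructed input modelled on the guide's /test.php example: four parameters,
# each with three values observed during the mirror pass, "1" being the first.
SAMPLE_PARAMS = {"a": ["1", "2", "3"], "b": ["1", "2", "3"],
                 "c": ["1", "2", "3"], "d": ["1", "2", "3"]}

if __name__ == "__main__":
    for name, fn in (("one value", one_value), ("all pairs", all_pairs),
                     ("all combinations", all_combinations)):
        reqs = fn(SAMPLE_PARAMS)
        print("%-16s %3d requests, first: %s" % (name, len(reqs), render("/test.php", reqs[0])))
```

For this input the three strategies produce 4, 28 and 108 requests per attack string; with n parameters of v values each, all combinations grows as n times v to the power n minus one, which is why the guide calls it extremely slow and why a scan window (Maximum run time) should be sized with the strategy in mind.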
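The Web mirroring section gives one “Excluded items regex” example, (^/manual)|(\.pl(\?.*)?$), without showing how it is applied to discovered links. The following added example (not the guide's or Tenable's code) applies that regex to a constructed set of links the way a crawler would, splits the colon-delimited “Start page” field, and shows one caveat a practitioner should know: ^/manual is a prefix match and also excludes /manuals/. The tightened pattern in the usage note is my suggestion, not from the guide.

```python
import re

# The guide's own example for "Excluded items regex": skip the /manual directory and
# every Perl CGI, with or without a query string.
EXCLUDED_ITEMS_REGEX = r"(^/manual)|(\.pl(\?.*)?$)"


def parse_start_pages(field):
    """Split the colon-delimited "Start page" field, e.g. "/:/php4:/base"."""
    return [p for p in field.split(":") if p]


def is_excluded(link, pattern=EXCLUDED_ITEMS_REGEX):
    """True when the link (path plus optional query string) matches the exclusion regex.
    re.search rather than re.match: only the /manual branch is anchored at the start,
    the Perl branch is anchored at the end."""
    return re.search(pattern, link) is not None


def filter_links(links, pattern=EXCLUDED_ITEMS_REGEX):
    """Partition discovered links into those the mirror would crawl and those it would skip."""
    kept, skipped = [], []
    for link in links:
        (skipped if is_excluded(link, pattern) else kept).append(link)
    return kept, skipped


# Constructed sample of links a mirror pass might discover.
SAMPLE_LINKS = [
    "/",
    "/manual/index.html",         # under /manual: skipped
    "/manuals/foo.html",          # ^/manual is a prefix match, so this is skipped too
    "/cgi-bin/search.pl",         # Perl CGI: skipped
    "/cgi-bin/search.pl?q=test",  # Perl CGI with a query string: skipped
    "/php4/info.php",             # crawled
    "/base/manual.html",          # "manual" is not at the start of the path: crawled
    "/docs/report.pl.txt",        # ".pl" is not the final extension: crawled
]

if __name__ == "__main__":
    print("start pages:", parse_start_pages("/:/php4:/base"))
    kept, skipped = filter_links(SAMPLE_LINKS)
    print("crawl:", kept)
    print("skip: ", skipped)
```

If only the /manual directory itself should be excluded, anchor the directory branch on a following slash or end of string, for example (^/manual(/|$))|(\.pl(\?.*)?$), which keeps /manuals/foo.html in the crawl. Remember that exclusions reduce what the web application tests see, so a directory excluded here is not tested either.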