Nessus

Introduction
Nessus is a program designed to automate the testing and discovery of known security
problems. Nessus aims to provide the Internet community with a free, powerful, up-to-date
and easy-to-use remote security scanner. The program combines state-of-the-art
probabilistic algorithms with general-purpose numerical analysis methods to compute the
probabilistic response and reliability of engineered systems.
A security scanner is software that remotely audits a given network and determines
whether a hacker could break into it and/or misuse it in some way. In many situations,
someone discovers a way into a protected program. The discovery may be accidental or the
result of research, and it is then released to the security community in varying levels of
detail. Nessus is designed to help identify and fix these known problems before a hacker
takes advantage of them. Nessus is a great tool with many capabilities. The program is,
however, fairly complex, and few articles exist to guide a new user through the details of
how to install and use it.
Nessus uses a client/server architecture, which is very powerful. Servers can be placed
at a large number of strategic points on a network, allowing tests to be conducted from
various points of view. Either a central client or multiple distributed clients may control
all the servers. The server runs on most UNIX systems. It also runs on Mac systems, but
the program runs much better on Linux systems. Clients are available for both Windows and
UNIX. The Nessus server performs the actual testing, while the client provides
configuration and reporting functionality.
How Does Nessus Work?
Nessus lets users run the administrative console, which launches vulnerability scans and
holds the databases, on a machine other than the server. Client front ends are available for
Java, Win32, and X11, making Nessus a true cross-platform tool that can scan Linux and
Windows hosts.
Nessus provides plug-ins that are very similar to virus signatures and scan for known
vulnerabilities in common applications. These plug-in programs are typically written in
NASL (Nessus Attack Scripting Language), but they can be written in most languages.
Plug-in updates need to be done frequently so that the program has up-to-date vulnerability
detection.
The administrator using Nessus can either customize the scan or use the default scans,
which are usually the preferred method for time saving purposes. The user can also set
port scanning to various levels to take firewalls and intrusion detection systems into
consideration.
For more accurate and detailed information from Windows-based hosts in a Windows
domain, it is recommended to create a domain group and account that have remote
registry access privileges. Upon completing this task, the user will gain access not only to
registry key settings but also to the service pack patch levels, Internet Explorer
vulnerabilities, and all services running on the host.
The scan results are formatted based on domains, hosts, and associated vulnerabilities.
Reported weaknesses come with a multitude of suggestions, explaining the nature of the
problem and listing fixes. Further information is provided for administrators through
links to the Common Vulnerabilities and Exposures (CVE) dictionary
(www.cve.mitre.org) and Microsoft TechNet (www.microsoft.com/TechNet), an online
security resource. These sites are a great resource for any administrator and
provide existing patches and any known vulnerabilities. Nessus will appeal most to an
administrator who wants not only a comprehensive scanning tool, but also an in-depth
long-term education in network security vulnerabilities.
Tutorial on How to Use Nessus
This section shows you how to configure Nessus server (nessusd) to scan a part of the
network (eight hosts actually). Seven of the tested hosts are on a local network, whereas
the last is located somewhere else, across the Internet.

First Step: The configuration of the server by the administrator

Second Step: The use of the Unix client (including screenshots)

Third Step: The results of the test
First Step: The configuration of the server by the administrator
Nessus is made up of two parts: a client and a server. You need a Unix-like system to run
the server. In this test, only the standard client, nessus, is used, because it is the only
one that supports the cipher layer.
First: Download and install nessusd and nessus
- You have to download the latest version of Nessus.
Second: Create a nessusd account
- The nessusd server has its own users database, each user having a set of
restrictions. This allows you to share a single nessusd server for a whole network
and different administrators who will only test their part of the network.
The utility nessus-adduser takes care of the creation of a new account :
# nessus-adduser
Addition of a new nessusd user
------------------------------

Login: renaud
Authentication (pass/cert) [pass]: pass
Password: secret

User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that renaud2 has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)
deny 10.163.156.1
accept 10.163.156.0/24
default deny

Login    : renaud
Password : secret
DN       :
Rules    :
deny 10.163.156.1
accept 10.163.156.0/24
default deny

Is that ok (y/n) ? [y] y
user added.
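The rules entered above decide which hosts this nessusd user may scan, and the same syntax is what the Rules section of the client later restricts a test with (the whole /24 except one host). The following Python is an added example, not code from this page or from the Nessus project: it reads a ruleset in that syntax and answers, for any target address, whether the user holding it may scan that host. It assumes that rules are tried in order, that the first rule whose network contains the target wins, and that the default line applies when nothing matched; that is the reading under which "deny 10.163.156.1" followed by "accept 10.163.156.0/24" makes sense. Treating "#" as a comment marker and refusing when no default line is present are the example's own conveniences, and all function names are its own.

```python
import ipaddress

# Constructed sample: the ruleset entered for user "renaud" in the transcript above.
SAMPLE_RULES = """\
deny 10.163.156.1
accept 10.163.156.0/24
default deny
"""


def parse_rules(text):
    """Parse nessusd user rules into a list of (verdict, network) plus a default verdict.

    Assumed semantics (the example's reading, not something the page states):
    rules are tried in order, the first one whose network contains the target
    wins, and the 'default' verdict applies when no rule matched.
    """
    rules = []
    default = "deny"  # assumption: with no 'default' line, refuse (the safe choice)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' comments and blank lines are ignored
        if not line:
            continue
        parts = line.split()
        if parts[0] == "default":
            if len(parts) != 2 or parts[1] not in ("accept", "deny"):
                raise ValueError(f"line {lineno}: malformed default rule {raw!r}")
            default = parts[1]
        elif parts[0] in ("accept", "deny"):
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: malformed rule {raw!r}")
            # A bare address becomes a /32; a CIDR block is taken as written.
            net = ipaddress.ip_network(parts[1], strict=False)
            rules.append((parts[0], net))
        else:
            raise ValueError(f"line {lineno}: unknown keyword {parts[0]!r}")
    return rules, default


def may_scan(target, rules, default):
    """True if the user holding these rules is allowed to scan the target address."""
    addr = ipaddress.ip_address(target)
    for verdict, net in rules:
        if addr in net:  # first matching rule decides
            return verdict == "accept"
    return default == "accept"


def split_targets(targets, rule_text):
    """Partition a list of addresses into (allowed, refused) under a ruleset."""
    rules, default = parse_rules(rule_text)
    allowed = [t for t in targets if may_scan(t, rules, default)]
    refused = [t for t in targets if not may_scan(t, rules, default)]
    return allowed, refused


if __name__ == "__main__":
    hosts = ["10.163.156.1", "10.163.156.42", "10.163.157.9", "192.0.2.7"]
    ok, no = split_targets(hosts, SAMPLE_RULES)
    print("allowed:", ok)
    print("refused:", no)
```

Because the first match wins, the order of the lines matters: writing the accept for the /24 before the deny for a single host would let that host through, so the more specific deny has to come first, as it does in the transcript.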
Third: configure your nessus daemon
In the file /usr/local/etc/nessus/nessusd.conf, we can set several options for
nessusd. Typically this is where you can specify the resources you want nessusd
to use, the speed at which it should read data, and so on...
Note that if you don't have a nessusd.conf file, nessusd will create one for you.
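As an illustration of the resource and speed settings mentioned above, here is a short nessusd.conf excerpt added here for this tutorial; it is not taken from the page or from a file shipped with Nessus. The key names are the ones used by Nessus 2.x configuration files (max_hosts and max_checks bound how many hosts and how many plugins per host run in parallel; safe_checks makes plugins that could crash a service rely on banner information instead of actively triggering the fault), so verify them against the file nessusd generated on your own system, and treat the values as assumed starting points rather than recommendations from the page.

```ini
# Added example excerpt of nessusd.conf; values are assumed starting points.
# How many hosts to test at the same time
max_hosts = 10
# How many plugins to run in parallel against each host
max_checks = 5
# Plugins that could crash a service rely on banners instead of
# triggering the fault (the conservative setting)
safe_checks = yes
# Port range the scanner covers
port_range = 1-15000
```

Lowering max_hosts and max_checks trades scan time for a lighter load on the network and on the targets, which is the same trade-off the client's scan options expose later in this tutorial.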
Start nessusd
Once all of this is done, we can safely start nessusd as root : nessusd -D
Second Step: The use of the Unix Client
In the first step, we saw how to configure nessusd, as root, to suit our needs. Now we
will connect to it as a regular user.
Fire up nessus :
We immediately click on Login, since this setup is correct. Since we have never
connected to this server before, it will show us its certificate and ask whether we
accept it or not. Note that if you want to avoid man-in-the-middle attacks, you
should configure the client so that it uses a recognized Certificate Authority to
check SSL keys, but this is beyond the scope of the demo.
Once we are connected, the Log in button changes to Log out, and a Connected
label appears to its left.

The security checks configuration
We let all the security checks be performed, except the Denial of Service
attacks, because we do not want our hosts to crash at this moment.
Clicking on a plugin name pops up a window explaining what the plugin does.

The plugins preferences
You can give extra information to some security checks so that the audit is more
complete. For instance, if you give nessusd an SMB login and password, you
will be given local information about the remote Windows host (such as the
missing security patches).
Many options can be set through this panel.

The scan options
In this section, we choose which port scanner we want to use, how many hosts we
want to have scanned at the same time, and how many plugins we want to run in
parallel against each host. If we were to scan a firewalled web server, we could
check the option "consider unscanned ports as closed" and only specify to scan
port 80 - this would greatly speed up the scan.

Define the targets :
The hosts of the local network use private IP addresses, so entering
'10.163.156.1-10.163.156.254' is fine. We do not check the 'Perform a DNS
transfer zone' option, since it would perform a zone transfer on fr.nessus.org and
nessus.org, which would be useless, since it would not discover any new hosts.
We could use the following forms to define the targets:
10.163.156.1
    A single IP address.
10.163.156.1-254
    A range of IP addresses.
10.163.156.1-10.163.159.254
    Another range of IP addresses.
10.163.156.1/24
    Again a range of IP addresses, in CIDR notation.
hope.fr.nessus.org
    A hostname in Fully Qualified Domain Name notation.
hope
    A hostname (as long as it is resolvable on the server).
prof, 10.163.156.0/24, ...
    Any combination of the aforementioned forms, separated by commas.
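To make the target forms listed above concrete, the following Python is an added example (not code from the page or from the Nessus client) that expands a target line into the set of addresses a scan would cover. It handles every form in the list: a single address, a last-octet range, a range between two full addresses, a CIDR block, a hostname, and comma-separated combinations. Hostnames are returned unresolved, since the page says they are resolved on the server. Two choices are the example's own assumptions rather than Nessus behaviour: the network and broadcast addresses of a CIDR block larger than /31 are left out, and anything that would expand to more than MAX_EXPANSION addresses is refused. It also rejects a malformed range with five octets instead of silently treating it as a hostname.

```python
import ipaddress
import re

# Refuse to expand absurdly large specifications (an example safeguard, not a Nessus limit).
MAX_EXPANSION = 65536

_OCTET = r"\d{1,3}"
_IPV4 = rf"{_OCTET}\.{_OCTET}\.{_OCTET}\.{_OCTET}"
_FULL_RANGE = re.compile(rf"^({_IPV4})-({_IPV4})$")
_LAST_OCTET_RANGE = re.compile(rf"^({_OCTET}\.{_OCTET}\.{_OCTET})\.({_OCTET})-({_OCTET})$")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def _addresses_between(first, last):
    """All IPv4 addresses from first to last inclusive, refusing backwards or huge ranges."""
    lo, hi = int(first), int(last)
    if hi < lo:
        raise ValueError(f"range {first}-{last} runs backwards")
    if hi - lo + 1 > MAX_EXPANSION:
        raise ValueError(f"range {first}-{last} expands to too many hosts")
    return [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]


def expand_target(spec):
    """Expand one target token into (list of IPv4Address, list of hostnames)."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty target")
    if "/" in spec:
        # CIDR: 10.163.156.1/24 names the block 10.163.156.0/24. Assumption: the
        # network and broadcast addresses are left out of blocks larger than /31.
        net = ipaddress.IPv4Network(spec, strict=False)
        if net.num_addresses > MAX_EXPANSION:
            raise ValueError(f"{spec} expands to too many hosts")
        return (list(net.hosts()) if net.prefixlen <= 30 else list(net)), []
    m = _FULL_RANGE.match(spec)
    if m:  # 10.163.156.1-10.163.159.254
        return _addresses_between(ipaddress.IPv4Address(m.group(1)),
                                  ipaddress.IPv4Address(m.group(2))), []
    m = _LAST_OCTET_RANGE.match(spec)
    if m:  # 10.163.156.1-254
        prefix, lo, hi = m.groups()
        return _addresses_between(ipaddress.IPv4Address(f"{prefix}.{lo}"),
                                  ipaddress.IPv4Address(f"{prefix}.{hi}")), []
    try:
        return [ipaddress.IPv4Address(spec)], []  # a single address
    except ValueError:
        pass
    # Hostnames are left for the server's resolver. A purely numeric string is not
    # one, so a mistyped address with too many octets is rejected instead of being
    # passed on as a name that could never resolve.
    if (len(spec) <= 253 and _HOSTNAME.match(spec)
            and not spec.replace(".", "").replace("-", "").isdigit()):
        return [], [spec]
    raise ValueError(f"unrecognised target {spec!r}")


def expand_targets(line):
    """Expand a comma-separated target line, dropping duplicates (order is kept)."""
    addresses, hostnames = [], []
    for token in line.split(","):
        if token.strip():
            a, h = expand_target(token)
            addresses.extend(a)
            hostnames.extend(h)
    return list(dict.fromkeys(addresses)), list(dict.fromkeys(hostnames))


if __name__ == "__main__":
    # Constructed sample lines covering the forms described in the tutorial.
    for line in ["10.163.156.1", "10.163.156.1-254", "10.163.156.1-10.163.159.254",
                 "10.163.156.1/24", "prof, 10.163.156.0/24, hope.fr.nessus.org"]:
        a, h = expand_targets(line)
        print(f"{line!r}: {len(a)} addresses, hostnames {h}")
```

Counting the expansion before launching a scan is a cheap sanity check: the difference between 254 hosts for a /24 and 1022 for the range 10.163.156.1-10.163.159.254 is easy to miss when typing the target line by hand.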

The rules section
The rules allow a user to restrict his test. For instance, we want to test
10.163.156.1/24, except 10.163.156.5. The ruleset that we entered allows us to do
that.

Once all of this is done, we can start the test :
Third Step: The result of the test
Now that the test is over, the report window pops up :
Conclusion
Nessus is a powerful tool that will greatly aid your ability to test and discover known
security problems. However, it is important to remember that the power Nessus gives
you should be used wisely, as some of the more dangerous plug-ins can render production
systems unavailable. For more information on Nessus, visit the official Nessus site at
www.nessus.org.