51 Security

Learning, Sharing, Creating

Vulnerability Scan

Tenable Nessus Tips and Tricks (+Script Auto-Installation)

Bynetsec

Aug 7, 2024

Nessus is Tenable’s entry level product and is intended for vulnerability assessment – not vulnerability management. It provides ad-hoc scanning, suitable for small organizations that need to do infrequent scans, penetration testers, consultants and even developers who are scanning clients on a one to one type basis.

  • It is a single user solution. It can be shared but only one user at a time.
  • Nessus provides unlimited IP scanning – no bands or limits. You just point it at your network and it can scan as many IPs as you want.
  • It is for on-premise deployment – It is not a cloud hosted SaaS solution.

This post summarizes the tips and tricks I found useful during working on Tenable Nessus. 

CLOUD-NATIVE APPLICATION PROTECTION PLATFORM (CNAPP) includes:

  • – CWP
  • – CSPM
  • – CIEM + JIT
  • – KSPM
  • – DSPM
  • – CDR
  • – IaC / DevSecOps

Nessus Product Feature Comparism


 NESSUS PROFESSIONAL NESSUS EXPERT
Designed for Pentesters, Consultants, and Small and Medium-sized Business (SMB’s) Pentesters, Consultants, Developers and Small and Medium-sized  Business (SMB’s)
Real-Time Vulnerability Updates Yes Yes
Vulnerability Scanning Yes Yes
Prebuilt policies used for scanning
 Yes Yes. Also has an additional 500 prebuilt policies for cloud infrastructure scanning
Scan Cloud Infrastructure
 Yes, through the CLI*
(*Command Line Interface)
 Yes
External Attack Surface Scanning No Yes

Change Nessus Pro Session Timeout

Default inactivity time is 30 minutes. To change it to 60 minutes, run following commands from admin mode:
PS C:\Program Files\Tenable\Nessus> .\nessuscli fix –secure –set xmlrpc_idle_session_timeout=60
Successfully set ‘xmlrpc_idle_session_timeout’ to ’60’.
The Nessus web server will be restarted.
PS C:\Program Files\Tenable\Nessus>
Restart the web service. 

Set Group Severity to Highest Severity in Group

scan_vulnerability_groups = yes : enable grouping

scans_vulnerability_groups_mixed = no : set group severity to the highest severity in the group

Filter For Vulnerabilities

You have to play All / Any, is equale to, is not equale to , those options to create your customized filters. 

How to find out failed login hosts

A quick check:

  • Plugin 19506 Nessus Scan information : Along with other information, this give you a quick summary of CREDENTIALS YES/NO

 


If you have a failure, then review other Plugins to find out the cause, Here are some Plugins worth looking at

  • 110723 No Credentials Provided
  • 110095 Authentication Success
  • 104410 Authentication Failure(s) for Provided Credentials
  • 110385 Authentication Success Insufficient Access
  • 21745 Authentication Failure – Local Checks Not Run
  • 117885 Authentication Success with Intermittent Failure
  • 10394 Microsoft Windows SMB Log In Possible

 

Failed 66 is from  plugin 19506’s output with “Credential Check: No“.

Create filters to filter failed credential check machines using Plugin ID: 19506:

This will shows all failed credential check machines, including Windows, Linux, Devices, etc. 

How to Quickly Find Out Machines OS and Those Failed Credential Check

 Plugin ID: 11936

How to quickly find out Windows machines which failed login using provided credentials?
1. Filter plugin 19506, then search “Credential Check: No” in Plugin Output column. Copy all filtered machine’s IPs out to a new sheet’s column.
2. Clear Filter. Filter plugin 11936, then seach “Windows” in Plugin Output column. Copy all filtered machine’s IPs out to a new sheet’s column. 
3. Create a column “Is it windows?” to check if we can find one existing in both Columns, A & D. 

Filter Windows Machines using Plugin ID 11936.

Create Nessus Instance in Low End VPS

GCP Free tier:

Google Free Tier: e2-micro (0.25 -2 vcpu, 1 core, 1 GB memory)
  • 1 non-preemptible e2-micro VM instance per month in one of the following US regions:
    • Oregon: us-west1
    • Iowa: us-central1
    • South Carolina: us-east1
  • 30 GB-months standard persistent disk
  • 1 GB of outbound data transfer from North America to all region destinations (excluding China and Australia) per month
  • Compute Engine free tier does not charge for an external IP address.

Installation steps

1 Create your GCP VM

2 Connect to VM

Update system (Optional)

  • apt update -y && apt upgrade -y  

SWAP size increase: (Optional)

  • wget https://raw.githubusercontent.com/51sec/swap/main/swap.sh && bash swap.sh

3 Install Observability – Ops Agent (Optional)

You will be able to see much more metrics from your VPS, such as memory usage. 

4 Install Nessus using an auto-installation script from Github

Three commands from the cli session: 

  • curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh
  • chmod +x ubuntu.sh
  • ./ubuntu.sh

One line command:

  • curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh && chmod +x ubuntu.sh && ./ubuntu.sh

Access Tenable Nessus Web GUI:

https://<Public IP>:12345
GITHUB Repository: https://github.com/51sec/nessus-special

Screenshots for oberability tab and settings page:

Total hours until all plug-ins compiled in a low end VPS (GCP E2-Micro, 1vCPU/1G RAM/30G Standard Disk):  about 9 hours (from 2pm – 11pm)

Settings:

Warning for minimum requirements not met. 

Dring a scan:
CPU load is 2% and maximum memory usage is about 180MB. 

Here is the GCP’s observability:

Auto-installation Script Issue:

Each time, when the system reboot, the whole Plugins compiling process will need to start from beginning. In this case, if you are using a low end vps such as GCP e2-micro instance, it will take another 9 hours before it completed all compiling tasks. 

How to Update Plugin-set:

Since auto update for plugin has been disabled, you will not be able to use Web Gui or normal way to update your plugins. You will just need to re-run the script. No need to delete anything before re-run. 

  • re-run the installation scrip. 

VPR (Vulnerability Priority Rating)

Difference Between CVSS Severity and Vulnerability Priority Rating (VPR) in Nessus

The failure of CVSS Scoring

Predictive Prioritization Using VPR

Threat Recency – how recently have there been attacks utilizing this vul?

Threat Intensity – number and frequncy of recent events (very low to very high)
Threat Sources – What data was used

Exploit Code Maturity – Parallels CVSS (Unproven – high)
Product Coverage – Number of unique products (Low -very high)

Videos

YouTube Video: One Line Command To Deploy Tenable Nessus In Low End Free Linux VPS

References

  • https://www.tenable.com/webinars
  • https://www.tenable.com/education

By netsec

Related Post

Vulnerability Scan

Tenable Web Application Cerdential Scans For Web Appications and APIs

Oct 30, 2024 netsec
Vulnerability Scan

Tenable Lab Steps and Notes – Part 1 (Discovery, NNM, Assessment, Plugins, Compliance, VPR, Analysis)

Oct 30, 2024 netsec
Vulnerability Scan

Tenable Lab Steps and Notes – Part 2 (Dashboards, Reports, Core, Nessus, NNM, Agent, Scanner Groups)

Oct 30, 2024 netsec

Leave a Reply

You missed

Vulnerability Scan

Tenable Web Application Cerdential Scans For Web Appications and APIs

2024-10-30 netsec
CyberArk

Steps to Update/Renew Your CyberArk Infrastrucure Certificates (PSM)

2024-10-30 netsec
Vulnerability Scan

Tenable Lab Steps and Notes – Part 1 (Discovery, NNM, Assessment, Plugins, Compliance, VPR, Analysis)

2024-10-30 netsec
Vulnerability Scan

Tenable Lab Steps and Notes – Part 2 (Dashboards, Reports, Core, Nessus, NNM, Agent, Scanner Groups)

2024-10-30 netsec