performing-vulnerability-scanning-with-nessus

# Performing Vulnerability Scanning with Nessus

## When to Use

- Conducting initial vulnerability assessment during the reconnaissance phase of a penetration test
- Performing periodic vulnerability scans to maintain compliance with PCI-DSS (requirement 11.2), HIPAA, or SOC 2 standards
- Validating that remediation efforts have successfully addressed previously identified vulnerabilities
- Establishing a baseline of known vulnerabilities before targeted manual exploitation
- Auditing patch compliance and configuration drift across server and workstation fleets

**Do not use** as a substitute for manual penetration testing, against systems without written authorization, or against fragile systems (medical devices, legacy SCADA) where scanning may cause service disruption.

## Prerequisites

- Tenable Nessus Professional or Nessus Expert with current plugin updates (plugins should be less than 24 hours old)
- Network connectivity to all target hosts on all ports (no firewall restrictions between scanner and targets)
- Administrative credentials for authenticated scanning (domain admin or local admin for Windows, root/sudo for Linux, SNMP community strings for network devices)
- Target IP ranges and hostnames documented in the scope agreement
- Change management approval for scanning during authorized windows

## Workflow

### Step 1: Scan Configuration

Configure the Nessus scan policy based on engagement requirements:

- **Scan type selection**: Choose "Advanced Scan" for full control over plugin families, or "Credentialed Patch Audit" for patch compliance. Avoid "Basic Network Scan" for penetration tests as it uses a limited plugin set.
- **Discovery settings**: Configure port scanning to scan all 65,535 TCP ports and top 1,000 UDP ports. Set host discovery to use ARP (local), TCP SYN, and ICMP for maximum coverage.
- **Authentication**: Add Windows credentials (domain account with local admin), SSH credentials (key-based preferred over password), SNMP credentials (v3 with authPriv preferred), and database credentials for database-specific checks.
- **Plugin configuration**: Enable all plugin families relevant to the target environment. For penetration testing, ensure "Denial of Service" plugins are disabled unless explicitly authorized. Enable CGI scanning for web servers.
- **Performance settings**: Set maximum concurrent hosts per scanner (default 30, reduce for sensitive networks), maximum concurrent checks per host (4-5 for production, higher for test environments), and network timeout values appropriate for the target network.

### Step 2: Scan Execution and Monitoring

Launch the scan and monitor for issues:

- Start the scan during the authorized testing window
- Monitor scan progress through the Nessus web interface, checking for hosts timing out, authentication failures, or plugins causing errors
- Watch for credential failures indicated by "Authentication Failure" results; these mean the authenticated scan fell back to unauthenticated mode, producing incomplete results
- If specific hosts are crashing or becoming unresponsive, pause the scan, exclude those hosts, and report the issue to the client
- For large networks (1,000+ hosts), consider splitting scans into smaller subnets to manage load and allow restartability

### Step 3: Results Analysis and Validation

Analyze scan results to separate true positives from false positives:

- **Sort by severity**: Start with Critical and High findings; these represent the most exploitable and impactful vulnerabilities
- **Validate authentication**: Verify that plugin 19506 (Nessus Scan Information) shows "Credentialed checks: yes" for each host. Unauthenticated results miss local vulnerabilities.
- **Eliminate informational noise**: Filter out informational findings unless they reveal useful information for manual testing (service banners, SSL certificate details, open ports)
- **Cross-reference CVEs**: For each Critical/High finding, verify the CVE in the National Vulnerability Database. Check if the vulnerability has a public exploit (Exploit-DB, Metasploit module).
- **False positive identification**: Common false positives include version-based detection where backported patches make the software appear vulnerable (common in RHEL/CentOS). Check `rpm -q --changelog <package>` on the target to verify.
- **Group by remediation**: Organize findings by the action needed to fix them (e.g., "Apply Windows KB5034441" affects 47 hosts) rather than listing each instance individually

### Step 4: Vulnerability Prioritization

Rank validated vulnerabilities for remediation using risk-based prioritization:

- **CVSS score**: Use the CVSS v3.1 base score as the starting point. Scores 9.0-10.0 are Critical, 7.0-8.9 High, 4.0-6.9 Medium, 0.1-3.9 Low.
- **Exploit availability**: Increase priority for vulnerabilities with publicly available exploit code, especially Metasploit modules or weaponized PoCs
- **Network exposure**: A critical vulnerability on an internet-facing system is higher priority than the same vulnerability on an isolated internal server
- **Asset criticality**: Consider the business value of the affected system. Domain controllers, databases with PII, and payment processing systems warrant higher priority.
- **Compensating controls**: Reduce priority if the vulnerability is mitigated by network segmentation, WAF rules, or EDR protections (document the compensating control)

### Step 5: Report Generation

Generate a comprehensive vulnerability scan report:

- Export the Nessus report in both executive (PDF) and detailed (CSV/HTML) formats
- Create a custom report that includes only validated findings with false positives removed
- Include a remediation priority matrix mapping each vulnerability to its recommended fix, affected hosts, and timeline
- Add context from manual validation (e.g., "This finding was confirmed exploitable during the penetration test")
- Include scan metadata: date/time, scanner version, plugin set date, scan policy used, authentication success rate

## Key Concepts

| Term | Definition |
|------|------------|
| **Authenticated Scan** | A vulnerability scan that uses valid credentials to log into target hosts and perform local checks, detecting significantly more vulnerabilities than unauthenticated scanning |
| **Plugin** | A Nessus script that checks for a specific vulnerability, misconfiguration, or compliance item; Nessus maintains over 200,000 plugins updated daily |
| **CVSS** | Common Vulnerability Scoring System; a standardized framework for rating the severity of vulnerabilities from 0.0 to 10.0 based on exploitability and impact metrics |
| **False Positive** | A vulnerability reported by the scanner that does not actually exist on the target, often caused by version-based detection without exploit verification |
| **Credentialed Patch Audit** | A scan type focused specifically on identifying missing operating system and application patches by comparing installed versions against known vulnerability databases |
| **Plugin Family** | A logical grouping of Nessus plugins by category (e.g., Windows, Ubuntu Local Security Checks, Web Servers, Databases) |

## Tools & Systems

- **Nessus Professional**: Commercial vulnerability scanner by Tenable with over 200,000 plugins covering CVEs, misconfigurations, and compliance checks
- **Nessus Expert**: Extended version including external attack surface scanning, IaC scanning, and cloud infrastructure assessment
- **Tenable.io**: Cloud-hosted vulnerability management platform for enterprise deployments with asset tracking, trend analysis, and prioritization
- **OpenVAS (Greenbone)**: Open-source alternative vulnerability scanner with community-maintained vulnerability tests for comparison scanning

## Common Scenarios

### Scenario: Quarterly PCI-DSS Vulnerability Scan for a Retail Company

**Context**: A retailer processes credit card payments and must comply with PCI-DSS requirement 11.2, which mandates quarterly internal and external vulnerability scans. The cardholder data environment (CDE) consists of 200 servers across 3 VLANs. All hosts run either Windows Server 2019/2022 or RHEL 8/9.

**Approach**:
1. Configure authenticated scan with domain service account for Windows and SSH key for Linux hosts
2. Use the PCI-DSS scan policy template with all relevant plugin families enabled
3. Scan all 200 CDE hosts during the Saturday maintenance window (02:00-06:00)
4. Identify 847 findings: 12 Critical, 34 High, 189 Medium, 612 Low/Informational
5. Validate Critical findings: 3 are false positives (backported patches on RHEL), 9 are confirmed vulnerabilities
6. Group remaining findings by remediation action: 6 require Windows patches, 2 require Apache upgrades, 1 requires TLS configuration hardening
7. Generate PCI-compliant report showing no Critical or High vulnerabilities remain unaddressed (after remediation and rescan)

**Pitfalls**:
- Running unauthenticated scans and missing the majority of local vulnerabilities, producing an incomplete compliance report
- Not updating Nessus plugins before scanning, missing recently published CVEs
- Scanning fragile legacy systems without reducing scan intensity, causing crashes or service disruption
- Accepting Nessus results at face value without manually validating critical findings for false positives

## Output Format

```
## Vulnerability Scan Summary - CDE Environment

**Scan Date**: 2025-11-15 02:00-05:47 UTC
**Scanner**: Nessus Professional 10.8.3 (Plugins: 2025-11-14)
**Hosts Scanned**: 200 (198 authenticated, 2 authentication failed)
**Scan Policy**: PCI-DSS Internal Scan

### Findings Summary
| Severity | Count | Validated |
|----------|-------|-----------|
| Critical | 12    | 9 (3 FP)  |
| High     | 34    | 31 (3 FP) |
| Medium   | 189   | 178       |
| Low/Info | 612   | N/A       |

### Top Critical Findings

**1. CVE-2024-21762 - Fortinet FortiOS Out-of-Bounds Write (CVSS 9.8)**
- Affected Hosts: fw-cde-01.corp.example.com (10.50.1.1)
- Exploit Available: Yes (Metasploit module)
- Remediation: Upgrade FortiOS to 7.4.3 or later
- Priority: Immediate - internet-facing device protecting CDE

**2. CVE-2024-6387 - OpenSSH regreSSHion (CVSS 8.1)**
- Affected Hosts: 14 Linux servers (see Appendix A)
- Exploit Available: Yes (public PoC)
- Remediation: Upgrade OpenSSH to 9.8p1 or later
- Priority: Within 7 days - authenticated remote code execution
```