Nessus: Mythbusters Edition
I've recently been doing a bit of research into the history of Nessus. I discovered that the first version of Nessus was published in 1998, and any time software has been around for that long there are bound to be some myths and misconceptions that develop as fast as new features over the years. This post will explain some common myths and set the record straight.
Myth #1 - "Installing Nessus from your Linux distribution’s repository installs the latest version of Nessus"
Depending on which Linux distribution you are running, and which version of the distribution you have installed, you may be able to install a package called "nessus" from the package repository. Many people believe that this process installs a recent version of Nessus, but it does not. Typically distributions will include a 2.x version of Nessus in the repository. The current version of Nessus is 4.4.0 and can only be downloaded from http://www.nessus.org or from the Tenable Customer Support Portal. To give some background, the following is a brief history of Nessus versions:
- 1998 – Nessus alpha1 - Student project, announced on the Bugtraq mailing list
- May 2000 - Nessus 1.0 - First stable version
- February 2003 - Nessus 2.0 - New NASL engine
- October 2004 - Nessus 2.2 - Ability to log into hosts via SSH, last GPL version
- December 2005 - Nessus 3.0 - NASL3 engine introduced
- April 2009 - Nessus 4.0 - Thread-based model, 64-bit support
- November 2009 - Nessus 4.2 - Nessus API, user interface, reports, and policies stored on server
- November 2010 - Nessus 4.4 - Lower memory usage, scheduling, reporting enhancements
You can also review the article "Why Upgrade to Nessus 4?" for a detailed look at the improvements between versions, including a performance analysis between Nessus 2 and Nessus 4.
Myth #2: "Nessus uses Nmap as a scanning engine"
Prior to Nessus 2.2.0, small portions of code from Nmap 1.x were used in an early port scanning plugin. Nessus also used (and still does to this day) its own port scanning engine, including the SYN scanner that was included in the first versions of Nessus. While Nmap is a fantastic port scanner (and so much more!) Nessus has never included or used Nmap as a port scanner by default.
There are two Nessus plugins that integrate with Nmap: one runs Nmap alongside Nessus, and one imports existing Nmap results. For more information, see "When, how and why (not) to use Nmap within Nessus".
If you do need to import Nmap results, I suggest installing nmapxml.nasl. There are some cases where someone will already have run an Nmap scan, and it’s useful to import the results into Nessus to run vulnerability scans against the list of hosts.
Note: You can find more information in the post titled "Using Nmap Results With Nessus Batch Scanning".
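To show what an Nmap result import actually has to do, here is an added example that reads Nmap's XML output (`-oX`) and turns it into a Nessus-style target list plus the TCP ports Nmap already found open. This is illustration code, not nmapxml.nasl or any other Tenable plugin; the XML document embedded below is constructed to mirror the structure of real Nmap output, and the 192.0.2.0/24 addresses are documentation-range placeholders.

```python
"""Parse Nmap XML output into a target list with open ports.

Added example; it is not Nessus's nmapxml.nasl. The sample XML below is
constructed to follow the element layout of Nmap's -oX output.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two hosts up, one down. The UDP port on the third host
# is reported as "open|filtered", which is ambiguous and must not be treated as open.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -oX - 192.0.2.0/29" start="0" version="5.21">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname": str|None, "ports": [(proto, port, service)]}} for hosts that are up.

    Only ports whose state is exactly "open" are kept; "open|filtered" means Nmap
    could not tell, so it is left for the vulnerability scanner to decide.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):  # skip MAC addresses
                ip = addr.get("addr")
                break
        if ip is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            service = svc.get("name") if svc is not None else None
            ports.append((port.get("protocol"), int(port.get("portid")), service))
        results[ip] = {"hostname": hostname, "ports": ports}
    return results


def target_list(results):
    """Sorted list of live IPs, ready for a scan's target field."""
    return sorted(results)


def port_range(results):
    """Comma-separated TCP port list, so a follow-up scan can be limited to ports already seen open."""
    tcp = {p for r in results.values() for proto, p, _ in r["ports"] if proto == "tcp"}
    return ",".join(str(p) for p in sorted(tcp))


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("targets:", ", ".join(target_list(parsed)))
    print("tcp ports:", port_range(parsed))
```

The down host is dropped and the MAC address is ignored, which is what you want when the goal is a host list; note that restricting the follow-up scan to Nmap's open ports only makes sense if the Nmap scan covered the full port range, otherwise the vulnerability scan inherits Nmap's blind spots.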
Myth #3: "Nessus does not support IPv6"
Nessus will scan IPv6 hosts, provided the scanning engine is running on either Linux or a Mac OS X system with IPv6 enabled. See the post titled "Nessus 3.2 BETA - IPv6 Scanning".
Microsoft Windows lacks some of the key APIs needed for IPv6 packet forgery (e.g., obtaining the router's MAC address, reading the routing table, etc.). This prevents the port scanner from working properly on that platform; support for IPv6 scanning from Nessus servers running on Windows is planned for a future release.
Myth #4: "Nessus scans only network services, not web applications."
In June 2009, Tenable released a major overhaul of the web application scanning functionality of Nessus. Since then Nessus has continued to implement web application scanning features that use fuzzing techniques to find custom vulnerabilities in applications. Nessus has several ways to enumerate vulnerabilities in web applications:
- Known Web Application Vulnerabilities - Nessus contains over 2,523 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses : XSS" plugin families is written to enumerate vulnerabilities that have been previously reported in a web application product (open-source or commercial).
- Previously Unknown Web Application Vulnerabilities - This level of scanning uses various fuzzing and other enumeration techniques to detect vulnerabilities not yet discovered. Each parameter of the web application is tested for SQL injection, cross-site scripting and a large number of other common, and not-so-common, web application attacks.
- Vulnerabilities in the Platform - Nessus will remotely find vulnerabilities in web application frameworks (e.g., PHP, .NET, etc.), web servers (e.g., Apache, IIS, etc.), and databases (e.g., MySQL, PostgreSQL, etc.). Furthermore, you can use Nessus to perform local patch checking and configuration auditing of the systems and applications in use.
Myth #5: "Nessus only scans devices across the network"
Along those lines, one of the more powerful features in Nessus is the ability to audit patches and configurations locally. Rather than perform the entire scan of the device(s) across the network, which consumes some bandwidth and has the potential to "aggravate" a target, Nessus can log into the target and check the configuration locally. Tenable currently supports the following platforms with respect to local patch checking:
- Linux (Various distributions)
- Windows (All supported platforms)
- VMware ESX
- Mac OS X
- Databases (Oracle, MSSQL and more)
Nessus can also perform configuration auditing: reviewing the configuration of an operating system or application and comparing it to a known standard. Nessus supports many different operating systems and applications, including Cisco IOS, CIS Benchmarks and more. A great example of this capability in action is included in the post titled "Auditing Linux, Apache, & MySQL Against CIS Benchmarks".
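The core of a configuration audit is mechanical: read the target's settings and compare each one to the value a baseline demands. The following added example does that for a keyword/value configuration file in sshd_config style. It is illustration code only, not Nessus's audit format and not a CIS Benchmark; both the configuration excerpt and the baseline items (keywords, expected values, severities) are constructed for the example.

```python
"""Compare an application configuration against a known-good baseline.

Added example; not Nessus's .audit format or any CIS Benchmark content. The
baseline items and the configuration text below are constructed for illustration.
"""
import re

# Constructed configuration excerpt in sshd_config style (one "Keyword value" per line).
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
X11Forwarding no
"""

# Constructed baseline: keyword -> (expected value, severity of a deviation).
BASELINE = {
    "Protocol": ("2", "high"),
    "PermitRootLogin": ("no", "high"),
    "PasswordAuthentication": ("no", "medium"),
    "MaxAuthTries": ("4", "low"),
    "X11Forwarding": ("no", "low"),
}


def parse_keyword_config(text):
    """Parse 'Keyword value' lines into a dict keyed by lowercased keyword.

    Blank and commented lines are ignored, and the first occurrence of a keyword
    wins, which matches how sshd itself resolves duplicate directives.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        settings.setdefault(key.lower(), value)
    return settings


def audit(config_text, baseline):
    """Return findings as (keyword, expected, actual, status, severity) tuples.

    A keyword absent from the file is reported as "missing" rather than assumed
    compliant: the daemon's compiled-in default may or may not match the baseline,
    and an auditor should not guess.
    """
    settings = parse_keyword_config(config_text)
    findings = []
    for key, (expected, severity) in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            status = "missing"
        elif actual.lower() == expected.lower():
            status = "pass"
        else:
            status = "fail"
        findings.append((key, expected, actual, status, severity))
    return findings


def failed(findings):
    """Everything that is not a clean pass, for the summary report."""
    return [f for f in findings if f[3] != "pass"]


if __name__ == "__main__":
    for key, expected, actual, status, sev in audit(SAMPLE_CONFIG, BASELINE):
        print(f"[{status:7}] {key}: expected {expected!r}, found {actual!r} ({sev})")
```

Treating a missing directive as its own status, rather than silently passing or failing it, is the detail that separates a useful audit from a noisy one: the reviewer can then decide per item whether the default is acceptable.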