Tenable Blog

Using Nessus For Host Discovery

A Nessus user recently contacted me about performing a scan that would simply discover hosts on the network. This is a very low impact scan that does not look for vulnerabilities or enumerate ports. There are a few good reasons to run this type of scan:

Systems protected by a network or host-based firewall may only respond on a single port or to an ICMP echo request. Hosts that only respond to an ICMP ping will not show up in the default Nessus scan report. By enumerating these hosts you can include them in the report to show that scans were attempted but did not find any results, then determine if this is normal behavior or not.

Your internal policies may provide specific time windows when vulnerability scanning can occur. By tuning a scan that only discovers live hosts, you can check that your Nessus server is set up properly, collect a list of hosts to scan and stay within your vulnerability scanning policy guidelines.

To configure a scan that will only test if hosts are alive, use the following policy settings:

[Image: HostDisc-Main-sm.png, the main policy configuration screen]

In the main policy configuration screen above, the only setting enabled in the "Port scanners" section is "Ping host", which tells Nessus not to port scan the target hosts but only to send packets that test whether each host is alive. I've also increased the "Max checks per host" setting from the default of 40 to 80. Since we are only performing tests to check if a host is alive, scanning more hosts per scan will make the scan run much faster with little impact on the network or on the local Nessus scanner machine.

[Image: HostDisc-Plugins-sm.png, the plugins configuration screen]

All plugins can be disabled in the plugins section. This may seem odd at first, but the "Ping host" checkbox in the first configuration screen will take care of host discovery without any plugins being enabled. You could easily extend this scan to perform operating system identification by enabling the appropriate plugins, but be cautioned that this will trigger several more checks and increase your scan time as well as send more invasive scans to each host.

[Image: HostDisc-Prefs.png, the preferences tab]

In the preferences tab under "Ping the remote host", you can tune the host discovery settings. I've checked "Log live hosts in the report", which causes Nessus to report on hosts that respond to a discovery ping; this is not the default behavior. I've also enabled "Fast network discovery", which disables some of the more advanced features of host discovery, such as proxy server detection.

Processing the results

This is a great scan to run on a regular basis on your network to discover new hosts (and, if you enable operating system detection, it will tell you the type of hosts appearing on the network). If you are a penetration tester, you may also wish to export the IP addresses to a file for processing by other tools, or simply see at a glance which type of host discovery test was successful. By exporting the data to an NBE file (download the report and save it as an NBE file from within the Nessus GUI), I came up with two quick Linux (or other UNIX-compatible shell) command line tricks to extract this information:

The following command will extract the IP address and the method of discovery:

$ awk -F "|" '/10180/ {print $2 $7}' HostDiscoveryResults.nbe | sed -e 's/Synopsis//' | cut -d: -f1,7 | sed -e 's/\\n/ /g'
xbox-basement.myinternaldomain.com : The remote host is up The remote host replied to an ICMP echo packet
madmonk.myinternaldomain.com : The remote host is up The remote host emitted a UDP packet from port 53 going to port 33609
linky.myinternaldomain.com : The remote host is up The remote host replied to an ICMP echo packet
johnnymo.myinternaldomain.com : The remote host is up The remote host replied to an ICMP echo packet
hanzo.myinternaldomain.com : The remote host is up The remote host replied to an ICMP echo packet
gogo.myinternaldomain.com : The remote host is up The host is the local scanner.
192.168.1.81 : The remote host is up The remote host replied to an ICMP echo packet
192.168.1.79 : The remote host is up The remote host replied to an ICMP echo packet

The following command will extract just the IP addresses:

$ awk -F "|" '/10180/ {print $2 }' HostDiscoveryResults.nbe
xbox-basement.myinternaldomain.com
madmonk.myinternaldomain.com
linky.myinternaldomain.com
johnnymo.myinternaldomain.com
hanzo.myinternaldomain.com
gogo.myinternaldomain.com
192.168.1.81
192.168.1.79

The nice part about the commands above is that you can run them against any Nessus scan result file from a scan with "Ping host" enabled and they will extract the live host information. This is done with the pattern passed to awk, "/10180/", which is the plugin ID associated with this option. Keep in mind that you will be missing the hosts that only responded to host discovery unless you enable the option "Log live hosts in the report".
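As an added example (not from the original post or from Tenable), the same extraction done in Python, which avoids the field-splitting and colon-counting fragility of the awk/cut pipeline and goes one step further by comparing the live hosts against a known-host inventory to flag newcomers. It assumes the common NBE layout results|network|host|port|plugin id|severity|description with line breaks in the description escaped as a literal backslash-n; the sample export and inventory below are constructed, not real scan data.

```python
"""Pull live hosts out of a Nessus NBE export (plugin 10180, "Ping the remote
host") and flag the ones missing from an inventory. Added example, not
Tenable's code."""
from typing import Dict, List, Set

PING_PLUGIN_ID = "10180"  # plugin ID named in the post

# Constructed sample NBE export (not from a real scan). Assumed layout:
# results|network|host|port|plugin id|severity|description, with newlines in
# the description escaped as a literal backslash-n.
SAMPLE_NBE = r"""
timestamps|||scan_start|Fri Jan  1 12:00:00 2010|
results|192.168.1|192.168.1.81|general/icmp|10180|Security Note|Synopsis :\n\nThe remote host is up\n\nPlugin output :\n\nThe remote host replied to an ICMP echo packet\n
results|192.168.1|192.168.1.79|general/icmp|10180|Security Note|Synopsis :\n\nThe remote host is up\n\nPlugin output :\n\nThe remote host emitted a UDP packet from port 53 going to port 33609\n
results|192.168.1|192.168.1.5|general/icmp|10180|Security Note|Synopsis :\n\nThe remote host is up\n\nPlugin output :\n\nThe host is the local scanner.\n
results|192.168.1|192.168.1.81|ssh (22/tcp)|10267|Security Note|Synopsis :\n\nAn SSH server is listening on this port.\n
""".strip()


def parse_live_hosts(nbe_text: str) -> Dict[str, str]:
    """Return {host: discovery method} for every plugin-10180 result line.

    The method is the last non-empty line of the description, which is where
    Nessus places the 'Plugin output' text quoted in the post.
    """
    live: Dict[str, str] = {}
    for raw in nbe_text.splitlines():
        fields = raw.split("|")
        if len(fields) < 7 or fields[0] != "results" or fields[4] != PING_PLUGIN_ID:
            continue
        host = fields[2]
        # NBE escapes line breaks as a literal "\n"; undo that before splitting.
        lines = [ln.strip() for ln in fields[6].replace("\\n", "\n").split("\n") if ln.strip()]
        live[host] = lines[-1] if lines else ""
    return live


def new_hosts(live: Dict[str, str], inventory: Set[str]) -> List[str]:
    """Hosts that answered the discovery scan but are absent from the inventory."""
    return sorted(h for h in live if h not in inventory)


if __name__ == "__main__":
    hosts = parse_live_hosts(SAMPLE_NBE)
    for host, method in hosts.items():
        print(f"{host} : {method}")
    # Constructed inventory: .5 is the scanner and .81 is known; .79 is not.
    print("new:", new_hosts(hosts, {"192.168.1.5", "192.168.1.81"}))
```

Because the 10180 lines are matched on the plugin ID field rather than on a substring of the whole line, a description that happens to contain "10180" elsewhere will not produce a false hit.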

Conclusion

Knowing what's on your network is extremely important. If you don't know what is on your network, how do you know what needs to be managed, secured or monitored? The data can be used in all sorts of meaningful ways, such as tracking growth on the network or discovering hosts being plugged into the network that need to be scanned later. This is a great use of the new scan scheduling feature of Nessus, or an additional scan in your SecurityCenter. Finally, you may also want to read the post titled, Scanning Large Networks with Nessus, which also contains some tips useful for customizing Nessus scans in this way.
