
#10 There's More Than One Way... - The Top Ten Things You Didn't Know About Nessus

Drum Roll Please...

Being the Product Evangelist for Tenable Network Security gives me some interesting insight into how the community views the features of our products. I meet some people who provide us with awesome suggestions for improvements and I also meet some people who scan their networks at semi-regular intervals using the default set of policies, unaware of the huge variety of features that Nessus includes.

Hence the project I have been working on: with help and support from the community and my fellow co-workers at Tenable, I have developed what we understand to be a list of the top ten things that people may not know about Nessus.

In part one, I want to explore the differences between traditional network-based scanning and scanning with credentials. So, in traditional David Letterman top ten fashion, we’ll start with number 10!

[Figure: Speedy Target Safe Cracking] Nessus maintains a balance of speed, accuracy, and intrusiveness.

#10. There's More Than One Way To...

One of the most misunderstood and widely untapped resources of the Nessus vulnerability scanner is the ability to run Nessus both with and without credentials. Don’t get me wrong; running Nessus against your network without credentials is amazingly useful and fast. Without a doubt, the ability to put a Nessus server on your network and let it scan everything that is connected to your organization is very powerful. With only a subnet mask or range of IP addresses, Nessus can tell you a lot about your network. Nessus maintains a balance of speed, accuracy, and intrusiveness. For example:

  • Multi-tasking - With version 4.x, Nessus implemented a fully thread-based (as opposed to process based) model for better scalability and reduced memory usage. There were also performance improvements made along the way to reduce CPU usage on all platforms.
  • 64-Bit & Memory Usage Improvements - Version 4.x of Nessus also introduced 64-bit support and more efficient memory usage. This means you can install Nessus on a 16-core CPU server with 32GB of RAM, and Nessus will use it to its full potential. Some customers are scanning hundreds of thousands of systems in under 24 hours.
  • Flexible Policy Configuration - The end user is able to create policies that fit their needs or target a specific class of machines, applications, or time constraints. There are several built-in policies from Tenable, including templates for internal scans, external scans, and web applications.

[Figure: SSH Settings]
Several options exist for securing the credentials used by Nessus. For example, when using SSH, Nessus accepts private/public keys, sudo, su, su+sudo, and reads from an SSH known_hosts file (only scanning target hosts that are in the known_hosts file you've uploaded).
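The known_hosts restriction described above is worth understanding in detail, because a known_hosts file can contain plain hostnames, comma-separated aliases, `[host]:port` entries, `@revoked` markers and HMAC-SHA1 hashed hostnames (`|1|salt|hash|`), all of which need to be honoured for the "only scan hosts in the file" rule to mean anything. The following is an added example, not Nessus code, of how a scanner-side filter can reduce a target list to the hosts that appear in an uploaded known_hosts file. The sample file, salt and key strings are constructed placeholders; the hashed-entry format is the one OpenSSH uses.

```python
import base64
import fnmatch
import hashlib
import hmac


def hash_hostname(host: str, salt: bytes) -> str:
    """Build an OpenSSH-style hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))|."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed sample known_hosts file. Keys are truncated placeholders, not real public keys.
_SALT = hashlib.sha1(b"constructed-example-salt").digest()  # 20-byte salt, as OpenSSH produces
KNOWN_HOSTS = "\n".join([
    "# constructed example file",
    "web01.example.test,10.0.0.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER1",
    hash_hostname("db01.example.test", _SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER2",
    "[bastion.example.test]:2222 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3",
    "@revoked old.example.test ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER4",
])


def parse_known_hosts(text: str):
    """Return a list of (host_field, revoked) tuples, one per key line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        revoked = False
        if fields[0].startswith("@"):          # marker: @cert-authority or @revoked
            revoked = fields[0] == "@revoked"
            fields = fields[1:]
        if len(fields) < 3:                    # need host, key type, key
            continue
        entries.append((fields[0], revoked))
    return entries


def host_matches(host_field: str, host: str) -> bool:
    """True if the target host is covered by this known_hosts host field."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _, _ = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hash_hostname(host, salt), host_field)
    for pattern in host_field.split(","):
        if pattern.startswith("!"):            # negated pattern: not supported in this example
            continue
        if pattern.startswith("[") and "]" in pattern:
            pattern = pattern[1:pattern.index("]")]  # strip [host]:port wrapper
        if fnmatch.fnmatchcase(host, pattern):       # known_hosts allows * and ? wildcards
            return True
    return False


def filter_targets(targets, known_hosts_text: str):
    """Keep only targets that have a non-revoked key entry in the known_hosts file."""
    entries = parse_known_hosts(known_hosts_text)
    allowed = []
    for host in targets:
        trusted = False
        for host_field, revoked in entries:
            if host_matches(host_field, host):
                if revoked:                    # a revoked entry overrides any match
                    trusted = False
                    break
                trusted = True
        if trusted:
            allowed.append(host)
    return allowed


if __name__ == "__main__":
    targets = ["web01.example.test", "10.0.0.11", "db01.example.test",
               "bastion.example.test", "old.example.test", "unknown.example.test"]
    print(filter_targets(targets, KNOWN_HOSTS))
```

Running the block prints the four hosts with valid entries; `old.example.test` is dropped because its entry is revoked, and `unknown.example.test` is dropped because it is absent, which is exactly the outcome you want from a scanner that refuses to authenticate to a host it cannot verify.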

Credentialed Scanning with Nessus has Several Benefits

Running with credentials has several advantages and provides you with a deeper level of information about your network and systems:

  • Unobtrusive Scanning - Because the scan is performed with credentials, vulnerability identification operations are executed on the host itself rather than across the network. Everything from operating system fingerprinting to port enumeration is done by running commands on the target, then sending the results of those commands back to the Nessus server. This allows Nessus to consume far less system and network resources than performing a traditional network scan that probes ports and services remotely.
  • Definitive List of Missing Patches - Rather than probe a service remotely and attempt to find a vulnerability, Nessus will query the local host to see if a patch for a given vulnerability has been applied. This type of query is far more accurate (and safer) than running a remote check.
  • Uncover Client-side Software Vulnerabilities - By looking at the software installed and its version, Nessus will find client-side software vulnerabilities that are otherwise missed in a traditional network-based audit.
  • Discover New Types of "Vulnerabilities" - As you will see in the examples below, Nessus can read password policies, obtain a list of USB devices, check anti-virus software configurations and even enumerate Bluetooth devices attached to scanned hosts.
Perhaps the most attacked client-side software, right next to Internet Explorer, is anything made by Adobe. They are responsible for some of the most popular client-side software including Adobe Acrobat/Reader, Adobe Flash and, to a lesser extent, Adobe AIR. The ability to seek out Adobe products with missing patches in your environment, without running a client-side penetration test, is a win.

Enterprise Credentialed Scanning Features

Using Tenable’s SecurityCenter to manage enterprise credentialed vulnerability scanning has several advantages. SecurityCenter stores credentials safely in a central location as a resource for Nessus scanners to access. This means you can define a set of credentials, initiate a scan that will utilize several Nessus servers at once (load balancing the scan across them) and have them all use the same credentials.

[Figure: SC Credential Screen]

SecurityCenter also allows you to attach credentials to a scan, rather than a policy, providing for more flexibility when defining your vulnerability scans:

[Figure: SC Policy]

The features described above allow you to have different sets of credentials for a wide range of systems or departments, and customize policies for each scan, then attach whichever credentials are required.

Stay Tuned

Look for more posts from the "Top Ten Things You Didn't Know About Nessus" project coming soon! #9 will cover configuration and compliance auditing.