Tenable Blog

Advantages Of Running Both Network & Authenticated Nessus Scans

Implementing Different Scan Types

Nessus and Security Center users often ask how frequently they should run a vulnerability scan, and what kinds of scans they should run. In a previous post we explored some of the different scan types, including network checks, local checks and configuration auditing. I often encourage people to run all three types of scans against their network at different frequencies. All three types provide interesting and useful results that should be included in your vulnerability management program. In this post we will explore the differences between, and the benefits of, the first two types of scans mentioned: network-based scans and local checks.

Network-Based Scanning

My test system is an older version of Fedora Linux (Fedora Core 5). It is missing several patches and contains a web application, osCommerce, with several vulnerabilities. I scanned the system using a standard Nessus network-based scan and got results that one would expect from a scan with this configuration. For example, Nessus reported the current HTTP server version and type:

[Screenshot: Picture 79.png]

Nessus did not find any vulnerabilities or missing patches associated with this instance of Apache. The banner that was retrieved indicated that it is Apache version "2.2.0" running on Fedora. This version is reported to contain several vulnerabilities:


The obvious question is, "If Nessus found that the banner contains a vulnerable version of Apache, why didn't it show up in the report?" The answer has to do with "backporting". Backporting is when a Linux distribution applies patches to a particular software package but does not update the banner that the service displays over the network (i.e., it patches an older version rather than upgrading to a newer version without the vulnerabilities). Therefore, even though the banner in this case reports a vulnerable version of Apache, there is no way to be certain that the host is vulnerable, because the package is part of a distribution (Fedora) that may have backported the patches. To reduce false positives, Nessus now includes "backport.inc", which documents the banners from several different Linux distributions and identifies the backported version and the real version. The "backported version" is the version of the software that was patched by the Linux distribution, and the real version is the latest version of the product. For example, the entry for Fedora Core 5's instance of Apache is:

# Fedora FC5
backported_versions[i++] = "Apache/2.2.0 (Fedora)";
real_versions[j++] = "Apache/2.2.99 (Fedora)";

This information tells Nessus that while Fedora will report Apache 2.2.0, Fedora has been backporting fixes since then. Nessus sets the real version to Apache version 2.2.99, which does not exist, but which ensures that the Fedora Apache will always be flagged as a backport. There are new plugins that will report when this condition has occurred, according to the service. For example, the host we scanned in this example also has an alert on port 80 that reads:


Nevertheless, how can we tell if those patches have really been applied? We'll get to that in the local checks section, but first let’s look at one advantage that network checking has over local checking. In the following alert Nessus discovered that osCommerce was installed and contained an unprotected Admin directory:

[Screenshot: Picture 80.png]

This is an advantage because in order to test a service and application, sometimes you need to see it running. In this case, Nessus was able to find evidence that osCommerce was configured incorrectly and exposing a vulnerability to the network.
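The banner handling described in the backporting discussion above, sketched in Python as an added example (it is not Nessus or backport.inc code). The table copies the one entry quoted above; the function names and the fixed-in version (2, 2, 3) are assumptions made for the illustration.

```python
import re

# Constructed table in the shape of the backport.inc entry quoted above:
# banner the distribution keeps serving -> sentinel "real" version.
BACKPORTS = {
    "Apache/2.2.0 (Fedora)": "Apache/2.2.99 (Fedora)",
}

BANNER_RE = re.compile(r"^(?P<product>[A-Za-z_-]+)/(?P<version>\d+(?:\.\d+)*)")


def parse_version(banner):
    """Return the version in a 'Product/x.y.z (...)' banner as an int tuple,
    or None when the banner carries no version."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return tuple(int(part) for part in m.group("version").split("."))


def naive_check(banner, fixed_in):
    """Banner-only test with no backport knowledge (false-positive prone)."""
    version = parse_version(banner)
    return version is not None and version < fixed_in


def backport_aware_check(banner, fixed_in):
    """Banner test after mapping known backported banners to their sentinel."""
    banner = banner.strip()
    effective = BACKPORTS.get(banner, banner)
    version = parse_version(effective)
    backported = effective != banner
    return {
        "effective_banner": effective,
        # For fixes within the 2.2.x line the sentinel sorts higher: False.
        "flag_vulnerable": version is not None and version < fixed_in,
        "backported": backported,
        # Only a credentialed patch audit can settle these hosts.
        "needs_local_check": backported or version is None,
    }


if __name__ == "__main__":
    FIXED_IN = (2, 2, 3)  # constructed threshold, not taken from an advisory
    for sample in ("Apache/2.2.0 (Fedora)", "Apache/2.2.0 (Unix)", "Apache"):
        print(sample, naive_check(sample, FIXED_IN),
              backport_aware_check(sample, FIXED_IN))
```

The Fedora banner is flagged by the naive test but not by the backport-aware one, which instead marks the host for a local check; a banner with no version at all is treated the same way.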

Local Checking

To get a complete and accurate picture of the vulnerabilities that exist on a particular host, a local check for current patches can be performed. This testing requires that you have credentials on the hosts that you are testing. When run against our test host, Nessus finds that there are several missing patches, including updates for the "httpd" package, which is Apache:

[Screenshot: Picture 77.png]

Suppose we want to see all of the patches that are missing from this particular host. We can use the filtering and reporting features in the Nessus client to produce a report that lists each patch that is missing:


The report above uses a template that was documented in the post titled "Creating Custom Reports with Nessus 4". This report is formatted nicely for network administrators, as they can use it as a guide to apply patches. For example, if the systems administrator sees the report above, they should issue commands to apply the patches. However, the Fedora release running on this system is no longer supported, so it is recommended that the system be rebuilt with CentOS 5. Once the system has been rebuilt, you can ensure all the latest operating system updates are applied by issuing the "yum update" command. If there are packages to be updated, they will be listed:

# yum update
Loading "fastestmirror" plugin
Loading "priorities" plugin
Loading mirror speeds from cached hostfile
* rpmforge: ftp-stud.fht-esslingen.de
* base: mirror.trouble-free.net
* updates: ftp.linux.ncsu.edu
* addons: mirror.unl.edu
* extras: mirror.skiplink.com
374 packages excluded due to repository priority protections
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package NetworkManager-gnome.i386 1:0.7.0-4.el5_3 set to be updated
---> Package stunnel.i386 0:4.15-2.el5.1 set to be updated
---> Package mesa-libGL.i386 0:6.5.1-7.7.el5 set to be updated
---> Package planner.i386 0:0.14.1-4.el5 set to be updated
---> Package cdrecord.i386 9:2.01-10.7.el5 set to be updated
---> Package hwdata.noarch 0:0.213.11-1.el5 set to be updated

If you see the message "No Packages marked for Update", this means your system is up-to-date. A scan of an up-to-date system with local checks may not contain results. You can disable "Silent Dependencies" and make sure that Nessus was able to log in and check for patches:



In the examples above, we can see the value in running both network-based and local authenticated Nessus scans that check for the presence of patches. In the network example, we see how Nessus is able to avoid false positives and report on distributions performing backporting of security patches. In addition, Nessus has several plugins that identify vulnerabilities in applications and services across the network. Local checking allows Nessus to perform a full patch audit, and when coupled with the reporting features can provide a report that can be shared with systems administrators and used to help keep tabs on which systems are missing patches.

