Tenable Blog

Configuring The Ports That Nessus Scans

When only select ports require scanning, use these easy steps to define them

When assessing targets with a network scanner like Nessus, a common question is "How do I control the ports that Nessus tests during a scan?" This blog covers a number of options, including:

  • How to limit the port scan
  • Choosing host enumeration
  • Considering unscanned ports closed
  • Addressing UDP ports
  • Explicit port control
  • Alternative options to port scanning
Below, we talk about some of the reasons Nessus sends packets to various ports and how scans can be configured to limit access to specific ports or ranges of ports. This is applicable to any Tenable toolset that uses Nessus in a customizable fashion, like Nessus Professional, Tenable.sc or Tenable.io.

Limiting the port scan

The first setting to review when minimizing the ports a Nessus scan touches is the port scan range. Most Nessus scan policies have the port scan range set to "default." When set using the keyword 'default,' the scanner will scan approximately 4,600 common ports. The current list of ports can be found in the nessus-services file on the Nessus scanner at the locations below.

Windows: C:\ProgramData\Tenable\Nessus\nessus\nessus-services
Mac: /Library/Nessus/run/var/nessus/nessus-services
Linux: /opt/nessus/var/nessus/nessus-services

Users can enter more specific ranges and ports into the scan policy, such as "21-80", "21,22,25,80" or "21-143,1000-2000,60000-60005". Doing so will cause the port scanner to target just those ports during the port scan. 

If required, 'all' instructs the scanner to scan all 65,536 ports, including port 0. Note that this can greatly increase the scan time of each target and is not a recommended configuration if scanning through network firewalls.

Choosing host enumeration

If an ICMP probe (a ping) or ARP is enabled to discover active hosts, then no specific ports are probed. However, if a "TCP Ping" is used to discover a host, then a small number of ports will be probed (the default setting in most scan policies). Both options can be enabled and are not mutually exclusive.

Nessus will also only run subsequent host discovery methods on a target if the previous ones fail or if they’re not enabled.

Considering unscanned ports closed

After a host is discovered and the desired ports are scanned, Nessus will attempt to run the enabled plugins against the target. If a plugin runs which attempts to connect to a specific port and the "Consider Unscanned Ports Closed" setting is enabled, Nessus won't even run the plugin. However, if this setting is disabled (the default setting in most scan policies), Nessus may start to probe ports that were not specified by the port scan.

Understanding UDP port probes

For port scanning, the UDP protocol is very unreliable. However, Nessus supports it for those customers with specific compliance requirements or unique local environments.

UDP is unreliable because if a port is open, the host is NOT supposed to send a response and if a port is closed, the host is supposed to return an "ICMP Port Unreachable" packet. Since UDP packets can be dropped or a host or network firewall can stop a packet, a scanner that does not get a response for a UDP probe can be fooled into thinking the port is open. Even for closed ports, if a network has implemented outbound ICMP filtering as a security measure, the scanner won't see the "ICMP Port Unreachable" messages.

If the UDP port scanner is enabled, you can specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would type:

T:1-1024,U:300-500

You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol. For example: 

1-1024,T:1024-65535,U:1025

You can also include default in a list of custom ports. For example: 

T:64999,default,U:55550-55555

Note that the default services list in Nessus (discussed above) includes individual definitions for both TCP and UDP ports.
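To make the port-range syntax from the two sections above concrete, here is an added example (not Tenable's code) that expands a policy port string into explicit TCP and UDP port sets. It assumes the nessus-services file uses /etc/services-style "name port/proto" lines and uses a small constructed excerpt in place of the real file; the 'all' keyword covers 0-65535 and unprefixed entries apply to both protocols, as described above.

```python
import re

# Constructed excerpt in the /etc/services-like "name port/proto" form that
# nessus-services is assumed to use; the real file lives at the paths above.
NESSUS_SERVICES_SAMPLE = """\
ftp 21/tcp
ssh 22/tcp
http 80/tcp
domain 53/udp
snmp 161/udp
"""


def load_default_ports(services_text):
    """Return {'tcp': set, 'udp': set} from 'name port/proto' lines."""
    ports = {"tcp": set(), "udp": set()}
    for line in services_text.splitlines():
        m = re.match(r"\s*\S+\s+(\d+)/(tcp|udp)", line)
        if m:
            ports[m.group(2)].add(int(m.group(1)))
    return ports


def expand_port_spec(spec, defaults):
    """Expand a policy port string ('T:1-1024,U:300-500', 'default', 'all')
    into explicit TCP and UDP port sets, rejecting malformed entries."""
    result = {"tcp": set(), "udp": set()}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        protos = ("tcp", "udp")                # unprefixed: both protocols
        if item[:2].upper() in ("T:", "U:"):
            protos = ("tcp",) if item[0].upper() == "T" else ("udp",)
            item = item[2:]
        if item.lower() == "default":         # the common-ports services list
            for p in protos:
                result[p] |= defaults[p]
            continue
        if item.lower() == "all":             # every port, including port 0
            lo, hi = 0, 65535
        elif "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry {item!r}")
        for p in protos:
            result[p].update(range(lo, hi + 1))
    return result
```

Running the expansion before a scan is a cheap way to confirm that a custom range really excludes the ports you intend to leave untouched.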

Explicit control for troubleshooting

Given the complex nature of all the various port scanning options, it can be time consuming to troubleshoot exactly why a scanner is probing a target on a certain port. Nessus offers an engine-level control that prevents communication with a specific port (or range) by using nessusd.rules.

Alternatives to network port scanning

Credentialed assessments

When Nessus can log in to the target, it will attempt to run the equivalent of 'netstat' locally (or use SNMP on network devices) and enumerate ports first before running network port scanners (the default setting in most scan policies). This is much more efficient, as Nessus knows exactly what ports are open without having to test them all individually.

Passive insight

Tenable.sc and Tenable.io customers who have deployed a Nessus Network Monitor (NNM) enjoy continuous monitoring of their network as well as some advantages over active scans. Since the NNM operates 24x7 and watches all traffic, it can see activity on the network that might not be present during an active scan, ports that are not specified in a scan policy or otherwise blocked from the scanner.

Agents

For Tenable.sc or Tenable.io customers, deploying Nessus agents can also be an option to limit the port probing in a traditional Nessus network assessment. By design, Nessus agents don’t perform any network-based testing. They will enumerate local ports, like a credentialed scan does, but they don’t reach out and test ports for vulnerabilities or scan ranges of ports to see what is listening.
