
Tenable Blog


Configuring The Ports That Nessus Scans

When only select ports require scanning, use these easy steps to define them

When assessing targets with a network scanner like Nessus, a common question is "How do I control the ports that Nessus tests during a scan?" This blog covers a number of options, including:

  • How to limit the port scan

  • Choosing host enumeration

  • Considering unscanned ports closed

  • Addressing UDP ports

  • Explicit port control

  • Alternative options to port scanning


Below, we talk about some of the reasons Nessus sends packets to various ports and how scans can be configured to limit access to specific ports or ranges of ports. This is applicable to any Tenable toolset that uses Nessus in a customizable fashion, like Nessus Professional, Tenable.sc or Tenable.io.

Limiting the port scan

The first setting to review when trying to minimize the ports touched by a Nessus scan is the port scan range. Most Nessus scan policies have the port scan range set to "default." When the keyword 'default' is used, the scanner probes approximately 4,600 common ports. The current list of ports can be found in the nessus-services file on the Nessus scanner at the locations below.

  • Windows: C:\ProgramData\Tenable\Nessus\nessus\nessus-services

  • Mac: /Library/Nessus/run/var/nessus/nessus-services

  • Linux: /opt/nessus/var/nessus/nessus-services

Users can enter more specific ranges and ports into the scan policy, such as "21-80", "21,22,25,80" or "21-143,1000-2000,60000-60005". Doing so causes the port scanner to target only those ports during the port scan.

If required, the keyword 'all' instructs the scanner to scan all 65,536 ports, including port 0. Note that this can greatly increase the scan time of each target and is not a recommended configuration when scanning through network firewalls.

Choosing host enumeration

If an ICMP probe (a ping) or ARP is enabled to discover active hosts, no specific ports are probed. However, if a "TCP Ping" is used to discover a host (the default setting in most scan policies), a small number of ports will be probed. These options are not mutually exclusive; more than one can be enabled at once.

Nessus will also only run subsequent host discovery methods on a target if the previous ones fail or if they’re not enabled.

Considering unscanned ports closed

After a host is discovered and the desired ports are scanned, Nessus attempts to run the enabled plugins against the target. If a plugin would connect to a port that was not covered by the port scan and the "Consider Unscanned Ports Closed" setting is enabled, Nessus won't run that plugin at all. However, if this setting is disabled (the default setting in most scan policies), Nessus may start to probe ports that were not specified in the port scan range.

Understanding UDP port probes

For port scanning, the UDP protocol is very unreliable. However, Nessus supports it for those customers with specific compliance requirements or unique local environments.

UDP is unreliable for port scanning because an open port is NOT supposed to send any response, while a closed port is supposed to return an "ICMP Port Unreachable" packet. Since UDP packets can be dropped, or a host or network firewall can block a probe, a scanner that gets no response for a UDP probe can be fooled into thinking the port is open. Even for closed ports, if a network has implemented outbound ICMP filtering as a security measure, the scanner won't see the "ICMP Port Unreachable" messages.

If the UDP port scanner is enabled, you can specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would type:

T:1-1024,U:300-500

You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol. For example:

1-1024,T:1024-65535,U:1025

You can also include default in a list of custom ports. For example:

T:64999,default,U:55550-55555

Note that the default services list in Nessus (discussed above) includes individual definitions for both TCP and UDP ports.
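To make the port range syntax concrete, the following parser (an added example, not Nessus code) expands a policy string into per-protocol port sets using the rules above: "default", "all", single ports, "a-b" ranges, and "T:"/"U:" prefixes, with unprefixed items applying to both protocols. The nessus-services content is a constructed stand-in, and its "name port/proto" line format is an assumption; on a real scanner you would read the file from one of the paths listed earlier.

```python
import re

# Constructed stand-in for the scanner's nessus-services file ("name port/proto" is assumed);
# the real file lists roughly 4,600 ports, only a handful are shown here.
SAMPLE_NESSUS_SERVICES = """\
ftp 21/tcp
ssh 22/tcp
domain 53/udp
http 80/tcp
snmp 161/udp
"""

def load_default_ports(services_text):
    """Split a nessus-services-style listing into (tcp_ports, udp_ports)."""
    tcp, udp = set(), set()
    for line in services_text.splitlines():
        m = re.match(r"\s*\S+\s+(\d+)/(tcp|udp)\b", line)
        if m:
            (tcp if m.group(2) == "tcp" else udp).add(int(m.group(1)))
    return tcp, udp

def parse_port_spec(spec, default_tcp=frozenset(), default_udp=frozenset()):
    """Expand a Nessus port range string into (tcp_ports, udp_ports).
    Accepts "default", "all", single ports, "a-b" ranges and "T:"/"U:" prefixes;
    an unprefixed item applies to both protocols."""
    tcp, udp = set(), set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        targets = [("tcp", tcp), ("udp", udp)]          # unprefixed: both protocols
        if len(item) > 2 and item[1] == ":" and item[0].upper() in "TU":
            targets = [targets[0 if item[0].upper() == "T" else 1]]
            item = item[2:]
        for proto, ports in targets:
            if item.lower() == "default":               # keyword expands per protocol
                ports.update(default_tcp if proto == "tcp" else default_udp)
            elif item.lower() == "all":                 # 65,536 ports, including port 0
                ports.update(range(0, 65536))
            else:
                m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
                if not m:
                    raise ValueError(f"unrecognised port item: {raw!r}")
                lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
                if not 0 <= lo <= hi <= 65535:
                    raise ValueError(f"port out of range: {raw!r}")
                ports.update(range(lo, hi + 1))
    return tcp, udp
```

Feeding the three policy strings from this section into parse_port_spec shows exactly which TCP and UDP ports each one covers, which is useful when reviewing a policy before a scan reaches a firewalled segment.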

Explicit control for troubleshooting

Given the number of options that influence port scanning, it can be time consuming to troubleshoot exactly why a scanner is probing a target on a certain port. Nessus offers an engine-level control, nessusd.rules, that prevents the scanner from communicating with a specific port (or range) regardless of what the scan policy or plugins request.

Alternatives to network port scanning

Credentialed assessments

When Nessus can log in to the target, it attempts to run the equivalent of 'netstat' locally (or uses SNMP on network devices) to enumerate open ports before running network port scanners (the default setting in most scan policies). This is much more efficient, as Nessus knows exactly which ports are open without having to test them all individually.

Passive insight

Tenable.sc and Tenable.io customers who have deployed a Nessus Network Monitor (NNM) get continuous monitoring of their network as well as some advantages over active scans. Since the NNM operates 24x7 and watches all traffic, it can see activity that might not be present during an active scan, including ports that are not specified in a scan policy or that are otherwise blocked from the scanner.

Agents

For Tenable.sc or Tenable.io customers, deploying Nessus agents can also be an option to limit the port probing in a traditional Nessus network assessment. By design, Nessus agents don’t perform any network-based testing. They will enumerate local ports, like a credentialed scan does, but they don’t reach out and test ports for vulnerabilities or scan ranges of ports to see what is listening.
