Configuring The Ports That Nessus Scans
When only select ports require scanning, use these easy steps to define them
When assessing targets with a network scanner like Nessus, a common question is "How do I control the ports that Nessus tests during a scan?" This blog covers a number of options, including:
- How to limit the port scan
- Choosing host enumeration
- Considering unscanned ports closed
- Addressing UDP ports
- Explicit port control
- Alternative options to port scanning
Below, we talk about some of the reasons Nessus sends packets to various ports and how scans can be configured to limit access to specific ports or ranges of ports. This is applicable to any Tenable toolset that uses Nessus in a customizable fashion, like Nessus Professional, Tenable.sc or Tenable.io.
Limiting the port scan
The first setting to review, in an effort to minimize the ports touched by a Nessus scan, is the port scan range. Most Nessus scan policies have the port scan range set to "default." When set using the keyword 'default,' the scanner will scan approximately 4,600 common ports. The current list of ports can be found in the nessus-services file on the Nessus scanner at the locations below.
Users can enter more specific ranges and ports into the scan policy, such as "21-80", "21,22,25,80" or "21-143,1000-2000,60000-60005". Doing so will cause the port scanner to target just those ports during the port scan.
If required, 'all' instructs the scanner to scan all 65,536 ports, including port 0. Note that this can greatly increase the scan time of each target and is not a recommended configuration when scanning through network firewalls.
Choosing host enumeration
If an ICMP probe (a ping) or ARP is enabled to discover active hosts, then no specific ports are probed. However, if a "TCP Ping" is used to discover a host (the default setting in most scan policies), then a small number of ports will be probed. These options are not exclusive; several can be enabled at once.
Nessus will also only run subsequent host discovery methods on a target if the previous ones fail or if they're not enabled.
Considering unscanned ports closed
After a host is discovered and the desired ports are scanned, Nessus will attempt to run the enabled plugins against the target. If a plugin attempts to connect to a port that was not in the port scan range and the "Consider Unscanned Ports Closed" setting is enabled, Nessus won't run the plugin at all. However, if this setting is disabled (the default setting in most scan policies), Nessus may start to probe ports that were not specified by the port scan.
Understanding UDP port probes
For port scanning, the UDP protocol is very unreliable. However, Nessus supports it for those customers with specific compliance requirements or unique local environments.
UDP is unreliable because if a port is open, the host is NOT expected to send a response, and if a port is closed, the host is supposed to return an "ICMP Port Unreachable" packet. Since UDP packets can be dropped, or a host or network firewall can stop a packet, a scanner that gets no response to a UDP probe can be fooled into thinking the port is open. Even for closed ports, if a network has implemented outbound ICMP filtering as a security measure, the scanner won't see the "ICMP Port Unreachable" messages.
If the UDP port scanner is enabled, you can specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would type:
You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol. For example:
You can also include default in a list of custom ports. For example:
Note that the default services list in Nessus (discussed above) includes individual definitions for both TCP and UDP ports.
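To make the port-range rules above concrete, here is an added Python example (not code from Tenable or from this post) that expands a Nessus-style port scan range string into separate TCP and UDP port sets, and then answers the troubleshooting question "is this port in scope for this protocol?". It assumes the documented Nessus syntax in which comma-separated items may carry a `T:` or `U:` prefix to restrict them to one protocol, and that the keywords `default` and `all` may appear alongside explicit ranges; since the real ~4,600-port 'default' list lives in nessus-services on the scanner and is not reproduced here, `DEFAULT_PORTS_PLACEHOLDER` is a small constructed stand-in.

```python
"""Expand a Nessus-style port scan range into per-protocol port sets.

Assumed syntax (from Nessus documentation, not from this post):
  "21-80"                      both protocols, ports 21 through 80
  "T:1-1024,U:300-500"         different ranges per protocol
  "1-1024,T:1024-65535,U:1025" shared range plus per-protocol extras
  "default,U:1024"             the built-in list plus an extra UDP port
"""
from dataclasses import dataclass, field
from typing import Iterable, Set, Tuple

# Constructed placeholder for the ~4,600-port 'default' list that the real
# scanner reads from its nessus-services file.
DEFAULT_PORTS_PLACEHOLDER: Set[int] = {
    21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389,
}

MAX_PORT = 65535  # 'all' covers 0..65535, i.e. 65,536 ports


@dataclass
class PortSelection:
    """Ports the port scanner will target, split by transport protocol."""
    tcp: Set[int] = field(default_factory=set)
    udp: Set[int] = field(default_factory=set)


def _expand_range(item: str) -> Set[int]:
    """Turn '80' or '21-143' into a set of ports, rejecting out-of-bounds values."""
    if "-" in item:
        lo_text, hi_text = item.split("-", 1)
        lo, hi = int(lo_text), int(hi_text)
    else:
        lo = hi = int(item)
    if not (0 <= lo <= hi <= MAX_PORT):
        raise ValueError(f"port range out of bounds: {item!r}")
    return set(range(lo, hi + 1))


def expand_port_spec(spec: str,
                     default_ports: Iterable[int] = DEFAULT_PORTS_PLACEHOLDER
                     ) -> PortSelection:
    """Parse a comma-separated port scan range string into TCP and UDP sets."""
    selection = PortSelection()
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue  # tolerate trailing commas and doubled separators
        protocols: Tuple[str, ...] = ("tcp", "udp")  # unprefixed items apply to both
        if ":" in token:
            prefix, token = token.split(":", 1)
            prefix = prefix.strip().upper()
            if prefix == "T":
                protocols = ("tcp",)
            elif prefix == "U":
                protocols = ("udp",)
            else:
                raise ValueError(f"unknown protocol prefix: {prefix!r}")
        token = token.strip().lower()
        if token == "default":
            ports = set(default_ports)
        elif token == "all":
            ports = set(range(0, MAX_PORT + 1))
        else:
            ports = _expand_range(token)
        for proto in protocols:
            getattr(selection, proto).update(ports)
    return selection


def in_scope(selection: PortSelection, protocol: str, port: int) -> bool:
    """Troubleshooting aid: was this protocol/port pair part of the port scan range?

    A probe outside the range usually comes from a plugin running with
    "Consider Unscanned Ports Closed" disabled, not from the port scanner.
    """
    return port in getattr(selection, protocol.lower())


if __name__ == "__main__":
    sel = expand_port_spec("1-1024,T:1024-65535,U:1025")
    print(len(sel.tcp), "TCP ports;", len(sel.udp), "UDP ports")
    print("UDP/161 in scope:", in_scope(sel, "udp", 161))
    print("UDP/2000 in scope:", in_scope(sel, "udp", 2000))
```

When a finding references a port you never listed, run the policy's port range through `expand_port_spec` and check `in_scope` for the exact protocol; if it returns False, the probe came from a plugin rather than the port scanner, which points you at the "Consider Unscanned Ports Closed" setting or, for a hard block, at nessusd.rules.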
Explicit control for troubleshooting
Given the number of interacting port scanning options, it can be time consuming to troubleshoot exactly why a scanner is probing a target on a certain port. Nessus offers an engine-level control, the nessusd.rules file, that prevents the scanner from communicating with a specific port (or range) regardless of the scan policy.
Alternatives to network port scanning
When Nessus can log in to the target, it will attempt to run the equivalent of 'netstat' locally (or use SNMP on network devices) and enumerate ports first, before running network port scanners (the default setting in most scan policies). This is much more efficient, as Nessus knows exactly which ports are open without having to test them all individually.
Tenable.sc and Tenable.io customers who have deployed a Nessus Network Monitor (NNM) enjoy continuous monitoring of their network as well as some advantages over active scans. Since NNM operates 24x7 and watches all traffic, it can see activity on the network that might not be present during an active scan, including ports that are not specified in a scan policy or are otherwise blocked from the scanner.
For Tenable.sc or Tenable.io customers, deploying Nessus agents can also be an option to limit the port probing in a traditional Nessus network assessment. By design, Nessus agents don't perform any network-based testing. They will enumerate local ports, like a credentialed scan does, but they don't reach out and test ports for vulnerabilities or scan ranges of ports to see what is listening.
- Tenable Community: List of ports in Nessus defined by Port Scan Range 'default'
- Tenable Community: What ports does 'built-in' represent?
- Tenable Community: Ping Type Order/Hierarchy
- Tenable Community: What is the nessusd.rules file?
- Tenable Community: Phases of a vulnerability scan
- Tenable Community: Why is Nessus Scanning Ports Outside of the Port Range?
- Tenable Community: Tenable Scan Strategy Guide
- Tenable Blog: 4 Ways to Improve Nessus Scans Through Firewalls
- Documentation: Nessus Scan Policy Discovery Settings