
Nessus: Mythbusters Edition

I've recently been doing a bit of research into the history of Nessus. I discovered that the first version of Nessus was published in 1998, and any time software has been around for that long there are bound to be some myths and misconceptions that develop as fast as new features over the years. This post will explain some common myths and set the record straight.

[Image: BlowUpMyth.jpg]

While we did not generate any large explosions for this post, I dove across the office, just because.

Myth #1: "Installing Nessus from your Linux distribution's repository installs the latest version of Nessus"

Depending on which Linux distribution you are running, and which version of the distribution you have installed, you may be able to install a package called "nessus" from the package repository. Many people believe that this process installs a recent version of Nessus, but it does not. Typically distributions will include a 2.x version of Nessus in the repository. The current version of Nessus is 4.4.0 and can only be downloaded from http://www.nessus.org or from the Tenable Customer Support Portal. To give some background, the following is a brief history of Nessus versions:

  • 1998 - Nessus alpha1 - Student project, announced on the Bugtraq mailing list
  • May 2000 - Nessus 1.0 - First stable version
  • February 2003 - Nessus 2.0 - New NASL engine
  • October 2004 - Nessus 2.2 - Ability to log into hosts via SSH, last GPL version
  • December 2005 - Nessus 3.0 - NASL3 engine introduced
  • April 2009 - Nessus 4.0 - Thread-based model, 64-bit support
  • November 2009 - Nessus 4.2 - Nessus API, user interface, reports, and policies stored on server
  • November 2010 - Nessus 4.4 - Lower memory usage, scheduling, reporting enhancements

You can also review the article "Why Upgrade to Nessus 4?" for a detailed look at the improvements between versions, including a performance analysis between Nessus 2 and Nessus 4.

Myth #2: "Nessus uses Nmap as a scanning engine"

Prior to Nessus 2.2.0, small portions of code from Nmap 1.x were used in an early port scanning plugin. Nessus also used (and still does to this day) its own port scanning engine, including the SYN scanner that was included in the first versions of Nessus. While Nmap is a fantastic port scanner (and so much more!), Nessus has never included or used Nmap as a port scanner by default.

There are two Nessus plugins that can integrate Nmap: one to run Nmap alongside Nessus, and one to import results. For more information, see "When, how and why (not) to use Nmap within Nessus".

If you do need to import Nmap results, I suggest installing nmapxml.nasl. There are some cases where someone will already have run an Nmap scan, and it’s useful to import the results into Nessus to run vulnerability scans against the list of hosts.

Note: You can find more information in the post titled "Using Nmap Results With Nessus Batch Scanning".
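As an added illustration of the import case above (this is example code, not Tenable's nmapxml.nasl plugin), the following reads Nmap's XML output, keeps only the hosts Nmap saw as up, and produces the host list you would hand to a Nessus scan. The XML sample is constructed for the example.

```python
"""Added example, not Tenable's nmapxml.nasl: pull live hosts and open ports
out of Nmap -oX output so the host list can be handed to a Nessus scan."""
import xml.etree.ElementTree as ET

# Constructed Nmap XML: two hosts that answered and one that did not.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.21">
 <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="closed"/></port>
  </ports></host>
 <host><status state="down"/><address addr="192.0.2.2" addrtype="ipv4"/></host>
 <host><status state="up"/><address addr="192.0.2.3" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac"/>
  <ports><port protocol="udp" portid="161"><state state="open|filtered"/>
   <service name="snmp"/></port></ports></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {ip: [(proto, port, state, service), ...]} for hosts Nmap saw as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # Nmap marked the host down; nothing to scan
        # Use the IP address, not the MAC address Nmap also records for LAN hosts.
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            entries.append((port.get("protocol"), int(port.get("portid")),
                            port.find("state").get("state"),
                            svc.get("name") if svc is not None else ""))
        hosts[addr.get("addr")] = entries
    return hosts

def scan_targets(hosts):
    """Sorted IPs with at least one port in an open or open|filtered state,
    i.e. the hosts worth handing to a Nessus vulnerability scan."""
    return sorted(ip for ip, ports in hosts.items()
                  if any(state.startswith("open") for _, _, state, _ in ports))
```

Write the returned list one address per line and it can be used directly as a Nessus target file.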

Myth #3: "Nessus does not support IPv6"

Nessus will scan IPv6 hosts, provided the scanning engine is running on either Linux or a Mac OS X system with IPv6 enabled. See the post titled "Nessus 3.2 BETA - IPv6 Scanning".

Microsoft Windows lacks some of the key APIs needed for IPv6 packet forgery (e.g., obtaining the router's MAC address, reading the routing table, etc.). This prevents the port scanner from working properly on that platform; adding IPv6 scanning support for Nessus servers running on Windows is planned for a future release.

Myth #4: "Nessus scans only network services, not web applications."

In June 2009, Tenable released a major overhaul of the web application scanning functionality of Nessus. Since then Nessus has continued to implement web application scanning features that use fuzzing techniques to find custom vulnerabilities in applications. Nessus has several ways to enumerate vulnerabilities in web applications:

  • Known Web Application Vulnerabilities - Nessus contains over 2,523 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses : XSS" plugin families is written to enumerate vulnerabilities that have been previously reported in a web application product (open-source or commercial).
  • Previously Unknown Web Application Vulnerabilities - This level of scanning uses various fuzzing and other enumeration techniques to detect vulnerabilities not yet discovered. Each parameter of the web application is tested for SQL injection, cross-site scripting and a large number of other common, and not-so-common, web application attacks.
  • Vulnerabilities in the Platform - Nessus will remotely find vulnerabilities in web application frameworks (e.g., PHP, .NET, etc.), web servers (e.g., Apache, IIS, etc.), and databases (e.g., MySQL, PostgreSQL, etc.). Furthermore, you can use Nessus to perform local patch checking and configuration auditing of the systems and applications in use.

Myth #5: "Nessus only scans devices across the network"

Along those lines, one of the more powerful features in Nessus is the ability to audit patches and configurations locally. Rather than perform the entire scan of the device(s) across the network, which consumes some bandwidth and has the potential to "aggravate" a target, Nessus can log into the target and check the configuration locally. Tenable currently supports the following platforms with respect to local patch checking:

  • Linux (Various distributions)
  • Windows (All supported platforms)
  • VMware ESX
  • HP-UX
  • Solaris
  • Mac OS X
  • Databases (Oracle, MSSQL and more)

Nessus can also perform configuration auditing: it reviews the configuration of an operating system or application and compares it to a known standard. Nessus supports many different operating systems and applications, including Cisco IOS, CIS Benchmarks and more. A great example of this capability in action is included in the post titled "Auditing Linux, Apache, & MySQL Against CIS Benchmarks".
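To show the configuration-auditing idea in working code (an added example, not Tenable's .audit file format or any plugin), the following parses an sshd_config-style file and grades each option against a hardening policy, falling back to the option's default when it is commented out or absent. The config fragment, the policy and its defaults are constructed for the example.

```python
"""Added example of the configuration-auditing idea (not Tenable's .audit
file format): parse an sshd_config-style file and compare it to a policy."""

# Constructed sshd_config fragment to audit.
SAMPLE_SSHD_CONFIG = """# sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#X11Forwarding yes
MaxAuthTries 6
"""

# Policy: option -> (expected, default when absent). Expected is an exact value
# or ("max", n) for an integer ceiling. Defaults are illustrative assumptions.
POLICY = {
    "Protocol": ("2", "2"),
    "PermitRootLogin": ("no", "yes"),
    "PasswordAuthentication": ("no", "yes"),
    "X11Forwarding": ("no", "no"),
    "MaxAuthTries": (("max", 4), "6"),
}

def parse_keyword_config(text):
    """Parse 'Keyword value' lines, ignoring comments and blanks. Keywords are
    case-insensitive and the first occurrence wins, as in sshd itself."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def meets(observed, expected):
    """Case-insensitive match, or an integer upper bound for ("max", n)."""
    if isinstance(expected, tuple) and expected[0] == "max":
        return observed.isdigit() and int(observed) <= expected[1]
    return observed.lower() == expected.lower()

def audit(settings, policy):
    """Return {option: (status, observed)}; absent options are judged by default."""
    results = {}
    for key, (expected, default) in policy.items():
        observed = settings.get(key.lower(), default)
        results[key] = ("PASS" if meets(observed, expected) else "FAIL", observed)
    return results
```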
