Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

  • Twitter
  • Facebook
  • LinkedIn

Scanning Large Networks with Nessus


The first time I was asked to scan a Class B network, my initial reaction was “Are you kidding me?” I actually thought it was a trick question to see how I reacted to unexpected situations. I had just two weeks to develop a strategy and perform the scan. This seemed to be a daunting task.

Ten years later, I had provided assessments for Class B (or bigger) networks over a dozen times, mostly for government agencies and the occasional university. Performing an audit of tens of thousands of IP addresses is no different from any other audit, unless time is restrictive. Large IP blocks in small time periods require you to revise your normal assessment methodology. Where you typically scan 65,535 ports on a machine, you may only be able to scan a dozen or two. Instead of examining every open port on a machine, time constraints may force you to focus on low-hanging fruit and services that are prone to high-risk vulnerabilities.

Developing a Methodology

Thinking about the polar opposites in assessment, you have a single IP address on one side, and a Class B network on the other. Adjusting your methodology to account for the number of machines becomes a balancing act between allotted time and number of targets. As the number of systems to scan increases, while the time allocated to scan remains constant, the amount of time per system must decrease.

To focus on a large amount of systems in a relatively small amount of time, you must greatly cut back on the time spent per system. This starts with deciding which ports are the most important to look for. When you create a short list of interesting ports, remember that adding or subtracting one port can drastically affect the time involved in the discovery phase. Even if you assume a single second per port discovery, adding a single port could cause your discovery port scan to extend by around 18 hours, seriously affecting your allotted scanning window.

The steps of discovery scanning must consider what 65,535 hosts mean in terms of time involved:

  • Host discovery (ping) [65536 hosts @ 1sec per host = ~ 18 hours]
  • Port discovery (scanner) [1 port @ 1sec per port, 65536 hosts = ~ 18 hours per port]
  • Banner recon (scanner) [1 service @ 2 sec per port, 10 services per host @ 65536 hosts = ~ 15 days]

Of course, the odds of finding a class B with 65,535 hosts all up, each with 10 services is about as great as winning the lottery four times. Not knowing the number of hosts that are alive or how many common services that may be there can swing your discovery time between a couple of days to a week. It is a serious challenge to perform a large-scale assessment in just two weeks when half the time is burned just figuring out what hosts are present. These radical time swings require that you use multiple scanners to perform such an assessment. Where one port could increase the scan time by 18 hours, it would only increase it by 9 hours if two scanners were used, 6 hours if three scanners, and so on.

Once you have determined which hosts are alive via pings and port scans, you must determine the extent of the assessment to be performed. This includes determining which ports need to be tested for vulnerabilities and if you are only interested in a specific risk level or higher.

Using Nessus to Implement the Methodology

Nessus is a network vulnerability scanner first and foremost. While it has depth and diversity in offering configuration audits, credentialed scans and web application testing, it has been focused on network scanning for over a decade. That makes it an ideal tool to perform large-scale assessments. With such a large IP address space, it is highly recommended that you leverage multiple Nessus scanners to perform the work. Dividing the targets up evenly between each scanner increases the efficiency of the assessment and allows you to look for more open ports and vulnerabilities.

There are two general ways to utilize Nessus to leverage the methodology as described above. First, you can create a single scan policy that performs all of the required functions including discovery, scanning a handful of ports and using specific plugins. Such a policy would be convenient and easy to manipulate should a repeat scan be required. However, putting everything into one policy is not efficient. If any adjustments need to be made to the policy, you would have to start over from the beginning or only have the changes used for remaining hosts that have not been scanned yet. If time is not a factor and the scan options are not subject to change, a single policy is a viable option.

The second option is to create one policy for each phase of the methodology. This involves separate policies for host discovery, port scanning and vulnerability checks. Using one policy at a time to refine the target list allows for efficient scans and the ability to make adjustments to the next policy based on previous results.

The first policy would focus on simple host discovery using ‘ping’ and no additional port scanners. This policy would not utilize any plugins or port scanners:


Note: Under Policy -> Preferences -> Ping the remote host, make sure that “Log live hosts in the report” is selected:


The next policy focuses on port scanning to look for important services or those frequently found with vulnerabilities. By selecting a small list of ports, we can quickly scan tens of thousands of hosts in a relatively short amount of time. This policy would be applied to a list of hosts found during the host discovery phase.


The third policy looks for vulnerabilities in the services previously found. The exact list of vulnerabilities will vary depending on the services you looked for, the nature of the services and the time involved. While we looked for web servers on port 80 and 443 in the previous policy, attempting to enable all web server related checks (i.e., server, CGI, CGI XSS) would significantly increase the time required to perform the scan. Carefully selecting plugins to look for specific information, high-risk vulnerabilities and “low hanging fruit” (vulnerabilities that are trivial to exploit) allows us to conduct a meaningful and helpful assessment despite the large number of systems and typically small time frames.


The final challenge is to put the results of all scans into meaningful reports to assist the organization. Exporting the results and sharing with administrators lets them import the data into their own Nessus scanner and use the report filtering to work with the data.

Tips and Tricks

Scanning large networks will always be a balance between how much you can scan versus the allocated time window. Using extra scanners will allow you to perform a significant amount of additional assessment work. Refining your scans to suit the target environment will produce more accurate data. If you know the target network is purely a Windows environment, removing services that are generally not found on that operating system (e.g., SSH) can save time and let you look for additional Windows-specific services.

Before beginning a project of this nature, have a lengthy and frank talk with the client or management. Make sure they understand the limitations of this type of assessment. Provide reasonable estimates based on your resources and ask if that is what they will find useful. Try to elicit additional information about the network and their concerns and use the information to refine your scans. A Linux heavy shop with extensive SSL protected web servers and MySQL databases requires a slightly different policy than a Windows heavy shop with only HTTP servers and a huge Oracle installation.

Managing the scan data for a large number of hosts can be a burden. Using SecurityCenter (SC) to manage the scans and data can provide you not only with a single place to house the data, but advanced reporting ability as well as historical trending data. If you are required to run large scans periodically to determine not only the vulnerabilities present, but to also verify patches are being applied, SecurityCenter can manage multiple Nessus scanners and correlate all the data into a comprehensive report.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try for Free Contact Sales

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.