Vulnerability Assessment & Scanning Nessus Tutorial

This is the second part of the IT auditing fundamentals series; the first part of this article was covered in the previous issue.

What Nessus is, what it can do, and similar questions were discussed above; from this point on I will demonstrate the best features of Nessus with some examples. Keep in mind that Nessus is available as two feeds: a home feed and a professional feed (which you need to purchase). Figure 6 shows the simple Nessus interface.
Whether you are using the home feed or the professional feed, four policies exist by default:

  • External network scan
  • Internal network scan
  • Prepare for PCI DSS audit
  • Web app test

That is not all: Nessus does not bind you to these policies, it lets you create your own policy according to the requirements of the test. The figure below shows that I have edited the default policies and also created a new policy to match my requirements.
Policies are easy to edit, and while editing one you can choose the scan type, port scanner and performance settings that suit the test:

  • TCP scan: check this option if you want Nessus to scan for open TCP ports.
  • UDP scan: the same for UDP ports; just mark the check box.
  • Ping host: pings the target only to test whether the host is alive or not.
  • SNMP scan: directs Nessus to scan the target for the SNMP service.
  • Netstat SSH scan: tells Nessus to find open ports by running the netstat command (over SSH) on the target.
  • You can also set the port range to scan.
  • The other settings are straightforward, and it is best practice to leave them at their defaults. You can, however, change the performance settings: if you are going to test an enterprise network with more than 100 hosts, change the maximum hosts per scan setting.

The next window is about the credentials.

You can set the credential type like:
  • Windows credentials
  • SSH settings
  • Clear text protocol settings
  • More

The third window is for plugins. Nessus contains a wide range of plugin families, such as:
  • Backdoors
  • CGI scanning
  • Web server scanning
  • Windows
  • SMTP
  • More

Plugins are a wonderful feature that lets an auditor choose the most suitable plugins according to the requirements of the test.

The last window is about preferences. Here you can choose plugin-specific settings; for example, if you want to audit an Oracle database, choose the Oracle settings and supply the Oracle SID, and so on.

Network Vulnerability Scanning Example Test

Now suppose an auditor has to test the internal network. For this purpose the Nessus internal network scan policy is the best choice for a test from behind the firewall, and the default plugin settings are a good starting point. Keep in mind that for an internal test you should enable all the plugins.

On the scan menu add a new scan.

Here I am using the internal scan policy, and for the scan range I have chosen all the hosts of a class C subnet. Launch the scan; it takes some time depending on the number of hosts.

Here is the report.

It shows that four hosts are alive and that they contain a lot of vulnerabilities, some of them high risk. Keep in mind, however, that not every vulnerability has a publicly available exploit. So how do you check which vulnerabilities have a public exploit? It is very simple: at the bottom of the left-hand side click "show filter", then mark the "exploit exist" check box.

Now only the vulnerabilities whose exploits are publicly available are listed, and we can see the details of those exploits: CVE information, vulnerability publication date and more.
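The same "exploit exist" filter can be applied offline to an exported .nessus report, which is useful when you want a remediation-priority list rather than a screenshot. This is an added example, not code from the article or from Nessus; the report below is a constructed sample in the Nessus v2 export format (the `exploit_available`, `cve`, `risk_factor` and `vuln_publication_date` elements are the ones Nessus writes), and the hosts and CVE ids are placeholders:

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Nessus v2 export (.nessus); addresses are from the
# documentation range and the CVE ids are placeholders, not real findings.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="internal scan">
<ReportHost name="192.0.2.10">
<ReportItem port="445" protocol="tcp" severity="4" pluginName="SMB placeholder">
<risk_factor>Critical</risk_factor><exploit_available>true</exploit_available>
<cve>CVE-0000-0001</cve><vuln_publication_date>2017/03/14</vuln_publication_date>
</ReportItem>
<ReportItem port="22" protocol="tcp" severity="3" pluginName="SSH placeholder">
<risk_factor>High</risk_factor><exploit_available>false</exploit_available>
</ReportItem>
</ReportHost>
<ReportHost name="192.0.2.11">
<ReportItem port="80" protocol="tcp" severity="3" pluginName="Web placeholder">
<risk_factor>High</risk_factor><exploit_available>true</exploit_available>
<cve>CVE-0000-0002</cve><cve>CVE-0000-0003</cve>
<vuln_publication_date>2019/01/08</vuln_publication_date>
</ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""

def exploitable_findings(nessus_xml, min_severity=3):
    """Findings flagged exploit_available=true with severity >= min_severity
    (Nessus severity: 0 info, 1 low, 2 medium, 3 high, 4 critical),
    ordered most severe first, then by oldest publication date."""
    root = ET.fromstring(nessus_xml)
    found = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            # Items without the element (no known public exploit) are skipped.
            if item.findtext("exploit_available", "false") != "true":
                continue
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            found.append({
                "host": host.get("name"),
                "port": item.get("port") + "/" + item.get("protocol"),
                "severity": sev,
                "risk": item.findtext("risk_factor", ""),
                "plugin": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],
                "published": item.findtext("vuln_publication_date", ""),
            })
    found.sort(key=lambda f: (-f["severity"], f["published"]))
    return found
```

Findings that are both severe and long-published come out first, which is the order in which patching should be scheduled.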

Let us recall the Zenmap result: you can integrate nmap (Zenmap) results into Nessus for maximum performance, which is why I discussed Zenmap earlier. On the Nessus scan window simply browse to the target file and import the nmap result into Nessus.
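If the nmap run was saved as XML (`-oX`, which is what Zenmap keeps), the hosts it found alive can be turned into a plain one-host-per-line target list for Nessus, restricted to the subnet the audit was authorised for. This is an added example, not code from the article or from either tool; the nmap XML below is a constructed sample, and the `scope` check is an assumption about how you want to bound the target list:

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed nmap/Zenmap XML output (-oX) for three hosts; one host is down.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
<host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports><port protocol="tcp" portid="80"><state state="closed"/></port></ports></host>
</nmaprun>"""

def live_hosts_from_nmap(xml_text, scope=None):
    """Hosts nmap reported 'up', as a dict addr -> sorted open port numbers.
    scope (optional) is a CIDR string; hosts outside it are dropped so the
    generated target list cannot drift beyond the authorised range."""
    net = ipaddress.ip_network(scope) if scope else None
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # Take the IP address, ignoring MAC entries nmap adds on a local LAN.
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None or (net and ipaddress.ip_address(addr) not in net):
            continue
        open_ports = sorted(
            int(p.get("portid")) for p in host.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open")
        hosts[addr] = open_ports
    return hosts

def nessus_target_list(hosts):
    """One target per line, the plain target-file format Nessus accepts."""
    return "\n".join(hosts) + "\n"
```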

That's all; I hope you have enjoyed it.

Ehacking Staff