Nessus is a powerful, cross-platform network scanner that does many things. Of those many things, most people use it as a network vulnerability scanner, and Nessus does that very well. But Nessus doesn’t have to be limited to network security.

Of the many features Nessus has, the one I tend to use the most is network mapping. By using Nessus to scan your network, you can save the results, giving you an outstanding map of your current network. It’s an easy way to keep track of how many systems you have, what systems are deployed, what current IP addresses each system is assigned, and what ports are open on each system. It’s not difficult either.

This blog post is also available in PDF format in a TechRepublic download.

Firing up Nessus

I am going to assume you have Nessus up and running on your Windows system.

Editor’s Note: If you don’t, you can download the correct version of Nessus for your OS and install it. The install should be your basic start-the-installer-and-follow-the-wizard routine.

When you start Nessus, it will open up to the main window, shown in Figure A.

Figure A

There are a few steps to undertake before you are actually scanning.

From the main window, the first thing you need to do is to add a target to scan. A target can be a single address, a range of addresses, a subnet, or hosts from a file. Let’s set up a scan for a range of addresses.

To set up a scan for a range of addresses, first click the “+” button under the Networks to Scan section. When the new window opens (Figure B), select IP Range under the Scan section. Once IP Range is selected, a previously grayed-out section will allow you to enter two bits of data: Start Address and End Address.

Figure B

These fields should be completed with internal IP addresses such as

For a sample scan, the value of will be entered for the Start Address and will be entered for the End Address. Click Save to save this information.

Now, before you can select a scan policy, Nessus has to connect to a Nessus server. Click on the Connect button, from the main window, to open up the Connection Manager (Figure C). The default is to connect to localhost, which is hosting the Nessus client. Select localhost and then click Connect.

Figure C

If you need to connect to a remote Nessus server, select the “+” sign and enter the correct information.

Once you have connected to the server, you can then select, edit, or add a scan policy. By default there are two policies: Default Scan Policy and Microsoft Patches. The Default Scan Policy is the best route because it is more in tune with networks that employ many types of operating systems and devices. The most likely configuration option you will want to edit will be in the Options tab of the Policy Editor (Figure D).

Figure D

To get to the Policy Editor, select a policy from the main window and click the Edit button.

In the Options section, the type of Port Scanner can be selected. The options available are: SNMP scanner, TCP scanner, Netstat scanner, ping, SYN scan, and LaBrea tarpit scan.

Once you have taken care of the necessary options, click Save to return to the main window. The scan is ready. Click the Scan Now button to begin the scan.

With the scan started, the discovered systems will appear in the left pane of the Report tab in the main window. Depending on the size of the scan, this can take some time. Figure E shows results appearing in the scan.

Figure E

As you can see, the information isn’t yet complete on any system.

During the scan, you can expand an IP address to give you information about currently open ports. If you click on an open port, you will see a very complete description of that port, risk factor, plugin, and output. This, of course, is not the information we are looking for.

Scan results

Once your scan is complete, to make use of the results, click the Export button on the main window. This will open up a new window asking for a file name and file type. For file type, you have three options: .html, .nbe, and .nsr. The latter two options are both Nessus proprietary formats. Select .html, give the file a name, and click Save.

Once the results are saved, it is time to take a look. Open up Firefox (or another browser) and open up the results file. The first thing you will see is the listing of discovered hosts (Figure F).

Figure F

In this listing, the severity of any problems is shown.

Scroll down through the file to find a detailed description of the various discovered hosts. Figure G shows the details of a Linux machine found on the network. In this listing, it shows the machine is an Ubuntu 8.10 machine running the 2.6.27-7 kernel.

Figure G

Below the basic information are more details than you might ever need about the machine.

Scroll down through the rest of the report to discover exactly how many machines are up on this network, what operating systems are on the network, and what devices are on the network. Figure H shows an Apple Airport running on the network at IP address

Figure H

The Apple Airport is shown with medium-level vulnerabilities.

And there you have it, a complete map of your network as well as the vulnerabilities associated with each device.

Final thoughts

Now that you have an HTML file you can browse, with a bit of ingenuity, you can strip all unnecessary information out to show only the IP address and OS (or whatever bits of information you need). This is an incredible tool that can quickly create a network map to help you keep track of all machines as well as all problems on your network.
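One way to do that stripping, as an added example that is not part of the original post: rather than scraping the HTML, this reads the .nbe export and reduces it to one row per host (IP address, OS, open ports, worst severity). The pipe-delimited .nbe layout, the severity labels, the "Remote operating system :" text and all function names are assumptions, and the sample data is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample. Assumed .nbe layout, one pipe-delimited record per line:
#   results|network|host|port                        (open port)
#   results|network|host|port|plugin|severity|text   (plugin finding)
SAMPLE_NBE = r"""timestamps|||scan_start|Mon Jan  5 10:00:00 2009|
results|192.168.1|192.168.1.10|ssh (22/tcp)
results|192.168.1|192.168.1.10|general/tcp|11936|Security Note|Remote operating system : Linux Kernel 2.6 on Ubuntu 8.10\nConfidence Level : 95\n
results|192.168.1|192.168.1.20|snmp (161/udp)|10264|Security Warning|SNMP agent answered with a default community name\n
results|192.168.1|192.168.1.20|www (80/tcp)
timestamps|||scan_end|Mon Jan  5 10:20:00 2009|
"""

# Assumption: the OS fingerprint appears in plugin text in this form.
OS_RE = re.compile(r"Remote operating system\s*:\s*([^\\\n]+)")
PORT_RE = re.compile(r"\((\d+)/(tcp|udp)\)")
RANK = {"none": 0, "Security Note": 1, "Security Warning": 2, "Security Hole": 3}

def build_inventory(nbe_text):
    """Collect OS, open ports and worst severity per host."""
    hosts = defaultdict(lambda: {"os": "unknown", "ports": set(), "worst": "none"})
    for line in nbe_text.splitlines():
        f = line.split("|", 6)  # the text field may itself contain '|'
        if len(f) < 4 or f[0] != "results":
            continue  # timestamps and malformed lines
        host = hosts[f[2]]
        port = PORT_RE.search(f[3])
        if port:
            host["ports"].add((int(port.group(1)), port.group(2)))
        if len(f) == 7:
            if RANK.get(f[5], 0) > RANK[host["worst"]]:
                host["worst"] = f[5]
            found = OS_RE.search(f[6])
            if found:
                host["os"] = found.group(1).strip()
    return hosts

def _host_key(name):
    try:
        return (0, int(ipaddress.ip_address(name)), "")
    except ValueError:  # target recorded by hostname
        return (1, 0, name)

def network_map(nbe_text):
    """Return (host, os, ports, worst severity) rows sorted by address."""
    inv = build_inventory(nbe_text)
    return [(h, inv[h]["os"], [f"{n}/{p}" for n, p in sorted(inv[h]["ports"])],
             inv[h]["worst"]) for h in sorted(inv, key=_host_key)]

if __name__ == "__main__":
    for row in network_map(SAMPLE_NBE):
        print(*row, sep="\t")
```

Saving the rows from each scan and comparing them against the previous run shows new hosts and newly opened ports between scans.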
