Learn how to scan for security flaws with Nessus

IT departments can easily spend thousands of dollars on software that helps pinpoint network security soft spots. However, Nessus can do the job for free. Here's a detailed look at how to use the Nessus security scanner.

Nessus is a powerful tool for scanning your network and pinpointing security issues such as missing patches and flaws that could be targeted by attackers. In my previous article, I introduced Nessus and explained how it can be a valuable asset. Now, I'm going to show you the specifics of how to use it.

First things first
Before you start scanning your hosts or network, you need to get permission. Anyone running scans without prior notice and permission will be seen as a hacker—no matter how good your intentions are. Scanning can freeze host systems and is visible to IDS devices and sniffers. I strongly suggest that you start scanning in a lab environment before trying this on a live production network. When you are ready to scan production systems, run the scans during nonworking hours (or at least, during less hectic times) and have fellow administrators ready to restart systems or applications if necessary.

Defining your scan
Nessus is highly configurable, as you will see. It's impossible to cover all variations and options in the short span of this article; however, I'll give you an overview that will help you get started. You'll need time and experimentation to really discover what you can do with this tool.

Now on to the fun part. Figure A shows the Nessus Windows client.

Figure A

The first thing you need to do is establish a connection from the client to the server. You'll find two connection options on the Communications menu. Select Connect to open the Connect dialog box (Figure B), where you can enter your username in the Login text box. This is what you'll use if you have more than one user configured on the server. You can choose Quick Connect if you do not want to use individual usernames.

Figure B

You can connect using either the DNS name of your server or the IP address. The default port is 1241, but this is changeable through your server configuration file. Click Connect, and the server will prompt you for your password and authenticate you. You will then see how many plug-ins have been loaded for the client to use during scans.

Now, you need to start a scanning session by selecting from the Session menu. You'll be asked to create a session name when creating a new scan file. Then, you can define the parameters you want to use for this scan in the Session Properties dialog box (Figure C). Click Add to define the host, network, or IP address range you want to scan (Figure D).

Figure C

Figure D

After you define the target, select the Options tab (Figure E).

Figure E

At first, make sure you have the Safe Checks option selected—unless you want to bring the wrath of some poor administrator upon yourself. With this option selected, Nessus relies on service banners to report vulnerabilities instead of actually attempting to exploit the suspected vulnerability to see how far it can be taken.
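To make the banner-only trade-off concrete, here is an added example (not code from the article or from Nessus) of the kind of reasoning a safe check performs: it parses a version out of a service banner and compares it with the version in which a flaw was fixed, without ever touching the suspected flaw. The product names, banners, hosts and "fixed in" versions are all constructed for illustration.

```python
import re

# Constructed sample banners, as a banner-only check would see them
# (hypothetical hosts and products, not real software).
SAMPLE_BANNERS = {
    "10.0.0.5:25": "220 mail.example.test ESMTP ExampleMTA 2.3.1 ready",
    "10.0.0.6:22": "SSH-2.0-ExampleSSH_4.9p1",
    "10.0.0.7:80": "Server: ExampleHTTPd/1.0.2",
    "10.0.0.8:21": "220 FTP service ready",  # discloses no product or version
}

# Constructed "fixed in" versions for the hypothetical products above.
FIXED_IN = {
    "ExampleMTA": (2, 4, 0),
    "ExampleSSH": (5, 0, 0),
    "ExampleHTTPd": (1, 0, 2),
}

BANNER_RE = re.compile(
    r"(ExampleMTA|ExampleSSH|ExampleHTTPd)[_/ ]v?(\d+)\.(\d+)(?:\.(\d+))?"
)


def parse_banner(banner):
    """Return (product, version_tuple) if the banner discloses them, else None."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    product, major, minor, patch = match.groups()
    return product, (int(major), int(minor), int(patch or 0))


def safe_check(banner):
    """Classify a host from its banner alone, never exercising the flaw.

    Because nothing is verified, a banner below the fixed version is only
    'possibly vulnerable' (the fix may have been backported), and a banner
    that hides the version yields no finding at all: this is the price of a
    non-intrusive check, and why the article's Safe Checks option reports
    rather than proves.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    product, version = parsed
    if version < FIXED_IN[product]:
        return "possibly vulnerable"
    return "patched per banner"


def safe_scan(banners=SAMPLE_BANNERS):
    """Run the banner check over every host and return {host: verdict}."""
    return {host: safe_check(banner) for host, banner in banners.items()}
```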

The Port Scan tab (Figure F) allows you to define specific ports or ranges of ports. If you wanted to run a scan on your network or host to find out whether or where a particular service is running—such as SMTP servers—you would click the Configure Services button. This is also where you select specific scanners to use. All port scanners are off by default. To activate them, just highlight and enable them.

Figure F

The Connection tab (Figure G) allows you to use logins and passwords for your scan parameters, as well as to specify encryption methods for your session.

Figure G

In the Plugins tab, click the Configure Plugins button to see how incredibly configurable Nessus can really be. Each plug-in has a default setting that can be changed, and you can use the Configure Plugins dialog box (Figure H) to select the desired plug-ins to fine-tune your scan. For instance, if you know you're scanning a UNIX host, you can disable the Cisco and Windows plug-ins.

Figure H

Executing your scan
Once you've defined your scan, simply double-click its icon to execute it. The scans are saved as part of the database that Nessus creates, called NessusDB. You can view reports at the end of a scan or save them as text files or HTML files. Reports are saved in the NessusWX folder.

Additional report options, such as pie charts, are handy for pitching cases to management-type folks. You can also import the results to a spreadsheet if you want to track results for large scans.

Figure I shows part of the results of a sample scan. The offending service and the severity level are reported, as well as information about the vulnerability. Web links for more in-depth information are often supplied in the Description section.

Figure I

An impressive solution
Worried about running these scans on your network? You shouldn't be, as long as you use common sense, get permission, and work closely with system owners. After all, hackers may have already run the same scans against your network. Just remember, these scans are a snapshot in time. Systems that look secure today may not be secure tomorrow or next week. Security is an ongoing process, not a one-shot deal.

Once you've used Nessus, you can easily see how administrators can put this valuable tool to work. You can pay a lot of money for a commercial product, you can pay someone a lot of money to do it for you, or you can take control and get an excellent picture of vulnerabilities on your own. Nessus is an easy-to-use, up-to-date tool that enables you to find vulnerabilities and check them on a routine basis, and it often points you to resources for fixes. That's pretty impressive for a free tool.
