Appearance
Nessus Cheat Sheet
Overview
Nessus is a comprehensive vulnerability assessment platform developed by Tenable that provides enterprise-grade security scanning capabilities for identifying, analyzing, and prioritizing security vulnerabilities across network infrastructure, web applications, databases, and cloud environments. As one of the most widely deployed vulnerability scanners in the cybersecurity industry, Nessus combines advanced scanning techniques with extensive vulnerability intelligence to deliver accurate and actionable security assessments. The platform supports both authenticated and unauthenticated scanning methodologies, enabling security teams to conduct thorough assessments of internal and external assets while minimizing false positives and providing detailed remediation guidance.
The Nessus architecture consists of multiple components including the Nessus Scanner engine, Nessus Manager for centralized management, and various client interfaces for configuration and reporting. The scanner engine utilizes a comprehensive plugin framework with over 100,000 vulnerability checks covering operating systems, network services, web applications, databases, and specialized industrial control systems. This extensive plugin library is continuously updated by Tenable's research team to address emerging threats and newly discovered vulnerabilities, ensuring that organizations maintain current visibility into their security posture. The platform's intelligent scanning capabilities include adaptive scanning techniques that adjust scan intensity based on target responsiveness and network conditions.
Nessus provides advanced features for enterprise security programs including compliance auditing against industry standards such as PCI DSS, HIPAA, and CIS benchmarks, integration with vulnerability management workflows, and comprehensive reporting capabilities for technical and executive audiences. The platform supports distributed scanning architectures for large environments, API integration for automation and orchestration, and advanced configuration options for specialized scanning requirements. With its proven track record in enterprise environments and continuous innovation in vulnerability detection techniques, Nessus remains a cornerstone tool for organizations implementing comprehensive vulnerability management programs and maintaining robust security postures.
Installation
Nessus Professional Installation
Installing Nessus Professional on various platforms:
bash
# Ubuntu/Debian Installation
# Download Nessus from Tenable website
wget https://www.tenable.com/downloads/api/v1/public/pages/nessus/downloads/[VERSION]/Nessus-[VERSION]-ubuntu1404_amd64.deb
# Install Nessus package
sudo dpkg -i Nessus-[VERSION]-ubuntu1404_amd64.deb
# Start Nessus service
sudo systemctl enable nessusd
sudo systemctl start nessusd
# Check service status
sudo systemctl status nessusd
# Access web interface
# Navigate to https://localhost:8834
# CentOS/RHEL Installation
# Download RPM package
wget https://www.tenable.com/downloads/api/v1/public/pages/nessus/downloads/[VERSION]/Nessus-[VERSION]-es7.x86_64.rpm
# Install package
sudo rpm -ivh Nessus-[VERSION]-es7.x86_64.rpm
# Start service
sudo systemctl enable nessusd
sudo systemctl start nessusd
# Configure firewall
sudo firewall-cmd --permanent --add-port=8834/tcp
sudo firewall-cmd --reload
# Windows Installation
# Download Windows installer from Tenable
# Run installer as Administrator
# Follow installation wizard
# Access via https://localhost:8834
# macOS Installation
# Download macOS installer
# Mount DMG file
# Run installer package
# Start Nessus from Applications or command line
sudo launchctl load /Library/LaunchDaemons/com.tenablesecurity.nessusd.plistDocker Installation
Running Nessus in Docker:
bash
# Create Nessus Docker container
docker run -d --name nessus \
-p 8834:8834 \
-v nessus_data:/opt/nessus/var/nessus \
tenable/nessus:latest
# Check container status
docker ps | grep nessus
# View container logs
docker logs nessus
# Access web interface
# Navigate to https://localhost:8834
# Stop/Start container
docker stop nessus
docker start nessus
# Update Nessus in Docker
docker pull tenable/nessus:latest
docker stop nessus
docker rm nessus
# Run new container with same volumeInitial Configuration
Setting up Nessus for first use:
bash
# Create admin user (via web interface or CLI)
# Web interface: https://localhost:8834
# Follow setup wizard
# CLI user creation (if needed)
sudo /opt/nessus/sbin/nessuscli adduser admin
# Set user password
sudo /opt/nessus/sbin/nessuscli chpasswd admin
# Check Nessus version
sudo /opt/nessus/sbin/nessuscli -v
# Update plugins
sudo /opt/nessus/sbin/nessuscli update
# Check plugin status
sudo /opt/nessus/sbin/nessuscli plugins list
# License activation (Professional/Enterprise)
sudo /opt/nessus/sbin/nessuscli fetch --register [ACTIVATION_CODE]
# Check license status
sudo /opt/nessus/sbin/nessuscli fetch --checkBasic Usage
Web Interface Navigation
Using the Nessus web interface:
bash
# Access Nessus web interface
https://localhost:8834
# Login with admin credentials
# Username: admin
# Password: [your_password]
# Main navigation areas:
# - Scans: Create and manage vulnerability scans
# - Policies: Configure scan templates and policies
# - Settings: System configuration and user management
# - Help: Documentation and support resources
# Create new scan
# 1. Click "New Scan"
# 2. Select scan template
# 3. Configure scan settings
# 4. Add targets
# 5. Launch scan
# View scan results
# 1. Click on completed scan
# 2. Review vulnerability summary
# 3. Drill down into specific findings
# 4. Export reports as neededBasic Scanning
Performing basic vulnerability scans:
bash
# Quick scan of single host
# Target: 192.168.1.100
# Template: Basic Network Scan
# Settings: Default
# Network range scan
# Target: 192.168.1.0/24
# Template: Advanced Scan
# Settings: Comprehensive
# Web application scan
# Target: https://webapp.example.com
# Template: Web Application Tests
# Settings: Authenticated scan
# Database scan
# Target: 192.168.1.50:3306
# Template: Advanced Scan
# Settings: Database-specific checks
# Compliance scan
# Target: 192.168.1.0/24
# Template: Policy Compliance Auditing
# Settings: CIS benchmarksScan Templates
Common Nessus scan templates:
bash
# Basic Network Scan
# - Port scanning
# - Service detection
# - Basic vulnerability checks
# - Suitable for: Initial discovery
# Advanced Scan
# - Comprehensive vulnerability assessment
# - All plugin families enabled
# - Detailed service enumeration
# - Suitable for: Thorough security assessment
# Web Application Tests
# - Web vulnerability scanning
# - OWASP Top 10 checks
# - Authentication testing
# - Suitable for: Web application security
# Malware Scan
# - Malware detection
# - Backdoor identification
# - Suspicious file analysis
# - Suitable for: Incident response
# Mobile Device Scan
# - Mobile device vulnerabilities
# - Configuration assessment
# - App security analysis
# - Suitable for: Mobile security
# SCADA and ICS Scan
# - Industrial control systems
# - SCADA vulnerabilities
# - Protocol-specific checks
# - Suitable for: OT/ICS environmentsAdvanced Features
Authenticated Scanning
Configuring authenticated scans for deeper assessment:
bash
# Windows Authentication
# Credentials tab in scan policy:
# - Authentication method: Windows
# - Username: domain\username or username
# - Password: [password]
# - Domain: [domain_name]
# SSH Authentication
# Credentials tab:
# - Authentication method: SSH
# - Username: [ssh_username]
# - Password: [ssh_password]
# - Or use SSH key authentication
# - Private key: [path_to_private_key]
# - Passphrase: [key_passphrase]
# Database Authentication
# Credentials tab:
# - Authentication method: Database
# - Database type: MySQL/PostgreSQL/Oracle/MSSQL
# - Username: [db_username]
# - Password: [db_password]
# - Database: [database_name]
# SNMP Authentication
# Credentials tab:
# - Authentication method: SNMP
# - Community string: [community]
# - SNMP version: v1/v2c/v3
# - For v3: Username, auth/priv protocols
# Web Application Authentication
# Credentials tab:
# - Authentication method: HTTP
# - Username: [web_username]
# - Password: [web_password]
# - Authentication type: Basic/Digest/NTLM/FormCustom Scan Policies
Creating custom scan policies:
bash
# Create new policy
# 1. Navigate to Policies
# 2. Click "New Policy"
# 3. Select base template
# 4. Configure settings
# General Settings
# - Name: Custom Security Assessment
# - Description: Comprehensive scan for production systems
# - Folder: [organization_folder]
# Discovery Settings
# - Port scan range: 1-65535
# - Port scan type: SYN scan
# - Network ping: ICMP/TCP/ARP
# - Service detection: Enabled
# Assessment Settings
# - General: All vulnerability checks
# - Brute force: Disabled (for production)
# - Web applications: Enabled
# - Windows: Enabled with credentials
# - UNIX: Enabled with credentials
# Report Settings
# - Format: HTML/PDF/CSV
# - Include: Executive summary, technical details
# - Exclude: Information-level findings (optional)
# Advanced Settings
# - Max hosts per scan: 100
# - Max checks per host: Unlimited
# - Network timeout: 5 minutes
# - Max scan time: 24 hoursPlugin Management
Managing Nessus plugins:
bash
# Update plugins via CLI
sudo /opt/nessus/sbin/nessuscli update
# Check plugin feed status
sudo /opt/nessus/sbin/nessuscli plugins list | head -20
# Plugin families
# - Backdoors
# - Brute force attacks
# - CISCO
# - Databases
# - Denial of service
# - FTP
# - Firewalls
# - General
# - Gain a shell remotely
# - Malware
# - Misconfiguration
# - Netware
# - Peer-To-Peer File Sharing
# - Policy Compliance
# - Port scanners
# - SCADA
# - SMTP problems
# - SNMP
# - Service detection
# - Settings
# - Web Servers
# - Windows
# Enable/disable plugin families in policy
# 1. Edit scan policy
# 2. Navigate to Plugins tab
# 3. Select/deselect plugin families
# 4. Configure individual plugins if needed
# Custom plugin configuration
# 1. Expand plugin family
# 2. Configure individual plugins
# 3. Set plugin preferences
# 4. Save policyCompliance Scanning
Performing compliance audits:
bash
# CIS Benchmarks
# Policy template: Policy Compliance Auditing
# Compliance tab:
# - Select CIS benchmark
# - Choose operating system
# - Configure audit file
# PCI DSS Compliance
# Policy template: PCI DSS Audit
# Settings:
# - Network segmentation checks
# - Encryption verification
# - Access control assessment
# - Vulnerability management
# NIST Cybersecurity Framework
# Policy template: NIST CSF
# Categories:
# - Identify
# - Protect
# - Detect
# - Respond
# - Recover
# HIPAA Compliance
# Policy template: HIPAA Audit
# Focus areas:
# - Access controls
# - Audit controls
# - Integrity
# - Person or entity authentication
# - Transmission security
# SOX Compliance
# Policy template: SOX Audit
# Controls:
# - IT general controls
# - Application controls
# - Database security
# - Change management
# Custom compliance audit
# 1. Create new policy
# 2. Select compliance template
# 3. Upload custom audit file
# 4. Configure scan settings
# 5. Run compliance scanAutomation Scripts
Automated Scanning Script
python
#!/usr/bin/env python3
# Nessus automated scanning and reporting
import requests
import json
import time
import urllib3
import logging
from datetime import datetime
import argparse
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class NessusAutomation:
def __init__(self, server_url, username, password):
self.server_url = server_url.rstrip('/')
self.username = username
self.password = password
self.token = None
self.session = requests.Session()
self.session.verify = False
self.setup_logging()
self.authenticate()
def setup_logging(self):
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/nessus_automation.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def authenticate(self):
"""Authenticate with Nessus server"""
auth_data = {
'username': self.username,
'password': self.password
}
try:
response = self.session.post(
f"{self.server_url}/session",
json=auth_data,
timeout=30
)
if response.status_code == 200:
self.token = response.json()['token']
self.session.headers.update({'X-Cookie': f'token={self.token}'})
self.logger.info("Successfully authenticated with Nessus")
else:
raise Exception(f"Authentication failed: {response.status_code}")
except Exception as e:
self.logger.error(f"Authentication error: {e}")
raise
def get_scan_templates(self):
"""Get available scan templates"""
try:
response = self.session.get(f"{self.server_url}/editor/scan/templates")
if response.status_code == 200:
templates = response.json()['templates']
self.logger.info(f"Found {len(templates)} scan templates")
return templates
else:
raise Exception(f"Failed to get templates: {response.status_code}")
except Exception as e:
self.logger.error(f"Error getting templates: {e}")
return []
def create_scan(self, name, targets, template_uuid, policy_id=None):
"""Create a new scan"""
scan_data = {
'uuid': template_uuid,
'settings': {
'name': name,
'text_targets': targets,
'description': f'Automated scan created on {datetime.now().isoformat()}'
}
}
if policy_id:
scan_data['settings']['policy_id'] = policy_id
try:
response = self.session.post(
f"{self.server_url}/scans",
json=scan_data
)
if response.status_code == 200:
scan_id = response.json()['scan']['id']
self.logger.info(f"Created scan '{name}' with ID: {scan_id}")
return scan_id
else:
raise Exception(f"Failed to create scan: {response.status_code}")
except Exception as e:
self.logger.error(f"Error creating scan: {e}")
return None
def launch_scan(self, scan_id):
"""Launch a scan"""
try:
response = self.session.post(f"{self.server_url}/scans/{scan_id}/launch")
if response.status_code == 200:
self.logger.info(f"Launched scan ID: {scan_id}")
return True
else:
raise Exception(f"Failed to launch scan: {response.status_code}")
except Exception as e:
self.logger.error(f"Error launching scan: {e}")
return False
def get_scan_status(self, scan_id):
"""Get scan status"""
try:
response = self.session.get(f"{self.server_url}/scans/{scan_id}")
if response.status_code == 200:
scan_info = response.json()['info']
status = scan_info['status']
return status
else:
raise Exception(f"Failed to get scan status: {response.status_code}")
except Exception as e:
self.logger.error(f"Error getting scan status: {e}")
return None
def wait_for_scan_completion(self, scan_id, max_wait_time=3600):
"""Wait for scan to complete"""
start_time = time.time()
while time.time() - start_time < max_wait_time:
status = self.get_scan_status(scan_id)
if status == 'completed':
self.logger.info(f"Scan {scan_id} completed successfully")
return True
elif status in ['canceled', 'aborted']:
self.logger.error(f"Scan {scan_id} was {status}")
return False
elif status == 'running':
self.logger.info(f"Scan {scan_id} is still running...")
time.sleep(60) # Check every minute
else:
self.logger.warning(f"Unknown scan status: {status}")
time.sleep(60)
self.logger.error(f"Scan {scan_id} did not complete within {max_wait_time} seconds")
return False
def export_scan_report(self, scan_id, format_type='html'):
"""Export scan report"""
export_data = {
'format': format_type
}
try:
# Request export
response = self.session.post(
f"{self.server_url}/scans/{scan_id}/export",
json=export_data
)
if response.status_code == 200:
file_id = response.json()['file']
self.logger.info(f"Export requested for scan {scan_id}, file ID: {file_id}")
# Wait for export to complete
while True:
status_response = self.session.get(
f"{self.server_url}/scans/{scan_id}/export/{file_id}/status"
)
if status_response.status_code == 200:
export_status = status_response.json()['status']
if export_status == 'ready':
# Download the report
download_response = self.session.get(
f"{self.server_url}/scans/{scan_id}/export/{file_id}/download"
)
if download_response.status_code == 200:
filename = f"nessus_scan_{scan_id}_{datetime.now().strftime('%Y%m%d_%H%M%S')}.{format_type}"
with open(filename, 'wb') as f:
f.write(download_response.content)
self.logger.info(f"Report downloaded: {filename}")
return filename
else:
raise Exception(f"Failed to download report: {download_response.status_code}")
else:
self.logger.info(f"Export status: {export_status}")
time.sleep(10)
else:
raise Exception(f"Failed to check export status: {status_response.status_code}")
else:
raise Exception(f"Failed to request export: {response.status_code}")
except Exception as e:
self.logger.error(f"Error exporting report: {e}")
return None
def get_scan_vulnerabilities(self, scan_id):
"""Get vulnerabilities from scan"""
try:
response = self.session.get(f"{self.server_url}/scans/{scan_id}")
if response.status_code == 200:
scan_data = response.json()
vulnerabilities = scan_data.get('vulnerabilities', [])
# Get detailed vulnerability information
detailed_vulns = []
for vuln in vulnerabilities:
vuln_detail_response = self.session.get(
f"{self.server_url}/scans/{scan_id}/hosts/{vuln['host_id']}/plugins/{vuln['plugin_id']}"
)
if vuln_detail_response.status_code == 200:
detailed_vulns.append(vuln_detail_response.json())
return detailed_vulns
else:
raise Exception(f"Failed to get vulnerabilities: {response.status_code}")
except Exception as e:
self.logger.error(f"Error getting vulnerabilities: {e}")
return []
def create_automated_scan_workflow(self, targets, scan_name_prefix="Auto"):
"""Create and execute automated scan workflow"""
self.logger.info("Starting automated scan workflow")
# Get available templates
templates = self.get_scan_templates()
# Find Advanced Scan template
advanced_template = None
for template in templates:
if 'advanced' in template['name'].lower():
advanced_template = template
break
if not advanced_template:
self.logger.error("Advanced scan template not found")
return None
# Create scan
scan_name = f"{scan_name_prefix}_{datetime.now().strftime('%Y%m%d_%H%M%S')}"
scan_id = self.create_scan(
name=scan_name,
targets=targets,
template_uuid=advanced_template['uuid']
)
if not scan_id:
return None
# Launch scan
if not self.launch_scan(scan_id):
return None
# Wait for completion
if not self.wait_for_scan_completion(scan_id):
return None
# Export reports
html_report = self.export_scan_report(scan_id, 'html')
csv_report = self.export_scan_report(scan_id, 'csv')
# Get vulnerability data
vulnerabilities = self.get_scan_vulnerabilities(scan_id)
results = {
'scan_id': scan_id,
'scan_name': scan_name,
'html_report': html_report,
'csv_report': csv_report,
'vulnerability_count': len(vulnerabilities),
'vulnerabilities': vulnerabilities
}
self.logger.info(f"Automated scan workflow completed for {targets}")
return results
def logout(self):
"""Logout from Nessus"""
try:
response = self.session.delete(f"{self.server_url}/session")
if response.status_code == 200:
self.logger.info("Successfully logged out from Nessus")
else:
self.logger.warning(f"Logout response: {response.status_code}")
except Exception as e:
self.logger.error(f"Error during logout: {e}")
# Usage example
def main():
parser = argparse.ArgumentParser(description='Nessus Automation Script')
parser.add_argument('--server', required=True, help='Nessus server URL')
parser.add_argument('--username', required=True, help='Nessus username')
parser.add_argument('--password', required=True, help='Nessus password')
parser.add_argument('--targets', required=True, help='Scan targets (comma-separated)')
parser.add_argument('--scan-name', default='Automated', help='Scan name prefix')
args = parser.parse_args()
try:
# Initialize Nessus automation
nessus = NessusAutomation(args.server, args.username, args.password)
# Run automated scan workflow
results = nessus.create_automated_scan_workflow(
targets=args.targets,
scan_name_prefix=args.scan_name
)
if results:
print(f"Scan completed successfully:")
print(f" Scan ID: {results['scan_id']}")
print(f" Scan Name: {results['scan_name']}")
print(f" Vulnerabilities Found: {results['vulnerability_count']}")
print(f" HTML Report: {results['html_report']}")
print(f" CSV Report: {results['csv_report']}")
else:
print("Scan workflow failed")
# Logout
nessus.logout()
except Exception as e:
print(f"Error: {e}")
if __name__ == "__main__":
main()Integration Examples
SIEM Integration
bash
#!/bin/bash
# Nessus SIEM integration script
# Configuration
NESSUS_SERVER="https://nessus.company.com:8834"
NESSUS_USER="api_user"
NESSUS_PASS="api_password"
SPLUNK_HEC_URL="https://splunk.company.com:8088/services/collector/event"
SPLUNK_TOKEN="your-hec-token"
# Function to send events to Splunk
send_to_splunk() {
local event_data="$1"
curl -k -X POST "$SPLUNK_HEC_URL" \
-H "Authorization: Splunk $SPLUNK_TOKEN" \
-H "Content-Type: application/json" \
-d "$event_data"
}
# Function to process Nessus scan results
process_scan_results() {
local scan_id="$1"
# Export scan results as JSON
python3 -c "
import requests
import json
import urllib3
urllib3.disable_warnings()
session = requests.Session()
session.verify = False
# Authenticate
auth_data = {'username': '$NESSUS_USER', 'password': '$NESSUS_PASS'}
auth_response = session.post('$NESSUS_SERVER/session', json=auth_data)
token = auth_response.json()['token']
session.headers.update({'X-Cookie': f'token={token}'})
# Get scan results
scan_response = session.get('$NESSUS_SERVER/scans/$scan_id')
scan_data = scan_response.json()
# Process vulnerabilities
for vuln in scan_data.get('vulnerabilities', []):
splunk_event = {
'time': scan_data['info']['timestamp'],
'source': 'nessus',
'sourcetype': 'nessus:vulnerability',
'event': {
'scan_id': '$scan_id',
'plugin_id': vuln['plugin_id'],
'plugin_name': vuln['plugin_name'],
'severity': vuln['severity'],
'count': vuln['count'],
'vuln_index': vuln['vuln_index']
}
}
print(json.dumps(splunk_event))
" | while read -r event; do
send_to_splunk "$event"
done
}
# Main execution
if [ $# -ne 1 ]; then
echo "Usage: $0 <scan_id>"
exit 1
fi
SCAN_ID="$1"
process_scan_results "$SCAN_ID"Troubleshooting
Common Issues
Service Startup Issues:
bash
# Check Nessus service status
sudo systemctl status nessusd
# Check Nessus logs
sudo tail -f /opt/nessus/var/nessus/logs/nessusd.messages
# Restart Nessus service
sudo systemctl restart nessusd
# Check port availability
sudo netstat -tlnp | grep 8834
sudo ss -tlnp | grep 8834Web Interface Access Issues:
bash
# Check firewall settings
sudo ufw status
sudo firewall-cmd --list-ports
# Allow Nessus port
sudo ufw allow 8834/tcp
sudo firewall-cmd --permanent --add-port=8834/tcp
sudo firewall-cmd --reload
# Check SSL certificate
openssl s_client -connect localhost:8834 -servername localhost
# Reset admin password
sudo /opt/nessus/sbin/nessuscli chpasswd adminPlugin Update Issues:
bash
# Manual plugin update
sudo /opt/nessus/sbin/nessuscli update
# Check plugin feed status
sudo /opt/nessus/sbin/nessuscli plugins list
# Reset plugin database
sudo systemctl stop nessusd
sudo rm -rf /opt/nessus/var/nessus/plugins/*
sudo systemctl start nessusd
sudo /opt/nessus/sbin/nessuscli updatePerformance Optimization
Optimizing Nessus performance:
bash
# Increase memory allocation
# Edit /opt/nessus/etc/nessus/nessusd.conf
# Add: max_hosts = 50
# Add: max_checks = 10
# Optimize scan settings
# - Reduce concurrent hosts per scan
# - Disable unnecessary plugin families
# - Use authenticated scanning when possible
# - Schedule scans during off-peak hours
# Database optimization
sudo /opt/nessus/sbin/nessuscli fix --reset-db
# Disk space management
# Clean old scan results
# Archive completed scans
# Monitor /opt/nessus/var/nessus/ usageSecurity Considerations
Operational Security
Nessus Server Security:
- Deploy Nessus on dedicated, hardened systems
- Implement network segmentation for scanner placement
- Use strong authentication and access controls
- Regular security updates and patch management
- Monitor Nessus server for unauthorized access
Scan Data Protection:
- Encrypt scan results and reports
- Implement secure data retention policies
- Control access to vulnerability data
- Secure transmission of scan results
- Regular backup and recovery procedures
Compliance and Governance
Scanning Authorization:
- Obtain proper authorization before scanning
- Document scanning scope and limitations
- Implement change control for scan policies
- Regular review of scanning procedures
- Compliance with organizational policies