Nessus 5.2 HTML5 User Guide July 17, 2014

(Revision 43)

2

Table of Contents

Introduction ......................................................................................................................................... 5 Standards and Conventions ....................................................................................................................... 5

New in Nessus 5.2 ............................................................................................................................... 5

Nessus UI Overview ............................................................................................................................ 6 Description ................................................................................................................................................... 6 Supported Platforms ................................................................................................................................... 6

Installation ........................................................................................................................................... 6

Operation ............................................................................................................................................. 6 Overview ...................................................................................................................................................... 6

Connect to Nessus UI ................................................................................................................................ 6 Interface Shortcuts ................................................................................................................................... 12 User Profile .............................................................................................................................................. 14 Settings .................................................................................................................................................... 15

Advanced ................................................................................................................................................................. 15 Multi Scanner ............................................................................................................................................. 16 Policy Overview ......................................................................................................................................... 20 Creating a New Policy ............................................................................................................................... 20

Using the Policy Wizard ........................................................................................................................... 20 Advanced Policy Creation ........................................................................................................................ 23 General Settings ...................................................................................................................................... 23 Credentials .............................................................................................................................................. 26 Plugins ..................................................................................................................................................... 30 Preferences ............................................................................................................................................. 33

Sharing, Importing, Exporting, and Copying Policies ............................................................................. 38 Creating, Launching, and Scheduling a Scan ......................................................................................... 39

Creating and Managing Scan Folders ...................................................................................................... 46 Browse Scan Results ............................................................................................................................... 48 Report Filters ........................................................................................................................................... 56 Report Screenshots ................................................................................................................................. 62 Scan Knowledge Base ............................................................................................................................. 62 Compare (Diff Results) ............................................................................................................................ 63 Upload and Export ................................................................................................................................... 64 .nessus File Format ................................................................................................................................. 66 Delete ...................................................................................................................................................... 67

Mobile ......................................................................................................................................................... 67 SecurityCenter ........................................................................................................................................... 68

Configuring SecurityCenter to Work with Nessus ..................................................................................... 68 Host-Based Firewalls ............................................................................................................................................... 69

Scanning Preferences in Detail ....................................................................................................... 69 ADSI Settings ............................................................................................................................................. 70 Adtran AOS Compliance Checks .............................................................................................................. 70 AirWatch API Settings ............................................................................................................................... 71 Amazon AWS Compliance Checks ........................................................................................................... 72 Amazon Web Services Settings ................................................................................................................ 73 Antivirus Software Check ......................................................................................................................... 73

3

Apple Profile Manager API Settings ......................................................................................................... 74 Brocade FabricOS Compliance Checks ................................................................................................... 74 Check Point GAiA Compliance Checks ................................................................................................... 75 Cisco IOS Compliance Checks ................................................................................................................. 75 Citrix XenServer Compliance Checks ...................................................................................................... 76 Database Compliance Checks .................................................................................................................. 77 Database settings ...................................................................................................................................... 77 Dell Force10 FTOS Compliance Checks .................................................................................................. 78 Do not scan fragile devices ...................................................................................................................... 79 Extreme ExtremeXOS Compliance Checks ............................................................................................. 79 FireEye Compliance Checks ..................................................................................................................... 80 Fortigate FortiOS Compliance Checks ..................................................................................................... 81 Global variable settings ............................................................................................................................ 82 Good MDM Settings ................................................................................................................................... 83 Huawei Compliance Checks ..................................................................................................................... 84 HP ProCurve Compliance Checks ............................................................................................................ 85 HTTP cookies import ................................................................................................................................. 85 HTTP login page ........................................................................................................................................ 86 Hosts File Whitelisted Entries ................................................................................................................... 87 IBM iSeries Compliance Checks ............................................................................................................... 88 IBM iSeries Credentials ............................................................................................................................. 88 ICCP/COTP TSAP Addressing .................................................................................................................. 89 Juniper Junos Compliance Checks.......................................................................................................... 89 LDAP Domain Admins Group Membership Enumeration ..................................................................... 89 Login configurations ................................................................................................................................. 90 Malicious Process Detection .................................................................................................................... 91 MobileIron API Settings ............................................................................................................................. 91 Modbus/TCP Coil Access .......................................................................................................................... 92 Nessus SYN scanner and Nessus TCP scanner...................................................................................... 92 NetApp Data ONTAP Compliance Checks ............................................................................................... 93 Oracle Java Runtime Environment (JRE) Detection (Unix)..................................................................... 93 Oracle Settings .......................................................................................................................................... 94 PCI DSS Compliance ................................................................................................................................. 94 Palo Alto Networks PAN-OS Compliance Checks ................................................................................... 95 Palo Alto Networks PAN-OS Settings ...................................................................................................... 95 Patch Management .................................................................................................................................... 95 Patch Report .............................................................................................................................................. 96 Ping the remote host ................................................................................................................................. 96 Port scanner settings ................................................................................................................................ 97 Remote web server screenshot ................................................................................................................ 98 SCAP Linux Compliance Checks ............................................................................................................. 98 SCAP Windows Compliance Checks ....................................................................................................... 99 SMB Registry: Start the Registry Service during the scan ................................................................... 100 SMB Scope ............................................................................................................................................... 100 SMB Use Domain SID to Enumerate Users ............................................................................................ 100 SMB Use Host SID to Enumerate Local Users ....................................................................................... 101 SMTP settings .......................................................................................................................................... 101 SNMP settings ......................................................................................................................................... 102 Service Detection ..................................................................................................................................... 103 SonicWALL SonicOS Compliance Checks ............................................................................................ 103 Unix Compliance Checks ........................................................................................................................ 104

4

VMware SOAP API Settings .................................................................................................................... 104 VMware vCenter SOAP API Settings ...................................................................................................... 105 VMware vCenter/vSphere Compliance Checks ..................................................................................... 106 Wake-on-LAN ........................................................................................................................................... 107 Web Application Tests Settings ............................................................................................................. 107 Web mirroring .......................................................................................................................................... 110 Windows Compliance Checks ................................................................................................................ 111 Windows File Contents Compliance Checks ......................................................................................... 111

For Further Information .................................................................................................................. 112

About Tenable Network Security ................................................................................................... 114

5

Introduction This document describes how to use Tenable Network Securitys Nessus user interface (UI). Please email any comments and suggestions to support@tenable.com.

The Nessus UI is a web-based interface to the Nessus vulnerability scanner. To use the UI, you must have an operational Nessus scanner deployed and be familiar with its use.

Standards and Conventions Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font such as

gunzip, httpd, and /etc/passwd.

Command line options and keywords are also indicated with the courier bold font. Command line examples may or

may not include the command line prompt and output text from the results of the command. Command line examples will display the command being run in courier bold to indicate what the user typed while the sample output generated by

the system will be indicated in courier (not bold). Following is an example running of the Unix pwd command:

# pwd

/opt/nessus/

#

Important notes and considerations are highlighted with this symbol and grey text boxes.

Tips, examples, and best practices are highlighted with this symbol and white on blue text.

New in Nessus 5.2

As of August 22, 2013, Nessus product names have been revised as shown below:

Former Product Name New Product Name

Nessus Perimeter Service Nessus Enterprise Cloud

Nessus ProfessionalFeed Nessus

Nessus HomeFeed Nessus Home

The following list shows official Nessus product names:

Nessus

Nessus Enterprise

Nessus Enterprise Cloud

Nessus Auditor Bundles

Nessus Home

6

Nessus UI Overview

Description The Nessus User Interface (UI) is a web-based interface to the Nessus scanner that is comprised of a simple HTTP server and web client, and requires no software installation apart from the Nessus server. As of Nessus 4, all platforms draw from the same code base eliminating most platform specific bugs and allowing for faster deployment of new features. The primary features are:

Generates .nessus files that Tenable products use as the standard for vulnerability data and scan policy.

A policy session, list of targets and the results of several scans can all be stored in a single .nessus file that can

be easily exported. Please refer to the Nessus v2 File Format guide for more details.

The UI displays scan results in real-time so you do not have to wait for a scan to complete to view results.

Provides unified interface to the Nessus scanner regardless of base platform. The same functionalities exist on

Mac OS X, Windows, and Linux.

Scans will continue to run on the server even if you are disconnected for any reason.

Nessus scan reports can be uploaded via the Nessus UI and compared to other reports.

A policy wizard to help quickly create efficient scan policies for auditing your network.

Gives the ability to set one scanner as a primary and additional scanners secondary, allowing for a single Nessus

interface to manage large-scale distributed scans.

Supported Platforms Since the Nessus UI is a web-based client, it can run on any platform with a modern web browser.

The Nessus web-based user interface is best-experienced using Microsoft Internet Explorer 10 or later, Mozilla Firefox 17.0.8 or 26, Google Chrome 32, Opera 16, or Apple Safari 6 on the desktop. In addition, Nessus is compatible with Chrome 29 for Android, as well as browsers on iOS 7.

The Nessus web-based user interface requires a minimum version of 9 for Microsoft Internet Explorer.

Installation

User management of the Nessus 5 server is conducted through a web interface or SecurityCenter only. The former standalone NessusClient is no longer updated or supported.

Refer to the Nessus 5.2 Installation and Configuration Guide for instructions on installing Nessus. As of Nessus 5.0, Oracle Java (formerly Sun Microsystems Java) is required for PDF report functionality.

Operation

Overview Nessus provides a simple, yet powerful interface for managing vulnerability-scanning activity.

Connect to Nessus UI To launch the Nessus HTML5 UI, perform the following:

Open a web browser of your choice.

7

Enter https://[server IP]:8834/ in the navigation bar.

Be sure to connect to the user interface via HTTPS, as unencrypted HTTP connections are not supported.

The first time you attempt to connect to the Nessus user interface, most web browsers will display an error indicating the site is not trusted due to the self-signed SSL certificate:

Users of Microsoft Internet Explorer can click on Continue to this website (not recommended) to load the Nessus user interface. Firefox users can click on I Understand the Risks and then Add Exception to display the site exception dialog box:

8

Verify the Location: bar reflects the URL to the Nessus server and click on Confirm Security Exception. For information on installing a custom SSL certificate, consult the Nessus Installation and Configuration Guide.

9

After your browser has confirmed the exception, a splash screen will be displayed as follows:

Authenticate using the administrative account and password previously created during the installation process. When logging in, you can optionally instruct your browser to remember the username on that computer. Only use this option if the computer is always in a secured location! After successful authentication, the UI will present menus to browse reports, conduct scans, and manage policies. Administrative users will also see options for user management, and configuration options for the Nessus scanner:

10

At any point during Nessus use, the top left menu options will be present. The admin notation seen on the upper right hand side in the screenshot above denotes the account currently logged in, a drop down menu, and a bell for quick access to important notifications related to Nessus operation:

Clicking on this down arrow will offer a menu containing options to access your user profile, general Nessus settings, information about the installation, help & support options, whats new in this release, as well as an option to sign out.

The User Profile option will bring up a menu with several pages of options related to the user account including the password change facility, folder management, and plugin rules page. More information about these options can be found below.

The Settings option provides access to the Overview page, mail server configuration options (if administrator), plugin feed (if administrator), and advanced scanner options (if administrator). More information about these options can be found below.

11

The Whats New link provides access to the quick tour of new features with this Nessus release. More information about each option can be found below the image. In this example, we see new features of a Nessus Enterprise release:

The Help & Support link will load the Tenable support page in a new tab or window. Sign Out will terminate your current session with Nessus.

12

The bell icon on the upper right side can be clicked on to show any messages related to Nessus operations including errors, notification of new Nessus releases, session events, and more:

This will also serve as a place to provide any additional alerts or errors via popups that will fade shortly after and stay in the notification history until cleared:

Interface Shortcuts The HTML5 interface has several hotkeys that allow quick keyboard-navigation to the major sections of the interface, as well as performing common activities. These can be used at any time, from anywhere within the interface:

Main Interface

R Scans

N Scans -> New Scan

S Schedules

P Policies

U Users

13

C Settings

M User Profile

Creation

Shift + R New Scan

Shift + S New Schedule

Shift + F New Folder (Scan view only)

Schedules View

N New Schedule

Scan View

N New Scan

Policy View

N New Policy

Users View

N New User

Schedules View

N New Schedule

Groups View

N New Group

Advanced Settings View

N New Setting

14

User Profile The user profile options allow you to manipulate options related to your account.

Click on the user account to change the options related to the account.

The Account Settings field shows the current authenticated user as well as the user type, either Administrator or user.

The Change Password option allows you to change the password, which should be done in accordance with your organizations security policy.

The Plugin Rules option provides a facility to create a set of rules that dictate the behavior of certain plugins related to any scan performed. A rule can be based on the Host (or all hosts), Plugin ID, an optional Expiration Date, and manipulation of Severity. The same rules can be set from the scan results page. This allows you to reprioritize the severity of plugin results to better account for your organizations security posture and response plan.

15

Settings

The Mail Server setting controls settings related to the SMTP server, and can only be set by an administrator. For more information, see the Nessus 5.2 Installation and Configuration Guide.

Multi Scanner allows Nessus scanners to work together to outsource and aggregate scanning activity. This administrator feature is explained in greater detail below.

The Plugin Feed setting allows an administrator to designate a custom plugin update host (e.g., for offline updates from a central internal server). For more information, see the Nessus 5.2 Installation and Configuration Guide.

The Proxy setting allows an administrator to designate a proxy for plugin updates. For more information, see the Nessus 5.2 Installation and Configuration Guide.

The Scanners tab shows available scanners, as defined by the Multi Scanner feature. If no remote scanners are configured, only the local scanner will display.

Advanced The Advanced section contains a wide variety of configuration options to offer more granular control of how the scanner operates. For more information, see the Nessus 5.2 Installation and Configuration Guide.

16

The final settings options are related to the Multi Scanner functionality introduced with the Nessus UI 2.2 release. More information is available below.

Multi Scanner The Multi Scanner functionality gives your Nessus scanner the ability to delegate vulnerability scanning to multiple secondary servers, or be delegated to perform scans for another. You can use your own Nessus server to act as the primary, or you can configure your Nessus Perimeter Service scanner in the cloud to be the primary. This allows for consolidated reporting in a single Nessus user interface with scheduled scanning and emailing results.

The use of this functionality positions companies to create an extended network of Nessus scanners that give added value. Through strategic positioning of the scanners, you are able to not only test for vulnerabilities and misconfigurations, but also examine the system from different viewpoints on the network. This can greatly assist you in ensuring that network screening devices (e.g., firewalls, routers) are properly restricting access to a given system.

It is important to note that primary scanners do not reach out to the secondary scanners. Instead, secondary scanners periodically poll the primary scanner they are registered with to receive new instructions. When deploying a network of Nessus scanners using this functionality, this must be kept in mind to ensure that nothing will hinder the secondary scanner in connecting to its primary.

17

By default, a Nessus scanner will have this feature disabled. Selecting a different role will activate it. As a primary scanner, your installation will gain the ability to designate scans to additional scanners that have been configured to be a secondary scanner. After selecting Primary Scanner, a key will be generated that is used as a shared secret for a secondary scanner to authenticate to the primary:

This key is only used for the initial linking of two scanners. Subsequent communication is done via a separate set of credentials. At any time, you can disable this functionality by clicking the Disable Scanner button. If there is ever concern over the shared secret becoming compromised, you can regenerate the key at any time by clicking the arrows to the right of the key. Regenerating the key will not disable any secondary scanners that are already registered. Once a scanner has been configured to be a secondary, it will display on this interface:

As a Primary Scanner, you can unlink a secondary scanner via the icon on the left. Unlinking the scanner will make it unavailable for scheduled scans until re-linked. To completely remove a scanner, click the X. To retrieve information about the secondary scanner, click on the scanner name:

18

To configure your scanner to be a secondary scanner, select that option:

Assign the scanner a unique name for easy identification, along with the key generated from the primary scanner, the primary scanner IP address, and primary scanner port. If communication must be directed through a proxy, select this

option. Once selected, the scanner will use the proxy configured under Settings > Proxy. Note that authentication for

the secondary scanner must be either the primary scanner key or a Nessus Enterprise Cloud username and password. Once configured, Nessus will ensure that the scanner can reach and access the primary scanner and assign it a UUID for identification:

19

At any time, you can disable the secondary scanner setup via the button on the upper right. Once a scanner is designated Primary, it cannot be a secondary at the same time.

Assign the scanner a unique name for easy identification, along with the user credentials and server address of the Perimeter Service scanner.

The Scanners setting displays the other Nessus scanners linked to the current one. You have the ability to unlink scanners from this screen.

Scanners that are managed by SecurityCenter cannot use the Multi Scanner functionality.

20

Policy Overview A Nessus policy consists of configuration options related to performing a vulnerability scan. These options include, but are not limited to:

Parameters that control technical aspects of the scan such as timeouts, number of hosts, type of port scanner,

and more.

Credentials for local scans (e.g., Windows, SSH), authenticated Oracle database scans, HTTP, FTP, POP, IMAP,

or Kerberos based authentication.

Granular family or plugin based scan specifications.

Database compliance policy checks, report verbosity, service detection scan settings, Unix compliance checks,

and more.

Creating a New Policy Once you have connected to a Nessus server UI, you can create a custom policy by clicking on the Policies option on the bar at the top and then + New Policy button toward the left. The policy addition screen will be displayed as follows:

Using the Policy Wizard The first option is to optionally use the Policy Wizard to help you form a policy with a specific purpose. The default wizard templates may change from time to time. Some default templates are:

Policy Wizard Name Description

PCI Quarterly External Scan

An approved policy for quarterly external scanning required by PCI. This is offered on Nessus Enterprise Cloud only.

Host Discovery Identifies live hosts and open ports.

21

Basic Network Scan For users scanning internal or external hosts.

Credentialed Patch Audit Log in to systems and enumerate missing software updates.

Windows Malware Scan For users searching for malware on Windows systems.

Heartbleed Detection A remote check for the OpenSSL Heartbleed vulnerability

Web Application Tests For users performing generic web application scans.

Mobile Device Scan For users of Apple Profile Manager, ADSI, MobileIron, or Good MDM.

Offline Config Auditing Upload and audit the config file of a network device.

Amazon AWS Audit For users who want to audit managed AWS infrastructure systems.

Prepare for PCI DSS Audits

For administrators preparing for a PCI DSS compliance audit.

Advanced Policy For users who want total control of their policy configuration, this creates a default scan.

Over time, the policy wizard will receive additional wizards to help customers and existing wizards may be further enhanced. The following provides a general idea of using one of the wizards. Note that each wizard is different, so this is just one example.

The first step for each wizard asks you to set the policy name and a description. By default wizard policies will allow you to edit the report after a scan. Click Next to continue to the next step:

22

This policy will ask you to select if it is to be used for internal or external hosts, as the options will vary based on the answer. Click Next to go to the final step:

The final step gives you the option to add credentials to enhance scanning. As noted, some steps of a policy wizard may be optional. Once created, the policy will be saved with recommended settings. You can edit the wizard options or any other aspect of the policy at any time.

23

Advanced Policy Creation If a policy wizard is not desired, the Advanced option allows you to create a policy the traditional way, with full control over all options from the beginning.

Note that there are four configuration tabs: General Settings, Credentials, Plugins, and Preferences. For most environments, the default settings do not need to be modified, but they provide more granular control over the Nessus scanner operation. These tabs are described below.

General Settings The General Settings tab enables you to name the policy and configure scan related operations. There are four drop-down menu items that control scanner behavior:

The Basic screen is used to define aspects of the policy itself:

Option Description

Name Sets the name that will be displayed in the Nessus UI to identify the policy.

Description Used to give a brief description of the scan policy, typically good to summarize the overall purpose (e.g., Web Server scans without local checks or non HTTP services).

Allow Post-Scan Report Editing

This feature allows users to delete items from the report when checked. When performing a scan for regulatory compliance or other types of audits, uncheck this to show that the scan was not tampered with.

The Port Scanning menu controls options related to port scanning including the port ranges and methods:

Option Description

Port Scan Range Directs the scanner to target a specific range of ports. Accepts default, approximately 4,790 common ports found in the nessus-services file, all which scans 65,535

ports, or a custom list of ports specified by the user. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200 are allowed. Specifying 1-65535 will scan all ports. You may also specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would specify T:1-1024,U:300-500. You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol ("1-1024,T:1024-65535,U:1025"). If you are scanning a single protocol, select only that port scanner and specify the ports normally.

24

Consider Unscanned Ports as Closed

If a port is not scanned with a selected port scanner (e.g., out of the range specified), Nessus will consider it closed.

Nessus SNMP Scanner Direct Nessus to scan targets for a SNMP service. Nessus will guess relevant SNMP settings during a scan. If the settings are provided by the user under Preferences, this will allow Nessus to better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.

Nessus UDP Scanner This option engages Nessus built-in UDP scanner to identify open UDP ports on the targets.

UDP is a stateless protocol, meaning that communication is not performed with handshake dialogues. UDP based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.

netstat portscanner (SSH) This option uses netstat to check for open ports from the local machine. It relies on

the netstat command being available via a SSH connection to the target. This scan

is intended for Unix-based systems and requires authentication credentials.

Ping the remote host This option enables Nessus to ping remote hosts on multiple ports to determine if they are alive.

Netstat Portscanner (WMI) This option uses netstat to check for open ports from the local machine. It relies on

the netstat command being available via a WMI connection to the target. This scan

is intended for Windows-based systems and requires authentication credentials.

A WMI based scan uses netstat to determine open ports, thus ignoring

any port ranges specified. If any port enumerator (netstat or SNMP) is

successful, the port range becomes all. However, Nessus will still honor the consider unscanned ports as closed option if selected.

Nessus TCP scanner Use Nessus built-in TCP scanner to identify open TCP ports on the targets. This scanner is optimized and has some self-tuning features.

On some platforms (e.g., Windows and Mac OS X), selecting this scanner will cause Nessus to use the SYN scanner to avoid serious performance issues native to those operating systems.

Nessus SYN scanner Use Nessus built-in SYN scanner to identify open TCP ports on the targets. SYN scans are a popular method for conducting port scans and generally considered to be a bit less intrusive than TCP scans. The scanner sends a SYN packet to the port, waits for SYN-ACK reply, and determines port state based on a reply, or lack of reply.

The Port Scan Range option directs the scanner to target a specific range of ports. The following values are allowed:

Value Description

default Using the keyword default, Nessus will scan approximately 4,790 common ports. The list of ports can be found in the nessus-services file.

25

all Using the keyword all, Nessus will scan all 65,535 ports.

Custom List A custom range of ports can be selected by using a comma delimited list of ports or port ranges. For example, 21,23,25,80,110 or 1-1024,8080,9000-9200 are allowed. Specifying 1-65535 will scan all ports. You may also specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would specify T:1-1024,U:300-500. You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol ("1-1024,T:1024-65535,U:1025"). If you are scanning a single protocol, select only that port scanner and specify the ports normally.

The Performance menu provides options that control how many scans will be launched. These options are perhaps the most important when configuring a scan as they have the biggest impact on scan times and network activity.

Option Description

Max Checks Per Host This setting limits the maximum number of checks a Nessus scanner will perform against a single host at one time.

Max Hosts Per Scan This setting limits the maximum number of hosts that a Nessus scanner will scan at the same time.

Network Receive Timeout (seconds)

Set to five seconds by default. This is the time that Nessus will wait for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may wish to set this to a higher number of seconds.

Max Simultaneous TCP Sessions Per Host

This setting limits the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner will eventually send (e.g., if this option is set to 15, the SYN scanner will send 1500 packets per second at most).

Max Simultaneous TCP Sessions Per Scan

This setting limits the maximum number of established TCP sessions for the entire scan, regardless of the number of hosts being scanned.

For Nessus scanners installed on Windows XP, Vista, 7, and 8 hosts, this value must be set to 19 or less to get accurate results.

Reduce Parallel Connections on Congestion

This enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity. If detected, Nessus will throttle the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Nessus will automatically attempt to use the available space within the network pipe again.

Use Kernel Congestion Detection (Linux Only)

Enables Nessus to monitor the CPU and other internal workings for congestion and scale back accordingly. Nessus will always attempt to use as much resource as is available. This feature is only available for Nessus scanners deployed on Linux.

The Advanced menu further defines options related to how the scan should behave:

26

Option Description

Safe Checks Safe Checks will disable all plugins that may have an adverse effect on the remote host.

Silent Dependencies If this option is checked, the list of dependencies is not included in the report. If you want to include the list of dependencies in the report, uncheck the box.

Log Scan Details to Server Save additional details of the scan to the Nessus server log (nessusd.messages)

including plugin launch, plugin finish or if a plugin is killed. The resulting log can be used to confirm that particular plugins were used and hosts were scanned.

Stop Host Scan on Disconnect

If checked, Nessus will stop scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (e.g., IDS) has begun to block traffic to a server. Continuing scans on these machines will send unnecessary traffic across the network and delay the scan.

Avoid Sequential Scans By default, Nessus scans a list of IP addresses in sequential order. If checked, Nessus will scan the list of hosts in a random order. This is typically useful in helping to distribute the network traffic directed at a particular subnet during large scans.

Before July 2013, this option worked on a per-subnet basis. This feature has since been enhanced to randomize across the entire target IP space.

Designate Hosts by their DNS Name

Use the host name rather than IP address for report output.

The range specified for a port scan will be applied to both TCP and UDP scans.

Credentials The Credentials tab, pictured below, allows you to configure the Nessus scanner to use authentication credentials during scanning. By configuring credentials, it allows Nessus to perform a wider variety of checks that result in more accurate scan results.

The Windows credentials drop-down menu item has settings to provide Nessus with information such as SMB account name, password, and domain name. Server Message Block (SMB) is a file sharing protocol that allows computers to share information transparently across the network. Providing this information to Nessus will allow it to find local information from a remote Windows host. For example, using credentials enables Nessus to determine if important security patches have been applied. It is not necessary to modify other SMB parameters from default settings.

When multiple SMB accounts are configured, Nessus will try to log in with the supplied credentials sequentially. Once Nessus is able to authenticate with a set of credentials, it will check subsequent credentials supplied, but only use them if administrative privileges are granted when previous accounts provided user access. Some versions of Windows allow you to create a new account and designate it as an administrator. These accounts are not always suitable for performing credentialed scans. Tenable recommends that the original administrative account, named Administrator be used for credentialed scanning to ensure full access is permitted. On some versions of Windows, this account may be hidden. The real administrator account can be unhidden by running a DOS prompt with administrative privileges and typing the following command: C:\> net user administrator /active:yes

27

If a maintenance SMB account is created with limited administrator privileges, Nessus can easily and securely scan multiple domains.

Tenable recommends that network administrators consider creating specific domain accounts to facilitate testing. Nessus includes a variety of security checks for Windows NT, 2000, Server 2003, XP, Vista, Windows 7, Windows 8, and Windows 2008 that are more accurate if a domain account is provided. Nessus does attempt to try several checks in most cases if no account is provided.

The Windows Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. If the service is not running, reading keys and values from the registry will not be possible, even with full credentials. Please see the Tenable blog post titled Dynamic Remote Registry Auditing - Now you see it, now you dont! for more information. This service must be started for a Nessus credentialed scan to fully audit a system using credentials.

Users can select SSH settings from the drop-down menu and enter credentials for scanning Unix systems. These credentials are used to obtain local information from remote Unix systems for patch auditing or compliance checks. There is a field for entering the SSH user name for the account that will perform the checks on the target Unix system, along with either the SSH password or the SSH public key and private key pair. There is also a field for entering the Passphrase for the SSH key, if it is required.

28

Nessus supports the OpenSSH SSH public key format. Other formats from other SSH applications, including PuTTY and SSH Communications Security, must be converted to OpenSSH public key format.

The most effective credentialed scans are when the supplied credentials have root privileges. Since many sites do not permit a remote login as root, Nessus users can invoke su, sudo, su+sudo, dzdo, or pbrun with a separate

password for an account that has been set up to have su or sudo privileges. In addition, Nessus can escalate

privileges on Cisco devices by selecting Cisco enable.

Nessus can use SSH key-based access to authenticate to a remote server. If an SSH known_hosts file is available and

provided as part of the scan policy, Nessus will only attempt to log into hosts in this file. Finally, the Preferred SSH port can be set to direct Nessus to connect to SSH if it is running on a port other than 22.

Nessus supports the blowfish-cbc, aes-cbc, and aes-ctr cipher algorithms.

Nessus encrypts all passwords stored in policies. However, it is recommended to use SSH keys for authentication rather than SSH passwords. This helps ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a log in to a system that may not be under your control. As such, it is not recommended to use SSH passwords unless absolutely necessary.

The following screen capture shows the available SSH options. The Elevate privileges with drop-down provides several methods of increasing privileges once authenticated.

29

If an account other than root must be used for privilege escalation, it can be specified under the Escalation account

with the Escalation password.

Kerberos configuration allows you to specify credentials using Kerberos keys from a remote system:

Finally, if a secure method of performing credentialed checks is not available, users can force Nessus to try to perform checks over insecure protocols by configuring the Cleartext protocol settings drop-down menu item. The cleartext protocols supported for this option are telnet, rsh, and rexec. In addition, there are check boxes to specifically direct

Nessus to attempt to perform patch level checks over the insecure protocols:

By default, all passwords (and the policy itself) are encrypted within Nessus. If the policy is exported and saved to a .nessus file, the passwords will be stripped during export. Once you have imported your policy into the destination Nessus

scanner, you will need to re-apply your passwords to the credentials being used. The reason for this is that all passwords in the policy will be unusable by the destination Nessus scanner you import to, as it will be unable to decrypt them.

30

Using cleartext credentials in any fashion is not recommended! If the credentials are sent remotely (e.g., via a Nessus scan), the credentials could be intercepted by anyone with access to the network. Use encrypted authentication mechanisms whenever possible.

Plugins The Plugins tab enables the user to choose specific security checks by plugin family or individual checks.

Clicking on the plugin family allows you to enable (green) or disable (red) the entire family. Selecting a family will display the list of its plugins. Individual plugins can be enabled or disabled to create very specific scan policies. A family with some plugins disabled will turn blue and display mixed to indicate only some plugins are enabled. Clicking on the plugin family will load the complete list of plugins, and allow for granular selection based on your scanning preferences.

Selecting a specific plugin will display the plugin output that will be displayed as seen in a report. The synopsis and description will provide more details of the vulnerability being examined. Scrolling down in your browser will also show solution information, additional references if available, risk information, exploit information, and any vulnerability database or informational cross-references.

31

At the top of the plugin family page, you can create filters to build a list of plugins to include in the policy, as well as disable or enable all plugins. Filters allow granular control over plugin selection. Multiple filters can be set in a single policy.

32

To quickly filter plugins based on name in order to locate and read about it, you can type in the search box. This will filter

the plugins on-the-fly. In addition to text searches, you can type in id:10123 to quickly filter a specific plugin. To create a

filter, click on the Filter Options button:

Each filter created provides several options for refining a search. The filter criteria can be based on Any, where any one criteria will return matches, or All, where every filter criteria must be present. For example, if we want a policy that only includes plugins that have an exploit or can be exploited without a scripted exploit, we create two filters and select Any for the criteria:

33

If we want to create a policy that contains plugins that match several criteria, we select All and add the desired filters. For example, the policy below would include any vulnerability with a patch published after January 1, 2012 that has a public exploit, and CVSS Base Score higher than 5.0:

For a full list of filter criteria and details, check the Report Filters section of this document.

To use filters to create a policy, it is recommended you start by disabling all plugins. Using plugin filters, narrow down the plugins you want to be in your policy. Once completed, select each plugin family and click Enable Plugins.

When a policy is created and saved, it records all of the plugins that are initially selected. When new plugins are received via a plugin update, they will automatically be enabled if the family they are associated with is enabled. If the family has been disabled or partially enabled, new plugins in that family will automatically be disabled as well.

The Denial of Service family contains some plugins that could cause outages on a network if the Safe Checks option is not enabled, but does contain some useful checks that will not cause any harm. The Denial of Service family can be used in conjunction with Safe Checks to ensure that any potentially dangerous plugins are not run. However, it is recommended that the Denial of Service family not be used on a production network unless scheduled during a maintenance window and with staff ready to respond to any issues.

Preferences The Preferences tab includes the ability for granular control over scan policy settings. Selecting an item from the drop-down menu will display further configuration items for that category. Note that this is a dynamic list of configuration options that is dependent on the Nessus version, audit policies, and additional functionality that the connected Nessus scanner has access to. Using the policy wizard will not expose all of the preferences to you unless you explicitly select Advanced Mode in the upper right after selecting a policy. A commercial version of Nessus may have more advanced configuration options available than Nessus Home. This list will change as plugins are added or modified.

The following table provides an overview of all preferences. For more detailed information regarding each preference item, check the Scanning Preferences in Detail section of this document.

34

Preference Drop-down Description

ADSI settings Active Directory Service Interfaces pulls information from the mobile device management (MDM) server regarding Android and iOS-based devices.

Adtran AOS Compliance Checks

A commercial option that allows a system or policy file to be specified to test Adtran AOS based devices against compliance standards.

Amazon AWS Compliance Checks

A commercial option that allows a system to be specified to test Amazon AWS images against compliance standards.

Amazon Web Services Settings

Options used to specify the AWS regions, the AWS keys to use, and the SSL configurations to be tested.

Antivirus Software Check Configure the delay (in days, between 0 and 7)

Apple Profile Manager API Settings

A commercial feature that enables enumeration and vulnerability scanning of Apple iOS devices (e.g., iPhone, iPad).

Brocade FabricOS Compliance Checks

A commercial option that allows a system or policy file to be specified to test Brocade FabricOS based devices against compliance standards.

Check Point GAiA Compliance Checks

A commercial option that allows a system to be specified to test Check Point GAiA based devices against compliance standards.

Cisco IOS Compliance Checks

A commercial option that allows a device or policy file to be specified to test Cisco IOS based devices against compliance standards.

Citrix XenServer Compliance Checks

A commercial option that allows a system to be specified to test Citrix XenServers against compliance standards

Database Compliance Checks

A commercial option that allows a policy file to be specified to test databases such as DB2, SQL Server, MySQL, and Oracle against compliance standards.

Database Settings Options used to specify the type of database to be tested as well as which credentials to use.

Dell Force10 FTOS Compliance Checks

A commercial option that allows a system or policy file to be specified to test Dell Force10 FTOS based devices against compliance standards.

Do not scan fragile devices A set of options that directs Nessus not to scan specific devices, due to increased risk of crashing the target.

Extreme ExtremeXOS Compliance Checks

A commercial option that allows a system or policy file to be specified to test Extreme ExtremeXOS based devices against compliance standards.

FireEye Compliance Checks

A commercial option that allows a system or policy file to be specified to test FireEye devices against compliance standards.

Fortigate FortiOS Compliance Checks

A commercial option that allows a system or policy file to be specified to test Fortigate FortiOS based devices against compliance standards.

Global variable settings A wide variety of configuration options for Nessus.

Good MDM Settings Configurations and credentials related to testing Good MDM (Mobile Device Management) servers.

Huawei Compliance Checks

A commercial option that allows a device or policy file to be specified to test Huawei VRP based devices against compliance standards.

35

HP ProCurve Compliance Checks

A commercial option that allows a system or policy file to be specified to test HP ProCurve devices against compliance standards.

HTTP cookies import For web application testing, this preference specifies an external file to import HTTP cookies to allow authentication to the application.

HTTP login page Settings related to the login page for web application testing.

Hosts File Whitelisted Entries

Allows a user to upload a file containing a list of host names that will be ignored when Nessus checks a systems hosts file.

IBM iSeries Compliance Checks

A commercial option that allows a policy file to be specified to test IBM iSeries systems against compliance standards.

IBM iSeries Credentials Where credentials are specified for IBM iSeries systems.

ICCP/COTP TSAP Addressing Weakness

A commercial option related to Supervisory Control And Data Acquisition (SCADA) tests.

Juniper Junos Compliance Checks

A commercial option that allows a device or policy file to be specified to test Juniper Junos devices against compliance standards.

LDAP 'Domain Admins' Group Membership Enumeration

Where credentials are specified for LDAP service enumeration.

Login configurations Where credentials are specified for basic HTTP, NNTP, FTP, POP, and IMAP service testing.

Malicious Process Detection

Allows you to specify a set of MD5 hashes (known good or known bad) to compare against running processes on a remote system. With credentials, this can be used to detect a wide variety of malware on the system.

MobileIron API Settings Configuration and authentication information for MobileIrons API.

Modbus/TCP Coil Access A commercial option related to Supervisory Control And Data Acquisition (SCADA) tests.

Nessus SYN scanner Options related to the built-in SYN scanner.

Nessus TCP scanner Options related to the built-in TCP scanner.

NetApp Data ONTAP Compliance Checks

A commercial option that allows a system or policy file to be specified to test NetApp Data ONTAP devices against compliance standards.

News Server (NNTP) Information Disclosure

A set of options for testing NNTP servers for information disclosure vulnerabilities.

Oracle Settings Options related to testing Oracle Database installations.

PCI DSS compliance A commercial option that directs Nessus to compare scan results against PCI DSS standards.

Palo Alto Networks PAN-OS Compliance Checks

A commercial option that allows a system to be specified to test Palo Alto Networks PAN-OS devices against compliance standards.

36

Palo Alto Networks PAN-OS Settings

Configurations and credentials related to testing Palo Alto Networks installations.

Patch Management: IBM Tivoli Endpoint Manager Server Settings

Options for integrating Nessus with the IBM Tivoli Endpoint Manager patch management server. Consult the Patch Management Integration document for more information.

Patch Management: Red Hat Satellite Server Settings

Options for integrating Nessus with the Red Hat Satellite patch management server. Consult the Patch Management Integration document for more information.

Patch Management: SCCM Server Settings

Options for integrating Nessus with the System Center Configuration Manager (SCCM) patch management server. Consult the Patch Management Integration document for more information.

Patch Management: VMware Go Server Settings

Options for integrating Nessus with the VMware Go Server (formerly Shavlik) patch management server. Consult the Patch Management Integration document for more information.

Patch Management: WSUS Server Settings

Options for integrating Nessus with the Windows Server Update Service (WSUS) patch management server. Consult the Patch Management Integration document for more information.

Patch Report Configuration option for displaying superseded patches in the report.

Ping the remote host Settings that control Nessus ping-based network discovery.

Port scanner settings Two options that offer more control over port scanning activity.

Remote web server screenshot

Enables Nessus to connect to the cloud to take a remote screenshot of public systems with a remote desktop exposed.

SCAP Linux Compliance Checks

A commercial option that directs Nessus to compare scan results using the Security Content Automation Protocol (SCAP) for Linux systems.

SCAP Windows Compliance Checks

A commercial option that directs Nessus to compare scan results using the SCAP for Windows systems.

SMB Registry : Start the Registry Service during the scan

Direct Nessus to start the SMB registry service on hosts that do not have it enabled.

SMB Scope Direct Nessus to query domain users instead of local users.

SMB Use Domain SID to Enumerate Users

An option that allows you to specify the SID range for SMB lookups of domain users.

SMB Use Host SID to Enumerate Local Users

An option that allows you to specify the SID range for SMB lookups of local users.

SMTP Settings Options for testing the Simple Mail Transport Protocol (SMTP).

SNMP Settings Configuration and authentication information for the Simple Network Management Protocol (SNMP).

Service Detection Options that direct Nessus how to test SSL-based services.

37

SonicWALL SonicOS Compliance Checks

A commercial option that allows a system or policy file to be specified to test SonicWALL SonicOS devices against compliance standards.

Unix Compliance Checks A commercial option that allows a policy file to be specified to test Unix systems against compliance standards.

VMware SOAP API Settings Configuration and authentication information for VMwares SOAP API.

VMware vCenter SOAP API Settings

Configuration and authentication information for communicating with VMware vCenter using the SOAP API.

VMware vCenter/vSphere Compliance Checks

A commercial option that allows a system to be specified to test VMware devices against compliance standards.

Wake-on-LAN Direct Nessus to send Wake-on-LAN (WOL) packets before performing a scan.

Web Application Test Settings

Options related to testing web applications.

Web mirroring Configuration details that control how many web pages Nessus will mirror, in order to analyze the contents for vulnerabilities.

Windows Compliance Checks

A commercial option that allows a policy file to be specified to test Windows systems against compliance standards.

Windows File Contents Compliance Checks

A commercial option that allows a policy file to be specified to test files on Windows system against compliance standards.

Due to the XML meta-data upgrades in Nessus 5, compliance data that was generated with Nessus 4 will not be available in the compliance checks chapter of exported reports. However, compliance data will be available within the Nessus UI.

For organizational convenience, Nessus has two pre-set filters on the left side for Advanced and Wizard policies:

38

Sharing, Importing, Exporting, and Copying Policies The Upload button on the Policies menu bar allows you to upload previously created policies to the scanner. Using the native file browser box, select the policy from your local system and click on Open:

Clicking the checkbox on the selected policy from the scanner enables four options next to the Upload button. Those options are Share, Copy, Download, and Delete.

Clicking on Share will open the share settings for the selected policy. The available selections for default permissions are No access and Can use. Default permissions for other users are set to No access.

39

Clicking on Download will open the browsers download dialog box allows you to open the policy in an external program (e.g., text editor) or save the policy to the directory of your choice.

Passwords and .audit files contained in a policy will not be exported.

If you want to create a policy similar to an existing policy with minor modifications, you can select the base policy in the list and click on Copy on the menu bar. This will create a copy of the original policy that can be edited to make any required modifications. This is useful for creating standard policies with minor changes as required for a given environment.

Creating, Launching, and Scheduling a Scan Users can create their own report by chapters: Host Summary (Executive), Vulnerabilities by Host, Compliance Check (Executive), Suggested Remediations, Vulnerabilities by Plugin, or Compliance Check. The HTML format is still supported by default; however, if Java is installed on the scanner host, it is also possible to export reports in PDF, CSV, or the Nessus DB formats. By using the report filters and export features, users can create dynamic reports of their own choosing instead of selecting from a specific list.

Nessus DB format is an encrypted proprietary format. Note that the Nessus DB formats all the possible data about a scan, including but not limited to the results, the audit trails and attachments.

40

The following scan statuses are available in the scan list table:

Scan Status Description

Completed The scan is fully finished.

Running The scan is currently in progress.

Canceled The user stopped the scan before the end.

Aborted The scan has been aborted due to an invalid target list or a server error (e.g., reboot, crash)

Imported The scan has been imported using the upload functionality.

These statuses only apply to new scans. Old scans are all considered to be completed. Scans with the same status can be listed through the virtual folders on the left navigation panel.

41

After creating or selecting a policy, you can create a new scan by clicking on the Scans option on the menu bar at the top and then click on the + New Scan button on the left. The New Scan screen will be displayed as follows:

Under the Basic Settings tab, there are five fields to enter the scan target:

Name Sets the name that will be displayed in the Nessus UI to identify the scan.

Description Optional field for a more detailed description of the scan.

Policy Select a previously created policy that the scan will use to set parameters controlling Nessus server scanning behavior.

Folder The Nessus UI folder to store the scan results.

Scanner Which Nessus scanner to perform the scan. This will provide multiple options if you have configured

additional Nessus scanners to be secondary to this one.

Scan Targets Targets can be entered by single IP address (e.g., 192.168.0.1), IP range (e.g., 192.168.0.1-192.168.0.255), subnet with CIDR notation (e.g., 192.168.0.0/24), or resolvable host (e.g., www.nessus.org).

Upload Targets A text file with a list of hosts can be imported by clicking on Add File and selecting a file from the local machine.

The host file must be formatted as ASCII text with one host per line and no extra spaces or lines. Unicode/UTF-8 encoding is not supported.

42

Example host file formats:

Individual hosts:

192.168.0.100 192.168.0.101 192.168.0.102

Host range:

192.168.0.100-192.168.0.102

Host CIDR block:

192.168.0.1/24

Virtual servers:

www.tenable.com[192.168.1.1] www.nessus.org[192.168.1.1] www.tenablesecurity.com[192.168.1.1]

Depending on your scan settings such as max hosts or max checks per host, this may cause virtual hosts to be throttled as Nessus views them as the same IP address. On non-Windows hosts, Nessus administrators can add a custom advanced setting named multi_scan_same_host and set it to true. This will allow the

scanner to perform multiple scans against the same IP address. Note that on Windows, the PCAP driver does not allow this regardless of Nessus configuration. This functionality is available in Nessus 5.2.0 and later.

When performing scans using a secondary scanner, the scanner will be greyed out if it is unavailable for any reason. Scans that are being handled by a secondary scanner will have a cloud icon next to it to designate this fact. Note that scan results generated via secondary scanners will not be immediately available for browsing as the agent sends information to the primary scanner every 30 seconds. This can be changed via Settings -> Advanced and adding a ms_agent_sleep setting (e.g., setting this to 5 will configure it to 5 second updates, the lowest allowed). Once

completed, the generated report is only stored on the primary scanner. The secondary scanner will not keep a copy of the data generated. Scans performed by a secondary scanner will be noted in the scan details:

43

Under the Schedule Settings tab, there is a drop-down menu that controls when the scan will be launched:

The launch options are as follows:

Now Start the scan immediately.

On Demand Create the scan as a template so that it can be manually launched at any time (this feature was

formerly handled under the Scan Template option).

Once Schedule the scan at a specific time.

Daily Schedule the scan to occur on a daily basis, at a specific time or interval up to 20 days.

Weekly Schedule the scan to occur on a recurring basis, by time and day of week, for up to 20 weeks.

Monthly Schedule the scan to occur every month, by time and day or week of month, for up to 20 months.

Yearly Schedule the scan to occur every year, by time and day, for up to 20 years.

44

An example of a scheduled scan is below:

Once a scheduled scan is created, it can be accessed via the Schedules menu at the top. This page allows you manage scheduled scans and update them as required:

Under the Email Settings tab, you can optionally configure email addresses to which the scan results will be mailed upon scan completion.

45

The Email Scan Results functionality requires that a Nessus administrator configure the SMTP settings. For more information on configuring SMTP settings, consult the Nessus 5.2 Installation and Configuration Guide. If you have not configured these settings, Nessus will warn you that they must be set for the functionality to work.

After you have entered the scan information, click Save. After submitting, the scan will begin immediately (if Now was selected) before the display is returned to the general Scans page. The top menu bar will also update the number overlaying the Scans button to indicate how many total scans are present.

46

Once a scan has launched, the Scans list will display a list of all scans currently running or paused, along with basic information about the scan. While a scan is running, a pause and stop button are on the left to change the status:

After selecting a particular scan on the list via the checkbox on the left, the More and Move To buttons on the top right will allow you to perform further actions including the ability to rename, manipulate scan status, mark as read, or move it to a different folder.

Creating and Managing Scan Folders Scans can be organized into folders. On the left are two default folders, My Scans and Trash. By default, all new scans will appear in the My Scans virtual folder. Additional folders can be created via the New Folder option on the left and subsequent pop-up window, shown below:

Folders can be renamed or deleted by mousing over a folder to bring up a drop down arrow, and clicking on it:

47

Folders can also be managed via the User Profile -> Folders menu via the drop-down menu at the top right of the interface.

Scans in the Trash folder will be deleted automatically after 30 days. They can be deleted at any time by individually deleting, or selecting Empty Trash at the top.

To move scan results between folders, select the scan by checking the box to the left. Once checked, additional drop-down menus will appear at the top. One provides More options including rename and mark a scan as read or unread. The second allows you to move the scan to the desired folder.

48

Browse Scan Results To browse the results of a scan, click on a report from the list. This allows you to view results by navigating through the results by vulnerabilities or hosts, displaying ports and specific vulnerability information. The default view/tab is by host summary, which shows a list of hosts with a color coded vulnerability summary per host:

If any errors occurred during the scan, there will be a notation at the top of the results:

49

Clicking on the Hide Details on the upper right will suppress the Scan Details to show more of the host summary.

From the Hosts summary view, each summary will contain details about the vulnerability or informational findings, as well as Host Details that provide general information about the host scanned. If Allow Post-Scan Report Editing was selected in the scan policy, a host can be deleted from the scan results by selecting the trashcan icon to the right of Host Details.

50

To quickly change between hosts after you have already selected one, click on the host via the navigation flow at the top to display a pull down-menu of other hosts. If there are numerous hosts, a search box will be available for quick host location:

51

Clicking on a vulnerability via the Hosts or Vulnerabilities tab will display vulnerability information including a description, solution, references, and any available plugin output. Plugin Details will be displayed on the right providing additional information about the plugin and associated vulnerability. From this screen, the pen icon to the right of Plugin Details can be used to modify the displayed vulnerability:

Clicking on the pen icon will display a dialog as shown below:

52

The severity drop-down menu will enable you to re-classify the severity rating of the vulnerability in question, and also to hide it from the report:

Once the change is made, clicking Save will save the change and apply it to the vulnerability in question. In addition, the modification can be applied to all future reports by clicking the option. Doing so will bring up a dialog box allowing you to set an optional expiration date for the modification rule:

An expiration date can be selected using the calendar. Upon that date, the specified modification rule will no longer be applied to that finding.

53

Note that global rules for recasting plugin risk/severity can be established in the User Profile -> Plugin Rules area within Nessus.

The severity ratings are derived from the associated CVSS score, where 0 is Info, less than 4 is Low, less than 7 is Medium, less than 10 is High, and a CVSS score of 10 will be flagged Critical.

Selecting the Vulnerabilities tab at the top will switch to the Vulnerability View. This will sort the results by vulnerabilities rather than hosts, and include the number of hosts affected to the right. Selecting a vulnerability will provide the same information as before, but also include a list of affected hosts at the bottom, along with relevant output for each host.

54

In cases where one host has multiple findings on different ports, the results will be broken down by host and further broken down by port:

Clicking on an affected host at the bottom will load the host-based view of vulnerabilities.

55

If a scan is initiated that uses a compliance policy, the results will be found on a separate at the top called Compliance:

In addition to the Hosts and Vulnerabilities tabs, Nessus offers two additional tabs. The first is a Remediations tab that provides summary information to remediate major issues that have been discovered. This advice is intended to provide you with the most effective mitigation that will significantly reduce the number of vulnerabilities:

56

The second tab is called Notes and offers advice to enhance your scan results:

Report Filters Nessus offers a flexible system of filters to assist in displaying specific report results. Filters can be used to display results based on any aspect of the vulnerability findings. When multiple filters are used, more detailed and customized report views can be created.

The first filter type is a simple text string entered into the Filter Vulnerabilities box on the upper right. As you type, Nessus will immediately begin to filter the results based on your text and what it matches in the titles of the findings. The second filter type is more comprehensive and allows you to specify more details. To create this type of filter, begin by clicking on the down arrow on the right side of the Filter Vulnerabilities box. Filters can be created from any report tab. Multiple filters can be created with logic that allows for complex filtering. A filter is created by selecting the plugin attribute, a filter argument, and a value to filter on. When selecting multiple filters, specify the keyword Any or All accordingly. If All is selected, then only results that match all filters will be displayed:

Once a filter has been set, it can be removed individually by clicking on the to the right. Additionally, all filters can be removed at the same time by selecting Clear Filters. The report filters allow for a wide variety of criteria for granular control of results. The following filter attributes will be present if they are found in the scan results. If an attribute is not present in the scan results, Nessus will suppress them from the filters for convenience:

57

Option Description

Plugin ID Filter results if Plugin ID is equal to, is not equal to, contains, or does not contain a given string (e.g., 42111).

Plugin Description Filter results if Plugin Description contains, or does not contain a given string (e.g., remote).

Plugin Name Filter results if Plugin Name is equal to, is not equal to, contains, or does not contain a given string (e.g., windows).

Plugin Family Filter results if Plugin Name is equal to or is not equal to one of the designated Nessus plugin families. The possible matches are provided via a drop-down menu.

Plugin Output Filter results if Plugin Description is equal to, is not equal to, contains, or does not contain a given string (e.g., PHP)

Plugin Type Filter results if Plugin Type is equal to or is not equal to one of the two types of plugins: local or remote.

Solution Filter results if the plugin Solution contains or does not contain a given string (e.g., upgrade).

Synopsis Filter results if the plugin Solution contains or does not contain a given string (e.g., PHP).

Hostname Filter results if the host is equal to, is not equal to, contains, or does not contain a given string (e.g., 192.168 or lab).

Port Filter results based on if a port is equal to, is not equal to, contains, or does not contain a given string (e.g., 80).

Protocol Filter results if a protocol is equal to or is not equal to a given string (e.g., http).

CPE Filter results based on if the Common Platform Enumeration (CPE) is equal to, is not equal to, contains, or does not contain a given string (e.g., solaris).

CVSS Base Score Filter results based on if a CVSS base score is less than, is more than, is equal to, is not equal to, contains, or does not contain a string (e.g., 5).

This filter can be used to select by risk level. The severity ratings are derived from the associated CVSS score, where 0 is Info, less than 4 is Low, less than 7 is Medium, less than 10 is High, and a CVSS score of 10 will be flagged Critical.

CVSS Temporal Score Filter results based on if a CVSS temporal score is less than, is more than, is equal to, is not equal to, contains, or does not contain a string (e.g., 3.3).

CVSS Temporal Vector Filter results based on if a CVSS temporal vector is equal to, is not equal to, contains, or does not contain a given string (e.g., E:F).

58

CVSS Vector Filter results based on if a CVSS vector is equal to, is not equal to, contains, or does not contain a given string (e.g., AV:N).

Vulnerability Publication Date

Filter results based on if a vulnerability publication date earlier than, later than, on, not on, contains, or does not contain a string (e.g., 01/01/2012). Note: Pressing

the button next to the date will bring up a calendar interface for easier date selection.

Patch Publication Date Filter results based on if a vulnerability patch publication date is less than, is more than, is equal to, is not equal to, contains, or does not contain a string (e.g., 12/01/2011).

Plugin Publication Date Filter results based on if a Nessus plugin publication date is less than, is more than, is equal to, is not equal to, contains, or does not contain a string (e.g., 06/03/2011).

Plugin Modification Date Filter results based on if a Nessus plugin modification date is less than, is more than, is equal to, is not equal to, contains, or does not contain a string (e.g., 02/14/2010).

CVE Filter results based on if a CVE reference is equal to, is not equal to, contains, or does not contain a given string (e.g., 2011-0123).

Bugtraq ID Filter results based on if a Bugtraq ID is equal to, is not equal to, contains, or does not contain a given string (e.g., 51300).

CERT Advisory ID Filter results based on if a CERT Advisory ID (now called Technical Cyber Security Alert) is equal to, is not equal to, contains, or does not contain a given string (e.g., TA12-010A).

OSVDB ID Filter results based on if an Open Source Vulnerability Database (OSVDB) ID is equal to, is not equal to, contains, or does not contain a given string (e.g., 78300).

Secunia ID Filter results based on if a Secunia ID is equal to, is not equal to, contains, or does not contain a given string (e.g., 47650).

Exploit Database ID Filter results based on if an Exploit Database ID (EBD-ID) reference is equal to, is not equal to, contains, or does not contain a given string (e.g., 18380).

Metasploit Name Filter results based on if a Metasploit name is equal to, is not equal to, contains, or does not contain a given string (e.g., xslt_password_reset).

Exploited by Malware Filter results based on if the presence of a vulnerability is exploitable by malware is equal to or is not equal to true or false.

IAVA Filter results based on if an IAVA reference is equal to, is not equal to, contains, or does not contain a given string (e.g., 2012-A-0008).

IAVB Filter results based on if an IAVB reference is equal to, is not equal to, contains, or does not contain a given string (e.g., 2012-A-0008).

IAVM Severity Filter results based on the IAVM severity level (e.g., IV).

IAVT Filter results based on if an IAVT reference is equal to, is not equal to, contains, or does not contain a given string (e.g., 2012-A-0008).

59

See Also Filter results based on if a Nessus plugin see also reference is equal to, is not equal to, contains, or does not contain a given string (e.g., seclists.org).

Risk Factor Filter results based on the risk factor of the vulnerability (e.g., Low, Medium, High, Critical).

Exploits Available Filter results based on the vulnerability having a known public exploit.

Exploitability Ease Filter results based on if the exploitability ease is equal to or is not equal to to the following values: Exploits are available, No exploit is required, or No known exploits are available.

Metasploit Exploit Framework

Filter results based on if the presence of a vulnerability in the Metasploit Exploit Framework is equal to or is not equal to true or false.

CANVAS Exploit Framework

Filter results based on if the presence of an exploit in the CANVAS exploit framework is equal to or is not equal to true or false.

CANVAS Package Filter results based on which CANVAS exploit framework package an exploit exists for. Options include CANVAS, D2ExploitPack, or White_Phosphorus.

CORE Exploit Framework Filter results based on if the presence of an exploit in the CORE exploit framework is equal to or is not equal to true or false.

Elliot Exploit Framework Filter results based on if the presence of an exploit in the Elliot exploit framework is equal to or is not equal to true or false.

Elliot Exploit Name Filter results based on if an Elliot exploit is equal to, is not equal to, contains, or does not contain a given string (e.g., Typo3 FD).

ExploitHub Filter results based on if the presence of an exploit on the ExploitHub web site is equal to or is not equal to true or false.

When using a filter, the string or numeric value can be comma delimited to filter based on multiple strings. For example, to filter results to show only web servers, you could create a Ports filter, select is equal to and input 80,443,8000,8080. This will show you results associated with those four ports.

Filter criteria are not case sensitive. If a filter option is not available, it means that the report contains nothing that meets the criteria. For example, if Microsoft Bulletin is not on the filter dropdown list, then no vulnerabilities were found that reference a Microsoft Bulletin.

As a filter is created, the scan results will be updated to reflect the new filter criteria after selecting Apply. The down arrow in the Filter Vulnerabilities box will change to a numeric representation of how many filters are currently being applied.

Once the results have been filtered to provide the data set you want, click Export Results to export just the filtered results. To receive a report with all of the results, remove all filters and use the export feature.

Nessus scan results provide a concise list of plugins that detected issues on the host. However, there are times where you may want to know why a plugin did not return results. The Audit Trail functionality will provide this information. Begin by clicking Audit Trail located on the upper right-hand side:

60

This will bring up the Audit Trail dialogue box. Begin by entering the plugin ID you want to know more about. Click Submit and a host or list of hosts will be displayed that relates to your query. Optionally, you can supply a host IP for the initial query to limit the results to a target of interest. Once the host(s) are displayed, click on one to display information about why the plugin did not fire:

61

Due to the