
NessusWX (Nessus Windows Client)

last modified 2007-07-27 11:28

This is the Setup guide for NessusWX, a Windows Client for the Nessus Vulnerability Scanner.


Initial Setup

Plug-in Configuration

Creating and Configuring Session

Executing Scan and Viewing Reports


Step #1: Initial Setup

Before running the client the server must be up and running. The simplest way to accomplish this is to issue the following command (as root): nessusd -D

Download the binary files from http://nessuswx.nessus.org/index.htm#download.

There are versions available that automatically install the program, create desktop icons, etc. However, the latest version available for download usually comes in a zip file that must be extracted to a folder.

Double click on the NessusWX executable to get started. This should pull up the NessusWX console window.

Hit F4 or select Communications -> Connect from the File menu to bring up a connection window.

Enter the server IP and the login ID/password combination previously created with the nessus-adduser command.

Click Connect.

Upon the initial run the SSL certificate is downloaded and verification is requested (to ensure that you are actually communicating with the intended server in the future).

Upon connecting with the server, the client will download preferences and installed plug-in information.


Step #2: Plug-in Configuration

Select Communications -> Plug-in list to examine the list of installed plug-ins.

Plug-ins are the actual programs that test the target for vulnerabilities (similar to virus signatures in a virus scanner).

The window provides a list of downloaded plug-ins. The left window lists plug-in categories (i.e. those that test P2P file sharing, firewalls, etc.). You may expand each category to see the plug-ins included in that category, or “family” of plug-ins. Click on a plug-in name to get a description in the right window explaining what the plug-in does.

Some plug-ins are categorized as “dangerous” or DoS (denial of service). These plug-ins will actually perform a denial of service attack and will consequently crash vulnerable systems. Note that unlike the Unix client, the NessusWX client does not differentiate “dangerous” and “non-dangerous” plug-ins with an icon or warning. However, these can be disabled as a whole via the “Enable all non-DoS” button. Note that the author of the plug-in decides if it is “dangerous” or not.


Step #3: Creating and Configuring a Session

In order to begin scanning systems with NessusWX, we must first create a session and configure preferences for plug-ins, targets, etc.

To create a session, hit the Insert key from the main client window or select Session -> New from the File menu. Select a name for your session and click Create or hit Enter. Now you can define the parameters of your session.

A) Targets: First we identify the targets to be scanned. Targets can be specified as a single IP address, a subnet, or as a range of IP addresses.

It is recommended that the first scan you run be against your own isolated test system. (Because of the potential for misuse and/or abuse of the Nessus program, including crashing systems and causing loss of data, never scan any system without permission).
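The three target forms and the permission rule above can be enforced before a session is ever created. The following Python is an added example, not part of the original tutorial or of NessusWX: it checks a proposed target list against networks you are authorized to scan. The AUTHORIZED network, the low-high range syntax and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption for this example: the lab network you have permission to scan.
AUTHORIZED = [ipaddress.ip_network("192.168.56.0/24")]

def parse_target(spec):
    """Return (first, last) address of a single IP, a subnet, or a range."""
    spec = spec.strip()
    if "-" in spec:  # range written as low-high (assumed syntax)
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {spec!r}")
        return lo, hi
    # A single IP parses as a one-address network; strict=False accepts
    # host bits in a subnet spec such as 192.168.56.10/24.
    net = ipaddress.ip_network(spec, strict=False)
    return net[0], net[-1]

def in_scope(spec, authorized=AUTHORIZED):
    """True only if every address in the target lies in one authorized network."""
    first, last = parse_target(spec)
    return any(first in net and last in net for net in authorized)

def review_targets(specs, authorized=AUTHORIZED):
    """Split a session's target list into allowed entries and rejected ones."""
    allowed, rejected = [], {}
    for spec in specs:
        try:
            if in_scope(spec, authorized):
                allowed.append(spec)
            else:
                rejected[spec] = "outside authorized scope"
        except ValueError as exc:
            rejected[spec] = f"unparseable: {exc}"
    return allowed, rejected

if __name__ == "__main__":
    # Constructed target list for illustration.
    targets = ["192.168.56.10", "192.168.56.0/25",
               "192.168.56.200-192.168.57.5", "192.168.0.0/16", "192.168.56.300"]
    ok, bad = review_targets(targets)
    print("scan:", ok)
    for spec, why in bad.items():
        print("skip:", spec, "->", why)
```

A range or subnet is accepted only when both its first and last address fall inside the same authorized network, so a target that merely overlaps the permitted scope is rejected as a whole.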

B) Click on the Options tab. This will allow you to define various options, including maximum number of hosts to be scanned, security checks per host, etc.

One of the options is safe checks. When enabled, this disables the dangerous parts of safe-check compatible plug-ins and checking is done through passive methods (i.e. checking version numbers). Although safe checks are not as reliable as actually exploiting the vulnerability and may return false positives or negatives, they prevent the possibility of crashing a machine.


Increasing maximum simultaneous hosts scanned and security checks per host will speed up the scan (but will require additional system resources).

C) Click on Port scan to enable/disable port scanning options.

A port scanner searches the network target for active ports. Each port is tied to a specific application, i.e. Telnet (port 23) or Kerberos (port 88). Ports are categorized as open (a service is actively listening on the port), closed (connections to the port are denied), or blocked (there is no reply from the host). Nessus runs tests only if the port is active; furthermore, it only runs a test if the specific program for that test is available. Port scans therefore are used to significantly reduce scanning time.

Nessus has several options for port scans, found in the bottommost scrollbox under Scan options. The two most commonly used types of scans are the TCP connect( ) and SYN scans.

TCP connect ( ): This is the most basic port scan, attempting to complete a connection to each port it scans. It isn’t very stealthy but is fast and accurate. It is less likely to crash systems because it completes and “tears down” the connections it builds.

SYN Scan (or sync scan): SYN scans create a connection to a port, but do not complete it. This results in a scan that is faster, more stealthy, and more difficult to block than the TCP connect scan. An additional benefit is that a SYN scan looks like a failed connect attempt, which blends into “clutter” in network logs and can elude intrusion detection alarms. In general, SYN scans are recommended for most general scanning purposes.

NMAP: NMAP is a powerful and flexible open-source port scanner, widely recognized as an industry standard. If NMAP is installed on your system you may use the Nessus client as a front-end for configuring options. More information about NMAP can be found at its official website: http://www.insecure.org/nmap/
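The SYN scan description above notes that each probe looks like a failed connection attempt in network logs. As an added example (not part of the original tutorial), the following Python shows the defender's view: a single failed connect is clutter, but many uncompleted handshakes from one source to different ports in a short window stand out. The log format, the SYN_ONLY/ESTABLISHED labels and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not from a real device):
#   time_s  source  destination  dest_port  outcome
# SYN_ONLY = handshake started but never completed; ESTABLISHED = completed.
SAMPLE_LOG = """\
10.0 10.0.0.7 10.0.0.20 21 SYN_ONLY
10.1 10.0.0.7 10.0.0.20 22 SYN_ONLY
10.2 10.0.0.7 10.0.0.20 23 SYN_ONLY
10.3 10.0.0.7 10.0.0.20 25 SYN_ONLY
10.4 10.0.0.7 10.0.0.20 80 SYN_ONLY
10.5 10.0.0.7 10.0.0.20 88 SYN_ONLY
12.0 10.0.0.9 10.0.0.20 80 ESTABLISHED
40.0 10.0.0.9 10.0.0.20 25 SYN_ONLY
900.0 10.0.0.9 10.0.0.20 23 SYN_ONLY
"""

def half_open_by_source(log):
    """Group uncompleted handshakes by source address."""
    events = defaultdict(list)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        ts, src, dst, dport, outcome = fields
        if outcome == "SYN_ONLY":
            events[src].append((float(ts), dst, int(dport)))
    return events

def find_scanners(log, window_s=60.0, min_ports=5):
    """Return {source: max distinct (host, port) pairs probed in any window}."""
    flagged = {}
    for src, evs in half_open_by_source(log).items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s.
            while evs[end][0] - evs[start][0] > window_s:
                start += 1
            distinct = {(d, p) for _, d, p in evs[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_ports:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

In the sample, 10.0.0.7 is flagged for six ports in under a second, while 10.0.0.9, with two isolated failed connects far apart, is not.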

From here you can also enable pings.

Pings check an IP address (or addresses) to see if it is active. If the IP does not respond to pings, the system assumes that the IP has no system and no further tests will be run against that IP. Therefore, as with port scans, enabling pings can greatly reduce scanning time.

There are two basic types of pings: ICMP (most commonly used) and TCP.

ICMP: These are very accurate and comprehensive, as long as there is no firewall between the server and target that blocks the pings. Firewalls are made specifically to make systems difficult to scan and to filter incoming ICMP pings. Also, pinging all addresses in a subnet makes the scan obvious in firewall and router logs. Therefore, ICMP pings are best suited for scanning one’s internal network(s).

TCP: These make attempts to connect to specific ports in order to determine if a system exists. The ports can be user-defined; otherwise, the system will scan commonly used ports, i.e. 25 (SMTP for E-mail) or 80 (HTTP). TCP pings can effectively scan firewalled systems, and are less obvious than ICMP pings. However, systems without the chosen ports will be missed.

D) Connection options:

This screen is usually greyed out; however, if you’d like to set up connection options specific to the current session (i.e. you wish to use a different nessus user/password), you may check the box marked “Use session-specific connection information” and set it up accordingly.

E) Plug-in Setup: If you want your scan to utilize the global plug-in settings and preferences you configured earlier, you may bypass this section.

However, if you want to use a set of plug-ins or a certain configuration for this session only (i.e. you usually run only the non-denial of service plug-ins but want to use the denial of service ones this time), click “Use session-specific plugin set” and the dialog box below will highlight.


Step #4: Execute Scan and View Reports

To begin a scan in NessusWX, right click the desired session and select “Execute”. You will be given a window with some additional options (if you want to save your session, etc.).

Click “Execute” again and NessusWX will begin the scanning process.


After the scan completes you will be given a dialog box that summarizes the results of the scan and allows you to print and save reports.


From this screen you can import/export to MySQL, comma delimited, and other formats.


Detailed information about each vulnerability is displayed here.

