Assessment Scan Settings
Note: If a scan is based on a policy, you cannot configure Assessment settings in the scan. You can only modify these settings in the related policy.
You can use Assessment settings to configure how a scan identifies vulnerabilities, as well as what vulnerabilities are identified. This includes identifying malware, assessing the vulnerability of a system to brute force attacks, and the susceptibility of web applications.
Certain Tenable-provided scanner templates include preconfigured assessment settings.
If you select the Custom preconfigured setting option, or if you are using a scanner template that does not include preconfigured assessment settings, you can manually configure Assessment settings in the following categories:
Note: The following tables include settings for the Advanced Scan template. Depending on the template you select, certain settings may not be available, and default values may vary.
General
The General section includes the following groups of settings:
| Setting |
Default Value |
Description |
| Accuracy |
| Override normal Accuracy |
Disabled |
In some cases, Nessus cannot remotely determine whether a flaw is present or not. If report paranoia is set to Show potential false alarms, a flaw is reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid potential false alarms causes Nessus to not report any flaw whenever there is a hint of uncertainty about the remote host. As a middle ground between these two settings, disable this setting.
|
| Perform thorough tests (may disrupt your network or impact scan speed) |
Disabled |
Causes various plugins to work harder. For example, when looking through SMB file shares, a plugin can analyze 3 directory levels deep instead of 1. This could cause much more network traffic and analysis in some cases. By being more thorough, the scan is more intrusive and is more likely to disrupt the network, while potentially providing better audit results. |
| Antivirus |
| Antivirus definition grace period (in days) |
0 |
Configure the delay of the Antivirus software check for a set number of days (0-7). The Antivirus Software Check menu allows you to direct Nessus to allow for a specific grace time in reporting when antivirus signatures are considered out of date. By default, Nessus considers signatures out of date regardless of how long ago an update was available (e.g., a few hours ago). This can be configured to allow for up to 7 days before reporting them out of date. |
| SMTP |
| Third party domain |
Nessus attempts to send spam through each SMTP device to the address listed in this field. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.
|
| From address |
The test messages sent to the SMTP server(s) appear as if they originated from the address specified in this field.
|
| To address |
Nessus attempts to send messages addressed to the mail recipient listed in this field. The postmaster address is the default value since it is a valid address on most mail servers.
|
Brute Force
The Brute Force section includes the following groups of settings:
| Setting |
Default Value |
Description |
| General Settings |
| Only use credentials provided by the user |
Enabled |
In some cases, Nessus can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Nessus from performing these tests. |
| Oracle Database |
| Test default accounts (slow) |
Disabled |
Test for known default accounts in Oracle software. |
|
Hydra
Hydra options only appear when Hydra is installed on the same computer as the scanner or agent executing the scan.
|
| Always enable Hydra (slow) |
Disabled |
Enables Hydra whenever the scan is performed. |
| Logins file |
|
A file that contains user names that Hydra uses during the scan. |
| Passwords file |
|
A file that contains passwords for user accounts that Hydra uses during the scan. |
| Number of parallel tasks |
16 |
The number of simultaneous Hydra tests that you want to execute. By default, this value is 16.
|
| Timeout (in seconds) |
30 |
The number of seconds per log on attempt. |
| Try empty passwords |
Enabled |
If enabled, Hydra tries user names without using a password. |
| Try login as password |
Enabled |
If enabled, Hydra tries a user name as the corresponding password. |
| Stop brute forcing after the first success |
Disabled |
If enabled, Hydra stops brute forcing user accounts after the first time an account is successfully accessed. |
| Add accounts found by other plugins to the login file |
Enabled |
If disabled, only the user names specified in the logins file are used for the scan. Otherwise, additional user names discovered by other plugins are added to the logins file and used for the scan. |
| PostgreSQL database name |
|
The database that you want Hydra to test. |
| SAP R/3 Client ID (0 - 99) |
|
The ID of the SAP R/3 client that you want Hydra to test. |
| Windows accounts to test |
Local accounts |
Can be set to Local accounts, Domain Accounts, or Either. |
| Interpret passwords as NTLM hashes |
Disabled |
If enabled, Hydra interprets passwords as NTLM hashes. |
| Cisco login password |
|
This password is used to log in to a Cisco system before brute forcing enable passwords. If no password is provided here, Hydra attempts to log in using credentials that were successfully brute forced earlier in the scan. |
| Web page to brute force |
|
Enter a web page that is protected by HTTP basic or digest authentication. If a web page is not provided here, Hydra attempts to brute force a page discovered by the Nessus web crawler that requires HTTP authentication. |
| HTTP proxy test website |
|
If Hydra successfully brute forces an HTTP proxy, it attempts to access the website provided here via the brute forced proxy. |
| LDAP DN |
|
The LDAP Distinguish Name scope that Hydra authenticates against. |
SCADA
| Setting |
Default Value |
Description |
|
Start at Register
|
0 |
The register at which to start scanning.
|
| End at Register |
16 |
The register at which to stop scanning. |
| ICCP/COTP TSAP Addressing Weakness |
The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values.
|
| Start COTP TSAP |
8 |
Specifies the starting TSAP value to try. |
| Stop COTP TSAP |
8 |
Specifies the ending TSAP value to try. All values between the Start and Stop values are tried. |
Web Applications
By default, web applications are not scanned. When you first access the Web Application section, the Scan Web Applications setting appears and is set to Off. To modify the Web Application settings listed on the following table, click the Off button. The rest of the settings appear.
The Web Applications section includes the following groups of settings:
| Setting |
Default Value |
Description |
| General Settings |
| Use a custom User-Agent |
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
|
Specifies which type of web browser Nessus impersonates while scanning.
|
| Web Crawler |
| Start crawling from |
/
|
The URL of the first page that is tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).
|
| Excluded pages (regex) |
/server_privileges\.php <> log out |
Specifies portions of the web site to exclude from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this field to: (^/manual) <> (\.pl(\?.*)?$).
Nessus supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).
|
| Maximum pages to crawl |
1000
|
The maximum number of pages to crawl.
|
| Maximum depth to crawl |
6
|
Limit the number of links Nessus follows for each start page.
|
| Follow dynamic pages |
Disabled
|
If selected, Nessus follows dynamic links and may exceed the parameters set above.
|
| Application Test Settings |
| Enable generic web application tests |
Disabled |
Enables the options listed below. |
| Abort web application tests if HTTP login fails |
Disabled |
If Nessus cannot log in to the target via HTTP, then do not run any web application tests. |
| Try all HTTP methods |
Disabled |
This option instructs Nessus to also use POST requests for enhanced web form testing. By default, the web application tests only use GET requests, unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. This setting provides more thorough testing, but may considerably increase the time required. When selected, Nessus tests each script or variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required. |
| Attempt HTTP Parameter Pollution |
Disabled |
When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while also supplying the same variable with valid content. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2. |
| Test embedded web servers |
Disabled |
Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option. |
| Test more than one parameter at a time per form |
Disabled |
This setting manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Nessus would attempt
/test.php?arg1=XSS&b=1&c=1, where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.
This setting has four options:
- Test random pairs of parameters: This form of testing randomly checks a combination of random pairs of parameters. This is the fastest way to test multiple parameters.
- Test all pairs of parameters (slow): This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it tests an attack string, variations for a single variable and then use the first value for all other variables. For example, Nessus would attempt /test.php?a=XSS&b=1&c=1&d=1 and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Nessus would never test for /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.
- Test random combinations of three or more parameters (slower): This form of testing randomly checks a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Increasing the amount of combinations by three or more increases the web application test time.
- Test all combinations of parameters (slowest): This method of testing checks all possible combinations of attack strings with valid input to variables. Where all pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.
|
Do not stop after first flaw is found per web page
|
Disabled
|
This setting determines when a new flaw is targeted. This applies at the script level. Finding an XSS flaw does not disable searching for SQL injection or header injection, but unless otherwise specified, there is at most one report for each type on a given port. Note that several flaws of the same type (for example, XSS or SQLi) may be reported if they were caught by the same attack.
If this option is disabled, as soon as a flaw is found on a web page, the scan moves on to the next web page.
If you enable this option, select one of the following options:
- Stop after one flaw is found per web server (fastest) — (Default) As soon as a flaw is found on a web server by a script, Nessus stops and switches to another web server on a different port.
- Stop after one flaw is found per parameter (slow) — As soon as one type of flaw is found in a parameter of a CGI (for example, XSS), Nessus switches to the next parameter of the same CGI, the next known CGI, or to the next port or server.
- Look for all flaws (slowest) — Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommend in most cases.
|
| URL for Remote File Inclusion |
http://rfi.nessus.org/rfi.txt |
During Remote File Inclusion (RFI) testing, this setting specifies a file on a remote host to use for tests. By default, Nessus uses a safe file hosted by Tenable, Inc. for RFI testing. If the scanner cannot reach the internet, you can use an internally hosted file for more accurate RFI testing. |
| Maximum run time (min) |
5 |
This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given website. Scanning the local network for web sites with small applications typically completes in under an hour, however web sites with large applications may require a higher value. |
Windows
The Windows section contains the following groups of settings:
| Setting |
Default Value |
Description |
| General Settings |
| Request information about the SMB Domain |
Disabled |
If enabled, domain users are queried instead of local users.
|
| User Enumeration Methods |
|
You can enable as many of the user enumeration methods as appropriate for user discovery.
|
| SAM Registry |
Enabled |
Nessus enumerates users via the Security Account Manager (SAM) registry. |
| ADSI Query |
Enabled |
Nessus enumerates users via Active Directory Service Interfaces (ADSI). To use ADSI, you must configure credentials under Credentials > Miscellaneous > ADSI. |
| WMI Query |
Enabled |
Nessus enumerates users via Windows Management Interface (WMI). |
| RID Brute Forcing |
Disabled |
Nessus enumerates users via relative identifier (RID) brute forcing. Enabling this setting enables the Enumerate Domain Users and Enumerate Local User settings. |
| Enumerate Domain Users (available with RID Brute Forcing enabled) |
| Start UID |
1000 |
The beginning of a range of IDs where Nessus attempts to enumerate domain users. |
| End UID |
1200 |
The end of a range of IDs where Nessus attempts to enumerate domain users. |
| Enumerate Local User (available with RID Brute Forcing enabled) |
| Start UID |
1000 |
The beginning of a range of IDs where Nessus attempts to enumerate local users. |
| End UID |
1200 |
The end of a range of IDs where Nessus attempts to enumerate local users. |
Malware
The Malware section contains the following groups of settings:
| Setting |
Default Value |
Description |
| General Settings |
| Disable DNS resolution |
Disabled |
Checking this option prevents Nessus from using the cloud to compare scan findings against known malware. |
| Hash and Whitelist Files |
| Custom Netstat IP Threat List |
None |
A text file that contains a list of known bad IP addresses that you want to detect.
Each line in the file must begin with an IPv4 address. Optionally, you can add a description by adding a comma after the IP address, followed by the description. You can also use hash-delimited comments (e.g., #) in addition to comma-delimited comments.
|
| Provide your own list of known bad MD5 hashes |
None |
Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. Optionally, you can include a description for a hash by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, the description appears in the scan results. Hash-delimited comments (e.g., #) can also be used in addition to the comma-delimited ones.
|
| Provide your own list of known good MD5 hashes |
None |
Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description appears in the scan results. Standard hash-delimited comments (e.g., # ) can optionally be used in addition to the comma-delimited ones. |
| Hosts file whitelist |
None |
Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910 titled Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of IPs and hostnames to be ignored by Nessus during a scan. Include one IP and one hostname (formatted identically to your hosts file on the target) per line in a regular text file.
|
| Yara Rules |
| Yara Rules |
None |
A .yar file containing the YARA rules to be applied in the scan. You can only upload one file per scan, so include all rules in a single file. For more information, see yara.readthedocs.io.
|
| File System Scanning |
| Scan file system |
Off |
Enabling this option allows you to scan system directories
and files on host computers.
Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.
|
| Windows Directories |
| Scan %Systemroot% |
Off |
Enables file system scanning to scan %Systemroot%. |
| Scan %ProgramFiles% |
Off |
Enables file system scanning to scan %ProgramFiles%. |
| Scan %ProgramFiles(x86)% |
Off |
Enables file system scanning to scan %ProgramFiles(x86)%. |
| Scan %ProgramData% |
Off |
Enables file system scanning to scan %ProgramData%. |
| Scan User Profiles |
Off |
Enables file system scanning to scan user profiles. |
| Linux Directories |
| Scan $PATH |
Off |
Enable file system scanning to scan for $PATH locations. |
| Scan /home |
Off |
Enable file system scanning to scan /home. |
| MacOS Directories |
| Scan $PATH |
Off |
Enable file system scanning to scan $PATH locations. |
| Scan /Users |
Off |
Enable file system scanning to scan /Users. |
| Scan /Applications |
Off |
Enable file system scanning to scan /Applications. |
| Scan /Library |
Off |
Enable file system scanning to scan /Library. |
| Custom Directories |
| Custom Filescan Directories |
None |
A custom file that lists directories to be scanned by malware file scanning. In the file, list each directory on a new line. Root directories such as 'C:\' or '/' are not accepted, nor are variables such as %Systemroot%. |
Databases
| Setting |
Default Value |
Description |
| Oracle Database |
| Use detected SIDs |
Disabled |
When enabled, if at least one host credential and one Oracle database credential are configured, the scanner authenticates to scan targets using the host credentials, and then attempts to detect Oracle System IDs (SIDs) locally. The scanner then attempts to authenticate using the specified Oracle database credentials and the detected SIDs.
If the scanner cannot authenticate to scan targets using host credentials or does not detect any SIDs locally, the scanner authenticates to the Oracle database using the manually specified SIDs in the Oracle database credentials.
|
