
Add a Scan Policy

Clicking “Add” opens the Add Policy screen, which is used to configure the new scan policy. The initial screen presents options for Advanced or Template configurations. Items from either section may be selected to begin the process of creating a policy.

Template

The Template section allows users to create scan policies based on industry standards. After selecting a policy template the user is presented with a configuration screen to configure settings unique to the network being scanned. This will include options such as web directories to scan, compliance audit files to use, credentials to use, and other scan options depending on the template selected.

Advanced Scan

The tables below contain detailed descriptions of options available on each of the tabs displayed under the “Advanced Scan” Add Policy screen. The Advanced Scan option gives the ability to build a finely tuned scan policy utilizing all the available settings.

Basic Options

The “Basic” option sets the name and description of the policy:

Option Description

Name

Unique policy name

Description

Policy description (optional)

Scan Options

The “Advanced” frame controls options for the scan:

Option Description

General Settings

Enable Safe Checks

Nessus can attempt to identify remote vulnerabilities by interpreting banner information and attempting to exercise a vulnerability. When “Enable Safe Checks” is enabled, the second step is skipped. This is not as reliable as a full probe, but is less likely to negatively impact a targeted system.

Stop scanning hosts that become unresponsive during the scan

During a scan hosts may become unresponsive after a period of time. Enabling this setting will stop scan attempts against hosts that stop sending results.

Performance Options

Slow down the scan when network congestion is detected

When Nessus detects congestion during a scan, it will slow the speed of the scan in an attempt to ease the burden on the affected segment(s).

Use Linux kernel congestion detection

Use Linux kernel congestion detection during the scan to help alleviate system lockups on the Nessus scanner server.

Network Timeout (in seconds)

The number of seconds Nessus waits before concluding that there is a problem communicating with the target over the network.

Max Simultaneous Checks Per Host

This setting limits the maximum number of checks a Nessus scanner will perform against a single host at one time.

Max Simultaneous Hosts Per Scan

This setting limits the maximum number of hosts that a single Nessus scanner will scan at the same time. If the scan is using a zone with multiple scanners, each scanner will accept up to the number specified in the Max Simultaneous Hosts Per Scan option. For example, if Max Simultaneous Hosts Per Scan is set to 5 and there are five scanners in the zone, each scanner will accept five hosts to scan, allowing a total of 25 hosts to be scanned between the five scanners.

Max number of concurrent TCP sessions per host

This setting limits the maximum number of TCP sessions established by any of the active scanners while scanning a single host.

Max number of concurrent TCP sessions per scan

This setting limits the maximum number of TCP sessions established by any of the active scanners during a scan.

Host Discovery

The “Host Discovery” section controls discovery options for the scan:

Option Description

Ping the remote host

When enabled, Nessus attempts to ping the hosts in the scan to determine if the host is alive or not.

General Settings (available when Ping the remote host is enabled)

Test the local Nessus host

This option allows you to include or exclude the local Nessus host from the scan. This is used when the Nessus host falls within the target network range for the scan.

Use Fast Network Discovery

When Nessus “pings” a remote IP and receives a reply, it performs extra checks to make sure that it is not a transparent proxy or a load balancer that would return noise but no result (some devices answer to every port 1 - 65535 even when there is no service behind the device). Such checks can take some time, especially if the remote host is firewalled. If the “Use Fast Network Discovery” option is enabled, Nessus will not perform these checks.

Ping Methods (available when Ping the remote host is enabled)

ARP

Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.

TCP

Ping a host using TCP.

Destination ports

Destination ports can be configured to use specific ports for TCP ping. This specifies the list of ports that will be checked via TCP ping. If you are not sure of the ports, leave this setting at the default of “built-in”.

ICMP

Ping a host using the Internet Control Message Protocol (ICMP).

Assume ICMP unreachable means the host is down

When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When enabled, this option treats such a reply as meaning the host is dead, which helps speed up discovery on some networks.

Note that some firewalls and packet filters send the same message for hosts that are up when the port or protocol being probed is filtered. With this option enabled, the scan will consider such a host down when it is actually up.

Maximum Number of Retries (available when ICMP is enabled)

Allows you to specify the number of attempts to try to ping the remote host. The default is two attempts.

UDP

Ping a host using the User Datagram Protocol (UDP).

Tip: UDP is a “stateless” protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.

Fragile Devices

Scan Network Printers

Instructs the Nessus scanner not to scan network printers if unselected. Since many printers are prone to denial of service conditions, Nessus can skip scanning them once identified. This is particularly recommended if scanning is performed on production networks.

Scan Novell Netware Hosts

Instructs the Nessus scanner not to scan Novell Netware hosts if unselected. Since many Novell Netware hosts are prone to denial of service conditions, Nessus can skip scanning them once identified. This is particularly recommended if scanning is performed on production networks.

Wake-on-LAN

List of MAC addresses

Wake-on-LAN (WOL) packets will be sent to the hosts listed, one per line, in an attempt to wake the specified host(s) during a scan.

Boot time wait (in minutes)

The number of minutes Nessus will wait to attempt a scan of hosts sent a WOL packet.

Network Type

Network Type

Allows you to specify if you are using publicly routable IPs, private non-Internet routable IPs or a mix of these. Select “Mixed” if you are using RFC 1918 addresses and have multiple routers within your network.

Port Scanning

The “Port Scanning” section controls discovery options for the scan:

Option Description

Ports

Consider Unscanned Ports as Closed

If a port is not scanned with a selected port scanner (e.g., it is out of the range specified), the scanner will consider it closed.

Port scan range

Directs the scanner to target a specific range of ports. Accepts “default” (a list of approximately 4,790 common ports found in the nessus-services file), “all” (scans all ports from 0-65535), or a custom list of ports specified by the user. The custom list may contain individual ports and ranges; for example, “21,23,25,80,110” and “1-1024,8080,9000-9200” are valid values. Specifying “1-65535” will scan all ports.
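The port list syntax above is easy to get subtly wrong (a reversed range, a port above 65535, a trailing comma), and because “Consider Unscanned Ports as Closed” turns every omitted port into a reported closed port, a narrow range silently shrinks coverage. The following parser is an added example, not Nessus or SecurityCenter code: it expands a “Port scan range” value into the set of ports it covers, rejects malformed entries instead of narrowing the scan, and reports what a given range leaves unscanned. The real “default” list of roughly 4,790 ports from nessus-services is not on the page, so a small placeholder set stands in for it.

```python
import re

# Added example, not Nessus/SecurityCenter code: expand the "Port scan range"
# syntax described above into concrete port sets.

# Placeholder stand-in for the nessus-services "default" list (assumption:
# the real list is ~4,790 ports and is not reproduced here).
DEFAULT_PORTS = {21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389}

# One entry: a single port, or an inclusive "lo-hi" range.
_RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_range(spec: str) -> set[int]:
    """Return the set of port numbers a "Port scan range" value covers.

    Accepts "default", "all", or a comma-separated list of ports and
    inclusive ranges such as "1-1024,8080,9000-9200".  Malformed or
    out-of-range input raises ValueError rather than being skipped, because
    a silently dropped entry would shrink the scan without anyone noticing.
    """
    spec = spec.strip().lower()
    if spec == "default":
        return set(DEFAULT_PORTS)
    if spec == "all":
        return set(range(0, 65536))
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        match = _RANGE_RE.match(item)
        if not match:
            raise ValueError(f"malformed port entry: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"reversed range: {item!r}")
        if high > 65535:
            raise ValueError(f"port out of range: {item!r}")
        ports.update(range(low, high + 1))
    return ports


def unscanned_ports(spec: str) -> set[int]:
    """Ports the policy never touches.

    With "Consider Unscanned Ports as Closed" enabled these are reported as
    closed, so reviewing this set shows what a narrow range silently misses.
    """
    return set(range(0, 65536)) - parse_port_range(spec)


if __name__ == "__main__":
    for spec in ("21,23,25,80,110", "1-1024,8080,9000-9200", "1-65535", "all"):
        covered = parse_port_range(spec)
        print(f"{spec!r}: {len(covered)} ports scanned, "
              f"{len(unscanned_ports(spec))} left unscanned")
```

Note that the document's own examples expand to 5 and 1,226 ports respectively, and that “1-65535” still leaves port 0 unscanned, which is why the page distinguishes it from “all”.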

Local Port Enumerators

SSH (netstat)

This option uses netstat to check for open ports on the target host. It relies on the netstat command being available via a SSH connection to the target. This scan is intended for Unix-based systems and requires authentication credentials.

WMI (netstat)

This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a WMI connection to the target. This scan is intended for Windows-based systems and requires authentication credentials.

SNMP

Direct Nessus to scan targets for a SNMP service. Nessus will guess relevant SNMP settings during a scan. If the settings are provided by the user under “Preferences”, this will allow Nessus to better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.

Only run network port scanners if local port enumeration failed

Rely on local port enumeration first before relying on network port scans.

Verify open TCP ports found by local port enumerators

If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus will also verify it is open remotely. This helps determine if some form of access control is being used (e.g., TCP wrappers, firewall).

Network Port Scanners

TCP

Use Nessus’ built-in TCP scanner to identify open TCP ports on the targets. This scanner is optimized and has some self-tuning features.

Note: On some platforms (e.g., Windows and Mac OS X), if the operating system is causing serious performance issues using the TCP scanner, Nessus will launch the SYN scanner instead.

SYN

Use Nessus’ built-in SYN scanner to identify open TCP ports on the targets. SYN scans are a popular method for conducting port scans and are generally considered to be a bit less intrusive than TCP scans. The scanner sends a SYN packet to the port, waits for a SYN-ACK reply, and then determines the port state based on the reply, or the lack of one.

UDP

This option engages Nessus’ built-in UDP scanner to identify open UDP ports on the targets.

Tip: UDP is a “stateless” protocol, meaning that communication is not done with handshake dialogues. UDP-based communication is not reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable. Utilizing the UDP scanner will noticeably increase scanning time.

Service Discovery

The “Service Discovery” screen directs the scanner on how it looks for services running on the target’s ports. The following values are allowed for the “Service Discovery” option:

Value Description

Probe all ports to find services

Attempts to map each open port with the service that is running on that port. Note that in some rare cases, this might disrupt some services and cause unforeseen side effects.

Search for SSL based services

Controls how Nessus will test SSL based services: known SSL ports (e.g., 443), all ports, or none. Testing for SSL capability on all ports may be disruptive for the tested host.

Search for SSL on

If selected, choose between Known SSL ports (e.g., 443) and All ports. Testing for SSL capability on all ports may be disruptive for the tested host.

Identify certificates expiring within x days

Identifies SSL certificates that will expire within the specified timeframe. Enter a value to set a timeframe (in days).

Enumerate all SSL ciphers

When SecurityCenter performs an SSL scan, it tries to determine the SSL ciphers used by the remote server by attempting to establish a connection with each different documented SSL cipher, regardless of what the server says is available.

Enable CRL checking (connects to the Internet)

Direct Nessus to check SSL certificates against known Certificate Revocation Lists (CRL). Enabling this option will make a connection and query one or more servers on the internet.

Values for Assessment Options

The “Assessment” screen directs the scanner on how it tests for certain information during the scan. The following values are allowed for the “Assessment” option:

Value Description

Accuracy

Override normal accuracy

In some cases, Nessus cannot remotely determine whether a flaw is present or not. If report paranoia is set to “Paranoid” then a flaw will be reported every time, even when there is doubt about the remote host being affected. Conversely, a paranoia setting of “Avoid false alarms” will cause Nessus to not report any flaw whenever there is a hint of uncertainty about the remote host. Leaving the setting at “Normal” is a middle ground between these two settings.

Perform thorough tests (may disrupt your network or impact scan speed)

Causes various plugins to use more aggressive settings. For example, when looking through SMB file shares, a plugin can analyze 3 directory levels deep instead of its default of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially providing better audit results.

Antivirus

Antivirus definition grace period (in days)

This option determines the number of days to wait before reporting the antivirus software as being outdated. The valid values are between 0 (no delay, default) and 7.

SMTP

Third Party Domain

Nessus will attempt to send spam through each SMTP device to the address listed in this field. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.

From address

The test messages sent to the SMTP server(s) will appear as if they originated from the address specified in this field.

To Address

Nessus will attempt to send messages addressed to the mail recipient listed in this field. The postmaster address is the default value since it is a valid address on most mail servers.

Values for Brute Force Options

The “Brute Force” screen directs the scanner on how it performs brute force login testing during the scan.

Additionally, if Hydra is installed on the same host as a Nessus server linked to SecurityCenter, the Hydra section will be enabled. Hydra extends brute force logon testing for the following services: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

The following values are allowed for the “Brute Force” option:

Value Description

General Settings

Only use credentials provided by the user

In some cases, Nessus can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Nessus from performing these tests.

Oracle Database

Test default Oracle accounts (slow)

Test for known default accounts in Oracle software.

Hydra

Always enable Hydra (slow)

Enables Hydra whenever the scan is performed.

Logins file

A file that contains user names that Hydra will use during the scan.

Passwords file

A file that contains passwords for user accounts that Hydra will use during the scan.

Number of parallel tasks

The number of simultaneous Hydra tests that you want to execute. By default, this value is 16.

Timeout (in seconds)

The number of seconds per logon attempt.

Try empty passwords

If enabled, Hydra will additionally try user names without using a password.

Try login as password

If enabled, Hydra will additionally try a user name as the corresponding password.

Stop brute forcing after the first success

If enabled, Hydra will stop brute forcing user accounts after the first time an account is successfully accessed.

Add accounts found by other plugins to the login file

If disabled, only the user names specified in the logins file will be used for the scan. Otherwise, additional user names discovered by other plugins will be added to the logins file and used for the scan.

PostgreSQL database name

The database that you want Hydra to test.

SAP R/3 Client ID (0 - 99)

The ID of the SAP R/3 client that you want Hydra to test.

Windows accounts to test

Can be set to Local accounts, Domain Accounts, or Either.

Interpret passwords as NTLM hashes

If enabled, Hydra will interpret passwords as NTLM hashes.

Cisco login password

This password is used to log in to a Cisco system before brute forcing enable passwords. If no password is provided here, Hydra will attempt to log in using credentials that were successfully brute forced earlier in the scan.

Web page to brute force

Enter a web page that is protected by HTTP basic or digest authentication. If a web page is not provided here, Hydra will attempt to brute force a page discovered by the Nessus web crawler that requires HTTP authentication.

HTTP proxy test website

If Hydra successfully brute forces an HTTP proxy, it will attempt to access the website provided here via the brute forced proxy.

LDAP DN

The LDAP Distinguished Name scope that Hydra will authenticate against.

Values for SCADA Options

The “SCADA” screen directs the scanner on how it tests for certain information against SCADA systems during the scan. The following values are allowed for the “SCADA” option:

Value Description

Modbus/TCP Coil Access

Start at register

End at register

These options are available for commercial users. This drop-down menu item is dynamically generated by the SCADA plugins available with the commercial version of Nessus. Modbus uses a function code of 1 to read “coils” in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a “write coil” message. The defaults for this are “0” for the “Start reg” and “16” for the “End reg”.

ICCP/COTP TSAP Addressing Weakness

Start COTP TSAP

Stop COTP TSAP

The “ICCP/COTP TSAP Addressing” menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values. The start and stop values are set to “8” by default.

Values for Web Applications Options

The “Web Applications” screen directs the scanner on how it tests for certain information against web server applications during the scan. The following values are available for the “Web Application” option when the “Scan web applications” option is enabled:

Value Description

Web Application Settings

Scan web applications

Enables the General Settings, Web Crawler, and Application Test Settings sections.

General Settings

Use a custom User-Agent

Specifies which type of web browser Nessus will impersonate while scanning.

Web Crawler

Start crawling from

The URL of the first page that will be tested. If multiple pages are required, use a colon delimiter to separate them (e.g., “/:/php4:/base”).

Excluded pages (regex)

Enable exclusion of portions of the web site from being crawled. For example, to exclude the “/manual” directory and all Perl CGI, set this field to: (^/manual)|(\.pl(\?.*)?$). Nessus supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).
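The exclusion regex quoted above has two anchored alternatives, and the anchors decide more than is obvious at a glance: “^/manual” only excludes paths that begin with /manual, and “\.pl(\?.*)?$” only excludes paths that end in .pl or in .pl followed by a query string. The script below is an added example, not Nessus code, that applies that exact pattern to a constructed crawl queue so the effect of each anchor can be checked before a scan runs; the sample paths are constructed for the illustration.

```python
import re

# Added example, not Nessus code: apply the "Excluded pages (regex)" value
# quoted above to a constructed crawl queue and see what the crawler skips.

EXCLUDE_PATTERN = r"(^/manual)|(\.pl(\?.*)?$)"


def is_excluded(path: str, pattern: str = EXCLUDE_PATTERN) -> bool:
    """True if the crawl path matches the exclusion regex.

    re.search rather than re.match is used so that only the pattern's own
    anchors (^ and $) constrain where it may match, which is how the
    POSIX/PCRE matching described above behaves.
    """
    return re.search(pattern, path) is not None


def partition_crawl_queue(paths, pattern=EXCLUDE_PATTERN):
    """Split a list of paths into (to_crawl, skipped) according to the regex."""
    to_crawl, skipped = [], []
    for path in paths:
        (skipped if is_excluded(path, pattern) else to_crawl).append(path)
    return to_crawl, skipped


SAMPLE_QUEUE = [  # constructed paths
    "/index.html",
    "/manual/index.html",         # excluded: path starts with /manual
    "/docs/manual/intro.html",    # crawled: ^/manual is anchored to the start
    "/cgi-bin/search.pl",         # excluded: Perl CGI
    "/cgi-bin/search.pl?q=test",  # excluded: Perl CGI with a query string
    "/cgi-bin/search.plx",        # crawled: .pl must end the path
    "/files/report.pl.bak",       # crawled: same reason
]

if __name__ == "__main__":
    to_crawl, skipped = partition_crawl_queue(SAMPLE_QUEUE)
    print("crawl:", to_crawl)
    print("skip: ", skipped)
```

If the intent is to exclude a manual directory wherever it appears, the leading anchor has to go (for example “/manual/” instead of “^/manual”); the example makes that difference visible on /docs/manual/intro.html.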

Maximum pages to crawl

The maximum number of pages to crawl.

Maximum depth to crawl

Limit the number of links Nessus will follow for each start page.

Follow dynamic pages

If selected, Nessus will follow dynamic links and may exceed the parameters set above.

Application Test Settings

Enable generic web application tests

Enables the options listed below.

Abort web application tests if HTTP login fails

If Nessus cannot log in to the target via HTTP, then do not run any web application tests.

Try all HTTP Methods

This option instructs Nessus to also use POST requests for enhanced web form testing. By default, the web application tests only use GET requests unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. When selected, Nessus will test each script/variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.

Attempt HTTP Parameter Pollution

When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while supplying the same variable with valid content as well. For example, a normal SQL injection test may look like “/target.cgi?a='&b=2”. With HTTP Parameter Pollution (HPP) enabled, the request may look like “/target.cgi?a='&a=1&b=2”.

Test embedded web servers

Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.

Test more than one parameter at a time per form

This option manages the combination of argument values used in the HTTP requests. The default, when this option is left unchecked, is the “One value” behavior described below. The drop-down has five options:

One value - This tests one parameter at a time with an attack string, without trying “non-attack” variations for additional parameters. For example, Nessus would attempt “/test.php?arg1=XSS&b=1&c=1” where “b” and “c” allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.

Some pairs – This form of testing randomly checks a selection of parameter pairs. This is the fastest way to test multiple parameters.

All pairs (slower but efficient) – This form of testing is slightly slower but more efficient than the “one value” test. While testing multiple parameters, it will test an attack string, variations for a single variable and then use the first value for all other variables. For example, Nessus would attempt “/test.php?a=XSS&b=1&c=1&d=1” and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Nessus would never test for “/test.php?a=XSS&b=3&c=3&d=3” when the first value of each variable is “1”.

Some combinations – This form of testing randomly checks combinations of three or more parameters. This is more thorough than testing only pairs of parameters. Note that increasing the combinations to three or more parameters increases the web application test time.

All combinations (extremely slow) – This method of testing will do a fully exhaustive test of all possible combinations of attack strings with valid input to variables. Where “All-pairs” testing seeks to create a smaller data set as a tradeoff for speed, “all combinations” makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.

Do not stop after the first flaw is found per web page

This option determines when a new flaw is targeted. This applies at the script level; finding an XSS flaw will not disable searching for SQL injection or header injection, but you will have at most one report for each type on a given port, unless “thorough tests” is set. Note that several flaws of the same type (e.g., XSS, SQLi, etc.) may be reported sometimes, if they were caught by the same attack. The drop-down has four options:

Per CGI – As soon as a flaw is found on a CGI by a script, Nessus switches to the next known CGI on the same server, or if there is no other CGI, to the next port/server. This is the default option.

Per port (quicker) – As soon as a flaw is found on a web server by a script, Nessus stops and switches to another web server on a different port.

Per parameter (slow) – As soon as one type of flaw is found in a parameter of a CGI (e.g., XSS), Nessus switches to the next parameter of the same CGI, or the next known CGI, or to the next port/server.

Look for all flaws (slower) – Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.

URL for Remote File Inclusion

During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Nessus will use a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing.

Maximum run time (minutes)

This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given web site. Scanning the local network for web sites with small applications will typically complete in under an hour; however, web sites with large applications may require a higher value.

Values for Windows Scan Options

The “Windows” option controls basic Windows SMB domain options:

Option Description
General Setting

Request information about the SMB Domain

If the “Request information about the SMB Domain” option is set, then domain users will be queried instead of local users.

Enumerate Domain User

Start UID

1000

End UID

1200

Enumerate Local User

Start UID

1000

End UID

1200

Settings/Assessment/Malware

The malware feature provides options for DNS Resolution, hash, and whitelist files.

General Settings

Disable DNS Resolution

Checking this option will prevent Nessus from using the cloud to compare scan findings against known malware.

Hash and Whitelist Files

Provide your own list of known bad MD5 hashes

Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line.

It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash the description will show up in the scan results.

Provide your own list of known good MD5 hashes

Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line.

It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description will show up in the scan results.
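Both the known-bad and known-good uploads above share one format: one MD5 per line, with an optional comma and free-text description after the hash. The parser below is an added example, not Nessus or SecurityCenter code, covering both lists. It validates each digest (a typo in a 32-character hex string would otherwise silently drop an indicator), keeps descriptions that themselves contain commas by splitting only on the first comma, and then applies both lists to a constructed set of file hashes. The precedence it uses, that a known-good entry suppresses a known-bad match, is an assumption for the illustration; the page does not state how the two lists interact. All digests and paths in the sample are constructed placeholders, not real indicators.

```python
import re

# Added example, not Nessus/SecurityCenter code: parse the hash list upload
# format described above (one MD5 per line, optional ",description") and
# apply a known-bad and a known-good list to constructed findings.

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_hash_list(text: str) -> dict[str, str]:
    """Return {md5: description} from the upload format.

    Each non-blank line is either "<md5>" or "<md5>,<description>".  Only
    the first comma separates the fields, so descriptions may contain commas.
    A malformed digest raises ValueError instead of being skipped, since a
    silently dropped line would weaken the list without any warning.
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        digest, _, description = line.partition(",")
        digest = digest.strip().lower()
        if not _MD5_RE.match(digest):
            raise ValueError(f"line {lineno}: not a 32-hex-digit MD5: {digest!r}")
        entries[digest] = description.strip()
    return entries


def classify_findings(findings: dict[str, str], known_bad: dict[str, str],
                      known_good: dict[str, str]) -> list[tuple[str, str, str]]:
    """findings maps file path -> MD5.  Returns (path, verdict, description).

    Assumption (not stated on the page): a known-good entry takes precedence
    over a known-bad entry for the same digest.
    """
    results = []
    for path, md5 in findings.items():
        md5 = md5.lower()
        if md5 in known_good:
            results.append((path, "known-good", known_good[md5]))
        elif md5 in known_bad:
            results.append((path, "known-bad", known_bad[md5]))
        else:
            results.append((path, "no-match", ""))
    return results


# Constructed sample lists; every digest is a placeholder, not a real indicator.
BAD_LIST = """\
0123456789abcdef0123456789abcdef,constructed dropper sample
FEDCBA9876543210FEDCBA9876543210

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,constructed beacon, variant b
"""
GOOD_LIST = "11111111111111111111111111111111,internal admin tool\n"

SAMPLE_FINDINGS = {  # constructed path -> MD5 pairs
    r"C:\Users\Public\update.exe": "0123456789ABCDEF0123456789ABCDEF",
    r"C:\Tools\admin.exe": "11111111111111111111111111111111",
    r"C:\Windows\notepad.exe": "22222222222222222222222222222222",
}

if __name__ == "__main__":
    bad, good = parse_hash_list(BAD_LIST), parse_hash_list(GOOD_LIST)
    for row in classify_findings(SAMPLE_FINDINGS, bad, good):
        print(row)
```

Digests are lower-cased on both sides before comparison, so a list typed in upper-case hex still matches findings reported in lower-case.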

Hosts file whitelist

Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910, “Compromised Windows System (hosts File Check)”). This option allows you to upload a file containing a list of hostnames that will be ignored by Nessus during a scan. Include one hostname per line in a regular text file.

File System Scanning

The scan file system option allows users to scan system directories and files on host computers.

File System Scanning
Scan File System

Turning on this option allows you to scan system directories and files on host computers.

Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

Directories

Scan %Systemroot%

Enable file system scanning to scan %Systemroot%

Scan %ProgramFiles%

Enable file system scanning to scan %ProgramFiles%

Scan %ProgramFiles(x86)%

Enable file system scanning to scan %ProgramFiles(x86)%

Scan %ProgramData%

Enable file system scanning to scan %ProgramData%

Scan User Profiles

Enable file system scanning to scan user profiles

Custom Filescan Directories

Add File

Add a custom file that lists directories for malware file scanning. List each directory on its own line.

Root directories such as 'C:\' or 'D:\' are not accepted.

Values for Scan Report Options

The “Report” options control information that is included in the scan’s report:

Option Description

Processing

Report Verbosity

Determines the verbosity of the detail in the output of the scan results: Normal, Quiet, or Verbose.

Show missing patches that have been superseded

If enabled, show patches in the report that have not been applied but have been superseded by a newer patch.

Hide results from plugins initiated as a dependency

If enabled, hide the results of a plugin that ran only because it is a dependency of a selected plugin.

Output

Designate hosts by their DNS name

When possible, designate hosts by their DNS name rather than IP address in the reports.

Display hosts that respond to ping

When enabled, show a list of hosts that responded to pings sent as part of the scan.

Display unreachable hosts

If enabled, display a list of hosts within the scan range that could not be reached during the scan.

Generate SCAP XML Results

Generate a SCAP XML results file as a part of the report output for the scan.

Values for Authentication Options

The “Authentication” option controls authentication options during a scan:

Option Description

Authentication

When added, authentication methods may be used to login to the scan target machines to gather more complete results of the host’s status. The authentication types include host, database, miscellaneous, plaintext authentication, and patch management. For each type, various relevant options are presented such as SNMPv3, MongoDB, VMWare APIs, and similar.

SNMP

UDP Port

This is the UDP port that will be used when performing certain SNMP scans. Up to four different ports may be configured, with the default port being 161.

SSH

known_hosts file

If an SSH known_hosts file is provided for the scan policy in the “known_hosts file” field, Nessus will only attempt to log in to hosts defined in this file. This helps to ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a login to a system that may not be under your control.

Preferred port

This option is set to direct the scan to connect to a specific port if SSH is known to be listening on a port other than the default of 22.

Client Version

Specifies which type of SSH client to impersonate while performing scans.

Windows

Never send credentials in the clear

By default, Windows credentials are not sent to the target host in the clear.

Do not use NTLMv1 authentication

If the “Do not use NTLMv1 authentication” option is disabled, then it is theoretically possible to trick Nessus into attempting to log in to a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with a “hash” obtained from Nessus. This “hash” can potentially be cracked to reveal a username or password, and it may also be used to log in directly to other servers.

Because NTLMv1 is an insecure protocol, this option is enabled by default.

Start the Remote Registry service during the scan

This option tells Nessus to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Nessus to execute some Windows local check plugins.

Enable administrative shares during the scan

This option will allow Nessus to access certain registry entries that can be read with administrator privileges.

Plaintext Authentication

Perform patch audits over telnet

When enabled, patch audits are permitted over a telnet connection. Telnet is a cleartext protocol: usernames and passwords travel unencrypted and can be intercepted, so this option is disabled by default.

Perform patch audits over rsh

When enabled, patch audits are permitted over an rsh connection. rsh is a cleartext protocol: usernames and passwords travel unencrypted and can be intercepted, so this option is disabled by default.

Perform patch audits over rexec

When enabled, patch audits are permitted over a rexec connection. rexec is a cleartext protocol: usernames and passwords travel unencrypted and can be intercepted, so this option is disabled by default.

HTTP

Login method

Specifies whether the login action is performed with a GET or a POST request.

Re-authenticate delay (seconds)

The delay between authentication attempts. This is useful to avoid triggering brute-force lockout mechanisms.

Follow 30x redirections (# of levels)

If a 30x redirect code is received from the web server, this setting determines whether Nessus follows the link provided, and how many levels of redirection it will follow before giving up.

Invert authenticated regex

A regex pattern to look for on the login page, that if found, tells Nessus authentication was not successful (e.g., “Authentication failed!”).

Use authenticated regex on HTTP headers

Rather than search the body of a response, Nessus can search the HTTP response headers for a given regex pattern to better determine authentication state.

Case insensitive authenticated regex

The regex searches are case sensitive by default. This instructs Nessus to ignore case.
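The HTTP options above together define one decision procedure: submit the login with GET or POST, follow at most N redirects, then search either the body or the headers for a regex, possibly case-insensitively, and either take a match as proof of success or (inverted) as proof of failure. The following Python is an added example written for this page, not Nessus code; it models that procedure against a constructed fake web application (the `example.test` URLs, the responses and the session cookie are all invented) so the interaction between the settings can be seen offline. The re-authenticate delay is a plain sleep between attempts and is not modelled.

```python
import re
from typing import Callable, Dict, Tuple

# A response is (status, headers, body). The table below is a constructed stand-in for a real
# web application, keyed by (method, url).
Response = Tuple[int, Dict[str, str], str]
Fetch = Callable[[str, str], Response]

LOGIN = "https://app.example.test/login"
SAMPLE_SITE: Dict[Tuple[str, str], Response] = {
    ("GET", LOGIN): (200, {}, "<form>Please sign in</form>"),
    ("POST", LOGIN): (302, {"Location": "https://app.example.test/landing"}, ""),
    ("GET", "https://app.example.test/landing"): (302, {"Location": "https://app.example.test/dashboard"}, ""),
    ("GET", "https://app.example.test/dashboard"): (200, {"Set-Cookie": "session=c0ffee; HttpOnly"},
                                                    "<h1>Welcome back, auditor</h1>"),
    ("POST", "https://app.example.test/login-bad"): (200, {}, "<p>Authentication Failed!</p>"),
}


def fetch_sample(method: str, url: str) -> Response:
    return SAMPLE_SITE[(method, url)]


def follow_redirects(fetch: Fetch, method: str, url: str, max_levels: int) -> Response:
    """Issue the login request, then follow at most max_levels 30x redirects (each with GET).
    max_levels=0 means the 30x response itself is what gets examined."""
    resp = fetch(method, url)
    level = 0
    while 300 <= resp[0] < 400 and "Location" in resp[1] and level < max_levels:
        resp = fetch("GET", resp[1]["Location"])
        level += 1
    return resp


def authenticated(resp: Response, pattern: str, invert: bool = False,
                  on_headers: bool = False, ignore_case: bool = False) -> bool:
    """Decide authentication state from the final response using the policy's regex options."""
    status, headers, body = resp
    haystack = "\r\n".join("%s: %s" % kv for kv in headers.items()) if on_headers else body
    found = re.search(pattern, haystack, re.IGNORECASE if ignore_case else 0) is not None
    # Normal mode: the pattern is evidence of success. Inverted: the pattern is evidence of failure.
    return (not found) if invert else found


def login_check(fetch: Fetch, method: str, url: str, max_levels: int, pattern: str,
                invert: bool = False, on_headers: bool = False, ignore_case: bool = False) -> bool:
    return authenticated(follow_redirects(fetch, method, url, max_levels),
                         pattern, invert, on_headers, ignore_case)


if __name__ == "__main__":
    print("POST, 2 levels, body regex :", login_check(fetch_sample, "POST", LOGIN, 2, r"Welcome back"))
    print("POST, 1 level, body regex  :", login_check(fetch_sample, "POST", LOGIN, 1, r"Welcome back"))
    print("GET, 2 levels, body regex  :", login_check(fetch_sample, "GET", LOGIN, 2, r"Welcome back"))
```

Two of the cases are the ones that bite in practice. With the redirect depth set to 1, the check stops on the second 302 (empty body) and reports the credentials as not working even though they are fine, so set the depth to cover the whole post-login chain. With an inverted regex such as `authentication failed`, leaving case sensitivity at the default against a page that says “Authentication Failed!” means the failure text is never matched, and the inverted check then reports success: a false positive that yields an “authenticated” scan with no real access.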

 

Compliance

The “Compliance” section allows compliance audit files to be added to the scan. Once an audit file type (such as Unix or Windows File Content) is selected from the first drop-down, the audit files available for that type are listed in the second drop-down. The list may be searched by typing in the field or by scrolling through the available names. Hovering over a name reveals an information icon; hovering over that icon displays the name, description, and type of the audit file. Selecting the check mark to the right adds the chosen audit file to the policy, and clicking the X removes it.

Once an audit file is part of a policy, hovering over it reveals icons to edit it (select a different compliance file) or delete it.

Plugins

The “Plugins” tab gives the user the option to customize which plugins are used during the policy’s Nessus scan.

On each page of plugins there is a “Show Enabled” link that will show only the enabled plugins or families with one or more plugins enabled. The “Show All” link shows all of the plugins or families no matter if they are enabled or not. The “Enable All” link will enable all of the available plugins in the family while the “Disable All” link will disable all of the plugins.

The “Select Filter” drop-down provides a list of attributes by which plugins can be filtered, including Name, CVE ID, MS Bulletin ID, Plugin ID, and others. These filters are available on both the plugin families page and the family plugin list page. Selecting an attribute displays either a drop-down of options or a text entry box for the search term. The “Apply” button applies the criteria to the list, and the “Clear” button clears the search parameters.

Clicking the status next to a plugin family allows you to enable or disable the entire family. The rectangles next to the name of the Families will show green and read Enabled when all of the plugins for that family are enabled, will show blue and read Mixed when some of the plugins for that family are enabled, and will show red and read Disabled when none of the plugins are enabled for the family. Additionally, the number in the status column indicates the total number of enabled plugins for the family.

Clicking the name of a plugin family will display a list of that family’s plugins.

The displayed list of plugins will show the status of the individual plugin, the plugin name, and plugin ID. To the right of the plugin ID is an information icon. When the information icon is clicked, the Plugin Details will be displayed and provide more information about the vulnerability being examined. Scrolling down in the “Plugin Details” pane will also show solution information, additional references if available, the CVSSv2 score that provides a basic risk rating (as applicable), and other information provided by the plugin.

When a plugin family is selected, its name appears in a drop-down box. Selecting this drop-down box will display a list of all the available plugin families. Selecting one of these will change the list of vulnerabilities to display that family’s plugins. Clicking the “Back” link next to the drop-down list will return to the list of plugin families.

When a policy is created and saved, it records all of the plugins that are initially selected. When new plugins are received via a plugin feed update, they will automatically be enabled if the family they are associated with is enabled. If the family has been disabled or partially enabled, new plugins in that family will automatically be disabled as well.
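The feed-update rule above has an operational consequence that is easy to miss: disabling a single plugin turns its family Mixed, and from then on every new plugin the feed adds to that family arrives disabled in the saved policy. The following Python is an added example written for this page, not Nessus code, and the plugin IDs are constructed; it models the family status shown in the policy editor and what a feed update does to it, so a policy can be checked for families that are silently falling behind.

```python
from typing import Iterable, List, Set


class PluginFamily:
    """Enabled/Mixed/Disabled state of one plugin family inside a saved policy."""

    def __init__(self, name: str, plugin_ids: Iterable[int], enabled_ids: Iterable[int]) -> None:
        self.name = name
        self.plugins: Set[int] = set(plugin_ids)
        self.enabled: Set[int] = set(enabled_ids) & self.plugins

    def status(self) -> str:
        # Mirrors the status rectangle: green Enabled, blue Mixed, red Disabled.
        if not self.enabled:
            return "Disabled"
        return "Enabled" if self.enabled == self.plugins else "Mixed"

    def enabled_count(self) -> int:
        return len(self.enabled)

    def apply_feed_update(self, new_plugin_ids: Iterable[int]) -> Set[int]:
        """Add plugins delivered by a feed update. They are enabled only when the family is fully
        enabled; a Mixed or Disabled family leaves them off. Returns the ids that stayed disabled."""
        enable_new = self.status() == "Enabled"
        left_disabled: Set[int] = set()
        for pid in new_plugin_ids:
            self.plugins.add(pid)
            if enable_new:
                self.enabled.add(pid)
            else:
                left_disabled.add(pid)
        return left_disabled


def families_not_tracking_feed(families: Iterable[PluginFamily]) -> List[str]:
    """Names of families whose new plugins will not be enabled automatically (Mixed or Disabled)."""
    return [f.name for f in families if f.status() != "Enabled"]


if __name__ == "__main__":
    # Constructed plugin IDs: the one-plugin exception below is what turns the family Mixed.
    windows = PluginFamily("Windows", [10001, 10002, 10003], [10001, 10002, 10003])
    local = PluginFamily("Windows : Local Security Checks", [20001, 20002, 20003], [20001, 20002])
    for fam in (windows, local):
        skipped = fam.apply_feed_update([fam.enabled_count() + 90000, fam.enabled_count() + 90001])
        print("%s: %s (%d enabled), new plugins left disabled: %s" %
              (fam.name, fam.status(), fam.enabled_count(), sorted(skipped)))
    print("review these families after each feed update:", families_not_tracking_feed([windows, local]))
```

If you need to exclude one plugin from an otherwise enabled family, consider whether doing so is worth losing automatic coverage of that family's future plugins; the check above lists the families where that trade-off is already in effect.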

Caution: The “Denial of Service” family contains some plugins that could cause outages on network hosts if the “Safe Checks” option is not enabled, but does contain some useful checks that will not cause any harm. The “Denial of Service” family can be used in conjunction with “Safe Checks” to ensure that any potentially dangerous plugins are not run. However, it is recommended that the “Denial of Service” family not be used on a production network.

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.