Nessus Training Session 1 - Installation, Configuration, and Maintenance

Prepared by Ramsey Dow for NWACC

Contents

Prerequisites for Nessus Installation
    Nessus Software
    Activation Code
    Scan server

Installation
    Ubuntu Server 13.04
    Windows Server 2012 R2

Maintenance and Troubleshooting
    Verifying that Nessus is running
    Starting, stopping and restarting the Nessus daemon
    Checking your plugin feed
    Updating your plugin feed
    Managing users from the command line
    Updating your shell environment for Nessus
    Refreshing Tenable policy templates
    Upgrading Nessus
    Uninstalling Nessus

Useful Web Sites and Resources
    Nessus Vulnerability Scanner
    Other Security Tools
    National Vulnerability Database
    Vendor Resources

Prerequisites for Nessus Installation

Note: The Useful Web Sites and Resources section at the end of this handout lists all of the important URIs referenced herein. Please keep that section handy as you work through these instructions.

Nessus Software

First, you must acquire the software. Download the correct distribution package from Tenable’s Nessus download page.

1. Browse to http://www.tenable.com/products/nessus/select-your-operating-system
2. Right click to expand the operating system of your choice
3. Download the appropriate package (typically 64-bit in this day and age)
4. Click on the Agree button to initiate the download

Be sure to confirm the integrity of the installation package by comparing the downloaded file’s MD5 checksum with the one listed in the MD5.asc file.

1. Download https://static.tenable.com/marketing/MD5.asc
2. Verify the hash of the file you downloaded against the one in the MD5.asc file

I tend to use md5deep, a freely available cryptographic hashing utility. (Don’t let the name fool you, it does SHA-256, too.)

md5deep -m MD5.asc * 2>/dev/null

The -m switch invokes matching mode, which prints the full pathname of every file with a matching hash in the match file, MD5.asc.

It should go without saying, but do not use files that fail this integrity check.
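As an added example (my own script, not part of the handout and not md5deep itself), here is the same matching-mode check written as a shell function, so it can sit in a provisioning script and refuse a package whose hash is missing from the list or disagrees with it. It assumes a list in the `hash  filename` layout that md5deep -m and md5sum -c both read, and that either GNU md5sum or BSD md5 is on the PATH; the packages and list it checks are constructed on the fly, not real downloads.

```shell
#!/bin/sh
# Added example (not from the handout): check a downloaded Nessus package
# against a checksum list in "hash  filename" form, the layout md5deep -m and
# md5sum -c both read. Assumes GNU md5sum or BSD md5 is on the PATH.

# Print the MD5 of a file, whichever hashing tool the platform provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# verify_package FILE LISTFILE
# Exit status: 0 = hash matches, 1 = hash mismatch, 2 = no entry for FILE.
verify_package() {
    file="$1"
    list="$2"
    base=$(basename "$file")
    # Look the file name up in the list; tolower() so the case of the hex
    # digits never produces a false mismatch.
    expected=$(awk -v f="$base" '$2 == f { print tolower($1); exit }' "$list")
    if [ -z "$expected" ]; then
        echo "$base: no entry in $list, refusing to trust it" >&2
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "$base: OK"
        return 0
    fi
    echo "$base: MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demo data: two fake "packages" and a list that only vouches for
# the genuine one. The MD5 of the text "hello\n" is the well-known value
# b1946ac92492d2347c6235b4d2611184; the second file differs by one byte.
DEMO_DIR=$(mktemp -d)
printf 'hello\n' > "$DEMO_DIR/Nessus-demo_amd64.deb"
printf 'hellp\n' > "$DEMO_DIR/Nessus-tampered_amd64.deb"
cat > "$DEMO_DIR/MD5.asc" <<'EOF'
b1946ac92492d2347c6235b4d2611184  Nessus-demo_amd64.deb
b1946ac92492d2347c6235b4d2611184  Nessus-tampered_amd64.deb
EOF

verify_package "$DEMO_DIR/Nessus-demo_amd64.deb" "$DEMO_DIR/MD5.asc"
verify_package "$DEMO_DIR/Nessus-tampered_amd64.deb" "$DEMO_DIR/MD5.asc" || true
verify_package "$DEMO_DIR/Nessus-unknown_amd64.deb" "$DEMO_DIR/MD5.asc" || true
```

A checksum fetched from the same site over the same channel as the package catches a corrupted download, not a substituted one; treat the MD5 match as a transport check, and where the vendor signs the list (the .asc extension indicates an ASCII-armored signature) verify that signature as well before trusting the hashes in it.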

Here we can see that the Ubuntu version I downloaded is OK:

~/Downloads $ md5deep -m MD5.asc * 2>/dev/null
/Users/ramsey/Downloads/Nessus-5.2.3-ubuntu1110_amd64.deb

Activation Code

You need to have an Activation Code handy. Recently, scanner activation has been made an integral part of the installation process. If you don’t have an Activation Code then you won’t be able to complete the installation process.

If you have a ProfessionalFeed then you will have received this code in an email from Tenable. You can also get it from the Tenable Support Center.

If you are just experimenting you can install Nessus Home instead of the commercial version. You can pick up an Activation Code from the Nessus Home page.

A brief word is in order about Nessus Home. It is similar to the commercial version of Nessus, but is definitely missing some plugins. Notably absent are the SCADA plugins and the robust compliance checking system. In addition, Nessus Home can only scan 16 IPs at a time. Recently, Nessus Home scans have started complaining when scanning non-RFC 1918 address space. Complaints aside, Nessus still scans these addresses.

Scan server

Nessus can be installed on a wide variety of contemporary operating systems, including FreeBSD, Solaris, several flavors of Linux, and Windows. For this training we will be installing Nessus on both Ubuntu Server 13.04 and Windows Server 2012 R2.

Nessus is a Linux application and it runs best on Linux. Lots of people run Nessus on Windows, however, so we will take a look at that as well. Because of its heritage, Nessus operates better on Linux, especially when scanning large networks (e.g., 10,000+ hosts). I definitely recommend running the Nessus server on Linux.

A Nessus scan server should be configured with a minimum of 2 GiB of RAM. If you plan to scan large numbers of hosts then 4 GiB would be better.

Nessus stores data from past scans. You can delete historical scan data, but keeping it on the server allows you to browse it, filter on it, modify results, and produce differential reports. I recommend configuring your Nessus scan server with about 64 GB of disk.

Nessus runs fine in a VM. Just make sure that its network adapter is bridged or problems will ensue. Finally, Tenable recommends against running a host-resident firewall on your Nessus server. It is certainly possible, but might cause problems. I run a kernel-resident packet filter on Casaba’s Internet-facing Nessus scanner and we have no problems.

Installation

Ubuntu Server 13.04

These instructions detail how to install Nessus on Ubuntu Linux. The installation process is slightly different with each supported operating system. The Nessus 5.2 Installation and Configuration Guide has detailed instructions for each supported platform.

These instructions assume a fresh Nessus install. Refer to Upgrading Nessus in the Maintenance and Troubleshooting section, below, for details on performing an upgrade installation.

Make sure that you have satisfied all of the requirements:

1. You have the right Nessus distribution package
2. You have the right kind of Activation Code
3. You have a properly configured server on which to deploy Nessus

Now you need to get the software on to your server. I use scp:

scp Nessus-5.2.3-ubuntu1110_amd64.deb [email protected]:.

Finally, login to the server and install Nessus as root.

sudo dpkg -i Nessus-5.2.3-ubuntu1110_amd64.deb

Wait for Nessus to finish installing itself. Eventually you will receive a notice to browse to https://localhost:8834/ to complete the installation. (Actually, it will refer to the hostname, but localhost will work fine.)

Browse to https://localhost:8834/ and follow the instructions.

First you will be prompted to enter the name and password for the Nessus administrator. On the next screen you will have to enter your Activation Code.

After your scanner instance has been successfully activated it will begin to download the latest plugin set from Tenable’s plugin distribution servers. There are over 50,000 plugins, so the installation may take ten minutes or so to run to completion.

Eventually you will be presented with the Nessus login screen.

Windows Server 2012 R2

These instructions detail how to install Nessus on Windows Server 2012 R2.

These instructions assume a fresh Nessus install. Refer to Upgrading Nessus in the Maintenance and Troubleshooting section, below, for details on performing an upgrade installation.

Make sure that you have satisfied all of the requirements:

1. You have the right Nessus distribution package
2. You have the right kind of Activation Code
3. You have a properly configured server on which to deploy Nessus

A couple of additional notes apply to Windows installations.

First, antivirus and antimalware software might flag Nessus as hostile. If that happens, temporarily disable protections for the duration of the installation.

Second, you need to disable IE Enhanced Security Configuration for administrators for the duration of the installation. This step is required because part of the Nessus installation process is browser-driven. Failure to disable IE Enhanced Security Configuration for the Administrator user will prevent the installation from succeeding.

1. Run Server Manager
2. Click on Local Server
3. IE Enhanced Security Configuration is currently set to On; click on On
4. Disable it for Administrators
5. Click the OK button

You can safely re-enable IE Enhanced Security Configuration for administrators after the browser-based portion of the installation has run to completion (i.e., when the login screen first appears).

The actual installation process follows and is straightforward.

1. Double-click the Nessus-5.2.3-x64.msi installer package
2. Click the Next > button
3. Accept the license agreement and click the Next > button
4. Accept the default installation location and click the Next > button
5. Confirm the installation by clicking the Install button
6. Click the Yes button when asked to elevate privileges
7. Opt to install custom NDIS layer drivers if asked
8. Click the Finish button when the install completes

Note that you will only be asked to install NDIS layer drivers once. If you uninstall and then reinstall Nessus you won’t be asked again. Unfortunately, this is the case with the video, so we aren’t prompted as to whether we want to allow NDIS driver installation. When you perform your install you will be asked. Respond affirmatively. This driver is required for low-level packet manipulation.

After the installer is dismissed, IE will attempt to load http://localhost:8834/. You will be prompted to connect via SSL instead. Click on the supplied link.

WARNING: If you navigate away from the installation sequence before you specify the Nessus administrator’s user name and password then your installation will be broken. In such a case the fastest way to rectify things is to uninstall and then reinstall Nessus.

IE will warn you that the site’s certificate is self-signed. Click the Continue to this website (not recommended) link.

Click the Get started > button

Enter a user name and password for your Nessus administrator user. I tend to use my name, but you can name the account anything you want. Click the Next > button when you are ready to proceed.

Now you will be prompted to enter your Activation Code. Clicking the Next > button will trigger an outbound connection to Tenable activation servers. Click the Optional Proxy Settings button if you need to specify a web proxy. Click the Next > button when ready. Once your scanner instance is activated you will need to click the Next: Download plugins < button. There are over 50,000 plugins, so the download will take about 10 minutes or so on a reasonable network.

Once all plugins have been downloaded the browser will refresh to the scanner’s login page. Login with the username and password you entered earlier.

You can re-enable IE Enhanced Security Configuration once the installation process has completed. You can administer the interface via HTTPS from a client workstation.

Punch a hole in Windows Firewall to allow browser sessions to Nessus

If you are running Windows Firewall, you will need to punch a hole for port 8834 so that clients will be able to connect.

1. Select Start > Control Panel
2. Double-click on Windows Firewall
3. Click on Advanced settings
4. Click on Inbound rules in the pane to the left
5. Click on New Rule… in the pane to the right
6. Click on the Port radio button
7. Click the Next > button to continue
8. Ensure the TCP and Specific local ports radio buttons are selected
9. Enter 8834 as the port
10. Click the Next > button to continue
11. Ensure the Allow the connection radio button is selected
12. Click the Next > button to continue
13. Apply the rule to the appropriate environments (I’m using the default for this class)
14. Click the Next > button to continue
15. Name the rule Nessus
16. Provide a description if so desired
17. Click the Finish button to continue

Now you should be able to connect to your Windows Nessus scan server by browsing to http://address:8834/.

Maintenance and Troubleshooting

In general, most Nessus commands require root privileges to execute. You can su to root or run the commands through sudo. I tend to be a heavy sudo user, but that’s not the only way.

Verifying that Nessus is running

On any platform you can check the process table to see if Nessus is running. On Ubuntu, I type:

ps auxwg | grep nessus

On Windows I tend to use the Get-Process cmdlet from Powershell:

Get-Process -Name Nessus*

Starting, stopping and restarting the Nessus daemon

Start the Nessus daemon with the following command:

sudo /opt/nessus/sbin/nessus-service -D

You can suppress output by passing the -q switch to the command.

Alternately, you can use Linux’s facility for controlling daemons:

sudo /etc/init.d/nessusd start

You can also use Ubuntu’s Upstart facility to control the daemon:

sudo service nessusd start

You can pass stop and restart to both the /etc/init.d/nessusd and service nessusd commands as well.

I tend to use the service nessusd command the most in my day-to-day operations.

In case of emergency, you can stop the Nessus daemon and abruptly halt all running scans by executing the following command:

sudo killall nessus

You can start and stop the Nessus service from the Command Prompt on Windows as well. You need administrator privileges to do this, so be sure to right click on Command Prompt and select Run as administrator.

net stop "Tenable Nessus"
net start "Tenable Nessus"

Checking your plugin feed

Sometimes you want to verify that your plugin feed is working fine according to Nessus. Simply login to your Nessus scan server and run the following command:

sudo /opt/nessus/bin/nessus-fetch --check

You can obtain additional information about your feed by looking at the plugin_feed_info.inc file.

cat /opt/nessus/lib/nessus/plugins/plugin_feed_info.inc

You should be able to cat this file as a normal user. For example, you might see:

PLUGIN_SET = "201310062215";
PLUGIN_FEED = "ProfessionalFeed (Direct)";

Updating your plugin feed

You can easily update your plugin feed from the command line:

sudo /opt/nessus/sbin/nessus-update-plugins
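Tying the two previous subsections together, here is an added example (my own script, not part of the handout or of Nessus) that reads plugin_feed_info.inc, works out how many days old the installed plugin set is, and reports whether nessus-update-plugins is overdue, the kind of check a cron job can run on a scanner that is supposed to be updating itself. It assumes the file carries a PLUGIN_SET = "YYYYMMDDHHMM"; line of the form shown above; the sample file it parses is constructed from that output rather than read from a live scanner.

```shell
#!/bin/sh
# Added example (not from the handout): parse plugin_feed_info.inc and report
# how old the installed plugin set is, so an admin or a cron job can tell
# whether nessus-update-plugins is overdue. Assumes the file carries a line
# PLUGIN_SET = "YYYYMMDDHHMM"; as shown in the handout.

FEED_INFO=${FEED_INFO:-/opt/nessus/lib/nessus/plugins/plugin_feed_info.inc}

# feed_value NAME FILE: print the quoted value assigned to NAME in the file.
feed_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# jdn YYYYMMDD: Julian day number, so day differences are plain integer
# subtraction and no GNU date extensions are needed.
jdn() {
    printf '%s\n' "$1" | awk '{
        Y = substr($0, 1, 4) + 0; M = substr($0, 5, 2) + 0; D = substr($0, 7, 2) + 0
        a = int((14 - M) / 12); y = Y + 4800 - a; m = M + 12 * a - 3
        print D + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045
    }'
}

# plugin_age_days FILE TODAY_YYYYMMDD: whole days between the plugin set's
# date and TODAY. Prints the number; returns 1 if the file has no PLUGIN_SET.
plugin_age_days() {
    set_id=$(feed_value PLUGIN_SET "$1")
    [ -n "$set_id" ] || { echo "no PLUGIN_SET in $1" >&2; return 1; }
    echo $(( $(jdn "$2") - $(jdn "$(printf '%s' "$set_id" | cut -c1-8)") ))
}

# feed_is_stale FILE TODAY_YYYYMMDD MAX_DAYS: returns 0 when the plugin set
# is older than MAX_DAYS, 1 when it is fresh, 2 when the file is unusable.
feed_is_stale() {
    age=$(plugin_age_days "$1" "$2") || return 2
    [ "$age" -gt "$3" ]
}

# Constructed sample matching the handout's output, written to a temp file.
DEMO_FEED=$(mktemp)
cat > "$DEMO_FEED" <<'EOF'
PLUGIN_SET = "201310062215";
PLUGIN_FEED = "ProfessionalFeed (Direct)";
EOF

echo "feed: $(feed_value PLUGIN_FEED "$DEMO_FEED")"
echo "sample plugin set is $(plugin_age_days "$DEMO_FEED" 20131016) day(s) old"
if feed_is_stale "$DEMO_FEED" 20131016 7; then
    echo "stale: run sudo /opt/nessus/sbin/nessus-update-plugins"
fi

# On a real scanner, check the live file against today's date.
if [ -r "$FEED_INFO" ]; then
    echo "installed plugin set is $(plugin_age_days "$FEED_INFO" "$(date +%Y%m%d)") day(s) old"
fi
```

The threshold is yours to choose; what matters is that a scanner whose plugin set silently stops advancing is noticed, because every scan it runs from then on is blind to newer checks.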

Managing users from the command line

You can easily add users, change passwords, and delete users from the command line.

sudo /opt/nessus/sbin/nessus-adduser

You will have the opportunity to specify the new user’s name, password, whether they are an administrator, and any scan-specific restrictions you wish to apply.

Use the following command if you need to reset a user’s password:

sudo /opt/nessus/sbin/nessus-chpasswd

This command also lets you specify the authentication type: password or certificate.

Finally, use this command to delete a user:

sudo /opt/nessus/sbin/nessus-rmuser

Updating your shell environment for Nessus

For those who use Nessus from the command line a lot, simplify your administrative life by adding key Nessus directories to your PATH and MANPATH environment variables:

export PATH="${PATH}:/opt/nessus/sbin:/opt/nessus/bin"
export MANPATH="${MANPATH}:/opt/nessus/man"

Now you can run commands more simply, e.g.:

sudo nessus-update-plugins

Refreshing Tenable policy templates

There are four Tenable-supplied policy templates that come pre-installed with any Nessus scan server:

1. External Network Scan
2. Internal Network Scan
3. Prepare for PCI-DSS audits (section 11.2.2)
4. Web App Tests

You shouldn’t modify these templates directly. If you feel that you need to change them, you should duplicate them and work on the copy.

Should a user modify one of these templates you can restore it using the following procedure.

sudo vim /opt/nessus/var/nessus/imported-policies

To force Nessus to re-create a policy, simply remove the entry with the UUID of the policy you want to see refreshed.
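Editing imported-policies by hand in vim works, but it is easy to delete the wrong line or to leave no way back. As an added example (my own script, not part of the handout or of Nessus), here is the same step as a shell function that accepts only a well-formed UUID, takes a timestamped backup, removes only the matching entry, and reports how many lines went. It assumes the file lists one policy per line with that policy's UUID on the line; that layout is an assumption on my part, so check it against your own file before pointing the function at the live path. The sample file it edits is constructed from the UUIDs listed in this section plus one made-up user policy.

```shell
#!/bin/sh
# Added example (not from the handout): remove one Tenable policy's entry from
# imported-policies so Nessus re-creates it, keeping a timestamped backup so
# the edit can be undone. Assumes one policy per line, each line containing
# the policy's UUID (the exact line format is an assumption here).

POLICY_FILE=${POLICY_FILE:-/opt/nessus/var/nessus/imported-policies}

# is_uuid STRING: accept only 8-4-4-4-12 hex, so a typo cannot turn into a
# pattern that matches every line in the file.
is_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# refresh_policy UUID [FILE]: drop the matching entry. Prints the number of
# lines removed. Returns 1 on a malformed UUID, 2 if nothing matched, 3 if
# the file is unreadable; in the error cases the file is left untouched.
refresh_policy() {
    uuid="$1"
    file="${2:-$POLICY_FILE}"
    is_uuid "$uuid" || { echo "refusing: '$uuid' is not a UUID" >&2; return 1; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 3; }
    matches=$(grep -Fic "$uuid" "$file" || true)
    if [ "$matches" -eq 0 ]; then
        echo "no entry for $uuid in $file" >&2
        return 2
    fi
    backup="$file.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$file" "$backup"
    # Rewrite the file from the backup without the matching entry. grep -v
    # exits 1 when nothing is left, which is not an error for us.
    grep -Fiv "$uuid" "$backup" > "$file" || true
    echo "$matches"
}

# Constructed sample: the four Tenable policy UUIDs from this handout plus one
# made-up user policy, written to a temp file instead of the live one.
DEMO_POLICIES=$(mktemp)
cat > "$DEMO_POLICIES" <<'EOF'
918B9E6A-908F-460A-AECD-325EE649A95B
AF5EFE99-A40A-4E27-89B4-1E86E4953852
E99D6B27-5A10-4239-BC9A-CF16BC30E142
D2A991B9-F116-4540-90DC-97BFA7DE615E
00000000-0000-4000-8000-000000000001
EOF

# Refresh the External Network Scan policy in the sample file.
removed=$(refresh_policy 918B9E6A-908F-460A-AECD-325EE649A95B "$DEMO_POLICIES")
echo "removed $removed entry; $(grep -c . "$DEMO_POLICIES") entries remain"
```

Run it with sudo against the real file only after confirming the line layout, and keep the .bak file until the policy has visibly reappeared in the web interface; if Nessus does not re-create it, restart the daemon with the service command from the daemon section and check again.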

The following UUIDs represent the Tenable-supplied policies:

Tenable Policy Name              UUID
External Network Scan            918B9E6A-908F-460A-AECD-325EE649A95B
Internal Network Scan            AF5EFE99-A40A-4E27-89B4-1E86E4953852
Prepare for PCI-DSS audits       E99D6B27-5A10-4239-BC9A-CF16BC30E142
Web App Tests                    D2A991B9-F116-4540-90DC-97BFA7DE615E

Upgrading Nessus

First, make sure that there are no scans running. Normally I login to the web interface and eyeball it to make sure I won’t be nuking anybody’s scans.

Next, stop the daemon.

sudo service nessusd stop

Install the new version of the software.

sudo dpkg -i Nessus-5.2.3-ubuntu1110_amd64.deb

Now start the Nessus daemon back up again.

sudo service nessusd start

At this point I tend to check the feed to make sure Nessus remains happy.

sudo /opt/nessus/bin/nessus-fetch --check

Assuming all is well, I instruct Nessus to update its plugin feed.

sudo /opt/nessus/sbin/nessus-update-plugins

Now you can login to the web interface and check the Help & Support section to verify the new version.

Uninstalling Nessus

First, make sure that there are no scans running. Normally I login to the web interface and eyeball it to make sure I won’t be nuking anybody’s scans.

Next, stop the daemon.

On Ubuntu, use the dpkg command to remove the Nessus package. First, determine the package’s name:

dpkg -l | grep -i nessus

Next, remove it with this command:

dpkg -r

These instructions will not remove the configuration files or files that were not part of the original installation. Files that were part of the original package but have changed since installation will not be removed either. To completely remove the remaining files use the following command:

sudo rm -rf /opt/nessus

On Windows platforms, open the Control Panel and navigate to Programs and Features. Select Tenable Nessus and click the Uninstall button. Follow the prompts and Nessus will be removed.

Be careful when updating Nessus on Windows. You may be asked if you want to delete everything in the Nessus directory.

Answering Yes to this question will cause Nessus to attempt to delete the entire Nessus folder along with any manually added files. Previously created users, existing scan policies, and scan results will be removed, and the scanner will become unregistered.

Answering No will maintain the Nessus folder along with existing scans, reports, etc. After the new version of Nessus is installed, they will still be available for viewing and exporting.

Useful Web Sites and Resources

Nessus Vulnerability Scanner

Documentation              http://www.tenable.com/products/nessus/documentation
Downloads                  http://www.tenable.com/products/nessus/select-your-operating-system
Nessus Home Activations    http://www.tenable.com/products/nessus-home
Support Center             https://support.tenable.com/support-center/
Discussion Forums          https://discussions.nessus.org/welcome

Other Security Tools & Resources

Nmap security scanner                                                    http://nmap.org
Vulscan.NSE - enhances Nmap to a vulnerability scanner                   http://www.computec.ch/projekte/vulscan/
md5deep cryptographic hashing tool                                       http://md5deep.sourceforge.net
Metasploit penetration testing framework                                 http://www.metasploit.com
A Complete Guide to the Common Vulnerability Scoring System Version 2.0  http://www.first.org/cvss/cvss-guide
Penetration Testing Execution Standard                                   http://www.pentest-standard.org/index.php/Main_Page

National Vulnerability Database

Search CVE and CCE Vulnerability Database                    http://web.nvd.nist.gov/view/vuln/search
Common Vulnerability Scoring System Version 2 Calculator     https://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Vendor Resources

Nessus findings provide a rich level of detail, including links to relevant advisories and patches. However, I find the following sites to be useful.

Apple

Apple Product Security     https://ssl.apple.com/support/security/
Apple security updates     http://support.apple.com/kb/HT1222

Cisco Systems

Cisco IOS Software Checker                            http://tools.cisco.com/security/center/selectIOSVersion.x
Cisco Security Advisories, Responses, and Notices     http://tools.cisco.com/security/center/publicationListing.x

FreeBSD

FreeBSD Security Information     http://www.freebsd.org/security/
FreeBSD Security Advisories      http://www.freebsd.org/security/advisories.html

Microsoft

Microsoft Security Response Center http://www.microsoft.com/security/msrc/default.aspx

Ubuntu Linux

Ubuntu security notices     http://www.ubuntu.com/usn/
Ubuntu CVE Tracker          http://people.canonical.com/ubuntu-security/cve/