Problem solve Get help with specific problems with your technologies, process and projects.

Vulnerability scanning with Nessus: How to run a system scan

In the second tip in our series on running Nessus in the enterprise, our contributor takes you step-by-step through the process of running a system scan. View screenshots of the Nessus interface and learn commands for the Unix Nessus GUI.

previous tip

We'll assume that you're using the Unix Nessus GUI, but the commands are quite similar for those using NessusWX (for Windows). First, start the Nessus client by issuing the "nessus" command. You'll be presented with the window shown below:

In our in this series on using Nessus in the enterprise, we detailed the process of downloading and installing Nessus on the platform of your choice. Now that you've got it up and running, we'll examine how to use this powerful open source vulnerability scanner to monitor systems for security issues.

The top portion of this window allows you to specify the Nessus server that you'd like to use to originate the scan. If you're running the client and server on the same host, keep the default settings. Otherwise, you'll need to enter the appropriate hostname and port. The lower portion of the window requires that you enter the appropriate Nessus credentials to begin the scan. It's important to remember that these are separate and distinct from system login credentials and must be created using the nessus-adduser command.

After entering this information, click the "Log in" button to authenticate to the Nessus server. Next, we'll take a look at the Scan Options tab, shown below:

This tab contains several important options. First, the "Port range" textbox allows you to enter the specific ports that you'd like to scan. If you leave this set to "default," it will scan all of the destination ports contained within the nessus-services file. Otherwise, you may specify ports using ranges (e.g. "1-1024") and/or comma-delimited lists (e.g. "80, 443, 8080").

The other important option contained on this tab is the "Safe checks" box. Checking this box ensures that Nessus only runs plug-ins designated by their developers as "non-dangerous." If you're running a scan against a production system, it's critical that you check this box, as the unsafe plug-ins could cause an unintentional denial of service on the target system. (On the other hand, if you can do it, so can the bad guys!)

Next, let's move on to the Target tab, shown below:

You may use this tab to select either a single system or a comma-delimited list. Alternatively, you may read a list of hosts from a text file using the "Read file" button or attempt to perform a DNS zone transfer to obtain all of the hostnames in a domain by checking the "Perform a DNS zone transfer" box.

Once you've set the appropriate options for your scan, click the "Start the scan" button at the bottom of any tab, and you'll be off and running. The system will display the dialog box shown below:

It's important to note that scanning a single system could take several minutes or longer, depending upon the specified scope. When the scan completes, you'll see a full scan report, such as the one shown below:

You may navigate through this report to view the various alerts shown for each system grouped by host, port and severity.

That's all there is to it! You now have the basic information you need to conduct vulnerability scans with Nessus.


  How to get started
  How to run a system scan
  How to build an enterprise scanning program
  How to manage Nessus reports
  How to simplify security scans
  How to use Nessus with the SANS Top 20

Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

Dig Deeper on Linux servers