Tenable Nessus Tips and Tricks (+Script Auto-Installation) – 51 Security
scan_vulnerability_groups = yes : enable grouping
scan_vulnerability_groups_mixed = no : set group severity to the highest severity in the group
Filter For Vulnerabilities
Combine the All / Any, "is equal to", and "is not equal to" options to create your customized filters.
How to find out failed login hosts
- Plugin 19506 Nessus Scan Information: along with other information, this gives you a quick summary of CREDENTIALS YES/NO
If you have a failure, review other plugins to find the cause. Here are some plugins worth looking at:
- 110723 No Credentials Provided
- 110095 Authentication Success
- 104410 Authentication Failure(s) for Provided Credentials
- 110385 Authentication Success Insufficient Access
- 21745 Authentication Failure – Local Checks Not Run
- 117885 Authentication Success with Intermittent Failure
- 10394 Microsoft Windows SMB Log In Possible
The "Failed 66" count comes from plugin 19506’s output containing “Credential Check: No”.
Create filters to find machines that failed the credential check using Plugin ID: 19506:
This shows all machines that failed the credential check, including Windows, Linux, devices, etc.
How to Quickly Find Out Machines OS and Those Failed Credential Check
Plugin ID: 11936
How to quickly find out Windows machines which failed login using provided credentials?
1. Filter plugin 19506, then search “Credential Check: No” in the Plugin Output column. Copy all filtered machines’ IPs to a column in a new sheet.
2. Clear the filter. Filter plugin 11936, then search “Windows” in the Plugin Output column. Copy all filtered machines’ IPs to a column in a new sheet.
3. Create a column “Is it windows?” to check whether each IP exists in both columns, A & D.
Filter Windows Machines using Plugin ID 11936.
Create Nessus Instance in Low End VPS
GCP Free tier:
Google Free Tier: e2-micro (0.25-2 vCPU, 1 core, 1 GB memory)
- 1 non-preemptible e2-micro VM instance per month in one of the following US regions:
  - Oregon: us-west1
  - Iowa: us-central1
  - South Carolina: us-east1
- 30 GB-months standard persistent disk
- 1 GB of outbound data transfer from North America to all region destinations (excluding China and Australia) per month
- Compute Engine free tier does not charge for an external IP address.
Installation steps
1 Create your GCP VM
2 Connect to VM
Update system (Optional)
- apt update -y && apt upgrade -y
SWAP size increase: (Optional)
- wget https://raw.githubusercontent.com/51sec/swap/main/swap.sh && bash swap.sh
3 Install Observability – Ops Agent (Optional)
You will be able to see many more metrics from your VPS, such as memory usage.
4 Install Nessus using an auto-installation script from GitHub
Three commands from the CLI session:
- curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh
- chmod +x ubuntu.sh
- ./ubuntu.sh
One line command:
- curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh && chmod +x ubuntu.sh && ./ubuntu.sh
Access Tenable Nessus Web GUI:
https://<Public IP>:12345
GitHub Repository: https://github.com/51sec/nessus-special
Screenshots for the observability tab and settings page:
Total time until all plugins are compiled on a low-end VPS (GCP E2-Micro, 1vCPU/1G RAM/30G Standard Disk): about 9 hours (from 2pm – 11pm)
Settings:
Warning for minimum requirements not met.
During a scan:
CPU load is 2% and maximum memory usage is about 180MB.
Here is the GCP’s observability:
Auto-installation Script Issue:
Each time the system reboots, the whole plugin compiling process has to start from the beginning. If you are using a low-end VPS such as a GCP e2-micro instance, it will take another 9 hours to complete all compiling tasks.
How to Update Plugin-set:
- Re-run the installation script.
VPR (Vulnerability Priority Rating)
Difference Between CVSS Severity and Vulnerability Priority Rating (VPR) in Nessus
The failure of CVSS Scoring
Predictive Prioritization Using VPR
Threat Recency – how recently have there been attacks utilizing this vulnerability?
Threat Intensity – number and frequency of recent events (very low to very high)
Exploit Code Maturity – parallels CVSS (Unproven – High)
Product Coverage – number of unique products (low – very high)
YouTube Video: One Line Command To Deploy Tenable Nessus In Low End Free Linux VPS