Tenable Nessus Tips and Tricks (+Script Auto-Installation) – 51 Security

Tenable Nessus Tips and Tricks (+Script Auto-Installation) – 51 Security


scan_vulnerability_groups = yes : enable grouping

scans_vulnerability_groups_mixed = no : set group severity to the highest severity in the group

Filter For Vulnerabilities

You have to play All / Any, is equale to, is not equale to , those options to create your customized filters. 

How to find out failed login hosts

A quick check:

  • Plugin 19506 Nessus Scan information : Along with other information, this give you a quick summary of CREDENTIALS YES/NO

 

If you have a failure, then review other Plugins to find out the cause, Here are some Plugins worth looking at

  • 110723 No Credentials Provided
  • 110095 Authentication Success
  • 104410 Authentication Failure(s) for Provided Credentials
  • 110385 Authentication Success Insufficient Access
  • 21745 Authentication Failure – Local Checks Not Run
  • 117885 Authentication Success with Intermittent Failure
  • 10394 Microsoft Windows SMB Log In Possible

 

Failed 66 is from  plugin 19506’s output with “Credential Check: No“.

Create filters to filter failed credential check machines using Plugin ID: 19506:

This will shows all failed credential check machines, including Windows, Linux, Devices, etc. 

How to Quickly Find Out Machines OS and Those Failed Credential Check

 Plugin ID: 11936

How to quickly find out Windows machines which failed login using provided credentials?

1. Filter plugin 19506, then search “Credential Check: No” in Plugin Output column. Copy all filtered machine’s IPs out to a new sheet’s column.

2. Clear Filter. Filter plugin 11936, then seach “Windows” in Plugin Output column. Copy all filtered machine’s IPs out to a new sheet’s column. 

3. Create a column “Is it windows?” to check if we can find one existing in both Columns, A & D. 

Filter Windows Machines using Plugin ID 11936.

Create Nessus Instance in Low End VPS

GCP Free tier:

Google Free Tier: e2-micro (0.25 -2 vcpu, 1 core, 1 GB memory)

  • 1 non-preemptible e2-micro VM instance per month in one of the following US regions:
    • Oregon: us-west1
    • Iowa: us-central1
    • South Carolina: us-east1
  • 30 GB-months standard persistent disk
  • 1 GB of outbound data transfer from North America to all region destinations (excluding China and Australia) per month
  • Compute Engine free tier does not charge for an external IP address.

Installation steps

1 Create your GCP VM

2 Connect to VM

Update system (Optional)

  • apt update -y && apt upgrade -y  

SWAP size increase: (Optional)

  • wget https://raw.githubusercontent.com/51sec/swap/main/swap.sh && bash swap.sh

3 Install Observability – Ops Agent (Optional)

You will be able to see much more metrics from your VPS, such as memory usage. 

4 Install Nessus using an auto-installation script from Github

Three commands from the cli session: 

  • curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh
  • chmod +x ubuntu.sh
  • ./ubuntu.sh

One line command:

  • curl https://raw.githubusercontent.com/51sec/nessus-special/main/ubuntu.sh -o ubuntu.sh && chmod +x ubuntu.sh && ./ubuntu.sh

Access Tenable Nessus Web GUI:

https://<Public IP>:12345

GITHUB Repository: https://github.com/51sec/nessus-special

Screenshots for oberability tab and settings page:

Total hours until all plug-ins compiled in a low end VPS (GCP E2-Micro, 1vCPU/1G RAM/30G Standard Disk):  about 9 hours (from 2pm – 11pm)

Settings:

Warning for minimum requirements not met. 

Dring a scan:

CPU load is 2% and maximum memory usage is about 180MB. 

Here is the GCP’s observability:

Auto-installation Script Issue:

Each time, when the system reboot, the whole Plugins compiling process will need to start from beginning. In this case, if you are using a low end vps such as GCP e2-micro instance, it will take another 9 hours before it completed all compiling tasks. 

How to Update Plugin-set:

Since auto update for plugin has been disabled, you will not be able to use Web Gui or normal way to update your plugins. You will just need to re-run the script. No need to delete anything before re-run. 

  • re-run the installation scrip. 

VPR (Vulnerability Priority Rating)

Difference Between CVSS Severity and Vulnerability Priority Rating (VPR) in Nessus

The failure of CVSS Scoring

Predictive Prioritization Using VPR

Threat Recency – how recently have there been attacks utilizing this vul?

Threat Intensity – number and frequncy of recent events (very low to very high)

Threat Sources – What data was used

Exploit Code Maturity – Parallels CVSS (Unproven – high)

Product Coverage – Number of unique products (Low -very high)

YouTube Video: One Line Command To Deploy Tenable Nessus In Low End Free Linux VPS

References

  • https://www.tenable.com/webinars
  • https://www.tenable.com/education

Post Comment