Nessus can be downloaded from the Nessus Project web site. Although several installation methods are offered, I recommend what they refer to as "the easy and less dangerous way." Download the installer script from one of the numerous mirrors. Signed MD5 checksums are available as well, and can be used to verify the authenticity of the software. After you've downloaded both the installer and the MD5, execute the following commands:
# openssl dgst nessus-installer.sh
MD5(nessus-installer.sh)= ed093a47a0fc57efe1ef769a93cf602a
# grep MD5 MD5
MD5 (nessus-installer.sh) = ed093a47a0fc57efe1ef769a93cf602a
Once the file has been verified, execute the following command to begin installing Nessus:
# sh nessus-installer.sh
The installer script will ask where you want to install Nessus, with a recommended default of /usr/local. This setting will place all the Nessus binaries in /usr/local/bin and /usr/local/sbin. Once you confirm the installation path, Nessus will compile and install.
Creating the Certificate
Next, you need to create a certificate for your nessusd server. Run this command:
The program will ask you a few questions. Use the default settings unless you know what you're doing and have a good reason for changing the settings. After the certificate has been created, the program will show you the location of the certificate and key files.
Creating the Users
You'll need to create one or more nessusd users. For each user, you define a set of rules. This is an excellent way to ensure that users scan only the hosts or subnets they "own." To add a user, run the following command:
# nessus-adduser
For this example, I'll add a user who will authenticate using a password, with permission to scan hosts on the 192.168.0.0/24 network only:
Login : russ
Authentication (pass/cert) [pass] : pass
Login password : password
Next, I'll set up the access rules for the user:
Enter the rules for this user, and hit Ctrl-D once you are done :
(the user can have an empty rules set)
accept 192.168.0.0/24
default deny
<ctrl-d>
Finally, you'll be prompted to confirm the settings. If you choose to use certificates rather than passwords for user authentication, you can use nessus-mkcert-client to generate them.
Starting the Server
To start the server, run this command:
# /usr/local/sbin/nessusd -D
This will start nessusd in daemon mode. It may take a few seconds for the daemon to finish initializing. Once the daemon is ready, the process status will show nessusd is waiting for connections:
# ps -ef |grep nessusd |grep -v grep
root      1866     1  0 20:34 ?        00:00:00 nessusd: waiting for incoming connections
Starting the Client and Logging In
To launch Nessus, run this command:
This will launch the Nessus X11 client (see Figure 1).
Figure 1 Nessus login screen.
Because we're using the same host for both client and server, the default nessusd host and port will work fine. Log in with the user and password you created earlier. The first time you log in to the nessus client, you'll be prompted to select the level of SSL paranoia (see Figure 2). This setting controls how stringently the nessus client will check the server's certificate. We'll use the first option.
Figure 2 SSL paranoia settings.
After you click OK, Nessus displays the certificate info (see Figure 3).
Figure 3 Certificate dialog.
Verify the certificate information and click Yes.
Configuring Your Scan
After confirming the certificate information as previously described, you'll get a warning regarding plug-ins (see Figure 4).
Figure 4 Plug-in warning.
Nessus uses modules called plug-ins to perform its security checks. This modular architecture affords several advantages. As new vulnerabilities are discovered, Nessus plug-ins can be created or modified to audit for them. These updates are catalogued on the Nessus web site. You can run the script nessus-update-plugins (located in /usr/local/sbin by default) to download and install all the new plug-ins released since the latest Nessus release. You can also write your own plug-ins; the Nessus Attack Scripting Language (NASL) is the preferred language. C is also an option, but is deprecated in favor of NASL. In addition to the documentation, the source for all official Nessus plug-ins is available on the Nessus web site. For the novice Nessus scripter, it may be easier to modify an existing plug-in than to write one from scratch.
The warning shown in Figure 4 simply means that by default Nessus won't perform any testing that might hang or crash the hosts being scanned. Although this is good for maintaining 99.999% uptime, it's bad if your goal is a thorough security test. After you click OK, you'll have to start making some difficult choices.
Click the Plugins tab to display the options (see Figure 5). The upper pane of the window shows a list of plug-in categories; click a category to display a list of individual plug-ins for that category in the lower pane. (You can select or deselect entire categories.) Notice that by default the plug-ins with a warning symbol are not selected. You can enable these one by one, or use the Enable All button to turn on everything. If you've created a custom plug-in, use the Upload Plugin button to add it.
Figure 5 Options for plug-ins.
Hovering the mouse or pointer over a plug-in name displays additional information about that plug-in. If you need to research an individual plug-in, consult the plug-ins page on the Nessus web site.
After you've configured the plug-ins, click the Prefs tab at the top of the window. At first, you may find the list of options somewhat overwhelming. As a rule, don't change a default setting unless you know why you're changing it. Many of the options relate to helper applications that can be called by Nessus, such as Nmap, Hydra, and Whisker. Most of the rest relate to standard TCP/IP protocols and are fairly self-explanatory.
Next is the Scan Options tab shown in Figure 6. As the name implies, the options are related to port scanning, and most display a pop-up explanation when the mouse or pointer hovers over the option. Two options require caution:
A detached scan allows you to initiate a scan and then disconnect your client from the nessusd server. Once the scan completes, a report will be emailed to the specified address.
Under a continuous scan, nessusd performs regular scans of your network and notifies you of any new problems. If you enable continuous scanning, you should also add a cron job on your nessusd server that regularly runs nessus-update-plugins.
Figure 6 Scan options.
The Target Selection tab shown in Figure 7 is where you tell Nessus what to scan. You can enter networks in CIDR notation, target individual hosts, read in a list of targets from a flat file, or generate a target list using a zone transfer from your name server. You can also save target lists and reuse them for future scans. Note that your target list will be checked against your user access rules when you start a scan.
Figure 7 Target selection.
If you need to exclude specific hosts from your scan, you can add further rules. Figure 8 shows a rule added to exclude the router at 192.168.0.1. The syntax for rules is the same as for nessus-adduser.
Figure 8 User rules.
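The access check described above (the target list is tested against the user's rules before a scan starts), as an added Python example that is not part of the original article or of Nessus itself. It assumes the rule set from Figure 8 (the /24 plus the router exclusion) and that rules are evaluated top to bottom with the first match winning before the default line applies; the deny rule is placed first so the result is the same under either ordering convention.

```python
import ipaddress

# Constructed rule set in nessus-adduser syntax: the /24 granted to the
# example user, plus the Figure 8 exclusion of the router at 192.168.0.1.
RULES_TEXT = """\
deny 192.168.0.1
accept 192.168.0.0/24
default deny
"""


def parse_rules(text):
    """Parse 'accept|deny <host|cidr>' lines and one 'default accept|deny' line.

    Returns (rules, default) where rules is an ordered list of (action, network).
    """
    rules, default = [], "deny"  # assumption: a missing default line denies
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # tolerate trailing comments
        if not line:
            continue
        action, arg = line.split(None, 1)
        if action == "default":
            if arg not in ("accept", "deny"):
                raise ValueError(f"bad default rule: {line!r}")
            default = arg
        elif action in ("accept", "deny"):
            # strict=False lets a host address with a mask mean its network
            rules.append((action, ipaddress.ip_network(arg, strict=False)))
        else:
            raise ValueError(f"unknown rule: {line!r}")
    return rules, default


def host_allowed(rules, default, host):
    """Assumed semantics: the first rule whose network contains the host wins;
    if no rule matches, the default decides."""
    addr = ipaddress.ip_address(str(host))
    for action, net in rules:
        if addr in net:
            return action == "accept"
    return default == "accept"


def rejected_targets(rules_text, targets):
    """Expand every target (single host or CIDR block) and return the addresses
    the rules refuse. An empty list means the whole target list may be scanned."""
    rules, default = parse_rules(rules_text)
    return [str(addr)
            for target in targets
            for addr in ipaddress.ip_network(target, strict=False)
            if not host_allowed(rules, default, addr)]


if __name__ == "__main__":
    print(rejected_targets(RULES_TEXT, ["192.168.0.0/24"]))           # ['192.168.0.1']
    print(rejected_targets(RULES_TEXT, ["192.168.0.10", "10.0.0.7"]))  # ['10.0.0.7']
```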
Nessus can remember what it learns from a scan, and can reuse that information during subsequent scans. These options are configured on the KB (short for knowledge base) tab shown in Figure 9.
Figure 9 Knowledge base options.
After you've configured everything, click Start the Scan to begin scanning (see Figure 10).
Figure 10 A scan in progress.
As the scan runs, you'll be able to see the progress against each host. Once the scan is finished, the report window will open (see Figure 11).
Figure 11 Report window.
You can browse the hosts that were scanned and examine all the vulnerabilities that were found. You can also save these reports in a variety of formats. The Nessus web site offers sample reports in HTML, ASCII, LaTeX, and PDF formats.