Scans
Despite what the name might suggest, a Nessus basic scan is a fully comprehensive scan of a system. Unlike its Advanced Scan counterpart, most of the options in this template are already configured to an appropriate setting, and its default settings are suited to scanning most hosts. By default, a Basic Network scan will perform discovery on a host (similar to the Host Discovery template) before scanning the target host, focusing on the most commonly open ports (~4500 ports). During a basic scan, Nessus will also enumerate any open ports, in an attempt to identify the service running, and whether any vulnerabilities exist.
Click the Basic Network scan button on the Scan Templates page to open the configuration page.
Like the host discovery scan, only two fields (Name and Targets) are required before the scan is ready to launch. However, it's much more likely that you'll want to customize this type of scan.
Like the Host Discovery scan, you can adjust the depth of the scan performed by opening the Discovery tab. For example, changing the Scan Type to Port Scan (All Ports) will enumerate all 65535 ports on a host, instead of just the most commonly open ports – helpful in finding any services running on unconventional ports. The Custom scan type allows you to fully customize the discovery element of the scan, including preventing Nessus from pinging the remote host before scanning and configuring different protocols to use when port scanning.
The Assessment tab configures the vulnerability assessment element of the scan. By default, Nessus applies a range of techniques to any open ports it discovers, in an attempt to identify possible vulnerabilities. If your target host is also running web applications, Nessus can be configured to include them in the scanning process, performing some basic web-application testing on any it discovers. For example, the Scan for all web applications (complex) option will crawl an entire web application, sending test data to the application, in an attempt to search for vulnerabilities.
Once the scan is saved, you will be returned to the My Scans panel of Nessus. Find the scan you've created in the My Scans table, and click the Launch (▸) icon. Click on the scan once it's launched to open the Scan Details page, and you should see the scan status marked as Running.
Nessus reports back as soon as it discovers something of interest, so while the scan is running, click on the Vulnerabilities tab to see what Nessus has discovered so far. In this table, Nessus will collate everything that is identified during the course of the scanning. Results are added to this table in real-time, so you can start analyzing Nessus findings before the scan has completed.
When scanning multiple hosts, Nessus will keep track of all vulnerabilities found on all hosts in this table. Some related vulnerabilities are grouped by Nessus under a single "finding". This is signified by the Folder icon next to the vulnerability name. Despite consisting of multiple issues, Nessus will only consider this as one finding in the table.
For example, in the image below, Nessus has identified 20 unique findings across five different hosts. Out of these 20 findings, at least three (shown in the image) are made up of multiple issues. However, Nessus will still only count these as one vulnerability in the table. The number of vulnerabilities in the folder is noted in the Count column, which you can use to calculate the actual number of vulnerabilities identified by Nessus.
With each result, Nessus will also provide a Severity level, ranging from INFO to CRITICAL, to help rank the findings based on the impact, along with a severity score for more impactful vulnerabilities. Nessus will also detail the category in which the finding falls (known as the Family) in this table. Some of the more wide-ranging categories cover several different results (e.g., General), whereas other categories will focus on specific types of vulnerability (e.g., CGI Abuses).
It's important to note that everything Nessus identifies when scanning is collected under the Vulnerabilities tab – not just confirmed vulnerabilities. For example, the vulnerability named Nessus Scan Information is just a list of information about the Nessus scanner itself and doesn't signify any vulnerabilities on the target host. These results will be marked as INFO-level severity but may be mixed with actual INFO-level vulnerabilities. It's essential to verify manually whether each result in the Vulnerabilities table is a true vulnerability or just a purely informational result. These types of results are often called "false positives".
Select the Hosts tab to view the total number of vulnerabilities, broken down by each host scanned. For each host scanned, the number of vulnerabilities is shown in each row of the table, grouped by their severity. Hovering over any of the colored blocks in this table will show you the severity that the color represents as well as the number of vulnerabilities of that rank.
In this example, the Hosts tab contains the results for two hosts. On the first host, 19 vulnerabilities were identified - all of which were classified as INFO-level severity (represented by blue blocks). On the second, there were 14 INFO-level vulnerabilities and one MEDIUM-level vulnerability (represented by orange blocks).
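The per-host severity breakdown and the separation of INFO-level results described above can be reproduced offline from a scan exported in the `.nessus` (NessusClientData_v2) XML format. The following is an added example, not part of the original page or Tenable's own code; the embedded export, its hosts, plugin IDs and plugin names are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Severity codes carried in the "severity" attribute of each ReportItem.
SEVERITY = {0: "INFO", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}

# Constructed sample export (not real scan output): two hosts on a
# documentation address range, with placeholder plugin IDs and names.
SAMPLE = """<NessusClientData_v2><Report name="basic-scan-sample">
<ReportHost name="192.0.2.10">
<ReportItem port="0" severity="0" pluginID="900001" pluginName="Nessus Scan Information" pluginFamily="Settings"/>
<ReportItem port="22" severity="0" pluginID="900002" pluginName="Service detected (constructed)" pluginFamily="General"/>
</ReportHost>
<ReportHost name="192.0.2.20">
<ReportItem port="0" severity="0" pluginID="900001" pluginName="Nessus Scan Information" pluginFamily="Settings"/>
<ReportItem port="80" severity="0" pluginID="900003" pluginName="Web server banner (constructed)" pluginFamily="General"/>
<ReportItem port="80" severity="2" pluginID="900004" pluginName="Medium finding (constructed)" pluginFamily="CGI abuses"/>
</ReportHost>
</Report></NessusClientData_v2>"""

def load_findings(xml_text):
    """Flatten every ReportItem in the export into one dict per result."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({"host": host.get("name"),
                             "port": int(item.get("port")),
                             "severity": SEVERITY[int(item.get("severity"))],
                             "plugin": item.get("pluginName"),
                             "family": item.get("pluginFamily")})
    return findings

def per_host_breakdown(findings):
    """Mirror the Hosts tab: host -> count of results per severity."""
    table = {}
    for f in findings:
        table.setdefault(f["host"], Counter())[f["severity"]] += 1
    return table

def needs_review(findings):
    """Results above INFO, highest severity first, for manual verification."""
    order = list(SEVERITY.values())
    hits = [f for f in findings if f["severity"] != "INFO"]
    return sorted(hits, key=lambda f: order.index(f["severity"]), reverse=True)

if __name__ == "__main__":
    rows = load_findings(SAMPLE)
    print({h: dict(c) for h, c in per_host_breakdown(rows).items()})
    print([(f["severity"], f["host"], f["port"], f["plugin"]) for f in needs_review(rows)])
```

INFO-level rows are kept in `load_findings` rather than discarded, so they can still be reviewed by Family after the higher-severity results have been verified.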
Creating a new scan with a specific list of IP addresses provided.
Can see the scan results here: live hosts, vulnerabilities, etc.
Now to try and create a scan using the Basic Network scan.