Vulnerability Scanning Tips

vulnerability scanning tipsBefore you start vulnerability scanning, you should take into consideration some issues. Port scanning is a fairly innocuous activity, althouh it is annoying when you see the activity showing up in your logs. Vulnerability testing, however, can be quite a bit more disruptive, crashing servers, taking down Internet connections, or even deleting data. Many of the Nessus tests, for example, are specifically designed to cause a denial-of-service attack. Even with the safe checks option turned on, the tests can cause problems with some systems. With this in mind, here are some guidelines.

Scan Only with Permission

You should never scan a network that is not under your direct control or if you do not have explicit permission from the owner. Some of the activity initiated by Nessus could be legally considered hacking (especially with the DoS checks turned on). Unless you want to take the chance of being criminally and civilly charged, or having a complaint lodged against you by your ISP, you should always scan with permission. Non-company outsiders such as consultants should make sure to obtain written permission with all the legal disclaimers necessary. Internal personnel should make sure they have authority to scan all the machines in the range they are scanning. Coordinate with other departmental personnel as necessary, such as firewall administrators and security staff.

Modern vulnerability scanners are easy to install and use, but they are generally installed with generic settings. Using such settings may not be a good idea if you have legacy hardware. Approaching legacy hardware with a scan calls for caution, as a scan may cause problems with the legacy machine’s approaches to port management and binding. In such cases, port scanning can cause connection hang-ups and even system crashes. As a result, if your network includes such hardware, you want to be aware of the potential issues of running an untested scan and plan accordingly. Segmenting your risk by testing only a few servers at a time may be the way to go.

You should always make sure your backups are current anyway, but it is doubly important when vulnerability scanning, just in case the scan causes a problem with a server. Doing a Nessus scan right after you run backups will ensure that you can restore the most current version. But also make sure you aren’t running your scan during a backup. Not only could you cause a corruption of your backup data, but both processes will slow to a crawl.

Scheduling Your Scans

Along the lines of the last comment, make sure you coordinate your scan to get the results you want with minimal impact on other employees. Scanning the mail server at 8:00 AM when everyone is getting their e-mail will probably not make you very popular with the staff. Schedule scans on always-up servers for off-hours, and be sure to avoid overlapping with other system administration and general activity levels. If you are scanning internal machines, you will probably want to do it during the day unless you can arrange for everyone to leave their machines on at the end of the day. The best time to do it during business hours is generally around the lunch hour, as a minimal number of people will be using the network.

Schedule your scans as often as you feel is necessary, but don’t automatically assume that nightly scans are going to make your network more secure. If you cannot interpret and respond to scan reports on a daily basis, then don’t do the scan; all it will do is put additional traffic on your network. Base your frequency on the capability of your staff to deal with the results. You should do it at least once a month, but if you have a particularly busy network, you may want to do it weekly. Similarly, if you have a very small external network, you may feel comfortable with quarterly scans. Daily scans are probably excessive unless you have dedicated staff to handle the remediation work. If you have that much need for up-to-the minute protection, then use an intrusion detection system to supplement your vulnerability testing.

If you want a true of your external vulnerability (for the Internet), you should make sure your Nessus server is located outside your firewall. This can be on a home Internet connection, at a data center that is outside your company network, or at another company (perhaps you can negotiate a trade to use another company’s facilities for scanning and let them user yours for the same). Remember, because of the Nessus client-server architecture, you can still control your scans from inside your firewall. Just make sure you enable the SSL support so communications between your client and the server are encrypted.

If you are scanning your internal network, your internal network, your server will have to be located inside your firewall. Loading Nessus on a laptop can facilitate doing scans from both inside and outside your network without requiring multiple machines.

External Links:

Vulnerability Scanning Do’s And Don’ts at

Nessus Features and Capabilties

Nessus featuresIn the previous article, we introduced the Nessus vulnerability scanner. In this article, we will discuss some of the additional Nessus features.

Nessus Features: Scripting Language, Integration with Other Tools, Smart Testing

To supplement the plug-in architecture, Nessus has its own scripting language called Nessus Attack Scripting Language (NASL), one of the more important Nessus features. This easy-to-learn utility language allows you to quickly and easily write your own custom security plug-ins without having to know C or all of the internal workings of the main program.

Nessus can be used by itself or with several other open source security tools. You can use Nmap, the best port scanner in the world, or the port scanning part of the job, rather than the built-in one. the Nesseus port scanner is faster and a little more efficient with memory, but Nmap allows for a lot more options and settings. Almost all the Nmap settings are configurable from within the Nessus client. Nessus also works with Nikto and Whisker, tools that run more complex tests on web servers; CGI programs; and Hydra, a tool for running brute-force password attacks against common services. The functionality of these tools is written right into Nessus, so you can make configuration changes from a single interface.

Another ability which you may find is one of the more useful Nessus features is that it can be set up so that it does not automatically run all of the vulnerability tests on every host. Based on the results of a port’s scan or other input such as past vulnerability tests, Nessus will run only tests appropriate to that machine. So if the server is not running a web server, it won’t run web server-related tests. Nessus is also smart in that it does not automatically assume that web servers will run on port 80, but rather checks all the possible ports for signs of a web server. Nessus will even find multiple instances of services running on different ports. This is especially important if you are inadvertently running a web server or other public service on an unusual port.

Nessus Features: Knowledge Base and Reporting

Another one of the more useful Nessus features is that it can save all scan results in a database called the Knowledge Base. This allows it to use the results of past scans to intelligently figure out what tests to run. You can use this to avoid doing a port scan every time you run Nessus, because it will remember what ports it found open last time on each host and test only those. It can also remember what hosts it saw last time and test only new hosts. You probably shouldn’t do this every time, because you may miss new ports that open up on machines or new vulnerabilities that show up on previously scanned boxes. However, it can allow you to run scans more often with less bandwidth and processor power as long as you do a complete scan on a regular basis.

Nessus has some of the best reporting capabilities in the open source field. Although it is not perfect, it can output your scan data in just about any format. Basic HTML and HTML with pie charts and graphs are two of the more popular formats. These reports include summary data and are suitable for posting to an internal web site with little or no editing. Other report formats supported include XML, LaTeX, and plain text. The Windows client offers additional report formats. There are additional tools available that allow you to do further manipulation of the data.

Mailing Lists

Nessus has an extensive support network for getting help, both on basic installation and use as well as more complex programming and customization. there are no fewer than five Nessus mailing lists, each dedicated to a different area. There is an archive of all the past posts so you can check to see if your question has ever been answered. The following are the main Nessus mailing lists:

  • nessus: A general discussion list about Nessus.
  • nessus-devel: Talks about the development of the upcoming versions.
  • nessus-cvs: Shows the CVS commits made on the Nessus tree.
  • nessus-announce: A low-traffic moderated list that is dedicated to the announcements of the availability of new releases.
  • plug-ins-writers: A list dedicated to the writing of new Nessus plug-ins. If you want to write your own security checks, you should subscribe to it.

Of the discussion lists, nessus is the most active, broadest in scope, and probably most useful to the average reader. Much of the traffic consists, of questions and answers rather than actual discussions, and topics include Nessus and NessusWX, the plugins, vulnerabilities themselves, third-party add-ons, and so forth. Nessus-devel tends to be more discussion oriented, with the focus on revisions to Nessus and the NASL language. Plugins-writers leans more toward questions and answers, generally how to accomplish something in NASL or whether plugins are properly testing for vulnerabilties. None of these lists has an actual charter, though, and in practice there’s a fair amount of overlap among them.

To subscribe to any of the above lists, send an e-mail to with the following text in the body of the e-mail:

Subscribe listname

Replace listname with the name of the list to which you want to subscribe. To unsubscribe, do the name but write Unsubscribe listname in the body.

Nessus has quite a bit of documentation on its web site, including detailed instructions on installation, basic operation and use of Nessus features, and tutorials on how to write your own security checks in NASL.

Now the we have covered some of the more important Nessus features, in the next article, we will cover installing Nessus in Linux.

External Links:

Nessus home page on – Additional information on Nessus features can be found here

Nessus on Wikipedia

© 2013 David Zientara. All rights reserved. Privacy Policy