Performing Vulnerability Scanning with Nessus
When to Use
- Conducting initial vulnerability assessment during the reconnaissance phase of a penetration test
- Performing periodic vulnerability scans to maintain compliance with PCI-DSS (requirement 11.2), HIPAA, or SOC 2 standards
- Validating that remediation efforts have successfully addressed previously identified vulnerabilities
- Establishing a baseline of known vulnerabilities before targeted manual exploitation
- Auditing patch compliance and configuration drift across server and workstation fleets
Do not use as a substitute for manual penetration testing, against systems without written authorization, or against fragile systems (medical devices, legacy SCADA) where scanning may cause service disruption.
Prerequisites
- Tenable Nessus Professional or Nessus Expert with current plugin updates (plugins should be less than 24 hours old)
- Network connectivity to all target hosts on all ports (no firewall restrictions between scanner and targets)
- Administrative credentials for authenticated scanning (domain admin or local admin for Windows, root/sudo for Linux, SNMP community strings for network devices)
- Target IP ranges and hostnames documented in the scope agreement
- Change management approval for scanning during authorized windows
Workflow
Step 1: Scan Configuration
Configure the Nessus scan policy based on engagement requirements:
- Scan type selection: Choose "Advanced Scan" for full control over plugin families, or "Credentialed Patch Audit" for patch compliance. Avoid "Basic Network Scan" for penetration tests as it uses a limited plugin set.
- Discovery settings: Configure port scanning to scan all 65,535 TCP ports and top 1,000 UDP ports. Set host discovery to use ARP (local), TCP SYN, and ICMP for maximum coverage.
- Authentication: Add Windows credentials (domain account with local admin), SSH credentials (key-based preferred over password), SNMP credentials (v3 with authPriv preferred), and database credentials for database-specific checks.
- Plugin configuration: Enable all plugin families relevant to the target environment. For penetration testing, ensure "Denial of Service" plugins are disabled unless explicitly authorized. Enable CGI scanning for web servers.
- Performance settings: Set maximum concurrent hosts per scanner (default 30, reduce for sensitive networks), maximum concurrent checks per host (4-5 for production, higher for test environments), and network timeout values appropriate for the target network.
Step 2: Scan Execution and Monitoring
Launch the scan and monitor for issues:
- Start the scan during the authorized testing window
- Monitor scan progress through the Nessus web interface, checking for hosts timing out, authentication failures, or plugins causing errors
- Watch for credential failures indicated by "Authentication Failure" results; these mean the authenticated scan fell back to unauthenticated mode, producing incomplete results
- If specific hosts are crashing or becoming unresponsive, pause the scan, exclude those hosts, and report the issue to the client
- For large networks (1,000+ hosts), consider splitting scans into smaller subnets to manage load and allow restartability
Step 3: Results Analysis and Validation
Analyze scan results to separate true positives from false positives:
- Sort by severity: Start with Critical and High findings; these represent the most exploitable and impactful vulnerabilities
- Validate authentication: Verify that plugin 19506 (Nessus Scan Information) shows "Credentialed checks: yes" for each host. Unauthenticated results miss local vulnerabilities.
- Eliminate informational noise: Filter out informational findings unless they reveal useful information for manual testing (service banners, SSL certificate details, open ports)
- Cross-reference CVEs: For each Critical/High finding, verify the CVE in the National Vulnerability Database. Check if the vulnerability has a public exploit (Exploit-DB, Metasploit module).
- False positive identification: Common false positives include version-based detection where backported patches make the software appear vulnerable (common in RHEL/CentOS). Check `rpm -q --changelog <package>` on the target to verify.
- Group by remediation: Organize findings by the action needed to fix them (e.g., "Apply Windows KB5034441" affects 47 hosts) rather than listing each instance individually
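As an added example (not Tenable's tooling and not code from this page), a small Python parser that automates two of the checks above against an exported .nessus file: it reads the plugin 19506 output for each host to flag where credentialed checks did not run, and groups Critical/High findings by their solution text so they can be reported per remediation action. The XML is a constructed sample; the host addresses and plugin ID 99001 are made up, while 19506 is the real "Nessus Scan Information" plugin.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the .nessus (NessusClientData_v2) export format, cut
# down to the elements this step needs. Host addresses and plugin ID 99001
# are made up; 19506 is the real "Nessus Scan Information" plugin.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="cde-scan">
 <ReportHost name="10.50.1.10">
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information">
   <plugin_output>Credentialed checks : yes</plugin_output></ReportItem>
  <ReportItem port="22" protocol="tcp" severity="4" pluginID="99001" pluginName="OpenSSH regreSSHion">
   <cve>CVE-2024-6387</cve><solution>Upgrade OpenSSH to 9.8p1 or later</solution></ReportItem>
 </ReportHost>
 <ReportHost name="10.50.1.11">
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information">
   <plugin_output>Credentialed checks : no</plugin_output></ReportItem>
  <ReportItem port="22" protocol="tcp" severity="4" pluginID="99001" pluginName="OpenSSH regreSSHion">
   <cve>CVE-2024-6387</cve><solution>Upgrade OpenSSH to 9.8p1 or later</solution></ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

CRED_RE = re.compile(r"credentialed checks\s*:\s*(yes|no)", re.IGNORECASE)

def parse_nessus(xml_text):
    """Return (cred_status, by_fix): cred_status maps host -> True/False, or
    None when plugin 19506 is missing; by_fix groups Critical (4) and High (3)
    findings by their solution text with the affected hosts and CVEs."""
    root = ET.fromstring(xml_text)
    cred_status = {}
    by_fix = defaultdict(lambda: {"hosts": set(), "cves": set()})
    for host in root.iter("ReportHost"):
        name = host.get("name")
        cred_status[name] = None  # stays None if 19506 never reported
        for item in host.findall("ReportItem"):
            if item.get("pluginID") == "19506":
                m = CRED_RE.search(item.findtext("plugin_output", ""))
                cred_status[name] = (m.group(1).lower() == "yes") if m else None
            elif int(item.get("severity", "0")) >= 3:
                fix = item.findtext("solution", "(no solution given)").strip()
                by_fix[fix]["hosts"].add(name)
                by_fix[fix]["cves"].update(c.text for c in item.findall("cve"))
    return cred_status, dict(by_fix)

def incomplete_hosts(cred_status):
    """Hosts whose results are incomplete: credentialed checks 'no' or unknown."""
    return sorted(h for h, ok in cred_status.items() if not ok)
```

Any host returned by `incomplete_hosts` should be re-scanned after fixing its credentials rather than reported as clean.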
Step 4: Vulnerability Prioritization
Rank validated vulnerabilities for remediation using risk-based prioritization:
- CVSS score: Use the CVSS v3.1 base score as the starting point. Scores 9.0-10.0 are Critical, 7.0-8.9 High, 4.0-6.9 Medium, 0.1-3.9 Low.
- Exploit availability: Increase priority for vulnerabilities with publicly available exploit code, especially Metasploit modules or weaponized PoCs
- Network exposure: A critical vulnerability on an internet-facing system is higher priority than the same vulnerability on an isolated internal server
- Asset criticality: Consider the business value of the affected system. Domain controllers, databases with PII, and payment processing systems warrant higher priority.
- Compensating controls: Reduce priority if the vulnerability is mitigated by network segmentation, WAF rules, or EDR protections (document the compensating control)
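An added example (my own scheme, not Tenable's VPR and not from this page's author) that turns the five factors above into a reproducible ranking, so the reasoning behind each priority is recorded next to the finding. The labels "Immediate" and "Within 7 days" come from this page's report template; the 30- and 90-day tiers and the one-tier step per factor are assumptions.

```python
from dataclasses import dataclass

# Remediation tiers, least to most urgent. "Immediate" and "Within 7 days"
# are the labels used in this page's report template; the 30- and 90-day
# tiers are an assumption for this example.
TIERS = ["Within 90 days", "Within 30 days", "Within 7 days", "Immediate"]

def cvss_band(score):
    """CVSS v3.1 base-score bands as listed on this page."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"

@dataclass
class Finding:
    cve: str
    cvss: float
    exploit_public: bool            # Exploit-DB entry, Metasploit module, weaponised PoC
    internet_facing: bool           # reachable from the internet
    asset_critical: bool            # DC, PII database, payment system
    compensating_control: str = ""  # documented mitigation, empty if none

def prioritize(f):
    """Return (tier label, reasons). The CVSS band sets the starting tier;
    each aggravating factor moves one tier up and a documented compensating
    control moves one tier down. One-tier steps are an assumed scheme."""
    band = cvss_band(f.cvss)
    tier = {"Critical": 2, "High": 1}.get(band, 0)
    reasons = [f"CVSS {f.cvss} ({band})"]
    if f.exploit_public:
        tier += 1
        reasons.append("public exploit available")
    if f.internet_facing:
        tier += 1
        reasons.append("internet-facing")
    if f.asset_critical:
        tier += 1
        reasons.append("critical asset")
    if f.compensating_control:
        tier -= 1
        reasons.append(f"compensating control: {f.compensating_control}")
    tier = max(0, min(tier, len(TIERS) - 1))
    return TIERS[tier], reasons
```

Run against the two findings in this page's report template, the scheme reproduces their stated priorities (Immediate for the internet-facing FortiOS device, 7 days for the internal OpenSSH hosts).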
Step 5: Report Generation
Generate a comprehensive vulnerability scan report:
- Export the Nessus report in both executive (PDF) and detailed (CSV/HTML) formats
- Create a custom report that includes only validated findings with false positives removed
- Include a remediation priority matrix mapping each vulnerability to its recommended fix, affected hosts, and timeline
- Add context from manual validation (e.g., "This finding was confirmed exploitable during the penetration test")
- Include scan metadata: date/time, scanner version, plugin set date, scan policy used, authentication success rate
Key Concepts
| Term | Definition |
|---|---|
| Authenticated Scan | A vulnerability scan that uses valid credentials to log into target hosts and perform local checks, detecting significantly more vulnerabilities than unauthenticated scanning |
| Plugin | A Nessus script that checks for a specific vulnerability, misconfiguration, or compliance item; Nessus maintains over 200,000 plugins updated daily |
| CVSS | Common Vulnerability Scoring System; a standardized framework for rating the severity of vulnerabilities from 0.0 to 10.0 based on exploitability and impact metrics |
| False Positive | A vulnerability reported by the scanner that does not actually exist on the target, often caused by version-based detection without exploit verification |
| Credentialed Patch Audit | A scan type focused specifically on identifying missing operating system and application patches by comparing installed versions against known vulnerability databases |
| Plugin Family | A logical grouping of Nessus plugins by category (e.g., Windows, Ubuntu Local Security Checks, Web Servers, Databases) |
Tools & Systems
- Nessus Professional: Commercial vulnerability scanner by Tenable with over 200,000 plugins covering CVEs, misconfigurations, and compliance checks
- Nessus Expert: Extended version including external attack surface scanning, IaC scanning, and cloud infrastructure assessment
- Tenable.io: Cloud-hosted vulnerability management platform for enterprise deployments with asset tracking, trend analysis, and prioritization
- OpenVAS (Greenbone): Open-source alternative vulnerability scanner with community-maintained vulnerability tests for comparison scanning
Common Scenarios
Scenario: Quarterly PCI-DSS Vulnerability Scan for a Retail Company
Context: A retailer processes credit card payments and must comply with PCI-DSS requirement 11.2, which mandates quarterly internal and external vulnerability scans. The cardholder data environment (CDE) consists of 200 servers across 3 VLANs. All hosts run either Windows Server 2019/2022 or RHEL 8/9.
Approach:
- Configure authenticated scan with domain service account for Windows and SSH key for Linux hosts
- Use the PCI-DSS scan policy template with all relevant plugin families enabled
- Scan all 200 CDE hosts during the Saturday maintenance window (02:00-06:00)
- Identify 847 findings: 12 Critical, 34 High, 189 Medium, 612 Low/Informational
- Validate Critical findings: 3 are false positives (backported patches on RHEL), 9 are confirmed vulnerabilities
- Group remaining findings by remediation action: 6 require Windows patches, 2 require Apache upgrades, 1 requires TLS configuration hardening
- Generate PCI-compliant report showing no Critical or High vulnerabilities remain unaddressed (after remediation and rescan)
Pitfalls:
- Running unauthenticated scans and missing the majority of local vulnerabilities, producing an incomplete compliance report
- Not updating Nessus plugins before scanning, missing recently published CVEs
- Scanning fragile legacy systems without reducing scan intensity, causing crashes or service disruption
- Accepting Nessus results at face value without manually validating critical findings for false positives
Output Format
## Vulnerability Scan Summary - CDE Environment
**Scan Date**: 2025-11-15 02:00-05:47 UTC
**Scanner**: Nessus Professional 10.8.3 (Plugins: 2025-11-14)
**Hosts Scanned**: 200 (198 authenticated, 2 authentication failed)
**Scan Policy**: PCI-DSS Internal Scan
### Findings Summary
| Severity | Count | Validated |
|----------|-------|-----------|
| Critical | 12 | 9 (3 FP) |
| High | 34 | 31 (3 FP) |
| Medium | 189 | 178 |
| Low/Info | 612 | N/A |
### Top Critical Findings
**1. CVE-2024-21762 - Fortinet FortiOS Out-of-Bounds Write (CVSS 9.8)**
- Affected Hosts: fw-cde-01.corp.example.com (10.50.1.1)
- Exploit Available: Yes (Metasploit module)
- Remediation: Upgrade FortiOS to 7.4.3 or later
- Priority: Immediate - internet-facing device protecting CDE
**2. CVE-2024-6387 - OpenSSH regreSSHion (CVSS 8.1)**
- Affected Hosts: 14 Linux servers (see Appendix A)
- Exploit Available: Yes (public PoC)
- Remediation: Upgrade OpenSSH to 9.8p1 or later
- Priority: Within 7 days - authenticated remote code execution