🛡️ Methodology Checklist

  • Configure scan policy: set credentials if available
  • Set scan targets matching authorised scope
  • Launch discovery scan first, then full credentialed scan
  • Review Critical and High findings first
  • Manually verify top findings before including in report
  • Export report in required format (PDF/CSV/HTML)
  • Cross-reference findings with manual testing results

🎯 Operational Context

Think Dumber First: Run authenticated scans whenever credentials are available; they find 3-5x more vulnerabilities than unauthenticated scans. Always validate Critical/High scanner findings manually before reporting, since false-positive rates average 30-40%. Automated scanners excel at patch-level enumeration; they miss business logic flaws, chained exploits, and auth bypasses.

When you land here: Credentials available (or not). Configure an authenticated scan (SSH key or domain creds). Run the scan. Triage: Critical first → cross-validate with searchsploit → document with evidence. Import the XML into Metasploit (MSF) for vulnerability tracking.


⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| `sudo dpkg -i [NESSUS_PACKAGE].deb` | Install Nessus |
| `sudo systemctl start nessusd.service` | Start Nessus service |
| `sudo systemctl status nessusd.service` | Check Nessus status |
| `mkdir -p [GVM_PATH]/gvmd [GVM_PATH]/openvas` | Create OpenVAS data directories |
| `sudo chmod -R 777 [GVM_PATH]` | Fix OpenVAS permissions |
| `sudo docker run -d -p 8080:9392 --name openvas --restart always --security-opt apparmor=unconfined -v [GVM_PATH]:/var/lib/gvm immauss/openvas` | Deploy OpenVAS in Docker |
| `sudo docker logs -f openvas` | Monitor OpenVAS initialization |
| `sudo docker start openvas` | Start OpenVAS container |
| `sudo docker stop openvas` | Stop OpenVAS container |
| `sudo docker logs openvas 2>&1 \| grep "Password"` | Get auto-generated OpenVAS password |

🔬 Deep Dive & Workflow

Monitoring

| Command | Tactical Outcome |
|---|---|
| `sudo apt install vnstat && sudo vnstat -l -i [INTERFACE]` | Monitor scan bandwidth impact |

Reporting & Output

| Command | Tactical Outcome |
|---|---|
| `./nessus_report_downloader.rb` | CLI Nessus report download |
| `python3 -m openvasreporting -i [REPORT].xml -f xlsx` | Convert OpenVAS XML to Excel |

Scanning Methodology Reference

| Setting | Guidance |
|---|---|
| Basic Network Scan | Standard template for comprehensive scanning |
| Credentialed Patch Audit | Most accurate: logs in to verify local patch levels |
| Safe Checks | Always enabled: prevents crashing services |
| Ping Remote Host | Disable if firewall drops ICMP (forces port scan anyway) |
| Full and fast (OpenVAS) | Recommended mode: uses port intelligence |

Verification Plugin IDs (Nessus)

| Plugin ID | Tactical Outcome |
|---|---|
| 10394 | Microsoft Windows SMB Login Possible |
| 110723 | Target Credential Status |
| 10396 | Accessible SMB Shares |
| 10335 | VNC Server Detected |
| 26925 | VNC Server Password Strength |

Notable CVEs

| CVE | Name | Attack Path |
|---|---|---|
| CVE-2021-34527 | PrintNightmare | Port 445 on DC → RCE → domain takeover |
| CVE-2020-5902 | F5 BIG-IP TMUI | Management port → unauth RCE |
| MS17-010 | EternalBlue | SMBv1 → RCE |
| CVE-2019-0708 | BlueKeep | RDP pre-auth → RCE |


🛠️ Troubleshooting & Edge Cases

| Problem | Cause | Fix |
|---|---|---|
| Authenticated scan fails to gather additional info | Credentials not working or firewall blocking scanner | Manually verify creds on target; check if scanner IP can reach target on all ports; review scanner logs |
| Scan returns only Low/Info findings despite vulnerable target | Unauthenticated scan missing patch-level data | Enable credential scanning; without creds, scanner only sees network-exposed vulnerabilities |
| Scanner plugin timeouts causing incomplete results | Target slow or scan too aggressive | Reduce max_simult_tcp_sessions; use 'Safe Checks' only plugin subset; scan 50 hosts max per scan |
| Scanner IP gets blocked mid-scan | IDS/IPS triggered by scan rate | Whitelist scanner IP in IDS before starting; reduce scan speed; notify security team before running scans in production |
| Large scan crashes scanner | Memory exhaustion | Limit to 100 hosts per scan; split by subnet; increase scanner VM RAM to 8GB minimum |

📝 Reporting Trigger

Finding Title: Scanner findings populate the vulnerability assessment report appendix. Critical/High findings require manual validation and a narrative explanation; Medium/Low findings can appear in tabular format. For each finding include: Plugin ID, CVE, CVSS, affected asset, remediation, and a scanner evidence screenshot.
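The triage steps in the methodology checklist (Critical/High first, manual validation before reporting), the credential-verification plugin IDs (10394 and 110723) and the report fields listed above can be tied together in one script. The following is an added example, not code from the original page or from Tenable: it parses a constructed `.nessus` v2 export embedded inline (plugin IDs 900001 and 900002 are placeholders, not real Nessus plugins), checks per host whether the credentialed part of the scan actually ran, orders findings for triage, flags Critical/High for manual validation, and emits the tabular appendix as CSV. The `Credentialed checks : yes` output text for plugin 110723 is an assumption about that plugin's output format.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Nessus severity attribute values (0-4) as they appear in .nessus v2 exports.
SEVERITY_LABEL = {4: "Critical", 3: "High", 2: "Medium", 1: "Low", 0: "Info"}

# Verification plugin IDs from the cheatsheet: their presence shows whether
# the credentialed part of the scan ran on a host (assumed 110723 output format).
PLUGIN_SMB_LOGIN_POSSIBLE = "10394"
PLUGIN_TARGET_CREDENTIAL_STATUS = "110723"

# Constructed sample export; 900001/900002 are placeholder plugin IDs.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="constructed-demo">
  <ReportHost name="10.0.0.5">
   <ReportItem port="0" protocol="tcp" severity="0" pluginID="110723" pluginName="Target Credential Status">
    <plugin_output>Credentialed checks : yes</plugin_output>
   </ReportItem>
   <ReportItem port="445" protocol="tcp" severity="0" pluginID="10394" pluginName="Microsoft Windows SMB Login Possible"/>
   <ReportItem port="3389" protocol="tcp" severity="4" pluginID="900001" pluginName="RDP pre-auth RCE (placeholder)">
    <cve>CVE-2019-0708</cve>
    <cvss3_base_score>9.8</cvss3_base_score>
    <solution>Apply the vendor patch.</solution>
    <plugin_output>Host responded to the vulnerability probe.</plugin_output>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="22" protocol="tcp" severity="1" pluginID="900002" pluginName="SSH weak algorithms (placeholder)">
    <solution>Disable the weak algorithms.</solution>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

CSV_HEADER = ["Severity", "Asset", "Port", "Plugin ID", "Finding", "CVE", "CVSS",
              "Remediation", "Evidence", "Manual validation required", "Credentialed scan"]


def parse_nessus(xml_text):
    """Flatten every ReportItem of a .nessus v2 document into a dict per finding."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "asset": host.get("name"),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName", ""),
                "port": f'{item.get("port")}/{item.get("protocol", "tcp")}',
                "severity": int(item.get("severity", "0")),
                "cve": ", ".join(c.text for c in item.findall("cve") if c.text),
                "cvss": item.findtext("cvss3_base_score") or item.findtext("cvss_base_score") or "",
                "remediation": (item.findtext("solution") or "").strip(),
                "evidence": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def credentialed_hosts(findings):
    """Map host -> True if a verification plugin confirms credentialed checks ran."""
    hosts = {}
    for f in findings:
        hosts.setdefault(f["asset"], False)
        if f["plugin_id"] == PLUGIN_SMB_LOGIN_POSSIBLE:
            hosts[f["asset"]] = True
        elif f["plugin_id"] == PLUGIN_TARGET_CREDENTIAL_STATUS and "yes" in f["evidence"].lower():
            hosts[f["asset"]] = True
    return hosts


def unauthenticated_hosts(findings):
    """Hosts whose results are likely incomplete because no credentialed checks ran."""
    return sorted(h for h, ok in credentialed_hosts(findings).items() if not ok)


def triage(findings):
    """Order Critical -> Info and annotate each finding for the analyst."""
    creds = credentialed_hosts(findings)
    ordered = sorted(findings, key=lambda f: (-f["severity"], f["asset"], f["plugin_id"]))
    for f in ordered:
        f["label"] = SEVERITY_LABEL[f["severity"]]
        f["manual_validation_required"] = f["severity"] >= 3   # Critical/High: verify by hand first
        f["credentialed_scan"] = creds.get(f["asset"], False)
    return ordered


def to_csv(findings):
    """Tabular appendix rows; Info-level plugins are dropped from the report table."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    for f in findings:
        if f["severity"] == 0:
            continue
        writer.writerow([f["label"], f["asset"], f["port"], f["plugin_id"], f["name"], f["cve"],
                         f["cvss"], f["remediation"], f["evidence"],
                         "yes" if f["manual_validation_required"] else "no",
                         "yes" if f["credentialed_scan"] else "no"])
    return buf.getvalue()


if __name__ == "__main__":
    triaged = triage(parse_nessus(SAMPLE_NESSUS))
    print("Hosts scanned without working credentials:", unauthenticated_hosts(triaged))
    print(to_csv(triaged))
```

Hosts listed by `unauthenticated_hosts` correspond to the "Scan returns only Low/Info findings" row in the troubleshooting table: their results should be treated as incomplete rather than as evidence the host is clean. Replace `SAMPLE_NESSUS` with the contents of a real export to run it against scan output.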