🛡️ Methodology Checklist
- Start Nessus: sudo systemctl start nessusd
- Log in at https://localhost:8834
- Create new scan: choose Advanced Scan or Basic Network Scan
- Input target IPs/CIDRs matching scope
- Add credentials under Credentials tab (SSH, SMB, SNMP)
- Launch scan and monitor progress
- Triage results: Critical → High → Medium → Low
- Export and integrate into engagement documentation
🎯 Operational Context
Think Dumber First: Start with an Advanced Scan policy — it gives maximum control over credentials, performance, and plugin selection. Save scan policy before running — recreating policy settings is tedious. Always download both .nessus (XML) and CSV formats for documentation. Name scans with date and target subnet for audit trail.
When you land here: Need to run an authenticated VA scan. Start Nessus (sudo systemctl start nessusd). Create policy → create scan → configure credentials → launch. Monitor progress in the UI. Export results in multiple formats after completion.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo dpkg -i [NESSUS_PACKAGE].deb | Install Nessus Debian package |
| sudo systemctl start nessusd.service | Start Nessus service |
| sudo systemctl status nessusd.service | Check service status |
| sudo apt install vnstat && sudo vnstat -l -i tun0 | Monitor scan bandwidth impact |
| ./nessus_report_downloader.rb | CLI report download via API |
🔬 Deep Dive & Workflow
Access: https://[TARGET_IP]:8834 | Default lab creds: htb-student / HTB_@cademy_student!
Scan Templates
| Template | Use Case |
|---|---|
| Host Discovery | Ping sweep — find live hosts, no vuln checking |
| Basic Network Scan | Standard choice — full system scan |
| Advanced Scan | Granular plugin/performance tuning |
| Credentialed Patch Audit | Logs in to check missing patches (most accurate) |
| Web Application Tests | OWASP Top 10 style scanning |
Scan Configuration Key Settings
- Discovery → Port Scan: All Ports (critical for non-standard services like VNC)
- Discovery → Fragile Devices: Disable “Scan Network Printers” (crashes printers)
- Assessment → Brute Force: Can use built-in Hydra with wordlists
- Assessment → RID Brute Force: Windows/AD user enumeration (UID 1000-1200 range)
- Advanced → Safe Checks: ALWAYS ENABLED — prevents crashing services
- Advanced → Performance → Throttle: Slow down on network congestion
Credentialed Scanning
The gold standard for internal assessments. Supports:
- Windows: Password, Kerberos, LM/NTLM Hash
- Linux: SSH (Password, Public Key, Certificate)
- Services: HTTP Form Auth, FTP, Telnet, IMAP
| OS | Username | Password |
|---|---|---|
| Linux | htb-student_adm | HTB_@cademy_student! |
| Windows | administrator | Academy_VA_adm1! |
Verify auth succeeded: Look for Plugin 110723 (Target Credential Status) or 10394 (SMB Log In Possible). “Authentication Failure - Local Checks Not Run” = credentials failed.
Scan Policies (Reusable Templates)
Create saved configs: New Policy → select base (Advanced Scan) → customize → save → appears under “User Defined” tab.
Use case: Save “Web Focus” policy that enables web spidering + disables Safe Checks, or “Stealth” policy with low packet rates.
Scan Issues & Mitigation
| Issue | Symptom | Fix |
|---|---|---|
| Firewall blocking | 0 hosts up OR all ports open | Disable “Ping remote host” |
| Fragile hosts | Legacy/OT/SCADA crash | Exclude IPs or use nessusd.rules |
| Network congestion | High latency, dropped packets | Reduce “Max Concurrent Checks Per Host” |
| Service crashes | Daemons stopping | Enable “Safe Checks” |
| VPN instability during exam | Unstable connection | Pause scan, reduce concurrent checks |
Export Formats
| Format | Best Use |
|---|---|
| PDF/HTML | Executive reports, appendix |
| CSV | Analytics (Splunk), large dataset filtering |
| .nessus XML | Tool imports (EyeWitness, Metasploit) |
| .db | Full archival, scanner migration |
Never submit raw Nessus PDF as final deliverable. Use it as supplementary data only.
Plugin Rules (False Positive Suppression)
Resources → Plugin Rules → New Rule → set “Hide this result” for specific Host + Plugin ID.
Exam Strategy
- Scans take 1-2 hours — analyze vulnerabilities as they appear, don’t wait for completion
- Found credentials? → immediately run Credentialed Patch Audit → finds Critical vulns blind scans miss
- Bad VPN? → use nessus_report_downloader.rb → choose .nessus (option 0) — smallest file
Notable Plugin IDs
| Plugin ID | Description |
|---|---|
| 10394 | Microsoft Windows SMB Login Possible |
| 110723 | Target Credential Status |
| 10396 | Accessible SMB Shares |
| 10335 | VNC Server Detected |
| 26925 | VNC Server Password Strength |
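The credential check above (plugin 110723 / 10394 present, or the “Authentication Failure - Local Checks Not Run” plugin present) and the Critical → High → Medium → Low triage, applied to a .nessus XML export and flattened into report-ready CSV rows with plugin ID and CVE, as an added Python example that is not part of these notes. It assumes the v2 ReportHost/ReportItem attribute names (pluginID, pluginName, severity 0-4, port) and runs on a constructed excerpt in which the CVE and the plugin ID 99999 are placeholders.

```python
import csv
import io
import xml.etree.ElementTree as ET

SEVERITY = {4: "Critical", 3: "High", 2: "Medium", 1: "Low", 0: "Info"}
CRED_OK_PLUGINS = {"110723", "10394"}  # "auth succeeded" plugin IDs from the notes
AUTH_FAIL_TEXT = "Authentication Failure - Local Checks Not Run"

# Constructed .nessus (v2) excerpt, not real scan output; CVE and pluginID 99999 are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="lab-va"><ReportHost name="10.129.2.28">
<ReportItem port="0" severity="0" pluginID="110723" pluginName="Target Credential Status"/>
<ReportItem port="5900" severity="4" pluginID="26925" pluginName="VNC Server Password Strength"><cve>CVE-0000-0001</cve></ReportItem>
<ReportItem port="445" severity="2" pluginID="10396" pluginName="Accessible SMB Shares"/>
</ReportHost><ReportHost name="10.129.2.30">
<ReportItem port="0" severity="0" pluginID="99999" pluginName="Authentication Failure - Local Checks Not Run"/>
<ReportItem port="5900" severity="4" pluginID="26925" pluginName="VNC Server Password Strength"/>
</ReportHost></Report></NessusClientData_v2>"""

def parse_findings(xml_text):
    """Flatten every ReportItem into the fields the triage and report steps need."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"), "port": item.get("port"),
                "plugin_id": item.get("pluginID"), "plugin_name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "cves": [c.text for c in item.findall("cve")],
            })
    return findings

def credential_status(findings):
    """Per host: True only if a credential-success plugin fired and no auth-failure plugin did."""
    ok = {f["host"] for f in findings if f["plugin_id"] in CRED_OK_PLUGINS}
    failed = {f["host"] for f in findings if AUTH_FAIL_TEXT in f["plugin_name"]}
    return {f["host"]: f["host"] in ok and f["host"] not in failed for f in findings}

def triage(findings):
    """Work queue order Critical -> High -> Medium -> Low; Info rows are left out."""
    rated = [f for f in findings if f["severity"] > 0]
    return sorted(rated, key=lambda f: (-f["severity"], f["host"], f["plugin_id"]))

def report_csv(findings):
    """One CSV row per rated finding with plugin ID and CVE reference for the report template."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["host", "port", "severity", "plugin_id", "plugin_name", "cve"])
    w.writerows([[f["host"], f["port"], SEVERITY[f["severity"]], f["plugin_id"],
                  f["plugin_name"], ";".join(f["cves"]) or "n/a"] for f in triage(findings)])
    return buf.getvalue()
```

Hosts that come back False from credential_status need their credentials fixed and rescanned before their Critical/High rows are trusted, since the local checks never ran there.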
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Nessus daemon won’t start | Port 8834 in use or service crash | sudo systemctl restart nessusd; check netstat -tlnp \| grep 8834; review /opt/nessus/var/nessus/logs/nessusd.messages |
| Scan completes but shows 0 hosts scanned | Network ACL blocking scanner | Ping from Nessus host to target; check Windows Firewall; pre-authorize scanner IP on target network |
| Plugin feed update fails | Internet connectivity blocked from Nessus host | Run nessuscli update --all; if air-gapped, download offline feed from Tenable portal and import manually |
| SMB credential test shows ‘Authentication failure’ | Wrong credential format or SMB signing | Verify creds manually: smbclient -U [USER]%[PASS] -L //[TARGET]; ensure domain format: DOMAIN\user |
| License expired — scans won’t launch | Trial or professional license lapsed | Generate new activation code from Tenable.com portal; nessuscli fetch --register [ACTIVATION_CODE] |
📝 Reporting Trigger
Finding Title: (Nessus is the scanning platform — export findings as CSV for import into report template. Critical and High plugin results require manual verification. Include Nessus plugin ID and CVE reference for each finding. Screenshot scanner UI showing vulnerability detail as evidence.)