Nessus Writeup

Date: 22-10-2025 | Platform: TryHackMe | Difficulty: Easy

Overview

This TryHackMe room provides a comprehensive introduction to Nessus, one of the most widely used vulnerability scanners in cybersecurity. Nessus can identify known vulnerabilities, misconfigurations, and other exploitable weaknesses across networks and systems.

Nessus Fundamentals

What is Nessus?

Nessus is a vulnerability assessment tool developed by Tenable that uses a combination of discovery, configuration auditing, and vulnerability scanning. It can detect:

What is the name of the button which is used to launch a scan?

Answer: New Scan

The New Scan button is the primary way to initiate vulnerability scanning operations in Nessus.

Configuration and Templates

What side menu option allows us to create custom templates?

Answer: Policies

The Policies section allows for creating and managing custom scan templates. These policies define how scans are conducted, what checks are performed, and what credentials are used.

What menu allows us to change plugin properties such as hiding them or changing their severity?

Answer: Plugin Rules

Plugin Rules provide fine-grained control over vulnerability detection. Users can:

Scan Types and Configuration

Basic Scan Types

In the 'Scan Templates' section after clicking on 'New Scan', what scan allows us to see simply what hosts are alive?

Answer: Host Discovery

Host Discovery is a lightweight scan that only checks which hosts are alive, without performing a full vulnerability assessment. It is useful for mapping network topology before a heavier scan.

One of the most useful scan types, which is considered to be 'suitable for any host'?

Answer: Basic Network Scan

The Basic Network Scan is a comprehensive template that's suitable for most environments and provides a good balance of thoroughness and efficiency.

What scan allows you to 'Authenticate to hosts and enumerate missing updates'?

Answer: Credentialed Patch Audit

This scan type uses credentialed access to perform deeper enumeration, including checking for missing security patches and system updates that require authentication to verify.

What scan is specifically used for scanning Web Applications?

Answer: Web Application Tests

The Web Application Tests template includes specialized plugins for detecting web-specific vulnerabilities such as SQL injection, XSS, and other application-layer issues.

Scan Configuration

Create a new 'Basic Network Scan' targeting the deployed VM. What option can we set under 'BASIC' (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.

Answer: Schedule

The Schedule option allows for automated scanning at specified times, which is particularly useful for avoiding network congestion during business hours or peak usage times.

Under 'DISCOVERY' (on the left) set the 'Scan Type' to cover ports 1-65535. What is this type called?

Answer: Port scan (all ports)

The Port scan (all ports) option performs a comprehensive scan of all TCP ports (1-65535) rather than just the commonly used ones, providing more thorough coverage.

What 'Scan Type' can we change to under 'ADVANCED' for lower bandwidth connection?

Answer: Scan low bandwidth links

This setting throttles the scan's speed and intensity so that it is more network-friendly, reducing its impact on bandwidth-limited links and production environments.

Scan Results and Analysis

After the scan completes, which 'Vulnerability' in the 'Port scanners' family can we view the details of to see the open ports on this host?

Answer: Nessus SYN scanner

The Nessus SYN scanner plugin provides detailed information about discovered open ports and services, including port numbers, states, and associated services.

What Apache HTTP Server Version is reported by Nessus?

Answer: 2.4.99

Nessus's banner-grabbing capabilities can identify specific software versions; in this case it detected Apache HTTP Server version 2.4.99.

What is the plugin id of the plugin that determines the HTTP server type and version?

Answer: 10107

Plugin ID 10107 is dedicated to HTTP Server Version Detection, gathering server banners and response headers to identify web server types and versions.
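The two questions above (open ports from the Nessus SYN scanner, and the server version from plugin 10107) are both answered by reading the scan's exported results. The following is an added example, not part of the room or of Tenable's tooling: a small parser for the `.nessus` XML export that pulls out open ports from the "Port scanners" family and the server banner from plugin 10107. The embedded XML is a constructed sample that imitates the export layout (`NessusClientData_v2`, `ReportHost`, `ReportItem`); the host address, the SYN scanner's plugin ID of 11219 and the banner text are assumed values, not taken from the room.

```python
"""Parse a Nessus .nessus export for open ports and HTTP server versions.

Added example, not the TryHackMe room's or Tenable's own code. Assumes the
NessusClientData_v2 layout that Nessus writes when a scan is exported.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: one host, two SYN-scanner findings and one
# plugin-10107 finding. Values (IP, banner) are made up for the example;
# plugin ID 11219 for the SYN scanner is assumed, the parser keys on the
# plugin family rather than on that ID.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Basic Network Scan">
    <ReportHost name="10.10.10.10">
      <HostProperties>
        <tag name="host-ip">10.10.10.10</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="11219" pluginName="Nessus SYN scanner"
                  pluginFamily="Port scanners">
        <plugin_output>Port 22/tcp was found to be open</plugin_output>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                  pluginID="11219" pluginName="Nessus SYN scanner"
                  pluginFamily="Port scanners">
        <plugin_output>Port 80/tcp was found to be open</plugin_output>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
                  pluginID="10107" pluginName="HTTP Server Type and Version"
                  pluginFamily="Web Servers">
        <plugin_output>The remote web server type is :

Apache/2.4.99 (Ubuntu)</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """Map each ReportHost name to a list of its ReportItem findings."""
    # For exports you did not generate yourself, prefer defusedxml over
    # xml.etree to avoid entity-expansion tricks in hostile XML.
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("ReportHost"):
        items = []
        for item in host.findall("ReportItem"):
            items.append({
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "family": item.get("pluginFamily", ""),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
        hosts[host.get("name")] = items
    return hosts


def open_ports(items):
    """Unique (protocol, port) pairs reported by the Port scanners family."""
    return sorted({(i["protocol"], i["port"]) for i in items
                   if i["family"] == "Port scanners" and i["port"] > 0})


def http_server_version(items):
    """Return (server, version) from plugin 10107's banner, or None."""
    for item in items:
        if item["plugin_id"] != "10107":
            continue
        lines = [ln.strip() for ln in item["output"].splitlines() if ln.strip()]
        if not lines:
            return None
        banner = lines[-1].split()[0]          # e.g. "Apache/2.4.99"
        server, _, version = banner.partition("/")
        return (server, version or None)
    return None


if __name__ == "__main__":
    for name, items in parse_report(SAMPLE_NESSUS).items():
        print(name, "open ports:", open_ports(items))
        print(name, "HTTP server:", http_server_version(items))
```

The banner parsing takes the first token of the last non-empty output line and splits it on the slash, so it also handles banners such as `Microsoft-IIS/10.0`; a plugin-10107 item with empty output yields `None` rather than a bogus version.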

Web Application Vulnerabilities

What authentication page is discovered by the scanner that transmits credentials in cleartext?

Answer: login.php

Nessus identified a login form that transmits user credentials without proper encryption (HTTP instead of HTTPS), posing a significant security risk.

What is the file extension of the config backup?

Answer: .bak

Backup files (.bak) are commonly found during directory enumeration and can contain sensitive configuration information that should be protected or removed.

Which directory contains example documents? (This will be in a php directory)

Answer: /external/phpids/0.6/docs/examples/

The phpids directory contains the PHP Intrusion Detection System examples and documentation, which could provide insights into the application structure.

What vulnerability is this application susceptible to that is associated with X-Frame-Options?

Answer: Clickjacking

Clickjacking is mitigated by the X-Frame-Options response header. When the header is missing or misconfigured, a malicious site can embed the application in an invisible frame and trick users into clicking on it.
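An added example (not the room's or Nessus's code) of how a scanner decides whether a response is protected against framing. It generalises slightly beyond the header named in the question: browsers that support Content-Security-Policy give a `frame-ancestors` directive precedence over X-Frame-Options, so the check evaluates CSP first, then falls back to X-Frame-Options and accepts only `DENY` or `SAMEORIGIN` (the obsolete `ALLOW-FROM` form is treated as no protection). The header sets below are constructed inputs.

```python
"""Decide whether HTTP response headers protect a page against framing.

Added example, not the TryHackMe room's or Tenable's code. Header sets used
at the bottom are constructed inputs for the example.
"""

# Sources that leave frame-ancestors effectively open.
_OPEN_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def _frame_ancestors(csp_value):
    """Return the source list of a CSP frame-ancestors directive, or None."""
    for directive in csp_value.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.split()
    return None


def frame_protection(headers):
    """Return (protected, reason) for a mapping of response header name -> value."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options where CSP is supported,
    # so an open frame-ancestors undoes a DENY header.
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        lowered = [s.strip("'").lower() for s in ancestors]
        if lowered == ["none"] or lowered == ["self"]:
            return True, "CSP frame-ancestors restricts framing"
        if any(s in _OPEN_SOURCES for s in lowered) or not lowered:
            return False, "CSP frame-ancestors allows any origin to frame the page"
        return True, "CSP frame-ancestors limits framing to listed origins"

    xfo = h.get("x-frame-options", "").lower()
    if xfo in ("deny", "sameorigin"):
        return True, f"X-Frame-Options: {xfo.upper()}"
    if xfo.startswith("allow-from"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by browsers"
    if xfo:
        return False, f"X-Frame-Options value not recognised: {xfo!r}"
    return False, "no X-Frame-Options or CSP frame-ancestors present"


# Constructed header sets, as a scanner might see them on different hosts.
SAMPLES = {
    "missing": {},
    "deny": {"X-Frame-Options": "DENY"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-overrides-deny": {"X-Frame-Options": "DENY",
                           "Content-Security-Policy": "frame-ancestors *"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.invalid"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        protected, reason = frame_protection(hdrs)
        print(f"{label:>20}: {'ok' if protected else 'CLICKJACKING RISK'} ({reason})")
```

The `csp-overrides-deny` case is the one that trips up header-only checks: the X-Frame-Options header looks correct, but the CSP policy sent alongside it permits any origin to frame the page, so the effective protection is none.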

Nessus Best Practices

Scan Planning

Performance Optimization

Result Analysis

When to Use Different Scan Types

Host Discovery

Use when you need to map live hosts on a network without performing vulnerability scans.

Basic Network Scan

Best starting point for comprehensive vulnerability assessments on most systems.

Credentialed Patch Audit

Essential for internal assessments requiring authenticated access to detect missing patches.

Web Application Tests

Specialized scanning for web applications requiring OWASP Top 10 coverage.

Common Nessus Plugin Families

Nessus vs Other Scanners

Nessus Strengths

Competitive Considerations

Compliance and Integration

Nessus supports various compliance frameworks and can integrate with:

Lessons Learned

Troubleshooting Common Issues

Network Issues

Performance Optimization

Agent Issues

Future of Vulnerability Scanning

As Nessus continues to evolve: