Pin Me

Security How-To: Scanning a URL and Database with the Nessus Scanner

written by: Jeffrey Davis•edited by: Bill Fulks•updated: 7/31/2010

Knowing what's going on with your hosted website is crucial to ensuring that uptime is stabilized, TCP ports are set without open vulnerabilities, database stores are functioning properly and that everything is running like it should, and Tenable Nessus detects and shows it all by level of severity.

  • slide 1 of 8

    Introduction

    Knowing what's going on with your hosted website is crucial to ensuring that uptime is stabilized, TCP ports are set adequately and without dangerous vulnerabilities and that everything is running like it should. You may also want to ensure that your website database functions relative to server-executed application scripts (like Drupal or Joomla) can properly access their database stores (like with MySQL, for instance). Tenable Nessus does all of this and displays it online using a concise, easy to browse interface that shows what's good and what's not exemplified from low risk to excruciatingly high. So how does one use Nessus to run a scan for these potential issues?

    In our general overview of using Tenable Nessus, we ran an overview of the client interface across all four main functions of the software. In this guide, we're going to get into the meaty core of actually running a Nessus scan.

  • slide 2 of 8

    Getting Started

    The first order of business is to access the client interface (assuming you have everything set up properly) by typing https://localhost:8834/ into the provided space in your web browser. (Don't freak over any security errors, though -- Nessus is totally harmless.) Next, be sure to log in with the administrator account for adequate results. Note that I will be leaving out the username herein for my own privacy, but make sure that you actually specify your log in using the spaces provided, and click login as pictured:

    Nessus Client Login 

    Once you're in, you should arrive at the reports screen as pictured:

    Nessus Reports Screen 

    As described in our Using Nessus Scanner guide, the top rows of the navigation bar encompass the means to access the functions of the scanner interface. The three options in the top row are unnecessary for this guide -- and we certainly don't want to log out prematurely, either. Just turn your attention to the bottom row of the navigation bar, which links up the four screens we can access, as well as the name of the current screen as pictured below:

    Nessus Client Navigation Bar 

    Before we proceed further, we need a scanning policy established before we can actually run a scan for the first time, so click Policies (it's the third item from the right within the light blue area of the second row). You should arrive at the following screen:

    Default Policies Screen 

    In the next two sections we are actually going to add our first scan policy.

  • slide 3 of 8

    Steps One and Two of Creating a Policy

    Begin the procedure of adding a policy by clicking the Add button. You should see the following:

    Adding Basic Policy Information 

    Now enter the basic details for the scan here before we proceed. We need to name the scan policy of course, so put that in. We are going to use bhtest for this example; you can name yours practically anything. The scan options default to using safe checks and silent dependencies so leave those as is; we probably shouldn't mess with those. Ensure that consider unopened ports as closed is checked as well, since we want to have clean results without unneeded filler, and littering the results with false positives just ain't in our best interests here. You may as well check the options to log scan details to server, stop host scan on disconnect and to avoid sequential scans for the purposes of using failsafe processing and (in the case of the scan log) to have future reference later. Saving to the knowledge base -- and using the options to the right -- can be done as you wish, as it doesn't hurt either way. Your display should reflect the adjustments like this:

    Basic Policy Specifications Example 

    Click Next, and you will come to the credentials specification screen as pictured below:

    Adding Credentials Information 

    You may actually be able to leave this blank, if you can believe that one. As such, we're going to skip this and click Next again. (You can always add the information later if you discover that you actually need it by simply clicking the policy after creating it and clicking edit to repeat this process with esisting information already filled out.)

    Continued: Steps three and four of the policy builder, and running our first scan

  • slide 4 of 8
    It pays to be on top of ensuring that uptime is stabilized, TCP ports are set without open vulnerabilities, database stores are functioning properly and that everything is running like it should with your website hosting, and Tenable Nessus detects and shows it all using a concise, easy to browse interface that tells you what's good and what's not exemplified from low risk to excruciatingly high. Page two of our URL scanning guide for Tenable Nessus guides you through specifying the second half of a typical Nessus scanning policy, beginning the addition of a scan profile and specifying the URL address to be scanned.
  • slide 5 of 8

    Steps Three and Four of Creating a Policy

    After clicking Next, you should come to the Plugins selector as pictured below:

    Choosing Scanner Plugins 

    In most cases, you don't need to specify the use of any plugins (we sure aren't going to here, but your situation may differ in which case you can check of any plugins you desire, or all of them if needed). So let's go ahead and click Next to proceed to the final step of adding our first policy, as shown below:

    Setting Database Settings Preferences 

    As you can see, we are now going to set plugin options. Since we didn't set up any optional plugins (which is why that wasn't a typo in the picture caption) we only have the basic scan procedures to configure. The only one of note here is the database settings, so let's configure that real quick. For the example here, we are going to use a MySQL scan profile so change the database type accordingly to get the result shown below:

    Specifying a MySQL Database Scan 

    We're done now, so click Submit and our policy will display in the list as shown below:

  • slide 6 of 8

    Configuring a Scan

    We are now ready to scan a URL for database and server compliance. Go to the scan page (immediately to the left of Policies on the navigation bar) and you should come to the following screen:

    Nessus Scans Screen 

    As we did for creating a policy, we need to add a scan profile here. Unlike policies, scans can be set up for one-time, immediate use so let's use that option as we go through the process. Begin by using the Add button (I honestly wish there was a scan now choice, but such is life, eh?) You should see the following:

    Setting Up a Scan 

    Now we need to provide the information on what internet location to scan. You could input an IP address; however it's much better to provide the location in URL (domain name) format. For the purposes of this guide I will use an address for a blog archive used with my primary URL, which due to constraints involving my website being hosted with Google's Blogger service (as I have not tested a subdomain configured to such a hosted domain using an external hosting provider by enough measures to configure the archive by other means) I will be using a double subdomain registered to a free website hosting provider (structured in the format of addedsub.mainsub.hostingprovider.com). The actual URL is listed in the pictured example within a multi-line URL specifications box (the fourth option from the top); in other words, we can specify more than one URL with each address provided line by line.

    Continued: finishing scan preparations and beginning the scan process

  • slide 7 of 8
    It pays to be on top of ensuring that uptime is stabilized, TCP ports are set without open vulnerabilities, and that everything is running like it should with your website hosting. You probably also want to be sure that that your website database functions (like in MySQL) are functioning properly relative to their linked server-executed application scripts (like Drupal or Joomla). Tenable Nessus does all of this and shows it all using a concise, easy to browse interface that tells you what's good and what's not exemplified from low risk to excruciatingly high. This final page of our guide to running a Nessus scan finishes the process of creating a scan profile, and walks you across the results browser.
  • slide 8 of 8

    Running and Monitoring the Scan

    Of course, we're only using one line in this example, so additional URL inputs aren't necessary for the purpose of this guide, but rest assured that you really do have such an option in case you actually need it. Above the URL targets box, you should notice a policy selector drop-down; select the bhtest policy we created earlier for the scan processing that will be done shortly. Finally, in the very top box type a reference name for your scan to view the results at a later time from the reports page. The bhtest name was used again for the reference name for our example scan (yes, Nessus really does permit the same reference name to be used for both policy profiles and scan reference names) but we can skip the targets file in this case as we already specified our scan target (you will really only need to use one or the other, and a standard ASCII text file is required -- no Unicode is permitted, unfortunately). We're now ready to proceed, so click Launch Scan and the progress will be displayed as follows:

    The Scan in Progress 

    You can hit the browse toggle at any time to view the progress of a scan by URL, as follows:

    Browsing Addresses Used for a Scan 

    Each URL will have a full yellow bar with Complete in the middle after being scanned, with progress percentage displayed until then). You can also view the results to date per URL, in addition to the final results for that URL by clicking the applicable host URL which brings up the following:

    Browsing URL Details for a Scan 

    And you can further navigate by clicking the results for a specific TCP port by clicking it in the list for its detailed results as in the following example:

    Browsing TCP Port Details 

    One last note or three: if at any time you want to refer to your scan results you can do so from the reports screen. Navigation of the reports themselves need only require you to click the breadcrumb toggles above the results list, or simply use the category selector on the upper portion of the far-left area to move between report information, scanned hosts and port scan results and choose any relevant options from there.

    And that's a wrap! If you found this useful, then be sure to check any of the other how-to guides available right here on the Hub. Until next time...