Network Scanning Using Nessus

December 13, 2012 by Kamal B

What is Nessus?

If you are looking for a vulnerability scanner, you might have come across several expensive commercial products and tools with a wide range of features and benefits.

If a free, full-featured vulnerability scanner is on your mind, then it's time you know about Nessus. This article covers installation, configuring, selecting policies, starting a scan, and analyzing the reports using NESSUS Vulnerability Scanner.


Nessus was founded by Renaud Deraison in 1998 to provide the Internet community with a free remote security scanner. It is a full-fledged vulnerability scanner that lets you detect potential vulnerabilities in systems. Nessus is the world's most popular vulnerability scanning tool and is supported by most research teams around the world.

The tool is free of cost for personal use in a non-enterprise environment. Nessus uses a web interface to set up scans, run them, and view reports. It has one of the largest vulnerability knowledge bases available, and this knowledge base is a large part of why the tool is so popular.

Key features

  • Identifies vulnerabilities that allow a remote attacker to access sensitive information from the system
  • Checks whether the systems in the network have the latest software patches
  • Tries default and common passwords on system accounts
  • Configuration audits
  • Vulnerability analysis
  • Mobile device audits
  • Customized reporting

For more details on the features of Nessus, visit: http://www.tenable.com/products/nessus/nessus-product-overview/nessus-features.

Operating systems supported by Nessus

  • Microsoft Windows XP/Vista/7
  • Linux
  • Mac OS X (10.5 and higher)
  • FreeBSD
  • Sun Solaris and many more

Installation and configuration

  • You can download the Nessus home feed (free) or professional feed from the following link:

http://www.tenable.com/products/nessus/

  • Once you download the Nessus tool, you need to register with the Nessus official website to generate the activation key, which is required to use the Nessus tool. You can do it from the following link:

    (http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code)

    • Click on "Nessus for Home" and enter the required details.
    • An e-mail with an activation key will be sent to your mail.
  • Install the tool. (Installation of Nessus can be quite confusing, so the tutorials are useful.) For installation guidelines go to http://static.tenable.com/documentation/nessus_5.0_installation_guide.pdf, find your operating system, and follow the steps in the PDF.
  • Open Nessus in the browser; normally it runs on port 8834 (http://localhost:8834/WelcomeToNessus-Install/welcome) and follow the on-screen instructions.

  • Create an account with Nessus.
  • Enter the activation code you obtained by registering with the Nessus website. You can also configure a proxy if needed by giving the proxy hostname, proxy username, and password.
  • The scanner is then registered with Tenable and the user is created.
  • Download the necessary plug-ins. (Downloading the plug-ins takes some time; while you wait, you can go through the vast list of resources available for Nessus users.)

Once the plug-ins are downloaded, Nessus automatically redirects you to a login screen. Provide the username and password that you created earlier to log in.

Running the tool

Nessus gives you many choices when it comes to running the actual vulnerability scan. You can scan individual computers, ranges of IP addresses, or complete subnets. Nessus has over 1200 vulnerability plug-ins, which allow you to specify an individual vulnerability or a set of vulnerabilities to test for. In contrast to other tools, Nessus doesn't assume that specific services run on their common ports; instead, it tries to exploit the vulnerabilities.

Among the foundations for discovering the vulnerabilities in a network are:

  • Knowing which systems exist
  • Knowing which ports are open and which listening services are available on those ports
  • Determining which operating system is running on the remote machine

Once you log in to Nessus using the web interface, you will see various options, such as:

  • Policies--where you configure the options required for a scan
  • Scans--for adding different scans
  • Reports--for analyzing the results

The basic workflow of Nessus is: log in, create or configure a policy, run the scan, and analyze the results.

Policies

A policy defines the set of vulnerability tests that Nessus performs on the target machine. By default, Nessus ships with four policies.

Figure A

Figure (A) shows the default policies that come with Nessus.

External network scan

This policy is preconfigured so that Nessus scans externally facing hosts that provide services to the host. It scans all 65,535 ports of the target machine. It is also configured with the plug-ins required for web application vulnerability tests such as XSS.

Internal network scan

This policy is configured to scan large internal networks with many hosts, services, embedded systems like printers, etc. This policy scans only standard ports instead of scanning all 65,535 ports.

Web app tests

Nessus uses this policy to detect different types of vulnerabilities existing in web applications. It has the capability to spider the entire website to discover the content and links in the application. Once the spider process has been completed, Nessus starts to discover the vulnerabilities that exist in the application.

Prepare for PCI DSS audits

This policy has PCI DSS (Payment Card Industry Data Security Standard) checks enabled. Nessus compares the results with the standard and produces a report for the scan. The scan doesn't guarantee a secure infrastructure, but organizations preparing for a PCI DSS audit can use this policy to prepare their network and systems.

Apart from these pre-configured policies, you can also upload a policy by clicking on "Upload" or configure your own policy for your specific scan requirements by clicking on "New Policy."

Configuring the policy

  • Click on the Policies tab on the top of the screen
  • Click on the New Policy button to create a new policy

Under the General settings tab select the "setting type," based on the scan requirement, such as Port Scanning, Performance Scanning, etc. Based on this type, Nessus prompts you for different options to be selected. For example, "Port Scanning" has the following options:

Figure B

Figure (B) shows the configuration options for Port Scanning.

Enter the port scan range. By default, Nessus scans all the TCP ports in the /etc/services file. You can limit the ports by specifying them manually (for example, 20-30). You have different scanners available, such as the Nessus SNMP scanner, SSH scanner, ping remote host, TCP Scanner, SYN scanner, etc. Enable by checking the check box as per the scan requirement.

  • Enter the credentials for the scan to use. You can use a single set of credentials or multiple sets if you have to. You can also run the scan without entering any credentials.
  • The Plug-ins tab lists a number of plug-ins. By default, Nessus has all the plug-ins enabled. You can enable or disable all the plug-ins at once, or enable a few from a plug-in family as per the scan you'd like to perform. You can also disable unwanted plug-ins within a plug-in family by clicking on that particular plug-in.

Figure C

Figure (C) shows the sub-plug-ins under the "backdoors" plug-in family.

In Figure (C), green indicates the parent plug-in family (backdoors) and blue indicates the sub-plug-ins under it. You can enable or disable each one by simply clicking on the Enabled button.

  • In Policy Preferences, a drop-down box lets you select different types of plug-ins. Select the plug-in based on the scan requirement and specify the settings the plug-in needs. Click "Finish" once completed. For example, configuring database settings:

Figure D

Figure (D) shows the configuration of the database settings plug-in.

Scans

Once you are done configuring the policies as per your scan requirement, you need to configure the scan details properly. You can do this under the Scan tab.

Under the Scan tab, you can create a new scan by clicking "New Scan" on the top right. Then a pop-up appears where you need to enter the details, such as Scan Name, Scan Type, Scan Policy, and Target.

  • Scan Name: The name that you want to give to the scan.
  • Scan Type: You can run the scan immediately by selecting "RUN NOW," or you can make a template which you can launch later when you want to run the scan. All templates are listed under the Template tab beside the Scan tab.
  • Scan Policy: Select the policy that you configured previously in the Policies section.
  • Select Target: Enter the target machine(s) that you are planning to test. The time Nessus takes to scan depends on the targets.

Results

Once the scanning process has been completed successfully, results can be analyzed.

  • You can see the name of the scan under the Results section. Click on the name to see the report.
  • Hosts--Lists all the target systems you have scanned.
  • Vulnerabilities--Displays all the vulnerabilities found on the target machines that have been tested.
  • Export Results--You can export the results into various formats such as HTML, PDF, etc. You can also export an individual section or the complete result, based on your requirement.

Let us try an example now

I have configured a policy named "Basic Scan." There are many options while configuring or building the policy, such as port scanners, tool performance, advanced settings, etc.

Figure E

Figure (E) shows configuration settings of Port Scanning for the policy "Basic Scan."

You don't need credentials for this example, so skip the Credentials tab and move to the Plug-ins tab. Here you configure the specific plug-ins as per the requirements of the scan you want to perform on the remote machine.

Figure F

Figure (F) shows the plug-ins I have enabled for the policy "Basic Scan." I have enabled a few plug-ins for the Windows machine scan.

Figure G

Figure (G) shows configuring the scan.

I have configured the scan to run instantly with the policy that I created earlier, and the scan target specifies the IP address I want to scan.

Once all the details have been entered, click on Create Scan. The scan then shows as running, as in Figure (H) below:

Figure H

Once the scanning has been completed, you can see the results in the Results tab, as Figure (I) shows.

Figure I

Double-clicking on the title displays the scan results.

Figure J

Figure (J) shows the Hosts details. It includes all the targets that you scanned during the test. Double-clicking on a host address displays the vulnerabilities Nessus identified on it during the test. You can also click on the Vulnerabilities tab to check out the vulnerabilities.

Figure K

Figure (K) shows the vulnerabilities that Nessus found during its scan. Nessus marks the risk as high, medium, info, etc. Clicking on a vulnerability gives you a brief description of it.

For example, let us go with the Netstat port scanner, which displays the following information:

Figure L

Figure (L) shows the ports open on the target machine.

In the same manner you can analyze the complete details by clicking on each vulnerability. Nessus also suggests solutions or remedies for the vulnerabilities, with a few references.
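As an added example that is not part of the original article, the following Python script parses a Nessus v2 XML export (the ".nessus" file that Export Results produces) and builds the same view the Results tab gives you: per host, the operating system, the open ports the port scanner found, and the findings with their severity and suggested solution. The embedded export is constructed for illustration, and every pluginID except 19506 (Nessus Scan Information) is a placeholder.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a Nessus v2 export (.nessus); the host, OS and findings
# are made up, and pluginID values other than 19506 are placeholders.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Basic Scan">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
        <tag name="operating-system">Microsoft Windows 7</tag>
      </HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="PLACEHOLDER-1" pluginName="Example high-severity finding" pluginFamily="Windows">
        <risk_factor>High</risk_factor>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2" pluginID="PLACEHOLDER-2" pluginName="Example medium-severity finding" pluginFamily="Windows">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""
# Severity attribute values as used in the .nessus v2 format.
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}


def parse_nessus(xml_text):
    """Return {host_ip: {"os": str, "open_ports": set, "findings": list}}."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        hp = host.find("HostProperties")
        props = {t.get("name"): t.text for t in (hp if hp is not None else [])}
        entry = {"os": props.get("operating-system", "unknown"), "open_ports": set(), "findings": []}
        for item in host.iter("ReportItem"):
            port = int(item.get("port", "0"))
            if port:  # port 0 carries host-level findings, not a listening service
                entry["open_ports"].add((port, item.get("protocol")))
            entry["findings"].append({"severity": SEVERITY.get(item.get("severity"), "Unknown"),
                                      "plugin": item.get("pluginName"), "port": port,
                                      "solution": (item.findtext("solution") or "").strip()})
        hosts[props.get("host-ip", host.get("name"))] = entry
    return hosts


def severity_counts(hosts):
    """Count findings per severity across all hosts, leaving out Info entries."""
    return Counter(f["severity"] for h in hosts.values() for f in h["findings"] if f["severity"] != "Info")
```

Run it against a real export by replacing SAMPLE_NESSUS with the file contents; the Info filter in severity_counts keeps scan-information and port-scanner entries from swamping the real findings.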

Conclusion

Nessus is a tool that automates the process of scanning the network and web applications for vulnerabilities. It also suggests solutions for the vulnerabilities that are identified during the scan.

References

Nessus configuration options and screenshots

http://static.tenable.com/documentation/nessus_5.0_installation_guide.pdf

http://static.tenable.com/documentation/nessus_5.0_HTML5_user_guide.pdf


http://static.tenable.com/documentation/WhatIsNewNessus5.pdf

Kamal B

Kamal B is an Information Security Professional with experience in penetration testing of web applications. Currently a researcher with InfoSec Institute, his blog is located at http://www.securitybasics.wordpress.com