Tuesday 15 February 2022

Nessus scan

Scan box only has DisplayPort + HDMI out, so you might need cables

Make sure the time + date are set correctly

Make sure you have internet access on the scan box (may need firewall rules and SSL-inspection exclusions)

Run software and plugin updates

Ask for the AV/firewall not to log the scan box, as it will create SIEM alerts

Copy from previous scan 

Don't use scheduled scans: it will just generate alerts for the customer when it kicks off again in a month's time

Configure networks (get them from the firewall, LAN switch, etc.)

Don't forget AnyConnect and Wi-Fi pools / ranges

Watch out for Citrix, GlobalProtect or other remote-access ranges

Once you have the list of networks, email the customer that list and ask if there is anything to add. Also get credentials (Windows / SSH / SNMP). Inform them the scan may set off alerts in their system logs (FW/SIEM/SOAR/SOC/EDR/AV etc.). We will create some temporary rules to allow it access.
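The network list above comes from several places (firewall, LAN switch, AnyConnect pool, Wi-Fi ranges) and the handed-over lists often nest or overlap. The script below is an added example, not part of the original notes: it parses each source's entries (CIDR, bare host or dashed range), collapses them into one de-duplicated list suitable for the customer email and the Nessus target box, reports which ranges appear under more than one source so you can confirm them with the customer, and totals the address count as a rough gauge of how long the scan may run. The source names and addresses are constructed sample data.

```python
"""Consolidate candidate scan targets gathered from several sources into one
de-duplicated list, flagging ranges that overlap between sources.

Added example; the source names and address ranges below are constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample input: source name -> entries in the forms each source
# typically hands over (CIDR, single host, or 'first-last' dashed range).
SOURCES = {
    "firewall":   ["10.10.0.0/16", "192.168.50.0/24"],
    "lan-switch": ["10.10.20.0/24", "10.10.21.0/24"],      # nested in 10.10.0.0/16
    "anyconnect": ["172.16.100.0/23"],
    "wifi":       ["192.168.60.0-192.168.60.255", "172.16.101.0/24"],  # overlaps AnyConnect
}


def parse_entry(entry):
    """Turn one CIDR, single host or 'a.b.c.d-e.f.g.h' range into a list of networks."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        # A dashed range may need several CIDR blocks to cover it exactly.
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False accepts host bits set (e.g. 10.10.20.1/24) and a bare host (/32).
    return [ipaddress.ip_network(entry, strict=False)]


def consolidate(sources):
    """Return (collapsed, overlaps).

    collapsed: sorted list of networks with nested/adjacent ranges merged.
    overlaps:  (net_a, sources_a, net_b, sources_b) for every pair of entries
               that overlap but were supplied by different sources; these are
               the ones worth confirming with the customer before scanning."""
    owners = defaultdict(set)          # network -> set of source names
    for name, entries in sources.items():
        for entry in entries:
            for net in parse_entry(entry):
                owners[net].add(name)

    nets = list(owners)
    overlaps = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b) and owners[a] != owners[b]:
                overlaps.append((a, sorted(owners[a]), b, sorted(owners[b])))

    collapsed = sorted(ipaddress.collapse_addresses(nets))
    return collapsed, overlaps


def address_count(nets):
    """Total addresses in the target list; a rough proxy for scan duration."""
    return sum(n.num_addresses for n in nets)


def nessus_targets(nets):
    """Comma-separated form that can be pasted into the Nessus target field."""
    return ",".join(str(n) for n in nets)


if __name__ == "__main__":
    collapsed, overlaps = consolidate(SOURCES)
    print("Targets:", nessus_targets(collapsed))
    print("Addresses in scope:", address_count(collapsed))
    for a, sa, b, sb in overlaps:
        print(f"Check with customer: {a} ({','.join(sa)}) overlaps {b} ({','.join(sb)})")
```

Nested ranges such as the switch VLANs inside the firewall's /16 are merged rather than scanned twice; the overlap report is what goes back to the customer alongside the list, since a range claimed by two sources often means one of them is stale.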

Clear the log file and restart the service before starting the scan. (https://avleonov.com/2018/03/14/dealing-with-nessus-logs/)

Start the scan just before 9am (Tuesday is good) to catch as many point-in-time hosts as possible. Scans can run for hours or even days and users may connect/disconnect during this time.

After the first scan, check how long it took to complete and whether there were any errors or notes. Were any important networks missed?

Generate and write report


Nessus scan first setup

Choose Advanced Scan

Give it a name

Discovery -> turn off "Ping the remote host"

Port scanning -> can use the default range or all ports:

T:1-65535,U:1-1024

Local port enumerators (leave as is)

Use SYN scan

Turn on UDP

Service discovery:

probe all ports

search for SSL/TLS on all ports

Assessment -> tick "Perform thorough tests"

Brute force -> tick "Only use credentials provided by the user"

Web application -> don't scan web applications if we are just doing an infra scan

Report -> untick "Show missing patches that have been superseded"

Tick "Designate hosts by their DNS name"

Advanced -> can usually be left as is, but on a flat network you can tick the options that slow down the scan.

For an internal scan we want to add credentials for Windows / SSH / SNMP. Ask for a temporary admin user to run the scan.

Enable a schedule (once a quarter etc.)



Network Detective tool

This is more MS- and AD-focused but can give good results, like a list of users whose passwords are set not to expire.

Run "RunNetworkDetective" as administrator

Give credentials

Give the domain controller IP

Send the output to R to run the report from the reporting tool

