Wednesday, 6 August 2025

Nessus advanced

Terrascan

Need to tick a box to download it.

Scans infrastructure as code (IaC).

Used to scan a Git repo URL, for example.

  • Log level: sets the verbosity
  • IaC type: select ARM, CFT, Docker, K8s, etc.
  • Remote type: git, s3, gcs, http, terraform-registry
Note: Git needs to be installed on the Nessus server to select the git remote type.

Reviewing results is much like a regular Nessus scan.
Click on the control to get more detail on why the control failed, etc.
For example, SSH port 22 is open to the internet.

It will give you the file / line number where it found the issue so the code can be reviewed.
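To show what such a file/line finding looks like, here is a small check added to these notes (it is not Terrascan's own policy code). It walks a constructed Terraform-style file, tracks each ingress block of an AWS security group, and reports the file and line of any rule that exposes TCP port 22 to 0.0.0.0/0 or ::/0. The file name, the sample resource and the simplified line-by-line parsing are all assumptions made for the example.

```python
"""Minimal IaC check for SSH open to the internet (example code added to
these notes, not Terrascan's own logic). Reports file:line like the
Terrascan finding described above."""
import re
from dataclasses import dataclass, field

# Constructed sample file: the first ingress rule is the bad one.
SAMPLE_TF = """\
resource "aws_security_group" "bastion" {
  name = "bastion-sg"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
"""

ANY_CIDRS = {"0.0.0.0/0", "::/0"}          # "the whole internet", v4 and v6
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')


@dataclass
class Ingress:
    line: int                                # line where the block opens
    attrs: dict = field(default_factory=dict)


def parse_ingress_blocks(text):
    """Collect every `ingress { ... }` block with its attributes and start line."""
    blocks, current, depth = [], None, 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # ignore trailing comments
        if current is None:
            if re.match(r'^ingress\s*\{', line):
                current = Ingress(lineno)
                depth = 1
            continue
        m = ATTR_RE.match(line)
        if m:
            current.attrs[m.group(1)] = m.group(2)
        depth += line.count("{") - line.count("}")
        if depth == 0:                       # block closed
            blocks.append(current)
            current = None
    return blocks


def covers_ssh(attrs):
    """True if the port range includes 22 on TCP (or protocol -1 = all)."""
    try:
        lo, hi = int(attrs.get("from_port", -1)), int(attrs.get("to_port", -1))
    except ValueError:
        return False
    proto = attrs.get("protocol", "").strip('"').lower()
    if proto not in ("tcp", "-1"):
        return False
    return lo <= 22 <= hi or (proto == "-1" and lo == 0 and hi == 0)


def open_to_world(attrs):
    """True if any IPv4/IPv6 CIDR on the rule is the any-address range."""
    raw = attrs.get("cidr_blocks", "") + attrs.get("ipv6_cidr_blocks", "")
    return any(c in ANY_CIDRS for c in re.findall(r'"([^"]+)"', raw))


def find_open_ssh(text, filename="main.tf"):
    """Return (filename, line) for each ingress block exposing SSH to everyone."""
    return [(filename, b.line) for b in parse_ingress_blocks(text)
            if covers_ssh(b.attrs) and open_to_world(b.attrs)]


if __name__ == "__main__":
    for fname, line in find_open_ssh(SAMPLE_TF):
        print(f"{fname}:{line}: SSH (22/tcp) reachable from the internet")
```

Running it prints one finding for the first ingress block; the 443 rule and the SSH rule scoped to 10.0.0.0/8 are not reported, which is the distinction a reviewer wants when following the line number back into the code.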

Attack surface discovery

This is the initial scan to see what is visible.
  • My scans > new scan
  • Select the attack surface discovery template
  • Supply a comma-separated list of top level domains, e.g. domain.com,other.com
  • Save and launch

The scan will provide results.

On the records tab we will see the IPs / hostnames that were found. We will see the record types:
  • A and AAAA
  • MX
  • NS
  • PTR
  • CNAME
  • SOA, etc.
Now we can select what was discovered:
  • Click more > create scan
  • Select a basic or advanced network scan
  • The targets field automatically populates
  • Now we can run the normal Nessus scan on the targets we discovered

Web application scanning

Traditional Nessus scans are done on IPs. Web app scans scan web applications, looking deeper into the web app. They can run with creds or without. They can look for the unknown: they will send input to web forms. There are known and unknown vulns.

A traditional Nessus scan is looking for the known. WAS investigates the web app: it will send many specially crafted requests to each page it finds.

  • Traditional will suggest patches/software upgrades to fix the problem.
  • WAS will show you leaks, but further investigation will be needed from there. You will need to work with the customer/developer.
WAS scanning sequence
  • Identify web server
  • Known web app (WordPress, Joomla, etc.)
  • Vulnerabilities on the known web apps
  • Spider through website to understand the layout
  • Identify forms (CGI, etc.)
  • Pass parameters to forms
  • Identify vulnerabilities in the web app forms, etc.
Credentialed WAS (going beyond the public areas of the web app/site)
  • Connect to website
  • Connect to login form
  • Login
  • Perform tests
  • Looking for SQL injection / XSS / session mgmt
  • Like a traditional scan, we get more info from a credentialed scan
  • WAS could have bad effects
  • Run on test/staging site (avoid live environment)
  • Scans can DDoS/overload web servers/apps (rate limit the scan, run out of hours)
  • Run with a read-only user
How to mitigate issues
  • Backup before starting scan
  • Scan a mirror of the site (test site, etc.)
  • Maintenance window for scan
  • Light scan first, followed by scan tuning
WAS workflow
  • Get website sub domains
  • Run config scan
  • Run overview scan (get creds)
  • Develop scan policy
  • Follow-up scans (code can change over time)
  • Keep WAS up to date
Sitemap.csv
This contains a list of URLs discovered / HTTP methods supported, etc.

How to enable WAS in Nessus
  • You need to have Docker installed on your Nessus server
  • Tick enable WAS
  • It will download the image
WAS Scan types

What kind of scan are we doing?
  • Risk assessment
  • Compliance requirements (credit card data requires PCI DSS, others may require CIS, etc.)
  • Data sensitivity 
  • Technology stack
  • Specific vulnerabilities 
Web app config audit scan
  • Checks HTTP headers available
  • XSS checks
  • HTTPS enforced?
  • Quick to run, good first step
SSL_TLS web app scan

  • Look for proper implementation of SSL/TLS on your web server
  • Measured against industry standards
  • Runs quickly too, good for regular checks
Web app overview scan
  • Discovery scan
  • Spider and inventory all web pages / files / folders / sub domains
  • Results stored in sitemap.csv
  • The bigger the site, the longer the scan takes

Quick scan
  • Similar to config audit scan
  • Checks common security standards
  • Checks HTTP/SSL/TLS/DNS configs

Comprehensive scan
  • Includes config audit, overview and SSL/TLS scans
  • Takes a long time depending on site size
  • Plugin family options for all web app plugins
  • The most detailed scan

Scans for special cases

PCI DSS - for the payment card industry
API - checks RESTful APIs (checking APIs is key to web app testing)
OpenAPI (previously called Swagger)
Log4Shell - for the Log4Shell issue. Needs local creds for local checks.


Overview scan
  • New scan > web app tab
  • choose "overview"
  • scan name
  • target URL

Config scan
  • New scan > web app tab
  • choose "Web app config audit"
  • scan name
  • target URL
SSL scan
  • New scan > web app tab
  • choose "SSL_TLS"
  • scan name
  • target URL
Filter results for SSL

Non-credentialed web app scan
  • New scan > web app tab
  • choose "Scan"
  • scan name
  • target URL

Credentialed web app scan

  • Credentialed scans are important as they look deeper, at all the user pages / forms, etc.
  • Identify
  • Can break sites, so best to run on a copy of the live site
  • Basic/NTLM auth (type username and password). NTLM is stronger than Basic.
  • Nessus supports cookie-based auth
    • Use web browser to login
    • Copy cookie
    • Name + Content
    • chrome://settings/siteData
    • Check limitations (https, NoScript, expiration, etc.)
  • Form-based auth (manual and Selenium scripting)
    • Login URL and form parameters
    • You can use a Selenium script
    • Plugin 98033 detects a form
    • You will give details there
    • Login page
    • Creds (username and password), field name; field value
    • Pattern for success (regex)
    • Page to verify active
    • Pattern to verify active (regex)
    • All patterns are regex
    • Selenium is used for scripting browser automation
    • Selenium IDE browser extension (record, edit and play back)
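The "check limitations" step for cookie-based auth is easy to get wrong: a copied cookie that is Secure-only, already expired, or scoped to a different domain or path gives the scanner an anonymous session without any obvious error. The script below is an example added to these notes (not Nessus's own logic): it takes the Set-Cookie header the site issued, extracts the Name + Content pair to enter in the scan, and lists those limitations against the target URL. The cookie, host names and clock values are constructed for the example.

```python
"""Pre-flight check for a session cookie copied from the browser for a
cookie-based WAS scan (example code added to these notes, not Nessus's)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample header: a cookie that expired at 10:00 UTC on scan day.
SAMPLE_SET_COOKIE = ("SESSIONID=abc123; Path=/app; Domain=.example.test; "
                     "Secure; HttpOnly; Expires=Wed, 06 Aug 2025 10:00:00 GMT")
# Constructed clock values so the check runs reproducibly offline.
SCAN_TIME = datetime(2025, 8, 6, 12, 0, tzinfo=timezone.utc)   # after expiry
EARLIER_TIME = SCAN_TIME - timedelta(hours=3)                   # before expiry


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookie_scan_warnings(header, target_url, now):
    """Return ({"name", "content"}, [warnings]) for scanning target_url at tz-aware time `now`."""
    name, value, attrs = parse_set_cookie(header)
    target = urlparse(target_url)
    host = (target.hostname or "").lower()
    path = target.path or "/"
    warnings = []

    # Secure cookies are only sent over https, so an http target never gets it.
    if "secure" in attrs and target.scheme != "https":
        warnings.append("Secure cookie: the target must be scanned over https")

    if "max-age" in attrs:
        # Max-Age counts from the moment the browser received the cookie, which
        # we do not know here; only a non-positive value is definitely dead.
        if int(attrs["max-age"]) <= 0:
            warnings.append("Max-Age<=0: the browser discards this cookie immediately")
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            warnings.append(f"cookie expired at {expires.isoformat()}: "
                            "log in again and copy a fresh one")
    # No Expires/Max-Age: session cookie, valid until the browser session ends.

    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and not (host == domain or host.endswith("." + domain)):
        warnings.append(f"Domain={domain} does not cover target host {host}")

    cookie_path = attrs.get("path", "/")
    if not path.startswith(cookie_path):
        warnings.append(f"Path={cookie_path} does not cover target path {path}")

    return {"name": name, "content": value}, warnings


if __name__ == "__main__":
    cookie, problems = cookie_scan_warnings(
        SAMPLE_SET_COOKIE, "http://www.example.test/app/", SCAN_TIME)
    print("Name + Content for the scan:", cookie)
    for problem in problems:
        print("WARNING:", problem)
```

Run against an http target after the expiry time it reports both the https requirement and the expired cookie; against https://www.example.test/app/ before expiry it reports nothing, which is the state you want before saving the scan.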

Selenium scripting

  • Chrome extension makes it easier
  • Create a new test project (give it a name)
  • Enter URL and click start recording
  • Login and do your actions
  • Open the tool again and stop recording in the top right
  • Give the script a name
  • Save it for use later

Using the script in a credentialed scan

  • New scan > web app tab
  • choose "Scan"
  • Enter scan name
  • Enter URL
  • Credentials tab
  • Select web authentication
  • Select authentication method: Selenium Authentication
  • You can upload your script file here
  • Enter the page to verify auth worked
  • Enter pattern to verify active session: Sign off (text or regex); the text method is case-insensitive
  • Save scan and launch
  • On our results, filter for selenium; in the info we should see it succeeded
  • Gives screenshots and other details of the login
  • This page is good if auth fails, to figure out what is wrong


Credentialed scan without a script (policy config)

  • New scan > web app tab
  • Choose "Scan"
  • Give the scan a name
  • Enter the URL
  • Click credentials
  • Choose authentication method "login form"
  • Login page URL (the page where the username and password are entered)
  • You can give login parameters in a .json file
  • Simple example: {"uid": "admin", "passw": "admin"}
  • Pattern to verify successful auth: "Sign off"
  • URL for active session
  • Pattern to verify active session: "Sign off"
  • Save and run scan
  • Check vulnerabilities
  • Filter for authentication
  • The info "Login form authentication succeeded"
  • You will see details here
  • Filter for failed to see details of the login failure
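Both the form-based auth settings above and this policy configuration hinge on two things: the login parameter .json file and the "verify successful auth" / "verify active session" patterns. A pattern that also matches the logged-out page (say "Welcome", present on both) lets the scan believe it is authenticated when it is not, so the unauthenticated pages are all it ever tests. The script below is an example added to these notes, not Nessus's code: it builds the .json file using the uid/passw field names from the notes and tests candidate patterns against a constructed logged-in and logged-out page, keeping only those that prove a session. That text matching is case-insensitive comes from the notes; that a regex pattern is searched anywhere in the body is an assumption.

```python
"""Check login-form scan settings before launching a credentialed WAS scan
(example code added to these notes, not Nessus's own logic)."""
import json
import re

# Constructed page bodies: one after a successful login, one anonymous.
LOGGED_IN_HTML = """<html><body>
<h1>Welcome back, admin</h1>
<a href="/logout">Sign off</a>
</body></html>"""

LOGGED_OUT_HTML = """<html><body>
<h1>Welcome to the portal</h1>
<form method="post" action="/login">
  <input name="uid"><input name="passw" type="password">
</form>
</body></html>"""


def login_params_json(username, password, user_field="uid", pass_field="passw"):
    """Return the contents of the login parameters .json file (field names from the notes)."""
    return json.dumps({user_field: username, pass_field: password})


def pattern_matches(body, pattern, is_regex=False):
    """Text patterns: case-insensitive substring. Regex patterns: searched in the body (assumed)."""
    if is_regex:
        return re.search(pattern, body) is not None
    return pattern.casefold() in body.casefold()


def usable_patterns(candidates, logged_in, logged_out):
    """Keep patterns that are present on the logged-in page and absent on the anonymous one."""
    good = []
    for pattern, is_regex in candidates:
        if (pattern_matches(logged_in, pattern, is_regex)
                and not pattern_matches(logged_out, pattern, is_regex)):
            good.append(pattern)
    return good


# Candidate (pattern, is_regex) pairs a tester might try.
CANDIDATES = [
    ("Welcome", False),             # on both pages: proves nothing
    ("sign off", False),            # text match is case-insensitive, so this works
    (r'href="/logout"', True),      # regex bound to the logout link
    (r"Welcome back, \w+", True),   # regex bound to the logged-in greeting
]

if __name__ == "__main__":
    print("login params file:", login_params_json("admin", "admin"))
    print("patterns that prove a session:",
          usable_patterns(CANDIDATES, LOGGED_IN_HTML, LOGGED_OUT_HTML))
```

Capture the two pages with a browser (logged in, then after logout) and run your intended pattern through this check; if it survives, the "Login form authentication succeeded" result in the scan actually means what it says.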