The scan box only has DisplayPort and HDMI out, so you might need cables.
Make sure the time and date are set correctly.
Make sure you have internet access on the scan box (you may need firewall rules and SSL inspection exclusions).
Run software and plugin updates.
Ask for the AV/firewall not to log the scanner, as it will create SIEM alerts.
Copy from the previous scan.
Don't use scheduled scans, because it will just generate alerts for the customer when it kicks off again in a month's time.
Configure the networks (get them from the firewall, LAN switch etc.).
Don't forget the AnyConnect and WiFi pools/ranges.
Watch out for Citrix, GlobalProtect or other remote access ranges.
Once you have the list of networks, email the customer that list and ask if there is anything to add. Also get credentials (Windows/SSH/SNMP). Inform them the scan may set off alerts in their system logs (FW/SIEM/SOAR/SOC/EDR/AV etc.); we will create some temp rules to allow it access.
Clear the log file and restart the service before starting the scan (https://avleonov.com/2018/03/14/dealing-with-nessus-logs/).
Start the scan just before 9am (Tuesday is good) to try to catch as many hosts as possible at that point in time. Scans can run for hours into days, and users may connect/disconnect during this time.
After the first scan, check how long it took to complete and whether there were any errors/notes. Were any important networks missed?
Generate and write the report.
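Added example for the networks step above (not part of the original notes): it takes the ranges gathered from the firewall, LAN switch and VPN/WiFi pools, flags duplicates and overlaps before the list is emailed to the customer, and turns the result into a Nessus target string. The inventory is constructed sample data and the 4096-address threshold is an assumption.

```python
import ipaddress
# Constructed sample inventory of the kind the checklist says to collect from the
# firewall, LAN switch, AnyConnect/WiFi pools and remote-access gateways.
SAMPLE_INVENTORY = [
    ("firewall",   "10.10.0.0/24"),
    ("lan-switch", "10.10.0.0/25"),                 # sits inside the firewall entry
    ("lan-switch", "10.10.1.0/24"),
    ("citrix",     "10.10.1.0/24"),                 # exact duplicate of the LAN entry
    ("anyconnect", "10.200.0.0/22"),
    ("wifi",       "192.168.50.1-192.168.50.100"),  # DHCP pool written as a range
]

def to_interval(text):
    """CIDR, single IPv4 address or 'start-end' range -> (first, last) as ints."""
    text = text.strip()
    if "-" in text:
        lo, hi = sorted(ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return int(lo), int(hi)
    net = ipaddress.ip_network(text, strict=False)  # host bits allowed, e.g. 10.0.0.1/24
    return int(net[0]), int(net[-1])

def merge_intervals(intervals):
    """Union of (first, last) intervals; overlapping or adjacent ones are joined."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def build_targets(inventory, max_hosts=4096):
    """Return (Nessus target string, address count, review notes)."""
    entries = [(src, text, to_interval(text)) for src, text in inventory]
    notes = []
    for i, (s1, t1, (a1, b1)) in enumerate(entries):      # flag duplicates/overlaps
        for s2, t2, (a2, b2) in entries[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                kind = "duplicate" if (a1, b1) == (a2, b2) else "overlap"
                notes.append(f"{kind}: {s1} {t1} <-> {s2} {t2}")
    merged = merge_intervals(iv for _, _, iv in entries)
    hosts = sum(hi - lo + 1 for lo, hi in merged)
    if hosts > max_hosts:  # assumed threshold; scans of big estates run into days
        notes.append(f"{hosts} addresses in scope; expect a multi-day scan")
    targets = []  # Nessus accepts CIDR blocks and dashed ranges; prefer one CIDR
    for lo, hi in merged:
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        blocks = list(ipaddress.summarize_address_range(lo_a, hi_a))
        targets.append(str(blocks[0]) if len(blocks) == 1 else f"{lo_a}-{hi_a}")
    return ", ".join(targets), hosts, notes
```

The returned notes are what you chase up with the customer before the scan; the target string pastes straight into the Nessus Targets field.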
Download Nessus
https://www.tenable.com/downloads/nessus?loginAttempted=true
For VMware choose the .ova; it installs Nessus Core and the scanner runs on top of this.
Docs
https://docs.tenable.com/nessus/Content/GettingStarted.htm?_gl=1*md6u5u*_ga*ODc2NzM3MDkyLjE3MTU2NzgwNzk.*_ga_HSJ1XWV6ND*MTczMzgyODgzNS44Mi4xLjE3MzM4Mjg4NTAuNDUuMC4xMzIxMTM2MzI4
Palo Alto firewall prereqs
Add a temp FW rule.
Go to Network > Network Profiles > Zone Protection.
Edit the zone protection profile.
Reconnaissance Protection.
Source Address Exclusion.
Add the Nessus INT and EXT scanner IPs here.
Nessus scan first setup
Default port for the scanner: https://192.168.1.100:8834/
Choose Advanced Scan.
Give it a name.
Discovery -> turn off "Ping the remote host".
Port scanning -> can use the default or all ports:
T:1-65535,U:1-1024
Local port enumerators (leave as is).
Use SYN scan.
Turn on UDP.
Service discovery:
Probe all ports.
Search for SSL/TLS on all ports.
Assessment -> tick "Perform thorough tests".
Brute force -> tick "Only use credentials provided by the user".
Web application -> don't scan if we are just doing an infra scan.
Report -> untick "Show missing patches that have been superseded".
Tick "Designate hosts by their DNS name".
Advanced -> usually can be left alone, but if it's a flat network you can tick both to slow down the scan.
For an internal scan we want to add creds for Windows/SSH/SNMP. Ask for a temp admin user to run the scan.
Enable the schedule (once a quarter etc.).
Network Detective tool
This is more MS and AD focused but can give good results, like a list of users whose passwords are set not to expire.
Run "RunNetworkDetective" as administrator.
Give credentials.
Give the domain controller IP.
Send the output to R to run the report from the reporting tool.