Listen to this Post

Introduction:
In today’s rapidly evolving threat landscape, organizations face an ever-increasing volume of vulnerabilities that can be exploited by malicious actors. Automated vulnerability assessment tools have become indispensable for security teams to identify, prioritize, and remediate weaknesses before they can be weaponized. Nessus, developed by Tenable, stands as one of the most widely adopted vulnerability scanners in the industry, offering comprehensive scanning capabilities that help security professionals detect software flaws, missing patches, misconfigurations, and malware across networks, servers, and applications. This guide provides a hands-on walkthrough of performing penetration testing using the Nessus Tool, covering everything from lab setup to generating actionable security reports.
Learning Objectives:
- Master the complete installation and activation process of Nessus Essentials on Kali Linux
- Configure and execute Host Discovery scans and Basic Network Scans to identify assets and vulnerabilities
- Analyze critical vulnerabilities including EternalBlue (SMB), BlueKeep (RDP), and UnrealIRCd Backdoor
- Generate and interpret professional security assessment reports with prioritized remediation recommendations
You Should Know:
- Environment & Lab Setup: Building Your Testing Ground
Before diving into vulnerability scanning, establishing a controlled testing environment is crucial for safe and effective learning. The recommended lab setup consists of three virtual machines:
- Scanner Machine: Kali Linux VM – serves as the attack/scanning platform
- Target Machine 1: Windows 7 VM – a vulnerable system for detecting legacy vulnerabilities
- Target Machine 2: Metasploitable VM – an intentionally vulnerable Linux system
Ensure all VMs are connected to the same isolated virtual network (e.g., NAT Network or Host-Only Adapter) to prevent accidental scanning of production systems. Document the IP addresses of each machine for scan configuration.
2. Nessus Installation & Activation: Complete Technical Guide
Step 1: Download Nessus Essentials
Visit the official Tenable website at https://www.tenable.com/products/nessus/nessus-essentials and register for a free Nessus Essentials license. You will receive an activation code via email. Choose the appropriate package for your system – for Kali Linux, select the Debian/Ubuntu .deb package. For command-line efficiency, use wget:
wget https://www.tenable.com/downloads/api/v1/public/pages/nessus/downloads/[latest-version]/download?i_agree_to_tenable_license_agreement=true -O Nessus.deb
Step 2: Install Nessus on Kali Linux
Navigate to your Downloads directory and install the package using dpkg:
cd Downloads sudo dpkg -i Nessus-<version>-debian10_amd64.deb
If you encounter dependency issues (common with libssl conflicts), resolve them with:
sudo apt --fix-broken install
Step 3: Start the Nessus Service
Launch the Nessus service and enable it to start automatically on boot:
sudo systemctl start nessusd sudo systemctl enable nessusd
Step 4: Access the Nessus Web Interface
Open your browser and navigate to https://localhost:8834 (or https://kali:8834 from the Kali machine itself). You will encounter an SSL certificate warning – this is normal. Click “Advanced” and proceed to the site.
Step 5: Activate Nessus
On the welcome screen, select “Nessus Essentials” and paste your activation code from the email. Create an admin user account with a strong password – this credential will be used for all future logins.
Alternative: Offline Activation
For air-gapped environments, obtain the challenge code:
/opt/nessus/sbin/nessuscli fetch --challenge
Visit https://plugins.nessus.org/v2/offline.php, enter the challenge code and activation code to download the license and plugin files. Then register offline:
/opt/nessus/sbin/nessuscli fetch --register-offline ./nessus.license /opt/nessus/sbin/nessuscli update all-2.0.tar.gz sudo systemctl restart nessusd
Command Line Reference for Activation:
| Platform | Command |
|-||
| Linux | `/opt/nessus/sbin/nessuscli fetch –register xxxx-xxxx-xxxx-xxxx` |
| Windows | `C:\Program Files\Tenable\Nessus\nessuscli.exe fetch –register xxxx-xxxx-xxxx-xxxx` |
| macOS | `/Library/Nessus/run/sbin/nessuscli fetch –register xxxx-xxxx-xxxx-xxxx` |
- Scan Configuration: Host Discovery and Basic Network Scans
Host Discovery Scan
Host discovery is the first step in any vulnerability assessment – it identifies active hosts on your network. To create a Host Discovery scan:
- In the Nessus dashboard, click Scans → New Scan
2. Under Discovery, select the Host Discovery template
3. Configure the scan:
- Name: Enter a descriptive name (e.g., “Network Host Discovery”)
- Targets: Enter target IP ranges using CIDR notation (e.g.,
192.168.1.0/24), range notation (e.g.,192.168.1.1-192.168.1.254), or comma-separated lists
4. Click Save → Launch
Host discovery scans do not count towards your license limit and are useful for mapping your attack surface.
Basic Network Scan
Once hosts are identified, run a comprehensive vulnerability scan:
1. Click Scans → New Scan
2. Select the Basic Network Scan template
3. Configure scan settings:
- Name: Enter a descriptive name
- Targets: Specify the IP address(es) of target systems
- Discovery: Configure port scanning options (default settings work well for most scenarios)
- Performance Options (default): 30 simultaneous hosts (max), 4 simultaneous checks per host (max), 5-second network read timeout
5. Click Save → Launch
Credentialed vs. Non-Credentialed Scans
A critical distinction in vulnerability assessment is whether Nessus can authenticate into target systems. Non-credentialed scans (like the one described above) only perform network-level checks and may miss vulnerabilities that require authenticated access. For deeper analysis, configure credentialed scans by providing valid credentials (domain admin, local admin, or SSH keys) – this allows Nessus to check registry settings, file versions, and configuration files for a more comprehensive assessment.
4. Deep-Dive Risk Analysis: Critical Vulnerabilities
Nessus categorizes vulnerabilities using the Common Vulnerability Scoring System (CVSS) and Tenable’s Vulnerability Priority Rating (VPR). The severity levels are:
| Severity | CVSS Score | Remediation Timeline |
|-|||
| Critical | 9.0 – 10.0 | Within 24 hours |
| High | 7.0 – 8.9 | Within 15 days |
| Medium | 4.0 – 6.9 | Within 45 days |
| Low | 1.0 – 3.9 | Long-term planning |
EternalBlue (CVE-2017-0144)
One of the most notorious vulnerabilities detected by Nessus is EternalBlue, a critical SMBv1 vulnerability in Windows systems. Exploited by the WannaCry ransomware in 2017, this flaw allows remote attackers to execute arbitrary code on vulnerable systems. Nessus identifies this through Plugin ID 42340.
Remediation: Disable SMBv1 immediately and apply Microsoft security update MS17-010.
BlueKeep (CVE-2019-0708)
BlueKeep is a critical remote code execution vulnerability in Microsoft’s Remote Desktop Protocol (RDP) affecting Windows 7, XP, 2003, and 2008 systems. With a CVSS v3 base score of 9.8, this vulnerability allows unauthenticated attackers to execute arbitrary code remotely. Nessus detects this through Plugin ID 125313.
Remediation: Apply the patches released by Microsoft in May 2019. For unsupported systems, upgrade to a supported Windows version or implement network-level RDP restrictions.
UnrealIRCd Backdoor (CVE-2010-2075)
This critical backdoor vulnerability in UnrealIRCd versions 3.2.8.1 allows attackers to execute arbitrary commands on the affected host. Nessus detects this through Plugin ID 46882.
Remediation: Re-download the software, verify integrity using published MD5/SHA1 checksums, and reinstall the clean version.
- Remediation & Reporting: Interpreting the Risk Wheel and Generating Reports
Understanding the Risk Wheel
Nessus presents findings using a color-coded risk wheel that provides an at-a-glance view of your security posture:
– Critical (Red): CVSS 9.0-10.0 – requires immediate action (e.g., remote code execution, unauthorized access)
– High (Orange): CVSS 7.0-8.9 – prioritize within days
– Medium (Yellow): CVSS 4.0-6.9 – plan remediation within weeks
– Low (Green): CVSS 1.0-3.9 – include in long-term security improvements
Generating a Security Assessment Report
- After scan completion, navigate to the scan results page
- Click the Report button in the top right corner
3. Select your preferred format:
- PDF: Professional executive summary with detailed findings
- HTML: Interactive web-based report
- CSV: Data for further analysis in spreadsheets
4. Configure report options:
- Include executive summary
- Include vulnerability details with CVSS scores and CVE identifiers
- Include remediation recommendations
- Optionally include screenshots and custom branding
Prioritizing Remediation
Not all high-severity vulnerabilities require immediate remediation. Consider:
- Exploit availability: Is there a public exploit? (Nessus indicates this with “Exploit Available: true”)
- Asset criticality: Is the vulnerable system business-critical?
- Compensating controls: Are there network or host-based controls mitigating the risk?
- Patch availability: Is a patch available, or is a workaround required?
6. Attack Surface Reduction: Hardening System Endpoints
Based on Nessus findings, implement these hardening measures:
Legacy Service Isolation
Nessus often detects outdated services that expand the attack surface:
– RLogin and RSH: These legacy remote access protocols lack encryption and should be disabled
– SMBv1: As mentioned, disable SMBv1 across all Windows systems
– Telnet: Replace with SSH for encrypted remote access
Cryptographic Hygiene
Nessus identifies weak cryptographic protocols that could be exploited:
– SSLv2/SSLv3: These protocols are fundamentally broken and must be disabled
– TLS 1.0/1.1: Deprecated protocols – enforce TLS 1.2+ configurations
– Weak cipher suites: Remove NULL, EXPORT, and low-bit ciphers
Implementation Example (Windows Registry):
Disable SMBv1 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force Disable SSLv2/SSLv3 (IIS) Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" Enabled -Type DWORD -Value 0 -Force
Implementation Example (Linux – OpenSSL Configuration):
In /etc/ssl/openssl.cnf or application-specific config openssl_conf = default_conf [bash] ssl_conf = ssl_sect [bash] system_default = system_default_sect [bash] MinProtocol = TLSv1.2 CipherString = DEFAULT@SECLEVEL=2
- Patch Management: Correlating Open Ports to CVE Identifiers
Effective patch management requires understanding which services are running and their associated vulnerabilities.
Using Nmap for Port Discovery (Pre-Scan):
nmap -sV -p- 192.168.1.100
Common Port-to-CVE Mappings:
| Port | Service | Common CVE | Severity |
||||-|
| 139, 445 | SMB | CVE-2017-0144 (EternalBlue) | Critical |
| 3389 | RDP | CVE-2019-0708 (BlueKeep) | Critical |
| 6667 | IRC | CVE-2010-2075 (UnrealIRCd Backdoor) | Critical |
| 22 | SSH | CVE-2016-6210 (OpenSSH user enumeration) | Medium |
| 80, 443 | HTTP/HTTPS | Various (depends on application) | Variable |
Prioritization Framework:
1. Critical + Exploitable: Patch within 24 hours
- Critical + No Exploit: Patch within 72 hours
3. High + Exploitable: Patch within 1 week
- High + No Exploit: Patch within 2 weeks
5. Medium/Low: Include in regular patch cycles
What Undercode Say:
- Attack Surface Reduction is Non-1egotiable: Legacy services like SMBv1, RLogin, and outdated SSL/TLS protocols represent some of the most frequently exploited vectors in modern cyberattacks. Nessus provides the visibility needed to identify and eliminate these risks before they become incident vectors.
-
Patch Management is a Continuous Process: Vulnerability scanning is not a one-time activity but an ongoing discipline. Correlating open ports to specific CVEs enables security teams to prioritize remediation based on real-world exploitability and asset criticality rather than treating all vulnerabilities equally.
Analysis: The Nessus vulnerability assessment workflow demonstrates the fundamental shift from reactive security to proactive risk management. By automating the discovery of known vulnerabilities, security professionals can focus their limited time on analysis and remediation rather than manual enumeration. The integration of CVSS scoring and VPR provides a risk-based prioritization framework that aligns security efforts with business objectives. However, it is crucial to remember that vulnerability scanners are tools – they require skilled interpretation to avoid alert fatigue and misprioritization. A critical vulnerability on a non-production system may be less urgent than a medium vulnerability on a public-facing payment gateway. The true value of Nessus lies not in the scan itself but in the informed decision-making it enables.
Prediction:
- +1 The continued integration of AI and machine learning into vulnerability assessment tools will dramatically reduce false positives and provide more contextual remediation guidance, making tools like Nessus more accessible to organizations with limited security resources.
-
+1 As regulatory frameworks (PCI DSS, HIPAA, GDPR) increasingly mandate continuous vulnerability assessment, demand for Nessus-certified professionals will surge, creating significant career opportunities in the vulnerability management space.
-
-1 The growing complexity of cloud-1ative environments (containers, serverless, microservices) will challenge traditional vulnerability scanners, requiring significant evolution in scanning methodologies to maintain comprehensive coverage.
-
-1 Attackers are increasingly targeting vulnerabilities in the vulnerability scanners themselves – securing the scanning infrastructure will become as critical as scanning the production environment.
-
+1 The shift toward API-first security testing will see Nessus and similar tools expanding their capabilities to include comprehensive API security testing, bridging the gap between network vulnerability assessment and application security testing.
▶️ Related Video (86% Match):
https://www.youtube.com/watch?v=-VRUy9X_SR8
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Dharamveer Prasad – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


