As most of you know I work for Tenable Network Security, so my opinions about vulnerability scanners are biased (to say the least). However, the goal of this article is not to recommend or suggest which security software or solution you should purchase. The goal is not to tell you which vulnerability scanner is better or worse than the next. The goal of this article is to tell you the proper way to configure Nessus when doing a comparison and some things to take into consideration when evaluating vulnerability scanning products.
Comparisons (such as this one titled Nessus, OpenVAS and Nexpose VS Metasploitable) often garner a lot of attention, but lack some of the details required to offer a fair comparison. For example, many comparisons will use the built-in scan policies to scan just one host and compare the results with another tool's report. This really isn't a good test of the scanners capabilities. For example, the "External Network Scan" policy used in Nessus during a recent comparison is tuned to scan multiple hosts exposed to the Internet, NOT one single host.
If you are going to scan just one host, or a small subset of hosts in a lab or pre-production systems, consider the following Nessus scan policy settings:
- Safe Checks - Nessus tries its best not to cause any adverse affects on your systems and/or network. Therefore the "Safe Checks" options is selected by default when you create a scan and enabled on all of the default scan policies. Safe checks changes the behavior of several hundred or more plugins to "play nice". If you are scanning one, or even a few non-production hosts, in a lab environment its best to turn off Safe Checks.
- Thorough Tests (slow) - Causes various plugins to “try harder” and dig deeper into the system to detect a vulnerability and expand the scope of the search for said vulnerability. For example, when looking through SMB file shares, a plugin can analyze 3 levels deep instead of 1.
- Experimental Scripts - Exactly what you would think it means, plugins that are considered "experimental" are enabled. Plugins will also use this to enable certain functionality, but only when the user has selected this option.
- Follow Dynamic Links - Tell Nessus to spider each web site it encounters, adding the entries to the Knowledge base for other plugins to use and find more vulnerabilities (especially the web application testing plugins).
- Report Paranoia - When set to "Paranoid" it will cause Nessus to add results to the report that have a higher risk of being a false positive. By default this is set to normal to avoid generating potential false positives.
- Test SSL based services - When set to "All", every service is tested for SSL capabilities.
- Credentials - When scanning just one host its very easy to add credentials. In the case of Metasploitable, it is based on Ubuntu and Nessus has an entire plugin family for that distribution which will detect locally missing security patches.
To make things easier for folks, I've created a policy that you can download and import into Nessus called "Full Thorough Scan (slow)" which implements all of the above settings (and more). It carries the following warning:
"Please use this policy with caution. Consider this a scan with the safety set to "off". It may crash targets. It may contain false positives. The controls in place to regulate crashes and false positives have been disabled. It may take a long time to run. Do not run this against large numbers of hosts unless you have time. Consider this a policy to use in your lab when testing a host or two. You have been warned!"
I should also note that this is a policy I created on my own, and is not an official scan policy from Tenable. I used the above policy, configured the credentials for Metasploitable (msfadmin/msfadmin) and ran a Nessus scan. Some interesting results:
- Using result filtering and displaying only exploitable vulnerabilities, I found 46
- There are 14 vulnerabilities exploitable by CANVAS and associated exploit packs, 19 exploitable by Core IMPACT and 33 exploitable by Metasploit
- Nessus did in fact find a vulnerable ProFTPD server running on port 2121 and the Unreal IRCd Backdoor
- There are 166 vulnerabilities due to missing patches (A few of which are only exploitable by Core IMPACT and related to privilege escalation)
- CANVAS is listed as having the only exploit for a Samba RPC Buffer Overflow (CVE-2012-1182)
- The web application fuzzer in Nessus found a command execution vulnerability in Twiki (previously discovered, but seems to have never been assigned an official CVE entry)
I won't post my results here, as I want you as the user (or "evaluator") to go try it for yourself. I also suggest trying to scan something like Metasploitable (which I used version 2.0 downloaded from here) using the options and techniques you typically use. Then try a scan with the policy provided and compare the results.
Another important aspect to consider (arguably the most important) is that comparing vulnerability scanners in this manner is greatly limited in scope. It does not test, or take into consideration, all of the other features offered by the various tools. These other features could really help you do your job and improve the security of your organization! For example, Nessus now integrates with patch management systems, detects hosts participating in a botnet, identifies malicious processes and collects vulnerability data on mobile devices. Make sure these features factor into your evaluation and/or comparison.