performing-vulnerability-scanning-with-nessus

Performs authenticated and unauthenticated vulnerability scanning using Tenable Nessus to identify known vulnerabilities, misconfigurations, default credentials, and missing patches across network infrastructure, servers, and applications. The scanner correlates findings with CVE databases and CVSS scores to produce prioritized remediation guidance. Activates for requests involving vulnerability scanning, Nessus assessment, patch compliance checking, or automated vulnerability detection.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "performing-vulnerability-scanning-with-nessus" with this command: npx skills add mukul975/anthropic-cybersecurity-skills/mukul975-anthropic-cybersecurity-skills-performing-vulnerability-scanning-with-nessus

Performing Vulnerability Scanning with Nessus

When to Use

  • Conducting initial vulnerability assessment during the reconnaissance phase of a penetration test
  • Performing periodic vulnerability scans to maintain compliance with PCI-DSS (requirement 11.2), HIPAA, or SOC 2 standards
  • Validating that remediation efforts have successfully addressed previously identified vulnerabilities
  • Establishing a baseline of known vulnerabilities before targeted manual exploitation
  • Auditing patch compliance and configuration drift across server and workstation fleets

Do not use as a substitute for manual penetration testing, against systems without written authorization, or against fragile systems (medical devices, legacy SCADA) where scanning may cause service disruption.

Prerequisites

  • Tenable Nessus Professional or Nessus Expert with current plugin updates (plugins should be less than 24 hours old)
  • Network connectivity to all target hosts on all ports (no firewall restrictions between scanner and targets)
  • Administrative credentials for authenticated scanning (domain admin or local admin for Windows, root/sudo for Linux, SNMP community strings for network devices)
  • Target IP ranges and hostnames documented in the scope agreement
  • Change management approval for scanning during authorized windows

Workflow

Step 1: Scan Configuration

Configure the Nessus scan policy based on engagement requirements:

  • Scan type selection: Choose "Advanced Scan" for full control over plugin families, or "Credentialed Patch Audit" for patch compliance. Avoid "Basic Network Scan" for penetration tests as it uses a limited plugin set.
  • Discovery settings: Configure port scanning to scan all 65,535 TCP ports and top 1,000 UDP ports. Set host discovery to use ARP (local), TCP SYN, and ICMP for maximum coverage.
  • Authentication: Add Windows credentials (domain account with local admin), SSH credentials (key-based preferred over password), SNMP credentials (v3 with authPriv preferred), and database credentials for database-specific checks.
  • Plugin configuration: Enable all plugin families relevant to the target environment. For penetration testing, ensure "Denial of Service" plugins are disabled unless explicitly authorized. Enable CGI scanning for web servers.
  • Performance settings: Set maximum concurrent hosts per scanner (default 30, reduce for sensitive networks), maximum concurrent checks per host (4-5 for production, higher for test environments), and network timeout values appropriate for the target network.

Step 2: Scan Execution and Monitoring

Launch the scan and monitor for issues:

  • Start the scan during the authorized testing window
  • Monitor scan progress through the Nessus web interface, checking for hosts timing out, authentication failures, or plugins causing errors
  • Watch for credential failures indicated by "Authentication Failure" results; these mean the authenticated scan fell back to unauthenticated mode, producing incomplete results
  • If specific hosts are crashing or becoming unresponsive, pause the scan, exclude those hosts, and report the issue to the client
  • For large networks (1,000+ hosts), consider splitting scans into smaller subnets to manage load and allow restartability

Step 3: Results Analysis and Validation

Analyze scan results to separate true positives from false positives:

  • Sort by severity: Start with Critical and High findings; these represent the most exploitable and impactful vulnerabilities
  • Validate authentication: Verify that plugin 19506 (Nessus Scan Information) shows "Credentialed checks: yes" for each host. Unauthenticated results miss local vulnerabilities.
  • Eliminate informational noise: Filter out informational findings unless they reveal useful information for manual testing (service banners, SSL certificate details, open ports)
  • Cross-reference CVEs: For each Critical/High finding, verify the CVE in the National Vulnerability Database. Check if the vulnerability has a public exploit (Exploit-DB, Metasploit module).
  • False positive identification: Common false positives include version-based detection where backported patches make the software appear vulnerable (common in RHEL/CentOS). Check rpm -q --changelog <package> on the target to verify.
  • Group by remediation: Organize findings by the action needed to fix them (e.g., "Apply Windows KB5034441" affects 47 hosts) rather than listing each instance individually

Step 4: Vulnerability Prioritization

Rank validated vulnerabilities for remediation using risk-based prioritization:

  • CVSS score: Use the CVSS v3.1 base score as the starting point. Scores 9.0-10.0 are Critical, 7.0-8.9 High, 4.0-6.9 Medium, 0.1-3.9 Low.
  • Exploit availability: Increase priority for vulnerabilities with publicly available exploit code, especially Metasploit modules or weaponized PoCs
  • Network exposure: A critical vulnerability on an internet-facing system is higher priority than the same vulnerability on an isolated internal server
  • Asset criticality: Consider the business value of the affected system. Domain controllers, databases with PII, and payment processing systems warrant higher priority.
  • Compensating controls: Reduce priority if the vulnerability is mitigated by network segmentation, WAF rules, or EDR protections (document the compensating control)

Step 5: Report Generation

Generate a comprehensive vulnerability scan report:

  • Export the Nessus report in both executive (PDF) and detailed (CSV/HTML) formats
  • Create a custom report that includes only validated findings with false positives removed
  • Include a remediation priority matrix mapping each vulnerability to its recommended fix, affected hosts, and timeline
  • Add context from manual validation (e.g., "This finding was confirmed exploitable during the penetration test")
  • Include scan metadata: date/time, scanner version, plugin set date, scan policy used, authentication success rate

Key Concepts

TermDefinition
Authenticated ScanA vulnerability scan that uses valid credentials to log into target hosts and perform local checks, detecting significantly more vulnerabilities than unauthenticated scanning
PluginA Nessus script that checks for a specific vulnerability, misconfiguration, or compliance item; Nessus maintains over 200,000 plugins updated daily
CVSSCommon Vulnerability Scoring System; a standardized framework for rating the severity of vulnerabilities from 0.0 to 10.0 based on exploitability and impact metrics
False PositiveA vulnerability reported by the scanner that does not actually exist on the target, often caused by version-based detection without exploit verification
Credentialed Patch AuditA scan type focused specifically on identifying missing operating system and application patches by comparing installed versions against known vulnerability databases
Plugin FamilyA logical grouping of Nessus plugins by category (e.g., Windows, Ubuntu Local Security Checks, Web Servers, Databases)

Tools & Systems

  • Nessus Professional: Commercial vulnerability scanner by Tenable with over 200,000 plugins covering CVEs, misconfigurations, and compliance checks
  • Nessus Expert: Extended version including external attack surface scanning, IaC scanning, and cloud infrastructure assessment
  • Tenable.io: Cloud-hosted vulnerability management platform for enterprise deployments with asset tracking, trend analysis, and prioritization
  • OpenVAS (Greenbone): Open-source alternative vulnerability scanner with community-maintained vulnerability tests for comparison scanning

Common Scenarios

Scenario: Quarterly PCI-DSS Vulnerability Scan for a Retail Company

Context: A retailer processes credit card payments and must comply with PCI-DSS requirement 11.2, which mandates quarterly internal and external vulnerability scans. The cardholder data environment (CDE) consists of 200 servers across 3 VLANs. All hosts run either Windows Server 2019/2022 or RHEL 8/9.

Approach:

  1. Configure authenticated scan with domain service account for Windows and SSH key for Linux hosts
  2. Use the PCI-DSS scan policy template with all relevant plugin families enabled
  3. Scan all 200 CDE hosts during the Saturday maintenance window (02:00-06:00)
  4. Identify 847 findings: 12 Critical, 34 High, 189 Medium, 612 Low/Informational
  5. Validate Critical findings: 3 are false positives (backported patches on RHEL), 9 are confirmed vulnerabilities
  6. Group remaining findings by remediation action: 6 require Windows patches, 2 require Apache upgrades, 1 requires TLS configuration hardening
  7. Generate PCI-compliant report showing no Critical or High vulnerabilities remain unaddressed (after remediation and rescan)

Pitfalls:

  • Running unauthenticated scans and missing the majority of local vulnerabilities, producing an incomplete compliance report
  • Not updating Nessus plugins before scanning, missing recently published CVEs
  • Scanning fragile legacy systems without reducing scan intensity, causing crashes or service disruption
  • Accepting Nessus results at face value without manually validating critical findings for false positives

Output Format

## Vulnerability Scan Summary - CDE Environment

**Scan Date**: 2025-11-15 02:00-05:47 UTC
**Scanner**: Nessus Professional 10.8.3 (Plugins: 2025-11-14)
**Hosts Scanned**: 200 (198 authenticated, 2 authentication failed)
**Scan Policy**: PCI-DSS Internal Scan

### Findings Summary
| Severity | Count | Validated |
|----------|-------|-----------|
| Critical | 12    | 9 (3 FP)  |
| High     | 34    | 31 (3 FP) |
| Medium   | 189   | 178       |
| Low/Info | 612   | N/A       |

### Top Critical Findings

**1. CVE-2024-21762 - Fortinet FortiOS Out-of-Bounds Write (CVSS 9.8)**
- Affected Hosts: fw-cde-01.corp.example.com (10.50.1.1)
- Exploit Available: Yes (Metasploit module)
- Remediation: Upgrade FortiOS to 7.4.3 or later
- Priority: Immediate - internet-facing device protecting CDE

**2. CVE-2024-6387 - OpenSSH regreSSHion (CVSS 8.1)**
- Affected Hosts: 14 Linux servers (see Appendix A)
- Exploit Available: Yes (public PoC)
- Remediation: Upgrade OpenSSH to 9.8p1 or later
- Priority: Within 7 days - authenticated remote code execution

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

analyzing-cyber-kill-chain

No summary provided by upstream source.

Repository SourceNeeds Review
10-mukul975
Security

analyzing-android-malware-with-apktool

No summary provided by upstream source.

Repository SourceNeeds Review
10-mukul975
Security

analyzing-network-traffic-with-wireshark

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

analyzing-certificate-transparency-for-phishing

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975