Run Nessus and navigate to http://localhost:8834
Defining targets
Top-right, click "New Scan"
- Basic Network Scan: general scan containing a number of tests that may be used against different target types
  - Arguments: a name for the scan and a list of targets (an IP address, an IP range, or a comma-delimited list of FQDNs or IPs)
- Credentialed Patch Audit: authenticated scan that enumerates missing patches
- Web Application Tests: specialized scan for locating published web application security vulnerabilities
- Spectre and Meltdown: targeted scan for the Meltdown and Spectre vulnerabilities
Configuring scan definitions
- Ports to scan
  - In "Discovery" > "Scan Type" you can change the ports to scan
  - "Discovery" > "Port Scanning" to select more specific options
- Turn off host discovery (saves time and scans more quietly)
  - "Discovery" > "Host Discovery" under the "Settings" tab > deselect "Ping the remote host"
Authenticated scanning
From a new scan, click on the "Credentials" tab.
Scanning with Individual Nessus Plugins
From the "Plugins" tab you can select multiple options (a plugin family) in the left column, or individual plugins one by one in the right column.
NSE scripts can be found in the /usr/share/nmap/scripts/ directory. Here you can also find script.db, a file that serves as an index to all of the scripts.
- Check also: CVE-2021-41773 NSE Script
sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" <IP>
How to add new scripts
- Copy the file into /usr/share/nmap/scripts/
- Rebuild the script index:
sudo nmap --script-updatedb
Grep for scripts in the "vuln" and "exploit" categories
grep '"vuln"\|"exploit"' /usr/share/nmap/scripts/script.db
Using NSE's "vuln" scripts
sudo nmap --script vuln <IP>
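The grep above only matches whole lines of script.db; it does not tell you which of those scripts are also tagged "intrusive" (scripts that may crash or alter the target), and `--script vuln` runs all of them. The following added example (not from the original notes) parses the Lua-style `Entry { ... }` records of script.db and filters by category, so you can see which vuln checks are tagged "safe" before running them against a production host. The script.db lines are constructed samples, not copied from a real install.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample in the format used by /usr/share/nmap/scripts/script.db
# (one Lua table entry per script). Category sets here are illustrative only.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "http-vuln-cve2021-41773.nse", categories = { "exploit", "vuln", "intrusive", } }
Entry { filename = "ssl-heartbleed.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-vuln-ms17-010.nse", categories = { "vuln", "safe", } }
Entry { filename = "http-shellshock.nse", categories = { "exploit", "vuln", "intrusive", } }
"""

# Matches: Entry { filename = "x.nse", categories = { "a", "b", } }
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"(?P<filename>[^"]+)"\s*,\s*'
    r'categories\s*=\s*\{(?P<cats>[^}]*)\}\s*\}'
)


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Map each script filename in script.db to its set of NSE categories."""
    scripts: Dict[str, Set[str]] = {}
    for m in ENTRY_RE.finditer(text):
        cats = set(re.findall(r'"([^"]+)"', m.group("cats")))
        scripts[m.group("filename")] = cats
    return scripts


def select_scripts(scripts: Dict[str, Set[str]],
                   any_of: Iterable[str],
                   none_of: Iterable[str] = ()) -> List[str]:
    """Return sorted script names that carry at least one category from
    `any_of` and none from `none_of` (e.g. keep "vuln", drop "intrusive")."""
    wanted, banned = set(any_of), set(none_of)
    return sorted(name for name, cats in scripts.items()
                  if cats & wanted and not cats & banned)


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)  # replace with open(path).read() on a real box
    print("vuln or exploit:", select_scripts(db, ["vuln", "exploit"]))
    print("vuln, non-intrusive:", select_scripts(db, ["vuln"], none_of=["intrusive"]))
```

nmap can express the same filter itself with boolean category expressions, e.g. `--script "vuln and not intrusive"`, which is the safer default when the target is a system you are responsible for.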
Nikto can be found here: sullo/nikto.
Example usage
nikto -host=http://www.targetcorp.com -maxtime=30s
Nuclei can be found here: projectdiscovery/nuclei. See also: "The Ultimate Guide to Finding Bugs With Nuclei by ProjectDiscovery"
Automatic Selection
nuclei -u http://target.io -as
Check for Technologies
-t %USERPROFILE%\nuclei-templates\technologies
Check for more: misconfiguration, CVEs and CNVD
-t %USERPROFILE%\nuclei-templates\misconfiguration -t %USERPROFILE%\nuclei-templates\cves -t %USERPROFILE%\nuclei-templates\cnvd
Use it in a workflow
cat subdomains.txt | httpx | nuclei -t technologies
Use tags combined with automatic selection
nuclei -l list.txt -as -tags log4j -o output.txt
Check for: subdomain takeovers, exposed .git configs, CRLF injection, exposed Swagger APIs, exposed panels and old copyright notices
nuclei -l target.txt -t %USERPROFILE%/nuclei-templates/takeovers -t %USERPROFILE%/nuclei-templates/exposures/configs/git-config.yaml -t %USERPROFILE%/nuclei-templates/vulnerabilities/generic/crlf-injection.yaml -t %USERPROFILE%/nuclei-templates/exposures/apis/swagger-api.yaml -t %USERPROFILE%/nuclei-templates/exposed-panels -t %USERPROFILE%/nuclei-templates/miscellaneous/old-copyright.yaml -stats -o output/nuclei_target
Check for log4j
nuclei -l target.txt -as -tags log4j,cve -stats -o output/nuclei_2_target