Extra: Nessus Vulnerability Scanning - Lab
Overview and Aims
In this lab you will learn about Nessus and use it to scan virtual machines for vulnerabilities. You will:
- Research Nessus and explain what it does.
- Register for a Nessus Essentials licence.
- Download, install, and configure Nessus on your own Linux machine (Kali or Ubuntu Desktop).
- Use Nessus to scan at least two virtual machines that you control.
- Generate and export a report for each scanned virtual machine.
- Produce a short write-up describing findings and suggested remediations.
Network note:
The forensic workstation on the lab network does not have internet access.
You must use your own machine (laptop/VM) with internet connectivity to download, register and run Nessus.
Ensure your scanner can reach your target VMs through a shared network or NAT configuration.
Safety, Legal, and Ethical Reminder
Only scan systems that you own or have explicit permission to scan.
Scanning unauthorised systems is illegal and unethical. Document authorisation where required.
Resources Required
- A Linux machine with internet access (Kali Linux recommended, Ubuntu Desktop acceptable).
- Nessus Essentials licence (free, registration required).
- At least two target virtual machines under your control (any OS; feel free to use any from the Forensics Workstation).
- A web browser on the scanner (to access the Nessus web UI).
- Snapshot or backup of target VMs before scanning.
Step 1 - Research Nessus
Write a short paragraph (3–6 sentences) describing Nessus. Include:
- A clear definition of what Nessus is.
- Its main uses (vulnerability discovery, configuration checks, web app scanning, credential audits).
- A reference to the official Tenable documentation or Nessus Essentials page.
References:
Step 2 - Obtain Nessus Essentials Licence
- Register for a free Nessus Essentials licence: https://www.tenable.com/tenable-for-education/nessus-essentials
- Save the activation code and registration email for your portfolio.
Step 3 - Download Nessus
- Go to one of the download links below:
- Download the Debian package (Nessus-X.X.X-amd64.deb) suitable for your system (Kali/Ubuntu).
- Note the directory where you saved the file (e.g., ~/Downloads).
Step 4 - Prepare and Install Nessus
Before installing Nessus, update your Linux system:
sudo apt update && sudo apt upgrade -y
Install Nessus:
cd ~/Downloads
sudo dpkg -i Nessus-*.deb
# If dependencies are missing:
sudo apt -f install -y
Start the Nessus service:
sudo systemctl enable --now nessusd.service
sudo systemctl status nessusd.service
Step 5 - Access the Nessus Web Interface
- Open your web browser and navigate to: https://localhost:8834/
- Accept the browser's certificate warning (Nessus ships with a self-signed certificate; this is safe for lab use).
- Follow the setup wizard:
- Create an admin account.
- Enter your activation code.
- Allow Nessus to download its plugins (requires internet).
Setup may take several minutes.
Step 6 - Network Setup for Scanning
Ensure your Nessus scanner can reach the target VMs.
- If the VMs are hosted on the same system, connect them using host-only, bridged, or the shared CyberLabNAT network.
- Confirm connectivity using:
ping -c 3 <target-ip>
nmap -Pn -p 22,80,443 <target-ip>
Step 7 - Configure and Run Scans
- Open the Nessus web interface.
- Click New Scan → choose Basic Network Scan (for unauthenticated scanning).
- Alternatively, try a Credentialed Scan if you have valid credentials.
- Set:
- Scan Name: something meaningful (e.g., “Ubuntu Server Scan”).
- Target: IP address of your VM.
- Policy: use default or modify as needed.
- Click Save, then Launch.
Repeat for a second VM.
Tip: Credentialed scans give deeper insight and fewer false positives.
Step 8 - Generate and Export Reports
After each scan:
- Review findings in the Nessus dashboard.
- Export reports for each scanned machine:
- Formats: PDF and CSV.
- Include key screenshots of results and exports.
For each High or Critical finding:
- Record the CVE ID (if available).
- Summarise the risk and impact.
- Suggest remediation steps (patches, configuration changes, password policies, etc.).
Example export workflow:
- Open completed scan → Export → choose PDF or CSV → save files to your lab folder.
Troubleshooting
| Issue | Possible Cause | Fix |
|---|---|---|
| dpkg dependency errors | Missing packages | Run sudo apt -f install -y |
| Cannot access https://localhost:8834/ | Service not running | Check with sudo systemctl status nessusd.service |
| Slow plugin download | Poor network | Verify internet access; restart Nessus |
| Scan fails or times out | Network isolation | Check that scanner and targets share the same network |
Note about your target: Metasploitable 2
If you plan to scan Metasploitable 2 for this lab, that is perfectly acceptable - Metasploitable 2 is an intentionally vulnerable virtual machine designed for training and testing. Use it only in isolated lab networks or on a private host under your control.
When you use Metasploitable 2 as a target, expect many known, high‑severity issues; the purpose here is to practise scanning, interpreting results and writing remediation plans, not to exploit systems on production networks.
Step 9 - Example Results and Interpretation (Metasploitable 2)
Below are typical findings you might see when scanning Metasploitable 2. These are examples to help you interpret your real results. Do not use these as a checklist to attack other people's systems - only apply tests to systems you own or have permission to scan.
Example: Common Findings on Metasploitable 2
| Severity | Service / Symptom | Typical Description | Suggested Remediation |
|---|---|---|---|
| Critical / High | FTP server (vsftpd backdoor) | The FTP service on older vsftpd builds contains a backdoor that allows unauthorised access. | Replace vsftpd with a modern supported version, or remove the service if not required. Ensure packages are sourced from trusted repositories. |
| High | Samba / SMB | Outdated Samba or vulnerable SMB services exposing shares and allowing remote code execution in some cases. | Update Samba to a supported version, remove unnecessary shares, and restrict SMB to trusted networks. Apply vendor patches. |
| High | Tomcat with default credentials | Tomcat manager or admin interfaces using default/weak credentials. | Remove or change default credentials, restrict access to management interfaces, and enable strong authentication. |
| Medium / High | MySQL with weak credentials | Database server permits login with blank or weak passwords. | Enforce strong passwords, disable remote root access, and follow database hardening guides. |
| Medium | ProFTPD / Anonymous upload | FTP server allows anonymous logins or writable anonymous folders. | Disable anonymous uploads, limit permissions, and monitor file uploads. |
| Medium | Outdated web applications | Web apps with known vulnerabilities (old PHP apps, outdated frameworks). | Update or remove vulnerable web applications; apply patches and follow secure deployment practices. |
| Low / Medium | Missing security headers | HTTP responses lack headers such as Content-Security-Policy or X-Frame-Options. | Configure web server to add appropriate security headers. |
How to report Metasploitable 2 findings
For each finding in your report:
- Record the service, port, and severity reported by Nessus.
- Copy any plugin output or evidence that shows why Nessus flagged the issue.
- If a CVE is provided by Nessus, record it; otherwise cite the plugin name and description.
- Provide a short technical explanation in plain language and one or two practical remediation steps.
Example entry (concise):
- Service/port: vsftpd (21/tcp)
- Severity: Critical
- Nessus plugin: vsftpd backdoor detected
- Why it matters: An attacker can gain unauthorised shell access via the backdoor.
- Remediation: Remove vulnerable vsftpd, install supported FTP server or disable FTP; verify no unknown accounts exist; restrict access to trusted hosts only.
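To turn the CSV export from Step 8 into the concise per-finding entries asked for in Step 9, here is an added Python helper; it is not part of the lab or of Nessus. It assumes the default column names of a Nessus CSV export (Plugin ID, CVE, Risk, Host, Protocol, Port, Name, Solution) and runs on a constructed sample whose CVE values are placeholders.

```python
"""Summarise High/Critical findings from a Nessus CSV export.

Assumes the default column names of a Nessus CSV export
(Plugin ID, CVE, Risk, Host, Protocol, Port, Name, Solution, ...).
The sample rows below are constructed for illustration only.
"""
import csv
import io
from collections import defaultdict

# Constructed sample resembling a Nessus CSV export; hosts are documentation
# addresses and the CVE values are placeholders, not real identifiers.
SAMPLE_CSV = """Plugin ID,CVE,CVSS v2.0 Base Score,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
10001,CVE-PLACEHOLDER-1,10.0,Critical,192.0.2.10,tcp,21,vsftpd backdoor detected,constructed,constructed,Upgrade vsftpd,,"Backdoor shell responded"
10002,,7.5,High,192.0.2.10,tcp,445,Samba outdated,constructed,constructed,Update Samba,,
10003,CVE-PLACEHOLDER-2,5.0,Medium,192.0.2.10,tcp,3306,MySQL weak password,constructed,constructed,Set strong password,,
10002,,7.5,High,192.0.2.11,tcp,445,Samba outdated,constructed,constructed,Update Samba,,
10004,,0.0,None,192.0.2.11,tcp,22,SSH banner,constructed,constructed,n/a,,
"""

REPORTABLE = {"Critical", "High"}

def summarise(csv_text, risks=REPORTABLE):
    """Return {host: [finding dicts]} for rows whose Risk is in `risks`.
    Each finding keeps exactly the fields the lab asks you to record."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] not in risks:
            continue
        findings[row["Host"]].append({
            "service": f'{row["Port"]}/{row["Protocol"]}',
            "severity": row["Risk"],
            "plugin": row["Name"],
            # Nessus leaves CVE empty for many plugins; fall back to the plugin ID.
            "cve": row["CVE"] or f'plugin {row["Plugin ID"]} (no CVE)',
            "remediation": row["Solution"],
        })
    return dict(findings)

def format_entry(f):
    """Render one finding in the concise entry format used in Step 9."""
    return (f"- Service/port: {f['service']}\n- Severity: {f['severity']}\n"
            f"- Nessus plugin: {f['plugin']}\n- Reference: {f['cve']}\n"
            f"- Remediation: {f['remediation']}")

if __name__ == "__main__":
    for host, rows in summarise(SAMPLE_CSV).items():
        print(f"Host {host}: {len(rows)} High/Critical finding(s)")
        for f in sorted(rows, key=lambda r: r["severity"] != "Critical"):
            print(format_entry(f), end="\n\n")
```

Replace SAMPLE_CSV with the contents of your own exported CSV file to produce the entries for your report.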
End of Lab
Best,
Ali