NessusWC Help
=============
1. Log in to a Nessus server
----------------------------
IP Address: This is the IP address of the Nessus server. The field has a
default value set at compile time (i.e. the localhost where I run a Nessus
daemon), but it can be overwritten at any time with a different Nessus server IP
address. There is no DNS name resolution built in, so use IP addresses only,
not names.
Nessus Port: The TCP port number on which the Nessus daemon listens. Port
1241 is standard and set as the default. Should a remote Nessus daemon run on
a different port, it can be set here.
Encryption: NessusWC talks to the daemon over an encrypted connection only; no
cleartext connection is possible. The encryption setting must match what is
configured at the Nessus server (nessusd.conf: ssl_version=). If there is no
entry in nessusd.conf, 'auto' matches for older Nessus versions; newer ones
need 'TLSv1'. Unfortunately, tests show that having one side (client or server)
on 'auto' while the other side isn't results in a communication error. Hence,
make sure you set this value explicitly, e.g. to SSLv3 on both sides.
Username: This is the user configured in the Nessus server. A default user is
set at compile time to correspond with the default server. It can be overwritten
with any valid Nessus username. For information on how to set up a Nessus
user, see the manual for the 'nessus-adduser' command.
Password: This is the Nessus user login password. Security warning: although
the password is encrypted between NessusWC and the Nessus daemon, it is part
of the argument hand-off between the CGIs (not visible in the URL, since the
POST method is used). This could need improvement, maybe by means of a
cookie? Would an SSL session alone be enough for protection? Your ideas are
welcome.
Certificate: NessusWC also supports user authentication with a client
certificate. The client certificate name is currently set at compile time.
If you use password authentication, select 'None (use pass)' from the list.
According to the current Nessus communication protocol, a password *must* be
set and presented to the Nessus server, but with certificate authentication it
is just an arbitrary value; I usually use five stars '*****'.
Client cert authentication has the same security concerns, as knowledge of
the certificate name is as good as the password. Read more in section 6.
2. Configure the Nessus scanner server for a new scan
-----------------------------------------------------
After the successful login, Nessus sends a full set of configuration data.
The data of available plugins is sorted and displayed in a table of plugin
families. A checkbox in front of the family name enables a particular family.
The number after the family is the number of plugins belonging to it.
Be careful what and how much you enable. Besides the fact that certain plugins
have the potential to 'crash' the scan target, a scan with lots of plugins and
multiple targets can put considerable stress on networks. Enabling
everything will also *substantially* increase the scan time. Nessus comes
with an enormous number of plugins. Although some have a certain intelligence
through dependencies, often they just probe nonexistent services, where Nessus
needs to wait for the network timeout before it can move on. These seconds
and minutes add up and you risk a timeout error!
The latest plugin additions to Nessus are the so-called 'Local Security' checks
that verify a system's patch level. These plugins work only if Nessus is
able to log into the system (currently only via secure shell with passwordless
public/private key authentication). Please enable these checks only if that is
correctly set up with your target system.
My advice is to start easy with say the 'General' section plugin group and
add other groups as necessary.
Above the plugin family selection is where the scan target system IP address
needs to be specified. Although a netmask field is available and suggests the
possibility of scanning a network, this feature is not yet implemented.
Currently, NessusWC scans a single host IP only and ignores the netmask field.
By clicking the 'Scan' button, NessusWC logs on to Nessus again and starts the
scan, enabling the plugins from the selected plugin families. It then updates
the scan status HTML page, which forwards to the results HTML page once the
scan is complete.
3. Using Scan Templates
-----------------------
Scan templates are scan configuration files containing a list of plugins,
their preferences and "enabled" status. They allow a fine-grained scan
configuration that enables or disables single plugins rather than whole plugin
families.
A scan template can be generated after a normal scanner login with NessusWC,
at the scan configuration page. Templates can also be generated by exporting
a scan session from NessusWX, the Nessus client program for Windows. Template
file generation in NessusWC is limited to a maximum of 999 files.
Once a template is selected for scanning, the Nessus login screen comes
up to ask for the Nessus server login. After that, the scan configuration
display highlights plugin families where at least one plugin has been
selected and asks for the target IP address to scan. Then, start the scan
as usual.
4. Scheduled scanning
---------------------
Scans with a scan template can be scheduled using wget with a crontab entry.
Here is a working example: run a scan every Saturday for host 192.168.11.110
with template "Windows Systems" (which is template-003.rc).
Add to the crontab of the web server user (e.g. wwwrun) a line like this:
11 8 * * 6 wget "http://localhost/nessuswc/cgi-bin/scanprocess.cgi?nessusd-ip=127.0.0.1&nessusd-port=1241&nessusd-encr=SSLv3&nessusd-user=fm&nessusd-pass=test&nessusd-cert=none&t-ip=192.168.11.110&t-mask=255.255.255.255&template=template-003.rc" > /dev/null 2>&1
(the whole entry must be on a single line in the crontab).
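The crontab line above embeds the Nessus password in the command itself, and because wget sends it as a GET query string it also ends up in the web server's access log. As an added example (not NessusWC's own code), the wrapper below keeps the password in a separate mode-600 file and builds the same scanprocess.cgi URL with proper percent-encoding, so characters like '&' or spaces in a password or template name cannot break the query string. The CGI parameter names are those of the crontab example; the script path /usr/local/bin/nessuswc-cron.sh and the variable NESSUSWC_PASS_FILE are assumptions.

```shell
#!/bin/sh
# Added example, not part of NessusWC. Assumed layout: this file is installed as
# /usr/local/bin/nessuswc-cron.sh (hypothetical) and the Nessus password is the
# first line of the file named by NESSUSWC_PASS_FILE (default ~/.nessuswc-pass).

# Percent-encode one query-string value byte by byte. RFC 3986 unreserved
# characters pass through unchanged; everything else becomes %XX.
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr ' ' '\n' | grep -v '^$' | awk '
    BEGIN { for (i = 0; i < 256; i++) ord[sprintf("%02x", i)] = i }
    {
      c = sprintf("%c", ord[$1])
      if (c ~ /^[A-Za-z0-9._~-]$/) printf "%s", c
      else printf "%%%s", toupper($1)
    }'
}

# Assemble the scanprocess.cgi URL from the help text's parameters:
# base nessusd-ip nessusd-port nessusd-encr user pass cert target-ip mask template
build_scan_url() {
  base="$1"; nip="$2"; nport="$3"; encr="$4"; user="$5"; pass="$6"
  cert="$7"; tip="$8"; tmask="$9"; tmpl="${10}"
  printf '%s?nessusd-ip=%s&nessusd-port=%s&nessusd-encr=%s&nessusd-user=%s&nessusd-pass=%s&nessusd-cert=%s&t-ip=%s&t-mask=%s&template=%s' \
    "$base" "$(urlencode "$nip")" "$(urlencode "$nport")" "$(urlencode "$encr")" \
    "$(urlencode "$user")" "$(urlencode "$pass")" "$(urlencode "$cert")" \
    "$(urlencode "$tip")" "$(urlencode "$tmask")" "$(urlencode "$tmpl")"
}

# Read the first line of a secret file, refusing files readable by group/others.
read_secret_file() {
  f="$1"
  [ -f "$f" ] || { echo "secret file $f missing" >&2; return 1; }
  if [ -n "$(find "$f" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]; then
    echo "secret file $f is readable by group or others; chmod 600 it" >&2
    return 1
  fi
  head -n 1 "$f"
}

# Equivalent of the help text's crontab line, with the password kept out of it.
run_scheduled_scan() {
  pass="$(read_secret_file "${NESSUSWC_PASS_FILE:-$HOME/.nessuswc-pass}")" || return 1
  url="$(build_scan_url "http://localhost/nessuswc/cgi-bin/scanprocess.cgi" \
          127.0.0.1 1241 SSLv3 fm "$pass" none \
          192.168.11.110 255.255.255.255 template-003.rc)"
  wget -q -O /dev/null "$url"
}

# Crontab entry for the web server user (replaces the long wget line):
#   11 8 * * 6 /usr/local/bin/nessuswc-cron.sh run
# The scan is only started when called with "run", so the functions can be
# sourced or tested without contacting the server.
if [ "${1:-}" = "run" ]; then
  run_scheduled_scan
fi
```

The password still travels in the query string to the CGI, which section 1 already flags as a hand-off concern, so keep the web server's access log readable only by the web server user as well.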
5. Most common errors:
----------------------
SSL connection errors, example 1: Error SSL_connect during SSL handshake.
Reason: Operation not permitted.
Check that all certificates match: client certificate and nessus server
certificate are signed by the same CA certificate and the client has the
correct CA certificate available.
SSL connection errors, example 2: Error SSL_connect() during SSL handshake.
0 Input/output error || 0 No such device or address
The encryption setting of NessusWC must match the Nessus daemon configuration
in /etc/nessus/nessusd.conf; check for a line ssl_version=SSLv3.
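The encryption rule from section 1 (both sides must carry the same explicit ssl_version; 'auto' on one side fails) and the fix for error example 2 can be checked before a scan is scheduled. The preflight script below is an added example, not part of NessusWC or Nessus: it reads ssl_version from the daemon's configuration file and compares it with the value NessusWC is set to. The default path /etc/nessus/nessusd.conf is the one the help text names; the function names and the "check" argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of NessusWC. Usage (hypothetical):
#   nessuswc-preflight.sh check SSLv3 [/path/to/nessusd.conf]

# Print the ssl_version value from a nessusd.conf file (empty if there is no
# entry). Whitespace around '=' and trailing '#' comments are tolerated.
conf_ssl_version() {
  sed -n 's/^[[:space:]]*ssl_version[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Compare the NessusWC setting with the daemon's. Succeeds only when both
# sides carry the same explicit value; a missing entry or 'auto' on either
# side is reported as a problem, following the help text's observation.
check_encryption_match() {
  client="$1"; server="$2"
  if [ -z "$server" ]; then
    echo "server has no ssl_version entry in nessusd.conf; add ssl_version=$client"
    return 1
  elif [ "$client" = "auto" ] || [ "$server" = "auto" ]; then
    echo "'auto' in use (client=$client, server=$server); set the same explicit value on both sides"
    return 1
  elif [ "$client" != "$server" ]; then
    echo "mismatch: client=$client, server=$server"
    return 1
  fi
  echo "ok: both sides use $client"
}

# Run the comparison against a configuration file (default: the path named in
# the help text). Exit status is non-zero on any problem, so it can gate a
# scheduled scan from cron.
preflight() {
  client="${1:-SSLv3}"
  conf="${2:-/etc/nessus/nessusd.conf}"
  [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
  check_encryption_match "$client" "$(conf_ssl_version "$conf")"
}

if [ "${1:-}" = "check" ]; then
  preflight "$2" "$3"
fi
```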
SSL connection errors, example 3: Error connecting to Nessus server [ip] port
on [num].
Either the remote Nessus server is down, firewalled, or just starting up and
loading its plugins, or the host is simply not reachable or doesn't even exist.
Other connection errors, example 4: Can't login to Nessus server.
Either your Nessus username or password is wrong or the Nessus user does not
exist. You will also see a 'Bad login attempt' message in the Nessus server
log.
Scan configuration errors, example 1: No plugin family has been selected.
You forgot to select at least one plugin family.
Scan configuration errors, example 2: These hosts could not be tested
because you are not allowed to do so.
A Nessus server ruleset prevents you from scanning that particular host/
network. Check nessusd.rules or the user's rules configuration.
Scan process errors: If a scan takes too long, the web server can and will
cut the connection through a timeout. When this happens, the web client has not
written a result page and forwards to a nonexistent document with error 404.
Increasing the timeout on the web server makes sense, as scans can easily take
longer than the defaults. For the Apache web server, I increased the standard
timeout from 300 (seconds, equals 5 minutes) to 1800 (half an hour).
NessusWC Client Error: max number of plugins exhausted (20000).
The maximum number of plugins is set in nessuswc.h. With the Nessus plugin list
constantly growing, it recently went over 20,000 plugins, exceeding NessusWC's
internal limit for plugins. This limit can be increased in nessuswc.h,
e.g. #define MAXPLUGS 40000, followed by a recompilation. 40000 is the new
default value in NessusWC v1.2.2.
6. Restrictions and more security concerns
------------------------------------------
In the NessusWC software version I run online, the default user 'guest'
is restricted to only be able to scan localhost and the official IP address
of my web server.
You are free to set the Nessus server and user name to your own system and
scan with the limited or unlimited abilities of *your own* Nessus daemon.
You'll be responsible for the scans originating from your Nessus daemon,
since this software only provides the ability to configure and start a scan
that is ultimately executed and traceable to the Nessus daemon IP itself.
Also, the generated scan results on this server are open to public review.
Should that be a concern, feel free to download, configure and compile the
source on your own system, where you can control and restrict access to this
scanner interface and/or the results, which is highly advisable.
7. Additional Notes
-------------------
NessusWC has been reported running on all major Linux distributions. It
works with all Nessus versions from 2 up to and including the latest releases,
2.2.10 and 3.0.5. Users of Fedora Core 4 (FC4) and up, please watch out
for the SELinux functionality now enabled by default: it stops the
Apache daemon from opening a network socket. The error you will get is:
Error connecting to Nessus server [ip] port [num].
... even if your Nessus daemon is running on localhost.
Happy Scanning!
Frank