1. Log in to a Nessus server

IP Address: This is the IP address of the Nessus server. The field has a default value set at compile time (i.e. set to localhost where I run a Nessus daemon), but it can be overwritten anytime with a different Nessus server IP address. There is no DNS name resolution built in, so use IP addresses only, not host names.

Nessus Port: That's the TCP port number where the Nessus daemon listens. Port 1241 is standard and set as the default. Should a remote Nessus daemon run on a different port, it can be set here.

Encryption: The NessusWC client communication is always encrypted; no cleartext connection is possible. The encryption setting must match what is configured at the Nessus server (nessusd.conf: ssl_version=). If there is no entry in nessusd.conf, 'auto' matches for older Nessus versions, newer ones need 'TLSv1'. Unfortunately, tests show that having one side (client or server) on 'auto' while the other side isn't will result in a communication error. Hence, make sure you set this value explicitly, e.g. set it to SSLv3 on both sides.

Username: This is the user configured in the Nessus server. A default user is set at compile time to correspond with a default server. It can be overwritten with any valid nessus username. For information on how to set up a nessus user, see the manual for the 'nessus-adduser' command.

Password: This is the Nessus user login password. Security warning: Although the password is encrypted between NessusWC and the Nessus daemon, it is part of the argument hand-off between the cgi's (although not visible in the URL, since the POST method is used). This could need improvement. Maybe by means of a cookie? Would an SSL session alone be enough for protection? Your ideas are welcome.

Certificate: NessusWC also supports user authentication with a client certificate. This client certificate name is currently set at compile time. If you use password authentication, select 'None (use pass)' from the list. According to the current Nessus communication protocol, a password *must* be set and presented to the Nessus server. With a client certificate it can be any arbitrary value; I usually use five stars '*****'. Client cert authentication has the same security concerns, as knowledge of the certificate name is as good as the password. Read more in section 6.

2. Configure the Nessus scanner server for a new scan


After the successful login, Nessus sends a full set of configuration data. The data of available plugins is sorted and displayed in a table of plugin families. A checkbox in front of the family name enables a particular family. The number after the family is the number of plugins belonging to it. Be careful what and how much you enable. Apart from the fact that certain plugins have the potential to 'crash' the scan target, a scan with lots of plugins and multiple targets can put considerable stress on networks. Enabling everything will also *substantially* increase the scan time. Nessus comes with an enormous number of plugins. Although some have a certain intelligence through dependencies, often they just probe nonexistent services where Nessus needs to wait for the network timeout before it can move on. These seconds and minutes add up and you'll risk a timeout error! The latest plugin addition to Nessus is the so-called 'Local Security' checks that verify a system's patch level. These plugins work only if Nessus is able to log into the system (currently only via secure shell with passwordless public/private key authentication). Please enable these checks only if that is correctly set up with your target system. My advice is to start easy with, say, the 'General' plugin group and add other groups as necessary.

Above the plugin family selection is where the scan target system IP address needs to be specified. Although a netmask field is available and suggests the possibility to scan a network, this feature is not yet implemented. Currently, NessusWC scans a single host IP only and ignores the netmask field.

By clicking on the 'Scan' button, NessusWC logs on to Nessus again and starts the scan, enabling the plugins from the selected plugin families. It then updates the scan status html page, which forwards to the results html page once the scan is complete.

3. Using Scan Templates


Scan templates are scan configuration files containing a list of plugins, their preferences and "enabled" status. They allow a fine-grained scan configuration to enable or disable single plugins rather than whole plugin families. A scan template can be generated after a normal scanner login with NessusWC at the scan configuration page. They can also be generated by exporting a scan session from NessusWX, the Nessus client program for Windows. The template file generation in NessusWC is limited to a maximum of 999 files.

Once a template is selected for scanning, the Nessus login screen comes up to ask for the Nessus server login. After that, the scan configuration display highlights plugin families where at least one plugin has been selected and asks for the target IP address to scan. Then, start the scan as usual.

4. Scheduled scanning


Scans with a scan template can be scheduled using wget with a crontab entry. Here is a working example: Run a scan every Saturday for host 192.168.11.110 with template "Windows Systems" (file template-003.rc).

Add to the crontab of the webserver user (e.g. wwwrun) a line like this:

11 8 * * 6  wget http://localhost/nessuswc/cgi-bin/"scanprocess.cgi?nessusd-ip=127.0.0.1&nessusd-port=1241&nessusd-encr=SSLv3&nessusd-user=fm&nessusd-pass=test&nessusd-cert=none&t-ip=192.168.11.110&t-mask=255.255.255.255&template=template-003.rc" > /dev/null 2>&1

(make sure the whole entry is on a single line in the crontab, without any line breaks).
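The crontab line above puts the Nessus password into the crontab itself and into the wget command line, where every local user can read it from the process list. The following wrapper script is an added example (not part of NessusWC) that schedules the same scan but reads the login from a mode 0600 file and hands the URL to wget through a temporary file instead of argv. The credentials file layout (username on line 1, password on line 2) and the NESSUSWC_URL variable are assumptions of this example.

```sh
#!/bin/sh
# Scheduled NessusWC scan wrapper (added example, not part of NessusWC).
# Keeps the Nessus password out of the crontab line and out of `ps` output.
set -eu

# Percent-encode a string for a URL query; RFC 3986 unreserved characters are kept.
urlencode() {
    s=$1; out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}              # peel off the first character
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Build the scanprocess.cgi query string shown on this page.
# Arguments: nessusd-ip nessusd-port user pass target-ip template-file
build_scan_query() {
    printf 'nessusd-ip=%s&nessusd-port=%s&nessusd-encr=SSLv3&nessusd-user=%s&nessusd-pass=%s&nessusd-cert=none&t-ip=%s&t-mask=255.255.255.255&template=%s' \
        "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")" \
        "$(urlencode "$4")" "$(urlencode "$5")" "$(urlencode "$6")"
}

# Refuse a credentials file that group or others can read (must be 0600-like).
cred_file_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# $1 = credentials file (line 1 user, line 2 password; assumed layout),
# $2 = target IP, $3 = template file name, e.g. template-003.rc
run_scheduled_scan() {
    cred=$1; target=$2; template=$3
    base="${NESSUSWC_URL:-http://localhost/nessuswc/cgi-bin/scanprocess.cgi}"
    cred_file_is_private "$cred" || { echo "refusing: $cred is group/world readable" >&2; return 1; }
    user=$(sed -n 1p "$cred"); pass=$(sed -n 2p "$cred")
    umask 077                                  # temp file readable by this user only
    tmp=$(mktemp)
    printf '%s?%s\n' "$base" "$(build_scan_query 127.0.0.1 1241 "$user" "$pass" "$target" "$template")" > "$tmp"
    rc=0
    wget -q -O /dev/null -i "$tmp" || rc=$?    # -i reads the URL from the file, not argv
    rm -f "$tmp"
    return $rc
}
```

A crontab entry then only needs `11 8 * * 6  /path/to/nessuswc-scan.sh /path/to/cred 192.168.11.110 template-003.rc` after the script has sourced or called run_scheduled_scan with those arguments. The URL, password included, still ends up in the web server's access log, exactly as with the plain wget line.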

5. Most common errors:


SSL connection errors, example 1: Error SSL_connect during SSL handshake. Reason: Operation not permitted.

Check that all certificates match: client certificate and Nessus server certificate are signed by the same CA certificate and the client has the correct CA certificate available. The error also occurs when a certificate has expired.

SSL connection errors, example 2: Error SSL_connect() during SSL handshake. 0 Input/output error || 0 No such device or address

The encryption setting of NessusWC must match the Nessus daemon configuration in /etc/nessus/nessusd.conf; check for a line ssl_version=SSLv3.

SSL connection errors, example 3: Error connecting to Nessus server [ip] port on [num].

Either the remote Nessus server is down, firewalled, or just starting up and loading its plugins - or the host is simply not reachable or doesn't even exist.

Other connection errors, example 4: Can't login to Nessus server.

Either your Nessus username or password is wrong or the Nessus user does not exist. You will also see a 'Bad login attempt' message in the Nessus server log.

Scan configuration errors, example 1: No plugin family has been selected.

You forgot to select at least one plugin family.

Scan configuration errors, example 2: These hosts could not be tested because you are not allowed to do so.

A Nessus server ruleset prevents you from scanning that particular host/network. Check nessusd.rules or the user's rules configuration.

Scan process errors: If a scan is taking too long, the webserver can and will cut the connection through a timeout. When this happens, the web client has not written a result page and forwards to a nonexistent document with error 404.

Increasing the timeout on the web server makes sense as scans can easily take longer than the defaults. For the Apache web server, I increased the standard timeout from 300 (seconds, equals 5 minutes) to 1800 (half an hour).

NessusWC Client Error: max number of plugins exhausted (20000).

The max number of plugins is set in nessuswc.h. With the Nessus plugin list constantly growing, it recently went over 20,000 plugins, exceeding NessusWC's internal limit for plugins. This limit can be increased in nessuswc.h, e.g. #define MAXPLUGS 40000, followed by a recompilation. 40000 is the new default value in NessusWC v1.2.2.

6. Restrictions and more security concerns


In the NessusWC software version I run online, the default user 'guest' is restricted to only be able to scan localhost and the official IP address of my web server. You are free to set the Nessus server and user name to your own system and scan with the limited or unlimited abilities of *your own* Nessus daemon. You'll be responsible for the scans originating from your Nessus daemon, since this software only provides the ability to configure and start a scan that is ultimately executed and traceable to the Nessus daemon IP itself.

Also, the generated scan results on this server are open to public review. Should that be a concern, feel free to download, configure and compile the source on your own system where you can control and restrict access to this scanner interface and/or the results, which is highly advisable.

7. Supported Versions


NessusWC has been reported running on all major Linux distributions and Apple's OS X. It works with all Nessus servers from version 2 up to releases 2.2.10 and 3.0.5. Since Nessus went closed-source and, since 2008, is distributed as binaries only, no further development of NessusWC is possible.

The open-source fork OpenVAS changed the communication protocol and NessusWC is not compatible with OpenVAS version 3 and up.

8. Additional Notes


Users of Fedora Core 4 (FC4) and up, please watch out for the SELinux functionality now enabled by default. It will stop the Apache daemon from opening a network socket. The error you will get is: Error connecting to Nessus server [ip] port [num]. ... even if your Nessus daemon is running on the localhost.

Happy Scanning! Frank