Nessus Port Scanning (Part 1)

Introduction

In this article, we will explore the port scanning capabilities of Nessus, a popular vulnerability scanning tool. We will delve into the different types of port scanners that Nessus uses, how to view and modify the settings, and whether it is simply an NMAP plugin. Let’s dive in and uncover the details.

Understanding Port Scanners in Nessus

When running a Discovery Scan with Nessus, you may wonder how the tool gathers its port information. While the simple answer is “port scanning,” we need to understand the specific type of port scanning employed by Nessus. To begin our exploration, let’s visit the following link: https://anon.tools/public/blog/nessus/port-scanners.

Analyzing a Recent Scan

To gain a deeper understanding of Nessus’ port scanning capabilities, let’s examine a recent scan and filter for the Port Scanner plugin family. Follow these steps:

  1. Open your browser and navigate to “Scans > [Scan Name] > Vulnerabilities.”
  2. Apply the “Portscanner” filter to display the relevant plugins.

By filtering for the Portscanner family, we can see the specific plugin that Nessus utilized during the scan.

Examining the Netstat Portscanner Plugin

One such plugin we may encounter is the Netstat Portscanner Plugin (ID 14272). Let’s explore what this plugin does and how it operates.

Plugin Description

The plugin description states that it runs a netstat command over the supplied SSH credentials. Although its type is listed as “Remote,” it relies on those SSH credentials for port enumeration, and it runs netstat rather than an “ss” command.

Plugin Code

We can even take a peek into the plugin code to understand its underlying functionality. The code snippet below demonstrates the netstat command being executed:

```nasl
# Local-host branch of the plugin: run netstat on the scanned host itself
# (agent or localhost case) and store the raw output in the knowledge base
# for the port-scanning logic to parse.
if (lcx::check_localhost())
{
    buf = netstat::run_localhost_netstat();

    if (buf)
    {
        # The raw netstat output and the method used become KB entries.
        set_kb_item(name:"Host/netstat", value:buf);
        set_kb_item(name:"Host/netstat/method", value:"local");

        if (agent())
        {
            agent_ip = agent_get_ip();

            if (!isnull(agent_ip))
                report_xml_tag(tag:"host-ip", value:agent_ip);
        }
    }
    else
        exit(1, "Failed to run the command 'netstat -a -n' on localhost.");
}
```

Based on this code snippet, we can confirm that the plugin indeed uses the netstat -a -n command for port scanning. Note that netstat is available on both Windows and Linux systems.
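To see what the netstat output stored in the Host/netstat entry actually yields, here is an added Python example (not Nessus' or Tenable's code) that parses constructed netstat -a -n output in both the Linux and Windows layouts and lists the sockets a credentialed scan would report as open. The loopback_only helper shows why this method finds services, such as the loopback-bound 631/tcp in the sample, that a probe from the network cannot reach.

```python
from typing import List, NamedTuple

class Socket(NamedTuple):
    proto: str   # tcp, tcp6, udp, udp6 (lower-cased)
    addr: str    # local bind address
    port: int
    state: str   # normalised to LISTEN / ESTABLISHED / ...; "" for UDP on Windows

# Constructed sample output of `netstat -a -n` (not captured from a real host).
SAMPLE_LINUX = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""
SAMPLE_WINDOWS = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49701     52.96.0.1:443          ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

def parse_netstat(output: str) -> List[Socket]:
    """Parse netstat -a -n output in either the Linux (Recv-Q/Send-Q) or Windows layout."""
    sockets = []
    for line in output.splitlines():
        f = line.split()
        if not f or f[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # headers, blank lines, unix-domain sockets
        if len(f) >= 4 and f[1].isdigit() and f[2].isdigit():
            local, state = f[3], (f[5] if len(f) > 5 else "")  # Linux columns
        else:
            local, state = f[1], (f[3] if len(f) > 3 else "")  # Windows columns
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        state = {"LISTENING": "LISTEN"}.get(state.upper(), state.upper())
        sockets.append(Socket(f[0].lower(), addr, int(port), state))
    return sockets

def listening_ports(output: str):
    """Open ports as the credentialed scan sees them: TCP in LISTEN plus every bound UDP socket."""
    return sorted({(s.proto.rstrip("6"), s.port) for s in parse_netstat(output)
                   if s.state == "LISTEN" or s.proto.startswith("udp")})

def loopback_only(output: str):
    """Listeners bound to loopback: reported by netstat, unreachable from a network scanner."""
    return sorted({(s.proto.rstrip("6"), s.port) for s in parse_netstat(output)
                   if s.state == "LISTEN" and s.addr in ("127.0.0.1", "::1")})
```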

Port Scanning Without Credentials

To further investigate the behavior of Nessus’ port scanning, let’s see what happens when we remove the SSH credentials. In this case, the scan completes successfully, but the Port Scanner plugin only attempts a ping. However, a ping alone cannot provide port information, as evident from the plugin’s output, which fails to detect any ports and simply confirms that the host is up.

Understanding Other Port Scanner Plugins

Now that we know where to find the plugin information, we can follow the same approach to explore other port scanner plugins used by Nessus. Visit https://anon.tools/public/blog/nessus/port-scanners and run the scan while filtering for port scanner plugins. Check the plugin code and output to gain insights into how Nessus obtains its port information.

Conclusion

In this part of the series, we have covered the basics of Nessus’ port scanning capabilities. We have explored the Netstat Portscanner Plugin, its code, and the behavior when SSH credentials are absent. In the next part, we will delve into customizing port scans, defining port scan ranges, and troubleshooting steps. If you have any questions, please leave a comment below.
