Activity 4.1: Install a Vulnerability Scanner

In this exercise I will install Nessus on a Kali Linux VM. After installation, I will run a vulnerability scan on an unpatched version of Windows Server 2019 and the Metasploitable VM.


  1. Visit Nessus in order to obtain an activation code. It's free. Put your email in and done!

  2. Download the correct version of Nessus. As Kali Linux is based on Debian Linux, I will download that version.

  3. In order to install on Kali, first open a terminal as root. Navigate to the directory where Nessus was downloaded. Run the install command, or refer to the documentation for the correct command to run.

  4. Start the Nessus Scanner by typing # /bin/systemctl start nessusd.service for Debian, Kali or Ubuntu. Red Hat, CentOS, Oracle Linux, Fedora, SUSE and FreeBSD can use # service nessusd start

  5. Complete the install from the web browser by visiting the URL stated in the terminal. In my case it is “https://kali:8834/”. Make sure you have your activation code ready.


Once you create a username and password, Nessus will reach out and install the required plugins. Grab some popcorn; this can take some time.


Activity 4.2: Run a Vulnerability Scan

Running a vulnerability scan from Tenable is easy.

  1. Log in to your Nessus Server via the URL provided after install. Mine was “https://kali:8834/”.

  2. Select New Scan > Basic Network Scan

  3. Input the hosts you would like scanned. In this situation I will select:
    • The Metasploitable VM
    • The Windows VM

     Once the scan is created, launch the scan.

  4. Here are the results! You can click the report button in the corner for a nice pretty report in the format of your choice.

  5. As this is a non-credentialed scan, what happens when we add credentials to our scan? I will create a new credentialed scan for my Windows VM. Create a new scan. Under the credentials tab, add the credentials for our Windows Server. Note: In a production environment, you would create a service account for this purpose.

  6. Let's review the results. We are able to get greater insight and view more vulnerabilities by running the credentialed scan.

Credentialed Scan: 260 Vulnerabilities

Un-Credentialed Scan: 51 Vulnerabilities
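To see which findings account for the gap between the two totals, both results can be exported as CSV and compared. The script below is an added example, not part of the original write-up: the rows, plugin IDs and host address are constructed sample data, and the column names (Plugin ID, Risk, Host, Port, Name) are assumed to match the scanner's CSV export.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (not real scan output); column names are assumed.
UNCRED_CSV = """Plugin ID,Risk,Host,Protocol,Port,Name
900001,None,192.0.2.10,tcp,445,Constructed: SMB service detected
900002,Medium,192.0.2.10,tcp,445,Constructed: SMB signing not required
900003,High,192.0.2.10,tcp,3389,Constructed: weak remote desktop encryption
"""
CRED_CSV = UNCRED_CSV + """\
900010,Critical,192.0.2.10,tcp,445,Constructed: missing cumulative security update
900011,High,192.0.2.10,tcp,445,Constructed: outdated third-party runtime installed
900012,High,192.0.2.10,tcp,0,Constructed: unquoted service path
"""

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


def load_findings(csv_text):
    """Return {(host, port, plugin_id): row} for one exported scan."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings[(row["Host"], row["Port"], row["Plugin ID"])] = row
    return findings


def credentialed_only(uncred_text, cred_text):
    """Findings seen only with credentials, most severe first."""
    uncred = load_findings(uncred_text)
    cred = load_findings(cred_text)
    new = [row for key, row in cred.items() if key not in uncred]
    # Unknown risk labels sort last instead of raising.
    return sorted(new, key=lambda r: (RANK.get(r["Risk"], len(RANK)), r["Name"]))


def summarize(rows):
    """Count findings per risk level, in severity order, skipping empty levels."""
    counts = Counter(r["Risk"] for r in rows)
    return [(risk, counts[risk]) for risk in SEVERITY_ORDER if counts[risk]]


if __name__ == "__main__":
    new = credentialed_only(UNCRED_CSV, CRED_CSV)
    for risk, n in summarize(new):
        print(f"{risk}: {n} finding(s) only visible with credentials")
    for r in new:
        print(f"  [{r['Risk']}] {r['Host']}:{r['Port']} {r['Name']}")
```

Keying on host, port and plugin ID means a plugin that fires on several ports is counted once per port, so the result is a list of distinct findings rather than distinct plugins.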


A glossary of all the terms, acronyms and slang I run across for this chapter.

Active Scanning: The scanning actively engages and tests the host for vulnerabilities.
Agent-based Scanning: Systems run a lightweight agent which scans and reports back to the scanning server
Barriers to Scanning: Fear of service degradations, rigid customer agreements, IT governance and change management processes
Common Vulnerability Scanning Tools: Tenable Nessus, Qualys, Rapid7 Nexpose and OpenVAS
Compensating Control: Additional steps taken to address a vulnerability without fully remediating it
CPE: Common Platform Enumeration; SCAP component that provides standard naming for products and versions
Credentialed Scanning: Providing system access to a scan, allowing access to operating systems, databases and applications
CVSS: Common Vulnerability Scoring System, provides a standardised approach for measuring vulnerability severity
Determining Scan Frequency: Depends on organisation's risk appetite, compliance standards, target system technical constraints, business constraints and licensing limitations
External Scan PCI DSS: Scan must be run by an approved scanning vendor
Federal Agency Scanning Scope: Applies to low, moderate and high impact systems
FISMA: Federal Information Security Act
Identifying Scan Targets: Targets are often identified by asset criticality, data classification of the info stored, system exposure to the internet or private networks and environment type of the system
Interception Proxies: Run on a tester's system and intercept requests from the web browser to the web server before being released; can be classified as an exploit tool.
Ongoing Scanning: Similar to continuous monitoring, constantly scans the network for vulnerabilities, instead of traditional scheduled scanning
Passive Scanning: Monitor the network passively, looking for outdated or vulnerable systems
PCI DSS: Payment Card Data Security Standard
PCI DSS Internal Scanning Scope: Scans only need to be run on systems dedicated to credit card processing.
PCI DSS Scan Frequency: Scans must be performed quarterly at a minimum
Prioritizing Remediation: Deciding factors include criticality of systems affected, difficulty of remediation, severity of the vulnerability, exposure of the vulnerability
Remediation Workflow: After a scan, organisations should have a workflow that prioritises testing, detection and remediation of detected vulnerabilities
Scan Perspective: Running scans from different network vantage points and the internet in order to provide a different view into potential vulnerabilities
Scan Scope: What systems and networks will be included in the scan; what kind of scan will be conducted.
SCAP: Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.
Vulnerability Feeds: Ensures scans have the latest virus signatures, file hashes and plugins in order to scan for specified vulnerabilities
Vulnerability Management Program: Seeks to identify, prioritize and remediate vulnerabilities
Web App Scanning Tools: Common tools include Nikto, command line based, and Arachni
Wireless Assessment Tools: Aircrack-ng, Reaver, Hashcat (formerly known as oclHashcat)
Zed Attack Proxy: Popular open source interception proxy