This chapter provides a comprehensive study of the Nessus vulnerability scanner, a critical tool for the Vulnerability Management domain of the CS0-003 CySA+ exam. Nessus is widely used for automated vulnerability scanning, configuration auditing, and compliance checking. Approximately 10-15% of exam questions in Domain 2 (Vulnerability Management) will involve Nessus, including its architecture, scan types, plugin system, and interpretation of results. Mastery of Nessus is essential for the exam and real-world security analysis.
Imagine a hospital where doctors need to diagnose patients' illnesses. The hospital has a central diagnostic lab (Nessus) that can run hundreds of different tests. When a doctor (security analyst) orders a checkup (vulnerability scan), they send a requisition form (scan policy) to the lab. The lab technician (Nessus engine) first accesses the patient's chart (target list) and then draws blood, takes X-rays, and performs other tests (plugins). Each test is a specific procedure: a blood test checks for anemia (e.g., missing patch), an X-ray looks for fractures (e.g., open port). The lab uses a standardized machine (Nessus scanner) that runs all tests simultaneously. Results are compiled into a report (PDF/HTML) listing each abnormality (vulnerability) with severity (critical, high, etc.) and recommended treatment (remediation). The doctor then prioritizes treatments based on severity and criticality. Just as a lab might have false positives (e.g., a borderline result that isn't actually disease), Nessus can report false positives that need verification. The lab also has a quality control process (plugin updates) to ensure tests are current. If the lab is overloaded (many scans), results may be delayed. The key is that the lab doesn't treat the patient—it only identifies issues. Similarly, Nessus identifies vulnerabilities but does not fix them automatically.
What is Nessus and Why Does It Exist?
Nessus is a proprietary vulnerability scanner developed by Tenable, Inc. It is one of the most widely deployed scanners in enterprise environments, used to identify vulnerabilities, misconfigurations, and compliance issues across networks, systems, and applications. Nessus exists because manual security assessments are time-consuming, error-prone, and impractical at scale. Automated scanning allows organizations to continuously monitor their attack surface and prioritize remediation based on risk.
Nessus supports both authenticated and unauthenticated scanning. Authenticated scans use credentials (e.g., SSH, Windows domain accounts) to log into targets and perform deep inspections, such as checking registry settings, file versions, and patch levels. Unauthenticated scans rely on network-based probes to identify open ports, services, and banner information, which can reveal vulnerabilities without accessing the target OS.
How Nessus Works Internally
Nessus operates on a client-server model. The core components are:
Nessus Scanner: The engine that performs scans. It can be installed on Linux, Windows, or as a virtual appliance. The scanner runs plugins (Nessus Attack Scripting Language, NASL scripts) that test for specific vulnerabilities.
Nessus Manager: The edition that manages Nessus Agents and can link other scanners to a central console. The web interface itself (configuring scans, managing users, viewing results) is built into every Nessus scanner and is served over HTTPS on port 8834; the same REST API sits behind that interface and is what scripts and integrations use.
Nessus Agents: Lightweight software installed on endpoints that can perform scans locally and report results to the manager, useful for mobile or offline devices.
When a scan is launched:
Target Discovery: Nessus first determines which targets are alive. By default it combines ARP requests (for targets on the scanner's own segment), ICMP echo requests, and TCP pings to a built-in list of common ports; a response to any of these marks the host as alive. Hosts that drop all of these (for example, behind a firewall that blocks ICMP) are skipped unless 'Ping the remote host' is disabled in the discovery settings.
Port Scanning: Nessus scans each live host for open ports. Network techniques include the SYN scanner (half-open, enabled by default) and a TCP connect scanner, plus a UDP scanner that is off by default because it is slow and unreliable. The default port range is 'default' (approximately 4,790 commonly used ports); 'all' covers 1-65535. When credentials work, Nessus prefers to enumerate listening ports locally on the target (netstat over SSH, or WMI on Windows) rather than probing them over the network, which is both faster and more accurate.
Service Detection: For each open port, Nessus attempts to identify the service and version by sending probes and analyzing banners, matching the responses against a database of service fingerprints.
Plugin Execution: Nessus runs plugins relevant to the detected services and OS. Each plugin has a numeric ID, a severity (Critical, High, Medium, Low, Info), and a family (e.g., 'Windows', 'CGI abuses'). Plugins are written in NASL and delivered through the Nessus plugin feed, which the scanner checks for updates daily by default.
Result Aggregation: Findings are stored in the scanner's database and presented in the UI or exported as reports (PDF, HTML, CSV, or the .nessus XML format, which preserves the full per-host, per-plugin detail and is what other tools import). Each finding includes the plugin ID, description, CVSS score, remediation steps, and evidence (e.g., banner output or the specific file version that was found).
Key Components, Values, Defaults, and Timers
- Plugin Feed: Nessus requires an active subscription to receive plugin updates. The scanner checks the feed daily by default; without a valid activation, only a limited set of plugins is available.
- Scan Policy: A set of parameters that define how a scan runs. Key settings:
  - Port scan range: Default 'default' (approximately 4,790 common ports). Can be set to 'all' (1-65535) or a custom list or range.
  - Scan template: 'Basic Network Scan', 'Credentialed Patch Audit', 'Web Application Tests', 'Advanced Scan', etc.
  - Performance options: Max simultaneous hosts per scan (default 30), max simultaneous checks per host (default 5), network read timeout (default 5 seconds).
- Credentials: For authenticated scans, you can provide SSH (password or key), Windows (domain or local), or database credentials. Nessus uses these to log in and run local checks: querying the registry, file versions and installed software over SMB/WMI on Windows, or running package-manager commands such as 'rpm -qa' or 'dpkg -l' on Linux.
- CVSS Scoring: Nessus derives severity from the CVSS base score (CVSS v3 in current versions; the severity base can be switched between CVSS versions in the scan settings). Base scores range from 0.0 to 10.0 and map to: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9), Info (0.0).
- Schedule: Scans can run once or repeat daily, weekly, monthly, or yearly; the schedule is set in the scan settings with a start time and time zone.
- Agent Check-in Interval: Nessus agents contact the manager every 30 minutes by default, configurable from 1 minute to 24 hours.
Configuration and Verification Commands
Nessus is primarily managed via the web interface, but there is a command-line tool, nessuscli, for administrative tasks (on Linux it lives under /opt/nessus/sbin). Common commands:
# Check Nessus service status
systemctl status nessusd
# Start/stop Nessus
systemctl start nessusd
systemctl stop nessusd
# List registered users
/opt/nessus/sbin/nessuscli lsuser
# Add a new user (prompts for a password and whether the user is an administrator)
/opt/nessus/sbin/nessuscli adduser <username>
# Register the scanner with an activation code
/opt/nessus/sbin/nessuscli fetch --register <activation-code>
# Fetch plugin feed (requires a registered scanner)
/opt/nessus/sbin/nessuscli update --plugins-only
# List scans through the REST API (example with curl). Generate the keys on the
# user's API Keys page in the web UI. -k skips certificate verification, which is
# only acceptable against the default self-signed certificate on localhost; install
# a trusted certificate and drop -k for a scanner reached over the network.
curl -k -H 'X-ApiKeys: accessKey=...; secretKey=...' https://localhost:8834/scans
How Nessus Interacts with Related Technologies
Nessus and SIEM: Nessus itself exports CSV and .nessus XML and exposes a REST API; SIEM integrations (for example the Tenable add-on for Splunk, or custom scripts feeding QRadar or Elastic) pull results through the API or ingest the exported files and normalize them to formats such as CEF. This allows vulnerability data to be correlated with other security events, such as an IDS alert against a host that Nessus already reported as unpatched.
Nessus and Patch Management: Nessus identifies missing patches but does not deploy them. The missing-patch list (for example from 'Credentialed Patch Audit' results) is handed to tools like WSUS, SCCM/ConfigMgr, or a Linux package pipeline for deployment, and a rescan confirms the fix.
Nessus and Compliance: Nessus has compliance scanning capabilities (audit files) for standards like CIS Benchmarks, DISA STIG, and PCI DSS. Compliance checks are credentialed: Nessus logs in, compares the configuration against the baseline, and reports each non-compliant item separately from vulnerability findings.
Nessus and Other Scanners: Nessus can be used alongside scanners like OpenVAS or Qualys. Some organizations run a second scanner to cross-check coverage, since each product's plugin or signature set has gaps; results from different scanners must be deduplicated before they are tracked.
Advanced Features
Nessus Professional: The commercial version includes unlimited IPs, advanced reporting, and compliance templates.
Nessus Expert: Adds external scanning, web application scanning, and cloud infrastructure scanning.
Nessus Cloud: The former name of Tenable's SaaS platform (renamed Tenable.io and now Tenable Vulnerability Management), which manages scanners, agents, and results from the cloud across distributed environments.
Nessus Agents: For scanning endpoints that are not always on the network (laptops, remote workers). Agents perform local scans and report results when they connect.
Performance Considerations
Scanning large networks (e.g., /16 subnet) requires careful tuning. Use the following guidelines:
Set max simultaneous hosts to 15-20 to avoid overwhelming the scanner or network.
Use a dedicated scan network segment to avoid interference with production traffic.
For authenticated scans, use a dedicated service account used for nothing else, and grant only what the checks require: on Linux an SSH account with sudo for the specific commands Nessus needs (configured as privilege escalation in the credential settings), and on Windows local administrator rights, which patch audits generally require. Because the Windows account is privileged, restrict where it can log on, deny interactive logon, keep the password in a vault, and rotate it.
Schedule scans during maintenance windows to minimize impact.
Common Pitfalls
False Positives: Nessus may report vulnerabilities that do not actually exist (e.g., based on banner version that is patched). Always verify findings manually.
False Negatives: Unauthenticated scans miss many vulnerabilities. Always use authenticated scans when possible.
Credential Failure: If credentials are incorrect, lack privileges, or the target does not allow remote login, Nessus quietly continues as an unauthenticated scan and the deep local checks are skipped. Watch for plugin 21745 ('Authentication Failure - Local Checks Not Run') in the results, and check plugin 19506 ('Nessus Scan Information'), which states whether credentialed checks ran on each host.
Plugin Overload: Running all plugins on every host can take days. Use scan policies tailored to the target (e.g., only Windows plugins for Windows hosts).
Install Nessus Scanner
Download the appropriate Nessus package from Tenable's website for your OS (e.g., .deb for Debian/Ubuntu, .rpm for RHEL/CentOS). Install using package manager (e.g., `dpkg -i Nessus-<version>.deb`). After installation, start the Nessus service: `systemctl start nessusd`. Access the web interface at `https://<scanner-ip>:8834`. On first login, you must register the scanner with a Nessus activation code (obtained from Tenable). Without registration, only a limited set of plugins is available. The activation code ties the scanner to your subscription level (Professional, Expert, etc.).
Create a Scan Policy
In the Nessus web interface, navigate to 'Policies' and click 'New Policy'. Choose a template (e.g., 'Basic Network Scan' for unauthenticated, 'Credentialed Patch Audit' for authenticated). Configure settings: port scan range (default 'default' scans common ports; set to 'all' for full 65535 ports), discovery settings (ping methods, timing), and performance options (max hosts, max checks). For authenticated scans, add credentials under the 'Credentials' tab: SSH credentials (username/password or key) for Unix, or Windows credentials (domain or local). Save the policy with a descriptive name.
Configure a Scan and Launch It
Go to 'Scans' > 'Create New Scan'. Select the policy created earlier. Enter a name, description, and targets (IP addresses, CIDR ranges, or hostnames). Optionally set a schedule (e.g., daily at 2 AM). Under 'Notifications', configure email alerts for scan completion or critical findings. Click 'Launch' to start the scan immediately. The scan will proceed through discovery, port scanning, service detection, and plugin execution. You can monitor progress in the 'Scans' list; the status shows 'Running', 'Completed', or 'Canceled'.
Review Scan Results
Once the scan completes, click on the scan name to view results. The 'Vulnerabilities' tab lists all findings sorted by severity (Critical, High, Medium, Low, Info). Each entry shows the plugin ID, name, CVSS score, and host count. Click a vulnerability to see details: description, affected hosts, remediation steps, and evidence (e.g., banner output). The 'Hosts' tab shows each target with its open ports and associated vulnerabilities. Use filters to focus on specific severities or plugins. Export results as PDF, HTML, CSV, or Nessus format for reporting.
Remediate and Rescan
Based on the findings, prioritize remediation: critical vulnerabilities on critical assets first. Apply patches, change configurations, or implement compensating controls. After remediation, launch the same scan again (Nessus keeps a history of each scan's runs). Compare the two result sets to verify that the vulnerabilities are no longer reported, either by exporting both runs and diffing them, or with the scan comparison features of Tenable's management platforms (Tenable.sc or Tenable Vulnerability Management). Document the remediation and rescan results for compliance and audit purposes. Repeat the cycle regularly.
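The review-and-rescan steps above can be automated against the .nessus XML export. The following Python is an added example written for this chapter, not Tenable's code: it parses a constructed two-host .nessus file, buckets findings by severity using the CVSS thresholds given earlier, flags hosts where credentialed checks did not run, and diffs a before/after pair to show which findings the rescan no longer reports. Plugin IDs 19506 (Nessus Scan Information) and 21745 (Authentication Failure - Local Checks Not Run) are real Tenable plugins; the hosts, scores, and plugin IDs 900001-900003 are made up for the sample.

```python
"""Work a .nessus export the way the review/rescan steps describe.

Added example for this chapter, not Tenable's code. The XML below is a
constructed sample in the real .nessus layout (NessusClientData_v2 > Report >
ReportHost > ReportItem). Plugins 19506 and 21745 are real Tenable plugins;
plugin IDs 900001-900003, the hosts, and the scores are made up.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

AUTH_FAILURE_PLUGIN = "21745"  # reported on a host whose local checks did not run
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    name: str
    port: int
    protocol: str
    severity: int           # 0-4, as stored in the export
    cvss3: Optional[float]  # absent on informational plugins


def severity_from_cvss(score: float) -> str:
    """Tenable's CVSS-to-severity buckets (the thresholds listed in this chapter)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def parse_nessus(xml_text: str) -> list[Finding]:
    """Flatten a .nessus document into one Finding per host/plugin/port."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss = item.findtext("cvss3_base_score")
            findings.append(Finding(
                host=host.get("name"),
                plugin_id=item.get("pluginID"),
                name=item.get("pluginName"),
                port=int(item.get("port")),
                protocol=item.get("protocol"),
                severity=int(item.get("severity")),
                cvss3=float(cvss) if cvss else None,
            ))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per severity name, the view the Vulnerabilities tab sorts by."""
    return Counter(SEVERITY_NAMES[f.severity] for f in findings)


def hosts_without_credentialed_checks(findings: list[Finding]) -> list[str]:
    """Hosts where Nessus fell back to unauthenticated checks (credential failure)."""
    return sorted({f.host for f in findings if f.plugin_id == AUTH_FAILURE_PLUGIN})


def compare_scans(before: list[Finding], after: list[Finding]) -> dict:
    """Diff two runs by (host, plugin, port, protocol): what was fixed, what is new."""
    key = lambda f: (f.host, f.plugin_id, f.port, f.protocol)
    old, new = {key(f) for f in before}, {key(f) for f in after}
    return {"fixed": sorted(old - new), "new": sorted(new - old)}


# Constructed sample: one host with working credentials and a critical finding,
# one host where authentication failed (plugin 21745) and only network checks ran.
CRITICAL_ITEM = (
    '<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001" '
    'pluginName="Constructed: missing SMB patch" pluginFamily="Windows">'
    '<cvss3_base_score>9.8</cvss3_base_score></ReportItem>'
)
SCAN_BEFORE = f"""<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="constructed sample">
<ReportHost name="10.0.0.5">
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings"><plugin_output>Credentialed checks : yes</plugin_output></ReportItem>
{CRITICAL_ITEM}
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900002" pluginName="Constructed: weak TLS cipher" pluginFamily="General"><cvss3_base_score>5.3</cvss3_base_score></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.7">
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="21745" pluginName="Authentication Failure - Local Checks Not Run" pluginFamily="Settings"/>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="900003" pluginName="Constructed: outdated SSH banner" pluginFamily="Misc."><cvss3_base_score>7.5</cvss3_base_score></ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""
# Constructed rescan after patching 10.0.0.5: the critical item is gone.
SCAN_AFTER = SCAN_BEFORE.replace(CRITICAL_ITEM + "\n", "")

if __name__ == "__main__":
    before, after = parse_nessus(SCAN_BEFORE), parse_nessus(SCAN_AFTER)
    print("before:", dict(summarize(before)), "after:", dict(summarize(after)))
    print("no credentialed checks on:", hosts_without_credentialed_checks(before))
    print("rescan diff:", compare_scans(before, after))
```

In practice the input is the .nessus file downloaded from the scan's Export menu or fetched through the API's scan export endpoints; the credential check is the part worth keeping in any such script, because a scan that silently ran unauthenticated looks clean for the wrong reason.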
Enterprise Scenario 1: Quarterly PCI DSS Compliance Scanning
A large e-commerce company must comply with PCI DSS requirement 11.2 (11.3 in PCI DSS v4.0), which mandates quarterly internal and external vulnerability scans. Nessus Professional covers the internal scans; the external quarterly scans must be performed by a PCI Approved Scanning Vendor (ASV), so a self-run Nessus scan of the perimeter does not satisfy that part of the requirement. They use a dedicated scanning appliance with reach into the cardholder data environment and configure an internal scan policy that includes all ports (1-65535) and authenticated credentials for Windows and Linux servers. They schedule scans on the first weekend of each quarter to avoid business disruption. The scan covers over 5000 hosts across multiple subnets, so performance tuning is critical: they set max simultaneous hosts to 20 and use a dedicated scan network to minimize impact. After each scan, they generate a compliance report (Nessus ships an 'Internal PCI Network Scan' template). The report is reviewed by the compliance officer, and any critical findings must be remediated within 30 days. A common issue is credential failure after password changes; they maintain a separate service account whose password is managed in a vault, and use SSH keys for Linux to reduce failures.
Enterprise Scenario 2: Continuous Monitoring with Nessus Agents
A financial institution with a large remote workforce deploys Nessus Agents on all endpoints (Windows laptops, macOS, Linux desktops). The agents perform local scans every 4 hours and report results to the Nessus Manager. This allows visibility into vulnerabilities on devices that are not always connected to the corporate network. The security team uses the manager's dashboard to track unpatched software and misconfigurations. When a critical vulnerability like Log4Shell (CVE-2021-44228) is announced, Tenable releases a plugin within hours. The agents automatically download the new plugin and scan for it on the next check-in. The team can then identify all affected endpoints and push patches via their endpoint management tool (e.g., SCCM). A challenge is agent communication: if an agent cannot reach the manager for 30 days, it becomes inactive and must be reconnected. They set the check-in interval to 30 minutes for critical servers.
Enterprise Scenario 3: Vulnerability Assessment for Cloud Environments
A SaaS provider uses Nessus Expert to scan their AWS and Azure infrastructure. They deploy Nessus as a virtual appliance in each cloud region and use API integrations to dynamically build target lists from the cloud inventory. Alongside the network scans, they run Nessus Expert's infrastructure-as-code checks against their Terraform, which catch misconfigurations such as permissive storage bucket policies and overly broad security group rules before deployment; auditing the live cloud account configuration is left to a cloud security posture tool rather than the scanner. They run scans weekly and export results to their SIEM (Splunk) for correlation with intrusion detection alerts. A common misstep is scanning public IP addresses from outside without preparation, which can trip the cloud provider's abuse detection and get the scanner's source address blocked. They allowlist the scanner's IP in the relevant security groups, scan from a known VPC, and follow the provider's rules for security testing of their own resources.
What CS0-003 Tests on Nessus
The CS0-003 exam objectives that touch Nessus sit in Domain 2 (Vulnerability Management): - 2.1: Given a scenario, implement vulnerability scanning methods and concepts (asset discovery, credentialed vs. non-credentialed, agent-based vs. agentless, scan scheduling and performance). - 2.2: Given a scenario, analyze output from vulnerability assessment tools (Nessus and OpenVAS are the vulnerability scanners named in the objectives). - 2.3: Given a scenario, analyze data to prioritize vulnerabilities (CVSS, asset criticality, exploitability). Compliance drivers such as PCI DSS and CIS benchmarks appear as scenario context within these objectives.
The exam expects you to know:
The difference between authenticated and unauthenticated scans and when to use each.
How to interpret Nessus scan results: severity levels (Critical, High, Medium, Low, Info) and CVSS scores.
The purpose of plugins and plugin families.
How to configure scan policies, including credentials and performance settings.
Common issues: false positives, false negatives, credential failures.
Common Wrong Answers and Why Candidates Choose Them
'Nessus can automatically patch vulnerabilities.' – This is wrong because Nessus is a scanner, not a patch management tool. It identifies vulnerabilities but does not fix them. Candidates confuse scanning with remediation.
'Unauthenticated scans are more accurate than authenticated scans.' – Wrong. Unauthenticated scans rely on banners and network probes, which can be spoofed or outdated. Authenticated scans provide deeper, more accurate results. Candidates may think unauthenticated scans are better because they are less intrusive.
'Nessus uses signatures to detect vulnerabilities.' – While Nessus uses plugins (scripts), the term 'signature' is more associated with IDS/IPS. Nessus plugins are scripts that test for specific conditions, not just signature matching. Candidates may confuse vulnerability scanning with intrusion detection.
'The default port scan range is 1-65535.' – The default is 'default', which scans approximately 4,790 commonly used ports. The full range must be explicitly configured as 'all'. Candidates may assume 'default' means all ports.
Specific Numbers and Terms to Memorize
Default Nessus web interface port: 8834 (HTTPS).
CVSS v3 severity thresholds: Critical >= 9.0, High >= 7.0, Medium >= 4.0, Low >= 0.1, Info = 0.0.
Plugin update frequency: Daily.
Agent check-in interval: Default 30 minutes.
Max simultaneous hosts default: 30.
Max simultaneous checks per host default: 5.
Network timeout default: 5 seconds.
Edge Cases and Exceptions
If a host does not respond to ping, Nessus may still scan it if 'Ping the remote host' is disabled. This is useful for hosts that block ICMP.
Nessus can scan IPv6 targets, but performance may differ.
When using agents, if the manager is unreachable, agents queue results and send them when connectivity is restored.
Nessus can be used for web application scanning (Nessus Expert), but it is not a substitute for dedicated web scanners like Burp Suite.
How to Eliminate Wrong Answers
If a question asks about 'fixing vulnerabilities', eliminate any answer that says Nessus does it.
If a question mentions 'deep inspection' or 'patch level', the answer likely involves authenticated scanning.
For questions about scan performance, look for options that limit simultaneous hosts or checks.
For reporting, remember that Nessus derives severity from the CVSS base score. Nessus also displays Tenable's Vulnerability Priority Rating (VPR), which folds in threat intelligence such as exploit availability, but exam questions that ask about 'risk' expect you to combine severity with asset criticality and exploitability rather than read it off a single score.
Nessus is a vulnerability scanner that identifies vulnerabilities but does not remediate them.
Authenticated scans use credentials to perform deep inspections and are more accurate than unauthenticated scans.
Default port scan range is 'default' (approximately 4,790 ports), not all 65535.
CVSS v3 severity: Critical (>=9.0), High (>=7.0), Medium (>=4.0), Low (>=0.1), Info (0.0).
Nessus web interface runs on TCP port 8834 (HTTPS).
Plugins are updated daily via the Nessus plugin feed (requires subscription).
Agents check in every 30 minutes by default and can scan offline endpoints.
False positives are common; always verify findings manually.
Nessus can be used for compliance scanning (PCI DSS, CIS benchmarks).
Performance settings like max simultaneous hosts (default 30) and checks per host (default 5) affect scan speed and impact.
These come up on the exam all the time. Here's how to tell them apart.
Nessus
Commercial product with paid subscription for full plugin feed.
User-friendly web interface with advanced reporting and compliance templates.
Agent support for offline/remote scanning.
Frequent plugin updates (daily) with dedicated research team.
Integrates with SIEM, ticketing systems, and patch management tools.
OpenVAS
Forked from the last open-source Nessus release when Nessus went closed-source in 2005; free to use (the scanner engine is now maintained by Greenbone).
Web interface (Greenbone Security Assistant) is less polished.
No native agent support; relies on network scanning (credentialed over SSH or SMB where configured).
The free Greenbone Community Feed is maintained by Greenbone but lags its commercial feed, and coverage for some commercial products is thinner than Tenable's.
Limited compliance scanning and reporting capabilities compared with Nessus.
Mistake
Nessus can automatically remediate vulnerabilities after scanning.
Correct
Nessus is a vulnerability scanner, not a patch management tool. It identifies vulnerabilities but does not apply fixes. Remediation must be done manually or via separate tools like WSUS or SCCM.
Mistake
Unauthenticated scans provide the same depth as authenticated scans.
Correct
Unauthenticated scans rely on network probes and banner grabbing, which can miss many vulnerabilities, such as missing patches or local misconfigurations. Authenticated scans with valid credentials can inspect the OS registry, file versions, and installed software, providing much more accurate and comprehensive results.
Mistake
Nessus uses a signature-based detection method like antivirus software.
Correct
Nessus uses plugins written in NASL (Nessus Attack Scripting Language) that test for specific conditions, such as the presence of a vulnerable file version or an open port with a known vulnerable service. This is more akin to a scripted test than a simple signature match.
Mistake
The default port scan in Nessus scans all 65535 ports.
Correct
The default port scan range is 'default', which scans approximately 4,790 common ports (e.g., 1-1024 plus many higher ports like 3306 and 3389). To scan all 65535 ports, you must explicitly set the port scan range to 'all' in the scan policy.
Mistake
Nessus can only scan on-premises devices, not cloud assets.
Correct
Nessus can scan cloud assets (AWS, Azure, GCP) by deploying a scanner inside the cloud network (as a VM or marketplace image) or by managing scanners and agents from Tenable's cloud-hosted platform; Nessus Expert adds infrastructure-as-code scanning for cloud misconfigurations. It can also scan the public IP addresses of cloud resources from an external perspective, subject to the provider's rules for security testing.
Authenticated scans use valid credentials (e.g., SSH keys, Windows domain accounts) to log into target systems and perform deep inspections of the OS, registry, installed software, and patch levels. This provides accurate, comprehensive results. Unauthenticated scans rely on network probes, banner grabbing, and open port checks; they are faster but less accurate and may miss many vulnerabilities. For the CS0-003 exam, remember that authenticated scans are preferred for thorough assessments.
Nessus assigns severity based on CVSS v3 base scores: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9), and Info (0.0). The severity indicates the potential impact of the vulnerability. Critical findings require immediate attention. However, severity alone does not determine risk; you must also consider asset criticality and exploitability.
Yes. A Nessus scanner can be deployed inside a cloud VPC or VNet to scan instances from within, and Tenable's cloud-hosted platform (formerly Nessus Cloud, now Tenable Vulnerability Management) can manage scanners and agents there. Nessus Expert adds infrastructure-as-code scanning that catches misconfigurations such as public storage buckets before deployment; auditing the live cloud account configuration is the job of a cloud security posture tool rather than the network scanner. For the exam, know that Nessus can scan both on-premises and cloud assets.
Plugins are scripts written in NASL that test for specific vulnerabilities or misconfigurations. Each plugin has a unique ID, severity, and family (e.g., 'Windows', 'CGI abuses'). Nessus runs plugins relevant to the detected services and OS. Plugins are updated daily via the Nessus plugin feed to include new vulnerabilities.
The frequency depends on organizational policy and compliance requirements. For example, PCI DSS requires quarterly internal and external scans. Best practices recommend continuous scanning (e.g., weekly or daily) for critical assets. Nessus allows scheduling scans (e.g., daily, weekly) and using agents for continuous monitoring.
False positives can occur due to banner grabbing (e.g., a service reports an old version but is actually patched), misconfigured services that appear vulnerable, or incomplete plugin logic. Always verify critical findings manually by checking the actual system. Nessus also allows you to mark findings as 'Accepted Risk' or 'False Positive' in the interface.
Ensure the credentials are correct and have sufficient privileges (e.g., the SSH user must have shell access, plus sudo if privilege escalation is configured; the Windows user must be a local administrator, with the Remote Registry service startable and SMB reachable on TCP 445). Check that the target allows remote authentication (SSH enabled, SMB not blocked by a host firewall). After a scan, confirm in plugin 19506 ('Nessus Scan Information') that credentialed checks ran, and look for plugin 21745 ('Authentication Failure - Local Checks Not Run') on hosts where they did not.