using NESSUS to prepare for PenTest Sec. Audit

Andre Gironda andre at operations.net
Tue Jul 12 21:48:58 UTC 2011


On Tue, Jul 12, 2011 at 2:00 PM, Mike Gatti <ekim.ittag at gmail.com> wrote:
> Has anyone used Nessus PF (www.nessus.org) as a tool to run a self audit preparing for a PenTest Audit?
> I wanted to get your opinion on the tool and if it was useful preparing for a PenTest Audit?

Nessus is mostly used for information security systems audits (of the
vulnerability assessment one-shot type e.g. OCTAVE Allegro ; or
possibly the on-going vulnerability management type e.g. NIST SP
800-30). It is not useful for external, unauthenticated scans or
black-box "pen-tests".

Nessus works best when given credentials so that it can authenticate
to systems or network devices.

Many of the plugins for Nessus are in a specific language (NASL) and
have been imported for use in the open-source vulnerability assessment
scanner, OpenVAS. If you are going to check out OpenVAS, I suggest you
get the guest VM and load it with ESXi, VMware Workstation/Server,
VirtualBox, or VirtualPC. It's also mainly used for credentialed
scans.

If you are looking for external, "black-box" vulnerability assessments
or on-going vulnerability management -- I suggest that you check out
Qualys QualysGuard (QG) or Rapid7 NeXpose. An alternative to Nessus
for credentialed scans would be nCircle IP360 (just to complete this
market space, although certain US-Gov/DoD sites use Lumension/Harris
Stat instead). For web applications, you will need to add a specific
sort of scanner, such as HP WebInspect, as well as some open-source
tools to determine exploitability (e.g. Wapiti, Grabber, OWASP Zed
Attack Proxy, XSSer, sqlmap, etc). This web application security
scanner would be in addition to Qualys QG and OpenVAS/Nessus. While
many "network" vulnerability scanners claim to find issues such as SQL
injection -- in reality they do not actually do so to any degree of
completeness (for more information, see the WIVET.googlecode.com and
WAVSEP.googlecode.com scanner benchmarks, or run them for yourself).

If you are looking for penetration-testing, this cannot be done with a
single tool, or even multiple tools. You need strong people with a
good track record of experience in penetration-testing. I have seen a
few shops run some free tools (e.g. Cain & Abel) along with some
commercial tools (e.g. Paterva Maltego, Metasploit Pro, Core Impact,
and Burp Suite Professional), with some added open-source tools (e.g.
BackTrack 5 and the Social Engineering Toolkit). WiFi
penetration-testing is often done with two USB Alfa Networks cards and
a guest VM, such as Immunity Security's SILICA. However, depending on
your industry vertical and/or specific requirements -- you'll want a
custom pen-test that will involve strategy consulting and
threat-modeling beforehand. I don't recommend trying to do this on
your own.

If you do want to attempt pen-testing on your own, I recommend the
BlackHat conference official training for Maltego and Burp Suite
Professional, in addition to deep technical knowledge of all of the
modules and features available in BackTrack and the Metasploit
Framework (the new No Starch Press book on Metasploit -- and the less
useful but handy Packt Publishing book on BackTrack Penetration
Testing -- would be a good start).

Cheers,
Andre
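One way to act on the credentialed-scan point made in the reply above, as an added example that is not part of the original post or of Nessus itself: a script that reads a .nessus v2 export and flags hosts on which credentialed checks did not run, so that their findings are known to be undercounted before the results are used to prepare for an audit. It assumes the NessusClientData_v2 / Report / ReportHost / ReportItem layout and that plugin 19506 ("Nessus Scan Information") prints a "Credentialed checks : yes|no" line in its plugin_output; the sample export and every other plugin ID in it are constructed for this example.

```python
"""Check a Nessus (.nessus v2) export for whether credentialed checks ran.

Added example, not from the original mailing-list post. Assumes the
.nessus XML layout (NessusClientData_v2 / Report / ReportHost / ReportItem)
and that plugin 19506 "Nessus Scan Information" reports a line of the form
"Credentialed checks : yes|no"; the sample export below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Bookkeeping plugin whose output records whether credentialed checks
# succeeded (assumption about its output format, see module docstring).
SCAN_INFO_PLUGIN_ID = "19506"
CRED_RE = re.compile(r"Credentialed checks\s*:\s*(yes|no)", re.IGNORECASE)
SEVERITY_NAMES = {"0": "info", "1": "low", "2": "medium", "3": "high", "4": "critical"}

# Constructed sample export: two hosts, one scanned with working credentials
# and one where authentication failed. Plugin IDs other than 19506 are made up.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="self-audit">
    <ReportHost name="10.0.0.5">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information">
        <plugin_output>Information about this scan :
Credentialed checks : yes
</plugin_output>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Example missing patch (constructed)">
        <plugin_output>constructed finding</plugin_output>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Example weak config (constructed)">
        <plugin_output>constructed finding</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information">
        <plugin_output>Information about this scan :
Credentialed checks : no
</plugin_output>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="1"
                  pluginID="900003" pluginName="Example banner finding (constructed)">
        <plugin_output>constructed finding</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def credentialed_status(host_el):
    """Return True/False from the scan-information plugin, or None if absent."""
    for item in host_el.iter("ReportItem"):
        if item.get("pluginID") != SCAN_INFO_PLUGIN_ID:
            continue
        output = item.findtext("plugin_output") or ""
        match = CRED_RE.search(output)
        if match:
            return match.group(1).lower() == "yes"
    return None


def summarize(xml_text):
    """Map each host to its credentialed status and a severity histogram."""
    root = ET.fromstring(xml_text)
    summary = {}
    for host in root.iter("ReportHost"):
        counts = Counter()
        for item in host.iter("ReportItem"):
            if item.get("pluginID") == SCAN_INFO_PLUGIN_ID:
                continue  # bookkeeping plugin, not a finding
            counts[SEVERITY_NAMES.get(item.get("severity"), "unknown")] += 1
        summary[host.get("name")] = {
            "credentialed": credentialed_status(host),
            "findings": dict(counts),
        }
    return summary


def hosts_needing_credentials(summary):
    """Hosts where credentialed checks did not run: their findings undercount."""
    return sorted(h for h, s in summary.items() if s["credentialed"] is not True)


if __name__ == "__main__":
    result = summarize(SAMPLE_NESSUS)
    for host, info in sorted(result.items()):
        print(host, "credentialed=%s" % info["credentialed"], info["findings"])
    missing = hosts_needing_credentials(result)
    if missing:
        print("Re-scan with working credentials:", ", ".join(missing))
```

Run it against a real export by replacing SAMPLE_NESSUS with the file contents; a host that reports "Credentialed checks : no" (or lacks the scan-information plugin entirely) has only been checked from the outside, which is the unauthenticated mode the reply above says Nessus is not well suited to, so treat its low finding count as a credentials problem rather than a clean bill of health.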
