How to Use Nessus for Vulnerability Scanning
Nessus is one of the most widely used vulnerability scanners. The Essentials version is free for up to 16 IPs and covers CVE detection, configuration auditing, and compliance checks. This guide covers installation, scan policy configuration, credentialed scanning, and interpreting results to prioritize fixes.
Legal note: Only scan systems you own or have explicit written authorization to test. Unauthorized scanning is illegal in most jurisdictions and violates service provider terms.
1. Install Nessus Essentials
```bash
# Register for a free activation code at tenable.com/products/nessus/nessus-essentials
# Download the .deb or .rpm from the registration confirmation email

# Ubuntu / Debian
sudo dpkg -i Nessus-10.x.x-ubuntu1404_amd64.deb
sudo systemctl enable nessusd --now

# RHEL / CentOS
sudo rpm -ivh Nessus-10.x.x-es9.x86_64.rpm
sudo systemctl enable nessusd --now

# Nessus runs on HTTPS port 8834
echo "Open: https://localhost:8834"
```
Complete setup in the browser:
- Choose “Nessus Essentials”
- Enter your activation code
- Set admin credentials
- Wait for plugin compilation (10–20 minutes)
2. Understand Scan Types
| Scan Type | What It Does |
|---|---|
| Basic Network Scan | Port scan + safe plugin checks |
| Advanced Scan | Full plugin set, customizable |
| Credentialed Patch Audit | SSH/WinRM login to check installed packages against CVE DB |
| Web Application Tests | Crawl + inject for OWASP Top 10 |
| Internal PCI DSS | PCI compliance checks |
| Policy Compliance | CIS benchmark checks |
Start with a Basic Network Scan to enumerate the attack surface, then follow up with a Credentialed Patch Audit for full CVE coverage.
3. Configure SSH Credentials for Linux Scanning
Credentialed scans find 3–10x more vulnerabilities than unauthenticated ones. Set up a dedicated scan user:
```bash
# On the target Linux host — create a low-privilege scan user
sudo useradd -m -s /bin/bash nessus-scan
sudo passwd nessus-scan   # or use key auth (preferred)

# Generate SSH key on the Nessus host
ssh-keygen -t ed25519 -f ~/.ssh/nessus_scan_key -N ""

# Copy key to target
ssh-copy-id -i ~/.ssh/nessus_scan_key.pub nessus-scan@target-host

# Grant sudo for specific commands only (least-privilege)
# sudoers accepts backslash line continuation inside a heredoc like this
sudo tee /etc/sudoers.d/nessus-scan > /dev/null <<'EOF'
nessus-scan ALL=(root) NOPASSWD: /usr/bin/find, /bin/cat, /usr/bin/dpkg, \
/usr/bin/rpm, /usr/bin/yum, /usr/bin/apt, /usr/sbin/netstat, /usr/bin/ss, \
/sbin/ifconfig, /usr/bin/id, /usr/bin/uname, /bin/ls
EOF
```
Treat this list as a starting point, not a finished least-privilege rule: unrestricted `/bin/cat` and `/usr/bin/find` as root can read any file on the host, so trim the list to what your enabled plugins actually need and review it when plugins change.

In the Nessus UI: Credentials > SSH > set the username, add the private key, and set "Elevate privileges with" to sudo so the patch-audit plugins can use the rules above.
4. Create a Scan Policy
In Nessus, go to Policies > New Policy > Advanced Scan and configure:
Discovery:
- Port scan: TCP (all ports), UDP (common)
- Ping: ICMP + TCP ACK (handle firewalls that block ICMP)
Assessment:
- Scan for known bad processes: enabled
- Web application scanning: enabled if targeting web servers
- Thorough tests: disabled unless needed (slow, can be disruptive)
Report:
- Override normal severity with CVSS3 base score: enabled
- Show missing patches: enabled
Advanced:
- Safe checks only: enabled (prevents disruptive tests)
- Stop scanning after N failures: 20
- Max simultaneous hosts: 5 (reduce if scanning production)
- Max simultaneous checks per host: 5
5. Launch a Scan
Scans > New Scan > Advanced Scan (or your saved policy)
Name: Internal Network - 2026-03-22
Targets: 192.168.1.0/24
192.168.2.10-50
Schedule: Run now / or set recurring
Credentials: SSH (add key from step 3)
Windows: SMB credentials if scanning Windows hosts
Monitor progress in Scans > Running. A credentialed scan of 10 hosts typically takes 30–90 minutes.
6. Interpret CVSS Scores
Nessus uses CVSS 3.1 scoring:
| Score | Severity | Typical Examples |
|---|---|---|
| 9.0–10.0 | Critical | Unauthenticated RCE (Log4Shell, EternalBlue) |
| 7.0–8.9 | High | Authenticated RCE, privilege escalation |
| 4.0–6.9 | Medium | Information disclosure, CSRF |
| 0.1–3.9 | Low | Informational, hardening suggestions |
CVSS alone is not enough for prioritization. Nessus also shows:
- VPR (Vulnerability Priority Rating) — Tenable’s score combining CVSS + threat intelligence (exploit availability, active exploitation in the wild)
- EPSS score — probability of exploitation in the next 30 days
Prioritize findings rated Critical or High that also carry VPR > 7 and/or EPSS > 0.1.
7. Export and Filter Results
```bash
# Export via Nessus API (useful for automation)
NESSUS="https://localhost:8834"
# Generate both halves of the key pair under Settings > My Account > API Keys
ACCESS_KEY="your-access-key"
SECRET_KEY="your-secret-key"
AUTH="X-ApiKeys: accessKey=$ACCESS_KEY; secretKey=$SECRET_KEY"
# -k skips certificate verification; drop it once Nessus has a trusted certificate

# List scans
curl -k -X GET "$NESSUS/scans" -H "$AUTH"

# Request a CSV export; the response carries the file id of the pending export
SCAN_ID=5
FILE_ID=$(curl -sk -X POST "$NESSUS/scans/$SCAN_ID/export" \
  -H "$AUTH" -H "Content-Type: application/json" \
  -d '{"format":"csv"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['file'])")

# Exports are generated asynchronously: poll the status endpoint until it reports "ready",
# otherwise the download call fails
until curl -sk -X GET "$NESSUS/scans/$SCAN_ID/export/$FILE_ID/status" -H "$AUTH" | grep -q '"ready"'; do
  sleep 2
done

# Download export
curl -k -X GET "$NESSUS/scans/$SCAN_ID/export/$FILE_ID/download" -H "$AUTH" -o scan_results.csv
```
8. Prioritize Remediation
```python
#!/usr/bin/env python3
"""
Prioritize a Nessus CSV export: list Critical + High findings (CVSS >= 7.0),
highest score first, and show whether a public exploit is available for each.
Usage: python3 prioritize.py scan_results.csv
"""
import csv
import sys

CRITICAL_THRESHOLD = 9.0
HIGH_THRESHOLD = 7.0

results = []
with open(sys.argv[1], newline="") as f:
    for row in csv.DictReader(f):
        # Newer exports use "CVSS v3.0 Base Score", older ones "CVSS"; an empty cell means no score
        try:
            cvss = float(row.get("CVSS v3.0 Base Score") or row.get("CVSS") or 0)
        except ValueError:
            cvss = 0.0
        if cvss >= HIGH_THRESHOLD:
            results.append({
                "host": row["Host"],
                "plugin": row["Plugin Name"],
                "cvss": cvss,
                "exploit": row.get("Exploit Available", "No"),
                "cve": row.get("CVE", ""),
            })

# Highest CVSS first, then by host for a stable listing
results.sort(key=lambda x: (-x["cvss"], x["host"]))
print(f"{'CVSS':>5} {'Exploit':>7} {'Host':<20} {'CVE':<20} {'Name'}")
print("-" * 100)
for r in results:
    print(f"{r['cvss']:>5.1f} {r['exploit']:>7} {r['host']:<20} "
          f"{r['cve']:<20} {r['plugin'][:50]}")
```
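As an added worked example (not from the original guide), the following script applies the section 6 prioritization rule to the same CSV export the script above reads: Critical/High findings are split into an urgent bucket (VPR > 7 or EPSS > 0.1) and a backlog, and everything below High is dropped. The "VPR Score" and "EPSS Score" column names are assumptions (check the header of your own export), and the sample rows, hosts and CVE ids are constructed placeholders.

```python
"""Triage helper (added example, not from the original guide).

Applies the rule from section 6 to a Nessus CSV export: keep Critical/High
findings (CVSS >= 7.0) and mark as urgent those with VPR > 7 or EPSS > 0.1.
Assumed column names (check your export header): "VPR Score" and "EPSS Score".
The other columns are the ones section 8's script already reads.
"""
import csv
import io

HIGH_THRESHOLD = 7.0   # Critical + High per the CVSS table above
VPR_THRESHOLD = 7.0
EPSS_THRESHOLD = 0.1


def _num(value, default=0.0):
    """Parse a numeric cell; Nessus leaves the cell empty when no score exists."""
    if value in (None, ""):
        return default
    try:
        return float(value)
    except ValueError:
        return default


def _rank(f):
    # Rank by the higher of VPR/CVSS, then EPSS, so threat-informed scores win ties
    return (-max(f["vpr"], f["cvss"]), -f["epss"], f["host"])


def triage(rows):
    """Split DictReader rows into (urgent, backlog); everything below High is dropped."""
    urgent, backlog = [], []
    for row in rows:
        cvss = _num(row.get("CVSS v3.0 Base Score") or row.get("CVSS"))
        if cvss < HIGH_THRESHOLD:
            continue
        finding = {
            "host": row["Host"],
            "plugin": row["Plugin Name"],
            "cve": row.get("CVE", ""),
            "cvss": cvss,
            "vpr": _num(row.get("VPR Score")),      # assumed column name
            "epss": _num(row.get("EPSS Score")),    # assumed column name
            "exploit": row.get("Exploit Available", "No"),
        }
        if finding["vpr"] > VPR_THRESHOLD or finding["epss"] > EPSS_THRESHOLD:
            urgent.append(finding)
        else:
            backlog.append(finding)
    urgent.sort(key=_rank)
    backlog.sort(key=_rank)
    return urgent, backlog


def triage_csv_text(text):
    """Convenience wrapper for an in-memory CSV string (use open(path, newline='') for files)."""
    return triage(csv.DictReader(io.StringIO(text)))


# Constructed sample export for demonstration; hosts, names and CVE ids are placeholders
SAMPLE_CSV = """Host,Plugin Name,CVE,CVSS v3.0 Base Score,VPR Score,EPSS Score,Exploit Available
192.168.1.10,Example unauthenticated RCE (constructed),CVE-PLACEHOLDER-1,10.0,9.8,0.97,Yes
192.168.1.10,Example weak TLS cipher suites (constructed),,5.3,4.1,0.01,No
192.168.1.20,Example local privilege escalation (constructed),CVE-PLACEHOLDER-2,7.8,5.9,0.04,No
192.168.1.30,Example authenticated RCE (constructed),CVE-PLACEHOLDER-3,8.8,8.1,0.12,Yes
"""

if __name__ == "__main__":
    urgent, backlog = triage_csv_text(SAMPLE_CSV)
    for label, bucket in (("URGENT", urgent), ("BACKLOG", backlog)):
        print(f"== {label} ({len(bucket)}) ==")
        for f in bucket:
            print(f"{f['cvss']:>5.1f} vpr={f['vpr']:<4} epss={f['epss']:<5} "
                  f"{f['host']:<14} {f['cve']:<18} {f['plugin']}")
```

On the constructed rows the medium-severity TLS finding is dropped, the CVSS 7.8 privilege escalation with low VPR and EPSS lands in the backlog, and the two RCEs are urgent, which is the point of the rule: CVSS alone would have put the kernel finding ahead of nothing, while VPR/EPSS separate what is being exploited from what merely scores high.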
9. Automate Recurring Scans
```bash
# Nessus API — trigger a scan programmatically
curl -k -X POST "$NESSUS/scans/$SCAN_ID/launch" \
  -H "X-ApiKeys: accessKey=$ACCESS_KEY; secretKey=$SECRET_KEY"

# Keep the API keys out of the cron file (644 by default, readable by every local user):
# store them in a root-only file and source it from the job
sudo install -m 600 /dev/null /etc/nessus-api.env
printf 'ACCESS_KEY=YOUR_KEY\nSECRET_KEY=YOUR_SECRET\n' | sudo tee /etc/nessus-api.env > /dev/null

# Add to weekly cron (a crontab entry must be one line; backslash continuation is not supported)
sudo tee /etc/cron.d/nessus-weekly > /dev/null <<'EOF'
0 1 * * 0 root . /etc/nessus-api.env && curl -sk -X POST "https://localhost:8834/scans/5/launch" -H "X-ApiKeys: accessKey=$ACCESS_KEY; secretKey=$SECRET_KEY" > /dev/null
EOF
```
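The export-and-download sequence from section 7 and the launch call above, as an added Python example that is not from the original guide or from Tenable: it polls the export status endpoint (GET /scans/{id}/export/{file_id}/status) until the file is ready, since downloading earlier fails, and takes the HTTP transport as a parameter so the whole exchange can be exercised offline against the constructed FakeNessus class. The fake's scan id, file id, key values and responses are made up; the live transport urllib_http is assumed to run against a Nessus with a trusted certificate.

```python
"""Nessus REST API driver (added example, not part of the original guide).

Uses the endpoints from sections 7 and 9 plus the export status endpoint,
GET /scans/{id}/export/{file_id}/status, which must report "ready" before the
download call succeeds. The HTTP transport is injected so the flow can run
offline against the constructed FakeNessus below; for a live server pass
urllib_http. Keys should come from a root-only file, never from the cron line.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request


class NessusClient:
    def __init__(self, base_url, access_key, secret_key, http, sleep=time.sleep):
        self.base = base_url.rstrip("/")
        self.headers = {"X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}"}
        self.http = http        # callable(method, url, headers, body) -> (status, bytes)
        self.sleep = sleep      # injectable so tests do not wait

    def _call(self, method, path, body=None):
        headers = dict(self.headers)
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, payload = self.http(method, self.base + path, headers, data)
        if status != 200:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {payload[:200]!r}")
        return payload

    def launch(self, scan_id):
        """POST /scans/{id}/launch; the response carries the scan_uuid of the new run."""
        return json.loads(self._call("POST", f"/scans/{scan_id}/launch"))["scan_uuid"]

    def export_csv(self, scan_id, max_polls=300, interval=2.0):
        """Request a CSV export, poll until it is ready, then return the CSV bytes."""
        file_id = json.loads(self._call("POST", f"/scans/{scan_id}/export", {"format": "csv"}))["file"]
        for _ in range(max_polls):
            state = json.loads(self._call("GET", f"/scans/{scan_id}/export/{file_id}/status"))
            if state.get("status") == "ready":
                return self._call("GET", f"/scans/{scan_id}/export/{file_id}/download")
            self.sleep(interval)
        raise TimeoutError(f"export {file_id} of scan {scan_id} not ready after {max_polls} polls")


def urllib_http(method, url, headers, data):
    """Live transport. Nessus ships a self-signed certificate; install a trusted one
    (or pass an SSL context holding the Nessus CA) rather than disabling verification."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FakeNessus:
    """Constructed stand-in for a Nessus server with one scan (id 5) and one export (file 1234).
    The export reports "loading" until `ready_after` status polls have been made."""
    def __init__(self, ready_after=3):
        self.ready_after = ready_after
        self.polls = 0
        self.log = []

    def __call__(self, method, url, headers, data):
        path = urllib.parse.urlparse(url).path
        self.log.append((method, path))
        if headers.get("X-ApiKeys") != "accessKey=AK; secretKey=SK":   # constructed key pair
            return 401, b'{"error":"Invalid Credentials"}'
        if (method, path) == ("POST", "/scans/5/launch"):
            return 200, b'{"scan_uuid":"constructed-uuid"}'
        if (method, path) == ("POST", "/scans/5/export"):
            return 200, b'{"file":1234,"token":"constructed-token"}'
        if (method, path) == ("GET", "/scans/5/export/1234/status"):
            self.polls += 1
            ready = self.polls >= self.ready_after
            return 200, (b'{"status":"ready"}' if ready else b'{"status":"loading"}')
        if (method, path) == ("GET", "/scans/5/export/1234/download"):
            return 200, b"Host,Plugin Name\r\n192.168.1.10,Example finding (constructed)\r\n"
        return 404, b'{"error":"not found"}'


if __name__ == "__main__":
    server = FakeNessus()
    client = NessusClient("https://localhost:8834", "AK", "SK", http=server, sleep=lambda s: None)
    print("launched:", client.launch(5))
    print(client.export_csv(5).decode())
    print("polls before ready:", server.polls)
```

For a scheduled job, read the two keys from the root-only file described above and construct the client with `http=urllib_http`; the `max_polls` bound keeps a stuck export from hanging the cron job forever, and a non-200 reply (expired key, wrong scan id) surfaces as an exception instead of an empty CSV.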
10. Complement Nessus with OpenVAS
For unlimited IPs without cost, OpenVAS (Greenbone Community Edition) is the open-source alternative:
```bash
sudo apt install -y openvas
sudo gvm-setup         # downloads NVT feed (~30 min)
sudo gvm-check-setup   # verify installation
sudo gvm-start
# Access at: https://localhost:9392
```
Run both tools and cross-reference results — each has plugins the other misses.
Related Reading
- How to Use Metasploit for Authorized Pentesting
- How to Set Up OpenSCAP for Compliance Scanning
- How to Set Up Wazuh SIEM for Small Teams
Built by theluckystrike — More at zovo.one