Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Configuring The Ports That Nessus Scans

When only select ports require scanning, use these easy steps to define them

When assessing targets with a network scanner like Nessus, a common question is "How do I control the ports that Nessus tests during a scan?" This blog covers a number of options, including:

  • How to limit the port scan

  • Choosing host enumeration

  • Considering unscanned ports closed

  • Addressing UDP ports

  • Explicit port control

  • Alternative options to port scanning


Below, we talk about some of the reasons Nessus sends packets to various ports and how scans can be configured to limit access to specific ports or ranges of ports. This is applicable to any Tenable toolset that uses Nessus in a customizable fashion, like Nessus Professional, Tenable.sc or Tenable.io.

Limiting the port scan

The first setting someone should review, in an effort to minimize the ports touched by a Nessus scan, is the port scan range. Most Nessus scan policies have the port scan range set to "default." When set using the keyword 'default,' the scanner will scan approximately 4,600 common ports. The current list of ports can be found in the nessus-services file on the Nessus scanner at the locations below. 

Windows
C:\ProgramData\Tenable\Nessus\nessus\nessus-services
Mac
/Library/Nessus/run/var/nessus/nessus-services
Linux
/opt/nessus/var/nessus/nessus-services 

Users can enter more specific ranges and ports into the scan policy, such as "21-80", "21,22,25,80" or "21-143,1000-2000,60000-60005". Doing so will cause the port scanner to target just those ports during the port scan. 

If required, 'all’ instructs the scanner to scan all 65,536 ports, including port 0. Note that this can greatly increase the scan time of each target and is not a recommended configuration if scanning through network firewalls.

Choosing host enumeration

If an ICMP probe (a ping), or ARP is enabled to discover active hosts, then no specific ports are probed. However, if a "TCP Ping" is used to discover a host, then a small number of ports will be probed (the default setting in most scan policies). Both options can be enabled and are not exclusive. 

Nessus will also only run subsequent host discovery methods on a target if the previous ones fail or if they’re not enabled.

Considering un-scanned ports closed

After a host is discovered and the desired ports are scanned, Nessus will attempt to run the enabled plugins against the target. If a plugin runs which attempts to connect to a specific port and the "Consider Unscanned Ports Closed" setting is enabled, Nessus won't even run the plugin. However, if this setting is disabled (the default setting in most scan policies), Nessus may start to probe ports that were not specified by the port scan.

Understanding UDP port probes

For port scanning, the UDP protocol is very unreliable. However, Nessus supports it for those customers with specific compliance requirements or unique local environments.

UDP is unreliable because if a port is open, the host is NOT supposed to send a response and if a port is closed, the host is supposed to return an "ICMP Port Unreachable" packet. Since UDP packets can be dropped or a host or network firewall can stop a packet, a scanner that does not get a response for a UDP probe can be fooled into thinking the port is open. Even for closed ports, if a network has implemented outbound ICMP filtering as a security measure, the scanner won't see the "ICMP Port Unreachable" messages.

If the UDP port scanner is enabled, you can specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would type:

T:1-1024,U:300-500

You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol. For example: 

1-1024,T:1024-65535,U:1025

You can also include default in a list of custom ports. For example: 

T:64999,default,U:55550-55555

Note that the default services list in Nessus (discussed above) includes individual definitions for both TCP and UDP ports.

Explicit control for troubleshooting

Given the complex nature of all the various options with port scanning, it can be time consuming to troubleshoot exactly why a scanner is probing a target on a certain port. Nessus offers an engine level control that allows prevention of communication with a specific port (or range) by using nessusd.rules

Alternatives to network port scanning

Credentialed assessments

When Nessus can login to the target, it will attempt to run the equivalent of 'netstat’ locally (or use SNMP on network devices) and enumerate ports first before running network port scanners (the default setting in most scan policies). This is much more efficient, as Nessus knows exactly what ports are open without having to test them all individually.

Passive insight

Tenable.sc and Tenable.io customers who have deployed a Nessus Network Monitor (NNM) enjoy continuous monitoring of their network as well as some advantages over active scans. Since the NNM operates 24x7 and watches all traffic, it can see activity on the network that might not be present during an active scan, ports that are not specified in a scan policy or otherwise blocked from the scanner.

Agents

For Tenable.sc or Tenable.io customers, deploying Nessus agents can also be an option to limit the port probing in a traditional Nessus network assessment. By design, Nessus agents don’t perform any network-based testing. They will enumerate local ports, like a credentialed scan does, but they don’t reach out and test ports for vulnerabilities or scan ranges of ports to see what is listening.

Additional Documentation

Learn more

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.