Introduction to Nessus Vulnerability Scanner

What is Nessus?

  • Up-to-date and powerful vulnerability scanner tool.
  • Open source, free to use.
  • Uses plug-ins to identify vulnerabilities.

Nessus Features

  • Client/Server architecture
  • Compatible with any platform (Windows, Linux, Mac OS X)
  • Port Scanning ( SYN Scan, TCP Connect Scan etc)
  • Performs deep and high speed Vulnerability scanning
  • Mobile device auditing
  • Plug-ins are written in NASL (Nessus Attack Scripting Language)
  • Reports and analyses vulnerabilities.

Nessus Architecture


Nessus Client & Server


  • Unix Client ( Linux, Solaris etc)
  • Windows Client


  • Runs on most operating systems
  • Performs scanning functions and sends results back to client

Introduction to Port Scanners

Port scanners are often used by administrators to check the security policies or by attackers to identify running services on a host. Port scanning is used to send packets to a list of port numbers in order to:

  • Check for live systems
  • Identify open ports on a system
  • Learn about services available on a system
  • Version detection of running services
  • OS detection
There are a few available port scanners:
  • Nmap
  • Netscan Pro Tools
  • Solarwinds Engineers Toolset
  • Superscan
  • Netifera
  • Unicornscan
  • The most popular port scanner
  • A lot of features
  • Open source
  • Multiplatform (Windows, Linux, BSD, OS X)
  • Command line and GUI
  • Available at
Nmap Common Options
  • – h  help
  • -p  choose ports
  • -sS    TCP SYN Scan
  • -sT  TCP Connect Scan
  • -sU  UDP Port Scan
  • -v  verbose output
  • -O  OS detection
  • -sV    Service version detection
  • -f  fragment packets
Scanning Countermeasures
  • Configure firewalls and Intrusion Detection Systems to detect and block probes
  • Filter inbound ICMP messages
  • Filter outbound ICMP type 3 unreachable messages at boarder routers and firewalls
  • Evaluate the way that firewall and IDS handle fragmented packets by performing scanning exercises using fragtest and fragroute
  • Configure Internet firewalls to identify port scans and block the connection

Deauthentication/Disassociation attack

Deauthentication/Disassociation attack is a part of the Denial-of-Service attacks. Attackers may also use this attack in order to recover hidden ESSIDs or to capture WPA/WPA2 handshakes by forcing victims to re-authenticate. This attack can be used only if there is at least one client connected to the access point.

The client is connected to the wireless router. The attacker will try to deauthenticate the client by using airodump-ng and aireplay-ng. Both tools are included in the Backtrack 5 r3 OS.The following steps describe the process of the attack. After the attacker has set the wireless network card in monitor mode he searches for access points in range. The complete command is the following:

  • airodump-ng mon0

Where airodump-ng is the tool and mon0 is the monitor interface. The result of this command is shown in the next screenshot.


At this point the attacker has information about the wireless router (ESSID, Channel, BSSID etc). The next step is to find the clients that are connected to the access point with ESSID XXXLab. To find this information he will use the following command:

  • airodump-ng mon0 -c 1 –bssid 00:05:59:49:A7:A0

Where airodump-ng is the tool, mon0 the interface, -c the channel and –bssid the MAC address of the access point. The result is shown in the next figure.


The figure above shows that there is one client connected with MAC address 00:13:CE:AC:70:BE.

Now the last step is to disassociate the client. To achieve this, the following command is used:

  • aireplay-ng -0 1000 -a  00:05:59:49:A7:A0 -c 00:13:CE:AC:70:BE mon0

Where aireplay-ng is the tool, -0 the parameter for the Deauthentication attack, 1000 is the number of deaths, -a the MAC address of the wireless router, –c the MAC address of the client and mon0 the interface. The result of the command is shown in the next screenshot.


The above screenshot shows that the attack is performed successfully. The client is disconnected from the network and cannot establish a connection until the attacker stops sending Deauthentication messages.