How To Install Nessus Vulnerability Scanner

In our previous post we showed how to download and verify the hash of the Home edition of Nessus, and here we will show how to install, set up and run your first scan. This is a very basic setup to get you up and running quickly with the free version of Nessus. If you are going to be using it in a live production environment, don’t use this guide.

If you have not read the initial post go here then come back.

You should be where we left off, which is just after checking our hash and confirming it against the checksum, as shown below.

Get used to running the “ls” cmd to check the directory you are in and that you have access to the correct files.

We “ls” to check as mentioned above, then use “dpkg -i” on the .deb file, which unpacks and then installs Nessus.

While that runs and installs we need to go back to tenable.com and get an activation code.

Fill in the details and wait for your email with the activation code.

Go back to your Terminal, where the install should now have completed. Check the window for errors and if there are none we are good to continue.

Run the following “/etc/init.d/nessusd start”

Nessus is now running, so open a browser on the same machine and go to https://localhost:8834 and you should get the login screen.

Create a Username and a Password to login for the first time (don’t forget these!) and you will get the activation page.

Leave the scanner type, and enter your activation key which you will have received by email.

If correct you will see the next screen, now is the time to make a coffee as this stage may take some time as Nessus sets up.

Once completed you will see the “New Scan” screen.

Select New Scan as shown, then select “Basic Network Scan”. This will allow us to do a basic scan of our internal home network.

We will need to find out the IP of our network for the next step. The easiest way to do this is to use either “ifconfig” on a Linux box or “ipconfig” on a Windows box. Run this from a Terminal Window and make a note of your IP address. (This is a simple step, so if unsure how to do it you really shouldn’t be installing Nessus, to be honest!)

Name and description can be whatever you want, but the IP Address in the targets box needs to be the IP address you want to scan. In the example it shows “192.168.0.0-255”, which means that we are going to scan every address on our network. To scan an individual host you would use a single address, for example “192.168.0.5”. Now save as shown below and you’ll go back to the main page.

To start your scan click the chevron, as outlined below, then wait for your scan to complete.

Once the scan completes, the real fun starts!

How to verify a file hash in Linux

We have recently shown how to do this in Windows so we will now show how to do this in Linux. Here we will be using Kali but it will work with most Linux distros.

We want to download the free Home Version of Nessus but want to make sure the file has not been tampered with before we install.

We browse to the download site and download the version we need, but also copy the hash checksums to simple text files for comparison later. You can do this by simply copying to your clipboard and then pasting into a blank text file.

We will download everything to our download folder to make things simple. Once everything is done you should have 3 files in your download folder as shown below.

Now off to the cmd line, so open a Terminal and “cd” to the Downloads folder as shown, then use “ls” to list the directory to confirm you are in the correct location and the correct files are there.

Now we run “sha256sum Nessus-7.2.0-debian6_amd64.deb”. The cmd part is “sha256sum” and the next part is just the file name you want to hash.

You should see the output of the cmd which is your file hash to compare to the one from the site that you had copied earlier.

Now copy that hash output and paste it underneath the one you have from the site. We used sha256sum and so will need to compare against the sha256 checksum.

As you can see, the highlighted one is our output, and they are a perfect match. Excellent, we can now install Nessus with confidence that it has not been tampered with or had malicious code added.
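The same check can be scripted so the comparison is done by the machine rather than by eye. This is an added example, not part of the original post: a small POSIX shell function that hashes a file with sha256sum (falling back to shasum where sha256sum is missing, an assumption for non-Linux boxes), compares the result with the value you copied from the download page, and returns non-zero on any mismatch. The sample file and its hash in the demo are constructed stand-ins for the real Nessus package.

```shell
#!/bin/sh
# Print the hex SHA-256 of a file. sha256sum is what the post uses;
# shasum -a 256 is an assumed fallback for systems without coreutils.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HASH
# EXPECTED_HASH is the checksum copied from the vendor's download page.
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_sha256() {
  file=$1
  # normalise case so a hash pasted in upper case still compares equal
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published SHA-256"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Demo with a constructed sample file (not the Nessus .deb).
demo() {
  tmp=$(mktemp -d)
  printf 'hello\n' > "$tmp/sample.deb"
  # SHA-256 of "hello\n", standing in for the value from the download page
  verify_sha256 "$tmp/sample.deb" \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  # A single changed character in the published value must be rejected
  verify_sha256 "$tmp/sample.deb" \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be04 || true
  rm -rf "$tmp"
}

# Usage: verify_sha256 ./Nessus-7.2.0-debian6_amd64.deb <hash-from-site>
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see one match and one rejection, or source it and call verify_sha256 on the real download.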

Our next post will see us install Nessus.