How to tell Nessus to focus on a specific service or port for scanning

Posted on 2006-05-22
Last Modified: 2013-11-18

I would like to use Nessus to scan a server, and what I care about is the web service that is running on port 8000.

How can I tell Nessus to scan only this service, or this port, and not to scan anything else?

Question by:malibusa
    LVL 51

    Expert Comment

    Disable all tests not related to web services, then add :8000 to the target host.

    Author Comment


    When adding the part :8000 to the end of the target host, I get the message "nessusd returned an empty report".

    LVL 5

    Expert Comment

    Probably a silly question, but from the machine you have Nessus on, can you definitely see port 8000 on the web server?

    Test: either browse to the server in your web browser, or telnet to port 8000.

    It might also be worth performing a port scan with something like nmap to confirm the open ports.



    Author Comment

    The port is open and I can access it from the scanner machine using the command telnet 8000.

    When I enable only the plugins which are specifically for Apache, it gives a report about it, as TCP/8000 Apache service.

    But when I enable all the plugins, it does not show it at all.

    LVL 3

    Expert Comment

    Instead of using only Nessus, I would instead use a tool specific for web testing like Whisker.

    I recently wrote an article detailing my review of several vulnerability testers.

    You may find it useful, though it is somewhat off-topic.

    You might try changing the report's verbosity level in the Nessus setup area.

    A few months back I did some intense testing of all the best vulnerability scanners out there... I had a couple nix boxes hooked up, as well as some dozers, and figured I could add clients to a "once-a-week" scanning contract. So naturally, I wanted to use the scanner that was the best for my purpose.

    I tested the following (trying to only list automated vulnerability scanners):

    ISS Internet Security Systems
    SSS Shadow Security Scanner
    Retina eEye
    GFI Languard Network Security Scanner
    Nstealth Security Scanner

    Review here.. (12+ pages)

    I was looking at 3 main areas while evaluating the scanners.

    1. Comprehensiveness of the testing: including how many options are allowed for different scanning, IDS evasion, and types of scans. Also in this category is the availability for the latest exploits and a custom exploit option to allow me to plug in custom exploits.

    2. Quality of the program: included in this category is availability of updates, speed of various variables, efficiency, "smartness" or "AI" of the program while scanning/reporting, security (does running this version of this vuln scanner leave me vulnerable?), scheduling capabilities, alert and message capabilities, quality of exploits, reactions to "false positives", and overall features and capabilities.

    3. Reporting Capabilities: How easy is it to create a report? The quality and design of the report. The comprehensiveness and personalization of the reports..

    My findings
    All of these programs can be tested for free, either through an evaluation or trial, or warez... ISS is extra tricky. I believe that the availability of these programs on the net represents the conspiracy to aid script-kiddies everywhere so that these companies will then profit after an intrusion (or even a loud scan).

    Each of these programs is not to be used for cracking... Nothing serious at least.. using these programs is akin to knocking on every window of a house, while simultaneously ringing the doorbell and playing loud music in the driveway.. Some of the programs allow for easy use of anonymous socks and web proxys, but we all know by now that to achieve any real anonymity takes much more work than that.

    Well, after several months of constantly using most of these products continually, it became clear to me which ones I liked the best.

    The top pick all-around (for windows) has to be retina's eeye, the company has a bunch of hackers and you can tell by their awesome product.

    Another great scanner (windows -web) are the different products offered by nstalker... very good web vuln scanner. Free for download..

    A close 2nd would be the SSS, I love it, its great, but eEye's is better.

    The best choice for me however is nessus. Although it has a few negatives compared to some of the other products, it is the best solution for anything serious. Set-up up a couple of nessus servers around the globe and try attacking the same location through different networks for some real eye-opening fun. Also good to practice tracking and tracing.

    Qualys is poised to be super-rich, just check out their site... great if you don't want to f with a scanner yourself.

    ISS is way too expensive and I didn't like the fact that I had to try for a while until I could download it. [Hint: Backdoor to download for clients/employees? Old Version != license? Google.. ;) ] But it is considered to be the best scanner and I admit the anti-pirating features and licensing of their software are pretty damn good.

    GFI is another top contender. It was just prone to crashing...

    A money place to get some other cool tools (Especially a bad-a$$ SSL encryption tester) are available for free at Get them soon, make a foundstone toolkit.... mcafee bought them so expect the free stuff to get yanked shortly... (I can't believe foundstone is almost gone...)

    Unless you are using these tools on yourself, or to check your friends pc or company (use scheduling with alerts to email or pager), there is no sane or logical reason to use these tools on any pc that you do not have express permission to use against.

    Remember these tools are the noisiest tools in a hackers arsenal and if you use it just once on an unknown host, your ISP can yank your account, you can face legal action, etc..

    Better to use firewalk, hping3 (now with scripting!), nmap, etc, and leave these crutch-like tools alone.

    Also check out , for the best product I have found so far.

    A few pointers..

    If you have a network of your own, and you don't have the time or resources to set up a nessus installation at a remote site to repeatedly test your network, the best solution IME is Qualys. I am not affiliated in any way, I checked it out merely to examine the competition in the marketplace... after experiencing their free trial, unheard of amounts of documentation, and extremely skilled marketing team, I am still very jealous.

    What an easy concept but they took it to that level and it stands alone, IMHO.

    So if you need that kind of simple, safe, comprehensive fix, check out qualys. Still, you would ultimately save a lot of money (even after computing time and costs) by setting up your own remote server somewhere to automatically check the network for you. Multiple locations of course are ideal (go through different networks etc..)

    The major lack of enthusiasm I have for most of these "vulnerability scanners" is the fact that so many of them run on windows and nothing else. The benefits to running from (almost anything else) a linux type platform are enormous. IOW, nessus can only continue to get better and better, while the only advantage eeye, ISS, and the rest of the dozer boys have is better knowledge of exploits.

    This is really a small point (in the big picture) because of the fact that it is sooo easy to copy an exploit (for those that do that sort of thing).

    So if you are out there, go help out the excellent people who give us nessus, go give them a donation, help them develop the software, test it out and email them detailed feedback of your likes and dislikes, do what you can to keep it around. I see it as having the most potential.

    NOTE: Just imagine if the source code to the "commercial scanners" (funny they are all for windows) was made available to the nessus teams.


    There are also vuln scanners that operate locally, many professionals use these to scan a lan of windows hosts for example. These are hard to find, so if you know of any, post.


    Also, after months of testing all the different vuln tools, including tons not listed above, I still failed to find a bug that allowed me root on a server.

    It was the mole.cfm script that got me in... an old exploit that none of the scanners picked up. So if you are serious about keeping your data safe, hire a real expert (like Foundstone or Core Security) and do not rely on a commercial marketing solution alone.

    Author Comment

    cduke250 recommended many other solutions, and I am really thankful to him/her,

    but my question is not yet answered.

    LVL 51

    Expert Comment

    > but when i enable all the plugins, it does not show it at all
    What should all the plugins do with port 8000? Most of them test something else, for example other ports.
    Please follow my suggestion http:#16734259

    BTW, Nessus is currently not a proper web application scanner. If you want to scan your web application, use a specialised scanner like nikto/wikto or a commercial one (AppScan, WebInspect, etc.)

    LVL 5

    Expert Comment


    ahoffman is correct - what are you specifically trying to test for?

    If you run Nessus from your machine against a different web server, does it give you the results you are expecting?

    If the web server is running Apache and you run the Nessus Apache tests, I'm not sure what else you would expect from running other modules against the web server port.

    I'll second the vote for nikto/wikto; it is pretty good:
    In our tests we have found the paid-for apps like AppScan etc. to be slightly better than wikto, but it does a pretty good job, and it's free! I'd recommend wikto as it is effectively a development of nikto with increased functionality.

    Another recommendation for you when using web site testing tools is to perform a manual walk through of the site in addition to any automated site walk through they perform as we have found they sometimes miss pages.

    LVL 3

    Expert Comment

    You can easily tell Nessus to only scan port 8000 by specifying "8000" (without "") in the ports field of the Nessus options.

    You should also click on "enable all checks" at the first Nessus screen.

    Are you using nessus on windows? Linux? Unix? BSD? Cygwin?

    Author Comment

    Thank you all for participating.

    When I put any port number or range of ports in the port range field,

    the results come as if it has been scanning all the services; it gives issues in SNMP and many others.

    I just ask it to scan port 8000, not any other port. Yes, I want it to try all checks, e.g. whether the service on this port is SSH or anything else,
    but not to search and scan other ports.

    Nessus is installed on a Linux box (Debian).

    LVL 51

    Expert Comment

    > .. the results comes as if it has been scanning all the services, it gives issues in snmp ..
    Please read the comments again:
      you have to disable those checks which you're not interested in!!

    Author Comment

    Let's assume that we do want to scan a port where we do not know the service running on it.
    Yes, we know it's port 8000, but I am not sure whether there is a web service behind it or not.

    So I want to check it using all plug-ins and get a final report about it.

    Again, all those scans are to be applied only to this specific port, not to anything else.

    LVL 51

    Accepted Solution

    > again, all that scans to be only applied on this specific port not any thing else
    Again, then you have to enable only those plug-ins which do not use different or fixed ports.

    (I know that this is a bit of work to do, but as explained before: Nessus is primarily a network scanner, not an application scanner.)
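    The accepted answer leaves the asker with a manual plugin-by-plugin selection and no way to confine the scan itself to port 8000. A defender-side workaround not shown in the thread is to run the chosen checks as normal and then filter the resulting report down to the one port. The following is an added example, not code from the thread or from the Nessus project; it assumes the pipe-delimited NBE report layout of Nessus 2.x (`results|subnet|host|port|plugin id|type|description`) and uses constructed sample report lines.

```python
import re
from typing import Iterator

# Constructed sample report in the Nessus 2.x NBE layout (assumption):
# results|subnet|host|port|plugin id|type|description
# Plugin ids and descriptions are made up for the example.
SAMPLE_NBE = """\
timestamps|||scan_start|Mon May 22 10:00:00 2006|
results|192.168.1|192.168.1.10|www (8000/tcp)|10107|INFO|HTTP Server type and version : Apache
results|192.168.1|192.168.1.10|snmp (161/udp)|10264|Security Hole|SNMP agent answers to community name 'public'
results|192.168.1|192.168.1.10|general/tcp|10287|INFO|Traceroute information
results|192.168.1|192.168.1.10|www (8000/tcp)|11213|Security Warning|TRACE method is enabled
results|192.168.1|192.168.1.10|ssh (22/tcp)|10267|INFO|SSH server type and version
"""

# "www (8000/tcp)" -> port 8000, protocol tcp; "general/tcp" carries no port number
PORT_RE = re.compile(r"\((\d+)/(tcp|udp)\)$")

def parse_nbe(text: str) -> Iterator[dict]:
    """Yield one dict per 'results' record; timestamps and malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[0] != "results":
            continue
        m = PORT_RE.search(fields[3].strip())
        yield {
            "host": fields[2],
            "port": int(m.group(1)) if m else None,   # None for host-wide 'general/*' rows
            "proto": m.group(2) if m else None,
            "plugin_id": fields[4],
            "type": fields[5],
            "description": "|".join(fields[6:]),      # description may itself contain '|'
        }

def findings_for_port(text: str, port: int, proto: str = "tcp") -> list[dict]:
    """Keep only records tied to the given port; host-wide rows and other ports are dropped."""
    return [r for r in parse_nbe(text) if r["port"] == port and r["proto"] == proto]

if __name__ == "__main__":
    for r in findings_for_port(SAMPLE_NBE, 8000):
        print(f'{r["host"]}:{r["port"]}/{r["proto"]} plugin {r["plugin_id"]} [{r["type"]}] {r["description"]}')
```

    Filtering after the fact does not reduce scan noise against the other ports, so it complements rather than replaces the plugin selection the expert describes.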

    Author Comment

    My update is that I did not receive a solution, because Nessus does not have this facility.

    If I am to give someone the credit, then I will give it to

    LVL 27

    Expert Comment

    Any Update?
