How to do it...

Let's perform a vulnerability scan with the help of Nessus:

  1. To get started with a new scan in Nessus, ensure that the Scans tab is selected at the top of the screen. If no scans have been run in the past, the list at the center of the screen will be empty. To execute an initial scan, click on the blue New Scan button on the left-hand side of the screen, as shown in the following screenshot:
  2. This will require some basic configuration information. You will be prompted with a series of fields, including Name, Policy, Folder, and Targets:
    • The Name field is simply a unique identifier that distinguishes these scan results from other scans. If you are performing a large number of scans, it helps to be very specific with the scan name.
    • The second field is Policy. It is what really defines the details of the scan, since it selects which scan policy will be used. If you are not familiar with how scan policies work, refer to the preceding recipe. Any public or private scan policies that the logged-in user has created should be visible in the Policy drop-down menu.
    • The Folder field defines which folder the scan results will be placed in. Organizing your scans in folders is helpful when you need to sort through a large number of scan results. New scan folders can be created from the main Scans menu by clicking on New Folder.
    • The last field is Targets, which defines what systems will be scanned. Here, you can enter a single host IP address, a list of IP addresses, a sequential range of IP addresses, a CIDR range, or a list of IP ranges. Alternatively, you can use hostnames, provided the scanner itself (not your workstation) is able to resolve them to IP addresses using DNS.
    • Finally, there is also an option to upload a text file containing a list of targets in any of the aforementioned formats, as shown in the following screenshot:
  3. After configuring the scan, it can be executed using the Launch button at the bottom of the screen. This immediately adds the scan to the list of scans, and the results can be viewed in real time, as shown in the following screenshot:
  4. Even while the scan is running, you can click on the scan name and begin viewing the vulnerabilities as they are identified. Color-coding is used to quickly identify the number of vulnerabilities and their severity levels, as shown in the following screenshot:
  5. After clicking on the example scan, we can see two of the hosts that are being scanned. The first indicates that the scan is complete, and the second host is at 2% completion. The bar graphs in the Vulnerabilities column show the number of vulnerabilities associated with each host. Alternatively, you can click on the Vulnerabilities link at the top of the screen to organize the findings by discovered vulnerability, together with the number of hosts on which each vulnerability was identified.
  6. On the right-hand side of the screen, we can see a similar pie chart, but this one corresponds to all hosts scanned, as shown in the following screenshot:
  7. This pie chart also defines the meaning of each color, ranging from critical vulnerabilities to informational details. By selecting the link for any particular host IP address, you can see the specific vulnerabilities that were identified for that host:
  8. This list of vulnerabilities shows the plugin name, which generally provides a brief description of the finding, and its severity level. As a penetration tester, the critical and high vulnerabilities will usually be the most promising if you are seeking to achieve remote code execution on the target system. By clicking on any one of the vulnerabilities, you can get a large amount of information about it, as shown in the following screenshot:
  9. In addition to the description and patching information, this page also provides alternative sources for further research and, most importantly for penetration testers, reveals whether or not an exploit exists. It will often also indicate whether the available exploit is public or exists within an exploitation framework such as Metasploit, CANVAS, or Core Impact. Treat the severity rating as a prioritization hint rather than proof of exploitability: a High finding with a working exploit is often a better first target than a Critical with none, and every candidate should be verified by hand before you attempt to exploit it.
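The steps above map the New Scan form (Name, Policy, Folder, Targets) and the results views (severity counts, exploit availability) onto a single workflow. As an added example that is not from the book or from Tenable, the following Python helper does the same work outside the UI: it normalizes a Targets field in the formats the recipe lists, assembles the JSON body for the scanner's `POST /scans` call, and triages a findings list by severity and exploit availability. The request field names (`uuid`, `settings.name`, `settings.policy_id`, `settings.folder_id`, `settings.text_targets`), the template UUID placeholder, and the short-form range syntax `a.b.c.d-N` are assumptions made here, so verify them against your scanner's API documentation; `SAMPLE_FINDINGS` is constructed data, not real scanner output.

```python
# Added example (not from the book or from Tenable). Request field names and the
# template UUID placeholder are assumptions; check them against the scanner's API docs.
import ipaddress
import re
from collections import Counter

# Severity index -> label, matching the legend of the results pie chart.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def _parse_range(token):
    """'a.b.c.d-e.f.g.h', or the assumed short form 'a.b.c.d-N' (last octet), -> (first, last)."""
    if token.count("-") != 1:
        return None
    lo, hi = token.split("-")
    try:
        first = ipaddress.ip_address(lo)
    except ValueError:
        return None  # not an address range (for example a hostname containing a hyphen)
    if "." in hi or ":" in hi:
        last = ipaddress.ip_address(hi)  # full-address range; raises on garbage
    else:
        if first.version != 4 or not hi.isdigit() or not 0 <= int(hi) <= 255:
            raise ValueError(f"short-form range needs an IPv4 start and a last octet 0-255: {token}")
        last = ipaddress.ip_address(int(first) - (int(first) & 0xFF) + int(hi))
    if last.version != first.version or last < first:
        raise ValueError(f"invalid range: {token}")
    return first, last


def parse_targets(spec):
    """Targets field or uploaded target file -> list of (kind, value, host_count).

    Separators may be commas, spaces or newlines. Hostnames count as one host
    each; the scanner, not this script, resolves them at launch time.
    """
    entries = []
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        if "/" in token:
            net = ipaddress.ip_network(token, strict=False)
            entries.append(("cidr", str(net), net.num_addresses))
            continue
        rng = _parse_range(token)
        if rng:
            first, last = rng
            entries.append(("range", f"{first}-{last}", int(last) - int(first) + 1))
            continue
        try:
            entries.append(("ip", str(ipaddress.ip_address(token)), 1))
        except ValueError:
            if not HOSTNAME_RE.match(token):
                raise ValueError(f"unrecognised target: {token!r}") from None
            entries.append(("hostname", token, 1))
    return entries


def host_count(spec):
    """Number of addresses a Targets specification expands to (sanity check before Launch)."""
    return sum(count for _, _, count in parse_targets(spec))


def build_scan_request(name, policy_id, folder_id, targets, template_uuid="TEMPLATE-UUID"):
    """JSON body for POST /scans from the Name, Policy, Folder and Targets fields.

    template_uuid is a placeholder; the real value comes from the scanner's
    template listing (assumed here, not taken from the book).
    """
    return {
        "uuid": template_uuid,
        "settings": {
            "name": name,
            "policy_id": policy_id,
            "folder_id": folder_id,
            "text_targets": ", ".join(value for _, value, _ in parse_targets(targets)),
        },
    }


# Constructed findings, one row per (host, plugin), in the shape of a flattened export.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "plugin_name": "Sample RCE in legacy file service",
     "severity": 4, "exploit_available": True, "frameworks": ["Metasploit"]},
    {"host": "10.0.0.5", "plugin_name": "Sample weak TLS cipher suites",
     "severity": 2, "exploit_available": False, "frameworks": []},
    {"host": "10.0.0.12", "plugin_name": "Sample outdated web framework",
     "severity": 3, "exploit_available": True, "frameworks": ["Core Impact"]},
    {"host": "10.0.0.12", "plugin_name": "Sample service banner disclosure",
     "severity": 0, "exploit_available": False, "frameworks": []},
    {"host": "10.0.0.12", "plugin_name": "Sample unsupported OS version",
     "severity": 3, "exploit_available": False, "frameworks": []},
]


def severity_counts(findings):
    """Totals per severity label: the numbers behind the coloured bars and pie chart."""
    return Counter(SEVERITY[f["severity"]] for f in findings)


def exploitable(findings, min_severity=3):
    """High and Critical findings with a public or framework exploit, most severe first."""
    hits = [f for f in findings if f["severity"] >= min_severity and f["exploit_available"]]
    return sorted(hits, key=lambda f: (-f["severity"], f["host"]))
```

Checking `host_count()` before clicking Launch is the one step worth keeping even if you never touch the API: a mistyped prefix such as `/8` instead of `/24` turns a small scan into one against millions of addresses, and a descending or malformed range is rejected here rather than silently producing an empty scan.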