August 12th, 2021

Nessus versus Penetration Test

Why Nessus Scans cannot replace Penetration Testing. 

Many organizations utilize security products to support their IT and Cybersecurity personnel.  These applications can assist with Vulnerability Management, Asset Management, and Network Management, often incorporating features that give visibility and statistics on their findings within their environments.  While these tools help identify issues within a network and provide awareness to their users, they are equally a goldmine of information that can be targeted by malicious attackers and often miss vulnerabilities and misconfigurations an experienced actor could abuse. 

Visibility Gaps for Vulnerability Scanners 

When IT teams too heavily rely on their automated solutions to identify vulnerabilities and weaknesses, they may overlook gaps in their network visibility.

Active Directory Analysis

Windows Domains consist of an Active Directory structure that controls the configuration, authentication, and authorization of the domain-joined systems.  While tools like Tenable’s Nessus and Rapid7’s Nexpose target open ports and services during their network scans, a deep dive into the misconfigurations and vulnerabilities of Active Directory is often missing.  The Access Control Lists (ACLs) and Group Policy Objects (GPOs) are key components that can be abused to perform lateral movement, privilege escalation, and account takeovers within a Window’s environment.

File Server Auditing

Vulnerability scanners will help identify exposed ports of File Servers and can also address systems that are missing security patches; however, they do know perform tailored audits against the File Server’s contents or privilege separation.  Conducting a file server audit can help discover excessive READ permissions, sensitive data repositories, unprotected Personally Identifiable Information (PII), and plaintext credentials.

Incident Response Exercises 

Nessus scans will not test your Blue Team’s react speed or process like a penetration test will.  When a pentest uncovers a vulnerability or is able to perform lateral movement or privilege escalation, what tools are in place to detect that activity and how does the security team respond?  Penetration Tests and Red Team engagements are the best ways to perform adversarial emulation and exercise how to respond to ensure the communication, processes, and actions are well versed to handle a real-life incident. 

Security Recommendations 

During the numerous Penetration Tests PLEX Cyber has performed, there are common trends in the shortcomings and vulnerabilities present in the configurations and usage of Nessus scanners.  

Restricted Access 

Network routing restrictions and firewalls to ensure only the necessary IT Admin computers or the IT subnet can access the security appliance to make changes. 

Ensure authentication is restricted to only necessary IT admin staff, preferably not domain-based authentication, possibly even MFA if it allows.  Disable or restrict SSH access. 

Scanning Configurations 

Be careful about the credentials provided to the system for authenticated testing, ensuring that the related account has account restrictions (such as no interactive logins, time-based authentication windows, disabled until needed for scans, etc.). 

It’s best to ensure the Nessus scans only happen at specific time windows.  Attackers target these appliances and can launch scanning and lateral movement capabilities from them, often undetected because the Nessus Server has full permissions to perform heavy scanning and vulnerability detections across the enterprise. 

Ensure scans are not set blindly to full CIDR notation and only scans known company assets.  If the Nessus appliance is configured in such a way that rogue devices could be included, authenticated services such as FTP, SSH, and SMB can be enabled on the rogue device as a honeypot to collect the scanner’s stored credentials. 


Security appliances are an important aspect in reducing risk and increasing awareness.  Ensuring these applications are configured properly and are not misused or abused is vital to maintain a strong security posture.  Additionally, requiring ongoing penetration testing helps cover the blind spots often missed by the Vulnerability Management solutions.  PLEX Cyber is well versed in performing Penetration Testing and is available to assist.  

For more information on how PLEX Cyber can help your organization secure its environment, please contact Christina Majernik, VP PLEX Cyber at