2

I want to scan with Nessus a network which include OT devices but I don't know how can I config Nessus to do it.

Firstly, I disable ping scan, before of Nessus scan I do a IP enumerate with Nmap, and Service Discovery option. In addition, I change default value of Port Scanning, setting the OT tipical ports, more or less 25 ports. Besides, in Assessment I disabled Request imformation about thre SMB domain.

Finally, on Advanced I set 1 on Network timeout (in seconds), Max simultaneos checks per host and on Max simultaneous hots per scan. On Max number of concurrent TCP sessions per host and Max number of concurrent TCP sessions per scan I set the value 25.

On Plugins I don't know what change can I do to do a correct and effective scan with Nessus.

I am doing the scans via VPN.

Is correct my config? What is the best plugin config to OT devices?

Thanks!

Iratzar Carrasson Bores
  • 196
  • 1
  • 13

2 Answers2

1

I think whatever configuration settings you have done are correct for OT devices. Regarding plugins, I think it would be best to search plugins on Nessus Website. For example, Check this nessus plugins search website: https://www.tenable.com/plugins/search?q=OT&sort=&page=1

The listed plugins (First 4 on the plugins page) are the generic ones. You need to put little bit of efforts to find some more according to your device or your scan requirements.

tech_enthusiast
  • 435
  • 1
  • 5
  • 19
  • I saw the first 4 plugins of the page, but in my Nessus version I couldn't find them. In my version, _Nessus Home 6.11.1_, all plugins related with OT are in SCADA group, aren't them? – Iratzar Carrasson Bores Mar 23 '18 at 08:12
  • @IratzarCarrassonBores I am not sure about Nessus Home Version as I use Nessus Professional. I think Home version does not allow OT device plugins, but if you provide me the link or the details about SCADA group plugins, I might get you some details. – tech_enthusiast Mar 23 '18 at 08:35
0

The reason you aren't seeing anything, most likely, is because nessus, and most scanners, are looking for "servers"--as in applications on the device that have something "listening". If you try to scan your phone on the wifi subnet with nessus you'll end up with nothing most likely as phones typically do not have any "servers" and have icmp (ping) responses disabled.

For reference, I am primary on an OT/ICS technology "red-team". We scan these devices all the time with nessus (and nexpose, and etc). Typically we see "Webserver", "Snmp", and maybe some of the proprietary protocol listeners. If we scan a sensor, nothing. If we scan an older PLC, nothing.

Even more important, and worth asking when talking about OT... nessus won't scan the serial bus (rs-232, rs-485, etc), just want to make sure your aware of that. Also, although rare, is your OT on the other side of a data diode?

I could talk about this for days, but I need more info. Please hit me up in the comments with more info and also check out this website: www.scadahacker.com

bashCypher
  • 1,839
  • 11
  • 21
  • When do you see "Webserver", SNMP or things like that? On OT devices? What tools do you use for scan OT devices? I don't have more information about the targets, I am doing a black box scan. – Iratzar Carrasson Bores Mar 22 '18 at 08:21
  • You should see any application servers with nessus (or even Nmap). Many OT devices are very simple, like sensors and plc's, so shouldn't see any application servers. Check your tools, would be my suggestion, but scanning something you know that should respond. Do you know of any devices that have a web interface? A webpage for configuration? OT gateways typically will. – bashCypher Mar 22 '18 at 14:43
  • I don't have any idea about network – Iratzar Carrasson Bores Mar 22 '18 at 18:42
  • Ok, so you probably can't get them with a ping sweep. Try using "netdiscover" if you are in the lan, that will get you some arp calls. If arp-scan-works too. – bashCypher Mar 23 '18 at 00:56
  • I am connected via VPN, ARP scan is not possible. – Iratzar Carrasson Bores Mar 23 '18 at 08:01
  • Ok, well, you're going to struggle. If the different flavors of NMAP isn't pulling devices and you have nothing "known" to sanity check against, you are going to have to get creative. Going after broadcast communication is only thing I can think of left. – bashCypher Mar 23 '18 at 14:51