NESSUS-SCAN01
NESSUS-SCAN01 is the vulnerability management node for the lab. It runs Nessus Essentials on Tenable Core and is used to perform authenticated and unauthenticated scans against lab endpoints to identify misconfigurations, missing patches, and known vulnerabilities.
Understanding Nessus
Nessus is a widely-used vulnerability scanner developed by Tenable. In this lab, Nessus Essentials (the free tier) is used — it supports up to 5 IP addresses per scan, which is sufficient for this environment.
Scans can be run in two modes:
- Unauthenticated: Nessus probes each target externally without credentials. It can identify open ports, exposed services, and some externally visible vulnerabilities, but visibility is limited to what is reachable from the network.
- Credentialed: Nessus logs into each target using supplied credentials. This allows it to enumerate installed software, check patch levels, audit registry settings, and surface far more vulnerabilities than an unauthenticated scan can detect.
In this lab, Windows credentials are added to the scan so that results from Windows endpoints (DC01, PC01) are as complete and actionable as possible.
VM Hardware Configuration
| Feature | Configuration |
|---|---|
| OS | Tenable Core |
| vCPU | 2 |
| RAM | 4 GB |
| Disk | 50 GB |
| Network | LAN_NET (Static IP: 192.168.20.40) |
[!IMPORTANT] In VirtualBox, the NIC must be attached to LAN_NET.
Initial Setup
Nessus on Tenable Core ships with a first-run wizard. On first boot, access the web interface and step through the wizard to configure the OS and create the initial admin account.
Default Credentials
The wizard begins with the following built-in credentials:
| Field | Value |
|---|---|
| Username | wizard |
| Password | admin |

Static IP Assignment
The wizard prompts whether to configure a static address. Set a static IP at this stage rather than relying on DHCP — this ensures the scanner is always reachable at a known address and its DNS record remains valid.
| Segment | IP Address | Gateway | DNS Server |
|---|---|---|---|
| LAN_NET | 192.168.20.40/24 |
192.168.20.1 |
192.168.20.10 |
Creating the OS Admin Account
Create the Tenable Core OS admin account when prompted:
| Field | Value |
|---|---|
| Username | nessus-scan01 |
| Password | P@ssw0rd123 |
DNS Registration in DC01
Adding the A Record and PTR
- Open DNS Manager on DC01
- Expand DC01 → Forward Lookup Zones → right-click
lab.internal→ New Host (A or AAAA) - Set the following values and check “Create associated pointer (PTR) record”
| Field | Value |
|---|---|
| Name | nessus-scan01 |
| IP | 192.168.20.40 |

Nessus Activation
After the OS wizard completes, the Nessus web interface walks through its own setup. Follow the on-screen steps to obtain an activation code for Nessus Essentials — a free Tenable account is required to receive one.
Once activated, create the Nessus service admin account:
| Field | Value |
|---|---|
| Username | nessus-scan01 |
| Password | P@ssw0rd123 |
[!NOTE] This is a separate account from the Tenable Core OS admin created during the initial wizard. The OS account manages the underlying appliance; this account is used to log in to the Nessus web interface and manage scans.
Running Scans
Host Discovery Scan
Once Nessus finishes loading its plugins and rules, it runs a host discovery scan by default. This performs a lightweight sweep of the network to enumerate live hosts before running deeper vulnerability scans.

Basic Network Scan
The main vulnerability scan targets the following LAN_NET hosts:
| Device | IP Address |
|---|---|
| PFSENSE-FW01 | 192.168.20.1 |
| DC01 | 192.168.20.10 |
| WAZUH-SIEM01 | 192.168.20.20 |
| PC01 | 192.168.20.102 |
To create the scan:
- In the Nessus web interface, select New Scan → Basic Network Scan
- Set the targets to:
192.168.20.1, 192.168.20.10, 192.168.20.20, 192.168.20.102

Adding Windows Credentials
To run a credentialed scan against Windows targets (DC01, PC01), add Windows credentials under the scan’s Credentials tab. This allows Nessus to authenticate to those machines and perform deep local inspection — checking installed software versions, patch levels, registry settings, and local security configuration. The difference in findings between a credentialed and an unauthenticated scan against a Windows host is significant.

Validating Detection During the Scan
While the scan is running, we can verify that the lab’s NIDS and HIDS systems are correctly picking up the scanning activity. A vulnerability scan generates a large volume of probe traffic across many ports and protocols — it should be loud and highly visible to any properly configured detection system. This is a useful opportunity to validate end-to-end detection coverage.
Suricata (NIDS)
Suricata on SURICATA-BR01 monitors all traffic traversing LAN_NET. It should fire multiple alerts as Nessus sweeps the network:

Wazuh — PC01 (HIDS)
The Wazuh agent on PC01 should surface alerts triggered by the credentialed scan probing the workstation locally:

Wazuh — DC01 (HIDS)
The Wazuh agent on DC01 should similarly alert as Nessus authenticates and enumerates the domain controller:

Scan Results
Once the scan completes, Nessus presents a full breakdown of findings grouped by severity — Critical, High, Medium, Low, and Info. These results form the basis for prioritising remediation work across the lab.
