Nessus scan over servers hosted on AWS


Nandan L G

Oct 17, 2016, 9:10:20 AM
to null
Hi All,

I have the following scenario; can anyone please help me understand it?

1. Nessus is installed on a machine which is in my company's network.
2. I need to scan the hosts in the AWS infrastructure (provided with IPs).

Is it possible to scan the AWS hosts from the company's network, or do we need to install Nessus in AWS? Please let me know if there are any requirements I need to collect to run the scan from my company's network.

Thanks in advance.

Regards,
Nandan


TAS

Oct 17, 2016, 9:38:59 AM
to null-...@googlegroups.com
You cannot scan servers in AWS using your own Nessus. But the Amazon Marketplace does have a Nessus VM. You should check with the AWS support team before running scans. They usually don't allow it and have alternatives to your requirement.

TAS
--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
______________________________________________________________________________
se7enth edition of nullcon Goa (Mar 9-12, 2016)
http://nullcon.net
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
Visit this group at https://groups.google.com/group/null-co-in.
For more options, visit https://groups.google.com/d/optout.

khushal

Oct 17, 2016, 11:08:21 AM
to T

You need to post the request to the CSP; after getting the approval you can do the scanning as you were doing.



anirudh duggal

Oct 17, 2016, 11:09:14 AM
to null-...@googlegroups.com

Hello Nandan,

You will need permission from Amazon to run Nessus over the cloud (I know it's your cloud), and to give a static IP or a range of public IPs from which you will run those scans.
You can run it from your company's network. Also, there are cloud auditing profiles in Nessus. Do check them out as well.

If it's a big infrastructure inside the AWS environment, install Nessus on one of the machines in the cloud and run Nessus from there; you will still need permission from Amazon to do it.
You will have to move your Nessus license from the Nessus customer portal in this case.

Regards,
Anirudh



vinay kadagave

Oct 17, 2016, 11:09:15 AM
to null-...@googlegroups.com
You can scan it from your system, but AWS will block your connection, so you will have to take approval from AWS to scan it.

If you want to scan the private IP interface, you will need to have Nessus on AWS.


Thanks & Regards,

Vinay



Prashanth S

Oct 17, 2016, 11:42:43 AM
to null-...@googlegroups.com

Hi Nandan,

No matter what technique you use, follow these guidelines set by Amazon: https://aws.amazon.com/security/penetration-testing/
Fill in this form, https://aws.amazon.com/forms/penetration-testing-request, get an approval, and you are good to go.

The best option will be to use the Nessus AMI from amazon marketplace. https://aws.amazon.com/marketplace/pp/B01LXCD58S?qid=1476718288794&sr=0-2&ref_=srh_res_product_title


If all your targets are public, then you can use your own Nessus. There is no restriction as long as you have done the above due diligence.

If your targets are not public IPs, then you will have to use the Nessus AMI or use SSH tunneling (not recommended).

Hope this helps.


Regards,
Prashanth



Vincent Ruijter

Oct 18, 2016, 2:29:46 AM
to null-...@googlegroups.com, Nandan L G
Hi Nandan,

It's an option to deploy an image in AWS with Nessus (or install it later) and scan from there. Amazon has a policy for penetration testing; make sure to read it first (1), and request permission (2):



Regards,

Vincent 


Nandan L G

Oct 18, 2016, 3:34:26 AM
to null-...@googlegroups.com
Hi All,

Thank you all for your valuable responses. 

If I need to scan public IPs on AWS, will a scan configured with the Access ID and Secret Key connect to those targets for the vulnerability scan? Or do I need to connect through a VPN?

Thanks,
Nandan

Akash

Oct 18, 2016, 7:57:52 AM
to null-...@googlegroups.com
Hi Nandan, 


Access ID and Secret Key for what? 

I think this is already answered for you, repeating just to be sure.

1. You can scan anything on AWS as long as the AWS account owner (whose resources you want to scan) gets permission from AWS.

2. If security groups are in place and you would like to scan inside a VPC, you will need to whitelist the external IP from which you are scanning.

3. Set up OpenVPN in a new instance that is part of the VPC that you would like to scan. Allow connections to that instance from OpenVPN clients.

4. Once you are connected, you will be able to use Nessus as if it were in the same LAN.

We covered the same scenario in the cloud puliya a few days back.

Warm regards,
Akash Mahajan

That Web Application Security Guy | +91 99 805 271 82
akashm.com | @makash on twitter | linkd.in/webappsecguy
OWASP Bangalore Chapter Lead | null Community Manager

Team Rdr

Oct 18, 2016, 9:04:53 AM
to null-...@googlegroups.com
I didn't try Nessus, but I tried OpenVAS using this method. Working for me.

Nandan L G

Oct 19, 2016, 9:47:31 AM
to null-...@googlegroups.com
Thanks Akash, your response has answered most of my queries. 

prasanna

Oct 20, 2016, 7:45:40 AM
to null
Nessus has a scan template called Audit Cloud Infrastructure, using which one can scan AWS, Rackspace, Azure, etc. This scan policy requires an AWS Key ID / Secret Key for auditing things similar to those you get in AWS's own Trusted Advisor (like whether MFA is enabled, or public access to sensitive ports like 22, 3306, etc.).

Another way to scan, in addition to what Akash has mentioned, is a credentialed scan, which usually also lists missing patches. For example, you can use security groups to whitelist access from your office address only and provide SSH credentials with key + passphrase. You might ask what if the server does not have a public IP: you can assign a public IP for the duration of the scan and detach it later, but do remember the above point.

Do take approval from AWS before scan!

Prasanna
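The two defender-side chores that come out of Akash's steps and Prasanna's reply above are (a) the configuration findings an Audit Cloud Infrastructure-style policy reports, such as sensitive ports open to the world and IAM users without MFA, and (b) making sure the security-group rule that whitelisted the scanner's office IP is removed once the scan is over. The script below is an added example written for this thread, not code from the thread, Tenable or AWS. It runs on constructed sample data shaped like `aws ec2 describe-security-groups` JSON and the IAM credential report CSV (`aws iam get-credential-report`); the scanner IP 203.0.113.10 and the sensitive-port list are assumptions.

```python
"""Checks around a Nessus engagement on AWS (added example, constructed data).

world_exposed_sensitive_ports  : what a cloud configuration audit flags
users_without_mfa              : credential-report view of MFA coverage
leftover_scanner_rules         : temporary scanner whitelist still in place
"""
import csv
import io
import ipaddress
import json

# Assumption: ports treated as sensitive (the thread names 22 and 3306).
SENSITIVE_PORTS = (22, 3306, 3389, 5432)

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE_SG_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0000000000000001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000000000000002", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "203.0.113.10/32",
                       "Description": "nessus scan, temporary"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]})

# Constructed sample with the credential report's user, arn, mfa_active columns.
SAMPLE_CRED_CSV = (
    "user,arn,mfa_active\n"
    "<root_account>,arn:aws:iam::111111111111:root,false\n"
    "alice,arn:aws:iam::111111111111:user/alice,true\n"
    "bob,arn:aws:iam::111111111111:user/bob,false\n")


def _port_range(perm):
    """Ports an IpPermissions entry covers; protocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_exposed_sensitive_ports(sg_json):
    """(group_id, port) for each sensitive port reachable from 0.0.0.0/0."""
    findings = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                continue
            lo, hi = _port_range(perm)
            findings.extend((sg["GroupId"], p) for p in SENSITIVE_PORTS if lo <= p <= hi)
    return findings


def users_without_mfa(cred_csv):
    """Usernames (root included) whose mfa_active column is not true."""
    rows = csv.DictReader(io.StringIO(cred_csv))
    return [r["user"] for r in rows if r["mfa_active"].lower() != "true"]


def is_single_host_cidr(cidr):
    """A scanner whitelist should name exactly one host (/32 or /128)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses == 1


def leftover_scanner_rules(sg_json, scanner_ip):
    """Ingress entries still granting the scanner host access after the scan.

    Each result is (group_id, permission) with the permission trimmed to the
    scanner's range only, so it can be passed unchanged to
    `aws ec2 revoke-security-group-ingress --ip-permissions`.
    """
    target = ipaddress.ip_network(f"{scanner_ip}/32")
    leftovers = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            hits = [r for r in perm.get("IpRanges", [])
                    if ipaddress.ip_network(r["CidrIp"]) == target]
            if hits:
                trimmed = {k: v for k, v in perm.items() if k != "IpRanges"}
                trimmed["IpRanges"] = hits
                leftovers.append((sg["GroupId"], trimmed))
    return leftovers


def revoke_command(group_id, perm):
    """The AWS CLI line that removes one leftover whitelist rule."""
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{json.dumps([perm])}'")


if __name__ == "__main__":
    for gid, port in world_exposed_sensitive_ports(SAMPLE_SG_JSON):
        print(f"{gid}: port {port} open to 0.0.0.0/0")
    for user in users_without_mfa(SAMPLE_CRED_CSV):
        print(f"no MFA: {user}")
    for gid, perm in leftover_scanner_rules(SAMPLE_SG_JSON, "203.0.113.10"):
        print(revoke_command(gid, perm))
```

On the constructed sample this reports port 3306 open to the world on the `web` group, no MFA on root and `bob`, and one leftover all-ports rule for the scanner IP on the `app` group, printed as the revoke command to run. The whitelist check deliberately matches only the exact /32 so that a genuinely world-open rule is reported by the first function rather than mistaken for scanner residue.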

Akash

Oct 21, 2016, 1:30:36 AM
to null-...@googlegroups.com
Hi Prasanna,

Isn't the Audit Cloud Infrastructure template a static audit of the configuration for IAM etc.? AFAIK it doesn't do a runtime check for anything. Also good to know that it supports more than just AWS.


prasanna

Oct 21, 2016, 9:42:28 AM
to null
Akash,

Yeah, these do compliance audits against CIS Benchmarks etc., not VA scans. Personally, I find them quite useful, as they cover a lot more than AWS's own Trusted Advisor reports and require only read-only access.

Prasanna