# Nessus Scan Types

Here we have options for a basic <mark style="color:green;">Host Discovery</mark> scan to identify live hosts/open ports or a variety of scan types such as the <mark style="color:green;">Basic Network Scan</mark>, <mark style="color:green;">Advanced Scan</mark>, <mark style="color:green;">Malware Scan</mark>, <mark style="color:green;">Web Application Tests</mark>, as well as scans targeted at specific CVEs and audit & compliance standards. A description of each scan type can be found [here](https://docs.tenable.com/nessus/Content/ScanAndPolicyTemplates.htm).

<figure><img src="https://3367244783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FK3YP1U2Fck03eUZ2XijJ%2Fuploads%2FAbCbPGj5at9ifVGUPMuo%2Fimage.png?alt=media&#x26;token=56c81a06-b1fa-4c18-858f-3db813dc6470" alt=""><figcaption></figcaption></figure>

## Basic Network Scan

<figure><img src="https://3367244783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FK3YP1U2Fck03eUZ2XijJ%2Fuploads%2FaM78euqBPotPxKacW29G%2Fimage.png?alt=media&#x26;token=a04abf46-51c5-411f-98f0-0bdd18c310c5" alt=""><figcaption></figcaption></figure>

1. Give it a Name, Description, Folder, and then the target

### Discovery

In the `Discovery` section, under `Host Discovery`, we're presented with the option to enable scanning for fragile devices. Scanning devices such as network printers often result in them printing out reams of paper with garbage text, leaving the devices unusable. We can leave this setting disabled: ![Options for Fragile Devices: Scan Network Printers, Scan Novell Netware hosts, Scan Operational Technology devices.](https://academy.hackthebox.com/storage/modules/108/nessus/options.png)

### Assessment

Under the <mark style="color:green;">Assessment</mark> category,&#x20;

1. Web application scanning can also be enabled if required,&#x20;
2. Custom user agent and various other web application scanning options can be specified (e.g., a URL for Remote File Inclusion (RFI) testing):

If desired, Nessus can attempt to authenticate against discovered applications and services using provided credentials (if running a credentialed scan), or else can perform a brute-force attack with the provided username and password lists:

<figure><img src="https://3367244783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FK3YP1U2Fck03eUZ2XijJ%2Fuploads%2F6yFd1xyK0aN7hcLeht0W%2Fimage.png?alt=media&#x26;token=72f2fb4a-cc07-4b97-893a-5f75bcfb1ac4" alt=""><figcaption></figcaption></figure>

User enumeration can also be performed using various techniques, such as RID Brute Forcing:&#x20;

<figure><img src="https://3367244783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FK3YP1U2Fck03eUZ2XijJ%2Fuploads%2FE6BUKni7AueSjH96ukuz%2Fimage.png?alt=media&#x26;token=e827b2b4-3642-43ad-b69f-3f6fab5296b7" alt=""><figcaption></figcaption></figure>

If we opt to perform RID Brute Forcing, we can set the starting and ending UIDs for both domain and local user accounts:

<figure><img src="https://3367244783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FK3YP1U2Fck03eUZ2XijJ%2Fuploads%2F5wEMZL7n2f9hz5lO4oF3%2Fimage.png?alt=media&#x26;token=c94eab89-2983-43d8-9b62-494861adf3fc" alt=""><figcaption></figcaption></figure>

### Advanced

On the `Advanced` tab, safe checks are enabled by default.&#x20;

* This prevents Nessus from running checks that may negatively impact the target device or network.
* We can also choose to slow or throttle the scan if Nessus detects any network congestion, stop attempting to scan any hosts that become unresponsive, and even choose to have Nessus scan our target IP list in random order: