Practical: Host Discovery Scan and OS Identification Scan

Performing Host Discovery and OS Identification scans are foundational tasks in vulnerability assessment and network reconnaissance. These scans help you identify live hosts on a network and determine their operating systems. Here’s a step-by-step guide to performing these scans using Nessus.

---

1. Host Discovery Scan

A Host Discovery Scan is used to identify active devices on a network without performing a full vulnerability scan. This scan is lightweight and is typically used as the first step to identify the scope of a larger assessment.

Step-by-Step Guide

1. Log in to Nessus: Access the Nessus dashboard by navigating to its URL (e.g., https://<your-nessus-server-ip>:8834) and logging in.
2. Create a New Scan:
   • Navigate to the My Scans folder.
   • Click New Scan and select the Host Discovery template.
3. Configure the Scan:
   • Name the Scan: Provide a descriptive name (e.g., “Host Discovery – Network A”).
   • Targets: Enter the IP range, subnet, or hostname(s) of the network you want to scan (e.g., 192.168.1.0/24).
   • Scan Options: Customize options such as the discovery method. Default methods include ICMP (ping), TCP, and UDP.
4. Save and Launch the Scan:
   • Save the scan configuration.
   • Launch the scan by clicking the Launch button.
5. Review Results:
   • Once the scan completes, review the results to see a list of live hosts.
   • The output will include basic details like IP addresses and, in some cases, detected services.

---

2. OS Identification Scan

An OS Identification Scan determines the operating systems running on the identified hosts. This information helps you tailor vulnerability scans and remediation efforts.

Step-by-Step Guide

1. Log in to Nessus: Use your credentials to access the Nessus interface.
2. Create a New Scan:
   • Go to My Scans.
   • Click New Scan and choose the Basic Network Scan template. This template supports OS detection.
3. Configure the Scan:
   • Name the Scan: Enter a descriptive name (e.g., “OS Identification – Network A”).
   • Targets: Specify the IP range, subnet, or hostnames to scan.
   • Advanced Settings:
     • Navigate to the settings and ensure the OS Fingerprinting option is enabled.
     • Modify port ranges if necessary to include common OS-related service ports.
4. Save and Launch the Scan:
   • Save your scan configuration.
   • Click Launch to start the scan.
5. Review Results:
   • Open the completed scan results.
   • Look for the Operating System section, which will display the detected OS types and versions for each host.
   • Nessus may also indicate confidence levels for each OS identification.

---

Best Practices for Host Discovery and OS Identification Scans

• Limit the Scope: Define a specific subnet or range to scan, especially in large networks, to minimize scan time and network impact.
• Avoid Peak Hours: Run these scans during off-peak hours to prevent interference with normal network operations.
• Credentialed Scans: For OS identification, use system credentials to improve accuracy.
• Combine with Port Scanning: Pair host discovery and OS identification scans with a port scan for deeper insights into the hosts’ configurations and services.

---

Analyzing and Using the Results

• Host Discovery: Use the list of active hosts to focus subsequent vulnerability scans on only live systems, reducing unnecessary scanning.
• OS Identification: Use detected OS versions to prioritize patches and assess known vulnerabilities. Tailor Nessus policies to suit the specific operating systems in use better.

Host Discovery and OS Identification scans are quick yet essential steps in understanding a network’s layout and its devices. Following these practical steps, you can efficiently map out your environment and lay the groundwork for deeper vulnerability assessments.