Nessus SSH Scanning on Windows

TL;DR

No, Nessus running directly on a Windows OS cannot reliably perform full internal scans of devices using SSH without additional configuration and potentially helper services. Windows’ native SSH implementation is limited compared to Linux-based systems, hindering Nessus’s ability to effectively leverage SSH for scanning.

Solution Guide

1. Understand the Limitations: Windows SSH (OpenSSH) differs from Linux implementations. It typically doesn’t offer the same flexibility or robustness needed for comprehensive network scans. Nessus relies on underlying OS capabilities to execute SSH commands and gather information.
   • Windows SSH is primarily designed for interactive sessions, not automated scanning.
   • Firewall restrictions can block outbound SSH connections from Windows.
   • Credential management within Windows SSH might be less straightforward than in Linux.
2. Check Nessus Configuration: Verify that the Nessus scanner is configured to use SSH credentials correctly.
   • Navigate to Settings > Credentials in the Nessus web interface.
   • Ensure you have created an SSH credential with valid username and password/key for target devices.
   • Confirm the correct port (default: 22) is specified.
3. Firewall Configuration: Ensure Windows Firewall allows outbound SSH connections.

   netsh advfirewall firewall add rule name="AllowSSH" dir=out action=allow protocol=TCP localport=any remoteport=22

   This command creates a rule allowing outgoing SSH traffic. Adjust the remoteport if your target devices use a non-standard SSH port.

4. SSH Key Management: Using SSH keys is generally more secure and reliable than passwords.
   • Generate an SSH key pair on the Windows machine (using PowerShell or PuTTYgen).
   • Copy the public key to the authorized_keys file on each target device.
   • Configure Nessus to use the private key for authentication.
5. Consider a Jump Host/Bastion Server: The most reliable solution is often to use a Linux-based jump host.
   • Install Nessus on a Linux server with good SSH support.
   • Configure the jump host to connect to target devices via SSH.
   • Nessus can then scan through the jump host, bypassing Windows’ limitations.
6. Alternative Scanning Methods: If SSH access is limited or unreliable, explore other Nessus plugins and scanning techniques.
   • Port Scan: Use TCP port scans to identify open ports on target devices.
   • Credentialed Scans (SMB/WMI): For Windows targets, use SMB or WMI credentials for more thorough scans.
   • Agent-Based Scanning: Deploy Nessus agents directly onto target devices if possible.
7. Troubleshooting SSH Connectivity: Verify basic SSH connectivity from the Windows machine to the target devices.

   ssh user@target_ip

   If this command fails, investigate network connectivity, firewall rules, and SSH server configuration on the target device.