Launching Nessus scans inside Metasploit

Network by Rosmarie Voegtli from Flickr

[UPDATE Feb 24th 2018: Tenable has disabled the API for executing remote scans since version 7, so keep in mind that if you use Nessus >7 this won’t work.]

Metasploit is my favorite tool when I do pen tests and security checks. I also use Nessus for vulnerability assessment, and integrating Nessus and Metasploit is a must.

What follows is a short guide on how to launch Nessus from Metasploit (for reference, I used Nessus 6.5 and Metasploit Pro, but the Community Edition should also be OK).


Please note that I found a bug in the integration (not blocking), and I’m investigating the cause.

1 – Create a user (and a policy) for Metasploit inside Nessus
In the Nessus GUI (available at https://your.ip.address.here:8834/), create a user for Metasploit (name it msfuser or whatever you want). Once logged in as msfuser, create a policy for your scan (Test policy).

Before proceeding, try your new policy from the Nessus GUI by launching a scan against your target. Do this to be sure you can also use it from Metasploit.

2 – Load Nessus plugin from Metasploit
Once logged in to Metasploit, load the Nessus plugin (here you can find the source code if you are interested). Running nessus_help gives you a list of the available commands.

msf-pro > load nessus
 [*] Nessus Bridge for Metasploit
 [*] Type nessus_help for a command listing
 [*] Successfully loaded plugin: Nessus
 msf-pro > nessus_help
 Command Help Text
 [...]
 msf-pro >

3 – Connect from Metasploit to Nessus
Connect to your Nessus server using the command:
> nessus_connect user:password@your.ip.address.here:nessus_port

msf-pro > nessus_connect msfuser:your_pwd_here@your.ip.address.here:8834
 [*] Connecting to https://your.ip.address.here:8834/ as msfuser
 [*] User msfuser authenticated successfully.
 msf-pro >

4 – Start the Scan from Metasploit
Now you can start your Nessus scan from Metasploit.
First, select the policy you want to use from the policy list (a policy has both a Policy ID and a UUID). We will use the one created before.

msf-pro > nessus_policy_list
 Policy ID Name Policy UUID
 --------- ---- -----------
 244 Test policy bbd4f805-3966-d464-b2d1-0079eb89d69708c3a05ec2812bcf
 msf-pro >

Please note that the Policy ID for “Test policy” is 244.
Then create a new scan directly from Metasploit (you need the UUID of Policy ID 244).

msf-pro > nessus_scan_new
 [*] Usage:
 [*] nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>
 [*] Use nessus_policy_list to list all available policies with their corresponding UUIDs
 msf-pro > nessus_scan_new bbd4f805-3966-d464-b2d1-0079eb89d69708c3a05ec2812bcf msf-test1 "Test scan" 192.168.0.1
 [*] Creating scan from policy number bbd4f805-3966-d464-b2d1-0079eb89d69708c3a05ec2812bcf, called msf-test1 - Test scan and scanning 192.168.0.1
 [*] New scan added
 [*] Use nessus_scan_launch 252 to launch the scan
 Scan ID Scanner ID Policy ID Targets Owner
 ------- ---------- --------- ------- -----
 252 1 251 192.168.0.1 msfuser           [BUG/PROBLEM]

Here I found the bug: as you can see, the Policy ID associated with the new Scan ID is wrong. It is set to 251 and should be 244.

So the workaround is to create a new scheduled scan with the Nessus GUI and launch it from Metasploit (or execute the scan directly from Nessus).

If you want to launch the scan from Metasploit, run the nessus_scan_list command, find the Scan ID and launch the scan.

msf-pro > nessus_scan_launch <SCAN_ID>
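
The Policy ID mismatch described in this step can be caught before a scan is launched by comparing the nessus_scan_new table with nessus_policy_list. The Ruby script below is an added example, not part of the Nessus plugin or of the original post; the function names are hypothetical, the sample text is copied from the transcripts above (without the [BUG/PROBLEM] annotation), and it assumes a single target per scan row.

```ruby
# Added example: check that a scan created with nessus_scan_new is bound to
# the policy whose UUID was requested. Sample text comes from this post.
POLICY_LIST = <<~OUT
  Policy ID Name Policy UUID
  --------- ---- -----------
  244 Test policy bbd4f805-3966-d464-b2d1-0079eb89d69708c3a05ec2812bcf
OUT

SCAN_NEW = <<~OUT
  [*] New scan added
  [*] Use nessus_scan_launch 252 to launch the scan
  Scan ID Scanner ID Policy ID Targets Owner
  ------- ---------- --------- ------- -----
  252 1 251 192.168.0.1 msfuser
OUT

# Data rows start with a numeric ID; headers, separators and [*] status
# lines are skipped.
def data_rows(text)
  text.lines.map(&:strip).select { |l| l.match?(/\A\d+\s/) }.map(&:split)
end

# Map policy UUID -> Policy ID. A policy name may contain spaces, so the
# first token is taken as the ID and the last token as the UUID.
def policies_by_uuid(text)
  data_rows(text).to_h { |cols| [cols.last, Integer(cols.first)] }
end

# Scan rows: Scan ID, Scanner ID, Policy ID, Targets, Owner
# (assumption: one target per row, so Targets is a single token).
def scans(text)
  data_rows(text).map do |scan_id, _scanner, policy_id, targets, owner|
    { scan_id: Integer(scan_id), policy_id: Integer(policy_id),
      targets: targets, owner: owner }
  end
end

# Returns a list of problems; an empty list means every scan row reports
# the Policy ID that belongs to the requested UUID.
def check_scan_policy(policy_text, scan_text, requested_uuid)
  expected = policies_by_uuid(policy_text)[requested_uuid]
  return ["policy UUID #{requested_uuid} not in nessus_policy_list"] if expected.nil?
  scans(scan_text).reject { |s| s[:policy_id] == expected }.map do |s|
    "scan #{s[:scan_id]} (#{s[:targets]}) reports Policy ID #{s[:policy_id]}, expected #{expected}"
  end
end
```

Paste the two console tables into the constants (or read them from a spooled console log) and call check_scan_policy with the UUID you passed to nessus_scan_new; any returned line means the scan should be checked in the Nessus GUI before launching it.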

5 – Import scan results into Metasploit
When the scan is complete (use nessus_scan_list to see the status), import the results into the Metasploit DB.

msf-pro > nessus_scan_list
 Scan ID Name Owner Started Status Folder
 ------- ---- ----- ------- ------ ------
 260 Test scan msfuser completed 284
 msf-pro > nessus_db_import 260
 [*] Exporting scan ID 260 is Nessus format...
 [+] The export file ID for scan ID 260 is 1992923565
 [*] Checking export status...
 [*] The status of scan ID 260 export is ready
 [*] Importing scan results to the database...
 [*] Importing data of  192.168.0.1
 [+] Done
 msf-pro > nessus_scan_details 260 hosts
 Host ID Hostname % of Critical Findings % of High Findings % of Medium Findings % of Low Findings
 ------- -------- ---------------------- ------------------ -------------------- -----------------
 2 192.168.0.1 0 0 0 0
 msf-pro > nessus_scan_details 260 vulnerabilities
 Plugin ID Plugin Name Plugin Family Count
 --------- ----------- ------------- -----
 11219 Nessus SYN scanner Port scanners 3
 msf-pro >

6 – Using Metasploit for next phases
Now all the data is imported into the Metasploit DB, and we can use the usual commands to find services and vulnerabilities and try to exploit them.

msf-pro > services
 [...]
 msf-pro > vulns
 [...]

Enjoy
@merlos
