Using Nmap Results With Nessus Batch Scanning
A Nessus user recently asked us the following question:
"I would like to have Nessus read Nmap scan results from the command line. I already have Nmap portscanning and operating system fingerprinting, can I import the Nmap findings using Nessus in batch mode?"
As of Nessus v6 the command line utilities for running Nessus scans are no longer included. Customers are encouraged to use the Nessus API to implement command line base scanning, and a host of other features include uploading and downloading reports. Customers can find examples in the Tenable Discussion Forum, and in particular the post "Nessus v6 API Demo Scripts" and documentation.
Tenable has supported Nmap usage within Nessus for several years. Nmap and Nessus have different types of scanning philosophies and understanding how they work can help you achieve success with your network scanning efforts. The Nessus server includes its own portscanning, service fingerprinting and operating system identification techniques that are similar but independent from Nmap’s. However, you may run into a situation where Nmap was run first and you already have the output from this tool and want to apply the results to your vulnerability scan. I set out to do this in my lab and realized this would be a good opportunity to highlight some of the features in Nessus. Below is a step-by-step guide on configuring Nessus to run batch mode scans based on Nmap results:
Step 1 - Run Nmap and output “grepable” results:
|# nmap -O -sV -T4 -oG nmapscanresults 192.168.1.0/24|
The Nmap command above will scan the target network (192.168.1.0/24), identify the remote operating system (-O), detect the services running on the ports discovered (-sV), and output Nmap grepable results (-oG) into the file called "nmapscanresults" using aggressive scan speeds (-T4).
Step 2 - Now we can use NessusClient to configure a Nessus scan that will use the Nmap results. You could create the Nessus configuration without using the NessusClient by creating a ~/.nessusrc file containing the scan policy information. However, its easier to perform the initial configuration and vulnerability scan using the NessusClient, then make subsequent changes in the ~/.nessusrc file. Refer to "When, how and why (not) to use Nmap within Nessus" for instructions on how to setup and configure nmap.nasl and make sure you are using the latest version of nmap.nasl. When you configure the policy, do not check the “share policy across multiple sessions” box. If you do, the scan policy will not be embedded into the .nessus file.
Step 3 - Only enable the Nmap Importer NASL wrapper in your scan policy configuration:
Since the Nmap output file contains all of the portscan results for our targets we do not need to enable any additional portscanners.
Step 4 - Go to the Advanced tab and select "Nmap Importer (Nasl wrapper)" from the pull-down menu. This option allows you to choose the Nmap grepable results file to use for the scan:
|If you are configuring the scan using NessusClient on a system other than the Nessus server you will be running the batch-mode scan from, then you will need to make some adjustments. The location of the Nmap grepable results is stored in the .nessus file. When the .nessus file is copied to the server to perform the scan, make sure that the Nmap grepable results file is in the same location on the server as it was on the client. This post makes the assumption that the NessusClient and server are the same host. You can change this value in the ~/.nessusrc configuration file by editing the line "Nmap Importer (NASL wrapper)[file]:File containing grepable results".|
Step 5 - Execute your scan against the targets of your choosing (these too will be stored in the .nessus file) and save the results by choosing "File-Save As.." from the menu. This will save both the scan results and scan policy into the same .nessus file. In this example we called the file "ExampleNmap.nessus" and transfer it to the Nessus server.
Step 6 - Read our scan policy and results with the Nessus client. A Mac OS X system was used in this example. If you are using a Linux system, note that the path to Nessus will be /opt/nessus/bin/nessus:
|$ /Library/Nessus/run/bin/nessus --dot-nessus ExampleNmap.nessus --list-policies|
List of policies contained in ExampleNmap.nessus:
Step 7 - Execute your scan in batch mode using the following command:
|$ /Library/Nessus/run/bin/nessus --dot-nessus ExampleNmap.nessus --policy-name ExampleNmap -q localhost 1241 user mypassword|
The above command will connect the command-line Nessus client to the local nessus server. A scan will be executed using the policy name "ExampleNmap" which exists in the "ExampleNmap.nessus" file. The results will be stored in the .nessus file.
Step 8 - When the scan has completed you can export and review the results using the following commands:
|$ /Library/Nessus/run/bin/nessus --dot-nessus ExampleNmap.nessus --list-reports|
List of reports contained in ExampleNmap.nessus:
- '09/04/23 03:41:33 PM - ExampleNmap'
- 'Thu Apr 23 16:08:56 2009 - ExampleNmap'
The above command shows two reports inside the .nessus file, listed by the time and date they were completed. Use the following command to export the most recent results to HTML:
|$ /Library/Nessus/run/bin/nessus --dot-nessus ExampleNmap.nessus -i "Thu Apr 23 16:08:56 2009 - ExampleNmap" -o ExampleNmap.html|
If you have previously scanned your network with Nmap and saved the results in grepable Nmap output, you can save the step of having Nessus rescan your network by importing the results into Nessus and incorporating them into your scan. The Nessus command line client ("nessus") can import results and scan polices from a .nessus file. Large organizations who have dedicated port scanning monitoring efforts should also consider deploying the Passive Vulnerability Scanner with the Security Center. This allows continuous monitoring of the network for change in real time and automatically combines passively discovered information with results from Nessus active and credentialed network scans.