Using Nmap Within Nessus

Nmap and Nessus

Nmap is a popular open-source port scanner that can be used within the Tenable Nessus® vulnerability scanner instead of Nessus' own TCP scanner to conduct port scans. However, the interaction of Nmap and Nessus may yield poor results and bad performance on large networks.

Since many people were unknowingly misusing Nmap and Nessus (resulting in a bad perception of the two products), we have decided to remove the plugin nmap.nasl from the Nessus distribution. If you want to use Nmap within Nessus, please read this page first.

This page explains the problems using Nmap with Nessus, why you may want to use Nmap or not, and if you do, the best method to use it.

How Nessus Uses Nmap

Nessus is optimized to work with "plugins," which are updated daily and distributed with Nessus or Nessus Home. Plugins are implemented in such a way that there is no memory utilization required to launch them (the NASL interpreter is optimized in such a way that launching a plugin only uses several kilobytes). The operating system is not involved when a plugin is created, which makes the process of execution fast and efficient.

However, since Nmap is an external application, Nessus calls it by launching a special plugin that actually executes the nmap binary, which is a costly operation. To make things worse, in the Nessus architecture each plugin is in charge of one host. This means that if you have configured Nessus to scan forty hosts at a time, then there will be forty instances of Nmap running in memory.

Nmap, just like Nessus, is optimized to scan several hosts at the same time. Therefore, executing it for only one host is inefficient and not adapted to the model used by its developer. Since Nmap uses between 6 and 20 megabytes of memory per host (depending on the scanning options), then all the Nmap processes will use between 240 and 800 megabytes of memory when Nessus is configured to scan 40 hosts in parallel. By contrast, Nessus or Nmap by themselves use much less memory (around 120 megabytes for forty hosts in parallel in the case of Nessus).

Spawning multiple processes from disk also negatively impacts operating system performance. Therefore, using Nmap from Nessus not only uses more memory, but the scan is slowed down considerably (often by a factor of three).

Which Port Scanner Should I Use?

Nessus comes with its own port scanner (Nessus TCP scanner, plugin ID#10335). This TCP scanner is optimized to work with Nessus by itself. The Nessus TCP scanner is self-tuning (it guesses the correct timing for each target), meaning that when used to scan a mixed environment of both firewalled and unfirewalled hosts, it is not necessary to configure any special option to get results in a decent amount of time.

If you are familiar with Nmap and want to use it for your scan, run it from the command-line first, and save the results in "grepable" output:

# nmap -n -sS -p1-65535 -oG nmap-results.txt 10.254.0.0/16

You can then import the results to Nessus directly (in the plugins preferences -> Nmap NASL Wrapper -> File containing Nmap results). This prevents Nessus from re-scanning your network. You will need the nmap.nasl plugin below.

If you are only scanning a small number of hosts (less than five at a time) you may use the nmap.nasl plugin below to directly call the Nmap binary. In this case, make sure that Nmap is in your $PATH before launching it.

The Nmap Plugin

There are two plugins that can use/import Nmap's results in Nessus:

  • nmap.nasl lets you call nmap directly, or import the output of nmap -oG (greppable output)
  • nmapxml.nasl lets you import Nmap's XML results (nmap -oX), including the output of nmap -sV and the output of the LUA scripts

You can install both plugins if you wish.

# cp nmap.nasl /opt/nessus/lib/nessus/plugins/

# cp nmapxml.nasl /opt/nessus/lib/nessus/plugins/

Restart nessusd:

# killall nessusd (or "service nessusd stop")

# /opt/nessus/sbin/nessus-service -D -t

Next time you connect to Nessus, look for the new port scanner (Nmap NASL Wrapper) displayed in your client. If it is not displayed, then it probably means that Nmap is not in your $PATH when you are starting nessusd.

Buy Nessus

Save up to $850 on product, training, and certification bundles.

Buy Now