Nessus 3.2 BETA -- Example 'nessuscmd' usage

The BETA of Nessus 3.2 includes support for a new command line method to invoke quick Nessus scans. This blog entry details some interesting examples for port scanning, operating system identification, testing of a certain bug and testing Windows and UNIX credentials using the nessuscmd tool.

'nessuscmd' Usage

Simply running the command (located in your ~/bin Nessus install directory) will show you the usage. New features and settings may be added before this product is officially out of BETA.

Command line options exist for:

• Port Scan options
• Selecting Vulnerabilities
• Providing UNIX and Windows Credentials
• Scan settings (such as 'max-hosts' or using a remote Nessus daemon)

Port Scans and Operating System Identification

Here is an example port scan with operating system identification invocation:

atragon# ./nessuscmd -sS -v -O -p 1-1024 192.168.20.24
Starting nessuscmd 3.1.4
Scanning '192.168.20.24'...

Host 192.168.20.24 is up
Discovered open port netbios-ssn (139/tcp) on 192.168.20.24
Discovered open port microsoft-ds (445/tcp) on 192.168.20.24
[i] Plugin 11936 reported a result on port general/tcp of 192.168.20.24
+ Results found on 192.168.20.24 :
   - Host information :
     [i] Plugin ID 11936
      | The remote host is running Microsoft Windows XP

   - Port netbios-ssn (139/tcp) is open
   - Port microsoft-ds (445/tcp) is open

Running the nessuscmd utility with a few targeted ports is a great way to quickly obtain very accurate OS ID scans from the command line.

Testing For VNC

Using the Nessus.org plugins search tool, I found 5 plugins that enumerate or identify VNC and test for vulnerabilities associated with it. These were plugins 10342, 10758, 19288, 19289 and 21564. Running the nessuscmd tool can show specific results for these vulnerabilities as shown below: 

atragon# ./nessuscmd  192.168.20.0/24 -i 10342,10758,19288,19289,21564
Starting nessuscmd 3.1.4
Scanning '192.168.20.0/24'...

+ Results found on 192.168.20.9 :
   - Port vnc (5900/tcp)
     [i] Plugin ID 19288
      | The remote VNC server supports those security types:
      | + 2 (VNC authentication)
      |
+ Host 192.168.20.11 is up
+ Results found on 192.168.20.16 :
   - Port vnc (5900/tcp)
     [i] Plugin ID 19288
      | The remote VNC server supports those security types:
      | + 2 (VNC authentication)
      |
+ Host 192.168.20.24 is up
+ Host 192.168.20.28 is up
+ Host 192.168.20.29 is up
+ Host 192.168.20.199 is up
+ Host 192.168.20.201 is up
+ Host 192.168.20.203 is up
+ Host 192.168.20.205 is up

Notice that this scan was performed against the class-C subnet of 192.168.20.0/24. Also notice that the results of these scans were 'informational' as indicated as such by the [i] next to the particular plugin ID output.

Testing for UNIX and Windows Credentials

The nessuscmd tool can also invoke plugins and pass them credentials to log into remote UNIX systems. The --ssh-login and --ssh-password arguments can be used to specify remote access. Here is an example of such a scan which enumerates installed software:

#atragon ./nessuscmd -v 192.168.20.11 -i 22869 --ssh-login root --ssh-password password

(long list of enumerated software deleted)

      | fonts-xorg-100dpi-6.8.1-1|(none)
      | libgnomeprint22-2.8.0-3|(none)
      | eel2-2.8.1-2|(none)
      | linuxwacom-0.6.4-6|0
      | gtk+-1.2.10-33|1
      | imlib-1.9.13-23|1
      | libpng10-1.0.16-1|(none)
      | pyparted-1.6.8-2|(none)
      | gtk-engines-0.12-5|1
      | gnome-kerberos-0.3.3-1|(none)
      | xscreensaver-4.18-5.rhel4.2|1
      | gnome-media-2.8.0-3|(none)
      | gnome-terminal-2.7.3-1|(none)
      | gnopernicus-0.9.12-1|(none)
      | vino-2.8.1-1|(none)
      | eog-2.8.1-2|(none)
      | gnome-volume-manager-1.1.0-5|(none)
      | desktop-printing-0.17-3.EL.1|(none)

Similarly, Windows systems can also be tested with the --smb-login and --smb-password arguments. We will use plugin #17651 which obtains the password policy.

atragon# ./nessuscmd -v 192.168.20.16 -i 17651 --smb-login Administrator --smb-password password
Starting nessuscmd 3.1.4
Scanning '192.168.20.16'...

Host 192.168.20.16 is up
[i] Plugin 17651 reported a result on port microsoft-ds (445/tcp) of 192.168.20.16
+ Results found on 192.168.20.16 :
   - Port microsoft-ds (445/tcp)
     [i] Plugin ID 17651
      | The following password policy is defined on the remote host:
      |
      |
      | Minimum password len: 0
      | Password history len: 0
      | Maximum password age (d): 42
      | Password must meet complexity requirements: Enabled
      | Minimum password age (d): 0
      | Forced logoff time (s): Not set
      | Locked account time (s): 1800
      | Time between failed logon (s): 1800
      | Number of invalid logon before locked out (s): 0

For More Information

Please send any feedback for the Nessus 3.2 BETA to Tenable's Director of Research, Renaud Deraison. Previously, we've blogged about Nessus 3.2's ability to perform IPv6 scanning as well as make use of pre-compiled NASL libraries, in particular to leverage Nessus's ability to query Windows WMI information.

The Nessus 3.2 BETA is currently available as Nessus 3.1.4 and is available for download at nessus.org under the downloads section.