Welcome to part 3 of my Nessus Bridge for Metasploit coverage. Here is part 1 and part 2 if you are just joining us.
Report commands are where we get to actually do things. They consist of commands to manage and import reports directly on your Nessus server. No more going to the web console, exporting a report, moving it to your msf box and running db_import_nessus to get it into your workspace and available to db_autopwn or to work with.
The implemented (so far) commands are:
- nessus_report_list
- nessus_report_get
- nessus_report_hosts
- nessus_report_host_ports
- nessus_report_host_detail
Ok, make sure you are loaded up and authed to your server and we will check these out.
nessus_report_list
The basic “show me what ya got” command for reports. It will list all the reports on your server that your current user has access to. You will see some big long string of characters; that is your report ID. It is a unique identifier for each report. Nessus allows you to give two reports the same name, so the ID is how we know which one is which. This view is generally how you will find the report ID for future commands.
nessus_report_get <report id>
This is the core command here. It grabs the report from your Nessus server and passes it over to be imported into your msf workspace/db. You need to have configured a db in msf (via db_connect) to use this command. It is the same as doing db_import_nessus except that this pulls directly from your remote server. Warning: don't try to pull a report with thousands of hosts, you will choke your box (need to change this to use a stream processor). After you import with nessus_report_get you should be able to do db_hosts, db_services or db_vulns and see your data. You can now proceed with db_autopwn as you would have before.
nessus_report_hosts <report id>
This will show you each host in your Nessus report and some information about each one. The information it will display is the “severity” of the host (as measured by Nessus) and the number of vulnerabilities in each “severity” category from 0 to 3, with 0 being “info” and 3 being “critical”. It also shows current vs total progress (number of plugins). If they are not the same it means some of the plugins didn’t complete correctly (I think).
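The stream-processing approach mentioned under nessus_report_get, applied to the per-host severity tally described here, as an added example that is not the plugin's own code. It assumes the report has been saved in the .nessus v2 XML export format (ReportHost and ReportItem elements with a severity attribute) and uses the 0 to 3 scale from this post; the class and method names are hypothetical.

```ruby
require 'rexml/document'
require 'rexml/streamlistener'

# SAX-style listener: one counter array per host; the XML tree is never built.
class SeverityTally
  include REXML::StreamListener
  attr_reader :hosts

  def initialize
    @hosts = {}     # host name => [count of sev 0, sev 1, sev 2, sev 3]
    @current = nil  # counters of the ReportHost currently being read
  end

  def tag_start(name, attrs)
    case name
    when 'ReportHost'
      @current = @hosts[attrs['name']] = [0, 0, 0, 0]
    when 'ReportItem'
      sev = Integer(attrs['severity'], exception: false)
      # Items outside a host, or with a severity off the 0..3 scale, are skipped.
      @current[sev] += 1 if @current && sev && (0..3).cover?(sev)
    end
  end

  def tag_end(name)
    @current = nil if name == 'ReportHost'
  end
end

# Accepts a String or an open IO such as File.open(path).
def tally_severities(source)
  listener = SeverityTally.new
  REXML::Document.parse_stream(source, listener)
  listener.hosts
end

# Constructed sample report, not output from a real scan.
SAMPLE_REPORT = <<~XML
  <NessusClientData_v2><Report name="constructed-example">
    <ReportHost name="192.0.2.10">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="1"/>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="2"/>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="3"/>
    </ReportHost>
    <ReportHost name="192.0.2.20">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="4"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="9" pluginID="5"/>
    </ReportHost>
  </Report></NessusClientData_v2>
XML
tally_severities(SAMPLE_REPORT).each { |host, counts| puts "#{host} #{counts.inspect}" }
```

Memory use grows with the number of hosts, not with the size of the report, because only the counters are kept.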
nessus_report_host_ports <host> <report id>
This will show you the ports found on that host and how many vulns of each type per port. Shows you the port number, the protocol and the severity (1-3). Also includes the service name and a breakout of how many vulns of each sev type per port. You will need the port number and protocol if you want details on each vuln for that port.
nessus_report_host_detail <hostname> <port> <protocol> <report id>
Here we see a breakdown of all the vulnerabilities discovered on that host, for that port. It shows us the port name (and number/service), the severity (as assigned by Nessus), the plugin ID, the plugin name, the CVSS2 score, whether there is an exploit available (doesn’t yet link to a msf exploit if it exists, adding that to my to-do list), the CVE and lastly the CVSS vector (just in case you are into that stuff). Quite a bit of information that should give you a good idea of what’s going on with that host.
Ok, that’s it for report commands, feel free to let me know if you think it needs to do something else or do something in a different manner.
On to “Scan Commands”, the ‘do work!’ part of the rundown.