Nessus Bridge for Metasploit :: Scan Commands

Welcome to part 4 of my Nessus Bridge for Metasploit coverage.  If you are just joining us, here are part 1, part 2 and part 3.

The Scan Commands are where this plugin really starts to differ from the old approach of importing Nessus scans from flat files.  With these commands we can stay inside the Metasploit framework and drive Nessus from there, then use the Report Commands we just learnt about to pull the results back into our workspace to pwn stuff later.

Scan Commands are as follows:

  • nessus_scan_new
  • nessus_scan_status
  • nessus_scan_pause
  • nessus_scan_pause_all
  • nessus_scan_stop
  • nessus_scan_stop_all
  • nessus_scan_resume
  • nessus_scan_resume_all

Lots of those look similar, and in fact they are.  The only difference is that the plain command acts on a single scan ID, while the _all variant acts on every scan in the list.

It is important to note that these work on scans, not reports.  The difference?  A scan becomes a report once it completes. (Yeah, I know running scans show up in the output of nessus_report_list – I set myself a task in github to fix that.)

Ok, let's start with the boring ones first.

nessus_scan_status

This command shows you the status of all currently running scans.  If you have no running scans, well, it won't show you any (see, very accurate).  The XML that comes back from the underlying Nessus call also includes policies and templates.  Future functionality will display those, but for now it just lists running scans and some info about them (such as progress when the scan covers multiple hosts).

(nessus_scan_pause || nessus_scan_stop || nessus_scan_resume) <scan id>

They do exactly what they sound like they might do.  They pause, stop and resume running scans (not reports).  You need to supply the scan ID (from nessus_scan_status) and the command will return confirmation that Nessus has done the task.

You can also use all three commands with _all on the end and no scan ID.  This will iterate through all scans available and perform the specified action on each of them.  Pretty simple.
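As an added example (not the plugin's own code), here is the shape of what nessus_scan_status and the _all commands have to do once a reply comes back from Nessus: parse the scan list out of the XML, work out per-host progress, and pick the scans an action actually applies to before firing off one request each. The XML layout, the element names and the /scan/pause style paths are assumptions modelled on the Nessus 4.x XML-RPC interface, and the reply itself is constructed for this example rather than captured from a server.

```ruby
require 'rexml/document'

# Constructed sample reply for this example. Its layout (reply/contents/scans/
# scanList/scan plus policies and templates) is an assumption modelled on the
# Nessus 4.x XML-RPC scan list, not copied from the plugin or a real server.
SAMPLE_SCAN_LIST = <<~XML
  <reply>
    <seq>1</seq>
    <status>OK</status>
    <contents>
      <scans>
        <scanList>
          <scan>
            <uuid>1a2b3c4d-0000-4000-8000-000000000001</uuid>
            <readableName>internal sweep</readableName>
            <owner>msf</owner>
            <status>running</status>
            <completion_current>37</completion_current>
            <completion_total>254</completion_total>
          </scan>
          <scan>
            <uuid>1a2b3c4d-0000-4000-8000-000000000002</uuid>
            <readableName>dmz web</readableName>
            <owner>msf</owner>
            <status>paused</status>
            <completion_current>1</completion_current>
            <completion_total>1</completion_total>
          </scan>
        </scanList>
      </scans>
      <policies><policy><policyID>4</policyID><policyName>internal</policyName></policy></policies>
      <templates/>
    </contents>
  </reply>
XML

Scan = Struct.new(:uuid, :name, :owner, :status, :current, :total) do
  # Percentage of hosts finished, or nil for a single-host scan where the
  # count is always 1 of 1 and tells you nothing.
  def progress
    return nil if total <= 1
    (100.0 * current / total).round
  end

  # One line in the style of the status table: uuid, name, state, progress.
  def to_row
    [uuid, name, status, progress ? "#{progress}%" : '-'].join('  ')
  end
end

# Pull the scans out of a scan list reply. Fail loudly on a non-OK status
# instead of returning an empty list that looks like "no scans running".
def parse_scan_list(xml)
  doc = REXML::Document.new(xml)
  status = doc.elements['reply/status']&.text
  raise "Nessus replied with status #{status.inspect}" unless status == 'OK'
  doc.elements.to_a('reply/contents/scans/scanList/scan').map do |s|
    Scan.new(s.elements['uuid'].text,
             s.elements['readableName'].text,
             s.elements['owner'].text,
             s.elements['status'].text,
             s.elements['completion_current'].text.to_i,
             s.elements['completion_total'].text.to_i)
  end
end

# Which scan states each action makes sense for: pausing a paused scan or
# resuming a running one is a no-op at best and an API error at worst.
APPLICABLE_STATES = {
  'pause'  => %w[running],
  'resume' => %w[paused],
  'stop'   => %w[running paused]
}.freeze

# What nessus_scan_<action>_all boils down to: one request per scan the action
# applies to. Returns the requests rather than sending them so this runs
# offline; the /scan/<action> path and scan_uuid parameter are assumptions.
def scan_action_all(scans, action)
  states = APPLICABLE_STATES.fetch(action) { raise ArgumentError, "unknown action #{action}" }
  scans.select { |s| states.include?(s.status) }
       .map { |s| { path: "/scan/#{action}", scan_uuid: s.uuid } }
end

if __FILE__ == $PROGRAM_NAME
  scans = parse_scan_list(SAMPLE_SCAN_LIST)
  scans.each { |s| puts s.to_row }
  scan_action_all(scans, 'pause').each { |r| puts "POST #{r[:path]} scan_uuid=#{r[:scan_uuid]}" }
end
```

Run as a script it prints the two scans (the first at 15%, the second with no progress figure because it is a single host) and then the one pause request that applies; the paused scan is skipped rather than re-paused.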

Ok, that leads us to the bread-and-butter nessus_scan_new command.

nessus_scan_new <policy id> <scan name> <targets>

No more do you have to drop to a command line or tab over to the web console to start a Nessus scan.  You simply need to provide the policy ID for the policy you'd like to scan with (get that from nessus_policy_list), name your scan (wrap it in quotes, "like this", if it has multiple words) and give it the hosts you'd like to scan.  Hosts can be a single address (192.168.1.1), a CIDR network (192.168.1.0/24) or a range (192.168.1.1-127).  Hit enter and it goes to work.
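An added example, not the plugin's code, of the sanity checks worth running on the three target forms before handing them to nessus_scan_new: it counts how many hosts each entry covers, rejects a range whose end comes before its start, and refuses to start a scan bigger than a configurable limit so a mistyped /8 does not quietly kick off a sixteen-million-host scan. The target/policy_id/scan_name parameter names are an assumption about the Nessus scan/new call, and the 1024-host default is an arbitrary safety limit; hostnames are deliberately left out to keep the check tight.

```ruby
require 'ipaddr'

IPV4 = /\d{1,3}(?:\.\d{1,3}){3}/

# Number of addresses one target entry covers, in the three forms the text
# lists: a single address, a CIDR block, or a dash range. The range may end
# in a full address (192.168.1.1-192.168.1.127) or just a last octet
# (192.168.1.1-127). Anything else, including hostnames, is rejected here.
def target_host_count(entry)
  if (m = entry.match(%r{\A(#{IPV4})/(\d{1,2})\z}))
    IPAddr.new(entry)              # raises IPAddr::Error on a bad address or prefix
    2**(32 - m[2].to_i)
  elsif (m = entry.match(/\A(#{IPV4})-(\S+)\z/))
    first = IPAddr.new(m[1])
    last  = IPAddr.new(m[2].include?('.') ? m[2] : m[1].sub(/\d+\z/, m[2]))
    raise ArgumentError, "range end before start: #{entry}" if last < first
    last.to_i - first.to_i + 1
  elsif entry.match?(/\A#{IPV4}\z/)
    IPAddr.new(entry)              # validates that every octet is 0..255
    1
  else
    raise ArgumentError, "unrecognised target #{entry.inspect}"
  end
end

# Turn the nessus_scan_new arguments into the parameters of a scan request,
# refusing anything that would scan more than max_hosts addresses. The
# target/policy_id/scan_name names are an assumption about the Nessus
# scan/new call; the 1024 default is an arbitrary safety limit.
def new_scan_params(policy_id, scan_name, targets, max_hosts: 1024)
  raise ArgumentError, 'policy id must be numeric' unless policy_id.to_s.match?(/\A\d+\z/)
  raise ArgumentError, 'scan name must not be empty' if scan_name.to_s.strip.empty?
  entries = targets.split(',').map(&:strip).reject(&:empty?)
  raise ArgumentError, 'no targets given' if entries.empty?
  total = entries.sum { |e| target_host_count(e) }
  if total > max_hosts
    raise ArgumentError, "#{total} hosts exceeds the limit of #{max_hosts}; split the scan or raise max_hosts"
  end
  { target: entries.join(','), policy_id: policy_id.to_s, scan_name: scan_name }
end

if __FILE__ == $PROGRAM_NAME
  # Same arguments as: nessus_scan_new 4 "internal sweep" 192.168.1.0/24,10.0.0.5,10.0.1.1-10
  p new_scan_params(4, 'internal sweep', '192.168.1.0/24, 10.0.0.5, 10.0.1.1-10')
end
```

The host count is only an upper bound on what Nessus will actually touch (the policy decides what gets probed), but it is the number that matters when you are about to point a scanner at someone's network from inside msfconsole.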

So with what we have discovered so far we can do the following:

  • Auth to our Nessus box.
  • Start a new scan.
  • Import the results of that scan into our Metasploit workspace.

Nice. So what else could there be?

Next up we will learn about the plugin commands for getting all kinds of useful information about the vulnerabilities we discover.

