Creating automated Linux scans with Nessus 4.2 professional feed

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Tue Aug 03, 2010 9:47 am

Hello everybody!

I have created a short tutorial on how to run automated scans using the latest version of Nessus, and I thought that the best place to put it would be the favorite site of the white hats.

The reason for this tutorial is that I didn't find another one on the web. Also, somebody from Tenable told one of our contractors that automated scans are not supported anymore in Nessus, and that we have to buy Tenable Security Center ($15.000+).

I first tried Nessus version 4.0.2. I succeeded with that one, so I gave the newest version a try.
For both of them I have used the professional feed. On the latest home feed version (4.2.2) port 1241 is not open, so maybe somebody else will have a fix for this.

1. First, you have to install Nessus.

2. For convenience I’ll create two folders:

    a. /opt/nessus-scripts  -  to store the scripts and the host files
    b. /opt/nessus-reports  -  to store the scan reports (named after the scan date)

3. You'll have to create a scan policy.

Because the firewall doesn’t allow me to connect to port 8834 on my Nessus server, I created the policy using a Nessus 4.2 home feed version installed on a Windows 7 desktop.

Within the general tab of the policy configuration, be sure to set the visibility to “Private”. If the “Shared” visibility is used, the policy will be saved in the XML format, preventing it from being exported in the .nessus format.

As an example I created a policy named test, with the visibility set to Private. If the user used to create the policy is not a Nessus administrator, Private is the only option you have.

After you have created the policy, do a scan against any target using this policy. You don’t have to wait until the scan is finished; you can stop it at any time.

Now, in the reports directory (/opt/nessus/var/nessus/username/reports/ for Linux) a few files will have been created with the same name but different extensions. One of them has the extension .nessus.v1 and a name something like a3ff3caf-b04d-c45f-9182-a53f93c9dd47c157243dcb7e12b7. Save this file using a friendly name with the .nessus extension.

Ex:    example.nessus

Upload this file to the Nessus server. You can verify the name of the policy with the following command:

    /opt/nessus/bin/nessus --dot-nessus example.nessus --list-policies

The results will be something like this:

      List of policies contained in example.nessus:
      - 'test
'

4. In the /opt/nessus-scripts folder I created two files: one is targets.txt (contains the hosts to scan) and the second one is the actual script used to scan, e.g. scan_script.sh

The content of the script we are using to scan the targets is:

    #!/bin/sh
    NESSUS=/opt/nessus/bin/nessus
    # Timestamp used as the report name (hour, minute, month, day)
    DATE=$(date '+%H%M%m%d')
    #
    #echo "Report will appear as $DATE.html"
    #
    # Generate an html report with the parameters passed in the command line
    # (replace <host>, <user> and <password> with your own values before running)
    $NESSUS --dot-nessus /opt/nessus-scripts/example.nessus --policy-name 'test' <host> 1241 <user> <password> --target-file /opt/nessus-scripts/targets.txt /opt/nessus-reports/$DATE.html


This script can be automated using crontab. Also, you can use different extensions for the scan (nbe, nessus or text).

You can import the .nbe into ArcSight. If you don’t have ArcSight or Tenable Security Center, you can use Seccubus (http://seccubus.com/) in order to automate the scans, and to do delta reporting.

Because I didn’t invent the wheel, references:

1. Nessus 4.2 User guide and Install guide
2. Nessus scheduling and MySQL article http://www.securitygroove.com/index.php/tutorials/83-scheduling-nessus-scans-and-storing-the-results-in-mysql
3. This article on the blog self http://blog.upbeat.fr/post/407107943/automating-scans-on-nessus-4-2
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
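
A hardened variant of the cron-driven scan script from the post above, added here as an example (it is not alucian's script). It uses only the Nessus flags shown in the post; the credentials file path, its one-line "host port user password" format, the lock directory and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed: $CREDS path and its
# one-line "host port user password" format.
NESSUS=${NESSUS:-/opt/nessus/bin/nessus}
SCRIPTS=${SCRIPTS:-/opt/nessus-scripts}
REPORTS=${REPORTS:-/opt/nessus-reports}
CREDS=${CREDS:-$SCRIPTS/nessus.creds}

# Succeed only if the credentials file is a regular file (not a symlink)
# with no group/other permission bits, e.g. mode 0600.
creds_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ln "$1" | cut -c5-10)" = "------" ]
}

# Print the number of non-blank lines in the targets file (0 if unreadable).
count_targets() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '[^[:space:]]' "$1" || true
}

# Report name with the year included, so next year's run cannot overwrite it.
report_path() {
    echo "$REPORTS/$(date '+%Y%m%d-%H%M').html"
}

run_scan() {
    lock="$REPORTS/.scan.lock"
    creds_private "$CREDS" || { echo "refusing: $CREDS is not owner-only" >&2; return 2; }
    [ "$(count_targets "$SCRIPTS/targets.txt")" -gt 0 ] || { echo "no targets" >&2; return 3; }
    # mkdir is atomic: a second cron run started during a scan stops here.
    mkdir "$lock" 2>/dev/null || { echo "scan already running" >&2; return 4; }
    read -r host port user pass < "$CREDS"
    umask 077    # reports list vulnerabilities; create them owner-only
    rc=0
    # Same flags as the post. The password is still a CLI argument, so it is
    # visible in the process list while the scan runs.
    "$NESSUS" --dot-nessus "$SCRIPTS/example.nessus" --policy-name 'test' \
        "$host" "$port" "$user" "$pass" \
        --target-file "$SCRIPTS/targets.txt" "$(report_path)" || rc=$?
    rmdir "$lock"
    return "$rc"
}

# Cron entry (assumed schedule): 0 2 * * 0 /opt/nessus-scripts/scan_script.sh --run
if [ "${1:-}" = "--run" ]; then run_scan; fi
```

Keeping the credentials in a separate owner-only file means the script and the crontab can be read or version-controlled without exposing the scanner account.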

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Aug 03, 2010 11:00 am

Great job, alucian!  Looking forward to trying out your method, and seeing how it works.

Always nice when we give each other handy tools and scripts, and this is another great example.

Cheers!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Aug 03, 2010 11:28 am

Just out of sheer curiousness, why didn't you just go with OpenVAS (http://www.openvas.org/) "A new open-source project called OpenVAS has emerged to take the place of Nessus, the popular vulnerability assessment system that closed its source a few years ago." http://www.zdnet.com/blog/security/open ... essus/1715

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Aug 03, 2010 10:05 pm

Sil, I played with OpenVAS a while back and it wasn't very good.  It missed too much, when compared with Nessus.  Has it improved recently? 
~~~~~~~~~~~~~~
Ketchup

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Wed Aug 04, 2010 11:57 am

sil wrote:
Just out of sheer curiousness, why didn't you just go with OpenVAS (http://www.openvas.org/) "A new open-source project called OpenVAS has emerged to take the place of Nessus, the popular vulnerability assessment system that closed its source a few years ago." http://www.zdnet.com/blog/security/open ... essus/1715

First of all, I am new to my company, so I am using what they have.
Second, according to different sources Nessus is still the best commercial VA scanner. I am using OpenVAS by doing separate scans on the external network.
Also, it is very difficult to get the old IT people to accept open source software. At least in my company, everything has to be "supported". I asked them to give me another desktop with free access to the external network. I want to put Backtrack on it and, using different tools, scan the external network. Also, I want to use it to test other software and to improve myself. Well, this is a problem, because the company is using Red Hat. Nobody is doing support for Ubuntu-like systems. I told them that I don't need support, and they replied...  "well, in case that you'll need support, who you'll gonna call"  :)
So, I am still going with Nessus, but I would like to try Nexpose also, especially because it integrates very easily with Metasploit Express. Like this, maybe I'll be allowed to try to identify diverse false positives.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
