With the release of Nessus 4.2, the nessus command-line client has been deprecated. Even though it is still distributed with the new release, no new functionality has been added to it. Moreover, it can only generate Nessus v1 format reports, not the new Nessus v2 reports, which are far easier to parse and better organized.
Automating scans with Nessus 4.2 can be performed by leveraging the new XMLRPC interface. All you need is something to generate HTTP POST requests with the right parameters and something to parse the XML responses you get back.
As of this writing, official Nessus documentation for this is not yet available. However, a few mail exchanges with Renaud Deraison, Chief Research Officer at Tenable Security Inc., got me started, and he provided very useful tips that I’d like to share with you in case you need to automate scans as I do.
To issue requests, you need to submit a login token (which you can think of as a cookie) to the Nessus scanner to prove your identity. So the first thing you need to do is log in to the scanner and retrieve a login token.
But first let me define a base URL that I am going to use throughout this post: https://my.nessus.scanner:8834. Replace my.nessus.scanner with the FQDN of your Nessus scanner, its IP address or even localhost if you are interacting with it on the same box that it is installed on.
Nessus uses a self-signed certificate, so you need to make provisions for this in your programs/scripts (the wget examples below do so with --no-check-certificate, which skips certificate verification altogether). Also, please note that we are using the same TCP port that you’d use with a traditional browser.
Login to the scanner
- URL: https://my.nessus.scanner:8834/login
- POST parameters: login (Nessus username), password
- Example:
wget --no-check-certificate --post-data 'login=username&password=password' https://my.nessus.scanner:8834/login -O -
When you issue a login request, Nessus will reply with a login token. You can think of this token as a cookie. This is all you need to authenticate to Nessus from now on. A login token looks like: 81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a
Launch a new scan
- URL: https://my.nessus.scanner:8834/scan/new/
- POST parameters: token, policy_id, target, scan_name
- Example:
wget --no-check-certificate --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a&policy_id=1&target=10.1.2.3,192.168.5.4,172.16.0.0/16,www.host.com,192.168.10.11-192.168.10.45&scan_name=this_is_my_first_test_scan' https://my.nessus.scanner:8834/scan/new/ -O -
The policy_id parameter is the scan policy identifier. Obviously, you will need to use your browser to create a scan policy first so that you can have this ID. The scan_name is a human-friendly name for your scan, the same name you would give when launching a scan using the Web UI. Please note that Nessus uses a unique scan identifier (uuid) that looks like this: 60c6eaa3-5063-0a70-bf33-c00b71d4cfaf97af24f344d0bfa1
To download or delete a scan report, you will need this uuid.
List current scans/reports
- URL: https://my.nessus.scanner:8834/report/list
- POST parameters: token
- Example:
wget --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a' --no-check-certificate https://my.nessus.scanner:8834/report/list -O -
If a scan is completed (i.e. a scan report is ready), its status subnode in the XML response you receive back (each scan/report has a corresponding report node) is shown as completed.
Download a report
- URL: https://my.nessus.scanner:8834/file/report/download
- POST parameters: token, report
- Example:
wget --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a&report=60c6eaa3-5063-0a70-bf33-c00b71d4cfaf97af24f344d0bfa1' --no-check-certificate https://my.nessus.scanner:8834/file/report/download -O -
The report parameter is the report UUID.
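The list-then-download steps above as a polling loop, in an added Python example that is not from the original post. It verifies the scanner's self-signed certificate against an exported copy (the certificate file path is a hypothetical input, and the certificate name is assumed to match the host) instead of disabling the check as the wget examples do. Only the report node and its status subnode come from the post; the name element and the rest of the reply layout are assumptions.

```python
import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

BASE = "https://my.nessus.scanner:8834"  # base URL used throughout the post

# Constructed sample of a /report/list reply. Only the report node and its
# status subnode come from the post; every other element name is assumed.
SAMPLE_LIST = """<reply><status>OK</status><contents><reports>
<report><name>11111111-aaaa</name><status>running</status></report>
<report><name>22222222-bbbb</name><status>completed</status></report>
</reports></contents></reply>"""

def pinned_context(cert_pem_path):
    """Trust only the scanner's exported self-signed certificate."""
    return ssl.create_default_context(cafile=cert_pem_path)

def form_body(**params):
    """URL-encode POST parameters (a password may contain & or =)."""
    return urllib.parse.urlencode(params).encode("ascii")

def post(path, ctx, **params):
    """Send one POST request to the scanner and return the reply body."""
    req = urllib.request.Request(BASE + path, data=form_body(**params))
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()

def report_states(xml_text):
    """Map each report's identifier (assumed <name>) to its <status> text."""
    root = ET.fromstring(xml_text)
    return {r.findtext("name"): r.findtext("status") for r in root.iter("report")}

def wait_and_download(token, uuid, ctx, interval=30, attempts=120):
    """Poll /report/list until the scan is completed, then fetch the report."""
    for _ in range(attempts):
        states = report_states(post("/report/list", ctx, token=token))
        if states.get(uuid) == "completed":
            return post("/file/report/download", ctx, token=token, report=uuid)
        time.sleep(interval)
    raise TimeoutError("scan %s not completed in time" % uuid)
```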
Delete a report
- URL: https://my.nessus.scanner:8834/report/delete
- POST parameters: token, report
- Example:
wget --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a&report=60c6eaa3-5063-0a70-bf33-c00b71d
This should be enough to get you started. In upcoming posts, I will give more detailed examples and some code snippets that might prove useful.
Big thanks to Renaud for providing some precious help!
EDITED TO ADD (2010.03.31): Apparently, you need to use a non-administrator account to be able to interact with Nessus 4.2 the way I describe it, as Chris Counselman pointed out in the comments below. Thanks Chris!