Nessus 3.2 BETA -- Example 'nessuscmd' usage
The BETA of Nessus 3.2 includes support for a new command line method to invoke quick Nessus scans. This blog entry details some interesting examples for port scanning, operating system identification, testing of a certain bug and testing Windows and UNIX credentials using the nessuscmd tool.
'nessuscmd' Usage
Simply running the command (located in your ~/bin Nessus install directory) will show you the usage. New features and settings may be added before this product is officially out of BETA.
Command line options exist for:
- Port Scan options
- Selecting Vulnerabilities
- Providing UNIX and Windows Credentials
- Scan settings (such as 'max-hosts' or using a remote Nessus daemon)
Port Scans and Operating System Identification
Here is an example port scan with operating system identification invocation:
atragon# ./nessuscmd -sS -v -O -p 1-1024 192.168.20.24
Starting nessuscmd 3.1.4
Scanning '192.168.20.24'...
Host 192.168.20.24 is up
Discovered open port netbios-ssn (139/tcp) on 192.168.20.24
Discovered open port microsoft-ds (445/tcp) on 192.168.20.24
[i] Plugin 11936 reported a result on port general/tcp of 192.168.20.24
+ Results found on 192.168.20.24 :
- Host information :
[i] Plugin ID 11936
| The remote host is running Microsoft Windows XP
- Port netbios-ssn (139/tcp) is open
- Port microsoft-ds (445/tcp) is open
Running the nessuscmd utility with a few targeted ports is a great way to quickly obtain very accurate OS ID scans from the command line.
Testing For VNC
Using the Nessus.org plugins search tool, I found 5 plugins that enumerate or identify VNC and test for vulnerabilities associated with it. These were plugins 10342, 10758, 19288, 19289 and 21564. Running the nessuscmd tool can show specific results for these vulnerabilities as shown below:
atragon# ./nessuscmd 192.168.20.0/24 -i 10342,10758,19288,19289,21564
Starting nessuscmd 3.1.4
Scanning '192.168.20.0/24'...
+ Results found on 192.168.20.9 :
- Port vnc (5900/tcp)
[i] Plugin ID 19288
| The remote VNC server supports those security types:
| + 2 (VNC authentication)
|
+ Host 192.168.20.11 is up
+ Results found on 192.168.20.16 :
- Port vnc (5900/tcp)
[i] Plugin ID 19288
| The remote VNC server supports those security types:
| + 2 (VNC authentication)
|
+ Host 192.168.20.24 is up
+ Host 192.168.20.28 is up
+ Host 192.168.20.29 is up
+ Host 192.168.20.199 is up
+ Host 192.168.20.201 is up
+ Host 192.168.20.203 is up
+ Host 192.168.20.205 is up
Notice that this scan was performed against the class-C subnet of 192.168.20.0/24. Also notice that the results of these scans were 'informational' as indicated as such by the [i] next to the particular plugin ID output.
Testing for UNIX and Windows Credentials
The nessuscmd tool can also invoke plugins and pass them credentials to log into remote UNIX systems. The --ssh-login and --ssh-password arguments can be used to specify remote access. Here is an example of such a scan which enumerates installed software:
#atragon ./nessuscmd -v 192.168.20.11 -i 22869 --ssh-login root --ssh-password password
(long list of enumerated software deleted)
| fonts-xorg-100dpi-6.8.1-1|(none)
| libgnomeprint22-2.8.0-3|(none)
| eel2-2.8.1-2|(none)
| linuxwacom-0.6.4-6|0
| gtk+-1.2.10-33|1
| imlib-1.9.13-23|1
| libpng10-1.0.16-1|(none)
| pyparted-1.6.8-2|(none)
| gtk-engines-0.12-5|1
| gnome-kerberos-0.3.3-1|(none)
| xscreensaver-4.18-5.rhel4.2|1
| gnome-media-2.8.0-3|(none)
| gnome-terminal-2.7.3-1|(none)
| gnopernicus-0.9.12-1|(none)
| vino-2.8.1-1|(none)
| eog-2.8.1-2|(none)
| gnome-volume-manager-1.1.0-5|(none)
| desktop-printing-0.17-3.EL.1|(none)
Similarly, Windows systems can also be tested with the --smb-login and --smb-password arguments. We will use plugin #17651 which obtains the password policy.
atragon# ./nessuscmd -v 192.168.20.16 -i 17651 --smb-login Administrator --smb-password password
Starting nessuscmd 3.1.4
Scanning '192.168.20.16'...
Host 192.168.20.16 is up
[i] Plugin 17651 reported a result on port microsoft-ds (445/tcp) of 192.168.20.16
+ Results found on 192.168.20.16 :
- Port microsoft-ds (445/tcp)
[i] Plugin ID 17651
| The following password policy is defined on the remote host:
|
|
| Minimum password len: 0
| Password history len: 0
| Maximum password age (d): 42
| Password must meet complexity requirements: Enabled
| Minimum password age (d): 0
| Forced logoff time (s): Not set
| Locked account time (s): 1800
| Time between failed logon (s): 1800
| Number of invalid logon before locked out (s): 0
For More Information
Please send any feedback for the Nessus 3.2 BETA to Tenable's Director of Research, Renaud Deraison. Previously, we've blogged about Nessus 3.2's ability to perform IPv6 scanning as well as make use of pre-compiled NASL libraries, in particular to leverage Nessus's ability to query Windows WMI information.
The Nessus 3.2 BETA is currently available as Nessus 3.1.4 and is available for download at nessus.org under the downloads section.
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
- Nessus