Nessus & Nmap

In a recent conversation with Paul Asadoorian, he mentioned a Nessus plugin called nmapxml.  He was not sure how well it worked but suggested I try it out. The plugin allows you to import Nmap scan results for Nessus to use in the discovery phase of a scan.  The discovery phase of a Nessus scan occurs at the beginning when Nessus is trying to “discover” which hosts are alive as well as which services and operating systems are running on those hosts that will require vulnerability testing.  

But Nessus has a built-in port/service scanner you say, right?  Yes, you are absolutely correct, but since Nmap specializes in port scanning and service/OS fingerprinting, maybe it would do an even better job than its Nessus cousin!  Well, I am an unashamed Nmap fan girl for sure, so I was convinced that adding Nmap to the mix would dramatically improve the accuracy of our Nessus findings and hopefully reduce some false positives.  With that in mind, I decided to take this plugin for a test drive and this is what I found….

….Importing Nmap scanning results provides NO improvement in fingerprinting or service discovery.  You can actually stop reading here if you want.  But if you are curious about how this process went — read on.  And by all means, if you have experimented with this plugin and have had better results please drop me a note and tell me about it.  

The process went something like this:

Step 1: Grab the NASL file from http://static.tenable.com/documentation/nmapxml.nasl

Step 2: Place the NASL file in the plugins folder of your Nessus installation

$ cp nmapxml.nasl  /opt/nessus/lib/nessus/plugins/

Step 3: Stop the Nessus service

$ sudo /etc/init.d/nessusd stop  

Step 4: Install the new plugin

$ cd /opt/nessus/sbin

$ sudo ./nessusd -y      (to install the new plugin)

Step 5: Restart the Nessus service

$ sudo /etc/init.d/nessusd start

Step 6: Run an Nmap scan of your target network

$ nmap -A -oX nmap-output.xml -iL targets.txt

        -A enables OS detection, version detection, NSE script scanning and traceroute

        -oX writes the output file in XML format (the format the nmapxml plugin reads)

        -iL takes the list of targets to scan from the file targets.txt, one target per line, in the format:

        10.11.12.13

        10.11.12.14

        172.16.24.0/24

        192.168.100-125

Step 7: Configure Nessus to use your Nmap results in the Discovery phase:

Step 8:  Run your Nessus scan using the newly updated policy that includes the Nmap scan results.

That’s really all there is to it.  When I compared the results with and without the Nmap file, they were basically identical.  After three scan attempts and some tweaking of the Nmap scanning options, the only differences I found were very minor and probably due to other network congestion. The differences did not significantly impact the fingerprinting or service detection.  
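If you want to repeat this comparison yourself, the tedious part is lining up what Nmap reported (Step 6) against what Nessus reported with and without the import (Step 8). The script below is an added example, not part of the original post or the nmapxml plugin: it parses an Nmap XML file of the kind `-oX` writes into a per-host inventory of live hosts, open services and the best OS match, and diffs two such inventories so that port, service and OS differences between runs stand out. The embedded XML is a constructed sample in the shape Nmap produces, and the host addresses in it are the ones from targets.txt above.

```python
"""Summarise and diff Nmap XML (the format the nmapxml plugin imports).

Added example. SAMPLE_NMAP_XML is a constructed sample in the shape
`nmap -A -oX` writes, trimmed to the elements this script reads.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX nmap-output.xml -iL targets.txt">
  <host>
    <status state="up"/>
    <address addr="10.11.12.13" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/><osmatch name="Linux 4.X" accuracy="90"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.11.12.14" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class HostInventory:
    addr: str
    os_guess: Optional[str]
    # (protocol, port) -> "name product version" for open ports only
    services: dict = field(default_factory=dict)


def _best_os(host_el):
    """Pick the <osmatch> with the highest accuracy, or None if Nmap made no guess."""
    best = None
    for m in host_el.iter("osmatch"):
        acc = int(m.get("accuracy", "0"))
        if best is None or acc > best[0]:
            best = (acc, m.get("name"))
    return best[1] if best else None


def _service_label(port_el):
    """Join service name, product and version into one comparable string."""
    svc = port_el.find("service")
    if svc is None:
        return "unknown"
    parts = [svc.get("name", "unknown")]
    for attr in ("product", "version"):
        if svc.get(attr):
            parts.append(svc.get(attr))
    return " ".join(parts)


def parse_nmap_xml(xml_text):
    """Return {address: HostInventory} for every host Nmap reports as up."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # discovery only cares about live hosts
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        if addr_el is None:
            continue
        entry = HostInventory(addr=addr_el.get("addr"), os_guess=_best_os(host))
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not services to test
            key = (port.get("protocol"), int(port.get("portid")))
            entry.services[key] = _service_label(port)
        inventory[entry.addr] = entry
    return inventory


def diff_inventories(left, right):
    """Report hosts, open services and OS guesses that differ between two runs."""
    delta = {
        "hosts_only_left": sorted(set(left) - set(right)),
        "hosts_only_right": sorted(set(right) - set(left)),
        "service_changes": {},
    }
    for addr in set(left) & set(right):
        l_s, r_s = left[addr].services, right[addr].services
        added = {k: r_s[k] for k in r_s.keys() - l_s.keys()}
        removed = {k: l_s[k] for k in l_s.keys() - r_s.keys()}
        os_pair = (left[addr].os_guess, right[addr].os_guess)
        os_change = None if os_pair[0] == os_pair[1] else os_pair
        if added or removed or os_change:
            delta["service_changes"][addr] = {"added": added, "removed": removed, "os": os_change}
    return delta


if __name__ == "__main__":
    # Diff the sample against a copy where the web server moved to 8080.
    first = parse_nmap_xml(SAMPLE_NMAP_XML)
    second = parse_nmap_xml(SAMPLE_NMAP_XML.replace('portid="80"', 'portid="8080"'))
    for addr, inv in first.items():
        print(addr, inv.os_guess, sorted(inv.services.items()))
    print(diff_inventories(first, second))
```

To compare real runs, read two `-oX` files into `parse_nmap_xml` and pass the results to `diff_inventories`; an empty `service_changes` dict and empty host lists mean the two scans agree on hosts, open services and OS guesses, which is the "basically identical" result described above. Because only hosts in state `up` and ports in state `open` are kept, transient differences caused by filtered or closed ports do not show up as changes.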

So why even bother writing about such unexciting results?  For two reasons.  First, in case this sounded promising to you and you had put it on your TO DO list too – I thought I would save you the time.  And second, because this is what we do so much of the time….try something only to find that it does not work the way we had hypothesized.  But the good news is that we learn things in the process, which is exactly why I love this work!!

I plan to experiment with this some more (for example, IPv6 fingerprinting) and if I learn anything interesting I’ll be sure to post it here.