(Warning: this is not an official Nessus documentation. Use at your own risk)
Before upgrading to 4.2.x, I had been using the nessus command-line client to automate my scans. But besides producing only Nessus v1 format reports, this client is also deprecated as of the 4.2 release. So I needed to find out how to interact with the new Nessus XMLRPC interface and automate my scans. In forum posts here and there, Renaud offered to send an HTML file that contains most (if not all) of the useful URLs and parameters one needs to do so. So I took him up on his offer, and he also provided some useful tips that have been tremendously helpful.
So here I am contributing back to the community, and I hope this will be helpful to the people who automate their scans. So far, I've been able to do what I need without resorting to a browser. For example:
- launch a scan
- list current scans/reports
- download reports
- delete reports
- list scan policies
I do this using Ruby, but of course any programming language or tool that can issue an HTTP POST request and parse an XML tree would do just fine.
Here is the list of URLs you need to know about. But first let me define a "base URL" that I am going to use throughout this post: https://my.nessus.scanner:8834. Replace my.nessus.scanner with the FQDN of your Nessus scanner, its IP address, or even localhost if you are interacting with it on the same box it is installed on. Note that the scanner uses a self-signed certificate, so you will need to make provisions for this in your programs/scripts. The lazy fix is to disable certificate verification (which is what the --no-check-certificate flag in the wget examples below does), but since your Nessus credentials and session token travel over this connection, it is better to export the scanner's certificate once and have your client trust that specific certificate (or check its fingerprint) so that verification stays on. Also note that this is the same TCP port (8834) that you use with a traditional browser.
Login to the scanner
POST params: login (Nessus username), password
Example: wget --no-check-certificate --post-data 'login=username&password=password' https://my.nessus.scanner:8834/login -O -
When you issue a login request, Nessus replies with a login token. You can think of this token as a session cookie: it is a bearer credential, and it is all you need to 'authenticate' to Nessus from now on, so anyone who obtains it can act as your user. Keep it out of logs and shared files, and be aware that passing it (or the password) with wget --post-data puts it on the command line, where it is visible to other local users via ps and ends up in your shell history; for anything beyond a quick test, put the form body in a file and use --post-file instead. A login token looks like: 81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a
Launch a new scan
POST params: token, policy_id, target, scan_name
Example: wget --no-check-certificate --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a&\
The policy_id parameter is the scan policy identifier. You will need to use your browser to create a scan policy first so that you have this ID. The scan_name is a human-friendly name for your scan, the same thing you enter when you launch a scan from the Web UI. Please note that Nessus assigns each scan a unique identifier (uuid), like the value passed as the report parameter in the download and delete examples below.
To download or delete a scan report, you will need this uuid.
List current scans/reports
POST params: token
Example: wget --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a' --no-check-certificate https://my.nessus.scanner:8834/report/list -O -
If a scan has completed (i.e. its report is ready), the status subnode of the corresponding report node in the XML response (each scan/report has its own report node) reads completed. When automating, poll this URL until the status for your uuid is completed before you try to download the report.
Download a report
POST params: token, report
Example: wget --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a&report=60c6eaa3-5063-0a70-bf33-c00b71d4cfaf97af24f344d0bfa1' --no-check-certificate https://my.nessus.scanner:8834/file/report/download -O -
The report parameter is the report UUID.
Delete a report
POST params: token, report
Example: wget --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a&report=60c6eaa3-5063-0a70-bf33-c00b71d4cfaf97af24f344d0bfa1' --no-check-certificate https://my.nessus.scanner:8834/report/delete -O -
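Since the post mentions Ruby, here is the whole workflow above (login, launch, list, wait for completed, download, delete) as one small Ruby client. This is an added example, not code from the original post or from Tenable. It keeps TLS verification on by pinning the scanner's exported certificate (the ca_file argument), and it sends the token in the POST body rather than on the command line. Three things here are assumptions that the post does not state: the launch URL is taken to be /scan/new, the login reply is assumed to carry the token in a <token> element, and each <report> node of /report/list is assumed to carry the scan uuid in <name> and the scan name in <readableName>. The sample replies at the bottom are constructed in that assumed layout so the parsers can be exercised without a scanner.

```ruby
require 'net/http'
require 'uri'
require 'openssl'
require 'rexml/document'

# Added example (not code from the original post). Assumed, not stated on the
# page: launch URL /scan/new; token in <token>; report uuid in <name> and
# scan_name in <readableName> under each <report> node of /report/list.
class NessusClient
  attr_reader :token

  # ca_file: the scanner's own self-signed certificate, exported once and
  # pinned here so that certificate verification stays enabled.
  def initialize(base_url, ca_file:)
    @base = URI(base_url)
    @ca_file = ca_file
    @token = nil
  end

  def login(user, password)
    @token = self.class.login_token(post('/login', 'login' => user, 'password' => password))
    raise 'login failed: no token in reply' unless @token
    @token
  end

  def launch_scan(policy_id, target, scan_name)
    post('/scan/new', 'policy_id' => policy_id, 'target' => target, 'scan_name' => scan_name)
  end

  def list_reports
    self.class.parse_report_list(post('/report/list'))
  end

  # Poll /report/list until the given uuid shows status "completed".
  def wait_for(uuid, interval: 30, timeout: 3600)
    deadline = Time.now + timeout
    loop do
      r = list_reports.find { |x| x[:uuid] == uuid }
      return r if r && r[:status] == 'completed'
      raise "timed out waiting for #{uuid}" if Time.now > deadline
      sleep interval
    end
  end

  def download_report(uuid)
    post('/file/report/download', 'report' => uuid)
  end

  def delete_report(uuid)
    post('/report/delete', 'report' => uuid)
  end

  # Pure XML helpers: usable (and testable) without a live scanner.
  def self.login_token(xml)
    REXML::XPath.first(REXML::Document.new(xml), '//token')&.text
  end

  def self.parse_report_list(xml)
    REXML::XPath.match(REXML::Document.new(xml), '//report').map do |node|
      { uuid: node.elements['name']&.text,
        name: node.elements['readableName']&.text,
        status: node.elements['status']&.text }
    end
  end

  def self.completed_uuids(xml)
    parse_report_list(xml).select { |r| r[:status] == 'completed' }.map { |r| r[:uuid] }
  end

  private

  # Every call is an HTTPS POST; the token rides in the form body, never in
  # the URL or in the process argument list.
  def post(path, params = {})
    params = params.merge('token' => @token) if @token
    http = Net::HTTP.new(@base.host, @base.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = @ca_file
    req = Net::HTTP::Post.new(path)
    req.set_form_data(params)
    res = http.request(req)
    raise "HTTP #{res.code} on #{path}" unless res.is_a?(Net::HTTPSuccess)
    res.body
  end
end

# Constructed sample replies (not captured from a real scanner), in the
# assumed layout described above, so the parsers can run offline.
SAMPLE_LOGIN_REPLY = <<~XML
  <reply><seq>1</seq><status>OK</status>
    <contents><token>81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a</token></contents></reply>
XML

SAMPLE_REPORT_LIST = <<~XML
  <reply><seq>2</seq><status>OK</status><contents><reports>
    <report><name>60c6eaa3-5063-0a70-bf33-c00b71d4cfaf97af24f344d0bfa1</name>
      <readableName>dmz-weekly</readableName><status>completed</status></report>
    <report><name>00000000-0000-0000-0000-000000000000</name>
      <readableName>still-running</readableName><status>running</status></report>
  </reports></contents></reply>
XML

# Live use only when NESSUS_URL is set: log in, launch, then list what exists.
if __FILE__ == $PROGRAM_NAME && ENV['NESSUS_URL']
  c = NessusClient.new(ENV['NESSUS_URL'], ca_file: ENV.fetch('NESSUS_CA_FILE'))
  c.login(ENV.fetch('NESSUS_USER'), ENV.fetch('NESSUS_PASS'))
  puts c.launch_scan(ENV.fetch('POLICY_ID'), ENV.fetch('TARGET'), 'automated scan')
  c.list_reports.each { |r| puts "#{r[:uuid]} #{r[:name]} #{r[:status]}" }
end
```

To obtain the certificate to pin, connect once with openssl s_client -connect my.nessus.scanner:8834 -showcerts and save the PEM block it prints to the file you pass as ca_file; from then on a changed or spoofed certificate makes the client fail instead of silently handing over your credentials. Credentials come from the environment in the live section only so that they do not appear in the argument list.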
This should be enough to get you started. HTH