16 Replies. Latest reply: Feb 9, 2012 5:13 AM by javaStudent

Tips: Some URLs you need to know for interacting with the Nessus 4.2 scanner

Novice

(Warning: this is not official Nessus documentation. Use at your own risk)

Hi there,


Before upgrading to 4.2.x, I've been using the nessus command-line client to automate my scans. But besides producing only Nessus v1 format reports, this client is also now deprecated with the 4.2 release. So I needed to know how to interact with the new Nessus XMLRPC interface and automate my scans. In forum posts here and there, Renaud offered to send an HTML file that contains most (if not all) of the useful URLs and parameters one needs to do so. So I took him up on his offer and he also provided some useful tips that have been tremendously helpful.


So here I am contributing back to the community and I hope that this will be helpful to the people who automate their scans. So far, I've been able to do what I need without resorting to a browser. For ex.:

  • launch a scan
  • list current scans/reports
  • download reports
  • delete reports
  • list scan policies

 

I do this using Ruby but of course, any programming language or tool that can issue an HTTP POST request and parse an XML tree would do just fine.


Here is the list of URLs you need to know about. But first let me define a "base url" that I am going to use throughout this post: https://my.nessus.scanner:8834. Replace my.nessus.scanner with the FQDN of your Nessus scanner, its IP address or even localhost if you are interacting with it on the same box that it is installed on. Note that it uses a self-signed certificate so you'd need to make provisions in your programs/scripts for this. Also, please note that we are using the same TCP port that you'd use with a traditional browser.


Login to the scanner

URL: https://my.nessus.scanner:8834/login

POST params: login (Nessus username), password

Example: wget --no-check-certificate --post-data 'login=username&password=password' https://my.nessus.scanner:8834/login -O -


When you issue a login request, Nessus will reply with a login token. You can think of this token as a cookie. This is all you need to 'authenticate' to Nessus from now on. A login token looks like: 81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a


Launch a new scan

URL: https://my.nessus.scanner:8834/scan/new/

POST params: token, policy_id, target, scan_name

Example: wget --no-check-certificate --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a&policy_id=1&target=10.1.2.3,192.168.5.4,172.16.0.0/16,www.host.com,192.168.10.11-192.168.10.45&scan_name=this_is_my_first_test_scan' https://my.nessus.scanner:8834/scan/new/


The policy_id parameter is the scan policy identifier. Obviously, you will need to use your browser to create a scan policy first so that you can have this ID. The scan_name is a human-friendly name for your scan. This is the same thing as when you launch a scan using the Web UI. Please note that Nessus uses a unique scan identifier (uuid) that looks like this:

60c6eaa3-5063-0a70-bf33-c00b71d4cfaf97af24f344d0bfa1


To download or delete a scan report, you will need this uuid.


List current scans/reports

URL: https://my.nessus.scanner:8834/report/list

POST params: token

Example: wget --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a' --no-check-certificate https://my.nessus.scanner:8834/report/list -O -


If a scan is completed (i.e. a scan report is ready), its status subnode in the XML response you receive back (each scan/report has a corresponding report node) is shown as completed.


Download a report

URL: https://my.nessus.scanner:8834/file/report/download

POST params: token, report

Example: wget --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a&report=60c6eaa3-5063-0a70-bf33-c00b71d4cfaf97af24f344d0bfa1' --no-check-certificate https://my.nessus.scanner:8834/file/report/download -O -


The report parameter is the report UUID.


Delete a report

URL: https://my.nessus.scanner:8834/report/delete

POST params: token, report

Example: wget --post-data 'token=81d64733f78b6a6d34217bfedff12b3244ec20d015d26a0a&report=60c6eaa3-5063-0a70-bf33-c00b71d4cfaf97af24f344d0bfa1' --no-check-certificate https://my.nessus.scanner:8834/report/delete -O -


This should be enough to get you started. HTH
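
The calls listed in the post above, as an added Ruby example that is not part of the original post and not Tenable's code: it sends the parameters as a form-encoded POST body, verifies the scanner's self-signed certificate against a saved copy rather than disabling checks, and picks completed reports out of the list reply. The certificate path, the `token` and `name` element names and the sample reply are assumptions; the post names only the `report` and `status` nodes.

```ruby
require 'net/http'
require 'openssl'
require 'rexml/document'

HOST = 'my.nessus.scanner' # placeholder host from the post
PORT = 8834

# HTTPS client that trusts only a saved copy of the scanner's certificate (cert_pem: assumed path).
def nessus_http(cert_pem)
  http = Net::HTTP.new(HOST, PORT)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = cert_pem
  http
end

# Form-encoded POST for one of the listed paths; credentials and token stay out of argv.
def nessus_post(path, params)
  req = Net::HTTP::Post.new(path)
  req.set_form_data(params)
  req
end

# Login token from the /login reply (element name "token" is an assumption).
def login_token(xml)
  REXML::Document.new(xml).get_elements('//token').first&.text
end

# Report nodes whose status subnode reads "completed", as hashes of their subnodes.
def completed_reports(xml)
  REXML::Document.new(xml).get_elements('//report')
    .select { |r| r.elements['status']&.text == 'completed' }
    .map { |r| r.elements.each_with_object({}) { |e, h| h[e.name] = e.text } }
end

# One download request per finished report ("name" holding the uuid is an assumption).
def download_requests(token, list_xml)
  completed_reports(list_xml).map do |r|
    nessus_post('/file/report/download', 'token' => token, 'report' => r['name'])
  end
end

# Constructed sample reply for offline use; not captured from a real scanner.
SAMPLE_LIST = <<~XML
  <reply><contents><reports>
    <report><name>60c6eaa3-5063-0a70-bf33-c00b71d4cfaf97af24f344d0bfa1</name><status>completed</status></report>
    <report><name>constructed-running-scan</name><status>running</status></report>
  </reports></contents></reply>
XML
```

Verification against the saved certificate succeeds only when the name in that certificate matches the host you connect to.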

  • Re: Tips: Some URLs you need to know for interacting with the Nessus 4.2 scanner
    Novice

    Thanks, this is great info.

  • Re: Tips: Some URLs you need to know for interacting with the Nessus 4.2 scanner
    Apprentice

    Thanks for the great detail, Saad.  Do you know if it will be possible to create and manage scan policies programmatically the same way or will they only be able to be created and managed manually?

     

    Chris

  • Re: Tips: Some URLs you need to know for interacting with the Nessus 4.2 scanner
    Novice

    Hi,

     

    I have written a couple of posts about automating your scans (on Windows; you can easily adapt the theory to Unix, as the Perl modules are available cross-platform).

     

    Hope this helps as it ties up the XMLRPC components into a practical solution.

     

    http://www.centralconsultancy.com/?p=10

     

    Regards

     

    Chaz

  • Re: Tips: Some URLs you need to know for interacting with the Nessus 4.2 scanner
    Novice

    Hi,

     

    I'm trying to write a Java client to communicate with Nessus. Firstly, I tried to use the Apache XML-RPC client, but it didn't work. ( Tenable Network Security: Login fails with XmlRpcClientException...)

    I think Nessus expects simple HTTP posts. Now I am trying Apache HttpClient.

     

     

     
        HttpClient client = new DefaultHttpClient();
        client =  WebClientDevWrapper.wrapClient(client); // handles SSL certificate issues
        
        HttpHost host =new HttpHost( "localhost",8834);
        
        
        HttpPost post = new HttpPost("/login");
        
        
        HttpParams par = new BasicHttpParams();
        
        par.setParameter("password", "123456");
        par.setParameter("login", "admin");
        par.setParameter("seq", 1235484);
        
            post.setParams(par);
        
         System.out.println("req: "+ post.getRequestLine() ); // output: "req: POST /login HTTP/1.1"
         System.out.println( "protocol: " +post.getProtocolVersion() ); // output: "protocol: HTTP/1.1"
    
              //Do I need to set headers like this? I tried but get org.apache.http.client.ClientProtocolException
    
    //            post.setHeader("Host", "localhost:8834");
    //            post.setHeader("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9");
    //            post.setHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    //            post.setHeader("Accept-Language", "en-us,en;q=0.5");
    //            post.setHeader("Accept-Encoding", "gzip,deflate");
    //            post.setHeader("Accept-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.7");
    //            post.setHeader("Keep-Alive", "300");
    //            post.setHeader("Connection", "keep-alive");
    //            post.setHeader("Cookie", "token=cb8f206391b7e99e220c6e02987a76c584f6780a22137919");
    //            post.setHeader("Referer", "https://localhost:8834/NessusClient.swf");
    //            post.setHeader("Content-type", "application/x-www-form-urlencoded");
    //            post.setHeader("Content-length", "35");
    //            post.setHeader("POST", "/login HTTP/1.1");
    
                 
        HttpResponse response = client.execute(host,post);
         System.out.println(response);
    //output: HTTP/1.1 400 Bad request [Date: Thu, 09 Feb 2012 13:07:47 GMT, Server: NessusWWW, Connection: close, Expires: Thu, 09 Feb 2012 13:07:47 GMT, Content-Length: 439, Content-Type: text/html, Cache-Control: , Expires: 0, Pragma : ]
    
    

     

    I get

    HTTP/1.1 400 Bad request [Date: Thu, 09 Feb 2012 13:07:47 GMT, Server: NessusWWW, Connection: close, Expires: Thu, 09 Feb 2012 13:07:47 GMT, Content-Length: 439, Content-Type: text/html, Cache-Control: , Expires: 0, Pragma : ]

    as response.

     

    What can be the problem? Is this the right way to communicate with Nessus in Java? I use Nessus XML-RPC Protocol Specification September 28, 2010 (Revision 2) as reference.