using Nmap scanlogs + Nessus

[diablo69 0]

I wanted to know if you could use the -oN or -oG option in nmap to save a logfile that can be pulled up in nessus, and scan the ip's that are contained in that file that nmap generated. If this is possible, please explain to me how this is accomplished, I just spent a good 20 mins on google trying to find the answer....

This is as close as I have gotten...cred goes to http://list.nessus.org/pipermail/nessus/20...rch/014949.html

----------------------------------------------------------------------------------

just tried this and found it to work fine -- nmap 4.01, nessus 3.0.2,

and NessusClient 1.0.0.RC4. And checking "Do not scan targets not in the

file" caused Nessus to avoid scanning hosts not in the nmap output file.

You may want to check your logs and make sure nessusd is loading the

nmap.nasl plugin and launching it during your scan.

Is there an issue with the format of the nmap output file? And what

exactly do you mean by "Nessus does not appear to use this file"? In

other words, what makes you think there's an issue?

-------------------------------------------------------------------------------------

Any suggestions?

Diablo69

[tekio 118]

I've always found standard Gnu/Linux commands to be helpful for this:

cat nmaplog.txt | grep -i open | cut -d " " -f 1 | cut -d " " -f 0 > goodIp.txt

You may want to man cut. That is just off the top of my head, as I'm now on a Windows box. Hopefully, I remembered the key words for the Nmap scan logs, and cut switches correctly.

EDIT: I'm assuming nessus will allow one to import a file of IP addresses. With the above commands the -oG should be used to log into a grepable file. The idea is to grep all open ports, and cut the ip addresses from the grepable file, redirecting them into a new file of valid ip addresses.

If that doesn't work let me know. I'll go on a Unix box and post the exact commands.

EDIT: political corrections: linux to Gnu/Linux

Edited November 11, 2008 by tekio

[operat0r 0]

ya mess with and learn sed awk and cut then you can parse anytjhing

http://rmccurdy.com/stuff/snortlist.txt

takes snortsam logs and nmaps ports 80,137,138,139,445,21,3389,5900 to see if they are open


grep Blocking /var/log/snortsam.log | sed 's/.*Blocking host //g' | sed 's/ completely.*//g' | sort | DUPE > /txt.txt
cat /txt.txt | sed 's/^/nmap -T 5  -oG log.xml --append-output /g' | sed 's/$/  -p 80,137,138,139,445,21,3389,5900 -P0 /g'  > go2.sh
bash go2.sh
grep Host: log.xml |grep open > /data/stuff/snortlist.txt

you can take it to the next level by making a autopwn rc script and just feeding it that

load db_sqlite3
db_destroy  test
db_create test

db_import_nmap_xml nmap.xml
db_hosts
db_autopwn -t -p -e

sesstions -l

skiddie powers activate !

FYI you know nessus can scan a range for you ... the non gui can take a target.txt file with a list of IP's to target

/usr/local/bin/nessus -q -T html -V localhost 1241 USRNAME PASSWORD /data/stuff/target.txt

Edited November 11, 2008 by operat0r

[diablo69 0]

ya mess with and learn sed awk and cut then you can parse anytjhing

http://rmccurdy.com/stuff/snortlist.txt

takes snortsam logs and nmaps ports 80,137,138,139,445,21,3389,5900 to see if they are open


grep Blocking /var/log/snortsam.log | sed 's/.*Blocking host //g' | sed 's/ completely.*//g' | sort | DUPE > /txt.txt
cat /txt.txt | sed 's/^/nmap -T 5  -oG log.xml --append-output /g' | sed 's/$/  -p 80,137,138,139,445,21,3389,5900 -P0 /g'  > go2.sh
bash go2.sh
grep Host: log.xml |grep open > /data/stuff/snortlist.txt

you can take it to the next level by making a autopwn rc script and just feeding it that

load db_sqlite3
db_destroy  test
db_create test

db_import_nmap_xml nmap.xml
db_hosts
db_autopwn -t -p -e

sesstions -l

skiddie powers activate !

FYI you know nessus can scan a range for you ... the non gui can take a target.txt file with a list of IP's to target

/usr/local/bin/nessus -q -T html -V localhost 1241 USRNAME PASSWORD /data/stuff/target.txt

Woot always more to learn . I've been in the Security Game for a while now, but I just figured out after 8 years of doing it, that I really like the computer security aspect of things and not information security, though I do dabble here and there in forensics. Anywho Thanks for all the in put. I really need to study perl again to automate my scripts as I don't like to work harder than I have to . Use to have perl automate scans for me . Anywho i'll be back periodically. Back to the forums and eq2 I go.

[operat0r 0]

Thx well your like me say 5+ years ago .. I did not want to program ( still dont ) but you need to learn something ruby python something.

* OHH 4got I did a twatech on this http://www.twatech.org/shows.php?ep=144

* nessus has its own scanner built in its connect scan plugin

* you can confiugre nessus to use NMAP !!!

http://www.nessus.org/documentation/index.php?doc=nmap-usage

also the nessus knowledge database is the SHIT but impossible to find ..

http://www.edgeos.com/nessuskb/

* also want to chekc out nessusupdate rc script

this is how I update my nessus

rmccurdy# cat UPDATENESSUS.sh
nessusd -d
nessus-update-plugins

# google for update-nessusrc  script ...
update-nessusrc -d -c "_all_" -f "_all_" ~/.nessusrc


# paranoia_level = 2
# ssl_version=none
# use_ssl = no
# user_client_cert=no

* this is what nessuse rc file looks like http://rmccurdy.com/scripts/nessusrc_file

* to start you may just want to use nessusnx client ( nessusux or something windows nessus client) you can build the scan profile how you like and save it in .nessusrc file and wala you can scan via cli

you sent me a PM on autopwn. Google autopwn and you will find some example syntax using postges or sqlite my portable ver uses sqlite3 just poke atound with autopwn and metasploit.

I would say im a less then avrage nessus user ( altho I use autopwn now more ) but if you guys have any questions about nessus or need help configureing something with it let me know. I also have nessus CGI client

http://rmccurdy.com/scripts/nessus_cgi_client.txt

Edited November 12, 2008 by operat0r