Getting Nessus Results Into Burp With a Tiny Shell Script


My post today is about a useful little bash script I made that extracts HTTP and HTTPS targets from Nessus scans and generates URLs which can be used with Burp Suite, etc. But first, a word on Nessus scans in offensive engagements.

Although it is a subject of disagreement in this field, in my opinion there are times when running a Nessus scan during a penetration test or even sometimes a Red Team engagement is not a bad idea. For instance, I often start out Red Team engagements stealthily, only checking for open ports with Shodan, etc. But after full compromise, it's important to me to go back and make sure I've found as many vulnerabilities as possible. Other times, if it seems a target is not well guarded, I will run a Nessus scan just to see what I can get away with. It can be amusing how few defenses are in place, often even for high value targets. At no time, however, do I ever deliver a glorified Nessus report to a client for an offensive engagement. In nearly every case, except perhaps DoS or the like, I verify vulnerabilities with my own manual exploits and provide customized, relevant report content.

When I run such scans, I generally use an aggressive Nessus policy. After reviewing the scan results, my next priority is often to extract the HTTP and HTTPS targets from the scan and feed them into Burp Suite. This is easier said than done: the way Nessus lists open ports in reports is difficult to parse. I decided to see if I could solve this with a bash script I've dubbed nessos2belch. The odd name is of course based on synonyms, Nessos being a synonym of Nessus and belch of Burp.

For the tool to be most effective, I recommend that you turn on 'Probe all ports to find services' (use this with caution on internal environments) and set 'Search for SSL/TLS on' to 'All TCP ports' in the Nessus policy.


In addition, I recommend that the following plugin IDs be enabled:

  • 10335 (Nessus TCP scanner)
  • 11219 (Nessus SYN scanner)
  • 56984 (SSL / TLS Versions Supported)
  • 22964 (Service Detection)

The last two are mandatory for the tool to work, and the first two are recommended.

The Nessus scan results should be filtered to these same plugin IDs, and the HTML report should be generated with the 'Vulnerabilities by Plugin' option.

The script is run by specifying the Nessus HTML report as the only argument, like so:

./nessos2belch.sh nessus-report.html

So far, it's been working well for me. It outputs a text file called n2b-output.txt which contains URLs, like so:

http://127.0.0.1:80/
https://127.0.0.1:443/
https://127.0.0.1:8443/

These targets can be pasted directly into Burp Suite's scanner, using Dashboard > New Scan, or used in other ways.
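As an added example (this is not the nessos2belch script, whose source is not reproduced in this post), here is the same idea applied to the .nessus XML export instead of the HTML report: Service Detection (plugin 22964) identifies which ports carry a web server, and SSL / TLS Versions Supported (plugin 56984) decides whether the URL gets http or https. The .nessus format is chosen because its element and attribute names are stable, so the extraction does not depend on report layout. The sample export, the WEB_SVC_NAMES set, and the plugin_output wording are constructed assumptions; the plugin IDs are the ones listed above. It also goes one step beyond the post's tool by listing non-web services separately, which the post mentions as a planned improvement.

```python
#!/usr/bin/env python3
"""Build Burp-ready URLs from a Nessus .nessus (XML) export.

Added example, not the nessos2belch script. Uses plugin 22964 (Service
Detection) to find web servers and plugin 56984 (SSL / TLS Versions
Supported) to choose http vs https, per host and port.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

SERVICE_DETECTION = "22964"  # plugin ID from the post
TLS_VERSIONS = "56984"       # plugin ID from the post
# Assumption: svc_name values Nessus assigns to web servers.
WEB_SVC_NAMES = {"www", "http", "https"}

# Constructed sample export (not a real scan). Port 993 carries TLS but is
# not a web server, so it must NOT become an https:// target.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="constructed sample">
<ReportHost name="127.0.0.1">
<ReportItem port="0" svc_name="general" protocol="tcp" pluginID="19506" pluginName="Nessus Scan Information"/>
<ReportItem port="22" svc_name="ssh" protocol="tcp" pluginID="22964" pluginName="Service Detection">
<plugin_output>An SSH server is running on this port.</plugin_output></ReportItem>
<ReportItem port="80" svc_name="www" protocol="tcp" pluginID="22964" pluginName="Service Detection">
<plugin_output>A web server is running on this port.</plugin_output></ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" pluginID="22964" pluginName="Service Detection">
<plugin_output>A web server is running on this port through TLSv1.2.</plugin_output></ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" pluginID="56984" pluginName="SSL / TLS Versions Supported">
<plugin_output>This port supports TLSv1.2.</plugin_output></ReportItem>
<ReportItem port="993" svc_name="imap" protocol="tcp" pluginID="22964" pluginName="Service Detection">
<plugin_output>An IMAP server is running on this port through TLSv1.2.</plugin_output></ReportItem>
<ReportItem port="993" svc_name="imap" protocol="tcp" pluginID="56984" pluginName="SSL / TLS Versions Supported">
<plugin_output>This port supports TLSv1.2.</plugin_output></ReportItem>
<ReportItem port="8443" svc_name="www" protocol="tcp" pluginID="22964" pluginName="Service Detection">
<plugin_output>A web server is running on this port through TLSv1.2.</plugin_output></ReportItem>
<ReportItem port="8443" svc_name="www" protocol="tcp" pluginID="56984" pluginName="SSL / TLS Versions Supported">
<plugin_output>This port supports TLSv1.2.</plugin_output></ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>"""


def format_host(name: str) -> str:
    """Bracket bare IPv6 literals so the resulting URL is valid."""
    if ":" in name and not name.startswith("["):
        return f"[{name}]"
    return name


def extract_targets(nessus_xml: str) -> Tuple[List[str], List[str]]:
    """Return (web URLs, non-web 'host:port (svc)' lines), both sorted by host then port."""
    root = ET.fromstring(nessus_xml)
    web: List[Tuple[str, int, bool]] = []
    other: List[Tuple[str, int, str, bool]] = []
    for host in root.iter("ReportHost"):
        name = host.get("name", "")
        web_ports: Set[int] = set()
        tls_ports: Set[int] = set()
        services: Dict[int, str] = {}
        for item in host.findall("ReportItem"):
            try:
                port = int(item.get("port", "0"))
            except ValueError:
                continue
            # Port 0 holds host-level findings, not a listening service.
            if port == 0 or item.get("protocol", "tcp") != "tcp":
                continue
            plugin = item.get("pluginID")
            if plugin == TLS_VERSIONS:
                tls_ports.add(port)
            elif plugin == SERVICE_DETECTION:
                svc = item.get("svc_name", "")
                output = (item.findtext("plugin_output") or "").lower()
                if svc in WEB_SVC_NAMES or "web server" in output:
                    web_ports.add(port)
                else:
                    services[port] = svc
        # TLS only turns a port into https:// if it is also a web server.
        for port in web_ports:
            web.append((name, port, port in tls_ports))
        for port, svc in services.items():
            other.append((name, port, svc, port in tls_ports))
    web.sort(key=lambda t: (t[0], t[1]))
    other.sort(key=lambda t: (t[0], t[1]))
    urls = [f"{'https' if tls else 'http'}://{format_host(h)}:{p}/" for h, p, tls in web]
    rest = [f"{format_host(h)}:{p} ({svc}{', TLS' if tls else ''})" for h, p, svc, tls in other]
    return urls, rest


if __name__ == "__main__":
    # Usage: python3 nessus_targets.py scan.nessus  (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_NESSUS
    urls, rest = extract_targets(xml_text)
    print("\n".join(urls))                   # paste into Burp's Dashboard > New Scan
    print("\n".join(rest), file=sys.stderr)  # non-web services, for separate review
```

The URLs keep the explicit port even for 80 and 443, matching the output format shown above, so Burp treats each host:port pair as its own target. A port that supports TLS but is not a web server (993 in the sample) is reported on stderr with a TLS marker rather than being turned into an https:// URL.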

Feel free to suggest edits or let me know if there are issues. When I get time, I'd like to improve the tool to also output non-HTTP/HTTPS targets in a separate file for analysis. The tool can be found on GitHub:
