Nessus v6 Command Line Reference
November 26, 2014 (Revision 2)

Table of Contents

Introduction
Standards and Conventions
Nessus Command Line
Overview and Basic Usage
Introduction

This document describes the command line tools of Tenable Network Security’s Nessus 6 vulnerability scanner. Please email any comments and suggestions to support@tenable.com.

Tenable Network Security, Inc. is the author and maintainer of the Nessus vulnerability scanner. In addition to constantly improving the Nessus engine, Tenable writes most of the plugins available to the scanner, as well as compliance checks and a wide variety of audit policies.
Note that the examples below use the standard Linux format. Please adjust for your operating system accordingly.
If you want to see help for a specific command, the syntax is:

    # nessuscli <command> help

An example of this help usage is:

    # /opt/nessus/sbin/nessuscli bug-report-generator help
    Usage: nessuscli bug-report-generator
    Usage: nessuscli bug-report-generator --quiet [--full] [--scrub]

    Generate an archive of system diagnostics.
    Running without arguments will prompt for values.
    Running with --quiet will not prompt for values. The defaults in quiet mode are normal mode and no IPv4 subnet sanitization.
    Netmask ........ 255.255.252.0
    Adapter# 0
    Name............ lo
    Real name ...... lo
    IPv6 address ... ::1
    IPv6 network ... ::1
    IPv6 netmask ... ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Adapter# 1
    Name............ eth1
    Real name ...... eth1
    IPv6 address ... fe80::250:56ff:fe10:76d
    IPv6 network ... fe80::
    IPv6 netmask ... ffff:ffff:ffff:ffff::

Managing Advanced Settings

The nessuscli fix command has a series of options to manage the advanced settings on your Nessus scanner.
    checks_read_timeout: 5
    allow_post_scan_editing: yes
    optimize_test: yes
    port_range: default
    cgi_path: /cgi-bin:/scripts
    rules: /Library/Nessus/run/etc/nessus/nessusd.rules
    dumpfile: /Library/Nessus/run/var/nessus/logs/nessusd.dump
    log_whole_attack: no
    www_logfile: /Library/Nessus/run/var/nessus/logs/www_server.log
    logfile: /Library/Nessus/run/var/nessus/logs/nessusd.messages
    throttle_scan: yes
    max_checks: 5
    global.
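An added example (not from the Tenable document): a POSIX shell function that compares a saved settings listing in the "name: value" layout shown above against an expected baseline and reports drift. The sample listing, the baseline values and the function name audit_settings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report drift between a saved "name: value" settings
# listing and an expected baseline. All sample data below is constructed.

# Constructed sample listing, in the layout of the listing above.
SAMPLE_SETTINGS='checks_read_timeout: 5
cgi_path: /cgi-bin:/scripts
log_whole_attack: yes
throttle_scan: yes
max_checks: 25'

# Hypothetical baseline (name=value) chosen for this example.
BASELINE='cgi_path=/cgi-bin:/scripts
log_whole_attack=no
throttle_scan=yes
max_checks=5
port_range=default'

# audit_settings BASELINE   (the listing is read from stdin)
# Prints "DRIFT name expected=.. actual=.." or "MISSING name expected=..".
audit_settings() {
  BASELINE_ROWS="$1" awk '
    BEGIN {
      n = split(ENVIRON["BASELINE_ROWS"], rows, "\n")
      for (i = 1; i <= n; i++) {
        eq = index(rows[i], "=")
        if (eq < 2) continue
        name = substr(rows[i], 1, eq - 1)
        want[name] = substr(rows[i], eq + 1)
        order[++k] = name          # keep baseline order for stable output
      }
    }
    {
      sub(/\r$/, "")               # tolerate listings saved with CRLF
      sep = index($0, ": ")        # first ": " only; values may hold colons
      if (sep > 1) have[substr($0, 1, sep - 1)] = substr($0, sep + 2)
    }
    END {
      for (i = 1; i <= k; i++) {
        name = order[i]
        if (!(name in have))
          printf "MISSING %s expected=%s\n", name, want[name]
        else if (have[name] != want[name])
          printf "DRIFT %s expected=%s actual=%s\n", name, want[name], have[name]
      }
    }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SETTINGS" | audit_settings "$BASELINE"
```

Run it on a schedule against a freshly saved listing so that an unexpected change to a scanner setting shows up as a DRIFT or MISSING line.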
    # nessuscli fix --secure --set proxy_port=[port]
    # nessuscli fix --secure --set proxy_username=[user]
    # nessuscli fix --secure --set proxy_password=[password]

Nessus Command Line Certificate Commands

The nessuscli mkcert commands offer the ability to create Nessus-supported self-signed digital certificates from the command line.

Creating a Nessus Server Digital Certificate

To create a Nessus server digital certificate, run the commands and follow the prompts. Note that the defaults are in brackets.
Creating a Nessus Client-Side Digital Certificate

To create a Nessus client digital certificate, run the commands and follow the prompts. Note that the defaults are in brackets.
Listing Nessus Users

To list Nessus users, run the following command:

    # /opt/nessus/sbin/nessuscli lsuser
    admin
    auditor
    windowsadmin
    linuxadmin

Changing a Nessus User’s Password

To change a Nessus user’s password, run the following command:

    # /opt/nessus/sbin/nessuscli chpasswd
    Login to change: auditor
    New password:
    New password (again):
    Password changed for auditor

Note that you will need to enter the same new password twice, but it will not be echoed on the screen.
Nessus Enterprise users and groups are not supported by the nessuscli adduser command.

Removing a Nessus User

To remove a Nessus user, run the following command:

    # /opt/nessus/sbin/nessuscli rmuser
    Login to remove: auditor
    User removed

Nessus Command Update Commands

The nessuscli commands offer the ability to update Nessus and Nessus plugins. By default, this tool will recognize the software update options selected through the Nessus UI.
Updating the Plugins Only

To force the nessuscli to update the plugins only, use the --plugins-only option:

    # /opt/nessus/sbin/nessuscli update --plugins-only
    ----- Fetching the newest updates from nessus.org -----
    Nessus Plugins: Complete
    * Nessus Plugins are now up-to-date and the changes will be automatically processed by Nessus.

Updating a Specific Plugin Archive

If you wish to supply a plugin archive (e.g.
    Nessus Plugins: Downloading (0%)
    Nessus Plugins: Downloading (1%)
    Nessus Plugins: Downloading (2%)
    …
    Nessus Core Components: Downloading (0%)
    Nessus Core Components: Downloading (8%)
    …
    Nessus Plugins: Downloading (99%)
    Nessus Plugins: Unpacking (0%)
    Nessus Plugins: Unpacking (4%)
    …
    Nessus Plugins: Unpacking (90%)
    Nessus Plugins: Complete
    Nessus Core Components: Downloading (98%)
    Nessus Core Components: Complete
    * Nessus Plugins are now up-to-date and the changes will be automatically processed by Ness
Once registered, you will receive the URL to download the plugins and a link to download the nessus-fetch.rc file.

To register a Nessus scanner offline, run the following command:

    # /opt/nessus/sbin/nessuscli fetch --register-offline

Example:

Copyright © 2014. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
    # /opt/nessus/sbin/nessuscli fetch --register-offline nessus-fetch.rc
    Nessus has been registered properly - thank you.

Confirming Nessus Registration Codes

To confirm that the Nessus scanner is registered properly, run the following command:

    # /opt/nessus/sbin/nessuscli fetch --check
    Checking...
    Updates are configured properly

To display the Nessus scanner activation code, run the following command:

    # /opt/nessus/sbin/nessuscli fetch --code-in-use
    Checking...
    -> Copying /etc/SuSE-release...
    -> Copying /etc/debian_version...
    -> Running uname -a...
    -> Running /opt/nessus/sbin/nessusd -d...
    -> Running ldd /opt/nessus/sbin/nessusd...
    -> Running dmesg...
    -> Running tail -n 10000 /opt/nessus/var/nessus/logs/nessusd.messages...
    -> Running tail -n 10000 /opt/nessus/var/nessus/logs/nessusd.dump...
    -> Copying /opt/nessus/var/nessus/uuid...
    -> Running bash -c cd /opt/nessus/var/nessus/logs;ls | grep -v nessusd.
Nessus Credential Checks for Unix and Windows – information on how to perform authenticated network scans with the Nessus vulnerability scanner

Nessus Compliance Checks – high-level guide to understanding and running compliance checks using Nessus and SecurityCenter

Nessus Compliance Checks Reference – comprehensive guide to Nessus Compliance Check syntax

Nessus v2 File Format – describes the structure for the .nessus file format, which was introduced with Nessus 3.2 and NessusClient 3.