This is a quick post about importing Nessus 6 scan results into Metasploit. This is useful for loading a lot of information into a new Metasploit database, or for adding to information you already have (e.g. importing results from a weekly or monthly scan of a website or web server).
To import your Nessus results into Metasploit, there are a few steps that you have to complete, in order:
Start msfconsole from your terminal:
    msfconsole
Inside msfconsole, load the Nessus module:
    load nessus
Once the Nessus module has loaded, connect to your Nessus server:
    nessus_connect user:password@127.0.0.1:8834
Now that you have a connection to your running Nessus server, you can list all the scans that have completed:
    nessus_scan_list
This tutorial is about importing Nessus 6 scan results into Metasploit, so this is the most important command. You can import any of the completed Nessus scans with:
    nessus_db_import scan_ID
There are a number of additional commands that you can run for help inside the Nessus module:
    # to get a list of all the things you can do
    nessus_help
    # to show all your policies
    nessus_policy_list
    # to start a new scan
    nessus_scan_new
    # to show all the completed scans
    nessus_scan_list
    # to import a scan into the Metasploit database
    nessus_db_import (scan_ID)
You can also initiate Nessus scans from msfconsole with the nessus_scan_new command, and alter or add policies. Nessus is a great baseline tool for checking your websites and a good addition to Metasploit (and numerous static-analysis tools), especially when used as part of a QA process when developing websites. Scanning can be very time-consuming, but you can set up Metasploit and Nessus on a QA box, have them run periodically against your assets, and deal with the results accordingly.
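For the periodic QA-box runs mentioned above, the import steps can be written to an msfconsole resource script and run unattended. This is an added example, not code from the original post: the function names and the NESSUS_USER, NESSUS_PASS and NESSUS_HOST environment variables are assumptions, and the scan ID is whatever nessus_scan_list reports for your scan.

```shell
#!/bin/sh
# Added example: automate the import steps from this post with a resource script.
# Assumed inputs: NESSUS_USER and NESSUS_PASS (required), NESSUS_HOST (optional).

# write_import_rc SCAN_ID OUTFILE
# Writes the msfconsole commands from this post into OUTFILE.
write_import_rc() {
    scan_id=$1
    rc_file=$2
    # Accept only numeric scan IDs so no extra console commands can be injected.
    case "$scan_id" in
        ''|*[!0-9]*) echo "scan ID must be numeric: $scan_id" >&2; return 1 ;;
    esac
    if [ -z "${NESSUS_USER:-}" ] || [ -z "${NESSUS_PASS:-}" ]; then
        echo "set NESSUS_USER and NESSUS_PASS" >&2
        return 1
    fi
    nessus_host=${NESSUS_HOST:-127.0.0.1:8834}
    # The file will hold the Nessus password: restrict it before writing.
    : > "$rc_file" || return 1
    chmod 600 "$rc_file" || return 1
    cat > "$rc_file" <<EOF
load nessus
nessus_connect ${NESSUS_USER}:${NESSUS_PASS}@${nessus_host}
nessus_scan_list
nessus_db_import ${scan_id}
exit
EOF
}

# run_import SCAN_ID
# Builds a temporary resource script, runs it, and always removes it afterwards.
run_import() {
    tmp_rc=$(mktemp) || return 1
    write_import_rc "$1" "$tmp_rc" && msfconsole -q -r "$tmp_rc"
    status=$?
    rm -f "$tmp_rc"
    return "$status"
}

# Usage from cron or a CI job (12 is a placeholder scan ID):
#   NESSUS_USER=qa NESSUS_PASS=... run_import 12
```

Keeping the credentials in the environment and in a short-lived mode 600 file avoids leaving the password in a world-readable script on the QA box.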
Sources: Tenable
