Importing nessus6 scan results into metasploit

This is a quick post about importing Nessus 6 scan results into Metasploit. This can be very useful for adding a ton of information to a new Metasploit database, or adding to information you already have (e.g. importing results from a weekly or monthly scan of a website or web server).

To import your Nessus results into Metasploit, there are a few steps that you have to complete, in order:

1) Start msfconsole from your terminal:

	msfconsole

2) Inside msfconsole, load the nessus module:

	load nessus

3) Once the Nessus module has loaded, connect to your Nessus server:

	nessus_connect user:password@127.0.0.1:8834

4) Now that you have a connection to your running Nessus server, you can show all the scans that have completed with the following:

	nessus_scan_list

5) Since this tutorial is about importing Nessus 6 scan results into Metasploit, the most important command is the import itself. You can import any of the completed Nessus scans with the following, where scan_ID is the ID shown by nessus_scan_list:

	nessus_db_import scan_ID

There are a number of additional commands that you can run for help inside the nessus module:

	# to get a list of all the things you can do
	nessus_help

	# to show all your policies
	nessus_policy_list

	# to start a new scan
	nessus_scan_new

	# to show all the completed scans
	nessus_scan_list

	# to import a scan into the Metasploit database
	nessus_db_import scan_ID

You can also start Nessus scans from msfconsole with the nessus_scan_new command, and alter or add new policies, etc. Nessus is a great baseline tool for checking your websites, and makes a great addition to Metasploit (and numerous static-analysis tools), especially when used as part of a QA process when developing websites. Scanning can be very time-consuming, but with Metasploit and Nessus set up on a QA box you can have them run periodically against your assets and deal with the results accordingly!
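For the periodic QA-box run, the steps above can be wrapped in a small script that writes a Metasploit resource file and feeds it to msfconsole. This is an added example, not code from the original post; the function names and the NESSUS_USER, NESSUS_PASS and NESSUS_HOST environment variables are assumptions, as is the rule that scan IDs are plain integers.

```shell
#!/bin/sh
# Added example, not from the original post. NESSUS_USER, NESSUS_PASS,
# NESSUS_HOST, write_import_rc and run_import are names assumed here.

# Write a resource script to $2 that imports scan ID $1.
write_import_rc() {
    scan_id="$1"
    rc_file="$2"
    host="${NESSUS_HOST:-127.0.0.1:8834}"

    # Assumption: scan IDs listed by nessus_scan_list are plain integers.
    # Rejecting anything else keeps stray console commands out of the file.
    case "$scan_id" in
        ''|*[!0-9]*) echo "scan ID must be numeric: $scan_id" >&2; return 1 ;;
    esac
    # Credentials come from the environment, not from the script or crontab.
    if [ -z "${NESSUS_USER:-}" ] || [ -z "${NESSUS_PASS:-}" ]; then
        echo "set NESSUS_USER and NESSUS_PASS first" >&2; return 1
    fi
    # The file contains the password: create it readable by the owner only.
    ( umask 077
      printf '%s\n' \
          "db_status" \
          "load nessus" \
          "nessus_connect ${NESSUS_USER}:${NESSUS_PASS}@${host}" \
          "nessus_scan_list" \
          "nessus_db_import ${scan_id}" \
          "hosts" \
          "vulns" \
          "exit" > "$rc_file" )
}

# Build the script, run it through msfconsole, then remove it again.
run_import() {
    rc_tmp="$(mktemp)" || return 1
    if write_import_rc "$1" "$rc_tmp"; then
        msfconsole -q -r "$rc_tmp"
        status=$?
    else
        status=1
    fi
    rm -f "$rc_tmp"    # do not leave the password on disk
    return "$status"
}

# Usage: NESSUS_USER=... NESSUS_PASS=... sh import_scan.sh <scan ID>
if [ "$#" -gt 0 ]; then
    run_import "$1"
fi
```

The hosts and vulns commands at the end print what landed in the database, so the job's output shows whether the import actually added anything.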


Sources: Tenable
