Nessus Server Detection

🗓️ 12 Oct 1999 00:00:00Reported by TenableType
Nessus Server detection details and trusted RSA signature examination provided in this document.
Source	Link
tenable	www.tenable.com/products/nessus/nessus-professional
#TRUSTED 80532f11819cf0fdfd7bd73d8f39830ff95d2292a80b3832c21ddd6776b669b951a9b55318871d2635ea95c78b00ecef0f7a18d32eabd07e5b1995796dd389b7bb165119df9533b4e4d5939894cfda48c1132bd56fa6c9d1eb269e867c4bd57e274ecac5ae43d7668ba043197bf968b88716c82abd8167a8d3699b042ced9489449fec632b02d3d219eb21c5e54955fe5c83cb02360efb16e8e279b4b04c89ffddabc52087b0919e5ac9694e79cc5a038c1c30efee05399f8917b9060efd68eae0fe4405cdfbc917be49904c0e6cb941a29ffe877d14173c0f513e9759f85fbe5f64ca73fcbfe195aa8fb3390c187b77f546608552548858ac45467b478610cafcf139602551e44ac63bba54533324edb24765f1cd5fe55207d16711a4ced905c6a30e778c3a6327db3a515f9cbe5c8dffcb7f087a0204f54de63bcdc5b6513fe88105553643e48dfd15eefb844cb7e0c7ac5b77950b7d390564a631bc1fb1a066f858346dbd82edebe0ea91b5d0dcd95ecb68822dd31eb5017b0090163e6cdf052882cc31f18d31f552bd781d2ffe67addb943429a0bc91eb248c3d340881db1f06d2041e577c9322765abedbe1d2ca4128263fd1217acb0a3d54fc32d31919fc101975c40491f18ad83cb6a2994b0ec7940741850dee3218769662ad329af42dc9735f690954b37fd717bbf6adf48b5c4e79a3373d6276226929d241b71681
#TRUST-RSA-SHA256 b08a79c364c37121d1dc86a847279c3cdcc0c08d0584910e636a8f814ea16f778c61db81917c6951c9a20160591e3dcde1cb58c6e6dda8972cb6689edb17a6cb170a71ab4cb8774793d0f0cf666028dc9e92d9190fdc46090995709eec9bd889552a386c0d15ec370098eab1691d8d0482b3318c8d93984153858158616ef53f88e111f72b310c73502f02974bf219102e574e075df6728ee10b94471ab0244daa6b7def5083f8a77d720e04c3738c3e08b77d5bbe6081784bebe110d069b0149c5a72390fe013d2bb09d07503da47290b991727f0d15d3d3818bd02d26870e916fbf959abd960c796bed01657f814b9d635b64a4919b166a75587b35ffdf294b1ff800b7429bb7e8bd02145dcb4776492889cb9323e191346b891085b65b286281b5703d4b7f6cf2fec6b1dfbb3130e19188515c9726a3bc0630d610268a232c14ac14454d275114d493d648157ea9f1364c7744e0d20d51fcc07987b859a3194af88f0f70d742c6450f68a04486f20321f070fb7e2ef86c9d0efa6592fbd4e2d0c085f9d450dbca4a9fd61361ab616b25847d3b535ef34e78b5bc4bc060b04b8c8663468275313e49376328bcd996aa60b974238716b2db6a07878d137de1f81691bc55b9d8f0107e91f22bc2d669f29c8b6b0df3c33abbb104e36de89c27eebd1c44996a64dd1c5e8cc2c620974928c51a1386c7e49d698f083582ec8b549
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(10147);
  script_version("1.58");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/21");
  script_xref(name:"IAVT", value:"0001-T-0673");

  script_name(english:"Nessus Server Detection");

  script_set_attribute(attribute:"synopsis", value:
"A Nessus daemon is listening on the remote port.");
  script_set_attribute(attribute:"description", value:
"A Nessus daemon is listening on the remote port."

"Note: This plugin only attempts to log in to the remote device to detect the version, if valid Nessus credentials are configured.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/products/nessus/nessus-professional");
  script_set_attribute(attribute:"solution", value:
"Ensure that the remote Nessus installation has been authorized.");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"1999/10/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_set_attribute(attribute:"asset_inventory_category", value:"software_enumeration");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:nessus");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Service detection");

  script_copyright(english:"This script is Copyright (C) 1999-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("find_service2.nasl", "pvs_proxy_detect.nasl", "http_version.nasl");
  script_require_ports("Services/unknown", 1241, "Services/www", 8834);

  exit(0);
}

include('http.inc');
include('install_func.inc');
include('json.inc');
include('spad_log_func.inc');

var app = 'Tenable Nessus';

function nessus_detect(port)
{
  var soc = open_sock_tcp(port);
  if (soc)
  {
    send(socket:soc, data:'< NTP/1.2 >\n');
    var r = recv_line(socket:soc, length:4096);
    if ( '< NTP/1.2 >' >< r )
    {
      r = recv(socket:soc, length:7);
      close(soc);
      if ( 'User : ' >< r )
      {
        register_service(proto:app, port:port);
        security_note(port);
      }
    }
    else close(soc);
  }
  else
  {
    spad_log(message:'Problem when opening socket at port '+port);
  }
}

function nessus_ntp_detection()
{
  var ntp_port;
  var ntp_port_list;
  if (thorough_tests)
    ntp_port_list = get_unknown_svc_list();
  if(empty_or_null(ref:ntp_port_list))
   ntp_port_list = [1241];

  foreach ntp_port(ntp_port_list)
  {
    if(!service_is_unknown(port:ntp_port) || known_service(port:ntp_port))
    {
      spad_log(message:'Service on port '+ ntp_port+' already known');
      continue;
    }

    if(silent_service(ntp_port))
    {
      spad_log(message:'Service on port' + ntp_port+' is silent');
      continue;
    }

    if(!get_port_state(ntp_port))
    {
      spad_log(message:'NTP port ' + ntp_port + ' closed');
      continue;
    }

    nessus_detect(port:ntp_port);
  }
}

# Log in to Nessus to grab the version
function authenticated_scan_for_version(username, password)
{
  # authenticate
  var response = http::get_response(
    port: port,
    method: http::POST,
    item: '/session',
    add_headers: {'Content-Type': 'application/json'},
    data: '{"username":"' + username + '","password":"' + password + '"}'
  );

  if ('200 OK' >!< response[0])
  {
    dbg::detailed_log(lvl:1, msg:'Authentication failed');
    return NULL;
  }

  var response_body = json_read(response[2]);
  var auth_token = response_body[0]['token'];

  if (isnull(auth_token))
  {
    dbg::detailed_log(lvl:1, msg:'Failed to extract authentication token');
    return NULL;
  }

  # Get the version and model
  response = http::get_response(
    port: port,
    method: http::GET,
    item: '/server/properties',
    add_headers: {'X-Cookie': 'token=' + auth_token}
  );

  if ('200 OK' >!< response[0] || empty_or_null(response[2]))
  {
    dbg::detailed_log(lvl:1, msg:'Failed to retrieve server properties');
    return NULL;
  }

  var resp_body = json_read(response[2]);

  if (!empty_or_null(resp_body[0]['nessus_ui_version']))
  {
    return {'nessus_version': resp_body[0]['nessus_ui_version']};
  }
  else
  {
    dbg::detailed_log(lvl:1, msg:'Failed to extract Nessus version from server properties response');
    return NULL;
  }
}

# Nessus < 4.2
if(thorough_tests)
  nessus_ntp_detection();

# Nessus >= 4.2
http::enable_safe_auth(true);

var port = get_http_port(default:8834, ignore_broken:TRUE);

var install = NULL;
var version = NULL;
var extra   = make_array();
var nasl_version = NULL;
var feed    = NULL;
var web     = NULL;
var username, password, license_type;

if (!isnull(port))
{
  var server_header = http_server_header(port:port);
  if ('NessusWWW' >< server_header)
  {
    var res = http_send_recv3(method:'GET', item:'/server/properties', port:port);
    spad_log(message:'Response from GET /server/properties: ' + obj_rep(res));
    if (!isnull(res))
    {
      if ('Nessus' >< res[2])
      {
        # Response body should contain a json string
        var json = json_read(res[2]);

        # Version 5 returns a string with the same hierarchy as the XML on the /feed page
        var data;
        if (res[2] =~ '^{"reply"') data = json[0]['reply']['contents'];
        # Version 6 gets straight to the point
        else data = json[0];

        if (data['nessus_type'] !~ '^Nessus') exit(0, 'Server did not respond with expected Nessus Server properties information.');
        if ('SecurityCenter' >< data['nessus_type']) extra['Managed by'] = 'SecurityCenter';

        # if Nessus credentials are provided, try to log in to get more detailed version information and the license type
        var username = get_kb_item(http::KB_USERNAME);
        var password = get_kb_item(http::KB_PASSWORD);

        if (username && password)
        {
          var auth_data = authenticated_scan_for_version(username:username, password:password);
          if (!isnull(auth_data)) data['nessus_ui_version'] = auth_data['nessus_version'];
        }

        feed         = data['feed'];
        version      = data['nessus_ui_version'];
        nasl_version = data['server_version'];
        web          = data['web_server_version'];
        license_type = data['nessus_type'];

        if (!isnull(feed))   extra['Nessus feed'] = feed;
        if (!isnull(web))    extra['Web server version'] = web;
        if (!isnull(nasl_version))     extra['NASL Version'] = nasl_version;
        if (isnull(version) || version == '0.0.0') version = UNKNOWN_VER;

        if (!isnull(license_type))
          extra['License Type'] = license_type;
        else
          extra['License Type'] = 'Unknown';

        install = register_install(
          app_name : app,
          vendor : 'Tenable',
          product : 'Nessus',
          version  : version,
          port     : port,
          path     : '/',
          webapp   : TRUE,
          extra    : extra,
          cpe    : 'cpe:/a:tenable:nessus');
      }
      else
      {
        res = NULL;
        res = http_send_recv3(method:'GET', item:'/feed', port:port);
        spad_log(message:'Response from GET /feed: ' + obj_rep(res));
        if (!isnull(res))
        {
          if ('<nessus_type>Nessus' >!< res[2])
            exit(0, 'Server did not respond with expected Nessus Feed information.');

          if ('<feed>' >< res[2])
          {
            feed = strstr(res[2], '<feed>') - '<feed>';
            feed = feed - strstr(feed, '</feed>');
          }

          if ('<server_version>' >< res[2])
          {
            nasl_version = strstr(res[2], '<server_version>') - '<server_version>';
            nasl_version = nasl_version - strstr(nasl_version, '</server_version>');
          }

          if ('<web_server_version>' >< res[2])
          {
            web = strstr(res[2], '<web_server_version>') - '<web_server_version>';
            web = web - strstr(web, '</web_server_version>');
          }

          if ('<nessus_ui_version>' >< res[2])
          {
            version = strstr(res[2], '<nessus_ui_version>') - '<nessus_ui_version>';
            version = version - strstr(version, '</nessus_ui_version>');
          }

          if (!isnull(feed)) extra['Nessus Feed'] = feed;
          if (!isnull(web)) extra['Web Server Version'] = web;
          if (!isnull(nasl_version)) extra['NASL Version'] = nasl_version;

          install = register_install(
            app_name : app,
            vendor : 'Tenable',
            product : 'Nessus',
            version  : version,
            port     : port,
            path     : '/',
            webapp   : TRUE,
            extra    : extra,
            cpe    : 'cpe:/a:tenable:nessus');
        }
        else
        {
          spad_log(message:'Cannot access Nessus feed.');
        }
      }
    }
    else
    {
      spad_log(message:'Cannot access server/properties file.');
    }
  }
  else
  {
    spad_log(message:'Server header does not seem to be NessusWWW.');
  }
}

if (!isnull(install))
{
  report_installs(app_name:app, port:port);
  exit(0);
}
else
{
  # if we reach this point, none of the methods worked
  # given NTP is for legacy Nessus, we report on 
  # the HTTP-based detection
  audit(AUDIT_RESP_BAD, port);
}
21 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8