Nessus Executor

Category: Network and Vulnerability Scanners
Script: nessus.py
Integration: REST API
Faraday Plugin: NessusPlugin
Website: https://www.tenable.com/products/nessus

Description

Connects to a Tenable Nessus Professional instance via its REST API, creates or locates an existing scan by name, launches it, waits for completion, exports the results in .nessus format, and parses them into Faraday.

This executor is designed for on-premise Nessus Professional installations. For Tenable's cloud platform, use the TenableIO executor instead.

Prerequisites

  • Tenable Nessus Professional installed and accessible over the network
  • Valid Nessus user credentials
  • Network access to the Nessus port (default: 8834)

Configuration

Environment Variables (Setup)

| Variable | Required | Description |
|---|---|---|
| NESSUS_USERNAME | Yes | Nessus account username |
| NESSUS_PASSWORD | Yes | Nessus account password |
| NESSUS_URL | Yes | Nessus server URL (e.g., https://nessus.local:8834) |

Execution Arguments

| Parameter | Type | Mandatory | Description |
|---|---|---|---|
| NESSUS_SCAN_TARGET | string | Yes | Target IPs, domains, or ranges (e.g., 192.168.1.0/24) |
| NESSUS_SCAN_NAME | string | No | Scan display name. If a scan with this name already exists, it will be relaunched |
| NESSUS_SCAN_TEMPLATE | string | No | Nessus scan template name (default: "basic") |
| NESSUS_URL | url | No | Override the setup URL for this execution |

YAML Configuration Example

executors:
  nessus_scan:
    repo_executor: nessus.py
    max_size: 65536
    varenvs:
      NESSUS_USERNAME: admin
      NESSUS_PASSWORD: "${NESSUS_PASS}"
      NESSUS_URL: "https://nessus.local:8834"
    params:
      NESSUS_SCAN_TARGET:
        mandatory: true
        type: string
        base: string
      NESSUS_SCAN_NAME:
        mandatory: false
        type: string
        base: string
      NESSUS_SCAN_TEMPLATE:
        mandatory: false
        type: string
        base: string

How It Works

  1. Authenticates with the Nessus API using username/password to obtain a session token
  2. Extracts the X-API-Token from the Nessus JavaScript bundle (nessus6.js)
  3. Searches for an existing scan matching NESSUS_SCAN_NAME
  4. If no matching scan is found, creates a new scan with the specified target and template
  5. Launches the scan and polls for completion
  6. Exports results in .nessus (XML) format
  7. Parses the export through NessusPlugin and outputs Faraday JSON
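
To make steps 6 and 7 concrete, the following added example (not the executor's or NessusPlugin's own code) reads a .nessus v2 export and flattens it into one record per finding. The sample XML is constructed, and the output dictionary layout and the parse_nessus name are assumptions for illustration, not Faraday's JSON schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a .nessus (NessusClientData_v2) export; not real scan output.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
<Report name="example-scan">
<ReportHost name="target-1.example">
<HostProperties><tag name="host-ip">192.168.1.10</tag></HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
  pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings"/>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
  pluginID="51192" pluginName="SSL Certificate Cannot Be Trusted" pluginFamily="General">
<solution>Purchase or generate a proper SSL certificate for this service.</solution>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>"""

SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

def parse_nessus(xml_text, min_severity=0):
    """Return one dict per ReportItem whose numeric severity is >= min_severity."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a .nessus v2 export: root is %r" % root.tag)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            findings.append({
                "host": props.get("host-ip", host.get("name")),  # prefer the IP tag
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": SEVERITY.get(sev, "unknown"),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings

if __name__ == "__main__":
    for finding in parse_nessus(SAMPLE_NESSUS, min_severity=1):
        print(finding)
```
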

Troubleshooting

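  • Self-signed SSL certificates: Nessus uses self-signed certs by default. The executor disables SSL verification and suppresses the resulting warnings (urllib3.disable_warnings). With verification off the connection is still encrypted, but the Nessus server's identity is not checked when NESSUS_USERNAME and NESSUS_PASSWORD are sent, so run the executor only over a network path to the Nessus host that you trust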
  • Scan templates: Template names must match exactly as they appear in the Nessus UI (e.g., "basic", "advanced", "discovery")
  • Existing scans: If NESSUS_SCAN_NAME matches an existing scan, that scan is relaunched with its original configuration