Integrating Nessus with BackTrack 5's Tools

BackTrack 5, code name "Revolution", is a very popular Linux distribution used primarily for penetration testing. It contains a lot of different tools for scanning, testing, and exploiting everything from web applications to wireless networks. Since the creators of BackTrack 5 included such a vast array of tools, I thought it would be interesting to show how some of those tools can be integrated with your Nessus server to extend functionality and import results.

Importing Nmap Results

There are many occasions where Nmap is used to scan specific hosts or a large network of hosts. The XML results from Nmap can be imported into Nessus and used as the basis for vulnerability scanning. If you are going to use Nmap results this way, you can disable Nessus's built-in port scanners and host identification functionality, relying solely on your Nmap results to perform the scan:

Next you will need to download the "nmapxml.nasl" script from the Tenable web site to your plugins directory:

Click for larger image

Next, re-index the plugins and restart Nessus, which will allow the new plugin to be read and show up in the "Preferences" tab:

Click for larger image

Once Nessus has restarted, you can import Nmap XML results using the following configuration screen:

For more information, see the article Using Nmap Within Nessus and the blog post Plugin Spotlight: Import Nmap XML Results Into Nessus.

When using this configuration, keep in mind that Nessus will only test the hosts and services reported by Nmap, even if you've specified additional targets when creating the scan.

Enabling Nikto

Nikto is a web application scanning tool that searches for misconfigurations, openly accessible web directories and a host of web application vulnerabilities. You can download Nikto from the CIRT web site. The first step to enable Nikto is to modify "/pentest/web/nikto/nikto.pl" and change the "configfile" variable to "/pentest/web/nikto/nikto.conf":

Click for larger image

This allows you to run the "nikto.pl" command from outside of the /pentest/web/nikto directory. Next, add "/pentest/web/nikto" to the system path:

Click for larger image

This will update the path for all services run on the host, which means when you start Nessus, nikto.pl will be in the path. The final step is to re-index the Nessus plugins (/opt/nessus/sbin/nessusd -y) and restart the Nessus service (/etc/init.d/nessusd restart). When you configure a policy, Nikto will be available in the preferences:

Click for larger image

Using Hydra

Hydra is already installed in the system path, which means it is available to Nessus "out-of-the-box" in BackTrack 5. Menu options to configure Hydra exists in the Nessus preferences when a policy is configured:

Click for larger image

You will need to supply your own username and password dictionaries. You can find some sample word dictionaries in the "/pentest/dictionaries" directory on the BackTrack 5 distribution. Be certain that you check "Always enable Hydra (slow)" in the Nessus configuration or Hydra will not run.

Conclusion

BackTrack 5 will save you some time by including all of the popular tools by default, which is quicker than downloading, installing and configuring all the tools yourself. Extending Nessus scans can come in handy when performing targeted scans against a small number of hosts. Use caution when enabling Nikto and Hydra to run scans against large networks, as they will add time to your scans. As for Nmap results, sometimes other people will run Nmap scans and want to enumerate vulnerabilities, and other times you may run Nmap yourself and decide later that a vulnerability scan is required, so the ability to import the results avoids duplication of effort.

References

• Plugin Spotlight: Import Nmap XML Results Into Nessus
• Integrating Hydra with Nessus Video
• Integrating Nikto with Nessus Video