Tenable Network Security

When, how and why (not) to use Nmap within Nessus

Nmap is a popular open-source port scanner which can be used within Nessus instead of Nessus's own TCP scanner to conduct port scans. However, the interaction of Nmap and Nessus may yield poor results and bad performance on large networks.

Since many people were unknowingly misusing Nmap and Nessus (resulting in a bad perception of the two products), we have decided to remove the plugin nmap.nasl from the Nessus distribution. If you want to use Nmap within Nessus, read this document first.

This document explains the problems with using Nmap from within Nessus, why you may or may not want to use Nmap, and, if you do, the best way to use it.

How Nessus uses Nmap

Nessus is optimized to work with "plugins", which are updated daily and distributed with the Nessus feed. Plugins are implemented so that launching them costs almost no memory: the NASL interpreter is optimized so that launching a plugin uses only several kilobytes. The operating system is not involved when a plugin is created, which makes execution fast and efficient.

However, since Nmap is an external application, Nessus calls it by launching a special plugin which executes the nmap binary, and that is a costly operation. To make things worse, in the Nessus architecture each plugin is in charge of ONE host. This means that if you have configured Nessus to scan forty hosts at a time, there will be forty instances of Nmap running in memory.

Nmap, just like Nessus, is optimized to scan several hosts at the same time. Executing it for only one host is therefore inefficient and does not fit the model used by its developer. Since Nmap uses between 6 and 20 megabytes of memory per host (depending on the scanning options), the Nmap processes together will use between 240 and 800 megabytes of memory when Nessus is configured to scan 40 hosts in parallel. By contrast, Nessus or Nmap by themselves use much less memory (around 120 megabytes for forty hosts in parallel in the case of Nessus).

Spawning multiple processes from disk also negatively impacts operating system performance. Therefore, using Nmap from Nessus not only uses more memory, but the scan is slowed down considerably (often by a factor of 3).

Which port scanner to use?

Nessus comes with its own port scanner (Nessus TCP scanner, plugin ID #10335), which is optimized to work with Nessus. The Nessus TCP scanner is also self-tuning: it guesses the correct timing for each target, so when it is used to scan a mixed environment of both firewalled and unfirewalled hosts, no special option needs to be configured to get results in a decent amount of time.

If you are familiar with Nmap and want to use it for your scan, then run it from the command-line first, and save the results in 'grepable' output:

# nmap -n -sS -p1-65535 -oG nmap-results.txt 10.254.0.0/16

You can then import the results to Nessus directly (in the plugins preferences -> Nmap NASL Wrapper -> File containing Nmap results). This prevents Nessus from re-scanning your network. You will need the nmap.nasl plugin below.
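Because Nessus will rely on the imported file instead of scanning again, it is worth checking the file before import. The following is an added example, not Tenable's code: a small parser for the `nmap -oG` format that lists open ports per host and refuses a file without the closing "# Nmap done" line that Nmap writes when a scan finishes. The sample data, the function names and the idea of using the trailer as a completeness check are assumptions of this example.

```python
# Constructed sample in `nmap -oG` (grepable) format; hosts, ports and dates are illustrative.
SAMPLE = """\
# Nmap 5.21 scan initiated Mon Mar  1 10:00:00 2010 as: nmap -n -sS -p1-65535 -oG nmap-results.txt 10.254.0.0/16
Host: 10.254.0.5 ()\tStatus: Up
Host: 10.254.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)
Host: 10.254.0.9 ()\tStatus: Up
Host: 10.254.0.9 ()\tPorts: 3389/open/tcp//ms-term-serv///\tIgnored State: closed (65534)
# Nmap done at Mon Mar  1 10:42:00 2010 -- 65536 IP addresses (2 hosts up) scanned in 2520.00 seconds
"""

def parse_grepable(text):
    """Return ({host: [(port, proto, service), ...]}, complete) for -oG output."""
    hosts, complete = {}, False
    for line in text.splitlines():
        # Trailer written when the scan finishes (older releases said "run completed").
        if line.startswith(("# Nmap done", "# Nmap run completed")):
            complete = True
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")            # -oG separates fields with tabs
        host = fields[0].split()[1]          # "Host: <addr> (<name>)"
        ports = hosts.setdefault(host, [])   # hosts with no open port keep an empty list
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # port/state/protocol/owner/service/rpc-info/version/
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    ports.append((int(parts[0]), parts[2], parts[4]))
    return hosts, complete

def check_for_import(text):
    """Raise if the results look truncated; otherwise return the open ports per host."""
    hosts, complete = parse_grepable(text)
    if not complete:
        raise ValueError("no '# Nmap done' trailer: scan interrupted or file truncated")
    return hosts

if __name__ == "__main__":
    for host, ports in sorted(check_for_import(SAMPLE).items()):
        print(host, ", ".join(f"{p}/{proto} ({svc})" for p, proto, svc in ports) or "no open ports")
```

To check a real scan, pass the contents of nmap-results.txt to check_for_import() in place of SAMPLE.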

Finally, if you are only scanning a small number of hosts (fewer than five at a time), you may use the nmap.nasl plugin below to call the Nmap binary directly. In this case, make sure that Nmap is in your $PATH before launching it.

The Nmap Plugin

There are two plugins which can use or import Nmap's results in Nessus:

  • nmap.nasl lets you call nmap directly, or import the output of nmap -oG (grepable output)
  • nmapxml.nasl lets you import Nmap's XML results (nmap -oX), including the output of nmap -sV and the output of the Lua scripts
  • You can install both plugins if you wish
    # cp nmap.nasl /opt/nessus/lib/nessus/plugins/
    # cp nmapxml.nasl /opt/nessus/lib/nessus/plugins/
    
  • Restart nessusd:
    # killall nessusd (or "service nessusd stop")
    # /opt/nessus/sbin/nessus-service -D (or "service nessusd start")
    
  • Next time you connect to Nessus, look for the new port scanner (Nmap NASL Wrapper) displayed in your client. If it is not displayed, then it probably means that Nmap is not in your $PATH when you are starting nessusd.

© Copyright 2002 - 2010 Tenable Network Security(R). All Rights Reserved.

This is the web site for the Nessus Vulnerability Scanner from Tenable Network Security. If you are looking for the probabilistic analysis software from Southwest Research Institute, please visit www.nessus.swri.org