
I have a perl script using the Net::Nessus::REST module. Currently I'm using:

$nessus->create_session(
    username => $NESSUSUSER,
    password => $NESSUSPASSWORD
);

this bit of code to create a session token. This works great so long as my scans complete within 30 minutes. After 30 minutes the session token expires and I get this error message.

server error: Invalid Credentials at nessus.pl line 68

Unless somebody knows a way to set the timeout to something like 86400 seconds, I would like to use the API Access/Secret Key that I generate. The only problem I have is that I cannot find an example of how to do this with some bit of perl script using the Net::Nessus::REST module. Could somebody help me with the bit of API Key code that I could swap in for the create_session example above?

Thanks,

Alby
  • Did you peruse the local documentation within the [method's doc section](https://metacpan.org/pod/Net::Nessus::REST#$nessus-%3Ecreate_session(username-=%3E-$username,-password-=%3E-$password))? Apparently, it may provide insight. I don't have a Nessus server, so I can't view it myself. – stevieb Feb 21 '17 at 03:51
  • Thanks for the tip StevieB, I checked these before posting and I don't see anything about API Keys, just token sessions. I'm hoping that I've overlooked something. – Alby Feb 21 '17 at 04:21
  • I found a way around the 30 minute timeout by changing the xmlrpc_idle_session_timeout setting and restarting Nessus. In short, I can go back to using session tokens. But I'd still like to know how to use API Keys vs. session tokens. – Alby Feb 21 '17 at 04:41
  • Can't you just refresh the session? Or are _your scans_ one command and then it goes and does stuff on its own? – simbabque Feb 21 '17 at 06:22

1 Answer


It really is rather simple; you have to include an HTTP header "X-ApiKeys" in each request:

Java:

con.setRequestProperty("X-ApiKeys", "accessKey="+YourAccKey+";secretKey="+YourSecKey+";");

Curl:

curl -X POST -H 'X-ApiKeys: accessKey=YOURKEY;secretKey=YOURSECRET' -H 'Content-Type:application/json' \
    --data '{"scan_id":"21", "alt_targets":["127.0.0.1"]}' \
    -k "https://NessusServerIp:8834/scans/21/launch" | python -m json.tool

This will do all the magic.


For more info check out the API-Docu [ -> https://YourNessusIP:8834/api#/authorization ] :

API Keys These keys are generated per account through Nessus.session: keys or Nessus.users: keys and can be used to authenticate without creating a session. Add them to your request using the following HTTP header:

X-ApiKeys: accessKey={accessKey}; secretKey={secretKey};

Example:

curl -H "X-ApiKeys: accessKey={accessKey}; secretKey={secretKey}" https://{nessus-host}/scans

Gewure
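The same X-ApiKeys approach carried over to Perl, as an added example that is not the asker's script and not part of Net::Nessus::REST: it uses LWP::UserAgent and JSON::PP directly, which is the client the module wraps. The environment variable names, the 60-second poll interval and the terminal scan status values it checks are assumptions for this example.

```perl
# Added example: talk to the Nessus REST API from Perl with the X-ApiKeys header
# instead of create_session(), so there is no session token to expire mid-scan.
use strict;
use warnings;
use LWP::UserAgent;
use JSON::PP qw(encode_json decode_json);

# Assumed configuration: URL, keys and CA file come from the environment so
# the secret key never sits in the script (variable names chosen here).
my $base       = $ENV{NESSUS_URL}        || 'https://localhost:8834';
my $access_key = $ENV{NESSUS_ACCESS_KEY} or die "NESSUS_ACCESS_KEY not set\n";
my $secret_key = $ENV{NESSUS_SECRET_KEY} or die "NESSUS_SECRET_KEY not set\n";

# Header format from the scanner's own docs: https://{nessus-host}:8834/api#/authorization
my $api_keys = "accessKey=$access_key; secretKey=$secret_key;";
# Verify the server certificate against the scanner's CA or exported cert
# (NESSUS_CA_FILE) instead of disabling checks the way curl -k does.
my $ua = LWP::UserAgent->new(
    timeout  => 60,
    ssl_opts => { verify_hostname => 1, SSL_ca_file => $ENV{NESSUS_CA_FILE} },
);
$ua->default_header('X-ApiKeys' => $api_keys);   # attached to every request

# Send one request and return the decoded JSON body, or die with the status.
sub nessus_request {
    my ($method, $path, $payload) = @_;
    my $req = HTTP::Request->new($method => "$base$path");
    if (defined $payload) {
        $req->header('Content-Type' => 'application/json');
        $req->content(encode_json($payload));
    }
    my $res = $ua->request($req);
    die "$method $path failed: " . $res->status_line . "\n" unless $res->is_success;
    return length $res->content ? decode_json($res->content) : {};
}

# GET /scans: same call as the answer's curl example.
my $scans = nessus_request(GET => '/scans');
printf "%-6s %-40s %s\n", $_->{id}, $_->{name}, $_->{status} for @{ $scans->{scans} || [] };

# POST /scans/{scan_id}/launch, then poll GET /scans/{scan_id} until it ends;
# a run longer than 30 minutes no longer invalidates the credentials.
my $scan_id = $ARGV[0] or die "usage: $0 <scan_id>\n";
my $launch  = nessus_request(POST => "/scans/$scan_id/launch", {});
print "launched scan_uuid=$launch->{scan_uuid}\n";
while (1) {
    sleep 60;
    my $status = nessus_request(GET => "/scans/$scan_id")->{info}{status} // 'unknown';
    print "status: $status\n";
    last if $status =~ /^(?:completed|canceled|aborted)$/;   # assumed terminal states
}
```

API keys carry the full privileges of the account that generated them, so the same 30-minute idle timeout that bit the session token does not apply to them; keep them out of source control and rotate them from the Nessus user settings if a script that holds them is ever exposed.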