Metasploit gives penetration testers flexibility because it supports some of the most important tools, such as Nessus and Nmap, from inside the framework. You can initiate Nessus scans directly from the Metasploit console, import existing scans and operate Nessus without leaving the framework.
The main advantage is that information is centralized between these tools, since Nessus and Nmap scans are stored in the Metasploit database in an organized manner. It is therefore possible to launch a Nessus scan via Metasploit, identify a vulnerability and then execute the appropriate exploit without leaving the framework, which saves pentesting time.
The first step is to start the PostgreSQL database and connect it to Metasploit:
If the database has not been created yet, you can initialize it with the following command:
Then you can load the Nessus plugin:
Before you can operate Nessus via Metasploit you need to authenticate with your existing credentials:
Metasploit requires the policy UUID to create a new Nessus scan, and the scan ID to execute it:
When the scan is finished the list of vulnerabilities that Nessus has discovered can be generated:
Metasploit can also break down the number of findings by host and criticality:
Existing Nessus scans can also be imported into Metasploit.
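The steps above as a single msfconsole session. This is an added example, not output from the original post; the account, host, scan name, targets and the UUID/ID values are placeholders, and 8834 is the default Nessus port.

```msfconsole
# Added example. Values in <ANGLE_BRACKETS> are placeholders to fill in.
# From the OS shell, before starting msfconsole:
#   service postgresql start
#   msfdb init              # only if the database has not been created yet

db_status                   # confirm msfconsole is connected to PostgreSQL
load nessus                 # load the Nessus bridge plugin

# Authenticate to the Nessus server with an existing account
nessus_connect <USER>:<PASSWORD>@<NESSUS_HOST>:8834

# Create the scan: the policy UUID comes from the policy list
nessus_policy_list
nessus_scan_new <POLICY_UUID> <SCAN_NAME> <DESCRIPTION> <IN_SCOPE_TARGETS>

# Launch it: the scan ID comes from the scan list
nessus_scan_list
nessus_scan_launch <SCAN_ID>
nessus_scan_list            # re-run until the scan shows as completed

# Review the results inside Nessus' own report views
nessus_report_vulns <SCAN_ID>    # vulnerabilities found by the scan
nessus_report_hosts <SCAN_ID>    # findings per host, split by severity

# Pull the finished scan into the Metasploit database
nessus_db_import <SCAN_ID>
hosts                       # hosts now stored in the workspace
vulns                       # vulnerabilities now stored in the workspace
```

Because `nessus_connect` takes the password as an argument, use a dedicated Nessus account for this rather than an administrator's.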
Running Nessus or Nmap via Metasploit in a large pentest helps the penetration tester manage results effectively, save project time and therefore conduct a quality assessment.