Nessus Plugin for taking screenshots of discovered web services

Jan 25, 2025 3 min read
Nessus Plugin for taking screenshots of discovered web services

In this article, I will show how to extend the capabilities of the Nessus scanner using a plugin written in NASL (Nessus Attack Scripting Language). This plugin automatically takes screenshots of discovered web services during the scan. This functionality was often missing in Nessus, which is why I created a plugin that allows adding these screenshots to the report.

The plugin works in headless Google Chrome mode, taking a screenshot of the discovered HTTP or HTTPS service and saving it to a PNG file. After capturing the screenshot, the file is attached to the Nessus report. Thanks to this plugin, I can immediately see how the discovered web service looks in the report. It’s similar to the EyeWitness tool, but integrated directly into Nessus. This way, I save time during the identification of discovered services.

Installing the Plugin

First, you need to download and install Google Chrome:

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo dpkg -i ./google-chrome-stable_current_amd64.deb

Then, copy the plugin to the appropriate directory with other plugins:

sudo cp create_www_screenshot.nasl /opt/nessus/lib/nessus/plugins

Next, disable the plugin signature verification and recompile all plugins:

sudo /opt/nessus/sbin/nessuscli fix --set nasl_no_signature_check=yes
sudo /opt/nessus/sbin/nessusd -R

Finally, restart the Nessus service:

systemctl restart nessusd

What Does the Code Do?

The script starts by setting basic information such as its ID, version, modification date, and category:

script_id(998877);
script_version("1.0");
script_set_attribute(attribute:"plugin_modificaton_date", value: "2025/01/25");
script_name(english: "Create www service screenshot");
script_set_attribute(attribute:"solution", value:"n/a");
script_set_attribute(attribute:"risk_factor", value:"None");
script_set_attribute(attribute:"description", value: "Capture screenshots of identified web services and automatically attach them to the Nessus scan report");
script_summary(english: "Capture screenshots of identified web services and automatically attach them to the Nessus scan report");
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright("This script is Copyright (C) 2025 and is owned by Michal Walkowski <michal.walkowski at pwr.edu.pl");

Then, the script checks if other required plugins are loaded, such as those responsible for detecting web services, HTTP version, and SSL/TLS support:

script_dependencies("find_service.nasl", "http_version.nasl", "http_info.nasl", "ssl_supported_versions.nasl");
script_require_keys("Services/www");
script_require_ports("Services/www", 80);

Based on the detected service, the script automatically selects the protocol (HTTP or HTTPS):

proto = "http";
if(get_port_transport(port) > ENCAPS_IP)
  proto = "https";

When everything is ready, the script takes a screenshot of the main page of the discovered service and saves it as a PNG file:

pread(cmd:"google-chrome", argv:make_list("google-chrome", "--no-sandbox", "--headless", "--disable-gpu", "--ignore-certificate-errors", "--reduce-security-for-testing", "--disable-web-security", "--window-size=1920,1200", "--virtual-time-budget=1000", "--screenshot=" + img_file, proto + "://" + host_ip + ":" + port));

After taking the screenshot, the script reads the file and attaches it to the Nessus report:

attachments = make_list();
attachments[0] = make_array();
attachments[0]["type"] = "image/png";
attachments[0]["name"] = proto + ".png";
attachments[0]["value"] = r;
security_report_with_attachments(level:0, port:port, extra:"", attachments:attachments);

The full plugin code can be found here.

Demo

After properly importing the plugin, a new plugin called Create www service screenshot will appear under the Misc category:

Fig 1. Properly loaded Nessus plugin.
Fig 1. Properly loaded Nessus plugin.

After the scan finishes, a screenshot of the discovered web service will appear as an attachment in the Nessus report:

Fig 2. Screenshot attachment in the report.
Fig 2. Screenshot attachment in the report.

After downloading the attachment, we get the screenshot of the discovered web service.

Summary

Thanks to this Nessus plugin, I can instantly get screenshots of discovered web services in my report. It’s a convenient and time-saving solution that is very useful during security audits. With this plugin, I no longer need to use additional tools like EyeWitness to visualize discovered services.

Nessus plugin Web scanning Scan report Vulnerability scanning