To activate a Nessus instance that lacks direct internet access.
From an operational security perspective, this process is vital. It ensures that licenses are not easily pirated, protecting the intellectual property of the vendor. More importantly, it ensures that the user is running an authentic, unaltered version of the scanner. If the nessuscli binary were tampered with or replaced by a malicious actor, the challenge-response mechanism would likely fail, preventing a compromised tool from being used to audit a secure network.
Challenge Code: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
or run the full path command based on your operating system: Linux: # /opt/nessus/sbin/nessuscli fetch --challenge To activate a Nessus instance that lacks direct
The subsequent step—which usually occurs on the vendor’s website—involves combining this challenge string with the purchased activation code. The vendor’s system validates the request and generates a corresponding "response string." When this response string is fed back into the offline Nessus server (usually via nessuscli fetch --challenge <code> ), the server validates the digital signature. This completes the circle of trust. The server now knows it has a legitimate license, and the vendor knows that a legitimate installation has been activated.
To generate the code, you must have administrative privileges on the server where Nessus is installed.
The command will return a long alphanumeric string similar to this: Challenge code: aaaaaa11b2222cc33d44e5f6666a777b8cc99999 . More importantly, it ensures that the user is
This code is a "fingerprint" of your specific installation. It does not contain your license data but is used by Tenable to lock a license file to your specific hardware. Next Steps After Fetching the Code
To understand the significance of this command, one must first understand the context of the Nessus scanner. Developed by Tenable, Nessus is one of the most widely deployed vulnerability scanners in the world. To function fully, the scanner requires a valid license or activation code to download the latest plugins—the scripts that allow it to detect specific vulnerabilities. In a standard, internet-connected environment, this process is often automated and invisible to the user. However, in high-security environments—such as government agencies, financial institutions, or isolated operational technology (OT) networks—systems are often "air-gapped," meaning they have no direct connection to the outside internet.
: After running the command, you'll see an output that typically includes a challenge code. The output might look something like this: The vendor’s system validates the request and generates
A URL to download the latest (e.g., all-2.0.tar.gz ).
You must copy this code and enter it along with your Activation Code on the Nessus Offline Registration Page to generate a license file. Platform-Specific Paths