Monday, June 25, 2012

Host Identification in Dynamic Environments



I have been working a task in an environment that uses dynamic DHCP pools with a short lease, so at any given time scanning an IP could yield a different host. This can become problematic when scanning many hosts over time, not just when trying to get good coverage of the environment but also when it comes time to do reporting.

Many of us struggle with translating these dynamic results into a coherent report table.

This script uniques the vulnerabilities for a Risk Assessment report, with a few nice features. It works with multiple .nessus files at the same time, and when rolling up the results it also uniques the host list, linking each vulnerability to the best host detail the scan report can offer, in the following order:
  • FQDN
  • MAC Address
  • IP Address
While these networks can be a challenge to analyze, my hope is that this script will make reporting a little less stressful.

Run it with the following command line:

java -Xms32m -Xmx1024m XMLTable *.nessus > output.[html/xls]

You may not need the extra memory (-Xms32m -Xmx1024m) if you are only running this against a few files. I often merge over 100 .nessus files in a run.

** Keep in mind that some hosts have multiple MAC addresses, and Nessus will report all of them in a lot of cases, so if the best data available was the MAC address then you may get more than one. You can recognize these because they are not delimited by commas, which tells you this is one host. **
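The roll-up and identifier preference described above, sketched in Python as an added example; it is not the XMLTable source. It assumes the `host-fqdn`, `mac-address` and `host-ip` tags found under `HostProperties` in .nessus v2 files. Joining multiple MACs with spaces and sorting them are choices made here, and the scan data is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data in .nessus v2 layout (not real scan output).
# The host with MAC ...:01 appears at a different DHCP address in each scan.
SCAN_A = """<NessusClientData_v2><Report name="scan-a">
<ReportHost name="10.0.0.21"><HostProperties>
<tag name="host-ip">10.0.0.21</tag><tag name="mac-address">00:11:22:aa:bb:01</tag>
</HostProperties><ReportItem pluginID="90001" pluginName="Sample finding A"/></ReportHost>
<ReportHost name="10.0.0.30"><HostProperties>
<tag name="host-fqdn">files.corp.example</tag><tag name="mac-address">00:11:22:aa:bb:02</tag>
</HostProperties><ReportItem pluginID="90001" pluginName="Sample finding A"/></ReportHost>
</Report></NessusClientData_v2>"""
SCAN_B = """<NessusClientData_v2><Report name="scan-b">
<ReportHost name="10.0.0.57"><HostProperties>
<tag name="host-ip">10.0.0.57</tag><tag name="mac-address">00:11:22:aa:bb:01</tag>
</HostProperties><ReportItem pluginID="90001" pluginName="Sample finding A"/></ReportHost>
<ReportHost name="10.0.0.60"><HostProperties><tag name="mac-address">00:11:22:aa:bb:04
00:11:22:aa:bb:03</tag>
</HostProperties><ReportItem pluginID="90001" pluginName="Sample finding A"/></ReportHost>
<ReportHost name="10.0.0.99"><HostProperties><tag name="host-ip">10.0.0.99</tag>
</HostProperties><ReportItem pluginID="90002" pluginName="Sample finding B"/></ReportHost>
</Report></NessusClientData_v2>"""

def best_id(report_host):
    """Pick FQDN, then MAC address(es), then IP, the order the post gives."""
    props = {t.get("name"): (t.text or "").strip()
             for t in report_host.iterfind("HostProperties/tag")}
    if props.get("host-fqdn"):
        return props["host-fqdn"].lower()
    if props.get("mac-address"):
        # One host, several MACs: joined with spaces, never commas.
        return " ".join(sorted(props["mac-address"].lower().split()))
    return props.get("host-ip") or report_host.get("name")

def roll_up(documents):
    """Map (pluginID, pluginName) to the sorted, de-duplicated host list."""
    table = defaultdict(set)
    for doc in documents:
        for rh in ET.fromstring(doc).iter("ReportHost"):
            for item in rh.iterfind("ReportItem"):
                key = (item.get("pluginID"), item.get("pluginName"))
                table[key].add(best_id(rh))
    return {key: sorted(hosts) for key, hosts in table.items()}

if __name__ == "__main__":
    for (pid, name), hosts in roll_up([SCAN_A, SCAN_B]).items():
        print(pid, name, ", ".join(hosts), sep=" | ")
```

The laptop scanned at 10.0.0.21 and again at 10.0.0.57 collapses to a single entry keyed by its MAC, while the two-MAC host shows up as one space-separated entry inside the comma-separated host list.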


