Monday, June 25, 2012

Nessus OneLiners

http://blog.tenablesecurity.com/2009/05/user-poll-your-favorite-nessus-results.html - Some of this code made it on the Nessus blog at the link above.

-----

Over the past years I have come up with a batch of handy one-liners for parsing Nessus NBE output. I thought this would be a good time to roll them all up into a post.

A lot of this can be done with more complex work inside Nessus in the current versions. I am a fan of a handy one command.

Most of these items are simple but I get asked a lot for my method for things like counting the unique vulnerabilities in a scan etc.

-----

What IP addresses are covered by the NBE?

(**You need to turn on log live hosts in the ‘Advanced’, ‘Ping the Remote Host’, options screen.**)

grep '|10180|' filename.nbe | awk -F '|' '{print $3}' | sort -u

Ok, that's just great, now what type of network samples am I looking at?

grep '|11936|' filename.nbe | awk -F '|' '{print $3, $7}' | awk -F '\\' '{print $2}' | sed 's/nRemote operating system : //' | sort | uniq -c

(The NBE output field stores line breaks as the two characters \n, which is why the second awk splits on a backslash; the backslash is doubled so awk treats it as a literal separator rather than an escape.)

Ok, that's all great, but which host belongs to which group?

grep '|11936|' filename.nbe | awk -F '|' '{print $3, $7}' | awk -F '\\' '{print $1, $2}' | sed 's/  nRemote operating system :/,/' | sort -u

If you do not turn on log live hosts you can use the following command to see what was scanned, but depending on the plugins used, some signatures will report scanned addresses that were not actually live.

awk -F '|' '{print $3}' filename.nbe | sort -u

---

Once you have the list of what was scanned, you can test it against an inventory for coverage with the following command:
(Note: run the compare in both directions to find missed hosts or extra hosts.)

grep -x -v -f scan.txt inventory.txt

----

Quick Summary Counts (unique plugin IDs per severity):


grep '|Security Hole|' *.nbe | awk -F '|' '{print $5}' | sort -u | wc -l
grep '|Security Warning|' *.nbe | awk -F '|' '{print $5}' | sort -u | wc -l
grep '|Security Note|' *.nbe | awk -F '|' '{print $5}' | sort -u | wc -l
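The same checks (live hosts, OS tally, unique plugin counts per severity, coverage against an inventory) written as a small NBE parser. This is an added example, not code from the original post; plugin IDs 10180 and 11936 come from the post, while the other plugin IDs, hosts and the sample records are constructed.

```python
import re
from collections import Counter

# Constructed sample NBE records (not a real scan). Field layout is
# results|subnet|host|port|plugin_id|severity|output, and line breaks
# inside the output field are stored as the two characters "\n".
# Plugin IDs 12345 and 23456 are made up for the example.
SAMPLE_NBE = r"""timestamps|||scan_start|Mon Jun 25 10:00:00 2012|
results|192.168.1|192.168.1.10|general/icmp|10180|Security Note|Ping the remote host\nThe remote host is up
results|192.168.1|192.168.1.10|general/tcp|11936|Security Note|\nRemote operating system : Linux Kernel 2.6\nConfidence Level : 70
results|192.168.1|192.168.1.10|www (80/tcp)|10107|Security Note|HTTP Server type and version
results|192.168.1|192.168.1.10|www (80/tcp)|12345|Security Hole|Synopsis :\nExample hole
results|192.168.1|192.168.1.20|general/icmp|10180|Security Note|Ping the remote host\nThe remote host is up
results|192.168.1|192.168.1.20|general/tcp|11936|Security Note|\nRemote operating system : Microsoft Windows XP\nConfidence Level : 90
results|192.168.1|192.168.1.20|smb (445/tcp)|12345|Security Hole|Synopsis :\nExample hole
results|192.168.1|192.168.1.20|smb (445/tcp)|23456|Security Warning|Example warning
"""

def parse_nbe(text):
    """Yield one dict per 'results' record; other record types are skipped."""
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 7:
            continue
        # The output field may itself contain '|', so rejoin everything past the 6th separator.
        output = "|".join(fields[6:]).replace("\\n", "\n")
        yield {"host": fields[2], "port": fields[3], "plugin": fields[4],
               "severity": fields[5], "output": output}

def live_hosts(records):
    """Hosts reported up by the ping plugin (10180), like the grep '|10180|' one-liner."""
    return sorted({r["host"] for r in records if r["plugin"] == "10180"})

def os_tally(records):
    """Count of detected operating systems from plugin 11936 output."""
    tally = Counter()
    for r in records:
        if r["plugin"] != "11936":
            continue
        m = re.search(r"^Remote operating system : (.*)$", r["output"], re.M)
        tally[m.group(1).strip() if m else "unknown"] += 1
    return tally

def unique_plugins_by_severity(records):
    """Unique plugin IDs per severity, like the three summary-count one-liners."""
    return {sev: len({r["plugin"] for r in records if r["severity"] == sev})
            for sev in ("Security Hole", "Security Warning", "Security Note")}

def coverage_gaps(scanned, inventory):
    """(missed, extra): the grep -x -v -f comparison run in both directions."""
    return sorted(set(inventory) - set(scanned)), sorted(set(scanned) - set(inventory))
```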


----
Scrub the ‘Plugin Output:’ from the Details blob for reporting:

sed 's/Plugin output :/#Plugin output :/g' filename.nbe | sed 's/CVE :/#CVE :/g' | sed 's/Other references :/#Other references :/g' | awk -F '#' '{print $1, $3, $4}'

I will try and keep adding to this as I find useful one liners or if someone asks for additional detail on methods used in my reports.

cheers
JSN
