Channel: Active questions tagged nessus - Stack Overflow
Viewing all 232 articles

Powershell: extracting a comma-separated list of IPs?

I'm dealing with a .csv export from Nessus, where essentially I have a column of Host IPs and a column with Plugin IDs.

My customer wants an output where, for example, Plugin X would be in a column, and then next to it would be a comma separated list of affected Host IPs, and then next to THAT would be a count of the affected Host IPs.

Pic of what I'm looking for

After importing the Nessus CSV with Powershell, I was able to start to get what I needed with this:

$allfiltered | select-object 'Host IP','Plugin ID' | Where-Object 'Plugin ID' -like "57041" | Format-Table -Property  'Plugin ID','Host IP'

This gives me an output like this:

57041     10.1.1.1
57041     10.1.1.2
57041     10.1.1.3
57041     10.1.1.4
57041     10.1.1.5
57041     10.1.1.6
57041     10.1.1.7

But as you can see, I have a long way to go to pull this into the output I need (see pic above).

I think I'm eventually going to need a for loop to get all the plugin values assessed, but I need to figure out how to essentially query for "Take all IPs that match plugin X and place them into a comma separated list" and go from there.

Can you help steer me in the right direction?

-B


How to change Policy Scan type using nessus API?

I am following the documentation present at https://localhost:8834/api/# for Nessus. I listed policies and created a new scan with the template uuid set to the "Host Discovery" uuid fetched from the policies list. The problem is that it creates the new scan with discovery scan type custom. I am not able to figure out how to change it.

Curl and Nessus API (Session Hijacking)

I am currently working with Nessus Automation using the API. I prefer to use CURL for the requirement. I see that every time I get data from Nessus, I need to use a token (session id). If I send this token with the GET method, won't it lead to session hijacking? What could be the solution to avoid such a problem and have proper security?

https://cloud.tenable.com/api

How can I send nessus log over syslog?

I've been asked to send the logs from a Nessus scanner remotely to a syslog server, but I can't find a way to bind it to syslog.

Is there a way to do it?

Unable to automate scan with Nessus 7 professional

I am evaluating the product Nessus 7 to perform vulnerability scans on the systems in my network. I am able to perform the scans successfully, but I am unable to automate it with a Python nessrest client. The following error is thrown by the nessrest client. Please help me out with this issue. Thank you.

 *****************START ERROR*****************
 JSON    :
 {"uuid": "ab4bacd2-05f6-425c-9d79-3ba3940ad1c24e51e1f403febe40", 
 "settings": {"text_targets": "targetIp", "file_targets": "", 
 "folder_id": 82, "description": "Created with REST API", "filters": [], 
 "launch": "ON_DEMAND", "scanner_id": "1", "emails": "", "filter_type": "", 
 "name": ""}}
 {}
 HEADERS :
 {'X-Cookie': 'token=1c1c4f11e325eb19440feaaf04706d1265f347d105a06f44', 
 'Content-type': 'application/json', 'Accept': 'text/plain'}
 URL     : https://ipaddress:8834/scans 
 METHOD  : POST
 RESPONSE: 412


 {
   "error": "API is not available"
 }


 ******************END ERROR******************
 Traceback (most recent call last):
 File "nessrest.py", line 1, in <module>
      import nessrest
 File "C:\Users\ballalc\nessrest.py", line 8, in <module>
      scan.scan_add(targets="ipaddress")
 File "C:\Users\ballalc\ness6rest.py", line 705, in scan_add
      self.scan_uuid = self.res["scan"]["uuid"]
 KeyError: 'scan' 

How can I use nessrest api (python) to export nessus scan reports in xml?

I am trying to automate the running and downloading of Nessus scans using Python. I have been using the nessrest API for Python, and am able to successfully run a scan, but am not able to successfully download the report in nessus format.

Any ideas how I can do this? I have been using the module scan_download, but that actually executes before my scan even finishes.

Thanks for the help in advance!

Linq XML Xelement with Namespace Returns Null

I am parsing a .nessus file generated from an offline config file audit. I've set up a Linq for the ReportItem node and verified the namespace works, but when I try to get the cm:compliance-solution value it returns null (verified there is a value in this element also).

This is the Linq I'm using--fixText variable is the problem (verified by commenting out all others)

XElement xelement = XElement.Load(fileName);
IEnumerable<XElement> findings = xelement.Elements();
XNamespace ns = xelement.GetNamespaceOfPrefix("cm");

var findingDetails = from f in findings.Descendants("ReportItem")
             select new
                 {
                      title = f.Element(ns + "compliance-check-name").Value,
                      description = f.Element("description").Value,
                      vulLevel = f.Element(ns + "compliance-result").Value,
                      fixText = f.Element(ns + "compliance-solution").Value,
                      testID = f.Element(ns + "compliance-check-id").Value,
                      source = f.Element(ns + "compliance-audit-file").Value
                 };

Here is a sample .nessus file I'm working from:

<?xml version="1.0" ?>
<NessusClientData_v2 xmlns:cm="http://www.nessus.org/cm">
<Policy><policyName>Offline Config Audit</policyName>
</Policy>
<Report name="Router">
<ReportHost name="router-001.config"><HostProperties>
<tag name="source_type">offline_audit</tag>
<tag name="source_name">Cisco</tag>
<tag name="operating-system">Cisco IOS</tag>
<tag name="host-fqdn">router-001</tag>
<tag name="HOST_END">Fri Jun 29 09:56:38 2018</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="2" pluginID="46689" pluginName="Cisco IOS Compliance Checks" pluginFamily="Policy Compliance">
<compliance>true</compliance>
<fname>cisco_compliance_check.nbin</fname>
<plugin_modification_date>2018/05/31</plugin_modification_date>
<plugin_name>Cisco IOS Compliance Checks</plugin_name>
<plugin_publication_date>2010/05/17</plugin_publication_date>
<plugin_type>local</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 1.278 $</script_version>
<cm:compliance-check-name>NET-VLAN-024 - Restricted VLAN not assigned to non-802.1x device.</cm:compliance-check-name>
<description>&quot;NET-VLAN-024 - Restricted VLAN not assigned to non-802.1x device.&quot; : [WARNING] The SA will ensure a packet filter is implemented to filter the enclave traffic to and from printer VLANs to allow only print traffic.

 A firewall rule set can filter network traffic within the printer VLAN to only expected printer protocols. The SA managing the local enclave should identify the printer port traffic within the enclave. Ports commonly used by printers are typically tcp port 515, 631, 1782 and tcp ports 9100, 9101, 9102 but others are used throughout the industry. The SA can review RFC 1700 Port Assignments and review printer vendor documents for the filter rule-set.

 NOTE: This check is derived from the L3 switch guidance, if the scan target is a router the check can be ignored.
 NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution : 

Define the filter on the VLAN ACL or build a firewall ruleset to accomplish the requirment.

See Also : 

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R28_STIG.zip

Reference(s) : 

8500.2|ECND-2,CAT|II,Rule-ID|SV-20089r1_rule,STIG-ID|NET-VLAN-024,Vuln-ID|V-18545 </description>
<cm:compliance-audit-file>DISA_STIG_Cisco_Perimeter_Router_L3_Switch_V8R28.audit</cm:compliance-audit-file>
<cm:compliance-check-id>acfebcd97143973eabbc5132d9035dcc</cm:compliance-check-id>
<cm:compliance-info>The SA will ensure a packet filter is implemented to filter the enclave traffic to and from printer VLANs to allow only print traffic.

 A firewall rule set can filter network traffic within the printer VLAN to only expected printer protocols. The SA managing the local enclave should identify the printer port traffic within the enclave. Ports commonly used by printers are typically tcp port 515, 631, 1782 and tcp ports 9100, 9101, 9102 but others are used throughout the industry. The SA can review RFC 1700 Port Assignments and review printer vendor documents for the filter rule-set.

 NOTE: This check is derived from the L3 switch guidance, if the scan target is a router the check can be ignored.
 NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
</cm:compliance-info>
<cm:compliance-result>WARNING</cm:compliance-result>
<cm:compliance-reference>8500.2|ECND-2,CAT|II,Rule-ID|SV-20089r1_rule,STIG-ID|NET-VLAN-024,Vuln-ID|V-18545
</cm:compliance-reference>
<cm:compliance-solution>Define the filter on the VLAN ACL or build a firewall ruleset to accomplish the requirment.
</cm:compliance-solution>
<cm:compliance-see-also>https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R28_STIG.zip
</cm:compliance-see-also>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>

Error Details:

System.NullReferenceException
HResult=0x80004003
Message=Object reference not set to an instance of an object.

Ansible win_package stuck forever

I am using win_package module for installing "Nessus" in Windows 2016 server. But whenever I execute it, it hangs forever without response. Even after waiting for an hour, there is no response.

I have already kept Nessus installer in Windows server directory as mentioned in the code.

Please help.

Playbook main file:

---
- name: Windows Install Nessus
  gather_facts: yes
  hosts: windows
  vars_files:
  - /etc/ansible/vars/Win_Vars.yml
  tasks:
  - import_tasks: Install_Nessus.yml

Playbook Task file (Install_Nessus.yml):

- name: Install Nessus in Windows server
  win_package:
    path: C:\temp\Nessus-8.0.1-x64.msi
    state: present

Output:

[root@localhost ansible]# ansible-playbook Win_Nessus_Install.yml
[DEPRECATION WARNING]: DEFAULT_ASK_SUDO_PASS option, In favor of Ansible Become, which is a generic framework. See become_ask_pass. , use become instead. This feature will be removed in version 2.8. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: The sudo command line option has been deprecated in favor of the "become" command line arguments. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
SSH password:
SUDO password[defaults to SSH password]:

PLAY [Windows OS Basic Settings2]

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
ok: [target_windows]

TASK [Install Nessus in Windows server]



How can I get the reproduce/test procedure for the vulnerabilities reported by NESSUS?

My NESSUS scanning gives report that there are vulnerabilities in my host, such as:

>     Vulnerabilities by Plugin
>     **11801 (1) - HTTP Method Remote Format String**
>     **Synopsis**
>     It is possible to execute code on the remote host through the web server.
>     **Description**
>     The remote web server seems to be vulnerable to a format string attack on the method name. An attacker might use this flaw to make it crash or even execute arbitrary code on this host.
>     **Solution**
>     Upgrade your software or contact your vendor and inform him of this vulnerability.

I expect that the tool should give the detailed HTTP request used that can crash my HTTP server, but it is not included in the report. So I am having difficulty investigating/remedying this vulnerability.

Please help to suggest how I can figure out the http request used which can crash my server? Can the NESSUS tool have this information provided?

Is there a way to get the MS KB associated with a [Tenable] Nessus plugin ID?

I have a large CSV file containing a list of Nessus plugin IDs. I'd like to know if there's an API you can call (via Powershell maybe?) that can tell if the plugin is associated with an MS KB, and if so, what the KB number is. I did a search but didn't find anything close in the tenable.com forum.

Nessus File upload REST API

I'm trying to upload an exported scan (.nessus) file to a Nessus Community Edition server using python and the Nessus REST API (func POST /file/upload) however I keep getting the response null like this {"fileuploaded":null} in the response.

I can't seem to see in the API docs what else could be required.

def upload_scan_file(_path):
    _url = url+"/file/upload"
    _head['Content-type'] = ''
    _files = {"file": open(_path, 'rb'), "no_enc" : "0"}
    r = requests.post(_url, headers=_head, verify=False, files=_files)
    return r.text

The reason I unset the Content-type key in the headers dict is that I get a {'error': Content-type: application/json not supported'}

_path contains the file path.

_head is a dict of header values that I use to query all the other information.

Any help would be appreciated.

Get specific element data from xml

I am trying to parse a Nessus XML report and am trying to get the specific description and plugin_output but can't seem to get it for some reason.

I have the following xml data:

<ReportHost name="WebServerA.internal">
<HostProperties>
<tag name="cpe-1">cpe:/a:microsoft:iis:8.5</tag>
<tag name="cpe">cpe:/o:microsoft:windows</tag>
<tag name="patch-summary-total-cves">14</tag>
<tag name="cpe-0">cpe:/o:microsoft:windows_server_2012:r2</tag>
<tag name="system-type">general-purpose</tag>
<tag name="operating-system">Microsoft Windows Server 2012 R2 Standard</tag>
<tag name="LastUnauthenticatedResults">1545398521</tag>
<tag name="Credentialed_Scan">false</tag>
<tag name="policy-used">Basic Network Scan</tag>
<tag name="os">windows</tag>
<tag name="mac-address">00:10:36:A5:3B:AA</tag>
<tag name="host-fqdn">WebServerA.internal</tag>
<tag name="host-rdns">WebServerA.internal</tag>
<tag name="HOST_END">Fri Dec 21 08:22:01 2018</tag>
<tag name="netbios-name">WEBSERVERA</tag>
<tag name="host-ip">10.1.5.33</tag>
<tag name="HOST_START">Fri Dec 21 08:16:28 2018</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="117886" pluginName="Local Checks Not Enabled (info)" pluginFamily="Settings">
<description>Nessus did not enable local checks on the remote host. This does not necessarily indicate a problem with the scan. </description>
<plugin_output>
The following issues were reported :

  - Plugin      : no_local_checks_credentials.nasl
    Plugin ID   : 110723
    Plugin Name : No Credentials Provided
    Message     :
Credentials were not provided for detected SSH service.
</plugin_output>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
<description>This plugin displays, for each tested host, information about the scan itself :

  - The version of the plugin set.
  - The type of scanner (Nessus or Nessus Home).
  - The version of the Nessus Engine.
  - The port scanner(s) used.
  - The port range scanned.
  - Whether credentialed or third-party patch management     checks are possible.
  - The date of the scan.
  - The duration of the scan.
  - The number of hosts scanned in parallel.
  - The number of checks done in parallel.
</description>
<plugin_output>Information about this scan :

Nessus version : 7.1.1
Plugin feed version : 201810052251
Scanner edition used : Nessus
</plugin_output>
</ReportItem>
</ReportHost>

And the following code is what I am trying to use in order to loop through and get the data, but when I run the child loop and print child.attrib, it just comes back with a blank {} and doesn't seem to be able to grab the report items and what's in between them.

for host in root.iter('HostProperties'):
    for child in host:
        print child.attrib
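An added example, not part of either original post: one way to read a `.nessus` v2 report with Python's `xml.etree.ElementTree`, covering both the plain `description`/`plugin_output` elements asked about here and the `cm:`-prefixed compliance elements from the earlier Linq question. The function name, the output field names and the sample (constructed by trimming the two reports quoted on this page) are assumptions, as is the guard that reports carry no DTD, which matches the samples shown.

```python
import xml.etree.ElementTree as ET

# Namespace URI copied from the xmlns:cm declaration in the report quoted on this page.
NS = {"cm": "http://www.nessus.org/cm"}

# Constructed sample, trimmed from the two reports quoted on this page.
SAMPLE = """<?xml version="1.0" ?>
<NessusClientData_v2 xmlns:cm="http://www.nessus.org/cm">
<Report name="Demo">
<ReportHost name="WebServerA.internal">
<HostProperties>
<tag name="host-ip">10.1.5.33</tag>
<tag name="operating-system">Microsoft Windows Server 2012 R2 Standard</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="117886" pluginName="Local Checks Not Enabled (info)" pluginFamily="Settings">
<description>Nessus did not enable local checks on the remote host.</description>
<plugin_output>Credentials were not provided for detected SSH service.</plugin_output>
</ReportItem>
</ReportHost>
<ReportHost name="router-001.config">
<HostProperties>
<tag name="host-fqdn">router-001</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="2" pluginID="46689" pluginName="Cisco IOS Compliance Checks" pluginFamily="Policy Compliance">
<description>NET-VLAN-024 - Restricted VLAN not assigned to non-802.1x device.</description>
<cm:compliance-check-name>NET-VLAN-024 - Restricted VLAN not assigned to non-802.1x device.</cm:compliance-check-name>
<cm:compliance-result>WARNING</cm:compliance-result>
<cm:compliance-solution>Define the filter on the VLAN ACL.
</cm:compliance-solution>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def _text(item, path):
    """Return stripped element text, or None when the element is absent."""
    value = item.findtext(path, default=None, namespaces=NS)
    return value.strip() if value is not None else None


def parse_nessus(xml_text):
    """Flatten a .nessus v2 document into one dict per ReportItem."""
    # Scan exports are untrusted input; refuse DTD/entity declarations
    # (assumption: genuine reports contain none, as in the samples above).
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a .nessus file")
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        # Host properties keep the key in the name attribute and the value in the text.
        props = {t.get("name"): (t.text or "") for t in host.iterfind("HostProperties/tag")}
        for item in host.iterfind("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "host_ip": props.get("host-ip"),
                "plugin_id": item.get("pluginID"),
                "severity": item.get("severity"),
                # Unprefixed children are in no namespace.
                "description": _text(item, "description"),
                "plugin_output": _text(item, "plugin_output"),
                # Compliance children need the cm namespace; None on non-compliance items.
                "compliance_result": _text(item, "cm:compliance-result"),
                "compliance_solution": _text(item, "cm:compliance-solution"),
            })
    return findings


if __name__ == "__main__":
    for row in parse_nessus(SAMPLE):
        print(row["host"], row["plugin_id"], row["compliance_result"])
```

Not every `ReportItem` carries every child element, so each lookup returns `None` for a missing element instead of dereferencing it.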

How to obtain different report formats using nessus command line?

I have written a script to run a Nessus scan. However, the output that I get from the scan is in XML format. I would like to experiment with different output formats, preferably HTML or CSV.

I run the following command syntax for the scan:-

scan <host> <port> <username> <password> <policy> <targets> <report>

I found on some forum that -T html can be used to obtain the report in HTML format; however, this doesn't work. I am using Nessus version 8.1.

How to read JSON (in mentioned format)?

I have to parse and get the 'id' field value alone (i.e. 13 in this case) from the below JSON response. My JSON response will be in the below format. This is the get policies Nessus call.

{'policies': [{'creation_date': 1546583582,
               'description': 'New Scan',
               'has_credentials': 0,
               'id': 13}]}

My code:

import requests
from first import *
url = 'https://localhost:8834/policies'
headers = {'X-Cookie':mys()}
response = requests.get(url, headers=headers, verify=False)
resp = response.json()
for k,v in resp.items():
    print (v)

Code response:

[{'creation_date': 1546583582,'description': 'New Scan','has_credentials': 0,'id': 13}]

I'm unsure how to write code to get the result as the expected response - 'id' : 13 or just 13.

How to login to a webpage in Nessus and perform a SecTest?

I am trying to test a webpage using Nessus. I have tested all the stuff about the Server. But now I want to proceed by logging in to the webpage and testing all possible pages behind the login form. But I couldn't achieve it. I gave all (text, password and hidden fields) the form fields' values including the ticket generated by Central Authentication System. But nothing happens. Either there isn't any security issue behind the login page ( :P ), or I couldn't log in to the page (100% possibility :D ). For extra info:

These are login fields. ;)

username=
&password=
&lt=_c0C1F5872-F217-B20F-6D86-AA3AA1C1262E_kC7BEB4F7-5216-53EB-2F9A-7FDDFE01D145
&_eventId=submit
&submit=Login

Is there anyone who has used Nessus and knows how to solve this problem? And is there anyone who knows how to import Cookies to Nessus?

Thanks in advance. ;)


Chef Nessus Agent Install

I am trying to write a cookbook to download and install Nessus Agent found here:

https://www.tenable.com/downloads/nessus-agents

But am having trouble due to an explicit download url not being provided, and the requirement of accepting the license agreement.

I am using windows_package to try and install it. Any help is appreciated.

python tenable_io export to CSV class call

Maybe this question can be answered quickly by you, but I am new to Python and am struggling a bit.

I want to call a function or a class in Python.

I have the following example from here: https://www.tenable.com/blog/tips-on-using-the-tenable-python-sdk-how-to-run-internal-scans-scan-imports-and-exports-and

from tenable_io.client import TenableIOClient

client = TenableIOClient(access_key='{YOUR ACCESS KEY}', secret_key='{YOUR SECRET KEY}')
scans = {scan.name: scan.id for scan in client.scans_api.list().scans}
scan = client.scan_helper.id(scans['{YOUR SCAN NAME}'])
scan.download('{YOUR SCAN NAME}.pdf')

This is working fine and I get the export as PDF. But now I want to get the scan as CSV and there is a hint in the document:

Optionally, you can also pass in additional parameters from “ScanExportRequest” to export the report in a different format such as CSV or HTML.

https://github.com/tenable/Tenable.io-SDK-for-Python/blob/master/tenable_io/api/scans.py#L257

The question now is: how do I proceed with this to get the output as CSV?

class ScanExportRequest(BaseRequest):

    CHAPTER_CUSTOM_VULN_BY_HOST = u'vuln_by_host'
    CHAPTER_CUSTOM_VULN_BY_PLUGIN = u'vuln_by_plugin'
    CHAPTER_EXECUTIVE_SUMMARY = u'vuln_hosts_summary'

    FORMAT_CSV = u'csv'
    FORMAT_DB = u'db'
    FORMAT_HTML = u'html'
    FORMAT_NESSUS = u'nessus'
    FORMAT_PDF = u'pdf'

    def __init__(
            self,
            format,
            password=None,
            chapters=None,
):

Should we consider info level issues reported by nessus as vulnerabilities

While running a Nessus scan it reported a few issues with severity as "info". Should we consider these as security vulnerabilities against that product/module?

Nessus documentation is not very clear on this aspect. Would like to know what the common industry practices are.

How to fix IP address revelation found by Nessus scanning

Did a Nessus scan and found the below vulnerability:

Nessus was able to exploit the issue using the following request :

GET / HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*




This produced the following truncated output (limited to 10 lines) :
------------------------------ snip ------------------------------
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm="xx.xxx.xx.xx"
X-Powered-By: ASP.NET
Date: Mon, 18 Mar 2019 17:07:55 GMT
Connection: keep-alive
Content-Length: 1293

To put it precisely, the request sent by Nessus was served by a response header showing the IP of the server, which shouldn't be the case.

My application is hosted in IIS 7.

I found the below link but it addresses issues for IIS below 6:

https://support.microsoft.com/en-us/help/218180

How to fix this?

OpenVAS: CLI Vulnerability Scanning [CentOS]

I have been trying to figure out how I can execute tasks from the command line with OpenVAS (without any interactions with their web gui)

I've tried running this command:

omp --port=9392 --host=<IP> --username=admin --password=admin --xml "<get_results/>"

And it just stalls there, appearing to do nothing. No output, nothing.

After looking around, apparently omp is deprecated and people have said to switch to gvm-cli found here.

After switching to gvm-cli, I ran the following command, and got this error:

gvm-cli socket --gmp-username admin --gmp-password admin --xml "<get_results/>"

Traceback (most recent call last):
  File "/home/phillip/py37/bin/gvm-cli", line 10, in <module>
    sys.exit(main())
  File "/home/phillip/py37/lib/python3.7/site-packages/gvmtools/cli.py", line 92, in main
    gvm.authenticate(args.gmp_username, args.gmp_password)
  File "/home/phillip/py37/lib/python3.7/site-packages/gvm/protocols/gmpv7.py", line 210, in authenticate
    self._send(cmd.to_string())
  File "/home/phillip/py37/lib/python3.7/site-packages/gvm/protocols/base.py", line 62, in _send
    self.connect()
  File "/home/phillip/py37/lib/python3.7/site-packages/gvm/protocols/base.py", line 98, in connect
    self._connection.connect()
  File "/home/phillip/py37/lib/python3.7/site-packages/gvm/connections.py", line 310, in connect
    self._socket.connect(self.path)
FileNotFoundError: [Errno 2] No such file or directory

I'm not sure what else to do. Could someone steer me in the right direction with this?

What I want to eventually end up doing is create an automated scanning system completely from the command line. I want to be able to:

  1. Create a new target
  2. Create a new task
  3. Run the scan

How can I accomplish this?

Extra Info:

When running openvas-check-setup --v9 my output is: It seems like your OpenVAS-9 installation is OK

OS: CentOS 7

The web gui runs fine, and I executed a task to make sure everything is working ok.
