We can retrieve a list of the reports available on the Nessus server, and the information they provide, with the Get-NessusReports function. We give it either the index of the session or a Nessus.Server.Session object:
    C:\> Get-NessusReports -Index 0

    ServerHost : 192.168.10.3
    ReportID   : a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
    ReportName : Dev Lab Full Scan
    Status     : completed
    KB         : True
    AuditTrail : True
    Date       : 4/14/2013 2:36:21 AM
    Session    : Nessus.Server.Session

    ServerHost : 192.168.10.3
    ReportID   : beb54ae5-ddd5-4700-3e85-d0241ade948354bf668ec4c5c319
    ReportName : Lab Full Unauthenticated Scan
    Status     : completed
    KB         : True
    AuditTrail : True
    Date       : 4/11/2013 6:39:22 AM
    Session    : Nessus.Server.Session

    ServerHost : 192.168.10.3
    ReportID   : 908185a5-19cc-e2e4-6073-2134043611b99e3d5fcf060ec31e
    ReportName : Scan Dev Lab
    Status     : completed
    KB         : True
    AuditTrail : True
    Date       : 4/11/2013 4:26:13 AM
    Session    : Nessus.Server.Session

    ServerHost : 192.168.10.3
    ReportID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
    ReportName : Lab Scan 1
    Status     : completed
    KB         : True
    AuditTrail : True
    Date       : 4/14/2013 2:36:21 AM
    Session    : Nessus.Server.Session
The main properties for each report object are:
The Get-NessusReports function produces an object for each report, and these objects have 2 ScriptMethods that we can use against the object itself.
We can query a report for a summary of the hosts it contains and the number of items reported at each severity level. This is done with Get-NessusReportHostSummary:
    C:\> Get-NessusReportHostSummary -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c

    Hostname : 192.168.10.10
    Info     : 51
    Low      : 1
    Medium   : 4
    High     : 0
    Critical : 0

    Hostname : 192.168.10.12
    Info     : 51
    Low      : 2
    Medium   : 5
    High     : 1
    Critical : 1

    Hostname : 192.168.10.13
    Info     : 95
    Low      : 2
    Medium   : 12
    High     : 0
    Critical : 0

    Hostname : 192.168.10.2
    Info     : 38
    Low      : 1
    Medium   : 1
    High     : 0
    Critical : 0

    Hostname : nessus.darkoperator.com
    Info     : 39
    Low      : 1
    Medium   : 3
    High     : 0
    Critical : 0
We can get a summary of each item found, and how many times it appears in the report, using the function Get-NessusReportVulnSummary:
    C:\> Get-NessusReportVulnSummary -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c

    PluginID     : 10107
    PluginName   : HTTP Server Type and Version
    PluginFamily : Web Servers
    Count        : 5
    Severity     : Info

    PluginID     : 10147
    PluginName   : Nessus Server Detection
    PluginFamily : Service detection
    Count        : 1
    Severity     : Info

    PluginID     : 10150
    PluginName   : Windows NetBIOS / SMB Remote Host Information Disclosure
    PluginFamily : Windows
    Count        : 4
    Severity     : Info

    PluginID     : 10263
    PluginName   : SMTP Server Detection
    PluginFamily : Service detection
    Count        : 2
    Severity     : Info

    PluginID     : 10267
    PluginName   : SSH Server Type and Version Information
    PluginFamily : Service detection
    Count        : 1
    Severity     : Info

    PluginID     : 10287
    PluginName   : Traceroute Information
    PluginFamily : General
    Count        : 4
    Severity     : Info

    PluginID     : 10394
    PluginName   : Microsoft Windows SMB Log In Possible
    PluginFamily : Windows
    Count        : 3
    Severity     : Info

    PluginID     : 10736
    PluginName   : DCE Services Enumeration
    PluginFamily : Windows
    Count        : 49
    Severity     : Info

    PluginID     : 10761
    PluginName   : COM+ Internet Services (CIS) Server Detection
    PluginFamily : Windows
    Count        : 3
    Severity     : Info

    PluginID     : 10785
    PluginName   : Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
    PluginFamily : Windows
    Count        : 4
    Severity     : Info

    PluginID     : 10863
    PluginName   : SSL Certificate Information
    PluginFamily : General
    Count        : 5
    Severity     : Info

    PluginID     : 10881
    PluginName   : SSH Protocol Versions Supported
    PluginFamily : General
    Count        : 1
    Severity     : Info

    PluginID     : 10884
    PluginName   : Network Time Protocol (NTP) Server Detection
    PluginFamily : Service detection
    Count        : 2
    Severity     : Info

    PluginID     : 10940
    PluginName   : Windows Terminal Services Enabled
    PluginFamily : Windows
    Count        : 4
    Severity     : Info

    ........
If we want all the information available for each host in a report, we use the function Get-NessusReportHostsDetailed. This function downloads the report XML, parses it and generates PowerShell objects for each piece of information found. The information is divided into 2 parts for each host.
    C:\> Get-NessusReportHostsDetailed -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c

    Host                      Host_Properties               ReportItems
    ----                      ---------------               -----------
    nessus.darkoperator.com   @{system_type=general-purp... {@{Host=nessus.darkoperato...
    192.168.10.2              @{operating_system=Microso... {@{Host=192.168.10.2; Port...
    192.168.10.13             @{operating_system=Microso... {@{Host=192.168.10.13; Por...
    192.168.10.12             @{operating_system=Microso... {@{Host=192.168.10.12; Por...
    192.168.10.10             @{operating_system=Microso... {@{Host=192.168.10.10; Por...
Here is an example of the information we can get in the host properties:
    C:\> $reporthost = Get-NessusReportHostsDetailed -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c | select -First 1
    C:\> $reporthost.Host_Properties

    system_type            : general-purpose
    netstat_listen_tcp4_0  : 0.0.0.0:22
    local_checks_proto     : local
    netstat_listen_tcp46_3 : :::22
    netstat_listen_tcp4_2  : 0.0.0.0:8834
    HOST_START             : Sun Apr 14 02:22:48 2013
    host_ip                : 192.168.10.3
    operating_system       : Linux Kernel 2.6.32-358.0.1.el6.x86_64 on CentOS release 6.4 (Final)
    netstat_listen_tcp4_1  : 0.0.0.0:1241
    mac_address            : 00:0C:29:28:7A:F9
    HOST_END               : Sun Apr 14 02:31:13 2013
    netstat_listen_tcp6_5  : :::8834
    host_fqdn              : nessus.darkoperator.com
    netstat_listen_tcp6_4  : :::1241
Report items contain the information about each vulnerability and each informational plugin that was launched and executed successfully.
    C:\> $reporthost.ReportItems[3]

    Host                 : nessus.darkoperator.com
    Port                 : 0
    ServiceName          : general
    Severity             : Info
    PluginID             : 33276
    PluginName           : Enumerate MAC Addresses via SSH
    PluginFamily         : General
    RiskFactor           : None
    Synopsis             : This plugin enumerates MAC addresses on a remote host.
    Description          : By connecting to the remote host via SSH with the supplied
                           credentials, this plugin enumerates MAC addresses.
    Solution             : Disable any unused interfaces.
    PluginOutput         : The following MAC address exists on the remote host :
                             - 00:0C:29:28:7A:F9 (interface eth0)
    SeeAlso              :
    CVE                  :
    BID                  :
    ExternaReference     :
    PatchPublicationDate :
    VulnPublicationDate  :
    Exploitability       :
    ExploitAvailable     :
    CANVAS               :
    Metasploit           :
    COREImpact           :
    MetasploitModule     :
    CANVASPackage        :
    CVSSVector           :
    CVSSBase             :
    CVSSTemporal         :
    PluginType           : local
    PluginVersion        :
One of the great advantages of PowerShell is that it makes managing large amounts of data quite simple and provides options to export the objects to XML or CSV, and even to generate our own custom HTML reports. Let's look at the GridView option, which allows us to see all the report items in a grid and even add filters to the view. The command we use is:

    $reporthost.ReportItems | Out-GridView
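The export options mentioned above, shown as an added example that is not part of the original post: it turns report items into a remediation worklist and writes it as CSV and HTML. The three sample objects are constructed from values shown on this page, and the output file names are assumptions.

```powershell
# Constructed sample standing in for $reporthost.ReportItems; property names
# and values follow the report item objects shown in this post.
$items = @(
    [pscustomobject]@{ Host = '192.168.10.12'; Port = 3389; Severity = 'High'
        PluginID = 58435; PluginName = 'MS12-020: Vulnerabilities in Remote Desktop'
        CVSSBase = '9.3'; ExploitAvailable = 'true'
        CVE = @('CVE-2012-0002', 'CVE-2012-0152') }
    [pscustomobject]@{ Host = '192.168.10.12'; Port = 5355; Severity = 'Critical'
        PluginID = 53514; PluginName = 'MS11-030: Vulnerability in DNS Resolution'
        CVSSBase = '10.0'; ExploitAvailable = 'true'; CVE = @('CVE-2011-0657') }
    [pscustomobject]@{ Host = 'nessus.darkoperator.com'; Port = 0; Severity = 'Info'
        PluginID = 33276; PluginName = 'Enumerate MAC Addresses via SSH'
        CVSSBase = ''; ExploitAvailable = ''; CVE = @() }
)

# Keep Critical/High findings, worst first. CVSSBase is a string in this
# sample, so cast it for numeric ordering; join the CVE values so a list of
# CVEs is written as readable text instead of a type name.
$worklist = $items |
    Where-Object { 'Critical', 'High' -contains $_.Severity } |
    Sort-Object -Property { [double]$_.CVSSBase } -Descending |
    Select-Object Host, Port, Severity, PluginID, PluginName, CVSSBase,
        ExploitAvailable, @{ Name = 'CVE'; Expression = { $_.CVE -join ', ' } }

# Output location and file names are assumptions (user's temp directory).
$out  = [System.IO.Path]::GetTempPath()
$csv  = Join-Path $out 'nessus-worklist.csv'
$html = Join-Path $out 'nessus-worklist.html'

$worklist | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8
$worklist |
    ConvertTo-Html -Title 'Nessus worklist' -PreContent '<h1>Critical and High findings</h1>' |
    Set-Content -Path $html -Encoding UTF8

# Findings per host, for a quick view of where to start.
$worklist | Group-Object Host | Select-Object Name, Count
```

With a live session, replace `$items` with `$reporthost.ReportItems`.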
We can retrieve the XML .Net object representation of a report if we wish to manipulate the XML itself or use it for other purposes.
Getting an XML .Net object of the report and saving it to disk as a .nessus file:
    C:\> $nessusreport = Get-NessusV2ReportXML -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
    C:\> $nessusreport.Save("$env:HOMEPATH\Desktop\DevLabRepor.nessus")
Getting access to the information in the XML is easy, since in PowerShell it is just like working with a regular .Net object:
    C:\> $nessusreport.NessusClientData_v2.Report.ReportHost

    name                      HostProperties   ReportItem
    ----                      --------------   ----------
    nessus.darkoperator.com   HostProperties   {ReportItem, ReportItem, R...
    192.168.10.2              HostProperties   {ReportItem, ReportItem, R...
    192.168.10.13             HostProperties   {ReportItem, ReportItem, R...
    192.168.10.12             HostProperties   {ReportItem, ReportItem, R...
    192.168.10.10             HostProperties   {ReportItem, ReportItem, R...

    C:\> $nessusreport.NessusClientData_v2.Policy

    policyName                : All Plugins with Full Scan
    policy_comments           :
    Preferences               : Preferences
    FamilySelection           : FamilySelection
    IndividualPluginSelection : IndividualPluginSelection
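Working on the report XML directly, as an added example that is not from the original post or from Posh-SecMod: it computes per-host severity counts offline from a .nessus v2 document. The helper name Get-NessusXmlHostSummary is hypothetical, and the inline XML is a constructed sample (host 192.168.10.99 is invented to show a host without findings).

```powershell
# Constructed, minimal .nessus v2 document. A real one comes from
# Get-NessusV2ReportXML or from [xml](Get-Content .\file.nessus).
[xml]$sample = @'
<NessusClientData_v2>
 <Report name="Dev Lab Full Scan">
  <ReportHost name="192.168.10.12">
   <ReportItem port="3389" svc_name="msrdp" severity="3" pluginID="58435"/>
   <ReportItem port="5355" svc_name="llmnr" severity="4" pluginID="53514"/>
   <ReportItem port="0" svc_name="general" severity="0" pluginID="10287"/>
  </ReportHost>
  <ReportHost name="192.168.10.2">
   <ReportItem port="445" svc_name="cifs" severity="0" pluginID="10150"/>
  </ReportHost>
  <ReportHost name="192.168.10.99"/>
 </Report>
</NessusClientData_v2>
'@

# Hypothetical helper: one object per host with the same property names that
# Get-NessusReportHostSummary shows (Hostname, Info, Low, Medium, High, Critical).
function Get-NessusXmlHostSummary {
    param([Parameter(Mandatory = $true)][xml]$Report)
    # The v2 format stores severity as 0-4; the index maps to these names.
    $names = 'Info', 'Low', 'Medium', 'High', 'Critical'
    # SelectNodes always returns a list, so hosts with one ReportItem or none
    # behave the same; dotted access ($h.ReportItem) gives a scalar or $null.
    foreach ($h in $Report.SelectNodes('/NessusClientData_v2/Report/ReportHost')) {
        $row = [ordered]@{ Hostname = $h.GetAttribute('name') }
        foreach ($n in $names) { $row[$n] = 0 }
        foreach ($item in $h.SelectNodes('ReportItem')) {
            $key = $names[[int]$item.GetAttribute('severity')]
            $row[$key] = $row[$key] + 1
        }
        [pscustomobject]$row
    }
}

$summary = Get-NessusXmlHostSummary -Report $sample
$summary | Format-Table -AutoSize

# Hosts with High or Critical findings.
$summary | Where-Object { $_.Critical -gt 0 -or $_.High -gt 0 } |
    Select-Object Hostname, High, Critical
```

Pass `$nessusreport` instead of `$sample` to summarize the report retrieved above.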
Filtering Report Items
I know that many people are new to PowerShell and still learning the power it has to filter and manipulate objects, so the function Get-NessusReportItems is here to help with some of the filtering. The function filters the reported items at the server by Host and Severity and returns the matching report item objects for use.
Retrieve and filter report items:
    C:\> Get-NessusReportItems -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c -HostFilter 192.168.10.12 -SeverityFilter critical,high

    Host                 : 192.168.10.12
    Port                 : 3389
    ServiceName          : msrdp
    Severity             : High
    PluginID             : 58435
    PluginName           : MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) (uncredentialed check)
    PluginFamily         : Windows
    RiskFactor           : High
    Synopsis             : The remote Windows host could allow arbitrary code execution.
    Description          : An arbitrary remote code vulnerability exists in the implementation of the
                           Remote Desktop Protocol (RDP) on the remote Windows host. The vulnerability
                           is due to the way that RDP accesses an object in memory that has been
                           improperly initialized or has been deleted.

                           If RDP has been enabled on the affected system, an unauthenticated, remote
                           attacker could leverage this vulnerability to cause the system to execute
                           arbitrary code by sending a sequence of specially crafted RDP packets to it.

                           This plugin also checks for a denial of service vulnerability in Microsoft
                           Terminal Server.

                           Note that this script does not detect the vulnerability if the 'Allow
                           connections only from computers running Remote Desktop with Network Level
                           Authentication' setting is enabled or the security layer is set to
                           'SSL (TLS 1.0)' on the remote host.
    Solution             : Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2 :
                           http://technet.microsoft.com/en-us/security/bulletin/ms12-020
    PluginOutput         :
    SeeAlso              :
    CVE                  : {CVE-2012-0002, CVE-2012-0152}
    BID                  : {52353, 52354}
    ExternaReference     : {OSVDB:80000, OSVDB:80004, EDB-ID:18606, IAVA:2012-A-0039...}
    PatchPublicationDate : 2012/03/13
    VulnPublicationDate  : 2012/03/13
    Exploitability       : Exploits are available
    ExploitAvailable     : true
    CANVAS               : true
    Metasploit           : true
    COREImpact           : true
    MetasploitModule     : MS12-020 Microsoft Remote Desktop Checker
    CANVASPackage        : White_Phosphorus
    CVSSVector           : CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
    CVSSBase             : 9.3
    CVSSTemporal         : 7.3
    PluginType           : remote
    PluginVersion        :

    Host                 : 192.168.10.12
    Port                 : 5355
    ServiceName          : llmnr
    Severity             : Critical
    PluginID             : 53514
    PluginName           : MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)
    PluginFamily         : Windows
    RiskFactor           : Critical
    Synopsis             : Arbitrary code can be executed on the remote host through the installed Windows DNS client.
    Description          : A flaw in the way the installed Windows DNS client processes Link-local
                           Multicast Name Resolution (LLMNR) queries can be exploited to execute
                           arbitrary code in the context of the NetworkService account.

                           Note that Windows XP and 2003 do not support LLMNR and successful
                           exploitation on those platforms requires local access and the ability to
                           run a special application. On Windows Vista, 2008, 7, and 2008 R2, however,
                           the issue can be exploited remotely.
    Solution             : Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2 :
                           http://technet.microsoft.com/en-us/security/bulletin/ms11-030
    PluginOutput         :
    SeeAlso              :
    CVE                  : CVE-2011-0657
    BID                  : 47242
    ExternaReference     : {OSVDB:71780, IAVA:2011-A-0039, MSFT:MS11-030}
    PatchPublicationDate : 2011/04/12
    VulnPublicationDate  : 2011/04/12
    Exploitability       : Exploits are available
    ExploitAvailable     : true
    CANVAS               :
    Metasploit           : true
    COREImpact           : true
    MetasploitModule     : Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
    CANVASPackage        :
    CVSSVector           : CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
    CVSSBase             : 10.0
    CVSSTemporal         : 7.8
    PluginType           : remote
    PluginVersion        :
Getting the KB is very simple. It is used mainly when opening support tickets with Tenable, when we want to trace which plugins executed, or when we want to see what information some plugins used to determine whether the host is vulnerable.
    C:\> Get-NessusReportHostKB -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c -ReportHost 192.168.10.12 | Out-File -FilePath $env:HOMEPATH\Desktop\lab.txt
If we want to see the audit trail for a plugin that executed against a host, we can retrieve it, and it will tell us more about why the plugin did not trigger:
    C:\> Get-NessusReportPluginAudit 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c -Host 192.168.10.12 -PluginID 35952 | fl

    Host     : 192.168.10.12
    PluginID : 35952
    ExitCode : 1
    Reason   : Can't open socket on port 49777.
I hope you liked this short series. I’m currently working on expanding the functions for Nessus even more and looking forward to the new stuff that will be coming out with new releases so as to add support to those.