Nessus CSV Parser and Extractor

yanp - Nessus CSV parser and extractor

Introducing yanp.sh – Yet Another Nessus Parser! This small tool provides a quick and easy way of extracting vital information from Nessus scan results. It can parse multiple results in one go and, at the end, create a consolidated report from all results combined. This tool helps us speed up the reporting phase, but that is not all it is good for.

Introduction

During a VAPT engagement, we often have to split the scope into several smaller parts and work on them individually.

For instance, we may be given a list of separated areas (zones) which we have to scan carefully, one by one. Other times, we may have to re-scan some portions of the scope due to various reasons.

We then end up with multiple separate scan results instead of a single one, and having multiple scan results can be very impractical during the reporting phase.

Leveraging Nessus capabilities

Sometimes we may also want to leverage Nessus’s powerful detection capabilities and extract some information from the scan results for further processing.

For instance, Nessus can recognize various network services such as web servers, so we can easily generate a list of URLs from its results. We can then feed the URLs found by Nessus into our own automation.

We can also extract a list of open ports, a list of alive IP addresses and other interesting things. And that’s exactly where our little parser tool comes in handy.

Parser features

The yanp.sh parser has the following features. It will process every Nessus CSV report found in the current working directory and it will parse out the following information from each report:

  • List of found IP addresses
  • List of resolved hostnames and corresponding IP addresses
  • List of open TCP and UDP ports
  • List of URLs (http and https)
  • List of vulnerabilities and for every vulnerability:
    • List of affected IP addresses
    • List of CVEs

In the end the tool will also consolidate everything and produce results from all the Nessus reports combined. Everything nicely sorted and formatted, ready to be copy & pasted into the report that we are writing for the customer.

Let’s see how it looks in practice.

Example usage

First we will collect all our Nessus scan results and save them on disk into one folder. Then we will run the parser. Here’s the process in detail step by step:

1. Download each Nessus scan report in CSV format like this:

Exporting Nessus scanner results in CSV format

You can keep all options default and just click to generate the report:

Generate Nessus scan report in CSV format

2. After we have downloaded all the reports in one folder, we should have something like this on our machine:

Before parsing the Nessus scan results

(In our case we have two reports)

3. Now we can run the parser. The parser will process all (both) CSV reports and in the end it will also merge everything and produce consolidated results from all reports:

Parsing Nessus scan results

4. After the parsing is done, we should see all the results in our current working directory like this:

Results produced by the Nessus scan report parser

As we can see, the parser produced results separately for every single CSV report and there are also consolidated results from all CSV reports merged together.

This will consequently allow us to easily work with any results that we need. Do we need results only from DMZ? Fine. Do we need results from all the reports? No problem.

Now let’s see how the actual output looks.

Example output

As we mentioned above, this tool extracts various information from the Nessus scan reports and it produces output that is either ready to be copy & pasted somewhere easily, or ready to be fed into some other tool. This section provides details.

List of alive IP addresses

The produced hosts.txt file provides a list of all IP addresses that were found to be alive during the scanning:

List of parsed IP addresses from Nessus scan results

Now we can easily feed this file into some other tool that expects a list of IP addresses in a file as an input.

List of hostnames and corresponding IP addresses

The produced hosts.resolved.txt file contains extracted DNS information, if there was any. It has the following format:

List of resolved hostnames and IP addresses parsed from Nessus scan results

List of open TCP and UDP ports

The produced open.ports.txt file contains a list of open ports in the following format:

List of open ports parsed from Nessus scan results

For instance, we can easily extract a list of hosts that have port tcp/22 (SSH) open:

grep ';22;tcp' open.ports.txt | cut -d';' -f1

List of hosts with port tcp/22 open parsed from Nessus scan results

Now we could feed this list into some additional automation that we have for SSH servers. For instance, we could perform an SSH login attack on these IPs using Medusa, Hydra, Nmap, Metasploit or another tool.

List of URLs

The produced urls.txt file contains a list of extracted URLs. It also includes FQDN URLs, if a hostname was found for a given IP address:

List of URLs parsed from Nessus scan results

Now we could feed this list, for instance, into our hunter tool for default logins, which is capable of auditing more than 380 various administrative interfaces.

We could also feed the URL list into EyeWitness and grab web screenshots for visual analysis. Or we could feed it into Nikto web scanner and many other tools.

List of vulnerabilities

Here’s what the list of vulnerabilities looks like. Each line represents a single vulnerability and contains the following information, separated by semicolons (;):

  • Severity
  • Vulnerability description
  • List of affected hosts

For instance, the produced vulns.hosts.without.ports.txt file may look like this:

List of vulnerabilities parsed from Nessus scan results

The list is sorted by severity from critical vulnerabilities to informational (first column). Now the affected hosts (last column) can be easily selected and copy & pasted into the actual report that we are writing.

For some vulnerabilities, it is more reasonable to include them in the report with port numbers. That’s where the other produced file, vulns.hosts.with.ports.txt, comes in handy:

List of vulnerabilities including port information parsed from Nessus scan results

We can simply copy & paste the selected hosts into our report where we are just reporting a finding of unsupported web servers. Nice and clean.

List of CVEs for each vulnerability

The produced vulns.cve.list.txt file contains a list of CVEs associated with each vulnerability. Again, the file is sorted by severity from Critical to Informational (first column):

List of vulnerabilities and their CVEs parsed from Nessus scan results

Note that some vulnerabilities have no CVE. The reason why there is no CVE could be any of the following:

  • The vulnerability targets a generic issue
  • The vulnerability is a configuration problem
  • The vendor does not wish to assign a CVE
  • There is a delay in the process of assigning a CVE

So it is perfectly fine to see a vulnerability without having a CVE assigned.
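The consolidation behind the vulnerability and CVE lists described above, as an added example written in Python; it is not yanp.sh's own Bash code. It assumes the default Nessus CSV column names (CVE, Risk, Host, Protocol, Port, Name); the sample rows, the placeholder CVE ids, the `-` marker for a missing CVE and the comma-separated host layout are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
# Constructed sample reports (not real scan output). Column names are assumed
# to match the default Nessus CSV export; the CVE ids are placeholders.
HEADER = "Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis\n"
DMZ_CSV = HEADER + (
    '90001,CVE-0000-0001,7.5,High,192.0.2.10,tcp,443,Example TLS flaw,"Weak,\nsee notes"\n'
    '90001,CVE-0000-0002,7.5,High,192.0.2.10,tcp,443,Example TLS flaw,"Weak,\nsee notes"\n'
    '90002,,,Medium,192.0.2.11,tcp,22,Example SSH misconfiguration,Config issue\n')
LAN_CSV = HEADER + (
    '90001,CVE-0000-0001,7.5,High,192.0.2.9,tcp,8443,Example TLS flaw,"Weak,\nsee notes"\n'
    '90003,,,None,192.0.2.9,tcp,22,Example service detection,Banner\n')
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}  # None = info

def ip_key(host):  # IPv4 sorts numerically; anything else sorts after, as text
    parts = host.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return (0, [int(p) for p in parts], "")
    return (1, [], host)

def consolidate(reports):
    """Merge rows from several CSV texts into per-vulnerability host and CVE sets."""
    hosts, cves = defaultdict(set), defaultdict(set)
    for text in reports:
        # The csv module handles quoted fields that contain commas and newlines.
        for row in csv.DictReader(io.StringIO(text)):
            key = (row["Risk"], row["Name"])
            hosts[key].add((row["Host"], row["Port"], row["Protocol"]))
            if row["CVE"]:
                cves[key].add(row["CVE"])
    return hosts, cves

def report_lines(hosts, cves, mode="hosts"):
    """Return 'severity;name;details' lines, Critical first, informational last."""
    lines = []
    for key in sorted(hosts, key=lambda k: (RANK.get(k[0], 9), k[1])):
        if mode == "cves":
            details = sorted(cves.get(key, ())) or ["-"]  # no CVE is normal
        elif mode == "ports":
            found = sorted(hosts[key], key=lambda e: (ip_key(e[0]), int(e[1])))
            details = [f"{h}:{port}/{proto}" for h, port, proto in found]
        else:
            details = sorted({h for h, _, _ in hosts[key]}, key=ip_key)
        lines.append(";".join([key[0], key[1], ", ".join(details)]))
    return lines

if __name__ == "__main__":
    print("\n".join(report_lines(*consolidate([DMZ_CSV, LAN_CSV]), mode="cves")))
```

Because findings are keyed by severity and name and stored in sets, a finding repeated across reports or once per CVE collapses into a single line, and hosts sort numerically so 192.0.2.9 precedes 192.0.2.10.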

Grab your copy

The yanp.sh parser tool lives in our InfosecMatter GitHub repository.

It works out-of-the-box on any Linux distribution, including Kali Linux.

Limitations

Compatibility. As of now the parser doesn’t work on Mac OS X. Although it is written in Bash and has no dependencies other than standard Linux text-processing utilities, OS X often ships different (non-GNU) versions of those utilities.

Speed. If the Nessus scan results are very big, the parser can take several minutes to complete. On the other hand, once they are processed, the parser will not process them again. The parser can be re-run anytime if there are new results in the current working directory and it will only rework the consolidated results.

Conclusion

Although this parser is not perfect, in most situations it is exactly what we need for reporting purposes and for extracting information from Nessus results. It works out-of-the-box in Kali Linux, from where we usually run Nessus as well. Thus, it makes a perfect companion to the Nessus scanner on our testing machines. Hope you will find it useful too!
