Introducing yanp.sh – Yet Another Nessus Parser! This small tool provides a quick and easy way of extracting vital information from Nessus scan results. It can parse multiple results in one go and, in the end, create a consolidated report from all the results combined. This tool helps us speed up the reporting phase, but not only that.
Introduction
It often happens during a VAPT engagement that we have to split the scope into several smaller parts and work on them individually.
For instance, we may be given a list of separate areas (zones) which we have to scan carefully, one by one. Other times, we may have to re-scan some portions of the scope for various reasons.
In the end we end up with multiple separate results instead of one single scan result, and having multiple scan results can be very impractical during the reporting phase.
Leveraging Nessus capabilities
Sometimes we may also want to leverage Nessus’s powerful detection capabilities and extract some information from the scan results for further processing.
For instance, Nessus can recognize various network services such as web servers, so we can easily generate a list of URLs from it. We can then run some of our own automation and feed it with the URLs found by Nessus.
We can also extract a list of open ports, a list of alive IP addresses and other interesting things. And that’s exactly where our little parser tool comes in handy.
Parser features
The yanp.sh parser processes every Nessus CSV report found in the current working directory and parses out the following information from each report:
- List of found IP addresses
- List of resolved hostnames and corresponding IP addresses
- List of open TCP and UDP ports
- List of URLs (http and https)
- List of vulnerabilities and, for every vulnerability:
  - List of affected IP addresses
  - List of CVEs
In the end the tool also consolidates everything and produces results from all the Nessus reports combined. Everything is nicely sorted and formatted, ready to be copied and pasted into the report that we are writing for the customer.
Let’s see how it looks in practice.
Example usage
First we will collect all our Nessus scan results and save them on disk into one folder. Then we will run the parser. Here’s the process in detail step by step:
1. Download each Nessus scan report in CSV format like this:
You can keep all options default and just click to generate the report:
2. After we have downloaded all the reports in one folder, we should have something like this on our machine:
(In our case we have two reports)
3. Now we can run the parser. The parser will process all (both) CSV reports and in the end it will also merge everything and produce consolidated results from all reports:
4. After the parsing is done, we should see all the results in our current working directory like this:
As we can see, the parser produced results separately for every single CSV report and there are also consolidated results from all CSV reports merged together.
This will consequently allow us to easily work with any results that we need. Do we need results only from DMZ? Fine. Do we need results from all the reports? No problem.
Now let’s see how the actual output looks.
Example output
As we mentioned above, this tool extracts various information from the Nessus scan reports and produces output that is either ready to be copied and pasted somewhere easily, or ready to be fed into some other tool. This section provides the details.
List of alive IP addresses
The produced hosts.txt file provides a list of all IP addresses that were found to be alive during the scan:
Now we can easily feed this file into some other tool that expects a list of IP addresses in a file as input.
List of hostnames and corresponding IP addresses
The produced hosts.resolved.txt file contains the extracted DNS information, if there was any. It has the following format:
List of open TCP and UDP ports
The produced open.ports.txt file contains a list of open ports in the following format:
For instance, we can easily extract a list of hosts that have port tcp/22 (SSH) open:
grep ';22;tcp' open.ports.txt | cut -d';' -f1
Now we could feed this list into some additional automation that we have for SSH servers. For instance, we could perform an SSH login attack on these IPs using Medusa, Hydra, Nmap, Metasploit or another tool.
List of URLs
The produced urls.txt file contains a list of the extracted URLs. It also includes FQDN URLs, if a hostname was found for a given IP address:
Now we could feed this list, for instance, into our hunter tool for default logins, which is capable of auditing more than 380 different administrative interfaces.
We could also feed the URL list into EyeWitness and grab web screenshots for visual analysis. Or we could feed it into Nikto web scanner and many other tools.
List of vulnerabilities
Here’s what the list of vulnerabilities looks like. Each line represents a single vulnerability and contains the following information separated by a semicolon (;):
- Severity
- Vulnerability description
- List of affected hosts
For instance, the produced vulns.hosts.without.ports.txt file may look like this:
The list is sorted by severity from critical vulnerabilities to informational (first column). Now the affected hosts (last column) can be easily selected and copy & pasted into the actual report that we are writing.
For some vulnerabilities, it is more reasonable to include them in the report with port numbers. That’s where the other produced file – vulns.hosts.with.ports.txt – comes in handy:
We can simply copy & paste the selected hosts into our report where we are just reporting a finding of unsupported web servers. Nice and clean.
List of CVEs for each vulnerability
The produced vulns.cve.list.txt file contains a list of the CVEs associated with each vulnerability. Again, the file is sorted by severity from Critical to Informational (first column):
Note that some vulnerabilities have no CVE. The reason could be any of the following:
- The vulnerability targets a generic issue
- The vulnerability is a configuration problem
- The vendor does not wish to assign a CVE
- There is a delay in the process of assigning a CVE
So it is perfectly fine to see a vulnerability without having a CVE assigned.
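To make the layouts of the three vulnerability files and the open.ports.txt file concrete, here is an added Python illustration of the same extraction; it is not the yanp.sh code (which is Bash). It assumes the standard Nessus CSV header names, uses a constructed sample report with placeholder plugin IDs, hosts and CVE, and infers the ip;port;proto layout from the grep example above.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of a Nessus CSV export: standard Nessus header, made-up rows.
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
10001,,,None,10.0.0.5,tcp,22,Service Detection,,,,,
10001,,,None,10.0.0.7,tcp,22,Service Detection,,,,,
10002,,,None,10.0.0.7,udp,53,DNS Server Detection,,,,,
10003,CVE-0000-0001,5.0,Medium,10.0.0.5,tcp,443,Example TLS Weakness (placeholder),,,,,
10003,CVE-0000-0001,5.0,Medium,10.0.0.7,tcp,443,Example TLS Weakness (placeholder),,,,,
10004,,,High,10.0.0.7,tcp,80,Unsupported Web Server Detection,,,,,
"""
# Nessus reports informational findings with Risk "None".
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}

def parse_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def host_key(host):
    """Sort real IPs numerically; hostnames sort after them, alphabetically."""
    try:
        return (0, int(ipaddress.ip_address(host)))
    except ValueError:
        return (1, host)

def open_ports(rows):
    """Unique 'ip;port;proto' lines (port 0 means a host-level plugin, skipped)."""
    found = {(r["Host"], int(r["Port"]), r["Protocol"]) for r in rows if r["Port"] != "0"}
    return [f"{h};{p};{proto}" for h, p, proto in sorted(found, key=lambda t: (host_key(t[0]), t[1]))]

def _group(rows, value):
    """Collect value(row) under (Risk, Name), ordered Critical -> None like the tool's files."""
    groups = defaultdict(set)
    for r in rows:
        groups[(r["Risk"], r["Name"])].update(value(r))
    return sorted(groups.items(), key=lambda kv: (SEVERITY_ORDER.get(kv[0][0], 9), kv[0][1]))

def vulns(rows, with_ports=False):
    """'Severity;Name;host, host' lines; hosts rendered as ip:port when with_ports."""
    items = _group(rows, lambda r: {(r["Host"], int(r["Port"]) if with_ports else 0)})
    fmt = (lambda h, p: f"{h}:{p}") if with_ports else (lambda h, p: h)
    return [f"{sev};{name};" + ", ".join(fmt(h, p) for h, p in sorted(hosts, key=lambda t: (host_key(t[0]), t[1])))
            for (sev, name), hosts in items]

def cve_list(rows):
    """'Severity;Name;CVE, CVE' lines; the third field is empty when no CVE is assigned."""
    items = _group(rows, lambda r: {c.strip() for c in r["CVE"].split(",") if c.strip()})
    return [f"{sev};{name};{', '.join(sorted(cves))}" for (sev, name), cves in items]
```

Running `grep ';22;tcp'` over the output of `open_ports` on the sample yields both SSH hosts, exactly as the cut command above expects.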
Grab your copy
The yanp.sh parser tool lives in our InfosecMatter Github repository here.
It works out-of-the-box on any Linux distribution, including Kali Linux.
Limitations
Compatibility. As of now the parser doesn’t work on Mac OS X. Although it is written in Bash and has no dependencies other than the standard Linux text-processing utilities, OS X often ships with different (non-GNU) versions of those utilities.
Speed. If the Nessus scan results are very big, the parser can take several minutes to complete. On the other hand, once a result has been processed, the parser will not process it again. The parser can be re-run at any time if there are new results in the current working directory, and it will only rework the consolidated results.
Conclusion
Although this parser is not perfect, in most situations it is exactly what we need for reporting purposes and for extracting information from Nessus results. It works out-of-the-box in Kali Linux, from where we usually run Nessus as well. Thus, it makes a perfect companion to the Nessus scanner on our testing machines. We hope you will find it useful too!
If you like our tools and you would like more, please do subscribe to our mailing list and follow us on Twitter, Facebook or Github to get notified about new additions!