Nessus Parsing Tools – Origins

2010-04

While on an engagement a while ago, I noticed that the testers' workflow was time-consuming, as they were scrolling through Nessus reports to find vulnerabilities that they needed to either confirm or dig into deeper. There were many findings that could automatically be written up because the supporting information in the output was good enough and there was no need to prove out the vulnerability. And of course there were informational things in the report like traceroute output, ping times, MAC address, operating system, etc. Good information to have, but not really needed while in vulnerability assessment / penetration testing mode.

What was needed was a way to show only the interesting things to focus on. So we took the NBE file, dumped it into a SQLite database, and wrote some SQL statements so we could extract the data. At the core of the scripts, there are three reports that they can generate.

  • report_auto generates a web page that contains findings to simply write up. For each vulnerability type there is a table with IP and supporting information columns.
  • report_manual generates a web page that contains findings or information to pursue.
  • report_unsorted generates a web page of findings where we haven’t classified the vulnerability yet.
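The pipeline described above, as an added sketch that is not the project's own code: it loads NBE result lines into SQLite and splits findings into the auto, manual and unsorted buckets by plugin ID. The table layout, the function names, the placeholder plugin IDs and the sample data are assumptions made for illustration, and the reports are returned as grouped rows rather than rendered as web pages.

```python
import sqlite3

# Constructed sample in the pipe-delimited NBE layout; plugin IDs are placeholders.
SAMPLE_NBE = """\
timestamps|||scan_start|Thu Apr 1 10:00:00 2010|
results|10.0.0|10.0.0.5|ssh (22/tcp)
results|10.0.0|10.0.0.5|ssh (22/tcp)|90001|Security Warning|Weak setting found\\nDetails: example
results|10.0.0|10.0.0.5|http (80/tcp)|90002|Security Hole|Needs manual confirmation
results|10.0.0|10.0.0.7|general/udp|90003|Security Note|Hop list: example
results|10.0.0|10.0.0.7|http (80/tcp)|90001|Security Warning|Weak setting found
"""

# Hypothetical classification; the real lists of IDs belong to the project.
AUTO_IDS = {90001}
MANUAL_IDS = {90002}

def load_nbe(text):
    """Load 'results' rows that carry a plugin ID into an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE results (host TEXT, port TEXT, plugin_id INTEGER,"
               " severity TEXT, description TEXT)")
    for line in text.splitlines():
        fields = line.split("|", 6)  # the description may itself contain '|'
        if fields[0] != "results" or len(fields) < 7 or not fields[4].isdigit():
            continue  # skip timestamps and open-port rows without a finding
        _, _, host, port, pid, sev, desc = fields
        db.execute("INSERT INTO results VALUES (?,?,?,?,?)",
                   (host, port, int(pid), sev, desc.replace("\\n", "\n")))
    return db

def report(db, kind):
    """Return {plugin_id: [(host, port, description), ...]} for one report kind."""
    ids = {"auto": AUTO_IDS, "manual": MANUAL_IDS,
           "unsorted": AUTO_IDS | MANUAL_IDS}[kind]
    op = "NOT IN" if kind == "unsorted" else "IN"  # unsorted = not yet classified
    marks = ",".join("?" * len(ids))
    rows = db.execute(
        f"SELECT plugin_id, host, port, description FROM results"
        f" WHERE plugin_id {op} ({marks}) ORDER BY plugin_id, host", sorted(ids))
    tables = {}
    for pid, host, port, desc in rows:
        tables.setdefault(pid, []).append((host, port, desc))
    return tables

if __name__ == "__main__":
    db = load_nbe(SAMPLE_NBE)
    for kind in ("auto", "manual", "unsorted"):
        print(kind, report(db, kind))
```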

I do hope that others find these additions useful. I really hate it when testers have to spend time on low-level findings. Yes, they still need to be looked at and written up, but testers should be focusing on the interesting stuff. If you want to help with this project, tell us which Nessus IDs belong in the auto or manual report sections. Thanks and enjoy!