Friday, March 20, 2009

Episode #13 - Find Vulnerable Systems In A Nessus Export

Paul Says:

I use this command all the time to get a list of IP addresses that are vulnerable to a specified vulnerability in a Nessus .nsr output file:

Linux/OS X Command:
$ grep -h "CVE-2008-4250" *.nsr | cut -d"|" -f 1 | sort -u 

For bonus points, funnel those IP addresses through to Metasploit's msfcli and get shell on all of them in one command :)

Hal's Comments:

It's always a danger sign when you end up piping grep into cut -- usually this means you can create a single awk expression instead (and don't even get me started on people who pipe grep into awk):

$ awk -F'|' '/CVE-2008-4250/ {print $1}' *.nsr | sort -u
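To see both pipelines working on real-looking input, here is an added, self-contained script (not part of the original post or of Nessus) that writes a constructed pair of .nsr files into a scratch directory and runs Hal's awk form and Paul's grep|cut form against them. The assumed record layout is the pipe-delimited one both one-liners rely on: host|port|plugin-id|severity|description; the host names and IP addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original post: extract the unique hosts in a set
# of Nessus .nsr files that match a plugin/CVE string. Assumes the .nsr layout
# host|port|plugin-id|severity|description (constructed sample below).

# Write two constructed .nsr files into a scratch directory and print its path.
# The same host appears in both files and on more than one port so the
# de-duplication done by sort -u actually has something to do.
make_sample_nsr() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/scan1.nsr" <<'EOF'
192.168.1.10|445/tcp|34476|Hole|MS08-067 Server service RPC flaw CVE-2008-4250
192.168.1.10|80/tcp|10107|Info|HTTP Server Type and Version
192.168.1.22|445/tcp|34476|Hole|MS08-067 Server service RPC flaw CVE-2008-4250
EOF
    cat > "$sample_dir/scan2.nsr" <<'EOF'
192.168.1.22|445/tcp|34476|Hole|MS08-067 Server service RPC flaw CVE-2008-4250
10.0.0.5|22/tcp|10267|Info|SSH Server Type and Version
EOF
    echo "$sample_dir"
}

# Hal's form: one awk expression. The field separator is '|', the pattern
# is matched with index() so the search string is taken literally rather than
# as a regex, and $1 (the host field) is printed for every matching record.
# sort -u collapses repeats across files and ports.
vulnerable_hosts() {
    cve=$1; shift
    awk -F'|' -v cve="$cve" 'index($0, cve) {print $1}' "$@" | sort -u
}

# Paul's form for comparison: grep -h suppresses the "filename:" prefix that
# grep adds when given several files, so cut sees the raw record and can
# take field 1 on the '|' delimiter.
vulnerable_hosts_cut() {
    cve=$1; shift
    grep -h "$cve" "$@" | cut -d'|' -f1 | sort -u
}

# Stand-alone run: prints 192.168.1.10 and 192.168.1.22, one per line.
scratch=$(make_sample_nsr)
vulnerable_hosts CVE-2008-4250 "$scratch"/*.nsr
rm -rf "$scratch"
```

The awk version uses `index()` rather than a `/regex/` so that a plugin name or CVE string containing regex metacharacters (a dot in "MS08.067", say) is matched as typed; with a plain CVE identifier the two forms give identical results.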

Paul's Comments:

That is slick! I've never been truly happy with cut and will spend some more time with the search feature in awk; it looks MUCH cleaner.

Ed Responds:

I'm glad you two have made up and are friends again. As for my answer... first off, aren't nsr reports deprecated? Isn't nbe the way to go these days?

Anyway, to do this at a shell that actually makes you work for a living, you could run:

C:\> for /F "delims=:| tokens=2" %i in ('findstr CVE-2008-4250 *.nsr') do @echo %i

Starting from the center command and working outward, I'm invoking findstr to look for the string CVE-2008-4250 in all .nsr files. That command will execute in my FOR /F loop because it's in single quotes (' '). I'll have one line of output for each line that contains that string, of the form filename:line. I take those lines of output and iterate over them in my FOR /F loop, with delimiters of : and |. That way, it'll split up my file name (before the colon) and IP address in the NSR file (before the |). I set my iterator variable to the token 2, so that it will take on the IP address from the file. I simply then echo out the contents of that variable.

All in all, a pretty standard use of FOR /F loops to parse the output of a command, in this case, the findstr command. You could sort it alphanumerically (sigh... not numerically) by putting parens around the whole shebang and piping it through sort, if you really want to. There you have it.

Paul Responds:

Ed and I had a discussion about Nessus file formats, and I will spare everyone any confusion and provide the following link:

At one time, .nsr was the way to go, however I recommend that people start looking into the .nessus (XML) format. We'll save that for a future episode :)