Import original source of Parse-Nessus-NBE 1.1 Christopher Hoskin 9 years ago
6 changed file(s) with 712 addition(s) and 0 deletion(s).
0 Revision history for Perl extension Parse::Nessus::NBE
1
2 1.1 Tue Apr 27 16:06:21 2004
3 - added one function (nstatvulns)
4 - added %EXPORT_TAG support, thanks Gwen <gwen@reptiles.org>
5 - updated POD
6
7 1.0 Thu Jan 22 23:13:31 2004
8 - added two functions (nstatos, nstatservices)
9 - updated POD
10
11 0.01 Mon May 12 22:18:39 2003
12 - original version; created by h2xs 1.22 with options
13 -X -n Parse::Nessus::NBE
14
0 Changes
1 Makefile.PL
2 MANIFEST
3 NBE.pm
4 README
5 t/1.t
0 use 5.008;
1 use ExtUtils::MakeMaker;
2 # See lib/ExtUtils/MakeMaker.pm for details of how to influence
3 # the contents of the Makefile that is written.
4 WriteMakefile(
5 'NAME' => 'Parse::Nessus::NBE',
6 'VERSION_FROM' => 'NBE.pm', # finds $VERSION
7 'PREREQ_PM' => {}, # e.g., Module::Name => 1.1
8 ($] >= 5.005 ? ## Add these new keywords supported since 5.005
9 (ABSTRACT_FROM => 'NBE.pm', # retrieve abstract from module
10 AUTHOR => 'David J Kyger <dave@norootsquash.net>') : ()),
11 );
0
1 package Parse::Nessus::NBE;
2
3 use strict;
4 use vars qw/ $VERSION @ISA @EXPORT_OK %EXPORT_TAGS /;
5
6 require Exporter;
7
8 @ISA = qw/ Exporter /;
9 @EXPORT_OK =
10 qw/ nbanners nports nplugin nwebdirs nnfs nos nsnmp nstatos nstatservices nstatvulns /;
11 %EXPORT_TAGS = (all => [qw/ nbanners nports nplugin nwebdirs nnfs nos nsnmp nstatos nstatservices nstatvulns /] );
12 $VERSION = '1.1';
13
14 use constant WEBDIR => 11032; # nessus plugin id for web directories discovered
15 use constant NFS => 10437; # nessus plugin id for nfs shares discovered
16 use constant NMAP1 => 10336; # nessus plugin id for Nmap OS guess
17 use constant NMAP2 => 11268; # nessus plugin id for Nmap OS guess
18 use constant QUESO => 10337; # nessus plugin id for QueSO OS guess
19
20 sub nbanners {
21 my (@ndata) = @_;
22 my (@banners);
23 foreach my $nbanner (@ndata) {
24 if ( $nbanner =~ /emote(.*)server (banner|type)/ ) {
25 my @result = split ( /\|/, $nbanner );
26 $result[6] =~ s/^(.*)\:\\n|Solution (.*)$|\\r|\\n//g;
27 push @banners, join "|", $result[2], $result[6];
28 }
29 }
30 return @banners;
31 }
32
33 sub nports {
34 my (@ndata) = @_;
35 my (@ports);
36 my $nport = pop (@ndata);
37 foreach my $ndata (@ndata) {
38 my @result = split ( /\|/, $ndata );
39 if ( $result[4] ) {
40 next;
41 }
42 elsif ( $result[3] =~ /\($nport\// ) {
43 push @ports, join "|", $result[2], $result[3];
44 }
45 }
46 return @ports;
47 }
48
49 sub nplugin {
50 my (@ndata) = @_;
51 my (@plugins);
52 my $nplugin = pop (@ndata);
53 foreach my $ndata (@ndata) {
54 my @result = split ( /\|/, $ndata );
55 if ( !$result[4] ) {
56 next;
57 }
58 elsif ( $result[4] =~ /$nplugin/ ) {
59 $result[6] =~ s/\\n//;
60 push @plugins, join "|", $result[2], $result[3], $result[6];
61 }
62 }
63 return @plugins;
64 }
65
66 sub nwebdirs {
67 my (@ndata) = @_;
68 my (@webdirs);
69 my $webdirplugin = WEBDIR;
70 foreach my $ndata (@ndata) {
71 my @result = split ( /\|/, $ndata );
72 if ( !$result[4] ) {
73 next;
74 }
75 elsif ( $result[4] =~ /$webdirplugin/ ) {
76 $result[6] =~ s/(^(.*)discovered\:|\\n|,)//g;
77 $result[6] =~ s/The following(.*)authentication:/\|/;
78 push @webdirs, join "|", $result[2], $result[3], $result[6];
79 }
80 }
81 return @webdirs;
82 }
83
84 sub nnfs {
85 my (@ndata) = @_;
86 my (@nfs);
87 my $nfsplugin = NFS;
88 foreach my $ndata (@ndata) {
89 my @result = split ( /\|/, $ndata );
90 if ( !$result[4] ) {
91 next;
92 }
93 elsif ( $result[4] =~ /$nfsplugin/ ) {
94 $result[6] =~ s/^(.*) \: \\n|\\n\\n(.*)$//g;
95 $result[6] =~ s/\\n/,/g;
96 push @nfs, join "|", $result[2], $result[3], $result[6];
97 }
98 }
99 return @nfs;
100 }
101
102 sub nos {
103 my (@ndata) = @_;
104 my (@os);
105 foreach my $ndata (@ndata) {
106 if ( $ndata =~
107 m/10336\|Security Note|11268\|Security Note|10337\|Security Note/ )
108 {
109 my @result = split ( /\|/, $ndata );
110 if ( $result[4] eq NMAP1 ) {
111 $result[6] =~ s/(Nmap(.*)running |(\;|\\n))//g;
112 push @os, join "|", $result[2], $result[6];
113 }
114 elsif ( $result[4] eq NMAP2 ) {
115 $result[6] =~ s/(Remote OS guess : |\\n\\n(.*)$)//g;
116 push @os, join "|", $result[2], $result[6];
117 }
118 elsif ( $result[4] eq QUESO ) {
119 $result[6] =~
120 s/(QueSO has(.*)\\n\*|\\n\\n\\nCVE (.*)$| \(by (.*)$)//g;
121 push @os, join "|", $result[2], $result[6];
122 }
123 }
124 }
125 return @os;
126 }
127
128 sub nsnmp {
129 my (@ndata) = @_;
130 my (@snmp);
131 foreach my $ndata (@ndata) {
132 if ( $ndata =~ m/10264\|Security Hole\|/ ) {
133 my @result = split ( /\|/, $ndata );
134 $result[6] =~ s/\\nSNMP Agent(.*?)community name: //;
135 $result[6] =~
136 s/(\\nSNMP Agent (.*?)community name: |\\nCVE(.*)$)/ /g;
137 push @snmp, join "|", $result[2], $result[6];
138 }
139 }
140 return @snmp;
141 }
142
143 sub nstatos {
144 my (@ndata) = @_;
145 my (@allos);
146 foreach my $ndata (@ndata) {
147 if ( $ndata =~
148 m/10336\|Security Note|11268\|Security Note|10337\|Security Note/ )
149 {
150 my @result = split ( /\|/, $ndata );
151 chomp $result[6];
152 if ( $result[4] eq NMAP1 ) {
153 $result[6] =~ s/(Nmap(.*)running |(\;|\\n))//g;
154 push @allos, $result[6];
155 }
156 elsif ( $result[4] eq NMAP2 ) {
157 $result[6] =~ s/(Remote OS guess : |\\n\\n(.*)$)//g;
158 push @allos, $result[6];
159 }
160 elsif ( $result[4] eq QUESO ) {
161 $result[6] =~
162 s/(QueSO has(.*)\\n\*|\\n\\n\\nCVE (.*)$| \(by (.*)$)//g;
163 push @allos, $result[6];
164 }
165 }
166 }
167 my %count;
168 map { $count{$_}++ } @allos;
169 my @rearranged = sort { $count{$b} <=> $count{$a} } keys %count;
170 my @graphos;
171 foreach (@rearranged) {
172 push @graphos, join "|", $_, "$count{$_}\n";
173 }
174 return @graphos;
175 }
176
177 sub nstatservices {
178 my (@ndata) = @_;
179 my (@allports);
180 foreach my $ndata (@ndata) {
181 my @result = split ( /\|/, $ndata );
182 if ( $result[4] ) {
183 next;
184 }
185 else {
186 chomp $result[3];
187 push @allports, $result[3];
188 }
189 }
190 my %count;
191 map { $count{$_}++ } @allports;
192 my @rearranged = sort { $count{$b} <=> $count{$a} } keys %count;
193 my @graphservices;
194 foreach (@rearranged) {
195 push @graphservices, join "|", $_, "$count{$_}\n";
196 }
197 return @graphservices;
198 }
199
200 sub nstatvulns {
201 my (@ndata) = @_;
202 my (@allvuln);
203 my $nsevval = pop (@ndata);
204 my $nseverity;
205 if ($nsevval == 1) {
206 $nseverity = "Hole";
207 }
208 elsif ($nsevval == 2) {
209 $nseverity = "Warning";
210 }
211 elsif ($nsevval == 3) {
212 $nseverity = "Note";
213 }
214 foreach my $ndata (@ndata) {
215 my @result = split ( /\|/, $ndata );
216 if (! $result[5]) {
217 next;
218 }
219 elsif ( $result[5] =~ /Security $nseverity/ ) {
220 push @allvuln, $result[4];
221 }
222 }
223 my %count;
224 map { $count{$_}++ } @allvuln;
225 my @rearranged = sort { $count{$b} <=> $count{$a} } keys %count;
226 my @graphvuln;
227 foreach (@rearranged) {
228 push @graphvuln, join "|", $_, "$count{$_}\n";
229 }
230 return @graphvuln;
231 }
232
233 1;
234
235 __END__
236
237 =pod
238
239 =head1 NAME
240
241 Parse::Nessus::NBE - use to extract specific data from Nessus NBE files
242
243 =head1 SYNOPSIS
244
245 use Parse::Nessus::NBE;
246
247 function(@nessusdata);
248
249 function(@nessusdata,$query);
250
251 =head1 DESCRIPTION
252
253 This module is designed to extract information from Nessus NBE files. Functions have been designed to return certain sets of data, such as service banners and OS versions. Other functions have been provided that will return more specific information, such as all IPs listening on a given port or all IPs associated with a specified plugin id.
254
255 =head1 EXAMPLES
256
257 To obtain a list of banners
258
259 my @banners = nbanners(@nessusdata);
260 print @banners;
261
262 # returns
263 IP|service banner
264
265 # example
266 192.168.0.5|CompaqHTTPServer/2.1
267 192.168.0.11|Apache/1.3.26 (Unix) mod_perl/1.24
268 192.168.0.30|Microsoft-IIS/5.0
269 192.168.0.31|220 cpan01 FTP server (SunOS 5.8) ready.
270 192.168.0.51|NetWare HTTP Stack
271 192.168.0.99|220 Service ready for new user.
272 ...
273
274 To query by port
275
276 my $port = 80;
277 my @ports = nports(@nessusdata,$port);
278 print @ports;
279
280 # returns
281 IP|specified port
282
283 # example
284 192.168.0.5|ssh (22/tcp)
285 192.168.0.6|ssh (22/tcp)
286 192.168.0.8|ssh (22/tcp)
287 192.168.0.23|ssh (22/tcp)
288 192.168.0.89|ssh (22/tcp)
289 ...
290
291 To obtain a list of web directories
292
293 my @webdirs = nwebdirs(@nessusdata);
294 print @webdirs;
295
296 # returns
297 IP|web port|web dir(s)|web dir(s) requiring authentication
298
299 # example
300 192.168.0.21|http (80/tcp)|/css /design /downloads /images /js
301 192.168.0.43|http (80/tcp)|/images /public|/console
302 192.168.0.47|https (443/tcp)|/files /html /images /js /jsp
303 192.168.0.101|https (443/tcp)|/application /common /images /report|/printers
304 192.168.0.110|http (80/tcp)|/admin
305 ...
306
307 To obtain a list of nfs shares
308
309 my @nfs = nnfs(@nessusdata);
310 print @nfs;
311
312 # returns
313 IP|nfs port|nfs share(s)
314
315 # example
316 192.168.0.11|nfs (2049/tcp)|/apps (mountable by everyone)
317 192.168.0.31|nfs (2049/tcp)|/cdrom (mountable by everyone)
318 192.168.0.28|nfs (2049/tcp)|/data (mountable by everyone)
319 192.168.0.45|nfs (2049/tcp)|You are running a superfluous NFS daemon...
320 192.168.0.108|nfs (2049/tcp)|You are running a superfluous NFS daemon...
321 ...
322
323 To obtain a OS listing
324
325 my @os = nos(@nessusdata);
326 print @os;
327
328 # returns
329 IP|OS version
330
331 # example
332 192.168.0.1|IOS 12.1.5-12.2(6a), Cisco IOS 12.1(5)-12.2(7a)
333 192.168.0.154|Linux 2.1.19 - 2.2.20
334 192.168.0.111|HP Advancestack Etherswitch 224T or 210
335 192.168.0.92|AIX 4.2-4.3.3
336 192.168.0.10|NT Server 4.0 SP4-SP5 running Checkpoint Firewall-1
337 ...
338
339 To obtain a listing of SNMP community strings
340
341 my @snmp = nsnmp(@nessusdata);
342 print @snmp;
343
344 # returns
345 IP|SNMP community string(s)
346
347 # example
348 192.168.0.1|private public
349 192.168.0.111|public
350 192.168.0.121|private public
351 192.168.0.128|private public
352 192.168.0.145|public
353 ...
354
355 To query by plugin id
356
357 my $plugin = 10667;
358 my @plugin = nplugin(@nessusdata,$plugin);
359 print @plugin;
360
361 # returns
362 IP|port|plugin data
363
364 # example
365 192.168.0.202|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
366 192.168.0.222|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
367 192.168.0.235|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
368 192.168.0.236|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
369 192.168.0.237|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
370 ...
371
372 To obtain a OS count, useful for graphing
373
374 my @countos = nstatos(nessusdata);
375 print @countos;
376
377 # returns
378 OS version|count
379
380 # example
381 Windows NT4 or 95/98/98SE|17
382 Windows 2000 Advanced Server SP3|14
383 TOPS-20 Monitor 7(21733),KL-10 (DEC 2065)|11
384 Cisco router running IOS 12.1.5-12.2.13a|11
385 PS2 Linux 1.0|9
386 Linux 2.4.17 on HP 9000 s700|7
387 Cisco 2620 running IOS 12.1(6)|6
388 Windows 2000 Server SP3|5
389 Windows NT4 Workstation SP6a|4
390 Nortel/Alteon ACE Director 3 Version 6.0.42-B|4
391
392 To obtain a service count, useful for graphing
393
394 my @countservices = nstatservices(nessusdata);
395 print @countservices;
396
397 # returns
398 service port|count
399
400 #example
401 http (80/tcp)|69
402 telnet (23/tcp)|48
403 netbios-ssn (139/tcp)|48
404 https (443/tcp)|46
405 loc-srv (135/tcp)|42
406 ftp (21/tcp)|39
407 smtp (25/tcp)|34
408 pcanywheredata (5631/tcp)|30
409 ssh (22/tcp)|25
410 sun-answerbook (8888/tcp)|22
411
412 To obtain a vulnerability count, useful for graphing
413
414 # note: options are as follows:
415 # 1 returns high severity vulnerabilties
416 # 2 returns medium severity vulnerabilities
417 # 3 returns low level security notes
418
419 my @countvulns = nstatvulns(@nessusdata,1);
420 print @countvulns;
421
422 #returns
423 plugin id|count
424
425 #example
426 11875|40
427 11412|17
428 10116|12
429 11856|11
430 10932|10
431 10937|7
432 11793|6
433
434 =head1 AUTHOR
435
436 David J Kyger <dave@norootsquash.net>
437
438 =head1 Thanks
439
440 Gwendolynn ferch Elydyr <gwen@reptiles.org>
441
442 =head1 COPYRIGHT
443
444 Copyright 2003 David J Kyger. All rights reserved.
445
446 This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
447
448 =cut
449
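Review bot: `nplugin` selects records with `$result[4] =~ /$nplugin/`, an unanchored and unescaped pattern built from the caller's argument, so an id such as 1066 also selects 10667 and any regex metacharacter in the argument is interpreted; `nwebdirs` and `nnfs` match their plugin-id constants the same way. Findings attributed to the wrong plugin are a reporting-integrity problem when the output feeds vulnerability triage. `nos` already compares with string equality, and the same works here: `elsif ( $result[4] eq $nplugin ) {`; in `nports` the port should be quoted, `elsif ( $result[3] =~ /\(\Q$nport\E\// ) {`. `nstatvulns` has a related gap: a severity other than 1, 2 or 3 leaves `$nseverity` undefined, and because the module enables `strict` but not `warnings`, `/Security $nseverity/` then silently counts every severity; a bare `return;` for an unknown value would avoid that.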
0 Parse::Nessus::NBE version 1.1
1 ===============================
2
3 DESCRIPTION
4
5 This module is designed to extract information from Nessus NBE
6 files. Functions have been designed to return certain sets of data,
7 such as service banners and OS versions. Other functions have been
8 provided that will return more specific information, such as all IPs
9 listening on a given port or all IPs associated with a specified plugin
10 id.
11
12 To install:
13
14 % perl Makefile.PL
15 % make
16 % make test
17 % make install
18
19 Examples:
20
21 To obtain a list of banners
22
23 my @banners = nbanners(@nessusdata);
24 print @banners;
25
26 # returns
27 IP|service banner
28
29 # example
30 192.168.0.5|CompaqHTTPServer/2.1
31 192.168.0.11|Apache/1.3.26 (Unix) mod_perl/1.24
32 192.168.0.30|Microsoft-IIS/5.0
33 192.168.0.31|220 cpan01 FTP server (SunOS 5.8) ready.
34 192.168.0.51|NetWare HTTP Stack
35 192.168.0.99|220 Service ready for new user.
36 ...
37
38 To query by port
39
40 my $port = 22;
41 my @ports = nports(@nessusdata,$port);
42 print @ports;
43
44 # returns
45 IP|specified port
46
47 # example
48 192.168.0.5|ssh (22/tcp)
49 192.168.0.6|ssh (22/tcp)
50 192.168.0.8|ssh (22/tcp)
51 192.168.0.23|ssh (22/tcp)
52 192.168.0.89|ssh (22/tcp)
53 ...
54
55 To obtain a list of web directories
56
57 my @webdirs = nwebdirs(@nessusdata);
58 print @webdirs;
59
60 # returns
61 IP|web port|web dir(s)|web dir(s) requiring authentication
62
63 # example
64 192.168.0.21|http (80/tcp)|/css /design /downloads /images /js
65 192.168.0.43|http (80/tcp)|/images /public|/console
66 192.168.0.47|https (443/tcp)|/files /html /images /js /jsp
67 192.168.0.101|https (443/tcp)|/application /report|/printers
68 192.168.0.110|http (80/tcp)|/admin
69 ...
70
71 To obtain a list of nfs shares
72
73 my @nfs = nnfs(@nessusdata);
74 print @nfs;
75
76 # returns
77 IP|nfs port|nfs share(s)
78
79 # example
80 192.168.0.11|nfs (2049/tcp)|/apps (mountable by everyone)
81 192.168.0.31|nfs (2049/tcp)|/cdrom (mountable by everyone)
82 192.168.0.28|nfs (2049/tcp)|/data (mountable by everyone)
83 192.168.0.45|nfs (2049/tcp)|You are running a superfluous NFS daemon...
84 192.168.0.108|nfs (2049/tcp)|You are running a superfluous NFS daemon...
85 ...
86
87 To obtain a OS listing
88
89 my @os = nos(@nessusdata);
90 print @os;
91
92 # returns
93 IP|OS version
94
95 # example
96 192.168.0.1|IOS 12.1.5-12.2(6a), Cisco IOS 12.1(5)-12.2(7a)
97 192.168.0.154|Linux 2.1.19 - 2.2.20
98 192.168.0.111|HP Advancestack Etherswitch 224T or 210
99 192.168.0.92|AIX 4.2-4.3.3
100 192.168.0.10|NT Server 4.0 SP4-SP5 running Checkpoint Firewall-1
101 ...
102
103 To obtain a listing of SNMP community strings
104
105 my @snmp = nsnmp(@nessusdata);
106 print @snmp;
107
108 # returns
109 IP|SNMP community string(s)
110
111 # example
112 192.168.0.1|private public
113 192.168.0.111|public
114 192.168.0.121|private public
115 192.168.0.128|private public
116 192.168.0.145|public
117 ...
118
119 To query by plugin id
120
121 my $plugin = 10667;
122 my @plugin = nplugin(@nessusdata,$plugin);
123 print @plugin;
124
125 # returns
126 IP|port|plugin data
127
128 # example
129 192.168.0.202|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
130 192.168.0.222|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
131 192.168.0.235|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
132 192.168.0.236|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
133 192.168.0.237|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
134 ...
135
136 To obtain a OS count, useful for graphing
137
138 my @countos = nstatos(@nessusdata);
139 print @countos;
140
141 # returns
142 OS version|count
143
144 # example
145 Windows NT4 or 95/98/98SE|17
146 Windows 2000 Advanced Server SP3|14
147 TOPS-20 Monitor 7(21733),KL-10 (DEC 2065)|11
148 Cisco router running IOS 12.1.5-12.2.13a|11
149 PS2 Linux 1.0|9
150 Linux 2.4.17 on HP 9000 s700|7
151 Cisco 2620 running IOS 12.1(6)|6
152 Windows 2000 Server SP3|5
153 Windows NT4 Workstation SP6a|4
154 Nortel/Alteon ACE Director 3 Version 6.0.42-B|4
155
156 To obtain a service count, useful for graphing
157
158 my @countservices = nstatservices(@nessusdata);
159 print @countservices;
160
161 # returns
162 service port|count
163
164 #example
165 http (80/tcp)|69
166 telnet (23/tcp)|48
167 netbios-ssn (139/tcp)|48
168 https (443/tcp)|46
169 loc-srv (135/tcp)|42
170 ftp (21/tcp)|39
171 smtp (25/tcp)|34
172 pcanywheredata (5631/tcp)|30
173 ssh (22/tcp)|25
174 sun-answerbook (8888/tcp)|22
175
176 To obtain a vulnerability count, useful for graphing
177
178 # note: options are as follows:
179 # 1 returns high severity vulnerabilties
180 # 2 returns medium severity vulnerabilities
181 # 3 returns low level security notes
182
183 my @countvulns = nstatvulns(@nessusdata,1);
184 print @countvulns;
185
186 #returns
187 plugin id|count
188
189 #example
190 11875|40
191 11412|17
192 10116|12
193 11856|11
194 10932|10
195 10937|7
196 11793|6
197
198 For documentation:
199
200 % perldoc Parse::Nessus::NBE
201
202 If you find this module to be useful, please let me know. All comments
203 and requests for additions are welcome.
204
205 thanks go to dragonchild and hmerrill of Perl Monks for the initial
206 review of this module.
207
208 thanks also to Gwen <gwen@reptiles.org> for the %EXPORT_TAGS patch
209
210 David J Kyger <dave@norootsquash.net>
211
212 http://www.norootsquash.net
213
0 # Before `make install' is performed this script should be runnable with
1 # `make test'. After `make install' it should work as `perl 1.t'
2
3 #########################
4
5 # change 'tests => 1' to 'tests => last_test_to_print';
6
7 use Test::More tests => 1;
8 BEGIN { use_ok('Parse::Nessus::NBE') };
9
10 #########################
11
12 # Insert your test code below, the Test::More module is use()ed here so read
13 # its man page ( perldoc Test::More ) for help writing this test script.
14
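Review bot: The only test is `use_ok`, so none of the ten parsing functions is exercised and a regression in the field indexes or substitution patterns would still pass `make test`. A small fixture-based check per function would cover that, for example with a constructed sample record: `is_deeply [ Parse::Nessus::NBE::nports("results|192.168.0|192.168.0.5|ssh (22/tcp)", 22) ], [ "192.168.0.5|ssh (22/tcp)" ], 'nports';` and the plan raised to `tests => 2`. The call is written fully qualified because `use_ok` without an import list does not bring in the `@EXPORT_OK` names.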