|
0 |
|
|
1 |
package Parse::Nessus::NBE;
|
|
2 |
|
|
3 |
use strict;
|
|
4 |
use vars qw/ $VERSION @ISA @EXPORT_OK %EXPORT_TAGS /;
|
|
5 |
|
|
6 |
require Exporter;
|
|
7 |
|
|
8 |
@ISA = qw/ Exporter /;
|
|
9 |
@EXPORT_OK =
|
|
10 |
qw/ nbanners nports nplugin nwebdirs nnfs nos nsnmp nstatos nstatservices nstatvulns /;
|
|
11 |
%EXPORT_TAGS = (all => [qw/ nbanners nports nplugin nwebdirs nnfs nos nsnmp nstatos nstatservices nstatvulns /] );
|
|
12 |
$VERSION = '1.1';
|
|
13 |
|
|
14 |
use constant WEBDIR => 11032; # nessus plugin id for web directories discovered
|
|
15 |
use constant NFS => 10437; # nessus plugin id for nfs shares discovered
|
|
16 |
use constant NMAP1 => 10336; # nessus plugin id for Nmap OS guess
|
|
17 |
use constant NMAP2 => 11268; # nessus plugin id for Nmap OS guess
|
|
18 |
use constant QUESO => 10337; # nessus plugin id for QueSO OS guess
|
|
19 |
|
|
20 |
sub nbanners {
|
|
21 |
my (@ndata) = @_;
|
|
22 |
my (@banners);
|
|
23 |
foreach my $nbanner (@ndata) {
|
|
24 |
if ( $nbanner =~ /emote(.*)server (banner|type)/ ) {
|
|
25 |
my @result = split ( /\|/, $nbanner );
|
|
26 |
$result[6] =~ s/^(.*)\:\\n|Solution (.*)$|\\r|\\n//g;
|
|
27 |
push @banners, join "|", $result[2], $result[6];
|
|
28 |
}
|
|
29 |
}
|
|
30 |
return @banners;
|
|
31 |
}
|
|
32 |
|
|
33 |
sub nports {
|
|
34 |
my (@ndata) = @_;
|
|
35 |
my (@ports);
|
|
36 |
my $nport = pop (@ndata);
|
|
37 |
foreach my $ndata (@ndata) {
|
|
38 |
my @result = split ( /\|/, $ndata );
|
|
39 |
if ( $result[4] ) {
|
|
40 |
next;
|
|
41 |
}
|
|
42 |
elsif ( $result[3] =~ /\($nport\// ) {
|
|
43 |
push @ports, join "|", $result[2], $result[3];
|
|
44 |
}
|
|
45 |
}
|
|
46 |
return @ports;
|
|
47 |
}
|
|
48 |
|
|
49 |
sub nplugin {
|
|
50 |
my (@ndata) = @_;
|
|
51 |
my (@plugins);
|
|
52 |
my $nplugin = pop (@ndata);
|
|
53 |
foreach my $ndata (@ndata) {
|
|
54 |
my @result = split ( /\|/, $ndata );
|
|
55 |
if ( !$result[4] ) {
|
|
56 |
next;
|
|
57 |
}
|
|
58 |
elsif ( $result[4] =~ /$nplugin/ ) {
|
|
59 |
$result[6] =~ s/\\n//;
|
|
60 |
push @plugins, join "|", $result[2], $result[3], $result[6];
|
|
61 |
}
|
|
62 |
}
|
|
63 |
return @plugins;
|
|
64 |
}
|
|
65 |
|
|
66 |
sub nwebdirs {
|
|
67 |
my (@ndata) = @_;
|
|
68 |
my (@webdirs);
|
|
69 |
my $webdirplugin = WEBDIR;
|
|
70 |
foreach my $ndata (@ndata) {
|
|
71 |
my @result = split ( /\|/, $ndata );
|
|
72 |
if ( !$result[4] ) {
|
|
73 |
next;
|
|
74 |
}
|
|
75 |
elsif ( $result[4] =~ /$webdirplugin/ ) {
|
|
76 |
$result[6] =~ s/(^(.*)discovered\:|\\n|,)//g;
|
|
77 |
$result[6] =~ s/The following(.*)authentication:/\|/;
|
|
78 |
push @webdirs, join "|", $result[2], $result[3], $result[6];
|
|
79 |
}
|
|
80 |
}
|
|
81 |
return @webdirs;
|
|
82 |
}
|
|
83 |
|
|
84 |
sub nnfs {
|
|
85 |
my (@ndata) = @_;
|
|
86 |
my (@nfs);
|
|
87 |
my $nfsplugin = NFS;
|
|
88 |
foreach my $ndata (@ndata) {
|
|
89 |
my @result = split ( /\|/, $ndata );
|
|
90 |
if ( !$result[4] ) {
|
|
91 |
next;
|
|
92 |
}
|
|
93 |
elsif ( $result[4] =~ /$nfsplugin/ ) {
|
|
94 |
$result[6] =~ s/^(.*) \: \\n|\\n\\n(.*)$//g;
|
|
95 |
$result[6] =~ s/\\n/,/g;
|
|
96 |
push @nfs, join "|", $result[2], $result[3], $result[6];
|
|
97 |
}
|
|
98 |
}
|
|
99 |
return @nfs;
|
|
100 |
}
|
|
101 |
|
|
102 |
sub nos {
|
|
103 |
my (@ndata) = @_;
|
|
104 |
my (@os);
|
|
105 |
foreach my $ndata (@ndata) {
|
|
106 |
if ( $ndata =~
|
|
107 |
m/10336\|Security Note|11268\|Security Note|10337\|Security Note/ )
|
|
108 |
{
|
|
109 |
my @result = split ( /\|/, $ndata );
|
|
110 |
if ( $result[4] eq NMAP1 ) {
|
|
111 |
$result[6] =~ s/(Nmap(.*)running |(\;|\\n))//g;
|
|
112 |
push @os, join "|", $result[2], $result[6];
|
|
113 |
}
|
|
114 |
elsif ( $result[4] eq NMAP2 ) {
|
|
115 |
$result[6] =~ s/(Remote OS guess : |\\n\\n(.*)$)//g;
|
|
116 |
push @os, join "|", $result[2], $result[6];
|
|
117 |
}
|
|
118 |
elsif ( $result[4] eq QUESO ) {
|
|
119 |
$result[6] =~
|
|
120 |
s/(QueSO has(.*)\\n\*|\\n\\n\\nCVE (.*)$| \(by (.*)$)//g;
|
|
121 |
push @os, join "|", $result[2], $result[6];
|
|
122 |
}
|
|
123 |
}
|
|
124 |
}
|
|
125 |
return @os;
|
|
126 |
}
|
|
127 |
|
|
128 |
sub nsnmp {
|
|
129 |
my (@ndata) = @_;
|
|
130 |
my (@snmp);
|
|
131 |
foreach my $ndata (@ndata) {
|
|
132 |
if ( $ndata =~ m/10264\|Security Hole\|/ ) {
|
|
133 |
my @result = split ( /\|/, $ndata );
|
|
134 |
$result[6] =~ s/\\nSNMP Agent(.*?)community name: //;
|
|
135 |
$result[6] =~
|
|
136 |
s/(\\nSNMP Agent (.*?)community name: |\\nCVE(.*)$)/ /g;
|
|
137 |
push @snmp, join "|", $result[2], $result[6];
|
|
138 |
}
|
|
139 |
}
|
|
140 |
return @snmp;
|
|
141 |
}
|
|
142 |
|
|
143 |
sub nstatos {
|
|
144 |
my (@ndata) = @_;
|
|
145 |
my (@allos);
|
|
146 |
foreach my $ndata (@ndata) {
|
|
147 |
if ( $ndata =~
|
|
148 |
m/10336\|Security Note|11268\|Security Note|10337\|Security Note/ )
|
|
149 |
{
|
|
150 |
my @result = split ( /\|/, $ndata );
|
|
151 |
chomp $result[6];
|
|
152 |
if ( $result[4] eq NMAP1 ) {
|
|
153 |
$result[6] =~ s/(Nmap(.*)running |(\;|\\n))//g;
|
|
154 |
push @allos, $result[6];
|
|
155 |
}
|
|
156 |
elsif ( $result[4] eq NMAP2 ) {
|
|
157 |
$result[6] =~ s/(Remote OS guess : |\\n\\n(.*)$)//g;
|
|
158 |
push @allos, $result[6];
|
|
159 |
}
|
|
160 |
elsif ( $result[4] eq QUESO ) {
|
|
161 |
$result[6] =~
|
|
162 |
s/(QueSO has(.*)\\n\*|\\n\\n\\nCVE (.*)$| \(by (.*)$)//g;
|
|
163 |
push @allos, $result[6];
|
|
164 |
}
|
|
165 |
}
|
|
166 |
}
|
|
167 |
my %count;
|
|
168 |
map { $count{$_}++ } @allos;
|
|
169 |
my @rearranged = sort { $count{$b} <=> $count{$a} } keys %count;
|
|
170 |
my @graphos;
|
|
171 |
foreach (@rearranged) {
|
|
172 |
push @graphos, join "|", $_, "$count{$_}\n";
|
|
173 |
}
|
|
174 |
return @graphos;
|
|
175 |
}
|
|
176 |
|
|
177 |
sub nstatservices {
|
|
178 |
my (@ndata) = @_;
|
|
179 |
my (@allports);
|
|
180 |
foreach my $ndata (@ndata) {
|
|
181 |
my @result = split ( /\|/, $ndata );
|
|
182 |
if ( $result[4] ) {
|
|
183 |
next;
|
|
184 |
}
|
|
185 |
else {
|
|
186 |
chomp $result[3];
|
|
187 |
push @allports, $result[3];
|
|
188 |
}
|
|
189 |
}
|
|
190 |
my %count;
|
|
191 |
map { $count{$_}++ } @allports;
|
|
192 |
my @rearranged = sort { $count{$b} <=> $count{$a} } keys %count;
|
|
193 |
my @graphservices;
|
|
194 |
foreach (@rearranged) {
|
|
195 |
push @graphservices, join "|", $_, "$count{$_}\n";
|
|
196 |
}
|
|
197 |
return @graphservices;
|
|
198 |
}
|
|
199 |
|
|
200 |
sub nstatvulns {
|
|
201 |
my (@ndata) = @_;
|
|
202 |
my (@allvuln);
|
|
203 |
my $nsevval = pop (@ndata);
|
|
204 |
my $nseverity;
|
|
205 |
if ($nsevval == 1) {
|
|
206 |
$nseverity = "Hole";
|
|
207 |
}
|
|
208 |
elsif ($nsevval == 2) {
|
|
209 |
$nseverity = "Warning";
|
|
210 |
}
|
|
211 |
elsif ($nsevval == 3) {
|
|
212 |
$nseverity = "Note";
|
|
213 |
}
|
|
214 |
foreach my $ndata (@ndata) {
|
|
215 |
my @result = split ( /\|/, $ndata );
|
|
216 |
if (! $result[5]) {
|
|
217 |
next;
|
|
218 |
}
|
|
219 |
elsif ( $result[5] =~ /Security $nseverity/ ) {
|
|
220 |
push @allvuln, $result[4];
|
|
221 |
}
|
|
222 |
}
|
|
223 |
my %count;
|
|
224 |
map { $count{$_}++ } @allvuln;
|
|
225 |
my @rearranged = sort { $count{$b} <=> $count{$a} } keys %count;
|
|
226 |
my @graphvuln;
|
|
227 |
foreach (@rearranged) {
|
|
228 |
push @graphvuln, join "|", $_, "$count{$_}\n";
|
|
229 |
}
|
|
230 |
return @graphvuln;
|
|
231 |
}
|
|
232 |
|
|
233 |
1;
|
|
234 |
|
|
235 |
__END__
|
|
236 |
|
|
237 |
=pod
|
|
238 |
|
|
239 |
=head1 NAME
|
|
240 |
|
|
241 |
Parse::Nessus::NBE - use to extract specific data from Nessus NBE files
|
|
242 |
|
|
243 |
=head1 SYNOPSIS
|
|
244 |
|
|
245 |
use Parse::Nessus::NBE;
|
|
246 |
|
|
247 |
function(@nessusdata);
|
|
248 |
|
|
249 |
function(@nessusdata,$query);
|
|
250 |
|
|
251 |
=head1 DESCRIPTION
|
|
252 |
|
|
253 |
This module is designed to extract information from Nessus NBE files. Functions have been designed to return certain sets of data, such as service banners and OS versions. Other functions have been provided that will return more specific information, such as all IPs listening on a given port or all IPs associated with a specified plugin id.
|
|
254 |
|
|
255 |
=head1 EXAMPLES
|
|
256 |
|
|
257 |
To obtain a list of banners
|
|
258 |
|
|
259 |
my @banners = nbanners(@nessusdata);
|
|
260 |
print @banners;
|
|
261 |
|
|
262 |
# returns
|
|
263 |
IP|service banner
|
|
264 |
|
|
265 |
# example
|
|
266 |
192.168.0.5|CompaqHTTPServer/2.1
|
|
267 |
192.168.0.11|Apache/1.3.26 (Unix) mod_perl/1.24
|
|
268 |
192.168.0.30|Microsoft-IIS/5.0
|
|
269 |
192.168.0.31|220 cpan01 FTP server (SunOS 5.8) ready.
|
|
270 |
192.168.0.51|NetWare HTTP Stack
|
|
271 |
192.168.0.99|220 Service ready for new user.
|
|
272 |
...
|
|
273 |
|
|
274 |
To query by port
|
|
275 |
|
|
276 |
my $port = 80;
|
|
277 |
my @ports = nports(@nessusdata,$port);
|
|
278 |
print @ports;
|
|
279 |
|
|
280 |
# returns
|
|
281 |
IP|specified port
|
|
282 |
|
|
283 |
# example
|
|
284 |
192.168.0.5|ssh (22/tcp)
|
|
285 |
192.168.0.6|ssh (22/tcp)
|
|
286 |
192.168.0.8|ssh (22/tcp)
|
|
287 |
192.168.0.23|ssh (22/tcp)
|
|
288 |
192.168.0.89|ssh (22/tcp)
|
|
289 |
...
|
|
290 |
|
|
291 |
To obtain a list of web directories
|
|
292 |
|
|
293 |
my @webdirs = nwebdirs(@nessusdata);
|
|
294 |
print @webdirs;
|
|
295 |
|
|
296 |
# returns
|
|
297 |
IP|web port|web dir(s)|web dir(s) requiring authentication
|
|
298 |
|
|
299 |
# example
|
|
300 |
192.168.0.21|http (80/tcp)|/css /design /downloads /images /js
|
|
301 |
192.168.0.43|http (80/tcp)|/images /public|/console
|
|
302 |
192.168.0.47|https (443/tcp)|/files /html /images /js /jsp
|
|
303 |
192.168.0.101|https (443/tcp)|/application /common /images /report|/printers
|
|
304 |
192.168.0.110|http (80/tcp)|/admin
|
|
305 |
...
|
|
306 |
|
|
307 |
To obtain a list of nfs shares
|
|
308 |
|
|
309 |
my @nfs = nnfs(@nessusdata);
|
|
310 |
print @nfs;
|
|
311 |
|
|
312 |
# returns
|
|
313 |
IP|nfs port|nfs share(s)
|
|
314 |
|
|
315 |
# example
|
|
316 |
192.168.0.11|nfs (2049/tcp)|/apps (mountable by everyone)
|
|
317 |
192.168.0.31|nfs (2049/tcp)|/cdrom (mountable by everyone)
|
|
318 |
192.168.0.28|nfs (2049/tcp)|/data (mountable by everyone)
|
|
319 |
192.168.0.45|nfs (2049/tcp)|You are running a superfluous NFS daemon...
|
|
320 |
192.168.0.108|nfs (2049/tcp)|You are running a superfluous NFS daemon...
|
|
321 |
...
|
|
322 |
|
|
323 |
To obtain a OS listing
|
|
324 |
|
|
325 |
my @os = nos(@nessusdata);
|
|
326 |
print @os;
|
|
327 |
|
|
328 |
# returns
|
|
329 |
IP|OS version
|
|
330 |
|
|
331 |
# example
|
|
332 |
192.168.0.1|IOS 12.1.5-12.2(6a), Cisco IOS 12.1(5)-12.2(7a)
|
|
333 |
192.168.0.154|Linux 2.1.19 - 2.2.20
|
|
334 |
192.168.0.111|HP Advancestack Etherswitch 224T or 210
|
|
335 |
192.168.0.92|AIX 4.2-4.3.3
|
|
336 |
192.168.0.10|NT Server 4.0 SP4-SP5 running Checkpoint Firewall-1
|
|
337 |
...
|
|
338 |
|
|
339 |
To obtain a listing of SNMP community strings
|
|
340 |
|
|
341 |
my @snmp = nsnmp(@nessusdata);
|
|
342 |
print @snmp;
|
|
343 |
|
|
344 |
# returns
|
|
345 |
IP|SNMP community string(s)
|
|
346 |
|
|
347 |
# example
|
|
348 |
192.168.0.1|private public
|
|
349 |
192.168.0.111|public
|
|
350 |
192.168.0.121|private public
|
|
351 |
192.168.0.128|private public
|
|
352 |
192.168.0.145|public
|
|
353 |
...
|
|
354 |
|
|
355 |
To query by plugin id
|
|
356 |
|
|
357 |
my $plugin = 10667;
|
|
358 |
my @plugin = nplugin(@nessusdata,$plugin);
|
|
359 |
print @plugin;
|
|
360 |
|
|
361 |
# returns
|
|
362 |
IP|port|plugin data
|
|
363 |
|
|
364 |
# example
|
|
365 |
192.168.0.202|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
|
|
366 |
192.168.0.222|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
|
|
367 |
192.168.0.235|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
|
|
368 |
192.168.0.236|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
|
|
369 |
192.168.0.237|https (443/tcp)|...OpenSSL which is;older than 0.9.6e...
|
|
370 |
...
|
|
371 |
|
|
372 |
To obtain a OS count, useful for graphing
|
|
373 |
|
|
374 |
my @countos = nstatos(nessusdata);
|
|
375 |
print @countos;
|
|
376 |
|
|
377 |
# returns
|
|
378 |
OS version|count
|
|
379 |
|
|
380 |
# example
|
|
381 |
Windows NT4 or 95/98/98SE|17
|
|
382 |
Windows 2000 Advanced Server SP3|14
|
|
383 |
TOPS-20 Monitor 7(21733),KL-10 (DEC 2065)|11
|
|
384 |
Cisco router running IOS 12.1.5-12.2.13a|11
|
|
385 |
PS2 Linux 1.0|9
|
|
386 |
Linux 2.4.17 on HP 9000 s700|7
|
|
387 |
Cisco 2620 running IOS 12.1(6)|6
|
|
388 |
Windows 2000 Server SP3|5
|
|
389 |
Windows NT4 Workstation SP6a|4
|
|
390 |
Nortel/Alteon ACE Director 3 Version 6.0.42-B|4
|
|
391 |
|
|
392 |
To obtain a service count, useful for graphing
|
|
393 |
|
|
394 |
my @countservices = nstatservices(nessusdata);
|
|
395 |
print @countservices;
|
|
396 |
|
|
397 |
# returns
|
|
398 |
service port|count
|
|
399 |
|
|
400 |
#example
|
|
401 |
http (80/tcp)|69
|
|
402 |
telnet (23/tcp)|48
|
|
403 |
netbios-ssn (139/tcp)|48
|
|
404 |
https (443/tcp)|46
|
|
405 |
loc-srv (135/tcp)|42
|
|
406 |
ftp (21/tcp)|39
|
|
407 |
smtp (25/tcp)|34
|
|
408 |
pcanywheredata (5631/tcp)|30
|
|
409 |
ssh (22/tcp)|25
|
|
410 |
sun-answerbook (8888/tcp)|22
|
|
411 |
|
|
412 |
To obtain a vulnerability count, useful for graphing
|
|
413 |
|
|
414 |
# note: options are as follows:
|
|
415 |
# 1 returns high severity vulnerabilties
|
|
416 |
# 2 returns medium severity vulnerabilities
|
|
417 |
# 3 returns low level security notes
|
|
418 |
|
|
419 |
my @countvulns = nstatvulns(@nessusdata,1);
|
|
420 |
print @countvulns;
|
|
421 |
|
|
422 |
#returns
|
|
423 |
plugin id|count
|
|
424 |
|
|
425 |
#example
|
|
426 |
11875|40
|
|
427 |
11412|17
|
|
428 |
10116|12
|
|
429 |
11856|11
|
|
430 |
10932|10
|
|
431 |
10937|7
|
|
432 |
11793|6
|
|
433 |
|
|
434 |
=head1 AUTHOR
|
|
435 |
|
|
436 |
David J Kyger <dave@norootsquash.net>
|
|
437 |
|
|
438 |
=head1 Thanks
|
|
439 |
|
|
440 |
Gwendolynn ferch Elydyr <gwen@reptiles.org>
|
|
441 |
|
|
442 |
=head1 COPYRIGHT
|
|
443 |
|
|
444 |
Copyright 2003 David J Kyger. All rights reserved.
|
|
445 |
|
|
446 |
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
|
|
447 |
|
|
448 |
=cut
|
|
449 |
|