All Entries Tagged With: "nessus"

Web Application Scanning Using Nessus – Video

Web Application Scanning Using Nessus Video

Scanning web applications with Nessus offers the end user several new configuration options in the Nessus client. You should take into account:

• Number of web servers and applications being scanned
• Size of the applications (e.g. how many parameters does each CGI application have?)
• Depth and scope of the scan with respects to the type of tests being performed and how exhaustive they should be

This video demonstrates how to setup Nessus to scan a web application using the new options:

Click to play

You can visit Tenable Security’s new video channel at http://tenablesecurity.blip.tv for more exciting video tutorials!

Passively Detecting SQL Injection

From the Tenable Security Blog

Passively Detecting SQL Injection

SQL injection is a class of vulnerabilities that can plague web applications in your environment, often with devastating consequences. They can be difficult to detect and validate and are sometimes the cause of major data breaches. This is a deadly combination. Databases contain the information that attackers are after, including SSN, credit card numbers and other information associated with an individual’s identity such as name, address, phone number, mother’s maiden name and more.

The Tenable Passive Vulnerability Scanner (PVS) contains a check for detecting SQL injection attacks. It is a very simple check that first looks for an HTTP request:

pregex=^(GET|POST) /.* HTTP/1\.

Next, it looks for a response that is not formatted as HTML:

match=!<html> match=!<HTML>

At first glance you might be inclined to think this would lead to false positives. In fact, it turns out to be quite an accurate check. At one of the Tenable research sites we saw this alert:

When I went to the above URL manually, I was presented with an error page:

It appears that the error page was not rendering correctly (an error on the error page, how ‘bout that?). Viewing the source of the page revealed information about the problem:

The result of “View source” above contains valuable information that can be used in SQL injection attacks. This includes a table name and a column name visible in the SELECT statement. In addition, the page reveals the file system path in use on the web server. Finally, the error message tells us that the remote server is using a MySQL database. This is extremely valuable information for an attacker looking to exploit this potential vulnerability.

Conclusion

The parameter should be more thoroughly tested to see if SQL injection is indeed possible. However, the information gathered from the error message is certainly a good start for an attacker. It is important to configure the web application to not display this error message to the end user. Passive monitoring is an excellent method to monitor your web applications without any impact to the environment. Activity from normal users, potential hackers and even web spiders can all provide input that may result in displaying an unexpected SQL error.

Nessus – Audit the Cloud with Passive Scanning

From: Tenable Security Blog

Audit the Cloud with Passive Scanning

Imagine a scenario where you are tasked to audit the security of an organization’s efforts to “cloud-source” applications, operating systems, databases and other aspects of IT infrastructure. You want to fire up your favorite network scanner, Nessus, but are warned that some of the outsourced companies have clauses that prevent auditing, network scanning or security testing. Even still – some of the technology is at the API or SQL level and there isn’t even an identifiable OS to scan. Last, even though you may be able to perform a scan quickly, some of the cloud resources get charged at an hourly rate and the act of auditing costs your company money that the application group did not budget for. Fortunately, passive vulnerability scanning can help audit remote resources that are now off your network and “in the cloud”.

How does this work?

If network traffic to the remote cloud occurs over common TCP/UDP protocols such as HTTP, SQL or SSH, Tenable’s Passive Vulnerability Scanner (PVS) can be used to monitor the communications, perform protocol analysis and identify the applications and vulnerabilities used by the remote “cloud” organization. As your employees and customers communicate with the resources in the “cloud”, the network traffic can be used to identify what technologies are in use.

Depending on your “cloud” application or technology, you may find issues at the API, OS or application level. For example, consider a service that offers access to a MySQL instance. Your applications can make SQL queries directly to your MySQL instance “in the cloud”. In this case, passive monitoring would watch the SQL queries to determine the version of SQL as well as any vulnerabilities associated with it. On the other hand, if your remote solution was a full virtual operating system, you may observe client-side vulnerabilities in web APIs, web browsers and other end-user software if they communicate back to your organization.

What can you do when you find a vulnerability?

If you think this question was the next logical question – you are ahead of the pack. Most executives I speak with feel that once they outsource to the “cloud”, security is no longer their problem. I could not disagree more. However, for those that monitor the enterprise, what are your options when you do find a vulnerability in your “cloud” vendor? Fortunately, there are several options:

Compensate

If you know about a given vulnerability, you can take actions to mitigate it. Maybe you can effectively apply some sort of patch to your system. Maybe you can use a different technology that is compatible and not (currently) vulnerable. At a minimum, if you understand the vulnerability and how it can be exploited, you could leave it in place, and watch for signs of exploitation.

Complain

Even if your service level agreement with your cloud vendor does not cover security patches or upgrades, opening up a trouble ticket can work wonders. This action may force your vendor to at least acknowledge the issue and provide guidance if they will or will not fix it.

Get a New Cloud

It may be possible to find a new vendor that does not have this technology flaw, has a better record at network security or responds to security concerns more promptly. Switching “cloud” vendors can be just as painful as the first move of applications and data off your own network.

For More Information

Tenable has an online demo of how the Passive Vulnerability Scanner can be used to sniff traffic and discover vulnerabilities in real time. In production, most of our enterprise customers use the Security Center to manage their PVS sensors. When monitoring a “cloud” resource, from the Security Center’s point of view, these resources are just another range of IP addresses that require information to be gathered. To see an example of what types of passive vulnerability and asset data can be found with this technique, please watch this video.

Building a BackTrack 4, Nessus USB Stick that maintains changes across boots

Check out this link if you want to build a bootable USB drive with BackTrack 4 and Nessus, and maintain persistent changes.

http://www.infosecramblings.com/backtrack/backtrack-4-usbpersistent-changesnessus/

The other way you can do this (this is the way I do it) is to download the BackTrack 4 VM and use that from a fast USB stick, such as Ironkey. I’ve found that this is extremely fast and it allows to do writes. So, if you don’t want to make the stick bootable – or – you don’t want to dedicate the whole USB drive to BackTrack, then this is the method for you.

Using Nessus in Web Application Testing

Here’s a PDF for ‘Using Nessus in Web Application Testing’, from PaulDotCom. It’s a handy doc to read, especially if you want to supplement your current testing, or you don’t have a test framework yet. Download it below.

Tips For Using Nessus In Web Application Testing

From: http://blog.tenablesecurity.com

Selecting a Target

To create a realistic testing environment our target was setup to run “Mutilidae” version 1.2, a PHP application that was written to contain vulnerabilities. Multilidae was written by “Irongeek” and contains vulnerabilities that specifically the OWASP top ten list. It contains many different types of vulnerabilities, including SQL injection, cross-site scripting (XSS) and information disclosures.

Selecting Plugins

When tuning Nessus for web application testing, you can select the plugin families that are relevant to your test. This saves time and makes for a more efficient scan. However, for a more thorough scan, you can leave all plugin families enabled and let Nessus choose the best plugins. For this scan, I have enabled the following plugin families:

• CGI abuses – This plugin family checks for anything that is ‘CGI’ related, unless it is XSS (and only a XSS vulnerability), in which case it falls into the “CGI abuses : XSS” family. These checks use a combination of detection techniques, including checking version of the application and testing for the actual vulnerability. The attacks include software detection, information disclosure, XSS, SQLi, LFI, RFI, overflows and more.
• CGI abuses : XSS – Specific CGI checks for reflective and persistent XSS vulnerabilities in common web applications.
• Database – Typically a web server will run a database that is used by various web applications.
• FTP – Web pages need to be updated, and FTP is a popular protocol used to allow your web developers to send files to the server.
• Gain a Shell Remotely – If you can obtain a shell on the remote web server, testing the application is somewhat moot.
• Gain root remotely – Same thing as above, if you gain root, resolve this problem before the application is tested.
• General – Contains the operating system fingerprinting plugins, including ones that will identify the OS over HTTP. Identifying the underlying operating system is very important for web application testing, as it will determine the syntax of commands sent via injection (command and SQL) attacks.
• Remote file access- Includes checks for specific web server/application vulnerabilities that lead to remote file disclosure.
• Service detection – Contains checks for several different services, including detecting Apache running HTTPS, HTTP CONNECT proxy settings and other services that may host web applications.
• Web servers – Plugins in this family detect approximately 300 specific vulnerabilities in popular web servers, such as Apache, IIS and generic vulnerabilities associated with the HTTP protocol itself.

Configuring the Scan Policy

In the “Advanced” settings tab, go to the “Global variables settings” and enable the following options:

The “Enable CGI scanning” checkbox causes Nessus to search the web server for known CGI applications and associated vulnerabilities. “Enable experimental scripts” allows Nessus to test for vulnerabilities that use new techniques. The “Thorough tests (slow)” expands your testing when it comes to web applications and allows the the plugin to “try harder” on various tests. This enables more exhaustive SQL injection testing, and it will tell more about CGI applications. By default, Nessus will only store and test the last 8 CGI applications found. With thorough testing enabled, Nessus will store and test up to 1024 CGI locations.

Next, select “Web mirroring” from the pull-down menu:

In the “Start page” field, enter the location of the web application that you wish to test. Nessus will detect several different web applications and enumerate common directories on the web server. However, it cannot know about all directory names, so by entering the directory to do web mirroring, we add it to the list of applications that will be tested by the CGI scanner and other plugins.

Next, select “Unknown CGI Argument Input Validation Tests (toturecgis) from the pull-down menu:

Select the check box to send POST requests. This will expand the testing that Nessus can do beyond just GET requests. This is important for web application testing as many vulnerabilities could exist in the web application that are only triggered by sending a POST request. By checking this option, it will increase the amount of time for the scan to complete.

Reporting

After scanning the web application with the above settings, I noticed several plugin results of interest. The first plugin that was triggered was 26194, “Web Server Uses Plain Text Authentication Forms“:

Nessus finds three separate pages that are transmitting fields labeled “password” in clear-text, as the application is not using SSL.

The next plugin is 10662, “Web mirroring” which attempts to mirror the remote web site based on the parameters (“/mutillidea”) that we provided:

The web mirroring finds not only additional directories (“/mutillidae/images/”), but several CGI applications as well. In a web application assessment, the tester would use the provided CGI values above to perform manual or automated testing to determine the security posture of the web application. Nessus can perform some of this testing for you with plugin 10672, “Unknown CGI Argument Input Validation Tests (torturecgis)“:

The above plugin output identifies a couple of different CGI scripts that have security problems, such as traversals and XSS. Nessus chose to test the “logout” function, which is vulnerable to both XSS and remote file disclosure. By changing the syntax of the request slightly we can change this into a successful attack that reads the “/etc/passwd” file. Below we use the syntax of “index.php?page=/etc/passwd” and successfully execute the attack:

Conclusion

While Nessus is not specifically designed for application scanning, it can be a valuable aid in performing pre-deployment scans before bringing applications online. Nessus is a fast and efficient way to identify which applications are on the network and if they are vulnerable to common exploits. This helps to quickly identify applications that may need rudimentary security fixes before more detailed manual testing is performed. Nessus can automate the process of discovering applications and common software, discovering the versions running and checking to see if they are vulnerable. The CGI scanner does a good job of basic “fuzzing” of the parameters of the discovered CGI applications to uncover attacks such as XSS and remote file disclosure. Again, while Nessus does not replace your web application testing tool, or completely replace your web application testing methodology, it is a valuable tool in the web application assessment process, especially for blind testing of large environments with several web servers and multiple applications.

References

• Using Nessus to call Nikto
• Detecting Web Servers with Malicious Javascript

PCI-DSS Auditing Linux, Apache, PHP, & MySQL With Nessus 4

From: http://blog.tenablesecurity.com

PCI-DSS Scanning

The effectiveness of the Payment Card Industry (PCI) standards to secure systems responsible for credit card transaction processing is a question of debate among information security professionals. Regardless of the hype or negativity surrounding PCI, it remains a requirement for many organizations to follow. Nessus has built-in PCI-DSS compliance checks that compare scan results with the PCI standards and produce a report on your compliance posture. It is very important to note that a successful compliance scan does not guarantee compliance or a secure infrastructure. Compliance scanning is just one tool to be used as part of a comprehensive program that includes the appropriate policies and procedures to ensure that assets are appropriately protected.

I recently tested the Nessus PCI-DSS auditing functionality to determine how some of my scans compared to PCI-DSS standards. I started by acquiring a system that would most likely be governed by the PCI standard. I located a free virtual appliance configured with osCommerce, an open source online merchant site and shopping cart system. After I got the system running, I noticed the pre-installed software was already out-of-date. For example, the version of osCommerce included in the virtual appliance I used was two versions behind according to the osCommerce web site. This is a perfect testing ground for Nessus and PCI because there will most likely be areas where the PCI compliance fails, and other areas that pass.

Configuring a PCI-DSS Nessus Scan

The PCI standards council publishes a guide titled “Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures” which outlines how to conduct a scan when performing a PCI-DSS audit and states:

“The ASV scanning solution must include an exhaustive fingerprinting scan on all transmission control protocol (TCP) and user datagram protocol (UDP) ports.”

The above requirement leads us to the following steps to configure our scan policy:

Step 1 – Configure your scan policy to scan all of the UDP and TCP ports on the remote host. This can be done in one two ways. If you are not scanning with credentials (this is the case for most QSVs, or Qualified Scanning Vendors), then configure the network-based portscanners:

If you have credentials on the target host(s), then only select the local portscanners:

The netstat portscanners will invoke the netstat program on the target host and collect open port information rather than testing via the network. The local scanners are more efficient; issuing a local command is much faster than probing all ports and waiting for a response.

In both cases the “Port scanner range” is set to “1-65535″, which is applied to any of the selected portscanners. The UDP scanner is not new to Nessus, but versions prior to Nessus 4.0 were only available for ProfessionalFeed customers and required that you download a separate plugin from the Tenable web site . It is now included in Nessus 4.0 and has been updated with various improvements.

Step 2 (Optional) – If you have credentials on the target host(s), enter them for your target system on the Credentials tab. Our target system is Linux, so we will use SSH to authenticate. For production use, generate a public/private keypair for your Nessus server, and then copy the public key to your production systems. See the Tenable blog post “Configuring Nessus To Scan Through Firewalls” for an example of this. The Tenable portscanners and plugins that perform local scanning activity require that you scan with credentials. In our test case, the osCommerce virtual appliance was built using Fedora Core release 5, so we will use local security checks from Nessus.

Step 3 – Enable all plugins:

To perform a successful PCI-DSS compliant scan, all plugins must be enabled including the policy compliance checks shown above. For more information about the specifics of these plugins, refer to the Tenable blog post, “PCI-DSS Plugins For Nessus“).

Step 4 – Modify your global variable settings:

In the configuration screen above, enable thorough testing and experimental scripts, both of which are required for a successful PCI compliant scan

Step 5 – Enable PCI DSS compliance checking:
Finally, we will need to enable the compliance checking in the Advanced tab. At
this point we are done configuring our scan policy and can click “Save”.

Step 6 – Disable the firewall on the target:

On the target host the local firewall must be disabled. PCI requires that no firewall exist between the scanner and the server being tested. To do this within Fedora Core release 5, I’ve issued the following command:
# service iptables stop
Disabling the firewall also helps the scan run faster, as scanning all UDP ports over the network through a firewall is a very time consuming task.

While removing the firewall from the equation can help speed up the scan and allow the scanner to enumerate all of the vulnerabilities available from the network, leaving it enabled can also have value. If the firewall is enabled then a vulnerability scan is launched against it and the scan fails, this shows that your defenses are working properly (provided there was no DoS condition on the target host). The primary reason to disable it here is to allow the scan to complete in a reasonable amount of time. However, its is good to test your firewalls with the vulnerability scanner to ensure they are blocking the correct ports and functioning per your policy and procedures.

Scanning & Reporting

Now we are ready to initiate the scan, which will take a bit longer than many Nessus scans you may have performed, as we have enabled all plugins, thorough tests, and UDP scanning. When the scan is complete, we can see that our system is not compliant with PCI-DSS specifications. Plugin 33929, “PCI DSS compliance“, has analyzed the results and determined that we are not compliant due to several vulnerabilities identified during the scan.

The PCI compliance scan results are mixed into the report; some are in the “general/tcp” section and others are appended to the entries associated with a particular open port and service. The best way to gather all of the scan results is to use the filtering feature in conjunction with the report template feature introduced in Nessus 4. The first step is to create a filter that will only display results from the PCI compliance plugin:

Clicking “Apply Filter” will bring you back to the NessusClient where the filtered results will be displayed. You can then choose a report template, such as “Sort By Vulnerability Detail” and click “View template…”. Your web browser will open and display your custom report:

The new report displays all of the alerts that caused the scan results to be not in compliance with PCI-DSS. This report can now be used to go back to the web server and remediate the problems until the scan passes the PCI compliance checking.

Conclusion

The PCI-DSS standard is focused primarily on finding vulnerable web servers. If your organization is a level 3, 4 or 5 merchant you also have PCI requirements to demonstrate usage of access control, anti-virus protection, system logging, and many other types of security monitoring. NessusProfessional Feed users have access to a variety of configuration auditing polices to help test for these PCI requirements. Tenable Security Center and Log Correlation Engine users can also monitor system logs and network activity in real time to monitor and report on a many different types of PCI audit requirements. For more information about Tenable’s enterprise PCI monitoring, please contact our sales staff to request our Real Time PCI Monitoring white paper.

References

• PCI-DSS Plugins For Nessus
• Enterprise PCI Auditing Video – This twelve minute video discusses how unifying system and event analysis into one platform can address all 12 requirements of PCI.
• Maximizing ROI on Vulnerability Management – This paper describes the methodology for developing a comprehensive vulnerability management program.

Root is just a few clicks away

From the Tenable Network Security Blog

Default vendor logins and passwords are a common security issue that Nessus can scan for. Some of these default accounts can pose a serious security risk, depending on the type of access they permit. Nessus plugin id 35029 (“Dell Remote Access Controller Default password (calvin) for ‘root’ account“) is a great example of this. It looks for a default username and password present on DRAC (Dell Remote Access Controller) devices which provide remote systems management for Dell servers.

This is a common practice for many vendors: instead of having the end user create a password during the initial configuration of the system, the vendor assigns a default value. The default passwords are often posted in the vendor’s documentation, and several other web sites such as the list provided by the Phenoelit group. In this case, the default username and password pair allows a user access to the DRAC server functionality, including the ability to power the server on or off, and access the remote console. The DRAC system is an embedded system that sits inside the server with access to the hardware. It is intended for maintenance purposes and is separate from the operating system on the server.

The DRAC login and password provides access to the console as if the user were sitting in front of it. A serious risk is posed if an administrator had logged into the console as root and forgot to log off, providing the attacker with the root-level access when connecting via DRAC.

A common security requirement is to ensure that system consoles are physically protected from access. Using the default username and password for DRAC violates this requirement and poses a serious security risk.

It is important to investigate the results of each plugin and determine the full implications of the findings. Change the default passwords and be certain to log out of your sessions when administering systems (Windows or Linux/UNIX). Nessus also has several other plugins for detecting the presence of default passwords, for example on UNIX systems see the plugin category Default Unix Accounts.

Configuring Nessus To Scan Through Firewalls

From the Tenable Network Security Blog

Nessus Scanning Through Firewalls

Tuning a Network Scan

The first scan strategy targets a single Linux host (Fedora Core release 5) running iptables. In this example, we do not have credentials on this system, so we must scan across the network. The first step is to configure the number of vulnerability checks to run concurrently for each host:

Since iptables is a stateful firewall, it will keep track of connections. If Nessus makes too many connections at once, the firewall may become overwhelmed and drop connections, causing the scan to miss open ports and/or vulnerabilities. By limiting Nessus to only 5 checks at once, we can reduce the number of simultaneous connections. Another setting exists to help control the number of total sessions created for a given host, which encompasses the port scanners, service detection and vulnerability checks. The network tab of the scan configuration has the following options:

I started by setting “Maximum simultaneous TCP sessions per host” to 100, and then reduced it to 50 to get the scan running smoothly. Even with these reduced settings, I observed errors on the target host:

ip_conntrack is the iptables module that is responsible for managing sessions. When it encounters too many sessions, its connection table becomes full and it starts dropping traffic in an attempt to keep up with the onslaught of packets it is receiving. You can tune the above two settings in Nessus to be less aggressive and attempt to avoid these errors. For this example, I did not drop them down any further as the scan would have taken longer and I wanted to show an example of the iptables errors that may occur. You can also tune the portscanner to be more sensitive when it encounters a firewall:

Even with the above tuning, the scan may take anywhere from 20 to 30 minutes to complete. Despite the iptables errors, we get some good results:

Since we were scanning through a firewall, Nessus only found TCP ports 80 and 22 available. The web server was running osCommerce, and plugin 19253 was triggered, “osCommerce Unprotected Admin Directory“.

Configuring a Credentialed Scan

A Nessus scan with credentials avoids most of the problems encountered with a network scan of a firewall protected host. In this example we will be scanning the same host as before, however our scan configuration will be very different. The first screen is configured with the following settings:

Since it will be scanning the target host locally, we can disable all of the network port scanner plugins. We enable the “netstat portscanner (SSH)” plugin, which will run the netstat command on the target system to get a listing of open ports. This provides far more accurate results than network port scanning in a fraction of the time. Next, go to the Credentials tab, and select “SSH settings”:

A user called “nessus” has been previously created on the target host. This user does not need to have any special or elevated privileges. The system running the NessusClient will need the public and private SSH keys of the target host. Although supported, it is not recommended to use password authentication for performing SSH scans. It should be noted that the Nessus server will require SSH access to the host through the firewall. Our policy looks very different as well:

The only plugin that needs to be enabled is the “Fedora Local Security Checks”. This greatly speeds up the scan, which completes in just a few minutes. The scan results are slightly different, but no less important to review:

Instead of reporting on vulnerabilities found remotely in the web server, Nessus reports a long list of missing operating system and software patches, equally as important as some of the issues found in the network-based scan. We also get much more accurate port scan results, as it provides a complete list of open TCP and UDP ports in a fraction of the time.

Conclusion

Nessus works great for both network scans and credentialed scanning. When scanning through firewalls it will take longer, but tuning your settings can ensure more accurate results. Scanning with credentials is the best way to get around firewalls, but offers different results. The best strategy is to perform both types of scans on a regular basis and act upon the results according to your vulnerability management plan. Nessus ProfessionalFeed customers can get more information from credentialed scanning by applying various audit files to check the operating system against industry or local standards.

nessuscmd Tip: Finding Open SMB File Shares

From the Tenable Security Blog:

Penetration testers spend a lot of time searching for software vulnerabilities, such as buffer overflows or SQL injection. However, there are many other ways in which networks and systems can present vulnerabilities. Open SMB file shares can disclose sensitive information about an organization: I’ve found everything from student grades to bank account numbers using this technique. A great way to check for the presence of open SMB shares is to run a quick Nessus scan from the command line as follows:

# ./nessuscmd -U -p139,445 -V -i 10396 192.168.1.0/24

The flags used in this command perform the following functions:

This will result in the following output:

+ Results found on 192.168.10.230 :
- Port netbios-ssn (139/tcp) is open
- Port microsoft-ds (445/tcp) is open
[!] Plugin ID 10396
|
| Synopsis :
|
| It is possible to access a network share.
|
| Description :
|
| The remote has one or many Windows shares that can be accessed
| through the network with the given credentials.
| Depending on the share rights, it may allow an attacker to
| read/write confidential data.
|
| Solution :
|
| To restrict access under Windows, open the explorer, do a right
| click on each shares, go to the 'sharing' tab, and click on
| 'permissions'.
|
| Risk factor :
|
| High / CVSS Base Score : 7.5
| (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
|
| Plugin output :
|
| The following shares can be accessed as nessus6804946061421403042121321
| 621 :
|
| - backup - (readable,writable)
| + Content of this share :
| ..
| CreditApplication_Fax.pdf
| Payroll_2009.xls
| Invoice10001.doc

This is a great script to run on a regular basis, or in an ad-hoc fashion, to keep tabs on what file shares are exposed in your environment and what information is available. Nessus ProfessionalFeed subscribers can also perform a sensitive data audit of files and documents located on Windows computers. Tenable offers mulitple audit polices which scan files for credit cards, adult media, financial spread sheets and much more.

Find vulnerable systems in a Nessus export

From: COMMAND LINE KUNG FU: PaulDotCom, Ed Skoudis, Hal Pomeranz, byte_bucket

Paul Says:

I use this command all the time to get a list of IP addresses that are vulnerable to a specified vulnerability in a Nessus .nsr output file:

Linux/OS X Command:

$ grep -h "CVE-2008-4250" *.nsr | cut -d"|" -f 1 | sort -u

For bonus point, funnel those IP addresses through to Metasploit’s msfcli and get shell on all of them in one command :)

Hal’s Comments:

It’s always a danger sign when you end up piping grep into cut– usually this means you can create a single awk expression instead (and don’t even get me started on people who pipe grep into awk):

$ awk -F'|' '/CVE-2008-4250/ {print $1}' | sort -u

Paul’s Comments:

That is slick! I’ve never been truly happy with cut and will spend some more time with the search feature in awk, its looks MUCH cleaner.

Ed Responds:

I’m glad you two have made up and are friends again. As for my answer… first off, aren’t nsr reports deprecated? Isn’t nbe the way to go these days?

Anyway, to do this at a shell that actually makes you work for a living, you could run:

C:> for /F "delims=:| tokens=2" %i in ('findstr CVE-2008-4250 *.nsr') do @echo %i

Starting from the center command and working outward, I’m invoking findstr to look for the string CVE-2008-4250 in all .nsr files. That command will execute in my FOR /F loop because it’s in single quotes (‘ ‘). I’ll have one line of output for each line that contains that string, of the form filename:line. I take those lines of output and iterate over them in my FOR /F loop, with delimeters of : and |. That way, it’ll split up my file name (before the colon) and IP address in the NSR file (before the |). I set my iterator variable to the token 2, so that it will take on the IP address from the file. I simply then echo out the contents of that variable.

All in all, a pretty standard use of FOR /F loops to parse the output of a command, in this case, the findstr command. You could sort it alphanumerically (sigh… not numerically) by putting parens around the whole shebang and piping it through sort, if you really want to. There you have it.

Paul Responds:

Ed and I had a discussion about Nessus file formats, and I will spare everyone any confusion and provide the following link:

https://discussions.nessus.org/thread/1124?tstart=0

At one time, .nsr was the way to go, however I recommend that people start looking into the .nessus (XML) format. We’ll save that for a future episode :)