/vcr-1

Vulnerability Compliance Report Tool used to parse Nessus files into html reports created by SynerComm, Inc.

Primary LanguagePowerShellGNU General Public License v2.0GPL-2.0

Vulnerability Compliance Report Tool

Vulnerability Compliance Report Tool is used to parse Nessus files into beautiful html reports.

Use Cases:

  • Security organizations looking to present clean looking vulnerability data to clients
  • Auditors who use Nessus to run CIS benchmark scans against their Windows systems
  • Pentesters looking for easier and faster ways to do their reporting
  • Archiving vulnerability scan reports for later viewing

Prerequisites:

  • A .nessus file that has been generated by the Tenable Nessus product.

  • The following types of Nessus scans are supported:

    • Basic Network Scan
    • CIS Benchmark Scan for one of the following Windows operating systems:
      • 7/8/8.1/2008/2008R2/2012/2012R2
  • The script and its template directories

  • Chrome, Firefox, or Internet Explorer 11 (in non-compatibility mode)

  • A Windows machine running PowerShell v3 or higher

  • Note Administrator rights are not required to run Parse-Nessus.ps1

Instructions

Save the script and template folder to a destination of your choosing, and ensure you have a valid .nessus file at the ready.

Remember, only “Basic Network Scan” and “CIS Benchmark” scans are supported.

####The script receives the following arguments:

-NessusFilePath

REQUIRED. The full path to the actual .nessus file.

-CustomerName

REQUIRED. A company or organization name. Used in the actual HTML.

-TemplatePath

The full path to the HTML template directory. If not specified, then the current working directory will be searched for the appropriate template. This parameter is helpful if you are building your own template.

-CIS

A switch parameter indicating that a CIS benchmark scan was run. If this is not specified, then a Basic Network Scan is assumed.

-OperatingSystem

Must be passed in conjunction with the –CIS parameter. OperatingSystem is a simple string indicating which Operating System the CIS benchmark scan targeted. Run “get-help .\parse-nessus.ps1 –detailed” to see the full list of supported operating systems.

-DebugMode

For the adventurous =). DebugMode is a switch parameter that will print a ton of information to the screen. Generally used for troubleshooting purposes.

Basic Network Scan

The most basic command would be run against a simple exported Basic Network Scan:

PS C:\VCR> .\Parse-Nessus.ps1 -NessusFilePath "C:\vcr\acme.nessus" -CustomerName "Acme Corporation"

Once the script is done running, it will produce a directory in the current working directory with your customer name and the date:

Imgur

Open this directory and double click the index.html file (or open in a browser of your choosing. Chrome or Firefox preferred). You will see a dashboard style report that is the launching point for viewing additional vulnerability on the hosts which were scanned.

Imgur

There are two ways to interact with the vulnerability data: by IP, or by Vulnerability.

By IP: Scoll to the bottom of index.html (also called the Dashboard) to see a list of IPs. The will be sorted by criticality (Red = Critical, Orange = High, etc). They are organized by number of vulnerabilities for a given criticality. In other words, reading left to right and top to bottom, the upper left most entry of any given color contains the most vulnerabilities of that criticality, and none for the category above it.

For example, consider the following image:

Imgur

192.168.1.232 contains the most critical vulnerabilities, and 192.168.1.7 contains the least (but a least one). 192.168.1.170 contains the most high vulnerabilities, and no critical vulnerabilities. 192.168.1.6 contains the most medium vulnerabilities, and no critical or high vulnerabilities.

Click each IP address to see the vulnerabilities associated with that host. You may then click each vulnerability name to see details about that vulnerability, including description, affected port/service, and any available mitigations.

Important The templates use jQuery to properly format that pages, and it can take a while to format larger pages. Be sure to allow the scripts to continue to run (or run at all), or the pages won't look good.

At any time, click “Dashboard” in the upper right navigation menu to get back to the main view.

By Vulnerability: In the upper right corner of index.html, click “Vulnerability Report”. This report can be huge and will take a while to load (jQuery is formatting the data in the background). If you get prompted to continue running scripts on the page, click “Yes”.

Once formatting is complete, you will be presented with a “master list” of all vulnerabilities for that Nessus scan. Similar to the reports by IP, the vulnerability report is presented in a drill-down style. Click each vulnerability to see a list of hosts affected by that vulnerability, as well as details, port/service, mitigations, etc.

At any time, click “Dashboard” in the upper right navigation menu to get back to the main view.

CIS Benchmark Scans

VCR also supports reporting of Nessus CIS Benchmark scans. The biggest difference between reporting on a Basic Network Scan vs a CIS Benchmark scan is that the Basic Network Scan reports show vulnerabilities by host, whereas the CIS Benchmark report shows the checks run against each host and a “Pass/Fail” status:

Imgur

The procedure for generating the reports for a CIS Benchmark .nessus file is the same as a Basic Network Scan with a couple of important additions, specifically you must pass the –CIS switch parameter as well as the –OperatingSystem parameter.

For example:

PS C:\VCR> .\Parse-Nessus.ps1 -NessusFilePath "C:\vcr\acme-cis-win7.nessus" -CustomerName "Acme Corporation" -CIS -OperatingSystem Windows7

Important to note that it’s implied that each .nessus file only targets one versions of Windows at a time. This is generally how the CIS benchmarks are setup by default, but if you combine scans for different versions of Windows into the same .nessus file, then the script will give unpredictable results (if it works at all).

Creating your own template

Though you are certainly free to use the provided templates, many users will want to customize them to their own organization/company. This is perfectly acceptable and can be done so without permission.

There are two included template directories: template-cisbenchmark and template-networkscan. Do not change the template directory names or the script will not work.

If simply modifying the existing templates:

  1. Replace the /images/logo.jpg file with your own
  2. In the template directory, open templateByVuln.html, templateDashboard.html, and templateFindings.html and do a Find/Replace for “SynerComm”, replacing with your own organization name

If creating your own template:

  1. Template directories must be named: template-cisbenchmark & template-networkscan
  2. Preserve the existing template directory structure and naming conventions
  3. Three template files must exist:
    1. templateFindings.html – This is the html page that is displayed per individual IP
    2. templateDashboard.html – The main page that gets transformed to index.html
    3. templateByVuln.html – The Vulnerability Report template page
  4. In each of the template files, you may place the following substitution variables anywhere on the page (note, you must include the pipe character “|” before and after each variable name. Variables are case sensitive)
  5. The below table lists the substitution variables and which template files the script searches for them in In the Template File field:
    1. D = templateDashboard.html
    2. F = templateFindings.html
    3. V = templateByVuln.html
    4. A = All template files
Variable Name Template File Description
|GENERATEDDATE| D The current date
|REPORTINFO| A The main table of data pertinent to each page. For example, on the dashboard this is the list of IPs.
|TOTALFINDINGS| A Total number of findings/vulns.
|TOTALCRITICAL| A Total number of critical vulns
|TOTALHIGH| A Total number of high vulns
|TOTALMEDIUM| A Total number of medium vulns
|TOTALLOW| A Total number of low vulns
|TOTALINFORMATIONAL| D, F Total number of informational vulns
|TOTALCHECKS| D,F (CIS Template Only) Total number of CIS checks
|TOTALFAILED| D,F (CIS Template Only) Total number of CIS failed checks
|TOTALPASSED| D,F (CIS Template Only) Total number of CIS passed checks
|TOTALERRORS| D,F (CIS Template Only) Total number of CIS check errors
|OPERATINGSYSTEM| D,F (CIS Template Only) The Operating System version. Derived from the OperatingSystem parameter.
|HOST| F The computer name (if available. “Unknown” if not)
|COMPANYNAME| D The Organization name. Derived from the CustomerName parameter.

Download Links & Contact Info

You may download the Parse-Nessus.ps1 script and available templates above. If you have any questions, comments, or issues with the script, or would like to see any feature enhancements, please open an issue here.