Kevin Fiscus

Data, Data, Everywhere - What to do with Volumes of Nessus Output

April 29, 2014

[Editor's note: Here's a really nice article by Kevin Fiscus on a tool that'll help you analyze and manage a great deal of Nessus vulnerability scanner output. This is really helpful, cool stuff! Thanks, Kevin. -Ed.]

Doing really good, high-value penetration testing is hard. You have to start with a solid, repeatable methodology on which you build a process implemented via tools and techniques. It is a technical endeavor that is, more often than not, remarkably creative. But, to do it well, you need to understand hacker techniques, cyber defense, protocols, packets, and even people. Sometimes, however, basic logistics get in the way. The problem, in many cases, is that the tools are simply too good, or rather, they give too much information but lack a particularly effective way for a penetration tester to use that information. Case in point: Nessus.

Nessus is a fantastic vulnerability scanner. It has the capability to perform both credentialed and uncredentialed scans of target environments, and test for tens of thousands of vulnerabilities across an enormous range of platforms. For the budget conscious among us, it is also one of the more cost-effective commercial solutions on the market. Unfortunately, while superior in many ways, it is not known for its reporting capabilities. Tenable Network Security, the creators of Nessus, have additional products to provide more advanced reporting capabilities, but purchasing them changes the cost structure considerably.

The problem, thus, is one of data overload from any vulnerability scanner, including Nessus. Particularly when performing internal, credentialed scans against network resources, the amount of data generated can be overwhelming. While generally presented in an easy-to-understand format, the data you'll be given includes each vulnerability individually. Nessus has the capability to view results by IP address or by vulnerability, so identifying the most vulnerable server by vulnerability count or the most common critical severity vulnerability is fairly easy. But what if you wanted to identify the most vulnerable server in terms of the common vulnerability scoring system (CVSS), or wanted to count the number of servers with at least one high or at least one critical severity vulnerability? These things can be difficult within the Nessus interface and are more difficult when looking at Nessus output reports. Fortunately, there are answers for nifty and high-value ways to slice and dice Nessus results.

Nessus has the ability to output reports in a variety of formats, one of which is XML. This has allowed the security community to create tools to parse Nessus results and convert them into a variety of other formats. The one I tend to like can be found at http://www.melcara.com and is called, very originally, "Nessus Parser." The current version, as of the writing of this posting, is v20a. And, it's free.

The Melcara Nessus Parser is a Perl program that converts Nessus XML output into a Microsoft Excel workbook. It doesn't just create a CSV file with basic scan results, it creates an entire workbook consisting of over TWENTY tabs. A brief tour of at least a few of these tabs will help illustrate the benefits of this tool.

The "Home Worksheet" tab contains summary information about the numbers and counts of vulnerabilities and vulnerable systems as shown below:

KF-Blog-1.png

The "CVSS Score Total" tab includes, for each IP address scanned, Common Vulnerability Scoring System results and allows you to tune the final scores by introducing a score modifier. By changing the value of a few cells, you can increase the contributing factor of a medium severity from 1 to 1.25, a high severity to 1.5 and a critical to 1.75 (or any value you want). The spreadsheet has been formatted to allow easy sorting on any column.

KF-Blog-2.png
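The two questions raised earlier (which host is most vulnerable by CVSS, and how many hosts have at least one high or critical finding) can be answered straight from the XML export. The following is an added example, not code from the Melcara parser: it assumes the .nessus v2 layout (ReportHost and ReportItem elements with a severity attribute and a cvss_base_score child), uses constructed sample data, and its weighting formula (base score multiplied by the per-severity modifier quoted above) is an assumption rather than the workbook's own calculation.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in .nessus (v2) layout; hosts, plugin IDs and scores are made up.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" severity="4" pluginID="900001" pluginName="Sample critical">
        <cvss_base_score>10.0</cvss_base_score>
      </ReportItem>
      <ReportItem port="80" severity="2" pluginID="900002" pluginName="Sample medium">
        <cvss_base_score>5.0</cvss_base_score>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="22" severity="3" pluginID="900003" pluginName="Sample high A">
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
      <ReportItem port="443" severity="3" pluginID="900004" pluginName="Sample high B">
        <cvss_base_score>7.0</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" severity="0" pluginID="900005" pluginName="Sample info"/>
    </ReportHost>
    <ReportHost name="10.0.0.12">
      <ReportItem port="161" severity="1" pluginID="900006" pluginName="Sample low">
        <cvss_base_score>2.5</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""

# Nessus numeric severities as stored in the severity attribute.
SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}
# Modifier values quoted in the article; how they are applied here is an assumption.
MODIFIERS = {"low": 1.0, "medium": 1.25, "high": 1.5, "critical": 1.75}


def summarize(xml_text, modifiers=MODIFIERS):
    """Return {host: {"counts": {...}, "weighted_cvss": float}} for one export."""
    # Scan exports never need a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in scan output")
    hosts = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        counts, total = defaultdict(int), 0.0
        for item in host.iter("ReportItem"):
            sev = SEVERITY.get(int(item.get("severity", "0")), "info")
            counts[sev] += 1
            score = item.findtext("cvss_base_score")  # absent on most info items
            if score is not None:
                total += float(score) * modifiers.get(sev, 1.0)
        hosts[host.get("name")] = {"counts": dict(counts),
                                   "weighted_cvss": round(total, 2)}
    return hosts


def rank_by_weighted_cvss(hosts):
    """Hosts ordered from highest to lowest weighted CVSS total."""
    return sorted(hosts, key=lambda h: hosts[h]["weighted_cvss"], reverse=True)


def hosts_with_at_least_one(hosts, severities=("high", "critical")):
    """Hosts that have one or more findings at any of the given severities."""
    return sorted(h for h, d in hosts.items()
                  if any(d["counts"].get(s) for s in severities))


if __name__ == "__main__":
    summary = summarize(SAMPLE_NESSUS)
    for name in rank_by_weighted_cvss(summary):
        print(name, summary[name]["weighted_cvss"], summary[name]["counts"])
    print("hosts with >=1 high/critical:", hosts_with_at_least_one(summary))
```

In the sample, 10.0.0.9 has the most findings by count, but 10.0.0.5 ranks first once scores are weighted by severity.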

A series of five tabs labeled Critical, High, Medium, Low, and Informational provide counts and details for each identified vulnerability. For each tab, it lists the type of vulnerability (plugin family), the vulnerability name (plugin name), the number of instances of that vulnerability identified, a description of the vulnerability, the recommended solution, and whether there are exploits for the vulnerability included in Canvas, Metasploit, or Core Impact. That last tidbit is really cool and helpful for penetration testers looking to move from scanning into outright exploitation of target systems.

The "Device Type" tab provides the IP address, fully qualified domain name, NetBIOS name, and device type for every tested system while the "HostConfigData" tab provides the number of vulnerabilities by severity for each IP address. This tab also provides information about minimum password length, password history length, minimum/maximum password age, complexity requirements and account lockout information if credentialed tests were run. The "portScanData" tab contains information about listening ports and services for each IP address while "InstalledSoftwareData" provides information about software identified to be installed on each target system.

The "UserAccount Data" tab provides information about user accounts found on each tested system, including where the account was found (local or Active Directory), the account name, and the SID and the type of account (e.g. Domain User, Domain Administrator, etc.). This tab also includes information about whether the password for the account has ever been changed, whether the account has been disabled, whether it has ever logged in, and information about certain group membership. Additional tabs provide information about Wireless Access Points and SSIDs detected, passed or failed compliance or policy checks, and various summary information.

Other than the "Home Worksheet", all of the tabs are formatted to allow for filtering and sorting of the data in any column, and because the data is in Excel, the workbooks can be expanded with graphs, charts, pivot tables, etc. That's pretty sweet. Also, got a whole bunch of Nessus results from several scans against several target environments? The Melcara Nessus Parser has the capability of taking multiple Nessus XML files as input and tracking which file the results came from, for each row of data presented. Thus, if you wanted to scan five different locations individually, you could look at their results individually, as a whole, or any subset thereof.

Getting the Nessus Parser to run can be somewhat challenging. You, of course, need to install Perl, and there is a whole set of CPAN modules that need to be installed for it to run. That said, it is my experience that the author of the tool is extremely helpful, should you run into problems. Once everything is set up, running the tool is easy and involves these steps:

Step 1: Export the results of your Nessus scans in XML (or .nessus) format
Step 2: Place all the XML files into a directory
Step 3: Execute the command "perl parse_nessus_xml.v20a.pl -d <directory>" where the directory is the location of the XML files.

The parser will look at all of the files in the selected directory, identify those that contain Nessus output, and generate an output report based on provided input. There are a couple of additional command line switches that can be used to control the output:

  • The default output file will be called "nessus_report_XXXXXXXXX" where the X's will be replaced with date and time information. If you want to change the prefix of "nessus_report" to something else, you do it with the -o option.
  • If you want to run the tool against an individual file instead of a directory, you can use the -f <filename> instead of -d <directory>.
  • The -r option allows you to change the severity of individual Nessus plugins by plugin ID.

The Melcara Nessus Parser can be of tremendous value in reviewing, sorting, analyzing and working with Nessus output. As a penetration tester, the ability to identify the most vulnerable targets or to find that one obscure vulnerability is awesome. As a defensive security professional using Nessus to attempt to improve security, the ability to take the output from a scanning tool like Nessus and truly work with the output is amazing.

If you are new to vulnerability scans, Nessus and/or penetration testing in general, or if you have been doing this type of thing for a while and want to take your skills to the next level, you will definitely want to check out SANS SEC560: Network Penetration Testing and Ethical Hacking. This course not only teaches you cool hacker tools and techniques, it also provides you with an industry-proven methodology that ensures your penetration tests provide real business value.

-Kevin Fiscus
SANS Certified Instructor

UPDATE: Diligent reader Vikneswaran Kunasegaran (@SecurityBazinga) noticed that the Melcara script didn't work on Kali Linux (and possibly some Debian systems) due to some missing dependencies. He wrote a handy little script that automatically pulls down those dependencies and gets your system ready. You could do what the script does manually, if you'd prefer, or just copy and paste it into a file, chmod it so that it is executable, and run it. Thanks, Vikneswaran. Nice work! Here's the script:

#!/bin/sh
# Install the Perl dependencies needed to run the melcara.com Nessus parser.

# Refresh the package index.
sudo apt-get update

# Install the required CPAN modules.
sudo cpan install XML::TreePP
sudo cpan install Data::Dumper
sudo cpan install Math::Round
sudo cpan install Excel::Writer::XLSX
sudo cpan install Data::Table
sudo cpan install Excel::Writer::XLSX::Chart

# Thank you. Have fun!