john3j
04-17-2015, 12:17 PM
I am trying to figure out how to make a consolidated report of Nessus scans and dump them into an Excel workbook, in an attempt to create a software library for a collection of systems. My vision is that I would run a macro that asks for the directory where the scans are stored. The macro would go through each scan, which is a .nessus file, and scrape data that is output into worksheets (per host). There are three plugins that I am looking for, which tell me the operating system installed, a list of software on the host, as well as Office installations. I would want a separate worksheet within the same workbook for each host, so the hostname would need to be pulled as well. Nessus files look pretty complex, but the plugin IDs that I am looking for are 55472 (Device Hostname), 11936 (OS Identification), 20811 (Microsoft Windows Installed Software Enumeration), and 27524 (Microsoft Office Detection). As far as the software enumeration goes, I don't want to display anything about the updates that are installed, which are listed after "The following updates are installed".
Here are snippets from the .nessus file:
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="55472" pluginName="Device Hostname" pluginFamily="General">
<description>This plugin reports a device's hostname collected via SSH or WMI.</description>
<fname>wmi_system_hostname.nbin</fname>
<plugin_modification_date>2014/01/07</plugin_modification_date>
<plugin_name>Device Hostname</plugin_name>
<plugin_publication_date>2011/06/30</plugin_publication_date>
<plugin_type>local</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 1.3 $</script_version>
<solution>n/a</solution>
<synopsis>It is possible to determine the remote system hostname.</synopsis>
<plugin_output>
Hostname : Computer1
</plugin_output>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="11936" pluginName="OS Identification" pluginFamily="General">
<description>Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.</description>
<fname>os_fingerprint.nasl</fname>
<plugin_modification_date>2014/02/19</plugin_modification_date>
<plugin_name>OS Identification</plugin_name>
<plugin_publication_date>2003/12/09</plugin_publication_date>
<plugin_type>combined</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 2.37 $</script_version>
<solution>n/a</solution>
<synopsis>It is possible to guess the remote operating system.</synopsis>
<plugin_output>
Remote operating system : Microsoft Windows 7 Ultimate
Confidence Level : 99
Method : MSRPC
The remote host is running Microsoft Windows 7 Ultimate</plugin_output>
</ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="20811" pluginName="Microsoft Windows Installed Software Enumeration (credentialed check)" pluginFamily="Windows">
<description>This plugin lists software potentially installed on the remote host by crawling the registry entries in :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall HKLM\SOFTWARE\Microsoft\Updates
Note that these entries do not necessarily mean the applications are actually installed on the remote host - they may have been left behind by uninstallers, or the associated files may have been manually removed.</description>
<fname>smb_enum_softwares.nasl</fname>
<plugin_modification_date>2013/07/25</plugin_modification_date>
<plugin_name>Microsoft Windows Installed Software Enumeration (credentialed check)</plugin_name>
<plugin_publication_date>2006/01/26</plugin_publication_date>
<plugin_type>local</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 1.15 $</script_version>
<solution>Remove any applications that are not compliant with your organization's acceptable use and security policies.</solution>
<synopsis>It is possible to enumerate installed software.</synopsis>
<plugin_output>
The following software are installed on the remote host :
LG Power Tools [version 6.0.3316] [installed on 2012/07/02]
LG CyberLink Power2Go [version 6.2.4009] [installed on 2012/07/02]
LG CyberLink LabelPrint [version 2.5.3109] [installed on 2012/07/02]
Symantec Endpoint Protection [version 12.1.5337.5000] [installed on 2015/03/31]
MSXML 4.0 SP3 Parser (KB2758694) [version 4.30.2117.0] [installed on 2013/02/14]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 [version 9.0.30729.4148] [installed on 2012/08/10]
Intel(R) USB 3.0 eXtensible Host Controller Driver [version 1.0.4.225]
MSXML 4.0 SP3 Parser (KB2721691) [version 4.30.2114.0] [installed on 2012/09/05]
Microsoft .NET Framework 4.5.2 [version 4.5.51209] [installed on 2014/11/19]
Microsoft Visual C++ 2005 Redistributable [version 8.0.61001] [installed on 2012/09/05]
EMET 5.1 [version 5.1] [installed on 2015/03/31]
Symantec Endpoint Protection [version 12.1.4112.4156] [installed on 2014/09/17]
Microsoft Visual C++ 2005 Redistributable [version 8.0.59193] [installed on 2012/10/09]
MSXML 4.0 SP2 (KB954430) [version 4.20.9870.0] [installed on 2012/09/05]
Microsoft Silverlight [version 5.1.30214.0] [installed on 2014/03/21]
Security Update for Microsoft .NET Framework 4.5.2 (KB2972107) [version 1]
Security Update for Microsoft .NET Framework 4.5.2 (KB2972216) [version 1]
Security Update for Microsoft .NET Framework 4.5.2 (KB2978128) [version 1]
Security Update for Microsoft .NET Framework 4.5.2 (KB2979578v2) [version 2]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 [version 9.0.30729.6161] [installed on 2012/09/05]
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 [version 10.0.40219] [installed on 2015/01/27]
Intel(R) Processor Graphics [version 8.15.10.2696]
Realtek High Definition Audio Driver [version 6.0.1.6662] [installed on 2012/07/02]
Intel(R) OpenCL CPU Runtime
The following updates are installed :
MSXML4SP2 :
Q954430 [installed on 9/5/2012]
MSXML4SP3 :
Q2721691 [installed on 9/5/2012]
Microsoft .NET Framework 4 Client Profile :
KB2468871 [version 1] [installed on 4/10/2014]
KB2533523 [version 1] [installed on 4/10/2014]
KB2600217 [version 1] [installed on 4/10/2014]
Microsoft .NET Framework 4 Extended :
KB2468871 [version 1] [installed on 4/10/2014]
KB2533523 [version 1] [installed on 4/10/2014]
KB2600217 [version 1] [installed on 4/10/2014]
Microsoft .NET Framework 4.5.1 :
KB2898869 [version 1] [installed on 4/10/2014]
KB2901126 [version 1] [installed on 4/10/2014]
KB2931368 [version 1] [installed on 5/15/2014]
Microsoft .NET Framework 4.5.2 :
KB2972107 [version 1] [installed on 11/19/2014]
KB2972216 [version 1] [installed on 9/17/2014]
KB2978128 [version 1] [installed on 11/19/2014]
KB2979578v2 [version 2] [installed on 11/19/2014]
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 :
KB2151757 [version 1] [installed on 8/10/2012]
KB2467173 [version 1] [installed on 8/10/2012]
KB2565063 [version 1] [installed on 1/27/2015]
KB982573 [version 1] [installed on 8/10/2012]
</plugin_output>
</ReportItem>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="27524" pluginName="Microsoft Office Detection" pluginFamily="Windows">
<cpe>cpe:/a:microsoft:office</cpe>
<description>Microsoft Office is installed on the remote host.</description>
<fname>office_installed.nasl</fname>
<plugin_modification_date>2014/10/31</plugin_modification_date>
<plugin_name>Microsoft Office Detection</plugin_name>
<plugin_publication_date>2007/10/23</plugin_publication_date>
<plugin_type>local</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 1.44 $</script_version>
<see_also>http://office.microsoft.com/</see_also>
<solution>n/a</solution>
<synopsis>The remote Windows host contains an office suite.</synopsis>
<plugin_output>
The remote host has the following Microsoft Office 2010 Service Pack 2 components installed :
- Word : 14.0.7145.5001
- Excel : 14.0.7145.5001
- PowerPoint : 14.0.7121.5000
</plugin_output>
</ReportItem>
I have attached a sample workbook of what I would want the output to look like. I assume I could use the following to loop through the files in a directory:
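Sub LoopThroughFiles()
    Dim MyObj As Object, MySource As Object, file As Variant
    ' Dir with a folder path returns the first file name in that folder
    file = Dir("c:\testfolder\")
    While (file <> "")
        ' Stop at the first file whose name contains "test"
        If InStr(file, "test") > 0 Then
            MsgBox "found " & file
            Exit Sub
        End If
        ' Dir with no arguments returns the next file name, or "" when done
        file = Dir
    Wend
End Sub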
Any help would be greatly appreciated!
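One way to do the extraction asked for above, as an added example that is not part of the original post: it loads one .nessus file with MSXML, creates a worksheet per host, and writes the output of plugins 55472, 11936, 20811 and 27524, cutting the software list at "The following updates are installed". The procedure name `ImportNessusFile` is hypothetical, and the code assumes MSXML 6.0 is installed and that each host's `ReportItem` elements sit under a `<ReportHost name="...">` element (the .nessus v2 layout, which the snippets do not show).

```vba
' Added example, not from the original post. Assumes the .nessus v2 layout, where
' each host's <ReportItem> elements sit under a <ReportHost name="..."> element.
Sub ImportNessusFile(ByVal filePath As String)
    Const WANTED As String = "@pluginID='55472' or @pluginID='11936' or " & _
                             "@pluginID='20811' or @pluginID='27524'"
    Dim doc As Object, host As Object, item As Object, outNode As Object
    Dim ws As Worksheet, txt As String, sheetName As String, s As String
    Dim ln As Variant, r As Long, cut As Long

    Set doc = CreateObject("MSXML2.DOMDocument.6.0")
    doc.async = False
    doc.resolveExternals = False         ' scan files are input data: fetch nothing
    doc.setProperty "ProhibitDTD", True  ' refuse DTDs, so no entity expansion
    If Not doc.Load(filePath) Then
        MsgBox "Cannot parse " & filePath & ": " & doc.parseError.reason
        Exit Sub
    End If

    For Each host In doc.SelectNodes("//ReportHost")
        Set ws = ThisWorkbook.Worksheets.Add
        sheetName = host.getAttribute("name") & ""  ' fallback if 55472 is absent
        r = 1
        For Each item In host.SelectNodes("ReportItem[" & WANTED & "]")
            Set outNode = item.SelectSingleNode("plugin_output")
            If Not outNode Is Nothing Then
                txt = Replace(outNode.Text, vbCr, "")
                ' Plugin 20811: keep only the text before the updates heading
                cut = InStr(1, txt, "The following updates are installed", vbTextCompare)
                If item.getAttribute("pluginID") = "20811" And cut > 0 Then txt = Left$(txt, cut - 1)
                ws.Cells(r, 1).Value = "'" & item.getAttribute("pluginName")
                For Each ln In Split(txt, vbLf)
                    s = Trim$(ln)
                    If item.getAttribute("pluginID") = "55472" And InStr(s, ":") > 0 Then _
                        sheetName = Trim$(Mid$(s, InStr(s, ":") + 1))
                    If Len(s) > 0 Then
                        r = r + 1
                        ' Leading apostrophe stores text, so "- Word : ..." or "=..." is never a formula
                        ws.Cells(r, 1).Value = "'" & s
                    End If
                Next ln
                r = r + 2
            End If
        Next item
        On Error Resume Next      ' duplicate or invalid names keep Excel's default
        ws.Name = Left$(sheetName, 31)
        On Error GoTo 0
    Next host
End Sub
```

To process a whole folder, call `ImportNessusFile` from a `Dir` loop over `*.nessus` in place of the `MsgBox` in `LoopThroughFiles`. Scan output is written as text rather than evaluated because it comes from the scanned hosts, not from the workbook's author.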