View Full Version : [SOLVED:] Software Library from .nessus files



john3j
04-17-2015, 12:17 PM
I am trying to figure out how to make a consolidated report of Nessus scans and dump them into an Excel workbook, in an attempt to create a software library for a collection of systems. My vision is that I would run a macro that asks for the directory where the scans are stored. The macro would go through each scan, which is a .nessus file, and scrape data that is output into worksheets (per host). There are three plugins that I am looking for, which tell me the operating system installed, a list of software on the host, as well as Office installations. I would want a separate worksheet within the same workbook for each host, so the hostname would need to be pulled as well. Nessus files look pretty complex, but the plugin IDs that I am looking for are 55472 (Device Hostname), 11936 (OS Identification), 20811 (Microsoft Windows Installed Software Enumeration), and 27524 (Microsoft Office Detection). As far as the software enumeration goes, I don't want to display anything about the updates that are installed, which are listed after "The following updates are installed".
Here are snippets from the .nessus file:

<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="55472" pluginName="Device Hostname" pluginFamily="General">
<description>This plugin reports a device&apos;s hostname collected via SSH or WMI.</description>
<fname>wmi_system_hostname.nbin</fname>
<plugin_modification_date>2014/01/07</plugin_modification_date>
<plugin_name>Device Hostname</plugin_name>
<plugin_publication_date>2011/06/30</plugin_publication_date>
<plugin_type>local</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 1.3 $</script_version>
<solution>n/a</solution>
<synopsis>It is possible to determine the remote system hostname.</synopsis>
<plugin_output>
Hostname : Computer1
</plugin_output>
</ReportItem>

<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="11936" pluginName="OS Identification" pluginFamily="General">
<description>Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.</description>
<fname>os_fingerprint.nasl</fname>
<plugin_modification_date>2014/02/19</plugin_modification_date>
<plugin_name>OS Identification</plugin_name>
<plugin_publication_date>2003/12/09</plugin_publication_date>
<plugin_type>combined</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 2.37 $</script_version>
<solution>n/a</solution>
<synopsis>It is possible to guess the remote operating system.</synopsis>
<plugin_output>
Remote operating system : Microsoft Windows 7 Ultimate
Confidence Level : 99
Method : MSRPC

The remote host is running Microsoft Windows 7 Ultimate</plugin_output>
</ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="20811" pluginName="Microsoft Windows Installed Software Enumeration (credentialed check)" pluginFamily="Windows">
<description>This plugin lists software potentially installed on the remote host by crawling the registry entries in :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall HKLM\SOFTWARE\Microsoft\Updates
Note that these entries do not necessarily mean the applications are actually installed on the remote host - they may have been left behind by uninstallers, or the associated files may have been manually removed.</description>
<fname>smb_enum_softwares.nasl</fname>
<plugin_modification_date>2013/07/25</plugin_modification_date>
<plugin_name>Microsoft Windows Installed Software Enumeration (credentialed check)</plugin_name>
<plugin_publication_date>2006/01/26</plugin_publication_date>
<plugin_type>local</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 1.15 $</script_version>
<solution>Remove any applications that are not compliant with your organization&apos;s acceptable use and security policies.</solution>
<synopsis>It is possible to enumerate installed software.</synopsis>
<plugin_output>
The following software are installed on the remote host :
LG Power Tools [version 6.0.3316] [installed on 2012/07/02]
LG CyberLink Power2Go [version 6.2.4009] [installed on 2012/07/02]
LG CyberLink LabelPrint [version 2.5.3109] [installed on 2012/07/02]
Symantec Endpoint Protection [version 12.1.5337.5000] [installed on 2015/03/31]
MSXML 4.0 SP3 Parser (KB2758694) [version 4.30.2117.0] [installed on 2013/02/14]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 [version 9.0.30729.4148] [installed on 2012/08/10]
Intel(R) USB 3.0 eXtensible Host Controller Driver [version 1.0.4.225]
MSXML 4.0 SP3 Parser (KB2721691) [version 4.30.2114.0] [installed on 2012/09/05]
Microsoft .NET Framework 4.5.2 [version 4.5.51209] [installed on 2014/11/19]
Microsoft Visual C++ 2005 Redistributable [version 8.0.61001] [installed on 2012/09/05]
EMET 5.1 [version 5.1] [installed on 2015/03/31]
Symantec Endpoint Protection [version 12.1.4112.4156] [installed on 2014/09/17]
Microsoft Visual C++ 2005 Redistributable [version 8.0.59193] [installed on 2012/10/09]
MSXML 4.0 SP2 (KB954430) [version 4.20.9870.0] [installed on 2012/09/05]
Microsoft Silverlight [version 5.1.30214.0] [installed on 2014/03/21]
Security Update for Microsoft .NET Framework 4.5.2 (KB2972107) [version 1]
Security Update for Microsoft .NET Framework 4.5.2 (KB2972216) [version 1]
Security Update for Microsoft .NET Framework 4.5.2 (KB2978128) [version 1]
Security Update for Microsoft .NET Framework 4.5.2 (KB2979578v2) [version 2]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 [version 9.0.30729.6161] [installed on 2012/09/05]
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 [version 10.0.40219] [installed on 2015/01/27]
Intel(R) Processor Graphics [version 8.15.10.2696]
Realtek High Definition Audio Driver [version 6.0.1.6662] [installed on 2012/07/02]
Intel(R) OpenCL CPU Runtime
The following updates are installed :
MSXML4SP2 :
Q954430 [installed on 9/5/2012]
MSXML4SP3 :
Q2721691 [installed on 9/5/2012]

Microsoft .NET Framework 4 Client Profile :
KB2468871 [version 1] [installed on 4/10/2014]
KB2533523 [version 1] [installed on 4/10/2014]
KB2600217 [version 1] [installed on 4/10/2014]
Microsoft .NET Framework 4 Extended :
KB2468871 [version 1] [installed on 4/10/2014]
KB2533523 [version 1] [installed on 4/10/2014]
KB2600217 [version 1] [installed on 4/10/2014]
Microsoft .NET Framework 4.5.1 :
KB2898869 [version 1] [installed on 4/10/2014]
KB2901126 [version 1] [installed on 4/10/2014]
KB2931368 [version 1] [installed on 5/15/2014]
Microsoft .NET Framework 4.5.2 :
KB2972107 [version 1] [installed on 11/19/2014]
KB2972216 [version 1] [installed on 9/17/2014]
KB2978128 [version 1] [installed on 11/19/2014]
KB2979578v2 [version 2] [installed on 11/19/2014]
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 :
KB2151757 [version 1] [installed on 8/10/2012]
KB2467173 [version 1] [installed on 8/10/2012]
KB2565063 [version 1] [installed on 1/27/2015]
KB982573 [version 1] [installed on 8/10/2012]
</plugin_output>
</ReportItem>

<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="27524" pluginName="Microsoft Office Detection" pluginFamily="Windows">
<cpe>cpe:/a:microsoft:office</cpe>
<description>Microsoft Office is installed on the remote host.</description>
<fname>office_installed.nasl</fname>
<plugin_modification_date>2014/10/31</plugin_modification_date>
<plugin_name>Microsoft Office Detection</plugin_name>
<plugin_publication_date>2007/10/23</plugin_publication_date>
<plugin_type>local</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 1.44 $</script_version>
<see_also>http://office.microsoft.com/</see_also>
<solution>n/a</solution>
<synopsis>The remote Windows host contains an office suite.</synopsis>
<plugin_output>
The remote host has the following Microsoft Office 2010 Service Pack 2 components installed :
- Word : 14.0.7145.5001
- Excel : 14.0.7145.5001
- PowerPoint : 14.0.7121.5000
</plugin_output>
</ReportItem>

I have attached a sample workbook of what I would want the output to look like. I assume I could use the following to loop through the files in a directory:

Sub LoopThroughFiles()
    Dim MyObj As Object, MySource As Object, file As Variant
    ' Dir returns the first file name in the folder, or "" when there is none
    file = Dir("c:\testfolder\")
    While (file <> "")
        If InStr(file, "test") > 0 Then
            MsgBox "found " & file
            Exit Sub
        End If
        file = Dir ' next file name in the same folder
    Wend
End Sub

Any help would be greatly appreciated!

p45cal
04-18-2015, 07:11 AM
Could you supply a real .nessus file for me/us to test with?
What version of Excel are you using?

john3j
04-20-2015, 02:05 AM
I have attached a zip file that contains both a .nessus file, as well as a .html file. Please let me know if you need anything else?

p45cal
04-21-2015, 03:32 PM
Please let me know if you need anything else?

No, so far nothing more needed except for the version of Excel you're using.

john3j
04-21-2015, 04:28 PM
No, so far nothing more needed except for the version of Excel you're using.

I apologize. I am using Microsoft 2010. If there is anything else that you have questions about please let me know.

p45cal
04-23-2015, 01:10 PM
There might be a small problem with the html/nessus files you supplied; I can't find any reference to Device Hostname or plugin no. 55472 in either of them!

The other 3 are there and I can get them.

snb
04-23-2015, 02:17 PM
Just consider the file as an ordinary ascii file:


Sub M_snb()
    ' Read the whole .nessus file as plain text and show where the string first occurs (0 = not found)
    c00 = CreateObject("Scripting.FileSystemObject").OpenTextFile("G:\OF\example.nessus").ReadAll
    MsgBox InStr(c00, "Device Hostname")
End Sub

john3j
04-24-2015, 11:53 AM
There might be a small problem with the html/nessus files you supplied; I can't find any reference to Device Hostname or plugin no. 55472 in either of them!

The other 3 are there and I can get them.

For the hostname, could you use plugin 46215? The hostname of the test computer I set up was WIN-FLS98C30126. I am very curious to see how you are achieving this! Thank you again for taking the time to help me!

p45cal
04-24-2015, 04:32 PM
See attached. Comments in the code. 2 buttons are just different ways of choosing which files to process. Be aware that repeated processing of the same files will result in errors due to creating a sheet with the same name as an existing one, so delete any such sheets first.
It's by no means rounded, just the result of my explorations - not especially slick. Will need polishing a lot, but could get you started.
Where Device Hostname is not present an attempt is made to get data from plugin 46215.
Code needs a reference to Microsoft XML in the VBE, Tools|References.

john3j
04-27-2015, 10:49 AM
See attached. Comments in the code. 2 buttons are just different ways of choosing which files to process. Be aware that repeated processing of the same files will result in errors due to creating a sheet with the same name as an existing one, so delete any such sheets first.
It's by no means rounded, just the result of my explorations - not especially slick. Will need polishing a lot, but could get you started.
Where Device Hostname is not present an attempt is made to get data from plugin 46215.
Code needs a reference to Microsoft XML in the VBE, Tools|References.

p45cal, Thank you so much for your time and efforts. Your code works great on the file that I was able to provide to you. Unfortunately, when I try to run it on files where plugin 55472 is available, it errors out on me, but the debugging points to ".Name = HostName 'no checks at the moment to ensure hostname is a valid sheet name (all valid characters and not empty), nor is a check made that the same name doesn't already exist." from the sub AddAndPopulateNewSheet. I cannot provide you a .nessus file from a production system, but I can tell you that XML for the plugin looks like this:

<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="55472" pluginName="Device Hostname" pluginFamily="General"><description>This plugin reports a device&apos;s hostname collected via SSH or WMI.</description><fname>wmi_system_hostname.nbin</fname><plugin_modification_date>2014/01/07</plugin_modification_date><plugin_name>Device Hostname</plugin_name><plugin_publication_date>2011/06/30</plugin_publication_date><plugin_type>local</plugin_type><risk_factor>None</risk_factor><script_version>$Revision: 1.3 $</script_version><solution>n/a</solution><synopsis>It is possible to determine the remote system hostname.</synopsis><plugin_output> Hostname : TestComputer1</plugin_output></ReportItem>

Do you have any ideas? I would appreciate your thoughts!

john3j
04-28-2015, 10:57 AM
p45cal,

With a slight modification of the code you had provided, I was able to achieve the report I was needing. Again, I really appreciate your time and willingness to help!

p45cal
04-28-2015, 10:59 AM
Try updating the following macro to:

Sub ParseXML(fname, HostName, OSID, Soft, Office)
    Set oXMLFile = CreateObject("Microsoft.XMLDOM")
    oXMLFile.async = False 'load synchronously so the nodes are available as soon as Load returns
    oXMLFile.Load (fname)
    'Set myNodes = oXMLFile.SelectNodes("/NessusClientData_v2/Report/ReportHost/ReportItem/plugin_output[../plugin_name = 'OS Identification']")
    'Set myNodes = oXMLFile.SelectNodes("/NessusClientData_v2/Report/ReportHost/ReportItem/plugin_output[../plugin_name = 'Microsoft Windows Installed Software Enumeration (credentialed check)']")
    'Set myNodes = oXMLFile.SelectNodes("/NessusClientData_v2/Report/ReportHost/ReportItem/plugin_output[../plugin_name = 'Microsoft Office Detection']")

    Set MyNode = oXMLFile.SelectSingleNode("/NessusClientData_v2/Report/ReportHost/ReportItem[@pluginID='55472']") 'Device Hostname
    If Not MyNode Is Nothing Then 'Device Hostname present in report:
        'MsgBox MyNode.Text
        'HostName = MyNode.Text
        HostName = Trim(Split(MyNode.Text, "Hostname : ")(1)) 'this will err if "Hostname : " isn't present.
    Else 'Device Hostname NOT present in report:
        Set MyNode = oXMLFile.SelectSingleNode("/NessusClientData_v2/Report/ReportHost/ReportItem[@pluginID='46215']") 'Inconsistent Hostname and IP Address
        If Not MyNode Is Nothing Then
            'MsgBox MyNode.Text
            'MsgBox Split(MyNode.Text, "'")(2) 'this will err if fewer than 2 apostrophes.
            HostName = Split(MyNode.Text, "'")(2) 'this will err if fewer than 2 apostrophes.
        End If
    End If
    Set MyNode = oXMLFile.SelectSingleNode("/NessusClientData_v2/Report/ReportHost/ReportItem[@pluginID='11936']") 'OS Identification
    If Not MyNode Is Nothing Then
        'MsgBox MyNode.Text
        OSID = MyNode.Text
    End If
    Set MyNode = oXMLFile.SelectSingleNode("/NessusClientData_v2/Report/ReportHost/ReportItem[@pluginID='20811']") 'Microsoft Windows Installed Software Enumeration (credentialed check)
    If Not MyNode Is Nothing Then
        If InStr(MyNode.Text, "The following updates are installed") > 0 Then
            'MsgBox Split(MyNode.Text, "The following updates are installed")(0)
            Soft = Split(MyNode.Text, "The following updates are installed")(0)
        Else
            'MsgBox MyNode.Text
            Soft = MyNode.Text
        End If
    End If
    Set MyNode = oXMLFile.SelectSingleNode("/NessusClientData_v2/Report/ReportHost/ReportItem[@pluginID='27524']") 'Microsoft Office Detection
    If Not MyNode Is Nothing Then
        'MsgBox MyNode.Text
        Office = MyNode.Text
    End If
End Sub
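
Added example, not part of the thread or of p45cal's workbook: the same extraction sketched in Python rather than VBA, reading only plugin_output for the four plugin IDs and turning each hostname into a valid, unique sheet name (the point where the macro errored). It goes beyond the posted macro by walking every ReportHost in a file; the sample XML, its host names and the helper names sheet_name and inventory are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Plugin IDs named in the thread, mapped to output fields.
PLUGINS = {"55472": "hostname", "11936": "os", "20811": "software", "27524": "office"}
UPDATES_MARKER = "The following updates are installed"

# Constructed two-host sample (not from a real scan); host names are made up.
SAMPLE = """<NessusClientData_v2><Report name="demo">
<ReportHost name="10.0.0.5">
<ReportItem port="0" pluginID="55472"><description>Hostname plugin.</description>
<plugin_output> Hostname : TestComputer1</plugin_output></ReportItem>
<ReportItem port="445" pluginID="20811"><plugin_output>
The following software are installed on the remote host :
EMET 5.1 [version 5.1] [installed on 2015/03/31]
Intel(R) OpenCL CPU Runtime
The following updates are installed :
Q954430 [installed on 9/5/2012]
</plugin_output></ReportItem></ReportHost>
<ReportHost name="lab/host:2"><ReportItem port="0" pluginID="11936">
<plugin_output>Remote operating system : Microsoft Windows 7 Ultimate</plugin_output>
</ReportItem></ReportHost></Report></NessusClientData_v2>"""

def sheet_name(raw, used):
    # Excel rejects : \ / ? * [ ] and names that are empty or over 31 characters.
    base = re.sub(r"[:\\/?*\[\]]", "_", raw).strip()[:31].strip(" '") or "host"
    name, n = base, 1
    while name.lower() in used:          # sheet names are case-insensitive
        n += 1
        name = base[:31 - len(f"_{n}")] + f"_{n}"
    used.add(name.lower())
    return name

def inventory(xml_text):
    """Return {sheet name: fields} for every ReportHost in one .nessus v2 document."""
    hosts, used = {}, set()
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        row = {}
        for item in host.iter("ReportItem"):
            field = PLUGINS.get(item.get("pluginID"))
            if field:  # read plugin_output only, not the description text
                row[field] = (item.findtext("plugin_output") or "").strip()
        m = re.search(r"Hostname\s*:\s*(\S+)", row.get("hostname", ""))
        row["hostname"] = m.group(1) if m else host.get("name", "")
        soft = row.get("software", "").split(UPDATES_MARKER)[0]
        lines = [s.strip() for s in soft.splitlines()]
        row["software"] = [s for s in lines if s and not s.startswith("The following")]
        hosts[sheet_name(row["hostname"], used)] = row
    return hosts
```

When plugin 55472 is absent, this falls back to the ReportHost name attribute instead of plugin 46215.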

MrPebody70
04-18-2017, 07:11 PM
Does this still work for updated .nessus files?



Try updating the following macro to:

p45cal
04-19-2017, 12:18 AM
I've no idea.
Supply an 'updated .nessus file'.