Module: Msf::DBManager::Import::Nessus::NBE

Included in:
Msf::DBManager::Import::Nessus
Defined in:
lib/msf/core/db_manager/import/nessus/nbe.rb

Instance Method Summary collapse

Instance Method Details

#import_nessus_nbe(args = {}, &block) ⇒ Object

There is no place the NBE actually stores the plugin name used to scan. You get “Security Note” or “Security Warning,” and that's it.


4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# File 'lib/msf/core/db_manager/import/nessus/nbe.rb', line 4

def import_nessus_nbe(args={}, &block)
  nbe_data = args[:data]
  wspace = Msf::Util::DBManager.process_opts_workspace(args, framework).name
  bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []

  nbe_copy = nbe_data.dup
  # First pass, just to build the address map.
  addr_map = {}

  # Cache host objects before passing into handle_nessus()
  hobj_map = {}

  nbe_copy.each_line do |line|
    r = line.split('|')
    next if r[0] != 'results'
    next if r[4] != "12053"
    data = r[6]
    addr,hname = data.match(/([0-9\x2e]+) resolves as (.+)\x2e\\n/n)[1,2]
    addr_map[hname] = addr
  end

  nbe_data.each_line do |line|
    r = line.split('|')
    next if r[0] != 'results'
    hname = r[2]
    if addr_map[hname]
      addr = addr_map[hname]
    else
      addr = hname # Must be unresolved, probably an IP address.
    end
    port = r[3]
    nasl = r[4]
    type = r[5]
    data = r[6]

    # If there's no resolution, or if it's malformed, skip it.
    next unless ipv46_validator(addr)

    if bl.include? addr
      next
    else
      yield(:address,addr) if block
    end

    hobj_map[ addr ] ||= report_host(:host => addr, :workspace => wspace, :task => args[:task])

    # Match the NBE types with the XML severity ratings
    case type
    # log messages don't actually have any data, they are just
    # complaints about not being able to perform this or that test
    # because such-and-such was missing
    when "Log Message"; next
    when "Security Hole"; severity = 3
    when "Security Warning"; severity = 2
    when "Security Note"; severity = 1
    # a severity 0 means there's no extra data, it's just an open port
    else; severity = 0
    end
    if nasl == "11936"
      os = data.match(/The remote host is running (.*)\\n/)[1]
      report_note(
        :workspace => wspace,
        :task => args[:task],
        :host => hobj_map[ addr ],
        :type => 'host.os.nessus_fingerprint',
        :data => {
          :os => os.to_s.strip
        }
      )
    end

    next if nasl.to_s.strip.empty?
    plugin_name = nil # NBE doesn't ever populate this
    handle_nessus(wspace, hobj_map[ addr ], port, nasl, plugin_name, severity, data)
  end
end

#import_nessus_nbe_file(args = {}) ⇒ Object

Import Nessus NBE files


84
85
86
87
88
89
90
91
92
# File 'lib/msf/core/db_manager/import/nessus/nbe.rb', line 84

def import_nessus_nbe_file(args={})
  filename = args[:filename]

  data = ""
  ::File.open(filename, 'rb') do |f|
    data = f.read(f.stat.size)
  end
  import_nessus_nbe(args.merge(:data => data))
end