Nessus Tools: HTML reports revisited

On a recent engagement, I noticed that people were wasting time scrolling through Nessus reports to find the vulnerabilities they either needed to confirm or dig into more deeply. Many findings would be written up automatically because there was nothing further to exploit and the supporting information in the plugin output was good enough on its own. And of course there are informational items in the report such as traceroute output, ping times, MAC addresses, operating system guesses, etc. Good information to have, but not really needed while in vulnerability assessment / penetration testing mode.

I really needed something that would just show me the interesting things to focus on. Since I already had all the Nessus data in a database via nbe2sql, I quickly wrote some SQL statements and parsers to solve my problem and produce a pretty report.

The latest release of the Nessus tools adds two more HTML reports.

  • One script is called report_auto, which generates HTML containing the findings to simply write up. For each vulnerability type there is a table with an IP column and a supporting-information column.
  • The other script is called report_manual, which generates HTML containing the findings or information worth pursuing further.

Do note that only a handful of Nessus plugin IDs are supported in the script. If you want other checks included, please provide me with some sample data and I will get them added.

Code:

I do hope that others find these additions useful. I really hate it when testers have to spend time on low-level findings. Yes, they still need to be looked at and written up, but testers should be focusing on the interesting stuff.

Nessus Tools: HTML reports

I’m not sure about you, but I hate how Nessus generates HTML reports. While reviewing a report I find myself having to remember which IP I am looking at, and I spend too much time scrolling back up the report because of my short memory. Also, none of the ports identified as having a web server behind them are links.

Leveraging the SQLite database from nbe2sql, I wrote sql2html. Both of the issues above are addressed, and the tables can be sorted dynamically via the JavaScript sorttable library.

Please let me know if there are any issues, or if you want a feature added. Enjoy.

Code:
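The two posts above describe the same pipeline from opposite ends: SQL over an nbe2sql-style SQLite database to split findings into "write up" and "pursue" buckets by plugin ID, then HTML rendering that repeats the IP on every row, turns web-server ports into links, and marks tables for sorttable. The following is an added example, not the author's report_auto, report_manual or sql2html code. It assumes a constructed `results` table (the real nbe2sql schema may differ), uses made-up plugin IDs in the 9000x range as placeholders for the real classification lists, and escapes every value taken from the database so that hostile banner or plugin text cannot inject markup into the report.

```python
import html
import sqlite3

# Constructed schema standing in for an nbe2sql-style import (assumption, not the real one).
SCHEMA = """
CREATE TABLE results (
    host TEXT, port INTEGER, proto TEXT, service TEXT,
    pluginid INTEGER, severity TEXT, description TEXT
);
"""

# Constructed sample rows; plugin IDs 9000x are placeholders, not real Nessus plugins.
SAMPLE_ROWS = [
    ("10.0.0.5", 80, "tcp", "www", 90001, "Hole", "Outdated web server banner (constructed)"),
    ("10.0.0.5", 0, "icmp", "general", 90002, "Note", "Traceroute output (constructed)"),
    ("10.0.0.7", 8443, "tcp", "https", 90003, "Warning", "Self-signed certificate (constructed)"),
    ("10.0.0.7", 22, "tcp", "ssh", 90004, "Warning", "Weak SSH algorithms offered (constructed)"),
]

# Placeholder classification lists: plugin ID -> report heading (constructed).
AUTO_PLUGINS = {90001: "Outdated web server", 90004: "Weak SSH algorithms"}
MANUAL_PLUGINS = {90003: "Self-signed certificate"}
WEB_SERVICES = {"www", "http", "https", "http-alt"}


def load_db(rows=SAMPLE_ROWS):
    """Build an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO results VALUES (?,?,?,?,?,?,?)", rows)
    return conn


def findings_by_plugin(conn, plugin_ids):
    """Rows for the given plugin IDs, grouped by plugin and ordered by host/port."""
    if not plugin_ids:
        return {}
    placeholders = ",".join("?" * len(plugin_ids))  # parameterised IN (...) list
    cur = conn.execute(
        "SELECT pluginid, host, port, proto, service, description FROM results "
        f"WHERE pluginid IN ({placeholders}) ORDER BY pluginid, host, port",
        tuple(plugin_ids),
    )
    grouped = {}
    for pid, host, port, proto, service, desc in cur:
        grouped.setdefault(pid, []).append((host, port, proto, service, desc))
    return grouped


def host_cell(host, port, service):
    """IP shown on every row; ports with a web service behind them become links."""
    label = html.escape(f"{host}:{port}")
    if service in WEB_SERVICES:
        scheme = "https" if service == "https" or port == 443 else "http"
        return f'<a href="{scheme}://{html.escape(host)}:{int(port)}/">{label}</a>'
    return label


def render_section(title, grouped, names):
    """One sortable table per plugin; every DB value is escaped before it hits the page."""
    parts = [f"<h2>{html.escape(title)}</h2>"]
    for pid, rows in grouped.items():
        heading = html.escape(names.get(pid, str(pid)))
        parts.append(f"<h3>{heading} (plugin {int(pid)})</h3>")
        parts.append('<table class="sortable"><tr><th>Host</th><th>Service</th>'
                     "<th>Supporting information</th></tr>")
        for host, port, proto, service, desc in rows:
            svc = html.escape(f"{service}/{proto}")
            parts.append(f"<tr><td>{host_cell(host, port, service)}</td>"
                         f"<td>{svc}</td><td><pre>{html.escape(desc)}</pre></td></tr>")
        parts.append("</table>")
    return "\n".join(parts)


def report_auto(conn):
    """Findings that can be written up straight from the plugin output."""
    return render_section("Findings to write up", findings_by_plugin(conn, AUTO_PLUGINS), AUTO_PLUGINS)


def report_manual(conn):
    """Findings that still need a human to confirm or dig into."""
    return render_section("Findings to pursue", findings_by_plugin(conn, MANUAL_PLUGINS), MANUAL_PLUGINS)


if __name__ == "__main__":
    db = load_db()
    print(report_auto(db))
    print(report_manual(db))
```

Informational plugins (the constructed 90002 traceroute row) appear in neither report because they are in neither list, which is the filtering the first post asks for. Putting the classification in a dictionary keyed by plugin ID keeps the SQL fixed while the lists grow, and escaping at render time matters because plugin output echoes data a remote host controls.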