Nessus Authentication Scan Results Analysis using JavaScript
Hi All,
I’m writing this blog to analyze the Nessus scan results for the authentication scan.
What is Nessus Authentication Scan?
This is the Nessus scan with limited plugins enabled, so that the scan takes less time to complete and only the authenticated related data will be collected like
- Is the server reachable? (Ping)
- Is Nessus able to login to servers using the provided credentials?
- Is Nessus able to escalate the privileges to perform it’s scan properly?
Tip: You can download the Nessus scan policy from my github channel, import into your Nessus, add the credentials to your policy and run the scan.
Ref: https://github.com/V9Y1nf0S3C/Pentest-workspace/tree/main/Nessus/Config_Files
When is this blog useful?
Imagine a scenario where you need to analyze the Nessus authentication scan results and report to your customer/client if the authentication and connectivity to the target servers is good or not. And you want to use the JavaScript code to analyze the results.
Tool Used: Nessus Professional v10.4.2
Tested on: Chrome & Edge
Where to use the JavaScript code? Paste the JavaScript on the web browser console to get the output. You can use the Inspect option or the Dev tools option to open developer tools and then go to Console tab.
How does this script works? Script work by getting the output from web browser DOM. So, make sure your DOM is loaded properly before executing the script.
Tip-1: Increase the “Results per page” count to max.
Tip-2: Scroll the web page to the bottom to load all elements available.
Case 1: I want to find the list of hosts
Use the following script to get the list of hosts and the count of plugins reported for that host.
Where to use: Open the Nessus scan results and go to the Hosts tab. Open the web browser developer tools > console > paste the code here
//[Nessus Scan > Hosts Tab]
const y = document.querySelector("#content > section > div:nth-child(2) > div:nth-child(2) > table > tbody").rows.length;
const z = document.querySelector("#content > section > div:nth-child(2) > div:nth-child(2) > table > tbody");
for (let i=0;i<y;i++){
console.log(i+1 + ".\t" + z.rows[i].cells[1].innerHTML + "\t [" + z.rows[i].cells[4].innerHTML+ "]")
}Expected Output:
1. 100.90.4.68 [74]
2. 100.90.4.69 [71]
3. 100.90.1.197 [71]
4. 100.90.1.198 [63]Sample Screenshot:
Case 2: I want to see the count of few important plugins (Windows & Linux)
Use the following script to get the list of few important plugins reported in the scan and the count of plugins output (for all hosts detected).
Where to use: Open the Nessus scan results and go to the Vulnerabilities tab. Open the web browser developer tools > console > paste the code here
//[Nessus Scan > Vulnerabilities Tab] Plugin analysis with count
const plugins = [10180,19506,110095,117887,141118,104410,21745,10394,117885,24786];
const y = document.querySelector("#content > section > div:nth-child(2) > div:nth-child(2) > table > tbody").rows.length;
const z = document.querySelector("#content > section > div:nth-child(2) > div:nth-child(2) > table > tbody");
const a = [];
for (let i=0;i<plugins.length;i++){
for (let j=0;j<y;j++){
if (plugins[i] == parseInt(z.rows[j].cells[6].innerHTML) ) {
a.push(j); continue;
}
}
}
for (let i=0;i<a.length;i++){
console.log( i + 1 + "." + z.rows[a[i]].cells[3].innerHTML + "\t\t[" + z.rows[a[i]].cells[5].innerHTML + "]")
}Expected Output:
1.Ping the remote host [75]
2.Nessus Scan Information [73]
3.Target Credential Issues by Authentication Protocol - No Issues Found [32]
4.OS Security Patch Assessment Available [32]
5.Target Credential Status by Authentication Protocol - Valid Credentials Provided [66]
6.Target Credential Status by Authentication Protocol - Failure for Provided Credentials [10]
7.OS Security Patch Assessment Failed [39]
8.Microsoft Windows SMB Log In Possible [39]
9.Nessus Windows Scan Not Performed with Admin Privileges [34]Sample Screenshot:
Case 3A: I want to find the list of reported hosts from the plugin output (Quick & Concise)
Use the following script to get the list of reported hosts from the plugin output.
Where to use: Open the Nessus scan results, go to the Vulnerabilities tab and click on any plugin to see the reported hosts. Open the web browser developer tools > console > paste the code here
//[Nessus Scan > Vulnerabilities > Open a vulnerability] List of effected hosts
const x=document.querySelector("#content > section > div.main-column > div:nth-child(3) > ul").getElementsByTagName("a");
for (let i=0;i<x.length;i++){
console.log(i+1 + ".\t" + x[i].innerHTML)
}Expected Output:
1. 100.90.1.21
2. 100.90.1.133
3. 100.90.1.134
4. 100.90.2.69
5. 100.90.2.70
6. 100.90.3.7
7. 100.90.4.5
8. 100.90.4.6
9. 100.90.4.197
10. 100.90.4.198Sample Screenshot:
Case 3B: I want to find the list of reported hosts from the plugin output (More detailed)
Use the following script to get the list of reported hosts from the plugin output.
Where to use: Open the Nessus scan results, go to the Vulnerabilities tab and click on any plugin to see the reported hosts. Open the web browser developer tools > console > paste the code here
//[Nessus Scan > Vulnerabilities > Open a vulnerability] List of effected hosts
const scan_name = document.querySelector("#titlebar > h1").innerHTML;
const scan_name2 = scan_name.split('\n'); //scan_name2[0]
const plugin_id = document.querySelector("#content > section > div.right-column > div:nth-child(2) > span:nth-child(5)").innerText;
const plugin_name = document.querySelector("#content > section > div.main-column > div.plugin-details-header > h4").innerHTML;
//get the list of output sections
const op_count = document.querySelector("#content > section > div.main-column > div:nth-child(3) > ul").querySelectorAll('li');
const outputs=[];
const port=[];
//get the list of hosts in the output sections
for (let i = 0; i < op_count.length; i++) {
//console.log("Now checking: " + i)
outputs[i] = document.getElementsByClassName("plugin-output-wrapper")[i].querySelectorAll("a");
port[i] = document.getElementsByClassName("plugin-output-wrapper")[i].querySelectorAll('td > span')[0].innerHTML;
}
//Convert obj to array
const arr2 = Object.entries(outputs);
arr2[0][1].length
//Count total hosts and the individual count
hosts_port_count = 0
hosts_port_out = ""
for (let i = 0; i < op_count.length; i++) {
hosts_port_out += "\t\tPort Output & Count of hosts [" +i+"] : [" + port[i] + "] : " + arr2[i][1].length + "\n"
hosts_port_count += arr2[i][1].length
}
//Print the output in formatted form
console.log("Scan Name:\t" + scan_name2[0] + "\nPlugin ID:\t" + plugin_id + "\nPlugin Name:\t" + plugin_name + "\nTotal Hosts :\t" + hosts_port_count + "\nIndividual Host count :\n" + hosts_port_out + "\n\n")
sno_counter=0
for (let i = 0; i < op_count.length; i++) {
for (let j = 0; j < arr2[i][1].length; j++) {
sno_counter += 1
console.log(sno_counter + ".\t" + plugin_id +"\t"+ port[i] +"\t"+ arr2[i][1][j].innerHTML)
//outputs[i] = document.getElementsByClassName("plugin-output-wrapper")[i].querySelectorAll("a");
}
}Expected Output:
Scan Name: V9 Connectivity Scan (Win+Lin) / Plugin #141118
Plugin ID: 141118
Plugin Name: Target Credential Status by Authentication Protocol - Valid Credentials Provided
Total Hosts : 66
Individual Host count :
Port Output & Count of hosts [0] : [22 / tcp / ssh] : 24
Port Output & Count of hosts [1] : [445 / tcp / cifs] : 10
Port Output & Count of hosts [2] : [445 / tcp / cifs] : 32
1. 141118 22 / tcp / ssh 100.90.1.21
2. 141118 22 / tcp / ssh 100.90.1.133
3. 141118 22 / tcp / ssh 100.90.1.134
4. 141118 22 / tcp / ssh 100.90.2.69
5. 141118 22 / tcp / ssh 100.90.2.70
...
25. 141118 445 / tcp / cifs 100.90.1.197
26. 141118 445 / tcp / cifs 100.90.1.198
27. 141118 445 / tcp / cifs 100.90.1.199
28. 141118 445 / tcp / cifs 100.90.2.5
29. 141118 445 / tcp / cifs 100.90.2.6
30. 141118 445 / tcp / cifs 100.90.2.133Sample Screenshot:
Tips
All above outputs are generated with tab space. Which means, if you copy and output from dev tools console and paste on the Excel, you can get the clean output in multiple cells instead of clumsy same cell output, which is easy to remove unnecessary data. Here is the sample screenshot
