openvasreporting

Errors when generating excel with xmls from GVM11

Open meetgyn opened this issue 4 years ago • 11 comments

Due to the fact that OpenVAS had its life cycle at the end, I needed to install GVM11; however, the XML is different from OpenVAS 9 and the script you provided does not work with it. Did you have any plans to make the new version available to us? Note: You did a great job, helped a lot with scripting. An example of XML generated by GVM11:


meetgyn (Jun 01 '20 13:06)

If I find the time to do so, I'll install a fresh copy of OpenVAS/Greenbone Vulnerability Management and check what breaks.
This is a project I maintain in my spare time, and I'm not having a lot of that recently.

You are using GVM-11 from here, right? https://community.greenbone.net/t/about-the-greenbone-source-edition-gse-category/176

Also, I updated your post to use code tags, please check if this didn't affect the content.

TheGroundZero (Jun 01 '20 17:06)

Yes, I am using GVM11, as the OpenVAS 9 version has ended its life cycle. We were forced to use Greenbone Vulnerability Management and, comparing the XML files, the fields are different. If necessary, I can send a copy of each for future analysis. Thank you very much for your feedback.

meetgyn (Jun 01 '20 19:06)

Hello, thank you so much for this; it helped me a lot in the past. With Greenbone 11 and the latest scan, when I try to generate the xlsx format I get the error below. Not sure what to do; can you please take a look when you get a chance?

    Traceback (most recent call last):
      File "openvasreporting.py", line 9, in <module>
        from .libs.config import Config
    ImportError: attempted relative import with no known parent package

cybermonk3y (Jul 28 '20 14:07)

Hi @TheGroundZero, have you had time to look at this issue? As OpenVAS 9 is now EOL since some time now, I cannot even download NVTs updates, so moving to GVM 11 has become critical. For an easy install, have you tried installing the GSM Trial version? It's a VM image that can be run on VirtualBox.

juanluisbaptiste (Oct 22 '20 16:10)

Hi all

I've been seriously lacking on support on this project, for which I want to apologise. If anyone is able to help me out on this, that'd be highly appreciated! Feel free to send in a PR.

In the meantime, I'll install the VM and will have to research what changed in the report files. I'm already getting lost in the different Greenbone solutions.

TheGroundZero (Oct 28 '20 21:10)

@juanluisbaptiste

> OpenVAS 9 is now EOL since some time now I cannot even download NVTs updates

In case you are looking for a workaround, try the following:

    echo "45.135.106.142 feed.community.greenbone.net feed.openvas.org" >> /etc/hosts

It works for me :D It seems like they just shut down the old domain.

moxli (Nov 25 '20 17:11)

@moxli thanks for this tip!!

juanluisbaptiste (Dec 01 '20 15:12)

@TheGroundZero Where would I start if I wanted to make this work with the newest version of OpenVAS?

austinsonger (Feb 14 '21 09:02)

> @TheGroundZero Where would I start if I wanted to make this work with the newest version of OpenVAS?

To be honest, it's been a while since I've worked on this project.

I suppose the main issue is that the report format has changed. So the new format would have to be "reverse engineered" and the code modified to match it.

TheGroundZero (Feb 14 '21 20:02)

@TheGroundZero I think @austinsonger's question was more about whether you could give him a pointer on where to start looking at the code to add support for the new XML format. That pointer would be helpful for anyone thinking of working on this.

juanluisbaptiste (Feb 14 '21 22:02)

> @TheGroundZero I think @austinsonger's question was more about whether you could give him a pointer on where to start looking at the code to add support for the new XML format. That pointer would be helpful for anyone thinking of working on this.

That would be here: https://github.com/TheGroundZero/openvasreporting/blob/0aa8d250435f9e2f390632c2af235d5497d3064e/openvasreporting/libs/parser.py#L57

Some knowledge of XPath is useful.

TheGroundZero (Feb 15 '21 21:02)
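
One way to approach the parser change discussed in this thread, as an added example (not code from openvasreporting): XPath extraction of results from a GVM-style report with Python's ElementTree, tolerant of `<host>` carrying child elements and of a missing `<severity>`. The element names, the pipe-delimited `tags` field, the placeholder OIDs and the sample report are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of a GVM-11 report (placeholder OIDs, TEST-NET address).
SAMPLE = """<report><report><results>
  <result id="r1"><name>Example SMB finding</name>
    <host>192.0.2.10<asset asset_id="a1"/></host><port>445/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.0"><cvss_base>9.3</cvss_base>
      <tags>cvss_base_vector=AV:N/AC:M/Au:N/C:C/I:C/A:C|summary=Missing vendor
update.|solution_type=VendorFix</tags></nvt>
    <threat>High</threat><severity>9.3</severity></result>
  <result id="r2"><name>Example informational finding</name>
    <host>192.0.2.10</host><port>general/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.1"><cvss_base>2.6</cvss_base>
      <tags>summary=a=b|insight=</tags></nvt>
    <threat>Low</threat></result>
</results></report></report>"""


def split_tags(raw):
    """Split 'key=value|key=value' into a dict; values may contain '=' or newlines."""
    tags = {}
    for part in (raw or "").split("|"):
        key, sep, value = part.partition("=")  # split on the first '=' only
        if sep:
            tags[key.strip()] = " ".join(value.split())  # collapse wrapped lines
    return tags


def parse_report(xml_text):
    """Return one dict per <result>, sorted by severity, highest first."""
    root = ET.fromstring(xml_text)
    findings = []
    for res in root.findall(".//results/result"):
        nvt = res.find("nvt")
        if nvt is None:  # skip results without NVT metadata
            continue
        # findtext() returns only the leading text node, so <host> works both
        # as plain text and with child elements such as <asset>.
        findings.append({
            "name": res.findtext("name", "").strip(),
            "host": res.findtext("host", "").strip(),
            "port": res.findtext("port", "").strip(),
            "oid": nvt.get("oid", ""),
            "threat": res.findtext("threat", ""),
            # fall back to the NVT's cvss_base when <severity> is absent
            "severity": float(res.findtext("severity") or nvt.findtext("cvss_base") or 0),
            "tags": split_tags(nvt.findtext("tags")),
        })
    return sorted(findings, key=lambda f: f["severity"], reverse=True)
```

For reports that come from an untrusted source, `defusedxml.ElementTree.fromstring` can replace the `ET.fromstring` call.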