dradis-nessus 3.3.0

data/lib/dradis-nessus.rb

@@ -0,0 +1,9 @@
+require 'dradis-plugins'
+
+# Require engine
+require 'dradis/plugins/nessus'
+
+
+# Require supporting Nessus library
+require 'nessus/host'
+require 'nessus/report_item'

data/lib/dradis/plugins/nessus.rb

@@ -0,0 +1,11 @@
+module Dradis
+  module Plugins
+    module Nessus
+    end
+  end
+end
+
+require 'dradis/plugins/nessus/engine'
+require 'dradis/plugins/nessus/field_processor'
+require 'dradis/plugins/nessus/importer'
+require 'dradis/plugins/nessus/version'

data/lib/dradis/plugins/nessus/engine.rb

@@ -0,0 +1,24 @@
+module Dradis
+  module Plugins
+    module Nessus
+      class Engine < ::Rails::Engine
+        isolate_namespace Dradis::Plugins::Nessus
+
+        include ::Dradis::Plugins::Base
+        description 'Processes Nessus XML v2 format (.nessus)'
+        provides :upload
+
+        #     generators do
+        #       require "path/to/my_railtie_generator"
+        #     end
+
+        # Configuring the gem
+        # class Configuration < Core::Configurator
+        #   configure :namespace => 'burp'
+        #   setting :category, :default => 'Burp Scanner output'
+        #   setting :author, :default => 'Burp Scanner plugin'
+        # end
+      end
+    end
+  end
+end

data/lib/dradis/plugins/nessus/field_processor.rb

@@ -0,0 +1,53 @@
+module Dradis
+  module Plugins
+    module Nessus
+
+      class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
+
+        def post_initialize(args={})
+          @nessus_object = (data.name == 'ReportHost') ? ::Nessus::Host.new(data) : ::Nessus::ReportItem.new(data)
+        end
+
+        def value(args={})
+          field = args[:field]
+
+          # fields in the template are of the form <foo>.<field>, where <foo>
+          # is common across all fields for a given template (and meaningless).
+          _, name = field.split('.')
+
+          if name.end_with?('entries')
+            # report_item.bid_entries
+            # report_item.cve_entries
+            # report_item.xref_entries
+            entries = @nessus_object.try(name)
+            if entries.any?
+              entries.to_a.join("\n")
+            else
+              'n/a'
+            end
+          else
+            output = @nessus_object.try(name) || 'n/a'
+
+            if field == 'report_item.description' && output =~ /^  -/
+              format_bullet_point_lists(output)
+            else
+              output
+            end
+          end
+        end
+
+        private
+        def format_bullet_point_lists(input)
+          input.split("\n\n").map do |paragraph|
+            if paragraph =~ /^  - (.*)$/m
+              '* ' + $1.gsub(/    /, '').gsub(/\n/, ' ')
+            else
+              paragraph
+            end
+          end.join("\n\n")
+        end
+      end
+
+    end
+  end
+end

data/lib/dradis/plugins/nessus/gem_version.rb

@@ -0,0 +1,19 @@
+module Dradis
+  module Plugins
+    module Nessus
+      # Returns the version of the currently loaded Nessus as a <tt>Gem::Version</tt>
+      def self.gem_version
+        Gem::Version.new VERSION::STRING
+      end
+
+      module VERSION
+        MAJOR = 3
+        MINOR = 3
+        TINY = 0
+        PRE = nil
+
+        STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
+      end
+    end
+  end
+end

data/lib/dradis/plugins/nessus/importer.rb

@@ -0,0 +1,178 @@
+module Dradis::Plugins::Nessus
+  class Importer < Dradis::Plugins::Upload::Importer
+
+    # The framework will call this function if the user selects this plugin from
+    # the dropdown list and uploads a file.
+    # @returns true if the operation was successful, false otherwise
+    def import(params={})
+      file_content    = File.read( params[:file] )
+
+      logger.info{'Parsing nessus output file...'}
+      doc = Nokogiri::XML( file_content )
+      logger.info{'Done.'}
+
+      if doc.xpath('/NessusClientData_v2/Report').empty?
+        error = "No reports were detected in the uploaded file (/NessusClientData_v2/Report). Ensure you uploaded a Nessus XML v2 (.nessus) report."
+        logger.fatal{ error }
+        content_service.create_note text: error
+        return false
+      end
+
+      doc.xpath('/NessusClientData_v2/Report').each do |xml_report|
+        report_label = xml_report.attributes['name'].value
+        logger.info{ "Processing report: #{report_label}" }
+        # No need to create a report node for each report. It may be good to
+        # create a plugin.output/nessus.reports with info for each scan, but
+        # for the time being we just append stuff to the Host
+        # report_node = parent.children.find_or_create_by_label(report_label)
+
+        xml_report.xpath('./ReportHost').each do |xml_host|
+          process_report_host(xml_host)
+        end #/ReportHost
+        logger.info{ "Report processed." }
+      end  #/Report
+
+      return true
+    end # /import
+
+
+    private
+
+    # Internal: Parses the specific "Nessus SYN Scanner" and similar plugin into
+    # Dradis node properties.
+    #
+    # xml_host        - The Nokogiri XML node representing the parent host for
+    #                   this issue.
+    # host_node       - The Dradis Node that represents the host in the project.
+    # xml_report_item - The Nokogiri XML node representing the Service Detection
+    #                   <ReportItem> tag.
+    #
+    # Returns nothing.
+    #
+    # Plugins processed using this method:
+    #   - [11219] Nessus SYN Scanner
+    #   - [34220] Netstat Portscanner (WMI)
+    def process_nessus_syn_scanner(xml_host, host_node, xml_report_item)
+      port     = xml_report_item['port'].to_i
+      protocol = xml_report_item['protocol']
+      logger.info{ "\t\t\t => Creating new service: #{protocol}/#{port}" }
+
+      host_node.set_property(:services, {
+        port:     port,
+        protocol: protocol,
+        state:    'open',
+        name:     xml_report_item['svc_name'],
+        x_nessus: xml_report_item.at_xpath('./plugin_output').text
+      })
+
+      host_node.save
+    end
+
+    # Internal: Process each /NessusClientData_v2/Report/ReportHost creating a
+    # Dradis node and adding some properties to it (:ip, :os, etc.).
+    #
+    # xml_host        - The Nokogiri XML node representing the parent host for
+    #                   this issue.
+    #
+    # Returns nothing.
+    #
+    def process_report_host(xml_host)
+
+      # 1. Create host node
+      host_label = xml_host.attributes['name'].value
+      host_label += " (#{xml_host.attributes['fqdn'].value})" if xml_host.attributes['fqdn']
+
+      host_node = content_service.create_node(label: host_label, type: :host)
+      logger.info{ "\tHost: #{host_label}" }
+
+      # 2. Add host info note and host properties
+      host_note_text = template_service.process_template(template: 'report_host', data: xml_host)
+      content_service.create_note(text: host_note_text, node: host_node)
+
+      if host_node.respond_to?(:properties)
+        nh = ::Nessus::Host.new(xml_host)
+        host_node.set_property(:fqdn,         nh.fqdn)             if nh.try(:fqdn)
+        host_node.set_property(:ip,           nh.ip)               if nh.try(:ip)
+        host_node.set_property(:mac_address,  nh.mac_address)      if nh.try(:mac_address)
+        host_node.set_property(:netbios_name, nh.netbios_name)     if nh.try(:netbios_name)
+        host_node.set_property(:os,           nh.operating_system) if nh.try(:operating_system)
+        host_node.save
+      end
+
+
+      # 3. Add Issue and associated Evidence for this host/port combination
+      xml_host.xpath('./ReportItem').each do |xml_report_item|
+        case xml_report_item.attributes['pluginID'].value
+        when '0'
+        when '11219', '34220' # Nessus SYN scanner, Netstat Portscanner (WMI)
+          process_nessus_syn_scanner(xml_host, host_node, xml_report_item)
+        when '22964' # Service Detection
+          process_service_detection(xml_host, host_node, xml_report_item)
+        else
+          process_report_item(xml_host, host_node, xml_report_item)
+        end
+      end #/ReportItem
+    end
+
+    # Internal: Process each /NessusClientData_v2/Report/ReportHost/ReportItem
+    # and creates the corresponding Issue and Evidence in Dradis.
+    #
+    # xml_host        - The Nokogiri XML node representing the parent host for
+    #                   this issue.
+    # host_node       - The Dradis Node that represents the host in the project.
+    # xml_report_item - The Nokogiri XML node representing the Service Detection
+    #                   <ReportItem> tag.
+    #
+    # Returns nothing.
+    #
+    def process_report_item(xml_host, host_node, xml_report_item)
+      # 3.1. Add Issue to the project
+      plugin_id = xml_report_item.attributes['pluginID'].value
+      logger.info{ "\t\t\t => Creating new issue (plugin_id: #{plugin_id})" }
+
+      issue_text = template_service.process_template(template: 'report_item', data: xml_report_item)
+      issue_text << "\n\n#[Host]#\n#{xml_host.attributes['name']}\n\n"
+
+      issue = content_service.create_issue(text: issue_text, id: plugin_id)
+
+      # 3.2. Add Evidence to link the port/protocol and Issue
+      port_info = xml_report_item.attributes['protocol'].value
+      port_info += "/"
+      port_info += xml_report_item.attributes['port'].value
+
+      logger.info{ "\t\t\t => Adding reference to this host" }
+      evidence_content = template_service.process_template(template: 'evidence', data: xml_report_item)
+
+      content_service.create_evidence(issue: issue, node: host_node, content: evidence_content)
+
+      # 3.3. Compliance check information
+    end
+
+    # Internal: Parses the specific "Service Detection" plugin into Dradis node
+    # properties.
+    #
+    # xml_host        - The Nokogiri XML node representing the parent host for
+    #                   this issue.
+    # host_node       - The Dradis Node that represents the host in the project.
+    # xml_report_item - The Nokogiri XML node representing the Service Detection
+    #                   <ReportItem> tag.
+    #
+    # Returns nothing.
+    #
+    def process_service_detection(xml_host, host_node, xml_report_item)
+      port     = xml_report_item['port'].to_i
+      protocol = xml_report_item['protocol']
+      logger.info{ "\t\t\t => Creating new service: #{protocol}/#{port}" }
+
+      host_node.set_property(:services, {
+        port:     port,
+        protocol: protocol,
+        state:    'open',
+        name:     xml_report_item['svc_name'],
+        x_nessus: xml_report_item.at_xpath('./description').text
+      })
+
+      host_node.save
+    end
+  end
+end

data/lib/dradis/plugins/nessus/version.rb

@@ -0,0 +1,13 @@
+require_relative 'gem_version'
+
+module Dradis
+  module Plugins
+    module Nessus
+      # Returns the version of the currently loaded Nessus as a
+      # <tt>Gem::Version</tt>.
+      def self.version
+        gem_version
+      end
+    end
+  end
+end

data/lib/nessus/host.rb

@@ -0,0 +1,82 @@
+module Nessus
+  # This class represents each of the /NessusClientData_v2/Report/ReportHost
+  # elements in the Nessus XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Host
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They are all desdendents of the ./HostProperties
+    # node.
+    def supported_tags
+      [
+        # attributes
+        :name,
+
+        # simple tags
+        :ip, :fqdn, :operating_system, :mac_address, :netbios_name,
+        :scan_start_time, :scan_stop_time
+      ]
+    end
+
+    # Each of the entries associated with this host. Returns an array of
+    # Nessus::ReportItem objects
+    def report_items
+      @xml.xpath('./ReportItem').collect { |xml_report_item| ReportItem.new(xml_report_item) }
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # corresponding <tag/> element inside the ./HostProperties child.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # first we try the attributes: name
+      translations_table = {}
+      method_name = translations_table.fetch(method, method.to_s)
+      return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+
+      # translation of Host properties
+      translations_table = {
+        ip:               'host-ip',
+        fqdn:             'host-fqdn',
+        operating_system: 'operating-system',
+        mac_address:      'mac-address',
+        netbios_name:     'netbios-name',
+        scan_start_time:  'HOST_START',
+        scan_stop_time:   'HOST_END'
+      }
+      method_name = translations_table.fetch(method, method.to_s)
+
+      if property = @xml.at_xpath("./HostProperties/tag[@name='#{method_name}']")
+        return property.text
+      else
+        return nil
+      end
+    end
+  end
+end

data/lib/nessus/report_item.rb

@@ -0,0 +1,118 @@
+module Nessus
+  # This class represents each of the /NessusClientData_v2/Report/ReportHost/ReportItem
+  # elements in the Nessus XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class ReportItem
+
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <bid/>, <cve/>, <xref/>)
+    def supported_tags
+      [
+        # attributes
+        :port, :svc_name, :protocol, :severity, :plugin_id, :plugin_name, :plugin_family,
+        # simple tags
+        :solution, :risk_factor, :description, :plugin_publication_date,
+        :metasploit_name, :cvss_vector, :cvss_temporal_vector, :synopsis,
+        :exploit_available, :patch_publication_date, :plugin_modification_date,
+        :cvss_temporal_score, :cvss_base_score, :plugin_output,
+        :plugin_version, :exploitability_ease, :vuln_publication_date,
+        :exploit_framework_canvas, :exploit_framework_metasploit,
+        :exploit_framework_core,
+        # multiple tags
+        :bid_entries, :cve_entries, :see_also_entries, :xref_entries,
+        # compliance tags
+        :cm_actual_value, :cm_audit_file, :cm_check_id, :cm_check_name, :cm_info,
+        :cm_output, :cm_policy_value, :cm_reference, :cm_result, :cm_see_also,
+        :cm_solution
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+      
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # first we try the attributes: port, svc_name, protocol, severity,
+      #   plugin_id, plugin_name, plugin_family
+      translations_table = {
+        # @port           = xml.attributes["port"]
+        # @svc_name       = xml.attributes["svc_name"]
+        # @protocol       = xml.attributes["protocol"]
+        # @severity       = xml.attributes["severity"]
+        :plugin_id => 'pluginID',
+        :plugin_name => 'pluginName',
+        :plugin_family  => 'pluginFamily'
+      }
+      method_name = translations_table.fetch(method, method.to_s)
+      return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      # then we try the children tags: solution, risk_factor, description,
+      #   plugin_publication_date, metasploit_name, cvss_vector,
+      #   cvss_temporal_vector, synopsis, exploit_available,
+      #   patch_publication_date, plugin_modification_date, cvss_temporal_score,
+      #   cvss_base_score, plugin_output, plugin_version, exploitability_ease,
+      #   vuln_publication_date, exploit_framework_canvas,
+      #   exploit_framework_metasploit, exploit_framework_core
+      tag = @xml.xpath("./#{method_name}").first
+      if tag
+        return tag.text
+      end
+
+      # then the custom XML tags (cm: namespace)
+      if method_name.starts_with?('cm_')
+        method_name = method_name.sub(/cm_/, 'cm:compliance-').gsub(/_/, '-')
+        cm_value = @xml.at_xpath("./#{method_name}", { 'cm' => 'http://www.nessus.org/cm' })
+        if cm_value
+          return cm_value.text
+        else
+          return nil
+        end
+      end
+
+
+      # finally the enumerations: bid_entries, cve_entries, xref_entries
+      translations_table = {
+        :bid_entries => 'bid',
+        :cve_entries => 'cve',
+        :see_also_entries => 'see_also',
+        :xref_entries  => 'xref'
+      }
+      method_name = translations_table.fetch(method, nil)
+      if method_name
+        @xml.xpath("./#{method_name}").collect(&:text)
+      else
+        # nothing found, the tag is valid but not present in this ReportItem
+        return nil
+      end
+    end
+  end
+end