search

TheGroundZero / openvasreporting

OpenVAS Reporting: Convert OpenVAS XML report files to reports
Other
131 stars 45 forks source link

Errors when generating excel with xmls from GVM11 #15

Closed meetgyn closed 6 months ago

meetgyn commented 4 years ago

Due to the fact that openvas had its life cycle at the end, I needed to install GVM11, however the XML is different from openvas 9 and the script you provided does not work with it. Did you have any plans to make the new version available to us? Note: You did a great job, helped a lot with scripting. an example of xml generated by gvm11

admin2020-05-29T00:26:38-03:00<creation_time>2020-05-29T00:26:38-03:00</creation_time><modification_time>2020-05-29T00:33:45-03:00</modification_time>0<in_use>0</in_use>Target 171<report_format id="a994b278-1f62-11e1-96ac-406186ea4fc5">XML</report_format>9.0severitydescendingapply_overrides=0 levels=hml rows=1000 min_qod=70 first=1 sort-reverse=severity notes=1 overrides=1HighMediumLowapply_overrides=0levels=hmlrows=1000min_qod=70first=1sort-reverse=severitynotes=1overrides=1<severity_class id="d4c74cda-89e1-11e3-9c29-406186ea4fc5">nist<full_name>NVD Vulnerability Severity Ratings</full_name><severity_range>None0.00.0</severity_range><severity_range>Low0.13.9</severity_range><severity_range>Medium4.06.9</severity_range><severity_range>High7.010.0</severity_range></severity_class><scan_run_status>Done</scan_run_status>1<closed_cves>3</closed_cves>1310<ssl_certs>0</ssl_certs>Target 1710teste1711002020-05-29T00:26:18-03:00<scan_start>2020-05-29T00:26:38-03:00</scan_start>America/Sao_Paulo<timezone_abbrev>-03</timezone_abbrev>3general/tcp172.16.0.1712.6Low445/tcp172.16.0.1719.3High135/tcp172.16.0.1715.0MediumMicrosoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)admin<modification_time>2020-05-29T00:32:15-03:00</modification_time><creation_time>2020-05-29T00:32:15-03:00</creation_time>172.16.0.171445/tcpnvtMicrosoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)Windows : Microsoft Bulletins<cvss_base>9.3</cvss_base>cvss_base_vector=AV:N/AC:M/Au:N/C:C/I:C/A:C|summary=This host is missing a critical security
update according to Microsoft Bulletin MS17-010.|insight=Multiple flaws exist due to the way that the
Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests.|affected=- Microsoft Windows 10 x32/x64 Edition

    Microsoft Windows Server 2012 Edition

    Microsoft Windows Server 2016

    Microsoft Windows 8.1 x32/x64 Edition

    Microsoft Windows Server 2012 R2 Edition

    Microsoft Windows 7 x32/x64 Edition Service Pack 1

    Microsoft Windows Vista x32/x64 Edition Service Pack 2

    Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1

    Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2|impact=Successful exploitation will allow remote
    attackers to gain the ability to execute code on the target server, also
    could lead to information disclosure from the server.|solution=The vendor has released updates. Please see the references for more information.|vuldetect=Send the crafted SMB transaction request
    with fid = 0 and check the response to confirm the vulnerability.|solution_type=VendorFix<scan_nvt_version></scan_nvt_version>High9.395<original_threat>High</original_threat><original_severity>9.3</original_severity>DCE/RPC and MSRPC Services Enumeration Reportingadmin<modification_time>2020-05-29T00:31:05-03:00</modification_time><creation_time>2020-05-29T00:31:05-03:00</creation_time>172.16.0.171135/tcpnvtDCE/RPC and MSRPC Services Enumeration ReportingWindows<cvss_base>5.0</cvss_base>cvss_base_vector=AV:N/AC:L/Au:N/C:P/I:N/A:N|summary=Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) or MSRPC services running
    on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries.|insight=|affected=|impact=An attacker may use this fact to gain more knowledge
    about the remote host.|solution=Filter incoming traffic to this ports.|vuldetect=|solution_type=Mitigation<scan_nvt_version></scan_nvt_version>Medium5.080Here is the list of DCE/RPC or MSRPC services running on this host via the TCP protocol:

Port: 49152/tcp

 UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49152]

Port: 49153/tcp

 UUID: 06bba54a-be05-49f9-b0a0-30f790261023, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49153]
 Annotation: Security Center

 UUID: 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49153]
 Annotation: NRP server endpoint

 UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49153]
 Annotation: DHCP Client LRPC Endpoint

 UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49153]
 Annotation: DHCPv6 Client LRPC Endpoint

 UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49153]
 Annotation: Event log TCPIP

Port: 49154/tcp

 UUID: 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49154]
 Annotation: IP Transition Configuration endpoint

 UUID: 86d35949-83c9-4044-b424-db363231fd0c, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49154]

 UUID: 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49154]
 Annotation: XactSrv service

 UUID: a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49154]
 Annotation: IKE/Authip API

Port: 49155/tcp

 UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49155]
 Named pipe : lsass
 Win32 service or process : lsass.exe
 Description : SAM access

Port: 49184/tcp

 UUID: 367abb81-9844-35f1-ad32-98f038001003, version 2
 Endpoint: ncacn_ip_tcp:172.16.0.171[49184]

Port: 49186/tcp

 UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49186]
 Annotation: IPSec Policy agent endpoint
 Named pipe : spoolss
 Win32 service or process : spoolsv.exe
 Description : Spooler service

 UUID: 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1
 Endpoint: ncacn_ip_tcp:172.16.0.171[49186]
 Annotation: Remote Fw APIs

Note: DCE/RPC or MSRPC services running on this host locally were identified. Reporting this list is not enabled by default due to the possible large size of this list. See the script preferences to enable this reporting.
<original_threat>Medium</original_threat><original_severity>5</original_severity>TCP timestampsadmin<modification_time>2020-05-29T00:28:09-03:00</modification_time><creation_time>2020-05-29T00:28:09-03:00</creation_time>172.16.0.171general/tcpnvtTCP timestampsGeneral<cvss_base>2.6</cvss_base>cvss_base_vector=AV:N/AC:H/Au:N/C:P/I:N/A:N|summary=The remote host implements TCP timestamps and therefore allows to compute
the uptime.|insight=The remote host implements TCP timestamps, as defined by RFC1323.|affected=TCP/IPv4 implementations that implement RFC1323.|impact=A side effect of this feature is that the uptime of the remote
host can sometimes be computed.|solution=To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

The default behavior of the TCP/IP stack on this Systems is to not use the
Timestamp options when initiating TCP connections, but use them if the TCP peer
that is initiating communication includes them in their synchronize (SYN) segment.

See the references for more information.|vuldetect=Special IP packets are forged and sent with a little delay in between to the
target IP. The responses are searched for a timestamps. If found, the timestamps are reported.|solution_type=Mitigation<scan_nvt_version></scan_nvt_version>Low2.680It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 101882
Packet 2: 101991
<original_threat>Low</original_threat><original_severity>2.6</original_severity><result_count>1414300111111011<false_positive>00</false_positive></result_count>9.39.3172.16.0.1712020-05-29T00:26:43-03:002020-05-29T00:32:59-03:00<port_count>2</port_count><result_count>31110<false_positive>0</false_positive></result_count>EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.902782EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.11913EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.103549EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.10879OSMicrosoft Windowsnvt1.3.6.1.4.1.25623.1.0.108044DCE/RPC and MSRPC Services EnumerationEXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.11024Services139,tcp,smbnvt1.3.6.1.4.1.25623.1.0.11011Service detection (1.3.6.1.4.1.25623.1.0.11011)EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.802726traceroute172.17.0.2,172.16.0.171nvt1.3.6.1.4.1.25623.1.0.51662Traceroutecpe:/o:microsoft:windows_7:-:sp1general/tcpnvt1.3.6.1.4.1.25623.1.0.105937EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.902269scanned_with_feedversion202005270936nvt1.3.6.1.4.1.25623.1.0.103739Host Scan EndClosed CVECVE-2006-3439openvasmd1.3.6.1.4.1.25623.1.0.902782Microsoft Windows Server Service Remote Code Execution Vulnerability (921883)10.0EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.902815OSWindows 7 Professional 7601 Service Pack 1nvt1.3.6.1.4.1.25623.1.0.102011SMB NativeLanMantcp_ports135,139,445nvt1.3.6.1.4.1.25623.1.0.900239Check Open TCP PortsEXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.11367EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.11159OS-Detectioncpe:/o:microsoft:windows_7:-:sp1nvt1.3.6.1.4.1.25623.1.0.105937Services445,tcp,cifsnvt1.3.6.1.4.1.25623.1.0.11011Service detection (1.3.6.1.4.1.25623.1.0.11011)scanned_with_feedtypeGreenbone Community Feednvt1.3.6.1.4.1.25623.1.0.103739Host Scan EndEXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.11880ports135,139,445nvt1.3.6.1.4.1.25623.1.0.900239Check Open TCP PortsEXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.15571EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.11905EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.11903best_os_txtWindows 7 Professional 7601 Service Pack 1nvt1.3.6.1.4.1.25623.1.0.102011;SMB NativeLanManscanned_with_scanner11.0.1nvt1.3.6.1.4.1.25623.1.0.103739Host Scan EndEXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.14687EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.10927Closed CVECVE-2009-2526, CVE-2009-2532, CVE-2009-3103openvasmd1.3.6.1.4.1.25623.1.0.900965Microsoft Windows SMB2 Negotiation Protocol Remote Code Execution Vulnerability10.0Closed CVECVE-2010-0020, CVE-2010-0021, CVE-2010-0022, CVE-2010-0231openvasmd1.3.6.1.4.1.25623.1.0.902269Microsoft Windows SMB Server NTLM Multiple Vulnerabilities (971468)10.0Services135,tcp,epmap,A DCE endpoint resolution service seems to be running on this port.nvt1.3.6.1.4.1.25623.1.0.108044DCE/RPC and MSRPC Services EnumerationEXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.11901OScpe:/o:microsoft:windowsnvt1.3.6.1.4.1.25623.1.0.108044DCE/RPC and MSRPC Services EnumerationEXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.900965hostname_determination172.16.0.171,172.16.0.171,IP-addressnvt1.3.6.1.4.1.25623.1.0.108449Hostname Determination ReportingEXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.103674OScpe:/o:microsoft:windows_7:-:sp1nvt1.3.6.1.4.1.25623.1.0.102011SMB NativeLanManbest_os_cpecpe:/o:microsoft:windows_7:-:sp1nvt1.3.6.1.4.1.25623.1.0.102011;SMB NativeLanManEXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.10832EXIT_CODEEXIT_NOTVULNnvt1.3.6.1.4.1.25623.1.0.11881<scan_end>2020-05-29T00:33:45-03:00</scan_end>0<report_format></report_format>
TheGroundZero commented 4 years ago

If I find the time to do so, I'll install a fresh copy of OpenVAS/Greenbone Vulnerability Management and check what breaks.
This is a project I maintain in my spare time, and I'm not having a lot of that recently.

You are using GVM-11 from here, right? https://community.greenbone.net/t/about-the-greenbone-source-edition-gse-category/176

Also, I updated your post to use code tags, please check if this didn't affect the content.

meetgyn commented 4 years ago

Yes, I am using GVM11, as the openvas 9 version has ended its life cycle. We were forced to use Greenbone Vulnerability Management and comparing the xml files, the fields are different. If necessary, I can send a copy of each for future analysis. Thank you very much for your feedback

cybermonk3y commented 4 years ago

Hello, thank you so much for this and it helped me a lot in the past. With the Green Bone 11 with the latest scan when I am trying to generate xlsx format I am getting below error. Not sure what to do can you pleas take a look when you get chance ?

Traceback (most recent call last): File "openvasreporting.py", line 9, in from .libs.config import Config ImportError: attempted relative import with no known parent package

juanluisbaptiste commented 4 years ago

Hi @TheGroundZero , have you had time to look at this issue ? as OpenVAS 9 is now EOL since some time now I cannot even download NVTs updates, so moving to GVM 11 has become critical. For an easy install have you tried installing the GSM Trial version ? its a VM image that can be run on Virtualbox.

TheGroundZero commented 4 years ago

Hi all

I've been seriously lacking on support on this project, for which I want to apologise. If anyone is able to help me out on this, that'd be highly appreciated! Feel free to send in a PR.

In the meantime, I'll install the VM and will have to research what changed in the report files. I'm already getting lost in the different Greenbone solutions

moxli commented 3 years ago

@juanluisbaptiste

OpenVAS 9 is now EOL since some time now I cannot even download NVTs updates

In case you are looking for a workaround try the following: echo "45.135.106.142 feed.community.greenbone.net feed.openvas.org" >> /etc/hosts

It works for me :D it seems like they just shutdown the old domain.

juanluisbaptiste commented 3 years ago

@moxli thanks for this tip !!

austinsonger commented 3 years ago

@TheGroundZero Where would I start if I wanted to make this work with the newest version of OpenVAS?

TheGroundZero commented 3 years ago

@TheGroundZero Where would I start if I wanted to make this work with the newest version of OpenVAS?

To be honest, it's been a while since I've worked on this project.

I suppose the main issue is that the report format has changed. So the new format would have to be "reverse engineered" and the code modified to match it.

juanluisbaptiste commented 3 years ago

@TheGroundZero I think @austinsonger question was more about if you could give him a pointer on where start looking at the code to add support for the new XML format. That pointer would be helpful for anyone thinking on working on this.

TheGroundZero commented 3 years ago

@TheGroundZero I think @austinsonger question was more about if you could give him a pointer on where start looking at the code to add support for the new XML format. That pointer would be helpful for anyone thinking on working on this.

That would be here: https://github.com/TheGroundZero/openvasreporting/blob/0aa8d250435f9e2f390632c2af235d5497d3064e/openvasreporting/libs/parser.py#L57

Some knowledge of XPath is useful

github-actions[bot] commented 6 months ago

This issue has been marked as stale. There has been no activity on this issue for 30 days. In 14 days this issue will be closed.

github-actions[bot] commented 6 months ago

This issue has been stale for too long. It has been closed.