sensepost / gowitness

🔍 gowitness - a golang, web screenshot utility using Chrome Headless
GNU General Public License v3.0

Nessus Parser Misses Ports #171

Open mthbrown opened 1 year ago

mthbrown commented 1 year ago

Describe the bug

While using the nessus parser, I noticed that it missed a www service. I had 2 www in my .nessus file. It detected one while missing the other.

To Reproduce

Steps to reproduce the behavior:

  1. Perform a Basic Network Scan in Nessus
  2. Run:
gowitness nessus --file report.nessus

Expected behavior

It should have detected both of them.

Version Information:

$ gowitness version
gowitness: 2.4.2

git hash: c9c6b17
go version: go1.19_linux/amd64

Additional context

$ grep -i "www" report.nessus

<ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="10107" pluginName="HTTP Server Type and Version" pluginFamily="Web Servers">
<ReportItem port="11127" svc_name="www" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection" pluginFamily="Service detection">

The full report is available here.

catpipeless commented 1 year ago

I have this issue as well. I believe it is due to the plugin name not being "Service Detection"; possibly an issue with the plugin output as well. I cannot get gowitness to respect the replacement command arguments I provide, though.

leonjza commented 1 year ago

This is interesting. We're filtering based on the service name passed through as an option that defaults to www and https. I'd need to test this to debug what is happening.

catpipeless commented 1 year ago

I changed a bunch of the plugin names in the xml to "Service Detection" and got it to work more, but not completely.

quentinpraz commented 1 year ago

I'm facing the same issue. I did some troubleshooting and the parsing seems to be OK. With the --debug option, I can see that all ports are parsed (thanks to this debug line). However, I think that there is an issue when the ip:port are added to the target list here. I'm not proficient in Go, but I think that if an IP has multiple open ports, only the latest port will be stored in the target list (others will be overwritten because the map can only have one value per key). I'm not able to propose a pull request (due to my poor level in Go), but I hope this could help resolve the issue. [Edit: I tried finally]
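As an added, stand-alone Go example (not gowitness's own code): it parses a constructed, trimmed .nessus fragment with the same two www ReportItems as the grep output above, filters on svc_name www/https, and collects targets in a map keyed either by host or by host:port, reproducing the overwrite described in the last comment. The struct, constant and function names are assumptions for illustration.

```go
package main

import "encoding/xml"
import "fmt"

type nessusReport struct { // only the .nessus v2 attributes this issue is about
	Hosts []struct {
		Name  string `xml:"name,attr"`
		Items []struct {
			Port    int    `xml:"port,attr"`
			SvcName string `xml:"svc_name,attr"`
		} `xml:"ReportItem"`
	} `xml:"Report>ReportHost"`
}

// Constructed, trimmed report: one host with the two www ports from the grep output above, plus an ssh port that must be filtered out.
const sampleNessus = `<NessusClientData_v2><Report name="demo"><ReportHost name="10.0.0.5">
<ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="10107" pluginName="HTTP Server Type and Version" pluginFamily="Web Servers"/>
<ReportItem port="11127" svc_name="www" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection" pluginFamily="Service detection"/>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection" pluginFamily="Service detection"/></ReportHost></Report></NessusClientData_v2>`

// collectTargets keeps ReportItems with svc_name www or https (the thread's defaults) and dedups them in a map.
// Keyed by host alone, a later web port overwrites an earlier one (the bug reported here); keyed by host:port, both survive.
func collectTargets(raw string, keyByHost bool) (map[string]string, error) {
	var r nessusReport
	if err := xml.Unmarshal([]byte(raw), &r); err != nil {
		return nil, err
	}
	targets := map[string]string{} // dedup key -> host:port
	for _, h := range r.Hosts {
		for _, it := range h.Items {
			if it.SvcName != "www" && it.SvcName != "https" {
				continue
			}
			target := fmt.Sprintf("%s:%d", h.Name, it.Port)
			key := target
			if keyByHost {
				key = h.Name // one slot per host: the last port seen wins
			}
			targets[key] = target
		}
	}
	return targets, nil
}

func main() {
	lost, _ := collectTargets(sampleNessus, true)
	kept, _ := collectTargets(sampleNessus, false)
	fmt.Printf("keyed by host: %v\nkeyed by host:port: %v\n", lost, kept)
}
```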