These examples assume you're using my Get-TenablePluginOutput PowerShell function. You can load it from the web here:
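# Download the Get-TenablePluginOutput function and dot-source it into the current session.
# SECURITY: this runs whatever the URL serves at download time. The raw URL is not pinned to a
# gist revision, so the content can change between runs. Review the script first, then set
# $ExpectedSha256 to the hash of the copy you reviewed so that a changed or tampered download
# is refused instead of executed.
$Uri = 'https://gist.githubusercontent.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/Get-TenablePluginOutput.ps1'
# Placeholder: hex SHA-256 of the UTF-8 bytes of the reviewed script text. Empty skips the check.
$ExpectedSha256 = ''
# -UseBasicParsing avoids the Internet Explorer parsing dependency in Windows PowerShell.
$Content = Invoke-WebRequest -Uri $Uri -UseBasicParsing | Select-Object -ExpandProperty Content
if ($ExpectedSha256) {
    $Sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $HashBytes = $Sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Content))
    } finally {
        $Sha256.Dispose()
    }
    $ActualSha256 = -join ($HashBytes | ForEach-Object { $_.ToString('x2') })
    if ($ActualSha256 -ne $ExpectedSha256) {
        throw "Get-TenablePluginOutput.ps1 hash mismatch: expected $ExpectedSha256, got $ActualSha256. Not loading."
    }
} else {
    Write-Warning 'Loading Get-TenablePluginOutput.ps1 without an integrity check; set $ExpectedSha256 to pin a reviewed copy.'
}
. ([scriptblock]::Create($Content))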
Also assumes you've already set your working directory to one with some .nessus files in it. ;-)
# Plugin 10908: write the unique Domain Admins member names found across the .nessus files.
# Only "- <name>" bullet lines are kept, and the leading "- " is stripped before de-duplication.
# The resulting file lists privileged accounts, so store and share it accordingly.
Get-TenablePluginOutput -PluginID 10908 -Flatten |
    Where-Object { $_.PluginOutput -match '^-\s' } |
    ForEach-Object { ($_.PluginOutput -replace '^-\s').Trim() } |
    Sort-Object -Unique |
    Out-File .\xyz-tenable-10908-domain-admins.txt
# Plugin 10902: count how many systems each local Administrators member appears on.
# Entries matching 'Administrator (User)' are reduced to the text after the last backslash,
# so that entry groups as a single row across hosts instead of one row per machine prefix.
Get-TenablePluginOutput -PluginID 10902 -Flatten |
    Where-Object { $_.PluginOutput -match '^-\s' } |
    ForEach-Object {
        $Member = ($_.PluginOutput -replace '^-\s').Trim()
        if ($Member -match 'Administrator\s\(User\)') {
            $Member = $Member.Split('\')[-1]
        }
        [pscustomobject]@{
            IpAddress    = $_.IpAddress
            NetBiosName  = $_.NetBiosName
            PluginOutput = $Member
        }
    } |
    Group-Object -Property PluginOutput |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name, @{ Name = 'Systems'; Expression = { [string]($_.Group.NetBiosName -join ", ") } } |
    Export-Csv .\xyz-tenable-10902-local-admins.csv
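# Plugin 65791: list the portable devices recorded on each host, one CSV row per host.
# Every blank-line-separated section that mentions 'Friendly name' is parsed into
# "key : value" pairs and turned into exactly one record.
Get-TenablePluginOutput -PluginID 65791 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    ($_.PluginOutput -split "`n`n").Trim() | Where-Object { $_ -cmatch 'Friendly name' } | ForEach-Object {
        $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
        $EachOne = @{}
        $Lines | ForEach-Object {
            $Key = ($_ -split '\s:\s')[0].Trim()
            $Value = ($_ -split '\s:\s')[-1].Trim()
            # Keep the first value seen for a key; Hashtable.Add() raises an error on a repeat.
            if (-not $EachOne.ContainsKey($Key)) { $EachOne[$Key] = $Value }
        }
        # Emit the record once, after the whole section is parsed. Emitting inside the per-line
        # loop produced partial and repeated records, which inflated the per-host Count whenever
        # 'Device' was not the last line of a section.
        [pscustomobject][ordered]@{
            IpAddress = $IpAddress
            NetBiosName = $NetBiosName
            FriendlyName = $EachOne['Friendly name']
            Device = $EachOne['Device']
        }
    } | Where-Object { $_.Device }
} | Select-Object -Property IpAddress,NetBiosName,@{n='DeviceName';e={"$($_.FriendlyName) | $($_.Device)"}} |
    Group-Object -Property NetBiosName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,@{n='NetBiosName';e={$_.Name}},@{n='DeviceName';e={[string]($_.Group.DeviceName -join "`r`n")}} |
    Export-Csv .\xyz-tenable-65791-portable-devices.csv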
# Plugin 38689: report the last logged-on user per host.
# The value is whatever follows the final " : " separator on each matching output line.
Get-TenablePluginOutput -PluginID 38689 -Flatten |
    Where-Object { $_.PluginOutput -match '\s:\s' } |
    Select-Object -Property IpAddress, NetBiosName, @{
        Name       = 'LastLoggedOn'
        Expression = { ($_.PluginOutput -split '\s:\s')[-1].Trim() }
    } |
    Export-Csv .\xyz-tenable-38689-last-logged-on-user.csv
# Plugin 45590: count how many systems report each CPE string, most common first.
Get-TenablePluginOutput -PluginID 45590 -Flatten |
    Where-Object { $_.PluginOutput -match 'cpe:' } |
    Group-Object -Property PluginOutput |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name, @{ Name = 'Systems'; Expression = { [string]($_.Group.NetBiosName -join ', ') } } |
    Export-Csv .\xyz-tenable-45590-cpe.csv
# Plugin 10395: count how many systems expose each SMB share name, most common first.
# Share lines start with '-'; the "- " prefix is removed only in the final ShareName column.
Get-TenablePluginOutput -PluginID 10395 -Flatten |
    Where-Object { $_.PluginOutput -match '^-' } |
    Group-Object -Property PluginOutput |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ Name = 'ShareName'; Expression = { $_.Name -replace '^-\s' } },
        @{ Name = 'System'; Expression = { [string]($_.Group.NetBiosName -join ', ') } } |
    Export-Csv .\xyz-tenable-10395-smb-shares.csv
# Plugin 70329: count how many systems run each process name, most common first.
# Lines containing a '.' are kept; the process name is taken as the second-to-last
# space-separated token of each line.
Get-TenablePluginOutput -PluginID 70329 -Flatten |
    Where-Object { $_.PluginOutput -match '\.' } |
    Select-Object -Property IpAddress, NetBiosName, @{
        Name       = 'PluginOutput'
        Expression = { $_.PluginOutput.Split(' ')[-2] }
    } |
    Group-Object -Property PluginOutput |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ Name = 'ProcessName'; Expression = { $_.Name } },
        @{ Name = 'Systems'; Expression = { [string]($_.Group.NetBiosName -join ', ') } } |
    Export-Csv .\xyz-tenable-70329-windows-process-stats.csv
# Plugin 72684: build a de-duplicated user list (one row per SID) from every scan.
# Blank-line-separated sections containing 'SID' are parsed into "key : value" pairs.
Get-TenablePluginOutput -PluginID 72684 |
    ForEach-Object { $_.PluginOutput -split "`n`n" } |
    Where-Object { $_ -cmatch 'SID' } |
    Sort-Object -Unique |
    ForEach-Object {
        $Fields = @{}
        foreach ($Row in ($_ -split "`n")) {
            # Text before the first " : " is the key, text after the last " : " is the value.
            $Parts = @($Row.Trim() -split '\s:\s')
            $Fields.Add($Parts[0].Trim(), $Parts[-1].Trim())
        }
        [pscustomobject][ordered]@{
            Name = $Fields['Name']
            SID = $Fields['SID']
            Disabled = $Fields['Disabled']
            Lockout = $Fields['Lockout']
            ChangePassword = $Fields['Change password']
            Source = $Fields['Source']
        }
    } |
    Sort-Object -Property SID -Unique |
    Sort-Object -Property Name |
    Export-Csv .\xyz-tenable-72684-users.csv
# Plugin 92422: list mapped network drives per host.
# Only lines whose value starts with a UNC path (": \\") are kept; the drive letter is upper-cased.
Get-TenablePluginOutput -PluginID 92422 -Flatten |
    Where-Object { $_.PluginOutput -match ':\s\\\\' } |
    Select-Object -Property IpAddress, NetBiosName,
        @{ Name = 'DriveLetter'; Expression = { ($_.PluginOutput -split '\s:\s')[0].ToUpper() } },
        @{ Name = 'Path'; Expression = { ($_.PluginOutput -split '\s:\s')[-1] } } |
    Export-Csv .\xyz-tenable-92422-mapped-drives.csv
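# Plugin 140655: flatten the IIS site/binding inventory into one CSV row per binding.
# The output is split per site ('+ site name: '), then per binding ('+ binding'), and each
# binding's "key : value" lines are collected into a hashtable.
Get-TenablePluginOutput -PluginID 140655 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput = $_.PluginOutput -replace "^Nessus found the following sites configured on the remote host:`n"
    $_.PluginOutput -split '\+\ssite\sname:\s' | ForEach-Object {
        # The first line of each site chunk is the site name.
        $SiteName = ($_ -split "`n")[0]
        $_ -split '\+\sbinding' | Where-Object { $_ -match '\s:\s' } | ForEach-Object {
            $EachBinding = $_.Trim()
            $Lines = $EachBinding -split "`n" | Where-Object { $_ -match '\s:\s' } | ForEach-Object { $_.Trim() }
            $EachOne = @{}
            $Lines | ForEach-Object {
                $Key = ($_ -split '\s:\s')[0].Trim()
                $Value = ($_ -split '\s:\s')[-1].Trim()
                # Keep the first value seen for a key; Hashtable.Add() raises an error on a repeat.
                if (-not $EachOne.ContainsKey($Key)) { $EachOne[$Key] = $Value }
            }
            # Emit one record per binding, after all of its lines are parsed. Emitting inside the
            # per-line loop produced partial and repeated rows for the same binding.
            [pscustomobject][ordered]@{
                IpAddress = $IpAddress
                NetBiosName = $NetBiosName
                SiteName = $SiteName
                BindingIp = $EachOne['- IP address']
                BindingPort = $EachOne['- port']
                Domain = $EachOne['- domain']
                Protocol = $EachOne['- protocol']
            }
        }
    }
} | Where-Object { $_.Domain -and $_.Protocol } |
    Export-Csv .\xyz-tenable-140655-iis-bindings.csv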
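# Plugin 65057: list service paths whose files or directories are writable by the listed groups.
# Each blank-line-separated section containing 'Path : ' becomes one record. Only records that
# report write access or full control are exported.
Get-TenablePluginOutput -PluginID 65057 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -cmatch 'Path\s:\s' } | ForEach-Object {
        $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
        $EachOne = @{}
        $Lines | ForEach-Object {
            $Key = ($_ -split '\s:\s')[0].Trim()
            $Value = ($_ -split '\s:\s')[-1].Trim()
            # Keep the first value seen for a key. This replaces the earlier approach of setting
            # $ErrorActionPreference to SilentlyContinue around Hashtable.Add(), which hid every
            # error in the block and left the preference changed if the pipeline was interrupted.
            if (-not $EachOne.ContainsKey($Key)) { $EachOne[$Key] = $Value }
        }
        # Emit one record per path, after all of its lines are parsed, so a path with both
        # write and full-control findings yields a single complete row.
        [pscustomobject][ordered]@{
            IpAddress = $IpAddress
            NetBiosName = $NetBiosName
            Path = $EachOne['Path']
            UsedByServices = $EachOne['Used by services']
            WritePermissions = $EachOne['File write allowed for groups']
            FullControl = $EachOne['Full control of directory allowed for groups']
        }
    }
# The filter must test WritePermissions. The record has no 'Write' property, so the previous
# '$_.Write' test was always empty and dropped findings that reported only file write access.
} | Where-Object { $_.WritePermissions -or $_.FullControl } | Export-Csv .\xyz-tenable-65057-insecure-service-permissions.csv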
# Plugin 58181: show which DNS server sets are configured and on how many systems.
# The server list is the text after the last ':' on each 'NameServer:' line, normalised to
# a ", "-separated string so identical sets group together.
Get-TenablePluginOutput -PluginID 58181 -Flatten |
    Where-Object { $_.PluginOutput -match 'NameServer:' } |
    Select-Object -Property IpAddress, NetBiosName, @{
        Name       = 'DnsServers'
        Expression = { ($_.PluginOutput.Split(':')[-1].Trim().Replace(' ',',')).Replace(',',', ') }
    } |
    Group-Object -Property DnsServers |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ Name = 'DnsServers'; Expression = { $_.Name } },
        @{ Name = 'Systems'; Expression = { [string]($_.Group.NetBiosName -join ', ') } } |
    Export-Csv .\xyz-tenable-58181-configured-dns-server-variance.csv
# Plugin 51187: one row per encryptable volume with its BitLocker protection status and size.
Get-TenablePluginOutput -PluginID 51187 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    # Strip surrounding whitespace and the fixed introductory sentence before splitting.
    $_.PluginOutput = $_.PluginOutput.Trim()
    $_.PluginOutput = $_.PluginOutput -replace "^Here is a list of encryptable volumes available on the remote system :`n"
    $_.PluginOutput -split '\+\sDriveLetter\s' | Where-Object { $_ -match ':' } | ForEach-Object {
        $Volume = $_
        # The first line of each chunk is what followed '+ DriveLetter '.
        $DriveLetter = ($Volume -split "`n")[0]
        $Fields = @{}
        foreach ($Row in ($Volume -split "`n")) {
            # Only "key : value" lines carry data.
            if ($Row -notmatch '\s:\s') { continue }
            $Parts = @($Row.Trim() -split '\s:\s')
            $Fields.Add($Parts[0].Trim(), $Parts[-1].Trim())
        }
        # Status is the last word of the status value; size is the leading number of the size value.
        $ProtectionStatus = ($Fields['- Protection Status']).Split(' ')[-1]
        $SizeGB = [decimal]($Fields['- Size']).Split(' ')[0]
        [pscustomobject][ordered]@{
            IpAddress = $IpAddress
            NetBiosName = $NetBiosName
            DriveLetter = $DriveLetter
            ProtectionStatus = $ProtectionStatus
            SizeGB = $SizeGB
        }
    }
} | Export-Csv .\xyz-tenable-51187-bitlocker.csv
Also, if you're just looking for some high-level stats, re-run the above after replacing...
Export-Csv .\xyz-tenable-51187-bitlocker.csv
with...
Group-Object -Property ProtectionStatus | Sort-Object -Property Count -Descending | Select-Object -Property @{n='VolumeCount';e={$_.Count}},@{n='BitLockerStatus';e={if ($_.Name -match 'Off') {'Unencrypted'} elseif ($_.Name -match 'On') {'Encrypted'}}},@{n='TotalData(GB)';e={($_.Group | Measure-Object -Property SizeGB -Sum).Sum}}
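# Plugin 44401: count how many systems run each service executable path, most common first.
# Each blank-line-separated section mentioning 'Executable' is parsed into "key : value" pairs
# and becomes exactly one record.
Get-TenablePluginOutput -PluginID 44401 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -match 'Executable' } | ForEach-Object {
        $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
        $EachOne = @{}
        $Lines | ForEach-Object {
            $Key = ($_ -split '\s:\s')[0].Trim()
            $Value = ($_ -split '\s:\s')[-1].Trim()
            # Keep the first value seen for a key; Hashtable.Add() raises an error on a repeat.
            if (-not $EachOne.ContainsKey($Key)) { $EachOne[$Key] = $Value }
        }
        # Emit one record per service, after all of its lines are parsed. Emitting inside the
        # per-line loop could repeat a service once both filter fields were set, inflating the
        # Count and the Systems list.
        [pscustomobject][ordered]@{
            IpAddress = $IpAddress
            NetBiosName = $NetBiosName
            DisplayName = $EachOne['Display name']
            ServiceName = $EachOne['Service name']
            LogOnAs = $EachOne['Log on as']
            ExecutablePath = $EachOne['Executable path']
        }
    }
} | Where-Object { $_.ExecutablePath -and $_.ServiceName } |
    Group-Object -Property ExecutablePath |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{n='DisplayName';e={$_.Group[0].DisplayName}},
        @{n='ExecutablePath';e={$_.Name}},
        @{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} |
    Export-Csv .\xyz-tenable-44401-service-config.csv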
# Plugin 60119: flatten SMB share permissions into one CSV row per access-control entry (ACE).
# Sections are separated by blank lines; only sections mentioning 'Share path' are parsed.
# The CSV shows which principals can read, write or execute on which share, so treat it as sensitive.
Get-TenablePluginOutput -PluginID 60119 | ForEach-Object {
$IpAddress = $_.IpAddress
$NetBiosName = $_.NetBiosName
$_.PluginOutput -split "`n`n" |
Where-Object { $_ -match 'Share\spath' } | ForEach-Object {
$ShareAccess = $_.Trim()
# Lines 0 and 1 of the section are read positionally; the value is the text after the LAST ':'.
# NOTE(review): if the second line holds a drive-letter path such as 'C:\...', Split(':')[-1]
# would drop the drive letter. Confirm against real plugin output.
$ShareName = ($ShareAccess -split "`n")[0].Split(':')[-1].Trim()
$LocalPath = ($ShareAccess -split "`n")[1].Split(':')[-1].Trim()
# Everything after the first two lines is treated as the ACL text, split into ACEs on '[*] '.
$ShareACL = ($ShareAccess -split "`n" | Select-Object -Skip 2) -join "`r`n"
$ShareACL -split '\[\*]\s' |
Where-Object { $_ -match '\sACE\sfor\s' } | ForEach-Object {
$Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
$EachOne = @{}
$Lines | ForEach-Object {
# Key is the text before the first ': ', value the text after the last ': '.
$Key = ($_ -split ':\s')[0].Trim()
$Value = ($_ -split ':\s')[-1].Trim()
$EachOne.Add($Key,$Value)
}
# The ACE header line supplies: first word = access type, text between ' ACE for ' and the
# next ':' = principal, text after the last ':' = the hex access mask.
$AccessType = $Lines[0].Split(' ')[0].Trim()
$Principal = ($Lines[0] -split '\sACE\sfor\s')[-1].Split(':')[0].Trim()
$HexACL = $Lines[0].Split(':')[-1].Trim()
[pscustomobject][ordered]@{
IpAddress = $IpAddress
NetBiosName = $NetBiosName
ShareName = $ShareName
LocalPath = $LocalPath
AccessType = $AccessType
Principal = $Principal
HexACL = $HexACL
Read = $EachOne['FILE_GENERIC_READ']
Write = $EachOne['FILE_GENERIC_WRITE']
Execute = $EachOne['FILE_GENERIC_EXECUTE']
}
}
}
} | Export-Csv .\xyz-tenable-60119-share-access.csv
# Plugin 16193: one row per detected antivirus product with its version and signature details.
# Blank-line-separated sections containing 'Product name' are parsed into "key : value" pairs.
Get-TenablePluginOutput -PluginID 16193 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" |
        Where-Object { $_ -match 'Product\sname' } |
        ForEach-Object { $_.Trim() } |
        ForEach-Object {
            $Fields = @{}
            foreach ($Row in ($_ -split "`n")) {
                # Text before the first " : " is the key, text after the last " : " is the value.
                $Parts = @($Row.Trim() -split '\s:\s')
                $Fields.Add($Parts[0].Trim(), $Parts[-1].Trim())
            }
            [pscustomobject][ordered]@{
                IpAddress = $IpAddress
                NetBiosName = $NetBiosName
                ProductName = $Fields['Product name']
                Path = $Fields['Path']
                Version = $Fields['Version']
                EngineVersion = $Fields['Engine version']
                AntiVirusSigVersion = $Fields['Antivirus signature version']
                AntiSpywareSigVersion = $Fields['Antispyware signature version']
            }
        }
} | Export-Csv .\xyz-tenable-16193-antivirus-software-check.csv
# Plugin 34220: list each open port and protocol per host.
# Empty lines and the 'Nessus was able to find' summary line are skipped. The second
# space-separated token is expected to look like "<port>/<protocol>".
Get-TenablePluginOutput -PluginID 34220 -Flatten |
    Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Nessus was able to find' } |
    Select-Object -Property IpAddress, NetBiosName,
        @{ Name = 'Port'; Expression = { $_.PluginOutput.Split(' ')[1].Split('/')[0].Trim() } },
        @{ Name = 'Protocol'; Expression = { $_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim() } } |
    Export-Csv .\xyz-tenable-34220-netstat-portscanner-wmi.csv
# Plugin 50859: one row per host with its WSUS server and Windows Update client settings.
# When reviewing the CSV, note that a WsusServer value starting with http:// rather than
# https:// means the client talks to WSUS without TLS.
Get-TenablePluginOutput -PluginID 50859 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    # Non-empty output lines, trimmed.
    $Rows = $_.PluginOutput -split "`n" | Where-Object { $_ } | ForEach-Object { $_.Trim() }
    # The WSUS server is the line (or lines) that start with 'http'.
    $WsusServer = $Rows | Where-Object { $_ -match '^http' }
    $Settings = @{}
    $Rows | ForEach-Object {
        # Text before the first " : " is the key, text after the last " : " is the value.
        $Parts = @($_ -split '\s:\s')
        $Settings.Add($Parts[0].Trim(), $Parts[-1].Trim())
    }
    [pscustomobject][ordered]@{
        IpAddress = $IpAddress
        NetBiosName = $NetBiosName
        WsusServer = $WsusServer
        ElevateNonAdmins = $Settings['ElevateNonAdmins']
        TargetGroup = $Settings['TargetGroup']
        AUOptions = $Settings['AUOptions']
        AutoInstallMinorUpdates = $Settings['AutoInstallMinorUpdates']
        DetectionFrequency = $Settings['DetectionFrequency']
        NoAutoRebootWithLoggedOnUsers = $Settings['NoAutoRebootWithLoggedOnUsers']
        NoAutoUpdate = $Settings['NoAutoUpdate']
        ScheduledInstallDay = $Settings['ScheduledInstallDay']
        ScheduledInstallTime = $Settings['ScheduledInstallTime']
    }
} | Export-Csv .\xyz-tenable-50859-wsus-client-settings.csv
# Plugin 11219: list each open port and protocol per host.
# Empty lines and any 'Nessus was able to find' summary line are skipped. The second
# space-separated token is expected to look like "<port>/<protocol>".
Get-TenablePluginOutput -PluginID 11219 -Flatten |
    Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Nessus was able to find' } |
    Select-Object -Property IpAddress, NetBiosName,
        @{ Name = 'Port'; Expression = { $_.PluginOutput.Split(' ')[1].Split('/')[0].Trim() } },
        @{ Name = 'Protocol'; Expression = { $_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim() } } |
    Export-Csv .\xyz-tenable-11219-syn-scanner.csv
# Plugin 66350: one row per remembered wireless network (SSID) per host.
# Blank-line-separated sections containing 'SSID : ' are parsed into "key : value" pairs.
Get-TenablePluginOutput -PluginID 66350 | ForEach-Object {
$IpAddress = $_.IpAddress
$NetBiosName = $_.NetBiosName
$_.PluginOutput -split "`n`n" | Where-Object { $_ -cmatch 'SSID\s:\s' } |
ForEach-Object { $_.Trim() } |
ForEach-Object {
$Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
$EachOne = @{}
# Errors are silenced from here until the preference is restored at the end of this script block.
# That covers repeated keys passed to Add() and date values that fail the [datetime] cast.
# NOTE(review): the saved preference is restored only if execution reaches the last line of the
# block; an interrupted run may leave the session at SilentlyContinue. Confirm this is acceptable.
$ErrorActionPreferenceBak = $ErrorActionPreference
$ErrorActionPreference = [System.Management.Automation.ActionPreference]::SilentlyContinue
$Lines | ForEach-Object {
# Text before the first " : " is the key, text after the last " : " is the value.
$Key = ($_ -split '\s:\s')[0].Trim()
$Value = ($_ -split '\s:\s')[-1].Trim()
$EachOne.Add($Key,$Value)
}
[pscustomobject][ordered]@{
IpAddress = $IpAddress
NetBiosName = $NetBiosName
SSID = $EachOne['SSID']
DefaultGatewayMac = $EachOne['DefaultGatewayMac']
DnsSuffix = $EachOne['DnsSuffix']
SecurityMode = $EachOne['Security Mode']
Encryption = $EachOne['Encryption']
# Dates are re-rendered with the 's' (sortable) format specifier.
DateCreated = $(([datetime]$($EachOne['DateCreated'])).GetDateTimeFormats('s'))
DateLastConnected = $(([datetime]$($EachOne['DateLastConnected'])).GetDateTimeFormats('s'))
}
$ErrorActionPreference = $ErrorActionPreferenceBak
}
} | Export-Csv .\xyz-tenable-66350-wifi-history.csv
# Plugin 92373: summarise SMB sessions per computer, with the most distinct sessions first.
# Empty lines and the 'Extended SMB session information attached.' notice are skipped.
Get-TenablePluginOutput -PluginID 92373 -Flatten |
    Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Extended SMB session information attached.' } |
    Group-Object -Property NetBiosName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property @{ Name = 'Count'; Expression = { ($_.Group.PluginOutput | Sort-Object -Unique).Count } },
        @{ Name = 'ComputerName'; Expression = { $_.Name } },
        @{ Name = 'IpAddress'; Expression = { $_.Group.IpAddress[0] } },
        @{ Name = 'SMB Sessions'; Expression = { [string](($_.Group.PluginOutput | Sort-Object -Unique) -join ', ') } } |
    Sort-Object -Property Count -Descending |
    Export-Csv .\xyz-tenable-92373-smb-sessions.csv