@jasonadsit
Last active March 1, 2022 15:52
Get-TenablePluginOutput
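function Get-TenablePluginOutput {
    <#
    .SYNOPSIS
    Parses Nessus XML (.nessus) files for a specific PluginID's output
    .DESCRIPTION
    Resolves every -Path entry (a file must end in .nessus; a folder is searched
    recursively for *.nessus), loads each report and emits one object per ReportHost
    that has a ReportItem whose pluginID equals -PluginID.

    Reports are read with DTD processing prohibited and no XML resolver, so a file
    that carries a DOCTYPE is reported with Write-Error and skipped instead of being
    expanded. A file that cannot be opened or parsed is handled the same way.
    .EXAMPLE
    Get-TenablePluginOutput -Path \\path\to\folder -PluginID 92438
    Gets PluginOutput for PluginID 92438 from all *.nessus files under \\path\to\folder
    .PARAMETER PluginID
    The Tenable PluginID to extract PluginOutput from
    .PARAMETER Flatten
    Switch to split the PluginOutput by "`n"/NewLine
    .PARAMETER IncludeMacAddress
    Switch to include the MacAddress
    .PARAMETER Path
    Paths to operate on. Accepts files as well as folders
    .INPUTS
    System.Object
    .OUTPUTS
    System.Object
    .NOTES
    #######################################################################################
    Author: State of Oregon, EIS, CSS, Cybersecurity Assessment Team
    Version: 1.1
    #######################################################################################
    License: https://unlicense.org/UNLICENSE
    #######################################################################################
    Handling: IpAddress, NetBiosName, MacAddress and PluginOutput are copied verbatim
    from the report. PluginOutput is text gathered from the scanned hosts, so treat it
    as untrusted data wherever it is exported or rendered afterwards.
    .LINK
    https://github.com/orgs/stateoforegon-eis-css/teams/cybersecurity-assessors
    .FUNCTIONALITY
    Parses Nessus XML (.nessus) files for a specific PluginID's output
    #>
    [CmdletBinding()]
    param (
        [parameter(Position=0)]
        [string]
        $PluginID,
        [parameter(Position=1)]
        [switch]
        $Flatten,
        [parameter(Position=2)]
        [switch]
        $IncludeMacAddress,
        [parameter(Position=3,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True)]
        [Alias('PSPath','FullName')]
        [string[]]
        $Path
    ) #param
    begin {
        # Fall back to the current location when -Path was not passed as an argument
        if (-not $PSBoundParameters.ContainsKey('Path')) {
            $Path = Get-Location
        } #if
    } #begin
    process {
        $Path | ForEach-Object {
            $EachPath = $_ | Get-Item
            if (-not $EachPath.PSIsContainer) {
                # A single file only counts when its name ends in .nessus
                $NessusFile = $EachPath | Where-Object { $_.Name -match '\.nessus$' }
            } elseif ($EachPath.PSIsContainer) {
                $NessusFile = $EachPath | Get-ChildItem -Recurse -Filter *.nessus
            }
            $NessusFile | ForEach-Object {
                $ReportFullName = $_.FullName
                $ReportXml = New-Object -TypeName Xml
                $ReportXml.XmlResolver = $null
                # Reset per file: these variables survive from the previous iteration
                $Stream = $null
                $Reader = $null
                try {
                    # Set the parser limits explicitly instead of relying on the
                    # defaults of whichever .NET runtime hosts this session: a report
                    # has no use for a DTD, so refuse one outright.
                    $Stream = [System.IO.File]::OpenRead($ReportFullName)
                    $Reader = New-Object -TypeName System.Xml.XmlTextReader -ArgumentList $Stream
                    $Reader.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
                    $Reader.XmlResolver = $null
                    $ReportXml.Load($Reader)
                } catch {
                    # One bad report must not stop the remaining files
                    Write-Error -Message "Skipping '$ReportFullName': $($_.Exception.Message)"
                    return
                } finally {
                    if ($null -ne $Reader) { $Reader.Close() }
                    if ($null -ne $Stream) { $Stream.Dispose() }
                }
                $ReportXml.SelectNodes('//NessusClientData_v2/Report/ReportHost') |
                    Where-Object {
                        # A ReportHost without any ReportItem has nothing to call
                        # GetAttribute on, so test for that first
                        ($null -ne $_.ReportItem) -and
                        ($_.ReportItem.GetAttribute('pluginID') -eq $PluginID)
                    }
                Clear-Variable -Name ReportXml
                [gc]::Collect()
            } | ForEach-Object {
                # Index the host's tags by name and its report items by pluginID
                $Tags = $_.HostProperties.tag | Group-Object -Property name -AsHashTable
                $ReportItems = $_.ReportItem | Group-Object -Property pluginID -AsHashTable
                $IpAddress = $Tags['host-ip'].'#text'
                $NetBiosName = $Tags['netbios-name'].'#text'
                $MacAddress = $Tags['mac-address'].'#text'
                if (-not $Flatten) {
                    # One row per host, plugin_output passed through unchanged
                    $Row = [ordered]@{
                        IpAddress = $IpAddress
                        NetBiosName = $NetBiosName
                    }
                    if ($IncludeMacAddress) { $Row['MacAddress'] = $MacAddress }
                    $Row['PluginOutput'] = $ReportItems[$PluginID].plugin_output
                    [pscustomobject]$Row
                } else {
                    # One row per trimmed line of plugin_output
                    $ReportItems[$PluginID].plugin_output -split "`n" | ForEach-Object {
                        $Row = [ordered]@{
                            IpAddress = $IpAddress
                            NetBiosName = $NetBiosName
                        }
                        if ($IncludeMacAddress) { $Row['MacAddress'] = $MacAddress }
                        $Row['PluginOutput'] = $_.Trim()
                        [pscustomobject]$Row
                    } #ForEach-Object line
                } #if $Flatten
                Clear-Variable -Name Tags
                Clear-Variable -Name ReportItems
                [gc]::Collect()
            } #ForEach-Object ReportHost
        } #ForEach-Object $Path
    } #process
    end {
    } #end
} #function Get-TenablePluginOutput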
@jasonadsit

jasonadsit commented Jan 12, 2021

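# Turns plugin 72684 output into one object per distinct SID.
# Records are separated by a blank line; only records mentioning 'SID' are parsed.
# Field values come from the scanned hosts, so treat them as untrusted text.
Get-TenablePluginOutput -PluginID 72684 |
ForEach-Object { $_.PluginOutput -split "`n`n" } |
Where-Object { $_ -cmatch 'SID' } |
Sort-Object -Unique | ForEach-Object {
    $EachOne = @{}
    $_ -split "`n" | ForEach-Object {
        # Split on the first ' : ' only, so a value that itself contains ' : '
        # is kept whole instead of being cut down to its last piece
        $Pair = $_.Trim() -split '\s:\s', 2
        $Key = $Pair[0].Trim()
        # First occurrence wins; a repeated key no longer makes Add() throw
        if (-not $EachOne.ContainsKey($Key)) {
            $EachOne[$Key] = $Pair[-1].Trim()
        }
    }
    [pscustomobject][ordered]@{
        Name = $EachOne['Name']
        SID = $EachOne['SID']
        Disabled = $EachOne['Disabled']
        Lockout = $EachOne['Lockout']
        ChangePassword = $EachOne['Change password']
        Source = $EachOne['Source']
    }
} | Sort-Object -Property SID -Unique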

@jasonadsit

jasonadsit commented Jan 12, 2021

# Counts how often each flattened line of plugin 58452 output occurs across hosts,
# most frequent first. Only lines containing ' - ' are counted.
Get-TenablePluginOutput -PluginID 58452 -Flatten |
    Where-Object -FilterScript { $_.PluginOutput -match '\s-\s' } |
    Group-Object -Property PluginOutput |
    Sort-Object -Property Count -Descending |
    Select-Object -Property @(
        'Count'
        @{ Name = 'StartupItem'; Expression = { $_.Name } }
    )

@jasonadsit

jasonadsit commented Jan 12, 2021

# Parses plugin 96533 output into one object per record, then counts records by Name.
# A record is a blank-line separated chunk containing a 'Name' line indented by four
# whitespace characters; its first five lines are read positionally.
Get-TenablePluginOutput -PluginID 96533 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" |
        Where-Object { $_ -match '\s\s\s\sName' } |
        ForEach-Object {
            $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
            # Each field is whatever follows the last ' : ' on its line
            [pscustomobject][ordered]@{
                IpAddress = $IpAddress
                NetBiosName = $NetBiosName
                Name = ($Lines[0] -split "\s:\s")[-1]
                Description = ($Lines[1] -split "\s:\s")[-1]
                Version = ($Lines[2] -split "\s:\s")[-1]
                UpdateDate = ($Lines[3] -split "\s:\s")[-1]
                Path = ($Lines[4] -split "\s:\s")[-1]
            }
        }
} | Group-Object -Property Name |
    Sort-Object -Property Count -Descending |
    Select-Object -Property @(
        'Count'
        @{ Name = 'ChromePlugin'; Expression = { $_.Name } }
    )

@jasonadsit

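# Turns plugin 10736 output into one object per record that mentions 'UUID'.
# Records are separated by a blank line. Field values come from the scanned hosts,
# so treat them as untrusted text.
Get-TenablePluginOutput -PluginID 10736 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -cmatch 'UUID' } | ForEach-Object {
        $EachOne = @{}
        $_ -split "`n" | ForEach-Object {
            # Split on the first ' : ' only so the value is kept whole
            $Pair = $_.Trim() -split '\s:\s', 2
            $Key = $Pair[0].Trim()
            # First occurrence wins; a repeated key no longer makes Add() throw
            if (-not $EachOne.ContainsKey($Key)) {
                $EachOne[$Key] = $Pair[-1].Trim()
            }
        }
        # Emit once per record, after every line has been read. Emitting inside the
        # line loop produced one partly filled object per line.
        [pscustomobject][ordered]@{
            IpAddress = $IpAddress
            NetBiosName = $NetBiosName
            ObjectUUID = $EachOne['Object UUID']
            UUID = $EachOne['UUID']
            Description = $EachOne['Description']
            WindowsProcess = $EachOne['Windows process']
            Type = $EachOne['Type']
            TcpPort = $EachOne['TCP Port']
            IP = $EachOne['IP']
        }
    }
}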

@jasonadsit

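# Turns plugin 44401 output into one object per record that mentions 'Executable'.
# Records are separated by a blank line. Field values come from the scanned hosts,
# so treat them as untrusted text.
Get-TenablePluginOutput -PluginID 44401 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -match 'Executable' } | ForEach-Object {
        $EachOne = @{}
        $_ -split "`n" | ForEach-Object {
            # Split on the first ' : ' only so the value is kept whole
            $Pair = $_.Trim() -split '\s:\s', 2
            $Key = $Pair[0].Trim()
            # First occurrence wins; a repeated key no longer makes Add() throw
            if (-not $EachOne.ContainsKey($Key)) {
                $EachOne[$Key] = $Pair[-1].Trim()
            }
        }
        # Emit once per record, after every line has been read. Emitting inside the
        # line loop produced one partly filled object per line.
        [pscustomobject][ordered]@{
            IpAddress = $IpAddress
            NetBiosName = $NetBiosName
            DisplayName = $EachOne['Display name']
            ServiceName = $EachOne['Service name']
            LogOnAs = $EachOne['Log on as']
            ExecutablePath = $EachOne['Executable path']
        }
    }
}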

@jasonadsit

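# Lists the 'NameServer:' value from plugin 58181 output per host, with the commas
# in the value replaced by spaces.
Get-TenablePluginOutput -PluginID 58181 -Flatten |
Where-Object { $_.PluginOutput -match 'NameServer:' } |
Select-Object -Property IpAddress,
                        NetBiosName,
                        @{
                            n='DnsServers';
                            e={
                                # Take everything after the 'NameServer:' label.
                                # Split(':')[-1] kept only the text after the last
                                # colon, which cuts short any value that itself
                                # contains ':' (an IPv6 address, for instance).
                                ($_.PluginOutput -split 'NameServer:', 2)[-1].Trim().Replace(',',' ')
                            }
                        }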

@jasonadsit

jasonadsit commented Jan 14, 2021

# Emits one object per ReportItem with pluginID 21156, read from every *.nessus file
# in the current directory.
# NOTE(review): how Select-Xml treats a DOCTYPE is not visible here; confirm it before
# running this against reports that did not come from your own scanners.
$PluginID = '21156'
Get-ChildItem -Filter *.nessus |
    Select-Xml -XPath '//NessusClientData_v2/Report/ReportHost' |
    ForEach-Object { $_.Node } |
    Where-Object { $_.ReportItem.GetAttribute('pluginID') -eq $PluginID } |
    ForEach-Object {
        # Index the host's tags by name and its report items by pluginID
        $Tags = $_.HostProperties.tag | Group-Object -Property name -AsHashTable
        $ReportItems = $_.ReportItem | Group-Object -Property pluginID -AsHashTable
        $IpAddress = $Tags['host-ip'].'#text'
        # Short host name: the part of host-fqdn before the first dot
        $ComputerName = $Tags['host-fqdn'].'#text' -split '\.' | Select-Object -First 1
        $ReportItems[$PluginID] | ForEach-Object {
            # One reference per line, with a trailing line break
            $Reference = (($_.'compliance-reference' -split ',') -join "`r`n") + "`r`n"
            [pscustomobject][ordered]@{
                IpAddress = $IpAddress
                ComputerName = $ComputerName
                CheckName = $_.'compliance-check-name'
                Result = $_.'compliance-result'
                Reference = $Reference
                Solution = $_.'compliance-solution'
            }
        }
    }
