Support this project (to solve issues, add new features...) by using the GitHub "Sponsor" button.
What's OpenVAS2Report?
The idea is very simple:
1. Take an OpenVAS report, in its horrible XML format.
2. Convert it into a beautiful Excel file, ready to give to your boss.
Why?
I'm a security auditor and I really hate converting an OpenVAS XML report into an Excel document. This is work for a monkey, not for a human! (Yes: security auditors are humans too. I know, I know. It's incredible.)
So I started to develop this project and thought I'd share it to help other auditors who also hate doing a monkey's work.
OpenVAS2Report in two words
This package is composed of 2 tools:
openvas_to_document: This is the main program. You can use it to generate the Excel file.
openvas_cutter: This is a facility to filter and crop some information from an OpenVAS XML report.
as a library: Also, you can use the tool as a library and import it in your own code. It has a BSD license. Feel free to use it!
A picture is worth a 1000 words
From XML. Using openvas_to_document you can obtain this Excel file:
Future
I don't have enough time right now, but in the future I'll write the module to export the results to Word.
Bugs and errors
If you find any bugs, please open a ticket using GitHub issues. And if you send me a patch, I'll be very happy :)
And if you want to help me... A beer may be a great idea :)
The following error was experienced using GSM Community Edition Version: 4.0.5 VM (corresponds to OpenVAS-9):
root@gsm:~# openvas_to_report -i report-_guid_.xml -o openvas.xlsx
Traceback (most recent call last):
File "/usr/local/bin/openvas_to_report", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.4/dist-packages/openvas_to_report/openvas_to_document.py", line 65, in main
convert(config)
File "/usr/local/lib/python3.4/dist-packages/openvas_to_report/api.py", line 266, in convert
export_to_excel(openvas_info, output_file, lang)
File "/usr/local/lib/python3.4/dist-packages/openvas_to_report/libs/exporters/excel.py", line 76, in export_to_excel
_export_generic_format(output_file_name, vuln_info, lang)
File "/usr/local/lib/python3.4/dist-packages/openvas_to_report/libs/exporters/excel.py", line 232, in _export_generic_format
w1 = workbook.add_worksheet(name)
File "/usr/local/lib/python3.4/dist-packages/xlsxwriter/workbook.py", line 171, in add_worksheet
return self._add_sheet(name, is_chartsheet=False)
File "/usr/local/lib/python3.4/dist-packages/xlsxwriter/workbook.py", line 635, in _add_sheet
name = self._check_sheetname(name, is_chartsheet)
File "/usr/local/lib/python3.4/dist-packages/xlsxwriter/workbook.py", line 695, in _check_sheetname
sheetname)
Exception: Invalid Excel character '[]:*?/\' in sheetname 'MySQL / MariaDB weak password'
Perhaps OpenVAS-8's vulnerability names didn't include special characters?
Bringing in the re module and replacing the offending characters seems a reasonable hotfix that shouldn't break backward compatibility.
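A sketch of the hotfix described above, added here as an example and not taken from the project or from the reporter. Besides replacing the characters named in the exception, it handles two further Excel rules that vulnerability titles run into: the 31-character limit on sheet names and case-insensitive uniqueness. The function name `safe_sheet_name` and the `used` set are assumptions.

```python
import re

# The character set quoted in the xlsxwriter exception: [ ] : * ? / \
_INVALID = re.compile(r"[\[\]:*?/\\]")
_MAX_LEN = 31  # Excel's limit on worksheet name length


def safe_sheet_name(title, used):
    """Return a worksheet name Excel accepts that is not already in `used`.

    `used` is a set of lower-cased names handed out so far. Excel compares
    sheet names case-insensitively, so the set is keyed the same way.
    """
    name = _INVALID.sub("_", title)
    name = re.sub(r"\s+", " ", name)
    # Truncate first, then trim: a name may not start or end with an
    # apostrophe, and truncation can expose one (or a trailing space).
    name = name[:_MAX_LEN].strip(" '") or "Sheet"

    candidate, n = name, 1
    while candidate.lower() in used:
        # Two long titles can share the same 31-character prefix; make room
        # for a numeric suffix instead of letting the workbook writer fail.
        n += 1
        suffix = " (%d)" % n
        candidate = name[:_MAX_LEN - len(suffix)].rstrip() + suffix
    used.add(candidate.lower())
    return candidate


if __name__ == "__main__":
    seen = set()
    # The two titles from the exceptions reported on this page.
    for title in ("MySQL / MariaDB weak password",
                  "SSL/TLS: Certificate Expired"):
        print(repr(safe_sheet_name(title, seen)))
```

The returned name is what would be passed to `workbook.add_worksheet(name)`; the full vulnerability title can still be written into a cell so nothing is lost to truncation.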
The following error was experienced using GSM Community Edition Version: 4.0.5 VM (corresponds to OpenVAS-9):
root@gsm:~# openvas_to_report -i report-_guid_.xml -o openvas.xlsx
Traceback (most recent call last):
File "/usr/local/bin/openvas_to_report", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.4/dist-packages/openvas_to_report/openvas_to_document.py", line 65, in main
convert(config)
File "/usr/local/lib/python3.4/dist-packages/openvas_to_report/api.py", line 248, in convert
openvas_info = openvas_parser(config.input_files, excluded_hosts=excluded_hosts, scope_hosts=scope_hosts)
File "/usr/local/lib/python3.4/dist-packages/openvas_to_report/libs/parsers/openvas_parser.py", line 185, in openvas_parser
vuln_description = vuln.find(".//description").text
AttributeError: 'NoneType' object has no attribute 'text'
root@gsm:~# openvas_to_report -i report-02a09a8c-ab70-4246-b13c-9930fb890530.xml -o openvas.xlsx
Traceback (most recent call last):
File "/usr/local/bin/openvas_to_report", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.4/dist-packages/openvas_to_report/openvas_to_document.py", line 65, in main
convert(config)
File "/usr/local/lib/python3.4/dist-packages/openvas_to_report/api.py", line 248, in convert
openvas_info = openvas_parser(config.input_files, excluded_hosts=excluded_hosts, scope_hosts=scope_hosts)
File "/usr/local/lib/python3.4/dist-packages/openvas_to_report/libs/parsers/openvas_parser.py", line 185, in openvas_parser
vuln_description = vuln.find(".//description").text
AttributeError: 'NoneType' object has no attribute 'text'
Reviewing the generated XML, there is no <description> tag. It appears that everything is now lumped into a <tags> tag which contains several unordered pipe-delimited key-value pairs. Two examples follow:
cvss_base_vector=AV:N/AC:L/Au:N/C:N/I:P/A:N|insight=This script checks expiry dates of certificates associated with SSL/TLS-enabled services on the target and reports whether any have already expired.|solution=Replace the SSL/TLS certificate by a new one.|summary=The remote server's SSL/TLS certificate has already expired.|solution_type=Mitigation|qod_type=remote_app
cvss_base_vector=AV:N/AC:H/Au:N/C:P/I:N/A:N|summary=The remote host implements TCP timestamps and therefore allows to compute
the uptime.|vuldetect=Special IP packets are forged and sent with a little delay in between to the
target IP. The responses are searched for a timestamps. If found, the timestamps are reported.|solution=To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.
To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'
Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.
The default behavior of the TCP/IP stack on this Systems is to not use the
Timestamp options when initiating TCP connections, but use them if the TCP peer
that is initiating communication includes them in their synchronize (SYN) segment.
See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152|affected=TCP/IPv4 implementations that implement RFC1323.|insight=The remote host implements TCP timestamps, as defined by RFC1323.|impact=A side effect of this feature is that the uptime of the remote
host can sometimes be computed.|solution_type=Mitigation|qod_type=remote_banner
Replacing "description" with "tags" at openvas_parser.py:185 gets past this issue, but a proper fix will involve some string manipulation (which I might do but I'd want to compare XML and XLSX output from OpenVAS-8 first to ensure I'm retrieving the same data).
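One way to do the string manipulation mentioned above, added here as an example and not taken from the project or from the reporter. It parses the pipe-delimited string into a dictionary and falls back to its summary field when no description element exists, instead of dereferencing None. The function names, the element layout of the sample and the assumption that keys are lower-case identifiers (as in the two samples above) are mine.

```python
import re
import xml.etree.ElementTree as ET

# A new pair starts at a "|" followed by a lower-case identifier and "=".
# Splitting there, rather than on every "|", keeps free text intact.
_PAIR_START = re.compile(r"\|(?=[a-z_]+=)")


def parse_tags(raw):
    """Split a pipe-delimited tags string into a dict of key -> value."""
    fields = {}
    for chunk in _PAIR_START.split(raw or ""):
        # Only the first "=" separates key and value; values such as
        # 'timestamps=disabled' contain further "=" characters.
        key, sep, value = chunk.partition("=")
        if sep and key.strip():
            # Values are hard-wrapped in the report; rejoin them.
            fields[key.strip()] = " ".join(value.split())
    return fields


def vuln_description(result):
    """Description for one result element.

    Uses the description element when it exists and is non-empty,
    otherwise the 'summary' field of the tags element, otherwise ''.
    """
    desc = result.findtext(".//description")
    if desc and desc.strip():
        return desc.strip()
    return parse_tags(result.findtext(".//tags")).get("summary", "")


# Constructed sample, shortened from the second tags string shown above.
SAMPLE_TAGS = (
    "cvss_base_vector=AV:N/AC:H/Au:N/C:P/I:N/A:N|summary=The remote host "
    "implements TCP timestamps and therefore allows to compute\n"
    "the uptime.|solution=To disable TCP timestamps on Windows execute "
    "'netsh int tcp set global timestamps=disabled'"
    "|solution_type=Mitigation|qod_type=remote_banner"
)
# Constructed element layout; a real report carries many more children.
SAMPLE_RESULT = ET.fromstring(
    "<result><nvt><name>TCP timestamps</name><tags>"
    + SAMPLE_TAGS + "</tags></nvt></result>"
)

if __name__ == "__main__":
    for key, value in sorted(parse_tags(SAMPLE_TAGS).items()):
        print("%-18s %s" % (key, value))
    print(vuln_description(SAMPLE_RESULT))
```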
openvas_to_report -i /tmp/OpenVASReports/Report1.xml -o Report1.xlsx
Traceback (most recent call last):
File "/usr/local/bin/openvas_to_report", line 11, in
load_entry_point('openvas-to-report==1.0.0', 'console_scripts', 'openvas_to_report')()
File "/usr/local/lib/python2.7/dist-packages/openvas_to_report-1.0.0-py2.7.egg/openvas_to_report/openvas_to_document.py", line 65, in main
convert(config)
File "/usr/local/lib/python2.7/dist-packages/openvas_to_report-1.0.0-py2.7.egg/openvas_to_report/api.py", line 266, in convert
export_to_excel(openvas_info, output_file, lang)
File "/usr/local/lib/python2.7/dist-packages/openvas_to_report-1.0.0-py2.7.egg/openvas_to_report/libs/exporters/excel.py", line 76, in export_to_excel
_export_generic_format(output_file_name, vuln_info, lang)
File "/usr/local/lib/python2.7/dist-packages/openvas_to_report-1.0.0-py2.7.egg/openvas_to_report/libs/exporters/excel.py", line 232, in _export_generic_format
w1 = workbook.add_worksheet(name)
File "/usr/lib/python2.7/dist-packages/xlsxwriter/workbook.py", line 170, in add_worksheet
return self._add_sheet(name, is_chartsheet=False)
File "/usr/lib/python2.7/dist-packages/xlsxwriter/workbook.py", line 633, in _add_sheet
name = self._check_sheetname(name, is_chartsheet)
File "/usr/lib/python2.7/dist-packages/xlsxwriter/workbook.py", line 692, in _check_sheetname
sheetname)
Exception: Invalid Excel character '[]:*?/' in sheetname 'SSL/TLS: Certificate Expired'
Hi, I have used the output of openvas_to_report to add a new sheet called Vulnerability Index with the following columns: impact: critical, high, medium; title, number of hosts involved, worksheet name; ordered by impact, and inside each impact entry, ordered by number of hosts involved.
This can help sysops select which systems to start working on.
I made it with VBA (I am not a VBA programmer), but it would be better to do it inside the tool in Python.
Here is the bad VBA I used:
Sub sintesi()
    ' Rebuild the "indice" (index) sheet: one row per vulnerability worksheet, grouped by impact.
    Sheets("indice").Select
    Sheets("indice").Range(Cells(2, 1).End(xlDown), Cells(2, 1).End(xlToRight)).ClearContents
    Worksheets("indice").Range("A1:E1").Columns.AutoFit
    Dim riga As Integer
    Dim nhost As Integer
    Cells(1, 1) = "WorkSheet"
    Cells(1, 2) = "Impact"
    Cells(1, 3) = "Title"
    Cells(1, 4) = "Nr. Host Affected"
    riga = 3
    ' Critical findings: the impact is read from cell C6 of each vulnerability sheet.
    For X = 3 To Worksheets.Count
        If Worksheets(X).Range("C6") = "Critical" Then
            Cells(riga, 1) = Worksheets(X).Name
            Cells(riga, 2) = "CRITICAL"
            Set mys = Sheets(Sheets("indice").Cells(riga, 1).Value)
            ' Copy the title (cell C2) next to the impact column.
            For Each cella In mys.Range("C2")
                cella.Copy Destination:=Sheets("indice").Cells(riga, 1).End(xlToRight).Offset(0, 1)
            Next
            ' Host rows start after the 9 header rows of the sheet.
            nhost = Sheets(Worksheets(X).Name).Range("C65000").End(xlUp).Row
            Cells(riga, 4) = nhost - 9
            riga = riga + 1
        End If
    Next X
    riga = riga + 2
    ' High findings.
    For X = 3 To Worksheets.Count
        If Worksheets(X).Range("C6") = "High" Then
            Cells(riga, 1) = Worksheets(X).Name
            Cells(riga, 2) = "High"
            Set mys = Sheets(Sheets("indice").Cells(riga, 1).Value)
            For Each cella In mys.Range("C2")
                cella.Copy Destination:=Sheets("indice").Cells(riga, 1).End(xlToRight).Offset(0, 1)
            Next
            nhost = Sheets(Worksheets(X).Name).Range("C65000").End(xlUp).Row
            Cells(riga, 4) = nhost - 9
            riga = riga + 1
        End If
    Next X
    riga = riga + 2
    ' Medium findings.
    For X = 3 To Worksheets.Count
        If Worksheets(X).Range("C6") = "Medium" Then
            Cells(riga, 1) = Worksheets(X).Name
            Cells(riga, 2) = "Medium"
            Set mys = Sheets(Sheets("indice").Cells(riga, 1).Value)
            For Each cella In mys.Range("C2")
                cella.Copy Destination:=Sheets("indice").Cells(riga, 1).End(xlToRight).Offset(0, 1)
            Next
            nhost = Sheets(Worksheets(X).Name).Range("C65000").End(xlUp).Row
            Cells(riga, 4) = nhost - 9
            riga = riga + 1
        End If
    Next X
End Sub
This pattern should extract the correct information (without description).
I'm not sure if this is the correct line that it searches, but using the pattern below you can extract the port and protocol information: <port>22/tcp<host>xxx.xxx.xxx.xxx</host><severity>5.3</severity><threat>Medium</threat></port>
Change the number of groups to 3 (line 100), and remove the return of description (line 107).
Because OpenVAS reached the end of its life cycle, I needed to install GVM11; however, the XML is different from OpenVAS 9 and the script you provided does not work with it. Do you have any plans to make a new version available to us?
Note: You did a great job, helped a lot with scripting.
An example of XML generated by GVM11:
Traceback (most recent call last):
File "/usr/local/bin/openvas_to_report", line 11, in
load_entry_point('openvas-to-report==1.0.0', 'console_scripts', 'openvas_to_report')()
File "/usr/local/lib/python3.6/site-packages/openvas_to_report/openvas_to_document.py", line 65, in main
convert(config)
File "/usr/local/lib/python3.6/site-packages/openvas_to_report/api.py", line 248, in convert
openvas_info = openvas_parser(config.input_files, excluded_hosts=excluded_hosts, scope_hosts=scope_hosts)
File "/usr/local/lib/python3.6/site-packages/openvas_to_report/libs/parsers/openvas_parser.py", line 129, in openvas_parser
vuln_level = nvt_tmp.find(".//risk_factor").text
AttributeError: 'NoneType' object has no attribute 'text'