Tag Archives: Port Scanning

Converting Nmap xml scan reports to json

Unfortunately, Nmap cannot save results in JSON. All available output options:

-oN <filespec> (normal output)
-oX <filespec> (XML output)
-oS <filespec> (ScRipT KIdd|3 oUTpuT)
-oG <filespec> (grepable output)
-oA <basename> (Output to all formats)

And processing XML results may not be an easy task. Just look at how I analyze the contents of the Nessus report in “Parsing Nessus v2 XML reports with python”. Not the most readable code, right? And what alternatives do we have?

A formal XML-to-JSON conversion is impossible because the formats are very different. However, there are Python modules, for example xmltodict, that can reliably convert XML into Python structures of dictionaries, lists and strings. They have to change some parameter names to avoid collisions, but in my opinion this is not a big price for convenience.

So, let’s see how this works for the following Nmap command:

nmap -sV -oX nmap_output.xml avleonov.com 1>/dev/null 2>/dev/null
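
The naming change described above, as an added example (not code from the original post): it uses only the standard library and mirrors xmltodict's default convention of prefixing attributes with "@" and storing text under "#text". The sample XML, the as_list helper and all function names are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX` output (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
</ports></host>
</nmaprun>"""

def element_to_dict(elem):
    """Attributes become "@name", text becomes "#text", repeated tags become a list."""
    node = {"@" + k: v for k, v in elem.attrib.items()}
    for child in elem:
        value = element_to_dict(child)
        if child.tag in node:  # same tag seen again: promote to a list
            if not isinstance(node[child.tag], list):
                node[child.tag] = [node[child.tag]]
            node[child.tag].append(value)
        else:
            node[child.tag] = value
    text = (elem.text or "").strip()
    if text:
        if not node:
            return text  # text-only element collapses to a plain string
        node["#text"] = text
    return node or None

def as_list(value):
    """A single child is a dict, several are a list; normalise before iterating."""
    return [] if value is None else value if isinstance(value, list) else [value]

def nmap_xml_to_json(xml_text):
    root = ET.fromstring(xml_text)
    return json.dumps({root.tag: element_to_dict(root)}, indent=2)

def open_ports(json_text):
    """Return (address, port, service) for every port reported as open."""
    hosts = as_list(json.loads(json_text)["nmaprun"].get("host"))
    return [(h["address"]["@addr"], int(p["@portid"]), p["service"]["@name"])
            for h in hosts for p in as_list((h.get("ports") or {}).get("port"))
            if p["state"]["@state"] == "open"]

if __name__ == "__main__":
    print(open_ports(nmap_xml_to_json(SAMPLE_XML)))
```

A host with one scanned port comes out as a dict while a host with several comes out as a list, so any code that walks the JSON has to normalise both shapes, as as_list does here.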

Non-reliable Nessus scan results

Do you perform massive unauthenticated vulnerability scans with Nessus? It might be a bad idea. It seems that Nessus is not reliable enough to assess hundreds and thousands of hosts in one scan and can lose some valuable information.

The thing is that sometimes Nessus does not detect open ports and services correctly. And without successful service detection it will not launch other vulnerability detection plugins (see Nessus Scan stages in my post about Tenable University). Scan results for the host will be empty, although in reality it may have some critical vulnerabilities that you simply will not see!

Upd. When you use Nessus inside your corporate network only, it might not be an issue for you. But if you deploy Nessus on some remote hosting to perform regular perimeter scans, emulating an attacker’s actions, it’s quite possible that you will face this kind of error, especially if Nessus and the scan targets are placed in different geographical locations and it takes many hops for Nessus to reach each target. If you use load balancers in your organisation to increase capacity and reliability of applications, this can also lead to errors.

Anyway, it’s good to know when Nessus was not able to detect services on some hosts and you should not rely on these scan results. Let’s see how we can figure this out.

Qualys Option Profiles for Vulnerability Scanning

When I wrote about vulnerability scanning in Nessus, I described in detail what a Nessus scan profile looks like. And when I wrote about VM scanning in Qualys, I did not mention scan profiles at all. But it’s also an interesting topic. In a Qualys scan profile you can’t specify which vulnerability checks will run during the scan, as in Nessus (Upd. Actually yes you can, but in a somewhat different manner; I added how to do it in the “Scan” section). However, you can also see some options that can affect the way you do vulnerability scanning with Qualys.

The main option for me is the list of ports to scan. By default Qualys does not check all ports, and that could negatively affect host detection during unauthenticated scanning.

Creating new scan profile: Vulnerability Management -> Option Profiles -> New

Title

Setting the title and owner of the profile. We can use this profile as a default for launching maps and scans or share it with other Qualys users in our organization (“Make this a globally available option profile”).
