Friday 24 October 2014

Nessus with System Center Orchestrator and getting PDF reports via PowerShell

I have recently created an integration pack for Nessus and Orchestrator using the NessusSharp Library located here

All is good and I can initiate a scan and wait for its completion by getting the status using listreports() and filtering by the scan id.

I then wanted to get the PDF report and email it, which isn't that easy, as neither the above library nor the PowerShell posh-nvs module (formerly posh-sec-mod) supports getting anything other than a nessusv2 report.

I would have put a bit of effort into this, but it appears that Nessus 6 has a new API which is REST based, so I'm reluctant to spend any time doing something that I need to replace shortly. So I have done a temporary quick and dirty PowerShell script for downloading PDF reports from Nessus.

The links below may help with working out wtf this is doing and what helped me knock this quick and dirty solution together:

The code is below. Update: please note that this code requires version 3 of PowerShell for the Invoke-WebRequest command. I did have "# Requires -version 3.0" at the beginning of the script, but Orchestrator doesn't seem to like that when you wrap the script in $var = powershell { }. Need to test this more first though.

$username = "login"
$password = "password"
$Server = "server"
$port = "8834"
$reportID = "2bfd7a4d-a806-8d5e-905a-0c39e7e248556d7fc3b9c5aa0f98"

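# Ignore SSL errors: this accepts any server certificate (e.g. a self-signed one)
# for every request made in this PowerShell session, so the login below is sent
# without verifying the server's identity.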
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

$postParams = @{login=$username;password=$password}
$resp = Invoke-WebRequest -Uri "https://$($Server):$($port)/login" -body $postParams -Method Post

#Crude check!
if ($resp.StatusCode -ne 200){throw "Authorisation failed"}

# Try and get the token returned whilst logging in
$resp1 = $resp.AllElements[4].InnerHTML
$result = $resp1 -match "(?<content>.*)</token>"

#Another crude check!
If ($result -ne $true){Throw ("Error Logging in")}

$Token = $matches['content']
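# The remaining parameters on this line are truncated in the post; the string and
# hashtable are closed here only so that the script parses.
$ChapParams = @{chapters='compliance;compliance_exec;vuln_by_host;vuln_by_plugin;'}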
$Chapresp = Invoke-WebRequest -Uri "https://$($Server):$($port)/chapter" -body $ChapParams -Method Post

# Wait for the Report to be generated
# TODO: Check contents are valid at some point, if not wait
# longer and re-download.
start-sleep -seconds 60

# Pull the generated file name out of the response into the named group 'content'
$file = $Chapresp -match 'fileName=(?<content>.*)">'
$filename = $matches['content']

$DownloadParams = @{fileName=$fileName;step=2;token=$token;}
Invoke-WebRequest -Uri "https://$($Server):$($port)/file/xslt/download" `
 -body $DownloadParams -Method Post -OutFile "c:\temp\pdf\$($filename)"

# Ignore the html below.. blogger, or syntax highlighter is finding the tag on the line for getting the filename!
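
The TODO in the script above (check that the downloaded contents are valid and, if not, wait longer and re-download) could be handled as follows. This is an added example, not part of the original script: Test-PdfFile and Save-NessusPdf are hypothetical names, and it assumes Nessus returns an error or a non-PDF body while the report is still being generated.

```powershell
# Added example: replaces the fixed "start-sleep -seconds 60" with a validated retry loop.
function Test-PdfFile {
    param([Parameter(Mandatory)][string]$Path)
    # A complete PDF starts with the ASCII bytes "%PDF-" and has "%%EOF" near its end.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 16) { return $false }
    $head    = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 5)
    $tailLen = [Math]::Min(1024, $bytes.Length)
    $tail    = [System.Text.Encoding]::ASCII.GetString($bytes, $bytes.Length - $tailLen, $tailLen)
    return (($head -eq '%PDF-') -and $tail.Contains('%%EOF'))
}

function Save-NessusPdf {
    param(
        [Parameter(Mandatory)][string]$BaseUri,            # "https://$($Server):$($port)"
        [Parameter(Mandatory)][hashtable]$DownloadParams,  # fileName, step, token as above
        [Parameter(Mandatory)][string]$OutFile,
        [int]$MaxAttempts  = 10,
        [int]$DelaySeconds = 30
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            Invoke-WebRequest -Uri "$BaseUri/file/xslt/download" -Body $DownloadParams `
                -Method Post -OutFile $OutFile -ErrorAction Stop
        } catch {
            Write-Verbose "Attempt $attempt failed: $($_.Exception.Message)"
        }
        if (Test-PdfFile -Path $OutFile) { return (Get-Item -LiteralPath $OutFile) }
        # Not a PDF yet: delete it so a half-generated report is never emailed.
        Remove-Item -LiteralPath $OutFile -ErrorAction SilentlyContinue
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
    }
    throw "Report was not a valid PDF after $MaxAttempts attempts"
}

# Usage with the variables from the script above:
# Save-NessusPdf -BaseUri "https://$($Server):$($port)" -DownloadParams $DownloadParams `
#     -OutFile "c:\temp\pdf\$($filename)"
```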