Nessus XML and the missing netbios-name

It’s been a while since my last ramble but this issue seemed worth getting out there…

If you do any real volume of scanning, you have probably had to write a parser (or at least find someone else who did) for all of the wonderful data that Nessus gathers over the course of a scan. I have a number of such parsers in various languages.

Recently I noticed that I stopped getting the netbios-name tag returned in my Nessus scan results.

*poof*

<ReportHost name="192.168.1.100"><HostProperties>
<tag name="system-type">general-purpose</tag>
<tag name="operating-system">Microsoft Windows Server 2012 R2 Standard</tag>
<tag name="Credentialed_Scan">true</tag>
<tag name="HOST_END">Thu Jan 3 19:09:27 2019</tag>
<tag name="smb-login-used">mydomain\myuser</tag>
<tag name="local-checks-proto">smb</tag>
<tag name="host-fqdn">myhost.mydomain.com</tag>
<tag name="host-rdns">myhost.mydomain.com</tag>
<tag name="host-ip">192.168.1.100</tag>
<tag name="HOST_START">Thu Jan 3 19:07:23 2019</tag>
</HostProperties>

What!?!? No netbios-name tag…

Naturally I assumed that I must have forgotten to enable plugin 10150 – Windows NetBIOS / SMB Remote Host Information Disclosure. After a review of the policy I was surprised to see it in there. Furthermore, when I looked at the data in the *.nessus file, I found that there were results from 10150, including the NetBIOS name!


<ReportItem port="137" svc_name="netbios-ns" protocol="udp" severity="0" pluginID="10150" pluginName="Windows NetBIOS / SMB Remote Host Information Disclosure" pluginFamily="Windows">
<description>The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB requests.

Note that this plugin gathers information to be used in other plugins, but does not itself generate a report.</description>

<...snip...>

<plugin_output>The following 4 NetBIOS names have been gathered :

MYHOST = Computer name
MYDOMAIN= Workgroup / Domain name
MYHOST = File Server Service
MYDOMAIN = Browser Service Elections

The remote host has the following MAC address on its adapter :

00:16:35:aa:aa:aa</plugin_output>
</ReportItem>

As of November 2018 Nessus changed the way the tag generation works. It is now necessary to add plugin 118730 to the policy to get the netbios-name tag in the Nessus XML output.

After adding that plugin to the policy all was well…

<ReportHost name="192.168.1.100"><HostProperties>
<tag name="HOST_END">Fri Jan 4 09:55:43 2019</tag>
<tag name="system-type">general-purpose</tag>
<tag name="operating-system">Microsoft Windows Server 2003 Service Pack 2</tag>
<tag name="netbios-name">MYHOST</tag>
<tag name="hostname">MYHOST</tag>
<tag name="Credentialed_Scan">true</tag>
<tag name="host-fqdn">myhost.mydomain.com</tag>
<tag name="host-rdns">myhost.mydomain.com</tag>
<tag name="smb-login-used">MYDOMAIN\MYUSER</tag>
<tag name="local-checks-proto">smb</tag>
<tag name="host-ip">192.168.1.100</tag>
<tag name="HOST_START">Fri Jan 4 09:54:49 2019</tag>
</HostProperties>

The following plugins are now my bare minimum for a Nessus policy related to Windows information gathering:

Plugin ID   Plugin description
10150       Windows NetBIOS / SMB Remote Host Information Disclosure
10917       SMB Scope
11936       OS Identification
118730      Windows NetBIOS / SMB Remote Host Report Tag

Make sure you have the auto_enable_dependencies value set to yes in the advanced settings menu of your Nessus scanner.
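
A parser can tolerate both export styles by reading the netbios-name tag when it is present and otherwise pulling the "Computer name" line from plugin 10150's plugin_output. The following Python is an added example, not code from this post or from Tenable; the SAMPLE document is constructed from the excerpts above, and the function name netbios_names is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the excerpts above (not a real scan export).
SAMPLE = """<Report name="constructed-sample">
<ReportHost name="192.168.1.100"><HostProperties>
<tag name="host-fqdn">myhost.mydomain.com</tag>
<tag name="host-ip">192.168.1.100</tag>
</HostProperties>
<ReportItem port="137" svc_name="netbios-ns" protocol="udp" severity="0" pluginID="10150">
<plugin_output>The following 4 NetBIOS names have been gathered :

 MYHOST = Computer name
 MYDOMAIN= Workgroup / Domain name
</plugin_output>
</ReportItem>
</ReportHost>
<ReportHost name="192.168.1.101"><HostProperties>
<tag name="netbios-name">OTHERHOST</tag>
<tag name="host-ip">192.168.1.101</tag>
</HostProperties></ReportHost>
<ReportHost name="192.168.1.102"><HostProperties>
<tag name="host-ip">192.168.1.102</tag>
</HostProperties></ReportHost>
</Report>"""

COMPUTER_NAME = re.compile(r"^\s*(\S+)\s*=\s*Computer name\s*$", re.MULTILINE)

def netbios_names(nessus_xml):
    """Map each ReportHost name to (netbios_name, source)."""
    results = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        # Preferred source: the HostProperties tag written when plugin 118730 runs.
        tag = host.find("HostProperties/tag[@name='netbios-name']")
        if tag is not None and tag.text:
            results[host.get("name")] = (tag.text.strip(), "tag")
            continue
        # Fallback: the "Computer name" line in plugin 10150's plugin_output.
        out = host.findtext("ReportItem[@pluginID='10150']/plugin_output", default="")
        match = COMPUTER_NAME.search(out)
        results[host.get("name")] = (match.group(1), "plugin 10150") if match else (None, "missing")
    return results

if __name__ == "__main__":
    for ip, (name, source) in netbios_names(SAMPLE).items():
        print(f"{ip}\t{name}\t{source}")
```

Hosts reported as "missing" are the ones worth checking against the policy: neither plugin produced a name for them.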

If you have any questions or feedback you can reach me here or on Twitter @JaredGroves
