The Software Enumeration is a report plugin for LimberDuck NFA (nessus file analyzer) to generate report from software installed on remote systems scanned with Tenable Nessus or Tenable Security Center.
List of installed software is based on Nessus plugin outputs listed below:
- Plugin ID 20811: Microsoft Windows Installed Software Enumeration (credentialed check)
- Plugin ID 22869: Software Enumeration (SSH)
Caution
The Software Enumeration report plugin for LimberDuck NFA (nessus file analyzer) has been tested on results reported for Operating Systems:
- Microsoft Windows 10 (Nessus Plugin ID 20811)
- Ubuntu 24.04 (Nessus Plugin ID 22869)
- macOS 15.6 (Nessus Plugin ID 22869)
If you find any issues or have suggestions for other Operating Systems, please open an issue on the GitHub repository.
Important
The target hosts must be scanned with credentialed checks enabled for Plugin IDs 20811 and/or 22869 to appear in the scan results.
- Platform Support: Windows, Linux, Unix, macOS, etc. (all supported by Nessus Plugin ID: 20811 and 22869)
- Two View Modes: List by host or group by software name
- Version Information: Software version in dedicated column
- Source Tracking: For Unix/Linux/macOS packages (e.g., "homebrew managed")
- Installation Dates: Captured for Windows software when available
- Plugin ID Tracking: Shows which Nessus plugin (20811 or 22869) provided the data
- Spreadsheet Formatting: Styling matching NFA's standard reports (clean design, bold headers, no borders, frozen first row, autofilter)
- Advanced Version Parsing: Handles various version formats including:
- Standard versions:
2.4.41,8.2p1,3.12.1 - Letter prefixes:
r3108(e.g., x264 r3108) - Letter suffixes:
9f(e.g., jpeg 9f) - Complex versions:
7.1.1_3(e.g., ffmpeg 7.1.1_3)
- Standard versions:
Important
Software Enumeration report plugin v0.1.0 works with LimberDuck NFA (nessus file analyzer) v0.12.0 or newer.
This plugin is automatically installed with LimberDuck NFA (nessus file analyzer) v0.12.0 or newer.
If you already have LimberDuck NFA (nessus file analyzer) installed in v0.12.0 or newer and want to manually install newer version of Software Enumeration NFA plugin, run:
pip install nfa-plugin-software-enumerationNote
If you want to make some changes to the plugin code and test them locally, clone the repository and install it in development mode:
cd nfa-plugin-software-enumeration
pip install -e .- Open LimberDuck NFA (nessus file analyzer).
- Navigate to the Advanced reports tab in the Settings section.
- Find Software Enumeration report on the list.
- Check Enable.
- (Optional) Configure plugin option:
- Group by software name: When enabled, groups results by software name showing all hosts where it is installed
- Select your
.nessusfiles and click Start button.
If selected .nessus files contain relevant data from Plugin ID 20811 and/or 22869, generated report will include worksheet named "software". See example output below.
| Target | Hostname | FQDN | IP | Scan started | Scan ended | OS | Software Name | Software Version | Platform | Software Source | Architecture | Software Description | Installed on | Plugin ID |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| server01.example.com | server01 | server01.example.com | 10.0.0.1 | 2025-12-08 10:00:00 | 2025-12-08 10:15:00 | Ubuntu 22.04 | openssh-server | 8.2p1-4 | Unix/Linux | apt | 22869 | |||
| server01.example.com | server01 | server01.example.com | 10.0.0.1 | 2025-12-08 10:00:00 | 2025-12-08 10:15:00 | Ubuntu 22.04 | apache2 | 2.4.41 | Unix/Linux | apt | 22869 | |||
| workstation.local | workstation | workstation.local | 10.0.0.5 | 2025-12-08 11:00:00 | 2025-12-08 11:20:00 | macOS Ventura | ffmpeg | 7.1.1_3 | Unix/Linux | homebrew managed | 22869 | |||
| workstation.local | workstation | workstation.local | 10.0.0.5 | 2025-12-08 11:00:00 | 2025-12-08 11:20:00 | macOS Ventura | jpeg | 9f | Unix/Linux | homebrew managed | 22869 | |||
| 10.0.0.2 | server02 | server02.corp.local | 10.0.0.2 | 2025-12-08 09:30:00 | 2025-12-08 09:50:00 | Windows Server 2019 | Microsoft Office Professional Plus 2019 | 16.0.10337.20039 | Windows | 2025/11/26 | 20811 | |||
| localhost | ubuntu | 127.0.0.1 | 2025-06-28 07:07:13 | 2025-06-28 07:23:02 | Linux Kernel 6.8.0-59-generic on Ubuntu 24.04 | accountsservice | 23.13.9-2ubuntu6 | Unix/Linux | arm64 | query and manipulate user account information | 22869 |
| Software Name | Platform | Software Versions | Software Source | Architecture | Software Description | Installed on | Plugin ID | Host Count | Installed On (Hosts) |
|---|---|---|---|---|---|---|---|---|---|
| ffmpeg | Unix/Linux | 7.1.1_3 | homebrew managed | 22869 | 1 | workstation.local | |||
| apache2 | Unix/Linux | 2.4.41, 2.4.43 | 22869 | 5 | server01 (10.0.0.1), server02 (10.0.0.2), server03 (10.0.0.3), ... | ||||
| Microsoft Office Professional Plus 2019 | Windows | 16.0.10337.20039 | 2025/11/26 | 20811 | 3 | server02 (10.0.0.2), server03 (10.0.0.3), workstation01 (10.0.0.10) | |||
| accountsservice | Unix/Linux | 23.13.9-2ubuntu6. | arm64 | query and manipulate user account information | 22869 | 1 | ubuntu (127.0.0.1) |
For Windows systems the Plugin ID 20811 is used:
- Detects "windows" in OS information
- Parses software with version from
[version X.X.X] - Extracts installation dates from
[installed on YYYY/MM/DD] - Skips first 3 header lines before parsing software list.
Example Plugin ID 20811 output:
The following software are installed on the remote host :
7-Zip 24.09 (x64) [version 24.09]
Microsoft Edge [version 142.0.3595.94] [installed on 2025/11/26]
For Linux/Unix-like systems the Plugin ID 22869 is used:
- Detects: e.g. Ubuntu, macOS
- Extracts source information from parentheses (e.g.,
(homebrew managed)) - Handles various version formats with advanced regex patterns
- Skips first 3 header lines before parsing software list.
Example Plugin ID 22869 outputs:
Here is the list of packages installed on the remote Mac OS X system :
App Store 3.0
Automator 2.10
...
ffmpeg 7.1.1_3 (homebrew managed)
Here is the list of packages installed on the remote Debian Linux system :
ii accountsservice 23.13.9-2ubuntu6 arm64 query and manipulate user account information
ii acl 2.3.2-1build1.1 arm64 access control list - utilities
The Unix/Linux parser uses a regex pattern to handle diverse version formats:
- Pattern:
^(.+?)\s+([a-zA-Z]?[0-9]+[a-zA-Z0-9._-]*)$ - Supports versions starting with letters (e.g.,
r3108,v2.1.0) - Handles versions ending with letters (e.g.,
9f) - Captures compound versions with dots, underscores, and dashes (e.g.,
7.1.1_3,8.2p1-4)
Spreadsheet Formatting
- Version column: Formatted as text to prevent Excel from misinterpreting versions as numbers.
- Plugin ID column: Formatted as number for proper sorting and filtering.
- Scan started and Scan ended columns: Formatted as datetime for accurate date handling.
- First row: Bold formatting and frozen for easy navigation.
- Auto-filter: Applied to all columns for quick data filtering.
- Styling: Matches the standard NFA's reports (clean design, bold headers, no borders, frozen first row, autofilter).
GNU GPLv3: LICENSE.
Damian Krawczyk created Software Enumeration report plugin for LimberDuck NFA (nessus file analyzer).