Overview
Nipper-ng (Network Infrastructure Parser Next Generation) is an auditing tool designed to parse and analyze configuration files from network devices such as routers, switches, and firewalls. It identifies security vulnerabilities, configuration weaknesses, and compliance issues by examining device configs from vendors like Cisco, Juniper, CheckPoint, Palo Alto Networks, and others.
Nipper-ng generates detailed audit reports highlighting security risks, misconfigurations, weak access controls, and areas of non-compliance with industry standards. It’s essential for network administrators and security professionals conducting infrastructure assessments and compliance audits.
Installation
Linux (Debian/Ubuntu)
sudo apt-get update
sudo apt-get install nipper-ng
Linux (RedHat/CentOS/Fedora)
sudo yum install nipper-ng
# or
sudo dnf install nipper-ng
Kali Linux
sudo apt-get install nipper-ng
Build from Source
# Install dependencies
sudo apt-get install build-essential libssl-dev zlib1g-dev
# Clone/download nipper-ng
git clone https://github.com/arpihausmann/nipper-ng.git
cd nipper-ng
# Build and install
./configure
make
sudo make install
Verify Installation
nipper --version
nipper --help
Basic Syntax
nipper --input <config-file> --output <report-file> [options]
nipper -i <config-file> -o <report-file> [options]
| Device Type | Vendor | Format |
|---|---|---|
| Router | Cisco | IOS, IOS-XE, IOS-XR |
| Router | Juniper | JunOS |
| Router | Palo Alto | PAN-OS |
| Firewall | Cisco | ASA, PIX |
| Firewall | CheckPoint | SmartCenter |
| Firewall | Palo Alto | PAN-OS |
| Switch | Cisco | IOS, IOS-XE |
| Switch | Juniper | JunOS |
| VPN | Cisco | IPSec, GRE |
| VPN | Juniper | IPSec |
Essential Commands
| Command | Description |
|---|---|
| nipper --input file | Specify input config file |
| nipper --output file | Specify output report file |
| nipper --type device | Explicitly set device type |
| nipper --report full | Generate full audit report |
| nipper --report issues | Report only issues/vulnerabilities |
| nipper --report compliance | Generate compliance report |
| nipper --list-devices | List all supported devices |
| nipper --list-settings | Show all configuration settings |
| nipper --help | Display help information |
| nipper --version | Show version number |
| nipper --debug | Enable debug output |
Report Types
| Report Type | Description |
|---|---|
| full | Comprehensive audit with all findings |
| issues | Security issues and vulnerabilities only |
| compliance | Compliance-focused findings |
| device | Device-specific configuration details |
| security | Security configuration analysis |
| performance | Performance-related observations |
Common Usage Examples
Basic Report Generation
nipper --input router-config.txt --output report.html
Cisco Router Configuration Audit
nipper -i cisco-router.conf -o cisco-audit.html --type "Cisco Router"
Firewall Configuration Analysis
nipper --input asa-firewall.cfg --output firewall-report.html --type "Cisco ASA"
Generate Text Report
nipper -i config.txt -o audit-report.txt --html-format false
Generate Compliance-Focused Report
nipper --input device.conf --output compliance-report.html --report compliance
Analyze Multiple Devices
for file in *.conf; do
  nipper -i "$file" -o "${file%.conf}-report.html"
done
Advanced Options
Device Type Specification
# Explicit device type
nipper -i config.txt -o report.html --type "Cisco IOS Router"
# Cisco ASA Firewall
nipper -i asa.cfg -o asa-report.html --type "Cisco ASA Firewall"
# Juniper SRX
nipper -i srx.conf -o srx-report.html --type "Juniper SRX"
# Palo Alto Networks
nipper -i panorama.conf -o panorama-report.html --type "Palo Alto Networks Firewall"
Report Customization
# Security issues only
nipper -i config.txt -o report.html --report issues
# Device details
nipper -i config.txt -o report.html --report device
# Combined report
nipper -i config.txt -o report.html --report full
# HTML report (default)
nipper -i config.txt -o report.html
# Text report
nipper -i config.txt -o report.txt --html-format false
# Debug output
nipper -i config.txt -o report.html --debug
Vulnerability Categories
Access Control Issues
nipper -i config.txt -o report.html
# Checks for:
# - Weak access control lists (ACLs)
# - Default credentials
# - Open management ports
# - Unrestricted access policies
Authentication Weaknesses
nipper -i config.txt -o report.html
# Reports will highlight:
# - Unencrypted protocols (Telnet, HTTP)
# - Weak password policies
# - Local authentication weaknesses
# - TACACS/RADIUS misconfigurations
Encryption Issues
nipper -i config.txt -o report.html
# Identifies:
# - Weak encryption algorithms
# - Unencrypted protocols
# - Outdated security standards
# - DES/MD5 usage (deprecated)
Routing Security
nipper -i router-config.txt -o report.html
# Analyzes:
# - BGP security gaps
# - Routing protocol authentication
# - Route redistribution risks
# - Dynamic routing misconfigurations
Cisco Configuration Audit
Extract and Analyze Cisco IOS Config
# From device
show running-config > cisco-config.txt
nipper -i cisco-config.txt -o cisco-report.html
# Specific security checks
nipper -i cisco-config.txt -o report.html --type "Cisco Router"
Key Cisco Findings
# Report will identify:
# - VTY line access control
# - Enable password weaknesses
# - SNMP community strings
# - CDP enabled globally
# - IP directed broadcasts
# - HTTP server enabled
# - Unused interfaces
# - Privilege escalation paths
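A few of the findings listed above can be spotted with simple pattern matching, which is a quick way to confirm that an exported file is a complete running-config before it goes to nipper. This is an added example, not part of nipper-ng or the original page; `ios_precheck` and the sample config are constructed for illustration and cover only some of the listed checks.

```shell
#!/bin/sh
# ios_precheck FILE: print "SEVERITY: finding" lines for a few weak IOS settings.
# Hypothetical helper for illustration; not part of nipper-ng. Only explicit
# settings are checked, platform defaults are not modelled (except CDP).
ios_precheck() {
  awk '
    function close_vty() {          # report on the "line vty" block just ended
      if (!in_vty) return
      if (telnet) print "HIGH: " vty ": Telnet allowed by transport input"
      if (!acl)   print "MEDIUM: " vty ": no access-class limiting source addresses"
      in_vty = 0
    }
    { sub(/\r$/, "") }              # tolerate CRLF from terminal captures
    /^[^ ]/ {                       # a column-1 line starts a new block
      close_vty()
      if ($1 == "line" && $2 == "vty") { in_vty = 1; vty = $0; telnet = 0; acl = 0 }
    }
    in_vty && /^ +transport input/ && /telnet|all/ { telnet = 1 }
    in_vty && /^ +access-class .* in/             { acl = 1 }
    /^enable password /  { print "HIGH: enable password in use; prefer enable secret" }
    /^ip http server/    { print "MEDIUM: HTTP management server enabled" }
    /^snmp-server community (public|private)( |$)/ {
      print "HIGH: default SNMP community \"" $3 "\""
    }
    /^no cdp run/        { cdp_off = 1 }
    END {
      close_vty()
      if (!cdp_off) print "LOW: CDP enabled globally (no \"no cdp run\" line)"
    }
  ' "$1"
}

# Constructed sample config, for demonstration only.
sample_ios_config() {
  cat <<'EOF'
hostname lab-rtr1
enable password EXAMPLE-ONLY
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
end
EOF
}

if [ "$#" -gt 0 ]; then ios_precheck "$1"; fi
```
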
Firewall Configuration Audit
Cisco ASA Analysis
show running-config > asa-config.txt
nipper -i asa-config.txt -o asa-report.html --type "Cisco ASA Firewall"
Palo Alto Networks Audit
# Export configuration from Panorama/Device
nipper -i palo-alto.xml -o pa-report.html --type "Palo Alto Networks Firewall"
CheckPoint Firewall Audit
nipper -i checkpoint.conf -o checkpoint-report.html --type "CheckPoint Firewall"
Compliance Reporting
Generate Compliance Report
nipper -i config.txt -o compliance-report.html --report compliance
Compliance Standards Checked
# Nipper checks against:
# - PCI DSS (Payment Card Industry Data Security Standard)
# - HIPAA (Health Insurance Portability and Accountability Act)
# - SOX (Sarbanes-Oxley)
# - ISO 27001
# - NIST guidelines
# - CIS benchmarks
# Each finding includes:
# - Impact severity rating
# - Remediation steps
# - Best practice recommendations
# - Configuration examples
Batch Processing
Process Multiple Configurations
#!/bin/bash
# Audit all router configs
mkdir -p reports
for config in routers/*.conf; do
  device=$(basename "$config" .conf)
  nipper -i "$config" -o "reports/${device}-audit.html"
  echo "Processed: $device"
done
Generate Compliance Summary
#!/bin/bash
# Create compliance reports for all devices
mkdir -p compliance
for config in devices/*.conf; do
  name=$(basename "$config" .conf)
  nipper -i "$config" -o "compliance/${name}-compliance.html" \
    --report compliance
done
Combined Analysis
#!/bin/bash
# Generate both issues and compliance reports
for config in *.conf; do
  base="${config%.conf}"
  echo "=== Analyzing $base ==="
  # Issues report
  nipper -i "$config" -o "${base}-issues.html" --report issues
  # Compliance report
  nipper -i "$config" -o "${base}-compliance.html" --report compliance
  # Full report
  nipper -i "$config" -o "${base}-full.html" --report full
done
Security Issue Examples
Default Credentials Detection
nipper -i config.txt -o report.html
# Flags:
# - Default community strings (public, private)
# - Factory default passwords
# - Unchanged service credentials
Weak Encryption Identification
# Report highlights:
# - MD5 for hashing
# - DES encryption
# - No encryption configured
# - Unencrypted management protocols
Access Control Weaknesses
# Identifies:
# - Permit any/any rules
# - Overly permissive ACLs
# - Open management access
# - Trust relationships
Protocol Security Issues
# Detects:
# - Telnet enabled (vs SSH)
# - HTTP management (vs HTTPS)
# - SNMPv1/v2c (vs SNMPv3)
# - Insecure protocols
Output Interpretation
Report Severity Levels
Critical - Immediate security risk, exploit likely
High - Significant vulnerability, serious impact
Medium - Notable security concern, recommended fix
Low - Minor issue, best practice recommendation
Info - Informational finding, no action required
# Each finding includes:
1. Description of issue
2. Security impact assessment
3. Step-by-step remediation
4. Configuration examples
5. Verification procedures
Real-World Audit Scenarios
Security Baseline Assessment
# Extract configs from all critical devices
for device in router1 firewall1 switch1; do
  ssh "admin@$device" "show running-config" > "${device}.conf"
done
# Generate baseline reports
for config in *.conf; do
  nipper -i "$config" -o "${config%.conf}-baseline.html"
done
Pre-Change Audit
# Capture current state before changes
nipper -i current-config.txt -o pre-change-audit.html
# ... make changes ...
# Capture and compare post-change
nipper -i new-config.txt -o post-change-audit.html
Incident Response Analysis
# Analyze device configs from time of incident
nipper -i incident-config.txt -o incident-report.html --report full
# Focus on security issues
nipper -i incident-config.txt -o incident-issues.html --report issues
Compliance Verification
# Quarterly compliance checks
nipper -i config.txt -o q1-compliance.html --report compliance
nipper -i config.txt -o q2-compliance.html --report compliance
From Cisco Devices
# Via SSH
ssh admin@router.example.com "show running-config" > cisco-router.conf
# Via Telnet (less secure)
(echo "password"; echo "enable"; echo "password"; \
echo "terminal length 0"; echo "show running-config"; \
echo "exit") | telnet router.example.com > cisco-config.conf
From Juniper Devices
ssh admin@juniper.example.com "show configuration | display text" > juniper.conf
From Palo Alto Networks
# Via SSH
ssh admin@palo.example.com "show config running" > panorama.conf
From CheckPoint
# Export via management interface or API
sftp admin@checkpoint.example.com
get /configs/current.conf
Best Practices
Regular Audits
# Maintain audit schedule
- Monthly for critical devices
- Quarterly for standard devices
- Before/after major changes
- When security policies update
Baseline Establishment
# Create security baseline
nipper -i baseline-config.txt -o baseline-report.html
# Track changes over time
nipper -i current-config.txt -o current-report.html
# Compare findings
diff baseline-report.html current-report.html
# Document all findings
nipper -i config.txt -o findings.html
# Track remediation progress
# Update with revised configs
nipper -i remediated-config.txt -o verification.html
Documentation
# Keep audit trail
- Store all reports with dates
- Document remediation actions
- Track policy changes
- Maintain configuration versions
Troubleshooting
Unrecognized Device Type
# List supported devices
nipper --list-devices
# Use correct device type
nipper -i config.txt -o report.html --type "Cisco IOS Router"
Parse Errors
# Enable debug mode
nipper -i config.txt -o report.html --debug
# Verify config file format
# Remove extra spaces, special characters
Missing Features
# Check nipper-ng version
nipper --version
# Update to latest version
sudo apt-get install --only-upgrade nipper-ng
Network Scanning
# Use with nmap for comprehensive audit
nmap -sV 192.168.1.0/24 > devices.txt
# Then collect configs and analyze with nipper
Configuration Management
# Version control configs
git clone <config-repo>
cd configs
mkdir -p reports
for config in *.conf; do
  nipper -i "$config" -o "reports/${config%.conf}.html"
done
git add reports/
git commit -m "Security audit $(date)"
Ticketing System Integration
# Parse nipper output and create tickets
nipper -i config.txt -o report.html
# Create tickets for each critical/high finding
Security Considerations
- Ensure configs are securely transported and stored
- Protect reports containing sensitive network details
- Restrict access to nipper reports (non-public information)
- Audit extraction credentials and access
- Maintain confidentiality of network architecture
- Follow organizational information security policies
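The batch loops shown under Batch Processing write reports with the caller's default umask and carry on silently when an export is empty or nipper fails. The following added example (not from nipper-ng or the original page) applies the storage points above to the same loop; `audit_dir` is a hypothetical name, and the nipper options are the ones used on this page.

```shell
#!/bin/sh
# audit_dir SRC_DIR OUT_DIR: run nipper over SRC_DIR/*.conf, keeping reports private.
# Hypothetical wrapper for illustration. The body runs in a subshell, so the
# umask change and the variables do not leak into the calling shell.
audit_dir() (
  src=$1; out=$2; failed=0
  [ -d "$src" ] || { echo "no such directory: $src" >&2; exit 2; }
  umask 077                        # new files 0600, new directories 0700
  mkdir -p "$out" && chmod 700 "$out" || exit 2
  for config in "$src"/*.conf; do
    [ -e "$config" ] || continue   # glob matched nothing
    name=$(basename "$config" .conf)
    if [ ! -s "$config" ]; then    # empty export, e.g. a failed ssh capture
      echo "SKIP $name: empty config" >&2
      failed=$((failed + 1))
      continue
    fi
    report="$out/$name-issues.html"
    if nipper -i "$config" -o "$report" --report issues; then
      echo "OK   $name -> $report"
    else
      echo "FAIL $name: nipper exited non-zero" >&2
      rm -f "$report"              # do not leave a partial report behind
      failed=$((failed + 1))
    fi
  done
  [ "$failed" -eq 0 ]              # non-zero status if anything was skipped or failed
)

if [ "$#" -eq 2 ]; then audit_dir "$1" "$2"; fi
```

The non-zero exit status lets a scheduler or CI job treat a skipped or failed device as a failed audit run instead of a quietly incomplete one.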
Related Tools
- Nessus - Comprehensive vulnerability assessment
- OpenVAS - Open-source vulnerability scanner
- NMAP - Network mapper and port scanner
- Shodan - Search engine for internet-connected devices
- Qualys - Cloud-based vulnerability management
- Tenable - Vulnerability and risk management
References
- Nipper-ng GitHub: https://github.com/arpihausmann/nipper-ng
- Man page: man nipper
- Configuration parsing documentation
- Compliance framework references (PCI, HIPAA, ISO 27001)
- Network device configuration guides