Penetration Testing with Kali Linux OffSec
|
|
Credentialed Patch Audit
scan template, which comes preconfigured to execute local security checks against the target. The difference between this and the Basic Network Scan template with provided credentials, is that the Credentialed Patch Audit scan only uses local security checks and will not do a regular vulnerability check from an external perspective. The Credentialed Patch Audit template will not only scan for missing operating system patches, but also for outdated applications, which may be vulnerable to privilege escalation attacks . 321 Figure 63: Select Credentialed Patch Audit Once again, we will provide a name for the scan and set the target to DESKTOP. 321 (Wikipedia, 2022), https://en.wikipedia.org/wiki/Privilege_escalation Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 186 Figure 64: Basic Settings for the Authenticated Scan Next, let’s click on the Credentials tab and select SSH 322 in the Host category. On the Authentication method dropdown, we’ll select password , and enter “offsec” as the username and “lab” for the password. We’ll select sudo for the Elevate privileges with option and enter “root” as the sudo user and “lab” as the password. Figure 65: SSH and Sudo Credentials for the Authenticated Scan While we will use the SSH configuration for this example, there are several other authentication mechanisms available. To get a list of all available mechanisms, we can click the Categories 322 (Wikipedia, 2022), https://en.wikipedia.org/wiki/Secure_Shell Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 187 dropdown menu and select All . We can consult the Tenable Documentation 323 for a complete list of supported authentication mechanisms. For Linux and macOS targets, SSH is used. While we can also use SSH on Windows, in most cases, we will use Server Message Block (SMB) 324 and Windows Management Instrumentation (WMI) 325 to perform authenticated vulnerability scans against Windows targets. Both methods allow us to use local or domain accounts and different authentication options. To get meaningful results in an authenticated vulnerability scan, we need to ensure that our target system is configured correctly. Depending on the authentication method we want to use, we need to make sure that there is no firewall blocking connections from our scanner. Furthermore, we often find antivirus (AV) programs installed on both Linux and Windows targets. AV may flag the vulnerability scan as malicious and therefore, terminate our connection or render the results useless. Depending on the AV program, we can add an exception 326 for the authenticated scan or temporarily disable it. Another Windows security technology we need to consider is User Account Control (UAC). 327 UAC is a security feature for Windows that allows users to use standard privileges instead of administrator privileges. An administrative user will run most applications and commands in standard privileges and receive administrator privileges only when needed. Due to the nature of UAC, it can also interfere with our scan. We can configure UAC to allow Nessus or temporarily disable it. 328 We should consult the Yüklə Dostları ilə paylaş:
|