Tenable Documentation [329], especially for Windows targets, before we start our first authenticated scan.
Our scan target is a Linux system without AV. Therefore, we can click the arrow next to Save and launch the scan. After the scan has finished, we can review the results. In the Vulnerabilities page, we get a list of the findings for the authenticated scan. In the last section, we had already grouped findings with the MIXED severity. For our authenticated scan, let's disable the grouping of findings by clicking on the wheel and selecting Disable Groups.
Figure 66: Disable Grouped Results
After we disable groups, each finding is listed separately.
323. (Tenable Documentation, 2022), https://docs.tenable.com/nessus/Content/Credentials.htm
324. (Wikipedia, 2022), https://en.wikipedia.org/wiki/Server_Message_Block
325. (Wikipedia, 2021), https://en.wikipedia.org/wiki/Windows_Management_Instrumentation
326. (Tenable Community, 2021), https://community.tenable.com/s/article/Symantec-Endpoint-Protection-interfering-with-Nessus-authenticated-scans
327. (Microsoft Docs, 2021), https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview
328. (Tenable Docs, 2022), https://docs.tenable.com/nessus/Content/EnableWindowsLoginsForLocalAndRemoteAudits.htm
329. (Tenable Docs, 2022), https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm
Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
188
Figure 67: Authenticated Scan Results
We get a list of vulnerabilities from the Ubuntu Local Security Checks [330] plugin family [331]. Plugins grouped into plugin families check for vulnerabilities in the same context. For example, there are separate plugin families for checking vulnerabilities in databases, firewalls, or web servers. The Ubuntu Local Security Checks plugin family contains a multitude of plugins that check for local vulnerabilities and missing patches for Ubuntu.
The Name column provides us with the vulnerable Ubuntu versions and a brief description as well as the patch number for the vulnerabilities.
330. (Tenable, 2022), https://www.tenable.com/plugins/nessus/families/Ubuntu%20Local%20Security%20Checks
331. (Tenable, 2022), https://www.tenable.com/plugins/nessus/families
Figure 68: Vulnerability data of Firefox and curl
The list also contains vulnerability data of locally exposed applications such as Firefox [332] or cURL [333].
7.2.6 Working with Nessus Plugins
By default, Nessus enables a number of plugins behind the scenes when running a default template. While this is certainly useful in many scenarios, we can also fine-tune our options to quickly run a single plugin. We can use this feature to validate a previous finding or to quickly discover all the targets in an environment that are at risk from a specific vulnerability.
For this example, we will set a plugin filter to identify if the DESKTOP machine is vulnerable to CVE-2021-3156 [334]. This is a locally exploitable vulnerability that allows an unprivileged user to elevate privileges to root.
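As an added example (not part of the PWK course material or of Nessus itself), the following Python script works through the two questions raised above and in the plugin-family discussion, but offline, on a constructed .nessus v2 export: it flattens findings the way the ungrouped Vulnerabilities view does, counts them per plugin family as in Figure 67, and lists which hosts a given CVE such as CVE-2021-3156 applies to, the same question the dynamic CVE filter answers inside Nessus. The element and attribute names follow the standard .nessus export format; the plugin IDs, plugin names and the second CVE in the sample are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample .nessus (v2) export. Plugin IDs, the second CVE and
# the plugin names are placeholders, not real Nessus or NVD values.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="authenticated-scan">
 <ReportHost name="DESKTOP">
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
    pluginID="900001" pluginName="Ubuntu : sudo (placeholder)"
    pluginFamily="Ubuntu Local Security Checks"><cve>CVE-2021-3156</cve></ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="2"
    pluginID="900002" pluginName="Ubuntu : curl (placeholder)"
    pluginFamily="Ubuntu Local Security Checks"><cve>CVE-0000-0002</cve></ReportItem>
 </ReportHost>
 <ReportHost name="WEBSRV">
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
    pluginID="900003" pluginName="SSH Server Type and Version (placeholder)"
    pluginFamily="Service detection"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

def parse_findings(xml_text):
    """Flatten the export into one record per ReportItem, i.e. the
    'Disable Groups' view where every finding is listed separately."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "family": item.get("pluginFamily"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),  # 0=info .. 4=critical
                "cves": [c.text.strip() for c in item.findall("cve") if c.text],
            })
    return findings

def count_by_family(findings):
    """Findings per plugin family, the grouping Figure 67 shows."""
    return dict(Counter(f["family"] for f in findings))

def hosts_at_risk(findings, cve, min_severity=1):
    """Hosts with a non-informational finding that references `cve`: the
    offline counterpart of the CVE plugin filter described in the text."""
    wanted = cve.upper()
    return sorted({f["host"] for f in findings
                   if f["severity"] >= min_severity
                   and any(c.upper() == wanted for c in f["cves"])})
```

Run it against a real export with parse_findings(open("scan.nessus").read()) to get the same per-family and per-CVE views without re-scanning.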
To leverage the dynamic plugin filter, we will once again begin with a New Scan.
332. (Mozilla, 2022), https://www.mozilla.org/en-US/firefox/new/
333. (Wikipedia, 2022), https://en.wikipedia.org/wiki/CURL
334. (Tenable, 2021), https://www.tenable.com/cve/CVE-2021-3156
Figure 69: Creating a new Scan
This time, we will use the Advanced Dynamic Scan template. This template allows us to use a
dynamic plugin filter instead of manually enabling or disabling plugins.
To use this template, we click on Advanced Dynamic Scan.
Figure 70: Select Advanced Dynamic Scan
Once again, we’ll configure the name and target.
Figure 71: Enter Name and Target
Next, we’ll provide the same SSH and sudo credentials we used in the last example, meaning we’ll
also be conducting an authenticated scan.
Now we can select the plugins we want to use in our vulnerability scan. As stated before, the
Advanced Dynamic Scan allows us to use a filter instead of enabling or disabling groups or
individual plugins.
To do so, let's click on the Dynamic Plugins tab. In the left dropdown menu, we'll select CVE to filter for a specific CVE. In the middle dropdown menu, we can choose from different filter arguments to specify the matching behavior. On the right dropdown menu, we can specify a CVE number. After entering "CVE-2021-3156", we can click on Preview Plugins. This may take a few minutes to complete.
Figure 72: Filter for specific Plugins
Once Preview Plugins is finished running, we get a list of found plugin families that cover this