Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
Figure 68: Vulnerability data of Firefox and curl
The list also contains vulnerability data for locally installed applications found through the authenticated scan, such as Firefox [332] or cURL [333].
7.2.6 Working with Nessus Plugins
By default, Nessus enables a large number of plugins behind the scenes when running a default template. While this is useful in many scenarios, we can also fine-tune our options to run a single plugin. We can use this feature to validate a previous finding or to quickly discover all the targets in an environment that are at risk from a specific vulnerability.
For this example, we will set a plugin filter to identify whether the DESKTOP machine is vulnerable to CVE-2021-3156 [334], a heap-based buffer overflow in sudo. This is a locally exploitable vulnerability that allows an unprivileged user to elevate privileges to root.
To leverage the dynamic plugin filter, we will once again begin with a New Scan.
[332] (Mozilla, 2022), https://www.mozilla.org/en-US/firefox/new/
[333] (Wikipedia, 2022), https://en.wikipedia.org/wiki/CURL
[334] (Tenable, 2021), https://www.tenable.com/cve/CVE-2021-3156
Figure 69: Creating a new Scan
This time, we will use the Advanced Dynamic Scan template. This template allows us to use a dynamic plugin filter instead of manually enabling or disabling plugins. To use it, we click on Advanced Dynamic Scan.
Figure 70: Select Advanced Dynamic Scan
Once again, we’ll configure the name and target.
Figure 71: Enter Name and Target
Next, we'll provide the same SSH and sudo credentials we used in the last example, meaning we'll again be conducting an authenticated scan.
Now we can select the plugins we want to use in our vulnerability scan. As stated before, the Advanced Dynamic Scan template allows us to use a filter instead of enabling or disabling plugin families or individual plugins.
To do so, let's click on the Dynamic Plugins tab. In the left dropdown menu, we'll select CVE to filter for a specific CVE. In the middle dropdown menu, we can choose from different filter arguments that specify the matching behavior. On the right, we can specify a CVE number. After entering "CVE-2021-3156", we click on Preview Plugins. This may take a few minutes to complete.
Figure 72: Filter for specific Plugins
Once Preview Plugins has finished running, we get a list of found plugin families that cover this