My Guilty Obsession: Tagging by Plugin Output

Casey Reid a.k.a Packet Chaos
4 min readJul 25, 2023

--

If you are a Tenable Employee, I’m sure I elicited a giggle or even a belly laugh from those that work with me often. I’m legit obsessed with how one can utilize Tenable plugins to Level-up their Cyber Exposure game.

Before we get started you should know, Tenable has over 190,000 plugins and counting. The majority of the plugins utilized by Tenable are vulnerability detections covering a staggering 77, 597 CVEs as of this publication.

In addition, Nessus gathers a myriad of useful information captured in the “informational” plugins which is where my obsession begins. Let’s preview a few useful plugins and their outputs as we get into pragmatic use-cases.

Plugin 10863 — SSL Certificate Information

From the Tenable Plugin Page:

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

A Screenshot from the UI below shows that you can get useful information from SSL certificates. In this case, it is a self-signed cert on my lab Splunk server which is confirmed by the details in the plugin output.

This can be helpful in finding IoT devices where SSL certs are utilized.

Splunk Server

Below is the screenshot from the UI for the 10863 plugin on my Splunk Server.

Buffalo TeraStation

Below is the screenshot from the UI for the 10863 plugin on my Buffalo Terastation.

Now, I mentioned my obsessions was around tagging… So how do you tag by a vulnerability attribute?

If you follow me you might have guessed the answer to be: navi

To tag my TeraStation:

navi tag --c "IoT Devices" --v "Buffalo TeraStation" --plugin 10863 --output "Buffalo"

To tag my Splunk Server:

navi tag --c "Security Software" --v "Splunk Server" --plugin 10863 --output "Splunk"

Plugin 66717 — mDNS Detection ( Local Network)

While this plugin requires the Nessus Scanner to be on the same local network, it is crazy useful for finding obscure IoT devices like Chromecast in the below example.

To elaborate, Nessus will finger print a Chromecast device as a Linux device because that is the OS it is technically built on. However, that isn’t how we see the device. To complicate the problem, devices like these can make your “Linux” metrics incorrect. So depending on how many IoT devices on your corporate network, this could be a painful challenge.

To tag my Chromecast devices simply:

navi tag --c "IoT Devices" --v "Chromecast" --plugin 66717 --output "Chromecast"

Okay, let’s go over the two most useful plugins for detecting packages installed and how to tag by the information found with-in.

I’m of course talking about plugins 20811 and 22869. If you are a long-time Tenable user these two plugins are only second in popularity to the king of plugins 19506.

Plugins 20811 and 22869

Both of these plugins enumerate software on the authenticated host, 20811 focused on Windows and 22869 focusing on Linux.

After hearing about these plugins a CISO whispered to me:

“Can you find tcpdump or wireshark?

I found that we have a LDAP integration that is leaving admin passwords visible to those who can see packets easily. My goal is to find who has it and lock it down if it isn’t required while we transition to LDAPS”

With credentialed scans, this objective is easy. Simply tag assets that have “tcpdump, wireshark or both” in the plugin output or in the plugin name.

If you find it in the plugin name, it indicates a vulnerability is present on the software which would preclude it’s existence.

Snippet from Plugin Output 22869

Tag by Package installed

navi tag --c "Security Software" --v "TCP Dump" --plugin 22869 --output "tcpdump"
navi tag --c "Security Software" --v "Wireshark" --plugin 20811 --output "Wireshark"

I hope sharing my obsession might help you with finding difficult-to-find assets and creating advanced tags!

More on tagging:

--

--

Casey Reid a.k.a Packet Chaos
Casey Reid a.k.a Packet Chaos

Written by Casey Reid a.k.a Packet Chaos

I'm a perpetually curious avid learner and athletic hacker/tinker who dabbles in python development, tenable integrations, philosophy, and writing