My Guilty Obsession: Tagging by Plugin Output
If you are a Tenable employee who works with me often, I’m sure I elicited a giggle or even a belly laugh. I’m legit obsessed with how one can use Tenable plugins to level up their Cyber Exposure game.
Before we get started, you should know that Tenable has over 190,000 plugins and counting. The majority of them are vulnerability detections covering a staggering 77,597 CVEs as of this publication.
In addition, Nessus gathers a myriad of useful information in its “informational” plugins, which is where my obsession begins. Let’s preview a few useful plugins and their outputs as we get into pragmatic use cases.
Plugin 10863 — SSL Certificate Information
From the Tenable Plugin Page:
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
The screenshot from the UI below shows the useful information you can get from SSL certificates. In this case, it is a self-signed cert on my lab Splunk server, which the details in the plugin output confirm.
This can be helpful in finding IoT devices where SSL certs are utilized.
Splunk Server
Below is the screenshot from the UI for the 10863 plugin on my Splunk Server.
Buffalo TeraStation
Below is the screenshot from the UI for the 10863 plugin on my Buffalo TeraStation.
Now, I mentioned my obsession was around tagging… So how do you tag by a vulnerability attribute?
If you follow me you might have guessed the answer to be: navi
To tag my TeraStation:
navi tag --c "IoT Devices" --v "Buffalo TeraStation" --plugin 10863 --output "Buffalo"
To tag my Splunk Server:
navi tag --c "Security Software" --v "Splunk Server" --plugin 10863 --output "Splunk"
Plugin 66717 — mDNS Detection (Local Network)
While this plugin requires the Nessus scanner to be on the same local network, it is crazy useful for finding obscure IoT devices like the Chromecast in the example below.
To elaborate, Nessus will fingerprint a Chromecast device as a Linux device because that is the OS it is technically built on. However, that isn’t how we see the device. To complicate the problem, devices like these can make your “Linux” metrics incorrect. So depending on how many IoT devices are on your corporate network, this could be a painful challenge.
To tag my Chromecast devices simply:
navi tag --c "IoT Devices" --v "Chromecast" --plugin 66717 --output "Chromecast"
Okay, let’s go over the two most useful plugins for detecting installed packages and how to tag by the information found within.
I’m of course talking about plugins 20811 and 22869. If you are a long-time Tenable user, these two plugins are second in popularity only to the king of plugins, 19506.
Plugins 20811 and 22869
Both of these plugins enumerate software on the authenticated host: 20811 focuses on Windows and 22869 focuses on Linux.
After hearing about these plugins a CISO whispered to me:
“Can you find tcpdump or wireshark?
I found that we have an LDAP integration that is leaving admin passwords visible to those who can see packets easily. My goal is to find who has it and lock it down if it isn’t required while we transition to LDAPS.”
With credentialed scans, this objective is easy. Simply tag assets that have “tcpdump, wireshark or both” in the plugin output or in the plugin name.
If you find it in the plugin name, it indicates that a vulnerability is present in the software, which presupposes its existence on the asset.
Tag by Package installed
navi tag --c "Security Software" --v "TCP Dump" --plugin 22869 --output "tcpdump"
navi tag --c "Security Software" --v "Wireshark" --plugin 20811 --output "Wireshark"
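A dry run of the two package rules above, as an added example that is not part of the original post or of navi itself: it lists which assets each rule would match, and whether the hit came from the plugin output or a plugin name, before any tag is written. The findings, the field layout, the placeholder plugin ID 0 and the case-insensitive substring match are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample findings: (asset, plugin_id, plugin_name, plugin_output).
# Field layout and values are illustrative, not navi's or Tenable's schema.
FINDINGS = [
    ("web01", 22869, "Software Enumeration (constructed)",
     "  tcpdump-4.9.3-3.el8.x86_64\n  openssl-1.1.1k-9.el8.x86_64"),
    ("db01", 22869, "Software Enumeration (constructed)",
     "  openssl-1.1.1k-9.el8.x86_64\n  bash-4.4.20-4.el8.x86_64"),
    ("wks07", 20811, "Installed Software Enumeration (constructed)",
     "Wireshark 3.6.2 64-bit  [version 3.6.2]\n7-Zip 21.07 (x64)"),
    # Placeholder plugin ID 0: a vulnerability plugin naming the software.
    ("wks09", 0, "Wireshark Multiple Vulnerabilities (constructed)",
     "Installed version : (constructed)"),
]

# Each rule mirrors one navi tag command from the post:
# (category, value, plugin_id, text to look for in the plugin output).
RULES = [
    ("Security Software", "TCP Dump", 22869, "tcpdump"),
    ("Security Software", "Wireshark", 20811, "Wireshark"),
]

def preview(rules, findings):
    """Return {"category:value": {asset: where it matched}}; writes no tags."""
    hits = defaultdict(dict)
    for category, value, plugin_id, text in rules:
        needle = re.compile(re.escape(text), re.IGNORECASE)
        tag = f"{category}:{value}"
        for asset, pid, name, output in findings:
            if pid == plugin_id and needle.search(output):
                # Enumeration plugin lists the package as installed.
                hits[tag][asset] = "plugin output"
            elif needle.search(name):
                # A vulnerability plugin for this software fired on the asset.
                hits[tag].setdefault(asset, "plugin name")
    return {tag: dict(sorted(assets.items())) for tag, assets in hits.items()}

if __name__ == "__main__":
    for tag, assets in preview(RULES, FINDINGS).items():
        for asset, where in assets.items():
            print(f"{tag}\t{asset}\tmatched in {where}")
```

Assets that show up only through a plugin name are worth a second look, since a credentialed enumeration scan did not list the package for them.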
I hope sharing my obsession might help you with finding difficult-to-find assets and creating advanced tags!