You’re Fired! Now, where do you have local accounts?

3 min readApr 11, 2023

“You’re fired!” or “I Quit!”; whatever the scenario the next technical thing that happens when someone leaves is account remediation. Some solutions make it easy to shut off access widely.

However, local accounts aren’t as easy to disable in mass, especially if you don’t have an effective way of detecting them.

This is where thinking like a hacker pays off. A broom was never meant to be a weapon but against a handful of spiders its effective.

As the metaphor suggests, vulnerability scanning wasn’t designed to solve this problem. However, given the information gathered by Nessus, it’s quite useful in this capacity. Let’s look at the gold found in two plugins found using credentialed scanning.

The plugin, 95928 enumerates local users on Linux machines

In Windows, the plugin 71246 enumerates local user group memberships:

Now what?

Well, now that we know the data is there, let’s use it to our advantage. If we only had to do this once, the user interface would suffice. Since this passes the automation test of “repeatable and predictable”; I’m electing to automate it!

The Problem

The problem were solving here is visibility into what assets a user has access to, local or otherwise.

Solution Brief

Tags are the best way to identify groups of assets in Tenable.io; they can be used in Role based Access, Reports, Dashboards and focused scanning. All of which make it perfect for starting the workflow to solve this problem.

The Solution

The solution is a simple docker service. The docker service uses navi to download all of the vulnerability and asset data and parse the data using a username provided.

The results

After the service runs for each desired user, I get a clear view of how many assets of which they potentially have access.

On each effected asset, I have better visibility into what users have access to the machine:

The docker command

docker run -d packetchaos/usertags {your access key} {your secret key} {username}

The code

from os import system as cmd
import sys
import time
import requests
start = time.time()

access_key = str(sys.argv[1])
secret_key = str(sys.argv[2])
user = str(sys.argv[3])

url = "https://cloud.tenable.com"

# Replace 'access_key and secret_key with your keys
cmd('navi keys --a "{}" --s "{}"'.format(access_key, secret_key))

# Update the navi database for tagging on vulns
cmd('navi update full')


def grab_headers():
    return {'Content-type': 'application/json', 'user-agent': 'Navi-SS-user_tags', 'X-ApiKeys': 'accessKey=' + access_key + ';secretKey=' + secret_key}


cmd('navi tag --c "Known Users" --v "{}" --query "select asset_uuid from vulns where plugin_name LIKE \'%Users%\' and output LIKE \'%{}%\';"'.format(user, user))


finish = time.time()

total = finish - start
mins = total/60

print("The Script took {} seconds or {} minutes".format(total, mins))

One more thing

While the example I chose is powerful, this script could be used to determine asset ownership. Any use-case where you want visibility into who or what service has access to your environment.