Revisions

  1. @jasonadsit jasonadsit revised this gist Mar 1, 2022. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -3,7 +3,7 @@
    These examples assume you're using my [Get-TenablePluginOutput](https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e) PowerShell function. You can load it from the web here:

    ```powershell
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/499ef8312114f0780566782191a973694faa379c/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    . ([scriptblock]::Create($Content))
    ```
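Review bot: the replacement `-Uri` drops the commit hash from the raw path (`/raw/Get-TenablePluginOutput.ps1` instead of `/raw/499ef83…/Get-TenablePluginOutput.ps1`), so the `. ([scriptblock]::Create($Content))` line that follows dot-sources whatever revision that host serves at the moment it runs. Keep the revision-pinned URL, or save the script to disk, compare its `Get-FileHash` value with one you have reviewed, and dot-source the local copy.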

  2. @jasonadsit jasonadsit revised this gist Mar 1, 2022. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -3,7 +3,7 @@
    These examples assume you're using my [Get-TenablePluginOutput](https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e) PowerShell function. You can load it from the web here:

    ```powershell
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/6fd30c071e1863781983966a1eb6635ef16b6871/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/499ef8312114f0780566782191a973694faa379c/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    . ([scriptblock]::Create($Content))
    ```

  3. @jasonadsit jasonadsit revised this gist Mar 1, 2022. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -3,7 +3,7 @@
    These examples assume you're using my [Get-TenablePluginOutput](https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e) PowerShell function. You can load it from the web here:

    ```powershell
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/5e6be2139d372d3c8ec9262cdf25a799a9adfbea/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/6fd30c071e1863781983966a1eb6635ef16b6871/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    . ([scriptblock]::Create($Content))
    ```

  4. @jasonadsit jasonadsit revised this gist Mar 1, 2022. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -3,7 +3,7 @@
    These examples assume you're using my [Get-TenablePluginOutput](https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e) PowerShell function. You can load it from the web here:

    ```powershell
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/35a6ac5339a833bd701a7a29e39e2ac86ca27478/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/5e6be2139d372d3c8ec9262cdf25a799a9adfbea/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    . ([scriptblock]::Create($Content))
    ```

  5. @jasonadsit jasonadsit revised this gist Feb 28, 2022. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -3,7 +3,7 @@
    These examples assume you're using my [Get-TenablePluginOutput](https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e) PowerShell function. You can load it from the web here:

    ```powershell
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/73bca500e4508dcaebb89c3b71a6b49854fea9dd/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/35a6ac5339a833bd701a7a29e39e2ac86ca27478/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    . ([scriptblock]::Create($Content))
    ```

  6. @jasonadsit jasonadsit revised this gist Feb 28, 2022. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -3,7 +3,7 @@
    These examples assume you're using my [Get-TenablePluginOutput](https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e) PowerShell function. You can load it from the web here:

    ```powershell
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/4c35330033460f31edbf1808d4941152d05d51ce/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/73bca500e4508dcaebb89c3b71a6b49854fea9dd/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    . ([scriptblock]::Create($Content))
    ```

  7. @jasonadsit jasonadsit revised this gist Nov 5, 2021. 1 changed file with 13 additions and 0 deletions.
    13 changes: 13 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -407,3 +407,16 @@ Get-TenablePluginOutput -PluginID 66350 | ForEach-Object {
    }
    } | Export-Csv .\xyz-tenable-66350-wifi-history.csv
    ```

    ## [Microsoft Windows SMB Sessions (92373)](https://www.tenable.com/plugins/nessus/92373)

    ```powershell
    Get-TenablePluginOutput -PluginID 92373 -Flatten |
    Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Extended SMB session information attached.' } |
    Group-Object -Property NetBiosName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property @{n='Count';e={($_.Group.PluginOutput | Sort-Object -Unique).Count}},
    @{n='ComputerName';e={$_.Name}},@{n='IpAddress';e={$_.Group.IpAddress[0]}},
    @{n='SMB Sessions';e={[string](($_.Group.PluginOutput | Sort-Object -Unique) -join ', ')}} |
    Sort-Object -Property Count -Descending | Export-Csv .\xyz-tenable-92373-smb-sessions.csv
    ```
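Review bot: in the `IpAddress` column, `$_.Group.IpAddress[0]` indexes into a string whenever a group holds a single row (member enumeration returns the scalar), so the CSV gets the first character of the address instead of the address; use `$_.Group[0].IpAddress`. The first `Sort-Object -Property Count -Descending` is redundant because `Count` is recomputed from the unique session lines and sorted again before `Export-Csv`, and the `.` in the `-notmatch` pattern should be escaped if a literal full stop is meant.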
  8. @jasonadsit jasonadsit revised this gist Sep 30, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -170,7 +170,7 @@ Get-TenablePluginOutput -PluginID 65057 | ForEach-Object {
    ## [Windows DNS Server Enumeration (58181)](https://www.tenable.com/plugins/nessus/58181)

    ```powershell
    Get-TenablePluginOutput -PluginID 58181 -Flatten | Where-Object { $_.PluginOutput -match 'NameServer:' } | Select-Object -Property IpAddress,NetBiosName,@{n='DnsServers';e={$_.PluginOutput.Split(':')[-1].Trim().Replace(',',', ')}} | Group-Object -Property DnsServers | Sort-Object -Property Count -Descending | Select-Object -Property Count,@{n='DnsServers';e={$_.Name}},@{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} | Export-Csv .\xyz-tenable-58181-configured-dns-server-variance.csv
    Get-TenablePluginOutput -PluginID 58181 -Flatten | Where-Object { $_.PluginOutput -match 'NameServer:' } | Select-Object -Property IpAddress,NetBiosName,@{n='DnsServers';e={($_.PluginOutput.Split(':')[-1].Trim().Replace(' ',',')).Replace(',',', ')}} | Group-Object -Property DnsServers | Sort-Object -Property Count -Descending | Select-Object -Property Count,@{n='DnsServers';e={$_.Name}},@{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} | Export-Csv .\xyz-tenable-58181-configured-dns-server-variance.csv
    ```

    ## [WMI Encryptable Volume Enumeration (51187)](https://www.tenable.com/plugins/nessus/51187)
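Review bot: chaining `.Replace(' ',',')` into `.Replace(',',', ')` turns input that is already separated by a comma and a space into `, , `, and because `DnsServers` is grouped as a raw string, the same servers listed in a different order land in separate groups. Split once on `[,\s]+`, sort the pieces, and join them with `', '` before `Group-Object`. `Split(':')[-1]` also keeps only the text after the last colon, which truncates an IPv6 name server.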
  9. @jasonadsit jasonadsit revised this gist Sep 30, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -170,7 +170,7 @@ Get-TenablePluginOutput -PluginID 65057 | ForEach-Object {
    ## [Windows DNS Server Enumeration (58181)](https://www.tenable.com/plugins/nessus/58181)

    ```powershell
    Get-TenablePluginOutput -PluginID 58181 -Flatten | Where-Object { $_.PluginOutput -match 'NameServer:' } | Select-Object -Property IpAddress,NetBiosName,@{n='DnsServers';e={$_.PluginOutput.Split(':')[-1].Trim().Replace(',',' ')}} | Group-Object -Property DnsServers | Sort-Object -Property Count -Descending | Select-Object -Property Count,@{n='DnsServers';e={$_.Name}},@{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} | Export-Csv .\xyz-tenable-58181-configured-dns-server-variance.csv
    Get-TenablePluginOutput -PluginID 58181 -Flatten | Where-Object { $_.PluginOutput -match 'NameServer:' } | Select-Object -Property IpAddress,NetBiosName,@{n='DnsServers';e={$_.PluginOutput.Split(':')[-1].Trim().Replace(',',', ')}} | Group-Object -Property DnsServers | Sort-Object -Property Count -Descending | Select-Object -Property Count,@{n='DnsServers';e={$_.Name}},@{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} | Export-Csv .\xyz-tenable-58181-configured-dns-server-variance.csv
    ```

    ## [WMI Encryptable Volume Enumeration (51187)](https://www.tenable.com/plugins/nessus/51187)
  10. @jasonadsit jasonadsit revised this gist Sep 30, 2021. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -134,7 +134,8 @@ Get-TenablePluginOutput -PluginID 140655 | ForEach-Object {
    }
    }
    }
    } | Export-Csv .\xyz-tenable-140655-iis-bindings.csv
    } | Where-Object { $_.Domain -and $_.Protocol } |
    Export-Csv .\xyz-tenable-140655-iis-bindings.csv
    ```

    ## [Insecure Windows Service Permissions (65057)](https://www.tenable.com/plugins/nessus/65057)
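Review bot: the added `Where-Object { $_.Domain -and $_.Protocol }` drops every row whose `Domain` is empty, so a binding reported without a host name would disappear from the CSV. If that is not intended, filter on `$_.Protocol` alone.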
  11. @jasonadsit jasonadsit revised this gist Aug 10, 2021. 1 changed file with 34 additions and 0 deletions.
    34 changes: 34 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -372,3 +372,37 @@ Select-Object -Property IpAddress,
    @{n='Protocol';e={$_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim()}} |
    Export-Csv .\xyz-tenable-11219-syn-scanner.csv
    ```

    ## [Microsoft Windows Wireless Network History (66350)](https://www.tenable.com/plugins/nessus/66350)

    ```powershell
    Get-TenablePluginOutput -PluginID 66350 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -cmatch 'SSID\s:\s' } |
    ForEach-Object { $_.Trim() } |
    ForEach-Object {
    $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
    $EachOne = @{}
    $ErrorActionPreferenceBak = $ErrorActionPreference
    $ErrorActionPreference = [System.Management.Automation.ActionPreference]::SilentlyContinue
    $Lines | ForEach-Object {
    $Key = ($_ -split '\s:\s')[0].Trim()
    $Value = ($_ -split '\s:\s')[-1].Trim()
    $EachOne.Add($Key,$Value)
    }
    [pscustomobject][ordered]@{
    IpAddress = $IpAddress
    NetBiosName = $NetBiosName
    SSID = $EachOne['SSID']
    DefaultGatewayMac = $EachOne['DefaultGatewayMac']
    DnsSuffix = $EachOne['DnsSuffix']
    SecurityMode = $EachOne['Security Mode']
    Encryption = $EachOne['Encryption']
    DateCreated = $(([datetime]$($EachOne['DateCreated'])).GetDateTimeFormats('s'))
    DateLastConnected = $(([datetime]$($EachOne['DateLastConnected'])).GetDateTimeFormats('s'))
    }
    $ErrorActionPreference = $ErrorActionPreferenceBak
    }
    } | Export-Csv .\xyz-tenable-66350-wifi-history.csv
    ```
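Review bot: switching `$ErrorActionPreference` to `SilentlyContinue` around the block hides both duplicate-key failures from `$EachOne.Add($Key,$Value)` and failed `[datetime]` casts, so a malformed record cannot be told apart from a good one, and the preference is only restored if execution reaches the last line of the block. Assign with `$EachOne[$Key] = $Value`, parse the two dates with `[datetime]::TryParse`, and leave the preference untouched. `($_ -split '\s:\s')[-1]` also cuts a value that itself contains ` : `; `-split '\s:\s', 2` keeps it whole, which matters for `SSID` because that text is chosen by whoever runs the access point.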
  12. @jasonadsit jasonadsit revised this gist Jul 29, 2021. 1 changed file with 12 additions and 0 deletions.
    12 changes: 12 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -360,3 +360,15 @@ Get-TenablePluginOutput -PluginID 50859 | ForEach-Object {
    }
    } | Export-Csv .\xyz-tenable-50859-wsus-client-settings.csv
    ```

    ## [Nessus SYN scanner (11219)](https://www.tenable.com/plugins/nessus/11219)

    ```powershell
    Get-TenablePluginOutput -PluginID 11219 -Flatten |
    Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Nessus was able to find' } |
    Select-Object -Property IpAddress,
    NetBiosName,
    @{n='Port';e={$_.PluginOutput.Split(' ')[1].Split('/')[0].Trim()}},
    @{n='Protocol';e={$_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim()}} |
    Export-Csv .\xyz-tenable-11219-syn-scanner.csv
    ```
  13. @jasonadsit jasonadsit revised this gist Jul 27, 2021. 1 changed file with 31 additions and 0 deletions.
    31 changes: 31 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -329,3 +329,34 @@ Select-Object -Property IpAddress,
    @{n='Protocol';e={$_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim()}} |
    Export-Csv .\xyz-tenable-34220-netstat-portscanner-wmi.csv
    ```

    ## [Microsoft Windows SMB : WSUS Client Configured (50859)](https://www.tenable.com/plugins/nessus/50859)

    ```powershell
    Get-TenablePluginOutput -PluginID 50859 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $Lines = $_.PluginOutput -split "`n" | Where-Object { $_ } | ForEach-Object { $_.Trim() }
    $WsusServer = $Lines | Where-Object { $_ -match '^http' }
    $EachOne = @{}
    $Lines | ForEach-Object {
    $Key = ($_ -split '\s:\s')[0].Trim()
    $Value = ($_ -split '\s:\s')[-1].Trim()
    $EachOne.Add($Key,$Value)
    }
    [pscustomobject][ordered]@{
    IpAddress = $IpAddress
    NetBiosName = $NetBiosName
    WsusServer = $WsusServer
    ElevateNonAdmins = $EachOne['ElevateNonAdmins']
    TargetGroup = $EachOne['TargetGroup']
    AUOptions = $EachOne['AUOptions']
    AutoInstallMinorUpdates = $EachOne['AutoInstallMinorUpdates']
    DetectionFrequency = $EachOne['DetectionFrequency']
    NoAutoRebootWithLoggedOnUsers = $EachOne['NoAutoRebootWithLoggedOnUsers']
    NoAutoUpdate = $EachOne['NoAutoUpdate']
    ScheduledInstallDay = $EachOne['ScheduledInstallDay']
    ScheduledInstallTime = $EachOne['ScheduledInstallTime']
    }
    } | Export-Csv .\xyz-tenable-50859-wsus-client-settings.csv
    ```
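Review bot: `$WsusServer = $Lines | Where-Object { $_ -match '^http' }` becomes an array when more than one line starts with `http`, and `Export-Csv` writes an array property as its type name rather than its values; join the matches with `-join '; '` or take the first. Those same lines contain no ` : `, so the loop adds them to `$EachOne` with the whole line as both key and value, and two identical lines make `.Add` throw. Restrict the key/value loop to lines matching `\s:\s`.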
  14. @jasonadsit jasonadsit revised this gist Jul 27, 2021. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -325,7 +325,7 @@ Get-TenablePluginOutput -PluginID 34220 -Flatten |
    Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Nessus was able to find' } |
    Select-Object -Property IpAddress,
    NetBiosName,
    @{n='Port';e={$_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim()}},
    @{n='Protocol';e={$_.PluginOutput.Split(' ')[1].Split('/')[0].Trim()}} |
    @{n='Port';e={$_.PluginOutput.Split(' ')[1].Split('/')[0].Trim()}},
    @{n='Protocol';e={$_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim()}} |
    Export-Csv .\xyz-tenable-34220-netstat-portscanner-wmi.csv
    ```
  15. @jasonadsit jasonadsit revised this gist Jul 27, 2021. 1 changed file with 7 additions and 1 deletion.
    8 changes: 7 additions & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -321,5 +321,11 @@ Get-TenablePluginOutput -PluginID 16193 | ForEach-Object {
    ## [Netstat Portscanner (WMI) (34220)](https://www.tenable.com/plugins/nessus/34220)

    ```powershell
    Get-TenablePluginOutput -PluginID 34220 -Flatten | Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Nessus was able to find' } | Select-Object -Property IpAddress,NetBiosName,@{n='Port';e={$_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim()}},@{n='Protocol';e={$_.PluginOutput.Split(' ')[1].Split('/')[0].Trim()}}
    Get-TenablePluginOutput -PluginID 34220 -Flatten |
    Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Nessus was able to find' } |
    Select-Object -Property IpAddress,
    NetBiosName,
    @{n='Port';e={$_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim()}},
    @{n='Protocol';e={$_.PluginOutput.Split(' ')[1].Split('/')[0].Trim()}} |
    Export-Csv .\xyz-tenable-34220-netstat-portscanner-wmi.csv
    ```
  16. @jasonadsit jasonadsit revised this gist Jul 27, 2021. 1 changed file with 6 additions and 0 deletions.
    6 changes: 6 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -317,3 +317,9 @@ Get-TenablePluginOutput -PluginID 16193 | ForEach-Object {
    }
    } | Export-Csv .\xyz-tenable-16193-antivirus-software-check.csv
    ```

    ## [Netstat Portscanner (WMI) (34220)](https://www.tenable.com/plugins/nessus/34220)

    ```powershell
    Get-TenablePluginOutput -PluginID 34220 -Flatten | Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Nessus was able to find' } | Select-Object -Property IpAddress,NetBiosName,@{n='Port';e={$_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim()}},@{n='Protocol';e={$_.PluginOutput.Split(' ')[1].Split('/')[0].Trim()}}
    ```
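Review bot: the `Port` and `Protocol` expressions are inverted: `Port` takes `Split('/')[-1]` and `Protocol` takes `Split('/')[0]`, so for a token written as port/protocol the two columns are swapped. Swap the indices, and end the pipeline with `Export-Csv` as the other sections do.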
  17. @jasonadsit jasonadsit revised this gist Jul 26, 2021. 1 changed file with 30 additions and 0 deletions.
    30 changes: 30 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -287,3 +287,33 @@ Get-TenablePluginOutput -PluginID 60119 | ForEach-Object {
    }
    } | Export-Csv .\xyz-tenable-60119-share-access.csv
    ```

    ## [Antivirus Software Check (16193)](https://www.tenable.com/plugins/nessus/16193)

    ```powershell
    Get-TenablePluginOutput -PluginID 16193 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" |
    Where-Object { $_ -match 'Product\sname' } |
    ForEach-Object { $_.Trim() } | ForEach-Object {
    $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
    $EachOne = @{}
    $Lines | ForEach-Object {
    $Key = ($_ -split '\s:\s')[0].Trim()
    $Value = ($_ -split '\s:\s')[-1].Trim()
    $EachOne.Add($Key,$Value)
    }
    [pscustomobject][ordered]@{
    IpAddress = $IpAddress
    NetBiosName = $NetBiosName
    ProductName = $EachOne['Product name']
    Path = $EachOne['Path']
    Version = $EachOne['Version']
    EngineVersion = $EachOne['Engine version']
    AntiVirusSigVersion = $EachOne['Antivirus signature version']
    AntiSpywareSigVersion = $EachOne['Antispyware signature version']
    }
    }
    } | Export-Csv .\xyz-tenable-16193-antivirus-software-check.csv
    ```
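Review bot: the `Where-Object { $_ -match 'Product\sname' }` filter means a host whose plugin output contains no such block produces no row at all, so the CSV cannot be used to find systems where no product was reported. Emit a row with empty product fields for those hosts if the export is meant to show coverage gaps.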
  18. @jasonadsit jasonadsit revised this gist Jul 7, 2021. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -95,7 +95,8 @@ Sort-Object -Unique | ForEach-Object {
    ChangePassword = $EachOne['Change password']
    Source = $EachOne['Source']
    }
    } | Sort-Object -Property SID -Unique | Export-Csv .\xyz-tenable-72684-users.csv
    } | Sort-Object -Property SID -Unique | Sort-Object -Property Name |
    Export-Csv .\xyz-tenable-72684-users.csv
    ```

    ## [Windows Mapped Network Drives (92422)](https://www.tenable.com/plugins/nessus/92422)
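Review bot: `Sort-Object -Property SID -Unique` keeps a single row per SID and discards the rest, so when the same account is reported with different `Disabled`, `Lockout` or `Source` values only one of them reaches the CSV. If those differences matter, de-duplicate on all the columns; `Sort-Object -Property Name,SID,Disabled,Lockout,ChangePassword,Source -Unique` does that and the ordering in one step.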
  19. @jasonadsit jasonadsit revised this gist Jul 7, 2021. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -90,9 +90,9 @@ Sort-Object -Unique | ForEach-Object {
    [pscustomobject][ordered]@{
    Name = $EachOne['Name']
    SID = $EachOne['SID']
    Disabled = [bool]$EachOne['Disabled']
    Lockout = [bool]$EachOne['Lockout']
    ChangePassword = [bool]$EachOne['Change password']
    Disabled = $EachOne['Disabled']
    Lockout = $EachOne['Lockout']
    ChangePassword = $EachOne['Change password']
    Source = $EachOne['Source']
    }
    } | Sort-Object -Property SID -Unique | Export-Csv .\xyz-tenable-72684-users.csv
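Review bot: with the `[bool]` casts gone, `Disabled`, `Lockout` and `ChangePassword` stay as the strings the plugin printed, which is the safer choice because `[bool]` of any non-empty string, `'false'` included, is `$true`. If real booleans are needed later, compare the text explicitly against the value the plugin prints rather than restoring the cast.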
  20. @jasonadsit jasonadsit revised this gist Jul 6, 2021. 1 changed file with 41 additions and 0 deletions.
    41 changes: 41 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -245,3 +245,44 @@ Select-Object -Property Count,
    @{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} |
    Export-Csv .\xyz-tenable-44401-service-config.csv
    ```

    ## [Microsoft Windows SMB Share Permissions Enumeration (60119)](https://www.tenable.com/plugins/nessus/60119)

    ```powershell
    Get-TenablePluginOutput -PluginID 60119 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" |
    Where-Object { $_ -match 'Share\spath' } | ForEach-Object {
    $ShareAccess = $_.Trim()
    $ShareName = ($ShareAccess -split "`n")[0].Split(':')[-1].Trim()
    $LocalPath = ($ShareAccess -split "`n")[1].Split(':')[-1].Trim()
    $ShareACL = ($ShareAccess -split "`n" | Select-Object -Skip 2) -join "`r`n"
    $ShareACL -split '\[\*]\s' |
    Where-Object { $_ -match '\sACE\sfor\s' } | ForEach-Object {
    $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
    $EachOne = @{}
    $Lines | ForEach-Object {
    $Key = ($_ -split ':\s')[0].Trim()
    $Value = ($_ -split ':\s')[-1].Trim()
    $EachOne.Add($Key,$Value)
    }
    $AccessType = $Lines[0].Split(' ')[0].Trim()
    $Principal = ($Lines[0] -split '\sACE\sfor\s')[-1].Split(':')[0].Trim()
    $HexACL = $Lines[0].Split(':')[-1].Trim()
    [pscustomobject][ordered]@{
    IpAddress = $IpAddress
    NetBiosName = $NetBiosName
    ShareName = $ShareName
    LocalPath = $LocalPath
    AccessType = $AccessType
    Principal = $Principal
    HexACL = $HexACL
    Read = $EachOne['FILE_GENERIC_READ']
    Write = $EachOne['FILE_GENERIC_WRITE']
    Execute = $EachOne['FILE_GENERIC_EXECUTE']
    }
    }
    }
    } | Export-Csv .\xyz-tenable-60119-share-access.csv
    ```
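Review bot: `$LocalPath` is taken with `.Split(':')[-1]`, which keeps only what follows the last colon, so a path with a drive letter loses the drive (`C:\Data` comes out as `\Data`). Split on the first separator only, for example with `-split ':\s*', 2`, and take the second element.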
  21. @jasonadsit jasonadsit revised this gist Jul 6, 2021. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -213,7 +213,7 @@ with...
    Group-Object -Property ProtectionStatus | Sort-Object -Property Count -Descending | Select-Object -Property @{n='VolumeCount';e={$_.Count}},@{n='BitLockerStatus';e={if ($_.Name -match 'Off') {'Unencrypted'} elseif ($_.Name -match 'On') {'Encrypted'}}},@{n='TotalData(GB)';e={($_.Group | Measure-Object -Property SizeGB -Sum).Sum}}
    ```

    [Microsoft Windows SMB Service Config Enumeration (44401)](https://www.tenable.com/plugins/nessus/44401)
    ## [Microsoft Windows SMB Service Config Enumeration (44401)](https://www.tenable.com/plugins/nessus/44401)

    ```powershell
    Get-TenablePluginOutput -PluginID 44401 | ForEach-Object {
  22. @jasonadsit jasonadsit revised this gist Jul 6, 2021. 1 changed file with 33 additions and 0 deletions.
    33 changes: 33 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -212,3 +212,36 @@ with...
    ```powershell
    Group-Object -Property ProtectionStatus | Sort-Object -Property Count -Descending | Select-Object -Property @{n='VolumeCount';e={$_.Count}},@{n='BitLockerStatus';e={if ($_.Name -match 'Off') {'Unencrypted'} elseif ($_.Name -match 'On') {'Encrypted'}}},@{n='TotalData(GB)';e={($_.Group | Measure-Object -Property SizeGB -Sum).Sum}}
    ```

    [Microsoft Windows SMB Service Config Enumeration (44401)](https://www.tenable.com/plugins/nessus/44401)

    ```powershell
    Get-TenablePluginOutput -PluginID 44401 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -match 'Executable' } | ForEach-Object {
    $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
    $EachOne = @{}
    $Lines | ForEach-Object {
    $Key = ($_ -split '\s:\s')[0].Trim()
    $Value = ($_ -split '\s:\s')[-1].Trim()
    $EachOne.Add($Key,$Value)
    [pscustomobject][ordered]@{
    IpAddress = $IpAddress
    NetBiosName = $NetBiosName
    DisplayName = $EachOne['Display name']
    ServiceName = $EachOne['Service name']
    LogOnAs = $EachOne['Log on as']
    ExecutablePath = $EachOne['Executable path']
    }
    }
    }
    } | Where-Object { $_.ExecutablePath -and $_.ServiceName } |
    Group-Object -Property ExecutablePath |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
    @{n='DisplayName';e={$_.Group[0].DisplayName}},
    @{n='ExecutablePath';e={$_.Name}},
    @{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} |
    Export-Csv .\xyz-tenable-44401-service-config.csv
    ```
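Review bot: the `[pscustomobject]` literal sits inside the `$Lines | ForEach-Object {` loop (the brace that opens the loop is not closed until after the object), so one object is emitted per line of a service block, built from whatever keys have been added so far. The trailing `Where-Object { $_.ExecutablePath -and $_.ServiceName }` removes the early partial rows, but every line processed after both keys are present still emits a row, which inflates `Count` and repeats names in `Systems`. Close the loop right after `$EachOne.Add($Key,$Value)` and emit the object once per block.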
  23. @jasonadsit jasonadsit revised this gist Jul 2, 2021. 1 changed file with 12 additions and 0 deletions.
    12 changes: 12 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -200,3 +200,15 @@ Get-TenablePluginOutput -PluginID 51187 | ForEach-Object {
    }
    } | Export-Csv .\xyz-tenable-51187-bitlocker.csv
    ```

    Also, if you're just looking for some high-level stats, re-run the above after replacing...

    ```powershell
    Export-Csv .\xyz-tenable-51187-bitlocker.csv
    ```

    with...

    ```powershell
    Group-Object -Property ProtectionStatus | Sort-Object -Property Count -Descending | Select-Object -Property @{n='VolumeCount';e={$_.Count}},@{n='BitLockerStatus';e={if ($_.Name -match 'Off') {'Unencrypted'} elseif ($_.Name -match 'On') {'Encrypted'}}},@{n='TotalData(GB)';e={($_.Group | Measure-Object -Property SizeGB -Sum).Sum}}
    ```
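Review bot: the `BitLockerStatus` label relies on `-match 'Off'` and `-match 'On'`, which are case-insensitive substring tests, so any status that merely contains the letters `on` is labelled `Encrypted` and anything matching neither pattern gets an empty label. Compare with `-eq 'Off'` and `-eq 'On'` and add an `else` branch that passes the original `$_.Name` through, so unexpected statuses stay visible in the summary.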
  24. @jasonadsit jasonadsit revised this gist Jul 2, 2021. 1 changed file with 65 additions and 0 deletions.
    65 changes: 65 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -135,3 +135,68 @@ Get-TenablePluginOutput -PluginID 140655 | ForEach-Object {
    }
    } | Export-Csv .\xyz-tenable-140655-iis-bindings.csv
    ```

    ## [Insecure Windows Service Permissions (65057)](https://www.tenable.com/plugins/nessus/65057)

    ```powershell
    Get-TenablePluginOutput -PluginID 65057 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -cmatch 'Path\s:\s' } | ForEach-Object {
    $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
    $ErrorActionPreferenceBak = $ErrorActionPreference
    $ErrorActionPreference = [System.Management.Automation.ActionPreference]::SilentlyContinue
    $EachOne = @{}
    $Lines | ForEach-Object {
    $Key = ($_ -split '\s:\s')[0].Trim()
    $Value = ($_ -split '\s:\s')[-1].Trim()
    $EachOne.Add($Key,$Value)
    [pscustomobject][ordered]@{
    IpAddress = $IpAddress
    NetBiosName = $NetBiosName
    Path = $EachOne['Path']
    UsedByServices = $EachOne['Used by services']
    WritePermissions = $EachOne['File write allowed for groups']
    FullControl = $EachOne['Full control of directory allowed for groups']
    }
    }
    $ErrorActionPreference = $ErrorActionPreferenceBak
    }
    } | Where-Object { $_.Write -or $_.FullControl } | Export-Csv .\xyz-tenable-65057-insecure-service-permissions.csv
    ```

    ## [Windows DNS Server Enumeration (58181)](https://www.tenable.com/plugins/nessus/58181)

    ```powershell
    Get-TenablePluginOutput -PluginID 58181 -Flatten | Where-Object { $_.PluginOutput -match 'NameServer:' } | Select-Object -Property IpAddress,NetBiosName,@{n='DnsServers';e={$_.PluginOutput.Split(':')[-1].Trim().Replace(',',' ')}} | Group-Object -Property DnsServers | Sort-Object -Property Count -Descending | Select-Object -Property Count,@{n='DnsServers';e={$_.Name}},@{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} | Export-Csv .\xyz-tenable-58181-configured-dns-server-variance.csv
    ```

    ## [WMI Encryptable Volume Enumeration (51187)](https://www.tenable.com/plugins/nessus/51187)

    ```powershell
    Get-TenablePluginOutput -PluginID 51187 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput = $_.PluginOutput.Trim()
    $_.PluginOutput = $_.PluginOutput -replace "^Here is a list of encryptable volumes available on the remote system :`n"
    $_.PluginOutput -split '\+\sDriveLetter\s' | Where-Object { $_ -match ':' } | ForEach-Object {
    $DriveLetter = ($_ -split "`n")[0]
    $Lines = $_ -split "`n" | Where-Object { $_ -match '\s:\s' } | ForEach-Object { $_.Trim() }
    $EachOne = @{}
    $Lines | ForEach-Object {
    $Key = ($_ -split '\s:\s')[0].Trim()
    $Value = ($_ -split '\s:\s')[-1].Trim()
    $EachOne.Add($Key,$Value)
    }
    $ProtectionStatus = ($EachOne['- Protection Status']).Split(' ')[-1]
    $SizeGB = [decimal]($EachOne['- Size']).Split(' ')[0]
    [pscustomobject][ordered]@{
    IpAddress = $IpAddress
    NetBiosName = $NetBiosName
    DriveLetter = $DriveLetter
    ProtectionStatus = $ProtectionStatus
    SizeGB = $SizeGB
    }
    }
    } | Export-Csv .\xyz-tenable-51187-bitlocker.csv
    ```
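Review bot: in the plugin 65057 pipeline the final filter tests `$_.Write`, but the object defines `WritePermissions`, so that half of the condition is always empty and paths that are writable without full control never reach the CSV; use `$_.WritePermissions -or $_.FullControl`. In the same section the object is created inside the per-line `ForEach-Object`, so rows are emitted before all keys have been read; move it after that loop's closing brace.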
  25. @jasonadsit jasonadsit revised this gist Jun 30, 2021. 1 changed file with 32 additions and 0 deletions.
    32 changes: 32 additions & 0 deletions useful-tenable-plugins.md
    Original file line number Diff line number Diff line change
    @@ -103,3 +103,35 @@ Sort-Object -Unique | ForEach-Object {
    ```powershell
    Get-TenablePluginOutput -PluginID 92422 -Flatten | Where-Object { $_.PluginOutput -match ':\s\\\\' } | Select-Object -Property IpAddress,NetBiosName,@{n='DriveLetter';e={($_.PluginOutput -split '\s:\s')[0].ToUpper()}},@{n='Path';e={($_.PluginOutput -split '\s:\s')[-1]}} | Export-Csv .\xyz-tenable-92422-mapped-drives.csv
    ```

    ## [Microsoft Internet Information Services (IIS) Sites Enumeration (140655)](https://www.tenable.com/plugins/nessus/140655)

    ```powershell
    Get-TenablePluginOutput -PluginID 140655 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput = $_.PluginOutput -replace "^Nessus found the following sites configured on the remote host:`n"
    $_.PluginOutput -split '\+\ssite\sname:\s' | ForEach-Object {
    $SiteName = ($_ -split "`n")[0]
    $_ -split '\+\sbinding' | Where-Object { $_ -match '\s:\s' } | ForEach-Object {
    $EachBinding = $_.Trim()
    $Lines = $EachBinding -split "`n" | Where-Object { $_ -match '\s:\s' } | ForEach-Object { $_.Trim() }
    $EachOne = @{}
    $Lines | ForEach-Object {
    $Key = ($_ -split '\s:\s')[0].Trim()
    $Value = ($_ -split '\s:\s')[-1].Trim()
    $EachOne.Add($Key,$Value)
    [pscustomobject][ordered]@{
    IpAddress = $IpAddress
    NetBiosName = $NetBiosName
    SiteName = $SiteName
    BindingIp = $EachOne['- IP address']
    BindingPort = $EachOne['- port']
    Domain = $EachOne['- domain']
    Protocol = $EachOne['- protocol']
    }
    }
    }
    }
    } | Export-Csv .\xyz-tenable-140655-iis-bindings.csv
    ```
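
    Review bot: In the 140655 block the `[pscustomobject]` is built inside the `$Lines | ForEach-Object {` loop, because that loop is not closed after `$EachOne.Add($Key,$Value)`. Each binding therefore produces one CSV row per key/value line, and the earlier rows carry empty BindingPort, Domain or Protocol fields until the hashtable fills up. Close the loop with `}` directly after the `Add` call, emit the object once per binding, and drop the closing brace that becomes surplus at the end, which is the structure the Enumerate Users via WMI (72684) section of the same file already uses.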
  26. @jasonadsit jasonadsit revised this gist Jun 30, 2021. 1 changed file with 49 additions and 0 deletions.
    49 changes: 49 additions & 0 deletions useful-tenable-plugins.md
    @@ -54,3 +54,52 @@ Export-Csv .\xyz-tenable-65791-portable-devices.csv
    ```powershell
    Get-TenablePluginOutput -PluginID 38689 -Flatten | Where-Object { $_.PluginOutput -match '\s:\s' } | Select-Object -Property IpAddress,NetBiosName,@{n='LastLoggedOn';e={($_.PluginOutput -split '\s:\s')[-1].Trim()}} | Export-Csv .\xyz-tenable-38689-last-logged-on-user.csv
    ```

    ## [Common Platform Enumeration (CPE) (45590)](https://www.tenable.com/plugins/nessus/45590)

    ```powershell
    Get-TenablePluginOutput -PluginID 45590 -Flatten | Where-Object { $_.PluginOutput -match 'cpe:' } | Group-Object -Property PluginOutput | Sort-Object -Property Count -Descending | Select-Object -Property Count,Name,@{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} | Export-Csv .\xyz-tenable-45590-cpe.csv
    ```

    ## [Microsoft Windows SMB Shares Enumeration (10395)](https://www.tenable.com/plugins/nessus/10395)

    ```powershell
    Get-TenablePluginOutput -PluginID 10395 -Flatten | Where-Object { $_.PluginOutput -match '^-' } | Group-Object -Property PluginOutput | Sort-Object -Property Count -Descending | Select-Object -Property Count,@{n='ShareName';e={$_.Name -replace '^-\s'}},@{n='System';e={[string]($_.Group.NetBiosName -join ', ')}} | Export-Csv .\xyz-tenable-10395-smb-shares.csv
    ```

    ## [Microsoft Windows Process Information (70329)](https://www.tenable.com/plugins/nessus/70329)

    ```powershell
    Get-TenablePluginOutput -PluginID 70329 -Flatten | Where-Object { $_.PluginOutput -match '\.' } | Select-Object -Property IpAddress,NetBiosName,@{n='PluginOutput';e={$_.PluginOutput.Split(' ')[-2]}} | Group-Object -Property PluginOutput | Sort-Object -Property Count -Descending | Select-Object -Property Count,@{n='ProcessName';e={$_.Name}},@{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} | Export-Csv .\xyz-tenable-70329-windows-process-stats.csv
    ```

    ## [Enumerate Users via WMI (72684)](https://www.tenable.com/plugins/nessus/72684)

    ```powershell
    Get-TenablePluginOutput -PluginID 72684 |
    ForEach-Object { $_.PluginOutput -split "`n`n" } |
    Where-Object { $_ -cmatch 'SID' } |
    Sort-Object -Unique | ForEach-Object {
    $EachOne = @{}
    $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
    $Lines | ForEach-Object {
    $Key = ($_ -split '\s:\s')[0].Trim()
    $Value = ($_ -split '\s:\s')[-1].Trim()
    $EachOne.Add($Key,$Value)
    }
    [pscustomobject][ordered]@{
    Name = $EachOne['Name']
    SID = $EachOne['SID']
    Disabled = [bool]$EachOne['Disabled']
    Lockout = [bool]$EachOne['Lockout']
    ChangePassword = [bool]$EachOne['Change password']
    Source = $EachOne['Source']
    }
    } | Sort-Object -Property SID -Unique | Export-Csv .\xyz-tenable-72684-users.csv
    ```

    ## [Windows Mapped Network Drives (92422)](https://www.tenable.com/plugins/nessus/92422)

    ```powershell
    Get-TenablePluginOutput -PluginID 92422 -Flatten | Where-Object { $_.PluginOutput -match ':\s\\\\' } | Select-Object -Property IpAddress,NetBiosName,@{n='DriveLetter';e={($_.PluginOutput -split '\s:\s')[0].ToUpper()}},@{n='Path';e={($_.PluginOutput -split '\s:\s')[-1]}} | Export-Csv .\xyz-tenable-92422-mapped-drives.csv
    ```
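
    Review bot: In the 72684 block, `[bool]$EachOne['Disabled']`, `[bool]$EachOne['Lockout']` and `[bool]$EachOne['Change password']` cast strings to booleans, and PowerShell converts any non-empty string to `$true`, so a field the plugin reports as the text False still exports as True. The account-state columns are the ones an auditor is likely to filter on, so this skews the result for every account. Compare the text instead, for example `$EachOne['Disabled'] -eq 'True'`, or use `[bool]::Parse()` once the exact values in the plugin output have been confirmed. A smaller point in the same block: `$EachOne.Add($Key,$Value)` throws if a key repeats within one user entry; `$EachOne[$Key] = $Value` avoids that.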
  27. @jasonadsit jasonadsit created this gist Jun 28, 2021.
    56 changes: 56 additions & 0 deletions useful-tenable-plugins.md
    @@ -0,0 +1,56 @@
    # Useful Tenable Plugins (and how to parse them)

    These examples assume you're using my [Get-TenablePluginOutput](https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e) PowerShell function. You can load it from the web here:

    ```powershell
    $Content = Invoke-WebRequest -Uri https://gist.github.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/4c35330033460f31edbf1808d4941152d05d51ce/Get-TenablePluginOutput.ps1 | Select-Object -ExpandProperty Content
    . ([scriptblock]::Create($Content))
    ```

    Also assumes you've already set your working directory to one with some .nessus files in it. ;-)

    ## [Microsoft Windows 'Domain Administrators' Group User List (10908)](https://www.tenable.com/plugins/nessus/10908)

    ```powershell
    Get-TenablePluginOutput -PluginID 10908 -Flatten | Where-Object { $_.PluginOutput -match '^-\s' } | Select-Object -Property IpAddress,NetBiosName,@{n='PluginOutput';e={($_.PluginOutput -replace '^-\s').Trim()}} | Select-Object -ExpandProperty PluginOutput | Sort-Object -Unique | Out-File .\xyz-tenable-10908-domain-admins.txt
    ```

    ## [Microsoft Windows 'Administrators' Group User List (10902)](https://www.tenable.com/plugins/nessus/10902)

    ```powershell
    Get-TenablePluginOutput -PluginID 10902 -Flatten | Where-Object { $_.PluginOutput -match '^-\s' } | Select-Object -Property IpAddress,NetBiosName,@{n='PluginOutput';e={($_.PluginOutput -replace '^-\s').Trim()}} | ForEach-Object { if ($_.PluginOutput -match 'Administrator\s\(User\)') { $_.PluginOutput = $_.PluginOutput.Split('\')[-1] } $_ } | Group-Object -Property PluginOutput | Sort-Object -Property Count -Descending | Select-Object -Property Count,Name,@{n='Systems';e={[string]($_.Group.NetBiosName -join ", ")}} | Export-Csv .\xyz-tenable-10902-local-admins.csv
    ```

    ## [Microsoft Windows Portable Devices (65791)](https://www.tenable.com/plugins/nessus/65791)

    ```powershell
    Get-TenablePluginOutput -PluginID 65791 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    ($_.PluginOutput -split "`n`n").Trim() | Where-Object { $_ -cmatch 'Friendly name' } | ForEach-Object {
    $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
    $EachOne = @{}
    $Lines | ForEach-Object {
    $Key = ($_ -split '\s:\s')[0].Trim()
    $Value = ($_ -split '\s:\s')[-1].Trim()
    $EachOne.Add($Key,$Value)
    [pscustomobject][ordered]@{
    IpAddress = $IpAddress
    NetBiosName = $NetBiosName
    FriendlyName = $EachOne['Friendly name']
    Device = $EachOne['Device']
    }
    }
    } | Where-Object { $_.Device }
    } | Select-Object -Property IpAddress,NetBiosName,@{n='DeviceName';e={"$($_.FriendlyName) | $($_.Device)"}} |
    Group-Object -Property NetBiosName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,@{n='NetBiosName';e={$_.Name}},@{n='DeviceName';e={[string]($_.Group.DeviceName -join "`r`n")}} |
    Export-Csv .\xyz-tenable-65791-portable-devices.csv
    ```

    ## [Microsoft Windows SMB Last Logged On User Disclosure (38689)](https://www.tenable.com/plugins/nessus/38689)

    ```powershell
    Get-TenablePluginOutput -PluginID 38689 -Flatten | Where-Object { $_.PluginOutput -match '\s:\s' } | Select-Object -Property IpAddress,NetBiosName,@{n='LastLoggedOn';e={($_.PluginOutput -split '\s:\s')[-1].Trim()}} | Export-Csv .\xyz-tenable-38689-last-logged-on-user.csv
    ```
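
    Review bot: The loader at the top of the file passes the body returned by `Invoke-WebRequest` straight to `[scriptblock]::Create($Content)` and dot-sources it, so whatever the remote host returns runs in the analyst's session without being looked at. The URL is pinned to a commit hash here, which helps, but the README should still recommend saving the script to disk, reviewing it, checking it with `Get-FileHash` against a recorded value, and dot-sourcing the local copy. Separately, in the 65791 block the `[pscustomobject]` is emitted inside the `$Lines | ForEach-Object {` loop and the partial rows are only hidden by the later `Where-Object { $_.Device }`; closing the loop after `$EachOne.Add($Key,$Value)` and emitting one object per device would not depend on the order of the lines in the plugin output.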