Tag Archives: OpenSSH

Making Expect scripts for SSH Authentication and Privilege Elevation

Expect can help you to automate interactive console applications. For example, expect script can go to some Linux host via SSH with password authentication, make additional authentication procedures (su, sudo) to elevate privileges and execute some commands. Like Vulnerability and Compliance management products do during the active Linux scanning, right? šŸ™‚ For example you can get the list of installed packages and makeĀ Vulnerability Assessment without Vulnerability Scanner.

Expect SSH exec

Actually, the tool is pretty old. It was presented more than 20 years ago! And perhaps now it makes more sense to use python scripts, for example paramiko with paramiko-expect. Or even use some software provisioning tool, like Ansible. But my fun was in creating (generating?) a small old-school scripts that could be sent to any remote host (with expect installed) to gather information from the accessible hosts.

Continue reading

Dealing with Nessus logs

Debugging Nessus scans is a very interesting topic. And it is not very well described even in Tenable University course. It become especially interesting when you see strange network errors in the scan results.Ā Let’s see how we can troubleshoot Nessus scans without sending Nessus DB files to TenableĀ  (which is, of course, the default way šŸ˜‰ ).

Nessus Logs

Default logging

Let’s see default NessusĀ logs. I cleared log nessusd.messagesĀ file to have only logs of the latest scan:

# echo "" > /opt/nessus/var/nessus/logs/nessusd.messages

and restarted Nessus:

# /bin/systemctl start nessusd.service

I scan only one host (test-linux-host01, 192.168.56.12) with the Advanced scan profile. No default settings was set.

As you can see from the cpe report, it’s typical Linux host with ssh server:

typical Linux host with ssh

What’s in the logs?

Continue reading

Vulners Nmap plugin

In previous post about Vulners vulnerability detection plugins for Burp and Google Chrome, I mentioned that it would be great to have a plugin for some free publicly available tool, like Nmap. And guys from the Vulners Team have recently released Nmap plugin. Isn’t it awesome? šŸ™‚

Vulners Nmap vulnerability detection plugin

To detect vulnerabilities with Vulners Nmap plugin, you need to download the scriptĀ and run it like this:

$ wget -O vulners.nse https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse
$Ā nmap -sV --script vulners.nse corporation.com

The output you can see on the screenshot above.

First of all, I need to say that it’s not the full analogue of the plugins for Burp and Google Chrome.

In the current version it doesn’t analyse the content and headers of the site. It doesn’t detect vulnerabilities of standard Web applications. From the other hand, this plugin can detect vulnerabilities of network services, that plugins for Burp and Chrome obviously won’t detect.

Continue reading

SSH, SFTP, public key authentication and python

SFTP is a simple and fairly reliable way to share the information within the organization. Let’s look at the situation when you need to pick up some files from a remote host with authorization by public key. And after that, let’s see how to use it with in python.

ssh sftp python

Moreover, let’s see how to work with SSH using python and execute any commands on the remote host. For example. if we need it to collect versions of installed packages and a version Linux distribution for further vulnerability analysis (see “Vulnerability Assessment without Vulnerability Scanner“). šŸ˜‰

Continue reading