Vulristics: Beyond Microsoft Patch Tuesdays, Analyzing Arbitrary CVEs

Hello everyone! In this episode I would like to share an update for my Vulristics project.

For those who don’t know, in this project I am working on an alternative vulnerability scoring based on publicly available data to highlight vulnerabilities that need to be fixed as soon as possible. Roughly speaking, this is something like Tenable VPR, but more transparent and even open source. Currently it works with far fewer data sources. The score mainly depends on the type of vulnerability, the prevalence of the vulnerable software, public exploits and exploitation in the wild.

Elevation of Privilege - Windows Win32k

I started with Microsoft PatchTuesday Vulnerabilities because Microsoft provides much better data than other vendors. They have the type of vulnerability and the name of the vulnerable software in the title.

Elevation of Privilege - Windows Win32k MS site

But it’s time to go further and now you can use Vulristics to analyze any set of CVEs. I changed the scripts that were closely related to the Microsoft data source and added new features to get the type of vulnerability and the name of the software from the CVE description.
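
As an added example (not Vulristics' own code), the Python below sketches the two steps this post describes for arbitrary CVEs: pulling the vulnerability type and the product name out of a free-text CVE description, and combining them with prevalence, public-exploit and in-the-wild flags into a 0..1000 score. The regex tables, weights, level thresholds and sample descriptions are assumptions chosen for illustration; the sudo line that the post reports as "High [595]" comes out with a different number here because the weights differ.

```python
"""Classify and score arbitrary CVEs from their text descriptions.

Added example written for this post; it is not Vulristics' own code. The
regex tables, weights, thresholds and sample descriptions are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Priority-ordered: the first matching type wins, so "heap-based buffer
# overflow ... allows privilege escalation" is classified by its impact
# (Elevation of Privilege) rather than by its root cause (memory corruption).
VULN_TYPE_PATTERNS = [
    ("Remote Code Execution", r"remote code execution|execute arbitrary (?:code|commands)"),
    ("Elevation of Privilege", r"privilege escalation|elevation of privilege|"
                               r"(?:escalat|elevat)\w* (?:their )?privileges?|gain root"),
    ("Authentication Bypass", r"authentication bypass|bypass authentication"),
    ("Information Disclosure", r"information disclosure|disclos\w* (?:sensitive )?information|"
                               r"read arbitrary files?"),
    ("Denial of Service", r"denial of service|\bcrash"),
    ("Memory Corruption", r"buffer overflow|use[- ]after[- ]free|out-of-bounds (?:read|write)"),
]

# Constructed 0..1 weight per type (assumption, not Vulristics' values).
TYPE_WEIGHT = {
    "Remote Code Execution": 1.0, "Elevation of Privilege": 0.8,
    "Authentication Bypass": 0.8, "Information Disclosure": 0.5,
    "Denial of Service": 0.4, "Memory Corruption": 0.6, "Unknown": 0.3,
}

# A product name: capitalised words, e.g. "Sudo", "Windows Win32k".
_NAME = r"[A-Z][\w.+-]*(?: [A-Z][\w.+-]*)*"
_NAME_LAZY = r"[A-Z][\w.+-]*(?: [A-Z][\w.+-]*)*?"
PRODUCT_PATTERNS = [
    # Microsoft-style title: "Windows Win32k Elevation of Privilege Vulnerability"
    r"^(?P<product>" + _NAME_LAZY + r") (?:Remote Code Execution|Elevation of Privilege|"
    r"Denial of Service|Information Disclosure|Security Feature Bypass|Spoofing) Vulnerability",
    # NVD-style: "Sudo before 1.9.5p2 ...", "OpenSSH through 8.4 ...", "Foo 1.2 ..."
    r"^(?P<product>" + _NAME + r") (?:before|through|prior to|up to|versions?|v?\d)",
    # "... a flaw in OpenSSL 1.1.1 allows ..."
    r"\bin (?:the )?(?P<product>" + _NAME + r")",
]


@dataclass
class Assessment:
    cve_id: str
    vuln_type: str
    product: Optional[str]
    score: int          # 0..1000
    level: str


def detect_type(description: str) -> str:
    for name, pattern in VULN_TYPE_PATTERNS:
        if re.search(pattern, description, re.IGNORECASE):
            return name
    return "Unknown"


def detect_product(description: str) -> Optional[str]:
    for pattern in PRODUCT_PATTERNS:
        m = re.search(pattern, description)
        if m:
            return m.group("product")
    return None


def level_for(score: int) -> str:
    # Constructed thresholds.
    if score >= 700:
        return "Critical"
    if score >= 500:
        return "High"
    if score >= 300:
        return "Medium"
    return "Low"


def score_cve(cve_id: str, description: str, prevalence: float,
              public_exploit: bool, exploited_in_the_wild: bool) -> Assessment:
    """prevalence is 0..1 (how widespread the product is); the two flags come
    from exploit databases and in-the-wild feeds. The weighted sum is a
    constructed scheme in the spirit of the post, not Vulristics' formula."""
    vuln_type = detect_type(description)
    raw = (0.35 * TYPE_WEIGHT[vuln_type]
           + 0.20 * min(1.0, max(0.0, prevalence))
           + 0.25 * float(public_exploit)
           + 0.20 * float(exploited_in_the_wild))
    score = int(round(raw * 1000))
    return Assessment(cve_id, vuln_type, detect_product(description), score, level_for(score))


def format_line(a: Assessment) -> str:
    """Same shape as the report lines in the post: 'Type - Product (CVE) - Level [score]'."""
    return f"{a.vuln_type} - {a.product or 'Unknown product'} ({a.cve_id}) - {a.level} [{a.score}]"


# Constructed sample descriptions, modelled on the public NVD and Microsoft wording.
SUDO_DESC = ("Sudo before 1.9.5p2 contains an off-by-one error that can result in a "
             "heap-based buffer overflow, which allows privilege escalation to root via "
             '"sudoedit -s" and a command-line argument that ends with a single backslash character.')
WIN32K_DESC = "Windows Win32k Elevation of Privilege Vulnerability"

if __name__ == "__main__":
    print(format_line(score_cve("CVE-2021-3156", SUDO_DESC, 0.8, True, False)))
    print(format_line(score_cve("CVE-0000-0000", WIN32K_DESC, 1.0, False, True)))  # placeholder id
```

The type table is ordered by impact so that a description mentioning both a memory bug and its consequence is filed under the consequence, which is what you want when the output feeds a patching priority list; a description that matches nothing falls through to "Unknown" with a low weight rather than being dropped.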

Elevation of Privilege - Sudo (CVE-2021-3156) - High [595]

Making Expect scripts for SSH Authentication and Privilege Elevation

Expect can help you automate interactive console applications. For example, an expect script can log in to a Linux host via SSH with password authentication, go through additional authentication steps (su, sudo) to elevate privileges and execute some commands. This is what Vulnerability and Compliance Management products do during active Linux scanning, right? 🙂 For example, you can get the list of installed packages and do a Vulnerability Assessment without a Vulnerability Scanner.
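
The flow described above (password SSH login, sudo, then commands), written as an added example rather than the author's own generator: a Python function that emits the expect script, handling the two things that usually break such scripts (Tcl treating `$`, `[`, `"` in a password as substitution, and the shell echoing the very prompt string the script is about to wait for), plus a small parser for the package list the script brings back. The prompt patterns, exit codes, package-listing commands and the sample output are assumptions for illustration.

```python
"""Emit an expect script that logs in over SSH with a password, elevates with
sudo and runs commands, then parse the package list it brings back.

Added example written for this post, not the author's own generator. The
prompt patterns ("[$#] $", "EXPECT> ", "SUDO_PW:"), exit codes, package
listing commands and the sample output are assumptions for illustration.
"""
from typing import Iterable, List, Tuple

# Prove elevation, then list packages as "name version" lines on deb- or
# rpm-based hosts (assumed output format).
DEFAULT_COMMANDS = (
    "id",
    r"dpkg-query -W -f='${Package} ${Version}\n' 2>/dev/null"
    r" || rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'",
)


def tcl_quote(value: str) -> str:
    """Escape for a double-quoted Tcl/expect string: \\ $ [ ] " would
    otherwise be taken as substitution or delimiters (the classic way a
    password containing '$' silently fails)."""
    out = value.replace("\\", "\\\\")
    for ch in '$[]"':
        out = out.replace(ch, "\\" + ch)
    return out


def build_expect_script(host: str, user: str, password: str,
                        commands: Iterable[str] = DEFAULT_COMMANDS,
                        timeout: int = 30) -> str:
    pw = tcl_quote(password)
    lines = [
        "#!/usr/bin/expect -f",
        f"set timeout {int(timeout)}",
        "log_user 0",
        # Force password auth so a password prompt is what appears.
        f"spawn ssh -o PubkeyAuthentication=no -o NumberOfPasswordPrompts=1 {user}@{host}",
        "expect {",
        # Unknown host key: accept and keep waiting for the password prompt.
        r'    -re {continue connecting \(yes/no.*\)\?} { send -- "yes\r"; exp_continue }',
        f'    -re {{[Pp]assword: ?$}} {{ send -- "{pw}\\r" }}',
        '    timeout { puts stderr "ssh: no password prompt"; exit 3 }',
        '    eof { puts stderr "ssh: connection closed"; exit 4 }',
        "}",
        "expect {",
        '    "Permission denied" { puts stderr "ssh: authentication failed"; exit 2 }',
        r"    -re {[$#] $} {}",
        '    timeout { puts stderr "ssh: no shell prompt"; exit 3 }',
        "}",
        # Set a known prompt. The quoting 'EXP''ECT> ' keeps the echoed command
        # line from containing the string we are about to wait for.
        "send -- \"PS1='EXP''ECT> '\\r\"",
        'expect "EXPECT> "',
    ]
    for cmd in commands:
        c = tcl_quote(cmd)
        lines += [
            # Same echo trick for the custom sudo prompt ('SUDO''_PW:').
            f'send -- "sudo -p \'SUDO\'\'_PW:\' {c}\\r"',
            "expect {",
            '    "Sorry, try again" { puts stderr "sudo: wrong password"; exit 5 }',
            '    "is not in the sudoers file" { puts stderr "sudo: not permitted"; exit 6 }',
            # sudo may not ask at all (cached credentials or NOPASSWD), so the
            # password branch keeps waiting for the shell prompt.
            f'    "SUDO_PW:" {{ send -- "{pw}\\r"; exp_continue }}',
            f'    "EXPECT> " {{ puts "=== {c} ===\\n$expect_out(buffer)" }}',
            f'    timeout {{ puts stderr "timeout running: {c}"; exit 3 }}',
            "}",
        ]
    lines += ['send -- "exit\\r"', "expect eof"]
    return "\n".join(lines) + "\n"


def parse_package_list(output: str) -> List[Tuple[str, str]]:
    """Pick 'name version' pairs out of the script output, skipping the
    '=== cmd ===' headers, echoed sudo command lines and prompts
    (heuristic: a version starts with a digit)."""
    pkgs = []
    for line in output.splitlines():
        line = line.strip()
        if (not line or line.startswith("===") or line.startswith("EXPECT>")
                or "SUDO''_PW:" in line):
            continue
        parts = line.split()
        if len(parts) == 2 and parts[1][0].isdigit():
            pkgs.append((parts[0], parts[1]))
    return pkgs


# Constructed sample of what the generated script prints on a Debian-like host.
SAMPLE_OUTPUT = """=== id ===
sudo -p 'SUDO''_PW:' id
uid=0(root) gid=0(root) groups=0(root)
EXPECT> 
=== dpkg-query ... ===
sudo -p 'SUDO''_PW:' dpkg-query -W -f='${Package} ${Version}\\n'
sudo 1.8.31-1ubuntu1.2
openssh-server 1:8.2p1-4ubuntu0.3
EXPECT> """
```

Write the result of `build_expect_script(host, user, password)` to a file, `chmod +x` it and run it on any box with expect installed; feed its stdout to `parse_package_list` to get `(name, version)` pairs for the assessment step. Note that the password ends up in the script text, so generate to a private temp file and delete it afterwards.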

Expect SSH exec

Actually, the tool is pretty old. It was presented more than 20 years ago! And perhaps now it makes more sense to use Python scripts, for example paramiko with paramiko-expect, or even a software provisioning tool like Ansible. But my fun was in creating (generating?) small old-school scripts that could be sent to any remote host (with expect installed) to gather information from the accessible hosts.

Qualys authenticated scanning

Let’s see how authenticated scanning works in Qualys. Nessus stores scanning credentials in the related Scan Policy (see “Tenable Nessus: registration, installation, scanning and reporting“), which is not always convenient. In Qualys you can set up a credentials record and configure which hosts it will be used for.

Login Credentials

I downloaded the Qualys Virtual Scanning Appliance VirtualBox image and configured it as described in “Using Qualys Virtual Scanner Appliance“. The only difference: I configured the second network device as a VirtualBox “Host Only Adapter” to scan virtual machines on my host. You can see how to configure a VirtualBox “Host Only Adapter” in my post here.

