@jasonadsit
Last active August 6, 2023 11:11
useful-tenable-plugins.md

Useful Tenable Plugins (and how to parse them)

These examples assume you're using my Get-TenablePluginOutput PowerShell function. You can load it from the web here:

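# NOTE(review): these two lines download a script and execute it in the current session,
# so whatever the URL serves at that moment runs with your privileges. The raw URL is not
# pinned to a gist revision; read the downloaded text (or pin the URL to a revision you
# have reviewed) before running the second line.
# -UseBasicParsing stops Windows PowerShell 5.1 from involving the Internet Explorer
# engine just to fetch plain text; newer PowerShell versions accept the switch and ignore it.
$Content = Invoke-WebRequest -Uri https://gist.githubusercontent.com/jasonadsit/db19229634c788276419c5a4134a1b7e/raw/Get-TenablePluginOutput.ps1 -UseBasicParsing | Select-Object -ExpandProperty Content
. ([scriptblock]::Create($Content))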

They also assume you've already set your working directory to one that contains some .nessus files. ;-)

# Plugin 10908 -> xyz-tenable-10908-domain-admins.txt
# Keeps only the output lines that begin with "- ", strips that marker, and writes the
# sorted, de-duplicated entries to a text file.
# Assumes -Flatten yields one object per output line - TODO confirm against the function.
Get-TenablePluginOutput -PluginID 10908 -Flatten |
    Where-Object { $_.PluginOutput -match '^-\s' } |
    ForEach-Object { ($_.PluginOutput -replace '^-\s').Trim() } |
    Sort-Object -Unique |
    Out-File .\xyz-tenable-10908-domain-admins.txt
# Plugin 10902 -> xyz-tenable-10902-local-admins.csv
# Groups the "- "-prefixed output lines (local admin members, per the file name) and lists,
# for each distinct member, how many times it was reported and on which systems.
Get-TenablePluginOutput -PluginID 10902 -Flatten |
    Where-Object { $_.PluginOutput -match '^-\s' } |
    Select-Object -Property IpAddress, NetBiosName, @{
        Name       = 'PluginOutput'
        Expression = {
            $Member = ($_.PluginOutput -replace '^-\s').Trim()
            # Entries matching 'Administrator (User)' are cut down to the text after the
            # last backslash, presumably so they group together across hosts.
            if ($Member -match 'Administrator\s\(User\)') { $Member.Split('\')[-1] } else { $Member }
        }
    } |
    Group-Object -Property PluginOutput |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name, @{
        Name       = 'Systems'
        Expression = { [string]($_.Group.NetBiosName -join ", ") }
    } |
    Export-Csv .\xyz-tenable-10902-local-admins.csv
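# Plugin 65791 -> xyz-tenable-65791-portable-devices.csv
# Parses each blank-line-separated record that has a 'Friendly name' field into key/value
# pairs, then reports per host how many devices were seen and their names.
Get-TenablePluginOutput -PluginID 65791 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    ($_.PluginOutput -split "`n`n").Trim() | Where-Object { $_ -cmatch 'Friendly name' } | ForEach-Object {
        $EachOne = @{}
        $_ -split "`n" | ForEach-Object {
            $Pair = $_.Trim() -split '\s:\s'
            $Key = $Pair[0].Trim()
            # The first value seen for a key is kept; a repeated key is skipped quietly
            # instead of raising an error from Hashtable.Add().
            if (-not $EachOne.ContainsKey($Key)) { $EachOne[$Key] = $Pair[-1].Trim() }
        }
        # Emit exactly one object per record, after every line has been read. Emitting
        # inside the line loop produced an extra row for each line that followed the
        # 'Device' line, which inflated the per-host Count below.
        [pscustomobject][ordered]@{
            IpAddress = $IpAddress
            NetBiosName = $NetBiosName
            FriendlyName = $EachOne['Friendly name']
            Device = $EachOne['Device']
        }
    } | Where-Object { $_.Device }
} | Select-Object -Property IpAddress,NetBiosName,@{n='DeviceName';e={"$($_.FriendlyName) | $($_.Device)"}} |
Group-Object -Property NetBiosName |
Sort-Object -Property Count -Descending |
Select-Object -Property Count,@{n='NetBiosName';e={$_.Name}},@{n='DeviceName';e={[string]($_.Group.DeviceName -join "`r`n")}} |
Export-Csv .\xyz-tenable-65791-portable-devices.csv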
# Plugin 38689 -> xyz-tenable-38689-last-logged-on-user.csv
# For every output line containing " : ", records the text after the last " : " as the
# last logged-on user of that host.
Get-TenablePluginOutput -PluginID 38689 -Flatten |
    Where-Object { $_.PluginOutput -match '\s:\s' } |
    Select-Object -Property IpAddress, NetBiosName, @{
        Name       = 'LastLoggedOn'
        Expression = { ($_.PluginOutput -split '\s:\s')[-1].Trim() }
    } |
    Export-Csv .\xyz-tenable-38689-last-logged-on-user.csv
# Plugin 45590 -> xyz-tenable-45590-cpe.csv
# Counts how often each output line containing 'cpe:' was reported and lists the systems
# that reported it, most common first.
Get-TenablePluginOutput -PluginID 45590 -Flatten |
    Where-Object { $_.PluginOutput -match 'cpe:' } |
    Group-Object -Property PluginOutput |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name, @{
        Name       = 'Systems'
        Expression = { [string]($_.Group.NetBiosName -join ', ') }
    } |
    Export-Csv .\xyz-tenable-45590-cpe.csv
# Plugin 10395 -> xyz-tenable-10395-smb-shares.csv
# Groups the output lines that start with "-" (share names, per the file name) and lists
# how many times each one was reported and by which systems.
# NOTE(review): these values originate on the scanned hosts; if the CSV is opened in a
# spreadsheet, a value starting with = + - or @ may be treated as a formula - confirm how
# the report is consumed.
Get-TenablePluginOutput -PluginID 10395 -Flatten |
    Where-Object { $_.PluginOutput -match '^-' } |
    Group-Object -Property PluginOutput |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ Name = 'ShareName'; Expression = { $_.Name -replace '^-\s' } },
        @{ Name = 'System'; Expression = { [string]($_.Group.NetBiosName -join ', ') } } |
    Export-Csv .\xyz-tenable-10395-smb-shares.csv
# Plugin 70329 -> xyz-tenable-70329-windows-process-stats.csv
# From every output line containing a dot, takes the second-to-last space-separated token
# as the process name, then counts the hosts reporting each name.
Get-TenablePluginOutput -PluginID 70329 -Flatten |
    Where-Object { $_.PluginOutput -match '\.' } |
    Select-Object -Property IpAddress, NetBiosName, @{
        Name       = 'PluginOutput'
        Expression = { $_.PluginOutput.Split(' ')[-2] }
    } |
    Group-Object -Property PluginOutput |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ Name = 'ProcessName'; Expression = { $_.Name } },
        @{ Name = 'Systems'; Expression = { [string]($_.Group.NetBiosName -join ', ') } } |
    Export-Csv .\xyz-tenable-70329-windows-process-stats.csv
# Plugin 72684 -> xyz-tenable-72684-users.csv
# Splits the output into blank-line-separated records, keeps the distinct ones that
# mention 'SID', and turns each into one row; rows are de-duplicated by SID and then
# ordered by Name.
Get-TenablePluginOutput -PluginID 72684 |
    ForEach-Object { $_.PluginOutput -split "`n`n" } |
    Where-Object { $_ -cmatch 'SID' } |
    Sort-Object -Unique |
    ForEach-Object {
        $Account = @{}
        $_ -split "`n" | ForEach-Object {
            $Pair = $_.Trim() -split '\s:\s'
            # Add() raises an error on a repeated key, so the first value seen is kept.
            $Account.Add($Pair[0].Trim(), $Pair[-1].Trim())
        }
        [pscustomobject][ordered]@{
            Name = $Account['Name']
            SID = $Account['SID']
            Disabled = $Account['Disabled']
            Lockout = $Account['Lockout']
            ChangePassword = $Account['Change password']
            Source = $Account['Source']
        }
    } |
    Sort-Object -Property SID -Unique |
    Sort-Object -Property Name |
    Export-Csv .\xyz-tenable-72684-users.csv
# Plugin 92422 -> xyz-tenable-92422-mapped-drives.csv
# Keeps the output lines in which a colon and whitespace are followed by two backslashes
# (a UNC path) and splits each on " : " into an upper-cased drive letter and the path.
Get-TenablePluginOutput -PluginID 92422 -Flatten |
    Where-Object { $_.PluginOutput -match ':\s\\\\' } |
    Select-Object -Property IpAddress, NetBiosName,
        @{ Name = 'DriveLetter'; Expression = { ($_.PluginOutput -split '\s:\s')[0].ToUpper() } },
        @{ Name = 'Path'; Expression = { ($_.PluginOutput -split '\s:\s')[-1] } } |
    Export-Csv .\xyz-tenable-92422-mapped-drives.csv
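# Plugin 140655 -> xyz-tenable-140655-iis-bindings.csv
# Splits the output into sites ("+ site name: ") and, within each site, into bindings
# ("+ binding"), then writes one row per binding with its IP, port, domain and protocol.
Get-TenablePluginOutput -PluginID 140655 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    # Drop the banner line so the first split element does not start with it.
    $_.PluginOutput = $_.PluginOutput -replace "^Nessus found the following sites configured on the remote host:`n"
    $_.PluginOutput -split '\+\ssite\sname:\s' | ForEach-Object {
        # The site name is the remainder of the line the split marker was on.
        $SiteName = ($_ -split "`n")[0]
        $_ -split '\+\sbinding' | Where-Object { $_ -match '\s:\s' } | ForEach-Object {
            $EachOne = @{}
            $_.Trim() -split "`n" | Where-Object { $_ -match '\s:\s' } | ForEach-Object {
                $Pair = $_.Trim() -split '\s:\s'
                $Key = $Pair[0].Trim()
                # The first value seen for a key is kept; a repeated key is skipped quietly
                # instead of raising an error from Hashtable.Add().
                if (-not $EachOne.ContainsKey($Key)) { $EachOne[$Key] = $Pair[-1].Trim() }
            }
            # Emit one object per binding, after all of its lines are read. Emitting inside
            # the line loop could yield partial or repeated rows depending on line order.
            [pscustomobject][ordered]@{
                IpAddress = $IpAddress
                NetBiosName = $NetBiosName
                SiteName = $SiteName
                BindingIp = $EachOne['- IP address']
                BindingPort = $EachOne['- port']
                Domain = $EachOne['- domain']
                Protocol = $EachOne['- protocol']
            }
        }
    }
# NOTE(review): this filter also drops bindings whose domain value is empty, so the CSV
# is not a complete list of bindings - confirm that is intended.
} | Where-Object { $_.Domain -and $_.Protocol } |
Export-Csv .\xyz-tenable-140655-iis-bindings.csv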
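# Plugin 65057 -> xyz-tenable-65057-insecure-service-permissions.csv
# Builds one row per blank-line-separated record that contains a "Path : " field and keeps
# the rows that name at least one group under write or full-control permissions.
Get-TenablePluginOutput -PluginID 65057 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -cmatch 'Path\s:\s' } | ForEach-Object {
        $EachOne = @{}
        $_ -split "`n" | ForEach-Object {
            $Pair = $_.Trim() -split '\s:\s'
            $Key = $Pair[0].Trim()
            # The first value seen for a key is kept. Checking ContainsKey() replaces the
            # temporary $ErrorActionPreference override that hid Hashtable.Add() errors.
            if (-not $EachOne.ContainsKey($Key)) { $EachOne[$Key] = $Pair[-1].Trim() }
        }
        # Emit one object per record, after all of its lines are read; emitting inside the
        # line loop repeated the row for every line that followed a permission field.
        [pscustomobject][ordered]@{
            IpAddress = $IpAddress
            NetBiosName = $NetBiosName
            Path = $EachOne['Path']
            UsedByServices = $EachOne['Used by services']
            WritePermissions = $EachOne['File write allowed for groups']
            FullControl = $EachOne['Full control of directory allowed for groups']
        }
    }
# The row property is WritePermissions; filtering on a non-existent 'Write' property
# silently dropped every record that had write access but no full-control entry.
} | Where-Object { $_.WritePermissions -or $_.FullControl } | Export-Csv .\xyz-tenable-65057-insecure-service-permissions.csv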
# Plugin 58181 -> xyz-tenable-58181-configured-dns-server-variance.csv
# Takes the text after the last colon on each 'NameServer:' line, normalises the
# separators to ", ", and counts how many systems share each DNS server list.
Get-TenablePluginOutput -PluginID 58181 -Flatten |
    Where-Object { $_.PluginOutput -match 'NameServer:' } |
    Select-Object -Property IpAddress, NetBiosName, @{
        Name       = 'DnsServers'
        Expression = {
            $Servers = $_.PluginOutput.Split(':')[-1].Trim()
            # Spaces become commas first, then every comma becomes ", ".
            $Servers.Replace(' ', ',').Replace(',', ', ')
        }
    } |
    Group-Object -Property DnsServers |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ Name = 'DnsServers'; Expression = { $_.Name } },
        @{ Name = 'Systems'; Expression = { [string]($_.Group.NetBiosName -join ', ') } } |
    Export-Csv .\xyz-tenable-58181-configured-dns-server-variance.csv
# Plugin 51187 -> xyz-tenable-51187-bitlocker.csv
# Splits the output into one chunk per "+ DriveLetter " entry and writes a row per volume
# with its drive letter, the last word of its protection status, and its size as a number.
Get-TenablePluginOutput -PluginID 51187 | ForEach-Object {
    $Address = $_.IpAddress
    $Computer = $_.NetBiosName
    # Trim first so the banner sits at the very start, where the anchored -replace removes it.
    $_.PluginOutput = $_.PluginOutput.Trim() -replace "^Here is a list of encryptable volumes available on the remote system :`n"
    $_.PluginOutput -split '\+\sDriveLetter\s' | Where-Object { $_ -match ':' } | ForEach-Object {
        # The drive letter is whatever followed the split marker on its line.
        $Drive = ($_ -split "`n")[0]
        $Volume = @{}
        $_ -split "`n" | Where-Object { $_ -match '\s:\s' } | ForEach-Object {
            $Pair = $_.Trim() -split '\s:\s'
            # Add() raises an error on a repeated key, so the first value seen is kept.
            $Volume.Add($Pair[0].Trim(), $Pair[-1].Trim())
        }
        $Status = ($Volume['- Protection Status']).Split(' ')[-1]
        # The size value's first space-separated token is converted to a decimal.
        $Size = [decimal](($Volume['- Size']).Split(' ')[0])
        [pscustomobject][ordered]@{
            IpAddress = $Address
            NetBiosName = $Computer
            DriveLetter = $Drive
            ProtectionStatus = $Status
            SizeGB = $Size
        }
    }
} | Export-Csv .\xyz-tenable-51187-bitlocker.csv

Also, if you're just looking for some high-level stats, re-run the BitLocker (plugin 51187) example above after replacing...

# Last stage of the plugin 51187 pipeline; this is the text to replace.
Export-Csv .\xyz-tenable-51187-bitlocker.csv

with...

Group-Object -Property ProtectionStatus |   # pipeline tail: expects the plugin 51187 rows as input
    Sort-Object -Property Count -Descending |
    Select-Object -Property @{
        Name       = 'VolumeCount'
        Expression = { $_.Count }
    }, @{
        Name       = 'BitLockerStatus'
        # 'Off' is tested before 'On'; a status matching neither yields an empty value.
        Expression = {
            if ($_.Name -match 'Off') {
                'Unencrypted'
            } elseif ($_.Name -match 'On') {
                'Encrypted'
            }
        }
    }, @{
        Name       = 'TotalData(GB)'
        # Sum of SizeGB over the volumes that share this protection status.
        Expression = { ($_.Group | Measure-Object -Property SizeGB -Sum).Sum }
    }
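# Plugin 44401 -> xyz-tenable-44401-service-config.csv
# Parses each blank-line-separated record that mentions 'Executable' into one service row,
# then counts how many rows share each executable path and lists the systems involved.
Get-TenablePluginOutput -PluginID 44401 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -match 'Executable' } | ForEach-Object {
        $EachOne = @{}
        $_ -split "`n" | ForEach-Object {
            $Pair = $_.Trim() -split '\s:\s'
            $Key = $Pair[0].Trim()
            # The first value seen for a key is kept; a repeated key is skipped quietly
            # instead of raising an error from Hashtable.Add().
            if (-not $EachOne.ContainsKey($Key)) { $EachOne[$Key] = $Pair[-1].Trim() }
        }
        # Emit one object per service, after all of its lines are read. Emitting inside
        # the line loop added a row for every line after 'Executable path', which inflated
        # the Count and repeated host names in Systems.
        [pscustomobject][ordered]@{
            IpAddress = $IpAddress
            NetBiosName = $NetBiosName
            DisplayName = $EachOne['Display name']
            ServiceName = $EachOne['Service name']
            LogOnAs = $EachOne['Log on as']
            ExecutablePath = $EachOne['Executable path']
        }
    }
} | Where-Object { $_.ExecutablePath -and $_.ServiceName } |
Group-Object -Property ExecutablePath |
Sort-Object -Property Count -Descending |
Select-Object -Property Count,
                        @{n='DisplayName';e={$_.Group[0].DisplayName}},
                        @{n='ExecutablePath';e={$_.Name}},
                        @{n='Systems';e={[string]($_.Group.NetBiosName -join ', ')}} |
Export-Csv .\xyz-tenable-44401-service-config.csv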
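# Plugin 60119 -> xyz-tenable-60119-share-access.csv
# For each blank-line-separated record that contains 'Share path', reads the share name
# and local path from its first two lines and writes one row per "[*] " ACE entry with
# the principal, the hex mask and the read/write/execute flags.
Get-TenablePluginOutput -PluginID 60119 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" |
    Where-Object { $_ -match 'Share\spath' } | ForEach-Object {
        $ShareAccess = $_.Trim()
        $ShareLines = $ShareAccess -split "`n"
        # Split on the first ": " only. Splitting on every ':' kept just the text after
        # the last colon, which loses the drive letter of a local path such as C:\...
        $ShareName = ($ShareLines[0] -split ':\s', 2)[-1].Trim()
        $LocalPath = ($ShareLines[1] -split ':\s', 2)[-1].Trim()
        # Everything after the first two lines is treated as the ACL text.
        $ShareACL = ($ShareLines | Select-Object -Skip 2) -join "`r`n"
        $ShareACL -split '\[\*]\s' |
        Where-Object { $_ -match '\sACE\sfor\s' } | ForEach-Object {
            $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
            $EachOne = @{}
            $Lines | ForEach-Object {
                $Pair = $_ -split ':\s'
                $Key = $Pair[0].Trim()
                # The first value seen for a key is kept; a repeated key (blank lines, for
                # instance) is skipped quietly instead of raising an error from Add().
                if (-not $EachOne.ContainsKey($Key)) { $EachOne[$Key] = $Pair[-1].Trim() }
            }
            # The first line of an entry reads "<type> ACE for <principal>: <hex mask>".
            $AccessType = $Lines[0].Split(' ')[0].Trim()
            $Principal = ($Lines[0] -split '\sACE\sfor\s')[-1].Split(':')[0].Trim()
            $HexACL = $Lines[0].Split(':')[-1].Trim()
            [pscustomobject][ordered]@{
                IpAddress = $IpAddress
                NetBiosName = $NetBiosName
                ShareName = $ShareName
                LocalPath = $LocalPath
                AccessType = $AccessType
                Principal = $Principal
                HexACL = $HexACL
                Read = $EachOne['FILE_GENERIC_READ']
                Write = $EachOne['FILE_GENERIC_WRITE']
                Execute = $EachOne['FILE_GENERIC_EXECUTE']
            }
        }
    }
} | Export-Csv .\xyz-tenable-60119-share-access.csv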
# Plugin 16193 -> xyz-tenable-16193-antivirus-software-check.csv
# Writes one row per blank-line-separated record that has a 'Product name' field, with
# the product, path, version, engine and signature versions read from its lines.
Get-TenablePluginOutput -PluginID 16193 | ForEach-Object {
    $Address = $_.IpAddress
    $Computer = $_.NetBiosName
    $_.PluginOutput -split "`n`n" |
        Where-Object { $_ -match 'Product\sname' } |
        ForEach-Object {
            $Product = @{}
            $_.Trim() -split "`n" | ForEach-Object {
                $Pair = $_.Trim() -split '\s:\s'
                # Add() raises an error on a repeated key, so the first value seen is kept.
                $Product.Add($Pair[0].Trim(), $Pair[-1].Trim())
            }
            [pscustomobject][ordered]@{
                IpAddress = $Address
                NetBiosName = $Computer
                ProductName = $Product['Product name']
                Path = $Product['Path']
                Version = $Product['Version']
                EngineVersion = $Product['Engine version']
                AntiVirusSigVersion = $Product['Antivirus signature version']
                AntiSpywareSigVersion = $Product['Antispyware signature version']
            }
        }
} | Export-Csv .\xyz-tenable-16193-antivirus-software-check.csv
# Plugin 34220 -> xyz-tenable-34220-netstat-portscanner-wmi.csv
# Skips empty lines and the 'Nessus was able to find' summary, then splits the second
# space-separated token of each line (port/protocol) into Port and Protocol columns.
Get-TenablePluginOutput -PluginID 34220 -Flatten |
    Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Nessus was able to find' } |
    Select-Object -Property IpAddress, NetBiosName, @{
        Name       = 'Port'
        Expression = { $_.PluginOutput.Split(' ')[1].Split('/')[0].Trim() }
    }, @{
        Name       = 'Protocol'
        Expression = { $_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim() }
    } |
    Export-Csv .\xyz-tenable-34220-netstat-portscanner-wmi.csv
# Plugin 50859 -> xyz-tenable-50859-wsus-client-settings.csv
# Writes one row per host: the output line that starts with 'http' as the WSUS server,
# plus the named update settings read from the "key : value" lines.
Get-TenablePluginOutput -PluginID 50859 | ForEach-Object {
    $Address = $_.IpAddress
    $Computer = $_.NetBiosName
    # Non-empty output lines, trimmed.
    $Trimmed = $_.PluginOutput -split "`n" | Where-Object { $_ } | ForEach-Object { $_.Trim() }
    $Server = $Trimmed | Where-Object { $_ -match '^http' }
    $Settings = @{}
    $Trimmed | ForEach-Object {
        $Pair = $_ -split '\s:\s'
        # Add() raises an error on a repeated key, so the first value seen is kept.
        $Settings.Add($Pair[0].Trim(), $Pair[-1].Trim())
    }
    [pscustomobject][ordered]@{
        IpAddress = $Address
        NetBiosName = $Computer
        WsusServer = $Server
        ElevateNonAdmins = $Settings['ElevateNonAdmins']
        TargetGroup = $Settings['TargetGroup']
        AUOptions = $Settings['AUOptions']
        AutoInstallMinorUpdates = $Settings['AutoInstallMinorUpdates']
        DetectionFrequency = $Settings['DetectionFrequency']
        NoAutoRebootWithLoggedOnUsers = $Settings['NoAutoRebootWithLoggedOnUsers']
        NoAutoUpdate = $Settings['NoAutoUpdate']
        ScheduledInstallDay = $Settings['ScheduledInstallDay']
        ScheduledInstallTime = $Settings['ScheduledInstallTime']
    }
} | Export-Csv .\xyz-tenable-50859-wsus-client-settings.csv
# Plugin 11219 -> xyz-tenable-11219-syn-scanner.csv
# Skips empty lines and the 'Nessus was able to find' summary, then splits the second
# space-separated token of each line (port/protocol) into Port and Protocol columns.
Get-TenablePluginOutput -PluginID 11219 -Flatten |
    Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Nessus was able to find' } |
    Select-Object -Property IpAddress, NetBiosName, @{
        Name       = 'Port'
        Expression = { $_.PluginOutput.Split(' ')[1].Split('/')[0].Trim() }
    }, @{
        Name       = 'Protocol'
        Expression = { $_.PluginOutput.Split(' ')[1].Split('/')[-1].Trim() }
    } |
    Export-Csv .\xyz-tenable-11219-syn-scanner.csv
# Plugin 66350 -> xyz-tenable-66350-wifi-history.csv
# Writes one row per blank-line-separated record that contains an "SSID : " field, with
# the network details and the created / last-connected timestamps read from its lines.
Get-TenablePluginOutput -PluginID 66350 | ForEach-Object {
    $IpAddress = $_.IpAddress
    $NetBiosName = $_.NetBiosName
    $_.PluginOutput -split "`n`n" | Where-Object { $_ -cmatch 'SSID\s:\s' } |
    ForEach-Object { $_.Trim() } |
    ForEach-Object {
        $Lines = $_ -split "`n" | ForEach-Object { $_.Trim() }
        $EachOne = @{}
        # Errors are silenced while the record is parsed and the previous preference is
        # put back at the end of the block. Presumably this hides the errors from Add()
        # on repeated keys and from the [datetime] casts on missing values - confirm.
        # NOTE(review): the restore is an ordinary statement, so it is skipped if an
        # error terminates the block early; try/finally would guarantee it.
        $ErrorActionPreferenceBak = $ErrorActionPreference
        $ErrorActionPreference = [System.Management.Automation.ActionPreference]::SilentlyContinue
        $Lines | ForEach-Object {
            # Key is the text before the first " : ", value the text after the last one.
            $Key = ($_ -split '\s:\s')[0].Trim()
            $Value = ($_ -split '\s:\s')[-1].Trim()
            $EachOne.Add($Key,$Value)
        }
        [pscustomobject][ordered]@{
            IpAddress = $IpAddress
            NetBiosName = $NetBiosName
            SSID = $EachOne['SSID']
            DefaultGatewayMac = $EachOne['DefaultGatewayMac']
            DnsSuffix = $EachOne['DnsSuffix']
            SecurityMode = $EachOne['Security Mode']
            Encryption = $EachOne['Encryption']
            # Both timestamps are cast to [datetime] and re-rendered with the 's'
            # (sortable) format specifier.
            DateCreated = $(([datetime]$($EachOne['DateCreated'])).GetDateTimeFormats('s'))
            DateLastConnected = $(([datetime]$($EachOne['DateLastConnected'])).GetDateTimeFormats('s'))
        }
        $ErrorActionPreference = $ErrorActionPreferenceBak
    }
} | Export-Csv .\xyz-tenable-66350-wifi-history.csv
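# Plugin 92373 -> xyz-tenable-92373-smb-sessions.csv
# Groups the session lines by host and reports, per host, the number of distinct lines,
# the host's IP address and the distinct lines themselves, busiest host first.
Get-TenablePluginOutput -PluginID 92373 -Flatten |
Where-Object { $_.PluginOutput -and $_.PluginOutput -notmatch 'Extended SMB session information attached.' } |
Group-Object -Property NetBiosName |
Sort-Object -Property Count -Descending |
Select-Object -Property @{n='Count';e={($_.Group.PluginOutput | Sort-Object -Unique).Count}},
                        @{n='ComputerName';e={$_.Name}},
                        # Index the group, not the enumerated property: with a single row
                        # in the group, $_.Group.IpAddress is a plain string and [0] would
                        # return only its first character.
                        @{n='IpAddress';e={$_.Group[0].IpAddress}},
                        @{n='SMB Sessions';e={[string](($_.Group.PluginOutput | Sort-Object -Unique) -join ', ')}} |
Sort-Object -Property Count -Descending | Export-Csv .\xyz-tenable-92373-smb-sessions.csv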