Create a Nessus .Audit File and Using Windows Management Instrumentation Command-line (WMIC)


Published on

Create a Custom Nessus .Audit File and Using Windows Management Instrumentation Command-line (WMIC)

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Create a Nessus .Audit File and Using Windows Management Instrumentation Command-line (WMIC)

  1. 1. CREATING A NESSUS AUDIT FILE    Nessus Plugins are written in the NASL (Nessus Attack Scripting Language) scripting language. Nessus compliance checks are written as an .AUDIT file. With over 55,000 NASL plugins offered for download to Nessus subscribers, anything that is not covered by an existing NASL plugin is more easily written as a .audit policy. Nessus audit files are a specific language containing syntax similar to XML. The Tenable Support Portal provides a number of pre-written audit files for customers. These audit files have been written by Tenable, and many of them are certified by the appropriate governing body. To perform a compliance scan on a Windows target, a scan policy needs to be created. This scan policy must contain the following items at a minimum: a name, administrative level credentials, the Windows compliance plugin, and a compliance check audit file. There are also a number of tools available to generate your own audit files, rather than using the pre-written audit files available via the Tenable Support Portal. The i2a tool (version 2.0.0) is available from the customer support portal. It generates version 2 compliant audit policies based on existing Windows GPO .inf files. The Nessus Compliance Checks Reference document goes into extensive detail on how to construct your own audit file, syntax of the language, and more. There are currently five different structures for audit files, depending on the target: * Windows, for both server and desktop operating systems; * Unix, for Linux and Unix operating systems; * Database, for SQL servers; * Cisco, for Cisco brand devices on the network, and * Windows File Content, which is used to check Windows hosts for potentially sensitive content that is unencrypted. For example, a Windows audit file contains a check type item followed by a group policy item. After the group policy items, there are a series of individual checks. This is somewhat different from Unix audit files, which do not contain a group policy tag. There are a series of built-in checks that Windows audit files use. These checks are designed to simplify audit file creation. * Account checks allow you to verify the minimum password length, password complexity, group settings, and the status of the targets account lockout. * Service checks are built-in compliance audits for status and permissions of running services. * Audit checks show what type of Windows auditing is turned on such as logins and login failures, policy changes, and system events and process tracking.    In addition to having a series of built-in checks for Windows auditing, the Tenable audit files can check the Windows system registry to confirm specific keys contain expected values.  In addition to pre-written checks, as well as files and registry checks, Nessus also supports portions of Windows PowerShell. For example, you can look for existing services and determine if they are currently running. 1   
  2. 2. CREATING A NESSUS AUDIT FILE    The IT systems management field uses Windows Management Instrumentation (WMI) to develop scripts and automation procedures. Some pen testers use the Windows Management Instrumentation Command-line (WMIC) interface to query Windows system internals. Most administrators rely on a WMI-compatible tool such as Microsoft Operations Manager (MOM) or Security Center Operations Manager (SCOM), instead of trying to master WMIC commands. Related Links: Enabling Compliance Checks with Nessus Nessus Compliance Check Reference Manual Tenable Compliance Check Guide Version 2 of Windows Compliance Checks Available for Testing (ia2 Tool) CommandLineKingFu Blog SANS WMIC Cheat Sheet Security Center Operations Manager (SCOM)   2