Patch Enumeration: Automated Penetration Testing

TL;DR

Automatically identify missing security patches on target systems during a penetration test to quickly pinpoint vulnerabilities. This guide covers using tools like nmap, nessuscli and custom scripting for efficient patch enumeration.

1. Initial Reconnaissance with Nmap

Start by discovering the operating system (OS) of your target machines. Nmap is excellent for this.

1. Run an OS detection scan: Use the -O option to attempt OS fingerprinting. Be aware that firewalls and other security measures can interfere with accurate OS detection.

   nmap -O 

2. Review Nmap Output: Look for the ‘OS details’ section in the output. This will give you information like the operating system family, version and vendor. Accurate OS identification is crucial for targeted patch enumeration.

2. Vulnerability Scanning with Nessus

Nessus provides a comprehensive vulnerability assessment including missing patches.

1. Install Nessus: Download and install Nessus from Tenable’s website.
2. Configure a Scan Policy: Create or modify a scan policy to include patch detection plugins. The ‘Basic Network Vulnerability Assessment’ template is a good starting point.
3. Run the Scan: Initiate a scan against your target IP address(es).

   nessuscli scan -p  

4. Review Nessus Results: Nessus will generate a report listing identified vulnerabilities, including missing patches. Filter the results by ‘Patch’ or specific OS to quickly identify relevant findings.

3. Scripting for Targeted Patch Enumeration (Windows)

For more granular control and automation on Windows systems, use PowerShell.

1. Connect to the Target Machine: Use Invoke-Command or remote PowerShell sessions.
2. Query Installed Updates: Use the Get-HotFix cmdlet to retrieve a list of installed updates. Compare this against known patch lists for your OS version.

   $updates = Get-HotFix -ComputerName  | Select-Object HotFixID, Description, InstalledOn

3. Compare with Known Patch Lists: Download a list of patches from Microsoft’s Update Catalog or other reliable sources. Parse the patch IDs and compare them to the $updates variable.
4. Report Missing Patches: Output any missing patches for further investigation.

   # Example comparison (requires loading a list of expected patches)

4. Scripting for Targeted Patch Enumeration (Linux)

Use shell scripting and package managers to enumerate missing patches on Linux systems.

1. Identify Package Manager: Determine which package manager the target system uses (e.g., apt, yum, dnf).
2. List Installed Packages: Use the appropriate command to list installed packages.
   • Debian/Ubuntu:

     dpkg -l | grep ^ii

   • Red Hat/CentOS/Fedora:

     rpm -qa

3. Compare with Known Package Lists: Download a list of packages for your OS version from the distribution’s repositories. Compare this against the installed package list.
4. Report Missing Patches: Output any missing patches for further investigation.

   # Example comparison (requires loading a list of expected packages)

5. Automation and Reporting

Combine these techniques into automated scripts to streamline the patch enumeration process.

• Create Scripts: Develop scripts that run Nmap, Nessus scans, and custom queries automatically.
• Schedule Scans: Use a task scheduler (e.g., cron on Linux, Task Scheduler on Windows) to regularly scan your target systems.
• Generate Reports: Format the results into clear, concise reports that highlight missing patches and associated vulnerabilities.