
| Subject: | PLUGIN HELP |
|---|---|
| Date: | Thu, 10 May 2007 08:28:57 -0700 |
(This is a re-post. Tenable support kicked my ticket (BFP-98828-930) to the curb, so I figured I'd ask one last time here... C'mon you @tenablesecurity.com folks, help a fella out...)

I wrote a plugin (attached) to verify compliance with company standards regarding local users and groups (renaming admin, decoy accounts, group memberships, disabled accounts, etc.).

I had no problem getting NASL to do what I wanted, with ONE exception: I need to be able to use the local host SID and local group RIDs to retrieve the actual NAMEs of local groups. I can establish a session to the $IPC share, I can get the local group RIDs using NetUserGetLocalGroups(), I can get an LSA handle with LsaOpenPolicy(), I can get the hex sid of the host from the KB, and I can convert the hex sid + group RID to a raw sid with hex2raw2().

If I comment out the hex host SID -> raw host SID + group RID -> raw group SID conversion, and then paste just the raw group sid from, say, smb_group_backup_op.nasl, my plugin converts the raw SID to a group name.

The group in question is the local Users group. NetUserGetLocalGroups returns '545' for this group, which I assume is the RID.

- John
24hr_local_01_accounts.nasl
Description: 24hr_local_01_accounts.nasl
_______________________________________________ Nessus mailing list Nessus@list.nessus.org http://mail.nessus.org/mailman/listinfo/nessus
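
Added example, not part of the original post or its attached plugin: a Python sketch (not NASL) of the binary SID layout that a host SID + RID conversion has to produce. The host SID is a constructed value and the function names are this example's own. It builds both the machine-domain and the BUILTIN (S-1-5-32) candidate, because well-known aliases such as Users are S-1-5-32-545 while locally created groups live under the machine SID.

```python
import struct

BUILTIN_DOMAIN = "S-1-5-32"  # well-known BUILTIN domain SID
# Constructed sample machine SID (not taken from any real host).
SAMPLE_HOST_SID = "S-1-5-21-1111111111-2222222222-3333333333"

def sid_to_raw(sid):
    """Pack a string SID into its binary form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    # 1 byte revision, 1 byte sub-authority count, 6 byte big-endian
    # authority, then each sub-authority as 4 bytes little-endian.
    return (struct.pack("BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def raw_to_sid(raw):
    """Unpack a binary SID back into S-R-A-S1-S2... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    fields = ["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big"))]
    return "-".join(fields + [str(s) for s in subs])

def append_rid(domain_raw, rid):
    """Append a RID: the count byte must grow by one, not just the length."""
    if domain_raw[1] >= 15:
        raise ValueError("no room for another sub-authority")
    return (bytes([domain_raw[0], domain_raw[1] + 1])
            + domain_raw[2:] + struct.pack("<I", rid))

def candidate_group_sids(host_sid, rid):
    """The RID alone does not say which domain it belongs to; return both."""
    return [raw_to_sid(append_rid(sid_to_raw(d), rid))
            for d in (host_sid, BUILTIN_DOMAIN)]

if __name__ == "__main__":
    for sid in candidate_group_sids(SAMPLE_HOST_SID, 545):
        print(sid, sid_to_raw(sid).hex())
```
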