Re: Plugin 13855 - installed hotfixes

Hey,
Note that it does not work on Windows Vista since the hotfix doesnt
updates registry when it has been installed. You need to have an
alternative method to get a list of installed hotfixes, like WMI
Interface.

On Oct 31, 2007 4:18 PM, Andrew Court <andrew.court@bt.com> wrote:
> Hi John, Thanks for our help. I really appreciate it. Ill test it today and
> let you know how it goes.
>
> Thanks again,
>
>
> Andrew Court
>
> IT Security Specialist | BT Retail - Ireland |
> E:Andrew.Court@bt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432 5899|
> www.btireland.com
>
>
> -----Original Message-----
> From: John Scherff [mailto:jscherff@gmail.com]
> Sent: 27 October 2007 07:09
> To: Andrew Court
> Cc: nessus@list.nessus.org
> Subject: RE: Plugin 13855 - installed hotfixes
>
>
> Andrew,
>
> Not sure if you received this earlier.  I sent it to you and to the list
> this morning from my work account ( jscherff@24hourfit.com), but it never
> showed up on the list so we might be having SMTP issues.  Anyway, here it is
> from my personal email account, just in case.
>
> John
>
> * * * * * *
>
>
>
> Andrew,
>
> Nessus will tell you if you're missing any hotfixes.
>
> However, if you really need the list, try the below script... I tested it on
> a couple hosts and it seems to work. Name it smb_hotfixes_list.nasl or
> something, pick a different plugin ID if you wish (I can never remember
> which range I'm supposed to use), place it in the
> /opt/nessus/lib/nessus/plugins directory, run /opt/nessus/sbin/nessusd -t,
> restart nessusd (just to be sure), and then run a scan.  FYI, I put the
> results in a hash first (rather than concatenating directly to the report
> string) to remove duplicates and sort the output.
>
> If you want these in MSYY-NNN format, you'll have to write an include file
> that does the mapping for you... probably an exercise in futility.
>
> Cheers,
>
> John Scherff
> 24 Hour Fitness
> Sr. IT Security Engineer
>
>
>
> # ==========================================================
> # Author: John Scherff, 24 Hour Fitness, 25 October 2007
> # ==========================================================
>
> desc["english"] = "
> Synopsis :
>
> Installed Windows Hotfixes
>
> Description :
>
> The Windows hotfixes listed below are installed on this computer.
>
> Risk factor :
>
> None";
>
> if( description ) {
>
>   script_id( 66001 );
>   script_version( "$Revision: 1.60 $" );
>   script_description( english: desc["english"] );
>   script_category( ACT_GATHER_INFO );
>
>   name["english"] = "Installed Windows Hotfix List";
>   script_name( english: name["english"] );
>
>   summary["english"] = "Lists Windows hotfixes that have been installed on
> the computer.";
>   script_summary( english: summary["english"] );
>
>   copyright["english"] = "This Script is Copyright (C) 2007 John Scherff /
> 24 Hour Fitness";
>   script_copyright( english: copyright["english"] );
>
>   family["english"] = "Windows";
>   script_family( english: family["english"] );
>
>   script_dependencies( "smb_hotfixes.nasl" );
>   script_require_keys( "SMB/Registry/Enumerated" );
>
>   exit( 0 );
> }
>
> smbEnumerationStatus = get_kb_item( "SMB/Registry/Enumerated" );
> if( smbEnumerationStatus != TRUE ) exit( 0 );
>
> hotfixHash = make_array();
> hotfixList = '';
>
> kbPrefixAry = make_list(
>   "SMB/Registry/HKLM/SOFTWARE/Microsoft/Updates/*",
>   "SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/HotFix/*",
>   "SMB/Registry/HKLM/SOFTWARE/Microsoft/Fpc/Hotfixes/*",
>   "SMB/Registry/HKLM/SOFTWARE/Microsoft/Updates/Windows Media Player/*"
> );
>
> foreach kbPrefix ( kbPrefixAry ) {
>   kbHash = get_kb_list( kbPrefix );
>   foreach kbKey ( keys( kbHash ) ) {
>     if( kbHash[kbKey] == TRUE ) {
>       match = eregmatch(
>         pattern: '/(KB[0-9]{6}[A-Z0-9_]{0,6})',
>         string: kbKey,
>         icase: TRUE
>       );
>       if( match ) hotfixHash[match[1]] = 1;
>     }
>   }
> }
>
> foreach hotfixKey ( sort( keys( hotfixHash ) ) ) {
>   hotfixList += ' - ' + hotfixKey + '\n';
> }
>
> if( hotfixList) {
>   report = string( desc["english"], '\n\nPlugin Output :\n\n' + hotfixList +
> '\n' );
>   security_note( port: 0, data: report );
> }
>
>
>
>
>
>  ________________________________
>  From: nessus-bounces@list.nessus.org
> [mailto:nessus-bounces@list.nessus.org] On Behalf Of Andrew Court
> Sent: Thursday, October 25, 2007 12:10 PM
> To: nessus@list.nessus.org
> Subject: Plugin 13855 - installed hotfixes
>
>
>
>
> Hi,
>
> This is probably pretty basic, but, here goes. Plugin 13855 enumerates the
> list of installed hotfixes on a windows box. It stores the information in
> the KB to prevent extended use of the remote registry. However I want that
> list of installed hotfixes. How do I include it in the nsr/nbe report that
> nessus outputs. I know I can use get_kb_item in a nasl script to get
> information from the kb but I am not sure how to tell it which info to get.
> I want the list of installed patches for a patch audit, so if anyone has any
> custom scripts they have used for patch audits, I would be very much obliged
> if they sent them to me.
>
> Kind Regards,
>
> Andrew Court
>
> IT Security Specialist | BT Retail - Ireland |
> E: Andrew.Court@bt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432 5899|
> www.btireland.com
>
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus



-- 
Thanks,
Pavithra.H
Research Analyst, Thirdbrigade Labs
Bangalore
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus