Re: Plugin 13855 - installed hotfixes

Subject: Re: Plugin 13855 - installed hotfixes
Date: Fri, 2 Nov 2007 20:07:58 +0530
John,
You're right! According to smb_hotfixes.nasl you have grabbed all hotfix
related registry keys. But even this plugin doesn't list hotfixes on
Vista since there are no Vista-specific registry keys to list
hotfixes. Usually, to my understanding, they look for the affected DLL
file version instead of checking hotfixes.
I have no idea how Nessus makes use of the WMI interface to check
the status of a hotfix.

On Nov 2, 2007 3:50 AM, John Scherff <JScherff@24hourfit.com> wrote:
Thanks for the info.  The plugin I wrote for Andrew depends on work done
by 13855.  Does 13855 collect Vista hotfixes?  If so, I might have
missed that bit (13855 is pretty big).  Should just be a matter of
adding the vista-specific Nessus KB keys to the script below.

-----Original Message-----
From: nessus-bounces@list.nessus.org [mailto:nessus-bounces@list.nessus.org] On Behalf Of Pavithra H
Sent: Wednesday, October 31, 2007 9:42 AM
To: Andrew Court; nessus@list.nessus.org
Subject: Re: Plugin 13855 - installed hotfixes

Hey,
Note that it does not work on Windows Vista since the hotfix doesn't
update the registry when it has been installed. You need to have an
alternative method to get a list of installed hotfixes, like the WMI
interface.

On Oct 31, 2007 4:18 PM, Andrew Court <andrew.court@bt.com> wrote:


Hi John, Thanks for your help. I really appreciate it. I'll test it
today and let you know how it goes.

Thanks again,


Andrew Court

IT Security Specialist | BT Retail - Ireland | E:Andrew.Court@bt.com
|Mobile: +353 86 1720 692 | Fax: +353 1 432 5899| www.btireland.com


-----Original Message-----
From: John Scherff [mailto:jscherff@gmail.com]
Sent: 27 October 2007 07:09
To: Andrew Court
Cc: nessus@list.nessus.org
Subject: RE: Plugin 13855 - installed hotfixes


Andrew,

Not sure if you received this earlier.  I sent it to you and to the
list this morning from my work account ( jscherff@24hourfit.com), but
it never showed up on the list so we might be having SMTP issues.
Anyway, here it is from my personal email account, just in case.

John

* * * * * *



Andrew,

Nessus will tell you if you're missing any hotfixes.

However, if you really need the list, try the below script... I tested
it on a couple hosts and it seems to work. Name it
smb_hotfixes_list.nasl or something, pick a different plugin ID if you
wish (I can never remember which range I'm supposed to use), place it
in the /opt/nessus/lib/nessus/plugins directory, run
/opt/nessus/sbin/nessusd -t, restart nessusd (just to be sure), and
then run a scan.  FYI, I put the results in a hash first (rather than
concatenating directly to the report string) to remove duplicates and
sort the output.

If you want these in MSYY-NNN format, you'll have to write an include
file that does the mapping for you... probably an exercise in
futility.

Cheers,

John Scherff
24 Hour Fitness
Sr. IT Security Engineer



# ==========================================================
# Author: John Scherff, 24 Hour Fitness, 25 October 2007
# ==========================================================

desc["english"] = "
Synopsis :

Installed Windows Hotfixes

Description :

The Windows hotfixes listed below are installed on this computer.

Risk factor :

None";

if( description ) {

  script_id( 66001 );
  script_version( "$Revision: 1.60 $" );
  script_description( english: desc["english"] );
  script_category( ACT_GATHER_INFO );

  name["english"] = "Installed Windows Hotfix List";
  script_name( english: name["english"] );

  summary["english"] = "Lists Windows hotfixes that have been installed on the computer.";
  script_summary( english: summary["english"] );

  copyright["english"] = "This Script is Copyright (C) 2007 John Scherff / 24 Hour Fitness";
  script_copyright( english: copyright["english"] );

  family["english"] = "Windows";
  script_family( english: family["english"] );

  script_dependencies( "smb_hotfixes.nasl" );
  script_require_keys( "SMB/Registry/Enumerated" );

  exit( 0 );
}

# Nothing to report unless the SMB registry enumeration flag is set in the KB.
smbEnumerationStatus = get_kb_item( "SMB/Registry/Enumerated" );
if( smbEnumerationStatus != TRUE ) exit( 0 );

hotfixHash = make_array();
hotfixList = '';

# KB key prefixes that hold the hotfix-related registry entries.
kbPrefixAry = make_list(
  "SMB/Registry/HKLM/SOFTWARE/Microsoft/Updates/*",
  "SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/HotFix/*",
  "SMB/Registry/HKLM/SOFTWARE/Microsoft/Fpc/Hotfixes/*",
  "SMB/Registry/HKLM/SOFTWARE/Microsoft/Updates/Windows Media Player/*"
);

# Pull the KBnnnnnn identifier out of each key name; the hash removes duplicates.
foreach kbPrefix ( kbPrefixAry ) {
  kbHash = get_kb_list( kbPrefix );
  foreach kbKey ( keys( kbHash ) ) {
    if( kbHash[kbKey] == TRUE ) {
      match = eregmatch(
        pattern: '/(KB[0-9]{6}[A-Z0-9_]{0,6})',
        string: kbKey,
        icase: TRUE
      );
      if( match ) hotfixHash[match[1]] = 1;
    }
  }
}

# Build the report list in sorted order.
foreach hotfixKey ( sort( keys( hotfixHash ) ) ) {
  hotfixList += ' - ' + hotfixKey + '\n';
}

if( hotfixList ) {
  report = string( desc["english"], '\n\nPlugin Output :\n\n' + hotfixList + '\n' );
  security_note( port: 0, data: report );
}





 ________________________________
 From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Andrew Court
Sent: Thursday, October 25, 2007 12:10 PM
To: nessus@list.nessus.org
Subject: Plugin 13855 - installed hotfixes




Hi,

This is probably pretty basic, but, here goes. Plugin 13855 enumerates
the list of installed hotfixes on a windows box. It stores the
information in the KB to prevent extended use of the remote registry.
However I want that list of installed hotfixes. How do I include it in
the nsr/nbe report that nessus outputs. I know I can use get_kb_item
in a nasl script to get information from the kb but I am not sure how
to tell it which info to get.
I want the list of installed patches for a patch audit, so if anyone
has any custom scripts they have used for patch audits, I would be
very much obliged if they sent them to me.

Kind Regards,

Andrew Court

IT Security Specialist | BT Retail - Ireland |
E: Andrew.Court@bt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432
5899| www.btireland.com

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus




--
Thanks,
Pavithra.H
Research Analyst, Thirdbrigade Labs
Bangalore
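
The WMI alternative mentioned in the thread for hosts where the registry keys are not written, as an added example that is not part of the original messages and not Nessus code: it queries the Win32_QuickFixEngineering class and prints a de-duplicated, sorted list in the same form as the plugin output. The host names are constructed placeholders, and the script assumes PowerShell 3.0 or later with WinRM reachable on the targets.

```powershell
# Added example: list installed hotfixes over WMI (Win32_QuickFixEngineering)
# and print them in the same " - KBnnnnnn" form as the NASL plugin above.
# Host names below are constructed placeholders, not real systems.
param(
    [string[]]$ComputerName = @('HOST-A.example.test', 'HOST-B.example.test')
)

# Same identifier shape that the plugin's eregmatch() pattern accepts.
$kbPattern = '^(KB[0-9]{6}[A-Z0-9_]{0,6})'

function Get-HotfixList {
    param([string]$Computer)

    # -ErrorAction Stop turns an unreachable host into a catchable error,
    # so a failed query is never reported as "no hotfixes installed".
    $qfe = Get-CimInstance -ClassName Win32_QuickFixEngineering `
                           -ComputerName $Computer -ErrorAction Stop

    $ids = foreach ($entry in $qfe) {
        # Skip entries whose HotFixID is empty or not a KB identifier.
        if ($entry.HotFixID -match $kbPattern) { $Matches[1].ToUpper() }
    }

    # Remove duplicates and sort, as the plugin does with its hash.
    $ids | Sort-Object -Unique
}

foreach ($computer in $ComputerName) {
    try {
        $hotfixes = @(Get-HotfixList -Computer $computer)
        "{0}: {1} hotfix(es)" -f $computer, $hotfixes.Count
        $hotfixes | ForEach-Object { " - $_" }
    }
    catch {
        # Keep failures visible in the audit output instead of dropping the host.
        "{0}: QUERY FAILED ({1})" -f $computer, $_.Exception.Message
    }
}
```

On Windows Vista and later, Win32_QuickFixEngineering returns only updates installed through Component Based Servicing, so updates delivered as MSI packages do not appear in this list.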