Ron Gula wrote:
Of course, there is the chance that no-one is logged in at the remote
Windows computer.
Actually I've already thought of that - I just wanted to kick off a
conversation on the topic :-)
I already have a shell-script I use to find out this information in a
more effective (IMO) manner here - I'd love to see it done in a similar
manner under Nessus (I would like to see this as a standard Nessus
check, as I would think discovering ownership of machines was something
a lot of organizations have difficulty with?)
I use smbclient to do a directory listing of "Documents and Settings"
("Users" for Vista) and then choose the dirname with the newest date as
the evidence of the last logged-in user - which will also include the
currently logged in one. I also remove "system accounts" like
administrator, helpdesk accounts, etc - as my intent is to show the
"owner" of a PC - not really literally the last logged in user.
You can do a WMI script to get the username with the following querry:
SELECT UserName FROM Win32_ComputerSystem
That's what I needed - the following NASL scriptlet sets "CurrUser" to
the logged in user, which can then be output'ed via "report"/etc.
------------------------------------------------
import("wmi_func.nlib");
wmiObject = WMI_ConnectServer ("root\CIMV2");
if ( isnull(wmiObject) ) exit(0);
res = WMI_ExecQuery(wmiObject, "SELECT UserName FROM Win32_ComputerSystem");
if ( res )
{
info = WMI_GetNextElement (res);
CurrUser=info["UserName"];
CurrUser = str_replace(find:"\", replace:"/", string:CurrUser);
#foreach key ( keys(info) ) display(key, " : ", info[key], "\n");
}
--------------------------------------------------
Thanks!
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
