John, You right! According smb_hotfixes.nasl you have grabbed all hotfix related registry keys. But even this plugin doesn't list Hotfixes on Vista since there are no Vista specific registry keys to list Hotfixes. Usually to my understanding, they look for affected dlll fileversion instead of checking hotfixes. I have no idea about how do Nessus makes use of WMI interface to check the status of Hotfix.
On Nov 2, 2007 3:50 AM, John Scherff <[EMAIL PROTECTED]> wrote: > Thanks for the info. The plugin I wrote for Andrew depends on work done > by 13855. Does 13855 collect Vista hotfixes? If so, I might have > missed that bit (13855 is pretty big). Should just be a matter of > adding the vista-specific Nessus KB keys to the script below. > > -----Original Message----- > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Pavithra H > Sent: Wednesday, October 31, 2007 9:42 AM > To: Andrew Court; [email protected] > Subject: Re: Plugin 13855 - installed hotfixes > > Hey, > Note that it does not work on Windows Vista since the hotfix doesnt > updates registry when it has been installed. You need to have an > alternative method to get a list of installed hotfixes, like WMI > Interface. > > On Oct 31, 2007 4:18 PM, Andrew Court <[EMAIL PROTECTED]> wrote: > > > > > > Hi John, Thanks for our help. I really appreciate it. Ill test it > > today and let you know how it goes. > > > > Thanks again, > > > > > > Andrew Court > > > > IT Security Specialist | BT Retail - Ireland | E:[EMAIL PROTECTED] > > |Mobile: +353 86 1720 692 | Fax: +353 1 432 5899| www.btireland.com > > > > > > -----Original Message----- > > From: John Scherff [mailto:[EMAIL PROTECTED] > > Sent: 27 October 2007 07:09 > > To: Andrew Court > > Cc: [email protected] > > Subject: RE: Plugin 13855 - installed hotfixes > > > > > > Andrew, > > > > Not sure if you received this earlier. I sent it to you and to the > > list this morning from my work account ( [EMAIL PROTECTED]), but > > it never showed up on the list so we might be having SMTP issues. > > Anyway, here it is from my personal email account, just in case. > > > > John > > > > * * * * * * > > > > > > > > Andrew, > > > > Nessus will tell you if you're missing any hotfixes. > > > > However, if you really need the list, try the below script... I tested > > > it on a couple hosts and it seems to work. Name it > > smb_hotfixes_list.nasl or something, pick a different plugin ID if you > > > wish (I can never remember which range I'm supposed to use), place it > > in the /opt/nessus/lib/nessus/plugins directory, run > > /opt/nessus/sbin/nessusd -t, restart nessusd (just to be sure), and > > then run a scan. FYI, I put the results in a hash first (rather than > > concatenating directly to the report > > string) to remove duplicates and sort the output. > > > > If you want these in MSYY-NNN format, you'll have to write an include > > file that does the mapping for you... probably an exercise in > futility. > > > > Cheers, > > > > John Scherff > > 24 Hour Fitness > > Sr. IT Security Engineer > > > > > > > > # ========================================================== > > # Author: John Scherff, 24 Hour Fitness, 25 October 2007 # > > ========================================================== > > > > desc["english"] = " > > Synopsis : > > > > Installed Windows Hotfixes > > > > Description : > > > > The Windows hotfixes listed below are installed on this computer. > > > > Risk factor : > > > > None"; > > > > if( description ) { > > > > script_id( 66001 ); > > script_version( "$Revision: 1.60 $" ); > > script_description( english: desc["english"] ); > > script_category( ACT_GATHER_INFO ); > > > > name["english"] = "Installed Windows Hotfix List"; > > script_name( english: name["english"] ); > > > > summary["english"] = "Lists Windows hotfixes that have been > > installed on the computer."; > > script_summary( english: summary["english"] ); > > > > copyright["english"] = "This Script is Copyright (C) 2007 John > > Scherff / > > 24 Hour Fitness"; > > script_copyright( english: copyright["english"] ); > > > > family["english"] = "Windows"; > > script_family( english: family["english"] ); > > > > script_dependencies( "smb_hotfixes.nasl" ); > > script_require_keys( "SMB/Registry/Enumerated" ); > > > > exit( 0 ); > > } > > > > smbEnumerationStatus = get_kb_item( "SMB/Registry/Enumerated" ); if( > > smbEnumerationStatus != TRUE ) exit( 0 ); > > > > hotfixHash = make_array(); > > hotfixList = ''; > > > > kbPrefixAry = make_list( > > "SMB/Registry/HKLM/SOFTWARE/Microsoft/Updates/*", > > "SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows > NT/CurrentVersion/HotFix/*", > > "SMB/Registry/HKLM/SOFTWARE/Microsoft/Fpc/Hotfixes/*", > > "SMB/Registry/HKLM/SOFTWARE/Microsoft/Updates/Windows Media > Player/*" > > ); > > > > foreach kbPrefix ( kbPrefixAry ) { > > kbHash = get_kb_list( kbPrefix ); > > foreach kbKey ( keys( kbHash ) ) { > > if( kbHash[kbKey] == TRUE ) { > > match = eregmatch( > > pattern: '/(KB[0-9]{6}[A-Z0-9_]{0,6})', > > string: kbKey, > > icase: TRUE > > ); > > if( match ) hotfixHash[match[1]] = 1; > > } > > } > > } > > > > foreach hotfixKey ( sort( keys( hotfixHash ) ) ) { > > hotfixList += ' - ' + hotfixKey + '\n'; } > > > > if( hotfixList) { > > report = string( desc["english"], '\n\nPlugin Output :\n\n' + > > hotfixList + '\n' ); > > security_note( port: 0, data: report ); } > > > > > > > > > > > > ________________________________ > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Court > > Sent: Thursday, October 25, 2007 12:10 PM > > To: [email protected] > > Subject: Plugin 13855 - installed hotfixes > > > > > > > > > > Hi, > > > > This is probably pretty basic, but, here goes. Plugin 13855 enumerates > > > the list of installed hotfixes on a windows box. It stores the > > information in the KB to prevent extended use of the remote registry. > > However I want that list of installed hotfixes. How do I include it in > > > the nsr/nbe report that nessus outputs. I know I can use get_kb_item > > in a nasl script to get information from the kb but I am not sure how > to tell it which info to get. > > I want the list of installed patches for a patch audit, so if anyone > > has any custom scripts they have used for patch audits, I would be > > very much obliged if they sent them to me. > > > > Kind Regards, > > > > Andrew Court > > > > IT Security Specialist | BT Retail - Ireland | > > E: [EMAIL PROTECTED] |Mobile: +353 86 1720 692 | Fax: +353 1 432 > > 5899| www.btireland.com > > > > _______________________________________________ > > Nessus mailing list > > [email protected] > > http://mail.nessus.org/mailman/listinfo/nessus > > > > > > -- > Thanks, > Pavithra.H > Research Analyst, Thirdbrigade Labs > Bangalore > _______________________________________________ > Nessus mailing list > [email protected] > http://mail.nessus.org/mailman/listinfo/nessus > -- Thanks, Pavithra.H Research Analyst, Thirdbrigade Labs Bangalore _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
