Nessus, Snort, and Ethereal Power Tools: Customizing Open Source Security Applications


By Noam Rathaus
Published by Syngress
ISBN: 1597490202
Published: September 2005
Pages: 400


Windows Testing Functionality Provided by the smb_hotfixes.inc Include File

If the remote host’s registry has been allowed access from a remote location, Nessus can gather information from it and store it in the knowledge base. Once the information is in the knowledge base, different types of tests can be created. The most common tests are service pack and hotfix presence verification.

All of the following functions work only if the remote host’s registry has been enumerated. If the registry hasn’t been enumerated, version-returning functions will return NULL, while product installation-checking functions will return minus one (-1) as the result. Furthermore, because registry enumeration relies on the ability to successfully launch the smb_hotfixes.nasl test, it has to be provided as a dependency to tests you write using any of the following functions:

· hotfix_check_exchange_installed: Returns the version of Exchange Server if it has been installed on the remote host.

· hotfix_data_access_version: Returns the version of the Access program if it has been installed on the remote host.

· hotfix_check_office_version: Returns the version of the remote host's Office installation. To determine the version, at least one of the following programs must be installed on the remote host: Outlook, Word, Excel, or PowerPoint.

· hotfix_check_word_version, hotfix_check_excel_version, hotfix_check_powerpoint_version, hotfix_check_outlook_version: Return the version of the Word, Excel, PowerPoint, or Outlook program, respectively, if it has been installed on the remote host.

· hotfix_check_works_installed: Returns the version of the MS Works program if it has been installed on the remote host.

· hotfix_check_iis_installed: Returns one or zero depending on whether the remote host has IIS (Internet Information Server) installed or not.

· hotfix_check_wins_installed, hotfix_check_dhcpserver_installed: Return one or minus one depending on whether the remote host has the WINS (Windows Internet Naming Service) server or DHCP (Dynamic Host Configuration Protocol) server present or not.

· hotfix_check_nt_server: Returns zero or one depending on whether the remote host is a Windows NT server or not.

· hotfix_check_domain_controler: Returns zero or one depending on whether the remote host is a Windows Domain Controller or not.

· hotfix_get_programfilesdir: Returns the location of the Program Files directory on the remote host.

· hotfix_get_commonfilesdir: Returns the location of the Common Files directory on the remote host.

· hotfix_get_systemroot: Returns the location of the System Root directory on the remote host.

· hotfix_check_sp: Verifies whether a certain service pack has been installed on the remote host. The function uses the supplied service pack levels to check whether the remote host is running the specified product type and, if so, whether it has the appropriate service pack installed. It returns minus one if the registry hasn't been enumerated, zero if the requested service pack level has been installed, and one if the requested service pack level hasn't been installed.

· hotfix_missing: Verifies whether a certain hotfix has been installed on the remote host. The function returns minus one if the registry hasn't been enumerated, zero if the requested hotfix has been installed, and one if the requested hotfix hasn't been installed.

Master Craftsman

Registry Keys Stored in the Knowledge Base

The functions provided by the smb_hotfixes.inc include file all return values stored in the registry. By extending the amount of information Nessus holds in its knowledge base, you can speed up the scanning process. One example would be to store whether the ISA (Internet Security and Acceleration) server is installed on the remote host, which version is installed, and whether any service packs or feature packs have been applied to it. As of the writing of this book, seven tests check whether the ISA server is installed on a remote host. Because all of these tests read cached registry items, the time it takes to verify whether the remote host is vulnerable is negligible compared with reconnecting to the remote host's registry and pulling the required registry keys seven times.
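To illustrate the caching the sidebar describes, here is an added NASL helper (not from the book and not part of the Nessus distribution) that reads a registry string once, stores it in the knowledge base, and serves later callers from the cache. It assumes registry_get_sz() from smb_nt.inc; the ISA registry key, value name and knowledge base item name are placeholders and must be replaced with the real entries.

```nasl
# Added example: cache a registry value in the Nessus knowledge base so
# that every plugin needing it reads the remote registry only once.
# Assumes registry_get_sz() from smb_nt.inc (Nessus 2.x); the key, item
# and KB name below are placeholders, not the real ISA Server entries.

include("smb_nt.inc");

# Returns the cached string value if present; otherwise reads it from the
# remote registry once, stores it under kb_name, and returns it.
# NULL means the registry key or value is absent (product not installed).
function kb_cached_registry_sz(kb_name, key, item)
{
  local_var v;

  v = get_kb_item(kb_name);
  if ( ! isnull(v) ) return v;                 # served from the cache

  v = registry_get_sz(key:key, item:item);      # one remote registry read
  if ( isnull(v) ) return NULL;                 # value absent: not installed

  set_kb_item(name:kb_name, value:v);           # cache for the other tests
  return v;
}

# Placeholder names: substitute the real ISA Server key and value.
isa_ver = kb_cached_registry_sz(kb_name:"SMB/ISA/Version",
                                key:"SOFTWARE\PLACEHOLDER_ISA_KEY",
                                item:"PLACEHOLDER_VERSION_VALUE");

if ( isnull(isa_ver) ) exit(0);                 # ISA Server not present
```

A plugin that populates the cache should run before the tests that consume it, so list it in their script_dependencies(); the consumers can then require the KB item with script_require_keys() and skip the host entirely when it is missing.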

For example, Microsoft has recently released an advisory called Vulnerability in Web View Could Allow Remote Code Execution. The vulnerability described in this advisory affects Windows 2000, Windows 98, Windows 98SE, and Windows ME. As you will see later in this chapter, it is fairly easy to add a registry-based test for the aforementioned security advisory’s hotfix presence and to inform the user if it is in fact not present on the remote host.

Currently, Nessus supports security testing for only Windows NT, 2000, 2003, and XP. Moreover, as stated in the advisory, once Service Pack 5 is installed on the remote host, the Windows 2000 installation will be immune.

To create a test that verifies whether the remote host is immune to the vulnerability, you first need to verify that such a service pack has not been installed and that in fact the remote host is running Windows 2000. To do this, utilize the following lines:

# Only Windows 2000 is of interest: request service pack 5 for it and
# pass NULL for the other product types so they are not checked.
nt_sp_version = NULL;
win2k_sp_version = 5;
xp_sp_version = NULL;
win2003_sp_version = NULL;

# -1: registry not enumerated; 0: SP5 present (host immune); 1: SP5 missing.
if ( hotfix_check_sp( nt:nt_sp_version,
                      win2k:win2k_sp_version,
                      xp:xp_sp_version,
                      win2003:win2003_sp_version) <= 0 ) exit(0);

Before calling the lines above, you must first satisfy a dependency on smb_hotfixes.nasl and verify that the remote registry has been enumerated, which is indicated by the presence of the knowledge base item SMB/Registry/Enumerated. Both are done by adding the following lines to the script's description block:

script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");

Next, verify that hotfix Q894320 has been installed on the remote host. Do this by executing the following lines:

# hotfix_missing returns 1 when Q894320 is absent, so report a hole.
if ( hotfix_missing(name: "Q894320") > 0 )
  security_hole(get_kb_item("SMB/transport"));

The two functions used in the previous example are defined in the smb_hotfixes.inc file, which must be included before they can be called. Add the following line to your code:

include("smb_hotfixes.inc");
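Putting the steps together, here is the whole check as a Nessus 2.x-style NASL plugin. This is an added example, not the book's or the Nessus project's own plugin: the script ID, name, summary and description text are placeholders, and the description-block registration calls (script_id, script_version, script_name, script_description, script_summary, script_category, script_copyright, script_family, script_require_ports) are the standard NASL functions assumed to be available.

```nasl
# Added example: complete MS05-024 / Q894320 presence test built from the
# smb_hotfixes.inc functions described above. Script ID and text are
# placeholders; the logic is the book's two-step check.

if (description)
{
  script_id(99999);                               # placeholder ID
  script_version("$Revision: 1.0 $");
  script_name(english:"PLACEHOLDER: Web View (MS05-024) hotfix check");

  desc["english"] = "
The remote Windows 2000 host is missing hotfix Q894320 (MS05-024),
which addresses a vulnerability in Web View that could allow
remote code execution.

Solution: Install the hotfix referenced in MS05-024.
Risk factor: High";
  script_description(english:desc["english"]);
  script_summary(english:"Checks the registry for hotfix Q894320");

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Added example, no copyright claimed");
  script_family(english:"Windows : Microsoft Bulletins");

  # Registry enumeration is performed by smb_hotfixes.nasl; skip the host
  # entirely if it never produced the SMB/Registry/Enumerated KB item.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);
  exit(0);
}

include("smb_hotfixes.inc");

# Step 1: only Windows 2000 below SP5 is affected.  hotfix_check_sp returns
# -1 (registry not enumerated), 0 (SP5 present, immune) or 1 (SP5 missing
# on a Windows 2000 host); anything <= 0 means there is nothing to report.
if ( hotfix_check_sp( nt:NULL,
                      win2k:5,
                      xp:NULL,
                      win2003:NULL) <= 0 ) exit(0);

# Step 2: the host is Windows 2000 without SP5, so the hotfix itself
# decides.  hotfix_missing returns 1 when Q894320 is not installed.
if ( hotfix_missing(name:"Q894320") > 0 )
  security_hole(get_kb_item("SMB/transport"));
```

Because both checks only consult knowledge base items filled in by smb_hotfixes.nasl, the plugin makes no additional SMB connections of its own; on a host where the registry could not be enumerated it exits silently at step 1 rather than reporting a false negative as a finding.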

Swiss Army Knife

Microsoft's MSSecure.xml

Microsoft's Windows Update, Microsoft Baseline Security Analyzer, and Shavlik's HFNetChk all use an XML file that contains the most current information on the latest software versions, service packs, and security updates available for the various Microsoft operating systems, BackOffice components, services, and so on. Microsoft provides this file to the public for free. The MSSecure.xml file is both machine readable and human readable; thus, administrators can use it to spot relevant patches by hand or write an automated script that performs this task for them.

All the information required for the above Hotfix testing sample can be found in the MSSecure.xml’s MS05-024 advisory section.



About the author
Noam Rathaus is the cofounder and CTO of Beyond Security, a company specializing in the development of enterprise wide security assessment technologies, vulnerability assessment-based SOCs (security operation centers), and related products. He holds an Electrical Engineering degree from Ben Gurion University and has been checking the security of computer systems since the age of 13. Noam is also the editor-in-chief of SecuriTeam.com, one of the largest vulnerability databases and security portals on the Internet. He has contributed to several security-related open source projects, including an active role in the Nessus security scanner project. He has written more than 150 security tests to the open source tool’s vulnerability database and also developed the first Nessus client for the Windows operating system. Noam is apparently on the hit list of several software giants after being responsible for uncovering security holes in products by vendors such as Microsoft, Macromedia, Trend Micro, and Palm. This keeps him on the run using his Nacra Catamaran, capable of speeds exceeding 14 knots for a quick getaway. He would like to dedicate his contribution to the memory of Carol Zinger, known to us as Tutu, who showed him true passion for mathematics.
Noam wrote Chapters 1-5 on Nessus. Other contributors to this book include: Ami Chayun, Neil Archibald and Gilbert Ramirez