
Writing to the registry_open_hkcu function.
Hi Everyone,

I spent the better part of the day immersing myself in an attempt to write a
plugin to determine Windows XP screen saver settings. I need to be able to
report on whether the screen saver is enabled, how many seconds of inactivity
before it engages, and if it requires a password to be disabled. All of which
are physical security concerns in our environment.

After a lot of scratching my head I realized that the function RegOpenKey() only
works with HKEY_LOCAL_MACHINE. Unfortunately, registry settings for screen
savers do not reside there. For my purposes I need to query HKEY_CURRENT_USER.
A book by Syngress called Nessus, Snort, & Ethereal Power Tools makes reference
to some NASL plugin functions that I can not find detailed information about.
The chapter that talks about it can be seen online at
http://www.securityfocus.com/excerpts/19. Here is the part I am referencing:

"To use the following lower-level functions, you need to set up a socket to the
appropriate host and log in to the remote host:

registry_open_hklm, registry_open_hkcu, registry_open_hkcr Returns the
equivalent to the MSDN's RegConnectRegistry() when it's provided with a socket,
user id, tree id, and a pipe name. The return value is suitable to be used by
registry_get_key()."

It would be a huge help if anyone knows the complete syntax to use the
registry_open_hkcu() function, knows of a plugin that already uses it, or has
examples that I can work from.

Thanks for your help,

T

_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
RE: Writing to the registry_open_hkcu function.
> -----Original Message-----
> From: plugins-writers-bounces@list.nessus.org
> [mailto:plugins-writers-bounces@list.nessus.org] On Behalf Of
> tom@dyll.com
> Sent: Saturday, February 25, 2006 11:36 PM
> To: plugins-writers@list.nessus.org
> Subject: [Plugins-writers] Writing to the registry_open_hkcu function.
>
>
> Hi Everyone,
>

> It would be a huge help if anyone knows the complete syntax to use the
> registry_open_hkcu() function, knows of a plugin that already
> uses it, or has
> examples that I can work from.

grep is your friend:

grep registry_open_hkc *.inc
smb_nt.inc:function registry_open_hkcr(soc, uid, tid, pipe)

find ./ -name '*.nasl' -exec grep -H registry_open_hkcu {} \;

(seems it exists in smb_nt.inc but not in any current plugins)


RE: Writing to the registry_open_hkcu function.
> savers do not reside there. For my purposes I need to query
> HKEY_CURRENT_USER.

One possible problem:
It might not show anything if there is no current user logged on anyway.
Haven't used it, but if you look at regedit, you see CURRENTUSER, but
you see any other users not currently logged on as separate SIDs
there.

Not sure if plugin will return one answer for each possible user, or
just the current logged on user.

If target system is 2002+ with AD, you might find these in domain
security policies (which would enforce them anyway, with ability to
prevent luser from disabling it)

Might be able to use BOUND LDAP queries on AD to find this information.
RE: Writing to the registry_open_hkcu function.
Thanks for the initial response. I want to keep the dialog open for two
reasons. 1st, I was surprised to see no information on this topic when I first
started searching with Google. Hopefully we will help others out too. 2nd,
validating screen saver settings is a real security problem. In our environment,
and I am sure in others, there are workstations and kiosks that need not only
network security settings monitored but physical security settings too.

>> -----Original Message-----
> One possible problem:
> It might not show anything if there is no current user logged on anyway.
> Haven't used it, but if you look at regedit, you see CURRENTUSER, but
> you see any other users not currently logged on as separate SIDS's
> there.
>
> Not sure if plugin will return one answer for each possible user, or
> just the current logged on user.
>
> If target system is 2002+ with AD, you might find these in domain
> security policies (which would enforce them anyway, with ability to
> prevent luser from disabling it)
>
> Might be able to use BOUND LDAP queries on AD to find this information.

Thanks for the workaround suggestions and potential fixes, but I had considered
these before I started. They are not options because some of the devices are
not part of an AD domain. The fun of working in my environment.

I am aware that if the plugin is working it may not show any information
for HKEY_CURRENT_USER if no one is logged in. That makes sense, and I assume if
no one is logged in then the screen saver time out is not an issue since the
device would require authentication anyway. It's a good thought but it's not the
problem.

I can tell using Ethereal that the registry query is failing. It took me a while
to understand why Ethereal was decoding the return packet as: WINREG OpenKey
respons, Error: File no found (pathname error).

Here is a portion of my code:

# Connect to the remote registry and ask for the HKEY_CURRENT_USER hive.
hcu = RegConnectRegistry(hkey:HKEY_CURRENT_USER);
if ( isnull(hcu) )
{
NetUseDel();
exit(0);
}
# Screen saver settings live under this key in the user's hive.
key = "Control Panel\Desktop";
# This is the call Ethereal shows failing with "File not found".
keyh = RegOpenKey(handle:hcu, key:key, mode:MAXIMUM_ALLOWED);

The confusing part is that RegConnectRegistry(hkey:HKEY_CURRENT_USER) works. In
Ethereal you see the connection to HKEY_CURRENT_USER as successful. What was
confusing was that RegOpenKey(handle:hcu, key:key, mode:MAXIMUM_ALLOWED) was
failing. I believe this is because it never really attached to
HKEY_CURRENT_USER. Instead it was looking at HKEY_LOCAL_MACHINE.

This is the reason that I started looking at registry_open_hkcu() as an
alternative and my prior post was looking for more information on how to use
it.


>> -----Original Message-----
>> It would be a huge help if anyone knows the complete syntax to use the
>> registry_open_hkcu() function, knows of a plugin that already
>> uses it, or has
>> examples that I can work from.
>
> grep is your friend:
>
> grep registry_open_hkc *.inc
> smb_nt.inc:function registry_open_hkcr(soc, uid, tid, pipe)
>
> find ./ -name '*.nasl' -exec grep -H registry_open_hkcu {} \;
>
> (seems it exists in smb_nt.inc but not in any current plugins)


You really threw me for a loop on this one but make an excellent point.

You grepped for hkc and not hkcu. This returned only hkcr, which I believe is
HKEY_CLASSES_ROOT. I verified it in my installation too.

So now the big question is: Does this mean that registry_open_hkcu() does not
exist at all?


Re: Writing to the registry_open_hkcu function.
On Sat, 2006-02-25 at 23:36 -0500, tom@dyll.com wrote:

>
> After a lot of scratching my head I realized that the function RegOpenKey() only
> works with HKEY_LOCAL_MACHINE.

Wrong.
You can open HKLM/HKU/HKCR/HKCU.

> Unfortunately, registry settings for screen
> savers do not reside there.
> For my purposes I need to query HKEY_CURRENT_USER.

HKEY_CURRENT_USER is not the best solution (there is a typo in
smb_header.inc by the way) because that only checks settings of the
currently logged-on user.
Screensaver settings are complex to check because if you define this
entry in your domain policy, the setting in HKEY_CURRENT_USER is created
during the log on process.


> A book by Syngress called Nessus, Snort, & Ethereal Power Tools makes reference
> to some NASL plugin functions that I can not find detailed information about.
> The chapter that talks about it can be seen online at
> http://www.securityfocus.com/excerpts/19. Here is the part I am referencing:
>
> "To use the following lower-level functions, you need to set up a socket to the
> appropriate host and log in to the remote host:
>
> registry_open_hklm, registry_open_hkcu, registry_open_hkcr Returns the
> equivalent to the MSDN’s RegConnectRegistry() when its provided with a socket,
> user id, tree id, and a pipe name. The return value is suitable to be used by
> registry_get_key()."

You should not use those deprecated functions. Use smb_func.inc instead.


Nicolas

RE: Writing to the registry_open_hkcu function.
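The two observations made in the replies above (HKEY_CURRENT_USER only reflects the user who is interactively logged on, and other users show up under HKEY_USERS as separate SID subkeys, which may be empty when nobody is logged on) are worth turning into a concrete check. The following Python script is an added example, not code from the thread, from Nessus, or from NASL. It parses a constructed `reg export` style dump of HKEY_USERS and evaluates the screen saver values for every loaded interactive-user hive. The value names ScreenSaveActive, ScreenSaveTimeOut and ScreenSaverIsSecure are the real ones Windows keeps under Control Panel\Desktop; the SIDs, the values, the 600-second threshold and the treatment of missing values as failures are this example's own choices.

```python
"""Per-user screen saver audit over a HKEY_USERS export.

Added example (not from the thread or from Nessus). HKEY_CURRENT_USER is
only an alias for the interactive user's hive under HKEY_USERS\<SID>, and
a hive is loaded only while that user is logged on, so the audit walks
HKEY_USERS and reports one finding per user hive it finds.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Real value names Windows keeps under Control Panel\Desktop (all REG_SZ).
ACTIVE, TIMEOUT, SECURE = "ScreenSaveActive", "ScreenSaveTimeOut", "ScreenSaverIsSecure"
# Hives that are not interactive users: the default profile and the
# LocalSystem / LocalService / NetworkService accounts.
NON_USER_HIVES = {".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20"}
# Domain or local account SID; also rejects the "<SID>_Classes" hives.
USER_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed sample export: SIDs and values are made up for the example.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaveActive"="1"

[HKEY_USERS\S-1-5-19\Control Panel\Desktop]
"ScreenSaveActive"="0"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="600"
"ScreenSaverIsSecure"="1"
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\logon.scr"
"ConstructedDwordValue"=dword:00000002

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="3600"
"ScreenSaverIsSecure"="0"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002_Classes]
"""


def parse_reg_export(text):
    """Parse the string/dword subset of the .reg format that regedit writes
    into {key_path: {value_name: value}}; REG_SZ stays str, REG_DWORD becomes int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.groups()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            # regedit escapes backslashes and quotes with a backslash.
            keys[current][name] = re.sub(r"\\(.)", r"\1", val[1:-1])
        elif val.lower().startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
    return keys


@dataclass
class Finding:
    sid: str
    timeout: Optional[int]
    compliant: bool
    reasons: Tuple[str, ...]


def hive_of(path):
    """Return the HKEY_USERS hive name if path is HKEY_USERS\\<hive>\\Control Panel\\Desktop."""
    parts = path.split("\\")
    if len(parts) == 4 and parts[0].upper() == "HKEY_USERS" \
            and [p.lower() for p in parts[2:]] == ["control panel", "desktop"]:
        return parts[1]
    return None


def audit_user_hives(keys, max_timeout=600):
    """One Finding per loaded interactive-user hive. An empty list means no
    user hive was loaded (nobody logged on), not that the policy passed."""
    findings = []
    for path, values in keys.items():
        hive = hive_of(path)
        if hive is None or hive in NON_USER_HIVES or not USER_SID.match(hive):
            continue
        reasons = []
        # Missing values count as failures: the check cannot tell a hardened
        # default from a profile that was never configured.
        if values.get(ACTIVE) != "1":
            reasons.append("screen saver not enabled")
        try:
            timeout = int(values.get(TIMEOUT))  # stored as a REG_SZ number of seconds
        except (TypeError, ValueError):
            timeout = None
        if timeout is None or not 0 < timeout <= max_timeout:
            reasons.append("timeout %r not within 1..%d seconds" % (values.get(TIMEOUT), max_timeout))
        if values.get(SECURE) != "1":
            reasons.append("password on resume not required")
        findings.append(Finding(hive, timeout, not reasons, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_user_hives(parse_reg_export(SAMPLE_EXPORT)):
        print(f.sid, "OK" if f.compliant else "FAIL: " + "; ".join(f.reasons))
```

Running it against the constructed export reports the first user hive as compliant and the second as failing on both the timeout and the missing password requirement, while .DEFAULT and the service-account hives are skipped; feeding it an export with no user hives at all returns an empty list, which is the "nobody logged on" case rather than a pass.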
I was able to find Michel Arboi's The NASL2 reference manual at
http://michel.arboi.free.fr/nasl2ref/nasl2_reference.pdf. This is a great pdf
but also makes no reference to registry_open_hkcu. In fact it appears as if
registry_open_hklm was only in the works around the time that it was written.

RE: Writing to the registry_open_hkcu function.
> > grep registry_open_hkc *.inc
> > smb_nt.inc:function registry_open_hkcr(soc, uid, tid, pipe)
> >
> > find ./ -name '*.nasl' -exec grep -H registry_open_hkcu {} \;
> >
> > (seems it exists in smb_nt.inc but not in any current plugins)
>
>
> You really threw me for a loop on this one but make an
> excellent point.
>
> You greped for hkc and not hkcu. This returned only hkcr
> which I believe is
> HKEY_CLASSES_ROOT. I verified it in my installation too.

Sorry, premature grepulation:

>
> So now the big question is: Does this mean that
> registry_open_hkcu() does not
> exist at all?

Looks like it's missing.
RE: Writing to the registry_open_hkcu function.
>> After a lot of scratching my head I realized that the function
>> RegOpenKey() only
>> works with HKEY_LOCAL_MACHINE.
>
> Wrong.
> You can open HKLM/HKU/HKCR/HKCU.

Maybe we were both wrong? I realized that I had only tried to use RegOpenKey()
for HKLM and HKCU. Turns out when I try to query HKCU it actually opens HKU. I
verified this several times. Here is my code:

# Ask for HKEY_CURRENT_USER; Ethereal shows this connect succeeding.
hkey = RegConnectRegistry(hkey:HKEY_CURRENT_USER);
if ( isnull(hkey) )
{
NetUseDel();
exit(0);
}

## Key below is from HKEY_USERS
key = ".DEFAULT";
## Key Below is from HKEY_CURRENT_USER
## key = "Control Panel"

# Opening ".DEFAULT" succeeds, so the handle really points at HKEY_USERS.
key_h = RegOpenKey(handle:hkey, key:key, mode:MAXIMUM_ALLOWED);

As you can see I attempt to open HKCU but what it actually does is open HKU. I
verified it by successfully querying HKU and not HKCU. I also have the Ethereal
traces if you would like to see them.

Anything you can do to point me in the right direction to get the function to
work or figure out how to fix it is appreciated.


RE: Writing to the registry_open_hkcu function.
On Sun, 2006-02-26 at 19:26 -0500, tom@dyll.com wrote:
> >> After a lot of scratching my head I realized that the function
> >> RegOpenKey() only
> >> works with HKEY_LOCAL_MACHINE.
> >
> > Wrong.
> > You can open HKLM/HKU/HKCR/HKCU.
>
> Maybe we were both wrong? I realized that I had only tried to use RegOpenKey()
> for HKLM and HKCU. Turns out when I try to query HKCU it actually opens HKU. I
> verified this several times. Here is my code:


As I told you there was a mistake in smb_header.inc.
I have just fixed it. You will just have to update your plugins (wait at
least one hour for server synchronization) and you will be able to use
both HKEY_USERS and HKEY_CURRENT_USER.

Nicolas
RE: Writing to the registry_open_hkcu function.
> As I told you there was a mistake in smb_header.inc.
> I have just fixed it. You will just have to update your plugins (wait at
> least one hour for server synchronization) and you will be able to use
> both HKEY_USERS and HKEY_CURRENT_USER.

I did not fully understand when you said there was a typo. I poked around in the
smb_header.inc file but without knowing what you were talking about I did not
see the problem. I went back to trying to figure out what I was doing wrong. I
had no idea that you were fixing the issue.

Thanks for the clarification and all your work.

Tom
