Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Nessus>
  3. plugins
Accessing multiple sub keys in the Windows registery
jfvanmeter at comcast
Apr 5, 2006, 10:37 AM
Post #1 of 5 (2799 views)
Permalink
Hello, I'm looking for someone to point me in the right direction on a problem that I"m having.

I'm trying to write a plugin that will open the following registery key
HKEY_CLASSES_ROOT\AppID

then look at all subkeys looking for and record the following Values
LaunchPermission (Reg_Bin)
RunAs (Reg_Sz)

I'm having the problem recording the AppID of the subkey, then dumping all the subkeys that contain LaunchPermission and RunAs Values
Example HKEY_CLASSES_ROOT\AppID\{0C155DD2-B99E-4702-9DCC-1BFA042FEE4F}
AppID = 0C155DD2-B99E-4702-9DCC-1BFA042FEE4F
LaunchPermissions = (a very long binary string that changes according to the RunAs Value)
RunAs = Interactive, System, User, Domain Administrators

If someone can point me in the right direction that would really help me out.

Thanks --John
Re: Accessing multiple sub keys in the Windows registery [ In reply to ]
jfvanmeter at comcast
Apr 6, 2006, 6:04 AM
Post #2 of 5 (2712 views)
Permalink
Would this work to to enumerate all the keys below a specified key and store the values? when i run nasl -t localhost appid.nasl I dont' receive any errors, thanks in advance --John

RegistryLocation = "AppID\.Default";
Text1 = ReadRegistry(HKEY_CLASSES_ROOT, RegistryLocation, "");
Res = ReadRegistryGetSubkey(HKEY_CLASSES_ROOT, "AppID", i);
Do Until Res = "Not Found"
Text1.Text = Text1.Text & " " & Res
i = i + 1
Res = ReadRegistryGetSubkey(HKEY_CLASSES_ROOT, "AppID", i);

-------------- Original message --------------
From: jfvanmeter@comcast.net

Hello, I'm looking for someone to point me in the right direction on a problem that I"m having.

I'm trying to write a plugin that will open the following registery key
HKEY_CLASSES_ROOT\AppID

then look at all subkeys looking for and record the following Values
LaunchPermission (Reg_Bin)
RunAs (Reg_Sz)

I'm having the problem recording the AppID of the subkey, then dumping all the subkeys that contain LaunchPermission and RunAs Values
Example HKEY_CLASSES_ROOT\AppID\{0C155DD2-B99E-4702-9DCC-1BFA042FEE4F}
AppID = 0C155DD2-B99E-4702-9DCC-1BFA042FEE4F
LaunchPermissions = (a very long binary string that changes according to the RunAs Value)
RunAs = Interactive, System, User, Domain Administrators

If someone can point me in the right direction that would really help me out.

Thanks --John

Attached Files:

Re: Accessing multiple sub keys in the Windows registery [ In reply to ]
theall at tenablesecurity
Apr 6, 2006, 8:08 AM
Post #3 of 5 (2711 views)
Permalink
On Thu, Apr 06, 2006 at 01:04:46PM +0000, jfvanmeter@comcast.net wrote:

> Would this work to to enumerate all the keys below a specified key and
> store the values?

Personally, I'd find it more useful if you included actual code snippets
along with any output you do receive.

> when i run nasl -t localhost appid.nasl I dont'
> receive any errors,

What happens when you run it via nessusd?


George
--
theall@tenablesecurity.com
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: Accessing multiple sub keys in the Windows registery [ In reply to ]
jfvanmeter at comcast
Apr 6, 2006, 8:49 AM
Post #4 of 5 (2709 views)
Permalink
Thank you for the Help
Below is the code that I'm working with

if(description)
{
script_name(english:"DCOM LaunchPermissions");
desc["english"] = "

Solution : Verify that the Launch Permission are correct and meet the requires outlined in the
organization security Policy
Reference http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomtec.asp
Risk factor : High";
script_description(english:"Connect to a remote registry and check the DCOM Launch Permissions");
script_summary(english:"connects on remote tcp port 135");
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script was written by ***");
script_dependencies("netbios_name_get.nasl",
"smb_login.nasl", "smb_registry_access.nasl");
script_require_keys("SMB/transport", "SMB/name", "SMB/login", "SMB/password", "SMB/registry_access");
script_require_ports(139, 445);
exit(0);
}

# Setup Connection
if ( ! get_port_state(port) ) exit(0);
soc = open_sock_tcp(port);
if ( ! soc ) exit(0);
session_init(socket:soc, hostname:name);
r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if ( r != 1 ) exit(0);

#To read the value of a subkey; Function ReadRegistryGetSubkey which allows you to enumerate
#all the keys below a specified key. Useful for building a directory tree of the registry just call it
#continuously until "Not Found" is returned and store the returned value(s) in an array or something.
Text1 = 0;
Res = 0;
i = 0;
Text1.Text = [ "one", "two", "three" ];
RegistryLocation = "AppID\.Default";
Text1 = ReadRegistry(HKEY_CLASSES_ROOT, RegistryLocation, "");
Res = ReadRegistryGetSubkey(HKEY_CLASSES_ROOT, "AppID", i);
Do Until Res = "Not Found"
Text1.Text = Text1.Text & " " & Res
i = i + 1
Res = ReadRegistryGetSubkey(HKEY_CLASSES_ROOT, "AppID", i);
exit(0);
}

What I'm trying to do is take the output from the loop, and write it to an array.

When I run nasl -t localhost ip address /opt/nessus/lib/nessus/plugins/dcom2.nasl
I get an error, syntax error, unexpected IDENT
on or near line 48

Nessusd loads all the other plugins but fails the dcom2.nasl
-------------- Original message --------------
From: "George A. Theall" <theall@tenablesecurity.com>

> On Thu, Apr 06, 2006 at 01:04:46PM +0000, jfvanmeter@comcast.net wrote:
>
> > Would this work to to enumerate all the keys below a specified key and
> > store the values?
>
> Personally, I'd find it more useful if you included actual code snippets
> along with any output you do receive.
>
> > when i run nasl -t localhost appid.nasl I dont'
> > receive any errors,
>
> What happens when you run it via nessusd?
>
>
> George
> --
> theall@tenablesecurity.com
> _______________________________________________
> Plugins-writers mailing list
> Plugins-writers@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: Accessing multiple sub keys in the Windows registery [ In reply to ]
theall at tenablesecurity
Apr 6, 2006, 12:51 PM
Post #5 of 5 (2728 views)
Permalink
On Thu, Apr 06, 2006 at 03:49:24PM +0000, jfvanmeter@comcast.net wrote:

> # Setup Connection
> if ( ! get_port_state(port) ) exit(0);

You haven't initialized 'port'.

> #To read the value of a subkey; Function ReadRegistryGetSubkey which
> allows you to enumerate
> #all the keys below a specified key. Useful for building a directory
> tree of the registry just call it
> #continuously until "Not Found" is returned and store the returned
> value(s) in an array or something.
> Text1 = 0;
> Res = 0;
> i = 0;
> Text1.Text = [ "one", "two", "three" ];
> RegistryLocation = "AppID\.Default";
> Text1 = ReadRegistry(HKEY_CLASSES_ROOT, RegistryLocation, "");
> Res = ReadRegistryGetSubkey(HKEY_CLASSES_ROOT, "AppID", i);
> Do Until Res = "Not Found"
> Text1.Text = Text1.Text & " " & Res
> i = i + 1
> Res = ReadRegistryGetSubkey(HKEY_CLASSES_ROOT, "AppID", i);
> exit(0);

Where did you come up with this? This looks like VisualBasic, not NASL.

Take a look at Michel Arboi's on-line NASL reference,
<http://michel.arboi.free.fr/nasl2ref/>, especially the part about
smb_nt.inc. Then take an existing plugin and use it as a template to do
what you want. For example, gator.nasl is a really simple one that pulls
info from the registry.

Btw, note that you can't use the commandline NASL interpreter to access
the remote Windows registry; you will need to run your scripts using
nessusd.


George
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal