Mailing List Archive

Ryan,

If you want to read the registry or check for a file you have to get
some access first, by connecting to SMB.
So you'll need an account. It doesn't always have to be an admin acount,
but of cours this account can do the most on the remote system.

If the account you uses can read the registry or access files (if you
are talking about windows) in normal way it should be possible with
nessus. Take a look at the smb*.inc files.

regarding executing netstat -n (or other commands) that is not possible
by default.
These scripts have to be signed with a private key from nessus.
Because with this function you can do more harm then other security
checks. But in short there are ways to do this, but again you'll first
need access (and permissions)

-- Ferdy

Ryan Petti wrote:
> I’m attempting to write a plugin to test for the presence of a specific
> application on a client’s machine. Problem is I won’t have admin access
> to any of them. I’m wondering if it’s possible to do ANY ONE of the
> following tasks without having admin rights to a client machine:
>
>
>
> 1) Check for the presence of a service and if possible whether it is
> active or not
>
>
>
> OR
>
>
>
> 2) Check for the presence of a specific file on the client system
>
>
>
> OR
>
>
>
> 3) Check for the presence of an active connection on the client machine
> using a dynamic source address to a another specific server on a
> specific static destination port. For example, using netstat -a (in
> windows), this is the type of connection I would need to detect:
>
>
>
> Proto Local Address Foreign
> Address State
>
> TCP <localmahine>:<dyn source port> <specific
> server>:<static dest port> CLOSE_WAIT
>
>
>
> Thanks!
>
>
>
> Ryan
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Plugins-writers mailing list
> Plugins-writers@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/plugins-writers
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers

That's part of it. I'm assuming I won't have an account to access these
machines at all. They're student machines at a college, so account
access is pretty much impossible. I was hoping there was another way to
possibly check one of the three conditions I listed. And the third one
not necessarily by actually running netstat, I just threw that in there
to show an example of the kind of connection I'd be looking for using a
port scanner or some other script.

-----Original Message-----
From: Ferdy Riphagen [mailto:f.riphagen@nsec.nl]
Sent: Tuesday, June 13, 2006 12:51 PM
To: Ryan Petti
Cc: plugins-writers@list.nessus.org
Subject: Re: [Plugins-writers] Check for an application

Ryan,

If you want to read the registry or check for a file you have to get
some access first, by connecting to SMB.
So you'll need an account. It doesn't always have to be an admin acount,
but of cours this account can do the most on the remote system.

If the account you uses can read the registry or access files (if you
are talking about windows) in normal way it should be possible with
nessus. Take a look at the smb*.inc files.

regarding executing netstat -n (or other commands) that is not possible
by default.
These scripts have to be signed with a private key from nessus.
Because with this function you can do more harm then other security
checks. But in short there are ways to do this, but again you'll first
need access (and permissions)

-- Ferdy

Ryan Petti wrote:
> I'm attempting to write a plugin to test for the presence of a
specific
> application on a client's machine. Problem is I won't have admin
access
> to any of them. I'm wondering if it's possible to do ANY ONE of the
> following tasks without having admin rights to a client machine:
>
>
>
> 1) Check for the presence of a service and if possible whether it is
> active or not
>
>
>
> OR
>
>
>
> 2) Check for the presence of a specific file on the client system
>
>
>
> OR
>
>
>
> 3) Check for the presence of an active connection on the client
machine
> using a dynamic source address to a another specific server on a
> specific static destination port. For example, using netstat -a (in
> windows), this is the type of connection I would need to detect:
>
>
>
> Proto Local Address Foreign
> Address State
>
> TCP <localmahine>:<dyn source port> <specific
> server>:<static dest port> CLOSE_WAIT
>
>
>
> Thanks!
>
>
>
> Ryan
>
>
>
------------------------------------------------------------------------
>
> _______________________________________________
> Plugins-writers mailing list
> Plugins-writers@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/plugins-writers

_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers

On Tue, Jun 13, 2006 at 11:24:35AM -0400, Ryan Petti wrote:

> I’m wondering if it’s possible to do ANY ONE of the
> following tasks without having admin rights to a client machine:
...
> 1) Check for the presence of a service and if possible whether it is
> active or not

Generally no, unless the service listens remotely and offers some way to
detect it.

> 2) Check for the presence of a specific file on the client system

No, not generally.

> 3) Check for the presence of an active connection on the client machine
> using a dynamic source address to a another specific server on a
> specific static destination port. For example, using netstat -a (in
> windows), this is the type of connection I would need to detect:

No, but in this case you might consider a different tool. Tenable's
Passive Vulnerability Scanner, formerly known as NeVO, would let you do
this and complement Nessus nicely. Or you could write a special rule in,
say, Snort.

George
--
theall@tenablesecurity.com
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers