Mailing List Archive

Extracting info from the Windows registry
Hi,

I have had many abortive attempts at trying to get a report using the plug-in
mentioned in "Sucking the Machine Name out of the Registry" from John Eder
in 2004.

Does anyone actually have a plug-in that they care to share? All I am
trying to do is to extract the computer name from our Windows machines'
registry to help with our AV audit that we run each week as our current
naming resolution is a bit ....err .... umm .....on the flaky side ...

Kind Regards



Phil
Re: Extracting info from the Windows registry
It should be along the lines of

computername = get_kb_item("System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName");

which is where the name of the computer is kept.

You will likely need to have

script_require_keys("SMB/Registry/Enumerated");

somewhere at the beginning. Another way to handle it would be to do
something like what is found in the smb_reg_loginscreen.nasl script, which
is pretty much the exact same thing (querying a single key and getting a
value) only using System\CurrentControlSet\Control\ComputerName\ComputerName
as the key and "Computer Name" as the item.

That's actually a pretty handy thing. Useful for writing some other things
like "why is your machine name and DNS name not the same".



--
Doug Nordwall
Unix, Network, and Security Administrator
Noise proves nothing. Often a hen who has merely laid an egg cackles as if
she laid an asteroid. -- Mark Twain
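
Added example (not part of the thread and not any poster's code): a plugin that does the single-value registry query described in the reply above and reports when the registry name and the scanner's resolved name differ. The script_id is a placeholder, the value name is assumed to be ComputerName (no space, matching the last path component in the first snippet), and registry_get_sz() from smb_nt.inc is used as in the plugin posted later in this thread.

```nasl
# Added example, not from the thread.
if(description)
{
 script_id(99999);                 # placeholder ID, use one from your local range
 script_version("$Revision: 1.0 $");
 script_name(english:"Registry computer name vs. DNS name");
 script_description(english:"
Reads the computer name from the registry and compares it with the
name the scanner resolved for the host.

Risk factor: None");
 script_summary(english:"Compares registry ComputerName with DNS name");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"Example only");
 script_family(english:"Windows");
 script_dependencies("netbios_name_get.nasl", "smb_login.nasl",
                     "smb_registry_full_access.nasl");
 script_require_keys("SMB/name", "SMB/login", "SMB/password",
                     "SMB/registry_full_access");
 script_require_ports(139, 445);
 exit(0);
}

include("smb_nt.inc");
port = get_kb_item("SMB/transport");
if(!port) port = 139;

# Single key / single value query, in the style of smb_reg_loginscreen.nasl.
name = registry_get_sz(
 key:"SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName",
 item:"ComputerName");
if(!name) exit(0);   # registry not readable with the supplied credentials

report = string("Computer name (registry): ", name, "\n");

# get_host_name() returns the IP address when no name could be resolved,
# so only compare when the result looks like a real host name.
dns = get_host_name();
if(dns && !ereg(pattern:"^[0-9.]+$", string:dns))
{
 parts = split(dns, sep:".", keep:0);   # short name is the first DNS label
 if(tolower(parts[0]) != tolower(name))
  report = string(report, "DNS name: ", dns,
                  "\nThe registry name and the DNS name differ.\n");
}
security_note(port:port, data:report);
```
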
RE: Extracting info from the Windows registry
I wrote this plugin YEARS ago, I have no clue if it still works. It did
at one point.
......................................................


#
# (C) Jeff Adams <jadams@netcentrics.com>
#
if(description)
{
 script_id(98781);
 script_version("$Revision: 1.1 $");
 name["english"] = "Host Info Gathering Script";

 script_name(english:name["english"]);

 desc["english"] = "
This script collects information useful in assisting corporations
(System Administrators) in identifying machines on their local LANs.
It is most useful when used in locating and identifying machines flagged
as vulnerable by other plug-ins.
The following information will be collected:
User, Host, Domain, Owner, Org, OS, Version, Service Pack, Start Time,
Manufacturer, Model, and CPU.

Solution: Info Only
Risk factor: None";

 script_description(english:desc["english"]);

 summary["english"] = "Host Info Gathering Script";

 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2004 Jeff Adams");
 family["english"] = "Windows";
 script_family(english:family["english"]);

 script_dependencies("netbios_name_get.nasl", "smb_login.nasl",
                     "smb_registry_full_access.nasl");
 script_require_keys("SMB/name", "SMB/login", "SMB/password",
                     "SMB/registry_full_access");

 script_require_ports(139, 445);
 exit(0);
}

include("smb_nt.inc");
port = get_kb_item("SMB/transport");
if(!port)port = 139;

# Read each value from the remote registry (all keys are under HKEY_LOCAL_MACHINE).
user = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", item:"DefaultUserName");
domain = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", item:"DefaultDomainName");
host = registry_get_sz(key:"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", item:"Hostname");
owner = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion", item:"RegisteredOwner");
org = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion", item:"RegisteredOrganization");
os = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion", item:"ProductName");
ver = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion", item:"CurrentVersion");
sp = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion", item:"CSDVersion");
time = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher", item:"StartTime");
make = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OemInfo", item:"WbemOem");
model = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OemInfo", item:"WbemProduct");
cpu = registry_get_sz(key:"HARDWARE\DESCRIPTION\System\CentralProcessor\0", item:"ProcessorNameString");

# Build the report text and attach it to the SMB port as an informational note.
report = string ("This script collects information useful in assisting corporations
(System Administrators) in identifying machines on their local LANs.
It is most useful when used in locating and identifying machines flagged
as vulnerable by other plug-ins.

The following information was gathered about the remote host:
User: ", user, "
Domain: ", domain, "
Host Name: ", host, "
Registered Owner: ", owner, "
Registered Org: ", org, "
OS: ", os, "
Version: ", ver, "
Service Pack : ", sp, "
Start Time: ", time, "
Manufacturer: ", make, "
Model: ", model, "
CPU: ", cpu);
security_note(port:port, data:report);

________________________________

From: plugins-writers-bounces@list.nessus.org
[mailto:plugins-writers-bounces@list.nessus.org] On Behalf Of Morris,
Philip (JSY)
Sent: Thursday, December 14, 2006 11:26 AM
To: 'plugins-writers@list.nessus.org.'
Subject: [Plugins-writers] Extracting info from the Windows registry


_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
RE: Extracting info from the Windows registry
Thanks for the replies chaps

The Script still works Jeff, and with the odd tweak as suggested by Doug, I
am now good to go.

Kind regards
Phil

* * * * * * D I S C L A I M E R * * * * * * *

This email and any attachments transmitted with it are
intended solely for the addressee(s) and may be legally
privileged and/or confidential. If you have received this
email in error you may not copy, forward, disclose or use
the contents, attachments or information or any part
thereof in any way. Please destroy it and contact the
sender via our switchboard on +44(0) 1534 613000 for Jersey
and +44(0) 1481 727111 for Guernsey or via return email.
Any unauthorised use or disclosure may be unlawful.
Kleinwort Benson (Channel Islands) Limited ("the bank") give
no warranty as to the accuracy or completeness of this email
after it is sent over the Internet and accept no
responsibility for change made after it was sent.
Any opinions expressed in this email may be personal to the
author and may not necessarily reflect the opinions of
Dresdner Bank or its affiliates. They may also be subject to
change without notice. It is the responsibility of the
recipient to ensure that this e-mail is virus free and no
responsibility is accepted by the Bank for any loss or damage
arising in any way from receipt or use of it.
Re: RE: Extracting info from the Windows registry
Any interest in pushing that back out to the list?

On 12/21/06, Morris, Philip (JSY) <Philip.Morris@kbci.com> wrote:
>
> Thanks for the replies chaps
>
> The Script still works Jeff, and with the odd tweak as suggested by Doug,
> I am now good to go.
>
> Kind regards
> Phil


--
Doug Nordwall
Unix, Network, and Security Administrator
Noise proves nothing. Often a hen who has merely laid an egg cackles as if
she laid an asteroid. -- Mark Twain