diff --git a/README.md b/README.md
index e3b5148..d8863de 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,8 @@ available for the missing bulletins.
 It requires the 'systeminfo' command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the
-patch level of the host.
+patch level of the host. Can also parse 'systeminfo' generated using
+PowerShell Win32_OperatingSystem and Get-Hotfix.
 It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.
@@ -87,6 +88,11 @@ $ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --ostext 'windo
 [M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
 ```
+PowerShell system and hotfix information that mimics "systeminfo" command
+```
+PS C:\Users\user> Get-WmiObject Win32_OperatingSystem | Select * | Out-File -Encoding ASCII ${env:COMPUTERNAME}_$(get-date -f yyyyMMdd)_checks.txt; Get-Hotfix | Select-Object HotfixID | Out-File -Append -Encoding ASCII ${env:COMPUTERNAME}_$(get-date -f yyyyMMdd)_checks.txt
+```
+
 LIMITATIONS
 ===========
 Currently, if the 'systeminfo' command reveals 'File 1' as the output for
diff --git a/windows-exploit-suggester.py b/windows-exploit-suggester.py
index 108c1b6..f24f8cf 100755
--- a/windows-exploit-suggester.py
+++ b/windows-exploit-suggester.py
@@ -2,7 +2,7 @@
 # -*- coding: utf-8 -*-
 #
 # Windows Exploit Suggester
-# revision 3.3, 2017-02-13
+# revision 3.4, 2019-03-04
 #
 # author: Sam Bertram, Gotham Digital Science
 # contact: labs@gdssecurity.com,sbertram@gdssecurity.com,sammbertram@gmail.com 
@@ -165,6 +165,12 @@
 # Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
 #
 # CHANGE LOG
+# v34 2019-03-04
+# - added Service Pack test to accept ServicePackMajorVersion for Powershell sysinfo
+# - added Archtecture test to accept -bit for Powershell sysinfo
+# - Can now parse the output of the following PowerShell command that gathers system info and hotfixes
+# - Get-WmiObject Win32_OperatingSystem | Select * | Out-File -Encoding ASCII ${env:COMPUTERNAME}_$(get-date -f yyyyMMdd)_checks.txt; Get-Hotfix | Select-Object HotfixID | Out-File -Append -Encoding ASCII ${env:COMPUTERNAME}_$(get-date -f yyyyMMdd)_checks.txt
+#
 # v33 2017-02-13
 # - added links to exploits and resources for each bulletins. can be ignored with the -q/--quiet flag
 # - hard coded ms11-011 to ignore false positives
@@ -571,11 +577,11 @@ def run(database):
 release = getrelease(haystack)
 # similar to OS, there is the words 'Service Pack'
- if "Service Pack" in haystack and not servicepack:
+ if "Service Pack" in haystack or "ServicePackMajorVersion" in haystack and not servicepack:
 servicepack = getservicepack(haystack)
 # get architecture only if -based is in the line, and --ostext hasn't been used
- if "-based" in haystack and not architecture:
+ if "-based" in haystack or "-bit" in haystack and not architecture:
 architecture=getarchitecture(haystack)
 # look for kbs
@@ -1031,7 +1037,7 @@ def getarchitecture(ostext):
 # target Itanium with a simple search for 'tani'
 if "tani" in s:
 architecture="Itanium"
- if getname(ostext) == "2008" and getrelease(ostext) == "2" and architecture == "32":
+ if getname(ostext) == "2008" and getrelease(ostext) == "3" and architecture == "32":
 if ARGS.verbose:
 ALERT("forcing unidentified architecture to 64-bit because OS identified as Windows 2008 R2 (although could be Itanium and wasn't detected?)")
 architecture = "64"
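Review bot: Both new conditions in run() parse as `A or (B and not x)` because `and` binds tighter than `or`, so `"Service Pack" in haystack or "ServicePackMajorVersion" in haystack and not servicepack` re-runs getservicepack() on every later line containing "Service Pack" and overwrites a value already found, and `"-based" in haystack or "-bit" in haystack and not architecture` likewise bypasses the guard that the comment above it says protects a value supplied via --ostext. The input is host-supplied systeminfo text, so a stray "Service Pack" or "-based" on a later line silently changes the patch level and architecture the tool reports, i.e. which bulletins are flagged. Parenthesise the alternatives: `if ("Service Pack" in haystack or "ServicePackMajorVersion" in haystack) and not servicepack:` and `if ("-based" in haystack or "-bit" in haystack) and not architecture:`. Whether getservicepack() and getarchitecture() actually extract a value from a `ServicePackMajorVersion : 1` or `OSArchitecture : 64-bit` line is not visible in this diff, so the PowerShell output named in the changelog is worth a test. run() begins before this hunk.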
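Review bot: The release check in getarchitecture() is changed from `getrelease(ostext) == "2"` to `== "3"` while the ALERT it guards still says the OS was identified as Windows 2008 R2, and neither the v34 changelog entry in this commit nor a comment on the line explains the new value. If getrelease() returns "2" for an R2 string, as the old condition and the ALERT text suggest, this branch no longer fires for 2008 R2 hosts and an undetected architecture stays "32", which changes the bulletin matching for those hosts; if getrelease() really reports R2 as "3", please say so on the line, e.g. `# getrelease() reports 2008 R2 as "3"`, and add the change to the v34 changelog. getarchitecture() begins before this hunk and getrelease() is not in the diff, so this is inferred from the hunk alone.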