
Tenable Blog


Nessus 3.2 BETA -- Example WMI library usage

The Nessus 3.2 BETA includes many new features, including a library that allows users to program their own WMI queries to Windows systems. This blog entry discusses some example WMI NASL scripts that make use of the new library and identify interesting asset and configuration information about Windows hosts.

Tenable has already released several Windows security audits based on Nessus 3's WMI implementation. These checks are only available as Nessus 3 .nbin files. The ideas discussed in this blog may be released as future Nessus 3 .nbin files. However, if readers want to experiment with WMI today, they can try the BETA.

Installing Nessus 3.1 and the WMI .nlib library

The BETA of Nessus 3.2 carries the version designation "3.1". At the time of this blog draft, Tenable had released version 3.1.2. It can be obtained at nessus.org. The BETA can be installed over an existing Nessus 3 installation, but keep in mind that it still has the BETA designation and shouldn't be placed into production.

The WMI library can be downloaded from here. The file wmi_func.nlib should be installed into the plugins directory, for example /opt/nessus/lib/nessus/plugins on Red Hat Linux.

Running A First Query -- Getting the System Name

Remote WMI queries can get a wide variety of asset information about a Windows server. Consider the following Visual Basic code which enumerates a system name:

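' Enumerates the system name
On Error Resume Next
strComputer = "."   ' "." is the local machine; set this to the target host name for a remote query
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor",,48)

' ExecQuery returns a collection, so walk each returned object
For Each wbemObject In colItems
    WScript.Echo "SystemName: " & wbemObject.SystemName
Next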

The same set of code in NASL with the WMI library looks like this:

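import("wmi_func.nlib");

# Connect to the target's root\CIMV2 namespace; stop if the connection fails
wmiObject = WMI_ConnectServer("root\CIMV2");
if ( isnull(wmiObject) ) exit(0);

res = WMI_ExecQuery(wmiObject, "SELECT * FROM Win32_Processor");
info = WMI_GetNextElement (res);
# Only print when the query actually returned a row
if ( !isnull(info) ) display(info["SystemName"], "\n");

WMI_ReleaseObject(res);
WMI_ReleaseObject(wmiObject);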

Here is an example running from the command line using the nasl binary:

[root@demo3 plugins]# /opt/nessus/bin/nasl -t 192.168.20.16 wmi_test1_name.nasl
Login : Administrator
Password : *******
Domain :
TENABLED-9U86TO

The name "TENABLED-9U86TO" was obtained through a WMI query. For readers who are not familiar with running the nasl binary from the command line, note that it prompts for credentials, as well as other items and preferences, at run time.

Second Query - Get the OS and Patch Level

Using WMI to obtain the specific operating system release and patch level is a simple query.

import("wmi_func.nlib");

wmiObject = WMI_ConnectServer("root\CIMV2");
if ( isnull(wmiObject) ) exit(0);

res = WMI_ExecQuery(wmiObject, "SELECT * FROM Win32_OperatingSystem");
# Walk every returned row; the loop ends when no element is left
repeat {
    info = WMI_GetNextElement (res);
    # Skip the display on the final pass, where info is NULL
    if ( !isnull(info) )
        display(info["Caption"], " ", info["ServicePackMajorVersion"], "\n");
} until (isnull(info));

WMI_ReleaseObject(res);
WMI_ReleaseObject(wmiObject);

And here is the output:

[root@demo3 plugins]# /opt/nessus/bin/nasl -t 192.168.20.16 wmi_test2_os_patch.nasl
Login : Administrator
Password : *******
Domain :
Microsoft(R) Windows(R) Server 2003, Standard Edition 1

Third Example - Listing Recent Windows Events

WMI can also be used to remotely obtain Windows events. The following code shows how to obtain the last 10 events out of the Windows "Application" log file:

import("wmi_func.nlib");

wmiObject = WMI_ConnectServer("root\CIMV2");
if ( isnull(wmiObject) ) exit(0);

# Ask the Application log how many records it holds
res = WMI_ExecQuery(wmiObject, "Select * from Win32_NTEventLogFile Where LogFileName = 'Application'");
info = WMI_GetNextElement (res);

records = int(info["NumberOfRecords"]);
display("Number of Records : ", records , "\n");
WMI_ReleaseObject(res);   # release this result set before res is reused below

# Fetch the last 10 record numbers, one query per record
last10 = 0;
if (records > 10) {last10 = records - 10;}
for (i=last10; i<records; i++)
        {
        query_string = "Select * from Win32_NTLogEvent Where LogFile = 'Application' AND RecordNumber =" + i;
        res = WMI_ExecQuery(wmiObject, query_string);
        info = WMI_GetNextElement (res);
        if ( !isnull(info) )
                {
                display("ComputerName:", info["ComputerName"], "\n");
                display("EventCode:", info["EventCode"], "\n");
                display("Message:", info["Message"], "\n");
                }
        WMI_ReleaseObject(res);   # release each result set before the next query
        }

WMI_ReleaseObject(wmiObject);

And here is an example run of the code:

[root@demo3 plugins]# /opt/nessus/bin/nasl -t 192.168.20.16 wmi_test4_events.nasl
Login : Administrator
Password : ********
Domain :
Number of Records : 2307
ComputerName:TENABLED-9U86TO
EventCode:1
Message:Connections: accepted: 192.168.20.199::3139
ComputerName:TENABLED-9U86TO
EventCode:1
Message:Connections: closed: 192.168.20.199::3139 (Clean disconnection)
ComputerName:TENABLED-9U86TO
EventCode:1
Message:Connections: accepted: 192.168.20.199::3520
ComputerName:TENABLED-9U86TO
EventCode:1
Message:Connections: closed: 192.168.20.199::3520 (reading version failed: not an RFB client?)
ComputerName:TENABLED-9U86TO
EventCode:1
Message:Connections: blacklisted: 192.168.20.199
ComputerName:TENABLED-9U86TO
EventCode:1
Message:Connections: blacklisted: 192.168.20.199
ComputerName:TENABLED-9U86TO
EventCode:1
Message:Connections: blacklisted: 192.168.20.199
ComputerName:TENABLED-9U86TO
EventCode:1
Message:HTTPServer: untrapped: End of stream
ComputerName:TENABLED-9U86TO
EventCode:1
Message:Connections: accepted: 192.168.20.199::1549
ComputerName:TENABLED-9U86TO
EventCode:1
Message:DeviceFrameBuffer: BitBlt failed:5

There are many possibilities for performing security audits based on Windows event logs.
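As one illustration of such an audit, the following Python example (added here; it is not part of the original post or of Tenable's code) parses the ComputerName/EventCode/Message output printed by the event script above and counts connection outcomes per source address. The function names and the flagging rule are assumptions made for the example; the sample messages are copied from the run shown above.

```python
import re
from collections import Counter, defaultdict

# Six of the messages from the example run above, rebuilt into the script's output format.
MESSAGES = [
    "Connections: accepted: 192.168.20.199::3139",
    "Connections: closed: 192.168.20.199::3139 (Clean disconnection)",
    "Connections: accepted: 192.168.20.199::3520",
    "Connections: closed: 192.168.20.199::3520 (reading version failed: not an RFB client?)",
    "Connections: blacklisted: 192.168.20.199",
    "HTTPServer: untrapped: End of stream",
]
SAMPLE = "Number of Records : 2307\n" + "".join(
    f"ComputerName:TENABLED-9U86TO\nEventCode:1\nMessage:{m}\n" for m in MESSAGES)

FIELDS = ("ComputerName", "EventCode", "Message")
CONN = re.compile(r"Connections: (accepted|closed|blacklisted): "
                  r"(\d{1,3}(?:\.\d{1,3}){3})(?:::\d+)?(?: \((.*)\))?$", re.M)

def parse_events(text):
    """Group the script's ComputerName/EventCode/Message lines into dicts."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            if key == "ComputerName" or not events:   # first field printed per event
                events.append({})
            events[-1][key] = value.strip()
        elif events and "Message" in events[-1]:
            events[-1]["Message"] += "\n" + line      # continuation of a multi-line message
    return events

def summarise(events):
    """Count connection outcomes per source address."""
    stats = defaultdict(Counter)
    for ev in events:
        m = CONN.match(ev.get("Message", ""))
        if m:
            action, ip, reason = m.groups()
            if action == "closed":
                action = "closed_clean" if reason == "Clean disconnection" else "closed_error"
            stats[ip][action] += 1
    return stats

def flagged(stats):  # assumed rule: blacklisted at least once, or dropped with an error
    return sorted(ip for ip, c in stats.items() if c["blacklisted"] or c["closed_error"])

if __name__ == "__main__":
    print(flagged(summarise(parse_events(SAMPLE))))
```
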

Enterprise Security and Compliance Relevance

The WMI technology in Nessus allows very close inspection of many thousands of Windows servers without an agent. Tests that look for specific configurations can shed light on any organization's IT management practices and can also be used to look for unauthorized configurations.

For More Information

Microsoft has an MSDN site with many very useful examples of Visual Basic scripts to query just about anything on the remote computer through WMI.

Tenable is actively developing .nbin plugins to perform a variety of audits using WMI. With the Nessus 3.2 BETA and the WMI .nlib library, anyone can quickly prototype queries and test them out. Please feel free to discuss these on the Nessus mailing list, or to send your ideas to Tenable.
