From: Corey Steele (CSteelegood-sam.com)
Date: Mon Aug 13 2001 - 15:52:48 CDT
One word: "perl". It'd be a simple script... the only hard part would be telling it what files to fingerprint.
I'd set up two default NT boxes, one with IIS, the other without. I would then ghost those systems. Then, I'd fingerprint them (bare, no SPs at all). Then, I'd go through each SP and fingerprint them again, then, I'd dump all that into a database and slap a web-based front-end on it and live happy. All you'd have to do is fingerprint the system after applying each patch and then dump the data into the database again... you could automate this all very very easily with Perl...
Perl is a great glue language and would work for doing like an MD5 `sum` of each binary/dll, and would also be good for talking to different databases.
That's my two cents on that one.
Corey J. Steele, Security Analyst
Good Samaritan Society
voice: (605) 362-3899
>>> "Forrester, Mike" <mforresterhsacorp.net> 08/10/01 01:57PM >>>
I was thinking of starting a collection of checksums of Windows binaries and
figured I'd first check to see if anyone has done this yet and made it
available on the web. I did a quick search of google and the focus-ms
archives and couldn't find anything. Does anyone know of a website similar
to the Solaris Fingerprint Database for Windows?
Also, what recommendations do people have on already made and FREE tools
that might help with creating such a database? I found a couple of tools
that sounded interesting but the links were dead.
From: RH [mailto:RHbeulah.org]
Sent: Wednesday, August 08, 2001 12:51 PM
To: 'MadHat'; focus-mssecurityfocus.com
Subject: RE: DLL versioning info
This is something that Microsoft should make a tool for and put in plain
sight on the patch area of their web site. It should have remote
connect capabilities, and a virus-scanner-like "signature" database of
patches that can be kept auto-updated.
I know that several MS employees read this list, so how about it? :-)
From: MadHat [mailto:madhatunspecific.com]
Sent: Tuesday, August 07, 2001 3:47 PM
Subject: DLL versioning info
I have seen a few people mention that the only real way of verifying that a
hotfix is installed is by checking the version of the DLL, knowing that
info in the registry may not be accurate because reinstalling apps (like
IIS) may overwrite the newer DLL and the registry entry for the hotfix
would still exist. So with this in mind, does anyone know of a
comprehensive list of DLLs and the proper, most up to date versions, or
versions that fix problem X?
So a listing like
IDA/CodeRed, idq.dll, 5.0.2195.3645 on W2K, 5.0.1781.3 on NT 4.0
-- MadHat at unspecific.com
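
The fingerprint, store and compare workflow described in Corey Steele's reply, as an added example that is not part of the original thread. It is written in Python rather than the Perl the reply suggests so that the database step runs on the standard library alone; the table layout, function names and sample files are assumptions made for the illustration.

```python
import hashlib
import os
import sqlite3
import tempfile

def fingerprint(root):
    """Return {relative_path: md5_hex} for every file under root."""
    sums = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.md5()  # MD5 as in the thread; SHA-256 is the usual choice now
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            # Windows paths are case-insensitive, so normalise the key.
            sums[os.path.relpath(full, root).lower()] = digest.hexdigest()
    return sums

def store(db, level, sums):
    """Record one fingerprint run under a patch-level label (hypothetical schema)."""
    db.execute("CREATE TABLE IF NOT EXISTS fp (level TEXT, path TEXT, md5 TEXT,"
               " PRIMARY KEY (level, path))")
    db.executemany("INSERT OR REPLACE INTO fp VALUES (?, ?, ?)",
                   [(level, p, h) for p, h in sums.items()])
    db.commit()

def changed(db, old, new):
    """Paths that were added, or whose hash differs, going from old to new."""
    rows = db.execute(
        "SELECT n.path FROM fp n LEFT JOIN fp o"
        " ON o.path = n.path AND o.level = ?"
        " WHERE n.level = ? AND (o.md5 IS NULL OR o.md5 <> n.md5)"
        " ORDER BY n.path", (old, new))
    return [r[0] for r in rows]

def demo():
    """Constructed stand-in for a system directory at two patch levels."""
    db = sqlite3.connect(":memory:")
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("idq.dll", b"bare"), ("kernel32.dll", b"same")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        store(db, "bare", fingerprint(root))
        with open(os.path.join(root, "idq.dll"), "wb") as fh:
            fh.write(b"patched")  # simulate a hotfix replacing the DLL
        store(db, "hotfix", fingerprint(root))
    return changed(db, "bare", "hotfix")

if __name__ == "__main__":
    print(demo())  # ['idq.dll']
```

Running `changed` in the other direction, from a patched level to a later fingerprint of the same machine, flags the case raised in the original question, where a reinstall has put an older DLL back while the hotfix registry entry remains.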