Research and Development

NOPC (Nessus-based Offline Patch Checker) is a patch-checker for primarily Linux distribution and UNIX-based systems. It is a shell script that utilises Nessus’ nasls and gives instructions on what data is needed to be obtained from the system to perform to derive a list of missing security patches. This was developed for situations when network connectivity to the systems under review is not possible.

Key features

  • The ability to perform analysis on the following Linux/Unix based distributions:
    • AIX
    • HP-UX
    • MacOS X
    • Solaris (Not 11)
    • Debian
    • FreeBSD
    • Gentoo
    • Mandrake
    • Redhat
    • Redhat Centos
    • Redhat Fedora
    • Slackware
    • SuSE
    • Ubuntu
  • The ability to perform analysis on Cisco IOS/ASA devices
  • Output in CSV format with CVSS scores

Overview

Ever tried to perform a patch analysis of a UNIX based machine without network access to it? It can be an eyesore and feel like a wrestling match to make reasonable sense of the output from tools like:

$ /bin/rpm -qa –qf ‘%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n’ > patchlist.txt

Out of this evolved NOPC, which utilises Nessus’ ability to perform an accurate patch analysis with the information extracted from the system. NOPC instructs you on how to manually recover this same information.

Installation

As NOPC is a shell script, it can be run anywhere. Unzip and extract the download in a directory. There are 2 files:

  • nopc.sh
  • README.txt

The only prerequisite is that the system where the shell script has Nessus running with up to date nessus plugins. The script assumes the default locations for the nasl command line (/opt/nessus/bin/nasl) and nessus plugins directory (/opt/nessus/lib/plugins)

These locations can be defined with the ‘d’ option for the directory where NOPC will look for nessus plugins and the ‘n’ option for the location of the nasl command line.

$ ./nopc.sh -d '/Library/Nessus/run/lib/nessus/plugins/'
$ ./nopc.sh -n '/local/bin/nasl'

Usage

Interactive Mode

Running through the interactive mode should be straight forward. NOPC asks for
the following:
* Output Type (e.g. list of missing patches, csv of missing patches)
* Distribution that missing patches to be checked against
* Specific system information required to perform checking (e.g. Patchlist, Release, OS Level, Hardware)

$ nopc.sh
Version: nopc.sh  0.4.7d
[+] Which output format would you like to use?
 0 - Displays Outdated Packages only
 1 - Displays NASL name and Outdated Packages
 2 - CSV output of CVE, KB and description (comma)
 3 - CSV output of CVE, CVSSv2, Severity, KB, Description (comma)
 4 - CSV output of CVE, KB and description (tab)
 5 - CSV output of CVE, CVSSv2, Severity, KB, Description (tab)

Enter 1-5? 3
[+] What type of system have you got the patch output for?
 1 - AIX
 2 - HP-UX
 3 - MacOS X *
 4 - Solaris (!11) *
 5 - Debian
 6 - FreeBSD
 7 - Gentoo
 8 - Mandrake
 9 - Redhat
 10 - Redhat (Centos)
 11 - Redhat (Fedora)
 12 - Slackware
 13 - SuSE *
 14 - Ubuntu
 15 - Cisco IOS/ASA *

 * EXPERIMENTAL!!

Enter 1-15? 1
[+] AIX Selected
[+] Run 'lslpp -Lc > patchlist.txt' 
[+] Enter Location of file: aix-7.1-patchlist.txt
[+] Enter the AIX Release e.g. 6.1 
[+] Enter Text Requested: 7.1
[+] Enter the output of 'oslevel -s' e.g. 6100-04-04-1441 
[+] Enter Text Requested: 7100-03-04-1441
[+] To run this in a script the command would be:

/opt/bin/nopc.sh -l '3' -s '1' 'aix-7.1-patchlist.txt' '7.1' '7100-03-04-1441'

[+] Locating Nasls
[+] Checking for 11206 Missing Patches
NOPC, AIX
Plugin ID, CVE, CVSSv2, Severity, KB, Title
81920, "CVE-2014-8769", 6.4, Medium, "IV67588", "AIX 7.1 TL 3 : tcpdump (IV67588)"
82900, , 7.5, High, "openssl_advisory13", "AIX OpenSSL Advisory : openssl_advisory13.asc"
83135, "CVE-2015-0138, CVE-2015-2808", 4.3, Medium, "java_apr2015_advisory", "AIX Java Advisory : Multiple Vulnerabilities"
...

In the above case, several missing patches were identified.

Note that the output type and distribution can be bypassed if these details are known.
For example, for a detailed report of missing Redhat patches in csv format:

$ nopc.sh -l '3' -s '9'
Version: nopc.sh  0.4.7d
[+] Redhat Selected
[+] Run '/bin/rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' > patchlist.txt' 
[+] Enter Location of file: patch-redhat-1.txt
[+] Enter the contents of /etc/redhat-release
[+] Enter Text Requested: Red Hat Enterprise Linux Server release 5
[+] Enter value of 'uname -m' e.g. x86_64, i686
[+] Enter Text Requested: i686
[+] To run this in a script the command would be:

/opt/bin/nopc.sh -l '3' -s '9' 'patch-redhat-1.txt' 'Red Hat Enterprise Linux Server release 5' 'i686'

[+] Locating Nasls
[+] Checking for 3620 Missing Patches
NOPC, Redhat
Plugin ID, CVE, CVSSv2, Severity, KB, Title
58262, "CVE-2012-0768, CVE-2012-0769", 10, High, "redhat-RHSA-2012-0359", "RHEL 5 / 6 : flash-plugin (RHSA-2012-0359)"
55813, "CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425", 10, High, "redhat-RHSA-2011-1144", "RHEL 5 / 6 : flash-plugin (RHSA-2011-1144)"
nopc
nopc-0.4.7.tar.bz2
September 29, 2015
Version: 0.4.7d
12.7 KiB
MD5 hash: 052c08188e61c9080cd84a421c966e7c
Details
Nopc-0.4.5 Tar
nopc-0.4.5.tar.bz2
February 13, 2014
Version: 0.4.5
17.7 KiB
MD5 hash: 180e64cce6a8bfee6d375bb796798c6e
Details
Nopc-0.4.2 Tar
nopc-0.4.2.tar.bz2
April 26, 2013
11.7 KiB
MD5 hash: 3912a7b8a7eea99c0313378dd0843bad
Details
Nopc-0.4.1 Tar
nopc-0.4.1.tar.bz2
April 26, 2013
11.6 KiB
MD5 hash: 9c82bddb9e214c5cf4fde1eccddc0096
Details
Nopc-0.4 Tar
nopc-0.4.tar.bz2
April 26, 2013
11.7 KiB
MD5 hash: 7da2f9f63e0c2efb051e4b18a92b8d73
Details
Nopc-0.3 Tar
nopc-0.3.tar.bz2
April 26, 2013
10.4 KiB
MD5 hash: b69d91c8e7bc2490391891926c48c8f8
Details

Request to be added to the Portcullis Labs newsletter

We will email you whenever a new tool, or post is added to the site.

Your Name (required)

Your Email (required)