
NOPC (Nessus-based Offline Patch Checker) is a patch checker primarily for Linux distributions and UNIX-based systems. It is a shell script that drives Nessus' NASL plugins and tells you which data to collect from the target system so that it can derive a list of missing security patches. It was developed for situations where network connectivity to the systems under review is not possible.

Key features

  • The ability to perform analysis on the following Linux/Unix based distributions:
    • AIX
    • HP-UX
    • MacOS X
    • Solaris (Not 11)
    • Debian
    • FreeBSD
    • Gentoo
    • Mandrake
    • Redhat
    • Redhat Centos
    • Redhat Fedora
    • Slackware
    • SuSE
    • Ubuntu
  • The ability to perform analysis on Cisco IOS/ASA devices
  • Output in CSV format with CVSS scores

Overview

Ever tried to perform a patch analysis of a UNIX-based machine without network access to it? It can be an eyesore, and making reasonable sense of the output from commands like the following can feel like a wrestling match:

$ /bin/rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' > patchlist.txt

Out of this evolved NOPC, which uses Nessus' ability to perform an accurate patch analysis from information extracted from the system. NOPC tells you how to collect that same information manually.
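As an added illustration of what the Nessus plugins do with such a patch list (this is example code, not NOPC's own or Red Hat's), the following Python parses the NAME-VERSION-RELEASE|EPOCH lines produced by the rpm query above and flags any package whose installed epoch/version/release is below a known fixed level, using a simplified reimplementation of rpm's version-comparison rules. The patch list and the fixed-version table, including the EXAMPLE-ADV-* advisory names, are constructed for the example and are not real advisories.

```python
"""Added example: parse an rpm patch list in NAME-VERSION-RELEASE|EPOCH form
and flag packages older than a known fixed version, using a simplified
reimplementation of rpm's version-comparison rules (not NOPC's own code)."""
import re

# Constructed sample in the layout produced by the rpm query shown above.
# rpm prints "(none)" for %{EPOCH} when a package has no epoch set.
SAMPLE_PATCHLIST = """\
openssl-1.0.1e-30.el6|(none)
openssl-devel-1.0.1e-30.el6|(none)
bash-4.1.2-15.el6|(none)
bind-utils-9.8.2-0.17.rc1.el6|32
kernel-2.6.32-431.el6|(none)
"""

# Constructed "fixed in" table keyed by package name. The advisory names are
# hypothetical placeholders for this example, not real advisory identifiers.
FIXED_VERSIONS = {
    "openssl":    ((0, "1.0.1e", "30.el6_6.5"), "EXAMPLE-ADV-1"),
    "bash":       ((0, "4.1.2", "15.el6_5.1"), "EXAMPLE-ADV-2"),
    "bind-utils": ((32, "9.8.2", "0.17.rc1.el6"), "EXAMPLE-ADV-3"),  # already at fix level
    "kernel":     ((0, "2.6.32", "431.el6"), "EXAMPLE-ADV-4"),        # equal, so not missing
    "sudo":       ((0, "1.8.6p3", "20.el6"), "EXAMPLE-ADV-5"),        # not installed at all
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does.

    Returns -1, 0 or 1. Strings are split into digit runs, letter runs and
    tildes; separators such as '.', '_' and '-' are ignored. Digit runs compare
    numerically, letter runs lexically, a digit run beats a letter run, a
    string with segments left over beats one that ran out, and '~' sorts
    before anything (so 1.0~rc1 < 1.0). The '^' operator is not handled.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        if ta == "~" or tb == "~":
            if ta != tb:
                return -1 if ta == "~" else 1
            continue
        if ta is None:
            return -1
        if tb is None:
            return 1
        if ta.isdigit() and tb.isdigit():
            ia, ib = int(ta), int(tb)
            if ia != ib:
                return -1 if ia < ib else 1
        elif ta.isdigit() != tb.isdigit():
            return 1 if ta.isdigit() else -1
        elif ta != tb:
            return -1 if ta < tb else 1
    return 0


def evr_cmp(a: tuple, b: tuple) -> int:
    """Compare (epoch, version, release) tuples: epoch, then version, then release."""
    if a[0] != b[0]:
        return -1 if a[0] < b[0] else 1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_patchlist(text: str) -> dict:
    """Map package name -> (epoch, version, release) from NAME-VERSION-RELEASE|EPOCH lines.

    Package names may themselves contain hyphens (openssl-devel), so version and
    release are split off from the right-hand end of the string.
    """
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        nvr, _, epoch = line.partition("|")
        name, version, release = nvr.rsplit("-", 2)
        packages[name] = (0 if epoch in ("", "(none)") else int(epoch), version, release)
    return packages


def missing_patches(packages: dict, fixed: dict) -> list:
    """Return (package, installed EVR, advisory) for each installed package below its fix."""
    missing = []
    for name, installed in sorted(packages.items()):
        if name not in fixed:
            continue
        fix_evr, advisory = fixed[name]
        if evr_cmp(installed, fix_evr) < 0:
            missing.append((name, installed, advisory))
    return missing


if __name__ == "__main__":
    for name, evr, adv in missing_patches(parse_patchlist(SAMPLE_PATCHLIST), FIXED_VERSIONS):
        print(f"{name}: installed {evr[1]}-{evr[2]} (epoch {evr[0]}) is below the fix level, see {adv}")
```

Splitting the name from the right matters: names such as openssl-devel contain hyphens, and a split on the first hyphen would mis-parse them. The comparison rules are also why eyeballing a patch list is error-prone: 1.10 is newer than 1.9 and 1.0~rc1 is older than 1.0, neither of which a plain string sort gets right.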

Installation

As NOPC is a shell script, it can be run from anywhere. Unzip the download into a directory. It contains two files:

  • nopc.sh
  • README.txt

The only prerequisite is that the system on which the shell script runs has Nessus installed with up-to-date plugins. The script assumes the default locations for the nasl command-line tool (/opt/nessus/bin/nasl) and the Nessus plugins directory (/opt/nessus/lib/plugins).

These locations can be overridden with the -d option (the directory where NOPC looks for Nessus plugins) and the -n option (the location of the nasl command-line tool):

$ ./nopc.sh -d '/Library/Nessus/run/lib/nessus/plugins/'
$ ./nopc.sh -n '/local/bin/nasl'

Usage

Interactive Mode

Running through the interactive mode should be straightforward. NOPC asks for
the following:
* Output type (e.g. list of missing patches, CSV of missing patches)
* Distribution against which missing patches are to be checked
* Specific system information required to perform the check (e.g. patch list, release, OS level, hardware)

$ nopc.sh
Version: nopc.sh  0.4.7d
[+] Which output format would you like to use?
 0 - Displays Outdated Packages only
 1 - Displays NASL name and Outdated Packages
 2 - CSV output of CVE, KB and description (comma)
 3 - CSV output of CVE, CVSSv2, Severity, KB, Description (comma)
 4 - CSV output of CVE, KB and description (tab)
 5 - CSV output of CVE, CVSSv2, Severity, KB, Description (tab)

Enter 1-5? 3
[+] What type of system have you got the patch output for?
 1 - AIX
 2 - HP-UX
 3 - MacOS X *
 4 - Solaris (!11) *
 5 - Debian
 6 - FreeBSD
 7 - Gentoo
 8 - Mandrake
 9 - Redhat
 10 - Redhat (Centos)
 11 - Redhat (Fedora)
 12 - Slackware
 13 - SuSE *
 14 - Ubuntu
 15 - Cisco IOS/ASA *

 * EXPERIMENTAL!!

Enter 1-15? 1
[+] AIX Selected
[+] Run 'lslpp -Lc > patchlist.txt' 
[+] Enter Location of file: aix-7.1-patchlist.txt
[+] Enter the AIX Release e.g. 6.1 
[+] Enter Text Requested: 7.1
[+] Enter the output of 'oslevel -s' e.g. 6100-04-04-1441 
[+] Enter Text Requested: 7100-03-04-1441
[+] To run this in a script the command would be:

/opt/bin/nopc.sh -l '3' -s '1' 'aix-7.1-patchlist.txt' '7.1' '7100-03-04-1441'

[+] Locating Nasls
[+] Checking for 11206 Missing Patches
NOPC, AIX
Plugin ID, CVE, CVSSv2, Severity, KB, Title
81920, "CVE-2014-8769", 6.4, Medium, "IV67588", "AIX 7.1 TL 3 : tcpdump (IV67588)"
82900, , 7.5, High, "openssl_advisory13", "AIX OpenSSL Advisory : openssl_advisory13.asc"
83135, "CVE-2015-0138, CVE-2015-2808", 4.3, Medium, "java_apr2015_advisory", "AIX Java Advisory : Multiple Vulnerabilities"
...

In the above case, several missing patches were identified.

Note that the output type and distribution prompts can be skipped by passing -l and -s on the command line if these details are already known.
For example, for a detailed report of missing Redhat patches in CSV format:

$ nopc.sh -l '3' -s '9'
Version: nopc.sh  0.4.7d
[+] Redhat Selected
[+] Run '/bin/rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' > patchlist.txt' 
[+] Enter Location of file: patch-redhat-1.txt
[+] Enter the contents of /etc/redhat-release
[+] Enter Text Requested: Red Hat Enterprise Linux Server release 5
[+] Enter value of 'uname -m' e.g. x86_64, i686
[+] Enter Text Requested: i686
[+] To run this in a script the command would be:

/opt/bin/nopc.sh -l '3' -s '9' 'patch-redhat-1.txt' 'Red Hat Enterprise Linux Server release 5' 'i686'

[+] Locating Nasls
[+] Checking for 3620 Missing Patches
NOPC, Redhat
Plugin ID, CVE, CVSSv2, Severity, KB, Title
58262, "CVE-2012-0768, CVE-2012-0769", 10, High, "redhat-RHSA-2012-0359", "RHEL 5 / 6 : flash-plugin (RHSA-2012-0359)"
55813, "CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425", 10, High, "redhat-RHSA-2011-1144", "RHEL 5 / 6 : flash-plugin (RHSA-2011-1144)"
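Once NOPC has produced its CSV, the next job is usually to triage it. The following Python is an added example, not part of NOPC, that parses the comma-delimited layout shown in the runs above, using the three AIX rows from the earlier run on this page as its input. It summarises findings by severity, de-duplicates CVEs across entries, and lists entries that carry no CVE at all, since filtering on the CVE column alone would silently drop advisory-only findings such as the OpenSSL one. The tab-delimited output types are assumed to share the same column layout.

```python
"""Added example: parse and triage NOPC's comma-separated CSV output."""
import csv
from collections import Counter

# Sample taken from the AIX run shown earlier on this page (output type 3).
# The first line names the tool and distribution, the second is the header.
SAMPLE_OUTPUT = """\
NOPC, AIX
Plugin ID, CVE, CVSSv2, Severity, KB, Title
81920, "CVE-2014-8769", 6.4, Medium, "IV67588", "AIX 7.1 TL 3 : tcpdump (IV67588)"
82900, , 7.5, High, "openssl_advisory13", "AIX OpenSSL Advisory : openssl_advisory13.asc"
83135, "CVE-2015-0138, CVE-2015-2808", 4.3, Medium, "java_apr2015_advisory", "AIX Java Advisory : Multiple Vulnerabilities"
"""


def parse_nopc_csv(text: str, delimiter: str = ",") -> tuple:
    """Return (distribution, findings) from NOPC CSV text.

    Each finding is a dict with plugin_id (int), cves (list of str), cvss
    (float or None), severity, kb and title. The CVE column is a quoted,
    comma-separated list and may be empty when Nessus has no CVE for an
    advisory. The tab variants (output types 4 and 5) are assumed to use the
    same layout with a tab delimiter.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("NOPC"):
        raise ValueError("not NOPC CSV output")
    distribution = lines[0].partition(delimiter)[2].strip()
    # skipinitialspace lets the reader treat the space after each comma as
    # padding, so the quoted fields that follow it are still parsed as quoted.
    reader = csv.reader(lines[2:], delimiter=delimiter, skipinitialspace=True)
    findings = []
    for row in reader:
        if len(row) != 6:
            raise ValueError(f"unexpected column count in row: {row!r}")
        plugin_id, cve, cvss, severity, kb, title = (field.strip() for field in row)
        findings.append({
            "plugin_id": int(plugin_id),
            "cves": [c.strip() for c in cve.split(",") if c.strip()],
            "cvss": float(cvss) if cvss else None,
            "severity": severity,
            "kb": kb,
            "title": title,
        })
    return distribution, findings


def summarise(findings: list) -> dict:
    """Counts by severity, the de-duplicated CVE set, entries that carry no
    CVE, and the plugin with the highest CVSSv2 score."""
    by_severity = Counter(f["severity"] for f in findings)
    unique_cves = sorted({c for f in findings for c in f["cves"]})
    without_cve = [f["plugin_id"] for f in findings if not f["cves"]]
    highest = max(findings, key=lambda f: f["cvss"] or 0.0, default=None)
    return {
        "by_severity": dict(by_severity),
        "unique_cves": unique_cves,
        "without_cve": without_cve,
        "highest_plugin": highest["plugin_id"] if highest else None,
    }


def prioritise(findings: list, min_cvss: float = 7.0) -> list:
    """Findings whose CVSSv2 score is at or above min_cvss, highest first.
    Entries with no score are treated as 0.0."""
    return sorted(
        (f for f in findings if (f["cvss"] or 0.0) >= min_cvss),
        key=lambda f: -(f["cvss"] or 0.0),
    )


if __name__ == "__main__":
    distro, found = parse_nopc_csv(SAMPLE_OUTPUT)
    print(f"{distro}: {len(found)} missing patches, {summarise(found)}")
    for f in prioritise(found):
        print(f"  {f['cvss']:>4} {f['plugin_id']} {f['kb']} {f['title']}")
```

On this input the highest-scoring finding (plugin 82900, CVSSv2 7.5) has no CVE, so a report keyed on CVEs alone would rank it nowhere; keying on plugin ID or KB and treating the CVE list as an attribute avoids that.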
