Vulnerability Management Pt. 1

We’ve established that one thing I absolutely hate is inventory management, but with a few tricks up my sleeve it can become much easier.  First, let’s look at device information, and what we’re missing.

Windows Management Instrumentation

Windows Management Instrumentation (WMI) is an amazing part of the Windows OS.  I’m amazed at the amount of information that can be pulled out of WMI, but also at the number of IT administrators out there who still don’t realize it’s there.  When I started moving into server administration, WMI became an important part of my day-to-day operations.  After moving into infosec, I use it just as much to gather information on domain systems that isn’t readily available elsewhere, and that information is what I use to manage vulnerabilities.

In every talk I give on this topic, I seem to come back to the same classes for obtaining system information.

  • Win32_OperatingSystem
  • Win32_ComputerSystem
  • Win32_Process
  • Win32_Service
  • Win32_BIOS

Of these five Win32 classes, I pull the most information out of the OperatingSystem, BIOS, and ComputerSystem classes.

Putting it to work

The easiest way to get information out of WMI is with PowerShell’s Get-WMIObject cmdlet.  Example, querying the computer-system class:

Get-WMIObject -Class Win32_ComputerSystem

This will return specific information as it pertains to the computer system.  Take advantage of PowerShell’s pipeline to export the data to CSV, export to Excel using Doug Finke’s Import Excel module, or use PowerShell and COM.  In my case, I have a local SQL database installed, and will export to CSV and import the data.

To get the data out of the computers on your network via WMI, add the -ComputerName parameter.  When combined with the Get-ADComputer cmdlet, this reads the data from every system joined to the domain.  We’ll put that to use later on in this series.
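Putting those pieces together (Get-WMIObject, -ComputerName, Get-ADComputer and the CSV export) in one script, as an added example that is not code from the original post.  It assumes Windows PowerShell 5.1 with the ActiveDirectory (RSAT) module installed, an account that has WMI rights on the targets, and a placeholder output path.

```powershell
# Added example: inventory OS, computer-system and BIOS data from every
# enabled domain computer over WMI and write it to CSV for database import.
# Assumptions: Windows PowerShell 5.1, ActiveDirectory module present,
# WMI access to the targets; $OutFile is a placeholder path.
Import-Module ActiveDirectory

$OutFile   = 'C:\Inventory\wmi-inventory.csv'   # placeholder path
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty DNSHostName

$Inventory = foreach ($Computer in $Computers) {
    # One row per host, with a fixed column set so Export-Csv stays consistent.
    # Hosts that fail still get a row: a box you cannot inventory is a finding.
    $Row = [ordered]@{
        ComputerName = $Computer; OSCaption = $null; OSVersion = $null
        OSBuild = $null; LastBoot = $null; Manufacturer = $null; Model = $null
        Domain = $null; TotalMemoryGB = $null; BIOSVersion = $null
        BIOSDate = $null; SerialNumber = $null; Collected = Get-Date; Error = $null
    }
    try {
        $wmi  = @{ ComputerName = $Computer; ErrorAction = 'Stop' }
        $OS   = Get-WmiObject -Class Win32_OperatingSystem @wmi
        $CS   = Get-WmiObject -Class Win32_ComputerSystem  @wmi
        $BIOS = Get-WmiObject -Class Win32_BIOS            @wmi

        $Row.OSCaption     = $OS.Caption
        $Row.OSVersion     = $OS.Version
        $Row.OSBuild       = $OS.BuildNumber
        $Row.LastBoot      = $OS.ConvertToDateTime($OS.LastBootUpTime)
        $Row.Manufacturer  = $CS.Manufacturer
        $Row.Model         = $CS.Model
        $Row.Domain        = $CS.Domain
        $Row.TotalMemoryGB = [math]::Round($CS.TotalPhysicalMemory / 1GB, 1)
        $Row.BIOSVersion   = $BIOS.SMBIOSBIOSVersion
        # ReleaseDate can be empty on some firmware; only convert when present.
        if ($BIOS.ReleaseDate) { $Row.BIOSDate = $BIOS.ConvertToDateTime($BIOS.ReleaseDate) }
        $Row.SerialNumber  = $BIOS.SerialNumber
    }
    catch {
        # Unreachable, offline or access-denied hosts are recorded, not dropped.
        $Row.Error = $_.Exception.Message
    }
    [PSCustomObject]$Row
}

$Inventory | Export-Csv -Path $OutFile -NoTypeInformation
```

Get-WmiObject is not available in PowerShell 7; there, swap in Get-CimInstance (the WMI classes are the same, but the ConvertToDateTime helper is replaced by native DateTime properties).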

For more information head over to the Win32 Provider’s MSDN Page.

Now the why

Although it sounds a bit cliché, it really is impossible to protect what is unknown.  Building an inventory this way lets admins get back to one of the fundamentals of information security: understanding what is on the network.  If there is one thing I’ve learned, even though I hate inventory, it is that it’s a great feeling to know exactly what the impact is to the systems on my network when a new critical vulnerability is released.  Using PowerShell and WMI gives me the ability to understand what exists without having to rely on expensive tools to do it for me, and I’m able to transfer my scripts to any Windows domain I’m working with relative ease.

Experiment with the different WMI classes, and see what other useful information can be pulled.  In the next part of this series, we’ll start looking at how to track the vulnerabilities uncovered as part of the inventory process.