MBSA - Microsoft Baseline Security Analyzer

I came to an assignment that requires me to use MBSA.

Wadehel? I never used this tool before. Well, it turns out it's quite straightforward. A brief example, a copy-paste from here and there. Hope this helps anyone.

MBSA basically uses "Remote Registry" and SMB to log in and gather all the data it wants. It can check for a few things:

OK, skip the intro; for more info, RTFM here: http://technet.microsoft.com/en-us/security/cc184924.aspx

Erm, the stupid-simple way it works is that the PC doing the scanning and the target PC must have the same username/password, so that MBSA can log in and check for what it needs, and the username must have administrative privileges.

So, is there any way you can set the username/password in mbsa.exe? NO! Is there any way you can log in as a domain account on your scanning PC, because the target PC is using domain logins? NO. Stupid.

Solution? Use mbsacli.exe. Yup, command line. Here's what I did; in my case, I needed to log in as a domain account instead of a local account, and I scan only "MS Windows Updates".

Now, a little explanation of the flags I used.

/n os - means check OS components only (updates, etc.)
/o "%D% - %C% - %IP% (%T%)" - the output filename format: date - computer name - IP address (time), saved with the .mbsa extension
/wi - also show non-approved Windows updates (wadehel is this?)
/nvc - perhaps stands for "no version check", meaning there is no need to check whether a newer version of MBSA exists
/unicode - output saved in Unicode formatting
/target - the target

Erm, for scanning a range of IPs you can use /r ipstart-ipend, or if you put an IP list in a text file, you can use /filelist file.txt, and if you want a separate folder for the output besides the default %UserProfile%\SecurityScans you can use /rd c:\example.

More help is available via mbsacli.exe /?
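To put the flags above together, here is an added PowerShell wrapper (my own example, not the post's own command line). It assumes mbsacli.exe sits in the default MBSA 2 install folder, that targets.txt is a constructed one-host-per-line list, and that the script runs under an account with administrator rights on every target, as the post says MBSA requires.

```powershell
# Added example, not from the original post. Runs mbsacli.exe with the flags
# explained above against a list of targets and then lists the reports written.
param(
    # Assumed default install path of MBSA 2; adjust if yours differs.
    [string] $MbsaCli   = "$env:ProgramFiles\Microsoft Baseline Security Analyzer 2\mbsacli.exe",
    # Constructed input: one hostname or IP address per line.
    [string] $FileList  = ".\targets.txt",
    # Same output folder as the /rd example in the post.
    [string] $ReportDir = "C:\example"
)

if (-not (Test-Path $MbsaCli))  { throw "mbsacli.exe not found at $MbsaCli" }
if (-not (Test-Path $FileList)) { throw "target list $FileList not found" }
New-Item -ItemType Directory -Force -Path $ReportDir | Out-Null

# Flags as explained in the post: OS components only, include non-approved
# updates, skip the MBSA version check, Unicode output, targets from a file,
# reports into $ReportDir, filename built from date / computer / IP / time.
$cliArgs = @(
    '/n', 'os',
    '/wi',
    '/nvc',
    '/unicode',
    '/filelist', $FileList,
    '/rd', $ReportDir,
    '/o', '%D% - %C% - %IP% (%T%)'
)

& $MbsaCli @cliArgs
Write-Host "mbsacli.exe exited with code $LASTEXITCODE"

# Show which .mbsa reports were produced, newest first, so you can compare
# the list against targets.txt and see which hosts still need attention.
Get-ChildItem -Path $ReportDir -Filter '*.mbsa' |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime, Length
```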

Very, very good references:
- http://msdn.microsoft.com/en-us/library/ff647642.aspx
- http://www.petri.co.il/mbsa.htm
- http://msdn.microsoft.com/en-us/library/ff647981.aspx
- http://technet.microsoft.com/en-us/security/cc184922.aspx

Good luck, Sulaiman! :D
