A hatchet taking 1000s of cuts to cut down a tree

In this post I present a short piece of PowerShell that helped me find missing patches in a .NET application. The target was a thick client for which no source code was provided. Almost every application I look at has outdated dependencies, and my goal is to see whether any of them offers an obvious way to exploit the target. Even when the dependencies are not exploitable, they give a useful insight into the development and patching practices behind the application.

The backwards/hard way (no source code)

The problem (for .net) can be broken into two stages:

  1. Identify the version information for all .dll files.
  2. Grunt work using Google to find the latest versions and any known vulnerabilities.

The first part was solved by the PowerShell below. Change the path and you get one line per DLL with the file name and version number, comma separated:

# Enumerate every .dll in the target folder and emit "name,version" lines (CSV-style).
Get-ChildItem -Path "C:\<path>\<to>\<folder>" -Filter *.dll |
ForEach-Object {
    # VersionInfo is the file's Win32 version resource; FileVersion is blank for
    # DLLs built without one, and for NuGet packages ProductVersion usually
    # carries the package's semantic version instead.
    $version = $_.VersionInfo.FileVersion
    "$($_.Name),$version"
}

Then came the dirty task: opening that output in Excel and using Google to confirm which versions were outdated. There is probably a shortcut for this somewhere, but in the time available that did the job.
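The two stages above can be pushed a little further than the one-liner. The script below is an added example, not the post's original snippet: it inventories every DLL under a folder (recursively), records the Win32 FileVersion and ProductVersion as well as the managed AssemblyVersion and a SHA-256 hash, writes the result to CSV for the spreadsheet stage, and flags anything older than a baseline of "latest known" versions. The `$Baseline` table and its `Example.Library` entries are constructed placeholders that the analyst fills in from their own research; the `Get-DllInventory` and `Test-Outdated` function names are also mine.

```powershell
# Added example (not the original post's script): inventory every .dll under a
# folder, collect the version data that matters for a dependency review, and
# flag entries older than a baseline the analyst maintains by hand.
param(
    [Parameter(Mandatory)] [string] $Path,                        # folder holding the thick client
    [string] $Out = (Join-Path $Path 'dll-inventory.csv')         # CSV for the spreadsheet stage
)

# Constructed baseline: "latest known good" versions looked up by the analyst.
# Keys are file names without extension; values are version strings.
$Baseline = @{
    'Example.Library' = '2.1.0'
    'Example.Other'   = '5.0.2'
}

function Get-DllInventory {
    param([string] $Folder)
    $Folder = (Resolve-Path -Path $Folder).ProviderPath
    Get-ChildItem -Path $Folder -Filter *.dll -Recurse -File | ForEach-Object {
        $vi  = $_.VersionInfo          # Win32 version resource (may be empty)
        $asm = $null
        try {
            # Managed assemblies carry an AssemblyVersion independent of the Win32
            # resource; native DLLs throw here, which simply leaves $asm as $null.
            $asm = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName)
        } catch {}
        [pscustomobject]@{
            Name            = $_.Name
            RelativePath    = $_.FullName.Substring($Folder.Length).TrimStart('\')
            FileVersion     = $vi.FileVersion
            ProductVersion  = $vi.ProductVersion    # NuGet packages usually put semver here
            AssemblyVersion = if ($asm) { $asm.Version.ToString() } else { '' }
            Managed         = [bool] $asm
            Company         = $vi.CompanyName
            LastWriteUtc    = $_.LastWriteTimeUtc
            SHA256          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Returns $true (outdated), $false (current) or $null (not in baseline / unparsable).
function Test-Outdated {
    param([pscustomobject] $Entry, [hashtable] $Known)
    $key = [System.IO.Path]::GetFileNameWithoutExtension($Entry.Name)
    if (-not $Known.ContainsKey($key)) { return $null }
    # Prefer ProductVersion (semver), fall back to FileVersion; strip any
    # "+commit", "-prerelease" or trailing text before comparing as [version].
    $raw = @($Entry.ProductVersion, $Entry.FileVersion) | Where-Object { $_ } | Select-Object -First 1
    if (-not $raw) { return $null }
    $current = ($raw -split '[-+ ]')[0]
    try { return ([version] $current) -lt ([version] $Known[$key]) } catch { return $null }
}

$inventory = Get-DllInventory -Folder $Path
$inventory | Export-Csv -Path $Out -NoTypeInformation

foreach ($e in $inventory) {
    $state = Test-Outdated -Entry $e -Known $Baseline
    $tag = if ($null -eq $state) { 'unknown' } elseif ($state) { 'OUTDATED' } else { 'current' }
    '{0,-8} {1} file={2} product={3} assembly={4}' -f $tag, $e.Name, $e.FileVersion, $e.ProductVersion, $e.AssemblyVersion
}
```

Run it as `.\Get-DllInventory.ps1 -Path 'C:\<path>\<to>\<folder>'`. Anything reported as `unknown` is a DLL you have not yet researched; once you have looked it up, add it to `$Baseline` and the next run classifies it for you. The SHA-256 column makes it easy to spot the same library shipped twice under different names or paths, and the `Managed` column separates .NET assemblies from native DLLs, which need a different lookup strategy.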

What if you have the source code?

When you have source code access, your go-to is OWASP's Dependency-Check.

While I love Dependency-Check, and feel it is the best catch-all because of the wide range of languages it supports, I have also found it prone to false positives, and working with the formats it outputs is often a lot of work, for me at least. It is definitely a worthy tool and I will continue to use it.

If you have access to the source, I generally get better and more actionable information from language-specific tools such as:

Hope this helped you in your hour of need.