Looking for KRACK'd Intel Drivers with PowerShell
Monday, October 16, 2017 at 7:55PM
Mike Lombardi in cybersecurity

As many people know by now, WPA2 AES was broken by Mathy Vanhoef's excellent work. I won't go into the details of his research, as you should read it yourself at KRACK Attacks. Many vendors have been working to proactively put out patches prior to the publishing of the vulnerabilities that occurred today. That being said, there is still a great deal of concern as to whether clients are patched from all sides.

In response to client concerns about whether the installed versions of Intel WLAN drivers were susceptible to the caveats mentioned in Microsoft's CVE-2017-13080 guidance, I wrote a basic script to query any drivers with the string Intel in them and return the hostname, driver name, and driver version. Just add your text file containing a list of hostnames and set your output directory for the results. Launch the script, tell your boss that you're on it, and come back in a few for a peek at your results file. A quick filter with Excel and a sys admin can check all the Intel WLAN drivers on his or her network and whether they are vulnerable to KRACK.

Apologies in advance for the lousy embedded formatting, but pasting into a text editor will clean up the wrap around mess below.

 

# This script pulls back all drivers with the word "Intel" anywhere in the driver name.
# For a targeted search of Intel Wireless drivers susceptible to KRACK, change "*Intel*" to "*Dual Band Wireless-AC*". CAREFUL, though, because you'll miss the AMT entries with this change.
# See https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00101&languageid=en-fr for vulnerable Intel drivers and fixed versions.
$Machines = Get-Content "C:\Your\List\of\Hosts.TXT"
$results = @()
ForEach ($machine in $Machines)
{
    # Query the signed PnP drivers on the remote host over WMI and keep only the Intel devices.
    $results += Get-WmiObject -ComputerName $machine -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like "*Intel*" } |
        Select-Object PSComputerName, DeviceName, DriverVersion
}
# One row per matching driver: hostname, device name, driver version.
$results | Export-Csv "C:\Your\Desired\Output\Directory\IntelDriverCheck.csv" -NoTypeInformation -Append

 

See Intel's guidance on vulnerable WLAN drivers and AMT to determine if one of your machines is using a KRACK'd driver.
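
As an alternative to filtering the results file by eye, the following added example (not part of the original article's script) reads the CSV and compares each driver version numerically against a fixed version you supply from Intel's advisory. The function name Get-IntelDriverStatus, the sample rows, the "0000" model number and the 10.0.0.0 threshold are constructed for illustration; the page does not list the real fixed versions, so none are hard-coded.

```powershell
# Added example: classify rows of IntelDriverCheck.csv against a fixed driver version.
# Get-IntelDriverStatus is a hypothetical helper name, not part of the original script.
function Get-IntelDriverStatus {
    param(
        [Parameter(Mandatory)] [string]  $CsvPath,          # CSV written by the script above
        [Parameter(Mandatory)] [version] $FixedVersion,     # take this from Intel's advisory
        [string] $NamePattern = '*Dual Band Wireless-AC*'   # filter named in the script comments
    )
    Import-Csv -Path $CsvPath |
        Where-Object { $_.devicename -like $NamePattern } |
        ForEach-Object {
            # Compare as [version], not as text: sorted as strings,
            # "9.0.0.1" lands after "19.0.0.1" and old drivers look current.
            $parsed = $null
            if (-not [version]::TryParse($_.driverversion, [ref]$parsed)) {
                $status = 'Unparsed'          # empty or non-numeric version: check by hand
            }
            elseif ($parsed -lt $FixedVersion) {
                $status = 'NeedsUpdate'
            }
            else {
                $status = 'AtOrAboveFixed'
            }
            [pscustomobject]@{
                Computer      = $_.PSComputerName
                Device        = $_.devicename
                DriverVersion = $_.driverversion
                Status        = $status
            }
        }
}

# Constructed sample rows and a placeholder threshold, for illustration only.
$sample = Join-Path $env:TEMP 'IntelDriverCheck-sample.csv'
@'
"PSComputerName","devicename","driverversion"
"HOST-A","Intel(R) Dual Band Wireless-AC 0000","9.0.0.1"
"HOST-B","Intel(R) Dual Band Wireless-AC 0000","19.0.0.1"
"HOST-C","Intel(R) Dual Band Wireless-AC 0000",""
'@ | Set-Content -Path $sample

# HOST-A -> NeedsUpdate, HOST-B -> AtOrAboveFixed, HOST-C -> Unparsed
Get-IntelDriverStatus -CsvPath $sample -FixedVersion '10.0.0.0' | Format-Table -AutoSize
```

Hosts that did not answer the WMI query never appear in the CSV, so compare the computer names in the output against your host list before treating the result as complete.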

See "Does this security update fully address these vulnerabilities on Microsoft Platforms, or do I need to perform any additional steps to be fully protected?"

Article originally appeared on Vertigrate - From the Server Room to the Courtroom (http://www.vertigrate.com/).
See website for complete article licensing information.