Archive for March, 2009
Auditing Remote Services from the Command Line
During an audit I had to determine whether a particular remote control service was installed on the Domain workstations and servers. It was determined during the interview process that no remote control software was in use. I decided to obtain the evidence to the contrary. I had already compromised a Domain Administrator account so I had the appropriate permissions.
Get a list of servers and workstations.
C:\>net view /domain
C:\>net view /domain:<domain_name> >> host_list.txt
The host_list.txt will need to be edited as descriptions of the workstations and servers will show up to the right of the host name. You can quickly edit it in Excel (text to columns). Of course if this was Linux and /or you had awk you could pipe it and choose the first column (| awk ‘{print $1}’)
The command we will be using to query remote services is called Service Control (sc) from the Windows Resource Kit. For more information on the command see this site.
C:\>for /f %i in (host_list.txt) do @echo %i >> results.txt && sc %i query <Service_Name>
In addition to the service results I would like to have the fully qualified domain name and ip address of the server or workstation I am querying. A quick addition of the nslookup command you and you get this:
C:\>if /f %i in (host_list.txt) do @nslookup %i >> results.txt && sc %i query <Service_Name> >> results.txt
Finally, I would like to know, with reasonable assurance, the user of that workstation. For that we will be using a command line tool from the pstools tool kit called psloggedin. Once that tool is installed on your auditor workstation/laptop you can add it to our command.
C:\>if /f %i in (host_list.txt) do @nslookup %i >> results.txt && sc %i query <Service_Name >> results.txt && psloggedin -l -x %i >> results.txt
I wrote a quick script to parse the output of the above command so it can be sorted and analyzed in your preferred spreadsheet application.
#!/usr/bin/perl
$numArgs = $#ARGV +1;
if($numArgs < 1){
print "Invalid Number of Arguments\n";
print "serviceparse.pl \n\n";
exit;
}
#open the file
$infile = "$ARGV[0]";
open(DAT, $infile) || die("Something did not work. You figure it out.");
#save file contents into an array
@raw_data=;
close(DAT);
#Cycle through the entire array
for($count=0;$count<=$#raw_data;$count++){
#get fully qualified domain name
if(@raw_data[$count] =~ /Name:/){
@array = split(/:/, @raw_data[$count]);
$host = @array[1];
$host =~ s/^s+//;
$host =~ s/s+$//;
#get ip address
@array = split(/:/, @raw_data[$count+1]);
$ip = @array[1];
$ip =~ s/^s+//;
$ip =~ s/s+$//;
$service = "";
$user = "";
for($c=$count+1;$c<=$#raw_data;$c++){
if(@raw_data[$c] =~ /RUNNING/){
$service = "Installed and Running";
}
if(@raw_data[$c] =~ /STOPPED/){
$service = "Installed and Stopped";
}
if(@raw_data[$c] =~ /FAILED 1722/){
$service = @raw_data[$c+2];
$service =~ s/^s+//;
$service =~ s/s+$//;
}
if(@raw_data[$c] =~ /FAILED 1060/){
$service = @raw_data[$c+2];
$service =~ s/^s+//;
$service =~ s/s+$//;
}
if(@raw_data[$c] =~ /locally:/){
@array = split(//, @raw_data[$c+3]);
$user = @array[1];
$user =~ s/^s+//;
$user =~ s/s+$//;
}else {if(@raw_data[$c] =~ /Error opening HKEY_USERS/){$user = "";}}
if(@raw_data[$c] =~ /Server:/){print "$host,$ip,$service,$user\n";last;}
}
}
}
Run this script from the command line and pipe it to save the output.
$perl serviceparse.pl results.txt > parseresults.csv
Auditing Folder (and subfolder) Permissions using CACLS
CACLS.exe is a great builtin Windows utility that allows you to list the permissions on a file or folder. This command has been used in an audit to get the permissions of the folders on an agency file server that served the “private” shares to each Domain user. The findings we would be looking for when examining the results are improper access to the “private” shares by other Domain users.
For CACLS options and how to interpret the results see this site.
The command that I run is as follows:
c:\>for /f "delims=" %a in ('dir /b') do @cacls "%a" >> savefile.txt
Once results are obtained they need to be parsed so they can be analyzed. I have written a perl script to add the correct folder name to each permission. This is so they can be sorted by permission in your spreadsheet application of choice.
#!/usr/bin/perl
$numArgs = $#ARGV +1;
if($numArgs < 2){
print "Invalid Number of Arguments\\\\n";
print "caclsparse.pl <filename> <foldername>\\\\n\\\\n";
print "foldername example: D:\\\\\\\\Share\\\\n";
print "You need to escape the backslash twice.\\\\n";
exit;
}
#open the file
$infile = "$ARGV[0]";
open(DAT, $infile) || die("Something did not work. You figure it out.");
#save file contents into an array
@raw_data=<DAT>;
close(DAT);
#Cycle through the entire array
for($count=0;$count<=$#raw_data;$count++){
#pull folder name, split it, and print it
#the first record in each grouping is the only record with the folder name
if(@raw_data[$count] =~ /($ARGV[1])/){
$x = 0;
while(substr(@raw_data[$count+1],$x,1) eq " "){
$x++;
}
$folder = substr(@raw_data[$count],0,$x-1);
$permissions = substr(@raw_data[$count],$x,length(@raw_data[$count]) - $x);
print "$folder,$permissions\\\\n";
#cycle through the permissions listed below the folder name
for($c=$count+1;$c<=$#raw_data;$c++){
#clear all whitespace
$permissions = substr(@raw_data[$c],$x,length(@raw_data[$c]) - $x);
$permissions =~ s/^s+//;
$permissions =~ s/s+$//;
#print until you get to the next folder item
if(@raw_data[$c] =~ /($ARGV[1])/){last;}
print "$folder,$permissions\\\\n";
}
}
}
Save the code and run it as follows:
$perl caclsparse.pl savefile.txt D:\\Share >> parseresults.csv
NOTE: I run it from Linux but ActivePerl for Windows will work as well. Installing perl is outside the scope of this posting.
Open parseresults.csv in Excel/OO Calcs/Gnumeric and begin analyzing the results!