{"id":89,"date":"2009-03-06T08:06:16","date_gmt":"2009-03-06T14:06:16","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=89"},"modified":"2012-07-05T22:45:22","modified_gmt":"2012-07-06T04:45:22","slug":"auditing-remote-services-from-the-command-line","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2009\/03\/auditing-remote-services-from-the-command-line\/","title":{"rendered":"Auditing Remote Services from the Command Line"},"content":{"rendered":"

During an audit I had to determine whether a particular remote control service was installed on the Domain workstations and servers. It was determined during the interview process that no remote control software was in use.\u00a0 I decided to obtain the evidence to the contrary.\u00a0 I had already compromised a Domain Administrator account so I had the appropriate permissions.
\n
\nGet a list of servers and workstations.
\nC:\\>net view \/domain
\nC:\\>net view \/domain:<domain_name> >> host_list.txt<\/kbd><\/p>\n

The host_list.txt will need to be edited as descriptions of the workstations and servers will show up to the right of the host name. You can quickly edit it in Excel (text to columns). Of course if this was Linux and \/or you had awk you could pipe it and choose the first column (| awk ‘{print $1}’)<\/p>\n

The command we will be using to query remote services is called Service Control (sc) from the Windows Resource Kit.\u00a0 For more information on the command see this site<\/a>.<\/p>\n

C:\\>for \/f %i in (host_list.txt) do @echo %i >> results.txt && sc %i query <Service_Name><\/kbd><\/p>\n

In addition to the service results I would like to have the fully qualified domain name and ip address of the server or workstation I am querying.\u00a0 A quick addition of the nslookup command you and you get this:<\/p>\n

C:\\>for \/f %i in (host_list.txt) do @nslookup %i >> results.txt && sc %i query <Service_Name> >> results.txt<\/kbd><\/p>\n

Finally, I would like to know, with reasonable assurance, the user of that workstation.\u00a0 For that we will be using a command line tool from the pstools<\/a> tool kit called psloggedin.\u00a0 Once that tool is installed on your auditor workstation\/laptop you can add it to our command.<\/p>\n

C:\\>for \/f %i in (host_list.txt) do @nslookup %i >> results.txt && sc %i query <Service_Name >> results.txt && psloggedin -l -x %i >> results.txt<\/kbd><\/p>\n

I wrote a quick script to parse the output of the above command so it can be sorted and analyzed in your preferred spreadsheet application.
\n

\n#!\/usr\/bin\/perl\n\n$numArgs = $#ARGV +1;\nif($numArgs &lt; 1){\n  print "Invalid Number of Arguments\\n";\n  print "serviceparse.pl \\n\\n";\n  exit;\n}\n\n#open the file\n$infile = "$ARGV[0]";\nopen(DAT, $infile) || die("Something did not work.  You figure it out.");\n\n#save file contents into an array\n@raw_data=;\nclose(DAT);\n\n#Cycle through the entire array\nfor($count=0;$count&lt;=$#raw_data;$count++){\n\n  #get fully qualified domain name\n  if(@raw_data[$count] =~ \/Name:\/){\n    @array = split(\/:\/, @raw_data[$count]);\n    $host = @array[1];\n    $host =~ s\/^s+\/\/;\n    $host =~ s\/s+$\/\/;\n\n    #get ip address\n    @array = split(\/:\/, @raw_data[$count+1]);\n    $ip = @array[1];\n    $ip =~ s\/^s+\/\/;\n    $ip =~ s\/s+$\/\/;\n\n    $service = "";\n    $user = "";\n    for($c=$count+1;$c&lt;=$#raw_data;$c++){\n\n      if(@raw_data[$c] =~ \/RUNNING\/){\n        $service = "Installed and Running";\n      }\n      if(@raw_data[$c] =~ \/STOPPED\/){\n        $service = "Installed and Stopped";\n      }\n      if(@raw_data[$c] =~ \/FAILED 1722\/){\n        $service = @raw_data[$c+2];\n        $service =~ s\/^s+\/\/;\n        $service =~ s\/s+$\/\/;\n      }\n      if(@raw_data[$c] =~ \/FAILED 1060\/){\n        $service = @raw_data[$c+2];\n        $service =~ s\/^s+\/\/;\n        $service =~ s\/s+$\/\/;\n      }\n\n      if(@raw_data[$c] =~ \/locally:\/){\n        @array = split(\/\/, @raw_data[$c+3]);\n        $user = @array[1];\n        $user =~ s\/^s+\/\/;\n        $user =~ s\/s+$\/\/;\n      }else {if(@raw_data[$c] =~ \/Error opening HKEY_USERS\/){$user = "";}}\n\n      if(@raw_data[$c] =~ \/Server:\/){print "$host,$ip,$service,$user\\n";last;}\n    }\n  }\n}\n<\/code><\/pre>
\nRun this script from the command line and pipe it to save the output.<\/p>\n
$perl serviceparse.pl results.txt > parseresults.csv<\/kbd><\/p>\n","protected":false},"excerpt":{"rendered":"
During an audit I had to determine whether a particular remote control service was installed on the Domain workstations and servers. It was determined during the interview process that no remote control software was in use.\u00a0 I decided to obtain the evidence to the contrary.\u00a0 I had already compromised a Domain Administrator account so I […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[7,10],"tags":[87,69,90,33,89,91,88,80,26],"class_list":["post-89","post","type-post","status-publish","format-standard","hentry","category-scripts","category-using-the-tools","tag-command","tag-command-line","tag-net-view","tag-perl","tag-psloggedin","tag-pstools","tag-remote-services","tag-script","tag-windows"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/89","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=89"}],"version-history":[{"count":39,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/89\/revisions"}],"predecessor-version":[{"id":583,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/89\/revisions\/583"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=89"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=89"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=89"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}