PsExec.exe @hosts.txt -s -c installsnmp.cmd

Below is the file to download.  Rename the file to installsnmp.cmd
installsnmp.cmd.txt

As always, please contact me if you have questions.

@echo off

cls

REM Detect if the system is Windows Server 2003
systeminfo | find "2003" > nul
if %ERRORLEVEL% == 0 goto 2003

REM Detect if the system is Windows XP
systeminfo | find "XP Pro" > nul
if %ERRORLEVEL% == 0 goto XPPro

REM Detect if the system is Windows XP
systeminfo | find "2008" > nul
if %ERRORLEVEL% == 0 goto 2008

REM If the system is Windows Vista, Windows Server 2008, or higher, 
REM they have the required files built in.
goto ERROR

:2003
REM If Windows 2003, set the path to the i386 directory
REM Note: The path needs to be one level above the i386 directory
REM Example: if the path is \\server\share\windows2003\i386\ then
REM the path would be \\server\share\windows2003\
REM Note that the you need both a 32bit and 64bit versions

if (%PROCESSOR_ARCHITECTURE%) == (AMD64) (
echo Windows Registry Editor Version 5.00
echo.
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
echo "SourcePath"="\\\\server\\share\\Extracted\\Win2003x64\\"
echo "ServicePackSourcePath"="\\\\server\\share\\Extracted\\Win2003x64\\"
) > %temp%\setW2003Path.reg

IF (%PROCESSOR_ARCHITECTURE%) == (x86) (
echo Windows Registry Editor Version 5.00
echo.
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
echo "SourcePath"="\\\\server\\share\\Extracted\\Win2003\\"
echo "ServicePackSourcePath"="\\\\server\\share\\Extracted\\Win2003\\"
) > %temp%\setW2003Path.reg

REM Installing the created Registry File
regedit /s /q %temp%\setW2003Path.reg

goto SNMP

:XPPro
REM If Windows XP Professional, set the path to the i386 directory
REM Note: The path needs to be one level above the i386 directory
REM Example: if the path is \\server\share\windowsXP\i386\ then
REM the path would be \\server\share\windowsXP\
if (%PROCESSOR_ARCHITECTURE%) == (AMD64) (
(
echo Windows Registry Editor Version 5.00
echo.
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
echo "SourcePath"="\\\\server\\share\\Extracted\\XPProx64\\"
echo "ServicePackSourcePath"="\\\\server\\share\\Extracted\\XPProx64\\"
) > %temp%\setXPProPath.reg
) ELSE IF (%PROCESSOR_ARCHITECTURE%) == (x86)
(
echo Windows Registry Editor Version 5.00
echo.
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
echo "SourcePath"="\\\\server\\share\\Extracted\\XPPro\\"
echo "ServicePackSourcePath"="\\\\server\\share\\Extracted\\XPPro\\"
) > %temp%\setXPProPath.reg
)

REM Installing the created Registry File
regedit /s /q %temp%\setXPProPath.reg.reg

goto SNMP

:2008
REM Since 2008 stopped using the sysocmgr.exe to install features, in Vista and higher
REM you need to use the servermanagercmd.exe to add features. A great list of the 
REM features and their command line install string is at:
REM http://www.techrepublic.com/blog/datacenter/install-windows-server-2008-features-with-servermanagercmd/294

servermanagercmd.exe -install SNMP-Services

goto Strings

:SNMP
REM Building the Unattended Install

(
echo ;SetupMgrTag
echo [NetOptionalComponents]
echo SNMP=1
echo [SNMP]
echo Any_Host=YES
) > %temp%\snmp.txt

REM Installing the SNMP application with the Unattended Install

sysocmgr /i:%windir%\inf\sysoc.inf /u:%temp%\snmp.txt

goto Strings

:Strings

REM Removing the public string
(
echo Windows Registry Editor Version 5.00
echo.
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SNMP\Parameters\ValidCommunities]

REM Removing the only allow localhost communication, by default 2008 will only allow the 
REM localhsot to talk to the SNMP service
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SNMP\Parameters\PermittedManagers]

REM Setting the SNMP strings
echo.

REM Setting the SNMP Contact Info
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SNMP\Parameters\RFC1156Agent]
echo "sysContact"="Server Administrators"
echo "sysLocation"="Server Room"
echo "sysServices"=dword:0000004f
echo.
REM Setting the Read Only and Read Write Communities
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SNMP\Parameters\ValidCommunities]
echo "readonly"=dword:00000004
echo "readwrite"=dword:00000008
echo.
REM Creating the Permitted Managers Key
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SNMP\Parameters\PermittedManagers]
echo.
) > %temp%\setupsnmp.reg

REM Installing the created Registry File

regedit /s /q %temp%\setupsnmp.reg

REM Cleaning Up

IF EXIST %temp%\setupsnmp.reg del %temp%\setupsnmp.reg
IF EXIST %temp%\setW2003Path.reg del %temp%\setW2003Path.reg
IF EXIST %temp%\setXPProPath.reg.reg del %temp%\setXPProPath.reg.reg
IF EXIST %temp%\snmp.txt del %temp%\snmp.txt

echo %COMPUTERNAME% Complete >> \\server\share\SNMP\SNMPInstall.txt

goto END

:ERROR
echo.
echo Could not determine the OS type
pause

goto END

:END

Pictures of notes and more details here:
http://www.fbi.gov/news/stories/2011/march/cryptanalysis_032911/cryptanalysis_032911

It is pretty easy to work with.  Lauch the app and off you go.  When you are done, click “Upload to WiGLE.net” and your data is being processed.  In just a quick drive I found 385 networks.

<more about the app>

—————————————————————–

## Generate the local key
openssl genrsa -out linux0001.key 4096

## Generate the csr
opensll req -new -key linux0001.key -out linux0001.csr

## Submit the .csr file to the CA

## Move the original certs for backup purposes
mv cert.pem cert.pem.bak
mv privkey.pem privkey.pem.bak

## Convert the binary cert to a standard cert
openssl x509 -in certnew.cer -inform DER -out cert.pem -outform PEM

## Copy the new files in the Splunk folder
cp linux0001.key /opt/splunk/share/splunk/certs/privkey.pem
cp cert.pem /opt/splunk/share/splunk/certs/cert.pem

## Restart Splunk
/opt/splunk/bin/splunk restart

Software is getting scary.  Almost to the Hollywood Hacker style of breaking in to websites.

Type=”Failure Audit” sourcetype=”WinEventLog:Security” | chart count by User_Name | sort – count

Here is a few of the reports I have scheduled to get every morning to take a look at what has happened in my environment.

User Accounts deleted:

EventCode=”630″ | fields Caller_User_Name, Target_Domain,  Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Account | rename host as DomainController | rename Target_Domain as Users_Domain

User Accounts created:

EventCode=”624″ | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Modified_Account | rename host as DomainController | rename New_Domain as New_Account_Domain

Computer Accounts deleted:

EventCode=”647″ | fields Caller_User_Name, Target_Domain, Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Computer | rename host as DomainController | rename Target_Domain as Removed_Domain

Computer Accounts created:

EventCode=”645″ | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename New_Account_Name as New_Computer | rename host as DomainController | rename New_Domain as Joined_Domain

The searches below show how this can be used wrongly.

Want to know who goes to the Bank of America at E 4th Street in New York City?
http://foursquare.com/venue/246931

or the Quiznos on Broadway and 12th in New York?
http://foursquare.com/venue/129297

People have been complaining that “Big Brother” is always watching them and their privacy is being invaded.  How can this be when you share everything about your life online?