Posts Tagged ‘user’

Currently I am having an issue with not knowing information about the servers I am responsible for. I am not happy not knowing things. I spent a little time gathering different parts of different scripts (hacker / script kiddie style) and compiling them into one Visual Basic Script. This script is designed to work against Dell servers. It will ask the computer for its name, the OS, OS version number, service packs, bit level (32 or 64 bit), Dell warranty info, a list of local users, and a list of local groups and the users in them. It takes the list of servers from “hosts.txt”, which is just a list of server names or IP addresses, one per line. It writes all the information it gathers into a file called “report.txt”.

Download the .VBS File

Here is the code:

Option Explicit
' Reads hosts.txt (one server name or IP per line) and appends one inventory block per host to report.txt.
Const ForReading = 1
Const ForAppending = 8
Const HKEY_LOCAL_MACHINE = &H80000002

Dim objFSO, objTextFileW, objTextFileO, strNextLine, arrServiceList
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFileW = objFSO.OpenTextFile("report.txt", ForAppending, True)
Set objTextFileO = objFSO.OpenTextFile("hosts.txt", ForReading)

Do Until objTextFileO.AtEndOfStream
    strNextLine = Trim(objTextFileO.ReadLine)
    If strNextLine <> "" Then
        arrServiceList = Split(strNextLine, ",")
        InventoryHost Trim(arrServiceList(0))
    End If
Loop
objTextFileO.Close
objTextFileW.Close

' One host per call: the locals start fresh, so a host that cannot be reached never inherits the previous host's objects.
Sub InventoryHost(strComputer)
    Dim objWMIService, colItems, objItem, oReg, strValue, get_OS_Bit
    Dim url, svctag, objIE, warrantyRows, warrantyCols, i
    Dim colAccounts, objUser, colGroups, objGroup, objsvc, svc

    WScript.Echo strComputer
    objTextFileW.WriteLine "########################################"
    objTextFileW.WriteLine
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        objTextFileW.WriteLine "Could not connect to " & strComputer & ": " & Err.Description
        Exit Sub
    End If

    objTextFileW.WriteLine "========================================"
    objTextFileW.WriteLine "==            Computer Info           =="
    objTextFileW.WriteLine "========================================"
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem", , 48)
    For Each objItem In colItems
        objTextFileW.WriteLine "Computer Name      : " & objItem.CSName
        objTextFileW.WriteLine "Operating System   : " & objItem.Caption
        objTextFileW.WriteLine "OS Version Number  : " & objItem.Version
        objTextFileW.WriteLine "Service Pack       : " & objItem.ServicePackMajorVersion
    Next
    ' Bit level: the CPU Identifier string in the remote registry starts with "x86" on a 32-bit OS and contains "64" on a 64-bit one.
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
    oReg.GetStringValue HKEY_LOCAL_MACHINE, "HARDWARE\DESCRIPTION\System\CentralProcessor\0", "Identifier", strValue
    If InStr(strValue, "x86") Then
        get_OS_Bit = "32"
    ElseIf InStr(strValue, "64") Then
        get_OS_Bit = "64"
    Else
        get_OS_Bit = "NotSure"
    End If
    objTextFileW.WriteLine "OS is              : " & get_OS_Bit & "bit"
    objTextFileW.WriteLine

    objTextFileW.WriteLine "========================================"
    objTextFileW.WriteLine "==  Get the Dell warranty information =="
    objTextFileW.WriteLine "========================================"
    If InStr(UCase(objWMIService.ExecQuery("Select Manufacturer From Win32_ComputerSystem").ItemIndex(0).Manufacturer), "DELL") = 0 Then
        objTextFileW.WriteLine "This is not a Dell dude! No Service Tag"
    Else
        svctag = objWMIService.ExecQuery("Select SerialNumber from Win32_BIOS").ItemIndex(0).SerialNumber
        objTextFileW.WriteLine "Service Tag        : " & svctag
        ' Drive Internet Explorer to the Dell support page for this service tag and scrape the warranty table.
        url = "http://support.dell.com/support/topics/global.aspx/support/my_systems_info/details?c=us&cs=RC956904&l=en&s=hied&~lt=bodyonly&~wsf=tabs&servicetag="
        Set objIE = CreateObject("InternetExplorer.Application")
        objIE.Navigate url & svctag
        Do While objIE.ReadyState <> 4 : WScript.Sleep 50 : Loop
        Set warrantyRows = objIE.document.getElementsByTagName("table").item(1).getElementsByTagName("table").item(2).getElementsByTagName("table").item(0).getElementsByTagName("tr")
        For i = 1 To warrantyRows.length - 1
            Set warrantyCols = warrantyRows.item(i).getElementsByTagName("td")
            objTextFileW.WriteLine "Description        : " & warrantyCols.item(0).innerText
            objTextFileW.WriteLine "Provider           : " & warrantyCols.item(1).innerText
            objTextFileW.WriteLine "Warranty Extension : " & warrantyCols.item(2).innerText
            objTextFileW.WriteLine "Start Date         : " & warrantyCols.item(3).innerText
            objTextFileW.WriteLine "End Date           : " & warrantyCols.item(4).innerText
            objTextFileW.WriteLine "Days Left          : " & warrantyCols.item(5).innerText
            objTextFileW.WriteLine
        Next
        objIE.Quit
    End If

    objTextFileW.WriteLine "========================================"
    objTextFileW.WriteLine "==       List all local users         =="
    objTextFileW.WriteLine "========================================"
    Set colAccounts = GetObject("WinNT://" & strComputer & ",computer")
    colAccounts.Filter = Array("user")
    For Each objUser In colAccounts
        objTextFileW.WriteLine "Local User         : " & objUser.Name
    Next
    objTextFileW.WriteLine

    objTextFileW.WriteLine "==========================================="
    objTextFileW.WriteLine "== List all local groups and their users =="
    objTextFileW.WriteLine "==========================================="
    Set colGroups = GetObject("WinNT://" & strComputer & ",computer")
    colGroups.Filter = Array("group")
    For Each objGroup In colGroups
        objTextFileW.WriteLine "Group              : " & objGroup.Name
        For Each objUser In objGroup.Members
            objTextFileW.WriteLine "User               : " & objUser.Name
        Next
        objTextFileW.WriteLine
    Next

    objTextFileW.WriteLine "== List all services =="
    Set objsvc = objWMIService.ExecQuery("SELECT * FROM Win32_Service")
    For Each svc In objsvc
        objTextFileW.WriteLine "Service            : " & svc.DisplayName
        objTextFileW.WriteLine "Current Status     : " & svc.State
        objTextFileW.WriteLine "Startup Type       : " & svc.StartMode
        objTextFileW.WriteLine "Run Server As      : " & svc.StartName
        objTextFileW.WriteLine
    Next
    objTextFileW.WriteLine
End Sub
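An added example, not part of the original script, that reads the report.txt the script writes and pulls out the two things an auditor usually wants from it: local Administrators members outside a baseline, and services running under a named account rather than a built-in one. The sample report, the host name SRV01, the accounts and the baseline are all constructed.

```python
from collections import defaultdict

# Constructed sample in the exact "Label : value" layout the script writes (blank lines omitted).
SAMPLE_REPORT = """\
########################################
Computer Name      : SRV01
Group              : Administrators
User               : Administrator
User               : backupsvc
Service            : Backup Exec Agent
Run Server As      : CORP\\backupsvc
Service            : Windows Time
Run Server As      : LocalSystem
"""

def parse_report(text):
    """One dict per host; a '####' line opens the next host's block."""
    hosts, host, group = [], None, None
    for line in text.splitlines():
        if line.startswith("####"):
            host = {"groups": defaultdict(list), "services": []}
            hosts.append(host)
            continue
        key, sep, val = line.partition(" : ")
        if not sep or host is None:   # separator, header and blank lines
            continue
        key, val = key.strip(), val.strip()
        if key == "Group":
            group = val
        elif key == "User":           # member line under the current group
            host["groups"][group].append(val)
        elif key == "Service":
            host["services"].append({"name": val, "account": None})
        elif key == "Run Server As":  # belongs to the most recent service
            host["services"][-1]["account"] = val
        else:                         # Computer Name, OS, warranty fields ...
            host[key] = val
    return hosts

BUILTIN = {"LocalSystem", "NT AUTHORITY\\LocalService", "NT AUTHORITY\\NetworkService"}

def named_account_services(hosts):
    """Services running under a real account, whose password must be tracked."""
    return [(h["Computer Name"], s["name"], s["account"])
            for h in hosts for s in h["services"] if s["account"] not in BUILTIN]

def unexpected_admins(hosts, baseline=("Administrator",)):
    """Local Administrators members outside the baseline, per host."""
    return {h["Computer Name"]: sorted(set(h["groups"]["Administrators"]) - set(baseline))
            for h in hosts}
```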

This search helps track down failed logins. These could be due to someone changing their password while still being logged in to a server with the old credentials. The other possibility is that someone is trying to brute force an account.

Type="Failure Audit" sourcetype="WinEventLog:Security" | chart count by User_Name | sort - count

So I am a full convert and prophet of Splunk now. I have been using it at work for around 4 months. I have rolled it out to our domain controllers and have started rolling it out to all our Windows and *nix servers. The ability to find out who did what has made my job so much easier. There was an incident where an OU was deleted in our AD. I was able to see exactly who did it and when. Normally this type of searching wasn’t possible, or at least was hard to do, given the size of our infrastructure. Our event logs roll over around once an hour. The OU was deleted 8 hours before we were contacted.

Here are a few of the reports I have scheduled to run every morning so I can take a look at what has happened in my environment.

User Accounts deleted:

EventCode="630" | fields Caller_User_Name, Target_Domain, Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Account | rename host as DomainController | rename Target_Domain as Users_Domain

User Accounts created:

EventCode="624" | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename New_Account_Name as New_Account | rename host as DomainController | rename New_Domain as New_Account_Domain

Computer Accounts deleted:

EventCode="647" | fields Caller_User_Name, Target_Domain, Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Computer | rename host as DomainController | rename Target_Domain as Removed_Domain

Computer Accounts created:

EventCode="645" | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename New_Account_Name as New_Computer | rename host as DomainController | rename New_Domain as Joined_Domain
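The failed-login search and the four scheduled account reports above, worked offline over constructed sample events as an added example (not code from the original posts): one function reproduces the count-by-user chart and adds a threshold for the brute-force case, the other applies the same field renames by event code. The key=value line layout, the threshold of 3, and every user, host and account name are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Splunk-extracted WinEventLog:Security events, one per line,
# reduced to the fields the searches use.  Values containing spaces are quoted.
SAMPLE_EVENTS = """\
Type="Failure Audit" EventCode=529 User_Name=jdoe host=DC01
Type="Failure Audit" EventCode=529 User_Name=jdoe host=DC01
Type="Failure Audit" EventCode=529 User_Name=jdoe host=DC02
Type="Failure Audit" EventCode=529 User_Name=svc_backup host=DC01
Type="Success Audit" EventCode=630 Caller_User_Name=asmith Target_Domain=CORP Target_Account_Name=oldtemp host=DC01
Type="Success Audit" EventCode=624 Caller_User_Name=asmith New_Domain=CORP New_Account_Name=newhire host=DC02
Type="Success Audit" EventCode=645 Caller_User_Name=bjones New_Domain=CORP New_Account_Name=WS042$ host=DC01
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_events(text):
    """One dict per line from its key=value pairs, quoted or bare."""
    return [{k: q or b for k, q, b in FIELD.findall(line)}
            for line in text.splitlines() if line.strip()]

def failed_logons_by_user(events):
    """Same as: Type="Failure Audit" | chart count by User_Name | sort - count"""
    counts = Counter(e.get("User_Name", "-") for e in events if e.get("Type") == "Failure Audit")
    return counts.most_common()

def suspected_brute_force(events, threshold=3):
    """Accounts at or above the failure threshold; a stale cached password usually stays below it."""
    return [u for u, n in failed_logons_by_user(events) if n >= threshold]

# EventCode -> (source field, report column), as the four scheduled reports rename them.
# 624/630/645/647 are the Windows 2000/2003 IDs; Server 2008 and later log 4720/4726/4741/4743.
CHANGE_REPORTS = {
    "630": ("Target_Account_Name", "Deleted_Account"),
    "624": ("New_Account_Name", "New_Account"),
    "647": ("Target_Account_Name", "Deleted_Computer"),
    "645": ("New_Account_Name", "New_Computer"),
}

def account_change_report(events):
    """Who did it, to which account, on which domain controller."""
    rows = []
    for e in events:
        if e.get("EventCode") in CHANGE_REPORTS:
            src, col = CHANGE_REPORTS[e["EventCode"]]
            rows.append({"Who_Did_It": e.get("Caller_User_Name"), col: e.get(src),
                         "DomainController": e.get("host")})
    return rows
```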

I am finding in my daily work that everyone talks about and wants the least privilege security model until they want access to something. We can redesign a network share and say that only groups are allowed and that users are not to be granted direct access, and within a month of going live there is a handful of user accounts listed. What I also find funny is how people react when you ask why. Why do you need this access? You would think I am asking them to justify why they exist. My goal is to be able to document and justify why I have granted access to something (share, server, etc.), and they get offended. Using the model of least privilege helps to protect everyone and the company.