On June 30, 1999, sheriff’s officers in St. Louis, Missouri discovered the body of 41-year-old Ricky McCormick. He had been murdered and dumped in a field. The only clues regarding the homicide were two encrypted notes found in the victim’s pants pockets.
Pictures of notes and more details here:
http://www.fbi.gov/news/stories/2011/march/cryptanalysis_032911/cryptanalysis_032911
On January 17th, 2011 I wrote about a script I wrote to gather information on my network (http://www.anthonyreinke.com/?p=384). I ran the scan a few time with a lot of errors. The issues were due to the different domains. It can’t scan all the machines since it runs as the person running. It doesn’t have the ability to try multiple different credentials.
So I started looking for products to get the information. After a lot of trail and errors I found Lansweeper. This software gives you the incite in to your network that is hard to find. It not only scans the machines, but active directories as well. As for the price, it is hard to bet at $299 per year.
Currently I am having an issue with not knowing information about the servers I am responsible. I am not happy not knowing things. I spent a little time gather different parts of different scripts (hacker / script kiddie style) and compiling them in to one Visual Basic Script. This script is designed to work against Dell Servers. It will ask the computer for it name, the OS, OS version number, Service Packs, Bit Level (32 or 64 bit), Dell Warranty info, list of local users, and a list of local groups and the users in the groups. It takes the list of servers from “hosts.txt” which is just a list of servers or ip addresses where there is one per line. It will write all the information it gathers in to a file called “report.txt”.
Download the .VBS File
Here is the code:
Option ExplicitDim url, svctag, wshShell, wshNetworkDim strComputer, colGroups, objGroup, objUserDim objWMIService, colItems, objItemDim warrantyRows, warrantyColsDim objsvc,svccount, errorChecking,svc,objNetwork,colAccountsDim get_OS_Bit, info, strComputer2, oReg, strKeyPath, strValueName, strValueDim objShell, objIE, objWMIDim colOSes, objOSDim objFSO, objTextFile, objTextFileW, objTextFileO, strNextLine, arrServiceListDim i, resultConst ForReading = 1Const ForAppending = 8Set objFSO = CreateObject(“Scripting.FileSystemObject”)Set objTextFileW = objFSO.OpenTextFile (“report.txt”, ForAppending, True)Set objFSO = CreateObject(“Scripting.FileSystemObject”)Set objTextFileO = objFSO.OpenTextFile _(“hosts.txt”, ForReading)Do Until objTextFileO.AtEndOfStreamstrNextLine = objTextFileO.ReadlinearrServiceList = Split(strNextLine , “,”)strComputer = arrServiceList(0)wscript.echo strComputerOn Error Resume NextSet colOSes = objWMIService.ExecQuery(“Select * from Win32_OperatingSystem”)For Each objOS in colOSesobjTextFileW.Writeline “########################################”objTextFileW.WritelineobjTextFileW.Writeline “========================================”objTextFileW.Writeline “== Computer Info ==”objTextFileW.Writeline “========================================”objTextFileW.WriteLine “Computer Name : ” & objOS.CSNameNextobjTextFileW.WriteLineSet objWMI = GetObject(“winmgmts:\” & strComputer & “rootCIMV2”)Set colItems = objWMI.ExecQuery(“SELECT * FROM Win32_OperatingSystem”,,48)For Each objItem in colItemsobjTextFileW.WriteLine “Operating System : ” & objItem.CaptionobjTextFileW.WriteLine “OS Version Number : ” & objItem.VersionobjTextFileW.WriteLine “Service Pack : ” & objItem.ServicePackMajorVersionobjTextFileW.WriteLineNextconst HKEY_LOCAL_MACHINE = &H80000002Set oReg=GetObject(“winmgmts:{impersonationLevel=impersonate}!\” & strComputer & “rootdefault:StdRegProv”)strKeyPath = “HARDWAREDESCRIPTIONSystemCentralProcessor�”strValueName = “Identifier”oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValueif (instr(strValue,”x86″)) thenget_OS_Bit=”32″elseif (instr(strValue,”64″)) thenget_OS_Bit=”64″elseget_OS_Bit=”NotSure”end ifobjTextFileW.WriteLine “OS is : ” & get_OS_Bit & “bit”objTextFileW.WriteLineobjTextFileW.Writeline “========================================”objTextFileW.WriteLine “== Get the Dell warranty information ==”objTextFileW.Writeline “========================================”url = “http://support.dell.com/support/topics/global.aspx/support/my_systems_info/details?c=us&cs=RC956904&l=en&s=hied&~lt=bodyonly&~wsf=tabs&servicetag=”set objIE=createobject(“internetexplorer.application”)set objShell = WScript.CreateObject(“WScript.Shell”)set objWMI = GetObject(“winmgmts:{impersonationLevel=impersonate}!\” & strComputer & “rootcimv2”)If InStr(UCase(objWMI.ExecQuery(“Select Manufacturer From Win32_ComputerSystem”).ItemIndex(0).Manufacturer), “DELL”) = 0 then Err.Raise 2, “This is not a Dell dude!”, “No Service Tag”svctag = objWMI.ExecQuery (“Select SerialNumber from Win32_BIOS”).ItemIndex(0).SerialNumberSet objWMIService = GetObject(“winmgmts:” _& “{impersonationLevel=impersonate}!\” _& strComputer & “rootcimv2”)objTextFileW.WriteLine “Service Tag : ” & svctagobjIE.navigate url & svctagdo while objIE.readystate<>4 : wscript.sleep 50 : loopset warrantyRows = objIE.document.getElementsByTagName(“table”).item(1).getElementsByTagName(“table”).item(122).getElementsByTagName(“table”).item(0).getElementsByTagName(“tr”)For i = 1 to warrantyRows.length – 1set warrantyCols = warrantyRows.item(i).getElementsByTagName(“td”)objTextFileW.WriteLine “Description : ” & warrantyCols.item(0).innerTextobjTextFileW.WriteLine “Provider : ” & warrantyCols.item(1).innerTextobjTextFileW.WriteLine “Warranty Extension : ” & warrantyCols.item(122).innerTextobjTextFileW.WriteLine “Start Date : ” & warrantyCols.item(3).innerTextobjTextFileW.WriteLine “End Date : ” & warrantyCols.item(4).innerTextobjTextFileW.WriteLine “Days Left : ” & warrantyCols.item(5).innerTextobjTextFileW.WriteLineNextobjTextFileW.Writeline “========================================”objTextFileW.WriteLine “== List all local users ==”objTextFileW.Writeline “========================================”Set objNetwork = CreateObject(“Wscript.Network”)‘strComputer = objNetwork.ComputerNameSet colAccounts = GetObject(“WinNT://” & strComputer & “”)colAccounts.Filter = Array(“user”)For Each objUser In colAccountsobjTextFileW.WriteLine “Local User : ” & objUser.NameNextobjTextFileW.WriteLineobjTextFileW.Writeline “===========================================”objTextFileW.WriteLine “== List all local groups and their users ==”objTextFileW.Writeline “===========================================”Set colGroups = GetObject(“WinNT://” & strComputer & “”)colGroups.Filter = Array(“group”)For Each objGroup In colGroupsobjTextFileW.WriteLine “Group : ” & objGroup.NameFor Each objUser in objGroup.MembersobjTextFileW.WriteLine “User : ” & objUser.NameNextobjTextFileW.WriteLineNextobjTextFileW.WriteLine “== List all services ==”set objsvc = GetObject(“winmgmts:{impersonationLevel=impersonate}\” & strComputer & “rootcimv2”).ExecQuery (“SELECT * FROM Win32_Service”)for each svc in objsvcobjTextFileW.WriteLine “Service : ” & svc.displaynameobjTextFileW.WriteLine “Current Status : ” & svc.stateobjTextFileW.WriteLine “Startus Type : ” & svc.startmodeobjTextFileW.WriteLine “Run Server As : ” & svc.startnameobjTextFileW.WriteLinenextobjTextFileW.WriteLineLoopobjTextFileW.Close
A big problem for computer technicians is trying to reproduce the error that the client is encountering. If we don’t know exactly what they did to cause it, it is hard to track down the problem. This is where an application built into Windows 7 called “Problem Step Recorder” can help.
Read more at:
Windows 7 Problem Step Recorder – Create Step By Step Recordings | Technibble.
I was playing around on the Android market place and notice Wigle Wifi. I remembered Wigle from the old War Driving days. I downloaded the app and started to play with it.
It is pretty easy to work with. Lauch the app and off you go. When you are done, click “Upload to WiGLE.net” and your data is being processed. In just a quick drive I found 385 networks.
When the hacker’s system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.
I prefer to use a signed web certificate and not the self signed certificate. I found a couple different topics on the process, but found that most of them referred to the distributive searching certificate. Here are the step to generate the certificate and get it in to the right place for Splunk to use it.
—————————————————————–
## Generate the local key
openssl genrsa -out linux0001.key 4096
## Generate the csr
opensll req -new -key linux0001.key -out linux0001.csr
## Submit the .csr file to the CA
## Move the original certs for backup purposes
mv cert.pem cert.pem.bak
mv privkey.pem privkey.pem.bak
## Convert the binary cert to a standard cert
openssl x509 -in certnew.cer -inform DER -out cert.pem -outform PEM
## Copy the new files in the Splunk folder
cp linux0001.key /opt/splunk/share/splunk/certs/privkey.pem
cp cert.pem /opt/splunk/share/splunk/certs/cert.pem
## Restart Splunk
/opt/splunk/bin/splunk restart
Demo of Hacktics’ Seeker New Generation Application Security Testing Software.
Software is getting scary. Almost to the Hollywood Hacker style of breaking in to websites.
I have begun building my own dashboards in Splunk. Once I have the custom views built, I will post them up here. So far everything I have been working on is with a system’s administrator in mind because that is what I have been doing for the past 12 years (wow, thats a long time). Currently I am building a view for searching failed logins and the source of lockouts. They tie in to one another. Our technicians want to be more involved in the systems administration and hopefully this will help them respond quicker to our customers. Everything comes from Splunk being installed on all our domain controllers. From there we get all the logs in to our central logging system (Splunk). Due to the amount of data we are pushing now everyday, we might have to build a backup environment just for our Splunk data. How awesome is this!
This will help to track down failed logins. This could be due to someone changing their password and still are logged in to a server with the old account information. The other side is that someone could be trying to brute force an account.
Type=”Failure Audit” sourcetype=”WinEventLog:Security” | chart count by User_Name | sort – count