Information Gathering on My Own Servers

Currently I am having an issue with not knowing information about the servers I am responsible.   I am not happy not knowing things.  I spent a little time gather different parts of different scripts (hacker / script kiddie style) and compiling them in to one Visual Basic Script.  This script is designed to work against Dell Servers.  It will ask the computer for it name, the OS, OS version number, Service Packs, Bit Level (32 or 64 bit), Dell Warranty info, list of local users, and a list of local groups and the users in the groups.  It takes the list of servers from “hosts.txt” which is just a list of servers or ip addresses where there is one per line.  It will write all the information it gathers in to a file called “report.txt”.

Download the .VBS File

Here is the code:

Option Explicit
Dim url, svctag, wshShell, wshNetwork
Dim strComputer, colGroups, objGroup, objUser
Dim objWMIService, colItems, objItem
Dim warrantyRows, warrantyCols
Dim objsvc,svccount, errorChecking,svc,objNetwork,colAccounts
Dim get_OS_Bit, info, strComputer2, oReg, strKeyPath, strValueName, strValue
Dim objShell, objIE, objWMI
Dim colOSes, objOS
Dim objFSO, objTextFile, objTextFileW, objTextFileO, strNextLine, arrServiceList
Dim i, result
Const ForReading = 1
Const ForAppending = 8
Set objFSO = CreateObject(“Scripting.FileSystemObject”)
Set objTextFileW = objFSO.OpenTextFile (“report.txt”, ForAppending, True)
Set objFSO = CreateObject(“Scripting.FileSystemObject”)
Set objTextFileO = objFSO.OpenTextFile _
(“hosts.txt”, ForReading)
Do Until objTextFileO.AtEndOfStream
strNextLine = objTextFileO.Readline
arrServiceList = Split(strNextLine , “,”)
strComputer = arrServiceList(0)
wscript.echo strComputer
On Error Resume Next
Set colOSes = objWMIService.ExecQuery(“Select * from Win32_OperatingSystem”)
For Each objOS in colOSes
objTextFileW.Writeline “########################################”
objTextFileW.Writeline “========================================”
objTextFileW.Writeline “==            Computer Info           ==”
objTextFileW.Writeline “========================================”
objTextFileW.WriteLine “Computer Name      : ” & objOS.CSName
Set objWMI = GetObject(“winmgmts:\” & strComputer & “rootCIMV2”)
Set colItems = objWMI.ExecQuery(“SELECT * FROM Win32_OperatingSystem”,,48)
For Each objItem in colItems
objTextFileW.WriteLine “Operating System   : ” & objItem.Caption
objTextFileW.WriteLine “OS Version Number  : ” & objItem.Version
objTextFileW.WriteLine “Service Pack       : ” & objItem.ServicePackMajorVersion
const HKEY_LOCAL_MACHINE = &H80000002
Set oReg=GetObject(“winmgmts:{impersonationLevel=impersonate}!\” & strComputer & “rootdefault:StdRegProv”)
strKeyPath = “HARDWAREDESCRIPTIONSystemCentralProcessor�”
strValueName = “Identifier”
oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
if (instr(strValue,”x86″)) then
elseif (instr(strValue,”64″)) then
end if
objTextFileW.WriteLine “OS is              : ” & get_OS_Bit & “bit”
objTextFileW.Writeline “========================================”
objTextFileW.WriteLine “==  Get the Dell warranty information ==”
objTextFileW.Writeline “========================================”
url = “”
set objIE=createobject(“internetexplorer.application”)
set objShell = WScript.CreateObject(“WScript.Shell”)
set objWMI = GetObject(“winmgmts:{impersonationLevel=impersonate}!\” & strComputer & “rootcimv2”)
If InStr(UCase(objWMI.ExecQuery(“Select Manufacturer From Win32_ComputerSystem”).ItemIndex(0).Manufacturer), “DELL”) = 0 then Err.Raise 2, “This is not a Dell dude!”, “No Service Tag”
svctag = objWMI.ExecQuery  (“Select SerialNumber from Win32_BIOS”).ItemIndex(0).SerialNumber
Set objWMIService = GetObject(“winmgmts:” _
& “{impersonationLevel=impersonate}!\” _
& strComputer & “rootcimv2”)
objTextFileW.WriteLine “Service Tag        : ” & svctag
objIE.navigate url & svctag
do while objIE.readystate<>4 : wscript.sleep 50 : loop
set warrantyRows = objIE.document.getElementsByTagName(“table”).item(1).getElementsByTagName(“table”).item(122).getElementsByTagName(“table”).item(0).getElementsByTagName(“tr”)
For i = 1 to warrantyRows.length – 1
set warrantyCols = warrantyRows.item(i).getElementsByTagName(“td”)
objTextFileW.WriteLine “Description        : ” & warrantyCols.item(0).innerText
objTextFileW.WriteLine “Provider           : ” & warrantyCols.item(1).innerText
objTextFileW.WriteLine “Warranty Extension : ” & warrantyCols.item(122).innerText
objTextFileW.WriteLine “Start Date         : ” & warrantyCols.item(3).innerText
objTextFileW.WriteLine “End Date           : ” & warrantyCols.item(4).innerText
objTextFileW.WriteLine “Days Left          : ” & warrantyCols.item(5).innerText
objTextFileW.Writeline “========================================”
objTextFileW.WriteLine “==       List all local users         ==”
objTextFileW.Writeline “========================================”
Set objNetwork = CreateObject(“Wscript.Network”)
‘strComputer = objNetwork.ComputerName
Set colAccounts = GetObject(“WinNT://” & strComputer & “”)
colAccounts.Filter = Array(“user”)
For Each objUser In colAccounts
objTextFileW.WriteLine “Local User         : ” & objUser.Name
objTextFileW.Writeline “===========================================”
objTextFileW.WriteLine “== List all local groups and their users ==”
objTextFileW.Writeline “===========================================”
Set colGroups = GetObject(“WinNT://” & strComputer & “”)
colGroups.Filter = Array(“group”)
For Each objGroup In colGroups
objTextFileW.WriteLine “Group              : ” & objGroup.Name
For Each objUser in objGroup.Members
objTextFileW.WriteLine “User               : ” & objUser.Name
objTextFileW.WriteLine “== List all services ==”
set objsvc = GetObject(“winmgmts:{impersonationLevel=impersonate}\” & strComputer & “rootcimv2”).ExecQuery (“SELECT * FROM Win32_Service”)
for each svc in objsvc
objTextFileW.WriteLine “Service            : ” & svc.displayname
objTextFileW.WriteLine “Current Status     : ” & svc.state
objTextFileW.WriteLine “Startus Type       : ” & svc.startmode
objTextFileW.WriteLine “Run Server As      : ” & svc.startname

Windows 7 Problem Step Recorder – Create Step By Step Recordings | Technibble

A big problem for computer technicians is trying to reproduce the error that the client is encountering. If we don’t know exactly what they did to cause it, it is hard to track down the problem. This is where an application built into Windows 7 called “Problem Step Recorder” can help.

Read more at:
Windows 7 Problem Step Recorder – Create Step By Step Recordings | Technibble.

WarDriving on the Droid

I was playing around on the Android market place and notice Wigle Wifi.  I remembered Wigle from the old War Driving days.  I downloaded the app and started to play with it.

It is pretty easy to work with.  Lauch the app and off you go.  When you are done, click “Upload to” and your data is being processed.  In just a quick drive I found 385 networks.

<more about the app>

Web (http) Certificate for Splunk

I prefer to use a signed web certificate and not the self signed certificate.  I found a couple different topics on the process, but found that most of them referred to the distributive searching certificate.  Here are the step to generate the certificate and get it in to the right place for Splunk to use it.


## Generate the local key
openssl genrsa -out linux0001.key 4096

## Generate the csr
opensll req -new -key linux0001.key -out linux0001.csr

## Submit the .csr file to the CA

## Move the original certs for backup purposes
mv cert.pem cert.pem.bak
mv privkey.pem privkey.pem.bak

## Convert the binary cert to a standard cert
openssl x509 -in certnew.cer -inform DER -out cert.pem -outform PEM

## Copy the new files in the Splunk folder
cp linux0001.key /opt/splunk/share/splunk/certs/privkey.pem
cp cert.pem /opt/splunk/share/splunk/certs/cert.pem

## Restart Splunk
/opt/splunk/bin/splunk restart

Splunk Dashboards

I have begun building my own dashboards in Splunk.  Once I have the custom views built, I will post them up here.  So far everything I have been working on is with a system’s administrator in mind because that is what I have been doing for the past 12 years (wow, thats a long time).  Currently I am building a view for searching failed logins and the source of lockouts.  They tie in to one another.  Our technicians want to be more involved in the systems administration and hopefully this will help them respond quicker to our customers.  Everything comes from Splunk being installed on all our domain controllers.  From there we get all the logs in to our central logging system (Splunk).  Due to the amount of data we are pushing now everyday, we might have to build a backup environment just for our Splunk data.  How awesome is this!

Another good report

This will help to track down failed logins.  This could be due to someone changing their password and still are logged in to a server with the old account information.  The other side is that someone could be trying to brute force an account.

Type=”Failure Audit” sourcetype=”WinEventLog:Security” | chart count by User_Name | sort – count

Daily Splunk Reports

So I am a full convert and profit of Splunk now.  I have been using it at work for around 4 months now.  I have rolled it out to our domain controllers and have started rolling it to all our Windows and *nix servers.  The ability to find out who did what has made my job so much easier.  There was an incident where an OU was deleted in our AD.  I was able to see exactly who and when did it.  Normally this type of searching wasn’t possible or at least hard to get due to the size of our infrastructure.  Our Event Logs roll over around once an hour.  The OU was deleted 8 hours before we were contacted.

Here is a few of the reports I have scheduled to get every morning to take a look at what has happened in my environment.

User Accounts deleted:

EventCode=”630″ | fields Caller_User_Name, Target_Domain,  Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Account | rename host as DomainController | rename Target_Domain as Users_Domain

User Accounts created:

EventCode=”624″ | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Modified_Account | rename host as DomainController | rename New_Domain as New_Account_Domain

Computer Accounts deleted:

EventCode=”647″ | fields Caller_User_Name, Target_Domain, Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Computer | rename host as DomainController | rename Target_Domain as Removed_Domain

Computer Accounts created:

EventCode=”645″ | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename New_Account_Name as New_Computer | rename host as DomainController | rename New_Domain as Joined_Domain

FourSquare – Why would you use this?

I don’t understand the need for people to share all their information with everyone.  This software will let you let the world know where you are.  Ok, great, but why?  There have been reports now that people are getting their houses/apartments broken in to when people see they are on vacation or away from their place.  This software has now generated a website call Please Rob Me (  This will list people that are no longer in their home location that you set in the application.

The searches below show how this can be used wrongly.

Want to know who goes to the Bank of America at E 4th Street in New York City?

or the Quiznos on Broadway and 12th in New York?

People have been complaining that “Big Brother” is always watching them and their privacy is being invaded.  How can this be when you share everything about your life online?