
All times are UTC + 10 hours




PostPosted: Sat May 03, 2014 1:35 am 
Newbie

Joined: Fri May 02, 2014 7:05 pm
Posts: 5
I've installed OA 1.2.1 and I'm trying to discover hosts on my network. I can successfully audit Linux hosts using SSH. However, I'm unable to audit Windows machines using WMI. If I try to Discover a Windows computer, I always get WMI Status: false.

I disabled Windows firewall on the client hosts, turned off UAC (not sure if required), checked that WMI is enabled (in the Control Panel under Computer Management) and that the user Administrator has remote access WMI permissions. Nothing helps. WMI status is still FALSE.

I'm able to run the audit manually by downloading and running the VBS script on the client host, but still cannot discover it and audit it from outside. I also tried to install winexe on the server and OA 1.3 for Windows on the Windows client host, but without success.

I'm trying to run the discovery using the following URL: [url]http://IP/open-audit[/url] Then using the ADMIN -> Discover a Windows computer menu.

I'm not familiar with WMI at all, but I installed the WMI tools from Microsoft and checked the connection using the WMI Event Viewer. I can successfully connect, even if I don't know whether it's sufficient for OA.

Unfortunately, I haven't found any requirements for the Windows client host in the OA documentation, so I suppose this might be a problem with the client.


PostPosted: Tue May 13, 2014 10:35 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Copy audit_windows.vbs (from /usr/local/open-audit/other) to a Windows machine.
On that Windows machine, open a command prompt and cd into the directory of the script.
Run the script with
[code]cscript audit_windows.vbs strcomputer=REMOTE_PC_NAME submit_online=n create_file=y[/code]
Substitute REMOTE_PC_NAME with another Windows machine, NOT the machine you are currently using. You should get an XML file. If this doesn't work it's a client side (target PC) issue.

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.


PostPosted: Wed May 14, 2014 10:56 pm 
Newbie
Thanks for the tip.

I am able to audit the Windows PC from another Windows PC (i.e. remotely) the way you've described, i.e. by invoking:
[code]cscript audit_windows.vbs strcomputer=IPADDRESS struser=Administrator strpass=admin[/code]
This means that the client host settings are OK.

However, there's no audit_windows.sh script in the directory /usr/local/open-audit/other. Does it mean that the Linux installation of OpenAudit cannot audit Windows hosts? Or does it use Samba and/or WMI to run the audit on another type of system? In that case, how to run the audit from the Linux host? (I'm still getting WMI status: false). Is there any command to run the audit of a Windows host remotely from a Linux host?


PostPosted: Thu May 15, 2014 1:18 am 
Newbie
And one more question. Can I audit a target Windows host remotely when I supply the credentials of a non-admin user to this target host? I'm able to audit as admin, but unable as regular user (firewall enables WMI, WMI is turned on completely for authorized users, I also tried to turn off UAC even if this is not needed for admins). I'm still getting the following error code as regular non-admin user:
[code]
Problem authenticating (1) ...
Error Number:424
Error Description:Object required
[/code]
The documentation How to audit a subnet using a script says:
For this reason you should run the first script (audit_subnet_window.vbs) as a user with local admin on the target systems.

The scenario could be to audit all IPs on a network by running the following cscript command on one Windows client (scanner) for each IP regularly and thus store the results on the Linux OpenAudit server (by passing the url= parameter).
[code]
cscript audit_windows.vbs strcomputer=IPADDRESS struser=Administrator strpass=admin url=http://audit/open-audit/index.php/system
[/code]


PostPosted: Thu May 15, 2014 8:55 pm 
Site Admin
[quote="lukas.baxa"]I am able to audit the Windows PC from another Windows PC[/quote]

Sounds like your Windows machines should be fine. I'm more concerned by the wmi_status = false. Unless that is true, the Open-AudIT server won't attempt to audit the Windows target machine. Can you email me your copy of /open-audit/code_igniter/application/controllers/discovery.php - you may need to rename it to .txt.

[quote="lukas.baxa"]However, there's no audit_windows.sh script in the directory /usr/local/open-audit/other. Does it mean that the Linux installation of OpenAudit cannot audit Windows hosts?[/quote]
No, the audit_windows.vbs script is copied to the target Windows machine and a process is then started on that machine to run the script.

[quote="lukas.baxa"]Is there any command to run the audit of a Windows host remotely from a Linux host?[/quote]
Have a look at /open-audit/code_igniter/application/controllers/discovery.php
You will need to copy the script to the target machine, then execute it using winexe.

[quote="lukas.baxa"]Can I audit a target Windows host remotely when I supply the credentials of a non-admin user[/quote]
Short answer - no. You need admin rights on the target systems. This is required for both copying the audit_windows.vbs script to $admin share and when the script is run, certain functions within it require admin as well.

There should be no real need now to manually use the scripts. Discovery should "just work" and do all the right things for you. Obviously the wmi_status = false is the issue. Get that fixed and you should be fine.

PostPosted: Fri May 16, 2014 12:25 am 
Newbie
Thanks for the answers and explanation. It helped me to focus in the right direction. The WMI status is true now when running a Windows machine discovery from a Linux OpenAudit server. The problem was neither on the client machine nor on the server, it was on our company firewall (the two machines are in different networks).

I checked the PHP code in discovery.php and I'm able to run a Windows host audit from the Linux command-line (using smbclient and winexe). However, when I run it from the PHP application, no audit is run, just the basic discovery with a limited amount of information. I'm using ADMIN -> Discovery -> Discover a Windows computer. Should the discovery run full audit as well? If discovery.php is used, then it probably should... Or should I try to discover full subnet to get this functionality? I see the smbclient and winexe commands are invoked in the discovery::process_subnet method.


PostPosted: Sat May 17, 2014 1:01 am 
Newbie
I've checked the code in discovery.php and I found out that it is necessary to enter also the Windows domain, not only username and password, whichever it is. Otherwise the audit doesn't run. Just the discovery.

It's working now. Thanks for help.
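
A preflight check for the two causes found in this thread (a firewall between the two networks, and a missing Windows domain), added here as an example; it is not part of the original posts and not Open-AudIT code. It assumes bash, timeout and smbclient on the Linux server; the function names and the AUDIT_PASS variable are hypothetical, and ports 135 and 445 are the standard RPC endpoint mapper and SMB ports rather than values from the thread.

```shell
#!/bin/sh
# Added example (not Open-AudIT code). Function names are hypothetical.

# Write a Samba-style authentication file and print its path.
# mktemp creates it with mode 0600, so the password stays out of the
# process list, unlike strpass=... or user%pass on a command line.
# Refuses an empty domain: per the thread, the audit is skipped without one.
write_auth_file() {
    domain=$1 user=$2 pass=$3
    if [ -z "$domain" ] || [ -z "$user" ] || [ -z "$pass" ]; then
        echo "domain, user and password are all required" >&2
        return 1
    fi
    f=$(mktemp) || return 1
    printf 'username = %s\npassword = %s\ndomain = %s\n' \
        "$user" "$pass" "$domain" > "$f"
    echo "$f"
}

# TCP connect test with a 3-second limit (uses bash's /dev/tcp).
port_open() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Usage: preflight HOST DOMAIN USER   (password is read from $AUDIT_PASS)
preflight() {
    host=$1 rc=0
    # 135 = RPC endpoint mapper (WMI/DCOM), 445 = SMB (smbclient, winexe).
    # WMI also needs dynamic RPC ports, so 135 is necessary, not sufficient.
    for port in 135 445; do
        if port_open "$host" "$port"; then
            echo "tcp/$port reachable"
        else
            echo "tcp/$port blocked or closed: check firewalls on the path"
            rc=1
        fi
    done
    auth=$(write_auth_file "$2" "$3" "${AUDIT_PASS:-}") || return 1
    # Admin share access is needed to copy audit_windows.vbs to the target.
    smbclient -A "$auth" "//$host/ADMIN\$" -c 'ls' >/dev/null 2>&1 \
        && echo "admin share login OK" \
        || { echo "admin share login failed"; rc=1; }
    rm -f "$auth"
    return "$rc"
}

if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

Run it from the Open-AudIT server as `AUDIT_PASS=... sh preflight.sh HOST DOMAIN USER`; a non-zero exit means one of the checks failed.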


PostPosted: Sat May 17, 2014 7:27 am 
Site Admin
Yes, Windows Domain is just as important as user and password - otherwise Windows auth just won't work :-)
Great to hear everything works as it should.
