Open-AudIT

Posted: Fri Jun 27, 2008 3:38 am
Newbie

Joined: Fri Jun 27, 2008 3:22 am
Posts: 25
Hello,

Just installed OpenAudit on a Win2k3 server; domain auditing with audit.vbs works very nicely.
Now I tried to scan my network with nmap.vbs, which seems to work fine too (nmap and winpcap are installed).

My question now is:

Does nmap add to the OpenAudit-Database, too?
For example it discovers the X.X.X.1 host as Cisco CatOS but I can't find that host in OA?

Did I miss anything?

If the test works fine we'd like to use OA with around 20 different subnets, can you recommend a solution to do this?
How to scan multiple subnets and audit them then?

Which ports do audit.vbs and nmap.vbs need? Only 135/TCP?


Regards,
Hype

_________________
OS: Windows Server 2003
Auditing: ~ 800 Clients, ~ 900 Servers
Multiple Subnets, multiple Domains, all the OA databases get merged every night by several scripts and tasks.


Posted: Fri Jun 27, 2008 9:50 pm
Newbie

Joined: Fri Jun 27, 2008 3:22 am
Posts: 25
Can anyone give me a hint please?

I can't get nmap to write in my database, it opens IE and saves it but the DB stays empty.
What's the problem?


---

Just tried winventory 0.9 nmap.vbs and it works, it correctly writes switches/routers to the DB.
But I can't get it to work with OpenAudit :(

_________________
OS: Windows Server 2003
Auditing: ~ 800 Clients, ~ 900 Servers
Multiple Subnets, multiple Domains, all the OA databases get merged every night by several scripts and tasks.


Posted: Sat Jun 28, 2008 8:24 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Sounds like a config issue. Can you post the audit.config? Note also that the config must live in the same folder as nmap.vbs or it won't be picked up.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Posted: Thu Jul 03, 2008 5:15 pm
Newbie

Joined: Fri Jun 27, 2008 3:22 am
Posts: 25
[code]
audit_location = "l"
verbose = "n"
online = "yesxml"
strComputer = ""
ie_visible = "y"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = "http://<correctpath>/admin_pc_add_1.php"
non_ie_page = "http://<correctpath>/admin_pc_add_2.php"
input_file = ""
email_to = ""
email_from = ""
email_server = ""
audit_local_domain = "y"
local_domain = "LDAP://<domain>"
hfnet = "n"
Count = 0
number_of_audits = 20
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "mac"
'
' Nmap section
'
nmap_subnet = "192.168.XXX." ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.XXX." ' The subnet padded with 0's
nmap_ie_form_page = "http://<correctpath>/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 2
[/code]

_________________
OS: Windows Server 2003
Auditing: ~ 800 Clients, ~ 900 Servers
Multiple Subnets, multiple Domains, all the OA databases get merged every night by several scripts and tasks.


Posted: Tue Jul 08, 2008 11:43 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
[code]
nmap_subnet = "192.168.XXX." ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.XXX." ' The subnet padded with 0's
nmap_ie_form_page = "http://<correctpath>/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 2
[/code]

Do you only want to scan the first two IP addresses?

Try this..

[code]
nmap_subnet = "192.168.XXX." ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.XXX." ' The subnet padded with 0's
nmap_ie_form_page = "http://<correctpath>/admin_nmap_input.php"
nmap_ie_visible = "y"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 255
[/code]

I have....
[code]
'
' Nmap section
'
nmap_tmp_cleanup = true ' Set this false if you want to leave the tmp files for analysis in your tmp folder
nmap_subnet = "192.168.00." ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.000." ' The subnet padded with 0's
nmap_ie_form_page = audit_host + "/openaudit/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
nmap_syn_scan = "n" ' Tcp Syn scan
nmap_udp_scan = "n" ' UDP scan
nmap_srv_ver_scan = "n" ' Service version detection.
nmap_srv_ver_int = 0 ' Service version detection intensity level. Values 0-9, 0=fast
[/code]

.. using the latest SVN version.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Posted: Sat Jul 12, 2008 5:05 am
Newbie

Joined: Sat Jul 12, 2008 3:42 am
Posts: 2
I think I am having the same issue as the original poster. I am running the latest SVN on a Windows 2003 SP2 box, IIS 6.0, 5.0.51b-community-nt MySQL Community Edition (GPL), PHP version 5.2.6, NMAP 4.68. My nmap scans appear to run, and even appear to post results, but there is nothing listed when I attempt to list discovered ports.

The audit.config file I am using is below:

[code]
audit_location = "l"
verbose = "y"
audit_host="http://<server name>"
online = "yesxml"
'online = "n"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = "http://<server name>/admin_pc_add_1.php"
non_ie_page = "http://<server name>/admin_pc_add_2.php"
input_file = ""
'
email_to = "<my email address>"
email_from = "Open-AudIT@<my company>.com"
'email_sender = "My Name"
email_server = "smtprelay.<my company>.com" ' IP address or FQDN
email_port = "25" ' The SMTP port
email_auth = "0" ' 0 = Anonymous, 1 = Clear-text Authentication, 2 = NTLM
email_user_id = "myemail@mydomain.com" ' A valid Email account in user@domain format
email_user_pwd = "Password" ' The SMTP email password
email_use_ssl = "false" ' True/False
email_timeout = "60" ' In seconds
'
audit_local_domain = "y"
'domain_type = "ldap"
local_domain = "LDAP://<my company>.com"
hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"


nmap_subnet = "161.36.90."
nmap_subnet_formatted = "161.36.090."
'nmap_ie_form_page = "http://<server name>/admin_nmap_input.php"
nmap_ie_visible = "y"
nmap_ie_auto_close = "n"
nmap_ip_start = 70
nmap_ip_end = 73
nmap_tmp_cleanup = false
keep_audit_log = "y"
nmap_ie_form_page = audit_host + "/admin_nmap_input.php"
nmap_syn_scan = "n" ' Tcp Syn scan
nmap_udp_scan = "n" ' UDP scan
nmap_srv_ver_scan = "n" ' Service version detection.
nmap_srv_ver_int = 0 ' Service version detection intensity level. Values 0-9, 0=fast
[/code]


Posted: Fri Aug 08, 2008 6:04 pm
Newbie

Joined: Fri Jun 27, 2008 3:22 am
Posts: 25
Still doesn't work, no one got an idea?

_________________
OS: Windows Server 2003
Auditing: ~ 800 Clients, ~ 900 Servers
Multiple Subnets, multiple Domains, all the OA databases get merged every night by several scripts and tasks.


Posted: Fri Aug 08, 2008 10:34 pm
Newbie

Joined: Fri Jun 27, 2008 3:22 am
Posts: 25
The problem was that I tried to scan subnets other than the one the scanning server is in.
That doesn't work due to technical restrictions.
If I scan a host in the same subnet it works.

I've rewritten the admin_nmap_input.php script so it inserts hosts even if they don't have a mac.

_________________
OS: Windows Server 2003
Auditing: ~ 800 Clients, ~ 900 Servers
Multiple Subnets, multiple Domains, all the OA databases get merged every night by several scripts and tasks.


Posted: Sat Aug 09, 2008 8:55 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
[quote="hype"]The problem was that I tried to scan subnets other than the one the scanning server is in.
That doesn't work due to technical restrictions.
If I scan a host in the same subnet it works.

I've rewritten the admin_nmap_input.php script so it inserts hosts even if they don't have a mac.[/quote]

Can you post your changes, so I can see how it works. :D

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Posted: Mon Aug 11, 2008 4:22 pm
Newbie

Joined: Fri Jun 27, 2008 3:22 am
Posts: 25
Well, it's not really good, as it simply inserts anything where nmap finds an OS.
We got a subnet with only 2 active hosts, but nmap seems to find 254 Windows 2003 Servers, so that sucks a bit ;-)
So I think we'll only scan specific IPs.
I'll have a look at it again and post it here then.

_________________
OS: Windows Server 2003
Auditing: ~ 800 Clients, ~ 900 Servers
Multiple Subnets, multiple Domains, all the OA databases get merged every night by several scripts and tasks.


Posted: Wed Jan 07, 2009 5:02 am
Newbie

Joined: Thu Jul 26, 2007 9:30 am
Posts: 7
Made a few changes to enter nmap ports if a MAC address is found.

Made a change to the scan so nmap scans using the -A switch for OS detection, as this returns a line

|_ NBSTAT: NetBIOS name: SERVER-NAME, NetBIOS MAC: 33:EE:CC:DD:EE:23

Search for this line and then for the MAC address.

Seems to be working but needs more testing.

audit.config change
admin_nmap_input.php change
nmap.vbs change

audit.config file changes

[code]nmap_ie_form_page = audit_host + "/audit/admin_nmap_input.php"[/code]
changed to
[code]nmap_ie_form_page = audit_host + "/audit/admin_nmap_input_nomac.php"[/code]


admin_nmap_input.php copied to admin_nmap_input_nomac.php
Original, around line 20
[code]
if (isset($_POST["submit"])){
    $input = $_POST['add'];
    $input = explode("\n", $input);
    foreach ($input as $split) {
        if (substr($split, 0, 12) == "MAC Address:") {
            // OK - we have a hit.
            $mac = substr($split,13,17);
            echo "Mac Address: " . $mac . "<br />";
            $temp = explode(")",substr($split, strpos($split, "(")+1));
            $manufacturer = $temp[0];
            echo "Manufacturer: " . $manufacturer . "<br />";
        }[/code]

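Added in
==================
[code]if (substr($split, 0, 25) == "|_ NBSTAT: NetBIOS name: ") {
    // OK - we have a hit.
    // strrchr() uses only the first character of its needle (the comma), so this
    // returns the line from its last comma onwards; the MAC starts 15 characters in.
    $nomac=strrchr($split,", NetBIOS MAC: ");
    $mac=substr($nomac,15,17);
}[/code]
===================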

around line 20

[code]if (isset($_POST["submit"])){
    $input = $_POST['add'];
    $input = explode("\n", $input);
    foreach ($input as $split) {
        if (substr($split, 0, 25) == "|_ NBSTAT: NetBIOS name: ") {
            // OK - we have a hit.
            $nomac=strrchr($split,", NetBIOS MAC: ");
            $mac=substr($nomac,15,17);
        }
        if (substr($split, 0, 12) == "MAC Address:") {
            // OK - we have a hit.
            $mac = substr($split,13,17);
            echo "Mac Address: " . $mac . "<br />";
            $temp = explode(")",substr($split, strpos($split, "(")+1));
            $manufacturer = $temp[0];
            echo "Manufacturer: " . $manufacturer . "<br />";
        }
[/code]


Also in admin_nmap_input_nomac.php

At line 255 changed
[code]echo "<form action=\"admin_nmap_input.php\" method=\"post\">\n";[/code]
to
[code]echo "<form action=\"admin_nmap_input_nomac.php\" method=\"post\">\n";[/code]



Changes to nmap.vbs
-A added to the basic command options
[code]nmap = "nmap.exe -sV -n -O -v " & sTempFile & " " & nmap_subnet[/code]
changed to
[code]nmap = "nmap.exe -A -sV -n -O -v " & sTempFile & " " & nmap_subnet[/code]




OA Server: Windows Server 2003 / WAMP
Auditing: 3500+ Workstations, 200+ Servers
OS's: Windows / Linux / VMWare
LDAP: Active Directory
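
The MAC extraction discussed in this thread, as an added example that is not code from any of the posts or from Open-AudIT: it accepts a MAC from either the "MAC Address:" line or the NBSTAT line quoted above, validates it, HTML-escapes everything it echoes, and skips a host with no usable MAC instead of inserting it. Function names and sample text are constructed; PHP 7.4 or later is assumed, and each call receives the nmap text for a single host.

```php
<?php
// Added example (not Open-AudIT code); names and sample text are constructed.
const MAC_RE = '/^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$/';

// Parse one host's nmap text output. Returns mac/source/manufacturer,
// or null when no well-formed MAC is present (the caller should skip the host).
function extract_mac(string $nmapText): ?array
{
    $fallback = null;
    foreach (preg_split('/\r\n|\r|\n/', $nmapText) as $line) {
        $line = trim($line);
        // Same-subnet hosts: "MAC Address: XX:XX:XX:XX:XX:XX (Vendor)"
        if (preg_match('/^MAC Address: (\S+)(?: \(([^)]*)\))?/', $line, $m)
            && preg_match(MAC_RE, strtoupper($m[1]))) {
            return ['mac' => strtoupper($m[1]), 'source' => 'mac-address-line',
                    'manufacturer' => $m[2] ?? ''];
        }
        // Fallback from the post above: the NBSTAT script line.
        if (preg_match('/^\|_ NBSTAT: NetBIOS name: .*, NetBIOS MAC: (\S+)/', $line, $m)) {
            $mac = strtoupper($m[1]);
            // An all-zero address cannot identify a host, so it is ignored.
            if (preg_match(MAC_RE, $mac) && $mac !== '00:00:00:00:00:00') {
                $fallback = ['mac' => $mac, 'source' => 'nbstat', 'manufacturer' => ''];
            }
        }
    }
    return $fallback;
}

// Escape everything that came from the POST body before echoing it.
function render_hit(array $hit): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return 'Mac Address: ' . $e($hit['mac']) . ' (' . $e($hit['source']) . ')<br />'
         . 'Manufacturer: ' . $e($hit['manufacturer']) . "<br />\n";
}

// Constructed samples: on-link host, routed host with NBSTAT, host with no MAC.
$samples = [
    "MAC Address: 00:0c:29:aa:bb:cc (Acme <b>Net</b>)\n",
    "|_ NBSTAT: NetBIOS name: SERVER-NAME, NetBIOS MAC: 33:EE:CC:DD:EE:23\n",
    "Running: Microsoft Windows 2003\n",
];
foreach ($samples as $text) {
    $hit = extract_mac($text);
    echo $hit === null ? "skipped: no verifiable MAC<br />\n" : render_hit($hit);
}
```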

