Open-AudIT
https://www.open-audit.org/phpBB3/

Current Windows audit script
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5864
Page 2 of 4

Author:  robert1234 [ Wed Feb 13, 2013 7:09 pm ]
Post subject:  Re: Current Windows Audit Script

Please tell me how to audit a Windows domain (Active Directory).
When I run the script, I get this error:
audit_domain_windows.vbs(135, 2) Active Directory: server does not work.
In config I have:
domain_array = array("LDAP://my_domain")

I did not find the settings for the Active Directory.

Thanks for reply

Author:  jpa [ Thu Feb 14, 2013 5:57 am ]
Post subject:  Re: Current Windows Audit Script

That should work. Make sure you've got the domain spelled correctly.

Author:  Mark [ Thu Feb 14, 2013 7:55 am ]
Post subject:  Re: Current Windows Audit Script

And make sure it's the full domain name, not the short one.
i.e. ldap://my_domain.com.au and not ldap://my_domain

Author:  Mark [ Tue Feb 26, 2013 4:23 pm ]
Post subject:  Re: Current Windows audit script

Bump - v13 released.

Author:  4077 [ Tue Feb 26, 2013 6:14 pm ]
Post subject:  Re: Current Windows audit script

You have set debugging to "3" by mistake.

Author:  Mark [ Tue Feb 26, 2013 6:31 pm ]
Post subject:  Re: Current Windows audit script

No mistake - debugging to MAXIMUM!!!
Turn it down to 2, 1 or 0 if you like :lol:

Author:  4077 [ Tue Feb 26, 2013 7:00 pm ]
Post subject:  Re: Current Windows audit script

Then - of course - my mistake! :lol:
I took your debugging level entries above as the only allowed values.

Author:  Mark [ Tue Feb 26, 2013 7:14 pm ]
Post subject:  Re: Current Windows audit script

Well, that's probably how it _should_ be!
I should really audit the audit script!
0, 1, 2 are all valid and I think there are a few "if debugging > 2" spots in there, too...

Author:  jpa [ Wed Feb 27, 2013 6:48 am ]
Post subject:  Re: Current Windows audit script

I totally missed the point of this earlier post by tekkie330 on the updates required for decoding modern Windows keys. Here's v13 attached with updates to hopefully get Windows and Office keys decoded correctly.

However, I'm not sure I've done it the best way and I don't have the greatest test environment because we use Volume License a lot. Basically I took the new decode method that handles Win8 and added in the new Office decode changes. Seems to work in my testing and actually gets the correct Win8 keys which the original v13 does not.

I also added in the Office 2013 decode stuff which is missing in v13. But I don't have Office 2013 installed to test. I'll try to get a VM with Office 2013 to test in but it might take a while.

I also think that the current code will miss Office 20XX 64bit installed on 64bit machines when audited from a 32bit machine. I haven't tested this to check my thinking is correct.

Author:  jpa [ Wed Feb 27, 2013 8:53 am ]
Post subject:  Re: Current Windows audit script

And I messed it up at the last second with a stupid cut-n-paste typo that breaks all Office and Win key decoding.

In v15 change line 6776 from
Code:
if (isarray(rpk)) then
to
Code:
if (isarray(Key)) then

Author:  Mark [ Wed Feb 27, 2013 6:22 pm ]
Post subject:  Re: Current Windows audit script

Fixed. v16 uploaded :lol:

Author:  jpa [ Sat Mar 02, 2013 3:24 am ]
Post subject:  Re: Current Windows audit script

v15 and v16 are identical so my stupid bug isn't fixed yet.

And the Registration Key for Office 64bit installed on Windows 64bit is not audited when using the 32bit SysWOW6432\cscript. So no key decode in your future use case of automatically running the downloaded script on Win64 using 32bit IE.

I could fix this if you want to support that case.
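
As an added example (not code from the audit script or from jpa), the technique below reads a registry value from a chosen view regardless of whether the host cscript.exe is 32-bit or 64-bit: it passes a WMI context with `__ProviderArchitecture` to StdRegProv instead of relying on the host's default, which is what silently redirects HKLM\Software to Wow6432Node under the SysWOW64 cscript. It reads `ProgramFilesDir`, which exists in both views and differs between them, so the two outputs show the redirection directly.

```vbscript
' Added example, not part of audit_windows.vbs.
' Reads the same value from the 32-bit and the 64-bit registry view, even when
' run by the 32-bit cscript.exe under SysWOW64 (where plain HKLM\Software
' reads land in Wow6432Node and a 64-bit Office key would be missed).
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002

Function ReadRegString(bitness, keyPath, valueName)
    Dim locator, ctx, svc, reg, inParams, outParams
    ' Ask WMI for the 32- or 64-bit provider explicitly (bitness = 32 or 64)
    Set ctx = CreateObject("WbemScripting.SWbemNamedValueSet")
    ctx.Add "__ProviderArchitecture", bitness
    ctx.Add "__RequiredArchitecture", True
    Set locator = CreateObject("WbemScripting.SWbemLocator")
    Set svc = locator.ConnectServer(".", "root\default", "", "", "", "", 0, ctx)
    Set reg = svc.Get("StdRegProv")
    Set inParams = reg.Methods_("GetStringValue").InParameters.SpawnInstance_
    inParams.hDefKey = HKEY_LOCAL_MACHINE
    inParams.sSubKeyName = keyPath
    inParams.sValueName = valueName
    ' The context must be passed again on the method call itself
    Set outParams = reg.ExecMethod_("GetStringValue", inParams, , ctx)
    If outParams.ReturnValue = 0 Then
        ReadRegString = outParams.sValue
    Else
        ReadRegString = Null   ' key or value absent in that view
    End If
End Function

' ProgramFilesDir differs per view: "C:\Program Files" (64-bit) vs
' "C:\Program Files (x86)" (32-bit) on a 64-bit Windows.
Dim bits, v
For Each bits In Array(32, 64)
    v = ReadRegString(bits, "SOFTWARE\Microsoft\Windows\CurrentVersion", "ProgramFilesDir")
    If IsNull(v) Then
        WScript.Echo bits & "-bit view: not found"
    Else
        WScript.Echo bits & "-bit view: " & v
    End If
Next
```

Run it once with `C:\Windows\System32\cscript.exe` and once with `C:\Windows\SysWOW64\cscript.exe`; both runs print the same two lines, which is the point.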

Author:  Mark [ Wed Mar 06, 2013 11:04 am ]
Post subject:  Re: Current Windows audit script

jpa wrote:
v15 and v16 are identical so my stupid bug isn't fixed yet.
Uploaded v17 to fix my mis-fix!
jpa wrote:
And the Registration Key for Office 64bit installed on Windows 64bit is not audited when using the 32bit SysWOW6432\cscript. So no key decode in your future use case of automatically running the downloaded script on Win64 using 32bit IE. I could fix this if you want to support that case.
Please do and send it to me.

Author:  losh [ Wed Mar 06, 2013 7:36 pm ]
Post subject:  Re: Current Windows audit script

Hello,

I use the current audit script (audit_windows_v17.vbs) on Win7 32bit and 64bit.
It works fine except for one thing: when running the audit it always "removes" the org_id set on the audit server.
Am I the only one facing this problem? How can I fix it?

Thanks in advance

Author:  Franck [ Wed Mar 06, 2013 8:29 pm ]
Post subject:  Re: Current Windows audit script

Hi,
With v17, OS Family for W7 & 8 doesn't appear; JPA solved the problem by using this:

function os_family(os)
    ' Replace the non-breaking space (chr(160)) found in some Win7/8 caption
    ' strings with a normal space so the InStr matches below succeed
    os = replace(os, chr(160), " ")
    ' Each match overrides the previous one, so ordering matters
    if InStr(os, " 95") then os_family = "Windows 95"
    if InStr(os, " 98") then os_family = "Windows 98"
    if InStr(os, " NT") then os_family = "Windows NT"
    if InStr(os, "2000") then os_family = "Windows 2000"
    if InStr(os, " XP") then os_family = "Windows XP"
    if InStr(os, "2003") then os_family = "Windows 2003"
    if InStr(os, "Vista") then os_family = "Windows Vista"
    if InStr(os, "2008") then os_family = "Windows 2008"
    if InStr(os, "Windows 7") then os_family = "Windows 7"
    if InStr(os, "Windows 8") then os_family = "Windows 8"
    if InStr(os, "2012") then os_family = "Windows 2012"
end function

Also TeamViewer client IDs don't work; the strKeyPath seems to be wrong, but with a good one I have the same result :(

''''''''''''''''''''''''''''''''
' TeamViewer 5 - 8 (Client ID)
''''''''''''''''''''''''''''''''
' The eight per-version blocks folded into one loop over the version number
' and both registry roots (native and Wow6432Node); the wrapped "&" lines of
' the original are joined back into single statements.
' oReg, result, escape_xml and HKEY_LOCAL_MACHINE come from the audit script.
dim tv_version, tv_root, tv_roots
tv_roots = array("Software\", "Software\Wow6432Node\")
for tv_version = 5 to 8
    for each tv_root in tv_roots
        strKeyPath = tv_root & "TeamViewer\Version" & tv_version
        key_name = "TeamViewer " & tv_version
        key_edition = ""
        key_release = cstr(tv_version)
        key_text = ""
        ' ClientID is stored as a REG_DWORD, so GetStringValue returns Null for
        ' it; read it as a DWORD first and keep the string read as a fallback.
        subKey = "ClientID"
        oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, subKey, key_text
        if IsNull(key_text) then oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, subKey, key_text
        if not IsNull(key_text) then
            subKey = "LicenseVersion"
            oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, subKey, key_release
            result.WriteText " <key>" & vbcrlf
            result.WriteText " <key_name>" & escape_xml(key_name) & "</key_name>" & vbcrlf
            result.WriteText " <key_text>" & escape_xml(key_text) & "</key_text>" & vbcrlf
            result.WriteText " <key_release>" & escape_xml(key_release) & "</key_release>" & vbcrlf
            result.WriteText " <key_edition>" & escape_xml(key_edition) & "</key_edition>" & vbcrlf
            result.WriteText " </key>" & vbcrlf
            key_text = ""
            key_release = ""
            key_edition = ""
        end if
    next
next


Thanks!

All times are UTC + 10 hours