Open-AudIT

What's on your network?

All times are UTC + 10 hours

Posted: Sat Jun 03, 2017 2:14 am
Newbie (Joined: Fri Jan 09, 2015 3:34 am, Posts: 14)

Hello,

When I manually upload the script to a computer and run it, it returns everything I would expect: software info, hardware info, etc.

When I run it from the web page discovery, it has the computer name and most of the Device Details, but the left-hand side only has SUMMARY and SETTINGS. Missing are HARDWARE and SOFTWARE.

I am not sure where to look to see why this is happening.

Any ideas where to start?

Thanks,
Danno


Posted: Sat Jun 03, 2017 6:40 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am, Posts: 1254)

Check the Debug box on the Discover a device page and parse through the debug output looking for a problem?

I don't use the web page discovery method myself.


Posted: Tue Jun 06, 2017 1:54 am
Newbie (Joined: Fri Jan 09, 2015 3:34 am, Posts: 14)

This seems to be the only error in the log:

DEBUG - Windows Copy Command: smbclient \\\\10.42.235.41\\\admin$ -U "domainname\userwithadminrights%******" -c "put /usr/local/open-audit/other/scripts/audit_windows_17_06_05_10_49_56.vbs audit_windows.vbs 2>&1"
LOG - Linux attempt (1) to copy file to 10.42.235.41 succeeded in wmi_helper::copy_to_windows

A PHP Error was encountered
Severity: Notice
Message: Undefined offset: 1
Filename: helpers/wmi_helper.php
Line Number: 173

DEBUG - Command Executed: screen -D -m timeout 5m /usr/local/open-audit/other/winexe-static -U /domainname\userwithadminrights%****** --uninstall //10.42.235.41 "cscript c:\windows\audit_windows.vbs submit_online=y create_file=n strcomputer=. url=http://10.42.233.16/open-audit/index.php/system/add_system debugging=3 system_id=6 last_seen_by=audit_wmi"
DEBUG - Result: success


Posted: Tue Jun 06, 2017 8:36 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am, Posts: 1254)

From the error message it looks like OpenAudit is expecting the username for the credential it uses to connect to the target system to be of the form username@domain. What format do you have for the username in Admin->Credentials->List Credentials?


Posted: Wed Jun 07, 2017 12:12 am
Newbie (Joined: Fri Jan 09, 2015 3:34 am, Posts: 14)

Yeah, I caught that as well after I looked at the logs some more. And I did have my credentials in as domainname\username. But I have tried other combinations of username@domainname and can't get it to authenticate. I will mess with it some more today and see if I can come up with anything. If I can't, I will post a new log.

Thanks for your help!
Danno


Posted: Wed Jun 07, 2017 2:16 am
Newbie (Joined: Fri Jan 09, 2015 3:34 am, Posts: 14)

I finally tracked it down to our anti-virus. Even though I whitelisted the hash of that file, it still blocked the script from running. I can whitelist that location, but it looks like it copies it to C:\windows and then runs it.

Is there any way to force it to copy that script somewhere else? I hate to whitelist scripts running in all of c:\windows.

Does it have the capability to possibly create a folder on C: and then copy into that folder? It would be great if I could just make a random folder name up, something like C:\openaudittrail.

Then have it copy the vbs into that folder and run from there.

I would feel more comfortable whitelisting a non-standard named folder like openaudittrail.

Thanks!
Danno


Posted: Wed Jun 07, 2017 2:37 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am, Posts: 1254)

It does not have that capability right now. You could probably make it happen by editing functions in discovery.php. Too much hassle, I'd say.

OpenAudit is executing "cscript <auditscript name>.vbs" to run the script. Thus the failure of whitelisting the script hash. Can you whitelist cscript.exe to run?


Posted: Wed Jun 07, 2017 6:38 am
Newbie (Joined: Fri Jan 09, 2015 3:34 am, Posts: 14)

I can whitelist cscript, but the logs of my antivirus aren't showing it block that. It is very tight script control and is actually blocking the script. I have some workarounds that I can implement, but for the long term, I'd really like to find a way to create a folder name of my choice to run the script from.

I have tried a few things with discovery.php but it still puts the file into C:\windows (I basically changed every instance of C:\Windows to C:\dannotest). It didn't break anything but still put and ran the file from c:\Windows. You are probably right... too much hassle... but I still want to try.

Any other ideas where it might be telling smb to put that file?


Posted: Wed Jun 07, 2017 7:52 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am, Posts: 1254)

Without having tested this myself, one thing you could try...

Edit the $destination variable in discovery.php at line 1318.
Code:
$destination = 'audit_windows.vbs';
to
Code:
$destination = 'temp\\audit_windows.vbs';


Edit the $command at line 1360 to something like
Code:
$command = "cscript c:\\windows\\temp\\audit_windows.vbs submit_online=y create_file=n strcomputer=. url=".$url."index.php/system/add_system debugging=" . $debugging . " system_id=".$details->id." last_seen_by=audit_wmi";


I used "temp" in "C:\Windows" because the folder must already exist for smbclient to copy the file over successfully. Whitelist the "c:\windows\temp" folder or whatever existing folder or path you choose instead.

It doesn't look like OpenAudit removes the script from the target system after doing the audit.

All the code is available so you could have OpenAudit create the target folder in C:\Windows before copying over the audit script and then remove it after.


Posted: Fri Jun 09, 2017 12:45 am
Newbie (Joined: Fri Jan 09, 2015 3:34 am, Posts: 14)

That worked perfectly. Now I am trying to figure out how to do the same with discover_domain.vbs.

I have made a few changes but it is still copying to Windows or getting an error.

I am trying to send it to c:\Windows\Logs

That allows me to ONLY whitelist "logs" for vb scripts. Still pretty secure.


Posted: Fri Jun 09, 2017 12:59 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am, Posts: 1254)

Have you already tried something like this and it failed?

discovery.php line 380
Code:
$command_string = "smbclient \\\\\\\\".$_POST['server']."\\\\admin$ -U \"".$_POST['windows_domain']."\\".$_POST['windows_username']."%".$_POST['windows_password']."\" -c \"put $filepath/discover_domain.vbs logs/discover_domain.vbs\" 2>&1";


discovery.php line 404
Code:
$command_string = "smbclient \\\\\\\\".$_POST['server']."\\\\admin$ -U \"".$_POST['windows_domain']."\\".$_POST['windows_username']."%".$_POST['windows_password']."\" -c \"put $filepath/audit_windows.vbs logs/audit_windows.vbs\" 2>&1";


discovery.php line 428
Code:
$command_string = "screen -D -m timeout 5m /usr/local/open-audit/other/winexe-static -U ".$_POST['windows_domain']."/".$_POST['windows_username']."%".$_POST['windows_password']." --uninstall //".$_POST['server']." \"cscript //nologo c:\windows\logs\discover_domain.vbs local_domain=LDAP://".$_POST['windows_domain']." number_of_audits=".$_POST['number_of_audits']." script_name=c:\windows\logs\audit_windows.vbs url=".$url." limit=".$limit." debugging=0 struser=".$_POST['windows_domain']."\\".$_POST['windows_username']." strpass=".$_POST['windows_password']." \" ";
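The two sets of edits above (the $destination/$command change for audit_windows.vbs, and the three $command_string changes for discover_domain.vbs) hard-code the folder name into each command. As an added example that is not Open-AudIT code, the PHP below generates the copy, run and cleanup commands from one configurable folder name instead; the function names, the subfolder parameter and the sample host, credential and URL are assumptions, while the tool paths and argument formats follow the commands shown in this thread. It also covers the credential-format problem from earlier in the thread: the splitter accepts both DOMAIN\user and user@DOMAIN and returns null for anything else rather than reading a missing array element. Unlike the lines above, every value is passed through escapeshellarg(), so a password containing quotes, spaces or $ cannot change the shell command that is run.

```php
<?php
// Added example, not Open-AudIT project code. Function names, the $subfolder
// parameter and the sample values at the bottom are assumptions; the tool
// paths and argument formats follow the commands shown in the thread.

// Split "DOMAIN\user" or "user@DOMAIN" into parts. Returns null when neither
// separator is present rather than reading a missing array element (the
// "Undefined offset: 1" notice quoted earlier in the thread).
function split_windows_credential(string $username): ?array
{
    if (strpos($username, '\\') !== false) {
        list($domain, $user) = explode('\\', $username, 2);
    } elseif (strpos($username, '@') !== false) {
        list($user, $domain) = explode('@', $username, 2);
    } else {
        return null;
    }
    return ($domain === '' || $user === '') ? null : ['domain' => $domain, 'user' => $user];
}

// Accept only a plain folder name: no path separators, dots or shell
// metacharacters, so a configured value cannot leave admin$ (C:\Windows)
// or alter the command string. The folder must already exist on the target.
function valid_subfolder(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name);
}

// One smbclient invocation against the admin$ share. escapeshellarg() turns
// each value into a single quoted shell argument; smbclient accepts the
// //server/share form as well as the \\server\share form used in the thread.
function smbclient_command(string $server, array $cred, string $password, string $subcommand): string
{
    $auth = $cred['domain'] . '\\' . $cred['user'] . '%' . $password;
    return 'smbclient ' . escapeshellarg('//' . $server . '/admin$')
         . ' -U ' . escapeshellarg($auth)
         . ' -c ' . escapeshellarg($subcommand) . ' 2>&1';
}

// Copy the audit script into C:\Windows\<subfolder>.
function build_copy_command(string $server, array $cred, string $password,
                            string $local_script, string $subfolder): string
{
    if (!valid_subfolder($subfolder)) {
        throw new InvalidArgumentException('subfolder must be a plain folder name');
    }
    $remote = $subfolder . '/' . basename($local_script);
    return smbclient_command($server, $cred, $password, 'put ' . $local_script . ' ' . $remote);
}

// Delete the script afterwards; the thread notes Open-AudIT leaves it behind.
function build_cleanup_command(string $server, array $cred, string $password,
                               string $script_name, string $subfolder): string
{
    if (!valid_subfolder($subfolder)) {
        throw new InvalidArgumentException('subfolder must be a plain folder name');
    }
    return smbclient_command($server, $cred, $password, 'del ' . $subfolder . '/' . $script_name);
}

// Run the script from the same folder via winexe, with the cscript command
// line quoted as one argument. winexe takes the credential as DOMAIN/user.
function build_run_command(string $server, array $cred, string $password,
                           string $script_name, string $subfolder, string $url, int $system_id): string
{
    if (!valid_subfolder($subfolder)) {
        throw new InvalidArgumentException('subfolder must be a plain folder name');
    }
    $auth   = $cred['domain'] . '/' . $cred['user'] . '%' . $password;
    $script = 'c:\\windows\\' . $subfolder . '\\' . $script_name;
    $remote = 'cscript //nologo ' . $script
            . ' submit_online=y create_file=n strcomputer=. url=' . $url . 'index.php/system/add_system'
            . ' debugging=0 system_id=' . $system_id . ' last_seen_by=audit_wmi';
    return 'timeout 5m /usr/local/open-audit/other/winexe-static'
         . ' -U ' . escapeshellarg($auth)
         . ' --uninstall ' . escapeshellarg('//' . $server) . ' '
         . escapeshellarg($remote);
}

// Constructed sample values (no real host or credential).
$cred = split_windows_credential('EXAMPLEDOM\\auditsvc');
if ($cred === null) {
    fwrite(STDERR, "credential must be DOMAIN\\user or user@DOMAIN\n");
    exit(1);
}
$server = '192.0.2.10';
$local  = '/usr/local/open-audit/other/scripts/audit_windows.vbs';
echo build_copy_command($server, $cred, 'example-password', $local, 'logs'), "\n";
echo build_run_command($server, $cred, 'example-password', 'audit_windows.vbs', 'logs',
                       'http://192.0.2.1/open-audit/', 6), "\n";
echo build_cleanup_command($server, $cred, 'example-password', 'audit_windows.vbs', 'logs'), "\n";
```

The folder check is what keeps the whitelist narrow: only a bare name under C:\Windows is accepted, so the AV exception stays limited to that one directory. As in the thread's own commands, the password is still passed on the smbclient and winexe command lines, so it is visible in the process list on the Open-AudIT server while the command runs; the debug log masks it with ******, but the running process does not.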


Posted: Fri Jun 09, 2017 6:18 am
Newbie (Joined: Fri Jan 09, 2015 3:34 am, Posts: 14)

That did the trick. You have no idea how much this helped me! Thank you so much for your valuable time.

I think this would be a great added feature IMO.


Danno


Posted: Fri Jun 09, 2017 6:40 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am, Posts: 1254)

Great. I don't know how likely it is that this would become a feature. I suspect not very.

Watch out when upgrading to the next version (which is not out yet). The locations for the edits have changed (i.e. different files).


Posted: Thu Jun 15, 2017 8:34 am
Site Admin (Joined: Mon Jun 07, 2004 11:48 am, Posts: 1944, Location: Brisbane, Australia)

I'll add this to our ticket list as a new feature.
We already do this for Linux audit scripts, so why not Windows as well?
:-)

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.

