Open-AudIT
https://www.open-audit.org/phpBB3/

Execution of audit_windows.vbs fails at every Computer
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6663

Author:  Gwahlers [ Thu Feb 15, 2018 9:28 pm ]
Post subject:  Execution of audit_windows.vbs fails at every Computer

After discovery copied the audit_windows.vbs file to the target computer, the execution fails. There are no more log entries like those in the attachment. Are there any more ways to debug? Which command will be executed remotely so I can try and fix? I already read the documentation about problems with auditing computers.

From Domainserver to Domaincomputer on other subnet.

Attachments:
2018-02-15 11_58_52-Open-AudIT.jpg [ 179.21 KiB | Viewed 44459 times ]

Author:  Gwahlers [ Thu Feb 15, 2018 9:37 pm ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

I can execute the script via console manually. The audit will pass.

Attachments:
2018-02-15 12_35_22-mRemoteNG - rwggnb.xml - G20585OPENAUDIT.jpg [ 93.21 KiB | Viewed 44458 times ]

Author:  jpa [ Fri Feb 16, 2018 1:28 am ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

Set debugging=3 in the command line and see what the output looks like. Hopefully it's more instructive.

Author:  Gwahlers [ Fri Feb 16, 2018 2:27 am ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

[quote="jpa"]Set debugging=3 in the command line and see what the output looks like. Hopefully it's more instructive.[/quote]
The script works perfectly manually over the command line as you see in my second post. But not as a part of discover_subnets.vbs executed by Web-Frontend or called by cmd-File. If I put debugging=3 in my cmd-file as parameter for discover_subnets.vbs there is no more info shown.

Automatic discovery copies the file audit_windows.vbs in the admin$-Directory of the target computer. But there is no successful execution. I can manually execute the file by commandline with the same command shown up in discovery_log.

Author:  jpa [ Fri Feb 16, 2018 4:07 am ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

In your original log screenshot did you blank out the password because the password was there or did you blank out a bunch of ********? The log should not show your password but instead should show ********. Maybe a character in the password is not getting properly escaped by OpenAudit?

Author:  jpa [ Fri Feb 16, 2018 9:00 am ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

It looks like the logging could use a bit of work as the output in the screenshot is a bit confusing. include_input_discoveries.php around line 1048 could use some more "$log->file =" instances to make the output a bit better.

Another thing I noticed is that the code in the copy_to_windows function escapes double-quotes while the code in execute_windows does not.

Author:  Gwahlers [ Fri Feb 16, 2018 6:33 pm ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

[quote="jpa"]In your original log screenshot did you blank out the password because the password was there or did you blank out a bunch of ********? The log should not show your password but instead should show ********. Maybe a character in the password is not getting properly escaped by OpenAudit?[/quote]

You're right.

Attachments:
2018-02-16 09_31_54-Open-AudIT.jpg [ 29.56 KiB | Viewed 44438 times ]

Author:  Gwahlers [ Fri Feb 16, 2018 6:47 pm ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

Erm, okay. Is there anything I could do, or do I have to wait for further updates?

Author:  jpa [ Sat Feb 17, 2018 4:52 am ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

If your password has a double-quote in it this might fix your problem.

Edit code_igniter/application/helpers/wmi_helper.php and change line 217 from:
[code]
$command_string = 'c:\\xampplite\\open-audit\\other\\paexec.exe \\\\' . $ip . ' -u ' . $domain . $username . ' -p "' . $credentials->credentials->password . '" cmd /c "' . $command . '"';
[/code]

to:
[code]
$password = str_replace('"', '\"', $credentials->credentials->password);
$command_string = 'c:\\xampplite\\open-audit\\other\\paexec.exe \\\\' . $ip . ' -u ' . $domain . $username . ' -p "' . $password . '" cmd /c "' . $command . '"';
[/code]

I haven't tested this but it's a simple change so it should work.
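
Added example, not part of any post in this thread and not Open-AudIT code: the change proposed above escapes only double-quotes, and this PHP example goes one step further to show how a backslash next to a quote changes what the called program receives. It assumes the receiving program splits its command line with the Microsoft C runtime rules; quote_win_arg and parse_first_arg are hypothetical names, and the sample passwords are constructed.

```php
<?php
// Added example, not Open-AudIT code; function names are hypothetical.

// Quote one argument so that a program splitting its command line with the
// Microsoft C runtime rules (an assumption about the callee) recovers $arg.
function quote_win_arg(string $arg): string
{
    $out = '"';
    $bs = 0;                                  // pending run of backslashes
    for ($i = 0, $n = strlen($arg); $i < $n; $i++) {
        if ($arg[$i] === '\\') { $bs++; continue; }
        // Before a quote: double the run and add one to escape the quote.
        // Before anything else: backslashes are literal.
        $out .= str_repeat('\\', $arg[$i] === '"' ? 2 * $bs + 1 : $bs) . $arg[$i];
        $bs = 0;
    }
    // A trailing run sits before our closing quote, so it must be doubled.
    return $out . str_repeat('\\', 2 * $bs) . '"';
}

// Minimal decoder for the same rules (first argument only, no "" shorthand),
// used to show what the callee would actually receive.
function parse_first_arg(string $cmd): string
{
    $arg = ''; $quoted = false; $i = 0; $n = strlen($cmd);
    while ($i < $n) {
        $bs = 0;
        while ($i < $n && $cmd[$i] === '\\') { $bs++; $i++; }
        if ($i < $n && $cmd[$i] === '"') {
            $arg .= str_repeat('\\', intdiv($bs, 2));
            if ($bs % 2) { $arg .= '"'; } else { $quoted = !$quoted; }
            $i++;
            continue;
        }
        $arg .= str_repeat('\\', $bs);
        if ($i >= $n || (!$quoted && $cmd[$i] === ' ')) { break; }
        $arg .= $cmd[$i++];
    }
    return $arg;
}

// Constructed sample passwords, each followed by a further argument.
foreach (['abc', 'pa"ss', 'pass\\', 'pa\\"ss'] as $pw) {
    $naive = '"' . str_replace('"', '\"', $pw) . '"';   // quote-only escaping
    printf("%-8s naive=%-16s strict=%s\n", $pw,
        parse_first_arg($naive . ' cmd /c x'),
        parse_first_arg(quote_win_arg($pw) . ' cmd /c x'));
}
```

This covers only the argument-splitting layer; characters that cmd.exe itself interprets are a separate concern when the string is run through a shell.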

Author:  Gwahlers [ Mon Feb 19, 2018 8:34 pm ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

Our domain-admin password contains only lowercase letters. Is the logged command the same as the executed command?

The remote wmic-commands are executed perfectly. Only the remote execution of audit_windows.vbs fails.
The failed command does not contain double-quotes for the "-u" parameter.

Attachments:
2018-02-19 11_36_32-Open-AudIT.jpg [ 94.68 KiB | Viewed 44373 times ]
2018-02-19 11_35_30-Open-AudIT.jpg [ 114.13 KiB | Viewed 44373 times ]

Author:  Gwahlers [ Wed Feb 21, 2018 1:38 am ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

I can remotely open programs like Outlook.exe with paexec.exe from the OA-Server. How can I turn off the parameter self_delete=y so I can see if the audit_windows.vbs is copied successfully?

Author:  jpa [ Wed Feb 21, 2018 4:39 am ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

Edit include_input_discoveries.php line 998 to remove the self_delete=y.

It also looks like the "use system account" option was [url=https://github.com/Opmantek/open-audit/commit/d504cc56688b060fa36b4413190f2813f44d26c7]recently added[/url] to the paexec call. Not sure if that would help or not.

Author:  Gwahlers [ Wed Feb 21, 2018 6:19 pm ]
Post subject:  Re: Execution of audit_windows.vbs fails at every Computer

Edited the file. In C:\Windows there is no audit file. Maybe it is not being copied correctly?
Now I'm auditing with a cmd-script. Better with built-in discover_subnet.vbs.
The remote execution of audit_windows.vbs works on our not domained computers, but not on our domained ones.

All times are UTC + 10 hours