
Open-AudIT


All times are UTC + 10 hours




Posted: Thu Feb 15, 2018 9:28 pm
Newbie

Joined: Mon Jan 29, 2018 6:55 pm
Posts: 26
After discovery copied the audit_windows.vbs file to the target computer, the execution fails. There are no more log entries like those in the attachment. Are there any more ways to debug? Which command will be executed remotely so I can try and fix? I already read the documentation about problems with auditing computers.

From Domainserver to Domaincomputer on other subnet.


Attachments:
2018-02-15 11_58_52-Open-AudIT.jpg


Last edited by Gwahlers on Thu Feb 15, 2018 9:39 pm, edited 1 time in total.
Posted: Thu Feb 15, 2018 9:37 pm
Newbie

Joined: Mon Jan 29, 2018 6:55 pm
Posts: 26
I can execute the script via console manually. The audit will pass.


Attachments:
2018-02-15 12_35_22-mRemoteNG - rwggnb.xml - G20585OPENAUDIT.jpg
Posted: Fri Feb 16, 2018 1:28 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Set debugging=3 in the command line and see what the output looks like. Hopefully it's more instructive.


Posted: Fri Feb 16, 2018 2:27 am
Newbie

Joined: Mon Jan 29, 2018 6:55 pm
Posts: 26
[quote="jpa"]Set debugging=3 in the command line and see what the output looks like. Hopefully it's more instructive.[/quote]

The script works perfectly manually over the command line, as you see in my second post. But not as part of discover_subnets.vbs executed by Web-Frontend or called by cmd-File. If I put debugging=3 in my cmd-file as a parameter for discover_subnets.vbs, no more info is shown.

Automatic discovery copies the file audit_windows.vbs into the admin$-Directory of the target computer. But there is no successful execution. I can manually execute the file from the command line with the same command shown in discovery_log.

Posted: Fri Feb 16, 2018 4:07 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
In your original log screenshot did you blank out the password because the password was there or did you blank out a bunch of ********? The log should not show your password but instead should show ********. Maybe a character in the password is not getting properly escaped by OpenAudit?


Posted: Fri Feb 16, 2018 9:00 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
It looks like the logging could use a bit of work as the output in the screenshot is a bit confusing. include_input_discoveries.php around line 1048 could use some more "$log->file =" instances to make the output a bit better.

Another thing I noticed is that the code in the copy_to_windows function escapes double-quotes while the code in execute_windows does not.


Posted: Fri Feb 16, 2018 6:33 pm
Newbie

Joined: Mon Jan 29, 2018 6:55 pm
Posts: 26
[quote="jpa"]In your original log screenshot did you blank out the password because the password was there or did you blank out a bunch of ********? The log should not show your password but instead should show ********. Maybe a character in the password is not getting properly escaped by OpenAudit?[/quote]


You're right.

Attachments:
2018-02-16 09_31_54-Open-AudIT.jpg
Posted: Fri Feb 16, 2018 6:47 pm
Newbie

Joined: Mon Jan 29, 2018 6:55 pm
Posts: 26
Erm, okay. Is there anything I could do, or do I have to wait for further updates?


Posted: Sat Feb 17, 2018 4:52 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
If your password has a double-quote in it this might fix your problem.

Edit code_igniter/application/helpers/wmi_helper.php and change line 217 from:
[code]
$command_string = 'c:\\xampplite\\open-audit\\other\\paexec.exe \\\\' . $ip . ' -u ' . $domain . $username . ' -p "' . $credentials->credentials->password . '" cmd /c "' . $command . '"';
[/code]

to:
[code]
$password = str_replace('"', '\"', $credentials->credentials->password);
$command_string = 'c:\\xampplite\\open-audit\\other\\paexec.exe \\\\' . $ip . ' -u ' . $domain . $username . ' -p "' . $password . '" cmd /c "' . $command . '"';
[/code]

I haven't tested this but it's a simple change so it should work.


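The quoting problem discussed in the post above, as an added example that is not part of the original post and is not Open-AudIT code. It assumes paexec.exe parses its command line with the Microsoft C runtime rules; `quote_win_arg()` and `build_paexec()` are hypothetical helper names, and the IP, account, passwords and audit command are constructed sample values.

```php
<?php
// Added example, not Open-AudIT code. quote_win_arg() and build_paexec() are
// hypothetical helpers; the paexec path and switches are the ones quoted above.

// Quote one argument for a program that parses its command line with the
// Microsoft C runtime rules (assumed here for paexec.exe).
function quote_win_arg(string $arg): string
{
    $escaped = preg_replace_callback('/(\\\\*)("|\\z)/', function ($m) {
        // Backslashes that end up in front of a quote (embedded or closing)
        // are doubled; an embedded quote additionally gets its own backslash.
        return str_repeat('\\', 2 * strlen($m[1])) . ($m[2] === '"' ? '\\"' : '');
    }, $arg);
    return '"' . $escaped . '"';
}

// Returns the string to execute and a copy that is safe to write to the log.
function build_paexec(string $ip, string $user, string $password, string $command): array
{
    $head = 'c:\\xampplite\\open-audit\\other\\paexec.exe \\\\' . $ip . ' -u ' . $user . ' -p ';
    $tail = ' cmd /c "' . $command . '"';   // passed through as on the page
    return [
        'exec' => $head . quote_win_arg($password) . $tail,
        'log'  => $head . '"********"' . $tail,   // password never reaches the log
    ];
}

// Constructed sample passwords, including two cases a plain str_replace misses:
// a trailing backslash and a backslash directly in front of a double quote.
$samples = ['lowercaseonly', 'pa"ss', 'ends\\', 'mid\\"quote'];
foreach ($samples as $pw) {
    $naive = '"' . str_replace('"', '\\"', $pw) . '"';
    printf("%-14s naive: %-16s full: %s\n", $pw, $naive, quote_win_arg($pw));
}

// Constructed target, account and audit command.
$built = build_paexec('192.0.2.10', 'EXAMPLE\\auditor', 'ends\\', 'cscript c:\\windows\\audit_windows.vbs');
echo $built['log'], "\n";
```

If the resulting string is run through cmd.exe, that shell applies its own rules to characters such as `%` and `&`; this example covers only the argument parsing done by the called program.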
Posted: Mon Feb 19, 2018 8:34 pm
Newbie

Joined: Mon Jan 29, 2018 6:55 pm
Posts: 26
Our domain-admin password contains only lowercase letters. Is the logged command the same as the executed command?

The remote wmic-commands are executed perfectly. Only the remote execution of audit_windows.vbs fails.
The failed command does not contain double-quotes for the "-u" parameter.


Attachments:
2018-02-19 11_36_32-Open-AudIT.jpg
2018-02-19 11_35_30-Open-AudIT.jpg
Posted: Wed Feb 21, 2018 1:38 am
Newbie

Joined: Mon Jan 29, 2018 6:55 pm
Posts: 26
I can remotely open programs like Outlook.exe with paexec.exe from the OA-Server. How can I turn off the parameter self_delete=y so I can see if the audit_windows.vbs is copied successfully?


Posted: Wed Feb 21, 2018 4:39 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Edit include_input_discoveries.php line 998 to remove the self_delete=y.

It also looks like the "use system account" option was [url=https://github.com/Opmantek/open-audit/commit/d504cc56688b060fa36b4413190f2813f44d26c7]recently added[/url] to the paexec call. Not sure if that would help or not.


Posted: Wed Feb 21, 2018 6:19 pm
Newbie

Joined: Mon Jan 29, 2018 6:55 pm
Posts: 26
Edited the file. In C:\Windows there is no audit file. Maybe it is not being copied correctly?
Now I'm auditing with a cmd-script. Better with built-in discover_subnet.vbs.
The remote execution of audit_windows.vbs works on our not domained computers, but not on our domained ones.

