Windows Server Hack [Electronic resources] - Text version

Mitch Tulloch


Hack 73 Find All Computers that Are Running a Service

Use this script to find rogue web servers,
misconfigured clients, and other potentially insecure systems on your
network.

Querying the status of a service across multiple computers can
be an extremely useful tool. You can check for the SMS client
service, antivirus services, or even viruses/Trojans that run as a
service. Under most interfaces, such as WMI or ADSI, you need to
check the status of services with an account that has administrator
rights on the machine you are targeting. It turns out that in many
organizations there are quite a few PCs on the network whose owners
have done a phenomenal job of removing most of the IT
department's administrator rights. These unmanaged
PCs can be a real risk at times.

One day, I noticed that when you query a remote box with the Windows
2000 services snap-in for the MMC, you do not need administrator
rights to check on the services that reside on remote boxes. You
simply need an account in a trusted domain with simple user-level
rights. On further investigation, it was revealed that what in fact
was going on was a direct query to the Service Control Manager (SCM),
as opposed to some API call through WMI or ADSI. One of the best free
third-party tools that also queries the SCM is Psservice from
Sysinternals (http://www.sysinternals.com). Although this
is strictly a command-line utility, we can tweak it with some
parameters and do some fancy parsing to make efficient use of it in a
script.

First, the script will search IP addresses by subnet, using a ping
response, and find the Windows-based machines by parsing out a
NetBIOS call. Then, it will determine if the machine is running a
particular service, by querying it with Psservice, and log the
results in tab-delimited format. This will retrieve the following
data in the log file: IP address, computer name, currently logged-on
user, domain or workgroup to which the machine is joined, and the
status of the service. The IP address is included even if the node is
not pingable and can be treated as a key in most cases. The computer
name is resolved with a DNS lookup on the IP address and then, if a
NetBIOS name is found, it is switched to that name. Note that this
could be blank if both methods fail. The currently logged-on user
field should display data if the machine is NetBIOS-compatible and
someone is currently logged on. However, if no one is logged on, it
will be blank. Note that this logon name could be a domain account or
a local account; there is no way to tell. The domain (or workgroup)
to which the machine is joined is the domain (or workgroup)
associated with the computer account, not the user account.

The status of the service can be any of seven possible values, as
shown in Table 8-2.

Table 8-2. Possible values for service status

Status                           Description
UnPingable                       The IP address does not respond
RUNNING                          Service is running
STOPPED                          Service is stopped
PENDING                          Service is starting or stopping
Blank                            Service does not exist
Access is Denied                 Your account does not have minimal user-level rights to the box
The RPC server is unavailable    Computer is running Win9x, Win 3.x, or is a Samba box

There are several items you will need before the script will run.
First, you need the Psservice utility that comes with the Pstools
suite from Sysinternals. Place the
psservice.exe utility in the same directory as
the script itself. You also need to register the free System
Scripting Runtime COM object from Netal
(http://www.netal.com/ssr). To register
the COM object, copy the DLL to your system32 directory and use
regsvr32 to register it. You'll
need to do this for every box you run the script from, but this does
not need to be done on the remote machines. By
the way, I highly suggest reading through the documentation on both
of these valuable pieces of software.


The Code


Type the following script into Notepad (with Word Wrap disabled) and
save as FindNTService.vbs. Alternatively, since
this is a long one, you're probably better off
downloading the source from http://www.oreilly.com/catalog/winsvrhks/.

' Dennis Abbott - speckled_trout@hotmail.com
' you need to register the Scripting System Runtime from www.netal.com in
' your System32 directory on the machine you are running this script from
' first.
' You also need the utility psservice.exe from www.sysinternals.com in
' the same directory as this script and you need a text file with the
' subnets listed with a linefeed after each subnet.
'
' example of subnet listing
'
' 192.168.0.0
' 192.168.1.0
' 34.54.78.0
'
' You can view the script in action by opening the log file with a
' realtime log file viewer such as SMS Trace from Microsoft.
'
'On Error Resume Next
Option Explicit
Dim Title 'used for dialog boxes as well as the log file name
Dim PathToScript 'path to the directory that the script is running from
Dim PathToLogFile 'full path including filename of the log file
Dim WshShell 'shell object
Dim WshNet 'network object
Dim WshFso 'file system object
Dim WshSysEnv 'environment variable object
Dim ScriptNet 'System Scripting Runtime object from www.netal.com
Dim ComSpec 'path to cmd.exe
Dim DataFile 'file containing machine names
Dim LogFile 'log file for stats
Dim CompName 'name of the current remote target computer
Dim User 'user logged on to remote computer
Dim Domain 'domain that the remote computer is joined to
Dim IP 'IP address of remote computer
Dim CurLine 'used when parsing text files
Dim NbtFile 'file parsed for NetBIOS information
Dim SubnetFileName 'file containing subnets to be searched
Dim I 'counter
Dim SysFolder 'the system folder
Dim TimeOut 'timeout in milliseconds for ping
Dim Go 'gives user option to quit
Dim ServiceToCheck 'name of the service to look for--NOT THE DISPLAY NAME
Dim EditSubnets 'give user option of editing subnet file
Dim File 'File object
Dim Subnet 'current subnet being searched
Dim Service 'Status of the service
Dim ServFile 'file parsed for the service information
Set WshShell = CreateObject("WScript.Shell")
Set WshFso = CreateObject("Scripting.FileSystemObject")
Set WshNet = CreateObject("WScript.Network")
Set ScriptNet = CreateObject("SScripting.IPNetwork")
SysFolder = WshFso.GetSpecialFolder(1)
PathToScript = Left(WScript.ScriptFullName, _
(Len(WScript.ScriptFullName) - (Len(WScript.ScriptName) + 1)))
Title = "FindNTService"
Set WshSysEnv = WshShell.Environment("SYSTEM")
ComSpec = WshSysEnv("COMSPEC")
Timeout = 125
'collect input
Go = MsgBox("This utility will search the network by subnet to find " & _
"all machines running a particular service." & vbcrlf & _
"To do this you must supply a text file with the subnets and the name of " & _
"the service." & vbcrlf & vbcrlf & "Do you wish to continue?",vbyesno,Title)
Select Case Go
Case vbYes
Case vbNo: WScript.Quit(0)
End Select
If WshFso.FileExists(PathToScript & "\psservice.exe") <> True Then
MsgBox "The PSSERVICE utility does not exist....GOODBYE" & vbcrlf & _
"You can get PSSERVICE from www.sysinternals.com",vbok + vbcritical, Title
WScript.Quit(0)
End If
If WshFso.FileExists(SysFolder & "\sscrrun.dll") <> True Then
MsgBox "The sscrrun.dll does not exist....GOODBYE" & vbcrlf & _
"You can get sscrrun.dll from www.netal.com",vbok + vbcritical, Title
WScript.Quit(0)
End If
ServiceToCheck = InputBox("enter the service name(not display name) that " & _
"you want to search for.",Title,"w3svc")
If ServiceToCheck = "" Then
MsgBox "you did not enter a service name....GOODBYE",vbok + vbcritical, Title
Wscript.Quit(0)
End If
SubnetFileName = InputBox("enter the path to the file that contains " & _
"the subnets.",Title,PathToScript & "\subnets.txt")
If WshFso.FileExists(SubnetFileName) <> True Then
MsgBox "The subnet file does not exist....GOODBYE", _
vbok + vbcritical, Title
Wscript.Quit(0)
End If
EditSubnets = MsgBox("Do you want to edit the subnets file?",vbyesno,Title)
Select Case EditSubnets
Case vbYes: WshShell.Run "notepad " & SubnetFileName,1,True
Case vbNo
End Select
PathToLogFile = PathToScript & "\" & Title & "_" & Month(Now) & "_" _
& Day(Now) & "_" & Year(Now) & "-" & Hour(Now) & "_" _
& Minute(Now) & ".log"
Set LogFile = WshFso.CreateTextFile(PathToLogFile)
Set File = WshFso.GetFile(SubnetFileName)
Set DataFile = File.OpenAsTextStream(1,0)
LogFile.WriteLine "IPaddress" & vbtab & "ComputerName" & vbtab & _
"LoginName" & vbtab & "Domain" & vbtab & "Status"
Do While Not DataFile.AtEndOfStream
Subnet = DataFile.ReadLine
LogFile.WriteLine subnet & vbtab & vbtab & vbtab & vbtab & _
"beginning subnet " & Now
Discover(subnet)
Loop
MsgBox Title & " script is done. The log file is located here." & _
vbcrlf & PathToLogFile
Function Discover(boundary)
Subnet = Left(boundary,InstrRev(boundary,"."))
For i = 1 to 254
IP = subnet & i
CompName = Null
User = Null
Domain = Null
Curline = Null
Service = Null
If ScriptNet.Ping(ip,,,Timeout) <> 0 Then
LogFile.WriteLine IP & vbtab & vbtab & vbtab & vbtab _
& "UnPingableClient"
Else
CompName = ScriptNet.DNSlookup(IP)
If InStr(CompName,".") <> 0 Then
CompName = Left(CompName,InStr(CompName,".")-1)
End If
Call GetNBTstat(IP,User,Domain)
Call GetService(IP, Service)
Call WriteToLog(IP,CompName,User,Domain,Service)
End If
Next
End Function
Function GetNBTstat(IP,User,Domain)
WshShell.Run ComSpec & " /c nbtstat -a " & IP & " >" & PathToScript & _
"\nbt.txt",6,True
Set NbtFile = WshFso.OpenTextFile(PathToScript & "\nbt.txt", 1, True)
Do While NbtFile.AtEndOfStream <> True
CurLine = NbtFile.ReadLine
If InStr(CurLine,"---") <> 0 Then
CurLine = NbtFile.ReadLine
CompName = Trim(Left(CurLine,InStr(CurLine,"<")-1))
End If
If InStr(CurLine,"<03>") <> 0 Then
If Trim(Left(CurLine,InStr(CurLine,"<03>")-1)) <> _
UCase(CompName) and Trim(Left(CurLine,InStr(CurLine,"<03>")-1)) <> _
UCase(CompName) & "$" Then
User = Trim(Left(CurLine,InStr(CurLine,"<03>")-1))
End If
End If
If InStr(CurLine,"<1E>") <> 0 Then
If Trim(Left(CurLine,InStr(CurLine,"<1E>")-1)) <> _
UCase(CompName) and Trim(Left(CurLine,InStr(CurLine,"<1E>")-1)) <> _
UCase(CompName) & "$" Then
Domain = Trim(Left(CurLine,InStr(CurLine,"<1E>")-1))
End If
End If
Loop
NbtFile.Close
End Function
Function GetService(IP,Service)
'only query boxes that answered NetBIOS (a name or a domain was found)
If CompName <> "" And User <> "" Or Domain <> "" Then
WshShell.Run ComSpec & " /c " & PathToScript & "\psservice \\" _
& IP & " query " & Chr(34) & ServiceToCheck & Chr(34) & " >" _
& PathToScript & "\service.txt",6,True
Set ServFile = WshFso.OpenTextFile(PathToScript _
& "\service.txt", 1, True)
Do While ServFile.AtEndOfStream <> True
CurLine = ServFile.ReadLine
If InStr(CurLine,"STATE") <> 0 Then
'psservice prints the line as e.g. "STATE : 4 RUNNING"; keep the last word
Service = Trim(CurLine)
Service = Mid(Service,InStrRev(Service," ")+1)
End If
If InStr(CurLine,"RPC") <> 0 Then
Service = CurLine
End If
If InStr(CurLine,"Access") <> 0 Then
Service = CurLine
End If
If InStr(CurLine,"function") <> 0 Then
Service = CurLine
End If
If InStr(CurLine,"Unable") <> 0 Then
Service = CurLine
End If
Loop
If InStr(Service,vbcr) <> 0 Then
Service = Left(Service,InStr(Service,vbcr)-1)
End If
End If
End Function
Function WriteToLog(IP,CompName,User,Domain,Service)
'write one tab-delimited record; empty fields are left blank
If IP <> "" Then
LogFile.Write IP
End If
LogFile.Write vbtab
If CompName <> "" Then
LogFile.Write CompName
End If
LogFile.Write vbtab
If User <> "" Then
LogFile.Write User
End If
LogFile.Write vbtab
If Domain <> "" Then
LogFile.Write Domain
End If
LogFile.Write vbtab
If Service <> "" Then
LogFile.Write Service
End If
LogFile.WriteLine
End Function
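The name-table parsing that GetNBTstat performs above (first name after the rule is the computer, a <03> unique name that is not the computer is the logged-on user, the <1E> group name is the domain or workgroup), re-done in Python as an added example that is not part of the hack, so it can be exercised offline on a constructed nbtstat -a listing; the sample output and host names are made up for the example.

```python
import re

# One row of nbtstat's "NetBIOS Remote Machine Name Table": name, <suffix>, type.
NBT_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\b")

def parse_nbtstat(text):
    """Mirror GetNBTstat from the hack: the first name after the '---' rule is
    the computer, a <03> UNIQUE name that is not the computer (or computer$)
    is the logged-on user, and the <1E> GROUP name is the domain/workgroup.
    Anything not found comes back as '' (blank in the log)."""
    computer = user = domain = ""
    in_table = False
    for line in text.splitlines():
        if "---" in line:
            in_table = True
            continue
        m = NBT_ROW.match(line) if in_table else None
        if not m:
            continue
        name, suffix, kind = m.group(1).upper(), m.group(2).upper(), m.group(3)
        if not computer:
            computer = name          # first row, exactly as the VBScript does
        if suffix == "03" and kind == "UNIQUE" and name not in (computer, computer + "$"):
            user = name
        elif suffix == "1E" and kind == "GROUP":
            domain = name
    return computer, user, domain

# Constructed nbtstat -a output: domain-joined workstation with a user logged on.
SAMPLE_NBT = """\
Local Area Connection:
Node IpAddress: [192.168.0.15] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WKS042         <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    WKS042         <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    WKS042         <03>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-11-22-33-44-55
"""

# Constructed output for an address that answered ping but not NetBIOS.
SAMPLE_NO_NBT = "Host not found.\n"

if __name__ == "__main__":
    print(parse_nbtstat(SAMPLE_NBT))     # ('WKS042', 'JSMITH', 'CORP')
    print(parse_nbtstat(SAMPLE_NO_NBT))  # ('', '', '')
```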


Running the Hack


First, create a text file that contains the subnets you wish to
query. Each subnet should end with .0 and be on
its own line in the file. You can name the file subnets.txt
and save it in the same directory as the script. Now,
simply run the script by double-clicking on it; it will prompt you
for input. The first input is just an introduction to the script.
Clicking No will exit the script altogether.

The next input is the name of the service; this is not the same as
the display name, so be careful here. Table 8-3
shows some examples of services for which the display name differs
greatly from the service name. This information can help you detect
rogue web servers running secretly on your network, client machines
whose antivirus software has been disabled, or machines with SMS
client software disabled, making them difficult to keep updated with
security patches and service packs.

Table 8-3. Display names and corresponding service names

Display name                         Service name
World Wide Web Publishing Service    w3svc
Norton Antivirus Client              Norton Antivirus Server
SMS Client Service                   clisvc

The next prompt is the full path to the text file that contains the
subnets. At this point, you can enter a different text file if you
wish. Lastly, you have the opportunity to modify the subnets file
before you begin. The scan will begin either after you click No or
after you close Notepad. You will be notified when the script is
finished with a pointer to the log file; there is no progress
indicator as the script runs. If you need to cancel the script, go
into Task Manager and kill the wscript.exe
process.
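Reading the log the script produces is where the detection value is, so here is an added example (not part of the hack) that applies the log layout and the Table 8-2 status values described earlier, together with the Table 8-3 service names, to flag the cases this hack is meant to surface: a forbidden service such as w3svc that is present and running, a required service such as clisvc that is stopped or missing, and "Access is denied" boxes that refuse even a user-level query. The policy table and the log lines are constructed for the example.

```python
# Policy by service name (names from Table 8-3): "required" services should be
# RUNNING on every managed client; "forbidden" ones should not exist there.
POLICY = {
    "w3svc": "forbidden",                   # rogue web server
    "clisvc": "required",                   # SMS client
    "Norton Antivirus Server": "required",  # antivirus
}

def classify(status):
    """Map a Status field to one of the Table 8-2 cases."""
    s = status.strip()
    if s.startswith("UnPingable"):
        return "unpingable"
    if s in ("RUNNING", "STOPPED", "PENDING"):
        return s.lower()
    if s == "":
        return "absent"           # service does not exist
    if "Access" in s:
        return "access_denied"    # no user-level rights: unmanaged box
    if "RPC" in s:
        return "rpc_unavailable"  # Win9x, Win 3.x or Samba
    return "error"

def find_exceptions(log_text, service):
    """Return [(ip, computer, reason)] for hosts in a FindNTService log that
    violate POLICY[service]; the log must come from a scan for that service."""
    rule, hits = POLICY[service], []
    for line in log_text.splitlines()[1:]:          # skip the header row
        fields = line.split("\t")
        if len(fields) < 5 or fields[4].startswith("beginning subnet"):
            continue                                # per-subnet marker line
        ip, name, _user, _domain, status = fields[:5]
        c = classify(status)
        if c == "access_denied":
            hits.append((ip, name, "unmanaged: user-level query refused"))
        elif rule == "forbidden" and c in ("running", "pending"):
            hits.append((ip, name, service + " present and " + c))
        elif rule == "required" and c in ("stopped", "absent", "pending"):
            hits.append((ip, name, service + " " + c))
    return hits

# Constructed log in the hack's tab-delimited layout (header, subnet marker, hosts).
SAMPLE_LOG = (
    "IPaddress\tComputerName\tLoginName\tDomain\tStatus\n"
    "192.168.0.0\t\t\t\tbeginning subnet 1/2/2004 9:15:00 AM\n"
    "192.168.0.1\t\t\t\tUnPingableClient\n"
    "192.168.0.10\tDEV017\tJSMITH\tCORP\tRUNNING\n"
    "192.168.0.11\tWKS042\t\tCORP\tSTOPPED\n"
    "192.168.0.12\tLAB003\tADMIN\tLABWG\t\n"
    "192.168.0.13\tOLDBOX\t\tCORP\tThe RPC server is unavailable.\n"
    "192.168.0.14\tLOCKED\t\tCORP\tAccess is denied.\n"
)
```

Calling find_exceptions(SAMPLE_LOG, "w3svc") reports DEV017 as a running web server and LOCKED as an unmanaged box; the same log read as a clisvc scan reports WKS042 (stopped) and LAB003 (absent) instead.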

I have used this script to find machines on which the SMS Client
Service has been disabled. I have also found numerous IIS web servers
and their owners. Lastly, this utility does a great job of finding
the FLC service, which is better known as the FunLove virus. I get a
big kick out of sending directors a list of developer machines that
have FunLove on their box, have also disabled SMS, and are not
running antivirus software.


Always deploy this script in a lab environment
first and do your own benchmarking before pinging those 32,000 nodes.

Dennis Abbott

