Hi All, In addition to the earlier post, and per the request of a few auditors who do system audits, I am providing the below script, which will be helpful to scan / review / find all the user or system (PC) specific environment details. The environment details usually expose lots of information, as said earlier...
---------- start of script ---------
@echo off
rem Collects the local machine's network environment details into report.txt.
rem Optional argument %1: a dotted IP address whose first three octets define
rem the subnet to check; without it the subnet is taken from the local IP.
>> report.txt echo *******************************************************************************
>> report.txt echo *******************************************************************************
>> report.txt echo *******************************************************************************
>> report.txt echo.
>> report.txt echo.
set /p userdata=Enter notes for this location:
>> report.txt echo %userdata%
>> report.txt echo %date% %time%
if [%1]==[] goto NOARG
goto GOTARG

:NOARG
>> report.txt echo.
>> report.txt echo ******** IPCONFIG COMMAND ********
>> report.txt echo.
ipconfig /all > ~ip05.txt
>> report.txt type ~ip05.txt
echo FINDING CURRENT IP ADDRESS
rem Newer Windows versions label this line "IPv4 Address" instead of "IP Address".
ipconfig | find "IP Address" > ~ip01.txt
for /f "tokens=1-2 delims=:" %%i in (~ip01.txt) do echo %%j> ~ip02.txt
for /f "tokens=1-3 delims=." %%i in (~ip02.txt) do echo %%i.%%j.%%k> ~ip03.txt
>> report.txt echo.
>> report.txt echo ******** ROUTE COMMAND ********
>> report.txt echo.
>> report.txt route print
>> report.txt echo.
>> report.txt echo ******** NSLOOKUP COMMAND ********
>> report.txt echo.
>> report.txt nslookup . | find "."
>> report.txt echo.
goto REPORT

:GOTARG
> ~ip02.txt echo %1
for /f "tokens=1-3 delims=." %%i in (~ip02.txt) do echo %%i.%%j.%%k> ~ip03.txt
goto REPORT

:REPORT
>> report.txt echo ******** PING COMMAND ********
>> report.txt echo.
echo PINGING HOSTS IN SUBNET
for /f %%i in (~ip03.txt) do call :PING %%i
>> report.txt type ~ip04.txt
>> report.txt echo.
>> report.txt echo ******** HTTP WEB SERVERS ********
if not exist %0 goto NOHTTP
>> report.txt echo.
echo CHECKING FOR WEB SERVERS
rem Extract the VBScript embedded at the end of this file: its lines are
rem indented with four spaces, and this line itself is excluded by "not me!".
type %0 | find "    " | find /v "not me!" > ~ip00.vbs
for /f %%x in (~ip04.txt) do call :HTTP %%x
type ~ip13.txt
>> report.txt type ~ip13.txt
>> report.txt echo.

:NOHTTP
>> report.txt echo ******** NBTSTAT COMMAND ********
>> report.txt echo.
echo CHECKING NAMES WITH NBTSTAT
for /f %%x in (~ip04.txt) do echo %%x & echo %%x >> report.txt & nbtstat -A %%x | find "Registered" >> report.txt && echo %%x>> ~ip11.txt
>> report.txt echo.
>> report.txt echo ******** NET USE COMMAND ********
>> report.txt echo.
echo CHECKING SHARES WITH NET USE
for /f %%x in (~ip04.txt) do call :NETUSE %%x
net use | find "\\" > ~ip10.txt
>> report.txt type ~ip10.txt
>> report.txt echo.
>> report.txt echo ******** NET VIEW COMMAND ********
>> report.txt echo.
echo LISTING SHARED RESOURCES WITH NET VIEW
net view | find "\\" > ~ip08.txt
type ~ip08.txt
>> report.txt echo ----------
>> report.txt type ~ip08.txt
>> report.txt echo ----------
>> report.txt echo.
if exist ~ip11.txt for /f %%x in (~ip11.txt) do call :NETVIEW %%x
>> report.txt echo.
>> report.txt echo ******** ARP COMMAND ********
>> report.txt echo.
>> report.txt arp -a | find "-" | find /v "invalid"
>> report.txt echo %date% %time%
>> report.txt echo.
>> report.txt echo.
>> report.txt echo *******************************************************************************
>> report.txt echo *******************************************************************************
>> report.txt echo *******************************************************************************
if not exist ~ip06.txt goto NOSHARE
set /p userdata=View remote shares (y/n)?
if [%userdata%]==[y] for /f %%x in (~ip06.txt) do start \\%%x

:NOSHARE
if not exist ~ip13.txt goto NOWEB
set /p userdata=View web sites (y/n)?
if [%userdata%]==[y] for /f %%x in (~ip13.txt) do start http://%%x

:NOWEB
:CLEANUP
rem Answer "y" to the net use confirmation prompt, then remove the temp files.
echo y>~ip09.txt
type ~ip09.txt | net use * /delete
del ~ip??.???
goto :EOF

:NETUSE
net use \\%1\IPC$ "" /USER:"" | find "success"> ~ip12.txt
rem Append (not overwrite) so every host with an accessible IPC$ share is kept.
if not errorlevel 1 echo %1>> ~ip06.txt
goto :EOF

:HTTP
cscript.exe //nologo ~ip00.vbs %1 >> ~ip13.txt
goto :EOF

rem ---- VBScript used by :HTTP (never executed by cmd; extracted by the find above) ----
    On Error Resume Next
    Set oHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
    oHttp.SetTimeouts 1000, 1000, 1000, 1000
    oHttp.Open "GET", "http://" & WScript.Arguments(0), False
    oHttp.Send
    If err.number = 0 Then Wscript.Echo WScript.Arguments(0) & " " & oHttp.Status
    Set oHttp = Nothing

:NETVIEW
net view \\%1 > ~ip07.txt
type ~ip07.txt | find "\\"
type ~ip07.txt | find "Disk"
type ~ip07.txt | find "\\" >> report.txt
type ~ip07.txt | find "Disk" >> report.txt
goto :EOF

:PING
for /L %%x in (1,1,254) do echo %1.%%x & ping -n 1 -w 50 -i 6 %1.%%x | find "Reply" && echo %1.%%x>> ~ip04.txt
goto :EOF
---------- end of script -----------

I hope it will be helpful....

Thanks!

Regards
Sandeep Thakur

On Fri, Jun 4, 2010 at 8:37 PM, Sandeep Thakur <[email protected]> wrote:
> Thanks for sharing this information already, Naik. I just wanted to share
> where we can apply this process.
>
> This will be really helpful in processes like auditing the user's system
> and / or during network security testing, compliance audits with respect to
> international standards, etc.
>
> How? During the above processes, it would be essential to know the user's
> activity with the network or internet in at least the past 2 hrs, when the users might
> already have cleared their favorites (links) of access to various
> environments before any auditor comes to them, or cleared their cookies /
> history / etc.
>
> Finally, combining the above procedure with a few other information
> caches (arp, netstat, nbtstat, recently opened documents), we would know
> whether the user / network under audit has done something unexpected or
> something which he is not intended to do at the corporate.
>
> Regards
> Sandeep Thakur
>
> On Sat, Apr 3, 2010 at 5:55 PM, Srinivas Naik <[email protected]> wrote:
>
>> Good Evening,
>>
>> Since the web site of SATYAM got diverted to a web page representing
>> "This site is on SALE!!!!!", people are now focused more on such DNS poisoning
>> attacks.
>>
>> The below procedure is a part of investigating DNS cache poisoning
>> attacks.
>>
>> So, according to the SANS methodology for collecting forensic information
>> in vivo (one of the most prestigious), the order of volatility of digital
>> evidence is as follows:
>> 1) CPU, cache and register contents
>> 2) routing table, ARP table, process table, kernel statistics
>> 3) Memory
>> 4) temporary files, swap space
>> 5) Information on hard disks
>> 6) Information recorded remotely
>> 7) Data stored in storage devices
>>
>> The more volatile the evidence, the sooner it must be retrieved to
>> prevent spoilage.
>>
>> To retrieve this cache you can use the ipconfig command as follows:
>>
>> C:\>ipconfig /displaydns
>>
>> The output format is as follows:
>>
>> abctest.net
>> ----------------------------------------
>> Name registration . . : abctest.net
>> Record Type . . . . . : 1
>> Lifespan . . . . . . . : 84627
>> Length of data . . . . : 4
>> Section . . . . . . . : Response
>> A record (host) . . . : 10.0.0.150
>>
>>
>> At first glance we can see the usefulness of this information. It
>> allows us to determine which DNS names have been resolved lately, since they
>> have been introduced in the cache.
>> That is, we can deduce quite accurately what sites have been connected to
>> from the computer in the last hours or minutes (depending on the expiration
>> time of each record).
>>
>> This information can be very interesting if it is obtained not long after the
>> incident to investigate, but remember that this information is highly volatile and
>> disappears quickly.
>>
>> To calculate the time at which the entry was created in the cache you have to do a
>> simple calculation: get the expiry time of the record and deduct the
>> remaining lifetime.
>> The difference will be the time that has passed since the record was
>> introduced in the cache.
>>
>> In this example:
>>
>> C:\> nslookup -type=A -debug abctest.net | findstr ttl
>> Non-authoritative answer:
>> ttl = 27338 (7 hours 35 mins 38 secs)
>> ttl = 86400 (1 day) <- Revocation of registration
>>
>>
>> We get the following calculation:
>> 86,400 - 84,627 = 1,773 -> the entry was created in the cache about
>> 30 minutes ago.
>>
>> You can automate this process to obtain a summary of all entries that exist in
>> the cache and an approximate timeline of the recent
>> DNS activity on the computer (and from this deduce the network activity).
>>
>>
>>
>> Thanks & Regards,
>> Srinivas Naik
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "nforceit" group.
>> To post to this group, send an email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/nforceit?hl=en-GB.
>>
>
