Hunting and Netbios Name Resolution

I was running into some issues with name lookup using the Wins server. The names did not always accurately reflect the real system scanned. Paul from over at Pauldotcom Security Weekly turned me onto nbtscan. This does a much better job of resolving the actual name if the host has netbios. However this created a discrepancy of number of names resolved to just raw IPs. So I modified a general port finding script as you can see below. Note the temp file is gone now. You get just the IP and lookup lists since you can awk the output of nbtscan.

I could not find nbtscan in darwinports for my powerbook so I just sought out an nbtscan BSD source code tarball. The README for .configure, make and make install worked like a champ. I just dropped nbtscan in my path after compile and was ready to go.

Paul made a Perl script version of this sort of thing which I will talk about more once I play with it and learn how it works. He also pointed out adding the -n option on nmap might speed it up a hair since we do name resolution later.

You can apply all these modifications and cleanups to the previous scripts for finding VNC and Missing AV installs.


# Scan Network Input File for active hosts saving IPS to $FNips.txt
nmap -sS -p $PORT -n -iL $NETWORKTARGET -oG – | grep open | awk ‘/[1-9].[1-9]/ {print $2}’ > ${FN}ips.txt

# use nbtscan to find hostnames and generate the ip to name $FNlookup file
nbtscan -f ${FN}ips.txt | awk ‘/[1-9].[1-9]/ {print $1 ” ” $2}’ > ${FN}lookup.txt

echo “Scan Complete”
echo “Port Scanned: “$PORT
NUMIPS=cat ${FN}ips.txt | wc -l
NUMHOSTS=cat ${FN}lookup.txt | wc -l
echo “Number of IPs Found: “$NUMIPS ” See file ${FN}ips.txt”
echo “Number of Netbios Names Found: “$NUMHOSTS ” See file ${FN}lookup.txt”


More Hunting. Shhhh be vewwwy quiet.

Well ok so not hunting white rabbits, yet… I modified my original findvnc script to hunt down pcs that are responding as possibly not running our antivirus software of choice (eTrust from Computer Associates).

Again the arguments are a text file of nmap compatible network ranges like and an IP of a Wins server to lookup the host names. Note this method can result in some false positives if you have say Linux hosting SMB shares. But likely if you are running Linux you know which IPs those are.

You could do this trick for other antivirus products. I have not tested it but for example Symantec uses tcp port 2967 according to their knowledgebase. Trendmicro appears to use one you choose at install time.


# Remove Previous Temp Files
rm temp.txt

# Scan Network Input File for active MS hosts without eTrust saving IPS to noetrustips.txt
# ID hosts by them responding on port TCP 139 SMB but NOT on TCP 42510 etrust
nmap -sS -p 139,42510 -iL $NETWORKTARGET -oG – | grep 139/open | grep 42510/closed | awk ‘/[1-9].[1=9]/ {print $2}’ > noetrustips.txt

# Loop through found noetrust IPs to build temp file of Netbios lookups from Wins Server
cat noetrustips.txt | while read host; do nmblookup -A -U $WINS -R $host >> temp.txt

# Parse temp.txt to build list of Host names
cat temp.txt | grep “<00>” | grep -v GROUP | awk ‘{print $1}’ > noetrusthosts.txt

# Combine Hostnames and IPS into lookup table noetrustlookup.txt
paste noetrustips.txt noetrusthosts.txt > noetrustlookup.txt

rm temp.txt
cat noetrustlookup.txt

exit 0


Nessus Report with PC Names – VNC Hunt Part Two

Here ya go. There are two scripts that actually came from my old college Unix book. Amazingly “The Unix Programming Environment” by Kernighan and Pike is still out there. I use the overwrite and replace scripts straight from the book. Just download their code sample. Unzip. Rename the Overwrite3 script to just overwrite and you will need the replace script. Both are in the Misc folder.

Once you have those. You will need to make a script file with the below code.

cat $1 | while read host; do echo “./replace “$host “$2″| sh ; done
echo “Replacement complete.”
exit 1

So all you have to do is run the previous script I wrote. Import the vncips.txt into your nessus client. Select just VNC vulnerability plugins. Run your Nessus scan. Export the results to an HTML file. Last step. Call the above script with two arguments. vnclookup.txt that was generated by the first script and the report.html or whatever name you gave it. It will overwrite the report in place changing all the IPs to the discovered PC names.


Vnc hunting.

I got the urge to whip up a script on my powerbook using nmap to build a list of hosts on the network running VNC. The final output is a nice table IP to PC name of the hosts. The first argument is a text file for nmap networks to scan such as The second argument is the IP address of a Wins server used by the PCs on the network. Ultimately I use the text files made by this script to feed and change an exported Nessus scan for vulnerable VNC hosts so the report shows PC names.

Thanks to Paul from Pauldotcom Security Weekly for pointing out I could save a file output by using – as the nmap output to send the greppable format to standard out.

# Remove Previous Temp Files
rm temp.txt

# Scan Network Input File for active VNC hosts saving IPS to vncips.txt
nmap -sS -p 5900 -iL $NETWORKTARGET -oG – | grep open | awk ‘/[1-9].[1=9]/ {print $2}’ > vncips.txt

# Loop through found VNC IPs to build temp file of Netbios lookups from Wins Server
cat vncips.txt | while read host; do nmblookup -A -U $WINS -R $host >> temp.txt

# Parse temp.txt to build list of VNC Host names
cat temp.txt | grep “<00>” | grep -v GROUP | awk ‘{print $1}’ > vnchosts.txt

# Combine VNC hostnames and IPS into lookup table vnclookup.txt
paste vncips.txt vnchosts.txt > vnclookup.txt

rm temp.txt
cat vnclookup.txt

exit 0


More Log Reports

I added this little bat file to make a report of just certain events the MS security guide says are good to correlate for potential attacks on credentials.  Note it assumes you ran the previous batfile that collects all the security logs from your domain controllers into temp.csv
LogParser -i:CSV -headerRow on -iTSFormat:”yyyy-MM-dd” “SELECT *, SUBSTR(EXTRACT_TOKEN(Strings, 2,’^’), 13) AS Account INTO seclog-credentials-report.csv FROM temp.csv WHERE EventID IN (529; 539; 675) ORDER BY DATE, Time”


Dell Hell

I stumbled onto this article in the New Jersey Star Ledger about “Dell Hell”. This is funny considering today at work I had to threaten to use Tee Morris‘ phrase “podcast their a**” Though I did not say that to them specifically. We ordered memory for a PowerEdge 2650 server almost a month ago. My coworker struggled with our Dell rep to track it down. That pulled in another Dell employee. After the run around for a few days we find out someone canceled our order. Dell still has not said whom on their end did it. We sure didn’t. We need this memory for our email server. My coworker had enough when the new person in the mix from Dell gave her the run around asking for the PO Number. Yeah the one that was in the subject line of every email in the chain. Sheesh. Dell has just gotten so pathetic. We got a two month run round earlier this year just trying to order one desktop. Another time another coworker even emailed our rep’s boss and got no response and finally got our rep to reply. Earlier in 2006 I got the three week run around just trying to order a mini PCI wireless card for a desktop. This all would not be so sad if it were not for the fact that Dell goes through such trouble to slap Service Tags on everything. Ordering stuff should be as simple as citing the service tag, getting the quote for the right part, submitting the PO and getting your part a few days later. But it isn’t. Do yourself a favor and consider other vendors than Dell at least for another year. At least unless you can threaten to tell 2000+ IT admins via a podcast you cohost and eliminate Dell from your global employer as a vendor. All for a few sitcks of memory. It is the only way to make them take your money.


Fun with dumpevt and MS Log Parser

I have been having fun learning how to combine Dumpevt from Somarsoft and MS Log Parser. Let me say once you start to get the hang of it you can do some cool things. Also MS makes a great PDF for Security Event information. You can modify the below to make your own reports for those various IDs.
For example the below makes a CSV (comma seperated file) showing all user accounts who had EventID 644 lockouts the previous day. Download dumpevt, MS Log parser the header file I made all into a folder together. Then put the below commands into a bat file in the same folder. Remove my comments that are in bold.

  • First we call dumpevt for three domain controllers. Obviously this bat file has to be executed as a user whom has rights to pull the logs remotely. Dumpevt will actually concatenate the dumps into one file.

del c:\logs\644.csv
del c:\logs\errors.txt
dumpevt /computer=PDC /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt
dumpevt /computer=BDC01 /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt
dumpevt /computer=BDC02 /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt

  • Second we create a temp.csv file concatenating the header I provided with the output of the dumpevt calls.

type dumpevt-header.csv > temp.csv
type 644.csv >> temp.csv

  • Next we call Log Parser. We tell it the input is in CSV format and the first row is the header. We specify what format we want the timestamps in for output. Next we select all fields, parse out the user account name where eventID is 644 and the date is the previous day. We go from temp.csv into a new file temp2.csv and have the output in date-time order.

LogParser -i:CSV -headerRow on -iTSFormat:”yyyy-MM-dd” “SELECT *, SUBSTR(EXTRACT_TOKEN(Strings, 1,’^’), 23) AS Account INTO temp2.csv FROM temp.csv WHERE EventID = 644 AND Date = TO_DATE(SUB( SYSTEM_TIMESTAMP(), TIMESTAMP(‘2’, ‘d’))) ORDER BY DATE, Time

  • Last we run the temp2.csv through Log Parser once more. This will generate a csv file called 644report.csv with the columns Date, Time, Computer and the Account that was locked out. Note it drops all entries where the user account name is blank. This happens with some 644 events. I am not sure yet why but I am still teaching myself all about this log parsing and interpretation.

LogParser -i:CSV -headerRow on -iTSFormat:”yyyy-MM-dd” “SELECT DATE, TIME, Computer, Account INTO 644report.csv FROM temp2.csv WHERE STRLEN(Account) >1”