Non-Invasive Forensics Information Gatherer
Results 1 to 5 of 5

Thread: Non-Invasive Forensics Information Gatherer

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Non-Invasive Forensics Information Gatherer

    I have been dabbling with VBScripts over the past week or so and have put together a non-invasive and quick method to document the current state of a machine remotely over the network. To be absolutlely honest all I have done is taken the freely available scripts from Microsoft's Scripting Center and cobbled the useful ones together into a tool that will enumerate all the information you might want as to the current state of a remote machine.

    You must have admin rights over the remote machine or it won't work and there are restrictions on it's use against certain older Windows OS's, (see the link above for what is required on systems older than Win2k)

    It asks for the IP address of the remote machine, the complete filename of the output file, (eg: a:\computer27.txt), and your full name, (eg: Bill Smith).

    The output contains the following:-

    The OS and SP level
    Installed Hotfixes
    The role of the computer in the domain
    The currently logged on user
    All the local User accounts
    The local group memberships
    Ip address info
    network adapter information
    network protocols information
    The start-up options
    Boot config options
    Start-up commands
    Current shares
    Running processes and their owners
    Thread states for running processes
    The status of all installed services

    It carries a header that documents this as being non-invasive forensic information for computer xxx.xxx.xxx.xxx at xx:xx:xx hours on xx/xx/xx day by [Your name here]

    Yes it is a vbs script...... Yes it could do nasty things if you run it..... No I do not work for the NSA, Federal Government, State Government, County Governement or Local Government for the benefit of the more suspicious amongst you...... OTOH, it does not do nasty things and you might even find it of use in an emergency.

    I would appreciate someone who has a basic understanding of VBScript taking a quick look to verify here in the forum that it only pulls information to the file you designate and that it does nothing harmful, thanks to whoever.

    To run it you need to unzip it on a machine capable of running vbscripts, (I use Win2k). Put it in a folder, (c:\scripts is good), open a cmd prompt in that folder and type:-

    cscript currentstate.vbs

    It will ask for the IP of the remote machine, (you can put the local machines IP in if you want), then the filename for the output and finally your name.

    I think you would find it useful and quick to run at the start of an investigation and I have already started to baseline my machines using it so that I can document changes in case of a compromise.

    I would appreciate any feedback and any suggestions as to other information that pwoplw would like gathered.

    Have fun.......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    Great tool.

    It worked great on my local machine, but when I tried to do my laptop, which is on my same subnet, but is a member of a different domain and is not in my workgroup, I just got symbols and no real data.

    Is there a way to pass it a username and password so you can access remote systems with administrative privileges? Or, can you think of a different reason why I couldn't get a valid response from that machine?

    Thanks for taking the time to put this tool together.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yes, I had similar results with it. Localhost info is great but any other machine on my subnet returns poo poo. If nothing else, this is a good tool for server admins who are documenting server configs, etc.

    As always, thanks for popping this tool on AO.

    I will fire up VB studio and check this guy out and see what I can find....
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hrrrmph.... I do this as domain admin..... I wasn't really thinking of it as a tool to be used on non-domain machines...... My bad.... I'll take a look and see if I can add the user/password combo to the routines.....

    But on second thoughts that might not be possible unless the user/password combo was already an admin of the remote since the SID would be different. Thus i'm thinking that the tool would be useless on a machine that you did not already have admin rights to. I think the only way it would work this way is if you used pwdump2 or 3 and JTR to get the SID/PW combo and fake it..... I dunno.... need to think more..... works a treat for domain admins though... and since that's my job the tool was written for me really.....

    on third thoughts..... if you put it on a floppy or cd....fire up cmd from the floppy or cd and run the script to the floppy back to a floppy on the local machine it might pull some of the info, (if not all), depending who's context you are working in and it would still be non-invasive

    Working..... Thinking.......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok......

    After digging around and begging for help elsewhere someone came up with the code I needed to make this baby run on a remote machine that you do not inherently have rights. I have tested it against a machine while logged into my local machine, (not the domain), against an employees machine using her admin name /password combo and it functioned perfectly.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides