#!perl -w # This script looks for Microsoft OS machines on a list of subnets; if our context gives us # sufficient rights to read the resulting machine's registries, add them to a report. The # point is to run this under a context which shouldn't have access to the target registries # ... and thus discover which machines are more 'open' than anticipated. # V Who When What # --------------------------------------------------------------------------- # 1.0 skendric 10-27-2003 First Version # # Author: Stuart Kendrick, sbk {insert 'at' sign here} skendric {insert '.' here} com # # Source: http://www.skendric.com/microsoft # # This software is available under the GNU GENERAL PUBLIC LICENSE, see # http://www.fsf.org/licenses/gpl.html # # # I used Paul Popour's (ppopour@infoave.net) SRVCPUMEM.PL script as inspiration # # This script takes the following approach: # -Ping first address on first subnet # -If answers, query for a test registry entry # -If succeed, query for a list of interesting registry entries # -Add to report # # Requirements: # -The target(s) must be pingable (ICMP Echo) and must be listening # and reachable on either TCP port 139 or 445 # -You must run the script under the context of an account which # has sufficient privileges to read the registry on the remote # machines of interest to you # -Net::Ping, Net::Telnet, Win32, Win32::AdminMisc, Win32::MachineInfo, # Win32::NetAdmin, Win32::NBTStat, Win32::TieRegistry # # # Assumptions: # # # Tested on: # -perl-5.8.0 # # # Instructions: # -Customize the script for your site: find the 'user-configurable # variables' section and modify as appropriate # -Try it out: "open-ms-hosts.pl 127.0.0.1" # -Go for the gusto: "open-ms-hosts.pl" # # # Caveats: # # # Known Bugs: # # # To do: # -Figure out a way to more accurately identify devices running a # Microsoft OS # # Begin script # Load modules use strict; use Net::Ping; use Net::Telnet; our $Registry; use Win32; use Win32::AdminMisc; use Win32::MachineInfo; use Win32::NetAdmin; use Win32::NBTStat; use Win32::TieRegistry ( TiedRef => \$Registry, Delimiter => "/", ArrayValues => 1, SplitMultis => 1, AllowLoad => 1, qw( REG_SZ REG_EXPAND_SZ REG_DWORD REG_BINARY REG_MULTI_SZ KEY_READ KEY_WRITE KEY_ALL_ACCESS ), ); # Declare variables our @class; # A, B, or C our $debug; # Debug level our @host; # Device(s) to query our $guest; # Name of "guest" account to examine our $guestEnable; # Set to '1' if $guest is enabled our $guestPriv; # 'guest', 'user', 'admin', or 'unknown' our $i; # Iterates across @majorNetwork, @class, and @mask our $icmpTimeout; # Timeout in seconds for ICMP Echo our @mask; # Subnet mask used in @majorNetwork our $netString; # Holds text used in reports our @majorNetwork; # Major network number our $report; # Report file our @sample; # Addresses we ping to determine whether or not a subnet # is alive our @subNet; # A list of subnets to ping our @suffix; # @majorNetwork with the trailing zeroes stripped off our $tcpTimeout; # Timeout in seconds for TCP SYN our $verbose; # Print status to the screen our $ComputerName; our $CurrentBuildNumber; our $OSVersion; our $ServicePack; our $DefaultUser; # Define global variables $| = 1; # Set AUTOFLUSH to true to support # printing the "!" progress marks $debug = 0; # 3 = Enable grody debugging # 2 = Enable verbose debugging # 1 = Enable basic debugging # 0 = Disable debugging # Define user-configureable variables $guest = "guest"; $report = "c:\\temp\\open-ms-hosts.txt"; $icmpTimeout = 1; $tcpTimeout = 2; $verbose = 1; # Network definition @class = qw /B/; @majorNetwork = qw /10.1.0.0/; @mask = qw /24/; @sample = qw /1 255/; @subNet = qw / 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 /; # Calculated variables # Create @suffix for (my $i = 0; $i < @majorNetwork; $i++) { if ($class[$i] eq "A") { ($suffix[$i]) = ($majorNetwork[$i] =~ /(\d+)\./); } elsif ($class[$i] eq "B") { ($suffix[$i]) = ($majorNetwork[$i] =~ /(\d+\.\d+)\./); } elsif ($class[$i] eq "C") { ($suffix[$i]) = ($majorNetwork[$i] =~ /(\d+\.\d+\.\d+)\./); } } # Build $netString for (my $i = 0; $i < @majorNetwork; $i++) { if (defined $netString) { $netString = $netString . "\n# "; $netString = $netString . $majorNetwork[$i]; } else { $netString = $majorNetwork[$i]; } } # Grab arguments @host = @ARGV; ##### Begin Main Program ############################################### { &error_check; &prepare; &walk_targets; &clean_up; } ##### End Main Program ################################################# ######################################################################## # Clean up ######################################################################## sub clean_up { # Debug trace if ($debug) { &trace_location("begin") } close OUTPUT; # Debug trace if ($debug) { &trace_location("end") } return 1; } ######################################################################## # Check for obvious errors ######################################################################## sub error_check { # Debug trace if ($debug) { &trace_location("begin") } # Class must belong to A|B|C foreach my $class (@class) { unless ($class eq "A" or $class eq "B" or $class eq "C") { die "\@class must contain only A|B|C\n"; } } # Debug trace if ($debug) { &trace_location("end") } return 1; } ######################################################################## # Gather data ######################################################################## sub gather_data { my %info; my $key; my $target = shift; # Address to examine my %Attribs; # Debug trace if ($debug) { &trace_location("begin") } # Use Win32::MachineInfo to acquire a bunch of stats (Win32::MachineInfo::GetMachineInfo($target, \%info)); # ComputerName $ComputerName = $info{computer_name}; # OSVersion $OSVersion = $info{osversion}; # Service Pack $ServicePack = $info{service_pack}; ($ServicePack) = ($ServicePack =~ /Service Pack (\d+)/); # CurrentBuildNumber if ($key = $Registry->Open("//$target/LMachine/SOFTWARE/Microsoft/Windows NT/CurrentVersion/", {Access=>KEY_READ}) ) { $CurrentBuildNumber = $key->GetValue("CurrentBuildNumber"); } # Read the registry for the rest # DefaultUserName if ($key = $Registry->Open("//$target/LMachine/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/", {Access=>KEY_READ}) ) { $DefaultUser = $key->GetValue("DefaultUserName"); } # Examine the $guest account if (Win32::NetAdmin::UsersExist($target, $guest)) { my $host = "\\\\" . $target; if (Win32::AdminMisc::UserGetMiscAttributes($host, $guest, \%Attribs)) { if (! ($Attribs{USER_FLAGS} & UF_ACCOUNTDISABLE) ) { $guestEnable = 1; if ($Attribs{USER_PRIV} == 0) { $guestPriv = "guest" } elsif ($Attribs{USER_PRIV} == 1) { $guestPriv = "user" } elsif ($Attribs{USER_PRIV} == 2) { $guestPriv = "admin" } else { $guestPriv = "unk" } } else { $guestEnable = 0; $guestPriv = "n/a"; } } } # Debug trace if ($debug) { &trace_location("end") } return 1; } ######################################################################## # Figure out if this address is alive ######################################################################## sub is_alive { my $alive; # Does it an answer an ICMP Echo? my $p; # Net::Ping object my $target = shift; # IP address to ping # Debug trace if ($debug > 1) { &trace_location("begin") } # Send an ICMP Echo to the target, set $alive appropriately $p = Net::Ping->new("icmp", $icmpTimeout); if ($p->ping($target)) { $alive = 1; } else { $alive = 0; } $p->close(); # Entertain operator if ($verbose) { if ($alive) { print "!" } else { print "." } } # Debug trace if ($debug > 2) { if ($alive) { print "$target is alive\n" } else { print "$target is dead\n" } } if ($debug > 1) { &trace_location("end") } # Return answer return $alive; } ######################################################################## # Figure out if this target is running a Microsoft OS. This routine # incorrectly identifies machines running Samba and other SMB servers # as running Windows. ######################################################################## sub is_microsoft { my $microsoft; # Is this device running a Microsoft OS? my $mode; # Errmode for Net::Telnet my $obj; my $ok; # Result of Net::Telnet my $p; # Net::Ping object my @ports; # TCP ports to try my $target = shift; # Address to examine my $timeout; # How long to wait for machine to respond # Debug trace if ($debug > 1) { &trace_location("begin") } # Define variables $microsoft = 0; $mode = "return"; @ports = qw /445 139/; $timeout = 5; # If the target is listening on port 445 or 139, assume that it is running # a Microsoft OS foreach my $port (@ports) { $obj = new Net::Telnet ( Errmode => $mode, Port => $port, Timeout => $timeout ); $ok = $obj->open($target); if ($ok) { $microsoft = 1; last; } } # Debug trace if ($debug > 2) { if ($microsoft) { print "$target smells like Windows\n" } else { print "$target not Windows\n" } } if ($debug > 1) { &trace_location("end") } # Return answer return $microsoft; } ######################################################################## # Figure out whether or not we can read this machine's registry ######################################################################## sub is_ours { my $identifier; my $key; my $obj; my $ours; # Does this device fall within our purvue? my $target = shift; # Address to examine # Debug trace if ($debug > 1) { &trace_location("begin") } # If we can attach to the registry and read System{Identifier}, set $ours appropriately if ($key = $Registry->Open("//$target/LMachine/HARDWARE/DESCRIPTION/System/", {Access=>KEY_READ}) ) { if ($identifier = $key->GetValue("Identifier") ) { $ours = 1; } else { $ours = 0; } } else { $ours = 0; } # If the box isn't ours, record its IP address, ComputerName, and UserName and move on unless ($ours) { $obj = new Win32::NBTStat (ip => $target); if (defined $obj->computername) { $ComputerName = $obj->computername } else { $ComputerName = "" } if (defined $obj->username) { $DefaultUser = $obj->username } else { $DefaultUser = "" } print OUTPUT "$target\t$ComputerName\t$DefaultUser\n"; } # Debug trace if ($debug > 2) { if ($ours) { print "$target is ours\n" } else { print "$target not ours\n" } } if ($debug > 1) { &trace_location("end") } # Return answer return $ours; } ######################################################################## # Open report file ######################################################################## sub prepare { # Debug trace if ($debug) { &trace_location("begin") } # Wipe old report if (-e $report) { unlink $report or die "Can't erase $report:$!" } # Open report open (OUTPUT, ">>$report") or die "Can't open $report:$!"; print OUTPUT "IP\tName\tUser\tVersion\tBuild\tSP\tguestPriv\n"; # Debug trace if ($debug) { &trace_location("end") } return 1; } ######################################################################## # Print data ######################################################################## sub print_data { my $target = shift; # Address we have been examining # Debug trace if ($debug) { &trace_location("begin") } # Add a line to the report print OUTPUT "$target\t$ComputerName\t$DefaultUser\t$OSVersion\t$CurrentBuildNumber\t$ServicePack\t"; # If the $guest account is enabled, add privilege level if ($guestEnable) { print OUTPUT "\t$guestPriv" } # Finish with a carriage return print OUTPUT "\n"; # Verbosity if ($verbose) { print "\nProcessing $target: $ComputerName\n"; } # Debug trace if ($debug) { &trace_location("end") } return 1; } ######################################################################## # Show the progRammer where we are ######################################################################## sub trace_location { my $location = shift; my ($subroutine) = (caller (1))[3]; if ($location eq "begin") { print "\nEntering &$subroutine\n"; } elsif ($location eq "end") { print "Leaving &$subroutine\n"; } return 1; } ######################################################################## # Walk hosts, gathering data and adding to the report as we go ######################################################################## sub walk_hosts { my $host; # Debug trace if ($debug) { &trace_location("begin") } # Walk through hosts foreach $host (@host) { # If it answers a ping if (&is_alive($host)) { # If it is running a Microsoft OS if (&is_microsoft($host)) { # If it falls within our purvue, then ask it questions and add it # to the report if (&is_ours($host)) { &gather_data($host); &print_data($host); } # Ours } # Microsoft } # Alive } # Hosts # Debug trace if ($debug) { &trace_location("end") } return 1; } ######################################################################## # Walk networks ######################################################################## sub walk_networks { my $subNet; my $target; # Debug trace if ($debug) { &trace_location("begin") } # Loop through networks for ($i = 0; $i < @suffix; $i++) { if ($class[$i] eq "A") { foreach $subNet (@subNet) { $target = $suffix[$i] . "." . $subNet; foreach $subNet (@subNet) { $target = $target . "." . $subNet; &walk_subnets ($target); } } } elsif ($class[$i] eq "B") { foreach $subNet (@subNet) { $target = $suffix[$i] . "." . $subNet; &walk_subnets ($target); } } elsif ($class[$i] eq "C") { $target = $suffix[$i]; &walk_subnets ($target); } } # Debug trace if ($debug) { &trace_location("end") } return 1; } ######################################################################## # Walk subnets, gathering data and appending to report ######################################################################## sub walk_subnets { my $alive; # Does the subnet exist? my $ip; # Address we are currently examining my $network = shift; # Class C network to examine my $p; # Net::Ping object my $test_address; # Address to ping to determine whether or # not the subnet exists # Debug trace if ($debug) { &trace_location("begin") } # See if the subnet exists by pinging the @sample addresses on it # Assume that if fping returns "is alive" for any one address # that the subnet exists. If fping returns "Permission denied" (the OS # on which I develop this script refuses to allow pings to the broadcast # address if it knows that this is a broadcast address), assume that the # subnet is alive. $alive = 0; foreach my $sample (@sample) { $test_address = $network . "." . $sample; if (&is_alive($test_address)) { $alive = 1; last; } } # If the subnet exists, then ping the nodes on it if ($alive) { # Walk through nodes foreach my $node (1 .. 254) { $ip = $network . "." . $node; # If it answers a ping if (&is_alive($ip)) { # If it is running a Microsoft OS if (&is_microsoft($ip)) { # If it falls within our purvue, then ask it questions and add it # to the report if (&is_ours($ip)) { &gather_data($ip); &print_data($ip); } # Ours } # Microsoft } # Alive } # Nodes } # Subnet exists # Otherwise, subnet does not exist: do nothing else { my $target = $network . ".0/" . $mask[$i]; if ($debug > 2) { print "$target is not reachable\n" } } # Debug trace if ($debug) { &trace_location("end") } return 1; } ######################################################################## # Walk targets ######################################################################## sub walk_targets { # Debug trace if ($debug) { &trace_location("begin") } if (@host) { &walk_hosts } else { &walk_networks } # Debug trace if ($debug) { &trace_location("end") } return 1; }