I ran across a problem with my backup software and USB drives a while back. Namely, when I changed out the drives they would sometimes randomly change the drive letter, and since the backup was looking for a specific path, E:\ or whatever, it would fail. Failed backups are of no use to me. I don't want to take the time to go plug in the backup drives, then log into the server and check to make sure they have the proper drive letter assigned. It's a repetitive task that does not offer me any gained value.
The biggest hassle of this is that I use diskpart. Microsoft has seen fit to have diskpart not display the same output two times in a row when running diskpart and not keeping it open. So if you run diskpart and output the volume list, then close it and run it again, you're going to get two different outputs: same data, different order. Long story short, you have to keep diskpart running somewhere in the background to get the output of commands to be the same.
-=Script=-
@echo off
rem Timestamp pieces for the log lines; assumes the date format Ddd MM/DD/YYYY
Set mm=%date:~4,2%
Set dd=%date:~7,2%
Set yyyy=%date:~10,4%
Set h=%time:~0,2%
if "%h:~0,1%"==" " set h=0%time:~1,1%
set m=%time:~3,2%
rem Keep a diskpart instance alive in the background so "list volume" comes back in a stable order
start /min diskpart.exe
rem script.txt holds the single line: list volume
diskpart /s script.txt > output.txt
rem On a "Volume N  Ltr  Label ..." line token 3 is the letter and token 4 the label
for /f "tokens=3,4 delims= " %%a in (output.txt) do if /i %%b==VOLUMENAME if /i %%a==G goto end1
for /f "tokens=3,4 delims= " %%a in (output.txt) do if /i %%b==VOLUMENAME if /i not %%a==G goto AssignG
:AssignG
echo Assigning G
rem Write a two-line diskpart script: "select Volume N" then the letter assignment
for /f "tokens=1,2 delims= " %%a in ('type output.txt ^| find /i "VOLUMENAME"') do echo select %%a %%b > assigng.txt
echo assign letter = G >> assigng.txt
diskpart /s assigng.txt
del /f /q assigng.txt
echo %mm%/%dd%/%yyyy% %h%:%m% >> logs.txt
echo Drive letter was changed and should be assigned properly >> logs.txt
taskkill /f /im diskpart.exe
del /f /q output.txt
exit
:end1
echo %mm%/%dd%/%yyyy% %h%:%m% >> logs.txt
echo drive letter assigned properly >> logs.txt
taskkill /f /im diskpart.exe
del /f /q output.txt
exit
The beginning is just some log keeping I like to do: it sets variables with the date and time.
Then we start our background diskpart, which is what gives us consistent output from diskpart. The diskpart script (diskpart /s script.txt) is simply "list volume", basically dumping a list of all volumes currently on the system.
Next we do some checks to see whether VOLUMENAME (replace with the name of the volume you're looking for) has the letter it needs to have (in this case G).
If everything is proper and VOLUMENAME is assigned the drive letter G, then it writes the result to the log file and exits.
If something has gone awry and VOLUMENAME is not assigned to G, then it sets off to change it in :AssignG.
AssignG writes out a diskpart script to change the drive letter to G. It then runs diskpart /s assigng.txt to do the actual work, then does a bit of logging to tell me that it had to change it.
Then it kills the background diskpart task, as we can't have these things running about wild.
That's it. It's handy. One less thing I have to do every day. Fewer repetitive tasks are better; that leaves more time for mayhem.
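The same check done in Python, as an added example that is not part of the original post: it cuts a diskpart list volume dump at the column boundaries instead of at whitespace, so a volume with no drive letter (which shifts the tokens the batch script's tokens=3,4 trick depends on) is still read correctly, and it refuses to hand out a letter that another volume already holds. The sample dump and the BACKUP01 label are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a "diskpart> list volume" dump (not captured from a real box).
# Volume 1 has no drive letter: with "tokens=3,4" the batch script would read its
# label as the letter and its file system as the label.
SAMPLE_LIST_VOLUME = """\
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0    D                        DVD-ROM         0 B  No Media
  Volume 1         System Rese  NTFS   Partition    100 MB  Healthy    System
  Volume 2    C                 NTFS   Partition     59 GB  Healthy    Boot
  Volume 3    E    BACKUP01     NTFS   Partition    931 GB  Healthy
"""


def column_spans(ruler: str) -> List[Tuple[int, int]]:
    """(start, end) of every dash run in the ruler line printed under the header."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]


def parse_list_volume(text: str) -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Parse 'list volume' output into rows keyed by header name, plus column widths.

    Fields are cut at the ruler's column boundaries, so an empty Ltr cell stays
    empty instead of pulling every later field one token to the left.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    hdr = next(i for i, ln in enumerate(lines) if ln.lstrip().startswith("Volume ###"))
    spans = column_spans(lines[hdr + 1])
    names = [lines[hdr][s:e].strip() for s, e in spans]
    widths = {n: e - s for n, (s, e) in zip(names, spans)}
    rows = [{n: ln[s:e].strip() for n, (s, e) in zip(names, spans)} for ln in lines[hdr + 2:]]
    return rows, widths


def find_by_label(rows: List[Dict[str, str]], label: str, label_width: int) -> Optional[Dict[str, str]]:
    """diskpart truncates labels to the column width, so match on that prefix."""
    wanted = label[:label_width]
    return next((r for r in rows if r["Label"] == wanted), None)


def plan_assignment(text: str, label: str, letter: str) -> str:
    """Return the diskpart script that moves `label` to `letter`, or '' if it is already there."""
    rows, widths = parse_list_volume(text)
    vol = find_by_label(rows, label, widths["Label"])
    if vol is None:
        raise LookupError(f"no volume labelled {label!r}")
    letter = letter.upper()
    if vol["Ltr"].upper() == letter:
        return ""  # already where the backup job expects it
    holder = next((r for r in rows if r["Ltr"].upper() == letter), None)
    if holder is not None:
        # diskpart would fail here; the batch script never checks and would log a bogus success
        raise RuntimeError(f"{letter}: is already used by {holder['Volume ###']}")
    number = vol["Volume ###"].split()[1]
    return f"select volume {number}\nassign letter={letter}\n"


if __name__ == "__main__":
    print(plan_assignment(SAMPLE_LIST_VOLUME, "BACKUP01", "G"), end="")
```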
Showing posts with label Usefull.
Tuesday, July 10, 2012
Assign Drive Letters by Volume Name in Batch
Wednesday, June 27, 2012
DIY Replace the USB cable for WASP WLS9500
I'd like to take a moment and call WASP out on their complete bullshit overpriced USB cables for their barcode scanners. Specifically the WLS9500:
First off, the cables have about an 80% failure rate within 3-4 months, from my experience.
Second, the price they want for a replacement cable is ridiculous, on average around the web about $55 USD.
They use an RJ-50, aka the RJ-45 10-pin adapter, for the connection to the scanner. Why an RJ-50? They must be using those 10 pins for something really cool, right? Surely they wouldn't do this just to charge more to their customers and make it difficult to fix yourself...
When you take the plug end out of the scanner to look at the pin out you see this:
1- Black
2- Red
3- Black
4- White
5- White
6- Black
7- Green
9- White
10-White
When you get down to it and manage to get the actual plug end uncovered from the "protective" sleeve that they've glued and molded onto the plug, which is no small task might I add, you see that most of it is just blank pieces of plastic taking up space.
Pins 4,8,9, and 10 are complete bullshit, just pieces of plastic, there's not even copper wire in them, 100% plastic. Useless, unneeded, plastic that serves no purpose.
Pins 1 and 6 are looped together with one piece of wire in a U shape. And wouldn't you know, it doesn't work properly without 1 and 6 looped, what an amazing coincidence that you COULD make this thing with just a standard RJ45, or a RJ11 and make it easily serviceable, replaceable, and able to be done in house.
So after you eliminate those 6 pins you're left with your regular 4 USB wires in slots 2,3,5,7.
Actual pinout
1- Black - Looped to 6
2- Red - USB
3- Black - USB
4- Useless
5- White - USB
6- Black - Looped to 1
7- Green - USB
8- Useless
9- Useless
10- Useless
Ordered the equipment online, crimper ~$40, ends .99 / each. If you have a small fleet of these things to take care of, like I do, I suggest you make the investment also and tell WASP to get bent.
Friday, March 23, 2012
Download from the internet with a batch file
So occasionally I want to write a script but I'll need it to download something from a website or wherever. Without using 3rd party utilities you're pretty well hosed in the windows world. Except for BITSadmin.
Bitsadmin is very handy for this process, sometimes it doesn't work and spouts out some error about server didn't respond with file size or some such nonsense, but for the most part it's fairly reliable.
-=The Script=-
@echo off
bitsadmin /transfer jobname /download /priority normal http://addreess.com/file.ext "%cd%\whatever.ext"
Batch Ping Scan and Name Resolution
It's not fancy, but if you can't "import" any tools to a windows system this will do a basic job of finding hosts and resolving their names.
Quick, simple, uses nothing but built in components in the windows system.
@echo off
Title Scan
mode con: cols=20 lines=5
echo Enter Network:
echo [Example 192.168.1]
set /p network=
cls
mode con: cols=60 lines=254
title Scanning Network %network%.0/24
echo Scanning...
for /L %%i in (1,1,255) do ping -n 1 -w 60 %network%.%%i | find /i "reply" >> ~temp1
for /f "tokens=3 delims=: " %%i in (~temp1) do echo %%i >> ~temp2
del /f /q ~temp1 > nul
cls
title Resolving Network %network%.0/24
for /f %%i in (~temp2) do for /f "tokens=2 delims=: " %%g in ('nslookup %%i 2^>nul ^| find /i "name"') do echo %%i %%g
for /f %%i in (~temp2) do for /f "tokens=1 delims=: " %%g in ('nslookup %%i 2^>^&1 ^| find /i "***"') do echo %%i Hostname Lookup Failed
del /f /q ~temp2 > nul
pause
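The parsing half of that script in Python, as an added example that is not part of the original post: it extracts addresses from the same Reply from lines and host names from nslookup's Name: line, but counts a Destination host unreachable line as a miss, which the find /i "reply" filter above lets through as a hit. Ping output, nslookup output, addresses and host names are all constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed lines standing in for what the batch script appends to ~temp1
# (ping output filtered through find /i "reply"). A "Destination host
# unreachable" line also begins with "Reply from", and the address it carries
# is the host that gave up (here the scanning machine itself, 192.168.1.50),
# so the batch script records that address as "up" once per dead target.
SAMPLE_PING_LINES: List[str] = [
    "Reply from 192.168.1.1: bytes=32 time=1ms TTL=64",
    "Reply from 192.168.1.50: Destination host unreachable.",
    "Reply from 192.168.1.20: bytes=32 time<1ms TTL=128",
    "Request timed out.",
    "Reply from 192.168.1.50: Destination host unreachable.",
]

# Constructed nslookup outputs keyed by address (offline stand-in for 'nslookup %%i').
SAMPLE_NSLOOKUP: Dict[str, str] = {
    "192.168.1.1": (
        "Server:  dns01.corp.example\nAddress:  192.168.1.2\n\n"
        "*** dns01.corp.example can't find 1.1.168.192.in-addr.arpa.: Non-existent domain\n"
    ),
    "192.168.1.20": (
        "Server:  dns01.corp.example\nAddress:  192.168.1.2\n\n"
        "Name:    fileserver.corp.example\nAddress:  192.168.1.20\n"
    ),
}

# Only a genuine echo reply carries "bytes=" after the address.
ECHO_REPLY = re.compile(r"^Reply from (\d{1,3}(?:\.\d{1,3}){3}): bytes=\d+ ")


def live_hosts(ping_lines: List[str]) -> List[str]:
    """Addresses that returned a real echo reply, first-seen order, no duplicates."""
    seen: List[str] = []
    for line in ping_lines:
        m = ECHO_REPLY.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def resolve_name(nslookup_output: str) -> Optional[str]:
    """Host name from nslookup's 'Name:' line, or None when the lookup failed (*** line)."""
    for line in nslookup_output.splitlines():
        if line.startswith("***"):
            return None
        m = re.match(r"^Name:\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def scan_report(ping_lines: List[str], lookups: Dict[str, str]) -> List[str]:
    """Mirror the batch script's output: '<ip> <name>' or '<ip> Hostname Lookup Failed'."""
    report = []
    for addr in live_hosts(ping_lines):
        name = resolve_name(lookups.get(addr, ""))
        report.append(f"{addr} {name}" if name else f"{addr} Hostname Lookup Failed")
    return report


if __name__ == "__main__":
    print("\n".join(scan_report(SAMPLE_PING_LINES, SAMPLE_NSLOOKUP)))
```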
Thursday, March 22, 2012
RDP Over Tor
Hello, my Russian comrades.
Sometimes I like to use Tor for stuff. Sometimes that stuff is the Remote Desktop Protocol.
This requires that you have TOR set up and know how to use it, and aren't an idiot who thinks just turning on TOR will make you invisible to the world.
You'll also need a handy little program called socat:
----------
UPDATE
----------
Since this is the most popular post I have (I'm looking at you Russia) I figured I'd be a decent guy and find the socat binaries on the web and link to them.
Here's the link for Socat:
Socat Binaries For Windows
(French description on top, scroll to the bottom for English)
Respect to the Blog of the Nice Kiwi.
Extract that into one folder and add the script from below.
Toss until evenly coated.
You'll need to adjust the path for where TOR is installed for you.
-=The Script=-
@echo off
set c=%random%
if %c% GTR 15 goto less
if %c% LEQ 15 goto rainbow
:less
set c=%c:~1%
if %c% LEQ 15 goto rainbow
if %c% GTR 15 goto less
:rainbow
if %c% EQU 1 color 01
if %c% EQU 2 color 0A
if %c% EQU 3 color 03
if %c% EQU 4 color 04
if %c% EQU 5 color 05
if %c% EQU 6 color 0D
if %c% EQU 7 color 07
if %c% EQU 8 color 0F
if %c% EQU 9 color 09
if %c% EQU 10 color 02
if %c% EQU 11 color 0B
if %c% EQU 12 color 0C
if %c% EQU 13 color 06
if %c% EQU 14 color 0E
if %c% EQU 15 color 09
cls
Title Starting TOR
Echo Connecting to the DarkWebs
start "TOR" /DC:\progra~1\vidali~1\tor\tor.exe
cls
Title Meow~~~
echo ************
echo RDP over TOR
echo ************
echo +Enter Victim Address:
set /p victim=
cls
title Meow~~~ +%victim%
echo +Enter Victim Port: *default 3389
set /p port=
cls
title Meow~~~ +%victim%:%port%
echo +Enter Local Port to Listen on: *ex: 1234
set /p lport=
cls
title Meow~~~ +%victim%:%port% from 127.0.0.1:%lport%
echo #Give a CTRL+C to bail
echo +Launching MSTSC for you...
start mstsc /V:127.0.0.1:%lport%
echo +Connecting...
socat TCP4-LISTEN:%lport%,fork SOCKS4A:localhost:%victim%:%port%,socksport=9050
exit
***************
*BONUS STAGE*
***************
Same script except I got rid of the auto launch of mstsc and changed RDP to VNC in the text.
-=The Script=-
@echo off
set c=%random%
if %c% GTR 15 goto less
if %c% LEQ 15 goto rainbow
:less
set c=%c:~1%
if %c% LEQ 15 goto rainbow
if %c% GTR 15 goto less
:rainbow
if %c% EQU 1 color 01
if %c% EQU 2 color 0A
if %c% EQU 3 color 03
if %c% EQU 4 color 04
if %c% EQU 5 color 05
if %c% EQU 6 color 0D
if %c% EQU 7 color 07
if %c% EQU 8 color 0F
if %c% EQU 9 color 09
if %c% EQU 10 color 02
if %c% EQU 11 color 0B
if %c% EQU 12 color 0C
if %c% EQU 13 color 06
if %c% EQU 14 color 0E
if %c% EQU 15 color 09
cls
Title Starting TOR
Echo Connecting to the DarkWebs
start "TOR" /DC:\progra~1\vidali~1\tor\tor.exe
cls
Title Meow~~~
echo ************
echo VNC over TOR
echo ************
echo +Enter Victim Address:
set /p victim=
cls
title Meow~~~ +%victim%
echo +Enter Victim Port: *default 5900
set /p port=
cls
title Meow~~~ +%victim%:%port%
echo +Enter Local Port to Listen on: *ex: 1234
set /p lport=
cls
title Meow~~~ +%victim%:%port% from 127.0.0.1:%lport%
echo Connect VNC to 127.0.0.1:%lport%
echo +Connecting...
socat TCP4-LISTEN:%lport%,fork SOCKS4A:localhost:%victim%:%port%,socksport=9050
exit
Change your ports and any program that can run through SOCKS can be run through TOR with these scripts and socat.
Services Report
I was checking for weaknesses in services on a remote machine one time but going through them one at a time was annoying and I really wanted to just have a text file with all the info I could transfer off the machine to peruse at my leisure. So I made this. It enumerates all the services and then does a sc query on them and dumps the output to a text file.
It could be improved by doing a cacls report on the Binary_Path_Name of the service to see if there's write / modify access to the folder. Feel free to improve on it.
-=The Script=-
@echo off
rem List every service, running or stopped, and keep only the SERVICE_NAME lines
sc query state= all | find /i "Service_Name:" >> test.txt
rem Drop the "SERVICE_NAME:" prefix. The redirection is written first because a
rem name ending in a digit would otherwise be read as a numbered-handle redirect
for /f "tokens=2* delims= " %%a in (test.txt) do >> test2.txt echo %%a %%b
rem Round-trip each name through :sub1 to squeeze out the space left by an empty second token
for /f "tokens=* delims=" %%x in (test2.txt) do (
call :sub1 %%x)
goto :next
:sub1
if %1'==' goto :eof
>> clean.txt echo %*
goto :eof
:next
rem Dump the configuration of every service, binary path and account included, into one report
for /f "tokens=* delims=" %%v in (clean.txt) do sc qc "%%v" >> finally.txt
del /f /q test.txt
del /f /q test2.txt
del /f /q clean.txt
exit
Find Processes Running as a Domain Admin
You'll need a user account that's admin on all the local machines to run this one.
Searches all running processes on all computers reported from net view for a username that matches one from the file names.txt (you make that yourself). I suppose this could be augmented with another script to dump the net localgroup administrators /domain and parse that out into the names.txt file. I'll leave that as an exercise to the reader.
Useful for finding a token to steal or maybe a process to inject into.
-=The Script=-
@echo off
echo Enter Username
set /p user=
echo Enter Password
set /p password=
net view >> comp.txt
Echo Parsing Results...
for /f "tokens=1" %%i in (comp.txt) do echo %%i >> comp2.txt
for /f "delims=\" %%i in (comp2.txt) do echo %%i >> ips.txt
del /f /q comp.txt
del /f /q comp2.txt
FOR /F %%i in (ips.txt) DO @echo [+] %%i && @tasklist /V /S %%i /U %user% /P %password% 2>NUL > output.txt && FOR /F %%n in (names.txt) DO @type output.txt | findstr %%n > NUL && echo [!] %%n was found running a process on %%i && pause
Start cmd.exe as system in 1 minute
Not sure exactly why I wrote this one but it's come in handy a few times. For those times when Admin rights just aren't enough...
Starts cmd.exe running as system from the AT task scheduler one minute from the time the script is run.
-=The Script=-
@echo off
rem Split the current time into the hour, the tens-of-minutes digit and the ones digit
set tm=%time:~3,2%
set hr=%time:~0,2%
if "%hr:~0,1%"==" " set hr=0%time:~1,1%
set tens=%time:~3,1%
set ones=%time:~4,1%
echo %tm%
echo %tens%
echo %ones%
rem Next minute: bump the ones digit, or carry into the tens digit when it is 9
if %ones% == 0 set bt=1
if %ones% == 1 set bt=2
if %ones% == 2 set bt=3
if %ones% == 3 set bt=4
if %ones% == 4 set bt=5
if %ones% == 5 set bt=6
if %ones% == 6 set bt=7
if %ones% == 7 set bt=8
if %ones% == 8 set bt=9
if %ones% == 9 goto jmpten
at %hr%:%tens%%bt% /interactive cmd.exe
exit
:jmpten
rem Carry: the ones digit wraps to 0; a tens digit of 5 means the hour would change, which is not handled
if %tens% == 0 set btt=1
if %tens% == 1 set btt=2
if %tens% == 2 set btt=3
if %tens% == 3 set btt=4
if %tens% == 4 set btt=5
if %tens% == 5 goto badend
at %hr%:%btt%0 /interactive cmd.exe
exit
:badend
echo I'm lazy and didn't want to code this extra bit for the event of an hour change
echo Just wait a minute and run it again.
pause > nul
Ghetto As All Get Out Port Scanner
You're stuck in a network without internet access, you don't have a port scanner with you, can't leave to get one, no other options..... what do you do? WHAT DO YOU DO????
Thus was born the Ghetto as All Get Out Port Scanner. What an ugly bit of code.
This was being built into a larger script, so there's some stuff missing here obviously. The file ~temp2 would have the list of IP addresses. You would need to change the port (9100 in this case) or assign a new variable to handle running through the ports you wanted to check.
Of course you need telnet installed, so this isn't Windows Vista / 7 compatible.
-=The Script=-
@echo off
for /f %%i in (~temp2) do (
start /min telnet %%i 9100
ping -n 5 127.0.0.1 > nul
netstat -n | find /i "%%i:9100" | find /i "Established" && echo %%i >> up.txt
taskkill /f /IM telnet.exe
)
exit
Make a list of who is currently logged on to all computers
I wanted to start keeping a running sheet on who was logged in where so I wrote this guy up. Dumps a list from net view and parses it out then does a for loop to run a wmic command to see who's actively logged on to a computer.
-=The Script=-
@echo off
if exist C:\list2.txt del /f /q C:\list2.txt
net view >> C:\list.txt
rem Keep the first token of each line past the header, drop the "The command completed" trailer, strip the leading backslashes
for /F "skip=3 tokens=1" %%c IN (C:\list.txt) DO echo %%c >> c:\parsed0.txt
for /f %%G in (C:\parsed0.txt) do if NOT %%G==The echo %%G >> C:\parsed1.txt
for /F "delims=\\ tokens=1" %%g IN (C:\parsed1.txt) DO echo %%g >> C:\list2.txt
del /f /q C:\parsed0.txt > nul
del /f /q C:\parsed1.txt > nul
del /f /q C:\list.txt
echo List Generated
rem For each machine: ask WMI for the logged-on DOMAIN\user, then look up that user's full name in the domain
for /f %%i in (C:\list2.txt) do (
for /f "skip=1" %%v in ('wmic /failfast:2000 /node:%%i computersystem get username') do (
for /f "tokens=2 delims=\" %%c in ("%%v") do (
for /f "tokens=3,4" %%f in ('net user %%c /domain ^|find /i "Full Name"') do echo %%i %%v %%f %%g >> C:\whosthere.txt
)
)
)
echo Done.
del /f /q C:\list2.txt
Pause > nul
Retrieve logon name from Human Name
I hate it when I can't do something in pure batch. But sometimes you just gotta bite the bullet and use another language. Here's a (choke, vomit) VBS script to return the logon name given a user's human name.
And right now all of you that are saying "well that's retarded their username is just first initial last name" well not everyone rolls like that. Sometimes users get assigned random ass strings as their logon names and it gets pretty freaking annoying having to connect to the DC, find the user, look up their logon name.
You'll need to modify the LDAP address in the second to last part.
Now that I think about this I may have swiped this from somewhere else, I don't remember. If so sorry about not giving credit where credit is due...
-=The Script=-
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
strAnswer = InputBox("Please enter in Display Name for User you want Logon Name for:", _
"Logon Name")
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
"SELECT sAMAccountName FROM 'LDAP://dc=ACME,dc=local' WHERE objectCategory='user' " & _
"AND displayName = '" & strAnswer & "'"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
Wscript.Echo objRecordSet.Fields("sAMAccountName").Value
objRecordSet.MoveNext
Loop
Now that I think about it, I think I can do this in batch... I'll update this if I get time to do it.
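An added example, not part of the original post, on the one thing worth fixing in that VBS: the InputBox text is concatenated straight into CommandText, so a display name with a single quote breaks the literal and any other text can rewrite the WHERE clause. The Python below builds the same statement with the value escaped for the ADSI SQL dialect and, as an alternative, the equivalent LDAP filter escaped per RFC 4515; the base DN is the post's placeholder and the display names are made up.

```python
# Base DN copied from the post's placeholder query; replace with your own.
BASE_DN = "LDAP://dc=ACME,dc=local"


def naive_query(display_name: str) -> str:
    """What the VBS builds: the value is concatenated without any escaping."""
    return (f"SELECT sAMAccountName FROM '{BASE_DN}' WHERE objectCategory='user' "
            f"AND displayName = '{display_name}'")


def sql_dialect_query(display_name: str) -> str:
    """Same statement with the literal escaped for the ADSI SQL dialect.

    In that dialect a single quote inside a string literal is written as two
    single quotes, and '*' acts as a wildcard, so a bare '*' would match every
    user; a lookup by exact display name has no business containing one.
    """
    if "*" in display_name:
        raise ValueError("wildcards are not allowed in a display name lookup")
    escaped = display_name.replace("'", "''")
    return (f"SELECT sAMAccountName FROM '{BASE_DN}' WHERE objectCategory='user' "
            f"AND displayName = '{escaped}'")


# RFC 4515: these characters must be hex-escaped inside an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter(display_name: str) -> str:
    """LDAP-filter equivalent of the query, usable with ADSI's LDAP dialect or any LDAP client."""
    return f"(&(objectCategory=user)(displayName={ldap_escape(display_name)}))"


def quotes_balanced(query: str) -> bool:
    """Cheap sanity check: an odd number of single quotes means a broken literal."""
    return query.count("'") % 2 == 0


if __name__ == "__main__":
    print(naive_query("O'Brien, Sean"))        # unbalanced quote, the VBS would send this
    print(sql_dialect_query("O'Brien, Sean"))  # quote doubled, literal intact
    print(ldap_filter("Smith (Contractor)"))    # parentheses hex-escaped
```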
Change IP Script
Got tired of all the clicking and right clicking to change my interface address one day while setting up a bunch of equipment that lived in different subnets.
-=The Script=-
@echo off
title Set IP
echo Which Interface?
netsh interface show interface
set /p int=
cls
echo Interface %int%
Echo Static (s) or DHCP (d)
set /p con=
if %con%==s goto setip
if %con%==d goto dhcp
:setip
cls
echo Interface %int%
Echo Enter IP Address
set /p ipadd=
echo Enter Subnet Mask
set /p subnet=
echo Enter Default Gateway
set /p defgat=
echo Do you want to set DNS servers also? (y/n)
set /p ans=
if %ans%==y goto sdns
if %ans%==n echo DNS servers will not be set.
Echo Setting IP Address...
netsh interface ip set address "%int%" static %ipadd% %subnet% %defgat% 1
pause
exit
:sdns
cls
echo DNS Server Setup
echo Enter the IP address of the first dns server
set /p one=
echo Enter the IP address of the second dns server
set /p two=
echo Adding DNS 1...
netsh interface ip add dns "%int%" %one%
echo Adding DNS 2...
netsh interface ip add dns "%int%" %two%
Echo Setting IP Address...
netsh interface ip set address "%int%" static %ipadd% %subnet% %defgat% 1
exit
:dhcp
cls
Echo Interface %int%
echo Setting Interface to DHCP...
netsh interface ip set address "%int%" dhcp
pause
exit
Find domain users who changed their passwords today
Wrote this one up just to see if I could. Thought it might make for a good post exploit drop in case you wanted to monitor which users changed their passwords, maybe have it trigger a fresh dump of the domain hashes and mail them to you or post them somewhere. Whatever.
Spits out some errors about user names not found sometimes but it seems to get the job done.
-=The Script=-
@echo off
Echo +Getting User List
for /f "tokens=1,2,3 skip=6" %%a in ('net user /domain') do echo %%a >> C:\people.txt && echo %%b >> C:\people.txt && echo %%c >> C:\people.txt
Echo +Cleaning User List
for /f "tokens=*" %%d in (C:\people.txt) do if not "%%d" == "ECHO is on." if not "%%d" == "ECHO is off." if not "%%d" == "The " if not "%%d" == "command " if not "%%d" == "completed " echo %%d >> C:\cleanpeople.txt
del /f /q C:\people.txt
Echo +Setting Time Variables
if 0 == %date:~4,1% set mn=%date:~5,1%
if not 0 == %date:~4,1% set mn=%date:~4,2%
if 0 == %date:~7,1% set dy=%date:~8,1%
if not 0 == %date:~7,1% set dy=%date:~7,2%
set now=%mn%/%dy%/%date:~10,4%
Echo +Finding Active Accounts
for /f %%g in (C:\cleanpeople.txt) do for /f "tokens=3" %%h in ('net user %%g /domain ^| find /i "Account Active"') do if %%h == Yes echo %%g >> C:\activecleanpeople.txt
del /f /q C:\cleanpeople.txt
cls
Echo +Finding Users Who Changed Their Passwords Today
for /f %%e in (C:\activecleanpeople.txt) do for /f "tokens=4" %%f in ('net user %%e /domain ^| find /i "Password last set"') do if %%f == %now% echo %%e changed their password today
del /f /q C:\activecleanpeople.txt
Echo Finished.
pause > nul