page | 1
Contents
Virtual Machine .................................................................. 2
What’s Included ................................................................ 2
Before Using ................................................................... 2
Required Components .............................................................. 2
Virtual Machine Required Components: ........................................... 2
Tools ............................................................................ 4
Active Directory Configuration ................................................. 4
Backup Configuration ........................................................... 5
Domain Login Scripts ........................................................... 5
DNS Configuration & DHCP Configuration ......................................... 5
Event Logs ..................................................................... 8
Exchange Configuration ......................................................... 8
Group policy ................................................................... 8
Local Computer Policies ........................................................ 9
Network Storage ................................................................ 9
Main Script ..................................................................... 10
Maintenance ................................................................... 24
Nessus .......................................................................... 27
Includes the following scans: ................................................. 27
Nessus Tutorial ............................................................... 27
Output Files .................................................................... 28
Contact Information ............................................................. 29
page | 2
Virtual Machine
What’s Included
Virtual Machine name: ADCaRS_VM
Operating system: Microsoft Windows 7 Professional
Up-to-date Windows Updates
A Snapshot of original state
Preloaded Required Components (see Required Components for more details)
All required scripts (see Tools for more details)
Nessus Home (See Nessus for more details)
Before Using
Follow these steps to get the VM ready for scanning:
1. Log into provided account:
Domain\Username: SixtyFPS\Administrator
Password: see VM description
2. Configure any IP if necessary
3. Log into client’s domain
4. Restart
5. VM is now ready to use. Run ‘C:\ADCaRS.ps1’
Required Components
Virtual Machine Required Components:
"C:\Required Components" contains all related installation files.
1. Windows Management Framework 4.0
http://www.microsoft.com/en-ca/download/details.aspx?id=40855
Windows6.1-KB2819745-x64-MultiPkg.msu
2. Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
http://www.microsoft.com/en-us/download/details.aspx?id=7887
Windows6.1-KB958830-x64-RefreshPkg.msu
Enable the following Windows Features:
a. Group Policy Management Tools
b. Active Directory Module for Windows PowerShell
Import the Active Directory module into PowerShell with the following command: Import-Module ActiveDirectory
3. Microsoft Exchange Management Tool
Enable the following Windows Features:
a. IIS 6 Management Console
b. IIS Metabase and IIS 6 configuration compatibility
Exchange 2010 Architecture Report V2 PowerShell script: https://gallery.technet.microsoft.com/office/Exchange-2010-Architecture-9368ff56
Tools
Active Directory Configuration
FILENAME: ad_config.ps1
AUTHOR: Krzysztof Pytko (iSiek)
LINKS: http://kpytko.pl/active-directory-domain-services/active-directory-reporting-version-2/
REQUIREMENTS (see Required Components):
Active Directory Module for Windows PowerShell
CODE: Please see link for actual code.
Backup Configuration
FILENAME: backup_config.ps1
AUTHOR: SixtyFPS
LINKS: https://technet.microsoft.com/en-us/library/ee706683.aspx
CODE:
Start-Transcript "C:\Temp\Backup Configuration.txt"
Write-Host "Backup Policies"
Invoke-Command -ComputerName $servername2 -ScriptBlock {Get-WBPolicy}
Write-Host "Backup Files"
Invoke-Command -ComputerName $servername2 -ScriptBlock {Get-WBBackupSet}
Stop-Transcript
Domain Login Scripts
FILENAME: domain_login_scripts.ps1
AUTHOR: SixtyFPS
LINKS: http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx
http://oxfordsbsguy.com/2013/04/16/powershell-get-aduser-to-retrieve-logon-scripts-and-home-directories/
CODE:
Get-ADUser -filter * -properties scriptpath| ft Name, ScriptPath > "C:\Temp\Domain Login Scripts.txt"
DNS Configuration & DHCP Configuration
FILENAME: dns_dhcp.ps1
AUTHOR: Karl Mitschke
LINKS: https://gallery.technet.microsoft.com/Gather-DNS-settings-from-fec23eaa
http://unlockpowershell.wordpress.com/2010/05/12/powershell-wmi-gather-dns-settings-for-all-servers-2/
CODE:
[CmdletBinding(SupportsShouldProcess=$false, ConfirmImpact='Medium')]
param (
    [parameter(
        Mandatory=$false,
        ValueFromPipeline=$true)
    ]
    [String[]]$ComputerName=$Env:ComputerName,
    [Parameter(
        Position = 1,
        Mandatory = $false
    )]
    $Credential
)
BEGIN{
    #region PSBoundParameters modification
    if ($Credential -ne $null -and $Credential.GetType().Name -eq "String"){
        $PSBoundParameters.Remove("Credential") | Out-Null
        $PSBoundParameters.Add("Credential", (Get-Credential -Credential $Credential))
    }
    #endregion
    $AllServers = @()
    $ServerObj = @()
    $Member = @{
        MemberType = "NoteProperty"
        Force = $true
    }
}
PROCESS{
    $PSBoundParameters.Remove("ComputerName") | Out-Null
    foreach ($StrComputer in $ComputerName){
        $NetItems = $null
        Write-Progress -Status "Working on $StrComputer" -Activity "Gathering Data"
        $ServerObj = New-Object psObject
        $ServerObj | Add-Member @Member -Name "Hostname" -Value $StrComputer
        $NetItems = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = 'True'" -ComputerName $StrComputer @PSBoundParameters)
        $intRowNet = 0
        $ServerObj | Add-Member -MemberType NoteProperty -Name "NIC's" -Value $NetItems.Length -Force
        [STRING]$MACAddresses = @()
        [STRING]$IpAddresses = @()
        [STRING]$DNS = @()
        [STRING]$DNSSuffix = @()
        foreach ($objItem in $NetItems){
            if ($objItem.IPAddress.Count -gt 1){
                $TempIpAdderesses = [STRING]$objItem.IPAddress
                $TempIpAdderesses = $TempIpAdderesses.Trim().Replace(" ", " ; ")
                $IpAddresses += $TempIpAdderesses
            }
            else{
                $IpAddresses += $objItem.IPAddress +"; "
            }
            if ($objItem.{MacAddress}.Count -gt 1){
                $TempMACAddresses = [STRING]$objItem.MACAddress
                $TempMACAddresses = $TempMACAddresses.Replace(" ", " ; ")
                $MACAddresses += $TempMACAddresses +"; "
            }
            else{
                $MACAddresses += $objItem.MACAddress +"; "
            }
            if ($objItem.{DNSServerSearchOrder}.Count -gt 1){
                $TempDNSAddresses = [STRING]$objItem.DNSServerSearchOrder
                $TempDNSAddresses = $TempDNSAddresses.Replace(" ", " ; ")
                $DNS += $TempDNSAddresses +"; "
            }
            else{
                $DNS += $objItem.{DNSServerSearchOrder} +"; "
            }
            if ($objItem.DNSDomainSuffixSearchOrder.Count -gt 1){
                $TempDNSSuffixes = [STRING]$objItem.DNSDomainSuffixSearchOrder
                $TempDNSSuffixes = $TempDNSSuffixes.Replace(" ", " ; ")
                $DNSSuffix += $TempDNSSuffixes +"; "
            }
            else{
                $DNSSuffix += $objItem.DNSDomainSuffixSearchOrder +"; "
            }
            $SubNet = [STRING]$objItem.IPSubnet[0]
            $intRowNet = $intRowNet + 1
        }
        $ServerObj | Add-Member @Member -Name "IP Address" -Value $IpAddresses.substring(0,$ipaddresses.LastIndexOf(";"))
        $ServerObj | Add-Member @Member -Name "IP Subnet" -Value $SubNet
        $ServerObj | Add-Member @Member -Name "MAC Address" -Value $MACAddresses.substring(0,$MACAddresses.LastIndexOf(";"))
        $ServerObj | Add-Member @Member -Name "DNS" -Value $DNS
        $ServerObj | Add-Member @Member -Name "DNS Suffix Search Order" -Value $DNSSuffix
        $ServerObj | Add-Member @Member -Name "DNS Enabled For Wins" -Value $objItem.DNSEnabledForWINSResolution
        $ServerObj | Add-Member @Member -Name "Domain DNS Registration Enabled" -Value $objItem.DomainDNSRegistrationEnabled
        $ServerObj | Add-Member @Member -Name "Full DNS Registration Enabled" -Value $objItem.FullDNSRegistrationEnabled
        $ServerObj | Add-Member @Member -Name "DHCP Enabled" -Value $objItem.DHCPEnabled
        $ServerObj | Add-Member @Member -Name "DHCP Lease Obtained" -Value $objItem.DHCPLeaseObtained
        $ServerObj | Add-Member @Member -Name "DHCP Lease Expires" -Value $objItem.DHCPLeaseExpires
        $AllServers += $ServerObj
    }
}
END{
    Write-Output -InputObject $AllServers
}
Event Logs
FILENAME: eventlog.ps1
AUTHOR: SixtyFPS
LINKS: http://www.computerperformance.co.uk/powershell/powershell_eventlog.htm
https://msdn.microsoft.com/en-us/library/aa394226%28v=vs.85%29.aspx
CODE:
Clear-Host
Write-host "Getting Event Logs......"
# The two log names are grouped in one set of parentheses so that type='error' applies to both.
# WQL uses SQL-style precedence (AND binds tighter than OR), so the unparenthesised form
# "A OR B AND C" would return every Application event, not only the errors.
$Logs = Get-WmiObject -ComputerName $servername2 -Credential $cred2 -query `
    "SELECT * FROM Win32_NTLogEvent WHERE (logfile='Application' OR logfile='System') AND (type='error')"
$Logs | Format-Table LogFile, EventCode, SourceName, EventType, Message -auto -wrap | out-file "C:\Temp\Event Log Analysis.txt"
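As an added example that is not part of the ADCaRS tool set, the same collection done with Get-WinEvent. The filter hashtable is evaluated on the remote side, so only matching events cross the wire, and listing both logs in LogName avoids the WQL AND/OR precedence trap entirely. It assumes $servername2 and $cred2 have already been set by reqinfo() in the main script; the summary file name is my choice.

```powershell
# Added example (not ADCaRS code): Error-level events from the Application and System logs,
# written as a detailed listing plus a per-source summary for triage.
# Assumes $servername2 and $cred2 were populated by reqinfo() in ADCaRS.ps1.
param(
    [string]$ComputerName = $servername2,
    [System.Management.Automation.PSCredential]$Credential = $cred2,
    [int]$Days = 30,
    [string]$OutDir = "C:\Temp"
)

# Level 2 = Error. StartTime keeps the report to a window the client can act on.
$filter = @{
    LogName   = 'Application', 'System'
    Level     = 2
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no findings".
$events = Get-WinEvent -ComputerName $ComputerName -Credential $Credential `
                       -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Error-level events in the last $Days days on $ComputerName" -ForegroundColor Yellow
    return
}

# Detailed listing, the same shape as the original "Event Log Analysis.txt" report
$events |
    Select-Object TimeCreated, LogName, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap |
    Out-File (Join-Path $OutDir "Event Log Analysis.txt")

# Summary: which sources generate the most errors, which is usually the first question asked
$events |
    Group-Object LogName, ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ Name = 'Log';    Expression = { $_.Group[0].LogName } },
                  @{ Name = 'Source'; Expression = { $_.Group[0].ProviderName } } |
    Format-Table -AutoSize |
    Out-File (Join-Path $OutDir "Event Log Summary.txt")
```

Get-WinEvent needs the Windows Event Log service reachable on the target (RPC), the same requirement the WMI query already has; on the Windows 7 VM with WMF 4.0 both the -ComputerName/-Credential parameters and -FilterHashtable are available.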
Exchange Configuration
FILENAME: E2K10_Architecture_V2.02 (folder)
AUTHOR: Franck NEROT ([email protected])
Pascal THEIL ([email protected])
LINKS: https://gallery.technet.microsoft.com/office/Exchange-2010-Architecture-9368ff56
CODE: Please see link for actual code. Below is our code to call the actual script.
Write-Host "Getting Exchange Configurations..."
cd "C:\TOOLS\E2K10_Architecture_V2.02"
.\E2K10_Architecture_CMD_V2.02 6
Move-Item *.htm "C:\Temp\Exchange Configuration.htm"
Group policy
FILENAME: group_policies.ps1
AUTHOR: SixtyFPS
LINKS: https://technet.microsoft.com/en-ca/library/ee461027.aspx
REQUIREMENTS (see Required Components):
Group Policy Management Tools
CODE:
Get-GPOReport -All -Domain $domainname2 -Server $servername2 -ReportType HTML -Path "C:\Temp\Group Policy Configuration.htm"
Local Computer Policies
FILENAME: local_policies.ps1
AUTHOR: SixtyFPS
LINKS: http://community.spiceworks.com/topic/336425-script-to-export-local-security-policy
CODE: SecEdit /export /cfg "C:\Temp\Local Computer Policies.txt"
Network Storage
FILENAME: sydi-server-2.4 (folder)
AUTHOR: Patrick Ogenstad
LINKS: http://sydiproject.com/download/
CODE: Please see link for actual code. Below is our code to call the actual script.
cd "C:\TOOLS\sydi-server-2.4"
cscript.exe sydi-server.vbs -t -ew -o"C:\Temp\SYDI Overview (Inclu. Network Storage).doc"
Main Script
FILENAME: ADCaRS.ps1
AUTHOR: SixtyFPS
LINKS: http://oxfordsbsguy.com/2013/04/29/powershell-get-aduser-to-retrieve-logon-scripts-and-home-directories-part-2/
https://technet.microsoft.com/en-ca/library/ee461027.aspx
http://www.tenable.com/products/nessus-vulnerability-scanner
https://quickclix.wordpress.com/2012/08/14/making-powershell-menus/
https://gallery.technet.microsoft.com/scriptcenter/Open-Internet-Explorer-e4f8ae4b
https://technet.microsoft.com/en-us/library/ee176874.aspx
http://superuser.com/questions/741945/delete-all-files-from-a-folder-and-its-sub-folders
CODE:
<#
ADCaRS.ps1
Team: Sixty FPS
Members: Justin Sam, Alan Ly, and Laszlo Anda
Contact: [email protected]
Institution: SAIT Polytechnic
Capstone: Project ADCaRS
Designed for: Graycon Group
Winter/Spring 2015
#>
<#
Index:
Numerals denote value of variable "menu" <Example: "1" is the "Information/About" Menu ($menu=1)>
Values inside parentheses denote the name of the function <Example: "(clientname)" is the "clientname" function>
0 - Main
1 - Information/Hints
2 - Start
    (clientname) - Client Name
    (reqinfo) - Enter Credentials
    (exepol) - Execution Policy
    (auto) - Auto
3 - Manual
    (exchange) - Exchange Configuration
    (nas) - SYDI Overview & Network Storage
    (bkpconf) - Backup Configuration
    (adconfig) - AD Configuration
    (domlog) - Domain Login Scripts
    (locpol) - Local Computer Policies
    (grppol) - Group Policy Configuration
    (eventlogs) - Event Log Analysis
    (domsecpw) - Domain Security Password Policy
    (dnsconf) - DNS & DHCP Configuration #UNSTABLE, CAN'T GUARANTEE IT'LL WORK, NOT INCLUDED IN AUTO SCAN
4 - Nessus
5 - Walkthrough/Information
    Information
        DNS Information
        Vulnerabilities (Critical, High, Medium, and Low)
        Open Ports
        Installed Software Enumeration
        Virtual Machine Detection
        Local Password Policies
        Operating Systems Assessment
        User Account Scan
        Patch Report
        Missing Patches Report
    Open Tutorial
(nessus) - Launch Nessus
(postscan) - Post-scan
(verify) - Verify Report Generation
(export) - Export All
#>

<############################ START VARIABLES AREA ############################>
[BOOLEAN]$global:ExitSession=0 #If set to 1, close PowerShell session
[INT]$global:menu=0 #Variable to denote which menu you're in
<############################ END VARIABLES AREA ############################>

<############################ START FUNCTIONS AREA ############################>
function LOADMENU() #Main
{
    while ($menu -eq 0 -and $ExitSession -ne 1) { #Start menu=0
        CLS
        status
        Write-Host "`n`tProject ADCaRS - Main Menu`n" -ForegroundColor cyan
        Write-Host "`t`tCHOOSE AN OPTION:`n"
        Write-Host "`t`t[1] Information/Hints`n"
        Write-Host "`t`t[2] START`n"
        Write-Host "`t`t[3] EXIT`n" -Fore red
        [int]$choice = Read-Host "`t`tENTER CHOICE: "
        if ($choice -lt 1 -or $choice -gt 3) {
            Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
            start-Sleep -Seconds 1
            e2c
            $menu=0
        }
        Switch ($choice) {
            1       { $menu=1; break }
            2       { $menu=2; break }
            3       { exiting; break }
            default { $menu=0; break }
        }
    } #End menu=0

    while ($menu -eq 1) { #Start menu=1
        CLS
        Write-Host "Information/Hints`n"
        Write-Host "`n`t`tOpening webpage... (C:\TOOLS\Tutorial\Nessus\information.html)" -Fore yellow
        $Url="C:\TOOLS\Tutorial\Nessus\information.html"
        $IE = New-Object -com internetexplorer.application; $IE.visible = $true; $IE.navigate($url);
        Write-Host "`n`t`t[1] RETURN`n" -Fore yellow
        [int]$choice = Read-Host "`t`tENTER CHOICE: "
        if ($choice -lt 1 -or $choice -gt 1) {
            Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
            start-Sleep -Seconds 1
            e2c
            $menu=1
        }
        Switch ($choice) {
            1       { RETURNing; $menu=0; break }
            default { $menu=1; break }
        }
    } #End menu=1

    while ($menu -eq 2) { #Start menu=2
        CLS
        status
        Write-Host "`n`nSTART`n"
        Write-Host "`t`tCHOOSE AN OPTION:`n"
        Write-Host "`t`t[1] Client Name`n"
        Write-Host "`t`t[2] Enter Credentials`n"
        Write-Host "`t`t[3] Set Execution Policy`n"
        Write-Host "`t`t[4] Auto`n"
        Write-Host "`t`t[5] Manual`n"
        Write-Host "`t`t[6] Nessus`n"
        Write-Host "`t`t[7] Verify Report Generation`n"
        Write-Host "`t`t[8] Export All`n"
        Write-Host "`t`t[9] RETURN`n" -Fore yellow
        [int]$choice = Read-Host "`t`tENTER CHOICE: "
        if ($choice -lt 1 -or $choice -gt 9) {
            Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
            start-Sleep -Seconds 1
            e2c
            $menu=2
        }
        Switch ($choice) {
            1       { clientname; $menu=2; break }     #Enter Client Name
            2       { reqinfo; $menu=2; break }        #Enter Credentials
            3       { exepol; $menu=2; break }         #Set Execution Policy
            4       { auto; e2c; $menu=2; break }      #Auto
            5       { $menu=3; break }                 #Manual
            6       { $menu=4; break }                 #Nessus
            7       { verify; e2c; $menu=2; break }    #Verify Report Generation
            8       { export; e2c; $menu=1; break }    #Export All
            9       { RETURNing; $menu=0; break }
            default { $menu=2; break }
        }

        while($menu -eq 3) { #Start menu=3
            CLS
            Write-Host "`n`tManual`n"
            Write-Host "`t`tCHOOSE AN OPTION:`n"
            Write-Host "`t`t[1] Exchange Configuration`n"
            Write-Host "`t`t[2] SYDI Overview & Network Storage`n"
            Write-Host "`t`t[3] Backup Configuration`n"
            Write-Host "`t`t[4] Active Directory Configuration`n"
            Write-Host "`t`t[5] Domain Login Scripts`n"
            Write-Host "`t`t[6] Local Computer Policies`n"
            Write-Host "`t`t[7] Group Policy Configuration`n"
            Write-Host "`t`t[8] Event Log Analysis`n"
            Write-Host "`t`t[9] Domain Security Password Policy`n"
            Write-Host "`t`t[10] DNS & DHCP Configuration (UNSTABLE, NOT INCLUDED IN AUTO)`n"
            Write-Host "`t`t[11] RETURN`n" -Fore yellow
            [int]$choice = Read-Host "`t`tENTER CHOICE: "
            if ($choice -lt 1 -or $choice -gt 11) {
                Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
                start-Sleep -Seconds 1
                e2c
                $menu=3
            }
            Switch ($choice) {
                1       { exchange; e2c; $menu=3; break }   #Exchange Configuration
                2       { nas; e2c; $menu=3; break }        #SYDI Overview & Network Storage
                3       { bkpconf; e2c; $menu=3; break }    #Backup Configuration
                4       { adconfig; e2c; $menu=3; break }   #AD Configuration
                5       { domlog; e2c; $menu=3; break }     #Domain Login Scripts
                6       { locpol; e2c; $menu=3; break }     #Local Computer Policies
                7       { grppol; e2c; $menu=3; break }     #Group Policy Configuration
                8       { eventlogs; e2c; $menu=3; break }  #Event Log Analysis
                9       { domsecpw; e2c; $menu=3; break }   #Domain Security Password Policy
                10      { dnsconf; e2c; $menu=3; break }    #DNS & DHCP Configuration (UNSTABLE)
                11      { RETURNing; $menu=2; break }
                default { $menu=3; break }
            }
        } #End menu=3

        while ($menu -eq 4) { #Start menu=4
            CLS
            Write-Host "`n`tNessus`n"
            Write-Host "`t`tCHOOSE AN OPTION:`n"
            Write-Host "`t`t[1] Walkthrough/Information`n"
            Write-Host "`t`t[2] Launch Nessus`n"
            Write-Host "`t`t[3] Post-scan`n"
            Write-Host "`t`t[4] RETURN`n" -Fore yellow
            [int]$choice = Read-Host "`t`tENTER CHOICE: "
            if ($choice -lt 1 -or $choice -gt 4) {
                Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
                start-Sleep -Seconds 1
                e2c
                $menu=2
            }
            Switch ($choice) {
                1       { $menu=5; break }
                2       { nessus; e2c; $menu=4; break }
                3       { postscan; e2c; $menu=4; break }
                4       { RETURNing; $menu=2; break }
                default { $menu=4; break }
            }

            while ($menu -eq 5) { #Start menu=5
                CLS
                Write-Host "`n`tNessus: Walkthrough/Information`n"
                Write-Host "`t`tCHOOSE AN OPTION:`n"
                Write-Host "`t`t[1] List: Type of Data Collected by ADCaRS`n"
                Write-Host "`t`t[2] Open Tutorial`n"
                Write-Host "`t`t[3] RETURN`n" -Fore yellow
                [int]$choice = Read-Host "`t`tENTER CHOICE: "
                if ($choice -lt 1 -or $choice -gt 3) {
                    Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
                    start-Sleep -Seconds 1
                    e2c
                    $menu=5
                }
                Switch ($choice) {
                    1 {
                        CLS
                        Write-Host "DNS Information`n- Vulnerabilities (Critical, High, Medium, and Low)`n- Open Ports`n- Installed Software Enumeration`n- Virtual Machine Detection`n- Local Password Policies`n- Operating Systems Assessment`n- User Account Scan`n- Patch Report`n- Missing Patches Report"
                        e2c
                        $menu=5
                        break
                    }
                    2 {
                        nessus
                        $Url="C:\TOOLS\Tutorial\Nessus\index.html"
                        $IE = New-Object -com internetexplorer.application; $IE.visible = $true; $IE.navigate($url);
                        e2c
                        $menu=5
                        break
                    }
                    3       { RETURNing; $menu=4; break }
                    default { $menu=5; break }
                }
            } #End menu=5
        } #End menu=4
    } #End menu=2
} #End of LOADMENU

function status() #Status column showing
{
    Write-Host "Execution Policy: " -Fore green; Get-ExecutionPolicy
    if ($clientname -eq $null) {
        Write-Host "Client name is not entered" -Fore red
    } else {
        Write-Host "Client name is entered as [$clientname]" -Fore green
    }
    if ($servername2 -eq $null) {
        Write-Host "Credentials are not entered" -Fore red
    } else {
        Write-Host "Credentials are entered for [$servername2]" -Fore green
    }
}

function clientname() #Sets the $clientname variable to be used as the final name of the dir that will hold all the reports
{
    CLS
    Write-Host "Please enter the name you would like saved as the client's folder: " -Fore yellow
    Write-Host "(Do not use any characters that cannot be used in the naming of files, paths, and namespaces."
    Write-Host "For more information: https://msdn.microsoft.com/en-us/library/aa365247)"
    $global:clientname = Read-Host "Client name"
    e2c
    RETURN
}

function exepol() #Sets your execution policy to bypass to avoid any odd security interactions
{
    CLS
    Write-Host "Setting Execution Policy to [Bypass]..."
    Set-ExecutionPolicy Bypass
    Get-ExecutionPolicy
    e2c
    RETURN
}

function reqinfo() #Enter administrator credentials to use within the domain
{
    CLS
    Write-Host "Please enter the following credentials: " -Fore yellow
    $servername = Read-Host "Server Name"
    $global:servername2 = $servername
    $domainname = Read-Host "Domain: "
    $global:domainname2 = $domainname
    $username = Read-Host "Domain\User"
    $global:username2 = $username
    # The password is round-tripped through C:\Temp\securestring.txt (DPAPI-protected for this user);
    # exiting() deletes that file when the session ends.
    read-host "Password: " -assecurestring | convertfrom-securestring | out-file C:\Temp\securestring.txt
    $password = cat C:\Temp\securestring.txt | convertto-securestring
    $global:password2 = $password
    $cred = new-object -typename System.Management.Automation.PSCredential `
        -argumentlist $username2, $password2
    $global:cred2 = $cred
    Write-Host "`nServer Name: $servername" -Fore cyan
    Write-Host "`nDomain: $domainname" -Fore cyan
    Write-Host "`nUser: $username`n" -Fore cyan
    e2c
    RETURN
}

function auto() #Run all the scripts automatically
{
    CLS
    $autotitle = "Auto"
    $automessage = "Would you like to run the auto-scan?"
    $autoyes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
        "Automatically run all the scripts."
    $autono = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
        "RETURN to previous menu."
    $autooptions = [System.Management.Automation.Host.ChoiceDescription[]]($autoyes, $autono)
    $autoresult = $host.ui.PromptForChoice($autotitle, $automessage, $autooptions, 0)
    switch ($autoresult) {
        0 {nas; exchange; bkpconf; adconfig; domlog; locpol; grppol; eventlogs; domsecpw}
        1 {RETURN}
    }
}

function verify() #Verifies if the report files were generated
{
    CLS
    status
    Write-Host "`nVerification of Generated Files`n" -ForegroundColor cyan
    #For this portion we will simplify the indentation to save space
    Write-Host "`tInfrastructure:`n" -ForegroundColor cyan
    If(Test-Path "C:\Temp\Active Directory Configuration.txt"){Write-Host "`t`t[X] Active Directory Configuration`n"}Else{Write-Host "`t`t[ ] Active Directory Configuration`n"}
    If(Test-Path "C:\Temp\Backup Configuration.txt"){Write-Host "`t`t[X] Backup Configuration`n"}Else{Write-Host "`t`t[ ] Backup Configuration`n"}
    If(Test-Path "C:\Temp\DNS Information.txt"){Write-Host "`t`t[X] DNS Information`n"}Else{Write-Host "`t`t[ ] DNS Information`n"}
    If(Test-Path "C:\Temp\Domain Login Scripts.txt"){Write-Host "`t`t[X] Domain Login Scripts`n"}Else{Write-Host "`t`t[ ] Domain Login Scripts`n"}
    If(Test-Path "C:\Temp\Event Log Analysis.txt"){Write-Host "`t`t[X] Event Log Analysis`n"}Else{Write-Host "`t`t[ ] Event Log Analysis`n"}
    If(Test-Path "C:\Temp\Exchange Configuration.htm"){Write-Host "`t`t[X] Exchange Configuration`n"}Else{Write-Host "`t`t[ ] Exchange Configuration`n"}
    If(Test-Path "C:\Temp\Group Policy Configuration.htm"){Write-Host "`t`t[X] Group Policy Configuration`n"}Else{Write-Host "`t`t[ ] Group Policy Configuration`n"}
    If(Test-Path "C:\Temp\Installed Software Enumeration.txt"){Write-Host "`t`t[X] Installed Software Enumeration`n"}Else{Write-Host "`t`t[ ] Installed Software Enumeration`n"}
    If(Test-Path "C:\Temp\List of Virtual Machines.txt"){Write-Host "`t`t[X] List of Virtual Machines`n"}Else{Write-Host "`t`t[ ] List of Virtual Machines`n"}
    If(Test-Path "C:\Temp\Local Computer Policies.txt"){Write-Host "`t`t[X] Local Computer Policies`n"}Else{Write-Host "`t`t[ ] Local Computer Policies`n"}
    If(Test-Path "C:\Temp\Patch Report.txt"){Write-Host "`t`t[X] Patch Report`n"}Else{Write-Host "`t`t[ ] Patch Report`n"}
    If(Test-Path "C:\Temp\Missing Patches Report.txt"){Write-Host "`t`t[X] Missing Patches Report`n"}Else{Write-Host "`t`t[ ] Missing Patches Report`n"}
    If(Test-Path "C:\Temp\SYDI Overview (Inclu. Network Storage).doc"){Write-Host "`t`t[X] SYDI Overview & Network Storage`n"}Else{Write-Host "`t`t[ ] SYDI Overview & Network Storage`n"}
    Write-Host "`tSecurity:`n" -ForegroundColor cyan
    If(Test-Path "C:\Temp\User Account Scan.txt"){Write-Host "`t`t[X] User Account Scan`n"}Else{Write-Host "`t`t[ ] User Account Scan`n"}
    If(Test-Path "C:\Temp\Domain Security Password Policy.txt"){Write-Host "`t`t[X] Domain Security Password Policy`n"}Else{Write-Host "`t`t[ ] Domain Security Password Policy`n"}
    If(Test-Path "C:\Temp\Local Password Policies.txt"){Write-Host "`t`t[X] Local Password Policies`n"}Else{Write-Host "`t`t[ ] Local Password Policies`n"}
    If(Test-Path "C:\Temp\Operating Systems.txt"){Write-Host "`t`t[X] Operating Systems`n"}Else{Write-Host "`t`t[ ] Operating Systems`n"}
    If(Test-Path "C:\Temp\Ports & Services Report.txt"){Write-Host "`t`t[X] Ports & Services Report`n"}Else{Write-Host "`t`t[ ] Ports & Services Report`n"}
    If(Test-Path "C:\Temp\Vulnerabilities_Critical.txt"){Write-Host "`t`t[X] Vulnerabilities: Critical`n"}Else{Write-Host "`t`t[ ] Vulnerabilities: Critical`n"}
    If(Test-Path "C:\Temp\Vulnerabilities_High.txt"){Write-Host "`t`t[X] Vulnerabilities: High`n"}Else{Write-Host "`t`t[ ] Vulnerabilities: High`n"}
    If(Test-Path "C:\Temp\Vulnerabilities_Medium.txt"){Write-Host "`t`t[X] Vulnerabilities: Medium`n"}Else{Write-Host "`t`t[ ] Vulnerabilities: Medium`n"}
    If(Test-Path "C:\Temp\Vulnerabilities_Low.txt"){Write-Host "`t`t[X] Vulnerabilities: Low`n"}Else{Write-Host "`t`t[ ] Vulnerabilities: Low`n"}
}

function export() #Final step, exports all the files to their respective folders under the designated name for easy copy later on
{
    if ($clientname -eq $null) {
        Write-Host "`t`tClient name is not entered!`n`t`tPlease enter a client name before proceeding to export." -Fore red
        e2c
        break
    } else {
        CLS
        $exporttitle = "Export"
        $exportmessage = "Would you like to export all for [$clientname]?"
        $exportyes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
            "Export all reports to specified client's folder."
        $exportno = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
            "RETURN to previous menu."
        $exportoptions = [System.Management.Automation.Host.ChoiceDescription[]]($exportyes, $exportno)
        $exportresult = $host.ui.PromptForChoice($exporttitle, $exportmessage, $exportoptions, 0)
        switch ($exportresult) {
            0 {
                Write-Host "Exporting..."
                New-Item -ItemType Directory -Path "C:\CLIENTS\$clientname"
                # Note: *.txt also catches securestring.txt, which is why the exit code below sweeps C:\CLIENTS as well
                Move-Item C:\TEMP\*.txt "C:\CLIENTS\$clientname"
                Move-Item C:\TEMP\*.doc "C:\CLIENTS\$clientname"
                Move-Item C:\TEMP\*.htm "C:\CLIENTS\$clientname"
                Move-Item C:\TEMP\*.html "C:\CLIENTS\$clientname"
                Write-Host "Export to dir [$clientname] finished." -Fore green
            }
            1 {RETURN}
        }
    }
    RETURN
}

function exchange() #Exchange Configuration
{ C:\TOOLS\exchange.ps1 }
function nas() #SYDI Overview & Network Storage
{ C:\TOOLS\sydi.ps1 }
function bkpconf() #Backup Configuration
{ C:\TOOLS\backup_config.ps1 }
function adconfig() #Active Directory Configuration
{ C:\TOOLS\ad_config.ps1 }
function domlog() #Domain Login Scripts
{ C:\TOOLS\domain_login_scripts.ps1 }
function locpol() #Local Computer Policies
{ C:\TOOLS\local_policies.ps1 -ComputerName $servername2 -Credential $cred2 }
function grppol() #Group Policy Configuration
{ C:\TOOLS\group_policies.ps1 }
<#(THIS DOES NOT WORK ANYMORE, IT BROKE)
function dnsconf() #DNS Configuration
{ C:\TOOLS\dnsdhcp.ps1 -ComputerName $servername2 -Credential $cred2 | out-file "C:\Temp\DNS & DHCP Configuration.txt" }
#>
function eventlogs() #Event Log Analysis
{ C:\TOOLS\eventlog.ps1 }
function domsecpw() #Domain Secure Password Policy
{ Get-ADDefaultDomainPasswordPolicy > "C:\Temp\Domain Security Password Policy.txt" }

function nessus() #Launch Nessus using Internet Explorer
{
    $Url="https://localhost:8834/nessus6.html#/scans"
    $IE = New-Object -com internetexplorer.application; $IE.visible = $true; $IE.navigate($url);
    while ($IE.Busy -eq $true) { Start-Sleep -Milliseconds 2000; }
    $ie.Document.getElementByID("overridelink").Click() #Automatically bypass certificate error screen (IE Only)
    Start-Sleep -Seconds 3;
    # $username and $password are local to reqinfo(); only the $global:username2 / $global:password2
    # copies survive, so the user name is shown from the global. $password2 is a SecureString, so the
    # second line never shows the plaintext password (it printed an empty string in the original).
    Write-Host "$username2"
    Write-Host "$password"
    while ($IE.Busy -eq $true) { Start-Sleep -Milliseconds 2000; }
}

function postscan() #Run this after Nessus to create all the reports
{
    CLS
    $posttitle = "Post-scan"
    $postmessage = "Have you imported the Nessus scan into a .csv file and are ready to create your reports?"
    $postyes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
        "Prompt for Nessus .csv file name."
    $postno = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
        "RETURN to previous menu."
    $postoptions = [System.Management.Automation.Host.ChoiceDescription[]]($postyes, $postno)
    $postresult = $host.ui.PromptForChoice($posttitle, $postmessage, $postoptions, 0)
    switch ($postresult) {
        0 {
            Write-Host "`t`nEnter the ABSOLUTE path to the .csv file: "
            Write-Host "`t`(Example: C:\REPORTS\Nessus.csv)" -Fore Yellow
            $global:csv = Read-Host
            if ($csv -like "*.csv") {
                Import-Csv $csv | Where-Object {$_.Name -eq "Windows DNS Server Enumeration"} > "C:\Temp\DNS Information.txt"
                Import-Csv $csv | Where-Object {$_.Risk -eq "Critical"} > "C:\Temp\Vulnerabilities_Critical.txt"
                Import-Csv $csv | Where-Object {$_.Risk -eq "High"} > "C:\Temp\Vulnerabilities_High.txt"
                Import-Csv $csv | Where-Object {$_.Risk -eq "Medium"} > "C:\Temp\Vulnerabilities_Medium.txt"
                Import-Csv $csv | Where-Object {$_.Risk -eq "Low"} > "C:\Temp\Vulnerabilities_Low.txt"
                Import-Csv $csv | Where-Object {$_.Name -eq "Netstat Connection Information"} > "C:\Temp\Ports & Services Report.txt"
                Import-Csv $csv | Where-Object {$_.Name -eq "Microsoft Windows Installed Software Enumeration (credentialed check)"} > "C:\Temp\Installed Software Enumeration.txt"
                Import-Csv $csv | Where-Object {$_.Name -eq "Patch Report"} > "C:\Temp\Patch Report.txt"
                Import-Csv $csv | Where-Object {$_.Name -eq "Microsoft Windows Summary of Missing Patches"} > "C:\Temp\Missing Patches Report.txt"
                Import-Csv $csv | Where-Object {$_.Name -eq "VMware Virtual Machine Detection"} > "C:\Temp\List of Virtual Machines.txt"
                Import-Csv $csv | Where-Object {$_.Name -eq "Microsoft Windows SMB : Obtains the Password Policy"} > "C:\Temp\Local Password Policies.txt"
                Import-Csv $csv | Where-Object {$_.Name -eq "OS Identification"} > "C:\Temp\Operating Systems.txt"
                Import-Csv $csv | Where-Object {$_.Name -eq "Enumerate Local Users"} > "C:\Temp\User Account Scan.txt"
                Write-Host "Task finished." -Fore Green
            } else {
                Write-Host "Please enter the ABSOLUTE path to the .csv file!" -Fore red
            }
        }
        1 {RETURN}
    }
    RETURN
}

function exiting() #Exit confirmation & deletion of securestring.txt
{
    CLS
    $exittitle = "Exit"
    $exitmessage = "Are you sure you want to exit?`n(All temporary information and files will be lost.)"
    $exityes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
        "Exit PowerShell and delete securestring.txt."
    $exitno = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
        "RETURN to previous menu."
    $exitoptions = [System.Management.Automation.Host.ChoiceDescription[]]($exityes, $exitno)
    $exitresult = $host.ui.PromptForChoice($exittitle, $exitmessage, $exitoptions, 0)
    switch ($exitresult) {
        0 {$global:ExitSession=$true;}
        1 {RETURN}
    }
}

function RETURNing() #Aesthetics
{
    CLS
    Write-Host "`n`tRETURNING.`n" -Fore Yellow; start-Sleep -m 500
    CLS
    Write-Host "`n`tRETURNING..`n" -Fore Yellow; start-Sleep -m 500
    RETURN
}

function e2c() #Press enter to continue
{
    Read-Host "`tPress (ENTER) to continue"
}
<############################ END FUNCTIONS AREA ############################>

<############################ START CODE AREA ############################>
CLS
LOADMENU #Main
If ($ExitSession -eq 1) #Quit PowerShell
{
    Get-ChildItem -Path C:\TEMP -Include "securestring.txt" -File -Recurse | foreach { $_.Delete()} #Deletes any instance of "securestring.txt"
    Get-ChildItem -Path C:\CLIENTS -Include "securestring.txt" -File -Recurse | foreach { $_.Delete()} #Deletes any instance of "securestring.txt"
    CLS; Write-Host "`n`tExiting.`n" -Fore Red; start-Sleep -m 500;
    CLS; Write-Host "`n`tExiting..`n" -Fore Red; start-Sleep -m 500;
    CLS
    exit-pssession
    RETURN
}
else #Persist PowerShell session
{
    C:\ADCaRS.ps1
}
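An added example, not part of ADCaRS, of how reqinfo() could build the same credential without ever writing securestring.txt. ConvertFrom-SecureString protects the file with DPAPI for the current user, but export() moves every *.txt in C:\TEMP into the client folder and the exit code then has to sweep two directory trees to be sure it is gone; keeping the SecureString in memory removes the artifact altogether. The function name Get-AdcarsCredential and the Invoke-Command check are my additions; the globals it sets are the ones the main script already uses.

```powershell
# Added example (not ADCaRS code): credential built in memory, no securestring.txt on disk.
# Get-AdcarsCredential is an assumed name; $global:servername2/domainname2/username2/cred2
# are the variables the rest of ADCaRS.ps1 reads.
function Get-AdcarsCredential {
    [CmdletBinding()]
    param(
        [string]$ServerName = (Read-Host "Server Name"),
        [string]$DomainName = (Read-Host "Domain"),
        [string]$UserName   = (Read-Host "Domain\User")
    )

    # Read-Host -AsSecureString already returns the SecureString the PSCredential
    # constructor wants; the ConvertFrom-SecureString / Out-File / ConvertTo-SecureString
    # round trip in reqinfo() adds nothing except a file to clean up.
    $secure = Read-Host "Password" -AsSecureString
    $cred   = New-Object System.Management.Automation.PSCredential ($UserName, $secure)

    # Same globals as reqinfo(), so auto()/manual scans keep working unchanged
    $global:servername2 = $ServerName
    $global:domainname2 = $DomainName
    $global:username2   = $UserName
    $global:cred2       = $cred

    # Fail fast: a mistyped password is better caught here than half-way through auto().
    # The remote script block only returns the target's name; nothing is changed on the server.
    try {
        Invoke-Command -ComputerName $ServerName -Credential $cred `
                       -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop | Out-Null
        Write-Host "Credentials verified against $ServerName" -ForegroundColor Green
    } catch {
        Write-Host "Could not authenticate to $ServerName as $UserName : $($_.Exception.Message)" -ForegroundColor Red
    }

    Write-Host "`nServer Name: $ServerName" -ForegroundColor Cyan
    Write-Host "`nDomain: $DomainName" -ForegroundColor Cyan
    Write-Host "`nUser: $UserName`n" -ForegroundColor Cyan
    return $cred
}
```

With this in place the two Get-ChildItem sweeps in the code area and the "delete securestring.txt" wording in exiting() become unnecessary, and $global:password2 is no longer needed since every consumer takes $cred2.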
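postscan() splits the Nessus CSV into one file per risk level. As an added example that is not part of ADCaRS, the function below goes one step further and produces a per-host count by risk level, which is the view a client summary usually needs. The column names are those of a Nessus 6 CSV export (the same Name and Risk columns postscan() relies on); the sample rows, plugin IDs and finding names are constructed for the example and do not come from a real scan.

```powershell
# Added example (not ADCaRS code): per-host vulnerability counts from a Nessus CSV export.
# Get-NessusRiskSummary is an assumed name. Columns used: "Plugin ID", Risk, Host, Name.
function Get-NessusRiskSummary {
    param(
        # Objects as produced by Import-Csv / ConvertFrom-Csv on the Nessus export
        [Parameter(Mandatory)][object[]]$Findings,
        [string[]]$RiskOrder = @('Critical', 'High', 'Medium', 'Low')
    )
    # Rows with Risk "None" are informational plugins (OS Identification, Netstat, ...),
    # exactly the rows postscan() routes to the non-vulnerability reports; skip them here.
    $vulns = $Findings | Where-Object { $_.Risk -in $RiskOrder }

    foreach ($hostGroup in ($vulns | Group-Object Host)) {
        $row = [ordered]@{ Host = $hostGroup.Name }
        foreach ($r in $RiskOrder) {
            $row[$r] = @($hostGroup.Group | Where-Object { $_.Risk -eq $r }).Count
        }
        # Distinct plugin IDs, so one finding reported on several ports counts once
        $row['UniquePlugins'] = @($hostGroup.Group |
            Select-Object -ExpandProperty 'Plugin ID' -Unique).Count
        [pscustomobject]$row
    }
}

# Constructed sample in the Nessus CSV layout (header row plus quoted fields);
# plugin IDs 10001-10004 and the finding names are placeholders, not real plugins.
$sampleCsv = @'
"Plugin ID","CVE","CVSS","Risk","Host","Protocol","Port","Name","Synopsis","Description","Solution","See Also","Plugin Output"
"10001","","","None","10.0.0.5","tcp","445","Sample informational plugin","","","","",""
"10002","","5.0","Medium","10.0.0.5","tcp","445","Sample medium finding","","","","",""
"10002","","5.0","Medium","10.0.0.6","tcp","445","Sample medium finding","","","","",""
"10003","","","None","10.0.0.6","tcp","0","OS Identification","","","","",""
"10004","","10.0","Critical","10.0.0.6","tcp","80","Sample critical finding","","","","",""
"10004","","10.0","Critical","10.0.0.6","tcp","443","Sample critical finding","","","","",""
'@

$findings = $sampleCsv | ConvertFrom-Csv
Get-NessusRiskSummary -Findings $findings | Format-Table -AutoSize
# Expected rows: 10.0.0.5 -> Medium 1, UniquePlugins 1
#                10.0.0.6 -> Critical 2, Medium 1, UniquePlugins 2
```

For a real export replace the here-string with Import-Csv $csv (the path postscan() already collects) and pipe the result to Out-File alongside the other C:\Temp reports so export() picks it up.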
Maintenance
Important notes to begin: Project ADCaRS has been coded specifically to run under the following conditions:
1. The script must be named ADCaRS.ps1 and reside in the root of C:\
2. C:\ MUST include the directories "Temp", "CLIENTS", "REPORTS", "Tutorials", "TOOLS".
3. Any additional functions that you may add that do not output to C:\TEMP will not be exported properly.
4. Your execution policy must be set to an unrestricted setting (such as Bypass) to allow for a more reliable execution.
5. Internet Explorer is installed.
It is recommended to run ADCaRS.ps1 by calling it from a PowerShell instance rather than double-clicking it. That way, if you encounter any error codes the instance will not close and you will be able to read the warnings. It also allows for a larger viewing window, which is more convenient given the large output screens on the menu.
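The run conditions above can be checked before the menu is loaded. The function below is an added example and is not part of the ADCaRS script: the name Test-AdcarsPrerequisites is an assumption, the paths and the execution-policy requirement are taken from the numbered conditions, and condition 3 (added functions must write to C:\TEMP) cannot be verified statically, so it is not covered.

```powershell
# Added example, not part of ADCaRS. Function name is an assumption; the paths and
# policy requirement are the run conditions listed under Maintenance.
function Test-AdcarsPrerequisites {
    param(
        [string]$ScriptPath = 'C:\ADCaRS.ps1',                                    # condition 1
        [string[]]$RequiredDirs = @('C:\Temp', 'C:\CLIENTS',
                                    'C:\REPORTS', 'C:\Tutorials', 'C:\TOOLS')   # condition 2
    )
    $problems = @()

    # 1. Script name and location (the menu loop re-invokes C:\ADCaRS.ps1 by that exact path)
    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        $problems += "Script not found at $ScriptPath (it must be named ADCaRS.ps1 in the root of C:\)."
    }

    # 2. Required directories under C:\
    foreach ($dir in $RequiredDirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            $problems += "Required directory missing: $dir"
        }
    }

    # 3. "Added functions must write to C:\TEMP" cannot be verified statically; not checked here.

    # 4. Execution policy: anything other than Bypass/Unrestricted may block or prompt
    $policy = (Get-ExecutionPolicy).ToString()
    if (@('Bypass', 'Unrestricted') -notcontains $policy) {
        $problems += "Execution policy is '$policy'; use Bypass or Unrestricted (e.g. Set-ExecutionPolicy Bypass -Scope Process)."
    }

    # 5. Internet Explorer present (the Nessus tutorial is a local HTML page)
    $iePath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
    if (-not (Test-Path -LiteralPath $iePath -PathType Leaf)) {
        $problems += "Internet Explorer not found at $iePath"
    }

    if ($problems.Count -eq 0) {
        Write-Host "All ADCaRS run conditions are satisfied." -ForegroundColor Green
        return $true
    }
    foreach ($p in $problems) { Write-Host "[!] $p" -ForegroundColor Red }
    return $false
}

# Usage, from the PowerShell instance you would run the script in:
# if (Test-AdcarsPrerequisites) { C:\ADCaRS.ps1 }
```

Running the check in the same PowerShell instance you will launch the script from matters for condition 4, because Set-ExecutionPolicy with -Scope Process only affects that instance.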
I will be using the following keywords to explain maintenance on Project ADCaRS:
***Click on [WHERE] between brackets to jump to the bookmarked location***

[WHERE]    - Denotes where in the code you should be focusing on.
[ADD]      - Add the following line/section in the appropriate spot.
[EDIT]     - Edit an existing line of code; changes will be noted in red.
[REMOVE]   - Remove the following line/section from the appropriate spot.
[OPTIONAL] - Changes that do not impact the functionality of ADCaRS but should be considered.

Comments will be noted in green and should not be entered into the code itself.
Nessus updates and uses a different URL

[WHERE] function nessus()
[EDIT] $URL to the new URL of the Nessus client.
[OPTIONAL] Update the hyperlink in the C:\Tutorials\Nessus\index.html (Nessus Tutorial) webpage (line 48).
Steps to add a new function and script scan (non-Nessus)

In this scenario, you would like to add the function "Misc Scan" to the menu and would like it to run under "auto" as well as be available as a "manual" option. Your misc scan outputs a report called "misc.txt".

[EDIT] The index at the beginning of ADCaRS.ps1 should be updated to reflect your changes.

Start with the manual menu.

[WHERE] Anywhere after any function between <### START FUNCTIONS AREA ###> and <### END FUNCTIONS AREA ###>, for the sake of cleanliness.
[ADD]
function miscscan()
{
    # Script goes here
}

[WHERE] while($menu -eq 3)
Add a new option to the menu format.
[ADD] Write-Host "`t`t[11] Misc Scan`n"
Change the option number of RETURN to accommodate the change.
[EDIT] Write-Host "`t`t[12] RETURN`n" -Fore yellow
Change the "if" statement to accommodate the extra option (the value should match the option number of "RETURN").
[EDIT] if ($choice -lt 1 -or $choice -gt 12)
Add the new functionality to the switch.
[ADD]
11
{
    miscscan    # calls your new "miscscan" function
    $menu=2
    Break
}
[EDIT]
12
{
    RETURNing
    $menu=2
    Break
}

Now you need to add the function to the auto function.
[WHERE] function auto()
[EDIT] 0 {nas; exchange; bkpconf; adconfig; domlog; locpol; grppol; dnsconf; eventlogs; domsecpw; miscscan}

Now you have to add your misc scan to the verification of generated files option.
[WHERE] function verify()
[ADD] If(Test-Path "C:\Temp\misc.txt"){Write-Host "`t`t[X] Misc Scan`n"}Else{Write-Host "`t`t[ ] Misc Scan`n"}

[OPTIONAL] If your misc function outputs a file other than .txt, .doc, .htm, or .html, then you need to configure the export function to move your file to the proper directory. For this example your misc scan outputs a file called "misc.xml".
[WHERE] function export()
[ADD] Move-Item C:\TEMP\*.xml "C:\CLIENTS\$clientname"
For cleanliness I recommend putting the above line of code underneath the Move-Item C:\TEMP\*.html "C:\CLIENTS\$clientname" line, or somewhere similar.
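The verify() one-liners above test one file per menu item. As an added example (not ADCaRS's own verify() function), the table-driven version below keeps the menu-label to output-file mapping in one place, so adding a scan means adding one table row, and it marks items that produce several files (such as the four Vulnerabilities_*.txt reports listed under Output Files) as partial when only some of them exist. The function names Get-AdcarsReportStatus and Show-AdcarsReportStatus are assumptions; the file names are those the script writes to C:\Temp.

```powershell
# Added example, not ADCaRS's own verify(): a table-driven checklist of generated reports.
# Function names are assumptions; file names are the ones ADCaRS writes to C:\Temp.
function Get-AdcarsReportStatus {
    param(
        [string]$ReportDir = 'C:\Temp',
        # Menu label -> output file(s) expected under $ReportDir. Adding a scan = adding one row.
        [hashtable]$Expected = @{
            'Misc Scan'               = @('misc.txt')
            'Service Detection'       = @('Service Detection.txt')
            'Software Patch Level'    = @('Patch Report.txt', 'Missing Patches Report.txt')
            'Vulnerability Scan'      = @('Vulnerabilities_Critical.txt', 'Vulnerabilities_High.txt',
                                          'Vulnerabilities_Medium.txt', 'Vulnerabilities_Low.txt')
            'Local Password Policies' = @('Local Password Policies.txt')
        }
    )
    $status = @()
    foreach ($label in ($Expected.Keys | Sort-Object)) {
        $files   = @($Expected[$label])
        # Only count a file when it really exists as a file (not a directory of the same name)
        $present = @($files | Where-Object { Test-Path -LiteralPath (Join-Path $ReportDir $_) -PathType Leaf })
        $status += New-Object PSObject -Property @{
            Item     = $label
            Expected = $files.Count
            Found    = $present.Count
            Complete = ($present.Count -eq $files.Count)
        }
    }
    return $status
}

# Prints the same "[X] / [ ]" lines verify() prints, plus "[-]" for partially generated items.
function Show-AdcarsReportStatus {
    param([string]$ReportDir = 'C:\Temp')
    foreach ($s in (Get-AdcarsReportStatus -ReportDir $ReportDir)) {
        $mark = ' '
        if ($s.Complete) { $mark = 'X' }
        elseif ($s.Found -gt 0) { $mark = '-' }
        $colour = if ($s.Complete) { 'Green' } elseif ($s.Found -gt 0) { 'Yellow' } else { 'Red' }
        Write-Host "`t`t[$mark] $($s.Item) ($($s.Found)/$($s.Expected) file(s))" -ForegroundColor $colour
    }
}

# Usage (in place of the hand-written If(Test-Path ...) lines):
# Show-AdcarsReportStatus
```

Because Get-AdcarsReportStatus returns objects rather than printing, the same data can drive the export step: an item whose Complete flag is false is one whose Move-Item lines would leave a report behind.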
Steps to add a new report from any Nessus plugin

In this scenario, you would like to include a report for the Nessus plugin called "Service Detection", plugin ID 22964.

[WHERE] function postscan()
[ADD] Import-Csv $csv | Where-Object {$_.Name -eq "Service Detection"} > "C:\Temp\Service Detection.txt"
The important thing to note here is that the "$_.Name -eq" portion MUST match the exact name of the Nessus plugin. This line should go underneath the other lines of code that start with "Import-Csv $csv".

After you add the Nessus functionality you should update the verifier.
[WHERE] function verify()
[ADD] If(Test-Path "C:\Temp\Service Detection.txt"){Write-Host "`t`t[X] Service Detection`n"}Else{Write-Host "`t`t[ ] Service Detection`n"}

[OPTIONAL] It is recommended to update the "List: Type of Data Collected by ADCaRS" in the "Nessus Walkthrough/Information" portion of the menu.
[WHERE] while($menu -eq 5)
[EDIT] Write-Host "- Vulnerabilities (Critical, High, Medium, and Low)`n- Open Ports`n- Installed Software Enumeration`n- Virtual Machine Detection`n- Local Password Policies`n- Operating Systems Assessment`n- Service Detection`n"
"`n" (back-tick n) creates a line break for aesthetic purposes.
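The exact-name requirement described here (and behind every Import-Csv line in postscan() in the Main Script) fails silently when the string does not match: Where-Object returns nothing and an empty report is written. The following is an added example, not ADCaRS code: it wraps the same filter in a function that reports a zero-row match and lists the similar plugin names actually present in the export, so the string can be corrected. The function name Export-NessusPluginReport and the sample rows are constructed for this example; only plugin 22964 / "Service Detection" comes from the page, and the other plugin IDs in the sample are placeholders.

```powershell
# Added example, not ADCaRS code. Export-NessusPluginReport is an assumed name; it
# applies the same {$_.Name -eq ...} filter postscan() uses, but tells you when the
# name matched nothing instead of silently writing an empty report.
function Export-NessusPluginReport {
    param(
        [Parameter(Mandatory=$true)] [object[]]$Rows,      # rows from Import-Csv on a Nessus .csv export
        [Parameter(Mandatory=$true)] [string]$PluginName,  # must equal the Nessus plugin name exactly
        [Parameter(Mandatory=$true)] [string]$OutFile
    )
    $hits = @($Rows | Where-Object { $_.Name -eq $PluginName })
    if ($hits.Count -eq 0) {
        # The usual cause is a misspelt or renamed plugin; show names from the export
        # that share the first word so the string in postscan() can be corrected.
        $firstWord = ($PluginName -split ' ')[0]
        $similar = @($Rows | Select-Object -ExpandProperty Name -Unique |
                     Where-Object { $_ -like "*$firstWord*" })
        Write-Host "[!] No rows in the export match plugin name '$PluginName'." -ForegroundColor Red
        if ($similar.Count -gt 0) {
            Write-Host "    Similar names in this export: $($similar -join '; ')" -ForegroundColor Yellow
        }
        return 0
    }
    # Write the columns a reader of the report needs, one block per host/port.
    $hits | Select-Object Host, Protocol, Port, Risk, Name, 'Plugin Output' |
        Format-List | Out-File -FilePath $OutFile -Encoding UTF8 -Width 200
    Write-Host "Wrote $($hits.Count) row(s) to $OutFile" -ForegroundColor Green
    return $hits.Count
}

# Constructed sample rows in the column layout of a Nessus CSV export (a real export
# has more columns). Plugin 22964 / "Service Detection" is from the page; the other
# plugin IDs are placeholders.
$sampleCsv = @'
"Plugin ID","Risk","Host","Protocol","Port","Name","Plugin Output"
"22964","None","10.0.0.5","tcp","443","Service Detection","A TLS server is listening on this port."
"22964","None","10.0.0.7","tcp","22","Service Detection","An SSH server is listening on this port."
"00000","None","10.0.0.5","tcp","0","OS Identification","Remote operating system : (placeholder)"
"00000","None","10.0.0.7","tcp","445","Enumerate Local Users","Administrator, Guest (placeholder)"
'@
$rows = $sampleCsv | ConvertFrom-Csv

# Exact name: two rows written. Inexact name: nothing written, similar names listed.
Export-NessusPluginReport -Rows $rows -PluginName 'Service Detection'       -OutFile "$env:TEMP\Service Detection.txt"
Export-NessusPluginReport -Rows $rows -PluginName 'Service Detection (TCP)' -OutFile "$env:TEMP\Service Detection (TCP).txt"
```

To use it against a real scan, replace the constructed $rows with Import-Csv $csv as postscan() does; the function returns the number of rows written, so a 0 is the signal that the plugin name in the script no longer matches the export.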
Nessus
Includes the following scans:

Infrastructure
    Installed Applications
    Patch Levels
    Missing Patches

Security
    DNS Information
    Domain Security Password Policy
    End of Life Operating Systems
    External Vulnerability
    External Port/Services
    Internal Vulnerability
    Local Security Password Policy
    Software Patch Level
    Security Configuration
    User Accounts
    Vulnerable Service or System Configurations
Nessus Tutorial
Please visit the local webpage on the Virtual Machine:
C:\TOOLS\Tutorial\Nessus\index.html
Output Files

All output files are generated in the following path during operation: C:\TEMP

After selecting the export option, all output files are moved to their appropriate folder (by client name) under C:\CLIENTS
Item                                       Output Filename
-----------------------------------------  --------------------------------------------
Installed Applications on Windows Servers  Installed Software Enumeration.txt
Exchange Configuration                     Exchange Configuration.htm
Network Storage                            SYDI Overview (Inclu. Network Storage).doc
Backup Configuration                       Backup Configuration.txt
Active Directory Configuration             Active Directory Configuration.txt
Domain Login Scripts                       Domain Login Scripts.txt
Group Policy Configuration                 Group Policy Configuration.htm
Internal DNS Configuration                 DNS Information.txt
DHCP Configuration                         DNS & DHCP Configuration.txt
Event Log Analysis                         Event Log Analysis.txt
Local Computer Policies                    Local Computer Policies.txt
VMware Configuration                       List of Virtual Machines.txt
External/Internal Vulnerability Scan       Vulnerabilities_Critical.txt
                                           Vulnerabilities_High.txt
                                           Vulnerabilities_Medium.txt
                                           Vulnerabilities_Low.txt
External/Internal Port/Service Scan        Ports & Services Report.txt
User Account Scan                          User Account Scan.txt
Software Patch Level                       Patch Report.txt
                                           Missing Patches Report.txt
Identify Operating Systems                 Operating Systems.txt
Domain Security Password Policy            Domain Security Password Policy.txt
Local Security Password Policy             Local Password Policies.txt
Contact Information
For additional support, please contact the SixtyFPS team:
Alan Ly [email protected]
Justin Sam [email protected]
Laszlo Anda [email protected]