Re: WMIC guru's - come in!

[Jason Jarvis <k41zen () me com>]

Scott,

Thanks for the info. I did originally write a nested FOR loop which also worked well. I guess I've certainly learned 
the power of PowerShell having squashed this down to a line or two.

I'll look into the links you've provided but may have to resurrect the FOR loops :(



On 10 Sep 2010, at 17:47, Scott Webster <websterstech () gmail com> wrote:

> Jason,
>
> You have a difficult road ahead of you. 
>
> Take a look at this:
> http://gallery.technet.microsoft.com/ScriptCenter/en-us/a7f4694d-c71b-4b47-a
> 781-4c4f832e87d7
>
> and use this to make the changes to look for the specific ACE you have. 
>
> http://msdn.microsoft.com/en-us/library/aa394063(VS.85).aspx
>
> Also pay attention to the ACEType, there you will find your Denied entries.
>
> You may want to consider using one of the tools mentioned before combined
> with psexec with the -c switch to copy the exe to the remote computer.
>
> OR just use CACLS to enumerate the ACE's. You could even take text output
> and parse it. It may be easier then writing the WMI/WMIC code.
>
> Good luck,
>
> Scott
>
>
> -----Original Message-----
> From: pauldotcom-bounces () mail pauldotcom com
> [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Jason Jarvis
> Sent: Friday, September 10, 2010 8:39 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] WMIC guru's - come in!
>
>
> Sorry I should have said, in true Ed style I want to be able to use built in
> tools.
>
>
> On 10 Sep 2010, at 16:32, Bugbear <gbugbear () gmail com> wrote:
>
> > oldie bu goodie
> >
> > DumpSec , its free, will allow you to filter for specific user or
> > group, and only dump sub folders/files that differ from root folder
> >
> > http://www.systemtools.com/download/dumpacl.zip
> >
> >
> >
> > On Fri, Sep 10, 2010 at 10:01 AM, Pommerening, Jeremy
> > <jpommerening () symbion com> wrote:
> > > Take a look at accessenum and shareenum and see if they'll do what you
> want.  They're part of the sysinternals tool suite.
> > > http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
> > >
> > >
> > >
> > > Jeremy Pommerening
> > > MGR, Information Security
> > > Symbion, Inc.
> > > GIAC - GCFA  GPEN  GAWN  GCFW
> > > GIAC Advisory Board Member
> > > MCSE Win2K, MCSE NT4,
> > > CompTia SERVER+, HP APS
> > >
> > >
> > > -----Original Message-----
> > > From: pauldotcom-bounces () mail pauldotcom com
> [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of k41zen Me
> > > Sent: Friday, September 10, 2010 5:10 AM
> > > To: PaulDotCom Security Weekly Mailing List
> > > Subject: [Pauldotcom] WMIC guru's - come in!
> > >
> > > I need to conduct folder permissions audit on folders with specific names
> and then check to make sure that a specific group is explicitly denied.
> > > I produced some powershell code to do that and was fairly happy:
> > >
> > > Get-Childitem -path S: -recurse -include
> *classified*,*sensitive*,restricted* -exclude *notsensitive* | where {
> $_.Attributes -match "d" } | Get-Acl | where { $_.AccessToString -notmatch
> "DOMAIN\\GROUP" } | select PSPath, AccessToString | export-csv
> outputfilename.csv
> > > This works a treat until I realised that there are 140 remote locations
> where I don't have powershell installed. Considering the time to get this
> deployed and the latest Dave Kennedy/Josh Kelly work, this may not be the
> ideal solution. I do have WMI to hand though.
> > > Before I begin to fry my brain with working out how to do this, has
> anyone done something similar in WMIC? I know some of the commandlinekungfu
> kings are on this list.
> > > Grateful for any help.
> > >
> > > k41zen
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > > Disclaimer: The email and files transmitted with it are confidential and
> are intended solely for the use of the individual or entity to whom they are
> addressed.  If you are not the original recipient or the person responsible
> for the delivering the email to the intended recipient, be advised that you
> have received this email in error, and that any use, dissemination,
> forwarding, printing or copying of this email is strictly prohibited.  If
> you received this email in error, please delete it from your system without
> copying it, and notify the sender by reply email so that our address record
> can be corrected.  Thank you. Symbion, Inc.
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com