Re: WMIC guru's - come in!

[Jason Jarvis <k41zen () me com>]

So the nested FOR loops used FINDSTR along with CACLS to get the job done, thanks commandlinekungfu.com, so I may just 
use that but PowerShell was so much smaller and well......sexier!

I've looked into it briefly but I'm guessing there's no way of executing PowerShell remotely, and therefore not 
installing it, as it doesn't do stdin or stdout well unless I use netcat?



On 10 Sep 20 at 17:47, Scott Webster <websterstech () gmail com> wrote:

> Jason,
>
> You have a difficult road ahead of you. 
>
> Take a look at this:
> http://gallery.technet.microsoft.com/ScriptCenter/en-us/a7f4694d-c71b-4b47-a
> 781-4c4f832e87d7
>
> and use this to make the changes to look for the specific ACE you have. 
>
> http://msdn.microsoft.com/en-us/library/aa394063(VS.85).aspx
>
> Also pay attention to the ACEType, there you will find your Denied entries.
>
> You may want to consider using one of the tools mentioned before combined
> with psexec with the -c switch to copy the exe to the remote computer.
>
> OR just use CACLS to enumerate the ACE's. You could even take text output
> and parse it. It may be easier then writing the WMI/WMIC code.
>
> Good luck,
>
> Scott
>
>
> -----Original Message-----
> From: pauldotcom-bounces () mail pauldotcom com
> [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Jason Jarvis
> Sent: Friday, September 10, 2010 8:39 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] WMIC guru's - come in!
>
>
> Sorry I should have said, in true Ed style I want to be able to use built in
> tools.
>
>
> On 10 Sep 2010, at 16:32, Bugbear <gbugbear () gmail com> wrote:
>
> > oldie bu goodie
> >
> > DumpSec , its free, will allow you to filter for specific user or
> > group, and only dump sub folders/files that differ from root folder
> >
> > http://www.systemtools.com/download/dumpacl.zip
> >
> >
> >
> > On Fri, Sep 10, 2010 at 10:01 AM, Pommerening, Jeremy
> > <jpommerening () symbion com> wrote:
> > > Take a look at accessenum and shareenum and see if they'll do what you
> want.  They're part of the sysinternals tool suite.
> > > http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
> > >
> > >
> > >
> > > Jeremy Pommerening
> > > MGR, Information Security
> > > Symbion, Inc.
> > > GIAC - GCFA  GPEN  GAWN  GCFW
> > > GIAC Advisory Board Member
> > > MCSE Win2K, MCSE NT4,
> > > CompTia SERVER+, HP APS
> > >
> > >
> > > -----Original Message-----
> > > From: pauldotcom-bounces () mail pauldotcom com
> [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of k41zen Me
> > > Sent: Friday, September 10, 2010 5:10 AM
> > > To: PaulDotCom Security Weekly Mailing List
> > > Subject: [Pauldotcom] WMIC guru's - come in!
> > >
> > > I need to conduct folder permissions audit on folders with specific names
> and then check to make sure that a specific group is explicitly denied.
> > > I produced some powershell code to do that and was fairly happy:
> > >
> > > Get-Childitem -path S: -recurse -include
> *classified*,*sensitive*,restricted* -exclude *notsensitive* | where {
> $_.Attributes -match "d" } | Get-Acl | where { $_.AccessToString -notmatch
> "DOMAIN\\GROUP" } | select PSPath, AccessToString | export-csv
> outputfilename.csv
> > > This works a treat until I realised that there are 140 remote locations
> where I don't have powershell installed. Considering the time to get this
> deployed and the latest Dave Kennedy/Josh Kelly work, this may not be the
> ideal solution. I do have WMI to hand though.
> > > Before I begin to fry my brain with working out how to do this, has
> anyone done something similar in WMIC? I know some of the commandlinekungfu
> kings are on this list.
> > > Grateful for any help.
> > >
> > > k41zen
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > > Disclaimer: The email and files transmitted with it are confidential and
> are intended solely for the use of the individual or entity to whom they are
> addressed.  If you are not the original recipient or the person responsible
> for the delivering the email to the intended recipient, be advised that you
> have received this email in error, and that any use, dissemination,
> forwarding, printing or copying of this email is strictly prohibited.  If
> you received this email in error, please delete it from your system without
> copying it, and notify the sender by reply email so that our address record
> can be corrected.  Thank you. Symbion, Inc.
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com