Bytes & Badz

Listing Members of the Local Administrators Group of Computers in a Domain

2009-08-30T07:49:00.000-07:00

Here's a script which lists all members of the local administrators group for each computer in a domain. The computers.ini file contains the list of hostnames of all computers in the domain whereas the results.csv file will store the local administrators information. The usual disclaimer applies:

Microsoft Technet Summer Scripting Games : Javelin Throw

2009-07-06T16:09:00.001-07:00

I was invited to be a guest commentator for the Javelin Throw event during the recently concluded Microsoft Technet's Summer Scripting Games. For this scenario, I had to write a time logger with time-stamped text entries that describe a particular activity. I created a VB script that accepts user inputs as arguments, stores these together with the date and time of the activity, amount of time spent on the activity, the status of the activity and some remarks onto a CSV file.

You can find my write-up and solution at this link:

http://blogs.technet.com/heyscriptingguy/archive/2009/06/24/hey-scripting-guy-event-9-solutions-from-expert-commentators-beginner-and-advanced-the-javelin-throw.aspx

Checking for Remote Desktop Status of a Remote Server

2009-06-25T20:22:00.001-07:00

Here's a script that checks for the Remote Desktop feature status of a remote server. The server hostnames are read off a servers.ini file. The server's registry is then queried for the DWORD value of fDenyTSConnections under the server's HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server registry key.

List Local Users of Remote Systems (Powershell)

2009-06-24T00:26:00.000-07:00

Here's a Powershell script that reads the hostnames off a text file (hosts.ini) and lists all the local users of the remote host:

My Photos in Flickr Explore

2009-05-12T05:13:00.000-07:00

It has been roughly 3 months since I first joined Flickr. Close to 200 shots later, I had four of my uploaded photos featured in Flickr Explore. As of 12 May 2009, here are the four photos and some background story regarding each.

The Old Clifford Pier (Marina South Pier) - EXPLORED (09 May 2009)

With the construction of the Marina Barrage, the Clifford Pier ceased operation in 2006 and was replaced by the Marina South Pier, which is currently being developed as a retail, leisure and an entertainment center. This SOOC shot (except for the sig) was taken from a vantage point at One Fullerton.

EXIF:
F-stop: f/18
Exposure: 30s
ISO: 200
Focal length: 21mm
Aperture: 3.8

Kwentong Kalye - Street Stories (HDR)

The Philippines is known to be the texting capital of the world. It is very common to see people texting (SMS) in every nook and corner of the country (well, as long as there is a carrier signal). I caught these two ladies happily SMSing and sharing notes at the corner of Aurora Blvd and Imperial St somewhere in Quezon City. I applied a dash of post-processing on the photo, specifically HDRed it for a more dramatic effect.

What you get with a loose tripod head!

Taken from the median strip on the Hotel Fullerton side of the Esplanade Bridge, this "strange" photo was the unexpected result when I wanted to shoot a long exposure shot of the traffic crossing the bridge. I had accidentally loosened my tripod head which caused it to tilt unevenly and by the time I was able to attach it firmly, the exposure finished.

'garilyo - Cigarette Street Vendor

They are a common sight in the streets of urban Philippines. They would snappily flick their wooden boxes for that catchy ta-ka-tak sound; to a driver all stressed out getting stuck in a jam, they are heaven-sent. I was on a cab on the way to Quezon City when I passed by one cigarette vendor; I managed to get a shot although the taxi was moving, albeit, at a slow pace. I did a bit of post-processing, added a li'l vignette and put more contrast to get this final piece.

Flaming Flower

2009-03-31T07:42:00.001-07:00

Flaming Flower
Originally uploaded by Badz Manaois

I was trying to upload this photo to my Flickr account when I decided to play around with the filters that come with my GIMP installation. Under the Filters menu, I chose Render --> Nature --> Flame. I tweaked the default settings for this filter and came up with this surreal result. The rendering itself close to 10 minutes; this should be relatively faster on a more powerful computer. The photo somewhat retained its original vivid colors and the soft bokeh. I'm still trying to figure out how to do post processing of my shots; I'll try some infrared stuff later.

Rebooting a computer (VBS)

2009-03-31T00:12:00.000-07:00

The script shown in this post pops up a message to the current logged-in user informing him that a reboot is required.

The user has the option to proceed with the reboot or he can choose to click the "No" button and abort the reboot. Clicking "Yes" will invoke the ShutMeDown procedure which uses the .Reboot method to reboot the computer. Clicking "No" will display the following pop-up:

Not clicking on either the "Yes" or "No" after 60 seconds will abort the script from continuing.

For what possible situations can this script be used? Follow the discussing from the following thread in The Official Scripting Guys Forum on Technet:

http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/65e8699f-fca4-4e08-a181-8b621acbf963

Enumerating Members of a Group (including Nested Groups)

2009-03-30T22:26:00.000-07:00

Here's another simple and straightforward script that queries and enumerates the members of an active directory group. If there are nested groups within the groups being queried, these will also be subsequently checked and their members listed.

This is the main body of the script. I have, for this example, three sites where two groups are being queried (one group, for example, is EU-ServerAdmins-G). There is a call in the main body to the EnumGroups function where three parameters are passed - strSite, strDN and strGroupName).

The EnumGroups function queries the strDN parameter where its members are checked. In the Select-Case loop, the object class is further checked; if the object is a group by itself, the function executes again with this group as part of the parameters passed (hence, nested groups will also be queried).

The output of this script is written onto a file (groups.csv). An example output file would look like this:

Stopping and Restarting Multiple Services using VBS

2009-03-23T17:23:00.000-07:00

Here's a script that will stop and then restart multiple services using VB script. It stores the services under an array (in this example, I was working on the BITS, Browser, and wuauserv services). Do note that the Win32_Service.Name property should be used and not the Win32_Service.DisplayName; if you want to make use of the more user-friendly or readable .DisplayName property, you have to modify the query for the variable colListOfServices. This script can also be enhanced to accept arguments from the CLI or read off an input file for a list of services to stop.

This script was created for the following thread from the Microsoft Technet's The Official Scripting Guys Forum:

http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/3db5d54d-1d7f-46c5-9129-2130a7bdfaa8/

Aiza Seguerra @ Singapore Mosaic Music Festival 2009

2009-03-21T07:29:00.000-07:00

The 5th annual Mosaic Music Festival in Singapore kicked off last week and will end tomorrow (22 March). This event features a hotchpotch of bands, artists and musicians of different musical genre from across the world. The Esplanade has played host to this modern day Woodstock (sans the booze and drugs) where the musicians play both indoors and outdoors.

I, together with my wife and kids, had the opportunity to watch Aiza Seguerra perform tonight at the festival outside of the Esplanade. The total performer that she is, she was able to captivate the predominantly Filipino crowd with her OPM-laden set. She was a real gem to watch, a dervish with her six-string. Despite the heavy rain before the show and the slight drizzle when it started, the crowd overflowed even to the stairs leading to the Esplanade itself. She closed her set (her first of the night, I wasn't able to watch the last set though) with a tribute to the King of Pinoy Rap, Francis M, who passed away recently. Her rendetion of FrancisM's Kaleidoscope World literally brought the house down.

Here are some of the pictures I had taken including one showing my kids during the meet-and-greet session with Aiza.

Stage with the Singapore Integrated Resort as the backdrop:

Aiza weaves her magic onstage:

Aiza with Amberdawn and Raidon:

Macro Madness - Part 1

2009-03-07T19:12:00.000-08:00

Okay, a lot of things has kept me busy the past days; I just might blog about some of these activities when time permits. But I did find some time to fiddle with my camera for a few shots. I've always been fascinated with macros, and I did try my hand on shooting some which I would like to share in this post.

Macro Angel (shot taken from my room):

Lilies (Singapore Botanical Gardens):

Photography has been therapeutic for me; it keeps me relaxed and focused. One need not have the best of the camera bodies nor the finest piece of glass. Even an entry-level P&S can capture vivid pictures. So for those looking for some relaxing and fun activity, try photography. =)

Moderating the "The Official Scripting Guys" Forum in Technet

2009-02-27T06:34:00.001-08:00

Yep, I am now one of the moderators of "The Official Scripting Guys Forum" in Technet. I feel humbled to be in the company of the other moderators, the best of the best, whom I have looked up to in the past. This is my own little way of "paying it forward"...

Checking for the Uptime of a Remote Computer

2009-02-12T18:21:00.000-08:00

I've created this script to query for the uptime of a remote computer. It takes, for an argument, the hostname or IP address of the remote machine. Here's the main body of the script:

The main body checks for 1 argument passed when the script is ran; if the number of arguments is not equal to 1, then the script exits. It then calls for the GetUptime procedure:

The GetUptime procedure queries WMI for the Win32_PerfRawData_PerfOS_System class, in particular the Timestamp_Object, Frequency_Object, and the SystemUpTime properties. To calculate for the system uptime in seconds (in my example, I used the iUptimeInSec variable), the following formula was used:

iUptimeInSec = (intPerfTimeStamp - intCounter)/intPerfTimeFreq

This value is then passed to the ConvertTime(seconds) function.

The iUptimeInSec variable was converted to an easier-t0-read format, eg. days, hours, minutes and seconds.

Identifying the current logged in user of a remote host

2009-01-19T18:17:00.001-08:00

Here's a short and simple script to check for the currently logged-in user of a remote computer. This script has been tested on Windows XP and Vista; it may or may not work for older Windows OSes. Save the script as check-user.vbs and pass the remote host (or IP address) as an argument when launching the script (ie, check-user.vbs remote_host). You have to be an administrator of the remote machine being queried in order for the script to run properly.

Conficker.vbs - Conficker (Worm_DownAD) Detector

2009-01-08T21:26:00.000-08:00

Heard from the grapevine that the Conficker (Worm_DownAD) worm is still in the wild (http://msforums.ph/forums/t/50980.aspx). This worm generates randomly named services which makes it a tad difficult to detect and contain. Here's a short script I created to detect for possible rogue services triggered by this worm. The usual disclaimer applies:

The code should be self-explanatory. =)

Walkthrough: Boot WinPE on a USB Thumbdrive

2008-11-25T06:47:00.000-08:00

I was in a bind. I had onhand, a Lenovo X200 which I was trying to install a Vista image on. But this unit had neither a built-in nor an external CD or DVD drive. And all I had my trusted {Insiders} USB thumbdrive:

The WinPE image I was using to boot up is in an ISO format. I used MagicISO to mount the ISO file to access the image's folder structure and its files. Once I had the files and folders ready, I had to do the following steps to be able to boot from my USB thumbdrive:

list disk - displays disk information including disk number, size, and status
select disk x - focuses all subsequent commands on a particular disk
clean - cleans and removes all configuration information from the disk
create partition primary - create a partition (of type primary in our example)
list partition - displays partition information of the disk in focus
select partition y - moves the focus to the partition y
active - marks the partition in focus as the active boot partition
format fs=fat32 - formats the active partition with the FAT32 file system
assign - assigns a drive letter (the next available one) to the disk

I then copied mounted my WinPE ISO and copied the files/folders to the USB thumbdrive. And off I go, booting up WinPE from my {Insiders} USB thumbdrive.

New-Look Gmail

2008-11-20T18:55:00.001-08:00

Have you noticed your new and spanking Gmail lately?

Log-in to your gmail account. Click on Settings --> Themes.

Choose a new theme (you can also add features under Labs). Save the changes and voila, a cool-looking Gmail UI.

Microsoft To Phase-out Live OneCare

2008-11-19T05:56:00.000-08:00

Two years after a very hyped launching of Windows Live OneCare, Microsoft just announced today that the product will be phased out next year and a free security solution (codenamed "Morro") will be released to replace it. The yet-to-be-announced product will offer realtime anti-malware protection solution. OneCare, on the other hand, offers this capability on top of backup and management features. This is to be expected given the fact that Morro, according to Microsoft, is designed to use minimal computing resources to make it amenable to low-bandwidth scenarios and less powerful PCs hence the smaller footprint.

Microsoft also announced that sales of the Windows Live OneCare subscription service as well as Windows Live OneCare for Server on SBS 2008 will end on June 30, 2009. OneCare users will have the option to move to Morro (it will be available everywhere OneCare currently is). The fact that Morro is FOC may also entice end-user adoption. However, I doubt it is capable of dislodging the industry leaders off their roosts in the enterprise security field.

Microsoft's entry to the consumer/enterprise security market way back in 2006 was met with mixed reactions. And with this setback, whatever is left of Microsoft's foothold on this arena has taken a major beating.

Deleting *.bak Files When the Computer Turns Idle (VBS)

2008-11-18T04:30:00.000-08:00

A similar thread from the Technet Forums:
http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/2991aa59-07c6-413e-8bf0-9ffa2bd8f0d3

Here is a script that deletes all *.bak files on a computer's D: drive when the computer becomes idle after 10 minutes.

There is actually a trick behind this script. Using a script to check whether a computer is idle is not really straightforward, but rather relatively complicated (read my lips, I don't know how to do it). I made use of the Screen Saver timeout property via a registry hack, setting it to trigger after 10 minutes (600 seconds) via the sub procedure SetScrSvrTime():

The script checks if the screen saver process is running (it is implied that in this example, the computer is configured with the "Mystify.scr" screen saver). A connection to the WMI service on the local computer is made and an event notification query which fetches within 20 seconds a list of running processes:

The Do-While loop processes the information gathered from this query and checks for the screen saver "Mystify.scr" process. If found, it goes to another loop where a call to the DelFiles(strDrv) sub procedure is launched (strDrv is the parameter passed to the sub procedure which is actually the drive where the *.bak files are going to be deleted). This sub procedure then recursively checks and deletes all *.bak files found:

This script can be further customize to accomplish other things when the computer goes idle. For example, you may want to send out notification, defrag the hard disk, run a back-up and so on. The possibilities are endless, let your imagination loose!

For those interested to have a copy of this script, please drop this post a comment.

MILF Website Hacked

2008-11-17T06:19:00.000-08:00

The Web site of the Moro Islamic Liberation Front (MILF), http://www.luwaran.com/, was reportedly defaced by unidentified hackers last week. It was restored last Saturday after being offline for a number of days.

Mohagher Iqbal, a senior MILF leader, confirmed Saturday that their Web site was hacked by unknown individuals last October 4. Television giant GMA 7 reported that the MILF website had several photos of pigs, animals considered unclean by Muslims. Links to news articles in the MILF website also led to defaced pages featuring pigs. "I love pigs," "i love pigs :D," "Prite bac Prite" and "digdigdig," the headlines read.

Iqbal said that he has no suspect to pinpoint at the moment, refusing to speculate that the Armed Forces of the Philippines (AFP) may be behind it. Meanwhile, the AFP insisted that they have nothing to do with the problem encountered by the MILF website.

A quick check of the http://www.luwaran.com/ domain shows a lot of updates from August to October 2008. The hosting ISP also changed a number of times. I'm still checking for a mirror of the defaced site to provide more clues as who the culprits are. Hackers normally feel they have one-upped the administrators and oftentimes cocky enough to display their tags and "gr33tz".

White Tigers Maul Zoo Cleaner to Death

2008-11-16T05:46:00.000-08:00

Last Thursday, white tigers attacked and killed a Malaysian working as a cleaner in the Singapore Zoo after the man jumped into their enclosure. It was reported in the papers that the man, apparently showing signs of distress and uneasiness, leapt into the moat of the white tiger exhibit and was attacked. The attack happened in full view of a number of people who tried to distract the tigers away from the man by throwing rocks at them. Keepers and other zoo workers managed to pull the man away when the tigers went back to their den obviously distracted by the raucous crowd. The man, however, died on the way to the hospital.

An endangered species, white tigers are mostly found in the wild in South Asia, predominantly in India. A full grown white tiger could weigh over 100 kg and 8 feet from nose to tail. Their distinctive color is actually due to a genetic condition that strips their fur of the orange pigment, leaving the animal with snow white fur, black stripes and blue eyes.

The zoo has temporarily closed the tiger exhibit.

VBS Logoff Script to Log User Information

2008-11-14T04:43:00.000-08:00

Part 1:
http://badzmanaois.blogspot.com/2008/11/script-to-track-local-logins-vbs.html

Here's a follow-up of the login script posted earlier. This is executed when the user logs off. It will log the following information to the output log file:

Event Type (Login/Logoff)
User (Full User Name)
Computer
Date & Time of the Event

The output log file looks like this:

The script defines the location and name of the output log file (C:\LogFile\Login.csv) and calls the sub procedure Main:

The sub procedure Main checks for the current logged in user's account properties such as .UserName, .DomainName, and .ComputerName. The user's full name is then extracted and is passed to the log file (together with the other earlier-mentioned variables):

The user must have modify permission on the output log file.

Microsoft Fixes 7-Year Old Flaw + MS08-068 Exploit

2008-11-12T05:28:00.000-08:00

One of the two patches released by Microsoft for the month of November addresses a vulnerability first reported in 2001 by Josh Buchbinder, better known as Sir Dystic from the Cult of the Dead Cow (cDc). He found a vulnerability in Microsoft operating systems which enables an attacker to gain complete access to a user's computer. He wrote a utility, SMBRelay (and its NETBIOS-bound brother, SMBRelay2), which demonstrates the flaw. Employing man-in-the-middle tactics, the program receives a connection on port 139, connects back to the connecting computer's port 139, and relays the packets between the client and server of the connecting Windows machine, making modifications to these packets when necessary. On top of that, SMBRelay collects the NTLM password hashes and saves it to a file readable by L0pthcrack for cracking.

Apparently, it took Microsoft 7 years to finally address this vulnerability as mentioned here. According to this article, exploit code of this flaw is currently available in the internet. In fact, Metasploit has a PoC/working exploit which runs under the 'sploit framework.

The released patch, although given just a criticality rating of "Important" (whereas, MS08-069 was rated "Critical"), appears more interesting given the fact that this fixes a 7-year old flaw.

Going back to the SMBRelay tool, here are some switches and parameters that the tool uses:

Usage: smbrelay [options]
Options:

/D num - Set debug level, current valid levels: 0 (none), 1, 2 (Default is 0)
/E - Enumerates interfaces and their indexes
/IL num - Set the interface index to use when adding local IP addresses
/IR num - Set the interface index to use when adding relay IP addresses
Defaults to 1. Use /E to display the adapter indexes
/L[+] IP - Set the local IP to listen on for incoming NetBIOS connections
Use + to first add the IP address to the NIC
Defaults to primary host IP
/R[-] IP - Set the starting relay IP address to use
Use - to NOT first add each relay IP address to the NIC
Defaults to 192.1.1.1
/S name - Set the source machine name
Defaults to CDC4EVER

SMBRelay2, on the other hand, has the following switches and parameters:

SMBRelay2 [Options]
Options:
/A LanaNum - Use LanaNum
Defaults to 0
/D DebugLevel - Level of debug messages, valid levels 0 - 3
Defaults to 0
/L LocalName - Listen for primary connection on LocalName
Defaults to SERVER
/R RelayName - Listen for relay connection on RelayName
Defaults to RELAY
/S SourceName - Use SourceName when connecting to target
Defaults to CDC4EVER
/T TargetName - Connect to TargetName for relay
Defaults to connecting back to client

Siloso Beach Sentosa (Singapore)

2008-11-11T05:23:00.000-08:00

Considered as one of the better beaches in Singapore, Siloso Beach lies on the west portion of the southern coast of the island resort of Sentosa. The stretch of beach is home to a number of dining and shopping outlets. However, Siloso beach is better known for the outdoor activities that the beach-going patrons usually engage with such as beach volleyball, canoeing, skim boarding, mountain biking and rollerblading.

Each time my family goes to Sentosa, a Siloso beach stopover is always part of the itinerary. The kids love to frolic by the beach, building sand castles, scouring for sea shells, the usual kidstuff. Me, I just relax and enjoy the scenery. With my wife beside me, of course.

Microsoft Security Bulletin Advance Notification for November 2008

2008-11-10T08:15:00.000-08:00

The usual heads-up from Microsoft for this month mentions two vulnerabilities, one critical and one important. The patches which will address these vulnerabilities will be released on 11 November 2008 (12 November for those in Asia-Pac) during the routine "Patch Tuesday" cycle. Both the vulnerabilities affect the Windows OS from Windows 2000 Pro/Server up to Windows Server 2008 including Windows XP/Vista and Windows Server 2003. Furthermore, a Microsoft Office component is affected. For more information on the affected OS and application plus other relevant information pertaining to the release, please visit the following link:

http://www.microsoft.com/technet/security/Bulletin/MS08-nov.mspx

Expect another busy week ahead, what with all the regression testing, deployment tests, and more that the sys admins and application owners/testers will go through prior to the productive release of the patches in an enterprise. No rest. For the wicked admins.