tag:blogger.com,1999:blog-62951380658174777352011-11-28T01:08:03.689+01:00The Admin Guy's SandBoxRandom thoughts from the system administratorThe Admin Guyhttp://www.blogger.com/profile/03648335659283707124noreply@blogger.comBlogger21100tag:blogger.com,1999:blog-6295138065817477735.post-40278077571765071592009-05-16T16:15:00.001+02:002009-05-16T16:46:25.086+02:00Portscan with Powershell<p>So I found myself in need of a tool which could check whether or not one or more ports are open on a large amount of servers. <br />I ended up with this in powershell:</p> <pre class="code"><font color="blue">param</font><font color="black">([</font><font color="teal">string</font><font color="black">]</font><font color="purple">$list1</font><font color="black">,[</font><font color="teal">string</font><font color="black">]</font><font color="purple">$list2</font><font color="black">)<br /><br /><br /></font><font color="blue">if </font><font color="black">(</font><font color="purple">$list1 </font><font color="red">-eq </font><font color="maroon">""</font><font color="black">){<br /><br /><br /> </font><font color="#5f9ea0">Write-Host </font><font color="maroon">"Please supply Host-list!!" </font><font color="#5f9ea0">-ForegroundColor </font><font color="maroon">Red<br /><br /><br /> </font><font color="blue">break<br /><br /><br /> </font><font color="black">}<br /><br /><br /></font><font color="blue">If </font><font color="black">(</font><font color="purple">$list2 </font><font color="red">-eq </font><font color="maroon">""</font><font color="black">){<br /><br /><br /> </font><font color="#5f9ea0">Write-Host </font><font color="maroon">"Please supply Port-List!!" </font><font color="#5f9ea0">-ForegroundColor </font><font color="maroon">Red<br /><br /><br /> </font><font color="blue">break<br /><br /><br /> </font><font color="black">}<br /><br /><br />[</font><font color="teal">Array</font><font color="black">]</font><font color="purple">$hostlist </font><font color="red">= </font><font color="#5f9ea0">Get-Content </font><font color="purple">$list1<br /><br /><br /></font><font color="black">[</font><font color="teal">Array</font><font color="black">]</font><font color="purple">$ports </font><font color="red">= </font><font color="#5f9ea0">Get-Content </font><font color="purple">$list2<br /><br /><br /></font><font color="navy">$ErrorActionPreference </font><font color="red">= </font><font color="maroon">"SilentlyContinue"<br /><br /><br /></font><font color="purple">$ping </font><font color="red">= </font><font color="#5f9ea0">new-object </font><font color="maroon">System.Net.NetworkInformation.Ping<br /><br /><br /></font><font color="blue">foreach </font><font color="black">(</font><font color="purple">$ip </font><font color="blue">in </font><font color="purple">$hostlist</font><font color="black">) {<br /><br /><br /> </font><font color="purple">$rslt </font><font color="red">= </font><font color="purple">$ping</font><font color="black">.send(</font><font color="purple">$ip</font><font color="black">)<br /><br /><br /> </font><font color="blue">if </font><font color="black">(</font><font color="red">! </font><font color="navy">$?</font><font color="black">){<br /><br /><br /> </font><font color="#5f9ea0">Write-Host </font><font color="maroon">"Host: $ip - not found" </font><font color="#5f9ea0">-ForegroundColor </font><font color="maroon">Red<br /><br /><br /> </font><font color="black">}<br /><br /><br /> </font><font color="blue">else </font><font color="black">{<br /><br /><br /> </font><font color="blue">if </font><font color="black">(</font><font color="purple">$rslt</font><font color="black">.status.tostring() –eq </font><font color="maroon">“Success”</font><font color="black">) {<br /><br /><br /> </font><font color="#5f9ea0">write-host </font><font color="maroon">"Host: $ip - Ports: " </font><font color="#5f9ea0">-foregroundColor </font><font color="maroon">Green </font><font color="#5f9ea0">-NoNewline<br /><br /><br /> </font><font color="blue">foreach </font><font color="black">(</font><font color="purple">$port </font><font color="blue">in </font><font color="purple">$ports</font><font color="black">){<br /><br /><br /> </font><font color="purple">$socket </font><font color="red">= </font><font color="#5f9ea0">new-object </font><font color="maroon">System.Net.Sockets.TcpClient</font><font color="black">(</font><font color="purple">$ip</font><font color="black">, </font><font color="purple">$port</font><font color="black">)<br /><br /><br /> </font><font color="blue">if </font><font color="black">(</font><font color="purple">$socket </font><font color="black">–eq </font><font color="purple">$null</font><font color="black">) {<br /><br /><br /> </font><font color="#5f9ea0">write-host </font><font color="maroon">"$port," </font><font color="#5f9ea0">-ForegroundColor </font><font color="maroon">Red </font><font color="#5f9ea0">-NoNewline<br /><br /><br /> </font><font color="black">}<br /><br /><br /> </font><font color="blue">else </font><font color="black">{<br /><br /><br /> </font><font color="#5f9ea0">write-host </font><font color="maroon">"$port,"</font><font color="#5f9ea0">-foregroundcolor </font><font color="maroon">Green </font><font color="#5f9ea0">-NoNewline<br /><br /><br /> </font><font color="purple">$socket </font><font color="red">= </font><font color="purple">$null<br /><br /><br /> </font><font color="black">}<br /><br /><br /> }<br /><br /><br /> }<br /><br /><br /> </font><font color="blue">else </font><font color="black">{<br /><br /><br /> </font><font color="#5f9ea0">write-host </font><font color="maroon">"Host: $ip - down" </font><font color="#5f9ea0">-ForegroundColor </font><font color="maroon">Red<br /><br /><br /> </font><font color="black">}<br /><br /><br /> }<br /><br /><br /></font><font color="#5f9ea0">Write-Host </font><font color="maroon">""<br /><br /><br /></font><font color="black">}<br /><br /><br /></font><font color="purple">$ping </font><font color="red">= </font><font color="purple">$null</font></pre><br /><br /><p>The script is executed in the following manner:</p><br /><br /><p><strong>[ ] PS> .\script.ps1 hostlist.txt portlist.txt</strong></p><br /><br /><p>In this version, the output of the script is not suited to be piped to a file, as port status is indicated with color.</p> <div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6295138065817477735-4027807757176507159?l=theadminguy.blogspot.com' alt='' /></div>The Admin Guyhttp://www.blogger.com/profile/03648335659283707124noreply@blogger.com0tag:blogger.com,1999:blog-6295138065817477735.post-57960364323652744682009-05-16T16:13:00.002+02:002009-05-16T16:51:39.695+02:00Run MBSA against all machines in WSUS<p></p> <p>As a WSUS administrator, I often find the various views and reports frustrating. </p> <p>Say you have a number of machines, which you want to see the status of from a OS security perspective, but you are not interested in the various other MS products (office, Exchange etc.) – No joy. </p> <p>WSUS will show the machines overall status including <em>everything</em>. Handing report based on that, over to others will surely guarantee that all sorts of time will have to spent explaining all sorts of stuff.</p> <p>Now, I’m sure that some may say that all the information can be gathered from the SQL database in one form or another, in that case, please let me know <img alt=":-)" src="http://s.wordpress.com/wp-includes/images/smilies/icon_smile.gif" /></p> <p>From another perspective, the WSUS also acts like a good database of machines in scope. It provides various key information about the environment, which can surely be used for something..</p> <p>The result of the above was a powershell script to get all the machines in WSUS and perform an MBSA scan against all of them.</p> <p>The MBSA scan’s have the nice, self-explanatory reports and as a bonus they are also able to check for other things than patch status.</p> <p>The script: </p> <pre class="code"><span style="color: green">#We need a date to append to the log files<br /></span><span style="color: purple">$date </span><span style="color: red">= </span><span style="color: black">(</span><span style="color: #5f9ea0">Get-Date</span><span style="color: black">).toshortdatestring()<br /><br /></span><span style="color: green">#Connect to WSUS, if needed load assembly<br /></span><span style="color: purple">$wsusrv </span><span style="color: red">= </span><span style="color: black">[Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()<br /></span><span style="color: blue">If </span><span style="color: black">(</span><span style="color: red">! </span><span style="color: navy">$?</span><span style="color: black">){<br /> [</span><span style="color: teal">Reflection.Assembly</span><span style="color: black">]::</span><span style="color: #8b4513">LoadWithPartialName</span><span style="color: black">(</span><span style="color: maroon">"Microsoft.UpdateServices.Administration"</span><span style="color: black">)<br /> </span><span style="color: purple">$wsusrv </span><span style="color: red">= </span><span style="color: black">[Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()<br /> }<br /> <br /></span><span style="color: green">#Get all machines in WSUS<br /></span><span style="color: purple">$wsusrv</span><span style="color: black">.getcomputertargets() | </span><span style="color: #5f9ea0">select </span><span style="color: maroon">FullDomainName</span><span style="color: black">,</span><span style="color: maroon">IPAddress</span><span style="color: black">,</span><span style="color: maroon">RequestedTargetGroupName </span><span style="color: #5f9ea0">`<br /> </span><span style="color: black">| </span><span style="color: #5f9ea0">tee -Variable </span><span style="color: maroon">wsustargets </span><span style="color: black">| </span><span style="color: #5f9ea0">Export-Csv -NoTypeInformation </span><span style="color: maroon">"$pwd\WSUSTargets-$date.csv"<br /><br /></span><span style="color: green">#Part to remove certain machines which we cannot scan <br />#(like machines with different permissions than the bulk)<br /></span><span style="color: blue">foreach </span><span style="color: black">(</span><span style="color: purple">$target </span><span style="color: blue">in </span><span style="color: purple">$wsustargets</span><span style="color: black">){<br /> </span><span style="color: blue">if </span><span style="color: black">(</span><span style="color: purple">$target</span><span style="color: black">.RequestedTargetGroupName </span><span style="color: red">-eq </span><span style="color: maroon">"SomeFolder"</span><span style="color: black">){<br /> }<br /> </span><span style="color: blue">ElseIf </span><span style="color: black">(</span><span style="color: purple">$target</span><span style="color: black">.RequestedTargetGroupName </span><span style="color: red">-like </span><span style="color: maroon">"*SomeOtherFolder*"</span><span style="color: black">){<br /> }<br /> </span><span style="color: blue">Else </span><span style="color: black">{<br /> </span><span style="color: green">#create array of machines to be scanned<br /> </span><span style="color: black">[</span><span style="color: teal">Array</span><span style="color: black">]</span><span style="color: purple">$MBSAList </span><span style="color: red">+= </span><span style="color: purple">$target</span><span style="color: black">.IPAddress<br /> </span><span style="color: purple">$MBSAList </span><span style="color: black">| </span><span style="color: #5f9ea0">Out-File </span><span style="color: maroon">"$pwd\MBSATargets-$date.csv"<br /> </span><span style="color: black">}<br />}<br /><br /></span><span style="color: green">#execute MBSA against the array created. This array must have been loaded to a file<br /></span><span style="color: purple">$mbsacli </span><span style="color: red">= </span><span style="color: maroon">"C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe"<br /></span><span style="color: purple">$cmdline </span><span style="color: red">= </span><span style="color: maroon">"/listfile " </span><span style="color: red">+ </span><span style="color: maroon">'"' </span><span style="color: red">+ </span><span style="color: maroon">"$pwd\MBSATargets-$date.csv" </span><span style="color: red">+ </span><span style="color: maroon">'"' </span><span style="color: red">+ </span><span style="color: #5f9ea0">`<br /> </span><span style="color: maroon">" /n OS+SQL+IIS+Password /nvc /wa /o " </span><span style="color: red">+ </span><span style="color: maroon">'"%d% - %c% - %IP% (%t%)"' </span><span style="color: red">+ </span><span style="color: #5f9ea0">`<br /> </span><span style="color: maroon">" /qe /qr /rd D:\MBSA_scan_auto"<br /></span><span style="color: purple">$cmdline<br />$process </span><span style="color: red">= </span><span style="color: black">[</span><span style="color: teal">System.Diagnostics.Process</span><span style="color: black">]::</span><span style="color: #8b4513">Start</span><span style="color: black">(</span><span style="color: purple">$mbsacli</span><span style="color: black">,</span><span style="color: purple">$cmdline</span><span style="color: black">)<br /></span><span style="color: purple">$process</span><span style="color: black">.WaitForExit()</span></pre><br /><a href="http://11011.net/software/vspaste"></a><br /><br /><p><br /> <br />Now, very off character for me, I have added some comments in the script, but it is fairly straight forward. </p><br /><br /><p>A list of machines is gathered from the WSUS server and stuffed in a file. The MBSAcli.exe utility is then executed using that file. It is of course possible to execute the MBSAcli.exe using the powershell array:</p><br /><br /><pre class="code"><span style="color: purple">$mbsacli </span><span style="color: red">= </span><span style="color: maroon">"C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe"<br /></span><span style="color: blue">foreach </span><span style="color: black">(</span><span style="color: purple">$target </span><span style="color: blue">in </span><span style="color: purple">$MBSAList</span><span style="color: black">){<br /> </span><span style="color: purple">$cmdline </span><span style="color: red">= </span><span style="color: maroon">"/target $target /n OS+SQL+IIS+Password /nvc /wa /o " </span><span style="color: red">+ </span><span style="color: #5f9ea0">`<br /> </span><span style="color: maroon">'"%d% - %c% - %IP% (%t%)"' </span><span style="color: red">+ </span><span style="color: maroon">" /qe /qr /rd D:\MBSA_scan_auto"<br /> </span><span style="color: purple">$process </span><span style="color: red">= </span><span style="color: black">[</span><span style="color: teal">System.Diagnostics.Process</span><span style="color: black">]::</span><span style="color: #8b4513">Start</span><span style="color: black">(</span><span style="color: purple">$mbsacli</span><span style="color: black">,</span><span style="color: purple">$cmdline</span><span style="color: black">)<br /> </span><span style="color: purple">$process</span><span style="color: black">.WaitForExit()<br />}</span></pre><br /><a href="http://11011.net/software/vspaste"></a><br /><br /><p>But the load of MBSA before each scan will lengthen the scan and will consume more resources (it’s not friendly as it is <img alt=":-)" src="http://s.wordpress.com/wp-includes/images/smilies/icon_smile.gif" /> ) </p><br /><br /><p>But of course there will be machines which cannot be scanned for whatever reason. Above I excluded the once I was sure would fail (due to other permissions) , but some machines may be offline, some with special permissions may hide somewhere etc. </p><br /><br /><p>So in order to get an overview of which machines that do not have a report, I did the following script: </p><br /><br /><pre class="code"><span style="color: blue">param</span><span style="color: black">(</span><span style="color: purple">$mbsareportstore </span><span style="color: red">= </span><span style="color: maroon">"SomeFolder"</span><span style="color: black">)<br /><br /></span><span style="color: green">#Connect to WSUS, if needed load assembly<br /></span><span style="color: purple">$wsusrv </span><span style="color: red">= </span><span style="color: black">[Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()<br /></span><span style="color: blue">If </span><span style="color: black">(</span><span style="color: red">! </span><span style="color: navy">$?</span><span style="color: black">){<br /> [</span><span style="color: teal">Reflection.Assembly</span><span style="color: black">]::</span><span style="color: #8b4513">LoadWithPartialName</span><span style="color: black">(</span><span style="color: maroon">"Microsoft.UpdateServices.Administration"</span><span style="color: black">)<br /> </span><span style="color: purple">$wsusrv </span><span style="color: red">= </span><span style="color: black">[Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()<br />}<br /><br /></span><span style="color: green">#Get all machines in WSUS<br /></span><span style="color: purple">$wsusrv</span><span style="color: black">.getcomputertargets() | </span><span style="color: #5f9ea0">select </span><span style="color: maroon">FullDomainName</span><span style="color: black">,</span><span style="color: maroon">IPAddress </span><span style="color: black">|</span><span style="color: #5f9ea0">tee -Variable </span><span style="color: maroon">wsustargets </span><span style="color: #5f9ea0">`<br /> </span><span style="color: black">| </span><span style="color: #5f9ea0">Export-Csv -NoTypeInformation </span><span style="color: maroon">"$pwd\NewWSUSTargets-$date.csv"<br /><br /></span><span style="color: green">#Get all reports in the scanfile store<br /></span><span style="color: black">(</span><span style="color: #5f9ea0">Get-ChildItem </span><span style="color: purple">$mbsareportstore </span><span style="color: black">| </span><span style="color: #5f9ea0">select </span><span style="color: maroon">name </span><span style="color: black">| </span><span style="color: #5f9ea0">tee -Variable </span><span style="color: maroon">reports</span><span style="color: black">)<br /><br /></span><span style="color: green">#Create the status csv file<br /></span><span style="color: maroon">"Machine,Status,Reportname" </span><span style="color: black">| </span><span style="color: #5f9ea0">out-file </span><span style="color: maroon">"$PWD\FindReportStatus.txt"<br /><br /></span><span style="color: green">#Do something...<br /></span><span style="color: blue">foreach </span><span style="color: black">(</span><span style="color: purple">$target </span><span style="color: blue">in </span><span style="color: purple">$wsustargets</span><span style="color: black">){<br /> <br /> </span><span style="color: green">#because the targets are reurned from WSUS in FQDN format, but reports are stored <br /> #with hostname the domain name is cut of.<br /> </span><span style="color: purple">$b </span><span style="color: red">= </span><span style="color: black">(</span><span style="color: purple">$target</span><span style="color: black">.FullDomainName.ToString()).Split(</span><span style="color: maroon">"."</span><span style="color: black">)<br /> </span><span style="color: purple">$c </span><span style="color: red">= </span><span style="color: purple">$b</span><span style="color: black">[0]<br /> <br /> </span><span style="color: green">#Using Select-string to look for the hostname ($c) in each of the filenames<br /> </span><span style="color: purple">$reports </span><span style="color: black">| </span><span style="color: #5f9ea0">% </span><span style="color: black">{</span><span style="color: #5f9ea0">select-String -pattern </span><span style="color: purple">$c </span><span style="color: #5f9ea0">-inputobject </span><span style="color: navy">$_ </span><span style="color: black">| </span><span style="color: #5f9ea0">tee -variable </span><span style="color: maroon">slct</span><span style="color: black">}<br /> <br /> </span><span style="color: green">#If the hostname is not found in any filename, this is logged in the status file <br /> #and added to a new targetfile for MBSA to use<br /> #Write-Host lines can be removed if script is not executed interactively<br /> </span><span style="color: blue">if </span><span style="color: black">(</span><span style="color: purple">$slct </span><span style="color: red">-eq </span><span style="color: purple">$null</span><span style="color: black">){<br /> </span><span style="color: #5f9ea0">Write-Host </span><span style="color: maroon">"Report Not found for " </span><span style="color: purple">$target</span><span style="color: black">.FullDomainName </span><span style="color: #5f9ea0">-foregroundcolor </span><span style="color: maroon">red<br /> "$c,ReportNotFound,N/A" </span><span style="color: black">| </span><span style="color: #5f9ea0">out-file -append </span><span style="color: maroon">"$PWD\FindReportStatus.txt"<br /> </span><span style="color: purple">$target</span><span style="color: black">.FullDomainName | </span><span style="color: #5f9ea0">Out-File -Append </span><span style="color: maroon">"$PWD\MBSAScanMissing.txt"<br /> </span><span style="color: black">}<br /> </span><span style="color: blue">Else </span><span style="color: black">{<br /> </span><span style="color: #5f9ea0">Write-Host </span><span style="color: maroon">"Report found for " </span><span style="color: purple">$target</span><span style="color: black">.FullDomainName </span><span style="color: #5f9ea0">-foregroundcolor </span><span style="color: maroon">green<br /> "$c,ReportFound,$slct" </span><span style="color: black">| </span><span style="color: #5f9ea0">out-file -append </span><span style="color: maroon">"$PWD\FindReportStatus.txt"<br /> </span><span style="color: purple">$slct </span><span style="color: red">= </span><span style="color: purple">$Null<br /> </span><span style="color: black">}<br />}</span></pre><br /><a href="http://11011.net/software/vspaste"></a><br /><br /><p>This script simply gets the list from WSUS and checks whether a report of each machine exists in the report store. The 2 scripts could be fused into one, but for my purposes, where I need to run script 1 on a regular basis and script 2 on demand, this is the best way.</p> <div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6295138065817477735-5796036432365274468?l=theadminguy.blogspot.com' alt='' /></div>The Admin Guyhttp://www.blogger.com/profile/03648335659283707124noreply@blogger.com1