Archive for category Windows

Low-end Windows Patching

In every environment you will run across systems that are missing some patches.  Sometimes your patch management tool fails, or other circumstances prevent you from getting a patch to a machine.  Most places I see prevent their machines from going straight to Windows Update, and I’ve found myself in situations before where I want the simplest solution to apply a patch on a remote machine without the user knowing and without going through some SCCM or [INSERT TOOL HERE] hell.  Here is a simple method that I have used in the past.  It is a great cheap Windows patching solution.  Of course you need remote admin on the machines in need of the patch to perform these actions.
First visit the appropriate IT professional page to determine the correct switches (usually /quiet /norestart).  For example, for MS11-058 http://technet.microsoft.com/en-us/security/bulletin/ms11-058.  Then create a text file containing the names or IP addresses of the machines in need of the same patch.

type ms11-058.txt
windowsbox1
172.16.2.2
172.16.3.3
windowsbox2
windowsbox3
windowsbox4
windowsbox5

Then create a batch file that reads the ms11-058.txt and copies the patch to the remote machine’s c:\windows\temp and then runs the patch command syntax on the machine.

type ms11-058.bat
@echo off
REM MS11-058 (Windows6.0-KB2562485-x86.msu)

REM Copy the .msu to c:\windows\temp on every machine named in ms11-058.txt via the admin share.
FOR /F "tokens=*" %%G IN (ms11-058.txt) DO xcopy Windows6.0-KB2562485-x86.msu \\%%G\c$\windows\temp\

REM Run the installer on the same list of machines; wmic prompts once for the password of YourAdminAccount.
wmic /node:"@ms11-058.txt" /user:YourAdminAccount process call create "cmd.exe /c cd c:\Windows\Temp && C:\Windows\Temp\Windows6.0-KB2562485-x86.msu /quiet /norestart"

And if the Microsoft gods are smiling on you that day, the pc should now be patched.
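As an added example (not the post's original ms11-058.bat), here is a version of the same idea with the checks a practitioner usually wants before pushing a patch blind: it skips hosts whose admin share is unreachable, skips hosts that already report the KB through wmic qfe, hands the .msu to wusa.exe explicitly (the program that installs .msu packages), and logs the per-host outcome. It keeps the post's file and KB names (Windows6.0-KB2562485-x86.msu, KB2562485) and its YourAdminAccount placeholder; the log file name is an assumption. The password is read once with set /p so wmic does not prompt for every host, which means it is echoed on screen and appears on the local wmic command line, so run this from an admin workstation you trust.

```batch
@echo off
REM Added example, not the post's original ms11-058.bat: patch each host listed
REM in ms11-058.txt, skip hosts that are unreachable or already report the KB,
REM hand the .msu to wusa.exe, and log the per-host result.
REM File and KB names are the post's; ms11-058-results.log is an assumption.
setlocal
set "PATCH=Windows6.0-KB2562485-x86.msu"
set "KB=KB2562485"
set "HOSTS=ms11-058.txt"
set "LOG=ms11-058-results.log"
set "ADMIN=YourAdminAccount"
REM Read once so wmic does not prompt per host. Echoed on screen; a password
REM containing ^ or ^& or ^| would need escaping.
set /p "PASS=Password for %ADMIN%: "

echo Patch run started %DATE% %TIME% > "%LOG%"

REM Lines starting with ; in the host list are ignored by for /f.
for /f "usebackq tokens=* delims=" %%G in ("%HOSTS%") do (
    if not exist "\\%%G\c$\windows\temp\" (
        echo %%G: admin share unreachable, skipped >> "%LOG%"
    ) else (
        REM wmic qfe prints a row only if the hotfix is listed. If WMI itself
        REM is unreachable nothing is printed and the host is treated as unpatched.
        set "HAVE="
        for /f "usebackq skip=1 tokens=1" %%H in (`wmic /node:"%%G" /user:%ADMIN% /password:%PASS% qfe where "HotFixID='%KB%'" get HotFixID 2^>nul`) do set "HAVE=%%H"
        if defined HAVE (
            echo %%G: %KB% already installed, skipped >> "%LOG%"
        ) else (
            xcopy /Y "%PATCH%" "\\%%G\c$\windows\temp\" >nul
            REM wusa.exe installs .msu packages. ReturnValue = 0 from Win32_Process.Create
            REM means the process started, not that the install succeeded.
            set "RV="
            for /f "usebackq tokens=3" %%R in (`wmic /node:"%%G" /user:%ADMIN% /password:%PASS% process call create "wusa.exe C:\Windows\Temp\%PATCH% /quiet /norestart" 2^>nul ^| find "ReturnValue"`) do (
                set "RV=%%R"
                if "%%R"=="0;" (
                    echo %%G: wusa started, confirm with wmic qfe after the next reboot >> "%LOG%"
                ) else (
                    echo %%G: could not start wusa, ReturnValue %%R >> "%LOG%"
                )
            )
            if not defined RV echo %%G: wmic process create returned nothing, check WMI/RPC on the host >> "%LOG%"
        )
    )
)
echo Done, results in %LOG%
endlocal
```

Run it from the directory holding ms11-058.txt and the .msu. The qfe check is what turns this from "fire and forget" into something you can re-run safely: a second pass after the reboot window only touches hosts that still lack the KB, and the log tells you which hosts never answered over WMI at all.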


Kludge 3.0

The other month I updated my remote information gathering script, Kludge, to include some extra features and redid the method in which it is deployed to the target machine.  Basically, I added some timeline creation reports and made it easier to deploy.

To run Kludge, download it here and unzip.  There should be 3 files.

  • Run-Kludge.bat
  • kludge.zip
  • 7za.exe

Running the batch file should copy kludge.zip and 7za.exe over to the target machine, unzip kludge.zip to c:\windows\temp\analysis, and then run another batch file that was unzipped.  Once the script is done, a zipped Report file will be copied back to the machine you initiated it from.

When you run the batch file via cmd line or double click the Run-Kludge.bat it should prompt you to answer some questions.

  • An Option Level (1 – 3)
  • An associated Ticket Number
  • The Analyst’s first name
  • Remote machine name/IP
  • Your Admin username
  • A local directory on your machine where the report should be saved (you can just use a period for the current directory)

It will prompt you for your password twice.  If you fat-finger the password and hit Enter then it is best to Ctrl+C it and start over.  It is not very forgiving.

The batch script performs the following actions:

  • copy kludge.zip to the target’s c:\windows\temp
  • copy 7za.exe to the target’s c:\windows\temp
  • create a process on the target using wmic to unzip kludge.zip to c:\windows\temp\analysis
  • wmic will then ask the analyst to enter their admin password
  • create a process on the target using wmic that executes a batch file starting the data collection
  • wmic will prompt again for a password
  • once the report file exists on the target, the following steps happen
  • a zipped up Report file will be copied from the target to your local machine
  • the extracted zip folder “analysis”, kludge.zip and 7za.exe will be deleted from the target
  • if memory was captured it will also be copied over
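The sequence above, written out as an added example rather than the Run-Kludge.bat that ships in the zip: stage the two files over the admin share, unpack and start the collector with wmic (which prompts for the admin password twice, exactly as the post describes), wait for the report with a bounded poll instead of an open-ended one, copy it back, and only then clean up the target. The post's names (kludge.zip, 7za.exe, c:\windows\temp\analysis) are used as-is; the collector batch name collect.bat, the report name Report.zip, the memory image name memory.dmp and the two "done" marker files are placeholders assumed here because the post does not give them. The markers exist because wmic process create returns immediately, so the script needs some signal that unzip and collection have actually finished before it copies or deletes anything.

```batch
@echo off
REM Added example, not the Kludge distribution's Run-Kludge.bat.
REM Usage: this-script.bat target adminuser localdir
REM Assumed names: collect.bat (collector inside kludge.zip), Report.zip,
REM memory.dmp, and the marker files unzip.done / collect.done.
setlocal
set "TARGET=%~1"
set "ADMIN=%~2"
set "DEST=%~3"
if "%DEST%"=="" (echo usage: %~nx0 target adminuser localdir & exit /b 1)
set "REMOTE=\\%TARGET%\c$\windows\temp"
set "WORK=c:\windows\temp\analysis"
REM Polling rounds of 20 s while waiting for the collector: 90 rounds = 30 min.
set "MAXWAIT=90"

REM 1. Stage the tools. xcopy /Y avoids the overwrite prompt on a re-run.
if not exist "%REMOTE%\" (echo %TARGET%: admin share unreachable & exit /b 1)
xcopy /Y kludge.zip "%REMOTE%\" >nul || exit /b 1
xcopy /Y 7za.exe "%REMOTE%\" >nul || exit /b 1

REM 2. Unpack on the target (first password prompt). The process runs
REM asynchronously, so it drops a marker file when 7za has finished.
wmic /node:"%TARGET%" /user:%ADMIN% process call create "cmd.exe /c c:\windows\temp\7za.exe x c:\windows\temp\kludge.zip -o%WORK% -y && echo ok> c:\windows\temp\unzip.done"
call :waitfor "%REMOTE%\unzip.done" 6 || (echo %TARGET%: unzip did not finish & exit /b 1)

REM 3. Start the collection (second password prompt), again with a marker
REM so we know when the collector has exited and released its files.
wmic /node:"%TARGET%" /user:%ADMIN% process call create "cmd.exe /c cd /d %WORK% && %WORK%\collect.bat && echo ok> c:\windows\temp\collect.done"
call :waitfor "%REMOTE%\collect.done" %MAXWAIT% || (echo %TARGET%: collector still running after %MAXWAIT% rounds, target left untouched & exit /b 1)

REM 4. Pull the report, plus the memory image if one was taken.
if not exist "%REMOTE%\analysis\Report.zip" (echo %TARGET%: collector finished but no Report.zip, target left untouched & exit /b 1)
xcopy /Y "%REMOTE%\analysis\Report.zip" "%DEST%\" >nul || (echo %TARGET%: copy failed, target left untouched & exit /b 1)
if exist "%REMOTE%\analysis\memory.dmp" xcopy /Y "%REMOTE%\analysis\memory.dmp" "%DEST%\" >nul

REM 5. Clean up only after the report is safely local.
rd /s /q "%REMOTE%\analysis"
del /q "%REMOTE%\kludge.zip" "%REMOTE%\7za.exe" "%REMOTE%\unzip.done" "%REMOTE%\collect.done"
echo %TARGET%: report saved to %DEST%
exit /b 0

:waitfor
REM Poll for the file given as the first argument every 20 s, up to the number
REM of rounds given as the second argument. Returns 1 on timeout.
for /l %%I in (1,1,%~2) do (
    if exist "%~1" exit /b 0
    timeout /t 20 >nul
)
exit /b 1
```

The important design choice is that every early exit leaves the target alone: if the collector never finishes or the copy back fails, the analysis folder stays in place for manual retrieval rather than being deleted with the evidence still in it.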

An overview and the script can be downloaded from the links below:
Kludge: kludge-3.20110223.zip
Kludge Overview PDF: Kludge.pdf


wmic not working

I ran across a machine today that wasn’t letting me run wmic commands on it.  I was getting a few different errors:

Description = The RPC server is unavailable.
Facility = Win32
Parsing Mof File: C:\WINDOWS\System32\wbem\Cli.mof(Phase Error - 3)

After a good deal of fiddling I got it to work by doing the following:

  • stop winmgmt and its needed dependencies
  • go to \\remotemachine\c$\windows\system32\wbem
  • rename the Repository directory to something else
  • start winmgmt on the remote machine
  • open a cmd window via psexec on the remote machine and add an HKCU key

REM stop winmgmt; services that depend on it must be stopped first
REM (sc \\remotemachine enumdepend winmgmt lists them)
sc \\remotemachine stop winmgmt
REM move the repository aside; winmgmt rebuilds it on the next start
pushd \\remotemachine\c$\windows\system32\wbem
ren Repository Repository.old
popd
sc \\remotemachine start winmgmt
REM open a command prompt on the remote machine and add the HKCU value
psexec \\remotemachine cmd.exe
reg add "hkcu\Environment" /v PROCESSOR_ARCHITECTURE /t REG_SZ /d x86

Then, while still in the remote cmd window, try wmic and it should work:

wmic process list brief
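The same repair as an added, scripted example (not the post's own commands), with a check after each step so you can see where it fails rather than guessing: it first tests whether WMI on the host answers at all, stops only the dependents of winmgmt that are actually running and restarts them afterwards, moves the repository aside under a dated name instead of deleting it, waits for the service state transitions, and falls back to the post's HKCU PROCESSOR_ARCHITECTURE workaround via psexec only if wmic still fails. It assumes the remote host name is passed as the first argument, that you have admin rights on it, and that psexec.exe is on the PATH. One caveat worth knowing before renaming anything: a moved repository can be put back by stopping winmgmt and renaming it again, and on Vista and later `winmgmt /salvagerepository` (run on the host) is the less destructive thing to try first.

```batch
@echo off
REM Added example, not the post's own commands: scripted WMI repository repair
REM with state checks. Usage: this-script.bat remotehost
setlocal EnableDelayedExpansion
if "%~1"=="" (echo usage: %~nx0 remotehost & exit /b 1)
set "HOST=%~1"
set "WBEM=\\%HOST%\c$\windows\system32\wbem"

REM 0. Does WMI answer at all? If so there is nothing to repair.
wmic /node:"%HOST%" os get caption 2>nul | find "Windows" >nul && (echo %HOST%: WMI already responding & exit /b 0)

REM 1. Running services that depend on winmgmt must be stopped first, or
REM sc stop fails. Remember them so they can be restarted at the end.
set "DEPS="
for /f "tokens=2" %%D in ('sc \\%HOST% enumdepend winmgmt 10000 ^| findstr /c:"SERVICE_NAME"') do (
    call :getstate %%D
    if /i "!STATE!"=="RUNNING" (
        echo stopping dependent service %%D
        sc \\%HOST% stop %%D >nul
        set "DEPS=!DEPS! %%D"
    )
)
sc \\%HOST% stop winmgmt >nul
call :waitstate winmgmt STOPPED || (echo %HOST%: winmgmt did not stop & exit /b 1)

REM 2. Move the repository aside under a dated name rather than deleting it.
pushd "%WBEM%" || (echo %HOST%: cannot reach %WBEM% & exit /b 1)
set "BAK=Repository.%DATE:/=-%.bak"
set "BAK=%BAK: =_%"
ren Repository "%BAK%" && (echo repository moved to %BAK%) || (popd & echo %HOST%: Repository not found or rename failed & exit /b 1)
popd

REM 3. Start winmgmt; it builds a fresh repository on first start.
sc \\%HOST% start winmgmt >nul
call :waitstate winmgmt RUNNING || (echo %HOST%: winmgmt did not start & exit /b 1)
for %%D in (%DEPS%) do sc \\%HOST% start %%D >nul

REM 4. Re-test; apply the post's HKCU workaround inside a psexec session only if still failing.
wmic /node:"%HOST%" process list brief >nul 2>&1 && (echo %HOST%: WMI repaired & exit /b 0)
echo %HOST%: WMI still failing, applying the PROCESSOR_ARCHITECTURE workaround via psexec
psexec \\%HOST% cmd /c "reg add hkcu\Environment /v PROCESSOR_ARCHITECTURE /t REG_SZ /d x86 /f && wmic process list brief"
exit /b %ERRORLEVEL%

:getstate
REM Sets STATE to the 4th token of the STATE line of sc query, e.g. RUNNING or STOPPED.
set "STATE="
for /f "tokens=4" %%S in ('sc \\%HOST% query %~1 ^| findstr /c:"STATE"') do set "STATE=%%S"
exit /b 0

:waitstate
REM Poll up to 30 s for service %1 to reach state %2.
for /l %%I in (1,1,15) do (
    call :getstate %1
    if /i "!STATE!"=="%~2" exit /b 0
    timeout /t 2 >nul
)
exit /b 1
```

The state polling matters more than it looks: `sc stop` and `sc start` return as soon as the request is accepted, so renaming the repository immediately after `sc stop` can race a winmgmt that is still in STOP_PENDING and has the directory open.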