NT Admin Tip #353: Carvdawg's Perl Page



This is a mirror of Carvdawg's page

I've needed a forum for posting my Perl scripts, so that I can get them out there.  Any comments or questions that you have can be .

There is no particular order to these scripts.  They are mostly just things I've pulled together over time, found useful, and decided to share.  Many of these scripts have appeared in my presentations or published articles.  Also, many of these scripts have been successfully compiled with Perl2Exe and employed as binary executables.

Null.pl
My particular favorite is null.pl.  This script performs null session enumeration from NT and 2K machines.  I've tested it by running it NT -> NT, NT -> 2K, and 2K -> NT.  Works great!  In fact, it was mentioned in Todd Sabin's (RAZOR Team from BindView) presentation during BlackHat in Feb, '01.

FSW.pl
File System Watcher is my first shot at developing a means to watch changes to the file system, without using the EventLog.  FSW.pl uses the Win32::AdvNotify module, which is a great leap forward from the Win32::ChangeNotify module.  Future advances include incorporating Win32::Daemon, event notification, directory mirroring and replication, and distribution as a standalone .exe file.

Sniffer.pl
This script is used to detect the presence of the WinPcap packet capture device driver.  This is intended as an alternative for admins who wish to detect the use of packet sniffers.  This is not a complete solution, but many of the available packet sniffer tools (snort, WinDump, Ethereal, and even L0phtCrack3) require the use of the device driver.  Administrators can run sniffer.pl from a centralized location, or locally as part of an incident response investigation.  Other steps may include locating packet.sys and packet.dll within the file system, or using keytime.pl on the Registry keys to determine when the drivers were installed.

Mdmchk.pl
This script checks remote NT machines for the existence of a modem driver.  This is particularly useful in determining if a workstation has a modem installed.

Startup.pl
This script checks the startup configuration of local and remote NT systems.  The idea is to check all locations (i.e., files, directories, and Registry keys) for suspicious entries.  In the case of shortcuts located in the StartUp folders of users, the executables linked to can be 'fingerprinted' using MD5 hashes as an extra step to ensure that the files haven't been overwritten by something very, very bad.  (This will become more important as Internet worms continue to evolve.)

Astream.pl and ads.pl
Astream.pl is a Perl script that demonstrates how an NTFS alternate data stream (ADS) can be created programmatically.  Ads.pl is a script that detects ADSs.  Ads.pl is based on Dave Roth's streams.pl script from his latest book, with some modifications added to include checking the directory listing.  Thanks goes to Frank Heyne for pointing out how to check the directory listing for ADSs.

Service.pl
This script retrieves information about services from NT and 2K systems.  The output is in comma-delimited text, suitable for piping across a socket and opening with Excel.

Share.pl
Share.pl retrieves information about shares from NT/2K systems.

Mac.pl
Mac.pl retrieves file MAC times from NT/2K systems. Updates as of 5 Oct: collecting owner information.

Finfo.pl
This script retrieves file information from the resource section of an executable file.  This information usually includes such things as company name, product description, product version, etc., if it is provided.  Updates as of 5 Oct: collection of MAC times and owner before accessing the file.

DumpEvt.pl
DumpEvt.pl dumps the contents of the EventLogs to STDOUT in a comma-delimited format, suitable for opening in Excel.  This script has the added benefit of retrieving audit configuration information, as well.  Note: As of 5 Oct '01, this script has been updated.  Some minor issues with the handling of the event description were addressed.

Sigs.pl
This script allows the administrator to perform file signature analysis.  To use this script, the administrator should first copy the file signatures from the bottom of the script to a file called 'sigs'...with NO extension.  This file should be in the same directory as the script.  Then, simply run the script against a file.  This script can be easily modified using code from the 'mac.pl' script to perform file signature analysis on more than one file at a time.
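The following is an added example of the file signature check described above; it is not sigs.pl itself.  It assumes a 'sigs' file in the script's directory where each line is a hex signature followed by a description (the three sample lines in the comment are constructed for this example, not copied from sigs.pl), reads the first bytes of each file named on the command line, and reports every signature that matches alongside the extension the file claims, so a mismatch between the two stands out.

```perl
#!/usr/bin/perl
# Added example (not Carvdawg's sigs.pl): file signature analysis.
# Assumed 'sigs' file format, one signature per line (constructed sample):
#   4D5A        MS-DOS/Windows executable (MZ)
#   D0CF11E0    OLE2 compound document (Office)
#   4C000000    Windows shortcut (.lnk)
use strict;
use warnings;
use FindBin qw($Bin);
use List::Util qw(max);

# Load the 'sigs' file (no extension) from the same directory as the script.
sub load_sigs {
    my ($path) = @_;
    my @sigs;
    open(my $fh, '<', $path) or die "Cannot open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;                 # skip comments and blanks
        my ($hex, $desc) = split(/\s+/, $line, 2);
        next unless $hex =~ /^[0-9A-Fa-f]+$/ && length($hex) % 2 == 0;
        push @sigs, { bytes => pack('H*', $hex), desc => $desc // '' };
    }
    close $fh;
    return \@sigs;
}

# Compare the file header against every signature; return matching descriptions.
sub check_file {
    my ($file, $sigs) = @_;
    my $need = max(map { length $_->{bytes} } @$sigs) || 0;
    open(my $fh, '<:raw', $file) or return ("ERROR: $!");
    my $hdr = '';
    read($fh, $hdr, $need);                           # only the header is needed
    close $fh;
    my @hits = map  { $_->{desc} }
               grep { substr($hdr, 0, length $_->{bytes}) eq $_->{bytes} } @$sigs;
    return @hits ? @hits : ('no match');
}

my $sigs = load_sigs("$Bin/sigs");
die "Usage: $0 <file> [file ...]\n" unless @ARGV;
for my $file (@ARGV) {
    # Print the claimed extension next to what the header actually says.
    my ($ext) = $file =~ /\.([^.\\\/]+)$/;
    printf "%s\t%s\t%s\n", $file, $ext // '(none)', join('; ', check_file($file, $sigs));
}
```

Run it as `perl sigcheck.pl c:\temp\somefile.tmp` (or with several files, which is the extension the text suggests building from mac.pl).  A file whose extension says one thing and whose header says another is the case worth a second look; a file that matches no signature is not necessarily suspicious, only unknown to the signature list.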

Keytime.pl
This script retrieves the LastWrite times from Registry keys.  Simply enter the full path of the Registry key at the command line...any keys with spaces in the names should be wrapped in double quotes (i.e., "...").

Rights.pl
Rights.pl displays the rights and privileges a user has on NT/2K systems.  In verbose mode, it also displays group membership.

Hasher.pl
Hasher.pl is a script that creates a Tk GUI to implement a hashing utility for NT/2K.  I wrote this at the request of a friend, and he specifically wanted a GUI.  The script was successfully compiled using Perl2Exe, and the resulting standalone .exe file was successfully tested on NT SP6a and 2K SP2.

The CLI (command line interface) version of this tool is located in the Hash.zip archive.  Simply unzip all of the files to a directory, and run the tool.  The only argument it takes is the name of a file or directory.

C:\>hash c:\temp\somefile.tmp
C:\>hash c:\

If a directory is passed to the tool, it returns MD5 and SHA1 hashes for all of the files in that directory.
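The script below is an added example of a command-line hashing tool along the lines described above; it is not the Hash.zip tool and does not reproduce its output format.  It takes a file or directory argument, computes MD5 and SHA1 in a single pass over each file using the standard Digest::MD5 and Digest::SHA modules, and writes comma-delimited lines (path, size, MD5, SHA1) in the same Excel-friendly style the other scripts on this page use.

```perl
#!/usr/bin/perl
# Added example (not the Hash.zip tool): MD5 and SHA1 for a file or a directory.
use strict;
use warnings;
use Digest::MD5;
use Digest::SHA;
use File::Find;

# Hash one file, feeding both digests from a single read of the file.
# Returns (md5_hex, sha1_hex), or an empty list if the file cannot be opened.
sub hash_file {
    my ($path) = @_;
    open(my $fh, '<:raw', $path) or return;
    my $md5 = Digest::MD5->new;
    my $sha = Digest::SHA->new(1);                    # 1 selects SHA-1
    while (read($fh, my $buf, 65536)) {
        $md5->add($buf);
        $sha->add($buf);
    }
    close $fh;
    return ($md5->hexdigest, $sha->hexdigest);
}

# Emit one comma-delimited record: path, size in bytes, MD5, SHA1.
sub report {
    my ($path) = @_;
    my ($md5, $sha1) = hash_file($path);
    unless (defined $md5) {
        print STDERR "Cannot read $path: $!\n";
        return;
    }
    printf "%s,%d,%s,%s\n", $path, -s $path, $md5, $sha1;
}

my $target = shift @ARGV or die "Usage: $0 <file|directory>\n";
print "path,size,md5,sha1\n";
if (-d $target) {
    # Walk the directory tree; hash regular files only, skip links and devices.
    find({ wanted => sub { report($File::Find::name) if -f $_ && !-l $_ },
           no_chdir => 1 }, $target);
} elsif (-f $target) {
    report($target);
} else {
    die "$target is not a file or directory\n";
}
```

Redirecting the output to a .csv file gives a baseline that can be diffed against a later run, which is the same 'fingerprinting' idea the startup.pl entry describes for StartUp-folder shortcuts.  On a directory this recurses, unlike the description above, which lists only the files in the directory given.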