VBS Script to map NAS network smb drives over specific SSID wifi homenets (non GPO script)

I recently posted this script on usenet because some many people now
have NAS storage devices accessible via there home wifi networks.

This script should help out the people with the question on how to mount a network attached storage device (like my coolmax NAS) to there windows profile during windows boot.

This vbs works by utilizing the wmi and cimv2 mappings to access the the MSNdis_80211_Configuration and the Win32_NetworkAdapter references.

You need to have the local WMI service enabled for this to work.

FYI:This has been tested under Windows XP.

'file: nasmapper.vbs
'launch with "cscript c:\nasmapper.vbs //nologo" -> /programs/startup
'VBS Script to map NAS over wifi homenets (non GPO script)

'Shadowbq - 2009 BSD License
'Reference Functions: ScriptGuy! (MS)
', quiet_lurker (neowin), Aaron P(neowin)

Option Explicit

Dim objWMIService, objNet
Dim intSleep, WNICName, knownSSID, retries, maxRetries
Dim mapDrive, mapLocation, mapUsername, mapPassword

knownSSID="URWP80" 'SSID of Hotspot that has mapped location
WNICName="Dell Wireless 1470 Dual Band WLAN Mini-PCI Card"
'Nic name listed in WMI
maxRetries = 10
'maxRetries * intSleep/1000 ~= total possible seconds
intSleep = 2000 'wait cycles
mapDrive = "Y:" 'Map to Drive
mapLocation = "\\storage\public" 'Location of Share
mapUsername = "Guest" 'User Account for Share
mapPassword = "" 'User Password for Share

'If your having problems finding the WNICName you can use the
'\\root\wmi call to ("Select * From MSNdis_80211_Configuration") flip
' through all wireless devices..


Private Sub GetWMI(WMIArray, WMIQuery, WMIRoot)
'On error resume Next
DIM WMIClass

Set WMIClass = GetObject("winmgmts:{impersonationLevel=impersonate}!\_
\.\root\" & WMIRoot)
If not(WMIClass is nothing) Then Set WMIArray = WMIClass.ExecQuery_
(WMIQuery)

End Sub


Function SSID()
'On error resume Next
DIM objSSIDSet, objSSID, ID, i

Call GetWMI(objSSIDSet, "Select * from_
MSNdis_80211_ServiceSetIdentifier Where active=true", "wmi")

For Each objSSID in objSSIDSet
ID = ""

For i = 0 to objSSID.Ndis80211SsId(0)
ID = ID & chr(objSSID.Ndis80211SsId(i + 4))
Next

SSID = ID
Next
End Function

Function WNICStatus()
Dim colItems, objItem, strStatus

Call GetWMI(colItems, "Select * from Win32_NetworkAdapter where Name_
= '" & WNICName & "'", "cimv2")

For Each objItem in colItems
Select Case objItem.NetConnectionStatus
Case 0 strStatus = "Disconnected"
Case 1 strStatus = "Connecting"
Case 2 strStatus = "Connected"
Case 3 strStatus = "Disconnecting"
Case 4 strStatus = "Hardware not present"
Case 5 strStatus = "Hardware disabled"
Case 6 strStatus = "Hardware malfunction"
Case 7 strStatus = "Media disconnected"
Case 8 strStatus = "Authenticating"
Case 9 strStatus = "Authentication succeeded"
Case 10 strStatus = "Authentication failed"
Case 11 strStatus = "Invalid address"
Case 12 strStatus = "Credentials required"
End Select
Next

WNICStatus = strStatus
End Function

Function fnMapNetworkDrive (Drive, Path, Uname, Upass)
Dim i, oDrives
set objNet = Wscript.CreateObject("Wscript.Network")
Set oDrives = objNet.EnumNetworkDrives
For i = 0 to oDrives.Count - 1 Step 2
' Find out if an existing network drive exists
If oDrives.Item(i) = Drive Then
WScript.Echo "Removing drive: " & Drive
objNet.RemoveNetworkDrive Drive, true, true
End If
Next
WScript.Echo "Mapping drive: " & Drive & " to path: " & Path
objNet.MapNetworkDrive Drive, Path, false, Uname, Upass
fnMapNetworkDrive = "[completed mapping drive]"
Set i = Nothing
Set oDrives = Nothing
Set Drive = Nothing
Set Path = Nothing
End Function

Dim nicStatus, nicSSID

WScript.Echo "NAS Wifi Mapper"
WScript.Echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-"
WScript.Echo "[Checking NIC Status]"

nicStatus = WNICStatus()
retries = 0

while (StrComp(nicStatus, "Connected") <> 0)
If (retries < maxRetries) Then
retries = retries + 1
Wscript.Echo "Nic " & nicStatus & ".."
Wscript.Sleep intSleep
nicStatus = WNICStatus()
Else
Wscript.Error "*** Max # of connection attempts reached"
End If
Wend
Wscript.Echo "Connected .. continuing"

WScript.Echo "[Checking SSID Status]"
nicSSID = SSID()
nicSSID = Left(nicSSID, len(nicSSID)-1)

Wscript.Echo "SSID: " & nicSSID

If (StrComp(nicSSID, knownSSID) = 0) Then
Wscript.Echo "[Correct SSID]"
Else
On Error Resume Next
Dim errDescription, errSource
errSource = "NAS Mapper"
errDescription = "Incorrect SSID for network share to be established"
Wscript.Echo "An Error:'" & errDescription & "' by '" & errSource &_
"'."
WScript.Quit 8
End If

WScript.Echo "[Mapping Drive] "
Wscript.Echo fnMapNetworkDrive (mapDrive, mapLocation, mapUsername,
mapPassword)

WScript.Quit

Command Line Capistrano Forked

#!/usr/local/bin/ruby

# Command Line Capistrano Forked
# (Forked version)
# written by Scott MacGregor - 2008

require 'rubygems'
require 'capistrano/configuration'
require 'stringio'
require 'optparse'
require 'syslog'


#Gather list of hosts and create capistrano role string
def monitorlist(hostlist)
commandstring = "role :sensor, "
if hostlist.respond_to? :last
hostlist.each do |hosttarget|
hosttarget == hostlist.last ? commandstring << "\"#{hosttarget.strip}\"" : commandstring << "\"#{hosttarget.strip}\", "
end
else
commandstring << "\"#{hostlist.strip}\""
end
return commandstring
end

#Perfom desired login method
def logit (outputIO, logmethod)
if logmethod
Syslog.open('monitord')
outputIO.string.each {|line|

#ignore monitord information lines
if line.include?("\[monitord\]")
next
end


#strip out tty special characters
# ^\[[33m
line.gsub!(/\^\[\[[0-9]+m/,"")
# \e[37m
line.gsub!(/\e\[[0-9]+m/,"")
# \033[31m
line.gsub!(/\\[0-9]+\[[0-9]+m/,"")

#strip out preceding stars
line.gsub!(/^\s*[*]*/,"")

line.strip!

#uncomment this line if you want STDOUT while SYSLOGING
#p line

if line.downcase.include?("fail")
Syslog.crit(line)
else
Syslog.notice(line)
end
}
end
end

# Run Forked Process
def tick(queryhost, outputIO, logmethod)
pid = fork {

pidhost = Capistrano::Configuration.new
if OPTIONS[:syslog]
pidhost.logger = Capistrano::Logger.new(:output => outputIO)
else
pidhost.logger = Capistrano::Logger.new
end
pidhost.load(File.dirname(File.expand_path(__FILE__)) + "/capfile")
pidhost.load(:string => monitorlist(queryhost.strip))

# pidhost.set :user, 'capistrano'
# pidhost.ssh_options[:username] = monitord'
# pidhost.ssh_options[:host_key] = 'ssh-dsa'
# pidhost.ssh_options[:paranoid] = false

pidhost.logger.level = OPTIONS[:debug_level]
begin
#Call the Capistrano Namespace & command to fork
pidhost.monitor.default
rescue Exception => e
puts "\t[" + queryhost.strip + "] " + " Failed to establish connection."
outputIO.puts "\t[" + queryhost.strip + "] " + " Failed to establish connection."
end

logit(outputIO, logmethod)

}
Process.waitpid(pid, Process::WNOHANG)
end


# Set default options and initializations
OPTIONS = {
:file => "monitorlist",
:syslog => false,
:debug_level => 0,
:dest => File.expand_path(File.dirname($0)),
:hostslist => ""
}
hosts=[]

#Read Command Line Options
ARGV.options do |o|
script_name = File.basename($0)

o.set_summary_indent(' ')
o.banner = "Usage: #{script_name} [OPTIONS]"
o.define_head "Run capistrano command forked from outside capistrano with additional options.\nWritten by: Scott MacGregor 2008"

o.separator ""
o.separator "Monitord options:"
o.on("-R", "--read=[val]", String,
"Read monitor host list from file",
"Default: #{OPTIONS[:file]}") { |OPTIONS[:file]| }
o.on("-L", "--hosts=[val]", String,
"List of comma seperated hosts. Encased in double quotes.", "(*OVERRIDES -R option)" ) { |OPTIONS[:hostslist]| }
o.on("-S", "--syslog",
"SYSLOG all output") { |OPTIONS[:syslog]| }

o.separator ""
o.separator "Common Usage: "
o.separator "\t./monitord --hosts=\"hostname1, hostname2\""
o.separator "\t./monitord -R \"customhosts.txt\""

o.separator ""
o.separator "Common options:"
o.on("--debug=[0-3]", Integer,
"Debug verbosity level",
"Default: #{OPTIONS[:debug_level]}") { |OPTIONS[:debug_level]| }
o.on_tail("-h", "--help", "Show this help message.") { puts o; exit }

begin
o.parse!
rescue OptionParser::InvalidOption => e
abort "-h --help Show this help message."
end

end

if OPTIONS[:hostslist] == ""
#Read standard Capistrano Role string configuration file.
File.open(File.dirname(File.expand_path(__FILE__)) + "/#{OPTIONS[:file]}").each { |line|
hosts = line[(line.index(",")+2)..-1].gsub("\"","").strip.split(',') if not line =~ /^\s*#/
}
else
#Read env option string
hosts = OPTIONS[:hostslist].split(',')
end

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#Begin Main Loop

outputIO = StringIO.new
logmethod = OPTIONS[:syslog]

for host in hosts
tick(host.strip, outputIO, logmethod)
end

# End Main Loop
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

DNS version attempts & tools

There has been some DNS junk flying around again.. so refresh.

Dont forget how easy it is to do a DNS version attempt.

dig @ns.example.com -c CH -t txt version.bind

Make sure your BIND/Named is obfuscated/disabled with custom message..

options
{
version "Generic DNS Server";
}

Not that it helps much with fpdns around.

anonymous@:~$ fpdns -D google.com
fingerprint (google.com, 216.239.34.10): ISC BIND 8.3.0-RC1 -- 8.4.4
fingerprint (google.com, 216.239.36.10): ISC BIND 8.3.0-RC1 -- 8.4.4

Perl: (Fingerprint.PM)


Make sure your read basic DNS information like

Cisco's: DNS Best Practices, Network Protections, and Attack Identification

And understand the principles laid out in Secure BIND configurations such as:
http://www.cymru.com/Documents/secure-bind-template.html

Look into DNS Debug tools such as DNSwalk, dlint, & DOC

And for reverse lookups use where there is no PTR record try A record caches like:
Passive DNS Replication @
http://cert.uni-stuttgart.de/stats/dns-replication.php

Simple http get request... snooze.

Lets get some basic headers using sbd.exe, nc, telnet whatever..

telnet www.microsoft.com 80
nc www.microsoft.com 80
sbd -c off www.microsoft.com 80

Enter default HTTP / GET|OPTIONS|PUT|POST|HEAD|TRACE Command
(Using Host header is only important when there is vhosting on the IP/hostname)

GET / HTTP /1.1
Host: www.microsoft.com
Press Enter twice

(Windows telnet lameness.. Turning on local echo..)

Type "Ctrl+]"
Type "set localecho"
Press Enter twice

Digg + Idiots + RapidShare = p0wn3d

God damn it.. dumb ideas just stay around for far too long.

Ok we all know what the hell rapidshare is. It's a waste of internet space. One thing though a couple of years ago somebody dugg an article on a way to get around restrictions using a server script called rapidleech. Ok all in good fashion, but come on... you leave this open on apache server which can process php files.. and allow public upload to your server from any url.. (r57.php c99/100.php the list just goes on and on.. ) Renaming the file really helped huh..?

Just look at the multiversion google dork:
[2 years later and still 117+ zombies waiting to happen]
"Bugs Report to Rapidget.bug"

Digg idiots: http://digg.com/tech_news/RapidLeech

Capistrano with highline menu.

Example Capistrano file using the highline menu system..

(Capistrano really needs some better docs.)

#example capistrano menu using highline menu system
# Published under BSD license
# written by:shadowbq - http://shad0wbq.blogspot.com
# verified on: capistrano 2.2.0 & highline 1.4.0

role :comps, "localhost"

desc "Example Highline menu"
task :menu do
Capistrano::CLI.ui.say("\nThis is with a different layout...")
Capistrano::CLI.ui.choose do |menu|
menu.layout = :one_line

menu.header = "Execute"
menu.prompt = "Application? "

menu.choice :hello do
helloworld
end
menu.choices(:skip, :exit) do
Capistrano::CLI.ui.say("Choose not to run..")
end
end

end

task :helloworld do
run "echo helloworld."
end

Mozilla Prism & Pen-testing

Mozilla Prism , one in a series of recent site-specific-browsers(ssb) has become a fairly useful tool for me. I can run the web applications under different users (run as.. ). This allows limiting access and resources to the web application. It also allows running multiple different cookie sets at one time.

Simple example is having multiple gmail accounts logged in at one time. A more complex example is cookie manipulation while authenticated during access level enumeration.

Prism allows for the fine tuning of ssb to accommodate multiple pentesting angles.In the past I've rebranded Firefox and done similar things as running as guest users, but it was never this easy.

Prism and Flash on Windows
Its is pretty simple to enable your plugins (not talking extensions here.. ) on Prism on a windows system. All you have to do is copy your {program files}\Mozilla Firefox\plugins directory to your {program files}\Prism\Plugins directory. The Prism plugins directory doesnt exist by default and needs to be created. You may also want to copy the files into the XULRunner plugins directory. XUL runner handles any XUL apps that may depend on those plugins as well.