Research and Development

There are many third-party tools in the security industry that can perform a security audit of your Windows system. Some are standalone executables, some are frameworks, some are free and some you have to shell out money for. But what if these tools are not available to you, and you are stuck with a Windows server and essentially what Windows has given you? This article will look at executable programs under Windows that can be used to audit services.

So you want to audit a Windows system with the credentials you have been given. You may be able to download and install your own software, but what if you are not permitted to? What can you do?

Windows has native programs on board that can be used to gather information about your system, for example:

  • WMIC
  • CACLS/ICACLS
  • netstat
  • systeminfo
  • tasklist

Using those commands and some clever batch processing, you can gather useful information. In this article, we will look specifically at auditing which Windows services are run and whether the program files they run could be overwritten, using WMIC and CACLS.

WMIC

Windows Management Instrumentation Command-line (WMIC) extends WMI for operation from a command-line interface, to get and modify details about a Windows system. Because it can modify the system as well as query it, you must be a local administrator (a member of the local Administrators group) to use it.

Services

Details about the services running under Windows can be observed by loading the “Services” console under Administrative Tools in Control Panel or by running “services.msc”. To access the same service information using WMIC, you need to be logged in with an administrative account and type:

C:\> wmic service get /all

You can get specific information about each service and even place it in a nicer format, as follows:

C:\> wmic service get DisplayName, Name
C:\> wmic service get Name, ProcessID, StartName
C:\> wmic service get Name, PathName /format:csv.xsl

The following is the built-in help text for the get verb:

Property get operations.
USAGE:

GET [<property list>] [<get switches>]
NOTE: <property list> ::= <property name> | <property name>,  <property list>

The following properties are available:
Property                                Type                    Operation
========                                ====                    =========
AcceptPause                             N/A                     N/A
AcceptStop                              N/A                     N/A
Caption                                 N/A                     N/A
CheckPoint                              N/A                     N/A
CreationClassName                       N/A                     N/A
Description                             N/A                     N/A
DesktopInteract                         N/A                     N/A
DisplayName                             N/A                     N/A
ErrorControl                            N/A                     N/A
ExitCode                                N/A                     N/A
InstallDate                             N/A                     N/A
Name                                    N/A                     N/A
PathName                                N/A                     N/A
ProcessId                               N/A                     N/A
ServiceSpecificExitCode                 N/A                     N/A
ServiceType                             N/A                     N/A
StartMode                               N/A                     N/A
StartName                               N/A                     N/A
Started                                 N/A                     N/A
State                                   N/A                     N/A
Status                                  N/A                     N/A
SystemCreationClassName                 N/A                     N/A
SystemName                              N/A                     N/A
TagId                                   N/A                     N/A
WaitHint                                N/A                     N/A

The following GET switches are available:

/VALUE                       - Return value.
/ALL(default)                - Return the data and metadata for the attribute.
/TRANSLATE:<table name>      - Translate output via values from <table name>.
/EVERY:<interval> [/REPEAT:<repeat count>] - Returns value every (X interval) seconds, If /REPEAT specified the command is executed <repeat count> times.
/FORMAT:<format specifier>   - Keyword/XSL filename to process the XML results.

NOTE: Order of /TRANSLATE and /FORMAT switches influences the appearance of output.
Case1: If /TRANSLATE precedes /FORMAT, then translation of results will be followed by formatting.
Case2: If /TRANSLATE succeeds /FORMAT, then translation of the formatted results will be done.

Now you can gather the executable programs that services run using the PathName property:

C:\>wmic service get pathname
PathName
C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
...
"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"
"C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe"
"C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe"
"C:\Program Files\Sophos\AutoUpdate\ALsvc.exe"
...

As you can see here, not only the program names are included but also their parameters. You can pipe the output into a file and sort it (i.e. wmic service get pathname | sort > services.txt). You could then remove the parameters manually (or using a script).
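As an added example (not from the original article), the following Python code does the parameter-stripping and sort/uniq step described above on the PathName values: it handles quoted paths, unquoted paths that contain spaces, and entries without .exe, and strips the padding and carriage returns that wmic adds to every line. The wmic output it parses is constructed to look like the listing above.

```python
import re

# Constructed sample of `wmic service get pathname` output (not from a real host); wmic pads
# every value with trailing spaces and ends each line with CR CR LF, reproduced here.
SAMPLE_WMIC = "\r\r\n".join([
    "PathName" + " " * 74,
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs" + " " * 40,
    r"C:\WINDOWS\System32\alg.exe" + " " * 55,
    r'"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"',
    r"C:\WINDOWS\system32\svchost.exe -k LocalService" + " " * 35,
    r'"C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe"' + " " * 24,
    r"C:\Program Files\Example Vendor\agent.exe /service" + " " * 32,
]) + "\r\r\n"

def service_executable(pathname):
    """Return only the executable from a service PathName value, or None if blank.

    Quoted path: everything up to the closing quote. Unquoted path ending in .exe:
    everything up to the first ".exe" that is followed by whitespace or the end, which
    keeps unquoted paths with spaces intact. Anything else: the first token.
    """
    value = pathname.strip()          # drops wmic's padding and carriage returns
    if not value:
        return None
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 1 else None
    match = re.search(r"\.exe(?=\s|$)", value, re.IGNORECASE)
    if match:
        return value[: match.end()]
    return value.split()[0]

def unique_executables(wmic_output):
    """Sorted, de-duplicated executables, the article's sort/uniq pre-processing in one step."""
    found = set()
    for line in wmic_output.splitlines()[1:]:   # [0] is the PathName header
        exe = service_executable(line)
        if exe:
            found.add(exe)
    return sorted(found, key=str.lower)

if __name__ == "__main__":
    for exe in unique_executables(SAMPLE_WMIC):
        print(exe)
```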

Using this file, you can check the permissions on each file location with CACLS/ICACLS.

CACLS

CACLS and its replacement, ICACLS, are native Microsoft Windows command-line utilities for displaying and modifying the security permissions on folders and files, controlling who can access them.

Putting everything together

You can use a for loop to run cacls/icacls on each line of the file to identify what permissions are set on each service program (the %~a form strips any quotes already present on the line before the path is re-quoted, so paths containing spaces are handled):

for /f "tokens=*" %a in (services.txt) do cacls "%~a" >> s_cacls.txt

From here, you can determine which services have weak permissions by searching for lines that do not contain administrative users and assessing the permissions granted to the remaining non-administrative users:

findstr /s /n /i /p  /v "Administrator Power Authority" s_cacls.txt
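The findstr filter above is a quick first pass; as an added example (not part of the original article), here is a Python check that reads the icacls output for one executable, skips the trusted principals, and reports any other principal holding a right that allows the file to be changed or replaced. The icacls output is constructed, and the TRUSTED principals and WRITE_RIGHTS codes are assumptions to adjust for the environment being audited.

```python
import re
# Trusted principals (assumption; adjust per environment), matched as whole names so that
# "NT AUTHORITY\Authenticated Users" is not treated as trusted merely because it contains
# the substring "Authority" that the findstr filter keys on.
TRUSTED = {"builtin\\administrators", "builtin\\power users",
           "nt authority\\system", "nt service\\trustedinstaller"}

# icacls rights codes that let the holder change, delete or replace the file (assumption).
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA", "D", "DE", "WDAC", "WO"}

def parse_icacls(path, output):
    """Return [(principal, rights)] for each ACE that icacls printed for *path*."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("successfully processed"):
            continue            # blank line or the trailing summary line
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first ACE shares its line with the path
        principal, sep, rights = line.partition(":(")
        if sep:
            aces.append((principal, "(" + rights))
    return aces

def weak_aces(path, output):
    """ACEs granting a write-capable right to a principal outside TRUSTED (deny ACEs skipped)."""
    findings = []
    for principal, rights in parse_icacls(path, output):
        if principal.lower() in TRUSTED:
            continue
        # "(I)(RX,W)" -> {"I", "RX", "W"}: inheritance flags and comma-separated rights
        codes = {c for grp in re.findall(r"\(([^)]*)\)", rights) for c in grp.split(",")}
        if "DENY" in codes:
            continue
        granted = sorted(codes & WRITE_RIGHTS)
        if granted:
            findings.append((principal, granted))
    return findings

# Constructed icacls output for one service executable (not captured from a real host).
SAMPLE_PATH = r"C:\Program Files\Example\svc.exe"
SAMPLE_OUTPUT = "\n".join([
    r"C:\Program Files\Example\svc.exe NT AUTHORITY\Authenticated Users:(I)(M)",
    r"                                 Everyone:(I)(RX,W)",
    r"                                 NT AUTHORITY\SYSTEM:(I)(F)",
    r"                                 BUILTIN\Administrators:(I)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])
```

On the sample, weak_aces(SAMPLE_PATH, SAMPLE_OUTPUT) flags the Authenticated Users (M) and Everyone (W) entries; the first of those would slip past the findstr filter because its line contains "Authority".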

Batch Script Example

I have written a Windows batch script that grabs the pathname and does some pre-processing (sorting, removing duplicates, removing parameters) as follows:

REM	s_cacls.bat
REM
REM	The batch file extracts the services and finds the permissions for the underlying file
REM	* Uses 'wmic service' to get program executable for each service
REM	* Sort and process the list of programs
REM	* Perform cacls/icacls on each unique executable

:: SETUP for filenames and directories
SET dirscacls=scacls
SET fileservices=services.txt
SET fileservicessort=services-sorted.txt
SET fileservicesuniq=services-uniq.txt
SET filetemp=temp.txt
if not exist %dirscacls% md %dirscacls%
cd %dirscacls%

:: Extract program executable for each service
:: wmic pads every value with trailing spaces and ends each line with CR CR LF, so runs of
:: two spaces are turned into line breaks and each piece is re-read by a second for /f,
:: which drops the padding and the stray carriage return
for /F "skip=1 tokens=*" %%a in ('wmic service get pathname') do (
  setlocal enableDelayedExpansion
  set _str=%%a
  set ^"_str=!_str:  =^

!"
  for /f "eol= delims=" %%S in ("!_str!") do (
    if "!!"=="" endlocal
    @echo|set/p=%%S>>%fileservices%
    @echo.>>%fileservices%
  )
  endlocal
)

:: Strip out options. Assumption made that each service is using .exe file
:: Surrounding quotes are removed first so paths with spaces survive, then ".exe" is turned
:: into a line break and only the first piece (the path up to and including .exe) is kept
for /f "tokens=*" %%a in (%fileservices%) do (
  set "_first="
  setlocal enableDelayedExpansion
  set "_str=%%a"
  set "_str=!_str:"=!"
  set ^"_str=!_str:.exe=^

!"
  for /f "eol= delims=" %%S in ("!_str!") do (
    if "!!"=="" endlocal
    if not defined _first (
      set "_first=1"
      @echo|set/p=%%S.exe>>%filetemp%
      @echo.>>%filetemp%
    )
  )
  endlocal
)

:: Sort the file of programs into alphabetical order
::call:sort8ren "%filetemp%", "%fileservices%"
sort %filetemp% > "%fileservicessort%"
del %filetemp%

:: Drop duplicate entries; the list is sorted, so duplicates are adjacent
:: (setlocal is done once, outside the loop, so it is not nested on every iteration)
SETLOCAL EnableDelayedExpansion
set "LN="
for /f "tokens=*" %%A IN (%fileservicessort%) DO (
  if /i not "%%A"=="!LN!" (
    set "LN=%%A"
    echo %%A>>%fileservicesuniq%
  )
)
ENDLOCAL

call:sicaclsloop %fileservicesuniq%

cd ..
goto:EOF

:: Run cacls on every program in the given list, one output file per executable name
:scaclsloop
for /f "tokens=*" %%a in (%~1) do (
  cacls "%%a" >> scacls_%%~na.txt
)
goto:EOF

:: Run icacls on every program in the given list, one output file per executable name
:sicaclsloop
for /f "tokens=*" %%a in (%~1) do (
  icacls "%%a" >> sicacls_%%~na.txt
)
goto:EOF

:: Sort a file in place (alternative to the sort/del above, currently unused)
:sort8ren
sort %~1 > %~2
del %~1
rename %~2 %~1
goto:EOF

Summary

It is possible to gather auditing details about a Windows system using only the native Windows programs. In this article, we have managed to audit Windows services using WMIC, CACLS and some batch processing.

