slaughter Posted February 26, 2014 Share Posted February 26, 2014 CODE do not get correct Source Network Address and much more values. Any recommendations? Or it is BUG? using on MS Server 2008 R2 expandcollapse popup#include <GUIConstantsEx.au3> #include <EventLog.au3> #RequireAdmin Global $iMemo _Main() Func _Main() Local $hEventLog, $aEvent ; Create GUI GUICreate("EventLog", 604, 604) $iMemo = GUICtrlCreateEdit("", 2, 2, 600, 600) GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New") GUISetState() ; Read most current event record $hEventLog = _EventLog__Open("", "Security") Local $i = 0 ;While IsArray($aEvent) While $i <= 100 $aEvent = _EventLog__Read($hEventLog, True, False) ; read last event if IsArray($aEvent) Then ConsoleWrite($aEvent[8]& @CRLF) if ($aEvent[8] = "Failure audit") Then MemoWrite("Result ............: " & $aEvent[0]) MemoWrite("Record number .....: " & $aEvent[1]) MemoWrite("Submitted .........: " & $aEvent[2] & " " & $aEvent[3]) MemoWrite("Generated .........: " & $aEvent[4] & " " & $aEvent[5]) MemoWrite("Event ID ..........: " & $aEvent[6]) MemoWrite("Type ..............: " & $aEvent[8]) MemoWrite("Category ..........: " & $aEvent[9]) MemoWrite("Source ............: " & $aEvent[10]) MemoWrite("Computer ..........: " & $aEvent[11]) MemoWrite("Username ..........: " & $aEvent[12]) MemoWrite("Description .......: " & $aEvent[13]) Else ;MemoWrite($aEvent[8]) EndIf EndIf $i = $i + 1 WEnd _EventLog__Close($hEventLog) ; Loop until user exits Do Until GUIGetMsg() = $GUI_EVENT_CLOSE EndFunc ;==>_Main ; Write a line to the memo control Func MemoWrite($sMessage) GUICtrlSetData($iMemo, $sMessage & @CRLF, 1) EndFunc ;==>MemoWrite What i get from autoit code expandcollapse popupResult ............: True Record number .....: 10920 Submitted .........: 02/25/2014 10:20:54 PM Generated .........: 02/25/2014 10:20:54 PM Event ID ..........: 4625 Type ..............: Failure audit Category ..........: 12544 Source ............: Microsoft-Windows-Security-Auditing Computer ..........: Hyper-V Username ..........: Description .......: An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: HYPER-V$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: S-1-5-181 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: user Account Domain: HYPER-V Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: S-1-5-180 Process Information: Caller Process ID: S-1-5-188 Caller Process Name: S-1-5-189 Network Information: Workstation Name: S-1-5-184 Source Network Address: HYPER-V$0 Source Port: HYPER-V$1 Detailed Authentication Information: Logon Process: S-1-5-182 Authentication Package: S-1-5-183 Transited Services: S-1-5-185 Package Name (NTLM only): S-1-5-186 Key Length: S-1-5-187 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. What is in Windows log expandcollapse popupAn account failed to log on. Subject: Security ID: SYSTEM Account Name: HYPER-V$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10 Account For Which Logon Failed: Security ID: NULL SID Account Name: cashier Account Domain: HYPER-V Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0xab0 Caller Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: HYPER-V Source Network Address: 212.143.166.113 Source Port: 43451 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. In progress: Windows Server bruteforce GUARD Admin Tools (Remote client control) Bypasing firewall Old stuff: [font="Verdana;"]MD5 Auto Update Calendar XP SS multi usser server & client Autoit Remote Control (ARC)[/font] Link to comment Share on other sites More sharing options...
Moderators JLogan3o13 Posted February 26, 2014 Moderators Share Posted February 26, 2014 Are you seeing what you would expect if you use the wevtutil app instead? Run(@ComSpec & " /c wevtutil.exe qe security /c:3 /rd:true /f:text>C:\wevtutil.txt", "", @SW_HIDE) "Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball How to get your question answered on this forum! Link to comment Share on other sites More sharing options...
slaughter Posted March 5, 2014 Author Share Posted March 5, 2014 (edited) Are you seeing what you would expect if you use the wevtutil app instead? Run(@ComSpec & " /c wevtutil.exe qe security /c:3 /rd:true /f:text>C:\wevtutil.txt", "", @SW_HIDE) I used it and it retuns as expected good results expandcollapse popupEvent[0]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2014-03-05T07:58:26.590 Event ID: 4625 Task: Logon Level: Information Opcode: Info Keyword: Audit Failure User: N/A User Name: N/A Computer: mSrv Description: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Igor Account Domain: L987TA Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: IGORIS Source Network Address: 192.168.1.43 Source Port: 1238 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Event[1]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2014-03-05T01:00:00.171 Event ID: 4625 Task: Logon Level: Information Opcode: Info Keyword: Audit Failure User: N/A User Name: N/A Computer: mSrv Description: An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: MSRV$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 4 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: backup Account Domain: MSRV Failure Information: Failure Reason: Account currently disabled. Status: 0xc000006e Sub Status: 0xc0000072 Process Information: Caller Process ID: 0x3b4 Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: MSRV Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Event[2]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2014-03-05T00:20:31.042 Event ID: 4625 Task: Logon Level: Information Opcode: Info Keyword: Audit Failure User: N/A User Name: N/A Computer: cvx Description: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: reer Account Domain: sdfsdfdsf Failure Information: Failure Reason: Account currently disabled. Status: 0xc000006e Sub Status: 0xc0000072 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: ksadhkashdkassd Source Network Address: 192.168.2.253 Source Port: 2721 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. I could use this tool for getting information for each event but it would be very annoying and i guess would take longer. Edited March 7, 2014 by slaughter In progress: Windows Server bruteforce GUARD Admin Tools (Remote client control) Bypasing firewall Old stuff: [font="Verdana;"]MD5 Auto Update Calendar XP SS multi usser server & client Autoit Remote Control (ARC)[/font] Link to comment Share on other sites More sharing options...
slaughter Posted March 6, 2014 Author Share Posted March 6, 2014 Are you seeing what you would expect if you use the wevtutil app instead? Run(@ComSpec & " /c wevtutil.exe qe security /c:3 /rd:true /f:text>C:\wevtutil.txt", "", @SW_HIDE) now I will try to get event description for each event by executing wevtutil qe security "/q:*[System [(EventID=4625)]]" /c:1 /rd:true /f:text and phrasing it to what i need if no solution is found. In progress: Windows Server bruteforce GUARD Admin Tools (Remote client control) Bypasing firewall Old stuff: [font="Verdana;"]MD5 Auto Update Calendar XP SS multi usser server & client Autoit Remote Control (ARC)[/font] Link to comment Share on other sites More sharing options...
slaughter Posted March 6, 2014 Author Share Posted March 6, 2014 For now using JLogan3o13 offered solution it is working, but slow. Is there possibility to make this faster? expandcollapse popup#include <GUIConstantsEx.au3> #include <EventLog.au3> #include <Constants.au3> #RequireAdmin #include <Array.au3> Global $iMemo _Main() Func _Main() Local $hEventLog, $aEvent ; Create GUI GUICreate("EventLog", 604, 604) $Progress1 = GUICtrlCreateProgress(8, 25, 580, 25) $Label1 = GUICtrlCreateLabel("Reading event log: 0/200", 8, 8, 430, 17) $iMemo = GUICtrlCreateEdit("", 2, 60, 600, 600) GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New") GUISetState() ; Read most current event record $hEventLog = _EventLog__Open("", "Security") Local $i = 0 Local $IPArray[1][5] ;While IsArray($aEvent) $rad_events = 100 While $i <= $rad_events $prc = Round(100 / $rad_events * $i) GUICtrlSetData($Label1, "Reading event log: "& $i &"/"&$rad_events) GUICtrlSetData($Progress1, $prc) $aEvent = _EventLog__Read($hEventLog, True, False) ; read last event if IsArray($aEvent) Then ConsoleWrite($aEvent[8]& @CRLF) if ($aEvent[8] = "Failure audit") Then Local $foo = Run(@ComSpec & ' /c wevtutil qe security "/q:*[System [(EventID='& $aEvent[6] &')]]" /c:1 /rd:true /f:text', @SystemDir, @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD) Local $line $line = '' While 1 $line = $line & StdoutRead($foo) If @error Then ExitLoop ;MsgBox(0, "STDOUT read:", $line) WEnd While 1 $line = $line & StderrRead($foo) If @error Then ExitLoop ;MsgBox(0, "STDERR read:", $line) WEnd $size = UBound($IPArray) + 1 ReDim $IPArray[$size][5] $ix = $size -1 $network = "Source Network Address:\s*+(.*)" $array = StringRegExp($line, $network, 1) If IsArray($array) Then $IPArray[$ix][2] = $array[0] EndIf $account = "Account Name:\s*+(.*)" $array = StringRegExp($line, $account, 3) If IsArray($array) Then ;_ArrayDisplay($array) $IPArray[$ix][1] = $array[1] EndIf $IPArray[$ix][0] = $aEvent[4] & " " & $aEvent[5] ;MemoWrite($line) Else ;MemoWrite($aEvent[8]) EndIf EndIf $i = $i + 1 WEnd _EventLog__Close($hEventLog) _ArrayDisplay($IPArray, "IP LIST") ; Loop until user exits Do Until GUIGetMsg() = $GUI_EVENT_CLOSE EndFunc ;==>_Main ; Write a line to the memo control Func MemoWrite($sMessage) GUICtrlSetData($iMemo, $sMessage & @CRLF, 1) EndFunc ;==>MemoWrite What it does? It reads security log for failed audits (logins to system). Then reads date of event, IP address who tried to login and what user name he tried. In progress: Windows Server bruteforce GUARD Admin Tools (Remote client control) Bypasing firewall Old stuff: [font="Verdana;"]MD5 Auto Update Calendar XP SS multi usser server & client Autoit Remote Control (ARC)[/font] Link to comment Share on other sites More sharing options...
slaughter Posted March 7, 2014 Author Share Posted March 7, 2014 Updated to work more faster, but now not using event log read, because its not giving corect data and works slow expandcollapse popup#RequireAdmin #include <GUIConstantsEx.au3> #include <Constants.au3> #include <Array.au3> #include <File.au3> #include <Array.au3> #include <MsgBoxConstants.au3> Global $iMemo _Main() Func _Main() Local $hEventLog, $aEvent ; Create GUI GUICreate("EventLog", 604, 604) $Progress1 = GUICtrlCreateProgress(8, 25, 590, 25) $Label1 = GUICtrlCreateLabel("Reading event log", 8, 8, 430, 17) $iMemo = GUICtrlCreateEdit("", 2, 60, 600, 542) GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New") GUISetState() $read_events = 50 GUICtrlSetData($Label1, "Reading event log: 0/" & $read_events) GUICtrlSetData($Progress1, 1) $cmd = 'wevtutil qe Security "/q:*[System[band(Keywords,8010000000000000)]]" /c:'& $read_events &' /rd:true /f:xml>C:\wevtutil.xml' FileDelete ( "c:\wevtutil.xml" ) Local $foo = RunWait(@ComSpec & ' /c '& $cmd, @SystemDir, @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD) $data = FileRead('C:\wevtutil.xml') MemoWrite($data) GUICtrlSetData($Label1, "Reading event log: "& $read_events &"/" & $read_events) GUICtrlSetData($Progress1, 100) ; Define a variable to pass to _FileReadToArray. Local $aArray = 0 ; Read the current script file into an array using the variable defined previously. If Not _FileReadToArray("C:\wevtutil.xml", $aArray) Then MsgBox($MB_SYSTEMMODAL, "", "There was an error reading the file. @error: " & @error) ; An error occurred reading the current script file. EndIf ; Display the array in _ArrayDisplay. ;_ArrayDisplay($aArray) Local $IPArray[1][5] For $vElement In $aArray $size = UBound($IPArray) + 1 ReDim $IPArray[$size][5] $ix = $size -1 $date = "<TimeCreated SystemTime='(.*?)'/>" $array = StringRegExp($vElement, $date, 1) If IsArray($array) Then $IPArray[$ix][3] = $array[0] EndIf $network = "<Data Name='IpAddress'>(.*?)</Data>" $array = StringRegExp($vElement, $network, 1) If IsArray($array) Then $IPArray[$ix][2] = $array[0] EndIf $account = "<Data Name='TargetUserName'>(.*?)</Data>" $array = StringRegExp($vElement, $account, 1) If IsArray($array) Then ;_ArrayDisplay($array) $IPArray[$ix][1] = $array[0] EndIf Next _ArrayDisplay($IPArray, "IP LIST") ; Loop until user exits Do Until GUIGetMsg() = $GUI_EVENT_CLOSE EndFunc ;==>_Main ; Write a line to the memo control Func MemoWrite($sMessage) GUICtrlSetData($iMemo, $sMessage & @CRLF, 1) EndFunc ;==>MemoWrite In progress: Windows Server bruteforce GUARD Admin Tools (Remote client control) Bypasing firewall Old stuff: [font="Verdana;"]MD5 Auto Update Calendar XP SS multi usser server & client Autoit Remote Control (ARC)[/font] Link to comment Share on other sites More sharing options...
slaughter Posted March 8, 2014 Author Share Posted March 8, 2014 Moving to other post now '?do=embed' frameborder='0' data-embedContent>> In progress: Windows Server bruteforce GUARD Admin Tools (Remote client control) Bypasing firewall Old stuff: [font="Verdana;"]MD5 Auto Update Calendar XP SS multi usser server & client Autoit Remote Control (ARC)[/font] Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now