Sunday, May 20, 2012

Scenario: 

You are working on a computer in your domain and discover an unknown user account in the Documents and Settings folder (Users on Windows 7). You search Active Directory for that user and don't find it. You then check the computer's local users and groups and find that it is a backdoor administrator. Then you have to ask several questions (my answers are below each question):

  1. How did this local user account come to be on this computer?
    • A boot disk was used to bypass the local security and create a backdoor administrator account.
  2. How did they compromise your security?
    • They were able to press F12 at startup to reach the boot menu and boot from their own media.
  3. Who is most likely responsible for compromising the security of the system?
    • This was a student computer, so the most likely culprits are students.
  4. How widespread is this problem?
    • Upon checking several computers in this computer cart, I discovered it was a school-wide problem. = (
  5. How can we fix this?
    • Remove the local admin accounts
    • Remove the ability to boot from USB drives and the CD/DVD drive
  6. What is the next step?
    • Write a script that does it for me on every computer in the domain!

 

Students created backdoor admin accounts with Hiren's Boot CD (http://www.hiren.info/pages/bootcd). It lets them boot from the CD drive and add a local administrator account, which sidesteps the domain's controls on that machine.

 

The Solution 

BIOS Settings

In the BIOS you will need to ensure the following:

  • The BIOS is password protected
  • In the boot order, remove the
    • USB drive
    • CD/DVD drive
    • Diskette drive

Keep in mind that a BIOS password only holds while the case stays closed: clearing CMOS with the motherboard jumper removes it, so lock the cases on the carts too. Where that is not practical, full-disk encryption such as BitLocker is what actually stops a boot disk from editing the local SAM.

Discover how widespread the problem is

To discover how widespread this problem is I need a script that does several things. It has to go through a list of computers (from my Active Directory), test whether each computer is on, and if it is, get a list of all the accounts with local Administrator access on that machine.

Script for discovering local admins in your domain

Run this script as a domain admin. The WinNT provider connects to each machine with the caller's credentials, so run it from an account that is an administrator on every workstation. Machines that block ICMP will be recorded as offline and skipped.

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' List local administrators across a network domain
' Copyright GPLv2  TechandWebGuy.com
' Related Article with attachments
'  http://webandtechguy.com/technology-blog/scripting-blog/90-vbs-scripting/90-checking-for-backdoor-admin-accounts-on-ad-domain
' Free use - just leave this in your script - its only fair
' To debug, remove the ' from the 'WScript.Echo lines
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Option Explicit

' Global variables
Dim filesys, testfile, sourceFile, strNextLine, oLocalGroup, item, IsOnline

' Constants for text file access
Const ForReading = 1, ForWriting = 2, ForAppending = 8

Set filesys = CreateObject("Scripting.FileSystemObject")

' Output file. The d$ admin share is used so only administrators can read the results.
Set testfile = filesys.OpenTextFile("\\server\d$\Share\LocalAdminList.csv", ForAppending, True)

' Input file: one computer name per line, no spaces before or after the name (I built it with another script).
' Use Notepad++ to find and remove any stray NUL characters. An example file is in the attachments below.
Set sourceFile = filesys.OpenTextFile("\\domain\NETLOGON\Scripts\Computer\ComputerList.txt", ForReading, True)

' Read ComputerList.txt one line at a time
Do Until sourceFile.AtEndOfStream
    strNextLine = Trim(sourceFile.ReadLine)
    If strNextLine <> "" Then
        IsOnline = PcOnline(strNextLine)
        ' If the machine answers a ping, list its local Administrators group
        If IsOnline = True Then
            ' WScript.Echo strNextLine
            On Error Resume Next
            Set oLocalGroup = GetObject("WinNT://" & strNextLine & "/Administrators,group")
            If Err.Number <> 0 Then
                ' Access denied, name not resolvable, etc. - record it instead of skipping silently
                testfile.WriteLine strNextLine & ", " & Date() & ", " & Time() & ", ERROR: " & Err.Description
                Err.Clear
            Else
                testfile.Write strNextLine & ", " & Date() & ", " & Time()
                For Each item In oLocalGroup.Members
                    ' One CSV column per member, written as DOMAIN/user or DOMAIN/COMPUTER/user
                    testfile.Write ", " & returnName(item)
                Next
                testfile.Write vbCrLf
            End If
            On Error GoTo 0
        End If
    End If
Loop

' Close both files
sourceFile.Close
testfile.Close

' This lets you know the script is done
WScript.Echo "Done"
WScript.Quit

' Strips the "WinNT://" prefix from a member's ADsPath so the CSV shows
' DOMAIN/user for domain accounts and DOMAIN/COMPUTER/user for local ones.
' That is what separates a backdoor local admin from a normal domain group.
' (The original used a fixed Right() offset that depended on the domain name length.)
Function returnName(member)
    Dim path
    path = Trim(member.ADsPath)
    If LCase(Left(path, 8)) = "winnt://" Then
        returnName = Mid(path, 9)
    Else
        returnName = path
    End If
    ' WScript.Echo returnName
End Function

' Returns True if the remote machine answers a single ICMP echo request
Function PcOnline(strComputer)
    Dim objWMI, objPing, objStatus
    PcOnline = False
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}")
    Set objPing = objWMI.ExecQuery("Select StatusCode From Win32_PingStatus Where Address = '" & strComputer & "'")
    For Each objStatus In objPing
        ' StatusCode is 0 on a reply and Null when the name cannot be resolved
        If Not IsNull(objStatus.StatusCode) And objStatus.StatusCode = 0 Then
            PcOnline = True
            ' WScript.Echo strComputer & " is responding to a ping"
        Else
            ' WScript.Echo strComputer & " is NOT available"
        End If
    Next
    Set objPing = Nothing
    Set objWMI = Nothing
End Function
 
 

Explained:

This script reads a list of computers from a file on a server, one name per line. For each name it checks that the computer is online. If it is, it writes a line to the CSV file with the computer name, the date and time, and every account found in the local Administrators group. When the script is finished it prompts "Done".

Run across my entire directory it took about 45 minutes and returned about 275 computers that were on.
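As an added example, not the post's own script, here is the same audit in PowerShell. It goes a step further than the VBScript above: it takes the computer list straight from Active Directory instead of a text file, and it flags each member of the Administrators group that is local to that computer and not on an allow-list, so the CSV already tells you which rows need a human. It assumes the RSAT ActiveDirectory module is installed, that it runs as a domain admin with ICMP allowed to the workstations, PowerShell 3.0 or later, and the placeholder output path and allow-list shown in the code.

```powershell
# Added example, not the post's own code: PowerShell version of the audit above.
# It pulls the computer list from Active Directory, pings each host, reads the
# local Administrators group through the same WinNT ADSI provider, and flags
# members that are LOCAL to that computer and not on an allow-list.
# Assumptions: RSAT ActiveDirectory module installed, run as a domain admin,
# ICMP allowed to the workstations, PowerShell 3.0 or later.
Import-Module ActiveDirectory

$AllowedLocal = @('Administrator')                        # expected local members; extend as needed
$OutFile      = '\\server\d$\Share\LocalAdminList.csv'    # placeholder path, as in the post

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # Members come back as raw COM objects; read their properties via reflection
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/user for domain principals and
        # WinNT://DOMAIN/COMPUTER/user (or WinNT://COMPUTER/user) for local ones:
        # the account is local when the segment before the name is the computer.
        $parts   = ($path -replace '^WinNT://', '').Split('/')
        $isLocal = ($parts.Count -ge 2) -and ($parts[-2] -ieq $ComputerName)
        [pscustomobject]@{
            Computer   = $ComputerName
            Member     = $name
            Class      = $class
            ADsPath    = $path
            IsLocal    = $isLocal
            Suspicious = $isLocal -and ($AllowedLocal -notcontains $name)
        }
    }
}

function Invoke-LocalAdminAudit {
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name
    foreach ($c in $computers) {
        if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) { continue }
        try   { Get-LocalAdminMembers -ComputerName $c }
        catch { Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message) }
    }
}

$results = Invoke-LocalAdminAudit
$results | Export-Csv -Path $OutFile -NoTypeInformation
# Only the rows that need a human: local accounts that are not on the allow-list
$results | Where-Object Suspicious | Format-Table Computer, Member, Class -AutoSize
```

The IsLocal test is what the fixed Right() offset in the VBScript was approximating: a domain group such as Domain Admins shows up as WinNT://DOMAIN/Domain Admins, while a backdoor account created from a boot disk lives in the machine's own SAM and carries the computer name in its path. Anything local that is not the built-in Administrator (or whatever else you put on the allow-list) is the thing you are hunting for.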

Delete the Local Admins

This script deletes the listed local accounts, by name, from each listed computer. Deleting the account does not remove the profile folder you found under Documents and Settings or Users; clean that up separately, or keep it if you need evidence of what the student did.

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Delete local user accounts on a list of computers in a network domain
' Copyright GPLv2  TechandWebGuy.com
' Related Article with attachments
'  http://webandtechguy.com/technology-blog/scripting-blog/90-vbs-scripting/90-checking-for-backdoor-admin-accounts-on-ad-domain
' Free use - just leave this in your script - its only fair
' To debug, remove the ' from the 'Debug lines (output goes to an IE window)
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Option Explicit

Dim strMachines, strUser, aMachines, aUsers, machine, users
Dim objWMI, objPing, objStatus, objIEDebugWindow

' Add the list of computers here (semicolon separated)
strMachines = "computer1;Techandwebguy-computer;domain-computer1"
' List the backdoor accounts you found with the first script here
strUser = "backdooradmin;anotheruser;ronpaul"

aMachines = Split(strMachines, ";")
aUsers = Split(strUser, ";")

Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}")

For Each machine In aMachines
    Set objPing = objWMI.ExecQuery("Select StatusCode From Win32_PingStatus Where Address = '" & machine & "'")
    For Each objStatus In objPing
        ' StatusCode is 0 on a reply and Null when the name cannot be resolved
        If IsNull(objStatus.StatusCode) Or objStatus.StatusCode <> 0 Then
            ' Debug machine & " is OFF - skipped"
        Else
            ' Debug machine & " is ON"
            For Each users In aUsers
                setDelete machine, users
            Next
        End If
    Next
Next
WScript.Echo "The Script is done running."
WScript.Quit

' Deletes one local user account from one computer. WinNT://<computer> only exposes
' the machine's local SAM, so a domain account with the same name is never touched.
' The built-in Administrator cannot be deleted and shows up as an error.
Sub setDelete(strMachine, strAccount)
    Dim objComputer
    On Error Resume Next
    Set objComputer = GetObject("WinNT://" & strMachine)
    If Err.Number = 0 Then
        objComputer.Delete "user", strAccount
        If Err.Number = 0 Then
            ' Debug "Deleted local user " & strAccount & " on " & strMachine
        Else
            ' Debug "Could not delete " & strAccount & " on " & strMachine & ": " & Err.Description
            Err.Clear
        End If
    Else
        ' Debug "Could not connect to " & strMachine & ": " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Sub

' Writes debug text to an Internet Explorer window
Sub Debug(myText)
    ' Uncomment the next line to turn off debugging
    ' Exit Sub

    If Not IsObject(objIEDebugWindow) Then
        Set objIEDebugWindow = CreateObject("InternetExplorer.Application")
        objIEDebugWindow.Navigate "about:blank"
        objIEDebugWindow.Visible = True
        objIEDebugWindow.ToolBar = True
        objIEDebugWindow.Width   = 600
        objIEDebugWindow.Height  = 400
        objIEDebugWindow.Left    = 10
        objIEDebugWindow.Top     = 10
        Do While objIEDebugWindow.Busy
            WScript.Sleep 100
        Loop
        objIEDebugWindow.Document.Title = "IE Debug Window " & Date & " " & Time
        objIEDebugWindow.Document.Body.InnerHTML = "<b>" & Now & "</b><br>"
    End If
    objIEDebugWindow.Document.Body.InnerHTML = _
        objIEDebugWindow.Document.Body.InnerHTML & myText & "<br>" & vbCrLf
End Sub
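As an added example (not the post's script), the same clean-up in PowerShell with the checks you want before deleting anything on a remote machine: the account has to exist in that computer's local SAM, and it must not be the built-in Administrator (RID 500, which cannot be deleted anyway). Every attempt is returned as a record so you keep a log of what was removed where. The machine and user lists are placeholders taken from the post, the output path is a placeholder, and it assumes a domain admin session and PowerShell 3.0 or later.

```powershell
# Added example, not the post's own code: delete the backdoor accounts found
# by the audit, with existence and RID-500 checks and a per-attempt record.
# Assumptions: run as a domain admin, PowerShell 3.0+, placeholder lists/paths.
$Machines = 'computer1', 'Techandwebguy-computer', 'domain-computer1'
$Users    = 'backdooradmin', 'anotheruser'
$LogFile  = '\\server\d$\Share\RemovedLocalAdmins.csv'   # placeholder path

function Remove-LocalBackdoorAccount {
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$UserName)
    $record = @{ Computer = $ComputerName; User = $UserName; Sid = ''; Result = '' }
    try {
        # WinNT://<computer>/<name>,user only resolves accounts in that machine's
        # local SAM, so a domain account with the same name can never match here.
        $path = "WinNT://$ComputerName/$UserName,user"
        if (-not [adsi]::Exists($path)) {
            $record.Result = 'not present'
            return [pscustomobject]$record
        }
        $user = [ADSI]$path
        $sid  = New-Object System.Security.Principal.SecurityIdentifier(
                    [byte[]]$user.InvokeGet('objectSid'), 0)
        $record.Sid = $sid.Value
        # RID 500 is the built-in Administrator, even if it has been renamed
        if ($sid.Value -like '*-500') {
            $record.Result = 'skipped: built-in Administrator'
            return [pscustomobject]$record
        }
        $computer = [ADSI]"WinNT://$ComputerName"
        $computer.Delete('user', $UserName)
        $record.Result = 'deleted'
    } catch {
        $record.Result = "error: $($_.Exception.Message)"
    }
    [pscustomobject]$record
}

function Invoke-BackdoorCleanup {
    foreach ($m in $Machines) {
        if (-not (Test-Connection -ComputerName $m -Count 1 -Quiet)) {
            [pscustomobject]@{ Computer = $m; User = '*'; Sid = ''; Result = 'offline' }
            continue
        }
        foreach ($u in $Users) { Remove-LocalBackdoorAccount -ComputerName $m -UserName $u }
    }
}

$log = Invoke-BackdoorCleanup
$log | Format-Table Computer, User, Sid, Result -AutoSize
$log | Export-Csv -Path $LogFile -NoTypeInformation
```

Keep the log: it is the list of machines you still have to revisit (the "offline" rows) and your evidence of what was removed. If you might need to show exactly what a student did, disable the account and copy the profile folder before you run the delete.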

 

The End Results

  • I removed the ability to boot from any device other than the hard drive.
  • I was able to list all the local admin accounts and determine the usernames of the backdoor administrators.
  • I ran a script that deleted those local admin accounts on the affected machines.
In the end I was able to list the local admins on each computer in my domain. I could then look for accounts that didn't belong in the local Administrators group and add each one to the delete script, along with each computer that had a rogue admin account. Running that final script deletes the users from the computers, all from the comfort of your chair!

See the attached sample files for examples of the files used with these scripts.

Attachments:
  • checkForLocalAdmins.txt: runs the check for local admins and outputs it to a CSV file (3 KB, 02/05/12 03:54)
  • computerlist.txt: the source computer list used by the VBS script (0 KB, 02/05/12 01:18)
  • RemoveLocalAdmins.txt: deletes the local admins from a string of computers (2 KB, 02/05/12 03:44)


Category: VBS