Everhart,Glenn

From: Eric Arnold [earnold@hitech.eds.com]
Sent: Monday, March 30, 1998 2:59 PM
To: Remo Pini
Cc: ntsecurity@iss.net
Subject: Re: [NTSEC] Unknown NT RAS Server

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

At 12:22 PM 03/29/98 +0200, you wrote:
>Some dopes set up an unknown quantity of NT-RAS servers on our network
>(>4000 users). We discovered that through our DHCP-server logs. Is there an
>easy way to discover which stations support the RAS service without
>visiting all of them?

Here's a PERL script I wrote to do just that very thing. It will find any
NT machine running RAS. I run it every once in a while at night, since most
RAS servers get left on.

NOTE: You might need to check the formatting, since I've got this thing
indented quite a bit and some mailers tweak the line ends.

BEGIN PERL SCRIPT ****************************

#****************************************************
# Ras Finder Script
# Written 4-12-97 Eric Arnold (just to see if I could)
# Permission is granted to use and modify, as long as this
# original header remains in place.
#
# earnold@hitech.eds.com
#****************************************************
use strict;
use warnings;

# ********************** Parameters you will need to change for your own environment
# top level domain (required)
my $top = "130.212";
# a list of each subnet you have, if you are unfortunate
# enough to not have contiguous subnets (like us) (required)
my @subnets = (1, 21, 35);
# who to notify if a problem exists, either a machine name or username (optional)
my $admin = "Administrator";
# ********************* End of parameters

my $now = localtime(time);
# Open the log once, before the subnet loop. Opening it inside the loop
# with ">" would truncate it on every subnet and keep only the last one.
open(LOGFILE, ">ras_find.log") || die "Can't open logfile: $!";
print LOGFILE "\nScan Run Started on: $now\n\n";

foreach my $subnet (@subnets) {
    # uncomment this line if you want to watch the progress by subnet
    # print "Scanning subnet $subnet\n";
    for (my $start = 1; $start <= 254; $start++) {
        my $host = "$top.$subnet.$start";
        # uncomment this line if you want to watch the progress by host
        # print "Scanning host $host\n";
        #****************************************************
        # Basically what I do here is ping the host with a single ping.
        # If it comes back as dead, I do it again just to make sure, cause
        # we're on a switched network and sometimes there's a delay in
        # making the first connection. Anyway, if it's still dead, note that and loop.
        # If it's up, do an "nbtstat -A" on it, and check the results.
        # If there is a "<06>" entry, then it's running RAS, otherwise it isn't.
        # (NOTE: You can change this part to look for all kinds of stuff)
        # and write that out to log. If it answers on the first ping, do the same thing.
        #****************************************************
        my $result = `ping -n 1 $host`;
        if ($result =~ /timed out/) {
            my $result2 = `ping -n 1 $host`;
            if ($result2 =~ /timed out/) {
                print LOGFILE "Host $host is dead\n\n";
            } else {
                check_host($host);
            }
        } else {    # It answered the first ping
            check_host($host);
        }
    }    # end of for loop over hosts
}    # end of loop over subnets (this is for me cause I get confused sometimes)

`net send $admin Greetings Professor Falken, I'm done scanning`;
close(LOGFILE);
exit;

# Run "nbtstat -A" against a host that answered ping and log what it says.
# Both ping branches above used to carry a copy of this code; it is now shared.
sub check_host {
    my ($host) = @_;
    my $nbtresult = `nbtstat -A $host`;
    if ($nbtresult =~ /not found/) {
        print LOGFILE "Host $host is probably not an NT Box\n\n";
    } elsif ($nbtresult =~ /<06>/) {
        # Strip out all occurrences of the word "Registered" (very annoying this word)
        $nbtresult =~ s/\bRegistered\b/ /g;
        print LOGFILE "RESULTS FOR $host:\n\n ***************** POSSIBLE RAS SERVER ****************\n";
        print LOGFILE "\n$nbtresult\n=======================\n\n";
    } else {
        print LOGFILE "Host $host does not seem to be running a RAS server\n\n";
    }
}

END PERL SCRIPT *******************************************************

_________________________________________________
Eric Arnold            | "Uh,... okay, I get it. So what?"
earnold@hitech.eds.com | - Albert Einstein
EDS/Philips, Sunnyvale | "Einstein's Conversations with Derrida"
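The check the script above relies on (a `<06>` entry in the name table that `nbtstat -A` returns, after a ping with one retry) can be exercised offline. The following Python is an added example, not code from the original post or its author: it parses the NT name-table output into rows, applies the RAS test, and runs the same ping-retry sweep with the `ping` and `nbtstat` commands injected as callables so it needs no network. The sample outputs, the 10.0.0.x addresses and the suffix meanings other than <06> are constructed or assumed here; the RAS test is deliberately stricter than the post's bare `/<06>/` regex in that it wants a UNIQUE name in Registered state.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

# One row of the name table printed by "nbtstat -A <ip>" on NT, e.g.
#   WKS-EXAMPLE    <06>  UNIQUE      Registered
ROW_RE = re.compile(
    r"^[ \t]*(\S+)[ \t]+<([0-9A-Fa-f]{2})>[ \t]+(UNIQUE|GROUP)[ \t]+(\w+)", re.M)

# Well-known NetBIOS name suffixes (standard NT assignments; the original
# post only relies on <06>, the RAS Server Service).
SUFFIX_MEANING = {
    "00": "Workstation Service",
    "03": "Messenger Service",
    "06": "RAS Server Service",
    "20": "File Server Service",
    "21": "RAS Client Service",
}

# Constructed nbtstat -A output for a workstation that also runs RAS.
SAMPLE_RAS = """
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WKS-EXAMPLE    <00>  UNIQUE      Registered
EXAMPLEDOM     <00>  GROUP       Registered
WKS-EXAMPLE    <20>  UNIQUE      Registered
WKS-EXAMPLE    <03>  UNIQUE      Registered
WKS-EXAMPLE    <06>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
"""

# Constructed output for a plain workstation (no <06> entry).
SAMPLE_NO_RAS = """
WKS-PLAIN      <00>  UNIQUE      Registered
EXAMPLEDOM     <00>  GROUP       Registered
WKS-PLAIN      <20>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-01
"""


def parse_name_table(nbt_output: str) -> List[Tuple[str, str, str, str]]:
    """Return (name, suffix, type, status) for every row of the name table."""
    return [(m.group(1), m.group(2).upper(), m.group(3), m.group(4))
            for m in ROW_RE.finditer(nbt_output)]


def describe(nbt_output: str) -> List[str]:
    """Human-readable view of the table, useful for the log the post writes."""
    return ["%s<%s> %s %s" % (name, suf, ntype, SUFFIX_MEANING.get(suf, "unknown suffix"))
            for name, suf, ntype, _status in parse_name_table(nbt_output)]


def classify(nbt_output: str) -> str:
    """Same three outcomes the post's script logs for a host that answered ping."""
    if "not found" in nbt_output:          # nbtstat prints "Host not found."
        return "not_nt"
    for _name, suffix, ntype, status in parse_name_table(nbt_output):
        if suffix == "06" and ntype == "UNIQUE" and status == "Registered":
            return "ras"
    return "no_ras"


def sweep(hosts: Iterable[str], ping: Callable[[str], str],
          nbtstat: Callable[[str], str], retries: int = 1) -> Dict[str, str]:
    """Ping each host (retrying once, as the post does on its switched LAN),
    then classify the nbtstat output of the hosts that answered."""
    results: Dict[str, str] = {}
    for host in hosts:
        alive = any("timed out" not in ping(host) for _ in range(retries + 1))
        results[host] = classify(nbtstat(host)) if alive else "dead"
    return results


def demo() -> Dict[str, str]:
    """Constructed inventory: a RAS host, a RAS host whose first ping is lost,
    a non-NT host, a plain workstation and a dead address."""
    tables = {"10.0.0.1": SAMPLE_RAS, "10.0.0.2": SAMPLE_RAS,
              "10.0.0.3": "Host not found.\n", "10.0.0.4": "",
              "10.0.0.5": SAMPLE_NO_RAS}
    ping_calls: Dict[str, int] = {}

    def fake_ping(host: str) -> str:
        ping_calls[host] = ping_calls.get(host, 0) + 1
        if host == "10.0.0.4" or (host == "10.0.0.2" and ping_calls[host] == 1):
            return "Request timed out."
        return "Reply from %s: bytes=32 time<10ms TTL=128" % host

    return sweep(list(tables), fake_ping, lambda host: tables[host])


if __name__ == "__main__":
    for host, verdict in sorted(demo().items()):
        print(host, verdict)
```

Swapping the two lambdas for `subprocess.run(["ping", "-n", "1", host], ...)` and `subprocess.run(["nbtstat", "-A", host], ...)` turns `sweep` into the live scanner; keeping the command calls injected is what lets the parsing and retry logic be tested without touching the network.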