Justin Sam, Alan Ly, Laszlo Anda

Sponsored by Graycon Group

Published on April 9, 2015


Contents

Virtual Machine .................................................................. 2

What’s Included ................................................................ 2

Before Using ................................................................... 2

Required Components .............................................................. 2

Virtual Machine Required Components: ........................................... 2

Tools ............................................................................ 4

Active Directory Configuration ................................................. 4

Backup Configuration ........................................................... 5

Domain Login Scripts ........................................................... 5

DNS Configuration & DHCP Configuration ......................................... 5

Event Logs ..................................................................... 8

Exchange Configuration ......................................................... 8

Group policy ................................................................... 8

Local Computer Policies ........................................................ 9

Network Storage ................................................................ 9

Main Script ..................................................................... 10

Maintenance ................................................................... 24

Nessus .......................................................................... 27

Includes the following scans: ................................................. 27

Nessus Tutorial ............................................................... 27

Output Files .................................................................... 28

Contact Information ............................................................. 29


Virtual Machine

What’s Included

Virtual Machine name: ADCaRS_VM

Operating system: Microsoft Windows 7 Professional

Up-to-date Windows Updates

A Snapshot of original state

Preloaded Required Components (see Required Components for more details)

All required scripts (see Tools for more details)

Nessus Home (See Nessus for more details)

Before Using

Follow these steps to get the VM ready for scanning:

1. Log into provided account:

Domain\Username: SixtyFPS\Administrator

Password: see VM description

2. Configure the VM's IP address if necessary

3. Log into client’s domain

4. Restart

5. VM is now ready to use. Run ‘C:\ADCaRS.ps1’

Required Components

Virtual Machine Required Components: “C:\Required Components” contains all related installation files

1. Windows Management Framework 4.0

http://www.microsoft.com/en-ca/download/details.aspx?id=40855

Windows6.1-KB2819745-x64-MultiPkg.msu

2. Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)

http://www.microsoft.com/en-us/download/details.aspx?id=7887

Windows6.1-KB958830-x64-RefreshPkg.msu

Enable the following Windows Features:


a. Group Policy Management Tools

b. Active Directory Module for Windows PowerShell

Import the Active Directory module into PowerShell with the following command: Import-Module ActiveDirectory

3. Microsoft Exchange Management Tool

Enable the following Windows Features:

a. IIS 6 Management Console


b. IIS Metabase and IIS 6 configuration compatibility

Exchange 2010 Architecture Report V2 PowerShell script: https://gallery.technet.microsoft.com/office/Exchange-2010-Architecture-9368ff56

Tools

Active Directory Configuration

FILENAME: ad_config.ps1

AUTHOR: Krzysztof Pytko (iSiek)

LINKS: http://kpytko.pl/active-directory-domain-services/active-directory-reporting-version-2/

REQUIREMENTS (see Required Components):

Active Directory Module for Windows PowerShell

Active Directory PowerShell Module

CODE: Please see link for actual code.


Backup Configuration

FILENAME: backup_config.ps1

AUTHOR: SixtyFPS

LINKS: https://technet.microsoft.com/en-us/library/ee706683.aspx

CODE:

    # Records everything written to the console into the report file
    Start-Transcript "C:\Temp\Backup Configuration.txt"
    Write-Host "Backup Policies"
    # Runs on the remote server under the account the VM is logged in with (domain-joined per Before Using)
    Invoke-Command -ComputerName $servername2 -ScriptBlock {Get-WBPolicy}
    Write-Host "Backup Files"
    Invoke-Command -ComputerName $servername2 -ScriptBlock {Get-WBBackupSet}
    Stop-Transcript

Domain Login Scripts

FILENAME: domain_login_scripts.ps1

AUTHOR: SixtyFPS

LINKS: http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx

http://oxfordsbsguy.com/2013/04/16/powershell-get-aduser-to-retrieve-logon-scripts-and-home-directories/

CODE:

    # Lists every user and the logon script assigned to it (scriptPath attribute)
    Get-ADUser -Filter * -Properties ScriptPath | Format-Table Name, ScriptPath > "C:\Temp\Domain Login Scripts.txt"

DNS Configuration & DHCP Configuration

FILENAME: dns_dhcp.ps1

AUTHOR: Karl Mitschke

LINKS: https://gallery.technet.microsoft.com/Gather-DNS-settings-from-fec23eaa

http://unlockpowershell.wordpress.com/2010/05/12/powershell-wmi-gather-dns-settings-for-all-servers-2/

CODE:

    [CmdletBinding(SupportsShouldProcess=$false, ConfirmImpact='Medium')]
    param (
        [parameter(Mandatory=$false, ValueFromPipeline=$true)]
        [String[]]$ComputerName = $Env:ComputerName,

        [Parameter(Position = 1, Mandatory = $false)]
        $Credential
    )

    BEGIN {
        #region PSBoundParameters modification
        # A credential passed as a plain user name string is turned into a PSCredential by prompting
        if ($Credential -ne $null -and $Credential.GetType().Name -eq "String") {
            $PSBoundParameters.Remove("Credential") | Out-Null
            $PSBoundParameters.Add("Credential", (Get-Credential -Credential $Credential))
        }
        #endregion
        $AllServers = @()
        $ServerObj  = @()
        $Member = @{
            MemberType = "NoteProperty"
            Force      = $true
        }
    }

    PROCESS {
        $PSBoundParameters.Remove("ComputerName") | Out-Null
        foreach ($StrComputer in $ComputerName) {
            $NetItems = $null
            Write-Progress -Status "Working on $StrComputer" -Activity "Gathering Data"
            $ServerObj = New-Object psObject
            $ServerObj | Add-Member @Member -Name "Hostname" -Value $StrComputer
            # Only IP-enabled adapters; the remaining bound parameters (e.g. Credential) are splatted through
            $NetItems = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = 'True'" -ComputerName $StrComputer @PSBoundParameters)
            $intRowNet = 0
            $ServerObj | Add-Member -MemberType NoteProperty -Name "NIC's" -Value $NetItems.Length -Force
            [STRING]$MACAddresses = @()
            [STRING]$IpAddresses  = @()
            [STRING]$DNS          = @()
            [STRING]$DNSSuffix    = @()
            foreach ($objItem in $NetItems) {
                # Each WMI property may hold several values; flatten them into one "; "-separated string
                if ($objItem.IPAddress.Count -gt 1) {
                    $TempIpAddresses = [STRING]$objItem.IPAddress
                    $TempIpAddresses = $TempIpAddresses.Trim().Replace(" ", " ; ")
                    $IpAddresses += $TempIpAddresses + "; "
                }
                else {
                    $IpAddresses += [STRING]$objItem.IPAddress + "; "
                }
                if ($objItem.MACAddress.Count -gt 1) {
                    $TempMACAddresses = [STRING]$objItem.MACAddress
                    $TempMACAddresses = $TempMACAddresses.Replace(" ", " ; ")
                    $MACAddresses += $TempMACAddresses + "; "
                }
                else {
                    $MACAddresses += [STRING]$objItem.MACAddress + "; "
                }
                if ($objItem.DNSServerSearchOrder.Count -gt 1) {
                    $TempDNSAddresses = [STRING]$objItem.DNSServerSearchOrder
                    $TempDNSAddresses = $TempDNSAddresses.Replace(" ", " ; ")
                    $DNS += $TempDNSAddresses + "; "
                }
                else {
                    $DNS += [STRING]$objItem.DNSServerSearchOrder + "; "
                }
                if ($objItem.DNSDomainSuffixSearchOrder.Count -gt 1) {
                    $TempDNSSuffixes = [STRING]$objItem.DNSDomainSuffixSearchOrder
                    $TempDNSSuffixes = $TempDNSSuffixes.Replace(" ", " ; ")
                    $DNSSuffix += $TempDNSSuffixes + "; "
                }
                else {
                    $DNSSuffix += [STRING]$objItem.DNSDomainSuffixSearchOrder + "; "
                }
                $SubNet = [STRING]$objItem.IPSubnet[0]
                $intRowNet = $intRowNet + 1
            }
            # Trailing "; " is trimmed off the joined lists
            $ServerObj | Add-Member @Member -Name "IP Address" -Value $IpAddresses.Substring(0, $IpAddresses.LastIndexOf(";"))
            $ServerObj | Add-Member @Member -Name "IP Subnet" -Value $SubNet
            $ServerObj | Add-Member @Member -Name "MAC Address" -Value $MACAddresses.Substring(0, $MACAddresses.LastIndexOf(";"))
            $ServerObj | Add-Member @Member -Name "DNS" -Value $DNS
            $ServerObj | Add-Member @Member -Name "DNS Suffix Search Order" -Value $DNSSuffix
            # The following flags are read from the last adapter processed in the loop above
            $ServerObj | Add-Member @Member -Name "DNS Enabled For Wins" -Value $objItem.DNSEnabledForWINSResolution
            $ServerObj | Add-Member @Member -Name "Domain DNS Registration Enabled" -Value $objItem.DomainDNSRegistrationEnabled
            $ServerObj | Add-Member @Member -Name "Full DNS Registration Enabled" -Value $objItem.FullDNSRegistrationEnabled
            $ServerObj | Add-Member @Member -Name "DHCP Enabled" -Value $objItem.DHCPEnabled
            $ServerObj | Add-Member @Member -Name "DHCP Lease Obtained" -Value $objItem.DHCPLeaseObtained
            $ServerObj | Add-Member @Member -Name "DHCP Lease Expires" -Value $objItem.DHCPLeaseExpires
            $AllServers += $ServerObj
        }
    }

    END {
        Write-Output -InputObject $AllServers
    }

Event Logs

FILENAME: eventlog.ps1

AUTHOR: SixtyFPS

LINKS: http://www.computerperformance.co.uk/powershell/powershell_eventlog.htm

https://msdn.microsoft.com/en-us/library/aa394226%28v=vs.85%29.aspx

CODE:

    Clear-Host
    Write-Host "Getting Event Logs......"
    # In WQL, AND binds tighter than OR, so the two logfile tests must be grouped;
    # without the extra parentheses every Application event, not only errors, is returned.
    $Logs = Get-WmiObject -ComputerName $servername2 -Credential $cred2 -Query `
        "SELECT * FROM Win32_NTLogEvent WHERE ((logfile='Application') OR (logfile='System')) AND (type='error')"
    $Logs | Format-Table LogFile, EventCode, SourceName, EventType, Message -AutoSize -Wrap | Out-File "C:\Temp\Event Log Analysis.txt"

Exchange Configuration

FILENAME: E2K10_Architecture_V2.02 (folder)

AUTHOR: Franck NEROT ([email protected])

Pascal THEIL ([email protected])

LINKS: https://gallery.technet.microsoft.com/office/Exchange-2010-Architecture-9368ff56

CODE: Please see link for actual code. Below is our code to call the actual script.

    Write-Host "Getting Exchange Configurations..."
    cd "C:\TOOLS\E2K10_Architecture_V2.02"
    .\E2K10_Architecture_CMD_V2.02 6
    # The report is moved into C:\Temp so that verify and export pick it up
    Move-Item *.htm "C:\Temp\Exchange Configuration.htm"

Group policy

FILENAME: group_policies.ps1

AUTHOR: SixtyFPS

LINKS: https://technet.microsoft.com/en-ca/library/ee461027.aspx

REQUIREMENTS (see Required Components):

Group Policy Management Tools

CODE:

    Get-GPOReport -All -Domain $domainname2 -Server $servername2 -ReportType HTML -Path "C:\Temp\Group Policy Configuration.htm"

Local Computer Policies

FILENAME: local_policies.ps1

AUTHOR: SixtyFPS

LINKS: http://community.spiceworks.com/topic/336425-script-to-export-local-security-policy

CODE: SecEdit /export /cfg "C:\Temp\Local Computer Policies.txt"

Network Storage

FILENAME: sydi-server-2.4 (folder)

AUTHOR: Patrick Ogenstad

LINKS: http://sydiproject.com/download/

CODE: Please see link for actual code. Below is our code to call the actual script.

    cd "C:\TOOLS\sydi-server-2.4"
    cscript.exe sydi-server.vbs -t -ew -o"C:\Temp\SYDI Overview (Inclu. Network Storage).doc"

Main Script

FILENAME: ADCaRS.ps1

AUTHOR: SixtyFPS

LINKS: http://oxfordsbsguy.com/2013/04/29/powershell-get-aduser-to-retrieve-logon-scripts-and-home-directories-part-2/

https://technet.microsoft.com/en-ca/library/ee461027.aspx

http://www.tenable.com/products/nessus-vulnerability-scanner

https://quickclix.wordpress.com/2012/08/14/making-powershell-menus/

https://gallery.technet.microsoft.com/scriptcenter/Open-Internet-Explorer-e4f8ae4b

https://technet.microsoft.com/en-us/library/ee176874.aspx

http://superuser.com/questions/741945/delete-all-files-from-a-folder-and-its-sub-folders

CODE:

    <#
    ADCaRS.ps1
    Team: Sixty FPS
    Members: Justin Sam, Alan Ly, and Laszlo Anda
    Contact: [email protected]
    Institution: SAIT Polytechnic
    Capstone: Project ADCaRS
    Designed for: Graycon Group
    Winter/Spring 2015
    #>

    <#
    Index:
    Numerals denote the value of the variable "menu"
      <Example: "1" is the "Information/About" Menu ($menu=1)>
    Values inside parentheses denote the name of the function
      <Example: "(clientname)" is the "clientname" function>

    0 - Main
    1 - Information/Hints
    2 - Start
        (clientname) - Client Name
        (reqinfo)    - Enter Credentials
        (exepol)     - Execution Policy
        (auto)       - Auto
        3 - Manual
            (exchange)  - Exchange Configuration
            (nas)       - SYDI Overview & Network Storage
            (bkpconf)   - Backup Configuration
            (adconfig)  - AD Configuration
            (domlog)    - Domain Login Scripts
            (locpol)    - Local Computer Policies
            (grppol)    - Group Policy Configuration
            (eventlogs) - Event Log Analysis
            (domsecpw)  - Domain Security Password Policy
            (dnsconf)   - DNS & DHCP Configuration   #UNSTABLE, CAN'T GUARANTEE IT'LL WORK, NOT INCLUDED IN AUTO SCAN
        4 - Nessus
            5 - Walkthrough/Information
                Information
                    DNS Information
                    Vulnerabilities (Critical, High, Medium, and Low)
                    Open Ports
                    Installed Software Enumeration
                    Virtual Machine Detection
                    Local Password Policies
                    Operating Systems Assessment
                    User Account Scan
                    Patch Report
                    Missing Patches Report
                Open Tutorial
            (nessus)   - Launch Nessus
            (postscan) - Post-scan
        (verify) - Verify Report Generation
        (export) - Export All
    #>

    <############################ START VARIABLES AREA ############################>
    [BOOLEAN]$global:ExitSession=0  #If set to 1, close PowerShell session
    [INT]$global:menu=0             #Variable to denote which menu you're in
    <############################ END VARIABLES AREA ############################>

    <############################ START FUNCTIONS AREA ############################>
    function LOADMENU() #Main
    {
        while ($menu -eq 0 -and $ExitSession -ne 1) { #Start menu=0
            CLS
            status
            Write-Host "`n`tProject ADCaRS - Main Menu`n" -ForegroundColor cyan
            Write-Host "`t`tCHOOSE AN OPTION:`n"
            Write-Host "`t`t[1] Information/Hints`n"
            Write-Host "`t`t[2] START`n"
            Write-Host "`t`t[3] EXIT`n" -Fore red
            [int]$choice = Read-Host "`t`tENTER CHOICE: "
            if ($choice -lt 1 -or $choice -gt 3) {
                Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
                start-Sleep -Seconds 1
                e2c
                $menu=0
            }
            Switch ($choice) {
                1       { $menu=1; break }
                2       { $menu=2; break }
                3       { exiting; break }
                default { $menu=0; break }
            }
        } #End menu=0

        while ($menu -eq 1) { #Start menu=1
            CLS
            Write-Host "Information/Hints`n"
            Write-Host "`n`t`tOpening webpage... (C:\TOOLS\Tutorial\Nessus\information.html)" -Fore yellow
            $Url="C:\TOOLS\Tutorial\Nessus\information.html"
            $IE = New-Object -com internetexplorer.application; $IE.visible = $true; $IE.navigate($url);
            Write-Host "`n`t`t[1] RETURN`n" -Fore yellow
            [int]$choice = Read-Host "`t`tENTER CHOICE: "
            if ($choice -lt 1 -or $choice -gt 1) {
                Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
                start-Sleep -Seconds 1
                e2c
                $menu=1
            }
            Switch ($choice) {
                1       { RETURNing; $menu=0; break }
                default { $menu=1; break }
            }
        } #End menu=1

        while ($menu -eq 2) { #Start menu=2
            CLS
            status
            Write-Host "`n`nSTART`n"
            Write-Host "`t`tCHOOSE AN OPTION:`n"
            Write-Host "`t`t[1] Client Name`n"
            Write-Host "`t`t[2] Enter Credentials`n"
            Write-Host "`t`t[3] Set Execution Policy`n"
            Write-Host "`t`t[4] Auto`n"
            Write-Host "`t`t[5] Manual`n"
            Write-Host "`t`t[6] Nessus`n"
            Write-Host "`t`t[7] Verify Report Generation`n"
            Write-Host "`t`t[8] Export All`n"
            Write-Host "`t`t[9] RETURN`n" -Fore yellow
            [int]$choice = Read-Host "`t`tENTER CHOICE: "
            if ($choice -lt 1 -or $choice -gt 9) {
                Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
                start-Sleep -Seconds 1
                e2c
                $menu=2
            }
            Switch ($choice) {
                1       { clientname; $menu=2; break }   #Enter Client Name
                2       { reqinfo; $menu=2; break }      #Enter Credentials
                3       { exepol; $menu=2; break }       #Set Execution Policy
                4       { auto; e2c; $menu=2; break }    #Auto
                5       { $menu=3; break }               #Manual
                6       { $menu=4; break }               #Nessus
                7       { verify; e2c; $menu=2; break }  #Verify Report Generation
                8       { export; e2c; $menu=1; break }  #Export All
                9       { RETURNing; $menu=0; break }
                default { $menu=2; break }
            }

            while ($menu -eq 3) { #Start menu=3
                CLS
                Write-Host "`n`tManual`n"
                Write-Host "`t`tCHOOSE AN OPTION:`n"
                Write-Host "`t`t[1] Exchange Configuration`n"
                Write-Host "`t`t[2] SYDI Overview & Network Storage`n"
                Write-Host "`t`t[3] Backup Configuration`n"
                Write-Host "`t`t[4] Active Directory Configuration`n"
                Write-Host "`t`t[5] Domain Login Scripts`n"
                Write-Host "`t`t[6] Local Computer Policies`n"
                Write-Host "`t`t[7] Group Policy Configuration`n"
                Write-Host "`t`t[8] Event Log Analysis`n"
                Write-Host "`t`t[9] Domain Security Password Policy`n"
                Write-Host "`t`t[10] DNS & DHCP Configuration (UNSTABLE, NOT INCLUDED IN AUTO)`n"
                Write-Host "`t`t[11] RETURN`n" -Fore yellow
                [int]$choice = Read-Host "`t`tENTER CHOICE: "
                if ($choice -lt 1 -or $choice -gt 11) {
                    Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
                    start-Sleep -Seconds 1
                    e2c
                    $menu=3
                }
                Switch ($choice) {
                    1       { exchange; e2c; $menu=3; break }   #Exchange Configuration
                    2       { nas; e2c; $menu=3; break }        #SYDI Overview & Network Storage
                    3       { bkpconf; e2c; $menu=3; break }    #Backup Configuration
                    4       { adconfig; e2c; $menu=3; break }   #AD Configuration
                    5       { domlog; e2c; $menu=3; break }     #Domain Login Scripts
                    6       { locpol; e2c; $menu=3; break }     #Local Computer Policies
                    7       { grppol; e2c; $menu=3; break }     #Group Policy Configuration
                    8       { eventlogs; e2c; $menu=3; break }  #Event Log Analysis
                    9       { domsecpw; e2c; $menu=3; break }   #Domain Security Password Policy
                    10      { dnsconf; e2c; $menu=3; break }    #DNS & DHCP Configuration (UNSTABLE)
                    11      { RETURNing; $menu=2; break }
                    default { $menu=3; break }
                }
            } #End menu=3

            while ($menu -eq 4) { #Start menu=4
                CLS
                Write-Host "`n`tNessus`n"
                Write-Host "`t`tCHOOSE AN OPTION:`n"
                Write-Host "`t`t[1] Walkthrough/Information`n"
                Write-Host "`t`t[2] Launch Nessus`n"
                Write-Host "`t`t[3] Post-scan`n"
                Write-Host "`t`t[4] RETURN`n" -Fore yellow
                [int]$choice = Read-Host "`t`tENTER CHOICE: "
                if ($choice -lt 1 -or $choice -gt 4) {
                    Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
                    start-Sleep -Seconds 1
                    e2c
                    $menu=2
                }
                Switch ($choice) {
                    1       { $menu=5; break }
                    2       { nessus; e2c; $menu=4; break }
                    3       { postscan; e2c; $menu=4; break }
                    4       { RETURNing; $menu=2; break }
                    default { $menu=4; break }
                }

                while ($menu -eq 5) { #Start menu=5
                    CLS
                    Write-Host "`n`tNessus: Walkthrough/Information`n"
                    Write-Host "`t`tCHOOSE AN OPTION:`n"
                    Write-Host "`t`t[1] List: Type of Data Collected by ADCaRS`n"
                    Write-Host "`t`t[2] Open Tutorial`n"
                    Write-Host "`t`t[3] RETURN`n" -Fore yellow
                    [int]$choice = Read-Host "`t`tENTER CHOICE: "
                    if ($choice -lt 1 -or $choice -gt 3) {
                        Write-Host "`tInvalid option; please enter a correct numerical value.`n" -Fore magenta
                        start-Sleep -Seconds 1
                        e2c
                        $menu=5
                    }
                    Switch ($choice) {
                        1 {
                            CLS
                            Write-Host "DNS Information`n- Vulnerabilities (Critical, High, Medium, and Low)`n- Open Ports`n- Installed Software Enumeration`n- Virtual Machine Detection`n- Local Password Policies`n- Operating Systems Assessment`n- User Account Scan`n- Patch Report`n- Missing Patches Report"
                            e2c
                            $menu=5
                            break
                        }
                        2 {
                            nessus
                            $Url="C:\TOOLS\Tutorial\Nessus\index.html"
                            $IE = New-Object -com internetexplorer.application; $IE.visible = $true; $IE.navigate($url);
                            e2c
                            $menu=5
                            break
                        }
                        3       { RETURNing; $menu=4; break }
                        default { $menu=5; break }
                    }
                } #End menu=5
            } #End menu=4
        } #End menu=2
    } #End of LOADMENU

    function status() #Status column showing
    {
        Write-Host "Execution Policy: " -Fore green; Get-ExecutionPolicy
        if ($clientname -eq $null) { Write-Host "Client name is not entered" -Fore red }
        else { Write-Host "Client name is entered as [$clientname]" -Fore green }
        if ($servername2 -eq $null) { Write-Host "Credentials are not entered" -Fore red }
        else { Write-Host "Credentials are entered for [$servername2]" -Fore green }
    }

    function clientname() #Sets the $clientname variable to be used as the final name of the dir that will hold all the reports
    {
        CLS
        Write-Host "Please enter the name you would like saved as the client's folder: " -Fore yellow
        Write-Host "(Do not use any characters that cannot be used in the naming of files, paths, and namespaces."
        Write-Host "For more information: https://msdn.microsoft.com/en-us/library/aa365247)"
        $global:clientname = Read-Host "Client name"
        e2c
        RETURN
    }

    function exepol() #Sets your execution policy to bypass to avoid any odd security interactions
    {
        CLS
        Write-Host "Setting Execution Policy to [Bypass]..."
        Set-ExecutionPolicy Bypass
        Get-ExecutionPolicy
        e2c
        RETURN
    }

    function reqinfo() #Enter administrator credentials to use within the domain
    {
        CLS
        Write-Host "Please enter the following credentials: " -Fore yellow
        $servername = Read-Host "Server Name"
        $global:servername2 = $servername
        $domainname = Read-Host "Domain: "
        $global:domainname2 = $domainname
        $username = Read-Host "Domain\User"
        $global:username2 = $username
        #The password is written DPAPI-protected (readable only by this user on this machine) and deleted again by exiting
        read-host "Password: " -assecurestring | convertfrom-securestring | out-file C:\Temp\securestring.txt
        $password = cat C:\Temp\securestring.txt | convertto-securestring
        $global:password2 = $password
        $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username2, $password2
        $global:cred2 = $cred
        Write-Host "`nServer Name: $servername" -Fore cyan
        Write-Host "`nDomain: $domainname" -Fore cyan
        Write-Host "`nUser: $username`n" -Fore cyan
        e2c
        RETURN
    }

    function auto() #Run all the scripts automatically
    {
        CLS
        $autotitle = "Auto"
        $automessage = "Would you like to run the auto-scan?"
        $autoyes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Automatically run all the scripts."
        $autono  = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "RETURN to previous menu."
        $autooptions = [System.Management.Automation.Host.ChoiceDescription[]]($autoyes, $autono)
        $autoresult = $host.ui.PromptForChoice($autotitle, $automessage, $autooptions, 0)
        switch ($autoresult) {
            0 {nas; exchange; bkpconf; adconfig; domlog; locpol; grppol; eventlogs; domsecpw}
            1 {RETURN}
        }
    }

    function verify() #Verifies if the report files were generated
    {
        CLS
        status
        Write-Host "`nVerification of Generated Files`n" -ForegroundColor cyan
        #For this portion we will simplify the indentation to save space
        Write-Host "`tInfrastructure:`n" -ForegroundColor cyan
        If(Test-Path "C:\Temp\Active Directory Configuration.txt"){Write-Host "`t`t[X] Active Directory Configuration`n"}Else{Write-Host "`t`t[ ] Active Directory Configuration`n"}
        If(Test-Path "C:\Temp\Backup Configuration.txt"){Write-Host "`t`t[X] Backup Configuration`n"}Else{Write-Host "`t`t[ ] Backup Configuration`n"}
        If(Test-Path "C:\Temp\DNS Information.txt"){Write-Host "`t`t[X] DNS Information`n"}Else{Write-Host "`t`t[ ] DNS Information`n"}
        If(Test-Path "C:\Temp\Domain Login Scripts.txt"){Write-Host "`t`t[X] Domain Login Scripts`n"}Else{Write-Host "`t`t[ ] Domain Login Scripts`n"}
        If(Test-Path "C:\Temp\Event Log Analysis.txt"){Write-Host "`t`t[X] Event Log Analysis`n"}Else{Write-Host "`t`t[ ] Event Log Analysis`n"}
        If(Test-Path "C:\Temp\Exchange Configuration.htm"){Write-Host "`t`t[X] Exchange Configuration`n"}Else{Write-Host "`t`t[ ] Exchange Configuration`n"}
        If(Test-Path "C:\Temp\Group Policy Configuration.htm"){Write-Host "`t`t[X] Group Policy Configuration`n"}Else{Write-Host "`t`t[ ] Group Policy Configuration`n"}
        If(Test-Path "C:\Temp\Installed Software Enumeration.txt"){Write-Host "`t`t[X] Installed Software Enumeration`n"}Else{Write-Host "`t`t[ ] Installed Software Enumeration`n"}
        If(Test-Path "C:\Temp\List of Virtual Machines.txt"){Write-Host "`t`t[X] List of Virtual Machines`n"}Else{Write-Host "`t`t[ ] List of Virtual Machines`n"}
        If(Test-Path "C:\Temp\Local Computer Policies.txt"){Write-Host "`t`t[X] Local Computer Policies`n"}Else{Write-Host "`t`t[ ] Local Computer Policies`n"}
        If(Test-Path "C:\Temp\Patch Report.txt"){Write-Host "`t`t[X] Patch Report`n"}Else{Write-Host "`t`t[ ] Patch Report`n"}
        If(Test-Path "C:\Temp\Missing Patches Report.txt"){Write-Host "`t`t[X] Missing Patches Report`n"}Else{Write-Host "`t`t[ ] Missing Patches Report`n"}
        If(Test-Path "C:\Temp\SYDI Overview (Inclu. Network Storage).doc"){Write-Host "`t`t[X] SYDI Overview & Network Storage`n"}Else{Write-Host "`t`t[ ] SYDI Overview & Network Storage`n"}
        Write-Host "`tSecurity:`n" -ForegroundColor cyan
        If(Test-Path "C:\Temp\User Account Scan.txt"){Write-Host "`t`t[X] User Account Scan`n"}Else{Write-Host "`t`t[ ] User Account Scan`n"}
        If(Test-Path "C:\Temp\Domain Security Password Policy.txt"){Write-Host "`t`t[X] Domain Security Password Policy`n"}Else{Write-Host "`t`t[ ] Domain Security Password Policy`n"}
        If(Test-Path "C:\Temp\Local Password Policies.txt"){Write-Host "`t`t[X] Local Password Policies`n"}Else{Write-Host "`t`t[ ] Local Password Policies`n"}
        If(Test-Path "C:\Temp\Operating Systems.txt"){Write-Host "`t`t[X] Operating Systems`n"}Else{Write-Host "`t`t[ ] Operating Systems`n"}
        If(Test-Path "C:\Temp\Ports & Services Report.txt"){Write-Host "`t`t[X] Ports & Services Report`n"}Else{Write-Host "`t`t[ ] Ports & Services Report`n"}
        If(Test-Path "C:\Temp\Vulnerabilities_Critical.txt"){Write-Host "`t`t[X] Vulnerabilities: Critical`n"}Else{Write-Host "`t`t[ ] Vulnerabilities: Critical`n"}
        If(Test-Path "C:\Temp\Vulnerabilities_High.txt"){Write-Host "`t`t[X] Vulnerabilities: High`n"}Else{Write-Host "`t`t[ ] Vulnerabilities: High`n"}
        If(Test-Path "C:\Temp\Vulnerabilities_Medium.txt"){Write-Host "`t`t[X] Vulnerabilities: Medium`n"}Else{Write-Host "`t`t[ ] Vulnerabilities: Medium`n"}
        If(Test-Path "C:\Temp\Vulnerabilities_Low.txt"){Write-Host "`t`t[X] Vulnerabilities: Low`n"}Else{Write-Host "`t`t[ ] Vulnerabilities: Low`n"}
    }

    function export() #Final step, exports all the files to their respective folders under the designated name for easy copy later on
    {
        if ($clientname -eq $null) {
            Write-Host "`t`tClient name is not entered!`n`t`tPlease enter a client name before proceeding to export." -Fore red
            e2c
            break
        }
        else {
            CLS
            $exporttitle = "Export"
            $exportmessage = "Would you like to export all for [$clientname]?"
            $exportyes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Export all reports to specified client's folder."
            $exportno  = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "RETURN to previous menu."
            $exportoptions = [System.Management.Automation.Host.ChoiceDescription[]]($exportyes, $exportno)
            $exportresult = $host.ui.PromptForChoice($exporttitle, $exportmessage, $exportoptions, 0)
            switch ($exportresult) {
                0 {
                    Write-Host "Exporting..."
                    New-Item -ItemType Directory -Path "C:\CLIENTS\$clientname"
                    Move-Item C:\TEMP\*.txt "C:\CLIENTS\$clientname"
                    Move-Item C:\TEMP\*.doc "C:\CLIENTS\$clientname"
                    Move-Item C:\TEMP\*.htm "C:\CLIENTS\$clientname"
                    Move-Item C:\TEMP\*.html "C:\CLIENTS\$clientname"
                    Write-Host "Export to dir [$clientname] finished." -Fore green
                }
                1 {RETURN}
            }
        }
        RETURN
    }

    function exchange() #Exchange Configuration
    { C:\TOOLS\exchange.ps1 }

    function nas() #SYDI Overview & Network Storage
    { C:\TOOLS\sydi.ps1 }

    function bkpconf() #Backup Configuration
    { C:\TOOLS\backup_config.ps1 }

    function adconfig() #Active Directory Configuration
    { C:\TOOLS\ad_config.ps1 }

    function domlog() #Domain Login Scripts
    { C:\TOOLS\domain_login_scripts.ps1 }

    function locpol() #Local Computer Policies
    { C:\TOOLS\local_policies.ps1 -ComputerName $servername2 -Credential $cred2 }

    function grppol() #Group Policy Configuration
    { C:\TOOLS\group_policies.ps1 }

    <#(THIS DOES NOT WORK ANYMORE, IT BROKE)
    function dnsconf() #DNS Configuration
    { C:\TOOLS\dnsdhcp.ps1 -ComputerName $servername2 -Credential $cred2 | out-file "C:\Temp\DNS & DHCP Configuration.txt" }
    #>

    function eventlogs() #Event Log Analysis
    { C:\TOOLS\eventlog.ps1 }

    function domsecpw() #Domain Secure Password Policy
    { Get-ADDefaultDomainPasswordPolicy > "C:\Temp\Domain Security Password Policy.txt" }

    function nessus() #Launch Nessus using Internet Explorer
    {
        $Url="https://localhost:8834/nessus6.html#/scans"
        $IE = New-Object -com internetexplorer.application; $IE.visible = $true; $IE.navigate($url);
        while ($IE.Busy -eq $true) { Start-Sleep -Milliseconds 2000; }
        $ie.Document.getElementByID("overridelink").Click() #Automatically bypass certificate error screen (IE Only)
        Start-Sleep -Seconds 3;
        while ($IE.Busy -eq $true) { Start-Sleep -Milliseconds 2000; }
    }

    function postscan() #Run this after Nessus to create all the reports
    {
        CLS
        $posttitle = "Post-scan"
        $postmessage = "Have you imported the Nessus scan into a .csv file and are ready to create your reports?"
        $postyes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Prompt for Nessus .csv file name."
        $postno  = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "RETURN to previous menu."
        $postoptions = [System.Management.Automation.Host.ChoiceDescription[]]($postyes, $postno)
        $postresult = $host.ui.PromptForChoice($posttitle, $postmessage, $postoptions, 0)
        switch ($postresult) {
            0 {
                Write-Host "`t`nEnter the ABSOLUTE path to the .csv file: "
                Write-Host "`t`(Example: C:\REPORTS\Nessus.csv)" -Fore Yellow
                $global:csv = Read-Host
                if ($csv -like "*.csv") {
                    #Each report is one filter over the Nessus CSV export, split by plugin name or by risk rating
                    Import-Csv $csv | Where-Object {$_.Name -eq "Windows DNS Server Enumeration"} > "C:\Temp\DNS Information.txt"
                    Import-Csv $csv | Where-Object {$_.Risk -eq "Critical"} > "C:\Temp\Vulnerabilities_Critical.txt"
                    Import-Csv $csv | Where-Object {$_.Risk -eq "High"} > "C:\Temp\Vulnerabilities_High.txt"
                    Import-Csv $csv | Where-Object {$_.Risk -eq "Medium"} > "C:\Temp\Vulnerabilities_Medium.txt"
                    Import-Csv $csv | Where-Object {$_.Risk -eq "Low"} > "C:\Temp\Vulnerabilities_Low.txt"
                    Import-Csv $csv | Where-Object {$_.Name -eq "Netstat Connection Information"} > "C:\Temp\Ports & Services Report.txt"
                    Import-Csv $csv | Where-Object {$_.Name -eq "Microsoft Windows Installed Software Enumeration (credentialed check)"} > "C:\Temp\Installed Software Enumeration.txt"
                    Import-Csv $csv | Where-Object {$_.Name -eq "Patch Report"} > "C:\Temp\Patch Report.txt"
                    Import-Csv $csv | Where-Object {$_.Name -eq "Microsoft Windows Summary of Missing Patches"} > "C:\Temp\Missing Patches Report.txt"
                    Import-Csv $csv | Where-Object {$_.Name -eq "VMware Virtual Machine Detection"} > "C:\Temp\List of Virtual Machines.txt"
                    Import-Csv $csv | Where-Object {$_.Name -eq "Microsoft Windows SMB : Obtains the Password Policy"} > "C:\Temp\Local Password Policies.txt"
                    Import-Csv $csv | Where-Object {$_.Name -eq "OS Identification"} > "C:\Temp\Operating Systems.txt"
                    Import-Csv $csv | Where-Object {$_.Name -eq "Enumerate Local Users"} > "C:\Temp\User Account Scan.txt"
                    Write-Host "Task finished." -Fore Green
                }
                else {
                    Write-Host "Please enter the ABSOLUTE path to the .csv file!" -Fore red
                }
            }
            1 {RETURN}
        }
        RETURN
    }

    function exiting() #Exit confirmation & deletion of securestring.txt
    {
        CLS
        $exittitle = "Exit"
        $exitmessage = "Are you sure you want to exit?`n(All temporary information and files will be lost.)"
        $exityes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Exit PowerShell and delete securestring.txt."
        $exitno  = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "RETURN to previous menu."
        $exitoptions = [System.Management.Automation.Host.ChoiceDescription[]]($exityes, $exitno)
        $exitresult = $host.ui.PromptForChoice($exittitle, $exitmessage, $exitoptions, 0)
        switch ($exitresult) {
            0 {$global:ExitSession=$true;}
            1 {RETURN}
        }
    }

    function RETURNing() #Aesthetics
    {
        CLS
        Write-Host "`n`tRETURNING.`n" -Fore Yellow; start-Sleep -m 500
        CLS
        Write-Host "`n`tRETURNING..`n" -Fore Yellow; start-Sleep -m 500
        RETURN
    }

    function e2c() #Press enter to continue
    {
        Read-Host "`tPress (ENTER) to continue"
    }
    <############################ END FUNCTIONS AREA ############################>

    <############################ START CODE AREA ############################>
    CLS
    LOADMENU #Main
    If ($ExitSession -eq 1) #Quit PowerShell
    {
        Get-ChildItem -Path C:\TEMP -Include "securestring.txt" -File -Recurse | foreach { $_.Delete() }     #Deletes any instance of "securestring.txt"
        Get-ChildItem -Path C:\CLIENTS -Include "securestring.txt" -File -Recurse | foreach { $_.Delete() }  #Deletes any instance of "securestring.txt"
        CLS; Write-Host "`n`tExiting.`n" -Fore Red; start-Sleep -m 500;
        CLS; Write-Host "`n`tExiting..`n" -Fore Red; start-Sleep -m 500;
        CLS
        exit-pssession
        RETURN
    }
    else #Persist PowerShell session
    {
        C:\ADCaRS.ps1
    }
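The reqinfo function above keeps the domain password alive by round-tripping it through C:\Temp\securestring.txt (ConvertFrom-SecureString protects the file with DPAPI for the current user, and exiting deletes it at the end of the session). The following is an added example, not code from the ADCaRS project, that builds the same $cred2 object without writing anything to disk, checks that the credential actually works against the target server before any report script is run, and removes a leftover securestring.txt early rather than only at exit. The function names New-AdcarsCredential, Test-AdcarsCredential and Remove-AdcarsSecretFile are this example's own; $servername2, $domainname2 and $username2 are the globals the main script already sets.

```powershell
# Added example (not part of ADCaRS.ps1): in-memory credential handling for the menu script.
# Function names below are hypothetical; the globals they consume come from reqinfo.

function New-AdcarsCredential {
    param(
        [Parameter(Mandatory=$true)][string]$DomainUser   # e.g. "CONTOSO\auditor" (constructed sample value)
    )
    # -AsSecureString keeps the password out of the console history and out of plain [string] variables;
    # the PSCredential wraps the SecureString directly, so no file is written and nothing needs deleting.
    $secure = Read-Host "Password for $DomainUser" -AsSecureString
    return New-Object System.Management.Automation.PSCredential ($DomainUser, $secure)
}

function Test-AdcarsCredential {
    # Confirms the target accepts the credential before the auto chain starts, so a mistyped
    # password fails here instead of half-way through the scan with partial reports in C:\Temp.
    # Note: Get-WmiObject refuses explicit credentials for the local machine, so this only
    # makes sense for the remote server name entered in reqinfo.
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential
    )
    try {
        Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName `
            -Credential $Credential -ErrorAction Stop | Out-Null
        return $true
    }
    catch {
        Write-Warning "Credential check against $ComputerName failed: $($_.Exception.Message)"
        return $false
    }
}

function Remove-AdcarsSecretFile {
    # If the file-based variant from reqinfo is still in use, drop the file as soon as the
    # PSCredential exists instead of leaving it until the session ends.
    param([string]$Path = "C:\Temp\securestring.txt")
    if (Test-Path $Path) {
        Remove-Item -Path $Path -Force
        return $true
    }
    return $false
}

# Usage (interactive, after reqinfo has set the globals):
#   $global:cred2 = New-AdcarsCredential -DomainUser "$domainname2\$username2"
#   Remove-AdcarsSecretFile | Out-Null
#   if (Test-AdcarsCredential -ComputerName $servername2 -Credential $cred2) { auto }
```

Because the SecureString never leaves process memory, the cleanup in the CODE AREA that searches C:\TEMP and C:\CLIENTS for securestring.txt is no longer load-bearing; it can stay as a belt-and-braces step.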


Maintenance

Important notes to begin: Project ADCaRS has been coded specifically to run under the following conditions:

1. The script must be named ADCaRS.ps1 and reside in the root of C:\.
2. C:\ MUST include the directories "Temp", "CLIENTS", "REPORTS", "Tutorials" and "TOOLS".
3. Any additional functions that you add that do not output to C:\TEMP will not be exported properly.
4. Your execution policy must be set to an unrestricted setting (such as Bypass) to allow for a more reliable execution.
5. Internet Explorer is installed.

It is recommended to run ADCaRS.ps1 by calling it from an existing PowerShell instance rather than double-clicking it. That way, if you encounter any error the instance will not close and you will be able to read the warnings. It also gives a larger viewing window, which is more convenient given the large output screens on the menu.

I will be using the following keywords to explain maintenance on Project ADCaRS:

[WHERE] - Denotes where in the code you should be focusing.
[ADD] - Add the following line/section in the appropriate spot.
[EDIT] - Edit an existing line of code; changes will be noted in red.
[REMOVE] - Remove the following line/section from the appropriate spot.
[OPTIONAL] - Changes that do not impact the functionality of ADCaRS but should be considered.

Comments will be noted in green and should not be entered into the code itself.

Nessus updates and uses a different URL

[WHERE] function nessus()
[EDIT] $URL to the new URL of the Nessus client.
[OPTIONAL] Update the hyperlink in the C:\Tutorials\Nessus\index.html (Nessus Tutorial) webpage. (Line 48)

Steps to add a new function and script scan (non-Nessus)

In this scenario, you would like to add the function "Misc Scan" to the menu and would like it to run with "auto" as well as be a "manual" option. Your misc scan outputs a report called "misc.txt".

[EDIT] The index at the beginning of ADCaRS.ps1 should be updated to reflect your changes. Start with the manual menu.


[WHERE] Anywhere after any function between the <### START FUNCTIONS AREA ###> and the <### END FUNCTIONS AREA ###>, for the sake of cleanliness.
[ADD]
function miscscan()
{
Script goes here
}

[WHERE] while($menu -eq 3)
Add a new option to the menu format.
[ADD] Write-Host "`t`t[11] Misc Scan`n"
Change the selection of RETURN to accommodate the change.
[EDIT] Write-Host "`t`t[12] RETURN`n" -Fore yellow
Change the "if" statement to accommodate the extra option (the value should match the option number of "RETURN").
[EDIT] if ($choice -lt 1 -or $choice -gt 12)
Add the new functionality to the switch.
[ADD]
11
{
miscscan    #Calls your new "miscscan" function
$menu=2
Break
}
[EDIT]
12
{
RETURNing
$menu=2
Break
}

Now you need to add the function to the auto function.
[WHERE] function auto()
[EDIT] 0 {nas; exchange; bkpconf; adconfig; domlog; locpol; grppol; dnsconf; eventlogs; domsecpw; miscscan}

Now you have to add your misc scan to the verification of generated files option.
[WHERE] function verify()
[ADD] If(Test-Path "C:\Temp\misc.txt"){Write-Host "`t`t[X] Misc Scan`n"}Else{Write-Host "`t`t[ ] Misc Scan`n"}

[OPTIONAL] If your misc function outputs a file other than .txt, .doc, .htm, or .html, then you need to configure the export function to move your file to the proper directory. For this example your misc scan outputs a file called "misc.xml".
[WHERE] function export()
[ADD] Move-Item C:\TEMP\*.xml "C:\CLIENTS\$clientname"
For cleanliness I recommend putting the above line of code underneath the Move-Item C:\TEMP\*.html "C:\CLIENTS\$clientname" line, or somewhere similar.

Steps to add a new report from any Nessus plugin

In this scenario, you would like to include a report for the Nessus plugin called "Service Detection", plugin ID 22964.


[WHERE] function postscan()
[ADD] Import-Csv $csv | Where-Object {$_.Name -eq "Service Detection"} > "C:\Temp\Service Detection.txt"
The important thing to note here is that the "$_.Name -eq" portion MUST match the exact name of the Nessus plugin. This line should go underneath the other lines of code that start with "Import-Csv $csv".

After you add the Nessus functionality you should update the verifier.
[WHERE] function verify()
[ADD] If(Test-Path "C:\Temp\Service Detection.txt"){Write-Host "`t`t[X] Service Detection`n"}Else{Write-Host "`t`t[ ] Service Detection`n"}

[OPTIONAL] It is recommended to update the "List: Type of Data Collected by ADCaRS" in the "Nessus Walkthrough/Information" portion of the menu.
[WHERE] while($menu -eq 5)
[EDIT] Write-Host "- Vulnerabilities (Critical, High, Medium, and Low)`n- Open Ports`n- Installed Software Enumeration`n- Virtual Machine Detection`n- Local Password Policies`n- Operating Systems Assessment`n- Service Detection`n"
"`n" (back-tick n) creates a new line break for aesthetic purposes.
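As an added example (not code from ADCaRS), the postscan() CSV filtering and the plugin-report step above generalised into one function: it writes the four per-risk files and any number of per-plugin files from a Nessus CSV export, so adding a plugin report becomes one hashtable entry. Assumptions: the Nessus CSV column names Risk, Name, Host, Port and Plugin Output; the function name, the sample rows and the placeholder plugin ID 00000 are constructed.

```powershell
# Added example, not ADCaRS code. Assumes the Nessus CSV export columns
# "Risk", "Name", "Host", "Port" and "Plugin Output" (postscan() relies on
# $_.Risk and $_.Name in the same way).
function Export-NessusReports {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$OutDir = "C:\Temp",
        # plugin Name -> report file name; Name must match the plugin exactly
        [hashtable]$PluginReports = @{}
    )
    # postscan() requires an absolute path; enforce it instead of prompting.
    if (-not [System.IO.Path]::IsPathRooted($CsvPath)) {
        throw "Please enter the ABSOLUTE path to the .csv file!"
    }
    $rows   = @(Import-Csv -LiteralPath $CsvPath)
    $counts = @{}
    # Per-risk files, same names as postscan(). -Width 4096 keeps each
    # value on one line instead of wrapping at the console width as the
    # script's "> file" redirection does.
    foreach ($risk in 'Critical', 'High', 'Medium', 'Low') {
        $subset = @($rows | Where-Object { $_.Risk -eq $risk })
        $path   = Join-Path $OutDir "Vulnerabilities_$risk.txt"
        $subset | Format-List -Property * | Out-File -LiteralPath $path -Width 4096
        $counts[$risk] = $subset.Count
    }
    # Per-plugin files: one line per affected host:port with the plugin output.
    foreach ($name in $PluginReports.Keys) {
        $subset = @($rows | Where-Object { $_.Name -eq $name })
        $lines  = @($subset | ForEach-Object { "$($_.Host):$($_.Port) - $($_.'Plugin Output')" })
        $lines | Out-File -LiteralPath (Join-Path $OutDir $PluginReports[$name]) -Width 4096
        $counts[$name] = $subset.Count
    }
    return $counts    # e.g. @{ Medium = 1; 'Service Detection' = 1 } for the sample below
}

# Constructed sample export (two rows) so the function can be tried offline.
$sample = Join-Path $env:TEMP 'nessus-sample.csv'
@'
"Plugin ID","Risk","Host","Port","Name","Synopsis","Plugin Output"
"22964","None","10.0.0.5","443","Service Detection","A service was identified","A web server is running on this port."
"00000","Medium","10.0.0.5","443","Constructed Example Finding","Constructed synopsis","Constructed plugin output"
'@ | Set-Content -LiteralPath $sample
Export-NessusReports -CsvPath $sample -OutDir $env:TEMP `
    -PluginReports @{ 'Service Detection' = 'Service Detection.txt' }
```

Because every file is always created, verify()'s Test-Path checks stay green even for a risk level with no findings; read the count the function returns to tell an empty report from a missing one.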


Nessus

Includes the following scans:

Infrastructure
- Installed Applications
- Patch Levels
- Missing Patches

Security
- DNS Information
- Domain Security Password Policy
- End of Life Operating Systems
- External Vulnerability
- External Port/Services
- Internal Vulnerability
- Local Security Password Policy
- Software Patch Level
- Security Configuration
- User Accounts
- Vulnerable Service or System Configurations

Nessus Tutorial

Please visit the local webpage on the Virtual Machine:

C:\TOOLS\Tutorial\Nessus\index.html


Output Files

All output files will be generated in the following path during operation: C:\TEMP

After selecting the export option, all output files will move to their appropriate folder (by client name) under C:\CLIENT.

Item                                        Output Filename
Installed Applications on Windows Servers   Installed Software Enumeration.txt
Exchange Configuration                      Exchange Configuration.htm
Network Storage                             SYDI Overview (Inclu. Network Storage).doc
Backup Configuration                        Backup Configuration.txt
Active Directory Configuration              Active Directory Configuration.txt
Domain Login Scripts                        Domain Login Scripts.txt
Group Policy Configuration                  Group Policy Configuration.htm
Internal DNS Configuration                  DNS Information.txt
DHCP Configuration                          DNS & DHCP Configuration.txt
Event Log Analysis                          Event Log Analysis.txt
Local Computer Policies                     Local Computer Policies.txt
VMware Configuration                        List of Virtual Machines.txt
External/Internal Vulnerability Scan        Vulnerabilities_Critical.txt, Vulnerabilities_High.txt, Vulnerabilities_Medium.txt, Vulnerabilities_Low.txt
External/Internal Port/Service Scan         Ports & Services Report.txt
User Account Scan                           User Account Scan.txt
Software Patch Level                        Patch Report.txt, Missing Patches Report.txt
Identify Operating Systems                  Operating Systems.txt
Domain Security Password Policy             Domain Security Password Policy.txt
Local Security Password Policy              Local Password Policies.txt


Contact Information

For additional support, please contact the SixtyFPS team:

Alan Ly [email protected]

Justin Sam [email protected]

Laszlo Anda [email protected]