old school trick bag
tricks i've learned over the years...
Tuesday, May 8, 2012
hunting computers in Active Directory
@echo off
REM this section is just to setup a switch in the script that allows you to grab all attributes from an object.
REM I'm only giving myself the chance to either use the switch in the first or second variable but feel free to
REM add more.
if "%1"=="/a" goto :a1
if "%2"==/a" goto :a2
REM This means that I will be searching through Active Directory with the object's name in question as my first
REM variable. Any word that I use after that can be an Object's Attribute that I wish to grep.
dsquery * -filter "(name=%1)" -attr %*
goto :end
:a1
REM This will pull all the attributes if your switch (/a) is the first variable. It's handy if you can't remember an
REM attributes exact syntax
dsquery * -filter "(name=%2)" -attr *
goto :end
:a2
REM This will pull all attributes if your switch (/a) is the second variable.
dsquery * -filter "(name=%1)" -attr *
:end
This script requires the W2k3 Administrator's Tools on WinXP, or RSAT on Vista/7. Some useful attributes to grep are:
lastLogonTimestamp
operatingSystem
distinguishedName
whenCreated
whenChanged
memberOf
Tuesday, April 3, 2012
Extension Renamer
WHAM
for /r c:\SOURCE %i in (*.csv) do mkdir "c:\DESTINATION%~pi"& move "%~fi" "c:\DESTINATION%~pi%~ni.txt"
Because I am wishing to create a mirror of my original directory tree (and not do a in-place upgrade), the easiest way to do it was have a SOURCE tree, and a DESTINATION tree, so replace these variables in the command above.
What this loop is doing is searching through the tree for any files of a CSV extension. When it finds one, it will create the path in the DESTINATION tree, and then move the file into the corresponding folder, stripping the CSV extension and appending the TXT extension.
As a side note, it is interesting that as a default in Windows mkdir will automatically create intermediate directories if they do not exist. This is different from Linux, in which you need to append a -p switch to make it so. You can turn on command extensions as they are called, by running cmd /e:on or off with cmd /e:off in Windows when launching your shell.
In this Recursive for loop I am taking advantage of special FOR variables to make my substitutions. For a full list, check 'for /?'. I recommend doing so, it is full of useful hacks you can do to make an ordinary loop extremely powerful.
%~pi stands for Path Only
%~fi stands for Fully Qualified Path Name
%~ni stands for Name Only
Luckily I did not care about any other files that were not CSV's in this structure. If I had, I would have probably re-run the loop, changing out CSV for the target extension, and doing a simple move, instead of stripping the iterator's value to the path minus then extension and tacking on the extension.
Like so
for /r c:\SOURCE %i in (*.doc) do mkdir c:\DESTINATION\%pi"& move "%~fi" "c:\DESTINATION%~pi%~nxi
%~nxi stands for Name with Extension
Tuesday, February 14, 2012
Squid Monitoring with Zabbix
Anyways, I followed the instructions located here: http://www.zabbix.com/wiki/howto/monitor/web/squid. My updated config is here:
UserParameter=squid.http_requests,squidclient mgr:info|grep 'Number of HTTP requests received:'|cut -d':' -f2| tr -d ' \t'
UserParameter=squid.clients,squidclient mgr:info|grep 'Number of clients accessing cache:'|cut -d':' -f2| tr -d ' \t'
UserParameter=squid.icp_received,squidclient mgr:info|grep 'Number of ICP messages received:'|cut -d':' -f2| tr -d ' \t'
UserParameter=squid.icp_sent,squidclient mgr:info|grep 'Number of ICP messages sent:'|cut -d':' -f2| tr -d ' \t'
UserParameter=squid.icp_queued,squidclient mgr:info|grep 'Number of queued ICP replies:'|cut -d':' -f2| tr -d ' \t'
UserParameter=squid.htcp_received,squidclient mgr:info|grep 'Number of HTCP messages received:'|cut -d':' -f2| tr -d ' \t'
UserParameter=squid.htcp_sent,squidclient mgr:info|grep 'Number of HTCP messages sent:'|cut -d':' -f2| tr -d ' \t'
UserParameter=squid.req_fail_ratio,squidclient mgr:info|grep 'Request failure ratio:'|cut -d':' -f2| tr -d ' \t'
UserParameter=squid.avg_http_req_per_min,squidclient mgr:info|grep 'Average HTTP requests per minute since start:'|cut -d':' -f2| tr -d ' \t'
UserParameter=squid.avg_icp_msg_per_min,squidclient mgr:info|grep 'Average ICP messages per minute since start:'|cut -d':' -f2| tr -d ' \t'
UserParameter=squid.request_hit_ratio,squidclient mgr:info|grep 'Request Hit Ratios:'|cut -d':' -f3|cut -d',' -f1|tr -d ' %'
UserParameter=squid.byte_hit_ratio,squidclient mgr:info|grep 'Hits as % of bytes sent:'|cut -d':' -f4|cut -d',' -f1|tr -d ' %'
UserParameter=squid.request_mem_hit_ratio,squidclient mgr:info|grep 'Hits as % of all requests:'|cut -d':' -f4|cut -d',' -f1|tr -d ' %'
UserParameter=squid.request_disk_hit_ratio,squidclient mgr:info|grep 'Disk hits as % of hit requests:'|cut -d':' -f4|cut -d',' -f1|tr -d ' %'
UserParameter=squid.servicetime_httpreq,squidclient mgr:info|grep 'HTTP Requests (All):'|cut -d':' -f2|tr -s ' '|awk '{print $1}'
UserParameter=squid.process_mem,squidclient mgr:info|grep 'Process Data Segment Size via sbrk'|cut -d':' -f2|awk '{print $1}'
UserParameter=squid.cpu_usage,squidclient mgr:info|grep 'CPU Usage:'|cut -d':' -f2|tr -d '%'|tr -d ' \t'
UserParameter=squid.cache_size_disk,squidclient mgr:info|grep 'Storage Swap size:'|cut -d':' -f2|awk '{print $1}'
UserParameter=squid.cache_size_mem,squidclient mgr:info|grep 'Storage Mem size:'|cut -d':' -f2|awk '{print $1}'
UserParameter=squid.mean_obj_size,squidclient mgr:info|grep 'Mean Object Size:'|cut -d':' -f2|awk '{print $1}'
UserParameter=squid.filedescr_max,squidclient mgr:info|grep 'Maximum number of file descriptors:'|cut -d':' -f2|awk '{print $1}'
UserParameter=squid.filedescr_avail,squidclient mgr:info|grep 'Available number of file descriptors:'|cut -d':' -f2|awk '{print $1}'
Wednesday, December 15, 2010
live process priority changing
Today I wanted to lower the priority of a McAfee Full Scan going on my system, as it was seriously hosing my work PC. Yes I could have used the old AT trick to get system priv. but my work pc is fairly locked down w/o Task Scheduler running. Yes, I could have killed the process and restarted it with a low priority with the start command. The only problem was that it was about 1/4 of the way through, and I did not feel like starting over. I tried going into task manager and adjusting the priority, but of course I got an “Access Denied” message. What to do?
psexec /s /i /d taskmgr
This will launch task manager with SYSTEM privileges, so you can go ahead and change that process priority. /s gives it system powers, /I makes it interactive so you can see it in the same session, and /d detaches the psexec from your cmd to free it up from your console. You’re going to need admin privileges for this psexec switch, so don’t go thinking it’s a “hack”. However with LSA powers you can do a lot of interesting stuff that even an Admin cannot.
Thursday, November 18, 2010
network enumeration
OK, just wanted to go over some Windows Active Directory tools found in the Windows 2003 Admin Pack. These are basic tools that often get overlooked in favor of massive VB scripts. I use them daily to pull reports on users, groups, or computers. The Active Directory tool in Windows is very limited, and with these commands you can pipe, output, parse, and loop to your heart's content. So lets just start off with some one-liners.
Need a list of all the PC’s in the Domain?
dsquery computer –limit 0 | dsget computer –name
What we are doing here is using dsquery to query the Domain Controller for computers with no limit on the results, chaining it to dsget, which is used for grabbing specific bits of information, this time a computer’s name. If we were to omit the dsget command, it would return the Fully Qualified Domain Name of all the computers in the domain, which is nice for some things, like chaining dsmod commands, but not for human readable results.
Working in the registry and need a SID?
dsquery user –name “*NAME*” | dsget user –sid –display
Here we are querying for user information, and using the wild cards (*) to allow for information to the left or right of the name variable, which could be a first name, last name or both. Using dsget switches we are grabbing the user’s SID as well as the display name. Grabbing the display name as well helps us to differentiate any false positiees you may have if you are using just a First Name in the query command.
Does your boss need all the users of a group in a text file with their telephone number?
dsquery group -name "GROUP_NAME" | dsget group –members | dsget user –display –tel>c:\file-for-boss.txt
Here we are querying for the group information, notice no wild cards. This would be the case if we new exactly what group we are looking for. Chaining the query to dsget, we grab the members, but remember since we are looking for user information and not group, we pipe once more into a dsget user, grabbing display name and telephone number which will actually output very nicely.
Most of these one liners I wrap into small shell scripts so I can fire them off with little typing involved. Here’s one that takes care of a pet peeve of mine; AD’s refusal to perform wildcard searches, i.e. having to know the exact spelling of a group in order to search for it. This will allow you to search for a group name with just a partial keyword:
for /f “tokens=1,2 delims==,” %%i in (‘dsquery group -name “*%1*” ^| sort’) do @echo %%j
Here I am wrapping the command that’s in the parenthesis around a for loop to parse it out nicely. The %1 allows you to run the script with an argument, in this case the name of the group you are looking for. So if I were calling this script from the Command Line, I would do this:
script_name [group name]
So far I’ve only talked about using these tools for reporting, but there are also dsmod, dsadd, and dsrm. Using dsmod and dsadd, I’ve written scripts to build PC’s that mirror other workstations already in the domain, and used dsrm to perform bulk removes of stale accounts.
Monday, October 18, 2010
starting off with a push
psexec \\TARGET_MACHINE cmd /c "pushd \\LINUX_SHARE$\ && psexec.exe /accepteula /i /x /d explorer.exe"
OK, so we use psexec against the target machine, but since we can't immediately start explorer with /x we are going to get cmd going and then immediately use pushd to UNC to the linux box.
I'm using && as a logic gate so that if the first command fails, the second won't try and run. Once we have the target machine mapped to the Linux box, we kick off psexec with the switches /accepteula /i /x /d, starting the explorer process. The /i switch allows us to see the results on-screen, the /x switch is the linchpin that allows us to launch the command in question on a locked PC, and the /d switch will release the shell after the command is run so we can continue to run commands. The command will also stall out if /accepteula isn't thrown in, because the EULA would be hidden to the GUI.
A nice side-effect of using the pushd command to map to the Linux share is that it leaves you with a link to the target machine, so you can browse the share from your command-prompt as well. Whenever you want to get back to your own PC, you can popd back.
Once you've logged into the locked computer, a couple of interesting things happens. For one, Group Policy (if you are on a domain) does not seem to apply to the second session. Also, the second or first session can be logged on or off without touching the other session. Note, sometimes Windows Themes can become screwy on the first session, but a restart will fix it.
This trick can come in handy for many reasons, I like to use it as a last resort when I need to access the GUI on a locked computer; install software, or configure settings when the user is unavailable to unlock the computer.