** Analyzecsvde – pre release **
** Version 1.0 (Build 1.0.0.15) **
** 1 December 2006 **

** 1 ** Introduction

A few months ago I asked on the Pentest mailing list if a basic Windows audit tool would be interesting enough. Reactions were positive, so I built a tool that I would like to use myself. I have rewritten a set of scripts that I use for Windows audits into a “neatly” packaged application. It still has that clunky “script” feeling, but it is a lot easier to use.

This is an informal pre-release version. I have used it in real audits and colleagues of mine are also using it. It seems to work. I will be delighted with any feedback, tips, questions or bug reports.

** 2 ** What it does

If you dump your Windows Active Directory into a CSVDE file with the "CSVDE" command you get a text file that contains a lot of interesting information. But its format is hard to read (for humans) and the file can be very big (100Mb is no exception). Analyzecsvde reads this file and translates it into a set of more readable files that can be handy during (SOX-type) Windows audits.

If you know Dumpsec or the Hyena exporter the output will not surprise you. The output is a bit more modern than Dumpsec (it knows about OUs and Group Policies) and I’ve tuned it to my personal preferences:

* It tries to pinpoint accounts and groups that might be badly configured or plain "wrong".
* It produces statistics about users and groups, which I always missed in the common dump programs.
* It tries to separate personal accounts (belonging to "flesh-and-bones" people) from non-personal (service) accounts.
* It uses two different methods to try to find “stale” accounts.
* It has a built-in file viewer, so you don’t need a spreadsheet to view the input and output files.
* You can search the output using regular expressions.

The main advantage is that you don’t need to install or connect any program to a customer’s infrastructure. Some customers are very paranoid about external software.
CSVDE is a native command-line tool present on any Domain Controller.

The most important output file is the "11_statistics" file. This contains a lot of "quick win" information that should be of interest to any auditor:

* Number of users and groups
* Active and inactive accounts
* Administrators
* Sleeping users and computers
* Organizational units and their content of users and computers
* Number of file servers and their users
* Recently created objects (to check on change and account management)
* "Weird" accounts and groups

More "quick win" information is placed in these files:

* Domain policy
* Organizational Units and Group Policies

The rest of the files contain detailed data for "in depth" auditing. Also try the "find passwords" function. Most often it doesn't find anything, but if it does you also have nice "quick win" results.

** 3 ** Known bugs

* If you enter “?” as a regular expression in the viewer, the program crashes (it does not happen with “\?”). I don’t know yet what causes this.
* There is a Microsoft bug in Active Directory that doesn't set the "ACCOUNT LOCKED OUT" flag correctly. So I search for "Nr_of_lockouts = Maximum_lockout" count. But this way I only get the locked out users on the nearest Domain Controller. So don't trust this value in the output, it is too low.
* I have trouble getting the "User cannot change password" flag (ADS_UF_PASSWD_CANT_CHANGE, &H0040) to work. Even users that I've changed manually end up with values of 512, which doesn't include the 64 bit. So don't trust this value in the output.

** 4 ** Updates since previous version

* Corrected a lot of small bugs
* Added lots more statistics
* I use the “AdminCount” attribute to find administrator accounts
* Administrators sometimes write passwords in the “description” field. The program now looks for these.
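As an added example, not code from Analyzecsvde itself, the following Python script shows what the first "quick win" checks above look like when run over a CSVDE export: it parses the header-plus-rows layout (multi-valued attributes joined with ";"), counts users, computers and groups, lists disabled accounts, picks up objects marked with the AdminCount attribute (section 4), finds stale accounts from lastLogonTimestamp (one way of doing the "stale accounts" check) and searches the description field for password hints (the "find passwords" function). The sample export, the dump date, the 90-day threshold and the keyword list are all constructed for this example.

```python
"""Re-implementation sketch of a few Analyzecsvde "quick win" checks over a
CSVDE export. Hypothetical example code, not part of Analyzecsvde."""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample in CSVDE layout: the first row lists the attribute names,
# one row per object follows, and multi-valued attributes (objectClass) are
# joined with ';'. lastLogonTimestamp is a Windows FILETIME (100 ns ticks
# since 1601-01-01 UTC); 0 or empty means the account never logged on.
SAMPLE_CSVDE = """\
DN,objectClass,sAMAccountName,userAccountControl,adminCount,lastLogonTimestamp,description
"CN=Alice,OU=Staff,DC=example,DC=test",top;person;organizationalPerson;user,alice,512,,128084544000000000,Finance department
"CN=Bob,OU=Staff,DC=example,DC=test",top;person;organizationalPerson;user,bob,514,,127620576000000000,left the company
"CN=svc-backup,OU=Service,DC=example,DC=test",top;person;organizationalPerson;user,svc-backup,66048,1,128084544000000000,backup service - pw is Summer2006
"CN=Domain Admins,CN=Users,DC=example,DC=test",top;group,Domain Admins,,1,,
"CN=Old-PC,OU=Workstations,DC=example,DC=test",top;person;organizationalPerson;user;computer,OLD-PC$,4096,,127173888000000000,
"CN=Newbie,OU=Staff,DC=example,DC=test",top;person;organizationalPerson;user,newbie,512,,0,
"""

# Constructed date of the dump; stale checks are relative to it.
SAMPLE_DUMP_DATE = datetime(2006, 12, 1)

ADS_UF_ACCOUNTDISABLE = 0x0002
FILETIME_EPOCH = datetime(1601, 1, 1)

# Constructed keyword list for the description search (Dutch included, as
# the page's own lists are Dutch-oriented).
PASSWORD_HINT = re.compile(r"\b(pw|pwd|pass|password|wachtwoord)\b", re.IGNORECASE)


def filetime_to_datetime(value):
    """Convert a FILETIME string/int to a naive UTC datetime; None if unset."""
    ticks = int(value or 0)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_csvde(text):
    """Yield one dict per object; the objectClass cell becomes a list."""
    for row in csv.DictReader(io.StringIO(text)):
        row["objectClass"] = row["objectClass"].split(";")
        yield row


def object_kind(row):
    """Classify an object; computers also carry the 'user' class, so test
    for 'computer' first."""
    classes = row["objectClass"]
    if "computer" in classes:
        return "computer"
    if "user" in classes:
        return "user"
    if "group" in classes:
        return "group"
    return "other"


def quick_win_statistics(text, dump_date=SAMPLE_DUMP_DATE, stale_days=90):
    """Build the counts and suspect lists an auditor wants to see first."""
    stats = {"users": 0, "computers": 0, "groups": 0, "disabled": [],
             "admincount": [], "stale": [], "description_hits": []}
    cutoff = dump_date - timedelta(days=stale_days)
    for row in parse_csvde(text):
        kind = object_kind(row)
        name = row["sAMAccountName"]
        if kind == "user":
            stats["users"] += 1
        elif kind == "computer":
            stats["computers"] += 1
        elif kind == "group":
            stats["groups"] += 1
        # adminCount=1 marks objects protected by AdminSDHolder (section 4).
        if row["adminCount"] == "1":
            stats["admincount"].append(name)
        if kind in ("user", "computer"):
            uac = int(row["userAccountControl"] or 0)
            if uac & ADS_UF_ACCOUNTDISABLE:
                stats["disabled"].append(name)
            last = filetime_to_datetime(row["lastLogonTimestamp"])
            # Never logged on, or last logon before the cutoff: stale.
            if last is None or last < cutoff:
                stats["stale"].append(name)
        if PASSWORD_HINT.search(row["description"] or ""):
            stats["description_hits"].append(name)
    return stats


if __name__ == "__main__":
    for key, value in quick_win_statistics(SAMPLE_CSVDE).items():
        print(f"{key}: {value}")
```

lastLogonTimestamp is replicated between Domain Controllers but is only refreshed when the stored value is roughly two weeks old, so it is suitable for finding accounts that have been sleeping for months, not for exact last-logon times; a description search like the one above is only a keyword hit list and still needs a human to look at each match.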
** 5 ** Where to download it

If you want to try the software, you can download it here for free:
http://www.xs4all.nl/~kazil/testfiles/analyzecsvde/

Here you find the following files:

* analyzecsvde_pre10_publish_with_installer.zip – Clicking the setup.exe file will install the application neatly; ignore the warning about unsigned software.
* analyzescvde_example_input_file.zip – You can play with the program using this input file, but a real, big csvde dump will be more interesting.
* analyzescvde_name_keyword_lists.zip – Three lists that are necessary to separate real persons from computer accounts.
* analyzecsvde_pre10_installation_screenshots.zip – A few screenshots of the installation process, including the download of the .NET framework.
* analyzecsvde_pre10_project_with_source.zip – The whole project; if you drop this in Visual Studio you can work with the program code immediately.

** 6 ** License

I haven’t had time to think about licensing. I think the GNU General Public License is applicable:
http://www.gnu.org/copyleft/gpl.html

You can use the program as you like, but I guarantee nothing and give no warranty. It still may be full of horrible bugs. I’m not responsible for any problems you get using the software.

** 7 ** Installation

You will need:

* .NET Framework version 2
* Microsoft Installer

If you don't have these the application will try to download and install them when you run the setup. Screenshots of an installation are here:
http://www.xs4all.nl/~kazil/testfiles/analyzecsvde/analyzecsvde_pre10_installation_screenshots.zip

** 8 ** TODO + weak points

The “personal accounts” function uses lists of names and keywords. At the moment I have lists that are optimized for the Dutch language. They should work, but will not give optimal results. You will have to build lists for your own language.

There is no documentation yet. But the use of the application should be self-explanatory – my colleagues use it without any documentation at all.
A few useful functions are still missing:

* I still have to program an OU-tree output (now it’s a table).
* I still have to program a Group-tree output (using member-of and member).
* I need to write a final consistency check after the analysis is finished (to check that I’ve skipped nothing).
* Test for usefulness of the following user fields:
  * Password has expired – ADS_UF_PASSWORD_EXPIRED &H800000
  * Encrypted text password allowed – ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED &H0080
  * Account does not require a password – ADS_UF_PASSWD_NOTREQD &H0020
  * Account requires a home directory – ADS_UF_HOMEDIR_REQUIRED &H0008

The code is not as elegant as it could be. I started with a “script” mindset and haven’t used all the new elegant structures that are available. I hope to improve the code in later versions. I'm afraid the code will never work under Unix.

** 9 ** Contact

You can contact me at the following mail address: spooklight@gmail.com

Note: the account name means nothing, it's a leftover from playing with Gmail.

Greetings,
Petr Kazil
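The userAccountControl flags listed under TODO, together with ADS_UF_PASSWD_CANT_CHANGE from the known-bugs section, are plain bit tests on the userAccountControl column of the CSVDE dump. As an added example that is not part of Analyzecsvde, the Python below decodes that value into flag names and turns the stored bits into audit findings. It also records which flags a dump cannot answer: ADS_UF_LOCKOUT and ADS_UF_PASSWORD_EXPIRED are computed by the Domain Controller rather than stored in the attribute, and "User cannot change password" is enforced through the object's ACL rather than the &H0040 bit, which is why the page sees a plain 512 on such accounts. The sample account names and values are constructed.

```python
"""Decode userAccountControl bits for the flags named in the TODO list and
the known-bugs section. Hypothetical example code, not part of Analyzecsvde."""

# ADS_USER_FLAG_ENUM values. The four TODO flags and ADS_UF_PASSWD_CANT_CHANGE
# use the hex values quoted on the page; the others are the standard values.
UAC_FLAGS = {
    0x0002: "ADS_UF_ACCOUNTDISABLE",
    0x0008: "ADS_UF_HOMEDIR_REQUIRED",
    0x0010: "ADS_UF_LOCKOUT",
    0x0020: "ADS_UF_PASSWD_NOTREQD",
    0x0040: "ADS_UF_PASSWD_CANT_CHANGE",
    0x0080: "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x0200: "ADS_UF_NORMAL_ACCOUNT",
    0x1000: "ADS_UF_WORKSTATION_TRUST_ACCOUNT",
    0x10000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x800000: "ADS_UF_PASSWORD_EXPIRED",
}

# Bits a CSVDE dump cannot answer: LOCKOUT and PASSWORD_EXPIRED are computed
# by the DC rather than stored, and "user cannot change password" is enforced
# through the object's ACL, so the 0x40 bit stays clear (the 512 the page sees).
NOT_STORED_IN_ATTRIBUTE = {0x0010, 0x0040, 0x800000}

# What an auditor should conclude when a stored bit is set (constructed wording).
FINDINGS = {
    0x0008: "home directory required (informational)",
    0x0020: "no password required: account may have an empty password",
    0x0080: "password stored with reversible encryption",
    0x10000: "password never expires",
}


def decode_uac(value):
    """Return the names of all flags set in a userAccountControl value."""
    value = int(value or 0)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_uac(value):
    """Split a userAccountControl value into set flags, audit findings and
    the flags that a dump cannot be trusted on (the known-bugs caveat)."""
    value = int(value or 0)
    flags = decode_uac(value)
    findings = [text for bit, text in sorted(FINDINGS.items()) if value & bit]
    untrusted = [UAC_FLAGS[bit] for bit in sorted(NOT_STORED_IN_ATTRIBUTE)]
    return {"value": value, "flags": flags, "findings": findings,
            "not_testable_from_dump": untrusted}


def audit_accounts(rows):
    """rows: iterable of (sAMAccountName, userAccountControl) pairs, as they
    would come from the CSVDE columns. Returns only accounts with findings."""
    report = {}
    for name, uac in rows:
        result = audit_uac(uac)
        if result["findings"]:
            report[name] = result["findings"]
    return report


# Constructed sample values: 512 = normal user, 544 = normal + PASSWD_NOTREQD,
# 66176 = normal + DONT_EXPIRE_PASSWD + ENCRYPTED_TEXT_PASSWORD_ALLOWED,
# 4096 = workstation trust account (a computer).
SAMPLE_ROWS = [("alice", "512"), ("guest-like", "544"),
               ("svc-legacy", "66176"), ("PC01$", "4096")]

if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ROWS).items():
        print(name, "->", "; ".join(findings))
```

Because the three unreliable bits are listed explicitly in every result, a report built this way does not silently present "not locked out" or "can change password" as facts; the lockout question needs each Domain Controller's own data, as the known-bugs section already notes.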