There are times when you want to take a Network Monitor trace only when a certain event is logged on the server/machine. There is a nice blog post that explains how to use EvtMon and NMCap together for this:
http://blogs.technet.com/b/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx
To simplify it a bit further, I thought I would add more detail here.
Network Monitor needs to be installed (roughly version 3.4 or later).
1. Create a batch file as explained in the post above and put it in the Network Monitor installation folder under Program Files.
Batch file (taken from the blog post linked above)
**********************copy the following into Notepad and save it, for example, as nmcap.bat*********************
@echo off
if "%1"=="" goto Usage
if "%2"=="" goto Usage
REM Following line is wrapped (it is a single command line)
REM Start the capture in the background; it stops by itself when a frame to 4.3.2.1 is seen
start cmd.exe /c nmcap /network * /capture /file %1 /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
REM Block here until the requested event ID is written to the event log
cscript //NoLogo EvtMon.vbs %2 %3
REM Send the marker frame that matches the /stopwhen filter above
ping -n 1 4.3.2.1
goto :EOF
:Usage
echo Usage:
echo %0 CaptureFile EventNumber [LogFile]
echo Logfile is optional. If used, the eventlog name
echo file ie, application, system, security, etc...
--> New note: while working on another case I came across a scenario where we wanted to capture only the traffic between two specific machines, so the nmcap line in the batch file above changes as follows (everything else stays the same):
*****************replace the nmcap line above with the following for specific traffic*********
REM ipv4.address matches either source or destination, so the two addresses should be the two machines' addresses (the original shows 30.30.30.4 twice; the second should be the other machine's address)
start cmd.exe /c nmcap /network * /maxframelength 256 /capture (ipv4.address==30.30.30.4 and ipv4.address==30.30.30.4 ) /file %1 /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
********************************************************************************
2. Copy the script from the post above (shown below) into Notepad, save it as EvtMon.vbs and put it in the Network Monitor installation directory.
'======================================================================
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.
Public Sub PrintHelp
    Wscript.Echo "Usage:"
    Wscript.Echo "  EvtMon EventNumber [LogFileDisplayName]"
    Wscript.Echo "  LogFile is optional. If used, the eventlog name"
    Wscript.Echo "  file ie, application, system, security, etc..."
End Sub

' Get the arguments. Check for event number and log file as arguments
Set objArgs = WScript.Arguments

' See how many arguments we have and collect them.
If objArgs.Count < 1 OR objArgs.Count > 2 Then
    PrintHelp
ElseIf objArgs.Count > 1 Then
    EventNumber = objArgs(0)
    LogFile = objArgs(1)
Else
    EventNumber = objArgs(0)
    LogFile = ""
End If

If EventNumber <> "" Then
    strComputer = "."
    ' Attach to the WMI Service. The (Security) privilege is needed to
    ' read the Security log, so run this elevated.
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
        strComputer & "\root\cimv2")

    ' If the LogFile is populated add this to our query. Create an
    ' Event Log monitoring object and send it a query.
    If LogFile = "" Then
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent Where " _
            & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '" _
            & EventNumber & "'")
    Else
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent Where " _
            & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '" _
            & EventNumber _
            & "' and TargetInstance.LogFile = '" _
            & LogFile & "'")
    End If

    ' Block until the next matching event occurs.
    Set objLatestEvent = colMonitoredEvents.NextEvent

    ' Print some info based on the event log entry we encountered.
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    WScript.Echo objLatestEvent.TargetInstance.Logfile
    Wscript.Echo
End If
3. Also copy cmd.exe from the System32 folder into the Network Monitor installation folder. Your Network Monitor installation folder should then look like this:
4. Then run the batch file from a command prompt as shown below, for example: nmcap.bat trace.cap 4624
Here trace.cap is the name of the network trace file and 4624 is the event ID for which we want to take a trace in this example.
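The same trigger-then-stop flow in a single PowerShell script, as an added example that is not from the original post or from the Network Monitor team. It assumes nmcap.exe is on the PATH and an elevated session (reading the Security log and capturing both need it); the parameter names are my own, and the timeout is added so the capture does not run forever if the event never arrives.

```powershell
# Added example: event-triggered Network Monitor capture in PowerShell.
# Hypothetical parameter names; same mechanism as nmcap.bat + EvtMon.vbs.
param(
    [Parameter(Mandatory)] [string] $CaptureFile,   # e.g. trace.cap
    [Parameter(Mandatory)] [int]    $EventId,       # e.g. 4624
    [string] $LogName    = '',                      # e.g. Security; '' = any log
    [int]    $TimeoutSec = 3600                     # stop anyway after this long
)

# Same WQL as the VBS; WITHIN is the polling interval for intrinsic events.
$wql = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE " +
       "TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = '$EventId'"
if ($LogName -ne '') { $wql += " AND TargetInstance.LogFile = '$LogName'" }

# 1. Start the capture; /stopwhen makes nmcap exit once a frame to 4.3.2.1 is seen.
$nmcapArgs = @('/network', '*', '/capture', '/file', $CaptureFile,
               '/stopwhen', '/frame', 'ipv4.DestinationAddress==4.3.2.1',
               '/DisableConversations')
$cap = Start-Process -FilePath 'nmcap.exe' -ArgumentList $nmcapArgs -PassThru -NoNewWindow

# 2. Subscribe to the event log and block until the event ID shows up.
#    (An event written before the subscription exists is not seen; the
#    next occurrence is what fires the trigger, exactly as with EvtMon.vbs.)
Register-CimIndicationEvent -Query $wql -SourceIdentifier 'EvtMon' -ErrorAction Stop
try {
    $evt = Wait-Event -SourceIdentifier 'EvtMon' -Timeout $TimeoutSec
    if ($null -eq $evt) {
        Write-Warning "No event $EventId within $TimeoutSec s; stopping the capture anyway."
    } else {
        $e = $evt.SourceEventArgs.NewEvent.TargetInstance
        "Triggered by event {0} in {1} at {2} (user {3})" -f `
            $e.EventCode, $e.Logfile, $e.TimeWritten, $e.User
        Remove-Event -SourceIdentifier 'EvtMon'
    }
} finally {
    Unregister-Event -SourceIdentifier 'EvtMon'
    # 3. Send the marker frame so the /stopwhen filter fires and the .cap is closed cleanly.
    Test-Connection -ComputerName 4.3.2.1 -Count 1 -ErrorAction SilentlyContinue | Out-Null
    $cap.WaitForExit(30000) | Out-Null
}
```

Because the marker is sent in the finally block, the capture file is also closed properly when you press Ctrl+C while waiting.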
While working on a case I came across a link and thought of sharing it with everyone:
http://support.microsoft.com/kb/321044
It gives details about how to find duplicate SPNs or query SPNs.