Colin’s IT, Security and Working Life blog

January 11, 2010

Search entire domains for service accounts

Filed under: Programs and Scripts — chaplic @ 6:29 pm


Have you ever needed to change the password on a service account without knowing which services on which servers use it? You could pick through audit logs, but they still might not tell you if a service hasn’t been restarted recently. Regscan will visit all machines in your domain and give you a list of machines that use that account.



Simply enter

regscan account domain [textfile.txt]


  • account is the account you are searching for. Don’t put the domain name first; regscan will pick out either notation from the service list.
  • domain is the NetBIOS domain name to search.
  • textfile.txt (optional, but recommended) specifies a list of servers to search, one per line. In large domains, this is a more reliable method than leaving the program to scan the domain to find machines.


Grab the program here. Let us know how you get on with it.

December 4, 2009

FTP Test

Filed under: Programs and Scripts — chaplic @ 4:11 pm


FTPTest is a small application for testing the reliability of FTP servers. You supply it with a file and how many times you want to upload the file, and it does the rest. I wrote it to test the most horrible problem to fix – an intermittent fault.

If your source file was test.txt and you selected to upload two times, you would get testn.txt on the remote FTP server, where n is an increasing number.

FTPTest is configured via a small INI file; simply edit this in Notepad or similar:

#host – address of FTP server

#directory – what directory to change to after login

#username – what user to login as

#password – what password to use

#origfile – what file to upload. This is copied to
# filenameN where N is an incrementing number depending on howmany

#howmany – number of repetitions of upload

To download the program, click on this link. Be sure to get in touch to say hello if you find it of use!

November 29, 2009

Cisco Syslog Firewall Rules Parser

Filed under: Programs and Scripts — chaplic @ 7:05 pm

Scenario: You’ve got a Cisco ASA protecting some servers. The ruleset isn’t as tight as you’d like. You know some of the ports, source and destination machines that are in use, but cannot tell exactly what communications are going on.

The Cisco is syslogging, but it produces verbose text like this:

2009-11-25 18:14:08    Local4.Warning    %ASA-4-106100: access-list InterfaceA_access_in permitted tcp InterfaceA/Server6S009(2326) -> InterfaceB-Intl/ hit-cnt 1 first hit [0xda6858dc, 0xe76db01]
2009-11-25 18:14:09    Local4.Warning    %ASA-4-106100: access-list Outside_access_in permitted udp Outside/ -> InterfaceB-Intl/Server6S002(5560) hit-cnt 1 first hit [0x4429e5e8, 0xed2c2df8]
2009-11-25 18:14:09    Local4.Warning    %ASA-4-106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/ hit-cnt 1 first hit [0xab98913c, 0x5268eddb]
2009-11-25 18:14:10    Local4.Warning    %ASA-4-106100: access-list Outside_access_in permitted udp Outside/Server5S002(56942) -> InterfaceA/Server6S011(53) hit-cnt 1 first hit [0xa57e4b1c, 0xf0e9804c]
2009-11-25 18:14:11    Local4.Warning    %ASA-4-

It is difficult to pick out what’s going on and get the information you need. You could manually pick through it, or you could tightly configure the ASA to only log the rules and information you’re interested in. That is tricky and time consuming, and might not be possible if the firewall logging settings cannot be changed.

The solution therefore is a little script to scan the logfiles and pick out the interesting detail, aggregate and present it in a useful format.

I knocked up a little script to do this in Perl; it would be do-able in PowerShell or VBScript, but I just like the really nice text manipulation features of Perl. I saw it as further proof that any techie worth their salt must be able to knock together scripts to do little jobs like this.

All the script is doing is looking for lines like this:

106100: access-list InterfaceB-DMZ_access_in permitted udp InterfaceB-Intl/Server6S002(39330) -> Outside/

From there, it’s pretty straightforward to grab the source server, destination server, protocol and ports used then do some maths on it.

The output of the processing is shown here:


A nicely presented list showing source and destination, port, protocol and how many times it’s appeared in the syslog.

To run the tool, from the command line enter:

syslogparser filename.txt

And a file filename.txt.csv will be output.

Get the application here
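The parsing and aggregation described in this post, as an added Python example; it is not the author's Perl script. The sample lines and host names are constructed, and dropping the source port while keying on destination port and action is an assumption about how to group the flows.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample lines in the shape of the excerpt above (placeholder hosts).
SAMPLE_LOG = """\
2009-11-25 18:14:08 Local4.Warning %ASA-4-106100: access-list Outside_access_in permitted udp Outside/HostA(56942) -> InterfaceA/HostB(53) hit-cnt 1 first hit [0x0, 0x0]
2009-11-25 18:14:09 Local4.Warning %ASA-4-106100: access-list Outside_access_in permitted udp Outside/HostA(56950) -> InterfaceA/HostB(53) hit-cnt 1 first hit [0x0, 0x0]
2009-11-25 18:14:09 Local4.Warning %ASA-4-106100: access-list InterfaceA_access_in permitted tcp InterfaceA/HostB(2326) -> InterfaceB-Intl/ hit-cnt 1 first hit [0x0, 0x0]
2009-11-25 18:14:10 Local4.Warning %ASA-4-106100: access-list Outside_access_in denied tcp Outside/HostC(40000) -> InterfaceA/HostB(23) hit-cnt 1 first hit [0x0, 0x0]
2009-11-25 18:14:11 Local4.Warning %ASA-4-
"""

# interface/host(port); host and port may be missing, as in the excerpt.
ENDPOINT = r"(?P<{0}_if>[^/\s]+)/(?P<{0}_host>[^\s(]*)(?:\((?P<{0}_port>\d+)\))?"
LINE_RE = re.compile(
    r"106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) " + ENDPOINT.format("src") + " -> " + ENDPOINT.format("dst")
)

def parse_line(line):
    """Return (action, proto, source, destination, dst_port), or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src = f"{m['src_if']}/{m['src_host']}"
    dst = f"{m['dst_if']}/{m['dst_host']}"
    # Assumption: the source port is ephemeral, so it is dropped and flows
    # to the same service collapse into one row.
    return (m["action"], m["proto"], src, dst, m["dst_port"] or "")

def aggregate(lines):
    """Count how often each flow appears across the log lines."""
    flows = (parse_line(line) for line in lines)
    return Counter(flow for flow in flows if flow is not None)

def to_csv(counts):
    """Render the counts as CSV text, most frequent flow first."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["action", "protocol", "source", "destination", "dst_port", "count"])
    for flow, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        writer.writerow([*flow, n])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(aggregate(SAMPLE_LOG.splitlines())), end="")
```

Rows with a high count for a permitted flow are the candidates for explicit, narrower rules; rows with an empty destination reflect log lines where the endpoint was missing, as in the excerpt.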
