4 Replies Latest reply on Nov 1, 2010 10:09 AM by rcg921

    How to determine if report ran with credentials or not?

      How to determine if report ran with credentials or not?  Is there something in the report that says "could not login with provided credentials" or "login successful"?

        • 1. Re: How to determine if report ran with credentials or not?

          Hi Brian,

           

          Yes, you can see this in the "Windows Host Access" report.  Or for Shell it's "Unix Host Access".

           

          -Cathy

          • 2. Re: How to determine if report ran with credentials or not?

            If it is blank, I assume credentials did not authenticate?  How does it display if credentials were used and authenticated?  How does it display if credentials were used but not authenticated or did not use credentials at all...?

            • 3. Re: How to determine if report ran with credentials or not?

              There is a KEY that explains the access that was gained.

               

              See attached.

              • 4. Re: How to determine if report ran with credentials or not?
                rcg921

                Our results that we need to provide to the client have to list which IPs were not credentialed and which IPs were successfully credentialed.

                 

                For this, I use a grep command and it works fine. You will need to edit the command to fit your environment; these are the results I would get (edited):

                 

                Example1 (192.168.10.12): Found valid credentials (Domain\username)
                Example2 (192.168.10.14): Found valid credentials (Domain\username)
                Example3 (192.168.10.16): Found valid credentials (Domain\username)

                 

                Then compare that to the target list and you will have the IPs not credentialed also.

                 

                The log file is located in Foundstone\logs.

                At the command prompt, you will need to get to that location to do the grep.
                Edit the command to put the job number after the JN, and you can edit inside the quotes for the date.

                You can name the output file anything you want, I use intel_creds.txt.

                If you add another '>', it will append to that file instead of overwriting it.

                For example:

                For this example, say my job ran 10:00 PM to 1:00 AM on 4-10 to 4-11, so I will have two dates for the logs. The job number was 5.
                Open command prompt.
                type d:\
                cd Foundstone
                cd Logs
                edit the grep, replace '3' with '5'.
                Replace the date with 2010-04-10
                so this original....

                grep JN3 LogFile.2010-04-16.txt|grep "Found valid cred"|cut -d "|" -f 6|cut -d ";" -f1 > intel_creds.txt
                now looks like.....
                grep JN5 LogFile.2010-04-10.txt|grep "Found valid cred"|cut -d "|" -f 6|cut -d ";" -f1 > intel_creds.txt

                Then do the same with the next date, and append so it's added to the file...
                grep JN5 LogFile.2010-04-11.txt|grep "Found valid cred"|cut -d "|" -f 6|cut -d ";" -f1 >> intel_creds.txt

                To retrieve the file, it is located in the same logs folder as the scan log.
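
The "compare that to the target list" step from the last reply, as an added example that is not part of the original thread and is not vendor code. It assumes a POSIX shell (for example Cygwin, or the logs copied to a Unix host), a target list with one IP per line, and a log layout reconstructed from the `cut` fields in the thread; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. ASSUMED log layout (reconstructed from the cut fields in the
# thread): '|'-separated, message in field 6, message ended by ';'.

# credentialed_ips JOB LOGFILE...  -> unique IPs with a "Found valid cred" line
credentialed_ips() {
    job="$1"; shift
    # ([^0-9]|$) keeps JN5 from also matching JN50, JN51, ...
    grep -hE "JN${job}([^0-9]|\$)" "$@" \
        | grep "Found valid cred" \
        | cut -d '|' -f 6 | cut -d ';' -f 1 \
        | sed -n 's/^.*(\([0-9][0-9.]*\)): Found valid cred.*$/\1/p' \
        | sort -u
}

# uncredentialed_ips TARGETS JOB LOGFILE...  -> targets with no such line
uncredentialed_ips() {
    targets="$1"; shift
    creds=$(credentialed_ips "$@" | tr '\n' ' ')
    tr -d '\r' < "$targets" | awk -v creds="$creds" '
        BEGIN { n = split(creds, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($1 in seen) { print $1 }'
}

# write_sample DIR  -> constructed log files and target list for the demo
write_sample() {
    cat > "$1/LogFile.2010-04-10.txt" <<'EOF'
2010-04-10 22:03:11|INFO|JN5|0|cred|Example1 (192.168.10.12): Found valid credentials (Domain\username); constructed
2010-04-10 22:04:40|INFO|JN50|0|cred|Other9 (192.168.10.99): Found valid credentials (Domain\username); constructed
2010-04-10 22:05:02|INFO|JN5|0|cred|Example2 (192.168.10.14): constructed line without a credential match; constructed
EOF
    cat > "$1/LogFile.2010-04-11.txt" <<'EOF'
2010-04-11 00:12:45|INFO|JN5|0|cred|Example3 (192.168.10.16): Found valid credentials (Domain\username); constructed
EOF
    printf '%s\n' 192.168.10.12 192.168.10.14 192.168.10.16 > "$1/targets.txt"
}

# Demo: job 5 spanning two log dates, as in the thread's example.
demo=$(mktemp -d) && write_sample "$demo"
echo "credentialed:";   credentialed_ips 5 "$demo"/LogFile.2010-04-1[01].txt
echo "uncredentialed:"; uncredentialed_ips "$demo/targets.txt" 5 "$demo"/LogFile.2010-04-1[01].txt
rm -rf "$demo"
```

A target that was never credentialed, or a job with no matching lines at all, ends up in the uncredentialed list rather than being silently dropped.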