## VBScript: Zip & Organize Files by Year / Month

Organizing large amounts of files can be a real pain in the ass! If you’ve ever had the need to organize large numbers of files then you probably had a script or really wish your had a script to do this incredibly boring and monotonous task.

I had just such a task in my role as a site reliability engineer for a set of load balanced IIS web servers a couple of years ago. I needed to archive the IIS web server log files by server / year / month.

The VBScript I’m sharing with you in this article, archives two kinds of files for the example. In this example they live in the same folder but most likely in the real world they won’t so adjust the script to your needs. I just show you two ways to parse the date out of files named differently.

1. IIS Log File
2. Custom CSV Log File

This example does not delete the original file after a copy has been moved to the zip folder. You can add that later or just manually delete all the files after they are all moved to zipped files.

From the example you should be able to figure out to implement this in your own use case. Good luck!

## Organizing Files Using VBScript

This is one of my favorite VBScripts even though I did not write all of it myself. I’ve left credit in the comments for the zip file code I borrowed and implemented in this solution.

## VBScript Code

'File System Object Prep
Const ForReading = 1
Const ForWriting = 2

sFolder = InputBox("Enter log folder path:","Select a Log Folder to Compress","C:\inetpub\logs\LogFiles\W3SVC3")
Set oFSO = CreateObject("Scripting.FileSystemObject")

For Each oFile In oFSO.GetFolder(sFolder).Files

on error resume next
'Breakdown file name
strFileType = Right(oFile.Name,3)

if strFileType = "csv" then
strTemp = Replace(Mid(oFile.Name,20,Len(oFile.Name)-4),".csv","")
arrDate = Split(strTemp,"_")
iYear = Left(arrDate(0),2)
iMonth = arrDate(1)
if Len(iMonth) < 2 then
iMonth = "0" & iMonth
end if
CheckValue = arrDate(1)
CurrentMonth = Mid(DatePart("yyyy", Now()),3,2) & DatePart("m", Now())

if iYear & iMonth = CurrentMonth and (strFileType = "log" OR strFileType = "csv")	then
'Do not process current month file, only archive previous months
'msgbox("Skipping " & sFolder & "\" & oFile.Name)
else
WindowsZip sFolder & "\" & oFile.Name, sFolder & "\" & iYear & iMonth & ".zip"
end if
end if

if strFileType = "log" then
iYear = Mid(oFile.Name,5,2)
iMonth = Mid(oFile.Name, 7,2)
CheckValue = iYear & iMonth
CurrentMonth = Mid(DatePart("yyyy", Now()),3,2) & DatePart("m", Now())

if iYear & iMonth = CurrentMonth and (strFileType = "log" OR strFileType = "csv")	then
'Do not process current month file, only archive previous months
'msgbox("Skipping " & sFolder & "\" & oFile.Name)
else
WindowsZip sFolder & "\" & oFile.Name, sFolder & "\" & iYear & iMonth & ".zip"
end if
end if

Next

Function WindowsUnZip(sUnzipFileName, sUnzipDestination)
'This script is provided under the Creative Commons license located
'at http://creativecommons.org/licenses/by-nc/2.5/ . It may not
'be used for commercial purposes with out the expressed written consent
'of NateRice.com

Set oUnzipFSO = CreateObject("Scripting.FileSystemObject")
If Not oUnzipFSO.FolderExists(sUnzipDestination) Then
oUnzipFSO.CreateFolder(sUnzipDestination)
End If

With CreateObject("Shell.Application")
.NameSpace(sUnzipDestination).Copyhere .NameSpace(sUnzipFileName).Items
End With

Set oUnzipFSO = Nothing
End Function

'To Test Windows Zip Function Separately
'WindowsZip "C:\test\test2.txt","C:\test\test.zip"

Function WindowsZip(sFile, sZipFile)
'This script is provided under the Creative Commons license located
'at http://creativecommons.org/licenses/by-nc/2.5/ . It may not
'be used for commercial purposes with out the expressed written consent
'of NateRice.com

Set oZipShell = CreateObject("WScript.Shell")
Set oZipFSO = CreateObject("Scripting.FileSystemObject")

If Not oZipFSO.FileExists(sZipFile) Then
NewZip(sZipFile)
End If

Set oZipApp = CreateObject("Shell.Application")
sZipFileCount = oZipApp.NameSpace(sZipFile).items.Count
aFileName = Split(sFile, "\")
sFileName = (aFileName(Ubound(aFileName)))

'listfiles
sDupe = False

For Each sFileNameInZip In oZipApp.NameSpace(sZipFile).items
If LCase(sFileName) = LCase(sFileNameInZip) Then
sDupe = True
Exit For
End If
Next

If Not sDupe Then
oZipApp.NameSpace(sZipFile).Copyhere sFile
'Keep script waiting until Compressing is done
On Error Resume Next
sLoop = 0
Do Until sZipFileCount < oZipApp.NameSpace(sZipFile).Items.Count
Wscript.Sleep(100)
sLoop = sLoop + 1
Loop
On Error GoTo 0
End If
End Function

Sub NewZip(sNewZip)
'This script is provided under the Creative Commons license located
'at http://creativecommons.org/licenses/by-nc/2.5/ . It may not
'be used for commercial purposes with out the expressed written consent
'of NateRice.com

Set oNewZipFSO = CreateObject("Scripting.FileSystemObject")
Set oNewZipFile = oNewZipFSO.CreateTextFile(sNewZip)

oNewZipFile.Write Chr(80) & Chr(75) & Chr(5) & Chr(6) & String(18, 0)
oNewZipFile.Close

Set oNewZipFSO = Nothing
Wscript.Sleep(500)
End Sub



## How to Hide an Executable File Inside and Text File

Did you know that hackers can hide an executable file inside of a text file using a technique that uses something called data streams to trick a computer system from seeing text and or executable written in an alternate data stream inside a common text file.

I was pretty impressed the first time I watched someone demonstrate this. I was like, NO WAY! I really thought that this was some wizard level hacker stuff.

I’m no wizard level hacker, although I aspire to be, but I should be good enough to show you how to embed a simple calculator app inside a text file using an alternate data stream.

A big thank you to Cyber Security Expert, Malcolm Shore who presented a similar example in his Cyber Security Foundation online course I recently completed.

## How Do Alternate Data Streams Work?

Way back in the old Wild West days when we had the DOS operating system, files used to be simple strings of data. Files are read btye by byte.

Later, in the NTFS file system, files are complex structures. NTFS files at a minimum contain a section called $Data where data is read by an application.$Data is the Data Stream.

Files may have many other sections or streams other than just the $Data section. This is what we call “Alternate Streams”. THIS IS IMPORTANT: Windows only recognizes data in the$Data section so any data we put in an alternate data stream is not read by the Windows Operating System. We cloak data we want to hide in an alternate data stream. That’s the basics of how this works.

The data we are hiding could be a malicious malware payload or encrypted espionage message for our spy ring but in this example, it is just the simple calc.exe file you can find on any Windows PC for the last 20+ years.

## Creating an Alternate Data Stream in a Text File

The screenshot below shows the three (3) files we’ll be using in this demonstration.

• Simple text file with some string data.
• calc.exe application or executable binary file
• Secret text file with some string data

We can see the size of the text file is just 1 KB and the calc.exe file is 897 KB.

If we open the text-data.txt file with Notepad we’ll see just a simple line of text and the same with the secret-data.txt file.

To hide our secret message inside the the text data file, we’ll use this command line command.

C:\text\>type secret-data.txt > text-data.text:hidden.text

## Screenshot of Alternate Data Stream: Insert Hidden Text

Below is a screenshot of the command line command “type” that we used in this example to insert our secret-data.txt file into an Alternate Data Stream inside of another text file.

If we type the command “more” we can look for the secret message.

The screenshot below shows the text file that contains our hidden text being opened in Notepad where we can’t see the hidden text we saved to the file. If we type the command line command below, we can read the hidden text we wrote to our Alternate Data Stream by keying in on the specific data stream.

c:\test>more < text-data.txt:hidden:text

## Hiding an Executable Inside a Text File

Hiding an executable file inside a text file using the exact same Alternate Data Stream technique we just used in the the Secret text file example above but this time we’ll simply replace the Secret text file with the Windows Calculator application executable file.

The screenshot below shows the command line command to save the calc.exe file in an Alternate Data Stream in side our target text file.

Notice this time, the Alternate Data Stream is named “mycalc.exe”. Don’t get to hung up on this, it is just a name that is basically meta data that is saved with the data that we can use to filter the data we get out of the file. I hope that makes sense.

Important to note at this point that the file sizes didn’t change when we inserted the calc.exe file. It is still showing 52KB.

## How to Execute a File Saved in an Alternate Data Stream

To execute a file you’ve stored in an Alternate Data Stream, we’ll need to use the wmic command as is done in the following example.

c:\test>wmic process call "c:\test\text-data.txt:mycalc.exe"

As you can see from the working example above, I was able to embed the calc.exe file inside as well as text file and a secret message.

If the data is text we just need to indicate which stream we saved the data in to retrieve it.

If the data we hid was an executable file, we’ll need to use the Windows “wmic” command line command to call the executable from inside the text file by keying in on the Alternate Data Stream name.

In summary, the technique is crazy easy to pull off without any 3rd party hacking tools. It just requires a little Windows Operating System inside knowledge but is something every good hacker should know.

I hope this helped somebody!
~Cyber Abyss

## How to Transfer Files from Windows PC to Linux Server Using Putty’s PSCP Command

Many blogs and web applications are being hosted on cloud based web servers. Of those web servers, many are running some flavor of the Linux operating system (OS).

If you’re a Windows PC user who is using a Linux web server for your online project then you have unique challenge that comes with being a dual OS user.

How will we transfer our files from our Windows development PC to our Linux cloud hosted blog or web app? Enter Putty and the PSCP command line tool!

## What is Putty?

Putty is a Client application that handles connections to remote computers via the Telnet, SFTP and SSH protocols.

## What is PSCP?

PSCP is a command line application that is typically included in the Putty installation. PSCP transfers files between two computers from the Windows command line as long as firewalls allow the traffic on the designated ports for each type of traffic.

## Transferring Files with PSCP from the Command Line

If you’ve installed Putty in the default directory, it will be here.

C:\Program Files\PuTTY

Open a Windows command line by clicking on the Windows start menu icon then entering “cmd” in the search field then find and click on the cmd icon.

Navigate to the Putty Directory by entering the command below.

C:\>CD c:\Program Files\Putty

Let’s look at an example PSCP command to transfer a file from a Windows PC to a Linux cloud web server with a fake user named root, IP of 45.99.99.99 and a target folder of /var/www/html

### PSCP Command Example

c:\>C:\Program Files\Putty\pscp c:\temp\sample.txt root@45.99.99.99:/var/www./html

#### Screenshot

That’s all you should need to know about connecting to a Linux cloud based web server from a Windows PC using the Putty SSH client.

Hope this helps you on your Cyber journey!

~Cyber Abyss

## Website Uptime Monitoring: The Basics

There are lots of website uptime monitoring services out there but all the components you need to build your own website monitoring tool can be found in good ole’ Microsoft VBScript.

Stop laughing, I’m not kidding!

In this article, I’ll share with you some scripts and tips I’ve used successfully in the past for monitoring website uptime even if your website is running in a complex load balanced enterprise environment which some of mine are.

## VBScript Components for Uptime Monitor

Most people don’t know that VBScript can make Ajax HTTP calls but it can.

We will use VBScript’s ability to make Ajax HTTP calls to our website to see if it responds then put some simple logic around that response to log the results in a text/csv file.

It really is amazingly simple once you get all the code components together.

## The ISWebSiteUp Function

The ISWebsiteUp function takes a URL string and makes an Ajax HTTP call to see if we get a HTTP code 200 or 404 returned meaning website loaded OK.

Once we get our 200 or 404 HTTP response code that, script returns true in the form of a text message box or if script times out you’ll get a false in an error message box.

You might be saying to yourself about now, what about the 404 response code for page not found. Yes, you might want to add some more code to handle that differently than a 2oo OK response but for this script, we just want to know if server is up. If we are pointing to a page at the root of a domain, we don’t typically get 404 errors in reality.

## The Script Code

To use this code, copy it in to a text file and save it with a .vbs file extension for VBScript. Once you have the .vbs file, double click on it and you should get a message box with the names of the logged in user on the specified Windows PC on your network.


'isWebsiteUp: Takes String URL
'isWebsiteUp: Returns strMessage in Message Box
Function isWebsiteUp(strURL)

On Error Resume Next

Set http = CreateObject("MSXML2.ServerXMLHTTP")
'Set http = CreateObject("Microsoft.XmlHttp")
http.open "GET", strURL, False
http.send ""

'Only check for error of the HTTP Get request for 200 or 404 code returned. If any status is returned then the server is up
if http.responseText <> "" AND err.number = 0 then
'Commented out showing the response text. Use this for troubleshooting or exploring.
'msgbox(http.responseText)
isWebsiteUp = true
strMessage = "is up"
else
isWebsiteUp = false
strMessage = "is down"
end if
Set http = Nothing

msgbox(strURL & ":" & strMessage)
err.clear
End Function

call isWebsiteUp("https://www.google.com") 

## What the Web Server Sees in the HTTP call: WinHTTPRequest User Agent

The VBScript Ajax HTTP call to the web server presents itself as a web browser asking for the home page.

In the server logs a server admin may see this “User Agent” in their logs.

Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

## Script Errors & Blocked HTTP Calls

This script works out of the box. Google is the most open website in the world in terms of IPs that their servers accept traffic from as they are in the business of collecting data about everything including every system that connects to it.

Other web servers, like ones I run, may not be so forgiving. Many server admins use many tools at their disposal to filter HTTP request at various levels.

Here are some examples of tools Windows Server Admin have at their disposal to block or filter your script from connecting to their web servers.

## Windows Server Admin Tools for Handling HTTP Traffic

• Firewall IP Restrictions (Window Server Admin)
• HTTP Response Filtering (IIS Application Server Admin)
• IP Restrictions (IIS Application Server Admin)

## VBScript WMI: How to Get Computer Serial Number from Local or Remote Windows PC

This Windows WMI script using VBScript, retrieves the serial number of the local or networked computer.

To use this code, copy it in to a text file and save it with a .vbs file extension for VBScript. Once you have the .vbs file, double click on it and you should get a message box with the names of the logged in user on the specified Windows PC on your network.

## Windows WMI VBScript

Function GetComputerSerialNumber(strComputer)
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colComputer = objWMIService.ExecQuery _
("SELECT * FROM Win32_ComputerSystemProduct",,48)

For Each objComputer in colComputer
GetComputerSerialNumber = objComputer.IdentifyingNumber
Next

End Function

'strComputer = "XPS1234"
strComputer = "."

' Pass a . to run this on your own PC or add a string value for another on your network
call msgbox(GetComputerSerialNumber(strComputer))

## VBScript WMI: How to Get Logged in User from a Windows PC

If your in need of finding out who is logged on to a specific Windows PC on your network, run the VBScript below.

When executed, you’ll see a message box with the name of the account currently logged in the computer specified.

## The VBScript Code

To use this code, copy it in to a text file and save it with a .vbs file extension for VBScript. Once you have the .vbs file, double click on it and you should get a message box with the names of the logged in user on the specified Windows PC on your network.

Function GetLoggedinUser(strComputer)
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colComputer = objWMIService.ExecQuery _
("Select * from Win32_ComputerSystem")

For Each objComputer in colComputer
Wscript.Echo "Logged-on user: " & objComputer.UserName
Next

End Function

' Pass a . to run this on your own PC or add a string value name for PC on your network
'strComputer = "XPS1234"
strComputer = "."

call msgbox(GetLoggedinUser(strComputer))

Stay tuned for more scripts in upcoming blog posts!

Hope this helps somebody!
~Cyber Abyss

## VBScript WMI: Get List of Administrators from Windows PC

I’m breaking down a large VBScript I wrote as part of a larger computer inventory system prototype I built for what later became a much larger company.

This project was a big time investment for me that provided a lot of value to the company until they went out and purchased a commercial product and even then, the commercial product had things it did not do as well as my prototype.

The scanning volume eventually got so big that I had to run copies of the script on different parts of Active Directory at the same time to try and scale the scanning of computers on the network with all the data being stored in a SQL database backend.

This script and others I’ll be sharing in this series were contained within a loop of Active Directory computer records for a good size enterprise with about 10,000 desktops and laptops for some Active Directory OUs.

This script leverages Windows Management Instrumentation (WMI) to query what’s going on with this Windows network PC.

The first piece of code I’m sharing is for querying the Windows WMI to get a list of Administrators from a Windows PC. This code was used as part of a project to determine if any computers had unauthorized admin accounts we didn’t know about.

To use this code, copy it in to a text file and save it with a .vbs file extension for VBScript. Once you have the .vbs file, double click on it and you should get a message box with the names of the admin accounts from the target device.

Function GetAdministrators(strComputerName)
On Error Resume Next

Dim objWMIService, strQuery, colItems, Path, strMembers, strAdminList, iCounter
iCounter = 0
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputerName & "\root\cimv2")
strQuery = "select * from Win32_GroupUser where GroupComponent = " & chr(34) & "Win32_Group.Domain='" & strComputerName & "',Name='Administrators'" & Chr(34)
Set ColItems = objWMIService.ExecQuery(strQuery,,48)
strMembers = ""
For Each Path In ColItems
Dim strMemberName, NamesArray, strDomainName, DomainNameArray
NamesArray = Split(Path.PartComponent,",")
strMemberName = Replace(Replace(NamesArray(1),Chr(34),""),"Name=","")
DomainNameArray = Split(NamesArray(0),"=")
strDomainName = Replace(DomainNameArray(1),Chr(34),"")
If strDomainName <> strComputerName Then
strMemberName = strDomainName & "\" & strMemberName
if iCounter = 0 then
else
strAdminList = strAdminList & " > " & strMemberName
end if
iCounter = iCounter + 1

End If
Next

End Function
' Pass a . to run this on your own PC or add a string value for another on your network
call msgbox(GetAdministrators("NetworkComputer1"))

Stay tuned for more scripts in upcoming blog posts!

Hope this helps somebody!
~Cyber Abyss

## How to Join MP4 Files Together Using the Windows Command Line

I have two MP4 files that I need to merge together into one single file.

You might think that you would need a special piece of software to combine two MP4 video files but all it takes is a single command from the Windows command line to do the job.

copy /b "C:\File1.mp4" + "C:\File2.mp4" NewCombinedMoveFile.mp4


That’s all it takes to combine two MP4 movies files in to one since file.

Hope this helps sombody!

~ CyberAbyss

## 3 Low Cost Ideas to Address RDP Brute Force Attacks on Your Windows Web Server

Its late at night, I’m remoted in to my Windows web server. I’m reviewing the event logs and see something suspicious. Audit failures in the Security event logs.

The next 7 hours had me consumed in learning everything I can about “Brute Force RDP Attacks” and try to apply it to my server ASAP.

Before I go any further, I want to reiterate that this a hobby server I run. This is not a server I work on for my day job in a large enterprise environment. Hence the focus on low cost solutions.

First, Remote Desktop Protocol (RDP), is probably one of the most commonly unsecured items on Windows web servers which is also why your server is going to be relentlessly pounded by scanning tools and hackers trying to access your server via RDP, usually via port 3389.

## Video: Brute Force Attack with Hydra Hacking Tool

I could just block port 3389 and move on with my life but I personally prefer to access this particular server via RDP to handle administrative tasks. Everything else is done via FTP or telnet.

I run all my hobby servers on a super tight budget. This article will discuss what I learned and how I applied that knowledge to mitigate some of the risk associated with managing Windows servers exposed to the Wild Wild West (WWW) with RDP connections using techniques that are no cost except for your time to implement.

## Low Cost Ideas for Mitigating RDP Brute Force Attacks on Your Windows Servers

1. Use Strong Passwords
• Strong passwords are your first and best defense for any RDP brute force attack.
• Use a password with a length or 12 character or more.
• Don’t use words that can be found in a dictionary
• Use a combination of UPPER CASE, lower case, numbers and special characters
• Be Social Media aware! Don’t use friends, family, pets or info that could be derived from Social Media posts.
2. Clean Up Old User Accounts
• Make sure only the accounts you need are on your server.
• Fewer accounts reduces possible attack vectors.
• Also validate the level of access of the accounts on your server.
3. Update Windows Firewall Rules
• Exclude IP Ranges for Countries with highest amount of hacking.
• See steps below for updating your Windows Firewall configuration to block IP ranges for China, Russia and North Korea.

## Before You Mess with Your Firewall

The PowerShell script I cover below worked great but then decided to build a firewall rule manually for South American IP addresses and re-learned a very important lesson about working with Firewalls.

A word of caution: Don’t build your Firewall IP restrictions manually.

Always script them out in PowerShell. If you’re not 100% awake and paying attention, you will find yourself blocked out of your server and kicking yourself in the ass like I did.

Thankfully, I have a great hosting company, AccuWebHosting, who has been able to un-do all my screw ups so far. I’ve used them happily for many years and highly recommend them. I pay about \$500 a year for a decent Windows server VPS with great support.

## Use Windows Firewall to Block IP Ranges for China, Russia and North Korea and many others.

The steps to block IP ranges using Windows Firewall are pretty simple.

1. Create a directory for working with PowerShell and PowerShell Scripts.
• Example: C:\ip-security
3. Extract contents of the the ip-security-package.zip file to your “C:\ip-security” folder.
• You folder should look like this:
4. Open PowerShell from the Command Line as an Administrator so you’ll have the correct rights to make changes to the Windows Firewall
5. Run this command to make sure PowerShell is in the right mode
• “Set-ExecutionPolicy Bypass”
• Type “Y” when prompted to access the change
6. Type the following commands to import the IP Range Exclusions in to Windows Firewall.
• Import-Firewall-Blocklist.ps1 -inputfile china.zone.txt
• Import-Firewall-Blocklist.ps1 -inputfile russia.zone.txt
• Import-Firewall-Blocklist.ps1 -inputfile northkorea.txt
7. You should now have IP blocks in your firewall.

If you’ve done these three things, your web server is better prepared than most.

## Some Closing Thoughts on Web Server Security

Security on the internet is hard and ever changing. Running your own server for your hobby or side hustle can be done but can be very frustrating and overwhelming at times. Do as much of what I covered as you can.

We covered a few options above, but if you get nothing else from this article, make sure your passwords are long and hard to guess as this is the last defense before a bad guy gets access to your system.

From meetings I’ve been in with Enterprise engineers, passwords of 12 characters or more are best. Rainbow hash attacks can typically get most common passwords less than 12 characters. Scary, right?

Don’t use passwords made from words that can be found in a dictionary and now with the new world of social media, avoid using your kids, significant other or pet’s name or other references that can be guessed from online posts.

In one of the attacks that prompted me to write this article, one attacker used my youngest Son’s full name. I don’t use Facebook anymore so there only a few places you could go to figure that out.

I hope this story helps someone else on their IT Journey.

Regards,
Rick Cable
Lost in the Cyber Abyss

## References:

https://www.gregsitservices.com/blog/2016/02/blocking-unwanted-countries-with-windows-firewall/

http://www.ipdeny.com/ipblocks/

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6

## How to Use Windows Snipping Tool to Capture Right Click Context Menus

I’m working on a huge documentation project where I’m documenting operational support for a suite of C# MVC portal sites with a lot of back end SQL administrative functions.

I used to have SnagIt but my company has been cutting back on licenses.

I’m forced to rely on the Windows native screenshot tool, the Windows Snipping Tool.

One of my first big struggles was how do I capture right click context menus with the Windows Snipping Tool.

In my case, I’m documenting a folder structure and how to commit code to a SVN repository.

1. Open Snipping Tool, cancel current snippet and leave in standby mode.
2. Get focus on your window / folder.
3. Keys: Shift + F10
4. Keys: Ctrl + fn + Print Screen (prtsc)
5. You should have right click menu open and Snipping Tool should prompt you to select an area to capture. Select your menu area.