DavidLago Posted November 25, 2015

I have no idea how to even start to describe it... I have an AutoIT script that runs a "RunAsWait" with a different user (DOMAIN\ControlTeamUser) on a 7zip.exe with a parameter to extract a file and read its content to an array. Works perfectly.

But the networks team found a crazy behavior in the Firewall. When the button that triggers the RunAsWait line is pressed for the first time, lots of access requests from the computer's IP address appear, shooting at random external IP addresses (some of them point to Akamai's IPs). The crazy thing is, it runs under the user DOMAIN\ControlTeamUser (yeah, like wtf!!??!!).

I thought it would be the 7Zip trying to look for updates or something, but there's more. If you uninstall 7zip and run the script again, it won't find the 7z.exe, and there will be an error, of course, but some requests still come up at the firewall, and if you ping 8.8.8.8 from a mere CMD window, it hits the firewall as the user DOMAIN\ControlTeamUser.

Crazy, right? Have ANY of you ever seen anything like this crazy behaviour? Maybe there is a known issue...
iamtheky Posted November 25, 2015

How are you authenticating that user? Posting your script always helps, but I imagine you would see the same traffic if you tried to simply authenticate to a file share, and that you are seeing an LDAP configuration more so than an AutoIt configuration.
DavidLago Posted November 25, 2015 (Author)

boththose, I'll post the lines that make the crazy things happen:

    $Descompactador = IniRead("CONFIG.ini", "CONFIG", "Descompactador", "")

    While 1
        Local $file = FileFindNextFile($search1)
        If @error Then ExitLoop
        $ultima_pasta = $file
    WEnd

    FileDelete(@UserProfileDir & "\" & $NomeArquivo)

    $pass = decrypt("?????????????????????????????????????????ENCRYPTEDPASS??????????????????????????????")
    RunAsWait("ControlUser", "DOMAIN", $pass, 2, @ComSpec & " /c " & "copy " & $Caminho & "\" & $ultima_pasta & "\" & $NomeArquivo & " " & @UserProfileDir & "\" & $NomeArquivo, @UserProfileDir, @SW_HIDE)
    $pass = ""

    RunWait($Descompactador & " " & @UserProfileDir & "\" & $NomeArquivo, @UserProfileDir, @SW_HIDE)

And, actually, the RunAsWait only does a file copy. The 7z.exe ($Descompactador) is only called at the RunWait.
iamtheky Posted November 25, 2015 (edited)

> And, actually, the RunAsWait only does a file copy

So.... I win?

How about making a single-line script that does nothing but authenticate this user and ping 127.0.0.1, and then another that simply pings 127.0.0.1? That way we can maybe isolate it to the authentication.

I'm also going to take a not-so-wild guess that your enterprise is using Office 365.

Edited November 25, 2015 by boththose
DavidLago Posted November 25, 2015 (Author)

> So.... I win? How about making a single-line script that does nothing but authenticate this user and ping 127.0.0.1, and then another that simply pings 127.0.0.1? That way we can maybe isolate it to the authentication. I'm also going to take a not-so-wild guess that your enterprise is using Office 365.

Well... I think we're looking from different angles. Let me explain again.

This file copy needs to happen, and needs to be done with that specific user, because it will reach a file that is in a specific app folder within a server, in which only this user has the permissions to access it.

What is troubling me is that after running that RunAsWait copying the file from the server to the local computer, all outside traffic (such as a ping request to 8.8.8.8) turns out to be requested through the user from RunAsWait.

My guess is that, somehow, the RunAsWait invokes a User/Pass ticket within itself, or within the OS, that stays in memory and messes up or mixes up with the Windows ones, hence the ping 8.8.8.8 hitting the firewall as the generic "ControlUser".

But I've never seen anything like it.
iamtheky Posted November 25, 2015

What account are you logged in as when you execute this script?

To confirm your suspicions, you should write a script that runs Dir. What I imagine is happening is @UserProfileDir is eating your lunch; use literal paths or variables you acquire while in the shell.
DavidLago Posted November 26, 2015 (Author, edited)

Hey there. Got it. It might be happening. I compiled a new version with some changes, and also another one changing the auth method from 2 to 1 as below:

    RunAsWait("ControlUser", "DOMAIN", $pass, 1, @ComSpec & " /c " & "copy " & $Caminho & "\" & $ultima_pasta & "\" & $NomeArquivo & " " & @UserProfileDir & "\" & $NomeArquivo, @UserProfileDir, @SW_HIDE)

Let's see how both tests will come out. Thanks.

Edited November 26, 2015 by DavidLago
iamtheky Posted November 26, 2015 (edited)

I would recommend ConsoleWriting or MsgBoxing that command directly prior to its execution, so you are absolutely positive that all variables and macros have the expected value. Then comment that biatch out when everything is all clean.

Edited November 26, 2015 by boththose
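A diagnostic script that combines the isolation test and the "print the command before running it" advice from the replies above. This is an added example, not code from the thread; the share path, file name and the `_CapturePlain` helper are hypothetical, and the password is prompted for instead of being embedded in the compiled script. The identity check runs `whoami` and `ping` through a plain `Run`, so any user the firewall reports for that traffic is attributed by the firewall, not by the script.

```autoit
; Added diagnostic example (not from the thread). Assumes the "ControlUser" account,
; the UNC share and the file name below exist; all three are placeholders.
#include <AutoItConstants.au3>

Global Const $sUser = "ControlUser"
Global Const $sDomain = "DOMAIN"
Global Const $iLogonFlag = 2      ; 2 = network credentials only; set to 1 to repeat the thread's second test
Global $sCaminho = "\\SERVER\AppShare\Folder"   ; hypothetical UNC source path
Global $sNomeArquivo = "dados.7z"                ; hypothetical file name
Global $sDest = @UserProfileDir & "\" & $sNomeArquivo

; Ask for the credential at run time rather than shipping it inside the script.
Local $sPass = InputBox("Credential", "Password for " & $sDomain & "\" & $sUser, "", "*")
If @error Then Exit 1

; Build the command once and log it before execution, so every macro and
; variable is confirmed to hold the expected value (iamtheky's advice above).
Local $sCmd = @ComSpec & ' /c copy "' & $sCaminho & '\' & $sNomeArquivo & '" "' & $sDest & '"'
ConsoleWrite("[copy] " & $sCmd & @CRLF)

Local $iRet = RunAsWait($sUser, $sDomain, $sPass, $iLogonFlag, $sCmd, @UserProfileDir, @SW_HIDE)
Local $iErr = @error
$sPass = ""                       ; drop the secret as soon as the call returns
ConsoleWrite("[copy] RunAsWait exit code " & $iRet & " (@error=" & $iErr & ")" & @CRLF)

; Identity check: both commands run WITHOUT RunAs, so whoami reports the
; logged-on user. If it still does, the alternate credential did not leak into
; the parent session and the firewall's user mapping is the thing to inspect.
ConsoleWrite("[whoami] " & _CapturePlain(@ComSpec & " /c whoami") & @CRLF)
ConsoleWrite("[ping]   " & _CapturePlain(@ComSpec & " /c ping -n 1 8.8.8.8") & @CRLF)

; Hypothetical helper: run a command hidden and return its captured stdout.
Func _CapturePlain($sCommand)
    Local $iPid = Run($sCommand, @UserProfileDir, @SW_HIDE, $STDOUT_CHILD)
    Local $sOut = "", $sChunk
    While 1
        $sChunk = StdoutRead($iPid)
        If @error Then ExitLoop   ; @error is set once the child closes its stdout
        $sOut &= $sChunk
        Sleep(10)
    WEnd
    Return StringStripWS($sOut, 3)
EndFunc
```

Run it from SciTE (or compiled with a console) so the ConsoleWrite lines are visible, and compare the firewall's user column for the ping against the whoami output.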
DavidLago Posted November 30, 2015 (Author)

I think I've found where the problem was. I'll have to run some tests to confirm it first, but it seems that the problem sits within the Firewall config. Something user-cache related.
DavidLago Posted December 7, 2015 (Author)

Just an update. Still confirming...
DavidLago Posted December 11, 2015 (Author)

OK. Firewall was the issue. Some specific setting displays the user that is running the request for the internet (any), and that's not reliable. For example, ping requests do not send a username embedded, and the firewall was recognizing a username. I assume these are caused by a cache or something. Anyway, that's not an AutoIT bug.

Thanks to everyone (Iamtheky) that helped.
iamtheky Posted December 11, 2015 (edited)

No worries. Did you by chance get any PCAPs or events that popped? I would be interested in the enterprise firewall trigger; we just dropped some new PaloAltos and I would want to see if the same traffic appears.

Thank you for the follow-up; most users are not as helpful when having to research themselves.

Edited December 11, 2015 by iamtheky