Finding KMS Violators in the Enterprise

I use bash to do almost everything.  Even when I’m neck-deep in Windows and I need to solve a problem, my first thought is a bash script.

Recently, I was working in a large distributed enterprise that utilizes Microsoft KMS to manage the enterprise licensing.  For the most part, all was well, and the new Windows machines that came online were getting licensed and working perfectly.

However, there were a few locations that accidentally turned a few of the downstream location servers into sub-domain KMS servers by improperly installing the license, and some new workstations in that local DNS sub domain were finding, using, and becoming loyal to those errant KMS servers.  My job was to root out all the errant KMS servers.  To the bash!

First thing I did was make a list of the DNS sub domains into a file called “subdomains.txt”, with one per line like this:


And if you have a nameserver that you trust, then you can just call that file in a “for” loop like this:

for item in `cat subdomains.txt`; do nslookup -type=srv _vlmcs._tcp.$item.parentdomain.local |egrep -e "_vlmcs" -e "service"|awk '{ print $7 }'>>kmsViolators.txt;done

…replacing parentdomain.local with your parent domain.  And then you can view the output file to see if you caught any “fish”.

You can make more sense out of the list of results with:

for item in `cat kmsViolators.txt`;do nmblookup -A $item;done

…and just to see if the KMS service is really still running on those machines (and not blocked)…. scan them like this:

for item in `cat kmsViolators.txt`; do nmap -sT -p 1688 $item;done |egrep -v -e "Starting" -e "Nmap finished" -e "STATE"

Then, if you found some violators in one (or more) of the sub domains, you might want to see if the DNS servers agree on the KMS server listings.  So to focus on just one of the sub domains and test against all listed DNS servers, you can do this:

for item in `nslookup -type=ns parentdomain.local |grep "internet address"|awk '{ print $5 }'`; do echo "For nameserver $item:";echo "----------------------------------";echo "";nslookup -type=srv _vlmcs._tcp.sub1.parentdomain.local $item;done >> sub1-nsResults.txt

…replacing parentdomain.local with your parent domain, and replacing sub1 with the sub domain you wish to more closely inspect.

Ten, analyze the results file and see if you indeed caught the “trophy fish”!

Leave a Comment

Your email address will not be published. Required fields are marked *