Archive for November, 2009

Defending Windows Networks – Day 1

November 30, 2009

Day1….
If you’ve read the previous blog article “CISSP Training” posted several weeks ago or have had any direct communication with yours truly, then you would know I recently took advantage of an “unlimited” training package offered by Global Knowledge. It includes unlimited training (certain classes not optional) within 4 months for one set price. If permitted to take all the classes requested, the total value of the package would come close to $30,000, of which I paid a mere $4,400 in comparison. Such an opportunity is rare indeed, so I decided to sign up and have not regretted it one bit.

Today I began a week-long training session called “Defending Windows Networks”. The instructor, Karl Koeler, has brought an enormous amount of energy and knowledge to the class, and I have enjoyed his instructional style and admire his level of security expertise.

The following key concepts will be covered during the training:

  • Security: From Concept to Policy
  • Encryption Concepts
  • Evaluating the Threat
  • Target Acquisition
  • Sniffing Around (network monitoring)
  • Compromising Windows Authentication
  • Account Discovery
  • Trojan Horse
  • Defeating and Defending the Firewall
  • Defending Against Other Windows Exploits
  • Wireless Intrusion
  • Using Windows Certificate Services
  • Laptops
  • Leveraging Security Policies

The package includes 3 books:

  • Global Knowledge course content (developed by Karl)
  • Lab Guide
  • Hacking Windows Exposed by Joel Scambray & Stuart McClure (third edition)

I had purchased and read the original “Hacking Exposed” book sometime in 2001 and just remembered an incident in which I made a poor decision in downloading and testing one of the free HTTP vulnerability scanners at my then current position as Helpdesk Analyst at TimeInc. Let’s just say the incident brought much attention to me, and after careful explanation and an overwhelming apology I was lucky to keep my job. I was also advised to not bring or be seen reading Hacking Exposed on company property. Of course I couldn’t help bringing the book as reading material for the train ride in and out of Manhattan, but it remained safe and sound inside my bag while onsite.

So today’s class covered setting up VirtualPC in order to utilize preconfigured virtual machines, as well as the following concepts:

  • Security: From Concept to Policy
  • Encryption Concepts

Completed the following labs:

  • Designing security policy
  • Setting up the lab environment

Categories: Security

No Ordinary Moments….

November 29, 2009

There are times I forget that this blog, although dedicated almost solely to my vigorous and insatiable appetite for technology, is also a tool I should use to divulge such insights I think need to be spoken of. Life has a way of expressing itself in all avenues of human spirit. Colors and form reflect that of the painter, shape and stone the sculptor….could it not be that my words, seen through internet eyes as just another fellow “Anonymous” contributor, might be able to change the world one bit or byte at a time? It would seem pompous of me to think such truth, and so I merely hope my words fall on open ears and hearts, for technology, at the end of the day, does nothing to feed our soul. We have but a short time in this life to express who we are, and I think the world deserves to hear our vision, and not just my voice but yours as well…So what are you waiting for…go get your own blog and get your speak on…Lol…..

So today I read the following saying:

“Life is not measured by the number of breaths we take but by the number of moments that take our breath away”

Is there anyone who can argue with that? Is there no truth in man’s ability to live the days..but not the day…finding peace in the ordinary and routine…neglecting their own convictions….only to realize, at the end of days, that there are no ordinary moments in life, even though it may seem otherwise at the time…

I recently took my son to the park and was relieved to see some middle to senior aged individuals practicing Tai Chi, in open view, and open to anyone wishing to join. Those daring among them did join, even though the man teaching was an elderly man of Chinese descent who taught in Chinese…not English. I don’t believe I heard him say one word in English. There were actually a few others in his group with the same background. How many people would feel comfortable in joining such an activity? Even I would feel a bit “uncomfortable” in such a situation, knowing the emotion is merely superficial at most…Letting the moment take our breath away and ignoring all critique is a sure sign of an elevated spirit. A higher consciousness even, without the pomp and circumstance.

Another image comes to mind. Several years ago, as I headed into a big corporate building in midtown Manhattan, I noticed a young man moving his hands in such a way that I could only describe as “Wing Chun”, which is a close contact martial arts style. It is best defined by its close contact and circular motions for the purpose of redirecting an attacker’s force and simultaneously attacking. Now, I didn’t find him actually practicing the technique to be unordinary, just his choice of location. He did it in plain sight while waiting for the elevator, in a lobby of corporate America. Surely he has a much deeper appreciation for living the moment.

There are many things that make us who we are. Nature is forever married to Nurture, and together they define who we are at this very moment in time. Body and mind are intertwined, with one having equal influence over the other. When they are developed together they naturally complement each other, freeing the heart to express itself, the eyes to see in new light, and allowing the moment to simply take our breath away.

Categories: Daily Insights

Powershell in Action….

November 23, 2009

I’m by no means a scripting expert, and the experience I do have is limited to that of simple VBScript. I do however recognize its importance and believe that learning a scripting language will not only provide for greater efficiency, but is now a requirement in the world of Windows IT administration. It was with that conviction that I signed up for a 3 day Powershell class titled “Automating Windows Server 2008 Administration with Windows Powershell” at Global Knowledge. It was official Microsoft course 6434A and was taught by Brian Langan. I have to admit that, at times, it was a bit dry, but when it comes to learning the basics of scripting it’s what I expected. I now use the book, along with online content, to further develop my understanding of Powershell.

Having recently migrated over from MCSE to MCITP, I’ve been required to both learn and teach Powershell fundamentals. The Microsoft Press books provide several examples regarding creating users, groups and computers, as well as a few other administrative tasks. I decided, however, that the best way to learn to “Powershell” was to come up with a list of basic tasks that could be scripted, with the end result of saving a minimum of 1/2 hour in manual configurations. I now needed to decide on the following:

  1. List of required tasks
  2. Calculate their total configuration time
  3. Decide on which tasks were best suited for my first script

Since I’m required to build new servers for every upcoming class, as well as bring new ones online to implement test scenarios, it seemed this would be the best place to start making a list of tasks needed to accomplish my goal. Although the manual configurations would seem redundant to anyone who has set up a test lab environment for the 100th time, the desire to automate such processes seems daunting in comparison.

My theory is that if it’s worth doing then it shouldn’t be easy, otherwise everyone would do it. Anyway, what doesn’t kill you makes you stronger, so let’s exercise our Powershell brain one line of code at a time.

I put together the following list of tasks I felt would best be automated and will update their manual configuration times in future updates to this blog.

Task (Time: manual configuration times not yet recorded)

  • Configure a static IP and DNS address
  • Install Active Directory
  • Reboot server
  • Create an MCITP OU
  • Create a new admin account
  • Create a new MCITP Global Group
  • Add new admin account to MCITP GL
  • Add MCITP Global group to Domain Admins GL
  • Verify DNS address configuration and reset if needed (ongoing issue with VirtualPC)
  • Install DHCP
  • Configure DHCP scopes
  • Enable Remote Desktop
  • Enable Remote Administration
  • Create the following folder: C:\Software
  • Share the C:\Software folder as “Software”
  • Map a network drive to the Software share for all Domain Users
  • Create the following folder: C:\Documents
  • Share the C:\Documents folder as “Docs”
  • Map a network drive to the Docs share for all Domain Users

I was just doing some online research looking for a viable way to accomplish the very first task, “Configure static IP & DNS address”, and although the code is out there, the examples I came across were prepared as functions. Although my knowledge of Powershell is limited at best, and the same holds true for my scripting abilities in general, I do understand some of the basic scripting principles, such as variables, arrays, and of course functions.

Ok..so what is a function? A function is a chunk of code that performs an easily reusable set of instructions. Functions have the following benefits:

  • you can repeat the block of code easily and reliably by calling the function’s name
  • you can introduce parameters that change what the code does on each call

Now knowing what a function does is a far cry from being able to actually write one so I decided to use the example code found on Andy Schneider’s Blog, as well as on the Powershell Code Repository web site. The code on the Powershell Code Repository is actually Andy’s original function but it includes some additional information.
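As an added example (not the blog’s, Andy Schneider’s, or the Code Repository’s code), here is what a function for the first task on the list can look like: parameters for the addresses, one WMI call per setting, and a read-back so the result can be verified. It assumes PowerShell 2.0 and the WMI class Win32_NetworkAdapterConfiguration; the function name and the lab addresses are made up for the example.

```powershell
# Added example (not the blog's or Andy Schneider's code): one function that performs
# the first task on the list and returns the settings it applied for verification.
# Assumes PowerShell 2.0 and the WMI class Win32_NetworkAdapterConfiguration.
function Set-StaticIPConfig {
    param(
        [Parameter(Mandatory=$true)] [string]   $IPAddress,
        [Parameter(Mandatory=$true)] [string]   $SubnetMask,
        [Parameter(Mandatory=$true)] [string]   $Gateway,
        [Parameter(Mandatory=$true)] [string[]] $DnsServers,
        [string] $AdapterDescription = '*'    # wildcard matched against the NIC description
    )

    # Only IP-enabled adapters can be configured; take the first one that matches.
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Where-Object { $_.Description -like $AdapterDescription } |
           Select-Object -First 1
    if (-not $nic) { throw "No IP-enabled adapter matches '$AdapterDescription'." }

    # Every WMI method used here returns an object whose ReturnValue is 0 on success;
    # stop at the first failure instead of leaving the adapter half-configured.
    function Test-WmiResult([string]$Step, $Result) {
        if ($Result.ReturnValue -ne 0) {
            throw "$Step failed with WMI return code $($Result.ReturnValue)."
        }
    }
    Test-WmiResult 'EnableStatic'            ($nic.EnableStatic($IPAddress, $SubnetMask))
    Test-WmiResult 'SetGateways'             ($nic.SetGateways($Gateway, 1))
    Test-WmiResult 'SetDNSServerSearchOrder' ($nic.SetDNSServerSearchOrder($DnsServers))

    # Read the adapter back so the caller sees what was actually applied; this doubles
    # as the "verify DNS address configuration" task further down the list.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($nic.Index)" |
        Select-Object Description, IPAddress, IPSubnet, DefaultIPGateway, DNSServerSearchOrder
}

# Example call with constructed lab addresses (placeholders, not a real network).
Set-StaticIPConfig -IPAddress '192.168.10.20' -SubnetMask '255.255.255.0' `
                   -Gateway '192.168.10.1' -DnsServers '192.168.10.10','192.168.10.11'
```

Run it from the server console or the VirtualPC window rather than over Remote Desktop, because changing the address of the adapter the session rides on drops that session.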

References

Computerperformance

Powershell Code Repository

Categories: Powershell

Is Free Something Of The Past?

November 14, 2009

I recently upgraded a client’s laptop hard drive from 40 to 250 GB. The replacement went without issue and Windows XP along with all user data was migrated using Norton Ghost, which took a few hours to complete. Although the user’s request did not go beyond the hard drive upgrade, I decided to run Windows Update to verify the OS, in this case XP, was up to date. I was unable however to connect to the internet even though the current IP settings were configured correctly.

I ran some normal checks to verify reliable network connectivity, like pinging both the router and a web site address, in this case www.google.com, all of which confirmed that there was an active internet connection, yet I was unable to open a web site directly. This led me to believe there was an issue with Internet Explorer, so I decided to further investigate by running the NETSTAT -an command and exporting the results to a text file.

I needed to remove several thousand lines from the initial text file, as it appeared that the machine was using its loopback address (127.0.0.1) as both source and destination address and was cycling through source ports 1024 through 4998 trying to connect to a single destination port 8085. If this wasn’t strange enough, it then reversed itself and used a constant source port of 8085 while connecting to destination ports 1024 through 5000.
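The loopback pattern described above is easy to pick out of a netstat dump by script rather than by eye. The following is an added example, not part of the original post: it parses netstat -an lines and reports any loopback endpoint that is being hit from many different source ports. The sample lines and the function name are constructed for the example; the real capture had thousands of such rows.

```powershell
# Added example: flag loopback connection sprays in 'netstat -an' output.
# The $sample lines are constructed for illustration, not the blog's actual capture.
$sample = @'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1024         127.0.0.1:8085         TIME_WAIT
  TCP    127.0.0.1:1025         127.0.0.1:8085         TIME_WAIT
  TCP    127.0.0.1:1026         127.0.0.1:8085         SYN_SENT
  TCP    127.0.0.1:8085         127.0.0.1:1030         TIME_WAIT
  TCP    192.168.1.10:1040      74.125.45.100:80       ESTABLISHED
'@ -split "`r?`n"

function Find-LoopbackSpray {
    param([string[]]$Lines, [int]$Threshold = 50)   # real captures: hundreds or more

    $rows = foreach ($line in $Lines) {
        # Columns: Proto, Local Address, Foreign Address, optional State (UDP has none)
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 3 -or $f[0] -notmatch '^(TCP|UDP)$') { continue }
        # Split on the last colon only, so IPv6 forms such as [::]:135 still parse
        $lHost, $lPort = $f[1] -split ':(?=\d+$)'
        $fHost, $fPort = $f[2] -split ':(?=\d+$)'
        if ($lHost -ne '127.0.0.1' -or $fHost -ne '127.0.0.1') { continue }
        New-Object PSObject -Property @{ LocalPort = [int]$lPort; Remote = $f[2] }
    }

    # Many distinct source ports aimed at one loopback endpoint is the pattern seen above
    $rows | Group-Object Remote | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $ports = $_.Group | ForEach-Object { $_.LocalPort } | Sort-Object
        New-Object PSObject -Property @{
            Endpoint    = $_.Name
            Connections = $_.Count
            PortRange   = "$($ports[0])-$($ports[-1])"
        }
    }
}

# Threshold lowered to 3 only because the constructed sample is tiny.
Find-LoopbackSpray -Lines $sample -Threshold 3
```

Once a suspicious endpoint shows up, rerunning as netstat -ano adds the owning PID column, which maps directly onto the tasklist listing used next to name the process.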

This is clearly not normal behavior, so I decided to examine running processes and perhaps reveal a source for this unusual network traffic. Task Manager is the standard Windows utility used to examine currently running applications and processes, so I ran the following command and exported the results to a text file. Although I removed several processes from the final list to save on space, I chose to keep several standard Windows processes and highlighted those I felt were suspicious in red.

Image Name                     PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     632 N/A
csrss.exe                    680 N/A
winlogon.exe                 704 N/A
services.exe                 748 Eventlog, PlugPlay
lsass.exe                    760 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  928 DcomLaunch, TermService
ld11.exe                   18040 N/A
freddy46.exe                 264 N/A
mstre19.exe                15780 N/A
pp10.exe                   15828 N/A
IEXPLORE.EXE               18448 N/A
GoogleToolbarNotifier.exe  18468 N/A
msmsgs.exe                 18512 N/A
wuauclt.exe                19552 N/A
wuauclt.exe                20012 N/A
drwtsn32.exe               20404 N/A
taskmgr.exe                19324 N/A
cmd.exe                    19564 N/A
wmiprvse.exe               20216 N/A
tasklist.exe                1152 N/A

 

After an initial Google search I discovered on the www.virusremovalguru.com and www.bleepingcomputer.com web sites that all 4 files were variants of the Koobface virus. Although the virusremovalguru web site had a removal tool, I wanted to get a final opinion (not that I needed one) by running the http://housecall.trendmicro.com online virus scan. The results from Trend Micro (seen below) confirmed once again that the files were that of the Koobface virus.

 

I proceeded to use the “Fix Now” option, and then reran the scan to verify that it was removed. It’s quite possible, however, that this one infection could have already led to further infections which the current analysis tools were insufficient to detect. At this time I have two recommendations….

 

  1. Reinstall the OS and then install Norton 360
  2. Install Norton 360 on the current OS and clean for known infections

 

Either way, I would highly recommend installing a premium antivirus/spyware application with as many tools available to detect malicious behavior from several points of attack. There was a time I would have suggested a free antivirus like AVG, but given the steady growth in hacker expertise focused solely on financial gain, it seems more prudent today that we require elevated measures of security to protect our greatest asset…our identity. We are now in an age where free is something of the past.

Categories: Security

CISSP Training

November 8, 2009

I recently attended training for the CISSP exam at Global Knowledge, located at the tip of Manhattan. The course was taught by Michael Gregg, author of several Exam Cram study guides and CEO of www.thesolutionsfirm.com. He specializes in security auditing, training and penetration testing. It was a pleasure having been able to take the class with someone of such refined security expertise.

There are many security certifications available in the market today, and the CISSP has become known as an industry standard for security administrators who seek to understand the whole picture when it comes to implementing best security practices. The class was given in lecture format and focused on the terms and concepts required for the exam. Although there were no hands-on exercises, the high level of technical expertise available in the class made for interesting conversation when it came to questions and discussions.

Although I have no intention of taking the CISSP exam, which consists of 250 Q’s with a 6hr limit, the knowledge gained during that week will be applied to the CEH exam, which I hope to take in the not too distant future. It’s a more hands-on, real world hacking exam that focuses on using the tools and doing the hack. The CISSP consists of 250 questions with a 6 hour limit and focuses on 10 security domains.

Categories: Training