Archive for December, 2009

Installing Powershell v2 CTP 3

December 31, 2009

I’ve recently made a commitment to myself to learn Powershell. What began with the necessity to learn Powershell basics in order to teach it as part of the MCITP: Server Administration track quickly evolved into a growing collection of index cards and a morning regimen of Powershell commands. I even posted a blog article recently on using the Get-Eventlog cmdlet, which I now incorporate into any class that even remotely mentions the Windows event logs in passing. Well, it’s not like the Tech Cafe couldn’t use the hits….:)

Categories: Powershell

Using the Get-Eventlog Cmdlet

December 23, 2009

Let’s examine how to use Powershell to look through the Security log for suspicious events, specifically those related to clearing the log as well as unsuccessful logon attempts. Powershell offers the Get-EventLog cmdlet for viewing event logs. To get a better idea of what the Get-EventLog cmdlet can do, let’s use Get-Help.
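The kind of Security-log hunt described above, as an added example that is not code from the original post. It uses only Get-EventLog (PowerShell v2); the event IDs and the replacement-string positions are Windows' own, and the threshold, hostname and time window are assumptions of this example.

```powershell
# Added example, not code from the original post. Hunts the Security log for log clearing
# and failed logons with Get-EventLog (PowerShell v2). Assumed event IDs (Windows' own):
#   517 (2000/XP/2003) and 1102 (Vista/2008 and later) = audit log cleared
#   529 (2000/XP/2003) and 4625 (Vista/2008 and later) = logon failure
# Reading the Security log needs administrative rights (or the Event Log Readers group).
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # a remote host works too, given rights
    [int]$Hours = 24,                             # how far back to look
    [int]$FailThreshold = 5                       # failures per account before it is flagged
)

$since    = (Get-Date).AddHours(-$Hours)
$clearIds = 517, 1102
$failIds  = 529, 4625

# Get-Help Get-EventLog -Full documents the -LogName, -ComputerName and -After parameters used here.
$events = Get-EventLog -LogName Security -ComputerName $ComputerName -After $since

# 1. Log clearing. Outside planned maintenance this is a strong sign that someone is covering
#    tracks, and it is one of the few actions an intruder cannot make look routine.
$cleared = $events | Where-Object { $clearIds -contains $_.EventID }
if (-not $cleared) { "No log-clear events on $ComputerName since $since" }
foreach ($e in $cleared) {
    "{0}  SECURITY LOG CLEARED  id={1}  by={2}" -f $e.TimeGenerated, $e.EventID, $e.UserName
}

# 2. Failed logons, grouped by the account that was targeted. The target account sits in a
#    different replacement-string slot in the two event formats, hence the branch.
function Get-TargetAccount($Entry) {
    if ($Entry.EventID -eq 4625) { $Entry.ReplacementStrings[5] } else { $Entry.ReplacementStrings[0] }
}

$failed = $events | Where-Object { $failIds -contains $_.EventID }
$failed | Group-Object -Property { Get-TargetAccount $_ } | Sort-Object Count -Descending |
    ForEach-Object {
        # Many failures against one account suggests password guessing; one failure against
        # many different accounts (spraying) shows up as a long tail of Count = 1 lines.
        $flag = if ($_.Count -ge $FailThreshold) { '  <-- above threshold' } else { '' }
        "{0,5} failed logons  account={1}{2}" -f $_.Count, $_.Name, $flag
    }
```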

Categories: Powershell

iPowershell iPhone App

December 22, 2009

In a previous blog post I created a list of tasks that I intended to convert into a Powershell script. The objective was to have the script perform these tasks and thereby save myself, or anyone else, a minimum of ½ hour of manual labor. The term “manual” takes on a new form as it pertains to computers; in this context it means having to perform configurations either from the GUI (graphical user interface) or the command line without the use of scripts.

During my research I’ve found some very helpful and informative sites which complement the training I’ve recently taken at Global Knowledge called “Automating Windows Server 2008 Administration with Windows Powershell”. Using both of these resources has allowed me to gain a better understanding of Powershell, and as an additional means to further my memorization of the commands and their corresponding syntax I’ve created several index cards for porting this new knowledge with me wherever I travel.

Out of curiosity I decided to see if there was an iPhone or iPod Touch app created to assist in learning Powershell, and as expected one has been created by Sapien Technologies called iPowershell. Even though the app is free I don’t yet have an iPhone or iPod Touch to test it out, but this has presented me with yet one more reason to buy one.


Categories: Powershell

Using WinPE & Diskpart to Restore Files

December 16, 2009

I was recently teaching a class on the Windows Server 2008 Backup & Restore features and options. Once everyone had performed a successful backup we examined the destination location, and I pointed out that the backup data is stored in .VHD format with several corresponding .XML files. Considering that most students taking the class are relatively new to both Windows Server Backup and Virtual PC, I thought it would be important to see how VHD files are used outside of Virtual PC. After a quick Google search on how to perform a repair using the WinPE boot disk and VHD files, I found a step-by-step run-through on the Microsoft Newsgroups which describes how to access the .VHD backup file using the diskpart utility when booting from WinPE. I thought this might also interest them, as just days ago we had performed a fresh install of Server 2008 Enterprise and used diskpart to set up the hard drive to support BitLocker encryption. Although we ultimately could not utilize BitLocker, due to the lack of a TPM chip and Virtual PC’s inability to access USB thumb drives, I did emphasize that when studying for the 646 Server Administrator exam it would be necessary to become familiar with diskpart and some of its parameters.

The step-by-step resolution below was provided in response to the following issue…

“Hello, I would like to restore a few files using Windows Server Backup coming with Windows Server 2008 R2. The OS is not booting so I started Windows PE. I use WBadmin with the option -itemtype:file to start the recovery but WBadmin claims that it is not supported to recover files or applications in Windows Preexecution Environment. Is there a trick to overcome this flaw? By the way, I installed Windows Server 2008 R2 in a VHD and now try to figure out how to backup and restore the OS. “WBadmin start backup -allCritical” is not possible. “WBadmin start backup -include:c:” works, but as I explained it is not possible to restore the VHD file in Win PE”

  1. Boot from the Win7 R2/Client setup DVD (same architecture as the installed OS)
  2. Go to Repair Windows -> Command prompt (WinRE)
  3. Run diskpart.exe -> list vol; you can identify the drive where the backup is stored
  4. Go to the location where the VHDs are kept (WindowsImageBackup\<computername>\Backup…\*.vhd)
  5. Mount the VHDs through Diskpart -> select vdisk file=<vhd-file>, then attach vdisk
  6. list volume to get the drive letter of the mounted VHD partition
  7. Copy the required files from the mounted VHD volume to the recovery target: xcopy.exe /cherky <mountedvhd>:\… <recovery-target>, e.g. xcopy /cherky G:\*.ps1 C:\
  8. Then run detach vdisk

This resolution is a perfect example of a viable workaround to an existing issue. Another would have been to mount the .VHD file in an existing Virtual Machine.

References:

Using Wbadmin

Microsoft Technet Newsgroups

Categories: Server2008

Wireless LAN Foundations – Day 1

December 7, 2009

Day 1…..

It’s not surprising that wireless technologies have begun to integrate into the mainstream of our daily lives. I would go so far as to say that in the near future we will see an explosion of devices all connected wirelessly. With that understanding I’ve decided to seek out formal training in the wireless arena and have cashed in on my “all you can eat” training at Global Knowledge to take a “Wireless LAN Foundations” class. It’s meant to provide the fundamentals of wireless technologies as well as assist in preparing for the CWNA exam. The instructor’s name is Ben Miller (CWNA, CWNP) and his blog is www.sniffwifi.com. The class provided the following material:

  1. Wireless LAN Foundations course curriculum
  2. Lab Guide
  3. Official CWNA Study Guide (Certified Wireless Network Administrator)
  4. CWNA practice exam from CWNA
  5. CWNA practice exam from Sybex
  6. CWNA exam voucher
  7. Wireless enabled laptop (Dell D620)

I’m trying to document as much as possible, but the amount of material that Ben adds to the slides is more than I feel needs to be included in this blog. As I re-edit this article over the next several hours and/or days, I will remove or add content that I feel best captures the concepts of this course. After one full day of CWNA training I’ve come to the conclusion that, although the class is informative, the material is beyond the scope of my security objectives and I will not pursue the certification. That being said, I will use the free voucher and take the exam once this course is complete, and maybe with a bit of luck from the gods I’ll pass. Who am I kidding… if you were sitting next to me you’d have the same lost look on your face as I’ve had for the last hour or so. I will however continue to document all class material that I feel can be best represented as “blog material”, but much of the course content will be omitted.

The first slide introduces the  3 components used for wireless networks:

  1. Transmitter
  2. RF Channel
  3. Receiver

Ben then used several questions to provide further explanations into this simple diagram.

How do we get data on the channel?

  • Amplitude = wave height
  • Frequency = # of wave cycles per second.  1 wave cycle per second is 1Hz.
  • Phase = is the starting point of wave

Frequency modulation is not used in 802.11a, b, g or n. Modern wireless networks use amplitude (height of wave), which is used at higher WLAN speeds. The best way to describe phase is to compare a wave to a clock, with 12 being the highest point and 3 the lowest.

How do we differentiate channels?

Frequencies are used to differentiate channels.

  • Band = series of channels.

Unlicensed frequency bands used in wireless are 2.4 & 5 GHz (billions of cycles per second). One drawback to using these frequencies is that they are currently used by all WLANs, and therefore issues will arise when multiple devices are using the same frequency and channel.

What is  behind the wireless link?

  • P2P
  • WLAN
  • Wireless broadband

The 802.15 standard is used for wireless personal area networks. One of the well-known technologies used today is Bluetooth. Some of the characteristics of Bluetooth are:

  • 2.4 GHz band
  • Fast FHSS (frequency hop spread spectrum)
  • Speeds: up to 3 Mbps
  • Range: Class 1(300 ft),  2(30 ft),  3(3 ft)

Some other lesser-known P2P wireless technologies are ZigBee and Z-Wave. They have much lower bandwidth transmission rates, 250 Kbps, which requires less power.

WLAN = specific technology used to extend a lan wirelessly

802.11 = standard for the technology

WiFi = certification for real world products

Section 2: WLAN Infrastructure

Wireless works at Layers 1 & 2 of the OSI model. These layers deal with wireless standards such as 802.11a/b/g/n and MAC addresses. The most common WLAN connectivity device is the Access Point. The following are standard configuration parameters for APs:

  • SSID
  • Channel
  • Power
  • Security
  • Optional

In addition, all APs have a BSSID, or Basic Service Set ID.

One recommendation is to use a very familiar SSID name so that it will not be uniquely identifiable on war-driving sites like www.wigle.net. I just did a search for both of my SSIDs and, to my surprise, there I was. It was able to provide even the generalized location of the access point, but no address. So much for anonymity.

Section 3: Wi-Fi Standards

There are a few characteristics that define the Wi-Fi standards:

  • Frequency band (2.4 GHz: 3 channels)
  • Air Interface (DSSS: max 2 Mbps)
  • Data Rate: how much data can be sent in one frame
  • Throughput: how much data is actually being sent
  • Dynamic Rate Switching: all devices will negotiate data rate based on interference

There are several extra services at the MAC layer which are used to support Layer 1 wireless functionality:

  • Addressing
  • BSS membership (roaming)
  • Arbitration (channel sharing)
  • WEP
  • Fragmentation (collision handling)

There are 3 approved standards; I have included their corresponding air interface methods:

  • A (OFDM)
  • B (HR-DSSS)
  • G (ERP-OFDM / HR-DSSS)
  • N (HT OFDM / OFDM / HR-DSSS) *OFDM is used with MIMO

It’s coming to a close for day 1, and the material covered so far has been… well, how do I say this… technically dry and unmotivating. This is no reflection on Ben’s teaching style but is directed more at the course content. The saving grace has been the lab exercises, not to mention documenting all this on the blog. Self-expression always seems to elevate the spirit.

Lab 1: WLAN Client Management

  1. Configure Basic Client Settings
  2. Configure Preferred Networks
  3. Configure Advanced Client Settings

These were simple exercises, and I was aware of all the settings in exercises 1 & 2, but some of the Advanced Client Settings I had yet to configure. Some of the settings for configuring your basic wireless settings are seen below. Anyone who has had to set up an XP wireless connection will be familiar with these settings. As can be seen, no encryption has been set and the SSID is unique, something that would be discovered on www.wigle.net (of course I verified this).

Some of the additional settings that I was introduced to in exercise 3 were:

  • Disable Upon Wired Connect (self explanatory)
  • Band Preference (

Both of these settings are shown below:

Section 4: RF Fundamentals

Raw signal strength is measured in dBm. So what represents a good signal in dBm? -70 dBm or higher is good (that is a negative number). SNR is Signal minus Noise; most devices will be >= 10 dB. I’m still not too sure what these numbers mean, but I do remember seeing them on a site I found on how to build your own wireless antenna. I never built the antenna, and after a quick review of the site I realize that I still have a very limited understanding of the fundamentals of this technology.

RF energy is directed based on antenna structure. All antennas give more coverage in one direction than in all directions. The concept of an isotropic radiator is a theoretical circular coverage area around an antenna; no real antenna works in this fashion. Antenna gain is measured in dBi, which is calculated as the additional coverage extended in an oval pattern away from the antenna. There are 3 types of antennas:

  • Omnidirectional – all horizontal directions
  • Semidirectional – limited vertical direction – Yagi
  • Highly directional – point to point

Categories: Training

Defending Windows Networks – Full 5 Days

December 3, 2009

Day1….
If you’ve read the previous blog article “CISSP Training”, posted several weeks ago, or have had any direct communication with yours truly, then you would know I recently took advantage of an “unlimited” training package offered by Global Knowledge. It includes unlimited training (certain classes not optional) within 4 months for one set price. If permitted to take all the classes requested, the total value of the package would come close to $30,000, of which I paid a mere $4,400 in comparison. Such an opportunity is rare indeed, so I decided to sign up and have not regretted it one bit.

Today I began a week-long training session called “Defending Windows Networks”. The instructor, Karl Koeler, has brought an enormous amount of energy and knowledge to the class, and I have enjoyed his instructional style as well as admired his level of security expertise.

The following key concepts will be covered during the training:

  • Security: From Concept to Policy
  • Encryption Concepts
  • Evaluating the Threat
  • Target Acquisition
  • Sniffing Around (network monitoring)
  • Compromising Windows Authentication
  • Account Discovery
  • Trojan Horse
  • Defeating and Defending the Firewall
  • Defending Against Other Windows Exploits
  • Wireless Intrusion
  • Using Windows Certificate Services
  • Laptops
  • Leveraging Security Policies

The package includes 3 books:

  • Global Knowledge course content (developed by Karl)
  • Lab Guide
  • Hacking Exposed Windows by Joel Scambray & Stuart McClure (third edition)

I had purchased and read the original “Hacking Exposed” book sometime in 2001, and I just remembered an incident in which I made a poor decision in downloading and testing one of the free HTTP vulnerability scanners at my then current position as Helpdesk Analyst at TimeInc. Let’s just say the incident brought much attention to me, and after careful explanation and an overwhelming apology I was lucky to keep my job. I was also advised not to bring, or be seen reading, Hacking Exposed on company property. Of course I couldn’t help bringing the book as reading material for the train ride in and out of Manhattan, but it remained safe and sound inside my bag while onsite.

So today’s class covered setting up Virtual PC in order to utilize preconfigured virtual machines, as well as the following concepts:

  • Security: From Concept to Policy
  • Encryption Concepts

Completed the following labs:

  • Designing security policy
  • Setting up the lab environment

Day2..

So today, after an initial introduction to several of the freely available security tools, we were required to update our toolbox with new versions of the following software, for which I have included their corresponding web sites:

Karl had already created a Security Tools folder which contained a multitude of other security tools along with this morning’s downloads, as seen below.

Once they were downloaded we began Exercise 3, “Installing Security Tools”. This involved installing the following from the list above:

  • Wireshark
  • LANguard
  • Metasploit
  • LC5
  • Superscan
  • BackOrifice
  • Aircrack-ng

It appears however that we may need to downgrade the Metasploit install, as the new version is currently command line only and runs using Linux commands.

After installing the utilities we continued with section 3, “Target Acquisition”, which describes the organizations that have a high profile for attack, like government agencies, financial institutions, the military and schools. After deciding on whom to attack, the next step is to do some reconnaissance on the Internet in order to discover as much information about that organization as possible, such as the following:

  • Job postings (can reveal what technologies they are currently implementing)
  • DNS registries (usually looking for admin contact info or IP address ranges)
  • Google Hacks (looking for specific file types associated with that company)

It was just a matter of time before the topic of “Windows Hacking” was discussed, and for obvious reasons. It is by far the most popular OS being used by both home and corporate desktop users, who are almost always poorly trained regarding best practices as they apply to computer security. The users who write their passwords down on sticky notes and post them on their monitor are at risk of compromising their immediate division’s resources and quite possibly other sections of the network environment. The same person wouldn’t leave their house key attached to the front door for anyone to use, but they don’t apply the same principles to computer security. This doesn’t make them idiots, just uneducated in best security practices… well, maybe the sticky notes might qualify them for idiot status, but there are many other areas of possible compromise that could be avoided with a little bit of training.

And so it is now time for Exercise 4, “Network Scanning and Footprinting”. This exercise uses the following tools in order to scan for open ports and then determine their corresponding services:

  • Superscan
  • LANguard
  • Zenmap (gui version of nmap)

The most effective tool by far was LANguard, as it detected far more information than just open ports. I did like, however, the topology view in Zenmap, as it color codes the machines based on their attack and vulnerability status.

After lunch we have now moved on to section 5, “Sniffing Around”, covering tools like Wireshark and Cain & Abel to sniff network traffic and use the results as a means of discovery. The first demonstration, using Cain & Abel, was used to discover FTP and Outlook Express POP3 usernames and passwords. I have to admit that I was not aware that Outlook Express sends credentials in plain text, but in hindsight I realize just how obvious this was. None of FTP, POP3, SMTP or Telnet encrypts traffic. When accessing Hotmail using the web, the original connection used to authenticate via username and password is actually transmitted using HTTPS (encrypted); all subsequent traffic utilizes HTTP. When using Outlook Express all email traffic uses either POP3 (download) or SMTP (send).

Cain & Abel can also be used to sniff in passive mode (your MAC only), which goes undetected by Intrusion Detection Systems (IDS). This is in contrast to placing the network adapter card in promiscuous mode (all MACs on the wire), which would be flagged by an IDS, as it is more vocal about its desire to capture all traffic on the switch. Capturing data sent to and from your machine is fairly simple using tools like Wireshark and Cain & Abel, but the real gem would be to capture all traffic traversing a switch. There are 2 ways to do this:

  • Attach machine to mirrored port on switch
  • ARP cache poisoning

Of the two ways, ARP cache poisoning is the easiest to do, as it is software based and requires no physical access to the switch. The idea is to send out so much false ARP traffic to the switch that it becomes overwhelmed and turns itself into a hub, thereby allowing all traffic to be sniffed. ARP poisoning can also be extended to redirect traffic to a specific host machine that was originally destined for another client on the network. Once this is done, the machine receiving the data can then, with additional software, be configured to act as a proxy and forward the data to the appropriate machine. In this instance neither party would be aware that traffic is being captured, as there would be no disruption in network communication. Below are the configurations available via C&A regarding ARP cache poisoning:
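From the defender's side, here is an added example (not part of the course material or this post) of spotting the redirect just described from a victim's own ARP cache: it parses the output of arp -a and flags a MAC that answers for more than one IP, plus a gateway MAC that no longer matches a recorded baseline. The gateway address and baseline MAC are assumptions, and the sample cache is constructed so the script runs offline.

```powershell
# Added example, not code from the course. A local check for ARP cache poisoning: parses
# arp -a and reports (1) any MAC that claims several IP addresses and (2) a gateway entry
# whose MAC differs from a known-good value. PowerShell v2 compatible.
param(
    [string]$GatewayIp  = '192.168.1.1',          # assumption: your default gateway
    [string]$GatewayMac = '00-11-22-33-44-55',    # placeholder baseline; record your own from a clean state
    [switch]$Live                                 # read the real cache instead of the sample
)

# Constructed sample of 'arp -a' output. Here the gateway entry has been overwritten with the
# same MAC that 192.168.1.20 uses, which is what a successful poisoning looks like.
$sampleText = @'
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
'@

function Get-ArpEntries([string[]]$Lines) {
    # One object per "ip  mac  type" row; header and interface lines do not match the pattern.
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)') {
            New-Object PSObject -Property @{ Ip = $matches[1]; Mac = $matches[2]; Kind = $matches[3] }
        }
    }
}

$lines   = if ($Live) { arp -a } else { $sampleText -split "`n" }
$entries = Get-ArpEntries $lines | Where-Object {
    # Broadcast and IPv4 multicast entries legitimately share MACs; leave them out.
    $_.Mac -ne 'ff-ff-ff-ff-ff-ff' -and $_.Mac -notlike '01-00-5e-*'
}

# (1) One MAC answering for several IPs is the classic symptom of a poisoned cache.
$entries | Group-Object Mac | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $ips = ($_.Group | ForEach-Object { $_.Ip }) -join ', '
    "WARNING: MAC {0} claims {1} addresses: {2}" -f $_.Name, $_.Count, $ips
}

# (2) The gateway is the usual target; any change from the recorded MAC deserves a look.
foreach ($g in ($entries | Where-Object { $_.Ip -eq $GatewayIp })) {
    if ($g.Mac -ne $GatewayMac) {
        "WARNING: gateway $GatewayIp now resolves to $($g.Mac), expected $GatewayMac"
    }
}
```

Against the constructed sample this prints both warnings; a static ARP entry for the gateway (arp -s) is the usual host-side mitigation while the switch side is investigated.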

Having the ability to discover usernames and passwords in clear text has its limitations. This is due to the fact that current authentication mechanisms don’t send passwords in clear text over the wire. This takes us to section 6, “Compromising Windows Authentication”.

After a brief review of the history of the LM, NTLMv1, v2 & Kerberos authentication schemes, at the end of the day it all boils down to the simple principle “You don’t hack systems, you hack people”. When people unknowingly install a trojan which then uses pwdump or fgdump to download usernames and their encrypted passwords for both local and cached domain accounts, it’s possible to use rainbow tables to crack them. As I have just learned, there is no shelter to be found from the password cracker.

Some sites that assist in accessing rainbow tables, either free or paid for, are:

Categories: Security

Defending Windows Networks – Day 4

December 3, 2009

Day 4…..

Section 9: Defeating and Defending the Firewall

After a brief description of a firewall’s basic functionality, we discussed some of the most commonly used ports that should be blocked outgoing via the firewall:

  • 23 – telnet
  • 88 – kerberos
  • 135 – rpc
  • 139 – netbios
  • 445 – cifs (smb)
  • 3268 – gc
  • 3269 – gc
  • 3389 – rdp

The reasoning for blocking these ports is to prevent a reverse-connecting trojan, once installed, from connecting back to the hacker’s box. Each restricted port provides another barrier which the hacker must circumvent. Although this is a minor detail, it still falls within the realm of best practices. So what ports do need to be open in order to provide Internet resource functionality? Below is a list of ports that would most likely be permitted:

  • 25 –  smtp
  • 53 – dns
  • 80 – http
  • 443 – https

There would most likely be a few more ports depending on the needs of the organization, but these ports would provide Internet and email access, both of which are required in today’s corporate environment.
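The two port lists above turned into host firewall rules, as an added example that is not from the course material. It drives netsh advfirewall (present on Vista / Server 2008 and later; the XP firewall has no outbound filtering), and the rule-name scheme and the optional default-deny switch are assumptions of this example.

```powershell
# Added example, not code from the course. Creates outbound block rules for the "should be
# blocked" ports and allow rules for the "should be permitted" ports using netsh advfirewall.
# Run from an elevated prompt on Vista / Server 2008 or later. Rule names are this example's own.
param([switch]$DefaultDenyOutbound)   # also set the default outbound action to block

$block = @{ 23 = 'telnet'; 88 = 'kerberos'; 135 = 'rpc'; 139 = 'netbios';
            445 = 'smb';   3268 = 'gc';     3269 = 'gc';  3389 = 'rdp' }
$allow = @{ 25 = 'smtp'; 53 = 'dns'; 80 = 'http'; 443 = 'https' }

function Add-EgressRule([int]$Port, [string]$Service, [string]$Action) {
    # DNS needs UDP as well as TCP; block rules cover both so a reverse-connecting trojan
    # cannot simply switch protocol on the same port.
    $protocols = if ($Action -eq 'block' -or $Port -eq 53) { 'TCP', 'UDP' } else { 'TCP' }
    foreach ($proto in $protocols) {
        # No spaces in the name keeps the argument simple when PowerShell hands it to netsh.
        $name = "Egress_${Action}_${Service}_${Port}_$proto"
        netsh advfirewall firewall add rule name=$name dir=out action=$Action `
            protocol=$proto remoteport=$Port profile=any | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "failed to add rule $name" }
    }
}

# In Windows Firewall an explicit block rule always wins over an allow rule, so creation
# order does not matter. The allow rules only become meaningful once the default outbound
# action is block; until then they merely document intent.
foreach ($p in $block.Keys) { Add-EgressRule $p $block[$p] 'block' }
foreach ($p in $allow.Keys) { Add-EgressRule $p $allow[$p] 'allow' }

if ($DefaultDenyOutbound) {
    # Everything not covered by an allow rule (or by the built-in Core Networking rules) is
    # now dropped; a web proxy on a non-standard port, for instance, needs its own rule first.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null
}

# Review what was created.
netsh advfirewall firewall show rule name=all | Select-String '^Rule Name:\s+Egress_'
```

To undo, delete the rules by name (netsh advfirewall firewall delete rule name=<rule>) and reset the policy to blockinbound,allowoutbound.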

Lab 9: Reverse Connection Trojans

  1. Preparing the Lab System VMs
  2. Using the Reverse Connecting Trojan
  3. Use Yet Another Binder and BO2K Together

This lab was similar to lab 8.

Section 10: Defending Against Other Windows Exploits

One of the best security measures that can be implemented to limit our attack surface is to install all required security patches and service packs as advised by Microsoft or any other vendor whose software we have installed.

Buffer overflows were some of the original attacks used to compromise a system. This required an in-depth knowledge of programming, which limited the scope of individuals capable of performing such attacks. There are now tools such as Metasploit (free) which can be used to launch known exploits against a target with limited or no knowledge of programming whatsoever. I just watched a demonstration where an exploit was used to create a user and add them to the administrators group on the remote system. Granted, the system was a Windows 2000 server, but what’s important is that this hack would have failed if the box had been fully patched.

Not only does Metasploit permit a non-programmer to compromise a remote machine with relative ease, but it also provides the code used to perform the hack. This allows the hacker to learn how it was done by examining the code, so it’s an educational tool as well.

There are several ways to automate the install of approved patches and updates in a windows environment:

  • Windows Server Update Services (WSUS)
  • System Center Essentials (SCE)
  • System Center Configuration Manager (SCCM)

Lab 10: Using Metasploit

  1. Exploring the Metasploit Framework
  2. Using the Metasploit Framework against a Target
  3. Other Target systems

This exercise used Metasploit to add a user to a remote Windows 2000 server using the ms06_040_netapi exploit, as was demonstrated earlier by Karl. An initial search for vulnerabilities found on a Win 2000 machine displays the ms06 exploit to be used. Once you have chosen the specific exploit to try, double-clicking it opens up a wizard. This allows you to decide the OS type upon which the exploit should be tried, as well as which specific action to perform, such as add user (chosen below), create a remote shell or use RDP to open a remote session. The only info required now is the destination address and the user/password to be created. Once this info is chosen, clicking on Forward begins the hack. I was ultimately able to create the user as well as use additional exploits to connect using RDP and a remote shell. This is truly assembly line… automated hacking. Very little knowledge is required to use this tool, which means children can have a field day attacking and compromising machines all day long. The lesson to be learned here is that patching a system is critical. I would even go so far as to say that it supersedes other security measures in precedence of implementation.

Proof of Concept Exercise

So now the challenge has come, as I assumed it would eventually. Karl provided us with some helpful information that he was able to retrieve using fgdump. The following info is from the fgdump log file:
— fgdump session started on 10/15/2008 at 11:26:43 —
— Command line used: fgdump —
— Session ID: 2008-10-15-15-26-43 —
Starting dump on 192.168.33.192

** Beginning local dump **
OS (192.168.33.192): Microsoft Windows XP Professional Service Pack 2 (Build 2600) 
Passwords dumped successfully
Cache dumped successfully

—–Summary—–

Failed servers:
NONE

Successful servers:
192.168.33.192

Total failed: 0
Total successful: 1

The second file contained the output of pwdump, which dumps the LM & NTLM password hashes for each local account.


This was all the info he provided, and from this we were supposed to compromise the box and gain access to a user’s bank account info. To keep things simple I’ve documented only the steps used to compromise the box and have left out any issues I encountered during the process.

  1. Used both Cain & Abel and LC5 to crack the passwords. What LC5 couldn’t crack, C&A was able to using rainbow tables
  2. Ran GFI LANguard and Zenmap against the IP address taken from the fgdump log file and looked for open ports
  3. Discovered the following open ports: 139, 445, 3389 (139/445 = file sharing, 3389 = Remote Desktop)
  4. I then tried mapping a network drive from the command prompt as follows: net use * \\192.168.33.192\c$. I tried all user accounts until I found the one that worked
  5. Browsed that user’s Documents & Settings folder (XP) and discovered from their Favorites that they most likely did personal banking online
  6. Browsed further into their profile and discovered Outlook Express mail had been set up
  7. Copied over the Outlook Express folder to my machine and imported the folders
  8. Examined their Inbox and discovered an email from their bank which contained their account name
  9. Used the account name from the email along with the cracked password and I was able to access their account

There isn’t a class that I’ve taught where I didn’t discuss the default shares that exist on every Windows machine known to man. C$ is a hidden share which provides access to the whole C: drive, provided you have a username and password that can authenticate. Most students are unaware of this, as well as of being able to use it to connect remotely. A simple command like net share (run from the command prompt) will reveal all shares (hidden or not) that exist on the local machine. The following are the 3 default shares:

  • C$ (c:\)
  • ADMIN$ (c:\windows)
  • IPC$ (used for Interprocess communication)

If you have any additional drives or volumes, then they also will be shared. Accompany that with an Administrator account and no password and the situation is ripe for exploitation.
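An added audit script for exactly that situation, not code from the course or this post: it lists the hidden shares (what net share shows, plus whether Windows created them), who is connected to them right now, and the two settings that decide whether a blank Administrator password is usable over C$. The registry values and WMI classes are Windows' own; it is written for PowerShell v2 on the local machine and needs administrative rights.

```powershell
# Added example, not code from the course. Audits the default administrative shares on the
# local machine, the sessions currently attached to them, and the conditions that make a
# blank-password Administrator account usable over the network. PowerShell v2 / WMI only.

function Get-HiddenShares {
    # Same list as 'net share', but Win32_Share adds the Type field, whose high bit marks a
    # share Windows created itself (C$, ADMIN$, IPC$, and one per extra drive letter).
    Get-WmiObject Win32_Share | Where-Object { $_.Name -like '*$' } | ForEach-Object {
        $kind = if ($_.Type -band 0x80000000) { 'admin (auto-created)' } else { 'hidden user share' }
        New-Object PSObject -Property @{ Name = $_.Name; Path = $_.Path; Kind = $kind }
    }
}

function Get-AdminShareSessions {
    # Active SMB connections to hidden shares. A 'net use \\host\c$' from another machine
    # shows up here as an IPC$ session followed by the C$ connection, with the client name.
    Get-WmiObject Win32_ServerConnection | Where-Object { $_.ShareName -like '*$' } |
        Select-Object ShareName, ComputerName, UserName, ActiveTime
}

function Get-Findings {
    $findings = @()

    # Enabled local accounts that do not require a password (Administrator with a blank
    # password is the textbook case). The WQL filter keeps a domain-joined machine from
    # enumerating the whole directory.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { -not $_.PasswordRequired -and -not $_.Disabled } |
        ForEach-Object { $findings += "enabled local account with no password required: $($_.Name)" }

    # LimitBlankPasswordUse = 1 (the default) confines blank-password accounts to console
    # logon; it is what stops a blank Administrator password from working over C$.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.LimitBlankPasswordUse -ne 1) {
        $findings += 'LimitBlankPasswordUse is not 1: blank passwords are usable over the network'
    }

    # AutoShareServer / AutoShareWks = 0 stops C$ and ADMIN$ from being recreated at boot
    # (IPC$ stays). A missing value means the default, i.e. the shares are created.
    $lm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    foreach ($v in 'AutoShareServer', 'AutoShareWks') {
        $state = if ($lm.$v -eq 0) { 'disabled' } else { 'enabled (default)' }
        $findings += "$v : automatic administrative shares $state"
    }
    $findings
}

"== hidden shares =="
Get-HiddenShares | Format-Table Name, Path, Kind -AutoSize
"== current sessions to hidden shares =="
Get-AdminShareSessions | Format-Table -AutoSize
"== findings =="
Get-Findings
```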

Categories: Security