Saturday, May 9, 2009

Windows Eventlog Fun with Free Tools

This week at work I was asked to find why a specific account was constantly being locked out. Sounds pretty easy eh. Well the thing is, this was a service account and I have quite a lot of DC's where this could be happening from.

I did a little research on my favorite site and ran a few tests to make sure I new what I was looking for and I set about getting the remote logs to my site so I could perform some analysis.

I started out with Dumpevt from Somarsoft. I could just grab a single event log using the following:

dumpevt.exe /computer=SERVER01 /logfile=sec /outdir=c:\Temp\Dump /all

But then I figured that I really needed to automate the retrieval of the logs so I threw in a FOR loop to go through a list of servers:

FOR /f %i in (c:\servers.txt) do @dumpevt.exe /computer=%i /logfile=sec /outfile=c:\Temp\Dump\%i-SecLog-%random% /all

As I sat back and waited...and waited .....and waited I figured that this probably wasn't the most efficient use of time or bandwidth as the logs were all over 250MB in size. I took the logs I had so far and opened them in Mandiant's excellent tool Highlighter. Well that's when I hit my second problem. Highlighter took absolutely ages to open the logs using my measly 512MB of RAM.

So I needed a way to parse the logs on the server and return just the events of interest. I then turned to the Microsoft tool EventComb. This tool is allowed me to search through a list of servers for just the events I needed. It had predefined searches in that could be useful. Eventcomb also allowed me to set the amount of threads I wanted to run and allowed me to search through events within a specific date range. The events were then output from each server to individual text files which allowed me to search through them easily with highlighter.

Whilst I was having all this fun I also wrote a few scripts in log parser for fun. Here's a couple of the scripts I put together in LogParser and the commandline to run them:

LogParser.exe file:logon-failure.sql -i:EVT -o:datagrid

ComputerName, Timegenerated AS LogonTme, EventID, EventType, EventCategoryName,
extract_token(strings, 1, '|') AS ComputerName,
extract_token(strings, 0, '|') AS User,
extract_token(strings, 2, '|') AS Logon_Type,
extract_token(Message, 0, ':') AS Message,
extract_token(Message, 2, ':') AS Reason

FROM \\Server01\Security


And for the account lockouts here's an example of throwing the script into a loop that I could just cut and paste onto the commandline to output the results from multiple servers into a csv file:

FOR /f %i in (c:\servers.txt) do @LogParser.exe -i:EVT -o:csv -headers:auto -Filemode:0 "Select ComputerName, Timegenerated AS LogonTme, EventID, EventType, EventCategoryName, extract_token(strings, 1, '|') AS ComputerName, extract_token(strings, 0, '|') AS User INTO C:\failedlogons-%random%.csv FROM \\%i\Security WHERE EventID IN (644)"

My conclusion from this was whilst I really like LogParser it does take a while to get it tuned to find exactly what I wanted. However, it is an extremely flexible tool for searching many different types of logs and if you get the Syngress book there is a great example of creating an IDS tool with LogParser. The benefit of LogPaser is that it can be scripted to run regularly as a scheduled task for arching those events you might be interested in.

EventComb was easy to use, let me save my searches for reuse later and used along with Highlighter proved to be just what I needed to get to the detail very quickly and resolve my problem.


Saturday, May 2, 2009

Toying With Terminal Services - Part 1

Whilst on holiday this week I began to get bored in the evenings with no internet access and whilst everyone else watched TV. So I decided to set myself a little VM lab up on my Mac and play with Terminal Services.

My aim was pretty simple, from a very locked down desktop I wanted to bypass the restrictions put in place and see how I could get to programs that the admin had tried to prevent me from getting to.

As we can see, all I have access to is a desktop with Notepad. No right click, Internet Options are restricted, the desktop is extremely locked down by group policies.

So once again I'm on the hunt for holes in the group policy so I can enumerate the domain and get to websites to post data or for additional tools etc...

As I start to hunt around I figured instead of accessing the desktop as I am supposed to, what if I configured my RDP client to launch one of the programs that I need straight after login instead of going to the desktop.

And what do you know........Bingo!

Although in group policy the admin could have restricted access to cmd.exe it's pretty hard to run login scripts etc.. so most admins won't, they'll just make it difficult to get to.

Of course this worked for launching an MMC also, and pretty much any program. Again the snappins for MMC's can be restricted in group policy but how many admins are going to go to that level?

Coming up.......More Terminal Services goodness.