Netsh commands


This is nothing new or exciting; I just keep forgetting the syntax, so I'm leaving it here to make it much easier to find/remember.

Interface Configuration

Configure the interface named Local Area Connection with the static IP address 192.168.66.100, the subnet mask 255.255.255.0 and a default gateway of 192.168.66.1:

netsh interface ip set address name="Local Area Connection" static 192.168.66.100 255.255.255.0 192.168.66.1 1

Add multiple IP addresses

netsh interface ip add address "Local Area Connection" 192.168.66.101 255.255.255.0

netsh interface ip add address "Local Area Connection" 192.168.66.102 255.255.255.0

Configure DNS

netsh interface ip set dns "Local Area Connection" static 192.168.66.200

Add multiple DNS entries

netsh interface ip set dns "Local Area Connection" static 192.168.66.200 primary
netsh interface ip add dns name="Local Area Connection" 192.168.66.201 index=2

Configure WINS

netsh interface ip set wins "Local Area Connection" static 192.168.66.200

DHCP

Automatically obtain an IP address from a DHCP server:

netsh interface ip set address "Local Area Connection" dhcp

Obtain the DNS/WINS settings from DHCP:

netsh interface ip set dns "Local Area Connection" dhcp

netsh interface ip set wins "Local Area Connection" dhcp

Rename interfaces

netsh.exe interface set interface name="Local Area Connection" newname="INT"

netsh.exe interface set interface name="Local Area Connection(2)" newname="Internet"

Disabling/enabling an interface

netsh interface set interface name="Local Area Connection" admin=disabled

netsh interface set interface name="Local Area Connection" admin=enabled

Export your current IP settings

netsh -c interface dump > c:\current1.txt

Import your IP settings

netsh -f c:\current1.txt

You can also use the global EXEC command instead of -f:

netsh exec c:\current1.txt

LOOPS

FOR /L %I IN (2,1,20) DO netsh interface ip add address "Local Area Connection" 192.168.66.%I 255.255.255.0

This adds the IP addresses 192.168.66.2 through 192.168.66.20, stepping by 1 each time.
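The export/import pair above is most useful as a safety net when changing an interface remotely. The script below is an added example (not from the original post) that wraps the same netsh commands in Windows PowerShell: it dumps the current configuration, applies the static settings, and restores the dump if the gateway stops answering. The interface name, addresses and backup path are the ones used in the post and are assumptions for your environment.

```powershell
# Added example: reconfigure an interface with netsh and keep a rollback file.
# Assumptions: Windows PowerShell running elevated; interface name, addresses and
# backup path are taken from the post above and should be adjusted to suit.
$Interface = "Local Area Connection"
$Address   = "192.168.66.100"
$Mask      = "255.255.255.0"
$Gateway   = "192.168.66.1"
$Dns       = "192.168.66.200"
$Backup    = "C:\current1.txt"

# 1. Export the current interface configuration (same as "netsh -c interface dump > file").
#    -Encoding Default writes the ANSI code page that "netsh -f" expects to read back.
netsh -c interface dump | Out-File -FilePath $Backup -Encoding Default

# 2. Apply the static address, mask, gateway (trailing 1 is the gateway metric) and DNS server.
netsh interface ip set address name="$Interface" static $Address $Mask $Gateway 1
netsh interface ip set dns name="$Interface" static $Dns

# 3. Verify the change: the gateway must answer, otherwise put the saved configuration back.
if (Test-Connection -ComputerName $Gateway -Count 2 -Quiet) {
    Write-Host "Static configuration applied on '$Interface'."
    netsh interface ip show config name="$Interface"
} else {
    Write-Warning "Gateway $Gateway unreachable, restoring $Backup"
    netsh -f $Backup
}
```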

Examples:

http://technet.microsoft.com/en-us/library/bb490943.aspx

http://ss64.com/nt/netsh.html

From SANS 709: brute-forcing Address Space Layout Randomization (ASLR) on Linux

In my rush to get up to speed for SANS 709 Developing Exploits for Penetration Testers and Security Researchers, I'm looking for any material that will ease that learning curve.

Steve Sims has just posted up two YouTube videos on brute-forcing Address Space Layout Randomization (ASLR) on Linux straight out of the 709 courseware. Excellent timing.

Part 1: http://www.youtube.com/watch?v=DcaVyy4yu88
Part 2: http://www.youtube.com/watch?v=LRjsv5zAHjQ

Plus here is his article in Hakin9 on Hacking ASLR & Stack Canaries on Modern Linux: http://hakin9.org/magazine/918-21st-century-hacking-technique

Wifu Aireplay-ng SKA attack problem with Linksys WAP54G

While (finally) working through the last hands on practical of the excellent Offensive Security’s Wifu course, I hit an odd road block.

The Aireplay-ng attack on SKA was not going well. This was annoying, to say the least.

My command airodump-ng --channel 1 --bssid 00:01:02:03:04:05 -w ska wlan0 was running fine and capturing traffic happily from my test Linksys WAP54G (firmware v3.1).

The four output files generated from the command appeared, but the magic .xor file refused to appear despite issuing numerous de-authentication commands:

aireplay-ng -0 10 -a 00:01:02:03:04:05 -c 00:00:DE:AD:BE:EF wlan0

Turning off and on the wireless client machine’s NIC didn’t fix this either.

I noticed the banner of the airodump-ng output:

CH 1 ][ Elapsed: 10 mins ][ 2010-04-01 09:48 ][ Broken SKA: 00:01:02:03:04:05

A quick search turned up a link to http://www.aircrack-ng.org/doku.php?id=airbase-ng, then the searching turned up various people ranting and talking madness.

Just to finish off my evening study on a sane note, I dug out an old Netgear wireless router and set it up for shared WEP encryption. Joy of joys, airodump-ng saw the authentication handshake and dumped it out into a .xor file just as it did in the notes.

I was then able to crack the massively secure 64 bit (okay 40 bit) shared WEP key in about 10 seconds after generating enough IV’s – Hurra!

METASPLOIT UNLEASHED – MASTERING THE FRAMEWORK

Stumbled over this while working on my offensive security course work. The study took a “short break” while I thumbed through the pages.

So far, it looks excellent and for a great cause too.

METASPLOIT UNLEASHED – MASTERING THE FRAMEWORK

This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework. This is the free online version of the course. If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity); $4.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it. The "full" version of this course includes a PDF guide (it has the same material as the wiki) and a set of flash videos which walk you through the modules. You may purchase these materials from the Offensive Security Training page. All proceeds from this course go to HFC.

Forefront Vs Conficker

Conficker has been doing the rounds for a while, so it was only a matter of time before it found a way onto the network.

There are some fantastic write-ups on how Conficker acts: sneaky tricks, Autorun.inf, working groups, detection methods and resources.

Here’s how Forefront deals with it.

From a USB drive

When Conficker is on a USB drive, Forefront reports it as conficker.x!inf, x being the version, and happily wipes the autorun.inf file on the USB drive. It doesn’t remove the hidden file at detection; a scan has to be run on the USB drive to remove it. Nice and straightforward.

On the network

When you get a "Forefront detected Conficker on a machine" warning, this is the time you need to be worried. Why is it a worry?

Well, gentle reader, this means Conficker was able to infect the machine and Forefront has stepped in to clean it after the fact.

By after the fact, I mean Conficker has attacked the system and dropped its .dll and AT1.job into a local folder on the attacked system.

Look in the attacked machine's System event log: two Event ID 3004 entries (Source FCSAM) followed by an Event ID 3005 entry (Source FCSAM) will have been generated.

Event ID 3004 is Forefront detecting and suspending the file; Event ID 3005 is Forefront removing the file.

Event ID from System

IMPORTANT NOTE:

If someone is logged on to the machine Forefront is protecting and Conficker attacks it, the Forefront icon turns into a red cross. If the user simply ignores this, that is, doesn't click the icon and press Smart Clean, after ten minutes Forefront removes or quarantines the file.

This means that for those ten minutes the AT1.job file and the .dll are on the attacked system, albeit in a suspended state. In that suspended state the files are still visible.

So how did Conficker get on the machine in the first place?

There are only three ways that can happen:

1) Conficker was on the machine before you installed Forefront, and Forefront detects it on the first scan

2) The patch that protects against Conficker, MS08-086 KB958644, is not installed and Conficker attacks the machine

3) And the worst, by far: an administrative account has been used to attempt to install Conficker on the machine

Ignoring the first way, and using the deployment tool of your choice to patch your machines for the second way, let's talk about big bad number three.

Here are some of the scenarios in which way number three can occur:

1) You have a terrible password policy and the password of a local administrator account is in Conficker's password-guessing list

2) Conficker successfully attacks a machine left logged in as a local admin with no AV

3) Someone with administrator rights plugs an infected USB stick into a machine without antivirus (or with antivirus that is horribly out of date)

So having Forefront installed on all machines and up to date is step one. Step two is user education on USB sticks. Step three is an awareness campaign for all of your IT admins. Since you're using Forefront, Active Directory should be in use as well. If you don't have money for smarter tools, just use software deployment GPOs to install Forefront and then use WSUS to push out the updates.

So now that I’ve taught you to suck eggs, here are some suggestions to actually help.

Group Policy Objects (GPOs) can help find Conficker-infected machines. First enable audit policies (Computer Configuration – Windows Settings – Security Settings – Local Policies – Audit Policy), the most important being Audit account logon events. Set this to Success and Failure.

With this GPO enabled and applied, when the next machine reports being attacked by Conficker, connect to that machine's Security event log and filter by Event ID 680. This ID records which account logged on to the machine and from which machine.

Event ID from Security

What we want first is the 680 successes, as a success means Conficker has an account that can connect to the system. The 680 failures still tell you which machines are attacking and can be added to the clean-up task.

There are a number of log-parsing tools and scripts out there to automate finding Event ID 680 on multiple systems; pick your favourite and use that.

The two pieces of information we are interested in within the 680 event are Logon Account and Source Workstation. These two wonderful fields tell us which account and which computer successfully attacked the machine.

Stating the obvious, run a cleaning tool (the MS tool or any one of these) or format and rebuild the computer, but only after taking a copy of the event logs. The more important part is the user account. In a number of companies, every machine has the same local administrator account. If this is a poor password, it is time to change it. Script out a password change for all machines; plenty of examples on how to do this are online.
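One way to do the Event ID 680 triage described above, as an added Windows PowerShell example that is not from the original post: it copies the raw entries off the machine first, then lifts Logon Account and Source Workstation out of each event and lists the successful pairs before the failures. The computer name, the export path and the field labels matched by the regular expressions are assumptions (the labels follow the post's description of the 680 event).

```powershell
# Added example: triage Event ID 680 on one machine, successes first.
# Assumptions: Windows PowerShell with remote event log rights; the computer name and
# export path below; "Logon account:" / "Source Workstation:" labels in the event text.
param(
    [string]$ComputerName = "WS-ATTACKED",                    # assumed name of the reported machine
    [string]$ExportPath   = "C:\logs\${ComputerName}-680.csv"
)

# Copy the raw entries first, as the post advises, before cleaning or rebuilding the box.
$events = Get-EventLog -LogName Security -ComputerName $ComputerName |
    Where-Object { $_.EventID -eq 680 }
$events | Export-Csv -Path $ExportPath -NoTypeInformation

# Lift the two fields of interest out of each event's message text (-match is case-insensitive).
$parsed = foreach ($e in $events) {
    $account = if ($e.Message -match 'Logon account:\s*(\S+)')      { $Matches[1] } else { '?' }
    $source  = if ($e.Message -match 'Source Workstation:\s*(\S+)') { $Matches[1] } else { '?' }
    New-Object PSObject -Property @{
        Time    = $e.TimeGenerated
        Result  = $e.EntryType          # SuccessAudit or FailureAudit
        Account = $account
        Source  = $source
    }
}

# Priority one: successful 680s, i.e. account/workstation pairs that can already reach this system.
$parsed | Where-Object { $_.Result -eq 'SuccessAudit' } |
    Group-Object Account, Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Failed 680s still name the machines attacking this one; add them to the clean-up list.
$parsed | Where-Object { $_.Result -eq 'FailureAudit' } |
    Select-Object -ExpandProperty Source -Unique
```

Run it once per machine that Forefront reports, and feed the "Name" column of the first table into the password change described above.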

BackTrack 4 setup for A Windows Dummy

Installing BackTrack 4 on to an old laptop is easy. Boot from the CD, then run the install.sh script on the Backtrack desktop.

Now, as a Windows Admin, I have to update everything. I have no choice, otherwise my MCSE status is revoked.

Once you have logged in to the laptop, plugged it in to a LAN connection and are faced with the $ prompt:

sudo start-network

This starts the network manager (wicd) and will kick off DHCP, then on to updating the OS and core BackTrack components. This includes a whole heap of the tools.

From the Offensive Security blog:

sudo apt-get update
sudo apt-get install -d linux-image
cd /var/cache/apt/archives/
sudo dpkg -i --force-all linux-image-2.6.30.5_2.6.30.5-10.00.Custom_i386.deb
sudo apt-get dist-upgrade

UPDATE: something appears broken in the update of postgresql-8.3:

Errors were encountered while processing:
postgresql-8.3
postgresql
E: Sub-process /usr/bin/dpkg returned an error code (1)

Full credits to Dave for posting this fix:

cd /etc/ssl/certs
make-ssl-cert generate-default-snakeoil --force-overwrite
/etc/init.d/postgresql-8.3 restart

Everything is happy again, back to the install:

sudo apt-get install madwifi-drivers
sudo apt-get install r8187-drivers

sudo shutdown -r now

sudo fix-splash (this fixes the boot-up screen to have the pretty BackTrack border)

NOTE: there are two dashes (--) in front of the force-all switch; if you don't put in two dashes, it gives you a nasty error message.

This little lot is about 400 MB in downloads.

Then type startx at the $ prompt to get back to the safe and comforting Windows environment – phew.

Now, I like all the shiny tools in MetaSploit and frankly want to have them all now, regardless if I can use them.

So from a terminal console window

cd /pentest/exploits/framework3/
sudo svn update

Then in to Firefox

Tools – AddOns and Find Updates

The only annoying thing is there is an old version of Wireshark which does not want to be updated. Will work on that.

Kicking off the MCITP:Enterprise Study

(or MCSE 2008 as the rest of us call it)

For reasons only known to myself, I’ve stupidly decided to kick off the final two MCITP: Enterprise exams starting with 70-649.

Ah, nothing like making bets, attempting to get a bit of competition going, that you can get certified before the rest of the team.

In front of the Boss. (He's a hockey playing, beer drinking, Northern ninja for randomly appearing like that!)

Pure Muppet magic on my part! Meep.

Hum ho.

Why the Enterprise rather than the long winded 70-647 update exam first? After skimming the objectives, it looks less work and studying for 749 will help out with 647 at a guess.

Check List:

Study guide: MS Press self-paced 70-647 Training Kit

Hands on: Build a virtual lab on Windows 2008 and use the MS Virtual Labs

Pick a date to get this done by: Monday 23rd of March 2009

Better get on with it then.

So, kick off by designing and building a small self-contained Windows 2008 domain. This is all built on a physical machine running Windows 2008 Server x64 with 8GB of RAM, lots of hard disk space and a couple of NICs. Hyper-V is installed.

I've added three additional networks in the Virtual Network Manager: Domain_Internal, DMZ and Hyper-V_External. Hyper-V_External is connected to the router for direct Internet access.

I've built, installed the Integration tools and patched (32 updates and 159 MB later) one VM, then cloned it (done by copying it to a new location, starting it up and running newsid) to speed things up and save download bandwidth. I should have used Windows Deployment Services (WDS), but I'll get around to that later.

The master network plan is below

This isn’t information leakage and I haven’t forgotten to add IPv6 addresses in, just a basic network diagram!

So once everything has finished installing, on with setting it up.

Now to start going through the notes and playing!

Notes Part 1

Blogging with Office 2007 – the blog add-in

Huge surprise that I’d be using Microsoft products to talk about other Microsoft products. Or maybe not.

Mucking around with the Word 2007 Blog post template, out of that Sunday evening curiosity phase and not wanting to iron shirts or think about the working week.

Anyway, Fyodor, of Nmap fame has a book out on NMAP. Click on the eye to have a read.

Looking forward to grabbing a hard copy of it, as web sites aren't as easy to scribble on.

SANS GSEC – thoughts and studying for the 401 exam

I took the GSEC course in July with around 70 other folks in Canberra. I’ve taken a number of other SANS courses already, but wanted to see what I’d missed.

In hindsight it would have been great to have taken the GSEC (401 track) course as the starting point of my SANS training, but things didn't work out that way. Doing the course was like revisiting old haunts to find new paths, or to avoid getting too carried away in too many fluffy lines; it was well worth revisiting the core topics and looking at them again.

We had Steven Sims provide guidance on the broad canvas of all the topics in the 401 track. He proved to be a brilliant and entertaining instructor, who coloured the course work with his own personal experiences and insights. Steven had a couple of topics close to his own heart during the six days, which I'm sure, if he was allowed, he could have talked about for hours – possibly days. It made for a fascinating and seemingly very short six days. I was all fired up, ready to kick-start my exam prep as soon as I got home and complete this sucker before the month ended!

Then you get home, then back to work, and reality sets in.

After the first three weeks of shifting the books from one spot to another, I talked to one of the guys I'd taken the course with and drew up a basic timeline and study plan. We kept it simple and straightforward: four hours of study a week, and listen to the audio files on the commute in and out of work. The working target was to sit the exam three months down the line, giving a month's breathing space before the exam deadline date. The four hours of studying was to include using the pre-defined courseware scenarios and supplied tools on virtual lab systems we'd pre-built. I ended up with a couple of Windows domains (no surprise there) and a couple of random Linux boxes sitting on VMware and Hyper-V for practising on. Since the VMs were isolated, I didn't need to install AV software, which plays havoc with the SANS-supplied tools on the CD. This gave me the ability to break and quickly restore test systems, which avoided the questions of having attack tools on work machines :-)

The audio portion was taken from a class in the US, by another SANS instructor, Dr Eric Cole. Eric has a very distinctive American New York accent, which kinda made me think that one of the Sopranos was teaching me IT security. I guess it's a perspective thing. Dr Cole had his own take on the material and it was a superb counterpoint to Steven's. Twice the instructor at half the price ;-)

Dr Cole accompanied me for the next two months commuting to work and on those long, random shopping trips guys get dragged into. I re-read and annotated the six course books on the bus, occasionally while half watching bad TV cop shows, and during two attempts at painting the kitchen.

Study suggestions

Put together a simple time line and goal plan. E.g. read book 1 properly, with notes and comments in two weeks, and then repeat again for the other 5 books.

If you can get someone to study with, even if only as a form of encouragement, it really helps maintain focus. If you're at a conference, swap email addresses with others doing the exam.

Get the little post-it note stickies in different colours. Title the main chapters and sub-sections first, then start creating tabs on topics or tools. Go mad with the sections you're weaker on. The day six (Unix) book looks like I've doubled its depth with the things.

Create yourself little challenges on the sections you feel most confident on as a reality check. On the Windows day book, I was "I'm an MS god! I work with this stuff every day. This is too easy!" Still, a couple of the test questions had me scrabbling for the book as they were left field of my thinking.

Play with the tools and, if you can, build a lab. I still struggle with Linux/Unix and it was my biggest source of failed questions during the exam. More hands on practice would have flipped those wrongs to right answers.

Listen to the audio recordings. Download them and have a listen when you're in the car, in the shower or in board meetings. Just joking, showering could damage the mp3 player. You get the idea.

Avoid watching junk TV while studying; put 40 minutes aside to concentrate on the material. It's not like you don't know how the show is going to end; oddly enough they'll be in the same peril again next week and somehow escape/solve it in 40 minutes. You'd think they'd find some other career less risky…

Don’t just put the books away after the exam. Pick one or two areas to study more on and think about taking the Gold paper challenge or simply challenging yourself to learn one more piece in depth.

My exam tips

It's 180 questions in 300 minutes (that's 5 hours), needing 126 right answers to pass.

Be nice to the Proctor :-)

Get a good night sleep before the exam. Avoid going in to the exam with any pressing time issues hanging over you (like painting a kitchen before everyone gets, for example …)

Have a clear space around you to spread out the books.

Have any liquid in a container with a lid. It’s amazing how often a cup can be knocked over near paper or a computer. Both do an excellent job of absorbing that liquid. :-(

Use the five skip-question options if you spend more than 5 minutes figuring out a question. You can get hung up on the wording or meanings, so coming back to it later can help and avoids derailing you.

Use the 15-minute break at the half-way point, at about question 90. Take this to stretch your legs and take a break from the screen. Exam fatigue sets in from staring at the questions and the screen; you can get a little click-happy otherwise, just to finish up faster. Don't use it as a last-minute revision scramble! It's there to relax.