so one aspect i love about this stuff is that it isn't all attackers and russian mobsters and chinese govt and such...
it's all about the CIA triad...
so maybe that's a pissed off employee, or maybe it is an earthquake... either which way, there's always something to think about, even if there aren't red lights flashin on your IDS...
Wednesday, January 30, 2008
Sunday, January 27, 2008
local admin password change script
ok, so from time to time an admin leaves and you need to change local admin on a bunch of computers... annoying how ms doesn't let you just click to do it for the domain via AD...
so i had to do this recently, and after searching the net for script examples, i put this together. basically, it lets you update the local admin accout (or any acct, note that "administrator" isn't a variable in the script like it should be ;). you can do it for a domain, or for an ou, or for a group of boxes...
the way i used it was to run it on a domain, and then use grep, sed, awk, and wc to pull out the failed boxes, and then plug them back into the script as a list of individual boxes. you can do this a number of times and catch stragglers (boxes that are ooto or off), and also end up w/ a list of machines which still have the old password...
so anywho, it was useful for me, hopefully it will be useful for other ppl... enjoy...
btw, blogger totally butchered my whitespacing and all of that... sry...
so i had to do this recently, and after searching the net for script examples, i put this together. basically, it lets you update the local admin accout (or any acct, note that "administrator" isn't a variable in the script like it should be ;). you can do it for a domain, or for an ou, or for a group of boxes...
the way i used it was to run it on a domain, and then use grep, sed, awk, and wc to pull out the failed boxes, and then plug them back into the script as a list of individual boxes. you can do this a number of times and catch stragglers (boxes that are ooto or off), and also end up w/ a list of machines which still have the old password...
so anywho, it was useful for me, hopefully it will be useful for other ppl... enjoy...
btw, blogger totally butchered my whitespacing and all of that... sry...
''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''
''
'' Local Admin Password Update script by rwnin
''
'' Update the local admin password on a domain
'' or group of computers.
''
''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''
option explicit
on error resume next
const forWriting = 2
const forAppending = 8
dim objUpdates
dim objLocalUser
dim objFSO
dim objLog
dim objItem
dim i
dim numUpdates
dim errText
dim errLog
dim newPassword
dim strBox
dim arrHostnames()
dim tempArr
newPassword = "y3r#n3w#p4ss#h3r3"
errLog = "pupdate_log.txt"
'' prep our logging
set objFSO = CreateObject("Scripting.FileSystemObject")
if (objFSO.FileExists(errLog) = false) then
set objLog = objFSO.CreateTextFile(errLog)
end if
set objLog = nothing
set objLog = objFSO.OpenTextFile(errLog, forWriting, true)
set objFSO = nothing
objLog.WriteLine("Executing at: " & date & " " & time)
'' Kludge Alert:
''
'' for pulling hostnames, the .Count method isn't implemented, n .PropertyCount
'' method seems to return the count of all of the objects in the collection, not the
'' filtered ones... so i decided to iterate once to count and then again to collect the
'' names. it could be done in a single loop, but then you'd have to redim (right?) for
'' each iteration, and that seems more expensive than just doing 2 loops...
''
'' also, for querying via OU, i know you can set the scope to subtree w/ a straight
'' query, but i haven't figured out how to do it w/ the getobject call... so, atm it
'' will only query the OU you specify. if you're doing sub OUs you have to say:
'' OU=subou, OU=mainou, DC=etc etc etc... i should update it, but i'm bein lazy...
''
''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''
'' uncomment for domain query
''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''
'set objUpdates = GetObject("WinNT://your.addomain.tld,domain")
'objUpdates.Filter = Array("Computer")
'numUpdates = 0
'for each objItem in objUpdates
' numUpdates = numUpdates + 1
'next
'redim arrHostnames(numUpdates)
'i = 0
'for each objItem in objUpdates
' arrHostnames(i) = objItem.Name
' i = i + 1
'next
''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''
'' _OR_ uncomment for OU query
''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''
'set objUpdates = GetObject("LDAP://OU=subsubou, OU=subou, OU=ou, DC=your, DC=addomain, DC=tld")
'objUpdates.Filter = Array("Computer")
'numUpdates = 0
'for each objItem in objUpdates
' numUpdates = numUpdates + 1
'next
'redim arrHostnames(numUpdates)
'i = 0
'for each objItem in objUpdates
' arrHostnames(i) = objItem.CN
' i = i + 1
'next
''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''
'' _OR_ uncomment to manually define a list
''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''
'' stupid vbs doesn't let you copy arrays to dim'd variables
'numUpdates = 3
'redim arrHostnames(numUpdates)
'tempArr = Array("box1", "box2", "box3")
'for i = 0 to (numUpdates - 1)
' arrHostnames(i) = tempArr(i)
'next
'' now we loop through and try our updates. timeout on hosts that don't respond can
'' be approx 20 sec in my experience, so give this some time...
for i = 0 to (numUpdates - 1)
'' build the string and get the object...
set objLocalUser = GetObject("WinNT://" & arrHostnames(i) & "/Administrator")
if (err.number <> 0) then
select case Err.Number
case -2147024843
errText = arrHostnames(i) & ": Unable to connect to host"
case else
errText = arrHostnames(i) & ": Unknown error (num: " & err.number & ") occured"
end select
err.clear
objLog.WriteLine(errText)
else
'' attempt to set the password
objLocalUser.SetPassword(newPassword)
if (err.number <> 0) then
select case Err.Number
case 424
errText = arrHostnames(i) & ": Unable to connect to host"
case else
errText = arrHostnames(i) & ": Unknown error (num: " & err.number & ") occured"
end select
err.clear
objLog.WriteLine(errText)
else
objLog.WriteLine("Updated " & arrHostnames(i))
end if
end if
next
objLog.WriteLine("Completed...")
objLog.Close
set objLog = nothing
set objLocalUser = nothing
set objUpdates = nothing
Tuesday, January 15, 2008
Friday, January 11, 2008
one more time
and this one comes via my dad... he thought i'd surely have known about this, but i'd never heard a thing about it...
the app
pretty simple concept. let your apps read from disk, but only let them write to a sandbox. obviously not an extrustion prevention solution, but it is a really simple concept that seems like it could prevent a lot of badness... kinda chroot jail-ish imo...
anyway, just another cool idea to be a potential solution to some problems. but as per my last post, it is kinda laughable how this essentially just attempts to impose proper perms to tmp dirs on windows browsers. following that reasoning, just quit windows and run *nix where the browser can read the /tmp dir chmoded out at 777, and virtually nothing else.
and this also suffers from the same problems as many other security products. yea, i can build a *nix server w/ buffer overflow protections, and a hardened kernel, and other general hardening. and i can put it out on inet running services and feel pretty confident that i'll probably see any attempted attack on the machine if i watch my logs and am careful about configuration in general. but the fact that i can do that doesn't really help 99% of machines out there. this app might have potential, but 99% of ppl out there will never hear of it. i mean, i still have to tell people what no-script is. all of these patch-like solutions and add-ons need a better distribution method so the risk mitigation can reach the masses...
the app
pretty simple concept. let your apps read from disk, but only let them write to a sandbox. obviously not an extrustion prevention solution, but it is a really simple concept that seems like it could prevent a lot of badness... kinda chroot jail-ish imo...
anyway, just another cool idea to be a potential solution to some problems. but as per my last post, it is kinda laughable how this essentially just attempts to impose proper perms to tmp dirs on windows browsers. following that reasoning, just quit windows and run *nix where the browser can read the /tmp dir chmoded out at 777, and virtually nothing else.
and this also suffers from the same problems as many other security products. yea, i can build a *nix server w/ buffer overflow protections, and a hardened kernel, and other general hardening. and i can put it out on inet running services and feel pretty confident that i'll probably see any attempted attack on the machine if i watch my logs and am careful about configuration in general. but the fact that i can do that doesn't really help 99% of machines out there. this app might have potential, but 99% of ppl out there will never hear of it. i mean, i still have to tell people what no-script is. all of these patch-like solutions and add-ons need a better distribution method so the risk mitigation can reach the masses...
mbr sploit
this comes to me via a friend... i woulda completely missed it since i long ago ditched /. for digg...
mbr sploit
if you read the referenced article it has a fair amt of good info... the bit i don't understand (beyond the ASM) is at the very end where it says that they have a detection mechanism...
they say, do a userland api query of the mbr and compare it to a kernel level call using IRP_MJ_READ... well, earlier they say that IRP_MJ_READ is compromised, and also say that the original mbr is backed up to a diff disk sector, so why on earth would the software return different mbr results between these two calls???
anyway, other thoughts... for one, i've gotta point out that i got to see the offical debut of the referenced pagefile attack by joanna at blackhat a while back... she has got a great head on her shoulders, and it is great to listen to her talk and absorb the shit she is hacking around in... between owning the crap outta vista before it hit street, the blue-pill stuff, and now her research into hypervisor compromises (leading to loss of integrity between your VMs), i just get to feelin like i'm spinnin my wheels and not workin on stuff as important or nifty as i should be workin on... man, i'd love to be able to talk to her for an hour or two over a few beers, just to hear what she's workin on and the way she attacks problems and develops ideas...
also, i got really bummed by the fact that this mbr sploit is in the wild after being based on techniques from the DoS days, and sample code from 2005... there are just so many hosts running code which will be vulnerable to these attacks and others based on old flaws, and they aren't going to go away any time soon...
i started thinkin that i donno if there is any solution to the windows security pardigm... just don't run it. you can't secure it. it is millions upon millions of lines of shit which isn't readily reviewable by security experts due to the closed nature as well as the size and complexity.
that's pretty pecimistic i guess. but still, it is a programming philosophy that you don't try to put band-aids on PoS code. you rewrite it if it is that bad, b/c you aren't gonna be able to find and fix all of the bugs.
look at our usage habits nowadays. imo, most people use their boxes to surf the web, and watch flash videos on the web. email is on the web via gmail, along w/ all the psuedo 2.0 tech. so let's get our end-user computers thin and usable and protectable. maybe the browser based OS that has been getting kicked around. i donno. most people use their boxes for a subset of tasks which, between solid coding and more modern tech like buffer overflow protection mechanisms, can probably be reasonably protected.
give the avg user a web browser that can be used for browsing, email, and vids, and then include some basic music playing and file xfer capability (for hooking up their ipod), and that's pretty much all they will need it to do. i'll build another box so i can play games.
mbr sploit
if you read the referenced article it has a fair amt of good info... the bit i don't understand (beyond the ASM) is at the very end where it says that they have a detection mechanism...
they say, do a userland api query of the mbr and compare it to a kernel level call using IRP_MJ_READ... well, earlier they say that IRP_MJ_READ is compromised, and also say that the original mbr is backed up to a diff disk sector, so why on earth would the software return different mbr results between these two calls???
anyway, other thoughts... for one, i've gotta point out that i got to see the offical debut of the referenced pagefile attack by joanna at blackhat a while back... she has got a great head on her shoulders, and it is great to listen to her talk and absorb the shit she is hacking around in... between owning the crap outta vista before it hit street, the blue-pill stuff, and now her research into hypervisor compromises (leading to loss of integrity between your VMs), i just get to feelin like i'm spinnin my wheels and not workin on stuff as important or nifty as i should be workin on... man, i'd love to be able to talk to her for an hour or two over a few beers, just to hear what she's workin on and the way she attacks problems and develops ideas...
also, i got really bummed by the fact that this mbr sploit is in the wild after being based on techniques from the DoS days, and sample code from 2005... there are just so many hosts running code which will be vulnerable to these attacks and others based on old flaws, and they aren't going to go away any time soon...
i started thinkin that i donno if there is any solution to the windows security pardigm... just don't run it. you can't secure it. it is millions upon millions of lines of shit which isn't readily reviewable by security experts due to the closed nature as well as the size and complexity.
that's pretty pecimistic i guess. but still, it is a programming philosophy that you don't try to put band-aids on PoS code. you rewrite it if it is that bad, b/c you aren't gonna be able to find and fix all of the bugs.
look at our usage habits nowadays. imo, most people use their boxes to surf the web, and watch flash videos on the web. email is on the web via gmail, along w/ all the psuedo 2.0 tech. so let's get our end-user computers thin and usable and protectable. maybe the browser based OS that has been getting kicked around. i donno. most people use their boxes for a subset of tasks which, between solid coding and more modern tech like buffer overflow protection mechanisms, can probably be reasonably protected.
give the avg user a web browser that can be used for browsing, email, and vids, and then include some basic music playing and file xfer capability (for hooking up their ipod), and that's pretty much all they will need it to do. i'll build another box so i can play games.
more random postage
assuming everyone heard about the sears incident... didn't anyone in the company pay attention to the sony fiasco?
note to everyone out there... crypt your jump drives... i can't believe i still have cleartext ones i use...
note to everyone out there... crypt your jump drives... i can't believe i still have cleartext ones i use...
Wednesday, January 9, 2008
phy sec... or not...
while on a job where i was shadowing a soon to be ex-employee for this client, i had the chance to visit a local ISP CoLo facility... this is not a mom n pop ISP... it is a brand name you would recognize...
this experience has reminded me of the importance of visiting any co location / remote data-center type place that i might be responsible for...
background: this is a new CoLo for the company i'm working for. we haven't got our access badges yet, and as of yet we have no equipment in the facility.
so we roll up there and ring the bell outside the facility. a guy comes on the com, and we're like:
"hey, we need access to the data center, but we don't have our keys yet. we're supposed to talk to alice or bob about that" (not real names; also not people we've ever met).
"umm, yea, hold on a sec, i'll see if i can find someone to let you in"
(waiting)
(cold outside and more waiting)
"hey, are we gonna have to wait outside much longer? it's kinda freezing"
"umm, i can't find alice or bob. can you come down to the other entrance? we'll have someone let you in"
so we proceed down to the other entrance, and an older engineer (assumption) w/ a pot belly and a wicked gray ponytail is outside waiting for us. he says:
"you guys need access to the data center?"
"yep"
"you guys supposed to be in there?"
"yep"
"alright, follow me"
"you can trust us," i add
so we get walked into the building. we end up wandering around (unattended) a cubical farm looking for the person we're supposed to be talking to. well, bob isn't around, so we stop by and talk to charlie. he is the head of infosec for this company. he is quite helpful, and goes to bobs office and starts digging around for keys we can use.
oh yea, here is the whiteboard outside of charlies office:
since he can't find any, he just lets us into the dc, where we proceed to load up network gear and servers.
so, we get all of our stuff hooked up, and they eventually find bob, who comes and gives us our keys.
they didn't ask our names. they didn't check our ids. they didn't make any phone calls. and they gave us access to their client (unescorted for over an hour) and private (escorted) data centers. anyway, it was kinda fun, considering that was completely not the job i was there to do. but now i know, if i've got to do a physical pen for this ISP, all i need is the name of a client and to know the name of someone who works there...
here's some pics... not too great, my camera phone kinda sucks...
and one last note on this big sec pic post... this pic is craptastic, but it is a sec camera... i talked to the contractor who put it up... the little black bit in the center is the camera, and all that white stuff around the outside are infrared LEDs. the device is approx 6-8 inches in diameter... anyway, i was asking the tech how much light that thing threw, since most of the ones i encounter have like 8 or 12 lights... he points down the alley and across the street and says:
"you see that van?" (over 100 yards away)
"yea..."
"well at night you could read the writing on the side of it"
wowza...
this experience has reminded me of the importance of visiting any co location / remote data-center type place that i might be responsible for...
background: this is a new CoLo for the company i'm working for. we haven't got our access badges yet, and as of yet we have no equipment in the facility.
so we roll up there and ring the bell outside the facility. a guy comes on the com, and we're like:
"hey, we need access to the data center, but we don't have our keys yet. we're supposed to talk to alice or bob about that" (not real names; also not people we've ever met).
"umm, yea, hold on a sec, i'll see if i can find someone to let you in"
(waiting)
(cold outside and more waiting)
"hey, are we gonna have to wait outside much longer? it's kinda freezing"
"umm, i can't find alice or bob. can you come down to the other entrance? we'll have someone let you in"
so we proceed down to the other entrance, and an older engineer (assumption) w/ a pot belly and a wicked gray ponytail is outside waiting for us. he says:
"you guys need access to the data center?"
"yep"
"you guys supposed to be in there?"
"yep"
"alright, follow me"
"you can trust us," i add
so we get walked into the building. we end up wandering around (unattended) a cubical farm looking for the person we're supposed to be talking to. well, bob isn't around, so we stop by and talk to charlie. he is the head of infosec for this company. he is quite helpful, and goes to bobs office and starts digging around for keys we can use.
oh yea, here is the whiteboard outside of charlies office:
since he can't find any, he just lets us into the dc, where we proceed to load up network gear and servers.
so, we get all of our stuff hooked up, and they eventually find bob, who comes and gives us our keys.
they didn't ask our names. they didn't check our ids. they didn't make any phone calls. and they gave us access to their client (unescorted for over an hour) and private (escorted) data centers. anyway, it was kinda fun, considering that was completely not the job i was there to do. but now i know, if i've got to do a physical pen for this ISP, all i need is the name of a client and to know the name of someone who works there...
here's some pics... not too great, my camera phone kinda sucks...
...
(snip)after thinking about this bit a tad more, i've decided to pull it(/snip)
...
and one last note on this big sec pic post... this pic is craptastic, but it is a sec camera... i talked to the contractor who put it up... the little black bit in the center is the camera, and all that white stuff around the outside are infrared LEDs. the device is approx 6-8 inches in diameter... anyway, i was asking the tech how much light that thing threw, since most of the ones i encounter have like 8 or 12 lights... he points down the alley and across the street and says:
"you see that van?" (over 100 yards away)
"yea..."
"well at night you could read the writing on the side of it"
wowza...
Subscribe to:
Posts (Atom)