Chris Reeves' Blog - Page 9 of 13 - Just another IT Blog

Login VB Script to Map Network Shares by Active Directory Group

Posted 05/09/2013 by Chris & filed under Active Directory.

There are a few different ways to map drives when a user logs in, if you already have a log in script you can simply copy parts of the following code into the script to be able to map drives.

This is a very simple script, when it comes to login scripts, the less complex the better as troubleshooting and loading times are reduced!

' ####################################
' # %company% login script #
' # Author: Chris Reeves #
' ####################################
' # Change Log #
' ####################################
'
' ver initial date / Description
'------------------------------------------------------------------------------
' 0.1 XX %%%%%% / Inital script created, header and change log created
' added mapping drives based on group membership.
' 0.2 XX %%%%%% / Changed x and y drive maps to X and Y.
'
'
' # Active Directory group membership script
'
On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("Wscript.Network")

strUserPath = "LDAP://" &amp; objSysInfo.UserName
Set objUser = GetObject(strUserPath)

For Each strGroup in objUser.MemberOf
strGroupPath = "LDAP://" &amp; strGroup
Set objGroup = GetObject(strGroupPath)
strGroupName = objGroup.CN
'
' # Drive mapping segment
'
Select Case strGroupName
Case "GROUP NAME HERE"
objNetwork.MapNetworkDrive "S:", "\123.456.789.001share1$"

Case "GROUP NAME HERE"
objNetwork.MapNetworkDrive "T:", "\123.456.789.001share2$"

End Select
Next
'
' # Script Complete

Modifications

You will need to change the following:

Group Name Here

Change these strings to the group name you wish to use to map to the location.

\123.456.789.001share#$

Configuring in Active Directory

Netlogon

You will need to copy the script file to the \activedirectoryservernetlogon path and ideally call the file something like login.vbs

User Management

You will need to type the file name only into the “Login Script” path under the profile tab in the Active Directory users profile.

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Deny ICMP Ping on Outside Dialer Interface (Cisco Router)

Posted 20/08/2013 by Chris & filed under Hardening.

How to guide to stop and deny icmp ping replies on the outside dialer interface on a Cisco router using access lists.

Deny ICMP Ping on Outside Dialer Interface for a Cisco Router

I am a firm believer of “if you don’t need it, turn it off”, icmp ping is no exception. Doing such reduces the surface area of attack, as most port scanners initially ping the target to see if there is a replying host at the other end. I configured my Cisco router to deny icmp on the “Dialer0” interface, you might need to tweak this to suit your access lists and WAN interface.

Leaving this feature on does give you extra troubleshooting abilities should you need it, don’t disable it if you do use the ping against your router to see if its up.

Shell on to the router or connect using a console cable.

Run all commands without the “#”

#en
#configure terminal
#access-list 101 deny icmp any any echo
#access-list 101 permit ip any any
#interface dialer0
#ip access-group 101 in
#exit
#exit

Now test to see whether an icmp packet is turned when pinging from a different internet connection.

Should you be happy with the configuration, simply run the following commands:

#en
#configure terminal
#copy running-config startup-config
#exit

If you want to revert to previous config you can either reload the router to clean the changes or reverse the changes manually:

To revert to previous configuration past this point.

To reverse the changes, simply remove “ip access-group 101 in” from the dialer interface by running the following commands:

#en
#configure terminal
#interface dialer0
#no ip access-group 101 in
#exit
#exit

To clean up the unused access lists:

#en
#configure terminal
#no access-list 101 deny icmp any any echo
#access-list 101 permit ip any any
#exit

If you have any questions or suggestions, please feel free to comment in the comments below.

Exporting Citrix XenApp Applications to file

Posted 19/08/2013 by Chris & filed under XenApp.

How to export Citrix XenApp applications

I have had to rebuild a Citrix XenApp farm in the past, which was a long process of building the server, installing Citrix XenApp, installing the applications and republishing the applications in Citrix. I found one of the longest parts of the process is publishing all the applications from scratch. You might have “tweaked” certain settings or have a long list of access controls which can be annoying to set back up again.

A quick way to capture those settings is by exporting the published application to file so you have the ability to import later on.

Log into Citrix AppCenter
Expand “Applications”
Locate the applications(s) you wish to export
Right click -> Other Tasks -> Export Application settings to file -> Entire Application
Choose a location (create folders based on your Citrix folders)

You should end up with %application%.app

A good folder path to use would be /%farm name%/%folder%/%application%.app

If you only want to export the server list of the application (not sure why you would only want to do that) then right click on the application, go down to “other tasks” then “export application settings to a file” and click on “Server list only”. You will be prompted with a save as box with a location to save the file with the extension “asl”.

Obviously to import the applications back into Citrix XenApp from a .app file is to right click on the folder you wish to import the application into, move down to “other tasks” and click on “import new applications from file”.

You will once again, see your application with all settings imported into the folder you right clicked on.

This should be a fairly easy guide to follow, should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Secure Administrator account in Active Directory

Posted 16/08/2013 by Chris & filed under Active Directory, Hardening.

Securing the Administrator account in Active Directory

You may be thinking this should be common knowledge but time and time again I see directories with the Administrator account still in the “Domain Admins” group and active!

Before you do this, ensure you are not using the domain administrator account for authenticating!

I always follow a simple step process to securing the Administrator account:

Remove from “Domain Admins” group
Rename the account
Move the account to a different folder within Active Directory folders OU’s
Change the password to 56 character set
Disable account (you cannot remove it)
Create a new account

Before you can remove the domain admins group you will need to add the domain users group and set it as the primary group.

When renaming the account, you can simply right click on the account and click “rename”. I usually change this to something obscure to make it harder to know it was the administrator account in the past. This doesn’t stop someone trying to attack it as it could be traced back to the SID as all administrator account SIDs end with a 500.

Password generation in KeePass

I highly recommend using a random password generator for changing the password, for my example I use the one inbuilt into KeePass. I have used every type of character possible with a 56 character length giving a total of 282bits of encryption goodness.

Don’t worry, I didn’t actually use this password!

When creating a new account, try and come up with a name that hasn’t been used before, so before you think sysadmin is a name, don’t, other people use it!

This might not be full proof but it will deter most attacks unless someone is targeting you for a particular reason.

“You can never completely defend against an attack but you can make it so hard for the attacker that they will change the target to something easier”

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Setting up BackTrack 5 R3

Posted 14/08/2013 by Chris & filed under Linux & Unix, Penetration Testing.

Setting up BackTrack 5 R3

Out of the box you might find that BackTrack 5 doesn’t give you some basic services, this is just a quick note on how to make things work.

Run all commands without the “#”

Update Packages

#apt-get update
#apt-get upgrade

Enable SSH Keys

Generate SSH Keys

#sshd-generate

AutoStart SSH

#update-rc.d ssh defaults

Change Root Password

By default the password is “toor”, you should change this!

#passwd

Install VM-Tools

These commands will only work if you have deployed BackTrack on a VMware virtualised environment

Initiate VMtools deployment from the virtualisation console

Replace VMwareTools-#.#.#-#.tar.gz with the actual package name

#mkdir -p /mnt/vmtools
#mkdir -p /mnt/vmtools/extract
#mount /dev/cdrom /mnt/vmtools
#tar -xvf VMwareTools-#.#.#-#.tar.gz /mnt/vmtools/extract
#cd /mnt/vmtools/extract
#./install

Follow prompts and reboot

Packages

Packages can be found in the /pentest folder

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Reference guide to basic Telnet Commands

Posted 13/08/2013 by Chris & filed under Microsoft.

Reference guide to basic Telnet Commands

Occasionally you might need to test a mail server manually using Telnet and SMTP commands.

Before running Telnet you might need to install it (Microsoft Windows 7 and above) by following either three of the following steps:

By Command Prompt

Open a command prompt
type “appwiz”
Click on “Turn Windows features on or off”
Click on “Telnet Client” and click OK

By Windows

Open Control Panel
If view by “Category” Click on “Get Programs” under “Programs”
If view by “Small icons” Click on “Programs and Features”
Click on “Telnet Client” and click OK

Other Versions of Windows

http://technet.microsoft.com/en-us/library/cc771275(v=ws.10).aspx

This is great for troubleshooting a SMTP mail server as the process of sending an email can come up with errors along the way that a fat mail client might hide from you.

HELO <hostname> = This command initiates the SMTP conversation. The host connecting to the remote SMTP server identifies itself by its fully qualified domain name.

EHLO = An alternative command for starting the conversation. This states that he sending server wants to use the extended SMTP (ESMTP) protocol.

MAIL FROM: = This is the start of an email message. The source email address is what will appear in the “from” field of the message

RCPT TO: = This identifies the recipient of the email message. This command can be repeated multiple times for a given message in order to deliver a single message to multiple recipients.

DATA = This command signifies that a stream of data, i.e the email message body will follow. The stream of data is terminated by a “.” on a line by itself.

“.” = To end the body of the message, type a full stop on a single line by itself.

QUIT = Quits out of the Telnet session

Example

Summary

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

How to deploy, configure and troubleshoot Postfix on Debian 7 (Wheezy)

Posted 12/08/2013 by Chris & filed under Linux & Unix.

How to deploy, configure and troubleshoot Postfix on Debian 7 (Wheezy)

Postfix is a free, open source mail transfer agent (MTA) that routes and delivers electronic mail.

I recently decided it might be a good idea to deploy the package in my own local network as it is a central point of configuration to an upstream SMTP server. This will come in handy later on should I decide to physically relocate my hardware and at the same time change my internet service provider.

Run commands without the “#” at the beginning.

Installing

#su – root
#apt-get update
#apt-get upgrade
#apt-get install postfix

Configuring SMTP Authentication to Smarthost

If your upstream SMTP host requires SMTP authentication, you will need to create a password file and add it to /etc/postfix/main.cf configuration file.
Ignore if not required

#cd /etc/postfix
#vi password

Add the following line
smtp.relay.com [email protected]:password

The first part needs to be the upstream SMTP server, this example is smtp.relay.com, separate by tab and type your username, add a “:” and type your password

#chown root:root password
#chmod 0600 password
#postmap hash:password

Configuring

#vi /etc/postfix/main.cf

Change:

“relayhost” to your smart host upstream
“inet_interfaces =” to all

Add:

mynetworks = Add network address of internal network
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/password
smtp_sasl_security_options =
:wq

Finishing Setup

#postfix check
#postfix reload
#netstat –tan

Check to see Local Address of “0.0.0.0:25” is in a state of “LISTEN”

Troubleshooting

Check to see if postfix is running by executing the following command:

#ps aux | grep postfix

Open a second terminal and monitor the mail.log file while in another session telnet to the Postfix server on port 25 and attempt to send a message manually

#tail –f /etc/log/mail.log

This is an example of a successful sent email

Conclusion

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

How to stress test websites with ApacheBench

Posted 07/08/2013 by Chris & filed under Linux & Unix, Penetration Testing.

How to stress test websites with ApacheBench

Okay so you have a Microsoft IIS or Apache web server, you placed a website on it and want to know if it will “fall over” under load, well I have just the tool for that!

ApacheBench (aka AB) is a stress testing tool part of Apache, it is fully configurable tool to allow you to specify the amount of attempts on the web server and the amount of concurrent connections.

ApacheBench is part of the Apache installation so simply installing Apache2 will give you access to the tool.

To install Apache, run the following:

#apt-get install apache2

The tool requires three switches in order to work, they are the following:

-c
1. Concurrent connections. How many connections at once. The more the harder it will be stressed.
-n
1. The number of connection attempts in total. The more, the longer it will run
http://address/
1. The website address to stress test. If stressing the root of the address a trailing “/” is required after the address. e.g http://domain.com/

Depending on hardware, software and network/internet configurations, you might not be able to stress the website to the max and might end up with all types of errors when running “ab”.

I recommend looking at also using two other switches:

-k
1. Keepalive. This can be helpful if the connection drops out half way through a stress test.
-r
1. Don’t exit on socket receive error. This is probably the more important of the two additional switches and can resolve a lot of problems.

This tool can be used in two ways, for good or for bad. A denial of service can be run against a server to purposefully overload the connections to the point the server will reject any new connections.

An example of running Apachebench can be seen in the screenshot below:

This is an example of running apachebench

Examples of running ApacheBench:

ab -n 1000 -c 100 http://domain.com/
ab -n 10000 -c 1000 -k -r http://domain.com/index.html
ab -n 10000 -c 1000 -k -r http://domain.com/about.html

Happy stressing!

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

How to break WPA2 key with Reaver WPS Attack

Posted 19/07/2013 by Chris & filed under Penetration Testing.

How to break WPA2 key with Reaver WPS Attack

When routers are enabled with WPS (aka Wi-Fi Protected) they are anything but “protected”, the way WPS works is by a eight digit key exchange between device and router. The key exchange is not encrypted and can be “brute forced” exposing the WPA or WPA2 wireless encryption key.

WPS lets you use push buttons or PINS instead of entering a network name (SSID) and a wireless security key by hand.

With the right hardware and software, this attack can be setup in minutes and take no more than a day to expose the key, or in my case just set and forget until the next morning.

I bought a new router and changed the firmware to DD-WRT so I could turn this “feature” off, it doesn’t matter how strong your WPA key is, it comes down to a eight digit string.

One important note to take from this is that once you find out the eight digit key from the router, if the WPA key is changed on the router it can be cracked in seconds as the WPS PIN doesn’t change.

To successfully do this, you will need the following:

BackTrack 5 R3
ALFA USB Wifi AWUSO36NHA
Reaver

Reaver comes with Backtrack 5 R3, the ALFA USB Wifi adapter is not “needed” but if you don’t have a compatible wireless adapter to use in BackTrack you might be unsuccessful.

If you want to run Reaver without it being on BackTrack, install it using the following commands:

Run all commands without the “#” at the front

#apt-get update
#apt-get upgrade
#apt-get install reaver aircrack-ng

To tweak the attack with switches you can run “reaver” which will output the following:

Shell into BackTrack 5
#su – root
#iwconfig
#airmon-ng start wlan0
#airodump-ng mon0
#reaver -i mon0 -b 01:AA:02:CC:03:DD -vv
Result! (I reused the pin from an old succesful attempt)

Diagnosing the problem(s) can be helped by using the –vv switch, it will show you step by step what the current action and result is.

If you are getting unexpected results, I highly suggest using the following switches:

-d 5 (add a delay to allow the router to recover)
-w (act as a Windows 7 operating system)
-c ## (lock to the actual channel of the router to prevent channel bouncing)
-a (auto detect the best advanced settings to use on the router)
–dh-small (instructs Reaver to use small diffie-hellman secret numbers to reduce the load on the router)

To scan all routers to see if they are vulnerable you can run the following command:

#wash -i mon0

The whole process can take between 4-10 hours unless you are lucky and the router has a “default” PIN, which Reaver will try first.

Happy crackin’

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

M	T	W	T	F	S	S
« Aug
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31

Deny ICMP Ping on Outside Dialer Interface (Cisco Router)

Deny ICMP Ping on Outside Dialer Interface for a Cisco Router

Exporting Citrix XenApp Applications to file

How to export Citrix XenApp applications

Secure Administrator account in Active Directory

Securing the Administrator account in Active Directory

Setting up BackTrack 5 R3