Auditing Toolkit for Windows NT and 2000

Denver ISACA
April 25, 2003

Travis Schack, CISSP
Travis@Vitalisec.com
Audit Areas
• System Information
• Patches/Hotfixes
• Scheduled Tasks
• Registry Permissions
• Registry Values
• User Accounts
• Group Accounts
• User Rights
• Account Policies
• Auditing
• Log Settings
• Event Log
• Services
• Service Permissions
• Processes
• Drives
• Share Permissions
• Directory Permissions
• Device Drivers
• Printer Permissions
• Remote Access
• Trusted Relationships
Tool Types
 • OS
 • Resource Kit
 • 3rd Party

 • Local
 • Remote

 • GUI
 • Command Line
NT vs. 2000
• Most of the core features of the architecture and object-oriented design of Win2k came from WinNT.
• Win2k is a tuned, tweaked, and extended WinNT, but it is not new.
• Security additions: Active Directory, Group Policies, Encrypted File System, Kerberos, CryptoAPI, IP Security, PKI, and kernel security enhancements.
Overview of Windows Security

System Architecture (diagram; the layers recovered from the figure)
• User Mode (2-4 GB): Logon process (Winlogon); Security subsystem (LSA); DOS client (VDM) and Windows16 client (WOW); Windows32 client and Windows32 subsystem; other clients and subsystems (OS/2, Posix, RAS).
• Kernel Mode (0-2 GB): Executive Services (I/O Mgr, Obj Mgr, SRM, LPC Facility, Proc Mgr, VMM, GDI/Win32, P&P Mgr, Pwr Mgr, Cfg Mgr, Cache Mgr); Micro Kernel; Hardware Abstraction Layer (HAL); Hardware.
Auditing System Information
Useful Commands
Command                     Results
ver                         Displays the Windows version
set                         Displays Windows environment variables
ipconfig /all               Shows detailed IP configuration
nbtstat -an                 Local server name, MAC address, domain, logged-on user
nbtstat -A / nbtstat -a     Remote server name, MAC address, domain, logged-on user (-A by IP address, -a by name)
netstat -rn, route print    Display the routing table
netstat -an                 Displays all connections and listening ports
findstr                     Searches for strings in files; can use regular expressions
find                        Searches for a text string in a file or files
comp                        Compares the contents of two files or sets of files byte by byte
fc                          Compares two files or sets of files and displays the differences between them
Windows Command Reference
• http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/ntcmds.htm
netstat –an (Ports)
• IANA port assignments
  – http://www.isi.edu/in-notes/iana/assignments/port-numbers
• Possible Trojans
  – http://www.simovits.com/nyheter9902.html
Environment Variables - set
      ALLUSERSPROFILE=C:\Documents and Settings\All Users
      APPDATA=C:\Documents and Settings\Roger Rabbit\Application Data
      CommonProgramFiles=C:\Program Files\Common Files
      COMPUTERNAME=Acme-Lap
      ComSpec=C:\WINNT\system32\cmd.exe
      DIRCMD=/o/a
      HOMEDRIVE=H:
      HOMEPATH=\
      HOMESHARE=\\carrot\Roger Rabbit$
      include=C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
      lib=C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
      LOGONSERVER=\\Acme-Lap
      MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
      NUMBER_OF_PROCESSORS=1
      ORACLE_HOME=c:\oracle\ora81
      OS=Windows_NT
      Os2LibPath=C:\WINNT\system32\os2\dll;
      Path=C:\oracle\ora81\bin;C:\Program Files\Oracle\jre\1.1.7\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MICROS~2\Office;C:\perl\bin;c:\sectools;C:\Program Files\Common Files\Adaptec Shared\System;C:\MSSQL7\BINN;C:\Program Files\Resource Pro Kit\;C:\NTOFW;C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
      PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
      PROCESSOR_ARCHITECTURE=x86
      PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
      PROCESSOR_LEVEL=6
      PROCESSOR_REVISION=0806
      ProgramFiles=C:\Program Files
      PROMPT=$P$G
      SMS_LOCAL_DIR=C:\WINNT
      SystemDrive=C:
      SystemRoot=C:\WINNT
      TEMP=C:\Temp
      TMP=C:\Temp
      USERDOMAIN=Acme
      USERNAME=Roger Rabbit
      USERPROFILE=C:\Documents and Settings\Roger Rabbit
      windir=C:\WINNT
          nbtstat -an (local)
Local Area Connection:
Node IpAddress: [192.168.0.1] Scope Id: []

           NetBIOS Local Name Table

    Name                             Type           Status
  -------------------------------------------------------------------
  Acme-Lap                   <00> UNIQUE              Registered
  Acme                       <00> GROUP               Registered
  Acme                       <1E> GROUP                Registered
  Acme                       <1D> UNIQUE               Registered
  ..__MSBROWSE__.<01> GROUP                            Registered
  Carrot                     <00> GROUP                Registered
         nbtstat –A <IP>
Local Area Connection:
Node IpAddress: [192.168.0.1] Scope Id: []

       NetBIOS Remote Machine Name Table

     Name                            Type             Status
  -----------------------------------------------------------------
  Acme-PDC                  <00> UNIQUE              Registered
  Acme-PDC                  <20> UNIQUE              Registered
  Acme                      <00> GROUP               Registered
  Acme                      <1C> GROUP                Registered
  Carrot                    <00> GROUP               Registered
  Acme                      <1B> UNIQUE              Registered
  Acme                      <1E> GROUP               Registered
  Acme-PDC                  <03> UNIQUE              Registered
  Acme                       <1D> UNIQUE              Registered
  ..__MSBROWSE__.<01> GROUP                           Registered
  Acme-PDC                   <01> UNIQUE              Registered

  MAC Address = 00-80-5F-65-AC-A8
Meaning of NetBIOS Names
Value   Meaning or Status
00      Computer names and workgroup names
01      Master Browser
03      Messaging/alerter service; username of user with logon session
20      Names of available resources on server
1B      Name of domain master browser
1C      Name of domain controller
1E      Response to election announcement
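To put the suffix table to work, here is an added Python example (not part of the original presentation) that parses an nbtstat name table such as the remote one shown above and records what an auditor wants from it: computer and domain names, whether the host is a domain controller or domain master browser, whether it runs the Server service, any logged-on user name, and the MAC address. The sample text is the slide's own output; the <1D> entry is described from general NetBIOS knowledge because the table above does not list it.

```python
import re

# NetBIOS suffix meanings from the table above, keyed by (suffix, type): the
# same suffix means different things for UNIQUE and GROUP names. <1D> is not
# in the table; it is the local (subnet) master browser.
NETBIOS_SUFFIXES = {
    ("00", "UNIQUE"): "computer name (Workstation service)",
    ("00", "GROUP"): "domain or workgroup name",
    ("01", "GROUP"): "master browser announcement (__MSBROWSE__)",
    ("03", "UNIQUE"): "Messenger/alerter: computer name or logged-on user name",
    ("20", "UNIQUE"): "Server service: resources (shares) available on this host",
    ("1B", "UNIQUE"): "domain master browser",
    ("1C", "GROUP"): "domain controller",
    ("1D", "UNIQUE"): "local master browser",
    ("1E", "GROUP"): "browser election participant",
}

# One table row, e.g. "Acme-PDC   <1C> GROUP   Registered"; the browser entry
# "..__MSBROWSE__.<01> GROUP  Registered" has no space before the suffix.
ROW_RE = re.compile(
    r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)"
)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Constructed sample: the `nbtstat -A <IP>` table from the slide above.
SAMPLE_REMOTE = """
Node IpAddress: [192.168.0.1] Scope Id: []

       NetBIOS Remote Machine Name Table

     Name                            Type             Status
  -----------------------------------------------------------------
  Acme-PDC                  <00> UNIQUE              Registered
  Acme-PDC                  <20> UNIQUE              Registered
  Acme                      <00> GROUP               Registered
  Acme                      <1C> GROUP               Registered
  Carrot                    <00> GROUP               Registered
  Acme                      <1B> UNIQUE              Registered
  Acme                      <1E> GROUP               Registered
  Acme-PDC                  <03> UNIQUE              Registered
  Acme                      <1D> UNIQUE              Registered
  ..__MSBROWSE__.<01> GROUP                           Registered
  Acme-PDC                  <01> UNIQUE              Registered

  MAC Address = 00-80-5F-65-AC-A8
"""


def parse_nbtstat(text):
    """Parse nbtstat name-table output into rows plus the MAC address, if shown."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"name": m.group("name"), "suffix": m.group("suffix").upper(),
                         "type": m.group("type").upper(), "status": m.group("status")})
    mac = MAC_RE.search(text)
    return {"names": rows, "mac": mac.group(1).upper() if mac else None}


def describe(row):
    """Meaning of one row according to the suffix table."""
    return NETBIOS_SUFFIXES.get((row["suffix"], row["type"]), "suffix not in table")


def audit_summary(parsed):
    """The facts an auditor records: names, server roles, logged-on users, MAC."""
    rows = parsed["names"]
    computers = {r["name"] for r in rows if (r["suffix"], r["type"]) == ("00", "UNIQUE")}
    domains = {r["name"] for r in rows if (r["suffix"], r["type"]) == ("00", "GROUP")}
    # A <03> UNIQUE name that is not a computer name is a logged-on user name.
    users = {r["name"] for r in rows if r["suffix"] == "03" and r["name"] not in computers}
    return {
        "computers": sorted(computers),
        "domains": sorted(domains),
        "is_domain_controller": any(r["suffix"] == "1C" for r in rows),
        "is_domain_master_browser": any(r["suffix"] == "1B" for r in rows),
        "has_server_service": any(r["suffix"] == "20" for r in rows),
        "logged_on_users": sorted(users),
        "mac": parsed["mac"],
    }


if __name__ == "__main__":
    parsed = parse_nbtstat(SAMPLE_REMOTE)
    for row in parsed["names"]:
        print(f"{row['name']:<16} <{row['suffix']}> {row['type']:<6} {describe(row)}")
    print(audit_summary(parsed))
```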
find/findstr – audit tool?
• Search files for passwords, sensitive information that should be encrypted, etc.
• Pipe the output of other utilities into find/findstr and search for specific information.
• findstr is more powerful than find.

Examples:
• Search all files on the system for "password"
         C:\>findstr /I /S /M "password" *.* > results.out
• Search all files on the system for "password", "pwd", and "passwd" (findstr treats a space-separated search string as several terms and matches any of them)
         C:\>findstr /I /S /M "password pwd passwd" *.* > results.out
• To search for several different items in the same set of files, create a text file with each search criterion on its own line and pass it with /g:
         C:\>findstr /I /S /M /g:finddata.txt *.* > results.out
                          Msinfo32
• Windows 2000 includes Microsoft System Information
  (Msinfo32.exe), which is an updated version of the Microsoft
  Windows NT Diagnostics tool (Winmsd.exe).
• System Information displays a comprehensive view of your
  hardware, system components, and software environment.
• Msinfo32.exe is located in the Program Files\Common
  Files\Microsoft Shared\MSInfo folder.

Msinfo32.exe Usage:

/? - Displays the Help dialog box
/msinfo_file=filename - Opens the specified .nfo or .cab file
/nfo or /s filename - Outputs a .nfo file to the specified file
/report filename - Outputs a text-format file to the specified file
/computer computername - Connects to the specified computer
/categories (+|-)(all | categoryname) +|-(categoryname)... - Displays or
    outputs specified categories
/category categoryname - Sets focus to a specific category at startup
               Msinfo32 Example
• The following example gathers each high-level category into a
  separate .nfo file, which can be read by Msinfo32.exe.

start /wait msinfo32.exe /nfo syssum.nfo /categories +SystemSummary
start /wait msinfo32.exe /nfo cmpnt.nfo /categories +components
start /wait msinfo32.exe /nfo swenv.nfo /categories +swenv
start /wait msinfo32.exe /nfo hwdres.nfo /categories +resources
start /wait msinfo32.exe /nfo ie.nfo /categories +internetexplorer
start /wait msinfo32.exe /nfo apps.nfo /categories +Apps

• The start /wait prefix is used in the examples for batch file or command-line execution from a Cmd.exe prompt: start launches Msinfo32.exe, and /wait holds the next item until the current one completes. Running the categories one at a time this way keeps the computer from being overloaded, because some Msinfo32.exe categories use a large amount of CPU time.
How to start Msinfo32 (screenshots)
• Msinfo32 (local)
• Msinfo32 (remote): click on Action and Properties
           srvinfo (Resource Kit)
SrvInfo for NT
Version 2.50
=====================================================
Remotely gather information about a target server.
Assume local machine if no computer name is provided.
=====================================================

Usage: SRVINFO [[-?|-ns|-d|-v|-s] \\computer_name]
 -?: Show usage
 -ns: Do NOT show any service information
 -d: Show service drivers and service
 -v: Get version info for Exchange, IIS, SQL
 -s: Show shares
  Srvinfo (truncated)
C:\>srvinfo -ns

Server Name: Acme-Lap
Security: Users
NT Type: NT Advanced Server -
Version: 5.0
Build: 2195, Service Pack 2
Current Type: Uniprocessor Free
Product Name: Microsoft Windows 2000
Registered Owner: Acme
Registered Organization: Acme
ProductID: 51874-OEM-0000696-50052
Original Install Date: Thu Dec 31 17:47:17 1998
Domain: Acme
PDC: \\Acme-PDC
CPU[0]: x86 Family 6 Model 8 Stepping 6: 696 MHz
            Dumpwin (3rd Party)
• http://www.nii.co.in/research/tools.html#sysinfo
• Command line tool (local only)

$ DumpWin
DumpWin v2.00 (Windows NT/2K)
Network Intelligence India Pvt. Ltd.
http://www.nii.co.in
Arjun Pednekar (arjunp@nii.co.in)

Parameters :
    -i : List installed Programs.  -d : Drive Information.
    -s : System Information.       -m : Check for Modem Drivers.
    -h : List shares present.        -t : List Startup Programs.
    -p : List active Processes.     -v : List of Services.
    -g : List Local Group Accounts -u : List User Accounts.
    -l : dumpACL                    -n : Account Lockout Policy
    -a : All of above.
Dumpwin – System Information
$ DumpWin -s
=====================
System Information
=====================
Microsoft Windows 2000 Workstation version 5.0 Service Pack 2 (Build
   2195)
Computer name       : Acme-Lap
User name             : Roger Rabbit

System directory    : C:\WINNT\System32
Windows directory     : C:\WINNT
Network Card IP Address :
               0     192.168.0.1

Memory Information
   Total Physical Memory(RAM) : 327152 KB
   Free Physical Memory(RAM) : 119948 KB
   Total Virtual Memory   : 2097024 KB
   Free Virtual Memory    : 2073252 KB
    Dumpwin – System Information (cont’d)

Hardware information:
    OEM ID              :0
    Number of processors        :1
    Page size            : 4096
    Processor type          : 586
    Minimum application address : 10000
    Maximum application address : 7ffeffff
    Active processor mask       :1

    Keyboard Manufacturer : IBM enhanced (101- or 102-key) keyboard
    No. of Function Keys : 12
Dumpwin – Installed Software
      $ DumpWin -i
      =====================
      List of Installed Programs
      =====================

       Reg Key : Ad-aware 5.83
       Product : Ad-aware 5.83

       Reg Key : AddressBook

       Reg Key : Adobe Acrobat 5.0
       Product : Adobe Acrobat 5.0

       Reg Key : AOL Instant Messenger
       Product : AOL Instant Messenger
               Psinfo (3rd Party)
• http://www.sysinternals.com/ntw2k/freeware/pstools.shtml
• Command line tool (local or remote)
• PsInfo returns information about a local or remote Windows
  NT/2000/XP system.


Usage: psinfo [-h] [-s] [-d] [-c] [\\RemoteComputer [-u Username [-p
  Password]]]
  -u     Specifies optional user name for login to
        remote computer.
  -p     Specifies password for user name.
  -h     Show installed hotfixes.
  -s     Show installed software.
  -d     Show disk volume information.
  -c     Print in CSV format
Psinfo – No Arguments
 $ psinfo

 PsInfo 1.34 - local and remote system information viewer
 Copyright (C) 2001-2002 Mark Russinovich
 Sysinternals - www.sysinternals.com

 System information for \\Acme-Lap:
 Uptime:           1 day, 2 hours, 40 minutes, 13 seconds
 Kernel version:       Microsoft Windows 2000, Uniprocessor
     Free
 Product type:        Professional
 Product version:       5.0
 Service pack:        2
 Kernel build number:      2195
 Registered organization: Acme
 Registered owner:        Acme
 Install date:      5/22/2000, 10:14:21 AM
 IE version:        5.5000
 System root:         C:\WINNT
 Processors:          1
 Processor speed:        700 MHz
 Processor type:        Intel Pentium III
 Physical memory:         320 MB
Psinfo – Software Installed
  $ psinfo -s

  System information for \\Acme-Lap:
  Uptime:             1 day, 2 hours, 58 minutes, 2 seconds
  Kernel version:        Microsoft Windows 2000, Uniprocessor Free
  Product type:          Professional
  Product version:         5.0
  Service pack:          2
  Kernel build number:       2195
  Registered organization: Acme
  Registered owner:         Acme
  Install date:       5/22/2000, 10:14:21 AM
  IE version:          5.5000
  System root:           C:\WINNT
  Processors:           1
  Processor speed:          700 MHz
  Processor type:         Intel Pentium III
  Physical memory:          320 MB
  Applications:
   AOL Instant Messenger
   ATI Display Driver Utilities
   ATI Win2k Display Driver
   ActivePerl 5.6.1 Build 633 5.6.633
   Ad-aware 5.83 5.83
   Adobe Acrobat 5.0 5.0
Patches/Hotfixes
   Psinfo – Hotfixes
$ psinfo -h

System information for \\Acme-Lap:
Uptime:              1 day, 2 hours, 55 minutes, 53 seconds
Kernel version:         Microsoft Windows 2000, Uniprocessor
    Free
Product type:          Professional
Product version:         5.0
Service pack:          2
Kernel build number:        2195
Registered organization: Acme
Registered owner:          Acme
Install date:        5/22/2000, 10:14:21 AM
IE version:          5.5000
System root:           C:\WINNT
Processors:            1
Processor speed:          700 MHz
Processor type:          Intel Pentium III
Physical memory:           320 MB
OS Hot Fix Installed
Q147222       1/1/1999
Q295688       4/15/2002
Q296185       11/21/2002
Q298012       9/7/2001
Q299553       11/21/2002
Q300845       4/15/2002
Microsoft Baseline Security Analyzer (MBSA)
• http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
• Command line or GUI - Administrator access is required
• The Microsoft® Baseline Security Analyzer (MBSA) is a tool that allows users to scan one or more Windows®-based computers for common security misconfigurations.
• MBSA determines which critical security updates are applied to a system by referring to an Extensible Markup Language (XML) file (mssecure.xml) that is continuously updated by Microsoft, using the HFNetChk tool technology.
• Products covered:
  – Windows NT 4.0
  – Windows 2000
  – Windows XP
  – Internet Explorer 5.01 and later
  – Windows Media Player 6.4 and later
  – IIS 4.0 and 5.0
  – SQL Server 7.0 and 2000 (including Microsoft Data Engine)
  – Exchange 5.5 and 2000 (including Exchange Admin Tools)
      Microsoft Baseline Security Analyzer
                 Command Line
C:\Program Files\Microsoft Baseline Security Analyzer>mbsacli /?


Examples:
  MBSACLI
  MBSACLI /n Password
  MBSACLI /c MyDomain\MyComputer /n Password+Updates+SQL
  MBSACLI /d MyDomain
  MBSACLI /i 200.0.0.1
  MBSACLI /r "200.0.0.1-200.0.0.50"
  MBSACLI /l
  MBSACLI /ld "Domain - Computer (03-01-2002 12-00 AM)"
  MBSACLI /f "C:\results.txt"
  MBSACLI /sus "http://corp_sus"
  MBSACLI /hf -?
             Microsoft Baseline Security Analyzer
                        Command Line
C:\Program Files\Microsoft Baseline Security Analyzer>mbsacli

Version 1.1
Engine version 3.7.0.5
Security update checker version 3.81.0.9
Attempting to load XML from
    https://www.microsoft.com/technet/security/search/mssecure.xml

XML successfully loaded.
===============================================================
Scan performed Mon Mar 17 05:25:58 2003
Using XML data version = 1.0.1.464 Last modified on 2/25/2003.

Scanning...
[          ] 0 of 1 computer scan(s) complete.......................................................
......................[..........] 1 of 1 computer scan(s) complete.
Scan Complete.

Computer Name, IP Address, Assessment, Report Name
-------------------------------------------------------------------------------
\Acme-Lap, 192.168.0.1, Severe Risk, Acme – Acme-Lap (03-17-2003 05-27 AM)
               Microsoft Baseline Security Analyzer
                          Command Line
C:\Program Files\Microsoft Baseline Security Analyzer>MBSACLI /hf
---------------------------------------
Acme-Lap (192.168.0.1)
---------------------------------------

      * WINDOWS 2000 SP2

      Warning
      The latest service pack for this product is not installed.
      Currently SP2 is installed. The latest service pack is SP3.

      Note      MS01-022    296441
      Note      MS02-008    318202
      Note      MS02-008    318203
      Note      MS02-008    317244
      Note      MS02-053    324096
      Patch NOT Found MS02-055    323255
      Note      MS02-064    327522
      Note      MS02-065    329414

      * INTERNET EXPLORER 5.5 SP2

      Warning             MS02-009        318089

      * WINDOWS MEDIA PLAYER 7.1 GOLD

      Information All necessary hotfixes have been applied.
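An added Python example (not from the presentation and not part of MBSA) that turns the mbsacli /hf text above into a findings list and a short risk summary, so the "Patch NOT Found" entries and service-pack warnings can be pulled out of a run across many hosts. The line layout it expects is the one shown on the slide, and the sample is constructed from that output.

```python
import re
from collections import Counter

# Constructed sample: the `mbsacli /hf` output shown on the slides above.
SAMPLE_HF = """
---------------------------------------
Acme-Lap (192.168.0.1)
---------------------------------------

      * WINDOWS 2000 SP2

      Warning
      The latest service pack for this product is not installed.
      Currently SP2 is installed. The latest service pack is SP3.

      Note      MS01-022    296441
      Note      MS02-008    318202
      Note      MS02-008    318203
      Note      MS02-008    317244
      Note      MS02-053    324096
      Patch NOT Found MS02-055    323255
      Note      MS02-064    327522
      Note      MS02-065    329414

      * INTERNET EXPLORER 5.5 SP2

      Warning             MS02-009        318089

      * WINDOWS MEDIA PLAYER 7.1 GOLD

      Information All necessary hotfixes have been applied.
"""

HOST_RE = re.compile(r"^\s*(?P<host>[\w.-]+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s*$")
PRODUCT_RE = re.compile(r"^\s*\*\s+(?P<product>.+?)\s*$")
STATUS_RE = re.compile(
    r"^\s*(?P<status>Patch NOT Found|Warning|Note|Information)\b\s*"
    r"(?:(?P<bulletin>MS\d{2}-\d{3})\s+(?P<q>\d+))?\s*(?P<text>.*)$"
)


def parse_hf_report(text):
    """Parse one host's /hf block into {host, ip, findings}.

    Each finding carries the product it was listed under, its status keyword,
    the bulletin and Q number when present, and any free text (a Warning's
    explanation continues on the following lines until the next blank line)."""
    host = ip = product = None
    findings = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or set(line.strip()) == {"-"}:
            continue
        m = HOST_RE.match(line)
        if m and host is None:
            host, ip = m.group("host"), m.group("ip")
            continue
        m = PRODUCT_RE.match(line)
        if m:
            product = m.group("product")
            continue
        m = STATUS_RE.match(line)
        if m:
            findings.append({"product": product, "status": m.group("status"),
                             "bulletin": m.group("bulletin"), "q": m.group("q"),
                             "text": m.group("text").strip()})
        elif findings:
            # Continuation of the previous finding's explanatory text.
            findings[-1]["text"] = (findings[-1]["text"] + " " + line.strip()).strip()
    return {"host": host, "ip": ip, "findings": findings}


def risk_summary(report):
    """Condense the findings into what goes on the audit worksheet."""
    findings = report["findings"]
    missing = [(f["product"], f["bulletin"], f["q"])
               for f in findings if f["status"] == "Patch NOT Found"]
    # A Warning with no bulletin number is the service-pack-level warning.
    old_service_packs = [f["product"] for f in findings
                         if f["status"] == "Warning" and f["bulletin"] is None]
    warned_bulletins = [(f["product"], f["bulletin"]) for f in findings
                        if f["status"] == "Warning" and f["bulletin"]]
    return {
        "host": report["host"], "ip": report["ip"],
        "counts": dict(Counter(f["status"] for f in findings)),
        "missing_patches": missing,
        "service_pack_outdated": old_service_packs,
        "warned_bulletins": warned_bulletins,
    }


if __name__ == "__main__":
    print(risk_summary(parse_hf_report(SAMPLE_HF)))
```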
Auditing Scheduled Tasks
OS command - at
• The AT command schedules commands and programs to run on a computer at a specified time and date.

• The Schedule service must be running to use the AT command.

       AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
       AT [\\computername] time [/INTERACTIVE]
          [ /EVERY:date[,...] | /NEXT:date[,...]] "command"

• Run at from the command line with no arguments to view the current schedule.

             Great tool to run periodic audits!
Resource Kit – jt.exe
• http://www.jsifaq.com/subf/tip2600/rh2621.htm
• The Microsoft ® Task Scheduler Command Line Utility, jt.exe, allows you to manage the Task Scheduler from the command line.

Examples

C:\>jt /se
 [TRACE] Enumerating jobs and queues
  JSI005_State.job
  Windows Critical Update Notification.job

C:\>jt /se p
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'JSI005_State.job'
[TRACE] Printing all job properties
Resource Kit – jt.exe
Generate a CSV file of scheduled tasks and their credentials

• http://www.jsifaq.com/SUBL/tip5700/rh5712.htm
• Batch file called Credentials.bat

The CSV file contains:
  "\\ComputerName","Credentials","JobName"

The syntax for using Credentials.bat is:
  Credentials ComputerName ReportFile
where:
  ComputerName is the NetBIOS computer name, without leading \\.
  ReportFile is the path to the output CSV file.
dumpwin -t (3rd Party): list startup programs (screenshot)
Auditing Registry Permissions
                            Registry
• A central hierarchical database used in Microsoft Windows 9x,
  Windows CE, Windows NT, and Windows 2000 used to store
  information necessary to configure the system for one or more
  users, applications and hardware devices.

• The Registry contains information that Windows continually
  references during operation, such as profiles for each user, the
  applications installed on the computer and the types of documents
  that each can create, property sheet settings for folders and
  application icons, what hardware exists on the system, and which
  ports are being used.

• The Registry replaces most of the text-based .ini files used in
  Windows 3.x and MS-DOS configuration files, such as the
  Autoexec.bat and Config.sys. Although the Registry is common to
  several Windows platforms, there are some differences among
  them.

• Registry isn't simply one large file but a set of discrete files called
  hives.
Registry Root Keys
Key                   Description
HKEY_CLASSES_ROOT     Symbolic link to HKEY_LOCAL_MACHINE\SOFTWARE\Classes.
HKEY_CURRENT_USER     Symbolic link to a key under HKEY_USERS representing a user's profile hive.
HKEY_LOCAL_MACHINE    Placeholder with no corresponding physical hive. This key contains other keys that are hives.
HKEY_USERS            Placeholder that contains the user-profile hives of logged-on accounts.
HKEY_CURRENT_CONFIG   Symbolic link to the key of the current hardware profile under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles.
HKEY_DYN_DATA         Placeholder for performance data lookups. This key has no corresponding physical hive.
Hive Registry Paths
Hive Registry Path               Hive File Path
HKEY_LOCAL_MACHINE\SYSTEM        \winnt\system32\config\system
HKEY_LOCAL_MACHINE\SAM           \winnt\system32\config\sam
HKEY_LOCAL_MACHINE\SECURITY      \winnt\system32\config\security
HKEY_LOCAL_MACHINE\SOFTWARE      \winnt\system32\config\software
HKEY_LOCAL_MACHINE\HARDWARE      Volatile hive
HKEY_LOCAL_MACHINE\SYSTEM\Clone  Volatile hive
HKEY_USERS\UserProfile           Profile; usually under \winnt\profiles\users
HKEY_USERS\.DEFAULT              \winnt\system32\config\default
Slow way: regedt32 (screenshots)
Faster way: Resource Kit - subinacl (screenshots with verbose=1 and verbose=2, the default)
subinacl with wildcards
• Subinacl allows you to use wildcards for objects (all services, all registry subkeys, etc.)

Examples
• All top-level registry keys on the local system
   – subinacl /verbose=1 /keyreg * > c:\registryanalyze.txt
• All top-level registry keys on a remote system (authentication already in place)
   – subinacl /verbose=1 /keyreg \\s-rwv2\*
• Every subkey of the Windows registry on the local system
   – subinacl /verbose=1 /subkeyreg * > c:\registryanalyze.txt
   Caution: processor-intensive and takes a while to execute

• Subinacl Reference Sheet
  http://www.asia.cnet.com/i/it/2002/itm_downloads/Subinacl_Usage.zip
• http://www.kouti.com/samplescripts/AllConstants.vbs.txt
Fastest & easiest way: Dumpsec (3rd Party)
  • http://www.somarsoft.com/
  • GUI and command-line

  Reports
     –   File System Permissions
     –   Registry Permissions
     –   Printer Permissions
     –   Shares Permissions
     –   Shared Directory Permissions
     –   All Shared Directories Permissions
     –   Users
     –   Groups
     –   Policies
     –   Rights
     –   Services

Dumpsec (3rd Party) - screenshots: select a report and WAIT! =)
Examples:

•   DumpSec.exe c:\temp\users.dcl

•   Start Somarsoft DumpSec interactively, load and display a report that was
    previously saved in native format in c:\temp\users.dcl.

•   DumpSec.exe /rpt=dir=c:\users /showaudit /outfile=c:\temp\users.dcl

•   Run Somarsoft DumpSec batch mode, produce a report of directory
    permissions for the c:\users directory showing owner, permissions and audit
    settings and store the report in native file format in c:\temp\users.dcl. The
    report will show only those directories and files whose permissions or audit
    settings differ from those of parent directory.

•   DumpSec.exe /computer=\\server1 /rpt=users /saveas=csv
    /outfile=c:\temp\users.txt

•   Run Somarsoft DumpSec in batch mode, produce a report showing all user
    information in table format for users defined on \\server1, and store the report
    in comma separated columns format in c:\temp\users.txt.

•   DumpSec.exe /computer=\\server1 /rpt=share=sales /outfile=c:\temp\users.dcl
    /showalldirs

•   Run Somarsoft DumpSec in batch mode, produce a report of permissions for
    the \\server1\sales shared directory, showing owner and permissions but not
    audit settings, and store the report in native file format in c:\temp\users.dcl.
    The report will show all directories under the \\server1\sales tree, and only
    those files whose permissions differ from those of the parent directory.
Auditing Registry Values
Resource Kit - reg
reg query, local and remote (screenshots)

RestrictAnonymous
• System Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
• Value: RestrictAnonymous

Legal Notice
• System Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
• Value: LegalNoticeText
Other Registry Tools
Tool      Source          Description
Regdump   Resource Kit    Dump the registry on both local and remote machines.
Regfind   Resource Kit    Find and edit registry keys.
Scanreg   Resource Kit    Search specific keys and entries on remote hosts.

regfind (screenshot)
• http://www.winguides.com/registry/
Auditing User Accounts
Useful OS Commands
Command                        Results
net user                       Displays the current local users on the server
net user <user_name>           Displays information on a local user
net user /domain               Displays the current users on the domain
net user <user_name> /domain   Displays information on a domain user
                  net user syntax

$ net user /?
The syntax of this command is:



NET USER [username [password | *] [options]] [/DOMAIN]
    username {password | *} /ADD [options] [/DOMAIN]
    username [/DELETE] [/DOMAIN]
                                   net user
C:\>net user

User accounts for \\Acme-Lap

-------------------------------------------------------------------------------
Guest_Disabled                RogerRabbit                     Administrator
VUSR_Acme-Lap

The command completed successfully.
C:\>net user VUSR_Acme-Lap
User name           VUSR_Acme-Lap
Full Name           VSA Server Account
Comment              Account for the Visual Studio Analyzer server
    components
User's comment
Country code          000 (System Default)
Account active        No
Account expires        Never

Password last set    2/7/2002 10:08 PM
Password expires      Never
Password changeable     2/7/2002 10:08 PM
Password required     No
User may change password Yes

Workstations allowed     All
Logon script
User profile
Home directory
Last logon           Never

Logon hours allowed       All

Local Group Memberships
Global Group memberships *None
The command completed successfully.
   Net user (domain information)
C:\>net user /domain
The request will be processed at a domain controller for
  domain Acme.


User accounts for \\Acme-PDC

-------------------------------------------------------------------------------
Roger Rabbit               Baby Herman               Eddie Valiant
Maroon                     Dolores                    Jessica
C:\isaca>net user Jessica /domain
The request will be processed at a domain controller for domain
     Acme.

User name              Jessica
Full Name             Jessica Rabbit
Comment                Cabaret Singer
User's comment
Country code           000 (System Default)
Account active         Yes
Account expires         Never

Password last set    12/27/2002 8:36 AM
Password expires      3/27/2003 8:36 AM
Password changeable      12/27/2002 8:36 AM
Password required     Yes
User may change password Yes

Workstations allowed       All
Logon script          Acme.bat
User profile
Home directory          \\carrot\Jessica$
Last logon           3/17/2003 1:39 PM

Logon hours allowed        All

Local Group Memberships
Global Group memberships  *Domain Users
                        *GRP_Bar_Users            *GRP_Singers
The command completed successfully.
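An added Python example, not from the presentation, that parses net user <name> output such as the two listings above and flags what an account review looks for: password not required, password never expires, enabled accounts that have never logged on, and accounts dormant past a threshold. The samples are constructed from the slide output; the 90-day dormancy threshold and the date format are assumptions.

```python
from datetime import datetime, timedelta

# Field labels exactly as `net user <name>` prints them; matching picks the
# longest label that fits a line, so "User may change password" is never
# mistaken for "User name".
FIELDS = [
    "User name", "Full Name", "Comment", "User's comment", "Country code",
    "Account active", "Account expires", "Password last set", "Password expires",
    "Password changeable", "Password required", "User may change password",
    "Workstations allowed", "Logon script", "User profile", "Home directory",
    "Last logon", "Logon hours allowed", "Local Group Memberships",
    "Global Group memberships",
]
_BY_LENGTH = sorted(FIELDS, key=len, reverse=True)
DATE_FMT = "%m/%d/%Y %I:%M %p"  # assumed layout, e.g. 3/17/2003 1:39 PM

# Constructed samples based on the two `net user` listings shown above.
SAMPLE_SERVICE_ACCOUNT = r"""
User name           VUSR_Acme-Lap
Full Name           VSA Server Account
Comment             Account for the Visual Studio Analyzer server
    components
User's comment
Account active      No
Password expires    Never
Password required   No
Last logon          Never
Local Group Memberships
Global Group memberships *None
The command completed successfully.
"""

SAMPLE_DOMAIN_USER = r"""
The request will be processed at a domain controller for domain
     Acme.
User name           Jessica
Account active      Yes
Password expires    3/27/2003 8:36 AM
Password required   Yes
Home directory      \\carrot\Jessica$
Last logon          3/17/2003 1:39 PM
Local Group Memberships
Global Group memberships  *Domain Users
                        *GRP_Bar_Users            *GRP_Singers
The command completed successfully.
"""


def _match_label(line):
    for label in _BY_LENGTH:
        rest = line[len(label):]
        if line.startswith(label) and (rest == "" or rest[0].isspace()):
            return label, rest.strip()
    return None, None


def parse_net_user(text):
    """Turn `net user <name>` output into a dict; group fields become lists."""
    account, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        label, value = _match_label(line)
        if label:
            account[label] = value
            current = label
        elif current and line[0].isspace():
            # Wrapped value: a long comment or a second line of group names.
            account[current] = (account[current] + " " + line.strip()).strip()
    for key in ("Local Group Memberships", "Global Group memberships"):
        groups = [g.strip() for g in account.get(key, "").split("*") if g.strip()]
        account[key] = [] if groups == ["None"] else groups
    return account


def _parse_date(value):
    try:
        return datetime.strptime(value, DATE_FMT)
    except (TypeError, ValueError):
        return None


def audit_user(account, as_of, dormant_days=90):
    """Return (severity, message) findings for one account as of a date."""
    if isinstance(as_of, str):
        as_of = datetime.strptime(as_of, DATE_FMT)
    findings = []
    name = account.get("User name", "?")
    active = account.get("Account active") == "Yes"
    if not active:
        findings.append(("INFO", f"{name}: account is disabled"))
    if account.get("Password required") == "No":
        findings.append(("HIGH", f"{name}: password not required (blank password allowed)"))
    if account.get("Password expires") == "Never":
        findings.append(("MEDIUM", f"{name}: password never expires"))
    last = account.get("Last logon")
    if active and last == "Never":
        findings.append(("MEDIUM", f"{name}: enabled but has never logged on"))
    last_dt = _parse_date(last)
    if active and last_dt and as_of - last_dt > timedelta(days=dormant_days):
        findings.append(("MEDIUM", f"{name}: dormant, last logon {last}"))
    return findings
```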
                 Enum (3rd Party)
• http://razor.bindview.com/tools/files/enum.tar.gz
• Using null sessions, enum can retrieve userlists, machine lists,
  sharelists, namelists, group and member lists, password and LSA
  policy information. enum is also capable of a rudimentary brute force
  dictionary attack on individual accounts.
                  C:\isaca>enum
                  usage: enum [switches] [hostname|ip]
                   -U: get userlist
                   -M: get machine list
                   -N: get namelist dump (different from -U|-
                       M)
                   -S: get sharelist
                   -P: get password policy information
                   -G: get group and member list
                   -L: get LSA policy information
                   -D: dictionary crack, needs -u and -f
                   -d: be detailed, applies to -U and -S
                   -c: don't cancel sessions
                   -u: specify username to use (default "")
                   -p: specify password to use (default "")
                   -f: specify dictfile to use (wants -D)
What is a null session?
• An ID named SYSTEM exists on every Windows system.
• It has almost unlimited privileges on the local computer and has no password.
• You cannot log on to this account.
• Privileged processes in Windows run as SYSTEM.

PROBLEM
• A service that runs as SYSTEM needs to access a remote computer.
• The destination computer does not recognize the local SYSTEM ID.

SOLUTION
• Through SMB, a connection is made using NULL as the user ID and password:
               net use \\<system>\IPC$ "" /user:""
              enum user list

C:\isaca>enum -U Acme-PDC
server: Acme-PDC
setting up session... success.
getting user list (pass 1, index 0)... success, got 6.
Roger Rabbit          Baby Herman           Eddie Valiant
Maroon                Dolores               Jessica
cleaning up... success.
  Access Denied?

C:\isaca>enum -U Acme-PDC
server: Acme-PDC
setting up session... success.
getting user list (pass 1, index 0)... fail
return 5, Access is denied.
cleaning up... success.
               RestrictAnonymous
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

           Data type              Range              Default value
        REG_DWORD                 0|1|2                    0

Value                                Meaning
 0       Disabled. Anonymous users are not restricted.
 1       Enabled. Users who log on anonymously (also known as null
         session connections) cannot display lists of domain user names or
         share names. Also, these users cannot view security permissions,
         and they cannot use all of the features of Windows Explorer, Local
         Users and Groups, and other programs that enumerate users or
         shares.
 2       Anonymous users have no access without explicit anonymous
         permissions. Windows 2000 only: Windows NT 4.0 (SP3 and later)
         supports 0 and 1. Test before deploying, since 2 on a domain
         controller also breaks down-level trusts and services that depend
         on anonymous access.
                enum user list
C:\isaca>enum -U -u "Roger Rabbit" -p ToonTown Acme-PDC
username: Roger Rabbit
password: ToonTown
server: Acme-PDC
setting up session... success.
getting user list (pass 1, index 0)... success, got 6.
Roger Rabbit          Baby Herman           Eddie Valiant
Maroon                Dolores               Jessica
cleaning up... success.
   RestrictAnonymous=1 has no meaning to an authenticated caller: it limits
   anonymous (null) sessions only, so any valid account, however
   unprivileged, enumerates exactly as before. The SID walking tools on the
   following slides get the same information without even that.
Userdump
• http://www.hammerofgod.com/download/userdump.zip
• Command-line tool that performs SID walking
• Must know at least one account name or group name on system

Walksam
• http://razor.bindview.com/tools/files/rpctools-1.0.zip
• Command-line tool that performs SID walking

GetAcct
• http://www.securityfriday.com/ToolDownload/GetAcct/getacct_doc.html
• GetAcct sidesteps "RestrictAnonymous=1" and acquires account
  information on Windows NT/2000 machines
• GUI tool that performs SID walking
                      SID Walking?
Security Identifiers (SIDs)
• Three types: account SIDs, group SIDs, computer SIDs
• SIDs are assigned automatically and are unique within every domain,
  server and workstation (exception: machines cloned from one disk image
  without being given a new SID)
• They remain the same if the account is renamed, but once deleted they are
  gone forever: an account re-created under the same name gets a new SID

A SID contains:
• Revision level
• 48-bit identifier authority
• A variable number of sub-authority values; the last one is the relative
  identifier (RID), which names the account within its domain or machine

          S-1-5-21-917267712-1342860078-1792151419-500
          |_______________________________________| |_|
                    domain / machine SID            RID

          RID        Account
          500        Default Administrator
          501        Guest
          1000+      Nondefault accounts (assigned in creation order,
                     never reused)
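As an added example (not code from the slides or from userdump, walksam or GetAcct), here is the SID layout described above and the walk those three tools perform, in Python. The account database it resolves against is constructed to stand in for Acme-PDC; on a real target the resolver would wrap a SID-to-name lookup such as pywin32's win32security.LookupAccountSid (an assumption, not something the slides mention), which is the LSA lookup that still answers an anonymous caller under RestrictAnonymous=1.

```python
"""SID structure and SID walking.

Added example; not code from the slides or from userdump, walksam or GetAcct.
"""
from __future__ import annotations

import struct
from typing import Callable, Iterator, Optional


def parse_sid(text: str) -> tuple[int, int, list[int]]:
    """Split 'S-1-5-21-...-500' into (revision, identifier authority, sub-authorities)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Revision is always 1; the authority is 48 bits; Windows allows up to 15 sub-authorities.
    if revision != 1 or not 0 <= authority < 1 << 48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {text!r}")
    if any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError(f"sub-authority out of range: {text!r}")
    return revision, authority, subs


def format_sid(revision: int, authority: int, subs: list[int]) -> str:
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_to_bytes(text: str) -> bytes:
    """Binary SID as Windows stores it in tokens and ACLs: revision (1 byte),
    sub-authority count (1 byte), authority (6 bytes, big-endian), then each
    sub-authority as a little-endian 32-bit integer."""
    revision, authority, subs = parse_sid(text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data: bytes) -> str:
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(data[2:8], "big")
    subs = list(struct.unpack(f"<{count}I", data[8:]))
    return format_sid(revision, authority, subs)


def split_rid(text: str) -> tuple[str, int]:
    """Return (domain or machine SID, RID): the RID is the last sub-authority."""
    revision, authority, subs = parse_sid(text)
    if len(subs) < 2:
        raise ValueError(f"SID has no RID component: {text!r}")
    return format_sid(revision, authority, subs[:-1]), subs[-1]


Resolver = Callable[[str], Optional[str]]   # SID string -> account name, or None


def walk_sam(known_sid: str, resolve: Resolver, max_queries: int = 50) -> Iterator[tuple[int, str]]:
    """SID walking as userdump/walksam/GetAcct do it: take the SID of any one known
    account, keep its domain prefix, and ask for RIDs 500, 501 and 1000 upward by SID.
    The SID-to-name lookup (LSA LookupSids) still answers an anonymous caller under
    RestrictAnonymous=1; only the SAM enumeration that enum -U relies on is blocked."""
    domain, _ = split_rid(known_sid)
    for rid in [500, 501, *range(1000, 1000 + max_queries)]:
        name = resolve(f"{domain}-{rid}")
        if name is not None:          # gaps are deleted accounts: RIDs are never reused
            yield rid, name


# Constructed stand-in for Acme-PDC's account database. On a real target the
# resolver would wrap a SID-to-name lookup such as pywin32's
# win32security.LookupAccountSid (assumption: pywin32 available on Windows).
DOMAIN = "S-1-5-21-917267712-1342860078-1792151419"
_CONSTRUCTED_SAM = {
    f"{DOMAIN}-500": "Administrator",
    f"{DOMAIN}-501": "Guest",
    f"{DOMAIN}-1000": "Roger Rabbit",
    f"{DOMAIN}-1001": "Baby Herman",
    f"{DOMAIN}-1003": "Jessica",     # RID 1002 belonged to a deleted account
}


def constructed_resolver(sid: str) -> Optional[str]:
    return _CONSTRUCTED_SAM.get(sid)


if __name__ == "__main__":
    # Start from Guest (RID 501), an account whose name is usually known.
    for rid, name in walk_sam(f"{DOMAIN}-501", constructed_resolver, max_queries=10):
        print(f"{rid:5d}  {name}")
```

The walk needs only one resolvable SID to begin with, which is why the tools ask for a known user or group name: LookupAccountName on "Guest" or "Domain Users" yields the domain prefix, and everything after that is lookups by SID.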
              Userdump
C:\isaca>userdump

    UserDump v1.11 - thor@hammerofgod.com

Usage: userdump \\servername guest MaxQueries
Where \\servername is the name of a DC
guest is the name of an known user or group
MaxQueries is number of user loops to try

UserDump will always get SID 500 (Admin) first,
and then begins at 1001 + MaxQueries
MaxQueries of 0 or blank returns SID 500 and 1001
                           Walksam
                 Usage: walksam [options] <target>
                 options:
                  -p protocol_sequence
                  -e endpoint
                 examples:
                  walksam 192.168.1.1
                  walksam -p ncacn_ip_tcp -e 1054 192.168.1.2

It supports both the 'traditional' method of doing this via Named Pipes, but
also supports the additional protseqs that are used by W2K's Domain
Controllers.

By default, walksam will use the named pipes approach, and so will use
either your current credentials, or whatever credentials have been
specified with a "net use \\target\ipc$ ..." command. If an alternative
protocol sequence is specified, then walksam will always attempt to use a
null session.
GetAcct
Dumpsec (3rd Party)
Auditing Group Accounts
             Useful OS Commands
            Command                          Results
net group                   Displays the global groups on the local
                            server; works only when run on a domain
                            controller (elsewhere it returns "This
                            command can be used only on a Windows 2000
                            Domain Controller").
net group <group>           Displays users that are a member of a
                            global group.
net group /domain           Displays global groups for domain.
net group /domain <group>   Displays users that are a member of a
                            global group.
net localgroup              Displays the local groups on the
                            computer.
net localgroup <group>      Displays users that are a member of the
                            local group on the machine.
net localgroup /domain      Displays the local groups on a domain
                            controller.
net localgroup /domain      Displays users that are a member of the
<group>                     domain local group.
           net group syntax
The syntax of this command is:
NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
     groupname {/ADD [/COMMENT:"text"] | /DELETE}
  [/DOMAIN]
     groupname username [...] {/ADD | /DELETE} [/DOMAIN]
                     net group /domain
C:\isaca>net group /domain
The request will be processed at a domain controller for domain Acme.


Group Accounts for \\Acme-PDC

-------------------------------------------------------------------------------
*Toon_Administrators
*Toon_Legal
*Toon_Executives
*Toon_Stunts
*Toon_Accountants
*Toon_Marketing
       net group /domain <group>
C:\isaca>net group /domain Toon_Legal
The request will be processed at a domain controller for domain Acme.

Group name Toon_Legal
Comment    Toon Town Legal Department

Members

-------------------------------------------------------------------------------
Judge_Juddy                   Harry_Larry                   Judge_Dread
The command completed successfully.
                          net localgroup
C:\isaca>net localgroup

Aliases for \\WKS-RR

-------------------------------------------------------------------------------
*Administrators *Backup Operators *Debugger Users
*Guests                  *Power Users                  *Users
The command completed successfully.
             net localgroup <group>
C:\isaca>net localgroup Administrators
Alias name Administrators
Comment        Administrators have complete and unrestricted access to
   the computer/domain

Members

-------------------------------------------------------------------------------
Acme\Toon_Administrators
Acme\Roger_Rabbit
Roger_Rabbit
Administrator
SMSCliSvcAcct&
The command completed successfully.
              net localgroup /domain
C:\isaca>net localgroup /domain
The request will be processed at a domain controller for domain Acme.


Aliases for \\Acme-PDC

-------------------------------------------------------------------------------
*Administrators          *Backup Operators                    *Guests
*Helpdesk                *Print Operators                    *Replicator
*Server Operators               *Users
The command completed successfully.
net localgroup /domain <group>
C:\isaca>net localgroup /domain Helpdesk
The request will be processed at a domain controller for domain Acme.

Alias name         Helpdesk
Comment            Phone Reps

Members

-------------------------------------------------------------------------------
HD0001
HD0002
HD0003
HD0004
The command completed successfully.
Useful Resource Kit Commands
         Command                    Results
showgrps           Displays the groups to which a given user
                   belongs, optionally within a given network
                   domain.
showmbrs           Displays the usernames of members of a
                   given group, optionally within a given
                   network domain.

local              Displays members of local groups on
                   remote servers or domains.
global             Displays members of global groups on
                   remote servers or domains.
    showgrps

C:\isaca>showgrps /?

Usage:

showgrps [/A] domain\user or
showgrps [/A] user

/A - Check all known trusted
  domains
C:\isaca>showgrps Acme\RR

User: [Acme\RR], is a member of:

 Acme\Toon_Marketing
 Acme\Toon_Land
 Acme\Toon_Executives
 Acme\Toon_Operators
 Acme\Toon_Guests
 Acme\Toon_Cleaning
 Acme\Toon_Movies
 Acme\Domain Users
 \Everyone
   showmbrs

C:\isaca>showmbrs /?

Usage:

showmbrs domain\group or
showmbrs \\domain\group or
showmbrs group
C:\isaca>showmbrs Acme\Toon_Cleaning

Members of global group
  [Acme\Toon_Cleaning]:

 RR
 Sam
 Gweedo
 Ralphy
 Bubba
 Leon
 Doc
 MisterM
 Sonny
 Sid
 Don_Don
 ECapizzi
 RockyB
 JackieC
local
global
          getuserinfo (3rd Party)
• http://www.joeware.net/
• Free Win32 C++ Based Tools section

Usage:
GetUserInfo [(domain)(\\servername)\]userid [/p]

 domain       Domain to execute command against
 server      Server to execute command against
 userid      Userid to get info for.
 /p        Displays primary group info.

 If domain/server not specified uses local machine
 If . specified for userid, enumerate all local/global accounts
Dumpsec (3rd Party)
Auditing User Rights
 User Rights


Two Categories

• Logon rights
• User privileges
                         Logon Rights
                 Right                       Description
Access this computer from the     The user can connect to the
network                           computer remotely.
Deny access to this computer from The user cannot connect to the
the network                       computer remotely.
Deny logon as a batch job
Deny logon as a service
Logon as a batch job
Logon as a service                This right is used by background
                                  applications. The rights are
                                  required for the service to function
Log on locally
                    User Privileges
            Privilege                      Permits user to
SeAssignPrimaryTokenPrivilege     Replace a process level token.
SeAuditPrivilege                  Generate security audits.
SeBackupPrivilege                 Back up files and directories.
SeBatchLogonRight                 Logon as a batch job.
SeChangeNotifyPrivilege           Bypass traverse checking.
SeCreatePagefilePrivilege         Create a pagefile.
SeCreatePermanentPrivilege        Create permanent shared objects.
SeCreateTokenPrivilege            Create a token object.
SeDebugPrivilege                  Debug programs.
SeIncreaseBasePriorityPrivilege   Increase scheduling priority.
SeIncreaseQuotaPrivilege          Increase quotas.
SeInteractiveLogonRight           Log on locally.
                  User Privileges
            Privilege                      Permits user to
SeLoadDriverPrivilege             Load and unload device drivers.
SeLockMemoryPrivilege             Lock pages in memory.
SeMachineAccountPrivilege         Add workstations to domain.
SeNetworkLogonRight               Access this computer from the
                                  network.
SeProfileSingleProcessPrivilege   Profile single process.
SeRemoteShutdownPrivilege         Force shutdown from a remote
                                  system.
SeRestorePrivilege                Restore files and directories.
SeSecurityPrivilege               Manage auditing and security log.
SeServiceLogonRight               Log on as a service.
SeShutdownPrivilege               Shut down the system.
SeSystemEnvironmentPrivilege      Modify firmware environment
                                  values.
                  User Privileges
            Privilege                  Permits user to
SeSystemProfilePrivilege      Profile system performance.
SeSystemtimePrivilege         Change the system time.
SeTakeOwnershipPrivilege      Take ownership of files or other
                              objects.
SeTcbPrivilege                Act as part of the operating
                              system.
SeUnsolicitedInputPrivilege   Read unsolicited input from a
                              terminal device.
Resource Kit - showpriv
SeTakeOwnershipPrivilege
Resource Kit - whoami
 WHOAMI [/option] [/option] ...

 Where /option is one of the following:

  /ALL      = Display all information in the current access
     token.
  /NOVERBOSE = Display minimal information. *
  /USER      = Display user.
  /GROUPS = Display groups.
  /PRIV     = Display privileges.
  /LOGONID = Display Logon ID.
  /SID    = Display SIDs. *
  /HELP      = Display help.

 * Must be used with option /USER, /GROUPS, /PRIV or /LOGONID

 Samples are as follows:

  WHOAMI
  WHOAMI /ALL
  WHOAMI /USER /SID
  WHOAMI /GROUPS
  WHOAMI /GROUPS /NOVERBOSE
  WHOAMI /USER /GROUPS /SID
  WHOAMI /PRIV /NOVERBOSE
  WHOAMI /USER /GROUPS /PRIV
  WHOAMI /HELP
Dumpsec (3rd Party)
   http://www.somarsoft.com/
Auditing Account Policies
               Useful OS command
        Command                        Results
net accounts           Displays the current settings for
                       password, logon limitations, and domain
                       information.
net accounts /domain   Displays the current domain settings for
                       password, logon limitations, and domain
                       information.
                      net accounts
The syntax of this command is:


NET ACCOUNTS [/FORCELOGOFF:{minutes | NO}] [/MINPWLEN:length]
      [/MAXPWAGE:{days | UNLIMITED}] [/MINPWAGE:days]
      [/UNIQUEPW:number] [/DOMAIN]
dumpwin (3rd Party)
Auditing “Auditing”
    Resource Kit - auditpol
AuditPol [\\computer] [/enable | /disable] [/help | /?] [/Category:Option] ...

 /Enable = Enable audit (default).

 /Disable = Disable audit.

 Category = System : System events
       Logon : Logon/Logoff events
       Object : Object access
       Privilege : Use of privileges
       Process : Process tracking
       Policy : Security policy changes
       Sam      : SAM changes

 Option     = Success : Audit success events
          Failure : Audit failure events
          All    : Audit success and failure events
          None     : Do not audit these events


Samples are as follows:

 AUDITPOL \\MyComputer
 AUDITPOL \\MyComputer /enable /system:all /object:failure
 AUDITPOL \\MyComputer /disable
 AUDITPOL /logon:failure /system:all /sam:success /privilege:none

AUDITPOL /HELP | MORE displays Help one screen at a time.
Dumpsec (3rd Party)
Auditing Log Settings
                Windows Logging
Three Types
• System Log
    – Tracks system component events, e.g. events during system startup
      and hardware, driver and controller failures.
• Application Log
    – Tracks application events, e.g. an application that fails to load a
      DLL writes an informational or error entry here.
• Security Log
    – Tracks events such as logon, logoff, changes to access rights, and
      system startup and shutdown. NOTE: By default no audit policy is
      enabled, so the Security log stays empty until auditing is turned
      on (auditpol or Local Security Policy).

          %SYSTEMROOT%\system32\config\SysEvent.Evt
          %SYSTEMROOT%\system32\config\SecEvent.Evt
          %SYSTEMROOT%\system32\config\AppEvent.Evt

  The Event Log service holds these files open while Windows runs, so
  collect them with Event Viewer (Save As), dumpel or ELDump rather than
  by copying the .Evt files directly.
Event Viewer
Using the Event Log for Auditing
ntlast (3rd Party)
 http://www.foundstone.com
       Resource Kit - dumpel
• dumpel.exe - create ASCII log files
  – can be imported into Excel or Access
  – eliminate acceptable entries
  – sort by workstation or login ID
• Track unique Logon ID for each session
  – match logon/logoff
              Logon Types
•   2 - Interactive
•   3 - Network
•   4 - Batch Process
•   5 - Service
•   6 - Proxy
•   7 - Screen Saver
Resource Kit - dumpel
                Eldump (3rd Party)
• http://www.ibt.ku.dk/jesper/ELDump/default.htm

• It is very much like the tool DumpEL from the NT Resource Kit, but
  ELDump is more versatile and sometimes quite a lot faster. Most
  important ELDump can:
    – Dump from active event logs or from saved event logs with full
       message texts.
    – Filter on all the same fields as the Event Viewer.
    – Dump only the message strings instead of the full message
       texts. This is a lot faster and also makes it easier to parse the
       messages with other programs.
    – Look for the message texts on an other server. This means you
       get message text even if all the applications and drivers that has
       logged messages are not installed on the machine where you
       are running ELDump.
    – Dump several logs from several servers with one invocation of
       the ELDump command.
Dump the application log from the current machine to the file el-appl.txt:

eldump >el-appl.txt

Dump the system log from server \\serv1:

eldump -s \\serv1 -l system

or the same but shorter:

eldump \\serv1 sys

Dump error messages about node1 from a single day:

eldump -T error -c node1 -a 19970109000000 -b 1997010000000

or the same but shorter:

eldump err -cnode1 -a970109 -b97010

Dump messages saved from the system log at \\serv1 in file \\serv1\d$\system.log, with centuries in the event dates
   and GMT times:

eldump -F \\serv1\d$\system.log -l system -x \\serv1 -K -G

or the same but shorter:

eldump \\serv1\d$\system.log sys -KG

Dump error messages saved from the system and application logs at the servers \\serv1 and \\serv2:

eldump -s \\serv1 -s \\serv2 -l system -l application -T error

or the same but shorter:

eldump \\serv1 \\serv2 sys app err
                     Event IDs
          Event ID                         Description
517                             Audit log cleared
532                             User account has expired
608/609                         User rights assigned/removed
610/611                         New trusted domain/removed
612                             Audit policy changed
624/629                         User account created/disabled
630                             User account deleted
643                             Domain policy changed


          http://www.counterpane.com/log-windows.html
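One way to do the dumpel work described earlier (track each session by its Logon ID, match the 528 logon to its 538 logoff, classify the logon type) and at the same time pull out the event IDs in the table above, as an added Python example that is not from the slides, dumpel or ELDump. It assumes the tab-separated layout of dumpel -t output (date, time, type, category, event ID, source, user, computer, then the insertion strings) and the Windows NT/2000 insertion-string order for events 528, 529 and 538; the sample lines are constructed.

```python
"""Security log review over dumpel output: match logons to logoffs by Logon ID,
count failed logons, and flag the event IDs an auditor always wants to see.

Added example; not code from the slides, dumpel or ELDump. Assumes the layout of
'dumpel -t' output and the NT/2000 insertion-string order for 528/529/538
(user name, domain, logon ID, logon type, ...). The sample records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Logon types as listed on the slide (the "Logon Type" string of events 528/538).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch Process",
               5: "Service", 6: "Proxy", 7: "Screen Saver"}

# Event IDs from the slide's table that should always be reviewed.
NOTABLE = {517: "Audit log cleared", 532: "User account has expired",
           608: "User right assigned", 609: "User right removed",
           610: "New trusted domain", 611: "Trusted domain removed",
           612: "Audit policy changed", 624: "User account created",
           629: "User account disabled", 630: "User account deleted",
           643: "Domain policy changed"}


@dataclass
class Session:
    user: str
    domain: str
    logon_id: str            # e.g. "(0x0,0x4F10)": unique per logon session until reboot
    logon_type: int
    workstation: str
    logon_at: datetime
    logoff_at: Optional[datetime] = None

    def seconds(self) -> Optional[int]:
        """Session length, or None when no matching 538 logoff was seen."""
        if self.logoff_at is None:
            return None
        return int((self.logoff_at - self.logon_at).total_seconds())


def parse_dumpel_line(line: str):
    """Split one 'dumpel -t' record into (time, type, event id, user, computer, strings)."""
    f = line.rstrip("\r\n").split("\t")
    if len(f) < 8:
        raise ValueError(f"short dumpel record: {line!r}")
    when = datetime.strptime(f"{f[0]} {f[1]}", "%m/%d/%Y %I:%M:%S %p")
    return when, int(f[2]), int(f[4]), f[6], f[7], f[8:]


def analyse(lines):
    """Return (sessions by logon ID, orphan logoffs, failed-logon counts, notable events)."""
    sessions: dict[str, Session] = {}
    orphans: list[str] = []          # 538 with no 528: the log wrapped or was cleared
    failures: dict[str, int] = {}    # 529 per attempted user name
    notable: list[tuple[datetime, str, int, str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        when, _etype, eid, user, computer, s = parse_dumpel_line(line)
        if eid == 528 and len(s) >= 7:
            name, domain, logon_id, ltype, _proc, _pkg, ws = s[:7]
            sessions[logon_id] = Session(name, domain, logon_id, int(ltype), ws, when)
        elif eid == 538 and len(s) >= 3:
            logon_id = s[2]
            if logon_id in sessions:
                sessions[logon_id].logoff_at = when
            else:
                orphans.append(logon_id)
        elif eid == 529 and s:
            failures[s[0]] = failures.get(s[0], 0) + 1
        if eid in NOTABLE:
            notable.append((when, computer, eid, NOTABLE[eid], user))
    return sessions, orphans, failures, notable


def describe(session: Session) -> str:
    kind = LOGON_TYPES.get(session.logon_type, f"type {session.logon_type}")
    end = (session.logoff_at.strftime("%H:%M:%S") if session.logoff_at
           else "no logoff seen")
    return (f"{session.domain}\\{session.user} {kind} from {session.workstation} "
            f"{session.logon_at:%H:%M:%S} -> {end}")


# Constructed sample, shaped like "dumpel -l security -t" output from Acme-PDC.
SAMPLE = "\n".join([
    "3/17/2003\t1:39:00 PM\t8\t2\t528\tSecurity\tJessica\tACME-PDC\tJessica\tACME\t(0x0,0x4E2A)\t2\tUser32\tNegotiate\tACME-PDC",
    "3/17/2003\t1:41:12 PM\t8\t2\t528\tSecurity\tRoger Rabbit\tACME-PDC\tRoger Rabbit\tACME\t(0x0,0x4F10)\t3\tKSecDD\tKerberos\tWKS-RR",
    "3/17/2003\t1:45:00 PM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tACME-PDC\tAdministrator\tACME\t3\tNtLmSsp\tNTLM\tWKS-RR",
    "3/17/2003\t1:45:03 PM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tACME-PDC\tAdministrator\tACME\t3\tNtLmSsp\tNTLM\tWKS-RR",
    "3/17/2003\t1:52:30 PM\t8\t2\t538\tSecurity\tRoger Rabbit\tACME-PDC\tRoger Rabbit\tACME\t(0x0,0x4F10)\t3",
    "3/17/2003\t2:05:00 PM\t8\t1\t517\tSecurity\tAdministrator\tACME-PDC\tAdministrator\tACME\t(0x0,0x3E7)",
    "3/17/2003\t2:06:00 PM\t8\t2\t538\tSecurity\tDolores\tACME-PDC\tDolores\tACME\t(0x0,0x3A00)\t2",
])

if __name__ == "__main__":
    sessions, orphans, failures, notable = analyse(SAMPLE.splitlines())
    for s in sessions.values():
        print(describe(s))
    print("logoffs without a logon:", orphans)
    print("failed logons:", failures)
    for when, computer, eid, desc, user in notable:
        print(f"{when:%Y-%m-%d %H:%M:%S} {computer} {eid} {desc} ({user})")
```

A logoff whose Logon ID never appeared as a logon is worth a second look on its own: either the log wrapped before the logon (raise the log size) or it was cleared, in which case a 517 should be nearby.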
Auditing Processes
Resource Kit - pulist
Resource Kit - tlist
          pslist (3rd Party)
http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
dumpwin (3rd Party)
Auditing Drives
Psinfo – Disk Information
 $ psinfo -d

 System information for \\Acme-Lap:
 Uptime:            1 day, 2 hours, 54 minutes, 25 seconds
 Kernel version:       Microsoft Windows 2000, Uniprocessor Free
 Product type:        Professional
 Product version:       5.0
 Service pack:        2
 Kernel build number:      2195
 Registered organization: Acme
 Registered owner:        Acme
 Install date:      5/22/2000, 10:14:21 AM
 IE version:        5.5000
 System root:         C:\WINNT
 Processors:          1
 Processor speed:        700 MHz
 Processor type:        Intel Pentium III
 Physical memory:         320 MB
 Volume Type      Format Label                   Size    Free    Free %
    C: Fixed   NTFS                     11.2 GB 5.8 GB 52%
    D: CD-ROM                                         0%
    E: Fixed   FAT      PGPDISK             499.7 MB 326.8 MB 65%
    K: Remote NTFS                        440.9 GB 108.0 GB 25%
    P: Remote NTFS         Drive_E           339.2 GB 166.0 GB 49%
Dumpwin – Drive Information
     $ DumpWin.exe -d
     =====================
     Drive Information
     =====================

     Drive C:\ : Fixed
          Volume Name :
          File System : NTFS
          Free Clusters : 1523887
          Total Clusters : 2946502

     Drive D:\ : CD-ROM
     Drive E:\ : Fixed
          Volume Name : PGPDISK
          File System : FAT
          Free Clusters : 41826
          Total Clusters : 63966

     Drive H:\ : Network drive
     Drive K:\ : Network drive
     Drive P:\ : Network drive
Auditing Share Permissions
           Useful OS command
net share
• Lists resources being shared on computer
dumpwin (3rd Party)
Resource Kit - srvcheck
Dumpsec (3rd Party)
Net use \\<machine>\IPC$ /user:<domain>\<user ID>
Auditing Directory Permissions
Resource Kit - xcacls
Resource Kit - subinacl
Auditing Services
Resource Kit - sclist
Resource Kit - netsvc
netsvc list services
netsvc service status
       psservice (3rd Party)
http://www.sysinternals.com/ntw2k/freeware/psservice.shtml
Dumpsec (3rd Party)
dumpwin (3rd Party)
             NetViewX (3rd Party)
• http://www.ibt.ku.dk/jesper/NetViewX

• It is a bit like the NT "net view /domain" command, but it allows you
  to list only servers with specific services, and it uses a list format
  that is easily parsable.
Netviewx   (3rd   Party)
Auditing Service Permissions
Resource Kit - subinacl
Auditing Device Drivers
dumpsec
Auditing Printer Permissions
Resource Kit - subinacl
Dumpsec (3rd Party)
Auditing Remote Access
            Resource Kit - raslist
• Displays the names of all hosts within a domain network that are
  running RAS
Resource Kit - rasusers
Auditing Trusted Relationships
Resource Kit - nltest
Resource Kit - nlmon
                           DNS
• Zone Transfers
• Internet Accessible
• http://www.nscan.org/?index=dns
      Where Credit is Due . . .

The following script was created by James M. Hackett,
Administrative ISO, Yale University.

It demonstrates the resulting audit process, built from
the tools that have been discussed.
               shd_srv_audit01.bat
@echo off
REM usage: shd_srv_audit01 <servername>
REM tools live in e:\audit\tools, the baseline for each server in
REM e:\audit\base\<servername>, and this run's output goes to g:\audit
REM note: netstat, sysdiff, xcacls and dir look at the machine the script
REM runs on, so run it on %1 itself; dumpel, netsvc and addusers take the
REM remote name and work either way
REM dump system, security and application logs
e:\audit\tools\dumpel -l system -f g:\audit\%1_sys_log.txt -s %1 -c
e:\audit\tools\dumpel -l security -f g:\audit\%1_sec_log.txt -s %1 -c
e:\audit\tools\dumpel -l application -f g:\audit\%1_app_log.txt -s %1 -c
REM account management events only (639-643) for the Account Changes section
e:\audit\tools\dumpel -l security -m security -e 639 640 641 642 643 -f g:\audit\%1_acct_chg.txt -s %1 -c
REM dump port information
e:\audit\tools\netstat -a > g:\audit\%1_ports_a.txt
e:\audit\tools\netstat -r > g:\audit\%1_ports_r.txt
REM dump service information
e:\audit\tools\netsvc \\%1 /list > g:\audit\%1_services.txt
REM dump users and groups
e:\audit\tools\addusers /d g:\audit\%1_usr_grps.txt /s:, \\%1
REM sysdiff the system against the baseline snapshot
e:\audit\tools\sysdiff /diff e:\audit\base\%1\base.img g:\audit\%1_diff.img
e:\audit\tools\sysdiff /dump g:\audit\%1_diff.img g:\audit\%1_diff.txt
REM dump ACLs
e:\audit\tools\xcacls %systemroot%\*.* /T > g:\audit\%1_acl.txt
REM dump file stamps (creation time)
dir %systemroot% /s/t:c > g:\audit\%1_stamps.txt
REM ** End Data Gathering **
REM **********************************
REM ** Begin Report Generation **
echo Audit Report shd_srv_audit01 for %1 >g:\audit\%1_report.txt
time /t >>g:\audit\%1_report.txt
date /t >>g:\audit\%1_report.txt
echo @@@ Service Ports @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_ports_a.txt e:\audit\base\%1\ports_a.txt >>g:\audit\%1_report.txt
echo @@@ Route Table @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_ports_r.txt e:\audit\base\%1\ports_r.txt >>g:\audit\%1_report.txt
echo @@@ Services @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_services.txt e:\audit\base\%1\services.txt >>g:\audit\%1_report.txt
echo @@@ Users and Groups @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_usr_grps.txt e:\audit\base\%1\usr_grps.txt >>g:\audit\%1_report.txt
echo @@@ SYS DIFF @@@ >> g:\audit\%1_report.txt
type g:\audit\%1_diff.txt >>g:\audit\%1_report.txt
echo @@@ ACLs @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_acl.txt e:\audit\base\%1\acl.txt >>g:\audit\%1_report.txt
echo @@@ File Stamps @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_stamps.txt e:\audit\base\%1\stamps.txt >>g:\audit\%1_report.txt
echo @@@ Account Changes @@@ >> g:\audit\%1_report.txt
type g:\audit\%1_acct_chg.txt >> g:\audit\%1_report.txt
echo End Audit Report shd_srv_audit01 for %1 >>g:\audit\%1_report.txt
time /t >>g:\audit\%1_report.txt
date /t >>g:\audit\%1_report.txt
The Audit Report
                   Reference Sites
Resource Kit
• http://www.dynawell.com/support/ResKit/win2k.asp

Windows Ports
• http://www.poopoccurs.com/windows/2kports.html

Tool Repository
• http://packetstormsecurity.com/
• http://www.securiteam.com/tools/archive.html
• http://www.somarsoft.com/
• http://www.sysinternals.com

Security and SA Sites
• http://www.labmice.net/Security/default.htm
• http://is-it-true.org/nt/
                 Reference Sites
•   http://www.yale.edu/its/security/
•   http://www.cert.org/
•   http://www.ciac.org/
•   ftp://coast.cs.purdue.edu/pub/tools/windows/windowsNT/
•   http://www.microsoft.com/security/
•   http://www.sans.org/

Windows Scripting
• http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.
  asp?contentid=28001169
• http://www.jsifaq.com/
• http://www.roth.net/
Questions?



Thank You!