Network Survival WCS

BSides Las Vegas · 2013 · 47:33 · 23 views · Published 2017-01
About this talk
James Costello presents a practical guide to network reconnaissance and system enumeration under constrained conditions. The talk demonstrates how to gather intelligence about a Windows network environment using only built-in tools and utilities when elevated privileges, software installation, and external resources are unavailable. Topics include network discovery via Network Explorer, remote access tools (mstsc, finger, RDP), DNS enumeration, and script-based automation to identify systems, servers, and potential attack paths.
Original YouTube description
CG - Network Survival WCS - James Costello Common Ground BSidesLV 2013 - Tuscany Hotel - August 01, 2013
Transcript [en]

Yes. Yeah, it's five, so you can go whenever. Okay. All right, good evening. My name is James Costello and this is Network Survival WCS. I am a CISSP, a CompTIA SME, which basically means I'm one of the guys who helps write the tests that people take at CompTIA. My specialty is the Security+. I'm a CNSE, a CCSP and MCSE and blah blah blah blah blah blah blah blah blah. I'm currently the director of engineering for Armada Data Solutions, a consultancy out of Atlanta. I'm a founding member of SEC casc and c and CCC casc. I blog occasionally at this address, and I'm neither a ninja nor a

pirate. Network Survival WCS: worst-case scenario. This is, for me, my personal worst-case scenario. You start a new job. Your boss comes to you, hands you a Windows 7 laptop and says, "All right, I want you to find out as much as you possibly can about the network in the next 45 minutes, but here are the caveats." You have a basic image without any of your favorite tools on it. You've got a basic user account, so you've got no elevated administrative privileges to do anything with. Your boss wants you to find out as much on the network as you can. You're not allowed to install any new software on the system. Your internet

browsing is going to be strictly monitored, and you cannot elevate your permissions on your local workstation. So we'll knock it down into three basic areas: black, gray and white. Black is: don't do anything that violates your boss's rules. So you can't go and install any software on there. Getting a block page on your internet browsing will get you into trouble with your boss. There can be other things that you can come up with that will be in this black area: anything that really violates the spirit of this worst-case scenario that you're in. Some of the gray areas: loading and running software off a

USB key. Yeah, you didn't really install it on the computer, but you ran it. And using your cell phone to do your searches: I'm calling that gray because it kind of violates the real spirit of the exercise. And then white: it's just using what you've got. So first off, I just want to remind everybody, if you're ever in this situation, don't be Bob. You might know Bob from his appearances on various podcasts. Bob does things without permission. Being Bob can make you lose your job, and in this scenario that I've said, if you do a Bob-related action, your boss has told you you're going to get fired. Bob has

lots of great stories, but most of them are really object lessons and not really instructions for living. Bob might end up under indictment at some point. Don't be Bob. All right, really what I'm looking for people to do in this whole scenario is think inside the box. We've spent a lot of time trying to get outside the box, and we've really lost focus on what the things are inside the boxes: working within the limitations that are provided to you, using what you have available to you, and potentially repurposing something that you've got on your system that wasn't initially intended to do what you want it to do. So it's not this box, and it's not that

box, and it's definitely not those boxes. Just like the TARDIS, your box is bigger on the inside than you really think about. There's a lot more to it than a lot of people take into consideration, because there's a lot you can do with just a base install. One of the neat things you've got there, just without getting to the command line: you've got Network Explorer. If your box has been connected to the network for a little bit of time, you open this up and you can start looking for other computers that are connected there, so you can start finding things out. Now, if you can quickly determine what the naming scheme for

devices are, you'll start figuring out what things are out there. Servers have role-specific names associated to them. Workstations, those can really vary. A lot of people just simply use either the person's name and PC, or they go in and they set something on some naming scheme. Some naming schemes aren't going to make any sense to you. Flourish: the servers in my home network are all based on Harry Potter's instances. Nobody really knows what they do except me, so it gets a little more complicated for other people to come look at my system. But you might be in a business environment; they're going to name them things that they're going

to know what they are. So this will give you some insight into the network, and it's just one piece. You can also see any of the printers or any of the other devices that are out there. You can just do a screen capture from this and go, okay, here's the first piece I'm going to do. One of the things that I always recommend when we get into the next part is: bring up Notepad and start taking notes. It's a simple application and you can put a lot of information into it. The other piece that's in there: you can also use OneNote. OneNote is beautiful for taking screen caps and sticking them in

there. It'll tell the time that you were doing things, and in the scenario that I've created here, it'll show your boss: in the 45 minutes you were looking through things, here's the information that you found during this time period. And it'll also do text, those things copied into it. It really is kind of a neat tool to use. Now I'm going to go further into the box here and start talking about the command line. There are 368 different command-line tools in Windows 7 and Server 8, or Server 2008. Not all of them are really available to you, because some of them require elevated privileges and some of them just aren't available on a regular workstation.

There are approximately 60 of them that are going to be helpful in finding out more information about the network. I broke them down into four categories. Your local system information: finding out more about your box, because your box can actually tell you a lot about the ways that the network is connected. The network and remote system information: this is how you're going to go out and find different pieces. And then, once you start knowing where things are at, network and remote access: getting into those things that are out there. And then I've got the advanced tools, the things that are deeper into the box, the things that are probably going to have me doing other

talks, because there's a lot you can do with the tools in that section. Your local system information: here's the whole list of the ones that I think are useful. That's a lot to go through, so I cut it down a little bit. Local system information has the largest number of tools. Some of these things are going to be really familiar to you: ipconfig, arp, net, nbtstat. nbtstat is still in Windows 7, it's in Windows 8. We're supposed to have gotten rid of NetBIOS forever ago, but everybody still uses it. It just amazes me that it's still there.

Some things you might not know or use, because you might use things that are more graphically based. You might use a tool that does all of your registry entries: you've got regedit; you can do registry control via reg. You can look at the routes that are on your network. If you're being passed different routes via DHCP, you'll know that, okay, now I've got two paths to check out when I start pinging things. And whoami. ipconfig: two of the ones that are really, really good in this. /all: this is going to show you your gateways, what network you're on, what your DNS servers are, because that's

going to give you some targets to start looking at when you get into the second section. It also tells you how your box is configured. The other piece that this is really good for: if you reboot, your DNS cache is flushed, but when you reboot and log in, what are the things that you're going to immediately connect to? You're going to connect to your domain controllers, and you're going to need to know the names of them to be able to connect to them, and all of that information is available via the displaydns flag, or the displaydns key or switch. It really is kind of cool to be able to see all of these things that are in

there. If you ever log into somebody's box and you wonder kind of where they've been recently: ipconfig /displaydns. It'll dump the whole thing for you, and you can know where somebody has been browsing on that system. arp: this is your MAC address information. It's really useful for things that are on your same network. Anything that's off your network is going to use the MAC address of whatever gateway that the system goes through. Combined with ipconfig /all and ping, you can determine what type of device is out there, because you have the ability to go out and see what something is. Apple products use Apple network

cards, IBM printers use IBM network cards, HPs the same way. You can start telling things about devices without ever knowing their names. It really becomes something much more useful than just, oh hey, I know a couple of things. I can do an arp -a and show everything. You can start figuring out what these devices immediately around you are. net: this is kind of a powerful command. We used to use it in the DOS days to map network drives. Now you've got some other things that are there. The display that you got when you went into the Explorer to show all the different things: you can do

that at the command line, and it shows as many devices as it's aware of in your domain. net user: you can enumerate local accounts, even ones you don't have access to or that are above privilege to you, so you can figure out some of the things that are there. net statistics: you gather information about the workstation and server processes on the local computer. netstat, or nbtstat: get their NetBIOS information. You can see where your Windows and SMB servers are. Where are your file shares? Where can you start looking for data? Very useful for statistics gathering. It's very useful for figuring out, okay, I get all of these things, okay, this is

where my file shares are, this is where all of the network documents seem to be. I'll be able to start tracking back to those. route: this is your display, your routing information. Are there multiple gateways on your system? That can be very telling on a system. Most people use one route out of a network, but every now and then, in a really complex network, you might have multiple routes to get out of something, set via DHCP on a workstation or manually set on the server. So that's going to tell you a little bit more about that. reg is really good. Now here's one of the crazy things

about this: you can query about 95% of what's in your registry with the reg command. You just need to know what strings to look at, and it'll tell you command completion, it'll show you where pieces of the registry are. You can do it in such a way that you're not making any changes; all you're doing is getting information. And it becomes very easy to start telling information about: okay, here's the domain I belong to, here are the other systems in the forest, what can I start gaining information about? whoami: get your LDAP information about your account. This is going to give you group information, the full string of

where your account is. This can be very, very useful. If you get that list of local accounts that are on the system, or system accounts that are there, you use this, and now you know what the login parameters for that person are going to be, because you can tell based on that what they are. All right, then your network and remote system information gathering. Again, you've got quite a bit of things here that you're going to start looking at, so I narrow it down a little bit more. Again, we've got some things we're familiar with: ping, pathping, tracert, nslookup. But some of the

other ones are more interesting. Off of a Windows system, to another Windows system that you have rights on, you can use some of these things to gather information about that remote box without having administrative rights on the remote box. ping is pretty powerful. You can create scripts that you can use to basically do a ping sweep of an entire network using single pings. I refer to it as the noisy cricket on your computer. The reason I do that is because if you do the standard three pings, any IDS system out there is going to be looking for that. A single here and there, it's not going to notice those as

much, but three pings in a row followed by three pings in a row on the next address, that's where you're going to start running into things. You can resolve hostnames based on IP addresses by having it reach out and touch those things. Limit the number of attempts. You can determine the source address that it's going out from on your box, if your box has multiple addresses assigned to it. This is useful for troubleshooting: if you're sitting there and you try and ping a system and you can't ping it, it may be because it's actually pinging from a source that cannot actually reach that. It may be

something where you've been given two different routes, but the firewall that you're routing through on the secondary interface, the secondary address, is actually looking for a different source address for it to be coming from, other than the one that is currently assigned on your system. And if you've used Windows systems for a long time, you know that, reboot to reboot, there can be times when the source address on your server will change. It can be very frustrating. This will help you troubleshoot that particular one. tracert, not to be confused with Tracer T; YouTube link is right there. You can test the path that your packets take. Rather than just knowing, oh, I got there,

I know what path I followed. Are you taking multiple hops? Am I on the same network? What kind of information can you gather off of that? pathping: I like pathping because not only does it tell you the path that it takes, it tells you basically how responsive the systems are along the path, because it does a whole series of pings along the way. Latency and loss information. You can identify downs are on your network. So if you get a server name and you do a pathping to it, and you get this really long delay during a section of it, that server may not be in your local

office. It may be somewhere remote, and you've just discovered the path that it takes to get to another location in the company. nslookup: you've got the ability to go through and connect to your DNS servers and pull what your domain controllers are. If they've set the for your mail servers internally. You can find your directory replication servers: you've got one shared directory that people are on, that is the master directory that's copied between multiple servers. You can find where all of those servers are, because it uses DNS to sync between them. I like getmac because you have the ability to reach out to another server and go, hey, tell me your MAC address. I

don't know what this remote device is, but if it's a Windows device and I can reach out to it, it'll come back and tell me, oh hey, I've got this MAC address. Okay, now I've got a good guess as to what it is. If it says it's got a Dell network card on it, more than likely it's a Dell server or a Dell workstation that's out there. It really is limited to Windows devices. I would love it if this application had the ability to reach out to anything else and go, hey, can you tell me what your address is, but it doesn't. netsh: you can gather network information about local and

remote systems. Look for other DNS servers that are out there; you can pull that information off of remote boxes. Look for other gateways that are out there, so you can follow different paths. Now, this is one of the more interesting ones that are out there. If you remember, in Windows Server 8 you started putting these up on your network, and you would remote desktop to something, and you needed to put a new address in there, and you inadvertently hit that drop-down and suddenly you have this list of servers that are out there. This is the back-end piece that's going out there and finding out where all of the terminal servers are. This will show you remote desktop

session hosts out there, terminal servers. So now you know what servers can be remotely accessed. That gives you more information about what things are used. If one of them happens to say "bastion host", there's a good sign that that one has access to pretty much everything else you might need access to. Now, getting a little bit tighter: your network and remote system access tools. Again, we've got some that are familiar, finger, mstsc, but a couple that you may not be familiar with, irftp and winrs. finger is kind of one of those funny things. The remote server has got to have the finger service running, but you can gather a lot of information using finger.

You can pull back configuration information, especially if finger is not really well configured on the remote side. If you've got a Windows box running finger, more than likely somebody just turned the service on and it's got no controls on it. You can do user. Windows 2003 and older don't have it, but Windows 2008 and later do. It can be there, and it can be a lot of information that you might not be able to get elsewhere. mstsc: I actually prefer to use this than to pull up the remote desktop client, just because it's a single string; type it up, you're ready to go. You can pass parameters. On 2003 servers you

can get to the admin console, the actual terminal console that's sitting there on the box, so you can get to that, so you don't have two but three remote desktop sessions on a box. You can also set it to non-caching mode, so you're not really caching a lot; your performance degrades a little bit. You can also turn on support for multiple monitors. Here it's an entire script: you can script this out and say, hey, I want to be able to hit this, it'll pop it up and you can put the information in there. You can also put in username and password right there. Of course, it's going to appear in

clear text if you're putting that in a script, so I would advise against that. irftp: one of the things that inspired this talk was, I was doing work for a client, they shipped me a laptop, it's completely locked down. I'm looking at it, and one of the things I notice is, oh hey, it has the USB controls on there, I can't download files off there. Oh, okay, they've got some security thought here. But as I'm prepping this talk, I'm looking: there's got to be some other ways to get around this. Well, if you've got a USB infrared dongle, you plug that in, it's an HID device, it's not a storage device, so those USB

controls don't affect it. irftp: I can FTP files to another system using infrared. I just have to be within close distance. I can put another notebook right up next to it and transfer files right across. I think that one's pretty scary. I don't know why that's there. I think a lot of it was originally designed for syncing a phone, passing data to a phone that would have those infrared systems on it, passing data to a printer. But you can do storage transfers with it. I mean, you are going across infrared, so it is pretty slow, so if you're going to copy 10 gigs of files, be prepared to wait.

winrs: basically a remote shell on a system. Manage and execute processes on there. You can call any and all of the related commands that we've talked about so far here on those remote systems, if you've got the right rights to be able to do it. And since these have all been basic utilities, you can winrs and tell it to give you back that up of a system, so you're able to pull data and information off of that remote box. So now your advanced tools. These are the things that are a little more in depth; they've got a little more to them, and a couple of them start to get

into that gray, almost black area, because they're a little more powerful than that; you really need elevated privileges to get them. I also refer to these as my opportunities for more talks. comp: it's a file compare utility. I can look at two servers and compare information that's on those two systems, see if there are differences. What kind of information can I gather from these boxes? Once you find something of interest and it's in two possible locations, you find a password.txt file on two different servers, you want to compare the two, see if they're exactly the same even though they've got different dates. That'll be able to tell you if

they're the same. runas: now, this is definitely going to get you into the "don't elevate your privileges", because this is the way you elevate your privileges. It's Windows' version of sudo. It allows you to run more tools: reg add, reg delete, wi wiat, which is going to give you even more information than a lot of the utilities that we've talked about so far. wmic: it's a powerful tool for gathering information, scheduling tasks, launching applications, querying event logs, rebooting systems. wmic can be really useful for looking on your own box, to go through your log files to know, hey, I want to know what's connecting to me, I want to see what services have gone

up and down in the last few hours on this box. It can be local and remote. It's very, very powerful. Pretty much everyone who hasn't mastered it yet has told me it's very complicated, and it can take a long while to really get used to some of the tweaks that are in there, but once you get your mind around it, it's really a powerful tool. A lot of that pushback from wmic got put into PowerShell, and Microsoft refers to it as a task-based command-line shell and scripting language designed for administration. There are a lot of things you can't do on a default box. You don't have telnet,

you can't do a port scan, you can't really do sed and awk file changes within the system. You've got the ability to do add-ons into this that'll allow you to do SSH. You can do HTTP GETs, HTTPS, so you can use APIs. And some of the things that you can do with Python or some other languages that are out there, you can do in PowerShell, so a lot of scripting that is in Python will translate over there. It's going to be a little clunky, because not all of the same things are there, but you really have the ability to use it. I'm currently work... this is the next

piece that I'll talk about in more depth, because there's a lot to it. telnet not being on your system can be really frustrating, because even though we don't telnet to other boxes, the thing we use it for now is: I want to go check and see if a port is specifically open on a box. That's what most people use telnet for now, and when we don't have it, it gets really frustrating to go "telnet... oh, it's not installed". You can use PowerShell to go out and do those port checks. You can actually do a bunch of scripting with this and be able to reach out to various

different boxes and do health checks on them hey is Port 80 up no okay connect to the remote box recycle the the the worldwide web service so that make sure that's back up do I am I having issues what kind of things can you do with that and you can do if thens within it it really is powerful now I'm open it up to questions um so when you do an information gathering are you compiling a final report in this scenario in this scenario not necessarily a final report for the 45 minutes your b the original idea is how much information can you get what can you find out about the network in this and it's really okay so what do you

know? What can you do? Because you've got the job, now you've got to prove that you know things, and these are some really pretty straightforward, pretty simple tools to be able to reach out and do things on a very locked-down box. You could probably just patch the output to a file. Mm. That way you can easily just say, here's all the files, here's everything I found. Yep, and that can do that. Yes? Have to ad right to set... Depends. The way you get around doing unsigned like that is you open the script up and copy and paste it in,

so, unfortunately, if you've got access to the box, signed/unsigned kind of goes away, because you can open up the script and just run it a line at a time to get that information. Go new script? Yes, that is then signed by your local system, which then says, oh hey, I can run that. Any other questions? Are all the catch names stting one? I have no idea. These were all ones that I grabbed off of Flickr using the Creative Commons search off of creativecommons.org, so I thought each one seemed to fit the slides. So, any other

questions? Yeah, PowerShell can open up a whole world of things that you can do with a box, and most of them don't even require that you elevate your privileges. And that's one of the other things: you can run a PowerShell script as somebody else using runas. So one of the things that I use PowerShell for quite often is, I dump out configurations from firewalls, and because I'm on a Windows platform, I use it for sed and awk commands, to find things and change things and gather more information out of just a plain dump of a firewall config, and then make

the changes that I need to do and report the lines that I've changed, so that it can be a very functional thing. I can do an entire report into an Excel spreadsheet, using that to pull it out of the firewall and then put it into the Excel spreadsheet, broken down by what type of rule it is, the name, what the configuration is. So it can be very powerful for tweaking and modifying the information that you've gathered in other things. Yes? Yes, so it is. The more I use PowerShell, the more I enjoy it, so I think it's definitely something, if

you haven't touched it yet, really get into it, because Microsoft, even on their server side, has moved a lot of things into PowerShell. Exchange: the last couple of versions of Exchange, there are things you can't do in the GUIs; you actually have to go to PowerShell and make these changes there. One of the other things that's really useful about that is you can script out entire changes for those kinds of things. Say your company gets purchased and you need to change everyone's email address name, add an email address to absolutely everyone. You run a script to do that rather than going in and clicking and

adding and clicking and adding and clicking and adding. It'll take you 45 minutes to write the script to do that, or three days to go through 3,000 people.

Yeah. I worked for a web hosting company for about three years, and one of the guys I worked with hammered into everybody who was new and who was coming in to do things: if you do something once, get it done; if you do something twice, script it, because there's going to be a pretty good possibility that you're going to have to do it more times than twice. So the more you get into scripting, you actually can simplify your life, and you can get into doing more other things of the thinking inside the box. If you spend all your time going clicky clicky clicky click to get through things, you don't

have time to go look and parse your logs, to be able to look for: hey, I've had somebody trying to log in to this box remotely for the last two days. You can use PowerShell to go through and pull those logs and be able to say, okay, I'm looking for denies on this, and if I see X number within this amount of, send an email to this email address: hey, I've seen 15 attempts to log into this system that were unsuccessful in the last three minutes. That's typically an indication that someone is going after your system, or someone has completely forgotten their password

and you need to go do that. Being able to call someone because they've tried their password six times and their account is locked out, and go, "Hey, I noticed your account was locked out, do you want me to reset that for you?" does amazing things to your work relationship with those people, because you're now looking out for them. You're able to do things proactively; you're not waiting to get a call to fix something. That proactive nature wins you points with everybody you work with, because you're looking out for them. They're able to continue to do their job rather than have to pick up their phone and go through the help desk

and all of these things. The more you can do in a proactive and active form, the better off your life is going to be. You'll get to do more of those fun things, like reading logs. And really, if you're reading logs now, other than to find out: oh hey, I installed a new piece of software, I need to figure out how it actually writes logs into the log system, what information is there. So go in and write scripts to look for things that are related to that. Stop and start the service, see if you can kill the service, see what it does when those things happen. So you can

script all of that, so you can set alerts for your PowerShell to kick off on a regular basis to do those kinds of things. if you're just to yours at to events good out to build

Anyone else? I just want to agree with what he said. Yeah, I definitely agree with what Tim has brought up: take a focused approach to anything you do. A lot of people troubleshoot in a nonlinear fashion: this popped into my head, this popped into my head, this popped into my head. If you can start doing those kinds of things a little more linearly: what are the top 10 things that are going on? All right, we've got these kinds of issues going on here, this particular thing has been hitting us again and again and again. When you focus on that, now I can focus on the next thing that's doing

it. Low-hanging fruit, high-visibility things: when you take care of those kinds of things, your stock in the company will go up, because if it's something that takes down the system and it's something simple to fix, your bosses will love you, because you're looking out for things. If you stop being reactive, of "oh hey, the server is down", you really get a lot more interaction with your boss, and you can actually start getting more than just "here's an assignment, here's the thing". They'll start asking you, "Hey, what do you want to add to this?" So you can walk in and on your first day show your boss everything

that you found, and then you can start saying, here are the things that I kind of noticed about this, here are the things that I suggest that we start moving. Because this could really be a test more than anything. It's not just necessarily that everybody gets non-administrative access to their machine and the ability to do that; it could simply be a test of what you are able to do when you don't have a lot and

jam if you got fragile thats Over All you can now go in and look at the logs maybe when ites it doesn't WR logs that it wres there every seconds so instead Windows say it's still running if you look in the say know it's been minutes I haven't seen any activity from this software in the log you can just go ahead and stop the service restart it and that it crashed day this time continue call from say oh the server's done again I know you just left the office you turn around and come back it's 5:00 get this you can't go to your meeting afternoon Issa or is to because this is fall over again 10 time this

It's definitely true: a proactive approach and inside the box, knowing your box, what it does, what applications are there. With PowerShell you can have your box tell you, oh, these are all the applications that are installed. Have that run on a daily, weekly basis and have it compare the two, and when you see a change and you haven't installed anything on there, okay, what's going on here? If it's got a Q number in a string, oh, it got patched by our patch server. That's something new that's there, that's something that I just need to go back and verify that that was something we actually pushed

out, a little easier to do. But if suddenly you've got a whole bunch of new processes that are running on here, now you can start looking at it: okay, so what can I do, what can I start reaching out and start doing with this box? Proactive administration: being able to reach in and know what your box does. I've been on numerous conference calls where I've asked the person who has identified themselves as the server owner, the server administrator, what software do you have installed on this server, and the response is, I don't know. I don't get that. Being proactive and knowing what's on there, then you can know, oh hey,

this software is running on here. I don't think anybody thinks that it's still running on here, but I'm still getting connections on it. I know it was supposed to move to another server, I think they haven't reconfigured the other end properly. So maybe we just need to sit down and have a talk with your application people of, hey, I know you thought you moved it over here, but I'm still seeing traffic for it. Your netstats, you can start pulling netstat via PowerShell, because any of those other commands that are there, you can have PowerShell call them and pull that information in

says, okay, here's my netstats, here are all the connections. If I say, okay, number of connections to this particular server, it's a remote desktop server or it has a specific purpose, and this particular port should have like between 60 and 500 connections at any given point, but we do occasionally spike up to a thousand. So if I hit 10,000, if I do a netstat and it shows me, oh hey, I've got, 148 connections going on this, I want to be alerted on that, because that's more than double what I'm expecting, and you need to be able to react

to that. Finding out about an incident six months down the line, because all the credit cards that you had on your system at that time had gotten compromised, is a lot different than, oh hey, we saw this start, we blocked remaining numbers of those connections.

Right, because all of these tools become more powerful for you once you start being able to use all the things that you can run with elevated privileges. So you've got, it gives you opportunity and it gives you those is to run things and gather more information, because knowing what your system is doing, knowing what it's connected to, goes beyond this worst case scenario of your first day on a new job, where you're sitting there and trying to find out what's all out there, and it becomes more powerful of: in our server subnet I've got 52 servers, suddenly I've got six servers in there, and I'm the only person who installs systems into that

network, something's going on. Having the ability, if you don't provide Wi-Fi, or you've got a segment of your network where there isn't a Wi-Fi hotspot and it's done there intentionally, you can start scanning your IP ranges and look, especially in the segment that you know covers that particular area. If you see a new device that matches a vcon or a, that's one of a home-based router's MAC address, you know, have the ability to start go looking for, hey, somebody's plugged in a wireless access point over

herea IP add has just g a

any any any other

questions? I want to say thank you to SecKC, who actually helped me come up with the concept for doing this talk. We do five-minute tool talks on C Linux, we do three of those every month, and I'm sitting there and I was preparing one to give, because I found a tool that I really liked, and I went, wait a minute, what about all the tools that are in Windows? Let's go back and start looking at some of those. BSides Las Vegas for having me, and Skytalks over at DEF CON for allowing me to present there as well. Inspired me for this were jurist Heaven Sent and Jason Street.

Thanks to my wife and daughter and the furry animals that live and work in my office and keep me company during a good day, and thank you to all of you for coming tonight. I really appreciate you coming out and spending some time with me. Now I'm gonna go take a nap, I'm kind of tired. [Applause]
