Monday, July 27, 2009

Getting into a Gold Disk-locked laptop and scanning a laptop not set up with network connectivity

Back from testing. It was a packed couple of days, and we worked in a pretty tough environment. Anyway, we had two sets of laptops that Retina could not scan because it couldn't connect to the registry, even when we had the correct admin user name and password.

In the first case, we needed to scan two laptops that were not connected to the network. We had crossover cables, and we tried running the scans; each time, though, we couldn't connect to the registry. My co-worker came up with a good trick. Because the laptops were in a workgroup, we were able to run the network setup. From there we ran the wizard, picked home network, but didn't actually set up anything. The process installs and starts the "Server" service, which allows the sharing of the drive. After that, we were able to run our scan and connect to the registry.

The second case presented an interesting problem. Again, we couldn't connect to the registry. This time, however, a little investigating turned up the cause. The client had run Gold Disk on the machine and immediately clicked "remediate" when Gold Disk finished. Yep, they locked up the box something good. Logging in to the machine from the network was not possible. To fix this, we went to Control Panel -> Administrative Tools -> Local Policies -> Security Options. From there, allow network login access.
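A pre-flight check a tester can run on the laptop before kicking off the scan, covering both of the problems above (the missing Server service and the network logon right that the Gold Disk remediation tightened). This is an added PowerShell example, not from the original post; it assumes it is run from an elevated prompt on the target machine and that secedit.exe is present (it ships with Windows).

```powershell
# Added example (not from the original post): pre-flight check for an authenticated
# Retina-style scan. Verifies the two services a remote registry connection needs
# and the logon rights that a Gold Disk "remediate" pass can tighten.
# Assumes: run elevated on the target laptop; secedit.exe available on the PATH.

param([switch]$Fix)   # -Fix starts stopped services; without it the script only reports

$services = @{
    'LanmanServer'   = 'Server (file/print sharing, admin$ and IPC$ shares)'
    'RemoteRegistry' = 'Remote Registry (what the scanner actually connects to)'
}

foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "$name not installed: run the Network Setup Wizard once to add it"
        continue
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "$name is $($svc.Status) - $($services[$name])"
        if ($Fix) {
            Set-Service -Name $name -StartupType Automatic
            Start-Service -Name $name
            Write-Host "Started $name"
        }
    } else {
        Write-Host "OK  $name running"
    }
}

# Export only the user-rights area of the local policy and read the two network logon rights.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rights = Get-Content $cfg | Where-Object { $_ -match '^Se(Deny)?NetworkLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($line in $rights) {
    $setting, $sids = $line -split '=', 2
    # S-1-5-32-544 is the built-in Administrators group. The scan account must be
    # granted SeNetworkLogonRight and must not appear in SeDenyNetworkLogonRight.
    Write-Host ("{0,-24} {1}" -f $setting.Trim(), $sids.Trim())
}
if (-not ($rights -match '^SeNetworkLogonRight')) {
    Write-Warning 'SeNetworkLogonRight is empty: nobody can log on over the network (the Gold Disk lockout)'
}
```

Run it once before the scan and again after any change; if it reports the services running and the scan account's group in SeNetworkLogonRight, the registry connection failure is somewhere else (firewall, credentials, name resolution).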

Friday, July 17, 2009

Exchange 2003/2007 benchmark tool?

I've got a testing engagement next week that covers lots of technologies. One type of server we will be testing that we normally do not test is an Exchange server. As of today, the DISA checklist is in draft. That will help us out. However, while searching for further guidance, I came across CISecurity's benchmark page. They have a page dedicated to Exchange, and it appears that they had a tool at one time, but there is no longer a link to the tool.

Does anyone have a tool that will run against an Exchange Server looking at Exchange specific issues? Certainly, the server will have Gold Disk, Oval and Retina run against it looking for vulnerabilities, but I'm looking for something more targeted.

Friday, July 10, 2009

Reading List

I'm just starting the SANS 508 class in the @Home format. That will prevent me from doing as much reading as I would like. And, in the class, we'll be reading File System Forensics (which I can't wait to delve into).

After that, my list looks like:

  • Perl Scripting for Windows Security by Harlan Carvey
  • Windows Forensics Analysis (2nd Edition) by Harlan Carvey
  • SQL Server Forensic Analysis by Kevvie Fowler
  • Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition by Mark Russinovich and David A. Solomon
  • SQL Injection Attacks and Defense by Justin Clarke
  • The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto
  • The Seven Deadliest Web Application Attacks by Mike Shema
  • Hacking Exposed Web Applications (2nd Edition) by Joel Scambray, Mike Shema, and Caleb Sima

edit 7-13-09 to add SQL Server Forensic Analysis
edit 9-1-09 to add Windows Internals
edit 12-5-09 to add SQL Injection Attacks and Defense
edit 1-7-2010 to add The Web Application Hacker's Handbook
edit 3-3-2010 to add the Seven Deadliest Web Application Attacks
edit 3-27-2010 to add Hacking Exposed Web Applications

I'm still alive...

I've been away on a week's vacation. And I've spent this week reconnecting to the real world. So, that's why there have not been any posts for a bit. A couple of odds and ends:

  • The books and materials for the SANS 508 class have been arriving over the last two days. I must say, I feel like it's Christmas time, and I can't wait to tear into them. If you've never taken a SANS class, I highly recommend it. I took 504 with Ed Skoudis, and I'll be taking 508 with author Rob Lee.

  • 363 days (or so) until the next WhatWorks Summit in Forensics and Incident Response. I'm using this year's training budget to take the 508 class. Many of my co-workers are using their training budget by going to Black Hat / Defcon. Next year, my money is going to the Summit. I've missed it the last two years; I don't want to miss it again. I'm already starting to read reports on this year's summit in the blogosphere.

  • With regards to my own company, I'm really pushing to get into the corporate environment. I've done a lot of residential work, and while it pays the bills, it's not where my heart is. First stop is to revamp the website, then jump into the marketing (yuck). I'm hoping it will pay off.

So, I expect to be busy for a bit. I've got a testing trip coming up, and another potential trip in August. I hope to keep making time to write up my thoughts.