Category: Computers and Internet


Remotely enable PSRemoting and Unrestricted PowerShell Execution using PsExec and PSSession, then run PSRecon

Option 1 — WMI:
PS C:\> wmic /node:"10.10.10.10" /user:[admin account name] process call create "powershell -noprofile -command Enable-PSRemoting -Force"

Option 2 – PsExec:
PS C:\> PsExec.exe \\10.10.10.10 -u [admin account name] -p [admin account password] -h -d powershell.exe "Enable-PSRemoting -Force"

Next…

PS C:\> Test-WSMan 10.10.10.10
PS C:\> Enter-PSSession 10.10.10.10
[10.10.10.10]: PS C:\> Set-ExecutionPolicy Unrestricted -Force

Then…

Option 1 — Execute locally in-memory, push evidence to a share, and lock the host down:
[10.10.10.10]: PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://github.com/gfoss/PSRecon/psrecon.ps1')
[10.10.10.10]: PS C:\> Copy-Item PSRecon_* -Recurse [network share]
[10.10.10.10]: PS C:\> rm PSRecon_* -Recurse -Force
[10.10.10.10]: PS C:\> Invoke-Lockdown; exit

Option 2 — Exit PSSession, execute PSRecon remotely, send the report out via email, and lock the host down:
[10.10.10.10]: PS C:\> exit
PS C:\> .\psrecon.ps1 -remote -target 10.10.10.10 -sendEmail -smtpServer 127.0.0.1 -emailTo greg.foss[at]logrhythm.com -emailFrom psrecon[at]logrhythm.com -lockdown

Be careful! This will open the system up to unnecessary risk!!
You could also inadvertently expose administrative credentials when authenticating to a compromised host.
If the host isn't taken offline, disable PSRemoting and revert the Unrestricted PowerShell execution policy once PSRecon has finished.
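
One way to do that rollback, as an added example that is not part of the original post or of PSRecon. The function name Restore-RemotingBaseline and the default policy are hypothetical; it assumes WinRM was off before the investigation, an English-language firewall rule group name, and Windows 8 / Server 2012 or later for the firewall cmdlet.

```powershell
# Added example: undo the changes made on the host for PSRecon.
# Run from an elevated local console, because step 2 removes the listener
# that a remote session would be using.
function Restore-RemotingBaseline {
    # Assumption: 'Restricted' was the policy before; pass your own baseline.
    param([string]$BaselinePolicy = 'Restricted')

    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # 1. Deny remote access to every session configuration.
    Disable-PSRemoting -Force -WarningAction SilentlyContinue

    # 2. Disable-PSRemoting leaves the listener in place; remove it while
    #    the WinRM service is still running.
    Remove-Item -Path 'WSMan:\localhost\Listener\Listener*' -Recurse

    # 3. Stop the service and keep it from starting at boot.
    Stop-Service -Name WinRM -Force
    Set-Service -Name WinRM -StartupType Disabled

    # 4. Close the firewall exceptions that Enable-PSRemoting opened.
    Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'

    # 5. Restore remote UAC token filtering for local administrator accounts.
    Set-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy -Value 0

    # 6. Replace the Unrestricted execution policy.
    Set-ExecutionPolicy -ExecutionPolicy $BaselinePolicy -Scope LocalMachine -Force

    # Report the resulting state so it can be attached to the case notes.
    $svc = Get-Service -Name WinRM
    [pscustomobject]@{
        WinRMStatus       = $svc.Status
        WinRMStartType    = $svc.StartType
        ExecutionPolicy   = Get-ExecutionPolicy -Scope LocalMachine
        TokenFilterPolicy = (Get-ItemProperty -Path $uacKey).LocalAccountTokenFilterPolicy
    }
}

Restore-RemotingBaseline
```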


Windows XP/2003/2012 and greater support drive mapping back to the client workstation during a Terminal Services (Remote Desktop) session. This means you can copy files from the server to the client and vice versa.

Each volume (removable, fixed or network) available on the client workstation is mapped (A for drive A:, C for drive C:, X for drive X: etc) and the remote Terminal Services session inherits the user’s permission. So if you are logged on to the workstation as user A and you log in to the Terminal Services server as user B, the session will have access to the drives according to A’s permissions.

Drives can also be mapped like a network drive. The client drives are accessible as \\TSCLIENT\C. Note that the client workstation's machine name is not used; it is always referenced with the generic name TSCLIENT.

To display the files on TSCLIENT:

DIR \\TSCLIENT\C

So you can map a drive as follows:

NET USE Y: \\TSCLIENT\C

or simply use the Universal Naming Convention (UNC) syntax:

COPY \\TSCLIENT\C\MYDIR\*.XLS D:\DOCUMENTS\ 

example:

ROBOCOPY \\TSCLIENT\C\MYDIR D:\DOCUMENTS *.XLS /Z /ETA

ROBOCOPY \\TSCLIENT\C\MYDIR D:\DOCUMENTS *.* /MIR /Z /ETA /r:1 /w:1 /Log+:d:\log.txt

 

Note: If you receive an “Attempt to access invalid address” error when using the UNC path \\tsclient\c, then the problem is on the client side.

Likely causes: the Windows firewall is turned on and blocking file shares, "File and Printer Sharing for Microsoft Networks" is turned off in the NIC properties, the Server service is disabled, or simple file sharing is enabled on the client.

 

How to create and deploy a client certificate for Mac: http://blogs.technet.com/b/configmgrteam/archive/2013/04/05/how-to-create-and-deploy-a-client-cert-for-mac-independently-from-configmgr.aspx

Transforming .cer to .pem or vice-versa: https://www.sslshopper.com/ssl-converter.html

Using OpenSSL to convert a certificate from one format to another: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

Exporting a private key: https://technet.microsoft.com/en-us/library/cc754329.aspx

 

 

https://gallery.technet.microsoft.com/Cryptography-Fundamentals-0e08b260

Types of Security Zones

Internet Zone

This zone contains Web sites that are not on your computer or on your local intranet, or that are not already assigned to another zone. The default security level is Medium.

Local Intranet Zone

By default, the Local Intranet zone contains all network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), as long as they are not assigned to either the Restricted Sites or Trusted Sites zone. The default security level for the Local Intranet zone is set to Medium (Internet Explorer 4) or Medium-low (Internet Explorer 5 and 6). Be aware that when you access a local area network (LAN) or an intranet share, or an intranet Web site by using an Internet Protocol (IP) address or by using a fully qualified domain name (FQDN), the share or Web site is identified as being in the Internet zone instead of in the Local intranet zone. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

303650 Intranet site is identified as an Internet site when you use an FQDN or an IP address

Trusted Sites Zone

This zone contains Web sites that you trust as safe (such as Web sites that are on your organization’s intranet or that come from established companies in whom you have confidence). When you add a Web site to the Trusted Sites zone, you believe that files you download or that you run from the Web site will not damage your computer or data. By default, there are no Web sites that are assigned to the Trusted Sites zone, and the security level is set to Low.

Restricted Sites Zone

This zone contains Web sites that you do not trust. When you add a Web site to the Restricted Sites zone, you believe that files that you download or run from the Web site may damage your computer or your data. By default, there are no Web sites that are assigned to the Restricted Sites zone, and the security level is set to High.

The Restricted Sites zone contains Web sites that are not on your computer or on your local intranet, or that are not already assigned to another zone. The default security level is Medium.

Note: Security settings are applied only to files on your computer that are in the Temporary Internet Files folder. These settings use the security level of the Web site from which the files came. All other files are assumed to be safe.

Comparing the IE security zones (IEZoneAnalyzer tool):

http://blogs.technet.com/b/fdcc/archive/2009/10/01/viewing-and-comparing-ie-security-zone-settings.aspx

See also  http://blogs.technet.com/b/fdcc/archive/2011/04/14/iezoneanalyzer-v3.aspx

Setting up Trusted Zones for all your users on the network

Edit your IE settings GPO (or create a new one) with the following:

Computer Configuration – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page – Site to Zone Assignment List – Enabled

Then click the Show button and add the appropriate Value Name and Value, e.g. http://www.mycleverwebsite.com with a value of 2 for the Trusted Sites Zone, or 1 for the Intranet Zone.

NOTE: Users cannot modify the list themselves; it is locked down via this GPO.
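
To check what the GPO actually delivered to a machine, the list can be read back from the policy registry key and resolved to zone names. This is an added example, not from the original post; the function names, the review heuristics and the sample entries (other than the site named above) are constructed for illustration.

```powershell
# Added example. Zone numbers 1 and 2 are the values named above;
# 3 (Internet) and 4 (Restricted Sites) complete the standard set.
$ZoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

# Read the list that the Computer Configuration policy writes to the registry.
function Get-PolicyZoneMap {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $map = @{}
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) { $map[$name] = [string]$item.GetValue($name) }
    }
    return $map
}

# Resolve each entry to a zone name and flag entries worth a second look.
function Get-SiteToZoneReport {
    param([hashtable]$Assignments)
    foreach ($site in ($Assignments.Keys | Sort-Object)) {
        $value = [string]$Assignments[$site]
        $notes = @()
        if (-not $ZoneNames.ContainsKey($value)) { $notes += 'value is not a zone number 1-4' }
        if ($value -in '1', '2') {
            if ($site -like 'http://*') { $notes += 'plain HTTP site in a low-restriction zone' }
            if ($site.Contains('*'))    { $notes += 'wildcard covers every matching host' }
        }
        [pscustomobject]@{
            Site  = $site
            Value = $value
            Zone  = $ZoneNames[$value]
            Notes = $notes -join '; '
        }
    }
}

# Constructed sample list, used when the policy key is absent on this machine.
$sample = @{
    'http://www.mycleverwebsite.com'  = '2'
    'https://*.example.internal'      = '1'
    'https://portal.example.internal' = '2'
    'https://files.example.internal'  = '7'
}
$map = Get-PolicyZoneMap
if ($map.Count -eq 0) { $map = $sample }
Get-SiteToZoneReport -Assignments $map | Format-Table -AutoSize
```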

For security regulation and compliance reasons, what are the ways to proactively monitor Windows shares and the file system? The answer: there is no built-in Windows tool for this other than NTFS auditing or the PowerShell FileSystemWatcher primitives. This activity can be time-consuming and can drastically increase the IT workload, with an impact on server performance as well. Be careful when implementing NTFS auditing or when selecting a third-party tool.

Here are some third-party tools:

www.quest.com (cf. Quest Change Auditor for File Servers)

www.ManageEngine.com

www.beyondtrust.com

www.isdecisions.com

www.gfisecurity.com

Otherwise, there are some freeware tools (not enterprise-class products): Netsharemonitor, Sharewatch, Sharemonitor
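
A minimal FileSystemWatcher monitor, as an added example that is not from the original post. A temporary directory stands in for the share's local path (assumption) and the file activity is constructed. The events carry path, change type and time but no account name, so attributing a change to a user still needs NTFS auditing.

```powershell
# Added example. Replace $path with the local folder behind the share.
$path = Join-Path ([IO.Path]::GetTempPath()) ("fsw-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $path | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher $path
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = 'FileName, DirectoryName, LastWrite, Security'
$watcher.InternalBufferSize = 65536   # default is 8 KB; busy folders overflow it

# The Error event fires when changes arrive faster than the buffer drains,
# which means notifications were lost and the record has a gap.
$names = 'Created', 'Changed', 'Deleted', 'Renamed', 'Error'
foreach ($n in $names) {
    Register-ObjectEvent -InputObject $watcher -EventName $n -SourceIdentifier "fsw.$n" | Out-Null
}
$watcher.EnableRaisingEvents = $true

# Constructed activity so the example produces output offline.
Set-Content -Path (Join-Path $path 'budget.xls') -Value 'constructed sample'
Rename-Item -Path (Join-Path $path 'budget.xls') -NewName 'budget-old.xls'
Remove-Item -Path (Join-Path $path 'budget-old.xls')
Start-Sleep -Seconds 1

# Each queued event gives the time, the kind of change and the full path.
Get-Event | Where-Object { $_.SourceIdentifier -like 'fsw.*' } | ForEach-Object {
    [pscustomobject]@{
        Time  = $_.TimeGenerated
        Event = $_.SourceIdentifier
        Path  = $_.SourceEventArgs.FullPath
    }
} | Format-Table -AutoSize

# Clean up subscriptions, queued events, the watcher and the demo folder.
foreach ($n in $names) { Unregister-Event -SourceIdentifier "fsw.$n" }
Get-Event | Where-Object { $_.SourceIdentifier -like 'fsw.*' } | Remove-Event
$watcher.Dispose()
Remove-Item -Path $path -Recurse -Force
```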

 

http://msdn.microsoft.com/en-us/library/windows/hardware/dn529134

 
Windows 2008 R2 RTM is announced for Week 29
 
Main benefits:
 
ADDS improvements: new management console, 85+ PowerShell cmdlets
PowerShell v2 and Windows remoting
ADCS: new inter-forest support and new cryptographic providers
Core server: will support .NET Framework and IIS 7.5
Hyper-V v2 with live migration