Sunday, May 31, 2020

Using WMIC to communicate with remote hosts

With wmic we can list and control processes, pull inventory data and run commands on the local computer or on remote hosts. Commands for various operations are below. Note that WMIC itself is deprecated in current Windows releases (it ships as an optional feature, with Get-CimInstance and Invoke-CimMethod as the replacements), but the WMI classes it queries are unchanged, so every query below maps directly onto those cmdlets.

WMIC can collect a list of the currently running processes similar to what you’d see in “Task Manager” using the following command:
#wmic process list

Note that some of the WMIC built-ins can also be used in “brief” mode to display a less verbose output. The process built-in is one of these, so you could collect more refined output using the command:
#wmic process list brief

Start an Application
#wmic process call create "calc.exe"

Terminate an Application
#wmic process where name="calc.exe" call terminate

Change Process Priority
#wmic process where name="explorer.exe" call setpriority 64    //64 = idle, 32 = normal, 128 = high, 256 = realtime (Win32 priority class values)

Get List of Process Identifiers
#wmic process where (Name='svchost.exe') get name,processid

Find a specific Process
#wmic process list brief | find "cmd.exe"    //the output must be piped into find; wmic does not know find as a verb

You can collect a listing of the environment variables (including the PATH) with this command:
#wmic environment list


OS/System Report HTML Formatted
#wmic /output:c:\os.html os get /format:hform

Products/Programs Installed Report HTML Formatted
#wmic /output:c:\product.html product get /format:hform

Turn on Remote Desktop Remotely
#wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="servername" call SetAllowTSConnections 1
(no space between /password: and the value; the ServerName in the where clause is the target's own computer name)

Get Server Drive Space Usage Remotely
#WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV
(%%A is the loop variable of a batch FOR /F over a server list, e.g. FOR /F %%A IN (servers.txt) DO ...; at an interactive prompt write %A instead. The output must be piped into MORE, which with /E +2 skips the blank line and the header row wmic emits, so only data rows are appended to the CSV.)

Get PC Serial Number
#wmic /node:<IP address> bios get serialnumber

Get PC Product Number
#wmic /node:"HOST" baseboard get product

Find stuff that starts on boot
#wmic STARTUP GET Caption, Command, User

Reboot or Shutdown
#wmic os where buildnumber="2600" call reboot
(the where clause matches only Windows XP, build 2600; drop it, or adjust the build number, on other versions. "call shutdown" powers the machine off instead of rebooting it.)

Get Startup List
#wmic startup list full

Information About Harddrives
#wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Information about os
#wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm

Information about files
#wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\filedetails.txt
(Backslashes inside the WQL string literal must be doubled, otherwise the query fails. Add Drive='c:' to the where clause so that only one volume is searched; CIM_DataFile queries are slow.)

The following global switches are available:
/NAMESPACE           Path for the namespace the alias operate against.
/ROLE                Path for the role containing the alias definitions.
/NODE                Servers the alias will operate against.
/IMPLEVEL            Client impersonation level.
/AUTHLEVEL           Client authentication level.
/LOCALE              Language id the client should use.
/PRIVILEGES          Enable or disable all privileges.
/TRACE               Outputs debugging information to stderr.
/RECORD              Logs all input commands and output.
/INTERACTIVE         Sets or resets the interactive mode.
/FAILFAST            Sets or resets the FailFast mode.
/USER                User to be used during the session.
/PASSWORD            Password to be used for session login.
/OUTPUT              Specifies the mode for output redirection.
/APPEND              Specifies the mode for output redirection.
/AGGREGATE           Sets or resets aggregate mode.
/AUTHORITY           Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>]    Usage information.



Use Case Example 01:
Use of WMIC to query remote servers for their hardware serial numbers.

To run against an entire subnet and write the result to a file, I used the approach below. It helps me verify the computer inventory.

I placed the IP list after /node: as /node:ip1,ip2,ip3, or, when the list was large, in a text file referenced as /node:@file:

#wmic /node:@nodes.txt /user:administrator /password:mypassword /output:out.csv bios get serialnumber /format:csv

Two things to watch. A password given with /password is visible to anyone who can read the process command line (wmic process get commandline, or Security event 4688 when command-line auditing is on) and it stays in the console history; leave /password out and wmic prompts for it. And wmic writes its output as UTF-16 text, so whatever parses out.csv must expect that encoding rather than ASCII.

Use Case Example 02:
While investigating suspicious behaviour recorded on Windows computers, I have sometimes seen entries like the ones below, which are suspicious:

#wmic  /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c start c:\windows\system32\<processname>.exe"

#wmic  /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c del c:\windows\system32\<processname>.exe"

This is remote command execution over WMI (MITRE ATT&CK T1047): someone with valid credentials launches a binary staged under system32 on the target and then deletes it to remove the evidence. On the target, the cmd.exe that WMI launches appears in Security event 4688 (or Sysmon event 1) with WmiPrvSE.exe as its creator/parent process, preceded by a network logon (event 4624, logon type 3) for the account used. On the source host, if command-line auditing is enabled, the 4688 event for wmic.exe records the whole command line, password included.
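As an added example (not from the post): the detection logic a responder would run over exported 4688 events to surface this pattern. The event text, account and file names are constructed for the example; the only real claim built in is that WmiPrvSE.exe is the creator process of anything started through Win32_Process.Create.

```python
import re

# Constructed sample of Windows Security 4688 events (process creation) in the
# key/value form Event Viewer exports. Not real data from the post.
SAMPLE_4688 = r"""
Time: 2020-05-31T10:15:02
Account Name: svc_backup
New Process Name: C:\Windows\System32\cmd.exe
Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Process Command Line: cmd /c start c:\windows\system32\updater.exe

Time: 2020-05-31T10:15:03
Account Name: svc_backup
New Process Name: C:\Windows\System32\updater.exe
Creator Process Name: C:\Windows\System32\cmd.exe
Process Command Line: c:\windows\system32\updater.exe

Time: 2020-05-31T10:18:40
Account Name: svc_backup
New Process Name: C:\Windows\System32\cmd.exe
Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Process Command Line: cmd /c del c:\windows\system32\updater.exe

Time: 2020-05-31T11:00:00
Account Name: alice
New Process Name: C:\Windows\System32\notepad.exe
Creator Process Name: C:\Windows\explorer.exe
Process Command Line: notepad.exe
""".strip()

WMI_HOST = "\\wmiprvse.exe"          # WmiPrvSE.exe hosts Win32_Process.Create
STAGE_RE = re.compile(r"\b(start|del)\s+(\S+\.exe)", re.IGNORECASE)


def parse_events(text):
    """Split an export into events; each event is a dict of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        events.append(ev)
    return events


def wmi_spawned(ev):
    return ev.get("Creator Process Name", "").lower().endswith(WMI_HOST)


def find_wmi_executions(events):
    """Every process created by WmiPrvSE.exe: the footprint of
    'wmic process call create', whether it was run locally or via /node."""
    return [ev for ev in events if wmi_spawned(ev)]


def find_stage_and_delete(events):
    """Correlate a WMI-launched 'start <path>' with a later WMI-launched
    'del <path>' of the same file, the sequence shown in the post."""
    started, findings = {}, []
    for ev in events:
        if not wmi_spawned(ev):
            continue
        m = STAGE_RE.search(ev.get("Process Command Line", ""))
        if not m:
            continue
        verb, path = m.group(1).lower(), m.group(2).lower()
        if verb == "start":
            started[path] = ev
        elif path in started:
            findings.append({
                "path": path,
                "account": ev.get("Account Name"),
                "started": started.pop(path).get("Time"),
                "deleted": ev.get("Time"),
            })
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4688)
    for f in find_stage_and_delete(evs):
        print(f"{f['account']} staged {f['path']} at {f['started']} and deleted it at {f['deleted']}")
```

A local `wmic process call create` produces the same WmiPrvSE.exe parent, so on its own the first check only says "WMI started this"; the 4624 type-3 logon for the same account shortly before is what makes it remote.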

Saturday, May 30, 2020

Searching Through /var/log Folder

To check all user logins and logouts
#last -f /var/log/wtmp

wtmp is a binary file on Linux, Solaris and the BSDs that keeps a history of logins and logouts (each record is a struct utmp). On Linux it is /var/log/wtmp and is read by last; the live utmp (/run/utmp) is what who reads, and btmp is what lastb reads. Because the files are binary, grep is of no use on them: use last/lastb, or parse the records.

To check for failed login attempts

#last -f /var/log/btmp
(or simply lastb, which reads btmp by default)
btmp records failed login attempts. Many entries from one source in a short time usually mean someone is brute-forcing passwords; the host and user columns tell you which source and which accounts. You can truncate this file but should not delete it, because the login programs expect it to exist. Keep its permissions restrictive as shipped: it can contain passwords that users typed into the username prompt by mistake.
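An added example, not from the post: a small parser for the wtmp/btmp record format, so you can reproduce what last and lastb show and aggregate on top of it (sessions per user, failures per source). It assumes the glibc struct utmp layout on x86_64 (384 bytes per record, 32-bit tv_sec); the sample records are constructed inside the block.

```python
import struct
import time
from collections import Counter

# Assumed layout: glibc struct utmp on x86_64, 384 bytes per record, with
# 32-bit tv_sec. Other platforms differ (check struct.calcsize against the
# file size divided by the record count 'last' reports).
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
USER_PROCESS, DEAD_PROCESS = 7, 8             # ut_type values from <utmp.h>


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Yield one dict per record from the bytes of wtmp, btmp or utmp."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}


def login_sessions(wtmp):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line,
    which is what 'last' prints. Sessions still open get end=None."""
    open_by_line, sessions = {}, []
    for r in parse_utmp(wtmp):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            sessions.append((s["user"], s["line"], s["host"], s["time"], r["time"]))
    for s in open_by_line.values():
        sessions.append((s["user"], s["line"], s["host"], s["time"], None))
    return sessions


def failed_by_source(btmp, threshold=5):
    """btmp holds only failures: count them per (host, user) and return the
    sources at or above the threshold, i.e. probable brute force."""
    counts = Counter((r["host"], r["user"]) for r in parse_utmp(btmp))
    return {k: n for k, n in counts.items() if n >= threshold}


def make_record(rtype, user, line, host, ts, pid=0):
    """Build one record (used here to construct sample files; struct pads
    the fixed-size char fields with NULs)."""
    return struct.pack(UTMP_FMT, rtype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


# Constructed sample data: one ssh session that ended, one console login
# still open, and a burst of failed ssh attempts from one address.
T0 = 1590840000
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, "root", "pts/0", "203.0.113.5", T0, 2100),
    make_record(USER_PROCESS, "alice", "tty1", "", T0 + 60, 2200),
    make_record(DEAD_PROCESS, "", "pts/0", "", T0 + 600, 2100),
])
SAMPLE_BTMP = b"".join(
    [make_record(USER_PROCESS, "root", "ssh:notty", "203.0.113.5", T0 + 10 * i) for i in range(6)]
    + [make_record(USER_PROCESS, "admin", "ssh:notty", "198.51.100.7", T0 + 5)]
)

if __name__ == "__main__":
    # Real use: data = open("/var/log/wtmp", "rb").read()
    for user, line, host, start, end in login_sessions(SAMPLE_WTMP):
        when = time.strftime("%Y-%m-%d %H:%M", time.gmtime(start))
        print(f"{user:8} {line:10} {host:15} {when} {'still logged in' if end is None else ''}")
    print(failed_by_source(SAMPLE_BTMP))
```

Reading the real files needs root (or membership of the utmp group); the wtmp file rotates with logrotate, so pull wtmp.1 as well when the window of interest is more than a month back.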

Using ausearch
Searching the audit logs (/var/log/audit/audit.log by default) for user SSH login attempts:
# ausearch -if <filename> -m USER_AUTH -i | grep -i sshd
USER_AUTH is recorded when a user-space authentication attempt is detected. The res= field at the end of the record says whether it succeeded (res=success) or failed (res=failed), acct= is the account tried and addr= the source address. Useful options:
  • -i, --interpret            Interpret results to be human readable
  • -if, --input                Specify the file name rather than the default audit file
  • -m, --message <type>        Search based on record type (e.g. USER_AUTH, USER_LOGIN)
  • -a, --event <Audit event id>    Search based on audit event id
  • -gi, --gid <Group Id>        Search based on group id
  • -ui, --uid <User Id>        Search based on user id
  • --session <login session id>    Search based on login session id

tty lines (tty1, ttyS0) are logins on the local console or a serial port; pts lines are pseudo-terminals, which is what SSH, telnet and terminal emulators allocate. Failed SSH attempts show the line ssh:notty because no terminal had been allocated yet.

Some of the useful audit record types are listed below.
Audit Record Types:
  • ADD_USER    Triggered when a user-space user account is added.
  • CRED_ACQ    Triggered when a user acquires user-space credentials.
  • CRED_DISP    Triggered when a user disposes of user-space credentials.
  • CRED_REFR    Triggered when a user refreshes their user-space credentials.
  • CRYPTO_KEY_USER    Triggered to record the cryptographic key identifier used for cryptographic purposes.
  • CRYPTO_LOGIN    Triggered when a cryptographic officer login attempt is detected.
  • CRYPTO_LOGOUT    Triggered when a crypto officer logout attempt is detected.
  • DEL_GROUP    Triggered when a user-space group is deleted
  • DEL_USER    Triggered when a user-space user is deleted
  • SYSTEM_RUNLEVEL    Triggered when the system's run level is changed.
  • SYSTEM_SHUTDOWN    Triggered when the system is shut down.
  • USER_LOGIN    Triggered when a user logs in.
  • USER_LOGOUT    Triggered when a user logs out.
  • USER_START    Triggered when a user-space session is started.
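An added example (not from the post or the Red Hat guide): parsing raw audit records and running two checks over them, a burst of failed sshd USER_AUTH records from one address, and a success from an address that had failed earlier, which a burst threshold alone misses. The audit lines are constructed in the block; the field layout (type, msg=audit(ts:serial), the nested msg='...' with acct, exe, addr, res) is the real auditd format.

```python
import re
from collections import defaultdict

# Constructed audit records in the raw auditd line format (the field names
# are the real ones; the hosts, accounts and timestamps are made up).
SAMPLE_AUDIT = """\
type=USER_AUTH msg=audit(1590840001.100:101): pid=2100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590840004.200:102): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590840007.300:103): pid=2102 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="admin" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590840010.400:104): pid=2103 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="admin" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590840013.500:105): pid=2104 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590840020.600:106): pid=2110 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590840031.700:107): pid=2111 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1590840031.900:108): pid=2111 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=/dev/pts/0 res=success'
type=USER_AUTH msg=audit(1590840040.000:109): pid=2200 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
"""

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_audit_line(line):
    """Return a flat dict of fields, or None for lines that are not audit
    records. The nested msg='...' (the PAM part) is unpacked into the dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for k, v in KV_RE.findall(m["rest"]):
        if k == "msg" and v.startswith("'"):
            for k2, v2 in KV_RE.findall(v[1:-1]):
                ev[k2] = v2.strip('"')
        else:
            ev[k] = v.strip('"')
    return ev


def sshd_auth_events(lines):
    for line in lines:
        ev = parse_audit_line(line)
        if ev and ev["type"] == "USER_AUTH" and ev.get("exe") == "/usr/sbin/sshd":
            yield ev


def failed_ssh_bursts(lines, window=300, threshold=5):
    """Addresses with >= threshold failed sshd authentications inside any
    window of `window` seconds, with the account names they tried."""
    by_addr = defaultdict(list)
    for ev in sshd_auth_events(lines):
        if ev.get("res") == "failed":
            by_addr[ev.get("addr")].append((ev["ts"], ev.get("acct")))
    alerts = {}
    for addr, tries in by_addr.items():
        tries.sort()
        for i in range(len(tries)):
            j = i
            while j < len(tries) and tries[j][0] - tries[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[addr] = {"count": j - i, "accounts": sorted({a for _, a in tries[i:j]})}
                break
    return alerts


def success_after_failure(lines):
    """Addresses that failed at least once and later authenticated: the
    'guessed it eventually' case a burst threshold alone would miss."""
    failed, hits = set(), {}
    for ev in sshd_auth_events(lines):
        addr = ev.get("addr")
        if ev.get("res") == "failed":
            failed.add(addr)
        elif addr in failed and addr not in hits:
            hits[addr] = ev.get("acct")
    return hits


if __name__ == "__main__":
    # Real use: lines = open("/var/log/audit/audit.log").read().splitlines()
    lines = SAMPLE_AUDIT.splitlines()
    print(failed_ssh_bursts(lines))
    print(success_after_failure(lines))
```

The sudo record at the end is there on purpose: it is also USER_AUTH, which is why the filter keys on exe=/usr/sbin/sshd rather than on the record type alone, and why the grep for sshd in the ausearch one-liner matters.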

Regex with gedit
To find POST requests in the web server log on a given date, the regexes below can be used in gedit's search (with "Regular expression" enabled). The same patterns work with grep -P.
At least one of the words should match: ^.*(21/May/2020|POST).*$
Both words should match, in any order (lookaheads): ^(?=.*21/May/2020)(?=.*POST).*$
Note that Apache and nginx write the date as 21/May/2020, so the case in the pattern must match the log (or the search must be case-insensitive).

Reference:
RedHat Audit record type can be found on:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types

Wednesday, January 29, 2020

Poking a hole through a firewall

Allowing highly critical network services such as Oracle (1521/tcp), MySQL (3306/tcp) or MSSQL (1433/tcp) through a firewall to an untrusted network is, in effect, poking a hole through the firewall.

For example, leaving the Oracle listener port 1521 open to untrusted networks lets anyone on the Internet talk to the listener directly. The listener is a network-facing service that brokers every connection to the database, so a flaw in it, or a weak configuration, gives an attacker a foothold behind the firewall from which to reach the database itself and other internal hosts, and to open further paths the firewall was meant to block.

If the listener is running without a password or with weak credentials, an attacker can probe it for critical details about the databases it serves: trace and logging settings, version banners, database descriptors and service names, which is exactly the information needed to mount targeted attacks on those databases.

When it comes to database traffic, always encrypt it when it crosses untrusted networks. For example, Oracle Advanced Security can encrypt the traffic between clients, databases and application servers.

Further, harden the host operating system of the database server by disabling all unnecessary services. Many UNIX and Windows services are not needed in most deployments, FTP, TFTP and Telnet among them. For each disabled service, be sure to close both the UDP and the TCP port; leaving either open leaves the operating system exposed.

Finally, it is generally not acceptable to allow all source addresses to reach your server management ports (22 for Linux SSH, 3389 for Windows RDP) or database ports (1433 for SQL Server, 1521 for Oracle, 3306 for MySQL). Be as specific as practical about who can reach these ports. When source addresses cannot be pinned down for network management, consider a remote-access VPN (or a bastion host) as a compensating control that provides the required access while protecting your network.
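An added example that is not part of the post: a small audit of inbound allow rules (in a generic security-group style, constructed here) that flags the management and database ports named above when they are reachable from 0.0.0.0/0 or from ranges outside your trusted networks, and shows the narrowed rule next to the weak one. The trusted ranges, the rule format and the severity labels are this example's own assumptions.

```python
import ipaddress

# The ports the post singles out, with the service each belongs to.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 1521: "oracle", 3306: "mysql"}

# Assumption: networks you consider trusted (corporate LAN, VPN pool, a
# management prefix). Everything else counts as untrusted for this audit.
TRUSTED = ("10.0.0.0/8", "203.0.113.0/24")

# Constructed inbound rules in a generic security-group style:
# protocol, inclusive port range, source CIDR, action.
SAMPLE_RULES = [
    {"proto": "tcp", "ports": (1521, 1521), "src": "0.0.0.0/0", "action": "allow"},
    {"proto": "tcp", "ports": (22, 22), "src": "10.20.0.0/16", "action": "allow"},
    {"proto": "tcp", "ports": (3389, 3389), "src": "203.0.113.0/24", "action": "allow"},
    {"proto": "tcp", "ports": (1, 65535), "src": "198.51.100.0/22", "action": "allow"},
    {"proto": "tcp", "ports": (443, 443), "src": "0.0.0.0/0", "action": "allow"},
    {"proto": "tcp", "ports": (3306, 3306), "src": "0.0.0.0/0", "action": "deny"},
]


def audit_rules(rules, trusted=TRUSTED):
    """One finding per allow rule that exposes a sensitive port to a source
    outside the trusted ranges: 0.0.0.0/0 (or ::/0) is critical, any other
    untrusted range is high. Port-range rules ("allow all") are caught too."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"] not in ("tcp", "any"):
            continue
        lo, hi = rule["ports"]
        exposed = sorted(SENSITIVE_PORTS[p] for p in SENSITIVE_PORTS if lo <= p <= hi)
        if not exposed:
            continue
        src = ipaddress.ip_network(rule["src"], strict=False)
        if src.prefixlen == 0:
            severity = "critical"
        elif any(t.version == src.version and src.subnet_of(t) for t in trusted_nets):
            continue
        else:
            severity = "high"
        findings.append({"rule": rule, "severity": severity, "src": str(src), "services": exposed})
    return findings


def restrict_source(rule, cidr):
    """The fix: the same rule with its source narrowed to a trusted range."""
    return {**rule, "src": cidr}


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['severity']:8} {f['src']:18} -> {', '.join(f['services'])}")
    fixed = [restrict_source(r, "203.0.113.0/24") if r["src"] == "0.0.0.0/0" else r
             for r in SAMPLE_RULES]
    print("after narrowing:", audit_rules(fixed))   # only the 198.51.100.0/22 rule remains
```

The 443 rule is left alone on purpose: the audit is about the ports that should never face the world, not about everything open. Feed it the output of whatever your firewall or cloud provider exports (iptables-save, security-group JSON) after converting each rule into the small dict shape used here.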

Saturday, October 12, 2019

Redirecting a custom domain to a website hosted at AWS S3 with CloudFront

A friend of mine was having a hard time redirecting a custom domain to a website hosted at AWS S3 behind CloudFront. I helped him through the possible options and decided to write up my suggestions.

If you are new to web hosting with S3, refer to the URLs given in the references.

To start, these are the DNS records that can be configured at the domain name service provider (GoDaddy, 123-Reg and so on) to direct your URL to the web hosting server:

A Records:

A Records are the most basic type of DNS record and are used to point a domain or subdomain to an IP address. Assigning a value to an A record is as simple as providing your DNS management panel with an IP address to where the domain or subdomain should point and a TTL.

CNAME:

CNAME records can be used to alias one name to another. CNAME stands for Canonical Name. A common example is when you have both example.com and www.example.com pointing to the same application and hosted by the same server. In this case, to avoid maintaining two different records, it’s common to create:

    An A record for example.com pointing to the server IP address
    A CNAME record for www.example.com pointing to example.com

As a result, example.com points to the server IP address, and www.example.com points to the same address via example.com. Should the IP address change, you only need to update it in one place: just edit the A record for example.com, and www.example.com automatically inherits the changes.

What is CloudFront?

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.

My friend had purchased a custom domain (let's assume "example.com") from 123-Reg and wanted both www.example.com and example.com to reach a website hosted at AWS S3. He had already configured CloudFront; let's assume the distribution's domain name is d4k69jpeqpexyz.cloudfront.net.

In CloudFront, an alternate domain name (also called a CNAME) lets you use your own domain name (www.example.com) in links to files instead of the domain name CloudFront assigns to the distribution (d4k69jpeqpexyz.cloudfront.net). Both web and RTMP distributions supported alternate domain names at the time of writing. To serve the alternate names over HTTPS the distribution also needs a certificate covering them (for CloudFront, an ACM certificate issued in us-east-1).

When you use the CloudFront domain name for your files, the URL for a file called /images/image.jpg is:

http://d4k69jpeqpexyz.cloudfront.net/images/image.jpg

If you want to use your own domain name www.example.com, instead of the cloudfront.net domain name, you can add an alternate domain name to your distribution, like www.example.com. You can then use the following URL to view /images/image.jpg:

http://www.example.com/images/image.jpg

CloudFront itself accepts the bare domain example.com as an alternate domain name; the obstacle is on the DNS side, because at most DNS providers (123-Reg among them) the apex cannot be pointed at a hostname. So you end up with the same problem my friend had.

Once the cloudfront configuration is ready, we need to configure the DNS record at DNS provider.  In our case 123-reg.

Using the DNS provider's tools, (123-reg in our case) we created a CNAME record to map www.example.com to d4k69jpeqpexyz.cloudfront.net

The CNAME is all we needed for www.example.com. Unfortunately, like most people, we also wanted "example.com" to work, so another step was needed.

example.com is often referred to as the naked domain or the apex of the zone. The problem is that it cannot be a CNAME: a name that has a CNAME may carry no other records, and the apex always carries the zone's SOA and NS records (RFC 1034, section 3.6.2). Only names below the apex, such as www, can be CNAMEs. Route 53 sidesteps this with alias records, which point the apex at a CloudFront distribution directly; most other providers have no equivalent.

The remaining approach was to use a service that automatically redirects any request for example.com to www.example.com. That picks up the CNAME record and the site is served from CloudFront.

The automatic redirect is not possible with plain DNS, so we used another service. Some DNS providers offer this along with their DNS (GoDaddy does, 123-Reg does not).

When the DNS provider does not do it, there are a few free services. One that we have used is http://wwwizer.com/naked-domain-redirect, which requires no registration or payment.

To use this type of service, we create a DNS "A" record for the naked domain "example.com". For the wwwizer.com service, we pointed example.com at 174.129.25.170. That's all!

Be aware of what this trades away: the first hop of every visit to the bare domain is handled by a third party you do not control, over plain HTTP, and it cannot serve https://example.com unless it holds a certificate for your name. Check the redirect end to end after the DNS change (curl -I http://example.com should return a 301 to www.example.com), and if the apex must work over HTTPS, a provider-side redirect or a Route 53 alias is the better option.

So, with this setup, if a user types example.com into their browser, the following would happen:

    DNS query: example.com -> 174.129.25.170 (wwwizer.com's service)
    HTTP request to 174.129.25.170 for example.com
    174.129.25.170 redirects example.com -> www.example.com
    DNS query: www.example.com -> CNAME to d4k69jpeqpexyz.cloudfront.net
    DNS query: d4k69jpeqpexyz.cloudfront.net -> address of the nearest CloudFront edge location
    HTTP request for www.example.com is served by CloudFront from the S3 origin
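An added example (not from the post): a zone lint that follows CNAME chains the way the resolution steps above do, and catches the mistakes this setup invites, a CNAME at the apex, a CNAME sharing a name with other records, a CNAME loop, plus a note when the apex resolves to an address you do not own. The zone data is constructed; the CloudFront hostname and the redirector address are the placeholders used in the post.

```python
import ipaddress

# Constructed zone data for the setup in the post. The CloudFront hostname and
# the redirector address are the placeholders the post uses.
APEX = "example.com."
ZONE = {
    "example.com.":     [("A", "174.129.25.170")],
    "www.example.com.": [("CNAME", "d4k69jpeqpexyz.cloudfront.net.")],
}
BROKEN_ZONE = {
    "example.com.":     [("CNAME", "d4k69jpeqpexyz.cloudfront.net."), ("MX", "10 mail.example.com.")],
    "www.example.com.": [("CNAME", "example.com.")],
}


def resolve(zone, name, max_hops=8):
    """Follow CNAMEs inside the zone. Returns (final name, A addresses, chain).
    A final name we do not hold (cloudfront.net) comes back with no addresses:
    that is where a real resolver goes and asks the other zone."""
    chain = [name]
    for _ in range(max_hops):
        rrs = zone.get(name)
        if not rrs:
            return name, [], chain
        cnames = [v for t, v in rrs if t == "CNAME"]
        if not cnames:
            return name, [v for t, v in rrs if t == "A"], chain
        name = cnames[0]
        chain.append(name)
    raise ValueError("CNAME loop or chain too long: " + " -> ".join(chain))


def lint_zone(zone, apex, own_ranges=()):
    """Findings for the mistakes this setup invites. own_ranges (optional)
    are the address blocks you control; anything else at the apex is noted."""
    problems = []
    own = [ipaddress.ip_network(n) for n in own_ranges]
    for name, rrs in zone.items():
        types = [t for t, _ in rrs]
        if "CNAME" in types and len(rrs) > 1:
            problems.append(f"{name}: a CNAME may not share a name with other records (RFC 1034 3.6.2)")
        if name == apex and "CNAME" in types:
            problems.append(f"{name}: the apex cannot be a CNAME; use an A record or a provider ALIAS")
    try:
        _, addrs, _ = resolve(zone, apex)
    except ValueError as e:
        problems.append(str(e))
        addrs = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if own and not any(ip in n for n in own):
            problems.append(f"{apex}: A {a} is outside your ranges: a third-party redirector, "
                            "HTTP only unless it holds a certificate for your name")
    return problems


if __name__ == "__main__":
    for name in (APEX, "www.example.com."):
        final, addrs, chain = resolve(ZONE, name)
        print(" -> ".join(chain), addrs or "(resolved in another zone)")
    for p in lint_zone(BROKEN_ZONE, APEX):
        print("!", p)
```

Run it against an export of your real zone before and after the change; the apex note is informational for the setup in this post, since pointing the apex at the redirector is the whole idea, but it is the line that should make you ask who now owns that first hop.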

Reference:
Web hosting with S3: https://medium.com/@kyle.galbraith/how-to-host-a-website-on-s3-without-getting-lost-in-the-sea-e2b82aa6cd38
Record Types: https://kb.pressable.com/article/dns-record-types-explained/
Configure DNS with GoDaddy: https://www.godaddy.com/garage/configuring-and-working-with-domains-dns/
CloudFront: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
Configure CloudFront: https://medium.com/@kyle.galbraith/how-to-make-use-of-cloudfront-for-secure-delivery-of-static-websites-to-the-world-d2f54e8b096

Thursday, August 8, 2019

Run SNMPWALK on CISCO Switch from Ubuntu Desktop

To check the SNMP agent status of the target switch you need a console or terminal session on the switch:

Switch# show snmp


When the SNMP agent is not enabled.

Switch# configure terminal
Switch (Config)# snmp-server enable traps
Switch (Config)# snmp-server community public ro    //ro - read-only
Switch (Config)# snmp-server community private rw    //rw - read-write
Switch (Config)# snmp-server location myoffice-location   
Switch (Config)# snmp-server contact myoffice-contact
Switch (Config)# end
Switch# show snmp                     //display the current configuration

A note on what was just configured: "public" and "private" are the community strings every scanner tries first, and with SNMPv1/v2c they travel in clear text in every packet, so anyone on the path can read them. A read-write community is effectively administrative access to the switch. Use unguessable strings, restrict them to your management station with an ACL (snmp-server community <string> ro <acl-number>), and prefer SNMPv3 with authentication and privacy where the management station supports it.

Let's do an snmpwalk against that configuration (SNMPv1 or SNMPv2c). This was tested on Ubuntu.
First to install snmp
# apt install snmp

Then to run a snmpwalk
#snmpwalk -v 1 -c public 192.168.10.1 1.3.6.1.2.1.2

For more information on snmpwalk attributes refer the man page
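As an added example (not part of the post), the v1/v2c GetRequest that snmpget and snmpwalk send, encoded by hand with BER, and the inverse: pulling the version and community string out of any captured v1/v2c datagram, which is why the caveat about clear-text communities matters. The packet bytes are built inside the block; the optional snmp_get sends one to a real host and is the only part that touches the network.

```python
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"      # sysDescr.0 from MIB-2
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def ber_int(v):
    """INTEGER, minimal two's-complement encoding."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1, version=1):
    """SNMPv1 (version=0) / v2c (version=1) GetRequest for one OID."""
    varbind = _tlv(0x30, ber_oid(oid) + _tlv(0x05, b""))            # OID + NULL value
    pdu = _tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)   # error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, ber_int(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def peek_community(packet):
    """What a passive observer learns from one datagram: the version and,
    for v1/v2c, the community string in clear text. v3 messages carry no
    community, so only the version is returned for them."""
    tag, msg, _ = _read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, ver, pos = _read_tlv(msg)
    if vtag != 0x02:
        raise ValueError("missing version field")
    version = SNMP_VERSIONS.get(int.from_bytes(ver, "big", signed=True), "unknown")
    if version == "v3":
        return version, None
    ctag, community, _ = _read_tlv(msg, pos)
    if ctag != 0x04:
        raise ValueError("missing community field")
    return version, community.decode("latin-1")


def snmp_get(host, community="public", oid=SYS_DESCR_0, timeout=2.0):
    """Send one GetRequest to UDP/161; raw GetResponse bytes, or None on
    timeout (which is also what you get for a wrong community)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR_0)
    print(pkt.hex())            # the bytes snmpget -v2c -c public <host> sysDescr.0 sends
    print(peek_community(pkt))  # ('v2c', 'public')
```

A wrong community produces no response at all (the agent drops the packet silently), so an attacker's community guessing is only visible on the wire or in the agent's authentication-failure trap, if that is enabled; that silence is another reason to restrict the source addresses with an ACL.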

For more information on SNMP MIBs, refer to the guide below.

Base OID for MIB-2 defined SNMP variables

Superior references

    1.3.6.1.2 - IETF Management
    1.3.6.1 - OID assignments from 1.3.6.1 - Internet
    1.3.6 - US Department of Defense
    1.3 - ISO Identified Organization
    1 - ISO assigned OIDs
    Top of OID tree

Subsidiary references (single level)

    1.3.6.1.2.1.1 - SNMP MIB-2 System
    1.3.6.1.2.1.2 - SNMP MIB-2 Interfaces
    1.3.6.1.2.1.3 - at
    1.3.6.1.2.1.4 - ip
    1.3.6.1.2.1.5 - icmp
    1.3.6.1.2.1.6 - tcp
    1.3.6.1.2.1.7 - udp
    1.3.6.1.2.1.8 - egp
    1.3.6.1.2.1.9 - cmot
    1.3.6.1.2.1.10 - transmission
    1.3.6.1.2.1.11 - snmp
    1.3.6.1.2.1.14 - OSPF Version 2 MIB
    1.3.6.1.2.1.15 - BGPv4
    1.3.6.1.2.1.16 - Managed Objects for Bridges
    1.3.6.1.2.1.17 - Bridge Mib
    1.3.6.1.2.1.22 - rptrHealth
    1.3.6.1.2.1.25 - HOST-RESOURCES-MIB, from RFC 1514
    1.3.6.1.2.1.26 - Ethernet MAU mib
    1.3.6.1.2.1.27 - Application MIB module
    1.3.6.1.2.1.28 - MTA MIB module
    1.3.6.1.2.1.29 - X.500 Directory MIB module
    1.3.6.1.2.1.31 - ifMib
    1.3.6.1.2.1.33 - upsMIB
    1.3.6.1.2.1.34 - snaNode
    1.3.6.1.2.1.38 - mdmMib
    1.3.6.1.2.1.41 - sdlcStatus
    1.3.6.1.2.1.43 - Printer-MIB
    1.3.6.1.2.1.47 - entity-mib
    1.3.6.1.2.1.69 - docsDev
    1.3.6.1.2.1.92 - notificationLogMIB

Wednesday, August 7, 2019

CISCO Switch Port Mirroring to Capture Traffic

Network traffic passing through ports can be analyzed by using Switched Port Analyzer (SPAN). This sends a copy of the traffic to another port on the switch that has been connected to a SwitchProbe device, another Remote Monitoring (RMON) probe or security device. SPAN mirrors receive or transmit (or both) traffic on one or more source ports to a destination port for analysis.

To display the details of available interfaces
Switch# show interface status

To display the details of configured vlans
Switch# show vlan

If the switch needs to be reached over the network, an IP address must be assigned to a VLAN interface:

Switch> enable
Switch# configure terminal
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# exit
Switch#


This example shows how to set up a SPAN session (session 1) for monitoring source port traffic to a destination port.

Check for up and running interfaces of the Switch
Switch# show ip interface brief


Check if any already configured monitoring sessions are available
Switch# show monitor session 1

If any monitoring sessions are available. Need to remove them first. To remove that, switch to configuration mode.
Switch# configure terminal
Switch(config)# no monitor session 1


To configure the monitoring session: interfaces 1/1 to 1/5 are the sources, and a copy of their traffic is sent out of interface 1/15.

Switch(config)# monitor session 1 source interface fastEthernet 1/1 - 5
Switch(config)# monitor session 1 destination interface fastEthernet 1/15 encapsulation replicate
Switch(config)# exit


You can also mirror a whole VLAN instead of individual ports. To monitor the traffic of a particular VLAN:

Switch(config)# monitor session 1 source vlan 1

Switch(config)# monitor session 1 destination interface fastEthernet 1/15 encapsulation replicate
Switch(config)# exit


Copy running config to startup config:
Switch# copy running-config startup-config


Connect a PC running a capture tool such as Wireshark to interface 1/15 and the mirrored traffic can be captured. Two caveats: while the session is active the destination port only emits mirrored frames and no longer behaves as a normal access port, so the capture PC needs another interface for its own connectivity; and the mirrored copy contains whatever crosses the source ports, credentials included, so treat the capture host and the pcap files as sensitive.

Friday, June 21, 2019

Mounting / Unmounting encrypted external drive over command line in Ubuntu 18.04

If you have an encrypted external disk (or an internal disk that is not in fstab), you will see an entry for it in Nautilus. Clicking it prompts for the passphrase to unlock and mount the device. Here is how to do the same from the command line.

I follow the below steps to mount and unmount encrypted partitions.

You may need to install cryptsetup first.

sudo apt-get install cryptsetup

To unlock the volume (find the right partition first with lsblk -f, which lists LUKS partitions as crypto_LUKS, and substitute it for /dev/sda1; cryptsetup open --type luks is the newer spelling of luksOpen):

sudo cryptsetup luksOpen /dev/sda1 my_encrypted_volume

Now you can mount it as usual:

sudo mkdir /media/my_device
sudo mount /dev/mapper/my_encrypted_volume /media/my_device


To lock the container again, it needs to be unmounted first:

sudo umount /media/my_device
sudo cryptsetup luksClose my_encrypted_volume


To have it mounted under /media automatically, the way Nautilus does, use udisksctl (from udisks2, which replaces the older udisks command). It mounts under /media/<user>/ and needs no sudo for a removable device:

udisksctl unlock -b /dev/sda1
udisksctl mount -b /dev/mapper/luks-<UUID>

The luks-<UUID> mapping name is printed by the unlock command (a mapping opened with cryptsetup, such as /dev/mapper/my_encrypted_volume, can be given to udisksctl mount just the same). To undo it: udisksctl unmount -b /dev/mapper/luks-<UUID>, then udisksctl lock -b /dev/sda1.
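An added example, not from the post: before unlocking an external disk, or when checking one after an incident, it is worth reading the LUKS header, which sits unencrypted at the start of the partition. This parses the LUKS1 header (the 592-byte binary PHDR from the LUKS1 specification; LUKS2 uses a JSON header and is detected but not parsed) and flags extra active key slots, legacy hashes and low iteration counts. The header bytes are constructed in the block, the review thresholds are this example's assumptions, and cryptsetup luksDump shows the same fields for a real device.

```python
import struct

# LUKS1 on-disk header (PHDR) as laid out in the LUKS1 specification:
# 208-byte fixed part followed by 8 key slots of 48 bytes, all big-endian.
# Assumption for this example: only version 1 is parsed; LUKS2 keeps its
# metadata as JSON after the same magic and is rejected with a clear error.
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"
SLOT_FMT = ">II32sII"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
PHDR_SIZE = struct.calcsize(PHDR_FMT)            # 208
SLOT_SIZE = struct.calcsize(SLOT_FMT)            # 48
HEADER_SIZE = PHDR_SIZE + 8 * SLOT_SIZE          # 592


def _s(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(buf):
    """Parse the first 592 bytes of a LUKS1 device into a dict."""
    if buf[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic: not a LUKS device (or not its first sector)")
    version = struct.unpack(">H", buf[6:8])[0]
    if version != 1:
        raise ValueError(f"LUKS version {version}: JSON header, not parsed here")
    (_, _, cipher, mode, hash_, payload_off, key_bytes,
     _digest, _salt, mk_iters, uuid) = struct.unpack_from(PHDR_FMT, buf, 0)
    slots = []
    for i in range(8):
        active, iters, _salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, buf, PHDR_SIZE + i * SLOT_SIZE)
        slots.append({"slot": i, "active": active == SLOT_ENABLED,
                      "iterations": iters, "material_offset": km_off, "stripes": stripes})
    return {"cipher": _s(cipher), "mode": _s(mode), "hash": _s(hash_),
            "key_bits": key_bytes * 8, "payload_offset": payload_off,
            "mk_iterations": mk_iters, "uuid": _s(uuid), "slots": slots}


def review_header(hdr, expected_slots=1, min_iterations=100_000):
    """Things worth a look before unlocking a disk or after an incident.
    The thresholds are this example's assumptions, not cryptsetup defaults."""
    findings = []
    active = [s for s in hdr["slots"] if s["active"]]
    if len(active) != expected_slots:
        findings.append(f"{len(active)} active key slots {[s['slot'] for s in active]}, "
                        f"expected {expected_slots}: an extra passphrase may have been added")
    if hdr["hash"] in ("sha1", "ripemd160"):
        findings.append(f"legacy key-derivation hash {hdr['hash']}")
    for s in active:
        if s["iterations"] < min_iterations:
            findings.append(f"slot {s['slot']}: only {s['iterations']} PBKDF2 iterations")
    if hdr["key_bits"] < 256:
        findings.append(f"master key is only {hdr['key_bits']} bits")
    return findings


def make_luks1_header(cipher="aes", mode="xts-plain64", hash_="sha256",
                      key_bytes=64, active_slots=(0,), iterations=250_000):
    """Construct a header with the real field layout for the sample below
    (digest, salts and UUID are dummy values)."""
    head = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, cipher.encode(), mode.encode(),
                       hash_.encode(), 4096, key_bytes, b"\x11" * 20, b"\x22" * 32,
                       iterations, b"0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
    slots = b""
    for i in range(8):
        on = i in active_slots
        slots += struct.pack(SLOT_FMT, SLOT_ENABLED if on else SLOT_DISABLED,
                             iterations if on else 0, b"\x33" * 32, 8 + i * 512, 4000)
    return head + slots


if __name__ == "__main__":
    # Real use (needs root): with open("/dev/sda1", "rb") as f:
    #     hdr = parse_luks1_header(f.read(HEADER_SIZE))
    hdr = parse_luks1_header(make_luks1_header(active_slots=(0, 3), hash_="sha1", iterations=1000))
    print(hdr["cipher"], hdr["mode"], hdr["hash"], hdr["key_bits"], hdr["uuid"])
    for finding in review_header(hdr):
        print("!", finding)
```

The key-slot check is the one that matters operationally: a second active slot on a disk that should have one passphrase means someone with the original passphrase (or a backup of the header) has added their own, and luksKillSlot is the remedy once you know which slot is yours.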