
Travis Schack, CISSP Auditing Toolkit for Windows NT and 2000 Denver ISACA April 25, 2003.




1 Travis Schack, CISSP
Travis@Vitalisec.com
Auditing Toolkit for Windows NT and 2000
Denver ISACA
April 25, 2003

2 Audit Areas
System Information
Patches/Hotfixes
Scheduled Tasks
Registry Permissions
Registry Values
User Accounts
Group Accounts
User Rights
Account Policies
Auditing Log Settings
Event Log
Services
Service Permissions
Processes
Drives
Share Permissions
Directory Permissions
Device Drivers
Printer Permissions
Remote Access
Trusted Relationships

3 Tool Types
OS / Resource Kit / 3rd Party
Local / Remote
GUI / Command Line

4 NT vs. 2000

5 WinNT vs. Win2k
Most of the core features of the architecture and object-oriented design of Win2k came from WinNT. Win2k is a tuned, tweaked, and extended WinNT, but is not new.
Security – Active Directory, Group Policies, Encrypted File System, Kerberos, CryptoAPI, IP Security, PKI, and kernel security enhancements.

6 Overview of Windows Security

7 System Architecture

8 Auditing System Information

9 Useful Commands
Command                                      Results
ver                                          Displays the Windows version
set                                          Displays Windows environment variables
ipconfig /all                                Shows detailed IP configuration
nbtstat -an                                  Local server name, MAC address, domain, logged-on user
nbtstat -A (by IP) / nbtstat -a (by name)    Remote server name, MAC address, domain, logged-on user
netstat -rn / route print                    Display routing table
netstat -an                                  Displays all connections and listening ports
findstr                                      Searches for strings in files, can use regular expressions
find                                         Searches for a text string in a file or files
comp                                         Compares the contents of two files or sets of files byte to byte
fc                                           Compares two files or sets of files and displays the differences between them

10 Windows Command Reference
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/ntcmds.htm

11 netstat -an (Ports)
IANA port assignments – http://www.isi.edu/in-notes/iana/assignments/port-numbers
Possible Trojans – http://www.simovits.com/nyheter9902.html

12 Environment Variables - set
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Roger Rabbit\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=Acme-Lap
ComSpec=C:\WINNT\system32\cmd.exe
DIRCMD=/o/a
HOMEDRIVE=H:
HOMEPATH=\
HOMESHARE=\\carrot\Roger Rabbit$
include=C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
lib=C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
LOGONSERVER=\\Acme-Lap
MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
NUMBER_OF_PROCESSORS=1
ORACLE_HOME=c:\oracle\ora81
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\oracle\ora81\bin;C:\Program Files\Oracle\jre\1.1.7\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MICROS~2\Office;C:\perl\bin;c:\sectools;C:\Program Files\Common Files\Adaptec Shared\System;C:\MSSQL7\BINN;C:\Program Files\Resource Pro Kit\;C:\NTOFW;C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$P$G
SMS_LOCAL_DIR=C:\WINNT
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\Temp
TMP=C:\Temp
USERDOMAIN=Acme
USERNAME=Roger Rabbit
USERPROFILE=C:\Documents and Settings\Roger Rabbit
windir=C:\WINNT

13 nbtstat -an (local)
Local Area Connection:
Node IpAddress: [192.168.0.1] Scope Id: []

    NetBIOS Local Name Table

    Name                 Type       Status
    -------------------------------------------------------------------
    Acme-Lap             UNIQUE     Registered
    Acme                 GROUP      Registered
    Acme                 UNIQUE     Registered
    ..__MSBROWSE__.      GROUP      Registered
    Carrot               GROUP      Registered

14 nbtstat -A (remote)
Local Area Connection:
Node IpAddress: [192.168.0.1] Scope Id: []

    NetBIOS Remote Machine Name Table

    Name                 Type       Status
    -----------------------------------------------------------------
    Acme-PDC             UNIQUE     Registered
    Acme                 GROUP      Registered
    Carrot               GROUP      Registered
    Acme                 UNIQUE     Registered
    Acme                 GROUP      Registered
    Acme-PDC             UNIQUE     Registered
    Acme                 UNIQUE     Registered
    ..__MSBROWSE__.      GROUP      Registered
    Acme-PDC             UNIQUE     Registered

    MAC Address = 00-80-5F-65-AC-A8

15 Meaning of NetBIOS Names
Value   Meaning or Status
00      Computer names and workgroup names
01      Master Browser
03      Messaging/alerter service; username of user with logon session
20      Names of available resources on server
1B      Name of domain master browser
1C      Name of domain controller
1E      Response to election announcement
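As an added example (not part of the presentation), the Python below parses an nbtstat name table and decodes each name's hex suffix with the table above, then pulls out what an auditor records first: host name, domain, domain controllers and logged-on user. The sample output is constructed in nbtstat's real layout with the hostnames used on the slides, since the transcript above lost the angle-bracket suffixes.

```python
import re

# Suffix meanings exactly as listed in the "Meaning of NetBIOS Names" slide.
NETBIOS_SUFFIX = {
    "00": "Computer names and workgroup names",
    "01": "Master Browser",
    "03": "Messaging/alerter service; username of user with logon session",
    "20": "Names of available resources on server",
    "1B": "Name of domain master browser",
    "1C": "Name of domain controller",
    "1E": "Response to election announcement",
}

# Constructed sample in nbtstat's layout (name, <suffix>, type, status);
# hostnames are the ones used on the slides, the user name is constructed.
SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.168.0.1] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    ACME-PDC       <00>  UNIQUE      Registered
    ACME           <00>  GROUP       Registered
    ACME-PDC       <20>  UNIQUE      Registered
    ACME           <1C>  GROUP       Registered
    ACME           <1B>  UNIQUE      Registered
    ROGER RABBIT   <03>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-80-5F-65-AC-A8
"""

# One name-table row: name, <two hex digits>, UNIQUE|GROUP, status.
ENTRY_RE = re.compile(
    r"^\s*(?P<name>.+?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\S+)\s*$"
)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


def parse_nbtstat(text):
    """Return (entries, mac): entries are dicts with the suffix decoded."""
    entries, mac = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            suffix = m.group("suffix").upper()
            entries.append({
                "name": m.group("name").strip(),
                "suffix": suffix,
                "type": m.group("type"),
                "status": m.group("status"),
                "meaning": NETBIOS_SUFFIX.get(suffix, "unknown suffix"),
            })
            continue
        mm = MAC_RE.search(line)
        if mm:
            mac = mm.group(1).upper()
    return entries, mac


def summarize(entries):
    """Reduce a name table to the facts an audit worksheet wants."""
    hosts = [e["name"] for e in entries
             if e["suffix"] == "00" and e["type"] == "UNIQUE"]
    return {
        "hosts": hosts,
        "domains": [e["name"] for e in entries
                    if e["suffix"] == "00" and e["type"] == "GROUP"],
        "domain_controllers": [e["name"] for e in entries if e["suffix"] == "1C"],
        # <03> is registered both for the Messenger service (under the computer
        # name) and for the logged-on user; names that are not a host are users.
        "logged_on_users": [e["name"] for e in entries
                            if e["suffix"] == "03" and e["name"] not in hosts],
    }


if __name__ == "__main__":
    found, mac_addr = parse_nbtstat(SAMPLE_NBTSTAT)
    for e in found:
        print("%-16s <%s> %-7s %s" % (e["name"], e["suffix"], e["type"], e["meaning"]))
    print("MAC:", mac_addr)
    print(summarize(found))
```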

16 find/findstr – audit tool?


18 Search files for passwords, sensitive information that should be encrypted, etc.
Pipe output of utilities and search for specific information.
findstr is more powerful than find.
Examples:
Search all files on the system for "password"
    C:\>findstr /I /S /M "password" *.* > results.out
Search all files on the system for "password", "pwd", and "passwd"
    C:\>findstr /I /S /M "password pwd passwd" *.* > results.out
If you want to search for several different items in the same set of files, create a text file that contains each search criterion on a new line.
    C:\>findstr /I /S /M /g:finddata.txt *.* > results.out

19 Msinfo32
Windows 2000 includes Microsoft System Information (Msinfo32.exe), which is an updated version of the Microsoft Windows NT Diagnostics tool (Winmsd.exe). System Information displays a comprehensive view of your hardware, system components, and software environment. Msinfo32.exe is located in the Program Files\Common Files\Microsoft Shared\MSInfo folder.
Msinfo32.exe Usage:
  /?                                   Displays the Help dialog box
  /msinfo_file=filename                Opens the specified .nfo or .cab file
  /nfo or /s filename                  Outputs a .nfo file to the specified file
  /report filename                     Outputs a text-format file to the specified file
  /computer computername               Connects to the specified computer
  /categories (+|-)(all | categoryname) +|-(categoryname)...
                                       Displays or outputs specified categories
  /category categoryname               Sets focus to a specific category at startup

20 Msinfo32 Example
The following example gathers each high-level category into a separate .nfo file, which can be read by Msinfo32.exe.
start /wait msinfo32.exe /nfo syssum.nfo /categories +SystemSummary
start /wait msinfo32.exe /nfo cmpnt.nfo /categories +components
start /wait msinfo32.exe /nfo swenv.nfo /categories +swenv
start /wait msinfo32.exe /nfo hwdres.nfo /categories +resources
start /wait msinfo32.exe /nfo ie.nfo /categories +internetexplorer
start /wait msinfo32.exe /nfo apps.nfo /categories +Apps
The start /wait switch is used in the examples for batch file and/or command-line execution from a Cmd.exe command prompt. The start switch is required to start Msinfo32.exe and the /wait switch does not process the next item until the current item completes. Using the start /wait switches ensures that the computer is not overloaded because some of the Msinfo32.exe categories can use a large amount of CPU time.


23 How to start Msinfo32

24 Msinfo32 (local)

25 Msinfo32 (remote)
Click on Action and Properties

26 srvinfo (Resource Kit)
SrvInfo for NT Version 2.50
=====================================================
Remotely gather information about a target server.
Assume local machine if no computer name is provided.
=====================================================
Usage: SRVINFO [[-?|-ns|-d|-v|-s] \\computer_name]
  -?:  Show usage
  -ns: Do NOT show any service information
  -d:  Show service drivers and service
  -v:  Get version info for Exchange, IIS, SQL
  -s:  Show shares

27 Srvinfo (truncated)
C:\>srvinfo -ns
Server Name: Acme-Lap
Security: Users
NT Type: NT Advanced Server - Version: 5.0
Build: 2195, Service Pack 2
Current Type: Uniprocessor Free
Product Name: Microsoft Windows 2000
Registered Owner: Acme
Registered Organization: Acme
ProductID: 51874-OEM-0000696-50052
Original Install Date: Thu Dec 31 17:47:17 1998
Domain: Acme
PDC: \\Acme-PDC
CPU[0]: x86 Family 6 Model 8 Stepping 6: 696 MHz

28 Dumpwin (3rd Party)
http://www.nii.co.in/research/tools.html#sysinfo
Command line tool (local only)
$ DumpWin
DumpWin v2.00 (Windows NT/2K)
Network Intelligence India Pvt. Ltd. http://www.nii.co.in
Arjun Pednekar (arjunp@nii.co.in)
Parameters :
  -i : List installed Programs.
  -d : Drive Information.
  -s : System Information.
  -m : Check for Modem Drivers.
  -h : List shares present.
  -t : List Startup Programs.
  -p : List active Processes.
  -v : List of Services.
  -g : List Local Group Accounts
  -u : List User Accounts.
  -l : dumpACL
  -n : Account Lockout Policy
  -a : All of above.

29 Dumpwin – System Information
$ DumpWin -s
===================== System Information =====================
Microsoft Windows 2000 Workstation version 5.0 Service Pack 2 (Build 2195)
Computer name : Acme-Lap
User name : Roger Rabbit
System directory : C:\WINNT\System32
Windows directory : C:\WINNT
Network Card IP Address : 0 192.168.0.1
Memory Information
Total Physical Memory(RAM) : 327152 KB
Free Physical Memory(RAM) : 119948 KB
Total Virtual Memory : 2097024 KB
Free Virtual Memory : 2073252 KB

30 Dumpwin – System Information (cont'd)
Hardware information:
OEM ID : 0
Number of processors : 1
Page size : 4096
Processor type : 586
Minimum application address : 10000
Maximum application address : 7ffeffff
Active processor mask : 1
Keyboard Manufacturer : IBM enhanced (101- or 102-key) keyboard
No. of Function Keys : 12

31 Dumpwin – Installed Software
$ DumpWin -i
===================== List of Installed Programs =====================
Reg Key : Ad-aware 5.83
Product : Ad-aware 5.83
Reg Key : AddressBook
Reg Key : Adobe Acrobat 5.0
Product : Adobe Acrobat 5.0
Reg Key : AOL Instant Messenger
Product : AOL Instant Messenger

32 Psinfo (3rd Party)
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml
Command line tool (local or remote)
PsInfo returns information about a local or remote Windows NT/2000/XP system.
Usage: psinfo [-h] [-s] [-d] [-c] [\\RemoteComputer [-u Username [-p Password]]]
  -u   Specifies optional user name for login to remote computer.
  -p   Specifies password for user name.
  -h   Show installed hotfixes.
  -s   Show installed software.
  -d   Show disk volume information.
  -c   Print in CSV format

33 Psinfo – No Arguments
$ psinfo
PsInfo 1.34 - local and remote system information viewer
Copyright (C) 2001-2002 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\Acme-Lap:
Uptime:                    1 day, 2 hours, 40 minutes, 13 seconds
Kernel version:            Microsoft Windows 2000, Uniprocessor Free
Product type:              Professional
Product version:           5.0
Service pack:              2
Kernel build number:       2195
Registered organization:   Acme
Registered owner:          Acme
Install date:              5/22/2000, 10:14:21 AM
IE version:                5.5000
System root:               C:\WINNT
Processors:                1
Processor speed:           700 MHz
Processor type:            Intel Pentium III
Physical memory:           320 MB

34 Psinfo – Software Installed
$ psinfo -s
System information for \\Acme-Lap:
Uptime:                    1 day, 2 hours, 58 minutes, 2 seconds
Kernel version:            Microsoft Windows 2000, Uniprocessor Free
Product type:              Professional
Product version:           5.0
Service pack:              2
Kernel build number:       2195
Registered organization:   Acme
Registered owner:          Acme
Install date:              5/22/2000, 10:14:21 AM
IE version:                5.5000
System root:               C:\WINNT
Processors:                1
Processor speed:           700 MHz
Processor type:            Intel Pentium III
Physical memory:           320 MB
Applications:
  AOL Instant Messenger
  ATI Display Driver Utilities
  ATI Win2k Display Driver
  ActivePerl 5.6.1 Build 633 5.6.633
  Ad-aware 5.83 5.83
  Adobe Acrobat 5.0 5.0

35 Patches/Hotfixes

36 Psinfo – Hotfixes
$ psinfo -h
System information for \\Acme-Lap:
Uptime:                    1 day, 2 hours, 55 minutes, 53 seconds
Kernel version:            Microsoft Windows 2000, Uniprocessor Free
Product type:              Professional
Product version:           5.0
Service pack:              2
Kernel build number:       2195
Registered organization:   Acme
Registered owner:          Acme
Install date:              5/22/2000, 10:14:21 AM
IE version:                5.5000
System root:               C:\WINNT
Processors:                1
Processor speed:           700 MHz
Processor type:            Intel Pentium III
Physical memory:           320 MB
OS Hot Fix    Installed
  Q147222     1/1/1999
  Q295688     4/15/2002
  Q296185     11/21/2002
  Q298012     9/7/2001
  Q299553     11/21/2002
  Q300845     4/15/2002

37 Microsoft Baseline Security Analyzer (MBSA)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
Command line or GUI - Administrator access is required
The Microsoft® Baseline Security Analyzer (MBSA) is a tool that allows users to scan one or more Windows®-based computers for common security misconfigurations. MBSA determines which critical security updates are applied to a system by referring to an Extensible Markup Language (XML) file (mssecure.xml) that's continuously updated by Microsoft and using the HFNetChk tool technology.
Products covered:
Windows NT 4.0
Windows 2000
Windows XP
Internet Explorer 5.01 and later
Windows Media Player 6.4 and later
IIS 4.0 and 5.0
SQL Server 7.0 and 2000 (including Microsoft Data Engine)
Exchange 5.5 and 2000 (including Exchange Admin Tools)

38 Microsoft Baseline Security Analyzer


43 Microsoft Baseline Security Analyzer Command Line
C:\Program Files\Microsoft Baseline Security Analyzer>mbsacli /?
Examples:
  MBSACLI
  MBSACLI /n Password
  MBSACLI /c MyDomain\MyComputer /n Password+Updates+SQL
  MBSACLI /d MyDomain
  MBSACLI /i 200.0.0.1
  MBSACLI /r "200.0.0.1-200.0.0.50"
  MBSACLI /l
  MBSACLI /ld "Domain - Computer (03-01-2002 12-00 AM)"
  MBSACLI /f "C:\results.txt"
  MBSACLI /sus "http://corp_sus"
  MBSACLI /hf -?

44 Microsoft Baseline Security Analyzer Command Line
C:\Program Files\Microsoft Baseline Security Analyzer>mbsacli
Version 1.1
Engine version 3.7.0.5
Security update checker version 3.81.0.9
Attempting to load XML from https://www.microsoft.com/technet/security/search/mssecure.xml
XML successfully loaded.
===============================================================
Scan performed Mon Mar 17 05:25:58 2003
Using XML data version = 1.0.1.464 Last modified on 2/25/2003.
Scanning...
[          ] 0 of 1 computer scan(s) complete.
[..........] 1 of 1 computer scan(s) complete.
Scan Complete.
Computer Name, IP Address, Assessment, Report Name
-------------------------------------------------------------------------------
\Acme-Lap, 192.168.0.1, Severe Risk, Acme – Acme-Lap (03-17-2003 05-27 AM)

45 Microsoft Baseline Security Analyzer Command Line
C:\Program Files\Microsoft Baseline Security Analyzer>MBSACLI /hf
---------------------------------------
Acme-Lap (192.168.0.1)
---------------------------------------
* WINDOWS 2000 SP2
Warning
The latest service pack for this product is not installed. Currently SP2 is installed. The latest service pack is SP3.
Note              MS01-022    296441
Note              MS02-008    318202
Note              MS02-008    318203
Note              MS02-008    317244
Note              MS02-053    324096
Patch NOT Found   MS02-055    323255
Note              MS02-064    327522
Note              MS02-065    329414
* INTERNET EXPLORER 5.5 SP2
Warning           MS02-009    318089
* WINDOWS MEDIA PLAYER 7.1 GOLD
Information
All necessary hotfixes have been applied.
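Added example, not part of the presentation: a Python parser for the MBSACLI /hf text report above that turns each product section into findings, so the "Patch NOT Found" bulletins and the service-pack warning can be pulled out of a multi-product scan instead of being read by eye. The sample report is constructed from the lines on this slide (shortened to four bulletins).

```python
import re

# Constructed sample in the layout shown on the slide above.
SAMPLE_HF = """\
C:\\Program Files\\Microsoft Baseline Security Analyzer>MBSACLI /hf
---------------------------------------
Acme-Lap (192.168.0.1)
---------------------------------------

* WINDOWS 2000 SP2

Warning
The latest service pack for this product is not installed.
Currently SP2 is installed. The latest service pack is SP3.

Note            MS01-022        296441
Note            MS02-008        318202
Patch NOT Found MS02-055        323255
Note            MS02-064        327522

* INTERNET EXPLORER 5.5 SP2

Warning         MS02-009        318089

* WINDOWS MEDIA PLAYER 7.1 GOLD

Information
All necessary hotfixes have been applied.
"""

STATUSES = r"Patch NOT Found|Warning|Note|Information"
HOST_RE = re.compile(r"^(?P<host>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s*$")
PRODUCT_RE = re.compile(r"^\*\s+(?P<product>.+?)\s*$")
# "<status>  MSyy-nnn  <KB article number>"
BULLETIN_RE = re.compile(r"^(?P<status>" + STATUSES +
                         r")\s+(?P<bulletin>MS\d{2}-\d{3})\s+(?P<kb>\d+)\s*$")
# A status on its own line is followed by free text (service-pack and "all applied" notes).
STATUS_ONLY_RE = re.compile(r"^(?P<status>" + STATUSES + r")\s*$")


def parse_hf_report(text):
    """Return {'host', 'ip', 'products': {product: [finding, ...]}}."""
    report = {"host": None, "ip": None, "products": {}}
    product = None
    pending = None  # status-only finding still collecting its message text
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        m = HOST_RE.match(line)
        if m and report["host"] is None:
            report["host"], report["ip"] = m.group("host"), m.group("ip")
            continue
        m = PRODUCT_RE.match(line)
        if m:
            product = m.group("product")
            report["products"].setdefault(product, [])
            pending = None
            continue
        if product is None:          # prompt line or banner before any product
            continue
        m = BULLETIN_RE.match(line)
        if m:
            report["products"][product].append({
                "status": m.group("status"), "bulletin": m.group("bulletin"),
                "kb": m.group("kb"), "message": None})
            pending = None
            continue
        m = STATUS_ONLY_RE.match(line)
        if m:
            pending = {"status": m.group("status"), "bulletin": None,
                       "kb": None, "message": ""}
            report["products"][product].append(pending)
            continue
        if pending is not None:      # continuation text of a status-only finding
            pending["message"] = (pending["message"] + " " + line).strip()
    return report


def missing_patches(report):
    """Bulletins MBSA could not find installed: the list to remediate."""
    return [(p, f["bulletin"], f["kb"])
            for p, findings in report["products"].items()
            for f in findings if f["status"] == "Patch NOT Found"]


def service_pack_warnings(report):
    """Products reported as behind on service packs, with the explanatory text."""
    return [(p, f["message"])
            for p, findings in report["products"].items()
            for f in findings
            if f["status"] == "Warning" and f["bulletin"] is None
            and "service pack" in (f["message"] or "").lower()]


if __name__ == "__main__":
    rep = parse_hf_report(SAMPLE_HF)
    print(rep["host"], rep["ip"])
    print("missing:", missing_patches(rep))
    print("service packs:", service_pack_warnings(rep))
```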

46 Auditing Scheduled Tasks

47 OS command - at
The AT command schedules commands and programs to run on a computer at a specified time and date. The Schedule service must be running to use the AT command.
AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE] [ /EVERY:date[,...] | /NEXT:date[,...]] "command"
Run at from the command line to view the current schedule.
Great tool to run periodic audits!

48 Resource Kit – jt.exe

http://www.jsifaq.com/subf/tip2600/rh2621.htm
The Microsoft® Task Scheduler Command Line Utility, jt.exe, allows you to manage the Task Scheduler from the command line.
Examples
C:\>jt /se
[TRACE] Enumerating jobs and queues
JSI005_State.job
Windows Critical Update Notification.job
C:\>jt /se p
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'JSI005_State.job'
[TRACE] Printing all job properties


51 Resource Kit – jt.exe
Generate a CSV file of scheduled tasks and their credentials
http://www.jsifaq.com/SUBL/tip5700/rh5712.htm
Batch file called Credentials.bat
The CSV file contains: "\\ComputerName","Credentials","JobName"
The syntax for using Credentials.bat is:
Credentials ComputerName ReportFile
where:
ComputerName is the NetBIOS computer name, without leading \\.
ReportFile is the path to the output CSV file.

52 dumpwin (3rd Party)

53 Auditing Registry Permissions

54 Registry
A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 to store information necessary to configure the system for one or more users, applications and hardware devices. The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and which ports are being used. The Registry replaces most of the text-based .ini files used in Windows 3.x and MS-DOS configuration files, such as Autoexec.bat and Config.sys. Although the Registry is common to several Windows platforms, there are some differences among them. The Registry isn't simply one large file but a set of discrete files called hives.

55 Registry Root Keys
Key                   Description
HKEY_CLASSES_ROOT     Symbolic link to HKEY_LOCAL_MACHINE\SOFTWARE\Classes.
HKEY_CURRENT_USER     Symbolic link to a key under HKEY_USERS representing a user's profile hive.
HKEY_LOCAL_MACHINE    Placeholder with no corresponding physical hive. This key contains other keys that are hives.
HKEY_USERS            Placeholder that contains the user-profile hives of logged-on accounts.
HKEY_CURRENT_CONFIG   Symbolic link to the key of the current hardware profile under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles.
HKEY_DYN_DATA         Placeholder for performance data lookups. This key has no corresponding physical hive.

56 Hive Registry Paths
Hive Registry Path                 Hive File Path
HKEY_LOCAL_MACHINE\SYSTEM          \winnt\system32\config\system
HKEY_LOCAL_MACHINE\SAM             \winnt\system32\config\sam
HKEY_LOCAL_MACHINE\SECURITY        \winnt\system32\config\security
HKEY_LOCAL_MACHINE\SOFTWARE        \winnt\system32\config\software
HKEY_LOCAL_MACHINE\HARDWARE        Volatile hive
HKEY_LOCAL_MACHINE\SYSTEM\Clone    Volatile hive
HKEY_USERS\UserProfile             Profile; usually under \winnt\profiles\users
HKEY_USERS\.DEFAULT                \winnt\system32\config\default

57 Slow Way!!!!

58 regedt32


60 Faster Way!!!

61 Resource Kit - subinacl

62 verbose=1

63 verbose=2 (default)

64 subinacl with wildcards
Subinacl allows you to use wildcards for objects (all services, all registry subkeys, etc.)
Examples
All top-level registry keys
  subinacl /verbose=1 /keyreg * > c:\registryanalyze.txt
Remote, all top-level registry keys (authentication already in place)
  subinacl /verbose=1 /keyreg \\s-rwv2\*
Every subkey of the Windows registry on the local system
  subinacl /verbose=1 /subkeyreg * > c:\registryanalyze.txt
Caution - processor-intensive and takes a while to execute
Subinacl Reference Sheet
http://www.asia.cnet.com/i/it/2002/itm_downloads/Subinacl_Usage.zip
http://www.kouti.com/samplescripts/AllConstants.vbs.txt

65 Fastest & Easiest Way!!!!!!

66 Dumpsec (3rd Party)
http://www.somarsoft.com/
GUI and command-line
Reports
– File System Permissions
– Registry Permissions
– Printer Permissions
– Shares Permissions
– Shared Directory Permissions
– All Shared Directories Permissions
– Users
– Groups
– Policies
– Rights
– Services

67

68 Dumpsec (3rd Party)
Select and WAIT! =)

69

70 Examples:
DumpSec.exe c:\temp\users.dcl
  Start Somarsoft DumpSec interactively, load and display a report that was previously saved in native format in c:\temp\users.dcl.
DumpSec.exe /rpt=dir=c:\users /showaudit /outfile=c:\temp\users.dcl
  Run Somarsoft DumpSec in batch mode, produce a report of directory permissions for the c:\users directory showing owner, permissions and audit settings, and store the report in native file format in c:\temp\users.dcl. The report will show only those directories and files whose permissions or audit settings differ from those of the parent directory.
DumpSec.exe /computer=\\server1 /rpt=users /saveas=csv /outfile=c:\temp\users.txt
  Run Somarsoft DumpSec in batch mode, produce a report showing all user information in table format for users defined on \\server1, and store the report in comma separated columns format in c:\temp\users.txt.
DumpSec.exe /computer=\\server1 /rpt=share=sales /outfile=c:\temp\users.dcl /showalldirs
  Run Somarsoft DumpSec in batch mode, produce a report of permissions for the \\server1\sales shared directory, showing owner and permissions but not audit settings, and store the report in native file format in c:\temp\users.dcl. The report will show all directories under the \\server1\sales tree, and only those files whose permissions differ from those of the parent directory.

71 Auditing Registry Values

72 Resource Kit - reg

73 reg query


76 reg query - remote

77 RestrictAnonymous
System Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value: RestrictAnonymous

78 Legal Notice
System Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
Value: LegalNoticeText

79 Other Registry Tools
Tool      Source         Description
Regdump   Resource Kit   Dump the registry on both local and remote machines.
Regfind   Resource Kit   Find and edit registry keys.
Scanreg   Resource Kit   Search specific keys and entries on remote hosts.

80 regfind

81 http://www.winguides.com/registry/

82 Auditing User Accounts

83 Useful OS Commands
Command                      Results
net user                     Displays the current local users on the server
net user username            Displays information on a local user
net user /domain             Displays current users on the domain
net user username /domain    Displays information on a domain user

84 net user syntax
$ net user /?
The syntax of this command is:
NET USER [username [password | *] [options]] [/DOMAIN]
         username {password | *} /ADD [options] [/DOMAIN]
         username [/DELETE] [/DOMAIN]

85 net user
C:\>net user
User accounts for \\Acme-Lap
-------------------------------------------------------------------------------
Guest_Disabled           RogerRabbit              Administrator
VUSR_Acme-Lap
The command completed successfully.

86 C:\>net user VUSR_Acme-Lap
User name                    VUSR_Acme-Lap
Full Name                    VSA Server Account
Comment                      Account for the Visual Studio Analyzer server components
User's comment
Country code                 000 (System Default)
Account active               No
Account expires              Never

Password last set            2/7/2002 10:08 PM
Password expires             Never
Password changeable          2/7/2002 10:08 PM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *None
The command completed successfully.

87 Net user (domain information)
C:\>net user /domain
The request will be processed at a domain controller for domain Acme.

User accounts for \\Acme-PDC
-------------------------------------------------------------------------------
Roger Rabbit             Baby Herman              Eddie Valiant
Maroon                   Dolores                  Jessica

88 C:\isaca>net user Jessica /domain
The request will be processed at a domain controller for domain Acme.

User name                    Jessica
Full Name                    Jessica Rabbit
Comment                      Cabaret Singer
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            12/27/2002 8:36 AM
Password expires             3/27/2003 8:36 AM
Password changeable          12/27/2002 8:36 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 Acme.bat
User profile
Home directory               \\carrot\Jessica$
Last logon                   3/17/2003 1:39 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *GRP_Bar_Users
                             *GRP_Singers
The command completed successfully.

89 Enum (3rd Party)
http://razor.bindview.com/tools/files/enum.tar.gz
Using null sessions, enum can retrieve userlists, machine lists, sharelists, namelists, group and member lists, password and LSA policy information. enum is also capable of a rudimentary brute force dictionary attack on individual accounts.
C:\isaca>enum
usage: enum [switches] [hostname|ip]
  -U: get userlist
  -M: get machine list
  -N: get namelist dump (different from -U|-M)
  -S: get sharelist
  -P: get password policy information
  -G: get group and member list
  -L: get LSA policy information
  -D: dictionary crack, needs -u and -f
  -d: be detailed, applies to -U and -S
  -c: don't cancel sessions
  -u: specify username to use (default "")
  -p: specify password to use (default "")
  -f: specify dictfile to use (wants -D)

90 What is a null session?
An ID named SYSTEM exists on every Windows system. It has almost unlimited privileges on the local computer and has no password. You cannot log on to this account. Privileged processes in Windows run as SYSTEM.
PROBLEM
When a service that runs as SYSTEM needs to access a remote computer, the destination computer does not recognize the local SYSTEM ID.
SOLUTION
Through SMB, a connection is made using NULL as the user ID and password.
net use \\servername\IPC$ "" /user:""

91 enum user list
C:\isaca>enum -U Acme-PDC
server: Acme-PDC
setting up session... success.
getting user list (pass 1, index 0)... success, got 6.
  Roger Rabbit  Baby Herman  Eddie Valiant  Maroon  Dolores  Jessica
cleaning up... success.

92 Access Denied?
C:\isaca>enum -U Acme-PDC
server: Acme-PDC
setting up session... success.
getting user list (pass 1, index 0)... fail
return 5, Access is denied.
cleaning up... success.

93 RestrictAnonymous
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value   Meaning
0       Disabled. Anonymous users are not restricted.
1       Enabled. Users who log on anonymously (also known as null session connections) cannot display lists of domain user names or share names. Also, these users cannot view security permissions, and they cannot use all of the features of Windows Explorer, Local Users and Groups, and other programs that enumerate users or shares.
2       Anonymous users have no access without explicit anonymous permissions.

Data type   Range       Default value
REG_DWORD   0 | 1 | 2   0

94 enum user list
C:\isaca>enum -U -u "Roger Rabbit" -p ToonTown Acme-PDC
username: Roger Rabbit
password: ToonTown
server: Acme-PDC
setting up session... success.
getting user list (pass 1, index 0)... success, got 6.
  Roger Rabbit  Baby Herman  Eddie Valiant  Maroon  Dolores  Jessica
cleaning up... success.

95 RestrictAnonymous=1 has no meaning!
Userdump
http://www.hammerofgod.com/download/userdump.zip
Command-line tool that performs SID walking
Must know at least one account name or group name on the system
Walksam
http://razor.bindview.com/tools/files/rpctools-1.0.zip
Command-line tool that performs SID walking
GetAcct
http://www.securityfriday.com/ToolDownload/GetAcct/getacct_doc.html
GetAcct sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines
GUI tool that performs SID walking

96 SID Walking?
Security Identifiers (SIDs)
Three Types
– Account SIDs
– Group SIDs
– Computer SIDs
RID     Account
500     Default Administrator
501     Guest
1000+   Nondefault account
S-1-5-21-917267712-1342860078-1792151419-500
SIDs are assigned automatically and are unique within every domain, server, and workstation (exception!)
They remain the same if the name of the account changes, but once deleted, they are gone forever
A SID contains:
– User and group security descriptors
– 48-bit ID authority
– Revision level
– Variable sub-authority values
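Added example, not from the presentation: Python that decomposes a SID into the fields the slide lists, classifies the RID with the table above, and uses the fact that a SID survives a rename to flag built-in accounts whose names have been changed, which is the defender's side of the same RID knowledge. The domain SID is the one on the slide; the account list is constructed from names that appear in the deck's net user output, with RIDs assumed.

```python
import re

# S-<revision>-<identifier authority>-<sub-authority>...-<RID>
SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")

# RID meanings from the slide's table.
RID_KIND = {500: "Default Administrator", 501: "Guest"}
# Names those RIDs carry on a fresh install.
DEFAULT_NAMES = {500: "Administrator", 501: "Guest"}


def parse_sid(sid):
    """Split a textual SID into revision, identifier authority and sub-authorities."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a SID: %r" % sid)
    return {
        "revision": int(m.group("rev")),
        "identifier_authority": int(m.group("auth")),
        "subauthorities": [int(s) for s in m.group("subs").split("-")[1:]],
    }


def classify_account(sid):
    """Return the domain SID, RID and account kind for a domain/machine account.

    Only S-1-5-21-<three sub-authorities>-<RID> is an account SID; anything else
    (S-1-5-18 for SYSTEM, S-1-1-0 for Everyone, ...) is a well-known SID."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    if p["identifier_authority"] != 5 or subs[:1] != [21] or len(subs) != 5:
        return {"sid": sid, "domain_sid": None, "rid": None,
                "kind": "well-known SID (not a domain account)"}
    rid = subs[-1]
    domain_sid = "S-%d-%d-%s" % (p["revision"], p["identifier_authority"],
                                 "-".join(str(s) for s in subs[:-1]))
    if rid in RID_KIND:
        kind = RID_KIND[rid]
    elif rid >= 1000:
        kind = "Nondefault account"
    else:
        kind = "other built-in RID (below 1000)"
    return {"sid": sid, "domain_sid": domain_sid, "rid": rid, "kind": kind}


def find_renamed_builtins(accounts):
    """accounts: iterable of (name, sid).

    A renamed Administrator or Guest keeps RID 500/501, so the RID rather than
    the name identifies it. Returns (name, sid, default name) for each one."""
    flagged = []
    for name, sid in accounts:
        info = classify_account(sid)
        default = DEFAULT_NAMES.get(info["rid"])
        if default is not None and name.lower() != default.lower():
            flagged.append((name, sid, default))
    return flagged


# Constructed sample: the domain SID from the slide plus account names from the
# deck's "net user" output; the RIDs are assumed for the illustration.
DOMAIN = "S-1-5-21-917267712-1342860078-1792151419"
SAMPLE_ACCOUNTS = [
    ("Administrator", DOMAIN + "-500"),
    ("Guest_Disabled", DOMAIN + "-501"),
    ("RogerRabbit", DOMAIN + "-1001"),
    ("VUSR_Acme-Lap", DOMAIN + "-1004"),
]

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        print("%-16s RID %-5s %s" % (name, classify_account(sid)["rid"],
                                     classify_account(sid)["kind"]))
    print("renamed built-ins:", find_renamed_builtins(SAMPLE_ACCOUNTS))
```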

97 Userdump
C:\isaca>userdump
UserDump v1.11 - thor@hammerofgod.com
Usage: userdump \\servername guest MaxQueries
Where \\servername is the name of a DC
      guest is the name of a known user or group
      MaxQueries is the number of user loops to try
UserDump will always get SID 500 (Admin) first, and then begins at 1001 + MaxQueries
MaxQueries of 0 or blank returns SID 500 and 1001


99 Walksam
Usage: walksam [options]
options:
  -p protocol_sequence
  -e endpoint
examples:
  walksam 192.168.1.1
  walksam -p ncacn_ip_tcp -e 1054 192.168.1.2
It supports both the 'traditional' method of doing this via Named Pipes, but also supports the additional protseqs that are used by W2K's Domain Controllers. By default, walksam will use the named pipes approach, and so will use either your current credentials, or whatever credentials have been specified with a "net use \\target\ipc$..." command. If an alternative protocol sequence is specified, then walksam will always attempt to use a null session.


101 GetAcct

102 Dumpsec (3rd Party)

103 Auditing Group Accounts

104 Useful OS Commands
Command                            Results
net group                          This command can be used only on a Windows 2000 Domain Controller.
net group groupname                Displays users that are a member of a global group.
net group /domain                  Displays global groups for the domain.
net group groupname /domain        Displays users that are a member of a global group.
net localgroup                     Displays the local groups on the computer.
net localgroup groupname           Displays users that are a member of the local group on the machine.
net localgroup /domain             Displays the local groups on a domain controller.
net localgroup groupname /domain   Displays users that are a member of the domain local group.

105 net group syntax
The syntax of this command is:
NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
          groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
          groupname username [...] {/ADD | /DELETE} [/DOMAIN]

106 net group /domain
C:\isaca>net group /domain
The request will be processed at a domain controller for domain Acme.

Group Accounts for \\Acme-PDC
-------------------------------------------------------------------------------
*Toon_Administrators     *Toon_Legal              *Toon_Executives
*Toon_Stunts             *Toon_Accountants        *Toon_Marketing

107 net group /domain
C:\isaca>net group /domain Toon_Legal
The request will be processed at a domain controller for domain Acme.

Group name     Toon_Legal
Comment        Toon Town Legal Department

Members
-------------------------------------------------------------------------------
Judge_Juddy              Harry_Larry              Judge_Dread
The command completed successfully.

108 net localgroup
C:\isaca>net localgroup

Aliases for \\WKS-RR
-------------------------------------------------------------------------------
*Administrators          *Backup Operators        *Debugger Users
*Guests                  *Power Users             *Users
The command completed successfully.

109 net localgroup
C:\isaca>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Acme\Toon_Administrators
Acme\Roger_Rabbit
Roger_Rabbit
Administrator
SMSCliSvcAcct&
The command completed successfully.

110 net localgroup /domain
C:\isaca>net localgroup /domain
The request will be processed at a domain controller for domain Acme.

Aliases for \\Acme-PDC
-------------------------------------------------------------------------------
*Administrators          *Backup Operators        *Guests
*Helpdesk                *Print Operators         *Replicator
*Server Operators        *Users
The command completed successfully.

111 net localgroup /domain
C:\isaca>net localgroup /domain Helpdesk
The request will be processed at a domain controller for domain Acme.

Alias name     Helpdesk
Comment        Phone Reps

Members
-------------------------------------------------------------------------------
HD0001                   HD0002                   HD0003
HD0004
The command completed successfully.

112 Useful Resource Kit Commands
Command    Results
showgrps   Displays the groups to which a given user belongs, optionally within a given network domain.
showmbrs   Displays the usernames of members of a given group, optionally within a given network domain.
local      Displays members of local groups on remote servers or domains.
global     Displays members of global groups on remote servers or domains.

113 showgrps

C:\isaca>showgrps /?
Usage: showgrps [/A] domain\user
   or  showgrps [/A] user
  /A - Check all known trusted domains

114

C:\isaca>showgrps Acme\RR
User: [Acme\RR], is a member of:
  Acme\Toon_Marketing
  Acme\Toon_Land
  Acme\Toon_Executives
  Acme\Toon_Operators
  Acme\Toon_Guests
  Acme\Toon_Cleaning
  Acme\Toon_Movies
  Acme\Domain Users
  \Everyone

115 showmbrs

C:\isaca>showmbrs /?
Usage: showmbrs domain\group
   or  showmbrs \\domain\group
   or  showmbrs group

116

C:\isaca>showmbrs Acme\Toon_Cleaning
Members of global group [Acme\Toon_Cleaning]:
  RR
  Sam
  Gweedo
  Ralphy
  Bubba
  Leon
  Doc
  MisterM
  Sonny
  Sid
  Don_Don
  ECapizzi
  RockyB
  JackieC

117 local

118 global

119 getuserinfo (3rd Party)
http://www.joeware.net/ (Free Win32 C++ Based Tools section)

Usage: GetUserInfo [(domain)(\\servername)\]userid [/p]
  domain    Domain to execute command against
  server    Server to execute command against
  userid    Userid to get info for.
  /p        Displays primary group info.
If domain/server is not specified, the local machine is used.
If . is specified for userid, all local/global accounts are enumerated.

120

121 Dumpsec (3rd Party)

122 Auditing User Rights

123 User Rights

Two categories:
– Logon rights
– User privileges

124 Logon Rights

Right                                           Description
Access this computer from the network           The user can connect to the computer remotely.
Deny access to this computer from the network   The user cannot connect to the computer remotely.
Deny logon as a batch job                       The user cannot be run by the scheduler or another batch facility.
Deny logon as a service                         The user cannot be used as a service account.
Logon as a batch job                            Used by the scheduler and other batch facilities.
Logon as a service                              Used by background applications; a service account requires this right for the service to start.
Log on locally                                  The user can log on at the computer's own console.

A "Deny" right takes precedence over the matching allow right, so check both when auditing a group's effective access.

125 User Privileges

Privilege                          Permits user to
SeAssignPrimaryTokenPrivilege      Replace a process level token.
SeAuditPrivilege                   Generate security audits.
SeBackupPrivilege                  Back up files and directories.
SeBatchLogonRight                  Logon as a batch job.
SeChangeNotifyPrivilege            Bypass traverse checking.
SeCreatePagefilePrivilege          Create a pagefile.
SeCreatePermanentPrivilege         Create permanent shared objects.
SeCreateTokenPrivilege             Create a token object.
SeDebugPrivilege                   Debug programs.
SeIncreaseBasePriorityPrivilege    Increase scheduling priority.
SeIncreaseQuotaPrivilege           Increase quotas.
SeInteractiveLogonRight            Log on locally.

Note: the Se...LogonRight entries are the logon rights from the previous slide, listed here under their internal names; tools such as showpriv and whoami /priv report privileges and rights by these names.


127 User Privileges

Privilege                          Permits user to
SeLoadDriverPrivilege              Load and unload device drivers.
SeLockMemoryPrivilege              Lock pages in memory.
SeMachineAccountPrivilege          Add workstations to domain.
SeNetworkLogonRight                Access this computer from the network.
SeProfileSingleProcessPrivilege    Profile single process.
SeRemoteShutdownPrivilege          Force shutdown from a remote system.
SeRestorePrivilege                 Restore files and directories.
SeSecurityPrivilege                Manage auditing and security log.
SeServiceLogonRight                Log on as a service.
SeShutdownPrivilege                Shut down the system.
SeSystemEnvironmentPrivilege       Modify firmware environment values.

128 User Privileges

Privilege                          Permits user to
SeSystemProfilePrivilege           Profile system performance.
SeSystemtimePrivilege              Change the system time.
SeTakeOwnershipPrivilege           Take ownership of files or other objects.
SeTcbPrivilege                     Act as part of the operating system.
SeUnsolicitedInputPrivilege        Read unsolicited input from a terminal device.

129 Resource Kit - showpriv

130 SeTakeOwnershipPrivilege

131 Resource Kit - whoami

WHOAMI [/option] [/option]...
Where /option is one of the following:
  /ALL        = Display all information in the current access token.
  /NOVERBOSE  = Display minimal information. *
  /USER       = Display user.
  /GROUPS     = Display groups.
  /PRIV       = Display privileges.
  /LOGONID    = Display Logon ID.
  /SID        = Display SIDs. *
  /HELP       = Display help.
  * Must be used with option /USER, /GROUPS, /PRIV or /LOGONID

Samples are as follows:
  WHOAMI
  WHOAMI /ALL
  WHOAMI /USER /SID
  WHOAMI /GROUPS
  WHOAMI /GROUPS /NOVERBOSE
  WHOAMI /USER /GROUPS /SID
  WHOAMI /PRIV /NOVERBOSE
  WHOAMI /USER /GROUPS /PRIV
  WHOAMI /HELP

132

133 Dumpsec (3rd Party)
http://www.somarsoft.com/

134 Auditing Account Policies

135 Useful OS command

Command               Results
net accounts          Displays the current settings for password, logon limitations, and domain information.
net accounts /domain  Displays the current domain settings for password, logon limitations, and domain information.

136 net accounts

The syntax of this command is:

NET ACCOUNTS [/FORCELOGOFF:{minutes | NO}] [/MINPWLEN:length]
             [/MAXPWAGE:{days | UNLIMITED}] [/MINPWAGE:days]
             [/UNIQUEPW:number] [/DOMAIN]
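Reading `net accounts` output by eye works for one machine; across a fleet the auditor wants the values parsed and scored against a written baseline. The following is an added example, not from the presentation: it parses the text `net accounts` (or `net accounts /domain`) prints on Windows 2000, where "None", "Never" and "Unlimited" stand for an unset control, and reports every setting weaker than the baseline. The sample output is constructed, and the baseline thresholds are assumptions chosen for illustration rather than values from the slides.

```python
# Constructed sample in the layout `net accounts` prints on Windows 2000.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Assumed audit baseline (illustrative thresholds, not from the presentation).
BASELINE = {"min_pw_len": 8, "max_pw_age": 90, "min_pw_age": 1,
            "history": 6, "lockout_threshold": 5}

# Labels as printed by net accounts, mapped to short keys.
FIELDS = {
    "Minimum password age (days)": "min_pw_age",
    "Maximum password age (days)": "max_pw_age",
    "Minimum password length": "min_pw_len",
    "Length of password history maintained": "history",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "lockout_window",
    "Computer role": "role",
}


def _value(raw):
    """net accounts prints None/Never/Unlimited for an unset control; treat those as 0."""
    raw = raw.strip()
    if raw.lower() in ("none", "never", "unlimited"):
        return 0
    return int(raw) if raw.isdigit() else raw


def parse_net_accounts(text):
    """Return {short_key: value} for every recognised line of net accounts output."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = FIELDS.get(label.strip())
        if sep and key:
            settings[key] = _value(value)
    return settings


def check_policy(settings, baseline=BASELINE):
    """Compare parsed settings with the baseline; return (key, finding) pairs."""
    findings = []
    min_len = settings.get("min_pw_len", 0)
    if min_len < baseline["min_pw_len"]:
        findings.append(("min_pw_len", f"minimum password length {min_len} < {baseline['min_pw_len']}"))
    max_age = settings.get("max_pw_age", 0)
    if max_age == 0:
        findings.append(("max_pw_age", "passwords never expire (UNLIMITED)"))
    elif max_age > baseline["max_pw_age"]:
        findings.append(("max_pw_age", f"maximum password age {max_age} > {baseline['max_pw_age']} days"))
    if settings.get("min_pw_age", 0) < baseline["min_pw_age"]:
        # With no minimum age a user can cycle through the history in one sitting
        # and land back on the old password.
        findings.append(("min_pw_age", "minimum password age 0 defeats password history"))
    history = settings.get("history", 0)
    if history < baseline["history"]:
        findings.append(("history", f"password history {history} < {baseline['history']}"))
    threshold = settings.get("lockout_threshold", 0)
    if threshold == 0:
        findings.append(("lockout_threshold", "no account lockout: unlimited password guesses"))
    elif threshold > baseline["lockout_threshold"]:
        findings.append(("lockout_threshold", f"lockout threshold {threshold} > {baseline['lockout_threshold']}"))
    return findings


if __name__ == "__main__":
    for key, finding in check_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print(f"{key}: {finding}")
```

Feed it `net accounts /domain > policy.txt` from a domain controller to score the domain policy; the "Computer role" line tells you which one you parsed.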

137

138

139 dumpwin (3rd Party)

140 Auditing “Auditing”

141 Resource Kit - auditpol

AuditPol [\\computer] [/enable | /disable] [/help | /?] [/Category:Option]...
  /Enable  = Enable audit (default).
  /Disable = Disable audit.
  Category =
    System    : System events
    Logon     : Logon/Logoff events
    Object    : Object access
    Privilege : Use of privileges
    Process   : Process tracking
    Policy    : Security policy changes
    Sam       : SAM changes
  Option =
    Success : Audit success events
    Failure : Audit failure events
    All     : Audit success and failure events
    None    : Do not audit these events

Samples are as follows:
  AUDITPOL \\MyComputer
  AUDITPOL \\MyComputer /enable /system:all /object:failure
  AUDITPOL \\MyComputer /disable
  AUDITPOL /logon:failure /system:all /sam:success /privilege:none
  AUDITPOL /HELP | MORE   displays Help one screen at a time.

142

143 Dumpsec (3rd Party)

144 Auditing Log Settings

145 Windows Logging

Three types:
System Log – Tracks miscellaneous system events, e.g. events during system startup and hardware and controller failures.
Application Log – Tracks application related events, e.g. an application that fails to load a DLL writes an informational entry here.
Security Log – Tracks events such as logon, logoff, changes to access rights, and system startup and shutdown.

NOTE: By default no audit policy is enabled, so the security log stays empty until auditing is turned on (see auditpol above).

%SYSTEMROOT%\system32\config\SysEvent.Evt
%SYSTEMROOT%\system32\config\SecEvent.Evt
%SYSTEMROOT%\system32\config\AppEvent.Evt

146 Event Viewer

147

148 Using the Event Log for Auditing

149 ntlast (3rd Party)
http://www.foundstone.com

150 Resource Kit - dumpel

dumpel.exe - create ASCII log files
– can be imported into Excel or Access
– eliminate acceptable entries
– sort by workstation or login ID

Track unique Logon ID for each session
– match logon/logoff

151 Logon Types

2 - Interactive
3 - Network
4 - Batch Process
5 - Service
6 - Proxy
7 - Unlock (workstation unlocked, e.g. after a screen saver lock)

152 Resource Kit - dumpel

153 Eldump (3rd Party)
http://www.ibt.ku.dk/jesper/ELDump/default.htm

It is very much like the tool DumpEL from the NT Resource Kit, but ELDump is more versatile and sometimes quite a lot faster. Most important, ELDump can:
– Dump from active event logs or from saved event logs with full message texts.
– Filter on all the same fields as the Event Viewer.
– Dump only the message strings instead of the full message texts. This is a lot faster and also makes it easier to parse the messages with other programs.
– Look up the message texts on another server. This means you get message text even if the applications and drivers that logged the messages are not installed on the machine where you are running ELDump.
– Dump several logs from several servers with one invocation of the ELDump command.

154

Dump the application log from the current machine to the file el-appl.txt:
  eldump >el-appl.txt

Dump the system log from server \\serv1:
  eldump -s \\serv1 -l system
or the same but shorter:
  eldump \\serv1 sys

Dump error messages about node1 from a single day:
  eldump -T error -c node1 -a 19970109000000 -b 1997010000000
or the same but shorter:
  eldump err -cnode1 -a970109 -b97010

Dump messages saved from the system log at \\serv1 in file \\serv1\d$\system.log, with centuries in the event dates and GMT times:
  eldump -F \\serv1\d$\system.log -l system -x \\serv1 -K -G
or the same but shorter:
  eldump \\serv1\d$\system.log sys -KG

Dump error messages saved from the system and application logs at the servers \\serv1 and \\serv2:
  eldump -s \\serv1 -s \\serv2 -l system -l application -T error
or the same but shorter:
  eldump \\serv1 \\serv2 sys app err

155 Event IDs

Event ID   Description
517        Audit log cleared
532        Logon failure: user account has expired
608/609    User right assigned/removed
610/611    New trusted domain/removed
612        Audit policy changed
624/629    User account created/disabled
630        User account deleted
643        Domain policy changed

http://www.counterpane.com/log-windows.html
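The dumpel slide describes the technique (dump to ASCII, drop the acceptable entries, match logon to logoff by Logon ID) and the two slides after it give the logon-type codes and the event IDs worth a second look. The following program is an added example that ties the three together; it is not from the presentation and not part of the Yale audit script shown later. It assumes the default column order of `dumpel -t` output (date, time, type, category, event ID, source, user, computer, insertion strings; confirm this against your own dumpel build) and that in events 528/540 the insertion string after the Logon ID is the numeric logon type. The five records are constructed, not real log data.

```python
import re

# Event IDs from the slide's table (NT4 / Windows 2000 security log numbering).
WATCH = {
    517: "Audit log cleared",
    532: "Logon failure: user account has expired",
    608: "User right assigned",
    609: "User right removed",
    610: "New trusted domain",
    611: "Trusted domain removed",
    612: "Audit policy changed",
    624: "User account created",
    629: "User account disabled",
    630: "User account deleted",
    643: "Domain policy changed",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               6: "Proxy", 7: "Unlock"}
LOGON_EVENTS = {528, 540}      # successful logon (540 = network logon on Windows 2000)
LOGOFF_EVENT = 538
LOGON_ID = re.compile(r"\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\)")

# Assumed column order of tab-separated `dumpel -t` output.
COLUMNS = ("date", "time", "type", "category", "event_id",
           "source", "user", "computer", "strings")

# Constructed sample: five security-log records in that layout.
SAMPLE_DUMPEL = "\n".join([
    "4/25/2003\t8:01:10 AM\t8\t2\t528\tSecurity\trr\tACME-PDC\t"
    "rr ACME (0x0,0x1A2B3) 2 User32 Negotiate WKS-RR",
    "4/25/2003\t8:02:41 AM\t8\t2\t540\tSecurity\tsvc_backup\tACME-PDC\t"
    "svc_backup ACME (0x0,0x1B7F0) 3 Kerberos Kerberos WKS-BK",
    "4/25/2003\t8:15:03 AM\t8\t7\t624\tSecurity\trr\tACME-PDC\t"
    "HD0005 ACME S-1-5-21-1-2-3-1100 rr ACME (0x0,0x1A2B3)",
    "4/25/2003\t8:20:00 AM\t8\t2\t538\tSecurity\trr\tACME-PDC\t"
    "rr ACME (0x0,0x1A2B3) 2",
    "4/25/2003\t8:30:12 AM\t8\t6\t612\tSecurity\tSYSTEM\tACME-PDC\t"
    "SYSTEM NT AUTHORITY (0x0,0x3E7)",
])


def parse_dumpel(text):
    """Split dumpel lines into dicts and pull the Logon ID out of the strings column."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(COLUMNS, line.split("\t", len(COLUMNS) - 1)))
        rec.setdefault("strings", "")
        rec["event_id"] = int(rec["event_id"])
        match = LOGON_ID.search(rec["strings"])
        rec["logon_id"] = match.group(0) if match else None
        records.append(rec)
    return records


def match_sessions(records):
    """Pair each successful logon with its logoff by Logon ID (the dumpel slide's technique)."""
    sessions = {}
    for rec in records:
        lid = rec["logon_id"]
        if lid is None:
            continue
        if rec["event_id"] in LOGON_EVENTS:
            # Assumption: the token after the Logon ID in 528/540 is the logon type.
            rest = rec["strings"].split(lid, 1)[1].split()
            ltype = int(rest[0]) if rest and rest[0].isdigit() else None
            sessions[lid] = {"user": rec["user"],
                             "logon": f"{rec['date']} {rec['time']}",
                             "logon_type": LOGON_TYPES.get(ltype, f"unknown ({ltype})"),
                             "logoff": None}
        elif rec["event_id"] == LOGOFF_EVENT and lid in sessions:
            sessions[lid]["logoff"] = f"{rec['date']} {rec['time']}"
    return sessions


def open_sessions(sessions):
    """Logon IDs with no logoff: still active, or the logoff was never recorded."""
    return sorted(lid for lid, s in sessions.items() if s["logoff"] is None)


def watch_events(records, sessions):
    """Watch-list events, attributed to the session whose Logon ID they carry."""
    hits = []
    for rec in records:
        if rec["event_id"] not in WATCH:
            continue
        sess = sessions.get(rec["logon_id"])
        hits.append({"event_id": rec["event_id"], "description": WATCH[rec["event_id"]],
                     "when": f"{rec['date']} {rec['time']}",
                     "session_user": sess["user"] if sess else None})
    return hits


if __name__ == "__main__":
    recs = parse_dumpel(SAMPLE_DUMPEL)
    sessions = match_sessions(recs)
    for lid, s in sessions.items():
        print(f"{lid} {s['user']:<12} {s['logon_type']:<12} {s['logon']} -> {s['logoff'] or 'OPEN'}")
    for h in watch_events(recs, sessions):
        print(f"{h['when']} {h['event_id']} {h['description']} (session of {h['session_user']})")
```

Attributing the 624 account creation to the interactive session of rr through the Logon ID, rather than trusting the user column alone, is the point of tracking sessions: the same field links every audited action back to the logon that performed it, and a watch event whose Logon ID matches no logon in the dump is itself worth asking about.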

156 Auditing Processes

157 Resource Kit - pulist

158

159 Resource Kit - tlist

160

161

162

163 pslist (3rd Party)
http://www.sysinternals.com/ntw2k/freeware/pslist.shtml

164

165 dumpwin (3rd Party)

166

167 Auditing Drives

168 Psinfo – Disk Information

$ psinfo -d

System information for \\Acme-Lap:
Uptime:                    1 day, 2 hours, 54 minutes, 25 seconds
Kernel version:            Microsoft Windows 2000, Uniprocessor Free
Product type:              Professional
Product version:           5.0
Service pack:              2
Kernel build number:       2195
Registered organization:   Acme
Registered owner:          Acme
Install date:              5/22/2000, 10:14:21 AM
IE version:                5.5000
System root:               C:\WINNT
Processors:                1
Processor speed:           700 MHz
Processor type:            Intel Pentium III
Physical memory:           320 MB

Volume  Type    Format  Label    Size      Free      Free
C:      Fixed   NTFS             11.2 GB   5.8 GB    52%
D:      CD-ROM                                       0%
E:      Fixed   FAT     PGPDISK  499.7 MB  326.8 MB  65%
K:      Remote  NTFS             440.9 GB  108.0 GB  25%
P:      Remote  NTFS    Drive_E  339.2 GB  166.0 GB  49%

169 Dumpwin – Drive Information

$ DumpWin.exe -d

===================== Drive Information =====================
Drive C:\ : Fixed
  Volume Name    :
  File System    : NTFS
  Free Clusters  : 1523887
  Total Clusters : 2946502
Drive D:\ : CD-ROM
Drive E:\ : Fixed
  Volume Name    : PGPDISK
  File System    : FAT
  Free Clusters  : 41826
  Total Clusters : 63966
Drive H:\ : Network drive
Drive K:\ : Network drive
Drive P:\ : Network drive

170 Auditing Share Permissions

171 Useful OS command

Command     Results
net share   Lists resources being shared on the computer

172 dumpwin (3rd Party)

173 Resource Kit - srvcheck

174 Dumpsec (3rd Party)

175 net use \\<server>\IPC$ /user:<domain>\<username>

Connect to the remote server's IPC$ share with explicit credentials first; the share-permission tools on the following slides need an authenticated session to enumerate a remote machine.

176 Auditing Directory Permissions

177 Resource Kit - xcacls

178

179

180 Resource Kit - subinacl

181 Auditing Services

182 Resource Kit - sclist

183

184 Resource Kit - netsvc

185 netsvc list services

186 netsvc service status

187 psservice (3rd Party)
http://www.sysinternals.com/ntw2k/freeware/psservice.shtml

188

189 Dumpsec (3rd Party)

190

191 dumpwin (3rd Party)

192 NetViewX (3rd Party)
http://www.ibt.ku.dk/jesper/NetViewX

It is a bit like the NT "net view /domain" command, but it allows you to list only servers with specific services, and it uses a list format that is easily parsable.

193 Netviewx (3rd Party)

194 Auditing Service Permissions

195 Resource Kit - subinacl

196

197 Auditing Device Drivers

198 dumpsec

199

200 Auditing Printer Permissions

201 Resource Kit - subinacl

202 Dumpsec (3rd Party)

203 Auditing Remote Access

204 Resource Kit - raslist Displays the names of all hosts within a domain network that are running RAS

205 Resource Kit - rasusers

206 Auditing Trusted Relationships

207 Resource Kit - nltest

208 Resource Kit - nlmon

209 DNS Zone Transfers Internet Accessible http://www.nscan.org/?index=dns

210 Where Credit is Due...

The following script was created by James M. Hackett, Administrative ISO, Yale University. It demonstrates the audit process that results from combining the tools that have been discussed: gather the current state, diff it against a stored baseline, and write the differences to a report.

211 shd_srv_audit01.bat

@echo off
REM dump system, security and application logs from server %1
e:\audit\tools\dumpel -l system -f g:\audit\%1_sys_log.txt -s %1 -c
e:\audit\tools\dumpel -l security -f g:\audit\%1_sec_log.txt -s %1 -c
e:\audit\tools\dumpel -l application -f g:\audit\%1_app_log.txt -s %1 -c
REM account and group change events only (639-643), for the report
e:\audit\tools\dumpel -l security -m security -e 639 640 641 642 643 -f g:\audit\%1_acct_chg.txt -s %1 -c
REM dump port information and routing table
REM note: netstat has no remote option, so these describe the machine running the script
e:\audit\tools\netstat -a > g:\audit\%1_ports_a.txt
e:\audit\tools\netstat -r > g:\audit\%1_ports_r.txt
REM dump service information
e:\audit\tools\netsvc \\%1 /list > g:\audit\%1_services.txt
REM dump users and groups
e:\audit\tools\addusers /d g:\audit\%1_usr_grps.txt /s:, \\%1

212 shd_srv_audit01.bat

REM sysdiff the system against the stored baseline snapshot
e:\audit\tools\sysdiff /diff e:\audit\base\%1\base.img g:\audit\%1_diff.img
e:\audit\tools\sysdiff /dump g:\audit\%1_diff.img g:\audit\%1_diff.txt
REM dump ACLs
e:\audit\tools\xcacls %systemroot%\*.* /T > g:\audit\%1_acl.txt
REM dump file stamps (creation time, recursive)
dir %systemroot% /s/t:c > g:\audit\%1_stamps.txt
REM ** End Data Gathering **
REM **********************************
REM ** Begin Report Generation **
echo Audit Report shd_srv_audit01 for %1 >g:\audit\%1_report.txt
time /t >>g:\audit\%1_report.txt
date /t >>g:\audit\%1_report.txt

213 shd_srv_audit01.bat

REM each section is a line-numbered fc diff of the fresh dump against the baseline
echo @@@ Service Ports @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_ports_a.txt e:\audit\base\%1\ports_a.txt >>g:\audit\%1_report.txt
echo @@@ Route Table @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_ports_r.txt e:\audit\base\%1\ports_r.txt >>g:\audit\%1_report.txt
echo @@@ Services @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_services.txt e:\audit\base\%1\services.txt >>g:\audit\%1_report.txt
echo @@@ Users and Groups @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_usr_grps.txt e:\audit\base\%1\usr_grps.txt >>g:\audit\%1_report.txt

214 shd_srv_audit01.bat

echo @@@ SYS DIFF @@@ >> g:\audit\%1_report.txt
type g:\audit\%1_diff.txt >>g:\audit\%1_report.txt
echo @@@ ACLs @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_acl.txt e:\audit\base\%1\acl.txt >>g:\audit\%1_report.txt
echo @@@ File Stamps @@@ >> g:\audit\%1_report.txt
fc /n g:\audit\%1_stamps.txt e:\audit\base\%1\stamps.txt >>g:\audit\%1_report.txt
echo @@@ Account Changes @@@ >> g:\audit\%1_report.txt
type g:\audit\%1_acct_chg.txt >> g:\audit\%1_report.txt
echo End Audit Report shd_srv_audit01 for %1 >>g:\audit\%1_report.txt
time /t >>g:\audit\%1_report.txt
date /t >>g:\audit\%1_report.txt

215 The Audit Report

216

217 Reference Sites

Resource Kit
  http://www.dynawell.com/support/ResKit/win2k.asp
Windows Ports
  http://www.poopoccurs.com/windows/2kports.html
Tool Repository
  http://packetstormsecurity.com/
  http://www.securiteam.com/tools/archive.html
  http://www.somarsoft.com/
  http://www.sysinternals.com
Security and SA Sites
  http://www.labmice.net/Security/default.htm
  http://is-it-true.org/nt/

218 Reference Sites

  http://www.yale.edu/its/security/
  http://www.cert.org/
  http://www.ciac.org/
  ftp://coast.cs.purdue.edu/pub/tools/windows/windowsNT/
  http://www.microsoft.com/security/
  http://www.sans.org/
Windows Scripting
  http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169
  http://www.jsifaq.com/
  http://www.roth.net/

219 Questions? Thank You!

