Practical audit advice you can use today.
# 35 : Course Notes - 507
Greetings!

A few quick things. First, many folks from the class said that they knew others in the office who should attend this class. If you do know someone like that, there’s a vLive class (taught completely online, two nights each week over six weeks) starting on August 4. I’m pretty sure that there’s even an offer to get an Apple Laptop or get $850 off of the class for the session that’s starting up. If you know someone who would benefit from attending, auditor or not, please let them know! (Discount/laptop deal: https://www.sans.org/vlive/specials - AUD507 - https://www.sans.org/vlive/details/35515)

Here are the course notes that I made during our recent 507 class. If there’s something else that you’re looking for that I forgot to include below, please let me know! Also, please remember that you can use your existing VPN credentials to our lab to connect to and work on the AuditWars challenge at https://score.enclaveforensics.com. Of course, that link will only work if you are already connected to our VPN (Don’t forget to run the interface as an administrator!) Finally, I’ve attached a set of handy Powershell scripts that a student donated to the end of this email. To use them you will want to open them up and search for the word “insert” so that you can insert the relevant information from your domain.

If you try to watch the Lab videos (Disks 3 & 4) and find that some of them don’t seem to work, it is probably a missing Codec. If you go to http://videolan.org and download that *free* player, they work just fine. :)

Feel free to link to me: http://www.linkedin.com/profile/view?id=34778231

I also try to tweet useful stuff now and then: http://twitter.com/it_audit

And periodically post useful YouTube videos: https://www.youtube.com/user/DHAtEnclaveForensics

Have a great day!

Day 2 Stuff:

Router Auditing: http://auditcasts.com/screencasts/2-do-differences-matter

NMap Management & Auditing Scripts: http://www.unspecific.com/nmap

WPA2 PSK Hacking Demo: http://auditcasts.com/screencasts/3-auditing-hacking-wpa-wpa2

Finding Wireless Clients: http://auditcasts.com/screencasts/4-can-you-hear-me-now

NMap Difference Tracking: http://auditcasts.com/screencasts/5-herding-the-cats

NMap Difference Tracking Continued: http://auditcasts.com/screencasts/6-cat-herding-part-deux-nmap-differences

Day 3:

Fuzzing with WebScarab: http://auditcasts.com/screencasts/8-effective-webscarab-fuzzing

Scaling WebApp Fuzzing: http://it-audit.sans.org/blog/2011/07/25/scaling-input-fuzzing-with-webscarab

Day 4:

Getting users:

dsquery user -s 507dc.enclaveforensics.com -u auditor -p Password1

Getting users whose passwords never expire:

dsquery * -filter "(&(objectCategory=Person)(ObjectClass=User)

(userAccountControl:1.2.840.113556.1.4.803:=65536))" -s

507dc.enclaveforensics.com -u auditor -p Password1

Bit masking for LDAP:(userAccountControl:1.2.840.113556.1.4.803:=####)

Users who are not required to have a password:

dsquery * -filter "&(objectCategory=Person)(objectClass=User)

(useraccountcontrol:1.2.840.113556.1.4.803:=544)"

-s 507dc.enclaveforensics.com -u auditor -p Password1 -attr samaccountname

Getting last logon timestamps:

dsquery * -filter "(&(objectCategory=Person)(objectClass=user))" -attr

lastLogonTimeStamp sAMAccountName -s 507dc.enclaveforensics.com

-u auditor -p Password1

Useful bit values for UAC:

2 Disabled Account

16 Locked Out

32 Password not required (can be blank)

512 Normal account

65536 Password never expires

http://auditcasts.com/screencasts/19-detecting-signs-of-apt-and-malware

UAC values:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

Screencast_icon

View All