Practical audit advice you can use today.

Baltimore/Australia Notes
Published: 2014-07-21


A few quick things. First, many folks from the class said that they knew others in the office who should attend this class. If you do know someone like that, there’s a vLive class (taught completely online, two nights each week over six weeks) starting on August 4. I’m pretty sure that there’s even an offer to get an Apple Laptop or get $850 off of the class for the session that’s starting up. If you know someone who would benefit from attending, auditor or not, please let them know! (Discount/laptop deal: - AUD507 -

Here are the course notes that I made during our recent 507 class. If there’s something else that you’re looking for that I forgot to include below, please let me know! Also, please remember that you can use your existing VPN credentials to our lab to connect to and work on the AuditWars challenge at Of course, that link will only work if you are already connected to our VPN. (Don’t forget to run the interface as an administrator!) Finally, I’ve attached to the end of this email a set of handy PowerShell scripts that a student donated. To use them you will want to open them up and search for the word “insert” so that you can insert the relevant information from your domain.

If you try to watch the Lab videos (Disks 3 & 4) and find that some of them don’t seem to work, it is probably a missing Codec. If you go to and download that *free* player, they work just fine. :)

Feel free to link to me:

I also try to tweet useful stuff now and then:

And periodically post useful YouTube videos:

Have a great day!

Day 2 Stuff:

Router Auditing:

NMap Management & Auditing Scripts:

WPA2 PSK Hacking Demo:

Finding Wireless Clients:

NMap Difference Tracking:

NMap Difference Tracking Continued:

Day 3:

Fuzzing with WebScarab:

Scaling WebApp Fuzzing:

Day 4:

Getting users:

dsquery user -s <server> -u auditor -p Password1

Getting users whose passwords never expire:

dsquery * -filter "(&(objectCategory=Person)(ObjectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -s <server> -u auditor -p Password1

Bit masking for LDAP: (userAccountControl:1.2.840.113556.1.4.803:=####)

Users who are not required to have a password:

dsquery * -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))" -s <server> -u auditor -p Password1 -attr samaccountname

Getting last logon timestamps:

dsquery * -filter "(&(objectCategory=Person)(objectClass=user))" -attr lastLogonTimeStamp sAMAccountName -s <server> -u auditor -p Password1

Useful bit values for UAC:

2 Disabled Account

16 Locked Out

32 Password not required (can be blank)

512 Normal account

65536 Password never expires

UAC values: Microsoft Knowledge Base article Q305144
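An added example (not part of the original course notes) that post-processes the attributes pulled by the dsquery commands above: it builds the bitmask filter, decodes userAccountControl values with the bit table listed here, and converts the raw lastLogonTimeStamp integer into a date to flag stale accounts. The account rows, the 90-day threshold and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Bit values as listed in the notes above.
UAC_FLAGS = {2: "Disabled Account", 16: "Locked Out",
             32: "Password not required", 512: "Normal account",
             65536: "Password never expires"}
BIT_AND = "1.2.840.113556.1.4.803"  # the bitwise-AND matching rule used above

def uac_filter(mask):
    """LDAP filter for user objects that have every bit in `mask` set."""
    return ("(&(objectCategory=Person)(objectClass=User)"
            f"(userAccountControl:{BIT_AND}:={mask}))")

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def filetime_to_utc(ticks):
    """lastLogonTimeStamp counts 100 ns ticks since 1601-01-01 UTC; 0 means never."""
    if ticks == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def audit(rows, now, stale_days=90):
    """rows: (sAMAccountName, userAccountControl, lastLogonTimeStamp) tuples."""
    findings = {}
    for name, uac, ticks in rows:
        notes = [f for f in decode_uac(uac) if f != "Normal account"]
        last = filetime_to_utc(ticks)
        if last is None:
            notes.append("Never logged on")
        elif now - last > timedelta(days=stale_days):
            notes.append(f"No logon for {(now - last).days} days")
        if notes:
            findings[name] = notes
    return findings

# Constructed sample rows, not real directory data.
SAMPLE = [("alice", 512, 130500000000000000),
          ("svc_backup", 66048, 130300000000000000),
          ("kiosk", 544, 0),
          ("old_temp", 514, 129900000000000000)]
NOW = datetime(2014, 7, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(uac_filter(32 | 65536))  # accounts with both weaknesses at once
    for account, notes in audit(SAMPLE, NOW).items():
        print(account, "->", "; ".join(notes))
```

Because lastLogonTimeStamp is a replicated attribute that Active Directory updates lazily (by default it can lag the real logon by about two weeks), keep the staleness threshold well above that.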

What's the Real Impact?
Published: 2014-04-14 (Length: 13:45)

Heartbleed has been making headlines for the last week and you can find some saying that it's 11 out of 10 on the impact scale while others are downplaying the severity of the flaw and the long term impact. What's the real deal? What are you telling your CEO when he asks you what this means for your company?

In this short video we'll take a look at how quickly and easily a site can be attacked and then we'll look at actual captured data to see what the impact could be. With that data as context we'll explain to you why this matters and what it means for your company if your server was vulnerable.

Especially since there is mounting evidence that this vulnerability was known by attackers since as early as October of 2013, organizations could be looking at massive amounts of leaked data from busy vulnerable servers.

How to Find Misconfigured Switches in Your Network!
Published: 2014-02-14 (Length: 24:10)

Layer 2 management protocols like STP, MSTP, TRILL, SPB, CDP, VTP, HSRP, etc., should never be visible on user facing ports. There are some technical challenges when deploying something like VOIP in a converged network solution, but barring this, having these protocols exposed is an easy to find and obvious indication of misconfiguration.

In this short video we look at a quick intro to Wireshark, look at a few of the features and see easy ways to find these packets if they are visible. We also talk about how a network engineer or security engineer would weed out traffic, identifying interesting traffic that does not belong.

This video is a sample of one of the labs covered in the SANS Advanced Audit course (AUD507) by David Hoelzer. Visit for more information!
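An added example (not taken from the video or the course lab) of the check described above, written as a classifier over raw Ethernet frames captured on a user-facing port. It covers only STP/MSTP, CDP, VTP and HSRPv1 from the list above; the sample frames are constructed and the function names are assumptions.

```python
import struct

# Destination MACs used by layer 2 management and redundancy protocols.
STP_MAC = bytes.fromhex("0180c2000000")    # STP/MSTP BPDUs
CISCO_MAC = bytes.fromhex("01000ccccccc")  # CDP and VTP share this address
HSRP_MAC = bytes.fromhex("01005e000002")   # HSRPv1 hellos to 224.0.0.2
CISCO_SNAP_TYPES = {0x2000: "CDP", 0x2003: "VTP"}

def classify(frame):
    """Name the management protocol in a raw Ethernet frame, or None."""
    if len(frame) < 34:          # too short to hold the headers checked below
        return None
    dst, payload = frame[:6], frame[14:]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if dst == STP_MAC and payload[:3] == b"\x42\x42\x03":   # LLC header of a BPDU
        return "STP/MSTP"
    if dst == CISCO_MAC and payload[:6] == b"\xaa\xaa\x03\x00\x00\x0c":  # SNAP, Cisco OUI
        return CISCO_SNAP_TYPES.get(struct.unpack("!H", payload[6:8])[0])
    if dst == HSRP_MAC and ethertype == 0x0800 and payload[9] == 17:     # IPv4 + UDP
        ihl = (payload[0] & 0x0F) * 4
        if len(payload) >= ihl + 4 and \
           struct.unpack("!H", payload[ihl + 2:ihl + 4])[0] == 1985:     # HSRP port
            return "HSRP"
    return None

def exposed_protocols(frames):
    """Sorted protocol names that should not be visible on a user-facing port."""
    return sorted({p for p in map(classify, frames) if p})

# Helpers that build constructed frames standing in for a capture.
SRC = bytes.fromhex("001122334455")

def llc_frame(dst, body):
    return dst + SRC + struct.pack("!H", len(body)) + body

def udp_frame(dst_mac, dst_ip, port):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 17, 0,
                     bytes([192, 0, 2, 1]), dst_ip)
    return dst_mac + SRC + b"\x08\x00" + ip + struct.pack("!HHHH", port, port, 8, 0)

SAMPLE = [
    llc_frame(STP_MAC, b"\x42\x42\x03" + bytes(35)),
    llc_frame(CISCO_MAC, b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + bytes(20)),
    udp_frame(HSRP_MAC, bytes([224, 0, 0, 2]), 1985),
    udp_frame(bytes.fromhex("0a0b0c0d0e0f"), bytes([192, 0, 2, 9]), 53),  # ordinary traffic
]

if __name__ == "__main__":
    print(exposed_protocols(SAMPLE))
```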

ESXi and vSphere: Basic Security Audit Questions and Answers
Published: 2013-10-19 (Length: 34:39)

Virtualization is here to stay. That's not to say it's a bad thing, but among the things that we spend some time talking about in the SANS Audit 507 course are the most common and most serious security misconfigurations and hazards that we find in virtualized environments. Also in the course we spend time demystifying the VMware Best Practices guide and give super clear reasons why some of what it recommends is just plain old bad advice!

This video, however, gives you a brief 34 minute look at one of the lab exercises in that audit/security course. The lab will give you broad-brush familiarity with the vSphere management client, discuss common issues in ESXi configurations in addition to demonstrating how to get specific data that is related to some of the more common problem areas in these systems. For a more detailed discussion into this topic and many others you might consider this class:

Baselining Startup Processes!
Published: 2013-10-14 (Length: 13:47)

UNIX systems, at least up to a point, tend to be deterministic systems. This is quite different from Windows hosts, which are completely non-deterministic.

What this means for the System Administrator and the Auditor is that it is not only possible to accurately baseline which processes should be running on the system but also to tie those processes to specific process ID numbers! Especially when faced with detecting compromise and the possible installation of malware, this becomes an incredibly valuable detection technique. If malware is installed by an attacker it will typically be installed in such a way that it will automatically restart the next time that the system is booted. Since we now have a baseline of which processes should be running and also know precisely which process IDs they should have, even if the malware is hidden we can see that it has displaced the process IDs!
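An added example (not from the video) of the comparison described above: it takes a baseline `ps -eo pid,comm` listing and one captured after a later boot, then reports processes that are new, missing, or running under a different PID than in the baseline. Both listings are constructed, and the function names are assumptions.

```python
from collections import defaultdict

def parse_ps(text):
    """Parse `ps -eo pid,comm` output into (pid, command) pairs in PID order."""
    rows = []
    for line in text.strip().splitlines()[1:]:      # skip the header row
        pid, comm = line.split(None, 1)
        rows.append((int(pid), comm.strip()))
    return sorted(rows)

def by_occurrence(rows):
    """Map (command, n-th instance in PID order) -> PID so repeated names line up."""
    seen, out = defaultdict(int), {}
    for pid, comm in rows:
        out[(comm, seen[comm])] = pid
        seen[comm] += 1
    return out

def compare(baseline, current):
    """Diff two snapshots; 'displaced' holds (command, baseline PID, current PID)."""
    base, cur = by_occurrence(baseline), by_occurrence(current)
    return {
        "unexpected": sorted((pid, k[0]) for k, pid in cur.items() if k not in base),
        "missing": sorted((pid, k[0]) for k, pid in base.items() if k not in cur),
        "displaced": sorted(((k[0], base[k], pid) for k, pid in cur.items()
                             if k in base and base[k] != pid), key=lambda d: d[2]),
    }

# Constructed snapshots. After the reboot nothing new is visible in the
# listing, yet every process from sshd onward sits one PID higher.
BASELINE = """
  PID COMMAND
    1 init
  388 syslogd
  401 crond
  412 sshd
  420 getty
  421 getty
"""
AFTER_REBOOT = """
  PID COMMAND
    1 init
  388 syslogd
  401 crond
  413 sshd
  421 getty
  422 getty
"""

if __name__ == "__main__":
    for key, rows in compare(parse_ps(BASELINE), parse_ps(AFTER_REBOOT)).items():
        print(key, rows)
```

The first displaced entry shows where in the boot sequence the extra process started, which narrows the startup scripts worth inspecting.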