Practical audit advice you can use today.

Quick and Easy How-To with Powershell!
Published: 2012-03-15 (Length: 20:21)

Welcome to our next episode! Last time we were talking about Powershell, demonstrating some different ways that we could use it to begin to automate some of our audit and administrative tasks. For example, pulling some information out of our Active Directory.

In this week's AuditCast we're going to continue on and try to modularize some of the code that we wrote last week. At the same time, we'll try to simplify it, clean it up, and finally generalize it just a bit, to create something that we can use in many different tasks that we'll be examining over the next couple of weeks. Before starting the AuditCast, I did one or two things ahead of time.

The first thing is that I took some of the code that we were working with last week, the code that actually got the handle for doing a domain search, and I moved that into what's called a "function." This week we'll see how we can leverage these sorts of things. You should be able to see that this code is essentially exactly the same code we wrote last week; the only difference is that it's in a function.

For a full write-up along with the source code for the scripts written in this episode, please go here:

http://it-audit.sans.org/blog/2012/03/15/learning-powershell-how-to-extract-user-objects-from-active-directory-using-powershell/

Basic Powershell Scripting for the Masses!
Published: 2012-03-05 (Length: 28:55)

A common question in an audit of information resources is whether or not accounts for users are being properly managed. One aspect of that is determining whether or not the accounts created are needed while another is looking for evidence that accounts for terminated users are being disabled or deleted in a timely fashion. An easy way to answer both of these questions is through the use of Active Directory queries! This screencast demonstrates exactly how to do just that.

While it's true that the information that we're looking for can be obtained directly from the Active Directory using tools like DSQuery and DSGet, in the long term I think it's far wiser to learn a little bit of basic scripting that will allow you to perform just about any kind of query you'd ever want to in Active Directory, even if your admins have customized the Active Directory Schema!

Learning to write Powershell scripts, though, can seem daunting. Not only will we have to face the differences between different versions of Powershell and the .NET requirements that sometimes lead to software conflicts when we're still using some legacy code, but some Powershell scripts just look downright confusing! Not to worry.

Rather than trying to learn everything that there is to know about Powershell and directory queries, there's a great deal of value in learning some basic "recipes" that can be used to extract useful data using a script. Once we've got a good handle on the recipe, it's much easier to just adjust the "ingredients", if you will, to get at what we're looking for.

In the various classes that I teach for Auditors, whenever there's an opportunity to do so, I strongly recommend that auditors take some time to learn some basic scripting. This screencast is a perfect example. Once you've got a few of the basics in the script, you can easily modify the script to look for just about anything you'd want to. Not only that, you can make those modifications without ever really getting a deep understanding of exactly what an Active Directory Search object is and how it works!

The source code for this script can be obtained here: http://it-audit.sans.org/blog/2012/03/05/identifying-inactive-and-unnecessary-user-accounts-in-active-directory-with-powershell

From Discovery through Metasploit module!
Published: 2011-11-16 (Length: 01:04:57)

This webcast is a bit off the normal track for us. This recording was made live at a conference a few months back. (Sorry that the first few minutes have the screen capture software in view. Be patient, it goes away before we get to anything really good!) In the recording, David Hoelzer walks through a demonstration of the various phases that a security researcher (or hacker) would go through to discover a vulnerability, build a proof of concept and finally create a working exploit.

A major take-away from this demonstration is how quickly this can be done. The actual demonstration takes only 60 minutes from beginning to end, and that's with all of the talking and explaining. Once the flaw was discovered, a working POC exploit and Metasploit module could have been written in about 15 minutes.

I've had people say, "Well, sure, there's a flaw, but it would be really hard to exploit it." Guess what... In many cases they're just plain wrong!

Quick and easy demo combining DNS Spoofing with WPAD for a man in the middle attack!
Published: 2011-11-09 (Length: 11:36)

How hard is it for someone to insert a proxy between you and the rest of the Internet without you knowing? Will running a Mac or Linux protect you?

In this episode we combine the concepts from Episode 20 with the WPAD style attack that was discussed back in Episode 17, producing a quick and easy how-to for a man in the middle attack that will work against any system that has Automatic Proxy Discovery enabled.

This feature is sometimes thought to be a Windows-specific issue, but as we demonstrate here by transparently creating a man in the middle proxy for a Mac, it really does apply everywhere. There are just a few simple pieces that you need to accomplish this attack, and there are some quick and easy things that you can do to defend yourself or that you can look for during an audit.

For more details and a link to the source code, please check the Blog article here:

http://it-audit.sans.org/blog/2011/11/09/it-security-audit-what-about-wpad/

Fixing Permissions for Visual Sniff
Published: 2011-11-08 (Length: 04:11)

This screencast was created specifically as a support video for our VisualSniff product. The default permissions that are set on the BPF adapters on OS X are a bit atypical and make it impossible for a user to start a sniffer without becoming an administrator. Using the directions in the video with the accompanying script resolves this issue so that VisualSniff will work correctly. The script referenced can be downloaded here: http://enclaveforensics.com/ClientFiles/VisualSniffPerms.sh