Today we launched our own anonymous web proxy: http://www.edgeproxy.net. Like most security tools, anonymous proxies are incredibly useful but also controversal. Web proxies mask your activities on the net in two ways: First, they allow you to access one web site through another, hiding you IP address from the target; Second, they encode the target URL hiding it from any local firewalls or proxies you might be sitting behind. They are great for pen testing where you want to hide your activities, especially if you want to mask your location. They are a nightmare if you are trying to manage a web filter and your users are able to bypass your filters.

Web Proxies are very popular among with students whose schools block access to MySpace and Facebook. We launched it because we needed a reliable proxy we control for testing. We debated whether it was wise to provide a public vehicle for bypassing someone else’s security controls, but felt in the end that adding one more proxy on the net will not increase the web’s threat profile. Our TOCs state that we will cooperate will law enforcement if we determine that our site is being used for nefarious purposes. Hopefully, that will be enough to scare away those who hide behind proxies to abuse the web.

The first script in the series is a Windows Services lockdown script for Windows XP & 2003. Disabling services is generally a good idea to reduce the threat profile of your computer, and to improve its performance. Every security guide out there tells you to disable unnecessary services. A few of them also give some guidance as to which services are unnecessary. Few of them tell you how to disable them consistently.

There are three ways to disable services: 1) Use the Services MMC GUI. This is a time consuming process and is prone to mistakes. 2) Use Group Policy. This works well for environments that use Group Policy, but is harder to implement for stand-alone servers, such as web servers. 3) Use the sc.exe command line utility.

If you do not know the sc command, learn it! sc is a powerful utility for controlling services on local or remote hosts. sc will let you configure how services start, change the user account and password they run under, and start/stop/pause the services. The basic syntax of sc is:

sc <server> [command] [service name] <option1> <option2>

We are going to use 2 different sc commands in our service lockdown script: config & stop. These should be self explanatory, but config will allow us to disable the service, and stop will stop the service. To make this work, we need three files: 1) The script batch file; 2) a list of servers by name called hosts.txt; 3) a list of services we want to disable called services.txt. The two text files must be in the same directory as the batch file. The code is fairly simple:

REM***(c) 2007 William L. Dougherty
REM***Script created by Bill Dougherty to disable services on Windows 2003 & XP
for /f %%a in (hosts.txt) do call :serviceconfig %%a
goto :eom
:serviceconfig
for /f %%b in (services.txt) do (sc \\%1 config %%b start= disabled)
for /f %%c in (services.txt) do (sc \\%1 stop %%c)
:eom

Pretty simple, huh? We loop through a list of servers, and then for each server, we loop through a list of services. The service list must be the service name and not the display name of the services. Some service names are less than intuitive, such as the service name for IPSEC Services is PolicyAgent. You can get the service name from the services MMC by clicking the service and looking at its properties, or from the command line using sc query. Either way, once you build your service list the first time, you’ll rarely need to revist this.

This script requires you to have administrator access on the target host. This works great in a domain environment, but what if you are dealing with stand-alone servers? You can still use this script so long as the user credentials you are logged in as have admin access on the target. If not, the you’ll need to log into each server and run the script locally. If this is the case, you only need the script file and the list of services. You should modify the script like this:

for /f %%b in (services.txt) do sc config %%b start= disabled
for /f %%c in (services.txt) do sc stop %%c
:eom

This script works with both Windows XP and Windows 2003, although the two platforms have different services. There are several good sources for figuring out which services are unnecessary. I highly recommend the TechRepublic guides: XP Services Guide and 2003 Services Guide. Over the years, I have developed my own lists. I highly recommend you spend the time to research these services, and test the impact of disabling them BEFORE you run this script against your production network!

Windows 2003 services that can be disable:

Alerter
AppMgmt
ClipSrv
TrkWks
TrkSvr
MSDTC
ERSvc
helpsvc
HidServ
ImapiService
IsmServ
LicenseService
Messenger
mnmsrvc
NetDDE
NetDDEdsdm
nla
NtLmSsp
WmdmPmSM
appmgr
RemoteAccess
SCardSvr
SENS
LmHosts
TapiSrv
TlntSvr
Tssdis
Themes
uPS
uploadmgr
WebClient
AudioSrv
stisvc
WZCSVC

Windows XP services that can be disabled:

Alerter
AppMgmt
ClipSrv
TrkWks
MSDTC
ERSvc
FastUserSwitchingCompatibility
helpsvc
HidServ
CiSvc
Messenger
mnmsrvc
NetDDE
NetDDEdsdm
nla
NtLmSsp
SysmonLog
WmdmPmSM
RSVP
RemoteAccess
SCardSvr
SSDPSRV
LmHosts
TapiSrv
TlntSvr
Themes
uPS
upnphost
WZCSVC

I hope you find this script useful. Check back often for additional scripts in the series.

-Bill

Occasionally, I find a simple solution to a complex problem that works better than expected. Office of Foreign Assets Control (OFAC) compliance can be difficult. OFAC is the treasury department responsible for, among other things, enforcing the PATRIOT ACT and Terrorism Sanction Regulations regarding blocking financial transactions with suspected terrorists. Basically, OFAC requires you to compare your client list regularly to the published terrorist watch lists. If you find a match, you are required to stop doing business, freeze the money, and contact the Feds.

The hard part of OFAC compliance is matching your clients to the watch list. OFAC publishes a list on a regular basis, but the list is not exactly user friendly. Complicating matters is the fact that the list contains lots of Mohammeds, Usamas, and John Smiths. Most names on the list also have dozens of aliases. Obviously, not everyone named Mohammed doing business with you is a terrorist, so how do you distinguish the good from the bad?

Enter Bridger Insight from ChoicePoint. For about $6K per year, Bridger provides a simple software solution that lets you track your customers against the OFAC list, the Dept of Homeland Security Terrorist Watch List, the FBI Most Wanted List, and numerous international lists from the UK, the UN and Interpol. Bridger matches your customers based upon name, company name, address, phone number, social security #, driver’s license #, passport #, and account #s. The power of the Bridger match is that it creates a ranked score. You can filter your results down, based on a degree of sensitivity to reduce false-positives.

For example, if the list matches your customer named Paddy O’Leary to a Paddy O’Leary in Dublin, Ireland, but your customer lives in Dublin, California, the match might score an 85% probability. If you have set your filter to 90% probability, Bridger would filter the match from you. Bridger also allows you to flag false-positives that you have verified as false to an exception list. That way, you won’t be bothered with the same alert the next time you run your check.

Perhaps the best part of Bridger is that you can set it up to run in a mostly automated state. Each of the different sources of watch lists updates at different frequencies. Bridger will check on a daily, or even hourly basis, for updates and install them automatically. You can also map Bridger to your customer list data source, and then schedule it to run checks on whatever frequency you want. All that is left to you is to periodically review the results and take action if you think you’ve found a match.

OFAC applies to “All U.S. persons and entities (companies, non-profit groups, government agencies, etc.) wherever located,” so you can not simply ignore this compliance issue. For smaller companies that don’t deal much with foreign customers, the risk of non-compliance is fairly small. For larger companies, especially financial firms, OFAC compliance is not optional. If you do not already have a solution in place, Bridger may be the solution for you.

-Bill

Fortunately, it is possible to perform a rapid clean up if you follow a simple process, and use tools to help. This process is specific to the platform the administrator supported. The process for cleaning up after a Windows administrator is as follows:

1. Create a list of all servers in your environment. If you aren’t sure, check DNS and Active Directory
2. Search Active Directory for all users with privileged (admin) group memberships
3. Search every server for services that run under domain or local accounts instead of LocalSystem or NT
4. Search every server for scheduled tasks that run under domain or local accounts
5. Change the password on every privileged user account. Assume that the old admin could have had access to every account at some point.
6. Change the password on every service and scheduled task to match the new passwords in step 5.
7. Change any service or scheduled task that runs under the old admin’s account to run under a new service account
8. Review any scheduled tasks that are scripts, to make sure you know what they do. A clever admin could bury a script to recreate his admin account inside of another script.
9. Disable the old admin account

There are many good commercial tools available for searching servers for service accounts and scheduled task accounts, but I’m a big believer in using simple scripts where possible to get the job done. If you want a commercial product to help, check out:

• ScriptLogic Service Explorer
• Service Account Manager

If like me, you hate to spend good money for tools that duplicate the built-in power of Windows, then these scripts are for you:

Code:

This script does a couple of basic things, but it does them well. First, it prints out the group memberships of the four Windows admin groups. This tells you which accounts need to be changed. Second, it searches every server listed in the “servers.txt” file for any services running under a domain or local account, instead of LocalSystem or NT. This tells you which services need to be changed. Lastly, it tells you every scheduled task running on every server in the “servers.txt” file. This tells you which scheduled tasks need to be changed. Once you have your lists of services and tasks that need to be updated, you can also script the update.

Code to update Scheduled Tasks:

REM ***Create a new document called tasklist.txt with 2 columns, separated by a comma.
REM ***Column 1 should be the server name. Column 2 should be the scheduled task name
REM ***EXAMPLE: server1,task1
REM ***These names can be extracted from the checkthesetasks.txt file
set /P newpassword=Enter the new password you want each scheduled task to run with:
for /f “tokens=1-2 delims=,” %%a in (tasklist.txt) do (schtasks /change /s %%a /RP %newpassword% /TN %%b)

Code to update Services:

REM ***Create a new document called servicelist.txt with 2 columns, separated by a comma.
REM ***Column 1 should be the server name. Column 2 should be the service name
REM ***EXAMPLE: server1,service1
REM ***These names can be extracted from the checktheseservices.txt fileset /P newpassword=Enter the new password you want each service to run with:
for /f “tokens=1-2 delims=,” %%a in (servicelist.txt) do (sc %%a config “%%b” password= %newpassword%)

After you have changed the services and scheduled tasks, you should be safe to disable the old admin’s account. Although the above scripts apply to Windows servers, the same concepts can be applied to other platforms: Identify any processes/services/scripts that run with privileged user access and change them; Identify all privileged accounts and change them as well; Remove the admin’s account from the system.

This process is not foolproof. A determined, disgruntled admin could install rootkits, keyloggers, trojans, and logic bombs prior to leaving. Administrators are GOD on their systems, so the only defense against this is to diligently screen your admins before you hire them. This process WILL allow you to locate and clean up access that was legitimate when it was created, even if it is not well documented. I hope you find these scripts useful.

-Bill

Digg This Story!

Which brings me to the title of this article. During my studies for the CEH exam, I was exposed to the seriously flawed CartIt.cgi shopping cart application. CartIt.cgi is a widely used shopping cart that stopped being developed last year. The reason this application is flawed is that it uses hidden fields within the HTML POST to submit the price and quantity when the user clicks on the add-to-cart button. Hidden fields are easy to manipulate. One of the easiest is to use a local proxy, such as Paros, to intercept the POST, effectively launching a man-in-the-middle attack. This allows you to change the price before it is submitted to the server.

Example:

Doing a simple Google search for cartit.cgi+plasma, I found a web site that sells plasma TVs (Which shall remain nameless to prevent being sued). The website thinks it is selling TVs for $7,599, but we can pay whatever we want by intercepting the POST and changing the price. If you think the company would catch this error, think again. Many companies outsource the fulfillment of orders, and never check the prices being charged. Note: I do not endorse e-shoplifting, so I did not complete the above transaction, but I know for a fact that the site will accept the order for $.99. Now, $.99 is extreme enough to *maybe* raise a flag. A simpler approach is to just move the decimal over 1 or 2 places. This way, if the company does notice, they will assume it was a processing error on their side. So maybe this article should be titled: “How to buy a 65″ plasma for $75.99.”

Another simple search for CartIt reveals that many hosting companies are still actively supporting CartIt.cgi. For example, IM1 Web Hosting calls CartIt “a powerful e-commerce solution for merchants and professional Webmasters…CartIt is an extensible, scalable shopping cart system that can handle just about any product or product combination you throw at it.” Disgraceful.

Note also that the shopping cart displayed above was deemed secure by VeriSign, Control Scan, BBB Online, Mastercard, & Visa. How much confidence do you have in those programs now??? Hopefully not much.

The exploit described above is not unique to CartIt. There are many shopping carts that use hidden POST fields. A shopping cart should allow the user to submit the SKU and the quantity, but never the price. The price should be queried from a database. The point here is that if you do not know how your applications work, you cannot rely upon their security. If you are using a shopping cart provided by your hosting company to run your site, we recommend you check it for these exploits. Failing to do so can be hazardous to your bottom line.

-Bill

Digg This Story!

Editor’s note: The techniques described in this article are for educational purposes only. We do not encourage or endorse the manipulation of 3rd party web applications to change the price. E-Shoplifting is a crime.

My best advice for those crazy enough to desire a career in infosec is always to start with the technology they already know, learn how it works at a low level and how to break it, and then learn how to protect it. After that, security is a non-stop learning process. The best security guys I know spend hours reading, surfing, and studying every night. Sleep is for the weak!

I compiled the list of books below as a representative sample of the books on my shelf that I reach for regularly. In my (never) humble opinion, every infosec professional should own (and read) each of these, or others in the same category. Originally, I intended this to be a Top 10 list, but I had too many books on my list. 20 is the shortest I could get it and still be representative.

1. Business and Finance for IT People – First on the list is a non-technical business book. Security management is 100% about risk management. To succeed, you need to be able to talk to the CEO and CIO in their language. Give them reasonable solutions that calculate business risk and true return on investment (ROI) and you’ll go far.
2. Technical Writing: Principals, Strategies & Readings – Surprise, the 2nd book is also non-technical. In security, communication is key. You must be able to convey technical subjects to both technical and non-technical audiences.
3. Protect Your Windows Network – Occasionally, Microsoft produces good security products, such as this book. I’ve mentioned it before in previous articles. This book covers a broad range of security topics, and does it in an entertaining manner. For Windows admins, this should be your first security related book. For everyone else, it is still a fine place to start.
4. Internetworking Technologies Handbook – The original Cisco networking bible is still the best. This is a great starting reference for networking theory.
5. DNS on Windows Server 2003 – Break DNS and you break everything. Understanding DNS and how to protect it is vital. If you have a Windows domain (and these days, who doesn’t?), you have Windows DNS. This book is also a good general DNS reference, and is much more readable than O’Reilly’s DNS and BIND.
6. Gray Hat Hacking: The Ethical Hacker’s Handbook – “Hacking” is the thing most non-security guys think of when considering a change to infosec. It seems exciting and cool, and let’s face it: it is! If you want a career in security, rather than a stint in prison, then ethical hacking is the way to go. This book explains the difference and teaches you how to start playing security offense.
7. Google Hacking – Google knows more about your company than you do. The bad guys already know this and are using it against you while you read this. This book will teach you how to find out what Google knows.
8. Unix in a Nutshell – This book covers Linux, Solaris and BSD. It’s a great resource for ‘nix info.
9. Windows Security Resource Kit – Like I said before, Microsoft occasionally produces good security products. This book is a checklist for how to improve your server and domain security.
10. Auditing & Security: AS/400, NT, UNIX & Disaster Recovery – Like it or not, homogenous networks are rare these days. That big black box in the corner is not going away anytime soon, and chances are it contains some of your company’s most valuable information. Buy this book for the AS/400 (iSeries) reference and learn to embrace the dark side.
11. Windows 2000 Commands Pocket Reference – Who says Windows can’t be managed from a command line? I have long maintained that most problems in Windows can be solved with a 3-line script. There are more complete Windows scripting books but none that will fit in your back pocket. I use this book almost daily. The upcoming release of MONAD will replace many of these commands with a new language. Hopefully, O’Reilly will put out a new pocket reference soon. Until then, this handy little book is priceless.
12. Sarbanes-Oxley Guide for Finance & IT Professionals – If you work for a public company, SOX is a fact of life. Compliance is a huge problem for most companies and security managers must be well versed in the SOX obligations.
13. Writing Information Security Policies – Policy writing is another less-than-glamorous task for infosec pros. This book provides you sample language and the reasoning behind it.
14. Cisco Wireless LAN Security – If you have a wireless LAN, you’ve got a security problem. Learn why and what to do about it. Although this is a Cisco Press book, it covers general 802.11 theory including new standards such as EAP, 802.1x & NAC.
15. UML: A Beginner’s Guide – Companies that do in-house development should include the security team in their Software Development Life Cycle (SDLC). Although you don’t need to learn every language they use, you should understand their processes and documentation. Many developers (especially those using Agile or Extreme programming techniques) use UML to document their code designs. UML is good for documenting use cases and process flows.
16. Nessus Network Auditing – Nessus is a great tool for performing vulnerability assessments, and it’s free! There are a lot of good books on Nessus, but this is by far the best.
17. Penetration Tester’s Open Source Toolkit – This book covers a lot of different tools, but you should buy it for the chapters on MetaSploit.
18. Incident Response and Computer Forensics – Eventually, you will have a system compromised. Planning in advance will help you minimize the damage. This will help you devise a response strategy and give you the tools necessary to determine what happened.
19. CISSP Certification Passport – If you’ve read the 1st 18 books on this list, you are ready to prove it. The CISSP is the gold standard for IT security management. Certification should never replace experience, but for skilled practitioners, a couple of certs will show your dedication to your craft. CISSPs are in heavy demand, so you’ll likely earn more with it than without it. If you know your stuff, this book is a quick study guide that will prepare you for the test.
20. Security Warrior – If Gray Hat Hacking (above) is the introduction to playing offense, this book is the Masters program. This is a great read, but it is not for beginners. Of the books on this list, buy it last.

For those trying to break into infosec, this list should give you guidance for the breadth of knowledge you must attain to succeed. Buying these books isn’t cheap. On Amazon, this list will cost you close to $800, but the investment is well worth it. Most of the information in these books is available for free on the Internet, but nothing replaces a full bookshelf. Curl up with one of these books every night and you’ll be on your way to becoming an infosec superstar. If you think I missed any books that have been critical to your success, drop me a comment. I’m always looking for something new to read. Thanks for stopping by.

-Bill

Digg This Story!

After reading this book, I decided to write my own updated list of 10 Immutable Laws of Information Security. These 10 rules represent years of experience, hundreds of projects, and countless mistakes:

1. There is no such thing as perfect security – Systems designed by humans are vulnerable to humans. Bugs exist. Mistakes are made. The things that make your computers useful, i.e. communication, calculation and code execution also make them exploitable. Information Security is the management of risk. A good infosec design starts with a risk profile, and then matches solutions to the likely threat.
2. If you’re not part of the solution, you are part of the bot net – Failing to protect your systems is no longer an option. Firewalls, anti-virus, and patch management are required as a cost of doing business. Every system you fail to protect will quickly become a launching point for more attacks against others. Wide spread attacks such as Code Red and Nimbda spread because basic security mechanisms were not employed. Your mistakes threaten my systems, and my mistakes threaten you.
3. Your defenses must be perfect every time; the attacker only needs to be lucky once – See rule 1. Attackers look for the easy way. The best firewall in the world will not prevent a hard drive from being stolen. Your security policy must take a holistic approach to your systems, and then minimize the impact of an exploit. A good place to start are the 10 security domains identified by the ISC2: Access Control, Application Security, Business Continuity & Disaster Recovery, Cryptography, Risk Management, Compliance, Operations Security, Physical Security, Security Architecture & Design, and Telecommunications & Network Security. Analyze each of these areas against the 11 Security Dimensions in the Open Source Security Testing Methodology Manual(OSSTMM) and you’ll be on your way to a solid defense: Visibility, Access, Trust, Authentication, Non-Repudiation, Confidentiality, Privacy, Authorization, Integrity, Safety & Alarm.
4. Your data center is only as secure as your administrator’s PC – These days, most data centers have good physical security, but none of that matters if the administrator has full remote control of his systems. Install a key-logger on the admin box, and you own the network. Forcing privileged users to sit in an unrestricted cube farm with the rest of your employees is just asking for trouble.
5. An unsupervised janitor is the richest guy in your company – See rule 4. As I’ve discussed before, a USB key with U3 and a PC with AutoPlay is all it takes to get passwords, install software, and generally 0wn a PC. Couple that with your administrator’s terminals and you have a recipe for disaster. Would you really trust your janitor to do the right thing if I offered him $1,000 to plug a USB drive into a PC for 10 minutes and then bring it back to me? Physical security extends beyond the data center to include every system that has privileged access. How secure are your admin’s home PCs? Your CIO’s?
6. Everybody Lies – Your users lie when they say they didn’t open that attachment. Your administrators lie when they say they’ve verified all your backups. Your vendors lie when they say their solution will fix all your problems. The attacker on the phone claiming to be a help desk agent who needs your password is lying. Good security minimizes the capability to lie, and the impact of the lie.
7. Usability increases security – The best security controls are the ones that are mandatory and transparent to the end user. The worst controls are difficult to use and require the user to change his/her behavior. Automatically redirecting your web pages to pages that use SSL increases privacy while being effortless on the part of your user. Requiring a user to have 36-character password with special characters, and forcing them to change it every 7 days, may seem more secure but it forces the user to write the new password down and tape it to their monitor just so they can remember how to log in. Don’t confuse complexity with security. Usually, the opposite is true.
8. It is easier to design security upfront, than to bolt it on later – Often, small changes to an application or a network can yield big security returns. Making these changes once the system is in production, however, can be very costly. Adding a security review to the early stages of your projects will prevent many future headaches.
9. If a defense can fail, it will – Murphy was right! Build redundancy and defense-in-depth into every design. Focus both on preventing a failure and on minimizing its impact. Storing confidential data encrypted inside a database will minimize the loss if the database authentication fails. Adding anti-virus firewalls to your network will help stop the spread of WORMS from personal (unprotected) laptops. Always assume the worst case and plan accordingly.
10. A motivated attacker will always trump a diligent defender – See rule 1. If the bad guy wants in, and has enough motivation, he will get in. Period. Why do the best protected networks of the DOD and FBI still get compromised? Because the motivation to get in is high, and the attacker has unlimited time. Fortunately, the reverse is also true: An unmotivated attacker will always lose to a diligent defender. Hackers are lazy and they go after the low hanging fruit first. Minimize your public profile, and you will reduce the number of attacks. A web server that is filtered by a firewall and only allows port 80 & 443 looks a lot less attractive than an unprotected web server that also responds to a couple dozen other ports. Reducing the number of attack vectors reduces the number of attacks and attackers.

That’s my list. Ignore it at your peril! Leave me a comment with your top laws, and thanks for stopping by.

-Bill

Digg This Story!

U3

U3 reinforces the old security axiom, “if I can touch it, I own it.” Using auto-play with exploit code is nothing new. CDs can be used in this manner. What is new is the ability to run this on a writeable device. As the hak5 guys have proven, this is a deadly combo. Plug your USB drive in, wait for it to suck off password hashes or key files, install a back-door, and be gone. This works even if the screen is locked. One more reason why at some companies, the janitor is the richest guy in the place.

As pen testers, U3 is just one more tool to make our lives easier. As security managers, developing a defense in depth against U3 is difficult. Here are a few suggestions to make it easier. Most of these are just good general security practices, but U3 increases their importance:

1. Assign the least amount of privileges possible to your users. Programs run with U3 execute with the privileges of the logged-on user. Unless, of course, the hacker includes a privilege escalation exploit on the drive.
2. Keep systems patched. This reduces the # of possible exploits.
3. Never leave systems logged in with admin access. Locking the screen does not protect against auto-play. Admins should always log out when done.
4. Disable auto-play. (Instructions below)
5. Restrict USB devices. Several vendors offer solutions to disable USB ports, or restrict them to authorized devices.
• GFI EndPoint Security
• ControlGuard Endpoint Access Manager
• SafeEnd Protector
• Device Lock
• SecureWave Sanctuary
• DeviceWall
• TriGeo USB-Defender

There are mulitple ways to disable auto-run. The best way is to use group policy. Go to computer config>admin templates>system and find the “turn autoplay off option. This option makes a registry entry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. You can also create this key manually. For stand-alone PCs, the TweakUI PowerToy from Microsoft can also be used. TweakUI offers a disable autoplay option under the “My Computer section.

The last tool in your arsenal is training. Teach your users not bring in USB devices from home, or plug-in flash drives the find or are sent in the mail. This seems like common sense, but several security testers have shown that users will pickup drives on the ground and plug them in to their PCs to see what is on them. The most famous example of this is the test Steve Stasiukonis wrote about in the Dark Reading blog. 20 Flash drives on the ground outside a bank yielded 15 compromised systems. Flash drives work better for this type of test than CDs, because users perceive them as valuable since they are re-writable. A good security education program would prevent this.

If you have other ideas for protecting against flash drives and U3, we’d love to hear about them.

-Bill

We determined that the likely scenario would be that the staff plugged it in to the network and obtained an “external” IP address from our DHCP servers. The likelihood that they would have statically assigned an IP seemed slim since they would have no way to determine which IPs would fall outside the DHCP range. Also, we counted on laziness to rule the day, since it would work fine with DHCP.

I came up with the following batch script to run against our DHCP servers. It dumps all current DHCP lease holders, and then checks them for known AP MAC address prefixes.

«File Download»

This is a simple but effective script. Put the main section of code in between the REM statements into a batch file. Create a text file called servers.tx2 with the IP addresses of your DHCP servers. Put the MAC addresses into a file called macs.tx2, and you are good to go. Note: you must be logged in as a domain admin, or at least as a user with rights to manage DHCP.

Sometimes the simplest answers are the best. When performing security audits, it is not practical or even possible to test every threat. A good security tester creates scenarios based upon the likely actions of the user, tests those scenarios, and then mitigates the threat. In this case, rogue APs were found and eliminated. Does this mean a more skilled person couldn’t figure out how to statically assign an IP and mask the AP from DHCP? Of course not. But the tests for that threat are harder, take longer, and cost more. Sometimes you go for the low hanging fruit. This test took less than 30 minutes to create, but yielded huge results. Hopefully you too will find it useful. If so, drop me a comment and let me know.

-Bill

UPDATE: The NETSH command used in this script requires Windows 2003 server. The WindowsXP version of NETSH does not have the DHCP option. Thanks to ALUNG for helpin me debug!

Digg This Story!

A firewall is the focal point in network and system security. This paper will look at proper firewall standards and best practices, modeled after Cisco SAFE and CERT, for using a firewall in an e-commerce network. Proper DMZ design and the physical placement of the firewall will be discussed. Also, firewall security policy rules, and how best to configure them. Besides normal firewall design, this paper will list other ways to secure the firewall itself, with proper logging and daily backups of the configuration, security audits, and disabling unneeded settings.

This paper will give network administrators a proper guide to securing a network and the firewall.

«download here»