Writing a Active Directory Audit Module - Creating the Project

I got in my head this week that I would like to write a Windows PowerShell module for getting information from Active Directory for the purpose of gathering information to aid in detecting miss configurations and also aid in incident response. My idea is to write the module and start publishing blog posts as I go through the process of writing the code and how I go about it. This will be my first experience with Pester also so I think it would be a fun adventure.

Requirements

I start by setting goals for the module, these are:

  • All output from each function will be objects.
  • I will assign each object a custom type so I can create custom views for the output.
  • The module must not depend on the ActiveDirectory module that ships with the different RSAT tools and use .NET and COM so as to leverage the use alternate credentials.
  • Module should be able to pull information as a base for Users, Groups, Computers, Sites, Domains, Forest, OUs and GPOs.
  • Module will be PSv3 or above so as to use new improvements int he latest versions of Windows PowerShell.
Read More

Are we measuring Blue and Red right?

in

In security many people see solutions of problem as a whole, all or nothing. Many times even worst they see the security as a hindrance to the delivery of a project or even day to day actions. Even internally in some organization with the size and level of maturity of having both a Red and Blue team you have rivalry between both. In this blog post I would like to cover my idea on how we should think when measuring the performance of the internals sub teams inside of security. Some of this ideas can be even expanded later to how the team can interact with the DevOps, Support, Sales, Finance and other teams in the organization if there is a possibility to unify the metrics to provide a series or high level or single goal for the organization as a whole.

 

Read More

Tip: Meterpreter SSL Certificate Validation

Have you ever been in a pentest where the defenders know their stuff and are actively looking to detect and sabotage all of your actions? If not I can say only one thing, it changes the way you approach, plan and execute a penetration test drastically. 

I want to share a simple tip on how to secure your initial staged connection for Meterpreter by having it check the certificate of the listener it is connecting to. 

Read More

RDP TLS Certificate Deployment Using GPO

in

Remote Desktop has been the Go To remote administration tool for many IT professionals and sadly many even expose it to the internet leading to brutefoce attacks and Man in the Middle attacks. I still remember the fist time I saw how easy it is from Irongeek examples using Cain & Able http://www.irongeek.com/i.php?page=videos/cain-rdp-terminal-server-mitm-sniff and http://www.irongeek.com/i.php?page=security/cain-rdp-mitm-parser I have taken great care to make sure RDP connections in my network and customer networks are as secure as possible. Here is an example on how to deploy TLS certificates for use of RDP via GPO and how to configure some none Microsoft systems.

 

Read More

WinRM SSL Certificate Deployment via GPO

I really like using WinRM (Windows Remote Management) to manage my servers and lab. It serves as the basis for server management that Microsoft is moving in to. It provides several advantages:

  • It is secured by default by leveraging strong encryption to protect traffic.
  • It is standards based so it allows for interoperability with other platforms. 
  • it is SOAP based making it firewall friendly and easier to route in segmented enviromentes. 
  • I can leverage Kerberos for authentication. 
  • It allows me to query WMI information from the host without the need of opening RPC ports or dealing with DCOM it self.

One of the problems with WinRM is that by being compatible it provides downgrading of its security for compitibility or user error. In Windows one can disable encryption when connecting and also specify Basic for auth exposing credentials. In a Windows only environment one could set it up to enforce encryption and force stronger authentication methods but we hardly see that kind of enviroment often that is why I prefer SSL when possible. To protect me from user naivate and have already a foundation for future integrations.

Read More