Bookmark this page now!
|
|
Bookmark this page now!
|
|
|
Thursday, January 26. 2012Windows Registry ForensicsDocument created by Yakov Goldberg UBSERC TEAM Our website: http://www.ubersec.com Follow Us in Twitter: http://twitter.com/#!/ubersec Windows Registry Forensics BACKGROUND Most of Windows Operating Systems (OS) contain a database called the Windows registry. The Windows registry consists of Windows data files that contain imperative information about the Windows Operating System (OS), software applications that are installed in Windows, hardware information and various system components. The registry is designed with folders called keys and values that contain specific information about the keys which they represent. By browsing through the keys and reading the values, users can find information about applications that have been installed in the system, files that were used recently and applications and services that are running throughout the Windows start-up process. The information in this article will present some interesting locations within the Windows registry. That information can be viewed by all users and help them to learn and understand the registry and also realize what is getting logged by Windows inside the registry. Likewise, the information in this article can help users to perform some simple forensics analysis of their Windows registry for learning purposes or for troubleshooting purposes as needed. THE REGISTRY HIVES To load the Windows registry editor, type the following: click on the START button ► the click on RUN ►and then type regedt32 And now you should see the following,  As you can see, the registry shows five different registry hives. Keep in mind however, that Windows Vista and Windows 7 also include an additional registry hive files besides those that are loaded by the registry editor. - HKEY_CLASSESS_ROOT (HKCR): this hive contains configuration information that specifies which applications are used to open each file format within the system. - HKEY_CURRENT_USER (HKCU): this hive contains information about the current user that is currently logged on to the system and information about the current user profile of that user as well. The HKCU folder is actually corresponding to the NTUSER.dat file located in the following location in your hard-drive, For Windows XP users, C:\Documents and Settings\username\NTUSER.dat For Windows Vista and 7 users, C:\Users\username\NTUSER.dat Note that there are some open-source tools on the Internet that can allow you to view the information within the NTUSER.dat file without having to logon as each user and then access that registry hive. However, if you are a professional forensics analyst, login in to an OS that is used as evidence in criminal investigation under the criminal’s Windows profile only to collect artifacts from the registry pertain to the crime is NOT a GOOD idea because you will contaminate the timelines stored within the NTUSER.dat file (or HKCU) and the evidence will not be admissible in court. The information within that NTUSER.dat must only be viewed by booting up an external OS (such as Linux) on a CD or USB and then mounting to the local drive and then viewing the information in each file. Backtrack distribution consist some great tools that can help user to do this task. In addition, you may choose to download a demo of AccesData Registry viewer and/or purchase that application for helping you to collect information from other users’ NTUSER.dat files without having to worry about contaminating the integrity of the evidence. - HKEY_LOCAL_MACHINE (HKLM): this hive by far contains a lot of information regarding the OS configuration state and the hardware and software settings as well. Upon expanding the HKLM tree, you should see the following sub-folders,  These folders are actually corresponds to data files that are located in the following location in your hard-drive, %WINDIR%\system32\config Note that there are some open-source tools on the Internet that can let you to view the information within each file without having to use the registry. However, since these files are protected by the OS once the OS is loaded to the system, the information within each file can only be viewed by booting up an external OS (such as Linux) on a CD or USB and then mounting to the local drive and then viewing the information in each file. Backtrack distribution consist some great tools that can help user to do this task. - HKEY_USERS (HKU): this hive contains information about the settings that apply to all the users that logged on into the system. In addition, it contains the default profile configuration for new user profiles. - HKEY_CURRENT_CONFIG (HKCC): this hive contains information about the hardware profile the OS uses throughout the start-up process. WARNING Before attempting to view the registry or change any values in any of the hives, it is a good idea to back-up the registry to your local drive. Often people change values and key within the registry and that result their OS to crash and Windows to fail booting and so on. To back-up the registry to a file you can use the export option located in the File tab within the registry editor. Once you click on export, save the file to your local C: drive root folder. If after changes to the registry you have realized that you need to restore the registry to a state prior of the changes that you have made, you can always import that file back to your registry. INSTRUCTIONS First let’s start with key and values that exist in the HKEY_LOCAL_MACHINE (HKLM) location. Listing applications that are lunched throughout OS boot process: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ That location in the HKLM, HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ And that location in the HKCU, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ The following location specifies all the services that are loaded to the Windows OS system. HKLM\System\CurrentControlSet\Services Alternatively, to see all services NOT using the registry type the followings, click on the START button ► the click on RUN ►and then type services.msc Then you should see the following,  Under the Services key, you should see more sub-folders corresponding to each service that is loaded to the Windows system. Upon clicking on the desired key, you should see the values pertaining to the key on the right pane of your registry screen. One of these values is the start value. Look below,  If that start value is set to 0x02 it means that the particular service starts once the Windows OS is booting up. In the following location you can find the computer’s name, HKLM\CurrentControlSet\Control\ComputerName\ActiveComputerName In the following location you will find the OS Product-ID, Product-Name, System Root, etc. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion In the following location you can find the time and date in which the OS was last shut down, HKLM\System\CurrentControlSet\Control\Windows After clicking on the Windows key, you should see the value ShutdownTime on the right pane. However, you cannot read this information unless you know how to convert a REG_BINARY key to readable value. Yet, you can download the script LastShutDown.bvs script below and run it on the system. root@ubersec$ sudo wget http://www.ubersec.com/downloads/LastShutDown.vbs The results should look like the following,  In the following location you can find information about the systems such as the BIOS and product information. The information includes the BIOS versions and release date. HKLM\HARDWARE\DESCRIPTION\System\BIOS In the following location you can find a list of registered applications with Windows, HKLM\SOFTWARE\RegisteredApplications In the following location you can find time-zone information about the system: HKLM\System\CurrentControlSet\Control\TimeZoneInformation In the following location you can find information about the system network cards. Once you expends the NetworkCards tree you should see a key for each corresponding network card in the system, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards In the following location you can find information about all the Internet Protocol (IP) addresses that were assigned or are assigned to the network interface, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetAuth In the following location you can find information about all the printer drivers that are currently exist in the system. Forensics analysts can find information such as a model value that indicate the printer name and driver that was installed and the installdate value which represents the date which the printer drive was installed, HKLM\SYSTEM\ControlSet001\Control\Print\Printers In the following location you can find out whether the TimeStamp feature for NFS is disabled or enabled. The TimeStamp feature is a timelog that tells the user when a folder was last accessed. HKLM\SYSTEM\CurrentControlSet\Control\FileSystem And now look for the value NtfsDisableLastAccessUpdate. If the value is set to 0 then this feature is disabled. However, you can choose to set the value to 1 and then the feature will be enabled. 0 = NTFS updates the last-accessed timestamp of a file whenever that file is opened. 1 = NTFS does not update the last-access timestamp of a file when that file is opened. The results should look like the following,  For more information about this features, check out the NtfsDisableLastAccessUpdate article at Technet. TO BE CONTINUED… 
UBERHARVEST 2.86 STABLE is out!I am happy to announce that a newer version of uberharvest is out! UBERHARVEST 2.86 STABLE is out! - Bug fixes with updates - Added security controls - Improved functionality - Now printing an entire header string information - Added new phone option [Look below in example] - Functionality improvement - Added logo - Improved proxy functionality - Added more email harvesting rules THE CURRENT UBERHARVEST VERSION CAN BE DIRECTLY DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest.tar.bz2 MD5 Hash = aa959ffaee3e7957774e438c3f1800f1 OR, Users can update uberharvest directly from your command line by typing, root@ubuntu:~/uberharvest#./uberharvest --update New Features FEATURE 1 EXAMPLE OF USE, root@ubuntu:~/uberharvest#./uberharvest -m OR -l and –phone –random -xml - phone : This option will harvest for phone number from the main page of your target website. Then the harvested phone numbers will be checked with yellowpages.com for phone listing information - xml : This option will create an XML report along with XSL style-sheet which then the user can take and visually read through a web browser such as Firefox, Internet Explorer, etc. - random : This option will get uberharvest to always use a different user-agent every time a target website is scanned. That option should help with evasion as possible. THE RESULTS  Keep in mind that –xml option may slow down the scan process. In addition, the –xml option cannot be included with verbosity option (-v or –verbose). I had to erase target information for privacy purposes. For more information, please go to our tutorial page. Please report any errors by emailing to support@ubersec.com
Friday, January 20. 2012Use netcatpro and otp.py to transfer files using encryption
Document created by Yakov Goldberg
UBSERC TEAM Our website: http://www.ubersec.com Follow Us in Twitter: http://twitter.com/#!/ubersec Use netcatpro and otp.py to transfer files using encryption! Background This article can be used by network administrators, security administrator and anyone that desires to transfer files from one Linux/Unit systems to another using crypcat or netcat (also known by many security professionals as the Swiss Army Knife). Yet, most importantly, the goal of this article is to take the reader through the steps of transferring files from one system to another using encryption algorithm known as one-time pad to encrypt the transferred files by creating a one-time session key (which also must be used to decrypt the encrypted files). Likewise, the goal of this article is to get the user to use cryptcat for creating an encrypted tunnel while transferring any encrypted files that were encrypted by the one-time pad encryption algorithms. Encryption Cryptcat tool – uses twofish encryption algorithm to create the encrypted tunnel between the source and target Linux systems. Otp.py open-source Python tool – to encrypt the desired file using one-time pad encryption. In reality a one-time pad must only be used once. Hence, it is called one-time pad. With one time pad there should be high entropy (or randomness) to the point that no one that gets a hold of the encrypted file(s) can actually perform cryptanalysis to break the encryption algorithm. With that being said, while you go through the instructions below you will have to create a session key (also known as private key). That session key is used to encrypt a text file and then decrypt that text file with the same session key after the file has been successfully transferred to the target system. Thus, key management is imperative since if the key gets to the wrong hands, it can be used to decrypt any encrypted file(s) that was/were encrypted using the same session key. If that situation ever occurs, the parties whom are using that compromised session key must create a new key and use it instead. Credits -Thank you for the Nectcat and cryptcat creators. - Thanks to my friend @MarioVilas at Twitter for crating this great one-time pad generator tool open-source tool called otp.py. More information about the tool can be found at http://breakingcode.wordpress.com/2010/02/17/one-time-pad-encryption-in-python/ Tested on the following Operating Systems (OS) Distributor ID: Ubuntu Description: Ubuntu 10.04.2 LTS Release: 10.04 Codename: lucid Distributor ID: Ubuntu Description: Ubuntu 10.10 Release: 10.10 Codename: maverick Distributor ID: BackTrack Description: BackTrack 4 R2 Release: 4 R2 Codename: Nemesis Distributor ID: Ubuntu Description: Ubuntu 11.10 Release: 11.10 Codename: oneiric And Backtrack 5 Instructions The following steps must be done on the sender (source) PC: Do the following steps: $su root Log in as root user to your terminal root@ubersec:~/#wget http://www.ubersec.com/wp-content/files/netcatpro_v1.tar.bz2 MD5 Hash = b91cd513f05dcd68fd61b83ff56de5f4 root@ubersec:~/#md5sum netcatpro_v1.tar.bz2 Now compare the MD5sum value with the value provided above to ensure they are accurate root@ubersec:~/#bzip2 -cd netcatpro_v1.tar.bz2| tar xvf – root@ubersec:~/#cd [to the extracted folder location] OR, root@ubersec:~/#cd netcatpro/ #wget http://winappdbg.sourceforge.net/blog/otp.py Now change the permissions to the otp.py file so you can execute the file #chmod 755 otp.py # touch test_current.txt #echo ‘Hello World!’ > test_current.txt #cat test_current.txt Look below,  Now that the file was created, we need to encrypt the file with a one-time pad using the otp.py script. Do the following, #./otp.py generate session.key -s 1024 #./otp.py generate session.key test_current.txt –f OR #./otp.py generate session.key test_current.txt –f -p Features -f using that tag will cause otp.py to force overwriting of any output file. In the case it will be the test_current.txt -p using that tag will cause opt.py to use the paranoid option which uses the /dev/random module to produce random steams of numbers. That will allow creating even stronger one-time pad. Let’s keep on going. Do the following, #./otp.py encrypt test_current.txt session.key test_current.crypto Now that we are done creating the encrypted file test_current.crypto let’s create the sender.py and receiver.py files using the nc_generate tool. For that process you will need the name of the encrypted file, the ports numbers (chosen by the user) for the sender and receiver PCs and the target file name that will be received by the receiver PC over the network. Do the following, #./nc_generate -sf test_current.crypto -tf test_new.crypto -p 4444 -e -v -h 192.168.111.141 Features - sf : The source file name that you want to send - tg : The target file name that you want to receive. That can be a different name than that current name of the source file. -p : port number. It is recommended to select ports that are bigger than 1024 and smaller than 65535 (1024 < port number < 65535) -e : Use cryptcat for encrypted tunnel using twofish encryption algorithm. Not using this command will default to use netcat which does not provide encrypted tunnel and the files will get transferred from source to destination in clear-text. -v : add verbosity to netcat or cryptcat -h : Add the target host name IP address Look below in the picture,  In the image above you can see that nc_generate has created two files. The first file sender.py must be used on the sender (source) PC and the receiver.py file must get copied or moved to the receiver (target) PC. In addition, you must also copy the session.key file to the receiver (target) PC so you can decrypt that transferred file once the transfer process has been completed. However, before you copy the receiver.py file and the session.key file to the target PC, it is a good time to perform MD5SUM to the source file test_current.crypto. The reason that you would want to do it is so you can ensure that once the target PC has received the file after the transfer process has been completed, the receiver (either it is you on target PC as well or someone else) can also run MD5SUM on the received file and then compare the two hash functions of each files together. Doing so, will allow you and the receiver to check that integrity was not compromised and the file was not corrupted or compromised and modified throughout the transfer. Therefore, the MD5 hash must match on both hands. First, let’s run md5sum to the test_current.crypto on the sender PC. #md5sum test_current.crypto MD5=1571825247ab7145316d933193159850 Look below in picture,  Now copy both the receiver.py and the session.key files to the receiver PC. WARNING!!! Throughout the transfer of the session.key file from the source PC to the target PC the user(s) must ensure that the file does not get compromised by a malicious entity. Since the file can be used to encrypt and decrypt files, if that file gets compromised throughout the process of giving it to the receiving entity, the malicious entity that now have that session.key file in his/her possession can now also decrypt the encrypt the file test_current.crypto. Even though we have used the otp.py file to generate a one-time pad encryption key (which is impossible to defeat if used once hence, one-time pad), if the key gets compromised neither the sender or receiver should use that key again. Rather, the sender must re-generate a new key using the otp.py file and then encrypt that source file once again. Key management is by far the most important thing to think about while dealing with private and/or session keys. The following steps must be done on the receiver (target) PC: Below you can see that I have copied the receiver.py and the session.key files to the target PC (IP address 192.168.111.141).  Now you will need to download the otp.py file from http://breakingcode.wordpress.com/2010/02/17/one-time-pad-encryption-in-python/ to target PC since you will need to use that file along with the session.key file to decrypt the transferred file. #wget http://winappdbg.sourceforge.net/blog/otp.py Change permissions to the file so you can execute the file #chmod 755 otp.py Now you (or the receiving entity) needs to execute the receiver.py file on the target PC. Be advised that you will only have about 30 seconds before that session dies and you will be required to execute the receiver file once again. #./receiver.py Look below in image,  Now go back to the sender PC and execute the sender.py file. #./sender.py Once the process is completed, you should now have the file test_new.crypto in your receiving (target) PC. It is now also a good time to execute md5sum to the transferred file to assure that it was transferred completely with no errors. #md5sum test_new.crypto MD5=1571825247ab7145316d933193159850 Look below in the picture,  Now compare the hashes between the test_current.crypto file and the test_new.cryptofile. If all is good, you should be able now to decrypt the file using otp.py file and the session.key file. #./otp.py decrypt test_new.crypto session.key test_new.txt #ls –al #cat test_new.txt Look below in image,  Remember, You can try to use regular netcat excluding the (–encrypt) option while creating the sender and receiver files with the nc_generate tool. Since your file is encrypted with a one-time pad session (private) key, in reality that should suffice security and encryption. However, it never hurts to take extra step of precaution and also create an encrypted tunnel with cryptcat while transferring the file from source to destination and vice versa. The more security layer that you add the better it is to help decrease the likelihood that someone may compromise your information or in this particular case, that file. Thus, adding layer upon layer of security is always good and that process is called in the cyber world as defense-in-depth. And there you have it! You are all done! As always, if you find grammar problem or any technical errors with this article, please report it to us at support@ubersec.com
Tuesday, January 17. 2012UBERHARVEST 2.84 STABLE is out!I am happy to announce that a newer version of uberharvest is out! UBERHARVEST 2.84 STABLE is out! - Bug fixes with updates - Improved functionality - Now printing an entire header string information - Added new phone option [Look below in example] - Functionality improvement - Added logo - Improved proxy functionality - Added more email harvesting rules THE CURRENT UBERHARVEST VERSION CAN BE DIRECTLY DOWNLOADED FROM: root@ubersec$ sudo wget http://www.ubersec.com/wp-content/files/uberharvest.tar.bz2 MD5 Hash = 19a9b40e49a3477af0b34c7ff619ca46 OR, Users can update uberharvest directly from your command line by typing, root@ubuntu:~/uberharvest#./uberharvest --update New Features FEATURE 1 EXAMPLE OF USE, root@ubuntu:~/uberharvest#./uberharvest -m OR -l and –phone –random -xml - phone : This option will harvest for phone number from the main page of your target website. Then the harvested phone numbers will be checked with yellowpages.com for phone listing information - xml : This option will create an XML report along with XSL style-sheet which then the user can take and visually read through a web browser such as Firefox, Internet Explorer, etc. - random : This option will get uberharvest to always use a different user-agent every time a target website is scanned. That option should help with evasion as possible. THE RESULTS Keep in mind that –xml option may slow down the scan process. In addition, the –xml option cannot be included with verbosity option (-v or –verbose). I had to erase target information for privacy purposes. For more information, please go to our tutorial page. Please report any errors by emailing to support@ubersec.com
Thursday, January 5. 2012WSUS server clients troubleshoot techniques
Document created by Yakov Goldberg
UBSERC TEAM Our website: http://www.ubersec.com Follow Us in Twitter: http://twitter.com/#!/ubersec WSUS server clients troubleshoot techniques Background The following information should help System Administrators (SAs) to determine why client Personal Computers (PCs) do not communicate with Windows Server Update Services (WSUS) server. Likewise, the following information may assist SAs to reset/repair client PCs that cannot receive updates from WSUS server properly or fail to install updates once the synchronization process with WSUS server is completed between the PCs and WSUS server. The information in this article was written with the perception that SAs already have WSUS server working and functioning properly and is a part of their domain environment. Likewise, the article also assumes that the WSUS server is also set to enforce clients PCs to synchronize with the server through GPO or registry settings server (look below in the picture). And finally, the article also assume that all client PCs receive their updates for Windows (and any other Microsoft products) from WSUS server rather than receiving updates from Microsoft’s website as usual.  This article assumes that a GPO that enforces the synchronization of client PCs with the WSUS server was created by downloading the wuau.adm template file from Microsoft’s Group Policy ADM Files website. Then the wuau.adm template should have been added to the GPO (look below in the picture) under the Administrative Template in Computer Configuration.  Once that process has been completed, the Windows updates section (look below) should have been modified to direct all client PCs to WSUS server for getting their updates. In addition, setting up updates time and the process that updates are downloaded and installed on all clients PCs should have been also determined and configured.  Then that GPO should have been applied to the Organizational Unit (OU) that contain all the client PCs (or at the root OU since some organizations divide their client PCs via branches, department, etc). Operating Systems: The script has been tested in the following OS: - Windows XP - Windows Vista - Windows 7 And with: - WSUS version 2 and 3 Instructions PROBLEM 1 When I look at my computer list in WSUS under the “All Computers” I cannot see some client PCs in the list. Yet, I know that the WSUS GPO has been applied to all my client PCs so they are all must be seen in that “All Computer” container. What can I do? Or what was possibly done wrong?  ANSWER 1 If you use some sort of a ghost application to image your client PCs in your organization, then your client PCs’ Windows Operating Systems (OS) are probably having the same SusClientID registry value (look below) across your entire imaged client PCs. Hence, WSUS server can only recognize one OS that corresponds with one SusClientID value and all other identical PCs that contain the same value cannot register with WSUS. To fix that issue, you must remove that value from your registry on each client machine.  You can choose to remove the SusClientId value by opening your regedit and browse to Computer\HKEY_LOCAL_MACHINE_SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate and then remove that value manually. OR, You can download the following VBScript and add it to the same GPO that you initially created for enforcing your client PCs to synchronize (look in background section) with your WSUS server. That script must get added to your Startup Scripts under Computer Configuration (look below).  Once you have completed that process, assure that you restart the client PCs that are not seen by the WSUS server. Once the value has been removed by the execution of that VBscript file upon restart, WSUS server should now start registering each PC one at the time. You may want to be patient since that process takes some time to occur. Be advised that removing that value from the registry is none invasive and does not cause any functional issues to the OS whatsoever. PROBLEM 2 What is the most effective way to know whether a client PC registers properly with WSUS without having to look and read big logs and what not? ANSWER 2 For that process you can download and use the clientdiag.exe tool from the following link: Once the file has been downloaded, copy the file to the system drive windows system32 folder location (usually at C:\Windows\System32\) of any given client PC that you wish to check. Then go to the command line on that PC and type ClientDiag.exe  If all things are good, you should see the PASS value across the report. However, if you see that few things have failed rather than passed then the problem can vary. You will have to troubleshoot that problem based on that problem. However, if you wish to push this executable across your entire client PCs rather than having to copy the file individually to each PC, then you can download the following VBScript: And then place it along with the clientdiag.exe in your Startup Scripts under Computer Configuration (look below) under the same WSUS GPO that you use to enforce WSUS synchronization to your client PCs with WSUS server.  The only thing that you MUST modify within that script is the SourceLocation value for the location of the clientdiag.exe file. Hence, search for the following line and change it in accordance: SourceLocation = "Change me" My clientdiag.exe and the Copyfile.vbs files are located in: SourceLocation = \\ubersec.com\SysVol\ubersec.com\Policies\{4D1A508B-47ED-4B40-86A4-123FA5EBAF4C}\Machine\Scripts\Startup\ Thus, your files may be located in a different location. So adjust the location within that script before you add it to your GPO. Once you were successfully able to perform these steps, upon restarting each client PC, the script should copy the file clientdiag.exe to the system32 folder and then you can choose to run that script on any given PC to check whether that PC communicates with WSUS server or not and then troubleshoot as needed. PROBLEM 3 My client PCs receives their updates from WSUS server but the updates keep failing upon installation. What should I do? ANSWER 3 Well in that case the problem can vary from WSUS delivering updates that do not match the current OS in use or any Microsoft applications that are in use. Believe me when I say it, but I already have seen some crazy stuff like that happening once before. In addition, there can also be a problem with the OS itself that can cause these issues. For the most part you will have to check on Microsoft’s website for the solution. However, you can always download the following scripts and run each one (depending on the problem and the OS version) against any given PC that is having issues installing updates. Scripts for Windows XP: Scripts for Windows 7: If you have any other questions or if you came across some other scripts or cool ways to troubleshoot WSUS related problems, please feel free to email me at support@ubersec.com
Wednesday, January 4. 2012WSUS server database cleanup Powershell script
Document created by Yakov Goldberg
UBSERC TEAM Our website: http://www.ubersec.com Follow Us in Twitter: http://twitter.com/#!/ubersec WSUS server database clean-up Powershell script Background Many organizations utilize Windows Server Update Services (WSUS) server to centralize Windows updates and distribute them to all client machines that run Windows Operating Systems (OS) accordingly. On many occasions however, WSUS server will keep downloading updates from Microsoft for a variety of products and keep these updates in the hard-drive until the administrator decides to run the Server Cleanup Wizard manually from the Options tab in Update services. Yet, the administrator must always remember to execute that option manually or otherwise, WSUS server will keep downloading new updates while keeping older updates in the system. Thus, the server will get filled up with more and more updates until the hard-disk have reached full capacity. To help and reduce the likelihood for something like as such to occur, administrator can utilize Powershell WSUS clean-up script to clean older updates from WSUS server automatically. The following instructions will show administrator how to create a Powershell script that cleans up older updates (older than 30 day or unapproved updates) and then send the recipient (usually the administrator) an email with the results. Keep in mind that for the script to work properly you will need your email server (usually exchange) to be an open-relay server. From a security perspective, this is not an always a good thing to have an email open-relay server since malicious attackers can find out the Internet Protocol (IP) of your email server and use it to send emails on the behalf of your company since your email server is open-relay server. My script is basic and doesn’t contain any security features in mind. Feel free to tweak or modify the script to enforce more security and authentication to your email server by creating a special account for that script in Active Directory (AD). Operating Systems: The script has been tested in the following OS: - Windows 2003 - Windows 2008 - Windows 2008 R2 With - WSUS version 2 and 3 Instructions First and foremost you must assure that PowerShell 2.0 is installed and running on your WSUS Server. To do that, please go to your command line and type: powershell  If you windows have lunched Powershell you should see the letters PS next to the prompt line (look above). If Windows does not recognize the command “powershell”, you will have to download the Windows Management Framework Core (WinRM 2.0 and Windows Powershell 2.0) and install is on your Wsus server from the following link: Once you have downloaded and completed the Powershell (PS) installation on your wsus server, you will need to set Powershell restriction policy level to Unrestricted. To do that, type the followings Set-ExecutionPolicy Unrestricted in your command line: PS C:\> Set-ExecutionPolicy Unrestricted Setting the execution policy level to unrestricted allow the user to execute Powershell scripts on the system. Keep in mind that setting the policy to unrestricted is not always a good idea since you allow your server to execute any PS script. Thus, attackers could run their scripts on that server as well if they were ever successful gaining access to the server. For more information about the PS Execution policy please refer to the following link: Now you should be able to copy and paste the following script to your notepad and change server variables such as the From and To addresses and your Fully Qualified Domain Name (FQDN) of your WSUS server and your Exchange server (or any other email server you may be using). #Region VARIABLES # WSUS Connection Parameters: ## Change settings below to your situation. ## # Enter your FQDN of the WSUS server [String]$parentServer = "wsusserver.ubersec.com" # Use secure connection $True or $False [Boolean]$useSecureConnection = $False [Int32]$portNumber = 80 # From address for email notifications. You can name it to whatever you want. [String]$emailFromAddress = WsusAdmin@ubersec.com # To address for email notifications. The recipient whom needs to receive emails upon the cleanup completion. [String]$emailToAddress = uberadmingroup@ubersec.com # Subject of email notification [String]$emailSubject = "WSUS Cleanup Results" # Enter your FQDM for Exchange server [String]$emailMailserver = "emailmxsrv.ubersec.com" # Cleanup Parameters: ## Set to $True or $False ## # Decline updates that have not been approved for 30 days or more, are not currently needed by any clients, and are superseded by an approved update. [Boolean]$supersededUpdates = $True # Decline updates that aren't approved and have been expired my Microsoft. [Boolean]$expiredUpdates = $True # Delete updates that are expired and have not been approved for 30 days or more. [Boolean]$obsoleteUpdates = $True # Delete older update revisions that have not been approved for 30 days or more. [Boolean]$compressUpdates = $True # Delete computers that have not contacted the server in 30 days or more. [Boolean]$obsoleteComputers = $True # Delete update files that aren't needed by updates or downstream servers. [Boolean]$unneededContentFiles = $True #EndRegion VARIABLES #Region SCRIPT # Load .NET assembly [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration"); # Connect to WSUS Server $wsusParent = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($parentServer,$useS ecureConnection,$portNumber); # Log the date first $DateNow = Get-Date # Perform Cleanup $Body += "$parentServer ($DateNow ) :" | Out-String $CleanupManager = $wsusParent.GetCleanupManager(); $CleanupScope = New-Object Microsoft.UpdateServices.Administration.CleanupScope($supersededUpdates,$expiredUpdates ,$obsoleteUpdates,$compressUpdates,$obsoleteComputers,$unneededContentFiles); $Body += $CleanupManager.PerformCleanup($CleanupScope) | Out-String #Get list of downstream servers $wsusDownstreams = [Microsoft.UpdateServices.Administration.AdminProxy]::DownstreamServerCollection; $wsusDownstreams = $wsusParent.GetDownstreamServers(); #Clean each downstream server $wsusDownstreams | ForEach-Object { $ping = New-Object System.Net.NetworkInformation.Ping $DSServer = $_.FullDomainName Try{ $Reply = $ping.send($DSServer) $ReplyStatus = $Reply.Status Write-Host $ReplyStatus } catch{ $ReplyStatus = "False" Write-Host $ReplyStatus } if ($ReplyStatus -eq "Success") { # Log the date first $DateNow = Get-Date $Body += $DSServer + " ($DateNow ) : " | Out-String $wsusReplica = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($_.FullDomainName, $useSecureConnection,$portNumber); $CleanupManager = $wsusReplica.GetCleanupManager(); $CleanupScope = New-Object Microsoft.UpdateServices.Administration.CleanupScope($supersededUpdates,$expiredUpdates ,$obsoleteUpdates,$compressUpdates,$obsoleteComputers,$unneededContentFiles); $Body += $CleanupManager.PerformCleanup($CleanupScope) | Out-String }else{ # Log the date first $DateNow = Get-Date $Body += $DSServer + " ($DateNow ) : not pingable`n" | Out-String } } # Send the results in an email #Send-MailMessage -From $emailFromAddress -To $emailToAddress -Subject $emailSubject -Body $Body -SmtpServer $emailMailserver # Mail the report... $message = new-object Net.Mail.MailMessage $mailer = new-object Net.Mail.SmtpClient($emailMailserver) # From address for email notifications. You can name it to whatever you want. $message.From = wsusadmin@ubersec.com # To address for email notifications. The recipient whom needs to receive emails upon the cleanup completion. $message.To.Add("uberadmingroup@ubersec.com ") $message.Subject = "Windows Update - Server Clean-Up Wizard" $message.Body = ($Body) $mailer.Send($message) #EndRegion SCRIPT #You are done! Don't forget that you will have to change the MX server FQDN and the WSUS server FQDN in the lines at the top of the script. In addition, you will also have to add the [TO] and [FROM] email addressees. You can also download the script and modify the lines that say ”Change me” for your convenience from the following link: Now you can setup a scheduled job on your WSUS server to run that script once a week. Keep in mind that if you have Windows 2003 server you may not be able to run a Powershell scripts directly as a scheduled tasks. Rather, you will need to create a batch file that execute that script and then run that batch file in the schedule. The content of the batch file should look as the followings: @echo off cls powershell c:\>Wsus_script.ps1 Once the batch file is executed, it will execute the Powershell script and once this process is completed, your Admin group should receive an email that looks as the followings: wsusserver.ubersec.com (01/01/2012 02:01:39 ) : SupersededUpdatesDeclined : 0 ExpiredUpdatesDeclined : 0 ObsoleteUpdatesDeleted : 0 UpdatesCompressed : 79 ObsoleteComputersDeleted : 0 DiskSpaceFreed : 0 If successful, you are done!
Monday, January 2. 2012UBERHARVEST 2.80 STABLE is out!I am happy to announce that a newer version of uberharvest is out! UBERHARVEST 2.80 STABLE is out! - Added XML report feature. Look below for example - Removed all broken proxy server and added new working proxies to anonymous.txt file - Added more user-agents for (--random) option - Bug fixes - Now working with Python 2.52 and UP - Improved functionality - Added new setup file for automatic installation of perquisites packages - Application have been tested and is stable with the following Ubuntu/Backtrack distributions: Distributor ID: Ubuntu Description: Ubuntu 10.04.2 LTS Release: 10.04 Codename: lucid Distributor ID: Ubuntu Description: Ubuntu 10.10 Release: 10.10 Codename: maverick Distributor ID: BackTrack Description: BackTrack 4 R2 Release: 4 R2 Codename: Nemesis Distributor ID: Ubuntu Description: Ubuntu 11.10 Release: 11.10 Codename: oneiric And Backtrack 5 THE CURRENT UBERHARVEST VERSION CAN BE DIRECTLY DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest_2_80.tar.bz2 MD5 Hash = 90f16241b80c371d722f4450d89e9cb7 Please go to the downloads page to get directions about some modules that are required to be installed prior to using uberharvest. OR, Users can update uberharvest directly from your command line by typing, root@ubuntu:~/uberharvest#./uberharvest --update New Features FEATURE 1 For users’ convenience I added another option for creating XML reports after scans. The option can be used along with –m option (for scanning on target website) or –l option (for loading text file to scan multiple targets). To create the XML report, please add the following option to the scan (--xml or –xml). Look below for example. EXAMPLE OF USE, root@ubuntu:~/uberharvest#./uberharvest -m OR -l and -xml  Keep in mind that –xml option may slow down the scan process. In addition, the –xml option cannot be included with verbosity option (-v or –verbose). For more information, please go to our tutorial page. Please report any errors by emailing to support@ubersec.com THE CURRENT uberharvest VERSION CAN BE DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest_2_80.tar.bz2 MD5 Hash = 90f16241b80c371d722f4450d89e9cb7
Friday, December 23. 2011Installing Python version manager for quick python version switch
UBERHARVEST version 2.75 STABLE is out!
Monday, November 7. 2011UBERHARVEST version 2.67 is out!I am happy to announce that a new version of Uberharvest is out! UBERHARVEST 2.67 is out! - Bug fixes - Added history option for more efficiency. - Added another domain(s) search through Google. - Improved functionality THE CURRENT uberharvest VERSION CAN BE DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest_2_67.tar.bz2 Please go to the downloads page to get directions about some modules that are required to be installed prior to using Uberharvest. OR update Uberharvest directly from your command line by typing, root@ubuntu:~/uberharvest#./uberharvest --update New Features FEATURE 1 The new Google feature allows the user to receive results about other domains (and their IP addresses) corresponds with the target website. For instance, if your target website is ubersec.com then Uberharvest will search through Google for other domains that belong to ubersec.com. Look in the picture below inside the red box for an example. EXAMPLE OF USE, root@ubuntu:~/uberharvest#./uberharvest -m  FEATURE2 Uberharvest is now saving records of all user input and history while entering data to uberharvest. The folder location that records are stored is [uberharvest/History]. The user can simply use the UP ARROW (in his/her keyboard) to use previous inputs in order to increase time and efficiency. In addition, users can now have a record of what they have been typing from the moment they started using this new Uberharvest version. The threshold of the history file is 10MB. At 10MB and up, Uberharvest will overwrite the log file. Users can remove the older file to a different location if they wish to save history for their convenience. Please report any errors by emailing to support@ubersec.com THE CURRENT Uberharvest VERSION CAN BE DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest_2_67.tar.bz2
Saturday, October 29. 2011UBERHARVEST version 2.65 is out!I am happy to announce that a new version of uberharvest is out! UBERHARVEST 2.65 is out! - Major bug fixes - Improved functionality THE CURRENT uberharvest VERSION CAN BE DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest_2_65.tar.bz2 Please go to the downloads page to get directions about some modules that are required to be installed prior to using uberharvest. BUG PROBLEM HAS BEEN RESOLVED! If you are running an older version of uberharvest smaller than version 2.60 and you run into the following error through trying to update uberharvest: Extracting: /tmp/uberharvest_2_60.tar.bz2 Traceback (most recent call last): File "uberharvest.py", line 2099, in File "uberharvest.py", line 629, in checkver UnboundLocalError: local variable 'dst1' referenced before assignment root@ubuntu:~/uberharvest# Then please just download a new fresh copy of uberharvest from the link above. This bug has been fixed with the current version. Please report any errors by emailing to support@ubersec.com THE CURRENT uberharvest VERSION CAN BE DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest_2_65.tar.bz2
Friday, October 21. 2011UBERHARVEST version 2.62 is out!I am happy to announce that a new version of uberharvest is out! UBERHARVEST 2.62 is out! - Bug fixes - Added new get web server header feature THE CURRENT uberharvest VERSION CAN BE DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest_2_62.tar.bz2 Please go to the downloads page to get directions about some modules that are required to be installed prior to using uberharvest. New Features FEATURE 1 I added a new feature that reads the target web server header. If the header is not protected or the information from the header has not been removed by the company that hosts that server, uberharvest will show the target web server version and style. In addition, uberharvest will also show the [X-Powered–By] feature which shows the dynamic website language that the website uses. With that information, security professionals can check online for exploits that in principle could be used to exploit that web server. EXAMPLE OF USE, root@ubuntu:~/uberharvest#./uberharvest -m  FEATURE 2 I added a GEO database for retrieving the geographical location of the harvested website(s) domain. That feature can help security professional with the reconnaissance processes. The more information you know about the target the better it is. Be advised that you will have to either download the GEO database manually to you Linux OS or once you have downloaded and extracted the new version of uberharvest, please type the following: root@ubersec:~/uberharvest#./uberharvest -geo And you should see the following: Please wait while downloading and extracting GEO Database to your system. Downloading: GeoLiteCity.dat.gz Bytes: 18815214 EXAMPLE OF USE, root@ubuntu:~/uberharvest#./uberharvest -m And below is an image of a GEO location of a target ubersec.com website:  BUG PROBLEM HAS BEEN RESOLVED! If you are running an older version of uberharvest smaller than version 2.60 and you run into the following error through trying to update uberharvest: Extracting: /tmp/uberharvest_2_60.tar.bz2 Traceback (most recent call last): File "uberharvest.py", line 2099, in File "uberharvest.py", line 629, in checkver UnboundLocalError: local variable 'dst1' referenced before assignment root@ubuntu:~/uberharvest# Then please just download a new fresh copy of uberharvest from the link above. This bug has been fixed with the current version. Please report any errors by emailing to support@ubersec.com THE CURRENT uberharvest VERSION CAN BE DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest_2_62.tar.bz2
Wednesday, October 12. 2011UBERHARVEST version 2.60 is out!I am happy to announce that a new version of uberharvest is out! UBERHARVEST 2.60 is out! - Bug fixes - Added webpage GEO database - Fixed update issues THE CURRENT uberharvest VERSION CAN BE DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest_2_60.tar.bz2 Please go to the downloads page to get directions about some modules that are required to be installed prior to using uberharvest. New Feature I added a GEO database for retrieving the geographical location of the harvested website(s) domain. That feature can help security professional with the reconnaissance processes. The more information you know about the target the better it is. Be advised that you will have to either download the GEO database manually to you Linux OS or once you have downloaded and extracted the new version of uberharvest, please type the following: root@ubersec:~/uberharvest#./uberharvest -geo And you should see the following: Please wait while downloading and extracting GEO Database to your system. Downloading: GeoLiteCity.dat.gz Bytes: 18815214 EXAMPLE OF USE, root@ubuntu:~/uberharvest#./uberharvest -m And below is an image of a GEO location of a target ubersec.com website: BUG PROBLEM HAS BEEN RESOLVED! If you are running an older version of uberharvest smaller than version 2.60 and you run into the following error through trying to update uberharvest: Extracting: /tmp/uberharvest_2_60.tar.bz2 Traceback (most recent call last): File "uberharvest", line 2099, in File "uberharvest", line 629, in checkver UnboundLocalError: local variable 'dst1' referenced before assignment root@ubuntu:~/uberharvest# Then please just download a new fresh copy of uberharvest from the link above. This bug has been fixed with the current version. Please report any errors by emailing to support@ubersec.com THE CURRENT uberharvest VERSION CAN BE DOWNLOADED FROM: root@ubersec$ sudo wget http://ubersec.com/downloads/uberharvest_2_60.tar.bz2
|
Calendar
QuicksearchCategoriesBlog AdministrationTwitter Timeline
Search on Google SitePowered by
|
|||||||||||||||||||||||||||||||||||||||||||||||||
