Recently I needed to write a script that could locate a folder on a system that had particular characteristics. I was looking for hidden folders that the logged-on user had rights to read, write/append and execute in, i.e. folders where they can drop a binary and then run it.
This is the script I came up with. It uses a WMI query and method to first locate all the hidden folders on the system, and then compare each one's effective permissions (for the user running the script) against an access mask I created:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colFiles = objWMIService.ExecQuery _
    ("Select * from Win32_Directory Where Hidden = True")

' Access mask bits understood by CIM_LogicalFile.GetEffectivePermission
Const FILE_READ_DATA   = 1
Const FILE_WRITE_DATA  = 2
Const FILE_APPEND_DATA = 4
Const FILE_EXECUTE     = 32
' Can we read (1), write/append (2 + 4) and execute (32) in this folder? 1 + 2 + 4 + 32 = 39
intPermissions = FILE_READ_DATA Or FILE_WRITE_DATA Or FILE_APPEND_DATA Or FILE_EXECUTE

WScript.Echo "Hidden folders which you can write to..."
intW = 0 ' initialise writable folder count

' Iterate through each hidden folder on the computer
For Each objFile In colFiles
    strName = LCase(objFile.Name)
    ' Ignore some well known hidden folders
    If InStr(strName, "documents and settings") = 0 And _
       InStr(strName, "$nt") = 0 And _
       InStr(strName, "$hf_mig$") = 0 And _
       InStr(strName, "ie7updates") = 0 And _
       InStr(strName, "visual studio") = 0 And _
       InStr(strName, "dllcache") = 0 And _
       InStr(strName, "$patchcache$") = 0 Then
        ' Use the WMI method to test the calling user's effective permissions
        ' against the mask; it returns True only if every requested right is granted
        If objFile.GetEffectivePermission(intPermissions) Then
            WScript.Echo objFile.Name
            intW = intW + 1
        End If
    End If
Next
WScript.Echo intW & " vulnerable folders."
This was important as part of a wider effort to prove a particular vulnerability existed. Imagine the scenario where a standard user is prevented from running unknown binaries except for one hidden folder somewhere on the system which is excluded from this protection. If one could quickly find that folder, the user could run whatever he liked.
I’m aware that there are plenty of command line tools that would have helped in this endeavour (such as AccessChk) but remember: this is a system where unauthorised apps cannot be run. It’s VBScript or nothing.
This is a bit of code I wish I’d found sooner. There is a feature of the LDAP provider in Server 2003 (it seems to be mostly undocumented) that allows you to bind to a directory object using nothing but the SID of an account:
' Bind directly on the SID (string form, e.g. S-1-5-21-...-512); note there is no space around the "="
bindSid = "LDAP://<SID=" & SID & ">"
Set oVal = GetObject(bindSid)
Result = oVal.Get("cn")
Set oVal = Nothing
So if you have a list of SIDs and want to translate them into meaningful account names, this will do it without relying on WMI, which on a lot of secure networks is locked down (or at least should be!).
Why do I need this? It’s a part of a larger script I’m writing that will archive specific Group Policy Objects from the \SYSVOL\<domainname>\Policies\ folder of a PDC emulator (PDCe). One of the files in a GPO is the GptTmpl.inf file which gives a list of the User Rights Assignments (SeBackupPrivilege, SeShutdownPrivilege etc.) along with the SIDs of the accounts that have been given those privileges (e.g. S-1-5-19). I wrote a script that reads the SIDs and queries the DC for the account names. This code fragment works more reliably (and I think faster) than the WMI calls I was previously using.
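As an added example (this is not the script from the original post), here is a VBScript fragment that reads the [Privilege Rights] section of a GPO's GptTmpl.inf, which lives under the policy's MACHINE\Microsoft\Windows NT\SecEdit folder, and translates each SID through the same LDAP://<SID=...> binding. Entries in that section are written as `SePrivilegeName = *S-1-5-32-544,*S-1-5-32-551`, with a leading asterisk marking a SID, so the asterisk is stripped before binding. The server name, domain and policy GUID in the path are placeholders, and looking up sAMAccountName with a fall back to cn is my choice rather than the post's; SIDs that have no object in the directory (local and well-known SIDs such as S-1-5-19) cannot be bound to at all, so the raw SID is kept for those instead of the script failing.

```vbscript
' Added example, not part of the original post: parse [Privilege Rights]
' from a GptTmpl.inf and resolve each *S-1-... entry via LDAP SID binding.
Option Explicit

Const ForReading = 1

' Resolve a SID string to the object's sAMAccountName (falling back to cn).
' Binding fails for SIDs with no directory object (local or well-known SIDs,
' e.g. S-1-5-19), in which case the raw SID is returned unchanged.
Function SidToName(strSid)
    Dim oVal
    On Error Resume Next
    Set oVal = GetObject("LDAP://<SID=" & strSid & ">")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        SidToName = strSid
        Exit Function
    End If
    SidToName = oVal.Get("sAMAccountName")
    If Err.Number <> 0 Then
        ' e.g. a foreignSecurityPrincipal, which has a cn but no sAMAccountName
        Err.Clear
        SidToName = oVal.Get("cn")
    End If
    On Error GoTo 0
    Set oVal = Nothing
End Function

' Parse the [Privilege Rights] section of a GptTmpl.inf into a Dictionary
' mapping privilege name -> comma-separated list of resolved account names.
Function ReadPrivilegeRights(strPath)
    Dim fso, ts, strLine, blnInSection, dict, arrParts, arrEntries, i, strEntry, strNames
    Set dict = CreateObject("Scripting.Dictionary")
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' Security templates are written as Unicode, hence format -1 (TristateTrue)
    Set ts = fso.OpenTextFile(strPath, ForReading, False, -1)
    blnInSection = False
    Do Until ts.AtEndOfStream
        strLine = Trim(ts.ReadLine)
        If Left(strLine, 1) = "[" Then
            ' A new section header: are we now inside [Privilege Rights]?
            blnInSection = (LCase(strLine) = "[privilege rights]")
        ElseIf blnInSection And InStr(strLine, "=") > 0 Then
            arrParts = Split(strLine, "=", 2)
            arrEntries = Split(Trim(arrParts(1)), ",")
            strNames = ""
            For i = 0 To UBound(arrEntries)
                strEntry = Trim(arrEntries(i))
                ' Entries are prefixed with '*' when they are SIDs rather than names
                If Left(strEntry, 1) = "*" Then
                    strEntry = SidToName(Mid(strEntry, 2))
                End If
                If strNames <> "" Then strNames = strNames & ", "
                strNames = strNames & strEntry
            Next
            dict.Add Trim(arrParts(0)), strNames
        End If
    Loop
    ts.Close
    Set ReadPrivilegeRights = dict
End Function

Dim strInf, dictRights, strPriv
' Placeholder path: substitute the DC, domain and policy GUID of the GPO being archived
strInf = "\\dc01\SYSVOL\example.local\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
Set dictRights = ReadPrivilegeRights(strInf)
For Each strPriv In dictRights.Keys
    WScript.Echo strPriv & " = " & dictRights(strPriv)
Next
```

Run it with cscript so the output goes to the console rather than a message box per line. The On Error Resume Next in SidToName is deliberately scoped to the binding and the attribute read only, so a genuine problem elsewhere (a missing file, a malformed line) still stops the script.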
I love this image. It’s a brilliant example of how strong security measures applied inappropriately (like in the wrong place) can be tantamount to no security at all, as your users will just find ways to circumvent them. For example: enforce passwords so strong that users can’t remember them any more and they just resort to writing them down on Post-its.
In case you weren’t aware, using WEP to secure your home network is a bit like putting a sign on your front door letting everyone know that you do have a key to keep it locked, but if they can work out your clue they’ll be able to find it. And then leaving your key under the mat.
I’ve tried cracking WEP before with limited success: relying on the network to be busy enough to capture packets doesn’t make for reliable cracking, but this method is different, forcing the access point to produce all the packets we need for analysis. I thought it was time I finally proved to myself that it was possible, so I dug out the old BT Home Hub device and switched on the wireless before booting my MacBook Pro off BackTrack, an excellent pen test Live CD.
At the cinema tonight I paid for the tickets with a card that was issued very soon after Chip & Pin came out. As such I had never used the card in a situation where I needed to sign; it had only ever been used with Chip & Pin (progress, woo!). Until tonight, that is: the cinema haven’t upgraded their point of sale systems yet and still require a signature for verification.
So, I handed over the card. The clerk looked at it, flipped it over, looked at it some more and then said falteringly, “It’s not, urm, signed…” He handed it back. He was right, it wasn’t - I’d obviously never got round to signing the strip on the back and having only ever paid with Chip & Pin no one else had ever noticed. Oops. What happened next was brilliant, and I thought only the stuff of urban legend… he handed me a pen. Then he watched me sign the back of the card. Then he handed me the payment slip and watched me sign that too. Then, and this is what really made me laugh: he checked them!
I asked him “Do they match?”, at which point he realised how dumb the whole process had been. I then showed him other cards in my wallet that proved my signature was mine. A salutary lesson in what happens when you train people to blindly follow a process without actually thinking about the security requirement behind it…
Oh, and Alien Autopsy is a fun little film which gets away with the trick of making you forget that Ant & Dec are, well, Ant & Dec. Also worth it for Jimmy Carr and Omid Djalili’s appearances.