A scenario on basic incident response, showing how a Microsoft service automatically creates a man-in-the-middle incident. It also gives an overview of some built-in tools and how to use them for security operations.
4. Overview
Event Scenario & Discovery
Microsoft Wake-Up Proxy Service
Tools that aren't tools?
Key Takeaways
5. Scenario Details
- Upgrading Windows XP to 7!
- 3 or more Windows 7 Machines
- Offending MACs matched peer Win 7 devices
- Reoccurred in unpredictable patterns
- Occurred after the post install script
- Related to the SCCM agent?
Diagram: Layer 2 switch with three Windows 7 hosts (MACs 00:00:0A, 00:00:0B, 00:00:0C)
10. Log Files
• <![LOG[Not becoming a guardian because we are the only machine in the subnet running WakeUp Proxy Service]LOG]!><time="x:x:x.xxx" component="SleepAgent" … >
• <![LOG[Sending a port-grabbing frame for x.x.x.x / xxMACxx from xxMACxx]LOG]!><time="x:x:x.xxx" component="SleepAgent" … >
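As an added example that is not part of the deck: a small Python parser for Configuration Manager (CMTrace) log entries of the shape quoted above. It pulls the time, date, component and message out of each entry and tallies the port-grabbing frames by the peer MAC that was claimed and the guardian that sent the frame, which is what ties the duplicated MACs seen on the switch back to one host. The log lines, MACs, IP addresses and timestamps below are constructed sample data, and the attribute names other than time and component are assumed from the usual CMTrace layout.

```python
import re
from collections import Counter

# Constructed sample SleepAgent entries in CMTrace format. MACs, IPs and
# timestamps are invented; the message texts follow the two entries quoted above.
SAMPLE_LOG = """<![LOG[Not becoming a guardian because we are the only machine in the subnet running WakeUp Proxy Service]LOG]!><time="08:01:02.123" date="03-14-2014" component="SleepAgent" context="" type="1" thread="1234" file="sleepagent.cpp:100">
<![LOG[Sending a port-grabbing frame for 10.0.0.12 / 00:11:22:33:44:0B from 00:11:22:33:44:0A]LOG]!><time="08:05:09.456" date="03-14-2014" component="SleepAgent" context="" type="1" thread="1234" file="sleepagent.cpp:200">
<![LOG[Sending a port-grabbing frame for 10.0.0.13 / 00:11:22:33:44:0C from 00:11:22:33:44:0A]LOG]!><time="08:05:10.789" date="03-14-2014" component="SleepAgent" context="" type="1" thread="1234" file="sleepagent.cpp:200">
<![LOG[Sending a port-grabbing frame for 10.0.0.12 / 00:11:22:33:44:0B from 00:11:22:33:44:0A]LOG]!><time="08:09:11.000" date="03-14-2014" component="SleepAgent" context="" type="1" thread="1234" file="sleepagent.cpp:200">
"""

# One CMTrace entry: the message between <![LOG[ ... ]LOG]!> followed by a tag
# whose attributes start with time, date and component (other attributes ignored).
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<component>[^"]*)"[^>]*>',
    re.DOTALL,
)

# The port-grabbing message: target IP, the peer MAC being claimed, and the
# MAC of the guardian that sent the frame.
PORT_GRAB_RE = re.compile(
    r"Sending a port-grabbing frame for (?P<ip>\S+) / "
    r"(?P<claimed_mac>[0-9A-Fa-f:]+) from (?P<guardian_mac>[0-9A-Fa-f:]+)"
)


def parse_cmtrace(text):
    """Return a dict (msg, time, date, component) for every entry in text."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def port_grab_events(entries):
    """Return (timestamp, ip, claimed_mac, guardian_mac) for each port-grabbing frame."""
    events = []
    for e in entries:
        if e["component"] != "SleepAgent":
            continue
        m = PORT_GRAB_RE.search(e["msg"])
        if m:
            events.append((e["date"] + " " + e["time"], m["ip"],
                           m["claimed_mac"], m["guardian_mac"]))
    return events


def claimed_mac_summary(events):
    """Count how often each peer MAC was claimed by each guardian MAC."""
    return Counter((claimed, guardian) for _, _, claimed, guardian in events)


if __name__ == "__main__":
    events = port_grab_events(parse_cmtrace(SAMPLE_LOG))
    for (claimed, guardian), n in claimed_mac_summary(events).most_common():
        print(f"{claimed} claimed {n} time(s) by guardian {guardian}")
```

Run against a real SleepAgent.log, the guardian MACs in the summary are the hosts to compare with the switch's MAC table when the "offending" MAC keeps moving between ports.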
11. Microsoft Wake-Up Proxy Service
• SCCM 2012 SP1
• "Configuration Manager supports traditional wake-up packets to wake up computers in sleep mode when you want to install required software, such as software updates and applications."
• "…on a network that uses 802.1X network access control, wake-up proxy will not work and can disrupt the network service."
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/plan-wake-up-clients
24. Microsoft Wake-Up Proxy Service
• Monitor and parse traffic from the attached VLAN
• Undetected scanning of peer computers' listening ports
• Craft custom packets for service exploits
• Ability to wake up sleeping or powered-off computers
Diagram: compromised box anywhere in the domain
26. netstat
• -a: Displays all active TCP connections and the TCP/UDP ports on which the computer is listening
• -n: Displays active TCP connections; however, addresses and port numbers are expressed numerically and no attempt is made to determine names
• -o: Displays active TCP connections and includes the PID for each connection
• -b (admin): Displays the binary program's name involved in creating each connection or listening port
27. tasklist
• /s <Computer>: Specifies the name or IP address of a remote computer
• /svc: Lists all the service information for each process without truncation
• /fi <Filter>: Specifies the types of processes to include in or exclude from the query
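As an added example that is not from the deck: the netstat and tasklist slides above describe the two outputs an analyst joins by PID to see which process owns each listening port. The Python below parses constructed sample output of `netstat -ano` and `tasklist /svc` (all PIDs, addresses and image names are invented for the example; PID 7777 is deliberately left out of the tasklist sample) and reports every listener with its image name and hosted services, flagging any listener whose PID has no process entry.

```python
import re

# Constructed sample output of "netstat -ano" (values invented for this example).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       7777
  TCP    10.0.0.11:49731        10.0.0.5:443           ESTABLISHED     2912
  UDP    0.0.0.0:62000          *:*                                    2912
"""

# Constructed sample output of "tasklist /svc"; PID 7777 is deliberately absent.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    880 RpcEptMapper, RpcSs
CcmExec.exe                   2912 CcmExec
"""

# image name, PID, then the service list (or N/A); header and separator rows
# contain no PID digits and therefore do not match.
TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_netstat(text):
    """Parse 'netstat -ano' rows into dicts; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_svc(text):
    """Map PID -> (image name, list of hosted services) from 'tasklist /svc'."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if not m:
            continue
        raw = m["services"].strip()
        services = [] if raw == "N/A" else [s.strip() for s in raw.split(",")]
        procs[int(m["pid"])] = (m["image"].strip(), services)
    return procs


def listening_sockets(netstat_rows, procs):
    """Return (proto, local address, pid, image, services) for every listener.

    TCP listeners are the LISTENING rows; every UDP row is a bound socket.
    A PID missing from tasklist is reported as '<no process>' so a listener
    whose owner could not be identified stands out.
    """
    result = []
    for r in netstat_rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        image, services = procs.get(r["pid"], ("<no process>", []))
        result.append((r["proto"], r["local"], r["pid"], image, services))
    # sort by protocol, then numeric local port
    return sorted(result, key=lambda t: (t[0], int(t[1].rsplit(":", 1)[1])))


def unidentified_listeners(listeners):
    """Listeners whose PID had no tasklist entry (exited, hidden, or stale data)."""
    return [l for l in listeners if l[3] == "<no process>"]


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist_svc(TASKLIST_SAMPLE)
    for proto, local, pid, image, services in listening_sockets(rows, procs):
        print(f"{proto:3} {local:22} pid={pid:<6} {image:14} {', '.join(services)}")
```

Both commands should be captured in the same moment on the host; a PID that shows up as `<no process>` usually means the process exited between the two snapshots, and if it persists across repeated captures it deserves a closer look with `netstat -b`.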
28. tcpdump
• Top talkers after 1,000 packets:
"tcpdump -nn -c 1000 | awk '{print $3}' | cut -d. -f1-4 | sort -n | uniq -c | sort -nr"
• Clear text protocol passwords:
"tcpdump -n -A -s0 port http or port ftp or port smtp or port imap or port pop3 | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20"
29. WMI objects & PowerShell
• Domain_File_Search.ps1: Searches through SYSVOL on your domain for passwords, files, usernames and anything else that may be erroneously stored in a publicly readable space.
• Native AD-SCAN: Domain Active Directory queries from PowerShell using native .NET libraries only for LDAP connections.
• Power-SCAN: Scans common ports of every endpoint of a given subnet. In progress: building out enumeration of adjacent networks by hop for additional enumeration and scanning.