miércoles, 28 de enero de 2015

martes, 27 de enero de 2015

Clientes VPN, Radius, Network Access Protection, logs? Windows server 2012

Amigos de Inseguros !!!

Dicen en mi barrio que todo lo malo se pega. Eso me decía mi madre de pequeño cuando me juntaba con los chicos más estudiosos del lugar !!!


Del mundo Linux tengo que decir que lo que más me ha calado hondo son los Logs.

Aunque tenemos información de bajo nivel mediante el visor de sucesos de Windows, en ocasiones necesitamos acceder a información detallada de un evento, y para eso tenemos los ficheros de logs.

Al más puro estilo linux, vamos a ver un log de Windows del que no se presta mucha atención, el de los servicios de acceso a redes, vpn y demás farándulas.

Para empezar, el típico tail -F de Linux, para ver en tiempo real el log, lo tenemos con : Get-Content -Path C:\Windows\system32\LogFiles\IN***.log -Wait

A muestra de ejemplo, voy a pegar un log. Los datos sensibles los omito.

"JANGO","RAS",01/27/2015,17:48:46,1,"dominio.COM\jmolina","dominio.com/Users/Joaquín Molina ","ip servidor","ipcliente",,,"JANGO","ipservidor",51,,"piservidor","JANGO",,,5,,1,2,4,"Conexiones al servidor de Enrutamiento y acceso remoto de Microsoft",0,"311 1 ip servidor 01/08/2015 12:10:52 640",,,,,,,,,"78",,,,,,,,,1,1,"ip cliente","ip servidor",,,,,,,"MSRASV5.20",311,,,,,"Directiva del Servicio de enrutamiento y acceso remoto de Microsoft",1,,,"MSRAS-0-MIACA-PC","MSRASV5.20"

Como se puede apreciar, tenemos todo tipo de información de la autenticación de nuestros clientes de redes remotos.

Si necesitas concretar alguno de los campos, lo mejor es tener la descripción oficial de Microsoft a mano. Pongo un ejemplo con la descripción concreta:

"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,


Value shown in example Attribute Data type Description
"CLIENTCOMP" ComputerName Text The name of the server where the packet was received (this is an IAS-internal attribute).
"IAS" ServiceName Text The name of the service that generated the record—IAS or the Routing and Remote Access service (this is an IAS-internal attribute).
03/07/2008 Record-Date Time The date at the NPS or Routing and Remote Access server (this is an IAS-internal attribute).
13:04:33 Record-Time Time The time at the NPS or Routing and Remote Access server (this is an IAS-internal attribute).
1 Packet-Type Number The type of packet, which can be:
  • 1 = Access-Request
  • 2 = Access-Accept
  • 3 = Access-Reject
  • 4 = Accounting-Request
This is an IAS-internal attribute.
"client" User-Name Text The user identity, as specified by the user.

Fully-Qualified-Distinguished-Name Text The user name in canonical format (this is an IAS-internal attribute).

Called-Station-ID Text The phone number dialed by the user.

Calling-Station-ID Text The phone number from which the call originated.

Callback-Number Text The callback phone number.

Framed-IP-Address Text The framed address to be configured for the user.

NAS-Identifier Text The text that identifies the network access server originating the request.

NAS-IP-Address Text The IP address of the network access server originating the request.

NAS-Port Number The physical port number of the network access server originating the request.
9 Client-Vendor Number The manufacturer of the network access server (this is an IAS-internal attribute).
"10.10.10.10" Client-IP-Address Text The IP address of the RADIUS client (this is an IAS-internal attribute).
"npsclient" Client-Friendly-Name Text The friendly name for the RADIUS client (this is an IAS-internal attribute).

Event-Timestamp Time The date and time that this event occurred on the network access server.

Port-Limit Number The maximum number of ports that the network access server provides to the user.

NAS-Port-Type Number The type of physical port that is used by the network access server originating the request.

Connect-Info Text Information that is used by the network access server to specify the type of connection made. Typical information includes connection speed and data encoding protocols.

Framed-Protocol Number The protocol to be used.

Service-Type Number The type of service that the user has requested.
1 Authentication-Type Number The authentication scheme, which is used to verify the user and can be:
  • 1 = PAP
  • 2 = CHAP
  • 3 = MS-CHAP
  • 4 = MS-CHAP v2
  • 5 = EAP
  • 7 = None
  • 8 = Custom
This is an IAS-internal attribute.

Policy-Name Text The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, then this attribute is blank.
0 Reason-Code Number The reason for rejecting a user, which can be:
  • 0 = IAS_SUCCESS
  • 1 = IAS_INTERNAL_ERROR
  • 2 = IAS_ACCESS_DENIED
  • 3 = IAS_MALFORMED_REQUEST
  • 4 = IAS_GLOBAL_CATALOG_UNAVAILABLE
  • 5 = IAS_DOMAIN_UNAVAILABLE
  • 6 = IAS_SERVER_UNAVAILABLE
  • 7 = IAS_NO_SUCH_DOMAIN
  • 8 = IAS_NO_SUCH_USER
  • 16 = IAS_AUTH_FAILURE
  • 17 = IAS_CHANGE_PASSWORD_FAILURE
  • 18 = IAS_UNSUPPORTED_AUTH_TYPE
  • 32 = IAS_LOCAL_USERS_ONLY
  • 33 = IAS_PASSWORD_MUST_CHANGE
  • 34 = IAS_ACCOUNT_DISABLED
  • 35 = IAS_ACCOUNT_EXPIRED
  • 36 = IAS_ACCOUNT_LOCKED_OUT
  • 37 = IAS_INVALID_LOGON_HOURS
  • 38 = IAS_ACCOUNT_RESTRICTION
  • 48 = IAS_NO_POLICY_MATCH
  • 64 = IAS_DIALIN_LOCKED_OUT
  • 65 = IAS_DIALIN_DISABLED
  • 66 = IAS_INVALID_AUTH_TYPE
  • 67 = IAS_INVALID_CALLING_STATION
  • 68 = IAS_INVALID_DIALIN_HOURS
  • 69 = IAS_INVALID_CALLED_STATION
  • 70 = IAS_INVALID_PORT_TYPE
  • 71 = IAS_INVALID_RESTRICTION
  • 80 = IAS_NO_RECORD
  • 96 = IAS_SESSION_TIMEOUT
  • 97 = IAS_UNEXPECTED_REQUEST
This is an IAS-internal attribute.

Class Text The attribute that is sent to the client in an Access-Accept packet.

Session-Timeout Number The length of time (in seconds) before the session is terminated.

Idle-Timeout Number The length of idle time (in seconds) before the session is terminated.

Termination-Action Number The action that the network access server takes when service is completed.

EAP-Friendly-Name Text The friendly name of the EAP-based authentication method that was used by the access client and NPS server during the authentication process. For example, if the client and server use Extensible Authentication Protocol (EAP) and the EAP type MS-CHAP v2, the value of EAP-Friendly-Name is “Microsoft Secured Password (EAP-MSCHAPv2)."

Acct-Status-Type Number The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Server session.

Acct-Delay-Time Number The length of time (in seconds) for which the network access server has been sending the same accounting packet.

Acct-Input-Octets Number The number of octets received during the session.

Acct-Output-Octets Number The number of octets sent during the session.

Acct-Session-Id Text The unique numeric string that identifies the server session.

Acct-Authentic Number The number that specifies which server authenticated an incoming call.

Acct-Session-Time Number The length of time (in seconds) for which the session has been active.

Acct-Input-Packets Number The number of packets received during the session.

Acct-Output-Packets Number The number of packets sent during the session.

Acct-Terminate-Cause Number The reason that a connection was terminated.

Acct-Multi-Ssn-ID Text The unique numeric string that identifies the multilink session.

Acct-Link-Count Number The number of links in a multilink session.

Acct-Interim-Interval Number The length of interval (in seconds) between each interim update that the network access server sends.

Tunnel-Type Number The tunneling protocol to be used.

Tunnel-Medium-Type Number The medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers.

Tunnel-Client-Endpt Text The IP address of the tunnel client.

Tunnel-Server-Endpt Text The IP address of the tunnel server.

Acct-Tunnel-Conn Text An identifier assigned to the tunnel.

Tunnel-Pvt-Group-ID Text The group ID for a specific tunneled session.

Tunnel-Assignment-ID Text The tunnel to which a session is assigned.

Tunnel-Preference Number The preference of the tunnel type, as indicated with the Tunnel-Type attribute when multiple tunnel types are supported by the access server.

MS-Acct-Auth-Type Number A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-Acct-EAP-Type Number A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-RAS-Version Text A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-RAS-Vendor Number A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-CHAP-Error Text A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-CHAP-Domain Text A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-MPPE-Encryption-Types Number A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-MPPE-Encryption-Policy Number A Routing and Remote Access service attribute. For more information, see RFC 2548.

Proxy-Policy-Name Text The name of the connection request policy that matched the connection request.

Provider-Type Number Specifies the location where authentication occurs. Possible values are 0, 1, and 2. A value of 0 indicates that no authentication occurred. A value of 1 indicates that authentication occurs on the local NPS server. A value of 2 indicates that the connection request is forwarded to a remote RADIUS server for authentication.

Provider-Name Text A string value that corresponds to Provider-Type. Possible values are "None" for a Provider-Type value of 0, "Windows" for a Provider-Type value of 1, and "Radius Proxy" for Provider-Type value of 2.

Remote-Server-Address IP address The IP address of the remote RADIUS server to which the connection request was forwarded for authentication.
"CLIENTCOMP" MS-RAS-Client-Name Text The name of the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7 and less than 40.
Value, which specifies the computer name of the endpoint that is requesting network access, is sent in ASCII format and is null terminated.
The valid character set for the computer name includes letters, numbers, and the following symbols: ! @ # $ % ^ & ‘ ) ( . - _ { } ~.

MS-RAS-Client-Version Number The operating system version that is installed on the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7.
Value, which specifies the version of the operating system on a remote access client, is a string that is in network byte order.

Como siempre, gracias por leerme. Espero que os guste.

Recuerda que puedes buscar entre mis libros de hacking en español en en recopilatorio de libros sobre hacking 

martes, 20 de enero de 2015

Operaciones con el DNS de Windows Server que deberías saber !!

Estimados amigos de Inseguros !!!

Todos sabemos lo fácil que es instalar un servidor DNS en Windows. Siguiente siguiente siguiente y está listo. Sobre todo, si lo integramos con Active Directory en la creación de nuestro primer Domain Controller, la tarea es realmente sencilla.


A lo largo de mis 15 años de administración de sistemas AD el error número uno es la configuración del cliente. Si usas un servidor DNS interno, TODOS los equipos deben apuntar al sistema DNS interno.

El segundo fallo que más me he encontrado es el tema de los reenviadores. Cuando tienes un servidor interno DNS, el servidor conoce los recursos INTERNOS. Tiene un registro del tipo A para cada equipo, como pueda ser: Servidor-172.16.1.1. Lo que tenemos claro es que no tiene un registro para TODOS LOS DOMINIOS DE INTERNET, serían unos cuantos Gigas.

Los reenviadores nos permiten configurar un servidor externo ( por lo general) que será el encargado de resolver las direcciones externas, las que nuestro server interno no conoce, por ejemplo www.1gbdeinformacion.com.

Si no configuras correctamente un reenviador "cercano", como pueda ser el de tu ISP, o el famoso 8.8.8.8 de Google, la resolución de nombres la reenviará hacia los servidores ROOT dns de internet, es decir, los padres de Internet !!! xD.


Bien, y la seguridad?

Hay varias guías de buenas prácticas en seguridad para el DNS de Windows.

La parte que ahora me interesa es la auditoria o logging de las peticiones de los clientes.

Monitorizando tráfico desde una interface privada del firewall a la WAN o interface de Internet he detectado peticiones UDP contra servidores DNS que no deberían. Tambien he detectado respuestas.

Me gustaría saber qué equipos están haciendo qué peticiones, por lo que voy a activar la auditoria en detalle de las peticiones DNS de los clientes de mi red interna.

Vamos a instalar este HotFix para nuestro server DNS support.microsoft.com/kb/2956577
Ojo, solo es válido para Windows Server 2012 R2.

Instalamos y si, amigos, tenemos que reiniciar...

A continuación, en el visor de sucesos, bajo la rama aplicaciones, windows, Dns-Server habilitamos los registros.



Ahora podemos ver las peticiones desde el equipo cliente con el nombre.


Por si os sirve de ayuda, aquí os pego la información de los registros.

Como siempre, espero que os guste y gracias por leerme !!!

Event ID Type Category Level Event text
257
Response success
Lookup
Informational
RESPONSE_SUCCESS: TCP=%1; InterfaceIP=%2; Destination=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; DNSSEC=%9; RCODE=%10; Port=%11; Flags=%12; Scope=%13; Zone=%14; PolicyName=%15; PacketData=%17
258
Response failure
Lookup
Error
RESPONSE_FAILURE: TCP=%1; InterfaceIP=%2; Reason=%3; Destination=%4; QNAME=%5; QTYPE=%6; XID=%7; RCODE=%8; Port=%9; Flags=%10; Zone=%11; PolicyName=%12; PacketData=%14
259
Ignored query
Lookup
Error
IGNORED_QUERY: TCP=%1; InterfaceIP=%2; Reason=%3; QNAME=%4; QTYPE=%5; XID=%6; Zone=%7; PolicyName=%8
260
Query out
Recursive query
Informational
RECURSE_QUERY_OUT: TCP=%1; Destination=%2; InterfaceIP=%3; RD=%4; QNAME=%5; QTYPE=%6; XID=%7; Port=%8; Flags=%9; ServerScope=%10; CacheScope=%11; PolicyName=%12; PacketData=%14
261
Response in
Recursive query
Informational
RECURSE_RESPONSE_IN: TCP=%1; Source=%2; InterfaceIP=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; Port=%9; Flags=%10; ServerScope=%11; CacheScope=%12; PacketData=%14
262
Recursive query timeout
Recursive query
Error
RECURSE_QUERY_TIMEOUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; QTYPE=%5; XID=%6; Port=%7; Flags=%8; ServerScope=%9; CacheScope=%10
263
Update in
Dynamic update
Informational
DYN_UPDATE_RECV: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; Port=%6; Flags=%7; SECURE=%8; PacketData=%10
264
Update response
Dynamic update
Informational
DYN_UPDATE_RESPONSE: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PolicyName=%9; PacketData=%11
265
IXFR request out
Zone XFR
Informational
IXFR_REQ_OUT: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9
266
IXFR request in
Zone XFR
Informational
IXFR_REQ_RECV: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9
267
IXFR response out
Zone xfr
Informational
IXFR_RESP_OUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10
268
IXFR response in
Zone xfr
Informational
IXFR_RESP_RECV: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10
269
AXFR request out
Zone XFR
Informational
AXFR_REQ_OUT: TCP=%1; Source=%2; InterfaceIP=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9
270
AXFR request in
Zone XFR
Informational
AXFR_REQ_RECV: TCP=%1; Source=%2; InterfaceIP=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9
271
AXFR response out
Zone XFR
Informational
AXFR_RESP_OUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8
272
AXFR response in
Zone XFR
Informational
AXFR_RESP_RECV: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8
273
XFR notification in
Zone XFR
Informational
XFR_NOTIFY_RECV: Source=%1; InterfaceIP=%2; QNAME=%3; ZoneScope=%4; Zone=%5; PacketData=%7
274
XFR notification out
Zone XFR
Informational
XFR_NOTIFY_OUT: Destination=%1; InterfaceIP=%2; QNAME=%3; ZoneScope=%4; Zone=%5; PacketData=%7
275
XFR notify ACK in
Zone XFR
Informational
XFR_NOTIFY_ACK_IN: Source=%1; InterfaceIP=%2; PacketData=%4
276
XFR notify ACK out
Zone XFR
Informational
XFR_NOTIFY_ACK_OUT: Destination=%1; InterfaceIP=%2; Zone=%3; PacketData=%5
277
Update forward
Dynamic update
Informational
DYN_UPDATE_FORWARD: TCP=%1; ForwardInterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10
278
Update response in
Dynamic update
Informational
DYN_UPDATE_RESPONSE_IN: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10
279
Internal lookup CNAME
Lookup
Informational
INTERNAL_LOOKUP_CNAME: TCP=%1; InterfaceIP=%2; Source=%3; RD=%4; QNAME=%5; QTYPE=%6; Port=%7; Flags=%8; XID=%9; PacketData=%11
280
Internal lookup additional
Lookup
Informational
INTERNAL_LOOKUP_ADDITIONAL: TCP=%1; InterfaceIP=%2; Source=%3; RD=%4; QNAME=%5; QTYPE=%6; Port=%7; Flags=%8; XID=%9; PacketData=%11

miércoles, 14 de enero de 2015

Política de retención de backups del sistema en Windows 2012

Amigos de Inseguros !!!

Seguro que muchos habéis leído el post de mi compañero 1gbdeinformación sobre como montar tus backups del sistema Windows 2012 con la utilidad que trae por defecto.


Es muy aconsejable realizar esta copia, para restablecer el sistema en caso de un "problema" gordo.

Una de las cosas que no se suele tener en cuenta es la política de retención de copias.

Una imagen vale más que mil palabras.


Teniendo esta configuración, de copias de seguridad, podemos observar como tenemos 228 versiones de nuestra copia de seguridad. Esto que nos aporta? tener granularidad de fechas en la restauración. Podemos restaurar desde cualquier punto.


Esto positivo. Recuerda que si solo tienes un archivo de backup, y vas sobrescribiendo cuando realizas tu backup, tienes el peligro de que se corrompa mientras se realiza la copia, y pierdas el backup. Esto se llamaba Ley de Murphy 1.0 :-)

Que va a pasar con este planteamiento? Que nos vamos a quedar sin disco rápidamente... La solución de Microsoft es crear una tarea programada, por ejemplo una vez cada semana, en la que borramos todas las versiones, todas las fechas, y dejamos solo las 7 últimas. Que comando usamos? 


WBADMIN DELETE SYSTEMSTATEBACKUP -keepVersions:

Si quieres ampliar un poco más en las opciones del comando, aquí tenemos al "hombre" xD.

Espero que os guste este pequeño truco para gestionar la retención de nuestros backups de sistemas.

Espero que os sirva de ayuda, gracias por leerme !!!