Software

This section looks at what is new in the world of software (Operating Systems included) and how to take best advantage of what is out there.

Following on from some recent OpenVAS testing and in turn discovering that some of our PHP versions were sorely out of date I’ve set about to patch and document all of the installations. In turn we have a simple guide on how to update PHP security releases!

Please note – this guide is aimed at really simple single server instances of PHP that are being used by Microsoft IIS, be sure to test the upgrade outside of your production environment before deploying it.

For this guide you will also need this link – http://windows.php.net which contains the downloads for PHP on Windows.

Troubleshooting:

  • If you encounter an error message during the overwrite of the existing PHP install consider stopping the IIS server service first and then restarting it with the following commands from an elevated command/PowerShell prompt.
    • net stop WAS
    • net start W3SVC
This entry is part 1 of 4 in the series A Windows SysAdmin installs and uses OpenVAS

This guide covers one (of I’m sure a 1,000) ways to deploy and use OpenVAS 9 in your environment on Ubuntu Server 16.04 for the purpose of White Hat Penetration Testing, more so it’s also written from the viewpoint of a SysAdmin who mainly works with Windows Systems (Windows Server/Hyper-V/PowerShell/suchlike) and so takes a very simplistic approach to the setup.

The goals of this project are to

  • Install Ubuntu Server 16.04 LTS on Hyper-V
  • Deploy OpenVAS to that server
  • Execute scripted commands against OpenVAS from a remote system
  • Light up with a big warning sign all of the unknown issues within a network

Lets get started!

To start out you will need

  • A Hyper-V host (although no reason not to run it on VMWare/whatnot)
  • The latest ISO for Ubuntu Server 16.04 LTS saved somewhere your Hyper-V server can get to
    • Download from – https://www.ubuntu.com/download/server
    • Worth noting that only the 16.04 LTS release is going to work with this guide, when I first tried getting OpenVAS to work with 17.04 (a newer release) there were various blocking issues that I could not overcome. In short – use 16.04!!!

Step 0 – Get DNS in the right place

Configuring DNS correctly in particular with relation to Reverse Lookup will help your OpenVAS deployment loads, for a good guide on how to setup Reverse Lookup take a look at this link – http://de.community.dell.com/techcenter/os-applications/w/wiki/684.how-to-configure-dns-reverse-lookup-zone-in-windows-server-2012 (don’t worry about the de. its in English!).

Step 1 – Configure a Hyper-V VM for OpenVAS

In this next step we configure a Hyper-V VM running on Windows Hyper-V Server 2016 (which is free by the way!).

Step 2 – Install Ubuntu Server

Next up the install of Ubuntu Linux, as I understand OpenVAS can be installed on all kinds of flavours of Linux however the support I’ve seen in the past around Ubuntu seems much better than other options. This portion of the guide assumes you are not running your OpenVAS server on a network that’s got DHCP enabled (in this example it’s on our Servers VLAN).

Step 3 – First Boot

Next up we have some housekeeping for Ubuntu, making sure it’s up to date and getting OpenSSH server running so we can move to using something like PuTTY (download from – https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) to manage the server.

For this portion of the guide you will need the following lines of script-

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install openssh-server

sudo reboot

Step 4 – Install OpenVAS

Here comes the good bit! The initial installation of OpenVAS and downloading of the lists of vulnerabilities.

For this portion of the guide you will need the following lines of script-

Step 5 – Change the default password!!!

Now that OpenVAS is running it’ll be using the default username/password combination of admin/admin, how brilliant is that!

Step 6 – Allow API Access

For the last step in this guide we will set it so that the port for API Access to OpenVAS is enabled on every boot of the machine.

sudo nano /etc/rc.local

sudo openvasmd -p 9390 -a 0.0.0.0

sudo /etc/rc.local

Next up….

So that’s things setup, in the next guide (hopefully following in a day or two) we will be using the API to create a list of victims to test against and generate reports for a ‘list of things to do’.

If you are running (or use) the Sympa Mailing List but also use Windows PowerShell then you may want to be aware of PSSympa which recently went v1.0 on GitHub and the PowerShell Gallery.

In this release we have…

Functions

  • Get-SympaLogin (to login and get a session cookie – the result of which is used with all other functions)
  • Get-SympaMailingListMember (get the members of a list or list(s))
  • Add-SympaMailingListMember (add a member(s) to a list)
  • Remove-SympaMailingListMember (removes a member(s) from a list)
  • Test-SympaMailingListMember (checks to see if someone is a Subscriber, Owner or Editor of a list)
  • Sync-SympaMailingList (based on the contents of a reference CSV makes changes to the membership of a list)

Samples

  • How a CSV storing credentials might look (samplecredsfile.csv)
  • How a CSV that is used to Add/Remove members in bulk to/from a single list (samplememberslist.csv)
  • How a CSV that is used with the Sync- function would look (samplesynclist.csv)

Super Awesome Features

  • Credentials can be stored in a CSV to avoid them being typed in as part of a wider script
  • Pipeline support for members in lists

How to get it

The PowerShell Gallery is the best route to get your hands on the Module, see this link – https://www.powershellgallery.com/packages/PSSympa for the full details in short though you should only need to run the following command at your PowerShell prompt (assuming you are running a recent version of PowerShell) to install the module on your PC.

Install-Module -Name PSSympa

Continue reading

With the continued rise of ‘Next Generation’ Anti-Virus like Sophos Intercept X and PaloAlto Traps the question from many SysAdmins might be well how do I deploy these?

If you are looking at Intercept X and you already are Running Sophos Central (with Endpoint Protection) the simple answer is a press a few buttons in the Admin Console.

In short, login to Sophos Central (https://cloud.sophos.com/manage/login) go to Endpoint Protection > Computers > Manage Endpoint Software > Intercept X > Add your computers from the displayed list > click Save.

For a more in depth walkthrough take a look at the screenshots below. One quick note – due to the changing nature of Sophos Central (previously Sophos Cloud) its quite possible that the look/feel of the Admin Console will have changed between the time I published this article and you read it.

Once you have deployed Intercept X to your existing machines be sure to update your installers to use when deploying new computers. You can download these from the ‘Protect Devices’ button on the Admin Console Dashboard.

One of my favourite features of PowerShell is the Invoke-RestMethod cmdlet which (among a great many other things) can download the data from an RSS feed. One application I’ve found for this is to stay on top of security bulletins from organisations like Adobe and Drupal.

However just downloading the data from the feed and kicking it out in an email isn’t quite good enough for my needs thus the script below gets data from a CSV which contains the URL to the feed as well as some extra details to inject into any email notification (e.g. a link to the guide on how to deploy Adobe Updates).

In my production environment this script creates tickets on a FreskDesk helpdesk to log and manage any new update notifications. In the attached example below the script just fires off email notifications.

Have a look at the screenshot sequence below for more info!

  Get-Rss (4.0 KiB, 234 hits)

Update 09/05/2017 – v0.2 – Now handles XML and Arrays in the link and title objects (good for reddit and blogspot!)

As some readers may know I currently work in Higher Education and while all of the business data is trivial to backup providing any level of backup service to students and academics is significantly harder. The challenges faced include the myriad of Operating Systems in use (Windows/OSX/Linux), the fact that the devices being backed up are inherently ‘untrusted’ (i.e. owned by the individual) and that they are often on networks (be it eduroam/public/home) that have no direct connectivity back to the internal trusted network.

Most enterprise class backup systems just aren’t suited to this kind of environment in that they cannot be securely published through a firewall or have exorbitant licencing costs for the number of devices to be protected (a few file servers vs 500+ student owned laptops).

One solution to this issue cropped up at a recent trade show where Synology were demonstrating their Synology DiskStation Manager NAS software which set itself apart from the traditional enterprise backup solutions with…

  • Support up to 16,000 users on high end models (and 2048 on the kind of model that we would consider using) with no extra licencing costs, users can have storage quotas set either by group or per user
  • Secure remote access (simply publish a single port which can be protected by HTTPS for encryption in transit)
  • Home grown backup clients for modern versions of Windows, OSX/macOS and Linux
  • On the point of OSX/macOS the backup client for Synology does not rely on Time Machine and so overcomes the issues associated with having to be on the same network as your backup device
  • Home grown Btrfs file system which auto detects (and fixes) corrupted files through metadata along with extensive snapshot support
  • Up to 32 recovery points and real-time file protection (when connected to the DiskStation)

So time for some screenshots! Below we have the initial setup of the Disk Station Manager and the installation of the client on a Windows PC.

Then restoring a file that has been deleted on the Windows PC; note that you can restore either individual files or entire folders to a point in time.

The same but for OSX…

So that’s all of the good, the only downside we have found thus far is while shared drives can be protected with encryption it is not possible to protect each individual home area (per user) with a unique encryption key thus opening up issues with data privacy. However, if you consider the following scenario…

  • A business needs to provide backup to remote workers
    • Those remote workers do not connect to the trusted network often
      • Perhaps they don’t like VPNs/DirectAccess (and so rules out using Offline Files)
    • and those remote workers do not use a commercial ‘cloud’ service to protect their data with
      • Perhaps trusting a 3rd party to host the data is not an option
    • The remote workers use OSX/macOS

…then using a Synology DiskStation should be a serious consideration for that business.

So this post is a more a reminder to me than anything else but…having recently come across the Microsoft TechNet article ‘Keyboard Shortcuts for the Windows PowerShell ISE’ (https://msdn.microsoft.com/powershell/scripting/core-powershell/ise/keyboard-shortcuts-for-the-windows-powershell-ise) I thought it necessary to highlight the two keyboard shortcuts….

Ctrl + J – brings up a list of code snippet templates (e.g. try-catch-finally and do-until)
Ctrl + M – expand or collapse braces

See the screenshots below for a demo and do make sure you try them yourself!

If you are looking for a free tool to manage some of the more intricate features of the Gemalto IDPrime .NET and MD cards then the Mini-Driver Manager (downloadable from http://www.gemalto.com/products/dotnet_card/resources/development.html) may well fit the bill. However it has one small downfall in that out of the box it only allows you to manage cards with the Admin Key set to 48 0s or 48 Fs with neither option being much use to anyone once they have changed the Admin PIN.

Luckily these values are only set in a INI file so its pretty easy to change them to anything else.

Please note that this guide uses a feature in Notepad++ to elevate an application to have local Admin access, you can download Notepad++ from https://notepad-plus-plus.org however you could also use plain old Notepad you’ll just need to launch it as an Administrator and browse to the INI file within Notepad.

On with the guide!!

So after meaning to play with Smart Cards in greater detail for some time we’ve just received a set of cards and accessories from Smartcard Focus (http://www.smartcardfocus.com/) including….

  • Gemalto GemPC Shell Token V2 (IDBridge K30) (a USB dongle style Smart Card reader which you can see in the screen shot sequence below)
  • Gemalto IDPrime .NET smartcard – SIM cut (to go in the IDBridge K30)
  • Gemalto IDPrime .NET card – just your standard Smart Card
  • Omnikey 3121 – just your standard Smart Card reader

One of the first things I wanted to do was get PIN complexity and policy defined; the chaps over at Gemalto provide a number of tools which can be used to manage the cards which can be downloaded from the links below…

http://www.gemalto.com/products/dotnet_card/resources/development.html

http://www.gemalto.com/products/dotnet_card/resources/libraries.html

So time to get on with the guide (which also shows you which downloads are needed from the links)!

48 0s typed out… 🙂

000000000000000000000000000000000000000000000000