Security Stories and Help with Network Documentation

Having written SYDI from scratch, I know it inside and out. Unfortunately I don’t think I’ve managed to communicate how SYDI works in an efficient way. The readme file included in SYDI is far from perfect. While people in this line of business can usually figure out how it works, others will just ignore reading the manual anyway. In this how-to I will go through the basics of how SYDI-Server works and then describe how I use SYDI-Server.

Getting the Software

You probably have the software already, but just in case. Download it from the SYDI website, or if you love this site and don’t want to leave it no matter what: you can download it from here. This guide is written for SYDI-Server 2.0, if there is a newer version when you read this, don’t worry; it should be useful anyway. Just be sure to check the changelog.txt file for new features.

Unzip the file to your target directory.

Running SYDI in default mode

To see what the software does, open a command prompt and navigate to your sydi directory. This step requires you to have Microsoft Word installed on your computer. Type the command:

cscript.exe sydi-server.vbs [enter]

A message box appears and asks you which host you want to target, the default is localhost. You can select another host if you have administrative access on that machine. Though for now, just press enter.

In the command prompt window you will now see that SYDI starts to gather information about your machine. Soon a Word document is created and SYDI writes the information gathered into the document.

Take a look at the document. Not all this information will be relevant to you and you can remove the parts you don’t want by reading further. Close Word, or save the file it if you want to.

The Options

To view the available options use the help command (-h):

cscript.exe sydi-server.vbs -h [enter]

Options in five categories will be listed; Gathering, Output, Word, XML and Other. In reality there are only two, Gathering and Output.

Gathering the Information

Breaking down the gathering option we have five different arguments -w for WMI options, -r for Registry options and -u and -p for username and password if you want to connect to a different user. Finally we have the -t option where you specify which host you want to target against.

Looking closer at the -w argument from the help menu (-h) you could see that SYDI defaults to using -wabefghipPqrsSu, meaning everything gathered from the WMI providers will be included.

You cannot remove everything from the report, but let’s create a document without all the extra information. Run:

cscript.exe sydi-server.vbs -w [enter]

As you can see the report created is much shorter than the previous one. We have removed the optional WMI providers, but we still have the basic ones and the information coming from the Registry.

To choose which options you want, just check the help menu and see what they mean. If we want to add Bios Information, Printers and Services we would run:

cscript.exe sydi-server.vbs -wbps [enter]

This way you can pick and choose the options you want. The Registry switch works the same way. For an even smaller report you can run:

cscript.exe sydi-server.vbs -w -r [enter]

Now you can add the registry options that you want. Please note though that a lot of the “Computer Roles” are gathered from the Windows Components, so if you want these roles you must have the Windows Components in your report (-rc).

Using the -t option removes the message box asking you which host you want to target. A few examples of using the -t switch:

cscript.exe sydi-server.vbs -tServer1
cscript.exe sydi-server.vbs -tDC1
cscript.exe sydi-server.vbs -tWebServer
cscript.exe sydi-server.vbs -t192.168.0.10

The user and password options should work as you would expect them to, if they don’t: report the bug to me

Word Options

As you’ve seen, sydi-server defaults to writing output to Word. The reason for this is so that you can get a quick overview of what the script can collect without having to do any tricks. Having said that, I only use the Word option to get a quick view of a machine, later I throw away the document. I always use the XML format which I later convert to a Word document, more on that later. Even though you won’t use the Word options much we’ll just take a quick look at them to see what you can do, it won’t be a total waste as a few of the options are used by another script called ss-xml2word.vbs.

-b is for the border of the tables created in the document. As you might have noticed there isn’t any borders by default (when you print the document). You can use all borders you have installed in Word. To test it, type:

cscript.exe sydi-server.vbs -b”Table Contemporary” [enter]

-f is if you want different font sizes, the default font size for the text is 12. To change it, use:

cscript.exe sydi-server.vbs -f8

-d tells SYDI not to display Word until the entire report is written. Using the -d option makes the process go faster. Also if you want to save the file (-o option, more on that later), you might not want to see Word at all. For example if you are running a scheduled task you don’t want a GUI to be loaded.

-n will remove all the text inside the brackets, such as “Logical location: [provide info: Server VLAN 2]“. This way you won’t have a bad conscience about not completing the documentation. But as I have already stated, the whole idea of sydi-server writing directly to word is obsolete. If you start changing the document after it is created and want to run SYDI again your changes will be lost, or you will have to cut and paste them to the new document. There is a way around this though (hint: continue reading!).

-T This is if you want to specify a corporate Word Template file (.dot), which enables you to choose which fonts you want to have as well as their size. This way you can get your “look and feel” in the document.

Read Part 2
Read Part 3

Tags: network documentation, server documentation, sydi, how to, tutorial

“Can you really break out of jail with just Microsoft Word, or are you just pulling my leg?”

No I would never do that, Word is really powerful, it can take you places!

Intended audience

If you are a convicted felon and reading this from prison; sorry but you are not the target audience. However, don’t despair: there’s something in here for you too!

This article is for people who care about security. If you don’t fall into this second category you really are in the first group, i.e. not the intended audience. When I’m talking about “jail”, I’m referring to a restricted Windows environment. What I mean with this is a locked down Terminal Services session, or a public Windows XP box in “kiosk” mode.

Administrators who have locked down their terminal services sessions care about what the users can do on the machine. They only want users to run the programs that are approved by the security policy. This means no cmd.exe, no freecell and no poking around in the system.

So why isn’t this article for people who haven’t locked down their environments? Because of the good ol’ “Security is a Weakest Link Problem”, meaning if you haven’t even tried to lock down your environment, you have other issues to take care of before you read this article.

Operation Lockdown

For the environment that I have set up to test this, I’ve installed a Windows Server 2003 machine and set it up to run Terminal Services. I’ve also installed Office, the goal here is to only allow a user to run Microsoft Word and nothing else.
The user’s desktop is then redirected to a share where the user doesn’t have write access. The desktop contains one item; a link to Word. Logging in to the terminal server, everything looks good; the user can basically run Word and change his password.

Apart from the above setting the rest of the GPO settings are located at the end of this article. It’s basically a few lockdown settings and a software restriction policy defaulting to “disallowed”, with an additional path rule allowing Microsoft Word.

Given this configuration let’s see what we can do.

Where does Word enter into it?

I guess the title says it all; Yes, Word is the application we are going to use to break out of the locked down jail. If you’ve tried my SYDI project, you’ve probably realized that I like Office automation. This concept would work in any Office application but I have chosen Word. If you don’t have Office installed in your locked down environment, I still think you should continue reading. Hopefully you’ll enjoy the article anyway.

What I’ve done is to write a Word macro which allows me to run shell commands or code of my choice.

You might object and say, “So? I have Macro Security set to Very High. You’d have to digitally sign the macro first.”

I most certainly would not! The Macro setting in the Office suite is to protect you against an entirely different threat. In that scenario the threat is that an attacker can send us (or our users) a Word document with an evil macro inside which is run when we open the document.

This setting does not disallow developers to create macros, run them while developing and then sign them when they are in a state where they can be shared with others.

What does this mean for us? It means that we cannot use a pre-created Word document which contains the macro. We have to create the macro ourselves on the fly each time we want to run macros. See the difference? The security setting in Word doesn’t disallow you to create and run your own macros. If we would save the document and open it again, then the security setting would kick in and disallow the macro. If we had signed it before saving then we would be allowed to run it.

In order to prevent this we would have to have a setting in office called “Don’t Allow Users to Develop Macros”.

VBA-PrisonBreak

I named the macro I created VBA-PrisonBreak (I must have been watching too much TV). You can download the VBA-PrisonBreak from here. To test it in your environment open up Microsoft Word and press [Alt]+[F11] to enter the VBA editor. Double click on “This Document”. This will give you a code Window on the right side. Copy the contents from the VBA-PrisonBreak.txt file and paste it in the Window. The file contains different subroutines, or programs if you will.

To run one of these programs you set the cursor somewhere after the Sub [Program] and before the End statement. To execute the program you press Play or [F5].

To give it a try and test something harmless, start the routine called RunCommand() and enter.

ping 127.0.0.1

When the command is completed, go back to the Word document. If everything worked out as it should you will see which command you tried to run and the results.

Let’s see if we can poke around a bit:

cmd /c dir

Hm, this won’t work unless we have command prompt scripting allowed. Then again we can create scripts of our own and run them instead. Another sub routine of VBA-PrisonBreak is called ListFilesinFolder() and takes a directory as an argument. This is just a simple example but a lot can be accomplished by scripting.

So we haven’t done anything terribly exiting. The commands we can run by using the RunCommand() routine depend on a few factors, we will look at the Software Restriction Policies. We know we can run Word, but what about the default additional ones? Among others this includes commands under c:\windows and c:\windows\system32.

“net view” and “net user /domain” might be interesting and could give us some information. After looking around we might come to the conclusion that we want to run a command which isn’t allowed by the software restriction policy.

As a normal unprivileged user we will not have write access to c:\windows or c:\windows\system32, so we can’t place any files in those directories. But in our configuration we have write access to c:\windows\temp, and even better CREATOR_OWNER has Full Control. If we can place a file in this directory we will be able to run it with RunCommand() by entering:

C:\windows\temp\mycommand.exe

Now how would we place a file there? We can’t just use copy since cmd.exe is blocked. We might be able to use xcopy or tftp. If tftp isn’t available we might still be able to expand (.exe) it from c:\windows\i386\tftp.ex_. There is also a function in VBA-PrisonBreak which lets you download files through http (HTTPDownload()). It takes source url and target file as arguments.

From here we can download netcat and gain shell access to the server. Note that cmd.exe is still restricted; unfortunately an attacker can use another file or edit a version of cmd.exe. This edited shell file can then be placed under c:\windows\temp.

It is important to realize that the credentials used in this shell will be that of the unprivileged user account.

How to Protect Yourself

It’s really easy to protect yourself against this feature, remember this is not a vulnerability or an exploit in Windows or Word. We are trying to remove features from Windows (such as disabling cmd.exe), since the features we want to remove can be used in harmful ways.

When you install Office you don’t have to install all the features, one of these features is vba (Visual Basic for Applications). Without vba this prison break wouldn’t be possible (in the way I’ve described). You can find information about this in the Office Security pages. However as you can see on the page, Microsoft recommends that you don’t disable vba and also lists the reasons why, so you have to decide for yourself. This page also mentions the “very high” macro setting, but remember what I said before: this setting doesn’t apply in this context.

Another option is to disable vba through group policies. You can do this by using the .ADM files for Microsoft Office. This is only an option if you won’t be using any macros.

Even if your business requires you to be able to run vba, I have three words for you; Defense in Depth. If one part of the system fails, this shouldn’t mean that the defense has been breached.

The default Software Restriction Policies obviously didn’t restrict as much as we would have hoped. We will definitely want to explore these settings. If a user has write (and execute) permissions to any location within a SRP Path rule that user can run whatever he wants. You could set up deny rules for these directories or you could tighten the NTFS permissions and remove execute permissions.

It would be nice if the default policies provided some sort of protection, at least since Microsoft has written in several places that they shouldn’t be changed unless you are an “advanced user”. But the Software Restriction Policies can be fixed and in this case that’s not really the problem. Since we can write VBA code we have a lot of options. VBA-PrisonBreak is mostly a proof of concept; it doesn’t really do much.

On a network level if we take the example with tftp, there’s no reason why this should be allowed to or from your machine. If we were only supposed to run Word, allowing http doesn’t make much sense either.

Earlier on I said it would be good if there was a setting in Office called “Don’t Allow Users to Develop Macros”. Unfortunately, as far as I know this kind of setting doesn’t exist. However we can create one of our own. The VBA editor is using vbe6ext.olb which by default is located in this location:

C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB

If we deny the execute permission (NTFS) to this file for the users we want to lock down they won’t be able to launch the vba editor, but will be able to run signed macros. A little word of caution; I don’t know if there are any other issues you should be aware removing execute permissions to this file, but I don’t think there is.

The problem with scripting

The macro RunCommand() creates an object called Wscript.Shell. Is this required by your business? If you remove the NTFS execute permission (for the terminal services users) to the file c:\windows\system32\scrrun.dll, they won’t be able to use the RunCommand().

Is there another library an attacker can use if you deny the features from Wscript.Shell? Disabling scrrun.dll would still allow a malicious user to download files with HTTPDownload() it uses an object called Microsoft.XMLHTTP. There are a lot of scriptable libraries in Windows. Chasing them all down is hard, and it wouldn’t solve the whole problem.

As I said above the problem isn’t related to Software Restriction Policies. Even if the SRPs are set up in a way that would prohibit the user to run a non approved executable, that user would still be able to write vba code. If vba code isn’t scary enough, an attacker could pre compile a dll with a com interface and load the functions from that dll from vba.

The Weakest Link

To find the weakest link you might have to think outside the box. But that is the fun part of security.

Ask Jesper what he thinks of Security Guides and he will tell you that they won’t make you secure (or in Jesper-/Stevespeak you won’t be Protected).

I think security guides are great but still they are just guides, not a blue print for a secure network. Most guides are fairly generic and you have to decide what parts of it to use in your environment. The security of a network isn’t as strong as the sum of all security settings; it’s as strong as the weakest link. When it comes to SRPs, a guide can’t tell you which applications makes sense in you environment.

Summary

VBA-PrisonBreak in itself won’t allow a malicious user to take control of your server. That user would have to escalate his privileges first, unless the attacker was a “power user” or an administrator to start with.

VBA-PrisonBreak is just a way to gain another foot-hold in your environment. When trying to protect our networks we don’t want to give any more ground than we have to.

If you are a criminal and have been wondering through this article how Word can help you to get out of a real prison: It’s quite easy really; just open up Word and start writing “Dear Congressman”, press [enter] twice and write your plea for pardon. If you’re really lucky a magical paper clip will come to your aid!

Note: We did not lock down the Help Menu in Word, but since we didn’t use it to gain access that way I chose to ignore that and a few other threats in this article.

Credits

I, Patrick Ogenstad, work at Netsafe. I would like to thank John Laerum from Cornerstone for providing feedback on this article.

If you liked this article, please stick around! You can subscribe to the “feed”, or get updates by email. Also be sure to check out my security fiction stories.

If you have any feedback concerning this, please post a comment or contact me.

Appendix

The group policy settings used in the test environment:

• Hide these specified drives on My Computer – All Drives
• Prevent Access to Drives on My Computer – All Drives
• Remove My Computer Icon on the Desktop
• Remove My Documents icon from Start Menu
• Remove Help Menu from Start Menu
• Remove and prevent access to the shutdown command
• Remove All Programs list from the Start Menu
• Prohibit Access to Control Panel
• Removed pinned Program list from Start Menu
• Remove frequent program list from Start Menu
• Remove Search Menu from Start Menu
• Remove Run Menu from Start Menu
• Remove Recycle Bin icon from Desktop
• Prevent Access to the Command Prompt – Disable Command prompt scripting also
• Prevent Access to registry editing tools
• Run Only Allowed Windows Applications – winword.exe
• Software Restriction Policies – Default Security Level – Disallowed

I have left the default additional path rules as unrestricted:

• %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
• %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
• %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
• %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

Office in installed on D:\ so I added one path rule:

• D:\Program Files\Microsoft Office\OFFICE11\winword.exe

Tags: Security, Locked Down, Software Restriction Policies, Terminal Services, VBA

Two weeks later a server from Exibice connected to a box under n3m0’s control. Show time, I wonder if Mark can say ‘Schema Admin’.

At Beateval

“Hello, this is Thomas how may I help you?”
“Hi, my computer just went all blue. I tried turning off the power but now it doesn’t start.”
“Did you change anything on your computer?”
“No, and my colleagues have the same problem.”
“Huh,” suddenly Thomas saw the counter for incoming calls rising drastically.

Someone shouted behind him when he looked back on his computer screen he saw that the virtual machine he had connected to the Exibice network had crashed. The host machine on the Beateval network was running fine.

At Exibice

“What is happening?” Mark roared.
“We don’t know,” Keith whispered.
“What do you mean don’t know, what have you done?”
“It was just patch Tuesday, one of the updates might have been flawed.” Ben said, his voice not much louder than Keith’s.
“Then remove the damn flaw!”
After a moments silence Keith worked up the courage to answer, “We can’t.”
Mark just stared at him, Ben jumped in.
“We can’t get into the servers, our passwords doesn’t work. Something must be wrong with the AD.”
“The local server passwords don’t work either.”
“Oh, how delightful,” Mark said sarcastically. At least I won’t have to spend a fortune on Christmas bonuses. “Didn’t you write the passwords down somewhere?”
“Yes, but we think someone might have… changed them.” Keith said nervously.
“Thank god it’s Friday then, now you know what to do during the weekend. Let me know when this is fixed, I don’t care what time you call.” Mark walked away.

Ben and Keith exchanged a glance, neither of them looked confident.

Mark called them both several times during the weekend, not once did they have any good news to share with him. When Monday came the network was still a mess, and nobody could work.

Two weeks later the network had been redesigned from scratch. The board of directors wasn’t impressed. Shortly thereafter Mark was sacked and a new CTO was hired along with a separate CIO.

Please note this is a purely fictional story, any names found here are made up. I’ve written this because I like writing, if someone reads it and enjoy it: great. If they get more conscious about security, that’s a bonus. If you have feedback or comments on the story please share them.

Further Reading:

• Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures

• Disgruntled employees and Intellectual Property Protection

• Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft

Tags: security, security fiction, fiction, insider threat, disgruntled employee, physical security

Hours later when n3m0 left the server room, he felt like a plague bearer. Almost everything in the server room had been infested; the sysadmins would still believe they were in control. They needed to be secure in that belief for the time being. n3m0 didn’t want anything to happen while he still worked there. After leaving his employment, n3m0 would be glad to enlighten the network guys and show they who was in control.

He had copied several gigabytes of corporate information, along with the customer database, to Peter’s desktop. Now all he had to do was to transfer it to his external USB drive. It was far too late, or early, to go home. Even if he had the time he would have to use his access card to leave the building and that kind of log entry was unacceptable. Fortunately n3m0 had brought extra clothes in his rucksack, so he changed into “tomorrow’s” clothes. Can’t do much about the smell though, n3m0 thought as he unplugged the USB drive and shut down the computer. Again he headed for the storage room and settled in to sleep.

An hour and forty minutes later he woke up as he heard people talking outside the room. He gathered his things, when the conversation died out he headed for a toilet. His mirror reflection told him he had made a good call going there first, his hair was pointing everywhere. I could star in a zombie movie!

He tried to fix his hair as best he could and headed for his workstation. n3m0 spent the day trying not to fall asleep, he would hand Jennifer his resignation tomorrow. Not having a clue what Exibice offered in terms of employee exit policy he didn’t want to risk being escorted out by security guards, at least not when he had the USB drive in his rucksack.

The second reason he wanted to stay was that he wanted to see if anyone had noticed his nocturnal activities. During lunch n3m0 saw several of the network staff who were smiling and chatting away. They don’t have a clue.

n3m0 crashed in his bed when he came home and slept until morning. He woke up starving, he didn’t have any kind of food at home. As he was going to quit his job today he didn’t feel a pressing need to show up in time. He stopped by McDonalds on the way.

“Good luck in the future, clear your desk and leave.” n3m0 hadn’t expected tears from Jenifer, but perhaps more than ten words.

Tags: security, security fiction, fiction, insider threat, disgruntled employee, physical security

Yesterday I updated the address to the RSS Feed, the new address is http://feeds.ogenstad.net/Ogenstad. If you don’t know what a Feed is read about it on this page. If you want to stay up to date with the site but don’t want to use the RSS Feeds you also have the option to subscribe by email.

The old feeds will continue to work but that might change in the future so please point your RSS readers to the new url.

The Tale of the Disgruntled Employee is coming to an end. The next story will be about midfr0st. If you have any thoughts or feedback regarding the stories or site in general please share them, either as comments or you can contact me.

If you haven’t read all the stories (I’m saying all here since it sounds more than five :)) you can find them in the story section. I will add all the links for the Disgruntled Employee as soon as the story is finished. Hopefully this list will grow large.

Tags: rss, feed, url, security fiction

n3m0 inserted the power cord again and started the machine. He placed his CD in the tray and made sure the server booted from it. The boot process seemed to take forever. He jumped when a tape robot came alive behind him and started rotating tapes.

“Damn”, n3m0 screamed. If he was lucky, and the sysadmins sloppy, they might not notice that the server had “crashed” during the night, but if the backup failed someone would check it out. I have to get the server back up again.

Finally the system was done loading, he configured the network, opened up a command prompt and typed:

c:
cd temp
md temp
cd temp
copy c:\windows\system32\cmd.exe

He opened the Opera browser and downloaded srvany.exe which he placed in the C:\temp directory. n3m0 grabbed another tool and double clicked on the application, RegistryEditorPe. When the registry loaded, he browsed to the HKLM\_REMOTE_SYSTEM\ControlSet001\Services key. He added a new key and called it revenge. Under his revenge service he filled in Type, Start, ErrorControl, ObjectName, ImagePath. This will be perfect, n3m0 was humming to himself as he added a new key; Parameters.

Under it he created two entries Application with the value ‘C:\temp\cmd.exe’ and AppParameters with the value ‘/k dsadd user “cn=root,cn=users,dc=exibice,dc=com” -samid root -pwd Password13 -memberof “cn=Domain Admins,cn=users,dc=exibice,dc=com”‘

n3m0 closed the registry editor and clicked start, shutdown options, reboot (eject CDs). Again the boot process took an eternity. He wished he had a blue pill to feed the server. When Windows was done booting, n3m0 issued the three finger salute, and entered root and password Password13. The instant he hit enter he was presented with a message box.

Logon Message
The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.

n3m0 just stared at the message box, this is not happening. He knew he had typed it in right, but tried again anyway. The same message was returned.

Something inside n3m0 clicked and he started swearing and shouting at the server. After a few minutes he calmed down, he was sitting on the switch again talking to the server.

“You know, I wish someone would develop artificial intelligence. That way you’d understand how much I hate you.”

In his imagination the server answered him. “I might be slow, but you’re not the sharpest tool in the box either.”

Slow, of course, n3m0 pulled the power cord and booted from the CD again. He added a parameter to his revenge service; DependOnService with the value; dns netlogon.

After another long reboot n3m0 logged as root, the newly created domain administrator on the Exibice network.

0wned!

Tags: security, stories, fiction, insider threat, disgruntled employee, physical security

The humming servers seemed to sing to n3m0. He walked around the server room watching all the different LEDs. This is what my apartment should look like, n3m0 smiled as he grabbed the CD from his backpack. He was whistling as he began to spin the disc on his index finger, the label read ubcd4win.

On the previous occasion he had had a quick peek inside the server room, this time he walked around and really absorbed his surroundings. He found himself yawning and feeling a bit cold, he only had his t-shirt and the cooling system was a bit too effective for his liking.

n3m0 saw a lot of equipment that he wanted for himself. Thoughts of his own economy were returning to him, if he didn’t take the “job” at Beateval he would be broke. I’m already broke. n3m0 took a seat on a disconnected switch.

I’m not working for Jennifer, he just sat on the switch and stared at one of the racks. n3m0 missed the adrenaline rush he usually felt when breaking into systems. He started seeing images of his land lord kicking him out and he was still pissed at orion’s inability to get him some sort of job. The taste of the coffee felt sour in his mouth.

The spinning sound of a bad fan woke n3m0 up an hour later, he had fallen asleep sitting on the switch. With a severe pain in his neck, he turned his head to see that his pillow had been a server. It had a sticker which read “Exibice Forest Root 2 - EXDC02″.

He inhaled sharply and felt his heart beating faster. Just watching the sticker made him feel the same way he had when Jennifer made eye contact with him that first time. He laid his hand on the server.

“We are going to have a good time.”

While dreaming, n3m0 had seen himself as a powerful man with thousands obeying his will; his worries about his financial situation had vanished.

He felt a moment of panic when he realized the CD had disappeared; n3m0 wiped of some drool on his sleeve and stood up. He saw the CD under the switch, picked it up and carefully wiped away the dust.

He felt the rush coming and sweeping him up, he wondered if Thomas would get any blame for what he was about to do. n3m0 found the thought very amusing. Thomas’ idea of living wild went as far as solving sudoku with a non erasable pen.

“Don’t worry dear, this won’t hurt a bit,” he told the server as he pulled out the power cord.

Tags: security, stories, fiction, insider threat, disgruntled employee, physical security

I’ve just received two more translation files for SYDI-Server 2.0, or more specifically for the script ss-xml2word.vbs which converts an XML file from sydi-server into a Microsoft Word document. It also uses a language file which contains a lot of the text that is written to the final word document.

To use this file files you run:

cscript.exe ss-xml2word.vbs –xServer1.xml –llang_dutch.xml –sServer1_docs.xml

I’ve gotten quite a few emails from people who aren’t able to get the script working correctly. In those cases this has been due to path issues. Instead of the expected result you’d only get a small doc file without any relevant information. In the above example it is assumed that all the files (ss-xml2word.vbs, server1.xml, lang_dutch.xml and Server1_docs.xml) are all located in the same directory. If your files are in different locations you have to include the path to the files.

I will try to use a more user friendly error in the next version version of ss-xml2word.vbs.

The file I specified in the –s parameter is optional. This is a file you create, there are examples in the example directory. In the file you can specify information such as physical location of the server, service contract, and contact information for the administrator. Basically it’s in that file you are supposed to write the documentation about the server, this way you can keep the written documentation separate from the wmi information sydi-server has gathered.

At the moment I’ve just added the files as patches, the Dutch file can be downloaded from here and the Portuguese file from here! I’ve also added all the translation files I’ve received so far to the download section on the SYDI site.

I would like to thank Kilian Wester for sending the Dutch file and Luis Barreto for the Portuguese version!

Tags: sydi, network documentation, dutch, portuguese, translation, software, inventory, vbscript

The wait was killing him. His iPod had gone dead an hour ago. How could I forget to charge the batteries? It was still an hour until show time, n3m0 had considered going before his set out time but in the end he forced himself to stay put. It’s better if no one is around.

The last hour seemed to take longer than the entire day. When the alarm he had set finally went off, n3m0 felt sore and tired. Here goes, he thought while leaving the room.

His first stop was the coffee machine. It tasted like the coffee had been scraped of the wheel of a car before being brewed. But it was late and n3m0 needed to stay awake. He returned to his cubicle farm, booted up Thomas’ computer and entered Thomas’ username and password. n3m0 had been practicing his shoulder surfing skills and didn’t think his coworkers were aware of his exercises. He knew what Thomas’ password was two months ago, if it didn’t match now all he had to do was to increment the last digit by a number or two.

Off to the throne room then. Next to the entry door was a keypad with the numbers 0-9. n3m0 chuckled at the memory of Mark and a sysadmin guy telling the helpdesk staff about the security in place to protect the company assets. When talking about the lock that n3m0 was standing in front of now, Mark had said:

“To pass the door an attacker has to enter the correct four digit code.”
Keith, the sysadmin, filled in, “if someone tries more than five times within half an hour the alarm goes off.”
“And how many combinations were there, three million?” Mark asked with a smile.
“Let’s see,” Keith pretended to think. “It might have been four, well it’s millions anyway.”
“Not even I know the code, and you’re not going to tell me are you?”
“I could,” Keith started, “but I would have to kill you.”
Mark laughed together with the group.
“I guess a good sledgehammer would do the trick.” James pointed out.
“Not true,” Mark said, “if the door isn’t opened by the keypad the alarm goes off.

It might have had millions of combinations when the system was introduced. Mark’s had made the mistake of viewing security as a constant; once in place it would always protect you. The only constant is change, n3m0 thought. The numbers 0, 1, 2, 6, 7, 9 looked like they had never been used, the numbers 3 4 5 8 were so worn that it was hard to make out the digits.

A million different combinations, ha! Try 24! (4*3*2*1) A few months ago n3m0 had wanted to see what the server room looked like, so when he was leaving for the day he had walked by the server room and punched in three different codes. Mark might have lied about the number of codes you could try before the alarm went off and n3m0 didn’t want to risk that by testing five in one go. Anyway, at a rate of three he would have access to the server room in eight days, if he really wanted to it could be done in a day if he went there once every 30 minutes. He had opened the door on the fourth day, but on the third he didn’t even try since someone had been standing outside the door.

n3m0 punched in the code 5834. A green light was lit and the door opened, he could hear the buzz from the servers on the inside.

Tags: security, stories, fiction, insider threat, disgruntled employee, physical security