Security

Check Point Firewall: Disconnect VPN or Mobile Access Clients

If you need to forcibly disconnect a user from the firewall, there are a few ways I am aware of that will force users off the VPN.

Installing the Security Policy: this clears the cached authentication of the remote user. It doesn’t seem to disconnect them outright, but it prompts them to re-enter their credentials.

Expiring the user in SmartDashboard, or changing the user’s password, and then pushing the Security Policy.

Logging into the console of the firewall and using the vpn tu command to disconnect users (documented under Check Point’s VPN Commands).

My favorite method is SmartView Monitor:

Open SmartView Monitor > Users and click any of the views (Users by Gateway, Users by Name, All Users, CheckPoint Mobile Users). After finding the user you want to disconnect, right-click it and choose Reset Tunnel.

Gain access to former user’s OneDrive data

In most organizations, employees will leave at some point. In most cases you will want to access and protect their data, such as documents and emails, and then transfer ownership to a manager or a new employee. Dumping the user’s home directories and the contents of their hard drive is common practice, as is exporting their PST from Outlook or directly from Office 365’s compliance center. Often overlooked is the content of the user’s OneDrive.

OneDrive for Business may have been used not only to store and share documents but also as an archive space for the employee. Note that OneDrive lets the user keep its contents synced with their computer or keep them in the cloud only, so the traditional method of backing up the computer may not capture this data.

I suggest taking the following steps to gain access and download the contents:

  1. Sign in to Office 365 with your admin account (an account with administrative privileges).
  2. Go to the Office 365 admin center.
  3. Go to Active users and select the user.
  4. Expand OneDrive Settings in the user details pane, and then click Access files.
  5. Copy the files to your own OneDrive for Business or a common location.

Note:

  • If you only remove a user’s license but don’t delete the account, the content in the user’s OneDrive remains accessible to you, even after 30 days, by default.
  • Before you delete the account, move the content of their OneDrive to another location that’s easy for you to access. If you have already deleted their account, you have 30 days to restore it.

If the account license has already been removed, the following steps can be used:

  1. Sign in to Office 365 with your admin account (an account with administrative privileges).
  2. Go to the Office 365 admin center.
  3. Go to SharePoint.
  4. In the SharePoint admin center, select User profiles.
  5. Select Manage user profiles.
  6. Enter the former user’s account name under Find. Note: you may have to switch from Active Profiles to Profiles Missing from Import.
  7. Choose the account, click the small (easily missed) black arrow, and select Manage site collection owners to add your admin account to the site collection administrators.
  8. Once added as a site collection owner, choose Manage personal site to open the site settings page of that user’s OneDrive for Business site.
  9. Next, change “setting.aspx” at the end of the URL to “onedrive.aspx”.

You should now be in the user’s OneDrive folder and able to view its contents.
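The same result can be reached from the SharePoint Online Management Shell instead of clicking through the admin center. This is an added example, not code from the original post: it assumes the tenant name `contoso`, and the admin account and former user addresses are placeholders.

```powershell
# Added example (not from the original post): grant an admin account
# site collection admin rights on a former user's OneDrive for Business
# site and print the URL of its contents.
# Assumptions: tenant name, admin account and former user are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell

$tenant     = 'contoso'             # placeholder tenant name
$adminUpn   = 'admin@contoso.com'   # placeholder admin account
$formerUser = 'jdoe@contoso.com'    # placeholder former user

Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# OneDrive site URLs encode the UPN with '@' and '.' replaced by '_'
$suffix = $formerUser -replace '[@.]', '_'

# -Filter is a server-side substring match on the site URL; personal
# sites are only returned when -IncludePersonalSite is set
$site = Get-SPOSite -IncludePersonalSite $true -Limit All `
            -Filter "Url -like '-my.sharepoint.com/personal/$suffix'" |
        Select-Object -First 1

if (-not $site) {
    throw "No OneDrive site found for $formerUser (deleted more than 30 days ago?)"
}

# Equivalent of 'Manage site collection owners' in the SharePoint admin center
Set-SPOUser -Site $site.Url -LoginName $adminUpn -IsSiteCollectionAdmin $true

# Same page the post reaches by editing the site settings URL to onedrive.aspx
"OneDrive contents: $($site.Url)/_layouts/15/onedrive.aspx"
```

Once the data has been copied out, run `Set-SPOUser` again with `-IsSiteCollectionAdmin $false` so the admin account does not keep standing rights over the former user’s site.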


Windows Server 2016, AppLocker Rules

AppLocker rules can be set up through Group Policy in a Windows domain and are very useful for limiting the execution of arbitrary executable files. AppLocker takes the approach of denying all executables from running unless they have been specifically whitelisted.

AppLocker is available on Windows desktop and server editions; desktop Windows requires an Enterprise edition. Microsoft publishes the full AppLocker requirements.

Note: before implementing AppLocker rules in a production environment, perform thorough testing. AppLocker will not allow anything to run unless it has been explicitly whitelisted, so keep in mind any non-standard installs to the system root or other drives (C:\ or E:\).


AppLocker Rule Types:

  • Executable Rules: These rules apply to executables, such as .exe and .com files.
  • Windows Installer Rules: These rules apply to files used for installing programs such as .msi, .mst and .msp files.
  • Script Rules: These rules apply to scripts such as .bat, .js, .vbs, .cmd, and .ps1 files.
  • Packaged App Rules: These rules apply to the Windows applications that may be downloaded through the Windows store with the .appx extension.

With each of these rules, we can also whitelist based on the publisher, path, or file hash.

  • Publisher: This method is used when creating the default rules, as we’ll soon see. It works by checking the publisher of the executable and allowing it; if the publisher, file name, version, etc. change, the executable will no longer be allowed to run.
  • Path: Executables can be whitelisted by providing a folder path, for example, we can say that anything within C:\tools is allowed to be run by a specific active directory user group.
  • File Hash: While this may be the most secure option, it is inconvenient to work with and manage. If a file changes at all, for instance when an executable is updated, it will no longer be allowed to run because the allowed hash no longer matches.


AppLocker Configuration:

  • Open Server Manager, selecting Tools, followed by Group Policy Management.
  • From the Group Policy Management window that opens, we’ll select the group policy objects folder within the domain, right click and select new to create a new group policy object (GPO). In this case, we’ll create one called AppLocker Rules.
  • From within the Group Policy Management Editor (GPME), select Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker.
  • The main AppLocker interface is where we create executable, Windows Installer, script, and packaged app rules. We can get started with the default settings by clicking “Configure rule enforcement”. By default each of these four items is unticked and not enabled; tick the box next to “Configured” to enable the collection and set the rules to “Enforced”.

This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more info: https://www.microsoft.com/en-us/learning/exam-70-744.aspx

Phishing Attacks using Office 365 and SharePoint

The bad guys are at it once again and now have a new, slick way of stealing your login credentials: sending you an email invitation to open a SharePoint document. The link takes you to an actual SharePoint page where you will see a OneDrive prompt.

This prompt will have an “Access Document” link in it – don’t click this link!

This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don’t be tricked.

Whenever you’re submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you.

Remember, Think Before You Click.

Here’s how the Phish / Scam attack works

  • You, the friendly Office 365 user, receive the malicious email. It often uses URGENT or ACTION REQUIRED to instill a sense of immediacy. The email contains a link to a SharePoint Online-based document.
  • The link directs to SharePoint. Attackers are using genuine SharePoint Online URLs, which adds credibility and legitimacy to the email and link, since the user is directed to a known-good hosting site.
  • You are then shown a OneDrive prompt. The SharePoint file impersonates a request to access a OneDrive file (again, a known cloud entity), with an “Access Document” hyperlink that is actually a malicious URL, as shown below.
  • You are then presented with an Office 365 login screen. This is where the scam takes place: a very authentic-looking login page on which the cybercriminals harvest the user’s credentials.
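The “check the URL” and “hover over links” advice can be turned into a simple check that a help desk or mail gateway can run over a suspicious message. This is an added example, not part of the original post: it extracts the anchors from an HTML body and flags any link whose visible text refers to OneDrive, SharePoint, Office 365 or “Access Document” but whose target host is not a Microsoft sign-in or SharePoint host. The sample message and the look-alike host are constructed for the example.

```powershell
# Added example (not part of the original post): flag lure links whose
# text mentions Microsoft services but whose host is not a trusted one.
# The sample HTML below is constructed; the trusted host list is an assumption.
$trustedHosts = @(
    'login.microsoftonline.com',
    'login.microsoft.com',
    'onedrive.live.com',
    'sharepoint.com'
)

function Test-TrustedHost {
    param([string]$HostName)
    foreach ($t in $trustedHosts) {
        if ($HostName -eq $t -or $HostName.EndsWith(".$t")) { return $true }
    }
    return $false
}

function Get-SuspiciousLinks {
    param([string]$Html)
    # href value in group 1, anchor text in group 2 (inner tags stripped below)
    $pattern  = '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    $findings = @()
    foreach ($m in [regex]::Matches($Html, $pattern, 'IgnoreCase, Singleline')) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        try { $uri = [uri]$href } catch { continue }
        if ($uri.Scheme -notin 'http', 'https') { continue }
        # Lure text names a Microsoft service but the link goes elsewhere
        $mentionsMs = $text -match 'OneDrive|SharePoint|Office 365|Access Document|Microsoft'
        if ($mentionsMs -and -not (Test-TrustedHost $uri.Host)) {
            $findings += [pscustomobject]@{ Text = $text; Host = $uri.Host; Href = $href }
        }
    }
    return $findings
}

# Constructed sample: a genuine SharePoint link followed by the lure's button
$sample = @'
<p>ACTION REQUIRED: a document was shared with you.</p>
<a href="https://contoso.sharepoint.com/sites/hr/Shared%20Documents/invoice.pdf">Open in SharePoint</a>
<a href="https://office365-login-verify.example.net/auth">Access Document</a>
'@

# Only the second link is reported: "Access Document" -> office365-login-verify.example.net
Get-SuspiciousLinks -Html $sample | Format-Table -AutoSize
```

Because the first hop in this campaign really is hosted on sharepoint.com, the check only catches the final “Access Document” link to the fake login page, which is exactly the point where the credentials would be lost; the initial email still has to be judged on its sender and its sense of urgency.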

Here is an example of a phishing email:

Just some advice – Jermal


How to search for Open Amazon S3 Buckets and their contents

How to search for Open Amazon s3 Buckets and their contents — https://buckets.grayhatwarfare.com

GrayHatWarfare created https://buckets.grayhatwarfare.com/ a free tool that lists open s3 buckets and helps you search for interesting files.

For an intro on what Amazon open buckets are, please read the following: https://blog.rapid7.com/2013/03/27/open-s3-buckets/

In essence, many files are publicly accessible, some by design. These files sometimes include very sensitive data. https://github.com/nagwww/s3-leaks has a list of the biggest leaks recorded.

This is another reason why application owners who provide backup solutions and cloud storage should encrypt their data before placing it on S3. Anything less is negligence on their part.
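Before relying on encryption alone, an owner should know whether a bucket answers anonymous listing requests at all. This is an added example, not code from the original post or from GrayHatWarfare: it sends one unauthenticated ListObjects request per bucket and classifies the answer. The bucket names are placeholders for buckets you operate.

```powershell
# Added example (not from the original post): audit your own bucket names
# for anonymous listing with a single unauthenticated ListObjects request.
# Assumption: the bucket names at the bottom are placeholders.
function Test-S3AnonymousListing {
    param([Parameter(Mandatory)][string]$Bucket)

    # Virtual-hosted-style URL; max-keys=1 keeps the response tiny
    $url = "https://$Bucket.s3.amazonaws.com/?list-type=2&max-keys=1"
    try {
        $resp  = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        # A 200 with a ListBucketResult body means anyone can enumerate keys
        $state = if ($resp.Content -match '<ListBucketResult') { 'PUBLIC-LISTING' } else { 'UNEXPECTED-200' }
    } catch {
        $response = $_.Exception.Response
        if (-not $response) {
            $state = 'CONNECTION-ERROR'
        } else {
            $code  = [int]$response.StatusCode
            $state = switch ($code) {
                403     { 'PRIVATE' }          # AccessDenied: listing needs credentials
                404     { 'NO-SUCH-BUCKET' }   # name is unclaimed
                default { "HTTP-$code" }
            }
        }
    }
    [pscustomobject]@{ Bucket = $Bucket; Result = $state }
}

# Placeholder names: replace with the buckets your application writes to
'my-company-backups', 'my-company-static-site' |
    ForEach-Object { Test-S3AnonymousListing -Bucket $_ }
```

`PRIVATE` only says that listing is denied; individual objects can still carry public ACLs, so the result is a first screen to be followed by the bucket’s Block Public Access settings and per-object ACL review, and by the client-side encryption the paragraph above calls for.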

Since this was exposed, many projects have been created that can enumerate S3 buckets:

All these tools/projects have some common problems:

  • The real problem is where to find the wordlist of names to brute-force for buckets, not the brute-forcing itself.
  • All tools/projects only scan the first page for results.
  • thebuckhacker.com includes uninteresting files and useful results tend to be lost in the noise. Also, the first 1000 results of each bucket are fairly limited.
  • The process is slow and unproductive. It’s not very useful for pen-testers to run a tool for days, save the exports somewhere and then grep them whenever they want to search for something. What is better is a useful tool in front of a large database.


Now there is http://buckets.grayhatwarfare.com/, which took the ideas of the many projects and tools mentioned above.

The project’s features are:

  • It is a searchable database of open buckets.
  • Includes millions of results within buckets (in the future there might be more).
  • Cleaned up and removed uninteresting files such as images; most image names are auto-generated.
  • Currently has ~180,000,000 files. If all images were included, that number would go up to a few billion, which would be a completely different system.
  • As of today, 70,000 buckets are listed and growing (not all of them have “interesting” files).
  • Full-text search with binary logic (can search for keywords and also stopwords)
  • List of the buckets.
  • The user can browse the contents of the bucket.
  • Excluded a lot of other things that are not interesting like cloud-watch logs.
  • Found a solution to the problem of how to generate possible names for buckets. The process reveals some hundreds of new buckets per day.
  • Automated the process.

The project is currently free and running on servers paid for by me. There are some limitations in place to protect resources, but otherwise pentesters can use it in their daily tasks.

What’s to come in grayhatwarfare.com

Lots of cool things:

  • Subdomains pointing to expired buckets which can lead to something like this: https://www.reddit.com/r/netsec/comments/8t0pb2/how_i_hacked_applecom/
  • Huge lists of exposed version control (.git) directories, which can expose the website’s repository (source, password files, log files, etc.).
  • Exposed cameras/IoT devices.
  • Huge resources like extremely large (actual) cracked password lists.


Ref Source