Tech Line
Capture the Script
Here’s how Ethereal can be used to capture the contents of a batch start-up script.
Chris, I recently changed all of the local admin passwords on all our users' computers after we got hacked a couple of weeks ago. I created a batch file with the net user administrator newpassword command and used it in GPO as a start-up script on our Windows 2003 domain. For the batch file itself, I changed the NTFS permissions so that only the computers had read access to it and not the users. Is this secure? When computers start up and read the policy, can a hacker sniff the packet and read what the password is?
— Giraffe
Tech Help—Just An
E-Mail Away |
|
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
at mailto:[email protected];
the best questions get answered in this column and garner
the questioner with a nifty MCPmag.com baseball-style
cap.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.)
|
|
|
Good question, Giraffe. The short answer to your question is Yes. However, network sniffing is not as easy as it used to be, since most networks are now interconnected using switches. With several hosts connected to a switch, running a promiscuous capture on one switch is only going to show local traffic to and from the host running the capture, as well as broadcast traffic. Unicast traffic between two other hosts connected to the switch will not be captured. For networking monitoring, such as with an Intrusion Detection System (IDS), many managed switches support port mirroring. Port mirroring allows you to set a switch so that traffic seen on one switch port is mirrored to an alternate switch port. So with port mirroring, you could capture unicast traffic between different hosts on the switch. Cisco refers to their port mirroring implementation as the Switched Port Analyzer (SPAN) feature.
Of course, if your systems are interconnected via a hub, then you could easily capture all data to and from any system interconnected through the hub. As you can see, without the use of port mirroring, capturing unicast traffic through a switch would be difficult. On a side note, the virtual host-only switches used by VMware workstation act as fully mirrored switches, enabling you to run a capture from a host system and view traffic between two virtual machines. I’m mentioning this because this is very useful for any testing that involves data captures.
Just because data may be a little difficult to capture, that doesn’t mean that you should assume it is secure. I duplicated your scenario in my lab, using a Windows Server 2003 domain controller, Windows XP workstation, and ran the capture using Ethereal from a second workstation that was not part of the domain. Here are the steps that I took to capture the contents of the batch file:
- Connect two hosts (XP domain member and system running the capture) to a hub and uplink to a switch. This is something that is pretty easy for anyone with some IT knowledge to do, and keeping the hub hidden would not be too difficult.
- Open Ethereal, and then click the Capture menu and select Capture Options.
- Ensure that the correct interface is selected, verify that the "Capture packets in promiscuous mode" box is checked, and click Start. Alternatively, you could also consider clicking the "Update list of packets in real time" and "Automatically scrolling live capture" checkboxes. This allows you to see each frame as it's captured. Note that capture filters could also be configured here to limit the amount of data that is captured.
- Boot up (or reboot) the XP system that is part of the domain. During the start-up process, any GPOs assigned to the workstation’s container in Active Directory would be processed, and the start-up script would be read and executed.
- After the system finishes booting (login screen is visible), wait about a minute, and then click Stop to stop the capture.
- Scroll down the captured frames, paying attention to the Info column on the far right-hand side of the window. Look for information referring to the UNC path of your start-up script location. For example, in my capture, I was able to see a frame with the information "NT Create AndX Request, Path: \mcpmag.com\Policies\ {6473C1E0-5E8F-4436-9E7E-0F02DE64A4F5}\Machine\Scripts\Startup\ ChangePass.bat."
- Once you find a frame referencing your scripts folder or specific batch file, right-click on the frame and select Follow TCP Stream. This will show you all of the captured frames in that stream, in a single ASCII file. You could save the data as a text file, making it easy to search, or could copy and paste it into a text editor as well.
- If you scroll down the captured stream, you should be able to find the batch file command (see Figure 1). Again, if you have trouble finding the needed information, copy and paste the data into a text editor and search for key words such as "net user" or "administrator."
[Click on image for larger view.] |
| Figure 1: Captured batch file content. |
As you can see, with a few steps, capturing script data can be done rather quickly. My batch script used a password of MCPm@g!, which was easy to spot in the capture.
There are other ways to change your local administrator passwords besides using a batch file and GPO. See my columns, "Local Admin Password Problem" and "Automating Local Admin Password Changes," for readers who weigh in to offer some alternative methods for changing your local administrator passwords.
Hopefully this has persuaded you to use an alternate method to change your local administrator passwords. As a kid, I always wanted to have Superman’s x-ray vision. While I still don’t have that, I can at least take satisfaction in having Ethereal to x-ray my network traffic.