We have good reasons to obtain information from our servers
for security and audit purposes. Cyber criminals have their own reasons for
wanting the same information. Security professionals and developers also
need to understand what information is readily available for the asking.
Remember that we can't protect our systems unless we know what to protect. We have
to protect our servers, data and applications from unauthorized access. We also
have to protect our assets from users trying to escalate their access beyond what has
been granted to them.
The
following information can be accessed with a simple program. What information
would help a user gain further unauthorized access?
System Environment Information:
COMPUTERNAME - WIN-39OLKRF40NJ
VisualStudioDir -
\\vmware-host\Shared Folders\Documents\Visual Studio 2008
HOMEPATH - \Users\User_Name
LOCALAPPDATA -
C:\Users\User_Name\AppData\Local
PSModulePath -
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PROCESSOR_ARCHITECTURE - AMD64
CommonProgramW6432
- C:\Program Files\Common Files
CommonProgramFiles(x86) - C:\Program Files (x86)\Common Files
ProgramFiles(x86) -
C:\Program Files (x86)
PROCESSOR_LEVEL - 6
LOGONSERVER - \\WIN-39OLKRF40NJ
USERNAME - User_Name
HOMEDRIVE - C:
USERPROFILE -
C:\Users\User_Name
SystemRoot -
C:\Windows
TEMP - C:\Users\USERN~1\AppData\Local\Temp
PUBLIC -
C:\Users\Public
ALLUSERSPROFILE -
C:\ProgramData
FP_NO_HOST_CHECK -
NO
APPDATA - C:\Users\User_Name\AppData\Roaming
ProgramData - C:\ProgramData
PATHEXT -
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
OS - Windows_NT
CommonProgramFiles
- C:\Program Files\Common Files
PROCESSOR_IDENTIFIER - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
ComSpec -
C:\Windows\system32\cmd.exe
SESSIONNAME -
Console
SystemDrive - C:
PROCESSOR_REVISION
- 170a
ProgramFiles -
C:\Program Files
NUMBER_OF_PROCESSORS - 1
VS90COMNTOOLS -
C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\Tools\
WecVersionForRosebud.268 - 2
TMP - C:\Users\USERN~1\AppData\Local\Temp
ProgramW6432 -
C:\Program Files
USERDOMAIN - WIN-39OLKRF40NJ
windir -
C:\WindowsEnvironment.SpecialFolder: C:\Windows\system32
LogicalDrives: A:\,
C:\, D:\, Z:\
System Path:
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
c:\Program Files
(x86)\Microsoft SQL Server\100\Tools\Binn\
c:\Program Files
(x86)\Microsoft SQL Server\100\DTS\Binn\
Chipset information in Win Registry
GenuineIntel running at 2522 MHz.
Oem Id: 9
Page Size: 4096
Minimum Application
Address: 65536
Maximum Application
Address: 0
ProcessorMask:
4294901759
Number Of
Processors: 2047
Processor Type: 1
Allocation
Granularity: 0
Processor
Level: 1
Current Windows
user log in: WIN-39OLKRF40NJ\User_Name
-----------------------------------Win32_UserAccount instance
Caption: WIN-39OLKRF40NJ\Administrator
Description:
Built-in account for administering the computer/domain
Domain: WIN-39OLKRF40NJ
FullName:
LocalAccount: True
Lockout: False
Name: Administrator
PasswordChangeable:
True
PasswordExpires:
False
PasswordRequired:
True
Caption: WIN-39OLKRF40NJ\Guest
Description:
Built-in account for guest access to the computer/domain
Domain: WIN-39OLKRF40NJ
FullName:
LocalAccount: True
Lockout: False
Name: Guest
PasswordChangeable:
False
PasswordExpires:
False
PasswordRequired:
False
Caption: WIN-39OLKRF40NJ\User_Name
Description:
Domain: WIN-39OLKRF40NJ
FullName:
LocalAccount: True
Lockout: False
Name: User_Name
PasswordChangeable:
True
PasswordExpires:
True
PasswordRequired:
True
-----------------------------------ACL Registry Info - Current access
rules:
User: CREATOR OWNER
Type: Allow
Rights: 268435456
Inheritance: ContainerInherit
Propagation:
InheritOnly
Inherited? False
User: NT AUTHORITY\SYSTEM
Type: Allow
Rights: 268435456
Inheritance:
ContainerInherit
Propagation:
InheritOnly
Inherited? False
User: NT AUTHORITY\SYSTEM
Type: Allow
Rights: FullControl
Inheritance: None
Propagation: None
Inherited? False
User: BUILTIN\Administrators
Type: Allow
Rights: 268435456
Inheritance:
ContainerInherit
Propagation:
InheritOnly
Inherited? False
User: BUILTIN\Administrators
Type: Allow
Rights: FullControl
Inheritance: None
Propagation: None
Inherited? False
User: BUILTIN\Users
Type: Allow
Rights: -2147483648
Inheritance:
ContainerInherit
Propagation:
InheritOnly
Inherited? False
User: BUILTIN\Users
Type: Allow
Rights: ReadKey
Inheritance: None
Propagation: None
Inherited? False
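using System;
using System.Collections;
using System.Management;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;
using System.Windows.Forms;
using Microsoft.Win32;

namespace env
{
    /// <summary>
    /// Single-textbox WinForms window that builds a read-only inventory of the host:
    /// environment variables, logical drives, PATH entries, CPU data from the registry,
    /// the native SYSTEM_INFO block, the current Windows identity, every
    /// Win32_UserAccount instance WMI returns, and the access rules on HKLM\SOFTWARE.
    /// All calls are reads performed under the caller's own token. The report is
    /// assembled in one StringBuilder and written to the textbox once, instead of
    /// appending to TextBox.Text for every line.
    /// </summary>
    public class SystemEnvironement : System.Windows.Forms.Form
    {
        private System.Windows.Forms.TextBox textBox1;

        /// <summary>
        /// Win32_UserAccount properties printed per account, in output order.
        /// </summary>
        private static readonly string[] AccountProperties =
        {
            "Caption", "Description", "Domain", "FullName", "LocalAccount",
            "Lockout", "Name", "PasswordChangeable", "PasswordExpires", "PasswordRequired"
        };

        /// <summary>
        /// Managed mirror of the Win32 SYSTEM_INFO structure. The field widths must match
        /// the native layout on both x86 and x64: the two application-address fields are
        /// LPVOID and the active-processor mask is DWORD_PTR (pointer-sized), and the
        /// level/revision are WORDs. Declaring every field as uint shifts everything after
        /// lpMinimumApplicationAddress in a 64-bit process, which is why the sample output
        /// shows a maximum address of 0, 2047 processors and a processor level of 1.
        /// </summary>
        [StructLayout(LayoutKind.Sequential)]
        public struct SYSTEM_INFO
        {
            public uint dwOemId;                     // low WORD is wProcessorArchitecture
            public uint dwPageSize;
            public IntPtr lpMinimumApplicationAddress;
            public IntPtr lpMaximumApplicationAddress;
            public UIntPtr dwActiveProcessorMask;    // DWORD_PTR
            public uint dwNumberOfProcessors;
            public uint dwProcessorType;
            public uint dwAllocationGranularity;
            public ushort dwProcessorLevel;
            public ushort dwProcessorRevision;
        }

        [DllImport("kernel32")]
        static extern void GetSystemInfo(ref SYSTEM_INFO pSI);

        /// <summary>
        /// Creates the window, lays out the textbox and fills it with the host report.
        /// </summary>
        public SystemEnvironement()
        {
            this.SuspendLayout();
            InitForm();
            SystemInformation();
            // Balance the SuspendLayout above; the original never resumed layout.
            this.ResumeLayout(false);
        }

        /// <summary>
        /// Builds the single multiline, vertically scrolling textbox that holds the report.
        /// </summary>
        private void InitForm()
        {
            this.textBox1 = new System.Windows.Forms.TextBox();
            this.textBox1.Location = new System.Drawing.Point(12, 12);
            this.textBox1.Multiline = true;
            this.textBox1.ScrollBars = System.Windows.Forms.ScrollBars.Vertical;
            this.textBox1.Size = new System.Drawing.Size(560, 740);
            this.textBox1.TabIndex = 1;
            this.ClientSize = new System.Drawing.Size(584, 757);
            this.Controls.Add(this.textBox1);
        }

        /// <summary>
        /// Gathers every section of the report and writes it to the textbox once.
        /// Each section is best-effort: a failure is written into the report in place
        /// of that section so the remaining sections still render.
        /// </summary>
        private void SystemInformation()
        {
            StringBuilder report = new StringBuilder();

            AppendEnvironment(report);
            AppendProcessorFromRegistry(report);
            AppendNativeSystemInfo(report);
            AppendCurrentUser(report);
            AppendUserAccounts(report);
            AppendSoftwareKeyAcl(report);

            textBox1.Text = report.ToString();
            textBox1.ReadOnly = true;
        }

        /// <summary>
        /// Splits a PATH-style value on the platform path separator and drops empty
        /// entries (Windows PATH values commonly end in ';'). A null or empty value
        /// yields an empty array instead of throwing.
        /// </summary>
        /// <param name="path">Raw PATH value, may be null.</param>
        /// <returns>The non-empty entries in their original order.</returns>
        public static string[] SplitPath(string path)
        {
            if (string.IsNullOrEmpty(path))
            {
                return new string[0];
            }
            return path.Split(new[] { System.IO.Path.PathSeparator }, StringSplitOptions.RemoveEmptyEntries);
        }

        /// <summary>
        /// Environment variables (PATH excluded), the system folder, logical drives and
        /// the PATH entries one per line.
        /// </summary>
        private static void AppendEnvironment(StringBuilder report)
        {
            report.Append("System Environment Information: \r\n");
            IDictionary environmentVariables = Environment.GetEnvironmentVariables();
            foreach (DictionaryEntry de in environmentVariables)
            {
                string key = Convert.ToString(de.Key);
                // PATH is listed separately below, one entry per line. Windows variable
                // names are case-insensitive, so do not depend on the stored casing.
                if (!string.Equals(key, "Path", StringComparison.OrdinalIgnoreCase))
                {
                    report.Append("\r\n ").Append(key).Append(" - ").Append(de.Value);
                }
            }
            // Line break added: the original ran this heading onto the last variable.
            report.Append("\r\n Environment.SpecialFolder: ")
                  .Append(Environment.GetFolderPath(Environment.SpecialFolder.System));
            report.Append("\r\n LogicalDrives: ")
                  .Append(string.Join(", ", Environment.GetLogicalDrives()));
            report.Append("\r\n\r\n System Path: \r\n");
            // The original stopped at Length - 1 and so silently dropped the last PATH
            // entry whenever the value had no trailing separator.
            foreach (string part in SplitPath(Environment.GetEnvironmentVariable("PATH")))
            {
                report.Append("\r\n ").Append(part);
            }
        }

        /// <summary>
        /// CPU vendor and clock speed from HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0.
        /// The key is disposed after use; its absence is reported rather than thrown.
        /// </summary>
        private static void AppendProcessorFromRegistry(StringBuilder report)
        {
            using (RegistryKey cpuKey = Registry.LocalMachine.OpenSubKey("HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"))
            {
                if (cpuKey == null)
                {
                    // OpenSubKey returns null (it does not throw) when the key is missing.
                    report.Append("\r\n\r\n Chipset information in Win Registry: key not found.");
                }
                else
                {
                    object cpuSpeed = cpuKey.GetValue("~MHz");
                    object cpuType = cpuKey.GetValue("VendorIdentifier");
                    report.Append("\r\n\r\n Chipset information in Win Registry ")
                          .Append(cpuType).Append(" running at ").Append(cpuSpeed).Append(" MHz.");
                }
            }
            report.Append("\r\n ");
        }

        /// <summary>
        /// Fields of the native SYSTEM_INFO block obtained through GetSystemInfo.
        /// </summary>
        private static void AppendNativeSystemInfo(StringBuilder report)
        {
            try
            {
                SYSTEM_INFO sysInfo = new SYSTEM_INFO();
                GetSystemInfo(ref sysInfo);
                report.Append("\r\n Oem Id: ").Append(sysInfo.dwOemId);
                report.Append("\r\n Page Size: ").Append(sysInfo.dwPageSize);
                report.Append("\r\n Minimum Application Address: ").Append(sysInfo.lpMinimumApplicationAddress);
                report.Append("\r\n Maximum Application Address: ").Append(sysInfo.lpMaximumApplicationAddress);
                report.Append("\r\n ProcessorMask: ").Append(sysInfo.dwActiveProcessorMask);
                report.Append("\r\n Number Of Processors: ").Append(sysInfo.dwNumberOfProcessors);
                report.Append("\r\n Processor Type: ").Append(sysInfo.dwProcessorType);
                report.Append("\r\n Allocation Granularity: ").Append(sysInfo.dwAllocationGranularity);
                report.Append("\r\n Processor Level: ").Append(sysInfo.dwProcessorLevel);
            }
            catch (Exception e)
            {
                // Deliberate best-effort: a GUI process has no console, so surface the
                // failure in the report instead of Console.WriteLine.
                report.Append("\r\n GetSystemInfo failed: ").Append(e.Message);
            }
            report.Append("\r\n ");
        }

        /// <summary>
        /// Name of the Windows identity the process is running as.
        /// </summary>
        private static void AppendCurrentUser(StringBuilder report)
        {
            // WindowsIdentity wraps a token handle; dispose it once the name is read.
            using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            {
                WindowsPrincipal principal = new WindowsPrincipal(identity);
                report.Append("\r\n Current Windows user log in: ").Append(principal.Identity.Name);
            }
            report.Append("\r\n ");
        }

        /// <summary>
        /// Every Win32_UserAccount instance returned by WMI, one property per line.
        /// The searcher, result collection and each object are disposed; a null
        /// property (e.g. an empty Description) prints as "" instead of aborting the loop.
        /// </summary>
        private static void AppendUserAccounts(StringBuilder report)
        {
            report.Append("-----------------------------------");
            report.Append("Win32_UserAccount instance");
            try
            {
                using (ManagementObjectSearcher searcher = new ManagementObjectSearcher("root\\CIMV2", "SELECT * FROM Win32_UserAccount"))
                using (ManagementObjectCollection results = searcher.Get())
                {
                    foreach (ManagementObject account in results)
                    {
                        using (account)
                        {
                            foreach (string property in AccountProperties)
                            {
                                // Convert.ToString(null) is "", whereas null.ToString() threw and
                                // the catch below then dropped every remaining account.
                                report.Append("\r\n ").Append(property).Append(": ")
                                      .Append(Convert.ToString(account[property]));
                            }
                            report.Append("\r\n ");
                        }
                    }
                }
                report.Append("\r\n ");
            }
            catch (Exception ex)
            {
                // Deliberate best-effort: WMI may be unavailable or access may be denied;
                // keep the rest of the report.
                report.Append("\r\n Win32_UserAccount query failed: ").Append(ex.Message);
            }
        }

        /// <summary>
        /// Explicit and inherited access rules on HKLM\SOFTWARE, resolved to account names.
        /// </summary>
        private static void AppendSoftwareKeyAcl(StringBuilder report)
        {
            report.Append("-----------------------------------");
            report.Append("ACL Registry Info - Current access rules:");
            try
            {
                using (RegistryKey softwareKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\"))
                {
                    if (softwareKey == null)
                    {
                        report.Append("\r\n HKLM\\SOFTWARE could not be opened.");
                        return;
                    }
                    RegistrySecurity security = softwareKey.GetAccessControl();
                    foreach (RegistryAccessRule rule in security.GetAccessRules(true, true, typeof(NTAccount)))
                    {
                        report.Append("\r\n User: ").Append(rule.IdentityReference);
                        report.Append("\r\n Type: ").Append(rule.AccessControlType);
                        // Generic access bits (0x10000000, 0x80000000) have no RegistryRights
                        // name and therefore print as raw integers, as in the sample output.
                        report.Append("\r\n Rights: ").Append(rule.RegistryRights);
                        report.Append("\r\n Inheritance: ").Append(rule.InheritanceFlags);
                        report.Append("\r\n Propagation: ").Append(rule.PropagationFlags);
                        report.Append("\r\n Inherited? ").Append(rule.IsInherited);
                        report.Append("\r\n ");
                    }
                }
            }
            catch (Exception ex)
            {
                // Deliberate best-effort: GetAccessControl needs READ_CONTROL on the key.
                report.Append("\r\n Reading the access rules failed: ").Append(ex.Message);
            }
        }

        /// <summary>
        /// Entry point. WinForms expects a single-threaded apartment.
        /// </summary>
        [STAThread]
        static void Main(string[] args)
        {
            Application.Run(new SystemEnvironement());
        } // end of main
    } // end of class
} // end of namespace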