October 2013 – Stephen Hirst

Smartcard

Logical Access Library http://liblogicalaccess.islog.com/wiki/doku.php/start

Windows Smartcard Authentication http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx

MSDN Magazine (2007) Customising login experience with credential provider http://msdn.microsoft.com/en-us/magazine/cc163489.aspx

NXP documents:

Windows 8 virtual smart card http://windowsitpro.com/windows-8/creating-virtual-smart-card-windows-8 Understand and evaluate virtual smart cards

tpmvscmgr.exe  create /name testvsc /pin prompt /puk prompt /adminkey random /generate

Security Monitoring

Here are some links related to security monitoring.

ELSA

Microsoft LogParser to send events to ELSA

"c:\Program Files (x86)\Log Parser 2.2\logparser.exe" -i:EVT -o:SYSLOG "select * INTO @1xx.xx.xx.xx from \\SyslogHost\Security"

Evtsys config file to include sysmon logs

XPath:Application:<Select Path="Application">*</Select>
XPath:Security:<Select Path="Security">*</Select>
XPath:System:<Select Path="System">*
XPath:Microsoft-Windows-Sysmon/Operational:<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>

Accessing the ELSA api from PowerShell, and the git respostory
Selecting images and SHA hashes from Sysmon log

(New-ElsaResults -query "host=xx.xx.xx.xx eventid=1").results | % {$_ -Replace '^.*Image: (.+) CommandLine:.+SHA1=([a-f0-9]{40}) .*$','$2,$1'} | Sort-Object -Unique

Get the addresses of all DCs logging to ELSA for current domain or all domains in the forest

((Get-ADDomainController  -Filter *).HostName | Resolve-DnsName).IpAddress | % {(New-ElsaResults -query "host=$_" -limit 1).results} | % {$_.host}
((Get-ADForest | % {$_.Domains} | Get-ADDomain | % {(Get-ADDomainController -Filter * -Server $_.PDCEmulator)}).HostName | Resolve-DnsName).IpAddress | % {(New-ElsaResults -query "host=$_" -limit 1).results} | % {$_.host}

Useful resources

Pcaps for testing (security onion)

Open Source Security Tools
Critical Stack Intel Feeds Tao Security Blog

IDS Testing http://www.testmyids.com http://secanalysis.com/black-sunday-in-your-idsips-for-testing/

SQL Alias

SQL Alias is accessible through the registry. I first came across this through http://habaneroconsulting.com/en/insights/Automating-the-SharePoint-2013-installation-and-creating-a-farm-with-PowerShell.aspx#.UmUrb7hwbyE

Copied from the above blog:

#This is the name of your SQL Alias
$AliasName = "SPFarmAlias"
  
#This is the name of your SQL server (the actual name!)
# In this case we're using the current computer name as we are assuming SharePoint and SQL are on the same server
# Change this if this isn't the case in your environment!
$ServerName = $env:computername
  
#These are the two Registry locations for the SQL Alias locations
$x86 = "HKLM:\Software\Microsoft\MSSQLServer\Client\ConnectTo"
$x64 = "HKLM:\Software\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo"
  
#We're going to see if the ConnectTo key already exists, and create it if it doesn't.
if ((test-path -path $x86) -ne $True)
{
    write-host "$x86 doesn't exist"
    New-Item $x86
}
if ((test-path -path $x64) -ne $True)
{
    write-host "$x64 doesn't exist"
    New-Item $x64
}
  
#Adding the extra "fluff" to tell the machine what type of alias it is
$TCPAlias = ("DBMSSOCN," + $ServerName)
  
#Creating our TCP/IP Aliases
New-ItemProperty -Path $x86 -Name $AliasName -PropertyType String -Value $TCPAlias
New-ItemProperty -Path $x64 -Name $AliasName -PropertyType String -Value $TCPAlias
 
# Open cliconfig to verify the aliases
Start-Process C:\Windows\System32\cliconfg.exe
Start-Process C:\Windows\SysWOW64\cliconfg.exe

Universal Windows Apps

Windows development centre

API Reference

Building universal Windows apps

Threading http://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh465290.aspx

        public event PropertyChangedEventHandler PropertyChanged;
        private void NotifyPropertyChanged(String info)
        {
            if (PropertyChanged != null)
            {
                if (Windows.ApplicationModel.Core.CoreApplication.MainView.CoreWindow.Dispatcher.HasThreadAccess)
                {
                    PropertyChanged(this, new PropertyChangedEventArgs(info));
                }
                else
                {
                    Windows.ApplicationModel.Core.CoreApplication.MainView.CoreWindow.Dispatcher.RunAsync(Windows.UI.Core.CoreDispatcherPriority.Normal,()=>{NotifyPropertyChanged(info);});
                }
            }
        }

Universal analogue clock sample

Bluetooth

MSDN Bluetooth reference

Bluetooth api

Windows Store and Windows Phone App-to-App communication over Bluetooth

Windows 8.1: Play with Bluetooth Rfcomm

Tap and send

Samples

Networking

Datagram sockets

The system administrator has set policies to prevent this installation

Rebuilding systems frequently means I am constantly coming across the message: The system administrator has set policies to prevent this installation. For unmanaged MSI’s the registry key DisableMSI is required:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer 
DisableMSI REG_DWORD value 0

If this is unsuccessful consider the Software Restriction Policies within Local Security Policies.

UAG and Windows 8.1

At the time of writing UAG appears not to operate with Windows 8.1 and Internet Explorer 11. The following post provides a workaround:

http://blogs.msdn.com/b/testingspot/archive/2013/09/09/fix-for-microsoft-uag-connection-errors-when-using-internet-explorer-11-with-windows-8-1.aspx

The work around includes adding the site to the compatibility list and changing the browser user agent string through the IE developer tools.

Daktronics RTD

Taken from http://timingguys.com/eve/forums/a/tpc/f/2976090511/m/4007070563:

Position Text message:

<syn> + HEADER + <soh> + CONTROL + <stx> + TEXT + <eot> + SUM + <etb>

Where:

<syn> ::= 0x16
<soh> ::= 0x01
<stx> ::= 0x02
<eot> ::= 0x04
<etb> ::= 0x17
HEADER ::= '20000000'
CONTROL ::= '004010NNNN' 
(NNNN is the decimal offset to place text)
TEXT ::= message to be sent to screen
SUM ::= sum of character values from header to (and including) <eot> mod 256 as hex string

Example to place the string 'hello' at offset 35:

'\x1620000000\x010040100035\x02hello\x048A\x17'

Venus will respond with an acknowledge - so if you are using a 422/485 link, just connect the 422 rcv instead of the 485, or else the ack may collide with your next message.

http://dakfiles.daktronics.com/

Manuals, Software and controller manuals

Description of serial RTD

Serialtools.tv FAQ

Security Onion configuration

snort configuration file /etc/nsm/SO2012-eth3/snort.conf

Managing over active signatures

Rules to ignore various packets

/etc/nsm/rules/local.rules

pass udp 8.8.8.8 53 -> 192.168.1.1 any (msg:"Ignore google dns"; sid:22222228;)
#pass tcp $HOME_NET any <> $WINDOWS_UPDATE 80 (msg:"Ignore Windows Update"; sid:
22222229;)
pass tcp $HOME_NET any <> any 80 (msg:"Ignore Windows Update"; content:"Host|3a|
 download.windowsupdate.com"; http_header; classtype: web-application-activity;
sid:22222230;)
pass tcp $HOME_NET any <> any 80 (msg:"Ignore DynDNS Updates"; content:"Host|3a|
 checkip.dyndns.com"; http_header; classtype: web-application-activity; sid:2222
2231;)

/etc/nsm/pulledpork/disablesid.conf

1:2013914 # User Agent to Backtrack Repository
1:2014726 # Outdated Windows Flash Version ID
1:15169 # XBOX Live Kerberos authentication request
1:16739 # FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap over

119:19 # http_inspect: LONG HEADER
123:8 # frag3: Fragmentation overlap
128:4 # ssh: Protocol mismatch
129:4 # stream5: TCP Timestamp is outside of PAWS window
129:5 # stream5: Bad segment, overlap adjusted size less than/equal 0
129:7 # stream5: Limit on number of overlapping TCP packets reached
129:12 # stream5: TCP Small Segment Threshold Exceeded
129:15 # stream5: Reset outside window
138:5 # sensitive_data: sensitive data - eMail addresses

Update Rules: /usr/bin/rule-update

Fine tuning snort rules: http://www.doctorchaos.com/fine-tuning-snort-rules-in-security-onion/