PowerShellRay

Posted on: May 12, 2017

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

“A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either in or outside the firewall, these are used to learn about an intruder’s techniques as well as determine vulnerabilities in the real system.” Before proceeding further, the first thing is to understand what honeypots actually are. To be frank, honeypots do not solve one specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. This flexibility is where the strength of honeypots lies.

The basic consideration is that honeypots record all actions and interactions with users. Since they do not provide any legitimate services, all activity directed at them is unauthorized (and possibly malicious).

Types of Honeypots

Honeypots come in many forms and can be classified by their deployment and by their level of interaction.

Based on deployment, honeypots may be classified as:

  1. Production honeypots
  2. Research honeypots

Production honeypots: These are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve their overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do.

 

Research honeypots: They are run to gather information about the motives and tactics of the black-hat community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Based on design criteria, honeypots can be classified as:

  1. Low-interaction honeypots
  2. Medium-interaction honeypots
  3. High-interaction honeypots

Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, which reduces complexity and makes the virtual systems easier to secure.

Low-interaction honeypots present the attacker with emulated services offering a limited subset of the functionality they would expect from a server, with the intent of detecting sources of unauthorized activity. For example, the HTTP service on a low-interaction honeypot would only support the commands needed to identify that a known exploit is being attempted. Some authors classify a third category, medium-interaction honeypots, as providing more interaction than low-interaction honeypots but less than high-interaction systems.

Medium-interaction honeypots might more fully implement the HTTP protocol to emulate a well-known vendor’s implementation, such as Apache. However, there are no implementations of medium-interaction honeypots, and for the purposes of this article the definition of low-interaction honeypots covers the functionality of medium-interaction honeypots: both only provide a partial implementation of services and do not allow the typical, full interaction with the system that high-interaction honeypots do.

High-interaction honeypots imitate the activities of real systems that host a variety of services. They let the attacker interact with the system as they would with any regular operating system, with the goal of capturing the maximum amount of information on the attacker’s techniques. Any command or application an end user would expect to be installed is available, and generally there is little to no restriction placed on what the attacker can do once he or she compromises the system. Recent research in high-interaction honeypot technology shows that, by employing virtual machines, multiple honeypots can be hosted on a single physical machine, so even if a honeypot is compromised, it can be restored more quickly. Although high-interaction honeypots provide more security by being difficult to detect, their main drawback is that they are costly to maintain. If virtual machines are not available, one honeypot must be maintained for each physical computer, which also increases cost. Example: Honeynet.
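As an added example (not from the original article or any named product), here is a minimal low-interaction honeypot in PowerShell of the kind described above: it emulates just enough HTTP to answer one request per connection, logs every connection as a JSON line, and raises a warning for each one, since nothing legitimate should ever talk to it. The port, log path and connection limit are assumptions.

```powershell
# Added example, not part of the original article. A low-interaction "HTTP" honeypot:
# a few lines of emulation, full logging of every interaction, every hit treated as an alert.
function Start-LowInteractionHttpHoneypot {
    param(
        [int]$Port = 8080,                              # assumed; pick an unused port
        [string]$LogPath = "$env:TEMP\honeypot.log",    # assumed log location
        [int]$MaxConnections = 5,                       # stop after this many hits so the demo ends
        [int]$ReadTimeoutMs = 5000
    )

    $listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
    $listener.Start()
    Write-Verbose "Honeypot listening on TCP/$Port, logging to $LogPath"

    $handled = 0
    try {
        while ($handled -lt $MaxConnections) {
            $client = $listener.AcceptTcpClient()
            $remote = [System.Net.IPEndPoint]$client.Client.RemoteEndPoint
            $stream = $client.GetStream()
            $stream.ReadTimeout = $ReadTimeoutMs

            # Capture whatever the peer sends first. A real server would parse it fully;
            # a low-interaction honeypot only needs enough to record and classify it.
            $buffer  = New-Object byte[] 4096
            $request = ''
            try {
                $read = $stream.Read($buffer, 0, $buffer.Length)
                if ($read -gt 0) { $request = [Text.Encoding]::ASCII.GetString($buffer, 0, $read) }
            } catch [System.IO.IOException] {
                # Peer connected but sent nothing within the timeout (typical of a port scan).
            }

            $requestLine = ($request -split "`r?`n")[0]
            $entry = [ordered]@{
                Timestamp   = (Get-Date).ToString('o')
                RemoteAddr  = $remote.Address.ToString()
                RemotePort  = $remote.Port
                RequestLine = $requestLine
                Bytes       = $request.Length
                Alert       = $true   # any interaction with a honeypot is suspicious by definition
            }
            Add-Content -Path $LogPath -Value ($entry | ConvertTo-Json -Compress)
            Write-Warning "Honeypot hit from $($entry.RemoteAddr): $requestLine"

            # Answer with a plausible but empty page so simple scanners see a 'live' web server.
            $body     = '<html><body>It works!</body></html>'
            $response = "HTTP/1.1 200 OK`r`nServer: Apache`r`nContent-Type: text/html`r`n" +
                        "Content-Length: $($body.Length)`r`nConnection: close`r`n`r`n$body"
            $bytes = [Text.Encoding]::ASCII.GetBytes($response)
            $stream.Write($bytes, 0, $bytes.Length)
            $client.Close()
            $handled++
        }
    } finally {
        $listener.Stop()
    }
}

# Run it, then hit it from another window with: Invoke-WebRequest http://localhost:8080/
Start-LowInteractionHttpHoneypot -Port 8080 -Verbose
```

Each JSON log line is a ready-made alert for a SIEM; the low volume is exactly the "small data sets of high value" property discussed later in the article.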

Summarized difference between low-interaction honeypots and high-interaction honeypots

Low-interaction honeypots:

  • The solution emulates operating systems and services.
  • Easy to install and deploy; usually requires simply installing and configuring software on a computer.
  • Minimal risk, as the emulated services control what attackers can and cannot do.
  • Capture limited amounts of information, mainly transactional data and some limited interaction.

High-interaction honeypots:

  • No emulation; real operating systems and services are provided.
  • Can capture far more information, including new tools, communications, or attacker keystrokes.
  • Can be complex to install or deploy (commercial versions tend to be much simpler).
  • Increased risk, as attackers are provided real operating systems to interact with.

Advantages of honeypots

They provide several advantages over other security solutions, including network intrusion detection systems:

  • Minimal resources: Honeypots require minimal resources, since they only capture bad activity.
  • New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics that have never been seen before.
  • Small data sets of high value: Honeypots collect small amounts of information. Instead of logging one GB of data a day, they may log only one MB of data a day. Instead of generating 10,000 alerts a day, they may generate only 10 alerts a day. Any interaction with a honeypot is most likely unauthorized or malicious activity.
  • Encrypted environments: Honeypots work in encrypted or IPv6 environments, unlike most security technologies (such as IDS systems). It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it.
  • Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.

Disadvantages of honeypots:

Every technology we use may have a wide range of advantages, but it also has disadvantages. Honeypots have the following weaknesses:

  • They can only track and capture activity that directly interacts with them. They will not capture attacks against other systems unless the attacker or threat also interacts with the honeypot.
  • They can be used by an attacker to attack other systems.
  • They can potentially be detected by the attacker.

 

Introduction to MFA and how it works

Configuring Azure Multifactor Authentication with Exchange 2013 SP1

We will see how to configure Azure Cloud MFA with Exchange 2013 SP1 on premises. This will be a long post with multiple steps done at multiple levels, so I suggest you pay very close attention to the details, because the configuration will be tricky to troubleshoot later.

Here are the high level steps:

  • Configure Azure AD.
  • Configure Directory Sync.
  • Configure Multifactor Authentication Providers.
  • Install and configure the MFA Agent on the Exchange server.
  • Configure the MFA Agent to use basic and form-based settings.
  • Sync users into the MFA agent.
  • Configure users for the desired login type.
  • Enroll users and test the configuration.

Setting up Azure AD/MFA:

Setting up Azure AD/MFA is done by visiting https://manage.windowsazure.com. Here you have two options (I list them both because I had both and it took me a while to figure it out):

  • If you have never tried Azure, you can sign up for a new account and start the configuration.
  • If you have an Office 365 enterprise subscription, then Azure AD is already configured for you: sign in to Azure using the same account you use for Office 365 and you will find Azure AD configured (I had this option, so I had to remove SSO from the previous account and set it up again).

Once you log in to the portal, you can set up Azure AD by clicking Add.

Since I had an Office 365 subscription, it was already configured; if you click on the directory, you can find the list of domains configured in it.

To add a new domain, click Add and enter the desired domain. You will need to verify the domain by adding a TXT or MX record to prove your domain ownership; once done, you will find the domain verified and you can configure it. The following screenshots illustrate the verification process.

Once done, go to Directory Integration and choose to activate directory integration.

Once enabled, download the DirSync tool on a computer joined to the domain and run the installer.

Once installed, run through the configuration wizard, which will ask you for the Azure account and the domain admin account used to configure AD sync.

Once done, check the Users tab in Azure AD to make sure that users are synced to Azure successfully.

If you select a user, you can choose Manage Multifactor Authentication.

You will be prompted to add a multifactor authentication provider. The provider essentially controls the licensing terms for each directory, because you pay either per user or per authentication. Once selected, click Manage to manage it.

Once you click Manage, you will be taken to the PhoneFactor website to download the MFA agent.

Click Downloads to download the MFA agent. You will install this agent on one of the following:

  • a server that acts as the MFA agent and provides RADIUS or Windows authentication for other clients, or
  • the Exchange server that will do the authentication (front-end or CAS servers).

Since we will use Exchange, you need to install this agent on the Exchange server. Once installed, activate the server using the email and password you acquired from the portal.

Once the agent is installed, it is time to configure the MFA agent. When prompted, enter the name of the group, then click No.

Configuring the MFA Agent:

The first step is to make sure that you have the correct namespace and SSL certificate in place. Typically, users need to access the portal using a specific FQDN; since this FQDN will point to the Exchange server, you will need to publish one of the following:

  • extra directories for the MFA portal, SDK and mobile app, or
  • a new DNS record and DNS name, added to the SSL certificate and published.

In my case, I chose to use a single name for Exchange and the MFA apps: https://mfa.azureinaction.com. "MFA" is just a name, so it could be anything.

The SSL certificate plays a very important role, because the portal and the mobile app speak to the SDK over SSL (you will see that later). Make sure that the correct certificate is in place, as well as the DNS records, since the DNS name must be resolvable internally.
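As an added example (not from the original post), here is a PowerShell pre-flight check for the namespace requirements just described: it confirms that the MFA FQDN resolves internally and that the HTTPS binding on the Exchange server carries a trusted certificate covering that name. The function name, the Default Web Site binding, and the mfa.azureinaction.com value in the usage line are assumptions.

```powershell
# Added example, not part of the original post. Run on the Exchange/MFA server itself,
# since that is where the portal and mobile app must reach the SDK over SSL.
# Assumes the WebAdministration module (IIS) and Resolve-DnsName (DnsClient module).
function Test-MfaNamespace {
    param(
        [Parameter(Mandatory)][string]$Fqdn,        # e.g. mfa.azureinaction.com (assumed value)
        [string]$SiteName = 'Default Web Site'      # IIS site carrying the HTTPS binding (assumed)
    )
    Import-Module WebAdministration -ErrorAction Stop

    $result = [ordered]@{
        Fqdn               = $Fqdn
        ResolvesInternally = $false
        Addresses          = @()
        HttpsBinding       = $false
        CertSubject        = $null
        CertNames          = @()
        CertCoversFqdn     = $false
        CertChainTrusted   = $false
        CertNotAfter       = $null
        Ready              = $false
    }

    # 1. Internal DNS: the post stresses that the name must resolve inside the network.
    try {
        $a = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
        $result.Addresses          = @($a | ForEach-Object { $_.IPAddress })
        $result.ResolvesInternally = $result.Addresses.Count -gt 0
    } catch {
        Write-Warning "DNS: $Fqdn did not resolve: $($_.Exception.Message)"
    }

    # 2. HTTPS binding on the site, and the certificate bound to it.
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if ($binding) {
        $result.HttpsBinding = $true
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $binding.certificateHash }
        if ($cert) {
            $result.CertSubject  = $cert.Subject
            $result.CertNotAfter = $cert.NotAfter
            # Subject Alternative Names as clients see them; -like also handles wildcard entries.
            $result.CertNames      = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
            $result.CertCoversFqdn = [bool]($result.CertNames | Where-Object { $Fqdn -like $_ })
            # Verify() builds the chain against this machine's trust store and checks validity dates,
            # which is what the portal and mobile app will do when they call the SDK.
            $result.CertChainTrusted = $cert.Verify()
        } else {
            Write-Warning "Bound certificate $($binding.certificateHash) not found in LocalMachine\My"
        }
    } else {
        Write-Warning "No https binding found on site '$SiteName'"
    }

    $result.Ready = $result.ResolvesInternally -and $result.CertCoversFqdn -and $result.CertChainTrusted
    [pscustomobject]$result
}

# Usage (name taken from the post's example; adjust to your own FQDN):
Test-MfaNamespace -Fqdn 'mfa.azureinaction.com' | Format-List
```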

Once the certificate/DNS issue is sorted, you can proceed with the install. First install the user portal; users will use this portal to enroll as well as to configure their MFA settings.

From the agent console, choose to install the user portal.

It is very important to choose the virtual directory carefully. I highly recommend changing the default names because they are very long; in my case I chose MFAPORTAL as the virtual directory.

Once installed, go to the user portal URL setting and enter the URL (carefully, as there is no auto-detection or validation).

Once done, proceed with the SDK installation. Again, I highly recommend changing the name; I chose MFASDK.

Once installed, you are ready to proceed with the third step, installing the mobile app portal. To do this, browse to the MFA agent installation directory and run the mobile app installer; again, choose a short name. I chose MFAMobile.

Once installed, you will have to do some manual configuration in the web.config files for the portal and the mobile app.

You will have to specify the SDK authentication account and the SDK service URL; this configuration is a must, not optional.

To do so, first create a service account. The best way is to open the Active Directory Users and Computers console, find the PFUP_MFAEXCHANGE account and clone it.

Once cloned, open C:\inetpub\wwwroot\<MFA portal directory> and C:\inetpub\wwwroot\<MFA mobile app directory> and edit the web.config file in each (one for the MFA portal, one for the MFA mobile app) to set the SDK authentication account and the SDK service URL.

Once done, you will need to configure the MFA agent to do authentication for IIS.

Configure MFA to do authentication from IIS:

To configure the MFA agent to kick in for OWA, you will need to configure OWA to do basic authentication. I searched on how to do FBA with MFA, but I didn’t find any clues (if you have any, let me know).

Once you have configured the OWA/ECP virtual directories to do basic authentication, go to the MFA agent, then to IIS Authentication, HTTP tab, and add the OWA URL.

Go to the Native Module tab and select the virtual directories where you want the MFA agent to perform MFA authentication (make sure to configure it on the front-end virtual directories only).
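The OWA/ECP change the post asks for, as an added PowerShell example for the Exchange Management Shell (not the post's own steps): it switches only the front-end OWA and ECP virtual directories on Client Access servers to basic authentication with forms authentication off, supports -WhatIf, and prints the resulting state so you can confirm that the "Exchange Back End" directories were left alone. The function name is assumed; the cmdlets are standard Exchange 2013 cmdlets.

```powershell
# Added example, not part of the original post. Exchange Management Shell, Exchange 2013.
# Basic authentication carries the password inside each HTTP request, so it only belongs on the
# HTTPS-published front end, which is also the only place the MFA agent should hook into.
function Set-FrontEndBasicAuth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # CAS servers to touch; by default every server holding the Client Access role.
        [string[]]$Server = @(Get-ExchangeServer |
                              Where-Object { $_.IsClientAccessServer } |
                              ForEach-Object { $_.Name })
    )

    # Front-end OWA/ECP virtual directories only; back-end ones live under "Exchange Back End".
    function Get-FrontEndVdirs([string]$Srv) {
        @(Get-OwaVirtualDirectory -Server $Srv) + @(Get-EcpVirtualDirectory -Server $Srv) |
            Where-Object { "$($_.Identity)" -notlike '*Exchange Back End*' }
    }

    foreach ($srv in $Server) {
        foreach ($vd in Get-FrontEndVdirs $srv) {
            $id = "$($vd.Identity)"     # e.g. SERVER\owa (Default Web Site)
            if (-not $PSCmdlet.ShouldProcess($id, 'Enable Basic authentication, disable Forms')) { continue }
            if ($vd.Name -like 'owa*') {
                Set-OwaVirtualDirectory -Identity $id -BasicAuthentication $true -FormsAuthentication $false
            } else {
                Set-EcpVirtualDirectory -Identity $id -BasicAuthentication $true -FormsAuthentication $false
            }
        }
    }

    # Verification: every front-end OWA/ECP vdir should now report Basic=True, Forms=False.
    foreach ($srv in $Server) {
        Get-FrontEndVdirs $srv |
            Select-Object Server, Name, BasicAuthentication, FormsAuthentication, WindowsAuthentication
    }
}

# Preview the changes first, then apply them:
Set-FrontEndBasicAuth -WhatIf
Set-FrontEndBasicAuth
```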

Go to the MFA agent again, to IIS Authentication, Form-Based tab, and add the OWA URL. The login URL is the OWA login page, and the variables are username and password, as you can see when you press F12 in Internet Explorer.

Why we configured both HTTP and Form-Based

We used the HTTP configuration because IIS on the Exchange Front End/CAS servers uses basic authentication. We also need the Form-Based configuration because the login page is form-based: Exchange takes the credentials from the form-based login page and converts them to basic authentication on the server to match IIS, so the form-based configuration is needed to detect the username that is logging in.

You can also configure a user to authenticate with the phone app.

Once all is set, you can finally enroll users.

Users can enroll by visiting the user portal URL and signing in with their username/password; once signed in, they will be taken to the enrollment process.

For phone-call MFA, they will receive a call asking for the initial PIN created during their configuration in MFA. Once entered correctly, they will be prompted to enter a new one; once validated, the call will end.

In subsequent logins, they will receive a call asking them to enter their PIN; once it is validated successfully, the login succeeds and they are taken to their mailbox.

For the mobile app, which we will see here, they need to install the app on their phones; once they log in to the portal they can scan the QR code or enter the URL/code in the app.

Once validated in the app, the portal shows a confirmation screen.

The next time you attempt to log in to OWA, the app will ask you to validate the login.

Once authentication is successful, you will see a confirmation and be taken to OWA.

write-Verbose "Change in Resource Manager cmdlets"
Switch-AzureMode -Name AzureResourceManager
write-Verbose "give you permission on Azure subscription"
Add-AzureAccount
write-Verbose "Select Azure subscription"
Select-AzureSubscription -SubscriptionName "Visual Studio Ultimate with MSDN"
write-Verbose "Create Resource Group"
New-AzureResourceGroup -Name PublicDNS -location "North Europe"
write-Verbose "Register Azure provider for Microsoft Network"
Register-AzureProvider -ProviderNamespace Microsoft.Network
write-Verbose "Create Azure DNS Zone"
New-AzureDnsZone -Name powershellrayco.com -ResourceGroupName PublicDNS

write-Verbose "Get DNS records in the DNS Zone"
Get-AzureDnsRecordSet -ZoneName powershellrayco.com -ResourceGroupName PublicDNS

 

# Output of the command below
PS C:\WINDOWS\system32> Get-AzureDnsRecordSet -ZoneName powershellrayco.com -ResourceGroupName PublicDNS

<# Output will be like what is shown below

Name              : @
ZoneName          : powershellrayco.com
ResourceGroupName : PublicDNS
Ttl               : 3600
Etag              : 6bcfa6dc-fb2b-4a77-8c6a-70fa6f0a4d00
RecordType        : SOA
Records           : {[ns1-03.azure-dns.com,msnhst.microsoft.com,3600,300,2419200,300]}
Tags              : {}

Name              : @
ZoneName          : powershellrayco.com
ResourceGroupName : PublicDNS
Ttl               : 3600
Etag              : 14006a73-f681-4e30-9a71-cb4eec2f9256
RecordType        : NS
Records           : {ns1-03.azure-dns.com, ns2-03.azure-dns.net, ns3-03.azure-dns.org, ns4-03.azure-dns.info}
Tags              : {}

Below are all cmdlets used for Azure DNS administration

CommandType     Name                             Version    Source
-----------     ----                             -------    ------
Cmdlet          Add-AzureDnsRecordConfig         0.9.8      AzureResourceManager
Cmdlet          Get-AzureDnsRecordSet            0.9.8      AzureResourceManager
Cmdlet          Get-AzureDnsZone                 0.9.8      AzureResourceManager
Cmdlet          New-AzureDnsRecordSet            0.9.8      AzureResourceManager
Cmdlet          New-AzureDnsZone                 0.9.8      AzureResourceManager
Cmdlet          Remove-AzureDnsRecordConfig      0.9.8      AzureResourceManager
Cmdlet          Remove-AzureDnsRecordSet         0.9.8      AzureResourceManager
Cmdlet          Remove-AzureDnsZone              0.9.8      AzureResourceManager
Cmdlet          Set-AzureDnsRecordSet            0.9.8      AzureResourceManager
Cmdlet          Set-AzureDnsZone                 0.9.8      AzureResourceManager
Cmdlet          Test-AzureDnsAvailability        0.9.8      AzureResourceManager
#>

 

$VerbosePreference = "Continue"

Write-Verbose "Setting Environment Variables"
$ResourceGroup = "RayNorthEurope"
$VNETName = "RayNorthEuropeVN01"
$SubnetName = "Subnet-2"
$SubnetPrefix = "10.0.1.0/24"

Write-Verbose "Adding a New Subnet to an Existing ARM based Virtual Network"
$vnet = Get-AzureVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNETName
$vnet | Add-AzureVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetPrefix | Set-AzureVirtualNetwork

Write-Verbose "Output of the Subnets Associated with the ARM based Virtual Network $VNETName"
$VNET1 = Get-AzureVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNETName
$VNET1

Write-Verbose "Successfully Executed the Script"

 

Switch-AzureMode -Name AzureResourceManager

$VerbosePreference = "Continue"

Write-Verbose "Setting Environment Variables"
$ResourceGroup = "RayNorthEurope"
$Location = "North Europe"
$VNETName = "RayNorthEuropeVN01"
$AddressPrefix = "10.0.0.0/16"
$SubnetName = "Subnet-1"
$SubnetPrefix = "10.0.0.0/24"

Write-Verbose "Creating a New Azure Resource Group $ResourceGroup"
New-AzureResourceGroup -Name $ResourceGroup -Location $Location

Write-Verbose "Creating an ARM based Virtual Network $VNETName within the Resource Group $ResourceGroup"
$VNET = New-AzureVirtualNetwork -ResourceGroupName $ResourceGroup -Location $Location -Name $VNETName -AddressPrefix $AddressPrefix

Write-Verbose "Adding $SubnetName to the ARM based Virtual Network $VNETName"
$VNET | Add-AzureVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetPrefix | Set-AzureVirtualNetwork

Write-Verbose "Output of the Subnets Associated with the ARM based Virtual Network $VNETName"
$VNET1 = Get-AzureVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNETName
$Subnet = Get-AzureVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $VNET1
$Subnet

Write-Verbose "Successfully Executed the Script"

The script below helps you move any resource to any resource group; for example, moving classic virtual machines to virtual machines (Resource Manager) in a resource group.

Here is the link that shows you the supported services that can be moved to an Azure resource group.

I am using the # symbol to comment out the first command, which will not work, and the unsupported service, which is the virtual network (for the time being).

write-Verbose "Switch Azure Mode to manage Azure Resource Manager"
Switch-AzureMode -Name AzureResourceManager
write-Verbose "Move resource using resource id"
#Get-AzureResource -OutputObjectFormat New |?{$_.ResourceId  -eq "/subscriptions/a56a09ff-4c5e-4817-8352-bb22e389a9c5/resourceGroups/RayMFA/providers/Microsoft.ClassicCompute/virtualMachines/MFA01"} | Move-AzureResource  -DestinationResourceGroupName RayNorthEurope -force
write-Verbose "Move Cloud Service and Virtual Machines at same time"
Get-AzureResource -OutputObjectFormat New |?{$_.ResourceName  -in "dc01", "raydc"} | Move-AzureResource  -DestinationResourceGroupName RayNorthEurope -force
write-Verbose "Move Azure Virtual Network"
#(Get-AzureResource -OutputObjectFormat New|?{$_.ResourceName  -eq "rayvnet01"}) | Move-AzureResource  -DestinationResourceGroupName RayNorthEurope -force
write-Verbose "Move Storage Account"
Get-AzureResource -OutputObjectFormat New |?{$_.ResourceName  -in "raystoragefiles01"} | Move-AzureResource  -DestinationResourceGroupName RayNorthEurope -force
write-Verbose "Switch back to Azure Service Mode"
Switch-AzureMode -Name AzureServiceManagement