Authentication Archaeology - PowerPoint PPT Presentation

1
Authentication Archaeology
Or, my password is in the security log? In PLAINTEXT?!?
Kenneth J. Hoover, Senior Systems Programmer, Yale University ITS Academic Media & Technology
Windows in Higher Education Conference, April 24, 2005, Redmond, WA
2
Surveying Authentication Activity
  • Scanning logs is B-O-R-I-N-G.
  • Tools that watch in real time (MOM, Argent, etc.),
    aggregate logs (syslog) and/or create summary
    reports help a LOT.
  • What is worth looking into?
      • Large numbers of failed authentication attempts.
      • Clients that attempt to connect to a large number
        of other machines.
      • Attempted use of disabled or locked accounts.
      • Connections by unexpected users to sensitive
        systems.
      • Anything else that doesn't make sense in your
        environment.
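
The four "worth looking into" heuristics above are simple enough to express as rules over a stream of Security-log records. The script below is an added example, not code from the talk: it runs the rules over a constructed batch of pre-Vista logon events (IDs 528-540, as on the next slide), with the record layout, the sensitive-host allowlist and the thresholds being assumptions of this example rather than anything the slides specify.

```python
from collections import defaultdict

# Pre-Vista Security-log event IDs from the 528-540 range discussed in the talk.
FAILED_LOGON = 529          # unknown user name or bad password
ACCOUNT_DISABLED = 531      # logon attempt with a disabled account
ACCOUNT_LOCKED_OUT = 539    # logon attempt with a locked-out account
SUCCESS_IDS = {528, 540}    # successful logon / successful network logon

# Hypothetical policy (assumption for this example): sensitive servers and the
# accounts that are expected to reach them.
SENSITIVE_HOSTS = {"PAYROLL-DB": {"YALE\\svc_payroll", "YALE\\hr_admin"}}

# Constructed sample events: (event_id, user, client workstation, server).
# This tuple layout is the example's own, not Win32::EventLog's record format.
SAMPLE_EVENTS = [
    (529, "YALE\\jdoe", "LAB-PC3", "FS1"),
    (529, "YALE\\jdoe", "LAB-PC3", "FS1"),
    (529, "YALE\\admin", "LAB-PC3", "FS1"),
    (529, "YALE\\root", "LAB-PC3", "FS1"),
    (529, "YALE\\test", "LAB-PC3", "FS1"),
    (540, "YALE\\kjh27", "PHOENICIA", "FS1"),
    (540, "YALE\\kjh27", "PHOENICIA", "FS2"),
    (540, "YALE\\kjh27", "PHOENICIA", "FS3"),
    (540, "YALE\\kjh27", "PHOENICIA", "PRINT1"),
    (531, "YALE\\oldintern", "LAB-PC9", "DC1"),
    (539, "YALE\\jsmith", "LAB-PC9", "DC1"),
    (540, "YALE\\svc_payroll", "APP1", "PAYROLL-DB"),
    (540, "YALE\\kjh27", "PHOENICIA", "PAYROLL-DB"),
    (528, "YALE\\alice", "ALICE-PC", "ALICE-PC"),
]


def triage(events, fail_threshold=5, fanout_threshold=4):
    """Apply the four review heuristics and return one finding list per rule."""
    failures_by_client = defaultdict(int)   # rule 1: failed-auth bursts
    targets_by_client = defaultdict(set)    # rule 2: one client, many servers
    findings = {
        "failed_bursts": [],
        "fan_out": [],
        "blocked_accounts": [],
        "unexpected_access": [],
    }
    for event_id, user, client, server in events:
        if event_id == FAILED_LOGON:
            failures_by_client[client] += 1
        elif event_id in SUCCESS_IDS:
            targets_by_client[client].add(server)
            # rule 4: a user not on the allowlist reached a sensitive server
            allowed = SENSITIVE_HOSTS.get(server)
            if allowed is not None and user not in allowed:
                findings["unexpected_access"].append((user, client, server))
        # rule 3: any use of a disabled or locked-out account is worth a look
        if event_id in (ACCOUNT_DISABLED, ACCOUNT_LOCKED_OUT):
            findings["blocked_accounts"].append((event_id, user, client))

    for client, count in failures_by_client.items():
        if count >= fail_threshold:
            findings["failed_bursts"].append((client, count))
    for client, servers in targets_by_client.items():
        if len(servers) >= fanout_threshold:
            findings["fan_out"].append((client, sorted(servers)))
    return findings


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

The thresholds are deliberately parameters: what counts as "a large number" depends on the environment, which is the point of the last bullet on the slide.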

3
Windows Authentication Subsystems
  • Kerberos (W2K and higher)
      • Event IDs 672 through 681
  • LAN Manager events
      • Event IDs 528 through 540
  • Logon Types
      • Network-based versus console-based

4
PERL module Win32::EventLog
  • Point to a log on a server
      $eventlog = Win32::EventLog->new($log, $server);
  • Find the oldest event in the log
      $eventlog->GetOldest($oldest);
  • Read the oldest event (into a hashref)
      $eventlog->Read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ,
                      $oldest, $evtHashRef);
  • Get the text of the event
      Win32::EventLog::GetMessageText($evtHashRef);

5
Demo: Summarize with Perl
  • There were 17 successful logon events from 1
    unique users
      • 2 console logins (type 2)
      • 13 from unlocking the workstation (type 7)
      • 2 used locally-cached credentials (type 11)
  • There were 15 user logoff events.
  • There were 2 more logon events than logoff
    events.
  • There were 2 attempts to log on with an invalid
    username and/or password (event type 529)
      • (unknown)\ken.hoover@yale.edu from PHOENICIA > 2
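
The summary on this slide (and the logon/logoff mismatch noted under "Frustration" two slides on) comes down to counting records by event ID and logon type. The script below is an added example, not the talk's Perl: it builds the same kind of report from a constructed batch of events in Python, with the tuple layout, the sample data and the logon-type names being this example's own assumptions; the counts it prints are for the sample data, not the 17/15/2 figures on the slide.

```python
from collections import Counter

LOGON_SUCCESS = 528   # successful logon (pre-Vista ID)
LOGON_FAILED = 529    # unknown user name or bad password
LOGOFF = 538          # user logoff

# Logon-type codes as they appear in the 528 event text.
LOGON_TYPE_NAMES = {
    2: "console logins",
    3: "network logons",
    7: "from unlocking the workstation",
    10: "remote interactive logins",
    11: "used locally-cached credentials",
}

# Constructed sample events: (event_id, user, workstation, logon_type or None).
# Mirrors the shape of the slide's demo, with smaller numbers.
SAMPLE = [
    (528, "YALE\\kjh27", "PHOENICIA", 2),
    (528, "YALE\\kjh27", "PHOENICIA", 7),
    (528, "YALE\\kjh27", "PHOENICIA", 7),
    (528, "YALE\\kjh27", "PHOENICIA", 7),
    (528, "YALE\\kjh27", "PHOENICIA", 11),
    (538, "YALE\\kjh27", "PHOENICIA", 7),
    (538, "YALE\\kjh27", "PHOENICIA", 7),
    (538, "YALE\\kjh27", "PHOENICIA", 2),
    (529, "(unknown)\\ken.hoover@yale.edu", "PHOENICIA", None),
    (529, "(unknown)\\ken.hoover@yale.edu", "PHOENICIA", None),
    (529, "YALE\\guest", "LAB-PC3", None),
]


def summarize(events):
    """Reduce a batch of logon/logoff/failure events to the slide's counters."""
    successes = [e for e in events if e[0] == LOGON_SUCCESS]
    stats = {
        "successful_logons": len(successes),
        "unique_users": len({e[1] for e in successes}),
        "by_type": Counter(e[3] for e in successes),
        "logoffs": sum(1 for e in events if e[0] == LOGOFF),
        # failures keyed by (user, workstation), as on the slide
        "failures": Counter((e[1], e[2]) for e in events if e[0] == LOGON_FAILED),
    }
    # Positive when some sessions never produced a 538 (see the next slides).
    stats["unmatched_logons"] = stats["successful_logons"] - stats["logoffs"]
    return stats


def render(stats):
    """Format the counters in the style of the demo output."""
    lines = [
        f"There were {stats['successful_logons']} successful logon events "
        f"from {stats['unique_users']} unique user(s)"
    ]
    for logon_type, n in sorted(stats["by_type"].items()):
        name = LOGON_TYPE_NAMES.get(logon_type, "other logons")
        lines.append(f"  {n} {name} (type {logon_type})")
    lines.append(f"There were {stats['logoffs']} user logoff events.")
    if stats["unmatched_logons"] > 0:
        lines.append(
            f"  {stats['unmatched_logons']} more logon events than logoff events."
        )
    total_failed = sum(stats["failures"].values())
    lines.append(
        f"There were {total_failed} attempts to log on with an invalid "
        f"username and/or password (event type 529)"
    )
    for (user, workstation), n in stats["failures"].most_common():
        lines.append(f"  {user} from {workstation} > {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE)))
```

Grouping failures by (user, workstation) rather than by user alone is what makes the last line useful: the same bad username from many workstations and many bad usernames from one workstation are different problems.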

6
Demo: Now use PerlScript and ASP
  • http://amt-sus1.its.yale.edu/cat

7
Frustration
  • Inconsistent recording of logoff events (ID 538)
    makes it difficult/impossible to track a user's
    session effectively.
  • Pre-WS 2003 machines only record the NetBIOS name
    of a client when a network connection is made.

8
Keep in mind
  • Since use of a domain account requires
    verification by a DC, footprints are left on the
    client, the server, and the DC that authenticated
    the user, so each machine has a different piece of
    the puzzle if you're doing forensics.
  • Users can be authenticated by any DC, so you
    need to check them all if you're looking for
    something specific.
  • Username YALE\kjh27, password mypASSw0RD!