Sunday, September 23, 2012

Office 365 Deployment


Initial Setup
Set up your Office 365 account at www.office365.com according to your environment.
Add your domain to your account.
o   Go to the Admin page and click Domains under the Management heading.
o   Verify your domain via a txt record under your authoritative DNS server.  See the online instructions for your particular provider.
o   Define the services you will enroll for Office 365.
Single Sign-On
Prepare Active Directory
If needed, create UPN to match your external domain - http://technet.microsoft.com/en-us/library/cc772007.aspx
Set users to default to this new UPN.
ADFS 2.0 Deployment
o   For redundancy, consider using a federation farm (WID – Windows Internal Database) with proxies and Network Load Balancers.
§  ADFS servers – Domain joined and not a DC
§  ADFS Proxies – Not domain joined and located in the DMZ (Port 443)
o   Configure internal DNS to point to the cluster name.
o   Configure external DNS to point to the NLB for the cluster.
o   Certificates
§  Secure Channel (SSL) from a 3rd party
§  Token Signing – Auto generated – USE SELF-SIGNED
§  Token Description – Not used often
o   Install ADFS 2.0
§  Run the ADFSSetup.exe
§  After installation is complete, open AD FS 2.0 Management and create a new Federation Service.  You will need to choose either a stand-alone or farm deployment.  Ensure your SSL certificate matches the Federation Service Name.  Use the auto-generated certificate for token signing.
§  You can ignore the message asking to Add a trusted relying party.  This will be done at a later step.
§  Verify the federation server is operational
        • https://fs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
§  For more details you can go to the online help here:

o   Install Update Rollup 2 for ADFS 2.0
o   ADFS Proxies
§  Consider deploying two federation server proxies to provide fault tolerance and use a network load balancer.
§  Run the ADFSSetup.exe
·         After accepting the license agreement the Server Role page will appear.  Select Federation server proxy.  A restart may be required.
·         Configure the necessary SSL Certificates (3rd Party).
·         Enter a Federation Service name that matches your certificate.  I used sts.domain.com.
·         Enter credentials with the required permissions to authorize a federation server proxy.
·         Review the settings and click next and close.
·         Verify that the proxy is operational.  Check the event logs for event ID 198 under the application logs.
Microsoft Online Services Module for PowerShell
Download and install Microsoft Online Services Sign-In Assistant version 7.0 or greater
http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx
Download the Microsoft Online Services Module
o   http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx
Import the module
o   PS C:\> Import-Module msonline
Connect to the MS Online Services
o   PS C:\> $cred = Get-Credential
o   PS C:\> Connect-MsolService -Credential $cred
List cmdlets
o   PS C:\> Get-Command -Module msonline
Connecting to Microsoft Office 365 with PowerShell
$cred = get-credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Directory Synchronization
Use the Microsoft Office 365 Deployment Readiness Tool to check for compatibility.
Do not install the tool on a domain controller.  It can be co-located with AD FS.
Activate directory synchronization
o   In your portal, click Admin then Users.  At the top of the page next to the Active Directory synchronization, click Set up and manage Active Directory synchronization and Activate.
o   Install the Directory Synchronization tool – Not on a Domain Controller
§  Download and install the Dir Sync tool for your OS
·         Enterprise Admin permissions are required and a new service account will be created – MSOL_AD_SYNC
·         Once installed, you can manually force a synchronization with the Start-OnlineCoexistenceSync command.  You will need to open the DirSyncConfigShell.psc1 PowerShell console located under the install directory.
Outlook Anywhere
Install a valid SSL certificate for Exchange which includes your autodiscover host name.
Install RPC over HTTP proxy component.
Wait 15 mins or reboot server.
Enable Outlook Anywhere on your Exchange 2007 server.
Wait 15 mins or reboot server.
If running Windows 2008, you may need to edit your hosts file to include:
o   Internal IP and hostname – 192.168.1.10     exchange
o   Internal IP and internal FQDN – 192.168.1.10 exchange.domain.local
Configure your public autodiscover DNS record to point to your DMZ IP address.
Configure your firewall to allow external access for port 443 to your server.

Hostnames/Certificates/Ports Accessible

Server        Hostname                  Certificate            Ports
AD FS Server  fs.domain.com             Auto/3rd Party SSL     443
AD FS Proxy   sts.domain.com            3rd Party SSL          443
Exchange      mail.domain.com           3rd Party UC/SAN SSL   25/443
              webmail.domain.com
              autodiscover.domain.com
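A check for the "verify the federation server is operational" step, added here and not part of the original post: it parses the FederationMetadata.xml that the AD FS server publishes, confirms the entityID carries the Federation Service Name you put on the SSL certificate (fs.domain.com in the table above), and computes the SHA-1 thumbprint of the published token-signing certificate so it can be compared with the one Office 365 holds for the federated domain. The metadata below is a constructed sample, and its certificate is placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample standing in for the document served at
# https://fs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml,
# trimmed to the elements this check reads. Placeholder certificate bytes.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder token-signing cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://fs.domain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def federation_service_host(metadata_xml: str) -> str:
    """Host in entityID; AD FS builds it from the Federation Service Name."""
    root = ET.fromstring(metadata_xml)
    return urlparse(root.get("entityID", "")).hostname or ""


def signing_cert_thumbprints(metadata_xml: str) -> list:
    """SHA-1 thumbprints (as the AD FS console shows) of each signing certificate."""
    root = ET.fromstring(metadata_xml)
    thumbs = []
    for kd in root.iterfind(".//md:KeyDescriptor[@use='signing']", NS):
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbs.append(hashlib.sha1(der).hexdigest().upper())
    return thumbs


def check_metadata(metadata_xml: str, expected_host: str) -> list:
    """Problems found; an empty list means the metadata matches the deployment."""
    problems = []
    host = federation_service_host(metadata_xml)
    if host != expected_host:
        problems.append(f"entityID host {host!r} does not match {expected_host!r}")
    if not signing_cert_thumbprints(metadata_xml):
        problems.append("no token-signing certificate published in metadata")
    return problems
```

Run the same functions against the real document fetched from your federation server; a thumbprint that differs from the one Office 365 shows for the domain means the token-signing certificate rolled over without the federation trust being updated.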

Monday, September 17, 2012

Hacking WPA


WPA/WPA2 with a pre-shared key is susceptible to dictionary attacks. The best protection against this type of attack is a long, complex passphrase, since the passphrase is what the Pre-Shared Key (PSK) is derived from, and changing it regularly.

WPA creates a per-session key called the Pairwise Transient Key (PTK). This key is derived from the PSK and other parameters such as the SSID, ANonce, SNonce, AP MAC and client MAC. The only parameter not readily available to an attacker is the PSK. The PSK is derived from the passphrase and the SSID, which are passed through the Password-Based Key Derivation Function (PBKDF2); the output is a 256-bit shared key.

An attacker will use a dictionary attack: each candidate passphrase is turned into a 256-bit PSK which, combined with the other parameters, yields a candidate PTK. The PTK is checked against the Message Integrity Check (MIC) in one of the handshake packets to see whether they match. If they do, the passphrase was guessed correctly. If not, the process repeats with the next entry in the dictionary.
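To make the derivation concrete, here is an added example (not from the original post) that computes the 256-bit PSK from passphrase and SSID with PBKDF2-HMAC-SHA1 exactly as 802.11i specifies, then measures how many candidate passphrases one CPU core can derive per second, which is the number that sizes a passphrase against a dictionary attack. The pair ("password", "IEEE") is the standard's published test vector; the keyspace figures assume a lower-case alphabet of 26 characters.

```python
import hashlib
import time

WPA_ITERATIONS = 4096   # fixed by IEEE 802.11i
PSK_LEN = 32            # 256-bit PSK


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).

    The SSID is the salt, so a precomputed table only helps against that one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), WPA_ITERATIONS, dklen=PSK_LEN)


def derivations_per_second(ssid: str, samples: int = 25) -> float:
    """Cost of one candidate passphrase on this CPU (one core, pure Python)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate{i:06d}", ssid)   # constructed throwaway candidates
    return samples / (time.perf_counter() - start)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of passphrases of the given length over the given alphabet."""
    return alphabet_size ** length


def days_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every passphrase at the measured rate."""
    return space / rate / 86400


if __name__ == "__main__":
    rate = derivations_per_second("IEEE")
    print(f"{rate:.0f} PSK derivations/s on this machine")
    for length in (8, 12, 16):
        days = days_to_exhaust(keyspace(length, 26), rate)
        print(f"{length} lower-case chars: {days:.3g} days to exhaust")
```

The 4096 iterations are what makes each guess expensive; GPU crackers raise the rate by orders of magnitude, so the comparison between passphrase lengths matters more than the absolute figure.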

This is for educational purposes only.  Do not attempt this on networks without the owner's explicit permission. The steps below illustrate the process:

  1. airodump-ng mon0 --channel X --write target (Wait for a WPA handshake; the capture is written to target-01.cap)
  2. aircrack-ng target-01.cap -w dictionary (Performs the dictionary attack)

Once you have the key, you can use Wireshark or airdecap-ng to view the packets.

Many thanks to Vivek Ramachandran of Securitytube for explaining the material!

Wednesday, September 12, 2012

Converting Primary Zones to AD Integrated Zones

Converting your primary DNS zones to AD integrated zones is a relatively simple process: select the check box to store the zone in Active Directory.  There are a few things to consider when making this change.
  • The DNS server must also be a domain controller.
  • Only primary zones can be stored in AD.
  • Secondary zones installed on other domain controllers will be converted when the primary zone is changed.  This process will occur once AD DS has been restarted.
  • In large environments, this process can take time.
  • Once the process has been complete, review the DNS logs and verify the zones are functioning properly.

Monday, September 3, 2012

Who's in the middle

When you're at your local coffee shop or joining that "Free Wifi" hotspot, you might want to think twice!  Anything you send and receive can be "sniffed" without you knowing.  I will demonstrate how easy it is to perform a Man in the Middle (MiTM) attack.  I will set up a "Free Wifi" hotspot and have my test machine connect for some "Free" browsing! You'll need a wireless card that supports packet injection.  The Alfa AWUS036H is a great model and well supported with Backtrack.

*******************************************************************************
 DISCLAIMER - This is only for educational purposes to help make you aware of the risks with wireless.

*******************************************************************************

The first step is to ensure your interfaces are up.

Next you'll need to put your card in monitor mode.  Additional commands may be used to resolve warning messages.

Now let's set the channel for our wireless card and the monitor interface.

It is now time to create our "Free Wifi" hotspot.  This command will remain open during the test.  You will see when "clients" connect.

A new interface will be created (at0) and will need to be brought up.  We will use brctl to create a bridge so that our "clients" can access the internet through eth0.

Next we'll need to assign IP addresses to the interfaces and bring up the bridge.

At this point all traffic is routed through the attacker's machine.  Tools such as Wireshark, urlsnarf, driftnet, or webspy could be used to monitor "client" traffic.

If you use public wifi, keep these things in mind.  Using a VPN is a good idea.