Tuesday, March 11, 2008

RealVNC System Tray Icon Hack

If you manage a large network, you know that keeping an eye on users is an essential part of your daily management. For those of you who use RealVNC to work on computers remotely, here is a little hack that will let you do it without the user knowing. RealVNC is a nice program for the domain environment, as it will not let a regular user open the management interface and make changes. The thing with RealVNC is that when you make a connection, the icon in the system tray changes color. This is a problem if you are trying to "catch someone in the act". Rather than hide the tray icon, you may want to make it look like they are never being watched. This gives the user a false sense of security, as they "know" when someone is watching (they think they are only watched when the icon changes color; you hacked the program so it does NOT change color when a connection is made). Follow these steps to make it happen.

1. Google & Download "Resource Hacker"
2. Shut Down The RealVNC Service (right-clicking the system tray icon and choosing close will work)
3. Open Resource Hacker And Open "winvnc4"
4. Expand "Icon Group"; Then "101"
5. Save "[Icon Group : 101 : 2057]" As Whatever You Wish (I Did "101")
6. Expand "105"
7. Right-Click And Select "Replace Resource..."
8. Click "Open File With New Icon..."
9. Navigate To Where You Saved Step 5
10. Select Your Saved File (Mine Was "101")
11. Make Sure Your "Select New Icon:" Shows The Correct Icon
12. Make Sure The "Select Icon To Replace:" Is Selected With "105" AND Shows The OLD Icon
13. Click Replace
14. Save The Modifications And Either Restart The Service Or Reboot The Machine (I Recommend A Reboot To Make Sure Everything Starts Cleanly)
15. Log In Remotely via VNC And Check Icon Status

That wasn't so bad, was it? :) Enjoy!!


Note: This Was Last Checked With RealVNC 4.1.2

Thursday, March 6, 2008

Shell Script - rdesktop.sh (updated)

Ok. I have made some major changes to my rdesktop.sh script. I was looking at it and said to myself 'why the crap did I do that'. Ha. It is much faster now, as it doesn't check to see if the remote host is running remote desktop. I just let it assume that it is. It will fail and then move on faster than if a check is done to see if it's running the service. I also made it a bit more interactive, as you can change the username AND password for each instance you run the script. That makes it so you can run multiple username & password combos against a host (I think I may write a script to take input from a username file and a password file to make it even more dynamic).



rdesktop.sh (updated)


#! /bin/bash

clear
echo "------------------------------------------------------------"
echo "This Will ATTEMPT To Log Into Machines Running Remote"
echo "Desktop With Username And Password Of Your Choice"
echo "------------------------------------------------------------"
sleep 4
clear

echo "-----------------------------"
echo "Enter First 3 Octets (x.x.x):"
read ipthree
echo "-----------------------------"
echo "Enter 4th Octet FIRST IP:"
read ipfirst
echo "-----------------------------"
echo "Enter 4th Octet ENDING IP:"
read iplast
echo "-----------------------------"
sleep 1
clear

echo "------------------------------------------"
echo "Enter The Username To Try: (Administrator)"
read usern
echo "------------------------------------------"
echo "Enter The Password To Try:"
read passn
echo "------------------------------------------"
sleep 1
clear

iprange=`echo $ipthree | cut -d. -f1-3`
# Use If First IP Range Is Giving Trouble - CAUTION, May Give Unwanted Results If 'ipthree' Is Fatfingered
#iprange=`echo $ipthree`

for (( i = $ipfirst ; i <= $iplast ; i++ ))
do

echo "Trying $iprange.$i...."
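# Note: -p puts the password on the command line, where other local users can see it in the process list
rdesktop -k en-us -a 16 -u "$usern" -p "$passn" "$iprange.$i"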
clear

done
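
For the defending side, a loop like the one above leaves a recognizable trace: one source opening TCP/3389 to many consecutive hosts of the same /24 within a short time. The following is an added example, not part of the original post; the log format (epoch, source, destination, destination port), the addresses and the thresholds are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag sources that touch many distinct RDP hosts in one /24.

# Constructed sample connection log: epoch src dst dport
sample_log() {
cat <<'EOF'
1204800000 10.0.5.23 192.168.1.10 3389
1204800004 10.0.5.23 192.168.1.11 3389
1204800008 10.0.5.23 192.168.1.12 3389
1204800009 10.0.5.40 192.168.1.12 3389
1204800012 10.0.5.23 192.168.1.13 3389
1204800016 10.0.5.23 192.168.1.14 3389
1204800017 10.0.5.23 192.168.1.14 445
1204800020 10.0.5.23 192.168.1.15 3389
1204800150 10.0.5.40 192.168.1.12 3389
EOF
}

# detect_rdp_sweep MIN_HOSTS WINDOW_SECONDS  (reads the log on stdin)
# Prints "source network distinct_hosts" for every source that reached at
# least MIN_HOSTS different hosts of one /24 on port 3389 inside one window.
# Windows are fixed buckets, so a sweep that straddles a bucket boundary is
# counted in two halves; pick a window comfortably longer than a full sweep.
detect_rdp_sweep() {
    awk -v min="$1" -v win="$2" '
    $4 == 3389 {
        split($3, o, ".")
        net = o[1] "." o[2] "." o[3] ".0/24"
        key = $2 " " net " " int($1 / win)
        # Count each destination once per source, network and window
        if (!((key, $3) in seen)) { seen[key, $3] = 1; hosts[key]++ }
    }
    END {
        for (k in hosts)
            if (hosts[k] >= min) { split(k, p, " "); print p[1], p[2], hosts[k] }
    }' | sort
}

# Five or more distinct RDP targets within five minutes is treated as a sweep
sample_log | detect_rdp_sweep 5 300
```

The repeated connections from 10.0.5.40 to a single host stay below the threshold, which is what keeps ordinary remote administration out of the result.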

Shell Script - software.sh

This is a handy script in case you know you have machines running SNMP (see shell script - snmp.sh). It will make an attempt to identify what software is installed. It outputs to a semi-colon delimited file to make it easy to parse it apart. I have tested this against XP Pro machines only. If you have success with others (or needed to modify it to work with others) let me know. :)



software.sh


#! /bin/bash

clear
echo "------------------------------------------------------------"
echo "This Will ATTEMPT To Pull A List Of Software Installed On"
echo "Computers via SNMP. You Can Then Grep Out A Specific"
echo "Program Or Just Browse The List"
echo "Just FYI... You Probably Need To Run This As ROOT"
echo "------------------------------------------------------------"
echo "Continue? [y/n]"
read cont
# Compare the value that was read, not the literal word "cont"
if [ "$cont" = n ]
then
exit
else
sleep 1
fi
clear

echo "--------------------------------------------"
echo "Output Will Go To 'software.sh.txt' & The Screen"
echo "--------------------------------------------"
sleep 3
clear

echo "-----------------------------"
echo "Enter First 3 Octets (x.x.x):"
read ipthree
echo "-----------------------------"
echo "Enter 4th Octet FIRST IP:"
read ipfirst
echo "-----------------------------"
echo "Enter 4th Octet ENDING IP:"
read iplast
echo "-----------------------------"
sleep 1
clear

echo "-----------------------------------------------------"
echo "Enter The Community String For Making The Connection:"
echo "(most default strings are: public)"
read string
echo "-----------------------------------------------------"
sleep 1
clear

echo "Results Start From : `date`" > software.sh.txt
echo "-------------------------------------------------------" >> software.sh.txt
echo "IP Range: $ipthree.$ipfirst-$iplast" >> software.sh.txt
echo "-------------------------------------------------------" >> software.sh.txt
echo "Community: $string" >> software.sh.txt
echo "-------------------------------------------------------" >> software.sh.txt

iprange=`echo $ipthree | cut -d. -f1-3`
# Use If First IP Range Is Giving Trouble - CAUTION, May Give Unwanted Results If 'ipthree' Is Fatfingered
#iprange=`echo $ipthree`

for (( i = $ipfirst ; i <= $iplast ; i++ ))
do

snmpwalk -v 1 -c "$string" "$iprange.$i" | grep SWInstalledName | cut -d: -f4 | cut -d'"' -f2 | sed -e "s/^/$iprange.$i:/" >> software.sh.txt

clear
cat software.sh.txt

done
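
The `cut -d: -f4` step in the pipeline above splits on every colon, so an installed-software name that itself contains a colon is cut short in the output file. The following added example (not part of the original script) runs the original pipeline and an anchored `sed` parse over the same constructed snmpwalk lines; the software names, the placeholder KB number and the address are sample values, and the address check covers the "fatfingered" case the script's comment warns about.

```shell
#!/bin/sh
# Added example: parsing hrSWInstalledName lines without truncating names.

# Constructed snmpwalk output in net-snmp's text format
sample_walk() {
cat <<'EOF'
HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "Adobe Reader 8.1.2"
HOST-RESOURCES-MIB::hrSWInstalledName.2 = STRING: "Security Update for Windows XP: KB000000"
HOST-RESOURCES-MIB::hrSWInstalledDate.1 = STRING: 2008-3-1,9:15:0.0
HOST-RESOURCES-MIB::hrSWInstalledName.3 = STRING: "VNC Free Edition 4.1.2"
EOF
}

# The pipeline from software.sh, with the host address passed as $1
parse_original() {
    grep SWInstalledName | cut -d: -f4 | cut -d'"' -f2 | sed -e "s/^/$1:/"
}

# Anchored parse: take everything between the first quote after "STRING: "
# and the closing quote at end of line, so colons inside the name survive.
# $1 is checked to be a dotted quad before it is placed into the sed
# expression, so a mistyped value cannot alter the substitution.
parse_anchored() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
    sed -n 's/^.*hrSWInstalledName\.[0-9][0-9]* = STRING: "\(.*\)"$/'"$1"':\1/p'
}

echo "original pipeline:"
sample_walk | parse_original 192.168.1.20
echo "anchored parse:"
sample_walk | parse_anchored 192.168.1.20
```

Because an IPv4 address never contains a colon, the first colon on each output line is still an unambiguous separator between host and software name.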

Tuesday, March 4, 2008

Shell Script - snmp.sh

This script is another one that will ATTEMPT to identify machines running SNMP on a network. I wrote this so I could guarantee that the machine is running SNMP. It will actually pull data from a 'snmpwalk' and then grep out 'SNMP' from the first line. This is because the first line shows what version snmp is running. The script assumes the service is version 1. There is also input so you can add your own text for the community. Enjoy!



snmp.sh


#! /bin/bash

clear
echo "------------------------------------------------------------"
echo "This Will ATTEMPT To Identify Nodes Running SNMP"
echo "Just FYI... You Probably Need To Run This As ROOT"
echo "------------------------------------------------------------"
sleep 5
clear

echo "--------------------------------------------"
echo "Output Will Go To 'snmp.sh.txt' & The Screen"
echo "--------------------------------------------"
sleep 3
clear

echo "-----------------------------"
echo "Enter First 3 Octets (x.x.x):"
read ipthree
echo "-----------------------------"
echo "Enter 4th Octet FIRST IP:"
read ipfirst
echo "-----------------------------"
echo "Enter 4th Octet ENDING IP:"
read iplast
echo "-----------------------------"
sleep 1
clear

echo "-----------------------------------------------------"
echo "Enter The Community String For Making The Connection:"
echo "(most default strings are: public)"
read string
echo "-----------------------------------------------------"
sleep 1
clear

echo "Results Start From : `date`" > snmp.sh.txt
echo "-------------------------------------------------------" >> snmp.sh.txt
echo "IP Range: $ipthree.$ipfirst-$iplast" >> snmp.sh.txt
echo "-------------------------------------------------------" >> snmp.sh.txt
echo "Community: $string" >> snmp.sh.txt
echo "-------------------------------------------------------" >> snmp.sh.txt

for (( i = $ipfirst ; i <= $iplast ; i++ ))
do
result=`snmpwalk -v 1 -c "$string" "$ipthree.$i" | head -n1 | cut -c1-4`

# Quote $result: it is empty when the host does not answer
if [ "$result" = SNMP ]
then
echo "Y:$ipthree.$i" >> snmp.sh.txt
clear
cat snmp.sh.txt
else
clear
cat snmp.sh.txt
fi

done

Shell Script - os.sh

This is a script that will ATTEMPT to identify what operating systems are running on a network. I made it so it will output to the screen and to a file. So far it has been somewhat successful in identifying operating systems. I give no guarantee that it will get -every- o.s. on your network.



os.sh


#! /bin/bash

clear
echo "------------------------------------------------------------"
echo "This Will ATTEMPT To Identify Operating Systems On A Network"
echo "Just FYI... You Probably Need To Run This As ROOT"
echo "------------------------------------------------------------"
sleep 5
clear

echo "------------------------------------------"
echo "Output Will Go To 'os.sh.txt' & The Screen"
echo "------------------------------------------"
echo "Results Start From : `date`" > os.sh.txt
echo "----------------------------------------------------------------------------" >> os.sh.txt
sleep 3
clear

echo "-----------------------------"
echo "Enter First 3 Octets (x.x.x):"
read ipthree
echo "-----------------------------"
echo "Enter 4th Octet FIRST IP:"
read ipfirst
echo "-----------------------------"
echo "Enter 4th Octet ENDING IP:"
read iplast
echo "-----------------------------"
sleep 1
clear

iprange=`echo $ipthree | cut -d. -f1-3`
# Use If First IP Range Is Giving Trouble - CAUTION, May Give Unwanted Results If 'ipthree' Is Fatfingered
#iprange=`echo $ipthree`

for (( i = $ipfirst ; i <= $iplast ; i++ ))
do
nmaplist=`nmap -P0 -O "$iprange.$i" | grep Running`
nmapcut=`echo $nmaplist | cut -c1-3`

# Quote $nmapcut: it is empty when nmap prints no "Running" line
if [ "$nmapcut" = Run ]
then
echo "$iprange.$i :$nmaplist" >> os.sh.txt
clear
cat os.sh.txt
else
clear
cat os.sh.txt
fi

done