Clientes VPN, Radius, Network Access Protection, logs? Windows server 2012

Amigos de Inseguros !!!

Dicen en mi barrio que todo lo malo se pega. Eso me decía mi madre de pequeño cuando me juntaba con los chicos más estudiosos del lugar !!!


Del mundo Linux tengo que decir que lo que más me ha calado hondo son los Logs.

Aunque tenemos información de bajo nivel mediante el visor de sucesos de Windows, en ocasiones necesitamos acceder a información detallada de un evento, y para eso tenemos los ficheros de logs.

Al más puro estilo linux, vamos a ver un log de Windows del que no se presta mucha atención, el de los servicios de acceso a redes, vpn y demás farándulas.

Para empezar, el típico tail -F de Linux, para ver en tiempo real el log, lo tenemos con : Get-Content -Path C:\Windows\system32\LogFiles\IN***.log -Wait

A muestra de ejemplo, voy a pegar un log. Los datos sensibles los omito.

"JANGO","RAS",01/27/2015,17:48:46,1,"dominio.COM\jmolina","dominio.com/Users/Joaquín Molina ","ip servidor","ipcliente",,,"JANGO","ipservidor",51,,"piservidor","JANGO",,,5,,1,2,4,"Conexiones al servidor de Enrutamiento y acceso remoto de Microsoft",0,"311 1 ip servidor 01/08/2015 12:10:52 640",,,,,,,,,"78",,,,,,,,,1,1,"ip cliente","ip servidor",,,,,,,"MSRASV5.20",311,,,,,"Directiva del Servicio de enrutamiento y acceso remoto de Microsoft",1,,,"MSRAS-0-MIACA-PC","MSRASV5.20"

Como se puede apreciar, tenemos todo tipo de información de la autenticación de nuestros clientes de redes remotos.

Si necesitas concretar alguno de los campos, lo mejor es tener la descripción oficial de Microsoft a mano. Pongo un ejemplo con la descripción concreta:

"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,


Value shown in example Attribute Data type Description
"CLIENTCOMP" ComputerName Text The name of the server where the packet was received (this is an IAS-internal attribute).
"IAS" ServiceName Text The name of the service that generated the record—IAS or the Routing and Remote Access service (this is an IAS-internal attribute).
03/07/2008 Record-Date Time The date at the NPS or Routing and Remote Access server (this is an IAS-internal attribute).
13:04:33 Record-Time Time The time at the NPS or Routing and Remote Access server (this is an IAS-internal attribute).
1 Packet-Type Number The type of packet, which can be:
  • 1 = Access-Request
  • 2 = Access-Accept
  • 3 = Access-Reject
  • 4 = Accounting-Request
This is an IAS-internal attribute.
"client" User-Name Text The user identity, as specified by the user.

Fully-Qualified-Distinguished-Name Text The user name in canonical format (this is an IAS-internal attribute).

Called-Station-ID Text The phone number dialed by the user.

Calling-Station-ID Text The phone number from which the call originated.

Callback-Number Text The callback phone number.

Framed-IP-Address Text The framed address to be configured for the user.

NAS-Identifier Text The text that identifies the network access server originating the request.

NAS-IP-Address Text The IP address of the network access server originating the request.

NAS-Port Number The physical port number of the network access server originating the request.
9 Client-Vendor Number The manufacturer of the network access server (this is an IAS-internal attribute).
"10.10.10.10" Client-IP-Address Text The IP address of the RADIUS client (this is an IAS-internal attribute).
"npsclient" Client-Friendly-Name Text The friendly name for the RADIUS client (this is an IAS-internal attribute).

Event-Timestamp Time The date and time that this event occurred on the network access server.

Port-Limit Number The maximum number of ports that the network access server provides to the user.

NAS-Port-Type Number The type of physical port that is used by the network access server originating the request.

Connect-Info Text Information that is used by the network access server to specify the type of connection made. Typical information includes connection speed and data encoding protocols.

Framed-Protocol Number The protocol to be used.

Service-Type Number The type of service that the user has requested.
1 Authentication-Type Number The authentication scheme, which is used to verify the user and can be:
  • 1 = PAP
  • 2 = CHAP
  • 3 = MS-CHAP
  • 4 = MS-CHAP v2
  • 5 = EAP
  • 7 = None
  • 8 = Custom
This is an IAS-internal attribute.

Policy-Name Text The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, then this attribute is blank.
0 Reason-Code Number The reason for rejecting a user, which can be:
  • 0 = IAS_SUCCESS
  • 1 = IAS_INTERNAL_ERROR
  • 2 = IAS_ACCESS_DENIED
  • 3 = IAS_MALFORMED_REQUEST
  • 4 = IAS_GLOBAL_CATALOG_UNAVAILABLE
  • 5 = IAS_DOMAIN_UNAVAILABLE
  • 6 = IAS_SERVER_UNAVAILABLE
  • 7 = IAS_NO_SUCH_DOMAIN
  • 8 = IAS_NO_SUCH_USER
  • 16 = IAS_AUTH_FAILURE
  • 17 = IAS_CHANGE_PASSWORD_FAILURE
  • 18 = IAS_UNSUPPORTED_AUTH_TYPE
  • 32 = IAS_LOCAL_USERS_ONLY
  • 33 = IAS_PASSWORD_MUST_CHANGE
  • 34 = IAS_ACCOUNT_DISABLED
  • 35 = IAS_ACCOUNT_EXPIRED
  • 36 = IAS_ACCOUNT_LOCKED_OUT
  • 37 = IAS_INVALID_LOGON_HOURS
  • 38 = IAS_ACCOUNT_RESTRICTION
  • 48 = IAS_NO_POLICY_MATCH
  • 64 = IAS_DIALIN_LOCKED_OUT
  • 65 = IAS_DIALIN_DISABLED
  • 66 = IAS_INVALID_AUTH_TYPE
  • 67 = IAS_INVALID_CALLING_STATION
  • 68 = IAS_INVALID_DIALIN_HOURS
  • 69 = IAS_INVALID_CALLED_STATION
  • 70 = IAS_INVALID_PORT_TYPE
  • 71 = IAS_INVALID_RESTRICTION
  • 80 = IAS_NO_RECORD
  • 96 = IAS_SESSION_TIMEOUT
  • 97 = IAS_UNEXPECTED_REQUEST
This is an IAS-internal attribute.

Class Text The attribute that is sent to the client in an Access-Accept packet.

Session-Timeout Number The length of time (in seconds) before the session is terminated.

Idle-Timeout Number The length of idle time (in seconds) before the session is terminated.

Termination-Action Number The action that the network access server takes when service is completed.

EAP-Friendly-Name Text The friendly name of the EAP-based authentication method that was used by the access client and NPS server during the authentication process. For example, if the client and server use Extensible Authentication Protocol (EAP) and the EAP type MS-CHAP v2, the value of EAP-Friendly-Name is “Microsoft Secured Password (EAP-MSCHAPv2)."

Acct-Status-Type Number The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Server session.

Acct-Delay-Time Number The length of time (in seconds) for which the network access server has been sending the same accounting packet.

Acct-Input-Octets Number The number of octets received during the session.

Acct-Output-Octets Number The number of octets sent during the session.

Acct-Session-Id Text The unique numeric string that identifies the server session.

Acct-Authentic Number The number that specifies which server authenticated an incoming call.

Acct-Session-Time Number The length of time (in seconds) for which the session has been active.

Acct-Input-Packets Number The number of packets received during the session.

Acct-Output-Packets Number The number of packets sent during the session.

Acct-Terminate-Cause Number The reason that a connection was terminated.

Acct-Multi-Ssn-ID Text The unique numeric string that identifies the multilink session.

Acct-Link-Count Number The number of links in a multilink session.

Acct-Interim-Interval Number The length of interval (in seconds) between each interim update that the network access server sends.

Tunnel-Type Number The tunneling protocol to be used.

Tunnel-Medium-Type Number The medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers.

Tunnel-Client-Endpt Text The IP address of the tunnel client.

Tunnel-Server-Endpt Text The IP address of the tunnel server.

Acct-Tunnel-Conn Text An identifier assigned to the tunnel.

Tunnel-Pvt-Group-ID Text The group ID for a specific tunneled session.

Tunnel-Assignment-ID Text The tunnel to which a session is assigned.

Tunnel-Preference Number The preference of the tunnel type, as indicated with the Tunnel-Type attribute when multiple tunnel types are supported by the access server.

MS-Acct-Auth-Type Number A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-Acct-EAP-Type Number A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-RAS-Version Text A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-RAS-Vendor Number A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-CHAP-Error Text A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-CHAP-Domain Text A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-MPPE-Encryption-Types Number A Routing and Remote Access service attribute. For more information, see RFC 2548.

MS-MPPE-Encryption-Policy Number A Routing and Remote Access service attribute. For more information, see RFC 2548.

Proxy-Policy-Name Text The name of the connection request policy that matched the connection request.

Provider-Type Number Specifies the location where authentication occurs. Possible values are 0, 1, and 2. A value of 0 indicates that no authentication occurred. A value of 1 indicates that authentication occurs on the local NPS server. A value of 2 indicates that the connection request is forwarded to a remote RADIUS server for authentication.

Provider-Name Text A string value that corresponds to Provider-Type. Possible values are "None" for a Provider-Type value of 0, "Windows" for a Provider-Type value of 1, and "Radius Proxy" for Provider-Type value of 2.

Remote-Server-Address IP address The IP address of the remote RADIUS server to which the connection request was forwarded for authentication.
"CLIENTCOMP" MS-RAS-Client-Name Text The name of the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7 and less than 40.
Value, which specifies the computer name of the endpoint that is requesting network access, is sent in ASCII format and is null terminated.
The valid character set for the computer name includes letters, numbers, and the following symbols: ! @ # $ % ^ & ‘ ) ( . - _ { } ~.

MS-RAS-Client-Version Number The operating system version that is installed on the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7.
Value, which specifies the version of the operating system on a remote access client, is a string that is in network byte order.

Como siempre, gracias por leerme. Espero que os guste.

Recuerda que puedes buscar entre mis libros de hacking en español en en recopilatorio de libros sobre hacking