Clientes VPN, Radius, Network Access Protection, logs? Windows server 2012
Amigos de Inseguros !!!
Dicen en mi barrio que todo lo malo se pega. Eso me decía mi madre de pequeño cuando me juntaba con los chicos más estudiosos del lugar !!!
Del mundo Linux tengo que decir que lo que más me ha calado hondo son los Logs.
Aunque tenemos información de bajo nivel mediante el visor de sucesos de Windows, en ocasiones necesitamos acceder a información detallada de un evento, y para eso tenemos los ficheros de logs.
Al más puro estilo linux, vamos a ver un log de Windows del que no se presta mucha atención, el de los servicios de acceso a redes, vpn y demás farándulas.
Para empezar, el típico tail -F de Linux, para ver en tiempo real el log, lo tenemos con : Get-Content -Path C:\Windows\system32\LogFiles\IN***.log -Wait
A muestra de ejemplo, voy a pegar un log. Los datos sensibles los omito.
"JANGO","RAS",01/27/2015,17:48:46,1,"dominio.COM\jmolina","dominio.com/Users/JoaquÃn Molina ","ip servidor","ipcliente",,,"JANGO","ipservidor",51,,"piservidor","JANGO",,,5,,1,2,4,"Conexiones al servidor de Enrutamiento y acceso remoto de Microsoft",0,"311 1 ip servidor 01/08/2015 12:10:52 640",,,,,,,,,"78",,,,,,,,,1,1,"ip cliente","ip servidor",,,,,,,"MSRASV5.20",311,,,,,"Directiva del Servicio de enrutamiento y acceso remoto de Microsoft",1,,,"MSRAS-0-MIACA-PC","MSRASV5.20"
Como se puede apreciar, tenemos todo tipo de información de la autenticación de nuestros clientes de redes remotos.
Si necesitas concretar alguno de los campos, lo mejor es tener la descripción oficial de Microsoft a mano. Pongo un ejemplo con la descripción concreta:
Como siempre, gracias por leerme. Espero que os guste.
Recuerda que puedes buscar entre mis libros de hacking en español en en recopilatorio de libros sobre hacking
Dicen en mi barrio que todo lo malo se pega. Eso me decía mi madre de pequeño cuando me juntaba con los chicos más estudiosos del lugar !!!
Del mundo Linux tengo que decir que lo que más me ha calado hondo son los Logs.
Aunque tenemos información de bajo nivel mediante el visor de sucesos de Windows, en ocasiones necesitamos acceder a información detallada de un evento, y para eso tenemos los ficheros de logs.
Al más puro estilo linux, vamos a ver un log de Windows del que no se presta mucha atención, el de los servicios de acceso a redes, vpn y demás farándulas.
A muestra de ejemplo, voy a pegar un log. Los datos sensibles los omito.
"JANGO","RAS",01/27/2015,17:48:46,1,"dominio.COM\jmolina","dominio.com/Users/JoaquÃn Molina ","ip servidor","ipcliente",,,"JANGO","ipservidor",51,,"piservidor","JANGO",,,5,,1,2,4,"Conexiones al servidor de Enrutamiento y acceso remoto de Microsoft",0,"311 1 ip servidor 01/08/2015 12:10:52 640",,,,,,,,,"78",,,,,,,,,1,1,"ip cliente","ip servidor",,,,,,,"MSRASV5.20",311,,,,,"Directiva del Servicio de enrutamiento y acceso remoto de Microsoft",1,,,"MSRAS-0-MIACA-PC","MSRASV5.20"
Como se puede apreciar, tenemos todo tipo de información de la autenticación de nuestros clientes de redes remotos.
Si necesitas concretar alguno de los campos, lo mejor es tener la descripción oficial de Microsoft a mano. Pongo un ejemplo con la descripción concreta:
"CLIENTCOMP","IAS",03/07/2008,13:04:33,2,,"npsclientdc/Users/client",,,,,,,,9,"10.10.10.10","npsclient",,,,,,2,1,"Allow access if dial-in permission is enabled",0,"311 1 10.10.10.11 03/07/2008 20:04:30 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,| Value shown in example | Attribute | Data type | Description |
|---|---|---|---|
| "CLIENTCOMP" | ComputerName | Text | The name of the server where the packet was received (this is an IAS-internal attribute). |
| "IAS" | ServiceName | Text | The name of the service that generated the record—IAS or the Routing and Remote Access service (this is an IAS-internal attribute). |
| 03/07/2008 | Record-Date | Time | The date at the NPS or Routing and Remote Access server (this is an IAS-internal attribute). |
| 13:04:33 | Record-Time | Time | The time at the NPS or Routing and Remote Access server (this is an IAS-internal attribute). |
| 1 | Packet-Type | Number | The type of packet, which can be:
|
| "client" | User-Name | Text | The user identity, as specified by the user. |
| Fully-Qualified-Distinguished-Name | Text | The user name in canonical format (this is an IAS-internal attribute). | |
| Called-Station-ID | Text | The phone number dialed by the user. | |
| Calling-Station-ID | Text | The phone number from which the call originated. | |
| Callback-Number | Text | The callback phone number. | |
| Framed-IP-Address | Text | The framed address to be configured for the user. | |
| NAS-Identifier | Text | The text that identifies the network access server originating the request. | |
| NAS-IP-Address | Text | The IP address of the network access server originating the request. | |
| NAS-Port | Number | The physical port number of the network access server originating the request. | |
| 9 | Client-Vendor | Number | The manufacturer of the network access server (this is an IAS-internal attribute). |
| "10.10.10.10" | Client-IP-Address | Text | The IP address of the RADIUS client (this is an IAS-internal attribute). |
| "npsclient" | Client-Friendly-Name | Text | The friendly name for the RADIUS client (this is an IAS-internal attribute). |
| Event-Timestamp | Time | The date and time that this event occurred on the network access server. | |
| Port-Limit | Number | The maximum number of ports that the network access server provides to the user. | |
| NAS-Port-Type | Number | The type of physical port that is used by the network access server originating the request. | |
| Connect-Info | Text | Information that is used by the network access server to specify the type of connection made. Typical information includes connection speed and data encoding protocols. | |
| Framed-Protocol | Number | The protocol to be used. | |
| Service-Type | Number | The type of service that the user has requested. | |
| 1 | Authentication-Type | Number | The authentication scheme, which is used to verify the user and can be:
|
| Policy-Name | Text | The friendly name of the network policy that either granted or denied access. This attribute is logged in Access-Accept and Access-Reject messages. If a user is rejected because none of the network policies matched, then this attribute is blank. | |
| 0 | Reason-Code | Number | The reason for rejecting a user, which can be:
|
| Class | Text | The attribute that is sent to the client in an Access-Accept packet. | |
| Session-Timeout | Number | The length of time (in seconds) before the session is terminated. | |
| Idle-Timeout | Number | The length of idle time (in seconds) before the session is terminated. | |
| Termination-Action | Number | The action that the network access server takes when service is completed. | |
| EAP-Friendly-Name | Text | The friendly name of the EAP-based authentication method that was used by the access client and NPS server during the authentication process. For example, if the client and server use Extensible Authentication Protocol (EAP) and the EAP type MS-CHAP v2, the value of EAP-Friendly-Name is “Microsoft Secured Password (EAP-MSCHAPv2)." | |
| Acct-Status-Type | Number | The number that specifies whether an accounting packet starts or stops a bridging, routing, or Terminal Server session. | |
| Acct-Delay-Time | Number | The length of time (in seconds) for which the network access server has been sending the same accounting packet. | |
| Acct-Input-Octets | Number | The number of octets received during the session. | |
| Acct-Output-Octets | Number | The number of octets sent during the session. | |
| Acct-Session-Id | Text | The unique numeric string that identifies the server session. | |
| Acct-Authentic | Number | The number that specifies which server authenticated an incoming call. | |
| Acct-Session-Time | Number | The length of time (in seconds) for which the session has been active. | |
| Acct-Input-Packets | Number | The number of packets received during the session. | |
| Acct-Output-Packets | Number | The number of packets sent during the session. | |
| Acct-Terminate-Cause | Number | The reason that a connection was terminated. | |
| Acct-Multi-Ssn-ID | Text | The unique numeric string that identifies the multilink session. | |
| Acct-Link-Count | Number | The number of links in a multilink session. | |
| Acct-Interim-Interval | Number | The length of interval (in seconds) between each interim update that the network access server sends. | |
| Tunnel-Type | Number | The tunneling protocol to be used. | |
| Tunnel-Medium-Type | Number | The medium to use when creating a tunnel for protocols. For example, L2TP packets can be sent over multiple link layers. | |
| Tunnel-Client-Endpt | Text | The IP address of the tunnel client. | |
| Tunnel-Server-Endpt | Text | The IP address of the tunnel server. | |
| Acct-Tunnel-Conn | Text | An identifier assigned to the tunnel. | |
| Tunnel-Pvt-Group-ID | Text | The group ID for a specific tunneled session. | |
| Tunnel-Assignment-ID | Text | The tunnel to which a session is assigned. | |
| Tunnel-Preference | Number | The preference of the tunnel type, as indicated with the Tunnel-Type attribute when multiple tunnel types are supported by the access server. | |
| MS-Acct-Auth-Type | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. | |
| MS-Acct-EAP-Type | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. | |
| MS-RAS-Version | Text | A Routing and Remote Access service attribute. For more information, see RFC 2548. | |
| MS-RAS-Vendor | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. | |
| MS-CHAP-Error | Text | A Routing and Remote Access service attribute. For more information, see RFC 2548. | |
| MS-CHAP-Domain | Text | A Routing and Remote Access service attribute. For more information, see RFC 2548. | |
| MS-MPPE-Encryption-Types | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. | |
| MS-MPPE-Encryption-Policy | Number | A Routing and Remote Access service attribute. For more information, see RFC 2548. | |
| Proxy-Policy-Name | Text | The name of the connection request policy that matched the connection request. | |
| Provider-Type | Number | Specifies the location where authentication occurs. Possible values are 0, 1, and 2. A value of 0 indicates that no authentication occurred. A value of 1 indicates that authentication occurs on the local NPS server. A value of 2 indicates that the connection request is forwarded to a remote RADIUS server for authentication. | |
| Provider-Name | Text | A string value that corresponds to Provider-Type. Possible values are "None" for a Provider-Type value of 0, "Windows" for a Provider-Type value of 1, and "Radius Proxy" for Provider-Type value of 2. | |
| Remote-Server-Address | IP address | The IP address of the remote RADIUS server to which the connection request was forwarded for authentication. | |
| "CLIENTCOMP" | MS-RAS-Client-Name | Text | The name of the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7 and less than 40. Value, which specifies the computer name of the endpoint that is requesting network access, is sent in ASCII format and is null terminated. The valid character set for the computer name includes letters, numbers, and the following symbols: ! @ # $ % ^ & ‘ ) ( . - _ { } ~. |
| MS-RAS-Client-Version | Number | The operating system version that is installed on the remote access client. The Vendor-Length of the Value field, including the vendor ID, vendor-type, vendor-length, and value, must be at least 7. Value, which specifies the version of the operating system on a remote access client, is a string that is in network byte order. |
Como siempre, gracias por leerme. Espero que os guste.
Recuerda que puedes buscar entre mis libros de hacking en español en en recopilatorio de libros sobre hacking
