2015-00 System Setup

Introduction

In our class, we are going to be using a very wide range of systems; these include

  • Windows 7 (x86)
  • Windows 7 (x64) (SP 1)
  • Windows 8 (x86)
  • Windows 8 (x64)
  • Windows 2008 R2 (x64)
  • Windows 2012 (x64)
  • CentOS 6.2 (x64)
  • Ubuntu 12.04 (x86) Desktop
  • Ubuntu 12.04 (x64) Server
  • Mint 13 (x64) Cinnamon
  • Mint 13 (x86) KDE
  • Kali 1.0.5

These images will be present on your laboratory system when you start class. They are all VMWare images, and they all have a Snapshot named "Ready for Class". If you want to revert your image back to the way it was at the start of class, just revert to that snapshot. If you accidentally delete an image from your system, you can grab a fresh copy from the class lab server at //kestrel/labshare. Just remember that these images come to a total of 140 GB of goodness, so don’t expect anything to happen quickly.

Additional systems will be provided as the course moves along; you will learn about these in class.

On many (many) occasions, you will need to set up a new copy of one of these systems. The catch is that this is not as simple as just making a copy of the virtual machine and powering it on. These notes provide a reference for what needs to be done when duplicating one of these virtual machines, all in one place to make life easier for you, the student. Don’t worry- I have plenty of ways that’ll make your life, ummm, interesting as the course goes on.

Moving versus Copying Virtual Machines

As you have probably guessed, the easiest way to duplicate a virtual machine is to simply copy its files to a new directory. However, when a virtual machine turns up in a new place in the file system, e.g. because it was copied to a new directory, VMWare will ask you the first time the system is run whether it has been "moved" or "copied". In general, you want to select "copied" here. When a system is "moved", its MAC address remains unchanged; if the original is also still on the network, you end up with two systems trying to communicate with identical MAC addresses, and then bad things happen.

Authentication Credentials

All of the systems have the same set of default credentials:

  • User: zathras
  • Password: password1!

Now you may be asking- who is Zathras? Well, Zathras is your network administrator; Zathras lives quite the sad life. Now you may wonder why Zathras uses the same account name on each system; for that you’ll have to ask Zathras. At least Zathras is trained in crisis management- a skill that will be important in our class.

On the Windows systems, this is an administrator account. On the CentOS 6.2 system, the root password is the same: "password1!". The Ubuntu systems and the Mint system (as an Ubuntu derivative) do not have a root account.

You may want to change these passwords, quickly.

Network Structure

The classroom network structure has been designed for the easy use of virtual machines as well as to separate out different network spaces for different purposes.

All of the physical systems (hosts) on the lab network take an address via DHCP in the 10.0.0.0/24 network, meaning that they live in the space 10.0.0.1 – 10.0.0.253. The gateway for that subnet is at 10.0.0.254. Systems with addresses in this range are considered out-of-bounds for offensive operations. Remember that other classes use this same lab, and we need to leave the room in a fully functional state when we leave.

Virtual machines that are started in the lab can ask for an address via DHCP; one will be assigned in the 10.0.1.0/24 network, and they will receive addresses in the 10.0.1.1 – 10.0.1.253 range. The gateway for this subnet is 10.0.1.254. Students may set up and use this address space freely. All systems set up in this subnet are considered in-play and fair targets during any exercise.

The instructor reserves the subnet 10.0.2.0/24; the gateway is 10.0.2.254. Systems that are part of exercise control will live on this subnetwork; this address space will also be used for demonstration purposes. No student system should be set up in this address space. During live exercises, systems set up on this subnet may or may not be in play; details will be provided with the instructions for the exercise.

Students will be in one of four teams; each team has its own subnet for addressing:

  • Team A: 10.0.3.0/24, gateway 10.0.3.254
  • Team B: 10.0.4.0/24, gateway 10.0.4.254
  • Team C: 10.0.5.0/24, gateway 10.0.5.254
  • Team D: 10.0.6.0/24, gateway 10.0.6.254

For large exercises, an additional network space has been reserved for each team:

  • Team A: 10.1.0.0/16, gateway 10.1.254.254
  • Team B: 10.2.0.0/16, gateway 10.2.254.254
  • Team C: 10.3.0.0/16, gateway 10.3.254.254
  • Team D: 10.4.0.0/16, gateway 10.4.254.254

Students can use the addresses in their subnet however they feel; they can even set up a DHCP server that serves addresses in all or part of that range. Students should only use the address space that belongs to their team. All systems on these subnets are in-play during live exercises.

Setting up CentOS 6.2

Start up your CentOS 6.2 system and log in. If you take a look at your network configuration, you might notice something unusual:

[zathras@localhost ~]$ su -
Password: 
[root@localhost ~]# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0C:29:BD:39:38  
          inet addr:10.0.2.146  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: 2601:a:700:289:20c:29ff:febd:3938/64 Scope:Global
          inet6 addr: fe80::20c:29ff:febd:3938/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1323 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:99526 (97.1 KiB)  TX bytes:11341 (11.0 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)

Notice that the first ethernet card is labelled eth1 rather than the usual eth0. Why? When the system was "copied" (not "moved") onto your system and started, VMWare assigned the system a new MAC address. Hurrah! This is what we wanted to happen. However, Linux treats this as if a new ethernet card was inserted into the machine. It keeps the configuration information for the old card, and calls the new one eth1. Though this works, in general it can cause some trouble later, so let’s tell Linux to forget about the older card.

The hardware is managed by a subsystem called udev, and the rules it uses are contained in the directory /etc/udev/rules.d. In that directory is a file, 70-persistent-net.rules; if you open it in a text editor you are presented with something like the following:

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:29:d1:1d", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:bd:39:38", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

You can see that there are two network cards, one with MAC address 00:0c:29:29:d1:1d and the second with address 00:0c:29:bd:39:38 specified in this file. Further, looking back at the output of our ifconfig command, we see that the MAC address for eth1 matches.

Delete the line that refers to eth0 and the MAC address you no longer have (you can remove the comment as well). Update the second line so that the NAME is eth0 instead of eth1; then reboot.
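As an added example (not part of these notes), the following Python script performs the edit just described on a constructed copy of the rules file: it reads the live MAC from ifconfig output, keeps only the udev rule whose ATTR{address} matches it, renames that rule to eth0 and drops the stale rule together with its device comment. The sample rules and ifconfig text are constructed to mirror the output shown above; the script refuses to rewrite the file if no rule matches the live card.

```python
import re

# Constructed sample of /etc/udev/rules.d/70-persistent-net.rules after a
# VMware "copied" start: the stale eth0 rule carries the old MAC, the live
# card was added as eth1.
SAMPLE_RULES = """\
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:29:d1:1d", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:bd:39:38", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
"""

# Constructed ifconfig output in the same shape as the notes show; only the
# HWaddr lines matter for finding the live MAC.
SAMPLE_IFCONFIG = """\
eth1      Link encap:Ethernet  HWaddr 00:0C:29:BD:39:38
          inet addr:10.0.2.146  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

ADDR_RE = re.compile(r'ATTR\{address\}=="([0-9a-fA-F:]{17})"')
NAME_RE = re.compile(r'NAME="([^"]*)"')
HWADDR_RE = re.compile(r'^(\S+)\s+Link encap:Ethernet\s+HWaddr\s+([0-9A-Fa-f:]{17})', re.M)


def live_macs(ifconfig_text):
    """Return {interface: mac} for every Ethernet interface ifconfig reports."""
    return {name: mac.lower() for name, mac in HWADDR_RE.findall(ifconfig_text)}


def prune_persistent_net_rules(rules_text, keep_mac, new_name="eth0"):
    """Keep only the rule whose MAC matches keep_mac and rename it to new_name.

    Returns (new_text, dropped_macs). Header comments survive; the
    '# PCI device' comment preceding a dropped rule is dropped with it,
    which mirrors the manual edit described in the notes.
    """
    keep_mac = keep_mac.lower()
    out, dropped = [], []
    pending_comment = None   # device comment waiting to see whether its rule survives
    found = False
    for line in rules_text.splitlines():
        if line.startswith("#"):
            if line.startswith("# PCI device") or line.startswith("# USB device"):
                pending_comment = line
            else:
                out.append(line)
            continue
        m = ADDR_RE.search(line)
        if m is None:
            # Blank lines and anything unrecognised pass through, but never
            # emit two blank lines in a row where a rule was removed.
            if line.strip() or (out and out[-1] != ""):
                out.append(line)
            continue
        mac = m.group(1).lower()
        if mac == keep_mac:
            if pending_comment:
                out.append(pending_comment)
            out.append(NAME_RE.sub('NAME="%s"' % new_name, line))
            found = True
        else:
            dropped.append(mac)
        pending_comment = None
    if not found:
        raise ValueError("no rule matches live MAC %s; refusing to rewrite" % keep_mac)
    return "\n".join(out) + "\n", dropped


if __name__ == "__main__":
    mac = live_macs(SAMPLE_IFCONFIG)["eth1"]
    new_text, gone = prune_persistent_net_rules(SAMPLE_RULES, mac)
    print("dropped stale MAC(s):", gone)
    print(new_text)
```

On a real system, read /etc/udev/rules.d/70-persistent-net.rules and the output of ifconfig instead of the constructed samples, write the result back, and reboot as the notes recommend.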

I recommend that you reboot the system to ensure that the changes propagate correctly- it definitely makes subsequent configuration simpler if you reboot first. When it reboots, you should check your configuration again and verify that everything is as it ought to be:

[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:BD:39:38  
          inet addr:10.0.2.146  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:febd:3938/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10365 (10.1 KiB)  TX bytes:6026 (5.8 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)

There will be at least one other remnant on your system; if you use the graphical tool (System → Preferences → Network Connections) to modify your network settings, you will now see two options: "System eth0" and "Auto eth0".

[Screenshot omitted: CentOS 6.2 (x64) Network Connections dialog]

If you edit the "System eth0" entry and check the MAC address, you will discover that it matches the MAC address that we have already removed. The "Auto eth0" entry has the correct MAC address, and can be used to configure the interface.

Why is there a difference? I just don’t know. Really, there should only be one eth0 entry. You can delete the "System eth0" if you want (this is what I did!) but this will cause us some minor trouble in a few steps. You can keep them both, though I don’t know if that will cause us trouble later.

To change the host name of the system, we edit the file /etc/sysconfig/network and modify the HOSTNAME line. Be sure to enter the FQDN here; in my example, I will call the host "acheron" with parent domain "cosc.tu", giving me the file:

NETWORKING=yes
HOSTNAME=acheron.cosc.tu

Documentation is available in /usr/share/doc/initscripts-9.03.27/sysconfig.txt.

You also need to modify the entries in the file /etc/hosts; in particular you need to make sure that all of the aliases for 127.0.0.1 are appropriate. As an example, we can set that file to look like

127.0.0.1   localhost localhost.localdomain acheron acheron.cosc.tu
::1         localhost localhost.localdomain acheron acheron.cosc.tu

so that any of the four names "localhost", "localhost.localdomain", "acheron" and "acheron.cosc.tu" will refer to 127.0.0.1.

At this point, you can reboot the machine. Mind you, this is not strictly necessary, as the changes can also be made live by using the hostname command. Note that changes made via the hostname command only persist until a reboot, when the configuration files are re-read. Nonetheless, I recommend rebooting (and checking that everything works as you expect) so that if something is amiss, you won’t have to wade through a large number of changes to the system to start debugging. For example, once the system reboots, you should see your new FQDN when the system asks you to log in.

It should be noted that, once changes are made to /etc/sysconfig/network, if you have used su to become root, then attempts to open graphical tools from the command prompt may fail with the odd error:

[root@acheron ~]# gedit /etc/sysconfig/network &
[1] 2713
[root@acheron ~]# No protocol specified

(gedit:2713): Gtk-WARNING **: cannot open display: :0.0

The simple solution is to finish making the hostname changes, then reboot the system. If you ever figure out the underlying cause of this error, please let me know.

Now we want to modify the network settings for our interface. We can use the GUI, but we have seen that it got itself a little confused, so let’s look directly at the configuration files. The file we want is called /etc/sysconfig/network-scripts/ifcfg-eth0. What? It isn’t there? Remember that minor problem the GUI was going to cause: this is it. For whatever reason, getting rid of the spurious entry in the GUI removed this file. No matter, we can rebuild it. We have the technology:

DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO="none"
HWADDR="00:0C:29:3C:21:1E"
NETMASK="255.255.255.0"
IPADDR="10.0.2.2"
GATEWAY="10.0.2.254"
TYPE="Ethernet"
USERCTL="no"
IPV6INIT="no"
PEERDNS="no"
DNS1="10.0.2.100"
DNS2="10.0.2.101"
DOMAIN="cosc.tu"

The meaning of most of these lines is self-explanatory. Just be sure that you have the right MAC address in the HWADDR line, or the system will whine a bit.

We haven’t yet set up a proper DNS structure, so the primary and secondary DNS server addresses are just dummy values; we will need to change them as well.
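Because a wrong HWADDR is the usual reason "service network restart" whines, here is an added example (my own code, not part of these notes) that sanity-checks an ifcfg-eth0 file before restarting networking: it compares HWADDR with the MAC ifconfig reports, checks that a static configuration has IPADDR, NETMASK and GATEWAY, that the gateway lies inside the configured subnet, and that PEERDNS="no" is accompanied by DNS servers. The sample file is constructed with a made-up MAC so the check has something to flag.

```python
import ipaddress

# Constructed ifcfg-eth0 in the shape described in the notes. The HWADDR is a
# made-up value that deliberately does not match the live card below.
SAMPLE_IFCFG = """\
DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO="none"
HWADDR="00:0C:29:3C:21:1E"
NETMASK="255.255.255.0"
IPADDR="10.0.2.2"
GATEWAY="10.0.2.254"
TYPE="Ethernet"
USERCTL="no"
IPV6INIT="no"
PEERDNS="no"
DNS1="10.0.2.100"
DNS2="10.0.2.101"
DOMAIN="cosc.tu"
"""


def parse_ifcfg(text):
    """Parse KEY="VALUE" / KEY=VALUE lines into a dict; comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"').strip("'")
    return cfg


def check_ifcfg(text, live_mac):
    """Return a list of problems; an empty list means the file is consistent.

    live_mac is the HWaddr that ifconfig reports for the card (case-insensitive).
    """
    cfg = parse_ifcfg(text)
    problems = []
    hw = cfg.get("HWADDR", "")
    if hw.lower() != live_mac.lower():
        problems.append("HWADDR %s does not match live MAC %s" % (hw, live_mac))
    if cfg.get("BOOTPROTO", "").lower() in ("none", "static"):
        missing = [k for k in ("IPADDR", "NETMASK", "GATEWAY") if k not in cfg]
        for key in missing:
            problems.append("static configuration is missing %s" % key)
        if not missing:
            try:
                # strict=False lets us pass a host address with its netmask
                net = ipaddress.ip_network("%s/%s" % (cfg["IPADDR"], cfg["NETMASK"]), strict=False)
                gw = ipaddress.ip_address(cfg["GATEWAY"])
                if gw not in net:
                    problems.append("GATEWAY %s is outside %s" % (gw, net))
            except ValueError as err:
                problems.append("bad address: %s" % err)
    if cfg.get("PEERDNS", "").lower() == "no" and not ("DNS1" in cfg or "DNS2" in cfg):
        problems.append("PEERDNS=no but no DNS1/DNS2 given")
    return problems


if __name__ == "__main__":
    # Constructed live MAC, as ifconfig would print it in its HWaddr column.
    for problem in check_ifcfg(SAMPLE_IFCFG, "00:0C:29:BD:39:38"):
        print("ifcfg-eth0:", problem)
```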

Once you make the changes, you can simply restart networking to see that all is as it ought to be:

[root@acheron ~]# service network restart
Shutting down interface eth0:  Device state: 3 (disconnected)
                                                           [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  Active connection state: activated
Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/1
                                                           [  OK  ]
[root@acheron ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:BD:39:38  
          inet addr:10.0.2.2  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:febd:3938/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:19192 (18.7 KiB)  TX bytes:9744 (9.5 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)

The simplest way to manage the firewall on the CentOS system is to use the provided GUI tool. Simply select System → Administration → Firewall. For the most part, the tool is self-explanatory.

[Screenshot omitted: Firewall Configuration tool]

Setting up Ubuntu 12.04 Desktop

Ubuntu Desktop 12.04 also uses udev to manage devices; however, it does not retain information about previous network cards, so we do not need to make the changes in /etc/udev/rules.d that we did on our CentOS system.

To update the network configuration, let’s use the provided graphical tool. From the left menu, select System Settings, then choose Network.

[Screenshot omitted: Ubuntu 12.04 Desktop System Settings, Network]

The changes to the IP address, netmask, gateway, DNS servers, and DNS search domain are all made directly from the GUI. Select Options, then select the IPv4 Settings tab to make the changes.

[Screenshot omitted: Ubuntu 12.04 Desktop IPv4 Settings tab]

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. In my example, I will call my system achilles.cosc.tu. Modify /etc/hosts in the same fashion as we did for CentOS 6.2; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.

As before, once the changes to the system name are complete, you may wish to reboot and verify that these settings are correctly retained.

Unlike CentOS, the firewall for Ubuntu is disabled by default; you can verify this by running

zathras@achilles:~$ sudo ufw status
[sudo] password for zathras: 
Status: inactive
zathras@achilles:~$ 

Ubuntu 12.04 does not have a graphical interface for the firewall in its default install; however, one (gufw) is available.

To install it, you also need to install the GObject introspection data for PolicyKit package. Download both, and be sure to verify their MD5 hashes. [Both of these are also available on the labshare.] Installation can be done via dpkg.

zathras@achilles:~$ md5sum Desktop/gufw_12.04.1-0ubuntu1_all.deb 
31697d433aaaab3ad54e84399463fb14  Desktop/gufw_12.04.1-0ubuntu1_all.deb

zathras@achilles:~$ md5sum Desktop/gir1.2-polkit-1.0_0.104-1ubuntu1.1_i386.deb 
378d45634d5cb6b7e06ded5f26354ea7  Desktop/gir1.2-polkit-1.0_0.104-1ubuntu1.1_i386.deb

zathras@achilles:~$ sudo dpkg -i Desktop/gufw_12.04.1-0ubuntu1_all.deb Desktop/gir1.2-polkit-1.0_0.104-1ubuntu1.1_i386.deb 
[sudo] password for zathras: 
(Reading database ... 141020 files and directories currently installed.)
Preparing to replace gufw 12.04.1-0ubuntu1 (using .../gufw_12.04.1-0ubuntu1_all.deb) ...
Unpacking replacement gufw ...
Selecting previously unselected package gir1.2-polkit-1.0.
Unpacking gir1.2-polkit-1.0 (from .../gir1.2-polkit-1.0_0.104-1ubuntu1.1_i386.deb) ...
Setting up gir1.2-polkit-1.0 (0.104-1ubuntu1.1) ...
Setting up gufw (12.04.1-0ubuntu1) ...
Processing triggers for man-db ...
Processing triggers for desktop-file-utils ...
Processing triggers for bamfdaemon ...
Rebuilding /usr/share/applications/bamf.index...
Processing triggers for gnome-menus ...
Processing triggers for hicolor-icon-theme ...
zathras@achilles:~$ 

The resulting tool can be started directly from the command line (sudo gufw).

[Screenshot omitted: gufw firewall configuration window]

Setting up Ubuntu 12.04 Server

Like Ubuntu 12.04 Desktop, Ubuntu 12.04 server does not have issues caused by the udev subsystem.

To modify the networking settings for the system, the file /etc/network/interfaces must be modified. The comments and the material on the loopback interface can be retained, but the configuration for eth0 should look something like the following:

auto eth0
iface eth0 inet static
address 10.0.2.4
netmask 255.255.255.0
gateway 10.0.2.254
dns-nameservers 10.0.2.100 10.0.2.101
dns-search cosc.tu

You can then apply these changes by running

zathras@ubuntu:~$ sudo /etc/init.d/networking restart

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did for CentOS 6.2; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.

Like Ubuntu desktop, the firewall for Ubuntu server is disabled by default. However, by default it has no listening processes.

Setting up Mint 13

Two Mint 13 systems are provided, one with the KDE Window Manager and one with the Cinnamon Window Manager (which is based on Gnome). Despite the differences in appearance, the systems really are quite similar.

Because Mint is based on Ubuntu, again there is no need to worry about udev or the changes in MAC address when a system is copied.

Setting the network up via the GUI is straightforward in either case, but the method does depend on the window manager. In KDE, start by selecting Computer, then System Settings:

[Screenshot omitted: Mint 13 KDE System Settings]

From there, select Network Settings, then Network Connections, then the Wired tab. Simply edit the information for Wired connection 1:

[Screenshot omitted: Mint 13 KDE Network Connections, Wired tab]

If you have not seen it before, the KWallet service is used to store credentials on the system. You can use the same or a different password than the one used to log in to the system.

On the Cinnamon system, navigate System Tools → Preferences → Network Connections. You then are presented with the same options that we saw for our CentOS 6.2 system.

[Screenshot omitted: Mint 13 Cinnamon Network Connections]

In either case, the file that contains the information about the connection is not where we have seen it so far. Instead, it is located in the file /etc/NetworkManager/system-connections/Wired connection 1, where it has content similar to

zathras@mint-base /etc/NetworkManager/system-connections $ sudo cat Wired\ connection\ 1
[sudo] password for zathras: 

[802-3-ethernet]
duplex=full
mac-address=00:0C:29:1F:84:73

[connection]
id=Wired connection 1
uuid=ffd73af1-3818-4de0-958e-32b7d3dd885b
type=802-3-ethernet
timestamp=1390080060

[ipv6]
method=auto

[ipv4]
method=manual
dns=10.0.2.100;10.0.2.100
dns-search=cosc.tu;
addresses1=10.0.2.6;24;10.0.2.254;

Here you see the information we have added to the system, including the IP address of the system, the netmask (24), and the gateway; we also have the information for DNS, including the default search domain.

To change the hostname, we work as before and modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did before; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.

Setting up Windows 7

When the system starts with the new MAC address, Windows will not know what type of network it is- Home, Work, or Public. We are going to be simulating various business scenarios, so in each case you should select "Work". Please note this recommendation! Students in past years have tried other settings (most notably public) and then, only much later, discovered how things no longer worked as they ought; then only after many (many) hours of debugging were they able to trace the source of the problem back to this setting. Remember- you are setting up a simulated corporate network, so "work" is the only reasonable choice.

To set the networking, select the Start button → Control Panel → Network and Internet → Network and Sharing Center → Change Adapter Settings; you end up with a dialog box like the following.

[Screenshot omitted: Adapter Settings]

Why is it Network 3 in this picture? Remember that the system has been connected to multiple networks with multiple MAC addresses, even before it got to you.

Select Properties, then select Internet Protocol Version 4 (IPv4), and press the Properties button in the following dialog.

[Screenshot omitted: Windows 7 (x64) IPv4 properties]

Fill in the required address data in the usual fashion.

To set up the hostname for these Windows systems, navigate to the Start button → Computer (right click) → Properties. You should end up with a dialog box roughly like the following:

[Screenshot omitted: Windows system properties]

In the section labelled Computer name, domain, and workgroup settings, select the Change Settings link; you end up with a dialog box like the following:

[Screenshot omitted: Computer Name dialog]

Select the Change button to be presented with a dialog box that allows you to change the host name. Note that the hostname is different from the FQDN. Suppose that I want the FQDN of my system to be anubis.cosc.tu; then the hostname is anubis, while the primary domain suffix is cosc.tu. The hostname is specified in the hostname box, but to set the primary domain suffix you need to select the More button and make your changes there. The net result looks something like the following:

[Screenshot omitted: Windows 7 (x86) computer name and primary DNS suffix dialogs]

Changing the hostname does require a restart of the system.

All modern Windows systems come with an integrated firewall managed through the Control Panel. To configure it navigate Start → Control Panel → System and Security → Windows Firewall.

Setting up Windows 8

To set up our Windows 8 system, we need to find the Control Panel. From the Metro screen, right click, then select the "All apps" button. Scroll to the right, and then select "Control Panel".

[Screenshot omitted: Windows 8 Start screen, All apps]

If you want to get to the Control Panel from the desktop, hit <Win>-R, then type "control panel" into the resulting Run box.

Either way, once you manage to locate the Control Panel, changing the network settings proceeds as it did in Windows Vista and 7; navigate Network and Internet → Network and Sharing Center → Ethernet → Properties.

Once the changes have been made, you will be on the Windows 8 Desktop; to get back to the Metro screen, press the Windows button on the keyboard.

To change the hostname, again right click on the Metro screen to select "All apps". Now right-click on "Computer"; you will be presented with a context menu similar to the following:

[Screenshot omitted: Computer context menu]

Select Properties and you will drop to the Desktop with a dialog box similar to what we saw for Windows 7; in the section labelled Computer name, domain, and workgroup settings, select the Change Settings link and make the required changes.

[Screenshot omitted: Windows 8 (x64) system properties]

A restart is required.

The Windows 8 firewall is managed through the Control Panel as well in the same fashion as Windows Vista and 7.

Setting up Windows 2008 Server

We will focus our attention on Windows Server 2008 R2; however, most of these steps still apply to the older Windows Server 2008.

When these systems first boot, you will be presented with the Initial Configuration Tasks dialog box:

[Screenshot omitted: Initial Configuration Tasks]

Select the "Configure Networking" link. You will be shown all of the network connections on the system; at the start there should be just one, labelled "Local Area Connection". Right-click on it, and select Properties; then select Internet Protocol Version 4 (IPv4) and select Properties; you can then enter the IP address for the system as well as specify the DNS server the system should use.

[Screenshot omitted: Server 2008 R2 network connection properties]

To change the hostname of the system, return to the Initial Configuration Tasks dialog box, and select the link "Provide computer name and domain". The system name and primary domain suffix are changed just as we did for other versions of Windows. A reboot will be required.

On Windows Server systems, you can manage the firewall by navigating Start → Administrative Tools → Windows Firewall with Advanced Security rather than going through the Control Panel.

Setting up Windows 2012 Server

The process here is similar to what we observed for Windows Server 2008, save the rather significant changes in the interface. Now when you log onto the system after boot, you are taken to Server Manager.

[Screenshot omitted: Server Manager]

Selecting "Configure this local server" takes you to the Local Server page.

[Screenshot omitted: Local Server page]

As before, start by configuring the Ethernet0 address; this is done in exactly the same fashion as in Server 2008. The hostname is also changed in the same fashion by selecting either the computer name or the workgroup. As is usual, a restart is required after a change in the host name.

Windows SIDs, Windows Servers, and Sysprep

Each Windows system has its own Machine SID. An SID is a Security Identifier, and Microsoft systems have them for users, groups, computers, and other security principals. You can see the SIDs for the users on a system from the command prompt with the aid of wmic. Here is what results if you run wmic on our Windows Server 2012 system:

C:\Users\zathras>wmic useraccount get name,sid
Name           SID
Administrator  S-1-5-21-395221050-4232060781-697866707-500
Guest          S-1-5-21-395221050-4232060781-697866707-501
zathras        S-1-5-21-395221050-4232060781-697866707-1001

Here you see the (local) accounts on the system, as well as the SID for each; the SID is the number that begins S-1-5-21.

You can also find the SID of a computer, but in this case we need an extra tool, PsGetSid.exe from the Sysinternals PsTools suite. Running it on the domain member, we find:

C:\Users\zathras\Desktop\PSTools>PsGetsid.exe

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for \\CHURCHILL:
S-1-5-21-395221050-4232060781-697866707

Looking at these, the SID of the user is just the SID of the system followed by a relative ID; administrator accounts have the relative ID of 500 (which is why renaming administrator accounts provides less security than might be imagined), the guest account has relative ID 501, and subsequent accounts start at 1000 and go up from there.

Duplicate Machine SIDs?

Now all of the various Windows systems are copies of a single master system, which means that they have the same Machine SID. In fact, if you run these tools on a Windows Server 2012 system in the lab, you will see that you have the exact same system SID. Similarly, all of the Windows Server 2008 systems have identical SIDs, and so on.

In olden days, this might have been a problem, but it should not be, at least for systems after Windows Vista.

In fact, there used to be a SysInternals tool to update a system’s Machine SID, but that has long since been discontinued. The author, Mark Russinovich, back in 2009 wrote on his blog "… I became convinced that machine SID duplication – having multiple computers with the same machine SID – doesn’t pose any problem, security or otherwise."

This is true.

Almost.

It turns out that there are a couple of places where duplicate SIDs will be a problem, especially when setting up and configuring file servers. In particular, if the domain controller and a file server on the domain have the same SID, then some very nasty and difficult-to-track-down errors will occur.
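The two observations above (a SID is the machine SID plus a relative ID, and cloned systems share a machine SID) are easy to check for programmatically. The following Python is an added example, not part of these notes: it splits SIDs the way PsGetSid and wmic show them, labels accounts by RID so that a renamed Administrator is still recognised as RID 500, and reports which hosts in an inventory share a machine SID and therefore still need Sysprep. The wmic table and the inventory are constructed; the SID values reuse the ones shown above, and "FILESRV01" and the account names "helpdesk" and "svc_backup" are made up.

```python
import re
from collections import defaultdict

# Constructed inventory of machine SIDs as PsGetSid would report them. The
# first two hosts are clones of the same master image; the third has been
# sysprepped and so carries a fresh SID. "FILESRV01" is a made-up hostname.
CONSTRUCTED_MACHINE_SIDS = {
    "CHURCHILL": "S-1-5-21-395221050-4232060781-697866707",
    "FILESRV01": "S-1-5-21-395221050-4232060781-697866707",
    "WIN-LG35NO9SJAM": "S-1-5-21-4077250738-2818941885-749555898",
}

# Constructed 'wmic useraccount get name,sid' output from one host, in which
# the built-in Administrator has been renamed to "helpdesk" and an extra
# account "svc_backup" exists (both names are made up).
CONSTRUCTED_WMIC = """\
Name           SID
Guest          S-1-5-21-395221050-4232060781-697866707-501
helpdesk       S-1-5-21-395221050-4232060781-697866707-500
zathras        S-1-5-21-395221050-4232060781-697866707-1001
svc_backup     S-1-5-21-395221050-4232060781-697866707-1002
"""

# Well-known relative IDs; these are fixed by Windows and survive renaming.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}

# S-1-5-21-<three sub-authorities> optionally followed by -<RID>
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c[-rid]' into (machine_or_domain_sid, rid).

    rid is None when the string is a bare machine/domain SID.
    """
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not an NT-authority account SID: %r" % sid)
    rid = int(m.group(2)) if m.group(2) is not None else None
    return m.group(1), rid


def parse_wmic_accounts(text):
    """Parse the two-column 'Name SID' table wmic prints into [(name, sid), ...]."""
    rows = []
    for line in text.splitlines()[1:]:   # the first line is the header
        parts = line.split()
        if len(parts) == 2:
            rows.append((parts[0], parts[1]))
    return rows


def classify_accounts(wmic_text):
    """Label each account by its RID, so a renamed Administrator is still identified."""
    labels = {}
    for name, sid in parse_wmic_accounts(wmic_text):
        _, rid = split_sid(sid)
        labels[name] = WELL_KNOWN_RIDS.get(rid, "ordinary account (RID %d)" % rid)
    return labels


def duplicate_machine_sids(inventory):
    """Return {machine_sid: [hosts]} for every SID shared by more than one host."""
    by_sid = defaultdict(list)
    for host, sid in inventory.items():
        base, rid = split_sid(sid)
        if rid is not None:
            raise ValueError("%s: %s is an account SID, not a machine SID" % (host, sid))
        by_sid[base].append(host)
    return {sid: sorted(hosts) for sid, hosts in by_sid.items() if len(hosts) > 1}


if __name__ == "__main__":
    for name, label in classify_accounts(CONSTRUCTED_WMIC).items():
        print("%-12s %s" % (name, label))
    for sid, hosts in duplicate_machine_sids(CONSTRUCTED_MACHINE_SIDS).items():
        print("duplicate machine SID %s on: %s" % (sid, ", ".join(hosts)))
```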

Given these problems, what is the solution? Windows comes with a tool called Sysprep; among other things it will change the SID of the system. It is simple enough to do, but you must do it before you configure your system; in fact it should be the first thing that you do.

Navigate to c:\Windows\System32\Sysprep and run the program c:\Windows\System32\Sysprep\Sysprep. Be sure to check the Generalize box.

[Screenshot omitted: Server 2012 Sysprep dialog]

Let the program run; it will reboot the system. Once it reboots you can begin the process of configuring your system as you see fit. After this completes, you can see that the system has a new SID:

C:\Users\zathras\Desktop\PSTools>PsGetsid.exe

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for \\WIN-LG35NO9SJAM:
S-1-5-21-4077250738-2818941885-749555898

On the other hand, the system has essentially been reset to a new state, so all of your settings will have been lost, including hostname and IP addressing. Thus, it is important that this step be done before significant work has been done on the configuration of the system.

Setting up Kali

Unlike the other systems provided, the Kali image has been modified from its stock configuration. The system was installed as a Kali 1.0.5 system, then updated to the 1.0.6 standard. It has been fully updated as of mid-January 2014, and Metasploit has been updated to include all of the latest attacks.

Kali systems use the same udev system that is used by other Linux distributions, but like the Ubuntu and Mint systems, this does not cause any issues.

Network settings can be modified in the appropriate section of /etc/network/interfaces; you can set it to something like the following:

auto eth0
iface eth0 inet static
address 10.0.2.250
netmask 255.255.255.0
gateway 10.0.2.254

To specify the location of the DNS servers, update /etc/resolv.conf so that it looks something like

nameserver 10.0.2.100
nameserver 10.0.2.101
domain cosc.tu
search cosc.tu

To change the hostname, modify the file /etc/hostname to include the full name (FQDN) of the host. Modify /etc/hosts in the same fashion as we did for CentOS 6.2; you do not need to keep separate entries for 127.0.0.1 and 127.0.1.1.
