Anthony Reinke Just getting a few things out of my head

27Jul/091

OSSEC and Splunk

I have been playing with OSSEC and Splunk.  OSSEC is a Host based Intrusion Detection System (HIDS).  Splunk is a log archiving and searching system.  OSSEC is open source and is multiple platform.  You can run it on Linux/Unix and Windows.  I am using OSSEC to forward Windows Event Logs to Splunk.  Splunk makes the searching and correlation.  Splunk can do WMI.  This would be great since no agent would need to be installed.  The problems is that if you have more than 30-50 systems, the amount time and traffic would cause issues.  Using the OSSEC agent, I am able to push the event logs to the OSSEC server.  From there the OSSEC server will upload to the Splunk server via Syslog.

Right now I have the servers all talking but I do need to adjust a few things.  Right now Splunk sees all the hosts as the OSSEC server.  I believe I just need to tweak the fields.  The question is how.

Splunk
http://www.splunk.com

OSSEC
http://www.ossec.net

Tagged as: , , , , , , , , 1 Comment
26Jun/090

2 Old Tools and 1 New Tool

Many time you might need to access a system but have been locked out or the password to access the local system has been forgotten. There are many ways to deal with that.

NT Offline
If you just want to get in quickly you can use NT Offline. NT Offline will allow you to blank/clear or change the password of an existing local account.  This boots up in to a linux command line utility.  From here you select the drive the OS is on, the path to the config files, and then which account(s) you would like to modify.

fgdump
Being able to change  a password is great and all but what if you need to get the password.  fgdump will allow you to dump the dump the LSASS.  This will allow you to get the users accounts and their hashed passwords.  How to find the password from the hash is another story.  You might start by looking at RainbowTables.

KonBoot
This is the new tool.  It is getting quite a bit of hype right now.  This tool will boot a different kernel of the OS and then load Windows or Linux during the boot.  Once you get to the login screen, simple select a local user or a cached user and press enter with no password and you are in.  There is not much you can do to the account, but you have access to the machine.

Yes I know that these can be listed as "hacker" tools.  But the "hacker" tools are a administrator's best friend.

I will post these in the links section also.

Tagged as: , , , , , , , , , , , , , No Comments
   

Archives

Tags

administrator blog chat clever cmd coach command prompt computer create daily delete desktop drink energy energy drink esxi event firefox first page hack hello help id idea ids linux new ossec practice report security server splunk start system ted user vent video website windows witulski wordpress work wrestling

Begging for money

Search & Win