Showing posts with label Hacking. Show all posts

How to enable (and hack) Cisco AnyConnect VPN through Remote Desktop

Tuesday, April 14, 2020


If you get the following error when connecting to a Cisco AnyConnect VPN from Windows, it's because the VPN establishment capability in the client profile doesn't allow connections from a remote desktop session.
VPN establishment capability for a remote user is disabled. A VPN connection will not be established.
The client profile is an XML file that gets pushed out to the AnyConnect client every time the VPN is established. The correct way to fix this is by configuring the AnyConnect VPN profile on the ASA. Usually this is done by the ASA administrator using the Cisco Adaptive Security Device Manager (ASDM). If you're the ASA administrator, read this article for instructions on how to configure this.

But what if you're not the ASA administrator, or the admin can't or won't make this change for some reason? We can hack it! I don't normally write blog posts like this, but I honestly can't think of a single good reason to block VPN access from a remote desktop, so I don't consider this bypassing a security setting. Here's how to get around it.

First, open the client profile XML file in Notepad. It's located in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder.

Edit the <WindowsVPNEstablishment> tag to use AllowRemoteUsers instead of LocalUsersOnly.



For example, change:
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
To:
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
Now save the profile to your Desktop or another location with a .BAK extension. For example, if the original profile name is ContosoVPN.xml, save it as ContosoVPN.bak.

Move the modified .BAK file to the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder. This will normally require admin rights. You should now have two client profile files there, for example ContosoVPN.xml and ContosoVPN.bak.

Now open Event Viewer and navigate to Applications and Services Logs > Cisco AnyConnect Secure Mobility Client. Search for Event ID 3021 from source acvpnui. It should be near the top of the Cisco logs if you just tried to connect to the AnyConnect VPN.



Right-click that event and select Attach Task To This Event. The Create Basic Task Wizard will open.

Click Next.
Click Next again.
Click Next again.
Configure the program to run using the settings below, then click Next.
Program/script:
C:\Windows\System32\cmd.exe
Arguments:
/c cd "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile" && copy *.bak *.xml /y
This task tells Windows to copy the modified .BAK profile over the .XML file that the AnyConnect client downloads from the ASA whenever acvpnui logs event ID 3021.

Check the box to open the properties for the task when finished and click Finish.
The task properties will open in a new window.


Now test it out. You should be able to connect to the AnyConnect VPN using a remote desktop (RDP).

Be aware that if the profile pushed by the ASA changes (ports, IPs, etc.), those changes will be overwritten by the static .BAK file. If that happens you can simply delete the .BAK file, attempt a connection, and edit the newly downloaded XML file with the new settings again.
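For the administrator on the other side of this, here is an added audit script (not part of the original post) that checks a Windows host for the three artifacts the procedure above leaves behind: a stray .BAK profile, a profile whose WindowsVPNEstablishment no longer matches what the ASA pushes, and a scheduled task hooked to acvpnui event 3021. It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module; the path, element name, source and event ID are the ones the post names.

```powershell
# Added audit script, not from the original post. Assumes the ScheduledTasks
# module (Windows 8 / Server 2012 or later). Path, element name, event source
# and event ID are taken from the post above.
$profileDir = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$findings = New-Object System.Collections.Generic.List[string]

# 1. A .bak beside the pushed .xml is the staging copy the override relies on.
Get-ChildItem -Path $profileDir -Filter '*.bak' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Stray backup profile: $($_.FullName)") }

# 2. The pushed profile should carry the ASA's value; AllowRemoteUsers on a host
#    whose ASA profile says LocalUsersOnly means the file was replaced locally.
Get-ChildItem -Path $profileDir -Filter '*.xml' -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    try {
        [xml]$profile = Get-Content -Path $file.FullName -Raw
        # local-name() sidesteps the profile's default XML namespace
        $node = $profile.SelectSingleNode('//*[local-name()="WindowsVPNEstablishment"]')
        if ($node -and $node.InnerText -eq 'AllowRemoteUsers') {
            $findings.Add("$($file.Name): WindowsVPNEstablishment = $($node.InnerText)")
        }
    } catch { $findings.Add("$($file.Name): could not parse profile ($_)") }
}

# 3. An event-triggered task that fires on acvpnui event 3021, or whose action
#    writes into the profile folder, is the hook that re-applies the edit.
foreach ($task in Get-ScheduledTask) {
    $eventTriggers = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskEventTrigger' })
    if ($eventTriggers.Count -eq 0) { continue }
    $subscription = ($eventTriggers | ForEach-Object { $_.Subscription }) -join ' '
    $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $onAnyConnectEvent = ($subscription -match 'acvpnui') -and ($subscription -match '3021')
    $touchesProfileDir = $actionText -match [regex]::Escape($profileDir)
    if ($onAnyConnectEvent -or $touchesProfileDir) {
        $findings.Add("Task $($task.TaskPath)$($task.TaskName) runs '$actionText' on: $subscription")
    }
}

if ($findings.Count -eq 0) { 'No sign of a locally overridden AnyConnect profile.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session, since the Profile folder and other users' scheduled tasks require admin rights to read.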


Automatically Reset the FTP Service in Windows Server 2008

Monday, March 3, 2008

One of the more popular tips I've posted is "How to automatically reset the FTP service" in Windows Server 2003. This tip is useful for public FTP sites where bad guys are trying to hack in, usually using a dictionary attack.

Doing the same thing in Windows Server 2008 is slightly different and has an important caveat: it will not work with the Microsoft FTP Publishing Service for IIS 7.0 yet. It will work fine if you use the standard FTP Publishing Service included on the Windows Server 2008 DVD.

As in my original post, create a batch file named C:\Scripts\ResetFTPService.bat, as follows:
net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc
The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, use the Windows Server 2008 Task Scheduler:

  • Right-click Task Scheduler (under Configuration in Server Manager) and select Create a Basic Task

  • Name the task, "Reset FTP Service" and click Next

  • Choose When a specific event is logged as the Task Trigger, click Next

  • Select Log: System, Source: IIS-FTP, and Event ID: 100. Click Next

  • Select Start a program and click Next

  • Enter C:\Scripts\ResetFTPService.bat for the Program/script and click Next

  • Click the checkbox for Open the Properties dialog for this task when I click Finish and then click Finish

  • In the Properties window select Run whether user is logged on or not and Run with highest privileges

  • Click OK

  • Enter the User name and Password for running this task

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.

Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.


Automatically Reset the FTP Service

Saturday, November 17, 2007

[Click here for a Windows Server 2008 version of this article]

A client of mine utilizes the Microsoft FTP service in Windows Server 2003 IIS 6.0 on a public web server.

Unfortunately, the FTP service is notoriously insecure since it transmits passwords in plain text. It also does not offer any way to block brute force or dictionary attacks. Because of this, the client was seeing multiple failed logins from the Administrator account, several times per second. These show up as warnings in the System event log from the MSFTPSVC source with event ID 100. Since I always rename the Administrator account as a standard best practice, it was obvious these attempted logins were coming from an attacker.

Windows Server 2008 will offer Secure FTP (or FTP over SSL) as a separate download for IIS7, which will be the first major improvement to the protocol since it was developed. But since my client is running Windows 2003, this isn't an option.

The solution I used involves the Windows EventTriggers utility. I created a batch file named C:\Scripts\ResetFTPService.bat, as follows:

net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc
The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, I use EventTriggers as follows:


eventtriggers /CREATE /TR "Reset FTP Service" /TK C:\Scripts\ResetFTPService.bat /L System /EID 100 /SO MSFTPSVC /RU ""
This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source MSFTPSVC is logged in the System event log. The /RU switch causes the task to run under the Local System account, which has the rights necessary to run unattended.
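The batch file in this post and in the Windows Server 2008 version above restarts the service on every single event ID 100, so one user mistyping a password also knocks everyone off for 10 seconds. As an added example (not code from either post), here is a rate-limited PowerShell replacement that only bounces the service after a burst of failures and not more than once per window. It assumes PowerShell 2.0 or later for Get-WinEvent (Server 2008 R2, or 2008 with PowerShell 2.0 installed; not a stock 2003 host), and the threshold, window and state-file path are assumed values.

```powershell
# Added example, not from the original posts. Assumes PowerShell 2.0+ for
# Get-WinEvent. Event source is MSFTPSVC on Server 2003 and IIS-FTP on
# Server 2008, as the posts state; threshold, window and state file are assumed.
param(
    [string]$Source    = 'MSFTPSVC',
    [int]$Threshold    = 20,   # failed logons within the window before acting
    [int]$WindowSec    = 60,
    [int]$PauseSec     = 10,   # the posts' 10-second tarpit
    [string]$StateFile = 'C:\Scripts\ResetFTPService.last'
)

$since = (Get-Date).AddSeconds(-$WindowSec)
# Event ID 100 from the FTP service is the failed-logon warning the posts trigger on.
$failures = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = $Source; Id = 100; StartTime = $since
    } -ErrorAction SilentlyContinue)

# One failed logon is a mistyped password; a burst is a dictionary attack.
if ($failures.Count -lt $Threshold) {
    Write-Output "$($failures.Count) failed FTP logons in ${WindowSec}s: below threshold, not resetting."
    return
}

# The trigger fires on every event 100, so skip if we already restarted within the window.
if (Test-Path -Path $StateFile) {
    $last = [datetime](Get-Content -Path $StateFile)
    if (((Get-Date) - $last) -lt [timespan]::FromSeconds($WindowSec)) { return }
}
(Get-Date).ToString('o') | Set-Content -Path $StateFile

Stop-Service -Name msftpsvc -Force   # drops the attacker's session immediately
Start-Sleep -Seconds $PauseSec       # nobody can connect during the pause
Start-Service -Name msftpsvc
Write-Output "Reset FTP service after $($failures.Count) failed logons in ${WindowSec}s."
```

Save it as C:\Scripts\ResetFTPService.ps1 and point the task's Program/script at powershell.exe with the arguments -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\ResetFTPService.ps1 -Source IIS-FTP (or MSFTPSVC), keeping the same event trigger the posts configure.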

Good Day Today

Wednesday, June 6, 2007
Today was a good session day. I got to start and end it with Marcus Murray, who finished the day to a PACKED session in the TLC Library showing how easy it is to perform a buffer overrun exploit. Scary, scary stuff. The guy is a rockstar.

Other sessions included Paul Robichaux, talking about Forefront Security for Exchange, and a good session on architecting and upgrading WSUS 3.0.

I got to see our friends at Sams Publishing in the vendor booth. Sams publishes the Microsoft "Unleashed" series, including Microsoft Exchange Server 2007 Unleashed and Microsoft Exchange Server 2003 Unleashed, both of which I co-wrote. Fellow CCO consultant Michael Noel was at the Sams booth on Tuesday. Be sure to check out his sessions on SharePoint 2007 here at TechEd!

I'll post a summary of the items discussed at the WSUS session in a future blog. For now, I'm going to get ready for the Microsoft Influencer's Party at Margaritaville and the Double-Take party at the Hard Rock. Woo-hoo!

Knocked my Socks Off

Wednesday, June 6, 2007
My first session this morning was "Why I can Hack Your Network in a Day!" by Marcus Murray. The information and demos he gave were absolutely frightening. He showed how to gain full access to almost any domain with ease. Amazing stuff. It's his first US TechEd and I'm sure it won't be his last. Now if he'd only do a session on securing networks, I'd sleep better.