45 replies to this topic

[blackhat420]

Damn Ignatius your just full of clever ideas huh :-)
You are right on the money, a batch script could be made for EXACTLY that purpose. The batch script could most definitely be run at login through either the registry under hkey_current_users i believe, this will be run upon login. I don't believe you can with native capabilities execute a script at logoff, that would be nice though. Instead of that you could design 2 batch scripts one that corrects the route, and one that mangles it. The script that mangles it goes on the dis-allowed IE people, while the correction script goes on the users who are allowed internet access.

[rlastinger]

These type of restrictions are best placed in the infrastructure (routers, switches, content filtering). Anything you do on the computer could be reversed by the user, especially if they have elevated privileges, such as local admin. If your users knowledge isn't basic, anything you implement locally would only serve as a temporary measure at best.

Personally, I think 5 is the easiest if you don't have access to the network equipment, but have access to the machine. 7 can get dangerous when corrupting the stack, but you can google that and learn a bit about it. As for 8, google tools like ettercap, cain and abel,etc... There's a few out there that do that. Most of the good one's should be listed at insecure.org's top 100 security tools.

5 is too easy to solve. They aren't computer geeks but they will try to solve an IP address related issue and in the end they will succeed, even randomly  But a more subtle solution would be very difficult for them to solve. I will research something about TCP stack corruption. If you can point me to some good article I'm glad to know :-)

Oh, yes, they have admin access. Some other useful information: the internet connection is wireless and the PC is a portable computer. I think this could make mitm and request redirection more difficult and not so reliable. Am I wrong?

That is correct. With this being portable, it will be more difficult.

I picked up this pdf by Aleph1 at phrack the other day called "Smashing the Stack for Fun and Profit" the other day. I'm at work right now and can't easily browse the site to give you a direct link to it, but take a look. I'm pretty sure that's where I got it.

Another possibility might be to attempt a local policy that gets pushed for that user. That disables internet access or maybe even IE?

Just a thought. I haven't created many local policies on a PC before. I've pushed several out through a domain though.

[Ignatius]

I picked up this pdf by Aleph1 at phrack the other day called "Smashing the Stack for Fun and Profit" the other day. I'm at work right now and can't easily browse the site to give you a direct link to it, but take a look. I'm pretty sure that's where I got it.

Another possibility might be to attempt a local policy that gets pushed for that user. That disables internet access or maybe even IE?

I came across this article (hxxp://www.phrack.org/issues.html?issue=49&id=14#article) but couldn't find a pdf version. I'm afraid this document is way over my head so hope that it makes sense to someone who might be able to give some clues as to what exactly's happening!

I've been thinking about simply disabling IE and suspect that a user could get around that by using an alternative browser. I think that "attacking" the network connection in some way (such as using a dead proxy) would be the way to go. I'm particularly interested in registry tweaks or policies that can be used.

[Helgenen]

The batch script could most definitely be run at login through either the registry under hkey_current_users i believe, this will be run upon login. I don't believe you can with native capabilities execute a script at logoff, that would be nice though.

have a look at this site: hxxp://vlaurie.com/computers2/Articles/group_policy_editor.htm
It shows how you could add your script to logon or logoff from the gpo (local or domain policy)

[rlastinger]

The batch script could most definitely be run at login through either the registry under hkey_current_users i believe, this will be run upon login. I don't believe you can with native capabilities execute a script at logoff, that would be nice though.

have a look at this site: hxxp://vlaurie.com/computers2/Articles/group_policy_editor.htm
It shows how you could add your script to logon or logoff from the gpo (local or domain policy)

I'll try to jump on one of my boxes tonight and try to work this policy out. Nice find on the site. I was just going to say go to control panel and administration tools. haha

[Ignatius]

I'll try to jump on one of my boxes tonight and try to work this policy out. Nice find on the site. I was just going to say go to control panel and administration tools. haha

I'm fairly sure that a colleague did some work with this before. As I recall, when the PC starts or shuts down, it announces that a script is running. Ideally, I'd like it to run silently.

[Ignatius]

I've been researching further and the use of IPSec looks promising to block specific ports and protocols. I've managed to block 80 and 443 on my PC and, needless to say, it blocked internet access but I could still use Outlook to access my e-mail. It's quite fiddly to set up but that's because I'm not familar with it and I'm sure that further exposure and practice will help. I've not tried the command line procedure (yet!).

hxxp://support.microsoft.com/kb/813878#top#top
hxxp://windows.uwaterloo.ca/Security/Hardening/IP_Security/W2Kwrkst_IPSEC.htm
hxxp://www.petri.co.il/block_web_browsing_with_ipsec.htm

[Little_Dice]

To disable outlook you will have to close its ports. I think these are all the ports it uses 143, 993, 110, 995, 135, 593, and 25. These are the ports for pop3, pop3 over ssl, imap, imap over ssl, rpc, rpc over html, and finally smtp.

[Ignatius]

To disable outlook you will have to close its ports. I think these are all the ports it uses 143, 993, 110, 995, 135, 593, and 25. These are the ports for pop3, pop3 over ssl, imap, imap over ssl, rpc, rpc over html, and finally smtp.

I posted a comment on Nov 17 about one of the proposed techniques blocking Outlook as well as internet access. I experimented and found that the IPSec technique blocked the internet but allowed Outlook to work.

I'm intrigued to learn that Outlook uses so many ports. Did you get this list by investigating your own system or by research on the internet? I'd no idea that ports specific for pop3 and imap over ssl existed! I must look into this further.

[Little_Dice]

I did a little of both. A great place to look for a lot of this stuff is your own firewall and google.

[gapingvoid]

Many of these are good suggestions and will make access more difficult for the user. However, none of them will stop an intelligent and determined user if he has the ability to plug in his own usb device, load a cd, floppy or run arbitrary applications. Even if you eliminate port 80 & 443 through filtering, if any port on which his system can communicate is permitted egress through the firewall to the internet or can reach an open proxy on your own network, then he will be able to use various tunneling utilities (e.g. httptunnel, cryptcat, ssh, stunnel, vpn) to reach his home system through which he could proxy web connections.

I would also wonder about your motivation for this. Possibilities:

1) You have organizational authority and some good reason; in which case you should be able to gain the cooperation of the firewall/router admin through the support of upper management if the reason is legit. You wouldn't have needed to post this question.
2) You just want to mess with the guy. Hey, have fun. All these suggestions have that potential.
3) Your purpose has something malicious behind it. Find something better to do.

[Ignatius]

That's interesting. I think we've exhausted the techniques (or at least no-one's coming up with any new ones!) to block internet access so I'd already turned my thoughts to how someone could circumvent one or more of the blocks that's been discussed.

I intend nothing malicious - I simply want to extend my knowledge. I've seen comments on Computer Forensics sites where to "good guys" have researched the techniques used by the "bad guys" so they can level the playing field.

[blackhat420]

Like I always say... if it wasn't for the black hats, the white hats wouldn't have a job! So we should all play nice together.

[ShadowWeaver44]

Hey i dont know 100% if this is the right thread and i apologize if it is, BUT i have herd that you can change your IP address on your router so that is because very hard to get into the actual computer because if dead ends? if this is remotly possible please PM with a "how to" or "get the hell of this thread" or what ever u see fit. Teachers comming i have to go, thanks for the time.

[SuBSe7eN]

hhmm go to BIOS and disable the networking devices there and put a bios password so that they cant open