Wednesday, 26 June 2013

Active Directory Password Hell

A few months ago we started to enforce an incorrect password lockout policy at work, causing a huge spike of phone calls from users to unlock their account. Submitting a helpdesk ticket requires logging on to a pc or emailing from an external source. The problem is - if they can't log on, they can't submit a ticket. The volume of calls for this issue got so bad we had to start trialling an on-call phone, just in-case they were locked out when the office was closed overnight. I took this up as a challenge, there must've been a simpler solution than  an on-call phone.

Looking for a software solution, my manager Mandy found ADSelfService Plus by Manage Engine. It's a really cool piece of software and works really great, adding a link to the logon screen that allows you to unlock your account by answering a few security questions. I deployed it across the network but ran into another problem, we use a Virtual Desktop Infrastructure. It's fine for desktop pc's so what's the problem you ask? Here goes.................

Our Remote Desktop Servers require network level authentication. That means you have to be authenticated before a connection is allowed to the server. If you fail to authenticate from any client, you won't get a logon screen, so no link to reset your password. I could simply turn off NLA, but the servers are clustered using round robin. When an RDP connection is made from a Wyse terminal via hostname, it will connect to the first RDS server that DNS returns. The server will then interrogate the broker and redirect the connection to the RDS server with the least load. Without NLA enabled, users would have to retype their username and password over and over until they hit a server with less load than the others. Not only annoying for users, but a much wider window for users to lock themselves about a logical paradox!    

It turns out the solution was pretty simple with a bit of C# magic.

All we used to publish to the Wyse desktop was a pop up box asking for a username and password. When the user connects, the Wyse would RDP to the Remote Desktop Farm. If I added a second connection that somehow connected the user to the helpdesk without supplying any credentials, they could submit a ticket if they were locked out! I wrote a program in C# that would simply load the webpage on a windows form. I published the application using Remote App on Server 2008 R2 and deployed a new RDP connection to the Wyse terminals using a generic logon called self service. Now the users could click either an icon called "logon" or another called "Help Desk".

Problem solved?
Nope. Users started to log vague tickets such as "Please help me to log on", leaving no name or contact details - all tickets logged this way from were from the user "self service", even though I coded a message box to pop up and remind users to leave their name.

What next?
Well, we have partners who have their own support company but use our devices from our offices. They are not connected to our network so the only way they can log support calls is by email. Then came the light bulb moment.............I could write a program that emails the helpdesk after verifying that their username exists.

Final Solution:
A really simple program with three text boxes and a button:

  1. Username
  2. Subject
  3. Details of issue 
I published the program in Remote App and added the connection to the wyse wnos.ini file and it works like a charm. An elegant solution to a very complex problem, just saying :) .

The program checks the username supplied against Active Directory and if it exists, it appends "" to the username and sends and email to the help desk from the user's email address. The help desk will send an email to the support team and also to the user to notify us that a ticket has been logged. A simple function validates the whole form, catching all the exceptions I could find. If all goes well and the email is sent, a message box pops up saying so, then logs the session off. I'll explain in another post on how to verify a username against Active Directory in C# and how to send an email in C#. You can find the Visual Studio 2012 project here.

Monday, 3 June 2013

Decoding Pager Traffic with PDW and SDR#

Today I uploaded a video on youtube showing how to decode pager traffic using sdr#, pdw and virtual audio cable. Pager sniffing is the hacker term. I am able to detect about 20 unique transmissions in total which are mostly POCSAG and Flex-A (1600 and 3200 baud). Most of the traffic is found around 152-155Mhz and 135-138Mhz, though I pick up a few faint signals between 454-460Mhz.

Software used:
SDR# - Used to detect signals with USB DVB-T dongle
PDW - Radio signal decoder
Virtual Audio Cable - Used like an audio mixer to send sdr audio output to pdw sound input

Hardware used:
Genius TVGo - rtl2832 dongle with fc0012 tuner
Wire Antenna - 2m of copper wire from a lan cable

Analysis of the traffic makes it obvious that some channels are being shared by multiple services, probably linked nationwide. Most of it is sent in plain text though the odd channel or transmission (and one notably strong one) is encrypted and appears as garbage in pdw. Some just spit out page tests all day long. Services include Fire, Ambulance and delivery companies. People also send SNMP data over the pager network, with messages such as ping failures, server failures and device offline notifications.

 Shout out to superphish on youtube, I did notice the signals but had no idea what they were. Found out it was pager traffic after watching one of his videos.