The dust from the Aurora attacks on Internet Explorer had barely settled when yet another critical IE vulnerability emerged.

Jorge Luis Alvarez Medina, a security consultant at Core Security Technologies, presented the vulnerability at the Black Hat DC 2010 conference. His talk included proof-of-concept code that exploits it to let an attacker read any file on the victim's machine.

Medina chained a bypass of IE's URL security zone feature with attacks on the browser's handling of file-sharing protocols, and showed how easily a file at a known location can be read from the victim's disk.

Medina described the underlying issues not as isolated bugs but as weak Internet Explorer features that leave an open door for several kinds of attack.

Microsoft has acknowledged the vulnerability and issued Security Advisory 980088.

Microsoft also states that the Restricted sites zone helps mitigate attacks delivered in HTML e-mail, because it prevents Active Scripting and ActiveX controls from running while the message is read. If the user clicks a link in the message, however, the page opens in the browser and the web-based attack scenario still applies.

The advisory adds that Protected Mode in Internet Explorer on Windows Vista and later limits the impact of the vulnerability, so the risk is highest for IE users on Windows XP (which has no Protected Mode) and for users who have disabled it.

Core Security has released a white paper, "Abusing insecure features of Internet Explorer", that walks through the internals of the exploitation process.

References:

  1. Microsoft Security Advisory 980088
  2. Internet Explorer turns your personal computer into a public file server
  3. Internet Explorer URL Zone Security Bypass
  4. Download White Paper from Core Security Group

To stop physical-access breaches through the unattended network ports found in lobbies and reception areas, companies use port-based authentication. Once it is enabled, a device plugged into a port has to prove its identity to an authentication server before it is granted access; until then the port carries nothing but authentication traffic. This gives an authentication step to every device that wants to attach to a LAN port.
Such deployments are more common on wireless access points, but wired networks are now taking their fair share.
I will break up this tutorial in two parts:

  1. Setting up 802.1x authentication in Wired VoIP network.
  2. Breaking Port based Authentication to gain unauthorized access.

Some basic theory:

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server.

The supplicant is usually software on a client device such as a laptop (or, as here, firmware on an IP phone); the authenticator is a wired Ethernet switch or a wireless access point; and the authentication server is generally a RADIUS server backed by a user database.
The authenticator acts like a security guard for the protected network: the supplicant (the client device) is not allowed through the authenticator to the protected side until its identity has been verified.

With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification.

If the credentials are valid (present in the authentication server's database), the server accepts the request, the authenticator switches the port to the authorized state and normal traffic to the protected side of the network is allowed.

When the supplicant logs off it sends an EAPOL-Logoff message to the authenticator, which sets the port back to the unauthorized state and once again blocks all non-EAPOL traffic.

The basic authentication transaction can be shown as:
We will set up port-based authentication with the following supplicant, authenticator and authentication server:

  • Supplicant: Cisco Unified IP Phone 7961G-GE
  • 802.1x Authenticator: Cisco Catalyst 3560 (WS-C3560G-24PS)
  • Radius Server: CiscoSecure ACS 4.1

I will not walk through the full installation and configuration of these devices; I assume you already have the same or equivalent equipment on your network. Only the steps needed for 802.1X are covered here.

Radius Server Configuration:

  • Once Cisco ACS 4.1 is installed, administration is done through its web interface.
  • The first task is to define the authenticator (the switch) as an AAA client.
  • Click Network Configuration in the left pane.
  • Add the authenticator's details, including the shared secret it will use with ACS, as shown in the following screenshots.
  • Click Submit + Apply.
  • Now add the users (the phones) to authenticate in the user database.
  • Click User Setup, the first button in the left pane.
  • Enter the username in the input box and click Add.
  • The username is the device ID shown in the phone's security settings.
  • In the user setup form, enter the password for the device. The phone will present this as its EAP-MD5 shared secret.
  • Repeat the above steps for every device on the network.

802.1x Authenticator:

  • Log in to the switch and enter global configuration mode.
  • Enable AAA, define the RADIUS server and turn on 802.1X globally. The aaa new-model and dot1x system-auth-control lines were not in the original post, but IOS requires both before any per-port dot1x command takes effect. Ports 1645/1646 are the legacy RADIUS ports; use 1812/1813 if your server listens on the standard ones.

WS-C3560G-24PS(config)# aaa new-model
WS-C3560G-24PS(config)# aaa authentication dot1x default group radius
WS-C3560G-24PS(config)# radius-server host <ipAddr_Radius_Server> auth-port 1645 acct-port 1646 key <shared secret configured in ACS>
WS-C3560G-24PS(config)# dot1x system-auth-control

  • Now configure each Ethernet interface for 802.1X authentication. 802.1X is supported only on access ports, so the port is set to access mode first. violation-mode protect silently drops frames from any second MAC address that appears on the port; the 20-second reauthentication period is for watching the exchange in the lab, not for production.

WS-C3560G-24PS(config)# interface GigabitEthernet0/7
WS-C3560G-24PS(config-if)# switchport mode access
WS-C3560G-24PS(config-if)# dot1x pae authenticator
WS-C3560G-24PS(config-if)# dot1x port-control auto
WS-C3560G-24PS(config-if)# dot1x violation-mode protect
WS-C3560G-24PS(config-if)# dot1x timeout reauth-period 20
WS-C3560G-24PS(config-if)# dot1x reauthentication
WS-C3560G-24PS(config-if)# end
WS-C3560G-24PS# write memory

Supplicant Configuration:

I am using a Cisco 7961G IP phone as the supplicant. The steps are the same for any Cisco IP phone with an 802.1X supplicant.

  • Unlock the phone configuration by pressing *##*
  • Once unlocked, go to Options and then the "Security Configuration" menu.
  • Scroll down to the 802.1X Authentication sub-menu.
  • Select "Device Authentication" and change it to "Enable" (it is disabled by default).
  • Select the "EAP-MD5" sub-menu and enter the shared secret that was configured for this device on the RADIUS server.
  • Refer to the adjacent screenshots for details.
  • Save the configuration and reboot the phone.

If all three tiers are set up correctly, the phone will obtain an IP address only after its 802.1X authentication succeeds.

The following Wireshark capture shows a typical exchange between the supplicant and the authenticator.

Wireshark trace

If any other device is plugged into the same Ethernet port it is challenged by the authenticator in the same way; a device that cannot answer the challenge correctly is kept off the wired LAN.
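To make the captured exchange concrete, here is an added example (mine, not part of the original post) that plays the same EAPOL/EAP conversation in Python: an Identity request and response, then the EAP-MD5 challenge relayed from the RADIUS side and the phone's response, computed as RFC 3748 specifies (MD5 over the EAP Identifier, the shared secret and the challenge). The identity string, the secrets and the challenge are made up for the example. The last function shows the property the next part builds on: EAP-MD5 carries no server authentication and derives no keys, so a captured challenge/response pair can be checked against guessed secrets offline.

```python
import hashlib
import os
import struct

# Constants from RFC 3748 (EAP) and IEEE 802.1X (EAPOL).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4
EAPOL_VERSION, EAPOL_EAP_PACKET = 1, 0


def eap(code, identifier, body=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def eapol(eap_pkt):
    """EAPOL header (Version, Type=EAP-Packet, Body Length) in front of the EAP packet;
    on the wire this follows the 0x888E Ethertype."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap_pkt)) + eap_pkt


def parse_eapol(frame):
    """Decode one EAPOL/EAP frame into a dict, much as Wireshark's EAP dissector shows it."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAP-Packet EAPOL frame")
    pkt = frame[4:4 + length]
    code, identifier, eap_len = struct.unpack("!BBH", pkt[:4])
    if eap_len != len(pkt):
        raise ValueError("EAP length field disagrees with frame")
    out = {"code": code, "id": identifier}
    data = pkt[4:]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        out["type"] = data[0]
        if out["type"] == EAP_TYPE_MD5_CHALLENGE:
            value_size = data[1]                      # Value-Size, then Value, then Name
            out["value"] = data[2:2 + value_size]
            out["name"] = data[2 + value_size:]
        else:
            out["value"] = data[1:]                   # Identity: the username ACS looks up
    return out


def md5_challenge_value(identifier, secret, challenge):
    """EAP-MD5 response value (the CHAP construction): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def run_exchange(phone_secret, acs_secret, identity=b"CP-7961G-SEP001122334455", challenge=None):
    """Play the exchange between supplicant and authenticator; return (trace, authorized).
    `identity` imitates a Cisco phone device ID (assumed format); `challenge` is random
    unless fixed for a reproducible run."""
    challenge = challenge or os.urandom(16)
    trace = []

    def send(sender, frame):
        trace.append((sender, parse_eapol(frame)))
        return frame

    # 1. Authenticator: EAP-Request/Identity.
    send("authenticator", eapol(eap(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY]))))
    # 2. Supplicant: EAP-Response/Identity.
    send("supplicant", eapol(eap(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + identity)))
    # 3. Authenticator relays the RADIUS server's EAP-Request/MD5-Challenge.
    request = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + b"acs"
    send("authenticator", eapol(eap(EAP_REQUEST, 2, request)))
    # 4. Supplicant: EAP-Response/MD5-Challenge computed from its configured secret.
    value = md5_challenge_value(2, phone_secret, challenge)
    response = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + identity
    frame = send("supplicant", eapol(eap(EAP_RESPONSE, 2, response)))
    # 5. Server side: recompute with the secret stored for this identity and compare.
    got = parse_eapol(frame)
    authorized = got["value"] == md5_challenge_value(got["id"], acs_secret, challenge)
    send("authenticator", eapol(eap(EAP_SUCCESS if authorized else EAP_FAILURE, 2)))
    return trace, authorized


def offline_guess(trace, candidates):
    """Test candidate secrets against a captured Request/Response pair alone. Nothing in
    the exchange is encrypted or bound to the server, which is why RFC 3748 notes that
    EAP-MD5 is open to dictionary attack by a passive observer."""
    req = next(p for _, p in trace if p["code"] == EAP_REQUEST and p.get("type") == EAP_TYPE_MD5_CHALLENGE)
    rsp = next(p for _, p in trace if p["code"] == EAP_RESPONSE and p.get("type") == EAP_TYPE_MD5_CHALLENGE)
    for secret in candidates:
        if md5_challenge_value(rsp["id"], secret, req["value"]) == rsp["value"]:
            return secret
    return None


if __name__ == "__main__":
    trace, ok = run_exchange(b"cisco123", b"cisco123")
    for sender, pkt in trace:
        print(f"{sender:>13}: code={pkt['code']} id={pkt['id']} type={pkt.get('type')}")
    print("authorized:", ok, "| secret recovered offline:", offline_guess(trace, [b"cisco", b"cisco123"]))
```

Run it as a script to see the five frames in order; the trace entries map one to one onto the EAP lines in the Wireshark capture.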

This is enough to stop some physical intrusions. Bear in mind, though, that EAP-MD5 gives the phone no way to authenticate the server and derives no keys, so the whole exchange is visible in the clear to anyone on the segment. In the next part we'll see how port-based authentication with EAP-MD5 can be broken to gain unauthorized access to the wired network.
Stay tuned...

30 Jan 2010

Apple iPad SEO poisoning attack

Author: Abhijeet | Filed under: General Talks, Information Security, Web Security

What is SEO

Search engine optimization (SEO) is the process of improving the volume or quality of traffic to a web site.  As an internet marketing strategy, webmasters edit the HTML content to increase its relevance to popular keywords; thereby raising ranking of their websites.

SEO techniques can be broadly categorized under white hat and black hat techniques.
Wikipedia says

“A search engine optimization technique is considered white hat SEO if it conforms to the search engines’ guidelines and involves no deception while Black hat SEO attempts to improve rankings in ways that are disapproved of by the search engines, or involve deception. One black hat technique uses text that is hidden, either as text colored similar to the background, in an invisible iframe tag.”

SEO poisoning attacks target popular searches and rely on exactly this hidden-iframe trick: the attacker builds a page with proper SEO for the hot keywords and a hidden iframe that silently redirects the visitor's browser to a rogue website.
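As an added illustration (not part of the original post), the following Python script scans HTML for the hidden-iframe trick described above. It flags iframes made invisible through zero width/height, display:none, visibility:hidden or off-screen positioning, which is how a poisoned page loads the rogue site without the visitor seeing anything. The sample page it parses is constructed for the example, including the hostnames in it.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that hide an element while the browser still fetches its src.
HIDDEN_STYLE_PATTERNS = {
    "display:none": re.compile(r"(^|;)display:none(;|$)"),
    "visibility:hidden": re.compile(r"(^|;)visibility:hidden(;|$)"),
    "zero size in style": re.compile(r"(^|;)(width|height):0(px|%)?(;|$)"),
    "positioned off-screen": re.compile(r"(^|;)(left|top):-\d"),
}


def normalize_style(style):
    """Lower-case and drop whitespace so 'display : none' still matches."""
    return "".join(style.lower().split()) if style else ""


def is_zero_dimension(value):
    """width="0" / height="0px" / "0%" attributes; anything non-numeric counts as visible."""
    if value is None:
        return False
    digits = value.strip().lower().replace("px", "").replace("%", "")
    try:
        return float(digits) == 0
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    """Collects every <iframe> that is hidden by attribute or inline style."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if is_zero_dimension(a.get("width")) or is_zero_dimension(a.get("height")):
            reasons.append("zero width/height attribute")
        style = normalize_style(a.get("style"))
        reasons += [name for name, pat in HIDDEN_STYLE_PATTERNS.items() if pat.search(style)]
        if reasons:
            self.findings.append({"src": a.get("src"), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} dicts, one per hidden iframe in `html`."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample of a poisoned "iPad rumor" page; the hostnames are invented.
SAMPLE_PAGE = """<html><body>
<h1>Apple iPad tablet announcement rumor</h1>
<iframe src="http://videos.example.org/ipad-keynote" width="480" height="320"></iframe>
<iframe src="http://scan.rogue-av.example/check.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://update.rogue-av.example/codec.php" style="display: none"></iframe>
<iframe src="http://cdn.rogue-av.example/x.html" style="position:absolute; left:-9999px; top:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

The visible video iframe is ignored; the three hidden ones are reported with the reason each was flagged. Stylesheet rules applied through a class are not covered, so treat this as a first-pass filter rather than a verdict.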

The recently released Apple iPad is being used as bait for black-hat SEO poisoning.

Searching Google, or any other search engine, for keywords such as "Apple ipad", "Apple tablet", "Apple tablet announcement" or "Apple ipad rumor" yields results that may compromise your system.

SEO Poisoned URL

SEO poisoning pushes the infected URLs to the top of the search results, increasing the chance that a user clicks the malicious link.
A user who clicks such a result is redirected to a malicious site posing as a fake antivirus or a fake video codec download.

Fake infection warning

For instance, when I clicked one such link I was redirected to a site pushing rogue antivirus software; it "scanned" my laptop online for free and displayed a bunch of virus infections.

Virus Infection summary from my system

After the scan the site popped up a message box asking me to fix the problems. As soon as I clicked it, a rogue antivirus installer was downloaded to my system.

Fake AV software installer

Once installed, this so-called antivirus performed a complete scan of my system and listed numerous problems that my fully updated commercial antivirus had somehow never noticed. When asked to fix them, it invited me to buy the full version at a discounted price of $69. ;)

Beware of such websites !!!

Conclusion:

A plain web page cannot scan your disk; a site that lists infections before you have installed anything is lying. These are sophisticated social engineering techniques used by malicious hackers to fool users.

Cyber criminals are targeting popular and controversial events, harvesting the keywords people search for and poisoning the results. They catch users' attention and then trap them in this vicious circle. The Tiger Woods story was one such lure.

So, all that glitters is not gold; use your head ;)


29 Jan 2010

Lit up your iPhone

Author: bughira | Filed under: General Talks, Uncategorized, iPhone

On 16 September Smule released a supercool iPhone app that simulates a real lighter.
Flick the iPhone and tilt the screen to watch the flame react. Sonic Lighter is a nice demonstration of what the accelerometer and sound frameworks can do.

The best feature of Sonic Lighter is that it can light up another iPhone: the app emits a sound from the speaker, and when you hold it near another iPhone running Sonic Lighter, the flame on the other phone lights up. Isn't that cool?

Sonic Lighter is available on the App Store for 99 cents.
The adjacent image shows typical usage examples.

Here is a small video showing Sonic Lighter in Action.


OK, we know from the previous post that the malware tries to connect to testirc1.sh1xy2bg.NET. To learn more about its intentions I added a fake DNS entry to the XP hosts file pointing testirc1.sh1xy2bg.NET at my BackTrack 3 machine, rebooted the live analysis machine and started Wireshark again on the BT3 system.

Because the malware has registered itself to start whenever Windows boots, it runs and tries to reach its master. This time the DNS query resolves and it attempts a connection to TCP port 6667, the standard IRC port. Recall that I had already installed an IRC server on the BT3 machine. Let's start the IRC service and restart the malware process from Process Explorer.

This time the malware connects to the IRC server and joins the channel "Chalenge" with the key "happy12" (refer to the Wireshark trace screenshot). It then sends MODE -mnst for the channel, clearing the moderated, no-external-messages, secret and topic-lock flags, and sets the topic to ".asc vnc 100 0 0 -r -b".
I can now conclude that the malware is controlled through an IRC channel. The next question is which services it provides to its master. There are two ways to find out:

  1. Code Analysis Via Reverse Engineering
  2. Controlling the malware by connecting it.

I used both at once. I installed the XChat2 IRC client and joined the same channel. The strings dumped from the unpacked binary gave some clues about commands the malware might accept, such as sysinfo, driveinfo, uptime and netinfo, but it did not respond when I sent them. Again there are two possible reasons:

  • I  am trying wrong commands
  • Malware has authentication.

The second is the obvious one: why would the author let any Tom, Dick and Harry control his bot? So let's find the password needed to talk to the malware. To authenticate as its master I tried the password-like strings from the strings output as candidates.

<bughira> .login admin123
-USA[XP]1123037- Are you a Fucker?. (bughira!BT@738FBBA.E0CB536.5CF86F75.IP).
-USA[XP]1123037- No pass for you.

The password has to be hard-coded in the binary, so that is where we look. Let's hunt for the string "No pass for you" in IDA Pro, one of the best-known disassemblers and debuggers for malware analysis. The code in the snapshot references a string "gemp123" that is compared against our input:

.text:004089BE ProcessCredentials:                             ; CODE XREF: sub_403EF2+6D2j
.text:004089BE                                         ; sub_403EF2+6E7j
.text:004089BE                 mov     esi, [ebp+esi+var_9C]
.text:004089C5                 cmp     esi, ebx
.text:004089C7                 mov     dword ptr [ebp+dwProcessId], esi
.text:004089CA                 jz      loc_404369
.text:004089D0                 cmp     [ebp+var_A8], ebx
.text:004089D6                 jnz     loc_404369
.text:004089DC                 push    offset asc_425B84 	; Use Delimiter "!"
.text:004089E1                 push    [ebp+var_A0]    		; Our Supplied Nick and Domain name.
.text:004089E7                 call    _strtok			; Separate NickName from the string.
.text:004089EC                 mov     esi, eax
.text:004089EE                 push    offset word_475DB4 	; char *
.text:004089F3                 push    ebx             		; char *
.text:004089F4                 inc     esi
.text:004089F5                 call    _strtok
.text:004089FA                 push    offset asc_423648 	; "~"
.text:004089FF                 push    eax             		; Push the domain name string to get exact domain name token
.text:00408A00                 call    _strtok
.text:00408A05                 push    dword ptr [ebp+PId] 	; Push our supplied password
.text:00408A08                 mov     edi, eax                 ; Store complete domain string in EDI for further usage if needed.
.text:00408A0A                 push    offset aGemp123 		; Password for the Malware : "gemp123"
.text:00408A0F                 call    _strcmp			; Compare supplied password with gemp123
.text:00408A14                 add     esp, 20h			; ReOrganize stack
.text:00408A17                 test    eax, eax			; Check the return value of strcmp
.text:00408A19                 jz      short loc_408A66		; If Zero,Login Successful
.text:00408A1B                 lea     eax, [ebp+var_C8] 	; Login Failed. Insult Connected user.
.text:00408A21                 push    edi			; Push our Domain name
.text:00408A22                 push    eax			; Push Our nick Name
.text:00408A23                 lea     eax, [ebp+var_C8]        ;
.text:00408A29                 push    eax             		; Push Malware Bot name
.text:00408A2A                 push    offset WrnPassMsg 	; "NOTICE %s :Are you a Fucker?. (%s!%s).\r"...
.text:00408A2F                 push    [ebp+arg_4]     		;  Socket Descriptor
.text:00408A32                 call    SendMessage		; Send Message over socket.
.text:00408A37                 lea     eax, [ebp+var_C8]
.text:00408A3D                 push    eax             		; Push Malware Bot name.
.text:00408A3E                 push    offset WrnPassMesg1	; "NOTICE %s :No pass for you.\r\n"
.text:00408A43                 push    [ebp+arg_4]     		; Socket Descriptor
.text:00408A46                 call    SendMessage		; Send message over a socket
.text:00408A4B                 push    edi			; Push Domain name and other information for
.text:00408A4C                 push    esi			; logging purpose.
.text:00408A4D                 push    offset aRealmbotIrc_35 	; "RealmBoT (irc.p.l.g) .++.  *Failed pass"...

Let's try "gemp123" as the password.

<bughira> .login gemp123
-USA[XP]2866523- WTF!? no yet fucker!. (bughira!BT@738FBBA.E0CB536.5CF86F75.IP).
-USA[XP]2866523- Orders: No Talk with you.

The password looks right, but the bot still dislikes something, perhaps my nickname or my host. Let's dig further in the debugger. I searched IDA for the string "WTF!? no yet fucker!." and followed its references. Reading the surrounding code I found a function that matches my nick!user@host against "*@legalize.it": the malware accepts a master only from the legalize.it domain, under any nickname.

I decided to patch the binary so that it accepts the login from any domain. Refer to the screenshot, which shows the actual patch being applied.

I saved the patched binary under the same name, restarted the Winsec32.exe process and got:
.login gemp123
[REALMBOT] : Thank for trying.

Bingo! We're in. Let's explore the malware's functionality by retrying the earlier commands; see the screenshots for their output.
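To pin down what the disassembly above is checking, here is a Python reconstruction of the bot's .login gate as the listing and the two failed attempts describe it: the sender prefix nick!user@host is split on "!" (dropping the "~" that an IRC server prepends to an unverified ident), the supplied password is compared with the hard-coded "gemp123", and then user@host is matched against "*@legalize.it". This is my added example, not the bot's own code; the order of the two checks follows the replies observed above, and the patch is modelled as swapping the hostmask for one that matches everything.

```python
import fnmatch

BOT_PASSWORD = "gemp123"            # the constant next to the strcmp in the listing
MASTER_HOSTMASK = "*@legalize.it"   # pattern the bot compares the sender's user@host against
ANY_HOST = "*@*"                    # what the patch effectively turns that pattern into


def split_prefix(prefix):
    """':nick!user@host' -> (nick, 'user@host'), mirroring the strtok calls on '!' and '~'."""
    nick, _, userhost = prefix.lstrip(":").partition("!")
    return nick, userhost.lstrip("~")


def parse_privmsg(line):
    """Return (prefix, target, text) for an IRC PRIVMSG line, or None for anything else."""
    prefix, _, rest = line.partition(" ")
    command, _, rest = rest.partition(" ")
    if command != "PRIVMSG":
        return None
    target, _, text = rest.partition(" :")
    return prefix, target, text


def login_replies(prefix, supplied_password, master_mask=MASTER_HOSTMASK):
    """The NOTICE lines the bot sends back for '.login <password>' (texts from the strings
    seen in the binary; XChat shows a NOTICE from the bot as '-botnick- text')."""
    nick, userhost = split_prefix(prefix)
    if supplied_password != BOT_PASSWORD:
        return [f"NOTICE {nick} :Are you a Fucker?. ({nick}!{userhost}).",
                f"NOTICE {nick} :No pass for you."]
    if not fnmatch.fnmatchcase(userhost, master_mask):
        return [f"NOTICE {nick} :WTF!? no yet fucker!. ({nick}!{userhost}).",
                f"NOTICE {nick} :Orders: No Talk with you."]
    return [f"NOTICE {nick} :[REALMBOT] : Thank for trying."]


def handle_line(line, master_mask=MASTER_HOSTMASK):
    """Feed one raw line from the channel; only the '.login' command is modelled here."""
    parsed = parse_privmsg(line)
    if parsed is None:
        return []
    prefix, _target, text = parsed
    words = text.split()
    if len(words) == 2 and words[0] == ".login":
        return login_replies(prefix, words[1], master_mask)
    return []


if __name__ == "__main__":
    me = ":bughira!BT@738FBBA.E0CB536.5CF86F75.IP PRIVMSG #Chalenge :.login gemp123"
    print("unpatched:", handle_line(me))
    print("patched:  ", handle_line(me, master_mask=ANY_HOST))
```

Running it reproduces the three outcomes from the session above: wrong password, right password from the wrong host, and the "Thank for trying" reply once the hostmask check no longer bites.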

Searching through the binary turned up more functionality. I was able to confirm that the malware can perform several kinds of DoS and DDoS attacks.

When you tell the malware to start its web server you get output like the following screenshot. It can likewise start an FTP server on the victim machine, giving its master free storage space.

webserver

The malware is also capable of exploiting DCOM and VNC vulnerabilities on unpatched systems. Some of the commands it supports:

        login authentication (login password)
        logout                
        chghttp                Change HTTP Settings.
        lockdown.off           Disables 'secure' mode visit irc.v
        web.off                Disable httpd
        ftpd.off               Disable ftpd
        log.off                Disable logging
        proxy.redirect.off     Disable TCP redirector
        ddos.off               Disable all DDoS attacks
        syn.off                Disable SYN flood
        udp.off                Disable UDP flood
        ping.off               Disable ping flood
        proc.off               List processes (?)
        clone.off              kills clone
        clone                  Creates a clone of self
        secure.stop            Terminates thread processes
        scanstop               Stop Port scan thread.
        id                     Returns PID of its own process.
        status                 Sends Status information
        reboot                 As name suggest, reboots the host machine
        clearlog               Clears the maintained log file.
        opencmd                Open a command shell
        closecmd               Closes a command shell
        flusharp               Flushes the ARP cache
        flushdns               Flush DNS Cache
        prockillid             Kills a proceess by PID
        readfile               Read specific file from Disk
        keylog.on              Start Keylogging thread
        update                 Updates itself from http://www.Nivdav.net/Winsec32.exe
        execute                Execute specified command on remote system
        udpflood               Start UDP Flood DoS module
        pingflood              Start PING Flood DoS Module.
        advscan                Start port and service scan thread.
        ftp.upload             Upload file using FTP

The malware also scanned random hosts for the VNC service (TCP port 5900), with the addresses derived from my own network configuration. Some of the addresses it contacted:

		192.168.209.95:5900
		192.168.155.129:5900
		192.168.1.19:5900
		192.168.105.160:5900
		192.168.206.49:5900
		192.168.52.194:5900
		192.168.153.83:5900
		192.168.1.225:5900
		192.168.103.113:5900
		192.168.204.2:5900

Static analysis in IDA Pro revealed more about the malware:

  • When it copies itself into the %SYSTEMROOT% folder it sets the READONLY, SYSTEM and HIDDEN attributes on the file.
  • It creates a mutex at start-up so that only one copy of itself runs.
  • It first checks whether the host has a network or Internet connection.
  • It tries to exploit SMB shares.

Given the command list we can classify this malware as an IRC bot capable of DoS and DDoS attacks, with keylogging and credential stealing as sub-categories.
I'll conclude the second installment here; the final part covers generating a signature for the malware and the code for a removal tool. Hope to see you soon.

References:

  1. Analyzing IRCBOTS: Part I (Static and Behavioural Analysis)
  2. Analyzing IRCBOTS: Part III (Removal Tool and Signature Generation)
  3. IDA Pro
  4. OllyDbg
29 Jan 2010

How to RESET iPhone/iTouch R00t Passwd.

Author: bughira | Filed under: iPhone

Hmmmm, so you unlocked your new 1.1.4 iPhone and started playing with the various applications. Have you ever installed OpenSSH (usually there is no need to do it by hand; most jailbreaking tools install it for you), logged in from a remote machine, tried to change the default root password with the regular 'passwd' command and watched the underlying BSD subsystem crash?

The same thing happened to me recently. After changing the root password I happily closed the SSH connection and went on browsing and making calls. I changed the SummerBoard theme and restarted SpringBoard to apply it; that was it, my iPhone went into an endless loop and never let me open any application. It even reset my cool wallpaper to the original one (earth) and looked like this:
If the same has happened to you, read on (and even if not, read on anyway ;)).
There is a bug in the hashing logic of the 'passwd' command, which rewrites the /etc/master.passwd file. The only way to recover from this crash is to restore the iPhone.

Format of Sample /etc/master.passwd file:
##
# User Database
#
# Note that this file is consulted when the system is running in single-user
# mode. At other times this information is handled by lookupd. By default,
# lookupd gets information from NetInfo, so this file will not be consulted
# unless you have changed lookupd’s configuration.
##
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:someJunkChars:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:someJunkChars:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false
_securityd:*:64:64::0:0:securityd:/var/empty:/usr/bin/false


How to change the default r00t password?
====================================
Instead of the 'passwd' command, use the following manual steps.

1) In a terminal (on any Unix box, not necessarily the phone), use either of the following to generate the crypt(3) password hash:

root@iBughira:~# perl -e 'print crypt("myPasswd", "XX")."\n"'
OR
root@iBughira:~# openssl passwd -salt "XX" "myPasswd"
XXd3otv/H89.E
root@iBughira:~# openssl passwd -salt "XX" "myPasswd123"
Warning: truncating password to 8 characters
XXd3otv/H89.E
root@iBughira:~#
Here XX is the two-character salt. Traditional DES crypt uses only the first 8 characters of the password, which is why "myPasswd123" produces the same hash as "myPasswd" (openssl warns about it, perl silently truncates). Keep the password at 8 characters or fewer so that what you type later is exactly what was hashed.
You can also generate the hash with an online crypt tool, but then you are handing your password to a third party; prefer the commands above.
2) Copy the output of this command.
3) Login to your iPhone using SSH.
4) Open the /etc/master.passwd file in vi or nano editor.
5) Replace the hash field after root: in /etc/master.passwd (i.e. "someJunkChars" in the sample above) with the generated string, keeping the colons on either side.
6) Save and exit the editor.

Thats it, you are done. Root password has been changed. If this helped you, do leave comment/feedback.
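As an added example (not from the post), the Python below does the manual edit from steps 4 to 6 programmatically, using the sample /etc/master.passwd above as constructed input: it parses the ten colon-separated fields, refuses anything that is not a 13-character traditional DES crypt string (so a mangled hash cannot lock you out), replaces only root's hash, and writes the file back atomically. The hash itself is still produced with one of the commands from step 1, and it covers only the first eight characters of the password.

```python
import os
import re
import tempfile

# master.passwd(5) fields: name:passwd:uid:gid:class:change:expire:gecos:home:shell
FIELDS = ("name", "passwd", "uid", "gid", "class", "change", "expire", "gecos", "home", "shell")
# Traditional DES crypt(3) output: 2 salt characters + 11 hash characters from this alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed from the sample file in the post; the hashes are placeholders, as there.
SAMPLE_MASTER_PASSWD = """##
# User Database
##
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:someJunkChars:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:someJunkChars:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
"""


def parse_master_passwd(text):
    """Yield (raw_line, entry_or_None); comments and blank lines are passed through untouched."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            yield line, None
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        yield line, dict(zip(FIELDS, parts))


def set_password_hash(text, user, new_hash):
    """Return the file contents with `user`'s hash field replaced by `new_hash`."""
    if new_hash != "*" and not DES_CRYPT_RE.match(new_hash):
        raise ValueError("not a 13-character DES crypt string; generate it with "
                         "openssl passwd -salt XX <password>")
    out, found = [], False
    for raw, entry in parse_master_passwd(text):
        if entry and entry["name"] == user:
            entry["passwd"] = new_hash
            raw = ":".join(entry[f] for f in FIELDS)
            found = True
        out.append(raw)
    if not found:
        raise KeyError(f"no entry for {user}")
    return "\n".join(out) + "\n"


def rewrite_master_passwd(path, user, new_hash):
    """Edit the file through a temporary file plus rename, so an interrupted write cannot
    leave a truncated password database behind. Mode 0600 matches the original file."""
    with open(path) as f:
        updated = set_password_hash(f.read(), user, new_hash)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(updated)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise
    return updated


if __name__ == "__main__":
    # The hash is the one produced for "myPasswd" with salt XX in step 1.
    print(set_password_hash(SAMPLE_MASTER_PASSWD, "root", "XXd3otv/H89.E"), end="")
```

On the phone you would call rewrite_master_passwd("/etc/master.passwd", "root", "<hash>") as root; the validation step is what protects you from the half-edited file that a slip in vi would leave.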

URL shortening is a technique in the World Wide Web wherein a provider makes a web page available under a very short URL in addition to the original address.

For example, the page http://blog.chackraview.net/2010/01/19/operation-aurora/ can be shortened to http://bit.ly/5RJICq

As web clients pass more and more data in the URL to communicate with the server, URLs have become long, ugly and hard to remember.
IM clients, and above all social networking and microblogging clients such as Twitter, have made URL shortening more and more popular.

URL shortening service providers keep one to one mapping of long vs. short URLs and that’s how web client gets redirected to the actual website.

The most popular URL shortening services are listed below.

URL shortening gives end users the freedom to cut long URLs down to something human-readable, but it also enables some sophisticated attacks.

Confused? Let me explain.

URL shortening is a special case of URL redirection: the short URL redirects the web client to the actual long URL. The short URL hides the target, which can be absolutely anything, including a bank phishing site or a malware site. You will never know until you actually visit the page.

The Symantec Security Response team has made a short video on malicious use of URL shortening services. It shows how a user can be fooled into downloading rogue antivirus software by making it look as if the PC is infected.


This can happen with any of us unless we take necessary precautions.

Precautions:

We can install the following browser plugins:

  1. The "bit.ly preview" plugin for Mozilla Firefox
  2. The "Bit.ly" extension for Google Chrome

Whenever you hover over a bit.ly URL on any web page, these plugins display a tooltip with the page title, the long URL and any click data bit.ly holds for the link.

bit.ly plugin configuration

To use these plugins, you need a valid username and API key from bit.ly service. You can register for free on bit.ly and use your API key to avail this service.

bit.ly plugin showing long url corresponding to the short one.

This way we at least know where we may be redirected. It is not a foolproof solution, but it reduces the chance of falling prey to such social engineering tricks.
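The plugins above only cover bit.ly. As an added example (not from the post), here is a Python resolver that does the same job for any shortener by asking each hop where it points instead of letting the HTTP library follow redirects: it collects the chain of Location headers with a hop limit and a loop check, resolves relative Locations, and flags a final destination that is a bare IP address, that took several hops to reach, or that dropped from https to http. The responses it walks are a constructed fixture so it runs offline (the bit.ly entry mirrors the example at the top of the post; the other hostnames and the 203.0.113.7 address are invented); fetch_live shows the equivalent HEAD request with http.client for real use.

```python
import http.client
import re
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = (301, 302, 303, 307, 308)
MAX_HOPS = 5


def fetch_live(url):
    """One HEAD request that does NOT follow redirects; returns (status, lower-cased headers)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=10)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def resolve_redirects(url, fetch=fetch_live, max_hops=MAX_HOPS):
    """Follow Location headers by hand; returns (chain_of_urls, final_status)."""
    chain, seen = [url], {url}
    while True:
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or "location" not in headers:
            return chain, status
        nxt = urljoin(chain[-1], headers["location"])   # Location may be relative
        if nxt in seen:
            raise RuntimeError(f"redirect loop at {nxt}")
        if len(chain) >= max_hops:
            raise RuntimeError(f"more than {max_hops} hops from {url}")
        seen.add(nxt)
        chain.append(nxt)


def warning_signs(chain):
    """Cheap heuristics on the resolved chain; a real deployment adds reputation lookups."""
    reasons = []
    host = urlparse(chain[-1]).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("final host is a bare IP address")
    if len(chain) > 2:
        reasons.append(f"{len(chain) - 1} redirect hops")
    if urlparse(chain[0]).scheme == "https" and urlparse(chain[-1]).scheme == "http":
        reasons.append("chain downgrades from https to http")
    return reasons


# Constructed fixture standing in for the network: URL -> (status, headers).
FIXTURE = {
    "http://bit.ly/5RJICq": (301, {"location": "http://blog.chackraview.net/2010/01/19/operation-aurora/"}),
    "http://blog.chackraview.net/2010/01/19/operation-aurora/": (200, {"content-type": "text/html"}),
    "http://short.example/x1": (302, {"location": "/go/x1"}),
    "http://short.example/go/x1": (302, {"location": "http://203.0.113.7/scan/index.php"}),
    "http://203.0.113.7/scan/index.php": (200, {"content-type": "text/html"}),
    "http://short.example/loop": (302, {"location": "http://short.example/loop2"}),
    "http://short.example/loop2": (302, {"location": "http://short.example/loop"}),
}


def fetch_fixture(url):
    return FIXTURE[url]


if __name__ == "__main__":
    for start in ("http://bit.ly/5RJICq", "http://short.example/x1"):
        chain, status = resolve_redirects(start, fetch_fixture)
        print(" -> ".join(chain), f"[{status}]", warning_signs(chain) or "no warnings")
```

Swap fetch_fixture for fetch_live to expand a real link; keeping the redirect handling explicit is the point, since a client that follows redirects for you has already visited the destination by the time you can inspect it.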

Stay safe !!!

References:

  1. Bit.ly Preview firefox plugin
  2. Bit.ly google chrome extension

Note: these plugins expand short URLs only from bit.ly. I am not aware of similar plugins for the other URL shortening services.

25 Jan 2010

Blogs contents: My First Blog

Author: bughira | Filed under: Uncategorized

Hi all,

This is my first blog post. I have been thinking about blogging for a long time, but work never allowed it, or maybe I never took it seriously. From now on I have committed myself to writing at least two posts a week.

I am an information security freak and love exploring gadgets, so the posts will cover the things I come across while working or exploring new gadgets and tools. I may post some advisories, security tutorials and sample code. Doing research I often deal with new network topologies, virtualization and interoperability between different gadgets, so there is a slim chance you will find some admin stuff here too. You can also expect reviews of security tools, books and so on.

I might also upload some tools I am planning to develop on my iPhone ;) and some HOWTOs for the iPhone/iPod.

I hope you people out there will comment on my writeup and give feedbacks/suggestions so that i can improve quality of the writeup and keep my blogging spirit high.

Thank you,

25 Jan 2010

OCS 2007 R2 Installation

Author: bughira | Filed under: General Talks, HOWTO's, OCS, VMWare, Voice Over IP

In the race to deploy VoIP solutions, Microsoft announced the new release of its Office Communications Server 2007 at VoiceCon. Despite all the deployment and installation guides for OCS, many people are clueless about installing it. The main reason is its complexity; given the wide range of services Microsoft covers, we can hardly blame them for such an involved install procedure. Another reason is the length of the install guide (150-odd pages). To be honest, I was too lazy to read the guide for OCS R1 but still managed to install it successfully.

The key features in the R2 release of Microsoft Office Communications Server are:

  1. Dial-in audio conferencing
  2. Desktop sharing
  3. Persistent group chat
  4. Attendant console and delegation
  5. Session Initiation Protocol trunking
  6. Response groups
  7. Mobility and single-number reach
  8. New developer tools for business applications.

Read References for details about the features.

Backed by my OCS R1 installation experience, I went through the system requirements of OCS R2, collected the required hardware and media, and sat down to install it. This post describes installing Office Communications Server R2 in 21 easy steps. I have not elaborated on the internals of each step, otherwise this would have become another 150-page install guide. A few screenshots are provided for reference.

Before we start, you should know that Office Communications Server 2007 R2 is available only as a 64-bit edition, so it needs 64-bit hardware and a 64-bit edition of Windows Server. This rules out an in-place upgrade from OCS R1 to R2. The official Office Communications Server site lists many other system requirements; to cut the long story short, these are the systems I used for my virtual OCS lab.

Requirements:

  • Two machines with Windows 2003 server edition installed.
  • Two Static IPs – One for ADS & one for OCS
  • Windows 2003 Install Media.
  • Office Communication server R2 & Communicator Install Media.

I used following Naming convention for my setup.

  • ADS                      ( Static IP:192.168.14.128)       ( Windows 2003 R2 Enterprise Edition )
  • OCS                       ( Static IP:192.168.14.129)       ( Windows 2003 R2 Enterprise Edition )
  • Client                   ( Static IP:192.168.14.130)       ( Windows XP SP2 )
  • Domain Name:  Bughiralab.net

Procedure:

  • Install Windows 2003 64-bit Standard/Enterprise Server edition on both systems and configure them with static IP addresses.
  • Promote ADS to Domain Controller(Install Active Directory) with domain name Bughiralab.net. Choose Install DNS Server options at the time of installation.
  • Add OCS into the newly created domain Bughiralab.net.
  • Now create some Normal and special users/Groups in active directory.
    • Normal Username: bughira, sherkhan, kaa etc. (We will use them as OCS users )
    • Special Username: RTCService, RTCComponentService  ( Needed for SIP service and other  Components services )
      • Make sure you choose “Password Never Expires and User Can not change password” options for above special users. These users are directly involved with OCS services. If password expires for these services; OCS server wont start.
      • Choose complex password for these accounts and happily forget it.
    • Special Group: RTCSetupDelegate.
    • Select RTCSetupDelegate as Distribution group and not Security Group. Select Universal as its Group Type.
  • Install IIS server on both ADS and OCS Machines.
    • Go to Add/Remove programs from control panel, click on Add/Remove Windows components and select Application Server.
  • Install Certificate services on the ADS.
    • Go to Add/Remove programs from control panel, click on Add/Remove Windows components and select Certificate services.
  • Raise Domain Functional Level of Domain Controller to Windows 2003.
    • Go to Active Directory Users and Group. Right click on Domain Name( Forest) and Choose Raise Domain Functional Level from Context menu.
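The account and group creation above can also be scripted on the domain controller with the Windows Server 2003 directory service command-line tools, which makes it easy to verify that the service accounts really carry the "password never expires" and "cannot change password" flags before OCS setup depends on them. The following batch script is an added example and not part of the original post or the OCS installer; it assumes the domain DN DC=bughiralab,DC=net, the default CN=Users container, and the user and group names from the list above. The group DN it creates is the same LDAP string that the Delegate Setup wizard asks for later in this post.

```batch
@echo off
REM Added example (not from the original post): create the OCS service
REM accounts and the RTCSetupDelegate universal distribution group with
REM dsadd, then read the flags back with dsget. Run on ADS (the domain
REM controller) as a domain administrator. "-pwd *" prompts for each
REM password so nothing secret is stored in this file.
setlocal

REM Assumed domain and container; adjust to your own lab.
set DOMAIN_DN=DC=bughiralab,DC=net
set USERS_CN=CN=Users,%DOMAIN_DN%
set UPN_SUFFIX=bughiralab.net

REM Service accounts: password never expires, user cannot change it, and no
REM forced change at next logon, so the OCS services keep starting.
for %%s in (RTCService RTCComponentService) do (
    dsadd user "CN=%%s,%USERS_CN%" -samid %%s -upn %%s@%UPN_SUFFIX% ^
        -display "OCS service account %%s" -pwd * ^
        -pwdneverexpires yes -canchpwd no -mustchpwd no -disabled no
)

REM Normal OCS users: ordinary accounts that must change password at first logon.
for %%u in (bughira sherkhan kaa) do (
    dsadd user "CN=%%u,%USERS_CN%" -samid %%u -upn %%u@%UPN_SUFFIX% ^
        -pwd * -mustchpwd yes -disabled no
)

REM Setup delegation group: universal scope (-scope u), distribution rather
REM than security group (-secgrp no), matching the post's instructions.
dsadd group "CN=RTCSetupDelegate,%USERS_CN%" -samid RTCSetupDelegate ^
    -scope u -secgrp no -desc "OCS setup delegation group"

REM Verification: the two service accounts must show pwdneverexpires=yes,
REM canchpwd=no and disabled=no; the group must show scope=universal.
for %%s in (RTCService RTCComponentService) do (
    dsget user "CN=%%s,%USERS_CN%" -samid -pwdneverexpires -canchpwd -disabled
)
dsget group "CN=RTCSetupDelegate,%USERS_CN%" -samid -scope -secgrp

endlocal
```

Keep the dsget output from the last two commands with your install notes: an expired or disabled service account is the first thing to check when the OCS services later refuse to start.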

Once you are done with the above steps, you are all set for getting your hands dirty.

  • Log in on OCS.Bughiralab.net as the domain administrator or any other user with install and delegate permissions.
    • Log in to the domain instead of the local computer at the login prompt.
  • Select Standard Edition from the Autorun menu of the OCS R2 install media.

startscreen

  • Click on the Prepare Active Directory option to start the actual installation procedure. There are three sub-steps under this step.
    • Click on Prep Schema. This step usually never fails, and even if it does, the OCS installer provides good log information to resolve it.
    • Run the Prep Forest wizard to proceed. This only needs to run once per deployment. It creates the global settings and universal groups needed by Office Communications Server.
    • Click on the Prep Domain wizard to proceed.
    • Successful completion of the above steps completes the Active Directory preparation stage of the installation.

installstep2

  • Now click on the most important installation step: the Delegate Setup and Administration wizard. We will make use of the special users and groups we created here.
    • When asked for the universal group, specify the group name as RTCSetupDelegate (the default) and click Next.

setupdelegate

    • On the next screen, enter the container group name in valid LDAP string syntax. As we have already created the RTCSetupDelegate universal group, the following string can be used.
    • "CN=RTCSetupDelegate,CN=Users,DC=bughiralab,dc=net"
    • Enter the user names for the SIP Service and Component Service as RTCService and RTCComponentService on the next wizard screen.
  • Now click the Back button twice and choose the Deploy Server step from the install screen.
    • The installer will install MS SQL Server.
    • Use the default user and database values and click Next on each screen. This completes the Deploy Server stage.

r2install3

  • The next installation step is the Configure Server wizard. Here you configure your OCS R2 server for internal or external users along with the allowed SIP domains.
    • We will configure the server for internal users only and provide the default inputs wherever asked.

configureserver

  • Launch the Configure Certificate wizard and create a new certificate for our OCS server, choosing our ADS machine as the CA server.

certificate-2

    • Click on the Assign Certificate button to assign the certificate to the OCS server.
    • We will need this certificate if we deploy an Edge server.
  • If you want to make use of the Web Conferencing service, you need to assign the certificate created above to the IIS server running on the OCS server.
    • Go to the IIS server and choose Properties of the Default Web Site from the context menu.

iis_certificate

    • Assign the certificate needed for the Web Components Server.

iis_certificate1

  • Successful completion of the above steps opens the Start Services wizard. Click Next to start the related services.

startservices

  • On completion, log in on the ADS machine and install the OCS Administration Tools from the OCS install media.
    • You will find the option for installing the Admin Tools in the bottom right pane of the OCS install screen.
    • Select the created OCS users in Active Directory and, from Properties, select the "Communications" tab.
    • Select the Enable for Office Communications Server option, key in the required details and click OK.

useradd

  • Log in from Communicator using the SIP-enabled users and enjoy the supercool OCS VoIP services.

References:

VIPER Lab researchers once again kept their promise of delivering exciting and freaky features in the upcoming version of VideoJak.

VideoJak rocked Defcon 17 with some thrilling video attack demonstrations of the kind we have only seen in Bond movies.

My earlier post talked about the old version of VideoJak, which was used to demonstrate a proof-of-concept (PoC) video DoS attack against Cisco 7985 IP video phones.

VideoJak is updated with two brand new attacks.

  1. Video replay, where the same video stream is repeatedly played on the target video phone or Cisco surveillance camera.
  2. Video insertion, where a completely random video stream is inserted into the ongoing video conversation or the live feed from surveillance cameras.

The video replay attack demo showed a water bottle being stolen from a chair while the live feed was replaced with still video captured before the attack. The second demonstration played a short clip from the movie "The Italian Job" in place of the live feed from the surveillance camera.

We demand video solutions. Video solutions demand security ;)

Here is the video demonstration of both of the above attacks.
