Week 10 Lab 10

TASK 1:

In this task we viewed the security logs in the windows 2003 system. We then saved these logs to the desktop and cleared them so we could view what we were doing next. In the command prompt we then made a new user. After doing this we went into the event viewer and saw that making the user had been logged.

1. Name the three main Windows Event Logs.

Application log - issues with system software
System log - issues with system hardware
Security log - successful and failed attempts to access resources

2. Explain why saving Event Logs regularly is a good practice.

Logs can be deleted without the users knowledge, so its good to have evidence of them happening in any situation where you may need them after they have been erased.

3. Event Logs can be saved as which three different formats?

EVT
TXT
CSV

4. Adding a user account to the system will trigger an event in which log?

The security log under account management

TASK 2:

In this task we changed the audit policy on logging the failed attempts to log on to the administrative server. After making it log the failed log in attempts we updated the policies and then failed two log ins and then viewed them in the events security logs.

1. Which is more important, auditing for successes or failures?

In my opinion it is more important to log the failures as you can see if someone is attempting to get into your system who doesn't have permission, however if they are succeeding with their log in then that is a bigger issue but once they are in it is hard to stop them, stopping them is easier on the outside. Although you would want to know if someone is on the system so both are useful to have on.

2. Where do you go in Windows to examine the audit policy?

GP edit.msc

3. What are two ways that you can get to the Event Viewer in Windows?

run event viewer.msc
start>administrativeTools>eventviewer

4. What is the command line tool that can be used to update security settings?

gpupdate /force


TASK 3:

In this lab we used the backtrack 5 machine to access the windows 2003 machine and clear the logs on that machine.

1. What happens when the security log is cleared?

There is only one log left, it being the log telling you that all the logs are cleared.

2. What is the difference between the ClearLogs tool and the clearev command?

clearev clears all of the logs and ClearLogs allows you to clear individual logs in the system.

3. Why might a hacker clear the logs?

They clear the evidence that they were on the machine and it also prevents a forensic examiner from doing timeline analysis.

4. What would be an indicator that a hacker may have cleared one or more logs?

It logs that there has been a log cleared.

Week 9 Lab 6

TASK 1:

In this task we checked to see what ports were available and open on the network that the backtrack 5 system was on. After checking what was available we then started up metasploit and used the open port to get access to the vulnerable windows 2003 system.

  

1. What is the command to scan the 192.168.100.0/24 network for hosts?

nmap -sP 192.168.100.*

2. What is the command to scan 192.168.100.147 for open TCP ports?

nmap -O 192.168.100.201

3. How can you determine the operating system that the target system is running?

nmap -T4 -A -v 192.168.100.201

4. What command must be run before utilizing the db_autopwn command?

db_nmap 192.168.100.201 -p 21-445


TASK 2:

In this task we used the command prompts commands and copied them to the ir.txt file to log data attributed to the machine. This meant we could put in the time date system information into a text file and save that to the system.

1. What is the command to get important information about a Windows system?

systeminfo

2. What is the command to view active connections to a machine?

netstat –an | findstr “ESTABLISHED”

3. What is the command to list all of the processes on a machine?

pslist

4. What is the command to view the routing table?

netstat - r

TASK 3:

In this task we looked in the computers files to determine when and on what networks we were trying to be hacked.

1. Where are the log files stored on a Windows system?

system 32 log

2. Where are the FTP log files stored on a Windows system?

MSFTPSVC1

3. Where are the WWW log files stored on a Windows system?

W3SVC1 directory

4. Explain the naming format for log files within Windows.

They are organised by the date that they occurred