Lan-Secure Blog

Networking articles


Find technical networking articles
Use our network security and management blog to find technical articles and knowledge base information about networking related issues.

 

USB detection using WMI script

USB flash drives are very common and can be found in almost every computerized environment, where they are used for storing and transferring data between computers. These USB devices make it easy for a potential attacker to infect unprotected computers with viruses and Trojan software, and they provide a gateway to the network for manipulating sensitive data.

Detecting USB storage devices
There are some nice tools on the net that will notify about USB devices on local and remote Windows platforms, but most of them are not free and require installing an agent on the remote Windows platforms. Using the preinstalled Windows Management Instrumentation (WMI) on Windows platforms is free and does not require any remote agent. It only requires a simple script that can be run manually from a privileged user account or from other network monitoring software like the Lan-Secure Security Center and Lan-Secure Switch Center Protector network security scanners.

WMI notification event script
The following USB notification event script sends an event message in response to any operation of a USB device on a local or remote Windows platform. For simplicity, the script uses a temporary event subscription, which exists only as long as the script is running. Some modifications are needed for a permanent event subscription, which does not require a perpetually running script:

VBScript (should be copied and saved as a .vbs file):
strComputer = "." ' Any computer name or address
Set wmi = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Temporary subscription: poll every second for operations on USB mass storage PnP entities
Set wmiEvent = wmi.ExecNotificationQuery("select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'")
While True
    ' NextEvent blocks until the next matching event arrives
    Set usb = wmiEvent.NextEvent()
    Select Case usb.Path_.Class
        Case "__InstanceCreationEvent"
            WScript.Echo("USB device found")
        Case "__InstanceDeletionEvent"
            WScript.Echo("USB device removed")
        Case "__InstanceModificationEvent"
            WScript.Echo("USB device modified")
    End Select
Wend

JScript (should be copied and saved as a .js file):
var strComputer = "."; // Any computer name or address
var wmi = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
// Temporary subscription: poll every second for operations on USB mass storage PnP entities
var wmiEvent = wmi.ExecNotificationQuery("select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'");
while (true) {
    // NextEvent blocks until the next matching event arrives
    var usb = wmiEvent.NextEvent();
    switch (usb.Path_.Class) {
        case "__InstanceCreationEvent": WScript.Echo("USB device found"); break;
        case "__InstanceDeletionEvent": WScript.Echo("USB device removed"); break;
        case "__InstanceModificationEvent": WScript.Echo("USB device modified"); break;
    }
}
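One way to make the subscription permanent, as mentioned above, is to register an event filter, a logging consumer and a binding in the root\subscription namespace so that WMI itself writes an Application event log entry for each USB storage insertion or removal. This is an added example, not part of the original article; it assumes an elevated Windows PowerShell 5.1 session, and the "UsbAudit" names, the event IDs 9001/9002 and the 'WSH' event source are assumptions chosen for illustration.

```powershell
# Added example, not from the original article. Run elevated in Windows PowerShell 5.1.
# The "UsbAudit" names, event IDs 9001/9002 and the 'WSH' event source are assumptions.
$ns = 'root\subscription'
$usbEvents = @{ '__InstanceCreationEvent' = 9001; '__InstanceDeletionEvent' = 9002 }

function Install-UsbAudit {
    foreach ($class in $usbEvents.Keys) {
        $name = "UsbAudit$class"
        # Same WQL condition as the scripts above, one filter per event class
        $filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
            Name = $name; EventNamespace = 'root\cimv2'; QueryLanguage = 'WQL'
            Query = "select * from $class within 1 where TargetInstance ISA 'Win32_PnPEntity' " +
                    "and TargetInstance.Description='USB Mass Storage Device'"
        }
        # Consumer that only logs: event text carries the event class and the device's PnP ID
        $consumer = Set-WmiInstance -Namespace $ns -Class NTEventLogEventConsumer -Arguments @{
            Name = $name; SourceName = 'WSH'; Category = [uint16]0
            EventID = [uint32]$usbEvents[$class]; EventType = [uint32]4   # 4 = information
            NumberOfInsertionStrings = [uint32]2
            InsertionStringTemplates = [string[]]@($class, '%TargetInstance.PNPDeviceID%')
        }
        # The binding activates the pair; it survives reboots and needs no running script
        Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
            Filter = $filter; Consumer = $consumer
        } | Out-Null
    }
}

function Remove-UsbAudit {
    # Remove bindings first, then the consumers and filters they reference
    foreach ($c in '__FilterToConsumerBinding', 'NTEventLogEventConsumer', '__EventFilter') {
        Get-WmiObject -Namespace $ns -Class $c |
            Where-Object { $_.__PATH -match 'UsbAudit' } | Remove-WmiObject
    }
}

Install-UsbAudit
# Review what is now registered; any unexpected entry in this namespace deserves a look
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer
```

Run Remove-UsbAudit to delete the subscription again.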


MAC spoofing using windows platform

Every Network Interface Card (NIC) on any platform has a unique MAC address that is used to access Ethernet networks. The MAC address is hard coded by the network card manufacturer, and many security systems use it as a platform identity for network access permission. MAC spoofing is when an intruder or malicious software uses the MAC address of a platform with network permission rights instead of its own original address.

MAC address network access control
MAC address spoofing is quite an easy task for a potential intruder, especially when using the MAC address of network nodes that are inactive most of the time, like network printers and network time and attendance systems. This is the main reason for not using MAC address protection as a single network access control (NAC) mechanism, but instead combining multiple protection methods to create safe and reliable security protection, like the Lan-Secure Security Center and Lan-Secure Switch Center Protector network security scanners.

MAC address spoofing
There are some nice tools and drivers on the net that will change the MAC address of a specific platform to any other MAC address, but it can also be done easily on any Windows platform using the built-in Windows registry editor. Here are the steps needed to change a Windows platform's MAC address and gain access to the network with another platform's MAC address:

Changing MAC address
1. Open the Windows registry editor by clicking the Start button, selecting the Run command and typing “RegEdit”.
2. Open the registry folder HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.
3. Select the appropriate network card folder by viewing the data written in the folder's DriverDesc value.
4. In the network card folder, create a new String Value named NetworkAddress and set its data to the preferred MAC address, written as 12 hexadecimal characters in a row.
5. Reset the network card adapter by disabling and enabling the card from the Windows Network Connections control panel.
6. Use the Windows command IpConfig /all to verify the new network card MAC address.

Clearing MAC address
1. Open the Windows registry editor by clicking the Start button, selecting the Run command and typing “RegEdit”.
2. Open the registry folder HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.
3. Select the appropriate network card folder by viewing the data written in the folder's DriverDesc value.
4. Delete the String Value named NetworkAddress.
5. Reset the network card adapter by disabling and enabling the card from the Windows Network Connections control panel.
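Because the override lives in a single registry value, an administrator can audit a machine for it. The following added example (not part of the original article) lists every adapter folder under the class key above that carries a NetworkAddress value and compares it with the MAC address the adapter is currently using; the function name Get-MacOverride and the output column names are assumptions.

```powershell
# Added example, not from the original article: report adapters whose registry
# folder carries a NetworkAddress override. Get-MacOverride is a hypothetical name.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'

function Get-MacOverride {
    # Live adapter data, used to show the MAC address actually in use
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapter

    # Adapter folders are the four-digit subkeys (0000, 0001, ...); skip the rest
    Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $override = $_.GetValue('NetworkAddress')
            if ($override) {
                # NetCfgInstanceId in the folder matches Win32_NetworkAdapter.GUID
                $guid = $_.GetValue('NetCfgInstanceId')
                $live = $adapters | Where-Object { $_.GUID -eq $guid }
                $wanted  = ($override -replace '[-:]', '').ToUpper()
                $current = ($live.MACAddress -replace ':', '').ToUpper()
                [pscustomobject]@{
                    Folder     = $_.PSChildName
                    DriverDesc = $_.GetValue('DriverDesc')
                    Override   = $wanted
                    CurrentMac = $current
                    # False means the value is set but the adapter has not been reset yet
                    InEffect   = ($wanted -eq $current)
                }
            }
        }
}

# No output means no adapter on this machine has a NetworkAddress override
Get-MacOverride | Format-Table -AutoSize
```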


Welcome to Lan-Secure Blog

The Lan-Secure blog provides network security and management knowledge base information, including technical articles on how to improve network efficiency and reliability.
