Friday, 8 December 2017

Wake on lan (WOL) from Microsoft SCCM through Cisco Layer3 Switches

How to securely forward wake-on-lan packets from remote subnets through Cisco layer 3 switches

To facilitate software deployments, we need to wake PCs up from the deployment server. As the server uses directed broadcasts to the destination subnet, this fails in any reasonably secure network.

In our scenario, the SCCM server resides in VLAN10, while the destination PC lives in VLAN20. The SCCM server sends a "magic packet" to This packet will normally be discarded by the router / L3 switch.

To be a bit more obscure, we have choosen port 12287. During the tests it seemed like the packet needed to be allowed in several ways:

  1. explicitly enable forwarding for udp 12287
  2. explicitly allow such a packet on the ingress interface with an ACL
  3. explicitly allow the packet on the egress interface with an ACL
    (but I might be mistaken here. -> needs testing if it works without)

Despite the fact that we do use a Microsoft SCCM server, it's WOL function wouldn't work for us. We used a 3rd party WOL tool instead and schedule the wake-ups. Wolcmd could do that for you.

Friday, 1 December 2017

Some fun with bad-usb devices (not rubber ducky)

Some fun with Leonardo-like usb devices

No, it is not rubber-ducky.

I was looking for a cheaper alternative to the rubber ducky devices to use for a user security awareness training at the media company I work for.

Comprehensive video instructions >>>HERE<<<

mmmmh... Payroll data. Who could resist?
I found those USB devices resembling an ordinary thumb drive here:
At a little under 10€, it is a somewhat overpriced Leonardo without any useable GPIOs. But it perfectly serves my purpose.

From what I could see with Wireshark's USB sniffer, my devices came without anything malicious preinstalled. As expected, the device identified as an Arduino Leonardo board.

Being what it is, it can easily be programmed in the Arduino IDE.
Simply use it as a Leonardo board

 Some fun with Keyboard Emulation  
 Shuts down a windows machine after 20 seconds  
 // the following line may not be needed by current versions of the IDE  
 //#include "Keyboard.h"  
 //some definitions, I do not really use  
 char ctrlKey = KEY_LEFT_CTRL;  
 char winKey = KEY_LEFT_GUI;  
 char altKey = KEY_LEFT_ALT;  
 void setup() {  
  // we only need a keyboard for this prank...  
 void loop() {  
 // 20 seconds to load a new sketch  
 //Now run the shutdown command;'r');  
  Keyboard.print("shutdown /t 1 /f /s");  
  // wait forever...   
  while (true);  

This script works as expected and shuts down the PC. It could just as well start an Internet Explorer and visit a malicious web site.
Keep in mind that everything runs under the current user's privileges, so users without administrative privileges can only do limited damage.

It became very clear to everyone attending my training, that plugging in an USB device of unknows contents and origin is simply a bad idea.