Analysis and Evaluation of the Windows Event Log - Bill Buchanan

More documents

Recommendations

Info

C:\Documents and Settings\Barrie\My ...-aes\simpletcpserver-aes\Program.cs using System; using System.Collections; using System.Net; using System.Net.Sockets; using System.Text; using System.IO; using System.Security.Cryptography; using System.Xml; 1 public class SimpleTcpSrvr { public static void Main() { int recv; byte[] data = new byte[10240]; IPEndPoint ipep = new IPEndPoint(IPAddress.Any, 13000); Socket newsock = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); newsock.Bind(ipep); newsock.Listen(10); Console.WriteLine("Waiting for a client..."); Socket client = newsock.Accept(); IPEndPoint clientep = (IPEndPoint)client.RemoteEndPoint; Console.WriteLine("Connected with {0} at port {1}", clientep.Address, clientep. Port); string welcome = "You are connected to the server."; data = Encoding.ASCII.GetBytes(welcome); client.Send(data, data.Length, SocketFlags.None); //Generate random keys Console.Write("Generating new key pairs... "); int dwKeySize = 1024; RSACryptoServiceProvider RSAProvider = new RSACryptoServiceProvider(dwKeySize); string publicAndPrivateKeys = RSAProvider.ToXmlString(true); string justPublicKey = RSAProvider.ToXmlString(false); Console.WriteLine("Done!"); Console.Write("Sending public key to client... "); data = Encoding.ASCII.GetBytes(justPublicKey); client.Send(data, data.Length, SocketFlags.None); Console.WriteLine("Done!"); // Receive Encrypted Shared Key from Client data = new byte[10240]; recv = client.Receive(data); string encryptedKey = Encoding.ASCII.GetString(data, 0, recv); // Decrypt With Private Key RSAProvider.FromXmlString(publicAndPrivateKeys); int base64BlockSize = ((dwKeySize / 8) % 3 != 0) (((dwKeySize / 8) / 3) * 4) + 4 : ((dwKeySize / 8) / 3) * 4; int iterations = encryptedKey.Length / base64BlockSize; ArrayList arrayList = new ArrayList(); for (int i = 0; i < iterations; i++) { byte[] encryptedBytes = Convert.FromBase64String(encryptedKey.Substring (base64BlockSize * i, base64BlockSize)); arrayList.AddRange(RSAProvider.Decrypt(encryptedBytes, true)); } string decryptedKey = Encoding.UTF32.GetString(arrayList.ToArray(Type.GetType( "System.Byte")) as byte[]); // Assign values from XML string XmlDocument doc = new XmlDocument(); doc.LoadXml(@decryptedKey); XmlNode element = doc.SelectSingleNode("/AES/passPhrase"); string passPhrase = element.InnerText; element = doc.SelectSingleNode("/AES/saltValue"); string saltValue = element.InnerText; element = doc.SelectSingleNode("/AES/hashAlgorithm"); string hashAlgorithm = element.InnerText;
C:\Documents and Settings\Barrie\My ...-aes\simpletcpserver-aes\Program.cs element = doc.SelectSingleNode("/AES/passwordIterations"); int passwordIterations = Convert.ToInt16(element.InnerText); element = doc.SelectSingleNode("/AES/initVector"); string initVector = element.InnerText; element = doc.SelectSingleNode("/AES/keySize"); int keySize = Convert.ToInt16(element.InnerText); if(!(Directory.Exists("C:\\Logs\\" + clientep.Address))) Directory.CreateDirectory("C:\\Logs\\" + clientep.Address); 2 string logFile = "C:\\Logs\\" + clientep.Address +"\\EvtLog2.log"; TextWriter tsw; try { tsw = File.AppendText(logFile); } catch { tsw = new StreamWriter(@logFile); } tsw.WriteLine("Connected with {0} at port {1}", clientep.Address, clientep.Port); int myCount = 0; recv = 0; while (true) { data = new byte[10240]; recv = client.Receive(data); if (recv == 0) break; string encryptedMessage = Encoding.ASCII.GetString(data, 0, recv); string decryptedMessage = Decrypt(encryptedMessage, passPhrase, saltValue, hashAlgorithm, passwordIterations, initVector, keySize); decryptedMessage = "" + DateTime.Now + "" + decryptedMessage; myCount++; Console.Write(myCount + " "); tsw.WriteLine(decryptedMessage); client.Send(data, recv, SocketFlags.None); } Console.WriteLine("Disconnected from {0}", clientep.Address); tsw.WriteLine("Disconnected from {0}", clientep.Address); tsw.Close(); client.Close(); newsock.Close(); } static void writekey(string publickey) { StreamWriter fs = new StreamWriter("public.xml"); fs.Write(publickey); fs.Close(); } public static string Decrypt(string cipherText,string passPhrase,string saltValue, string hashAlgorithm,int passwordIterations,string initVector,int keySize) { byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector); byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue); byte[] cipherTextBytes = Convert.FromBase64String(cipherText); PasswordDeriveBytes password = new PasswordDeriveBytes(passPhrase,saltValueBytes, hashAlgorithm,passwordIterations); byte[] keyBytes = password.GetBytes(keySize / 8); RijndaelManaged symmetricKey = new RijndaelManaged(); symmetricKey.Mode = CipherMode.CBC; ICryptoTransform decryptor = symmetricKey.CreateDecryptor(keyBytes,initVectorBytes) ; MemoryStream memoryStream = new MemoryStream(cipherTextBytes); CryptoStream cryptoStream = new CryptoStream(memoryStream,decryptor, CryptoStreamMode.Read); byte[] plainTextBytes = new byte[cipherTextBytes.Length]; String plainText; try
Page 1 and 2:
Analysis and Evaluation of the Wind
Page 3 and 4:
Barrie Codona, BSc (Hons) Network C
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46: Barrie Codona, BSc (Hons) Network C
Page 75 and 76: Appendix A: Diary Sheets
Page 77 and 78: NAPIER UNIVERSITY SCHOOL OF COMPUTI
Page 85 and 86: Appendix B: Preliminary Gantt Chart
Page 87 and 88: Nov '07 Dec '07 Jan '08 Feb '08 Mar
Page 89 and 90: C:\Documents and Settings\Barrie\My
Page 95: Appendix D: Server Application Code
Page 99 and 100: Appendix E: Event Viewer Code
Page 105 and 106: Appendix G: Processor Monitor Code
Page 107 and 108: Appendix H: HMAC Brute Force Cracke
Page 113 and 114: Appendix I: Windows Event Log Tests
Page 115 and 116: Copy Security Log C:\windows\system
Page 117 and 118: Another look at the Security Log re
Page 119 and 120: The Event Service is then restarted
Page 121 and 122: Another look at the ‘c:\windows\s
Page 123 and 124: CO42019 - Project 4 Computer Name P
Page 125 and 126: CO42019 - Project 4 Turned off the
Page 127 and 128: CO42019 - Project 4 And then restar
Page 129 and 130: CO42019 - Project 4 Modify the ‘l
Page 131 and 132: CO42019 - Project 4 Project - Week
Page 137 and 138: CO42019 - Project 4 As previously d
Page 139 and 140: CO42019 - Project 4 The screenshot
Page 141 and 142: CO42019 - Project 4 Displaying the
Page 143 and 144: CO42019 - Project 4 Modifying the r
Page 145 and 146: CO42019 - Project 4 Master File Tab
Page 147 and 148:
CO42019 - Project 4 Modify the sect
Page 149 and 150:
CO42019 - Project 4 Sectors 3748520
Page 151 and 152:
CO42019 - Project 4 This now shows
show all

Analysis and Evaluation of the Windows Event Log - Bill Buchanan

Create successful ePaper yourself

Delete template?

Save as template?