Splunk & Active Directory Password Expiry
So the other day I was asked by our IT Helpdesk if I could send them an alert when a VIP user's password is close to expiring, so that they could proactively go through the laborious process of changing the password on multiple devices (a topic for another day).
Since it took me a bit of time to get it right, I thought I would share the search I used so that it might help someone else as well.
If you spot errors (which are quite easy to make when working with Active Directory timestamps), let me know so we can fix it for everyone.
The search uses "ldapsearch" of course, which is yet again a topic for another day, and assumes that your password expiry is set to 30 days and that you want to be warned 5 days before it expires.
It looks like this:
| ldapsearch domain=DOMAIN search="(&(objectCategory=user)(|(sAMAccountName=user1)(sAMAccountName=user2)))"
| eval pwd=strptime(pwdLastSet,"%Y/%m/%d %T")
| eval pwdExpires=pwd+(30*86400)
| eval pwdAge=round((now()-pwd)/86400,0)
| convert timeformat="%Y/%m/%d %H:%M:%S" ctime(pwdExpires) as pwdExpires
| table cn,description,userAccountControl,sAMAccountName,pwdLastSet,pwdExpires,pwdAge
| sort pwdExpires
| where pwdAge > 25
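To show what the search computes, and two cases it does not cover, here is an added Python example that is not part of the post: it works from the raw pwdLastSet FILETIME the directory stores (rather than the string the ldapsearch app renders), applies the post's 30-day policy and 25-day warning threshold, and additionally handles accounts whose userAccountControl says the password never expires and accounts with pwdLastSet = 0 (must change at next logon). The sample records at the bottom are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit UF_DONT_EXPIRE_PASSWD
MAX_PWD_AGE_DAYS = 30            # domain policy the post assumes
WARN_AT_AGE_DAYS = 25            # the post's "where pwdAge > 25" (5 days before expiry)

def filetime_to_datetime(filetime: int) -> datetime:
    """Raw pwdLastSet -> aware UTC datetime (what ldapsearch renders as a string)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample records."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def password_status(sam: str, pwd_last_set: int, uac: int, now: datetime) -> dict:
    """Compute the search's pwdExpires/pwdAge fields and decide whether to alert.
    Two cases the Splunk search does not handle:
      * DONT_EXPIRE_PASSWORD set -> the password never expires, so never alert
      * pwdLastSet == 0 -> user must change password at next logon, so alert now
    """
    base = {"sAMAccountName": sam, "pwdAge": None, "pwdExpires": None}
    if uac & DONT_EXPIRE_PASSWORD:
        return {**base, "alert": False, "reason": "password never expires"}
    if pwd_last_set == 0:
        return {**base, "alert": True, "reason": "must change password at next logon"}
    set_at = filetime_to_datetime(pwd_last_set)
    expires = set_at + timedelta(days=MAX_PWD_AGE_DAYS)
    age = round((now - set_at).total_seconds() / 86400)   # same rounding as the search
    return {**base, "pwdAge": age, "pwdExpires": expires.strftime("%Y/%m/%d %H:%M:%S"),
            "alert": age > WARN_AT_AGE_DAYS, "reason": f"password age {age} days"}

def expiring_accounts(records: list, now: datetime) -> list:
    """'| sort pwdExpires | where pwdAge > 25' over (sam, pwdLastSet, uac) tuples."""
    hits = [password_status(sam, pls, uac, now) for sam, pls, uac in records]
    return sorted((h for h in hits if h["alert"]), key=lambda h: h["pwdExpires"] or "")

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    sample = [  # constructed records; 0x200 is NORMAL_ACCOUNT
        ("user1", datetime_to_filetime(now - timedelta(days=27)), 0x200),
        ("user2", datetime_to_filetime(now - timedelta(days=10)), 0x200),
        ("svc_backup", datetime_to_filetime(now - timedelta(days=400)), 0x200 | DONT_EXPIRE_PASSWORD),
        ("newhire", 0, 0x200),
    ]
    for hit in expiring_accounts(sample, now):
        print(hit)
```

Accounts with the never-expires bit set would otherwise show up in the Splunk table every day once they pass 25 days, so filtering on userAccountControl is worth adding to the search as well.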
Thursday, 1 May 2014
Sunday, 20 April 2014
Installing Metasploit and Armitage on Mac OSX 10.9 Mavericks
Like most people out there, I have tried to install Metasploit and Armitage using other blog posts first and found that the process failed somewhere along the line.
This is yet another attempt to document my experience with the installation, that does borrow heavily from other sources, with a few minor tweaks.
Maybe, just maybe, this is the one that works for you too from start to finish....
Assumptions:
I assume that, like me, you have a pretty fresh Mac to do the installation on. This will probably fail spectacularly if you have MacPorts installed already, or have upgraded from a previous OSX version with Metasploit installed.
Metasploit Installation:
XCode:
- Install Xcode from the App Store; it's free
- Now it's imperative that you install the command line developer tools. On Mavericks it's done by running
The Xcode command line tools installation MUST complete successfully before you continue
MacPorts:
- Install MacPorts from http://www.macports.org/install.php
- After installation run
sudo port upgrade outdated
sudo port install nmap
sudo port install wget
Ruby and Friends (Ruby Version Manager):
curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby
After the installation of RVM, you often have to close the terminal and re-open it before you do the following:
rvm requirements
rvm install ruby-1.9.3-p448
rvm gemset create msf
rvm use ruby-1.9.3-p448 --default
source ~/.rvm/scripts/rvm
Ruby Gems:
gem install sqlite3 msgpack hpricot
PostgreSQL:
sudo port install postgresql93-server
gem install pg -v '0.16.0' -- --with-pg-config=/opt/local/lib/postgresql93/bin/pg_config
sudo gem install pg -v '0.16.0' -- --with-pg-config=/opt/local/lib/postgresql93/bin/pg_config
Yes, I did both a normal and a sudo install; it seemed to be needed on my system.
Create a database instance:
sudo mkdir -p /opt/local/var/db/postgresql93/defaultdb
sudo chown postgres:postgres /opt/local/var/db/postgresql93/defaultdb
Start the database server:
sudo su postgres -c '/opt/local/lib/postgresql93/bin/postgres -D /opt/local/var/db/postgresql93/defaultdb' &
To start the server automatically at boot time:
sudo launchctl load -w /Library/LaunchDaemons/org.macports.postgresql93-server.plist
Setup your PATH:
export PATH=/opt/local/lib/postgresql93/bin:$PATH
Create the user and database:
createuser msf -h localhost
createdb metasploitdb
Install Metasploit:
sudo su
mkdir -p /opt/
cd /opt
git clone https://github.com/rapid7/metasploit-framework.git msf
exit
export PATH=/opt/msf:$PATH
Configure the Metasploit Database:
echo 'export MSF_DATABASE_CONFIG=/opt/msf/database.yml' >> ~/.bash_profile
sudo vi /opt/msf/database.yml
Paste the following into the database.yml file
production:
  adapter: postgresql
  database: metasploitdb
  username: msf
  password:
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5
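As an added example that is not from the post, a small Python checker for the database.yml above: it parses the two-level layout Metasploit uses, flags the empty password and any non-loopback host, checks the file mode (the file holds the database credential and is created here with sudo vi, so it is worth confirming it is not world-readable), and fills in a password. The embedded config is a constructed copy of the one above; the parser assumes that indented layout and is a hypothetical helper, not a general YAML parser.

```python
import re
import stat

# Constructed copy of the post's database.yml (empty password, as in the guide).
WEAK_DATABASE_YML = """\
production:
  adapter: postgresql
  database: metasploitdb
  username: msf
  password:
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5
"""
LOOPBACK = ("127.0.0.1", "localhost", "::1")

def parse_database_yml(text: str) -> dict:
    """Parse the flat two-level layout above (environment at column 0, indented
    key: value lines below it). Not a general YAML parser; a hypothetical helper."""
    envs, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition(":")
        if not raw[0].isspace():        # environment header, e.g. "production:"
            current, envs[key.strip()] = key.strip(), {}
        elif current is not None:
            envs[current][key.strip()] = value.strip()
    return envs

def audit_database_yml(text: str) -> list:
    """Findings to clear before msfconsole, msfrpcd or Armitage use this credential."""
    findings = []
    for env, cfg in parse_database_yml(text).items():
        if not cfg.get("password"):
            findings.append(f"{env}: empty password for role {cfg.get('username')!r}")
        if cfg.get("host") not in LOOPBACK:
            findings.append(f"{env}: database host {cfg.get('host')!r} is not loopback")
    return findings

def mode_findings(mode: int, path: str = "/opt/msf/database.yml") -> list:
    """The file holds the DB credential; pass stat.S_IMODE(os.stat(path).st_mode)."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {oct(mode)} is readable by group/other; use chmod 600"]
    return []

def hardened(text: str, password: str) -> str:
    """Same config with the password filled in; every other line is left as is."""
    return re.sub(r"^(\s*password:).*$", lambda m: f"{m.group(1)} {password}", text, flags=re.M)
```

Whatever password you put in database.yml must also be set on the msf role in PostgreSQL, otherwise db_connect below will fail.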
Install Metasploit Bundles:
cd /opt/msf/
sudo bundle install
Create symlinks for Armitage:
sudo ln -s /opt/msf/msf* /opt/local/bin/
Run Metasploit!
cd /opt/msf
sudo msfconsole
See if you can connect to the database
msf > db_connect msf@metasploitdb
[*] Rebuilding the module cache in the background...
msf > db_status
[*] postgresql connected to metasploitdb
msf > workspace
* default
Armitage Installation:
Download and install Armitage
Click here to download Armitage for OSX.
Armitage should be installed the same way you would install any other OSX app. Open the DMG file, and drag the application to your Applications folder.
Download and install Java:
Apple is no longer developing its own version of Java, so it is recommended to use the Oracle version of Java, which can be downloaded and installed from http://www.java.com/en/download/mac_download.jsp?locale=en
You also need to install the JDK so you can run java from the command line:
http://download.oracle.com/otn-pub/java/jdk/7u55-b13/jdk-7u55-macosx-x64.dmg
Start Armitage and MSFRPCD:
Starting Armitage with sudo from the command line seems to work best, and also starts MSFRPCD for you.
sudo -E java -jar /Applications/Armitage.app/Contents/Java/armitage.jar