Monday, December 28, 2015

Bypassing Bastion Hosts

Have you ever wanted (i.e., needed) to install a piece of software on a client's resource (e.g., laptop) and couldn't because (a) their uber-paranoid security team locked it down, (b) it's too much effort to crack it open using devious methods, and (c), here's the kicker, you have an ethical (and contractual) obligation not to?  Me too!

It was one of those days I had some idle time for whatever the legitimate reasons were.  I was being bugged by a vendor to give their absolutely, positively, false-positive-free, error-free application security scanners a try.  But how could I?  After all, I barely had enough rights to even log in.

Off the top of my head I had an idea that seemed simple enough to try.  Sure, I could have come up with a dastardly social engineering scheme to be granted admin rights (REM the aforementioned boundaries), or an easier route would be to just install a virtual environment.  But that meant going back to the first problem statement, or does it? Can you say portable app?

Did you know that VMware Player is a portable application?  Knowing this dubious trick, I now have a way to set up a platform where I can pretend to be the almighty admin.  Now on to avoiding the next snare in our path: access to the installation image of a Microsoft Windows operating system.

Since the demise of my TechNet account, I could no longer just pop over and download what I wanted.  So that left me no other option, given I left my ISOs in my other pants pocket. And of course an idea popped into my head that essentially is a non-option option and something to avoid for all the obvious reasons.  Don't tell me you haven't done this one before: download "free" software from some nefarious website with a product key that had only a slight chance of actually working.  (Not to mention all of the "tag alongs"...)

Guess what I found?  Out of the goodness of Microsoft's heart (Yay Microsoft! Yeah I said it...), they provide VM images free of charge for just this sort of purpose.  Their actual intent is to give developers a test bed to run the various incarnations of the Internet Explorer browser against their web site.  What they actually gave us is a fully functioning operating system that happens to have the browser installed.  The only downside: it expires after 90 days.  But for my purposes this was 89 more days than I needed.

And at the time this blog was written, it's available without having to give up any of your personal information.  You know the drill: register, wait for creds, check your email and then log in.  (In reality, you probably already provided all of your personal information just by visiting their site.)  Not paranoid much, just saying...

The URI is:

Check here to go to https://dev.windows.com/en-us/microsoft-edge/tools/vms/windows/

You might also want to check out their scanner that is supposed to help you find what configuration settings are missing.

Check here to go to https://dev.windows.com/en-us/microsoft-edge/tools/staticscan/

[BTW, if you didn't first peek at the link to where the URI is taking you, you're doing it wrong.]

Also, here is a list of websites to test the vendor's fabulous guaranteed-not-to-fail tool against. A couple of lists to choose from:

https://www.vulnhub.com/
http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html

Google, (yes I said Google, the source of all evil, oh wait isn't that Microsoft?) if you don't like the choices I've provided.

The rest is pretty straightforward.  See Dick install, see Jane configure, see Spot install and configure blindfolded with one paw tied behind his back, now run.  Because the dog can apparently kick your butt.
