krypted.com

Tiny Deathstars of Foulness

Here ya’ go!

netsh advfirewall firewall add rule name=”KryptedWebhook” dir=in protocol=tcp localport=8443 profile=private remoteip=any action=allow

Wait, what’s that?!?! Let’s break down the options I used here:

  • advfirewall: Yup, it’s the new firewall.
  • firewall: Yup, it’s a firewall.
  • add: I’m adding a new rule. I also could have used delete along with the rule name and removed one. Or show to see one. Or set to augment one.
  • rule: It’s all about rules. Each rule allows for a port and/or an action.
  • name: Every rule needs a unique name. Namespace conflicts will result in errors. If programmatically creating rules, I’ve found it undesirable to use a counter and instead moved to using GUIDs and a hash table.
  • dir: The direction traffic is flowing. In is for incoming traffic or out would be to block outgoing traffic.
  • protocol: Use the protocol, typically tcp or ump, but if pings, might be one of the icmps.
  • localport: The port that is being used (there’s also a remoteport operator for reflections).
  • profile: I mostly use profile of private.
  • remoteip: Set to any but could be set to a given IP for increased security (yes, I know people can spoof these – so your version of the word might be different.
  • action: I used allow, but could have been block (which denies traffic) or bypass.

For further security, I might add a security operator, to allow for an authentication string. You can

You might also need to allow traffic for a given app. To do so, let’s add a rule that does so, the only option for which not mentioned above is program, which is the path to the binary we’re allowing:

netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\kryptedscripts\kryptedcompiledwebapp.exe" enable=yes

To then see the rules and validate that your rules were indeed installed, use:

netsh advfirewall firewall show rule name=all

The reason I call this quick and dirty is that I’m really only covering a small subset of options. Additionally, it would be a bit more modern to do this via powershell using New-NetFirewallRule or one of the many, many other commandlets, such as Copy-NetFirewallRule, Enable-NetFirewallRule, Disable-NetFirewallRule, Get-NetFirewallAddressFilter, Get-NetFirewallApplicationFilter, Get-NetFirewallInterfaceFilter, Get-NetFirewallInterfaceTypeFilter, Get-NetFirewallPortFilter, Get-NetFirewallRule, Get-NetFirewallSecurityFilter, New-NetFirewallRule, Open-NetGPO (cause you can configure the firewall through a GPO), Remove-NetFirewallRule, Rename-NetFirewallRule, Save-NetGPO, Set-NetFirewallRule, Set-NetFirewallSetting, and Show-NetFirewallRule.

January 27th, 2017

Posted In: Windows Server, Windows XP

Tags: , ,

One of the easiest things to do in OS X is to remotely run an installation package using the installer command. You can do some similar tasks in Windows, although the commands aren’t quite as cut and dry. The Start-Process command can be used to kick off an executable. Here, we will kick off the msiexec.exe and feed it an argument, which is the msi file to install silently. We’ll then wait for it to complete:

{Start-Process -FilePath "msiexec.exe" -ArgumentList "/i TEST.msi /qb" -Wait -Passthru}

August 19th, 2015

Posted In: Windows Server, Windows XP

Tags: , , , , ,

In Windows 10, Microsoft has finally baked a package manager called OneGet into Windows. It works similarly to apt-get and other package managers that have been around for decades in the Linux world; just works in PowerShell, rather than bash. So let’s take a quick peak. First, import it as a module from a PowerShell prompt:

Import-Module -Name OneGet

Next, use Get-Command to see the options for the OneGet Module:

Get-Command -Module OneGet

This will show you the following options:

Find-Package
Get-Package
Get-PackageProvider
Get-PackageSource
Install-Package
Register-PackageSource
Save-Package
Set-PackageSource
Uninstall-Package
Unregister-PackageSource

Next, look at the repositories of package sources you have:

Get-PackageSource

You can then add a repo to look at, using Register-PackageSource. Or, we’ll just fire away at locating our first package, Acrobat:

Find-Package -Name AdobeReader

Or you could pipe that output to the Install-Package option:

Find-Package -Name AdobeReader | Install-Package

Or Firefox, verbosely:

Install-Package -Name Firefox -Verbose

Or ASP.NET MVC silently (using -Force):

Install-Package Microsoft.AspNet.Mvc -Force

In some cases, you can also use the -Version option to define a specific version, which is why I ended up writing this in the first place – swapping between versions of asp has been a bit of a pain since the introduction of its first update, it seems…
PowerShell logo

February 26th, 2015

Posted In: Windows Server, Windows XP

Tags: , , , , , , , , , , , , , ,

A few people have hit me up about issues getting Windows machines to play nice with the SMB built into Yosemite Server and Windows. Basically, the authentication dialog keeps coming up even when a Mac can connect. So there are two potential issues that you might run into here. The first is that the authentication method is not supported. Here, you want to enable only the one(s) required. NTLMv2 should be enabled by default, so try ntlm:

sudo serveradmin settings smb:ntlm auth = "yes"

If that doesn’t work (older and by older I mean old as hell versions of Windows), try Lanman:

sudo serveradmin settings smb:lanman auth = “yes"

The second is that the authentication string (can be seen in wireshark) doesn’t include the workgroup/domain. To resolve this, simply include the Server name or workgroup in the beginning of the username followed by a backslash(\). So you might do this as a username if your NetBios name were kryptedserver:

kryptedserver\charles

To get that exact name, use serveradmin again, to look at the smb:NetBIOSName attribute:

smb:NetBIOSName = "kryptedserver"

November 4th, 2014

Posted In: Mac OS X Server, Windows Server, Windows XP

Tags: , , , , , , , , ,

There are a number of tools available for using Syslog in a Windows environment. I’ll look at Snare as it’s pretty flexible and easy to configure. First download the snare installation executable from http://sourceforge.net/projects/snare. Once downloaded run the installer and simply follow all of the default options, unless you’d like to password protect the admin page, at which point choose that. Note that the admin page is by default only available to localhost.

Once installed, run the “Restore Remote Access to Snare for Windows” script.

Screen Shot 2014-04-10 at 10.56.43 AM

Then open http://127.0.0.1:6161 and click on Network Configuration in the red sidebar. There, we can define the name that will be used in syslog (or leave blank to use the hostname), the port of your syslog server (we used 514 here) and the address of your syslog server (we used logger here but it could be an IP or fqdn).

Screen Shot 2014-04-08 at 10.58.04 AM

 

Once you have the settings you’d like to use, scroll down and save your configuration settings. Then, open Services and restart the Snare service.

Screen Shot 2014-04-08 at 10.56.22 AM

Then run the Disable Remote Access to Snare for Windows option and you’re done. Now, if you’re deploying Snare across a lot of hosts, you might find that scripting the config is faster. You can send the Destination hostname (here listed as meh) and Destination Port (here 514) via regedit commands (Destination and DestPort respectively) and then restart the service.

Screen Shot 2014-04-08 at 10.56.51 AM

I’ll do another article at some point on setting up a logstash server to dump all these logs into. Logstash can also parse the xml so you can search for each attribute in the logs and with elasticsearch/hadoop/Kibana makes for an elegant interface for parsing through these things.

April 13th, 2014

Posted In: Active Directory, Windows Server, Windows XP

Tags: , , , , , , ,

You have a lot of boxes. You would like to be able to parse through the logs of all those boxes at the same time, searching for a given timestamp across a set of machines for a specific string (like a filename or a port number). elasticsearch, logstash and kibana are one way to answer that kind of need. This will involve downloading three separate packages (which for this article, we’ll do in /usr/local) and creating a config file.

First, install the latest Java JDK. This is available at jdk8-downloads-2133151.html.

The following is going to download the latest version of logstash and untar the package into /usr/local/logstash (I like nesting that logstash-1.4.0 inside logstash so when the next version comes out I can have it there too, I have plenty of space so keeping a couple versions back helps in the event I need some old binary and can’t get to it ’cause they revved out the version I wrote a script against at some point):

curl -O https://download.elasticsearch.org/logstash/logstash/logstash-1.4.0.tar.gz
mkdir /usr/local/logstash
tar zxvf logstash-1.4.0.tar.gz -C /usr/local/logstash

Once we have log stash, we’ll grab elastic search similarly:

curl -O https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.0.1.tar.gz
mkdir /usr/local/elasticsearch
tar zxvf elasticsearch-1.0.1.tar.gz -C /usr/local/elasticsearch

Then we’ll untar kibana in the same manner:

curl -O https://download.elasticsearch.org/kibana/kibana/kibana-3.0.0.tar.gz
mkdir /usr/local/kibana
tar zxvf kibana-3.0.0.tar.gz -C /usr/local/kibana

Next we’ll make a very simple config file that we call /usr/local/stashbox.conf that listens on port 514 for syslog:

input {
tcp {
port => 514
type => syslog
}
udp {
port => 514
type => syslog
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
}

Next, we’ll enable elastic search:

/usr/local/elasticsearch/elasticsearch-1.0.1/bin/elasticsearch

And finally, in a different window we’ll call logstash with that file as the config file:

/usr/local/logstash/logstash-1.4.0/bin/logstash -f /usr/local/stashbox.conf

Having each of these open in different Terminal windows allows you to see logs in stdout. Next, point a host at your new syslog box. You can use http://krypted.com/windows-server/use-syslog-on-windows for installing Windows clients or http://krypted.com/mac-security/redirect-logs-to-a-syslog-server-in-os-x/ for  a Mac. Once done, let’s get Kibana working. To do so, first edit the config.js.

vi /usr/local/kibana/kibana-3.0.0/config.js

Locate the elastic search setting and put the name of the host running logstash in there (yes, it can be the same as the actual logstash box as long as you install a web server on the logstash box). Then save the changes.

Now move the contents of that kibana-3.0.0 folder into your web directory. Let’s say this is a basic OS X Server, that would be:

cp -R /usr/local/kibana/kibana-3.0.0/* /Library/Server/Web/Data/Sites/Default/

You can then check out your Kibana site at http://localhost or http://localhost/index.html#/dashboard/file/logstash.json for the actual search pages, which is what I’ve bookmarked.

Screen Shot 2014-04-10 at 10.37.51 PM

For example, to see the impact of periodic scripts in System Logs:

Screen Shot 2014-04-12 at 9.07.44 AM

 

April 11th, 2014

Posted In: Active Directory, Mac OS X, Mac OS X Server, Microsoft Exchange Server, Network Infrastructure, Ubuntu, Unix, VMware, Windows Server

Tags: , , , , , ,

Pretty much every operating system has a hosts file. In that file, you can define a hostname and then set a target IP. In Windows, that file is called hosts.txt and located in %systemroot%\system32\drivers\etc\.

By default, that %systemroot% is going to be C:\Windows. This makes the path to the file C:\Windows\system32\drivers\etc\hosts.txt.

By default, you’ll see the following:

127.0.0.1 localhost loopback
::1 localhost

When you edit the file, add a new line with the IP address then a tab then the hostname that you’d like to be able to ping to get the address in question. For example, to add server.krypted.com to point to 192.168.210.210, you’d add some lines to make it look as follows:

127.0.0.1 localhost loopback
::1 localhost
192.168.210.210 server.krypted.com

Then save and try pinging the host:

ping server.krypted.com

April 2nd, 2014

Posted In: Windows Server, Windows XP

Tags: , , , , ,

I recently needed to check and see whether a backup drive (which was just a 4TB USB drive) was plugged into a server. But the server had no GUI, so I had to use the command line. There was no drive letter mapped to this drive, so I needed to use something else and I needed to make a script that could be used long-term. Luckily, PowerShell can be used to obtain WMI information on the hardware installed on a computer. This allows administrators to query WMI about the USB devices currently installed on a server. In the following command, we’re going to use gwmi from PowerShell and we’re going to query
for Win32_USBControllerDevice. We’re going to run the command against the computer name in question (example here is host.krypted.com although if we left the -computername option off it would run against the host the command is run on).

Get-WMiObject Win32_USBControllerDevice -computername host.krypted.com | fl Antecedent,Dependent

This will apply a filter, similar to using grep in bash. That filters only the antecedent and dependent fields from the host.krypted.com computer. You could also remove the pipe and pull a full export, but if I’m using this in a script the less data to parse the better. If you think of WMI as containing a big tree about the hardware installed, the filter for Antecedent brings back what must be running in order for the drive to be present and the Dependent returns those that are dependent on the drive.

You can also obtain a lot more information through WMI. For example, you can pull information from any of the WMI classes, such as win32_bios

Get-WmiObject win32_bios -computername host.krypted.com

Note, you can derive properties and methods for a given class by using the get-member commandlet:

Get-WmiObject win32_bios | get-member

Once you know which property you need, you can then parse the information a little further to get a very specific answer:

get-wmiobject win32_bios -computername host.krypted.com | Select-Object displayname

Finally, you can shorten this by replacing the Get-WmiObject commandlet with gwmi, which is an alias for that command. Test it out, if you like:

gwmi win32_bios | get-member

March 28th, 2014

Posted In: Windows Server, Windows XP

Tags: , , , ,

You always want to stop a process gracefully. However, sometimes it’s just not possible to do so. Sometimes, you have to kill a process. Sometimes you have to end a process or a process tree when you can’t restart them gracefully.

To stop a process in Linux and Mac, use the kill command. In Windows, there’s a Powershell cmdlet called Stop-Process that enables you to terminate a process. As with kill, just add the process ID at the end of the command. For example, to stop process 318:

Stop-Process 318

Or you can stop based on the name of the process using the -processname option. For example, to kill a process called minesweeper:

Stop-Process -processname minesweeper

Note: You can include wildcards in these commands as well.

Be careful what you wish for. The reason you’d kill a process rather than reboot is that you don’t want to reboot because other processes are working out just fine. You can always kill a process, but some will reboot your boxen.

Finally, there’s also taskkill.exe, which can be used as well:

taskkill.exe /F /IM minesweeper.exe /T

February 6th, 2014

Posted In: Active Directory, Microsoft Exchange Server, Windows Server, Windows XP

Tags: , , , , ,

I’ve written plenty about exporting mailboxes from Exchange. But what if you need to perform a selective import into Outlook? This is helpful for importing mail in date ranges, using an import to search for terms (common with litigation holds) and importing contacts and calendars.

To get started, click Open from the File ribbon.

Screen Shot 2014-02-03 at 10.51.01 AM

When prompted, click on Import/Export.

Screen Shot 2014-02-03 at 10.51.11 AM

At the Import and Export Wizard screen, click on “Import from another program or file”

Screen Shot 2014-02-03 at 10.51.27 AM

At the “Import a File” screen, click on “Outlook Data File (pst)”

Screen Shot 2014-02-03 at 10.51.41 AM

 

At the Import Outlook Data File screen, choose the mailbox to import into and then click on the Filter button. Using the filtering options, you can choose to import based on date ranges, using search terms, selecting specific folders or a combination of all of these.

February 4th, 2014

Posted In: Microsoft Exchange Server

Tags: , , , , , , , ,

Next Page »