Author Archives: paularquette

Re-Joining Twitch.TV In The Hopes of Further Knowledge Sharing

I have changed my username on Twitch, and I’m hoping to start being more active on the platform. While I have gathered a lot of knowledge from high school and college, most of my recent knowledge has come from colleagues and/or other prominent folks in the IT Community that give back.

I’m hoping to start using the channel once a week and plan out what the topics of discussion will be at the end of the month for the next month. If I can get going fast enough, I’m hoping to start this in February and will be posting a schedule for February soon! I’m tentatively thinking Thursday nights in the Eastern Time Zone, USA. I’m hoping to maybe try to fill at least a half-hour of content. I’ll plan to let Twitch record so if you can’t make it you can watch the recording.

Topics for discussion will range anywhere from:

  • Lessons Learned From Working in IT
  • VMware Administration
  • Active Directory Administration
    • Federated Services
    • Certificate Services
    • Group Policy
    • Security
  • Powershell Concepts & Scripting
  • Information Security Concepts
  • Palo Alto PanOS
  • Windows Server Concepts
  • Linux Server Concepts
  • The art of Googling to keep your technology job
  • Cool projects I am working on or have worked on
  • Locking down your home network

Feel free to join me over on Twitch at BlameTheFirepaul

Windows Server 2022 Core – Failed to release DHCP lease

There appears to be a bug in Server Core 2022 in regards to changing the network settings through “sconfig”.

I’m deploying a new server from template in vCenter and by default it drops onto a private network with DHCP. The first thing I will do is go edit the settings of the VM and drop it on the proper network. After the VM is properly configured I will then go through “sconfig” to reset the IP to a static IP.

In “sconfig” you punch in number “8” for “Network Settings” and select “1” for the only NIC in the machine and you will be at the following prompt:

Here you will select “1” for 1) set network adapter address.

Then select “S” for (S)tatic IP Address.

Follow the on-screen prompts to enter IP, Subnet Mask, and Default Gateway. It is here you may be prompted with the error.

Setting NIC to static IP…

Failed to release DHCP lease.

Result code: 83

Method name: ReleaseDHCPLease

If you run into this issue you can enter “15” on sconfig and drop to Powershell. You can then run the following commands:

Get-NetAdapter

This will provide the NICs and more importantly the “Name” field which will be needed below

Remove-NetIPAddress -InterfaceAlias Ethernet0 -confirm:$False

Even after getting this far you may still not be able to assign the IP through “sconfig” in which case you can do it with Powershell.

New-NetIPAddress -InterfaceAlias Ethernet0 -IPAddress 172.16.1.2 -PrefixLength 24 -DefaultGateway 172.16.1.1

You can now launch “sconfig” go back to “8” Network Settings and configure your DNS servers.

Monitoring Domain Controller Windows Firewall Logs (Part of Active Directory Hardening Series)

The first step before you can monitor the local DC firewall logs is to make sure you have properly setup your domain controllers to log firewall activity. If you have not already turned on firewall logging and increased the log size to the maximum you can configure that by looking at my prior post: https://paularquette.com/lock-down-your-active-directory-domain-controllers-internet-access-part-of-my-active-directory-hardening-series/

I have shared a new script on GitHub to do some basic monitoring of dropped traffic on your Domain Controllers. https://github.com/paularquette/Active-Directory/blob/main/AD_Monitor_DC_Firewall_Logs.ps1

I currently run this script every hour and I get plenty of overlap for logs. The logs roll relatively quick but not that quick. I’m also logging all allows and I may change that in the future to only log drops.

In order to see dropped traffic outbound you would have to have outgoing firewall rules in place. By default traffic is not blocked going out. You can reference my previous post linked above.

In the example below you can see I’m limiting all TCP/UDP outbound traffic on Non HTTP ports to a certain subset of IP ranges:

If this Domain Controller tries to send any NON-HTTP(s) traffic outside of the organization it will show up in the DC firewall logs.

Example of HTML Report:

If your IT Security group has the hardware firewalls super locked down you may not see much if any traffic being dropped on the local DCs, but it still isn’t a bad idea to have another layer of security around such a high profile service!

Changing vCenter Authentication [AD over LDAP(s)]

For reference we already had our linked vCenter talking to Active Directory over LDAPS. However, we are currently in the process of migrating all of our VMs over to new hardware. When we tried to move the main Active Directory server providing authentication to vCenter, lets just say it was not happy.

Upon trying to enter into the Identity Sources and update the server(s) manually on the Identity Source that was already being used we received the following message: “Check the network settings and make sure you have network access to the identity source”.

It was not found until after doing some Googling that you have to remove your current running Identity Source in order to make changes. In other words delete the current identity source and add a “new” one in order to make the changes you want to make.

This just seems bad.

However, after doing a lot of testing in our TEST environment I could not seem to run into any snags. If you login with administrator@vsphere.local and delete and then immediately re-add the identity source back with the same domain name, alias, etc, there does not seem to be any issues. All of your permissions on objects defined with AD groups will remain.

I used the method listed in this VMware KB for grabbing the certificates I needed for both the Primary and Secondary Active Directory Servers. (https://kb.vmware.com/s/article/2041378).

Lock down your Active Directory Domain Controllers internet access! (Part of my Active Directory Hardening Series)

If you want to follow the Security Technical Implementation Guide (STIG) for Active Directory you will come across V-53727, AD.0015, stating that internet access should be restricted. If you ask Microsoft what you should do, they also state internet access should be restricted but provide no clear mechanism to do so.

(https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack#blocking-internet-access-for-domain-controllers)

What is the best way to turn off browsing the internet on Domain Controllers that doesn’t involve contacting your Information Security team? I’m glad you asked. I’m going to walk you through the process I’ve put forward to implement locked down Windows Firewall rules on the Domain Controllers.

There may be criticism here that things could be locked down even more, and I DO NOT disagree with you. This article is more about getting started on locking down your Domain Controllers not the solve-all be-all guide. This write-up is one of many I hope to include in a Domain Controller Hardening Series.

NOTE: These Firewall Rules May Not Work For Your Organization! We are not running DHCP, WINS, or Integrated AD DNS. We also have RPC dynamic ports locked to 1,000 ports.

For changing RPC ports on the Domain Controllers, I followed this article:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-rpc-dynamic-port-allocation-with-firewalls

Create Group Policy and link it to Domain Controllers OU for Firewall Rules
(Set the scope to one DC if you are worried)

In this Group Policy, open it up and edit it and navigate to the following area:

  1. Computer Configuration
  2. Policies
  3. Windows Settings
  4. Security Settings
  5. Windows Firewall with Advanced Security

If you are implementing changes like this in a TEST environment which I highly recommend first and you happen to be connected to one of the DCs to do this work you will want to perform the following things first to prevent being disconnected.

These Domain Controllers should be behind a hardware firewall, so leaving all remote addresses set to ANY while you configure, you should still have protection from your hardware firewall until you can go through rule-by-rule and lock them down. I’m not providing any guidance here as all organizations are different.

Go to Inbound Rules and create your base ruleset.

Rule NameProtocolLocal Port
Active Directory Web ServicesTCP9389
NetBIOS Session ServiceTCP139
ICMPv4ICMPv4ANY
ICMPv6ICMPv6ANY
KerberosTCP88
KerberosUDP88
Kerberos Password ChangeTCP464
Kerberos Password ChangeUDP464
LDAPTCP389
LDAPUDP389
LDAP Global CatalogTCP3268
LDAPSTCP636
LDAPS Global CatalogTCP3269
NetBIOS Name ServiceTCP137
NetBIOS Name ServiceUDP137
NetBIOS Datagram ServiceUDP138
NTPUDP123
Remote Desktop ProtocolTCP3389
Remote Desktop ProtocolUDP3389
RPC Endpoint MapperTCP135
RPC Dynamically Assigned PortsTCP Example: 50000-51000
SMBTCP445
Windows Remote Management (WinRM)TCP5985-5986
These are created on ALL profiles

Go to Outbound Rules and create your base ruleset.

Rule NameRemote AddressProtocolLocal PortRemote Port
Allow ICMPv4, ICMPv6 OutboundAnyICMPv4/ICMPv6ANYANY
Allow All Traffic Outbound (TCP)AnyTCPANY1-79,81-442,444-65535
Allow All Traffic Outbound (UDP)AnyUDPANY1-79,81-442,444-65535
Allow Outbound Web Traffic Exceptions<IPs> Crowdstrike, PKI, etc.TCPANY80, 443
Allow Outbound Web Traffic Exceptions<IPs> Crowdstrike, PKI, etc.UDPANY80, 443
These are created on ALL profiles

By default Windows Firewall will allow all traffic outbound. These outbound rules are needed because I’m going to change the behavior to block traffic outbound by default and then put in an exception to most traffic out.

This is done to stop web traffic outbound on ports 80/443, except for the IPs we know are OK (for example Crowdstrike, or PKI services). You could and should argue that outbound traffic should be limited to your workplace but I’m not covering that level of specifics in this guide.

Right-Click “Windows Firewall with Advanced Security – LDAP://…” and click Properties.

Make sure the Firewall State is “On”, and Inbound Connections are set to “Block (default)” and Outbound Connections are set to “Block”. Verify these settings for all three Domain Profiles (Domain, Private, Public).

Next, while still in this dialog box under “Domain Profile” click Customize under Settings. I have turned off displaying a notification when a program is blocked. I have also disallowed rule merging. By turning off Rule Merging you will remove a lot of the “garbage” Microsoft Firewall Rules that are created by default. This will allow you full control of the Windows Firewall.

Next, click “Customize” under Logging, on the Domain Profile tab. Here, I’m using the default log location:
%systemroot%\system32\logfiles\firewall\pfirewall.log

I’ve also maximized the firewall log to 32MB, and I’m logging dropped packets and successful connections, this is needed for troubleshooting later.

Once this is complete you should be able to to run “gpupdate /force” on one of your Domain Controllers and launch Windows Firewall. The Windows Firewall current rules that are being enforced are found under “Monitoring -> Firewall”

You should see all of the rules that you setup enforced and you can now begin to lock down things potentially even more-so than the hardware firewall depending on your IT Security team.

This should be enough to get you started on your journey. If you have a close relationship with your IT Security Team, it would also be good to reach out to them and get their rule-set for your Domain Controllers. You may find that you can help IT Security lock down the hardware firewall even more!

PrintNightmare – [0Day] Windows Critical Vulnerability

I had been watching Twitter all day yesterday and amongst all the #infosecbikini photos filling up InfoSec Twitter there was mention of this critical Windows vulnerability. At first it sounded like the June patches would protect you, then Twitter seemed to lose faith that was the case.

The US Cybersecurity & Infrastructure Security Agency (CISA) released the following notice the evening of June 30, 2021. (https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability)

It has been recommended to disable the Windows Print spooler service on Domain Controllers and any systems that do not print.

EDIT: As of writing this entry the best workaround I have been able to find if you need to keep print services running is here: https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

EDIT 2: Microsoft has finally responded: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

EDIT 3: CISA put out emergency directive: https://cyber.dhs.gov/ed/21-04/

For your meme viewing pleasure:

Extending Volumes in Windows Server Core

If you add space to a Windows Server Core hard disk in a virtual platform like VMware and need to extend the disk in the Operating System you will have to complete it all via command line.

Step 1

Add the space to the hard drive in your virtualization platform

Step 2

Login to the server and launch diskpart. You can then issue the command “list disk” to see which disks are on the system and which ones have free space.

Step 3

Type in “Select Disk <number>” in order to choose the disk you want to modify. You can then issue the command “List Volume” to provide the volumes on that disk in order to find the volume you want to expand.

Step 4

As you can see from the image in “Step 2”, we have 100GB that is listed as “Free”. We want to add that free space to the currently large volume, which you can see from “Step 3” is listed as “Volume 2”.

Type in “select volume <number>” and then type in “extend” in order to extend the volume for the full length that we can.

Running another “list volume” should show that the volume size is now increased to 199GB.

Adding a UPN Suffix to Active Directory

Have you recently setup a Test Active Directory and are using it to test out your scripts but you quickly realized that the alternate UPN suffixes that you forgot you didn’t create aren’t there?

Or.. maybe you just haven’t done this in forever like myself and had to Google how to add a UPN suffix to AD.

Well if either or none of those cases match why you are reading this right now, no need to worry, I’ll tell you anyway.

Adding UPN Suffix to Active Directory

Launch Active Directory Domains and Trusts and right-click on “Active Directory Domains and Trusts [dc.domain] at the top of the left pane and click Properties.

On the next window, add the alternate UPN suffixes you want added.

You will now see these UPNs available in the drop-down menu when you create a new user account, or modify an already existing one.

HackTheBox Writeup for “Lame”

This is my first official writeup for a machine on HackTheBox

I’m trying to get better at my report writing as well as just documentation in general. I have many machines that I have pwned on HackTheBox but very little or no notes to show for it.

I’m digging into the retired boxes that I’ve previously hacked and putting together much better documentation for the process I used to hack them by re-hacking them and sharing my thought process.

LAME:

The first thing I notice on an nmap scan is FTP is open with anonymous login allowed. This is where I decided to start.

A Google search will point you to a major backdoor in this version where you just have to send a smiley face : ) in the username during login in order to trigger the backdoor on port 6200.
https://westoahu.hawaii.edu/cyber/forensics-weekly-executive-summmaries/8424-2/

The article above provides both the manual way to exploit this vulnerability and the Metasploit way. However, I could not get the Metasploit module to trigger and I could not seem to trigger the exploit manually. I also tried to login to the ftp server to see if I could do anything and found my rights limited… So, I’m moving on.

The next thing I decided to check was SMB, which is running version 3.0.20 according to nmap. Googling this version does provide potential exploits. The first exploit I find is a Rapid 7 article called “Samba username map script” for a Metasploit module called “usermap_script”

https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script/

I start up Metasploit with the command “msfconsole” and find the module that is specified in the link above and “show options” so I can see what the required parameters are.

There are two options that we need to change. RHOSTS needs to be the IP address of the machine you are attacking, and LHOST needs to be the VPN connection of your local system. The LHOST value is needed so Metasploit can properly connect a reverse shell back to your system. After setting these values we are ready to attempt an exploit.

You will see the exploit does properly fire off and although it doesn’t look like we have a shell you can type in a command and see that you really do.

There is not even any privilege escalation needed for this box, this exploit gives you ROOT. You will find the root.txt flag file under /root, and looking under /home you will find a user account name makis that contains a user.txt (/home/makis).

Server 2012R2 in place upgrade to Server 2019 on VMware

I’m personally not a fan of in place Microsoft Server upgrades but I suppose they have their time and place.

Since many of our 2012R2 servers are from the 5.1 and 5.5 days of VMware many of them are still running Virtual Hardware v9. This hardware version needs to be upgraded to perform the OS upgrade.

I was able to successfully re-create the issue with an upgrade of a clean 2012R2 install on v9 hardware. After the first reboot you will get stuck at the black screen with blue window, with no circle running underneath. I let this run for two full days (48 hours) before cancelling it.

After cancelling it and resetting the VM, you will be given the following error message:

We couldn’t install Windows Server 2019

We’ve set your PC back to the way it was right before you started installing Windows Server 2019.

0xC1900101 – 0x20017

The installation failed in the SAFE_OS phase with an error during BOOT operation

VMware generally states that you shouldn’t upgrade the VM hardware version unless there is a need. In this case there is a need.

My recommendations would be to do the following:

  1. Shut down the VM you want to perform an in place upgrade on
  2. Take a snapshot with the VM off
  3. Upgrade the Virtual Machine hardware version (We went to v15)
  4. Power on the VM, mount the ISO, run the upgrade

This process seems to be working for us, and although this may be a no-brainer, I’m putting it out there for the search engines to index in case it does help someone.