Category Archives: Workstation Fixes

Increase BitLocker cipher strength to AES 256 | Plus automated drive dismounting!

BitLocker is good. I'm not going to say great, but good enough to get the job done: it gives users a reasonably safe encryption suite built right into Windows that will keep your files (when implemented properly) out of the hands of people who want access to your PC or laptop. Mileage may vary when dealing with government entities.

However, did you know that BitLocker has several settings that can be configured to increase its overall security? If you are using the default settings, take a look below:

Problem: How do I set BitLocker up to be more secure?

Solution: Raise the cipher strength.
Before I show you how, I want to make something clear. Assume everything you encrypt can be decrypted; it is just a matter of time and resources. This does not mean don't encrypt. It means encryption only buys you time: nobody brute-forces AES itself, but a government entity, or a passionate individual with a 32 GPU cluster and a vendetta, goes after the weakest link instead, which is usually the password, PIN or recovery key that protects the volume key. A stronger cipher helps; a weak unlock method undoes it.

Either way, more security is better than none at all. Back on task!

First we need to set the cipher strength. This policy only applies to volumes encrypted after it is set, so if you have already encrypted the drive you will need to decrypt it and encrypt it again. Open gpedit.msc with Start > Run > gpedit.msc.

Once you have it open, expand the following tree:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

Here you will see various options, but the one we want is: Choose drive encryption method and cipher strength. Set it to Enabled and choose AES 256-bit from the dropdown. (On Windows 10 version 1511 and later the policy is split per drive type and the strongest choice is XTS-AES 256-bit; pick AES-CBC 256 only for drives that must also be read by older Windows versions.)

Once this is set, press OK. Now you need to set BitLocker up again on the drive. It is assumed you have done this before; if not, head over to Microsoft's documentation for instructions.

BONUS ROUND! How can I automatically dismount encrypted BitLocker drives?

Don't forget: to err is human! Leaving your drives mounted could lead to unforeseen consequences if you are visited late at night by unsavory officials, someone breaks into your house or hotel room, or someone steals your laptop. While a data drive is mounted its key is in memory and its contents are accessible to whoever holds the running machine, and it stays that way until it is locked, removed or the machine reboots. (The operating system drive cannot be locked while Windows is running; for it, the protections are a TPM PIN and shutting down instead of sleeping.)

So how can you solve this? Easy: create a scheduled task that locks the drive on a schedule or after a predefined period of idleness.

First hit Start, type in Task Scheduler and open it.

Next, right click and choose Create Basic Task... Don't worry, we will refine it during the setup process.

Give it a name and a snazzy description.

The next two windows are at your discretion; fill them out based on your needs, as they control how often the job will run. You will eventually be asked "What action do you want the task to perform?" Choose Start a program.

In the next window, paste in:
manage-bde.exe -lock -ForceDismount E:

E: is the drive letter you want to lock with BitLocker; customize this to your own setup. Task Scheduler will complain that you put arguments in the Program field and offer to split them into the program and argument boxes for you. Hit Yes and it does the right thing (which saves two screenshots in this article). Two things to check on the finished task: tick "Run with highest privileges", because manage-bde needs elevation, and remember that -lock only works on data drives, never the operating system drive.

Voila! Hit Next and you're done! You have just increased the security of your BitLocker setup with minimal effort and maximum gain.

Run manage-bde -? for the list of other BitLocker command options, in case you're interested.
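As an added example (this is not from the original post), here is the same configuration done and verified from an elevated PowerShell prompt: it reports the cipher each volume actually uses, reads the policy values behind the Group Policy setting above, and registers the lock task for a data drive. The drive letter E:, the 23:00 schedule and the task name are assumptions; change them to suit.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on Windows 8.1 / 10 with the BitLocker module (Get-BitLockerVolume) available.
# Assumption: E: is the data volume to lock; the schedule and task name are arbitrary.

$DataDrive = 'E:'
$TaskName  = 'Lock BitLocker data drive'

# 1. Which cipher is each volume really using? Changing the policy does not touch an
#    already-encrypted volume, so this is the check that proves the re-encryption.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod, ProtectionStatus |
    Format-Table -AutoSize

# 2. The registry values behind "Choose drive encryption method and cipher strength".
#    EncryptionMethod (Windows 7/8.x policy): 1 = AES128+diffuser, 2 = AES256+diffuser,
#    3 = AES 128, 4 = AES 256.
#    EncryptionMethodWithXts{Os,Fdv,Rdv} (Windows 10 1511+): 3 = AES-CBC 128,
#    4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    Get-ItemProperty -Path $fve |
        Select-Object EncryptionMethod, EncryptionMethodWithXtsOs,
                      EncryptionMethodWithXtsFdv, EncryptionMethodWithXtsRdv
} else {
    Write-Warning "No BitLocker policy under $fve; the OS default cipher applies."
}

# 3. Sanity-check the target before creating the task: -lock is refused for the
#    operating-system volume and is pointless unless protection is actually on.
$vol = Get-BitLockerVolume -MountPoint $DataDrive
if ($vol.VolumeType -ne 'Data' -or $vol.ProtectionStatus -ne 'On') {
    throw "$DataDrive is not a protected data volume; manage-bde -lock would fail."
}

# 4. The scheduled task from the post: lock (force-dismount) the data drive daily.
#    manage-bde needs elevation, so run as SYSTEM with the highest run level.
$action    = New-ScheduledTaskAction -Execute 'manage-bde.exe' `
                 -Argument "-lock -ForceDismount $DataDrive"
$trigger   = New-ScheduledTaskTrigger -Daily -At '23:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount `
                 -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# 5. Prove the task works without waiting for 23:00, then confirm the drive is locked.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 5
(Get-BitLockerVolume -MountPoint $DataDrive).LockStatus   # expect: Locked
```

Two things the GUI steps do not tell you: the policy value only affects volumes encrypted after it is set (Get-BitLockerVolume is how you prove a drive really was re-encrypted with AES 256), and manage-bde -lock is refused for the operating system volume, so the task is only useful for fixed data drives and removable drives.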

THC Hydra Remote Desktop Bruteforce Example | A lesson in Network Level Security

This write-up has a disclaimer at the bottom that you agree to prior to reading any other content on this post.

Today I asked myself: what is my attack surface, and how can I lower it? One function that computer admins love is Remote Desktop. It is amazing. It makes life so easy that we are willing to make security exceptions just to have it, such as forwarding a port from the internet to be able to use it.

The problem with Remote Desktop is that it opens a very real risk to our network. Assume you are an admin on your box and someone gained access to your RDP without you knowing. That box is connected to your home network, where photos and Excel sheets of budgets and credit card info live, along with priceless videos of the kids, important PDFs of job applications, and backups of all of it: Drobos, media centers, installed apps with "remember my password" ticked, and whatnot. These are all things a would-be brute-forcer might want.

So herein lies the problem... I will split it into two problems, but they share a single set of solutions.

Problem: I want Remote Desktop access, but I want to mitigate as many risks as possible when I expose it to the WAN. If you don't care about the brute-force guide you can skip to the solutions below.

Problem: I would like to see how a brute-force attack works against an RDP connection so I can better defend against it.

First of all you will need a few pieces of software to get started.
-A Linux box (Windows can be substituted, but that is beyond the scope of this guide)
-THC Hydra, which can be downloaded here.
-A word list (you can make one when we get to that point for the example)
-A target Windows host that accepts RDP connections


Once your Linux box is up and running you need to install THC Hydra: download and extract it. The application is built with make, so change directory into the extracted files.

Type in:
./configure

Then:
make

Then:
make install
This may need to be sudo make install depending on your level of access and where you are installing it.

One caveat: the rdp module is only built when configure finds the FreeRDP development headers (libfreerdp2 on current releases), so check the library summary that configure prints; without it, hydra will report rdp as an unsupported service.

Once completed, if you type ls you should see a green hydra executable. This is what we will be using from now on.

Next we need to make a word list. This is the list that Hydra will use against the remote host; it contains passwords only. To save room I have made the simplified list below. Your list will be custom to your testing, as it needs to contain at least one correct password.

Open up nano by typing: nano wordlist.txt

Enter the following lines:
123456
654321
password
445566
001100

The password on my test box is the word password; I have placed it in the middle since I don't want to make this too easy. Press Ctrl+X, then Y and Enter, to save the file.

Now we want to execute the attack. You will need the victim's *ahem* test box's IP address as well as the assumed username. There is generally an Administrator account, but if you are testing a domain or a specific target you may want to change this.

Enter the command:
hydra -t 1 -V -f -l administrator -P wordlist.txt rdp://192.168.0.100

OK, let's break this down nice and quick:
hydra – the program we assembled via make.
-t 1 – tasks (parallel connections) set to 1. Good enough for a VM; you can raise it on a dedicated physical box, but RDP servers drop connections when hammered and too many threads yield false results. Play with it.
-V – verbose, show every attempt while it works.
-f – quit once a positive user:pass match is found.
-l administrator – use the single username administrator for every attempt.
-P wordlist.txt – the word list we will be pulling passwords from.
rdp://192.168.0.100 – the target IP; customize to your liking. Attacks can be carried out over the WAN, which is exactly why the solutions below matter.

But my client is using port 3390, or 3391, or some other arbitrary port they should not be using! No problem: add the -s option followed by the port number (hydra -s 3390 ...), or write the port into the target as rdp://192.168.0.100:3390.

Your output will say something along the lines of:
[ATTEMPT] target 192.168.0.100 - login "administrator" - pass "123456" ...
[ATTEMPT] target 192.168.0.100 - login "administrator" - pass "654321" ...
[ATTEMPT] target 192.168.0.100 - login "administrator" - pass "password" ...
[3389][rdp] host: 192.168.0.100   login: administrator   password: password
[STATUS] attack finished for 192.168.0.100 (valid pair found)

*Note: If the user is on the computer when a valid user:pass is found, they will be kicked to the lock screen, because the RDP session takes over theirs. Every failed attempt also lands in the target's Security log as event ID 4625, which is what the monitoring option in the solutions section looks at.

If your attack did not work, it is probably because the Windows Firewall is blocking the port, Network Level Authentication is on, or account lockout kicked in after a few failures. I cover these in the solutions section below.

Solution: Enable Network Level Authentication; don't use the "less secure" legacy authentication.
This gets overlooked because when most users set up RDP they just want it to work; that is the problem with RDP. People spend so much time getting it working that they think about security afterwards, so they choose "more compatible" instead of "more secure" when they set it up. With NLA, the client must authenticate (via CredSSP) before a session is created on the server. Older Hydra builds cannot complete that handshake, so the attack above does not obviously fail; it just reports every password as wrong. Be aware, though, that current Hydra releases (the rdp module now builds on FreeRDP) can authenticate through NLA, so treat NLA as removing the unauthenticated session setup, not as a brute-force blocker: an account lockout policy and a long password are what actually stop the guessing. Also note that NLA needs CredSSP support on both ends; older non-Windows clients and servers such as xrdp may lack it, which can break connections in a mixed Windows/Linux environment.

Another solution is to move the RDP port to something more obscure, like 50001. This does not hold up to a real port scan, but most of the utilities I looked at only try 3389 (RDP's default), 3390 and 3391 automatically, so it filters out the lazy scanners.

The final, more annoying but more secure option is 2FA, or two-factor authentication. This provides two kinds of protection: only the user holding the device can log in, and you get a notification when someone attempts to log in and fails. That helps you gauge the number of RDP attempts without looking at the Event Viewer. Duo Security is not bad; I have used them in the past and they offer free accounts to non-corporate users.

However, implementing 2FA in your organization may be difficult, so you may have to rely on the event log (failed logons are event ID 4625 in the Security log; with NLA on they show as logon type 3, without it as type 10). To do this I highly recommend Overseer Network Monitor. This is not an ad or a scare tactic: I love this product, we used it in my previous environment and I would love to have it where I am working now. It allows event monitoring and email notifications.
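As an added example (not part of the original post), the following PowerShell checks the RDP settings discussed above on the target host and then summarizes failed logons from the Security log by source address, which is the quickest way to spot a Hydra-style run without a monitoring product. The registry locations and event fields are the standard Windows ones; the 24-hour window and the threshold of 10 attempts are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the RDP host.

function Test-RdpHardening {
    # The settings behind the Remote tab and the "more secure" (NLA) radio button.
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $p   = Get-ItemProperty -Path $tcp
    # 'net accounts' output is English-only; on localized builds check secpol.msc instead.
    $lockout = (net accounts | Select-String 'Lockout threshold').Line
    [pscustomobject]@{
        RdpEnabled     = ((Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0)
        NlaRequired    = ($p.UserAuthentication -eq 1)   # 1 = NLA required
        TlsSecurity    = ($p.SecurityLayer -eq 2)        # 0 = RDP, 1 = negotiate, 2 = TLS
        Port           = $p.PortNumber                   # 3389 unless moved
        LockoutEnabled = ($lockout -notmatch 'Never')    # threshold "Never" = no lockout
    }
}

function Get-RdpFailedLogons {
    param([int]$Hours = 24, [int]$Threshold = 10)   # assumed defaults
    # 4625 = failed logon. Logon type 10 = RemoteInteractive (classic RDP);
    # with NLA enforced, failed CredSSP attempts are logged as type 3 (Network).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -in '3', '10') {
            [pscustomobject]@{
                Time = $e.TimeCreated; Source = $d.IpAddress
                User = $d.TargetUserName; LogonType = $d.LogonType
            }
        }
    }
    # One row per attacking address once it crosses the threshold.
    $rows | Group-Object Source | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            Source    = $_.Name
            Attempts  = $_.Count
            Users     = ($_.Group.User | Sort-Object -Unique) -join ','
            LogonType = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            First     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Attempts -Descending
}

Test-RdpHardening | Format-List
Get-RdpFailedLogons -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Run it on the RDP host after the Hydra test above: the attacking box shows up as one Source with the attempt count, and the LogonType column tells you whether NLA was in play (3) or not (10). With account lockout enabled the count stops mattering, and the Hydra output turns into a string of failures that are no longer real password mismatches.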

There you have it! 4 ways to protect yourself from exploitation via RDP!

*2016-09-16 Update: I have been playing around with various 2FA solutions and I feel the YubiKey is an excellent solution for protecting RDP if properly implemented.

Disclaimer:
The instructions above should only be used on a local network against your own equipment, unless the owner of that equipment has granted you explicit permission. This guide is not to be used to attack users over the WAN or people you don't like / want to hack. The guide is provided for informational purposes only.

Be smart. Stay safe.

Forget VNC for connecting to your Linux VMs for interactivity. Use NoMachine!

Problem: I want to be able to connect to my Linux host from Windows and run apps seamlessly.

Solution: freeVNC, or better yet, NoMachine!

Recently I have been searching for a good, easy-to-use way to connect visually to my Linux VMs from a Windows host. Sure, I can use the ESX console and it's OK, but I wanted something more seamless and quick. freeVNC is kind of slow and not very quick to deploy in my opinion. It also seems to have tons of tearing when working with layered apps or apps that call 3D raster functions.

Then came NoMachine. This app is stellar, and very simple to install even if you are new to Linux. The app needs to be installed on both hosts, and then they discover one another on the network. Obviously there is a bit of a security trade-off here, since the service listens on the LAN (port 4000 by default) and advertises itself, but for a home lab it is more than fine seeing as you need a username and password to log in; just don't forward that port to the internet.


I have been using it for a little over a week and have found a use for it with my VMs and in my Hashtopus stack. More on Hashtopus another day.

Best part? NoMachine is free! I highly recommend this application and think you should give it a try if you are in a multi-OS or headless, RDP-restricted environment.


https://www.nomachine.com/ 

Apple and OS X disk encryption | Or how did this get deployed to management before IT?

So I ended up with a client who let their manager set up a laptop before we got it. This laptop was one of the new MacBooks that encrypt the disk by default during initial setup (Yosemite's Setup Assistant turns FileVault on unless you untick it). This was a pain for me, since I needed to partition the disk with Boot Camp in order to run Windows and OS X side by side. As you would imagine, that is a problem while the entire volume is being encrypted.

Problem: I can't install Boot Camp while my disk is being encrypted. I just got a new Mac and the disk is locked due to encryption. I want to stop the encryption process on my Mac.

Solution: Use Terminal to end the process and roll back the changes to the disk.
Requirements: The user's encryption passphrase / password.

This is really easy to do using Terminal, so if you are not used to it, don't fret. The sooner you start decrypting the disk, the sooner you can go back to using your aerospace-looking laptop.

First head over to Applications > Utilities and open Terminal.

Now you need to find out which disk is being encrypted. Enter the following command:

diskutil list

This will output a list of all the disks on the system. You need the name of the volume that is being encrypted (the Logical Volume under the Core Storage entries) for the next part. Then revert it:

diskutil cs revert /Volumes/title_drive -stdinpassphrase

Replace title_drive with your volume name. -stdinpassphrase prompts for the passphrase rather than taking it on the command line, so it does not end up in your shell history. Keep in mind that once the revert finishes the disk is in plain text until you re-enable FileVault, so do that as soon as Boot Camp is done.

Now you're done, just wait! If you're impatient then throw a few:

diskutil cs list

at it and the Conversion Progress field will give you a percentage, so you know if you have time to run and get a coffee.

Loading other users' mailboxes in OWA | Or side-loading so I can set the out of office reply.

Before I begin, please ensure you follow your company's guidelines on data access before pulling this stunt. Opening someone else's mailbox is logged, and full access grants far more than any of these tasks needs, so remove the permission when you are done.

Problem: My boss has asked me to audit a user's mailbox but I don't want to reset their password. I need to inspect a mailbox but I don't want to sync the entire mailbox to a PC in order to see inside. I need to set an out of office reply for a user who is not in the office.

Solution: Grant permissions to the mailbox and use OWA to load the box on top of the account that has the permissions.

First of all we need to grant full access to the mailbox using the Exchange Management Console (EMC). Open it and navigate to Recipient Configuration > Mailbox. Find the mailbox you are looking for; in this example we are using the totally legit user temp123@mydomain.com.

Right click the mailbox and choose Manage Full Access Permission; a new menu will appear.

For this example we want all of IT to have access to this mailbox. I would suggest setting up a dedicated group to make this easier; today, for the example, we will use the domain group Domain Admins, though in practice granting Domain Admins mailbox rights is the kind of thing that makes auditors twitch. Click Add and search for the group. Then click OK and Manage.

Accept the confirmation showing you that it has completed.

Now go over to your webmail login. Log in as yourself (assuming you are a member of Domain Admins).

Once logged in, you need to append the other user's address to the URL to open their mailbox. You will see:

https://webmail.mydomain.com/owa/

Change it to:

https://webmail.mydomain.com/owa/temp123@mydomain.com

And you're in!
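As an added example (not from the original post), here is the same delegation from the Exchange Management Shell (Exchange 2010 SP1 or later), together with the least-privilege route for the out of office case, which does not require opening the mailbox at all. The mailbox temp123@mydomain.com comes from the post; the group name "IT Mailbox Auditors" and the auto-reply text are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# (Exchange 2010 SP1+) as an account with recipient management rights.
# Assumptions: the group 'IT Mailbox Auditors' exists; the auto-reply text is a placeholder.

$Mailbox = 'temp123@mydomain.com'
$Group   = 'IT Mailbox Auditors'   # a dedicated group, rather than Domain Admins

# Out of office only: no need to open the mailbox at all.
Set-MailboxAutoReplyConfiguration -Identity $Mailbox -AutoReplyState Enabled `
    -InternalMessage 'I am out of the office and will reply on my return.' `
    -ExternalMessage 'I am out of the office and will reply on my return.'

# Full access for an audit. -AutoMapping:$false stops Outlook from silently adding the
# mailbox to every group member's profile (and caching a copy of it locally).
Add-MailboxPermission -Identity $Mailbox -User $Group -AccessRights FullAccess `
    -InheritanceType All -AutoMapping:$false

# Verify who can open it now, ignoring the inherited system entries.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights

# Members of $Group can now open https://webmail.mydomain.com/owa/temp123@mydomain.com

# Remove the grant when the audit is finished; leaving it is how "temporary" access
# becomes permanent.
Remove-MailboxPermission -Identity $Mailbox -User $Group -AccessRights FullAccess `
    -InheritanceType All -Confirm:$false
```

The OWA URL trick in the post works the same way whichever route you take to grant the right; the point of the script is that the out of office task never needed Full Access in the first place, and that the grant for the audit is scoped to a group and removed afterwards.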

Find a serial number or Express Service Tag with ease!

Have you ever needed to find the serial number or service tag of a Dell or other host? It can be a pain if the PC is nestled somewhere deep, dirty or just plain missing. This is mostly a personal note on how to do this, but I use it about twice a week so I figure someone else might too.

Problem: You have a host that you need the Express Service Tag for in order to get the correct drivers.


Solution: use WMIC as administrator.

This sounds complex but it isn't really. First you need to open a command prompt: press Start, then Run, then type CMD.

Once it is open drop in the following line:

wmic csproduct get vendor,name,identifyingnumber

Now you will see the vendor, model and identifying number (the service tag on Dells) printed in a table.

Perfect, now get back to inventory tracking or grab those missing drivers! This can be saved into a batch file and stored on the network for those of you who don't want to commit this one-liner to memory; it also works against a remote machine with wmic /node:hostname in front of it for when you are not sitting in front of the computer. Simple I know, but very effective.
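As an added example (not from the original post), here is the same lookup via CIM from PowerShell, which also works against remote hosts and returns objects you can export for inventory. wmic is deprecated on current Windows 10/11 builds, so this is the form to keep in the toolbox. The host names pc01 and pc02 in the usage line are assumptions, and remote queries assume you are an administrator on those hosts with WinRM enabled.

```powershell
# Added example, not from the original post. Get-CimInstance replaces the deprecated
# wmic; Win32_ComputerSystemProduct is the class behind 'wmic csproduct'.
# Assumptions: remote hosts allow WinRM and you are an admin on them.

function Get-ServiceTag {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        try {
            $cim = if ($c -eq $env:COMPUTERNAME) { New-CimSession }
                   else { New-CimSession -ComputerName $c -ErrorAction Stop }
            $p = Get-CimInstance -CimSession $cim -ClassName Win32_ComputerSystemProduct
            $b = Get-CimInstance -CimSession $cim -ClassName Win32_BIOS
            [pscustomobject]@{
                Host       = $c
                Vendor     = $p.Vendor
                Model      = $p.Name
                ServiceTag = $p.IdentifyingNumber   # same field wmic prints
                BiosSerial = $b.SerialNumber        # usually identical; a cheap cross-check
                Reachable  = $true
            }
            Remove-CimSession $cim
        } catch {
            # Unreachable or access denied: keep the row so the gap shows in the export.
            [pscustomobject]@{
                Host = $c; Vendor = $null; Model = $null
                ServiceTag = $null; BiosSerial = $null; Reachable = $false
            }
        }
    }
}

Get-ServiceTag | Format-Table -AutoSize
# Inventory a list of machines (names assumed) and keep the result:
# Get-ServiceTag -ComputerName 'pc01', 'pc02' | Export-Csv .\serials.csv -NoTypeInformation
```

The failed rows are kept on purpose: when you walk a building later, the Reachable column is the list of machines you still have to crawl under the desk for.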

Brother HL Series – Toner Light Reset

We have a number of these (roughly 12) at my work, so this is just for personal reference, but feel free to comment if it helps you.

Problem: A Brother HL-2720DW series printer shows an amber toner light and, despite new toner, it will not clear.

Solution: First do everything a normal person would: reboot, and clean the corona wire as instructed on every toner change. If this does not resolve it, follow the steps below:

1. Open front door the light will change color.
2. Turn off printer with the switch on the side.
3. While holding down the green GO button, turn printer back on  using the switch on the side.
4. When all four LEDs light up release GO button. All LEDs will turn off
5. Press the GO button 2 times. The 3 LEDs (toner, drum, paper) will light up solid
6. Press the GO button 5 times
7. Paper light will be blinking
8. At this point the toner end-of-life condition has been reset. Close front door.

Print.

Bypass the Windows 8, 8.1 and Server 2012 product key prompt on install

Have you, like me, gone to install Windows 8, 8.1 or even Server 2012 R2 and seen the most annoying screen below? Like, how annoying is this?

Well, let me show you a neat way of getting past the key prompt that does not violate the license terms: the install completes, but Windows still has to be activated with a valid key afterwards.

Problem: Microsoft won't allow me to install Windows without first putting in a valid license key. Or maybe your key is on another partition you want to get to after the install :)

Solution: Build a new USB install of Windows 8 / 8.1 / Server 2012 with an OEM config file (ei.cfg) that tells setup to skip this prompt.

First you need a Windows 8 / 8.1 install built on a USB stick from the ISO. This can be done with the Microsoft USB Download Tool. This tool has recently been pulled from the Microsoft store but you can download it here.

Once you have built your USB stick (not covered in this article), open the newly created drive and look for a folder called Sources\.

Create (or modify, if it already exists) a file called ei.cfg in Notepad and paste in the following text, one item per line:

[EditionID]

[Channel]
OEM
[VL]
0

Leaving [EditionID] blank makes setup ask which edition to install. Ensure you save the file as ei.cfg, not ei.cfg.txt!

Now use that USB stick to install the desired version and edition of Windows. If you cannot make the guide work, you can use one of the generic KMS client setup keys Microsoft publishes for volume licensing customers. These will not activate Windows; they simply allow you to finish the install.

The keys can be found midway down the page here.
Enjoy your new Windows install!

Can't sync Google Calendar to Windows 8 or Outlook.com? Fix it with iCal!

Recently Google pulled the plug on Microsoft's EAS (ActiveSync) support and only made it available to people who pay for Google Apps for Business. This sucks for us little people who don't have Apps and who want one calendar system regardless of provider.

Google's solution is to buy Google Apps ($50 a year); Microsoft's is to export all your data into their system. As an avid Android and Windows 8 user I came up with a solution that I was unable to find anywhere else on the net.

Issue: Google Calendar will not sync with Windows 8. *Note: you can still sync mail by ensuring the contacts and calendar option is unchecked.

When adding a Google account to Windows 8 you will notice it can be difficult. Simply uncheck "Include your Google contacts and calendars" and then you can add the account. This is not required for this guide but may be of use if you want to get mail.

Solution: We will use iCal settings to create a sync relationship via a private URL. All these settings are applied in the browser; they apply to the OS automatically when we are done.
This sounds hard but it's easy; I have included lots of images to make it simple.

First, I'm going to assume you have a Google account and an Outlook.com / Hotmail.com / .NET account. Head over to https://www.google.com/calendar and log in. Let's make an event called A Google Event for today.

Now pick the down arrow next to the calendar you want and choose Calendar Settings.

This will open a new menu.

Now you will see a bunch of options. Scroll down to the bottom and look for a green ICAL button next to the words Private Address.

Click this button and a new window will appear.

In this new window is a private URL. Don't share it with anyone: the link is the only thing protecting the calendar, so anyone who has it can read every event without logging in (if it leaks, use the Reset Private URLs option on the same settings page). Copy the URL from the window and make sure it is complete.

Now we need to head over to calendar.live.com. Once there, look for an Import button near the top left.

You will be taken to a new screen. Click Subscribe on the left; you will need the URL you copied from Google. Paste it into Calendar URL, give it a quick name and anything else you want.

Click Subscribe.

It may take some time for the calendar to sync, but mine was almost instant. *Note: Google states iCal feeds update every few hours (2 - 24 hours). Keep this in mind, as your next Google event won't show up until the refresh.

Great! Now we have Google events going to Outlook.com, and you will also see them appear in Windows 8 (provided you use the same account there). To make it full circle we need to do the same from Outlook.com to Google.

In the main menu of Outlook Calendar click the Share button and pick the calendar you want to sync.

Then choose Get a link; you want the ICS link. Copy the entire URL to your clipboard and let's head back to Google quickly.

Now that we are back at Google Calendar with our URL, click the arrow next to Other Calendars, then pick Add by URL.

Now paste the URL into the field, but be sure to change the start of it from webcals:// to https://

Pasted as-is with the webcals:// prefix, Google will throw an error. With the https:// prefix it will work.

After that you should see a new calendar added, and Google will update shortly.

You're done!

Deploy with ease | A Windows Deployment Services guide | Windows Server 2012

Rolling out PCs can be boring and a pain. Using Acronis Snap Deploy can help (that was not a sponsored ad; however, Acronis, if you want to pay me to post this please give me a copy, the trial ran out), but the software can be expensive.

So what does a sysadmin do? What's free with my Server 2012 installation that can help me roll out PCs faster? PXE and WDS. Using a simple mix of PXE and Windows Deployment Services you can guarantee a quick and painless roll-out.

Issue: I want to deploy Windows to a bunch of hosts but I also want to play Portal 2.

Solution: Install WDS

First we need a Windows Server 2012 install and a working DHCP server; I am going to assume you have both. They don't have to be on the same host, but they can be (as is the case here).

If you are using Windows Server 2012 as your DHCP server this will be super easy. Before you start I would recommend adding a new virtual disk for your images. ~200 GB would be good working room, but I used 40 GB in my lab. In this example we are going to be using disk D:.

Once the disk has been added and formatted, go to Server Manager and choose Add Roles and Features. Click Next until you get to Server Roles. Scroll down to Windows Deployment Services.

Install the role and reboot if necessary.

Now you will see a new icon on the Start (Metro) screen. Click it to open it.

You will be prompted for an initial setup where you will be asked things like:
-Is this a DHCP server? (This is the most important step: if DHCP is on the same box, WDS must not listen on the DHCP ports and must set DHCP option 60 so PXE clients can find it.)
-Where should I store the data for these images? Keep this path simple: let it pick the path and just pick the disk.
-Which PXE clients should the server answer? Answering all clients means anything that boots on the LAN can pull your images, so prefer known clients, or require administrator approval for unknown ones. Adding ISOs (memtest, Kon-Boot) and other items into WDS that shouldn't be there will be covered in a different article.

Once you have completed these steps it's time to add some ISOs and images. To be clear, you will need OEM ISOs, genuine disks that came with the PC, or something from MSDN. Simply take your ISO and extract it with WinRAR, or mount it with Windows Server 2012's built-in ISO mounter.

Now you should have a folder of extracted files. Inside the \sources\ folder you will find some WIM files. These are what you need; you can leave them where they are. We now need to tell WDS about these disks.

With the WDS MMC still open, choose Boot Images, then right click in the window on the right and choose Add Boot Image...

Please note I already had images in here which you will not have.

A menu will appear prompting you for the location of your DVD. Simply go to the folder that you extracted the contents of your Windows installation DVD to and open the \sources\ folder.

Open the boot.wim file and choose Next. You will then be asked for some info on what you want it named; fill it out as desired.

This is great, but you still can't install Windows with just this added. We still need to add the install.wim to the WDS server. This is done by right clicking on Install Images and selecting Add Install Image...

You will be prompted to make a group. Name it accordingly. I use MSDN and OEM just so I am aware of what is what; however, you may wish to do it by OS level.

After you have added an image you're basically good to go. Power up a VM and press F12 at the PXE prompt.

You can now see all your new .wim installs there! This creates an easy method for booting into the install environment. Now install, then capture your image, and you're good to go!
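As an added example (not from the original post), here is the same WDS build scripted with the tools that ship with Server 2012 (wdsutil and Mount-DiskImage), so it is repeatable and so the PXE answer policy is chosen deliberately instead of left at the default. The paths D:\RemoteInstall and C:\ISO\win8.iso and the image group name MSDN are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the Server 2012 host that
# also runs DHCP (as in the post). Assumed: D:\RemoteInstall, C:\ISO\win8.iso, group MSDN.

$RemInst = 'D:\RemoteInstall'
$Iso     = 'C:\ISO\win8.iso'
$Group   = 'MSDN'

Install-WindowsFeature WDS -IncludeManagementTools

# Initialise the server and tell WDS that DHCP lives on the same box: stay off the DHCP
# ports and advertise the PXE server through DHCP option 60 instead.
wdsutil /Initialize-Server /RemInst:$RemInst
wdsutil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes

# PXE answer policy. The default hands boot and install images (and any captured image
# with baked-in local admin passwords) to anything that PXE-boots on the LAN.
# Answer everyone, but park unknown machines as pending until an admin approves them;
# /AnswerClients:Known with pre-staged computer objects is the stricter alternative.
wdsutil /Set-Server /AnswerClients:All
wdsutil /Set-Server /AutoAddPolicy /Policy:AdminApproval

# Mount the ISO instead of extracting it, then add boot.wim and install.wim.
$drive = (Mount-DiskImage -ImagePath $Iso -PassThru | Get-Volume).DriveLetter
$src   = "${drive}:\sources"
wdsutil /Verbose /Progress /Add-Image /ImageFile:"$src\boot.wim" /ImageType:Boot
wdsutil /Add-ImageGroup /ImageGroup:$Group
wdsutil /Verbose /Progress /Add-Image /ImageFile:"$src\install.wim" /ImageType:Install /ImageGroup:$Group
Dismount-DiskImage -ImagePath $Iso

# Review what the server will now offer, and which unknown clients are waiting.
wdsutil /Get-Server /Show:Config
wdsutil /Get-AllImages /Show:All
wdsutil /Get-AutoAddDevices /DeviceType:PendingDevices
# Approve a specific request once you recognise the MAC/GUID:
# wdsutil /Approve-AutoAddDevices /RequestId:1
```

With AdminApproval in place the F12 boot in the post still works, but an unknown machine sits at "pending" until you approve it, which is a reasonable trade for not serving your install media to every laptop a visitor plugs into the LAN.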