Tuesday, December 1, 2020

Get Zerlologons CVE-2020-1472 using PowerShell

Find attached a script to get all systems that using zerologon (event 5829) described in CVE-2020-1472. I want to upload this script to my technet gallery, but MS changed it all so I cant acces it...

More infos about this topic and how to handle the update process:

https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e

You can change the event to find other objects like trusts etc.

# --------------------------------------------------------------------------------------------------------
# Author: Tim Buntrock
# Script: Get_ZeroLogons5829.ps1
# Description: Get all machinesamaccountnames that appear in Event 5829, to find systems using zerologon!
# --------------------------------------------------------------------------------------------------------


# Prepare Variables
Param (
        [parameter(Mandatory=$false,Position=0)][String]$DCName = "localhost",
        [parameter(Mandatory=$false,Position=1)][Int]$Minutes = 15)

# Create an Array to hold the values
$InsecureNetLogons = @()

# Grab the appropriate events
$Events = Get-WinEvent -ComputerName $DCName -FilterHashtable @{Logname='System';Id=5829; StartTime=(get-date).AddMinutes("-$Minutes")}

# Loop through each event
ForEach ($Event in $Events) {
    $eventXML = [xml]$Event.ToXml()
    $Client = ($eventXML.event.EventData.Data[0]) #get Machinesamaccountname
    # Add Them To a Row in our Array
    $Row = "" | select Client
    $Row.Client =$Client
    # Add the row to our Array
    $InsecureNetLogons += $Row    
}

# Dump it all out to a CSV and open gridview
Write-Host $InsecureNetLogons.Count "records found ... saving unique entries to .\InsecureNetLogons.csv for DC" $ComputerName -ForegroundColor DarkYellow
$InsecureNetLogons | Sort-Object -Unique -Property Client| Export-CSV -NoTypeInformation .\InsecureNetLogons.csv
$InsecureNetLogons | Sort-Object -Unique -Property Client| Out-GridView

Thursday, June 25, 2020

Enabling debug logging for the Netlogon service

Activate debug logging using nltest and set log size using registry

Type the following command, and then press Enter to enable logging:

Nltest /DBFlag:2080FFFF

 

Setting the maximum log file size for Netlogon logs using Registry

The MaximumLogFileSize registry entry can be used to specify the maximum size. You must create this entry, because it doesn´t exist.

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Value Name: MaximumLogFileSize

Value Type: REG_DWORD

Value Data: <max log file size in bytes>

1073741824 Bytes is 1 GB

This registry setting specify the disk space for the Netlogon.log and Netlogon.bak file. For example, a setting of 1 GB can require 2 GB of disk space.


Using Policy to enable logging and configuring log size

You can use the following Computer policy to configure the log file size in bytes and debug level:

Computer Configuration\Administrative Templates\System\Net Logon\Specify maximum log file size

1073741824  (1073741824 is 1 GB)

Computer Configuration\Administrative Templates\System\Net Logon\Specify log file debug output level

545325055     (545325055 is equivalent to 0x2080FFFF and enables verbose Netlogon logging!)








 


Monday, June 15, 2020

LDAP Binds and LDAPS

Bind operations are used to authenticate clients to the Domain Controller, to establish an authorization identity that will be used for subsequent operations processed on that connection, and to specify the LDAP protocol version that the client will use.

This LDAP authentication process supports three types:

  1. Simple bind
  2. Simple Authentication and Security Layer (SASL) bind
  3. Sicily bind


Simple Bind

With a LDAP Simple Bind, the credentials of a user, that are used to bind the LDAP client to the Domain Controller are unencrypted.

SASL

SASL is the term for a framework of mechanisms that allow for secured authentication to take place over an unencrypted or encrypted communications channel. In this case Kerberos V5 is used for authentication. Most Microsoft Consoles using SASL to authenticate.

Sicily authentication

Active Directory also supports this authentication approach during LDAP binds and is intended for compatibility with legacy systems and will result in NTLM being used as underlying authentication protocol.


So let´s clarify what´s LDAPS about... 

LDAPS

It's a mechanism that uses TLS to secure communication between LDAP clients and Domain Controllers to avoid insecure simple bind or securing auth for clients that are not supporting SASL.

The following scenarios are possible:

LDAPS over port 636 (DC) or port 3269 (GC) where the connection is immediately secured by the certificate. SSL/TLS is negotiated before any LDAP traffic happens.

LDAP using StartTLS over port 389 (DC) or 3268 (GC) where the StartTLS operation is used to establish secure communications. It requires the LDAP client to support StartTLS operation.


Tuesday, June 9, 2020

Create a keytab file to use SSO for KeyCloak or another tool

You can use this post to create a KeyTab file for your application to use SSO.

Find attached the details for the sample setup.
Domain: test.zz
user: srviceuser1
pw: HDPw8912hs17!/hsd7
url: auth-test.service.test.zz
Required enycryption: AES256

Command:
ktpass -out c:\auth-test.keytab -princ HTTP/auth-test.test.zz@TEST.ZZ -mapuser srviceuser1 -pass HDPw8912hs17!/hsd7 -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
If another type of encryption is needed you should have a look at the following article:

You can verify if the spn is applied to the account using the following command.
setspn -L srviceuser1

The last thing we have to do is to enable the support of AES256 encryption on the account serviceuser1. Open Active Directory  Users & Computers, select properties of serviceuser1, go to the account tab and select the following checkbox in Account options: “This account supports Kerberos AES 256 bit encryption”


Monday, June 1, 2020

Microsoft Security Compliance Toolkit

For someone who hasn‘t any sec baseline tools for Windows and Microsoft products, you should check it out. Microsoft Security Compliance Toolkit is a collection of tools and templates released by Microsoft to give security admins access to recommended security configuration baselines for Windows OS and some Microsoft products. You can manage both domain and local policies!

You can download the tool here:

Wednesday, April 1, 2020

Test connection speed between NetApp ONTAP 9.3+ and Windows Client

Today I wanna show you, how to perform a speed test between a Windows Client and your NetApp filer.

Logon to your NetApp filer using SSH.

Set priv to advanced:
netapp::> set -privilege advanced

Warning: These advanced commands are potentially dangerous; use them only when
         directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y
netapp::> y


Start iperf server:
netapp::*> network test-link  start-server


Install and run iperf on Windows:
- Logon into the Windows client
- Download iperf3 and extract it
  https://iperf.fr/en/iperf-download.php#windows
- browse to iperf3.exe and run
  iperf -c serveripaddress


Example execution and output:
iperf3.exe -c 10.1.1.10
Connecting to host 10.4.248.156, port 5201
[  4] local 10.2.1.2 port 61373 connected to 10.1.1.10 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  91.2 MBytes   762 Mbits/sec
[  4]   1.00-2.00   sec  88.1 MBytes   742 Mbits/sec
[  4]   2.00-3.00   sec  99.6 MBytes   835 Mbits/sec
[  4]   3.00-4.00   sec  95.6 MBytes   802 Mbits/sec
[  4]   4.00-5.00   sec  95.1 MBytes   798 Mbits/sec
[  4]   5.00-6.00   sec  94.1 MBytes   790 Mbits/sec
[  4]   6.00-7.00   sec  92.9 MBytes   779 Mbits/sec
[  4]   7.00-8.00   sec  93.2 MBytes   782 Mbits/sec
[  4]   8.00-9.00   sec  94.8 MBytes   795 Mbits/sec
[  4]   9.00-10.00  sec  91.2 MBytes   765 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   936 MBytes   785 Mbits/sec                  sender
[  4]   0.00-10.00  sec   936 MBytes   785 Mbits/sec                  receiver

iperf Done.


Stop iperf server on NetApp:
netapp::*> network test-link  stop-server

Wednesday, March 11, 2020

Hunting insecure LDAP Binds


Look at your DC Event log for Event ID 2886 and 2887 in your Directory Service log.
If Event ID 2886 is logged, it indicates that LDAP signing is not being enforced by your DC!
The second Event ID 2887 occurs every 24 hours and will report how many unsigned / clear text binds has occurred to your DC.

How do we get the systems that performing such binds?
We need to set our logging, so we can get a new Event with the ID 2889 logged. With that event we can see the IPs and accounts that are binding insecurely.

Set Simple LDAP Bind Logging:
Set-ItemProperty -Path 'HKLM:SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value "2"

Later use this PS command to disable Simple LDAP Bind Logging:
Set-ItemProperty -Path 'HKLM:SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value "0"

After enabling, we can see the event in our Directory Services log.

To get an overview about that events you can use the following script:
Query-InsecureLDAPBinds.ps1

Just change the last part to only get unique entries:
$InsecureLDAPBinds | Sort-Object -Unique -Property User,Ipaddress| Export-CSV -NoTypeInformation .\InsecureLDAPBinds.csv

The script exports a CSV from the specified domain controller containing all unsigned and Clear-text LDAP binds made to the DC by extracting Event 2889 from the "Directory Services" event log.

Example execution to get all insecure binds happening in the last 24 hours for DC01:
.\Query-InsecureLDAPBinds.ps1 -computername DC01 -Hours 24
The output .CSV will include IP Addresses, Ports, Username and the binding type.

"IPAddress","Port","User","BindType"
"10.120.0.88","60966","TIM\ldapuser","Simple"
"10.120.1.110","65445","TIM\ldapuser2","Simple"

Thursday, February 20, 2020

PowerShell Get LDAP limits / Default Query Policy

Hi guys,
to get the LDAP limits, defined in the Default Query Policy just run the PowerShell snippet. Before you do so replace DC=DOMAIN,DC=ZZ with your domain!

Get-ADObject -Filter 'ObjectClass -eq "querypolicy"' -SearchBase 'CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=ZZ' -Properties lDAPAdminLimits | foreach {$_.lDAPAdminLimits}

Monday, February 17, 2020

Configure ADWS debug Log

To configure ADWS debug logging, you have to add some lines to the <appSettings> section:
First you have to set the log level:

<add key="DebugLevel" Value="<Loglevel>" />

<Loglevel> could be one of following values:
None, Error, Warn or Info.

Than you must configure the debug file path:

<add key=”DebugLogFile” value=”<Logpath>” />

To log Error and Warnings you should add these two lines:

<add key="DebugLevel" Value="Warn" />

<add key="DebugLogFile" value="C:\AdwsDebug.log" />

After that you have to restart ADWS:
Restart-Service –name ADWS

Tuesday, February 11, 2020

Restore files from previous versions including all file information

In the following post we will use Robocopy to restore files from previous version including all file information like attributes, timestamps, NTFS ACLs etc

The most admins just move the files from previous versions and lose the original file information.

If files were encrypted our deleted you can use the following method to restore your files, including all information, if shadow copies was configured!

First we need to get the path of the previous version:
















Than we could run the following command to restore our files:
robocopy "\\fileserver\c$\data001\@GMT-2019.11.28-11.06.38\testtree" "\\fileserver\c$\data001\testtree" /E /COPYALL /DCOPY:T

Explanation of the switches used in robocopy:
Copy directory recursively (/E)

Copy all file information (/COPYALL, equivalent to /COPY:DATSOU, D=Data, A=Attributes, T=Timestamps, S=Security=NTFS ACLs, O=Owner info, U=Auditing info)

Preserve original directories Timestamps (/DCOPY:T).

Friday, February 7, 2020

GET AZURE AD USER SYNCHRONIZATION TIME

First you have to connect to MSOnline using your credentials:

$credential = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $credential

Than you can get the attribute called LastDirSyncTime using the following command:

Get-MSOlUser -UserPrincipalName "tim.buntrock@domain.com" | Select-Object LastDirSyncTime