Thursday, January 29, 2015

SCCM client doesn't connect to the local SMP during OSD

I recently noticed that one of my computers was connecting to an SMP/DP across a T1 to a remote office to store user state during OSD. After reviewing the logs I saw that it was connecting to the local DP for content, but not for user state storage.

I couldn't find anything in the logs that explained this behavior, and I checked my boundaries and boundary groups and everything looked good. After failing to resolve this on my own over a few days, I opened a ticket with Microsoft support.

It turns out that boundary groups steer a client to the local DP for content, but they do not steer it to a local SMP: during OSD the client can use any SMP that accepts new user state, even one on the far side of your slowest WAN link to a remote office.

There are two ways to keep the client from sending user state across the WAN: check "Enable restore-only mode" in the State Migration Point properties under Administration > Servers and Site System Roles, or check "Capture locally by using links instead of copying files" on the "Capture User Files and Settings" step of your OSD task sequence.

Enabling restore-only mode stops the SMP from accepting new user state, while state already stored on it stays available for restore. The drawback is that this applies to every client: not only will other sites stop using that SMP to store user state, the clients at its own site will stop too and will send their user state across the WAN to some other SMP. So the setting has to be flipped as needed; for example, when imaging several workstations at one office, enable restore-only mode on every SMP except the one at that site, and clear it again afterwards.

Capturing locally by using links (USMT hard-link migration) keeps the user state on the machine's own disk, so nothing crosses the network and there are no SMP settings to remember to change: a "set it and forget it" solution, which is what I prefer. The caveat is that hard-link capture only works for a refresh of the same machine; if the user is moving to new hardware, the state still has to go to an SMP.

Tuesday, January 20, 2015

Creating custom SonicWall IPS signatures

I’m going to show how to use Kali Linux and Windows 7 Pro running in VMware Workstation to create a packet capture for the creation of a SonicWall IPS signature to detect a reverse shell. Before writing this article I talked to SonicWall support and asked them if the IPS signatures already detected netcat reverse shells and was told that they do not. After creating this article, I discovered during testing that they actually do. We can still use this article as a reference to create custom IPS signatures in the future so all is not wasted.

On your Kali VM, open a terminal and run "ncat -l". This starts ncat listening for the reverse shell on its default port, 31337. You may specify a different port, "ncat -l 4444" for example.

In Kali, start Wireshark and make a note of the IP address of the interface you are using for your capture. Start the Wireshark capture.

In Windows, download netcat from and unzip it to the directory of your choice. Open a cmd prompt and either cd to the directory where netcat is extracted, or enter the path with the following command: “nc -e 31337”

On Kali, once the Windows 7 machine connects to the ncat listener, you will see a Windows command prompt, headed by the Windows version banner, in the terminal. Stop the Wireshark capture. In Wireshark, apply a display filter on the Windows 7 machine's address (the banner travels from Windows to Kali) to find the right packet: ip.src== and apply it.

Scroll down through the filtered frames until you see:

Click File > Export Specified Packets, check "Selected packet only", and save the file to your desktop.

I installed the Okteta hex editor in Kali; “apt-get install okteta”. There is a command line hex editor already installed in Kali, however I didn’t want to take the time to learn a cli hex editor since I had a deadline to get this done. I’ll take the time to learn hexedit later.

Open Okteta and open the single-frame capture you saved earlier. Highlight the part you see highlighted below; stop before the build number and leave out the prompt's directory path, since both vary from machine to machine and would break the signature. The bytes you select are the whole signature: "Microsoft Windows [Version 6.1." matches the cmd.exe banner of any Windows 7 or Server 2008 R2 build, but a different Windows version prints a different banner, so if you include anything beyond "Version 6.1." (or need other versions covered) you will have to edit the capture in your hex editor and export a copy for EVERY version of Windows that you need to protect. Keep in mind too that this is a plaintext signature: a reverse shell tunnelled over TLS or SSH, or one that spawns powershell.exe instead of cmd.exe, never puts these bytes on the wire.

Click File > Export > Values, clear the Separation field so the Preview shows the hex with no spaces, and click the Export to File button.

To add the new signature you first need a "Match Object". In the SonicWall web interface, go to Firewall > Match Objects and click "Add new match object" at the bottom. Enter an object name (I used "Windows Reverse Shell"), set Match Object Type to "Custom Object", Match Type to "Exact Match" and Input Representation to "Hexadecimal", paste the hex string you exported from the hex editor, then click "Add" and "OK".

Create a new app rule:

Thursday, January 15, 2015

Python script to search Cisco CUCM Call Detail Records

If you manage Cisco CUCM and get requests for Call Detail Records, you know how frustrating it can be to have to:
  1. import the csv file to Excel
  2. delete out all but 4 of over 60 columns
  3. search thousands of rows of data to narrow down to the one extension
  4. convert epoch time to something a human understands
The first time I had to fulfill a request for call records, it took me most of the day to figure it out. Before I wrote this script it took me an average of a couple hours. That's two hours too long. With this script and Python installed, you can have a csv file to import into Excel in seconds.
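A script that does the four steps above, written here as an added example; it is not the author's script, which the post does not include. The CDR text is a constructed sample, not a real CUCM export, but it keeps the layout that matters: a header row of column names, a second row of SQL data types that has to be skipped, and times as Unix epoch seconds in UTC. The post does not say which four columns it keeps, so the KEEP list is an assumption; change it to suit the request you are answering.

```python
"""Pull one extension's calls out of a CUCM CDR export with human-readable times."""
import csv
import io
import sys
from datetime import datetime, timezone

# Constructed sample export, not a real CUCM file. Real exports carry dozens of columns;
# the layout that matters here is the same: row 1 is the column names, row 2 is each
# column's SQL data type (which must be skipped), and times are Unix epoch seconds in UTC.
SAMPLE_CDR = """\
cdrRecordType,globalCallID_callManagerId,globalCallID_callId,dateTimeOrigination,callingPartyNumber,originalCalledPartyNumber,finalCalledPartyNumber,dateTimeConnect,dateTimeDisconnect,duration,origDeviceName,destDeviceName
INTEGER,INTEGER,INTEGER,INTEGER,VARCHAR(50),VARCHAR(50),VARCHAR(50),INTEGER,INTEGER,INTEGER,VARCHAR(129),VARCHAR(129)
1,1,100001,1421344800,2001,2002,2002,1421344805,1421344865,60,SEP001122334455,SEP00AABBCCDDEE
1,1,100002,1421348400,2003,2001,2001,1421348404,1421348524,120,SEP001122334466,SEP001122334455
1,1,100003,1421352000,2004,2005,2005,0,1421352010,0,SEP001122334477,SEP001122334488
"""

# The four columns kept. The post does not name its four, so this set is an assumption.
KEEP = ["dateTimeOrigination", "callingPartyNumber", "finalCalledPartyNumber", "duration"]
# Columns that can hold the extension being searched for (caller, dialled, or after forwarding).
PARTY_COLUMNS = ["callingPartyNumber", "originalCalledPartyNumber", "finalCalledPartyNumber"]


def epoch_to_utc(value: str) -> str:
    """Convert CUCM epoch seconds to 'YYYY-MM-DD HH:MM:SS' UTC; 0 means the event never happened."""
    seconds = int(value)
    if seconds == 0:
        return ""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def search_cdr(cdr_text: str, extension: str, keep=KEEP):
    """Return rows involving `extension`, trimmed to `keep` columns, with times made readable."""
    rows = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if not row["dateTimeOrigination"].isdigit():
            continue  # the data-type row (INTEGER, VARCHAR(50), ...), not a call record
        if extension not in {row[c].strip() for c in PARTY_COLUMNS}:
            continue
        out = {col: row[col] for col in keep}
        for col in ("dateTimeOrigination", "dateTimeConnect", "dateTimeDisconnect"):
            if col in out:
                out[col] = epoch_to_utc(out[col])
        rows.append(out)
    return rows


def to_csv(rows, keep=KEEP) -> str:
    """Serialise the trimmed rows as CSV ready to open in Excel."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=keep, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python cdr_search.py <cdr_export.csv> <extension> > result.csv
    with open(sys.argv[1], newline="") as f:
        text = f.read()
    sys.stdout.write(to_csv(search_cdr(text, sys.argv[2])))
```

The extension is matched against the calling, originally called and finally called party, so forwarded calls land in the result whichever side the extension was on; the timestamps come out in UTC, which is how CUCM stores them, so convert to local time in Excel if the requester needs it.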

Tuesday, January 13, 2015

Deploying Java 8 update 25 with SCCM

Product: Java 8 Update 25 -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action installexe, location: C:\WINDOWS\Installer\MSI789B.tmp, command: /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_25\\" EULA=0 REPAIRMODE=0

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.

Fix: use this as the Installation program: msiexec /i jre1.8.0_25.msi JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1 /q

JU=0, JAVAUPDATE=0 and AUTOUPDATECHECK=0 turn off the Java auto-update mechanism, RebootYesNo=No suppresses the reboot prompt, WEB_JAVA=1 leaves the browser plugin enabled, and /q runs the install silently. With auto-update off, SCCM is the only thing patching Java on these machines, so each new update has to be packaged and deployed the same way.

Saturday, January 3, 2015

Being true to yourself

I've always had a passion for computer/network security. Looking back, I was a hacker (in the good sense of the word) ever since I bought my first computer. I was in the Navy and used my reenlistment bonus to buy my first computer, a Radio Shack Tandy T1000. I picked it up going into a three-day weekend and spent the whole weekend tinkering with it; taking it apart and putting it back together and ultimately breaking it so badly that phone tech support couldn't help me restore the partition table that I had deleted. I ended up fixing that myself and calling to tell tech support how I did it so that they could add it to their notes.

I not only wanted to know how computers worked, I was also intrigued with how to get computers to do things that were undocumented, like some kind of black magic. I was fascinated with hackers and hacking. Once I discovered VMware Workstation and Server, I was running labs in my garage to learn server OS and security. Meanwhile I was in the Navy as an Aviation Electrician and was raising a family. I never really learned as much as I wanted to about programming and low level operating system details. I just didn't have the time.

During my last tour of duty in the Navy before retiring I managed to work my way into the IT department of the command where I was stationed. I had the right skills, in the right place, at the right time. I worked my way up from help desk to system administrator and Assistant Information System Security Manager over those three years. During that time I also finished my degree in Networking and Security Management.

My first (and current) civilian job was "Network Support" and I was promoted to "System Engineer" around two years later. Since then my job has taken me in a direction other than where I had intended. These days I rarely get to work on the networking and security side, and spend most of my time with Citrix, VMware, and System Center Configuration Manager (SCCM). I am very thankful for the opportunities that my employer has given me and the training I've received. I alone am responsible for keeping myself on track to reach my goals, and ultimately the things I've learned outside of security will help me in the long run.

While studying for Citrix and VMware certifications, I realized that I had to push myself to do it. I didn't feel a "pull" to do it so I lacked the motivation to succeed. In evaluating my goals I realized how far I had strayed from my passion for information security. I'm certainly not getting any younger, and I'm feeling a sense of urgency to be true to myself this late in life. While I'm not old, I am on my second career after retiring from the Navy.

I've decided to change my goals to realign myself with my passion for information security. While I've attempted to learn Python in the past, I usually got sidetracked and never completed it. I've found Codecademy, where I'm currently learning Python interactively. I'm also getting back on track by studying for the Certified Ethical Hacker v8 certification. While many people may look down on certifications, I'm using it as a way to stay focused and on track. I'll be posting my study notes here over time for others to use.

Be true to yourself. It's a drag trying to force yourself to stay motivated for something that doesn't make you happy in the long run.