Friday, March 13, 2015

Using SCCM Task Sequences to perform complex application upgrades

In System Center Configuration Manager (SCCM) applications are typically deployed and managed in one of two ways: Applications and Packages.

Sometimes you need something a little more powerful. When we originally installed KwikTag, it didn't have an installer. It was a folder that had to be copied to the computers and run a batch file to register the dll's. Now we need to upgrade, which involves unregistering the dll's, deleting files out of each user's %appdata% folder, and finally deleting the folder out of "Program Files". If that weren't enough, the upgrade must include logic for "Program Files" as well as "Program Files (x86)", and I have a mix of computers with the old version, the new version, and no version installed.

Normally SCCM Task Sequences are for operating system deployment, but you can use them for much more.

When creating the Task Sequence, choose "New custom task sequence" and do not choose a boot disk.

Here's my overall "Upgrade KwikTag" Task Sequence:

You'll notice that I grouped the steps and used an "If" condition to specify to only run the TS if none of the conditions are true, as in only if the new version of the application is not installed. For all except the Install and Restart, I checked "Continue on Error" which covers those cases in which the program was never installed and the files don't exist.

My Powershell script loops through the all user's %appdata% folder and cleans up the files.

Thursday, March 12, 2015

Hacking the network with Scapy and Python

I've been learning Python for infosec work. Scapy is built on Python and allows you to interact with the network at a much lower level than the Python sockets library. If I were to say it allows you to build your own packets/frames that would be an understatement.

From the Scapy home page:

What is Scapy

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc. See interactive tutorial and the quick demo: an interactive session (some examples may be outdated).

What makes scapy different from most other networking tools

First, with most other tools, you won't build someting the author did not imagine. These tools have been built for a specific goal and can't deviate much from it. For example, an ARP cache poisoning program won't let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.
Second, they usually confuse decoding and interpreting. Machines are good at decoding and can help human beings with that. Interpretation is reserved to human beings. Some programs try to mimic this behaviour. For instance they say "this port is open" instead of "I received a SYN-ACK". Sometimes they are right. Sometimes not. It's easier for beginners, but when you know what you're doing, you keep on trying to deduce what really happened from the program's interpretation to make your own, which is hard because you lost a big amount of information. And you often end up using tcpdump -xX to decode and interpret what the tool missed.
Third, even programs which only decode do not give you all the information they received. The network's vision they give you is the one their author thought was sufficient. But it is not complete, and you have a bias. For instance, do you know a tool that reports the padding ?
Scapy tries to overcome those problems. It enables you to build exactly the packets you want. Even if I think stacking a 802.1q layer on top of TCP has no sense, it may have some for somebody else working on some product I don't know. Scapy has a flexible model that tries to avoid such arbitrary limits. You're free to put any value you want in any field you want, and stack them like you want. You're an adult after all.
In fact, it's like building a new tool each time, but instead of dealing with a hundred line C program, you only write 2 lines of Scapy.
After a probe (scan, traceroute, etc.) Scapy always gives you the full decoded packets from the probe, before any interpretation. That means that you can probe once and interpret many times, ask for a traceroute and look at the padding for instance.

Here are my notes on Scapy. For detailed usage examples see the link below.

  • The ls() command shows a list of all available protocols.
    • For a listing of individual protocol options and defaults, use ls(protocol). For example ls(TCP)
  • To see a list of scapy commands: lsc()
  • Packets need to be created from a header perspective:
    • Ethernet | IP | TCP/UDP | Application
    • Ether()/IP()/TCP()/Data
  • Send a layer 3 packet ICMP example: (scapy handles the ethernet frame for you)
    • pkt = IP(dst="")/ICMP()/"data")
    • send(pkt)
  • To send a layer 3 TCP packet, you must add a port.
    • pkt = IP(dst="")/TCP()/(dport=23))
  • For an easier to read format of your sent or received packet, use:
  • To add a layer 2 frame you must add the ethernet header and include the interface. Note that we are now using sendp vs send.
    • example: sendp(Ether()/IP(dst="")/ICMP()/"data", iface="eth0")
  • Sending a packet repeatedly:
    • sendp(Ether()/IP(dst="")/ICMP()/"data", iface="eth0", loop=1)
  • To add a sending interval: (Interval is seconds)
    • sendp(Ether()/IP(dst="")/ICMP()/"data", iface="eth0", inter=1)
  • So far we have only seen the sent packets. To send and receive:
    • Layer 3:
      • sr() returns answers and unanswered packets
        • sr(IP(dst="")/ICMP()/"data")
      • To see the response (or lack of)
        • response, no_response = _
        • response[0]
        • no_response[0]
        • In Python,  the "_" variable is used to store the result of the last evaluation.
      • sr1() returns only answer or sent packets (1 packet)
    • Layer 2:
      • srp()
      • srp1()
  • You can manipulate the routing table in scapy without affecting the global routing table which is useful when you have a multihomed host.
    • Show the routing table: conf.route
    • add a host route: conf.route.add(host="", gw="")
    • add a network route: conf.route.add(net="", gw="")
    • To reset scapy's routing table: conf.route.resync()
  • Packet sniffing: pkts = sniff(iface="eth0", filter="arp", count=3)
    • Allows the use of bpf (Berkely packet filters)
    • Save sniffed packets to a file: pkts = sniff(offline="offline.pcap")
    • Print packets live while sniffing:
      • pkts=sniff(iface="eth0", filter="arp", count=20, prn=lambda x: x.summary())
  • Write packets to a pcap file: wrpcap("demo.pcap", pkts)

  • Read packets from a pcap file: rdpcap("demo.pcap")

Update KB3033929 fails with error code 80004005

KB3033929, Microsoft security advisory: Availability of SHA-2 code signing support for Windows 7 and Windows Server 2008 R2: March 10, 2015

The process is the same every time:
- downloads and installs the update
- requests a restart
- before shutting down and restarting, it 'Configures Windows' for a while
- after restart, it is 'Preparing to configure Windows', gets to about 72%, reports 'Failure configuring Windows update. Reverting changes'
- restarts automatically
- 'prepares to configure Windows' once again, shows the 'Failure configuring Windows update. Reverting changes' once again
- shows the login screen

While I'm thankful for those that patch immediately on Patch Tuesday as they sound the alarm for the rest of us, it's insane for anyone who is responsible for business computers to do so. I've been in IT for going on 10 years next month, and I've never had a single issue with Microsoft updates because I don't even begin to test them until a few days after release, with the exception of exceptionally critical security updates. That gives Microsoft enough time to pull any updates that cause issues before my systems get them.

Edit: I've seen some reports of dual booting Windows/Linux systems having an issue with this update, and either unplugging the Linux drive or changing your system to only boot to Windows may fix it. I've seen reports of others that do not dual boot having a problem with this patch as well.

Rvnlord suggests the following to fix the issue on computers without a dual boot (grub):

1. Open directory where is the file mentioned in the error, in my case: "C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.18741_none_b9293c0383618646\winresume.exe"
2. Right Click on the file > Properties > Security > Advanced > Owner > (Set it to your Account) > OK
3. In previous Window: Edit > Add
4. You need to add two accounts
- "NT SERVICE\TrustedInstaller"
5. Give them both Read, Write, Execute permissions. > OK
6. Now KB3033929 which is one big nightmare should install without any problems and ask you to restart your computer afterwards.

For computers dual booting Windows and Linux using Grub, boot into Linux and turn the Linux active flag on the partition off. When you reboot you should go directly into Windows and the update should install successfully. You will have to use a Linux boot CD to turn the active flag on for the Linux partition to restore access.

Wednesday, March 11, 2015

GoToMeeting FREE

Free · No sign up · Screen sharing · Up to 3 people

I read the FAQ's and couldn't find a "catch". It did say it's experimental, so it is possible that the free offer can end in the near future.

If you've used free GoToMeeting I'd like to hear about your experience.

Using Powershell to update the hosts file on remote computers

Today I had the need to edit the hostfile on all the computers in a particular Active Directory OU.

I had previously set entries in the hosts file in a small remote office to test some system changes before rolling out the changes to everyone via DNS.

I edited my own hosts file and then ran this Powershell script to copy it to all computers in the target OU.

Import-Module ActiveDirectory
$Comps = Get-ADComputer -SearchBase 'OU=Comp,OU=OUname,DC=domainname,DC=com' -Filter '*' | Select -ExpandProperty Name
$source = "C:\Windows\System32\drivers\etc\hosts"
$path = "Windows\System32\drivers\etc\hosts"
$hamptonComps | foreach {Copy-Item $source -Destination \\$_\c$\$path}

Thursday, March 5, 2015

Kali Linux 1.1 image for Raspberry Pi 2

There has been a lot of talk around (Reddit) about Kali Linux 1.1 for the latest Raspberry Pi version 2. There were instructions around on how to build it yourself. If you want to download the official image from Offensive Security, get it here.

The image doesn't have raspi-config preinstalled. If you're not familiar, raspi-config is a configuration tool that makes it easy to expand your filesystem, overclock, activate a camera, set the hostname, and more.

To install raspi-config:

dpkg -i triggerhappy_0.3.4-2_armhf.deb
dpkg -i lua5.1_5.1.5-4+deb7u1_armhf.deb
dpkg -i raspi-config_20150131-1_all.deb

Once you've run raspi-config, expanded your filesystem and restarted, you may want to install more Kali packages as the image comes with very little preinstalled and it doesn't have the traditional Kali menu. Here's how to add Kali metapackages.

Update: I'm finding broken applications after an "apt-get install kali-linux-full". I ran "service metasploit start" and got an error "unknown service". Running "apt-get install metasploit" should fix that, even though metasploit was already in the Kali menu.