Friday 29 January 2016

Setting up a non-transitive trust with Active Directory

Forest trusts can be useful during a merger of two organizations that want to keep their existing hierarchical structures intact, or between two entities that require organizational segregation (for security purposes, for example).

A forest trust is transitive, so a trust with a forest root domain covers every child domain in that forest. An external trust, by contrast, is non-transitive and covers only the single domain it is created with.

So let's say we have two root domains (Domain A and Domain B) in two separate forests (Forest A and Forest B), and we would like to allow a user from Domain A to log on as themselves in Domain B.

Firstly we need to ensure that our domain and forest functional levels are at least Windows Server 2003, as forest trusts are not supported below that level.

It is also worth mentioning that two forests with different functional levels can share a trust (as long as the above is adhered to).

For specific port requirements for trusts please refer to the following:

https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx#w2k3tr_trust_how_knfk

There are two directions, unidirectional and bidirectional:

Unidirectional - users from one specific domain can be authenticated in the other domain.
Bidirectional - users from both domains (A and B) can be authenticated in each other's domain.

We will need to ensure that both domains can resolve each other. The easiest way to give the domain controllers in Domain B a path to Domain A's DNS zone is to create a conditional forwarder for Domain A within your existing DNS infrastructure, and vice versa for the other domain.

We will also need to ensure that the DCs in each domain can resolve each other's computer names, NOT just their FQDNs. To do this you can either use a hosts file or simply add a DNS suffix for the other domain to the suffix search list on each DC.

In this tutorial I will be setting up a unidirectional (one-way) trust so that users from Domain A can be authenticated in Domain B (i.e. Domain B trusts Domain A). On a DC in Domain A, from the Start menu go to Administrative Tools >> Active Directory Domains and Trusts (trusts are not managed from Sites and Services) >> right-click on the domain node and hit 'Properties' >> Trusts tab >> 'New Trust...' and enter the trust name (which should be the FQDN of Domain B).

We now have two options: an external trust (domain to domain, non-transitive) or a forest trust (between the two forests and, since it is transitive, all of the domains below them). We should then select a one-way incoming trust (users in this domain can be authenticated in the specified domain) and enter a trust password. We do not want to confirm the incoming trust until we have created the matching trust on the other domain, so select 'No, do not confirm the incoming trust'. Leave SID filtering enabled (it is on by default for new external and forest trusts): it discards any SIDs in a Domain A user's token that did not originate in Domain A, which is what stops a compromised Domain A injecting SIDHistory entries for Domain B's privileged groups.

Now we can hop onto a DC in Domain B and create a new trust (as before), but this time specify the FQDN of Domain A, a 'one-way: outgoing' trust (users in the specified domain can be authenticated in this domain), the same trust password you entered in the other wizard, and ensure 'Yes, confirm the outgoing trust' is selected. As this is the trusting side, the wizard also asks for the outgoing trust authentication level: 'Domain-wide authentication' lets any Domain A user authenticate to any Domain B resource, while 'Selective authentication' only allows it on computers whose objects you explicitly grant the 'Allowed to Authenticate' right on, which is the better choice when the trust exists for segregation.

Then go back to the Domain A DC, open the properties of the trust we created earlier and hit 'Validate', which will confirm the trust on this side.

There are a few useful utilities to help diagnose trust issues:

NETDOM: Used to establish, verify, reset or break trusts (netdom trust).
NETDIAG: The output of this tool gives basic status on trust relationships (a Windows 2000/2003 support tool; it is not shipped with Server 2008 and later).
NLTEST: Can be used to verify a trust relationship and the secure channel to a trusted domain (nltest /trusted_domains, nltest /sc_verify:<domain>).

Domain controller discovery process

In Active Directory Domain Services a client computer uses a process called the 'DC Locator' to firstly identify the site that it is in (by matching its IP address against the subnets associated with the sites in AD) and secondly to find an available domain controller for its domain in that site.

The site lookup is done during Windows startup (the DsGetSiteName API returns the cached site name) and is refreshed periodically.

Now when a user hits Ctrl+Alt+Del to log on to ANOTHER domain (across a trust), specific DNS queries are made to identify domain controllers of that domain that the user can authenticate against.

You can mimic the process with something like:

nslookup
set type=srv
_ldap._tcp.<Computer Site Name>._sites.dc._msdcs.<User Domain>.int

(where <Computer Site Name> is the current site name of the COMPUTER and <User Domain>.int is the domain name for the USER you are logging in with.)

If no DC of the user's domain covers the computer's site, that query returns no records, so a second query is run omitting the site portion, e.g.:

_ldap._tcp.dc._msdcs.<User Domain>.int

This returns every DC registered for that domain, and it can return many of them, which is why the locator will not always end up on the 'closest' DC for a user from another domain.
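As an added example (not code from the original posts), the trust procedure above driven from PowerShell and netdom rather than the wizard, finishing with the SRV queries the DC locator makes for a user of the other domain. Domain names, DC addresses, the trust password and the site name are placeholders; it assumes an elevated session on a DC of the side indicated in each comment, with the DnsServer and ActiveDirectory modules available.

```powershell
# Added example, not from the original posts. Assumes Domain A = domaina.int (DC 10.1.0.10)
# and Domain B = domainb.int (DC 10.2.0.10), set up as above: Domain B trusts Domain A,
# so users from A authenticate in B. Run on a DC of the side named in each comment.
$domA = 'domaina.int'; $dcA = '10.1.0.10'
$domB = 'domainb.int'; $dcB = '10.2.0.10'

# --- 1. Name resolution: a conditional forwarder on each side (DnsServer module) ---
# On a Domain A DC:
Add-DnsServerConditionalForwarderZone -Name $domB -MasterServers $dcB -ReplicationScope Forest
# On a Domain B DC:
Add-DnsServerConditionalForwarderZone -Name $domA -MasterServers $dcA -ReplicationScope Forest

# --- 2. Create the trust one side at a time (CLI equivalent of the wizard) ---
# On a Domain A DC (trusted side). /PasswordT is the shared trust password.
netdom trust $domB /Domain:$domA /Add /OneSide:trusted /PasswordT:'Tru5t-Passw0rd' `
    /UserD:"$domA\Administrator" /PasswordD:*
# On a Domain B DC (trusting side). Selective authentication limits Domain A users to
# computers they have been granted 'Allowed to Authenticate' on.
netdom trust $domB /Domain:$domA /Add /OneSide:trusting /PasswordT:'Tru5t-Passw0rd' `
    /UserO:"$domB\Administrator" /PasswordO:* /SelectiveAuth:yes

# --- 3. Verify (on a Domain B DC) ---
netdom trust $domB /Domain:$domA /Verify
nltest /trusted_domains
# SIDFilteringQuarantined should be True: without it a Domain A DC can present SIDHistory
# entries that resolve to Domain B groups.
Get-ADTrust -Filter * | Format-Table Name, Direction, TrustType, ForestTransitive,
    SIDFilteringQuarantined, SelectiveAuthentication -AutoSize

# --- 4. The DC locator lookups a Domain B computer makes for a Domain A user ---
# The site is THIS computer's site; the SRV records are looked up in the USER's domain.
function Find-DomainController {
    param([string]$UserDomain, [string]$ComputerSite)
    $queries = @(
        "_ldap._tcp.$ComputerSite._sites.dc._msdcs.$UserDomain",  # site-specific first
        "_ldap._tcp.dc._msdcs.$UserDomain"                         # fallback: every DC
    )
    foreach ($q in $queries) {
        $srv = Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if ($srv) {
            return $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
                   Select-Object @{ n = 'Query'; e = { $q } }, NameTarget, Port
        }
    }
    Write-Warning "no _ldap._tcp SRV records for $UserDomain: check the conditional forwarder"
}
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()
Find-DomainController -UserDomain $domA -ComputerSite $site
# Cross-check against the real locator:
nltest "/dsgetdc:$domA" /force
```

If step 4 only ever returns results for the second, site-less query, no DC of the other domain covers your site; that is expected across a trust, and the locator simply picks from the full list.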

Monday 25 January 2016

Wednesday 20 January 2016

Setting up SNMP on Cisco Routers / Switches

SNMP is a great way of monitoring network equipment that does not work with some modern monitoring solutions and their fancy agents. Restrict who may query it with an ACL and expose a read-only view, as below.

The process is pretty simple from the CLI:

ip access-list standard mgmt-snmp
1 permit 10.0.0.0 0.0.0.255
10 deny any log
snmp-server view SNMPView iso included
snmp-server community <community-name> view SNMPView RO mgmt-snmp
snmp-server host <remote-server> version 2c <community-name>
snmp-server enable traps snmp linkdown linkup coldstart warmstart
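SNMPv2c sends the community string in cleartext in every packet, so anyone on the management path can read it and then walk the whole read-only view. As an added example (not from the original post), the same ACL scoping with SNMPv3 authPriv instead of a community; the group name, username, passphrases and manager address (10.0.0.5) are placeholders.

```cisco
! Added example, not from the original post. SNMPv3 authPriv replaces the cleartext
! v2c community above; the ACL and view are the same ones.
ip access-list standard mgmt-snmp
 10 permit 10.0.0.0 0.0.0.255
 20 deny   any log
!
snmp-server view SNMPView iso included
! Read-only group that requires both authentication and encryption (priv)
snmp-server group MONITOR v3 priv read SNMPView access mgmt-snmp
! The passphrases are localised into keys on the device and never appear in the
! running-config ('show snmp user' lists the user but not the secrets), so record
! them in your secrets store rather than in a config backup.
snmp-server user monitor MONITOR v3 auth sha Auth-Passphrase-1 priv aes 128 Priv-Passphrase-1 access mgmt-snmp
!
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 10.0.0.5 version 3 priv monitor
!
! Once the manager has been migrated, remove the v2c community so the plaintext path is gone
no snmp-server community <community-name>
```

Verify with 'show snmp user' and 'show snmp group' on the device, and from the manager with an authPriv walk; a v2c walk against the old community should now fail.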

Monday 18 January 2016

Setting up and configuring Varnish Cache as a reverse proxy

** I will be using Debian Jessie for this tutorial **

We should firstly install the relevant packages we will require:

sudo apt-get update && sudo apt-get install apt-transport-https
curl -fsSL https://repo.varnish-cache.org/GPG-key.txt | sudo apt-key add -
echo "deb https://repo.varnish-cache.org/debian/ jessie varnish-4.1" | sudo tee /etc/apt/sources.list.d/varnish-cache.list
sudo apt-get update
sudo apt-get install varnish libvarnishapi-dev build-essential libmicrohttpd-dev pkg-config libcurl4-openssl-dev autogen dh-autoreconf libmicrohttpd-dbg

We can now unmask the service:

sudo systemctl unmask varnish.service

and then check that the service is running (start it with 'sudo service varnish start' if it is not):

sudo service varnish status

Varnish will bind to two ports by default:

Port 6081: Client / proxy access
Port 6082: Management interface (CLI), bound to loopback only and authenticated with the shared secret in /etc/varnish/secret

Accessing <your-ip-address>:6081 should return something like:

Error 503 Backend fetch failed

You can edit any default startup options (i.e. ports etc.) by editing:

sudo vi /etc/default/varnish

and we can then grab 'Varnish Agent 2' (vagent2, the REST/HTML front-end for the management interface) from GitHub:

https://github.com/varnish/vagent2

and compile and install with:

./autogen.sh
./configure
make
sudo make install

We then want to run the varnish agent in the foreground (the -d argument; drop it in future so it daemonises) to easily debug any initial errors:

sudo /usr/local/bin/varnish-agent -d

(You might see it complaining about not being able to connect to VAC - the enterprise control panel - don't worry about this unless you are using the paid version of Varnish)

And then attempt to access the varnish agent GUI with:

http://<your-ip-address>:6085/html

The agent listens on all interfaces and is protected only by HTTP basic auth with the user:password pair in /etc/varnish/agent_secret (or the file passed with -K), and whoever reaches it can change the running VCL, so firewall 6085 to your management network rather than leaving it reachable alongside 6081.

We can now edit the default VCL and configure it to act as a reverse proxy to a webserver running somewhere else (Varnish 4.x requires the file to start with a 'vcl 4.0;' declaration):

sudo vi /etc/varnish/default.vcl

vcl 4.0;

backend default {
    .host = "10.11.12.12";
    .port = "8080";
}

** The VCL tutorial for the 2.1 series (https://www.varnish-cache.org/docs/2.1/tutorial/vcl.html) explains the basics of the Varnish Configuration Language, but the syntax changed in 4.0, so use the 4.1 documentation at https://www.varnish-cache.org/docs/4.1/ for the version installed here **
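A bare backend definition caches everything and lets anyone send PURGE. As an added example (not from the original post or the Varnish project), a default.vcl for 4.1 that restricts purging to an admin network, keeps authenticated responses out of the cache and stops caching backend errors; the backend address is the one above and the 10.0.0.0/24 admin network is assumed.

```vcl
# Added example, not from the original post or the Varnish project. Assumes the
# backend above (10.11.12.12:8080) and an admin network of 10.0.0.0/24.
vcl 4.0;

backend default {
    .host = "10.11.12.12";
    .port = "8080";
    .probe = {                 # mark the backend sick instead of serving 503s for every hit
        .url = "/";
        .interval = 5s;
        .timeout = 1s;
        .window = 5;
        .threshold = 3;
    }
}

acl purgers {                  # the only sources allowed to invalidate cached objects
    "localhost";
    "10.0.0.0"/24;
}

sub vcl_recv {
    # PURGE from anywhere else is a trivial cache-busting DoS against the backend.
    if (req.method == "PURGE") {
        if (!client.ip ~ purgers) {
            return (synth(405, "PURGE not allowed"));
        }
        return (purge);
    }
    # Only cache anonymous GET/HEAD; anything carrying credentials goes straight to
    # the backend so one user's personalised response is never served to another.
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }
    if (req.http.Authorization || req.http.Cookie) {
        return (pass);
    }
}

sub vcl_backend_response {
    if (beresp.status >= 500) {   # never cache backend errors
        set beresp.uncacheable = true;
        set beresp.ttl = 0s;
    }
}

sub vcl_deliver {
    unset resp.http.X-Varnish;    # do not advertise the caching layer to clients
}
```

Check the file with 'varnishd -C -f /etc/varnish/default.vcl' before reloading; a syntax error in a loaded VCL leaves the old one running, which is easy to miss.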



Setting up PostgreSQL on Debian Jessie



Firstly we install the server and client with:
apt-get install postgresql postgresql-client
Now switch to the 'postgres' user and launch the psql shell:
sudo -i -u postgres
psql
We can exit the shell by typing:
\q
and then pressing enter ('exit' and 'quit' only work in psql 11 and later).

In order to create a new user we should run a command (as the postgres user) directly from bash:
createuser --interactive
e.g.
createuser --interactive
Enter name of role to add (the username): myuser
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) n
and to set a password issue:
psql
ALTER USER myuser WITH PASSWORD 'mystrongpassword';
(this leaves the password in ~/.psql_history; the \password myuser meta-command prompts for it instead and sends it already hashed.)
And now to create a new database we can issue:
createdb mydatabase
and to grant permissions to a user for a specific database we can use something like:
GRANT ALL PRIVILEGES ON DATABASE mydatabase TO myuser;
Note that this only grants CONNECT, CREATE and TEMP on the database object itself; rights on the tables inside it are granted separately, or come with ownership (createdb -O myuser mydatabase).
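The GRANT above is the usual source of "permission denied for relation" surprises, because database-level privileges say nothing about tables. As an added example (not from the original post), a least-privilege layout for the same role and database plus a read-only reporting role; run it as the postgres superuser with 'sudo -u postgres psql -f file.sql'. The 'reporting' role and both passwords are placeholders.

```sql
-- Added example, not from the original post. Same role/database names as above;
-- run as the postgres superuser (sudo -u postgres psql -f this_file.sql).
-- GRANT ALL PRIVILEGES ON DATABASE only grants CONNECT, CREATE and TEMP on the
-- database object itself; it gives no access to the tables inside it.

CREATE ROLE myuser LOGIN PASSWORD 'mystrongpassword';
CREATE DATABASE mydatabase OWNER myuser;        -- the owner needs no further GRANT

-- CONNECT is granted to PUBLIC by default: any role in the cluster could otherwise
-- open this database (and, before PostgreSQL 15, create tables in 'public').
REVOKE CONNECT ON DATABASE mydatabase FROM PUBLIC;

-- A read-only role for reporting, covering existing and future tables in 'public'.
CREATE ROLE reporting LOGIN PASSWORD 'anotherstrongpassword';
GRANT CONNECT ON DATABASE mydatabase TO reporting;

\c mydatabase
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO reporting;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO reporting;
ALTER DEFAULT PRIVILEGES FOR ROLE myuser IN SCHEMA public
    GRANT SELECT ON TABLES TO reporting;

-- Check what each role ended up with.
\l mydatabase
\dn+ public
```

The ALTER DEFAULT PRIVILEGES line is what keeps the reporting role working after myuser creates new tables; without it every new table needs a fresh GRANT.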

Thursday 14 January 2016

Take ownership of folder recursively without losing NTFS permissions

If you are not careful when taking ownership of files you can easily strip the NTFS permissions of the files and folders inside!

The easiest way to take ownership recursively (and retain the existing permissions!) is to issue the following command:
TAKEOWN /A /R /F D:\FolderName
Ensure you answer 'N' when it asks whether to grant you permission to access folders it cannot list, otherwise the permissions on those will be overwritten!

In order to add yourself (or the Administrators group) permissions to access the folder and files we should issue something like (psexec -s runs the shell as SYSTEM, which can read everything regardless of the current ACL):

psexec -i -s cmd.exe
icacls "D:\RoamingProfiles" /t /c /GRANT "Domain Admins":(OI)(CI)F

F= Full Control
CI= Container Inherit - This flag indicates that subordinate containers will inherit this ACE.
OI= Object Inherit - This flag indicates that subordinate files will inherit the ACE.
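Before touching ownership on a profile share it is worth having a copy of every ACL, because icacls can restore them if the takeown prompt is answered the wrong way. As an added example (not from the original post), the same procedure with a backup first, the prompt answered non-interactively and a check at the end; the paths and group name are the ones above, and it assumes an elevated PowerShell session (or the SYSTEM shell from psexec).

```powershell
# Added example, not from the original post. Assumes D:\RoamingProfiles as above and an
# elevated session; C:\acl-backup is an assumed location for the ACL snapshot.
$target = 'D:\RoamingProfiles'
$backup = "C:\acl-backup\$(Get-Date -Format yyyyMMdd-HHmmss).acl"
New-Item -ItemType Directory -Force -Path (Split-Path $backup) | Out-Null

# 1. Snapshot every DACL first so a mistake is reversible with icacls /restore.
icacls $target /save $backup /t /c

# 2. Take ownership for the Administrators group. /D N answers the 'list folder'
#    prompt with N so folders we cannot enumerate are skipped rather than rewritten.
takeown /A /R /F $target /D N

# 3. Add an inherited full-control ACE for Domain Admins, leaving existing ACEs alone
#    (/grant adds; /grant:r would replace and /reset would wipe them).
icacls $target /t /c /grant 'Domain Admins:(OI)(CI)F'

# 4. Verify the owner and that the new ACE reached the subtree.
Get-Acl $target | Select-Object Owner, @{ n = 'Access'; e = { $_.AccessToString } }
icacls $target /findsid 'Domain Admins' /t /c | Select-Object -First 5

# Roll back if needed. Saved paths are relative to the folder's parent, so restore
# from D:\ rather than from the folder itself:
# icacls D:\ /restore $backup /c
```

Run the /findsid line again after a few minutes on a busy share: profile folders created in between will have inherited the ACE, which is the point of (OI)(CI).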

4.3.2 The maximum number of concurrent connections has exceeded a limit, closing transmission channel

This error cropped up in the protocol log for an external (internet-facing) receive connector.

The receive connector this was happening on was receiving traffic solely from a smarthost and hence typically would have a fair number of connections originating from a single source.

To remediate this try:
Get-ReceiveConnector "your-connector" | FL *MaxInbound*
and changing to something like:
Set-ReceiveConnector "your-connector" -MaxInboundConnection 5000 -MaxInboundConnectionPerSource 500 -MaxInboundConnectionPercentagePerSource 20

Wednesday 13 January 2016

Locate a specific existing or deleted mail item with the Search-Mailbox cmdlet

The below is an example of how you can search for mail items within a mailbox database:
Get-Mailbox -Database VIP -ResultSize Unlimited | Search-Mailbox -TargetMailbox AdminSearchMailbox -TargetFolder "Search Results" -SearchQuery {Subject:"Your Subject" AND From:"user@domain.com" AND Sent:"20/01/2016"} -LogOnly -LogLevel Full -SearchDumpster
** Where AdminSearchMailbox is the mailbox you want the results delivered to. Search-Mailbox needs the 'Mailbox Search' role (assigned via the Discovery Management role group), and every run is recorded in the admin audit log **

The addition of 'SearchDumpster' allows you to search for deleted items that are recoverable.

Once you have identified the mail you want you can then re-run the command - this time excluding the '-LogOnly' switch. This will prompt Exchange to copy all of found message(s) to a folder within the target mailbox.
Get-Mailbox -Database VIP -ResultSize Unlimited | Search-Mailbox -TargetMailbox AdminSearchMailbox -TargetFolder "Search Results" -SearchQuery {Subject:"Your Subject" AND From:"user@domain.com" AND Sent:"20/01/2016"} -LogLevel Full -SearchDumpster

Tuesday 12 January 2016

Tarpit for 'XX:XX:xx' due to 'DelayedAck',Delivered

The following message cropped up in the protocol logs for a receive connector (this was checked due to mail taking around 30 seconds to connect during the SMTP process!)

2015-12-14T17:01:41.664Z,IRIS\ExternalServer,08D304A743990E3E,24,10.0.2.40:25,10.0.2.24:1200,<,RCPT TO:<user@domain.com>,
2015-12-14T17:01:41.664Z,IRIS\ExternalServer,08D304A743990E3E,25,10.0.2.40:25,10.0.2.24:1200,>,250 2.1.5 Recipient OK,
2015-12-14T17:01:41.664Z,IRIS\ExternalServer,08D304A743990E3E,26,10.0.2.40:25,10.0.2.24:1200,<,DATA,
2015-12-14T17:01:41.664Z,IRIS\ExternalServer,08D304A743990E3E,27,10.0.2.40:25,10.0.2.24:1200,>,354 Start mail input; end with <CRLF>.<CRLF>,
2015-12-14T17:01:48.809Z,IRIS\ExternalServer,08D304A743990E3E,28,10.0.2.40:25,10.0.2.24:1200,*,Tarpit for '0.00:00:06.988' due to 'DelayedAck',Delivered

It turns out that this is a built-in default (the tarpit) that Exchange applies to receive connectors to slow down spam and directory-harvest attempts, and MaxAcknowledgementDelay is the shadow redundancy 'delayed acknowledgement': when a message arrives from a non-Exchange server, the 250 OK after DATA is held back (up to 30 seconds by default) until the message has been delivered or handed to the next hop, so the sender still has its copy if this server fails in between.

To verify your existing settings issue:
Get-ReceiveConnector | select name,maxacknowledgementdelay,tarpitinterval 
To amend your current setting issue the following. Zeroing both on an internet-facing connector removes the delay that slows down password guessing and address harvesting for everyone, so do it on a connector scoped to the smarthost's IP (via RemoteIPRanges) rather than on the catch-all one:
Set-receiveconnector "myrecieveconnector" -tarpitinterval 00:00:00
Set-receiveconnector "myrecieveconnector" -maxacknowledgementdelay 0
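As an added example (not from the original post), the scoped version of that fix: a dedicated receive connector that only the smarthost can land on, with the delays and the per-source connection caps from the 4.3.2 post above relaxed there and nowhere else. The connector name, smarthost address and Exchange version assumptions are placeholders; run it in the Exchange Management Shell.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell,
# a smarthost at 10.0.2.24 and the internet-facing connector seen in the log above
# ('ExternalServer'); names and addresses are placeholders.
$smarthost = '10.0.2.24'

# A connector reachable only from the smarthost. Exchange hands a session to the
# connector whose RemoteIPRanges matches the source most specifically, so this one
# wins over the catch-all 0.0.0.0-255.255.255.255 on the internet-facing connector.
# On Exchange 2013 and later add -TransportRole FrontendTransport.
New-ReceiveConnector -Name 'Smarthost Inbound' -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $smarthost `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# Relax the delays and per-source caps only where that traffic is expected.
Set-ReceiveConnector 'Smarthost Inbound' `
    -TarpitInterval '00:00:00' -MaxAcknowledgementDelay '00:00:00' `
    -MaxInboundConnection 5000 -MaxInboundConnectionPerSource 500 `
    -MaxInboundConnectionPercentagePerSource 20

# The internet-facing connector keeps its defaults (5 s tarpit, 30 s delayed ack):
# that delay is what slows down directory-harvest and password-guessing attempts
# from everyone who is not the smarthost.
Get-ReceiveConnector | Format-Table Name, RemoteIPRanges, TarpitInterval,
    MaxAcknowledgementDelay, MaxInboundConnectionPerSource -AutoSize
```

After the next delivery from the smarthost, the session lines in the protocol log should name 'Smarthost Inbound' instead of 'ExternalServer'; if they still show the old connector, the RemoteIPRanges value does not match the address the smarthost actually connects from.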

Saturday 9 January 2016

How to find out your PPPoA username and password for Sky Broadband / SR102

After purchasing a new ADSL modem I firstly rang Sky for my PPPoA settings (most of which were already readily available online, with the exception of the username/password of course), but unfortunately they simply said that due to policy they are unable to provide the username/password since it's not 'officially' supported on any other devices.

So this tutorial will explain the process of capturing that information:

For this tutorial we will need Wireshark; it's pretty simple too.

So firstly get Wireshark loaded up and start a capture on the interface connected to the router, then log in to your Sky router >> Maintenance >> Diagnostics >> Reboot Router.

Now after the router has come back up we want to stop the packet capture and inspect the DHCP packets, specifically the Discover process.

To view the relevant traffic quickly we can use the following filter in Wireshark:

bootp

Inspect one of the DHCP Discover packets and expand 'Bootstrap Protocol', then look for Option 61 (Client Identifier) in the property view; now right-click on it and go to Copy > As Plain Text and you should end up with something like:

=cj57fj8Lpod1@skydsl|af83kfop

Remove the '=' and split on the '|' and you should end up with something like:

cj57fj8Lpod1 af83kfop

The first part is your username and the second part your password! Note what this implies: the router broadcasts the credentials in the clear on the LAN every time it boots, so anyone with a port on that network can capture them the same way.

Full credit to the following post for sharing this method:

http://www.skyuser.co.uk/forum/sky-router/55168-extract-username-password-sr102.html

Friday 8 January 2016

TFTP Open Timeout and Cisco Woes

The dreaded 'TFTP Open Timeout'. I encountered this while configuring PXE on a Cisco router. This message usually occurs because either the TFTP server is inaccessible / incorrect or the boot image can't be retrieved / is incorrectly specified.

After a bit of googling I came across a lot of threads claiming this could be due to a UDP port overlap with services such as DNS hosted on the same server, although in my case the DNS server was hosted elsewhere, so I could easily rule this one out.

I decided to manually connect to the TFTP service from my Linux box with something like:

apt-get install tftp
tftp 1.2.3.4
> mode binary
> get boot\x64\wdsnbp.com

Since I could successfully download this manually, I suspected it was establishing a connection OK and that the problem was something a little deeper in WDS.

So we can enable WDS client debugging with the following:

WDSUTIL /Set-Server /WDSClientLogging /Enabled:Yes
WDSUTIL /Set-Server /WDSClientLogging /LoggingLevel:info

We should now review the Event Log (Windows Logs\Applications and Services Logs\Microsoft\Windows\Deployment-Services-Diagnostics) for any warning / errors that might be of interest.

Unfortunately I did not see anything interesting here (apart from the manual attempts I'd made via the tftp client).

So the next step was to do a packet capture using something like Wireshark, tcpdump etc.

So firstly download a tool called 'DHCPTest' (http://blog.thecybershadow.net/2013/01/10/dhcp-test-client/) that will show you all of the DHCP options the DHCP server is presenting you.

Now before running 'DHCPTest' ensure that you have Wireshark capturing traffic on the relevant interface on a client machine. Run DHCPTest and then filter the traffic with something like:

bootp

I noticed that the TFTP Server Name (Option 66) was '\n' (which I presumed was a line break), which I found rather odd as it had been defined within the DHCP scope on the router (option 66 ip 1.2.3.4). The reason is that option 66 is defined as a string (RFC 2132), so 'option 66 ip' puts four raw address bytes into a field the PXE client reads as text.


So I decided instead to change the line on the cisco router to something like:

ip dhcp pool vlanXX
option 66 ascii 1.2.3.4

Although frustratingly this time after reviewing the capture I didn't even see option 66 being advertised.

After pulling my hair out for a few hours I came across some documentation referring to the 'next-server' variable. It turns out that for PXE the TFTP server should be given with 'next-server' rather than option 66: next-server populates the siaddr field of the BOOTP header, which is where the PXE ROM looks for the boot server, e.g.:

ip dhcp pool vlanXX
 next-server 1.2.3.4
 option 67 ascii boot\x64\wdsnbp.com

Option 67 can also be given with the 'bootfile' variable (which fills the BOOTP 'file' header field instead of an option); either works, unlike 'option 66' with an ip value!

I restarted the PXE boot and it went through perfectly - at last!
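Both the Sky PPPoA post and this one end up reading BOOTP/DHCP fields by hand in Wireshark. As an added example (not code from either post), a small decoder that does the same thing from a packet: it walks the option TLVs, pulls the 'user|password' pair out of option 61, and resolves the TFTP server and boot file the way a PXE ROM does (option 66, then the sname field, then siaddr from next-server), flagging an option 66 that holds raw address bytes rather than a string. The sample packets are constructed in the file, not captured, and the credentials, addresses and file name are placeholders taken from the two posts.

```python
# Added example, not from the original posts: a small BOOTP/DHCP decoder that does
# by code what the two Wireshark walkthroughs above do by hand. Sample packets are
# constructed here (build_packet), not captured; the credentials are placeholders.
import string

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_TFTP_SERVER, OPT_BOOTFILE = 53, 61, 66, 67
HOSTNAME_CHARS = set(string.ascii_letters + string.digits + ".-_")


def parse_options(data):
    """Option TLVs after the magic cookie -> {code: bytes}; repeats concatenated (RFC 3396)."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("option %d has no length by<br>te" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:            # refuse truncated/malformed packets
            raise ValueError("option %d runs past end of packet" % code)
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def _cstring(field):
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_bootp(packet):
    """Fixed BOOTP header fields a PXE ROM uses, plus the parsed options."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (no magic cookie)")
    return {
        "op": packet[0],
        "siaddr": ".".join(str(b) for b in packet[20:24]),  # set by IOS 'next-server'
        "sname": _cstring(packet[44:108]),
        "file": _cstring(packet[108:236]),                   # set by IOS 'bootfile'
        "options": parse_options(packet[240:]),
    }


def sky_pppoa_credentials(options):
    """Split an SR102 option 61 value of the form '[=]user@realm|password'."""
    raw = options.get(OPT_CLIENT_ID)
    if raw is None:
        raise ValueError("no client identifier (option 61) in packet")
    user, sep, password = raw.decode("ascii", errors="replace").lstrip("=").partition("|")
    if not sep:
        raise ValueError("client identifier is not in user|password form")
    return user, password


def pxe_boot_parameters(parsed):
    """Resolve TFTP server and boot file in the order a PXE ROM looks for them."""
    opts, warnings, tftp = parsed["options"], [], None
    raw66 = opts.get(OPT_TFTP_SERVER)
    if raw66 is not None:
        text = raw66.decode("ascii", errors="replace")
        if text and all(c in HOSTNAME_CHARS for c in text):
            tftp = text
        else:  # what 'option 66 ip 1.2.3.4' on IOS emits: 4 raw bytes, not a string
            warnings.append("option 66 is not a hostname/IP string: %r" % raw66)
    if tftp is None and parsed["sname"]:
        tftp = parsed["sname"]
    if tftp is None and parsed["siaddr"] != "0.0.0.0":
        tftp = parsed["siaddr"]
    raw67 = opts.get(OPT_BOOTFILE)
    bootfile = raw67.decode("ascii", errors="replace") if raw67 else (parsed["file"] or None)
    return {"tftp_server": tftp, "bootfile": bootfile, "warnings": warnings}


def build_packet(op, siaddr="0.0.0.0", sname="", file="", options=()):
    """Assemble a minimal DHCP packet (constructed test input, not a capture)."""
    header = bytearray(236)
    header[0], header[1], header[2] = op, 1, 6           # op, htype=Ethernet, hlen
    header[20:24] = bytes(int(x) for x in siaddr.split("."))
    header[44:44 + len(sname)] = sname.encode()
    header[108:108 + len(file)] = file.encode()
    body = bytearray()
    for code, value in options:
        body += bytes([code, len(value)]) + value
    body.append(OPT_END)
    return bytes(header) + DHCP_MAGIC_COOKIE + bytes(body)


# Constructed samples: the SR102 discover, a router offer built with 'option 66 ip',
# and the working offer that uses next-server plus option 67.
BOOTFILE = b"boot\\x64\\wdsnbp.com"
SR102_DISCOVER = build_packet(1, options=[(OPT_MSG_TYPE, b"\x01"),
                                          (OPT_CLIENT_ID, b"=cj57fj8Lpod1@skydsl|af83kfop")])
OFFER_OPTION66_IP = build_packet(2, options=[(OPT_MSG_TYPE, b"\x02"),
                                             (OPT_TFTP_SERVER, bytes([1, 2, 3, 4])),
                                             (OPT_BOOTFILE, BOOTFILE)])
OFFER_NEXT_SERVER = build_packet(2, siaddr="1.2.3.4",
                                 options=[(OPT_MSG_TYPE, b"\x02"), (OPT_BOOTFILE, BOOTFILE)])
```

The username is kept as everything before the '|', including the @skydsl realm, so drop the suffix yourself if your modem wants the bare name. To run it against a real capture, export the DHCP payload from Wireshark (right-click the Bootstrap Protocol line, Export Packet Bytes) and pass the bytes to parse_bootp.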

Tuesday 5 January 2016

Setting up an OpenWRT / ADSL connection with the TP-Link TL-WR710N and Thomson SpeedTouch 330

As a kind of learning exercise, and to jump into OpenWRT, I decided to replace my existing Sky Hub router / modem: the plan was to install OpenWRT on a TP-Link TL-WR710N and hook it up to a Thomson SpeedTouch 330.

The idea is that the TL-WR710N (around 12 GBP) acts as the router and is connected directly to the SpeedTouch 330 (around 4 GBP on eBay), which acts as the modem, since the TL-WR710N has a free USB port available.

OpenWRT was a new area for me; my understanding was that it is built on the Linux kernel and typically intended for embedded devices.

Referring to the following article on the OpenWRT website, most of the models (excluding the Chinese version) should run OpenWRT just fine.

After research I also noted that (depending on version) at least 4MB of flash (ideally 8MB+ if you want to add extra functionality to the box) and at least 32MB of RAM are needed for the latest version of OpenWRT.

Now firstly since I had purchased the device through Amazon.co.uk I was unsure of the version (versions described here) - although thankfully TP-Link provide guidance on how to identify which version your model is here.

Unfortunately I drew the short straw and ended up with 4MB flash (2.0) version (ah well..!)

After plugging in the device and letting it boot (a solid green light should illuminate when it has finished booting) I got hold of a standard patch cable and plugged my computer directly into the router's LAN port.

Presuming the router is fresh out of the box you should get a DHCP lease from 192.168.0.0/24; now navigate to http://192.168.0.254 (admin/admin for login) and load the OpenWRT firmware by going to:

System >> Upgrade Firmware >> Select your firmware

After 60 or so seconds the firmware should have been successfully applied and the device should have rebooted.

Now we will need to re-configure the TCP/IP settings on our computer as OpenWRT uses 192.168.1.0/24. Once re-configured attempt to ping 192.168.1.1; if all looks good use a telnet client (e.g. PuTTY) to connect to 192.168.1.1. You should see a welcome message; change your password as follows (setting the root password is also what disables the unauthenticated telnet service and enables SSH):

passwd

Disconnect from your telnet session and then attempt to connect via SSH to the device:

Username: root
Password: <yourpassword>

Now we can review our interface settings by inspecting the following files:

vi /etc/config/network
vi /etc/config/wireless

In order to enable WiFi we must firstly comment out (or change the 1 to a 0) the following line in the /etc/config/wireless file:

option disabled 1

and restart networking:

/etc/init.d/network restart

You should now see a SSID named 'OpenWRT' - after connecting you should be served up an IP address over DHCP (this scope is defined in /etc/config/network)

Now you will also likely want to set up some kind of encryption - ideally something like WPA2-PSK:

vi /etc/config/wireless

Now the specific line we are after is: 'option encryption' under the wifi-iface section.

Although in order to setup WPA we require one of several possible packages - although for simplicity and file size I recommend the wpad-mini package - this can be installed with:

opkg update
opkg install wpad-mini

Although because this requires an internet connection we must plug the other ethernet port on our device (the one labelled 'LAN / WAN') into another router connected to the internet (you could also download the packages required above manually.)

This was pretty painless - after plugging into my existing router and getting an address I could ping 8.8.8.8 - so now we can attempt to download those packages again:

opkg update
opkg install wpad-mini

Now we can edit the wireless file and replace / add where necessary (psk2 is WPA2-PSK; plain psk is the older WPA-PSK, so it is not what we asked for above):

vi /etc/config/wireless

option encryption psk2
option key yourpassword

and then restart networking (the init script is 'network', not 'networking'; the 'wifi' command on its own also reloads the wireless config):

/etc/init.d/network restart

* You can also make changes using the 'uci set xxxxxx' command *

You might also want to set up public nameservers for any public DNS queries; this can be done pretty easily by editing:

vi /etc/dnsmasq.conf

and adding the lines:

server=8.8.8.8
server=8.8.4.4

Now we will need a final few packages for our ADSL modem:

opkg install kmod-atm kmod-usb-atm-speedtouch kmod-usb-uhci

We can now unplug the cable going into our main router as it's no longer needed.

Now the next part (coming soon) will be configuring the Thompson SpeedTouch modem and ATM.

Monday 4 January 2016

Quickly mount a windows share on a linux host

I typically run my hypervisor on Linux, so quite often I find the need to copy files from Windows guests onto my Linux host.

To quickly get access - simply create a standard SMB fileshare on your windows box and ensure the correct permissions are set.

On the linux host we can do something like (mount.cifs will prompt for the password since none is given on the command line; note that file_mode/dir_mode 0777 makes everything under the mount point world-writable to local users):
sudo apt-get install cifs-utils
sudo mkdir /media/myfileshare
sudo mount -t cifs //mywindowshost/myshare /media/myfileshare -o username=myusername,domain=domain.com,iocharset=utf8,file_mode=0777,dir_mode=0777
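Putting 'password=' on that command line would leave the password in shell history and visible in 'ps' to every local user, and the 0777 modes expose the share contents to everyone on the host. As an added example (not from the original post), a small script that writes a root-only credentials file and mounts with the files owned by the invoking user; the host, share, user, domain and credentials path are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Keeps the SMB password in a root-only
# credentials file instead of on the mount command line, where it would be visible in
# shell history and in 'ps' to every local user. Host, share, user and domain names
# are the placeholders used above; /root/.smbcredentials is an assumed path.
set -eu

# write_cifs_credentials FILE USER PASSWORD DOMAIN   (mount.cifs 'credentials=' format)
write_cifs_credentials() {
    ( umask 077                      # created 0600 from the outset, never briefly readable
      printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$1" )
    chmod 600 "$1"
}

# cifs_mount_options CREDFILE UID GID -> option string with per-user ownership
# instead of the world-writable file_mode=0777 used above.
cifs_mount_options() {
    printf 'credentials=%s,iocharset=utf8,uid=%s,gid=%s,file_mode=0640,dir_mode=0750' "$1" "$2" "$3"
}

# mount_cifs_share SHARE MOUNTPOINT CREDFILE   (needs root; files owned by the sudo caller)
mount_cifs_share() {
    mkdir -p "$2"
    mount -t cifs "$1" "$2" \
        -o "$(cifs_mount_options "$3" "${SUDO_UID:-$(id -u)}" "${SUDO_GID:-$(id -g)}")"
}

if [ "${1:-}" = "mount" ]; then        # e.g.  sudo sh cifs-mount.sh mount
    write_cifs_credentials /root/.smbcredentials myusername 'S3cretPassw0rd' domain.com
    mount_cifs_share //mywindowshost/myshare /media/myfileshare /root/.smbcredentials
fi
```

The same credentials file can be referenced from /etc/fstab ('credentials=/root/.smbcredentials' in the options column), which keeps the password out of fstab too.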