


June 2010 Newsletter


TrueSec

News and Geek Stuff

June 2010

We’ve been busy presenting at both MMS in Las Vegas late April and last week at TechEd in New Orleans. It’s a privilege and honor to be invited to present at those events and as always very inspiring.

“Authentication & Passwords: The Good, the Bad and the Really Ugly”, the highest rated session at TechEd, and possibly the most important one, was held by Marcus Murray, our MVP in Security. His session is available at http://www.msteched.com/2010/NorthAmerica/SIA338 for viewing. If you attended and would like to get more of Marcus, then sign up for his class “Hacking the Windows Platform” in New York, August 10-12.

Deployment Fundamentals, the one and only book in the market covering deployment of Windows 7 using MDT 2010 Lite Touch, is now available at www.amazon.com

Both Johan Arwidmark and Mikael Nystrom ran sessions at TechEd covering deployment with Zero Touch and Lite Touch. Our sessions are posted at http://www.msteched.com




Outside the box thinking - Or when the standard deployment tools weren't cool enough

Hey fellow deployment friends, this is Johan Arwidmark back at the office after a few “exciting” weeks on the battlefield of Windows deployment. Some of you may have seen my latest blog posts on deployvista.com and wondered where in the world they came down from… Well, here is the full story...

The week before TechEd in New Orleans I had to go onsite to a customer outside Boston. The mission was to assist them in deploying Windows Embedded to some 800 Wyse terminals they got as part of acquiring another company. The company was already using MDT 2010 to deploy their normal Windows clients, so their immediate question was, “Well, rather than use the existing Linux-based Wyse deployment solution, wouldn't it be possible to deploy these machines using MDT 2010?”

“Absolutely” was my immediate response - which I regretted later - but in my defense I actually had deployed embedded devices using MDT in the past with great success, even though the solutions do not officially support it.

That being said, we took one of the devices and tried to boot Windows PE 3.0 on it… It immediately froze to a dead stop; tried again, same result. We spent a few hours upgrading drivers and firmware and checking BIOS settings – nothing helped. The machine was ACPI 2.0 compliant, had 1 GB of memory and should support Windows PE 3.0 fine. It didn’t. We tried Windows PE 2.1 and Windows PE 2.0; the machine still halted… We then downloaded Windows PE 1.6 (2005), which the machine happily booted from… At last some success, finally.

Now came the next problem: we had figured out we could use Windows PE 1.6 to apply the image to the machine, but Windows Deployment Services in Windows Server 2008 R2 doesn’t support Windows PE 1.6, so we couldn’t PXE boot it… Or so we thought – after spending the next 12 hours investigating what made Windows PE 1.6 tick, we discovered a way to actually PXE boot it on Windows Server 2008 R2. By adding another boot menu to WDS we could provide the exact parameters Windows PE 2005 needed for a PXE boot. That research led to the following “outside-the-box thinking” blog posts… Hope you will find them interesting…

/ Johan

The posts…

Adding a boot menu to Windows Server 2008 R2 WDS
http://www.deployvista.com/Home/tabid/36/EntryID/126/language/en-US/Default.aspx

How to boot WinPE 2005 (WinPE 1.6) from WDS in Windows Server 2008 R2
http://www.deployvista.com/Home/tabid/36/EntryID/141/language/sv-SE/Default.aspx

How to create a custom WinPE 2005 SDI image
http://www.myitforum.com/articles/8/view.asp?id=8832

Reducing WinPE 2005 size (Step 4 in the below article)
http://www.deployvista.com/Blog/JohanArwidmark/tabid/78/EntryID/20/language/en-US/Default.aspx




Hyper-V and snapshots, you know the nice part, here is the ugly stuff

I do OS deployment for both servers and clients, and I also do virtualization. At MMS 2010 in Las Vegas, I was scheduled to run a session on “OS Deployment for ordinary administrators”. About 18 hours before my session, Michael Niehaus from Microsoft, one of the brains behind BDD/MDT, showed up in our booth asking me the following:

- Hey Mike, we have a speaker stuck in Europe, he was supposed to run a session on Server deployment in conjunction with SCCM, SCVMM, OpsMgr and Datacenter solution, and the only one we believe can do that kind of session is you? Can you?
- Well, if Johan Arwidmark can take my session I can take it. Is there anything prepared, like slides or demos?
- No, but you have 18 hours to build a datacenter on whatever you have here.

Of course I said yes, so I spent 17 hours building a datacenter on two HP 8510w and I did do the session.

Anyway, that means that I do deploy server farms from time to time with Hyper-V as a platform, and there is this one thing that everyone I have met so far did not realize before I told them, and that is the behavior of snapshots. Let me explain this.

So, you have a Hyper-V host, everything is great, no problem so far. One day you receive an update that needs to be applied to one or more of the guests, it could also be a change in the configuration, so you decide to use the snapshot feature. So you right-click the machine and you do your snapshot, done!

Now, with a snapshot as protection you proceed with the update/modification. You test the stuff and it works, but to be sure you keep on running using the snapshot. After a week, you delete the snapshot since you don’t need it anymore and it is a bad thing to run a production environment on snapshot disks (snapshot disks are dynamic and can/will grow over time with the risk of the OS running out of space, which is really ugly when it happens; besides the ugly part, it is slower too).

Now comes the interesting part: even if you don’t seem to have any snapshots you will still have the system running on the snapshot disk, and there is a very simple explanation for this. To be able to stop running on the snapshot disk, you need to merge the differencing disk (the snapshot disk behaves like a diff disk) with the original disk, but that cannot be done while the VM is running. The merge process will occur when the VM is turned off! Not before. So be aware, it could take a day or two just to merge the disk if you turn off the VM.

Check my blog for more details on this: http://itbloggen.se/cs/blogs/micke/archive/2008/09/20/like-snapshots-in-hyper-v-please-read-this.aspx

And yes, here are some really important KBs for Hyper-V. These are the nasty ones, hard to find since all of them are “random”:

KB975530 - Stop error message on an Intel Xeon 5500 series processor-based computer that is running Windows Server 2008 R2 and that has the Hyper-V role installed: "0x00000101 - CLOCK_WATCHDOG_TIMEOUT"
http://support.microsoft.com/kb/975530
This computer has one or more Intel CPUs code-named Nehalem installed. For example, the Nehalem CPU for a server is from the Intel Xeon processor 5500 series and for a client is from the Intel Core-i processor series.

KB981618 - The computer stops responding or restarts during the Hyper-V Live Migration process in Windows Server 2008 R2
http://support.microsoft.com/kb/981618/EN-US
When you run Windows Server 2008 R2 Hyper-V on a computer that uses AMD Family 10h processors, the host computer may restart unexpectedly or stop responding. When the computer restarts or stops responding, you receive no error messages.

KB974909 - The network connection of a running Hyper-V virtual machine is lost under heavy outgoing network traffic on a Windows Server 2008 R2-based computer
http://support.microsoft.com/kb/974909/en-us

That’s all for this time

/mike
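The check a Hyper-V administrator wants after reading the above is "which of my VMs are still running on a snapshot disk even though no snapshot is listed?". The following PowerShell is an added example, not code from the newsletter or from TrueSec. It assumes it is run in an elevated PowerShell on a Windows Server 2008 R2 Hyper-V host, uses the v1 root\virtualization WMI namespace, and takes SettingType 3 of Msvm_VirtualSystemSettingData to mean the VM's realized (current) configuration rather than a snapshot; the .avhd extension is the one Hyper-V gives differencing disks created by snapshots.

```powershell
# Added example, not part of the newsletter: list Hyper-V (2008 R2) VMs whose
# active configuration still points at a differencing snapshot disk (*.avhd).
# Such a VM has a merge pending that Hyper-V only performs once the VM is
# turned off, as described above.
# Assumptions: elevated PowerShell on the host; v1 WMI namespace
# root\virtualization; SettingType 3 = the realized (current) configuration.

$ns = 'root\virtualization'

$activeConfigs = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemSettingData |
    Where-Object { $_.SettingType -eq 3 }

$report = foreach ($cfg in $activeConfigs) {
    # Every resource attached to this configuration; keep the virtual hard disks.
    $vhds = $cfg.GetRelated('Msvm_ResourceAllocationSettingData') |
        Where-Object { $_.ResourceSubType -eq 'Microsoft Virtual Hard Disk' }

    foreach ($vhd in $vhds) {
        $path = $vhd.Connection[0]
        if ($path -notmatch '\.avhd$') { continue }

        # Size of the differencing file: a rough indication of how long the
        # merge will take once the VM is shut down.
        $avhdBytes = 0
        if (Test-Path -LiteralPath $path) {
            $avhdBytes = (Get-Item -LiteralPath $path).Length
        }

        New-Object PSObject -Property @{
            VM         = $cfg.ElementName
            ActiveDisk = $path
            AvhdSizeMB = [math]::Round($avhdBytes / 1MB, 1)
        }
    }
}

if ($report) {
    $report | Sort-Object AvhdSizeMB -Descending |
        Format-Table VM, AvhdSizeMB, ActiveDisk -AutoSize
} else {
    'No VM is running on a snapshot (.avhd) disk.'
}
```

Any VM listed here will stay on the .avhd until it is turned off (not saved or paused), so plan the shutdown for a window that can absorb the merge time; the reported file size is what has to be folded back into the parent VHD.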


The mystery of predictable computer account passwords!


One of the final actions during the operative phase of a penetration test is to extract all the password hashes from the target domain (Active Directory) and crack them to check the quality of the passwords.

One thing that has puzzled us over the last years is that we often find a small amount of computer accounts with the password set to the computer name in lower case minus the dollar sign.

As a penetration tester or a hacker this information is very useful, since it’s usually not that difficult to enumerate the computer accounts from a domain using a classic null session and a user2sid/sid2user-based enumeration. A simple well-known public tool for this is GetAcct (http://www.securityfriday.com/tools/GetAcct.html).

So why is this a problem? Well, if you can guess the password of a computer account then you can authenticate to servers and resources in the domain as a valid domain member. Not only can you enumerate important info from the domain itself, like for example the members of the Domain Admins group, etc.
More importantly, it’s usually very common that these accounts have access to various file shares. The reason for this is that a logged-on computer account becomes a member of the Authenticated Users group, and that group is a member of the Domain Users group. It is very common that the IT staff allows members of the Users group access to file shares. During penetration testing we always parse all the shares looking for juicy information like admin passwords in configuration scripts, backup folders, personal notes and similar. In many cases this leads to complete domain compromise.

For quite some time we did not really understand how these weak passwords were introduced into the environments. After a little bit of research we came to the conclusion that when computer accounts are created to support pre-Windows 2000 computers the predictable password is set. This happens for example when the command “net computer /add” is used. Also, many code samples in Microsoft’s own articles state that the password must be the computer name in lowercase minus the dollar sign.

Example article: Steps and Sample Code for Making a Machine Account http://support.microsoft.com/kb/255042

Normally this password is changed every 30 days and the change is initiated by the client computer over a secure channel. When we find these predictable passwords in a domain the reason must be because of the way the computer account was created (see above) AND the fact that the computer never initiated the password change, either it was never physically put in the environment, or it was taken offline within the first 30 days or the client initiated password update failed.

So.
If you are not 100% sure that all your existing active computer accounts were created using a method that sets a random password, I strongly recommend a change of deployment process and/or an inventory of weak computer account passwords. The easiest way to test this is simply to script a logon attempt using each computer account and the corresponding predictable password. (Caution! Beware of lockouts. The script must be configured to only do one attempt!)

/Marcus Murray
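The text above pins down the precondition for a predictable computer account password to survive: the account was created the pre-Windows 2000 way and the machine never performed its 30-day password change. That precondition is visible in the directory itself, so a defender can inventory the candidates without any logon attempts. The following PowerShell is an added example, not code from the newsletter or from TrueSec. It assumes it runs on a domain-joined host as a user who can read the domain, uses plain ADSI (System.DirectoryServices, so no Active Directory cmdlets are needed on a 2008 R2 era machine), and takes the 30-day interval from the text above as the default threshold.

```powershell
# Added example, not part of the newsletter: inventory enabled computer
# accounts whose machine password has never rotated, or has not rotated
# within the normal 30-day interval. These are the accounts that may still
# carry the predictable password set at creation time.
# Assumptions: domain-joined host, read access to the domain, ADSI only.

param([int]$MaxAgeDays = 30)   # default machine password change interval (from the text)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
# Enabled computer accounts only (bit 2 of userAccountControl = ACCOUNTDISABLE).
$searcher.Filter   = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 1000
foreach ($attr in 'name','whencreated','pwdlastset','operatingsystem') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$now = (Get-Date).ToUniversalTime()

$candidates = foreach ($r in $searcher.FindAll()) {
    $name    = [string]$r.Properties['name'][0]
    $created = ([datetime]$r.Properties['whencreated'][0]).ToUniversalTime()
    $pwdRaw  = [int64]$r.Properties['pwdlastset'][0]   # FILETIME; 0 = never set

    if ($pwdRaw -eq 0) {
        $pwdLastSet = $created
    } else {
        $pwdLastSet = [datetime]::FromFileTimeUtc($pwdRaw)
    }

    $pwdAgeDays = [int]($now - $pwdLastSet).TotalDays
    # "Never rotated": password timestamp within a minute of account creation.
    $neverRotated = [math]::Abs(($pwdLastSet - $created).TotalMinutes) -lt 1

    if ($neverRotated -or $pwdAgeDays -gt $MaxAgeDays) {
        $os = ''
        if ($r.Properties['operatingsystem'].Count -gt 0) {
            $os = [string]$r.Properties['operatingsystem'][0]
        }
        New-Object PSObject -Property @{
            Computer     = $name
            Created      = $created
            PwdLastSet   = $pwdLastSet
            PwdAgeDays   = $pwdAgeDays
            NeverRotated = $neverRotated
            OS           = $os
        }
    }
}

$candidates | Sort-Object PwdAgeDays -Descending |
    Format-Table Computer, NeverRotated, PwdAgeDays, Created, OS -AutoSize
```

Accounts flagged NeverRotated with an empty OS attribute are the classic case: created by hand (for example with net computer /add) and never joined. The cleanup is to delete them, or reset their password from the machine itself (for example with netdom reset) if the computer exists; the single-attempt logon test the column recommends can then be restricted to this shorter list, which also reduces the lockout risk it warns about.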



Where to find us

Come meet us at any of our labs. Below is where we will hold labs during the next 3 months.

Coming Labs:

Deployment Geek Week in Las Vegas July 12-16

Mastering SCCM 2007, New York July 26-28

Hacking the Windows Platform, New York August 10-12

Zero Touch with Johan, Los Angeles August 24 -26

Lite Touch with Mikael, New York September 14-16

For complete schedule listing go to http://en.truesec.com

Unsubscribe | To contact us please email info@truesec.com

TrueSec Inc    |     +1(425) 285-4477     |     info[at]truesec.com    |     Infrastructure    |     Security    |     Pentesting    |     TrueSec Inc. Website Privacy Statement