Software

This section looks at what is new in the world of software (Operating Systems included) and how to take best advantage of what is out there.

A little bit of fun today with Milestone XProtect (in our case the express version) today; with the goal of improving our documentation I wanted to somehow obtain a list of all of the hardware devices (and to some degree the cameras) including there names, MAC addresses and IP addresses from our XProtect server.

Lone behold the configuration.xml file typically stored at “C:\ProgramData\Milestone\Milestone Surveillance\configuration.xml” held just the information I wanted; a little bit of PowerShell later and I had CSVs with the information in a human readable form.

To do the same on your server follow the guide using the Export-MilestoneConfig.ps1 script show below.

Download Export-MilestoneConfig.ps1 (download from GitHub)

If you are running an HPE Aruba (formally ProCurve) switch you may come across cases where your switch (in the example above a 5400R zl2) has multiple IP Addresses/VLANs and you need it to talk to another service (in my case syslog and sFlow receivers) on a set interface.

When this occurs you can use the ip source-interface command (make sure you are in config mode first) to define the IP Address or VLAN that you want the switch to talk out on. In my case VLAN2 which is used as the management network for the network switches (VLAN1 being the default network that switches use if multiple addresses are configured).

Not the first time I’ve run into this issue and probably won’t be the last! While building a new Windows Server 2016 (Full) Microsoft Deployment Toolkit server when attempting to run the ‘Update Deployment Share’ wizard I was getting the following error message.

Unable to mount the WIM, so the update process cannot continue.

The solution is simple; if you are running this machine on Hyper-V (presumably other Hypervisors as well) you will need to shutdown the VM, disable Secure Boot (on the VM only) and then power it back on. The next time you run the wizard it will complete as normal.

The error message in full context for reference.

=== Making sure the deployment share has the latest x86 tools ===
=== Making sure the deployment share has the latest x64 tools ===

=== Processing LiteTouchPE (x64) boot image ===

Building requested boot image profile.
Determining if any changes have been made in the boot image configuration.
No existing boot image profile found for platform x64 so a new image will be created.
Calculating hashes for requested content.
Changes have been made, boot image will be updated.
Windows PE WIM C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim will be used.
Unable to mount the WIM, so the update process cannot continue.

=== Completed processing platform x64 ===

 

=== Processing complete ===

This entry is part 3 of 4 in the series A Windows SysAdmin installs and uses OpenVAS

Following on from more work with OpenVAS and after resolving issues around PHP/MySQL the next largest priority was flagged as issues with the Remote Desktop Server (this applies if the server is being used as a Session Host or is just running Windows Server/Client). Here are two pointers in the right direction to get these port 3389 issues resolved!

SSL/TLS: Report Weak Cipher Suites and SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability

To resolve this issue I would suggest you look at the free IISCrypto tool (https://www.nartac.com/Products/IISCrypto) which (after a reboot) disables weak cipher suites and ensures that the correct key exchange mechanisms are used on your servers and clients. Note this software doesn’t just apply to IIS (Internet Information Services) but also Remote Desktop and any other Microsoft technology that makes use of schannel.

Although it takes a little while longer you can also examine the registry (see https://www.nartac.com/Support/IISCrypto/FAQ) and deploy a Group Policy to apply the same settings to your machines.

If you can I would suggest you opt for the PCI 3.1 template (which also culls TLS1.0 support) however as I found out you may have to resort to the ‘Best Practices’ which keeps TLS1.0 enabled and in turn allows things like 802.1x EAPOL and older versions of Microsoft SQL Server to work. Really is worth doing extensive testing with all of your applications (network services included!) before you go and roll this tool out to your full environment!

SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

In this case we are looking at the self signed Remote Desktop Protocol certificate which just so happens to be SHA1. To resolve this issue have a look at this blog post – https://www.darkoperator.com/blog/2015/3/26/rdp-tls-certificate-deployment-using-gpo which covers in great detail how to use an Active Directory Certificate Services Server to issue SHA256 certificates to your machines to use with Remote Desktop.

Following on from some recent OpenVAS testing and in turn discovering that some of our PHP versions were sorely out of date I’ve set about to patch and document all of the installations. In turn we have a simple guide on how to update PHP security releases!

Please note – this guide is aimed at really simple single server instances of PHP that are being used by Microsoft IIS, be sure to test the upgrade outside of your production environment before deploying it.

For this guide you will also need this link – http://windows.php.net which contains the downloads for PHP on Windows.

Troubleshooting:

  • If you encounter an error message during the overwrite of the existing PHP install consider stopping the IIS server service first and then restarting it with the following commands from an elevated command/PowerShell prompt.
    • net stop WAS
    • net start W3SVC
This entry is part 1 of 4 in the series A Windows SysAdmin installs and uses OpenVAS

This guide covers one (of I’m sure a 1,000) ways to deploy and use OpenVAS 9 in your environment on Ubuntu Server 16.04 for the purpose of White Hat Penetration Testing, more so it’s also written from the viewpoint of a SysAdmin who mainly works with Windows Systems (Windows Server/Hyper-V/PowerShell/suchlike) and so takes a very simplistic approach to the setup.

The goals of this project are to

  • Install Ubuntu Server 16.04 LTS on Hyper-V
  • Deploy OpenVAS to that server
  • Execute scripted commands against OpenVAS from a remote system
  • Light up with a big warning sign all of the unknown issues within a network

Lets get started!

To start out you will need

  • A Hyper-V host (although no reason not to run it on VMWare/whatnot)
  • The latest ISO for Ubuntu Server 16.04 LTS saved somewhere your Hyper-V server can get to
    • Download from – https://www.ubuntu.com/download/server
    • Worth noting that only the 16.04 LTS release is going to work with this guide, when I first tried getting OpenVAS to work with 17.04 (a newer release) there were various blocking issues that I could not overcome. In short – use 16.04!!!

Step 0 – Get DNS in the right place

Configuring DNS correctly in particular with relation to Reverse Lookup will help your OpenVAS deployment loads, for a good guide on how to setup Reverse Lookup take a look at this link – http://de.community.dell.com/techcenter/os-applications/w/wiki/684.how-to-configure-dns-reverse-lookup-zone-in-windows-server-2012 (don’t worry about the de. its in English!).

Step 1 – Configure a Hyper-V VM for OpenVAS

In this next step we configure a Hyper-V VM running on Windows Hyper-V Server 2016 (which is free by the way!).

Step 2 – Install Ubuntu Server

Next up the install of Ubuntu Linux, as I understand OpenVAS can be installed on all kinds of flavours of Linux however the support I’ve seen in the past around Ubuntu seems much better than other options. This portion of the guide assumes you are not running your OpenVAS server on a network that’s got DHCP enabled (in this example it’s on our Servers VLAN).

Step 3 – First Boot

Next up we have some housekeeping for Ubuntu, making sure it’s up to date and getting OpenSSH server running so we can move to using something like PuTTY (download from – https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) to manage the server.

For this portion of the guide you will need the following lines of script-

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install openssh-server

sudo reboot

Step 4 – Install OpenVAS

Here comes the good bit! The initial installation of OpenVAS and downloading of the lists of vulnerabilities.

For this portion of the guide you will need the following lines of script-

Step 5 – Change the default password!!!

Now that OpenVAS is running it’ll be using the default username/password combination of admin/admin, how brilliant is that!

Step 6 – Allow API Access

For the last step in this guide we will set it so that the port for API Access to OpenVAS is enabled on every boot of the machine.

sudo nano /etc/rc.local

sudo openvasmd -p 9390 -a 0.0.0.0

sudo /etc/rc.local

Next up….

So that’s things setup, in the next guide (hopefully following in a day or two) we will be using the API to create a list of victims to test against and generate reports for a ‘list of things to do’.

If you are running (or use) the Sympa Mailing List but also use Windows PowerShell then you may want to be aware of PSSympa which recently went v1.0 on GitHub and the PowerShell Gallery.

In this release we have…

Functions

  • Get-SympaLogin (to login and get a session cookie – the result of which is used with all other functions)
  • Get-SympaMailingListMember (get the members of a list or list(s))
  • Add-SympaMailingListMember (add a member(s) to a list)
  • Remove-SympaMailingListMember (removes a member(s) from a list)
  • Test-SympaMailingListMember (checks to see if someone is a Subscriber, Owner or Editor of a list)
  • Sync-SympaMailingList (based on the contents of a reference CSV makes changes to the membership of a list)

Samples

  • How a CSV storing credentials might look (samplecredsfile.csv)
  • How a CSV that is used to Add/Remove members in bulk to/from a single list (samplememberslist.csv)
  • How a CSV that is used with the Sync- function would look (samplesynclist.csv)

Super Awesome Features

  • Credentials can be stored in a CSV to avoid them being typed in as part of a wider script
  • Pipeline support for members in lists

How to get it

The PowerShell Gallery is the best route to get your hands on the Module, see this link – https://www.powershellgallery.com/packages/PSSympa for the full details in short though you should only need to run the following command at your PowerShell prompt (assuming you are running a recent version of PowerShell) to install the module on your PC.

Install-Module -Name PSSympa

Continue reading

With the continued rise of ‘Next Generation’ Anti-Virus like Sophos Intercept X and PaloAlto Traps the question from many SysAdmins might be well how do I deploy these?

If you are looking at Intercept X and you already are Running Sophos Central (with Endpoint Protection) the simple answer is a press a few buttons in the Admin Console.

In short, login to Sophos Central (https://cloud.sophos.com/manage/login) go to Endpoint Protection > Computers > Manage Endpoint Software > Intercept X > Add your computers from the displayed list > click Save.

For a more in depth walkthrough take a look at the screenshots below. One quick note – due to the changing nature of Sophos Central (previously Sophos Cloud) its quite possible that the look/feel of the Admin Console will have changed between the time I published this article and you read it.

Once you have deployed Intercept X to your existing machines be sure to update your installers to use when deploying new computers. You can download these from the ‘Protect Devices’ button on the Admin Console Dashboard.

One of my favourite features of PowerShell is the Invoke-RestMethod cmdlet which (among a great many other things) can download the data from an RSS feed. One application I’ve found for this is to stay on top of security bulletins from organisations like Adobe and Drupal.

However just downloading the data from the feed and kicking it out in an email isn’t quite good enough for my needs thus the script below gets data from a CSV which contains the URL to the feed as well as some extra details to inject into any email notification (e.g. a link to the guide on how to deploy Adobe Updates).

In my production environment this script creates tickets on a FreskDesk helpdesk to log and manage any new update notifications. In the attached example below the script just fires off email notifications.

Have a look at the screenshot sequence below for more info!

  Get-Rss (4.0 KiB, 342 hits)

Update 09/05/2017 – v0.2 – Now handles XML and Arrays in the link and title objects (good for reddit and blogspot!)