108.bz » Windows

Cloning DHCP reservations between Windows servers

Giuliano — Tue, 12 Apr 2011 16:01:30 +0000

Quick post to show you how DHCP reservations can be replicated between Windows servers. Why whould you want to do that? Because often, to achieve DHCP service high availability, DHCP scopes are equally divided between servers. When a client PC is connected to the network, it sends out a broadcast to discover which DHCP servers are active on that particular ethernet segment. Depending on their number, the PC will receive one or more answer, each offering an IP address. If a client is to be assigned a fixed IP, all of those offers should bear the same IP address. Hence, DHCP reservations need to be configured the same for every DHCP server in the given scope. As far as I know, this needs to be done by hand. To speed up the process, I use netsh (see Netsh commands for DHCP).

The command below will dump all of the reservations to a file named “reservations.txt”. findstr filters netsh output keeping just the info we need.

C:\Documents and Settings\Administrator> netsh dhcp server \\dhcpsrv1 scope 10.4.0.0 dump | findstr Add.reservedip > reservations.txt

Each line in “reservations.txt” should look like this:

Dhcp Server 10.4.1.1 Scope 10.4.0.0 Add reservedip 10.4.5.3 58b04576339a "pcname.domain.lan" "Reservation Comment" "BOTH"

10.4.1.1 is the IP address for dhcpsrv1, the “source” DHCP server.

Open “reservations.txt” in a text editor, check that everything is fine and substitute the source DHCP server IP with the target’s one (i.e.: 10.4.1.1 becomes 10.4.1.2), save the file and run:

C:\Documents and Settings\Administrator> netsh < reservations.txt
netsh>
Changed the current scope context to 10.4.0.0 scope.

Command completed successfully.
netsh>
Command completed successfully.
netsh>
[..]

That’s it; not a fancy trick, but it may be useful nonetheless. Just beware that, when there are thousands of clients, netsh could take a while to complete its job (especially the “dump” step)…

Cloning an Active Directory group

Giuliano — Wed, 12 Jan 2011 12:06:10 +0000

Or how to use the dsquery/dsget/dsmod commands to copy all the members from an
Active Directory group (source), to another one (destination).

If, like me, you are on a neverending quest to click less and script more, you can solve the problem this way:

Create the destination group, should it not exist.
Find the source group’s DN:
>dsquery group -samid sourcegroup
"CN=sourcegroup,OU=Groups,DC=contoso,DC=com"

“-samid” argument is the group name whose DN you’re looking for. You can use “*” as a wildcard.
Ditto for the destination group:
>dsquery group -samid destinationgroup
"CN=destinationgroup,OU=Groups,DC=contoso,DC=com"
On with the copy itself:
>dsget group "CN=sourcegroup,OU=Groups,DC=contoso,DC=com" -members -expand | dsmod group "CN=destinationgroup,OU=Groups,DC=contoso,DC=com" -addmbr -c
dsmod succeeded:CN=destinationgroup,OU=Groups,DC=contoso,DC=com

These are two commands: “dsget group” and “dsmod group“. Output from the first is piped to the second. “-members” causes the group members’ DNs to be listed on standard output (one by line, quoted). “-expand” makes dsget to recursively expand the sub-groups that sourcegroup may hold.
Conversely, dsmod modifies destinationgroup adding members to it.
Very cool, so far. The only caveat is that the “-c” switch doesn’t work as advertised. It should copy members over destinationgroup even if already exist, but it doesn’t. If you need to re-sync source and dest, delete source’s contents from dest.

Bonus note; here’s a quick way to discover a user’s DN given his username:

>dsquery user -samid jdoe
"CN=John Doe,CN=Users,DC=contoso,DC=com"

Symantec Endpoint Protection – crypt32 errors

Giuliano — Tue, 14 Dec 2010 16:28:58 +0000

One of the most procrastinated issues I had at a Customer’s, was the proliferation of errors like these (as shown in servers/clients Event Viewer):

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Description:
Failed auto update retrieval of third-party root list sequence number from: with error: This network connection does not exist.

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 11
Description:
Failed extract of third-party root list from auto update cab at: with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

There are several posts mentioning the issue, this one pointed me in the right direction. Basically, because of how SEP components communicate, Windows is triggered into updating the list of trusted root Certification Authorities. It tries to do so through the Internet using the Computer account. The latter may not have any proxy configured. Being unable to reach outside, the host gets flooded by crypt32 errors.

In order to solve the issue, I decided to deploy a valid proxy configuration, for the Computer account (SYSTEM user), on a subset of the Domain’s hosts.
One of the ways to script that is the “proxycfg -u” command¹ that works by copying the current user proxy settings to the SYSTEM’s registry. Sounds cool but if the current user is not a member of the local Administrators group, he won’t have the necessary rights. The following script instead, can be launched via Group Policy² during operating system startup, and since it’s a startup script rather than a login one, it will run with administrative privileges.

Nothing fancy in the below source. It creates the registry key if it doesn’t exist, then sets the right value for WinHttpSettings which I obtained this way:

use “proxycfg -u” on a test host
use the Registry editor to export the contents of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

The value is of type REG_BINARY. Since the RegWrite API (method of class WScript.Shell) cannot deal with binary values, WMI (StdRegProv registry provider) needs to be used. Also, SetBinaryValue expects an array of decimal values, while Regedit exports them as hexadecimal digits (you’ll have to take care of the conversion yourself).

On Error Resume Next
Const HKEY_LOCAL_MACHINE = &H80000002

strPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
strKey = "WinHttpSettings"
strValue = "24,0,0,0,0,0,0,0,3,0,0,0,19,0,0,0,112,114,111,120,121,46,99,117,115,116,46,108,97,110,58,56,48,56,48,47,0,0,0,49,48,46,42,46,42,46,42,59,115,101,114,118,101,114,50,48,59,115,101,114,118,101,114,50,48,46,42,59,42,46,99,117,115,116,46,108,97,110,59,60,108,111,99,97,108,62"
strMachineName = "."

arrValues = Split(strValue,",")
strMoniker = "winMgmts:\\" & strMachineName & "\root\default:StdRegProv"
Set oReg = GetObject(strMoniker)
rv = oReg.CreateKey(HKEY_LOCAL_MACHINE, strPath)
rv = oReg.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, strKey, arrValues)

If the scripts works as it should, you’ll be greeted by these events:

Event Type: Information
Event Source: crypt32
Event Category: None
Event ID: 7
Description:
Successful auto update retrieval of third-party root list sequence number from:

Event Type: Information
Event Source: crypt32
Event Category: None
Event ID: 2
Description:
Successful auto update retrieval of third-party root list cab from:

And, hopefully, crypt32 errors will be gone for good.

See Using the WinHTTP Proxy Configuration Utility ↩
Computer Configuration, Windows Settings, Scripts, Startup ↩

From MS SQL to MySQL, realtime row copy

Giuliano — Mon, 06 Sep 2010 13:26:42 +0000

Or: “How to call a web server from a Microsoft SQL Server Stored Procedure”.
Customer has got a VoIP software PBX (Swyx). It logs incoming calls (the CDR) in a MS SQL Server database. The CDR structure is straightforward: a single table where each row is a call, indexed by CallId (transferred calls get, eventually, a new row and a “child CallId”).
I needed to process the CDR within these specs/restrictions:

Each row has to be processed as soon as it is INSERTed
Rows must be filtered (depending on the called number)
Filtered rows must be “mirrored” to a MySQL DB
MS SQL machine is heavily loaded and mission critical; the row-copy mechanism must be light and fast

The first and second specs imply the use of triggers/stored procedures.

I originally thought that the “DB link”-kind of functionality could be achieved natively on MS SQL. In theory it can, via Linked Servers (bound to ODBC Data Sources). There’s a catch though: you can SELECT stuff on linked servers at will, but as soon as you try to INSERT, you’ll hit error 7391¹. MS SQL, can’t really blame it, would like to be able to rollback any change made, even on the linked MySQL. It needs to start a (implicit, distributed) transaction on MySQL, but that’s not supported and the write fails. This workaround (forcibly switch off implicit transactions) didn’t work for me. Apparently, the Oracle OLEDB Provider is able to ignore/disable distributing transactions when the parameter DistribTX=0 is in the provider string. MySQL’s ODBC driver doesn’t provide a similar toggle.

The easiest way to push data “out” of MS SQL is (arguably) through HTTP. The DB GETs a full URL, passing key/value parameters to a Web Service that outputs to MySQL.

On with the code, starting with the “Web Service”. What follow is a mere Perl script, useful for testing. Depending on the expected load, you may want to use a proper application server, providing MySQL DB connection pooling. What you should really do, is serve the script through HTTPS and password protect it. Without SSL, a malicious user could sniff the cleartext requests sent by the source DB, forge similar ones and litter/DOS the MySQL instance. Of course, the Web Service could output to just any supported DB, not only to MySQL.

#!/usr/bin/perl

use DBI;
use CGI;
use strict;

my $DEBUG = 0;
my @FIELDS = qw(
CallId
OriginationNumber
CalledNumber
DestinationNumber
StartTime
ScriptConnectTime
DeliveredTime
ConnectTime
TransferTime
EndTime
DisconnectReason
TransferredToCallId
);

my $q = new CGI;
print $q->header(-type => 'text/plain', -charset => 'ISO-8859-1', -expires => '-1d');

# checks
my $checkresult = 1;
my $checkmessage = '';
sub setcheck ($$$$) {
my ($rrc, $rc, $rrs, $rs) = @_;
$$rrc = $rc;
$$rrs = $rs;
}
sub isnumber { return 1 if $_[0] =~ /^[0-9]*$/i; return 0; }
sub issane { return 1 if $_[0] =~ /^[a-z0-9%:\- ]*$/i; return 0; }
setcheck(\$checkresult,0,\$checkmessage,'NULL CallId') if $checkresult and not $q->param('CallId');
setcheck(\$checkresult,0,\$checkmessage,'CallId must be a number') if $checkresult and not isnumber($q->param('CallId'));
foreach (@FIELDS) {
setcheck(\$checkresult,0,\$checkmessage,"$_ value contains invalid characters")
if $checkresult and not issane($q->param($_));
}

if ($checkresult) {
my $dbh = DBI->connect('DBI:mysql:database=dbname','dbuser','password') or ((print "KO: Error $DBI::err - $DBI::errstr\n"), exit);
my $values = join ',', ( map { $dbh->quote( $q->param($_) ? $q->param($_) : '') } @FIELDS );
my $sth = $dbh->prepare("INSERT INTO callslog VALUES ($values)") or ((print "KO: Error $DBI::err - $DBI::errstr\n"), exit);
$sth->execute or ((print "KO: Error $DBI::err - $DBI::errstr\n"), exit);
if ($DEBUG) {
print $_.': '.$q->param($_)."\n" for @FIELDS;
}
print "OK\n";
} else {
print "KO: $checkmessage\n";
}

exit;

Next, the trigger code. It acts after each INSERT on the IpPbxCDR table. If a called number ends with the given digits, calls the Stored Procedure spLogCall, passing it the fields we’re interested in. I use the (commented) raiserror call for debugging purposes.

USE [ippbxlog]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TRIGGER [dbo].[tr_ProcessCall]
ON [dbo].[IpPbxCDR]
AFTER INSERT
AS
BEGIN
DECLARE
@RightMatch nvarchar (10),
@CallId int,
@OriginationNumber nvarchar(50),
@CalledNumber nvarchar(50),
@DestinationNumber nvarchar(50),
@StartTime datetime,
@ScriptConnectTime datetime,
@DeliveredTime datetime,
@ConnectTime datetime,
@TransferTime datetime,
@EndTime datetime,
@DisconnectReason nvarchar(50),
@TransferredToCallId int
SET @RightMatch = '12345678'
SELECT
@CallId = CallId,
@OriginationNumber = OriginationNumber,
@CalledNumber = CalledNumber,
@DestinationNumber = DestinationNumber,
@StartTime = StartTime,
@ScriptConnectTime = ScriptConnectTime,
@DeliveredTime = DeliveredTime,
@ConnectTime = ConnectTime,
@TransferTime = TransferTime,
@EndTime = EndTime,
@DisconnectReason = DisconnectReason,
@TransferredToCallId = TransferredToCallId
FROM INSERTED
IF (RIGHT(@DestinationNumber,LEN(@RightMatch)) = @RightMatch) OR (RIGHT(@CalledNumber,LEN(@RightMatch)) = @RightMatch)
BEGIN
--raiserror('%s',16,1, @DestinationNumber)
EXEC spLogCall
@CallId,
@OriginationNumber,
@CalledNumber,
@DestinationNumber,
@StartTime,
@ScriptConnectTime,
@DeliveredTime,
@ConnectTime,
@TransferTime,
@EndTime,
@DisconnectReason,
@TransferredToCallId
END
END

Lastly, the Web Service contacting Stored Procedure. I use sp_OACreate to create an OLE object of class MSXML2.ServerXMLHTTP passing it the contructed GET URL (address + parameters). Depending on MS SQL’s version, you may have to explicitly enable in-database OLE automation, this way:

exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'Ole Automation Procedures', 1
go
reconfigure
go

Timeouts for various operations are set to reasonably low values, we don’t want the DB to “block” for too long. And again: use HTTPS. Get your certificates right (on MS SQL’s server, install the root certificate for the CA who issued the cert you’re using on the web/application server) and use HTTPS.

USE [ippbxlog]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

CREATE PROCEDURE [dbo].[spLogCall]
@CallId int,
@OriginationNumber nvarchar(50),
@CalledNumber nvarchar(50),
@DestinationNumber nvarchar(50),
@StartTime datetime,
@ScriptConnectTime datetime,
@DeliveredTime datetime,
@ConnectTime datetime,
@TransferTime datetime,
@EndTime datetime,
@DisconnectReason nvarchar(50),
@TransferredToCallId int
AS

BEGIN
DECLARE
@Object int,
@hr int,
@openparams nvarchar(2048),
@responsetext varchar(8000);

EXEC @hr = sp_OACreate 'MSXML2.ServerXMLHTTP', @Object out
IF @hr = 0
BEGIN
SET CONCAT_NULL_YIELDS_NULL OFF
SET @openparams = 'open("GET", "http://10.1.1.123/ws/CDR.pl?' +
'CallId=' + CAST(@CallId AS varchar) + '&' +
'OriginationNumber=' + CAST(@OriginationNumber AS varchar) + '&' +
'CalledNumber=' + CAST(@CalledNumber AS varchar) + '&' +
'DestinationNumber=' + CAST(@DestinationNumber AS varchar) + '&' +
'StartTime=' + CONVERT(varchar, @StartTime, 120) + '&' +
'ScriptConnectTime=' + CONVERT(varchar, @ScriptConnectTime, 120) + '&' +
'DeliveredTime=' + CONVERT(varchar, @DeliveredTime, 120) + '&' +
'ConnectTime=' + CONVERT(varchar, @ConnectTime, 120) + '&' +
'TransferTime=' + CONVERT(varchar, @TransferTime, 120) + '&' +
'EndTime=' + CONVERT(varchar, @EndTime, 120) + '&' +
'DisconnectReason=' + CAST(@DisconnectReason AS varchar) + '&' +
'TransferredToCallId=' + CAST(@TransferredToCallId AS varchar) +
'", False)'
EXEC @hr = sp_OAMethod @Object, 'setTimeouts(3000,3000,3000,3000)'
EXEC @hr = sp_OAMethod @Object, @openparams
EXEC @hr = sp_OAMethod @Object, 'Send'
EXEC @hr = sp_OAGetProperty @Object, 'responseText', @responseText out
END
END

That’s it, the method performs and scales quite well. I think I’ll find other uses for it soon…

The operation could not be performed because OLE DB provider “%ls” for linked server “%ls” was unable to begin a distributed transaction. ↩

Recovering NTBackup Tapes

Giuliano — Wed, 25 Aug 2010 10:36:43 +0000

This article will show you how to handle tape backups generated by NTBackup, turn them into a .BKF file (using Linux) and extract specific files (using Linux/Windows). Some of the stuff explained here may also be useful when dealing with corrupt tapes/files, and may work for any backup software that generates MTF (Microsoft Tape Format) output, such as maybe Symantec Backup Exec¹.

The scenario: an old machine (hosting a not so important app) crashes badly due to multiple disk failures. O.S. (Windows 2000 Server) won’t boot anymore. Backups were directed to a local DDS tape drive, the only one of its kind surviving in the whole Company. While reinstalling the app to another server, I need to recover some files and have access to the pre-crash registry.

And here’s the plan:

Boot the half-dead server with the invaluable SystemRescueCd.
Put the last available tape backup in the drive.
Save an image of the tape somewhere.
Extract stuff from the image.

When SystemRescueCd is running and network connected, make available a shared folder:

root@sysresccd /root % mkdir /mnt/storagespace
root@sysresccd /root % mount -t cifs //fileserver/e$ /mnt/storagespace -o username=administrator,workgroup=domain.local

Then, generate the image. NTBackup tape backups are spread across multiple “tape files”. If you read the tape from the beginning, sooner or later you will hit EOF (an end-of-file condition). Don’t rewind it: go on to the next file instead. Repeat until there are no more files to read.
On Unix, the first SCSI tape device is mapped to /dev/st0 and /dev/nst0. When a process finishes reading from /dev/st0, the tape is implicitly rewound. Viceversa, using /dev/nst0 doesn’t cause any rewind; tape will stay positioned right after the last block read.

Just in case, perform a manual rewind:

root@sysresccd /mnt/storagespace/temp % mt -f /dev/st0 rewind

Then, try to guess the right block size. It seems to be set at 16K. Should this method fail, check the “How do I find out tape block size?” method here.

root@sysresccd /mnt/storagespace/temp % mt -f /dev/st0 status
SCSI 2 tape drive:
File number=0, block number=0, partition=0.
Tape block size 16384 bytes. Density code 0x26 (DDS-4 or QIC-4GB).
Soft error count since last status=0
General status bits on (41010000):
BOT ONLINE IM_REP_EN

Start reading (by means of dd) with the specified block size. See? We’re using the non-rewinding tape device /dev/nst0.

root@sysresccd /mnt/storagespace/temp % for f in `seq 1 10`; do echo dd if=/dev/nst0 of=tapeblock`printf "%
06g" $f`.bin ibs=16384; done
dd if=/dev/nst0 of=tapeblock000001.bin ibs=16384
dd if=/dev/nst0 of=tapeblock000002.bin ibs=16384
dd if=/dev/nst0 of=tapeblock000003.bin ibs=16384
dd if=/dev/nst0 of=tapeblock000004.bin ibs=16384
dd if=/dev/nst0 of=tapeblock000005.bin ibs=16384
dd if=/dev/nst0 of=tapeblock000006.bin ibs=16384
dd if=/dev/nst0 of=tapeblock000007.bin ibs=16384
dd if=/dev/nst0 of=tapeblock000008.bin ibs=16384
dd if=/dev/nst0 of=tapeblock000009.bin ibs=16384
dd if=/dev/nst0 of=tapeblock000010.bin ibs=16384
root@sysresccd /mnt/storagespace/temp % dd if=/dev/nst0 of=tapeblock000001.bin ibs=16384
1+0 records in
32+0 records out
16384 bytes (16 kB) copied, 0.0341089 s, 480 kB/s
root@sysresccd /mnt/storagespace/temp % dd if=/dev/nst0 of=tapeblock000002.bin ibs=16384
270540+0 records in
8657280+0 records out
4432527360 bytes (4.4 GB) copied, 7666.22 s, 578 kB/s
[..]
root@sysresccd /mnt/storagespace/temp % dd if=/dev/nst0 of=tapeblock000007.bin ibs=16384
4+0 records in
128+0 records out
65536 bytes (66 kB) copied, 0.1176 s, 557 kB/s
root@sysresccd /mnt/storagespace/temp % dd if=/dev/nst0 of=tapeblock000008.bin ibs=16384
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.00461986 s, 0.0 kB/s
root@sysresccd /mnt/storagespace/temp % dd if=/dev/nst0 of=tapeblock000009.bin ibs=16384
dd: reading `/dev/nst0': Input/output error
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.00356835 s, 0.0 kB/s

Reads beyond the last file will result in an “Input/output error”.

It’s time to join the .bin files into a single one: the tape image (maybe using HJSplit for the task). You could’ve been more clever than me and appended dd‘s output to a single file, thus skipping the join step and saving space. I didn’t do it because I wanted to see if any tape file was corrupted (and be able to re-read it, if needed).

I called the tape image “backup.bkf”, even though it’s not a true .BKF file… As we said, it’s a tape image. NTBackup is not able to read it, whereas the abundance of “BKF recovery” software can. Before going on, let me polemicize a bit. There are many, almost identical, software of this kind. I’ve got the feeling that they all “borrow” from this open source BKF reader². Looks like different commercial developers grabbed the same source, embellished the GUI just a bit, and made a product to sell. How lame. But it turns out that you don’t need to pay a cent to extract files from a .BKF or tape image, on Linux or Windows as well.

On windows, get ntbkup by William T. Kranz . I use the (optional) -s3 switch to target set 3 which I know holds the System State.

C:\temp\x>..\ntbkup.exe ..\backup.bkf -s3 -l"\Registry:"

NTBKUP Ver 1.07c compiled for WIN32 with MAX_PATH = 100
compiled for 64 bit file offsets
Copyright (C) 2003 William T. Kranz
NTBKUP comes with ABSOLUTELY NO WARRANTY
Free software distributed under the terms of the GNU General Public license
See http://www.gnu.org/licenses/gpl.html for license information
Check http://www.fpns.net/willy/msbackup.htm for Updates & Documentation

resrict operations to backup set 3
device name: C:
volume name: Local disk
device name: D:
volume name: Volume
Set 3:
Name: Company lun-29-06-2009-23.04
Description:
User: DOMAIN\administrator

device name: System state data from 0x36113d956 to 0x3611ec956
length 716800 atrib 0x20 05/14/2008 03:10:38 PM
extracing: default:
data from 0x3611ecd4e to 0x3611f2d4e
length 24576 atrib 0x20 06/29/2009 09:42:50 PM
extracing: SAM:
data from 0x3611f3156 to 0x3611fe156
length 45056 atrib 0x20 06/29/2009 11:00:07 PM
extracing: SECURITY:
data from 0x3611fe556 to 0x3621cb556
length 16568320 atrib 0x20 06/30/2009 01:35:59 AM
extracing: software:
data from 0x3621cb952 to 0x362487952
length 2867200 atrib 0x20 06/29/2009 10:42:23 PM
extracing: system:
data from 0x362487d2e to 0x3624aad2e
length 143360 atrib 0x20 06/04/2003 01:24:14 PM
extracing: userdiff:

Bingo, I can load the software hive with “reg load” (see here) and extract the keys I need.

Should you prefer so, download mtftar on your Linux box, compile it and run something like:

./mtftar -f /mnt/storagespace/temp/backup.bkf | tar xvf - "Registry"

Extract the other files you need and voilà…

ex Veritas Backup Exec ↩
There’s no executable in the archive. You need Visual Studio and compile it for yourself. ↩

Counting received emails on MS Exchange

Giuliano — Mon, 01 Mar 2010 13:23:46 +0000

Today I was asked to count the number of emails received on a given address (more than one), across a given time frame. I ended up using Microsoft’s Log Parser (the existence of which I discovered thanks to this post).
Log Parser let’s you run SQL queries on a range of differently formatted log files. Pretty handy stuff: I’ll surely find other uses for it.

MS Exchange, when Message Tracking is enabled, generates a bunch of log files into something like a C:\Exchsrvr\SERVERNAME.log\ folder. The data we need is tracked there.

logparser -q -i:w3c -o:tsv -headers OFF "SELECT DISTINCT MSGID, To_Lowercase(Recipient-Address) As dst FROM C:\Exchsrvr\SERVERNAME.log\*.log WHERE dst = 'addr1@domain.com' OR dst = 'addr2@domain.com'" > x.tsv

“-q” stands for “quiet”, “-i:w3c” states that the input log(s) are in W3C format, “-o:tsv” tells Log Parser to output tab-separated fields, “-headers OFF” is self explanatory and then comes the SQL query. I’m selecting distinct combinations of MSGID and Recipient-Address. Distinct because info about an email message is stored in the log files across multiple lines, keyed by MSGID. A single query is enough to filter all of the addresses we’re interested in, ORed together. Also notice that in the SQL “FROM” clause I used “*.log”; you may need to change that to suit your time frame (message tracking logs are switched daily and stored for a configurable amount of days).

Log Parser’s output, redirected to a file, is then fed to cut/sort/uniq. Remember to change the line termination sequence (“:set fileformat=unix”, on vim) if you don’t have the afore mentioned commands on Windows and move the file to a Unix box.

We use cut (which defaults to tab separated fields) to trash MSGID and just select recipients addresses. These ones get sorted and counted. Last step is a reverse numerical sort. This kind of pipe sequence is a rather common “idiom” on Unix: it computes word (record) frequencies in a file.

cut -f 2 x.tsv | sort | uniq -c | sort -n -r
782 addr1@domain.com
747 addr2@domain.com

Phew, no lines of script written for once…

Detecting malware using Windows Auditing events

Giuliano — Sun, 28 Feb 2010 23:58:18 +0000

This post¹ explains how to use nmap and smb-check-vulns to scan a network in search of Conficker infected hosts. I thought that the whole Conficker case was over, but hopefully some of the measures I took to deal with it almost an year ago, will still be relevant to other kinds of malware. And, also, the method I’ll show you here differs from the nmap one in that the latter is active, whereas mine is passive. Actively probing an host for vulnerabilities could be very very much alike “exploiting” it as malware does, and have similar effects. For instance, a service/process could crash, making it not always advisable to run active scans on your servers subnet. Passive analysis, on the other hand, unobtrusively collects clues about who’s misbehaving.

During the Conficker/Downadup outburst, we observed that:

Antivirus wasn’t always able to detect/stop it.
The virus was copying files in known directories (C:\WINDOWS\SYSTEM32) on about to be infected machines.
Security patched hosts were still subject to the remote malicious file copying routine. The copy could either succeed or fail, depending on which permissions had the user that “runs” the virus. The copy in itself doesn’t pose any security concern. Even if no A/V is active on the destination host, but virus exploitable flaws have been patched, malware won’t be able to activate itself. Otherwise, the A/V would remove suspect files as soon as they are caught, without interfering with our detection purposes.

This behaviour makes it possible to use a “honeypot” approach. The detecting server can be any production host provided that it is security patched and A/V protected. You could, as we did, choose a Domain Controller and:

Run Administrative Tools → Domain Controller Security Policy

Modify the Audit Policy, enabling tracking of successful logon events and object access. By default the OS will only log failures, but that’s not enough.

Object Access is activated at a file/directory level. Open up the Properties of a directory you know is accessed by the virus, click on Security, then Advanced. The Auditing tab is what you’re interested in. Set things up so that any “Create File/Write Data” attempt of Type “Success” will be logged. The semantics about how auditing settings are propagated from parent to child works in the same way as NFTS permissions.

From this point on, you should monitor the honeypot server’s Security Event Log. I wrote a Perl script to do it for me. It works by selecting events with ID 560 and 540, extracting their text and printing just the needed info.

Let’s look at how it’s used (the only parameter is the hostname/address of the honeypot server):

C:\loganalysis>perl ddloganalysis.pl honeypot-srv.domain.lan > ddlog.txt

Skimming through the generated log, you’ll notice the files being dropped into C:\WINDOWS\system32 (or any directory you set up for auditing), the user that actually created them and, before (time-wise), from which address the user is coming.

17/03/2009 16.26.19 560 : C:\WINDOWS\system32\onevthx.vr (Administrator)
17/03/2009 16.26.18 540 : (10.1.1.94 - Administrator)
17/03/2009 15.35.24 560 : C:\WINDOWS\system32\onevthx.vr (SpectrumLT)
17/03/2009 15.35.24 540 : (10.6.3.6 - SpectrumLT)

We successfully used the script to pinpoint the rogue hosts. Deeming it useful, here it is:

#!perl

use strict;
use Win32::EventLog;
use POSIX qw ( strftime );

my @matches = (
#'job$', # useless, since scheduled tasks are always created by SYSTEM
'system32',
'eicar.com'
);

die "Usage:\n$0 servername" unless $ARGV[0];

my $ev=Win32::EventLog->new('Security', $ARGV[0])
or die "Can't open EventLog\n";
my $recs;
$ev->GetNumber($recs)
or die "Can't get number of EventLog records\n";
my $base;
$ev->GetOldest($base)
or die "Can't get number of oldest EventLog record\n";

sub getts($) {
return strftime '%d/%m/%Y %H.%M.%S', (localtime shift);
}

my @progress = ('-','\','|','/','-','\','|','/');

my $x = $recs-1;
my $h;
while ($x >= 0) {
$ev->Read(EVENTLOG_FORWARDS_READ|EVENTLOG_SEEK_READ,
$base + $x,
$h)
or die "Can't read EventLog entry #$x\n";
print STDERR $progress[$#progress - ($x % @progress)] . "\r";
if ($h->{Source} eq 'Security' and ($h->{EventID} == 560 or $h->{EventID} == 540)) {
Win32::EventLog::GetMessageText($h);
if ($h->{EventID} == 560) {
$h->{Message} =~ /Object Name:[\t ]*(.*?)\r/gis;
my $filename = $1;
$h->{Message} =~ /Client User Name:[\t ]*(.*?)\r/gis;
my $clientusername = $1;
if ($filename) {
if (grep { my $m = $_; $filename =~ /$m/i} @matches) {
printf "%s %5d : %s (%s)\n", getts($h->{TimeGenerated}), $h->{EventID}, $filename, $clientusername;
}
}
} elsif ($h->{EventID} == 540) {
$h->{Message} =~ /User Name:[\t ]*(.*?)\r/gis;
my $username = $1;
$h->{Message} =~ /Workstation Name:[\t ]*(.*?)\r/gis;
my $workstation = $1;
$h->{Message} =~ /Source Network Address:[\t ]*(.*?)\r/gis;
my $addr = $1;
printf "%s %5d : %s (%s - %s)\n", getts($h->{TimeGenerated}), $h->{EventID}, $workstation, $addr, $username
if $workstation or $addr;
}
}
$x--;
}

exit;

In italian, sorry. Look here for an english equivalent and here for more info. ↩

Shared folder access from Windows CE

Giuliano — Tue, 19 Jan 2010 16:30:14 +0000

Scenario:

Headquarter (HQ) connected (MPLS VPN) to some branch sites.
In some of the branches, a Check Point UTM-1 Edge X (SofaWare) sits between the wireless and wired networks, enforcing security policies between them.
The two networks are bridged together (Layer 2) by the firewall.
The wireless LAN is used by some kind of next gen Barcode Scanner: an embedded device with Windows CE .NET 4.2, also able to act as a Terminal Services client.

Customer wants to install some software on the scanners, downloading it from a shared folder residing on one of HQ servers. I add the necessary (and temporary) rules on the firewalls, but the folder still cannot be reached. Windows CE complains that “The network path was not found” but the rules look good.

Luckily, the Edge firewalls provide a packet sniffer, allowing us to further investigate the issue. Just connect to the web based interface of UTM-1/SofaWare, go to Setup → Tools → Sniffer, choose a filter string (using the familiar libpcap/tcpdump syntax), select the interface (“bridge”, in my case), and you’re set. Captured packets can then be downloaded to your PC and opened up in Wireshark.

We came up with a bunch of peculiar NetBIOS Name query requests/answers:

$ tshark -r sniffer4.cap
1 0.000000 192.168.2.3 -> 192.168.1.10 NBNS Name query NB HQSERVER<20>
2 0.028436 192.168.1.10 -> 192.168.2.3 NBNS Name query response
3 1.001397 192.168.2.3 -> 192.168.2.255 NBNS Name query NB HQSERVER<20>
4 1.251460 192.168.2.3 -> 192.168.2.255 NBNS Name query NB HQSERVER<20>
5 1.502820 192.168.2.3 -> 192.168.2.255 NBNS Name query NB HQSERVER<20>

Some hostnames, for clarity:

192.168.2.3 : BOSCANNER
192.168.1.10 : HQDC1
192.168.1.20 : HQSERVER

The Barcode Scanner (Client) asks one of the DNS/Domain Controllers in HQ if it is called HQSERVER. But HQSERVER is the server we’re trying to connect to from the Scanner (by means of \\HQSERVER\sharename)! Why in the world the device should directly ask HQDC1 if it is called HQSERVER? Using an unicast NetBIOS query, too? Obviously HQDC1 answers “no, it’s not me” (Requested name does not exist)… The Scanner then broadcasts the same query to its local network segment, but since HQSERVER sits in Headquarter, it gets no answer and generates the error “The network path was not found”.
Turns out that \\192.168.1.20\sharename causes the same dialoque, with a NetBIOS name query that seemingly asks for a server named “192.168.1.20″. It’s as if in Windows CE, UNC paths could only use names, not IP addresses.

Well, the Customer didn’t have enough time for me to properly solve/understand the issue but we worked around it by:

Assigning a static IP to the Windows CE device.
In the TCP/IP settings of Windows CE, use 192.168.1.20 (HQSERVER – where the shared folder is hosted) as DNS and WINS server.
Copy the needed files from the network share and revert back to DHCP.

Step two makes the Client send NetBIOS name queries to HQSERVER instead of HQDC1. This allows shared folder access to work.

Executing processes as the SYSTEM user

Giuliano — Fri, 08 Jan 2010 22:05:08 +0000

On MS Windows operating systems, many processes run under the NT AUTHORITY\SYSTEM account, be them scheduled tasks or services.
Sometimes it’s useful to run cmd.exe as the SYSTEM user and see what’s going on. Here’s a nifty trick to do it.

C:\Documents and Settings\giuliano>time /t
17:10

C:\Documents and Settings\giuliano>at 17:11 /interactive cmd.exe
Added a new job with job ID = 1

C:\Documents and Settings\giuliano>

Basically you check what time it is and schedule cmd.exe to run on the next minute. You do that by means of the at.exe OS command.

When the time comes, a Command Prompt window should pop-up. It runs under the SYSTEM account:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
nt authority\system

C:\WINDOWS\system32>

Each process you run from there, also runs as SYSTEM. If you run regedit.exe, for instance, you can import registry data into the SYSTEM user’s hive. Today I used this tecnique to export/import Putty’s settings (they are stored in the registry) in order to make plink.exe, as run from a UPS monitoring Agent, see a pre-configured SSH “Session” (hostname, login username, private key, …). I needed the Agent to shut down a bunch of Linux servers when the battery charge was running low: plink.exe on Windows side and sudo on the Linux one, did the job.

For completness sake, here‘s a post on the same subject. It also deals about Vista/Windows Server 2008 and how to achieve our goal using PsExec.