By: Thomas Faddegon
This is for 2016 server. But it will work for other versions of Windows
[Net.ServicePointManager]::SecurityProtocol += [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
Install-Module PSWindowsUpdate -Confirm:$false
Set-PSRepository -Name "PSGallery" -InstallationPolicy Untrusted
Get-WindowsUpdate -AcceptAll -Install -AutoReboot
Happy Patching 🙂
My use case for a customer was to configure WSUS for a couple of DMZ servers. The DMZ servers are not domain-joined. So I create a PowerShell script to configure the registry so I can easily deploy the settings to the servers.
You can use this script also for non domain-joined servers
# Script for WSUS configuration on non-domain joined servers
# First stop the Windows service
Get-Service -name wuauserv | stop-service
# Variables
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$name1 = "TargetGroup"
$value1 = "Production"
$name2 = "WUServer"
$value2 = "http://wsus.domain.local:8530"
$name3 = "WUStatusServer"
$value3 = "http://wsus.domain.local:8530"
$name4 = "DoNotConnectToWindowsUpdateInternetLocations"
$value4 = "1"
$name5 = "TargetGroupEnabled"
$value5 = "1"
$registryPathAU = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
$nameAU1 = "AUOptions"
$valueAU1 = "3"
$nameAU2 = "UseWUServer"
$valueAU2 = "1"
# Inject registry
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name1 -Value $value1 -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name2 -Value $value2 -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name3 -Value $value3 -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name4 -Value $value4 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name5 -Value $value5 -PropertyType DWORD -Force | Out-Null
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name1 -Value $value1 -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name2 -Value $value2 -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name3 -Value $value3 -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name4 -Value $value4 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $name5 -Value $value5 -PropertyType DWORD -Force | Out-Null
}
IF(!(Test-Path $registryPathAU))
{
New-Item -Path $registryPathAU -Force | Out-Null
New-ItemProperty -Path $registryPathAU -Name $nameAU1 -Value $valueAU1 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $registryPathAU -Name $nameAU2 -Value $valueAU2 -PropertyType DWORD -Force | Out-Null
}
ELSE
{
New-ItemProperty -Path $registryPathAU -Name $nameAU1 -Value $valueAU1 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $registryPathAU -Name $nameAU2 -Value $valueAU2 -PropertyType DWORD -Force | Out-Null
}
# Start the Windows service
Get-Service -name wuauserv | start-service
# Find updates and report to the WSUS server
$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Start-sleep -seconds 10
wuauclt /detectnow
wuauclt /reportnow
c:\windows\system32\UsoClient.exe startscan
I save this file on the WSUS server itself at http://wsus.domain.local:8530/script.txt so I can download and run it from the DMZ environment.
invoke-webrequest -uri http://wsus.domain.local:8530/script.txt -outfile script.ps1
.\script.ps1
Happy updating 🙂
With Powershell ISE you can use CTRL + SPACE for auto completion.
But when you work in a native Powershell window you don’t have this option. And many often you cycle with tab completion trough the powershell and because you press the TAB button too soon you have to remove characters and cycle again trough all the commands.
Unit now 😉
There is an easy fix you can implement so the Powershell have the same auto completion like bash.
notepad $profile for Windows or gedit $profile for LinuxSet-PSReadlineKeyHandler -Key Tab -Function MenuComplete
Happy coding 🙂
Today I update my dual boot system and unfortunately my Debian OS wasn’t booting anymore. The root cause was that Windows decide to reclaim the EFI boot.
The fix is quite easy.
Type mountvol P: /S
Check the EFI boot partition data
And fix your boot the this command:
bcdedit.exe /set {bootmgr} path \EFI\Debian\grubx64.efi
As you can see in the screenshot, this also work for EndeavourOS and Ubuntu and probably for a lot other Linux EFI boot systems.
Happy booting!
I was working for an elementary website of a friend of mine. I pushed the website to GitHub so it’s was way easier to maintain the site.
But I thought it must be easier than transferring all the changes every time by an FTP program. So I found git-ftp and of course FTPS didn’t work out of the box 😉
What you have to do to enable GIT FTP (on Windows)
First start an ssh sessions from powershell
ssh [email protected]This will add the public key to you known host. Otherwise you will get this error later
fatal: Can't access remote 'sftp://SOMEUSER:***@SOMEHOSTNAME'. Network down? Wrong URL? exiting...You can see this with the -vv parameter
git ftp init -vv
Now it’s time to install git-ftp
And install git-ftp (bin is an alias for program files)
$ curl https://raw.githubusercontent.com/git-ftp/git-ftp/master/git-ftp > /bin/git-ftp
$ chmod 755 /bin/git-ftpNo go to your project and enter these commands
git config git-ftp.user SOMEUSERNAME
git config git-ftp.url sftp://SOMEHOSTNAME/public/sites/SOMEWEBSITE/
git config git-ftp.password SOMEPASSWORD
git ftp initAnd the next time you make a change you only have to do
git ftp pushFor linux the steps are much easier.
First start an ssh sessions from bash
ssh [email protected]This will add the public key to you known host. Otherwise you will a error later.
Now install ftp-git
$ sudo apt install git-ftpNo go to your project and enter these commands
git config git-ftp.user SOMEUSERNAME
git config git-ftp.url sftp://SOMEHOSTNAME/public/sites/SOMEWEBSITE/
git config git-ftp.password SOMEPASSWORD
git ftp initAnd the next time you make a change you only have to do
git ftp pushWhen you get an errors like these:
zo 19 dec 2021 23:11:50 CET: Retrieving last commit from sftp://******:***@s*******/public/sites/*********/.
* Trying *********:22...
* Connected to ******* (********) port 22 (#0)
* Found host ******** in /home/******/.ssh/known_hosts
* Set "ecdsa-sha2-nistp256" as SSH hostkey type
* Closing connection 0
curl: (79) Error in the SSH layer
zo 19 dec 2021 23:11:50 CET: fatal: Could not get last commit. Use 'git ftp init' for the initial push. Can't access remote 'sftp://******:***@********'. Network down? Wrong URL? exiting..Then try the --insecure parameter
git ftp push -vv --insecureHappy uploading 🙂
I had to check my DHCP configuration for a Dell Wyse Thin Client. But when you configure specific options like 161 and 162 you don’t see that options in a Wireshark capture during a Windows DHCP request.
Luckily for us CyberShadow created a great tool to test some specific DHCP settings an he even make it open source: https://github.com/CyberShadow/dhcptest
This DHCP tool have 2 great features:
This will only work when you have configured Global DHCP settings.
dhcptest.exe --query --request 161
First I had to figure what the vendor class was. I checked this on the DHCP server:
Or on a Thin client itself:
Then run this command:
dhcptest.exe --query --option "60=wyse-1000"And you will get Vendor Specific Information in Hex.
You can do different things to translate the Hex into readable data.
git clone https://github.com/CyberShadow/dhcptest.git
161 : DHCPOptionSpec("File Server", OptionFormat.str),
162 : DHCPOptionSpec("Root Path to the File Server", OptionFormat.str),dmd dhcptest.dThis will create a exe for you and will translate the Hex to readable format.
Happy sniffing!
I like Wireshark. But I don’t like to install software on a server for troubleshooting purposes. Especially when you need software like PCAP to sniff some network data.
But what you can do is capture data data with netsh, copy the data to your workstation, convert the data so you can read it with wireshark and do you thing.
Run this command to capture the data (elevated command prompt)
netsh trace start capture = yes ipv4.address = x.x.x.xAnd stop the capture when you are done
netsh trace stopCopy the files to you computer
Download the etl2pcapng converter from the MS Github repo: https://github.com/microsoft/etl2pcapng
Convert the data
etl2pcapng.exe NetTrace.etl out.pcapngYou can open the out.pcapng file and do you thing.
Happy Troubleshooting!
For me, this was a pain in the ass for a long time. When I connect to a Windows server through RDP/RDS it sometimes takes more than 2 minutes to connect to a server. Today after some waiting, and waiting and some more waiting I did a deep dive with Wireshark to figure out why it was so slow.
I know for sure the issue should be in my setup. Because when I connect first to a jump host (RDP) and then connect to other domain-joined servers everything was connected almost immediately after I put in my user credentials.
There are four things you have to modify to speed up the initial remote desktop connection speed:
No, you don’t have to negotiate what protocol you have to use to connect a server. Use TLS1.2 or I don’t want to connect with you 😉 So:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\ClientEnabled 0 (Hex)
What I was seeing in my Wireshark capture is that RDP was trying to broadcast to get information over NETBIOS. You have a DNS server so you don’t need a legacy broadcast protocol! Unfortunately, I don’t have any screenshot of the capture but you can always check yourself 😉
Change the VPN Adapter and reboot the computer:
After connection to a server with RDP and you enter the credentials Windows is trying constantly to WPAD.domain.local to autoconfigure itself. WPAD stands for Web Proxy Auto-Discovery and I think you never want to autoconfigure a MITM ehh proxy device. You always want to have full control of your device. So, disable this to speed up the connection and make your device more secure.
I found out that this is the most annoying and time consuming one. I always use DOMAIN\User when I connect to a server. But this is what happens:
Kerberos is doing a DNS query on _kerberos._tcp.dc._msdcs.domain.domain.tld and of course he will never can find that double domain A record. But if you change the logon name to domain.tld\admin or [email protected] Kerberos will find the A record and connects immediately 🙂
And even now it’s possible to tune the Kerberos authentication further and fix the last KRB5KDC_ERR_PREAUTH_REQUIRED error you can see in the screenshot. Maybe next time but for now I’m happy with the initial connection speed 🙂
Happy hack ehh… connecting!
So I configure a “configure automatic updates” policy for testing purposes but the auto-update and installation won’t work. The main cause….? Lack of patience 😉
How this Policy works (source):
The Windows Update Agent periodically checks the WSUS server for updates. Updates it finds, it reports state for: Installed, Not Installed, Not Applicable. If a “Not Installed” update is approved and available, the WUA queues the installation files for download if the Configure Automatic Updates policy is set to AUOption ‘3’ or ‘4’.
The download occurs via Background Intelligent Transfer Service (BITS) subsequent to the WUA finding the update as available for download.
When the download of the update is completed, the WUA does one of two things:
So bottom line; the updates must first be downloaded on the client and ONLY then will Windows apply the “Automatically download updates and install them on the schedule specified” action
To force a client (source):
$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Start-sleep -seconds 10
wuauclt /detectnow
wuauclt /reportnow
c:\windows\system32\UsoClient.exe startscan
After this commands BITS will download the updates and prepare the installation. When you start Windows update you can see the available update
The default of the WSUS communication check-in (report and detect) is 22 hours. If you don’t want to wait so long you can change the “automatic updates detection frequency” to every hour (do not to this every hour on production policies!)
And now wait till the magic happens 🙂
Last but now least. When you change setting in the “configure automatic updates” policy you can trigger the client with powershell so you don’t have to reboot the client
gpupdate /force
net stop wuauserv
net start wuauserv
(new-object -Comobject Microsoft.Update.AutoUpdate).Detectnow()
You get get more information about Windows update log with the command.
Get-WindowsUpdateLog
Happy updating!
OK… Even with all the tips. Sometimes you need rename the software distribition folder also so I present to you: The PLZ GIVE ME ******* UPDATES NOW SCRIPT!!!! (runas admin)
gpupdate /force Start-sleep -seconds 10 Stop-Service -Name BITS, wuauserv -Force Remove-Item "$env:SystemRoot\SoftwareDistribution\" -Recurse -Force -ErrorAction SilentlyContinue Start-Service -Name BITS, wuauserv $updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates Start-sleep -seconds 10 wuauclt /detectnow wuauclt /reportnow (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
Sometimes you want to test a mail application without spamming the internet with your garbage. Use can user Papercut to local test your mail application.
URL: https://github.com/ChangemakerStudios/Papercut/releases
