Git SFTP

I was working for an elementary website of a friend of mine. I pushed the website to GitHub so it’s was way easier to maintain the site.

But I thought it must be easier than transferring all the changes every time by an FTP program. So I found git-ftp and of course FTPS didn’t work out of the box 😉

Windows

What you have to do to enable GIT FTP (on Windows)

First start an ssh sessions from powershell

ssh username@SOMEHOSTNAME

This will add the public key to you known host. Otherwise you will get this error later

fatal:  Can't access remote 'sftp://SOMEUSER:***@SOMEHOSTNAME'. Network down? Wrong URL? exiting...

You can see this with the -vv parameter

git ftp init -vv

Now it’s time to install git-ftp

  • First go to c:\program files\git
  • Then run git-bash as administrator

And install git-ftp (bin is an alias for program files)

$ curl https://raw.githubusercontent.com/git-ftp/git-ftp/master/git-ftp > /bin/git-ftp
$ chmod 755 /bin/git-ftp

No go to your project and enter these commands

git config git-ftp.user SOMEUSERNAME
git config git-ftp.url sftp://SOMEHOSTNAME/public/sites/SOMEWEBSITE/
git config git-ftp.password SOMEPASSWORD
git ftp init

And the next time you make a change you only have to do

git ftp push

Linux (Debian)

For linux the steps are much easier.

First start an ssh sessions from bash

ssh username@SOMEHOSTNAME

This will add the public key to you known host. Otherwise you will a error later.

Now install ftp-git

$ sudo apt install git-ftp

No go to your project and enter these commands

git config git-ftp.user SOMEUSERNAME
git config git-ftp.url sftp://SOMEHOSTNAME/public/sites/SOMEWEBSITE/
git config git-ftp.password SOMEPASSWORD
git ftp init

And the next time you make a change you only have to do

git ftp push

When you get an errors like these:

zo 19 dec 2021 23:11:50 CET: Retrieving last commit from sftp://******:***@s*******/public/sites/*********/.
*   Trying *********:22...
* Connected to ******* (********) port 22 (#0)
* Found host ******** in /home/******/.ssh/known_hosts
* Set "ecdsa-sha2-nistp256" as SSH hostkey type
* Closing connection 0
curl: (79) Error in the SSH layer

zo 19 dec 2021 23:11:50 CET: fatal: Could not get last commit. Use 'git ftp init' for the initial push. Can't access remote 'sftp://******:***@********'. Network down? Wrong URL? exiting..

Then try the --insecure parameter

git ftp push -vv --insecure

Happy uploading 🙂

DHCP Test Tool

I had to check my DHCP configuration for a Dell Wyse Thin Client. But when you configure specific options like 161 and 162 you don’t see that options in a Wireshark capture during a Windows DHCP request.

Luckily for us CyberShadow created a great tool to test some specific DHCP settings an he even make it open source: https://github.com/CyberShadow/dhcptest

This DHCP tool have 2 great features:

  1. You can do a request for specific DHCP option
  2. You can send a vendor class so in my case I can pretend to be a Wyse Thin client.

DHCP Request Option

This will only work when you have configured Global DHCP settings.

dhcptest.exe --query --request 161

DHCP Vendor Class

First I had to figure what the vendor class was. I checked this on the DHCP server:

Or on a Thin client itself:

Then run this command:

dhcptest.exe --query --option "60=wyse-1000"

And you will get Vendor Specific Information in Hex.

You can do different things to translate the Hex into readable data.

  1. Compile the open source yourself yourself and create a output in a string
  2. Use a (online) hex convertor
  3. Open wireshark during the capture. Wireshark will translate this for you 🙂

Compile the tool

  • Download the git repo
git clone https://github.com/CyberShadow/dhcptest.git
  • Edit the file (add these 2 lines)
161 : DHCPOptionSpec("File Server", OptionFormat.str),
162 : DHCPOptionSpec("Root Path to the File Server", OptionFormat.str),
dmd dhcptest.d

This will create a exe for you and will translate the Hex to readable format.

Happy sniffing!

Windows network package capture without installing anything (on the server)

I like Wireshark. But I don’t like to install software on a server for troubleshooting purposes. Especially when you need software like PCAP to sniff some network data.

But what you can do is capture data data with netsh, copy the data to your workstation, convert the data so you can read it with wireshark and do you thing.

Capture the data

Run this command to capture the data (elevated command prompt)

netsh trace start capture = yes ipv4.address = x.x.x.x

And stop the capture when you are done

netsh trace stop

Copy the files to you computer

Convert the capture

Download the etl2pcapng converter from the MS Github repo: https://github.com/microsoft/etl2pcapng

Convert the data

etl2pcapng.exe NetTrace.etl out.pcapng

You can open the out.pcapng file and do you thing.

Happy Troubleshooting!

Slow initial RDP connection

For me, this was a pain in the ass for a long time. When I connect to a Windows server through RDP/RDS it sometimes takes more than 2 minutes to connect to a server. Today after some waiting, and waiting and some more waiting I did a deep dive with Wireshark to figure out why it was so slow.

My setup

  • Azure domain joined Windows 10 device (Laptop)
  • Connection over a Cisco Anyconnect VPN
  • Remote Desktop Manager (Devolutions)
  • Native RDP client
  • MremoteNG

Remote VS local

I know for sure the issue should be in my setup. Because when I connect first to a jump host (RDP) and then connect to other domain-joined servers everything was connected almost immediately after I put in my user credentials.

What to do (TL;DR)

There are four things you have to modify to speed up the initial remote desktop connection speed:

  1. Disable SSL / TLS1.0
  2. Disable Netbios on the VPN network adapter
  3. Disable automatic proxy settings in Windows
  4. Change the credential to domain.local\admin or [email protected] instead of domain\admin

Disable SSL / TLS1.0

No, you don’t have to negotiate what protocol you have to use to connect a server. Use TLS1.2 or I don’t want to connect with you 😉 So:

How to

  • Start > Run > Regedit
  • Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
  • If the TLS 1.0 and Client folders doesn’t exists create these keys
  • Create a 32 DWORD value with the name Enabled
  • Value data: 0 (Hex)
  • Restart the client
Enabled = 0

Disable Netbios on the VPN adapter

What I was seeing in my Wireshark capture is that RDP was trying to broadcast to get information over NETBIOS. You have a DNS server so you don’t need a legacy broadcast protocol! Unfortunately, I don’t have any screenshot of the capture but you can always check yourself 😉

How to

Change the VPN Adapter and reboot the computer:

Disable Netbios

Disable the proxy

After connection to a server with RDP and you enter the credentials Windows is trying constantly to WPAD.domain.local to autoconfigure itself. WPAD stands for Web Proxy Auto-Discovery and I think you never want to autoconfigure a MITM ehh proxy device. You always want to have full control of your device. So, disable this to speed up the connection and make your device more secure.

Wireshark Capture WPAD A record

How to

  • Go to settings
  • Search for proxy
  • Switch the Automatically detect settings to Off
  • Restart Windows
Turn WPAD off

Change the login name

I found out that this is the most annoying and time consuming one. I always use DOMAIN\User when I connect to a server. But this is what happens:

Domain.Domain.TLD

Kerberos is doing a DNS query on _kerberos._tcp.dc._msdcs.domain.domain.tld and of course he will never can find that double domain A record. But if you change the logon name to domain.tld\admin or [email protected] Kerberos will find the A record and connects immediately 🙂

Top speed!

Kerberos

And even now it’s possible to tune the Kerberos authentication further and fix the last KRB5KDC_ERR_PREAUTH_REQUIRED error you can see in the screenshot. Maybe next time but for now I’m happy with the initial connection speed 🙂

Happy hack ehh… connecting!

Policy WSUS: “Automatically download updates and install them on the schedule specified below” don’t work…!!!?!

So I configure a “configure automatic updates” policy for testing purposes but the auto-update and installation won’t work. The main cause….? Lack of patience 😉

How this Policy works (source):

The Windows Update Agent periodically checks the WSUS server for updates. Updates it finds, it reports state for: Installed, Not Installed, Not Applicable. If a “Not Installed” update is approved and available, the WUA queues the installation files for download if the Configure Automatic Updates policy is set to AUOption ‘3’ or ‘4’.

The download occurs via Background Intelligent Transfer Service (BITS) subsequent to the WUA finding the update as available for download.

When the download of the update is completed, the WUA does one of two things:

  • If the Configure Automatic Updates policy is set to AUOption ‘4’, then the WUA will schedule the update for installation at the scheduled time. This scheduled installation does NOT require access to the WSUS server to be conducted.
  • If the Configure Automatic Updates policy is not set to AUOption ‘4’, then the update will be retained on the client computer until a user launches the Windows Update applet from Control Panel and initiates the installation.

So bottom line; the updates must first be downloaded on the client and ONLY then will Windows apply the “Automatically download updates and install them on the schedule specified” action

To force a client (source):

$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Start-sleep -seconds 10
wuauclt /detectnow
wuauclt /reportnow
c:\windows\system32\UsoClient.exe startscan

After this commands BITS will download the updates and prepare the installation. When you start Windows update you can see the available update

The default of the WSUS communication check-in (report and detect) is 22 hours. If you don’t want to wait so long you can change the “automatic updates detection frequency” to every hour (do not to this every hour on production policies!)

And now wait till the magic happens 🙂

Last but now least. When you change setting in the “configure automatic updates” policy you can trigger the client with powershell so you don’t have to reboot the client

gpupdate /force
net stop wuauserv
net start wuauserv
(new-object -Comobject Microsoft.Update.AutoUpdate).Detectnow()

You get get more information about Windows update log with the command.

Get-WindowsUpdateLog

Happy updating!

OK… Even with all the tips. Sometimes you need rename the software distribition folder also so I present to you: The PLZ GIVE ME ******* UPDATES NOW SCRIPT!!!! (runas admin)

gpupdate /force
Start-sleep -seconds 10
Stop-Service -Name BITS, wuauserv -Force
Remove-Item "$env:SystemRoot\SoftwareDistribution\" -Recurse -Force -ErrorAction SilentlyContinue
Start-Service -Name BITS, wuauserv
$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Start-sleep -seconds 10
wuauclt /detectnow
wuauclt /reportnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

Move a window when you don’t have any focus

Method #1
Won’t work with a maximized Window.

  • Alt-Tab or Click On the Window
  • Press “Alt & Space”
  • Press “M”
  • Use your arrow keys to move the Window
  • Press Enter to exit

Method #2
Will move your Window to the right or left half of the screen in the same manner as dragging a window to the right or left of the screen will.

  • Press the Windows Key & Right Arrow or Left Arrow
  • Move a Window with the Keyboard-right

Method #3
will move your Window one display to the right or left.

  • Press the Windows Key & Shift & Right Arrow or Left Arrow

This is an copy paste from a website. All credits to: http://www.sevenforums.com/tutorials/77361-move-window-keyboard.html

Create a strong self-signed certificate for multiple years

If you follow these steps you can create a self signed certificate with the following specifications:

  • Wildcard certificate
  • SHA256 hash
  • 10 years
  • 2048 bits public key
  • Client and server verification
  • Sha1 fingerprint

Be aware that self-signed certificates can manipulate by a man-in-the-middle. You should not use this in critical production environments.

Please use windows 10 powershell in admin mode. Otherwise you will get errors

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname *.domain.local -NotBefore $([datetime]::now.AddDays(-15)) -NotAfter $([datetime]::now.AddDays(3560))

Now export the certificates. Before you copy/paste change the thumbprint with the thumbprint you get from the above command.

$CertPassword = ConvertTo-SecureString -String "YourPassword" -Force –AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\C6B46CEB7D3A40DB08E78B19FEDD3A24EA7A7919  -FilePath C:\test.pfx -Password $CertPassword
Export-Certificate -Cert Cert:\LocalMachine\My\C6B46CEB7D3A40DB08E78B19FEDD3A24EA7A7919 -FilePath C:\tstcert.cer

Now you can import the PFX with IIS and bind the certificate in IIS.
And import the *.CER in your MMC > Certificates > Computer account > trusted root Certification authority > Certificates

Have fun with your certificate the next 10 years 😀

command-prompt-powershell

Inspiration

BSOD Domain Controller STOP: c00002e2 Directory Services could not start

Today our domain controller had a very bad day and had a bootloop after a reboot. I used recording software to capture the blue screen error: STOP: c00002e2 Directory Services could not start

Then we found a nice article to fix this issue. We had a second working domain controller so if you have the same setup you can use this how to, to fix this problem also. All the credits go to dbutch1976

  1. Restart the server and press F8 key, select Directory Services restore mode.
  2. Log in with the local administrator username and password (hope you remember what you set it to!).
  3. Type cd \windows\system32
  4. type NTDSUTIL
  5. type activate instance NTDS
  6. type files
  7. If you encounter an error stating that the Jet engine could not be initialized exit out of ntdsutil.
  8. type cd\
  9. type md backupad
  10. type cd \windows\ntds
  11. type copy ntds.dit c:\backupad
  12. type cd \windows\system32
  13. type esentutl /g c:\windows\ntds\ntds.dit
  14. This will perform an integrity check, (the results indicate that the jet database is corrupt)
  15. Type esentutl /p   c:\windows\ntds\ntds.dit
  16. Agree with the prompt
  17. type cd \windows\ntds
  18. type move *.log c:\backupad   (or just delete the log files)

This should complete the repair.  To verify that the repair has worked successfully:

  1. type cd \windows\system32
  2. type ntdsutil
  3. type activate instance ntds
  4. type files        (you should no longer get an error when you do this)
  5. type info       (file info should now appear correctly)

Source: https://social.technet.microsoft.com/Forums/windowsserver/en-US/771b97ad-4e1c-4e7c-8617-91601224dd7f/server-core-2008-r2-blue-screen?forum=winserverManagement