This Blog is a supplement to my website. Please also visit: www.DavidCocke.com

Saturday, May 20, 2017

Detecting Machines Vulnerable to Eternal Blue (WannaCry)

May 20, 2017

Background
After the recent WannaCry Ransomware scare, we needed a reliable way to scan our customer's networks to show which Windows machines are still vulnerable.

As you may know, the WannaCry Ransomware spreads by taking advantage of a stolen/leaked NSA cyber-weapon known as EternalBlue.  EternalBlue exploits a flaw in the Windows implementation of SMBv1.  We've already had reports that other variants of WannaCry are appearing, and they too take advantage of the EternalBlue SMB vulnerability.  One of the notable variants is called BlueDoom.

First of all, I cannot take credit for the concept of this scanning method, nor the Nmap script used to perform this vulnerability scan.

This article was helpful to me:
https://www.secarma.co.uk/wannacry-worlds-first-global-ransomware-attack/

After trying multiple types of Nmap scripts, I can say this was one that actually worked:
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse

Using this method, we found a variety of vulnerable machines including Windows XP, Windows 7, and Windows Server 2012 R2.  The most interesting device we found was an X-Ray Film printer that uses Microsoft Windows 2000 as its operating system.  Before the scan, we had no idea the printer ran on any Windows OS.

How to Scan
Download the latest version of Nmap here (We like ZenMap):
https://nmap.org/zenmap/

Given the connection limit of Windows workstation operating systems, we recommend that you do your scans from a Windows Server OS.

Save the Nmap script found here:
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse

To a text file named: smb-vuln-ms17-010.nse
Then copy the smb-vuln-ms17-010.nse file to this folder: 
C:\Program Files (x86)\Nmap\scripts

Execute your Nmap scans from a CMD prompt.

Example of scanning a single Host IP and seeing the results on the screen:
nmap -p 445 --script=smb-vuln-ms17-010.nse 192.168.10.14

Example of scanning an entire subnet and piping the results to a text file:
nmap -p 445 --script=smb-vuln-ms17-010.nse 192.168.10.1-255 >>c:\temp\wannacry.txt

We recommend using Notepad++ to view the file, but whichever text editor you use, search for the word "Vulnerable" to see if the scan discovered any vulnerable machines.
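One way to pull the findings out of that text file instead of searching it by hand, as an added example that is not from the original post: the scan text below is constructed, and the layout of the host-script block is an assumption about how Nmap's vulns library prints a finding. It also separates hosts that answered on port 445 without a finding, which deserve a second look rather than a clean bill of health.

```python
"""Pull the hosts flagged by smb-vuln-ms17-010 out of the scan output text file."""
import re

# Constructed sample of the kind of file the subnet scan above writes.  The
# host-script lines follow the layout of Nmap's vulns library ("State:
# VULNERABLE"); that layout is an assumption, not captured output.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.10.14
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for 192.168.10.20
Host is up (0.0009s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 192.168.10.31
Host is up (0.0030s latency).
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""

HOST_HEADER = re.compile(r"^Nmap scan report for (.+)$", re.MULTILINE)


def split_hosts(scan_text):
    """Yield (host, block) pairs, one per 'Nmap scan report for' section."""
    headers = list(HOST_HEADER.finditer(scan_text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(scan_text)
        yield m.group(1).strip(), scan_text[m.end():end]


def classify_hosts(scan_text):
    """Map host -> 'vulnerable', 'smb-open' or 'smb-closed'."""
    # 'smb-open' means 445 answered but the script reported nothing: patched,
    # SMBv1 disabled, or the check could not run.  Review it, don't assume clean.
    result = {}
    for host, block in split_hosts(scan_text):
        if "smb-vuln-ms17-010" in block and "State: VULNERABLE" in block:
            result[host] = "vulnerable"
        elif re.search(r"^445/tcp\s+open\b", block, re.MULTILINE):
            result[host] = "smb-open"
        else:
            result[host] = "smb-closed"
    return result


def vulnerable_hosts(scan_text):
    """Sorted list of hosts the script flagged, for the report to the customer."""
    return sorted(h for h, s in classify_hosts(scan_text).items() if s == "vulnerable")
```

Point `classify_hosts` at the contents of c:\temp\wannacry.txt to get the same breakdown for a real scan.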




Sunday, October 18, 2015

Controlling Services when using Veeam Pre and Post Scripts

Housekeeping note: Yesterday I posted a similar article, but after learning the behavior of Pre-Freeze scripts, had to rewrite the article.  The previous article has been deleted.


Background
 

We had a particular Veeam Backup & Replication Job that began taking an inordinately long time to complete, and during the job the guest VM's CPU usage would skyrocket. Upon closer inspection we found that the actual backup time wasn't that long; the problem was in deleting the snapshot.  As you may know if you use Veeam, when a job begins, Veeam instructs the VMware Host to take a snapshot of the virtual machine.  When the Veeam backup completes, it then instructs the VMware Host to delete the snapshot.  It was the process of deleting the snapshot (or, to be more precise, committing all of the changes since the snapshot was first taken) that was taking so long.

The problematic virtual machine in this case is Windows Server 2012 running an application called EventSentry, which uses a PostgreSQL database.  This issue could theoretically occur with any application running on a virtual machine that does a lot of Disk I/O while a VMware snapshot is in place.  Simply put, the more disk changes that occur while the snapshot is in place, the longer it will take to delete the snapshot (commit the changes).

After some experimenting we found that if we first stopped the EventSentry Database service (which stops the PostgreSQL database), then the Veeam Backup jobs would complete much more quickly and the CPU on the guest VM being backed up remained stable.  In fact, jobs that previously took 2.5 hours to complete would take less than an hour with the application's database stopped.


Possible Solutions

OK.  So this should be simple.  Just figure out a way to stop the EventSentry Database Service before the Veeam job starts, and then restart the service once the job completes.  Well, in my case it was not quite so simple to figure out, which is why I'm writing this Blog post about it.

Veeam offers a means to run scripts before and after for either the entire Job or for a specific host within the job.  

  • The scripts you run before and after a job are referred to as Pre-Job and Post-Job Scripts.  
  • The scripts you run for a specific guest VM are referred to as Pre-Freeze and Post-Thaw scripts.

Pre-Freeze and Post-Thaw Scripts

It's actually VMware Tools that provides the Pre-Freeze and Post-Thaw script function.  Veeam just copies the scripts you choose to the guest VM, then uses the function within the VMware Tools installed on that guest VM to actually run them.

So, we created a simple script that contained the command NET STOP "EventSentry Database" and configured that to be the Pre-Freeze script.  But when the Veeam job would run we would get an error in Veeam that said "Exit Code: 5".  Not very helpful.

Veeam offers great documentation on how to use these Pre-Freeze scripts but no help at all for troubleshooting:
http://helpcenter.veeam.com/backup/80/hyperv/backup_job_vss_scripts_hv.html

From the beginning we suspected it was some type of permissions issue.  We assumed however that VMware Tools was executing the scripts using the local System account.  Turns out, it executes the scripts using the same credentials you provided the Veeam Backup job to do the "Guest Processing".  Makes sense once you know this.

From the problematic virtual machine, if we opened a Command Prompt (not as Administrator) we found that we could not even manually stop the service using the command NET STOP "EventSentry Database".  Windows would give an error: "System error 5 has occurred.  Access is denied."  So that's where the Exit Code 5 came from in the Veeam error message.

The user account we tried the command from also happens to be a Domain Admin, so why could we not stop and restart this service?  It turns out that with this particular service (EventSentry Database), only the local Administrators and the local System account had permission to do so.

The Permissions Fix
 

After some Googling, we found that you can edit the security permissions of a service using the SC.exe command, but a much faster and friendlier method was to use a utility called Service Security Editor, which we found here:  http://www.coretechnologies.com/products/ServiceSecurityEditor/

Using this very easy-to-use tool we were able to quickly select the EventSentry Database service, see its current permissions, and add the domain username we needed to give rights to stop and start this particular service.  Thank you Core Technologies Consulting, LLC.  This saved me tremendous time, and it also helped to be able to visually see the security permissions on other services as well.



Pre-Freeze and Post-Thaw Scripts Didn't Help


After all of that work, we discovered that this was not helping us in our particular situation.  We assumed that a Pre-Freeze script would run before the VMware snapshot (which it does) and the Post-Thaw script would run after the snapshot was deleted (it does not).  The Post-Thaw script runs immediately after the snapshot is created.  Therefore when the job ran it would stop the EventSentry service, take a VMware snapshot, then restart the service.  The snapshot happens so fast that we initially thought the script wasn't working.

Now we understand that Pre-Freeze and Post-Thaw are meant to help you with applications that are not Microsoft VSS-aware (Volume Shadow Copy).  This allows you to stop the process only during snapshot creations so that you have a clean snapshot image.  Apps that are VSS-aware do not need these scripts since VMware Tools uses VSS to quiesce apps such as Microsoft SQL databases during snapshot creation.

Pre-Job and Post-Job Scripts

Since the above was NOT doing what we needed we had to revert to using Veeam's Pre-Job and Post-Job scripts. 

The frustrating part (to me) about this option is that if you are backing up multiple VMs with one job, the service being stopped will remain offline while all of the other VMs are being backed up.  Thus you have to create a single Veeam job for the specific VM you wish to stop the services for.

OK, so we follow their instructions here: http://helpcenter.veeam.com/backup/80/vsphere/backup_job_advanced_advanced_vm.html

Once again I assumed incorrectly how this process works.  I assumed it would behave much like the Pre-Freeze script in that Veeam would copy your script to the guest and execute it using the user context defined in the Guest Processing.  Not at all correct.

Instead, Pre-Job and Post-Job scripts run on the Veeam Server and not on the guest.  This means that if you wish to stop a service on the guest you cannot use the NET STOP command.  Instead you have to use either the SC.exe command or a utility such as PsService.exe.

This also means you may need to convey the username and password in your script.  In our case, the Veeam Server is logged in as the same user (domain admin) that we had previously granted permission to stop/start the service with Service Security Editor.  Thus, using Windows pass-through authentication, we didn't have to specify credentials.  Personally, I wish Veeam would offer a means to execute job scripts using credentials you store within Veeam, just as they do with other facets of Veeam.

In our case, we used this command in the Pre-Job Script
 sc.exe \\nameofguestVM stop eventsentrydatabase

We used this command in the Post-Job Script
 sc.exe \\nameofguestVM start eventsentrydatabase

Finally!  This accomplished what we were after.

In Summary 


When you need to stop/start a Windows Service during a Veeam Backup job, the first thing to determine is whether you just need to quiesce a non-VSS-aware application only during the creation of the snapshot.  If so, use the Pre-Freeze and Post-Thaw method.

If you need the service stopped during the entire job, use the Pre-Job and Post-Job method.

Either way, understand the username context the method will be using.  Although this may not be true with every Windows service, you may have to use a utility such as Service Security Editor to grant that user the rights to stop and start that service.

Pre-Freeze scripts use the credentials you defined in the "Guest Processing" section of the job and they run from the guest VM being backed up.  Pre-Job scripts use the credentials under which the Veeam service is running, and they run from the Veeam server and NOT the guest VM.


As always, hoping this helps someone else in the future.

Tuesday, July 15, 2014

Set Default Printer for All Users

One of our customers has been complaining that as different people log on to a particular Windows 7 computer, they always have to manually set the default printer.  The default printer is different for each person that logs in, and the choice Windows makes is inconsistent.

You could use Group Policy to specify the default printer, but this seemed like overkill considering we are only having this issue on one computer.  In searching the forums, I found a reference to this website: http://www.robvanderwoude.com/2kprintcontrol.php

This led me to learn about the PRINTUI.exe command.  At a CMD prompt, if you type printui and {ENTER} you will see a list of available command line options.

In our case, we clicked START, Devices and Printers, right-clicked on the printer that we wanted to set as the default printer, and chose "Printer Properties".  We then copied the name of the printer, exactly as it appears at the top of the General tab, to the clipboard to use in the next step.

We then created a SetDefaultPrinter.cmd file and placed it in the All Users Startup folder:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

The contents of the SetDefaultPrinter.cmd contains just one line:
printui.exe /y /n "HP LaserJet P3011/P3015 PCL6"

The "y" tells it to set the default printer and "n" is the name of the printer you want.

Now, no matter who logs into that PC, this command will automatically run and correctly set the default printer.



Thursday, October 10, 2013

Using Your Face Tags for Your Contacts Instead of Theirs

Ever since I learned how to use Picasa to comb through my photos and gather the faces of people I know (using facial recognition) and then quickly assigning the best one of those thumbnails of their face as their picture in my Contacts, I've been on a long campaign to get all of my Contacts to have their picture.

Having close to a thousand contacts, this was/is quite a project.  However, well worth the effort because seeing their face in my Outlook Contacts, Outlook Emails, Meeting Notices, or on my Android phone or iOS devices is not only cool, it's a time saver.

Recently, I became the proud owner of a new Samsung Galaxy Note 3 phone.  After getting all of the apps installed and my contacts and calendars synchronized, I suddenly realized that for my friends that also have a Google+ account, their photos they picked as their Google+ photo was now the photo used in "my" contacts.

If you're someone that hadn't previously invested the time to create contact photos, this might be a magical blessing.  But for me, this was not desirable at all.

For example, I had selected a photo of a co-worker for his entry in my contacts:

But on my new phone his Contact photo looked like this:

Because that is the photo he chose to use on his Google+ account.

I went back to Picasa on my computer to try and fix this.  Even there, his default contact photo had changed to his Google+ photo.  Although it could be changed in Picasa, and the new photo selected for him did indeed show in my Gmail Contacts, his Google+ photo was still the one showing on my phone.

I ultimately discovered that the fix for this behavior is contained in the Google+ app on my Android phone.

Follow these steps:
  • Open Google+ app
  • Go to Settings (within the app)
  • Under the Account Settings heading, click on your Google account name and email address
  • Click on Contacts
  • Un-check  "Keep contacts up to date"

With this un-checked, the photos I had previously chosen for my contacts reappeared.  This may also explain some weirdness I've had surrounding phone numbers in my contacts, in that on some contacts I've had additional phone numbers for them appear, sometimes duplicate phone numbers.
 
This may or may not be an issue for iPhone users.  When you install the Google+ app on the iOS device and login to Google+ you are asked if you want Google+ to access your Contacts.  If you allow it, then it could be an issue (or a blessing, depending upon your perspective).

Friday, September 27, 2013

More Issues with Google Toolbar on Firefox 24.0

Those of you that follow my blog know that I am addicted to the Google Toolbar and have struggled to keep it going in Firefox despite the fact that Google no longer supports it in Firefox.

See my previous posts on this topic:
Now, with Firefox version 24.0 we have yet another issue.  With the Google Toolbar Add-On extension installed and enabled, you can no longer open a new tab in Firefox.  You can open a second instance of Firefox, but when you click on the New Tab button (the + sign) or press Ctrl-T nothing happens.  Oddly, if you disable the Google Toolbar for Firefox extension, then all of the new tabs you previously requested suddenly appear.

The only work-around found so far is to press the CTRL key as you click a link or right-click a link and choose, "Open Link in New Tab".  Once the new Tab is open, then use that tab for what you need.  Another possibility is to downgrade to Firefox version 23.

Another tip: type about:blank in the address bar and hit Enter, which gives you a blank page, then save that page in the Bookmarks Toolbar.  Now you have a quicker way to right-click on a link to get a new tab to work with.

Update (10/2/2013)
Many thanks to John Tombs who alerted me to a fix (workaround) to this issue.

In a post on this forum: https://support.mozilla.org/en-US/questions/967747#answer-485381 a user called WhopperCock said:
"Type about:config into your browser, then type browser.newtab.preload into the long search bar that appears, then set the Value to False, restart browser and it should be working fine just like it did for me."
This worked perfectly for me.  Hope it will help others as well.  And thank you WhopperCock, whomever you are, for posting the fix.

Wednesday, September 11, 2013

Desktop Icons Missing

A user reported that all of their Windows Desktop icons and shortcuts were missing on their Windows XP Service Pack 3 computer.  It was immediately assumed they had been bitten by malware, and they had.  We ran several scans with various packages to clean up this PC, but still the Desktop icons were missing.

We then discovered that restoring these Desktop icons and shortcuts was super easy because hiding them, as it turns out, is an "option" in Windows.

So it was simply a matter of right-clicking on the Desktop, choosing Arrange Icons By, and clicking Show Desktop Icons.

It's unclear if the malware turned off the icons or if the user did it by accident.

Thanks to this MS article for helping solve this:
http://support.microsoft.com/kb/330170


Sunday, September 8, 2013

Unable to re-join a computer to a Windows Domain

Last week a co-worker had an interesting (this means frustrating) problem.  The hard drive in a Windows XP SP3 desktop computer was bad.  He replaced it and then restored the backup image using Symantec System Recovery.

Unfortunately it wouldn't let him log in to the Active Directory domain after the restore.  We have run into this before, and in the past we simply log in to the PC as a local administrator, un-join the computer from the domain, and then re-join it to the domain.

This time, however, when he un-joined from the domain, it didn't really do it.  The computer was still listed in Active Directory.  So he manually deleted it from Active Directory.

When he went to re-join the computer to the domain, he kept getting this message:

"Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again."

We repeatedly used this command to see if there were any active connections:
net use

And then this command to delete all connections (even though there were none listed):
net use * /delete

We ultimately figured out the issue was previously mapped network printers were in the list and this was preventing us from re-joining the domain.  We not only had to delete these network printers from the Printers list, but also had to walk the Windows Registry and delete all references to these printers.  Once done, we rebooted the PC and then successfully re-joined the Windows Active Directory Domain.