NSServices in VMware NSX-T 3.1

I was having issues finding the list of all default NSServices on docs.vmware.com. So with the help of an nsservices.json file I compiled a list.

I have extracted ICMP, ALG, and L4 Port Set.

ICMP

Display Name | Protocol | ICMP type
ICMP | ICMPv4 | 3
ICMP Echo Reply | ICMPv4 | 0
ICMP Echo Request | ICMPv4 | 8
ICMP Redirect | ICMPv4 | 5
ICMP Router Advertisement | ICMPv4 | 9
ICMP Router Solicitation | ICMPv4 | 10
ICMP Source Quench | ICMPv4 | 4
ICMP Time Exceeded | ICMPv4 | 11
ICMPv4-ALL | ICMPv4 |
ICMPv6-ALL | ICMPv6 |
IPv6-ICMP Destination Unreachable | ICMPv6 | 1
IPv6-ICMP Echo Reply | ICMPv6 | 129
IPv6-ICMP Echo Request | ICMPv6 | 128
IPv6-ICMP Multicast Listener Done | ICMPv6 | 132
IPv6-ICMP Multicast Listener Query | ICMPv6 | 130
IPv6-ICMP Multicast Listener Report | ICMPv6 | 131
IPv6-ICMP Neighbor Advertisement | ICMPv6 | 136
IPv6-ICMP Neighbor Solicitation | ICMPv6 | 135
IPv6-ICMP Packet Too Big | ICMPv6 | 2
IPv6-ICMP Parameter Problem | ICMPv6 | 4
IPv6-ICMP Time Exceeded | ICMPv6 | 3
IPv6-ICMP Version 2 Multicast Listener | ICMPv6 | 143

Application Layer Gateway (ALG)

Display name | Destination port
FTP | 21
MS_RPC_TCP | 135
MS_RPC_UDP | 135
ORACLE_TNS | 1521
SUN_RPC_TCP | 111
SUN_RPC_UDP | 111
TFTP | 69

L4 Port Set

Display Name | Protocol | Port
AD Server | TCP | 1024
Active Directory Server | TCP | 464
Active Directory Server UDP | UDP | 464
CIM-HTTP | TCP | 5988
CIM-HTTPS | TCP | 5989
DCM Java Object Cache port | TCP | 7100
DHCP, MADCAP | UDP | 2535
DHCP-Client | UDP | 68
DHCP-Server | UDP | 67
DHCPv6 Client | UDP | 546
DHCPv6 Server | UDP | 547
DNS | TCP | 53
DNS-UDP | UDP | 53
Directory Services | TCP | 5725
EdgeSync service | TCP | 50636
EdgeSync service/ADAM | TCP | 50389
Enterprise Manager RMI port | TCP | 1850
Enterprise Manager Reporting port | TCP | 3339
Enterprise Manager Servlet port SSL | TCP | 1810
Enterprise ManagerAgent port | TCP | 1831
Exchange ActiveSync | UDP | 2883
For X.400 connections over TCP | TCP | 102
H323 Call Signaling | TCP | 1720
H323 Gatekeeper Discovery | UDP | 1718
HBR Server App | TCP | 5480
HTTP | TCP | 80
HTTPS | TCP | 443
HTTPS, net.tcp binding | TCP | 32843,32844,32845
IBM DB2 | TCP | 5000
IKE (Key Exchange) | UDP | 500
IKE (NAT Traversal) | UDP | 4500
IMAP | TCP | 143
IMAP_SSL | TCP | 993
ISAKMP | UDP | 500
Java Object Cache port | TCP | 7000
KERBEROS | TCP | 88
KERBEROS-TCP | TCP | 88
KERBEROS-UDP | UDP | 88
LDAP | TCP | 389
LDAP Global Catalog | TCP | 3268
LDAP-UDP | UDP | 389
LDAP-over-SSL | TCP | 636
LDAP-over-SSL-UDP | UDP | 636
Log Loader | TCP | 44000
MGCP (TCP) | TCP | 2428
MGCP (UDP) | UDP | 2427
MS Customizable | TCP | 64327
MS Replication service | TCP | 808
MS Unified Messaging server | TCP | 5060,5061,5062
MS Unified Messaging server - Client Access | TCP | 5075,5076,5077
MS Unified Messaging server-Phone | TCP | 5060,5061,5065,5066,5067,5068
MS-DS | TCP | 445
MS-DS-TCP | TCP | 445
MS-DS-UDP | UDP | 445
MS-SQL-M | UDP | 1434
MS-SQL-M-TCP | TCP | 1434
MS-SQL-S | TCP | 1433
MSN (TCP) | TCP | 1863
MSN (UDP) | UDP | 1863
Microsoft Media Server (TCP) | TCP | 1755
Microsoft Media Server (UDP) | UDP | 1755
MySQL | TCP | 3306
NBDG-Broadcast-V1 | UDP | 138
NBNS-Broadcast-V1 | UDP | 137
NFS (TCP) | TCP | 2049
NFS (UDP) | UDP | 2049
NFS Client | TCP | 111
NFS Client UDP | UDP | 111
NFS-Server-TCP | TCP | 2049
NFS-Server-UDP | UDP | 2049
NNTP | TCP | 119
NNTP_SSL | TCP | 563
NTP | UDP | 123
NTP Time Server | UDP | 123
NetBios Datagram (TCP) | TCP | 138
NetBios Datagram (UDP) | UDP | 138
NetBios Name Service (TCP) | TCP | 137
NetBios Name Service (UDP) | UDP | 137
NetBios Session Service (TCP) | TCP | 139
NetBios Session Service (UDP) | UDP | 139
OC4J Forms / Reports Instance | TCP | 8888
OC4J Forms / Reports Instance (8889) | TCP | 8889
ORACLE-FORM-SERVICES | TCP | 9000
ORACLE-HTTP | TCP | 7777
ORACLE-XDB-FTP | TCP | 2100
OS Agent | TCP | 14000
Office Server Web Services, HTTP, SSL | TCP | 56737,56738
Office communication server | TCP | 5075,5076,5077
Oracle | TCP | 1521
Oracle Connection Manager (CMAN) | TCP | 1630
Oracle Connection Manager Admin (CMAN) | TCP | 1830
Oracle Enterprise Manager Web Console | TCP | 5500
Oracle Forms Server 6 / 6i | TCP | 9000
Oracle GIOP IIOP | TCP | 2481
Oracle GIOP IIOP for SSL | TCP | 2482
Oracle HTTP Server Diagnostic Port | TCP | 7200
Oracle HTTP Server Jserv port | TCP | 8007
Oracle HTTP Server Port Tunneling | TCP | 7501
Oracle HTTP Server SSL port | TCP | 4443
Oracle HTTP Server listen port | TCP | 7778
Oracle HTTP Server port | TCP | 7777
Oracle Intelligent Agent (1748) | TCP | 1748
Oracle Intelligent Agent (1754) | TCP | 1754
Oracle Intelligent Agent (1808) | TCP | 1808
Oracle Intelligent Agent (1809) | TCP | 1809
Oracle Internet Directory(SSL) | TCP | 636
Oracle Internet Directory(SSL, 4031) | TCP | 4031
Oracle Internet Directory(non-SSL) | TCP | 389
Oracle Internet Directory(non-SSL, 4032) | TCP | 4032
Oracle JDBC for Rdb Thin Server | TCP | 1701
Oracle Names | TCP | 1575
Oracle Net Listener | TCP | 1526
Oracle Net Listener / Enterprise Manager Repository port | TCP | 1521
Oracle Notification Service local port | TCP | 6100
Oracle Notification Service remote port | TCP | 6200
Oracle Notification Service request port | TCP | 6003
Oracle OC4J AJP | TCP | 3301
Oracle OC4J IIOP | TCP | 3401
Oracle OC4J IIOPS1 | TCP | 3501
Oracle OC4J IIOPS2 | TCP | 3601
Oracle OC4J JMS | TCP | 3701
Oracle OC4J RMI | TCP | 3201
Oracle SOAP Server | TCP | 9998
Oracle Times Ten (15000) | TCP | 15000
Oracle Times Ten (15002) | TCP | 15002
Oracle Times Ten (15004) | TCP | 15004
Oracle TimesTen | TCP | 4662
Oracle TimesTen (4758) | TCP | 4758
Oracle TimesTen (4759) | TCP | 4759
Oracle TimesTen (4761) | TCP | 4761
Oracle TimesTen (4764) | TCP | 4764
Oracle TimesTen (4766) | TCP | 4766
Oracle TimesTen (4767) | TCP | 4767
Oracle XMLDB FTP Port | TCP | 2100
Oracle XMLDB HTTP port | TCP | 8080
Oracle-2 | TCP | 1526
Oracle9iAS Clickstream Collector Agent | TCP | 6668
Oracle9iAS Web Cache Admin port | TCP | 4000
Oracle9iAS Web Cache HTTP Listen(SSL) port | TCP | 4444
Oracle9iAS Web Cache HTTP Listen(non-SSL) port | TCP | 7779
Oracle9iAS Web Cache Invalidation port | TCP | 4001
Oracle9iAS Web Cache Statistics port | TCP | 4002
OracleAS Certificate Authority (OCA) - Mutual Authentication | TCP | 4401
OracleAS Certificate Authority (OCA) - Server Authentication | TCP | 4400
PC Anywhere (TCP) | TCP | 5631
PC Anywhere (UDP) | UDP | 5632
POP3 | TCP | 110
POP3_SSL | TCP | 995
PostgreSQL | TCP | 5432
PostgresSQL | TCP | 5432
RDP | TCP | 3389
RFB | TCP | 5900-5964
RPC, DFSR (SYSVOL) | TCP | 5722
RTSP (TCP) | TCP | 554
RTSP (UDP) | UDP | 554
Routing Engine service | TCP | 691
SAP Admin console | TCP | 20005
SAP Alert Server | TCP | 30011
SAP Backup Server | TCP | 30017
SAP Cache Server | TCP | 1095
SAP Central Software Deployment Manager | TCP | 20201
SAP Comm | TCP | 20003
SAP Content Server | TCP | 1090
SAP Cruiser | TCP | 30008
SAP Design Time Repository | TCP | 50015
SAP Dispatcher | TCP | 3200
SAP Dispatcher Netweaver App Server | UDP | 3200
SAP Enqueue Repl 2 | TCP | 50116
SAP Enqueue Svr | TCP | 3201
SAP Exchange Groupware Connector (DCOM) | TCP | 135
SAP File Adapter | TCP | 8230
SAP GRMG Service (Heartbeat) | TCP | 30006
SAP Gateway Netweaver App Server | UDP | 3300
SAP HTTP | TCP | 50000
SAP HTTP Server | TCP | 30005
SAP HTTP Server 2 | TCP | 8353
SAP HTTPS | TCP | 50001
SAP HostControl | TCP | 1128
SAP HostControlS | TCP | 1129
SAP IBM | TCP | 50000,4402
SAP ICM HTTP | TCP | 8000
SAP IIOP | TCP | 50007
SAP IIOP initial | TCP | 50002
SAP IIOPS | TCP | 50003
SAP IPC Dispatcher Mobile client | TCP | 4444
SAP IPC Dispatcher Mobile client 2 | TCP | 4363
SAP IPC Server | TCP | 9999
SAP IPC data loader | TCP | 4445
SAP Import Mgr | TCP | 20006
SAP Index Server | TCP | 30003
SAP Index Server 2 | TCP | 8351
SAP Inst | TCP | 21212,21213
SAP Inst on IBM | TCP | 59975,59976
SAP Inter Server COmm | TCP | 20004
SAP JDBCAdapter | TCP | 8220
SAP JMS | TCP | 50010
SAP JMS Adapter | TCP | 8210
SAP JMS/JDBC/File Adapter Server | TCP | 8200
SAP Java Debug | TCP | 50021
SAP Java Join | TCP | 50020
SAP Layout Server | TCP | 31596,31597,31604
SAP Layout Server 2 | TCP | 31596
SAP Layout Server Adobe InDesign | TCP | 31603
SAP Layout Server Quark Express | TCP | 31602
SAP LiveCache | TCP | 7200,7210,7269,7270,7575
SAP Lotus Domino - Connector | TCP | 62026-62029
SAP Lotus Domino - Proxy | TCP | 62126-62129
SAP MDM Server | TCP | 2000-2002
SAP Mapping Manager | TCP | 3909
SAP Message Server HTTP | TCP | 8100
SAP Monitoring (GRMG) | TCP | 8366
SAP Msg Svr | TCP | 3600
SAP Msg Svr 2 | TCP | 3601
SAP Msg Svr HTTP | TCP | 8101
SAP Name Server | TCP | 30001
SAP Name Server 2 | TCP | 8355
SAP Oracle Listener | TCP | 1527
SAP P4 | TCP | 50004
SAP P4 over HTTP | TCP | 50005
SAP P4 over SSL | TCP | 50006
SAP PAW Communication Server | TCP | 1099
SAP PAW Servlet Engine | TCP | 1089
SAP Pre Processor | TCP | 30002
SAP Pre Processor 2 | TCP | 8357
SAP Queue Server | TCP | 30004
SAP Queue Server 2 | TCP | 8352
SAP RFC Server | TCP | 30007
SAP Router | TCP | 3299
SAP SDM/SL | TCP | 50017,50018,50019
SAP SNC secured gateway | TCP | 4800
SAP Start Service | TCP | 50013
SAP Start Service 2 | TCP | 50014
SAP Syndicator Service | TCP | 20007
SAP Telnet | TCP | 50008
SAP Upgrade | TCP | 4238,4239,4240,4241
SAP gateway - CPIC/RFC | TCP | 3300
SAP gateway/replication | TCP | 3301
SAP network Test Program | TCP | 3298
SAP printer spooler | TCP | 515
SIP 5060 | UDP | 5060
SIP 5061 | UDP | 5061
SMB | TCP | 445
SMB Server | TCP | 445
SMB Server UDP | UDP | 445
SMTP | TCP | 25
SMTP_TLS | TCP | 587
SNMP | UDP | 161
SNMP-Receive | UDP | 161
SNMP-Send | UDP | 162
SOAP | TCP | 9389
SQL Analysis service | TCP | 2383
SQL Server Browser service | TCP | 2382
SSH | TCP | 22
Server Message Block (SMB) | TCP | 137,138,139
Site Replication service | TCP | 379
Skinny | TCP | 2000
Syslog (TCP) | TCP | 514
Syslog (UDP) | UDP | 514
Syslog-Server | TCP | 514
Syslog-Server-UDP | UDP | 514
T120 (Whiteboard A43) | TCP | 1503
TELNET | TCP | 23
Terminal Services (TCP) | TCP | 3389
Terminal Services (UDP) | UDP | 3389
VMware Consolidated Backup | TCP | 443
VMware VMotion | TCP | 8000
VMware-CIMSLP | UDP | 427
VMware-DVS | TCP | 8301,8302
VMware-DataRecovery | TCP | 22024
VMware-ESXi5.x-TCP | TCP | 902
VMware-ESXi5.x-UDP | UDP | 902
VMware-HA-TCP | TCP | 8182
VMware-HA-UDP | UDP | 8182
VMware-SPS | TCP | 31100,31000
VMware-SRM-H5-UI | TCP | 443
VMware-SRM-HTTP | TCP | 9008
VMware-SRM-Replication | TCP | 8123
VMware-SRM-SOAP | TCP | 8043
VMware-SRM-Server-Management | TCP | 9086
VMware-SRM-UI | TCP | 9085
VMware-SRM-VAMI | TCP | 8080
VMware-SRM-vCentreServer | TCP | 8096
VMware-SRM-vSphereReplication | TCP | 31031,44046
VMware-SRMClient-Server | TCP | 8095
VMware-UpdateMgr | TCP | 9000-9100
VMware-UpdateMgr-Patching | TCP | 735
VMware-UpdateMgr-SOAP | TCP | 8084
VMware-UpdateMgr-VUM | TCP | 9084
VMware-VC-DPM | UDP | 623
VMware-VC-DumpCollector-TCP | TCP | 8000
VMware-VC-DumpSvr | UDP | 6500
VMware-VC-ESXi | TCP | 51915
VMware-VC-RemoteConsole | TCP | 903
VMware-VC-Syslog | TCP | 8001
VMware-VCO-Command | TCP | 8240
VMware-VCO-Data | TCP | 8244
VMware-VCO-Messaging | TCP | 8250
VMware-VCO-VCO-HTTPS | TCP | 8283
VMware-VCO-WebHTTP | TCP | 8280
VMware-VCO-WebHTTPS | TCP | 8281
VMware-VCOMgr-UI | TCP | 1194
VMware-VCOStdAln-Heartbeat | TCP | 1199
VMware-VDM2.x-Ephemeral | TCP | 1024-65535
VMware-VDM2.x-RGS | TCP | 42966
VMware-VR-Replication-Traffic | TCP | 31031,44046
VMware-VR-Server-Management-Traffic | TCP | 8043
VMware-View-PCoIP | TCP | 4172
VMware-View5.x-JMS | TCP | 4001
VMware-View5.x-PCoIP-UDP | UDP | 4172
VMware-iSCSI-Server | TCP | 3260
Vmware-FT-TCP | TCP | 8100,8200
Vmware-FT-UDP | UDP | 8100,8200
Vmware-Heartbeat-PrimarySecondary | TCP | 57348
Vmware-SRM-WSDL-vCentreServer | TCP | 9007
Vmware-UpdateMgr-update | TCP | 9087
Vmware-VC-HTTP | TCP | 10080
Vmware-VC-VC-Internal | TCP | 7500,8005,8006,8083,8085,8086,8087,8443,10109,10111,60099
Vmware-VC-WebAccess | TCP | 8443,9443,10443
Vmware-VCHeartbeat | TCP | 52267
Vmware-VCO-Lookup | TCP | 8230
Vmware-VCO-VCO-HTTP | TCP | 8282
Vmware-VCOStdAln-Remote | TCP | 61616
Vmware-VDM2.x-AJP | TCP | 8009
Vmware-VDM2.x-JMS | TCP | 4100
WINS | TCP | 42
WINS-UDP | UDP | 42
Win - RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS - TCP | TCP | 1025-65535
Win - RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS - UDP | UDP | 1025-65535
Win 2003 - RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS | TCP | 1025-5000
Win 2008 - RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS | TCP | 49152-65535
Windows-Global-Catalog | TCP | 3268
Windows-Global-Catalog-over-SSL | TCP | 3269
Yahoo Messenger (TCP) | TCP | 5050
Yahoo Messenger (UDP) | UDP | 5050
iSQLPlus 10g | TCP | 5560
iSQLPlus 10g (5580) | TCP | 5580


Commands to build:

(get-Content "nsservices.json"|ConvertFrom-JSON).results|?{$_.nsservice_element.resource_type -eq 'ALGTypeNSService'}|Select @{l='Display Name';e={$_.display_name}}, @{l='Triggering Port';e={$_.nsservice_element.destination_ports}} 
(get-Content "nsservices.json"|ConvertFrom-JSON).results|?{$_.nsservice_element.resource_type -eq 'L4PortSetNSService'}|Select @{l='Display Name';e={$_.display_name}},@{l='Protocol';e={$_.nsservice_element.l4_protocol}}, @{l='Port';e={[system.string]::join(',',$_.nsservice_element.destination_ports)}}
(get-Content "nsservices.json"|ConvertFrom-JSON).results|?{$_.nsservice_element.resource_type -eq 'ICMPTypeNSService'}|Select @{l='Display Name';e={$_.display_name}},@{l='Protocol';e={$_.nsservice_element.protocol}}, @{l='ICMP type';e={[system.string]::join(',',$_.nsservice_element.icmp_type)}}
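An added example (not from the original post) that reads the same fields the commands above use (results[].display_name, nsservice_element.resource_type, l4_protocol and destination_ports) and answers the reverse question: which predefined L4 services cover a given protocol and port? Port entries can be single ports or ranges such as 5900-5964, so both are handled; the JSON below is a constructed stand-in with the same shape, swap in Get-Content 'nsservices.json' -Raw for the real file.

```powershell
# Constructed stand-in for nsservices.json with the same shape as the real file.
$sampleJson = @'
{ "results": [
  { "display_name": "PostgreSQL",  "nsservice_element": { "resource_type": "L4PortSetNSService", "l4_protocol": "TCP", "destination_ports": ["5432"] } },
  { "display_name": "PostgresSQL", "nsservice_element": { "resource_type": "L4PortSetNSService", "l4_protocol": "TCP", "destination_ports": ["5432"] } },
  { "display_name": "RFB",         "nsservice_element": { "resource_type": "L4PortSetNSService", "l4_protocol": "TCP", "destination_ports": ["5900-5964"] } },
  { "display_name": "DNS-UDP",     "nsservice_element": { "resource_type": "L4PortSetNSService", "l4_protocol": "UDP", "destination_ports": ["53"] } },
  { "display_name": "FTP",         "nsservice_element": { "resource_type": "ALGTypeNSService",   "destination_ports": ["21"] } }
] }
'@

function Get-NsL4Service {
    # One object per (service, port entry), with the entry expanded to Low..High.
    param([Parameter(Mandatory)][string]$Json)
    (ConvertFrom-Json $Json).results |
        Where-Object { $_.nsservice_element.resource_type -eq 'L4PortSetNSService' } |
        ForEach-Object {
            $svc = $_
            foreach ($p in $svc.nsservice_element.destination_ports) {
                # A port entry is either "n" or a range "a-b".
                if ($p -match '^(\d+)-(\d+)$') { $lo = [int]$Matches[1]; $hi = [int]$Matches[2] }
                else                           { $lo = [int]$p;          $hi = $lo }
                [pscustomobject]@{
                    Name     = $svc.display_name
                    Protocol = $svc.nsservice_element.l4_protocol
                    Low      = $lo
                    High     = $hi
                }
            }
        }
}

function Find-NsService {
    # All L4 services whose protocol matches and whose port set contains $Port.
    param(
        [Parameter(Mandatory)][string]$Json,
        [Parameter(Mandatory)][ValidateSet('TCP','UDP')][string]$Protocol,
        [Parameter(Mandatory)][ValidateRange(0,65535)][int]$Port
    )
    Get-NsL4Service -Json $Json |
        Where-Object { $_.Protocol -eq $Protocol -and $Port -ge $_.Low -and $Port -le $_.High } |
        Select-Object Name, Protocol,
            @{l='Ports';e={ if ($_.Low -eq $_.High) { "$($_.Low)" } else { "$($_.Low)-$($_.High)" } }}
}

# Which predefined services would a rule on TCP/5432 or TCP/5910 be referring to?
Find-NsService -Json $sampleJson -Protocol TCP -Port 5432
Find-NsService -Json $sampleJson -Protocol TCP -Port 5910

# Identical definitions under different names (PostgreSQL / PostgresSQL in the
# list above) are worth knowing about before you pick one for a rule.
Get-NsL4Service -Json $sampleJson |
    Group-Object Protocol, Low, High |
    Where-Object Count -gt 1 |
    Select-Object @{l='Services';e={ $_.Group.Name -join ', ' }}, Count
```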


Why can't I read the status of NTDS (Active Directory Domain Services) without elevation

I don't like anything running with more privileges than needed. So, as I am too cheap to buy a real monitoring solution, I went for Nagios Core. Nagios can't really do checks on Windows by itself (out of the box). Most people seem to be running nsclient++ to do the real check over NRPE. Of course we can do more magic with RPC etc. if we want.

So back to the story. I let nsclient++ run as LocalService instead. Much rejoicing later... why have some simple checks become broken?

One thing that broke was the possibility of checking services on our domain controllers.

Failed to open service NTDS: 5: Access is denied.

So I logged on to the domain controller and started a cmd.exe window without escalating my permissions.

C:\Users\virot.admin>sc query ntds
[SC] EnumQueryServicesStatus:OpenService FAILED 5:

Access is denied.


C:\Users\virot.admin>

So why didn't I just run PowerShell? Sometimes older things work better; PowerShell gave me this:

PS C:\Users\virot.admin> get-service ntds
get-service : Cannot find any service with service name 'ntds'.
At line:1 char:1
+ get-service ntds
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (ntds:String) [Get-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

PS C:\Users\virot.admin>

So instead of getting an Access denied, I got "there is no spoon"... sorry, I meant service. So what is happening? Let's dig in, shall we? By running cmd.exe as Administrator we can run more helpful commands:

C:\Windows\system32>sc sdshow ntds

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\system32>

So what does this mean? CCDCLCSWRPWPDTLOCRSDRCWDWO = what? Well, to be honest, it is just every value that can exist. So just look at the table of SDDL permissions for services.

String | Hex | Name | Name in GUI
CC | 0x0001 | SERVICE_QUERY_CONFIG | Query template
DC | 0x0002 | SERVICE_CHANGE_CONFIG | Change template
LC | 0x0004 | SERVICE_QUERY_STATUS | Query status
SW | 0x0008 | SERVICE_ENUMERATE_DEPENDENTS | Enumerate dependents
RP | 0x0010 | SERVICE_START | Start
WP | 0x0020 | SERVICE_STOP | Stop
DT | 0x0040 | SERVICE_PAUSE_CONTINUE | Pause and continue
LO | 0x0080 | SERVICE_INTERROGATE | Interrogate
CR | 0x0100 | SERVICE_USER_DEFINED_CONTROL | User-defined control
SD | 0x10000 | DELETE | Delete
RC | 0x20000 | READ_CONTROL | Read permissions
WD | 0x40000 | WRITE_DAC | Change permissions
WO | 0x80000 | WRITE_OWNER | Take ownership

So all of those permissions go to “BUILTIN\Administrators” (BA) and “LocalSystem” (SY). Backup Operators (BO) have a bit fewer permissions, but still a lot compared to the rest of us; they have:

  • SERVICE_QUERY_CONFIG
  • SERVICE_QUERY_STATUS
  • SERVICE_ENUMERATE_DEPENDENTS
  • SERVICE_INTERROGATE
  • READ_CONTROL

But don't make your monitoring software a member of Backup Operators, because that grants a whole lot more permissions.
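To make the table and the sc sdshow output usable together, here is an added example (not from the original post) that decodes a service DACL into the rights names above and checks what a given principal is allowed. It is pure string handling and needs no Windows host; SIDs are compared literally, so group membership is not resolved.

```powershell
# Two-letter SDDL right -> hex mask and name, straight from the table above.
$ServiceRights = [ordered]@{
    CC = @{ Mask = 0x0001;  Name = 'SERVICE_QUERY_CONFIG' }
    DC = @{ Mask = 0x0002;  Name = 'SERVICE_CHANGE_CONFIG' }
    LC = @{ Mask = 0x0004;  Name = 'SERVICE_QUERY_STATUS' }
    SW = @{ Mask = 0x0008;  Name = 'SERVICE_ENUMERATE_DEPENDENTS' }
    RP = @{ Mask = 0x0010;  Name = 'SERVICE_START' }
    WP = @{ Mask = 0x0020;  Name = 'SERVICE_STOP' }
    DT = @{ Mask = 0x0040;  Name = 'SERVICE_PAUSE_CONTINUE' }
    LO = @{ Mask = 0x0080;  Name = 'SERVICE_INTERROGATE' }
    CR = @{ Mask = 0x0100;  Name = 'SERVICE_USER_DEFINED_CONTROL' }
    SD = @{ Mask = 0x10000; Name = 'DELETE' }
    RC = @{ Mask = 0x20000; Name = 'READ_CONTROL' }
    WD = @{ Mask = 0x40000; Name = 'WRITE_DAC' }
    WO = @{ Mask = 0x80000; Name = 'WRITE_OWNER' }
}

function ConvertFrom-ServiceRights {
    # Rights field of one ACE, either letter pairs or a 0x hex mask, to names.
    param([string]$Field)
    if ($Field -match '^0x[0-9A-Fa-f]+$') {
        $mask = [convert]::ToInt64($Field.Substring(2), 16)
        return @($ServiceRights.Keys | Where-Object { $mask -band $ServiceRights[$_].Mask } |
                 ForEach-Object { $ServiceRights[$_].Name })
    }
    return @([regex]::Matches($Field, '..') | ForEach-Object {
        if ($ServiceRights.Contains($_.Value)) { $ServiceRights[$_.Value].Name } else { $_.Value }
    })
}

function ConvertFrom-ServiceSddl {
    # One object per ACE in the D: (DACL) part. ACE string layout is
    # (type;flags;rights;object_guid;inherit_object_guid;sid); the S: part
    # (the audit SACL) is left alone.
    param([Parameter(Mandatory)][string]$Sddl)
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*(?<aces>(?:\([^)]*\))*)').Groups['aces'].Value
    foreach ($ace in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $ace.Groups[1].Value -split ';'
        $type = switch ($f[0]) { 'A' { 'Allow' } 'D' { 'Deny' } default { $f[0] } }
        [pscustomobject]@{
            Type   = $type
            Sid    = $f[5]
            Rights = @(ConvertFrom-ServiceRights $f[2])
        }
    }
}

function Test-ServiceRight {
    # True when $Sid has an Allow ACE carrying $Right and no Deny ACE for it.
    # Pass the SID or SDDL alias (BA, BO, LS, ...) you want to reason about.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$Right
    )
    $mine    = @(ConvertFrom-ServiceSddl $Sddl | Where-Object { $_.Sid -eq $Sid })
    $allowed = @($mine | Where-Object { $_.Type -eq 'Allow' -and $_.Rights -contains $Right })
    $denied  = @($mine | Where-Object { $_.Type -eq 'Deny'  -and $_.Rights -contains $Right })
    return ($allowed.Count -gt 0 -and $denied.Count -eq 0)
}

# The NTDS descriptor from "sc sdshow ntds" above.
$ntds = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

ConvertFrom-ServiceSddl $ntds |
    Format-Table Type, Sid, @{l='Rights';e={ $_.Rights -join ',' }} -Wrap

# BO carries SERVICE_QUERY_STATUS; LS (NT AUTHORITY\LOCAL SERVICE, which is what
# nsclient++ was running as) appears in no ACE at all, hence "Access is denied".
Test-ServiceRight -Sddl $ntds -Sid 'BO' -Right 'SERVICE_QUERY_STATUS'
Test-ServiceRight -Sddl $ntds -Sid 'LS' -Right 'SERVICE_QUERY_STATUS'
```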

Cross sign certificates with Windows PKI

Last year I wrote a blog article about how to trust somebody else's root certificate with name restrictions. This allows you to trust a vendor/partner/etc. root certificate without giving them the possibility to spoof google or any other company they shouldn't sign for.

The same notice applies to this post: not all operating systems honor name restrictions, so if you are running mostly macOS machines this won't help that much.

So let’s get going.

The simple solution:

  1. Get root certificate from vendor/partner
  2. Create CSR from certificate
  3. Verify CSR
  4. Sign CSR
  5. Push the intermediate certificate to clients; this is automatic with Windows and the correct template.

[Read more…]

Guessing the locale of a logfile

I got a question about my DNS Debug script, which parses the DNS logfile so it is easier to find what is happening in the DNS. A nice guy was having issues with a log file, so he sent over a few rows.

06.03.2020 17:15:40 0BD4 PACKET 0000008F15AD2190 UDP Rcv 10.200.1.222 9e90 Q [0001 D NOERROR] A (4)test(5)virot(2)eu(0)
06.03.2020 17:15:40 0BD4 PACKET 0000008F15AD2190 UDP Snd 10.200.1.222 9e90 R Q [8085 A DR NOERROR] A (4)test(5)virot(2)eu(0)
06.03.2020 17:15:40 0BDC PACKET 0000008F160FA150 UDP Rcv 10.200.1.222 14db Q [0001 D NOERROR] AAAA (4)test(5)virot(2)eu(0)
06.03.2020 17:15:40 0BDC PACKET 0000008F160FA150 UDP Snd 10.200.1.222 14db R Q [8085 A DR NOERROR] AAAA (4)test(5)virot(2)eu(0)
06.03.2020 17:15:41 0BDC PACKET 0000008F142B61F0 UDP Rcv 10.200.1.221 e499 Q [0001 D NOERROR] A (5)test2(15)virot(2)de(0)
06.03.2020 17:15:41 0BD4 PACKET 0000008F13B2C160 UDP Rcv 10.200.1.221 721b Q [0001 D NOERROR] AAAA (5)test2(15)virot(2)de(0)
06.03.2020 17:15:41 0BDC PACKET 0000008F142B61F0 UDP Snd 10.200.1.221 e499 R Q [8085 A DR NOERROR] A (5)test2(15)virot(2)de(0)

Okay, let's be honest, it took me a while to get around to it. There is a thing called Corona making all the headlines right now 🙁

Anyway, since he sent it in on the 6th of March 2020, I had a good guess about the date formatting being dd-MM-yyyy. But that didn't really help me. So I sent Marc a message, but then I thought: I know that Windows knows about 428 locales. I'm in quarantine anyway, I can do this. Then I thought again: I have a computer with PowerShell.

PS C:\Users\virot> [System.Globalization.CultureInfo]::GetCultures([System.Globalization.CultureTypes]::InstalledWin32Cultures)|select Name, DisplayName| ForEach-Object {Add-Member -Name 'DateTimeFormat' -Force -PassThru -InputObject $_ -MemberType NoteProperty -Value ([System.Globalization.CultureInfo]::new($_.name).DateTimeFormat.ShortDatePattern)} |?{$_.DateTimeFormat -eq 'dd.MM.yyyy'}

And these are the 52 entries I got:

Name | DisplayName | DateTimeFormat
az | Azerbaijani | dd.MM.yyyy
az-Cyrl | Azerbaijani (Cyrillic) | dd.MM.yyyy
az-Cyrl-AZ | Azerbaijani (Cyrillic, Azerbaijan) | dd.MM.yyyy
az-Latn | Azerbaijani (Latin) | dd.MM.yyyy
az-Latn-AZ | Azerbaijani (Latin, Azerbaijan) | dd.MM.yyyy
cs | Czech | dd.MM.yyyy
cs-CZ | Czech (Czech Republic) | dd.MM.yyyy
de | German | dd.MM.yyyy
de-AT | German (Austria) | dd.MM.yyyy
de-CH | German (Switzerland) | dd.MM.yyyy
de-DE | German (Germany) | dd.MM.yyyy
de-LI | German (Liechtenstein) | dd.MM.yyyy
de-LU | German (Luxembourg) | dd.MM.yyyy
et | Estonian | dd.MM.yyyy
et-EE | Estonian (Estonia) | dd.MM.yyyy
fo | Faroese | dd.MM.yyyy
fo-FO | Faroese (Faroe Islands) | dd.MM.yyyy
fr-CH | French (Switzerland) | dd.MM.yyyy
gsw | Alsatian | dd.MM.yyyy
hy | Armenian | dd.MM.yyyy
hy-AM | Armenian (Armenia) | dd.MM.yyyy
it-CH | Italian (Switzerland) | dd.MM.yyyy
ka | Georgian | dd.MM.yyyy
ka-GE | Georgian (Georgia) | dd.MM.yyyy
kk | Kazakh | dd.MM.yyyy
kk-KZ | Kazakh (Kazakhstan) | dd.MM.yyyy
lv | Latvian | dd.MM.yyyy
lv-LV | Latvian (Latvia) | dd.MM.yyyy
nb | Norwegian (Bokmål) | dd.MM.yyyy
nb-NO | Norwegian, Bokmål (Norway) | dd.MM.yyyy
nn | Norwegian (Nynorsk) | dd.MM.yyyy
nn-NO | Norwegian, Nynorsk (Norway) | dd.MM.yyyy
no | Norwegian | dd.MM.yyyy
pl | Polish | dd.MM.yyyy
pl-PL | Polish (Poland) | dd.MM.yyyy
ro | Romanian | dd.MM.yyyy
ro-MD | Romanian (Moldova) | dd.MM.yyyy
ro-RO | Romanian (Romania) | dd.MM.yyyy
ru | Russian | dd.MM.yyyy
ru-MD | Russian (Moldova) | dd.MM.yyyy
ru-RU | Russian (Russia) | dd.MM.yyyy
sah | Sakha | dd.MM.yyyy
sah-RU | Sakha (Russia) | dd.MM.yyyy
sma-NO | Sami, Southern (Norway) | dd.MM.yyyy
smj-NO | Sami, Lule (Norway) | dd.MM.yyyy
tg | Tajik | dd.MM.yyyy
tg-Cyrl | Tajik (Cyrillic) | dd.MM.yyyy
tg-Cyrl-TJ | Tajik (Cyrillic, Tajikistan) | dd.MM.yyyy
tt | Tatar | dd.MM.yyyy
tt-RU | Tatar (Russia) | dd.MM.yyyy
uk | Ukrainian | dd.MM.yyyy
uk-UA | Ukrainian (Ukraine) | dd.MM.yyyy

So once I had the list I could just try a locale and it worked. I later learned that the server was German, with the locale de-DE.

But now I know how to easily see what locale it might be 🙂
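An added example (not from the original post) that generalizes the one-liner: instead of filtering cultures on a pattern guessed by hand, it test-parses the timestamp of a real log line against every installed culture and reports which ones accept it and what date each produces. Patterns are applied with each culture's own separators, so it also catches cultures the plain pattern compare would miss, and it makes the day/month ambiguity visible; the log line is taken from the sample above.

```powershell
function Find-LogLocale {
    # Returns every installed culture whose "short date + long time" pattern
    # parses the first two tokens (date, time) of the log line, together with
    # the date each culture makes of it.
    param([Parameter(Mandatory)][string]$LogLine)

    $stamp = ($LogLine -split '\s+', 3)[0..1] -join ' '
    $cultures = [Globalization.CultureInfo]::GetCultures(
        [Globalization.CultureTypes]::InstalledWin32Cultures)

    foreach ($c in $cultures) {
        $dtf = $c.DateTimeFormat
        $fmt = "$($dtf.ShortDatePattern) $($dtf.LongTimePattern)"
        $dt  = [datetime]::MinValue
        # TryParseExact honours the culture's date/time separators, so a pattern
        # written with "/" still matches "." when that is the culture's separator.
        $ok  = [datetime]::TryParseExact($stamp, $fmt, $c,
                   [Globalization.DateTimeStyles]::None, [ref]$dt)
        if ($ok) {
            [pscustomobject]@{
                Name        = $c.Name
                DisplayName = $c.DisplayName
                Pattern     = $fmt
                Parsed      = $dt
            }
        }
    }
}

# Constructed sample: the first line of the log quoted above.
$line = '06.03.2020 17:15:40 0BD4 PACKET 0000008F15AD2190 UDP Rcv 10.200.1.222 9e90 Q [0001 D NOERROR] A (4)test(5)virot(2)eu(0)'
$hits = Find-LogLocale -LogLine $line
$hits | Sort-Object Name | Format-Table Name, DisplayName, Pattern, Parsed

# If the candidates disagree on the date (day and month swapped), one sample
# cannot settle it; pick a line with a day above 12 and run it again.
$hits | Group-Object { $_.Parsed.ToString('yyyy-MM-dd') } |
    Select-Object @{l='Date';e={ $_.Name }}, Count
```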

Overheads getting a member

A while ago I wrote a blog entry about different ways of obtaining the hostname. When I wrote that one I wondered how the different ways of accessing the member values increase the cost. So this is a blog entry about that. There are different overheads depending on how you get your object's member. To illustrate this I have made a single simple WMI query and saved it in a variable, from which we will now get the name of the computer.

First let's get the WMI object:

$wmics = Get-WMIObject -Class Win32_ComputerSystem

So now we have the WMI object in the variable $wmics. So how do we get the name? Well, here there are a few ways, all giving the same answer.

$wmics.name
$wmics|Select-Object -ExpandProperty name
$wmics.GetPropertyValue('Name')

[Read more…]

Converting from Two's complement using PowerShell

So first, what is Two's complement? Super simple simplification: it is how you can use the MSB (most significant bit) to define whether the number is positive or negative. For a more complete and technical explanation please read the Wikipedia article.

So why do I need this? Well, in most cases you don't. But sometimes you get an int that should be unsigned but was mangled, so you need a way to convert it to the true form. This cmdlet does that. Of course you could also just use the class System.BitConverter, the same way the cmdlet does.

Using the BitConverter to convert [int16] -1 to [uint16]:

PS C:\> [System.BitConverter]::TouInt16([bitconverter]::GetBytes([int16]-1),0)
65535

For those that want to include a simple way of doing that in their profiles etc., I wrote a script.

function Convert-IntSigned{
param
  (
    [Parameter(Mandatory=$true)]
    [ValidateScript({@('int16','int32','int64','uint16','uint32','uint64') -contains $_.GetType().Name})]
    [object]
    $Integer
  )
  Process
  {
    # Reinterpret the same bytes with the opposite signedness: the bit pattern
    # is untouched, only the meaning of the MSB changes. BitConverter picks the
    # GetBytes overload from the actual type, so the width is preserved and
    # uint64 values above int64 range no longer fail the conversion.
    $bytes = [System.BitConverter]::GetBytes($Integer)
    switch ($Integer.GetType().Name)
    {
      'int16'  {return [System.BitConverter]::ToUInt16($bytes,0)}
      'int32'  {return [System.BitConverter]::ToUInt32($bytes,0)}
      'int64'  {return [System.BitConverter]::ToUInt64($bytes,0)}
      'uint16' {return [System.BitConverter]::ToInt16($bytes,0)}
      'uint32' {return [System.BitConverter]::ToInt32($bytes,0)}
      'uint64' {return [System.BitConverter]::ToInt64($bytes,0)}
    }
  }
}

What it does is take an input named Integer (just the first argument) and do its magic. I will show it with an int16 of value -32000 that should have been an unsigned int.


Debuggex saved my sanity

When fiddling around with the regexps in my DNS Debug module I almost went mad before finding this tool: https://www.debuggex.com/.

I just want to give them the credit they deserve. They make understanding and following a regex much easier.


screenshot of debuggex in action

You enter your regexp and some sample data and they visualize what is happening.

Partially trusting somebody else’s Certificate Root (Cross sign)

So when I come to a customer it isn’t that unusual that they have a Certificate Authority that they use for internal systems. But I don’t want to install their CA as a trusted CA on my laptop. Who knows what they have been up to.

There are some kinks. Not all SSL implementations support or care about the nameConstraints that I am using. But luckily for me Windows does. So I have my own CA that I use to sign all my customers' CAs and limit them to domains I see fit.

So first of all let's get OpenSSL installed on your machine. Let's go to Shining Light Productions; now you might ask why not take it from the source, OpenSSL. The reason is that OpenSSL does not distribute compiled versions, so you can either get the source and compile it, or get it from Shining Light and be happy.

Now let's start with creating our own private CA and key. We will install this one on our machine as a Root CA. We need to keep the key if we want to sign other CAs down the road. Also, if anyone gets your key they can create fake certificates to trick you, so putting it on your homepage is a bad idea.

[Read more…]

Maximum number of allowed sessions reached. Juniper SRX

So I was working from a locked-down Windows server in a remote site, and then I had issues with Edge and Internet Explorer. In the end I had used up all sessions in the firewall. I didn't want to wait until my sessions got disconnected. So what to do?

maximum number of allowed sessions reached

So let's fix this. First log into the firewall using SSH. Then start the CLI using the command ‘cli’.

First let's list which users are currently connected, just to make sure we know who we are kicking out.

[email protected]> show system users
10:31PM  up 4 days,  4:02, 5 users, load averages: 0.37, 0.35, 0.35
USER     TTY      FROM                              LOGIN@  IDLE WHAT
root     p0       192.168.129.11                   10:21PM     - cli
root     jweb1    192.168.129.11                   9:38PM     53
root     jweb2    192.168.129.11                   9:38PM     52
root     jweb3    192.168.129.11                   9:38PM     52
root     jweb4    192.168.129.11                   9:39PM     52

So now we know when I managed to screw this up and from where... but does that really help? Then we can go ahead and kick the sessions one by one, or all at once. The following options exist and can use the data from above.

[email protected]> request system logout user ?
Possible completions:
  <user>               Name of user
[email protected]> request system logout pid ?
Possible completions:
  <pid>                Management process ID for user
[email protected]> request system logout terminal ?
Possible completions:
  <terminal>           Terminal user is logged in to
[email protected]> request system logout all?
Possible completions:
  all                  Logout all sessions owned by user


Sometimes I don't like you, System.Security.AccessControl.AccessRule.FileSystemAccessRule

I'm writing my own little module to help remove SID histories on mainly file servers. But I'm thinking about throwing in stuff about SharePoint and local groups too. Many people forget to change the ACLs after using SID history, which means they are stuck with the SID history entries.

So what has that to do with FileSystemAccessRule? In my first incarnation I was manually modifying the SDDL. This worked, but I felt that PowerShell must be able to do this better.

So I gave it some thought. Then I tried to re-implement it using Get-ACL, which returns a System.Security.AccessControl.FileSystemSecurity. Perfect, but there are some issues.

I have a perfect example here:

$acl = New-Object System.Security.AccessControl.Directorysecurity
$acl.SetSecurityDescriptorSddlForm('O:BAG:BAD:PAI(A;OICIIO;SDGXGWGR;;;AU)','All')

This went without a hitch.

So let's see how .NET interprets the only ACE in the ACL above:

PS C:\Users\virot> $acl.access


FileSystemRights  : -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

Well, that didn't really look like what I wanted. We gave it SDGXGWGR and I got -536805376.
SDGXGWGR should have given us: Delete, Generic Execute, Generic Write, Generic Read.

Okay, but perhaps it is just a display glitch. Let's try to create an ACE using the data in the $ACL variable.

So now let's create a grant rule with the same permissions for the Builtin Administrators group.

PS C:\Users\virot> [System.Security.AccessControl.FileSystemAccessRule]::new([System.Security.Principal.SecurityIdentifier]::new('BA'), $acl.access[0].FileSystemRights, $acl.access[0].AccessControlType)
Exception calling ".ctor" with "3" argument(s): "The value '-536805376' is not valid for this usage of the type FileSystemRights.
Parameter name: fileSystemRights"
At line:1 char:1
+ [System.Security.AccessControl.FileSystemAccessRule]::new([System.Sec ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

So for now I will continue to parse my SDDL as strings in my Remove Sid History module.
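The value -536805376 is 0xE0010000, i.e. the generic bits GR, GW and GX plus DELETE; FileSystemRights has no names for generic bits, which is what the constructor rejects. As an added example (not the author's module, Windows only because it uses DirectorySecurity), the function below replaces those generic bits with the specific rights they expand to on file and directory objects (the FILE_GENERIC_READ / FILE_GENERIC_WRITE / FILE_GENERIC_EXECUTE / FILE_ALL_ACCESS mapping from winnt.h), after which the ACE from the post can be rebuilt with FileSystemAccessRule.

```powershell
function ConvertTo-FileSystemRights {
    # Map the generic bits of a raw access mask to the file-specific rights they
    # stand for, keep every other bit, and return a value FileSystemRights accepts.
    param([Parameter(Mandatory)][int]$RawMask)

    # Same bytes read back as unsigned, as in the Two's complement post above.
    $u = [System.BitConverter]::ToUInt32([System.BitConverter]::GetBytes($RawMask), 0)

    $generic = @(
        @{ Bit = 0x80000000; Specific = 0x120089 }   # GENERIC_READ    -> FILE_GENERIC_READ
        @{ Bit = 0x40000000; Specific = 0x120116 }   # GENERIC_WRITE   -> FILE_GENERIC_WRITE
        @{ Bit = 0x20000000; Specific = 0x1200A0 }   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
        @{ Bit = 0x10000000; Specific = 0x1F01FF }   # GENERIC_ALL     -> FILE_ALL_ACCESS
    )
    # Non-generic bits (here SD = DELETE = 0x10000) are kept as they are.
    [int64]$specific = $u -band 0x0FFFFFFF
    foreach ($g in $generic) {
        if ($u -band $g.Bit) { $specific = $specific -bor $g.Specific }
    }
    return [System.Security.AccessControl.FileSystemRights][int]$specific
}

# The ACL from the post: one inherit-only ACE with SDGXGWGR for Authenticated Users.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetSecurityDescriptorSddlForm('O:BAG:BAD:PAI(A;OICIIO;SDGXGWGR;;;AU)', 'All')
$ace = $acl.Access[0]

# Translate the unnamed -536805376 into rights the enum can name.
$rights = ConvertTo-FileSystemRights -RawMask ([int]$ace.FileSystemRights)
$rights

# With specific rights the constructor that failed in the post is satisfied;
# inheritance and propagation flags are copied from the original ACE.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    [System.Security.Principal.SecurityIdentifier]::new('BA'),
    $rights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
$acl.AddAccessRule($rule)
$acl.Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```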