Cross sign certificates with Windows PKI

Last year I wrote a blog article about how to trust somebody else’s root certificate with name restrictions. This allows you to trust a vendor/partner/etc. root certificate without giving them the possibility of spoofing Google or any other company they shouldn’t be signing for.

The same caveat applies to this post: not all operating systems honor name constraints, so if you are running mostly macOS machines this won’t help that much.

So let’s get going.

The simple solution:

  1. Get the root certificate from the vendor/partner
  2. Create a CSR from the certificate
  3. Verify the CSR
  4. Sign the CSR
  5. Push the intermediate certificate to clients; this is automatic with Windows if the correct template is used.

[Read more…]

Guessing the locale of a logfile

I got a question about my DNS Debug script, which parses the DNS log file so it is easier to find out what is happening in the DNS. A nice guy was having issues with a log file, so he sent over a few rows.

Okay, let's be honest, it took me a while to get around to it. There is a thing called Corona making all the headlines right now 🙁

Anyway, since he sent it in on the 6th of March 2020, I had a good guess that the date format was dd-MM-yyyy. But that didn’t really help me. So I sent Marc a message, but then I thought: I know that Windows knows about 428 locales. I’m in quarantine anyway, I can do this. Then I thought again: I have a computer with PowerShell.

And these are the 52 entries I got:

Name        DisplayName                          DateTimeFormat
----        -----------                          --------------
az          Azerbaijani                          dd.MM.yyyy
az-Cyrl     Azerbaijani (Cyrillic)               dd.MM.yyyy
az-Cyrl-AZ  Azerbaijani (Cyrillic, Azerbaijan)   dd.MM.yyyy
az-Latn     Azerbaijani (Latin)                  dd.MM.yyyy
az-Latn-AZ  Azerbaijani (Latin, Azerbaijan)      dd.MM.yyyy
cs          Czech                                dd.MM.yyyy
cs-CZ       Czech (Czech Republic)               dd.MM.yyyy
de          German                               dd.MM.yyyy
de-AT       German (Austria)                     dd.MM.yyyy
de-CH       German (Switzerland)                 dd.MM.yyyy
de-DE       German (Germany)                     dd.MM.yyyy
de-LI       German (Liechtenstein)               dd.MM.yyyy
de-LU       German (Luxembourg)                  dd.MM.yyyy
et          Estonian                             dd.MM.yyyy
et-EE       Estonian (Estonia)                   dd.MM.yyyy
fo          Faroese                              dd.MM.yyyy
fo-FO       Faroese (Faroe Islands)              dd.MM.yyyy
fr-CH       French (Switzerland)                 dd.MM.yyyy
gsw         Alsatian                             dd.MM.yyyy
hy          Armenian                             dd.MM.yyyy
hy-AM       Armenian (Armenia)                   dd.MM.yyyy
it-CH       Italian (Switzerland)                dd.MM.yyyy
ka          Georgian                             dd.MM.yyyy
ka-GE       Georgian (Georgia)                   dd.MM.yyyy
kk          Kazakh                               dd.MM.yyyy
kk-KZ       Kazakh (Kazakhstan)                  dd.MM.yyyy
lv          Latvian                              dd.MM.yyyy
lv-LV       Latvian (Latvia)                     dd.MM.yyyy
nb          Norwegian (Bokmål)                   dd.MM.yyyy
nb-NO       Norwegian, Bokmål (Norway)           dd.MM.yyyy
nn          Norwegian (Nynorsk)                  dd.MM.yyyy
nn-NO       Norwegian, Nynorsk (Norway)          dd.MM.yyyy
no          Norwegian                            dd.MM.yyyy
pl          Polish                               dd.MM.yyyy
pl-PL       Polish (Poland)                      dd.MM.yyyy
ro          Romanian                             dd.MM.yyyy
ro-MD       Romanian (Moldova)                   dd.MM.yyyy
ro-RO       Romanian (Romania)                   dd.MM.yyyy
ru          Russian                              dd.MM.yyyy
ru-MD       Russian (Moldova)                    dd.MM.yyyy
ru-RU       Russian (Russia)                     dd.MM.yyyy
sah         Sakha                                dd.MM.yyyy
sah-RU      Sakha (Russia)                       dd.MM.yyyy
sma-NO      Sami, Southern (Norway)              dd.MM.yyyy
smj-NO      Sami, Lule (Norway)                  dd.MM.yyyy
tg          Tajik                                dd.MM.yyyy
tg-Cyrl     Tajik (Cyrillic)                     dd.MM.yyyy
tg-Cyrl-TJ  Tajik (Cyrillic, Tajikistan)         dd.MM.yyyy
tt          Tatar                                dd.MM.yyyy
tt-RU       Tatar (Russia)                       dd.MM.yyyy
uk          Ukrainian                            dd.MM.yyyy
uk-UA       Ukrainian (Ukraine)                  dd.MM.yyyy

So once I had the list I could just try with a locale, and it worked. I later learned that the server was a German one with the locale de-DE.

But now I know how to easily see what locale it might be 🙂

Overheads getting a member

A while ago I wrote a blog entry about different ways of obtaining the hostname. When I wrote that one I wondered how the different ways of accessing a member value change the cost. So this is a blog entry about that. There are different overheads depending on how you get an object's member. To illustrate this I have made a single simple WMI query and saved it in a variable, from which we will now get the name of the computer.

First, let's get the WMI object:

So now we have the WMI object in the variable $wmics. So how do we get the name? Well, there are a few ways, all giving the same answer.

[Read more…]

Converting from Two’s complement using powershell

So first, what is two’s complement? A super simple simplification: it is how you use the MSB (most significant bit) to define whether the number is positive or negative. For a more complete and technical explanation, please read the Wikipedia article.

So why do I need this? Well, in most cases you don’t. But sometimes you get an int that should have been unsigned but was mangled, so you need a way to convert it back to its true form. This cmdlet does that. Of course you could also just use the System.BitConverter class the same way the cmdlet does.

Using the BitConverter to convert [int16] -1 to [uint16]:

For those who want to include a simple way of doing that in their profiles etc., I wrote a script.

What it does is take the input named integer, which is just the first argument, and do its magic. I will demonstrate with an int16 with the value -32000 that should have been an unsigned int.
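As an added example (not the post's own script), the same reinterpretation done with System.BitConverter for the three common signed widths, plus the reverse direction; the function names ConvertTo-Unsigned and ConvertTo-Signed are my own:

```powershell
# Added example (not the post's script): reinterpret a signed integer as unsigned by
# reusing its raw bytes, the System.BitConverter trick the post mentions. The bit
# pattern is untouched; only the meaning of the MSB changes.
function ConvertTo-Unsigned {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [ValidateScript({ $_ -is [int16] -or $_ -is [int32] -or $_ -is [int64] })]
        $Integer    # left untyped so the caller's [int16]/[int32]/[int64] is preserved
    )
    switch ($Integer.GetType().Name) {
        'Int16' { [BitConverter]::ToUInt16([BitConverter]::GetBytes([int16]$Integer), 0) }
        'Int32' { [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$Integer), 0) }
        'Int64' { [BitConverter]::ToUInt64([BitConverter]::GetBytes([int64]$Integer), 0) }
    }
}

# The opposite direction, for values that arrived unsigned but were meant to be signed.
function ConvertTo-Signed {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [ValidateScript({ $_ -is [uint16] -or $_ -is [uint32] -or $_ -is [uint64] })]
        $Integer
    )
    switch ($Integer.GetType().Name) {
        'UInt16' { [BitConverter]::ToInt16([BitConverter]::GetBytes([uint16]$Integer), 0) }
        'UInt32' { [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$Integer), 0) }
        'UInt64' { [BitConverter]::ToInt64([BitConverter]::GetBytes([uint64]$Integer), 0) }
    }
}

# The post's case: an int16 of -32000 that should have been unsigned. Note the cast;
# a bare -32000 is an [int32] and would be widened to a 32-bit unsigned value instead.
ConvertTo-Unsigned ([int16]-32000)
ConvertTo-Unsigned ([int16]-1)
# Round trip back to the signed form.
ConvertTo-Signed (ConvertTo-Unsigned ([int16]-32000))
```

For [int16] -32000 the unsigned result is 33536 and for [int16] -1 it is 65535; the round trip returns -32000 again.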


Debuggex saved my sanity

When fiddling around with the regexps in my DNS Debug module I almost went mad before finding this tool: https://www.debuggex.com/.

I just want to give them the credit they deserve. They make understanding and following a regex much easier.


screenshot of debuggex in action

You enter your regexps and some sample data and they visualize what is happening.

Partially trusting somebody else’s Certificate Root (Cross sign)

So when I come to a customer it isn’t that unusual that they have a Certificate Authority that they use for internal systems. But I don’t want to install their CA as a trusted CA on my laptop. Who knows what they have been up to.

There are some kinks. Not all SSL implementations support or care about the nameConstraints extension that I am using, but luckily for me Windows does. So I have my own CA that I use to sign all my customers’ CAs and limit them to the domains I see fit.

So first of all, let's get OpenSSL installed on your machine. Let's go to Shining Light Productions; now you might ask why not take it from the source, OpenSSL. The reason is that OpenSSL does not distribute compiled versions, so you can either get the source and compile it yourself or get it from Shining Light and be happy.

Now let's start by creating our own private CA and key. We will install this one on our machine as a Root CA. We need to keep the key if we want to sign other CAs down the road. Also, if anyone gets your key they can create fake certificates to trick you, so putting it on your homepage is a bad idea.
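As an added example that is not the post's own code, and that serves both the five-step outline in the first post and this one: the actual cross-signing step, done with OpenSSL from PowerShell, with the critical nameConstraints extension that makes the trust partial. The file names, the domain partner.example and the leaf certificate names are placeholders I chose; it assumes openssl.exe is on the PATH and that your own root CA (my-root.pem / my-root.key) already exists.

```powershell
# Added example (not the post's own code): cross-sign a vendor root under our own root
# CA and add a critical nameConstraints extension, so certificates below the vendor's
# root only validate for names under partner.example (a constructed placeholder domain).
# Assumes openssl.exe is on PATH and my-root.pem / my-root.key already exist.
$VendorRoot = 'vendor-root.pem'   # certificate received from the vendor (public part only)
$MyRoot     = 'my-root.pem'       # our own root, installed under Trusted Root on our machines
$MyRootKey  = 'my-root.key'       # keep this offline; it can sign anything we would trust
$CrossCert  = 'vendor-cross.pem'  # result: vendor's subject and key, our signature

# Extension file. The name constraint is what limits what the vendor's CA may sign for.
# subjectKeyIdentifier=hash assumes the vendor used the RFC 5280 SHA-1 key hash for its
# SKI; if not, put the vendor's hex SKI there so the AKI in their leaf certs still matches.
@'
[ cross ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
nameConstraints        = critical, permitted;DNS:partner.example
'@ | Set-Content -Path 'cross.cnf' -Encoding ascii

# Re-sign the vendor's certificate with our key. -clrext drops the vendor's own extensions
# (including its self-referencing AKI) so only the ones from cross.cnf end up in the result.
& openssl x509 -in $VendorRoot -CA $MyRoot -CAkey $MyRootKey -CAcreateserial `
    -clrext -extfile 'cross.cnf' -extensions cross -days 730 -out $CrossCert
if ($LASTEXITCODE -ne 0) { throw 'openssl x509 failed' }

# Check that the constraint really landed in the certificate before pushing it to clients.
& openssl x509 -in $CrossCert -noout -text | Select-String -Pattern 'Name Constraints' -Context 0,2

# Validation check: a vendor-issued leaf chains to OUR root through the cross certificate
# only if its names fall inside the permitted subtree. Expect "OK" for the
# partner.example leaf and a permitted-subtree violation for the other one.
foreach ($leaf in 'leaf-host.partner.example.pem', 'leaf-www.google.com.pem') {  # constructed names
    if (Test-Path $leaf) {
        & openssl verify -CAfile $MyRoot -untrusted $CrossCert $leaf
    }
}
```

On Windows the cross certificate is then distributed as an intermediate CA, with only my-root.pem in the trusted roots; the vendor root itself is never installed.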

[Read more…]

Maximum number of allowed sessions reached. Juniper SRX

So I was working from a locked-down Windows server at a remote site, and then I had issues with Edge and Internet Explorer. In the end I had used up all the sessions on the firewall. I didn’t want to wait until my sessions got disconnected. So what to do?

maximum number of allowed sessions reached

So let's fix this. First log into the firewall using SSH, then start the CLI using the command ‘cli’.

First let's list which users are currently connected, just to make sure we know who we are kicking out.

So now we know when I managed to screw this up, and from where.. but does that really help? Then we can go ahead and kick the sessions one by one, or all of them. The following options exist and can use the data from above.


Sometimes I dont like you System.Security.AccessControl.AccessRule.FileSystemAccessRule

I'm writing my own little module to help remove SID histories, mainly on file servers, but I'm thinking about throwing in SharePoint and local groups too. Many people forget to change the ACLs after using SID history, which means they are stuck with the SID history entries.

So what has that to do with FileSystemAccessRule? In my first incarnation I was manually modifying the SDDL. This worked, but I felt that PowerShell must be able to do this better.

So I gave it some thought. Then I tried to re-implement it using Get-Acl, which returns a System.Security.AccessControl.FileSystemSecurity. Perfect, but there are some issues.

I have a perfect example here:

This went without a hitch.

So let's see how .NET interprets the only ACE in the ACL above:

Well, that didn't really look like what I wanted. We gave it SDGXGWGR and I got -536805376.
SDGXGWGR should have given us: Delete, Generic Execute, Generic Write, Generic Read

Okay, but perhaps it is just a display glitch. Let's try to create an ACE using the data in the $ACL variable.

So now let's create a grant rule with the same permissions for the Builtin Administrators group.

So for now I will continue to parse my SDDL as strings in my Remove SID History module.
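As an added example (not the post's module), here is what that -536805376 actually is and how to turn it into concrete file rights: the FileSystemRights enum simply has no names for the generic bits GR/GW/GX/GA, so it falls back to printing the raw mask. The function Resolve-FileAccessMask is mine; the generic-to-specific mapping values are the FILE_GENERIC_* constants from winnt.h.

```powershell
# Added example (not the post's module): decode the mask .NET handed back for the
# SDGXGWGR ACE. FileSystemRights has no names for the generic bits, so it shows the raw
# (negative) number; masking it and applying the file-object generic mapping from
# winnt.h gives the concrete rights Windows would grant on a file.
$GenericRights = [ordered]@{
    GenericRead    = 0x80000000   # GR
    GenericWrite   = 0x40000000   # GW
    GenericExecute = 0x20000000   # GX
    GenericAll     = 0x10000000   # GA
}
$FileGenericMapping = @{          # FILE_GENERIC_READ / _WRITE / _EXECUTE / FILE_ALL_ACCESS
    GenericRead    = 0x00120089
    GenericWrite   = 0x00120116
    GenericExecute = 0x001200A0
    GenericAll     = 0x001F01FF
}

function Resolve-FileAccessMask {
    param([Parameter(Mandatory)][int]$Mask)  # e.g. [int]$acl.Access[0].FileSystemRights
    $raw      = [long]$Mask -band 0xFFFFFFFF # view the signed int as its 32-bit pattern
    $generic  = @()
    $specific = [long]($raw -band 0x0FFFFFFF) # non-generic bits (SD = DELETE = 0x10000) stay
    foreach ($name in $GenericRights.Keys) {
        if ($raw -band $GenericRights[$name]) {
            $generic  += $name
            $specific  = $specific -bor $FileGenericMapping[$name]
        }
    }
    [pscustomobject]@{
        RawMask          = '0x{0:X8}' -f $raw
        GenericBits      = $generic -join ', '
        FileSystemRights = [System.Security.AccessControl.FileSystemRights][int]$specific
    }
}

# The value from the post, i.e. what .NET showed for (A;;SDGXGWGR;;;BA):
Resolve-FileAccessMask -Mask -536805376
```

For the post's value this reports RawMask 0xE0010000, GenericBits GenericRead, GenericWrite, GenericExecute, and FileSystemRights Modify, Synchronize, which is what SD plus the three generic rights amount to on a file.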

A short story about date formats

So I was updating my script to read DNS debug logs. I had gotten some comments on it in the TechNet gallery, so I wanted to include them all in the script for easier usage.

This is when I realized how many variations there are of the ShortDatePattern used in the local cultures. Microsoft uses the local culture in the DNS debug log, big sadness. So how many cultures are there?

Okay, with 428 different possible cultures I don’t think I will go through them one by one. So let's just list all cultures and their ShortDatePattern and see if we notice anything. [Read more…]
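As an added example that is not the author's script, serving both this post and the locale-guessing post above: list every culture with its ShortDatePattern, and then narrow that list to the cultures whose pattern actually parses a date taken from a log row. The function names are mine, the sample date '06.03.2020' is constructed, and the total count may differ between Windows PowerShell and PowerShell 7, which use different culture data.

```powershell
# Added example (not the post's script): enumerate cultures and their short date pattern,
# then find the cultures that could have written a given date string into a log.
function Get-CultureDatePattern {
    [System.Globalization.CultureInfo]::GetCultures([System.Globalization.CultureTypes]::AllCultures) |
        Where-Object { $_.Name -ne '' } |            # drop the invariant culture
        ForEach-Object {
            [pscustomobject]@{
                Name           = $_.Name
                DisplayName    = $_.DisplayName
                DateTimeFormat = $_.DateTimeFormat.ShortDatePattern
            }
        } | Sort-Object Name
}

function Find-CultureForDate {
    param(
        [Parameter(Mandatory)][string]$Sample,     # the date column of one log row
        [string]$Pattern                            # optional: only cultures with this pattern
    )
    foreach ($c in Get-CultureDatePattern) {
        if ($Pattern -and $c.DateTimeFormat -ne $Pattern) { continue }
        $culture = [System.Globalization.CultureInfo]::GetCultureInfo($c.Name)
        $parsed  = [datetime]::MinValue
        # ParseExact with the culture's own short pattern and separators: a hit means the
        # log could have been written by a server running that locale.
        if ([datetime]::TryParseExact($Sample, $c.DateTimeFormat, $culture,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
            $c | Add-Member -NotePropertyName Parsed -NotePropertyValue $parsed -PassThru
        }
    }
}

# How many cultures this machine knows, and the 'dd.MM.yyyy' subset from the post:
(Get-CultureDatePattern).Count
Get-CultureDatePattern | Where-Object DateTimeFormat -eq 'dd.MM.yyyy' | Format-Table -AutoSize

# Which cultures would have produced '06.03.2020' (constructed sample) in a log?
Find-CultureForDate -Sample '06.03.2020' |
    Format-Table Name, DisplayName, DateTimeFormat, Parsed -AutoSize
```

Ambiguous samples such as 06.03.2020 match more than one culture, so compare a second row where the day is above 12 before settling on a locale.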

Formatting dates with PowerShell for different purposes

So Windows has lots of date formats to choose from. These are a few of them, with functions to convert between them and DateTime.

Datetime

The default time format that we use in .NET and PowerShell. This is probably the first date function you will learn to use. Or you can call the .NET class directly.

FileTime

A Microsoft time format that counts the number of 100 ns intervals since January 1, 1601. Yes, this is a really large number. Even though the name suggests it is only for files, it isn’t. Also, in some file systems the resolution isn’t 100 ns just because the format has that as its smallest increment.

I did a blog entry about a small discrepancy, depending on how dates were created using different methods, where the results differed by 100 ns. This was easiest to spot while looking at the time in FileTime format.

MSDN page for FileTime structure

DMTF (Distributed Management Task Force) DateTime

Used by AD for some attributes and by WMI. The format is almost easy to read.

MSDN page for CIM_DATETIME

Unix Epoch

This is the standard format used by *nix based systems: the number of seconds since January 1, 1970.

Also, if you don’t care about being compatible with older versions, you could use the [DateTimeOffset] class.

What about the other way? That is really much simpler.
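As an added example (not the post's own snippets), one [datetime] value converted to each of the formats above and back, so the round trips can be compared side by side. It assumes Windows PowerShell or PowerShell 7 on Windows for the System.Management DMTF converter; the input timestamp is constructed.

```powershell
# Added example (not the post's code): one UTC timestamp to FileTime, DMTF and Unix epoch
# and back. Constructed input: 2020-03-06 13:37:42 UTC.
$when = [datetime]::new(2020, 3, 6, 13, 37, 42, [System.DateTimeKind]::Utc)

# FileTime: 100 ns ticks since 1601-01-01 UTC. ToFileTimeUtc skips the local-time
# conversion that ToFileTime performs; FromFileTimeUtc keeps the result in UTC.
$fileTime = $when.ToFileTimeUtc()
$fromFile = [datetime]::FromFileTimeUtc($fileTime)

# DMTF / CIM_DATETIME: yyyymmddHHMMSS.mmmmmmsUUU, the form AD and WMI use. The converter
# works in local time, so the UTC offset in minutes ends up in the last four characters.
$dmtf     = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($when)
$fromDmtf = [System.Management.ManagementDateTimeConverter]::ToDateTime($dmtf)

# Unix epoch: seconds since 1970-01-01 UTC. DateTimeOffset does it natively (.NET 4.6+).
$epoch     = [DateTimeOffset]::new($when).ToUnixTimeSeconds()
$fromEpoch = [DateTimeOffset]::FromUnixTimeSeconds($epoch).UtcDateTime
# Older .NET: subtract the epoch by hand.
$epochOld  = [long]($when - [datetime]::new(1970, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)).TotalSeconds

[pscustomobject]@{
    Source             = $when.ToString('o')
    FileTime           = $fileTime
    Dmtf               = $dmtf
    UnixEpoch          = $epoch
    FileTimeRoundTrip  = $fromFile.ToString('o')
    DmtfRoundTrip      = $fromDmtf.ToUniversalTime().ToString('o')
    EpochRoundTrip     = $fromEpoch.ToString('o')
    EpochMatchesManual = ($epoch -eq $epochOld)
}
```

The DMTF round trip comes back with Kind Local, which is why it is converted with ToUniversalTime() before comparing; the epoch values lose the sub-second part by design.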