Testing that a website is using Kerberos authentication - iis

How do you go about checking that an IIS website is successfully using Kerberos and not falling back on NTLM?

One way I found to test in code that you are using Kerberos is that the HTTP_AUTHORIZATION header for NTLM always starts with the following:
Negotiate TlRMTVNTUA
If the header doesn't start with that text, then the browser is authenticating using Kerberos.
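As an added example (not part of the original answer), here is a Python check that goes one step beyond the prefix test: it base64-decodes the Negotiate token and distinguishes a bare NTLMSSP message from a SPNEGO token, and for SPNEGO reads the first mechanism OID to tell Kerberos from NTLM-wrapped-in-SPNEGO. The sample headers at the bottom are constructed for testing, not captured traffic.

```python
import base64

# DER-encoded OBJECT IDENTIFIER TLVs for the GSS-API mechanisms seen in SPNEGO.
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"  # base64 of this gives the "TlRMTVNTUA" prefix

def classify_authorization(header: str) -> str:
    """Classify an Authorization header value as 'Kerberos', 'NTLM-raw',
    'NTLM-spnego', 'not-negotiate', 'bad-base64' or 'unknown'."""
    scheme, _, token_b64 = header.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "NTLM-raw"
    if scheme.lower() != "negotiate" or not token_b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "bad-base64"
    # A browser that fell back to NTLM sends a bare NTLMSSP message under Negotiate.
    if token.startswith(NTLMSSP_SIG):
        return "NTLM-raw"
    # A SPNEGO InitialContextToken is [APPLICATION 0] (0x60) followed by the SPNEGO OID.
    spnego_at = token.find(SPNEGO_OID, 0, 16)
    if not token.startswith(b"\x60") or spnego_at < 0:
        return "unknown"
    # The optimistic mechToken belongs to the first OID in mechTypes, so the
    # earliest mechanism OID after the SPNEGO OID is the one actually in use.
    start = spnego_at + len(SPNEGO_OID)
    hits = [(token.find(oid, start), name) for name, oid in
            (("Kerberos", KRB5_OID), ("Kerberos", MS_KRB5_OID), ("NTLM-spnego", NTLM_OID))]
    hits = [h for h in hits if h[0] >= 0]
    return min(hits)[1] if hits else "unknown"

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV with short-form length (bodies here are under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def build_spnego_init(mech_oids) -> bytes:
    """Constructed NegTokenInit carrying only mechTypes (no mechToken), for testing."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(mech_oids)))
    return _tlv(0x60, SPNEGO_OID + _tlv(0xA0, _tlv(0x30, mech_types)))

# Constructed sample headers (not captured traffic).
SAMPLE_KERB = "Negotiate " + base64.b64encode(build_spnego_init([MS_KRB5_OID, KRB5_OID])).decode()
SAMPLE_SPNEGO_NTLM = "Negotiate " + base64.b64encode(build_spnego_init([NTLM_OID])).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00").decode()
```

Run it against the Authorization value of a request logged or captured on the server; only "Kerberos" means the ticket path was actually taken.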

Fiddler2 will indicate if the authentication header is NTLM vs Kerberos.
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
60 82 13 7B 06 06 2B 06 01 05 05 02 A0 82 13 6F `.{..+..... .o
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
A1 81 A0 30 81 9D A0 03 0A 01 00 A1 0B 06 09 2A ¡ 0 ....¡...*

The easiest way that I can think of is to use Wireshark to watch the network packets and verify that your IIS server is requesting Kerberos tickets from your DC.

You can check the security log in the event viewer of the web server.
You can also launch KerbTray on the client machine and check if it's using the correct SPN. Kerbtray is available here (don't worry, it's not Win2000 only).

I use the security log in the event viewer to check, as someone already mentioned. Here is a successful Kerberos auth:
Successful Network Logon:
User Name: {Username here}
Domain: {Domain name here}
Logon ID: (0x0,0x########)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {########-####-####-####-############}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Well, Negotiate can also be Kerberos, because it is a wrapper over Kerberos and NTLM. Like other guys said, Wireshark (or Network Monitor) and Security event log will not cheat you.

Related

AD Windows Server + Samba Linux integration [closed]

I am not sure whether my configuration for integrating AD Windows Server with the Samba file server is correct.
We have already done the configuration and joined the Samba server to the domain, but when I try to pull the information with the net rpc vampire command, it asks for the root password and, after it is entered, the following error is displayed:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0000] 06 0E 6C 99 B7 1F 44 00 69 5D CA A5 BE 41 2A 84 ..l...D. i]...A*.
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED
The testparm command ran successfully with the following output:
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
After running the net rpc join command, it also reported that the domain join succeeded.
The end goal is to integrate AD users and groups for permissions in Samba.

HEX query automation

I have a control board installed on a remote digital signage totem.
The board is connected via RS232 to an IP adapter that I can connect to remotely.
I need to send it HEX commands every hour, get the answers and act according to them
(for example, the command for the door status is "AE 04 04 0A" and the answer is "{EF}{04}{04}{01}"; the last digit is 1 = open, 0 = closed).
I would like to take the answers and get them into my Zabbix monitoring system for alerts, e.g. if the door is open or the temperature is high.
Can you point me to a platform that can run this kind of automation?
It's surely doable, but it depends on the details of the "IP adapter which I can connect remotely":
Is it an HTTP gateway where you post your authentication and commands? Then use an HTTP item.
Is it a simple socket with no auth, just IP->RS232? Then a simple telnet/nc script called via Zabbix with a system.run is the way to go.
Is the interaction more complex? I.e. telnet, then authenticate, then subcommand1 and so on? A system.run as well, but calling a more complex script such as expect or pexpect.
In the simplest case, assuming a socket on host 1.2.3.4 and port 23 that just accepts input:
echo 'AE 04 04 0A' | nc -N 1.2.3.4 23 | perl -lne 'print $1 if /(?:\{\w\w\}){3}\{(\w\w)\}/'
This will send the hex command AE 04 04 0A to the device, then print the fourth portion of the result: so if the result string is {EF}{04}{04}{01}, the command will return 01.
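As an added example (not from the original answer), a Python version of the same check that validates the reply frame before trusting the status byte, and fetches it over the adapter's raw socket so a Zabbix system.run item gets a clean 0/1 or ZBX_NOTSUPPORTED. The host 1.2.3.4, port 23, the newline-terminated ASCII command format and the absence of authentication are assumptions carried over from the answer above.

```python
import re
import socket

# Protocol details taken from the question: the door-status query is "AE 04 04 0A"
# and the reply is "{EF}{04}{04}{01}", whose last field is 1 = open, 0 = closed.
DOOR_STATUS_CMD = "AE 04 04 0A"
FIELD_RE = re.compile(r"\{([0-9A-Fa-f]{2})\}")

def parse_reply(reply: str):
    """Split a {xx}{xx}{xx}{xx} reply into four byte values, or None if malformed."""
    text = reply.strip()
    if not re.fullmatch(r"(?:\{[0-9A-Fa-f]{2}\}){4}", text):
        return None
    return [int(f, 16) for f in FIELD_RE.findall(text)]

def door_status(reply: str):
    """Return 1 (open) or 0 (closed); None if the frame is malformed or does not
    look like a reply to the door-status query (0xEF header, echoed 04 04)."""
    fields = parse_reply(reply)
    if fields is None or fields[0] != 0xEF or fields[1:3] != [0x04, 0x04]:
        return None
    return fields[3] if fields[3] in (0, 1) else None

def query_device(host: str, port: int, command: str = DOOR_STATUS_CMD,
                 timeout: float = 5.0) -> str:
    """Send one ASCII hex command over the adapter's raw TCP socket (assumed: no
    authentication, newline-terminated commands) and return the reply text."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall((command + "\n").encode("ascii"))
        # Read until four {xx} fields have arrived, the peer closes, or we time out.
        while len(FIELD_RE.findall(b"".join(chunks).decode("ascii", "replace"))) < 4:
            try:
                data = sock.recv(256)
            except socket.timeout:
                break  # partial or no reply: door_status() will return None
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")

if __name__ == "__main__":
    # Hypothetical adapter address; print the value for a Zabbix system.run item.
    status = door_status(query_device("1.2.3.4", 23))
    print("ZBX_NOTSUPPORTED" if status is None else status)
```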

PCI vulnerability discovered during scan. How to prevent disclosing Web Server software version sent in HTTP response header. port 8172

We scanned our website for vulnerabilities and received the message shown below.
We used Clover Security to scan the Azure Web App site.
We have already implemented the solution in web.config shared on the Internet and by Microsoft on these websites:
https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/
https://learn.microsoft.com/en-us/answers/questions/28434/azure-app-service-how-to-block-msdeployaxd-on-port.html
As discussed in the last URL, I have also re-created a new resource group, app service plan and app service and redeployed in a different US location, but the error still shows on re-scan.
Any suggestion on how to fix this would be greatly appreciated.
Thank you in advance.
Error message provided (our IP has been x'd out):
Category Web Application
CVE -
CVSS base score 5.0
Description Web Server Information Disclosure
Host xx.xx.xxx.xx
Threat -
Impact -
Solution -
PCI compliant No
PCI details -
Reason The vulnerability is not included in the NVD.
PCI details medium
Port 8172 / tcp
Host name No registered hostname
Host OS Windows Vista / Windows 2008 / Windows 7 / Windows 2012 / Windows Vista / Windows 2008 / Windows 7 / Windows 2012
Result
url: https://xx.xx.xxx.xx:8172/
comment: Web Server Information Disclosure detected at PORT : 8172
matched: HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Thu, 23 Jun 2022 08:20:52 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
CVSS Base Score 5.0 - - AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Score 4.3 - E:POC/RL:W/RC:C
Severity 2
Category Web Application
CVE ID
Vendor Reference
Bugtraq ID
Date Updated Jun 1, 2022
Threat The target application discloses the Web Server software version via the "Server:" token sent in HTTP response header.
QID Detection Logic:
This QID sends a GET request to the target application and determines the Web Server version disclosed in the "Server:" token.
Impact Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes.
Solution Customers are advised to modify the HTTP response header of the target application to not disclose detailed information about the underlying web server. Server implementers are encouraged to make this field a configurable option.
You need to raise this as a false positive, as the failing scan is for port 8172. This is part of Azure's services infrastructure and isn't removable or editable. You might also get false positives for ports 455 and 454 on the same IP address. When you create the false positive claim, you need to let your PCI scan provider know that these ports are not accessible to, nor for use by, the general public. You will also need to "confirm" that there is no CHD (cardholder data) being transmitted through those ports/services.

Shared resource and point of failure

We need to add the high availability feature in our web application so I am considering load balancing (Application Request Routing in IIS). Here is my setup:
Server 01: This is where the ARR is installed with two nodes (02 and 03).
Server 02: This is the node 02 in Server 01.
Server 03: This is the node 03 in Server 01.
Assuming I have set it up correctly, question 1: I need to make sure that Server 01 is up all the time to achieve high availability. If I did not have ARR and hosted my web application directly on Server 01, I would also need to make sure it is up all the time. What is the difference?
Question 2: I have a folder on the web server that my users upload files to. That folder exists on both Server 02 and 03. If a file is saved on 02 but the request for that file goes to 03, it will not be able to find it. How do I share the resources between 02 and 03?
Since we are only looking for high availability, we will host the web application on Server 01 and have a cluster (Server 02). So when Server 01 is down, Server 02 will take over. Regarding sharing the resources (folder), we will have a designated file server that both Server 01 and Server 02 will point to.

BlueZ: How to set up a GATT server from the command line

I would like to know if there is a way to set up a gatt server from the Linux command line. I know that the BlueZ gatttool command allows you to act as a gatt client and interrogate a remote gatt server, however, I do not think that this tool can be used to set up a server.
What I want to achieve is a gatt server, created from the command line, and can be interrogated by any central device (e.g. iOS or Android device) to connect to the GATT server, discover the services and characteristics, and manipulate the data in the characteristics.
Example:
Gatt Server with 1 service which contains 3 characteristics.
Service uuid = 0xFFFF
Char 1 uuid = 0xAAAA, value = 01, properties = readable
Char 2 uuid = 0xBBBB, value = 00, properties = readable & writable
Char 3 uuid = 0xCCCC, value = 02, properties = notifiable
I am using kernel version 3.11.0 and BlueZ 5.19
So this is now handled with the new bluetoothctl tool. A GATT table can be set up using this tool as follows:
#bluetoothctl
[bluetoothctl] menu gatt
[bluetoothctl] register-service 0xFFFF # (Choose yes when asked if primary service)
[bluetoothctl] register-characteristic 0xAAAA read # (Select a value of 1 when prompted)
[bluetoothctl] register-characteristic 0xBBBB read,write # (Select a value of 0 when prompted)
[bluetoothctl] register-characteristic 0xCCCC read # (Select a value of 2 when prompted)
[bluetoothctl] register-application # (This commits the services/characteristics and registers the profile)
[bluetoothctl] back
[bluetoothctl] advertise on
I've tried this with a few service/characteristic combinations and was able to get it to work. The GAP (0x1800) and GATT (0x1801) services are available by default and will be part of the GATT table when you advertise. You can also use the following command to see the available services:
[bluetoothctl] show
Controller 00:AA:BB:CC:DD:EE (public)
Name: MyMachine
Alias: MyMachine
Class: 0x000c0000
Powered: yes
Discoverable: no
Pairable: yes
UUID: Headset AG (00001112-0000-1000-8000-00805f9b34fb)
UUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
UUID: A/V Remote Control (0000110e-0000-1000-8000-00805f9b34fb)
UUID: Generic Access Profile (00001800-0000-1000-8000-00805f9b34fb)
UUID: PnP Information (00001200-0000-1000-8000-00805f9b34fb)
UUID: A/V Remote Control Target (0000110c-0000-1000-8000-00805f9b34fb)
UUID: Audio Source (0000110a-0000-1000-8000-00805f9b34fb)
UUID: Audio Sink (0000110b-0000-1000-8000-00805f9b34fb)
**UUID: Unknown (0000ffff-0000-1000-8000-00805f9b34fb)**
UUID: Headset (00001108-0000-1000-8000-00805f9b34fb)
Modalias: usb:v1D6Bp0246d0532
Discovering: no
I have also faced the same issue, but could not find any proper solution. The best you can do using the BlueZ stack on an Ubuntu machine is use some hci commands to advertise LE packets. These packets will be constantly advertised as if this were an LE server; if you scan using a GATT client you will get the name of your BlueZ device in the scan list.
Use the following commands:
Set the LE advertisement packets with the following command:
sudo hcitool -i hcix cmd 0x08 0x0008 1E 02 01 1A 1A FF 4C 00 02 15 E2 0A 39 F4 73 F5 4B C4 A1 2F 17 D1 AD 07 A9 61 00 00 00 00 C8 00
Now advertise the LE packets with the following command:
sudo hciconfig hcix leadv
I believe it is not possible to set up a GATT server from the CLI.
Mainly because it is an upper-layer functionality, so there is no tool available to do it (most of the tools provide lower-layer functionality).
But you can mimic the way BlueZ creates services using D-Bus.
We needed a GattService with two characteristics (R, W, N).
What we ended up doing was the following:
1. Use libgdbus (from the BlueZ source). It has all the D-Bus wrappers to register services with BlueZ.
2. Created a translator (socket IPC) to separate the licensing issue (GPL).
3. Send commands to the service registrar to create a service,
e.g. op_code = create_service, uuid = 'service_uuid'
op_code = create_charac, uuid = 'charac_uuid' flags = 'rwn'
Hope this helps.