Export non-exportable private keys from Windows key store

When I was looking for a utility to export the non-exportable private keys in Windows, I found the mimikatz tool, which enabled me to do that and a lot more.

To export the private keys, run mimikatz as administrator and type:

crypto::capi
crypto::certificates /export

And you’ll get the certificates exported, protected with the password mimikatz. You can also export the machine certificates with the /systemstore flag. See the wiki for more info.

This tool is detected as a threat by many antivirus products, so you’ll probably have to disable yours before using it.

Remove stored credentials in Windows

Today a user wasn’t able to log in from his Windows machine to a shared folder in Samba. He was told that his user name (from Active Directory) was not found. The system log was recording the Security-Kerberos event ID 14.

After some digging, I found this thread with the solution:

rundll32 keymgr.dll,KRShowKeyMgr

This opens a credentials manager window, where we can delete the problematic credentials. After doing this, the user logged in without problems.

One-liner to get all the members of an AD group

With this line you get all the users of an Active Directory group recursively, so any nested group is expanded. The result is also exported to a CSV file.

Get-ADGroupMember -Identity 'GroupName' -Recursive | Get-ADUser -Properties '*' | Select-Object samAccountName, name, givenName, sn, mail, l | Export-Csv -Encoding UTF8 -Delimiter ';' -Path '.\users.csv'

Export Exchange recipients to Postfix server

When you have an Exchange server in your organization and you also use a Postfix server as a gateway, the gateway needs the list of all valid recipients in your organization. This way, you can reject invalid emails at the gateway and, more importantly, when the sender address is forged, you don’t spam innocent people with undeliverable-mail notices.

I use this script in Exchange 2003 to generate all addresses.

[Read More]
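One way to produce the valid-recipient list described above in the format Postfix expects, as an added example and not the original post's Exchange 2003 script. The function name ConvertTo-RelayRecipient, the sample addresses and the output path are assumptions; the real input would be the proxyAddresses attribute of the mail-enabled objects in Active Directory.

```powershell
# Added example, not the original post's script.
# ConvertTo-RelayRecipient, the sample data and the output path are assumptions.

function ConvertTo-RelayRecipient {
    # Turns raw proxyAddresses values into Postfix lookup-table lines ("address OK").
    param([Parameter(ValueFromPipeline = $true)][string]$ProxyAddress)
    begin { $seen = New-Object 'System.Collections.Generic.HashSet[string]' }
    process {
        # proxyAddresses mixes address types (SMTP:, smtp:, X400:, ...); keep SMTP only.
        # -match is case-insensitive: primary (SMTP:) and alias (smtp:) entries both pass.
        if ($ProxyAddress -match '^smtp:([^@\s]+@[^@\s]+)$') {
            $addr = $Matches[1].ToLowerInvariant()
            # Emit each address once. Postfix only checks that the key exists,
            # so the right-hand value just has to be present.
            if ($seen.Add($addr)) { "$addr OK" }
        }
    }
}

# Constructed sample values, shaped like the proxyAddresses attribute.
$sample = @(
    'SMTP:Alice@example.com',
    'smtp:alice.smith@example.com',
    'X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=Alice;',
    'smtp:ALICE@example.com',        # duplicate of the primary after lowercasing
    'SMTP:sales@example.com'
)
$lines = $sample | ConvertTo-RelayRecipient

# With the ActiveDirectory module, the real input would instead be:
#   Get-ADObject -LDAPFilter '(proxyAddresses=*)' -Properties proxyAddresses |
#       ForEach-Object { $_.proxyAddresses } | ConvertTo-RelayRecipient

# Write LF line endings so the file is a clean text table on the Linux gateway.
$outFile = Join-Path -Path $PWD.Path -ChildPath 'relay_recipients'
[System.IO.File]::WriteAllText($outFile, (($lines -join "`n") + "`n"),
    [System.Text.Encoding]::ASCII)

# On the Postfix gateway, main.cf references the table:
#   relay_recipient_maps = hash:/etc/postfix/relay_recipients
# and the table is rebuilt after every copy with:
#   postmap hash:/etc/postfix/relay_recipients
```

With the sample above, the file contains three lines: alice@example.com, alice.smith@example.com and sales@example.com, each followed by OK.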

How to test an OCSP server

The other day, I installed an OCSP server on Windows 2012 R2 and needed to test it. I have found two different ways. In Windows, using the certutil tool:

# certutil.exe -url cert.pem

It will open a window where we can test all the revocation methods listed in the certificate. To test OCSP, we select it under “recovery” and click the button.

OCSP test with certutil

In Linux we can test OCSP with OpenSSL; this line does the trick:

[Read More]

Enable automatic startup of Hyper-V

On a Windows 2012 test machine, I found that I could not start virtual machines because it said the hypervisor was not running. After checking that the virtualization extensions were enabled in the BIOS, I discovered that you have to add a parameter to the Windows boot loader so that the hypervisor starts automatically.

To do this, we will use the bcdedit.exe command as administrator. If we run it without parameters, we can see the current configuration, and to add the auto-start option:

[Read More]

Script to grant dial-in access in Active Directory

I have found that it is not a trivial task to change the dial-in permission of an Active Directory user or computer, because you must update the userParameters attribute at the same time as msNPAllowDialin.

In KB252398, Microsoft says to download the Active Directory Service Interface, so you can register adsras.dll and use the ADSI interface it provides, but the download is no longer available.

I have managed to create a script to allow dial-in: first, I manually allowed one user to dial in, and then I take those permissions and apply them to the rest.

[Read More]

Back up all the databases in SQL Server

To back up all the databases on a SQL Server, this script, which I found on this page, comes in very handy: http://www.mssqltips.com/sqlservertip/1070/simple-script-to-backup-all-sql-server-databases/

DECLARE @name VARCHAR(256) -- database name
DECLARE @path VARCHAR(256) -- path for backup files
DECLARE @fileName VARCHAR(256) -- filename for backup
DECLARE @fileDate VARCHAR(20) -- used for file name

SET @path = 'C:\Backup\'

SELECT @fileDate = CONVERT(VARCHAR(20),GETDATE(),112)

DECLARE db_cursor CURSOR FOR
SELECT name
FROM master.dbo.sysdatabases
WHERE name NOT IN ('master','model','msdb','tempdb')

OPEN db_cursor
FETCH NEXT FROM db_cursor INTO @name

WHILE @@FETCH_STATUS = 0
BEGIN
    SET @fileName = @path + @name + '_' + @fileDate + '.BAK'
    BACKUP DATABASE @name TO DISK = @fileName

    FETCH NEXT FROM db_cursor INTO @name
END

CLOSE db_cursor
DEALLOCATE db_cursor

Monitoring CentOS machines from Microsoft Operations Manager

I am currently wrestling with Microsoft Operations Manager, and from what I can see it includes management packs for Red Hat that do not work for CentOS. Thanks to the links below, I have managed to create specific MPs for CentOS:

http://blogs.msdn.com/b/scxplat/archive/2010/01/05/building-a-centos-management-pack-part-1.aspx
http://blogs.msdn.com/b/scxplat/archive/2010/01/05/building-a-centos-management-pack-part-2.aspx
http://blogs.msdn.com/b/scxplat/archive/2010/01/18/building-a-centos-management-pack-part-3.aspx

This user has also written a very useful guide for diagnosing possible discovery or agent installation problems on CentOS:

[Read More]