May 22, 2018

Brute forcing a LUKS-protected device

# Encrypt the test device. In my case it is an 8GB flash drive.
root@hostname:~# fdisk -l
Disk /dev/sda: 7.5 GiB, 8015314944 bytes, 15654912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

root@hostname:~# cryptsetup luksFormat /dev/sda

WARNING!
========
This will overwrite data on /dev/sda irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
root@hostname:~# cryptsetup luksOpen /dev/sda test
Enter passphrase for /dev/sda:

# Create file system on mapped device.
root@hostname:~# mkfs.ext4 /dev/mapper/test
mke2fs 1.43.4 (31-Jan-2017)
Creating filesystem with 1956352 4k blocks and 489600 inodes
Filesystem UUID: 6a969f1b-862b-4dfa-9904-912305da4098
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done                           
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

# Mount encrypted volume.
root@hostname:~# mount /dev/mapper/test /test/
root@hostname:~# df -h
Filesystem        Size  Used Avail Use% Mounted on
/dev/mapper/test  7.3G   34M  6.9G   1% /test

# Unmount and close the LUKS device.
root@hostname:~# umount /test
root@hostname:~# cryptsetup luksClose test

# Snapshot the LUKS header.
root@hostname:~# dd if=/dev/sda of=test.header bs=512 count=4097
4097+0 records in
4097+0 records out
2097664 bytes (2.1 MB, 2.0 MiB) copied, 0.139339 s, 15.1 MB/s

# Copy the header to the cracking station and start brute forcing. In my case it is a VM with a Xeon CPU.
F:\hashcat-4.1.0>hashcat64.exe -m 14600 F:\test.header -a 3 ?d?d?d?d?d?d
hashcat (v4.1.0) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) Xeon(R) CPU D-1521 @ 2.40GHz, 1021/4087 MB allocatable, 8MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

F:\test.header:123456

Session..........: hashcat
Status...........: Cracked
Hash.Type........: LUKS
Hash.Target......: F:\test.header
Time.Started.....: Tue May 22 12:33:39 2018 (23 secs)
Time.Estimated...: Tue May 22 12:34:02 2018 (0 secs)
Guess.Mask.......: ?d?d?d?d?d?d [6]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:       89 H/s (8.62ms) @ Accel:256 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2048/1000000 (0.20%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/100000 (0.00%)
Candidates.#1....: 123456 -> 135500
HWMon.Dev.#1.....: N/A

# Another example with a custom charset.
F:\hashcat-4.1.0>hashcat64.exe -m 14600 F:\test.header -a 3 -1 123456 ?1?1?1?1?1?1
hashcat (v4.1.0) starting...

F:\test.header:123456

Session..........: hashcat
Status...........: Cracked
Hash.Type........: LUKS
Hash.Target......: F:\test.header
Time.Started.....: Tue May 22 12:44:57 2018 (22 secs)
Time.Estimated...: Tue May 22 12:45:19 2018 (0 secs)
Guess.Mask.......: ?1?1?1?1?1?1 [6]
Guess.Charset....: -1 123456, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:       91 H/s (8.36ms) @ Accel:256 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2048/46656 (4.39%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/7776 (0.00%)
Candidates.#1....: 123456 -> 115144
HWMon.Dev.#1.....: N/A
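
Hashcat mode 14600 works on exactly the file dumped above, so it is worth knowing what is in it. The script below is an added example, not part of the original post: it parses a LUKS1 header dump in PowerShell and prints the fields that set the cost of every passphrase guess (hash-spec and per-slot PBKDF2 iteration count), plus which of the eight key slots are actually enabled. Field offsets follow the LUKS1 on-disk format (592-byte header); it assumes the dump starts at byte 0 of the device and refuses anything that is not LUKS version 1, which is the only version -m 14600 handles. The path F:\test.header is the one used in the post.

```powershell
# Added example, not part of the original post: inspect a LUKS1 header dump.
# Offsets follow the LUKS1 on-disk format; LUKS2 headers are rejected.

function Read-BigEndianUInt32 {
    param([byte[]]$Bytes, [int]$Offset)
    # LUKS1 integers are big-endian; BitConverter is little-endian on x86, so reverse first.
    [byte[]]$slice = $Bytes[$Offset..($Offset + 3)]
    [array]::Reverse($slice)
    return [BitConverter]::ToUInt32($slice, 0)
}

function Read-CString {
    param([byte[]]$Bytes, [int]$Offset, [int]$Length)
    # Fixed-width, NUL-padded ASCII field: keep everything before the first NUL.
    return ([System.Text.Encoding]::ASCII.GetString($Bytes, $Offset, $Length)).Split([char]0)[0]
}

function Get-Luks1HeaderInfo {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 592) { throw "Too short for a LUKS1 header: $($b.Length) bytes" }

    # Magic is the ASCII string "LUKS" followed by the bytes 0xBA 0xBE.
    $magic = [byte[]](0x4C, 0x55, 0x4B, 0x53, 0xBA, 0xBE)
    for ($i = 0; $i -lt 6; $i++) {
        if ($b[$i] -ne $magic[$i]) { throw "$Path does not start with a LUKS header" }
    }
    $version = [int]$b[6] * 256 + [int]$b[7]
    if ($version -ne 1) { throw "LUKS version $version is not supported by this parser (LUKS1 only)" }

    # Eight 48-byte key slot descriptors start at offset 208, right after the UUID.
    $slots = for ($s = 0; $s -lt 8; $s++) {
        $base   = 208 + 48 * $s
        $active = Read-BigEndianUInt32 $b $base
        # 0x00AC71F3 marks an enabled slot, 0x0000DEAD a disabled one.
        if ($active -eq 0x00AC71F3) { $state = 'enabled' } elseif ($active -eq 0x0000DEAD) { $state = 'disabled' } else { $state = 'unknown (0x{0:X8})' -f $active }
        [pscustomobject]@{
            Slot              = $s
            Active            = $state
            Iterations        = Read-BigEndianUInt32 $b ($base + 4)    # PBKDF2 rounds per guess for this slot
            KeyMaterialSector = Read-BigEndianUInt32 $b ($base + 40)
            Stripes           = Read-BigEndianUInt32 $b ($base + 44)
        }
    }

    [pscustomobject]@{
        Version              = $version
        Cipher               = Read-CString $b 8 32
        CipherMode           = Read-CString $b 40 32
        HashSpec             = Read-CString $b 72 32      # PRF used by PBKDF2, e.g. sha256
        PayloadOffsetSectors = Read-BigEndianUInt32 $b 104
        MasterKeyBytes       = Read-BigEndianUInt32 $b 108
        MKDigestIterations   = Read-BigEndianUInt32 $b 164
        UUID                 = Read-CString $b 168 40
        KeySlots             = $slots
    }
}

# Usage: header summary first, then one row per key slot. Only 'enabled' slots can be attacked.
$hdr = Get-Luks1HeaderInfo -Path 'F:\test.header'
$hdr | Select-Object Version, Cipher, CipherMode, HashSpec, MasterKeyBytes, UUID | Format-List
$hdr.KeySlots | Format-Table Slot, Active, Iterations, Stripes -AutoSize
```

HashSpec and the per-slot Iterations are what bound the 89 H/s seen above: every candidate has to go through that many PBKDF2 rounds before the key material can be checked. Raising the iteration count (cryptsetup --iter-time) makes each guess dearer, but it does not rescue a six-digit passphrase: at 89 H/s the whole ?d?d?d?d?d?d space of 1,000,000 candidates is exhausted in about three hours, so passphrase length and entropy remain the real defence. On Linux, cryptsetup luksDump prints the same fields.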

May 21, 2018

Convert MBR to GPT without data loss

It is possible to convert an MBR disk to GPT using the standard Windows Disk Management tool. However, it requires that the disk contains no volumes; otherwise "Convert to GPT Disk" will be greyed out.

In this case you can use the gptgen tool, which converts the disk in place without destroying the volume and its data. First, use the Diskpart tool to identify the disk number. In my case it is Disk 2.

Then run gptgen with the following parameters: "gptgen.exe -w \\.\physicaldrive2", where 2 is the disk number from Diskpart.

After that, run Diskpart again to check that the change was applied successfully.

May 11, 2018

Active Directory - Password Reset Delegation Audit using PowerShell

I have a Test OU in the example.com Active Directory domain. PWResetUser was delegated password reset permissions on that OU. However, the delegated user can't reset passwords for all accounts inside the OU due to access denied errors. The PowerShell script below helps to identify the problematic user accounts.

./check-acl.ps1 -Identity "*PWResetUser" -OU "OU=Test,DC=example,DC=com"

Rights         User         Type Identity
------         ----         ---- --------
Reset Password Username1   Allow TEST\PWResetUser
Reset Password Username2   Allow TEST\PWResetUser
No Data        Username3 No Data No Data

As you can see, Username3 shows No Data. After checking the Security tab of the user's properties, I found the problem: security inheritance was disabled on that user.

After re-enabling inheritance (or manually delegating the password reset permission to PWResetUser), the delegated user can reset the password for Username3 as well. The report now looks better:

Rights         User       Type Identity
------         ----       ---- --------
Reset Password Username1 Allow TEST\PWResetUser
Reset Password Username2 Allow TEST\PWResetUser
Reset Password Username3 Allow TEST\PWResetUser
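
For readers who want to reproduce this audit, here is an added example of such a check; it is not the author's check-acl.ps1. It reads the ACL of every user in the OU through the AD: drive of the ActiveDirectory module (RSAT) and reports the ACEs that grant or deny the "Reset Password" extended right to the given trustee. It goes a little beyond the report above in two ways: it also counts an ACE whose ObjectType is the empty GUID (all extended rights, or GenericAll) as covering the right, and it prints AreAccessRulesProtected, which is the "inheritance disabled" condition the post found on Username3. The GUID is the well-known control access right for Reset Password; the OU and trustee values are the ones from the post, and -Identity accepts the same wildcard form.

```powershell
# Added example, not the author's check-acl.ps1: audit password reset delegation per user.
Import-Module ActiveDirectory

# Well-known controlAccessRight GUID for "Reset Password" (User-Force-Change-Password).
$ResetPasswordRightGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-PasswordResetDelegationReport {
    param(
        [Parameter(Mandatory)][string]$OU,         # e.g. "OU=Test,DC=example,DC=com"
        [Parameter(Mandatory)][string]$Identity    # e.g. "TEST\PWResetUser" or "*PWResetUser"
    )

    foreach ($user in Get-ADUser -SearchBase $OU -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

        # ACEs for this trustee that carry the ExtendedRight bit and either name the
        # Reset Password GUID or apply to all extended rights (empty ObjectType).
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -like $Identity -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $ResetPasswordRightGuid -or $_.ObjectType -eq [guid]::Empty)
        }

        if ($aces) {
            foreach ($ace in $aces) {
                [pscustomobject]@{
                    User                 = $user.SamAccountName
                    Rights               = 'Reset Password'
                    Type                 = $ace.AccessControlType
                    Identity             = $ace.IdentityReference.Value
                    Inherited            = $ace.IsInherited
                    InheritanceProtected = $acl.AreAccessRulesProtected
                }
            }
        } else {
            # No matching ACE at all; the usual cause is inheritance disabled on the object,
            # which shows up as InheritanceProtected = True.
            [pscustomobject]@{
                User                 = $user.SamAccountName
                Rights               = 'No Data'
                Type                 = 'No Data'
                Identity             = 'No Data'
                Inherited            = $null
                InheritanceProtected = $acl.AreAccessRulesProtected
            }
        }
    }
}

Get-PasswordResetDelegationReport -OU 'OU=Test,DC=example,DC=com' -Identity '*PWResetUser' |
    Format-Table User, Rights, Type, Identity, Inherited, InheritanceProtected -AutoSize
```

A user row with Rights = No Data and InheritanceProtected = True is the Username3 case: the OU-level delegation never reaches the object. A Deny row for the same trustee would also explain an access denied error and is worth checking before re-enabling inheritance.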

Script Syntax:


May 8, 2018

Azure - Cross-subscription move error

Error: The Move resources request contains KeyVault resources which are referenced by one or more VMs in the request. This is not supported currently in Cross subscription Move. Please check the error details for the KeyVault resource Ids.

Note: This is a known issue after migration from ASM to ARM. The script below helps to identify VMs that still reference a KeyVault and to clear the vault property on the VM.

Workaround: Get the list of VMs with a KeyVault attached. The report includes the VM name, resource group and the KeyVault itself.

.\FixVault.ps1 -Report

Detach the KeyVault from the VM, where the VM name is TestVM1 and the Resource Group name is TestRG1.

.\FixVault.ps1 -Update -VMName TestVM1 -RGName TestRG1
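
The two modes of the workaround, as an added example that is not the author's FixVault.ps1: a report of every ARM VM whose OSProfile.Secrets still points at a Key Vault (the reference the move error complains about) and a function that clears that reference for one VM by replacing the Secrets collection with an empty list and pushing the VM model back. It uses the AzureRM module of the time (Get-AzureRmVM / Update-AzureRmVM) and assumes you have already run Login-AzureRmAccount; the type name is the AzureRM SDK's VaultSecretGroup. Clearing the reference also drops any vault certificates the VM was provisioned with, so run the report first and confirm the VM no longer needs them.

```powershell
# Added example, not the author's FixVault.ps1. Requires the AzureRM module and
# Login-AzureRmAccount to have been run.

function Get-VMsWithKeyVault {
    # One row per VM/vault pair; a VM with no OSProfile.Secrets produces no row.
    foreach ($vm in Get-AzureRmVM) {
        foreach ($secretGroup in @($vm.OSProfile.Secrets)) {
            if ($null -eq $secretGroup) { continue }
            [pscustomobject]@{
                VMName        = $vm.Name
                ResourceGroup = $vm.ResourceGroupName
                KeyVault      = $secretGroup.SourceVault.Id
                Certificates  = @($secretGroup.VaultCertificates).Count
            }
        }
    }
}

function Remove-VMKeyVaultReference {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$RGName
    )
    $vm = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName
    if (-not $vm.OSProfile.Secrets -or $vm.OSProfile.Secrets.Count -eq 0) {
        Write-Host "$VMName has no Key Vault reference; nothing to do"
        return
    }
    # Replace the Secrets collection with an empty one and write the model back to ARM.
    $vm.OSProfile.Secrets = New-Object -TypeName 'System.Collections.Generic.List[Microsoft.Azure.Management.Compute.Models.VaultSecretGroup]'
    Update-AzureRmVM -ResourceGroupName $RGName -VM $vm
}

# Report first, then detach the vault from the VM named in the post.
Get-VMsWithKeyVault | Format-Table -AutoSize
Remove-VMKeyVaultReference -VMName 'TestVM1' -RGName 'TestRG1'
```

After Update-AzureRmVM returns, re-run the report; the VM should no longer appear, and the cross-subscription move can be retried.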

Script syntax:

April 19, 2018

ReFS - High RAM usage

How to identify and fix high RAM usage on Windows Server 2016 due to ReFS?

As you can see from Task Manager, 5GB is allocated to the non-paged pool. This memory is used by the kernel and device drivers.

This can also be checked with the RamMap tool.

Use the poolmon.exe tool from the WDK to identify which components are using the most memory. Run "poolmon.exe -u -p" in an elevated command prompt.

Then use the findstr tool to find out which drivers own the MSb+, MSde and MStb pool tags. Simply run "findstr /m /l /s MSb+ *.sys" and replace the tag name for each search.

As you can see, 4.5GB is allocated by the ReFS component. This behavior is expected and is fixed by KB4013429. More details can be found here.

April 11, 2018

Azure - Find empty Resource Groups

How to identify empty Resource Groups in Microsoft Azure using PowerShell?

Login-AzureRmAccount
$AllRGs = (Get-AzureRmResourceGroup).ResourceGroupName
$RGsWithResources = (Get-AzureRMResource | Group-Object ResourceGroupName).Name
$AllRGs | Where-Object {$_ -notin $RGsWithResources}

Azure AD Connect - Change UPN

How to change User Principal Name attribute for synchronized user?

Set-MsolUserPrincipalName -UserPrincipalName "name@example.com" -NewUserPrincipalName "newname@example.com"

Note: the "User Account Administrator" role is enough to perform this action.

Alternatively, you can enable UPN synchronization via SynchronizeUpnForManagedUsers feature:

Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $True

After activating this feature, UPN changes made on-premises are synchronized to Office 365.