Export non-exportable private keys from Windows key store

When I was looking for a utility to export the non-exportable private keys in Windows, I found the mimikatz tool, which enabled me to do that and a lot more.

To export the private keys, run mimikatz as administrator and type:

crypto::certificates /export

And you’ll get the certificates exported, protected with the password “mimikatz”. You can also export the machine certificates with the /systemstore flag. See the wiki for more info.

This tool is detected as a threat by many antivirus products, so you’ll probably have to disable yours before using it.

Remove stored credentials in Windows

Today a user wasn’t able to log in from his Windows machine to a shared folder on Samba. He was told that his user name (from Active Directory) was not found, and the System log was recording Security-Kerberos event ID 14.

After some digging, I found this thread with the solution:

rundll32 keymgr.dll,KRShowKeyMgr

This opens the Stored User Names and Passwords window (the credential manager), where we can delete the problematic credentials. After doing this, the user logged in without problems.
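The same clean-up can be scripted with cmdkey, which manages the same credential store that the window above shows. This is an added example and not part of the original post; the server name is a placeholder, and the script only touches the credentials of the user running it.

```powershell
# Added example (not from the original post): find the stored credentials that refer to a
# given server with "cmdkey /list" and remove them with "cmdkey /delete", the scripted
# equivalent of deleting the entry in the Stored User Names and Passwords window.
function Remove-StoredCredential {
    param([Parameter(Mandatory)] [string] $Server)   # host name (or part of it) to look for

    # "cmdkey /list" prints one block per entry, e.g.
    #     Target: Domain:target=fileserver01
    #     Type: Domain Password
    #     User: EXAMPLE\jdoe
    $targets = cmdkey /list |
        Select-String -Pattern '^\s*Target:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
        Where-Object { $_ -like "*$Server*" }

    if (-not $targets) { return "No stored credentials match '$Server'" }

    foreach ($t in $targets) {
        # /delete wants the bare target name, without the "Domain:target=" /
        # "LegacyGeneric:target=" type prefix that /list shows.
        $name = $t -replace '^[^=]+=', ''
        cmdkey "/delete:$name" | Out-Null
        if ($LASTEXITCODE -eq 0) { "Removed stored credential for $name" }
        else { Write-Warning "cmdkey could not delete '$name' (exit code $LASTEXITCODE)" }
    }
}

Remove-StoredCredential -Server 'fileserver01'   # placeholder server name
```

Run it in the session of the affected user, since the credential store is per user; a stale entry for the same server with a different user name is the usual cause of the “user name not found” error described above.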

One-liner to get all the members of an AD group

This pipeline lists all the users of an Active Directory group recursively, so any nested group is expanded, and exports the result to a CSV file.

Get-ADGroupMember -Identity 'GroupName' -Recursive |
# nested groups may also contain computer accounts, which Get-ADUser cannot resolve
Where-Object { $_.objectClass -eq 'user' } |
# only fetch the attributes we export instead of '*'
Get-ADUser -Properties samAccountName, name, givenName, sn, mail, l |
Select-Object samAccountName, name, givenName, sn, mail, l |
Export-Csv -Encoding UTF8 -Delimiter ';' -NoTypeInformation -Path '.\users.csv'

Export Exchange recipients to Postfix server

When you have an Exchange server in your organization and you also use a Postfix server as gateway, you need the list of all valid recipients of your organization at the gateway. This way you can reject mail for invalid addresses at the gateway and, more importantly, when the sender address is forged you don’t spam innocent people with undeliverable-mail bounces (backscatter).

I use this script in Exchange 2003 to generate all addresses.

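The script itself is not reproduced on this page. As an added example, not the author's Exchange 2003 script, the following builds the Postfix recipient map from the proxyAddresses attribute in Active Directory, which Exchange keeps up to date for every mail-enabled object (mailboxes, contacts, groups). It assumes the ActiveDirectory PowerShell module; the accepted domains and the output path are placeholders.

```powershell
# Added example (not the original post's script): export every SMTP address that Exchange
# stores in Active Directory into a Postfix relay_recipient_maps file ("address OK").
# Assumes the ActiveDirectory module (RSAT); domains and output path are placeholders.
$AcceptedDomains = @('example.com', 'example.net')   # assumption: the domains the gateway accepts mail for
$OutFile = '.\relay_recipients'

# Only keep addresses in our own domains; forwarding or X.500 targets would otherwise leak in.
$domainRx = '@(' + (($AcceptedDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

$addresses = Get-ADObject -LDAPFilter '(proxyAddresses=smtp:*)' -Properties proxyAddresses |
    ForEach-Object { $_.proxyAddresses } |
    Where-Object { $_ -match '^smtp:' } |                  # primary (SMTP:) and secondary (smtp:) addresses
    ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() } |
    Where-Object { $_ -match $domainRx } |
    Sort-Object -Unique

# Postfix lookup-table format: one "key<TAB>value" per line. Write LF line endings and ASCII
# so postmap(1) on the gateway reads the file as-is.
$lines = $addresses | ForEach-Object { "$_`tOK" }
[IO.File]::WriteAllText((Join-Path (Get-Location).ProviderPath $OutFile),
                        (($lines -join "`n") + "`n"),
                        [Text.Encoding]::ASCII)
"Wrote $(@($addresses).Count) recipients to $OutFile"
```

On the Postfix side the file is compiled with `postmap /etc/postfix/relay_recipients` and referenced from main.cf as `relay_recipient_maps = hash:/etc/postfix/relay_recipients`; with that in place, mail for any address not in the list is rejected during the SMTP dialogue instead of being accepted and bounced later.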

How to test an OCSP server

The other day I installed an OCSP server on Windows 2012 R2 and needed to test it. I have found two different ways. On Windows, using the certutil tool:

# certutil.exe -url cert.pem

It opens a window where we can test all the revocation methods listed in the certificate. To test OCSP, select it under “recovery” and click the button.

[Screenshot: OCSP test with certutil]

On Linux we can test OCSP with OpenSSL; this line does the trick:

# openssl ocsp -issuer ca.pem -nonce -CAfile ca.pem -url http://ocsp.server/ocsp -cert mycert.pem

[Screenshot: OpenSSL OCSP test]
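Both commands above are interactive or one-off. For a check that can run unattended from a Windows client (for example from a monitoring job after deploying the responder), the .NET X509Chain class can build the chain with online revocation checking; Windows then queries the OCSP URL from the certificate's AIA extension and falls back to the CRL from the CDP only if OCSP fails. This is an added example, not part of the original post; the certificate path is a placeholder, and the CA must be trusted on the machine running it or the result will report UntrustedRoot instead of the revocation status.

```powershell
# Added example (not from the original post): non-interactive revocation check of a
# certificate file through X509Chain with online revocation checking. Windows uses the
# OCSP responder from the certificate's AIA extension first, so a working responder
# yields a clean chain; an unreachable one shows up as RevocationStatusUnknown /
# OfflineRevocation. The path is a placeholder.
function Test-CertRevocation {
    param(
        [Parameter(Mandatory)] [string] $Path,   # DER or PEM certificate file
        [switch] $EndCertificateOnly               # check only the leaf, not the CA certificates
    )
    $fullPath = (Resolve-Path $Path).ProviderPath
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $flag = if ($EndCertificateOnly) { 'EndCertificateOnly' } else { 'ExcludeRoot' }
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]$flag
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $valid = $chain.Build($cert)

    # ChainStatus is empty for a good chain; otherwise one entry per problem, e.g.
    # Revoked, RevocationStatusUnknown, OfflineRevocation, UntrustedRoot, NotTimeValid.
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Valid    = $valid
        Problems = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

Test-CertRevocation -Path '.\mycert.pem' -EndCertificateOnly
```

To see which URL was actually consulted, compare with the output of `certutil -url` above or watch the responder's IIS log while the check runs; a revoked test certificate should come back with `Valid = False` and `Revoked` in the Problems column, which is the case worth testing before trusting the responder in production.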

Enable automatic start of the Hyper-V hypervisor

On a Windows 2012 test machine I ran into the problem that I could not start virtual machines because the system said the hypervisor was not running. After checking that the virtualization extensions were enabled in the BIOS, I found out that a parameter has to be added to the Windows boot loader so that the hypervisor starts automatically.

To do this, we use the bcdedit.exe command as administrator. Running it without parameters shows the current configuration; to add the auto-start option:

C:\> bcdedit /set hypervisorlaunchtype auto
C:\> bcdedit

Windows Boot Manager
identifier {bootmgr}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {globalsettings}
bootshutdowndisabled Yes
default {current}
resumeobject {5a2c52cb-f798-11e1-abdd-fbb8cd46f761}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30

Windows Boot Loader
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows Server 2012
locale en-US
inherit {bootloadersettings}
recoverysequence {5a2c52cd-f798-11e1-abdd-fbb8cd46f761}
recoveryenabled Yes
allowedinmemorysettings 0x15000075
osdevice partition=C:
systemroot \Windows
resumeobject {5a2c52cb-f798-11e1-abdd-fbb8cd46f761}
nx OptOut
hypervisorlaunchtype Auto

Seen at: https://blogs.msdn.com/b/virtual_pc_guy/archive/2010/01/19/hyper-v-virtual-machines-do-not-start-after-using-startup-repair.aspx
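The two manual commands above can be wrapped so that the fix is only applied when needed and its effect is confirmed afterwards. This is an added example and not part of the original post; it parses the bcdedit output shown above and uses the Win32_ComputerSystem WMI class to verify that the hypervisor is actually running after the reboot.

```powershell
# Added example (not from the original post): read the hypervisorlaunchtype element of the
# current boot entry, set it to Auto only if it is not already, and confirm after a reboot.
# Run from an elevated PowerShell: bcdedit needs administrator rights even to read the store.
function Get-HypervisorLaunchType {
    # bcdedit prints a line such as "hypervisorlaunchtype    Auto" for the current entry;
    # when the element was never set the line is absent, which behaves like Off.
    $m = bcdedit /enum '{current}' |
        Select-String -Pattern '^hypervisorlaunchtype\s+(\S+)' |
        Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'Off' }
}

function Enable-HypervisorAutoStart {
    $before = Get-HypervisorLaunchType
    if ($before -ieq 'Auto') { return "hypervisorlaunchtype is already Auto; nothing to do" }

    bcdedit /set hypervisorlaunchtype auto | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /set failed (exit code $LASTEXITCODE); are you running as Administrator?"
    }
    "hypervisorlaunchtype changed from '$before' to 'Auto'. Reboot for the change to take effect."
}

Enable-HypervisorAutoStart

# After the reboot: $true means the hypervisor came up and virtual machines can start.
(Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
```

If HypervisorPresent is still $false after the reboot with the launch type at Auto, the cause is outside the boot configuration: virtualization extensions disabled in firmware, as the post checked first, or another hypervisor-based feature already holding the extensions.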

Script to grant dial-in access in Active Directory

I have found that it is not a trivial task to change the dial-in permission of an Active Directory user or computer, because you must update the userParameters attribute at the same time as msNPAllowDialin.

In KB252398, Microsoft says to download the Active Directory Service Interfaces (ADSI) package so you can register adsras.dll and use the ADSI interface it provides, but the download is no longer available.

I managed to write a script to allow dial-in: first I allowed one user to dial in manually, then I read that user's attribute values and applied them to the rest.

I save the userParameters of a user with dial-in allowed (goodUser) and of one without it (badUser) to files:

# Quest ActiveRoles cmdlets; goodUser has dial-in allowed, badUser does not
$goodUser = Get-QADUser -IncludeAllProperties -Identity goodUser
$badUser  = Get-QADUser -IncludeAllProperties -Identity badUser
$goodUserParams = $goodUser.userParameters
$badUserParams  = $badUser.userParameters
Export-Clixml -InputObject $goodUserParams -Path '.\goodUserParams.xml'
Export-Clixml -InputObject $badUserParams  -Path '.\badUserParams.xml'

Run the script to bulk-update all the users:

$goodUserParams = Import-Clixml -Path '.\goodUserParams.xml'
$badUserParams  = Import-Clixml -Path '.\badUserParams.xml'
$list = Get-QADUser -IncludeAllProperties -SizeLimit 0
$list | ForEach-Object {
    # Only touch accounts whose userParameters is empty or equals one of the two known
    # blobs; anything else (e.g. Terminal Services settings) is left alone so it is not overwritten.
    if (($_.userParameters -ne $goodUserParams) -and ($_.userParameters -ne $badUserParams) -and ($_.userParameters -ne $null)) {
        Write-Host "Skip user: " $_.samAccountName
    } else {
        $dirEntry = [ADSI]"LDAP://$($_.DN)"
        $dirEntry.InvokeSet('msNPAllowDialIn', $true)
        $dirEntry.InvokeSet('userParameters', $goodUserParams)
        $dirEntry.CommitChanges()   # both attributes are written in one update
        Write-Host "Dial-in allowed: " $_.samAccountName
    }
}

The same goes for the computers:

# GoodPC has dial-in allowed, BadPC does not
$goodPC = Get-QADComputer -IncludeAllProperties -Identity GoodPC
$badPC  = Get-QADComputer -IncludeAllProperties -Identity BadPC
$goodUserParams = $goodPC.userParameters
$badUserParams  = $badPC.userParameters
Export-Clixml -InputObject $goodUserParams -Path '.\goodPCUserParams.xml'
Export-Clixml -InputObject $badUserParams  -Path '.\badPCUserParams.xml'

And apply for all:

$goodUserParams = Import-Clixml -Path '.\goodPCUserParams.xml'
$badUserParams  = Import-Clixml -Path '.\badPCUserParams.xml'
$list = Get-QADComputer -IncludeAllProperties -SizeLimit 0
$list | ForEach-Object {
    # Same rule as for users: skip computers with an unknown userParameters blob
    if (($_.userParameters -ne $goodUserParams) -and ($_.userParameters -ne $badUserParams) -and ($_.userParameters -ne $null)) {
        Write-Host "Skip computer: " $_.samAccountName
    } else {
        $dirEntry = [ADSI]"LDAP://$($_.DN)"
        $dirEntry.InvokeSet('msNPAllowDialIn', $true)
        $dirEntry.InvokeSet('userParameters', $goodUserParams)
        $dirEntry.CommitChanges()   # both attributes are written in one update
        Write-Host "Dial-in allowed: " $_.samAccountName
    }
}