Monday, 29 October 2018

ports required between client and domain controller

Between client and domain controller (the connection is always initiated from the client side):
  • Kerberos - 88 TCP/UDP
  • RPC mapper - 135 TCP
  • NetBIOS - nothing - it has not been required since 2000!
  • SMB/NetBT - 445 TCP/UDP
  • Kerberos Password Change - 464 TCP/UDP
  • LDAP - 389 TCP/UDP
  • LDAP SSL - 636 TCP
  • LDAP GC - 3268 TCP
  • LDAP SSL GC - 3269 TCP
  • DNS - 53 TCP/UDP
  • RPC ports - 49152-65535 since Vista/2008, for older clients (legacy? I hate this word) 1025-5000
  • (optional) DHCP - 67 DHCP
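
To check a firewall rule set against this list from a client, the TCP ports can be probed with a short PowerShell function. This is an added example, not part of the original post; the function name and the host name dc01.example.test are placeholders, and UDP and the dynamic RPC range are not probed.

```powershell
# Added example: TCP ports taken from the list above.
$DcPorts = [ordered]@{
    'Kerberos'                 = 88
    'RPC mapper'               = 135
    'SMB'                      = 445
    'Kerberos Password Change' = 464
    'LDAP'                     = 389
    'LDAP SSL'                 = 636
    'LDAP GC'                  = 3268
    'LDAP SSL GC'              = 3269
    'DNS'                      = 53
}

function Test-DcTcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$TimeoutMs = 2000
    )
    foreach ($name in $DcPorts.Keys) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # ConnectAsync + Wait gives a bounded timeout; a refused or
            # filtered port either throws or times out, both count as closed.
            $task = $client.ConnectAsync($ComputerName, $DcPorts[$name])
            $open = $task.Wait($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Service = $name; Port = $DcPorts[$name]; Open = $open }
    }
}

# Placeholder host name: replace with a domain controller you administer.
Test-DcTcpPort -ComputerName 'dc01.example.test' | Format-Table -AutoSize
```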

how to dump file to hex format?

Yes, I tried to find the easiest way to do it, and yes, it is very, very easy :). Use PowerShell.
format-hex .\some-file-to-dump.txt
format-hex .\another.file.this.time.exe
format-hex .\just-transfer-output.to.default-stream.txt > some.new.file.txt

Saturday, 27 October 2018

KMS host Office 2010 not found - is missing?

I had a strange case - once upon a time my KMS host stopped processing requests from clients or, reading the messages strictly, clients couldn't find the KMS host.
Installed product key detected - attempting to activate the following product:
SKU ID: 9da2a678-fb6b-....-....-........819a
LICENSE NAME: Office 14, OfficeStandard-KMS_Client edition
LICENSE DESCRIPTION: Office 14, VOLUME_KMSCLIENT channel
Last 5 characters of installed product key: 8R6BM
ERROR CODE: 0xC004F074
ERROR DESCRIPTION: The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.
At first I thought that it was connected with the second _vlmcs._tcp.current.domain record - I have two records - one for Windows 2008R2 with activation keys for Windows 7/10, Office 2010 (14), Office 2013 (15) and Office 2016 (16), and the second KMS on Windows 2016 with activation for Windows 2016 servers. I can't discover KMS by Active Directory - I haven't extended the schema to Windows 2012R2 so I'm tied to DNS discovery. So I removed the DNS record pointing to the KMS on Windows 2016 but without result.
Using slmgr.vbs /dli all I received confirmation that I've got the Office 2010 key, but clients are looking for activation for Office 14 which, actually, isn't activated on the KMS host. I didn't think about reregistration of the KMS for Office 2010 because it was working a few days ago and the Office 2010 key was still activated.
I made a call to Microsoft and registered a case, with the result that I had to do a reactivation/reregistration of the Office 2010 KMS Host. I did it and now it is working.

Friday, 26 October 2018

proxy autoconfiguration - wpad.dat or proxy.pac

Pros and cons of both ways of autoconfiguration


wpad.dat
  • a mobile user's browser can be redirected by hijackers to their own proxy - for example, a laptop in a hotel/airport
  • can be announced by DHCP (option 252) or DNS; DHCP is the protocol of first choice for Internet Explorer/Edge but not for Firefox/Chrome
  • it is almost the same file as proxy.pac but with a different name; some old IE versions looked for wpad.da (yes, without the letter t at the end)
  • wpad.dat can be cached (proxy.pac also) - so if you have mobile users and you want to force them to use your proxy rather than the proxy in a hotel/airport, or to allow them to work without any proxy, you should create some kind of service that refreshes the default browser's settings and try to delete the cached wpad.dat
  • must be served from web server
proxy.pac
  • can be served locally - protection against hijackers?

How to disable proxy autoconfiguration file caching


by registry


HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Value: EnableAutoproxyResultCache
Type: REG_DWORD
Data value: 0 = disable caching; 1 (or key not present) = enable automatic proxy caching (this is the default behavior)
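
The registry setting above, written and read back with PowerShell. This is an added example, not part of the original post; the function names are hypothetical, and the AutoConfigURL value read from the user's Internet Settings key is included only to show which script URL is currently configured.

```powershell
# Added example; run as the user whose settings are being checked (HKCU).
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName = 'EnableAutoproxyResultCache'

function Get-AutoProxyState {
    # A missing key or value means caching is enabled (the default).
    $policy = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $user   = Get-ItemProperty -Path $UserKey -Name 'AutoConfigURL' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CacheDisabled = ($null -ne $policy) -and ($policy.$ValueName -eq 0)
        AutoConfigURL = if ($user) { $user.AutoConfigURL } else { $null }
    }
}

function Disable-AutoProxyResultCache {
    # Create the policy key if it does not exist, then set the DWORD to 0.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Get-AutoProxyState
}

# Read-only check; call Disable-AutoProxyResultCache to change the setting.
Get-AutoProxyState
```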

by gpo


In Group Policy Object Editor, double-click User Configuration\Administrative Templates\Windows Components\Internet Explorer.
Double-click Disable caching of Auto-Proxy scripts.

Friday, 19 October 2018

no communication - arp cache and netsh

Very strange - according to my new knowledge from the Internet, the arp cache can be configured in two ways:
- arp command
- netsh interface ipv4 ... neighbors

I found a problem with the arp cache - and it was new to me - that netsh interface ipv4 creates static values that remain after a restart and can't be removed by the arp command, for example:
netsh interface ipv4 show neighbors

Interface 3: Ethernet

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
224.0.0.22                                    01-00-5e-00-00-16  Permanent

Interface 1: Loopback Pseudo-Interface 1


Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
224.0.0.22                                                       Permanent
239.255.255.250                                                  Permanent

Interface 6: Network connection Bluetooth


Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
224.0.0.22                                    01-00-5e-00-00-16  Permanent

Interface 7: LAN connection* 3


Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
224.0.0.22                                    01-00-5e-00-00-16  Permanent

Interface 22: vEthernet (xxxx)


Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
192.168.137.1                                 48-50-73-02-8f-22  Reachable
192.168.137.255                               ff-ff-ff-ff-ff-ff  Permanent
224.0.0.22                                    01-00-5e-00-00-16  Permanent
224.0.0.252                                   01-00-5e-00-00-fc  Permanent
239.255.255.250                               01-00-5e-7f-ff-fa  Permanent
255.255.255.255                               ff-ff-ff-ff-ff-ff  Permanent
The multicast and broadcast addresses are created by the operating system by default.

The same table from arp -a command:
arp -a

Interface: 192.168.137.177 --- 0x16
  Internet Address      Physical Address      Type
  192.168.137.1         48-50-73-02-8f-22     dynamic
  192.168.137.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
If I create a new entry with netsh:

netsh interface ipv4 add neighbors 22 "192.168.137.219" "12-34-56-78-9a-bc"

Interface 22: vEthernet (xxxx)


Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
192.168.137.1                                 48-50-73-02-8f-22  Reachable
192.168.137.219                               12-34-56-78-9a-bc  Permanent
192.168.137.255                               ff-ff-ff-ff-ff-ff  Permanent
224.0.0.22                                    01-00-5e-00-00-16  Permanent
224.0.0.252                                   01-00-5e-00-00-fc  Permanent
239.255.255.250                               01-00-5e-7f-ff-fa  Permanent
255.255.255.255                               ff-ff-ff-ff-ff-ff  Permanent

from arp -a:
Interface: 192.168.137.177 --- 0x16
  Internet Address      Physical Address      Type
  192.168.137.1         48-50-73-02-8f-22     dynamic
  192.168.137.219       12-34-56-78-9a-bc     static
  192.168.137.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

It looks the same, but if I remove it with the arp command it will return after a restart - I must remove it with the netsh command. What is very dangerous is that I can remove all static entries with a single stupid command:
netsh interface ipv4 delete neighbors
without any warning, just like throwing it into a black hole or null (*nix).
For Windows 2008/Vista, managing the arp cache with netsh was dangerous - without a fix it wasn't possible to remove this static entry.
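
Because such entries survive a restart and look like any other static entry in arp -a, it helps to list only the Permanent unicast entries, leaving out the multicast and broadcast ones the operating system creates. This is an added example, not part of the original post; the function name is hypothetical, the sample is the vEthernet table shown above, and English netsh output is assumed.

```powershell
function Get-PermanentUnicastNeighbor {
    # With no argument the live neighbor table is parsed.
    param([string[]]$NetshOutput = (netsh interface ipv4 show neighbors))
    $ifIndex = $null; $ifName = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^Interface\s+(\d+):\s*(.+)$') {
            $ifIndex = [int]$Matches[1]; $ifName = $Matches[2].Trim()
            continue
        }
        if ($line -match '^(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+Permanent\s*$') {
            $ip = $Matches[1]; $mac = $Matches[2]
            $first = [int]($ip.Split('.')[0])
            $isMulticast = ($first -ge 224) -and ($first -le 239)
            $isBroadcast = $mac -eq 'ff-ff-ff-ff-ff-ff'
            if (-not ($isMulticast -or $isBroadcast)) {
                [pscustomobject]@{
                    InterfaceIndex = $ifIndex; Interface = $ifName
                    Address = $ip; Mac = $mac
                }
            }
        }
    }
}

# Sample input: the table from the post after the "add neighbors" command.
$sample = @'
Interface 22: vEthernet (xxxx)

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
192.168.137.1                                 48-50-73-02-8f-22  Reachable
192.168.137.219                               12-34-56-78-9a-bc  Permanent
192.168.137.255                               ff-ff-ff-ff-ff-ff  Permanent
224.0.0.22                                    01-00-5e-00-00-16  Permanent
255.255.255.255                               ff-ff-ff-ff-ff-ff  Permanent
'@ -split "\r?\n"

Get-PermanentUnicastNeighbor -NetshOutput $sample | Format-Table -AutoSize

# Targeted removal of one entry instead of the blanket delete:
#   netsh interface ipv4 delete neighbors 22 "192.168.137.219"
```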