Secure RDP – Using SSH Tunneling With Built-In Windows Features

So…

Who knew? I didn’t. This is the screen for Settings -> Apps and Features -> Optional Features for both Windows Server 2019 as well as Windows 10. This was a very pleasant surprise. With that, I am always looking for a way to connect to my home lab that is:

  1. Secure
  2. Minimizes the required HW/resource footprint

I was previously using Remote Desktop Services along with Azure App Proxy (here) to publish access securely, however, this meant that I had to have the RDS and AAD App Proxy footprints in my lab. I only have 48GB of RAM in my lab and I run out all the time – running AD along with a few additional services for demo purposes can really put the squeeze on quick. Stumbling across OpenSSH built right in seems like it might be the solution for which I have been looking. With that being said, the documentation….has room for improvement. I did finally find the answers I was looking for and was able to leverage SSH tunneling in order to RDP into my lab. I love this!

** Requires Windows 10 or Server 2019

I am going to save you some time and steer you away from the official docs. The documentation you need to get started is in an answer on Stack Overflow here:

https://stackoverflow.com/questions/16212816/setting-up-openssh-for-windows-using-public-key-authentication and was provided by this person: https://stackoverflow.com/users/31782/n0rd

High level, here are the condensed steps from his answer:

On the server:

  1. PS> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 or through the UI (pictured above)
  2. Start the services
    1. PS> Start-Service ssh-agent
    2. PS> Start-Service sshd

On the client:

  1. Mkdir .ssh in the C:\Users\<Username>\ directory. This is where the keys are going to land. For demo purposes, I am going to use administrator so the path would be C:\Users\Administrator\.ssh
  2. CD to that directory using CMD or PS
  3. Run ssh-keygen
    1. Give a password or not for the key file. I chose to do so for the sake of security
  4. In the window, run ssh-add .\id_rsa (assuming this is the private key that was generated). You will get prompted for the password – go ahead and enter it. This makes the key securely available without prompted for a password every time you use it to connect from this machine

The client is now configured.

Back to the server:

  1. Log into the server as the user you are wishing to connect as – for demo purposes this is the administrator account
  2. Mkdir C:\Users\<Username>\.ssh – in this case, C:\Users\Administrator\.ssh
  3. Copy and paste the contents of the .pub file from the client into a file named authorized_keys here in this directory on the server
  4. Right Mouse Click on autorized_keys and go to properties
  5. Properties -> Security -> Advanced -> Disable Inheritance
  6. There should be exactly 2 perms assigned to this file (probably has 3 right now).

    Get rid of the extra. You should have SYSTEM and your user account – in this case Administrator. Get rid of any other entries such as Administrators (group) here.

  7. Apply, Ok, Close, or whatevs to save the changes
  8. Open C:\ProgramData\ssh\sshd_config with notepad or your text editor of choice
  9. Comment out the bottom 2 lines

    NOTE: Put a # at the beginning of each line to comment it out

  10. Find this line and make sure it is not commented out:

    PubkeyAuthentication yes

  11. Save and close

At this point, you can SSH in with the key file. Sweet! For my lab, in order to further secure it, I want to make it such that you HAVE to use the keyfile in order to connect.

  1. Reopen sshd_config with notepad
  2. Find this line, uncomment it and set it to no:

    PasswordAuthentication no

  3. Save and close
  4. PS> Restart-Service sshd
    • This may or may not be necessary

Now, you HAVE to use the private key (which exists only on your machine) to SSH to the server. Sweet!

The next step depends on your environment and which port you want to use. For me, I grabbed a random high value port on my router and port fowarded it to 22 on my server. For demo purposes, I used 47474 (which I later changed). Now, on my machine I can either SSH to the Windows Server (which throws a CMD shell by default) or I can fire up tunneling to RDP into any machine in my lab.

Just doing a straight SSH:

Now, to do RDP instead we just need to fire up the tunnel with a slightly different command

Note the -f and the -N along with the 12345:HV01:3389. MyPublicIp is the public IP I currently have for my lab ommitted for security:

-f = for into the background
-N = do not execute a remote command
12345 = the local port to which we are going to RDP
HV01 = the server name to which we want to RDP in the lab
3389 = the port to which we are going to RDP

When you run this command, a listener (:12345) is established on the local machine which is routed through the secure tunnel (:47474 -> :22) to :3389 on HV01

RDPing to my localhost on port 12345 – MSTSC prompts me for creds. I provide valid creds for the HV01 machine in my lab and:

Boom. We now have a secure tunnel that can only be accessed with the private key on my local machine which then allows me to RDP into my lab.

Hack Job, Security, Uncategorized

MCAS Lab – Auto Updating Discovery Data with Sample Data

Maybe you have a need to demo Microsoft Cloud App Security to your customers. Maybe you have a need for a lab that has constantly updated discovery data. Maybe creating a snapshot report every 30 days is good enough…maybe not. For me, I want the Discovery Dashboard to be populated with fresh data for demo purposes and the logs from my home router just don’t cut it as GBs of traffic to NetFlix, and Hulu and a taste of Twitter just don’t make for that compelling of a demo. I wanted a way to auto-update the global logs on a recurring basis in a “set it and forget it” manner.

  1. Deploy the log collector (Ubuntu FTW)
  2. Grab the Code and Config
  3. Create the Scheduled Task
  4. Forget it

#1 Deploy the log collector

https://docs.microsoft.com/en-us/cloud-app-security/discovery-docker-ubuntu

Critical Pieces of information:

  1. Machine Name – UBTLOG01
  2. Machine IP – 192.168.50.163 (this isn’t my real IP but I’ll keep it consistent for the purpose of the doc)
  3. Log Collector Data Source – name I gave the data source in the MCAS portal
  4. Log Collector Data Source Type – Palo Alto – PA Series FW
  5. Data Source Type – FTP

MCAS Portal – Log Collectors

Now that the log collector is deployed, we can move on to the code and the scheduled task

#2 Code and Config

Download from GitHub here
Download the code and drop it into the folder in which you want the script to run from and work.

I like using the CredentialManager module to register to register and hide credentials on my PowerShell automation machines.

PowerShell Gallery: Credential Manager 2.0

On line 44 of the PS1 code it has the path to the .env file (really just JSON) that contains all of the environmental variables necessary to run the script. Here’s the format of the .env file:

{
    “LogCollectorVMName”: “UBTLOG01”,
    “LogCollectorHVHost”: “DC03”,
    “LogCollectorIP”: “192.168.50.163”,
    “LogCollectorDSName”: “PaloFW-TSTLab”,
    “CredManTarget”: “MCAS”,
    “LogfilePath”: “E:/Jobs/MCASLogCollectorUpload”
}
LogCollectorVMName – Name of the Ubuntu machine
LogCollectorHVHost – I am using HyperV to host the log collector machine
LogCollectorIP – IP Address (LAN) for the Ubuntu machine
LogCollectorDSName – Data Source name assigned during the creating in MCAS
CredManTarget – name target used to retrieve the FTP credentials for pushing the log files
LogfilePath – path to really all of the artifacts – since this is a json file, use / instead of \ for the path
  1. Install Credential Manager on your worker machine
  2. Register the ftp credentials in a target named MCAS (match your .env file)
  3. Drop the script and the .env file in the LogFilePath you assigned earlier – I am using a path of E:\Jobs\MCASLogCollectorUpload

#3 Scheduled Task

Import the provided schedule task and tweak to your environment

  1. Fix the user

  2. Tweak the trigger (if wanted)

  3. Set the paths for the Action

    Program Path: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

    Arguments: full path to the .PS1 file – E:\Jobs\MCASLogCollectorUpload\MCAS_Upload-Log.ps1

    Start in – path to all the files – E:\Jobs\MCASLogCollectorUpload

#4 Forget it

At this point, run the scheduled task to ensure it is working. The PS1 script will even turn the VM on and off on-demand so that you can conserve the VM resources rather than having the Ubuntu machine running 24×7. If you are fast enough, you can FTP to the log collector yourself and see the file land – cd into the folder with the name of the Log Collector Data Source:

Once the file is uploaded, it will disappear from this folder on the FTP server. At that point, check in the governance log within MCAS and you should see this:

Now, your MCAS demo environment will stay fresh with recurring sample data.

Automation, Hack Job, MCAS, PowerShell, Security

Kali Linux, Hyper-V, PowerShell and VS Code

I am in the process of working towards my OSCP certification. As such, I needed a way to run a Kali Linux machine leveraging the OffSec provided VM images on my Win10 box and I needed tools that I am comfortable with that allow me to script easily and on demand. Since I am pretty deep in PowerShell, getting PWSH (how we launch PS on Linux) and Visual Studio Code up and running seemed logical. The instructions for installing PWSH on most blog posts aren’t quite complete or are out of date. I am documenting the version of everything I am using here to make it work.

Environment

  • Windows 10 Professional 1809
  • Kali Linux VMWare version 2019.2
  • PowerShell 6.2
  • Visual Studio Code
  • Git

Step 1. Download the VM

Step 2. Convert the VM into a Hyper-V Image

Step 3. Import the VM into Hyper-V

Step 4. Update and Upgrade

Step 5. Install PWSH

Step 6. Install VS Code

Step 7. Install Git

Step 1. Download the VM

## Update – OffSec now offers HyperV images directly so you can skip conversion

Download page here: https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/

Q. Should you download 32 or 64-bit?

A. If you are going to run PWSH you need the 64-bit version as .Net Core is only supported on 64-bit Debian machines.

https://docs.microsoft.com/en-us/dotnet/core/linux-prerequisites?tabs=netcore2x#supported-linux-versions

Since I am going to land on Hyper-V, I downloaded the VMWare image.

Step 2. Convert the VM into a Hyper-V Image

There are a lot of blog posts on doing this. I followed the steps here: https://blogs.msdn.microsoft.com/timomta/2015/06/11/how-to-convert-a-vmware-vmdk-to-hyper-v-vhd/

Step 3. Import the VM into Hyper-V

  • Select Location
  • Gen 1 VM (Image does not work with Gen 2)
  • 4096 MB of RAM
  • Connected to the Internet
  • Using the converted VMWare image
  • 4 cores

Boot it up

Step 4. Update and Upgrade

NOTE: Out of the box username and password are root and toor respectively. Recommend you change this ASAP.

  • Login
  • Open a terminal (left hand side)
  • sudo apt-get update && sudo apt-get upgrade
    • It might throw a warning or error here that a different process has a lock on some necessary files. If that is the case, wait a sec and rerun the prior command
  • Be patient
  • Follow the onscreen prompts – generally accept
    • Should non-super users be able to capture packets – yes
  • Reboot

     

Step 5. Install PWSH

 

From here, I followed the Microsoft steps in order to install PowerShell on Kali:

https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-linux?view=powershell-6#kali

 

# Download & Install prerequisites

wget http://ftp.us.debian.org/debian/pool/main/i/icu/libicu57_57.1-6+deb9u2_amd64.deb

dpkg -i libicu57_57.1-6+deb9u2_amd64.deb

apt-get update && apt-get install -y curl gnupg apt-transport-https

 

# Add Microsoft public repository key to APT

curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add –

 

# Add Microsoft package repository to the source list

echo “deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-debian-stretch-prod stretch main” | tee /etc/apt/sources.list.d/powershell.list

 

# Install PowerShell package

apt-get update && apt-get install -y powershell

 

# Start PowerShell

pwsh

 

Rather than putting stretch main into powershell.list, I put it into microsoft.list instead.

PowerShell is installed!

Step 6. Install Visual Studio Code

https://code.visualstudio.com/docs/setup/linux#_debian-and-ubuntu-based-distributions

I downloaded the .deb file from here:

https://go.microsoft.com/fwlink/?LinkID=760868

And then changed to the download directory and ran the install command:

sudo apt install ./code_1.35.1-1560350270_amd64.deb

Once VS Code finishes installing, pop open the editor and then go to Extensions and add the PowerShell extension

You are now ready to PWSH on Kali!

Step 7. Install Git

    sudo apt-get install git

Ready to rock. We now have OffSec’s Kali Linux running in Win10 Hyper-V with PowerShell, Visual Studio Code and Git installed.

Automation, OffSec, OSCP, PowerShell, Security

ARM – Get Publishers, Offers and SKUs

Just a quick PowerShell script to get all of the Publishers, Offers and SKUs for the various VM images that are available for deployment through ARM.  These are the parameters that are necessary in order to deploy a VM using the Microsoft.Computer/VirtualMachines provider.

This is as of 2/4/2016 with Azure PowerShell December 2015 installed.

$Location = “WestUS” #Each locale might be different. Choose the location where you intend to deploy

$lstPublishers = Get-AzureRMVMImagePublisher -Location $Location

ForEach ($pub in $lstPublishers) {
#Get the offers
$lstOffers = Get-AzureRMVMImageOffer -Location $Location -PublisherName $pub.PublisherName

ForEach ($off in $lstOffers) {
$lstSkus = Get-AzureRMVMImageSku -Location $Location -PublisherName $pub.PublisherName -Offer $off.Offer

ForEach ($sku in $lstSkus) {
“” + $sku.Skus + “,” + $sku.Offer + “,” + $sku.PublisherName | out-file “.\myVMSkus.csv” -encoding ascii -append
}
}
}

The script is very slow, but I have found it difficult to find a resource that simply lists this information.  The information may be out there, but this script gives me a way within minutes to have a completely updated list I can use for my PowerShell scripts and ARM templates.

ARM, Azure, Infrastructure as Code

ARM – Recreating VM Off Existing VHDs

Note – This blog pertains to the November 2015 release of Azure PowerShell

At some point, I apparently told Azure Resource Manager to delete the VM that runs SQL for my SCOM environment running in Azure.  While I completely disagree with the portal’s interpretation of my button clicks, my VM is missing and I need it back.  Thankfully, when you delete a VM through the portal (accidentally or otherwise…or not at all and it just magically disappears), the disks are left behind in the storage account.  In this case, this is a good thing.  At least I can recover.

The documentation around the new AzureRM cmdlets still has a gap or nine, so I wasn’t able to easily dig up a script that created a VM off an existing OS disk and attach all of the data disks as well.  Using PS help and assuming the process was still somewhat like what we had to do under the older cmdlets, I put together the following script:

$om03 = New-AzureRmVMConfig -VMName om03 -VMSize Standard_D2
$om03 | Set-AzureRmVMOSDisk `
-VhdUri
https://labtstazom0sa.blob.core.windows.net/vhds/om03osdisk.vhd `
-Name om03osdisk -CreateOption attach -Windows -Caching ReadWrite

$StorageAccountURI = “https://labtstazom0sa.blob.core.windows.net/vhds/”
$numdisks = 4

For($i=0;$i -lt $numDisks;$i++){
$OM03 | Add-AzureRMVMDataDisk -Name (“datadisk” + $i) `
-VhdUri ($StorageAccountURI + “OM03datadisk” + $i + “.vhd”) `
-LUN $i -Caching ReadWrite `
-CreateOption Attach -DiskSizeInGB 20
}

New-AzureRMVM -ResourceGroupName LabTSTAZRGOM `
-Location “West US” -VM $om03 -Verbose

I needed to make sure the data disk naming and URIs matched, I was provisioning to the right region, resource group, etc.  Executing the script resulted in the following:

image

I forgot to attach the network adapter.  Thankfully, the delete executed by the ARM gremlins left the interface so it should be as simple as doing a reattach and then I should be good to go.  Herein lies a pretty significant issue.  It would seem with this release of Azure PowerShell, the cmdlet Add-AzureRmVMNetworkInterface has been removed.  With that, I was not able to easily figure out how to attach an existing network interface to a new VM config through PowerShell using the AzureRM cmdlets.  You can do this with a template, but I want to just bang this out and get it done.  This leaves me with 2 options:

  1. Destroy the existing NIC and create a new one, or
  2. Do something somewhat hacky by stealing the network profile from one of the other VMs, modify it and then attach that network profile to my OM03 config.

I am guessing there is probably an additional route invoking .NET methods to create a net new profile and then assign the NIC but I will leave that research until later.  The first option would be straight forward, however, it might leave me with some cleanup in the lab afterwards (DNS, IPs, etc.).  Rather than messing with that, I decide to try the second option and steal the profile from OM01 VM and modify:

$nic = Get-AzureRmNetworkInterface -Name om03nic -ResourceGroupName LabTSTAZRGOM
$netprof = (Get-AzureRMVM -VMName OM01 -ResourceGroupName LabTSTAZRGOM).NetworkProfile
$netprof.NetworkInterfaces[0].ReferenceUri = $nic.id

$om03.NetworkProfile = $netprof

I get the existing OM03NIC, get the network profile from OM01 and then stuff the ID for the existing NIC into the profile.  Once I have this, I assign the network profile to the new VM Config.  This process actually successfully navigates the getters and setters.  After running this, I re-run the New-AzureRMVM cmdlet and I get a success:

image

Now, if it really worked, SQL would be running and I will be able to launch SCOM.  Logging and popping open the console:

image

Success!

ARM, Azure, Hack Job