“The requested certificate template is not supported by this CA” 0x80094800 denied by policy module

May 25, 2017

1) Verify the permissions on the template:

Local: Certification Authority snap-in > [CA name] > right-click Certificate Templates > Manage > find the template > right-click > Properties > Security tab > verify that Authenticated Users has Read.
Domain stored: adsiedit.msc > Configuration naming context > CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=corp > find the template > right-click > Properties > Security tab > verify that Authenticated Users has Read. Both paths edit the same object in the Configuration partition; the ADSI Edit route is the check that the change actually landed on the DC the CA is talking to.

2) The same error also appears when the CA itself only has an outdated CRL to work with:

Certification Authority snap-in > [CA name] > right-click Revoked Certificates > All Tasks > Publish > verify that a new CRL has been written to C:\Windows\System32\CertSrv\CertEnroll.

Then submit another certificate signing request.
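The same two checks scripted from an elevated PowerShell on the CA. This is an added example and not part of the original post; it assumes RSAT's ActiveDirectory module (for the AD: drive), a template whose template name is WebServer (the CN in AD is the template name, not the display name), and that certutil -dump prints a NextUpdate line for a CRL, which the regex below relies on.

```powershell
# Added example, not from the original post. Requires RSAT's ActiveDirectory
# module for the AD: drive and an elevated prompt on the CA.
Import-Module ActiveDirectory

function Test-TemplateReadAcl {
    # True if Authenticated Users holds an Allow ACE granting read on the
    # template object. $TemplateName is the template's CN (template name,
    # e.g. WebServer), not the display name shown in the snap-in.
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"

    $readAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'GenericRead|ReadProperty')
    }
    [bool]$readAce
}

function Get-CaCrlStatus {
    # Reports each CRL in CertEnroll with its NextUpdate and whether that
    # time has already passed. certutil prints localized dates, so parse
    # with the current culture rather than PowerShell's invariant cast.
    param([string]$CertEnroll = "$env:SystemRoot\System32\CertSrv\CertEnroll")

    foreach ($crl in Get-ChildItem -Path $CertEnroll -Filter *.crl) {
        $dump = certutil -dump $crl.FullName
        $line = $dump | Select-String -Pattern 'Next\s?Update:\s*(.+)$' | Select-Object -First 1
        if (-not $line) { continue }   # assumption: certutil -dump shows NextUpdate
        $next = [datetime]::Parse($line.Matches[0].Groups[1].Value.Trim(), [cultureinfo]::CurrentCulture)
        [pscustomobject]@{
            File       = $crl.Name
            NextUpdate = $next
            Expired    = ($next -lt (Get-Date))
        }
    }
}

# 1) Template permissions (example template name).
Test-TemplateReadAcl -TemplateName 'WebServer'

# 2) CRL freshness. If anything reports Expired = True, publish a new CRL
#    (same as Revoked Certificates > All Tasks > Publish) and re-check.
Get-CaCrlStatus
certutil -CRL
Get-CaCrlStatus

# Retry the enrollment against the same template (file names are placeholders):
# certreq -submit -attrib "CertificateTemplate:WebServer" .\request.req .\cert.cer
```

If Test-TemplateReadAcl returns True and no CRL is expired but the request is still rejected, check the template's Enroll permission for the requesting account next; Read alone only makes the template visible.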


For those of you still running AIM… like us

March 24, 2017

Disable shiny OSX like animated cursor movement in Office 2016

March 24, 2017

Excel sheet navigation got you thinking “did I buy a damn Mac?”

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Graphics (create the Graphics key if it does not exist)

Name: DisableAnimations
Type: REG_DWORD
Data: 1 (hexadecimal)

Understanding docker

March 16, 2017

Powershell script to remotely check Cisco WebEx versions (CVE-2017-3823 remediation/resolution/fix)

January 26, 2017

Pardon the stupid title of the post for SEO.

Regarding this week's water-cooler exploit, CVE-2017-3823, I have essentially ported a Tripwire definition to produce a report of Cisco WebEx versions across a bunch of PCs fairly efficiently.

It uses the admin share rather than PowerShell Remoting, but the logic should be easy to change.

Please take a look at the GitHub gist.
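A version check of the same shape, reading the Chrome extension's manifest from each user profile over the admin share. This is an added example and not the gist the post refers to; the extension ID and the fixed version 1.0.7 are assumptions to confirm against Cisco's advisory for CVE-2017-3823, and only Chrome's Default profile is inspected.

```powershell
# Added example, not the author's gist. Reports the Cisco WebEx Chrome
# extension version per user profile on each PC via the C$ admin share.
# Assumptions (verify against Cisco's CVE-2017-3823 advisory): the extension
# ID below and 1.0.7 as the first fixed release. Other browsers and non-default
# Chrome profiles are not covered.
$WebExExtensionId = 'jlhmfgmfgeifomenelglieieghnjghma'
$FixedVersion     = [version]'1.0.7'

function Get-WebExExtensionVersion {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($pc in $ComputerName) {
        $users = "\\$pc\c`$\Users"
        if (-not (Test-Path -Path $users)) {
            [pscustomobject]@{ Computer = $pc; User = $null; Version = $null; Status = 'unreachable' }
            continue
        }

        $found = $false
        foreach ($userDir in Get-ChildItem -Path $users -Directory -ErrorAction SilentlyContinue) {
            $extRoot = Join-Path $userDir.FullName "AppData\Local\Google\Chrome\User Data\Default\Extensions\$WebExExtensionId"
            if (-not (Test-Path -Path $extRoot)) { continue }

            # Chrome keeps one versioned folder per installed build, e.g. 1.0.7_0\manifest.json
            foreach ($manifest in Get-ChildItem -Path $extRoot -Recurse -Filter manifest.json -ErrorAction SilentlyContinue) {
                $ver   = [version](Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json).version
                $found = $true
                [pscustomobject]@{
                    Computer = $pc
                    User     = $userDir.Name
                    Version  = $ver
                    Status   = $(if ($ver -lt $FixedVersion) { 'VULNERABLE' } else { 'patched' })
                }
            }
        }

        if (-not $found) {
            [pscustomobject]@{ Computer = $pc; User = $null; Version = $null; Status = 'not installed' }
        }
    }
}

# Usage: one hostname per line in hosts.txt (placeholder file), CSV out for the ticket.
# Get-WebExExtensionVersion -ComputerName (Get-Content .\hosts.txt) |
#     Export-Csv -Path .\webex-versions.csv -NoTypeInformation
```

Comparing with [version] rather than as strings matters here: '1.0.10' sorts after '1.0.7' as a version but before it as text, which is exactly the kind of mistake that marks a patched host vulnerable or, worse, the reverse.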

pfSense kernel panic, run `fsck /` like five times

January 23, 2017

I was installing a Sense unit into my breaker panel and was repeatedly cutting the main power (yes, I probably should have unplugged sensitive equipment). It turned out that the file system on my new SG-2220 pfSense appliance from Netgate was not a huge fan of that, and the system would kernel panic on boot.

I grabbed a USB cable with a mini-B plug and used PuTTY at 115200 baud, 8-N-1, as directed in the user manual, then performed the following steps to back up the config (which includes the certificates and their private keys!) and then repair the file system:

#https://www.netgate.com/docs/sg-2220/connect-to-console.html
#At pfSense boot time, choose single-user mode from the boot menu.
#Root is mounted read-only at this point, which is what fsck needs.

#Plug in a FAT-formatted USB stick. The device node varies (it was
#/dev/ad6s1 on this unit; check `dmesg | tail` or `ls /dev/da*` if not).
#https://forums.freebsd.org/threads/4501/
mount -t msdosfs -o large /dev/ad6s1 /mnt

#Back up the config directory. config.xml holds the certificates and
#their private keys, so keep the stick somewhere safe afterwards.
#https://turbofuture.com/computers/How-to-Backup-and-Restore-Configurations-in-pfSense
#http://hints.macworld.com/article.php?story=20100212171620210
#https://forum.pfsense.org/index.php?topic=40696.0
cp -npRv "/cf/conf" "/mnt/cf_conf/"

#Unmount the USB stick (cd out of /mnt first, or umount reports it busy).
cd
umount /mnt

#Repair root (UFS only; a ZFS install has no fsck). Answer y to every
#prompt and repeat until fsck reports the file system clean; it took
#several passes here.
#https://www.cyberciti.biz/faq/howto-freebsd-remount-partition/
#https://redmine.pfsense.org/issues/5592
fsck /
fsck /
fsck /
fsck /

#Remount root read-write. -u updates the existing mount; without it
#FreeBSD refuses to mount / a second time.
mount -u -o rw /

#Ask pfSense to run a full fsck on the next boot, then reboot.
#https://doc.pfsense.org/index.php/Forcing_a_Filesystem_Check
touch /root/force_fsck
reboot

Secure SSL/TLS with Cisco ESA aka Ironport

December 8, 2016

Here is a secure cipher string that can be used with the SSL configuration on an IronPort. It drops the DHE-RSA suites (Logjam), 3DES (SWEET32), RC4, SSLv2-era suites and anonymous DH:

HIGH:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!3DES:!RC4:!SSLv2:!aNULL

Here is the list of HIGH strength ciphers on the ESA, in the layout of `openssl ciphers -v`:

ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5

Here are the results of nmap's ssl-enum-ciphers script after applying the cipher string above:

CMD c:\>nmap --script ssl-enum-ciphers server.mcserveface.com -p 443

Starting Nmap 7.00 ( https://nmap.org ) at 2016-12-08 09:39 Eastern Standard Time
Nmap scan report for server.mcserveface.com (10.10.10.10)
Host is up (0.0020s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
| DEFLATE
| NULL
| cipher preference: client
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds

I could probably make the cipher stack selection more efficient, but the above works.
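To see exactly what the string leaves behind, the following replays the HIGH list quoted above through the string's exclusions. This is an added example and not part of the original post; it models only the aliases the string actually uses (3DES, RC4, SSLv2, aNULL) plus explicit suite names, with the ESA's HIGH list embedded inline as the input.

```powershell
# Added example, not from the original post: apply the exclusions in the
# cipher string to the ESA's HIGH list and show which suites survive.

# The HIGH list quoted above, in "openssl ciphers -v" layout.
$HighCiphers = @'
ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
'@

$CipherString = 'HIGH:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!3DES:!RC4:!SSLv2:!aNULL'

function ConvertFrom-CipherLine {
    # "NAME PROTO Kx=.. Au=.. Enc=..(bits) Mac=.." -> object
    param([Parameter(Mandatory)][string]$Line)
    $f = $Line.Trim() -split '\s+'
    [pscustomobject]@{
        Name  = $f[0]
        Proto = $f[1]
        Kx    = $f[2] -replace '^Kx=', ''
        Au    = $f[3] -replace '^Au=', ''
        Enc   = $f[4] -replace '^Enc=', ''
        Mac   = $f[5] -replace '^Mac=', ''
    }
}

function Test-CipherExcluded {
    # Only the aliases this cipher string uses are modelled; any other
    # token is treated as an explicit suite name.
    param($Cipher, [string]$Token)
    switch ($Token) {
        '3DES'  { $Cipher.Enc -like '3DES*' }
        'RC4'   { $Cipher.Enc -like 'RC4*' }
        'SSLv2' { $Cipher.Proto -eq 'SSLv2' }
        'aNULL' { $Cipher.Au -eq 'None' }
        default { $Cipher.Name -eq $Token }
    }
}

function Get-SurvivingCipher {
    param([string]$CipherList, [string]$CipherString)
    $ciphers    = $CipherList -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { ConvertFrom-CipherLine $_ }
    $exclusions = $CipherString -split ':' | Where-Object { $_.StartsWith('!') } | ForEach-Object { $_.Substring(1) }
    foreach ($c in $ciphers) {
        $dropped = $false
        foreach ($x in $exclusions) {
            if (Test-CipherExcluded -Cipher $c -Token $x) { $dropped = $true; break }
        }
        if (-not $dropped) { $c }
    }
}

$surviving = Get-SurvivingCipher -CipherList $HighCiphers -CipherString $CipherString
$surviving | Format-Table Name, Proto, Kx, Au, Enc -AutoSize

# Eight suites survive the string, but the ESA presents an RSA certificate,
# so only the Au=RSA four can be negotiated: the four TLS_RSA_* suites nmap saw.
$negotiable = $surviving | Where-Object { $_.Au -eq 'RSA' }
"Negotiable with an RSA certificate: $(($negotiable.Name) -join ', ')"
"Suites with forward secrecy left: $(@($negotiable | Where-Object { $_.Kx -ne 'RSA' }).Count)"
```

Two things worth noticing about the result. Every negotiable suite is Kx=RSA, so the string buys its Logjam immunity by giving up forward secrecy entirely rather than by using a 2048-bit DH group; that is an acceptable trade only because this OpenSSL build offers no ECDHE suites at all. And the nmap output above also reports DEFLATE compression and client cipher preference, neither of which the cipher string controls; TLS compression (CRIME) needs turning off separately if the appliance allows it.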
