Powershell script to remotely check Cisco WebEx versions (CVE-2017-3823 remediation/resolution/fix)

January 26, 2017

Pardon the stupid title of the post for SEO.

In regard to this week's water-cooler exploit, CVE-2017-3823, I have essentially ported a Tripwire definition to produce a report of Cisco WebEx versions on a bunch of PCs pretty efficiently.

This uses the admin share rather than PowerShell remoting, but the logic should be easy to change.

Please take a look at the github gist.

pfSense kernel panic, run `fsck /` like five times

January 23, 2017

I was installing a Sense unit into my breaker panel and was repeatedly breaking the master power (yes, I probably should have unplugged sensitive equipment). It turned out that the file system on my new SG-2220 pfSense appliance from NetGate wasn’t a huge fan and the system would enter a kernel panic upon boot.

I grabbed a USB cable with a mini-B plug and used PuTTY at 115200 baud, 8-N-1, as directed in the user manual, then performed the following steps to back up the config (which includes the certificates!) and then fix the file system:

# At pfSense boot time, boot into single-user mode (root is mounted read-only)

# Plug in a USB stick and mount it; the device node (ad6s1 here) varies per box
mount -t msdosfs -o large /dev/ad6s1 /mnt

# Back up the config directory, which includes the certificates
cp -npRv "/cf/conf" "/mnt/cf_conf/"

# Unmount the USB stick
umount /mnt

# Run fsck repeatedly until it reports the file system clean; select y for all the things
fsck / #select y for all the things
fsck / #select y for all the things
fsck / #select y for all the things
fsck / #select y for all the things

# Remount root read-write so the marker file below can be created
mount -o rw /

# pfSense forces another fsck on the next boot when this file exists
touch /root/force_fsck

Secure SSL/TLS with Cisco ESA aka Ironport

December 8, 2016

Here is a secure “cipher stack” that can be used with the SSL configuration on an Ironport that defeats logjam, SWEET32 and some other evil stuff:


Here is the list of HIGH-strength ciphers on the ESA:

ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5

Here are the results of ssl-enum-ciphers after inputting the previous cipher stack:

CMD c:\>nmap --script ssl-enum-ciphers server.mcserveface.com -p 443

Starting Nmap 7.00 ( https://nmap.org ) at 2016-12-08 09:39 Eastern Standard Time
Nmap scan report for server.mcserveface.com (
Host is up (0.0020s latency).
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| compressors:
| cipher preference: client
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds

I could probably make the cipher stack selection more efficient, but the above works.
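As an added example (not the post's own code, and not logic the ESA itself runs), the following Python applies the reasoning behind such a cipher stack to the HIGH list above. It parses the `openssl ciphers -v` format the appliance prints and drops anonymous DH, SSLv2-era, MD5-MAC, 64-bit-block (SWEET32) and finite-field DH suites; the DH rule is an assumption that the appliance gives no control over its DH group size, which is the usual reason to drop DHE against Logjam. The four suites that survive are exactly the four the nmap scan above reports.

```python
"""Filter an OpenSSL-style cipher list (the `openssl ciphers -v` format the ESA
prints) down to a stack that drops the suites behind Logjam, SWEET32 and
anonymous key exchange. Added example with an assumed policy; it is not the
appliance's own logic."""
from dataclasses import dataclass

# Constructed input: the HIGH-strength list from the post, verbatim.
ESA_HIGH_CIPHERS = """\
ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
"""


@dataclass
class Suite:
    name: str
    proto: str   # protocol the suite was defined for (SSLv2 / SSLv3 / TLSv1.x)
    kx: str      # key exchange
    au: str      # server authentication
    enc: str     # bulk cipher, e.g. "AES(256)" or "3DES(168)"
    mac: str


def parse_suites(text):
    """Parse `openssl ciphers -v` lines: NAME PROTO Kx=.. Au=.. Enc=.. Mac=.."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        f = dict(p.split("=", 1) for p in parts[2:6])
        suites.append(Suite(parts[0], parts[1], f["Kx"], f["Au"], f["Enc"], f["Mac"]))
    return suites


def rejection_reasons(s):
    """Assumed policy for this example: every reason a suite should not be offered."""
    reasons = []
    if s.au == "None":
        reasons.append("anonymous key exchange, no server authentication (trivial MITM)")
    if s.proto == "SSLv2":
        reasons.append("SSLv2-era suite")
    if s.mac == "MD5":
        reasons.append("MD5 MAC")
    if "DES" in s.enc:
        reasons.append("64-bit block cipher (SWEET32)")
    if s.kx == "DH":
        # Finite-field DHE is only safe with >= 2048-bit groups; when the appliance
        # gives no control over its DH parameters, dropping DHE is the Logjam fix.
        reasons.append("finite-field DH key exchange (Logjam unless DH params >= 2048 bits)")
    return reasons


def build_cipher_stack(text):
    """Return (kept suite names in input order, {dropped name: [reasons]})."""
    kept, dropped = [], {}
    for s in parse_suites(text):
        reasons = rejection_reasons(s)
        if reasons:
            dropped[s.name] = reasons
        else:
            kept.append(s.name)
    return kept, dropped


def cipher_string(kept):
    """Colon-separated form that an OpenSSL-style cipher field accepts."""
    return ":".join(kept)


if __name__ == "__main__":
    kept, dropped = build_cipher_stack(ESA_HIGH_CIPHERS)
    print("offer:", cipher_string(kept))
    for name, why in dropped.items():
        print(f"drop {name}: {'; '.join(why)}")
```

Each dropped suite carries every reason it failed, so the report reads as a justification rather than a bare deny list; that is the part a reviewer wants when a cipher change is proposed for an appliance.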

El Capitan, Mi Capitan: media-zwave-torrent-magic server project

September 16, 2016

I had some trouble figuring out a name. I (and probably a ton of other people) use cerberus for my firewall. I’ve used janus for my argus/flow boxes… Anyway…

I recently purchased my first house, and wanted to do a bunch of crazy home automation. Through research I found several pieces of software that essentially turn a PC into a hub. I’ll be covering my development of this system in several posts, and likely be compiling it into a project.

What will I call my system? El Capitan. Yes, I know that there’s an OSX version with the same codename, but the name comes from the nickname of a manager/cook at a deli that was near my and my wife’s old office, where we met near Rock Center.

Here’s a short plan of things I plan to integrate:

  • Mopidy + Korus (almost have this completely functional with three Korus V400 and one Syncronice DX Mini receivers, three USB batons (for zoning) and a single Akiko 3.5 mm transmitter): support for Pandora and Google Music, with an iOS web app and an Android native app.
  • Considering ZoneMinder, but I think our low-voltage guy talked me into getting a dedicated NVR.
  • Home Assistant, with the UZB Z-Wave stick (wish I had bought an Aeotec stick).
  • Z-Wave motion sensors
  • Two-way door communication… even if it's through Google Voice.
  • Z-Wave garage door opener
  • Lighting controls (looks like my electrician made the decision for me and gave me some Lutron Caseta switches with Pico remotes; no problem with a Smart Bridge Pro, which provides control via telnet)
  • Blind/curtain controls
  • A Honeywell Z-Wave thermostat.
  • I have a 3rd-gen iPad and an older Galaxy Tab for which I'd like to provide interfaces (maybe have one sit in the kitchen and the other in the living room, and we can use our phones in our rooms, or something).

I bought an HP Elitedesk 800 desktop mini and tossed in an older SSD I had in a 2008 Macbook Pro. I then loaded Fedora Server, and began building Mopidy. Since I pay for Google Music (my consolation after pirating music for 15 years), I figured that this would be the perfect way to stream whatever we wanted to listen to at any time. I was able to get Mopidy going this morning to stream out of the USB baton to the single Korus V400 that we have going now. I did discover that the USB baton is functional although not listed as working with *nix. I reached out to Eleven Engineering to see if there is a way to control the volume levels of the receivers, as they do in the Android and iOS apps, with *nix.

Before I had tested this, I had purchased an “Akiko” from skaastore.com. This is a USB-powered 3.5mm-to-SKAA adapter… SKAA being the licensable wireless standard with 40ms latency and 60-100 foot range (this differs by transmitter). The Akiko set me back $80. A single Korus V400 set me back $60 and comes with a Lightning, a 30-pin and a USB baton. I currently have a Bluetooth-to-RCA adapter hooked up to our main system, and will likely use this as a sort of “universal” Korus/SKAA interconnect until I find another use.

Convert NT Time Epoch to human readable time in Excel

September 13, 2016

This is the formula (set the cell format to Long Date); A1 holds the NT/FILETIME value, i.e. 100-nanosecond ticks since 1601-01-01 UTC:

=A1/(8.64*10^11) - 109205

If you want to shift this to EDT (UTC-4):

=A1/(8.64*10^11) - 109205 - time(4,0,0)
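The same arithmetic in Python, as an added example (not from the post) that also shows where the two constants come from: 8.64×10^11 is the number of 100 ns ticks in a day, and 109205 is the number of days from the FILETIME epoch (1601-01-01) to Excel's day zero (1899-12-30). The sample tick value is constructed.

```python
"""Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime and to an
Excel serial day, reproducing the spreadsheet formula and deriving its constants.
Added example; not from the post."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Day 0 of Excel's 1900 date system (correct for any date after February 1900).
EXCEL_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)
TICKS_PER_DAY = 86_400 * 10_000_000                        # 8.64e11, the formula's divisor
EXCEL_EPOCH_OFFSET_DAYS = (EXCEL_EPOCH - FILETIME_EPOCH).days  # 109205, the formula's constant


def filetime_to_datetime(ticks: int) -> datetime:
    """Exact conversion to an aware UTC datetime (the sub-microsecond digit is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime for aware datetimes; integer arithmetic only."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def filetime_to_excel_serial(ticks: int, utc_offset_hours: float = 0.0) -> float:
    """Same arithmetic as =A1/(8.64*10^11) - 109205, with an optional zone shift
    (pass -4 for EDT to match the "- time(4,0,0)" variant)."""
    days_since_1601 = ticks / TICKS_PER_DAY
    return days_since_1601 - EXCEL_EPOCH_OFFSET_DAYS + utc_offset_hours / 24


if __name__ == "__main__":
    # Constructed sample: midnight UTC on the day of the post.
    sample = datetime_to_filetime(datetime(2016, 9, 13, tzinfo=timezone.utc))
    print(sample, filetime_to_datetime(sample).isoformat())
    print("Excel serial (UTC):", filetime_to_excel_serial(sample))
    print("Excel serial (EDT):", filetime_to_excel_serial(sample, -4))
```

Feeding the serial back into a cell formatted as a date gives the human-readable value; the zone shift is applied after the epoch subtraction, exactly as the formula does, so the date can roll backwards across midnight when the UTC time is before 04:00.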

Thanks to this guy.

Outlook macros: what.

September 1, 2016

I had a request to make Outlook do something after an email is sent.

Here’s how you do that (I’m not too exciting this morning):

' Application-level object declared WithEvents so its ItemSend event reaches this module.
Public WithEvents myOlApp As Outlook.Application

' Runs when Outlook starts; wires up the event handler below.
Private Sub Application_Startup()
    Call Initialize_handler
End Sub

Public Sub Initialize_handler()
    Set myOlApp = Outlook.Application
    MsgBox ("I be loading")
End Sub

' ItemSend fires after the user clicks Send but before the item leaves Outlook;
' setting Cancel = True stops the send.
Private Sub myOlApp_ItemSend(ByVal Item As Object, Cancel As Boolean)
    Dim prompt As String
    prompt = "Are you sure you want to send " & Item.Subject & "?"
    If MsgBox(prompt, vbYesNo + vbQuestion, "Sample") = vbNo Then
        Cancel = True
    End If
End Sub

Open the Developer tab on the ribbon, open the Visual Basic editor and paste that code into “ThisOutlookSession”. Save, then close and reopen Outlook. Macro security is important: the code only runs if the macro security setting allows it.

If we move this into production, I’ll work on signing the macro also.

Windows update failing, use dism to uninstall the failing package

August 29, 2016

After reviewing the c:\windows\system32\cbs\CBS.log and c:\windows\Windowsupdate.log, the following failure was reported in the windowsupdate.log file:

2016-08-29	10:26:05:812	 984	11c0	Agent	Attempt 1 to obtain post-reboot results.
2016-08-29	10:26:06:999	 984	11c0	Handler	Post-reboot status for package Package_for_KB3125574~31bf3856ad364e35~amd64~~ 0x80004005.
2016-08-29	10:26:06:999	 984	11c0	Handler	WARNING: Got extended error: "Generic Command	ErrorCode	80004005	Executable	bfsvc.exe	ExitCode	112	Phase	38	Mode	Install (upgrade)	Component	Microsoft-Windows-BootEnvironment-Core-BootManager-PCAT, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=x86, versionScope=NonSxS"
2016-08-29	10:26:11:812	4304	58c	COMAPI	-----------  COMAPI: IUpdateServiceManager::RemoveService  -----------
2016-08-29	10:26:11:812	4304	58c	COMAPI	  - ServiceId = {6d7dbb69-4bc2-4e6e-9dec-0651152c5691}
2016-08-29	10:26:11:874	4304	58c	COMAPI	IUpdateService removing volatile scan package service, serviceID = {6D7DBB69-4BC2-4E6E-9DEC-0651152C5691}
2016-08-29	10:26:11:874	 984	cb8	Agent	WARNING: WU client fails CClientCallRecorder::RemoveService with error 0x80248014
2016-08-29	10:26:11:953	4304	58c	COMAPI	WARNING: ISusInternal::RemoveService failed, hr=80248014
2016-08-29	10:26:12:015	 984	a88	Report	REPORT EVENT: {0D6E181E-8A07-40B9-BD04-93B81A786626}	2016-08-29 10:26:07:015-0400	1	182	101	{5A44EA4D-9446-49BC-AB5F-71C9A8FE21B4}	501	80004005	wusa	Failure	Content Install	Installation Failure: Windows failed to install the following update with error 0x80004005: Update for Windows (KB3125574).
2016-08-29	10:26:12:015	 984	a88	Report	CWERReporter::HandleEvents - WER report upload completed with status 0x8
2016-08-29	10:26:12:015	 984	a88	Report	WER Report sent: 7.6.7601.23453 0x80004005(0x17766a8) A44EA4D-9446-49BC-AB5F-71C9A8FE21B4 Install 501 0 wusa {21586AC6-9DBE-4916-8E8C-F6B5F901AF52} 0

Run the following, reboot, then try to reinstall the failing package:

dism.exe /online /remove-package /packagename:Package_for_KB3125574~31bf3856ad364e35~amd64~~

You might note that the failing KB is one of these newfangled cumulative rollups which contains a bunch o’ packages. Even after a rollback by the Windows Update client, I was surprised to see that this package was still installed, meaning the above dism command didn’t return an error but succeeded.

However, in my specific case, the following was found in the CBS.log file:

2016-08-29 12:10:38, Info                  CSI    00000369 Calling generic command executable (sequence 75 (0x0000004b)): [20]"C:\Windows\bfsvc.exe"
    CmdLine: [47]""C:\Windows\bfsvc.exe" C:\Windows\boot /nofonts"
2016-08-29 12:11:10, Error      [0x018009] CSI    0000036a (F) Done with generic command 75 (0x0000004b); CreateProcess returned 0, CPAW returned S_OK
    Process exit code 112 (0x00000070) resulted in success? FALSE
    Process output: [l:8995 [4096]"BFSVC: BfspCopyFile(C:\Windows\boot\PCAT\bootmgr, \\?\GLOBALROOT\Device\HarddiskVolume1\Boot\bootmgr) failed! (Attempt 1 of 60) Last Error = 0x70

This indicates that HarddiskVolume1 does not have enough room (error 112; try running `net helpmsg 112`). HarddiskVolume1 is the System Reserved partition. This is fairly convoluted, but you must assign a drive letter to the partition, take ownership as your user, grant yourself full control, and then you can manage the files; afterwards remove the drive letter, reboot and try to install the hotfix again. And always remember you can drop the size of a file to 1KB by hitting it with the old `echo > file.ext`.
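As an added example (not from the post), here is a small Python triage helper for the two logs walked through above: it pulls the failed package and HRESULT out of WindowsUpdate.log "Post-reboot status" lines, pulls the failing generic-command exit code out of CBS.log, and emits the matching dism removal command. The sample log lines are constructed from the ones quoted in the post, and the Win32 message table is a hand-picked subset of what `net helpmsg` would print.

```python
"""Triage WindowsUpdate.log and CBS.log for a failed post-reboot package.
Added example; sample lines are constructed from the post, the message table
is a hand-picked subset, and the dism command is the one the post uses."""
import re

# Constructed samples (abridged copies of the lines quoted in the post).
WINDOWSUPDATE_LOG = """\
2016-08-29\t10:26:05:812\t 984\t11c0\tAgent\tAttempt 1 to obtain post-reboot results.
2016-08-29\t10:26:06:999\t 984\t11c0\tHandler\tPost-reboot status for package Package_for_KB3125574~31bf3856ad364e35~amd64~~ 0x80004005.
2016-08-29\t10:26:12:015\t 984\ta88\tReport\tREPORT EVENT: Installation Failure: Windows failed to install the following update with error 0x80004005: Update for Windows (KB3125574).
"""

CBS_LOG = r"""2016-08-29 12:10:38, Info                  CSI    00000369 Calling generic command executable (sequence 75 (0x0000004b)): [20]"C:\Windows\bfsvc.exe"
    CmdLine: [47]""C:\Windows\bfsvc.exe" C:\Windows\boot /nofonts"
2016-08-29 12:11:10, Error      [0x018009] CSI    0000036a (F) Done with generic command 75 (0x0000004b); CreateProcess returned 0, CPAW returned S_OK
    Process exit code 112 (0x00000070) resulted in success? FALSE
"""

POST_REBOOT_RE = re.compile(
    r"Post-reboot status for package (?P<pkg>\S+) (?P<hr>0x[0-9A-Fa-f]{8})\."
)
EXIT_CODE_RE = re.compile(
    r"Process exit code (?P<code>\d+) \(0x[0-9A-Fa-f]+\) resulted in success\? FALSE"
)

# Subset of Win32 error texts relevant here (what `net helpmsg <code>` prints).
WIN32_MESSAGES = {
    112: "ERROR_DISK_FULL: There is not enough space on the disk.",
}
SUCCESS_HRESULTS = {"0x00000000"}


def failed_packages(wu_log_text):
    """Return [(package_name, hresult)] for every post-reboot status that is not success."""
    found = []
    for m in POST_REBOOT_RE.finditer(wu_log_text):
        if m.group("hr").lower() not in SUCCESS_HRESULTS:
            found.append((m.group("pkg"), m.group("hr")))
    return found


def failed_exit_codes(cbs_log_text):
    """Return the exit codes of generic commands CBS flagged as unsuccessful."""
    return [int(m.group("code")) for m in EXIT_CODE_RE.finditer(cbs_log_text)]


def dism_remove_command(package_name):
    """The removal command from the post, for the package CBS could not finish."""
    return f"dism.exe /online /remove-package /packagename:{package_name}"


def triage(wu_log_text, cbs_log_text):
    """Combine both logs into (package report, [(exit code, explanation)])."""
    report = [
        {"package": pkg, "hresult": hr, "remove": dism_remove_command(pkg)}
        for pkg, hr in failed_packages(wu_log_text)
    ]
    codes = [
        (c, WIN32_MESSAGES.get(c, f"unknown; run `net helpmsg {c}`"))
        for c in failed_exit_codes(cbs_log_text)
    ]
    return report, codes


if __name__ == "__main__":
    report, codes = triage(WINDOWSUPDATE_LOG, CBS_LOG)
    for entry in report:
        print(f"{entry['package']} failed with {entry['hresult']}\n  -> {entry['remove']}")
    for code, why in codes:
        print(f"generic command exit code {code}: {why}")
```

Pairing the two logs matters: WindowsUpdate.log only says which package failed and with a generic HRESULT, while CBS.log carries the underlying Win32 exit code that actually explains it (here 112, disk full on the System Reserved partition), which decides whether removing the package is enough or the partition needs cleaning first.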

ref: http://answers.microsoft.com/en-us/windows/forum/all/windows-update-fatal-error-c0000022/95545731-a30d-4672-aca5-55d254a9efd1?auth=1
