Sekurak Zine 4 JUŻ JEST!

Już jest, najnowszy numer kultowego ZIN’e nawiązującego do korzeni hackingu i undergroundowych publikacji z czasów naszej młodości. Lektura OBOWIĄZKOWA!

http://sekurak.pl/offline/

 

How to open multiple RDP sessions at once with stored credentials

Let’s say that you have to manage 60 Windows Servers with separate credentials, IP addresses, etc. It is heavy to open them one-by-one or even by using RDP Manager.

There’s one simple app+script: use RDP Plus from donkz.nl (VirusTotal free).

And use this little code to a simple *.bat file:

C:\to0lz\rdp.exe /v:server1 /Domain:mydomain /U:user /P:pazw0rd
C:\to0lz\rdp.exe /v:server2 /Domain:mydomain /U:user /P:pazw0rd
C:\to0lz\rdp.exe /v:server3 /Domain:mydomain /U:user /P:pazw0rd
C:\to0lz\rdp.exe /v:server4 /Domain:mydomain /U:user /P:pazw0rd

Voila!

vmWare: An error occurred while consolidating disks: msg.snapshot.error-DISKLOCKED

IF you have seen this err0r, you’re somehow trully fucked-up. Probably a third party appliance or software made a lock on your stored in datastore *.vmdk files creating -delta ones. There are couple of methods how you could fix this… . Actually this is not a big or major err0r in vmWare environment, but can be a quite pain in the ass if you don’t have any DSR site enabled.

Let’s talk about diagnosis:

DIAGNOSIS

First of all you need to try to power on the vm. You will see one of these err0rz:

Failed to add disk scsi0:1. Failed to power on scsi0:1
Unable to open Swap File
Unable to access a file since it is locked
Unable to access a file  since it is locked
Unable to access Virtual machine configuration

In the /var/log/vmkernel log file, you see entries similar to:

WARNING: World: VM xxxx: xxx: Failed to open swap file : Lock was not free
WARNING: World: VM xxxx: xxx: Failed to initialize swap file 

The purpose of locking is to prevent changes of concurent vm files and FS. Sometimes locks cannot be released because of other handler still wants to do something with files. Even if machine is powered off. There are couple of methods how you can dislock it by yourself.

TROUBLESHOOTING

You need to locate which files, which machine in which realm is doing bad things. For this to do I suggest you to enable SSH on the ESXi/vCenter host.  Log in to a vCenter using the vSphere Client. Go to Inventory > Configuration > Security Profiles > Services > Properties > choose…

ESXi Shell
SSH
Direct Console UI

Good. Now c0nnect via Pussy through SSH and obtain full path to your VM and navigate to the f0lder, through dis c0mmands:

# vim-cmd vmsvc/getallvms
# cd /vmfs/volumes/vm-datastore/vm-dir/

Check which filez have been locked (*-delta.vmdk created) but plz remember that it can be misguiding, because these files could be obsolete. Better method is to check /var/log/vmware.log for corresponding consolidation errors on which files.
From this part you need to use vmfstools to check the used *.vmdk files.

# vmkfstools -qv10 vm-disk-000009.vmdk
* Repeat this command for every disk file used by VM (You can check it in Edit Settings tab on Hard Disk n parameter) which is actually used as a snap.

This shows you the actual snapshot chain from your selected snapshot down to the flat disk. Now, you have a list of *.vmdk files and you need to use command below to find the actual owner or RO (Read-Only) owner of the file:

vmkfstools -D vm-disk-flat.vmdk
vmkfstools -D vm-disk-000001-delta.vmdk
...

If you see output like this, that it!

# vmkfstools -D test-000008-delta.vmdk
Lock [type 10c00001 offset 45842432 v 33232, hb offset 4116480
gen 2397, mode 2, owner 00000000-00000000-0000-000000000000 mtime 5436998]
RO Owner[0] HB offset 3293184 xxxxxxxx-xxxxxxxx-xxx-xxxxxxxxxxxx 
Addr <4, 80, 160>, gen 33179, links 1, type reg, flags 0, uid 0, gid 0, mode 100600
len 738242560, nb 353 tbz 0, cow 0, zla 3, bs 2097152

The RO Owner part is the MAC address of vNIC that had locked the file! If you cannot see the RO Owner, but you don’t see zeros in owner, it is also a MAC o vNIC. If you only see zeros, the problem is heavier. Now let’s see how we can repair this.

FIX

Before you start fixing things, you should consider whether there are not other locks or uses of vm files, so you can type this:

# egrep -i  /vmfs/volumes/*/*/*.vmx
# vmkvsitools lsof | grep 

Now, if you could see the RO Owner or owner MAC addr, you can use this command to find the corresponding physical address:

esxcfg-nics -l

Simple, shutdown/restart the vNIC and disk consolidation/power on machine probably can now be possible. If not… the only non-invasive method is to clone/migrate vm to other datastore/host. You also can preventively restart ESX Management by:

services.sh restart

For cloning you can use these commands (or use the GUI of vCenter :-)) :

# vmkload_mod multiextent
# vmkfstools -i /path/datastore1/source.vmdk /path/datastore2/new.vmdk -d thin -a scsilogic/buslogic
# vmkfstools -U source.vmdk
# vmkfstools -E new.vmdk nsource.vmdk
# vmkload_mod -u multiextent

When cloning/migrating is done. You can consolidate the disks and remove the old VM. Remember that cloning is faster than migration, but in both ways you need extra space.

How do uninstall Office 15 Click-to-run extensibility component

First of all, you’ll don’t find this piece of sh1t in Add/Remove Programz in Control Panel so basically it must be manually deleted from teh Windows Registry. Type regedit in Search Box. Go to HKEY_CLASSES_ROOT\Installer\Products\ and search for string starting with 00005. All Offize products start with 0000X. Delete this and viola, now you can install your Office add-on/expl0it. REMEMBER! Plz backup your registry first before deleting this item.

Sekurak zine #3!

Iz available here.

DSFix.ini best performance settings for Dark Souls I

Dark Souls, one of the best and heaviest games of all time (IMHO). If you want to play this on PC it is a quite pain in the ass (camera action, sensitivity, target-locking etc). I present you my configuration for DSFix add-on which improves the game experience as it is on a console (PS3 e.g.). You can download the DSFix from nexusmods and also I advise you to use DSMFix also. It improves mouse control (if you don’t want to use mouse improvement just clear the line dinput8dllWrapper dsmfix.dll to none).

[dsfix.ini]

renderWidth 1920
renderHeight 1080
presentWidth 0
presentHeight 0
aaQuality 0
aaType FXAA
ssaoStrength 0
ssaoScale 3
ssaoType VSSAO
dofOverrideResolution 0
disableDofScaling 0
dofBlurAmount 0
unlockFPS 1
FPSlimit 60
FPSthreshold 28
filteringOverride 0
enableHudMod 1
enableMinimalHud 0
hudScaleFactor 1.0
hudTopLeftOpacity 0.8f
hudBottomLeftOpacity 0.75f
hudBottomRightOpacity 0.5f
borderlessFullscreen 0
disableCursor 1
captureCursor 0
enableBackups 1
backupInterval 1500
maxBackups 10
enableTextureDumping 0
enableTextureOverride 0
skipIntro 1
screenshotDir .
overrideLanguage en-GB
dinput8dllWrapper dsmfix.dll
d3dAdapterOverride -1
logLevel 0
forceWindowed 0
forceFullscreen 0
enableVsync 0
fullscreenHz 60

[dsmfix.ini]

[settings]
connected=1
buffered=1
ui_mouse=0
invert_mouse=0
lock_disables_mouse=1
scroll_switches_targets=1
vanilla_targeting=0
mouselook_w_mod=0
sensitivity=2
lock_modifier_key=42
action_modifier_key=-1
# [a]ttack, [h]eavy attack, [t]arget, [g]uard, [p]arry, [r]oll/dash, [u]nbound
mouse1=a
mouse2=h
mouse3=t
mouse4=g
mouse5=p
mouse1a=a
mouse2a=h
mouse3a=t
mouse4a=g
mouse5a=p

Three good nf0 from ITsec w0rld

Damn, can you feel how this post is advertising?

1. There is new pentest distro called “DracOS” – lightweight, built from scratch using LFS which is nice. There are no GUI tools, only CLI, which is double nice.
2. There is a new version of good old MetaSploitable virtual instance which is a simulation machine to f0ck with. Very useful (pls remember that you cannot hack public servers legally, w00t!) How to install can be found here.
3. In the topic of testing laboratories with new OS, new training bag you also need to know how to built this lab, so for a short period of time there’s a limited offer to download free good guide “The Network Security Test Lab Step-by-Step” by Michael Greeg. Bon apetit.