Archive: Windows Server

October 8, 2008

HOW-TO Request Microsoft hotfixes quickly

Getting a Hot Fix

Hotfixes are fixes for specific, reported problems that Microsoft releases outside the normal update cycle, before they've had the full testing of a service pack or a regular security update. If you're one of the people actually hit by the bug, you may well be willing to give the hotfix a try; just get it from Microsoft directly rather than a third-party mirror. Getting one can be tricky, though: in some cases you'll see an option to request it online, in others you'll have to contact support directly.

Aaron Tiensivu has posted information about a technique that generates the online request even when it doesn't appear by default:

I don't know if this is considered a 'backdoor' or not, but it has worked with every KB article I have tried it on so far.


Most of the time, if a KB article is available to the public, there will be a "Hotfix Download Available - View and request hotfix downloads" message on the top of the screen like this:

(image: the "Hot Fix Request" banner)

If you have a particular KB article that you want to download, and the image above seems to be missing, try this link in your web browser:

http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=[KBnumber]&kbln=[KB language]

Requesting MS hotfixes online has changed slightly - new way of generating a request

Also, the How-To Geek has an article up about Hotfixr, which will generate URLs of this format for you.

Posted by Brian Jepson | Oct 8, 2008 07:00 PM
Windows, Windows Server

July 23, 2008

NTFS Alternate Data Streams - hide files inside other files

The NTFS file system lets additional data, called Alternate Data Streams (ADS), be attached to any file or directory. Normally this is used by the operating system and Explorer to bind extra data to a file: the searchable summary meta-data (keywords, comments and the like) that older versions of Explorer kept in a stream, and the Zone.Identifier stream that marks a file as having been downloaded from the internet. (A file's access control information also lives at the filesystem level, but in its security descriptor, not in a stream.) Because this extra information is bound to the file by the filesystem, you can move the file from one folder to another on the same NTFS volume and all of the meta-information stays with it.

The interesting thing is that a file or directory can have any number of ADS forks attached to it. While some stream names are used by the OS, there's nothing stopping you from adding your own. You can do this directly from the command line, using a simple colon ":" notation, and the size that DIR or Explorer reports for the file (the main stream's size) doesn't change.

Let's say you have a file called test.txt. You can store a secret message in the file like this (cmd.exe's echo writes its argument literally, quotes included, so leave them off):
echo This is a secret > test.txt:secretdata

If you view the contents of the file, you won't see anything peculiar. If you know about the existence of the secretdata ADS entry, however, you can easily extract the hidden information with the following command:
more < test.txt:secretdata > output.txt

When you now open output.txt, you'll find your secret data inside.

Because it's a low-level OS feature, you can even trick most programs into loading the data. In the scenario above, you could load and edit the secretdata stream inside Notepad by running "notepad test.txt:secretdata". You can also store binary data of any size in an ADS fork, and on older Windows versions execute it from there. For instance, maybe you want to shove Solitaire inside one of your text file's ADS entries:

type %SystemRoot%\system32\sol.exe > test.txt:timewaster.exe

On Windows 2000, XP and 2003, running it is as simple as "start .\test.txt:timewaster.exe". Vista and later refuse to launch an executable straight from a stream this way, though other launch paths (wmic process call create, for one) still manage it, which is why streams never dropped out of the malware writer's toolbox. Wild, no?

So the odd thing is that all these hidden streams are floating about your filesystem and, until Vista added the /R switch to the DIR command, there wasn't a good built-in way of detecting them (Sysinternals' streams.exe fills the gap on older systems). To solve this, Frank Heyne created an application called LADS, an excellent command line utility that will scan a directory and print out stream names and sizes for the files within it.

There was also a tool released in an MSDN article about file streams that adds an extra tab to the file properties dialog in Windows Explorer. I've linked to a FAQ that Frank maintains about ADS that walks you through setting up the DLL and registry entries to make this work. When it's activated, the Streams tab in the properties panel lets you create, view, edit or delete the stream data that's attached to any file, right in Explorer.
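An added example, not from the original post, that does the whole round trip with PowerShell's -Stream parameter (available from PowerShell 3.0): write a stream, list what's attached, read it back, sweep a directory tree for streams the OS didn't put there, and strip the stream again. The file name, the stream name and the use of %TEMP% are assumptions; the main stream of every file is named :$DATA, which is how the sweep tells an ADS apart.

```powershell
# Added example, not from the original post. Needs PowerShell 3.0+ and an NTFS
# volume; the file name, stream name and use of %TEMP% are assumptions.
$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $file -Value 'This is the visible text'

# Attach a hidden stream. cmd.exe equivalent:  echo This is a secret > ads-demo.txt:secretdata
Set-Content -LiteralPath $file -Stream 'secretdata' -Value 'This is a secret'

# Every file has a main stream named ':$DATA'; anything else is an ADS.
# (Single quotes matter: "$DATA" in double quotes would be expanded as a variable.)
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# The ordinary view of the file shows nothing unusual...
Get-Content -LiteralPath $file
# ...but the stream can be read directly once you know its name
Get-Content -LiteralPath $file -Stream 'secretdata'

# Sweep a tree for streams. Zone.Identifier is the "downloaded from the
# internet" mark; it is reported too, since a sweep is about what is there,
# not what you expected to be there.
function Find-AlternateStream {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStream -Root $env:TEMP | Format-Table -AutoSize

# Strip the stream; the file's main contents are untouched
Remove-Item -LiteralPath $file -Stream 'secretdata'
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length
```

Run it from a normal PowerShell prompt on an NTFS volume. Find-AlternateStream is the part worth keeping: point it at a download folder or a web root and anything other than Zone.Identifier deserves a look.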

I can see how this file system feature could be useful, but it's a little odd that it's so hidden from the user, and there are a few problems with the concept. Obviously, because of ADS's hidden nature, there are a number of malicious uses available to the jerk-o's who write viruses and that sort of thing: a payload parked in a stream doesn't show up in DIR or Explorer, and for years plenty of antivirus and backup tools never looked there. Even ignoring that, there are data interchange issues. Moving a file to a FAT volume, zipping it, e-mailing it or copying it with a tool that only reads the main stream silently drops all of this attached information, with no warning. Call me old fashioned, but I like my files the way they used to be, with a start, an end, and some bytes in between.

Frank Heyne - Alternate Data Streams in NTFS FAQ
LADS - NTFS alternate data stream list utility
The Dark Side of NTFS
MSDN: A Programmer's Perspective on NTFS Streams and Hard Links

Posted by Jason Striegel | Jul 23, 2008 10:30 PM
Cryptography, Data, Windows, Windows Server

October 18, 2007

Remote snapshot backups with rsync and Samba

Thanassis Tsiodras writes:

What would you do if you had to automatically backup a remote Linux box (e.g. your web server), and all you had locally was Windows machines? How about this:
  1. automatically expanding local storage space
  2. transmissions of differences only
  3. automatic scheduling
  4. local storage of differences only
  5. secure and compressed transfer of remote data and
  6. instant filesystem navigation inside daily snapshot images

I covered all these requirements using open source tools, and I now locally back up our 3GB remote server in less than 2min!

We've all used Samba and rsync before, but Thanassis has really put all the pieces together into a complete backup system that's superior to a lot of commercial products I've seen.

The really impressive bit is how he's easily doing snapshot images using filesystem hardlinks. You can save several days worth of snapshots at very little cost because additional space is only taken up by files that have changed. Using hardlinks, identical files from different snapshots all point to the same inode.

root# mount /dev/loop0 /mnt/backup
root# cd /mnt/backup
root# rm -rf OneBeforeLast
root# cp -al LastBackup OneBeforeLast
root# cd LastBackup
root# rsync -avz --delete root@hosting.machine.in.US:/ ./

The "cp -al" creates a zero-cost copy of the data (using hardlinks, the only price paid is the one of the directory entries, and ReiserFS is well known for its ability to store these extremely efficiently). Then, rsync is executed with the --delete option: meaning that it must remove from our local mirror all the files that were removed on the server - and thus creating an accurate image of the current state.

And here's the icing on the cake: The data inside these files are not lost! They are still accessible from the OneBeforeLast/ directory, since hard links (the old directory entries) are pointing to them!

In plain terms, simple navigation inside OneBeforeLast can be used to examine the exact contents of the server as they were BEFORE the last mirroring.

Just imagine the data recovery headaches you could solve by adapting that to a cron job that shuffles a month's worth of nightly backups.
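Here, as an added example rather than anything from Thanassis's article, is the same scheme written for the case where the backup box really is a Windows machine and the snapshots live on NTFS, which has hard links too (PowerShell 5.0 or later for New-Item -ItemType HardLink). rsync is swapped for a small mirror function that compares size and modification time; the one property it must preserve is that a changed file is unlinked and re-created rather than overwritten in place, because an in-place write would change every older snapshot that shares the link (the same reason never to add --inplace to the rsync command above). The source path, snapshot root and retention count are assumptions.

```powershell
# Added example, not from Thanassis's article. PowerShell 5.0+, NTFS snapshot
# volume. $Source, $Base and $Keep are assumptions.
param(
    [string]$Source = '\\server\root',   # e.g. a Samba export of the remote machine
    [string]$Base   = 'D:\snapshots',
    [int]$Keep      = 30                  # backup.0 (newest) .. backup.29
)

# Equivalent of "cp -al $Src $Dst": directories are created, files are linked.
function New-HardLinkClone {
    param([string]$Src, [string]$Dst)
    $Src = (Get-Item -LiteralPath $Src).FullName.TrimEnd('\')
    New-Item -ItemType Directory -Path $Dst -Force | Out-Null
    Get-ChildItem -LiteralPath $Src -Recurse -Force | ForEach-Object {
        $target = Join-Path $Dst $_.FullName.Substring($Src.Length + 1)
        if ($_.PSIsContainer) {
            New-Item -ItemType Directory -Path $target -Force | Out-Null
        } else {
            New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
            New-Item -ItemType HardLink -Path $target -Target $_.FullName | Out-Null
        }
    }
}

# Equivalent of "rsync -a --delete $Src/ $Dst/", comparing size and mtime only.
function Sync-Mirror {
    param([string]$Src, [string]$Dst)
    $Src = (Get-Item -LiteralPath $Src).FullName.TrimEnd('\')
    $Dst = (Get-Item -LiteralPath $Dst).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $Src -Recurse -Force | ForEach-Object {
        $target = Join-Path $Dst $_.FullName.Substring($Src.Length + 1)
        if ($_.PSIsContainer) {
            New-Item -ItemType Directory -Path $target -Force | Out-Null
            return
        }
        $old = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
        if ($null -eq $old -or $old.Length -ne $_.Length -or $old.LastWriteTimeUtc -ne $_.LastWriteTimeUtc) {
            # Unlink first, then copy: never overwrite a hard-linked file in place,
            # or every older snapshot sharing the link changes with it.
            if ($old) { Remove-Item -LiteralPath $target -Force }
            New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $target
        }
    }
    # --delete: drop whatever vanished from the source, deepest paths first
    Get-ChildItem -LiteralPath $Dst -Recurse -Force |
        Sort-Object { $_.FullName.Length } -Descending |
        ForEach-Object {
            $rel = $_.FullName.Substring($Dst.Length + 1)
            if (-not (Test-Path -LiteralPath (Join-Path $Src $rel))) {
                Remove-Item -LiteralPath $_.FullName -Recurse -Force
            }
        }
}

# Rotation: drop the oldest, shift the rest up one, then seed a fresh backup.0
# as a hard-link clone of backup.1. Deleting a snapshot only removes directory
# entries; data still referenced by a newer snapshot stays on disk.
function Invoke-SnapshotRotation {
    param([string]$Base, [int]$Keep)
    $oldest = Join-Path $Base "backup.$($Keep - 1)"
    if (Test-Path -LiteralPath $oldest) { Remove-Item -LiteralPath $oldest -Recurse -Force }
    for ($i = $Keep - 1; $i -gt 0; $i--) {
        $prev = Join-Path $Base "backup.$($i - 1)"
        if (Test-Path -LiteralPath $prev) { Rename-Item -LiteralPath $prev -NewName "backup.$i" }
    }
    $newest = Join-Path $Base 'backup.0'
    if (Test-Path -LiteralPath (Join-Path $Base 'backup.1')) {
        New-HardLinkClone -Src (Join-Path $Base 'backup.1') -Dst $newest
    } else {
        New-Item -ItemType Directory -Path $newest -Force | Out-Null
    }
}

Invoke-SnapshotRotation -Base $Base -Keep $Keep
Sync-Mirror -Src $Source -Dst (Join-Path $Base 'backup.0')
```

Schedule it nightly with Task Scheduler and backup.N is the server as it looked N nights ago, browsable in Explorer. The per-file New-Item calls make the clone step far slower than cp -al, which is the price of doing this without a native tool; the hard-link semantics, and the data-loss hazard of an in-place overwrite, are exactly the same as on ReiserFS.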

Optimal remote Linux backups with rsync over Samba - Link

Posted by Jason Striegel | Oct 18, 2007 10:17 PM
Linux, Linux Server, Windows, Windows Server

August 15, 2007

HOWTO - kill terminal services sessions remotely

If you use Windows Terminal Services for remote desktop access, it's common to run into this nasty error message from time to time:

The terminal server has exceeded the maximum number of allowed connections.

The error refers to the maximum 2 remote connections that are allowed to a Windows 2000 server (or up... XP only allows 1). Now, only a crazy person would ever consider connecting more than one or two users remotely to a server, and even though that would never, ever, even in a million years, need to happen, that error still crops up from time to time.

The problem is that if a user closes their terminal services client without logging out, their remote session switches to "disconnected" mode and will continue using up one of those two available connections.

While I'm sure we all agree that this is an awesome feature, sometimes in an emergency you need to log into a server and all of its connections are already in use. There are a couple of really useful and mostly unknown command line utilities that will allow you to remotely find and kill other remote desktop sessions, whether they are in a connected or disconnected state.

On most systems these tools are qwinsta.exe and rwinsta.exe. On XP, 2003 and later the same functions are also exposed as "query session" and "reset session" (query.exe and reset.exe take a subcommand), and there's a logoff.exe that accepts the same session ID and /server: switch. Use whichever is available on your machine; all of them need administrative rights on the target server.

Finding disconnected sessions with qwinsta or query
Run "qwinsta /server:theserver_or_ip" or "query session /server:theserver_or_ip", using the server name or ip address of the machine you can't log in to. You'll get something like the following:

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console                                     0  Conn    wdcon
 rdp-tcp                                 65536  Listen  rdpwd
 rdp-tcp#5         auser                     1  Active  rdpwd
 rdp-tcp#7         another                   2  Disc    rdpwd

From this, you can see that users "auser" and "another" are using the two remote Terminal Services connections. Furthermore, the remote desktop client that "auser" is using is still connected to the server, whereas "another" is in a disconnected state, probably the result of closing the remote desktop window instead of logging off.


Killing disconnected sessions with rwinsta or reset
Run "rwinsta sessionid /server:theserver_or_ip" or "reset session sessionid /server:theserver_or_ip", using the session id obtained above (1 for "auser" and 2 for "another") and the name or ip address of the server. In this case, you'd probably want to kill session 2, since that user is disconnected anyway. rwinsta/reset tears the session down on the spot, so anything the user left unsaved is gone; "logoff 2 /server:theserver_or_ip" shuts the session down like a normal log-off and is the kinder choice when you can afford to wait for it.

The command runs without a response, but if you run qwinsta (or query) again, you'll notice that the session is no longer there. More importantly, if you try to connect to the machine using Remote Desktop, you'll get in. (If all you need is a way in, "mstsc /console" on XP/2003 clients, or "mstsc /admin" on later ones, connects to the console session, which isn't counted against the two remote connections.)
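As an added example, not part of the original post, here is the qwinsta/rwinsta procedure scripted in PowerShell so it runs as one step: parse the table, pick the sessions that are both Disc and owned by a user, and log them off (or reset them with -Reset). The server name is an assumption. Note that on real qwinsta output the SESSIONNAME column is blank for a disconnected session and USERNAME is blank for the console and listener rows, so the parser takes the USERNAME column position from the header instead of counting words.

```powershell
# Added example, not from the original post. Needs admin rights on $Server and
# qwinsta/rwinsta/logoff on the PATH (present on XP/2003 and later).
param(
    [string]$Server = 'theserver',   # assumption: name or IP of the box you can't get into
    [switch]$Reset                    # rwinsta (kill) instead of logoff (clean shutdown)
)

# qwinsta prints a fixed-width table. USERNAME is blank for the console and
# listener rows and SESSIONNAME is blank for disconnected sessions, so a plain
# whitespace split would shift columns; anchor on the header's USERNAME offset.
function Get-TsSession {
    param([string]$Server)
    $rows = @(& qwinsta /server:$Server)
    if ($LASTEXITCODE -ne 0) { throw "qwinsta failed against $Server (exit code $LASTEXITCODE)" }
    $userCol = $rows[0].IndexOf('USERNAME')
    $rows | Select-Object -Skip 1 | ForEach-Object {
        if ($_.Length -le $userCol) { return }
        # '>' marks the session the command itself is running in
        $session = $_.Substring(0, $userCol).Trim().TrimStart('>')
        if ($_.Substring($userCol) -match '^(?<user>\S+)?\s+(?<id>\d+)\s+(?<state>\S+)') {
            [pscustomobject]@{
                SessionName = $session
                UserName    = $Matches['user']     # $null when the column is blank
                Id          = [int]$Matches['id']
                State       = $Matches['state']    # Active, Conn, Disc, Listen, ...
            }
        }
    }
}

$sessions = Get-TsSession -Server $Server
$sessions | Format-Table -AutoSize

# Only user sessions in the Disc state are fair game: leave the console row,
# the rdp-tcp listener (ID 65536) and anyone who is Active alone.
$stale = $sessions | Where-Object { $_.State -eq 'Disc' -and $_.UserName }

foreach ($s in $stale) {
    if ($Reset) {
        # rwinsta / reset session tears the session down now; unsaved work is lost
        & rwinsta $s.Id /server:$Server
    } else {
        # logoff shuts the session down the way a normal log-off would
        & logoff $s.Id /server:$Server
    }
    Write-Host ("Session {0} ({1}): {2}" -f $s.Id, $s.UserName, $(if ($Reset) { 'reset' } else { 'logged off' }))
}
```

Save it as Clear-DiscSessions.ps1 and run ".\Clear-DiscSessions.ps1 -Server theserver_or_ip" from a machine that can reach the server; add -Reset only when a clean log-off isn't completing.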

Posted by Jason Striegel | Aug 15, 2007 08:40 PM
Windows Server

July 25, 2007

HOWTO: spoof Windows TCP/IP stack and IIS server headers


Pavs sent in a link to a program for Windows XP called Security Cloak, which can be used to tweak your machine's TCP/IP fingerprint to look like something else:

Security Cloak is designed to protect against TCP/IP stack fingerprinting and computer identification/information leakage via timestamp and window options by modifying relevant registry keys. The settings used are based on the results of SYN packet analysis by p0f. While the OS reported by other OS detection scanners were not identical to those of p0f, testing against Nmap, xprobe2, queso and cheops showed that they were unable to identify the correct operating system/version after Security Cloak settings had been applied.

Another way to detect a server type is to look at the HTTP "Server:" header, which reports the type and version of the web server software (and, for IIS, implies the OS). MS has a support article about using URLScan to change your system's server header: in urlscan.ini, RemoveServerHeader=1 drops the header entirely, and AlternateServerName= replaces it with any string you like. You could change it to something completely bogus, or impersonate the header from another system. Presumably, you'd want to match the OS fingerprint that you tweaked with Security Cloak, since a Linux-looking stack serving an IIS banner stands out more than either alone.

The exact utility of all this? It could be slightly useful for deterring some types of automated cracking tools, namely those that use OS fingerprinting to guess the possible ways to compromise a machine. It's obscurity, not a fix: a scanner that probes for the actual vulnerabilities rather than guessing from banners will still find them, and an exploit works the same whatever the header says, so patch first and spoof second. It might also be a nice way to trick your Linux hacker buddies so they stop teasing you about those Windows boxes that corporate is forcing you to keep running.

Security Cloak (overview and instructions) - Link
Download Security Cloak - Link
Mask IIS Version Information - Link

Posted by Jason Striegel | Jul 25, 2007 10:00 PM
Windows, Windows Server

March 7, 2007

Move Windows Special Folders To Another Drive

A common problem that people have in Windows is running out of disk space on the C: drive. Because the C: drive is the default location for user created documents, photos, and music (among others), it's not simply a matter of getting another hard drive. You also need to move all of these special folders to the new disk.

Hackszine reader Naser writes:

You only need some instant wit and one small (yet nifty, I tell ya) tool released by Microsoft called "Tweak UI". With this tool, you can transfer (or relocate) so called special system folders like "My Documents", "CD burning cache folder", "My Music/Pictures" and many others to another drive.

The Tweak UI method should work for most everyone except Vista users. In Vista it's a little easier: right-click the Documents, Pictures or Music folder, click Properties, select the Location tab, and move the folder to its new location. XP offers the same for My Documents only, via the Target tab of its Properties dialog.


Posted by Jason Striegel | Mar 7, 2007 12:37 PM
Windows, Windows Server
