I had to create a test Yahoo email account today and apparently Captcha’s hate me as much as I hate them… Here’s my F you (Fuck You) captcha!
Oct
22
Author Archives: admin
Aug
06
Configuring AnyConnect SSL VPN Client Connections
Overview
ASA: 8.3+ (Written/Tested on 9.0)
Authentication: Local (Local ASA User Database)
Type: Split-tunnel OR Non split-tunnel
The below configurations will work with 8.3+, but was written and tested with 9.0. When setting up a Anyconnect VPN tunnel, you can push all traffic from the client over the VPN (Tunnel all) or you can use a split tunnel to only push traffic destined for selected subnets over the VPN tunnel. In laymen terms, the clients internet traffic originates from their ISP in a split tunnel, and it originates from the ASA when using tunnel all. The below configuration examples assume you have a basic setup equivalent to running factory-default and are setup to authenticate locally to the ASA. I will give examples of each configuration below.
Network Diagram
The ASA has a command that gives an overview of how to configure an Anyconnect SSL VPN, which in global configuration mode is vpnsetup ssl-remote-access steps. Here are the results of that command:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 |
ciscoasa(config)# vpnsetup ssl-remote-access steps Steps to configure a remote access SSL VPN remote access connection and AnyConnect with examples: 1. Configure and enable interface interface GigabitEthernet0/0 ip address 10.10.4.200 255.255.255.0 nameif outside no shutdown interface GigabitEthernet0/1 ip address 192.168.0.20 255.255.255.0 nameif inside no shutdown 2. Enable WebVPN on the interface webvpn enable outside 3. Configure default route route outside 0.0.0.0 0.0.0.0 10.10.4.200 4. Configure AAA authentication and tunnel group tunnel-group DefaultWEBVPNGroup type remote-access tunnel-group DefaultWEBVPNGroup general-attributes authentication-server-group LOCAL 5. If using LOCAL database, add users to the Database username test password t3stP@ssw0rd username test attributes service-type remote-access Proceed to configure AnyConnect VPN client: 6. Point the ASA to an AnyConnect image webvpn svc image anyconnect-win-2.1.0148-k9.pkg 7. enable AnyConnect svc enable 8. Add an address pool to assign an ip address to the AnyConnect client ip local pool client-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0 9. Configure group policy group-policy DfltGrpPolicy internal group-policy DfltGrpPolicy attributes vpn-tunnel-protocol svc webvpn |
There are a few important things to note from Cisco’s directions:
- They are using the default names for configuring the group policy and tunnel groups, which will throw a warning that they already exist since they’re defaults
- The directions do not specify that you MUST attach the VPN Address pool to the tunnel group, which is necessary for it to work!
- They do not include how to create a split tunnel or a tunnel all to allow internet from the Anyconnect client.
- They are using outdated “svc” commands, which were replaced with “anyconnect”.
With that said, let’s move on to the configurations!
Anyconnect Configuration 1: Tunnel All
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 |
!Enable WebVPN, Set Anyconnect Image, and Enable Anyconnect config t webvpn enable outside tunnel-group-list enable anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05178-k9.pkg 2 anyconnect image disk0:/anyconnect-linux-3.1.05178-k9.pkg 3 anyconnect enable end !Create DHCP Pool for Anyconnect Clients config t ip local pool pool-anyconnect 192.168.100.1-192.168.100.254 mask 255.255.255.0 end !Create Group Policy for Anyconnect config t group-policy GroupPolicy_Anyconnect internal group-policy GroupPolicy_Anyconnect attributes vpn-tunnel-protocol ssl-client end !Create Tunnel Group for Anyconnect config t tunnel-group TunnelGroup_Anyconnect type remote-access tunnel-group TunnelGroup_Anyconnect general-attributes authentication-server-group LOCAL default-group-policy GroupPolicy_Anyconnect address-pool pool-anyconnect tunnel-group TunnelGroup_Anyconnect webvpn-attributes group-alias 1-Admin enable end !Create NAT Exemption and Enable Outside Traffic to Enter/Exit the Same Interface config t object-group network obj-anyconnect network-object 192.168.100.0 255.255.255.0 exit nat (outside,outside) after-auto source dynamic obj-anyconnect interface same-security-traffic permit intra-interface end !Tunnel All Traffic Over Anyconnect VPN and Force Use of DNS Servers config t group-policy GroupPolicy_Anyconnect attributes split-tunnel-policy tunnelall split-tunnel-all-dns enable end !(OPTIONAL)Create Local User for Anyconnect config t username user1 password P@SSWORD username user1 attributes service-type remote-access end !(OPTIONAL) Add DNS Settings for Anyconnect Client config t group-policy GroupPolicy_Anyconnect attributes dns-server value 10.1.1.10 10.1.1.11 default-domain value domain.local end !(OPTIONAL) Allow Anyconnect IP Pool to Manage ASA config t ssh 192.168.100.0 255.255.255.0 inside http 192.168.100.0 255.255.255.0 inside management-access inside end !(OPTIONAL)Auto launch anyconnect config t group-policy GroupPolicy_Anyconnect attributes webvpn anyconnect ask none default anyconnect end |
Anyconnect Configuration 2: Split Tunnel
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 |
!Enable WebVPN, Set Anyconnect Image, and Enable Anyconnect config t webvpn enable outside tunnel-group-list enable anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05178-k9.pkg 2 anyconnect image disk0:/anyconnect-linux-3.1.05178-k9.pkg 3 anyconnect enable end !Create DHCP Pool for Anyconnect Clients config t ip local pool pool-anyconnect 192.168.100.1-192.168.100.254 mask 255.255.255.0 end !Create Group Policy for Anyconnect config t group-policy GroupPolicy_Anyconnect internal group-policy GroupPolicy_Anyconnect attributes vpn-tunnel-protocol ssl-client end !Create Tunnel Group for Anyconnect config t tunnel-group TunnelGroup_Anyconnect type remote-access tunnel-group TunnelGroup_Anyconnect general-attributes authentication-server-group LOCAL default-group-policy GroupPolicy_Anyconnect address-pool pool-anyconnect tunnel-group TunnelGroup_Anyconnect webvpn-attributes group-alias 1-Admin enable end !Create NAT Exemption config t object-group network obj-anyconnect network-object 192.168.100.0 255.255.255.0 exit nat (inside,outside) 2 source static any any destination static obj-anyconnect obj-anyconnect no-proxy-arp route-lookup end !Create Split Tunnel, Allow Access to VPN and Inside Subnets, and Apply to Group Policy config t access-list ACL_split-tunnel standard permit 192.168.100.0 255.255.255.0 access-list ACL_split-tunnel standard permit 10.1.1.0 255.255.255.0 group-policy GroupPolicy_Anyconnect attributes split-tunnel-policy tunnelspecified split-tunnel-network value ACL_split-tunnel end !(OPTIONAL)Create Local User for Anyconnect config t username user1 password P@SSWORD username user1 attributes service-type remote-access end !(OPTIONAL) Add DNS Settings for Anyconnect Client config t group-policy GroupPolicy_Anyconnect attributes dns-server value 10.1.1.10 10.1.1.11 default-domain value domain.local end !(OPTIONAL) Allow Anyconnect IP Pool to Manage ASA config t ssh 192.168.100.0 255.255.255.0 inside http 192.168.100.0 255.255.255.0 inside management-access inside end !(OPTIONAL)Auto launch anyconnect config t group-policy GroupPolicy_Anyconnect attributes webvpn anyconnect ask none default anyconnect end |
Testing the Configuration
Open a web browser, connect to your ASA (https://vpn.domain.com OR https://172.31.100.1), and you’ll be prompted to login. You can login with the user account you’ve created in the configuration above. The Anyconnect client will automatically install, if it fails you may need to download and manually install it. Once installed, you can connect to your ASA by the outside interface (vpn.domain.com OR 172.31.100.1) and authenticate with the user you’ve created.
Additional Notes
You may wish to use a 3rd party SSL certificates (ie: Verisign, Thawte, Godaddy, etc) so end users do not get prompted about certificate warnings. Cisco ASA’s will regenerate it’s certificate upon reboot, and due to this you should create a self signed certificate whenever you cannot use a 3rd party. You can create the self signed certificate as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
!Create Self Signed Certificate config t crypto ca trustpoint SELF enroll enrollment self fqdn vpn.domain.com subject cn=vpn.domain.com,dc=domain,dc=com exit crypto ca enroll SELF !The following warnings will generate, answer accordingly as below: ! !WARNING: The certificate enrollment is configured with an fqdn !that differs from the system fqdn. If this certificate will be !used for VPN authentication this may cause connection problems. ! !Would you like to continue with this enrollment? [yes/no]: yes ! !The fully-qualified domain name in the certificate will be: vpn.domain.com ! !Include the device serial number in the subject name? [yes/no]: no ! !Generate Self-Signed Certificate? [yes/no]: yes ! !Attach the certificate to the outside interface ssl trust-point SELF outside end |
Aug
05
DirMirror.vbs
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 |
Option Explicit '========================================================================= ' DirMirror.vbs ' VERSION: 1.0 ' AUTHOR: Brian Steinmeyer ' EMAIL: sigkill@sigkillit.com ' WEB: http://sigkillit.com ' DATE: 9/26/2013 ' REQUIREMENTS: ' - robocopy.exe (Built in to Server2008+, Windows 7+) ' - blat.exe, blat.dll. blat.lib in the same directory as the script (http://www.blat.net) ' - Blat profile installed to email results ' - Recommended to use Stunnel to Encrypt Email Sessions, Especially If the Email Server ' is not on your subnet ex: Gmail ' COMMENTS: Requires robocopy for the backup and blat to email results. Define ' the Directory Source(what you need to backup), the Directory Destination ' (where you need to backup to), path to blat, blat profile, email subject, ' and email body '========================================================================= ' ------ SCRIPT CONFIGURATION ------ Const WindowStyle = 0 '0=Hide Robocopy Console, 1=Show Robocopy Console Dim DirSource: DirSource = "\\server\share\directory" Dim DirDestination: DirDestination = Left(WScript.ScriptFullName,InstrRev(WScript.ScriptFullName,"\")) & "backup" Dim intReturn 'Generic Return Dim logErrors: logErrors = Replace(WScript.ScriptFullName,".vbs","_log.txt") Dim emailBlatExe: emailBlatExe = "C:\blat\blat.exe" 'Custom Path to Blat.exe Default is Same Folder as Script Dim emailProfile: emailProfile = "gmail" 'Blat Profile Name See (http://www.blat.net) For Info Dim emailRecipient: emailRecipient = "email@domain.com" 'Email to Receive Backup Result Dim eSubject: eSubject = "Server1 Backup" Dim eBody: eBody = "Server1 Backup" ' ------ END CONFIGURATION ------ 'MAIN CALLS Call Logger(logErrors, "[" & Now() & "] " & vbCrLf & Wscript.ScriptName & vbCrLf & "Server: Spiceworks", True) Call AllowSingleInstance(".",logErrors, emailBlatExe, emailProfile, emailRecipient, eSubject, eBody) Call ConfirmDirectories(logErrors, DirSource, DirDestination, emailBlatExe, emailProfile, emailRecipient, eSubject, eBody) Call RoboDirMirror(logErrors, DirSource, DirDestination, emailBlatExe, emailProfile, emailRecipient, eSubject, eBody) ' *************************************************************************************************** ' Function RoboDirMirror - Mirrors a Source Directory to a Mirror Directory Using Robocopy ' *************************************************************************************************** Private Sub RoboDirMirror(logName, strSource, strDestination, emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody) 'On Error Resume Next Call Logger(logName, vbCrLf & "[" & Now() & "] " & vbCrLf & "Run Robocopy to Mirror Directory", False) 'Ensure Directories Don't End with Slash or Robocopy Will Error If Mid(strSource,Len(strSource),1) = "\" Then strSource = Mid(strSource,1,Len(strSource) - 1) End If If Mid(strDestination,Len(strDestination),1) = "\" Then strDestination = Mid(strDestination,1,Len(strDestination) - 1) End If Dim objShell: Set objShell = WScript.CreateObject("WScript.Shell") Dim strCommand: strCommand = "robocopy" Dim cmdOptions: cmdOptions = "/MIR /FFT /Z /XA:H /W:5 /log+:" & chr(34) & logName & chr(34) 'Robocopy \\SourceServer\Share \\DestinationServer\Share /MIR /FFT /Z /XA:H /W:5 Dim intReturn: intReturn = objShell.Run(strCommand & " " & chr(34) & strSource & chr(34) & " " & chr(34) & strDestination & chr(34) & " " & cmdOptions, WindowStyle, True) Select Case intReturn Case 0 'No Files Copied Call Logger(logName, "RESULT: Success - No Files Copied", False) emailSubject = emailSubject & " Success" emailBody = emailBody & " Success - No Files Copied" Case 1 'Files Copied Call Logger(logName, "RESULT: Success - Files Copied", False) emailSubject = emailSubject & " Success" emailBody = emailBody & " Success - Files Copied" Case 2 'File on Source Does Not Exist on Destination Call Logger(logName, "RESULT: Success - New Files Found in Source that are Not in Destination", False) emailSubject = emailSubject & " Success" emailBody = emailBody & " Success - New Files Found in Source that are Not in Destination" Case 3 'Combination of Case1 and Case2 Call Logger(logName, "RESULT: Success - Files Copied (New Files Found in Source that are Not in Destination)", False) emailSubject = emailSubject & " Success" emailBody = emailBody & " Success - Files Copied (New Files Found in Source that are Not in Destination)" Case Else 'Error Call Logger(logName, "RESULT: !~ERROR~! - Error Occurred on Robocopy", False) emailSubject = emailSubject & " FAILED" emailBody = emailBody & " FAILED - Error Occurred on Robocopy" End Select If Err.Number <> 0 Then Err.Clear Call Logger(logName, "!~ERROR~! - Unknown Error Occurred in RoboDirMirror Sub", False) emailSubject = emailSubject & " FAILED" emailBody = emailBody & " FAILED - Unknown Error Occurred in RoboDirMirror Sub" End If Call SendBlatEmail(emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody, logName) End Sub ' *************************************************************************************************** ' Function ConfirmDirectories - Confirm Source and Destination Directories Exist ' *************************************************************************************************** Private Sub ConfirmDirectories(logName, strSource, strDestination, emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody) 'On Error Resume Next Call Logger(logName, vbCrLf & "[" & Now() & "] " & vbCrLf & "Confirm Source/Destination Directories Exist", False) ' Create Objects Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject") Call Logger(logName, "SOURCE: " & strSource, False) Call Logger(logName, "DESTINATION: " & strDestination, False) If Not objFSO.FolderExists(strSource) Then 'Source Not Exist Call Logger(logName, "!~ERROR~! - Source Directory Does Not Exist, Quitting Script!", False) emailSubject = emailSubject & " FAILED" emailBody = emailBody & " Failed - Source Directory Does Not Exist" Call SendBlatEmail(emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody, logName) Wscript.Quit Else Call Logger(logName, "Success - Source Directory Exists", False) End If If Not objFSO.FolderExists(strDestination) Then 'Destination Not Exist Call Logger(logName, "Warning - Destination Directory Does Not Exist, Attempting to Create It", False) 'Attempt to Create Call CreateFileOrDir(strDestination) If Not objFSO.FolderExists(strDestination) Then Call Logger(logName, "!~ERROR~! - Failed to Create Destination Directory, Quitting Script!", False) emailSubject = emailSubject & " FAILED" emailBody = emailBody & " Failed - Destination Directory Does Not Exist and Failed to Create It" Call SendBlatEmail(emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody, logName) Wscript.Quit Else Call Logger(logName, "Success - Created Destination Directory", False) End If Else Call Logger(logName, "Success - Destination Directory Exists", False) End If If Err.Number <> 0 Then Err.Clear Call Logger(logName, "!~ERROR~! - Unknown Error in ConfirmDirectories Sub, Quitting Script", False) emailSubject = emailSubject & " FAILED" emailBody = emailBody & " Failed - Unknown Error in ConfirmDirectories Sub" Call SendBlatEmail(emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody, logName) Wscript.Quit End If End Sub ' *************************************************************************************************** ' Function AllowSingleInstance - Checks if only a single instance of the script is running - useful ' for repetitive scheduled tasks ' *************************************************************************************************** Private Sub AllowSingleInstance(strComputer, logName, emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody) On Error Resume Next Call Logger(logName, vbCrLf & "[" & Now() & "] " & vbCrLf & "Confirm Single Instance of " & Wscript.ScriptName, False) Dim intReturn: intReturn = 0 '0=Success, 1=Error, 2=Warning Dim objWMIService: Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") Dim colItems: Set colItems = objWMIService.ExecQuery("Select * from Win32_Process Where Name = 'cscript.exe'" & " OR Name = 'wscript.exe'") Dim intCount: intCount = 0 Dim objItem, strTemp For Each objItem in colItems If Not IsNull(objItem.CommandLine) Then strTemp = Right(objItem.CommandLine, Len(objItem.CommandLine) - InStrRev(objItem.CommandLine, chr(34) & " " & chr(34))) strTemp = Trim(Replace(strTemp, chr(34), "")) If StrComp(Wscript.ScriptFullName, strTemp, 1) = 0 Then intCount = intCount + 1 End If End If Next Call Logger(logName, "Detected Instances: " & intCount, False) If intCount > 1 Then 'Kill It Call Logger(logName, "!~ERROR~! - Only 1 instance is allowed, Quitting Script!", False) emailSubject = emailSubject & " FAILED" emailBody = emailBody & " Backup FAILED - Detected " & intCount & " running instances" Call SendBlatEmail(emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody, logName) Wscript.Quit End If If Err.Number <> 0 Then Err.Clear Call Logger(logName, "!~ERROR~! - Unknown Error in AllowSingleInstance Sub, Quitting Script!", False) emailSubject = emailSubject & " FAILED" emailBody = emailBody & " Backup FAILED - Unknown Error in AllowSingleInstance Sub" Call SendBlatEmail(emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody, logName) Wscript.Quit End If On Error Goto 0 End Sub ' *************************************************************************************************** ' Function CreateFileOrDir ' *************************************************************************************************** Private Sub CreateFileOrDir(strPath) On Error Resume Next Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject") If objFSO.DriveExists(objFSO.GetDriveName(strPath)) Then If StrComp(objFSO.GetExtensionName(strPath), "", 1) = 0 Then If Not objFSO.FolderExists(strPath) Then If objFSO.FolderExists(objFSO.GetParentFolderName(strPath)) Then objFSO.CreateFolder strPath 'Create Folder In Current Path Else CreateFileOrDir(objFSO.GetParentFolderName(strPath)) 'Recurse Creating Parent Folder CreateFileOrDir(strPath) 'Recurse Creating Current Folder End If End If Else If Not objFSO.FileExists(strPath) Then If objFSO.FolderExists(objFSO.GetParentFolderName(strPath)) Then objFSO.CreateTextFile strPath, True 'Create File In Current Path Else CreateFileOrDir(objFSO.GetParentFolderName(strPath)) 'Recurse Creating Parent Folder CreateFileOrDir(strPath) 'Recurse Creating Current Folder End If End If End If End If On Error Goto 0 End Sub ' *************************************************************************************************** ' Function SendBlatEmail - Sends Email Using Blat ' *************************************************************************************************** Private Sub SendBlatEmail(blatPath, blatProfile, strRecipients, strSubject, strBody, strAttachment) 'Need blat.exe, blat.dll, blat.lib On Error Resume Next Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject") Dim objShell: Set objShell = WScript.CreateObject("WScript.Shell") Dim scriptPath: scriptPath = Left(WScript.ScriptFullName,InstrRev(WScript.ScriptFullName,"\")) 'Ensure Blat Exists If Not objFSO.FileExists(blatPath) Then If Not objFSO.FileExists(scriptPath & "blat.exe") Then Exit Sub Else blatPath = scriptPath & "blat.exe" End If End If 'Set Blat Email Command Dim commandText: commandText = chr(34) & blatPath & chr(34) commandText = commandText & " -p " & chr(34) & blatProfile & chr(34) commandText = commandText & " -to " & strRecipients commandText = commandText & " -subject " & chr(34) & strSubject & " " & chr(34) 'Keep Space to Prevent Escaping the Quote commandText = commandText & " -body " & chr(34) & strBody & " " & chr(34) 'Keep Space to Prevent Escaping the Quote 'Append Attachment(s) If objFSO.FileExists(strAttachment) Then commandText = commandText & " -attach " & chr(34) & strAttachment & chr(34) Else If objFSO.FileExists(scriptPath & strAttachment) Then commandText = commandText & " -attach " & chr(34) & scriptPath & strAttachment & chr(34) End If End If 'Send Blat Email objShell.run commandText, True Set objFSO = Nothing Set objShell = Nothing If Err.Number <> 0 Then Err.Clear End If On Error Goto 0 End Sub ' *************************************************************************************************** ' Function Logger ' *************************************************************************************************** Private Sub Logger(fileName, logMessage, blnNewLog) On Error Resume Next Const ForReading = 1, ForWriting = 2, ForAppending = 8 Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject") Dim scriptPath: scriptPath = Left(WScript.ScriptFullName,InstrRev(WScript.ScriptFullName,"\")) Dim logName If InStr(1,fileName,"\",1) > 0 Then logName = fileName If objFSO.DriveExists(objFSO.GetDriveName(logName)) Then If StrComp(objFSO.GetExtensionName(logName), "", 1) = 0 Then If Not objFSO.FolderExists(logName) Then If objFSO.FolderExists(objFSO.GetParentFolderName(logName)) Then objFSO.CreateFolder logName 'Create Folder In Current Path Exit Sub Else Call Logger(objFSO.GetParentFolderName(logName), logMessage, blnNewLog) 'Recurse Creating Parent Folder Call Logger(logName, logMessage, blnNewLog) 'Recurse Creating Current Folder Exit Sub End If End If Else If Not objFSO.FileExists(logName) Then If Not objFSO.FolderExists(objFSO.GetParentFolderName(logName)) Then Call Logger(objFSO.GetParentFolderName(logName), logMessage, blnNewLog) 'Recurse Creating Parent Folder Call Logger(logName, logMessage, blnNewLog) 'Recurse Creating Current Folder End If End If End If End If Else logName = scriptPath & fileName End If Dim logFile If blnNewLog = True Then Set logFile = objFSO.CreateTextFile(logName, True) Else If objFSO.FileExists(logName) Then Set logFile = objFSO.OpenTextFile(logName, ForAppending, True) Else Set logFile = objFSO.CreateTextFile(logName, True) End If End If logFile.WriteLine logMessage logFile.Close Set objFSO = Nothing On Error Goto 0 End Sub |
Jul
28
How to Configure a Cisco ASA Site-to-Site IPSec VPN
This article will explain how to configure a Site-to-Site IPSec VPN using Cisco ASA 55XX’s using IKEV1. My example below shows how to configure VPN’s between 3 sites but can be modified for the following scenarios without much explanation:
- site-to-site VPN between 2 sites (Just remove SiteC… duh!)
- site-to-site to 3+ sites (just follow the example and modify for a N+1 sites. If You’re doing more than 3 sites, you may wish to look at a hub and spoke model to simply the network and backups, etc)
- Hub and spoke VPN, where 2 remote offices only connect to a main office (If SiteA is the Hub, on SiteB remove the SiteC configuration, on SiteC remove the SiteB configuration, etc…)
Overview
Network Diagram
Network Diagram
Phase 1 Settings
| Attribute | Value |
|---|---|
| Authentication | Preshared Keys |
| Encryption | 3DES |
| Hash | MD5 |
| DH Group | Group 2 |
| Lifetime | 86400 seconds |
Phase 2 Settings
| Attribute | Value |
|---|---|
| Mode | Tunnel |
| Encryption | 3DES |
| Hash | SHA-1 |
| PFS | Enabled |
| Lifetime | 86400 seconds |
Configure SiteA
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
!----------------- !CONFIGURE OBJECTS !----------------- !Create Object for Local LAN SiteA config t object-group network obj-local network-object 10.0.1.0 255.255.255.0 end !Create Object for Remote LAN SiteB config t object-group network obj-SiteB network-object 10.0.2.0 255.255.255.0 end !Create Object for Remote LAN SiteC config t object-group network obj-SiteC network-object 10.0.3.0 255.255.255.0 end ! !--------------- !CONFIGURE ACL's !--------------- !Configure VPN ACL SiteB config t access-list ACL_SiteB extended permit ip object-group obj-local object-group obj-SiteB end !Configure VPN ACL SiteC config t access-list ACL_SiteC extended permit ip object-group obj-local object-group obj-SiteC end ! !------------------------ !CONFIGURE NAT EXEMPTIONS !------------------------ !Configure NAT Exemption SiteB config t nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteB obj-SiteB no-proxy-arp route-lookup end !Configure NAT Exemption SiteC config t nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteC obj-SiteC no-proxy-arp route-lookup end ! !----------------------------------------------------- !CONFIGURE PHASE1 PROPOSAL (pre-g2-3des-md5 SA:84600s) !----------------------------------------------------- config t crypto ikev1 policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto ikev1 enable outside end ! !------------------------------------------------------------------- !CONFIGURE PHASE 2 PROPOSALS !------------------------------------------------------------------- !Configure Transform Set(g2-esp-3des-sha SA:84600s PFS:enabled) config t crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac end !Configure Transform Set (g2-esp-3des-md5 SA:84600s PFS:enabled) config t crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac end !Configure Tunnel Group Remote WAN IP SiteB(Replace VPNSHAREDKEYPW) config t tunnel-group 1.1.1.2 type ipsec-l2l tunnel-group 1.1.1.2 ipsec-attributes pre-shared-key VPNSHAREDKEYPW end !Configure Tunnel Group Remote WAN IP SiteC(Replace VPNSHAREDKEYPW) config t tunnel-group 1.1.1.3 type ipsec-l2l tunnel-group 1.1.1.3 ipsec-attributes pre-shared-key VPNSHAREDKEYPW end !Configure Crypto Maps (You can only have 1 crypto map nam and each VPN needs an unique Map # to differentiate from each other) !MAP: SiteA=1, SiteB=2, SiteC=3 config t crypto map crypto-map 2 match address ACL_SiteB crypto map crypto-map 2 set peer 1.1.1.2 crypto map crypto-map 2 set transform-set ESP-3DES-SHA end config t crypto map crypto-map 3 match address ACL_SiteC crypto map crypto-map 3 set peer 1.1.1.3 crypto map crypto-map 3 set transform-set ESP-3DES-SHA end !Attach Crypto Map to Interface config t crypto map crypto-map interface outside end |
Configure SiteB
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
!----------------- !CONFIGURE OBJECTS !----------------- !Create Object for Local LAN SiteB config t object-group network obj-local network-object 10.0.2.0 255.255.255.0 end !Create Object for Remote LAN SiteA config t object-group network obj-SiteA network-object 10.0.1.0 255.255.255.0 end !Create Object for Remote LAN SiteC config t object-group network obj-SiteC network-object 10.0.3.0 255.255.255.0 end ! !--------------- !CONFIGURE ACL's !--------------- !Configure VPN ACL SiteA config t access-list ACL_SiteA extended permit ip object-group obj-local object-group obj-SiteA end !Configure VPN ACL SiteC config t access-list ACL_SiteC extended permit ip object-group obj-local object-group obj-SiteC end ! !------------------------ !CONFIGURE NAT EXEMPTIONS !------------------------ !Configure NAT Exemption SiteA config t nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteA obj-SiteA no-proxy-arp route-lookup end !Configure NAT Exemption SiteC config t nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteC obj-SiteC no-proxy-arp route-lookup end ! !----------------------------------------------------- !CONFIGURE PHASE1 PROPOSAL (pre-g2-3des-md5 SA:84600s) !----------------------------------------------------- config t crypto ikev1 policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto ikev1 enable outside end ! !------------------------------------------------------------------- !CONFIGURE PHASE 2 PROPOSALS !------------------------------------------------------------------- !Configure Transform Set(g2-esp-3des-sha SA:84600s PFS:enabled) config t crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac end !Configure Transform Set (g2-esp-3des-md5 SA:84600s PFS:enabled) config t crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac end !Configure Tunnel Group Remote WAN IP SiteA(Replace VPNSHAREDKEYPW) config t tunnel-group 1.1.1.1 type ipsec-l2l tunnel-group 1.1.1.1 ipsec-attributes pre-shared-key VPNSHAREDKEYPW end !Configure Tunnel Group Remote WAN IP SiteC(Replace VPNSHAREDKEYPW) config t tunnel-group 1.1.1.3 type ipsec-l2l tunnel-group 1.1.1.3 ipsec-attributes pre-shared-key VPNSHAREDKEYPW end !Configure Crypto Maps (You can only have 1 crypto map nam and each VPN needs an unique Map # to differentiate from each other) !MAP: SiteA=1, SiteB=2, SiteC=3 config t crypto map crypto-map 1 match address ACL_SiteA crypto map crypto-map 1 set peer 1.1.1.1 crypto map crypto-map 1 set transform-set ESP-3DES-SHA end config t crypto map crypto-map 3 match address ACL_SiteC crypto map crypto-map 3 set peer 1.1.1.3 crypto map crypto-map 3 set transform-set ESP-3DES-SHA end !Attach Crypto Map to Interface config t crypto map crypto-map interface outside end |
Configure SiteC
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
!----------------- !CONFIGURE OBJECTS !----------------- !Create Object for Local LAN SiteC config t object-group network obj-local network-object 10.0.3.0 255.255.255.0 end !Create Object for Remote LAN SiteA config t object-group network obj-SiteA network-object 10.0.1.0 255.255.255.0 end !Create Object for Remote LAN SiteB config t object-group network obj-SiteB network-object 10.0.2.0 255.255.255.0 end ! !--------------- !CONFIGURE ACL's !--------------- !Configure VPN ACL SiteA config t access-list ACL_SiteA extended permit ip object-group obj-local object-group obj-SiteA end !Configure VPN ACL SiteB config t access-list ACL_SiteB extended permit ip object-group obj-local object-group obj-SiteB end ! !------------------------ !CONFIGURE NAT EXEMPTIONS !------------------------ !Configure NAT Exemption SiteA config t nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteA obj-SiteA no-proxy-arp route-lookup end !Configure NAT Exemption SiteB config t nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteB obj-SiteB no-proxy-arp route-lookup end ! !----------------------------------------------------- !CONFIGURE PHASE1 PROPOSAL (pre-g2-3des-md5 SA:84600s) !----------------------------------------------------- config t crypto ikev1 policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto ikev1 enable outside end ! !------------------------------------------------------------------- !CONFIGURE PHASE 2 PROPOSALS !------------------------------------------------------------------- !Configure Transform Set(g2-esp-3des-sha SA:84600s PFS:enabled) config t crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac end !Configure Transform Set (g2-esp-3des-md5 SA:84600s PFS:enabled) config t crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac end !Configure Tunnel Group Remote WAN IP SiteA(Replace VPNSHAREDKEYPW) config t tunnel-group 1.1.1.1 type ipsec-l2l tunnel-group 1.1.1.1 ipsec-attributes pre-shared-key VPNSHAREDKEYPW end !Configure Tunnel Group Remote WAN IP SiteB(Replace VPNSHAREDKEYPW) config t tunnel-group 1.1.1.2 type ipsec-l2l tunnel-group 1.1.1.2 ipsec-attributes pre-shared-key VPNSHAREDKEYPW end !Configure Crypto Maps (You can only have 1 crypto map nam and each VPN needs an unique Map # to differentiate from each other) !MAP: SiteA=1, SiteB=2, SiteC=3 config t crypto map crypto-map 1 match address ACL_SiteA crypto map crypto-map 1 set peer 1.1.1.1 crypto map crypto-map 1 set transform-set ESP-3DES-SHA end config t crypto map crypto-map 2 match address ACL_SiteB crypto map crypto-map 2 set peer 1.1.1.2 crypto map crypto-map 2 set transform-set ESP-3DES-SHA end !Attach Crypto Map to Interface config t crypto map crypto-map interface outside end |
Further Info
I would suggest using IKEV2 for a Site-to-Site VPN, and I’ll outline the steps a in future article once I get time to write it up…. Stay tuned!
May
21
Convert a WLC LDPE Image to Non-LDPE
If you ever purchase a used Cisco Wireless LAN Controller or receive one on RMA, you may run into an issue when you attempt to upgrade the image and receive the following error:
ERROR: Incompatible SW image.ERROR: Please install the Data Payload Encryption licensed image
This issue occurs because the Controller has an LDPE image installed, which is only needed in Russia where Data DTLS Payload Encryption is regulated by the Government. Cisco only recommends using this image if you reside in Russia. To resolve this issue and put the standard image on, follow these steps:
Step 1 – Confirm you have an LDPE image installed
From the console, enter the show sysinfo command and confirm the build type is DATA + WPS + LDPE
Step 2 – Upgrade to LDPE Image version 7.0.230.0
LDPE Image version 7.0.230.0 (ex: AIR-CT5500-LDPE-K9-7-0-230-0.aes for a 5508) introduced the ability to move to a normal image once a DTLS license is installed (Resolved Caveat CSCtw78061). If the product version is not already on that image, download it, and install it.
Step 3a – Confirm a DTLS License is Installed
From the console, enter the show license summary and ensure under the Feature: data encryption section it shows License State: Active, In Use. If you see this, then continue to step 4, otherwise you must download a free DTLS license and install it.
Step 3b – Download a DTLS License
- Go to https://tools.cisco.com/SWIFT/LicensingUI/Quickstart
- Click Get New->IPS, Crypto, Other Licenses
- Click Wireless, then click Cisco Wireless Controllers (2500/5500/7500/WISM2) DTLS License
- Choose the Controller Platform, enter the Product ID, enter the Serial Number, and click Next
- You can retrieve the PID and SN by running show license UDI at the console
- Select I agree with the Terms of the License, confirm your email address, and click Get License
Step 3c – Install the DTLS License
- Copy the DTLS license to the root of your TFTP server
- At the console, run the following command to install your license
- license install tftp://<TFTP_IP>/XXXX.lic
- Replace <TFTP_IP> with the IP address of your TFTP servver
- Replace XXXX.lic with the name of your license
- Save your configuration and reboot the WLC
- save config
- reset system
Step 4 – Install the Non-LDPE Image
You can now install any Non-LDPE Image as needed!
Apr
22
DeleteOldUsers.vbs
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 |
'========================================================================= ' DeleteOldUsers.vbs ' VERSION: 1.0 ' AUTHOR: Brian Steinmeyer ' EMAIL: sigkill@sigkillit.com ' WEB: http://sigkillit.com ' DATE: 4/22/2014 ' USER TERMINATION POLICY: ' - Reset PW ' - Set description to termination date ' - Optionally forward email ' - Move terminated users to specified OU ' COMMENTS: This script works in conjunction with the above user termination ' policy. Specify the OU containing old users and set the number of retention ' days to keep an AD user account after the termination date. You can schedule ' the script to run daily to delete any old users. to permanently delete ' those users after X amount of days. '========================================================================= Option Explicit ' ------ SCRIPT CONFIGURATION ------ Dim oldUserOU: oldUserOU = "OU=Old Users,OU=User,DC=domain,DC=local" Dim oldUserRetentionDays: oldUserRetentionDays = 30 Dim logResults: logResults = Replace(WScript.ScriptFullName,".vbs","_logs\") & Replace(WScript.ScriptName,".vbs","_") & FixDate(Date()) & Replace(FormatDateTime(Time,4), ":", "") & ".txt" Dim logRetentionDays: logRetentionDays = 30 Dim emailBlatExe: emailBlatExe = "c:\blat\blat.exe" 'Custom Path to Blat.exe Default is Same Folder as Script Dim emailProfile: emailProfile = "alert" 'Blat Profile Name See (http://www.blat.net) For Info Dim emailRecipient: emailRecipient = "alert.admin@domain.com" 'Email to Receive Backup Result Dim blnEmailOnlyOnDelete: blnEmailOnlyOnDelete = true 'True = Only email results when at least 1 user is deleted ' ------ END CONFIGURATION ------ 'MAIN CALLS Call TerminateOldUsers(oldUserRetentionDays,oldUserOU,logResults) Call SendResults(logResults,blnEmailOnlyOnDelete,emailBlatExe,emailProfile,emailRecipient) Call PurgeLogs(Replace(WScript.ScriptFullName,".vbs","_logs\"),logRetentionDays,".txt") ' *************************************************************************************************** ' Sub TerminateOldUsers - Parse Old Users and Delete after X days ' *************************************************************************************************** Private Sub TerminateOldUsers(intDays,strOU,logName) On Error Resume Next 'Start Error Handling 'Create Log File Call Logger(logName, "DATE:" & Now() & vbCrLf & "USER_OU:" & strOU & vbCrLf & "RETENTION_DAYS:" & intDays, True) 'Search OU For Users Dim objConnection: Set objConnection = CreateObject("ADODB.Connection") Dim objCommand: Set objCommand = CreateObject("ADODB.Command") objConnection.Provider = "ADsDSOObject" objConnection.Open "Active Directory Provider" Set objCommand.ActiveConnection = objConnection objCommand.Properties("Page Size") = 1000 'Override the Return 1000 Results Default Const ADS_SCOPE_SUBTREE = 2 objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 'Include Sub OU's objCommand.CommandText = "SELECT ADsPath, cn FROM 'LDAP://" & strOU & "' WHERE objectCategory='person' AND objectClass='user'" Dim objRecordSet: Set objRecordSet = objCommand.Execute 'Parse Users If objRecordSet.RecordCount > 0 Then objRecordSet.MoveFirst Dim objUser, objParent, strDescription Dim strResult: strResult = "" Do Until objRecordSet.EOF Set objUser = GetObject(objRecordSet.Fields("ADsPath").Value) strDescription = objUser.description If strDescription = "" Then strDescription = "BLANK" End If 'Only Evaluate Users with Date for Description If IsDate(objUser.Description) Then If DateDiff("d",objUser.Description,Date) > intDays Then 'Delete User Past Retention Date strResult = "DELETE" Set objParent = GetObject(objUser.Parent) objParent.Delete "user", "CN=" & objRecordSet.Fields("cn").Value Else strResult = "IGNORE" End If Else strResult = "IGNORE" End If 'Log Results If Err.Number <> 0 Then Err.Clear strResult = "!~ERROR!~" End If Call Logger(logName, strResult & ":(" & strDescription & "):" & objRecordSet.Fields("ADsPath").Value, False) objRecordSet.MoveNext Loop Else Call Logger(logName, "NOUSERS:" & strOU, False) End If On Error Goto 0 'End Error Handling End Sub ' ***************************************************************** ' Sub SendResults - Parse Log File and Send Results ' ***************************************************************** Private Sub SendResults(logName, blnEmail, emailBlatExe, emailProfile, emailRecipient) On Error Resume Next ' Create Objects Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject") 'Parse Log File Dim intDelete: intDelete = 0 Dim intTotal: intTotal = 0 Dim intError: intError = 0 Dim strLine Dim logFile: Set logFile = objFSO.OpenTextFile(logName, 1) Do Until logFile.AtEndOfStream strLine = logFile.ReadLine If InStr(1, strLine, "IGNORE:", 1) Then intTotal = intTotal + 1 End If If InStr(1, strLine, "DELETE:", 1) Then intTotal = intTotal + 1 intDelete = intDelete + 1 End If If InStr(1, strLine, "!~ERROR~!:", 1) Then intTotal = intTotal + 1 intError = intError + 1 End If If InStr(1, strLine, "NOUSERS:", 1) Then 'No Users End If Loop logFile.Close 'Set Email Subject Dim emailSubject: emailSubject = Replace(WScript.ScriptName,".vbs","") If intError > 0 Then emailSubject = emailSubject & " - Error" Else emailSubject = emailSubject & " - Deleted " & intDelete & " Users" End If 'Set Email Body Dim emailBody: emailBody = "TOTAL USERS: " & intTotal & vbCrLf & _ "ERRORS: " & intError & vbCrLf & _ "DELETED: " & intDelete 'Email Results If blnEmail = true Then If intDelete > 0 Then Call SendBlatEmail(emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody, logName) End If Else Call SendBlatEmail(emailBlatExe, emailProfile, emailRecipient, emailSubject, emailBody, logName) End If 'Cleanup Objects Set objFSO = Nothing On Error Goto 0 End Sub ' *************************************************************************************************** ' Function SendBlatEmail - Sends Email Using Blat ' *************************************************************************************************** Private Sub SendBlatEmail(blatPath, blatProfile, strRecipients, strSubject, strBody, strAttachment) 'Need blat.exe, blat.dll, blat.lib On Error Resume Next Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject") Dim objShell: Set objShell = WScript.CreateObject("WScript.Shell") Dim scriptPath: scriptPath = Left(WScript.ScriptFullName,InstrRev(WScript.ScriptFullName,"\")) 'Ensure Blat Exists If Not objFSO.FileExists(blatPath) Then If Not objFSO.FileExists(scriptPath & "blat.exe") Then Exit Sub Else blatPath = scriptPath & "blat.exe" End If End If 'Set Blat Email Command Dim commandText: commandText = chr(34) & blatPath & chr(34) commandText = commandText & " -p " & chr(34) & blatProfile & chr(34) commandText = commandText & " -to " & strRecipients commandText = commandText & " -subject " & chr(34) & strSubject & " " & chr(34) 'Keep Space to Prevent Escaping the Quote commandText = commandText & " -body " & chr(34) & strBody & " " & chr(34) 'Keep Space to Prevent Escaping the Quote 'Append Attachment(s) If objFSO.FileExists(strAttachment) Then commandText = commandText & " -attach " & chr(34) & strAttachment & chr(34) Else If objFSO.FileExists(scriptPath & strAttachment) Then commandText = commandText & " -attach " & chr(34) & scriptPath & strAttachment & chr(34) End If End If 'Send Blat Email objShell.run commandText, True Set objFSO = Nothing Set objShell = Nothing If Err.Number <> 0 Then Err.Clear End If On Error Goto 0 End Sub ' *************************************************************************************************** ' Sub PurgeLogs - Deletes Old Log FIles ' *************************************************************************************************** Private Sub PurgeLogs(logFolder,intDays,strExtension) On Error Resume Next Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject") Dim objFolder: Set objFolder = objFSO.GetFolder(logFolder) Dim file For Each file In objFolder.Files If StrComp(Right(file.Name, Len(strExtension)),strExtension) = 0 Then If DateDiff("d", file.DateLastModified, Now) > intDays Then objFSO.DeleteFile(file), True End If End If Next Set objFSO = Nothing If Err.Number <> 0 Then Err.Clear End If On Error Goto 0 End Sub ' *************************************************************************************************** ' Function FixDate - Ensures Single Digit Numbers Have 0 In Front ' *************************************************************************************************** Function FixDate(strDate) Dim arrTemp Dim M, D, Y arrTemp = Split(strDate, "/") M = arrTemp(0) D = arrTemp(1) Y = arrTemp(2) If (M>=0) And (M<10) Then M = "0" & M If (D>=0) And (D<10) Then D = "0" & D 'If (Y>=0) And (Y<10) Then Y = "0" & Y FixDate = M & D & Y End Function ' *************************************************************************************************** ' Function Logger ' *************************************************************************************************** Private Sub Logger(fileName, logMessage, blnNewLog) On Error Resume Next Const ForReading = 1, ForWriting = 2, ForAppending = 8 Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject") Dim scriptPath: scriptPath = Left(WScript.ScriptFullName,InstrRev(WScript.ScriptFullName,"\")) Dim logName If InStr(1,fileName,"\",1) > 0 Then logName = fileName If objFSO.DriveExists(objFSO.GetDriveName(logName)) Then If StrComp(objFSO.GetExtensionName(logName), "", 1) = 0 Then If Not objFSO.FolderExists(logName) Then If objFSO.FolderExists(objFSO.GetParentFolderName(logName)) Then objFSO.CreateFolder logName 'Create Folder In Current Path Exit Sub Else Call Logger(objFSO.GetParentFolderName(logName), logMessage, blnNewLog) 'Recurse Creating Parent Folder Call Logger(logName, logMessage, blnNewLog) 'Recurse Creating Current Folder Exit Sub End If End If Else If Not objFSO.FileExists(logName) Then If Not objFSO.FolderExists(objFSO.GetParentFolderName(logName)) Then Call Logger(objFSO.GetParentFolderName(logName), logMessage, blnNewLog) 'Recurse Creating Parent Folder Call Logger(logName, logMessage, blnNewLog) 'Recurse Creating Current Folder End If End If End If End If Else logName = scriptPath & fileName End If Dim logFile If blnNewLog = True Then Set logFile = objFSO.CreateTextFile(logName, True) Else If objFSO.FileExists(logName) Then Set logFile = objFSO.OpenTextFile(logName, ForAppending, True) Else Set logFile = objFSO.CreateTextFile(logName, True) End If End If logFile.WriteLine logMessage logFile.Close Set objFSO = Nothing On Error Goto 0 End Sub |
Apr
22
Run Active Directory Management Tools as Another User
There’s quite a few situations where you may need to run Active Directory Management tools like Active Directory Users and Computers with different credentials. For example:
- Computer is not joined to the domain
- Need to connect to another domain/forest
- Logged in as a standard domain user and need to supply different credentials
- etc…
Step 1 – Install Remote Server Administration Tools (RSAT)
If you are using a 2008 or 2012 WIndows member server, RSAT is a feature you must enable using the directions below:
If you’re using Windows Vista, WIndows 7, Windows 8, or Windows 10 you must download, install, and enable the RSAT feature. Here are the links to download RSAT:
RSAT Windows 10 (By default all features are enabled)
Once you’ve installed RSAT you need to enable the feature (Except Windows 10). Open Control Panel, click Programs and Features, and click Turn Windows features on or off. Then enable the following:
Step 2 – Make Sure You’re on the Domain Network
Make sure you’re on the same network as the Domain Controller. This simply means, connect to the LAN they’re on, or connect to a VPN if you’re remote.
Step 3 – Run As Commands for AD Management Tools
The key to running AD Management tools is the Runas command in Windows, which allows you to specify alternate credentials. However, there are a few gotcha’s with runas such as needing to specify the /netonly command when on a non-domain computer. Here are the commands you’ll need to run to successfully launch the AD Management tools, and all will work whether or not the computer is joined to a domain:
- C:\Windows\System32\runas.exe – Default path to runas
- /netonly – Credentials are specified for remote access, which is required for computers not joined to a domain but still works if the computer is on the domain
- /user: – specify the username by the samaccountname(DOMAIN\user) or UPN(user@domain.local)
- “mmc %SystemRoot%\system32\snapin.msc” – Microsoft Management Console with the path to the snapin.
|
1 |
C:\Windows\System32\runas.exe /netonly /user:user@domain.local "mmc %SystemRoot%\system32\adsiedit.msc" |
|
1 |
C:\Windows\System32\runas.exe /netonly /user:user@domain.local "mmc %SystemRoot%\system32\domain.msc /server=pdc.domain.local" |
Note: I’ve added an extra parameter to specify the PDC Emulator, otherwise you may receive the error “You cannot modify domain or trust information because a Primary Domain Controller (PDC) emulator cannot be contacted.”
|
1 |
C:\Windows\System32\runas.exe /netonly /user:user@domain.local "mmc %SystemRoot%\system32\dssite.msc /domain=domain.local" |
Note: I’ve added an extra parameter to specify the domain, otherwise you may receive the error “Naming information cannot be located because: The specified domain either does not exist or could not be contacted.”
|
1 |
C:\Windows\System32\runas.exe /netonly /user:user@domain.local "mmc %SystemRoot%\system32\dsa.msc /domain=domain.local" |
Note: I’ve added an extra parameter to specify the domain, otherwise you may receive the error “Naming information cannot be located because: The specified domain either does not exist or could not be contacted.”
Step 4 – Applying Run As Commands
Option 1: Run from an Elevated Command prompt
Right-click the command prompt (cmd.exe), select Run as Administrator, and enter one of the runas commands in the previous section.
option 2: create shortcut and run as administrator
Right-click in the Windows file explorer, select New, click shortcut, for the location enter one of the runas commands from the previous section, click Next, name the shortcut appropriately, and click Finish. Whenever you launch the shortcut, right-click it and select Run as Administrator.
option 3: modify RSAT shortcuts
Under Administrative Tools on the start menu, right-click each RSAT shortcut, click Properties, and modify the target using the appropriate runas command from the previous section. Whenever you launch the shortcut, right-click it and select Run as Administrator.
Apr
08
Matching Credit Card Numbers
Overview
Using regular expressions, you can easily match a credit card number. You may wish to validate legit CC numbers, block financial information in emails, or audit security by finding financial information in documents. There is no perfect algorithm or regex for detecting potential CCN’s, and there will always be false positives, etc. Although regular expressions can match a CCN, they cannot confirm incorrect digits. If you require a more robust solution, you will need to also implement the Luhn algorithm. Moving forward, I’ll focus on detecting CCN’s in documents or emails.
Credit Card Info
The first 6 digits of a CCN are known as the Issuer Identification Number (IIN), which are used to identify the card issuer; the remaining digits can vary in length and are up to the issuer. Using the IIN and the CCN pre-defined length, we can identify blocks of numbers that belong to each issuer. The credit card numbers are typically grouped with spaces or dashes in order to make them more readable. We will need to keep this in mind when matching CCN’s. I have listed US issuers, their IIN, and the CCN lengths below. For a full list including international issuers see http://en.wikipedia.org/wiki/Bank_card_number.
| ISSUER | IIN STARTING PATTERN | LENGTH |
|---|---|---|
| American Express | 34, 37 | 15 |
| Diners Club | 300-305, 309, 36, 38-39 | 15 |
| Discover | 6011, 622126-622925, 644-649, 65 | 16 |
| JCB | 3528-3589 | 16 |
| MasterCard | 50-55 | 16 |
| Visa | 4 | 16 or 13 on old cards |
The Basics Validating Credit Cards
If we wanted to validate a credit card, you would first want to remove any spaces or dashes from the input. Once the input is clean we can use a typical regular expression to match potential valid CCN’s. The below regex’s were originally taken from http://www.regular-expressions.info/creditcard.html, but I’ve updated the out of date expressions in accordance to the latest IIN changes as per the Wikipedia article listed above:
American Express
|
1 |
^3[47][0-9]{13}$ |
Diners Club
|
1 |
^3(?:0[0-5]|09|[68][0-9])[0-9]{11}$ |
Discover
|
1 |
^6(?:011|22[0-9]|5[0-9]{2})[0-9]{12}$ |
JCB
|
1 |
^35(?:2[89]|[3-8][0-9])[0-9]{12}$ |
Mastercard
|
1 |
^5[0-5][0-9]{14}$ |
Visa
|
1 |
^4[0-9]{12}(?:[0-9]{3})?$ |
However, if you are unable to strip the spaces and dashes out prior to validating the CCN, you’ll quickly find many shortcomings. The above regex’s will not account for spaces or dashes as printed on the front of the card and will only detect a CCN when it’s the only thing on a line. Obviously, this will not give us the results we desire for finding CCN’s in a document or email. Instead, we will want to use \b to match on a word boundary instead of the carrot(^) and the dollar($). In addition, we also want to add exceptions before and after the CCN we’re checking, which will help reduce false positives; this will allow us to eliminate items such as hyperlinks, order #’s, etc. We can now use the below regex to surround each CC issuer’s rules that we want to detect:
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s|ID:\s)CCN(?!\/)\b |
- Starting Position is a word boundary
- Previous Character is not:
- period(.)
- left angle bracket(<)
- right angle bracket(>)
- dash(–)
- plus(+)
- forward slash(/) – Ignore false positives like http://www.domain.com/################/
- Open parenthesis – Ignore false positives like (################)
- Equal (=) – Ignores false positives like http://www.domain.com?si=################
- Pound, Colon, Space(#: ) – Ignore false positives like Order#: ################
- dash, space(– )
- ID, colon, space(ID: )
- CCN – Represents the regex used to represent each issuers credit card number
- Next character is not:
- forward slash(/) – Ignore false positives like http://www.domain.com/################/
- Ending position is a word boundary
Matching Credit Cards in a Document or Email
By doing a slight re-write of CC regex’s and combining it with our above wrapper, we can easily detect a CCN’s in a document or email. However, the oneliner for Discover CCN’s is quite long, and some systems limit the length of regex’s. Due to this, I’ve provided the oneliner plus shorter versions split up by the IIN.
American Express
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s|ID:\s)3[47](?:\d{13}|\d{2}\s\d{6}\s\d{5}|\d{2}\-\d{6}\-\d{5})(?!\/)\b |
Diners Club
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s|ID:\s)3(?:0[0-5]|09|[689]\d)\d(?:\d{10}|\s\d{6}\s\d{4}|\-\d{6}\-\d{4})(?!\/)\b |
Discover (Oneliner)
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s|ID:\s)(?:6011\d{12}|6011(\s\d{4}){3}|6011(\-\d{4}){3}|64[4-9]\d{13}|64[4-9]\d(\s\d{4}){3}|64[4-9]\d(\-\d{4}){3}|65\d{14}|65\d{2}(\s\d{4}){3}|65\d{2}(\-\d{4}){3}|622(12[6-9]|1[3-9][0-9]|[2-8][0-9]{2}|9[0-1][0-9]|92[0-5])\d{10}|622(1\s2[6-9]|1\s[3-9][0-9]|[2-8]\s[0-9]{2}|9\s[0-1][0-9]|9\s2[0-5])\d{2}(\s\d{4}){2}|622(1\-2[6-9]|1\-[3-9][0-9]|[2-8]\-[0-9]{2}|9\-[0-1][0-9]|9\-2[0-5])\d{2}(\-\d{4}){2})(?!\/)\b |
Discover (6011,644-649,65 IIN’s)
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s|ID:\s)6(?:011|4[4-9]\d|5\d{2})(?:\d{12}|(\s\d{4}){3}|(\-\d{4}){3})(?!\/)\b |
Discover (622 IIN No Delimiter)
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s|ID:\s)622(12[6-9]|1[3-9][0-9]|[2-8][0-9]{2}|9[0-1][0-9]|92[0-5])\d{10}(?!\/)\b |
Discover (622 IIN Space Delimiter)
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s)622(1\s2[6-9]|1\s[3-9][0-9]|[2-8]\s[0-9]{2}|9\s[0-1][0-9]|9\s2[0-5])\d{2}(\s\d{4}){2}(?!\/)\b |
Note: Office 365 has a 128 character limit for the regex expression. I have modified the default wrapper by removing a few items to keep this at 128 characters
Discover (622 IIN Dash Delimiter)
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s)622(1\-2[6-9]|1\-[3-9][0-9]|[2-8]\-[0-9]{2}|9\-[0-1][0-9]|9\-2[0-5])\d{2}(\-\d{4}){2}(?!\/)\b |
Note: Office 365 has a 128 character limit for the regex expression. I have modified the default wrapper by removing a few items to keep this at 128 characters
JCB
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s|ID:\s)35(?:2[89]|[3-8]\d)(?:\d{12}|(\s\d{4}){3}|(\-\d{4}){3})(?!\/)\b |
MasterCard
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s|ID:\s)5[0-5](?:\d{14}|\d{2}(\s\d{4}){3}|\d{2}(\-\d{4}){3})(?!\/)\b |
Visa
|
1 |
\b(?<![\.\<\>\-\+\/\(\=]|#:\s|\-\s|ID:\s)4(?:\d{11}|\d{3}\s(\d{4}\s){2}|\d{3}\-(\d{4}\-){2})\d(\d{3})?(?!\/)\b |
If we test the above regex in an online tester, we can verify it’s working as expected. As you can see, our regex is capturing our test Visa CCN’s and missing a lot of false positives:
Real World Ex: Blocking Emails with Credit Card Numbers in Office 365
Now that we’ve established our regex’s, let’s apply it to a real world example. For our example, we’ll block inbound/outbound email in Office 365. Please note, Office 365 transport rules only allow 128 characters in a regex, and due to this we’ll need to use multiple regex’s for matching Discover. Also note, two of the Discover Regex’s I used above have a modified wrapper to keep them at the 128 character limit.
- Login to the Office 365 Admin Portal (https://portal.microsoftonline.com)
- Click Admin then click Exchange
- Under the Exchange Admin Center, click Mail Flow
- Click the Rules tab
- Click the + to create a new rule
- Name: Block Emails with Credit Card Numbers
- Apply this rule if: The subject or body matches:
- Paste each CCN Regex
- Do the following: Reject the message with the explanation
- Rejection Reason: Your message was blocked due to the detection of a Credit Card Number
- Click Save
- Note: Mail flow rules normally take 30-35 minutes to replicate in Office 365
Apr
04
Block Outbound Email for Specific Users
Overview
There are a few situations where you may need to restrict certain users from sending email to external users. For example, you may have part time employees that only need to send email to internal users OR you might have an employee who’s about to get terminated and don’t want them emailing clients. Fortunately, in Office 365 Exchange you can create a Mail Flow Rule to accomplish this.
Create Distribution Group to Define Users to Block Outbound Email
In order for the mail flow rule to see the group, it must be a distribution group. However, you can easily hide it from the GAL so your users don’t see it. Many organizations use CustomAttribute15 to define what displays in there GAL. If that’s your case, simply do not define CustomAttribute15 or define it to a value so it does not show in your GAL; otherwise, set the attribute to Hide group from Exchange Address Lists.
- Create a new distribution group
- Name: Block Outbound Email
- Email: blockoutboundemail@<company>.onmicrosoft.com
- Members: Add any user you want to block from sending outbound emails to external recipients (They will only be able to send to internal recipients)
- If you are using Office 365 in a Hybrid Deployment, make sure you use dirsync to synchronizes your new group
Create Mail Flow Rule
In this example, we will prevent a user from sending emails to any external recipients, but they will still be able to send to internal recipients.
- Login to the Office 365 Admin Portal https://portal.microsoftonline.com
- Click Admin then click Exchange to open the Exchange Admin Center
- Click mail flow then click on the Rules tab
- Click the + symbol and click Create a new rule
- Name the rule Block Outbound Emails to External Recipients
- Under Apply this rule if, click the recipient is located
- Select Outside the organization and click OK
- Click More Options to add another condition
- Click Add Condition
- On the new condition, select the sender is a member of this group
- Search and select the group Block Outbound Emails and click OK
- Note: Despite the wording stating “member of this group”, you can select a user instead of a group. However, it’s easier to manage and you do not need to wait for the mail flow rule to propagate on 365, which can take up to an hour in my testing.
- Under Do the following, select Block the message then click delete the message without notifying anyone, and click OK
- Click Save
IMPORTANT NOTE: It can take up to 45 minutes for Microsoft’s back end to fully synchronize rules! This means any new or modified rules can take up to 45 minutes to take effect!
Apr
04
Delivery Report in Outlook or Outlook Web App
Overview
When using Outlook or Outlook Web App (OWA) in an Office 365 or Exchange environment, you can track the message from the client side. Both Outlook and OWA allow you to view a delivery report in order to confirm a message was delivered when the recipient claims they have not received it or if it’s taking a long time to deliver. Delivery reports work for both internal and external recipients.
View a Delivery Report in Outlook
- In Outlook, go to your Sent Items folder
- Locate the message you want to track and open it
- Click File, click Info, and click Open Delivery Report
View a Delivery Report in Outlook Web App (OWA)
If you are using any other email client than Outlook (mobile device, OWA, etc), you can use OWA to view a delivery report.
- Login to OWA at https://portal.microsoftonline.com
- Click the Gear Icon, then click Options
- Click Organize Email then click Delivery Reports
- Enter your search criteria, click Search
- Select the email you want to track and click the Pencil Icon to view the delivery report
Review Delivery Report
Internal delivery reports will show Delivered upon success delivering. Also note, Office 365 Exchange only keeps message tracking data for 14 days.
External delivery reports will only show Transferred which means it successfully sent out from your mail server. However, this does not guarantee the recipient received the email because there can be issues on the recipients email server.
