joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

4/18/2017

AdFind V01.50.00 Beta 2 is now available

by @ 11:06 pm. Filed under general, tech

I have now uploaded a second beta of AdFind V01.50.00 to the website. You can find it at

http://www.joeware.net/downloads/beta/adfind_v150_beta2.zip

The previous beta had two main issues with it.

First, it was built with dynamic linking, meaning it looked for Microsoft DLLs on the machine it was running on to get at the API functions there. One of the “selling points” of using Visual Studio is using DLLs that are most likely already on Windows machines, but enough folks responded saying that they didn’t or couldn’t load the redistributable packages that I decided to go back to my old ways of static linking, meaning no other files should be required to run this version of the AdFind beta. If you find that not to be the case, please let me know.

Second, I learned some interesting things about Visual Studio: it is switching to the Universal CRT / virtual APIs, but these only work on newer OS versions; specifically, they are not compatible with Windows 7 and Windows Server 2008 R2. I, being silly, had not tested the beta on a Windows 7 or Windows Server 2008 R2 machine, so I didn’t catch that problem. It was quite a learning curve over the last nine or so days to sort that out and get it fixed, especially with the lack of solid documentation as mentioned previously. I apologize it took so long; I have been pretty busy with my day job, working a few more hours than I should be, but that will settle down soon once I get one of my current projects handled so I can focus on personal stuff and joeware some more again. :)

As before, please let me know any feedback you have: email support@joeware.net with ADFIND BETA in the subject so I will see it amongst everything else. I am still working through some of the other feedback and will respond to everyone; I just wanted to get these two main issues out of the way to allow more testing for folks who were excluded by the first beta. :)

     joe

Stand Alone Binary of AdFind Beta that runs on Windows 7/Windows Server 2008 R2 and newer (and possibly older)

by @ 8:30 am. Filed under general, tech

I previously released a beta for AdFind that wasn’t statically linked. I did that thinking that one of the big benefits of using Visual Studio is that a lot of people would already have the necessary DLLs. While a lot do, a lot also do not, so I will be releasing a beta version of AdFind that is statically linked so there will be no need for other DLLs to be present on the machine.

In the same vein, it took me a couple of weeks but I finally sorted out an issue with Visual Studio when writing code for Windows 7 / Windows Server 2008 R2. There is this new concept of the Universal CRT and “API Sets” which are awesome for newer OSes but do not support the older OSes at all. It took me entirely too long to find this article

https://msdn.microsoft.com/en-us/library/windows/desktop/dn505783(v=vs.85).aspx

and in particular

Note Compatibility with Windows 7, Windows Server 2008 R2 and older operating systems: Binaries that link to MinCore.lib or MinCore_Downlevel.lib are not designed to work on Windows 7, Windows Server 2008 R2 or earlier. Binaries that need to run on earlier versions of Windows or Windows Server must not use either MinCore.lib or MinCore_Downlevel.lib.

The really awesome thing is that the MSDN documentation for the API calls apparently assumes that no one wants to write code that runs on the older OSes, so when it tells you what library (*.lib) to link in, it says mincore.lib for a lot of stuff and not what the actual library needs to be if you need people to use an older OS with your application. IMO this is a massive documentation fail on the part of Microsoft. For example, when you need to use the function GetFileVersionInfoSize, you see on the website https://msdn.microsoft.com/en-us/library/windows/desktop/ms647005(v=vs.85).aspx that you need mincore.lib, with no mention of what to use if you need compatibility. Searching around doesn’t help you a whole lot until you start digging up some older posts, where you find that it should actually be version.lib that is linked.

The only way I am immediately aware of to quickly determine this information requires generous use of DUMPBIN /EXPORTS against the *.LIB files on your machine, looking for the function you need. I visualize a perl script in my future.

Here is an example of what DUMPBIN /EXPORTS will show you for version.lib.

[Tue 04/18/2017  8:25:20.40]
E:\DEV\cpp>"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\x86_amd64\dumpbin" /exports "c:\Program Files (x86)\Microsoft SDKs\windows\v7.1a\lib\version.lib"
Microsoft (R) COFF/PE Dumper Version 14.00.24218.2
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file c:\Program Files (x86)\Microsoft SDKs\windows\v7.1a\lib\version.lib

File Type: LIBRARY

     Exports

       ordinal    name

                  _GetFileVersionInfoA@16
                  _GetFileVersionInfoExW@20
                  _GetFileVersionInfoSizeA@8
                  _GetFileVersionInfoSizeExW@12
                  _GetFileVersionInfoSizeW@8
                  _GetFileVersionInfoW@16
                  _VerFindFileA@32
                  _VerFindFileW@32
                  _VerInstallFileA@32
                  _VerInstallFileW@32
                  _VerQueryValueA@16
                  _VerQueryValueW@16

  Summary

          C3 .debug$S
          14 .idata$2
          14 .idata$3
           4 .idata$4
           4 .idata$5
           C .idata$6
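A script along the lines the post has in mind, added here as an example and not the author's or joeware's code: it parses the DUMPBIN /EXPORTS output above, strips the x86 name decoration (_Name@N), and reports which .lib exports a given function. The embedded sample is a trimmed, constructed copy of the version.lib output; scan_lib_dir, the dumpbin command name and the SDK lib directory are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Constructed sample: a trimmed copy of the dumpbin /exports output for version.lib shown above.
SAMPLE_DUMPBIN_OUTPUT = """\
Dump of file c:\\Program Files (x86)\\Microsoft SDKs\\windows\\v7.1a\\lib\\version.lib

File Type: LIBRARY

     Exports

       ordinal    name

                  _GetFileVersionInfoA@16
                  _GetFileVersionInfoSizeA@8
                  _GetFileVersionInfoSizeW@8
                  _VerQueryValueW@16

  Summary
"""

# Import libs export decorated names: x86 stdcall is _Name@N, x86 cdecl is _Name,
# x64 is plain Name. Strip the decoration so a search by the MSDN name matches.
DECORATION = re.compile(r"^_?(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?:@\d+)?$")

def parse_exports(dumpbin_text):
    """Return the undecorated export names from one dumpbin /exports run."""
    names, in_exports = set(), False
    for line in dumpbin_text.splitlines():
        token = line.strip()
        if token == "Exports":
            in_exports = True
        elif token == "Summary":
            break
        elif in_exports and token and not token.startswith("ordinal"):
            # Some libs print an ordinal column; the symbol is always the last token.
            m = DECORATION.match(token.split()[-1])
            if m:
                names.add(m.group("name"))
    return names

def find_function(wanted, exports_by_lib):
    """Libs exporting wanted or its A/W variant (GetFileVersionInfoSize -> ...SizeA/W)."""
    candidates = {wanted, wanted + "A", wanted + "W"}
    return sorted(lib for lib, names in exports_by_lib.items() if candidates & names)

def scan_lib_dir(lib_dir, dumpbin="dumpbin"):
    """Run dumpbin /exports over every *.lib in lib_dir (needs the VS tools on PATH)."""
    exports = {}
    for lib in Path(lib_dir).glob("*.lib"):
        proc = subprocess.run([dumpbin, "/exports", str(lib)], capture_output=True, text=True)
        exports[lib.name] = parse_exports(proc.stdout)
    return exports
```

On a dev box, `find_function("GetFileVersionInfoSize", scan_lib_dir(<sdk lib dir>))` answers the question the MSDN page does not; offline, the embedded sample gives `['version.lib']`.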

Anyway, I am testing the new beta build of AdFind compiled with Visual Studio 2017 with static linking and LIBs that are actually supposed to work on the older (and still supported, MICROSOFT THANKYOUVERYMUCH) operating systems. I hope to post the new beta binary in the next day or so depending on issues encountered.

    joe

p.s. This had me pretty close to dumping Visual Studio again. I still might, because it is crap that it is so poorly documented, and I could see this causing all sorts of issues for developers.

4/10/2017

Active Directory Deleted Objects

by @ 2:41 pm. Filed under general, tech

In case it is ever a question (say, if someone from MSFT tells you it works differently): objects deleted in Active Directory go into the Deleted Objects container[1] of the partition the objects live in. They do not get moved to the Configuration partition’s Deleted Objects container.

[Mon 04/10/2017 14:37:42.83]
C:\>adfind -hh k16tst-dc1.k16tst.test.loc -gcb -f "cn=deleted objects" -dn -showdel

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Using server: K16TST-DC1.k16tst.test.loc:3268
Directory: Windows Server 2016

dn:CN=Deleted Objects,DC=k16tst,DC=test,DC=loc
dn:CN=Deleted Objects,CN=Configuration,DC=k16tst,DC=test,DC=loc
dn:CN=Deleted Objects,DC=k16tstchld,DC=k16tst,DC=test,DC=loc

3 Objects returned

   joe

[1] There are some special cases here, but under no circumstances do objects from PartitionN go to the Configuration Partition CN=Deleted Objects container once deleted.

4/9/2017

AdFind V01.50.00 Beta is now available

by @ 8:16 pm. Filed under general, tech, updates

I am now comfortable enough with the stability of AdFind V01.50.00 to release a beta of what is likely to become the release build.

I went extra slow on testing this version because I have converted the compiler from C++ Builder (previously Borland) to Visual Studio. This resulted in a considerable speed increase, which really surprised me. I have also made some other internal changes to help speed things up in larger environments, in particular with Security Descriptor decodes.

Here is a basic listing of the major updates:

BUGFIX: Fixed auto-nopaging
Ported to Visual Studio 2015
Change CHAR functions to _s versions
__int64 stuff for dstime for VS
Threshold -> Windows Server 2016
Fix bugs/add changes to dsheuristics
Added -prb
Added -appver
Fixed bad ! formatting for filterEx
Added -nonoise alias for exclrepl
Added -sc schemadmp alias for sdump
Added -sc xrdmp alias for xrdump
Added special bases -ds -svcs
Fixed CanonicalName for \0A
Bug Fix -sddl+ ***INVALID***
Speed up SID resolve for SDDLs
Decode msDS-ReplAuthenticationMode
Added -dplsids
Added "short" option to -sc dclist
Added decode of msds-revealedusers
Added special base -delobjs
Added utcgt/localgt for -binenc
Removed GCLIST because it doesn’t work
Added sslinfo (BETA)
Changed schema pull page size to 1k
Changed ADAM to ADLDS
Changed output format of sslinfo

Get it here:

http://www.joeware.net/downloads/beta/adfind_v150_beta.zip

Please let me know any feedback you have: email support@joeware.net with ADFIND BETA in the subject so I will see it amongst everything else. :)

    joe

UPDATE: I have received some emails and other contact indicating that when some people run AdFind.exe it pops a dialog for missing DLLs. This beta build of AdFind is not a static build and depends on the VC++ 2015 Redistributables to be in place. If you don’t have them, you can get them at https://www.microsoft.com/en-us/download/details.aspx?id=53587. You need the x86 ones because currently AdFind x64 is still in the shop (and likely will not be released for V01.50.00).

4/8/2017

AdFind SSL/TLS Certificate / Session Info

by @ 6:15 pm. Filed under general, tech

I think I have settled on the data I want to make available for the -sslinfo switch. If someone thinks there is additional info that would be useful, please let me know.

Below is what I have for output so far for the -sslinfo switch. I am thinking the switch will initially be in BETA mode, even in the release version of V01.50.00, until I sort out exactly how I want it formatted and how it might be used. I also have to sort out how to add the CSV/TSV functionality for it, since when it runs in this mode it doesn’t actually get anywhere near the normal output stage of the code. I know for a mass scan of a forest that would likely be the preferred output model.

My original thinking was that the bit strength, cert version, dates, and issuer would be the most valuable bits of info. I visualize being able to tear through an entire forest looking at this info for every DC with a simple for /f loop like

for /f %i in ('adfind -gcb -dclist') do adfind -hh %i -sslinfo

Like so:

[Sat 04/08/2017 18:10:11.39]
E:\DEV\cpp\vs\AdFind>for /f %i in ('release\adfind -gcb -sc dclist') do release\adfind -hh %i -sslinfo -utc

[Sat 04/08/2017 18:10:22.83]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TST-DC1.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-16:11:31 UTC
  NotAfter      = 2018/04/08-16:11:31 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TST-DC1.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:22.90]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TST-DC2.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-16:15:53 UTC
  NotAfter      = 2018/04/08-16:15:53 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TST-DC2.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:22.98]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TSTCHLD-DC1.k16tstchld.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-21:19:19 UTC
  NotAfter      = 2018/04/08-21:19:19 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TSTCHLD-DC1.k16tstchld.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:23.11]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TSTCHLD-DC2.k16tstchld.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-21:27:51 UTC
  NotAfter      = 2018/04/08-21:27:51 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TSTCHLD-DC2.k16tstchld.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

[Sat 04/08/2017 18:10:23.24]
E:\DEV\cpp\vs\AdFind>release\adfind -hh K16TST-RODC1.k16tst.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

Certificate Info
================
  Encoding Type = X509_ASN_ENCODING (0x01)
  Version       = CERT_V3 (0x02)
  NotBefore     = 2017/04/08-16:27:19 UTC
  NotAfter      = 2018/04/08-16:27:19 UTC
  Sig Algorithm = 1.2.840.113549.1.1.13
  Issuer        = CN=CA1,DC=k16tst,DC=test,DC=loc
  Subject       = CN=K16TST-RODC1.k16tst.test.loc

SSL Connection Information
==========================
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
  Cipher Algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  Cipher Strength    = 256 bits
  Hash Algorithm     = 384 bit SHA hashing algorithm (CALG_SHA_384)
  Hash Strength      = 0 bits
  Key Exch Algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  Key Exch Strength  = 255 bits

The command completed successfully

And if you have a machine that doesn’t have a valid cert installed it will give the standard connection failure you already get.

[Sat 04/08/2017 18:10:23.35]
E:\DEV\cpp\vs\AdFind>release\adfind -hh k16tst2-dc1.k16tst2.test.loc -sslinfo -utc

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

LDAP_BIND: [k16tst2-dc1.k16tst2.test.loc] Error 0x51 (81) – Server Down
Terminating program.
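A parser for that loop output, added here as an example and not part of AdFind: it splits the concatenated -sslinfo output into one record per DC, keeps the LDAP_BIND failure above as a row instead of losing it, and flags a negotiated protocol below TLS 1.2 or a certificate expiring within 30 days. The embedded sample output, the scan time and the 30-day threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the post's for /f loop output: one healthy
# DC, one negotiating TLS 1.0 with a cert about to expire, and one bind failure.
SAMPLE_OUTPUT = """\
E:\\AdFind>for /f %i in ('adfind -gcb -sc dclist') do adfind -hh %i -sslinfo -utc
E:\\AdFind>adfind -hh K16TST-DC1.k16tst.test.loc -sslinfo -utc
  NotAfter      = 2018/04/08-16:11:31 UTC
  Protocol           = Transport Layer Security 1.2 client-side (SP_PROT_TLS1_2_CLIENT)
The command completed successfully
E:\\AdFind>adfind -hh K16TST-DC2.k16tst.test.loc -sslinfo -utc
  NotAfter      = 2017/05/01-00:00:00 UTC
  Protocol           = Transport Layer Security 1.0 client-side (SP_PROT_TLS1_CLIENT)
The command completed successfully
E:\\AdFind>adfind -hh k16tst2-dc1.k16tst2.test.loc -sslinfo -utc
LDAP_BIND: [k16tst2-dc1.k16tst2.test.loc] Error 0x51 (81) - Server Down
Terminating program.
"""
SAMPLE_NOW = datetime(2017, 4, 8, 18, 10)  # constructed scan time (UTC)

HOST_RE = re.compile(r"adfind\s+-hh\s+([^\s%]\S*)")  # skips the echoed %i loop line
KV_RE = re.compile(r"^\s+([A-Za-z ]+?)\s*=\s*(.+?)\s*$")  # "  Key   = value" lines
PROTO_RE = re.compile(r"\(SP_PROT_(\w+)_CLIENT\)")

def parse_sslinfo(text):
    """One dict per adfind -hh invocation: host, error, and each 'key = value' field."""
    rows, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            cur = {"host": m.group(1), "error": ""}
            rows.append(cur)
        elif cur is not None and line.startswith("LDAP_BIND:"):
            cur["error"] = line.split("Error", 1)[1].strip()
        elif cur is not None and KV_RE.match(line):
            key, value = KV_RE.match(line).groups()
            cur[key.strip()] = value
    return rows

def assess(row, now, warn_days=30):
    """Findings for one DC: bind failure, protocol below TLS 1.2, cert expiring soon."""
    if row["error"]:
        return ["bind failed: " + row["error"]]
    findings = []
    proto = PROTO_RE.search(row.get("Protocol", ""))
    if proto is None or proto.group(1) not in ("TLS1_2", "TLS1_3"):
        findings.append("weak protocol: " + (proto.group(1) if proto else "unknown"))
    if "NotAfter" in row:
        # NotAfter looks like 2018/04/08-16:11:31 UTC; the first 19 chars are the timestamp.
        expiry = datetime.strptime(row["NotAfter"][:19], "%Y/%m/%d-%H:%M:%S")
        if expiry - now < timedelta(days=warn_days):
            findings.append("cert expires " + expiry.date().isoformat())
    return findings

def findings_by_host(text, now):
    """Map each DC in the loop output to its list of findings (empty means clean)."""
    return {r["host"]: assess(r, now) for r in parse_sslinfo(text)}
```

The dicts from parse_sslinfo are flat, so csv.DictWriter emits them directly as the per-DC CSV the post mentions.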

     joe

4/7/2017

AdFind Beta News

by @ 7:15 pm. Filed under general, tech

I added this SSL Info functionality this week. I am likely to still change it up a little. I would like to see if I can report on the server cert too, and maybe see about this going into a CSV/TSV type output format as well since it is well outside the normal code path.

Beta drop to the web site in the next week, I would say… It got delayed because I started decoding msDS-RevealedUsers for RODC computer objects. That BLOB was a little different than I expected and it took a bit, but I got it sorted. While thinking that issue out I realized I wanted to give out info about the LDAPS connection too.

E:\>adfind -ssl -rootdse -sslinfo

AdFind V01.50.00.00cpp VS BETA Joe Richards (support@joeware.net) April 2016

SSL Connection Information
  protocol           = Transport Layer Security 1.0 client-side (SP_PROT_TLS1_CLIENT)
  cipher algorithm   = AES 256-bit encryption algorithm (CALG_AES_256)
  cipher strength    = 256 bits
  hash algorithm     = SHA hashing algorithm (CALG_SHA) bits
  hash strength      = 160 bits
  key exch algorithm = Ephemeral elliptic curve Diffie-Hellman key exchange (CALG_ECDH_EPHEM)
  key exch strength  = 256 bits

The command completed successfully

Woo hoo I am famous…

by @ 6:11 pm. Filed under general

… or at least I was in 2014!!

https://www.onelogin.com/blog/microsoftactive-directory-integration-experts

4/6/2017

New Google Open Source Repository

by @ 10:47 pm. Filed under general

Repository – https://opensource.google.com/projects

Blog – https://opensource.googleblog.com/

4/3/2017

CodePlex closing down, moving to GitHub

by @ 9:34 am. Filed under general

https://blogs.msdn.microsoft.com/bharry/2017/03/31/shutting-down-codeplex/

3/26/2017

AdFind V01.50.00 Speed Increase for Security Descriptors When Resolving SIDs to Names

by @ 6:02 pm. Filed under tech

As previously mentioned, I have been focusing on some speed tweaks for AdFind for larger scale environments. One of the items I have wanted to speed up was the decoding of Security Descriptors, especially in orgs where they got a little crazy with AD delegation and added a ton of ACEs to object Security Descriptors. I have succeeded in this space, even better than I had hoped.

The test AD object I am performing my speed tests on had 390 ACEs, and I am resolving the SIDs from halfway across the USA via a “slowish” VPN connection. Resolving the SIDs for multiple objects is actually not bad because once AdFind resolves a SID it caches it for quick retrieval the next time it encounters it within that run[1].

Here are the numbers:

Version    Test                       Time (ms)
V01.49.00  SIDs only                       3219
V01.50.00  SIDs only                       3078

V01.49.00  Resolve SIDs                   75296
V01.50.00  Resolve SIDs (initial)         35719

V01.49.00  Resolve SIDs                   75296
V01.50.00  Resolve SIDs (enhanced)         4250

Yes, you are reading that right: Security Descriptor expansion with SID resolution went from 75.3 seconds to 35.72 seconds to 4.25 seconds.

I am expecting to wrap up a zip file with the V01.50.00 Beta in the next week with a special download location. If you are interested, stay tuned. :)

   joe

[1] I have long considered adding some persistence for SID caching but I haven’t thought about it enough to pull the trigger yet.
