AD Enrollment failing after CA Migration when not removing existing server

Been awhile since I posted.. In that time I’ve moved home to Wellington, and started a new job that’s a mix of Infrastructure Engineer, DevOps Engineer, and general jack of all trades.  At my new job, the existing infrastructure was sorely in need of some TLC, and one of the things I had to tackle was replacing a 2008 R2 box that was serving as the sole DC, WSUS, and CA server among other things. For various reasons, I wasn’t able to migrate all the services off at once and do a big bang migration, so each service had to be done one at a time. After migrating the CA services over to a new 2016 box, everything was working great apart from AD Auto enrollment, which was failing with a fairly generic RPC connection error. TechNET and several CA migration guides talk about removing the source server from the domain as part of the process, but as the box still has other roles, this wasn’t possible. I strongly suspect this issue wouldn’t have cropped up if I was able to remove the PC from the domain, but what I did to solve the issue was this.

Open up ADSI edit, connect to the Configuration context, navigate to “CN=Enrollment Services,CN=Public Key Services,CN=Services”, select the pKIEnrollment object, and modify the DNShostname to be the new server. After that AD enrollment worked perfectly.. Hope this is useful to someone.

IBM M5100 Raid Controller stuck in Safe Mode.

So today at work I was attempting to re purpose an IBM x3650 M4  that was previously being used an an ESXi host from an internal USB drive. I’d thrown in a bunch of SAS disks from some other servers I was decomissioning, yoinked the USB key out, and was attempting to create some virtual drives. Normally this should be a trivial exercise, but the M5100 raid controller was perpetually reporting it was in Safe Mode, and wouldn’t let me successfully clear the the foreign configuration from either the GUI or the Storage interface to the controller in the BIOS. After a bit of faffing around, launching the CLI interface for the controller  and running “-adpfacdefset -a0” to reset the controller to factory defaults worked to successfully kill the safe mode loop, allow me to clear the foreign config and create new drives. There was a bit of a dearth of results googling for M5100 safe mode, so hopefully this will be of use to someone in the future.

The great shave

I’ve had a beard of some sort for about 17 years now. Next week I’ll be shaving it all off in the name of charity. You can make donations over at https://givealittle.co.nz/fundraiser/andysshave which are split between the Movember Foundation New Zealand, Prostate Cancer Foundation New Zealand, and Child Cancer FoundationMain image

 

 

 

Reverse engineering a VBScript phishing email

Last night while I was sitting around suffering from a bout of insomnia after working late, I received a phishing email with a thinly disguised VBScript attachment. Being I was wide awake and not really having anything else to do, I decided to pull it apart and see what makes it tick. I’m no security researcher, but I have an interest in that area, and I thought it might be an interesting way to kill time.

At the time I received the email, only 2/19 scanners on Jotti recognized the VBS as malware, and 3/19 recognized the zip container it was in.

Obfuscated VBS malware
Obfuscated VBS malware

As you can see from the screenshot, all of the constant, variable and function names have been converted to random strings. Many of the strings have been obfuscated by breaking them down into constituent characters. There are also numerous extraneous variables, functions and pointless IF statements, although the extraneous functions may be part of a standard copy & paste template of functions.

The first thing I did was tidy up the layout of the code, for example indenting each function and IF statement to help improve the readability. I also concatenated the variables that had been split into characters back together. Then it becomes a bit like a jigsaw puzzle, finding the easy bits and working from there. I started with obvious ones, for example “Set YDh = CreateObject(“Scripting.FileSystemObject”)” it’s pretty obvious the variable should be something like objFSO. Examining functions and objects with parameters and comparing to the documentation lets you make further progress. If you have a WinHttpRequest object, and that object is then being called with “Object.Open “GET”, RFz5, False” you can then deduce that RFz5 is a variable containing a URL, and label it as strURL or some such.

After spending a bit of time doing this, and removing the extraneous functions and variables I had some code that made sense and was easy to follow. The script attempts to make a web request to one of several websites, and if it’s happy with the response it saves the response body as a .DLL file in the temp folder, then executes it via rundll32 with a couple of parameters.

For obvious reasons I’m not going to post the full code of what I ended up with, but this screenshot of the main code sans functions should give you an idea.

Cleaned up code
Cleaned up code

I was pleasantly surprised to see that less than 12 hours after I received the email, Microsoft had AV definitions out that detected and removed both the VBS and the container. I’ve heard quite a few people slag off the Microsoft AV product, but given that as of this post only one third (6/18) of the scanners on jotti had definitions for this, I think they deserve some credit!