Windows 10 WiFi ignoring DHCP DNS settings

After a long period of home office it seemed that my computer did not want to work well in any other WiFi network any more. It showed “no internet connection” in every other network.

When looking into the connection settings, I saw that it was still showing my home DNS server in the settings. No matter what network I was connecting to, be it my phone’s hot spot, etc., it was still the same.
Example output of the netsh command:

C:\WINDOWS\system32>netsh interface ipv4 show config name="Wi-Fi"

Configuration for interface "Wi-Fi"
DHCP enabled: Yes
IP Address: 10.1.0.38
Subnet Prefix: 10.1.0.0/24 (mask 255.255.255.0)
Default Gateway: 10.1.0.1
Gateway Metric: 0
InterfaceMetric: 70
DNS servers configured through DHCP: 172.31.1.1
Register with which suffix: Primary only
WINS servers configured through DHCP: None

So I tried using the “netsh” command to reset it by entering a static DNS:
netsh interface ipv4 set dnsservers name="Wi-Fi" source=static address=8.8.8.8

Now I had working name resolution, but this is not a fix for me to have to set a correct DNS server for all the networks I go to, so I set it to DHCP settings again.
netsh interface ipv4 set dnsservers name="Wi-Fi" source=dhcp

Name resolution broke again, as the “show config” returned my home DNS again. So I turned to the Windows registry to find where that IP address exists. A search yielded the following result: in Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{interface-uid} there was a registry key called ProfileNameServer. It had a value that matched my problematic DNS server entry. After deleting the registry key and reconnecting to the WiFi, I finally saw that the DHCP-given DNS server list was being used and the network connection was working normally again.
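A check for the same condition on any machine, as an added example that is not part of the original post: it lists every interface whose ProfileNameServer or static NameServer value pins DNS servers that differ from the DHCP lease. NameServer and DhcpNameServer are standard Tcpip values not mentioned in the post, and the sample GUID and the 10.1.0.1 lease address are constructed; only ProfileNameServer, the registry path and 172.31.1.1 come from the post.

```python
import sys

# Registry path from the post; one {interface-uid} subkey per adapter.
IFACES = r"SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces"
# ProfileNameServer is the value named in the post. NameServer (static
# setting) and DhcpNameServer (from the lease) are standard Tcpip values.
VALUES = ("ProfileNameServer", "NameServer", "DhcpNameServer")
# Constructed sample so the logic also runs off Windows (hypothetical GUID).
SAMPLE = {"{00000000-0000-0000-0000-000000000001}": {
    "ProfileNameServer": "172.31.1.1", "DhcpNameServer": "10.1.0.1"}}

def servers(raw):
    """Normalise a registry value (string or multi-string) to a list of IPs."""
    if isinstance(raw, (list, tuple)):
        raw = " ".join(raw)
    return (raw or "").replace(",", " ").split()

def find_overrides(interfaces):
    """Return (guid, value_name, pinned, dhcp) where a pinned list differs from DHCP."""
    hits = []
    for guid, vals in interfaces.items():
        dhcp = servers(vals.get("DhcpNameServer"))
        for name in ("ProfileNameServer", "NameServer"):
            pinned = servers(vals.get(name))
            if pinned and pinned != dhcp:
                hits.append((guid, name, pinned, dhcp))
    return hits

def read_interfaces():
    """Read the three values for every interface from the live registry."""
    import winreg  # Windows only, so imported lazily
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFACES) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as key:
                found[guid] = {}
                for name in VALUES:
                    try:
                        found[guid][name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass  # value not set on this interface
    return found

if __name__ == "__main__":
    data = read_interfaces() if sys.platform == "win32" else SAMPLE
    for guid, name, pinned, dhcp in find_overrides(data):
        print(f"{guid}: {name}={pinned}, DHCP lease offers {dhcp}")
```

A static NameServer that differs from the lease can be intentional, so the output is a list to review rather than a list to delete.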


Check Point to Cisco ASA IKEv2 VPN with SHA-256 “no proposal chosen” – Timed out

When creating a VPN tunnel between Cisco ASA 9.x and Check Point firewalls using IKEv2 and integrity checks better than SHA1, you might run into a small issue where Phase 1 comes up with no issue and on Phase 2 you see timeouts in the Check Point logs.

After seeing the timeout, you enable VPN debugging and see a “No Proposal Chosen” message coming from the ASA side in the ikev2.xmll log. Then you compare the crypto configurations on both sides and see that they are identical. If that is the case, there might be a pseudo-random function (“prf”) mismatch. To get around it you should try the following command on the Cisco side:

prf sha

It’s only doable on the Cisco side, as Check Point doesn’t let you change this value. That was supposedly the only change made on the peer gateway by the Cisco admin, after which the tunnel came up.
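The mismatch is easier to spot when the two sides are compared per transform type, because IKEv2 negotiates the PRF separately from the integrity algorithm. The following added example (not from the original post or from either vendor) parses an ASA `crypto ikev2 policy` block and reports the types with no common value; the policy number, the `prf sha256` starting point and the peer offer are constructed assumptions.

```python
import re

# ASA policy keywords mapped to IKEv2 transform types (RFC 7296, section 3.3.2).
KEYWORDS = {"encryption": "ENCR", "integrity": "INTEG", "prf": "PRF", "group": "DH"}
# Constructed ASA policy: identical to the peer except for the PRF line.
ASA_BEFORE = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
"""
# The same policy after the change described in the post.
ASA_AFTER = ASA_BEFORE.replace(" prf sha256", " prf sha")
# Assumed peer offer, written in ASA keyword vocabulary for comparison.
PEER_OFFER = {"ENCR": ["aes-256"], "INTEG": ["sha256"], "PRF": ["sha"], "DH": ["14"]}


def parse_asa_ikev2_policies(config):
    """Return {policy_number: {transform_type: [values]}} for each policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto ikev2 policy (\d+)\s*$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif line.startswith(" ") and current is not None:
            words = line.split()
            if words and words[0] in KEYWORDS:
                current[KEYWORDS[words[0]]] = words[1:]
        else:
            current = None  # left the policy block
    return policies


def mismatched_types(policy, peer_offer):
    """Transform types with no value in common; one is enough to reject the proposal."""
    return [t for t in ("ENCR", "INTEG", "PRF", "DH")
            if not set(policy.get(t, [])) & set(peer_offer.get(t, []))]


if __name__ == "__main__":
    for label, cfg in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        policy = parse_asa_ikev2_policies(cfg)[10]
        print(label, mismatched_types(policy, PEER_OFFER) or "no mismatch")
```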


Check Point R77.30 new sub interface not forwarding traffic

It seems that on Check Point R77.30 Take_351 a newly added VLAN interface may fail to route traffic. When looking at the cluster status, everything seems OK. But when you take a look at the routing table, you notice that the newly added network is actually missing.

Doing the usual “cpstop & cpstart” does not fix the issue. What was actually needed to get it to forward traffic was the good old “have you tried turning it off and on again”. If it happens on your primary cluster node, just fail over to the secondary node and reboot.


Windows search keeps crashing

After updating Windows 10 to version 1903 I started having strange issues where the search functionality stopped working. By search stopped working I mean you open start and start typing and nothing happens.

When it happened for the first time I just rebooted my PC and all worked fine for a few days. When it happened again I just killed the search process in task manager and all worked fine again for a few days.

As it started happening more often I ended up trying to fix it. For me, rebuilding the Windows search indexes made the issue go away. To rebuild the indexes you need to do the following.

Click on start and press on settings. From there navigate to “Search” -> Searching Windows. And in the open page click “Advanced Search Indexer Settings”. After that the following Window should pop up:

From there click on “Advanced” and in the following window find the “Rebuild” button in the troubleshooting section. Press that and agree to the warning that rebuilding might take some time.

Or if your search is working at the moment, just type “Indexing Options” into your search window and you arrive at the previously shown window.

And if the steps above didn’t help, you might as well read Microsoft’s support article: https://support.microsoft.com/en-us/help/4520146/fix-problems-in-windows-search


Tenable.SC and Nessus Scanner updates activation

When installing Tenable.SC it asks for an activation key and the installation continues. Then you install your Nessus scanner and during the install point it to the SC, and it shows that its license is managed by Tenable.SC. Now you have everything installed and up and running, right? Wrong.

Updates for the plugins are not working yet, as for that you need to enter a separate license key. You need to log in to your Tenable Community account, go to Your products and find the Tenable.sc activation key.

You need to insert that key into your Tenable.SC when logged into it as an administrator (not the scanning account). Navigate in the menu to System > Configuration > License, click on “Nessus Scanner”, paste the activation key you found on the Support site and press Register. After that your Tenable.SC and Nessus will be able to update their plugins and feeds.


Getting Tenable.SC working with Nessus Agents

What do Nessus Agents do

Nessus Agent is a lightweight piece of software that you can install on a host to do patch management and vulnerability/compliance checking without having some central server with credentials logging into every machine you have, as is the case with, for example, Nessus credentialed scans. Instead the agent software just reports back to the central server and keeps polling to see if any commands have been given.

Nessus Agent can run patch level/vulnerability scan/malware scan or configuration compliance checks.

Requirements

I assume that when thinking about Nessus Agent based scans with Tenable.sc You already have a Tenable.SC license and working installation.

Tenable.SC needs to have access to the TCP port 8834 on the Nessus Manager.

Nessus Manager preferably has internet access to download updates and activate the license.

Nessus Agents need access to the TCP port 8834 on the Nessus Manager.

Licensing hassle

In order to get Nessus Agents info into Tenable.SC there are some extra steps You need to take besides the Tenable.SC and Nessus Scanner installation. You actually also need to install Nessus Manager to get Agents working. Regular Nessus scanners haven’t got the ability to work with Agents.

To actually get Nessus Manager, it turned out to be a bit of a hassle. As it turns out, although the software comes with the Tenable.SC license, You actually need to ask for it separately. After a short e-mail exchange with support and some signed documents later, You will actually get Nessus Manager license added to your Tenable account.

The installation

After You get the license key, download the regular “Tenable Core + Nessus” software from https://www.tenable.com/downloads/tenable-appliance and install the VM. The install will be the same as for regular Nessus Scanner.

After having set up the VM, open your web browser and go to the appliance web page https://nessus-manager-ip-here:8834/, then the wizard will open. From there select Nessus Manager instead of Nessus Scanner and insert the license key when prompted. The setup will also ask you to create an account for yourself. It will take a while for the wizard to download and compile all the needed components. After it completes you have a ready, working Nessus Manager.

After the wizard completes, log in to the Appliance with the account you created during the wizard. The first thing you need to do is create a “group” for the agents. For example, for your web servers call it “Web Servers” or for client PCs call it “Client PC’s”. After having created the groups you can proceed to linking your Agents.

To install the agents, first you need to download the proper Agent software from https://www.tenable.com/downloads/nessus-agents. Installation is quite straightforward. As an example, on a 64-bit CentOS 7 machine it would go like this:

  • Copy the Agent to the machine
  • Elevate privileges to root or use sudo
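  • Install the agent by issuing the “rpm -i NessusAgent-7.5.1-es7.x86_64.rpm” command. You should get the following output (the NOKEY warning means the package’s signing key is not in the rpm keyring, so the signature was not verified):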
    warning: NessusAgent-7.5.1-es7.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 1c0c4a5d: NOKEY
    You must first start Nessus Agent by typing /bin/systemctl start nessusagent.service
    To link this agent to the Nessus Manager, use the ‘/opt/nessus_agent/sbin/nessuscli agent’ command.
    Type ‘/opt/nessus_agent/sbin/nessuscli agent help’ for more info.

Next you need to link your agent to the Nessus Manager. In order to do that, copy the “Linking Key” from Nessus Manager, which can be found on the Agents page in the “Linked Agents” section. After having found the key you can create your linking command on your client, which looks something like this:
/opt/nessus_agent/sbin/nessuscli agent link --key="your-linking-key" --host="your-nessus-manager-address" --port=8834 --groups="Web Servers"

After issuing the previous command on the client it should now show up in the linked agents list where You got the linking key from. After having linked the agent to the manager you also need to start the service as was mentioned in the output from the rpm.

It will take a bit of time for the agent to come online. I initially thought something was broken. But it actually took ~5min for the client to go into the “initializing state” for a bit and then again offline. But after being in the initializing state the list started showing some more info about the client, not only the IP address. After that it stays offline again for some time; for me it was something like 15-20min, and then the host started showing up as online. During that period you might as well link the Nessus Manager and Tenable.SC.

Linking Nessus Manager and Tenable.SC works the same as with a regular Nessus Scanner.

Running your first Agent scan

After having linked Your agents to Nessus Manager and Nessus Manager to Tenable.SC You can now define and run Agent scans.

Unlike how scanning works with Tenable.SC and Nessus Scanner, the agent scan needs to be defined and run on Nessus Manager instead. Tenable.SC actually only imports the reports, although the button says run scan.

So you need to log in to Nessus Manager and under scans you should create a new scan. For every scan you need to select a group that the scan gets run on and also the interval if you want it to be a recurring one.


A lot of companies leak internal DNS/information system info to 3rd parties

One thing I have noticed while auditing different “internal use only” systems that are not available online is that, although they are offline, their existence is freely sent to Google with their URLs/IP addresses.

Namely, a lot of developers tend to integrate something provided by Google or by some other vendor, be it some JavaScript or fonts. As an example, when you include some CSS provided by Google, every time someone loads an internal application Google gets a request from the client’s web browser which also includes the referring URL.
An example of outbound request headers from a web page including some style sheet info provided by Google:

host: fonts.googleapis.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://someportal.corp.inernal/css/main.css

The “referer” header can easily be harvested from logs. So next time you include external resources, think about whether you want a 3rd party to know about your internal things.
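To find which pages and style sheets of an internal application trigger such requests, the markup can be scanned for subresources hosted outside the internal domain. The following is an added example, not code from the original post; the `example.internal` suffix and every host name other than fonts.googleapis.com are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource. <link> is
# over-reported: rel values such as "canonical" do not trigger a fetch.
FETCHING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# url(...) and @import "..." references inside CSS.
CSS_REF = re.compile(r"""(?:url\(\s*|@import\s+(?!url\())["']?([^"')\s;]+)""", re.I)
# Constructed inputs; fonts.googleapis.com is the host from the post.
PAGE = ('<link rel="stylesheet" href="/css/main.css"><img src="logo.png">'
        '<script src="https://cdn.vendor.example/lib.js"></script>'
        '<a href="https://www.example.org/">docs</a>')
CSS = '@import url("https://fonts.googleapis.com/css?family=Roboto");'


class RefCollector(HTMLParser):
    """Collect subresource URLs from tags, style attributes and <style> blocks."""
    def __init__(self):
        super().__init__()
        self.urls, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        if attrs.get(FETCHING.get(tag)):
            self.urls.append(attrs[FETCHING[tag]])
        self.urls += CSS_REF.findall(attrs.get("style") or "")

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.urls += CSS_REF.findall(data)


def third_party_hosts(body, page_url, internal_suffixes, is_css=False):
    """Hosts outside internal_suffixes that may receive page_url as Referer."""
    parser = RefCollector()
    if not is_css:
        parser.feed(body)
    urls = CSS_REF.findall(body) if is_css else parser.urls
    hosts = set()
    for ref in urls:
        host = urlsplit(urljoin(page_url, ref)).hostname
        if host and not any(host == s or host.endswith("." + s)
                            for s in internal_suffixes):
            hosts.add(host)
    return sorted(hosts)
```

Each reported host can be eliminated by self-hosting the resource, or the application can send a `Referrer-Policy: no-referrer` response header so that the browser omits the Referer.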


Remote Desktop “No Valid Certificates Were Found on This Smart Card” when trying to authenticate with National ID-Card

When trying to use smart-cards/tokens to authenticate to Remote Desktop you can receive the “No Valid Certificates Were Found on This Smart Card” error for multiple reasons. It can be that you don’t have the necessary drivers installed properly. It also can be that the CA trust chain is not in place. In this post I’m not going into detail on those issues. Here it’s just going to be a quick fix for the Estonian National ID-Card not showing up in Remote Desktop. It can also apply for other ID-Cards.

Namely, the issue is that national ID-Cards tend not to have the “Smart Card Logon” key usage in their certificate profiles, and that’s why they aren’t showing up in Windows Remote Desktop. So if the certificate you have on your smart-card doesn’t have “Smart Card Logon” set, it won’t show up either. There is a quick workaround/fix for it. You just need to modify one registry setting so that Windows also accepts certificates without the specific permissions set.

Just copy paste this into notepad and save it with the .reg extension and execute it:
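Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
; Accept smart card certificates that carry no Enhanced Key Usage extension
"AllowCertificatesWithNoEKU"=dword:00000001
; Also enumerate ECC certificates on the card
"EnumerateECCCerts"=dword:00000001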

Windows will give you a warning, just accept it and then it should say that the keys were successfully added to the registry. Now your ID-card certificates should show up in Remote Desktop.


Installing VMware Workstation 15 Pro on Windows 10 1903 can have a small installer issue

After updating my Windows 10 to 1903, VMware Workstation 14 stopped working. It is a known issue since the release of 1903. VMware hasn’t released a patch for it and the Windows updater points to and seems to be promoting upgrading to version 15. Although there are many workaround hints available, I for one do not want to mess about with uninstalling and blocking some Windows update packages. So I went ahead and got the upgrade license and went on to update it. That didn’t go as smoothly as I would have expected.

As it turns out, the installer for VMware Workstation 15 Pro (VMware-workstation-full-15.5.0-14665864.exe) in my case had a small issue where it wouldn’t install. When running the installer it always prompted me that “In order to finish installing VC redist”, I need to reboot my computer. I did that the first time the installer asked me to press “Yes” and reboot; after that the message still came up. I tried it one more time and it still persisted. After that I just went ahead and downloaded vc_redist.x64.exe via Microsoft’s support site and installed it manually. After doing that the Workstation installer worked like a charm and had no more issues.


Even Yahoo is not able to keep track of its SSL certificates’ expiration

I have always thought that the “Internet Giants” have proper monitoring and procedures in place to keep track of their SSL certificates expiration dates. But as it turns out Yahoo does not.

In some instances of Yahoo advertisements they are still using a certificate that expired over a month ago. Today (07.08.2019) I am still at random getting an error about Yahoo’s advertisement certificate being expired:
