Why would an unused domain even need any resource records?
It’s common for domains to go unused. Sometimes they’re purchased for a potential idea or project. Other times, it’s to protect a name or trademark, or maybe they’re meant for use internally on a protected and private network. But the internet does weird stuff and sometimes there are steps that should be taken even if these domains aren’t being used.
A few times each year, a thread pops up bashing the certification industry, mocking organizations requiring certifications for job applicants or contract opportunities, or using brain-dump test takers as the barometer for those with industry certs. Many, if not most, of the arguments are valid in their specific contexts. Hiring or contract awards should not rely on certifications to prove a prominent level of competence. However, certifications do provide value in several areas that are often dismissed or ignored and can bring immense value to the IT and InfoSec industries.
Over the weekend, I updated my wireless router to the latest revision of ASUSWRT-Merlin. I also decided to update my DietPi Pi-hole to their latest builds. Due to a full code rewrite of DietPi, it meant a complete rebuild for that system. The release of ASUSWRT-Merlin also suggested resetting to factory defaults due to some major changes. Everything was about to be new again.
Once I got everything rebuilt and running, I noticed requests coming from my firewall to my DietPi every 10 seconds or so for dns.msftncsi.com. I immediately assumed this was some Microsoft telemetry noise on my network from MS NLA. However, the queries were coming directly from my firewall, which seemed odd. Another search led me to a post on the Pi-hole discourse. After I ran nvram show | grep dns_probe, it was clear I found the culprit.
This afternoon, I’m attending the funeral for a coworker we lost last weekend. Over the course of the next week or two, we’ll be assisting his family in gaining access to the many online services he had managed. Each time I’ve experienced a tragedy like this, I’ve seen the families struggle with the digital footprint and account access of their lost loved one. Like life insurance, emergency access to online services is too often an item on our to-do list, rarely ever getting completed. Password managers help families in these situations. They act as a consolidated list of the accounts making up one’s digital footprint. However, if emergency access has not been set up, they provide no help and access becomes a major hurdle to overcome for a grieving family.
Tired of seeing “What’s happening now?” in the Lync client? Sick of seeing the same old status update because you or your colleagues never pulled down that holiday message or #GoHawks update? Well, I was sick of it. I wanted a quick and dirty way to automate updating the Lync status message (aka ProfileNote).
After hours of scouring the internet and messing with multiple Twitter libraries and outdated Twitter code, I ran across this gem by GitHub: MyTwitter.psm1. While it was meant to post to Twitter, a bit of hacking and this was born. Coupled with some other Lync Client work I’ve done, I had a workable solution.
A couple tweaks I found necessary for the new 9926 build of Windows 10.
1. Windows Update failed with error 0x80070057 preventing the install of update KB3034229. The Fix:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX]
"IsConvergedUpdateStackEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings]
"UxOption"=dword:00000000

2. Only two size options for the updated start menu. Regular or maximized. This fix allows resizing of start menu to a custom size. However, it reverts the start menu back to the pre-9926 build style. Wish there was a compromise. I ended up just setting this to 1 and living with the lack of resize options.
On your SBS 2011 server, do you find a lot of DCOM errors in your System Event Log? These are relatively common on SBS boxes. Microsoft’s guidance is that these can be safely ignored. However, when an error is reported, I expect it to be something that should be investigated. If it can be ignored, it shouldn’t be reporting it as an error. Fortunately, there is a fix for these.
The IT ecosystem is rich with network monitoring systems (NMS). Each NMS has different capabilities, costs, and purposes in life. It is commonplace for me to come into a business that has invested in an NMS that doesn’t fit all their needs. You might ask, “What does this have to do with creating a Windows service?” Here is the scenario that brought this up.
A client has a monitoring solution for their Windows servers and some basic network up/down stats. Their internet connection had been flaky for a month or two. As we worked with their ISP, their connection continued to stay up but latency would spike and often drop packets. The monitoring never sees the link as down but the level of service is degraded and mostly unusable. The ISP can quickly reset the ports and fix the issue, but we want to know right when this happens to minimize downtime.
I came across an undocumented app the other day. For a number of reasons, we needed to restore the password but it wasn’t documented anywhere. Luckily, the service account was set up in an app pool. In IIS 7.0 or 7.5, APPCMD can be used to recover the password. In 6.0, adsutil.vbs can be used.
cscript.exe /nologo adsutil.vbs GET W3SVC/AppPools/AppPoolName/WAMUserPass

However, I wanted to write my own little script. Having a little tidbit makes it easy to reuse later for other clients. For example, I could search AD for SPNs starting with “HTTP”, loop through each of their app pools and document the username and passwords for all service accounts used in this fashion. So, here is the little tidbit I threw together.
Here I go on another VBScript tutorial. You might ask why I’m not doing this in PowerShell yet and it is simple: I still run into 2003 and XP environments. Oh yeah, and this works. I don’t care what scripting language I’m writing in if it gets the job done; you shouldn’t either. My $0.02. If you want to download this script, click here: Morto.A Detection Script.
I had to do a little cleanup on a network from the Morto.A worm. The first thing I wanted to do was find out how bad things were. They were reporting a DDoS across their LAN (mostly 3389) and a lot of other issues. It was obvious we were going to need to rebuild a few systems but we wanted to get a grasp of what the damage was. Things were generally working: logons, shares, etc.