Application Guard Testing with Virt-Manager

Received a BSOD with error code 0xc0000225 on a Windows 10 (and 11) VM when enabling the Hyper-V role to do some testing with Microsoft Defender Application Guard. This VM runs on a Rocky Linux host and I typically use Virt-Manager to handle my VMs. Two changes were necessary to get nested Hyper-V working with virt-manager:

  1. virt-xml <VM-NAME> --edit --cpu host-passthrough
  2. sudo modprobe kvm_intel nested=1
    1. Use kvm_amd instead for AMD processors.
    2. You can check the current value here:
      1. cat /sys/module/kvm_intel/parameters/nested

Once that was done, the Hyper-V role installed without issue, and I could test Application Guard on the VM.
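As an added example (not from the original post), here is a small shell helper for the two checks above: which KVM module the host needs, and whether nested virtualization is already on. The file paths are parameters so the logic can be exercised against constructed sample files; the modprobe.d path in the comments is the conventional location and is an assumption.

```shell
# Added example, not from the original post. Defaults point at the real sysfs/procfs
# files; pass other paths to run it against constructed sample data.

# Print the KVM module for this CPU vendor: kvm_intel or kvm_amd.
kvm_module_for() {
    cpuinfo="${1:-/proc/cpuinfo}"
    if grep -q 'AuthenticAMD' "$cpuinfo"; then
        echo kvm_amd
    elif grep -q 'GenuineIntel' "$cpuinfo"; then
        echo kvm_intel
    else
        echo unsupported
        return 1
    fi
}

# Normalize the "nested" module parameter: newer kernels print Y/N, older ones 1/0.
nested_state() {
    param_file="$1"
    [ -r "$param_file" ] || { echo module-not-loaded; return 1; }
    case "$(tr -d '[:space:]' < "$param_file")" in
        Y|1) echo enabled ;;
        N|0) echo disabled ;;
        *)   echo unknown; return 1 ;;
    esac
}

# Real-host usage (commands shown, not run here):
#   mod=$(kvm_module_for)
#   nested_state "/sys/module/$mod/parameters/nested"
#   sudo modprobe -r "$mod" && sudo modprobe "$mod" nested=1   # only works with no VMs running
#   echo "options $mod nested=1" | sudo tee /etc/modprobe.d/kvm-nested.conf   # survive reboots
#   virt-xml VM-NAME --edit --cpu host-passthrough
```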

krbtgt password reset – denied due to complexity

I was cleaning up a new directory and found the krbtgt account password hadn’t been reset for over two decades. When I tried resetting it, I could not due to complexity requirements.

Each DC in an AD domain runs a Key Distribution Center (KDC) service that handles all Kerberos ticket requests, and AD uses the krbtgt account's credentials to protect those tickets. This account is an important one and can be abused in attacks such as Golden Ticket attacks: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/how-microsoft-advanced-threat-analytics-detects-golden-ticket/ba-p/250341

Lies…

Upon trying to reset this password, I received the following error. I was using a 32-character randomly generated password that met every complexity requirement. Digging around, I stumbled upon this article from Microsoft: https://docs.microsoft.com/en-us/troubleshoot/windows/win32/change-krbtgt-password-may-fail

It states:
“If a custom password filter (for example, passfilt.dll) is installed on a domain controller, you may receive the following error when trying to change the password for the krbtgt account.”

“This occurs because there is special logic when changing the password for krbtgt. While the Active Directory Users and Computers (dsa.msc) snap-in allows you to enter a password, it won’t be used when changing the password. Instead, the Active Directory creates a long string of random bits to use as the password. Since this string contains random data and not Unicode characters, it fails the typical tests included in password filters. These tests typically include checking to see if the password contains a certain combination of upper and lower case letters, numbers, and punctuation.”

I checked. And sure enough, there was a password filter.

The Fix

Found in this post on Spiceworks: https://community.spiceworks.com/topic/2258213-we-are-unable-to-reset-the-krbtgt-password-after-installed-openpasswordfilter

Create a new Fine-Grained Password Policy with complexity disabled, and add DOMAIN\krbtgt as a subject of the FGPP and try again.

The Spiceworks post shows the details in PowerShell, so I've provided the GUI version. Hope this saves somebody a headache or two.

LAB: WAN Issues w/ Realtek + PFSense

It's a pretty common issue. Realtek devices are inexpensive and prolific, but they're flaky and not recommended by most. Paired with pfSense, they can make a pretty solid lab if you can get them working reliably. I went down the path of building out a new lab with a Gigabyte box as a pfSense one-arm router. I paired it with a managed PoE switch running a few Ubiquiti APs so I could power, and pull network traffic from, some IoT devices I was researching.

Every time my NIC was under load, the WAN interface would go down. Reloading the interface was a quick workaround, but the problem needed a permanent fix.

This was the solution: https://forum.netgate.com/topic/135850/official-realtek-driver-binary-1-95-for-2-4-4-release/19

Steps

Unzip the archive and place the "if_re.ko" file in the "/boot/kernel" folder.

Ensure the ownership and permissions on the if_re.ko file are set with:

  • chown root:wheel if_re.ko
  • chmod 0555 if_re.ko

Add this line to "/boot/loader.conf":

  • if_re_load="YES"

Reboot

Once you reboot, you can run kldstat to verify the driver is loaded. Most folks were having issues with "smart quotes" in their copy-pastes.

This solved all the stability issues I was experiencing in my lab.

Hardware

PFSense 2.4.4 on an ACEPC T11

I bought a silver ACEPC T11 for some lab work for $127 (link). It sports an Intel Cherry Trail Atom Z8350 quad-core CPU, 4 GB of RAM, 64 GB of eMMC storage, and a dual-band 2.4 GHz and 5 GHz wireless card. I tried booting off the pfSense media and it kept hanging at "ppc0: cannot reserve I/O port range". After poking around, I ran across this article: https://forum.netgate.com/topic/109447/zotac-ci323-installation-controller-failures/16

I rebooted and selected "3. [Esc]ape to loader prompt" on the boot menu. At the OK prompt, I entered:

set hint.uart.0.disabled="1"
set hint.uart.1.disabled="1"
boot

It booted right up and pfSense installed without any issues.
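Both the if_re_load line from the Realtek post above and the uart hints entered at the loader prompt here end up as key="value" lines in a loader config file, so here is one added helper (not from either post or from pfSense) that adds such a line only once, replaces the value if the key already exists, and refuses the curly "smart quotes" that tripped people up. The file path is a parameter; the posts use /boot/loader.conf, and the comment mentioning /boot/loader.conf.local reflects pfSense's documented file for custom loader settings.

```shell
# Added example, not from the original posts. Manages key="value" lines in a
# FreeBSD/pfSense loader config file given as the first argument.

# Return success only if the proposed line is plain printable ASCII
# (curly quotes from a copy-paste are multi-byte UTF-8 and get rejected).
is_clean_line() {
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# ensure_loader_line FILE KEY VALUE  -> FILE contains exactly one KEY="VALUE" line
ensure_loader_line() {
    file="$1" key="$2" value="$3"
    line="$key=\"$value\""
    is_clean_line "$line" || { echo "refusing non-ASCII line: $line" >&2; return 1; }
    [ -f "$file" ] || : > "$file"
    # Exact prefix match on KEY= (no regex, so dots in hint.uart.0.disabled are literal)
    if awk -v k="$key" 'index($0, k "=") == 1 { f = 1 } END { exit !f }' "$file"; then
        awk -v k="$key" -v l="$line" 'index($0, k "=") == 1 { print l; next } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        echo "$line" >> "$file"
    fi
}

# Verify the driver file has the ownership/mode the post calls for (root:wheel, 0555).
# Uses FreeBSD's stat -f; on Linux the equivalent would be stat -c '%U:%G %a'.
check_if_re_perms() {
    stat -f '%Su:%Sg %OLp' "${1:-/boot/kernel/if_re.ko}" | grep -q '^root:wheel 555$'
}

# Real-host usage (pfSense keeps custom settings in /boot/loader.conf.local so they
# survive its regeneration of /boot/loader.conf):
#   ensure_loader_line /boot/loader.conf.local if_re_load YES
#   ensure_loader_line /boot/loader.conf.local hint.uart.0.disabled 1
#   ensure_loader_line /boot/loader.conf.local hint.uart.1.disabled 1
#   check_if_re_perms && echo "if_re.ko permissions OK"
```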

Next, I’ll be ripping it open and installing external wireless adapters and an SSD for storing pcaps.

dns.msftncsi.com DNS Requests Every Few Seconds

Over the weekend, I updated my wireless router to the latest revision of ASUSWRT-Merlin. I also decided to update my DietPi Pi-hole to their latest builds. Due to a full code rewrite of DietPi, that meant a complete rebuild of the system. The ASUSWRT-Merlin release also suggested resetting to factory defaults due to some major changes. Everything was about to be new again.

Once I got everything rebuilt and running, I noticed requests coming from my firewall to my DietPi every 10 seconds or so for dns.msftncsi.com. I immediately assumed this was some Microsoft telemetry noise on my network from MS NLA. However, the queries were coming directly from my firewall, which seemed odd. Another search led me to a post on the Pi-hole Discourse. After I ran nvram show | grep dns_probe, it was clear I had found the culprit.

[email protected]:/tmp/home/root# nvram show | grep dns_probe
dns_probe_host=dns.msftncsi.com
dns_probe_content=131.107.255.255 fd3e:4f5a:5b81::1

I ran the following three lines and confirmed the traffic stopped. No reboot was necessary. The first post I read recommended setting dns_probe_content to 0.0.0.0 and dns_probe_host to "" (effectively blank). I later found a post by RMerlin explaining that setting dns_probe_content to blank disables the watchdog service, which in turn disables the dual WAN feature. It makes sense that dual WAN would require a watchdog service. So, if you use dual WAN, don't do this. Otherwise, you should be fine.

[email protected]:/tmp/home/root# nvram set dns_probe_content=
[email protected]:/tmp/home/root# nvram set dns_probe_host=
[email protected]:/tmp/home/root# nvram commit

RPM/yum Database Corruption

I jumped onto my server and noticed a few out-of-date packages. A quick % sudo yum update reported the following:

error: rpmdb: BDB0113 Thread/process 12323/139745043400512 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db5 - (-30973)
error: cannot open Packages database in /var/lib/rpm
CRITICAL:yum.main:

Fortunately, the fix was easy:
% sudo rpm --rebuilddb

Once complete, yum update worked like new.

Weekend Reading – April 22, 2016

Blogs / News

Weekend Reading – April 15, 2016

Blogs / News

Weekend Reading – March 25, 2016

Conference / Meetups

Blogs / News