Archive for the ‘Troubleshooting’ Category

Viewing cached credentials, clearing cached credentials, preventing cached credentials

Microsoft Windows caches domain credentials (usernames and passwords); see Microsoft article KB913485 for details. These credentials are stored in the local computer’s registry. This article applies to Windows 7 and 8; a separate version of this article covers Windows 10.

Viewing cached credentials: In the registry, grant your user account full permission to HKEY_LOCAL_MACHINE\Security. By default, only the System account has permission to the Security key. Refresh Regedit (you may need to close and relaunch it), then open the key. The cached credentials are under HKEY_LOCAL_MACHINE\Security\Cache. Up to ten credentials can be cached, and these are stored in the binary values NL$1 through NL$10.

Clearing cached credentials: Zeroing out an NL$x binary value clears that cached credential.

Preventing cached credentials: Deleting the NL$1 through NL$10 binary values prevents credentials from being cached.
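As an added example (not part of the original post), the PowerShell below reports how many logons the machine is allowed to cache and, when it has access to HKLM\SECURITY, how many of the NL$ slots actually hold something. It is read-only: it does not zero or delete anything, so it is safe to run before and after the steps above to confirm they took effect. The CachedLogonsCount value it reads is the registry side of the policy "Interactive logon: Number of previous logons to cache", which is the supported way to limit caching; the PsExec suggestion in the error text is an assumption about the tooling you have available.

```powershell
# Added example, not from the original post: audit cached domain credentials.
# Read-only; zeroing/deleting the NL$ values is left to the administrator.

# Policy "Interactive logon: Number of previous logons to cache" (default 10)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$count = (Get-ItemProperty $winlogon).CachedLogonsCount
"CachedLogonsCount policy value: $count (0 disables caching)"

# NL$1..NL$10 live under HKLM\SECURITY\Cache; by default only SYSTEM can read
# them. An all-zero blob is an empty (or already cleared) slot.
try {
    $cache = Get-ItemProperty 'HKLM:\SECURITY\Cache' -ErrorAction Stop
    $inUse = 1..10 | Where-Object {
        $blob = $cache."NL`$$_"
        $blob -and (@($blob | Where-Object { $_ -ne 0 }).Count -gt 0)
    }
    "Cached credential slots in use: $(@($inUse).Count) of 10"
} catch {
    # Assumption: PsExec (Sysinternals) is available to run a shell as SYSTEM
    "Cannot read HKLM\SECURITY\Cache as $env:USERNAME; run as SYSTEM (e.g. PsExec -s) or grant access as described above."
}
```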


Viewing and releasing file handles

Ever try to delete a file and get a message such as “cannot delete: it is being used by another person or program” or “the action can’t be completed because the file is open in another program”? The solution is to find the file handle that holds the lock and release it.

Handle.exe is a free utility available from Sysinternals that allows you to find, view, and close file handles. Of course, if you can, it is better to close the handle with the application. But if the handle is hung or must be closed manually, Handle.exe is the way to go.

Running handle.exe <name> lists the processes holding handles whose path matches the name. The syntax to close one is handle.exe -p <process ID> -c <handle ID> -y. For example:

C:\Toolbox>Handle.exe plugin.jar

Handle v3.2
Copyright (C) 1997-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

firefox.exe pid: 5508 5B4: C:\Java\jre5\lib\plugin.jar
java.exe pid: 4632 638: C:\Java\jre5\lib\plugin.jar
java.exe pid: 6332 628: C:\Java\jre5\lib\plugin.jar

C:\Toolbox>Handle.exe -p 5508 -c 5b4 -y

Handle v3.2
Copyright (C) 1997-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

5B4: File (RW-) C:\Java\jre5\lib\plugin.jar
Handle closed.

C:\Toolbox>Handle.exe plugin.jar

Handle v3.2
Copyright (C) 1997-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

java.exe pid: 4632 638: C:\Java\jre5\lib\plugin.jar
java.exe pid: 6332 628: C:\Java\jre5\lib\plugin.jar

C:\Toolbox>

(Edited 2009-12/28 with the updated URL to download Handle.exe.)
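Closing a handle out from under a running process is a last resort, so it helps to see every owner before deciding. The PowerShell below is an added example (not part of the original post, and not a Sysinternals tool): it runs Handle.exe against a name fragment and turns the listing into objects, with the matching close command attached to each row for reference. It parses the line format shown in the transcript above (and tolerates the extra "type:" column newer Handle versions print); the path to Handle.exe is an assumption.

```powershell
# Added example, not from the original post: list owners of a file handle.
function Get-FileHandleOwner {
    param(
        [string]$NameFragment,
        [string]$HandleExe = 'C:\Toolbox\Handle.exe'   # assumed location
    )
    & $HandleExe $NameFragment 2>&1 | ForEach-Object {
        # e.g. "firefox.exe pid: 5508 5B4: C:\Java\jre5\lib\plugin.jar"
        # Newer versions insert "type: File" between the pid and the handle.
        if ($_ -match '^(?<proc>\S+)\s+pid:\s+(?<pid>\d+)\s+(?:type:\s+\S+\s+)?(?<handle>[0-9A-Fa-f]+):\s+(?<path>.+)$') {
            New-Object PSObject -Property @{
                Process  = $Matches.proc
                PID      = [int]$Matches.pid
                Handle   = $Matches.handle
                Path     = $Matches.path.Trim()
                # The command you would run only after trying to close the
                # file from within the owning application first.
                CloseCmd = "$HandleExe -p $($Matches.pid) -c $($Matches.handle) -y"
            }
        }
    }
}

Get-FileHandleOwner 'plugin.jar' | Format-Table Process, PID, Handle, Path -AutoSize
```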

Move an OS, set the IP, and see the IP address you have entered is already assigned

You did something. Maybe you replaced a network adapter on a physical server. Maybe the server is a virtual machine, and you moved the VM to a new host. Maybe you restored an OS onto new hardware, or moved an OS on the SAN from one piece of server hardware to another. The result is that your network adapter is now set to DHCP.

You go into your Windows Server 2003 control panel, Network Connections, and pull up the properties of the network adapter. Open the properties of Internet Protocol (TCP/IP) and set the IP address. When you click OK, you get:

The IP address a.b.c.d you have entered for this network adapter is already assigned to another adapter ‘Some Ethernet Adapter’ on this computer. If the same address is assigned to both adapters and they become active, only one of them will use this address. This may result in incorrect system configuration. Do you want to fix the problem by entering a different IP address for this adapter in the list of IP addresses in the advanced dialog box?

You check the control panel and do not see any other network adapters. The reason is that, once removed, the old adapter is hidden from the Network Connections control panel, but its configuration, including its IP address, is retained.

The resolution is to make nonpresent devices visible and remove the old network adapter from Device Manager:

set devmgr_show_nonpresent_devices=1
start devmgmt.msc

When Device Manager opens, select View > Show hidden devices. Then browse to Network adapters and remove all of the adapters. Right-click the top node and scan for hardware changes. Your new network adapter will then reinstall itself, and you will be able to set the IP address without getting the error message.
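Before removing anything, it is worth confirming which ghost adapter is actually holding the address. The PowerShell below is an added example (not part of the original post): the TCP/IP stack keeps a registry key per interface GUID under Tcpip\Parameters\Interfaces, and those keys survive the adapter's removal, while Win32_NetworkAdapterConfiguration only reports adapters that are present. Any GUID with a static IPAddress in the registry but no matching SettingID in WMI is a nonpresent adapter that still owns an address. It only reads; the clean-up stays in Device Manager as described above.

```powershell
# Added example, not from the original post: find nonpresent adapters that
# still hold a static IP address. Read-only diagnosis, run on the affected host.

# GUIDs of adapters Windows currently knows about (present devices only)
$present = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.SettingID } |
    ForEach-Object { $_.SettingID.ToLower() }

# Every interface the TCP/IP stack has configuration for, present or not
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem $ifRoot | ForEach-Object {
    $guid = $_.PSChildName.ToLower()
    $p    = Get-ItemProperty $_.PSPath
    # IPAddress is a REG_MULTI_SZ; "0.0.0.0" means DHCP, not a static assignment
    $static = @($p.IPAddress) | Where-Object { $_ -and $_ -ne '0.0.0.0' }
    if ($static -and ($present -notcontains $guid)) {
        New-Object PSObject -Property @{
            Interface = $guid
            StaticIP  = ($static -join ', ')
            Status    = 'nonpresent adapter still holds this address'
        }
    }
} | Format-Table Interface, StaticIP, Status -AutoSize
```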

If this happens frequently, such as in a dynamic environment where Windows Server 2003 instances are getting shuffled around regularly, you can set nonpresent devices to be always shown. Add devmgr_show_nonpresent_devices=1 to the System Variables (My Computer, Properties, Advanced, Environment Variables, System Variables).

Load balance SSH

Load balance SSH without “Potential Security Breach” or “Someone Is Doing Something Nasty”

You set up a couple of servers with SSH and load balance them. Then Linux users start reporting that they are seeing “It is possible that someone is doing something nasty!” and Windows users say that PuTTY is complaining “Warning – potential security breach!” Why?

SSH uses an RSA private/public key pair. The public key is saved on the client as the SSH server's fingerprint. Linux users can find these keys under ~/.ssh/known_hosts and ~/.ssh/known_hosts2. Windows users can find the keys in the registry under [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]. The errors occur when two (or more) SSH servers answer to the same FQDN but use different private keys.

This is the same thing we see when we load balance Web servers. The workaround there is to export the private/public certificate from one computer and apply it to all computers in the load balanced set. The clients then receive the same certificate regardless of which computer their Web browser connects to.

The same workaround applies to load balanced SSH servers. Take the host key from one and apply it to all other SSH servers in the set. The files are /etc/ssh/ssh_host_rsa_key (private) and /etc/ssh/ssh_host_rsa_key.pub (public). You may also want to copy /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_dsa_key.pub if you are supporting DSA encrypted sessions.

A word of caution regarding the security and validity of the private keys. We had the same discussion with Web servers. The idea behind private/public encryption is that one (and only one) entity has the private key. This guarantees to the end user the identity of the remote end point. Copying the keys reduces that guarantee. Given that it is one entity (your organization) that controls the keys, and given that you are applying them only to a single DNS hostname backed by a single load balanced set, you should rest easy. Just take care not to copy the SSH keys to anything other than these servers.
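Once the keys have been copied, the check a practitioner wants is that every node in the set now presents the same fingerprint, so that no client will ever see the warnings below. The PowerShell that follows is an added example (not part of the original post): the xx:xx:…:xx fingerprint that OpenSSH 4.1 and PuTTY 0.54 display is the MD5 of the decoded public key blob, so the fingerprint each server will present can be computed from its ssh_host_rsa_key.pub alone. It assumes you have gathered each server's .pub file into a local folder, one file per server (for example .\hostkeys\node1.pub); the folder and file names are assumptions for this example.

```powershell
# Added example, not from the original post: verify that all nodes in a
# load-balanced SSH set present the same RSA host key.
function Get-SshMd5Fingerprint {
    param([string]$PubKeyLine)
    # An OpenSSH public key line is "<type> <base64 blob> [comment]".
    # The classic xx:xx:... fingerprint is the MD5 of the raw blob.
    $blob = [Convert]::FromBase64String(($PubKeyLine -split '\s+')[1])
    $md5  = [System.Security.Cryptography.MD5]::Create()
    $hex  = $md5.ComputeHash($blob) | ForEach-Object { $_.ToString('x2') }
    return ($hex -join ':')
}

# Assumed layout: one copied ssh_host_rsa_key.pub per server in .\hostkeys
$prints = Get-ChildItem .\hostkeys\*.pub | ForEach-Object {
    New-Object PSObject -Property @{
        Server      = $_.BaseName
        Fingerprint = Get-SshMd5Fingerprint (Get-Content $_.FullName | Select-Object -First 1)
    }
}
$prints | Format-Table Server, Fingerprint -AutoSize

$distinct = @($prints | Select-Object -ExpandProperty Fingerprint | Sort-Object -Unique)
if ($distinct.Count -eq 1) {
    "All $(@($prints).Count) servers present the same host key: $($distinct[0])"
} else {
    "Host keys differ across the set; clients connecting to the shared name will see host key warnings."
}
```

The same function can be pointed at a single .pub line to compare against the "Offending key" line in a user's known_hosts, which tells you whether a reported warning is the expected post-copy change or something to look into.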

OpenSSH client (4.1) error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@        WARNING: HOST IDENTIFICATION HAS CHANGED!        @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /home/me/.ssh/known_hosts to get rid of this message.
Offending key in /home/me/.ssh/known_hosts:xx
RSA host key for hostname has changed and you have requested strict checking.
Host key verification failed.

PuTTY (0.54) error message:

WARNING – POTENTIAL SECURITY BREACH!

The server’s host key does not match the one PuTTY has
cached in the registry. This means that either the
server administrator has changed the host key, or you
have actually connected to another computer pretending
to be the server.
The new key fingerprint is:
ssh-rsa 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
If you were expecting this change and trust the new key,
hit Yes to update PuTTY’s cache and continue connecting.
If you want to carry on connecting but without updating
the cache, hit No.
If you want to abandon the connection completely, hit
Cancel. Hitting Cancel is the ONLY guaranteed safe
choice.

Clearing a DNS server cache using VBscript and WMI

When troubleshooting a DNS server on Windows Server 2003, you may need to clear the DNS cache. This can be done from the GUI: dnsmgmt.msc, right-click the server, Clear Cache. Clearing the DNS cache can also be done from the command line: dnscmd %computername% /clearcache. Then again, you may want to clear it remotely using a script (or clear a number of servers at once).

The VBScript below will clear out the cache. It uses WMI to connect to the MicrosoftDNS namespace. If that namespace does not exist, as it will not on servers that do not have DNS installed, WMI will throw a 0x8004100E error (Invalid namespace). So the script first loops through the available namespaces to confirm that MicrosoftDNS is present. If it is, the script connects and executes the .ClearCache() method.

'-----------------------------------------------------------------
' Name:   dnscachecls.vbs
' Author: J Wolfgang Goerlich
' Date:   2004-08/03
' Description: Clear DNS cache using WMI
'-----------------------------------------------------------------

Option Explicit

' Dimension variables
Dim wmi         ' SWbemServices, WMI interface
Dim wns         ' WMI namespace
Dim wql         ' WMI Query Language
Dim computer    ' Target computer name
Dim oShell      ' WScript.Shell, used to read %ComputerName%
Dim results     ' WMI result collection
Dim namespace   ' One __NAMESPACE instance
Dim dns         ' One MicrosoftDNS_Cache instance
Dim isdnsserver ' True if the MicrosoftDNS namespace exists

' Get the computer name: first unnamed argument, else the local machine
Set oShell = WScript.CreateObject("WScript.Shell")
If WScript.Arguments.Unnamed.Count >= 1 Then
    computer = Trim(LCase(WScript.Arguments(0)))
Else
    computer = LCase(oShell.ExpandEnvironmentStrings("%ComputerName%"))
End If

' Confirm the server is a DNS server by looking for the MicrosoftDNS namespace
wns = "winmgmts:\\" & computer & "\root"
isdnsserver = False

Set results = GetObject(wns).InstancesOf("__NAMESPACE")

For Each namespace In results
    If namespace.Name = "MicrosoftDNS" Then isdnsserver = True
Next

If isdnsserver = False Then
    WScript.Echo computer & " is not a DNS server."
    WScript.Quit
End If

' Clear the DNS cache
wns = "winmgmts:\\" & computer & "\root\MicrosoftDNS"
wql = "Select * From MicrosoftDNS_Cache"

Set wmi = GetObject(wns)
Set results = wmi.ExecQuery(wql)

For Each dns In results
    dns.ClearCache()
Next

WScript.Echo "DNS cache cleared on " & computer
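For the "clear a number of servers at once" case, the PowerShell below is an added example (not part of the original post) that applies the same two-step approach as the VBScript to a whole list: check root for a MicrosoftDNS namespace first, so that non-DNS hosts are reported instead of tripping the 0x8004100E error, then call ClearCache on each MicrosoftDNS_Cache instance. The server names are constructed placeholders.

```powershell
# Added example, not from the original post: clear the DNS cache on several
# servers via WMI, skipping hosts that do not run the DNS Server service.
$servers = 'dns01', 'dns02', 'dns03'   # constructed placeholders

foreach ($computer in $servers) {
    # Enumerate namespaces under root rather than connecting to
    # root\MicrosoftDNS directly, which fails with 0x8004100E on non-DNS hosts.
    $namespaces = Get-WmiObject -Namespace 'root' -Class '__NAMESPACE' `
                      -ComputerName $computer -ErrorAction SilentlyContinue
    if (-not ($namespaces | Where-Object { $_.Name -eq 'MicrosoftDNS' })) {
        Write-Output "$computer is not a DNS server (or is unreachable)."
        continue
    }

    # One MicrosoftDNS_Cache instance per server; ClearCache() empties it.
    $cache = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Cache' `
                 -ComputerName $computer
    foreach ($c in $cache) { [void]$c.ClearCache() }
    Write-Output "DNS cache cleared on $computer"
}
```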