We're currently writing a tool aimed at checking the validity of credentials over various applications (http, ssh, smb, rdp). No problem for the first three. But for RDP, I couldn't find a single way of doing this easily.
The tool is embedded within a web app hosted on a linux box, therefore there is no X Server available.
The only tool I have successfully used to validate RDP credentials from the command line is THC-Hydra. By supplying a single username and password, it works correctly for older versions of RDP servers, or for those where Network Level Authentication has been lowered.
However, THC-Hydra seems to hang when checking RDP credentials for newest versions of Windows, or where Network Level Authentication has been hardened.
Medusa with a patched version of the rdesktop client fails as well (some servers require CredSSP, SSL, ...).
There's also nmap's ncrack, but for some reason I only get "READ" timeouts.
EDIT: I got Ncrack to work, however it fails - at least on Windows 2008 R2 (doesn't find credentials even when providing the correct ones).
Any clues to help me?
Cheers
Actually I found a reliable way to do that. It's always when you stop looking for something that you find it :)
Using the super awesome remote desktop client FreeRDP and the "+auth-only" switch. The exit status is 0 when authentication succeeds, 1 otherwise. There are also error messages that you can grep for.
Failed auth:
jrm@deb-jrm:~$ static/xfreerdp /v:10.0.0.1 /cert-ignore /u:MyUser /d:MyDomain /p:WRONGPASS +auth-only
Authentication only. Don't connect to X.
credssp_recv() error: -1
freerdp_set_last_error 0x20009
Authentication failure, check credentials.
If credentials are valid, the NTLMSSP implementation may be to blame.
Error: protocol security negotiation or connection failure
Authentication only, exit status 1
Authentication only, exit status 1
Valid auth:
jrm@deb-jrm:~$ static/xfreerdp /v:10.0.0.1 /cert-ignore /u:MyUser /d:MyDomain /p:GOODPASS +auth-only
Authentication only. Don't connect to X.
Authentication only, exit status 0
Authentication only, exit status 0
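An added example of how the auth-only check above can be wrapped for the Linux-hosted tool the question describes (this is my code, not the answerer's and not part of FreeRDP). It assumes the 1.x-style syntax shown in the transcripts (+auth-only, /v: /u: /d: /p: /cert-ignore) and that xfreerdp is on PATH; FreeRDP 2.x spells the switch /auth-only. The important design point is that only output carrying the "Authentication failure, check credentials." line is reported as a wrong password; a non-zero exit without it (negotiation failure, a hang against an NLA host, missing binary) is reported as "error", so reachability problems are never mistaken for invalid credentials. The runner argument exists so the classification can be exercised against constructed output without a reachable RDP host.

```python
import subprocess
from typing import Callable, Dict, List, Optional

# Marker FreeRDP printed in the failed-auth transcript above. Only output that
# contains it is reported as "invalid"; any other non-zero exit (negotiation
# failure, hang, missing binary) is reported as "error" so the caller does not
# mistake a reachability problem for a wrong password.
AUTH_FAILURE_MARKER = "Authentication failure, check credentials."


def build_argv(host: str, user: str, password: str, domain: Optional[str] = None,
               xfreerdp: str = "xfreerdp") -> List[str]:
    """Argument vector in the 1.x syntax used in the post (+auth-only, /d: for
    the domain). Assumption: FreeRDP 2.x writes the switch as /auth-only."""
    argv = [xfreerdp, f"/v:{host}", "/cert-ignore", f"/u:{user}"]
    if domain:
        argv.append(f"/d:{domain}")
    argv += [f"/p:{password}", "+auth-only"]
    return argv


def classify(returncode: int, output: str) -> str:
    """Map exit status plus captured output to valid / invalid / error."""
    if returncode == 0:
        return "valid"
    if AUTH_FAILURE_MARKER in output:
        return "invalid"
    return "error"


def check_rdp_credentials(host: str, user: str, password: str,
                          domain: Optional[str] = None, timeout: float = 20.0,
                          runner: Callable = subprocess.run,
                          xfreerdp: str = "xfreerdp") -> Dict[str, object]:
    """Run xfreerdp in auth-only mode and interpret the result.

    `runner` is injectable so the classification can be tested with
    constructed output; in production leave it as subprocess.run.
    """
    argv = build_argv(host, user, password, domain, xfreerdp)
    try:
        proc = runner(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # The Hydra-style hang against NLA hosts: report it, do not call the
        # credentials invalid.
        return {"result": "error",
                "reason": f"xfreerdp produced no verdict within {timeout}s"}
    except FileNotFoundError:
        return {"result": "error", "reason": f"{xfreerdp} not found"}
    output = (proc.stdout or "") + (proc.stderr or "")
    return {"result": classify(proc.returncode, output),
            "exit_status": proc.returncode, "output": output}


if __name__ == "__main__":
    import sys
    # usage: check_rdp.py HOST USER PASSWORD [DOMAIN]
    verdict = check_rdp_credentials(*sys.argv[1:5])
    print(verdict["result"])
```

Two caveats for a tool that sends real credentials: the password sits on the command line and is visible to every local user via ps for the lifetime of the process, so run the checker under a dedicated account and keep the process short-lived; and /cert-ignore means the credentials are sent to whatever answers on that port, so the check should only be pointed at hosts you already trust. Repeated failed checks against a domain account also count towards its lockout threshold.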
Using the same URI, credentials and WAPI endpoint ... I can make a successful call using Postman on my work laptop and get JSON results. On a Windows Server in my organization I'm using PowerShell's Invoke-RestMethod to reach out to IB. I don't really know if the error I'm getting is valid. The error I get from InfoBlox is:
403 Forbidden Forbidden You don't have permission to access /wapi/v1.0/ on this server.
...but here are a couple of observations to consider:
I'm using the exact same creds and links on my Laptop and it's working there. So the user I'm using on the Laptop side is making the call and getting results so I'm sure it has permissions.
If I put in an invalid userid/pw in my command I get the exact same error ... so it's as if it's not even trying to authenticate first before throwing that error.
My laptop lives in an ip range of 170.144.97.xxx .... my server lives in 10.250.152.xxx the IB server is in the 170.144.32.xxx space.
From my Windows Server I can ping the IB server...and a Test-NetConnection -Port 443 evaluates to true from my Windows Server.
In summary ... my Windows Server seems to see the IB Server ... but the IB server seems to be shutting down any request to use the API before it even tries to authenticate.
NOTE: I seem to recall from our IB guru, whom we lost a year ago, that there is some place to explicitly allow an IP address (or range) to use the API.
Thanks for any ideas!!!
I'm trying to connect to Snowflake using SSO. I am running the following script (from here):
import snowflake.connector

# Browser-based SSO: instead of a password, the connector opens the default
# browser so the login completes at the identity provider.
ctx = snowflake.connector.connect(
    user='<username>',
    account='<accountname>',
    authenticator='externalbrowser'
)
cs = ctx.cursor()
try:
    cs.execute("SELECT current_version()")
    one = cs.fetchone()
    print(one[0])
finally:
    cs.close()
    ctx.close()
The only change I have made is passing the authenticator='externalbrowser' argument (see this) to the connect method instead of password. (user and account cannot be left blank so I'm just putting in dummy strings).
After running the script it displays the following message but a browser tab never appears:
Initiating login request with your identity provider. A browser window should have opened for you to complete the login. If you can't see it, check existing browser windows, or your OS settings. Press CTRL+C to abort and try again...
Not sure if this is relevant, but if I leave it for a few minutes, the script ends with the following error:
snowflake.connector.network.RetryRequest: HTTP 403: Forbidden
I have seen similar questions, but not an answer that would resolve the issue yet.
That <username> likely should be an email address. See https://community.snowflake.com or https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-use.html#setting-up-browser-based-sso
With browser-based SSO, the Snowflake-provided client (for example, the Snowflake JDBC driver) needs to be able to open the user’s web browser. For this reason, the Snowflake-provided client and the client application that uses it need to be installed on the user’s machine. Browser-based SSO does not work if the Snowflake-provided client is used by code that runs on a server.
I assume you have provided the correct user name and password. If you are still getting this error, make sure you access the Snowflake account using the default browser (which the Python program is opening) and keep your SSO session active.
Now run your Python program and it should work.
There is nothing much required, and your code parameters look good:
authenticator='externalbrowser'
I'm trying to deploy an application via web deploy to a windows 2012 r2 server.
I first tried installing IIS and Web Deploy using the MSI. After getting an unreachable error I saw somewhere that I needed WMSvc to be installed, and installed it via the PowerShell command Install-WindowsFeature Web-Mgmt-Service.
I stopped getting the unreachable error and started getting this error:
Error: Could not complete the request to remote agent URL 'http://xx.x.xx.xx:8172/MSDEPLOYAGENTSERVICE'.
Error: The operation has timed out
On the server's Event Viewer, under System, I get the following error:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203.
Any idea of what could be going on? Did I miss something on the installation?
After this I also tried installing everything but without iis and I get the same error.
So, this is really not a PoSH issue.
Maybe you should consider moving this question to another forum.
Anyway, you have either real server config issues (this can sometimes mean wipe and rebuild, a very ugly option, but if it's a virtual machine and you have a snapshot, just roll back), or an app causing this.
Typically a Schannel type of error has to do with an application or service on the machine not being able to complete an SSL connection.
The error state parameter of 1203 means a client error connecting to the server, i.e. an invalid ClientHello from the client.
See if you can collect more data by...
https://support.microsoft.com/en-us/help/260729/how-to-enable-schannel-event-logging-in-iis
I realize this is an old question, but in case somebody runs into the same issue, here is my solution.
I had to follow these guidelines: https://learn.microsoft.com/en-us/aspnet/web-forms/overview/deployment/configuring-server-environments-for-web-deployment/configuring-a-web-server-for-web-deploy-publishing-web-deploy-handler
Copy the resulting publishsetting file. In the Publish/Profile page import it.
In the Publish/Connection page, change the server to the server address with the 8172 port. Add the password. Change the Destination URL to the site to go to after the publish is completed.
Then after Validate connection was completed, go ahead and publish it!
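An added diagnostic for the timeout and Schannel alert in the question; this is my code, not from either answer above or from Web Deploy. It assumes the target on 8172 is the Web Management Service, which only speaks HTTPS (the Web Deploy Handler at https://server:8172/msdeploy.axd), whereas the /MSDEPLOYAGENTSERVICE path in the error is the Remote Agent Service, a plain-HTTP endpoint on port 80. An HTTP client talking to 8172 sends plaintext where Schannel expects a ClientHello, which is exactly the fatal alert the event log records. The probe separates the two layers: does TCP connect, and does a TLS handshake complete, and if so with which certificate. Certificate validation is deliberately off because WMSvc uses a self-signed certificate by default; compare the reported fingerprint with the certificate selected under Management Service in IIS Manager.

```python
import hashlib
import socket
import ssl
from typing import Dict


def probe_tls(host: str, port: int = 8172, timeout: float = 5.0) -> Dict[str, object]:
    """Report how far a connection to host:port gets: TCP first, then a TLS
    handshake. Validation is switched off on purpose (WMSvc ships with a
    self-signed certificate); we only want to know whether TLS is spoken at
    all and which certificate comes back."""
    result: Dict[str, object] = {"host": host, "port": port}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["stage"] = "tcp_refused"        # nothing listening
        return result
    except OSError as exc:                     # timeout, unreachable, filtered
        result["stage"] = "tcp_failed"
        result["error"] = str(exc)
        return result

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            result.update(stage="tls_ok", protocol=tls.version(),
                          cipher=tls.cipher()[0],
                          cert_sha256=hashlib.sha256(der).hexdigest())
    except ssl.SSLError as exc:
        # Typical when the port answers in plaintext: "wrong version number".
        result["stage"] = "tls_failed"
        result["error"] = exc.reason or str(exc)
    except OSError as exc:                     # reset or timeout mid-handshake
        result["stage"] = "tls_failed"
        result["error"] = str(exc)
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    import sys
    # usage: probe_tls.py HOST [PORT]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8172
    print(probe_tls(sys.argv[1], target_port))
```

Reading the result: "tcp_refused" or "tcp_failed" means WMSvc is not listening or a firewall is in the way; "tls_failed" against a port that is open means something other than TLS is being served there; "tls_ok" with a fingerprint confirms the handler is up, and the remaining problem is the URL or credentials in the publish profile.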
Yesterday our extracts failed to refresh with the following message (image extract_error):
Failure: Failed 1 time. Sign in failed.
Resolution Details: Check the Data Connection page for necessary updates to an access token or embedded credentials.
I verified that all our passwords were unchanged and tested the connections, which were successful.
The tableau dashboards now give an error message saying:
HTTP 404:
Unable to connect to the server "localhost". Check that the server is running and that you have access privileges to the requested database. (image tableau_error)
Further, when I opened the Server Status page, I saw that one of our two VizQL, backgrounder and data servers was down. We have two of each and only one of them is active for all three. (image server_status)
So, I decided to remote desktop into the server and run the tabadmin status -v command and strangely it is showing that all processes are running. (image tabadmin_status)
Finally, I opened a case with the Tableau Customer Portal and let them know about this issue (they asked me to send them the log.zip file), but in the meantime I was trying to troubleshoot it myself. Any help would be really appreciated.
After trying a lot of things, one process seemed to work.
Stopped the tableau server
Configured it to run 1 Vizql server process instead of 2
Started the server again
Finally, it worked. The status page now shows all the processes are active.
Hopefully, this helps someone who is facing a similar problem.
This may be caused by a firewall issue. Since tabadmin status -v returned all as "running" the cluster is healthy and this is a false alert. The firewall rules could be allowing just the first port and not the entire range (see https://onlinehelp.tableau.com/current/server/en-us/ports.htm) to respond to requests from the application server to build that fancy table with the green and red boxes.
The firewall can be reverted/altered behind the scenes for a number of reasons, usually windows updates or regular group policy synchronization.
Try disabling the windows firewall (https://www.faqforge.com/windows-server-2016/turn-off-firewall-windows-server-2016/), or add an inbound rule allowing access to all ports if your org policy doesn't allow you to actually turn it off. (Follow the steps here, except use "All Local Ports" instead of "Specific Local Ports" https://www.parallels.com/blogs/ras/configuring-windows-server-firewall-for-parallels-ras/)
I had a similar problem and followed similar steps to those that Sravee mentioned above to bring all the processes back to active.
Stopped the server
Change the configuration for VizQL server from 2 to 1
Started the server
Enter the licence key (else the server status page will show unlicensed error)
Note: This does not bring the site back but this step is for 'tricking' VizQL server
Stopped the server again
Change the VizQL configuration from 1 to 2 now.
Start the server
Enter the license key
These steps did bring the server back to active for us. Posting in case it helps someone who faces the same problem. Thank you so much.
I'm integrating Bitvise client into my winform app. I am using Bitvise SSH Client command line (stnlc.exe in the app's directory) to do so. My app needs to have multiple connections at the same time.
It works well with some addresses, but with some others it doesn't. This is the command that I'm using:
"C:\Program Files (x86)\Bitvise SSH Client\stnlc.exe" -profile="C:\Users\AutoOffer\AutoOffer\bin\Debug\data\sshprofile.bscp" -host=<myhost> -port=22 -user=<username> -pw=<password> -ka=y -proxyFwding=y -proxyListIntf=127.0.0.1 -proxyListPort=<port>
And this is the error I got:
Bitvise SSH Client 6.45 - stnlc - free for individual use only, see EULA
Copyright (C) 2000-2015 by Bitvise Limited.
Connecting to SSH2 server XX.XX.XX.XX:22.
Connection established.
Server version: SSH-2.0-dropbear_0.46
First key exchange started.
ERROR: The SSH2 session has terminated with error.
Reason: Error class: LocalSshDisconn, code: KeyExchangeFailed, message: FlowSshTransport: no mutually supported key exchange algorithm.
Local list: "ecdh-sha2-1.3.132.0.10,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1".
Remote list: "diffie-hellman-group1-sha1".
I tried to connect manually by the Bitvise app with GUI and it successfully connected!
I also updated my bitvise version to the latest (6.45).
Local list: "ecdh-sha2-1.3.132.0.10,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1".
Remote list: "diffie-hellman-group1-sha1".
So it looks like the remote side just supports diffie-hellman-group1-sha1, which is not supported on your side.
On Bitvise SSH Server Version History I read:
The 1024-bit fixed prime Diffie Hellman key exchange methods, diffie-hellman-group1-sha1 and gssapi-group1-sha1 with Kerberos 5, are now disabled by default, due to doubts about continuing security of Diffie Hellman with a 1024-bit fixed prime. Compatibility with most older clients should be retained via the diffie-hellman-group14-sha1 method, which uses a 2048-bit fixed prime. We recommend migrating older SSH clients to new versions supporting ECDH and ECDSA.
So it looks like you have to modify the settings and allow the 1024-bit fixed prime Diffie-Hellman key exchange method; otherwise you will not be able to connect. As explained, it is of course better to change the SSH server settings.
Also, please note that running stnlc as a service is a possibility. With it, the tunnel can be started even without the user having to log on, and can be restarted upon dropping.
Be aware that wrapping and running stnlc as a service (using e.g. nssm or winsw) absolutely requires adding the unat=y option to prevent the service from going interactive and failing.
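An added example of the negotiation rule behind the KeyExchangeFailed error above, written by me and not taken from Bitvise or dropbear. It implements the SSH name-list rule from RFC 4253 section 7.1: the first algorithm in the client's list that the server also offers wins, and no common entry means the key exchange fails. It is applied to the two lists from the stnlc output, and it also reports which side would have to change, flagging diffie-hellman-group1-sha1 with the reason the Bitvise version history gives for disabling it. The WEAK_KEX table is my assumption about what a reviewer would refuse to re-enable.

```python
from typing import Dict, List, Optional

# Lists copied from the stnlc error output above.
CLIENT_KEX = ("ecdh-sha2-1.3.132.0.10,ecdh-sha2-nistp521,ecdh-sha2-nistp384,"
              "ecdh-sha2-nistp256,diffie-hellman-group14-sha1")
SERVER_KEX = "diffie-hellman-group1-sha1"

# Assumption for the policy check: methods a reviewer would not re-enable.
WEAK_KEX = {
    "diffie-hellman-group1-sha1":
        "1024-bit fixed-prime DH, disabled by default in current Bitvise",
}


def parse_name_list(name_list: str) -> List[str]:
    """SSH name-list: comma separated, order is preference (RFC 4253 sec. 5)."""
    return [name for name in name_list.split(",") if name]


def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 section 7.1: the first client-preferred algorithm that the
    server also lists is chosen; None means the exchange fails."""
    server = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in server:
            return name
    return None


def diagnose(client_list: str, server_list: str) -> Dict[str, object]:
    """Explain the outcome and which side could change to make it succeed."""
    chosen = negotiate(client_list, server_list)
    if chosen is not None:
        return {"status": "ok", "kex": chosen, "weak": chosen in WEAK_KEX}
    client = parse_name_list(client_list)
    server = parse_name_list(server_list)
    return {
        "status": "KeyExchangeFailed",
        # Methods the client would have to enable to match this server, each
        # annotated with the policy note (the fix the answer above describes).
        "client_could_enable": {name: WEAK_KEX.get(name, "ok")
                                for name in server if name not in client},
        # Methods the server could add so that no weak method is needed
        # (the fix the answer recommends instead).
        "server_could_add": [name for name in client
                             if name not in server and name not in WEAK_KEX],
    }


if __name__ == "__main__":
    print(diagnose(CLIENT_KEX, SERVER_KEX))
```

Run against the lists from the error, the client side has nothing to offer but the 1024-bit group, so the only client-side fix is to enable that weak method; the server-side fix is to add diffie-hellman-group14-sha1 or one of the ECDH methods, which is why the answer points at changing the server.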