Is there a way to verify that Kerberos is used?

I am using the System.DirectoryServices namespace for communicating with an ADAM instance. Part of the network within our organization uses Kerberos, while another part defaults to NTLM. We also have conflicting domains (both aliased ABC), which have different fully resolved names, of course.
Kerberos requires usage of fully resolved names, as far as I understand. My ADAM instances (multiple, replicated) are pointed to by WideIP, which resolves to different IPs for different regions. One of those WideIPs is serving "me" an alias instead of FQDN, which makes my ADAM go to the wrong domain.
The questions are:
- is there a way to verify that Kerberos is used in communication with that ADAM?
and
- is there a way to force Kerberos (which could be used to error out early)?
Thank you for looking at it.

A colleague of mine showed me a couple of good tools that did the job:
Wireshark makes tracing communications protocols a snap. Great tool. It traces net packets. You will see exactly where Kerberos digresses to NTLM.
KerbTray is somewhat useful too.
Hope it will help someone.
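The question asks how to force Kerberos so that a wrong (aliased) name fails early instead of silently falling back to NTLM. The following is an added example in C#, not code from the question or the answer: it uses the System.DirectoryServices.Protocols layer (LdapConnection) rather than the System.DirectoryServices DirectoryEntry the asker mentions, because its AuthType.Kerberos setting removes the Negotiate fallback; the host name and port are constructed placeholders.

```csharp
// Added example: a Kerberos-only LDAP bind to an ADAM / AD LDS instance.
// AuthType.Kerberos asks SSPI for the Kerberos package alone, so a bind that
// cannot obtain a service ticket fails instead of completing over NTLM.
using System;
using System.DirectoryServices.Protocols;
using System.Net;

static class KerberosOnlyBind
{
    // Returns true on a successful Kerberos bind; on failure returns false and
    // fills 'error' with the LDAP/SSPI message so the caller can fail early.
    public static bool TryKerberosBind(string fqdn, int port, out string error)
    {
        error = null;
        // fullyQualifiedDnsHostName: true tells the library that 'fqdn' is the
        // real host name; Kerberos needs it to build the SPN ldap/<fqdn>.
        var identifier = new LdapDirectoryIdentifier(fqdn, port,
            fullyQualifiedDnsHostName: true, connectionless: false);
        using (var conn = new LdapConnection(identifier))
        {
            conn.AuthType = AuthType.Kerberos;       // no Negotiate -> NTLM fallback
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.Signing = true;      // integrity protection on the session
            conn.SessionOptions.Sealing = true;      // confidentiality on the session
            conn.Credential = CredentialCache.DefaultNetworkCredentials;
            try
            {
                conn.Bind();                         // throws if Kerberos is unavailable
                return true;
            }
            catch (LdapException ex)
            {
                error = "Kerberos bind to " + fqdn + ":" + port + " failed: "
                      + ex.Message + " (server: " + ex.ServerErrorMessage + ")";
                return false;
            }
        }
    }

    static void Main()
    {
        // Placeholder FQDN; use the name the WideIP is supposed to hand out.
        if (TryKerberosBind("adam01.corp.example.invalid", 389, out var err))
            Console.WriteLine("Bound with Kerberos");
        else
            Console.Error.WriteLine(err);
    }
}
```

When the WideIP hands back a short alias for which no ldap/ service ticket can be obtained, Bind() throws rather than completing over NTLM, which is the early failure the question asks for.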

Related

PROXY protocol - test client /tool

Proxy Protocol is implemented by various software including of course HAProxy itself.
When testing from a host via a proxy, it would be useful to have a simple command-line tool to establish connections, controlling the various parameters.
I've looked at netcat, socat and other similar tools and it looks like it doesn't (yet) exist.
Does anyone know of a nice command-line testing tool?
As I couldn't find something, here's a start. Will add documentation etc. shortly.

Grpc C++ DNS overrides

I am trying to connect a grpc-c++ client to a grpc-c++ server. I already have a grpc-java client connected with working TLS so the server should be functioning correctly.
However, inside grpc-java there is a method, used when building a channel, named 'overrideAuthority'. From the documentation the method
"Overrides the authority used with TLS and HTTP virtual hosting. It does not change what host is actually connected to. Is commonly in the form host:port."
I was attempting to find something similar for the c++ client. However, so far all I have found is a function named set_authority() on the grpc::ClientContext as well as two options used with grpc_channel_args which are GRPC_ARG_DEFAULT_AUTHORITY and GRPC_SSL_TARGET_NAME_OVERRIDE_ARG.
None of these seem to have any effect on the authority at all. The server will always reject the connection with the error
No match found for server name: 0.0.0.0.
P.S. I am aware that I can add it to the common name on the certificate (and I will if I need to). However, if possible I would like to follow the same pattern as the grpc-java client.
GRPC_SSL_TARGET_NAME_OVERRIDE_ARG is the right channel arg. Please take a look at some of the tests https://github.com/grpc/grpc/blob/470a3066c74abc7c2a0a2cab3b35000b27b51af1/test/core/end2end/fixtures/h2_ssl.cc#L133
https://github.com/grpc/grpc/blob/470a3066c74abc7c2a0a2cab3b35000b27b51af1/test/cpp/end2end/xds/xds_end2end_test.cc#L1348
Additionally, if I remember correctly, this log just serves as a warning and does not result in disconnections. Please collect some more verbose logs https://github.com/grpc/grpc/blob/master/TROUBLESHOOTING.md. That might give more hints as to what's going on here.

Do OWASP CRS modsecurity rules prevent DOS as in these 2 scenarios?

From OWASP CRS (modsecurity) related docs (which I can find in the public domain) I can infer that brute force and DOS protection have been taken care of. However, I am not able to find specific details regarding the rules that prevent DOS. Currently, my server is experiencing brute force attacks of the below kind:
Same IP, Same Resource/Page At The Same Time
aa.bb.cc.dd 2021-04-27T07:01:37
aa.bb.cc.dd 2021-04-27T07:01:37
aa.bb.cc.dd 2021-04-27T07:01:37
Different IPs With Same Reverse DNS Host, Same Resource/Page At The Same Time. The first two octets of the IPs remain the same.
aa.bb.cc.dd 2021-04-27T07:01:37
aa.bb.ee.ff 2021-04-27T07:01:37
aa.bb.gg.hh 2021-04-27T07:01:37
Can someone experienced with OWASP CRS let me know if such attacks can be prevented with the CRS?
Update:
I am using apache 2.4. Regarding CRS, I am using version 3.3.0
You didn't write what HTTP server you use - that's important.
I think there are more solutions for your first item. CRS has the optional DOS protection, see this section of crs.conf. This can help you in other cases too, eg. if the resources are different.
Most HTTP servers provide other solutions too, eg. if you use Apache, check mod_evasive (most distributions provide this as a package). I do not know about a similar solution for Nginx.
Your second issue is rather a DDOS, because the IP addresses are different.
It's a bit out of scope, but you can check fail2ban (also supported by most distros) - maybe that can help you too.

How to capture loopback traffic in Windows Server 2008

Setup:
I have client C connecting to server S
Both C and S are on the same machine
In C the server address is hardcoded to 127.0.0.1. Likewise, in S the client address is hardcoded to 127.0.0.1
Problem:
I want to be able to sniff the traffic between the client and the server.
Due to the configuration, I cannot move the client nor the server to different locations (the addresses are hardcoded)
Installing the loopback interface and using tools like Wireshark+WinPcap doesn't lead anywhere (was actually already known but was worth a try)
RawCap, suggested in another topic, doesn't work. IP 127.0.0.1 is listed, but does not record any traffic.
Using rinetd to route the traffic elsewhere, as suggested here doesn't work (cannot bind on 127.0.0.1)
Not interested in using an HTTP local proxy, such as Fiddler, because I'd like to capture other protocols as well
Two commercial tools work, specifically CommView and Local Network Monitor, which means it must be possible to do that ;)
How can I capture the traffic?
Any pointers on functions I should use or documentation I should read?
Thanks!
Basically you need to write a TDI filter driver to achieve that... for some pointers see:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff565685%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff563317%28v=VS.85%29.aspx
Another option is to write a WinSock LSP.
BEWARE
Since Windows 8 it is strongly encouraged to use WFP (Windows Filtering Platform) for this sort of thing...
Although it might be more cost-effective to just use/buy an existing solution - esp. if you are not a very experienced driver developer...
Use RawCap, which can solve your concerns, see this

Can I create a socket application on a hosting service?

I need to develop a server side application that opens sockets and manages communication with multiple clients. Previous answers have told me this is possible using a single script file, which loops forever.
Is this possible using only a PHP/Perl/Python hosting service? Or would I need a VPS or shell access?
Any help is appreciated since I've never worked with sockets before. Thanks for your time.
Cheap Perl/PHP hosting services don't want you running your own long-running processes.
This means you will need a VPS (which obviously includes a shell account since you can do anything you want on your private server). A few VPS providers might block the outgoing IRC port but I think that is rare.
Linode and Slicehost/Rackspace are just two examples of very, very well run VPS service providers and I guarantee you can run your own socket application on them.
It would make your host very unhappy since their CPU time is valuable! If you use shared hosting, your host might just kick you out for such a solution! (Read your contract for the fine details.)
I think it could be possible but it depends on the setup of your host, plus the permissions your host is granting you. And most will be unhappy about anything that runs forever. (They prefer to see just short, simple applications.)
Usually the service firewall will block any unexpected ports, or if they are not doing it now they will start doing it after they figure out what you are doing and decide they don't like it.
I would say no because it involves too many security problems