Network Probe

๑ Deleting the Win32_Product WMI Class to hide local software installed

2010-09-11T17:30:00.000-07:00

I know very few people have had the need to delete WMI Classes, but incidentely i was once one of them, why? Well, WMI is a great resource to obtain information about remote machines, so perhaps you just like to be selective on what to provide from yours, right?

Various network administration tools take advantage of the WMI component to know how their co-workers computers are doing, or what the co-workers are doing with it. This information is passed to those tools trough the WMI Classes. So suppose you don't want to tell them what software you have installed on your computer, then, without stoping WMI service ( leading to the administrator knowing that there was a scan error with your machine ) you can instead delete the WMI CLass Win32_Product and Win32_ProductCheck, lets see:

On the command line:

c:\> wbemtest

( the wbemtest window pops up on Windows)

Click Connect, and where it says root\default replace with root\cimv2 press OK

Now press the button Enum Instances... and you should see:

There enter Win32_Product and accept, you should see a bunch of entries like this:

You can conclude that Win32_Product class is announcing that i have, among lots of other stuff, Microsoft Office installed.

To stop this class from reporting software, the simpler solution i know is to delete the class. Just press where it says Delete Class and enter it's name, but beware: I don't think there is a practicall way to reinstall this class again unless you fully reinstall WMI. So proceed wisely.

Of course, there are other ways to obtain the installed software on your machine remotely. :)

Thanks for reading

Stopping All Services Backup Exec 2010 - Job Cancel Pending

2010-09-04T09:17:00.000-07:00

This happened to me the other day while i was changing settings for a BE Job. As soon as i hit submit button the job would go to run mode. My fault as i had to define a schedule or submit the job "on hold" first.

When i realize the job was running i right clicked the job to cancel it while it was still in the "pre-processing" fase. But the job would not stop. I tried several approaches, including stopping all services from the BE management console:

And starting them again, but to my surprise the BE server and engine services would not start. Viewing event viewer this was what we got:

Little to no help. After reading symantec words on the subject and before believing the only solution was to restart the server ( after applying the supposed hotfix ) we decided to give it a last shot as we found out that the services woud not start because another process was taking over the 3527 Port and supposedly all we had to do was terminate this connection using a CurrPorts aprroach:

But the connection would not terminate, the process name was System and thus the unability.

Restarting the server was what ultimately fixed it. Perhaps disabling the network interface and clearing the arp cache would have helped tough.

Thanks for reading

Taken from http://netprobe.blogspot.com/

Disabling Multiple RDP Session with same User

2010-09-04T08:59:00.000-07:00

In order to disable multiple RDP Sessions with the same user, enable the restrict each user to one session option. This way you disable concurrent connections from the same users.

With this option enabled, you can still login another session, called a console session. Be aware tough if you do this in a production environment, depending on your software environment and applications running on one RDP Session for user "x", opening the console session for that same user "x" can lead to your custom apps malfunctioning. Happened to me with a VB6 application running in debug mode.

Taken from http://netprobe.blogspot.com/

Panda Desktop HTTP Updates / Ports Used

2010-09-04T08:48:00.000-07:00

Well, Panda products documentation altough it's pretty extensive sometimes do not tell you much. For instance, you want to know what ports are required for Panda Desktop to be able to periodically update it's definitions, what are these ports? This is what i will briefly discusse only based on my findings

If you have deployed Panda Antivirus Product in your company then you probably have configured a repository from which Panda Clients are able to fetch periodic updates. This repository can be configured trough regular network shared folder resources, or trough HTTP repository, where you may have a tomcat server serving the client requests. This second alternative is better, as the first one will lead to more unnecessary overhead ( ref.) .

After clients are deployed automatically, a .ini file is configured in each client machine containing a reference to the original server.

This server is the server the clients will query for updates, sending packets trough port 19226 (folder repository), if it does not succed he will try http repository port 8080, if it does not respond, he will try http repository with port 80:

If it still does not respond he will query the internet, where?

1. Regedit.exe

2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software\Panda Administrator 3.0\PLAgent

URL is listed on the right side.

The username and password to access the updates are also defined here, altough encrypted.

In sum, the following ports are used from the client side, depending on your infrastructure scenario:

Port 19226

Port 80

Port 8080

This information was gathered using the tool CurrPorts and log analysing.

Panda logs are located in Pavupg folder. The file is called PAVupg.log

To get a detailed log use the command:

Pavupg -c:ALL

It will then try to update the virus definitions and you can analyse the results too.

Taken from http://netproble.blogspot.com/

SMB:R; Tree Connect Andx - DOS OS Error, (5) ACCESS_DENIED

2010-09-04T08:26:00.000-07:00

Konica Bizhub 350 - Scan to network Folder

Are you scanning to a network folder and wondering why the files are not there when all the configurations are correct?

What needs to be done to allow a Canon/Konica/Minolta, in this case a Minolta Bizhub 350 to send PDF files over the network to a share folder in a server?

SMB Signing is what this is all about, it was a security measure ro respond to man-in-the-middle attacks.

http://www.mcseworld.com/forums/showthread.php?p=53765

SMB Signing and Security:

http://www.networkworld.com/community/node/56638

http://www.littlepud.com/windows-information/windows---smb-signing

http://blogs.technet.com/b/jesper_johansson/archive/2005/11/22/414976.aspx

If your printer does not support SMB Signing you have to choices to allow end users to fetch their scans:

1 - Disable SMB Signing one the remote server that was configured in the printer. For that you need to go to regedit HKLM\System\CurrentControlSet\Services\ Lanmanserver\Parameters and change o RequireSecuritysignature to 0 to disable SMB Signing ( restart not needed), you can observe the successfull ( or unsucsseful connection attempt with Microsoft Network Monitor )

2 - And probably much more confortable. Send directly to user's email and forget SMB Signing ( keeping your servers safe )

Here is a successfull connection attempt:

Taken from http://netprobe.blogspot.com/

Thanks for reading

PHP file_exists function bug and Domain Migration

2010-05-02T09:29:00.000-07:00

First of all, let me say this is NOT a bug report. Just a friendly title to someone who might be asking themselves the same thing.

The other day i was reported that our Intranet website was not working properly. I looked at the PHP code to see if everything was in order and runned a few tests with variable placing inside the file_exists and the function was returning false when the file actually existed. Why is this i asked?! Eventually i found out, there was no bug or change in the code.

We had at our corporate environment migrated the domain and Intranet was running smoothly for 2 weeks. At the end of the 2 weeks the old domain was shutdown. Only by the third day this Intranet communication came to me, but the answer was that in the IIS manager for the Intranet Server, on the corresponding website properties, whe still had issues in the "Directory Security" tab, there was a user still there from the old domain.

The file_exists was trying to access the path with a user that was no longer valid, returning false on the function as it had no permissions.

Hope this helps

Taken from http://netprobe.blogspot.com/

CISCO Pix Device Manager Export List to File

2010-05-02T09:07:00.000-07:00

This manager's interface is little intuitive thus why i decided to add this title to Google Search Engine with a few questions and answers here

Can you use PIX Manager interface to perform querys to the DB entries?

Can you run reports from the firewall to create an excel sheet ?

No, not that i know of..

So how do you do if you want to export a list containing all the entrys from your PIX Firewall? Do you have to look individually one by one?

Fortunely no. Just go to File and Choose "Save Running Config to a new window"

If you are unsure about this and are afraid that it will write to NVRAM don't, this will generate a file with the firewall users and groups and ask you for a location to save it.

Reference:
http://www.scribd.com/doc/4638699/Cisco-PDM

Taken from http://netprobe.blogspot.com/

Can't view desktop shortcuts over the network, why?

2010-05-02T08:46:00.000-07:00

Hello,

There are no stupid questions and certainly this is not one of them. The other day a friend of mine was accessing remotely to the C$ share on a computer, trying to access the Desktop folder from the user "Centrino" , altough he knew that Centrino had shortcuts on the Desktop, entering this folder he could not see them. What the heck - He tough. Why is that?

The answer is pretty easy:

Shortcuts from all users are not replicated for each user account and probably before Centrino User was called Centrino he was Called Something else. Why again? Because if someone renamed his account in Active Directory from "Intel" to "Centrino", the SID actually will be the same. So nothing will change on the computer side, meaning that documents and settings will still point to Intel's folder.

You can check this in regedit at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList

There you will see a bunch of SID's, to know what is the SID of Centrino user please check here

At this point you will know what is the correct Image Path on the computer for that user, and if you like to, change it from Intel to Centrino, altough there are some implications with active directory, so if you are unsure of what you are doing don't mess around.

Taken from http://netprobe.blogspot.com/

Getting SID from USER and USER from SID

2010-05-02T08:37:00.000-07:00

Sometimes when administrating a network there is a need to know which code belongs to the USER for the operating system. this code is regarded as the SID or Security Identifier.

Getting USER from the SID:

You can use a tool called Sid2user
http://www.chem.msu.su/~rudnyi/welcome.html

Usage:
sid2user [\\computer_name] authority subauthority_1 ...

Getting SID from the user:
You can use a tool called User2sid
http://www.chem.msu.su/~rudnyi/welcome.html

Usage:
user2sid [\\computer_name] account_name

Taken from http://netprobe.blogspot.com/

○ Executing commands remotely

2009-11-28T12:25:00.000-08:00

RDP - Remote Desktop Protocol is a great resource to remotely administer a computer, TightVNC or UltraVNC also are great resources, that have their advantages in comparison with RDP, but sometimes we just want a remote command-line solution so that there is no interferance with what users using that remote machine are doing.

There are two solutions for this, the first one is to use the wmic command with the help of the Win32_Process class:

wmic /USER:Domain\user /PASSWORD:pass /NODE:"computer" process call create cmd.exe

If you get "Invalid global switch" error check to see if your computer name is within quotes and USER, PASSWORD and NODE are UPPERCASE letters otherwise it won't work ( it didn't when i tried )

The other solution is to use sysinternals pstools, namely, psexec. This tool is a must for any network administrator, usage would be something like:

c:\> psexec \\machine -u domain\user -p pass command

where machine is the machine name, use quotes if it's something like "Desk-NR-1"

where pass is the password for the domain\user

where command is the command line you would write if you where on the other computer, for total command line freedom use "cmd" as the command to have the remote command line on your computer.

Thank you for reading

○ Updating Panda Client from a migrated Server

2009-11-09T14:46:00.001-08:00

If you have migrated your AV Server, in other words your Admin Secure Console to another server, but now your clients are still pointing to the old server, you have to redistribute the client to the several worksations. To do this, you will have to go to:

Tools -> Distribute Agents (or similar) -> Troubleshoot Distribute Agents

Then a wizard pops up guiding you on the method for rearranging these broked clients.

Rearranging clients may take a while so be patient. Beware tough, port 19226 needs to be opened from the server to the client.

To make sure you don't have this port blocked do a telnet to any client on this port using the command line:

telnet client 19226

Where client is the computer name of a Panda client in your network.

If the command line window shows a blinking dash the port is not blocked and you should be Ok.

Taken from http://netprobe.blogspot.com/2009/11/updating-panda-client-from-migrated.html

○ Unauthorized or Illegal IP Public IP Addresses on Private Network

2009-07-25T10:02:00.000-07:00

Yes, they are out there on private networks. Luckily, routers do not route these packets outwards because they already know the interfaces to which those Illegal IP's are.

I say illegal but they are only illegal from an RFC point of view.

I remember a while back trying to look for information about these RFC illegal networks but not finding anything relevant.

I have been on a company that had been implemented with this scenario. They had IP from 190.1.X.X to 190.5.X.X . Even worst these were class B IP Addresses for a small to medium sized company with just over 100 employees.

What happened in theses cases was that altough the routers were routing correctly, the DNS Servers were getting their entries for the local domain hosts from the internet. So, depending on which hostname would register with the Internet's cached DNS, this host could not be reached from another by it's DNS name. Fortunely, NETBios was still in tha game and allowed other computers to ping and whatever to those trough their NetBios name. Nevertheless, caotic in my opinion. Useless to say that any computer in this network could not access outsite resources when these resource IP's were within these Class B ranges. What a mess, like it was not enough datacenter's switch wiring was all messed up as well.
Funny example:

A big restructuring for this network topology was issued some time later which i was a part of to deploy VLAN's and reformulate the entire infrastructure, from Class B to Class C and from Illegal to Legal Addresses ( Reserved Addresses for Private Networking ). Big adventure i tell you, but definitely payed off. Much better.

○ SMI2SMIR Information / Purpose

2009-06-27T09:32:00.000-07:00

I will assume that if you got here you already understand "computer systems terminology" so i won't get into detailed explanations, but will just write here what i know about this. To make things brief, SMI2SMIR is a WMI partial dependency. There is a script from microsoft, the WMDiag.vbs, that allows you to check if WMI is properly installed on a given computer. If you run WMDiag.vbs on a computer with SMI2SMIR missing you will be given the following lines on the resulting log:

WARNING: WMI System file 'C:\WINDOWS\SYSTEM32\WBEM\SMI2SMIR.EXE' is MISSING or is access DENIED but it is an OPTIONAL component.

So, altought it's part of WMI, as it is not a must, you could still query a remote machine for info.

For more information:

http://technet.microsoft.com/en-us/library/cc180795.aspx

Thank you for reading

Taken from http://netprobe.blogspot.com/2009/06/smi2smir-information-purpose.html

#139 NetBios Network Scan

2009-06-27T09:04:00.000-07:00

One of my favorite apps to scan networks for shared resources is this Netbrute application. Free, quick and dirty. There are others but i use this for so long and it's so practical ( with just half a KB) that i have never forget about it. The portscan tab does not allow you to add ports to the port list for full port scans, and the Webbrute tab is usefull to check http server responses but besides that i don't use it for anything else. It's still a very nice application tough.

๑ Simple ideas to help identify devices on a network

2009-06-27T08:56:00.000-07:00

I will begin this post by recommending the Solarwinds free tool IP Address Tracker that helps you to scan, track, and consolidate your IP address network information in one easy place.

On a medium sized network, some devices may not present you much information, and when in doubt about a particular ip address you can see if port #139 (netbios-ssn) is opened using a very neat app called NetBrute.

If it is, probably it is a computer and is sharing it's local resources, folders and printers over the network. For further inspection, you can try this address on your windows explorer address bar:

\\ipadress\c$

If you have domain administrator rights and that ip address is on your domain you can check what users are using that computer via C:\documents and settings\ folder.

If that doesn't work probably port 139 is closed, and it may be a printer device. Usually tough, printers configuration page is set trough http service so port #80 should be opened and http:\\idadress should lead you to that configuration page where you can see the printers name.

.Usually large printers however have another way to communicate their info trough the SNMP protocol. There are SNMP explorer apps out there that basically scan your network using a community string to fetch information about the various SNMP devices present on your network. Solarwinds for instance provides such tools.

.SNMP is not present in printers only, Cisco Switches, routers, hubs and bridges also use SNMP protocol to show and manage network information. SNMP is A MUST to obtain immediate states from your devices, for instance, if you want to see if the printer is printing anything in that right instance SNMP is the protocol to communicate to. I'm planning on writing a simple article about SNMP soon, demystifying it, as in general info. about SNMP is somehow mystified, i think.

Another protocol of interest, or maybe i should say service in this case, is the windows management instrumentation (WMI) that computer systems with windows operating systems from Windows NT 4.0 SP4 forward have, is a great tool to send information about computers using WMI Classes.

Thanks for reading

๑ What is the purpose of the port # 5002 ?

2009-06-27T08:10:00.000-07:00

Ports are like bridges between the physical network and applications/services on the computer. It's a way for the computer to know what type of data is destined to what service. TCP/IP packets contain information for what port that information is sent. There are several of well known ports out there. The Well Known Ports are those from 0 through 1023. For a list of well known and not well known ports and it's associations check here

As you can see this 5002 port is not even in that wikipedia page so it is definitely a not well known port.

Information about this port and it's purpose is almost unvailable, so i tought i would write something about it as best as i can. The port 5002 is associated with the RFE service, so this is where this discussion will lean.

What's the purpose of the RFE service or what's the RFE for?

RFE stands for Radio Free Ethernet and it was projected on early 90's. It's based on a UDP port meaning that the it isn't connection oriented ( errors have to be managed on the application side ) Here's a quick def:

"Radio Free Ethernet (RFE) is a network audio broadcasting system. It consists of programs and tools that allow packets of audio data to be transmitted around a network. The system is best understood by using the analogy of traditional radio broadcasting"

NETWORK IMPLEMENTATION

Radio Free Ethernet can be configured to broadcast data either in UDP Broadcast packets or using IP Multicasting. These techniques differ in subtle but important ways.

UDP Broadcast packets are broadcast only within the local subnetwork. Network gateway routers do not forward these packets to other networks. When a UDP Broadcast packet is issued, every machine on the subnet receives the packet and discards it, unless a program is specifically registered to listen for that particular packet type. Though the overhead of processing such packets is small, it is normally considered unfriendly to issue many UDP Broadcast packets on a network (RFE normally broadcasts approximately eight packets per second, each containing around 1000 bytes). UDP Broadcast is available for the time being only because older versions of the operating system do not support IP Multicast.

IP Multicasting is an improvement over broadcast techniques. By sending network packets to a particular well-known multicast address, only machines that have registered interest in that address will receive the data (packet filtering is usually performed in the network interface hardware). Some experimental IP routers exist that will forward multicast packets to other networks. Such forwarding is only performed when there is a listener on the destination network, and when the packet itself is identified as forwardable.

In order for Radio Free Ethernet to function properly, the following entry should be present in the NIS hosts map:

RadioFreeEthernet 224.0.3.255 # IP Multicast address

For more information check this hard to find link:

http://docs.sun.com/app/docs/doc/805-3178/6j31hi8kq?a=view