Monthly Archives: October 2017

HaveIBeenPwned PowerShell Module

If you haven’t heard of Have I Been Pwned, firstly what are you doing?  It’s a site created by fellow Aussie Troy Hunt.  Troy aggregates data breaches as they become public into a searchable database. One of the primary goals of Have I Been Pwned is to raise security awareness around data breaches to the public.

As a bit of a learning exercise to myself, I created a PowerShell Module that leverages the haveibeenpwned.com APIs.  The module contains five Functions, Get-PwnedAccount, Get-PwnedBreach, Get-PwnedDataClass, Get-PwnedPassword, and Get-PwnedPasteAccount. I like to think of the HaveIBeenPwned PowerShell Module as an Enabler. By itself it does nothing more than what the haveibeenpwned.com site does. But by leveraging the Power of PowerShell and returning the results in object format the data can be easily manipulated for many other purposes.

Installing and using the Module and Functions is very simple. Ideally you will be running PowerShell 5 or above which will allow you to easily download and install from the PowerShellGallery. If you’re not on PowerShell 5 I’d highly recommend you download the WMF 5.1 (Windows Management Framework) which includes PowerShell 5.

Installing the module is simply a matter of typing the following.

PS F:\Code> Install-Module -Name HaveIBeenPwned

Once installed you can view all the Functions available with the following command.

PS F:\Code> Get-Command -Module haveibeenpwned 

CommandType     Name                                               Version    Source                                                                               
-----------     ----                                               -------    ------                                                                               
Function        Get-PwnedAccount                                   1.1        HaveIBeenPwned                                                                       
Function        Get-PwnedBreach                                    1.1        HaveIBeenPwned                                                                       
Function        Get-PwnedDataClass                                 1.1        HaveIBeenPwned                                                                       
Function        Get-PwnedPassword                                  1.1        HaveIBeenPwned                                                                       
Function        Get-PwnedPasteAccount                              1.1        HaveIBeenPwned      

The two main Functions are Get-PwnedAccount and Get-PwnedPassword.

The first, Get-PwnedAccount, checks whether an account, identified by its email address, appears in any of the data breaches loaded into Have I Been Pwned.

PS F:\Code> Get-PwnedAccount -EmailAddress [email protected]

In the above example all breaches are listed where the account used [email protected] as the email address. Which is huge by the way.

The second, and slightly more controversial, Function is Get-PwnedPassword, which takes a password and confirms whether it has been seen in a data breach.  Get-PwnedPassword accepts a password in three different formats: plain text, SecureString, and SHA1 hash.

PS F:\Code> Get-PwnedPassword -SHA1 AB87D24BDC7452E55738DEB5F868E1F16DEA5ACE

In the above example the SHA1 hash was generated offline using the Quick Hash GUI tool.  Get-PwnedPassword then sends that password, or its SHA1 hash, in the body of an HTTPS request to Have I Been Pwned.  The controversial part, obviously, is that you have to trust not only Have I Been Pwned but also this PowerShell Function.  Keep in mind that an unsalted SHA1 hash of a weak password is trivially reversible, so only check passwords you already treat as compromised or are about to retire.
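As an added example, and not code from the module or the original post, here is how to generate that SHA1 hash in PowerShell itself rather than with a separate GUI tool. The password is read as a SecureString so the plaintext never lands in the console history or a transcript, and only the hex hash is handed to Get-PwnedPassword -SHA1. The Get-Sha1Hex helper name is my own; the self-check uses the well-known SHA1 of the string 'password'.

```powershell
# Added example (not part of the HaveIBeenPwned module): hash a password offline
# as SHA1 so only the hash, never the plaintext, is passed to Get-PwnedPassword.
function Get-Sha1Hex {
    param([Parameter(Mandatory)][securestring]$Password)

    # Decrypt the SecureString just long enough to hash it
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $bytes = [Text.Encoding]::UTF8.GetBytes($plain)
        $sha1  = [Security.Cryptography.SHA1]::Create()
        try {
            # Upper-case hex, the same form as the -SHA1 value used in the example above
            ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
        }
        finally {
            $sha1.Dispose()
        }
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        # Best-effort scrub of the managed byte copy; the .NET string itself is immutable
        if ($bytes) { [Array]::Clear($bytes, 0, $bytes.Length) }
    }
}

# Known-answer check: SHA1('password') is a well-known value, so a mismatch here
# means the local hashing is wrong, not the API
$kat = Get-Sha1Hex -Password (ConvertTo-SecureString 'password' -AsPlainText -Force)
if ($kat -ne '5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8') { throw 'SHA1 self-check failed' }

# Prompt without echoing, then hand only the hash to the module
$secure = Read-Host -Prompt 'Password to check' -AsSecureString
Get-PwnedPassword -SHA1 (Get-Sha1Hex -Password $secure)
```

Hashing locally keeps the plaintext off the wire and out of your shell history, but the hash still leaves your machine, and for a weak password an unsalted SHA1 is as good as the plaintext to whoever receives it.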

All Functions come with Help and Examples which can be viewed using Get-Help.  For example.

PS F:\Code> Get-Help Get-PwnedPassword -Examples

The Module and all Functions can be found in the PowerShellGallery for download.  The Module can also be found in my public GitHub project https://github.com/originaluko/haveibeenpwned.  All code can be viewed and sanity checked and is free to consume.


Lastly, I thought I might show how you can go one step further than checking an individual account. Many organisations' IT departments create and manage accounts for their staff, and they also provide security awareness training on protecting online accounts. An organisation could take a CSV list of its staff's email addresses, import that list into PowerShell, run it against the Get-PwnedAccount Function, and identify whether any of its staff have been involved in a data breach.

In the below example I import a small CSV file I have created with a list of email addresses. Then, using half a dozen lines of code, I iterate through the CSV list and identify all the accounts that have been involved in a data breach. Using this information I can proactively notify staff to review these accounts.

# The CSV has a header row with a column named 'accounts' holding one email address per line
$emails = Import-Csv F:\email_list.csv
foreach ($row in $emails) {
    $email = $row.accounts
    $results = Get-PwnedAccount -EmailAddress $email
    # Get-PwnedAccount returns an object with a Status of 'Good' when the address is in no breach
    if ($results.status -ne 'Good') {
        foreach ($result in $results) { 
            $breach = $result.title
            Write-Output "Email address $email has been found in a $breach breach"
        }
    }
    # Pause between calls to stay within the haveibeenpwned.com API rate limit
    Start-Sleep -Milliseconds 1500
}

And sample output after running the above code.

Email address [email protected] has been found in a Yahoo breach
Email address [email protected] has been found in a Youku breach
Email address [email protected] has been found in a Zomato breach
Email address [email protected] has been found in a 000webhost breach
Email address [email protected] has been found in a 17 breach
Email address [email protected] has been found in a Adobe breach
Email address [email protected] has been found in a Bell (2017 breach) breach
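As an added example that is not part of the original post, the same sweep can return objects instead of strings, so the result can be sorted, exported and filtered for accounts that need a password reset rather than just a notification. It assumes the HaveIBeenPwned module is installed and that Get-PwnedAccount returns the haveibeenpwned.com breach objects, whose BreachDate and DataClasses fields (and the 'Passwords' data class name) are assumptions taken from HIBP's breach model; the post itself only uses title and status. Get-StaffBreachReport and the file paths are my own names.

```powershell
# Added example: sweep a CSV of staff addresses and emit one report object per breach hit.
# Assumes the HaveIBeenPwned module is installed. Title, BreachDate and DataClasses are
# assumed field names from the haveibeenpwned.com breach model, not confirmed by the post.
function Get-StaffBreachReport {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$Column  = 'accounts',   # CSV header column holding the email address
        [int]$DelayMs    = 1500          # pause between calls for the API rate limit
    )

    $rows = Import-Csv -Path $CsvPath
    foreach ($row in $rows) {
        $email = [string]$row.$Column
        if ([string]::IsNullOrWhiteSpace($email)) { continue }
        $email = $email.Trim()

        try {
            $results = Get-PwnedAccount -EmailAddress $email -ErrorAction Stop
        }
        catch {
            # A failed lookup is not a clean result; report it and keep going
            Write-Warning "Lookup failed for $email : $($_.Exception.Message)"
            Start-Sleep -Milliseconds $DelayMs
            continue
        }

        # Status 'Good' means no breach was found for this address
        if ($results.Status -ne 'Good') {
            foreach ($r in $results) {
                [pscustomobject]@{
                    Email       = $email
                    Breach      = $r.Title
                    BreachDate  = $r.BreachDate
                    DataClasses = ($r.DataClasses -join ';')
                }
            }
        }
        Start-Sleep -Milliseconds $DelayMs
    }
}

$report = Get-StaffBreachReport -CsvPath 'F:\email_list.csv'

# Human-readable view, plus a CSV the security team can work from
$report | Sort-Object Email, BreachDate | Format-Table -AutoSize
$report | Export-Csv -Path 'F:\breach_report.csv' -NoTypeInformation

# Accounts whose breach exposed passwords need a reset, not just a notification
$report | Where-Object { $_.DataClasses -match 'Passwords' } | Select-Object -Unique Email
```

Returning objects rather than formatted strings is the point of the module the post describes: the same data can be piped into Export-Csv, a ticketing system, or a Where-Object filter without re-parsing text.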

Download Links
PowerShellGallery: https://www.powershellgallery.com/packages/HaveIBeenPwned/
GitHub: https://github.com/originaluko/haveibeenpwned

Recap: VCP-NV Certification (2V0-642)

Earlier this week I took and passed the VCP-NV (2V0-642) exam.  I do have to say it was a really good experience.  It’s one of the few exams I really did enjoy studying for and sitting.  So I thought I might use this as an opportunity to post a short recap of my experience and what I used to study and pass the exam.

Getting some of the technicalities out of the way, all of which can be found at VMware’s VCP-NV landing page: the 2V0-642 exam is VMware’s updated version 2 of the original VCP-NV exam, which officially came out back in 2015.  Back then it was 120 questions and by all accounts much harder than this revised version.  The revised exam, based on NSX 6.2, is 2 hours long and 77 questions, with the standard passing score of 300 out of 500.  If you currently hold a VCP the process to certification is fairly straightforward: take and pass the 2V0-642 exam and earn the certification.  If you don’t hold a VCP you have a number of pre-requisites to meet.  Again, all of which can be found at the VCP-NV landing page.

So first how was the exam?  As I mentioned above, a really good experience.  Gone are the days of having to take a pre-exam survey.  Just acknowledge the Terms and Conditions and the exam begins immediately -Awesome.  The questions were well laid out, clear, and descriptive enough to understand.  Of course it wouldn’t be a real exam without one or two confusing questions and there were a few of them, but only a few.  The exam questions are all weighted so at the end of the day it is a level playing field for everyone.

So what was my process for studying for this exam?

I guess firstly I’ve attended many presentations and watched a number of high level videos on NSX but nothing really deep on the product, nothing really exam helpful.  A few months back (the week before VMworld) I attended the 5-day Install, Configure, Manage course on NSX 6.2.  This was a great course and a good primer into learning to use NSX.  Very helpful for grasping the fundamentals and being able to get started.  Highly recommended for everyone getting started.

Next came actually using the product in a real lab environment.  I think this is a requirement!  Bare minimum you should be using VMware’s Hands on Labs but even better is to have your own environment.  I’m lucky enough to be preparing for a production deployment and had a test lab to deploy and play with.  Having your own environment constantly available is hard to beat.

vBrownBag YouTube videos!  There is a VCP-NV series available on YouTube.  The videos are based on the original VCP-NV exam and are a few years old but still very relevant.  Actually still extremely relevant.  There are eight videos to hunt around for which cover the original objectives with the exception of Troubleshooting.  The objectives match up very closely.  The 2V0-642 exam has one main new objective which covers Cross-vCenter.

In terms of reading material I would highly recommend going through the official NSX online docs pages.  Lots of mindless reading but you will find that exam questions come straight out of that.  And truthfully you will learn a huge amount doing that.  Just remember to focus on version 6.2.  I’d also recommend the Cross-vCenter NSX Installation Guide PDF from VMware.  This is also in the online docs but I found the PDF easier to consume.  I found it hugely informative and the exam tested heavily on this for me, so I was very thankful to have focused on this reading.

And that was basically it.  Practice hands on what you have learnt and read.  Troubleshoot in your lab as you are building it out.  A few solid study days on the weekend and you should be in a really good position to take and pass the exam.


HTTP Error 500 Post Upgrade to vCloud Director 9.0

This week I decided to jump on the upgrade bandwagon along with a number of other excited people in the vExpert Slack group.  While most, if not all, had success stories I unfortunately ran into some post upgrade portal issues.

The upgrade process to version 9.0 was no different from previous releases.  I followed my regular upgrade process which went off without issue.  When I went to log into the Administrator Portal I was faced with an HTTP Error 500 page.  Argh!

HTTP ERROR 500

Problem accessing /cloud/saml/login/alias/vcd. Reason:

Server Error

Caused by:

javax.servlet.ServletException: org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
    at org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:161)
    at org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:107)
    at com.vmware.vcloud.web.NestedFilterChain.doFilter(NestedFilterChain.java:45)
    at com.vmware.vcloud.web.UnfirewalledFilterChainProxy.doFilter(UnfirewalledFilterChainProxy.java:62)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

To my surprise tenant Portals were fine and able to log in.  This was Admin Portal specific.

Checking the release notes I knew there was a breaking change with Federation and SAML which required you to re-register your organization with your SAML IDP.  That’s fine, I thought, we’re not using SAML.  And besides, the notes seem to indicate you make the change post upgrade.

System administrators cannot use an existing vSphere SSO configuration to authenticate to vCloud Director.

Federation for the System organization has changed in this release. The System organization can now use any SAML IDP, not just the vSphere Single Sign-On service. Existing federation settings for the System organization are no longer valid and are deleted during the upgrade.

Workaround: Re-register your organization with your SAML IDP. See “Enable Your Organization to Use a SAML Identity Provider” in the vCloud Director Administrator’s Guide

Turns out, though, we were in fact using SAML, or at least had it enabled in a non-functioning state.  So despite the release notes stating that the settings would be deleted, they appeared to remain in a broken state post upgrade and were now preventing the Portal from loading at all.  That matches the stack trace: the SAML entry point is still active but has no IDP metadata to redirect to.

The solution turned out to be relatively easy with VMware GSS help.  Log in to the Admin Portal with your standard System Administrator account, specifying the full URL to the login.jsp file, which takes you to the local login form instead of the SAML redirect.

https://portal.mydomain.local/cloud/login.jsp

Navigate to the Administration Page and then to Federation.  Untick Use SAML Identity Provider and Apply.

The change should take effect immediately.  Logout and back in as you normally would to the portal without the trailing /cloud/login.jsp.

While I’m sure this was a corner case, please take note of your SAML settings before upgrading.  If you don’t use it, make sure you don’t have it enabled; a Federation setting with no working IDP behind it is exactly what the error above complains about.

VMware Update Manager (VUM) Fails To Load Within vSphere Web Client

I recently upgraded my lab VCSA from version 6.5 (Build Number 5705665) to version 6.5 U1 (Build Number 6671409).  After the upgrade I noticed that VMware Update Manager was no longer working correctly.  Navigating around the various VUM pages I received the same consistent error message.

interface com.vmware.vim.binding.integrity.VcIntegrity is not visible from class loader

(Screenshots in the original post: the VUM management page and the VUM tab within an ESXi host, both showing the error above.)

Checking the vCenter services within Administration > System Configuration, they all appeared Up and Running.  Though all services were running, I nevertheless restarted the VMware Update Manager service, which unfortunately didn’t help.  I also tried restarting a few other services without much success.  So rather than continuing to randomly restart services I decided to take a tougher approach and restart all services from the CLI.

After stopping and starting all vCenter services, which took a few minutes, VUM was back up and running within the vSphere Web Client.  While this was a fairly drastic step to take, so would rebooting the vCenter server have been, which I’m glad I managed to avoid.

I’ve previously written about restarting vCenter services.  The process is quite simple.  First connect to the CLI of the VCSA appliance, then run the two commands below.  Both the stopping and the starting of services will take a few minutes each.  Once the services are restarted the Web Client will take a further few minutes to fully start up and be accessible.  If all is successful, Update Manager should be accessible once again.

Command> service-control --stop --all

Command> service-control --start --all

Restarting all the vCenter services like this is obviously a disruptive action.  Connectivity to vCenter will be dropped while the services restart.  Usually restarting all services on vCenter via the CLI is my last ditch attempt to resolve an issue before I attempt a reboot of the appliance.  While restarting the VCSA might have been the easiest thing to do to resolve this issue it’s not always necessary.