From Windows 10 to Mac OS Sierra without admin privileges

Hi everyone, lately, thanks to my manager and my new employer, I was able to switch from a Windows 10 laptop to a shiny MacBook Pro, and I want to share with you some tips and tricks that you will probably run into if you do the same. First, let’s start with the basics: why did I choose to switch? Well, I have always (since 2009) had only Apple devices at home and I have always loved the consistency and the “stability” of Apple devices, but I never had the opportunity to actually “work” with a Mac, so this is also a learning experience for me. If you have never used a Mac, the first obstacles will be the shortcuts like CTRL+C and CTRL+V, the mouse clicks (actually the right click on the trackpad), the two-finger scrolling on the trackpad and now the shiny and mysterious Touch Bar. Once past this first shock, you will quickly get used to the magic search experience of Spotlight, the backup-for-dummies of Time Machine and the well-known experience of the App Store.

Now let’s focus on the work-related stuff: you can finally have Office 2016 on a Mac too, but it is miles and miles away from the functionality and ease of use of Office 2016 on Windows. The differences are not super evident, but if you use Office professionally you will quickly find the missing pieces.

Solution? Go to the App Store, purchase Parallels Lite and enjoy Linux and Windows virtual machines. You will have VMs without being admin because Parallels Lite uses the native hypervisor available on the Mac since Yosemite.

Thanks to this I was able to get back several “life-saving” applications that I use daily, like Power BI Desktop, SQL Server Management Studio and Visual Studio 2017. To be honest, they have their Mac versions, but the functionality missing from those versions is too extensive to live with them alone.

So I ended up having a Windows 10 VM full of software; so why not just use Windows directly? Well, with the Windows VM I can use Windows only for the apps that run great on that platform, and if the system starts to become unstable I can still work normally on my Mac without losing my work while Windows does its own “things” 🙂.

When needed I leverage an Ubuntu VM with Docker and VS Code, following the same segregation-of-duties principle (main OS fast and stable, guest OS with rich and dedicated software).

Now I often work this way: SQL Server is hosted on Linux, I import/export external data easily with SQL Server Management Studio from Windows, I run PySpark notebooks on Docker accessing the same data, and finally I do visualizations with Power BI Desktop on Windows.

In case, like me, you have strict policies around admin accounts, I want to share this with you: do you remember the concept of portable apps on Windows? Well, on the Mac you can do the same with some (not all) of the applications that are outside the App Store (you can install almost all the apps in the App Store without admin privileges).

The technique to make an application “portable” on the Mac is simply the double extraction of the pkg file and its Payload file into a folder that you can write to (like your desktop); you can check the details here and here, and basically run those applications from the location you like.

The exceptions will be:

  1. Applications not signed by a recognized and well-known developer or software house
  2. Applications that on startup will ask you to install additional services
  3. Applications that, before being launched, require the registration of specific libraries/frameworks

There are cases (like Azure Machine Learning Workbench) where the installer actually writes everything into your user account folders, but the last step is the copy of the UI app to the Applications folder, and this will fail if you are not admin. The solution is to look a bit inside the installer folders and find, inside the JSON files, the location of the downloaded packages. Once you find the URL of the missing one (use the installer error message to help you find the package it was not able to copy), download it locally and execute the app from any location; it should work without problems.

Helping Troy Hunt for fun and profit

Hi everyone, I’m a huge fan of the security expert Troy Hunt and of his incredible (and free!) service haveibeenpwned.com (if you don’t know it, please use it now to test whether your email accounts are compromised!).


Now Troy has created a contest where you can actually win a shiny Lenovo laptop if you create something “new” that can help people be more aware of the security risks related to pwned accounts.

I decided to participate, and my idea is the following: helping all the people who have Gmail (and Hotmail/Outlook/Office 365, in alpha version!) accounts to verify whether their friends, colleagues and family members have their email accounts compromised.

I uploaded the code and executables here, and I strongly suggest you read the readme instructions ENTIRELY to understand how the tool works, what the expected results are and what you can do.

Regardless of whether I win the laptop or not, I have already won because, thanks to this tool, I was able to alert my wife and some of my friends to the danger and to have the right “push” to convince them to set up two-factor authentication.

If you want to donate for this effort, please donate directly to Troy here; he deserves a good beer!

DIY port scanner for Windows sysadmins

I have recently been involved in a security assessment of multiple servers hosted in the same data center but in different VLANs. One requirement I had to respect was that the port scan procedure on all these servers (all Windows 2008 servers) should be fast and should not require additional software to buy. Unluckily, the tool in use was a simple netstat command issued manually on each server.

Now this has the advantage of being fast (netstat gives you the overall situation in a fraction of a second) but it has at least two major limitations: no indication of the process running on the port (only the PID) and, most of all, it is completely manual.

The first thing I tried was to leverage PowerShell commands, specifically this great resource that basically already gives the right process name and other useful info on the processes running on each port, together with all the required network statistics. Theoretically this should also work remotely, but I never managed to make it work successfully (it crashed several times because it needs to write a file on the remote system). So I thought that netstat and a good combination of Mark Russinovich’s great PsTools (psexec to execute netstat remotely and pslist to retrieve the processes remotely) could solve the problem. In theory yes; in practice I had to fight a bit with C# to obtain the desired result.

Here is the recipe:

First, go here to see how to launch PsTools from C# and parse the output coming from netstat. Be aware that this does not work on the local computer: there you have to issue netstat without psexec.

Second, apply the same trick to pslist and parse the results (this also works on the local computer).

Third, now that you have this, just put the data inside some structures (I used DataTables) and with a simple LINQ query you will join the network statistics with the running processes.
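As an added example (not the post’s code), here is how the three steps fit together in C#: parse the captured netstat -ano and pslist text, then join the two on PID with LINQ. It uses records and lists instead of the author’s DataTables, assumes C# 9 / .NET 5 or later, and the netstat and pslist output embedded in Main is constructed sample data in the tools’ real column layout.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper (not the post's code): joins "netstat -ano" rows to "pslist" rows on PID.
public static class PortInventory
{
    public record Socket(string Proto, string LocalAddress, string State, int Pid);
    public record Proc(string Name, int Pid);
    static string[] Tokens(string line) =>
        line.Trim().Split((char[])null, StringSplitOptions.RemoveEmptyEntries);

    // netstat -ano columns: Proto, Local Address, Foreign Address, [State], PID. UDP rows have no
    // State column, so the PID is always the last token and State is read only from 5-token rows.
    public static List<Socket> ParseNetstat(string output) =>
        output.Split('\n').Select(Tokens)
              .Where(t => t.Length >= 4 && (t[0] == "TCP" || t[0] == "UDP"))
              .Select(t => new Socket(t[0], t[1], t.Length == 5 ? t[3] : "", int.Parse(t[^1])))
              .ToList();

    // pslist columns: Name, Pid, Pri, ... Banner/header lines are skipped: their 2nd token is not an int.
    public static List<Proc> ParsePsList(string output) =>
        output.Split('\n').Select(Tokens)
              .Where(t => t.Length >= 2 && int.TryParse(t[1], out _))
              .Select(t => new Proc(t[0], int.Parse(t[1])))
              .ToList();

    // Left join on PID: a listener whose PID is absent from pslist (the two snapshots are taken
    // at different moments) is still reported rather than silently dropped.
    public static List<string> ListeningReport(string netstat, string pslist)
    {
        var byPid = ParsePsList(pslist).ToDictionary(p => p.Pid, p => p.Name);
        return (from s in ParseNetstat(netstat)
                where s.Proto == "UDP" || s.State == "LISTENING"
                orderby s.Proto, s.LocalAddress
                select $"{s.Proto} {s.LocalAddress} pid={s.Pid} " +
                       (byPid.ContainsKey(s.Pid) ? byPid[s.Pid] : "<no pslist entry>")).ToList();
    }

    public static void Main()
    {
        // Constructed sample output, in the real column layout of both tools.
        const string netstat = "  Proto  Local Address    Foreign Address  State        PID\n"
            + "  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING    880\n"
            + "  TCP    0.0.0.0:445      0.0.0.0:0        LISTENING    4\n"
            + "  TCP    10.0.0.5:49210   10.0.0.9:1433    ESTABLISHED  3120\n"
            + "  UDP    0.0.0.0:123      *:*                           1092\n";
        const string pslist = "Process information for SERVER01:\n\n"
            + "Name     Pid Pri Thd  Hnd   Priv     CPU Time    Elapsed Time\n"
            + "System     4   8 176 6021    152  0:30:10.734 182:28:24.101\n"
            + "svchost  880   8  10  469   3344  0:00:03.687 182:28:01.234\n";
        foreach (var line in ListeningReport(netstat, pslist)) Console.WriteLine(line);
    }
}
```

With the sample above the report lists the two TCP listeners with their process names and flags UDP 123 (PID 1092) as having no pslist entry; the ESTABLISHED row is filtered out since only listening ports matter for the assessment.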

The only thing to check is that PsTools requires TCP ports 135 and 445 to be open and the Admin$ and IPC$ shares enabled, so in my case I had to run my console program on each segregated VLAN and in some cases on individual servers, but in the end I managed to cut the manual operations from 75 manual runs to 8, and that’s already a good result.

Crack .NET assemblies on the fly

Hi, I have recently been in a DEFCON 1 situation and I want to share my experience with you.

Basically, imagine a production .NET assembly that has done its job quietly for 5-6 years and one day decides to stop working; this means that an entire business segment of a large enterprise is completely blocked…

Add to this that the developer of that assembly no longer works in the company, nobody knows where the source code might be, and there is actually no documentation.

So they called me and I felt like this:

So I downloaded ILSpy and started looking into the code while gathering the logs and checking the exceptions.

Thanks to a very lucky combination of checks I was able to figure out where the problem was in a couple of hours (Windows Update, I hate you), but in the meantime the pressure was rising and the client was just going crazy. So I remembered that one time I had used a tool called Reflexil to fix an assembly on the fly, but later I figured out that it works nicely with Reflector but not with ILSpy…

However, thanks to this post I was able to download a version of Reflexil that was compatible with ILSpy, and problem solved!

Here is a screenshot of the two working together:


It’s actually a great combo and I can’t wait to have the final bits.

PS: The code that you see is not the client’s code, of course 🙂