Category Archives: Powershell

DMARC and why should you give a damn

So for the very first time our company received a phishing email attempt. The asshole supposedly sent a message from the CEO’s mailbox to the CFO’s and requested a very large amount of cash to be wired to some unknown off-shore account. Imagine the depth that fucker went into to get all that info, huh? Luckily, the CFO sensed something in the context was wrong, so she called yours truly. Baffled by this mystery and with a lot of curiosity, I sat down and began my investigation.

I literally didn’t sleep that night. Not because I fought aimlessly trying to figure out how he did it, but because I discovered how INCREDIBLY EFFORTLESS it was to spoof an undefended domain’s email address. Within a few hours I managed to send an email to a friend from his employer telling him he’s fired and another to my wife from her bank manager telling her she got promoted. Just for the record, this could probably be done with ANY domain out there that doesn’t enforce DMARC or any special email filter inspection like FortiMail, Pineapp etc. So without further ado, this is why you should give a damn.

DMARC – Domain-based Message Authentication, Reporting & Conformance

DMARC – What does it do?

Simply put, it’s a mechanism that stops assholes from spoofing YOUR email addresses. But the biggest thing about DMARC is that it prevents them from spoofing your emails against OTHER domains as well, meaning it doesn’t allow an unknown source to send emails on your behalf to different organizations, NOT just from you to yourself. Moreover, it encompasses ways to receive reports about external attempts being made at forging your domain.

DMARC – How does it do it?

  1. Policy – When you receive an email, the MAILFROM header domain is checked for a published DMARC policy (based on DNS). What this policy basically says is that the domain owner has a working set of SPF and DKIM records and that they’re 100% “aligned”, which I’ll explain shortly. On top of that, it tells, or better yet recommends, the receiver what to do if the message fails DMARC and where to send the report. Needless to say, without such a policy DMARC is bypassed entirely.
  2. Alignment – All an attacker really needs to do today in order to spoof a common domain’s email address is to use a MAILFROM address of a domain that does NOT have an SPF record while forging the FROM header to be from your domain. What this check does is compare the two against SPF and DKIM. SPF: the smtp.MAILFROM domain must match the RFC5322.From domain; DKIM: the d= domain must match the RFC5322.From domain.
  3. SPF Records – At this point, if the SPF check passes then it’s extremely likely that the sender is indeed legitimate. His FROM and MAILFROM addresses checked out and his IP address is within the bounds of the allowed IPs in the sender’s record. No further checks are required, but if SPF fails then the final decision is made according to DKIM.
  4. DKIM Records – You can’t go wrong if an encrypted email header did not decrypt properly with the public key hanging, well, publicly out in the open. This method of cryptography by itself is enough to tell whether the sender is who he says he is. The decision whether or not to accept the email is made accordingly.
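Since this blog is about PowerShell, here is an added example (my own, not part of the original post) of the four steps above as code: it fetches a domain’s DMARC TXT record, parses it, and applies the alignment rules to a message’s identifiers. Two caveats the steps gloss over: per RFC 7489 the record is looked up at _dmarc.<RFC5322.From domain>, the address the recipient actually sees, and DKIM is a signature that is verified with the published public key rather than decrypted; the SPF and DKIM verification itself is left to your MTA or filter, so the function takes their raw results as inputs. Assumed: Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 and later); the organizational-domain helper keeps the last two labels, a simplification of the Public Suffix List lookup the RFC requires; the sample record and domains are constructed.

```powershell
# Added example (not the post's own code): DMARC record parsing and identifier alignment
# in PowerShell. Assumptions: Resolve-DnsName exists (DnsClient module, Windows 8 /
# Server 2012+); the organizational-domain helper keeps the last two labels, a
# simplification of the Public Suffix List lookup RFC 7489 requires; the sample
# record and domains below are constructed, not real.

function Get-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain)
    # The policy is published as a TXT record at _dmarc.<RFC5322.From domain>
    $rec = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' } | Select-Object -First 1
    if ($rec) { return ($rec.Strings -join '') }
    return $null
}

function ConvertFrom-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    # Split "v=DMARC1; p=reject; rua=mailto:..." into a hashtable, filling in the
    # RFC 7489 defaults for the tags that matter here
    $tags = @{ adkim = 'r'; aspf = 'r'; pct = '100' }
    foreach ($pair in ($Record -split ';')) {
        if ($pair.Trim() -match '^(\w+)\s*=\s*(.+)$') { $tags[$Matches[1]] = $Matches[2].Trim() }
    }
    if ($tags['v'] -ne 'DMARC1' -or -not $tags['p']) { throw "Not a valid DMARC record: $Record" }
    if (-not $tags['sp']) { $tags['sp'] = $tags['p'] }   # subdomain policy defaults to p
    return $tags
}

function Get-OrgDomain {
    param([string]$Domain)
    # Simplified organizational domain: mail.example.com -> example.com
    $labels = $Domain.ToLower().TrimEnd('.') -split '\.'
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-DmarcAlignment {
    param([string]$Identifier, [string]$FromDomain, [string]$Mode)
    # Mode 's' (strict) needs an exact match; 'r' (relaxed) accepts the same organizational domain
    if ([string]::IsNullOrEmpty($Identifier)) { return $false }
    if ($Mode -eq 's') { return ($Identifier.ToLower() -eq $FromDomain.ToLower()) }
    return ((Get-OrgDomain $Identifier) -eq (Get-OrgDomain $FromDomain))
}

function Test-DmarcMessage {
    param(
        [hashtable]$Policy,       # output of ConvertFrom-DmarcRecord for the From domain
        [string]$FromDomain,      # RFC5322.From domain, the address the user sees
        [string]$MailFromDomain,  # smtp.MAILFROM (envelope) domain that SPF was evaluated against
        [bool]$SpfPass,           # raw SPF result, from your MTA or filter
        [string]$DkimDomain,      # d= tag of a DKIM signature that verified, or '' if none
        [bool]$DkimPass
    )
    $spfAligned  = $SpfPass  -and (Test-DmarcAlignment $MailFromDomain $FromDomain $Policy['aspf'])
    $dkimAligned = $DkimPass -and (Test-DmarcAlignment $DkimDomain   $FromDomain $Policy['adkim'])
    # DMARC passes when at least one aligned mechanism passes; otherwise the published policy applies
    $pass = $spfAligned -or $dkimAligned
    $disposition = if ($pass) { 'none' } else { $Policy['p'] }
    [pscustomobject]@{ SpfAligned = $spfAligned; DkimAligned = $dkimAligned; DmarcPass = $pass; Disposition = $disposition }
}

# Constructed sample policy for the spoofed-CEO scenario (strict DKIM, relaxed SPF alignment)
$policy = ConvertFrom-DmarcRecord 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r'

# Spoof attempt: From says example.com, but the envelope sender is some unrelated domain
# whose own SPF happens to pass. SPF is not aligned and there is no DKIM signature.
Test-DmarcMessage -Policy $policy -FromDomain 'example.com' -MailFromDomain 'bulk-sender.example' `
    -SpfPass $true -DkimDomain '' -DkimPass $false

# Legitimate mail from the organization's own MTA: relaxed SPF alignment on the
# organizational domain is enough, and the strict DKIM d= match passes as well.
Test-DmarcMessage -Policy $policy -FromDomain 'example.com' -MailFromDomain 'mail.example.com' `
    -SpfPass $true -DkimDomain 'example.com' -DkimPass $true
```

The first call is the case from the story at the top: a raw SPF pass on the envelope domain counts for nothing because it is not aligned with the visible From domain, so the record’s p=reject disposition is what comes back. Swap the constructed record for `Get-DmarcRecord 'yourdomain.example'` to see what your own domain actually publishes; no record at all is exactly the “DMARC is bypassed” case from step 1.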

If like me you’re running Office 365 or Google Apps, chances are that all you have right now for email verification is an SPF record. That of course is laughably not enough to stop someone from forging your emails. Thankfully DKIM is being rolled out in Office 365 as we speak (already supported in Google Apps) and DMARC is already fully supported. This set me on the right path. Hopefully it will do someone else good as well.

Upgrade your Powershell Scripts – Run Once (after a reboot)

Two lines that forever changed my PowerShell capabilities by letting me run commands and scripts immediately after a reboot and logon:

Set-Location HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce

New-ItemProperty -Path . -Name MyKey -PropertyType String -Value "ENTER YOUR COMMAND HERE, E.G. POWERSHELL -FILE C:\PATH\SCRIPT.PS1"

The newly created registry entry is auto-deleted the next time you reboot and log on.
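As an added example (not the post’s own two lines), here is the same idea wrapped in a function that builds the command line with the full path to powershell.exe, runs the script non-interactively, quotes paths with spaces correctly and reads the entry back, plus a helper that lists what is queued in both hives, which is also what you check when auditing a machine. The value-name prefixes are documented Windows behaviour: “!” defers deletion until the command finishes, and HKLM needs an elevated session while HKCU\...\RunOnce fires only for the current user. Assumed: the script path is a placeholder, and the script is local or already unblocked, since RemoteSigned will not run a file still carrying the “downloaded” mark.

```powershell
# Added example (not the post's own code): register a script to run once at the next
# logon, with the command line built explicitly instead of typed by hand.
# Assumptions: run from an elevated session for HKLM (use -CurrentUserOnly otherwise);
# the script path is a placeholder and the file is local or already unblocked, since
# RemoteSigned will not run a file still carrying the "downloaded" mark.
function Register-RunOnceScript {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$Name = 'MyKey',
        [switch]$CurrentUserOnly,    # HKCU: runs only when this user logs on, no elevation needed
        [switch]$DeferDeletion       # '!' prefix: Windows deletes the entry after the command finishes
    )
    if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Script not found: $ScriptPath" }
    $hive = if ($CurrentUserOnly) { 'HKCU:' } else { 'HKLM:' }
    $key  = "$hive\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    $exe  = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    # Quote the script path so a directory with spaces (C:\Program Files\...) still works
    $cmd  = "`"$exe`" -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""
    $valueName = if ($DeferDeletion) { "!$Name" } else { $Name }
    New-ItemProperty -Path $key -Name $valueName -PropertyType String -Value $cmd -Force | Out-Null
    # Read it back so the caller sees exactly what will run
    Get-ItemProperty -Path $key -Name $valueName | Select-Object -ExpandProperty $valueName
}

function Get-RunOnceEntries {
    # List everything queued in both hives (the PS* properties are provider metadata, not entries)
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\RunOnce"
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [pscustomobject]@{ Hive = $hive; Name = $_.Name; Command = $_.Value } }
        }
    }
}

# Usage (path is a placeholder):
# Register-RunOnceScript -ScriptPath 'C:\PATH\SCRIPT.PS1' -DeferDeletion
# Get-RunOnceEntries | Format-Table -AutoSize
```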

Powershell SSL Expiration Report

So we had some ancient SSL certificate expiring on us.
Fortunately, it was just too critical to allow it to happen ever again, so I assembled a nice PowerShell script that lets you specify all the HTTPS URLs you can think of and reports their due dates back via email.

Example of the end report:

[Screenshot: PowerShell SSL Report]

You can copy paste the script from here:

http://pastebin.com/NRVzf01T
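In case the pastebin link does not outlive this post, here is an added example of the same job (my own code, not the script linked above): connect to each site, pull the server certificate, work out the days to expiry, and send the table as an HTML email. Assumed: Windows PowerShell 3.0 or later on a host that can reach the sites, Send-MailMessage for delivery, and the constructed sample rows at the bottom so the report logic can be seen without any network access; the mail addresses and SMTP server in the usage comment are placeholders.

```powershell
# Added example (not the script linked above): fetch each site's certificate, compute days
# to expiry, and build the email report. Assumptions: Windows PowerShell 3.0+ on a host
# that can reach the sites; Send-MailMessage is used for delivery; the sample rows at the
# bottom are constructed so the report logic can be seen without any network access.

function Get-HttpsCertificateInfo {
    param([Parameter(Mandatory)][string]$Url)
    $uri    = [uri]$Url
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($uri.Host, $uri.Port)   # [uri] fills in 443 for https when no port is given
        # Accept any certificate during the handshake: we want to REPORT an expired or
        # untrusted cert, not have the TLS client refuse to show it to us
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($uri.Host)    # sends SNI for the host name
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Url = $Url; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; Subject = $null; NotAfter = $null; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

function New-ExpiryReport {
    param([Parameter(Mandatory)][object[]]$CertInfo, [int]$WarnDays = 30)
    $now = Get-Date
    foreach ($c in $CertInfo) {
        $days = if ($c.NotAfter) { [int][math]::Floor(($c.NotAfter - $now).TotalDays) } else { $null }
        $status = if ($c.Error)                  { "ERROR: $($c.Error)" }
                  elseif ($null -eq $days)       { 'UNKNOWN' }
                  elseif ($days -lt 0)           { 'EXPIRED' }
                  elseif ($days -le $WarnDays)   { 'WARNING' }
                  else                           { 'OK' }
        [pscustomobject]@{ Url = $c.Url; Subject = $c.Subject; Expires = $c.NotAfter; DaysLeft = $days; Status = $status }
    }
}

function Send-ExpiryReport {
    param([object[]]$Rows, [string]$To, [string]$From, [string]$SmtpServer)
    $body = $Rows | Sort-Object DaysLeft |
            ConvertTo-Html -Title 'SSL Expiration Report' -PreContent '<h2>SSL Expiration Report</h2>' | Out-String
    Send-MailMessage -To $To -From $From -SmtpServer $SmtpServer -Subject 'SSL Expiration Report' -Body $body -BodyAsHtml
}

# Constructed sample results covering every status the report can show
$sample = @(
    [pscustomobject]@{ Url = 'https://ok.example';      Subject = 'CN=ok.example';      NotAfter = (Get-Date).AddDays(200); Error = $null }
    [pscustomobject]@{ Url = 'https://soon.example';    Subject = 'CN=soon.example';    NotAfter = (Get-Date).AddDays(12);  Error = $null }
    [pscustomobject]@{ Url = 'https://expired.example'; Subject = 'CN=expired.example'; NotAfter = (Get-Date).AddDays(-3);  Error = $null }
    [pscustomobject]@{ Url = 'https://down.example';    Subject = $null; NotAfter = $null; Error = 'No such host is known' }
)
New-ExpiryReport -CertInfo $sample | Format-Table -AutoSize

# Live use (addresses and server are placeholders):
# $rows = New-ExpiryReport -CertInfo (@('https://www.example.com') | ForEach-Object { Get-HttpsCertificateInfo $_ })
# Send-ExpiryReport -Rows $rows -To 'it@example.com' -From 'ssl-report@example.com' -SmtpServer 'smtp.example.com'
```

The validation callback that returns $true is deliberate and limited to this probe: the point of the report is to see a certificate that is already expired or otherwise untrusted, which a normal TLS client would refuse to hand over; it must not be copied into code that actually talks to the service. Connection failures are kept as rows with an ERROR status rather than dropped, so a host that has quietly gone away shows up in the same email as the certificates that are about to lapse.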

How to run PowerCLI scripts from the Task Scheduler

PowerCLI is absolutely awesome.
You can report on almost anything you can think of in VMware using the vCheck vSphere scripts by Alan Renouf.

With that being said, it takes some “trickery” in order to make it run in Windows’ Task Scheduler.

Problem #1: Powershell Execution Policy

It doesn’t really matter what execution policy you have on if the script you downloaded was written by someone else and is naturally UNSIGNED. Even “Unrestricted” will still pop up a rather annoying warning prompt, as follows:

[Screenshot: PowerCLI PS warning prompt]

Luckily this is easily solved. Use the following in order to UNBLOCK a specific script or several of them:

Unblock-File -Path C:\Scripts\vCheck-vSphere-master\*.ps1

Problem #2: Not storing the server’s credential on file


You can store your credentials within PowerCLI for future use rather than hard-coding them into a script the way this line does:

Connect-VIServer 192.168.10.10 -User username -Password "somepassword"

To use the credential store, I do the following:

New-VICredentialStoreItem -Host 192.168.10.10 -User "username" -Password "somepassword"

Now I can type just:

Connect-VIServer 192.168.10.10

Problem #3: Getting the freaking syntax right in Task Scheduler


It took me a few hours to get it right.
I can confirm this works great on a Win Server 2012 machine.
Just copy-paste into “program/script” in a new task in Task Scheduler and accept the pop-up message:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -psc "C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI\vim.psc1" -c ". \"C:\Scripts\vCheck-vSphere-master\vCheck.ps1\""
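For anyone who would rather script the three steps than click through them, here is an added example (my own, not the post’s or vCheck’s code) that does the unblock, the credential store entry and the task registration in one go, using the paths and the vCenter address from the post. One caveat worth knowing: the PowerCLI credential store lives in the user profile, so the task has to run as the same Windows account that created the entry or Connect-VIServer will find nothing. Assumed: PowerShell 3.0 or later (Unblock-File and the ScheduledTasks module ship with Server 2012), PowerCLI installed with vim.psc1 at the path shown, and the task name and 6am trigger are my own choices.

```powershell
# Added example (not the post's own code): the three steps as one setup script, using
# the paths from the post. Assumptions: PowerShell 3.0+ (Unblock-File and the
# ScheduledTasks module ship with Server 2012), PowerCLI installed with vim.psc1 at the
# path below, and this is run as the Windows account the task will run under, because
# the PowerCLI credential store is kept per user profile and is invisible to any other
# account. The vCenter address is the post's example value.
$scriptDir  = 'C:\Scripts\vCheck-vSphere-master'
$scriptPath = Join-Path $scriptDir 'vCheck.ps1'
$psc        = 'C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI\vim.psc1'
$vcenter    = '192.168.10.10'

# Problem #1: remove the "downloaded from the Internet" mark (Zone.Identifier stream) from
# every script in the folder, which is what triggers the prompt even under Unrestricted
Get-ChildItem -Path $scriptDir -Filter *.ps1 -Recurse | Unblock-File

# Problem #2: prompt once for the vCenter account and put it in the PowerCLI credential
# store, so neither the password nor the prompt ends up in the scheduled run
$viCred = Get-Credential -Message "vCenter account for $vcenter"
New-VICredentialStoreItem -Host $vcenter -User $viCred.UserName -Password $viCred.GetNetworkCredential().Password | Out-Null

# Problem #3: the same command line as the post, built here so the quoting is visible.
# Task Scheduler wants the program and its arguments separated, which is what its pop-up
# does for you when you paste the whole line into "program/script".
$exe      = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$argument = "-psc `"$psc`" -c `". \`"$scriptPath\`"`""
$action   = New-ScheduledTaskAction -Execute $exe -Argument $argument
$trigger  = New-ScheduledTaskTrigger -Daily -At 6am

# Windows account the task runs as; supplying the password lets it run whether or not
# that account is logged on (the credential store only works under this same account)
$winCred = Get-Credential -Message 'Windows account to run the task as'
Register-ScheduledTask -TaskName 'vCheck vSphere report' -Action $action -Trigger $trigger `
    -User $winCred.UserName -Password $winCred.GetNetworkCredential().Password | Out-Null

# Check what got registered, and fire it once without waiting for the trigger
Get-ScheduledTask -TaskName 'vCheck vSphere report' | Select-Object -ExpandProperty Actions
Start-ScheduledTask -TaskName 'vCheck vSphere report'
```

Both Get-Credential prompts are interactive on purpose: nothing in this file contains a password, so it can sit in the scripts folder next to vCheck.ps1 without becoming the next thing someone has to rotate after a laptop goes missing.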