Gets email from work

"New password policy introduced from next month

Passwords will have to include:
- a capital
- a lower case
- a number
- a symbol
- be at least 8 characters

Passwords will be be changed every 60 days with a new password not previously used"

Everyone starts moaning, there I am laughing as I'm in Linux and off their domain controller, and my windows laptop is a BYOD laptop and they don't want it on the domain :D

Yesterday the web site started logging an exception “A task was canceled” when making a http call using the .Net HTTPClient class (site calling a REST service).

Emails back n’ forth ..blaming the database…blaming the network..then a senior web developer blamed the logging (the system I’m responsible for).

Under the hood, the logger is sending the exception data to another REST service (which sends emails, generates reports etc.) which I had to quickly re-direct the discussion because if we’re seeing the exception email, the logging didn’t cause the exception, it’s just reporting it. Felt a little sad having to explain it to other IT professionals, but everyone seemed to agree and focused on the server resources.

Last night I get a call about the exceptions occurring again in much larger numbers (from 100 to over 5,000 within a few minutes). I log in, add myself to the large skype group chat going on just to catch the same senior web developer say …
“Here is the APM data that shows logging is causing the http tasks to get canceled.”

FRACK!

Me: “No, that data just shows the logging http traffic of the exception. The exception is occurring before any logging is executed. The task is either being canceled due to a network time out or IIS is running out of threads. The web site is failing to execute the http call to the REST service.”

Several other devs, DBAs, and network admins agree.

The errors only lasted a couple of minutes (exactly 2 minutes, which seemed odd), so everyone agrees to dig into the data further in the morning.

This morning I login to my computer to discover the error(s) occurred again at 6:20AM and an email from the senior web developer saying we (my mgr, her mgr, network admins, DBAs, etc) need to discuss changes to the logging system to prevent this problem from negatively affecting the customer experience...blah blah blah.

FRACKing female dog!

Good news is we never had the meeting. When the senior web dev manager came in, he cancelled the meeting.

Turned out to be a hiccup in a domain controller causing the servers to lose their connection to each other for 2 minutes (1-minute timeout, 1 minute to fully re-sync). The exact two-minute burst of errors explained (and proven via wireshark).

People and their petty office politics piss me off.

TLDR: Small family owned finance business woes as the “you-do-everything-now” network/sysadmin intern

Friday my boss, who is currently traveling in Vegas (hmmm), sends me an email asking me to punch a hole in our firewall so he can access our locally hosted Jira server that we use for time logging/task management.

Because of our lack of proper documentation I have to refer to my half completed network map and rely on some acrobatic cable tracing to discover that we use a SonicWall physical firewall. I then realize asking around that I don’t have access to the management interface because no one knows the password.

Using some lucky guesses and documentation I discover on a file share from four years ago, I piece together the username and password to log in only to discover that the enterprise support subscription is two years expired. The pretty and useful interface that I’m expecting has been deactivated and instead of a nice overview of firewall access rules the only thing I can access is an arcane table of network rules using abbreviated notation and five year old custom made objects representing our internal network.

An hour and a half later I have a solid understanding of SonicWallOS, its firewall rules, and our particular configuration and I’m able to direct external traffic from the right port to our internal server running Jira. I even configure a HIDS on the Jira server and throw up an iptables firewall quickly since the machine is now connected to the outside world.

After seeing how many access rules our firewall has, as a precaution I decide to run a quick nmap scan to see what our network looks like to an attacker.

The output doesn’t stop scrolling for a minute. Final count we have 38 ports wide open with a GOLDMINE of information from every web, DNS, and public server flooding my terminal. Our local domain controller has ports directly connected to the Internet. Several un-updated Windows Server 2008 machines with confidential business information have IIS 7.0 running connected directly to the internet (versions with confirmed remote code execution vulnerabilities). I’ve got my work cut out for me.

It looks like someone’s idea of allowing remote access to the office at some point was “port forward everything” instead of setting up a VPN. I learn the owners close personal friend did all their IT until 4 years ago, when the professional documentation stops. He retired and they’ve only invested in low cost students (like me!) to fill the gap. Some kid who port forwarded his home router for League at some point was like “let’s do that with production servers!”

At this point my boss emails me to see what I’ve done. I spit him back a link to use our Jira server. He sends me a reply “You haven’t logged any work in Jira, what have you been doing?”

Facepalm.

Domain server goes down, it's the gateway and DNS too.

Ok I'll just remove the domain, it's been orphaned really since you went to the cloud.

Don't have local admin password.

Ok call old it company who set up gear

Out of business

Ok boot to Linux and reset

Usb boot locked

Don't have bios password

Call old it company

Still out of business.

Wait, can I just set manual ipv4 ? Ok domain without a domain controller... If it works it works.

Do anybody here work with a codebase that actually has tests?

Or at the very least, the codebase has a domain layer, rather than puking lines of code randomly in the controller?

Am I trying to find an unicorn?

Well well well.
Story time.

Since we are working from home for the past 4 months, I finally decided to install a Microsoft SQL server on my home server. (Mostly was using Azure)

My server is running Windows Server 2012 R2.
Tried installing SQL 2019 : fail, 2016 : Fail, 2012 : Fail. Some obscure message about some DLLs not being at right version. (And a warning that it is no recommended to install SQL server on domain controller, but I know, it is my home setup, not roduction)

“Ok fine, I’ll install it on my PC instead”. Windows 10 PC. NOPE. “Cannot install on a compressed drive”. Welp, wtf ? (Of course you cannot select destination install folder, I could’ve put it on another drive).

So here I am. Working 100% on Windows, installed Ubuntu server 20 LTS in Hyper-V, Installed Microsoft SQL server on it (BTW, install is very easy compared to windows). And that shit is working. And new “Terminal” app does support SSH out of box, no need to add Putty !

So as a Windows user, I needed Linux to make Microsoft SQL techno work.

Nothing will ever surprise me anymore. (BTW it’s fucking fast. I like SQL server on Linux)

So, most (if not all) modern operating systems sync their time with some trusted source (like the Internet) right? Windows included. All is well.

When your Windows 10 computers are joined to a domain, it thence relies on your local neighborhood domain controller to tell it the time. Sounds good, since domain controllers Never Go Down, right? All is well.

Services are all being cloud-ified, which means virtual machines. The domain controllers have suffered this fate, but everything is smooth and buttery. All is well.

Wait, the VM's clock is running slow. Uh oh....
Wait, isn't it supposed to ask the Internet?
Well, no. Domain Controllers decide that They Know All, and stop asking the Internet for its opinion.

This causes problems, but only ever so slowly, and it took me noticing all the computers seemed to be ten minutes slow compared to my phone (and well everyone else's phone) to realize what had happened.

Thanks, Windows...

The dangers of PHP eval()

Yup. "Scary, you better make use of include instead" — I read all the time everywhere. I want to hear good case scenarios and feel safe with it.

I use the eval() method as a good resource to build custom website modules written in PHP which are stored and retrieved back from a database. I ENSURED IS SAFE AND CAN ONLY BE ALTERED THROUGH PRIVILEGED USERS. THERE. I SAID IT. You could as well develop a malicious module and share it to be used on the same application, but this application is just for my use at the moment so I don't wanna worry more or I'll become bald.

I had to take out my fear and confront it in front of you guys. If i had to count every single time somebody mentions on Stack Overflow or the comments over PHP documentation about the dangers of using eval I'd quit already.

Tell me if I'm wrong: in a safe environment and trustworthy piece of code is it OK to execute eval('?>'.$pieceOfCode); ... Right?

The reason I store code on the database is because I create/edit modules on the web editor itself.

I use my own coded layers to authenticate a privileged user: A single way to grant access to admin functions through a unique authentication tunnel granting so privileged user to access the editor or send API requests, custom htaccess rules to protect all filesystem behind the domain root path, a custom URI controller + SSL. All this should do the trick to safely use the damn eval(), is that right?!

Unless malicious code is found on the code stored prior to its evaluation.

But FFS, in such scenario, why not better fuck up the framework filesystem instead? Is one password closer than the database.

I will need therapy after this. I swear.

If 'eval is evil' (as it appears in the suggested tags for this post) how can we ensure that third party code is ever trustworthy without even looking at it? This happens already with chrome extensions, or even phone apps a long time after reaching to millions of devices.

tldr; Fuck Windows networks

I do some first level support for a befriended architect when i got some sparetime after regular work. Its nice and easy extra cash most of the times but not today.

We decided to ditch the money thiving IT admin that did not care about doing his work. And instead of taking over his pile of shit i adviced to redo the whole network, drop the massive server that did idle 99% of the day and update all PCs some of them did still run IE8 and had no active anti virus, yeah that dude was real shit.

Anyways i proceded with the whole process today and everything worked expect the fucking windows network, that fucking domain controller setup blocked the fucking internetconnection even though DNS and DHCP where set up correctly. Why does fucking ms need to make it so difficult to set up fucking network accounts....

I will have to finish this shit up tomorrow and this on a weekend...

(Sr. Dev) Oh right, you can't do that in the controller.
(Me) I can't do what?
(Sr. Dev) That thing.
(Me) Call another controller from the controller?
(Sr. Dev) Yep.
(Me) Where is supposed to be called?
(Sr. Dev) From the view.
(Me) But what is supposed the controller to be used for?
(Me) What is supposed to do the controller?
(Sr. Dev) The controller pass data to the inner classes. (Controller > Manager > Domain Object > DAO)

I ended calling 3 controllers methods from the view in 4 different views everytime...

So I’ve been working on a tool to do offline domain joining in an active directory for about a month in my company, and so far everything is functional and done EXCEPT that one thing.

Essentially to do an offline domain junction, you need an AD account that has sufficient privileges on the domain controller. It will then generate a key that you can use on the client machine to make the junction to the domain.

I have tried literally every possible option that I could think of and I cannot for the life of me figure out why the client machine does not accept the generated key. I’m using methods from the Netapi32.dll which are barely documented anywhere, I even searched on GitHub code references and I couldn’t find much… Theres also a tool called djoin.exe that supposedly does that, I’ve tried with that tool too, to no avail.

This is the last thing missing for the project to be complete, and it’s pretty essential as well…

So close yet so far….

If anybody here knows anything about that kind of stuff (admittedly very niche) I’ll take anything.

Note: I think I’ve browsed all the websites and forums referencing to these functions and the tool now…

I'm a fool.

Trying to delete local version of domain account:
Supposed to use command:
net user [username] /delete

Tried:
net user "domain\user" /delete

Didn't work, came up with help which said an option was net user [/delete] [/domain]
So I decided to try:
net user "user" /delete /domain

... "The request will be processed at a domain controller for domain domain.local.

The command completed successfully."

Well FUCK

So now the user's account has been deleted on AD, trying to restore it but AD management tools aren't picking up AD's object so I can't find the tombstone.

SHIITTTTTTTTT :((

TL;DR: I've fucked a user's account and can't find what I need to fix it.

Moral: Don't be a fool like me.

Not really a bug, but I have recently finished organising our Domain Controller.

It was a server set up about 8 year ago by someone with zero experience with server OS.

I had to completely re-work every single group, GPO, User Account, Login script, shared drives and DHCP.

I have now solved 90% of re-occurring problems with our network.

Now they want me to do the same with our Digital Storefront...

Not quite dev-related, but I once had to migrate and replace a Windows Server 2003 Domain (1 DC) to a new Windows Server 2016 Domain Controller. The network consisted of about 30 PCs, 1 DC and 1 DB Server.
Eventhough it worked, I wouldn't do it again... 😰
At the beginning I almost deleted the old Domain Controller VM from the old ESXi host server, before any VM backup existed. Close one...

I recently started working on laravel. As the community says it was easy to get along with the framework and its methodologies. But then i had to do multiple login with framework in same domain.

Oh man, i spent a week to make it work. All those guards and middlewares realted to login was driving me crazy. The concept was clear, but somehow the framework was like "You! I shall make you spend a week for my satisfaction". The project demo was nearing and i was doing all kind of stuff i found. Atlast after continous tries it worked. Never in my 4+ years as a developer i had to face such an issue with login.

So here is how it works,if anyone faces the same issue:
(This case is beneficial if you're using table structures different from default laravel auth table structures)

1. Define the guards for each in auth.php
Eg:
'users' => [
'driver' => 'session',
'provider' => 'users',
],
'client' => [
'driver' => 'session',
'provider' => 'client',
],
'admin' => [
'driver' => 'session',
'provider' => 'admins',
],

2. Define providers for each guards in auth.php
'users' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
'table' => '<table name>', //Optional. You can define it in the model also
],
'admins' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
],
'client' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
],

Similarly you can define passwords for resetting passwords in auth.php

3. Edit login controller in app/Http/Controller/Auth folder accordingly
a. Usually this particular line of code is used for authentication
Auth::guard('<guard name>')->attempt(['email' => $request->email, 'password' => $request->password]);
b. If above mentioned method doesn't work, You can directly login using login method
EG:
$user = <model namespace>::where([
'username' => $request->username,
'password' => md5($request->password),
])->first();
Auth::guard('<guard name>')->login($user);

4. If you're using custom build table to store user details, then you should adjust the model for that particular table accordingly. NOTE: The model extends Authenticatable
EG
class <model name> extends Authenticatable
{
use Notifiable;

protected $table = "<table name>";

protected $guard = '<guard name>';

protected $fillable = [
'name' , 'username' , 'email' , 'password'
];

protected $hidden = [
'password' ,
];

//Below changes are optional, according to your need
public $timestamps = false;
const CREATED_AT = 'created_time';
const UPDATED_AT = 'updated_time';

//To get your custom id field, in this case username
public function getId()
{
return $this->username;
}
}

5. Create login views according to the user types you required

6. Update the RedirectIfAuthenticated middleware for auth redirections after login

7. Make sure to not use the default laravel Auth routes. This may cause some inconsistancy in workflow

The laravel version which i worked on and the solution is for is Laravel 6.x