Blog Archives

Windows Server 2008 R2 – Active Directory – All Possible Deployment Types – DcpromoUI Answer Files – Reference


WaheGuru G Ka Khalsa, WaheGuru G Ki Fateh

In this post, we list the answer files created by DcpromoUI (and some of their critical parameters) for use as a reference.

DcpromoUI answer file – sourced from a New Forest Root Domain Controller promotion wizard:

; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
;   dcpromo.exe /unattend:C:\Users\Administrator\Desktop\DcpromoUI win2008 r2.txt
;
[DCInstall]
; New forest promotion
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=hello.com
ForestLevel=4
DomainNetbiosName=HELLO
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; RebootOnCompletion=Yes

DcpromoUI answer file – sourced from a New ADDITIONAL Domain Controller promotion wizard:

; DCPROMO unattend file (automatically generated by dcpromo)
 ; Usage:
 ;   dcpromo.exe /unattend:C:\Users\Administrator\Desktop\DcpromoUI ADC.txt
 ;
 ; You may need to fill in password fields prior to using the unattend file.
 ; If you leave the values for "Password" and/or "DNSDelegationPassword"
 ; as "*", then you will be asked for credentials at runtime.
 ;
 [DCInstall]
 ; Replica DC promotion
 ReplicaOrNewDomain=Replica
 ReplicaDomainDNSName=globomantics.com
 SiteName=NewYorkHQ
 InstallDNS=Yes
 ConfirmGc=Yes
 CreateDNSDelegation=No
 UserDomain=globomantics.com
 UserName=globomantics.com\administrator
 Password=*
 DatabasePath="C:\Windows\NTDS"
 LogPath="C:\Windows\NTDS"
 SYSVOLPath="C:\Windows\SYSVOL"
 ; Set SafeModeAdminPassword to the correct value prior to using the unattend file
 SafeModeAdminPassword=
 ; Run-time flags (optional)
 ; CriticalReplicationOnly=Yes
 ; RebootOnCompletion=Yes

DcpromoUI answer file – sourced from a NEW RODC promotion wizard:

; DCPROMO unattend file (automatically generated by dcpromo)
 ; Usage:
 ;   dcpromo.exe /unattend:C:\Users\Administrator\Desktop\DcpromoUI rodc.txt
 ;
 ; You may need to fill in password fields prior to using the unattend file.
 ; If you leave the values for "Password" and/or "DNSDelegationPassword"
 ; as "*", then you will be asked for credentials at runtime.
 ;
 [DCInstall]
 ; Read-Only Replica DC promotion
 ReplicaOrNewDomain=ReadOnlyReplica
 ReplicaDomainDNSName=globomantics.com
 ; RODC Password Replication Policy
 PasswordReplicationDenied="BUILTIN\Administrators"
 PasswordReplicationDenied="BUILTIN\Server Operators"
 PasswordReplicationDenied="BUILTIN\Backup Operators"
 PasswordReplicationDenied="BUILTIN\Account Operators"
 PasswordReplicationDenied="GLOBOMANTICS\Denied RODC Password Replication Group"
 PasswordReplicationAllowed="GLOBOMANTICS\Allowed RODC Password Replication Group"
 SiteName=NewYorkHQ
 InstallDNS=Yes
 ConfirmGc=No
 CreateDNSDelegation=No
 UserDomain=globomantics.com
 UserName=globomantics.com\administrator
 Password=*
 DatabasePath="C:\Windows\NTDS"
 LogPath="C:\Windows\NTDS"
 SYSVOLPath="C:\Windows\SYSVOL"
 ; Set SafeModeAdminPassword to the correct value prior to using the unattend file
 SafeModeAdminPassword=
 ; Run-time flags (optional)
 ; CriticalReplicationOnly=Yes
 ; RebootOnCompletion=Yes

DcpromoUI answer file – sourced from a NEW DOMAIN TREE promotion wizard:

; DCPROMO unattend file (automatically generated by dcpromo)
 ; Usage:
 ;   dcpromo.exe /unattend:C:\Users\Administrator\Desktop\DcpromoUI.txt
 ;
 ; You may need to fill in password fields prior to using the unattend file.
 ; If you leave the values for "Password" and/or "DNSDelegationPassword"
 ; as "*", then you will be asked for credentials at runtime.
 ;
 [DCInstall]
 ; New tree promotion
 ReplicaOrNewDomain=Domain
 NewDomain=Tree
 NewDomainDNSName=test.com
 DomainNetbiosName=TEST
 DomainLevel=4
 SiteName=NewYorkHQ
 InstallDNS=Yes
 ConfirmGc=No
 CreateDNSDelegation=No
 UserDomain=globomantics.com
 UserName=globomantics.com\administrator
 Password=*
 DatabasePath="C:\Windows\NTDS"
 LogPath="C:\Windows\NTDS"
 SYSVOLPath="C:\Windows\SYSVOL"
 ; Set SafeModeAdminPassword to the correct value prior to using the unattend file
 SafeModeAdminPassword=
 ; Run-time flags (optional)
 ; RebootOnCompletion=Yes

DcpromoUI – NEW Forest Root Domain deployment – Critical Parameters

ForestLevel=0 | Windows 2000
DomainLevel=0 | Windows 2000

ForestLevel=2 | Windows 2003
DomainLevel=2 | Windows 2003

ForestLevel=3 | Windows 2008
DomainLevel=3 | Windows 2008

ForestLevel=4 | Windows 2008R2
DomainLevel=4 | Windows 2008R2

DcpromoUI – deployment of various Domain Controller types – Critical Parameters

; New forest promotion
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=hello.com

; Replica DC promotion
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=globomantics.com
SiteName=NewYorkHQ

; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=globomantics.com
SiteName=NewYorkHQ

; New child domain promotion
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=globomantics.com
ChildName=child01

; New tree promotion
ReplicaOrNewDomain=Domain
NewDomain=Tree
NewDomainDNSName=tree01.com
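
An added example, not part of the original post or of dcpromo itself: a small Python audit of a DcpromoUI answer file that identifies the deployment type from the critical parameters above and flags secrets left in the file and a weakened RODC Password Replication Policy. The function names, the finding strings, the use of the wizard-generated deny list as the baseline, and the sample file are assumptions made here.

```python
# Added example: audit a dcpromo answer file against the values shown on this page.
NEW_DOMAIN = {"forest": "New forest", "child": "New child domain", "tree": "New tree"}
SECRET_KEYS = ("password", "safemodeadminpassword", "dnsdelegationpassword")
RODC_DENY_BASELINE = {"builtin\\administrators", "builtin\\server operators",
                      "builtin\\backup operators", "builtin\\account operators"}

def parse_dcinstall(text):
    """Return {lowercased key: [values]} for [DCInstall]; keys may repeat."""
    settings, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[dcinstall]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            settings.setdefault(key.strip().lower(), []).append(value.strip().strip('"'))
    return settings

def deployment_type(settings):
    kind = settings.get("replicaornewdomain", [""])[0].lower()
    if kind == "domain":
        return NEW_DOMAIN.get(settings.get("newdomain", [""])[0].lower(), "Unknown")
    return {"replica": "Replica DC", "readonlyreplica": "Read-Only Replica DC"}.get(kind, "Unknown")

def audit(text):
    s = parse_dcinstall(text)
    kind, findings = deployment_type(s), []
    for key in SECRET_KEYS:
        for value in s.get(key, []):
            if value and value != "*":  # "*" asks for the credential at run time
                findings.append(f"{key}: secret stored in clear text")
    if s.get("safemodeadminpassword", [""])[0] == "":
        findings.append("safemodeadminpassword: empty, set before use")
    if kind == "Read-Only Replica DC":  # baseline: wizard-generated deny list above
        denied = {v.lower() for v in s.get("passwordreplicationdenied", [])}
        for group in sorted(RODC_DENY_BASELINE - denied):
            findings.append(f"passwordreplicationdenied: missing {group}")
    return kind, findings

# Constructed sample input (not one of the page's files).
SAMPLE = r'''[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
Password=Example-Not-A-Real-Secret
SafeModeAdminPassword=
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against any answer file before the file is copied to a share or a build image; an empty findings list means no clear-text secrets and, for an RODC, no built-in privileged group missing from the deny list.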

 

Hope this helps and Cheers :) | Your feedback is highly appreciated.

WaheGuru G Ka Khalsa, WaheGuru G Ki Fateh

 

 

 

Copyright © 2013

For copyright purposes, VirtualizationMaximus.com is not in the public domain. The fact that this blog owner publishes an RSS feed does not grant any rights for republication or re-use of the material except in the manner described below.

All content in this blog created by the blog owner and his guest authors is the property of the blog owner and his guest authors and protected by international copyright laws and cannot be stored on any retrieval system, reproduced, reposted, displayed, modified or transmitted in any form, electronic or otherwise without written permission of the copyright owner except as noted below.

A brief excerpt of content that does not exceed 128 words or 512 characters may be quoted as long as a link is provided back to the source page on this blog and authorship is properly attributed.

Airtel Broadband – Beetel CPE Device – 450TC1 – MGMNT SSID – Hack – Exploit


WaheGuru G Ka Khalsa, WaheGuru G Ki Fateh

In this post, we illustrate a possible hack/exploit against Beetel ADSL routers/modems (broadband CPE) distributed by Airtel Broadband, India. Once exploited, it gives access to the subject's (target's) LAN and thereby the WAN (the WAN if the device operates in PPPoE/Router/NAT mode and no custom iptables rules and/or network ACLs are defined).

CPE Device Model: Beetel 450 TC1
CPE Device Default Admin Credentials: admin | password
Tested Device Information:

 RAS version: TM4-0Q-020__TME-0Q-020
System   ID: $2.11.65.2(RE5.C21)3.12.7.0 20100628_V022[Jun 28 2010 14:44:06]
romRasSize: 1351290
system up time:     9:32:48 (347163 ticks)
bootbase version: VTC_SPI1.12 | 2010/09/09

Default Broadcasted SSIDs:

SSID1 – AIRTEL – SSID Index 1 – (when connected to this SSID, we can connect to the Internet). This is the only SSID we can configure, i.e. the SSID with Index – 1.

Inssider – SSID1 and SSID2 being Broadcasted by same CPE Device

SSID2 – MGMNT – SSID Index 2 – (when connected to this SSID, we can only view the CPE Device STATUS page and can’t connect to the Internet, probably due to iptables). We can’t configure or disable this SSID, i.e. the SSID with Index – 2.

Exploit Summary: Connect to Secondary SSID (SSID with Index – 2) – MGMNT – (Airtel CPE Service SSID) in order to reveal Credentials associated with Primary SSID (SSID with Index – 1).

Procedure:

By default (with factory defaults), this specific router broadcasts two SSIDs, one named Airtel and the other MGMNT. The consumer can modify only the Airtel SSID (SSID Index 1) as required, but can’t turn off the MGMNT SSID (using SSID1, SSID2 or Ethernet), as shown below.

By default, the MGMNT SSID broadcasts with WEP encryption, a 10-digit hex key (64 bits), and OPEN authentication (WEP64 Security – OPEN), with the WEP key set to “0987654321”, as shown below:

MGMNT SSID – SSID Index – 2

Also note that in the Web Based Administration Page all buttons are grayed out/disabled, so we can’t configure or turn off SSID 2 (MGMNT).

Now, when we connect to the MGMNT SSID (using the default WEP key, 0987654321), we get an IP address from the dhcpd DHCP pool. When we open the Device Administration Page, the CPE device detects that we are connecting through the MGMNT SSID (Airtel CPE Service SSID) and automatically redirects the URL from http://x.x.x.x to http://x.x.x.x/ssid_index2.html, where x.x.x.x is the IPv4 address of the CPE device, which in our case (and by default) is 192.168.1.1, as shown below:

MGMNT SSID – SSID Index – 2 – Login Page-01

We log in through the MGMNT SSID using the default credentials, i.e. admin | password, and are presented with the STATUS page of the device. Note that we can’t really configure the CPE device when connected through MGMNT, because we are given only a lite version of Device Administration (the STATUS page) rather than the full-featured one.

MGMNT SSID – SSID Index – 2 – Login Page-02

And here goes our exploit: we enter the URL http://x.x.x.x/basic/home_wlan.htm and, voilà, we are presented with the page to configure the Primary SSID, i.e. the SSID which can route packets to the WAN/Internet.

MGMNT SSID – SSID Index – 2 – Login Page-03

This exploit can be prevented by simply changing the default admin credentials (because we are using the default admin credentials to log into the Administration Page when connected to MGMNT [SSID Index – 2]).

Our sole intent is to make Beetel 450TC1 consumers (with specific firmware) aware, safe and secure.

Airtel ISP can also help consumers of these exploitable devices/firmwares by pushing patched firmware using CWMP/TR-069 and some scripting. Hopefully, this possible exploit will be resolved by Airtel Broadband India; until then, 450TC1 users should never use WEP PSK for SSID1 and should change the default admin credentials.

 

Hope this helps and Cheers 🙂 | Your feedback is highly appreciated.

WaheGuru G Ka Khalsa, WaheGuru G Ki Fateh

 

 

 
