Tuesday, January 25, 2022
Hi All,
A customer recently could not remember the Password of the PFX File.
I was curious and searched for a PFX Password Recovery Tool.
I created a PFX with a Password
- 9 chars
- uppercase chars
- lowercase cars
- numbersspecial caracter
Certificate Password Recovery Tool
I startet the Tool on Friday 14 January 23:41:41
After about 9 Days there where tested 569'890'000 diffrent combinations. And we're still at 5 Characters.
Conclusion:
If you have a weak password or know parts of the Password - this might work for you in an acceptable time.
If it is a secure Password and you don't know anything, it will take simply too much time.
It's not that hard to create a new CSR and issue a new Certificate.
Regards
Andres Bohren
Hi All,
It has also been renamed from "Threat Explorer" just to "Explorer".
What i absolutely love about this, is that the default now points to "All email" instead of "Malware" like before.
You sill have a lot of Filtering possibilities
And also the Chart view has diffrent Filtering options
A quick check in the Advanced Hunting shows, that here also were made some changes
After a Moment (15-30 Minutes) i was able to execute the Querys again.
Regards
Andres Bohren
Hi All,
Here are the Release notes
Time to uninstall the old Modules and get the new one. Unfortunately i had still code open, that's why 3.0.1-Preview couln't be uninstalled in the first place-
Get-Module MicrosoftTeams -ListAvailable
Uninstall-Module MicrosoftTeams
Uninstall-Module MicrosoftTeams
Uninstall-Module MicrosoftTeams
Now Install the MicrosoftTeams PowerShell Module from the PSGallery
Find-Module MicrosoftTeams
Install-Module MicrosoftTeams
Let's see how long it takes to load the Module. I am impressed, it's like half of the time than the previous modules, but still not as fast as te 2.x.x Versions.
Measure-Command -Expression {Import-Module MicrosoftTeams}
As you can see the Module is loaded
Get-Module
The
Get-CsOnlineUser | ft UserPrincipalname, SipAddress, EnterpriseVoiceEnabled, HostedVoiceMail
Get-CsOnlineVoiceUser
Get/Set-CsUserCallingSettings are still Preview Commands and not included in this GA Version of the PowerShell Module
Get-CsUserCallingSettings
Get-Command *CsUserCallingSettings
Get-Team
Get-CsOnlineUser -Identity a.bohren@icewolf.ch | fl *Ent*, *host*, *voice*, *um*
Regards
Andres Bohren
Hi all,
On the last Microsoft Patchday, i've seen, that a new Azure File Sync Agent has been released. The Title is "Azure File Sync Agent v14.1 Release - November 2021 (KB5001873)" - but when you check the download Link it is from mid December.
When i check the Storage Sync Service in Azure Portal, i can see that i'm using the Agent Verion 13.0. The Download Link to the New Version also comes handy.
I've installed the new Agent via Windows update. After a Reboot i can see that the new Version of Azure File Sync Agent is working.
Regards
Andres Bohren
Hi All,
Today i got a big update that also contained Android 12 and Android Patchlevel 2022.01
Monday, January 24, 2022
Hi Everybody,
In June 2020 i applied for the Data residency move to the newly created M365 Datacenter Location in Switzerland
Today i had the following Message in the M365 Message Center
I've checked the Data location. As you can see the Exchange Data has been moved to Switzerland 😍
Regards
Andres Bohren
Sunday, January 23, 2022
Hi All,
A few weeks ago i had to upload a File to a SharePoint Site with a PowerShell Script.
In this Blog Article i explain how i did it.
All you need is
Here is the File i want to upload and replace with my PowerShell Script (Documents/Project/Script/AADUsers.csv)
Azure AD Application
You need to create an Azure AD Application. Copy the Application ID, you will need that later for the PowerShell Script
The Application need to have a ClientSecret. Copy the ClientSecret, you will need that later for the PowerShell Script.
Sadly you can't use Certificates with PnPPowerShell for Authentication.
You don't need any Permissions. These will be set in the Sharepoint Site.
SharePoint Permission
Go to the Sharepoint Site you want to Upload open the "/_layouts/appinv.aspx" and enter the App ID and klick on lookup.
https://[tenant].sharepoint.com/sites/[siteName]/_layouts/appinv.aspx
Now we add the Permission. It has to be done with an XML File
In this Example the Following XML is Sufficient
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="FullControl"/>
</AppPermissionRequests>
On the next Page we select "Documents" and hit "Trust it"
You can't change the Settings. But under the Site Settings > Site collection App permissions you can view the Applications
As mentioned, you can't edit. Simply delete the App.
PowerShell Script
And here is the PowerShell Script to Upload a File with PnPPowerShell
###############################################################################
# Upload file to SharePoint with PnP.PowerShell
# 23.01.2022 - Andres Bohren
###############################################################################
#Variables
$AppID = "0d1c73de-c74d-4b06-8a35-e53c8e190258"
$ClientSecret = "YourClientSecret"
$SiteURL = "https://icewolfch.sharepoint.com/sites/DemoTemplate/"
$FileURL = "Freigegebene Dokumente/Project/Script/AADUsers.csv"
#Connect-PnPOnline
Write-Output "Connect-PnPOnline"
Connect-PnPOnline -Url $SiteURL -ClientId $AppID -ClientSecret $ClientSecret -WarningAction Ignore
Get-PnPContext
#Items in Folder
$RelativeURL = "Freigegebene Dokumente/Project/Script"
$Items = Get-PnPFolderItem -FolderSiteRelativeUrl $RelativeURL
$Items
#Upload File
$CSVFile = "C:\GIT_WorkingDir\PowerShellScripts\SharePoint\AADUsers.csv"
Write-Output "Uploading CSV to Sharepoint"
$FolderObject = Get-PnPFolder -Url $RelativeURL
$Upload = Add-PnPFile -Path $CSVFile -Folder $FolderObject
If ($Upload -ne $null)
{
Write-Output "File sucessfully uploaded"
}
Regards
Andres Bohren
Hi All,
Did you ever wanted to have a List of all assigned Phone Numbers in Teams?
For CallQueues and Autoattendant you can find the List of ResourceAccounts in Teams Admin Center (TAC) under Voice > Resouce accounts
Sadly, the same does not apply for Users. Under "Phone Numbers" you will find only a List of Numbers if you're using Operator connect.
For the Users you have to go to Users > Manage users. But here are all Users not only the ones with Phone Numbers
Maybe you can use a Filter. Best fit would probably to query the voice routing policy - given you have set that for every user correctly.
I found a handy Script from Andrew Morpheth on Github
The Script will export all Numbers to a CSV
Make sure you have these Azure AD Roles assigned:
Skype for Business Administrator
Teams Administrator
Otherwise you will run into this Error
Here is the Export.
Sadly the Callqueues and Autoattendands are listed double (Type User and CallQueue/Autoattendant)
But hey, i think the Script is still handy
Regards
Andres Bohren
Saturday, January 22, 2022
Hi All,
Did you know, that you can create a Microsoft List in M365 from an Excel?
I have created this Example Excel
From the Office 365 Portal in the Browser i open Lists
Here i create a "New List"
I select "From Excel"
The Excel File has to be on your OneDrive
If the Table is not yet properly formated you need to fix that
With the klick on the above "Open" the Excel File will loaded in Excel Online. You then Select the Data and "Format as Table". Then close Excel Online
Now your are able to fix some collumn Namens an check the Type
Give the List a Name and Save it
And here you go: A List imported from Excel
With "New" you can add new Entrys
You will find your Lists under "My Lists"
Regards
Andres Bohren
Friday, January 21, 2022
Hi All,
You might have stumbled over the Microsoft Anouncement of DNSSEC/DANE for Exchange Online.
In this Blog i would like to explain how it works in detail
Microsoft 365 roadmap
What is DANE?
DANE is the abbreviation for "DNS based Authentification of Named Entities".
Dane is defined in the RFC6698
Requires a TLSA DNS Record. In the RFC above there is this Statement:
TSLA Record ("TLSA" does not stand for anything; it is just the name of the RRtype)
Maybe that's true. I would consider it as a TLS Anchor.
Kind of HTTP Public Key Pinning (HPKP) Pinning for SMTP.
Interesting Note is that, HPKP is already depreciated and not supported anymore in any browser.
How does DANE work?
In short, these are the Steps that are performed
- MX Lookup
- DANE Lookup (TLSA Record for the Mailserver Hostname)
- Connect to the Mailserver and get the TLS Certificate
- Check if the Certificate matches the Hash of the TLSA Record
MX Lookup
As an Mailserver or Exchange Admin, you will be familiar with MX Lookups. There are many ways to do it.
With the Windows command prompt
nslookup -type=mx hostpoint.ch
With Powershell cmdlets
nslookup -type=mx hostpoint.ch
Resolve-DnsName -Name hostpoint.ch -Type MX
Via DNS over HTTPS
$Domain = "hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$Domain&type=MX"
$MX = $json.Answer.data
$MX
DNSSEC
But wait, didn't you say that the DNS Zone has to be Secured with DNSSEC?
Yes that's true. But how can i check that?
DNSSEC Analyzer
Another interesting Method is to use DNS over HTTPS with Powershell.
The DNS Zone hostpoint.ch is protected with DNSSEC, while the DNS Zone icewolf.ch is not.
$Domain = "hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$Domain&type=MX"
$json
As you can see there are some Flags in the Rest Response. AD = true is what we are looking for.
- TC: TrunCation (truncated due to length greater than that permitted on the transmission channel)
- RD: Recursion Desired
- RA: Recursion Available
- AD: Authentic Data
- CD: Checking Disabled
My DNS Zone icewolf.ch is hosted on Azure DNS. Interesting sidenote is that Azure DNS does not support DNSSEC at this time
TLSA DNS Record
The TLSA DNS Record looks like this
_<Port>._tcp.<Servername> IN TLSA <Certificate usage> <Selector> <Matching Type> <Fingerprint>
Certificate Usage (0 - 3)
| 0 |
The Hash belongs to the Certificate Authority who is allowed to issue Certificates for this Host. The Client must trust this CA (Trusted Root CA or Trusted Subordinate CA) |
| 1 |
The Hash belongs to the Servercertificate. It has to be from a CA that the Client trusts. |
| 2 |
The Hash belongs to the Certificate Authority who is allowed to issue Certificates for this Host. The Client must thrust this CA even its not in the List of the Trusted Root CA or Trusted Subordinate CA of the Client |
| 3 |
The Hash belongs to the Servercertificate and the Client shall trust it without having a look at the Certificate Chain |
Selector (0 or 1)
| 0 |
Hash will be from the complete Certificate |
| 1 |
Hash will only be from the Public Key and the algorithm |
Matching Type (0-2)
| 0 |
Hash contains the full certificate |
| 1 |
Hash contains a SHA-256 hash |
| 2 |
Hash contains a SHA-512 hash |
Let's check with the Windows command promt - that does not know that resource Record
nslookup -type=tlsa _25._tcp.mx.hostpoint.ch
Let's check with the Powershell Commandlets - same here, the Resource Type is not known
Resolve-DnsName -Name _25._tcp.mx.hostpoint.ch -Type TLSA
Let's try with DNS over HTTPS - here it works
$TLSAQuery = "_25._tcp.mx.hostpoint.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$TLSAQuery&type=TLSA"
$TLSA = $json.Answer.data
$TLSA
If you're working on Linux, that's your command:
Install the Bind utils
sudo yum install bind-utils
DNS Query
dig _25._tcp.mx.hostpoint.ch IN TLSA +short
Most of the DNS Providers out there currently do not support tho create TLSA DNS Records
Even in the Control Panel of Hostpoint (Remember it does support DNSSEC and has published it's own TLSA Record) it's not possible to publish a TLSA Record.
Same applies also to Azure DNS
Normally you can check any DNS Record with MXToolbox.com - not for TLSA Records. At least not for the moment. I guess that will change soon.
But there are alternatives like this one
DANE SMTP Validator
or this one
Mail Server Certificate
\Get-SMTPCertificate.ps1 -ServerName $Mailserver -Port 25 -SendingDomain icewolf.ch -CertificateFilePath C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer
Create the Hash
To be honest, i was strugeling with that part. None of my effords in creating a SHA-256 Hash of the Certificate / Certificate Public Key did match the Hash in the TLSA Record.
It's not as simple as creating a SHA-256 Hash.
# The GetSpkiFingerprint method returns the SPKI Fingerprint suitable for use in pinning.
# (See RFC 7469.) An SPKI Fingerprint is defined as the output of a known cryptographic hash
# algorithm whose input is the DER-encoded ASN.1 representation of the Subject Public Key Info
# (SPKI) of an X.509 certificate. The first argument specifies the hash algorithm and may be
# "sha256", "sha384", "sha512", "sha1", "md2", "md5", "haval", "ripemd128",
# "ripemd160","ripemd256", or "ripemd320".
# The second argument specifies the encoding, and may be "base64", "hex",
But you can use Certutil with the *.cer File
certutil.exe -dump C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer
Or create a PowerShell Script around certutil
###############################################################################
# Hash with Powershell and Certutil
###############################################################################
$dump = certutil.exe -dump C:\GIT_WorkingDir\PowerShellScripts\mx.hostpoint.ch.cer
$line = $dump | Select-String -pattern "pin-sha256-hex"
$Line = $Line.Tostring()
$SpkiFingerprint = $line.Split(" ")[1]
$SpkiFingerprint
Or use openssl
openssl x509 -in hostpoint.cer -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256
Summary
The requirements for DANE are pretty high with DNSSEC and a TLSA Record.
Administrators need to understand how to create these DNS Records and how to rollover when a certificate expires.
Anyway i am exited to see that Exchange Online will support DANE soon.
So prepare yourself to be able to troubleshoot if something isn't set up correctly.
Regards
Andres Bohren