Category Archives: Uncategorized

Get e-mail alert for failed logon attempt on Outlook Web Access (OWA)

Just for fun I tried to establish a mechanism that will allow me to get information for failed logon attempt on Outlook Web Access (OWA).

If you open event viewer on your CAS server (where OWA is located) you can find out that failed requests are logged with Event ID 4625.
003

001
In general information you can find interesting things like – username which was used and IPv4 or IPv6 address from where the attempt was made.
002
All you need to do is to Attach task to this event
004
As all other actions are deprecated you should use the option to Start a program – here we will run a Powershell script to do the job.
005
We need to create a PS1 (powershell script) with content:

$EventMessage = get-winevent -FilterHashtable @{Logname=’Security’;ID=4625} -MaxEvents 1 | fl TimeCreated, Message
$eventmessagetstring = $EventMessage | Out-String
$EventMessageAccountNameText3array = $EventMessagetstring | Select-String -Pattern “Account Name:\s+\S+” -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value
$EventMessageAccountNameText3 = $EventMessageAccountNameText3array[-1]
$EventMessageAccountNameText = $EventMessagetstring | Select-String -Pattern “Failure Reason:\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+” -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value
$EventMessageAccountNameText2 = $EventMessagetstring | Select-String -Pattern “Source Network Address:\s+\S+” -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value

$EmailTo = “admin@domain.com”
$EmailFrom = “alert@domain.com”
$Subject = “OWA attack from $EventMessageAccountNameText2”
$Body = “Owa attack from: `n $EventMessageAccountNameText2 `n $EventMessageAccountNameText3 `n $EventMessageAccountNameText”
$SMTPServer = “IPOfYourSMTPServer”
$SMTPMessage = New-Object System.Net.Mail.MailMessage($EmailFrom,$EmailTo,$Subject,$Body)
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 25)
$SMTPClient.Send($SMTPMessage)

So in task properties we should choose:
007
In Add arguments (optional) field we should add:

-ExecutionPolicy ByPass -File X:\PathToScript\OwaAttack.ps1

So if everything is correct – next time someone fail to enter correct password or an attack on OWA is performed you will get an e-mail like this:

006

“Demystifying” – Windows server 2012 Hyper-V 3.0 network virtualization – part III – (two hosts / two subnets)

In this part III I would like to show you how network virtualization works between two Hyper-V hosts in different subnet (in my example connected HV01 – Router (IPSec VPN) – WAN – WAN – Router (IPsec VPN) – HV02).

You can see how to do that by clicking on a link to video tutorial:
http://www.screencast.com/t/pRDC7Z4UKrg  – Hyper-V 3.0 – Network virtualization Part 4

* at 1:48 – I have already copy pasted that before – you should do it on both hosts
* at 2:04 – there is mistake as those parameters were already there so I removed them and resumed with video recording
* at 2:43 – I did not paste the second part to HV02 (I already did that in previous demo)
* at 3:59 – You will not see GRE traffic until you add Ethernet card to monitoring

In my environment I have two hyper-v hosts called HV01 (10.17.217.177 with gw 10.17.217.1 (router – that makes IPSec VPN)) and HV02 (10.17.218.177 with gw 10.17.218.1 (router – that makes IPSec VPN)).

So only Hyper-V hosts “see” each other over VPN (two different subnets).

I have used folowing powershell cmdlets:

First we need to enable ms_netwnv component on !PHYSICAL! nic – not on virtual switch NIC!
Run it on HV01 and HV02:

Enable-NetAdapterBinding “Ethernet” -ComponentID ms_netwnv

Now we create Lookup record and CustomerRoute (we use IP addresses of our virtual machines, their mac address and IP address of Hyper-V host) This is explained in my previous post.
Run it on HV01 and HV02:
New-NetVirtualizationLookupRecord -CustomerAddress “10.10.10.11” -ProviderAddress “10.17.217.177” -VirtualSubnetID “5001” -MACAddress “AAAAAAAAAA01” -Rule “TranslationMethodEncap”
New-NetVirtualizationLookupRecord -CustomerAddress “10.10.10.12” -ProviderAddress “10.17.218.177” -VirtualSubnetID “5001” -MACAddress “AAAAAAAAAA02” -Rule “TranslationMethodEncap”
New-NetVirtualizationCustomerRoute -RoutingDomainID “{11111111-2222-3333-4444-000000000000}” -VirtualSubnetID “5001” -DestinationPrefix “10.10.10.0/24” -NextHop “0.0.0.0” -Metric 255

Now only on HV01 you should configure provider address and provider route (this is how hosts will get connectivity to each other…):
New-NetVirtualizationProviderAddress -InterfaceIndex 12 -ProviderAddress “10.17.217.177” -PrefixLength 24

New-NetVirtualizationProviderRoute -InterfaceIndex 12 -DestinationPrefix “0.0.0.0/0” -NextHop “10.17.217.1”

The same thing on HV02:
New-NetVirtualizationProviderAddress -InterfaceIndex 12 -ProviderAddress “10.17.218.177” -PrefixLength 24
New-NetVirtualizationProviderRoute -InterfaceIndex 12 -DestinationPrefix “0.0.0.0/0” -NextHop “10.17.218.1”

At the end we need to add VirtualSubnetID parameter to our VM’s sitting on HV01 and on HV02

HV01 (Where Blue01 VM sits):
Get-VMNetworkAdapter -VMName Blue01 | where {$_.MacAddress -eq “AAAAAAAAAA01”} | Set-VMNetworkAdapter -VirtualSubnetID 5001

HV02 (Where Blue02 VN sits):
Get-VMNetworkAdapter -VMName Blue02 | where {$_.MacAddress -eq “AAAAAAAAAA02”} | Set-VMNetworkAdapter -VirtualSubnetID 5001