What are APT and Sandbox?

بتاع شبكات (Network Guy) | Mohamed Abdel Aziz

To begin with, APT is an abbreviation of Advanced Persistent Threat.

So what is that 😀

It means an attack by a party or group that has the advanced technical capabilities and the financial resources to sustain an attack on a specific target until it gets what it wants out of that attack, such as leaking particular information, as happened with Sony for example, or sabotage at a zero hour, as happened in the Shamoon attacks on Saudi Arabia. Such an attack can last a week, a month, or even years! In short, this is a targeted, tailored attack, not someone who just wants to hack anybody at all.

These attacks go through several stages. The first stage is identifying the target organization. The second stage is planting itself inside the network, which it can do by targeting any employee in the company with a bit of social engineering and spear phishing. The second stage is trying to reach a privileged account, ideally a domain admin. The third stage is exploring the network and trying…


New Features Of VMware VSphere Platinum And VSphere 6.7 Update 1

 

VMware vSphere Platinum

VMware vSphere Platinum is the new edition of vSphere, designed to deliver the advanced security features that today's organizations require, with security built into the hypervisor itself. At the heart of VMware vSphere Platinum is VMware AppDefense. AppDefense uses the hypervisor and machine learning to simplify security and make it easy to operate. AppDefense lets you create a baseline of a virtual machine's known stable state and protects virtual machines by monitoring them: it looks for changes from this stable state, as well as malware and other threats that damage key files.

AppDefense gives vSphere administrators a simple way to secure the virtual machines in their organizations. By integrating the latest version of vSphere with AppDefense in VMware vSphere Platinum, vSphere administrators get a simple solution for securing the virtual machines in their organizations.

Advantages of VMware vSphere Platinum

Below is a list of benefits brought with the vSphere Platinum Edition:

  • Knowing the purpose of the VMs deployed in the vSphere environment, AppDefense uses this intelligence to spot possible malicious behavior in a virtual machine.
  • Reduces the attack surface across the virtual infrastructure
  • Agentless
  • Delivered through the vSphere tooling that administrators are already familiar with
  • It improves the security of the organization
  • Reduces false positives
  • Allows the members of the vSphere team and security to interact effectively and efficiently

VMware vSphere Platinum components

VMware vSphere Platinum includes the following main components:


  • VMware AppDefense – Lets you create a baseline of a virtual machine's known good state and protect the VM by monitoring it against that baseline. The guest operating system is locked down for its applications. Any deviation from the known stable state is detected, which maintains the integrity and security of virtual machines. This gives better management and a detailed view of state changes, and helps you adapt to reduce attacks.
  • Secure Data – FIPS 140-2 Validated VM Encryption, and cross-vCenter Encrypted vMotion – VSphereProtection Standard
  • Secure Boot for ESXi – Helps protect the integrity of ESXi hosts by using signed code.
  • Secure Boot for Virtual Machines – Protects guests from tampering by malicious code and other cyber attacks.
  • Support for TPM 2.0 on ESXi – Provides remote attestation of hosts.
  • Virtual TPM 2.0 – Provides the mechanism needed to secure the guest operating system.
  • Support for Microsoft Virtualization Based Security – A new capability, including Credential Guard from Microsoft, that can now run on top of vSphere.
  • Audit Quality Logging – Provides unprecedented visibility into the vSphere environment.

VMware vSphere 6.7 Update 1

This is an update that all VMware vSphere 6.7 administrators are looking forward to, including an interesting update to the vSphere Platinum version and some powerful new key features that bring vSphere to the next level.

  • A new and fully functional HTML5 client – that's what we all have been waiting for – so there's no need to use the Flex (Flash) client anymore. This is definitely a day to celebrate!
  • Enhanced support for NVIDIA Quadro vDWS and support for Intel FPGA
  • The new vCenter Convergence Tool
  • New vSAN version
  • Improved vSphere Content Library


VMware vSphere 6.7 Update 1 Fully Functional HTML5 Client

Administrators no longer have to move back and forth between the Flex (Flash) client and the HTML5 client. This includes using vSphere Update Manager (VUM) to update VMware Tools, creating a vCenter HA cluster, and so on.

VMware vCenter Server Convergence Tool

The new vCenter Server Convergence Tool allows administrators to migrate from an external Platform Services Controller (PSC) architecture to a simpler embedded PSC architecture. This greatly simplifies the vCenter Server model by reducing the number of VMs that run the vCenter architecture and by eliminating the need for load balancers for HA and multi-site replication. Enhanced Linked Mode (ELM) support with embedded PSCs has also been announced for vSphere 6.7 and vSphere 6.5 U2.

Capture PowerCLI Code Using VMware HTML5 Client Fling

 

Install HTML5 Web Client Fling

Until now we have not had a full HTML5 Web Client (it officially arrives with vSphere 6.7 Update 1). The HTML5 Web Client Fling is a great way to follow the progress and development of the HTML5 Web Client as new features are added. To get the HTML5 Web Client Fling, go to the following site and download it:

https://labs.vmware.com/flings/vsphere-html5-web-client

The Fling is an OVA appliance that can easily be deployed in your existing vCenter environment. Flings are technical previews and are not meant for production use. However, you can install it for trial and testing purposes. The appliance needs only minimal resources:

  • 2 vCPUs
  • 4096 MB of memory

After the appliance starts, log in to the FAMI interface, which listens on port 5490. Log in with the following username and password:

  • user: root
  • pass: demova
VMware web Client Fling login screen

After login, configure the connection between the HTML5 Web Client Fling and vCenter Server. One point: do not make the mistake that I made. Do not enter your SSO account the first time in the configuration, as it will cause the login to fail. You must enter the root password of your vCenter VCSA.

SSO connection configuration
The VMware HTML5 Web Client appliance configuration starts connecting to vCenter

The vSphere Client Web server is initially launched on the VMware HTML5 web server

 

Capture VMware HTML5 Client Fling Power Cli Code

After the vSphere Client web server has initialized, you are taken to the vCenter interface, which now includes the code capture control: a red dot shown next to your account information.

The new record button appears next to the login information in the HTML5 interface
Create a new datacenter in vCenter Server
Name the new datacenter
Complete the process of capturing PowerCLI code

The result of the PowerCLI code will be the following:

# ------ Start of code capture ------

<#
.SYNOPSIS
Gets a VI server connection by a given server UUID.
.DESCRIPTION
Gets a VI server connection by a given server instance UUID from the default connected VI server collection.
#>
function Get-VcConnection([string]$vcInstanceUuid) {
    # $DefaultVIServers holds the sessions opened with Connect-VIServer
    $DefaultVIServers | Where-Object { $_.InstanceUuid -eq $vcInstanceUuid }
}
# ----- ChildType -----
$_this = Get-View -Id 'Folder-group-d1' -Server (Get-VcConnection -VcInstanceUuid 'e2e21bd8-8e92-4b75-948b-9de6ddb7405e')
$_this.ChildType
# ----- CreateDatacenter -----
$name = 'TestDC'
$_this = Get-View -Id 'Folder-group-d1' -Server (Get-VcConnection -VcInstanceUuid 'e2e21bd8-8e92-4b75-948b-9de6ddb7405e')
$_this.CreateDatacenter($name)
# ------ End of code capture ------

As you have probably noticed, and as Kyle Ruddy's entry on the VMware PowerCLI website explains, the captured PowerCLI code is built on the underlying API objects and methods, so the code is very low-level. However, according to that website, work is underway to raise this low-level code to the PowerCLI cmdlets we are used to from PowerCLI one-liners and the like. An interesting point is that although this code works, it may be somewhat more complicated than automation purposes require.

This is a great step by VMware: it gives an easy way to see how UI actions map to PowerCLI code, which is useful for many purposes, such as learning to write code for automation. You can copy the code from the code capture window to your favorite PowerShell ISE. Below, I copied it to Visual Studio, tested creating the datacenter, and it went ahead. It's interesting!!!!!

PowerCLI code copied to Visual Studio

The PowerCLI Code Capture feature in the new version of the VMware HTML5 Web Client Fling does a great job of generating PowerCLI code from a variety of actions. Setting up the Fling from the OVA is very simple using the FAMI interface on port 5490.

The generated code is relatively low-level; however, again, according to the roadmap described in the official VMware PowerCLI posts, the feature may be upgraded to produce PowerCLI cmdlets in the future. This is definitely an excellent tool for learning and automation purposes in the VMware vSphere environment. Check out the new HTML5 Web Client Fling and generate your PowerCLI code easily.

How To Add Disk Capacity To The VSAN Group Disk

As technology infrastructure grows, our capacity and performance must grow in proportion. Assigning SAN storage capacity in a vSphere environment is commonplace, and new storage capacity can be presented to the ESXi hosts as new LUNs within a few minutes. With software-defined storage such as VMware vSAN, you add physical disks or an ESXi host to the vSAN cluster to increase the capacity of the vSAN datastore. In this article, we explain how to add capacity disks to vSAN disk groups to increase the vSAN datastore's capacity.

VMware vSAN is VMware's software-defined storage platform, providing the most secure and optimal storage space. Using vSAN on storage servers can provide a very flexible datastore for any virtual workload.

Hard disks are very important for a vSAN implementation. Expanding a vSAN cluster by adding hard disks or by adding a disk group is not difficult, and you can do it online; once added, the hard disk or disk group is immediately available to provide space and to take part in rebuild or rebalance operations.

How to add a disk’s capacity to a disk group in the VSAN?

This step is only required if the vSAN disk claiming mode is set to manual. If vSAN is set to automatic mode, it automatically claims all empty disks in the ESXi hosts. If you intend to add multiple hard drives to a server, we recommend changing the vSAN mode to manual, which makes adding hard drives to vSAN disk groups easier and cleaner.

Prerequisites for adding capacity disks to a vSAN disk group:

1. The physical ESXi server must have free slots for connecting new hard drives.

2. The vSAN claiming mode must be manual.

3. The new disk must be of the same type as the disks already attached, that is, flash or magnetic: magnetic disks for hybrid vSAN and flash disks for all-flash vSAN.

4. The new disk must not contain any partitions; if it has partitions of any format, we can remove them from the vSphere Web Client.

The screenshot below shows the disk groups and the hard disks in each disk group. I have exactly 3 hard disks in each disk group; in each disk group, one of the disks is used as cache and the other 2 are used for storage. A disk group can have at most one cache disk; we cannot use more than one disk for cache.

The maximum number of hard drives that each disk group accepts for storage capacity is 7, and each host supports up to 5 disk groups. This means we can attach up to 35 magnetic disks to any host as storage space.

You can rescan to see the hard drives connected to the server slots in the ESXi hosts; to rescan, follow the path below:

Right-click the vSAN cluster -> Storage -> Rescan Storage

Scan for new storage devices and click OK.

The scan is over and now I can see the new devices.

To add a new hard disk to a disk group, follow the path below:

vSAN Cluster -> Configure -> vSAN -> Disk Management

Select the ESXi host, select the disk group to which you want to add the hard drive, and click the add icon.

Then select the one or more hard drives you want to add, and click OK.

After the disks are added to the disk group, they start working immediately and can be used to provide storage and to take part in rebuild or rebalance operations.

Tips And Tricks VCenter Server Appliance 6.7

VMware is moving its vCenter Server from Windows to the Photon-based Linux operating system. When working with vCenter Server Appliance 6.7, the following tips and tricks may be useful to you:

  • Enable SSH
  • File Transfer with SCP / SFTP
  • Public Key Authentication
  • Disable or Increase Shell Session Timeout
  • Password expiration
  • Reset vCenter Server Appliance 6.7 root password
  • Create a Backup Job
  • Certificate Warning

Enable SSH

SSH access is essential for troubleshooting vCenter and ESXi. SSH access to vCenter Server is disabled by default, but it can be enabled in the deployment wizard. To enable SSH afterwards, use the DCUI (Troubleshooting options), the vSphere Web Client, or Appliance Management.

Web Client > Administration > Deployment > System Configuration > Nodes > vCenter > Manage > Settings > Access

Appliance Management (https://[VCENTER]:5480/) > Access

After connecting to the vCSA through the Appliance Shell, you can see the SSH settings.

File Transfer with SCP / SFTP

To transfer files between your computer and the vCSA, WinSCP or similar tools are commonly used. If you connect with the default configuration, you receive the following error message, because the root user is configured to use the Appliance Shell by default.

Received too large SFTP packet. Max supported packet size is 1024000 B. Cannot initialize SFTP Protocol. Is this host running an SFTP Server

To be able to connect with WinSCP, the default shell must be changed to /bin/bash:

# chsh -s "/bin/bash" root

If you want to undo this change later and re-enable the Appliance Shell, change the default shell back to /bin/appliancesh:

# chsh -s /bin/appliancesh root

Public Key Authentication

When working with Linux, you usually use SSH keys instead of a login password. Public key authentication is an authentication method that uses a public/private key pair and allows login without entering a password. The vCSA 6.7 already has a predefined authorized_keys file. Just add your key, either by editing the file with vi or by appending it with echo and a redirect:

echo "ssh-rsa AAAAB[....] fgrehl" >> /root/.ssh/authorized_keys

Now you should be able to connect to the vCSA with your key. Note that you cannot use the Appliance Shell without entering your key.

Disable or Increase Shell Session Timeout

As a security feature, you are automatically logged out after 15 minutes of inactivity. You can see the current setting with echo $TMOUT. The value is in seconds (900 seconds = 15 minutes).

root@vc [ ~ ]# echo $TMOUT
900

To change the timeout, edit /etc/profile.d/tmout.sh as follows:

  1. Open tmout.sh with an editor.
  2. Change the value in TMOUT=900 to the desired value.
  3. Save and close the file.
  4. Log out and log in again.

If you want to remove this feature completely, delete the tmout.sh script.

root@vc [ ~ ]# rm /etc/profile.d/tmout.sh
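
The three shell changes described above (root's login shell switched to /bin/bash for SCP, keys appended to authorized_keys, and TMOUT raised or removed) are easy to leave in place after troubleshooting. The following audit script is an added example, not part of the original post; the function names, the optional filesystem prefix argument and the use of 900 seconds as the reference value are assumptions of the example.

```shell
#!/bin/sh
# Added example: report the vCSA shell settings changed in the sections above.
# Every function takes an optional filesystem prefix (an assumption of this
# example) so it can inspect a mounted copy or a test tree; an empty prefix
# means the live appliance.

# Login shell recorded for root in etc/passwd (field 7).
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "${1:-}/etc/passwd"
}

check_root_shell() {
    case "$(root_shell "${1:-}")" in
        /bin/appliancesh) echo "OK root uses the Appliance Shell" ;;
        /bin/bash) echo "WARN root shell is /bin/bash; restore /bin/appliancesh when SCP/SFTP is no longer needed" ;;
        *) echo "WARN unexpected root login shell" ;;
    esac
}

# Last numeric TMOUT assignment in etc/profile.d/tmout.sh; empty if none.
tmout_value() {
    f="${1:-}/etc/profile.d/tmout.sh"
    [ -f "$f" ] || return 0
    awk '{ sub(/^[ \t]*/, ""); sub(/^(export|readonly)[ \t]+/, "") }
         /^TMOUT=[0-9]+/ { v = $0; sub(/^TMOUT=/, "", v); sub(/[^0-9].*$/, "", v); last = v }
         END { if (last != "") print last }' "$f"
}

check_tmout() {
    v="$(tmout_value "${1:-}")"
    if [ -z "$v" ] || [ "$v" -eq 0 ]; then
        echo "WARN no idle timeout: tmout.sh missing or TMOUT is 0"
    elif [ "$v" -gt 900 ]; then
        echo "WARN idle timeout raised to ${v}s (default is 900s)"
    else
        echo "OK idle timeout is ${v}s"
    fi
}

# One line per key that can log in as root: key type and comment.
list_root_keys() {
    f="${1:-}/root/.ssh/authorized_keys"
    [ -f "$f" ] || return 0
    awk '/^[ \t]*(#|$)/ { next }
         { for (i = 1; i <= NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                   print $i, (i + 2 <= NF ? $(i + 2) : "(no comment)")
                   break
               } }' "$f"
}

audit_vcsa_shell() {
    check_root_shell "${1:-}"
    check_tmout "${1:-}"
    list_root_keys "${1:-}" | sed 's/^/KEY /'
}

# Run as: sh vcsa_shell_audit.sh --run [prefix]
if [ "${1:-}" = "--run" ]; then audit_vcsa_shell "${2:-}"; fi
```

Each KEY line is a credential that grants root login, so entries nobody recognizes should be removed from authorized_keys.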

Password expiration

By default, password expiration is configured in two places. The root user password is configured in Appliance Management, and all SSO user passwords expire after 90 days.

To configure them, go to:

Root password:
Appliance Management (https://[VCENTER]:5480/) > Administration > Password expiration settings

SSO Users (e.g. administrator@vsphere.local):
Web Client > Administration > Single Sign-On > Configuration > Policies

Reset vCenter Server Appliance 6.7 root password

Follow the steps below to reset the root user password in the vCenter Server Appliance (vCSA). The method is the same as in the previous version (vCenter 6.5). This method is officially provided by VMware, and the documentation for further reading is in KB2147144.

  1. Take a snapshot of the vCSA so you can go back in case of any problems with the password recovery.
  2. Connect via the remote console to the ESXi host that runs the vCSA.
  3. Reboot the vCSA.
  4. Immediately after the system starts, press the E key (when the Photon boot screen appears).
  5. Add rw init=/bin/bash to the end of the line that starts with linux.
  6. Press F10 to boot the system.
  7. At the command prompt, enter passwd and type the new root password twice.
  8. Enter the command umount / to unmount the file system.
  9. Reboot the vCSA by running the reboot -f command.
  10. Finally, check that you can log in with the new password and delete the snapshot from step 1.

Create a Backup Job

Do not forget to back up your vCenter Server Appliance. The Appliance has an internal backup scheduler that allows you to backup without any other software.

Open Appliance Management (https://[VCENTER]:5480) and follow the path below:

Backup > Configure

Choose a method (FTP, FTPS, HTTP, HTTPS or SCP), a schedule and a policy for the backup.

Certificate Warning

To get rid of certificate warnings in your browser, add the VMCA root certificate to the local Trusted Root Certification Authorities store. You can download the certificate from your vCenter's web page and then install it.

VMware default usernames and passwords

Product | Username | Password | URL
--- | --- | --- | ---
vCenter Appliance | Root | vmware | https://IPorDNS_of_Server:5480
vCenter Application Discovery Manager | Root | 123456 | http://IPorDNS_of_Server
vCenter Chargeback | Root | vmware | http://IP_or_DNS_name:8080/cbmui/
vCenter Infrastructure Navigator | Root | Supplied during OVA deployment | https://IPorDNS_of_Server:5480
vCenter Log Insight | admin | Supplied during OVA deployment | https://log_insight-host/
vCenter Web Client Configuration | Root | vmware | https://IPorDNS_of_Server:9443/admin-app
vCenter vSphere Web Client Access | Root | vmware | https://IPorDNS_of_Server:9443/vsphere-client/
vCenter Single Sign On (SSO) | admin@System-Domain, root@System-Domain, administrator@vsphere.local | Supplied during OVA deployment | https://IPorDNS_of_Server:7444/lookupservice/sdk
vCenter Orchestrator Appliance | vmware | vmware | http://orchestrator_appliance_ip
Orchestrator Client | vcoadmin | vcoadmin |
Orchestrator Web Operator | vcoadmin | vcoadmin |
vCenter Orchestrator for Windows | vmware | vmware | https://(SERVER_IP):8283
vCenter Orchestrator for vCloud Automation Center | vmware | vmware | https://vcloud_automation_center_appliance_ip:8283
vRealize Operations Manager | admin | supplied during deployment | https://IPorDNS_of_UI_Server
vCenter Operations Admin | admin | admin | https://IPorDNS_of_UI_Server/admin
vCenter Operations CustomUI | admin | admin | https://IPorDNS_of_UI_Server/vcops-custom/
vCloud Director Web based Login | Administrator | Supplied during installation | https://<ip-address>/cloud/
VMware vCloud Director Appliance | Root | vmware |
VMware vShield Manager Appliance | admin | default | http://IPorDNS_of_Server
Horizon Connector | admin | vmware | https://IPorDNS:8443/
vCloud Automation Center Identity Appliance | Root | supplied during deployment | https://identity-hostname.domain.name:5480/
vCloud Automation Center vCAC Appliance | Root | supplied during deployment | https://identity-hostname.domain.name:5480/
vCloud Automation Center | administrator@vsphere.local | supplied during deployment | https://vcac-appliance-hostname.domain.name/shell-ui-app

 

How to reset the lost or forgotten root password in vCenter Server Appliance 6.5

To reset the lost or forgotten root password in vCenter Server Appliance 6.5:

1- Take a snapshot or backup of the vCenter Server Appliance 6.5 before proceeding.

2- Restart the vCenter Server Appliance 6.5.

3- After the OS starts, press the e key to enter the GNU GRUB Edit Menu.

4- Locate the line that begins with the word linux and add this entry to the end of the line: rw init=/bin/bash

5- After that, press F10 to continue booting.

6- At the command prompt, enter the command passwd and provide a new root password twice for confirmation.

7- Unmount the filesystem by running this command: umount /

8- Reboot the vCenter Server Appliance 6.5 by running this command: reboot -f

9- Now you can access your vCenter appliance with the new password.

VMware Horizon View Security Server installation

 


Before you start the installation, make sure that:

1- You are not installing the Horizon View Security Server on the same server as the Connection Server or Composer Server.

2- The Security Server does not have the Terminal Services role installed.

3- You have assigned a static IP address to this server.

After you download the Horizon View Connection Server installer:

Horizon View Security Server is part of Connection Server
Horizon Security Server installation begins
Accept the EULA
Choose the installation directory

In the Paired Horizon 7 Connection Server page, enter the name of the internal Horizon Connection Server that this Security Server will be paired with.

Before we move on in the Security Server configuration, we need to create a Security Server Pairing Password. This is a special password used only in the pairing process. To set the pairing password, we go to a Connection Server and launch View Administrator. Navigate to View Configuration > Servers > Connection Servers and click your Connection Server. After clicking the Connection Server, under More Commands click Specify Security Server Pairing Password.

Specify the Security Server Pairing Password in View Administrator

Make sure you configure the firewall to enable IPsec

Back in our Horizon View Security Server installation, enter the pairing password specified earlier.

IPsec warning due to the firewall not being enabled

After pairing communication is established between the Security Server and the Connection Server, we see the External URLs configuration screen for the Security Server, covering External URL, PCoIP, and Blast external connectivity.

On the Firewall Configuration page, click Next.

Horizon View Security Server installation is ready to begin
Horizon View Security Server installation completes

We can test connectivity through the Security Server by browsing to the external URL of the Security Server. We should see the VMware Horizon splash screen.

The Horizon View Security Server should be accessible via the URLs

 

Virtual Machine Security Best Practices

Follow these best practices to protect your virtual machine:

1-Patches and other protection

Keep all security measures up-to-date, including applying appropriate patches. It is especially important to keep track of updates for dormant virtual machines that are powered off, because it can be easy to overlook them. For example, ensure that anti-virus software, anti-spyware, intrusion detection, and other protection are enabled for every virtual machine in your virtual infrastructure. You should also ensure that you have enough space for the virtual machine logs.

2-Anti-virus scans

Because each virtual machine hosts a standard operating system, you must protect it from viruses by installing anti-virus software. Depending on how you are using the virtual machine, you might also want to install a software firewall.

Stagger the schedule for virus scans, particularly in deployments with a large number of virtual machines. Performance of systems in your environment degrades significantly if you scan all virtual machines simultaneously. Because software firewalls and antivirus software can be virtualization-intensive, you can balance the need for these two security measures against virtual machine performance, especially if you are confident that your virtual machines are in a fully trusted environment.

3-Serial ports

Serial ports are interfaces for connecting peripherals to the virtual machine. They are often used on physical systems to provide a direct, low-level connection to the console of a server, and a virtual serial port allows for the same access to a virtual machine. Serial ports allow for low-level access, which often does not have strong controls like logging or privileges.

4-Use Templates to Deploy Virtual Machines

You can use templates that can contain a hardened, patched, and properly configured operating system to create other, application-specific templates, or you can use the application template to deploy virtual machines.

Provide templates for virtual machine creation that contain hardened, patched, and properly configured operating system deployments.

If possible, deploy applications in templates as well. Ensure that the applications do not depend on information specific to the virtual machine to be deployed.

5-Minimize Use of the Virtual Machine Console

The virtual machine console provides the same function for a virtual machine that a monitor provides on a physical server. Users with access to the virtual machine console have access to virtual machine power management and removable device connectivity controls. Console access might therefore allow a malicious attack on a virtual machine.

Use native remote management services, such as terminal services and SSH, to interact with virtual machines.

Grant access to the virtual machine console only when necessary.

Limit the connections to the console.

For example, in a highly secure environment, limit the connection to one. In some environments, you can increase the limit if several concurrent connections are necessary to accomplish normal tasks.

6-Prevent Virtual Machines from Taking Over Resources

By default, all virtual machines on an ESXi host share resources equally. You can use Shares and resource pools to prevent a denial of service attack that causes one virtual machine to consume so much of the host’s resources that other virtual machines on the same host cannot perform their intended functions.

  • Provision each virtual machine with just enough resources (CPU and memory) to function properly.
  • Use Shares to guarantee resources to critical virtual machines.
  • Group virtual machines with similar requirements into resource pools.
  • In each resource pool, leave Shares set to the default to ensure that each virtual machine in the pool receives approximately the same resource priority.
  • With this setting, a single virtual machine cannot use more than other virtual machines in the resource pool.

7-Disable Unnecessary Functions inside Virtual Machines

Virtual machines do not usually require as many services or functions as physical servers. When you virtualize a system, evaluate whether a particular service or function is necessary.

  • Disable unused services in the operating system.
  • For example, if the system runs a file server, turn off any Web services.
  • Disconnect unused physical devices, such as CD/DVD drives, floppy drives, and USB adapters.
  • Disable unused functionality, such as unused display features or HGFS (Host Guest File System).
  • Turn off screen savers.
  • Do not run the X Window system on top of Linux, BSD, or Solaris guest operating systems unless it is necessary.
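
Several of the practices above (limiting console connections, disabling HGFS, disconnecting unused serial ports, floppy, CD/DVD and USB devices) are visible in a virtual machine's .vmx file. The following script is an added example, not part of the original article: it audits a .vmx file for those items. The function names and the sample configuration are constructed for illustration; RemoteDisplay.maxConnections and isolation.tools.hgfsServerSet.disable are the VMX options assumed to carry the console limit and the HGFS switch.

```shell
#!/bin/sh
# Added example: audit a .vmx file against the practices listed above.
# VMX keys are matched case-insensitively; values have their quotes stripped.

# Constructed sample configuration (not taken from a real VM).
sample_vmx() {
    cat <<'EOF'
.encoding = "UTF-8"
displayName = "fileserver01"
floppy0.present = "TRUE"
serial0.present = "TRUE"
serial0.fileType = "file"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
scsi0:0.present = "TRUE"
scsi0:0.deviceType = "scsi-hardDisk"
usb.present = "FALSE"
RemoteDisplay.maxConnections = "4"
EOF
}

# Print one finding per line (sorted): WARN, INFO or REVIEW plus detail.
audit_vmx() {
    awk '
    /^[ \t]*#/ || !/=/ { next }
    {
        eq = index($0, "=")
        k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
        v = substr($0, eq + 1)
        sub(/^[ \t]*"?/, "", v); sub(/"?[ \t\r]*$/, "", v)
        cfg[k] = v
    }
    END {
        # Console connections: unset means no limit is enforced.
        mc = "remotedisplay.maxconnections"
        if (!(mc in cfg))
            print "WARN RemoteDisplay.maxConnections not set: console connections are not limited"
        else if (cfg[mc] + 0 != 1)
            print "INFO RemoteDisplay.maxConnections = " cfg[mc] " (1 is the strictest limit)"

        # HGFS (Host Guest File System) should be switched off when unused.
        hg = "isolation.tools.hgfsserverset.disable"
        if (!(hg in cfg) || toupper(cfg[hg]) != "TRUE")
            print "WARN HGFS is not disabled (isolation.tools.hgfsServerSet.disable)"

        # Devices that are present and often unnecessary on a server VM.
        for (k in cfg) {
            if (k !~ /\.present$/ || toupper(cfg[k]) != "TRUE") continue
            dev = k; sub(/\.present$/, "", dev)
            dk = dev ".devicetype"
            dt = (dk in cfg) ? cfg[dk] : ""
            kind = ""
            if (dev ~ /^floppy[0-9]+$/)             kind = "floppy drive"
            else if (dev ~ /^serial[0-9]+$/)        kind = "serial port"
            else if (dev ~ /^(usb|usb_xhci|ehci)$/) kind = "USB controller"
            else if (dt ~ /cdrom/)                  kind = "CD/DVD drive"
            if (kind != "")
                print "REVIEW " dev ": " kind " present, disconnect or remove if unused"
        }
    }' "$1" | sort
}

# Number of findings at one level: vmx_count FILE WARN|INFO|REVIEW
vmx_count() {
    audit_vmx "$1" | awk -v lvl="$2" '$1 == lvl { n++ } END { print n + 0 }'
}

# Run as: sh vmx_audit.sh --demo   (audits the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp)"; sample_vmx > "$tmp"; audit_vmx "$tmp"; rm -f "$tmp"
fi
```

A VM built from a hardened template should produce no output, so any finding on a deployed VM points to drift from the template.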