Windows: Fix Domain Trust relationship failed issue without domain rejoining


In this article we discuss the causes of the Trust relationship failed error and several ways to restore the secure channel between a workstation and the Active Directory domain.

When does this error appear? For example, a user tries to log on to a workstation or server with domain account credentials, and after entering the username and password a window appears with an error message:

The trust relationship between this workstation and the primary domain failed

Or the error looks like this:

The security database on the server does not have a computer account for this workstation trust relationship


Let’s look at what this error means and how to fix it.

Active Directory Machine Account Password

When you join a computer to an Active Directory domain, a new computer account is created for the device and a password is set for it (as for AD users). Trust at this level is established by the fact that the domain join is performed by a domain administrator or another user with delegated administrative permissions.

Each time a domain computer logs on to the AD domain, it establishes a secure channel with the nearest domain controller and sends the computer credentials. Trust is then established between the workstation and the domain, and further interaction follows the security policies defined by the administrator.

The computer account password is valid for 30 days (by default) and is then changed automatically. Keep in mind that the password is changed by the computer itself, according to the configured domain Group Policy, much like the user password change process.

Tip. You can configure the maximum account password age for domain computers with the GPO setting Domain member: Maximum machine account password age, located in the Group Policy editor under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. You can specify a number of days between 0 and 999 (the default is 30 days).

You can configure the machine account password policy for a single computer through the registry. To do this, run regedit.exe and go to the HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters key. Edit the MaximumPasswordAge parameter and set the maximum validity time of the computer password in the domain (in days). Another option is to disable the computer account password change completely by setting the REG_DWORD parameter DisablePasswordChange to 1.


The Active Directory domain stores the current computer password as well as the previous one. If the password has been changed twice, a computer still using an older password will not be able to authenticate to the domain controller and establish a secure channel.

Computer account passwords never expire in Active Directory, because the domain password policy does not apply to AD computer objects. The computer uses the NETLOGON service to change the password automatically at the next domain logon if its password is older than 30 days (note that the password change is driven by the computer itself, not by AD).


The computer tries to change its password on the domain controller, and only after a successful change does it update its local password (a local copy of the password is stored under the registry key HKLM\SECURITY\Policy\Secrets\$machine.ACC).

You can view the last password set time for a computer account in the AD domain with the PowerShell cmdlet Get-ADComputer (from the Active Directory module for Windows PowerShell). Run the command with the computer name:

get-adcomputer -Identity Lon-Com212 -Properties PasswordLastSet


Therefore, even if you did not power on your computer for a few months, the trust relationship between the computer and the domain remains, and the computer password is changed at the first registration of the workstation in the domain.
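The following script is an added example (it is not part of the original article) that puts the two sides of the picture above next to each other: the local Netlogon rotation policy read from the registry key discussed earlier, and the PasswordLastSet value that AD holds for the computer object. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the computer object; the computer name is a placeholder taken from the current machine.

```powershell
# Added example: compare the local Netlogon password-change policy with the
# computer object's PasswordLastSet in AD and report whether rotation is due.
# Assumes the ActiveDirectory module (RSAT) and read access to the object.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # placeholder: any domain computer
)

# Local Netlogon policy (missing MaximumPasswordAge means the 30-day default)
$netlogon       = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAgeDays     = if ($netlogon.MaximumPasswordAge) { [int]$netlogon.MaximumPasswordAge } else { 30 }
$changeDisabled = ($netlogon.DisablePasswordChange -eq 1)

# What AD has on record for the computer object
$adComputer = Get-ADComputer -Identity $ComputerName -Properties PasswordLastSet, Enabled
$ageDays    = [math]::Floor(((Get-Date) - $adComputer.PasswordLastSet).TotalDays)

[pscustomobject]@{
    Computer            = $adComputer.Name
    EnabledInAD         = $adComputer.Enabled
    PasswordLastSet     = $adComputer.PasswordLastSet
    PasswordAgeDays     = $ageDays
    MaxAgeDaysLocal     = $maxAgeDays
    ChangeDisabledLocal = $changeDisabled
    # The computer rotates only if rotation is not disabled and the age exceeds the policy
    RotationDue         = (-not $changeDisabled) -and ($ageDays -ge $maxAgeDays)
}
```

A computer that shows ChangeDisabledLocal = True will keep the same machine password indefinitely; that makes snapshot and clone restores less likely to break trust, but it also means a captured machine secret stays valid until someone resets it, so the default of rotating every 30 days is the safer setting to leave in place.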

What is the Cause for “The Trust Relationship between this Workstation and the Primary Domain Failed” Error?

This error indicates that the computer is no longer trusted and has been disconnected from Active Directory, because the local computer password does not match the password of the computer object stored in the AD database.

The trust relationship may fail when the computer tries to authenticate to the domain with an invalid password. Typically this happens after reinstalling Windows, after restoring the system state from an image (backup) or a virtual machine snapshot, or after cloning a computer without running sysprep. In these cases the current password on the local computer and the password stored for the computer object in the AD domain are different.

How to Check Secure Channel between Workstation and the Primary Domain?

You can verify that the local computer password is in sync with the computer account password on the domain controller with the Test-ComputerSecureChannel cmdlet. In its simplest form:

Test-ComputerSecureChannel


Or you can add the -Verbose switch parameter:

Test-ComputerSecureChannel -Verbose


VERBOSE: Performing the operation “Test-ComputerSecureChannel” on target “Compname1”.

True

VERBOSE: The secure channel between the local computer and the domain theitbros.com is in good condition.

Fixing Trust Relationship by Domain Rejoin

First of all, open the Active Directory Users and Computers (ADUC) snap-in and make sure that the problem computer account is present in the domain and is not disabled.


The most obvious old-school way to restore the trust relationship of your computer in the domain is:

  1. Reset the local Administrator password on the computer;
  2. Unjoin the computer from the domain to a workgroup;
  3. Reboot;
  4. Reset the computer account in the domain using the ADUC console;
  5. Rejoin the computer to the domain;
  6. Reboot again.

This method is the easiest, but neither the fastest nor the most convenient, and it requires multiple reboots. We also know of cases where local user profiles do not reconnect correctly after the computer is rejoined to the domain.


Below we show how to re-establish the trust relationship and restore the secure channel without rejoining the domain or rebooting.

Tip. It is extremely important that the time difference between the domain controller and the client computer is less than 5 minutes. To configure time synchronization in a domain properly, see the article Configuring NTP on Windows using GPO.

Reset-ComputerMachinePassword: How to Fix Failed Trust Relationship with PowerShell?

You can reset the computer password with the PowerShell cmdlet Reset-ComputerMachinePassword. This is the fastest and most convenient way to reset a computer’s password, and it does not require a reboot. Unlike the Netdom utility, PowerShell 3.0 or newer is available on all Microsoft operating systems starting with Windows 8 / Server 2012. On Windows 7, Server 2008 and Server 2008 R2 it can be installed manually (see here) and also requires .NET Framework 4.0 or higher.

To restore the trust relationship while logged on as a local Administrator, open an elevated PowerShell console and run:

Reset-ComputerMachinePassword -Server DomainController -Credential DomainAdmin

  • Server – the name of any domain controller;
  • Credential – a domain user (with permission to add the computer to the domain) or a domain admin account.

For example:

Reset-ComputerMachinePassword -Server lon-dc01 -Credential corp\dsmith


A credentials window appears; enter the domain account password.

The cmdlet does not display any message on success, so just log on again with a domain account; no reboot is required.

If you receive the error message “The RPC server is unavailable” or “An Active Directory Domain Controller (AD DC) for the domain could not be contacted” when running the Reset-ComputerMachinePassword cmdlet, check the DNS settings on your computer and the DNS zones by following the guide.

Tip. You can also repair the secure channel between the computer and the Active Directory domain with the PowerShell cmdlet Test-ComputerSecureChannel:

Test-ComputerSecureChannel -Repair -Credential corp\dsmith
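The script below is an added example (not code from the original article) that strings the PowerShell steps of this section together: test the channel, check clock skew against the domain controller (the 5-minute tip above), and only then repair with an explicit credential and re-test, since the repair itself prints nothing on success. It assumes you save it as a .ps1 and run it from an elevated console while logged on as the local Administrator; the domain controller name lon-dc01 is a placeholder, and the parsing of w32tm /stripchart output is this example's own assumption about that tool's "+/-offset s" line format.

```powershell
# Added example: check, then repair, the secure channel with PowerShell only.
# Assumes an elevated console, local Administrator logon and a reachable DC.
param(
    [string]$Server = 'lon-dc01',   # placeholder: any domain controller
    [int]$MaxSkewSeconds = 300      # Kerberos default tolerance is 5 minutes
)

# 1. Is the secure channel healthy? Then there is nothing to repair.
if (Test-ComputerSecureChannel -Verbose) {
    Write-Host 'Secure channel is healthy; no repair needed.'
    return
}

# 2. Large clock skew makes every repair attempt fail, so measure it first.
#    w32tm /stripchart prints one "<time>, +00.0123456s" line per sample.
$stripchart = w32tm /stripchart /computer:$Server /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $stripchart) {
    if ($line -match '([+-]\d+(?:\.\d+)?)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    throw "Could not measure clock offset against $Server; check DNS and RPC connectivity first."
}
$skew = [math]::Abs(($offsets | Measure-Object -Average).Average)
if ($skew -gt $MaxSkewSeconds) {
    throw "Clock skew against $Server is $skew s (limit $MaxSkewSeconds s); fix time sync before repairing."
}

# 3. Ask for a domain account allowed to reset this computer account and repair.
#    -Repair resets the machine password on both sides, like Reset-ComputerMachinePassword.
$cred = Get-Credential -Message 'Domain account with rights to reset this computer account'
Test-ComputerSecureChannel -Repair -Server $Server -Credential $cred -Verbose

# 4. Re-test so the outcome is explicit instead of silent.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel repaired; sign out and log on with a domain account.'
} else {
    Write-Warning 'Repair did not succeed; check the computer object in ADUC and the DNS settings.'
}
```

The re-test at the end matters operationally: a repair that fails because the computer object is disabled or missing in ADUC gives the same silent console as a success, and the only reliable signal is a fresh Test-ComputerSecureChannel returning True.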

Using Netdom resetpwd to Fix Trust Relationship Failed without Reboot

The Netdom utility has been available in Windows Server since the 2008 version. On a client PC it can be installed as part of the RSAT (Remote Server Administration Tools) package. The method is fast and efficient. To use it, log on to the target system with the local Administrator (!!!) credentials (by typing .\Administrator in the logon window), open an elevated cmd.exe prompt and run the following command:

Netdom resetpwd /Server:DomainController /UserD:Administrator /PasswordD:Password

  • Server – the name of any domain controller
  • UserD – username with domain admin or delegated privileges
  • PasswordD – admin password

For example:

Netdom resetpwd /Server:lon-dc01 /UserD:dsmith /PasswordD:Str0NGestP@$


After the command completes successfully, no reboot is required; just log out of the local account and log in with domain credentials.

You can check a secure connection with the AD domain using Netdom with the following command:

Netdom Verify WK_Salary12 /Domain:corp.contoso.com /UserO:dsmith /PasswordO:*

This method does not always work, because it is not always possible to authenticate to the domain controller with the administrator account from a computer with a broken trust relationship.


Reset Active Directory Secure Channel and Computer Password Using NLTEST

You can also reset the computer’s password in the domain and the secure channel with the built-in Nltest tool:

Nltest /sc_change_pwd:corp.Contoso.com

This command tries to repair the secure channel by resetting the password both on the local computer and on the computer object in the domain; it does not require rejoining the domain or rebooting.

However, unlike Netdom and Reset-ComputerMachinePassword, which let you specify user credentials, Nltest runs in the context of the current user. So if you log on to the computer with a local account and try to run the command, you receive an access denied error. For this reason the method does not always work.

You can check that the secure channel has been successfully reestablished using the following command:

nltest /sc_verify:corp.contoso.com


The following strings confirm that the trust relationship has been repaired:

Trusted DC Connection Status Status = 0 0x0 NERR_Success

Trust Verification Status = 0 0x0 NERR_Success

Fixing: The security database on the server does not have a computer account for this workstation trust relationship

When the error “The security database on the server does not have a computer account for this workstation trust relationship” appears, check the domain controller event logs for Event ID 2974:

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=TERMSRV/PDC
CN=PC1,OU=Computers,DC=theitbros,DC=com  Winerror: 8647

This indicates that the SPN (Service Principal Name) attribute of the computer account in AD is not populated correctly, or that several computers in the domain have the same value in the servicePrincipalName attribute.

Find the problem computer object in the ADUC console, go to the Attribute Editor tab and check the value of the servicePrincipalName attribute.

Make sure the computer object has SPN values in the following format:

  • HOST/computername1
  • HOST/computername1.theitbros.com
  • RestrictedKrbHost/computername1
  • RestrictedKrbHost/computername1.theitbros.com
  • TERMSRV/computername1
  • TERMSRV/computername1.theitbros.com

You can copy the computer FQDN (Fully Qualified Domain Name) from the dNSHostName attribute. If these SPN records are missing, you must create them manually.


Now restart your computer and try to logon under domain credentials.

Duplicate SPNs in the domain can be found with the ldifde utility (here querying the global catalog on port 3268):

ldifde -f C:\ps\SPNList.txt -t 3268 -d DC=theitbros,DC=com -l serviceprincipalname -r (serviceprincipalname=*)
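As an added example (not part of the original article), the script below does in PowerShell what the last two subsections describe by hand: it compares a computer object's servicePrincipalName against the six HOST/RestrictedKrbHost/TERMSRV values listed above, optionally adds the missing ones, and then searches the global catalog (port 3268, as the ldifde command does) for any SPN registered on more than one object, which is the condition behind Event ID 2974 / Winerror 8647. It assumes the ActiveDirectory module, read access to the forest, write access to the computer object when -Fix is used, and a placeholder computer name supplied by the caller.

```powershell
# Added example: verify, repair and de-duplicate computer SPNs.
# Assumes the ActiveDirectory module; -Fix needs write access to the object.
param(
    [Parameter(Mandatory)][string]$ComputerName,   # placeholder, e.g. PC1
    [switch]$Fix
)

$c = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, dNSHostName
if (-not $c.dNSHostName) { throw "$ComputerName has no dNSHostName; set it before adding SPNs." }

# Expected SPNs: short name and FQDN for each of the three service classes
$expected = foreach ($svc in 'HOST', 'RestrictedKrbHost', 'TERMSRV') {
    "$svc/$($c.Name)"
    "$svc/$($c.dNSHostName)"
}
$missing = @($expected | Where-Object { $c.servicePrincipalName -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Host "Missing SPNs on $($c.Name):`n  $($missing -join "`n  ")"
    if ($Fix) {
        # Hashtable form appends to the multivalued attribute instead of replacing it
        Set-ADComputer -Identity $c -ServicePrincipalNames @{Add = $missing}
        Write-Host 'Missing SPNs added.'
    }
} else {
    Write-Host "All expected SPNs are present on $($c.Name)."
}

# Duplicate check across the forest: the same SPN on two objects breaks
# Kerberos for both. Query a global catalog on port 3268 like ldifde -t 3268.
$gc      = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$objects = Get-ADObject -Server "${gc}:3268" -LDAPFilter '(servicePrincipalName=*)' `
               -Properties servicePrincipalName

$dupes = $objects |
    ForEach-Object {
        $dn = $_.DistinguishedName
        $_.servicePrincipalName | ForEach-Object { [pscustomobject]@{ SPN = $_; Object = $dn } }
    } |
    Group-Object SPN | Where-Object Count -gt 1

if ($dupes) {
    foreach ($d in $dupes) {
        Write-Warning "Duplicate SPN $($d.Name) on: $($d.Group.Object -join ', ')"
    }
} else {
    Write-Host 'No duplicate SPNs found in the forest.'
}
```

Run it without -Fix first: if the duplicate check reports the SPN you are about to add on another object (for example a stale account left over from a re-imaged machine), adding it here only reproduces the Winerror 8647 condition, and the stale object is what needs cleaning up.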

As you can see, it is quite easy to solve the Trust relationship failed issue in a domain. Hope this was useful for you!

Original post here:
https://theitbros.com/fix-trust-relationship-failed-without-domain-rejoining/

Manage Safe Senders and Blocked Senders Lists using PowerShell – Exchange Server and Office 365 (or 2016/19)

The term “Junk Email Filter” refers to an Exchange mail security mechanism that is implemented at the mailbox level.
In an Exchange-based environment, most of the mail security infrastructure is implemented at the server level (the Exchange server).

The interesting point is that Exchange also lets its recipients use an additional layer of mail security, implemented at the mailbox level.

The additional component that an Exchange recipient can manage is the “Junk Email engine,” which includes the following two components:

  1. Junk Email Filter – the Exchange mailbox security filter that inspects each incoming E-mail message and, based on different parameters, decides whether the message is spam or legitimate E-mail. By default, the mailbox Junk Email Filter is not activated.
  2. Junk Email Filter Lists – the Exchange mailbox security filter that classifies a specific sender or a specific domain as a “legitimate sender” or a “non-legitimate sender.”


The management options of the Exchange mailbox “Junk Email component”

The Exchange mailbox “Junk Email component” can be managed on two levels:

  1. User level – each Exchange recipient can manage the “Junk Email component” of his own mailbox through the Outlook or OWA mail settings.
  2. Administrative level – using PowerShell.

The other option for managing the Exchange mailbox “Junk Email component” is implemented from the server side by using PowerShell.

The main advantages of using PowerShell for managing “Junk Email Filter” configurations are:

Using bulk configurations

The ability to apply a required configuration setting to a bulk of mailboxes at the same time.

Performing specific configuration settings on behalf of the user

The ability of the Exchange Online administrator to perform a particular configuration setting, and by doing so avoid a scenario in which a non-technical user would need to perform it.

Safe Senders List and Blocked Senders List

The Exchange “mailbox Junk Email Filter Lists” option enables Exchange users to classify E-mail messages using four types of filters:

  1. Safe Senders List – represented by the PowerShell parameter TrustedSendersAndDomains
  2. Blocked Senders List – represented by the PowerShell parameter BlockedSendersAndDomains
  3. Safe Recipients List – represented by the PowerShell parameter TrustedRecipientsAndDomains
  4. International – at the current time there is no PowerShell parameter for this option. The “International” option enables us to block specific E-mail messages based on a country domain name or a specific language encoding.

Most of the time, the options that users actually use are:

1. Safe Senders List

The purpose of the Safe Senders List is to prevent false positives, meaning events in which legitimate mail is mistakenly identified as spam and for this reason sent to the Junk mail folder.

When we add a domain name or E-mail address to the Safe Senders List, E-mail sent from that sender or those senders will never be sent to the Junk mail folder.

2. Blocked Senders List

The purpose of the Blocked Senders List is to prevent false negatives, meaning events in which a spam mail manages to bypass the existing mail security filter, which failed to identify and classify the E-mail as spam.

When we add a domain name or an E-mail address to the Blocked Senders List, E-mail sent from that sender or those senders will automatically be sent to the Junk mail folder.

Messages from people or domain names that appear in this list are always classified as junk, regardless of the content of the message.


How do we define the “sender entity”?

We refer to the “sender” by defining the sender’s domain name or the sender’s E-mail address.

If we define a domain name, the filter rule is applied to all senders whose E-mail address uses that domain name.

Outlook and junk mail protection

In the following screenshot we can see the default Outlook junk mail protection configuration. By default, the Outlook Junk Email Filter is not activated.

In other words, by default Outlook does not use a local spam filter; instead, the classification of E-mail as legitimate or spam is performed on the server side (the Exchange server).

Outlook junk mail protection -01

In the following screenshot, we can see the different list tabs that we can use to define the Blocked or Safe Senders lists.

Outlook junk mail protection -02

If you are new to the PowerShell world, at the bottom of the article I add some links to introductory PowerShell articles.

Section 1#4 – Add E-Mail Address And Domain Names To The Safe Sender And Blocked Senders Lists

Add E-mail address and domain names to the Safe sender lists

Scenario 1.1 – Add E-mail address and domain names to the Safe sender lists | Specific recipient.

Scenario description

We would like to define a whitelist of trusted senders by adding a domain name and an E-mail address to the Safe Senders list.
In this scenario, we would like to add the information to a particular Exchange recipient.

The parameter that we use for defining the information saved in the Safe Senders list is TrustedSendersAndDomains.

PowerShell command Syntax

PowerShell command Example

Scenario 1.2 – Add E-mail address and domain names to the Safe sender lists | Bulk mode.

Scenario description

We would like to define a whitelist of trusted senders by adding a domain name and an E-mail address to the Safe Senders list.
In this scenario, we would like to implement a “bulk update” by adding the information to all the existing Exchange recipients.

PowerShell command Syntax

PowerShell command Example

Add E-mail address and domain names to the Blocked sender lists

Scenario 1.3 – Add E-mail address and domain names to the Blocked sender lists | Specific recipient.

Scenario description

We would like to define a blacklist of untrusted senders by adding a domain name and an E-mail address to the Blocked Senders list.

In this scenario, we would like to add the information to a particular Exchange recipient.
The parameter that we use for defining the information saved in the Blocked Senders list is BlockedSendersAndDomains.

PowerShell command Syntax

PowerShell command Example

Scenario 1.4 – Add E-mail address and domain names to the Blocked senders list | Bulk mode.

Scenario description

We would like to define a blacklist of untrusted senders by adding a domain name and an E-mail address to the Blocked Senders list.

In this scenario, we would like to implement a “bulk update” by adding the information to all the existing Exchange recipients.

PowerShell command Syntax

PowerShell command Example

Scenario 1.5 – Add E-mail address and domain names to the Safe sender lists + to the Blocked senders list at the same time | Bulk mode.

Scenario description

We would like to define a combination in which we add information (a domain name and an E-mail address) to both the Blocked Senders list and the Safe Senders list.

PowerShell command Syntax

PowerShell command Example
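The block below is an added example (it is not the article's own command listing) covering scenarios 1.1 through 1.5 with the Set-MailboxJunkEmailConfiguration cmdlet and the TrustedSendersAndDomains / BlockedSendersAndDomains parameters named above. It assumes an Exchange Management Shell or Exchange Online PowerShell session with rights to manage mailboxes; the mailbox address and the sender domains and addresses are placeholders.

```powershell
# Added example: populate Safe Senders and Blocked Senders for one mailbox,
# then for every user mailbox. Assumes an Exchange PowerShell session.
$safe    = 'partner.example', 'alerts@monitoring.example'     # placeholders
$blocked = 'spammy.example',  'promo@bulkmail.example'        # placeholders

# Scenarios 1.1 / 1.3 / 1.5 for a single recipient. Passing a plain list
# REPLACES whatever that user already has in the list.
Set-MailboxJunkEmailConfiguration -Identity 'john.doe@contoso.example' `
    -TrustedSendersAndDomains $safe `
    -BlockedSendersAndDomains $blocked

# Scenarios 1.2 / 1.4 in bulk mode: the same lists for all user mailboxes.
# -ResultSize Unlimited matters: Get-Mailbox stops at 1000 objects otherwise.
# A mailbox that has never been opened can reject the change, so keep going.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        Set-MailboxJunkEmailConfiguration -Identity $_.PrimarySmtpAddress `
            -TrustedSendersAndDomains $safe `
            -BlockedSendersAndDomains $blocked `
            -ErrorAction Continue
    }

# Spot check one mailbox to confirm the values landed
Get-MailboxJunkEmailConfiguration -Identity 'john.doe@contoso.example' |
    Select-Object Identity, TrustedSendersAndDomains, BlockedSendersAndDomains
```

Two practical points: the same entry cannot sit in both lists at once, so keep $safe and $blocked disjoint, and a whole domain in the Safe Senders list exempts every address at that domain from the filter, which is a much larger exception than a single address.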


Section 2#4 – Additional Junk Mail Filter Options

Enable \ Disable the Junk mail filter.

Scenario 2.1 – Enable the Junk mail filter.

As mentioned, by default, the mailbox Junk Email Filter is not activated.

Scenario description
We would like to activate (enable) the mailbox Junk Email Filter for a specific recipient.

PowerShell command Example

Scenario 2.2 – Disable the Junk mail filter.

Scenario description
We would like to disable the mailbox Junk Email Filter for a specific recipient.

PowerShell command Example

Configure the option of trusted contact

Another option that we can use to define our Safe Senders list is to instruct the mailbox Junk Email Filter to automatically trust each of the recipients (E-mail addresses) that appear in our contact list. This option is named “Also Trust E-mail from my contacts” and by default it is not activated.


Scenario 2.3 – Enable the option of trusted contact | Bulk mode.

Scenario description

We would like to activate the “Also Trust E-mail from my contacts” option for all of our recipients (bulk mode).

PowerShell command Example

Scenario 2.4 – Disable the option of trusted contact | Bulk mode.

Scenario description

We would like to disable the “Also Trust E-mail from my contacts” option for all of our recipients (bulk mode).

PowerShell command Example
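The following added example (not code from the original article) covers scenarios 2.1 through 2.4 with the Enabled and ContactsTrusted parameters of Set-MailboxJunkEmailConfiguration, but as an audit-then-change pass rather than blind bulk writes: it records the current state of every user mailbox first, enables the filter only where it is off, and turns contact trust on for everyone. It assumes an Exchange PowerShell session; the shared mailbox address used for scenario 2.2 is a placeholder.

```powershell
# Added example: audit junk filter state, then enable it and ContactsTrusted
# in bulk. Assumes an Exchange Management Shell / Exchange Online session.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# Collect the current state first so the change is reviewable before it runs
$state = foreach ($mbx in $mailboxes) {
    $cfg = Get-MailboxJunkEmailConfiguration -Identity $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue
    if ($cfg) {
        [pscustomobject]@{
            Mailbox         = $mbx.PrimarySmtpAddress.ToString()
            FilterEnabled   = $cfg.Enabled
            ContactsTrusted = $cfg.ContactsTrusted
        }
    }
}
$state | Group-Object FilterEnabled | Select-Object Name, Count    # quick overview

# Scenario 2.1 in bulk: enable the filter only where it is currently disabled
$state | Where-Object { -not $_.FilterEnabled } | ForEach-Object {
    Set-MailboxJunkEmailConfiguration -Identity $_.Mailbox -Enabled $true -ErrorAction Continue
}

# Scenario 2.3: trust contacts for everyone (scenario 2.4 is the same call with $false)
foreach ($s in $state | Where-Object { -not $_.ContactsTrusted }) {
    Set-MailboxJunkEmailConfiguration -Identity $s.Mailbox -ContactsTrusted $true -ErrorAction Continue
}

# Scenario 2.2 for a single recipient, e.g. an abuse mailbox that must receive everything
Set-MailboxJunkEmailConfiguration -Identity 'abuse@contoso.example' -Enabled $false   # placeholder
```

Writing only to mailboxes whose state differs keeps the run idempotent and keeps the Exchange audit log free of thousands of no-op changes, which makes a real configuration drift easier to spot later.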


Section 3#4 – View Information About Safe Sender And Blocked Lists

Scenario 3.1 – View information about Safe sender and blocked lists | Specific recipient.

Scenario description

We would like to view the available information about the mailbox Junk Email configuration, including the list of E-mail addresses and domain names that appear in the Safe Senders and Blocked Senders lists.

PowerShell command Syntax

PowerShell command Example

Scenario 3.2 – View information about Safe sender and blocked lists | Bulk mode.

Scenario description

We would like to view the available information about the mailbox Junk Email configuration, including the list of E-mail addresses and domain names that appear in the Safe Senders and Blocked Senders lists.

In this scenario, we would like to view the information for all the existing Exchange mailboxes.

PowerShell command Example

Export information about Safe sender and blocked lists | Bulk mode

Scenario 3.3 – Export information to CSV file.

Scenario description

We would like to export the information from the Safe Senders and Blocked Senders lists of all existing Exchange mailboxes to a CSV (comma-separated values) file.

PowerShell command Example

Scenario 3.4 – Export information to TXT file.

Scenario description

We would like to export the information from the Safe Senders and Blocked Senders lists of all existing Exchange mailboxes to a TEXT file.

PowerShell command Example
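As an added example (not the article's own listing) for scenarios 3.1 through 3.4, the block below gathers the lists of every user mailbox into one table with Get-MailboxJunkEmailConfiguration and writes it out as CSV and as a text report. The one non-obvious step is joining the multivalued list properties into a string before Export-Csv; exported directly, such a property comes out as its type name rather than its entries. It assumes an Exchange PowerShell session; the mailbox address and the C:\temp output paths are placeholders.

```powershell
# Added example: view and export Safe/Blocked Senders lists for all mailboxes.
# Assumes an Exchange Management Shell / Exchange Online session.
$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        $cfg = Get-MailboxJunkEmailConfiguration -Identity $_.PrimarySmtpAddress -ErrorAction SilentlyContinue
        if ($cfg) {
            [pscustomobject]@{
                Mailbox        = $_.PrimarySmtpAddress.ToString()
                FilterEnabled  = $cfg.Enabled
                # Join multivalued lists so they survive the CSV round-trip
                SafeSenders    = ($cfg.TrustedSendersAndDomains -join ';')
                BlockedSenders = ($cfg.BlockedSendersAndDomains -join ';')
            }
        }
    }

# Scenario 3.1: one recipient on screen
$report | Where-Object Mailbox -eq 'john.doe@contoso.example' | Format-List   # placeholder

# Scenario 3.2: everyone on screen
$report | Format-Table -AutoSize -Wrap

# Scenario 3.3: CSV (-NoTypeInformation drops the #TYPE header line)
$report | Export-Csv -Path 'C:\temp\JunkEmailLists.csv' -NoTypeInformation -Encoding UTF8

# Scenario 3.4: plain-text report
$report | Format-Table -AutoSize -Wrap | Out-String -Width 4096 |
    Out-File -FilePath 'C:\temp\JunkEmailLists.txt' -Encoding UTF8

# Review aid: which mailboxes trust an entire domain (an entry without '@')?
$report |
    Where-Object { ($_.SafeSenders -split ';') | Where-Object { $_ -and $_ -notmatch '@' } } |
    Select-Object Mailbox, SafeSenders
```

The last query is the one worth scheduling: a whole-domain Safe Senders entry bypasses filtering for every address at that domain, so a periodic list of who has added which domains is a cheap control against users whitelisting a look-alike domain.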


Section 4#4 – Update (Remove And Add) Existing Safe Sender And Blocked Lists

In this section we review how to update existing Safe Senders and Blocked Senders lists. In these scenarios, we would like to add information to, or remove information from, the existing Safe Senders and Blocked Senders lists.

Updating existing Safe sender lists by adding new information

Scenario 4.1 – Add E-mail address and domain names to Safe sender lists | Specific recipient.

Scenario description

We would like to add an E-mail address and a domain name to the current Safe Senders list of a particular recipient.

PowerShell command Syntax

PowerShell command Example

Scenario 4.2 – Add E-mail address and domain names to Safe sender lists | Bulk mode.

Scenario description

We would like to add an additional E-mail address and domain name to the current Safe Senders lists of all the Exchange recipients.

PowerShell command Example

Updating existing Safe sender lists by REMOVING existing sender information

Scenario 4.3 – Remove E-mail address and domain names from Safe sender lists | Specific recipient.

Scenario description

We would like to remove an E-mail address and a domain name from the existing Safe Senders list of a particular user mailbox.

PowerShell command Syntax

PowerShell command Example

Scenario 4.4 – Remove E-mail address and domain names from Safe sender lists | Bulk mode.

Scenario description

We would like to remove an E-mail address and a domain name from the existing Safe Senders lists of all the Exchange recipients.

PowerShell command Example
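The added example below (not the article's own listing) covers scenarios 4.1 through 4.4 and shows the difference that makes this section separate from Section 1#4: the hashtable form @{Add=...; Remove=...} of TrustedSendersAndDomains and BlockedSendersAndDomains modifies the existing list, whereas a plain value replaces it. It reads the list before and after the change so the effect is visible. It assumes an Exchange PowerShell session; the mailbox address and the sender entries are placeholders.

```powershell
# Added example: add to and remove from existing lists without replacing them.
# Assumes an Exchange Management Shell / Exchange Online session.
$user = 'john.doe@contoso.example'   # placeholder

# Snapshot the current Safe Senders list (empty list -> empty array)
$before = @((Get-MailboxJunkEmailConfiguration -Identity $user).TrustedSendersAndDomains | Where-Object { $_ })

# Scenario 4.1: add entries, keeping whatever the user already had
Set-MailboxJunkEmailConfiguration -Identity $user `
    -TrustedSendersAndDomains @{Add = 'newpartner.example', 'billing@vendor.example'}

# Scenario 4.3: remove a stale entry (a domain that no longer belongs to a partner)
Set-MailboxJunkEmailConfiguration -Identity $user `
    -TrustedSendersAndDomains @{Remove = 'oldpartner.example'}

# Add and Remove may be combined in one call, here on the Blocked Senders list
Set-MailboxJunkEmailConfiguration -Identity $user `
    -BlockedSendersAndDomains @{Add = 'spam.example'; Remove = 'falsepositive.example'}

# Show exactly what changed in the Safe Senders list
$after   = @((Get-MailboxJunkEmailConfiguration -Identity $user).TrustedSendersAndDomains | Where-Object { $_ })
$added   = $after  | Where-Object { $before -notcontains $_ }
$removed = $before | Where-Object { $after  -notcontains $_ }
"Added:   $($added -join ', ')"
"Removed: $($removed -join ', ')"

# Scenarios 4.2 / 4.4 in bulk mode: the same hashtable for every user mailbox
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Set-MailboxJunkEmailConfiguration -Identity $_.PrimarySmtpAddress `
        -TrustedSendersAndDomains @{Add = 'newpartner.example'; Remove = 'oldpartner.example'} `
        -ErrorAction Continue
}
```

Prefer the hashtable form for any bulk change: a plain list applied to every mailbox silently discards each user's own entries, which is the kind of change that generates help desk tickets weeks later when wanted mail starts landing in Junk.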

SMTPClient: ReceiveResponse: 452 4.3.1 Insufficient system resources

Since Event 15006 is logged, verify that the hard disk has more free space than the threshold configured for the Transport server. See: https://technet.microsoft.com/en-us/library/bb201658(v=exchg.160).aspx

If you cannot free up the necessary disk space, you can instead move the queue database to a disk drive with sufficient free space. Follow these steps:

  • Begin by stopping the transport service.
  • Go to the original queue folder (the one containing the queue database and logs) and copy the files to the new directory.
  • Open the file C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe.config in Notepad.
  • Edit the following keys:

<add key="QueueDatabasePath" value="C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue" />

<add key="QueueDatabaseLoggingPath" value="C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue" />

Note: The paths above need not be identical.
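The script below is an added example (not part of the original post) that performs the four steps above in order, with the checks a practitioner wants around them: it reports free space on the drive currently hosting the queue, backs up EdgeTransport.exe.config, stops the transport service before copying so the ESE database and logs are closed consistently, rewrites both keys through the XML parser instead of by hand, and restarts the service. It assumes an Exchange Management Shell session on the affected server (Get-Queue is an Exchange cmdlet), the default Exchange 2016 install path shown in the article, and a placeholder target directory on another drive.

```powershell
# Added example: move the transport queue database to a drive with free space.
# Assumes an Exchange Management Shell on the server and administrative rights.
param(
    [string]$NewQueuePath = 'E:\TransportQueue',   # placeholder target on a roomier drive
    [string]$ConfigPath   = 'C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe.config'
)

# Read the current queue location from the config and report free space on its drive
[xml]$cfg = Get-Content -Path $ConfigPath
$setting = @{}
foreach ($key in 'QueueDatabasePath', 'QueueDatabaseLoggingPath') {
    $setting[$key] = $cfg.configuration.appSettings.add | Where-Object key -eq $key
    if (-not $setting[$key]) { throw "Key $key not found in $ConfigPath" }
}
$oldPath = $setting['QueueDatabasePath'].value
$drive   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$(Split-Path $oldPath -Qualifier)'"
'{0:N1} GB free on {1} ({2:N1} %)' -f ($drive.FreeSpace / 1GB), $drive.DeviceID, (100 * $drive.FreeSpace / $drive.Size)

# Keep a copy of the config so the change can be rolled back
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak-$(Get-Date -Format yyyyMMddHHmm)"

# Step 1: stop transport so the database and logs are closed consistently
Stop-Service -Name MSExchangeTransport

# Step 2: copy database and logs; /COPYALL keeps the ACLs the service needs
New-Item -ItemType Directory -Path $NewQueuePath -Force | Out-Null
robocopy $oldPath $NewQueuePath /E /COPYALL /R:2 /W:5 | Out-Null
if ($LASTEXITCODE -ge 8) {
    Start-Service -Name MSExchangeTransport
    throw "robocopy failed (exit code $LASTEXITCODE); transport restarted on the old path"
}

# Steps 3 and 4: point both keys at the new directory and save the config
$setting['QueueDatabasePath'].value        = $NewQueuePath
$setting['QueueDatabaseLoggingPath'].value = $NewQueuePath
$cfg.Save($ConfigPath)

Start-Service -Name MSExchangeTransport
Get-Queue | Format-Table Identity, Status, MessageCount -AutoSize   # confirm the queues mounted
```

Keep the old queue folder until Get-Queue shows the queues in the new location and mail is flowing; only then reclaim the space on the original drive.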

Hope it helps.

Top 25 Kali Linux Penetration Testing Tools

Kali Linux is an open source distribution based on Debian focused on providing penetration testing and security auditing tools. Actively developed by Offensive Security, it’s one of the most popular security distributions in use by infosec companies and ethical hackers.

One of the best things about Kali is that it doesn’t require you to install the OS on your hard drive: it uses a live image that can be loaded into RAM, so you can test your security skills with the more than 600 ethical hacking tools it provides.

It includes numerous security-hacker tools for information gathering, vulnerability analysis, wireless attacks, web applications, exploitation tools, stress testing, forensic tools, sniffing and spoofing, password cracking, reverse engineering, hardware hacking and much more.

We’ve previously explored the Top 20 OSINT Tools available, and today we’ll go through the list of top-used Kali Linux software. Let’s begin!


For ease of reference, we’ll divide the most-used software of Kali Linux into five distinct categories: information gathering, vulnerability scanning, wireless analysis tools, password crackers, exploitation tools and stress testing.

1. Nmap

Nmap is the world’s most famous network mapper tool. It allows you to discover active hosts within any network, and acquire other information (such as open ports) relevant to penetration testing.

Main features:

  • Host discovery: useful for identifying hosts in any network
  • Port scanning: lets you enumerate open ports on the local or remote host
  • OS detection: useful for fetching operating system and hardware information about any connected device
  • App version detection: allows you to determine application name and version number
  • Scriptable interaction: extends Nmap default capabilities by using Nmap Scripting Engine (NSE)

[securitytrails@kali root]$ nmap --help
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host

Ready to unleash the power of Nmap? Check out our list of Top 15 Nmap Commands.

2. Netcat

Netcat is a network exploration application that is not only popular among those in the security industry, but also in the network and system administration fields.

While it’s primarily used for outbound/inbound network checking and port exploration, it’s also valuable when used in conjunction with programming languages like Perl or C, or with bash scripts.

Netcat’s main features include:

  • TCP and UDP port analysis
  • Inbound and outbound network sniffing
  • Reverse and forward DNS analysis
  • Scan local and remote ports
  • Fully integrated with terminal standard input
  • UDP and TCP tunnelling mode

3. Unicornscan

Licensed under the GPL, Unicornscan is one of the best infosec tools for information gathering and data correlation. It offers advanced asynchronous TCP and UDP scanning features along with very useful network discovery patterns that help you find remote hosts. It can also reveal details about the software running on each of them.

Main features include:

  • TCP asynchronous scan
  • Asynchronous UDP scan
  • Asynchronous TCP banner detection
  • OS, application and system service detection
  • Ability to use custom data sets
  • Support for SQL relational output

4. Fierce

Fierce is a great tool for network mapping and port scanning. It can be used to discover non-contiguous IP space and hostnames across networks.

It’s similar to Nmap and Unicornscan, but unlike those, Fierce is mostly used for specific corporate networks.

Once the penetration tester has defined the target network, Fierce will run several tests against the selected domains to retrieve valuable information that can be used for later analysis and exploitation.

Its features include:

  • Ability to change DNS server for reverse lookups
  • Internal and external IP ranges scanning
  • IP range and entire Class C scanning
  • Logs capabilities into a system file
  • Name Servers discovery and Zone Transfer attack
  • Brute force capabilities using built-in or custom text list

5. OpenVAS

OpenVAS (Open Vulnerability Assessment System) was developed by part of the team responsible for the famous Nessus vulnerability scanner. Licensed under the GPL, it’s free software that anyone can use to explore local or remote network vulnerabilities.

This security tool allows you to write and integrate your own security plugins to the OpenVAS platform — even though the current engine comes with more than 50k NVTs (Network Vulnerability Tests) that can literally scan anything you imagine in terms of security vulnerabilities.

Main features:

  • Simultaneous host discovery
  • Network mapper and port scanner
  • Support for OpenVAS Transfer Protocol
  • Fully integrated with SQL Databases like SQLite
  • Scheduled daily or weekly scans
  • Exports results into XML, HTML and LaTeX file formats
  • Ability to stop, pause and resume scans
  • Full support for Linux and Windows

6. Nikto

Written in Perl and included in Kali Linux, Nikto works as a complement to OpenVAS and other vulnerability scanners.

Nikto allows penetration testers and ethical hackers to perform a full web server scan to discover security flaws and vulnerabilities. This security scan gathers results by detecting insecure file and app patterns, outdated server software and default file names as well as server and software misconfigurations.

It includes support for proxies, host-based authentication, SSL/TLS and much more.

Main features include:

  • Scans multiple ports on a server
  • IDS evasion techniques
  • Outputs results into TXT, XML, HTML, NBE or CSV.
  • Apache and cgiwrap username enumeration
  • Identifies installed software via headers, favicons and files
  • Scans specified CGI directories
  • Uses custom configuration files
  • Debug and verbose output.

7. WPScan

WPScan is recommended for auditing your WordPress installation security. By using WPScan you can check if your WordPress setup is vulnerable to certain types of attacks, or if it’s exposing too much information in your core, plugin or theme files.

This WordPress security tool also lets you find weak passwords for all registered users, and even run a brute force attack against them to see which ones can be cracked.

WPScan receives frequent updates from the wpvulndb.com WordPress vulnerability database, which makes it a great software for up-to-date WP security.

What can you do with WPScan?

  • Non-intrusive security scans
  • WP username enumeration
  • WP bruteforce attack & weak password cracking
  • WP plugins vulnerability enumeration
  • Schedule WordPress security scans

Are you interested in WordPress security? Check out our blog post asking exactly that: Is WordPress secure?

8. CMSMap

Unlike WPScan, CMSMap aims to be a centralized solution for not only one, but up to four of the most popular CMS in terms of vulnerability detection.

CMSmap is an open source project written in Python that helps automate the process of vulnerability scanning and detection in WordPress, Joomla, Drupal, and Moodle.

This tool is not only useful for detecting security flaws in these four popular CMS but also for running actual brute force attacks and launching exploits once a vulnerability has been found.

Main features include:

  • Supports multiple scan threads
  • Ability to set custom user-agent and header
  • Support for SSL encryption.
  • Verbose mode for debugging purposes
  • Saves output in a text file.

9. Fluxion

Fluxion is a WiFi analyzer that specializes in MITM WPA attacks.

It allows you to scan wireless networks, searching for security flaws in corporate or personal networks.

Unlike other WiFi cracking tools, Fluxion does not launch any brute force cracking attempts that usually take a lot of time.

Instead, it spawns an MDK3 process which forces all users connected to the target network to deauthenticate. Once this is done, the user is prompted to connect to a fake access point, where they will enter the WiFi password. Then the program reports the password to you, so you can gain access.

10. Aircrack-ng

Aircrack-ng is a wireless security software suite. It consists of a network packet analyzer, a WEP network cracker, and WPA / WPA2-PSK along with another set of wireless auditing tools. Here are the most popular tools included in the Aircrack-ng suite:

  • Airmon-ng: puts your wireless card into monitor mode so it can capture all frames on a channel, not just those addressed to it
  • Airodump-ng: captures packets matching the desired specification; it is particularly useful for collecting WEP IVs and WPA handshakes
  • Aircrack-ng: recovers keys, using statistical attacks on captured IVs for WEP and dictionary attacks for WPA and WPA2 once the four-way handshake has been captured
  • Aireplay-ng: can be used to generate or accelerate traffic to an access point (packet injection, deauthentication)
  • Airdecap-ng: decrypts captured wireless traffic once the key is known

Main features:

  • Support for WEP and WPA/WPA2-PSK keys
  • Fast WEP and WPA key cracking
  • Packet sniffer and injector
  • Ability to create a virtual tunnel interface (airtun-ng)
  • Automated WEP key recovery
  • Password list management

[securitytrails@kali root]$ aircrack-ng

Aircrack-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe
http://www.aircrack-ng.org

usage: aircrack-ng [options] <.cap / .ivs file(s)>

Common options:

-a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
-e <essid> : target selection: network identifier
-b <bssid> : target selection: access point's MAC
-p <nbcpu> : # of CPU to use (default: all CPUs)
-q : enable quiet mode (no status output)
-C <macs> : merge the given APs to a virtual one
-l <file> : write key to file

11. Kismet Wireless

Kismet Wireless is a multi-platform free Wireless LAN analyzer, sniffer and IDS (intrusion detection system).

It’s compatible with almost any kind of wireless card. Using it in sniffing mode allows you to work with wireless networks such as 802.11a, 802.11b, 802.11g, and 802.11n.

Kismet runs natively on Linux, macOS and the BSDs (FreeBSD, NetBSD and OpenBSD); on Windows it runs under the Windows Subsystem for Linux.

Main features:

  • Ability to run in passive mode
  • Easy detection of Wireless clients and access points
  • Wireless intrusion detection system
  • Scans wireless encryption levels for a given AP
  • Supports channel hopping
  • Network logging

12. Wireshark

Wireshark is an open source multi-platform network analyzer that runs on Linux, OS X, BSD, and Windows.

It’s especially useful for knowing what’s going on inside your network, which accounts for its widespread use in government, corporate and education industries.

It works in a similar manner as tcpdump, but Wireshark adds a great graphical interface that allows you to filter, organize and order captured data so it takes less time to analyze. A text-based version, called tshark, is comparable in terms of features.

Main features include:

  • GUI-friendly interface
  • Packet live capture and offline analysis
  • Full protocol inspection
  • Gzip compression and decompression on the fly
  • Full VoIP analysis
  • Decryption support for IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Reading capture file formats such as tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog and many others

13. John the Ripper

John the Ripper is a multi-platform password cracker that runs on Unix, Linux, Windows and macOS. It allows system administrators and penetration testers to launch dictionary and brute force attacks against password hashes to test the strength of any system password. It supports many hash formats, such as traditional DES-based crypt, SHA-1 based hashes and many others.

It auto-detects the hash type of its input and selects the matching cracking code, so the format rarely has to be specified by hand.

Licensed and distributed under the GPL license, it’s a free tool available for anyone who wants to test their password security.

Main features include:

  • Dictionary attacks and brute force (incremental) mode
  • Compatible with most operating systems and CPU architectures
  • Can be run unattended from cron
  • Interrupted sessions can be saved and resumed
  • Custom character sets for building incremental (brute force) attacks
  • Word-mangling rules for customising dictionary attacks

14. THC Hydra

THC Hydra is a free tool licensed under AGPL v3.0, widely used for online brute force (password guessing) attacks against remote authentication services.

Supporting more than 50 protocols, it's one of the best tools for testing your password security levels in any type of server environment.

It also provides support for most popular operating systems like Windows, Linux, Free BSD, Solaris and OS X.

Main features:

  • Fast, parallelised login attempts
  • Runs on multiple operating systems
  • Ability to launch parallel brute force cracking attacks
  • Module-based application allows you to add custom modules
  • Support for multiple protocols such as CVS, FTP, HTTP, HTTPS, HTTP-Proxy, IMAP, IRC, LDAP, MS-SQL, MySQL, etc.

15. findmyhash

Written in Python, findmyhash is a free open-source tool that helps to crack passwords using free online services.

It works with the following algorithms: MD4, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, RMD160, GOST, WHIRLPOOL, LM, NTLM, MYSQL, CISCO7, JUNIPER, LDAP_MD5, and LDAP_SHA1. It also supports multi-threaded lookups for faster speed, and can recognise the algorithm from the hash value.

Main features include:

  • Empty hashes recognition
  • Reads input from a text file
  • Ability to escape special characters
  • Cracks single or multiple hashes.
  • Password hash search on Google
  • Pause and Resume options
  • Saves the results in a file.

16. RainbowCrack

RainbowCrack is a password cracking tool available for Windows and Linux operating systems.

Unlike brute force crackers, RainbowCrack implements Philippe Oechslin's time-memory trade-off: the hash space is precomputed once into large “rainbow tables”, and each later lookup then takes far less time than cracking the same hash from scratch.

Features include:

  • Available with both a terminal-based and a GUI-friendly interface
  • Works well with multi-core processors
  • Rainbow table generation, sort, conversion and lookup
  • Support for GPU acceleration (Nvidia CUDA and AMD OpenCL)
  • Support rainbow table of any hash algorithm and charset.
  • Support rainbow table in raw file format (.rt) and compact file format (.rtc).

17. Metasploit Framework

Metasploit Framework is a Ruby-based platform used to develop, test and execute exploits against remote hosts. It includes a full collection of security tools used for penetration testing, along with a powerful terminal-based console — called msfconsole — which allows you to find targets, launch scans, exploit security flaws and collect all available data.

Available for Linux and Windows, MSF is probably one of the most powerful security auditing tools freely available for the infosec market.

What can you do with Metasploit Framework?

  • Network enumeration and discovery
  • Evade detection on remote hosts
  • Exploit development and execution
  • Work with msfconsole
  • Scan remote targets
  • Exploit vulnerabilities and collect valuable data

18. Social Engineering Toolkit

Available for Linux and Mac OS X, the Social Engineering Toolkit (known as SET) is an open-source Python-based penetration testing framework that will help you launch Social-Engineering attacks in no time.

Have you ever wondered how to hack social network accounts? Well, SET has the answer — it’s indispensable for those interested in the field of social engineering.

What kind of attacks can I launch with SET?

  • WiFi AP-based attacks: this kind of attack will redirect or intercept packets from users using our WiFi network
  • SMS and email attacks: here, SET will try to trick and generate a fake email to get social credentials
  • Web-based attacks: lets you clone a web page so you can drive real users by DNS spoofing or phishing attacks
  • Creation of payloads (.exe): SET will create a malicious .exe file that, once executed, compromises the system of the user who ran it

Highlighted features include:

  • Fast penetration testing
  • Integration with third-party modules
  • Phishing attack generator
  • Launch QRCode attacks
  • Support for Powershell attack vectors

19. BeEF

BeEF stands for The Browser Exploitation Framework, a powerful penetration testing tool that relies on browser vulnerabilities and flaws to exploit the host.

Unlike other Kali cybersecurity tools, it focuses on the browser side, including attacks against mobile and desktop clients, letting you assess the exploitability of a hooked browser regardless of the client's operating system.

You’ll be able to select specific modules in real-time to audit your browser security.

BeEF requirements:

  • OS: Mac OS X 10.5.0 or higher / modern Linux
  • Ruby 2.3 or newer
  • SQLite 3.x
  • Node.js 6 or newer

Main features:

  • Web and console UI
  • Metasploit integration
  • Modular structure
  • Interprocess communication & exploitation
  • History gathering and intelligence
  • Host and network reconnaissance
  • Ability to detect browser plugins

20. Yersinia

Yersinia is a security network tool that allows you to perform L2 attacks by taking advantage of security flaws in different network protocols.

This tool can attack switches, routers, DHCP servers and many other network devices and protocols. It includes a GTK GUI and an ncurses-based mode, can read from a custom configuration file, supports a debugging mode and can save results to a log file.

Supported network protocols:

  • IEEE 802.1Q (VLAN tagging) and 802.1X (port-based network access control)
  • Cisco Discovery Protocol (CDP)
  • Dynamic Host Configuration Protocol (DHCP)
  • Dynamic Trunking Protocol (DTP)
  • Inter-Switch Link Protocol (ISL)
  • Hot Standby Router Protocol (HSRP)
  • Spanning Tree Protocol (STP)
  • VLAN Trunking Protocol (VTP)

21. DHCPig

DHCPig is a DHCP exhaustion tool that launches an advanced attack to consume all the IP addresses a DHCP server can hand out on the LAN.

This also prevents new users from getting IPs assigned to their computers. It works well against Linux LANs as well as Windows 2003, 2008, etc.

DHCPig doesn't require any installation, as it is a tiny script; it only requires the scapy library to be installed on your system, and it includes support for IPv4 and IPv6.

What can you do with DHCPig?

  • Detect/print DHCP replies
  • Detect/print ICMP requests
  • Discover and create a network map of your neighbours’ IPs
  • Request all possible IP addresses in a zone
  • Create a loop and send DHCP requests from different MAC addresses
  • Explore your neighbours’ MAC & IP addresses
  • Release IPs and MAC address from the DHCP server
  • ARP for all neighbours on that LAN
  • Knock off network on Windows systems

22. FunkLoad

Written in Python, FunkLoad is a popular web-stress tool that works by emulating a fully functional web browser. It’s highly useful for testing web projects and seeing how well they react in terms of web server performance.

FunkLoad allows full performance testing to help you identify possible bottlenecks within your web apps and web servers, at the same time testing your application recoverability time.

Main FunkLoad features include:

  • Real web browser emulation (including GET/POST/PUT/DELETE, DAV, cookie, referer support, etc)
  • Command-line advanced tests
  • Full benchmarking reports in PDF, HTML, ReST, Org-mode
  • Benchmark differential comparison between 2 results
  • Test customization using a configuration file
  • Full support for popular server-side stacks such as PHP, Python and Java

23. SlowHTTPTest

SlowHTTPTest is one of the most popular web-stress applications used to launch DoS attacks against any HTTP server. This type of security tool focuses on low-bandwidth attacks to test your web server's health and response times. It includes statistics for all your tests and lets you run several types of attack:

  1. Apache Range Header.
  2. Slow Read.
  3. Slow HTTP POST.
  4. Slowloris.

Main features include:

  • Saving statistics output in HTML and CSV files
  • Setting verbose level (0-4)
  • Targeting custom number of connections
  • Setting HTTP connection rate (per seconds)
  • Proxy traffic redirection

24. Inundator

Inundator is a multi-threaded IDS evasion security tool designed to be anonymous. By routing its traffic through Tor it can flood intrusion detection systems (especially Snort) with traffic that triggers false positives, which hides the real attack taking place behind the scenes. Using a SOCKS proxy it can generate more than 1k false positives per minute during an attack.

The main goal of Inundator is to keep your security team busy dealing with false positives while a real attack is happening.

Inundator features and attributes include:

  • Multi-threaded capabilities
  • Full SOCKS support
  • Anonymization-ready
  • Support of multiple targets
  • Queue-based

25. t50

t50 is a network stress testing tool (a mixed packet injector) included with the Kali Linux distribution. It can help you test how your websites, servers and networks react under high load during an attack.

It's one of the few security tools capable of encapsulating protocols using GRE (Generic Routing Encapsulation), and supports up to 14 different protocols. The t50 package also lets you send all protocols sequentially using one single socket.

t50 features:

  • DoS and DDoS attacks simulator
  • Main supported protocols include TCP, UDP, ICMP, IGMP, etc.
  • Up to 1,000,000 pps of SYN Flood if using Gigabit network
  • Up to 120k pps of SYN Flood if using 100Mbps network

Summary

We’ve said it before in our post How web software gets hacked: a History of Web Exploits: “Internet has no future without hacking”.

Nowadays Kali Linux offers what are probably the best ethical hacking and penetration testing suites in the world. Thanks to their extensive documentation, community and tools, starting in the infosec world is not as hard as it was 20 years ago; nowadays you can find pre-built tools for almost anything you imagine.

By implementing these Kali Linux tools, your software company will have more ways to test and increase the security of your web applications and systems — by identifying security flaws before the bad guys do.

We at SecurityTrails are focused on creating a powerful security platform that includes domain automation lists, forensic DNS tools and IP exploration utilities as never seen before. Our information gathering and intel reconnaissance data, combined with security distributions like Kali, can make your daily security tasks way easier than ever.


Are you ready to start using our cybersecurity treasure trove? Grab a free API account today or contact us for consultation.

Source : Top 25 Kali Linux Penetration Testing Tools

Linux Networking commands and scripts

  1. aria2 – downloading just about everything. Torrents included.
  2. arpwatch – Ethernet Activity Monitor.
  3. bmon – bandwidth monitor and rate estimator.
  4. bwm-ng – live network bandwidth monitor.
  5. curl – transferring data with URLs. (or try httpie)
  6. darkstat – captures network traffic, usage statistics.
  7. dhclient – Dynamic Host Configuration Protocol Client
  8. dig – query DNS servers for information.
  9. dstat – replacement for vmstat, iostat, mpstat, netstat and ifstat.
  10. ethtool – utility for controlling network drivers and hardware.
  11. gated – gateway routing daemon.
  12. host – DNS lookup utility.
  13. hping – TCP/IP packet assembler/analyzer.
  14. ibmonitor – shows bandwidth and total data transferred.
  15. ifstat – report network interfaces bandwidth.
  16. iftop – display bandwidth usage.
  17. ip (PDF file) – a command with more features than ifconfig (net-tools).
  18. iperf3 – network bandwidth measurement tool.
  19. iproute2 – collection of utilities for controlling TCP/IP.
  20. iptables – take control of network traffic.
  21. IPTraf – An IP Network Monitor.
  22. iputils – set of small useful utilities for Linux networking.
  23. iw – a new nl80211 based CLI configuration utility for wireless devices.
  24. jwhois (whois) – client for the whois service.
  25. “lsof -i” – reveal information about your network sockets.
  26. mtr – network diagnostic tool.
  27. net-tools – utilities include: arp, hostname, ifconfig, netstat, rarp, route, plipconfig, slattach, mii-tool, iptunnel and ipmaddr.
  28. ncat – improved re-implementation of the venerable netcat.
  29. netcat – networking utility for reading/writing network connections.
  30. nethogs – a small ‘net top’ tool.
  31. Netperf – Network bandwidth Testing.
  32. netplan – a utility for easily configuring networking on a Linux system.
  33. netsniff-ng – Swiss army knife for daily Linux network plumbing.
  34. netwatch – monitoring Network Connections.
  35. ngrep – grep applied to the network layer.
  36. nload – display network usage.
  37. nmap – network discovery and security auditing.
  38. nmcli – a command-line tool for controlling NetworkManager and reporting network status.
  39. nmtui – provides a text interface to configure networking by controlling NetworkManager.
  40. nslookup – query Internet name servers interactively.
  41. ping – send icmp echo_request to network hosts.
  42. route – show / manipulate the IP routing table.
  43. slurm – network load monitor.
  44. snort – Network Intrusion Detection and Prevention System.
  45. smokeping – keeps track of your network latency.
  46. socat – establishes two bidirectional byte streams and transfers data between them.
  47. speedometer – Measure and display the rate of data across a network.
  48. speedtest-cli – test internet bandwidth using speedtest.net
  49. ss – utility to investigate sockets.
  50. ssh – secure system administration and file transfers over insecure networks.
  51. tcpdump – command-line packet analyzer.
  52. tcptrack – Displays information about tcp connections on a network interface.
  53. telnet – user interface to the TELNET protocol.
  54. tracepath – very similar function to traceroute.
  55. traceroute – print the route packets trace to network host.
  56. vnStat – network traffic monitor.
  57. websocat – Connection forwarder from/to web sockets to/from usual sockets, in style of socat.
  58. wget – retrieving files using HTTP, HTTPS, FTP and FTPS.
  59. Wireless Tools for Linux – includes iwconfig, iwlist, iwspy, iwpriv and ifrename.
  60. Wireshark – network protocol analyzer.
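
Several of the tools above (ss, lsof -i, netstat) list listening sockets, but the question a security review actually asks is which of those services are reachable from other hosts. The following shell functions are an added example and not part of the original list: they parse ss -tuln style output (supplied here as a constructed sample, not captured from a real machine) and flag every service bound to a wildcard address that is not on an allowlist. The function names exposed_ports and check_exposure are chosen for this example.

```sh
#!/bin/sh
# Added example, not part of the original list. Parses the output of
# `ss -tulnH` (TCP and UDP, listening, numeric, no header) and reports services
# bound to every interface. The sample below is constructed for the example,
# not captured from a real host.
SAMPLE_SS='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      511                *:80              *:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128             [::]:3306         [::]:*'

# exposed_ports SS_OUTPUT: print "proto port" for every socket whose local
# address is a wildcard (0.0.0.0, *, :: or [::]). Column 5 of ss output is
# "local-address:port"; the port is whatever follows the last colon, which also
# works for bracketed IPv6 addresses. A header line, if present, never matches.
exposed_ports() {
  printf '%s\n' "$1" | awk '
    NF >= 5 {
      n = split($5, f, ":")
      port = f[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
        print $1, port
    }'
}

# check_exposure SS_OUTPUT "PORT PORT ...": return 0 if every wildcard-bound
# port is in the space-separated allowlist, otherwise name the offenders on
# stderr and return 1. On a real host feed it the output of `ss -tulnH`.
check_exposure() {
  allow=" $2 "
  status=0
  while read -r proto port; do
    [ -n "$port" ] || continue          # empty line when nothing is exposed
    case "$allow" in
      *" $port "*) ;;                   # expected service, fine
      *) printf 'unexpected exposed service: %s/%s\n' "$proto" "$port" >&2
         status=1 ;;
    esac
  done <<EOF
$(exposed_ports "$1")
EOF
  return "$status"
}
```

With the sample above, exposed_ports reports tcp/22, tcp/80, udp/68 and tcp/3306 and ignores the PostgreSQL listener on 127.0.0.1; check_exposure "$(ss -tulnH)" "22 80" on a real host would then exit non-zero for the DHCP client and the MySQL port, which is the kind of check that belongs in a post-provisioning script.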

Article source by: https://haydenjames.io/linux-networking-commands-scripts/

3 Ways to Access Your Linux Partitions From Windows

If you’re dual booting Windows and Linux, you’ll probably want to access files on your Linux system from Windows at some point. Linux has built-in support for Windows NTFS partitions, but Windows can’t read Linux partitions without third-party software.

So we’ve rounded up some third-party software to help. This list is focused on applications that support the Ext4 file system, which most new Linux distributions use by default. These applications all support Ext2 and Ext3, too—and one of them even supports ReiserFS.

Ext2Fsd

Ext2Fsd is a Windows file system driver for the Ext2, Ext3, and Ext4 file systems. It allows Windows to read Linux file systems natively, providing access to the file system via a drive letter that any program can access.

You can have Ext2Fsd launch at every boot or only open it when you need it. While you can theoretically enable support for writing to Linux partitions, I haven’t tested this. I’d be worried about this option, myself—a lot can go wrong. Read-only support is fine, though, and doesn’t carry a risk of messing anything up.

The Ext2 Volume Manager application allows you to define mount points for your Linux partitions and change Ext2Fsd’s settings.

If you didn’t set Ext2Fsd to autostart at boot, you’ll have to go into Tools > Service Management and start the Ext2Fsd service before you can access your Linux files. By default, the driver automatically mounts and assigns drive letters to your Linux partitions, so you don’t have to do anything extra.

You’ll find your Linux partitions mounted at their own drive letters in Windows Explorer. You can access the files on them from any application, without the hassle of copying files to your Windows partition before accessing them.

This partition’s file system is actually Ext4, but Ext2Fsd can read it fine anyway. If you’re looking for your personal files, you’ll find them in your /home/NAME directory.

DiskInternals Linux Reader

Linux Reader is a freeware application from DiskInternals, developers of data recovery software. In addition to the Ext file systems, Linux Reader also supports ReiserFS and Apple’s HFS and HFS+ file systems. It’s read-only, so it can’t damage your Linux file system.

Linux Reader doesn’t provide access via a drive letter—instead, it’s a separate application you launch to browse your Linux partitions.

Linux Reader shows previews of your files, making it easy to find the right one.

If you want to work with a file in Windows, you’ll have to save the file from your Linux partition to your Windows file system with the Save option. You can also save entire directories of files.

Ext2explore

We’ve covered Ext2explore in the past. It’s an open-source application that works similarly to DiskInternals Linux Reader—but only for Ext4, Ext3, and Ext2 partitions. It also lacks file previews, but it has one advantage: it doesn’t have to be installed; you can just download the .exe and run it.

The Ext2explore.exe program must be run as administrator, though, or you’ll get an error. You can do this from the right-click menu.

To save some time in the future, go into the file’s properties window and enable the “Run this program as an administrator” option on the Compatibility tab.

As with Linux Reader, you’ll have to save a file or directory to your Windows system before you can open it in other programs.

Source : 3 Ways to Access Your Linux Partitions From Windows

How to Exit When Errors Occur in Bash Scripts

It’s a common issue that scripts written and tested on GNU/Linux don’t run correctly on macOS–or vice versa–because of differences between the GNU and BSD versions of the coreutils. Error messages can get drowned in the script output, making it far from obvious that something isn’t executing correctly. There are a couple of easy fixes to avoid problems like this, but they rely on some bash features that you may not be familiar with if you don’t do a ton of scripting. I’ll summarize my two approaches here and hopefully they’re of some use to you if you’re looking for a how-to guide for this specific problem.

Exit When Any Command Fails

This can actually be done with a single line using the set builtin command with the -e option.

# exit when any command fails
set -e

Putting this at the top of a bash script will cause the script to exit as soon as any command returns a non-zero exit code. Two caveats apply: set -e ignores a failure in any command that is not the last stage of a pipeline (add set -o pipefail for that), and it ignores commands whose status is being tested by if, while, && or ||. We can get a little fancier if we use DEBUG and EXIT traps to execute custom commands before each line of the script is run and before the script exits, respectively. Adding the following lines prints an error message including the previously run command and its exit code; the EXIT trap checks the status first, so a script that finishes normally does not print a spurious message.

# exit when any command fails
set -e

# keep track of the last executed command
trap 'last_command=$current_command; current_command=$BASH_COMMAND' DEBUG
# echo an error message before exiting, but only when the exit status is non-zero
trap 'rc=$?; if [ "$rc" -ne 0 ]; then echo "\"${last_command}\" command failed with exit code ${rc}." >&2; fi' EXIT

For example, if we run ls --fake-option then we’ll see an informative error message as follows.

ls: unrecognized option '--fake-option'
Try 'ls --help' for more information.
"ls --fake-option" command failed with exit code 2.

Exit Only When Specific Commands Fail

The global solution is often fine, but sometimes you only care if certain commands fail. We can handle this situation by defining a function that needs to be explicitly invoked to check the status code and exit if necessary.

exit_on_error() {
    exit_code=$1
    # everything after the first argument is the command line that was run
    last_command=${@:2}
    if [ "$exit_code" -ne 0 ]; then
        >&2 echo "\"${last_command}\" command failed with exit code ${exit_code}."
        exit "$exit_code"
    fi
}

# enable !! command completion
set -o history -o histexpand

That bottom line isn’t strictly necessary, but it allows us to use !! and have it expand to the last command executed; history and history expansion are switched off by default in non-interactive shells, which is why the script has to enable them itself. For example, we can check explicitly for an error like this

ls --fake-option
exit_on_error $? !!

will pass the exit code of the previous command as the first argument to exit_on_error() and then !! will expand to ls --fake-option as the second and third arguments. The second and third arguments–plus any further arguments if they were there–are then recombined by slicing ${@:2}.

This approach will print the same error message as the one in the previous section, but will only check the commands that are explicitly followed by exit_on_error calls.
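
As an added example that is not part of the original article, the script below covers both sections above from a different angle: a wrapper that checks a specific command without the !! history trick (the wrapper receives the exact argument vector, so it can never misreport which command failed), and a demonstration of the pipeline case that set -e silently misses, together with a portable fix. It is written for POSIX sh so it also runs under dash; the function names try, soft_try, pipeline_status and checked_pipeline are this example's own.

```sh
#!/bin/sh
# Added example, not from the original article: a portable (POSIX sh) way to
# check specific commands without the `exit_on_error $? !!` history trick, plus
# a demonstration of the pipeline case that `set -e` misses. The function names
# try, soft_try, pipeline_status and checked_pipeline are this example's own.

# try CMD [ARGS...]: run the command exactly as given. On failure, report the
# command line and its exit status on stderr and exit the script with that
# status. Because the command sits on the left of `&&`, errexit does not fire
# before we get to print the message.
try() {
  "$@" && return 0
  rc=$?
  printf '"%s" command failed with exit code %s.\n' "$*" "$rc" >&2
  exit "$rc"
}

# soft_try CMD [ARGS...]: same report, but return the status instead of exiting,
# for optional steps (cleanup, metrics upload) that must not abort the script.
soft_try() {
  "$@" && return 0
  rc=$?
  printf 'warning: "%s" returned %s, continuing.\n' "$*" "$rc" >&2
  return "$rc"
}

# pipeline_status: echoes the status `set -e` actually sees for `false | true`.
# A pipeline's status is that of its last stage, so the failing `false` is
# ignored and the script carries on; the output is 0, not 1.
pipeline_status() {
  (
    set -e
    false | true
    echo "$?"
  )
}

# checked_pipeline PRODUCER CONSUMER: portable fix for that pitfall. Running the
# producer in a plain assignment makes its status visible (and fatal under
# errexit); only then is its output handed to the consumer. In bash,
# `set -o pipefail` achieves the same for ordinary pipelines.
checked_pipeline() {
  producer=$1
  consumer=$2
  out=$($producer) || return $?
  printf '%s\n' "$out" | $consumer
}
```

In a script you would write try tar -xzf release.tgz instead of tar -xzf release.tgz followed by exit_on_error $? !!; the message is identical, but it works in any shell, survives quoting in the command line, and needs no history expansion.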

Source : How to Exit When Errors Occur in Bash Scripts

Promote Windows Server 2016 to Domain Controller step by step – Tactig

To log in to a server from a client computer you need a user name and a password, and domain policy may also require that your system meets requirements such as up-to-date anti-virus software.

Permissions define the tasks you are allowed to perform in the domain, and file access defines which resources you can reach. These duties, and many more, are handled by the domain controller.

In this article, I am going to walk through the steps needed to promote a server to a domain controller. First, make sure you are logged in as an administrator.

Prerequisites

Install Active Directory Domain Services (AD DS) role on the server you want to promote it to domain controller (DC).

Promote Server to Domain Controller

Follow the following steps to promote server to domain controller.

1. After the role installation, open Server Manager. Click on the flag, then click on Promote this server to a domain controller hyperlink.

Promote this server to domain controller

2. When the Deployment Configuration page appears, you see three options.

  • Add domain controller to existing domain: This option is used when you want to add additional domain controller.
  • Add a new domain to an existing forest: This option is used for adding a new domain to existing forest.
  • Add a new forest: It is used for creating a new forest.

Select the third option: Add a new forest. Enter a Root domain name and click on Next button.

Create new forest

3. Specify the forest and domain functional levels (Windows Server 2008, 2008 R2, 2012, 2012 R2 or 2016). Type a complex Directory Services Restore Mode (DSRM) password (a mix of capital letters, small letters, numbers and symbols). This password is what lets you boot the DC into DSRM for offline recovery of the Active Directory database, so store it securely.

By default, a DNS server is installed at the same time the server is promoted to a domain controller. If you want to install the DNS server later, clear the Domain Name System (DNS) server check box. Click Next when you’re finished here.

Domain Controller Options

4. On the Additional Options page, leave the NetBIOS domain name as selected by default, or change it if you want. Click Next to move on to the next page.

NetBIOS domain name

5. The Paths page lets you specify where the AD DS database (NTDS.dit), the database log files and the SYSVOL folder are stored. The defaults (C:\Windows\NTDS and C:\Windows\SYSVOL) are fine for a lab. When you have finished, click Next.

Paths page

6. The next page is Review Options; there is nothing to change here, so click Next. The Prerequisites Check page summarises which prerequisites passed and which did not. If all checks passed, click Install; if not, go back over the previous steps and make sure everything was done correctly. After the installation succeeds, the system reboots automatically.

Install button

Conclusion

After the restart, the server is a domain controller. It is really easy to promote a server to a domain controller (DC), and you can now start managing and controlling users from it. For any questions, leave a comment below; I would be glad to answer as soon as possible.

Source : Promote Windows Server 2016 to Domain Controller step by step – Tactig

Windows Server 2016 Functional Levels | Microsoft Docs

With the end of life of Windows 2003, Windows 2003 domain controllers (DCs) need to be updated to Windows Server 2008, 2012 or 2016. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

We recommend that customers update their domain functional level (DFL) and forest functional level (FFL) as part of this, since the 2003 DFL and FFL have been deprecated in Windows Server 2016 and they will no longer be supported in future releases.

For customers who need additional time to evaluate moving their DFL & FFL from 2003, the 2003 DFL and FFL will continue to be supported with Windows 10 and Windows Server 2016 provided all domain controllers in the domain and forest are either on Windows Server 2008, 2008R2, 2012, 2012R2, or 2016.

At the Windows Server 2008 and higher domain functional levels, Distributed File System (DFS) Replication is used to replicate SYSVOL folder contents between domain controllers. If you create a new domain at the Windows Server 2008 domain functional level or higher, DFS Replication is automatically used to replicate SYSVOL. If you created the domain at a lower functional level, you will need to migrate from FRS to DFS Replication for SYSVOL. For migration steps, you can either follow the procedures on TechNet or refer to the streamlined set of steps on the Storage Team File Cabinet blog.

The Windows Server 2003 domain and forest functional levels continue to be supported, but organizations should raise the functional level to Windows Server 2008 (or higher if possible) to ensure SYSVOL replication compatibility and support in the future. In addition, there are many other benefits and features available at the higher functional levels. See the following resources for more information:

Windows Server 2016

Supported Domain Controller Operating System:

  • Windows Server 2016

Windows Server 2016 forest functional level features

Windows Server 2016 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2012R2 domain functional level, plus the following features:
    • DCs can support rolling a public key only user’s NTLM secrets.
    • DCs can support allowing network NTLM when a user is restricted to specific domain-joined devices.
    • Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID.

      For more information, see What’s New in Kerberos Authentication and What’s New in Credential Protection.

Windows Server 2012R2

Supported Domain Controller Operating System:

  • Windows Server 2016
  • Windows Server 2012 R2

Windows Server 2012R2 forest functional level features

  • All of the features that are available at the Windows Server 2012 forest functional level, but no additional features.

Windows Server 2012R2 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2012 domain functional level, plus the following features:
    • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:
      • Authenticate with NTLM authentication
      • Use DES or RC4 cipher suites in Kerberos pre-authentication
      • Be delegated with unconstrained or constrained delegation
      • Renew user tickets (TGTs) beyond the initial 4 hour lifetime
    • Authentication Policies
      • New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign on from, and to apply access control conditions for authentication to services running as an account.
    • Authentication Policy Silos
      • New forest-based Active Directory object which can create a relationship between user, managed service, and computer accounts, to be used to classify accounts for authentication policies or for authentication isolation.

Windows Server 2012

Supported Domain Controller Operating System:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Windows Server 2012 forest functional level features

  • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.

Windows Server 2012 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2008R2 domain functional level, plus the following features:
    • The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level. For more information, see What’s New in Kerberos Authentication

Windows Server 2008R2

Supported Domain Controller Operating System:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2

Windows Server 2008R2 forest functional level features

  • All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:
    • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.

Windows Server 2008R2 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:
    • Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.
    • Automatic SPN management for services running on a particular computer under the context of a Managed Service Account when the name or DNS host name of the machine account changes. For more information about Managed Service Accounts, see Service Accounts Step-by-Step Guide.

Windows Server 2008

Supported Domain Controller Operating System:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008

Windows Server 2008 forest functional level features

  • All of the features that are available at the Windows Server 2003 forest functional level, but no additional features are available.

Windows Server 2008 domain functional level features

  • All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:
    • Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL)
      • DFS replication support provides more robust and detailed replication of SYSVOL contents. Note: Beginning with Windows Server 2012 R2, File Replication Service (FRS) is deprecated. A new domain that is created on a domain controller that runs at least Windows Server 2012 R2 must be set to the Windows Server 2008 domain functional level or higher.
    • Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability. Domain-based namespaces in Windows Server 2008 mode also require the forest to use the Windows Server 2003 forest functional level. For more information, see Choose a Namespace Type.
    • Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the domain password needs to be changed.
      • For more information, see Kerberos Enhancements. Note: Authentication errors may occur on a domain controller after the domain functional level is raised to Windows Server 2008 or higher if the domain controller has already replicated the DFL change but has not yet refreshed the krbtgt password. In this case, a restart of the KDC service on the domain controller will trigger an in-memory refresh of the new krbtgt password and resolve related authentication errors.
    • Last Interactive Logon Information displays the following information:
      • The total number of failed logon attempts at a domain-joined Windows Server 2008 server or a Windows Vista workstation
      • The total number of failed logon attempts after a successful logon to a Windows Server 2008 server or a Windows Vista workstation
      • The time of the last failed logon attempt at a Windows Server 2008 or a Windows Vista workstation
      • The time of the last successful logon attempt at a Windows Server 2008 server or a Windows Vista workstation
    • Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain. For more information, see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration.
    • Personal Virtual Desktops

Windows Server 2003

Supported Domain Controller Operating System:

  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003

Windows Server 2003 forest functional level features

  • All of the default AD DS features, and the following features, are available:
    • Forest trust
    • Domain rename
    • Linked-value replication
      • Linked-value replication makes it possible for you to change group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit. Storing and replicating the values of individual members uses less network bandwidth and fewer processor cycles during replication, and prevents you from losing updates when you add or remove multiple members concurrently at different domain controllers.
    • The ability to deploy a read-only domain controller (RODC)
    • Improved Knowledge Consistency Checker (KCC) algorithms and scalability
      • The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than AD DS can support at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less-intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
    • The ability to create instances of the dynamic auxiliary class named dynamicObject in a domain directory partition
    • The ability to convert an inetOrgPerson object instance into a User object instance, and to complete the conversion in the opposite direction
    • The ability to create instances of new group types to support role-based authorization.
      • These types are called application basic groups and LDAP query groups.
    • Deactivation and redefinition of attributes and classes in the schema. The following attributes can be reused: ldapDisplayName, schemaIdGuid, OID, and mapiID.
    • Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability. For more information, see Choose a Namespace Type.

Windows Server 2003 domain functional level features

  • All the default AD DS features, all the features that are available at the Windows 2000 native domain functional level, and the following features are available:
    • The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers
    • Logon time stamp updates
      • The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
    • The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects
    • The ability to redirect Users and Computers containers
      • By default, two well-known containers are provided for housing computer and user accounts, namely cn=Computers,<domain root> and cn=Users,<domain root>. This feature allows the definition of a new, well-known location for these accounts.
    • The ability for Authorization Manager to store its authorization policies in AD DS
    • Constrained delegation
      • Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by means of Kerberos-based authentication.
      • You can restrict delegation to specific destination services only.
    • Selective authentication
      • Selective authentication makes it possible for you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Windows 2000

Supported Domain Controller Operating System:

  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows 2000

Windows 2000 native forest functional level features

  • All of the default AD DS features are available.

Windows 2000 native domain functional level features

  • All of the default AD DS features and the following directory features are available:
    • Universal groups for both distribution and security groups.
    • Group nesting
    • Group conversion, which allows conversion between security and distribution groups
    • Security identifier (SID) history

Source : Windows Server 2016 Functional Levels | Microsoft Docs

Active Directory: How to Check Domain and Forest Functional Level

Every new version of Windows Server adds more features. Active Directory domain and forest functional levels determine the features that can be used within the system. You can check domain and forest functional levels using these steps.

  1. From the “Administrative Tools” menu, select “Active Directory Domains and Trusts”.
  2. Right-click the root domain, then select “Properties”.
  3. Under the “General” tab, the “Domain functional level” and “Forest functional level” are displayed on the screen.
    Forest and domain functional levels displayed.

You can also use steps 2 and 3 from within the Active Directory Users and Computers snap-in to see the same screen.

The forest functional level can be changed by right-clicking Active Directory Domains and Trusts and selecting Raise Forest Functional Level… Before doing this step, you must ensure that all domains in the forest are at the level required for the change.

The domain functional level can be changed by right-clicking the domain and selecting Raise Domain Functional Level… Before doing this step, you must ensure that all domain controllers are running the version(s) of Windows that allow for the change. For more information on raising domain and forest functional levels, visit the Microsoft page – How to raise Active Directory domain and forest functional levels.

You can also grab information via a command line or PowerShell if you’d like to go that route.
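The PowerShell route, as an added example that is not part of the original article: it reads the current domain and forest functional levels with the RSAT ActiveDirectory module and, because raising a level requires every domain controller to run a recent enough version of Windows, lists the DCs of every domain in the forest and flags any that would block a raise to an assumed target level.

```powershell
# Added example: report functional levels and check DC readiness for a target level.
# Assumes the RSAT ActiveDirectory module in a domain-joined session; the target level is an assumption.
Import-Module ActiveDirectory

function Get-FunctionalLevelReport {
    # DomainMode/ForestMode enum values: 2=2003, 3=2008, 4=2008R2, 5=2012, 6=2012R2, 7=2016
    param([int]$TargetLevel = 6)

    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Map each DC's operating system to the highest functional level it can run.
    $dcs = foreach ($d in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $d | ForEach-Object {
            $max = switch -Wildcard ($_.OperatingSystem) {
                '*2016*'    { 7; break }
                '*2012 R2*' { 6; break }
                '*2012*'    { 5; break }
                '*2008 R2*' { 4; break }
                '*2008*'    { 3; break }
                '*2003*'    { 2; break }
                default     { -1 }
            }
            [pscustomobject]@{
                Domain      = $d
                Name        = $_.HostName
                OS          = $_.OperatingSystem
                MaxLevel    = $max
                BlocksRaise = ($max -lt $TargetLevel)   # this DC must be upgraded or demoted first
            }
        }
    }

    [pscustomobject]@{
        DomainFunctionalLevel = $domain.DomainMode
        ForestFunctionalLevel = $forest.ForestMode
        TargetLevel           = $TargetLevel
        DomainControllers     = $dcs
        ReadyToRaise          = -not ($dcs | Where-Object BlocksRaise)
    }
}

$report = Get-FunctionalLevelReport -TargetLevel 6
$report | Format-List DomainFunctionalLevel, ForestFunctionalLevel, TargetLevel, ReadyToRaise
$report.DomainControllers | Format-Table Domain, Name, OS, MaxLevel, BlocksRaise -AutoSize
```

Only after ReadyToRaise is true for every domain should Raise Forest Functional Level from the snap-in above (or Set-ADForestMode and Set-ADDomainMode) be used.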

Source : Active Directory: How to Check Domain and Forest Functional Level