Restoring Cached Recipients in Outlook 2007 / Windows 7
Since my move to Windows 7, I've noticed some minor file corruption occurring, as well as some cases where my desktop icons simply disappear. Fortunately, Windows 7 Pro ships with Volume Shadow Copying enabled, at least on my Dell. A good way to verify that this functionality is enabled is to look at the properties of your hard drive as follows:
This is a feature that has been around for a while on the server products, very convenient.
Ok, so this article is about cached recipients. Recently I noticed that when I tried to email some folks in Outlook and started typing in their names, it was not auto-populating, as you can see here:
With older versions of Outlook, it was the Outlook.NK2 file that you would want to restore. NirSoft makes a great utility for editing the Outlook.NK2 file. If you are using an older version of Outlook, I highly recommend it:
Outlook 2010 replaced the Outlook.NK2 file with a "Stream_Autocomplete[...].dat" file. In my case, this file appears to have been corrupted and is showing up as 0 KB:
The fix is simple. Close Outlook, then navigate to the following directory:
C:\Users\[username]\AppData\Local\Microsoft\Outlook
Right click on the "RoamCache" folder, and click "restore previous versions":

Locate a previous snapshot and click "open":

Locate a previous version of the Stream_Autocomplete file that is larger than 0 KB, copy it, and paste it into the current RoamCache folder:

Reopen Outlook, and your cached recipients should be mostly restored:

Unfortunately, if your previous versions don't have a file with content, you are probably out of luck. This solution may only work for half of the people who read this, so I think it requires a bit of luck: you'll have to catch the problem while a previous version exists, and your machine has to have shadow copies available.
“Anonymous”, Westboro Baptist Church, and Surrogafier
This week, we all got to see a publicized example of why it is bad practice to house a public web server on the same LAN as everything else. Here is the video of the occurrence:
Here is an image of the website that was presented on WBC's server by Anonymous:

This piqued my curiosity quite a bit, so I investigated. By the time I learned about this attack, the site shown above had been taken down. Fortunately for me, Google's web cache allowed me to view a cached version of the site, where I was able to see the URLs behind the "Protips" links. All of those "Protips" links referenced the fags.php script, but with an IP address appended. Here is an example (the first protip link):
http://downloads.westborobaptistchurch.com/fags.php?=_&=http://192.168.1.200/main.html
But, let's back up a minute here and analyze the attack a bit more closely.
Using an unknown technique, the "hacktivist" group "Anonymous" had gained access to Westboro Baptist Church's web server, presumably as root. If not the web server, Anonymous had gained access to SOME host on the network, because an nmap scan of the internal network was run. Note that a basic nmap scan does not require root or Admin rights, so the scan only proves a foothold on the LAN, not the privilege level of that foothold. The "Map of their internal office network" link took you to another page showing the output of an nmap scan of their network (source). This gave Anonymous a record of all of the live hosts on the network and their open ports. My writeup about nmap is here.
So, with the scan done and access to the web server in hand, proxying through the web server is easy. If Anonymous had SSH access, SSH port forwarding is one way, but the point of this exercise was to make a point. Exposing WBC's network to the general public through SSH is not the best way to do that, since it requires some know-how, an SSH client, and (usually) credentials.
The solution? Surrogafier.
Surrogafier is a single .php file (obviously, Anonymous had renamed it to "fags.php") which proxies web requests through the server it is hosted on. I downloaded the latest version of Surrogafier and tested it. Fortunately, for security purposes, trying to access a reserved (private) IP address through Surrogafier gave me the following error message:
...so how was Anonymous able to proxy through to WBC's internal IP addresses?
Well, according to the changelog at Surrogafier's website, blocking of reserved IP addresses was only added in the 0.7.7b release. In the download section, older versions are still available.
Upload surrogafier-0.7.6b to the compromised website, type in a 192.168.x.x address, and you are good to go.
Internal network access granted.
Moral of the story (among others): always put your public-facing servers in their own segregated network, and treat any script that fetches URLs on the server's behalf as a door into whatever that server can reach.
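To make the missing check concrete, here is an added example (my own code, not from the original post and not Surrogafier's) of the destination validation a URL-fetching proxy script should perform before it connects, so that a request like ?url=http://192.168.1.200/main.html cannot be turned against the server's own LAN. The function names, the resolver hook and the sample hostnames are assumptions I introduce for illustration.

```python
# Added example, not code from the original post or from Surrogafier: the kind of
# destination check a URL-fetching proxy must perform before it connects.
# Function names, the resolver hook and all sample inputs are constructed.
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a public-facing proxy must never reach: RFC 1918 space plus loopback,
# link-local (which also covers 169.254.169.254-style metadata endpoints),
# carrier-grade NAT, multicast, "this network", reserved space and the IPv6
# equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def address_is_blocked(addr):
    """True if addr (IPv4 or IPv6 literal) lies in a range the proxy must not reach."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules still apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # 'in' is False when the address and network are of different IP versions.
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host):
    """Default resolver: every A/AAAA address for host (a real DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_proxy_target(url, resolver=resolve_all):
    """Decide whether the proxy may fetch url. Returns (allowed, reason).

    Every address the name resolves to is checked, not just the first, so a
    name with one public and one private record is refused. A DNS-rebinding
    window remains if the connect resolves the name a second time: the connect
    should reuse the addresses vetted here.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"  # user@host tricks
    try:
        addrs = [host] if _is_literal(host) else resolver(host)
    except socket.gaierror as exc:
        return False, "cannot resolve %s: %s" % (host, exc)
    for addr in addrs:
        if address_is_blocked(addr):
            return False, "%s -> %s is in a blocked range" % (host, addr)
    return True, "ok"
```

The resolver is injectable so the rule can be exercised offline; in production the default `resolve_all` does the real lookup, and the connection should be opened to one of the addresses it returned rather than to the hostname again.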
VPN …what is it?
VPN: Virtual Private Networking- what is it and what can it do for you?
Wikipedia says it's "a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger networks (such as the Internet), as opposed to running across a single private network."
Yeah that's all fine and dandy, but.. what?
Here is my way of explaining it. First things first: if you do not do anything on your local network at home other than access stuff over the Internet, then you probably do not need a VPN setup at home... unless you want to securely access a computer at home that is always on.
Likewise at work... but sometimes at work (or even at home) you might have other computers (servers) on the LAN that you access from your main machine.
Ask yourself this question:
When away from work or home, do you wish you could plug your computer (probably a laptop) into the network there from the outside?
If your answer is yes, then you would definitely understand the benefits of a VPN, because when you connect to a VPN server, you are essentially (virtually) plugging into the LAN that it serves.
If your answer is no, you may still benefit. It offers a more secure way to access your home or work machine than just forwarding a port to your machine for Remote Desktop. That, though, is a security feature, not a convenience feature.
If you want to set up a VPN at home, check back! I will be covering various options in detail soon. If you want a VPN at work, contact your IT personnel and ask if it's available. If you work in a small company or are in a position to set it up yourself, you may try some of the options I will cover.
If you are not comfortable doing it yourself, but want to receive the benefits of remote access, I am always happy to assist as an IT consultant, just contact me!
ipconfig and ipconfig /all explained
This is a simple and straightforward blog post. I'm going to assume that if you want to know what these entries mean, you already have a reason to run these commands:
ipconfig (Windows)
ipconfig /all (Windows)
Click Start, then Run. In the dialog box, type in "cmd" or "command", hit enter.
In the command window, type "ipconfig" and hit enter:
C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lv.cox.net
   IP Address. . . . . . . . . . . . : 10.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.2
For extended information, use "ipconfig /all" instead:
C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : vbox01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lv.cox.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lv.cox.net
   Description . . . . . . . . . . . : AMD PCNT Family PCI Ethernet Adapter
   Physical Address. . . . . . . . . : 08-00-27-16-E7-B2
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.2
   DHCP Server . . . . . . . . . . . : 10.0.2.2
   DNS Servers . . . . . . . . . . . : 10.0.2.3
   Lease Obtained. . . . . . . . . . : Wednesday, June 10, 2009 3:54:49 PM
   Lease Expires . . . . . . . . . . : Thursday, June 11, 2009 3:54:29 PM
This is what the important parts of all that mean:
Host name:
This is the host name. This name is configurable, and is selected typically when the machine is first setup for use. This name can be used by other machines on the network to access this host. In my case, this was "vbox01".
Connection-specific DNS Suffix:
This is the DNS suffix handed to this adapter (usually by the DHCP server); Windows appends it to unqualified names you look up. It typically gives you a clue about what type of connection you are on (here, my ISP's), but it is rarely needed for troubleshooting. In my case, it is "lv.cox.net".
Description:
This is a description of the Network Adapter. In my case it is "AMD PCNT Family PCI Ethernet Adapter".
Physical Address:
This is the MAC address of the above-mentioned network adapter. It is meant to be a unique identifier for the hardware, and the DHCP server normally keys your lease on it. Note that it is set by the adapter driver and can be changed, so never treat it as proof of identity. In my case, it is "08-00-27-16-E7-B2".

Dhcp Enabled:
This is pretty straightforward. Is DHCP enabled or not? If it is enabled, your IP is dynamic (leased from a DHCP server). If it is not, it is static.

Autoconfiguration Enabled:
If DHCP is enabled but no DHCP server answers, Windows falls back to a self-assigned 169.254.x.x address (APIPA). Seeing 169.254.x.x as your IP address almost always means the DHCP server could not be reached.

IP Address:
This is your computer's IP address. Note that this can differ from the address your ISP assigned you. Read up on NAT (covered below) if you want more info on that subject.
Subnet Mask:
The subnet mask is a complicated thing to explain briefly. It marks which part of the address identifies the network and which part identifies the host. The bottom line is that if you want two machines on a LAN to communicate with each other without going through a router, they need to be in the same subnet, which usually means their subnet masks match and the network portion of their addresses is the same. There are exceptions to this rule.
Default Gateway:
The default gateway is the IP address of the device that forwards your traffic toward other networks, including the Internet. In a typical home connection, this is the IP address of your router. Usually entering this IP address in a browser (http://IP Address) will result in a login prompt for your router configuration.
DHCP Server:
This is the IP address of the device responsible for assigning you an IP address, unless you are using a static IP. In a typical home connection, this is your router, so it is usually the same address as the default gateway (as it is here).
DNS Servers:
This is the IP address of the device responsible for translating domain names into IP addresses. I get into more detail about this in my post on DNS below.
Lease Obtained:
IP addresses assigned by a DHCP server have a lease time. This can be anywhere from a minute to weeks, months, or even years, depending entirely on the configuration of the DHCP server. The "Lease Obtained" entry shows when the current lease was granted.
Lease Expires:
The "Lease Expires" entry shows when the lease is due to expire. The client normally tries to renew well before then (typically at half the lease time) and usually keeps the same address, but after this date the address assigned to you by the DHCP server may change.
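As an added example (my own code, not part of the original post), here is a small parser for the ipconfig /all output format described above, followed by a function that derives the facts the post reads off by eye: whether the address is dynamic or static, whether it is an APIPA fallback, how long the lease is, and whether the DHCP server is the gateway. The embedded sample is the post's own output; the function names are mine.

```python
# Added example, not from the original post: parse "ipconfig /all" output into
# per-adapter fields and summarize the security-relevant ones. The SAMPLE text
# reproduces the output shown in the post; function names are my own.
import re
from datetime import datetime

SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : vbox01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lv.cox.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lv.cox.net
   Description . . . . . . . . . . . : AMD PCNT Family PCI Ethernet Adapter
   Physical Address. . . . . . . . . : 08-00-27-16-E7-B2
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.2
   DHCP Server . . . . . . . . . . . : 10.0.2.2
   DNS Servers . . . . . . . . . . . : 10.0.2.3
   Lease Obtained. . . . . . . . . . : Wednesday, June 10, 2009 3:54:49 PM
   Lease Expires . . . . . . . . . . : Thursday, June 11, 2009 3:54:29 PM
"""

# "Ethernet adapter Local Area Connection:" starts a new adapter section.
ADAPTER = re.compile(r"^(?P<name>\S.*adapter .*):$")
# "   Key . . . . : value" -- Windows always puts a space before the colon,
# which keeps IPv6 values on continuation lines (fe80::...) from matching.
FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z \-]*?)[ .]* :\s?(?P<value>.*)$")
LEASE_FMT = "%A, %B %d, %Y %I:%M:%S %p"


def parse_ipconfig(text):
    """Return {section_name: {field: [values]}}; multi-line fields (several DNS
    servers) collect their continuation lines into the list."""
    sections = {"Windows IP Configuration": {}}
    current = sections["Windows IP Configuration"]
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER.match(line)
        if m:
            current = sections.setdefault(m.group("name"), {})
            last_key = None
            continue
        m = FIELD.match(line)
        if m:
            last_key = m.group("key").strip()
            value = m.group("value").strip()
            current[last_key] = [value] if value else []
            continue
        if last_key is not None and line.startswith(" "):
            current[last_key].append(line.strip())  # continuation value
    return sections


def _first(fields, key):
    values = fields.get(key) or []
    return values[0] if values else ""


def summarize_adapter(fields):
    """Derive the facts the post reads off by eye from one adapter's fields."""
    dhcp = _first(fields, "Dhcp Enabled").lower() == "yes"
    address = _first(fields, "IP Address")
    summary = {
        "address": address,
        "mask": _first(fields, "Subnet Mask"),
        "gateway": _first(fields, "Default Gateway"),
        "addressing": "dynamic (DHCP)" if dhcp else "static",
        "apipa": address.startswith("169.254."),  # DHCP server never answered
        "dns_servers": fields.get("DNS Servers", []),
    }
    if dhcp:
        obtained = datetime.strptime(_first(fields, "Lease Obtained"), LEASE_FMT)
        expires = datetime.strptime(_first(fields, "Lease Expires"), LEASE_FMT)
        summary["lease_seconds"] = int((expires - obtained).total_seconds())
        summary["gateway_is_dhcp_server"] = (
            _first(fields, "Default Gateway") == _first(fields, "DHCP Server"))
    return summary


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE)
    print(summarize_adapter(cfg["Ethernet adapter Local Area Connection"]))
```

The lease in the sample is one day minus twenty seconds (86380 seconds); a lease that short on a home router is normal, but an APIPA address or a gateway that is not the DHCP server is the kind of thing this summary makes obvious during triage.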
DNS: Hostname vs. IP Address
Definitions:
- DNS: Domain Name System
- Hostname: A unique name for a device; this name is how a host is found on a network in lieu of an IP address.
- IP Address: A numerical ID of a device connected to a network.
There are a lot of resources on the Internet that will give you more detail. Here are the facts.
- Every device on a network is assigned an IP address if it is to communicate with another device on a similar network.
- IP Addresses are harder for humans to remember, so devices like your home PC typically have a hostname.
- DNS translates domain names to IP addresses, since yahoo.com is easier for a human to remember and type than "209.191.93.53".
For yahoo.com to point to an IP address, your machine has to be a DNS client (which it probably is), and the DNS server it connects to must know that when your machine is requesting "yahoo.com", that it really wants "209.191.93.53".
This is like telling your phone "Call Mom" and it knows to dial "702-555-0452".
That's the most basic way I can think to explain it. If you need more details, the links above should more than fulfill your needs to learn more about the subject.
Auditing open ports with Nmap
Nmap is a very useful audit tool which can give you a glimpse into what a hacker might see when he/she is trying to get into your network. My favorite feature of Nmap is its ability to scan the ports on a specific host.
Nmap is available here:
http://nmap.org/
It is also easily available on Ubuntu:
sudo apt-get install nmap
I prefer to use the command based version, although the GUI version, Zenmap, is very useful as well.
There isn't much to show, but when you are setting up a machine or network that communicates with the Internet, it can be very important to know exactly what can be done from the outside. A typical Linksys home router doesn't have open ports on its Internet side unless you go in and open them. Some routers, like one particular model available via Verizon, have a fishy port open that suggests the router can be accessed by an unknown party (either at Verizon or at the router manufacturer); if that access falls into the wrong hands, BAD things can happen (like identity theft).
Here are some examples.
I went to a popular public encyclopedia site, visited an article of my choice, and checked the revision history. In the revision history of this particular site, a list of the last people who edited the article is available. Those users who do not have an account are listed by IP address instead. This is dangerous. I picked one of these IPs and came up with the following results:
C:\>nmap 89.17[SNIPPED]

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-29 15:35 Pacific Daylight Time
Interesting ports on [SNIPPED] (89.17[SNIPPED]):
Not shown: 998 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
4006/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 12.20 seconds
Nmap reports two ports on this host, 21 and 4006, as "filtered" rather than "open": it got no answer to the probes, which usually means a firewall dropped them, so nmap cannot tell on its own whether anything is listening behind it. 21 is the port typically used by FTP. I found out that at that hostname, using an FTP client, I was prompted for a login. Now, if I were a hacker, I could perform many attacks, such as a brute-force attack, to get into this poor guy's system.
Another example:
I pointed nmap to a domain name which will remain anonymous for the sake of security. This is what I found:
C:\>nmap [SNIPPED].com

Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-29 15:44 Pacific Daylight Time
Interesting ports on [SNIPPED] ([SNIPPED]):
Not shown: 986 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
110/tcp  open   pop3
143/tcp  open   imap
443/tcp  open   https
587/tcp  closed submission
1935/tcp closed rtmp
3389/tcp open   ms-term-serv
8084/tcp closed unknown
8085/tcp closed unknown
9998/tcp open   unknown
9999/tcp open   abyss

Nmap done: 1 IP address (1 host up) scanned in 18.27 seconds
Wow. At first glance, I can tell you this host has an FTP server, an SMTP server for sending email, a website, POP3 and IMAP servers for receiving email, and Windows Remote Desktop available, because port 3389 is open. If I put this particular domain into an RDP client, I am prompted with a Windows Server 2003 R2 login, and can see the server's hostname as well as the name of the domain. That is a lot of potentially dangerous information for anyone to see!
Furthermore, those ports 9998 and 9999... I put those into my web browser (http://[domainname].com:9998, http://[domainname].com:9999) and I was prompted for logins to various web services, each of which may have its own vulnerabilities.
This is scary. If I were the admin of this domain, I would audit myself and make sure things like this aren't visible from the outside wherever possible.
It is good practice, in my opinion, to reduce the number of open ports as much as you possibly can.
Instead of exposing port 3389 for Remote Desktop, try opening port 1723 for a VPN (a PPTP VPN also needs GRE, IP protocol 47, let through) and using that to reach Remote Desktop. Alternatively, you could open port 22 for SSH and tunnel it through there. One caveat: PPTP's MS-CHAPv2 authentication has since been broken and PPTP is no longer considered secure, so if you have the choice, use a modern VPN (OpenVPN or IPsec) or the SSH option.
There are a lot of options. Unfortunately, sometimes the best security practices are put aside for the convenience of the end user. This is why it is important to educate your users.
One of my best clients has a domain name, and we run a web server, FTP, email, and VPN. So, we can't help but have ports 21, 25, 26 (for alternative SMTP), 80, 110, 143, and 1723 open. Anyone can use nmap to see that these are open, so I've focused security efforts on ensuring that the services actually listening on these ports are configured correctly to not allow unauthorized access, some with multiple layers of authentication. If he or his users need Remote Desktop, they must log in through the VPN first, then open their RDP session (two layers of authentication).
My home connection has one port open: 22. Everything is done through SSH. In my earlier days, I used to have plenty of ports open, something obscure like 13024 which would forward to 3389 on my PC for Remote Desktop, and various other ports forwarding to other services/machines. The idea was that I was picking non-standard ports so nobody would look there... WRONG. A full-range scan (nmap -p-) finds them in minutes.
I encourage you, give nmap a try. Point it at your home IP from another connection if you can. If you see some open ports, google them and see how you can secure them or just close them completely with a firewall. Don't leave open doors to your network if you can avoid it!
If you must access your private network, and do not have public services like email or web running, I strongly encourage you to use a VPN or SSH with a proxy. I will cover these topics in other postings as time permits.
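As an added example (my own code, not from the original post or from the Nmap project), here is a parser for nmap's normal output of the kind shown above, plus an audit step that compares the open ports against an allow-list of the services a host is meant to expose. The embedded sample is the post's second scan; the allow-list is the one the post gives for the client's server, and the risk notes are mine.

```python
# Added example, not from the original post or from Nmap: parse nmap's normal
# output and audit the open ports against an allow-list. NMAP_OUTPUT is the
# post's second scan (hostname redacted as in the post); ALLOWED is the list of
# ports the post says its client must expose; RISK_NOTES are my own.
import re

NMAP_OUTPUT = """\
Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-29 15:44 Pacific Daylight Time
Interesting ports on [SNIPPED] ([SNIPPED]):
Not shown: 986 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
110/tcp  open   pop3
143/tcp  open   imap
443/tcp  open   https
587/tcp  closed submission
1935/tcp closed rtmp
3389/tcp open   ms-term-serv
8084/tcp closed unknown
8085/tcp closed unknown
9998/tcp open   unknown
9999/tcp open   abyss
Nmap done: 1 IP address (1 host up) scanned in 18.27 seconds
"""

# "21/tcp   open   ftp" -- the composite states must precede their prefixes.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|unfiltered|open|closed|filtered)\s+"
    r"(?P<service>\S+)")


def parse_nmap(text):
    """Return {(port, proto): (state, service)} from nmap's normal output."""
    results = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            results[(int(m.group("port")), m.group("proto"))] = (
                m.group("state"), m.group("service"))
    return results


# What the post's client intends to expose: web, FTP, mail and a PPTP VPN.
ALLOWED = {21, 25, 26, 80, 110, 143, 1723}
RISK_NOTES = {
    3389: "RDP reachable directly; put it behind the VPN or SSH instead",
    21: "FTP sends credentials in the clear; prefer SFTP or restrict by source",
    23: "Telnet: plaintext logins",
}


def audit(results, allowed=ALLOWED):
    """Bucket the scan into expected/unexpected open ports and unresolved ones."""
    report = {"expected": [], "unexpected": [], "filtered": [], "notes": {}}
    for (port, proto), (state, service) in sorted(results.items()):
        if state == "open":
            bucket = "expected" if port in allowed else "unexpected"
            report[bucket].append((port, proto, service))
            if port in RISK_NOTES:
                report["notes"][port] = RISK_NOTES[port]
        elif state in ("filtered", "open|filtered", "closed|filtered"):
            # No answer at all: nmap cannot say whether a service is behind the
            # firewall, so verify by hand (as the post did with its FTP client).
            report["filtered"].append((port, proto, service))
    return report


if __name__ == "__main__":
    for bucket, entries in audit(parse_nmap(NMAP_OUTPUT)).items():
        print(bucket, entries)
```

Run against the post's scan, 443, 53, 3389, 9998 and 9999 land in the "unexpected" bucket: 443 is probably intended and just missing from the allow-list, which is exactly the point of keeping one written down, while 3389 and the two unknown web services are the findings the post worries about.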
Firewalls and Ports
I think there seems to be a big lack of understanding of what ports are and why they matter. First, you may be asking: what do you mean by "port"?
If you've ever taken a look at the back of your PC (or Mac, whatever; for the purposes of this article I will use the term "PC"), or even at the sides or back of your laptop, you notice that there are a lot of I/O (Input/Output) ports. These are not the ports I'm talking about. Those are physical ports on your PC.
I'm talking about the TCP and UDP ports that you may not know exist within the protocols your computer's network stack uses. A port number is a 16-bit field, so there are 65536 of them, numbered 0-65535. The reason for the odd-looking upper limit becomes apparent when you realize that 65535 is the decimal form of the 16-bit binary number 1111111111111111; also, computers start counting from 0, not from 1 like most humans.
So, when a data packet is sent over TCP or UDP, it carries a source port and a destination port number, and the destination port tells the receiving host which service the packet is for. Here is a list of typical ports.
One of the ways that firewalls restrict communications is by blocking ports. More advanced firewalls will also restrict by IP protocol (e.g., GRE, protocol 47, which a Windows PPTP VPN needs), source/destination IP address, connection state, etc.
If you begin to attempt to access private networks remotely, it will become important that you understand what ports do, how to forward them, and why you need to do that. You will also need to have a general understanding of Network Address Translation, or NAT.
NAT …what is it?
Before beginning to understand Network Address Translation, it is important to understand IP addressing. Each computer on an IP network is assigned an IP address. IPv4 addresses always fall within this range:
Decimal:
0.0.0.0 - 255.255.255.255
Binary:
00000000.00000000.00000000.00000000 - 11111111.11111111.11111111.11111111
Each octet of an IP address usually has a specific meaning. In a typical home network with a subnet mask of 255.255.255.0, the first three octets identify the network and the last octet identifies the host; it is the subnet mask that decides where that split falls. I won't get into too much detail about this, since it is not the scope of this article. Wikipedia has a good article that talks about this: Subnetwork.
As you can probably tell, there is a fixed number of IP addresses available between 0.0.0.0 and 255.255.255.255: 2^32, or about 4.3 billion. That is a LOT, but there are MANY more devices that need IP addresses than are available here.
So, Network Address Translation was created. NAT allows one IP address which is visible from the Internet to be shared among many devices. This is VERY typical.
For your home network, you likely have one single IP address assigned to you by your ISP. If you want more than one IP, you will likely have to pay more than you are paying. In a typical home connection, you have some sort of device that acts as a router. It used to be typical for the ISP to provide an end user with a modem, and then the end user could purchase a home router to "split" (share) that connection among more than one device.
So this is how it would work. If you plug your PC into your modem, you would be assigned the Internet IP that is given to you by your ISP. If you plug your PC into a router, which is then plugged into the modem, your PC would be assigned an IP like this: 192.168.1.100.
The 192.168.1.100 IP is the IP that your router gave you. The router then is using the ISP's IP to get to the Internet. This is no different than a main phone line and a phone extension.
Here, I'll give you an example. Say you are using a Windows PC. Go to the following website:
WhatIsMyIP
Look at the IP, this is your Internet IP.
Now, go to your Start menu and click Run. Type in "cmd", hit Enter. Now, in the command window, type "ipconfig" and look at the IP address there.
It's different.
The IP address in your command window is the local IP that your PC has. The IP from whatismyip.com is the IP that your ISP provided, and is the IP that entities outside your home network would typically see (although some applications and protocols carry the local IP inside their own data, so it is not truly hidden).
Think of the local IP as a phone extension, and the Internet IP as the phone number.
Think of your router as a receptionist!
When a request comes in from the Internet to your home IP, say 72.193.22.49 (for example), it arrives at the router. The router then must look at the packet, recognize where it needs to go (based on the connection it belongs to, or on a port-forwarding rule you have set up), and forward it on to your local IP of 192.168.1.100 (for example).
Now, you may be wondering why your local IP starts with 192.168, or 172.16, or 10.0... etc. Here is why. The following ranges of IP addresses (reserved by RFC 1918) are only used for local (private) networks and are not routed on the public Internet. ISPs will not assign you a public IP address within these ranges, making them safe to use however you wish on your own network:
192.168.0.0 - 192.168.255.255
172.16.0.0 - 172.31.255.255
10.0.0.0 - 10.255.255.255
If you are looking at an IP address that falls within any of those ranges, you are dealing with a local IP on a private (not the Internet) network. Someone from outside your network will NOT be able to use that IP address to reach you, unless you have a VPN or something similar set up, or have deliberately forwarded a port on your router to that machine.
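To show the "receptionist" behaviour in working code, here is an added example (my own, not from the original post) of a toy NAT router: it rewrites outbound packets to the public address and a tracked port, delivers inbound packets only when they match a tracked flow or a static port forward, and drops everything else, which is why a 192.168.x.x address cannot be reached from outside unless something was forwarded. The class, the addresses and the ports are constructed for illustration.

```python
# Added example, not from the original post: a toy NAT router that behaves like
# the "receptionist" in the text. All addresses and ports are constructed.
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # next free public port
        self.table = {}     # public_port -> (private_ip, private_port), tracked flows
        self.reverse = {}   # (private_ip, private_port) -> public_port
        self.forwards = {}  # static port forwards: public_port -> (private_ip, port)

    def forward_port(self, public_port, private_ip, private_port):
        """The 'open a port' rule from the router's admin page."""
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, pkt):
        """LAN -> Internet: replace the private source with the public IP and a
        port the router remembers, so the reply can be matched later."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            public_port = next(self._ports)
            self.reverse[key] = public_port
            self.table[public_port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.reverse[key])

    def inbound(self, pkt):
        """Internet -> LAN: deliver only replies to tracked flows or packets to a
        forwarded port; return None for anything dropped."""
        if pkt.dst_ip != self.public_ip:
            return None  # a private destination is not routable from outside
        target = self.table.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None  # unsolicited: the LAN host stays invisible
        # Simplification: a real NAT also checks the remote endpoint matches the
        # tracked flow, so a stranger cannot piggyback on an open mapping.
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


if __name__ == "__main__":
    router = NatRouter("72.193.22.49")
    out = router.outbound(Packet("192.168.1.100", 51000, "209.191.93.53", 80))
    print(out)                                   # source is now 72.193.22.49:40000
    print(router.inbound(Packet("209.191.93.53", 80, "72.193.22.49", 40000)))
    print(router.inbound(Packet("203.0.113.9", 5555, "192.168.1.100", 3389)))  # None
```

The last call is the point of the section: a packet addressed straight to 192.168.1.100 from the Internet goes nowhere, and one addressed to the public IP on an arbitrary port is dropped unless a forward exists, which is also why the obscure-port forwarding described in the nmap post above is still a door once found.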