In my last story (https://isc.sans.edu/forums/diary/Finding+the+Real+Last+Patched+Day+Interim+Version/28610/), I talked about pulling patch descriptions from the MS portal using Invoke-WebRequest. This worked great on my test machine (said every developer ever), but the next day when I tried it on a different client's domain, I got this error for every call of Invoke-WebRequest:
Invoke-WebRequest : The underlying connection was closed: An unexpected error occurred on a send.
A quick nmap scan of the target site confirms that the MS update catalogue site is TLS 1.2 only, with support for only 4 ciphers:
nmap -Pn -sT -p443 -sV www.catalog.update.microsoft.com --script ssl-enum-ciphers
PORT STATE SERVICE VERSION
Note that nmap's grading is a bit generous in this case; ssllabs.com finds that two of these four should not get an "A" grade:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
Anyway, since I can't fix the MS Catalogue site, my solution was to temporarily fix the current instance of PowerShell and permit other TLS versions and ciphers. I added this to the start of the script to expand the SSL/TLS options available to my script:
# Add TLS 1.0, 1.1 and 1.2 to the protocol versions this PowerShell process will offer
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12
This sets the SecurityProtocol property of the .NET ServicePointManager, which controls the TLS versions the .NET HTTP stack will offer. Windows PowerShell 5.1 defaults this to Ssl3, Tls (that is, SSL 3.0 and TLS 1.0 only), so a server that accepts nothing below TLS 1.2 closes the handshake and you get the "underlying connection was closed" error above. Changing it fixes the situation for Invoke-WebRequest, Invoke-RestMethod and any other operation you may need that uses TLS through that stack. One caveat: this setting selects protocol versions only; the cipher suites offered inside each version come from the operating system's Schannel configuration, so a cipher mismatch can't be fixed from here. Note that for this particular case I've enabled all of TLS 1.0, 1.1 and 1.2 when for this job, only some ciphers in TLS12 were needed - but for me, if I'm going to keep a hammer like this laying around, I want it to WORK the next time (and every time) too :-). Enabling all of the options isn't the most elegant or most perfect solution, but it's a solution I won't have to come back and fix again later. Plus it's only enabled for the process that called it - in this case my script (the setting is process-wide, so it also applies to anything else that runs in that same PowerShell session until it exits).
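The two pieces below are an added example and are not code from the original diary. The first reproduces the nmap finding from PowerShell itself by asking the server to negotiate each TLS version in turn; the second applies the SecurityProtocol change for a single call and then restores the process-wide value, instead of leaving TLS 1.0/1.1 switched on for the rest of the session. It assumes Windows PowerShell 5.1 on .NET Framework (in PowerShell 7, Invoke-WebRequest has its own -SslProtocol parameter and does not honour ServicePointManager), and the usage lines need network access to the catalogue host named in the diary. The function names Test-TlsProtocol and Invoke-WithTlsProtocol are my own.

```powershell
# Added example, not from the original diary. Assumes Windows PowerShell 5.1 / .NET Framework.

function Test-TlsProtocol {
    # Try one TLS handshake per requested version and report whether the server accepted it.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # 'Ssl3' or 'Tls13' can be added where the local runtime and OS know them
        [System.Security.Authentication.SslProtocols[]] $Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ssl    = $null
        try {
            $client.Connect($HostName, $Port)
            # Accept any certificate: the question is whether the handshake for this
            # version completes, not whether the chain validates.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            [pscustomobject]@{
                Requested  = $proto
                Supported  = $true
                Negotiated = $ssl.SslProtocol
                Cipher     = '{0}-{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
                Error      = $null
            }
        } catch {
            # A failure here means either the server refused this version or the local
            # Schannel policy would not offer it; the message usually says which.
            [pscustomobject]@{
                Requested  = $proto
                Supported  = $false
                Negotiated = $null
                Cipher     = $null
                Error      = $_.Exception.GetBaseException().Message
            }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Dispose()
        }
    }
}

function Invoke-WithTlsProtocol {
    # Run a script block with an extra protocol version enabled, then put the old value back.
    param(
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [System.Net.SecurityProtocolType] $Protocol = 'Tls12'
    )
    # ServicePointManager.SecurityProtocol is process-wide, so save and restore it rather
    # than leaving older versions enabled for everything else in the session.
    $previous = [System.Net.ServicePointManager]::SecurityProtocol
    try {
        [System.Net.ServicePointManager]::SecurityProtocol = $previous -bor $Protocol
        & $ScriptBlock
    } finally {
        [System.Net.ServicePointManager]::SecurityProtocol = $previous
    }
}

# Usage: confirm which versions the catalogue site accepts, then fetch a page with only TLS 1.2 added
Test-TlsProtocol -HostName www.catalog.update.microsoft.com | Format-Table -AutoSize
$page = Invoke-WithTlsProtocol -ScriptBlock {
    Invoke-WebRequest -Uri 'https://www.catalog.update.microsoft.com/' -UseBasicParsing
}
$page.StatusCode
```

The probe reports the one cipher suite negotiated for each version rather than the full list nmap enumerates, which is enough to tell "server is TLS 1.2 only" from "my client never offered TLS 1.2". For the fix itself, adding only Tls12 (and Tls13 on .NET Framework 4.8 with an OS that supports it) is the narrower choice: TLS 1.0 and 1.1 are deprecated, and a session that has them switched on will happily negotiate them with any server that still allows it.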
My take-aways from this:
Have you needed to dive into different dotnet functions to make a script work or to call a function that isn't in PowerShell yet? Please, share in our comment section, enquiring minds want to know!
May 12th 2022