OVH Windows Hyper-V Server 2019

[Asphyxia]

Follow this video here first:

Copy these snippets as needed..

SERVER COMMANDS - Navigate to your Command Prompt and type "powershell" [enter] first.

Find your IP from Netstat, but the next command is more automatic.

netstat -nabo | findstr 3389 | findstr EST

$rdpIP = netstat -nabo | findstr 3389 | findstr EST | ForEach-Object { $_.split(" ")[10] } | ForEach-Object { $_.split(":")[0] }
$rdpIP
#Make sure there is only one IP listed above and it is yours.
#If not, wait a minute and try again, some a-hole bot was probably trying to hack you.
#For example, https://ipinfo.io/45.141.84.44 tried hacking into mine...

If you see two IP addresses pulled from active RDP connections, do not whitelist with the next command. Otherwise, carry on!

New-NetFirewallRule -Name Allow$rdpIP -DisplayName 'Allow from myself' -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress $rdpIP

Cool trick to get your server IP:

ipconfig | findstr "v4" | ForEach-Object { $_.split(":")[1] } | %{$_.Trim()}

According to this here, Microsoft recommends.

#On the Hyper-V host to be managed, open a Windows PowerShell session as Administrator.
#Create the necessary firewall rules for private network zones:
Enable-PSRemoting
#To allow remote access on public zones, enable firewall rules for CredSSP and WinRM:
Enable-WSManCredSSP -Role server
#

For details, see Enable-PSRemoting and Enable-WSManCredSSP.

The server should be ready to go, for sure.

---

The client also requires some specific configurations like this:
Open a Windows PowerShell session as Administrator.


Make sure your current network profile is set to private, simply copy/paste:

$myNetAlias = Get-NetConnectionProfile | findstr "Alias" | ForEach-Object { $_.split(":")[1] } | %{$_.Trim()}
Set-NetConnectionProfile -InterfaceAlias $myNetAlias -NetworkCategory Private
#Time to start WinRM temporarily
Start-Service -Name winrm
#Get your list of TrustedHosts
Get-Item WSMan:\localhost\Client\TrustedHosts
#Now set this to allow everything
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*"
Stop-Service -Name winrm

Open gpedit.msc


Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Credentials Delegation

Enable "Allow delegating fresh credentials"
Enable "Allow delegating fresh credentials with NTLM-only server..."


In both of the above policy settings you enabled, add this:


wsman/*

Apply said changes, you should be all set...

Any errors? Let me know right away and I will help!! Just reply to this thread..


Skip the below, don't gaf to work w/ secedit or keep debugging through regedit messin'
---NONE OF THE FOLLOWING WORKS... HINTTTTTTTTTTTTTTTTTT::: SKIP TO THE NEXT POST IN THIS THREAD!! Just mad scientist crap is below on this specific post.. - I GIVE UP, SKIP IT.. should work fine without the below, also not responsible if it breaks ur pc lol ---
Time to edit your silly-stuff just in case, same PowerShell entry area:

#Just read the values, for giggles
Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\
#Setting the values to enable
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\ -Name AllowFreshCredentials -Value 1
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\ -Name ConcatenateDefaults_AllowFresh -Value 1
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\ -Name ConcatenateDefaults_AllowFreshNTLMOnly -Value 1
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\ -Name AllowFreshCredentialsWhenNTLMOnly -Value 1
#Get the TrustedHosts
Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials\
Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\
#Getting pissed off because gpedit/regedit are not showing same values, so I set Wafflescometh in gpedit as value and now searching w/ regedit
#Found at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly
#Matches Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 1
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 2
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 3
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 4
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 5
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 6
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 1 -Value "wsman/*"
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials\ -Name 1
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials\ -Name 2
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials\ -Name 3
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials\ -Name 4
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials\ -Name 5
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials\ -Name 6
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials\ -Name 1 -Value "wsman/*"

Not working, download RSAT:

Download Remote Server Administration Tools for Windows 10 from Official Microsoft Download Center

IMPORTANT: Starting with Windows 10 October 2018 Update, RSAT is included as a set of "Features on Demand" in Windows 10 itself. See "Install Instructions" below for details, and "Additional Information" for recommendations and troubleshooting. RSAT lets IT admins manage Windows Server roles and...

www.microsoft.com

Download version WindowsTH-RSAT_WS_1803-x64.msu or latest - launch - install.

Continue, accept, etc.



You will now have access to..

Group Policy editing, whoo! Turns out this only works if ur actually in a domain, many ppl probably r not lel. Need forest.. AD/DC

$myGuid = (get-wmiobject Win32_ComputerSystemProduct).UUID

...

Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 1
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 2
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 3
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 4
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 5
Remove-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 6
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 1 -Value "wsman/*"


Get-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\
Remove-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 1
Remove-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly\ -Name 2

 

[Asphyxia]

Get your client ready... change IP to your server and NS123 to your server computer name.

$myNetAlias = Get-NetConnectionProfile | findstr "Alias" | ForEach-Object { $_.split(":")[1] } | %{$_.Trim()}
Set-NetConnectionProfile -InterfaceAlias $myNetAlias -NetworkCategory Private
Enable-PSRemoting -SkipNetworkProfileCheck -Force
set winrm/config/client @{TrustedHosts="123.69.127.157"}
$b = New-PSSession 123.69.127.157 -Credential NS123\admin

Now copy wget.exe... make C:\OVH on both client/server

Copy-Item -ToSession $b C:\OVH\wget.exe -Destination C:\OVH\wget.exe

Now you can wget ISO (and other) files into your server more easily/quickly.

Configure your netplan: Configure the 123 to your host server gateway, and 666 to your failover IP. Questions? Ask in a reply.
For perms: sudo su
cd /etc/netplan/
nano 00-installer-config.yaml

# This is the network config written by 'subiquity'
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      dhcp6: no
      addresses: [666.95.47.27/32]
      gateway4: 123.69.127.254
      nameservers:
        addresses: [8.8.8.8,8.8.4.4]
      routes:
      - to: 123.69.127.254/32
        via: 0.0.0.0
        scope: link

Pretty darn amazing, should be working now-ish.

Stop some silly errors:

# sudo rmmod floppy
# echo "blacklist floppy" | sudo tee /etc/modprobe.d/blacklist-floppy.conf
# update-initramfs -u -k all

Feel free to ask about any other distros/distributions of Linux/Windows/whatever, happy to update.

 

[Jackbox]

Open OVH manager (https://ca.ovh.com/manager/dedicated/#/configuration/servers) - yours may be without the [ca.]

Create or manage your dedicated server.

You may watch:

From General Information on your dedi server, find "System (OS)" and click the "..." to change the OS to Windows Hyper-V Server 2019

Wait for completion

Find your email in https://ca.ovh.com/manager/dedicated/#/useraccount/emails

Open an email like: [admin@YOUR-SITE.net] [ns12345.ip-1-2-3.net] Installation of your dedicated server

Find

{{{
Your server OS is : Windows Hyper-V Server 2019

The account "admin" has been configured (access to server via Remote Desktop)

Password can be retrieve at this url : https://www.ovh.com/secret-as-a-service-ui/#!/secret-retrieve?id=nnn-hash-is-here-or-token

Server ip is : 1.2.3.4
}}}

1. Copy your IP to a notepad of sorts, you will be using this.

2. Open your password link and copy this somewhere important like LastPass, KeePass, or whatever you store passwords in (Bitwarden and Passwordstate are cool)!

---

Now you have something like this
{{{
1.2.3.4
admin
Myp4ssisherej124kjk43
}}}

You can now connect into your server using Remote Desktop Connection, right from Windows.

Run PowerShell as an administrator while you are connected to Remote Desktop to your server:
netstat -nabo | findstr 3389 | findstr EST

... very damn cool.

Just follow all instructs from here:

OVH Windows Hyper-V Server 2019

Follow this video here first: Copy these snippets as needed.. SERVER COMMANDS - Navigate to your Command Prompt and type "powershell" [enter] first. Find your IP from Netstat, but the next command is more automatic. netstat -nabo | findstr 3389 | findstr EST $rdpIP = netstat -nabo |...

ciphers.pw

... making video on this soon way more simplified.

 

[Jackbox]

Deploying email service in a moment

:
.\wget.exe https://releases.ubuntu.com/20.04/u...01.2038363948.1593148716-327011882.1593148716 --no-check-certificate

very fun haha

 

[Jackbox]

1.
Open OVH manager (https://ca.ovh.com/manager/dedicated/#/configuration/servers) - yours may be without the [ca.]
Create or manage your dedicated server.

-----

2.
From General Information on your dedi server, find "System (OS)" and click the "..." to change the OS to Windows Hyper-V Server 2019

Wait for completion

Find your email in https://ca.ovh.com/manager/dedicated/#/useraccount/emails

Open an email like: [admin@YOUR-SITE.net] [ns12345.ip-1-2-3.net] Installation of your dedicated server

Find

{{{
Your server OS is : Windows Hyper-V Server 2019

The account "admin" has been configured (access to server via Remote Desktop)

Password can be retrieve at this url : https://www.ovh.com/secret-as-a-service-ui/#!/secret-retrieve?id=nnn-hash-is-here-or-token

Server ip is : 1.2.3.4
}}}

1. Copy your IP to a notepad of sorts, you will be using this.

2. Open your password link and copy this somewhere important like LastPass, KeePass, or whatever you store passwords in (Bitwarden and Passwordstate are cool)!

---

Now you have something like this
{{{
1.2.3.4
admin
Myp4ssisherej124kjk43
}}}

You can now connect into your server using Remote Desktop Connection, right from Windows.

-----

3.
On the server-side via RDP (Remote Desktop) within PowerShell (as Admin permission)

$rdpIP = netstat -nabo | findstr 3389 | findstr EST | ForEach-Object { $_.split(" ")[10] } | ForEach-Object { $_.split(":")[0] }
$rdpIP
#Make sure there is only one IP listed above and it is yours.
#If not, wait a minute and try again, some a-hole bot was probably trying to hack you.
#For example, https://ipinfo.io/45.141.84.44 tried hacking into mine...

Now this one:

#On the Hyper-V host to be managed, open a Windows PowerShell session as Administrator.
#Create the necessary firewall rules for private network zones:
Enable-PSRemoting
#To allow remote access on public zones, enable firewall rules for CredSSP and WinRM:
Enable-WSManCredSSP -Role server
#
New-NetFirewallRule -Name Allow$rdpIP -DisplayName 'Allow from myself' -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress $rdpIP

-----

4.
The client also requires some specific configurations like this:
Open a Windows PowerShell session as Administrator.

$myNetAlias = Get-NetConnectionProfile | findstr "Alias" | ForEach-Object { $_.split(":")[1] } | %{$_.Trim()}
Set-NetConnectionProfile -InterfaceAlias $myNetAlias -NetworkCategory Private
#Time to start WinRM temporarily
Start-Service -Name winrm
#Get your list of TrustedHosts
Get-Item WSMan:\localhost\Client\TrustedHosts
#Now set this to allow everything
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*"
Stop-Service -Name winrm

Open gpedit.msc

Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > Credentials Delegation

Enable "Allow delegating fresh credentials"
Enable "Allow delegating fresh credentials with NTLM-only server..."

In both of the above policy settings you enabled, add this:

wsman/*

Apply said changes, you should be all set...

Switch out YOUR_SERVER_IP and YOUR_SERVER_HOSTNAME with your Hyper-V server's IP and hostname.
Hint: Within server-side cmd/PowerShell type hostname.

$myNetAlias = Get-NetConnectionProfile | findstr "Alias" | ForEach-Object { $_.split(":")[1] } | %{$_.Trim()}
Set-NetConnectionProfile -InterfaceAlias $myNetAlias -NetworkCategory Private
Enable-PSRemoting -SkipNetworkProfileCheck -Force
set winrm/config/client @{TrustedHosts="YOUR_SERVER_IP"}
$b = New-PSSession YOUR_SERVER_IP -Credential YOUR_SERVER_HOSTNAME\admin

For some extra help just do this to get the info (inside RDP)

ipconfig | findstr IPv; hostname

Now on both client-side and server-side mkdir C:\OVH

Copy latest 64-bit exe from https://eternallybored.org/misc/wget/ to your C:\OVH on the client-side, then issue:

Copy-Item -ToSession $b C:\OVH\wget.exe -Destination C:\OVH\wget.exe

Keep in mind this is using the prior command, expecting $b to have an open PowerShell session.

From the server-side proceed like:

cd C:\OVH
.\wget.exe https://releases.ubuntu.com/20.04/ubuntu-20.04-live-server-amd64.iso?_ga=2.142538801.2038363948.1593148716-327011882.1593148716 --no-check-certificate

Keep in mind I found this Ubuntu ISO download from https://ubuntu.com/download/server - once you click the Download (green) button, you will notice a direct link.



Copy this and use in the above .\wget.exe call!

You may now have to rename the Ubuntu ISO file like this:

ren C:\OVH\ubuntu{PRESS_TAB_FOR_AUTOCOMPLETE} C:\OVH\ubuntu.iso

Now you should be able to create a new Ubuntu VM from this.

Configure your netplan: Configure the 123 to your host server gateway, and 666 to your failover IP. Questions? Ask in a reply.
For perms: sudo su
cd /etc/netplan/
nano 00-installer-config.yaml

# This is the network config written by 'subiquity'
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      dhcp6: no
      addresses: [666.95.47.27/32]
      gateway4: 123.69.127.254
      nameservers:
        addresses: [8.8.8.8,8.8.4.4]
      routes:
      - to: 123.69.127.254/32
        via: 0.0.0.0
        scope: link

After you have this config modified, you need to apply this config:

sudo netplan --debug generate
sudo netplan apply

If you get some random Ubuntu errors, this can fix:

# sudo rmmod floppy
# echo "blacklist floppy" | sudo tee /etc/modprobe.d/blacklist-floppy.conf
# update-initramfs -u -k all

 

[Jackbox]

Eventually where I plan to take this is along the route of hardening the Hyper-V to only talk with OVH (internal infrastructure networking) and the administrator(s). Inspiration is available from http://www.potentengineer.com/adding-custom-rdp-port-to-windows-firewall-via-powershell/ on changing default RDP and having firewall exception to whitelist an IP.

End-game is when I can Nmap the Hyper-V main server and see jack sh**.

---

Okay, dev time. Does the Hyper-V server have .NET installed?

Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse |
Get-ItemProperty -name Version,Release -EA 0 |
Where { $_.PSChildName -match '^(?!S)\p{L}'} |
Select PSChildName, Version, Release

Let's see results..



Not happy with the version(s)?

Not a big deal:

try {
    #As of July 2, 2020 I fetched the latest recommended fwlink from https://dotnet.microsoft.com/download/dotnet-framework/
    $dotNetURL = "http://go.microsoft.com/fwlink/?LinkId=2085155"

    Invoke-WebRequest -Uri $dotNetURL -OutFile LatestVersionOfDotNet.exe
    Start-Process "./LatestVersionOfDotNet.exe" -ArgumentList "/passive /norestart /SkipMSUInstall" -Wait -Passthru
}
catch {
    Write-Output $_.Exception.Message
}

OBSOLETE USE THE ONE ABOVE!! Using the one below will give you an older version if it even works.

try {
    #Currently I have this pointed at .NET 4.7.2
    $dotNetURL = "http://go.microsoft.com/fwlink/?LinkId=863262"

    Invoke-WebRequest -Uri $dotNetURL -OutFile LatestVersionOfDotNet.exe
    ./LatestVersionOfDotNet.exe /quiet /norestart
}
catch {
    Write-Output $_.Exception.Message
}

Just to be safe I restarted the Hyper-V server via:

Restart-Computer

Notice the 4.8 instead of 4.7 - pat yourself on the back

 

[Jackbox]

Want a GUI, want automation, and just want some .NET apps to be able to run? Easy, just use Visual Studio to make some automation if PowerShell alone is not enough for your needs.



Here is an example running this desktop app on a normal Windows 10 system and here is how this looks on Hyper-V:



All that is required for this is following above instructions, just wget your ".exe" from anywhere hosted or do PowerShell magic to copy file over session.

From there we can begin developing and testing of tools for securing, controlling, and overall simplifying the Hyper-V experience if for example managing a farm/clusters/whatever. A lot of possibilities exist that is for sure!

 

[Jackbox]

New server is on the left... posting benchmarks.



Memory seems legit..



ROTA = 1 is true rotational disk. SSD should return 0, working on deploying all SSDs on servers.
...



...

And for Geekbench..

wget http://cdn.geekbench.com/Geekbench-5.2.0-Linux.tar.gz
tar -xvf Geekbench-5.2.0-Linux.tar.gz
cd Geekbench-5.2.0-Linux/
./geekbench5

Geekbench will run varying benchmarks and result a browser link to view.

New VM: https://browser.geekbench.com/v5/cpu/2774314
Old dedi: https://browser.geekbench.com/v5/cpu/2774347

Geekbench 5 measures the performance of your device by performing tests that are representative of real-world tasks and applications. Higher scores are better, with double the score indicating double the performance.

 

[Jackbox]

On the VM (left) I turned up the RAM and added a vCPU, https://browser.geekbench.com/v5/cpu/2774518/