{"id":7029,"date":"2020-03-20T21:30:13","date_gmt":"2020-03-20T21:30:13","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=7029"},"modified":"2020-03-20T22:09:29","modified_gmt":"2020-03-20T22:09:29","slug":"windows-symbols-a-d-2020","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/03\/20\/windows-symbols-a-d-2020\/","title":{"rendered":"Windows Symbols A.D. 2020"},"content":{"rendered":"\n<p>I may be in a minority, but I do use Windows Firewall on most of my boxes. I deny all connections by default, including some of the predefined rules, and selectively enable only the few I need to get by with the required functionality. Anytime I need to deal with a more internet access-hungry app, I just run it from a VM.<\/p>\n\n\n\n<p>It&#8217;s hard to run some apps from a VM though. Probably the most annoying bit when your Windows Firewall is set to deny everything by default is Office 365. Its main functionality is not word or spreadsheet editing, but confirming your Office installation is legitimate. To do so, and it does it all the time, it obviously needs to connect out. However, the rules one would need to set up for this to work properly are, kinda obviously, crazy. This <a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/enterprise\/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams\">page<\/a> lists the URLs and IP ranges involved. Thanks Microsoft!<\/p>\n\n\n\n<p>With Windows Firewall on, you will come across one more problem:<\/p>\n\n\n\n<p>&#8211; access to the symbol server.<\/p>\n\n\n\n<p>It&#8217;s often great to have access to it, and yet I don&#8217;t feel like giving <em>carte blanche<\/em> access to port 80 or 443 to any reversing tool I happen to run. So I go with IP-specific allow rules.<\/p>\n\n\n\n<p>And here&#8217;s the catch:<\/p>\n\n\n\n<p>&#8211; in the past, one would check the IP that <em>msdl.microsoft.com<\/em> resolves to, and allow connectivity to that IP only.<\/p>\n\n\n\n<p>Times have changed though, and we live in a world of CDNs and redirectors. As such, allowing the IP that <em>msdl.microsoft.com<\/em> maps to is no longer enough: that server answers the request with an HTTP redirect to one of a bunch of other servers. Windows Firewall rules match on addresses, not host names, so a rule that covers only the first hop lets the initial request out and then blocks the connection to the server the redirect points at, and the download fails.<\/p>\n\n\n\n<p>How do we find them?<\/p>\n\n\n\n<p>I don&#8217;t have a generic answer, but we can cheat a bit.<\/p>\n\n\n\n<p>Use curl or wget to download a known PDB from the server (the flags below make wget print a lot of debug\/verbose output, which is handy here):<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>wget -v -d <em>https:\/\/msdl.microsoft.com\/download\/symbols\/regedit.pdb\/85B6C521417160A68521696D68568CB41\/regedit.pdb<\/em><\/p><\/blockquote>\n\n\n\n<p>If you look at the logs your download tool outputs, you will notice that the request is being redirected to a different symbol server, e.g.:<\/p>\n\n\n\n<p><em>https:\/\/vsblobprodscussu5shard76.blob.core.windows.net\/&#8230;.<\/em><\/p>\n\n\n\n<p>So, yes, you need to find out what the IP of that server is and allow it as well, and voila&#8230; now your rules should work. Two caveats: the shard a request gets redirected to may differ from one request to the next, and the IPs behind these Azure blob storage names can change, so the rules need re-checking from time to time.<\/p>\n\n\n\n<p>If you are wondering how I found this out&#8230; I checked from a VM with the firewall disabled. 
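<\/p>\n\n\n\n<p>The same steps scripted end to end, as an added example that is not part of the original post. It requests the regedit.pdb above with auto-redirect switched off and reads the Location header directly instead of grepping it out of wget&#8217;s debug output, enumerates the 90 shard storage accounts under both DNS suffixes from the GitHub issue quoted below (so the rule does not depend on which shard one request happened to land on), resolves everything to IPv4 addresses, and replaces a single outbound allow rule with that address set. The rule name, the TCP\/443-only scope, the optional per-program restriction and the use of .NET HttpClient in place of wget are my assumptions, not anything from the post.<\/p>\n\n\n\n

```powershell
# Added example, not code from the original post. Assumptions (mine): outbound
# TCP/443 only, an arbitrary rule name, and the regedit.pdb path from the post
# as the probe URL. Run elevated for the New-NetFirewallRule step.

$SymbolUrl = 'https://msdl.microsoft.com/download/symbols/regedit.pdb/85B6C521417160A68521696D68568CB41/regedit.pdb'
$RuleName  = 'Symbol server (msdl + redirect targets)'

function Get-RedirectTarget {
    # Same request the wget one-liner makes, but with auto-redirect off so the
    # Location header is read directly rather than grepped out of -d output.
    param([string]$Url)
    Add-Type -AssemblyName System.Net.Http -ErrorAction SilentlyContinue   # Windows PowerShell 5.1 needs this
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false
    $client = [System.Net.Http.HttpClient]::new($handler)
    try {
        $resp = $client.GetAsync($Url).GetAwaiter().GetResult()
        $loc  = $resp.Headers.Location
        if ($null -eq $loc) {
            throw ('HTTP {0} with no Location header: nothing to chase' -f [int]$resp.StatusCode)
        }
        if (-not $loc.IsAbsoluteUri) { $loc = [uri]::new([uri]$Url, $loc) }
        return $loc.Host
    } finally {
        $client.Dispose()
    }
}

function Get-ShardHostNames {
    # The GitHub issue quoted in the post lists shards 1..90 under two suffixes.
    # Enumerate all of them: the shard a given request lands on is not stable.
    param([int]$MaxShard = 90)
    foreach ($n in 1..$MaxShard) {
        foreach ($suffix in 'blob.core.windows.net', 'vsblob.vsassets.io') {
            'vsblobprodscussu5shard{0}.{1}' -f $n, $suffix
        }
    }
}

function Resolve-IPv4 {
    # A records only; Windows Firewall rules are keyed on addresses, not names,
    # which is why a CDN-fronted redirect breaks a rule derived from one name.
    param([string[]]$HostNames)
    foreach ($h in $HostNames) {
        try {
            Resolve-DnsName -Name $h -Type A -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } |
                ForEach-Object { $_.IPAddress }
        } catch {
            Write-Warning ('{0}: {1}' -f $h, $_.Exception.Message)
        }
    }
}

function Set-SymbolServerRule {
    # Replace (not append to) one outbound allow rule with the full address set,
    # so stale addresses from a previous run drop out instead of accumulating.
    param(
        [string]$Name,
        [string[]]$Addresses,
        [string]$Program    # optional: pin the rule to one debugger executable
    )
    $addrs = @($Addresses | Sort-Object -Unique)
    if ($addrs.Count -eq 0) { throw 'No addresses resolved; refusing to write an empty rule' }
    $params = @{
        DisplayName   = $Name
        Direction     = 'Outbound'
        Action        = 'Allow'
        Protocol      = 'TCP'
        RemotePort    = 443
        RemoteAddress = $addrs
        Profile       = 'Any'
    }
    if ($Program) { $params['Program'] = $Program }
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule @params | Out-Null
    return $addrs
}

# --- main ---
$target = Get-RedirectTarget -Url $SymbolUrl
Write-Host ('msdl.microsoft.com redirected the PDB request to {0}' -f $target)

# First hop, the observed redirect target, and the whole shard family from the list.
$hosts = @('msdl.microsoft.com', $target) + @(Get-ShardHostNames)
$ips   = @(Resolve-IPv4 -HostNames $hosts)
$done  = Set-SymbolServerRule -Name $RuleName -Addresses $ips
Write-Host ('{0}: {1} addresses allowed on TCP/443' -f $RuleName, $done.Count)
```

\n\n\n\n<p>Run it from an elevated PowerShell (New-NetFirewallRule needs it; the discovery half does not). Because Windows Firewall matches on addresses rather than host names and the addresses behind the blob storage names change, re-run it whenever symbol downloads start failing again rather than treating the rule as permanent.<\/p>\n\n\n\n<p>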
Literally, this is a regular activity for anyone who wants to keep their host OS in, err&#8230; firewall denial.<\/p>\n\n\n\n<p>Googling around for <em>vsblobprodscussu5shard76<\/em> I came across only two posts, and <a href=\"https:\/\/github.com\/MicrosoftDocs\/vsts-docs\/issues\/3801\">this one<\/a> is the winner in the contest of value-and-madness-adding content; the list of possible servers goes as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>StorageAccount\nvsblobprodscussu5shard90\nvsblobprodscussu5shard9\nvsblobprodscussu5shard89\nvsblobprodscussu5shard88\nvsblobprodscussu5shard87\nvsblobprodscussu5shard86\nvsblobprodscussu5shard85\nvsblobprodscussu5shard84\nvsblobprodscussu5shard83\nvsblobprodscussu5shard82\nvsblobprodscussu5shard81\nvsblobprodscussu5shard80\nvsblobprodscussu5shard8\nvsblobprodscussu5shard79\nvsblobprodscussu5shard78\nvsblobprodscussu5shard77\nvsblobprodscussu5shard76\nvsblobprodscussu5shard75\nvsblobprodscussu5shard74\nvsblobprodscussu5shard73\nvsblobprodscussu5shard72\nvsblobprodscussu5shard71\nvsblobprodscussu5shard70\nvsblobprodscussu5shard7\nvsblobprodscussu5shard69\nvsblobprodscussu5shard68\nvsblobprodscussu5shard67\nvsblobprodscussu5shard66\nvsblobprodscussu5shard65\nvsblobprodscussu5shard64\nvsblobprodscussu5shard63\nvsblobprodscussu5shard62\nvsblobprodscussu5shard61\nvsblobprodscussu5shard60\nvsblobprodscussu5shard6\nvsblobprodscussu5shard59\nvsblobprodscussu5shard58\nvsblobprodscussu5shard57\nvsblobprodscussu5shard56\nvsblobprodscussu5shard55\nvsblobprodscussu5shard54\nvsblobprodscussu5shard53\nvsblobprodscussu5shard52\nvsblobprodscussu5shard51\nvsblobprodscussu5shard50\nvsblobprodscussu5shard5\nvsblobprodscussu5shard49\nvsblobprodscussu5shard48\nvsblobprodscussu5shard47\nvsblobprodscussu5shard46\nvsblobprodscussu5shard45\nvsblobprodscussu5shard44\nvsblobprodscussu5shard43\nvsblobprodscussu5shard42\nvsblobprodscussu5shard41\nvsblobprodscussu5shard40\nvsblobprodscussu5shard4\nvsblobprodscussu5shard39\nvsblobprodscussu5shard38\nvsblobprodscussu5shard37\nvsblobprodscussu5shard36\nvsblobprodscussu5shard35\nvsblobprodscussu5shard34\nvsblobprodscussu5shard33\nvsblobprodscussu5shard32\nvsblobprodscussu5shard31\nvsblobprodscussu5shard30\nvsblobprodscussu5shard3\nvsblobprodscussu5shard29\nvsblobprodscussu5shard28\nvsblobprodscussu5shard27\nvsblobprodscussu5shard26\nvsblobprodscussu5shard25\nvsblobprodscussu5shard24\nvsblobprodscussu5shard23\nvsblobprodscussu5shard22\nvsblobprodscussu5shard21\nvsblobprodscussu5shard20\nvsblobprodscussu5shard2\nvsblobprodscussu5shard19\nvsblobprodscussu5shard18\nvsblobprodscussu5shard17\nvsblobprodscussu5shard16\nvsblobprodscussu5shard15\nvsblobprodscussu5shard14\nvsblobprodscussu5shard13\nvsblobprodscussu5shard12\nvsblobprodscussu5shard11\nvsblobprodscussu5shard10\nvsblobprodscussu5shard1\n\nThese account names could have either of these suffixes:\n\n{storageaccountname}.vsblob.vsassets.io\n{storageaccountname}.blob.core.windows.net<\/code><\/pre>\n\n\n\n<p>Good luck&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I may be in a minority, but I do use Windows Firewall on most of my boxes. 
I deny all the connections by default, including some of the predefined ones, and only selectively enable some, just enough to get by with &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/03\/20\/windows-symbols-a-d-2020\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[65,44],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7029"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7029"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7029\/revisions"}],"predecessor-version":[{"id":7035,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7029\/revisions\/7035"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7029"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7029"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7029"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}