It is very easy to retrieve the TLS/SSL certificate bound to a web server: navigate to the site in any Internet browser and view the certificate from there.
How do you get the certificate details from a non-HTTP endpoint, such as LDAP over SSL (LDAPS)?
Fortunately, you can use OpenSSL to retrieve the certificate; the connection output includes the PEM-encoded certificate the endpoint presents:
> openssl s_client -connect address-of-the-endpoint:636
Enjoy!
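As an added example (not part of the original post), the same check in Python's standard library: connect to the endpoint with SNI, pull the certificate, and reduce it to the fields an operator actually wants to verify (subject, SANs, expiry, fingerprint). Host and port in the `__main__` block are placeholders; it assumes Python 3.7 or newer.

```python
"""Retrieve and summarise the certificate presented by a TLS endpoint such as
LDAPS (port 636), the same thing the openssl s_client one-liner shows.

Added example; not part of the original post. Standard library only. The host
and port used in the __main__ block are placeholders.
"""
import hashlib
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(host, port=636, verify=True, timeout=5.0):
    """Connect with SNI and return (cert_dict, der_bytes).

    verify=True validates against the system trust store, so an endpoint with an
    internal-CA or expired certificate raises ssl.SSLCertVerificationError, which
    is itself worth knowing. With verify=False the certificate is still fetched,
    but Python then returns {} for the parsed dict and only the DER bytes remain."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def summarize_cert(cert, der, now_ts=None):
    """Reduce the getpeercert() dict plus DER bytes to the fields an operator checks:
    subject CN, DNS SANs, expiry, days left and the SHA-256 fingerprint (the value
    to compare against what was actually deployed on the directory server)."""
    now_ts = datetime.now(timezone.utc).timestamp() if now_ts is None else now_ts
    not_after_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    # subject is a tuple of RDNs, each a tuple of (type, value) pairs
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    sans = [name for (kind, name) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "common_name": subject.get("commonName"),
        "sans": sans,
        "not_after": datetime.fromtimestamp(not_after_ts, timezone.utc).isoformat(),
        "days_left": int((not_after_ts - now_ts) // 86400),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"  # placeholder
    try:
        cert, der = fetch_cert(host)
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted here: still report what was presented so it can be compared.
        print("chain not trusted by this system:", exc.verify_message)
        cert, der = fetch_cert(host, verify=False)
        print("sha256:", hashlib.sha256(der).hexdigest())
    else:
        for key, value in summarize_cert(cert, der).items():
            print("%-12s %s" % (key, value))
```

Run it as `python3 tlscheck.py ldap.example.test`; a verification failure is reported rather than silently ignored, because an LDAPS endpoint whose chain the client does not trust is exactly the condition that makes applications fall back to insecure settings.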
Thursday, June 14, 2018
Thursday, May 10, 2018
SSH Login Notification with SSMTP
I have set up my box to send an email notification for every successful SSH login in the past, here.
That setup requires sendmail to be installed, which I think is too much just to send email out from the box.
I found a lighter way to do it, using the ssmtp package.
Edit or create the file (sshd runs it for every user on every login, with that user's privileges):
> sudo vi /etc/ssh/sshrc
# Build the notification from the variables sshd exports; SSH_CONNECTION is
# "client-ip client-port server-ip server-port".
DATE=$(date "+%d.%m.%Y--%Hh%Mm")
IP=$(echo "$SSH_CONNECTION" | awk '{print $1}')
REVERSE=$(dig -x "$IP" +short)
# Pipe the message straight into ssmtp rather than staging it in a fixed /tmp
# file, which concurrent logins would overwrite and any local user could pre-create.
{
echo "To: laurence.lau@domain.tld"
echo "From: Beaver <beaver@domain.tld>"
echo "Subject: SSH Login Successful"
echo ""
echo "$DATE, user $USER just logged in from $IP ($REVERSE)"
} | ssmtp laurence.lau@domain.tld &
Edit the file and point ssmtp at your mail relay:
> sudo vi /etc/ssmtp/ssmtp.conf
mailhub=smtprelay.domain.tld:25
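The same notification composed in Python, as an added example that is not part of the original post: it reads the variables sshd exports to /etc/ssh/sshrc, parses SSH_CONNECTION in a way that also works for IPv6 clients, does the reverse lookup without letting a DNS failure break the login script, and hands the message to the relay the post configures in ssmtp.conf. The relay name and addresses are the post's placeholders.

```python
"""Compose the SSH login notification in Python instead of shell.

Added example; not from the original post. It reads the same environment sshd
provides to /etc/ssh/sshrc (SSH_CONNECTION, USER) and sends through the relay
the post configures in ssmtp.conf. MAILHUB and the addresses are placeholders.
"""
import os
import smtplib
import socket
from datetime import datetime, timezone
from email.message import EmailMessage

MAILHUB = "smtprelay.domain.tld"   # assumed; matches the post's ssmtp.conf
TO_ADDR = "laurence.lau@domain.tld"
FROM_ADDR = "Beaver <beaver@domain.tld>"


def parse_ssh_connection(value):
    """SSH_CONNECTION is 'client_ip client_port server_ip server_port'.
    Splitting on whitespace works for IPv4 and IPv6 addresses alike."""
    parts = value.split()
    if len(parts) != 4:
        raise ValueError("unexpected SSH_CONNECTION: %r" % value)
    return {"client_ip": parts[0], "client_port": int(parts[1]),
            "server_ip": parts[2], "server_port": int(parts[3])}


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """PTR lookup that never fails the login script: '' when there is no record.
    socket.herror and socket.gaierror are both subclasses of OSError."""
    try:
        return resolver(ip)[0]
    except OSError:
        return ""


def build_notification(env, when=None, resolver=socket.gethostbyaddr):
    """Return an EmailMessage describing the login, using the post's date format."""
    conn = parse_ssh_connection(env["SSH_CONNECTION"])
    when = when or datetime.now(timezone.utc)
    rdns = reverse_lookup(conn["client_ip"], resolver)
    msg = EmailMessage()
    msg["To"] = TO_ADDR
    msg["From"] = FROM_ADDR
    msg["Subject"] = "SSH Login Successful on %s" % socket.gethostname()
    msg.set_content("%s, user %s just logged in from %s (%s) to port %d" % (
        when.strftime("%d.%m.%Y--%Hh%Mm"), env.get("USER", "?"),
        conn["client_ip"], rdns or "no PTR", conn["server_port"]))
    return msg


def send(msg, mailhub=MAILHUB, port=25):
    """Deliver to the relay; an unreachable relay raises rather than hanging the login."""
    with smtplib.SMTP(mailhub, port, timeout=10) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    send(build_notification(os.environ))
```

Save it somewhere root-owned and call it from /etc/ssh/sshrc in the background (`python3 /usr/local/sbin/sshnotify.py &`), so that a slow relay or DNS server does not delay the user's session.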
Thursday, April 19, 2018
PowerShell RunAs
To launch a program through PowerShell under a different credential (Get-Credential prompts for the username and password):
> $cred = Get-Credential
> Start-Process powershell.exe -Credential $cred -NoNewWindow -ArgumentList "-noprofile -command &{Start-Process -FilePath C:\blah\prog.exe}"
Friday, March 16, 2018
PowerShell SecureString
PowerShell is often used to access data from systems or apps that require authentication. Authentication requires a username and password, and you don't want to store the password in the PowerShell script itself.
The better way is to store the password as a SecureString in a configuration file and use that to access the data / app. Without a -Key, ConvertFrom-SecureString protects the string with the Windows Data Protection API, so the file can only be decrypted by the same user account on the same computer that created it.
To generate the configuration file:
> Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File C:\Securestring.txt
To consume the configuration file:
> $pass = Get-Content C:\Securestring.txt | ConvertTo-SecureString
To convert it into a credential object:
> $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "username",$pass
Wednesday, February 14, 2018
Windows 2016 Core Domain Controllers
Upgrading my Domain Controllers from 2012 R2 to 2016. I have decided to run the servers without the Desktop Experience to save resources.
Once installed, run the "sconfig" utility from the CMD to set up the server name, IP address, DNS and gateway, then reboot.
To add the AD Domain Services feature (from PowerShell):
Add-WindowsFeature AD-Domain-Services
To install the AD forest (the trailing backtick continues the command on the next line):
Install-ADDSForest -CreateDnsDelegation:$false `
-DatabasePath C:\Windows\NTDS `
-DomainMode WinThreshold `
-DomainName domain.tld `
-DomainNetbiosName NETBIOSDOMAIN `
-ForestMode WinThreshold `
-InstallDns:$true `
-LogPath C:\Windows\NTDS `
-NoRebootOnCompletion:$true `
-SysvolPath C:\Windows\SYSVOL `
-Force:$true
WinThreshold is the forest and domain functional level value for Windows Server 2016.
To add an AD Domain Controller to the existing domain:
Install-ADDSDomainController -CreateDnsDelegation:$false `
-DatabasePath C:\Windows\NTDS `
-DomainName domain.tld `
-InstallDns:$true `
-LogPath C:\Windows\NTDS `
-NoGlobalCatalog:$false `
-SysvolPath C:\Windows\SYSVOL `
-NoRebootOnCompletion:$true `
-Force:$true `
-Credential (Get-Credential)
Saturday, January 13, 2018
AWS Certified Solutions Architect - Associate
New year, 2018! New challenges!!
Passed the exam and now I am officially AWS Certified Solutions Architect - Associate. Next is Professional #StayTune
Sunday, December 31, 2017
Let's Encrypt Certificate Renewal
To renew a certificate that was generated through Let's Encrypt:
#1 Go to the sslzero.com site
#2 Use the same Let's Encrypt key the site generated when the certificate was originally issued
#3 Get the CSR
#4 That's it
Wednesday, November 22, 2017
Proxy PAC Tester v.2.0
New version of Proxy PAC Tester that lets a client IP address be passed in to the PAC JavaScript functions that make decisions based on the client's IP address.
#LoveCoding
Wednesday, October 25, 2017
Active Directory GUID
Active Directory stores the objectGUID attribute as a byte array (Byte[]).
To convert from Byte[] to the string form:
string guid = new Guid(bytes).ToString();   // bytes is the Byte[] read from the directory
To convert from the string form back to Byte[] (and on to the backslash-escaped form an LDAP filter expects):
string guid = "<string guid here>";
Guid g = Guid.Parse(guid);
Byte[] gba = g.ToByteArray();
string result = "";
foreach (Byte b in gba) { result += @"\" + b.ToString("x2"); }
Friday, September 08, 2017
GUID String to Octet String
If you need to perform an LDAP query against Active Directory with objectGUID as the filter, you need to convert the string representation of that GUID to an octet string.
For example, if the objectGUID string value is: ffe17244-4c77-48e7-9db7-69578be7e232
You need to convert it to: \44\72\e1\ff\77\4c\e7\48\9d\b7\69\57\8b\e7\e2\32
so that you can then provide the LDAP filter with:
(objectGUID=\44\72\e1\ff\77\4c\e7\48\9d\b7\69\57\8b\e7\e2\32)
Note that the first three groups come out byte-reversed: Guid.ToByteArray() stores them little-endian, which is also how the directory stores the attribute.
To do this in C#, use the following function:
private string convertStringGuidToOctetString(string guid)
{
    Guid g = Guid.Parse(guid);
    Byte[] gba = g.ToByteArray();   // same byte order as the objectGUID attribute
    string result = "";
    foreach (Byte b in gba)
    {
        // each byte becomes \xx, the LDAP filter escape for binary values
        result = result + @"\" + b.ToString("x2");
    }
    return result;
}
Good luck!
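The conversions from this post and from the "Active Directory GUID" post above, as an added example in Python (not the posts' own C# code, standard library only): string to raw bytes, raw bytes back to string, and the escaped octet string that goes into an LDAP filter, plus the reverse parse for when you meet the escaped form in a filter or a log.

```python
"""Convert between the string form of an Active Directory objectGUID, its raw
Byte[] layout and the escaped octet string used in an LDAP filter.

Added example; not part of the original posts, which use C#. Standard library only.
"""
import uuid


def guid_to_bytes(guid_str):
    """Same layout as .NET Guid.ToByteArray(): the first three groups are stored
    little-endian and the last two as written, so 'ffe17244-4c77-48e7-...' begins
    44 72 e1 ff 77 4c e7 48. uuid's bytes_le property is exactly that layout."""
    return uuid.UUID(guid_str).bytes_le


def bytes_to_guid(raw):
    """Inverse of guid_to_bytes, i.e. new Guid(Byte[]).ToString() in .NET."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=bytes(raw)))


def guid_to_octet_string(guid_str):
    """Escape every byte as \\xx, the form an LDAP filter requires for binary attributes."""
    return "".join("\\%02x" % b for b in guid_to_bytes(guid_str))


def octet_string_to_guid(octets):
    """Parse '\\44\\72...' back into the dashed string form."""
    parts = octets.split("\\")
    if parts[0] != "" or len(parts) != 17:
        raise ValueError("expected 16 backslash-escaped bytes")
    return bytes_to_guid(bytes(int(p, 16) for p in parts[1:]))


def objectguid_filter(guid_str):
    """Build the filter shown in the post, e.g. (objectGUID=\\44\\72...\\32)."""
    return "(objectGUID=%s)" % guid_to_octet_string(guid_str)


if __name__ == "__main__":
    sample = "ffe17244-4c77-48e7-9db7-69578be7e232"  # the post's example value
    print(objectguid_filter(sample))
    print(octet_string_to_guid(guid_to_octet_string(sample)))
```

Because the escaped form is built byte by byte from the value, it is safe to interpolate into a filter; the same cannot be said of user-supplied strings, which need the general LDAP filter escaping before they go anywhere near a query.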
Wednesday, August 16, 2017
Let's Encrypt and Sophos XG Firewall
I am publishing my web server behind the Sophos XG firewall. I need an SSL certificate that is free and trusted by most Internet browsers. The answer is Let's Encrypt.
I use this site to help integrate with Let's Encrypt: http://zerossl.com
Steps
#1 Generate a CSR on the XG firewall and download both the CSR and the private key
#2 Navigate to zerossl.com and paste the CSR content (only the CSR; the private key stays with you)
#3 Follow the instructions to validate your domain - I used the DNS option by inserting a TXT record
#4 Once validation is successful, the signed certificate is ready to be downloaded
#5 Upload the signed certificate to the XG firewall along with the private key that was downloaded in step #1
#6 (optional) If the XG firewall does not trust the Let's Encrypt CA, add it to the Trusted CAs
Done!!
Saturday, July 22, 2017
Another .NET app I wrote to help a project compare the performance of different web proxies.
This app lets me see the response time of each proxy for a request to a particular URL. You can specify the header and how many requests to perform, so that you can create the "worm" graph. It is quite fun to see this running indefinitely.
The picture above shows 2 proxies being compared hitting google.com.au with an IE header and 10 iterations to produce the performance graph.
Thursday, June 15, 2017
Officially SABSA Chartered Security Architect - Foundation (SCF)
Finally got my exam result today and passed both the F1 and F2 modules of the SABSA Foundation exam, happy day!
Tuesday, May 16, 2017
Proxy PAC Tester
I wrote this .NET program to parse a PAC file and test its exceptions. It provides a GUI, rather than relying on Google's unsupported CLI code.
It supports fetching the PAC directly from a URL or loading a static PAC file.
Sunday, April 30, 2017
Ubuntu CIFS Mount to Windows
To mount a Windows share from Ubuntu over SMB2, edit /etc/fstab and include this line:
//windows.domain.local/share/folder /mount/point cifs credentials=/root/.credentials,vers=2.0,iocharset=utf8,sec=ntlm,dir_mode=0770,uid=33,gid=33 0 0
The credentials file holds the share username and password in plain text, so keep it owned by root with mode 0600.
Monday, March 06, 2017
Thursday, February 02, 2017
Bitbucket Installation
I have a need to create a code repository locally. I don't want to use a code repo in the cloud. Bitbucket is the winner!
#1 - Install Ubuntu 16.10
Download the latest ISO file from ubuntu.com, boot and install.
During the installation wizard, make sure PostgreSQL is selected and installed.
#2 - Configure PostgreSQL
Log in to Ubuntu as the standard user and set a password for the postgres role (\password takes the role name and prompts for the new password):
> sudo -u postgres psql postgres
\password postgres
\q
>
#3 - Create the PostgreSQL Database and Role
> sudo -u postgres psql
CREATE ROLE bitbucketuser WITH LOGIN PASSWORD 'mypassword' VALID UNTIL 'infinity';
CREATE DATABASE bitbucket WITH ENCODING='UTF8' OWNER=bitbucketuser CONNECTION LIMIT=-1;
\q
>
#4 - Install Bitbucket
Download the Bitbucket installer from atlassian.com
Change the file permission to executable (+x)
Run it
#5 - Configure Bitbucket
During the configuration wizard, when asked for the database, specify localhost as the host, bitbucket as the database, bitbucketuser as the user and 'mypassword' as the password
Sunday, January 01, 2017
Office 365 & Squid
I had an issue today. My Outlook does not want to connect to Office 365 when I set up IE to use Squid as the proxy. Apparently some of the O365 URLs resolve to up to 25 IP addresses and, depending on the location, some of the connections might get rejected.
By default Squid only tries the first 10 connections. To change this, edit squid.conf and add:
forward_max_tries 25
Save and restart the Squid instance. Enjoy
Thursday, December 01, 2016
Proxy Enforcer
I developed this little utility while doing a proxy migration project. It helps me enforce the Windows proxy settings for IE.
You can add a proxy by clicking the "Add Proxy" button, which gives you the same configuration dialog as Windows.
Once your proxy setting is added to the list, highlight the proxy and click "Select Proxy" to enforce the selected proxy on your IE. The program keeps running in the taskbar.
Wednesday, November 16, 2016
Ubuntu File Finders
To find disk usage per top-level directory, sorted from smallest to largest:
#> sudo du -sx /* 2> /dev/null | sort -n
To drill into one directory:
#> sudo du -sx /var/* 2> /dev/null | sort -n
To find files bigger than a given size (10 MB here):
#> sudo find / -size +10M -ls