In this post I would like to show how to decrypt packets flowing over established SSL sessions using Wireshark. To do so we need both the server's certificate and its private key.

It is very important for this experiment not to use Diffie-Hellman or elliptic-curve algorithms for the key exchange: with those, decryption requires knowledge of the session keys, which is possible to obtain but will be the subject of a later post.

Please follow next steps to reproduce this experiment.

  1. Generate a self-signed certificate:
     $ openssl req -x509 -newkey rsa:4096 \
                   -keyout key.pem.secured \
                   -out cert.pem -days 365
  2. Decrypt the private key (remove its passphrase) with the following command:
     $ openssl rsa -in key.pem.secured -out key.pem
  3. Create an index.html so there is some traffic on this port.
  4. Start an SSL server with cipher suites whose key exchange does not use Diffie-Hellman or elliptic curves. openssl can also simulate an HTTP server; for this experiment we will use port 44433:
     $ openssl s_server -cert cert.pem \
                        -key key.pem \
                        -accept 44433 \
                        -WWW -no_dhe -no_ecdhe
  5. Configure Wireshark to capture traffic on port 44433.
  6. Start traffic using any browser.
  7. The client will show that the negotiated cipher suite uses RSA as the key exchange mechanism.
  8. At this point Wireshark will show only encrypted data.
  9. Verify that your Wireshark was installed with support for the crypto libraries.
  10. Configure the certificate and key on the SSL protocol as follows:
     • Edit → Preferences → Protocols → SSL. Press “Edit…”
     • Click on “New”
     • Add the following information along with the private key of the server.
  11. After configuring the private key, filtering for http traffic we should be able to see the unencrypted data.
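
To show what the private key actually unlocks, here is an added example (not code from the original post) of the TLS 1.2 derivation Wireshark performs after it has used the server's RSA private key to recover the premaster secret from ClientKeyExchange: master secret first, then the key block for TLS_RSA_WITH_AES_128_CBC_SHA. With DHE or ECDHE the server key only signs the ephemeral parameters and there is no RSA-encrypted premaster to recover, which is why those suites are excluded above; the premaster and both Hello randoms below are constructed values.

```python
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: chain HMACs until enough bytes exist."""
    out, a = b"", seed                                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for suites without a SHA-384 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RSA key exchange: the 48-byte premaster travelled in ClientKeyExchange encrypted
    under the server's public key, so the server's private key recovers it directly."""
    if len(premaster) != 48 or premaster[0] != 3:      # starts with the client's version
        raise ValueError("not an RSA premaster secret")
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key expansion for TLS_RSA_WITH_AES_128_CBC_SHA: two 20-byte MAC keys, two 16-byte
    AES keys, two 16-byte IVs. Note the randoms are concatenated in the opposite order."""
    kb = prf(master, b"key expansion", server_random + client_random, 104)
    layout = [("client_mac", 20), ("server_mac", 20), ("client_key", 16),
              ("server_key", 16), ("client_iv", 16), ("server_iv", 16)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


# Constructed stand-ins for the decrypted ClientKeyExchange and the two Hello randoms.
PREMASTER = b"\x03\x03" + bytes(range(46))
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)


def derive_session_keys() -> dict:
    """Everything Wireshark needs to decrypt the record layer of this session."""
    ms = master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    return {"master_secret": ms, **key_block(ms, CLIENT_RANDOM, SERVER_RANDOM)}
```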

This is a quick post explaining how to test Kerberos authentication using curl; it is useful when testing and understanding this process for web authentication.

  • We install the Kerberos client utilities. In this case we did it using Cygwin on a Windows desktop, but it can be done on any flavor of Linux, where those utilities are in the package krb5-workstation, as shown in the screenshot below.

(screenshot: kerberos_cygwin)


  • We need to configure the default Kerberos parameters so it contacts the right domain. The default location is /etc/krb5.conf, and it can be filled in as follows:


  • We can now start the Kerberos process by authenticating ourselves. This grants our account a “ticket-granting ticket”, which can then be used to request access to the web application; it is cached in a temporary location.
$ kinit -V username
Using default cache: /tmp/krb5cc_1261992
Using principal: username@MYDOMAIN.COM
Password for username@MYDOMAIN.COM:
Warning: Your password will expire in 6 days on Fri, Sep 23, 2016  8:41:01 AM
Authenticated to Kerberos v5


  • After a successful authentication we can proceed with curl to test the Kerberos authentication mechanism by using the flag --negotiate. In this example we have instructed curl to follow redirections, and by saving the cookies we can follow the whole authentication process with our web application.
$ curl -v -k -L --negotiate -u : -b ~/cookie.txt -c ~/cookie.txt https://web.mydomain.com/user/login.jsp
...
> GET /user/login.jsp HTTP/1.1
> Host: web.mydomain.com
...
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
...
> GET /user/login.jsp HTTP/1.1
> Host: web.mydomain.com
> Authorization: Negotiate YIIHDgYGKwYBBQUCoII...
...
< HTTP/1.1 302 Found
< WWW-Authenticate: Negotiate oYH1MIHyoAMK...
< Set-Cookie: JSESSIONID=5C8...1A52; Path=/; Secure
< Set-Cookie: CSRFGUARD_TOKEN=FyHJ...0%3D; Path=/; HttpOnly
< Location: https://web.mydomain.com:443/user/main.jsp
...
> GET /user/main.jsp;jsessionid=A2902B...30A3?lang=en&cntry=US HTTP/1.1
> Host: web.mydomain.com
> User-Agent: curl/7.50.2
> Accept: */*
> Cookie: CSRFGUARD_TOKEN=HAqFUwfJf...0i0WfM1kU%3D; JSESSIONID=A290...0A3
< HTTP/1.1 200 OK
< Set-Cookie: CSRFGUARD_TOKEN=YHJJN...39Q%3D; Path=/; HttpOnly
...


  • If we list the tickets we now hold, we should see the ones granted to access the web application.
$ klist
Ticket cache: FILE:/tmp/krb5cc_1261992
Default principal: username@MYDOMAIN.COM
 
Valid starting       Expires              Service principal
09/16/2016 13:03:16  09/16/2016 23:03:16  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 09/17/2016 13:03:10
09/16/2016 13:15:22  09/16/2016 23:03:16  HTTP/web.mydomain.com@
        renew until 09/17/2016 13:03:10
09/16/2016 13:15:22  09/16/2016 23:03:16  HTTP/web.mydomain.com@MYDOMAIN.COM
        renew until 09/17/2016 13:03:10
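
As an added example (not part of the original post), the following Python decodes the outer DER header of the Negotiate tokens in the curl transcript above, so you can tell from a log whether the client is sending SPNEGO, raw Kerberos or NTLMSSP, and what negState the server answered. The logged tokens are truncated, so only the header is read; COMPLETE_RESPONSE is a constructed, complete NegTokenResp.

```python
import base64

MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5",
         "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft OID)", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def decode_prefix(token: str) -> bytes:
    """Base64-decode a token as logged ('Negotiate xxx...'), tolerating truncation."""
    token = token.split()[-1].rstrip(".")
    if len(token) % 4 == 1:            # a lone trailing sextet carries no whole byte
        token = token[:-1]
    return base64.b64decode(token + "=" * (-len(token) % 4))

def tlv(buf: bytes, pos: int):
    """DER tag, length and value offset at pos (short and long-form lengths)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def oid_str(value: bytes) -> str:
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def describe(token: str) -> dict:
    buf = decode_prefix(token)
    tag, length, val = tlv(buf, 0)
    if tag == 0x60:   # GSS-API InitialContextToken: [APPLICATION 0] { mech OID, inner token }
        _, oid_len, oid_val = tlv(buf, val)
        oid = oid_str(buf[oid_val:oid_val + oid_len])
        inner = oid_val + oid_len      # inner tag 0xA0 here = SPNEGO NegTokenInit
        return {"kind": "initial", "mech": MECHS.get(oid, oid), "declared_len": length,
                "inner_tag": buf[inner] if len(buf) > inner else None}
    if tag == 0xA1:   # SPNEGO NegTokenResp: [1] SEQUENCE { [0] negState ENUMERATED, ... }
        _, _, seq_val = tlv(buf, val)
        _, _, state_val = tlv(buf, seq_val)
        state = buf[state_val + 2] if len(buf) > state_val + 2 else None  # 0a 01 xx, if not cut
        return {"kind": "response", "declared_len": length, "neg_state": NEG_STATES.get(state)}
    return {"kind": "unknown", "tag": tag}

REQUEST_TOKEN = "Negotiate YIIHDgYGKwYBBQUCoII..."   # from the curl transcript above, as logged
RESPONSE_TOKEN = "Negotiate oYH1MIHyoAMK..."        # idem, truncated by the log
COMPLETE_RESPONSE = "oQcwBaADCgEB"   # constructed full NegTokenResp: a1 07 30 05 a0 03 0a 01 01
```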

That is all! Enjoy!

This post explains how to create an Excel macro function that is applied to a cell value and returns the first regular-expression match in the cell calling the function. First we open the Macro Editor (Ctrl + F11) and add a new module, which is straightforward. Then we add the following code to the new module:

This code receives two Range objects as input: one is the cell we want to convert and the other holds the regular expression. The macro tests the regular expression and, if it matches, returns the first match; otherwise a generic “Not matched” message is returned.

(screenshot: 2016-08-09_17-21-45)

Above you have an example of the output!

In this post I will describe how we extracted all mailbox activity from Exchange and how we determined whether each mailbox was still active. I found that the PowerShell API for Exchange offered the tools necessary for this, so I will explain step by step a script I developed to get this information.

  1. First we get the list of mailboxes using the Get-Mailbox cmdlet. It is also possible to filter the results by mailbox name; without any other input it simply returns all mailbox information.
  2. After getting the necessary mailboxes, we go through the results and query each one's statistics with Get-MailboxFolderStatistics.
    To take only recent activity, we sort the results in descending order by the NewestItemReceivedDate column.
    In the explanation below we gather statistics for the Inbox and also for Sent Items, so the script can be scoped to received emails or to sent items.
  3. An important step in detecting that a mailbox is actually inactive is checking what I call “Days Old”; this is useful when setting thresholds to decide whether a given mailbox is inactive or not.
    We achieve this with Get-Date, which gives the current date and is also used to calculate how many days old the latest activity on Inbox items or Sent Items is.
  4. Now we should be able to get all the necessary information from Exchange. In the script we store the statistics in a PowerShell object resultset, which is convenient for exporting to CSV. To add information to that resultset we use Add-Member.

The final result would be something like the following script; it can of course be improved by adding params or functions to make it more structured.

References

https://technet.microsoft.com/en-us/library/jj200677(v=exchg.150).aspx

The main objective of this article is to set up an NFS server on Ubuntu 14 (which should also apply to other Ubuntu releases). We will configure the NFS share on an LVM volume so that we can dynamically allocate more or less space as required.

  1. Install the tools required to do so.
     root@server:~# apt-get install nfs-kernel-server
  2. After adding the new disk to the VM we have to rescan the SCSI bus for newly attached devices.
     root@server:~# echo "- - -" > /sys/class/scsi_host/host2/scan

     The kernel messages should print something similar to the following:

     root@server:~# dmesg | grep sdb
     [256775.005796] sd 2:0:1:0: [sdb] 52428800 512-byte logical blocks: (26.8 GB/25.0 GiB)
     [256775.005830] sd 2:0:1:0: [sdb] Write Protect is off
     [256775.005832] sd 2:0:1:0: [sdb] Mode Sense: 03 00 00 00
     [256775.005866] sd 2:0:1:0: [sdb] Cache data unavailable
     [256775.005868] sd 2:0:1:0: [sdb] Assuming drive cache: write through
     [256775.016796] sd 2:0:1:0: [sdb] Cache data unavailable
     [256775.016798] sd 2:0:1:0: [sdb] Assuming drive cache: write through
     [256775.027768]  sdb: unknown partition table
     [256775.049274] sd 2:0:1:0: [sdb] Cache data unavailable
     [256775.049276] sd 2:0:1:0: [sdb] Assuming drive cache: write through
     [256775.060899] sd 2:0:1:0: [sdb] Attached SCSI disk
  3. Create the LVM on the newly attached disk: create a partition of type Linux LVM, then use the LVM tools to create the physical volume, volume group and logical volume as follows.
     root@server:~# fdisk /dev/sdb

     Command (m for help): p

     Disk /dev/sdb: 26.8 GB, 26843545600 bytes
     255 heads, 63 sectors/track, 3263 cylinders
     Units = cylinders of 16065 * 512 = 8225280 bytes
     Sector size (logical/physical): 512 bytes / 512 bytes
     I/O size (minimum/optimal): 512 bytes / 512 bytes
     Disk identifier: 0xed084c72

        Device Boot      Start         End      Blocks   Id  System
     /dev/sdb1               1        3263    26210016   8e  Linux LVM

     Command (m for help): w
     The partition table has been altered!

     Calling ioctl() to re-read partition table.
     Syncing disks.

     root@server:~# pvcreate /dev/sdb1
       Physical volume "/dev/sdb1" successfully created

     root@server:~# vgcreate NFS-SHARE /dev/sdb1
       Volume group "NFS-SHARE" successfully created

     root@server:~# lvcreate -L 5GB -n NFS-LVM NFS-SHARE
       Logical volume "NFS-LVM" created
     root@server:~# lvdisplay
       --- Logical volume ---
       LV Name                /dev/NFS-SHARE/NFS-LVM
       VG Name                NFS-SHARE
       LV UUID                ats2UJ-eo4D-VMM8-ZYdx-vLin-TN4s-EIb48n
       LV Write Access        read/write
       LV Status              available
       # open                 0
       LV Size                5.00 GiB
       Current LE             1280
       Segments               1
       Allocation             inherit
       Read ahead sectors     auto
       - currently set to     256
       Block device           251:0
  4. Create an ext4 filesystem on the new logical volume and mount it at /nfs.
     root@server:~# mkfs.ext4 /dev/mapper/NFS--SHARE-NFS--LVM
     root@server:~# mkdir /nfs
     root@server:~# mount /dev/mapper/NFS--SHARE-NFS--LVM /nfs
  5. Make it available on boot.
     root@server:~# cat /etc/fstab
     ......
     # Mount for NFS
     /dev/mapper/NFS--SHARE-NFS--LVM         /nfs    ext4 errors=remount-ro          0       1
  6. Now we need to configure the NFS share. First of all, on a properly hardened OS we should add permissions at the TCP wrapper level for each daemon and network.
     root@server:~# cat /etc/hosts.allow
     portmap: 192.168.1.128/27
     lockd: 192.168.1.128/27
     mountd: 192.168.1.128/27
     rquotad: 192.168.1.128/27
     statd: 192.168.1.128/27
  7. Then we configure the NFS share by granting permissions to the remote IP addresses:
     • rw: allow NFS clients read/write operations
     • no_root_squash: allow root on NFS clients to keep root permissions when accessing the NFS share
     • async: allow asynchronous r/w operations, which increases performance but also increases the likelihood of data corruption
     root@server:~# cat /etc/exports
     #
     /nfs  192.168.1.135/27(rw,no_root_squash,async) 127.0.0.1/8(rw,no_root_squash,async)
  8. Restart the service.
     root@server:~# service portmap restart
  9. Check the NFS policies configured on the server.
     root@server:~# exportfs -a
     exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "192.168.1.135/27:/nfs".
       Assuming default behaviour ('no_subtree_check').
       NOTE: this default has changed since nfs-utils version 1.0.x

     exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "127.0.0.1/8:/nfs".
       Assuming default behaviour ('no_subtree_check').
       NOTE: this default has changed since nfs-utils version 1.0.x
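
As an added example (not part of the original post), here is a small auditor for the /etc/exports above: it flags the options enabled in this walkthrough (no_root_squash, async, the unspecified subtree_check that exportfs warns about) and compares each client spec with the /etc/hosts.allow network. Both client specs have host bits set (192.168.1.135/27 and 127.0.0.1/8), which NFS matches as the containing networks 192.168.1.128/27 and 127.0.0.0/8; the exports text and the hosts.allow network are constructed copies of the post's values.

```python
import ipaddress
import re

# Constructed copies of the post's /etc/exports and of the /etc/hosts.allow network.
EXPORTS = """\
#
/nfs  192.168.1.135/27(rw,no_root_squash,async) 127.0.0.1/8(rw,no_root_squash,async)
"""
HOSTS_ALLOW_NETS = ["192.168.1.128/27"]

CLIENT_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?:\s|$)")   # client[(opt,opt,...)]


def parse_exports(text: str) -> list:
    """Return [(path, client, [options])] for every client spec in an exports file."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:                     # blank, comment, or export with no clients
            continue
        path, clients = fields
        for client, opts in CLIENT_RE.findall(clients.strip()):
            rows.append((path, client, [o for o in opts.split(",") if o]))
    return rows


def audit(text: str, allowed_nets) -> list:
    """Return (client, code, detail) findings for risky or inconsistent export entries."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((client, "no_root_squash", f"{path}: client root is root on the share"))
        if "async" in opts:
            findings.append((client, "async", f"{path}: writes acknowledged before reaching disk"))
        if not {"subtree_check", "no_subtree_check"} & set(opts):
            findings.append((client, "subtree_check", f"{path}: unspecified, exportfs warns"))
        try:
            net = ipaddress.ip_network(client, strict=False)
        except ValueError:                      # hostname, wildcard or netgroup: not checked
            continue
        if client.split("/")[0] != str(net.network_address):   # host bits set in the spec
            findings.append((client, "host_bits", f"{path}: matches the whole {net}"))
        if not any(net.subnet_of(a) for a in allowed):
            findings.append((client, "hosts_allow_gap", f"{path}: {net} not in hosts.allow"))
    return findings
```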