Need a PHP Shell? Try: Weevely
Get it here: http://epinna.github.com/Weevely/
Similar to C99 and perhaps equally useful; I'm sure you can think of some uses!
Import private key and certificate into java keystore
How to import RSA private key into java keystore for tomcat
# You need:
# - your CA-signed certificate for acme.com
# - the matching RSA private key
# - your CA's intermediate certificate
# Bundle the key, the certificate and the intermediate into a PKCS12 file.
# Use -certfile for the intermediate: -CAfile on its own is only a trust store for chain building (it does something only together with -chain) and does not put the intermediate into the bundle, which leaves Tomcat serving an incomplete chain.
openssl pkcs12 -export -in certs/acme.com.crt -inkey acme.com.key -certfile certs/DigiCertCA.crt -name "acme.com-2013-2014" -out acme.com.p12
(Remember the export password you assign; keytool needs it as the source store password.)
# Check it worked. -nokeys keeps the private key off your terminal; you should see two certificate bags, the leaf and the intermediate:
openssl pkcs12 -in acme.com.p12 -info -nokeys
# Import the PKCS12 bundle into a Java keystore:
keytool -importkeystore -deststorepass YOUR-PASSWORD -destkeystore acme-keystore -srckeystore acme.com.p12 -srcstoretype PKCS12 -srcstorepass YOUR-PASSWORD
(YOUR-PASSWORD on the command line ends up in your shell history and is visible in ps while keytool runs; leave -deststorepass and -srcstorepass off and keytool prompts for both instead.)
Entry for alias acme.com-2013-2014 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
# Check your keystore:
keytool -list -keystore acme-keystore
Output should be similar to:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

acme.com-2013-2014, Jan 3, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): FA:A6:A3:42:95:34:15:68:26:35:40:18:8D:50:68:D4:15:C8:12:9E
# With -rfc, keytool prints each entry in full, including the chain. The run below came from a bundle built with -CAfile alone, which does not embed the intermediate, hence chain length 1; build the bundle with -certfile and you should see a chain length of 2:
keytool -list -rfc -keystore acme-keystore
Alias name: acme.com-2013-2014
Creation date: Jan 3, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
# And match the fingerprint against the certificate you imported (newer keytool versions print SHA-256 fingerprints; add -sha256 on the openssl side to compare those):
openssl x509 -fingerprint -in certs/acme.com.crt -noout
SHA1 Fingerprint=FA:A6:A3:42:95:34:15:68:26:35:40:18:8D:50:68:D4:15:C8:12:9E
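The flow above run end-to-end, as an added example that is not part of the original post: the same openssl and keytool commands against a throwaway CA generated on the spot, so it runs offline, followed by the two checks a practitioner wants after the import: that the bundle carries two certificates (leaf plus intermediate) and that the leaf inside the bundle has the same fingerprint as the certificate on disk. The root and intermediate names, the acme.com leaf and the changeit password are all constructed for the demo; the keytool step is skipped when no JDK is on the box.

```shell
#!/bin/sh
# Added example, not from the original post. Builds root -> intermediate -> leaf
# with openssl, bundles leaf key + leaf cert + intermediate into a PKCS12 with
# -certfile, checks the bundle, then imports it with keytool if available.
# All names and the password are constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS=changeit

# Throwaway chain standing in for the real CA: root -> intermediate -> acme.com leaf.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/inter.ext"
  openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=acme.com" \
    -keyout "$WORK/acme.com.key" -out "$WORK/acme.com.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:acme.com\n' >"$WORK/leaf.ext"
  openssl x509 -req -days 30 -in "$WORK/acme.com.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/acme.com.crt" 2>/dev/null
}

# -certfile puts the intermediate into the bundle. -CAfile on its own does not
# (it is only a trust store for -chain), which is how you end up with chain length 1.
build_p12() {
  openssl pkcs12 -export -in "$WORK/acme.com.crt" -inkey "$WORK/acme.com.key" \
    -certfile "$WORK/inter.crt" -name "acme.com-test" -passout "pass:$PASS" \
    -out "$WORK/acme.com.p12"
}

# Check 1: number of certificates in the bundle (want 2 = leaf + intermediate).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/acme.com.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Check 2: SHA-256 fingerprint of the leaf inside the bundle vs. the cert on disk.
leaf_fp_matches() {
  in_bundle=$(openssl pkcs12 -in "$WORK/acme.com.p12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256)
  on_disk=$(openssl x509 -in "$WORK/acme.com.crt" -noout -fingerprint -sha256)
  [ "$in_bundle" = "$on_disk" ] && echo yes || echo no
}

# Import into a Java keystore and show the chain length keytool sees (skipped without a JDK).
import_keystore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping import" >&2; return 0; }
  keytool -importkeystore -noprompt -srckeystore "$WORK/acme.com.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -destkeystore "$WORK/acme-keystore" -deststorepass "$PASS"
  keytool -list -v -keystore "$WORK/acme-keystore" -storepass "$PASS" | grep 'Certificate chain length'
}

make_chain
build_p12
echo "certs in bundle: $(p12_cert_count)  leaf fingerprint matches: $(leaf_fp_matches)"
import_keystore
```

If p12_cert_count prints 1, the intermediate was not embedded and Tomcat will serve a chain that only clients with the intermediate cached can validate; rebuild the bundle before importing.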
Generate Entropy for Linux under VMware
Virtualised servers often gather entropy slowly: a guest has no keyboard, mouse or physical disk interrupts feeding the kernel pool, so key generation (gpg here) stalls on this message:
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
The quickest way in my opinion is the following loop. Just make sure you have a DVD/CD-ROM ISO mounted and connected with VMware. The guest must see it as /dev/sr0, and /tmp needs room for a full copy of the image.
while true; do dd if=/dev/sr0 of=/tmp/dvd.iso; rm -f /tmp/dvd.iso; done
Press ^C when you're done. You can watch the pool fill from a second shell by reading /proc/sys/kernel/random/entropy_avail. This is a workaround for older guests: on kernels 5.6 and later /dev/random only blocks until the pool has been seeded once, and the proper fix in any case is a virtio-rng device for the guest, or rng-tools or haveged inside it.
Encrypt data with AES256 in your browser / javascript
I have finished setting up a new tool for in-browser AES-256 encryption via the JavaScrypt library. The page also includes a tool to produce SHA-1 / SHA-224 / SHA-256 / SHA-384 / SHA-512 hashes.
The idea was that I had a central place to encrypt and decrypt data any time, any place, with no reliance on anything except a web browser. I wanted to use JavaScript so that both my data and yours never leave the browser and stay confidential.
(Perhaps David Petraeus could have used something like this; the trail might have been even harder to follow had he left the 'draft' message encrypted.)
I implemented the SHA hashing as a tool to strengthen poor passphrases. The idea is that you use your lame password as input, create the hash and encrypt your data with the 128-character key (SHA-512). When you need to decode your data you just do the reverse. Now some valid points to think about are:
- If you are targeted and the attacker knows your key is the SHA-x hash of a passphrase, the effective key space is the passphrase space, not 2^512: every guess costs one fast, unsalted hash, so dictionary and brute-force attacks run at full hash speed.
- A hex digest uses only 0-9 and a-f, about 4 bits per character, so 128 hex characters carry at most 512 bits, against roughly 6.5 bits per character for a fully random printable string of the same length; and the digest never carries more entropy than the passphrase it was derived from.
- I believe (my opinion) that if you can afford to trade the security of someone knowing your password is a hash vs a shorter, more complicated password, you're better off hashing your actual password with SHA-512 (128 characters, a-z 0-9).
- Of course you're better off with a 128-character fully random key, but how are you supposed to remember that?
Check it out here: http://www.cammckenzie.com/encrypt/
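To make the two points about hashed passphrases concrete, here is an added example (not the post's code and not the JavaScrypt library; it uses openssl from the shell) of what "SHA-512 of a weak passphrase as the AES-256 key" buys an attacker: the ciphertext falls to a five-word dictionary loop because the digest carries no more entropy than the passphrase and each guess costs one fast, unsalted hash. Beside it is the salted, iterated derivation (openssl's -pbkdf2) that a passphrase-based tool should use. The passphrase, the dictionary and the message are constructed; taking the first 32 bytes of the digest as the key is an assumption, since the page does not say how the browser tool maps the 128-character digest onto a key.

```shell
#!/bin/sh
# Added example, not part of the original post or of the JavaScrypt tool it links to.
# Passphrase, dictionary and message are constructed. Mapping the digest to a key by
# taking its first 32 bytes is an assumption made for this demo.
set -e

# Unsalted, single-pass derivation: first 32 bytes (64 hex chars) of SHA-512(passphrase).
weak_key() {
  printf '%s' "$1" | openssl dgst -sha512 | awk '{print $NF}' | cut -c1-64
}

# Encrypt under the weak key. Output is "ivhex:base64ciphertext"; the IV is public.
weak_encrypt() {  # $1=passphrase  $2=plaintext
  iv=$(openssl rand -hex 16)
  ct=$(printf '%s' "$2" | openssl enc -aes-256-cbc -K "$(weak_key "$1")" -iv "$iv" -a -A)
  printf '%s:%s' "$iv" "$ct"
}

# Decrypt; exits non-zero on a wrong key (the padding check fails almost every time).
weak_decrypt() {  # $1=passphrase  $2=ivhex:base64ciphertext
  iv=${2%%:*}
  ct=${2#*:}
  printf '%s' "$ct" | openssl enc -d -aes-256-cbc -K "$(weak_key "$1")" -iv "$iv" -a -A
}

# Attacker's loop: one SHA-512 plus one AES decrypt per guess, no salt to defeat
# precomputation, no work factor. A crib (known plaintext prefix) rules out the rare
# wrong key that happens to produce valid padding.
crack() {  # $1=ivhex:base64ciphertext  $2=crib  -> prints the recovered passphrase
  for guess in password 123456 qwerty letmein welcome1; do  # constructed mini-dictionary
    out=$(weak_decrypt "$guess" "$1" 2>/dev/null) || continue
    case "$out" in
      "$2"*) printf '%s' "$guess"; return 0 ;;
    esac
  done
  return 1
}

# What a passphrase-based scheme should do instead: random salt plus a large iteration
# count (PBKDF2 via openssl's -pbkdf2), so each guess costs ~600k hashes and precomputed
# tables are useless. It slows the loop above down; it does not rescue a 5-word-dictionary passphrase.
strong_encrypt() {  # $1=passphrase  $2=plaintext  -> base64 "Salted__" blob
  printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt -pass "pass:$1" -a -A
}
strong_decrypt() {  # $1=passphrase  $2=blob
  printf '%s' "$2" | openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -pass "pass:$1" -a -A
}

# Demo run
secret=$(weak_encrypt letmein "Dear diary: draft message, never sent.")
echo "weak scheme, recovered passphrase: $(crack "$secret" "Dear ")"
blob=$(strong_encrypt letmein "Dear diary: draft message, never sent.")
echo "pbkdf2 round trip: $(strong_decrypt letmein "$blob")"
```

The loop recovers "letmein" in four guesses; the only thing standing between the attacker and the plaintext is the size of the passphrase space, and the hash step does nothing to enlarge it.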
How to create a new self signed certificate for Citrix VDI-in-a-Box
SSH into your VDI-in-a-Box server as user kvm
# Make a temporary working area
mkdir keystore && cd keystore
# Create a new keystore holding a fresh 2048-bit RSA key pair and a self-signed certificate valid for 10 years.
# Change HOSTNAME to your public DNS name, e.g. remote.acme.com. When keytool asks for the key password, press Enter to reuse the keystore password: Tomcat's keyPass defaults to keystorePass, so the two must match.
keytool -genkeypair -dname "CN=HOSTNAME, OU=VDI-in-a-Box, O=YOUR-BUSINESS, L=YOUR-CITY, ST=YOUR-STATE, C=US" -alias HOSTNAME -keyalg RSA -keysize 2048 -validity 3650 -keystore kmgr.keystore
# Move to Tomcat's conf directory
cd /home/kvm/kvm/install/servlet_container/conf
# Back up the old keystore and put the new one in its place (the Connector in server.xml points at conf/.keystore)
mv .keystore .Original-keystore
cp /home/kvm/keystore/kmgr.keystore .keystore
# Back up the server.xml file
cp server.xml server.Original.xml
# Edit the server.xml file. In vi, find the SSL connector by searching for the clientAuth attribute:
# /clientAuth=
# It sits in the section commented "Define a SSL HTTP/1.1 Connector on port 8443". Check that no keystorePass="..." attribute already exists anywhere in that Connector, then add one, replacing "password" with your keystore password.
For example, this Connector:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" keystoreFile="conf/.keystore" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"/>
would become:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" keystoreFile="conf/.keystore" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" keystorePass="YOUR-KEYSTORE-PASSWORD"/>
The cipher list is the appliance's stock one and still offers RC4 and 3DES suites; RC4 is prohibited for TLS by RFC 7465 and 3DES is weak against the Sweet32 birthday attack, so trim the list to the AES suites if your clients allow it.
# Restart Tomcat
tc_start
Browse to https://HOSTNAME/ and inspect the certificate: it should be the new one (check the CN and the validity dates). Expect a browser warning until the self-signed certificate is imported into the clients' trust store.
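The server.xml edit done as a script rather than by hand, as an added example that is not from the post or from Citrix: it adds keystorePass to the SSL-enabled Connector only, refuses to add a second one (the "check it does not already exist" step above), backs the file up first, and optionally builds the self-signed keystore non-interactively with the same dname layout as the post. The server.xml fragment is constructed for the demo with the Connector attributes from the post; remote.acme.com, YOUR-KEYSTORE-PASSWORD and the work directory are placeholders, and the keytool step is skipped when no JDK is present.

```shell
#!/bin/sh
# Added example, not from the original post or from Citrix. The server.xml below is a
# constructed fragment; hostname, password and paths are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

cat > "$WORK/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" keystoreFile="conf/.keystore" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"/>
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
  </Service>
</Server>
EOF

# Add keystorePass="..." to the SSL-enabled Connector(s) only. A second run is a no-op,
# which is the "verify it does not already exist" step. Backs the file up first.
# The password must not contain sed-special characters (| & \) for this simple sed.
set_keystore_pass() {  # $1=server.xml  $2=password
  if grep -q 'keystorePass=' "$1"; then
    echo "keystorePass already set in $1, leaving it alone" >&2
    return 0
  fi
  cp "$1" "$1.Original"
  sed -i.tmp "/SSLEnabled=\"true\"/ s|/>| keystorePass=\"$2\"/>|" "$1"
  rm -f "$1.tmp"
}

# How many keystorePass attributes the file carries (expect exactly 1 after the edit).
count_keystore_pass() {
  grep -o 'keystorePass="[^"]*"' "$1" | wc -l | tr -d ' '
}

# Did the password land on the SSL connector and nowhere else?
pass_on_ssl_connector_only() {  # $1=server.xml  $2=password
  ssl=$(grep -c "SSLEnabled=\"true\".*keystorePass=\"$2\"" "$1" || true)
  plain=$(grep -v 'SSLEnabled="true"' "$1" | grep -c 'keystorePass=' || true)
  [ "$ssl" = 1 ] && [ "$plain" = 0 ] && echo yes || echo no
}

# Optional: build the self-signed keystore without prompts and list it.
# Same dname layout as the post; store and key password kept equal because
# Tomcat's keyPass defaults to keystorePass. Skipped if there is no JDK here.
make_self_signed() {  # $1=hostname  $2=password  $3=keystore path
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping" >&2; return 0; }
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=$1, OU=VDI-in-a-Box, O=YOUR-BUSINESS, L=YOUR-CITY, ST=YOUR-STATE, C=US" \
    -keystore "$3" -storepass "$2" -keypass "$2"
  keytool -list -keystore "$3" -storepass "$2"
}

set_keystore_pass "$WORK/server.xml" "YOUR-KEYSTORE-PASSWORD"
set_keystore_pass "$WORK/server.xml" "YOUR-KEYSTORE-PASSWORD"   # second run changes nothing
echo "keystorePass attributes: $(count_keystore_pass "$WORK/server.xml")"
make_self_signed remote.acme.com YOUR-KEYSTORE-PASSWORD "$WORK/kmgr.keystore"
```

Run it against a copy of the real server.xml first and diff the result against the .Original backup before restarting Tomcat with tc_start.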