SSH Forced commands from Web Page

Are you a paranoid nerd, who’s business requirements are very strict about IT security? No, well you may as well stop reading here.

Perhaps you have a business requirement to perform some random function on a server that only allows SSH access, but the rest of the business requires simple press button access to perform those functions?

Well with SSH force command wrappers, SSH keys and PHP you too can have simple click button access for the rest of the business!

Basically with a Linux apache server with PHP use the following code:
[Read More…]

Squid ICAP Syntax with F-Secure Internet Gate Keeper (IGK)

*** UPDATE September 2015 - This article has been updated with the correct syntax and confirmed working on Squid 3.3.8 ***

The doco for IGK is some what lacking for the ICAP settings but it does mention ” Refer to the documentation of the proxy for information on how to set it up”. That’s not very helpful so I contacted F-Secure technical support and asked them. This is the reply:

You will need to add these lines to Squid config file:

icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://[IP address of IGK]:1344/request
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://[IP address of IGK]:1344/response
adaptation_access service_resp allow all

Unfortunately that still doesn’t work for some unknown reason and I am only getting the error:

ErrPage: ERR_CANNOT_FORWARD

I don’t have anymore time to spend on this, I guess I’ll just use the F-Secure HTTP proxy as a parent proxy for squid.

Import signed certificate for VDI-in-a-Box - Java keystore

You’d think it would be easy to perform what should be a common task. Purchase a SSL certificate from an Issuer and install it your Citrix VDI-in-a-Box server. As anyone who has performed the same with Apache it is a fairly trivial task.
But because ViaB is some sort of black magic it is rather difficult, well that and the fact the java ‘keytool’ is fu%#*ing pain the a$$!

A lot of documentation reports that ‘The cerificate must be installed to the same keystore that was used to generate the CSR. If you try to install it to a different keystore it will not work.’
Even the stupid Citrix documentation doesn’t even tell you how to do it. What they do tell you to do is to generate the CSR on ViaB server and then get that signed! This doesn’t help the 99.99% of the world who have corporate certificates created another way!

But fear not - IT CAN BE DONE! It took me fair too long to work it out but no you can do it with ease! Please follow the directions to the letter. Please type the passwords on the command line, omitting them seems to make it not work. In my example I used DigiCert who supply four certificates in the chain of trust. If you received less that OK but make sure the order you do things in (PEM generation) is the same!

# Import all the damn certs in the chain into a PEM file:

cat www.yourwebsite.com.crt >> all-certs.pem
cat DigiCertCA.crt >> all-certs.pem 
cat DigiCertCA2.crt >> all-certs.pem
cat TrustedRoot.crt >> all-certs.pem

# Import the private key and create a PKCS12 file (that contains the full chain + private key)
openssl pkcs12 -export -in all-certs.pem -inkey www.yourwebsite.com -out all-certs.p12

# Now create a java keystore based on the PKCS12 file

keytool -importkeystore -deststorepass PASSWORD-GOES-HERE -destkeystore all-certs.jks 
-srckeystore all-certs.p12 -srcstoretype PKCS12 -srcstorepass PASSWORD-GOES-HERE

# Check the output (although you can't really tell if it's going to work until you try it...)
keytool -list -keystore all-certs.jks 

# Output should be similar to: 
Enter keystore password:                                                                                                                                     
                                                                                                                                                             
Keystore type: JKS                                                                                                                                           
Keystore provider: SUN                                                                                                                                       
                                                                                                                                                             
Your keystore contains 1 entry                                                                                                                               
                                                                                                                                                             
1, 15-Jun-2013, PrivateKeyEntry,                                                                                                                             
Certificate fingerprint (SHA1): xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 

# Check the full certificate chain
keytool -list -v -keystore all-certs.jks 

# (DigiCert supplies four certifcates in this example)
# Check the order, it should be your www.yourwebsite.com, the Issuing CA, Issuing CA's Root, TrustedRoot Cert.

# Update the cert on the VDI server: 
ssh to vdi server as kvm
cd /home/kvm/kvm/install/servlet_container/conf
Backup the default keystore file:
mv .keystore old.keystore
Copy (SCP?) the new keystore file to the conf directory:
cp /home/kvm/kvm/install/servlet_container/conf/all-certs.p12 .keystore
Verify that the .keystore and old.keystore files exist:
ls –al

# Update the SSL Password in the configuration file:

Edit the server.xml file using the vi editor:
Find the clientAuth line by searching: /clientAuth=
Verify the keystorePass=”password” entry does not already exist in entire Define a SSL HTTP/1.1 Connector
 on port 8443 section. Add the following line, replacing “password” with your keystore password:
If keystorePass=”changeit” already exists in the section, simply replace the “changeit” with your
 keystore password.

# Note: Having two keystorePassword lines in the server.xml file may cause tomcat to fail when starting. 
Ensure there is only one instance of the keystorePassword.
Save and exit 

# Restart Tomcat Services
(as the kvm user)
tc_stop && tc_start

How to create a new self signed certificate for Citrix VDI-in-a-Box

ssh into your vdi-in-a-box server as user kvm

# Make our temp working area

mkdir keystore
cd keystore

# Run the following command which will create a new keystore, new keypair, a self signed cert that will last 10 years.
# Change HOSTNAME to your public DNS name. eg, remote.acme.com

keytool --genkey --dname "CN=HOSTNAME, OU=VDI-in-a-Box, O=YOUR-BUSINESS,  
 L=YOUR-CITY, ST=YOUR-STATE, C=US" --alias HOSTNAME --keyalg RSA --keysize 2048 --validity 3650 
--keystore kmgr.keystore

# cd into /home/kvm/kvm/install/servlet_container/conf

cd /home/kvm/kvm/install/servlet_container/conf

# Backup the old keystore

mv .keystore .Original-keystore

# Backup the server.xml file

cp server.xml server.Original.xml

# edit the server.xml file
# Find the clientAuth line by searching/typing:
# /clientAuth=
# Verify the keystorePass=”password” entry does not already exist in entire Define a SSL HTTP/1.1 Connector on port 8443 section. Add the following line, # replacing “password” with your keystore password:

EG.

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="conf/.keystore"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"/>

Would look like:

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="conf/.keystore"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
                keystorePass="YOUR-KEYSTORE-PASSWORD"/>

# restart Tomcat

tc_start

Check your new self signed cert is shown in the browser!

hack tool of the week - Responder-1.0

Tool functionalities:

Once this tool is launched, it will join the IGMP group and listen on UDP 5355 port multicast.
This tool will also listen on TCP port 139, 445, 1433, 80 and UDP port 137, if you have any service running on these ports, you will need to stop them prior launching this tool.
The tool will write captured hashes to a file in the current folder for each poisoned host with the following syntax: [SMB/HTTP/SQL]-[NTLMv1/v2]-Client-IP.txt in a John Jumbo format.The SMB server supports Windows ranging from NT4 to Windows Server 2012 RC, Samba, Mac OsX Lion.

http://blog.spiderlabs.com/2012/10/introducing-responder-10.html