Kudithipudi.Org

April 10, 2013

HOW TO : Convert PFX/P12 crypto objects into a java keystore

Filed under: HOWTO,security,Technology — Vinay @ 8:37 am

We needed to add a certificate that is currently in PKCS#12 format currently into a java keystore at work recently. The typical step would be due to create an empty keystore and then import the certificate from the PKCS#12 store using the following command

keytool -importkeystore -srckeystore sourceFile.p12 -srcstoretype PKCS12 -destkeystore destinationFile.jks

Note: PKCS#12 files can have extensions “.p12″ or “.pfx”

The command executed without any issues, but we received the following error when we started the application server using this newly created keystore

java.io.IOException: Error initializing server socket factory SSL context: Cannot recover key

It didn’t make sense, because we were able to view the certificate in the keystore and were using the right password in the configuration files.

After a lot of searching and head scratching, the team came up with the following solution

  1. Export the public key and private key from the PKCS#12 store using openssl.
  2. Import these keys into the java keystore (default format of JKS)

The commands used were

openssl pkcs12 -in sourcePKCS12File.p12 -nocerts -out privateKey.pem
openssl pkcs12 -in sourcePKCS12File.p12 -nokeys -out publicCert.pem
openssl pkcs12 -export -out intermittentPKCS12File.p12 -inkey privateKey.pem -in publicCert.pem
keytool -importkeystore -srckeystore intermittantPKCS12File.p12 -srcstoretype PKCS12 -destkeystore finalKeyStore.jks

November 12, 2012

HOW TO : Use curl to check the impact of DNS changes

Filed under: HOWTO,Linux,security,Technology,Web — Vinay @ 5:48 pm

Ran into an interesting scenario at work today. We had to check the impact of a DNS change on a certain hostname. Normally, you would edit your host file entry to reflect the DNS change and do your testing. Here is another way you can do it using cURL. In this particular example, I am checking the SSL certificate details of the hostname .

curl --insecure --trace-ascii debug.txt https://HOSTNAME:PORT --resolve HOSTNAME:PORT:IP_ADDRESS

That’s a pretty convoluted command :) . Let’s try to break it down

--insecure

: tells cURL to ignore certificate warnings. This is helpful if you are using self signed certs

--trace-ascii

: tells cURL to save the SSL connection details (in debug mode) to a file called debug.txt

--resolve

: tells cURL to use the options mentioned after it to resolve the hostname, rather than using DNS. The format for resolve is <host:port:address>

NOTE: You need to have version 7.21.3 or higher of cURL to use this option

Here’s a real world example. Say, I want to see how the IP address 72.30.38.140 would reacts if www.google.com requests are routed to it


samurai@samurai:~$ curl --insecure --trace-ascii debug.txt https://www.google.com --resolve www.google.com:443:72.30.38.140
The document has moved <A HREF="http://www.google.com/?s=https">here</A>.<P>
<!-- ir2.fp.sp2.yahoo.com uncompressed/chunked Mon Nov 12 22:44:41 UTC 2012 -->
samurai@samurai:~$ more debug.txt
== Info: Added www.google.com:443:72.30.38.140 to DNS cache
== Info: About to connect() to www.google.com port 443 (#0)
== Info: Trying 72.30.38.140... == Info: connected
== Info: Connected to www.google.com (72.30.38.140) port 443 (#0)
== Info: successfully set certificate verify locations:
== Info: CAfile: none
 CApath: /etc/ssl/certs
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 223 bytes (0xdf)
0000: ......P.|v..1..kA.......=J.xr.=ft.3.|...Z.....9.8.........5.....
0040: ................3.2.....E.D...../...A...........................
0080: .......W.........www.google.com...........4.2...................
00c0: ...............................
== Info: SSLv3, TLS handshake, Server hello (2):
<= Recv SSL data, 42 bytes (0x2a)
0000: ...&..P.{.I"L....3x..N...9..../<n....A..5.
== Info: SSLv3, TLS handshake, CERT (11):
<= Recv SSL data, 1272 bytes (0x4f8)
0000: ..........0...0..S..........0...*.H........0N1.0...U....US1.0...
0040: U....Equifax1-0+..U...$Equifax Secure Certificate Authority0...1
0080: 00401230014Z..150703045000Z0..1)0'..U... 2g8aO5wI1bKJ2ZD588UsLvD
00c0: e3gTbg8DU1.0...U....US1.0...U....California1.0...U....Sunnyvale1
0100: .0...U....Yahoo Inc.1.0...U....www.yahoo.com0.."0...*.H........
0140: .....0..........5.p./........O...k.C...9E+.J..H.s....Bm.T.E.-..<
0180: ^...m...r.v<\...&Qq..l.......... @'(q.m..ZJ.*kt...!.AWU.......M.
01c0: ...n...O....0.._...H....4......>.m..K.......Z...:.Df%.lR.!...(!.
0200: .FV.dQ...f.V....P,.J9.c..dM.s>C=....Y..#...47#2.....cP.{....g.rU
0240: .d...P.................0...0...U...........0...U.............t5.
0280:......U..0:..U...3010/.-.+.)http://crl.geotrust.com/crls/secure
02c0: ca.crl0..[..U.....R0..N..www.yahoo.com..yahoo.com..us.yahoo.com.
0300: .kr.yahoo.com..uk.yahoo.com..ie.yahoo.com..fr.yahoo.com..in.yaho
0340: o.com..ca.yahoo.com..br.yahoo.com..de.yahoo.com..es.yahoo.com..m
0380: x.yahoo.com..it.yahoo.com..sg.yahoo.com..id.yahoo.com..ph.yahoo.
03c0: com..qc.yahoo.com..tw.yahoo.com..hk.yahoo.com..cn.yahoo.com..au.
0400: yahoo.com..ar.yahoo.com..vn.yahoo.com0...U.#..0...H.h.+....G.# .
0440: O3....0...U.%..0...+.........+.......0...*.H...............2..0.
0480: S.'.y....GD.Q...=...K+..q..kv.......<h.......ZLE.h$..M2^.C..IT..
04c0: ".5j....Vc7.4......1.Wu.[.a>+.........9..{.a:.........
== Info: SSLv3, TLS handshake, Server finished (14):
<= Recv SSL data, 4 bytes (0x4)
0000: ....
== Info: SSLv3, TLS handshake, Client key exchange (16):
=> Send SSL data, 262 bytes (0x106)
0000: .......R.....b.,.&.. s.Ob;.E_.EnSw../D...'.....(aB<<......F..]..
0040: o.........~...*..r?.C..%..22...J.bu&.x(j|.......>A5..OF.G...C.$.
0080: .9u9n.z...K.....u.....~:W.{Sii.{2..6........<.....i...8y$y.....6
00c0: ...1.(M...fx....#k..r....47..t.q.....A.?.0. .D.....~...G+.,....~
0100: ..=.#y
== Info: SSLv3, TLS change cipher, Client hello (1):
=> Send SSL data, 1 bytes (0x1)
0000: .
== Info: SSLv3, TLS handshake, Finished (20):
=> Send SSL data, 16 bytes (0x10)
0000: ....!9)...6...+.
== Info: SSLv3, TLS change cipher, Client hello (1):
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: SSLv3, TLS handshake, Finished (20):
<= Recv SSL data, 16 bytes (0x10)
0000: .....(qN..l.]...
== Info: SSL connection using AES256-SHA
== Info: Server certificate:
== Info: subject: serialNumber=2g8aO5wI1bKJ2ZD588UsLvDe3gTbg8DU; C=US; ST=California; L=Sunnyvale; O=Yahoo Inc.; CN=www.yahoo.com
== Info: start date: 2010-04-01 23:00:14 GMT
== Info: expire date: 2015-07-03 04:50:00 GMT
== Info: subjectAltName does not match www.google.com
=> Send header, 167 bytes (0xa7)
0000: GET / HTTP/1.1
0010: User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 Ope
0050: nSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
0082: Host: www.google.com
0098: Accept: */*
00a5:
<= Recv header, 32 bytes (0x20)
0000: HTTP/1.1 301 Moved Permanently
<= Recv header, 37 bytes (0x25)
0000: Date: Mon, 12 Nov 2012 22:44:41 GMT
<= Recv header, 42 bytes (0x2a)
0000: Location: http://www.google.com/?s=https
<= Recv header, 23 bytes (0x17)
0000: Vary: Accept-Encoding
<= Recv header, 19 bytes (0x13)
0000: Connection: close
<= Recv header, 28 bytes (0x1c)
0000: Transfer-Encoding: chunked
<= Recv header, 40 bytes (0x28)
0000: Content-Type: text/html; charset=utf-8
<= Recv header, 24 bytes (0x18)
0000: Cache-Control: private
<= Recv header, 2 bytes (0x2)
0000:
<= Recv data, 173 bytes (0xad)
0000: 000009d
0009: The document has moved <A HREF="http://www.google.com/?s=https">
0049: here</A>.<P>.<!-- ir2.fp.sp2.yahoo.com uncompressed/chunked Mon
0089: Nov 12 22:44:41 UTC 2012 -->.
00a8: 0
00ab:
== Info: Closing connection #0
== Info: SSLv3, TLS alert, Client hello (1):
=> Send SSL data, 2 bytes (0x2)
0000: ..

November 5, 2012

SNL hacked

Filed under: security,Technology — Vinay @ 12:02 am

Screenshot of NBC’ hacked website (in particular the Saturday Night Live section). Link to Hacker News discussion http://news.ycombinator.com/item?id=4740312

I found it interesting that the site was not fixed for several hours even after it was reported on major news outlets. Ironical that NBC itself is a major news outlet :) .  It would be great if NBC publishes a follow up on how the server(s) were compromised so that the rest of the world can learn from this incident.

p.s : Nice blog post by my one time colleague, Ed Bellis, on how the security industry should be sharing more information so that we can improve the state of security across the board.

August 28, 2012

Another day.. Another Hack

Filed under: Programming,security,Web — Vinay @ 11:23 pm

The net is up in arms about a new release from team Ghostshell of compromise data. Details of the leak can be found at http://www.theregister.co.uk/2012/08/28/team_ghostshell_megahack/ and the source of the data is at http://pastebin.com/BuabHTvr .

I thought I would put my nascent python skills to use and write a simple script to parse through the release and download all the data. Hoping to analyze it later on. It is pretty basic, but does the job of parsing the release and downloading the content. You can get the script at https://github.com/kudithipudi/Misc-Scripts/blob/master/parseHellfire.py

Watch out for an analysis of the content soon :) .

August 27, 2012

HOW TO : Use openssl client to check for PCI compliant SSL ciphers

Filed under: HOWTO,Networking,security,Technology — Vinay @ 11:45 am

Simple one liner to check if your web server is using strong ciphers


openssl s_client -cipher LOW -host SERVER_NAME -port 443

August 20, 2012

HOW TO : Use Python to look for credit card numbers

Filed under: HOWTO,Programming,security — Vinay @ 4:53 pm

Simple script in python to look for credit card numbers in a file.


#Importing modules
import re
import os

# Define variables
inputFile = 'test.txt'
searchPattern = '((\D(6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{11,12}\D)|(^(6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{11,12}\D))'

tempinputFile = open(inputFile)
tempLine = tempinputFile.readline()

while tempLine:
print ("LINE: " + tempLine)
foundContent = re.search(searchPattern,tempLine, re.IGNORECASE)
if foundContent:
print("FOUND: " + foundContent.group())
tempLine = tempinputFile.readline()

tempinputFile.close()

The script started out as a simple check for any 16 digit numbers that had a non numeric character on either end. But I tweaked it a little bit to look for credit card like numbers using the regex from http://www.regular-expressions.info/creditcard.html. Finally I added an option to match credit card like numbers if the numbers start at the beginning of the line (i.e there is no non-numeric number before the credit card number)

March 29, 2012

Project Uptime : Progress Report – 4

Filed under: HOWTO,Linux,security,Technology — Vinay @ 12:26 am

Continuing to lock down the server as part of project uptime a bit more.. I highly recommend enabling and using iptables on every Linux server. I want to restrict inbound traffic to the server to only SSH (tcp port 22) and HTTP(S) (tcp port 80/443). Here’s the process

Check the current rules on the server

sudo iptables -L

Add rules to allow SSH, HTTP and HTTPS traffic and all traffic from the loopback interface

sudo iptables -I INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport http -j ACCEPT
sudo iptables -A INPUT -p tcp --dport https -j ACCEPT

Drop any traffic that doesn’t match the above mentioned criteria

sudo iptables -A INPUT -j DROP

save the config and create script for the rules to survive reboots by running

sudo su -
iptables-save > /etc/firewall.rules

now create a simple script that will load these rules during startup. Ubuntu provides a pretty neat way to do this. You can write a simple script and place it in /etc/network/if-pre-up.d and the system will execute this before bringing up the interfaces. You can get pretty fancy with this, but here is a simple scrip that I use

samurai@samurai:/etc/network/if-pre-up.d$ cat startfirewall
#!/bin/bash

# Import iptables rules if the rules file exists

if [ -f /etc/firewall.rules ]; then
iptables-restore </etc/firewall.rules
fi

exit 0

Now you can reboot the server and check if your firewall rules are still in effect by running

sudo iptables -L

March 28, 2012

Project Uptime : Progress Report – 3

Filed under: Databases,HOWTO,Linux,Networking,security,Technology,Web — Vinay @ 11:45 pm

Things have been a bit hectic at work.. so didn’t get a lot of time to work on this project. Now that that the new server has been setup and the kernel updated, we get down to the mundane tasks of installing the software.

One of the first things I do, when configuring any new server is to restrict root user from logging into the server remotely. SSH is the default remote shell access method nowadays. Pls don’t tell me you are still using telnet :) .

And before restricting the root user for remote access, add a new user that you want to use for regular activities, add the user to sudo group and ensure you can login and sudo to root as this user. Here are the steps I follow to do this on a Ubuntu server

Add a new user

useradd xxxx

Add user to sudo group

usermod -G sudo -a xxxx

Check user can sudo to gain root access

sudo su - xxxx
su -

Now moving into the software installation part

Install Mysql

sudo apt-get install mysql-server

you will be prompted to set the root user during this install. This is quite convenient, unlike the older installs, where you had to set the root password later on.

Install PHP

sudo apt-get install php5-mysql

In addition to installing the PHP5-mysql, this will also install apache. I know, I mentioned, I would like to try out the new version of Apache. But it looks like Ubuntu, doesn’t have a package for it yet. And I am too lazy to compile from source :) .

With this you have all the basic software for wordpress. Next, we will tweak this software to use less system resources.

March 19, 2012

HOW TO : Check SSL certificate validity using curl

Filed under: Networking,security,Technology,Web — Vinay @ 11:01 am

If you want to check the SSL certificate validation (expiry time, hostname match, self signed etc) using curl, you can do it by running

curl -cacert URL_ADDRESS

Example : If you want to check the SSL certificate of GoDaddy

curl -cacert https://www.godaddy.com

March 17, 2012

HOW TO : Generate MD5 fingerprint of SSL cert

Filed under: HOWTO,Linux,security,Technology — Vinay @ 3:10 pm

Quick onliner on generating a MD5 fingerprint for a SSL certificate using openssl

openssl x509 -noout -md5 -fingerprint -in NAME_OF_CERTIFICATE_FILE

If you don’t specify the -md5 option, you will get a SHA1 fingerprint.

Older Posts »

Powered by WordPress