MaxSpirit - bevlogen ICT!

Geen gedoe meer op windows om een netwerk trace te maken. Gebruik powershell !

netsh trace start capture=yes tracefile=c:\temp\capture.etl IPv4.Address=192.168.1.1

De trace is nu gestart en om deze te stoppen:

netsh trace stop

De output is een Microsoft formaat, maar die kan in een wireshark pcap formaat worden omgezet.

$s = New-PefTraceSession -Path "C:\temp\OutFile.Cap" -SaveOnStop
$s | Add-PefMessageProvider -Provider "C:\temp\capture.etl"
$s | Start-PefTraceSession

NB. bestands extentie .cap is verplicht.

Mocht Powershell het commando New-PefTraceSession niet kennen, dan kan het geïnstalleerd worden met: Install-Module PEF

Welke data stuurt een client mee in zijn web request?

Meestal eenvoudig te achterhalen door het netwerk verkeer te snifferen met tcpdump en wireshark. Maar web verkeer wordt steeds vaker versleuteld, dus dan zie je nog niet het bericht. Een oplossing kan zijn door gebruik te maken van de Apache Module mod_dumpio.

• Zorg ervoor dat de module mod_dumpio is geladen in Apache
• Plaats onderstaande parameters in de virtual host
• Herstart Apache Webserver

DumpIOInput On
DumpIOOutput On
LogLevel dumpio:trace7

Als de client nu een POST request stuurt

curl -v -k -d @postdata.xml https://www.somewebsite.nl/somewebservice

Dan zal deze gelogd worden in de error log (zie ErrorLog)

[Wed Mar 02 14:30:37.630279 2022] [dumpio:trace7] [pid 7989:tid 139849176680192] mod_dumpio.c(103): [remote 1.1.1.1:443] mod_dumpio: dumpio_out (data-POOL): POST /somewebservice HTTP/1.1\r\n

Revoked Certficate, hoe controleer je dat?

Je kan gebruik maken van deze website: https://decoder.link/result

Maar we kunnen natuurlijk ook openssl gebruiken 😉

Benodigdheden:

• PEM certificaat
• PEM certificaat intermediate (of root als er geen intermediate is)
• openssl

Opvragen ocsp_uri:
openssl x509 -in intermediate.pem -noout -ocsp_uri

$ openssl x509 -in intermediate.pem -noout -ocsp_uri
http://ocsp.digicert.com

Met deze ocsp_uri kunnen we de status opvragen:
openssl ocsp -no_nonce -issuer intermediate.pem -cert certificate.pem -url <ocsp_uri> -VAfile intermediate.pem 

$ openssl ocsp -no_nonce -issuer intermediate.pem -cert certificate.pem -url http://ocsp.digicert.com -VAfile intermediate.pem

Voorbeeld response:

Response verify OK
certificate.pem: revoked
This Update: Feb 21 16:57:01 2022 GMT
Next Update: Feb 28 16:12:01 2022 GMT
Revocation Time: Jan 17 07:24:28 2022 GMT

of

Response verify OK
certificate.pem: good
This Update: Feb 20 20:44:10 2022 GMT
Next Update: Feb 27 20:44:10 2022 GMT

Zie ook: https://www.sslcertificaten.nl/support/Terminologie/Online_Certificate_Status_Protocol_(OCSP)

Oracle gebruikt de Oracle Wallet om certificaten in op te slaan.
Hier een aantal methodes om daar mee om te gaan.

– Oracle Wallet aanmaken
$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -pwd “geheim”

– Importeer een Java keystore in een Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./ -pwd “geheim” \
-keystore KEYSTORE.jks -jkspwd “geheim”

– Importeer een P12 keystore in een Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet import_pkcs12 -wallet ./ -pwd “geheim” \
-pkcs12file P12.jks -pkcs12pwd “geheim”

– Importeer een PEM certifcaat in een Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert ./CERTIFICATE.pem -pwd “geheim”

– Maak auto-login mogelijk van de Oracle Wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -auto_login -pwd “geheim”

– Toon wat er in de Oracle Wallet zit
$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet ./ -pwd “geheim”

– Help pagina Oracle Wallet

$ORACLE_HOME/oracle_common/bin/orapki help

Oracle PKI Tool : Version 12.2.1.3.0
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

orapki [crl|wallet|cert|help] <-nologo> <-jsafe>
Syntax :
[-option [value]] : mandatory, for example [-wallet [wallet]]
[-option <value>] : optional, but when option is used its value is mandatory.
<option> : optional, for example <-summary>, <-complete>
[option1] | [option2] : option1 ‘or’ option2

$ORACLE_HOME/oracle_common/bin/orapki wallet help

Oracle PKI Tool : Version 12.2.1.3.0
Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

wallet:
create [-wallet [wallet]] [[-pwd <pwd>] [-auto_login|-auto_login_local]] | [-auto_login_only] [-with_trust_flags] [-compat_v12]
display [-wallet [wallet]] <-summary|-complete> [-pwd <pwd>]
convert [-wallet [wallet]] [-pwd <pwd>] | [-auto_login_only] [-compat_v12]
change_pwd [-wallet [wallet]] [-oldpwd <oldpwd>] [-newpwd <newpwd>]
enable_trust_flags [-wallet [wallet]] [-pwd <pwd>] | [-auto_login_only] <-untrust_all>
add [-wallet [wallet]] <[-dn [dn]]> <-asym_alg [RSA|ECC]> <[-keysize [512|1024|2048|4096|8192|16384]] |
[-eccurve [p192|p224|p256|p384|p521|k163|k233|k283|k409|k571|b163|b233|b283|b409|b571]]>
<-self_signed [-validity [days]] | [-valid_from [mm/dd/yyyy] -valid_until [mm/dd/yyyy]]
[-serial_file <file_loc>] | [-serial_num <serial_num>]> <-addext_ski>
<-addext_ku digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly>
<-addext_basic_cons [CA] | [-pathLen [pathlen]]]>
<-addext_san [DNS:<value>]>
<[-cert [filename]] [-trusted_cert|-user_cert]> [-pwd <pwd>] | [-auto_login_only]
[-sign_alg <md5|sha1|sha256|sha384|sha512|ecdsasha1|ecdsasha256|ecdsasha384|ecdsasha512>]
<-trust_flags [SERVER_AUTH,CLIENT_AUTH|VALID_PEER|NULL]>
assign_trust_flags [-wallet [wallet]] [-pwd <pwd>] [-trust_flags [SERVER_AUTH,CLIENT_AUTH|VALID_PEER|NULL]]
[-dn [cert_dn]] <-issuer [issuer_dn]> <-serial_num [serial_num]>
remove [-wallet [wallet]] [-dn [subject_dn]] [-issuer_dn [issuer_dn]] [-serial_num <serial_num>]
[-trusted_cert_all|-trusted_cert|-user_cert|-cert_req] [-pwd <pwd>] | [-auto_login_only]
replace [-wallet [wallet]] [-issuer_dn <issuer_dn>] [-serial_num <serial_num>] [-cert [filename]]
[-trusted_cert|-user_cert]> <-trust_flags [SERVER_AUTH,CLIENT_AUTH|VALID_PEER|NULL]> [-pwd <pwd>]
export [-wallet [wallet]] [-dn [dn]] [-cert [filename] | -request [filename]] [-pwd <pwd>]
<-issuer_dn [issuer_dn]> <-serial_num [serial_num]>
export_trust_chain [-wallet [wallet]] [-certchain [filename]] [-dn [user_cert_dn]] [-pwd <pwd>]
<-issuer_dn [issuer_dn]> <-serial_num [serial_num]>
export_private_key [-wallet [wallet]] [-pwd <pwd>] [-pvtkeyfile [filename]] [-alias [pvtkey_alias]] [-pvtkeypwd <pwd>] [-salt salt]
import_private_key [-wallet [wallet]] [-pwd <pwd>] [-alias [pvtkey_alias]] [-pvtkeyfile [filename]] [-pvtkeypwd <pwd>] [-salt salt] [-cert [certfilename]] [-cacert [cacertfilename]]
upload [-wallet [wallet]] [-ldap [host:port]] [-user [user]] [-userpwd [userpwd]] [-pwd <pwd>]
download [-wallet [wallet]] [-ldap [host:nonsslport]] [-user [user]] [-userpwd [userpwd]] [-pwd <pwd>]
jks_to_pkcs12 [-wallet [wallet]] [-pwd <pwd>] [-keystore [keystore]] [-jkspwd [jkspwd]]
<-aliases [alias:alias..]>
pkcs12_to_jks [-wallet [wallet]] [-pwd <pwd>] [-jksKeyStoreLoc <jksKSloc> -jksKeyStorepwd <jksKS_pwd>]
[-jksTrustStoreLoc <loc> -jksTrustStorepwd <pwd>]
p11_add [-wallet [wallet]] [-p11_lib <pkcs11Lib>] [-p11_tokenlabel <tokenLabel>]
[-p11_tokenpw <tokenPassphrase>] [-p11_certlabel <certlabel>] [-pwd <pwd>]
p11_verify [-wallet [wallet]] [-pwd <pwd>]
import_pkcs12 [-wallet <wallet>] [[-pwd <pwd>] | [-auto_login_only]] [-pkcs12file <pkcs12Loc>] [-pkcs12pwd <pkcs12Pwd>]
help

Oracle gebruikt voor een aantal van zijn producten de Oracle Wallet om certificaten in op te slaan.
In deze post wordt een procedure beschreven hoe je deze zou kunnen aanmaken.

1. Maak of vraag een nieuw certificaat aan

bijvoorbeeld:
openssl req \
-new -newkey rsa:2048 -nodes \
-subj “/CN=voor.beeld.nl/O=bedrijf/OU=PO/C=NL/ST=Noord-Holland/L=Amsterdam” \
-keyout KEY_voor_beeld_nl.pem -out CSR_voor_beeld_nl.pem

Vraag een certificaat aan en verzamel de intermediate en root certificaten.
Maak daar vervolgens een p12 keystore van.

openssl pkcs12 -export -out CERT_voor_beeld_nl.p12 \
-inkey KEY_voor_beeld_nl.pem \
-in CERT_voor_beeld_nl.pem \
-certfile CARootIntermediates.pem

2. Converteer het p12 formaat naar een Java keystore formaat

$JAVA_HOME/jre/bin/keytool -v -importkeystore \
-srckeystore CERT_voor_beeld_nl.p12 -srcstoretype PKCS12 -srcstorepass geheim \
-destkeystore CERT_voor_beeld_nl.jks -deststoretype JKS -deststorepass geheim

3. Maak een Oracle Wallet aan

$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -pwd “geheim”

4. Importeer de Java keystore in de Oracle Wallet

$ORACLE_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./ -pwd “geheim” \
-keystore CERT_voor_beeld_nl.jks -jkspwd “geheim”

5. Zet auto_login aan op de Oracle Wallet voor de Oracle Webtier

$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet ./ -auto_login

De Oracle Wallet is klaar.
Er staan nu 2 bestanden in de directory
ewallet.p12 – Dit is de Oracle Wallet
cwallet.sso – Dit is de Oracle Wallet met auto-login

Voor gebruik in de Oracle Webtier kopieer je de cwallet.sso naar de gewenste lokatie.
Dit is de directory die staat geconfigureerd in de Webtier config file bij SSLWallet

Bijvoorbeeld:
<IfModule ossl_module>
SSLEngine on
SSLVerifyClient None
SSLCRLCheck Off
SSLWallet “/u01/oracle/certificates”
# SSL Protocol Support: Configure usable SSL/TLS protocol versions.
SSLProtocol ALL
# SSL Cipher Suite: List the ciphers that the client is permitted to negotiate.
SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA
</IfModule>

Rdesktop is a great way to connect to Windows Desktops.

But there is a pesky drawback. How to change your windows password?

Pressing Ctrl+Alt+Delete usally results in your operating system doing some stuff, instead of forwarding the key combo to the Windows RDP server.
The alternative Ctrl+Alt+End combo never worked for me.

Then I came across a great way to send the required key combination:
namely use Sticky Keys !

“I
find that when I type Shift 5 times in a row, a window pops up from the
Windows guest asking if I want to use Sticky Keys, I type Enter to
accept.
Then I can type Ctrl by itself, then Alt by itself, then
Delete by itself, and the remote-desktop guest sees a usual
Ctrl-Alt-Delete and opens the login screen.
The host OS does not see or respond to the Sticky-Keys Ctrl-Alt-Del.”

In short: hit Shift
5 times, Enter in the Sticky-Keys popup, Ctrl down & release, Alt
down & release, Delete down & release = Ctrl-Alt-Del

And you get the option to change your password !

Still using Oracle Designer?
And the Windows version has to be updated?
And the Oracle Database version as well?

Don’t Panic! It still works.

Install Oracle Designer with the Installer or Setup set on compatibility WinXP and run as Administrator.

You will find all the registry key now under:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ORACLE

When using Oracle Database 12c you will get an error when using the Oracle Designer java-based utilities, such as version compare.
The underlying error is: ORA-28040
This can be solved by adding the following entries to the sqlnet.ora in the ORACLE_HOME/network/admin folder of the database on the database server:
SQLNET.ALLOWED_LOGON_VERSION_SERVER=8
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8

now the jdbc drivers in the classes12.zip can connect to the Oracle 12c database.

Have Fun !

Je bent geconnect, maar bent het wachtwoord alweer vergeten.
Je hebt Windows 10 en geen Linux, dus hoe haal ik dat wachtwoord op?

simpeler dan verwacht:
cmd

C:\>netsh wlan show profile

C:\>netsh wlan show profile name=”<PROFIEL NAAM>” key=clear

Security settings

—————–

Authentication : WPA2-Personal

Cipher : CCMP

Authentication : WPA2-Personal

Cipher : Unknown

Security key : Present

Key Content : <ZWAAR GEHEIM>

NB. nog een interessante:

C:\>netsh wlan show all

Laat alle informatie zien, inclusief beschikbare WiFi netwerken met sterkte en channels…
iwlist for Windows 😉