The Moose and Squirrel Files

October 31, 2008

Movember – Fighting Prostate Cancer

Filed under: Uncategorized — Tags: , , — networknerd @ 12:06 pm

Ok this is not a normal post for a geek blog, but statistically speaking there is a very high chance that if you’ve stumbled across this blog that you have a prostate and that you are at risk! Apologies in advance to all you geekgirls that might be offended by that statement.

Ben Smallwood, a lawyer but nonetheless a gentleman, is currently braving cruel “70’s porn star” jokes to raise funds for this worthwhile cause. No, he hasn’t “come to clean ze pool”. He’s raising money for a charity that benefits all men. Please help the cause by donating at the Movember website https://www.movember.com/au/donate/donate-details.php?action=sonsorlink&rego=1574726&country=au

More information is available at http://au.movember.com/

October 29, 2008

IOS Upgrade – %SYS-3-IMAGE_TOO_BIG

Filed under: Cisco, Network — networknerd @ 8:49 pm

I attempted an IOS upgrade on a 3845 router on the weekend and, upon reboot, received this error on the console:

%SYS-3-IMAGE_TOO_BIG: ‘flash:c3845-advipservicesk9-mz.124-22.T.bin’ is too large for available memory (50954264 bytes).boot of “c3845-advipservicesk9-mz.124-22.T.bin” using boot helper “flash:c3845-advipservicesk9-mz.123-11.T5.bin” failed

The message seems self-explanatory: the image is too big for memory. However, I had done my homework and the router had the minimum 512 MB of memory and 128 MB of flash. The interesting thing here is the second sentence. I had left the original image in flash (since there was plenty of room) and used a boot system command to ensure that the new IOS was loaded. The old image was being loaded, at least partially, as a boot helper.

I thought that the boot helper came from ROM, but this indicates a second-stage boot process using the first image found in flash, not the image specified in the config. One possibility is that the second-stage boot loader from the 12.3 image took up too much memory. Alternatively, the boot loader may have a hard-coded limit on the size of the buffer it allocates to read the image into. I didn’t have any extra memory to test that theory.

Since the second-stage boot loader was being loaded from the first available image, and we know the image is selected in dir (alphabetical) order, it was a simple matter to rename the old image from c3845-advipservicesk9-mz.123-11.T5.bin to c3845-advipservicesk9-mz.128-11.T5.bin so that it sorted after the new one. After rebooting, the image loaded perfectly.

So the moral of the story: if the image should fit in memory and you have old images in flash, either delete them or rename them so that they appear after the desired boot image in the output of the show flash command.
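
As an added example (not from the post), a Python pre-flight check that applies the rule above to a constructed dir flash: listing: it reports which image a first-found boot helper would pick, which old images sort ahead of the wanted one, and whether a rename plan such as the one used here fixes it. The listing’s sizes and dates are made up; only the two filenames come from the post.

```python
import re

# Constructed "dir flash:" listing in the shape IOS prints. Sizes and dates
# are invented; the filenames are the two images from the post.
DIR_FLASH = """\
Directory of flash:/

    1  -rw-    38726644   Mar 14 2006 14:03:10 +10:00  c3845-advipservicesk9-mz.123-11.T5.bin
    2  -rw-    51445620   Oct 25 2008 09:12:44 +10:00  c3845-advipservicesk9-mz.124-22.T.bin

131072000 bytes total (40899736 bytes free)
"""

# index, permissions, size, date/time, name
DIR_LINE = re.compile(r"^\s*\d+\s+\S+\s+(\d+)\s+.*?\s+(\S+)$")


def parse_dir(listing):
    """Map each IOS image (.bin) in a 'dir flash:' listing to its size in bytes."""
    images = {}
    for line in listing.splitlines():
        m = DIR_LINE.match(line)
        if m and m.group(2).endswith(".bin"):
            images[m.group(2)] = int(m.group(1))
    return images


def boot_helper_image(images):
    """The image a first-found boot helper loads: first name in dir (alphabetical) order."""
    return min(images) if images else None


def preflight(listing, desired, renames=None):
    """Check a planned boot image against everything else in flash.

    renames maps old name -> new name so a rename plan (the post renamed
    ...123-11.T5.bin to ...128-11.T5.bin) can be tested before touching the router.
    """
    images = parse_dir(listing)
    for old, new in (renames or {}).items():
        images[new] = images.pop(old)
    shadowing = sorted(name for name in images if name < desired)
    return {
        "desired_present": desired in images,
        "boot_helper": boot_helper_image(images),
        "shadowing": shadowing,  # images that sort ahead of the one we want
        "ok": desired in images and not shadowing,
    }


if __name__ == "__main__":
    wanted = "c3845-advipservicesk9-mz.124-22.T.bin"
    print(preflight(DIR_FLASH, wanted))
    print(preflight(DIR_FLASH, wanted,
                    {"c3845-advipservicesk9-mz.123-11.T5.bin":
                     "c3845-advipservicesk9-mz.128-11.T5.bin"}))
```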

Leave a comment if you’ve struck this problem before or you know more about the boot process.

October 26, 2008

Configuring OpenLDAP for Client Certificate Authentication

Filed under: Certificates, linux, openldap — Tags: , , , — networknerd @ 12:30 pm

I wanted to test the MAC authentication bypass (MAB) mechanism as an alternative to reconfiguring switchports via SNMP when re-imaging computers in an 802.1X network. According to the Cisco documentation, that requires an LDAP server to hold the MAC addresses of the computers, and an LDAP client program to add the MAC addresses and modify the group information.

Since re-imaging is an automated operation there would be no way to enter an LDAP password, and I didn’t want to hard-code the password into the client or a script. That left me with two options to investigate: certificate-based authentication or Kerberos. From the title of the post it should be obvious that I wasn’t brave enough to try Kerberos.

Materials:

  • ADIOS 4.12 Linux Boot CD, containing OpenLDAP 2.2.13 and Cyrus SASL 2.1.19
  • Spare computer that will boot the CD.
  • Certificates – a self-signed CA certificate, a server certificate and a client certificate. See this post for more information on generating self-signed certificates.

The important configuration file for OpenLDAP is /etc/openldap/slapd.conf, shown in full in listing 2. The lines that matter for certificate authentication are shown below. Note that the sasl-regexp can be difficult to get right: the cn of my client certificate contains spaces, which caused the slapd.conf to fail verification. I tried using \s to match the spaces but eventually had to fall back to “.”

#Trusted CA certificates
TLSCACertificateFile /media/usb/ldap/Acme/cacert.pem
#Server certificate file
TLSCertificateFile /media/usb/ldap/Acme/ldap.pem
#Server certificate key file
TLSCertificateKeyFile /media/usb/ldap/Acme/ldap.pem
#Force Openldap to ask for a client certificate
TLSVerifyClient	try

#Map the certificate dn to the openldap dn
#Note that sasl-regexp became authz-regexp in version 2.3
sasl-regexp
   cn=LDAP.Server.Manager
   cn=Manager,dc=acme,dc=com,dc=au
#set openldap logging level to debug
loglevel -1
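
The mapping step that sasl-regexp performs, as an added Python example (not the post’s or OpenLDAP’s code): it applies (match-pattern, replacement) rules to the SASL username that slapd derives from the client certificate, and also tries a tighter anchored rule and a $1 capture rule, both of which are my assumptions rather than anything in the post.

```python
import re

# The "SASL username" slapd derived from the client certificate, copied from
# the ldapsearch output in the post.
CERT_IDENTITY = ("emailAddress=ldapmanager@acme.com.au,CN=LDAP Server Manager,"
                 "O=Acme Pty Ltd,L=Brisbane,ST=Queensland,C=AU")

# (match-pattern, replacement) pairs in slapd.conf order; the first match wins.
# This is the post's rule, with '.' standing in for each space in the CN.
POST_RULES = [
    (r"cn=LDAP.Server.Manager", "cn=Manager,dc=acme,dc=com,dc=au"),
]

# Assumed tighter rules (mine, not the post's): anchored to the whole identity
# and using literal spaces. In slapd.conf an argument containing spaces has to
# be double-quoted, e.g.
#   sasl-regexp "^emailAddress=ldapmanager@acme\.com\.au,cn=LDAP Server Manager,.*$" "cn=Manager,dc=acme,dc=com,dc=au"
# The second rule maps any other certificate issued under the same CA onto a
# MAB device entry by its CN, using the $1 capture substitution.
TIGHT_RULES = [
    (r"^emailAddress=ldapmanager@acme\.com\.au,cn=LDAP Server Manager,"
     r"o=Acme Pty Ltd,l=Brisbane,st=Queensland,c=AU$",
     "cn=Manager,dc=acme,dc=com,dc=au"),
    (r"^cn=([^,]+),ou=MAC Addresses,o=Acme Pty Ltd,c=AU$",
     "cn=$1,ou=MAC Addresses,ou=MAB Segment,dc=acme,dc=com,dc=au"),
]


def authz_map(identity, rules):
    """Return the DN the first matching rule maps identity to, or None.

    Matching is case-insensitive and not anchored unless the pattern anchors
    itself, which is consistent with the post's unanchored pattern matching
    'CN=LDAP Server Manager' in the middle of the full identity.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, identity, re.IGNORECASE)
        if m:
            # substitute $1..$9 with the corresponding capture groups
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def mapped_to_rootdn(identity, rules, rootdn="cn=Manager,dc=acme,dc=com,dc=au"):
    """True when the identity would be mapped onto the directory's rootdn."""
    return authz_map(identity, rules) == rootdn
```

Because every certificate the CA issues reaches this mapping, a loose pattern ('.' matches any character) widens who ends up as rootdn; the anchored rule only admits the one subject.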

The LDAP client configuration file is .ldaprc, usually located in the user’s home directory. Listing 1 shows a .ldaprc file’s contents. Note the lines beginning with TLS, which specify the acceptable CA certificates and the certificate and key file to be used for authentication, and SASL_MECH, which selects EXTERNAL (TLS client certificate) authentication.

We can check that everything is configured correctly by performing a search. The -ZZ option forces StartTLS and requires it to succeed; the SASL username line in the output shows the certificate subject that slapd runs through sasl-regexp.

[adios@adios-bootcd ~]$ ldapsearch -ZZ -h ldap.acme.com.au -b "" -s base +
Enter PEM pass phrase:clientcertpassword
SASL/EXTERNAL authentication started
SASL username: emailAddress=ldapmanager@acme.com.au,CN=LDAP Server Manager,O=Acme Pty Ltd,L=Brisbane,ST=Queensland,C=AU
SASL SSF: 0
# extended LDIF

….
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL
subschemaSubentry: cn=Subschema

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Now we can attempt to add entries to the LDAP database. The contents of default.ldif are shown in listing 3.

[adios@adios-bootcd ~]$ ldapadd -ZZ -h ldap.acme.com.au -f /media/usb/ldap/conf/default.ldif
Enter PEM pass phrase:
SASL/EXTERNAL authentication started
SASL username: emailAddress=ldapmanager@acme.com.au,CN=LDAP Server Manager,O=Acme Pty Ltd,L=Brisbane,ST=Queensland,C=AU
SASL SSF: 0
adding new entry "dc=acme,dc=com,dc=au"
adding new entry "cn=Manager,dc=acme,dc=com,dc=au"
adding new entry "cn=Barbara Jensen,dc=acme,dc=com,dc=au"
adding new entry "ou=MAB Segment, dc=acme,dc=com,dc=au"
adding new entry "ou=MAC Addresses, ou=MAB Segment, dc=acme,dc=com,dc=au"
adding new entry "ou=MAC Groups, ou=MAB Segment, dc=acme,dc=com,dc=au"
adding new entry "cn=acctsprn,ou=MAC Addresses, ou=MAB Segment, dc=acme, dc=com, dc=au"
adding new entry "cn=printgroup,ou=MAC Groups, ou=MAB Segment, dc=acme, dc=com,dc=au"

Listing 1 – .ldaprc

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never
HOST 127.0.0.1
BASE dc=acme,dc=com,dc=au
#URI         ldaps://ldap.acme.com.au:636/

SASL_MECH   EXTERNAL
TLS_CERT    /media/usb/ldap/Acme/ldapmgr.pem
TLS_KEY     /media/usb/ldap/Acme/ldapmgrkey.pem
TLS_CACERT  /media/usb/ldap/Acme/cacert.pem

Listing 2 – slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/var/run/slapd.pid
argsfile	/var/run/slapd.args

# Load dynamic backend modules:
# modulepath	/usr/sbin/openldap
# moduleload	back_bdb.la
# moduleload	back_ldap.la
# moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

TLSCACertificateFile /media/usb/ldap/Acme/cacert.pem
TLSCertificateFile /media/usb/ldap/Acme/ldap.pem
TLSCertificateKeyFile /media/usb/ldap/Acme/ldap.pem
TLSVerifyClient	try
# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database	bdb
suffix		"dc=acme,dc=com,dc=au"
rootdn		"cn=Manager,dc=acme,dc=com,dc=au"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw		secret
# rootpw		{crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
sasl-regexp
   cn=LDAP.Server.Manager
   cn=Manager,dc=acme,dc=com,dc=au

loglevel -1

Listing 3 – default.ldif


dn:		dc=acme,dc=com,dc=au
objectClass:	dcObject
objectClass:	organization
objectClass:	top
o:		acme
dc:		acme

dn:		cn=Manager,dc=acme,dc=com,dc=au
objectclass:	organizationalRole
cn:		Manager

dn: cn=Barbara Jensen,dc=acme,dc=com,dc=au
objectclass: person
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
userPassword:	superstr0ngpassw0rd

dn: ou=MAB Segment, dc=acme,dc=com,dc=au
ou: MAB Segment
objectClass: top
objectClass: organizationalUnit
description: MAC Authentication Bypass Sub-Tree

dn: ou=MAC Addresses, ou=MAB Segment, dc=acme,dc=com,dc=au
ou: MAC Addresses
objectClass: top
objectClass: organizationalUnit

dn: ou=MAC Groups, ou=MAB Segment, dc=acme,dc=com,dc=au
ou: MAC Groups
objectClass: top
objectClass: organizationalUnit

dn: cn=acctsprn,ou=MAC Addresses, ou=MAB Segment, dc=acme, dc=com, dc=au
objectClass: top
objectClass: device
objectClass: ieee802Device
macAddress: 00:21:5a:5f:91:c9
cn: acctsprn

dn: cn=printgroup,ou=MAC Groups, ou=MAB Segment, dc=acme, dc=com, dc=au
objectClass: top
objectClass: groupofuniquenames
description: group of delimited MAC Addresses
uniqueMember: cn=acctsprn,ou=MAC Addresses, ou=MAB Segment, dc=acme, dc=com, dc=au
cn: printgroup

Debugging SSL/TLS Certificate Operations with OpenSSL

Filed under: Certificates — Tags: , , , — networknerd @ 9:25 am

OpenSSL provides a convenient way of exercising SSL/TLS connections to debug problems such as untrusted CA certificates and client certificate authentication failures.

The s_client command can be used to debug connections to servers. In this example I test client certificate authentication to an OpenLDAP server. With the -msg switch the TLS handshake messages are displayed. William Stallings wrote an excellent article on the TLS handshake protocol, which I would highly recommend for an easy-to-understand overview.

[adios@adios-bootcd ~]$ openssl s_client -connect localhost:636 -CAfile /media/usb/ldap/Acme/cacert.pem -cert /media/usb/ldap/Acme/ldapmgr.pem -key /media/usb/ldap/Acme/ldapmgrkey.pem -msg
Enter PEM pass phrase:clientcertpassword
CONNECTED(00000003)
>>> SSL 2.0 [length 008c], CLIENT-HELLO
01 03 01 00 63 00 00 00 20 00 00 39 00 00 38 00
….
9b 73 89 fb de 2e 68 1e 73 da b9 64
<<< TLS 1.0 Handshake [length 004a], ServerHello
02 00 00 46 03 01 49 03 8d fb 96 a9 59 d0 6e 3a
….
51 01 3b 1d 54 5b 66 00 35 00
<<< TLS 1.0 Handshake [length 05cb], Certificate
0b 00 05 c7 00 05 c4 00 02 df 30 82 02 db 30 82
….
ed dc 7c 69 e2 24 d0 04 52 fb 12
depth=1 /C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
verify return:1
depth=0 /C=AU/ST=Queensland/L=Brisbane/O= Acme Pty Ltd/CN=ldap.acme.com.au/emailAddress=ldapadmin@Acme.com.au
verify return:1
<<< TLS 1.0 Handshake [length 0060], CertificateRequest
0d 00 00 5c 02 01 02 00 57 00 55 30 53 31 0b 30
….
55 04 03 13 0b 54 72 75 73 74 6d 61 73 74 65 72
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
0e 00 00 00
>>> TLS 1.0 Handshake [length 05cf], Certificate
0b 00 05 cb 00 05 c8 00 02 e3 30 82 02 df 30 82
….
79 95 76 6a ed dc 7c 69 e2 24 d0 04 52 fb 12
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
10 00 00 82 00 80 3e 05 96 a4 7c 76 cc 0f 9d 03
….
4e 28 17 81 c2 f8
>>> TLS 1.0 Handshake [length 0086], CertificateVerify
0f 00 00 82 00 80 59 03 45 a1 19 4a ca 4e 02 89
….
5b 67 4c 98 c2 bb
>>> TLS 1.0 ChangeCipherSpec [length 0001]
01
>>> TLS 1.0 Handshake [length 0010], Finished
14 00 00 0c 5b 40 c8 f0 de 25 c3 44 4f c9 79 40
<<< TLS 1.0 ChangeCipherSpec [length 0001]
01
<<< TLS 1.0 Handshake [length 0010], Finished
14 00 00 0c f8 c5 60 53 fb cc a6 67 7f bd 18 ab

Certificate chain
0 s:/C=AU/ST=Queensland/L=Brisbane/O= Acme Pty Ltd/CN=ldap.acme.com.au/emailAddress=ldapadmin@Acme.com.au
i:/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
1 s:/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
i:/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster

Server certificate
subject=/C=AU/ST=Queensland/L=Brisbane/O= Acme Pty Ltd/CN=ldap.acme.com.au/emailAddress=ldapadmin@Acme.com.au
issuer=/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster

Acceptable client certificate CA names
/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster

SSL handshake has read 1731 bytes and written 1971 bytes

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher    : AES256-SHA
Session-ID: 3EB070B9ACEFE43151F93E17496D779ABE8A50FE463CE73F0851013B1D545B66
Session-ID-ctx:
Master-Key: 669A8E689E26D4A4B738E2FC2CCC01E99DF571463DD8E6668339C5E72C761209134F83B1C57CE8B9161191B9AF7E97ED
Key-Arg   : None
Krb5 Principal: None
Start Time: 1224969723
Timeout   : 300 (sec)
Verify return code: 0 (ok)

Since the LDAP server requires a client certificate, if we fail to provide one we get a fatal handshake failure (alert number 40) straight after the client’s empty Certificate message:

[root@adios-bootcd ~]# openssl s_client -connect localhost:636 -CAfile /media/usb/ldap/Acme/cacert.pem  -msg
CONNECTED(00000003)
>>> SSL 2.0 [length 008c], CLIENT-HELLO
01 03 01 00 63 00 00 00 20 00 00 39 00 00 38 00
….
e9 c4 3b 49 97 30 e8 27 f8 51 bd c6
<<< TLS 1.0 Handshake [length 004a], ServerHello
02 00 00 46 03 01 49 03 a0 14 ec 91 6e ef d1 c5
….
34 d1 11 63 12 5a 88 00 35 00
<<< TLS 1.0 Handshake [length 05cb], Certificate
0b 00 05 c7 00 05 c4 00 02 df 30 82 02 db 30 82
….
ed dc 7c 69 e2 24 d0 04 52 fb 12
depth=1 /C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
verify return:1
depth=0 /C=AU/ST=Queensland/L=Brisbane/O= Acme Pty Ltd/CN=ldap.acme.com.au/emailAddress=ldapadmin@Acme.com.au
verify return:1
<<< TLS 1.0 Handshake [length 0060], CertificateRequest
0d 00 00 5c 02 01 02 00 57 00 55 30 53 31 0b 30
….
55 04 03 13 0b 54 72 75 73 74 6d 61 73 74 65 72
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
0e 00 00 00
>>> TLS 1.0 Handshake [length 0007], Certificate
0b 00 00 03 00 00 00
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
10 00 00 82 00 80 5c 31 33 b3 37 a5 e2 aa 6a 05
….
64 fe fa 8d aa 21
>>> TLS 1.0 ChangeCipherSpec [length 0001]
01
>>> TLS 1.0 Handshake [length 0010], Finished
14 00 00 0c f2 19 92 71 f2 8d c0 84 00 3a 0a 7b
<<< TLS 1.0 Alert [length 0002], fatal handshake_failure
02 28
4607:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
4607:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

Similarly, if the CA certificate of the server is untrusted we get errors, but OpenSSL continues with the connection, as can be seen in the output of the verify routine in response to the server’s Certificate message. Because s_client reports the verification failure rather than aborting, check the Verify return code at the end of the output rather than relying on the handshake having completed.

[adios@adios-bootcd ~]$ openssl s_client -connect localhost:636   -msg
CONNECTED(00000003)
>>> SSL 2.0 [length 008c], CLIENT-HELLO
01 03 01 00 63 00 00 00 20 00 00 39 00 00 38 00
….
d2 4d 34 75 dc 75 57 b8 d9 9a 52 3a
<<< TLS 1.0 Handshake [length 004a], ServerHello
02 00 00 46 03 01 49 03 a8 82 ca 0d 54 68 ee f7
….
60 ed bb 9d 4a ba 7f 00 35 00
<<< TLS 1.0 Handshake [length 05cb], Certificate
0b 00 05 c7 00 05 c4 00 02 df 30 82 02 db 30 82
….
ed dc 7c 69 e2 24 d0 04 52 fb 12
depth=1 /C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
verify error:num=19:self signed certificate in certificate chain
verify return:0
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
0e 00 00 00
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
10 00 00 82 00 80 2e 4d f8 4a 1f 70 be 25 00 d9
….
0f d7 2a c8 cd f0
>>> TLS 1.0 ChangeCipherSpec [length 0001]
01
>>> TLS 1.0 Handshake [length 0010], Finished
14 00 00 0c db 63 b6 e9 03 bf 3a 9a 17 ac 70 06
<<< TLS 1.0 ChangeCipherSpec [length 0001]
01
<<< TLS 1.0 Handshake [length 0010], Finished
14 00 00 0c 8d 56 fd 05 01 dc a1 1e 64 8b fc cd

Certificate chain
0 s:/C=AU/ST=Queensland/L=Brisbane/O= Acme Pty Ltd/CN=ldap.acme.com.au/emailAddress=ldapadmin@Acme.com.au
i:/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
1 s:/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
i:/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster

Server certificate
subject=/C=AU/ST=Queensland/L=Brisbane/O= Acme Pty Ltd/CN=ldap.acme.com.au/emailAddress=ldapadmin@Acme.com.au
issuer=/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster

No client certificate CA names sent

SSL handshake has read 1635 bytes and written 340 bytes

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher    : AES256-SHA
Session-ID: 577521F8CAD8508B6C9B66EDAADBD2B63D481A16A87B77982D60EDBB9D4ABA7F
Session-ID-ctx:
Master-Key: 53521EACA3173067D467E53EABB67869A8E17489DF201972F29314DC3BC4103AE80194F5EAB768F929CFD98B5EDEFC30
Key-Arg   : None
Krb5 Principal: None
Start Time: 1224976514
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
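
An added Python helper, not from the post, that reads the three -msg sessions above (trimmed to the lines that matter) and reports how each handshake ended; reading a 7-byte client Certificate message as an empty certificate list follows the TLS handshake layout (4-byte header plus a 3-byte zero length).

```python
import re

# Trimmed copies of the three "openssl s_client -msg" sessions in the post
# (hex payload lines and the session summary dropped; nothing else changed).
WITH_CLIENT_CERT = """\
>>> SSL 2.0 [length 008c], CLIENT-HELLO
<<< TLS 1.0 Handshake [length 004a], ServerHello
<<< TLS 1.0 Handshake [length 05cb], Certificate
depth=1 /C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
verify return:1
<<< TLS 1.0 Handshake [length 0060], CertificateRequest
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
>>> TLS 1.0 Handshake [length 05cf], Certificate
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
>>> TLS 1.0 Handshake [length 0086], CertificateVerify
>>> TLS 1.0 Handshake [length 0010], Finished
<<< TLS 1.0 Handshake [length 0010], Finished
Verify return code: 0 (ok)
"""
NO_CLIENT_CERT = """\
<<< TLS 1.0 Handshake [length 0060], CertificateRequest
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
>>> TLS 1.0 Handshake [length 0007], Certificate
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
>>> TLS 1.0 Handshake [length 0010], Finished
<<< TLS 1.0 Alert [length 0002], fatal handshake_failure
"""
UNTRUSTED_CA = """\
<<< TLS 1.0 Handshake [length 05cb], Certificate
depth=1 /C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
verify error:num=19:self signed certificate in certificate chain
verify return:0
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
>>> TLS 1.0 Handshake [length 0010], Finished
<<< TLS 1.0 Handshake [length 0010], Finished
Verify return code: 19 (self signed certificate in certificate chain)
"""

# One -msg record line: direction, optional content type, length, optional name.
MSG = re.compile(r"^(>>>|<<<) (?:SSL|TLS) [\d.]+ (?:(\w+) )?\[length ([0-9a-f]+)\](?:, (.+))?$")
VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$")
VERIFY_RC = re.compile(r"^Verify return code: (\d+)")


def analyse(transcript):
    """Walk an s_client -msg transcript and return what happened and why."""
    r = {"cert_requested": False, "client_cert_sent": False, "alert": None,
         "verify_errors": [], "verify_rc": None, "finished": set()}
    for line in transcript.splitlines():
        m = MSG.match(line)
        if m:
            direction, kind, length, name = m.groups()
            if direction == "<<<" and name == "CertificateRequest":
                r["cert_requested"] = True
            elif direction == ">>>" and name == "Certificate":
                # 7 bytes = 4-byte handshake header + 3-byte zero length:
                # the client answered the request with an empty certificate list.
                r["client_cert_sent"] = int(length, 16) > 7
            elif direction == "<<<" and kind == "Alert":
                r["alert"] = name
            elif name == "Finished":
                r["finished"].add(direction)
            continue
        m = VERIFY_ERR.match(line)
        if m:
            r["verify_errors"].append((int(m.group(1)), m.group(2)))
            continue
        m = VERIFY_RC.match(line)
        if m:
            r["verify_rc"] = int(m.group(1))
    r["diagnosis"] = diagnose(r)
    return r


def diagnose(r):
    if r["alert"] and r["cert_requested"] and not r["client_cert_sent"]:
        return "server requires a client certificate and none was offered"
    if r["alert"]:
        return "server aborted the handshake: " + r["alert"]
    if r["verify_errors"]:
        num, text = r["verify_errors"][0]
        # s_client keeps going after a verify error, so a pair of Finished
        # messages alone does not mean the server's chain was trusted.
        return "server chain not trusted by this client (verify error %d: %s)" % (num, text)
    if r["finished"] == {">>>", "<<<"}:
        return "handshake completed" + (" with client certificate" if r["client_cert_sent"] else "")
    return "handshake incomplete"
```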

October 25, 2008

Mounting USB Flash Drives in Linux

Filed under: linux — Tags: , — networknerd @ 10:00 am

Working with USB flash drives in Linux can often be a little frustrating compared with Windows. Often when a USB thumb drive is inserted it doesn’t mount.

The trick is to use the dmesg command to find the device name assigned to the flash drive.

dmesg | tail -17

usb 1-7: new high speed USB device using ehci_hcd and address 3
scsi2 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 3
usb-storage: waiting for device to settle before scanning
Vendor: USB       Model: Flash Disk        Rev: V1.1
Type:   Direct-Access                      ANSI SCSI revision: 00
SCSI device sdb: 2015232 512-byte hdwr sectors (1032 MB)
sdb: Write Protect is off
sdb: Mode Sense: 23 00 00 00
sdb: assuming drive cache: write through
SCSI device sdb: 2015232 512-byte hdwr sectors (1032 MB)
sdb: Write Protect is off
sdb: Mode Sense: 23 00 00 00
sdb: assuming drive cache: write through
sdb: sdb1
Attached scsi removable disk sdb at scsi2, channel 0, id 0, lun 0
usb-storage: device scan complete

After the device name is found it is a simple matter to mount it as usual:

mount /dev/sdb1 /media/usb

October 19, 2008

Creating Self-Signed Certificates with OpenSSL

Filed under: Certificates — Tags: , — networknerd @ 6:05 am

Once again I find myself in need of a certificate for TLS protection and authentication of data exchanges with a server in the lab. Go straight to openssl, create my own CA and sign my own certificates, right? Absolutely, but I always forget how, and I have never written it down.  Next time I can come back here for the recipe.

Step 1 – Create the CA

Remember when using CA.pl you can enter a “.” to leave a field blank.

C:\OpenSSL\bin>ca.pl -newca
CA certificate filename (or enter to create)

Making CA certificate …
Loading ‘screen’ into random state – done
Generating a 1024 bit RSA private key
……………………………………………………++++++
.++++++
writing new private key to ‘./demoCA/private/cakey.pem’
Enter PEM pass phrase: capassword
Verifying – Enter PEM pass phrase: capassword
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dodgy CA Pty Ltd
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:Trustmaster
Email Address []:.

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Using configuration from C:\OpenSSL\bin\openssl.cfg
Loading ‘screen’ into random state – done
Enter pass phrase for ./demoCA/private/cakey.pem:capassword
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
d3:3e:29:89:ab:e7:62:3f
Validity
Not Before: Oct 17 21:53:00 2008 GMT
Not After : Oct 17 21:53:00 2011 GMT
Subject:
countryName               = AU
stateOrProvinceName       = Queensland
organizationName          = Dodgy CA Pty Ltd
commonName                = Trustmaster
X509v3 extensions:
X509v3 Subject Key Identifier:
73:FF:5D:2C:A9:CB:54:7B:0D:6B:25:47:7E:89:3C:5B:66:AE:68:D9
X509v3 Authority Key Identifier:
keyid:73:FF:5D:2C:A9:CB:54:7B:0D:6B:25:47:7E:89:3C:5B:66:AE:68:D9
DirName:/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
serial:D3:3E:29:89:AB:E7:62:3F

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Oct 17 21:53:00 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Step 2 – Create Certificate Request

Remember that certificate requests and private keys are written to newreq.pem and newkey.pem, and will be overwritten when you generate the next request. For servers to start automatically the private key generally can’t be protected by a passphrase. Use openssl rsa <infile >outfile to create a key file with no passphrase, and restrict that file’s permissions, since anyone who can read it holds the server’s identity.

C:\OpenSSL\bin>ca.pl -newreq
Loading ‘screen’ into random state – done
Generating a 1024 bit RSA private key
………..++++++
…….++++++
writing new private key to ‘newkey.pem’
Enter PEM pass phrase:ldappassword
Verifying – Enter PEM pass phrase:ldappassword
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Acme Pty Ltd
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:ldap.acme.com.au
Email Address []:ldapadmin@Acme.com.au

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Request is in newreq.pem, private key is in newkey.pem

Step 3 – Sign the Certificate with the CA key

C:\OpenSSL\bin>ca.pl -sign
Using configuration from C:\OpenSSL\bin\openssl.cfg
Loading ‘screen’ into random state – done
Enter pass phrase for ./demoCA/private/cakey.pem: capassword
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
d3:3e:29:89:ab:e7:62:40
Validity
Not Before: Oct 17 22:41:00 2008 GMT
Not After : Oct 17 22:41:00 2009 GMT
Subject:
countryName               = AU
stateOrProvinceName       = Queensland
localityName              = Brisbane
organizationName          =  Acme Pty Ltd
commonName                = ldap.acme.com.au
emailAddress              = ldapadmin@Acme.com.au
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4F:BA:05:9F:34:5A:95:B5:37:7F:A7:4F:CD:14:76:B8:19:4B:3F:7B
X509v3 Authority Key Identifier:
keyid:73:FF:5D:2C:A9:CB:54:7B:0D:6B:25:47:7E:89:3C:5B:66:AE:68:D9

Certificate is to be certified until Oct 17 22:41:00 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

C:\OpenSSL\bin>ren newcert.pem ldap.pem

C:\OpenSSL\bin>ren newkey.pem ldapkey.pem

C:\OpenSSL\bin>openssl rsa <ldapkey.pem >>ldap.pem
Enter pass phrase:ldappassword
writing RSA key

C:\OpenSSL\bin>type ldap.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d3:3e:29:89:ab:e7:62:40
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Queensland, O=Dodgy CA Pty Ltd, CN=Trustmaster
Validity
Not Before: Oct 17 22:41:00 2008 GMT
Not After : Oct 17 22:41:00 2009 GMT
Subject: C=AU, ST=Queensland, L=Brisbane, O= Acme Pty Ltd, CN=ldap.acme.com.au/emailAddress=ldapadmin@Acme.com.au
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bf:5e:b8:de:dc:ad:87:05:6c:34:75:6e:ff:07:
67:f4:c1:da:f6:ec:dd:4e:57:5b:9e:76:71:3d:b6:
03:cb:2f:88:61:21:c8:ae:15:77:13:e2:86:39:a5:
26:71:f9:df:e4:d4:ee:28:d4:72:5d:0d:11:16:0c:
af:91:47:45:f4:6e:a4:d8:b9:71:0e:28:a7:5c:2f:
bc:25:9f:29:d4:50:c1:a5:18:f1:5d:a2:28:eb:a1:
91:2a:5d:8a:a8:1b:ee:8c:13:9d:dd:3c:fb:5c:60:
48:be:c0:50:35:a9:eb:2e:ae:5a:1f:b1:68:d0:c7:
61:db:bd:25:e3:33:b8:c4:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4F:BA:05:9F:34:5A:95:B5:37:7F:A7:4F:CD:14:76:B8:19:4B:3F:7B
X509v3 Authority Key Identifier:
keyid:73:FF:5D:2C:A9:CB:54:7B:0D:6B:25:47:7E:89:3C:5B:66:AE:68:D9

Signature Algorithm: sha1WithRSAEncryption
17:33:dc:15:98:46:20:32:62:1d:ed:a0:ce:47:40:b4:0d:c5:
72:d0:14:71:b3:df:46:d8:58:4a:94:e6:fa:44:3a:d5:b5:83:
45:59:db:33:f9:0b:76:f1:a0:8c:9d:03:81:48:ac:6e:59:e0:
86:b5:10:df:e4:17:2e:86:3c:e3:84:0f:1a:b7:24:b3:9c:ea:
80:99:37:29:16:7f:8c:ee:f7:9e:eb:1b:56:12:74:eb:f1:5e:
b8:d9:df:e1:53:a7:3f:20:c9:42:e3:f4:e4:fd:20:b2:7c:8a:
72:c7:8a:8a:bb:1b:8a:08:e7:04:78:1e:64:8f:70:2f:78:e4:
ba:3f

Repeat steps 2 and 3 as required.

Step 4 – Convert Certificate to PKCS12 Format for Use with Windows (Optional)

After creating a client-side certificate for authentication as per steps 2 and 3, we can convert the certificate and its key (newkey.pem) to PKCS12 format for importing into the Windows certificate store.

C:\OpenSSL\bin>openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out ldapmgr.p12 -name "LDAP Manager Dude"
Loading ‘screen’ into random state – done
Enter pass phrase for newkey.pem:
Enter Export Password:
Verifying – Enter Export Password:

October 7, 2008

HTA to Set Exchange “Out of Office” Message

Filed under: Code — Tags: , , , , — networknerd @ 8:18 pm

This HTA was created to streamline a common helpdesk task: setting the Out of Office (OOF) message for users who have gone on holiday without setting it themselves.

The original process involved the helpdesk giving themselves access to the mailbox in question, creating an Outlook profile for the user’s mailbox, starting Outlook to set the OOF message, and finally revoking their permissions on the user’s mailbox. An audit of mailbox permissions made it obvious that the final step, revoking the permissions, was frequently overlooked.

The script consists of a few simple steps:

  1. Perform an AD search for the user’s sAMAccountName and return their Exchange server.
  2. Grant full control of the mailbox to the helpdesk staff member.
  3. Create a MAPI profile for the mailbox.
  4. Get/set the current OOF message.
  5. Toggle the Out of Office status flag.

Removal of the mailbox permissions granted along the way is handled in the HTA’s window_onunload handler, which walks the list of mailboxes touched during the session. Cleanup tied to unload does not run if the HTA process is killed or crashes, so a periodic audit of mailbox permissions remains worthwhile.

Listing 1 – OOF.HTA

<html>
<head>
<title>Set out of Office Message</title>
<HTA:APPLICATION
  ID="OOF"
  APPLICATIONNAME="Set Out Of Office Message"
  SCROLL="yes"
  SINGLEINSTANCE="yes"
>
</head>
<SCRIPT LANGUAGE="VBScript">
option explicit
Rem reference http://www.cdolive.com/outofofficecalendar.htm
Rem Updated to grant and remove permissions to the mailbox automatically
CONST ADS_ACEFLAG_INHERIT_ACE = 2
CONST ADS_RIGHT_DS_CREATE_CHILD = 1
CONST ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ACE_MB_FULL_ACCESS = &h1

Rem Define all our variables
Dim strProfileInfo, CDOSession, strOOFText, objButton, objInfostore, CdoFolderRoot
Dim objConnection, objCommand, objRecordSet, intRetcode, objOption
Dim strExchsvr, strPath, objUser, objTrustee, strTrustee, WshNetwork, boolRightsSet, objshell
Dim objMBXlist, oSecurityDescriptor, dacl, ace, arrTemp

'*****************************************************************************
'* function window_onload
'* Purpose: Initialise all the global variables required to proceed or
'*          terminate the application.
'* Inputs:  none
'* Returns: nothing
'*****************************************************************************
sub window_onload
  on error resume next
  set objMBXlist = createobject("scripting.dictionary")
  if err.number = 0 then
    on error goto 0
    strTrustee = getTrusteeName()
  else
    msgbox "Fatal Error - Could not create dictionary object." & vbcrlf & "Application will now close.", VBCRITICAL
    self.close()
  end if
  if strTrustee = "" then
    msgbox "Fatal Error - Could not get logged on user info." & vbcrlf & "Application will now close.", VBCRITICAL
    self.close()
  end if
  inorout.checked = False
end sub

'*****************************************************************************
'* function window_onunload
'* Purpose: ensure the removal of access rights from all accessed mailboxes
'*          when the application terminates.
'* Inputs:  none
'* Returns: nothing
'*****************************************************************************
sub window_onunload
  for each strPath in objMBXlist.keys
    removeMbxRights strPath, objMBXlist.item(strPath)
  next
end sub

'*****************************************************************************
'* function getTrusteeName
'* Purpose: get the username and domain for the helpdesk staff to be added to
'*          the access control list on the users
'* Inputs:  none
'* Returns: String in the format domain\username
'*****************************************************************************
function getTrusteeName
  on error resume next
  Set WshNetwork = CreateObject("WScript.Network")
  if err.number = 0 then
    getTrusteeName = WshNetwork.UserDomain & "\" & WshNetwork.UserName
  else
    getTrusteeName = ""
    err.clear
  end if
  on error goto 0
end function

'*****************************************************************************
'* function get_OOF_TEXT
'* Purpose: get the users current "Out of Office" Message into a text box
'* Inputs:  none
'* Returns: nothing
'*****************************************************************************
sub get_OOF_TEXT
  disablecontrols(True)
  strProfileInfo = strExchsvr & vbLf & staffcode.value
  Set CDOSession = CreateObject("MAPI.SESSION")
  on error resume next
  CDOSession.Logon "", "", False, True, 0, False, strProfileInfo
  if err.number = 0 then
    OOF_TEXT.value = CDOSession.OutOfOfficeText
    if CDOSession.OutOfOffice = True then
      inorout.checked = True
    else
      inorout.checked = False
    end if
    inorout.disabled = "false"
    CDOSession.Logoff
  else
    msgbox "Error logging on to mailbox." & vbcrlf & err.number & vbcrlf _
      & err.description & vbcrlf & _
      "Wait a few minutes for AD permissions to replicate and try again!", VBCRITICAL
  end if
  on error goto 0
  Set CDOSession = Nothing
  disablecontrols(False)
end sub

'*****************************************************************************
'* function set_OOF_TEXT
'* Purpose: set the users current "Out of Office" Message from text box value
'* Inputs:  none
'* Returns: nothing
'*****************************************************************************
sub set_OOF_TEXT
  ' Controls are disabled for the duration of the MAPI call, as in get_OOF_TEXT
  disablecontrols(True)
  strProfileInfo = strExchsvr & vbLf & staffcode.value
  Set CDOSession = CreateObject("MAPI.SESSION")
  on error resume next
  CDOSession.Logon "", "", False, True, 0, False, strProfileInfo
  if err.number = 0 then
    CDOSession.OutOfOfficeText = OOF_TEXT.value
    CDOSession.OutOfOffice = True
    inorout.checked = True
    inorout.disabled = "false"
    CDOSession.Logoff
  else
    msgbox "Error logging on to mailbox." & vbcrlf & err.number & vbcrlf _
      & err.description & vbcrlf & _
      "Wait a few minutes for AD permissions to replicate and try again!", VBCRITICAL
  end if
  on error goto 0
  Set CDOSession = Nothing
  disablecontrols(False)
end sub

'*****************************************************************************
'* function finduser
'* Purpose: perform active directory query
'* Inputs:  none
'* Returns: nothing
'*****************************************************************************
sub finduser()
  Set objConnection = CreateObject("ADODB.Connection")
  objConnection.Open "Provider=ADsDSOObject;"
  Set objCommand = CreateObject("ADODB.Command")
  objCommand.ActiveConnection = objConnection
  ' search for the users staffcode from accounts that aren't disabled
  ' NOTE: staffcode.value is placed into the LDAP filter without escaping;
  ' validate or escape it (RFC 4515) before use in anything beyond a helpdesk tool
  objCommand.CommandText = _
    "<GC://dc=acme,dc=com,dc=au>;" & _
    "(&(&(objectClass=user)(objectCategory=person))(&(samaccountname=" & staffcode.value & _
    ")(!userAccountControl:1.2.840.113556.1.4.803:=2)));" & _
    "name,adspath,msExchHomeServerName;subtree"
  Set objRecordSet = objCommand.Execute
  if objRecordSet.recordcount > 1 then
    intRetcode = msgbox("Error - More than one active account with staffcode " & _
      staffcode.value & " found!" & vbcrlf & "List ldap path of accounts?", VBCRITICAL+VBYESNO)
    if intRetcode = VBYES then
      do While Not objRecordSet.EOF
        Set objOption = Document.createElement("OPTION")
        objOption.Text = objRecordSet.Fields("adspath")
        objOption.Value = objRecordSet.Fields("adspath")
        SearchResults.Add(objOption)
        objRecordSet.MoveNext
      loop
      SearchResults.style.visibility = "Visible"
    else
      SearchResults.style.visibility = "Hidden"
    end if
    exit sub
  end if
  if objRecordSet.recordcount = 0 then
    msgbox "Failed to find staffcode in active directory" & VBCRLF & "Check the staffcode is correct", VBCRITICAL
    exit sub
  end if
  intRetcode = msgbox("StaffCode " & staffcode.value & " found!" & vbcrlf & _
    "Grant full control to mailbox for " & strTrustee, VBINFORMATION+VBYESNO)
  if intRetcode = VBNO then
    setbutton.disabled = "True"
    getbutton.disabled = "True"
    inorout.disabled = "True"
    inorout.checked = False
    exit sub
  end if
  do While Not objRecordSet.EOF
    strExchsvr = objRecordSet.Fields("msExchHomeServerName")
    arrTemp = split(strExchsvr, "=")
    strExchsvr = arrTemp(ubound(arrTemp))
    strPath = replace(objRecordSet.Fields("adspath"), "GC://", "LDAP://")
    objRecordSet.MoveNext
  loop
  objConnection.Close
  if setMbxRights(strPath, strTrustee) = True then
    setbutton.disabled = "false"
    getbutton.disabled = "false"
  end if
end sub

'*****************************************************************************
'* function disablecontrols
'* Purpose: activate/de-activate controls as appropriate to application state
'* Inputs:  boolean - true to disable the controls, false to enable them
'* Returns: nothing
'*****************************************************************************
sub disablecontrols(booldisable)
  progress.style.visibility = "Visible"
  if booldisable = True then
    setbutton.disabled = "True"
    getbutton.disabled = "True"
    inorout.disabled = "True"
  else
    progress.style.visibility = "hidden"
    setbutton.disabled = "False"
    getbutton.disabled = "False"
    inorout.disabled = "False"
  end if
end sub

'*****************************************************************************
'* function setMbxRights
'* Purpose: add trustee to the users mailbox with full control
'* Inputs:  string - the adspath of the users mailbox
'*          string - the trustee's domain & username, formatted domain\username
'* Returns: boolean, true if successful
'*****************************************************************************
function setMbxRights(adspath, strTrustee)
  setMbxRights = False
  ' Remember every mailbox touched so window_onunload can revoke the rights
  if not objMBXlist.exists(adspath) then objMBXlist.add adspath, strTrustee
  set objUser = GetObject(adspath)
  on error resume next
  Set oSecurityDescriptor = objUser.MailboxRights
  if err.number <> 0 then
    if err.number = 438 then
      msgbox "This application must be run on a workstation with" & vbcrlf _
        & "the exchange management tools installed!", vbcritical
      err.clear
      exit function
    else
      msgbox "Error getting mailbox security Descriptor." & vbcrlf _
        & err.description & vbcrlf & err.number, vbcritical
      err.clear
      exit function
    end if
  end if
  on error goto 0
  Set dacl = oSecurityDescriptor.DiscretionaryAcl
  AddAce dacl, strTrustee, ADS_RIGHT_DS_CREATE_CHILD, _
    ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACEFLAG_INHERIT_ACE, 0, 0, 0
  oSecurityDescriptor.DiscretionaryAcl = dacl
  ' Save new SD onto the user.
  objUser.MailboxRights = oSecurityDescriptor
  ' Commit changes from the property cache to the information store.
  objUser.SetInfo
  setMbxRights = True
end function

'*****************************************************************************
'* function removeMbxRights
'* Purpose: remove trustee from all mailboxes to which it was added
'* Inputs:  string - the adspath of the users mailbox
'*          string - the trustee's domain & username, formatted domain\username
'* Returns: nothing
'*****************************************************************************
sub removeMbxRights(adspath, strTrustee)
  set objUser = GetObject(adspath)
  Set oSecurityDescriptor = objUser.MailboxRights
  Set dacl = oSecurityDescriptor.DiscretionaryAcl
  For Each ace In dacl
    If (LCase(ace.trustee) = LCase(strTrustee)) and _
       ((ace.AccessMask AND ACE_MB_FULL_ACCESS) = ACE_MB_FULL_ACCESS) Then
      dacl.RemoveAce ace
      MsgBox "Mailbox rights have been removed", VBINFORMATION
    End If
  Next
  oSecurityDescriptor.DiscretionaryAcl = dacl
  ' Save new SD onto the user.
  objUser.MailboxRights = oSecurityDescriptor
  ' Commit changes from the property cache to the information store.
  objUser.SetInfo
end sub

'********************************************************************
'* Code shamelessly copied from Microsoft KB310866
'* http://support.microsoft.com/kb/310866
'* Function AddAce(dacl, TrusteeName, gAccessMask, gAceType,
'*                 gAceFlags, gFlags, gObjectType, gInheritedObjectType)
'*
'* Purpose: Adds an ACE to a DACL
'* Input:   dacl                 Object's Discretionary Access Control List
'*          TrusteeName          SID or Name of the trustee user account
'*          gAccessMask          Access Permissions
'*          gAceType             ACE Types
'*          gAceFlags            Inherit ACEs from the owner of the ACL
'*          gFlags               ACE has an object type or inherited object type
'*          gObjectType          Used for Extended Rights
'*          gInheritedObjectType
'*
'* Output:  Object - New DACL with the ACE added
'*
'********************************************************************
Function AddAce(dacl, TrusteeName, gAccessMask, gAceType, gAceFlags, gFlags, gObjectType, gInheritedObjectType)
  Dim Ace1
  ' Create a new ACE object.
  Set Ace1 = CreateObject("AccessControlEntry")
  Ace1.AccessMask = gAccessMask
  Ace1.AceType = gAceType
  Ace1.AceFlags = gAceFlags
  Ace1.Flags = gFlags
  Ace1.Trustee = TrusteeName
  'See whether ObjectType must be set
  If CStr(gObjectType) <> "0" Then
    Ace1.ObjectType = gObjectType
  End If
  'See whether InheritedObjectType must be set.
  If CStr(gInheritedObjectType) <> "0" Then
    Ace1.InheritedObjectType = gInheritedObjectType
  End If
  dacl.AddAce Ace1
  ' Destroy objects.
  Set Ace1 = Nothing
End Function

'*****************************************************************************
'* function setINOUT
'* Purpose: set the users OOF flag to activate/de-activate OOF processing
'* Inputs:  none
'* Returns: nothing
'*****************************************************************************
sub setINOUT
  disablecontrols(True)
  strProfileInfo = strExchsvr & vbLf & staffcode.value
  Set CDOSession = CreateObject("MAPI.SESSION")
  on error resume next
  CDOSession.Logon "", "", False, True, 0, False, strProfileInfo
  if err.number = 0 then
    if inorout.checked = True then
      CDOSession.OutOfOffice = True
    else
      CDOSession.OutOfOffice = False
    end if
    CDOSession.Logoff
  else
    msgbox "Error logging on to mailbox." & vbcrlf & err.number & vbcrlf _
      & err.description, VBCRITICAL
  end if
  on error goto 0
  Set CDOSession = Nothing
  disablecontrols(False)
end sub
</SCRIPT>
<body>
<B>Step 1. Enter the user's staff code</B><P>
<input type="text" name="staffcode" size="30">
<input id=srchbutton class="button" type="button" value="Search for User" name="set_text_button" onClick="finduser">
<select size="5" name="SearchResults" style="Visibility:hidden">
</select>
<P><P>
<B>Step 2. Retrieve/Set the users Out of Office message</B><p><p>
<textarea name="OOF_TEXT" rows=5 cols=70></textarea><p>
<input disabled id=getbutton class="button" type="button" value="Get Message" name="get_text_button" onClick="get_OOF_TEXT">
<input disabled id=setbutton class="button" type="button" value="Set Message" name="set_text_button" onClick="set_OOF_TEXT">
<input disabled id=inorout type="checkbox" name="InorOUT" value="IN" checked="False" onClick="setINOUT"> I am currently out of the office
<P>
<span id="Progress" style="visibility:Hidden">
Operation in progress - please wait&nbsp;&nbsp;&nbsp;&nbsp;<img src="loading.gif" border="0" width="165" height="15">
</span>
<p><p><B>Step 3. Send a test email</B><p><p>
</body></html>

October 1, 2008

Wireshark Scripting – Extracting HTTP Host Headers

Filed under: Network — networknerd @ 11:00 pm

Anyone who’s looked at packets knows about Wireshark. There seems to be considerably less known about Wireshark’s scripting interface though.

While reviewing a very old packet capture I noticed that the host names as resolved by wireshark weren’t consistent with what I knew of the data. Well what can you do? DNS names and IP addresses are in a constant state of flux. It hit me then that the packet capture itself had all the data I needed to create a hosts file for wireshark. It was just a matter of extracting the data from the http requests or the DNS requests/responses into hosts file format and putting a hosts file in the Wireshark directory.

Every http request contains a host header.  The purpose of the header is to allow web servers with a single IP address to host websites for more than one domain.  The webserver uses the host header to multiplex multiple virtual directories/websites onto a single IP address.

Host Header in an HTTP request

To run the script, edit the init.lua file in the Wireshark directory and comment out the line beginning with disable_lua. The command line is shown in the script's header comment; because we are using tshark, the output can be redirected directly to a hosts file.

Listing 1 – gethttphosts.lua

-- Lua script to extract http host headers to create a hosts
-- file for wireshark name resolution.
-- command line:
--   tshark -r websurf.pcap -q -X lua_script:gethttphosts.lua

do
  -- Create the field extractors
  hostname = Field.new("http.host")
  ip_dst = Field.new("ip.dst")

  local function init_listener()
    -- Create a listener that filters for http requests
    local tap = Listener.new("frame", "tcp && http.request")

    function tap.reset()
    end

    function tap.packet(pinfo, tvb, ip)
      -- Format the data and output it: "<destination ip> <host header>"
      local strTemp = tostring(ip_dst()) .. " " .. tostring(hostname()) .. "\n"
      io.write(strTemp)
    end

    function tap.draw()
    end
  end

  init_listener()
end
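The raw lines the listener writes are not yet a clean hosts file: the same request repeats, a Host header may carry a port, requests without a Host header print "nil", and the header itself is client-supplied text that should not be copied blindly. As an added example (not part of the original post), the Python below post-processes that output into deduplicated, validated "ip name" lines; the sample input is constructed to resemble the listener's output.

```python
import ipaddress
import re

# Constructed sample of what gethttphosts.lua writes: "<ip.dst> <http.host>"
# per HTTP request, including the noise a real capture produces.
SAMPLE_OUTPUT = """\
93.184.216.34 www.example.com
93.184.216.34 www.example.com
93.184.216.34 www.example.com:8080
93.184.216.34 static.example.com
10.0.0.5 nil
10.0.0.5 intranet
198.51.100.7 bad host name
203.0.113.9 Example.NET.
"""

# One DNS label: letters, digits and hyphen, 1-63 chars, no leading/trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def clean_host(raw):
    """Normalise one Host header value; return None if it must not be used.
    The Host header is whatever the client sent, so anything that is not a
    syntactically valid hostname is dropped rather than written to the file."""
    host = raw.strip().lower()
    if host in ("", "nil") or host.startswith("["):   # missing header / IPv6 literal
        return None
    host = host.split(":", 1)[0].rstrip(".")          # strip ":port" and trailing dot
    try:
        ipaddress.ip_address(host)
        return None                                   # Host was an IP literal, no name
    except ValueError:
        pass
    if not all(_LABEL.match(label) for label in host.split(".")):
        return None
    return host

def build_hosts(tshark_output):
    """Turn the listener's raw lines into sorted, deduplicated '<ip> <name>' lines."""
    pairs = set()
    for line in tshark_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # not an address, skip the line
        host = clean_host(parts[1])
        if host is not None:
            pairs.add((addr.version, int(addr), str(addr), host))
    return [f"{ip} {host}" for _, _, ip, host in sorted(pairs)]

if __name__ == "__main__":
    print("\n".join(build_hosts(SAMPLE_OUTPUT)))
```

In practice, pipe the tshark output into this script and redirect the result to the hosts file instead of using the constructed sample.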
