Export certificates marked as not exportable in the Windows certificate manager

So, you need the private key for a certificate on Windows, for some innocent snooping around with Wireshark, but someone marked it as not exportable. Now what?

Cue Gentil Kiwi and his tool Mimikatz.

For future reference for myself, I’ve archived a copy of the source here, and the binaries here.

The following commands will extract the certificates from the local store:

crypto::capi
crypto::certificates /systemstore=CERT_SYSTEM_STORE_LOCAL_MACHINE /export

The password for the pfx files is “mimikatz” (no quotes).

To convert a pfx to a pem file, you can do something like this:

openssl pkcs12 -in CERT_SYSTEM_STORE_LOCAL_MACHINE_nicecert.pfx -out cert.pem -nodes

If it’s for use in Wireshark, which only needs the private key, you also need to add -nocerts so the certificate itself is left out of the output:

openssl pkcs12 -in CERT_SYSTEM_STORE_LOCAL_MACHINE_nicecert.pfx -out cert.pem -nodes -nocerts

My tweaks to Kali Linux (note to self)

Here are some of the things I did to make Kali Linux 2016.1 suit my taste, mostly intended as a note to myself, but posted here in case it helps anyone else.

General checklist

  • Install aptitude and update everything
  • Add settings icon to left panel
  • Enable mouse tap to click in “Settings => Mouse & Touchpad”
  • Tweaks => Power => Don’t suspend on lid close
  • Enable sound, but disable alert sound (sonar)
  • Disable all power saving (“Power”)
  • Enable privacy settings, purge stuff after 7 days (“Privacy”)
  • Tweaks => Extensions => Disable Easyscreencast
  • Settings => Keyboard => Input Sources => Remove superfluous keyboard layouts

Install fun stuff

apt-get -y install \
dconf-editor \
gnome-power-manager \
autossh \
vim \
screen \
iotop \
iftop \
virtualbox \
torbrowser-launcher \
aptitude

Automatically log in as root

Edit /etc/gdm3/daemon.conf

AutomaticLoginEnable = true
AutomaticLogin = root

Enable smartmontools

Edit /etc/default/smartmontools

start_smartd=yes

Shut down with power button

Note: shutdown option missing as of 2016-05-16

gsettings range org.gnome.settings-daemon.plugins.power power-button-action
gsettings set org.gnome.settings-daemon.plugins.power power-button-action 'shutdown'

Encrypted swap

For separate partitions, use the existing guide for Debian.
For swap files in encrypted filesystems, do this:

dd if=/dev/zero of=/.swap bs=1G count=16
chmod 600 /.swap
mkswap /.swap
swapon /.swap
echo "/.swap none swap sw 0 0" >>/etc/fstab

Disable auto-locking and that stupid slide screen

Setting the idle delay to 0 means “never”:

gsettings set org.gnome.desktop.session idle-delay 0

Install qemu and virt-manager

apt-get -y install qemu-kvm virt-manager
systemctl enable libvirtd.service

Set a custom default window manager (like xfce)

I now use the default environment, but it’s here in case anyone finds it interesting anyway.

apt-cache search kali-desktop
apt-get -y install kali-desktop-xfce
update-alternatives --config x-window-manager
update-alternatives --config x-session-manager

Enabling Quick Launch in Windows 10

I have my taskbar set to “Use small taskbar buttons” and “Never combine”, probably as much out of habit as anything else. This means that when I pin programs to the taskbar, opening one of them, suddenly making it display a title for one or more windows, will push any pinned programs to its right further towards the right edge of the screen. In turn, this means that my pinned programs are almost never where I expect to find them, and I have to look around. Annoying.

The classic “Quick Launch” solved this by only displaying a launch shortcut, and never turning into the actual taskbar entry for the program it launched. Thus they all stay neatly in place next to the start button.

Like this:

quick_launch_win10

Not like this:

bad_pinning_win10

Well, Windows 10 can do this too, though it is slightly harder to enable than on previous editions of the operating system.

In short:

  1. Right click the taskbar
  2. Select “Toolbars => New Toolbar…”
  3. Enter “shell:Quick Launch” into the “Folder” field and press enter (note the lack of a space between : and Q)
  4. Press “Select folder”
  5. Notice the “Quick Launch” appearing next to the systray.
  6. Right click the taskbar again and unlock it (click “Lock the taskbar”)
  7. Right click the toolbar header at the left side of the quick launch
  8. Deselect “Show Text” and “Show title”
  9. Drag the quick launch to where you want it
  10. Lock the taskbar again

A more detailed description can be found here. I archived a copy here.

Find and kill long running MS SQL Server queries

I have to admit this is cargo cult SQL to me, but here’s how to find running queries, sorted by their total elapsed time:

SELECT [sqltext].[TEXT],
[req].[session_id],
[req].[status],
[req].[command],
[req].[cpu_time],
[req].[total_elapsed_time]
FROM [sys].[dm_exec_requests] [req]
CROSS APPLY [sys].[dm_exec_sql_text](sql_handle) AS sqltext
ORDER BY [req].[total_elapsed_time] DESC

To kill a given query, use:

kill <session_id>

...without the angle brackets, where session_id is the value from the session_id column of the query above.

If you want to kill all long running queries in a single go, try something like this:

DECLARE @cmd varchar(8000) = '';
SELECT @cmd = @cmd + 'kill ' + CONVERT(varchar(5), req.session_id) + ';'
FROM sys.dm_exec_requests req
CROSS APPLY sys.dm_exec_sql_text(sql_handle) AS sqltext
WHERE req.total_elapsed_time > 15000
  AND req.session_id <> @@SPID;  -- KILL refuses to kill the session running this script

SELECT @cmd;  -- review the generated KILL list before executing it

EXEC(@cmd);

Adjust the ‘15000’ (milliseconds) timeout to a reasonable time for your application.

You’re welcome.

SPF exists for a reason, and postfix makes it ridiculously easy

In the bronze age, messages came in, signed bob@lamuella.com, and you’d simply have to assume they were from the Almighty Bob. Today, email is still technically in the iron age, but at least we have SPF.

In a nutshell, when lamuella.com enables SPF for their domain, they can be sure that other people whose mail servers check those records will not receive spam with forged @lamuella.com senders. This also means email that passes this sort of check can be rated as slightly less spammy in automated spam filters.

To further elaborate on that, here’s what SPF is and does, and what it is not and does not do:

SPF IS/DOES

  • Allow a host to verify that an email from an SPF-enabled domain was sent from a mail server that legitimately serves that domain.
  • Prevent spammers from sending email from your SPF-enabled domain.
  • Force your users to send their email through your (hopefully extra extra safe) server, thus forcing them to comply with your encryption routines and filters.
  • Allow you to easily discard lots of spam mail, as such junk is often sent from forged domain names that happen to exist and have valid SPF records.

SPF IS/DOES NOT

  • Allow your server to verify the sender address from non-SPF domains.
  • Prevent spammers from sending email from your SPF-enabled domain to a recipient server that doesn’t inspect SPF records.

That said, SPF is easy to enable on Postfix, and I strongly urge you to do so if you haven’t already.
I found this handy guide, for Ubuntu, but it works just as well on Debian, and I archived it here in case the link is dead at the time you read this.
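To make the IS/DOES list above concrete, here is a small POSIX sh evaluator, added here as an illustration; it is not from the original post, from Postfix, or from the linked guide. It takes an SPF record string and a connecting IP address and returns the SPF result for ip4 mechanisms and the "all" catch-all, honouring the +, -, ~ and ? qualifiers. It does no DNS lookups, so a, mx and include mechanisms are skipped (a real checker, such as the policy daemon the Postfix guide sets up, resolves them); the record and addresses used are constructed from the RFC 5737 documentation ranges and belong to no real domain.

```shell
#!/bin/sh
# Added illustration: offline SPF evaluation for ip4 mechanisms only.
# The record and addresses used here are constructed (RFC 5737 test ranges).

# ip4_to_int A.B.C.D -> print the address as a 32-bit integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip4_in_cidr IP NET[/PREFIX] -> exit 0 if IP lies inside NET (no prefix means /32)
ip4_in_cidr() {
    ip=$1
    net=${2%/*}
    case $2 in
        */*) prefix=${2#*/} ;;
        *)   prefix=32 ;;
    esac
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip4_to_int "$ip") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# spf_check RECORD IP -> print pass, fail, softfail, neutral or none
# Qualifiers: "+" (default) pass, "-" fail, "~" softfail, "?" neutral.
spf_check() {
    record=$1
    ip=$2
    case $record in
        "v=spf1") ;;
        "v=spf1 "*) ;;
        *) echo none; return 0 ;;       # not an SPF record at all
    esac
    for term in ${record#v=spf1}; do
        qual=+
        case $term in
            [-+~?]*) qual=${term%"${term#?}"}; term=${term#?} ;;
        esac
        matched=1
        case $term in
            all)   matched=0 ;;
            ip4:*) if ip4_in_cidr "$ip" "${term#ip4:}"; then matched=0; fi ;;
            *)     continue ;;          # a, mx, include, exists need DNS; skipped here
        esac
        if [ "$matched" -eq 0 ]; then
            case $qual in
                +)   echo pass ;;
                -)   echo fail ;;
                '~') echo softfail ;;
                '?') echo neutral ;;
            esac
            return 0
        fi
    done
    echo neutral                        # nothing matched and no "all" term present
}

# Demo on a constructed record for a fictitious domain.
record="v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ~ip4:203.0.113.0/25 -all"
for sender in 192.0.2.77 198.51.100.8 203.0.113.100 203.0.113.200; do
    printf '%-15s %s\n' "$sender" "$(spf_check "$record" "$sender")"
done
```

The interesting cases are the last two terms: an address inside 203.0.113.0/25 gets softfail (the domain owner is unsure about that range), while anything that reaches -all gets a hard fail. A receiving server that does not run a check like this at all is exactly the case the second "DOES NOT" bullet describes.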

pfSense as a Cisco AnyConnect VPN Client using OpenConnect

pfSense, as of 2016-03-01, does not support OpenConnect out of the box. However, it’s in the FreeBSD repository, and relatively easy to add:

# pkg
# pkg update -f
# pkg install openconnect
# rehash

You can now play around with the openconnect command and test your connection.

Next step: Autostart, and adding the tun interface to the pfSense GUI. The GUI will, by default, ignore any interface named “tun*”, while openconnect will refuse to work with any interface not named “tun*”. Brilliant. The easiest workaround for this special case seems to be renaming the VPN interface after creation.

I made a script that automates checking if the connection is up, and (re-)starting it if it is not.
Replace the options in the “settings” section with appropriate values for your setup, and you should be good to go.

The “test” field should be a command that returns 0 when the connection is up, and anything else when it’s broken. I used netcat’s port testing feature on the remote desktop port of a server I needed to be able to connect to, but you can just as easily use things like ping with a limited count or similar.

#!/bin/sh
# Watchdog for an OpenConnect client on pfSense: exits early if the VPN
# already works, otherwise tears down any old instance and reconnects.
# The password is stored in plain text below, so keep this file root-owned
# with mode 600.

# settings
user="vpnuser"
pass="P4ssw0rd"
host="vpn.server.here.com"
test="nc -v -w 10 -z 172.16.0.4 3389"   # must return 0 while the tunnel is usable
tmpif="tun69"                           # openconnect insists on a tun* name
iface="ocvpnc1"                         # name the pfSense GUI will accept
pidfile="/tmp/${iface}.pid"
script="/usr/local/sbin/vpnc-script"


# env
openconnect="/usr/local/sbin/openconnect"
ifconfig="/sbin/ifconfig"


# func
ifkill()
{
        $ifconfig "$1" down 2>/dev/null || :
        $ifconfig "$1" destroy 2>/dev/null || :
}


# check if we're already running
if [ -n "$test" ] && $test; then
        echo "Connection is already up"
        exit 0
fi


# clean up previous instance, if any (a stale pidfile must not abort the script)
if [ -e "$pidfile" ]; then
        read -r pid <"$pidfile"
        echo "Killing previous pid: $pid"
        kill -TERM "$pid" 2>/dev/null || :
        rm -f "$pidfile"
fi
ifkill "$tmpif"
ifkill "$iface"


# open vpn connection; --background forks once the tunnel is up
echo "$pass" |\
$openconnect \
        --background \
        --pid-file="$pidfile" \
        --interface="$tmpif" \
        --user="$user" \
        --passwd-on-stdin \
        --script="$script" \
        "$host"


# rename the interface so the GUI can see it
if [ "$iface" != "$tmpif" ]; then
        echo "Renaming $tmpif to $iface"
        $ifconfig "$tmpif" name "$iface"
fi

Next, use crontab -e and add an entry to run the script regularly.

*/5 * * * * /root/openconnect-vpn >/dev/null 2>&1

Again, replace the path and timing with your own preferred values.

With the connection established, you can now go ahead and add the interface in the "assignment" tab of the GUI and set up appropriate rules for it.

CAUTION: Adding an interface that's not available at boot time to the GUI will cause pfSense to think something is wrong on subsequent reboots and ask you to configure interfaces. I am not currently aware of a workaround for this, other than to not add the interface, controlling rules directly from the script instead.

Squid Compile with SSL support under Debian Jessie

Here’s how:

apt-get update

# install required dev packages
apt-get install -y openssl devscripts build-essential libssl-dev

# install debian squid3 source code
apt-get source -y squid3

# install all required dependency packages
apt-get build-dep -y squid3

# reconfigure
cd squid3-3.4.8/
vi debian/rules

root@jessie:~/squid3-3.4.8# diff /tmp/rules debian/rules 
46c46,48
< --with-default-user=proxy
--- 
> 		--with-default-user=proxy \
> 		--enable-ssl \
> 		--with-open-ssl="/etc/ssl/openssl.cnf"
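Review bot: the hunk diffs debian/rules against /tmp/rules, but none of the steps above creates that copy; add `cp debian/rules /tmp/rules` before `vi debian/rules` so the diff shown here is reproducible. Note also that the edit turns the original, backslash-less `--with-default-user=proxy` line into a continued one, which means the new `--with-open-ssl=` line must remain the last option in that list (no trailing backslash), or the next option must be continued the same way.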

# build package
debuild -us -uc

# install
cd ..
apt-get install logrotate
dpkg -i *.deb
apt-get install -f

# test
root@jessie:~# squid3 -v
Squid Cache: Version 3.4.8
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include'
'--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos'
'--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3'
'--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy' '--enable-ssl'
'--with-open-ssl=/etc/ssl/openssl.cnf' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu'
'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall'
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE
-fstack-protector-strong -Wformat -Werror=format-security'

Shamelessly stolen from http://www.panticz.de/Squid-Compile-with-SSL-support-under-Debian-Jessie

Error 0x80041002 from PowerShell after upgrade to Windows 10

On a box I just upgraded, we run a script that’s supposed to add a new scheduled task. After the upgrade, attempting to create a new trigger would return this beauty:

PS C:\Users\User> New-ScheduledTaskTrigger -AtStartup
New-ScheduledTaskTrigger : Method "NewTriggerByStartup" not found
+ CategoryInfo          : ObjectNotFound: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [New-ScheduledTaskTrigger], CimException
+ FullyQualifiedErrorId : HRESULT 0x80041002,New-ScheduledTaskTrigger

The solution was to run this magic batch file that re-registers a whole slew of DLL files with the system, and then reboot.

rem Stop WMI, discard its repository and rebuild it from the installed
rem .mof/.mfl files, re-registering the provider DLLs along the way.
rem "rd" deletes the existing WMI repository: run from an elevated prompt
rem and reboot afterwards.
net stop winmgmt
c:
cd %systemroot%\system32\wbem
rd /S /Q repository

regsvr32 /s %systemroot%\system32\scecli.dll
regsvr32 /s %systemroot%\system32\userenv.dll

mofcomp cimwin32.mof
mofcomp cimwin32.mfl
mofcomp rsop.mof
mofcomp rsop.mfl
rem "delims=" keeps paths containing spaces intact
for /f "delims=" %%s in ('dir /b /s *.dll') do regsvr32 /s "%%s"
for /f "delims=" %%s in ('dir /b *.mof') do mofcomp "%%s"
for /f "delims=" %%s in ('dir /b *.mfl') do mofcomp "%%s"
echo DONE

I found the batch file here, intended to fix another issue with the same error code.