The Certificate that wouldn’t move

I have been working a lot with SSL certificates lately. The other day I had to move a certificate from Windows to Linux server, the certificate is for both www and without. It´s a simple task to export the certificate from Windows server 2012R2 and then convert the certificate so it works on Apache. Except that the CSR was done without the “Export private key” checkbox. Bummer

I thought that there must be a way to change that, after all I am Domain Administrator. Nope, there is no easy way to go around this. After a long time of googling I come over something that a thought was worth sharing.

I found a great tool! Mimikatz

http://blog.gentilkiwi.com/mimikatz

This tool can read out the key via Windows API, and a lot more!

Together with the instructions from this blog

http://blog.ruecker.fi/2014/03/12/exporting-the-not-exportable/

Download the binaries at extract the files. Start a command shell as administrator and run the 64bit version of mimikatz.exe

In the prompt just past in the following lines:

crypto::capi
crypto::certificates /systemstore=CERT_SYSTEM_STORE_LOCAL_MACHINE /export

This will export all certs on the server. The password for the exported certificates is: mimikatz

This tool can do a lot more terrifying things, for example find passwords in clear text

privilege::debug
sekurlsa::logonpasswords

WordPress version update reminder

So I have some Linux, Ubuntu, servers that are used for shared hosting. Many of the customers use WordPress and I think that it’s an awesome solution that so many can get a great website up and running in almost no time. The flaw with WordPress is that it has a lot of security holes if they don’t upgrade to the latest version. WordPress has a great update feature, but since my customers do not log in on their sites they don’t see that, so what to do. I decided that sending them an email would maybe encourage them a little, specifically the site admin.

I couldn’t find any good script that solved my problem so I decided to copy paste something that would do the trick.

Updated and locate are a good start for finding version.php.

I’ve put my files under /root/scripts/wp-version

run-wp.version-finder.sh looks like this:

The wp-version.php script looks like this:

 

The get it all to work I run the main script once a month, first monday at 8:00

cronetab-e

Add a line that looks like this:

That is all
As always, post a comment if you find it useful.

Change all bindings in IIS to new IP

So I was migrating a web server from IIS 6 to IIS 8.5.
After the migration i needed to change IP on the new server. That’s not fun when all bindings are with IP.

So I decided to just Google a script that could change everything for me. I only found scripts that could change for a specific website and not all of them. So after some copy past and some trial and error I got this is result:

 

If you find it useful please leave a comment.

/Fredrik

Crashplan backup to Raspberry Pi


My former employer decided to pull the plug on my old backup server. It was nothing special, just a Windows share, VSS and a PPTP tunnel. But it work for me, every night my homeserver connected to the server and by Robocopy /mir sync my folders so that any changes was reflected on the backup server.

When I got the notice that they wher going to pull the plug I started to look for a new solution that I could have up soon and had to be cheap.
I got a tips that Crashplan was something that I should have a look on. After some googling I found this link: http://www.bionoren.com/blog/2013/02/raspberry-pi-crashplan/

I had a Raspberry Pi lying around, I also had a 1TB SATA hard drive from my old homeserver, a USB/SATA Docking Stations and some other stuff.

After three week I managed to destroy the SD card, I had a backup but I decided to rebuild most of it and put / on the USB hard drive as well.

This is how I did it.
Installed the latest 2013-09-25-wheezy-raspbian.zip, NOOBS made more partitions on the SD card that I didn’t need.
Configure everything in raspi-config. Disabled Desktop, enabled SSH and set Graphics memory to 16MB. I’m using the old 256MB Raspberry PI model B.

I partitioned my USB hard drive in two partitions 16GB for rootfs and 850GB for /data
Used this guide to partition my USB hard drive and move root
http://www.raspberrypi.org/phpBB3/viewtopic.php?f=29&t=44177

After this I used the http://www.bionoren.com/blog/2013/02/raspberry-pi-crashplan/ to install java and Crashplan

To configure Crashplan headless:
http://support.crashplan.com/doku.php/how_to/configure_a_headless_client

I used putty.exe to set up the SSH tunnel, start it from command prompt:

I bought a new USB – SATA hard drive cabinet for the old 1TB hard drive.


It has a 2A power supply that I thought could power my Raspberry Pi as well, there aren’t a lot of normal power outlets in the computer center.

The hard drive does not take that much power.

So I solder a micro USB cable to the 5volt on the SATA port. The circuit board locked the cable in place.


Found the Kensington lock hole useful

Finished result:

Since I put the Raspberry on the Internet and no other firewall in front of it I’m using Iptables. I’m not a hardcore user of Iptables so I found a nice GUI I could use on my PC: http://www.fwbuilder.org/
Real simple to use, didn’t lock me out once.

Update:
Since i only use the boot partition on the SD card i decided to replace my 8GB with an old 1GB that i haven’t used in a long time. If I only could find the SD card that I got when I bought my first digital camera. I think it was 32MB and that would have been enough.