Effectiveness of CAPTCHA

CAPTCHA screens help keep bots from flooding sites like this one with spam.

I use a very basic CAPTCHA on the comments section.

Here are 2 articles talking about the effectiveness of CAPTCHA, and ways that people can beat it.

http://haacked.com/archive/2005/01.aspx

http://www.codinghorror.com/blog/archives/000712.html

Thursday, March 01, 2007 10:29:44 AM (Central Standard Time, UTC-06:00)

Resetting Domain Admin Passwords

I have been researching ways to reset a domain admin password for a client who forgot what they typed in when they set the password.

Most password crackers work only on local accounts, not for anything on a domain.  It seems like the way to go about this is to reset the local admin account, then log in using Directory Service Recovery Mode to reset the domain admin account.

Here are some of the articles I have been reading:

http://www.jms1.net/nt-unlock.shtml  <-- this idiot won't let you view his pages if you are running IE, so use Firefox, but again, that's just stupid

http://www.nobodix.org/seb/win2003_adminpass.html

http://home.eunet.no/~pnordahl/ntpasswd/

http://www.loginrecovery.com/about.html

http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

 

Friday, December 08, 2006 2:56:02 PM (Central Standard Time, UTC-06:00)

Backup/Restore Cisco Pix Configuration

To do this you

  1. Need a TFTP server running (solarwinds)
  2. Need to telnet into the device
  3. Need to be in enable mode

First to make the backup:

write net 192.168.1.2:MyBackup.pixconfig

where the IP is the IP address of your TFTP server

Then to restore it later, you need to enter config terminal mode first and then restore the file:

config term
configure net 192.168.1.2:MyBackup.pixconfig

and there you have it...

The changes will take immediate effect, but you will still need to write them into the non-volatile memory, or the changes will be lost when you reboot the device.

 

Friday, August 11, 2006 3:55:29 PM (Central Standard Time, UTC-06:00)

Resetting a PIX password

Here is a quick trick for resetting a pix password:

http://www.tech-recipes.com/cisco_firewall_tips639.html

You need console access to do so.

Friday, July 21, 2006 12:25:58 PM (Central Standard Time, UTC-06:00)

Some Good Links For Updating Cisco PIX Devices
Wednesday, July 19, 2006 3:01:43 PM (Central Standard Time, UTC-06:00)

Backing up Cisco router settings

Working with Cisco products is not an everyday event for me, but when I do work with them I want to make sure I back up the config files before I do anything.

To do this you can follow the instructions on this page:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a008020260d.shtml#tftp

You can also download a free TFTP server at this location:
http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/

 

Thursday, July 06, 2006 8:07:02 AM (Central Standard Time, UTC-06:00)

Free Anti Virus Software Options

Slashdot recently posted a question from a user asking what the best free anti virus options are.

The response can be seen here:

http://ask.slashdot.org/article.pl?sid=06/05/22/1310211

 

Thursday, May 25, 2006 12:36:09 PM (Central Standard Time, UTC-06:00)

Moving a Network

This weekend I helped a client of mine move their computer system to a new facility.  In the new location I racked up and configured an HP Procurve switch, and 2 Cisco APs.

All in all the move went well.  I had some problems getting into the Procurve at first.  I think the problem was a bad serial cable, but in the end I got it working right.

We didn't quite have enough ports on the Procurve, so I uplinked a couple of their old switches until I could procure some more modules for the HP.

The Cisco 1100 APs had great range.  I was able to blanket the entire facility with WIFI access.  Pretty nice!

Saturday, April 22, 2006 3:55:42 PM (Central Standard Time, UTC-06:00)

Strong Names and Security in the .NET Framework
This Security Brief at MSDN talks about the practice of strongly naming your .NET assemblies.
Wednesday, March 24, 2004 8:23:50 AM (Central Standard Time, UTC-06:00)

Encrypting the Viewstate
This article from MSDN talks a lot about utilizing the viewstate to its fullest.

One of the things that they discuss is security, and encrypting the viewstate.
Monday, March 22, 2004 2:33:49 PM (Central Standard Time, UTC-06:00)

Windows Principal and Identity Objects
Here is the article... that's all.
Thursday, March 18, 2004 7:44:21 PM (Central Standard Time, UTC-06:00)

Screen Scraping Email Blocker
This article shows how to create a control that will convert your email addresses into a unique code that is reconverted by javascript when the page loads... so it can't be screen scraped.
Saturday, March 13, 2004 9:37:02 PM (Central Standard Time, UTC-06:00)

Using Password Hashes
Here is a simple example for using a hashing sequence to protect passwords.
Thursday, February 19, 2004 11:19:02 AM (Central Standard Time, UTC-06:00)

Secure Querystrings
Secure Querystrings is something that I have seen in practice, but I didn't know that it was built into the .NET Framework. Pretty cool.
Friday, January 30, 2004 11:03:09 AM (Central Standard Time, UTC-06:00)

Add Watermarks At Runtime
Here is the article.
Friday, January 16, 2004 11:46:24 PM (Central Standard Time, UTC-06:00)

.Net Code Access Security
Here is an article that goes into code access security.
Tuesday, December 30, 2003 12:25:43 PM (Central Standard Time, UTC-06:00)

Preventing Dictionary Attacks
This article talks about preventing dictionary attacks with ASP.NET applications.
Friday, December 26, 2003 6:22:57 PM (Central Standard Time, UTC-06:00)

Using the Principal and Identity for custom security authentication
This article shows how to use the .NET Principal and Identity concepts to implement custom authentication and authorization in Windows and Web applications.
Friday, December 26, 2003 6:15:14 PM (Central Standard Time, UTC-06:00)

Kerberos Paper
This PDF explains a little about Kerberos, why we need it and how it works.
Wednesday, October 15, 2003 11:03:36 AM (Central Standard Time, UTC-06:00)

Create a test SSL Certificate with MakeCert
Just convert this into a BAT file:

cd program files
cd microsoft visual studio .net 2003
cd common7
cd tools
cd bin


makecert -r -pe -n "CN=users.walshgroup.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 usersCert.cer
echo finished



After you have the cer file, you need to do the following.

Export a Certificate and Public Key
Now that you have added the Certificates snap-in, you can export the key pair that your Web server is using (the certificate and public key). To do this, perform the following steps: Open the Certificates (Local Computer) snap-in you added in the last section, navigate to Personal, and then to Certificates.

You will see your Web server certificate denoted by the CN (Common Name) found in the Subject field of the certificate (using Internet Explorer 5.0, you can easily view the certificate to see the Common Name if you are unsure).

Right-click on the server certificate, select All Tasks, and then click Export.

When the wizard starts, click Next. Choose to export the private key, and then click Next. NOTE: If you export the certificate for use on an IIS Web server, do not select Require Strong Encryption. This option causes a password prompt every time an application attempts to access the private key, and causes IIS to fail.


The file format you will want to choose is the Personal Information Exchange (though you can select from several options). This will create a PFX file. Notice that you can export any certificates in the certification path by selecting the option on this screen. This is very handy if your certificate was issued by a non-trusted certificate authority (for example, Microsoft Certificate Server). Only choose "Delete the private key if the export is successful" to be sure the key is not left on the computer (for example, if you're migrating from one server to another). NOTE: If you do not select "Include all certificates in the certificate path if possible" and the issuer of the certificate is not trusted by your server, then you may notice that when the properties of the certificate are viewed, the "This certificate is issued to:" field may display "Windows does not have enough information about this certificate". This is by design and can be resolved by selecting "Include all certificates in the certificate path" while exporting the certificate.


Then just import the file into IIS.



For more info, check out these urls http://www.inventec.ch/chdh/notes/14.htm and http://support.microsoft.com/default.aspx?scid=kb;EN-US;232136.
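
The snap-in export steps above can also be scripted. The following PowerShell is an added example, not part of the original post: it checks the certificate MakeCert placed in the LocalMachine\My store and exports it with its private key and chain to a PFX. It assumes an elevated prompt and the PKI module cmdlets (Windows 8 / Server 2012 or later); the output path is a hypothetical placeholder.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$subject       = 'CN=users.walshgroup.com'              # subject from the MakeCert command
$serverAuthOid = '1.3.6.1.5.5.7.3.1'                    # Server Authentication, same OID as -eku
$pfxPath       = Join-Path $env:TEMP 'usersCert.pfx'    # hypothetical output path

# Find the newest matching certificate in the store MakeCert wrote to
# (-sr localMachine -ss my).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My." }

# IIS needs the private key; a PFX export is impossible without it.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key.' }

# Confirm the EKU extension really carries Server Authentication.
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value }
if ($ekuOids -notcontains $serverAuthOid) { throw 'Server Authentication EKU is missing.' }

# Self-signed (-r) certificates have identical subject and issuer; clients will
# not trust them unless the certificate is added to their trusted roots.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Export certificate + private key; BuildChain matches the wizard option
# "Include all certificates in the certification path if possible".
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password `
    -ChainOption BuildChain | Out-Null

# On the target server the PFX would be imported with:
#   Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password
# The PFX contains the private key, so delete it once the import is done.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    SelfSigned = $selfSigned
    PfxPath    = $pfxPath
}
```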
Monday, August 25, 2003 4:25:28 PM (Central Standard Time, UTC-06:00)

Flash Cryptography
I've been working on some stuff with Flash and cryptography.

This site has some source code that implements the SHA1 hash method to produce a "one way" encryption method.

Here is an example of the RSA public key / private key encryption method in Flash. (This won't work if you have Flash6 plugin, but once you recompile the source code, it works fine.)
Saturday, August 16, 2003 1:41:45 AM (Central Standard Time, UTC-06:00)

Encryption and Authentication Through Flash
Ryerson University has an article on this topic titled "Securing the Authentication Process".
Sunday, July 20, 2003 11:13:09 AM (Central Standard Time, UTC-06:00)

Store Passwords and Connection Strings Securely
This article shows how to store passwords and connection strings securely on your machine.
Thursday, July 03, 2003 1:50:17 PM (Central Standard Time, UTC-06:00)

 

All content © 2008, Christopher May, Inc