Install Unifi Protect on ODroid C2
Installation steps:
- Download Armbian Stretch
The reason to use Stretch rather than Buster is that the Cloud Key also runs Stretch, so let's not make things complicated: it also uses the included versions of postgres and nodejs.
https://www.armbian.com/odroid-c2/ or the specific download: https://dl.armbian.com/odroidc2/Stretch_current
Then DD that onto a SD card or eMMC.
xzcat -dc stretch_current | dd of=/dev/sdX bs=20480
Login with root / 1234 and reset the password.
mkdir -p /srv
Then mount a large external disk to: /srv
mount /dev/sdb1 /srv
This could be nfs or a local disk, whichever works for you.
One issue you will have is that you need a package called "ubnt-tools" that is bundled inside the Cloud Key image rather than published as a separate package. So you will need to download the Cloud Key image, unpack it and then re-pack the ubnt-tools package so it can be installed.
Download the full image here: https://www.ui.com/download/unifi/unifi-cloud-key-gen2/uck-g2
Then install the following packages to unpack the image and repack ubnt-tools as a deb, plus a dependency of ubnt-tools:
apt-get install binwalk squashfs-tools p7zip-full smartmontools dpkg-repack liblockfile-bin
Then run binwalk across the whole image and use dpkg-repack to rebuild the deb. After binwalk has extracted everything you will see a squashfs-root subdirectory where the whole squashfs filesystem was extracted; dpkg-repack then rebuilds the installed package from that root into a deb for you to install:
binwalk -e UCKG2.apq8053.v1.1.13.818cc5f.200430.0948.bin
cd _UCKG2.apq8053.v1.1.13.818cc5f.200430.0948.bin.extracted
dpkg-repack --root squashfs-root ubnt-tools
dpkg -i ubnt-tools_0.9.40~264+ge174a4b_arm64.deb
apt --fix-broken -y install
Then any of the missing dependencies should be sorted and you are good to install the repos and packages.
Add repo keys for nodesource and unifi
curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | sudo apt-key add -
apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50
apt-key adv --keyserver keyserver.ubuntu.com --recv 97B46B8582C6571E
Add package repos to sources.list.d
echo deb https://deb.nodesource.com/node_8.x stretch main > /etc/apt/sources.list.d/nodejs.list
echo deb http://apt.ubnt.com/ stretch main > /etc/apt/sources.list.d/ubnt-common.list
echo deb http://www.ubnt.com/downloads/unifi/debian cloudkey-stable ubiquiti > /etc/apt/sources.list.d/ubnt-unifi.list
apt-get update
apt-get -y upgrade
apt-get install unifi-protect
Now try connecting to your server at https://unifi:7443
And check /srv/unifi-protect/logs, especially service.log, which should show whether it is working or not.
APC UPS Smart-UPS 750 XL battery constants
The issue I had was that the runtime remaining was always below 5 mins even though it had a brand new genuine APC battery.
I finally figured out that the battery constant in the UPS had somehow been corrupted, so I needed to re-program it so that the runtime showed correctly.
For this you need to connect to the serial port (not USB) and need a correctly wired serial cable.
As per this blog entry: https://alioth-lists.debian.net/pipermail/nut-upsuser/2005-August/000118.html
| UPS DB9M pin | UPS signal | Computer DB9F pin | Computer signal |
|---|---|---|---|
| 9 | CHASSIS | 5 | SG (Signal Ground) |
| 2 | TXD | 2 | RXD |
| 1 | RXD | 3 | TXD |
Then you should be able to use PuTTY or a similar terminal tool with the settings 2400 8/N/1, and make sure XON/XOFF flow control is enabled (I had it off and it doesn't work without it).
Next steps, as per these two blogs: https://conetrix.com/blog/manually-esetting-an-apc-smart-ups-battery-constant-after-new-battery-replacement or https://alioth-lists.debian.net/pipermail/nut-upsdev/2006-June/000938.html
Make sure you have removed NMC cards, USB cables and everything that is connected to the UPS.
apcupsd documents a number of different constants, use at your own risk: http://www.apcupsd.com/manual/manual.html#resetting-the-ups-battery-constant
Check if there is a connection (type Shift + Y; it should return **SM**). Do not enter any characters via Hyperterminal other than those described in these instructions, because this can cause irreparable damage to the UPS.
Type **1**, wait 2-3 secs and type **1** again (Should return **Prog**)
Enter a **0** and the UPS reports the present value of the battery constant. If this value does not correspond to the default value that was given to you by RM Support or APC, it must be changed.
If this value is not correct, press **+** or **-** until the correct value is returned.
On another Smart-UPS 750 XL that is working fine the value is 9E; the UPS that wasn't working correctly had 17.
I updated the broken UPS by increasing the value from 17 to 9E, and hey presto, at 30% load it now reports it would last for about an hour.
Press **R** to close the session. (Should return **Bye**)
Enter **<Shift> Y**, the UPS reports again with **SM**.
Enter **0** once again and check if the UPS reports back the standard setting that has been set.
Active Directory Kerberos authentication with Apache on Linux
Kerberos single sign-on with Apache and AD and LDAP authorization
I always forget how to do this, as I only ever need to set it up so infrequently, so I thought I would document it here to remind myself of the steps. I am looking to create an AD Service Account (standard user) rather than having Linux fully registered with AD (machine account). Below are the components and steps:
Components involved:
- AD Service Account - Created on the AD Domain Controller and then using ktpass to create a Keytab file to copy to the Linux host
- Linux Apache instance - Running Apache 2.4 without full AD / Kerberos federation and will need a working keytab file
- Windows desktop - A member of the AD Domain that should be able to use the Kerberos ticket with IE, Chrome or Firefox. For IE and Chrome the domain/site you want is added to the "Local Intranet" zone via the registry or Group Policy, and for Firefox it is an advanced setting in Firefox.
- Adding LDAP group based authorization - So you need to be a member of an AD group to gain access.
1) Active Directory Service Account.
Assuming you are running Windows 2008 or newer (including the forest and domain functional levels upgraded to 2008 or higher!) then you should be able to use AES256-SHA1 rather than AES128, RC4 or DES, since seriously you should be using strong crypto. As per this MS article on Kerberos.
Create service account:
Creating the service account using PowerShell, which also enables Kerberos AES256 on the account.
New-ADUser -Name "ServiceAccountCN" -Path "OU=ServiceAccounts,DC=AD,DC=DOMAIN,DC=LOCAL" -ServicePrincipalNames "HTTP/apachehost.dnsdomain" -SamAccountName "ServiceAccountSAM" -UserPrincipalName "ServiceAccountUPN@AD.DOMAIN.LOCAL" -AccountPassword (ConvertTo-SecureString "**PASSWORD**" -AsPlainText -Force) -passwordNeverExpires $true -Enabled $true -OtherAttributes @{'msDS-SupportedEncryptionTypes'="26"}
The following values should be changed in bold:
Name = This is the CN or how the record will be displayed in AD, it serves no functional use other than how it is displayed in AD Users and Computers
Path = The container in which to create the service account; optional, since otherwise users get created in CN=Users of the domain.
ServicePrincipalNames (SPN) = This should be the Service Principal Name, starting with "HTTP/" in upper case no matter if you have the site http or https, and then the full DNS domain name of the Apache host.
SamAccountName (SAN) = The SAM account name, typically the same as the Name / CN but not always, and it needs to be unique in AD.
UserPrincipalName (UPN) = This is the object UPN. It will be overwritten by ktpass, but ktpass references it, and it needs to include the AD domain name in upper case.
AccountPassword = Shown here setting the password in clear text.
passwordNeverExpires, Enabled = You don't want the Service Account password to expire, and want the account enabled when you create it.
msDS-SupportedEncryptionTypes = 26 = This enables Kerberos AES128 and AES256 on the account. If you just want AES256 set it to 18 but I prefer 26.
Create keytab:
Now you have a Service Account created you need to create a keytab to import into Apache, using ktpass. You can either create a single keytab only supporting AES256, or a keytab with both AES128 and AES256. You should never add "-setupn" to the command line, since then the UPN isn't updated, and the UPN MUST be the Service Principal Name, i.e. "HTTP/servername.domain", otherwise AD doesn't know how to resolve the account name. It also means that if you have multiple hostnames you need multiple service accounts and multiple keytabs.
Keytab only supporting AES256:
ktpass -princ HTTP/apachehost.dnsdomain@AD.DOMAIN.LOCAL -mapuser ServiceAccountUPN@AD.DOMAIN.LOCAL -pass **PASSWORD** -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out apachehost.keytab
Keytab supporting both AES128 and AES256:
ktpass -princ HTTP/apachehost.dnsdomain@AD.DOMAIN.LOCAL -mapuser ServiceAccountUPN@AD.DOMAIN.LOCAL -pass **PASSWORD** -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out apachehost-temp.keytab
ktpass -princ HTTP/apachehost.dnsdomain@AD.DOMAIN.LOCAL -mapuser ServiceAccountUPN@AD.DOMAIN.LOCAL -pass **PASSWORD** -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -in apachehost-temp.keytab -out apachehost.keytab
Similarly, the values in bold should be changed:
princ = The principal name, always prefixed with HTTP/ in upper case no matter if you are connecting over http or https, and the ADDOMAIN should always be in upper case.
mapuser = The same value as UPN from above with the ADDOMAIN in upper case.
pass = The password you want to set, typically the same as the random password you used above to create the account, but it can be different.
crypto = AES256-SHA1 or AES128-SHA1
in/out = The name of the file to create, and if you specify an "in" you are loading the first keytab in to create a keytab with multiple records.
You should now see the "User logon name" aka UPN in AD Users and Computers "Account" tab has updated to be the same as the SPN.
Now you should have a working keytab to load on Apache.
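As an added example (not code from this post), here is a small Python inspector for the keytab that ktpass writes: it parses the 0x0502 keytab format, reports each entry's principal, kvno and enctype, flags anything other than AES (enctypes 17/18), and decodes an msDS-SupportedEncryptionTypes bitmask so you can see exactly which enctypes a value such as 26 enables. The SPN, realm and key bytes in the sample are constructed placeholders; to inspect a real keytab, pass the file's bytes to check_keytab().

```python
import struct

# msDS-SupportedEncryptionTypes bit flags, per [MS-KILE] section 2.2.7.
ENCTYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
# Enctype numbers as they appear inside keytab entries (RFC 3961, 3962, 4757).
KEYTAB_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                   17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
STRONG_ENCTYPES = {17, 18}

def decode_supported_enctypes(value):
    """Names of the enctypes enabled by an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in sorted(ENCTYPE_FLAGS.items()) if value & bit]

def _counted(data, pos):
    # 16-bit big-endian length followed by that many bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab; key bytes are reported by length only."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 9 + 4 + keylen
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno, overrides vno8 if nonzero
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "keylen": keylen})
        pos = end
    return entries

def check_keytab(data, expected_principal):
    """Defender-side check: every entry carries the expected SPN and an AES enctype."""
    entries = parse_keytab(data)
    problems = [] if entries else ["keytab has no entries"]
    for e in entries:
        if e["principal"] != expected_principal:
            problems.append("unexpected principal " + e["principal"])
        if e["enctype"] not in STRONG_ENCTYPES:
            name = KEYTAB_ENCTYPES.get(e["enctype"], str(e["enctype"]))
            problems.append("weak enctype %s for %s" % (name, e["principal"]))
    return problems

def build_keytab(entries):
    """Constructed sample only: write a 0x0502 keytab from (principal, kvno, enctype, key)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

SPN = "HTTP/apachehost.dnsdomain@AD.DOMAIN.LOCAL"
# Constructed sample keytab with placeholder key bytes (not real key material).
SAMPLE_KEYTAB = build_keytab([(SPN, 3, 17, bytes(range(16))),    # AES128 from the first ktpass run
                              (SPN, 3, 18, bytes(range(32)))])   # AES256 appended by the second run
```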
2) Linux Apache instance
RHEL/CENTOS:
yum install httpd mod_auth_kerb
Debian/Ubuntu:
apt-get install apache2 libapache2-mod-auth-kerb
Kerberos local configuration
There are numerous posts saying you need to update /etc/krb5.conf so the host can resolve your domain. This is required if you want the host to prompt for a password and still be able to resolve the realm. It's not strictly mandatory, but it helps.
/etc/krb5.conf
[libdefaults]
    default_realm = AD.DOMAIN.LOCAL
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    dns_lookup_realm = true

[realms]
    AD.DOMAIN.LOCAL = {
        kdc = addc.dnsdomain
        admin_server = addc.dnsdomain
    }

[domain_realm]
    apachehost.dnsdomain = AD.DOMAIN.LOCAL
Similarly, the values in bold should be changed:
default_realm = This should be set to the full DNS AD domain name in upper case, i.e. "COMPANY.ORG.NZ" or whatever the full domain is, not just the local domain.
realms = Same value as the default realm to specify where the kdc and admin server are. The AD Domain value again needs to be the full domain and in upper case.
kdc and admin_server = A domain controller's DNS name, used to resolve the DC.
domain_realm = This is the local hostname exactly as you plan to access it, like the Service Principal Name but without the HTTP/ prefix, mapped to the full AD domain name, again in upper case.
Apache Configuration:
Copy the keytab from the Windows Domain Controller to /etc/httpd (CentOS) or /etc/apache2 (Debian/Ubuntu), or somewhere else that Apache can access and owns. The keytab should be considered sensitive, so chmod it to 600 and chown it to the apache user.
conf/kerberos.conf
<Directory "/var/www/html/ad">
    AuthType Kerberos
    AuthName "Active Directory"
    KrbAuthRealms AD.DOMAIN.LOCAL
    KrbServiceName HTTP
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Krb5Keytab /etc/httpd/apachehost.keytab
    require valid-user
</Directory>
Similarly, the values in bold should be changed:
KrbAuthRealms = This again should point to the AD Domain in upper case, and match the values in the krb5.conf
KrbMethodK5Passwd = Enable this only if you want to prompt for a password, which defeats the whole purpose of Kerberos auth.
Krb5Keytab = The location of the keytab created and copied as part of the ktpass process on the DC.
3) Windows Desktop
Natively IE, Edge and Chrome support Kerberos; Microsoft has a few references on this.
Local settings for IE, Edge and Chrome:
Control Panel -> Internet Settings -> Security -> Local Intranet -> Sites -> Advanced ->
Add the host, including whether it is https or http, as a URL, i.e. "https://apachehost.dnsdomain" and/or "http://apachehost.dnsdomain". If the checkbox "Require server verification (https:) for all sites in this zone" is ticked then Apache will need to be set up with an SSL/TLS certificate.
This will add registry keys under: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ for the dns domain.
Sometimes it is easier (but somewhat less secure) to add the whole local domain as a wildcard, in which case you can add "https://*.dnsdomain".
Group Policy settings for IE, Edge and Chrome:
These settings can be set via GPO in: https://blogs.manageengine.com/active-directory/2018/08/02/securing-zone-levels-internet-explorer.html or https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html
Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List
Set it to Enabled, then add entries where the "Value name" is the site, i.e. "http://apachehost.dnsdomain", and the "Value" is set to "1" to indicate the Local Intranet zone.
Once the GPO has been applied there will be registry keys under:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
Settings for Firefox:
As Firefox doesn't use the built-in Windows settings you need to set it yourself: https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication
Go to "about:config" and set the value:
network.negotiate-auth.trusted-uris = apachehost.dnsdomain
Or if you want to trust the whole corporate domain add the domain with a preceding dot:
network.negotiate-auth.trusted-uris = .dnsdomain
4) AD LDAP based authorization.
Once you have logged in via Kerberos you need to modify the Directory setting in Apache to include the LDAP lookup.
# require valid-user
AuthLDAPURL "ldaps://AD.DOMAIN.LOCAL/OU=Users,DC=AD,DC=DOMAIN,DC=LOCAL?userPrincipalName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=ServiceAccountCN,OU=ServiceAccounts,DC=AD,DC=DOMAIN,DC=LOCAL"
AuthLDAPBindPassword "**Password**"
require ldap-group CN=ApacheAccess,OU=Unix Access,DC=AD,DC=DOMAIN,DC=LOCAL
The LDAP URL should use LDAPS (as Microsoft is turning off cleartext LDAP), then specify the AD DNS domain name, which should resolve to any DC, or point it at the IP address of your preferred DC. The search base should be the OU that contains all your users. The search attribute is userPrincipalName; that is also why I didn't enable "KrbLocalUserMapping On", since then the domain gets stripped and you would be doing a lookup on samAccountName instead of UPN. Stick with sub and objectClass=*, or filter that down if desired.
Then specify the Service Account username & password.
And lastly comment out "require valid-user" and replace it with "require ldap-group CN=...", giving the full DN of the AD group that you want to use, and you are done.
There are numerous blogs around enabling Apache to use Kerberos authentication for single sign-on to a website. Some of the better ones include:
http://www.grolmsnet.de/kerbtut/
https://imatviyenko.github.io/blog/2018/09/11/Apache-AD-kerberos
But none of them cover all aspects of the solution, how to make sure it is working and how to debug it if it isn't (or perhaps I have just never read them properly). They also tend to include a lot of outdated material, talking about NT4 or AES128 ciphers, rather than the correct way to create the keytab file you require.
Decrypting Sailpoint IdentityIQ (IIQ) "encrypted" passwords
dataSource.username=identityiq
dataSource.password=1:iCAlakm5CVUe7+Q6hVJIBA==
There are two versions of the symmetric encryption, either "AES" or "AES/CBC/PKCS5Padding".
If it's a legacy AES one then the format is as above, "key number : encrypted password"
If it's a new "AES/CBC/PKCS5Padding" format then they insert "ACP" as an additional field with the same colon separator so it becomes: "1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno="
Sailpoint cleverly supports decrypting the "encrypted" passwords if you pass a "special" system property on the command line when calling identityiq.jar, which is what the iiq command line tool does. I found this by decompiling identityiq.jar, under sailpoint.server.KeyStoreConsole, where they had byte-encoded the string they required (facepalm).
sailpoint.keyStore.consoleContext=magellan
So you call Sailpoint command line using:
java -cp WEB-INF/lib/identityiq.jar -Dsailpoint.keyStore.consoleContext=magellan sailpoint.launch.Launcher keystore
You will see there are two new commands at the end, "encrypt" and "decrypt":
> ?
Console Commands
? display command help
help display command help
echo display a line of text
quit quit the shell (same as exit)
exit exit the shell (same as quit)
source execute a file of commands
properties display system properties
time show how much time a command takes to run.
xtimes Run a command x times.
about
addKey Generate a new encryption key, the key will be securly generated and random.
list List the contents of the keystore.
master Change the master password and re-encrypt the keystore using the new master.
use Specify the keystore and master file to use when interacting with an alternate keystore.
encrypt
decrypt
> decrypt
decrypt <string>
If you have created a custom key rather than the standard supplied one, it will default to using the latest key.
> encrypt hello
2:ACP:GmOPFExdXOZXjq69jlIujgk0JhfTxEbl9zF4BtK2MKo=
But you can encrypt using key 1
> encrypt hello 1
1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno=
Or specify key 2
> encrypt hello 2
2:ACP:VaziygP3Bmu/rwKayN4iWyjATKcJKlASg/8x4PRYnZg=
Then decrypt by just pasting the whole string in.
> decrypt 1:ACP:JaGpXuLFE2btMQjnrggkdju449U/qfp1HLQA1rgSGno=
hello
Or the standard password stored within the iiq.properties for the database password:
> decrypt 1:iCAlakm5CVUe7+Q6hVJIBA==
identityiq
You'll also notice that the list option displays the generated AES keys in base64 format, which is kinda handy.
> addKey
Generate a new encryption key (y/n)?
y
Generating a new encryption key for keystore [/data/sailpoint/WEB-INF/classes/iiq.dat].
New encrpytion key successfully saved to keystore.
All application servers must be restarted for changes to take effect.
> list
Listing contents for keystore [/data/sailpoint/WEB-INF/classes/iiq.dat].
KeyAlias Algorithm Format Object
2 AES RAW lcECExlG4AF/ehwvZ9SIKw==
>
Thanks sailpoint for making decrypting passwords so easy.
Useful SNMP OIDs for Home Automation
Switches:
| Device | SNMP OID | On Value | Off Value | Notes |
|---|---|---|---|---|
| APC 7920 PDU | .1.3.6.1.4.1.318.1.1.12.3.3.1.1.4.1 | 1 | 2 | Increment the last value of the OID for the port number. |
| Raritan PX2-2190R | .1.3.6.1.4.1.13742.6.4.1.2.1.2.1.1 | 1 | 0 | Increment the last value of the OID for the port number. |
| Cisco 3750 PoE Switch inline power | .1.3.6.1.4.1.9.9.402.1.2.1.1.1.1 | 1 | 4 | Increment the last value of the OID for the port number. Integer 4 is "disabled" and 1 is Auto. |
Sensors:
| Device | SNMP OID | Notes |
|---|---|---|
| Raritan DPX-T2H2 sensor for PX2-2190R Temp | .1.3.6.1.4.1.13742.6.5.5.3.1.4.1.1 | Need to divide the number by 10 to get the decimal place as it is an integer. The DPX-T2H2 has two sensors and the second sensor has the OID value of .3 |
| Raritan DPX-T2H2 sensor for PX2-2190R Humidity | .1.3.6.1.4.1.13742.6.5.5.3.1.4.1.2 | Humidity; the second sensor is .4 |
| Raritan PX2-2190R | .1.3.6.1.4.1.13742.6.5.2.3.1.4.1.1.1 | RMS Current |
| Raritan PX2-2190R | .1.3.6.1.4.1.13742.6.5.2.3.1.4.1.1.4 | RMS Voltage |
| Raritan PX2-2190R | .1.3.6.1.4.1.13742.6.5.2.3.1.4.1.1.5 | Active Power |
| Raritan PX2-2190R | .1.3.6.1.4.1.13742.6.5.2.3.1.4.1.1.6 | Apparent Power |
| Raritan PX2-2190R | .1.3.6.1.4.1.13742.6.5.2.3.1.4.1.1.7 | Power Factor |
| Raritan PX2-2190R | .1.3.6.1.4.1.13742.6.5.2.3.1.4.1.1.8 | Active Energy |
| Raritan PX2-2190R | .1.3.6.1.4.1.13742.6.5.2.3.1.4.1.1.23 | Active Energy |
| APC NMC AP9335T | .1.3.6.1.4.1.318.1.1.25.1.2.1.6.1.1 | Need to divide the number by 10 to get the decimal place as it is an integer |
New Zealand Dialing validation regex
Akamai IP Reputation Filter
It seems that the Akamai IP Reputation Filter has for some reason decided that this IP address has some random reputation issue that prevents me from accessing their customers' web sites.
The sites I can't access include:
www.jbhifi.co.nz
shop.countdown.co.nz
When I attempt to access the sites I get:
------
Access Denied
You don't have permission to access "http://www.jbhifi.co.nz/" on this server.
Reference #18.67ff6dcb.1527719015.a6cebb8
------
At no point in the above do you get any indication that this is the Akamai Web Application Firewall blocking you. There are a number of not particularly helpful posts on the Akamai community talking about the issue.
https://community.akamai.com/customers/s/article/Why-is-Akamai-blocking-me?language=en_US
And none of them provide any real resolution apart from contacting the site you are trying to access and then they can contact Akamai and figure out why.
So after lengthy conversations it turns out the only way to resolve the issue is to send an email to "support at akamai.com" and then hopefully get to the bottom of why you are blocked.
My first email consisted of:
------
Akamai does not block users from accessing our customers’ websites. However, our customers can use tools and policies which may in turn block you (the end user). Our customers use these rules to protect them and you from malicious actors on the internet.
We have checked the logs you provided and have found you are being blocked because of a Web Application Firewall rule being triggered by your IP address. The most likely reason that a company or an end user may be blocked from several sites is due to Reputation-based blocking. Billions of IP addresses interact with the Akamai Intelligent Platform every month, and the Client Reputation module provides information regarding the reputation of each of them. Customers with this module enabled can block IP addresses whose reputation exceeds a certain configurable threshold.
Some of other reasons that a block may be happening are:
Explicit IP blocking / blacklisting
Location-based blacklisting
Rule-based blocking (i.e. web application firewall protections)
HTTP request rate controls (e.g. DoS protections)
We cannot unblock your IP address as it is the Akamai clients who make up the rules to block certain customers. You can check directly with the website owners why your IP is being blocked if you feel you have not done any harm or any illegal activities on the site you are being blocked.
Having said this, I have checked x.x.x.x and it's not being blocked.
------
So that's no use at all, as we are still blocked. When I finally manage to figure out how to unblock our IP address I will update this blog.
Bogon Filtering using Regex
My regex testing site of preference is: https://regex101.com/ as it has an excellent UI to test with and breaks out what the regex is doing.
This is the regex I ended up with:
((?:10|127)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})|((?:192\.168|169\.254|172\.(?:1[6-9]|2[0-9]|3[0-1])|100\.(?:6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7]))(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})
Reading it the regex blocks the following ranges:
10.0.0.0/8 & 127.0.0.0/8
Regex: ((?:10|127)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})
Explanation: a non-capturing group (?:) matches 10 or 127, then ". + 1-255" is matched {3} times as a non-capturing group.
192.168.0.0/16 & 169.254.0.0/16
Regex: ((?:192\.168|169\.254)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})
Explanation: A non capture group ?: match 192.168 or 169.254 then capture ". + 1-255" {2} times as a non capture group.
172.16.0.0/12
Regex: (172\.(?:1[6-9]|2[0-9]|3[0-1])(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})
Explanation: "172." then non capture group 16-19 or 20-29 or 30-31 then capture ". + 1-255" {2} times as a non capture group.
100.64.0.0/10
Regex: (100\.(?:6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})
Explanation: "100." then non capture group 64-69 or 70-99 or 100-119 or 120 to 127 then capture ". + 1-255" {2} times as a non capture group.
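An added example (not from the post) that exercises the regex above against boundary addresses of each range and checks it against Python's ipaddress module for the same six networks. It also shows the one caveat worth knowing: the pattern is unanchored, so used with search() it matches inside a longer address such as 210.0.0.1; when validating a whole field, anchor it (fullmatch, or ^...$).

```python
import ipaddress
import re

# The pattern from the post, split across lines for readability (same regex).
BOGON_RE = re.compile(
    r"((?:10|127)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})|"
    r"((?:192\.168|169\.254|172\.(?:1[6-9]|2[0-9]|3[0-1])|"
    r"100\.(?:6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7]))"
    r"(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2})"
)

# The same six ranges as networks; this is the reference answer.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16",
    "172.16.0.0/12", "100.64.0.0/10")]


def is_bogon_ref(ip):
    """Reference check with the ipaddress module."""
    return any(ipaddress.ip_address(ip) in net for net in BOGON_NETS)


def is_bogon_search(text):
    """Unanchored use: search() accepts a match anywhere inside the text."""
    return BOGON_RE.search(text) is not None


def is_bogon_fullmatch(text):
    """Anchored use: the whole field has to be a bogon address."""
    return BOGON_RE.fullmatch(text) is not None


def disagreements(check, samples):
    """Samples where the given regex check disagrees with the ipaddress reference."""
    return [s for s in samples if check(s) != is_bogon_ref(s)]


# Constructed sample: first and last address of each range plus the neighbours just outside.
SAMPLES = [
    "10.0.0.0", "10.255.255.255", "9.255.255.255", "11.0.0.0",
    "127.0.0.1", "127.255.255.255", "128.0.0.1",
    "192.168.0.1", "192.167.255.255", "192.169.0.0",
    "169.254.10.10", "169.253.255.255", "169.255.0.0",
    "172.16.0.0", "172.31.255.255", "172.15.255.255", "172.32.0.0",
    "100.64.0.0", "100.127.255.255", "100.63.255.255", "100.128.0.0",
    "210.0.0.1",   # public, but contains "10.0.0.1" as a substring
]

if __name__ == "__main__":
    print("search() disagrees on:", disagreements(is_bogon_search, SAMPLES))
    print("fullmatch() disagrees on:", disagreements(is_bogon_fullmatch, SAMPLES))
```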
Hope someone finds this useful.
Extracting encrypted passwords from Sun Identity Manager
http://www.darkedges.com/blog/?p=7
http://zerointechnologies.com/sun-idm-decrypt-password.html
The second link includes the JavaScript code needed, but a session needs to be established first, so this is the modified code I used.
/* Decrypt Sun IDM Passwords */
importPackage(Packages.com.waveset.util);
importPackage(Packages.com.waveset.server);
var _lhSession = new InternalSession();
print("Encrypted = " + arguments[0]);
var pwd = new EncryptedData();
pwd.fromString(arguments[0]);
print("Decrypted = " + pwd.decryptToString());
/* End */
Then have the above script called pwd.js. Calling it as shown below:
./lh js pwd.js "3A961D0D453E218C:6BCF235D:122ED7C4BB6:-7FA4|GsggQAq2YSSbb1sZE9Xaxw=="
Encrypted = 3A961D0D453E218C:6BCF235D:122ED7C4BB6:-7FA4|GsggQAq2YSSbb1sZE9Xaxw==
Decrypted = configurator
So, to get the encrypted passwords you want, here is a modified version of the JS that takes an input file of user names and returns the passwords:
/* Decrypt Sun IDM Passwords */
importPackage(Packages.java.util);
importPackage(Packages.java.io);
importPackage(Packages.com.waveset.object);
importPackage(Packages.com.waveset.session);
importPackage(Packages.com.waveset.util);
var _lhSession = new InternalSession();
// arguments[0] is a file with one IDM user name per line
var file = new FileReader(arguments[0]);
var br = new BufferedReader(file);
var line;
while ((line = br.readLine()) != null) {
    // Look up the user object and decrypt its stored password attribute
    var obj = _lhSession.getObject(Type.USER, line);
    var pwd = new EncryptedData();
    pwd.fromString(obj.getAttribute("password"));
    print(obj.getName() + "," + pwd.decryptToString());
}
br.close();
/* End */
Plus I've now got offline decryption working too, by extracting the encryption key:
$WSHOME/bin/lh console -c "getObject EncryptionKey *"
And the misc data:
/* Extract Misc Data */
importPackage(Packages.com.waveset.object);
importPackage(Packages.com.waveset.session);
var _lhSession = new InternalSession();
var obj = _lhSession.getObject(Type.MISCELLANEOUS, "miscData");
print("Result" + obj.toXml());
/* End */
Then call the javascript:
$WSHOME/bin/lh js misc.js
Using the code shown above from Dark Edges.
Sad, but true.
NZ Cell Site location information - Now with Google Fusion Tables!
So, thanks to Mark Hansen and the great work he did drawing all the links nationwide (http://markhansen.co.nz/nz-wireless-map/),
I've come to learn of Google Fusion Tables. The super cool thing about Fusion Tables is that you can map data from a table directly into Google Maps without the annoying 1000-placemark limit you have with KMLs, plus the sluggish response when loading a KML file into Google Maps.
With Google Fusion you can either map directly from within Fusion from your dataset, or write a small web page and do some pretty stuff. I've gone with the web page so that I can add a Fusion Tables style, so all the placemarks have a "T"/"V" etc. depending on whether it's a Telecom or Vodafone site.
Try V2 of The NZ Cell Information: http://dl.dropbox.com/u/22487235/fusion.html
If you look in the html it lists the Fusion Table data that I extracted out of RSM which can be found here: 1355049.