Use Android SDK Tool aapt.exe
"C:\Program Files\Android sdk\build-tools\22.0.1\aapt.exe" dump badging myTest.apk
Friday, September 25, 2015
CentOS 7 + Apache 2.4 + WebDav (Not so secure)
1. Create webdav directory
mkdir /var/www/webdav
chown apache:apache /var/www/webdav
2. Add a virtual host to apache server
vim /etc/httpd/conf/httpd.conf
# httpd has to listen on 8080 for this vhost; add this line if no Listen 8080 exists yet
Listen 8080
# NameVirtualHost is ignored (with a warning) by Apache 2.4 but does no harm
NameVirtualHost *:8080
<VirtualHost *:8080>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/webdav/
    <Directory /var/www/webdav/>
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    DavLockDB "/tmp/DavLock"
    Alias /webdav /var/www/webdav/
    <Location /webdav>
        DAV On
        # Basic auth over plain HTTP sends the password in cleartext on every
        # request; this is the "Not so secure" part of the title
        AuthType Basic
        AuthName "webdav"
        # the password file sits inside DocumentRoot, so this share serves it
        # too; keeping it outside /var/www (e.g. /etc/httpd) avoids that
        AuthUserFile /var/www/webdav/passwd.dav
        Require valid-user
    </Location>
    RewriteEngine off
</VirtualHost>
3. Create webdav user
htpasswd -c /var/www/webdav/passwd.dav test
Use "-c" only the first time, to create the password file.
To add other users, don't use the "-c" option (it would overwrite the file).
4. SELinux: make the webdav folder writable by httpd
grep denied /var/log/audit/audit.log | grep webdav
type=AVC msg=audit(1443167688.330:3067): avc: denied { write } for pid=10689 comm="httpd" name="webdav" dev="dm-0" ino=770665 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
grep "Permission denied" /var/log/httpd/error_log
[Fri Sep 25 15:54:48.332239 2015] [dav:error] [pid 10689] (13)Permission denied: [client 192.168.1.195:45679] Could not open file for writing [500, #0]
chcon -R -t httpd_sys_content_rw_t /var/www/webdav/
A chcon label does not survive the next filesystem relabel; to make it persistent, record it with semanage fcontext -a -t httpd_sys_content_rw_t "/var/www/webdav(/.*)?" and then run restorecon -R /var/www/webdav.
5. Test webdav
yum install cadaver
cadaver http://192.168.1.195:8080/webdav/
Authentication required for webdav on server `192.168.1.195':
Username: test
Password:
dav:/webdav/> exit
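To see why the title says "(Not so secure)", here is an added shell audit of a WebDAV vhost file like the one above (example code, not from the original note and not part of Apache). It reports Basic auth without SSLEngine, an AuthUserFile placed inside DocumentRoot, and Options Indexes on the share. The two sample configs are constructed inline: the first mirrors the note's vhost, the second is a tightened variant; function names are my own.

```shell
#!/bin/sh
# Added example: static audit of an httpd WebDAV vhost file.
# Prints one "WEAK:" line per finding and returns the number of findings.

audit_webdav_conf() {
    conf="$1"
    findings=0

    # first DocumentRoot / AuthUserFile values, trailing slash stripped
    docroot=$(awk 'tolower($1)=="documentroot" {print $2; exit}' "$conf" | sed 's#/*$##')
    authfile=$(awk 'tolower($1)=="authuserfile" {print $2; exit}' "$conf")

    # 1. Basic auth on a vhost without TLS: the password crosses the wire in cleartext
    if grep -qi '^[[:space:]]*AuthType[[:space:]][[:space:]]*Basic' "$conf" \
       && ! grep -qi '^[[:space:]]*SSLEngine[[:space:]][[:space:]]*on' "$conf"; then
        echo "WEAK: AuthType Basic without SSLEngine on (credentials sent in cleartext)"
        findings=$((findings + 1))
    fi

    # 2. password file inside DocumentRoot: it is part of the tree this vhost serves
    if [ -n "$docroot" ] && [ -n "$authfile" ]; then
        case "$authfile" in
            "$docroot"/*)
                echo "WEAK: AuthUserFile $authfile is inside DocumentRoot $docroot"
                findings=$((findings + 1)) ;;
        esac
    fi

    # 3. directory listings on a writable share reveal every uploaded file name
    if grep -qi '^[[:space:]]*Options.*Indexes' "$conf"; then
        echo "WEAK: Options Indexes exposes a listing of the share"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# number of findings on stdout, always exits 0 (convenient under set -e)
count_findings() {
    n=0
    audit_webdav_conf "$1" >/dev/null || n=$?
    echo "$n"
}

# constructed sample mirroring the note's vhost (3 findings expected)
write_weak_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:8080>
    DocumentRoot /var/www/webdav/
    <Directory /var/www/webdav/>
        Options Indexes MultiViews
    </Directory>
    <Location /webdav>
        DAV On
        AuthType Basic
        AuthUserFile /var/www/webdav/passwd.dav
        Require valid-user
    </Location>
</VirtualHost>
EOF
}

# constructed hardened variant: TLS on, password file outside the tree, no listings
write_hardened_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:8443>
    SSLEngine on
    DocumentRoot /var/www/webdav/
    <Directory /var/www/webdav/>
        Options None
    </Directory>
    <Location /webdav>
        DAV On
        AuthType Basic
        AuthUserFile /etc/httpd/passwd.dav
        Require valid-user
    </Location>
</VirtualHost>
EOF
}
```

Run it as `audit_webdav_conf /etc/httpd/conf/httpd.conf` on a real box; the SSLEngine check assumes the TLS directive lives in the same file as the vhost, so split configs need the files concatenated first.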
Tuesday, September 22, 2015
CentOS 7 + Nginx 1.8.0 + PHP 5.6 + MariaDB 10.0 (LEMP) + SSL
1. change ulimits
vim /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
2. Install MariaDB
vim /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.0/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
yum install MariaDB-server MariaDB-client
chkconfig mysql on
mysql_secure_installation
Open firewalld for MySQL only if remote clients need it: firewall-cmd --permanent --add-service=mysql && firewall-cmd --reload
3. Install Nginx
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
yum install nginx
systemctl start nginx
systemctl enable nginx
Open firewalld for nginx: firewall-cmd --permanent --add-service=http && firewall-cmd --reload (add the https service after step 9)
4. Install PHP
Reference: https://webtatic.com/packages/php56/
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install php56w php56w-fpm php56w-mysql
vim /etc/php.ini
;cgi.fix_pathinfo=1
cgi.fix_pathinfo=0
Reference : https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
What we are looking for in this file is the parameter that sets cgi.fix_pathinfo. This will be commented out with a semi-colon (;) and set to "1" by default.
This is an extremely insecure setting because it tells PHP to attempt to execute the closest file it can find if a PHP file does not match exactly. This basically would allow users to craft PHP requests in a way that would allow them to execute scripts that they shouldn't be allowed to execute.
We will change both of these conditions by uncommenting the line and setting it to "0" like this:
5. Edit /etc/php-fpm.d/www.conf
[global]
pid = /usr/local/php/var/run/php-fpm.pid
error_log = /var/log/httpd/php-fpm.log
[www]
;listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nobody
listen.group = nobody
; 0666 lets every local account talk to php-fpm through the socket; nginx is the
; only client, so listen.owner = nginx / listen.group = nginx with listen.mode = 0660 is tighter
listen.mode = 0666
;user = apache
user = nginx
;group = apache
group = nginx
6. Edit /etc/nginx/conf.d/default.conf
location / {
    root /usr/share/nginx/html;
    index index.php index.html index.htm;
}
location ~ \.php$ {
    root /usr/share/nginx/html;
    # "=404" must be written without a space: a script that does not exist on
    # disk gets a 404 instead of being handed to php-fpm
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
7. Restart php-fpm and nginx
systemctl restart php-fpm
systemctl restart nginx
8. Test PHP
vim /usr/share/nginx/html/info.php
<?php phpinfo(); ?>
Open http://serverip/info.php in a browser, then delete info.php again: it discloses the full PHP and server configuration.
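The three settings from steps 4 to 6 (cgi.fix_pathinfo, the php-fpm socket mode and the try_files guard) are the ones that decide whether a request for a non-existent .php path can reach the interpreter. Here is an added shell check for them (example code, not from the original note or from the nginx/PHP projects). It reads a php.ini, a www.conf and an nginx server block; the "weak" sample files below are constructed to mirror the distribution defaults and the "fixed" set to mirror the corrected values, and the function names are my own.

```shell
#!/bin/sh
# Added example: static checks for the php.ini / www.conf / nginx settings above.

# effective cgi.fix_pathinfo: the last uncommented assignment wins, PHP's
# built-in default (used when the line is commented out) is 1
php_fix_pathinfo() {
    v=$(sed -n 's/^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-1}"
}

# listen.mode of the php-fpm pool (empty when unset; php-fpm then uses 0660)
fpm_socket_mode() {
    sed -n 's/^[[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*\([0-7]*\).*/\1/p' "$1" | tail -n 1
}

# true when the "other" bits of listen.mode include write, i.e. any local user
# may open the FastCGI socket and hand php-fpm a script to run
socket_world_writable() {
    m=$(fpm_socket_mode "$1")
    m=${m:-0660}
    last=${m#"${m%?}"}            # last octal digit = permissions for "other"
    case "$last" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# true when the PHP location contains the exact "try_files $uri =404;" guard
nginx_php_try_files_ok() {
    awk '
        { line = $0; gsub(/[ \t]+/, " ", line) }
        index(line, "location ~ \\.php$") > 0 { inphp = 1 }
        inphp && index(line, "try_files $uri =404;") > 0 { ok = 1 }
        inphp && index(line, "}") > 0 { inphp = 0 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# report for one directory holding php.ini, www.conf and default.conf;
# the last output line is the number of weak settings found
audit_lemp() {
    d="$1"; bad=0
    [ "$(php_fix_pathinfo "$d/php.ini")" = "0" ] \
        || { echo "WEAK: cgi.fix_pathinfo is effectively 1"; bad=$((bad + 1)); }
    if socket_world_writable "$d/www.conf"; then
        echo "WEAK: php-fpm socket listen.mode $(fpm_socket_mode "$d/www.conf") is world-writable"
        bad=$((bad + 1))
    fi
    nginx_php_try_files_ok "$d/default.conf" \
        || { echo "WEAK: php location lacks 'try_files \$uri =404;'"; bad=$((bad + 1)); }
    echo "$bad"
}

# constructed sample set mirroring the defaults (3 weak settings expected)
write_weak_lemp() {
    mkdir -p "$1"
    printf '%s\n' ';cgi.fix_pathinfo=1' > "$1/php.ini"
    printf '%s\n' '[www]' 'listen = /var/run/php-fpm/php-fpm.sock' \
        'listen.owner = nobody' 'listen.group = nobody' 'listen.mode = 0666' > "$1/www.conf"
    cat > "$1/default.conf" <<'EOF'
location ~ \.php$ {
    root /usr/share/nginx/html;
    try_files $uri = 404;
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
}
EOF
}

# constructed corrected set (0 weak settings expected)
write_fixed_lemp() {
    mkdir -p "$1"
    printf '%s\n' ';cgi.fix_pathinfo=1' 'cgi.fix_pathinfo=0' > "$1/php.ini"
    printf '%s\n' '[www]' 'listen = /var/run/php-fpm/php-fpm.sock' \
        'listen.owner = nginx' 'listen.group = nginx' 'listen.mode = 0660' > "$1/www.conf"
    cat > "$1/default.conf" <<'EOF'
location ~ \.php$ {
    root /usr/share/nginx/html;
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
}
EOF
}
```

On a real server, copy /etc/php.ini, /etc/php-fpm.d/www.conf and /etc/nginx/conf.d/default.conf into one directory and run `audit_lemp` on it; the nginx check is deliberately strict and only accepts the `=404` spelling without a space.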
9. Create Self-Signed Cert
openssl req -x509 -nodes -sha512 -newkey rsa:2048 -keyout cert.key -out cert.pem.csr -days 65536
Common Name (eg, your name or your server's hostname) []: mysite.example.com
Despite the .csr suffix, -x509 writes a self-signed certificate here, not a signing request.
chmod 600 cert.key
chmod 600 cert.pem.csr
cp cert.key /etc/nginx
cp cert.pem.csr /etc/nginx
vim /etc/nginx/conf.d/my_host_ssl.conf
server {
    listen 443 ssl;
    server_name mysite.example.com;
    ssl_certificate /etc/nginx/cert.pem.csr;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    # set the ssl_ciphers to resolve the Chrome message "is encrypted with obsolete cryptography"
    # note: the three *DES-CBC3-SHA entries keep 3DES enabled; !DES only removes single DES, !3DES would drop them
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    location / {
        root /usr/share/nginx/html;
        index index.php index.html index.htm;
    }
}
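The cipher string above mixes suites that give forward secrecy with plain RSA key exchange and three 3DES suites. Here is an added shell helper that takes an nginx ssl_ciphers string apart and flags the suites a defender would want to drop (example code, not from the original note or from nginx/OpenSSL). PAGE_CIPHERS is the exact string from the config above; STRICT_CIPHERS is a constructed tighter list, and the function names are my own. Keywords such as HIGH and the "!" exclusions are skipped because only OpenSSL can expand them.

```shell
#!/bin/sh
# Added example: static audit of an ssl_ciphers string.
# Flags named suites without forward secrecy (no ECDHE/DHE/EDH key exchange)
# and suites built on 3DES.

# the string from the nginx config above
PAGE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

# constructed tighter list: forward secrecy and AEAD suites only
STRICT_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!3DES'

# one explicit suite name per line; drops "!..." exclusions and bare keywords
# such as HIGH (every real suite name contains a "-")
named_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' | grep -- '-' || true
}

# reasons to flag a single suite, empty when it passes both checks
suite_issues() {
    r=""
    case "$1" in
        ECDHE-*|DHE-*|EDH-*) ;;                 # ephemeral DH: forward secrecy
        *) r="$r no-forward-secrecy" ;;          # static RSA key exchange
    esac
    case "$1" in
        *DES-CBC3*|*3DES*) r="$r 3DES" ;;        # 64-bit block cipher
    esac
    printf '%s' "${r# }"
}

# prints "SUITE: reasons" for every flagged suite in the string
audit_ciphers() {
    named_suites "$1" | while IFS= read -r s; do
        issues=$(suite_issues "$s")
        if [ -n "$issues" ]; then
            echo "$s: $issues"
        fi
    done
}

# number of flagged suites on stdout
count_flagged() {
    audit_ciphers "$1" | grep -c . || true
}
```

`audit_ciphers "$PAGE_CIPHERS"` lists nine suites from the config above: the three 3DES suites and the seven plain-RSA ones (AES*-GCM-SHA*, AES*-SHA*, DES-CBC3-SHA); `openssl ciphers -v "$PAGE_CIPHERS"` shows what the HIGH keyword adds on top of the named suites.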
Friday, September 18, 2015
CentOS 7 command mapping
Ref :
http://note.tc.edu.tw/931.html
http://note.tc.edu.tw/932.html
- netstat
ss
ss -lt
ss -t
- route
ip route
- ifconfig
ip addr
ip -s link
- arp
ip neigh
- ifconfig (interface up/down)
ip link set eth1 up
ip link set eth1 down
- traceroute
tracepath 168.95.1.1
- service
systemctl restart firewalld
systemctl -l status mysql
systemctl list-unit-files | grep nginx   # check the default start option, like chkconfig
systemctl enable nginx
- iptables
firewall-cmd --list-services
firewall-cmd --get-zones
firewall-cmd --list-all --permanent
firewall-cmd --add-service=http
firewall-cmd --zone=public --list-all
firewall-cmd --zone=public --add-port=443/tcp
firewall-cmd --zone=public --remove-port=443/tcp
firewall-cmd --zone=public --add-source=192.168.1.0/24
firewall-cmd --zone=public --remove-source=192.168.1.0/24
firewall-cmd --zone=public --list-rich-rules
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port port="8080" protocol="tcp" accept'
(without --permanent these changes apply to the running config only; add --permanent and run firewall-cmd --reload to keep them across restarts)
vim /etc/firewalld/zones/public.xml
Tuesday, September 8, 2015
SSL Certificate in Java
1. Use openssl to test the SSL connection
openssl s_client -connect IP:443
2. Import ca into java keystore
keytool -import -alias TWCAroot -keystore /usr/java/jdk1.6.0_35/jre/lib/security/cacerts -trustcacerts -file root.cer
3. List ca in keystore
keytool -list -v -keystore cacerts
keytool -list -v -keystore cacerts -alias twcaroot
4. Delete ca in keystore
keytool -delete -alias aliasname -keystore /usr/java/jdk1.6.0_35/jre/lib/security/cacerts
5. Test CA
A. Save the SSLPoke.java file
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establishes an SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.out.println("Usage: " + SSLPoke.class.getName() + " <host> <port>");
            System.exit(1);
        }
        try {
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));
            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();
            // Write a test byte to get a reaction :)
            out.write(1);
            while (in.available() > 0) {
                System.out.print(in.read());
            }
            System.out.println("Successfully connected");
        } catch (Exception exception) {
            // a PKIX "unable to find valid certification path" here means the
            // server's issuer is not in the JRE's cacerts keystore
            exception.printStackTrace();
        }
    }
}
B. javac SSLPoke.java
C. java SSLPoke 192.168.1.1 443
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1764)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:958)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:114)
at SSLPoke.main(SSLPoke.java:23)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
... 15 more
D. openssl s_client -connect 192.168.1.1:443
Save the block from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (both marker lines included) as test.cer
E. import the cert
keytool -import -alias TWCAroot -keystore /usr/java/jdk1.6.0_35/jre/lib/security/cacerts -trustcacerts -file test.cer
F. java SSLPoke 192.168.1.1 443
Successfully connected
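Steps D and E copy a certificate out of the s_client output by hand. Here is an added shell helper that does the cut for you and lets you pick which certificate of the chain to keep (example code, not from the original note or from OpenSSL/keytool). The s_client transcript it runs on is constructed inline with placeholder bodies, not real certificates, and the function names are my own. Note that s_client prints only the server certificate unless -showcerts is given, and that importing whatever the server happened to send establishes trust in exactly that material; for a real CA the root should come from the CA itself, as in step 2.

```shell
#!/bin/sh
# Added example: extract the Nth PEM certificate from "openssl s_client -showcerts"
# output (read on stdin) so it can be passed to keytool -import -file.
# Certificates are numbered in print order: 1 = server (leaf) certificate,
# higher numbers = intermediates / root as sent by the server.

extract_pem_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# how many certificates the transcript contains
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# subject of the Nth chain entry (from the " N s:..." line), to eyeball before importing
chain_subject() {
    awk -v want="$1" '
        $1 == want - 1 && $2 ~ /^s:/ {
            line = $0
            sub(/^[ \t]*[0-9]+[ \t]+s:/, "", line)
            print line
            exit
        }
    '
}

# constructed stand-in for "openssl s_client -showcerts" output; the
# certificate bodies are placeholders, not real base64
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Issuing CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=mysite.example.com
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-LINE-1
PLACEHOLDER-LEAF-LINE-2
PLACEHOLDER-LEAF-LINE-3
-----END CERTIFICATE-----
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISSUER-LINE-1
PLACEHOLDER-ISSUER-LINE-2
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mysite.example.com
issuer=/CN=Example Issuing CA
EOF
}
```

Against a live server the pipeline is `openssl s_client -connect host:443 -servername host -showcerts </dev/null | extract_pem_cert 2 > test.cer`, followed by the keytool -import from step E; the `verify error:num=20` line in the transcript is the OpenSSL counterpart of the PKIX exception SSLPoke printed in step C.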