Tag: Powershell

  • Easily get NS, MX, SPF, DMARC and DKIM records. PowerShell to the rescue…

    In the world of IT, we’re constantly striving to enhance an organization’s security posture, resolve email deliverability woes, or simply bring their infrastructure up to par. A common task in this realm is the need to swiftly assess DNS configurations, especially during events like an acquisition where dozens—or even hundreds—of domains need to be scrutinized for their current settings.

    While tools for this purpose undoubtedly exist, the unique challenges of each audit often necessitate a more tailored approach. Recently, during an acquisition involving over 50 domains, I found myself needing a more efficient way to gather critical DNS record information. This led to the development of two PowerShell scripts, designed to automate and simplify this often-tedious process. Full disclosure: These scripts were developed with significant assistance from Gemini, an AI.


    Script 1: Comprehensive DNS Record Retrieval

    This primary script is designed to handle the bulk of your DNS record discovery. It comes pre-loaded with a comprehensive list of common DKIM selectors, which should cover a wide range of scenarios. Should you encounter a less common selector, the script is easily modifiable to incorporate new findings.

    Usage Examples:

    For multiple domains from a file:

    ./Get-DNSRecords.ps1 -File "domains.txt"

    For a single domain:

    ./Get-DNSRecords.ps1 -Domain "curtislamasters.com"

    Detailed documentation and additional usage instructions are embedded directly within the script.


    Script 2: Targeted DKIM Selector Discovery

    Occasionally, you’ll encounter domains using unconventional or obscure DKIM selector names. This secondary script is specifically designed to help identify these “needle in a haystack” selectors that might be missed by a more general scan.

    Usage Examples (identical to the first script for consistency):

    For multiple domains from a file:

    ./Get-DNSSelector.ps1 -File "domains.txt"

    For a single domain:

    ./Get-DNSSelector.ps1 -Domain "curtislamasters.com"

    Similar to the first script, comprehensive documentation is included within the script itself.


    A Practical Workflow

    My current workflow involves running Get-DNSRecords.ps1 first. If a DKIM selector isn’t found, I then use Get-DNSSelector.ps1 to identify the elusive selector. Once found, I integrate that new selector into the Get-DNSRecords.ps1 script for future, more comprehensive scans. This iterative process has proven effective across hundreds of domain checks.

    Technical Note: These scripts have been tested on PowerShell 7.5 running on both Windows 10 and Windows 11 with consistent results.


    Future Enhancements

    Looking ahead, I plan to explore transforming these scripts into a web application, making DNS record auditing even more accessible and user-friendly.

    I welcome any feedback or suggestions on these scripts and the workflow. Your insights help refine and improve these tools for the benefit of the community.
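As an added example (not the author's Get-DNSRecords.ps1), a single PowerShell function that gathers the same five record types with the built-in Resolve-DnsName cmdlet and accepts either a list of domains or one domain; the function name, its parameters and the DKIM selector list are assumptions.

```powershell
function Get-MailDnsSummary {
    # Assumed names: this function and its parameters are not the post's script.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        # Constructed starting list of common selectors; extend it as the post suggests.
        [string[]] $DkimSelector = @('selector1','selector2','google','default','dkim','k1','s1','s2','mail')
    )
    # Query one name/type and keep only records of that type (drops CNAME hops from the answer).
    $q = { param($Name, $Type)
        Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq $Type } }
    foreach ($d in $Domain) {
        $d = $d.Trim().TrimEnd('.')
        if (-not $d -or $d.StartsWith('#')) { continue }   # skip blank/comment lines from domains.txt
        $ns = (& $q $d 'NS') | ForEach-Object NameHost
        $mx = (& $q $d 'MX') | Sort-Object Preference |
                  ForEach-Object { "$($_.Preference) $($_.NameExchange)" }
        # SPF lives in the apex TXT set; DMARC under _dmarc.<domain>. Multi-string TXT RRs are joined.
        $txt   = (& $q $d 'TXT') | ForEach-Object { $_.Strings -join '' }
        $spf   = @($txt | Where-Object { $_ -like 'v=spf1*' })
        $dmarc = @((& $q "_dmarc.$d" 'TXT') | ForEach-Object { $_.Strings -join '' } |
                   Where-Object { $_ -like 'v=DMARC1*' })
        # DKIM: probe each selector; a published key record carries a 'p=' tag.
        $dkim = foreach ($s in $DkimSelector) {
            $rec = (& $q "$s._domainkey.$d" 'TXT') | ForEach-Object { $_.Strings -join '' } |
                       Where-Object { $_ -match '(^|;)\s*p=' } | Select-Object -First 1
            if ($rec) { $s }
        }
        [pscustomobject]@{
            Domain   = $d
            NS       = $ns -join '; '
            MX       = $mx -join '; '
            SPF      = $spf -join ' | '
            SPFCount = $spf.Count     # more than one SPF record is a permerror; 0 means none published
            DMARC    = $dmarc -join ' | '
            DKIM     = @($dkim) -join ', '
        }
    }
}

# Usage, mirroring the post's two modes (a file of domains, or a single domain):
# Get-MailDnsSummary -Domain (Get-Content .\domains.txt) | Export-Csv .\dns-audit.csv -NoTypeInformation
# Get-MailDnsSummary -Domain 'example.com' | Format-List
```

An empty DKIM column is the cue to move on to the selector-discovery script, and SPFCount above 1 is worth flagging on its own since receivers treat duplicate SPF records as a permanent error.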

  • Wildcard Self Signed Certificate for your Homelab or other internal projects…

    I’ve been on a homelab kick as of late and get annoyed by the constant barrage of browsers warning me that the site I’m going to isn’t safe. There are a few ways to skin this potato, but I’m going to go with a self-signed wildcard certificate signed by a self-signed certificate authority. I’ll apply the cert to the servers/services or to my Nginx Proxy Manager to handle the certificate side of things and add the CA to the Trusted Root Certificate Authorities store on my computer(s).

    I’m running all of these commands on a stock Alpine Linux VM with curl and bash installed; however, you’ll be able to do this on most Linux distros. Windows 10 information is below as well.

    NOTE: This creates a certificate for homelab.local and *.homelab.local. Feel free to change to a domain that reflects your own setup/needs.

    Create the CA Certificate

    First, the key to sign the CA with:

    openssl genrsa -des3 -out homelabCA.key 4096

    When issuing this command, you’ll need to enter a pass phrase. I used Bitwarden to generate a 32 character one, but you can do as you wish.

    Create a CA Certificate with the newly created CA Key.

    openssl req -new -x509 -days 3650 -key homelabCA.key -out homelabCA.crt

    You’ll be asked some questions here. Enter them as you wish, or hit enter all the way through. Your choice.

    Now you have a self-signed CA key and certificate.

    Self Signed Wildcard Certificate

    From here we need to create a wildcard key for our homelab domain (homelab.local).

    openssl genrsa -out wildcard.key 2048

    For the next step you need to create a config file for the CSR process. I created mine and saved it as wildcard.cnf and it looks like this:

    [req]
    default_md = sha256
    prompt = no
    req_extensions = req_ext
    distinguished_name = req_distinguished_name

    [req_distinguished_name]
    commonName = *.homelab.local
    countryName = US
    stateOrProvinceName = IA
    localityName = SmallTown
    organizationName = HomeLab

    [req_ext]
    keyUsage=critical,digitalSignature,keyEncipherment
    extendedKeyUsage=critical,serverAuth,clientAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1=homelab.local
    DNS.2=*.homelab.local

    Now create the CSR from the template and the previously created key with:

    openssl req -new -nodes -key wildcard.key -config wildcard.cnf -out wildcard.csr

    Sign the Wildcard Certificate with the SelfSignedCA

    Sign the wildcard certificate with the SelfSignedCA certificate and key.

    openssl x509 -req -in wildcard.csr -CA homelabCA.crt -CAkey homelabCA.key -CAcreateserial -out wildcard.crt -days 1024 -sha256 -extfile wildcard.cnf -extensions req_ext

    You should have a good number of files now as shown below:

    root@web1:/root/ssl# ls
    wildcard.cnf  homelabCA.crt  homelabCA.key  homelabCA.srl  wildcard.crt  wildcard.csr  wildcard.key

    Make the SelfSignedCA Trusted by your browsers/computers

    Import homelabCA.crt and homelabCA.key into your Trusted Root Certificate Authorities repository and use wildcard.crt and wildcard.key for your servers/services and/or proxy.

    As long as you have your DNS up to snuff, you should be able to navigate to your apps with https://appname.homelab.local and not be annoyed with yet another warning.

    tl;dr: here’s a lazy script to do this for you. You just need to enter your pass phrase and answer the usual certificate questions, then move the certificates/keys to their respective places (proxy, app/service, Trusted Root CA, etc.).

    #!/bin/bash
    # CA key (pass phrase prompted) and self-signed CA certificate, valid 10 years
    openssl genrsa -des3 -out homelabCA.key 4096
    openssl req -new -x509 -days 3650 -key homelabCA.key -out homelabCA.crt
    # Wildcard key and the CSR config (same content as wildcard.cnf above)
    openssl genrsa -out wildcard.key 2048
    touch wildcard.cnf
    echo -n "[req]
    default_md = sha256
    prompt = no
    req_extensions = req_ext
    distinguished_name = req_distinguished_name

    [req_distinguished_name]
    commonName = *.homelab.local
    countryName = US
    stateOrProvinceName = IA
    localityName = SmallTown
    organizationName = HomeLab

    [req_ext]
    keyUsage=critical,digitalSignature,keyEncipherment
    extendedKeyUsage=critical,serverAuth,clientAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1=homelab.local
    DNS.2=*.homelab.local" >> wildcard.cnf
    # CSR, a printout of it to eyeball the SANs, then sign with the CA (extensions copied from req_ext)
    openssl req -new -nodes -key wildcard.key -config wildcard.cnf -out wildcard.csr
    openssl req -noout -text -in wildcard.csr
    openssl x509 -req -in wildcard.csr -CA homelabCA.crt -CAkey homelabCA.key -CAcreateserial -out wildcard.crt -days 1024 -sha256 -extfile wildcard.cnf -extensions req_ext

    Windows 10 via Powershell

    I won’t write up the whole thing, as it’s largely the same; however, I did have to install OpenSSL via the winget cmdlet and set the PATH before it worked. Here’s the script (save as a .ps1):

    # Install OpenSSL and put its bin directory on PATH for this session
    winget install ShiningLight.OpenSSL.Light
    $env:PATH += ";C:\Program Files\OpenSSL-Win64\bin"
    # CA key and self-signed CA certificate
    openssl genrsa -des3 -out homelabCA.key 4096
    openssl req -new -x509 -days 3650 -key homelabCA.key -out homelabCA.crt
    # Wildcard key and CSR config (same content as wildcard.cnf above)
    openssl genrsa -out wildcard.key 2048
    New-Item -Path "wildcard.cnf" -ItemType File -Value "[req]
    default_md = sha256
    prompt = no
    req_extensions = req_ext
    distinguished_name = req_distinguished_name

    [req_distinguished_name]
    commonName = *.homelab.local
    countryName = US
    stateOrProvinceName = IA
    localityName = SmallTown
    organizationName = HomeLab

    [req_ext]
    keyUsage=critical,digitalSignature,keyEncipherment
    extendedKeyUsage=critical,serverAuth,clientAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1=homelab.local
    DNS.2=*.homelab.local"
    # CSR, a printout of it, then sign with the CA
    openssl req -new -nodes -key wildcard.key -config wildcard.cnf -out wildcard.csr
    openssl req -noout -text -in wildcard.csr
    openssl x509 -req -in wildcard.csr -CA homelabCA.crt -CAkey homelabCA.key -CAcreateserial -out wildcard.crt -days 1024 -sha256 -extfile wildcard.cnf -extensions req_ext
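As an added example (not the author's script), a PowerShell 7 check to run on Windows after the steps above: it confirms wildcard.crt actually chains to homelabCA.crt and carries both SANs from wildcard.cnf, and only then imports the CA certificate (the public .crt alone; homelabCA.key stays on the signing machine) into the machine's Trusted Root store. The function name, parameters and file paths are assumptions, and the Import-Certificate step needs an elevated session.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Test-HomelabChain {
    # Assumed function and parameter names; paths point at the files the post's script produces.
    param(
        [string]   $CaPath      = '.\homelabCA.crt',
        [string]   $LeafPath    = '.\wildcard.crt',
        [string[]] $ExpectedSan = @('homelab.local', '*.homelab.local')
    )
    $ca   = [X509Certificate2]::new((Resolve-Path $CaPath).Path)
    $leaf = [X509Certificate2]::new((Resolve-Path $LeafPath).Path)

    # Build the chain offline against our CA only; a private CA publishes no CRL/OCSP.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    # The CA is not in the Root store yet, so tolerate that one status and verify the root ourselves.
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $built  = $chain.Build($leaf)
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootOk = $built -and ($root.Thumbprint -eq $ca.Thumbprint)

    # Read the SAN extension (OID 2.5.29.17) and compare with what wildcard.cnf asked for.
    $sanExt  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $missing = @($ExpectedSan | Where-Object { $sanText -notlike "*$_*" })

    [pscustomobject]@{
        ChainsToOurCA = $rootOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object Status) -join ','
        Subject       = $leaf.Subject
        NotAfter      = $leaf.NotAfter
        SANs          = $sanText
        MissingSANs   = $missing -join ','
    }
}

# Trust the CA only if the checks pass. Just the certificate is imported, never the key.
$r = Test-HomelabChain
if ($r.ChainsToOurCA -and -not $r.MissingSANs) {
    Import-Certificate -FilePath .\homelabCA.crt -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "CA trusted; wildcard cert valid until $($r.NotAfter)"
} else {
    $r | Format-List
}
```

If MissingSANs is non-empty, the signing step most likely ran without `-extfile wildcard.cnf -extensions req_ext`, which is the usual reason browsers still warn even after the CA is trusted.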