How to Change JKS KeyStore Private Key Password

Use following keytool command to change the key store password

>keytool  -storepasswd  -new [new password ]  -keystore  [path to key store]

As an example, if you are changing password of jvkeystore.jks file.

$ keytool -storepasswd -new newjvkeystore -keystore jvkeystore.jks

Enter keystore password: 

Use following keytool command to change private key password

>keytool -keypasswd  -alias [Alias name for private key]  -keystore [path to key store]

Then it would promote for key store password,  private key password and new private key passwords.

As an example,

$ keytool -keypasswd -alias jvkeystore -keystore jvkeystore.jks 

Enter keystore password: 

Enter key password for <jvkeystore>

New key password for <jvkeystore>: 

Re-enter new key password for <jvkeystore>: 

If you are not know the alias of private key, you can find it by listing the keystore details.    You can look for PrivateKeyEntry

$ keytool -list -keystore jvkeystore.jks 

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 37 entries

jvkeystore.cert, Feb 26, 2010, trustedCertEntry, 

Certificate fingerprint (SHA1): 34:2F:8E:60:4F:95:2C:74:10:0A:62:4B:DC:35:51:91:4C:B1:AE:BD

jvkeystore, May 26, 2014, PrivateKeyEntry, 

Certificate fingerprint (SHA1): 6B:F8:E1:36:EB:36:D4:A5:6E:A0:5C:7A:E4:B9:A4:5B:63:BF:97:5D

Common Java Keytool Keystore Commands

Java Keytool Commands for Creating and Importing keystore files:

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

Generate a Java keystore and key pair

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks  -keysize 2048

Generate a certificate signing request (CSR) for an existing Java keystore

keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

Import a root or intermediate CA certificate to an existing Java keystore

keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

Import a signed primary certificate to an existing Java keystore

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Generate a keystore and self-signed certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Java Keytool Commands for Validation of Keys

If you need to check the information within a certificate, or Java keystore, use these commands.

Check a stand-alone certificate

keytool -printcert -v -file mydomain.crt

Check which certificates are in a Java keystore

keytool -list -v -keystore keystore.jks

Check a particular keystore entry using an alias

keytool -list -v -keystore keystore.jks -alias mydomain

Other Useful Java Keytool Commands

Delete a certificate from a Java Keytool keystore

keytool -delete -alias mydomain -keystore keystore.jks

Change a Java keystore password

keytool -storepasswd -new new_storepass -keystore keystore.jks

Export a certificate from a keystore

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

List Trusted CA Certs

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Import New CA into Trusted Certs

keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Import PFX file into java keystore

keytool.exe -importkeystore -srckeystore winkey.pfx -srcstoretype pkcs12 -destkeystore winserver.keystore -deststoretype JKS

Convert PFX Certificate to JKS, P12, CRT for Java Keystore

 all you need is OpenSSL and Java 7+!

First, let's generate a key from the PFX file; this key is later used for p12 keystore.

openssl pkcs12 -in example.pfx -nocerts -out example.key  

Second command is almost the same, but it is about nokey and a crt this time to export the Certificates:

openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt  

Now, we have a key and and a crt file. The next step is to create a truststore, like so:

​keytool -import -file example.crt -alias exampleCA -keystore truststore.jks

For the question: "Do you trust this certificate?" answer "yes," so it is then added in the truststore.

If you only need a truststore, you can stop here.

The last step is to create a keystore, like so:

openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12

​This p12 keystore is enough in many cases. However, if you still need a JKS keystore, you need one additional command:

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

​

360-FAAR Firewall Analysis Audit And Repair 0.3.7

360-FAAR Firewall Analysis Audit and Repair is an offline command line perl policy manipulation tool to filter, compare to logs, merge, translate and output firewall commands for new policies, in checkpoint dbedit or screenos commands.

Changes: This release fixes many of the bugs in the cisco reader and writer sections. Cisco configs can now be processed written, re-read, processed and written again cyclically. Access lists using proto groups, specifying only protocol details or using 'ip/any' services are now handled. Protocol group-objects are written and used in rules for service groups with many different protocol types specified within them. 'port-objects' are read in service objects, service groups and protocol groups alike. The cisco 'echo' default service has been updated to remove tcp and udp from its listed ports.

Download:-  360-FAAR Firewall Analysis Audit And Repair 0.3.7

IP Phone Scanning Made Easy 0.7

ISME is a small framework to test IP phones from several editors. It can gather information from IP phone infrastructures, test their web servers for default login/password combinations, and also implement attacks against the systems. ISME has been written in perl with a perl/Tk interface to provide a portable and easy to use tool. Full documentation is also provided.

Changes: Added Cisco phone logout mobility feature abuse. Added multiple exploits.

Download:- IP Phone Scanning Made Easy 0.7 

SSLsplit 0.4.5

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing.

Changes: This maintenance release fixes a number of bugs, including daemon mode issues related to threading and a problem in the Linux netfilter support. It adds support for 2048-bit and 4096-bit Diffie-Hellman. 

Download:- SSLsplit 0.4.5

TCHead - TrueCrypt Password Cracking Tool

TCHead is software that decrypts and verifies TrueCrypt headers. TCHead supports all the current hashes, individual ciphers, standard volume headers, hidden volume headers and system drive encrypted headers (preboot authentication).

Brute-force TrueCrypt : However, TrueCrypt passwords go through many iterations and are strengthened. Cracking them takes time. Very strong passwords will not be cracked. Also, in addition to trying multiple passwords an attacker must try each password against each combination of hash and cipher (assuming they do not know what these are beforehand). System encrypted hard drives use only one hash and cipher, so attacking those is faster.

Testing TCHead: Create a TrueCrypt volume using the default hash and cipher (RIPEMD-160 and AES), set the password to "secret", then run TCHead against it like this and it will decrypt the header (provided that the word "secret" is in the word list)

Command : TCHead -f name_of_volume.tc -P words.txt

Decrypt hidden volumes:

Command : TCHead -f name_of_volume.tc -P words.txt --hidden

Multiple passwords (brute-force): Create or download a list of words in a text file (one word per line) using words that you think are likely to decrypt the header, then run TCHead against it like this. If the correct password is found, the header will be decrypted:

Command : TCHead -f name_of_volume.tc -P words.txt

Download TCHead

Spooftooph 0.5.2 - Automated spoofing or cloning Bluetooth device

Spooftooph is designed to automate spoofing or cloning Bluetooth device Name, Class, and Address. Cloning this information effectively allows Bluetooth device to hide in plain site. Bluetooth scanning software will only list one of the devices if more than one device in range shares the same device information when the devices are in Discoverable Mode (specificaly the same Address).

Features

• Clone and log Bluetooth device information
• Generate a random new Bluetooth profile
• Change Bluetooth profile every X seconds
• Specify device information for Bluetooth interface
• Select device to clone from scan log

Usage : To modify the Bluetooth adapter, spooftooth must be run with root privileges. Spooftooph offers five modes of usage:

1) Specify NAME, CLASS and ADDR.
root@thnlab: spooftooph -i hci0 -n new_name -a 00:11:22:33:44:55 -c 0x1c010c

2) Randomly generate NAME, CLASS and ADDR.
root@thnlab: spooftooph -i hci0 -R

3) Scan for devices in range and select device to clone. Optionally dump the device information in a specified log file.
root@thnlab: spooftooph -i hci0 -s -w file.csv

4) Load in device info from log file and specify device info to clone.
root@thnlab: spooftooph -i hci0 -r file.csv

5) Clone a random devices info in range every X seconds.
root@thnlab: spooftooph -i hci0 -t 10

Download Spooftooph 0.5.2

BeEF 0.4.3.8 - Browser Exploitation Framework

The Browser Exploitation Framework (BeEF) is a powerful professional security tool. It is a penetration testing tool that focuses on the web browser. BeEF is pioneering techniques that provide the experienced penetration tester with practical client side attack vectors. 

Unlike other security frameworks, BeEF focuses on leveraging browser vulnerabilities to assess the security posture of a target. This project is developed solely for lawful research and penetration testing.

BeEF hooks one or more web browsers as beachheads for the launching of directed command modules. Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors.

Download BeEF 0.4.3.8

PySQLi - Python SQL injection framework

PySQLi is a python framework designed to exploit complex SQL injection vulnerabilities. It provides dedicated bricks that can be used to build advanced exploits or easily extended/improved to fit the case.

PySQLi is thought to be easily modified and extended through derivated classes and to be able to inject into various ways such as command line, custom network protocols and even in anti-CSRF HTTP forms. 

PySQLi is still in an early stage of development, whereas it has been developed since more than three years. Many features lack but the actual version but this will be improved in the next months/years.

Download PySQLi

TXDNS v 2.2.1 - Aggressive multithreaded DNS digger

TXDNS is a Win32 aggressive multithreaded DNS digger. Capable of placing, on the wire, thousands of DNS queries per minute. TXDNS main goal is to expose a domain namespace trough a number of techniques:

-- Typos: Mised, doouble and transposde keystrokes;

-- TLD/ccSLD rotation;

-- Dictionary attack;

-- Full Brute-force attack: alpha, numeric or alphanumeric charsets.

New features:

• Support AAAA(IPv6)record queries:
  • -rr AAAA;
• Rewrite summarizing statistics using a thread-safe algorithm instead mutex.

Bug fixes:

• Fixed a problem when running under Windows XP;
• Fixed a problem when parsing a IPv6 address.
• November 9th, 2012 by Arley Silveira

Download Here