I was asked by a friend to give a quick rundown on Mikrotik CAPSMAN configuration, so I dumped the config and added some notes. :)

Packages

I’m currently running v6.38 but was running about v6.2 only a week or so ago - make sure you have the “wireless” package enabled. Older RouterOS versions required the capsman-v2 package, which is now deprecated.

  > /sys package print
  Flags: X - disabled
   #   NAME                   VERSION
   0   routeros-mipsbe          6.38
   1   system    				6.38
   2   ipv6      				6.38
   3   wireless  6.38

If there was an X, enable it (in this example /sys package enable 3) - remember you’ll need to reboot after enabling a package.

A quick command for checking if your Active Directory servers are all listening on LDAP. Guess who had an issue with that today? :)

dig +short domainname.internal | xargs -I{} /usr/sbin/hping3 -p 389 -q -c 1 {} 2>&1 | egrep "(transmitted|hping)"

You’ll need hping3 - it’s installable from apt-get on Debian, can’t comment about any other distributions.

A quick explanation for each part:

• dig +short domainname.internal - pull the IPs of the hosts in the domain entry - they’ll be your domain controllers
• sudo is required because hping uses raw sockets
• xargs runs the next command on each input line
• hping3 -p 389 - connect on TCP to the LDAP port
• 2>&1 - redirect STDERR to STDOUT to make it more easily filtered
• egrep - filter only the required lines

This’ll hit each server once and show an output like:

Santa’s here with presents!

 Today we have a white Wookie with a very sweet bowcaster.

Recently my coworkers have been trying to get office365 working through our various organisation-protecting SSL inspection layers. Everything(ish) worked straight up, but they ran into a problem with activation - due to a very strange certificate on the public-facing activation API service.

The certificates as presented by yaleman.org (Yes, OK, I send the root too, because reasons):

$ echo "GET /\n\n " | openssl s_client -connect yaleman.org:443 -showcerts | egrep "(Certificate chain|s:|i:)"

Certificate chain
0 s:/OU=GT23544099/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control  Validated - RapidSSL(R)/CN=www.yaleman.org
  i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
  i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

Fairly normal, signed cert for the domain with a single CN.

Santa’s sleigh

 Santa’s hover-sleigh, ready to deliver presents to everyone

Today we have a cute puppy and his toys

 An Imperial Shuttle!

A lovely tree to put yesterday’s presents under.