Friday, December 17, 2010

How to Register Exchange 2007/2010 Server Roles with Security Configuration Wizard(SCW)

The Security Configuration Wizard(SCW) automates security best practices to reduce the attack surface for a server. The Exchange Server role extensions enable you to use the Security Configuration Wizard(SCW) to create a security policy that is specific to the functionality that is required for each

Microsoft Exchange server role. The extensions are provided with Exchange 2007 and must be registered before you can create a custom security policy.

Step 1. Install an Exchange server role\roles.Install the Security Configuration Wizard(SCW) you will find it in Control Panel-->Add/Remove Programs-->Add/Remove Windows Components-->select Security Configuration Wizard and click next

Note:You must perform the registration procedure on each Exchange 2007 server to which you want to apply an  Security Configuration Wizard security policy.

Step 2.To do this step you must be memeber of Local Administrators on the Exchange Server you want to apply the security policy and Exchange Server Administrator .On a server with the Edge Transport Role installed you need to be member of Local cmd and type:

scwcmd register /kbname:Ex2007KB /kbfile:"C:\Program Files\
Microsoft\Exchange Server\scripts\Exchange2007.xml"

Note:the command above works on Windows Server 2003-based or Windows Server 2003 
R2-based computer that is running the Mailbox, Hub Transport, Unified Messaging, or Client Access server role.

scwcmd register /kbname:Ex2007EdgeKB /kbfile:"C:\Program Files\
Microsoft\Exchange Server\scripts\Exchange2007Edge.xml"
Note:the command above works on Windows Server 2003-based or Windows Server 2003 R2-based computer that is running Edge Transport Server role.

Step 3. To verify that the command has completed successfully  examine the SCWRegistrar_log.xml  file that is located in the C:\Windows\Security\Msscw\Logs folder

Step2 For Windows Server 2008-based computer that is running the Mailbox, Hub Transport, Unified Messaging, or Client Access server role is like this:

scwcmd register /kbname:Ex2007KB /kbfile:C:\Program Files\
 Microsoft\Exchange Server\scripts\Exchange2007_WinSrv2008.xml"

For Windows Server 2008-based computer that is running the Edge Transport server role is like this:

scwcmd register /kbname:Ex2007EdgeKB /kbfile:"C:\Program Files\ 
Microsoft\Exchange Server\scripts\Exchange2007Edge_WinSrv2008.xml"

Note:Step1. and Step3 are the same as for Server 2003-based or Windows Server 2003 R2-based computers

Hope this helped you.Thanks for reading.

Thursday, December 16, 2010

How to enable Active Directory Schema Management Console

Step1. Open Run and type : regsvr32 schmmgmt.dll

Note: If you do not register the schema dll it will not appear in mmc Add/Remove Snap-in
Step2. Open run and type: mmc
Step3. In Management Console go to File-->Add/Remove Snap-in-->select Active Directory Schema and click add then click close then click ok

Step4. File -->Save--> call it schemamgmt or whatever and save it in C:\Windows\System32 folder.(beacause that folder has the Path variable set so you can launch the mmc console without typeing the whole path)

Congratulations now when you open run and type schemamgmt.msc it will launch your Active Directory Schema Management Console.

Hope this helped you.Thanks for reading

Wednesday, December 15, 2010

How to Install first Exchange 2007 Server from the command line

Before you install Exchange Server 2007/2010 verify that you have Windows Server 2003 at least sp1 or Windows Server 2003 R2 with sp1.You have installed MMC 3.0(Microsoft Management Console), .Net Frameworks 2.0 and Windows Power Shell.The SMTP and NNTP services must NOT be installed.
For Mailbox Server Role you need IIS 6.0 installed and COM+Access and World Wide Service components active + the things needed for a tipical install.
For Client Access Server Role you need  IIS 6.0 installed and World Wide Service,RPC over HTTP and Asp.NET 2.0  components active + the things needed for a tipical install.
For Unified Messaging Server Role you need Microsoft Windows Media Encoder,Microsoft Windows Media Audio Voice codec,Microsoft Core XML Services (MSXML 6.0)+ the things needed for a tipical install.
For Hub Transport role you need nothing more.
For Edge Transport you need Active Directory Application Mode (ADAM) installed on a stand alone server which is not part of the domain and is located in a dmz or perimeter network.

1.Open cmd and navigate where your Exchange setup folder is or if you have it on cd navigate from cmd in that folder. type: setup /PrepareAD
3.setup /mode:install /roles:MailBox /OrganizationName exmydomainname
Note:If you want to specify more roles type like this:
setup /mode:install /roles:MailBox,ClientAccess,HubTransport,ManagementTools  /OrganizationName exmydomainname
Note: the prepare AD command must be run in the same site with your domain's Schema Master Server and you must be a member of Enterprise Administrators and Schema Administartors Active Directory groups to run this commands.If there are errors verify your Event Viewer -> Application Log to view them.

Hope this helped you.Thanks for reading.

I quit my job finally I can take no more

I'm so sick of working for people who demand more and pay less!! If you want to give us more tasks then don't cut our salaryes give us moore money dumb ass! It's to much to ask to have a good paid job these days in Romania what the f*$#k ??
I can't live with what you are giving me!Well I guess it's time to move one.
Please if someone knows some good jobs  please tell me.In Romania things aren't going so well so I'm really interested in leaving this country.A  good IT job in Canada,Australia or England would be so cool if I could find... I have 2 college degrees in IT, and I have a Microsoft System Administrator(MCSA)and a MCTS.

Thanks for reading my lament :) It's time to update my CV and go job hunting.

Tuesday, September 21, 2010

Nessus Install the easy way

1. Download nessus from here.
2.If you are a home user you can register for free to get an update code
3.I'm on Linux so i just double clicked the package and it installed  .
4.Activate your account, simply execute the following command :

sudo /opt/nessus/bin/nessus-fetch --register 8BE6-8F7C-8032-5805-D15B(your code here)

5.Add a new administrator user

sudo /opt/nessus/sbin/nessus-adduser (it will ask for a user name and a password )

6.Login from browser - type: https://localhost:8834/

7.If it doesn't work try restarting the nessus service some times it is blocked after installation like this:

sudo service nessusd restart

8.To check for updates manually try this:

sudo /opt/nessus/sbin/nessus-update-plugins 

9.How to configure nessus for advanced options.In there you will find the options and a brief explanation.
sudo /opt/nessus/etc/nessus/nessusd.conf 

jacksum is a better utility for file integrity cheking

If you want to verify file download integrity you must install jacksum. 
Jacksum supports 58 popular standard algorithms (Adler32, BSD sum, Bzip2's CRC-32, POSIX cksum, CRC-8, CRC-16, CRC-24, CRC-32 (FCS-32), CRC-64, ELF-32, eMule/eDonkey, FCS-16, GOST R 34.11-94, HAS-160, HAVAL (3/4/5 passes, 128/160/192/224/256 bits), MD2, MD4, MD5, MPEG-2's CRC-32, RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320, SHA-0, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, Tiger-128, Tiger-160, Tiger, Tiger2, Tiger Tree Hash, Tiger2 Tree Hash, Unix System V sum, sum8, sum16, sum24, sum32, Whirlpool-0, Whirlpool-1, Whirlpool and xor8). 

How to use:

1.sudo aptitude install jacksum
2.jacksum -a md5 Nessus-4.2.2-ubuntu910_i386.deb -this command lists the md5 checksum hash
3. Or for sha1 like this jacksum -a sha1 Nessus-4.2.2-ubuntu910_i386.deb

Tuesday, March 16, 2010

How to configure rsyslog for basic remote logging

 1.How to enable a basic remote logging via  TCP port.
Step 1 (of course you need at least one rsyslog server an one client)
What to do on the server machine to recive rsyslog messages

sudo nano /etc/rsyslog.conf

If the following lines exist uncomment them if not add them:

$ModLoad imtcp
$InputTCPServerRun 10512

Save the file and exit.

Step 2 - restart rsyslog service like this:

sudo service rsyslog restart

Step 3 - the client side
Edit the rsyslog file like this:

sudo nano /etc/rsyslog.conf 

After all the rules in there you add this lines:
*.*   @@
# if you need to forward to other systems as well, just
# add additional config lines:

Save and exit.Restart rsyslog like I showd you in Step 2.

Note that rsylog messages from the client will be writen in the same files as your local log.


How to find if your system is infected with a rootkit

Fo that you must install a program named chkrootkit:

sudo aptitude install chkrootkit

How to use?

sudo chkrootkit

If it finds any rootkits except at firmware or hypervisor level it will let you know.For more info on what is a rootkit read this link.

Wednesday, March 3, 2010

How to verifyi the integrity of critical files on a Linux system

AIDE is the name file integrity verification is the game :)

The Advanced Intrusion Detection Environment (AIDE) is a free replacement for the popular file integrity verification tool known as Tripwire. It creates a database from regular expression rules that it finds in a configuration file. Once this database is initialized, it can be used to verify the integrity of critical system and user files. AIDE uses most of the popular message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) for checking file integrity. Additional algorithms may also be easily added. All of the traditional file system attributes may be checked for inconsistencies as well.

1.How to install AIDE

sudo aptitude install aide (yum install aide.x86_64 on fedora)

2.How to configure AIDE

AIDE has 2 configuration files and one folder:

/etc/default/aide The AIDE general configuration file.
/etc/aide/aide.conf The AIDE rules configuration file.
/etc/aide/aide.conf.d/ Here is specified what files will AIDE scan and with what rules.

or if you are on fedora linux  there is only one file :

/etc/aide.conf The AIDE configuration file.

3.How to use AIDE

First you must check to see if AIDE's database is present

cd /var/lib/aide
ls -ltr

If you see the file aide.db in the output of the ls command or the directory is empty, then proceed to the initialization step. If, instead, you see the file, then you need to rename the file to aide.db using this command:

sudo mv /var/lib/aide/ /var/lib/aide/aide.db

If there is no database you must initialize AIDE like this:

sudo aide.wrapper --init  (or if this doesen't work try aide --init if you are on fedora linux)

Now you are ready to do an initial check on files and folders of your system like this:

sudo aide.wrapper --check (or aide --check if you are on fedora)

If all is well in the directories, and files being monitored, you will see this message when the check completes:

### All files match AIDE database. Looks okay!
If not you will see the files that have changed from last time you ran AIDE.

4.If you modify any aide configuration  file on ubuntu you must run the update-aide-conf  for the configuration changes to take effect:

sudo update-aide-conf

Note : On ubuntu AIDE  is very well configured and is aded as a cron job to be run daily with the update parameter.
It is also wise to copy  /var/lib/aide/aide.db on a  usb stick or on some safe external support and copy it back to your sistem when you want to check for system changes.

Tuesday, March 2, 2010

How to set default password expiry for all new users

There is a file in etc named login.defs where you can specify your options
1.Open the file with your favorite editor:

sudo nano /etc/login.defs

2.Search for the following lines:

PASS_MAX_DAYS   99999  (maximun days before password expires)
PASS_MIN_DAYS   0           (minimum days before the password can be changed)
PASS_MIN_LEN    5            (minimum password lenght)
PASS_WARN_AGE   7          (expiration warning how many days before your password will expire)

Edit them to your likeing and save the file.There are many moore options you can set in this file.For more detail type :

man login.defs

What is passwd and how to use it

 The passwd ulility is a must know utility for manageing users passwords.

passwd [-k] [-l] [-u [-f]] [-d] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [username]

-k The option -k, is used to indicate that the update should only
be for expired authentication tokens (passwords); the user
wishes to keep their non-expired tokens as before.

-l This option is used to lock the specified account and it is
available to root only. The locking is performed by rendering
the encrypted password into an invalid string (by prefixing the
encrypted string with an !).

This option is used to indicate that passwd should read the new password from standard input, which can be a pipe.

-u This is the reverse of the -l option - it will unlock the
account password by removing the ! prefix. This option is avail-
able to root only. By default passwd will refuse to create a
passwordless account (it will not unlock an account that has
only "!" as a password). The force option -f will override this

-d This is a quick way to delete a password for an account. It will set the named account passwordless. Available to root only.

-n This will set the minimum password lifetime, in days, if the
user’s account supports password lifetimes. Available to root

-x This will set the maximum password lifetime, in days, if the
user’s account supports password lifetimes. Available to root

-w This will set the number of days in advance the user will begin
receiving warnings that her password will expire, if the user’s
account supports password lifetimes. Available to root only.

-i This will set the number of days which will pass before an
expired password for this account will be taken to mean that the
account is inactive and should be disabled, if the user’s
account supports password lifetimes. Available to root only.

-S This will output a short information about the status of the
password for a given account. Available to root user only.


1.Change your current password.Open a shell and type:


2. How to lock an accont

passwd -l john

3.How to set the minimum and the maximum time before a password must be change + a warning to the user set to warn him about 7 days before expiration time.

passwd -n 4 -x 120 -w 7

4.How to see a users configuration

passwd -S john 
john PS 2010-02-23 4 120 7 -1 (Password set, SHA512 crypt.)

- you can see if the account has a password(PS), creation date,minimum password age(4),maximum password age(120),warning day (7),time before the account is rendered inactive after the password has expired (-1 means instantly)

Friday, February 26, 2010

How to manage your password information with chage

The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.

chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user


1.How to set the minimum password expiration date and the maximux expiration date for a user named john:

chage -m 3 -M 30 john

2.How to make a user's account inactive 1 day after his password has expired

chage -I 1 john

3.How to create a expiration date for the user and warn him with 3 days before that his account will expire.

chage -E 2010-03-20 -W 3

4. How to list user information

chage -l kate
Last password change : Mar 02, 2010
Password expires : Jun 30, 2010
Password inactive : Jul 01, 2010
Account expires : Jul 02, 2010
Minimum number of days between password change : 4
Maximum number of days between password change : 120
Number of days of warning before password expires : 7

5.How to remove password inactive and account expires settings.

chage -E -1  -I -1 kate

chage -l kate

Last password change : Mar 02, 2010
Password expires : Jun 30, 2010
Password inactive : never
Account expires : never
Minimum number of days between password change : 4
Maximum number of days between password change : 120
Number of days of warning before password expires : 7

Note : Only chage can help you set an account expiration date passwd can't.

Tuesday, February 23, 2010

How to use nmap security scanner

Nmap is a "Network Mapper", used to discover computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network despite the fact that such services aren't advertising themselves with a service discovery protocol. In addition Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even vendor of the remote network card.

Nmap features include:

Host Discovery
- Identifying computers on a network, for example listing the computers which respond to pings, or which have a particular port open
Port Scanning - Enumerating the open ports on one or more target computers
Version Detection - Interrogating listening network services listening on remote computers to determine the application name and version number
OS Detection - Remotely determining the operating system and some hardware characteristics of network devices.

Typical uses of Nmap:

-Auditing the security of a computer, by identifying the network connections which can be made to it
-Identifying open ports on a target computer in preparation for auditing
-Network inventory, Network mapping, maintenance, and asset management
Auditing the security of a network, by identifying unexpected new servers.

Nmap options
 Can pass hostnames, IP addresses, networks, etc.
 Ex:,,; 10.0.0-255.1-254
 -iL : Input from list of hosts/networks
 -iR : Choose random targets
 --exclude : Exclude hosts/networks
 --excludefile : Exclude list from file
 -sL: List Scan - simply list targets to scan
 -sP: Ping Scan - go no further than determining if host is online
 -P0: Treat all hosts as online -- skip host discovery
 -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
 -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
 -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
 --dns-servers : Specify custom DNS servers
 --system-dns: Use OS's DNS resolver
 -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
 -sU: UDP Scan
 -sN/sF/sX: TCP Null, FIN, and Xmas scans
 --scanflags : Customize TCP scan flags
 -sI : Idlescan
 -sO: IP protocol scan
 -b : FTP bounce scan
 -p : Only scan specified ports
 Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
 -F: Fast - Scan only the ports listed in the nmap-services file)
 -r: Scan ports consecutively - don't randomize
 -sV: Probe open ports to determine service/version info
 --version-intensity : Set from 0 (light) to 9 (try all probes)
 --version-light: Limit to most likely probes (intensity 2)
 --version-all: Try every single probe (intensity 9)
 --version-trace: Show detailed version scan activity (for debugging)
 -O: Enable OS detection (try 2nd generation w/fallback to 1st)
 -O2: Only use the new OS detection system (no fallback)
 -O1: Only use the old (1st generation) OS detection system
 --osscan-limit: Limit OS detection to promising targets
 --osscan-guess: Guess OS more aggressively
 Options which take  are in milliseconds, unless you append 's'
 (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
 -T[0-5]: Set timing template (higher is faster)
 --min-hostgroup/max-hostgroup : Parallel host scan group sizes
 --min-parallelism/max-parallelism : Probe parallelization
 --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies
 probe round trip time.
 --max-retries : Caps number of port scan probe retransmissions.
 --host-timeout : Give up on target after this long
 --scan-delay/--max-scan-delay : Adjust delay between probes
 -f; --mtu : fragment packets (optionally w/given MTU)
 -D : Cloak a scan with decoys
 -S : Spoof source address
 -e : Use specified interface
 -g/--source-port : Use given port number
 --data-length : Append random data to sent packets
 --ip-options : Send packets with specified ip options
 --ttl : Set IP time-to-live field
 --spoof-mac : Spoof your MAC address
 --badsum: Send packets with a bogus TCP/UDP checksum
 -oN/-oX/-oS/-oG : Output scan in normal, XML, s|
 and Grepable format, respectively, to the given filename.
 -oA : Output in the three major formats at once
 -v: Increase verbosity level (use twice for more effect)
 -d[level]: Set or increase debugging level (Up to 9 is meaningful)
 --open: Only show open (or possibly open) ports
 --packet-trace: Show all packets sent and received
 --iflist: Print host interfaces and routes (for debugging)
 --log-errors: Log errors/warnings to the normal-format output file
 --append-output: Append to rather than clobber specified output files
 --resume : Resume an aborted scan
 --stylesheet : XSL stylesheet to transform XML output to HTML
 --webxml: Reference stylesheet from Insecure.Org for more portable XML
 --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
 -6: Enable IPv6 scanning
 -A: Enables OS detection and Version detection
 --datadir : Specify custom Nmap data file location
 --send-eth/--send-ip: Send using raw ethernet frames or IP packets
 --privileged: Assume that the user is fully privileged
 --unprivileged: Assume the user lacks raw socket privileges
 -V: Print version number
 -h: Print this help summary page.

How to use NMAP

1.How to scan your network to see which hosts are up:

nmap -sP (it will scan ip-s from to to see which hosts are up)
Starting Nmap 5.00 ( ) at 2010-02-23 19:05 EET
Host is up (0.0010s latency).
MAC Address: 00:25:9C:27:E5:01 (Cisco-Linksys)
Host is up (0.00021s latency).
MAC Address: 00:24:8C:5D:EC:6C (Asustek Computer)
Host is up.
Host is up (0.0013s latency).
MAC Address: 08:00:27:C1:3B:9D (Cadmus Computer Systems)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.88 seconds

2. Now we scan using a SYN scan [-sS] and -A to enable OS fingerprinting and version detection.The results will be saved in a file named nmap.log.

nmap -sS -A -oN nmap.log

Starting Nmap 5.00 ( ) at 2010-02-23 19:12 EET
Interesting ports on
Not shown: 998 closed ports
80/tcp   open  http    Linksys WRT54GL wireless-G router http config
|_ html-title: 401 Unauthorized
|  http-auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = WRT54GL
5431/tcp open  http    Belkin/Linksys wireless router http config (Linux 2.4; UPnP 1.0; BRCM400 1.0)
MAC Address: 00:25:9C:27:E5:01 (Cisco-Linksys)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
Network Distance: 1 hop
Service Info: Devices: WAP, router

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

3.How to scan a host for open ports ,network services,os version,ipid:

nmap -sS -P0 -A -v

Starting Nmap 5.00 ( ) at 2010-02-23 19:38 EET
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 19:38
Scanning [1 port]
Completed ARP Ping Scan at 19:38, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:38
Completed Parallel DNS resolution of 1 host. at 19:38, 0.05s elapsed
Initiating SYN Stealth Scan at 19:38
Scanning [1000 ports]
Discovered open port 22/tcp on
Completed SYN Stealth Scan at 19:38, 1.41s elapsed (1000 total ports)
Initiating Service scan at 19:38
Scanning 1 service on
Completed Service scan at 19:38, 0.05s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against
Retrying OS detection (try #2) against
Retrying OS detection (try #3) against
Retrying OS detection (try #4) against
Retrying OS detection (try #5) against
NSE: Script scanning
NSE: Starting runlevel 1 scan
Initiating NSE at 19:38
Completed NSE at 19:38, 0.24s elapsed
NSE: Script Scanning completed.
Host is up (0.00085s latency).
Interesting ports on
Not shown: 999 closed ports
22/tcp open  ssh     OpenSSH 5.1p1 Debian 6ubuntu2 (protocol 2.0)
|  ssh-hostkey: 1024 51:08:cd:ba:ad:5a:4d:87:20:5b:41:ee:f2:34:80:e5 (DSA)
|_ 2048 a2:7c:9e:22:7e:9c:3f:2e:7d:46:d6:1a:29:f1:c2:c8 (RSA)
MAC Address: 08:00:27:C1:3B:9D (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Uptime guess: 0.004 days (since Tue Feb 23 19:33:04 2010)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=197 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
           Raw packets sent: 1103 (52.340KB) | Rcvd: 1076 (46.596KB)
vices available

Thursday, February 18, 2010

How to manage service in fedora

1.Open a shell and login as root
2.The service command

service --status-all (it shows you the status of the services)
service sshd restart (you can use start,stop,restart,reload)

3.The chkconfig command - run with no parameters it shows all the services and their status in all the runlevels.You can turn on or off a service as well in the desired runlevel.

chckconfig --level 5  sshd on (this option will automaticly start ssh server at boot in the default fedora runlevel)

4.The ntsysv command - it opens a menu where you can set your options.
ntsysv (this will help you set up if a service should start or not at boot in your default runlevel)

Friday, February 12, 2010

How to use GnuPG/GPG to encrypt and sign your files

GNU Privacy Guard (GnuPG or GPG) is a free software alternative to the PGP suite of cryptographic software.GnuPG encrypts messages using asymmetric keypairs individually generated by GnuPG users. The resulting public keys can be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing by corrupting public key ↔ "owner" identity correspondences. It is also possible to add a cryptographic digital signature to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted.

This tutorial is for linux users.
1.Open a shell and type :

gpg --gen-key

This will produce a menu asking you what type of algorithm you want.

   Please select what kind of key you want:

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)

Your selection?

DSA, aka Digital Signature Algorithm, is an algorithm which is used for signing messages, whereas ElGamal useable for encryption as well as signatures. (A good discussion of the encryption options available is located here).The default should be fine, although any key length longer than 2048 will be ignored for the DSA algorithm (ie: your ElGamal key will be 2048 bits, but the DSA one will still be 1024). This is because DSA keys cannot be larger than 1024 bits, although they can be as small as 512 bits (but this would not be useful in a real world setting).

Next, you choose the length of your key.

SA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits

The problem with larger keys is that they will empty the entropy pool quickly during generation. You can get around this by having several people log in and do their work, which seeds the entropy pool on Linux (and other) systems. For this example key, I'll leave it at the default of 2048 bits.
Note: an entropy pool is used by the random number function on most operating systems. It is important to keep it random because keys generated from non-random numbers can be cracked much more easily. Linux (and other systems such as OpenBSD) keep the entropy pool fed by monitoring the input of the random device in a computer system: the human.
Please specify how long the key should be valid.
        0 = key does not expire
       d = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 16 Feb 2011 04:58:53 PM EET
Is this correct? (y/N) y

If you don't think you'll use your key much, but do want to be able to use it at any time, don't set your key to expire. If you are paranoid about security, you might want to set your keys to expire after a period (1 year to 3 years depending on key usage). Remember that you can always manually expire keys at a later time through key revocation.
Regardless of what expiry setting you choose, GnuPG will ask you to confirm it.

Key does not expire at all
Is this correct (y/n)?

Next you enter your user ID for the key.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:

"John Lock "
Real name:
Email address:

If you entered the data as follows:

Real name:       John Lock
Email address:
Comment:       just beleve
You selected this USER-ID:    "John Lock (just beleve) "

Your ID would be: My name (me). GnuPG will then allow you to correct any mistakes, generate the key, or abort.

Next will be your passphrase. It is very, very important that you choose a strong one you can remember. Without this passphrase, anyone who can copy your PGP keys will be able to impersonate you (such as your local sysadmin on a shared system). If your system is cracked, a passphrase on your key ring might be the only thing stopping the cracker from impersonating you. The caveat is that if you forget your passphrase, you will not be able to use your own keys.
After this, GnuPG will generate your keys. You should see a message like this:

We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

You will see some characters scroll by. If GnuPG can't get enough random characters, you'll see a message like this:

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need NN more bytes)

Don't panic! Just run some programs,type some random characters in the shell, etc. If you have installed egd (the entropy gathering daemon [scroll down page for egd info and files]), play some music into the microphone. Once GnuPG is done, you should see this message:

public and secret key created and signed.

Congratulations. You now have a pair of keys. One is private, and one is public. Think of them as a birth certificate, library card, and drivers' licence rolled into one.

2.Generate a revocation certificate

After your key pair is created you should immediately generate a revocation certificate for the primary public key using the option -gen-revoke.If you forget your passphrase or if your private key is compromised or lost,this revocation certificate may be published to notify others that the public key should nolonger be used.A revoked public key can still be used to verify signatures made by you in the past, but it cannot be used to encrypt future messages to you.It also does not affect your ability todecrypt messages sent to you in the past if you still do have access to the private key.

gpg --output revoke.asc --gen-revoke  key_id(you can put the user id and it will work )

gpg --output revoke.asc --gen-revoke 915E0CF3
3.Exchange keys with your friends

To communicate with others you must exchange public keys.To list the keys on your public keyring use the command-line option -list-keys.The number 915E0CF3 in the example below is your public key's id number.

gpg  --list-keys

pub  2048R/915E0CF3  2010-02-16 [expires: 2011-02-16]
uid  John Lock (just beleve)
sub   2048R/597A4582  2010-02-16 [expires: 2011-02-16]

Now to export the key in armored format(is better to be armored if you email the key or if you publish it on the web) :

gpg --output johnlock.asc --armor --export key_id

Now you must give this key(johnlock.asc) which is in your home folder to your friend.If you send it by mail then you should call him/her and tell her the fingerprint.If the fingerprint is ok then the certificate is realy from that person.How to see the fingerprint of a key:

gpg --edit-key john_lock (you can use the id like this or gpg --edit-key  915E0CF3 )
Command> fpr (this will list the keysfingerprint)

4.Importing a friends public key

 Let's presume that your friend gave you his public key named

gpg --import

After checking the fingerprint, you may sign the key to validate it.Since key verification is a weak point in public-key cryptography, you should be extremely careful and always check a key’s fingerprint with the owner before signing the key.

 gpg --edit-key jack_shepard (or key_id)

Command> sign jack_shepard (or_key_id) 

Once signed you can check the key to list the signatures on it and see the signature that you have added.Every user ID on the key will have one or more self-signatures as well as a signature for each user that has validated the key.

Command> check

Then you can set a trust level for your friends key:

Command>trust jack_shepard(or key_id)

After that save and exit.

 Command> save

Note . It is a good practice to sign and trust someone else's public key then to export that persons key and send it back to them.That is how you rase the credibility of your public key by letting other people sign it and send it back to you.

5.Encrypt/Decrypt documents

 a.Encrypt a document
If you want to encrypt a document for someone else use his public key you just imported in the previous exercise.If you want to encrypt a document for yourself use your public key.
Note if you encrypt the document using someone else's public key only that person can decrypt that document.

gpg  --output doc_name.gpg  --encrypt --armor --recipient key_id  doc_name

b.Decrypt a document

gpg --output doc_name --decrypt doc_name.gpg

6.Symmetric encription

If you do not need to send the document to anyone and is your private document you can use symmetric encryption.

gpg  --output doc_name.gpg  --armor --symmetric   doc_name
Enter Passphrase:type_the_password_you_want(it is a new password don't use youre public key password)

To decrypt type:
gpg  --output doc_name  --decrypt   doc_name.gpg
Enter Passphrase:

7.Making and verifying signatures

A digital signature certifies and time stamps a document. If the document is subsequently modified in any way,a verification of the signature will fail.A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper resistant. The GnuPG source distribution,for example,is signed so that users can verify that the source code has not been modified since it was packaged.
Creating and verifying signatures uses the public/private key pair in an operation different from encryption and decryption.A signature is created using the private key of the signer.The signature is verified using the corresponding public key.
How to create a signature file:

gpg --output doc_name.sig --armored  --sign doc_name

The document is compressed before being signed, and the output is in binary format.
Given a signed document, you can either check the signature or check the signature and recover the original document.To check the signature use the -verify option. To verify the signature and extract the document use the -decrypt option.The signed document to verify and recover is input and the recovered document is output.
 To verify signature type:

 gpg  --verify doc_name.sig

To decrypt the document type:

gpg  --output doc_name  --decrypt   doc_name.sig

A common use of digital signatures is to sign usenet postings or email messages. In such situations it is undesirable to compress the document while signing it.The option -clearsign causes the document to be wrapped in anASCII-armored signature but otherwise does not modify the document.

gpg   --clearsign doc_name (this will create a signed document named doc_name.asc)

Detached signatures

A signed document has limited usefulness.Other users must recover the original document from the signed version, and even with clearsigned documents, the signed document must be edited to recover the original. Therefore, there is a third method for signing a document that creates a detached signature, which is a separate file.A detached signature is created using the -detach-sig option.

gpg --output doc_name.sig  --detach-sig doc_name

Both the document and detached signature are needed to verify the signature.The -verify option can be used to check the signature:
gpg  --verify doc_name.sig doc_name

8.Exporting a key from a key server 

 Exporting a key:

gpg --send-keys --keyserver

Importing a key:

gpg --recv-keys --keyserver  

9.Key Management and examples

gpg --edit-key key_id     Present a menu which enables you to do all key related tasks:

sign     Make a signature on key of user name If the key is not yet signed by the default user (or the users given with -u), the program displays the information of the key again   together with its fingerprint and asks whether it should be signed. This question is repeated for all users specified with -u.
lsign     Same as --sign but the signature is marked as non-exportable and will therefore never be used by others. This may be used to make keys valid only in the local environment.
nrsign     Same as --sign but the signature is marked as non-revocable and can therefore never be revoked.
nrlsign     Combines the functionality of nrsign and lsign to make a signature that is both non-revocable and non-exportable.
revsig     Revoke a signature. For every signature which has been generated by one of the secret keys, GnuPG asks whether a revocation certificate should be generated.
trust     Change the owner trust value. This updates the trust-db immediately and no save is required.
enable     Disable or enable an entire key. A disabled key can not normally be used for encryption.
adduid     Create an alternate user id.
addphoto     Create a photographic user id. This will prompt for a JPEG file that will be embedded into the user ID. Note that a very large JPEG will make for a very large key.
deluid     Delete a user id.
delsig      Delete a signature.
revuid       Revoke a user id.
addkey       Add a subkey to this key.
delkey     Remove a subkey.
addrevoker [sensitive]     Add a designated revoker. This takes one optional argument: "sensitive". If a designated revoker is marked as sensitive, it will not be exported by default (see export-options).
revkey     Revoke a subkey.
expire     Change the key expiration time. If a subkey is selected, the expiration time of this subkey will be changed. With no selection, the key expiration of the primary key is changed.
passwd     Change the passphrase of the secret key.
primary     Flag the current user id as the primary one, removes the primary user id flag from all other user ids and sets the timestamp of all affected self-signatures one second ahead. Note that setting a photo user ID as primary makes it primary over other photo user IDs, and setting a regular user ID as primary makes it primary over other regular user IDs.
uid n     Toggle selection of user id with index n. Use 0 to deselect all.
key n     Toggle selection of subkey with index n. Use 0 to deselect all.
check     Check all selected user ids.
showphoto     Display the selected photographic user id.
pref     List preferences from the selected user ID. This shows the actual preferences, without including any implied preferences.
showpref     More verbose preferences listing for the selected user ID. This shows the preferences in effect by including the implied preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed (compression) if they are not already included in the preference list.
setpref string     Set the list of user ID preferences to string, this should be a string similar to the one printed by "pref". Using an empty string will set the default preference string, using "none" will set the preferences to nil. Use "gpg -v --version" to get a list of available algorithms. This command just initializes an internal list and does not change anything unless another command (such as "updpref") which changes the self-signatures is used.
updpref     Change the preferences of all user IDs (or just of the selected ones to the current list of preferences. The timestamp of all affected self-signatures will be advanced by one second. Note that while you can change the preferences on an attribute user ID (aka "photo ID"), GnuPG does not select keys via attribute user IDs so these preferences will not be used by GnuPG.
toggle     Toggle between public and secret key listing.
save     Save all changes to the key rings and quit.
quit     Quit the program without updating the key rings.
    The listing shows you the key with its secondary keys and all user ids. Selected keys or user ids are indicated by an asterisk. The trust value is displayed with the primary key: the first is the assigned owner trust and the second is the calculated trust value. Letters are used for the values:
-     No ownertrust assigned / not yet calculated.
e     Trust calculation has failed; probably due to an expired key.
q     Not enough information for calculation.
n     Never trust this key.
m     Marginally trusted.
f     Fully trusted.
u     Ultimately trusted.

gpg --delete-key  key_id  (deletes a public key you don't need)

For mor information check this out is the online man page:

For windows users there is gpg4win if they want to use gnupg.