Backtrack CD and Random Wireless Mac Addresses

By klard | July 15, 2006

So… when I boot the Backtrack CD I often want to connect with a random MAC address, for reasons many will understand. That being the case, I did a little looking around and was able to come up with a Perl script to run when I boot the CD. I have read extensively that the use of system calls is probably not the proper way to accomplish this, but hey, it works.

#!/usr/bin/perl
#
# A quick script that generates a random value that looks surprisingly
# like a MAC address, something like 23:00:C0:FF:EE:00.
# The first three octets are taken from a real vendor code;
# vendor codes are listed in /usr/share/ethereal/manuf.
#
use strict;
use warnings;

# Live-CD housekeeping: configure X and link the Java browser plugin.
system("xconf");
chdir("/root/.mozilla/plugins") or die "chdir failed: $!";
system("ln -s /usr/lib/jre1.5.0_03/plugin/i386/ns7/libjavaplugin_oji.so .");

# Collect the vendor prefixes: the first field of every non-comment line,
# keeping only entries of the form XX:XX:XX (skip masked or odd entries).
my @vendorcode;
open(my $manuf, '<', '/usr/share/ethereal/manuf')
    or die "cannot open manuf file: $!";
while (<$manuf>) {
    push @vendorcode, $1
        if /^([0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2})\s/;
}
close($manuf);
die "no vendor codes found\n" unless @vendorcode;

# Perl seeds its generator itself; a fixed seed such as time() % 345
# would make the "random" address repeat. Pick a vendor prefix and
# three random octets for the device part.
my $mac = sprintf("%s:%02X:%02X:%02X",
    $vendorcode[rand @vendorcode],
    int(rand(256)), int(rand(256)), int(rand(256)));

# Apply it to the wireless card, bring it up, get a lease and start X.
system("ifconfig ath0 hw ether $mac");
system("ifconfig ath0 up");
system("dhcpcd ath0");
system("startx");

This little Perl script actually combines several of the things I have already written about. It adds the Java link as well as changing the MAC address, starting DHCP for the wireless card and starting X. Have fun.

Topics: Backtrack CD | No Comments »

Backtrack CD and KVPN

By klard | July 11, 2006

It might start to look like I am trying to nitpick every little thing that does not work on the CD, but that is not my goal. My goal really is to use the CD for many different things, and hey, when something doesn’t work I think I should point it out. In the case of the KVPN that is on the CD, it doesn’t work when trying to use it to connect to a Cisco VPN: the wizard complains that “the required daemon (vpnc) is not installed”. This turns out to be an easy fix.

That is pretty much it. Once you have done this KVPN works to connect to a Cisco device.

Topics: Backtrack CD | No Comments »

PHP Extensions

By klard | July 5, 2006

I had a problem installing WordPress on another box and I wanted to describe what the problem was, how I diagnosed it and what I did to fix it. The setup: FreeBSD, PHP 5.1.2, Apache. I moved WordPress to the box and set up the config file, but every time I went to do the install I got a blank page. So after a bit of fussing around I checked the httpd-error.log on the box to see if I could understand what the problem was. In the error log I found “Unable to load dynamic library ‘/usr/local/lib/php/xxx/pcre.so’”. I did a pkg_info on the box and noticed that the PHP pcre extension did not show up. I decided to try and reinstall the php-extensions from ports and see if that would fix it, with no joy. I then tried to uninstall PHP 5 as well as the extensions, because I noticed that doing a phpinfo() showed I had PHP 5.1.1 installed and pkg_info showed I had 5.1.4… not good. Well, that did not fix the problem either. So as a last resort I copied the pcre.so file from another box and put it in the right folder. A restart of Apache and now the file loads and WordPress was able to be installed… what a mess. I will post back when I go through the proper steps to actually fix it the right way.

Topics: PHP | No Comments »

Cisco PIX Shun

By klard | July 2, 2006

I learned something very interesting over the last few days about the PIX. Well, actually several important things, but one interesting one. First, it seems you cannot block subnets with shun; the syntax is shun src_ip [dst_ip sport dport [protocol]], which I guess makes sense as the shun list does not survive a reboot. But it sure would be nice to shun an entire block for a few days. Anyway, on to the interesting thing about shun. If you shun a source IP it does not stop that source IP from interacting with the firewall’s outside interface. As a test I shunned my own IP and was not able to reach any of the internal or DMZ hosts; however, I was still able to create an IPsec session with the outside interface, ping and get responses from the outside interface, etc. To me that seems, well, odd.

Topics: Cisco, Security | No Comments »

OSSEC HIDS

By klard | June 29, 2006

I installed OSSEC HIDS recently on a group of servers. There are a handful of BSD boxes and a single Windows 2003 Server box. This set of tools obviously adds a ton of value to the security profile of the network. OSSEC reads through the snort logs and tries to correlate events between the snort logs, system logs, firewall logs etc.: a ton of value to an overworked network admin who is supporting several different networks. However, the agent on the Windows server seems to crash constantly. I really don’t think the agent has run for more than an hour at a time. This creates a serious problem as I either need to uninstall the agent or figure out what the problem is, or some combination.

I have to update this because well one of the developers actually posted here and was very generous with his time and the post deserves to be updated. The problem with the Windows 2003 server was very simple to resolve, the agent could not find the iis log file and crashed. Had I taken the proper time to review the log files I would have noticed this at the outset. It was simply a matter of updating the ossec.conf file and telling it exactly where the log file was located.
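The ossec.conf change the update describes, written out as an added example rather than the author's own configuration. The log path is an assumption for a default IIS 6 install on Windows 2003 (W3SVC1 is the site id, ex%y%m%d.log the daily file IIS writes); the actual location is shown in the site's logging properties.

```xml
<!-- Added example, not from the post: point the OSSEC Windows agent at the
     IIS W3C log so the localfile reader finds a file instead of crashing.
     Path is an assumption: adjust the site id (W3SVC1) and file name
     pattern to match the logging properties of the web site. -->
<ossec_config>
  <localfile>
    <log_format>iis</log_format>
    <!-- strftime patterns let the agent follow the daily log rotation -->
    <location>C:\WINDOWS\system32\LogFiles\W3SVC1\ex%y%m%d.log</location>
  </localfile>
</ossec_config>
```

Multiple ossec_config blocks are allowed in one file, so this can be appended to the agent's existing ossec.conf; restart the agent afterwards and check its ossec.log for the "Analyzing file" line that confirms the path was opened.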

Secondly, I am getting a report that one of the boxes has a kernel rootkit installed… not good. Here I am supposed to be a security professional and I might have a rootkit installed on a FreeBSD box. So off I go to take a look at this. First I try every way I can think of to discover the hidden processes that OSSEC is warning me about; I install lsof and chkrootkit on the box and find nothing, knowing of course that if it is a kernel level rootkit these tools will be practically useless, as the rootkit will hide its processes from these tools as well. I am now running tcpdump on a spanned port with this machine and will try to do a full analysis of the trace from it to see if there is any abnormal traffic coming from the box. In the meantime I will continue to try and determine if there is actually a rootkit on the box or if OSSEC is giving me a heart attack for nothing.
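The hidden-process check behind the OSSEC warning, as an added example that is not the post's or OSSEC's own code. It probes every pid with kill -0, which the kernel answers for any live process, and compares the result with what ps is willing to list; it assumes it is run as root (otherwise EPERM on other users' processes looks like a hidden pid) and that MAX_PID covers the system's pid range (99999 on FreeBSD).

```shell
#!/bin/sh
# Added example (not from the post or from OSSEC): reproduce the kind of
# hidden-process check that makes OSSEC rootcheck report a kernel rootkit.
# Assumptions: run as root, and MAX_PID covers the pid range of the box
# (99999 on FreeBSD; see kern.pid_max or /proc/sys/kernel/pid_max).
MAX_PID=${MAX_PID:-99999}

# Pids the kernel admits exist, one per line. kill -0 sends no signal;
# it only asks whether the target process is there.
probe_pids() {
    pid=1
    while [ "$pid" -le "$MAX_PID" ]; do
        kill -0 "$pid" 2>/dev/null && echo "$pid"
        pid=$((pid + 1))
    done
}

# Pids ps reports, one per line.
listed_pids() {
    ps -axo pid= | tr -d ' '
}

# Pids present in the first (probed) list but absent from the second
# (listed) list. Each probed pid is emitted once and each listed pid
# twice, so after sorting only pids that were probed and never listed
# occur exactly once, which is what uniq -u keeps.
# Both arguments are newline-separated pid lists.
diff_pids() {
    { printf '%s\n' "$1"; printf '%s\n' "$2"; printf '%s\n' "$2"; } \
        | grep -x '[0-9][0-9]*' | sort -n | uniq -u
}

# Report pids the kernel knows about that ps does not show. A process
# that exits between the probe and the ps run shows up as a false
# positive, so repeat the check before treating a pid as hidden.
find_hidden_pids() {
    diff_pids "$(probe_pids)" "$(listed_pids)"
}
```

A pid that keeps appearing across repeated runs is worth tying to the tcpdump trace: the same rootkit that hides it from ps also hides it from lsof, but its traffic is still visible on the span port.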

The point of course is that this tool was supposed to add security and value to my network…and at least for the time being, it has instead added to my workload.

Update: I have been monitoring the box that reports having a rootkit periodically and as far as I can tell the only traffic leaving the box is traffic I would expect to see. I do not see any traffic going to any strange ports like IRC that would indicate a backchannel control of some kind. I think it would behoove me to block outbound traffic from this box except over the ports I expect and also to continue monitoring it for abnormalities.

Topics: Security | 2 Comments »
