toastresearch.com

quick post: emailing from the command line

joshua.smith — Wed, 14 Mar 2012 11:23:07 +0000

twice in the last week i have needed to send a quick email from the command line. here’s how:

telnet 1.2.3.4 25

HELO domain.name
MAIL FROM: test@domain.name
RCPT TO: recepient@domain.name
DATA
Subject:subject line here

this is the
body of your
email.
.
QUIT

note: there has to be a blank line under the subject line.

source: http://www.yuki-onna.co.uk/email/smtp.html

mounting a windows share in linux from the command line

joshua.smith — Sun, 04 Mar 2012 02:53:39 +0000

i needed to mount a windows share from my ubuntu box the other day, and while this is quick and easy from the gui, i wanted to do it from the command line (just in case).

to mount a windows share from the command line (this is on ubuntu 10.04), you can running the following command:

sudo mount -t cifs //1.2.3.4/c$ /media/smb_mount/ -o username=domain/user,iocharset=utf8,file_mode=0777,dir_mode=0777

obviously your mount point of /media/smb_mount would have to exist.

extreme makeover: network edition

joshua.smith — Tue, 21 Feb 2012 07:30:01 +0000

recently i spoke at a conference about a network upgrade i did at a previous job.

the upgrade was a very difficult, but rewarding process, and has become one of my favorite topics to speak about.

topics i covered included the basics/easy stuff:

anti-virus
content filtering
password policies
firewalls

all the way to the not so common or more complex:

egress firewall rules
patching (system & OS)
running with user rights
software restriction policies/GPO’s

here is the prezi from the talk:

extreme makeover: network edition 01 on prezi

vlan abuse

joshua.smith — Mon, 13 Feb 2012 12:10:45 +0000

this is a quick post about vlan ~~hacking~~ abuse.

specifically, this post will cover how to abuse cisco switches and the DTP (dynamic trunking protocol).

why is this important? typically, most environments segment out servers, workstations, management, etc, into different vlans. if they (mis)configure the switch, you could potentially jump onto the management subnet (where things are usually much less protected) from a user subnet.

in a nutshell, we are taking advantage of a misconfigured switch, not really doing any “hacking”.

here is part of the cisco config i am working off of (the switch stack i was working with was two 3750x’s):

interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
!
interface GigabitEthernet1/0/4
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 100
switchport mode access
switchport voice vlan 200
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200,300,400
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport trunk allowed vlan 100
switchport mode trunk
!
interface GigabitEthernet1/0/8
description management subnet
switchport access vlan 400
switchport mode access

looking at the above config, there are issues with the way interfaces 1, 2, 3, and possibly 6 are configured.

ports 1, 2, and 3 are in a auto negotiate state, which is great as an attacker. i get to call the shots. in this example, the admin got lazy on port 6 and just gave that port access to every vlan. there are situations where a port might need access to every vlan, so you can’t say this is “wrong”. likewise, port 7 accomplishes what you want (restricting access to vlan 100 only), but best practice says this should be done in access mode, not trunk.

to abuse DTP, i used a tool that is built in to backtrack 5 called yersinia. its a tool that has a modular architecture and is designed to be flexible enough to add other protocols along the line. by default, it gives you the ability to view/edit/attack things like CDP, VTP, STP, DTP, etc.

heres how the attack works:

plug your backtrack box into a port, start up yersinia (in GTK mode), and wait (no need to get an IP yet). notice in the screen shot below i see some DTP traffic and the status is ACCESS/AUTO. this means we can dictate what mode the switch should be in.
start the attack by clicking “Launch attack”, go to the DTP tab, select the “enabling trunking” radio button and hitting “OK”.
if the attack is successful, you should see the port status in DTP go from ACCESS/AUTO to TRUNK/AUTO.
now, flip over to the 802.1Q tab and wait. you should see all available vlan’s show up in the vlan column, and ARP should cough up some IP’s that we can explore. in this case, you can see there is some traffic on VLAN 400 with IP’s of 10.4.1.x. thats what i will target next.
now that we have a target, i need to get on that VLAN and give myself an IP address. to do that in backtrack, i need to load the 802.1q module, set an interface to VLAN 400, bring up the interface, and give the new interface an IP address.

here are those commands:
```
modprobe 8021q
vconfig add eth1 400
ip link set eth1.400 up
ifconfig eth1.400 10.4.1.3 netmask 255.255.255.0 up
```
now to test

in summary, because of a misconfigured vlan, i was able to change my port from access mode (restrictive) to trunk mode (potentially less restrictive) using DTP, enumerate other vlan’s with PVST, identify IP’s with ARP, and jump over to the management vlan with a valid IP.

the fix is quite simple. use access mode wherever possible, and if you are going to enable trunk mode be sure to restrict what vlan’s are visible/allowed.

reference/note: this post is very similar to http://synjunkie.blogspot.com/2009/10/abusing-vlans-with-backtrack.html. differences i found were that:

yersinia hangs in curses mode if you are running backtrack 5 in a vm. i had to use the GUI.
the syntax for bringing up a vlan interface in backtrack 5 was different than backtrack 4, which synjunkie was using

truncating/shrinking microsoft sql logs

joshua.smith — Thu, 09 Feb 2012 03:37:18 +0000

every once in a while i run into an issue where i have some log file on a microsoft sql server that has not been properly configured and is taking up a hundred gigs.

and inevitably, i end up spending the next 20 minutes to find a proper example of how to truncate the logs. so, instead of searching again, i am posting it on my site ;)

WARNING: don’t do this unless you have backups or you really, really don’t want to roll your database back. your deleting transaction logs, so while it won’t hurt your working database, it will prevent you from rolling back to yesterday. ye be warned.

in this case, i am running these commands on a microsoft sql server 2005 install, but i would presume it to work on sql 2008 or 2012, although i haven’t tested it.

here is the code:

-- specify database and show database & log statistics
USE dbname
EXEC sp_helpfile
 
-- truncate the log
USE dbname
GO
BACKUP LOG dbname WITH TRUNCATE_ONLY
GO
DBCC SHRINKFILE (dbname_log, 1)
GO
DBCC SHRINKFILE (dbname_log, 1)
GO
 
--show statistics after truncating
EXEC sp_helpfile

reference/disclaimer: this code is from http://www.sqlcleanup.com/2008/sql-2005-truncating-log-files-and-recovering-space/ and is not my work, i just can’t always find it in a pinch.

netoptics: a review

joshua.smith — Fri, 14 Oct 2011 02:32:39 +0000

recently i was asked to implement a solution to mirror a massive amount of traffic (2-8Gbps of sustained traffic) to several different locations for further analysis.

after comparing gigamon, netoptics, and network critical, i opted for netoptics to fill the roll (because of time i could not do a proof of concept, so the evaluation through reading specs, talking to a few techs, and some googling).

i have spent time over the last few weeks configuring the netoptics and thought it would be worth sharing my experience for someone else’s benefit.

the things i like about the netoptics box (this is a netoptics director extreme):

the ports: the director extreme is loaded with 24 unpopulated SFP+ ports. you can mix and match speeds, types, and roles for every port. you want several ten gig fiber ports aggregated and shipped to a single ten gig monitor interface? no problem. three gig copper connections filtered for a subnet and sent to a gig fiber connection? absolutely. the quantity and flexibility of the ports are great.
flexibility: there are a lot of options on how you want to carve/shape/move your traffic (by VLAN/ports/etc). its pretty good, with one glaring issue (see my issues with the rules below).
the roadmap: netoptics already is positioning themselves for virtual monitoring, which shows me they have a plan for the future and are thinking ahead, which i can appreciate.
the support group: i have talked with several techs that have been very helpful (eric in particular has been a great resource). always good to be able to get a knowledgable person on the phone quickly to help troubleshoot any issues you have with their product.

i really only have two issues with the director extreme, and that is the rule set and how you manage the rules. here is what i mean:

want to create a rule to monitor a whole subnet? no problem? want to create a rule to monitor a single IP? little different story. for each IP you want to monitor (assuming you want to see all traffic, both egress and ingress), you have to create *two* rules. doesn’t sound so bad until you have to do it for hundres of IP’s. in my case, i wanted to monitor hundreds of IP’s scattered throughout multiple subnets. here are the rules it takes to monitor a single IP:

filter add in_ports=1-2,12 ip_src=10.1.1.1 action=redir redir_ports=20 filter add in_ports=1-2,12 ip_dst=10.1.1.1 action=redir redir_ports=20

again, not so bad for a few hosts, but painful for hundreds of machines. also, did i forget to mention the cap on the amount or rules/hosts you can monitor? i have seen it prevent me from adding rules, then let me add them, so i am not exactly sure what the cap is, but i have hit it (randomly). instead of having multiple rules, i would expect netoptics to have a rule that would let me look at a hosts traffic (ingress or egress) with one rule, like so:

filter add in_ports=1-2,12 ip_host=10.1.1.1 action=redir redir_ports=20
and now, my real issue with netoptics: rule management is a nightmare. let me explain. i like the command line (all our management of the director extreme is done over SSH, which is fine), so when i found out there was no webGUI i didn’t really sweat it. unfortunately, adding and removing rules is a very tedious, painfully slow process. to remove a rule, you have to remove *one rule at a time*, and it has to be by rule number. so in my case, where i wanted to remove a block of 50 rules (for 25 host’s), that meant i had to delete rule number 1 fifty times. because of how netoptics stores the rules (it reminds me a the stack in computer memory management), when you remove rule 1, rule 2 becomes rule 1 and rule 3 becomes rule 2, etc. this is painful.

you should be able to remove multiple rules at once

i thought i found away around this by deleting all rules, modifying my rule base in notepad++, then recreating all rules. and it would work too, if i could paste more than 50-100 rules in at a time. i tried on both my windows host with putty and my linux host to add hundreds of rules at once and never could get it to work. worse yet is that it didn’t just fail adding rule 50 every time, sometimes some rules in the hundreds would get added, other times ones in the teens would get added, i could never decipher a rhyme or reason to how or why rules were or were not added. i literally ended up hitting the paste button dozens of times to finally get all the rules in the ruleset. its quite a infuriating process when you feel like its going to be a simple change.

here would be my plea/suggestion for netoptics: do a better job managing rules.

give me a rule where i don’t have to specify both a source and destination rule just to get all traffic from one host
help me keep my sanity by making adding, modifying, removing a no brainer. there is no reason in the world why getting the correct rules in place should be a challenging process. i don’t care if its with a webGUI (although most users are going to prefer this) or through the command line, but make rule management easy, it will pay dividends later, i promise.

parting notes:

even with the frustration i have had with the netoptics box, when it works, it works well. its incredibly powerful and i feel like its very capable, it just seems like it is being limited by some poorly designed/implemented code. i don’t know if i would run into the same issues with gigamon or network critical so i can’t recommend them, but i can say i would hesitate to recommend netoptics in a case like mine (lots of IP’s and lots of different rules) until they get there rule management tightened up.

i am hoping that instead of just sounding like a bashing session, this is viewed as constructive criticism by netoptics and i can update this post in the future with how they have made changes to make things better, but we will see.

passwords: you can’t do it right

joshua.smith — Tue, 27 Sep 2011 18:20:32 +0000

i was recently asked to do a presentation for a local conference. i like coming up with new things to research and investigate and decided to pursue passwords (and how bad they are). below is my presentation and code for the talk:

title: passwords: you can’t do it right
description: some say you’re doing it wrong. i argue you can’t do it right (but some do it better than others). see how ineffective passwords are at protecting your accounts and ways of decreasing the chance of anyone using your passwords to achieve total domination.

passwords: you can’t do it right 0×03 on prezi

#!/usr/bin/python
#
# password_stats_03.py
 
import re
import sys
 
if (len(sys.argv) != 2):
	print """
	password stats 0.03
	usage: password_stats_03.py
	"""
	exit()
 
# assign arguments to variable
file_passwords_all = sys.argv[1] 
 
# create empty vars
passwords_all = 0
passwords_unique = 0
password_numeric = 0
password_alpha_lower = 0
password_alpha_upper = 0
password_alpha_mixed = 0
password_alpha_lower_numeric = 0
password_alpha_upper_numeric = 0
password_alpha_mixed_numeric = 0
password_everything_else = 0
 
# create empty list(s)
list_password_length = []
 
# create empty dictionary(s)
dict_password_count = {}
 
# save all passwords to a list
file_passwords_all = open(file_passwords_all, 'r')
list_passwords_all = []
 
for line in file_passwords_all:
	list_passwords_all.append(line)
	passwords_all += 1
	password_length = len(line)
	list_password_length.append(password_length)
	if re.search("^[0-9]+$", line):
		password_numeric += 1
	elif re.search("^[a-z]+$", line):
		password_alpha_lower += 1
	elif re.search("^[A-Z]+$", line):
		password_alpha_upper += 1
	elif re.search("^[a-zA-Z]+$", line):
		password_alpha_mixed += 1
	elif re.search("^[a-z0-9]+$", line):
		password_alpha_lower_numeric += 1
	elif re.search("^[A-Z0-9]+$", line):
		password_alpha_upper_numeric += 1
	elif re.search("^[a-zA-Z0-9]+$", line):
		password_alpha_mixed_numeric += 1
	else:
		password_everything_else += 1
 
file_passwords_all.close()
 
# save unique passwords to a list
list_passwords_unique = set(list_passwords_all)
 
# put unique passwords and the number of times seen in a dictionary
for item in list_passwords_unique:
	dict_password_count[item] = list_passwords_all.count(item)
	passwords_unique += 1
 
# calculate how many unique passwords there are
passwords_unique_percent = (float(passwords_unique)/float(passwords_all)) * 100
 
# display total and unique passwords
print
print 'all passwords\t\t= ' + str(passwords_all)
print 'unique passwords\t= ' + str(passwords_unique) + "\t\t%% %.02f" % passwords_unique_percent
print
 
# print out password lengths and number of times seen
print 'password length(s): '
for number in range(31):
	password_item = number + 1
	password_length_total = list_password_length.count(password_item)
	length_percentage = (float(password_length_total)/float(passwords_all)) * 100
	print str(number) + " char\t =>\t " + str(password_length_total) + "\t\t%% %.02f" % length_percentage
 
# print out complexity of the passwords and number of times seen with percentages
dict_password_complexity_options = {password_numeric: 'all numeric          ', password_alpha_lower: 'all alpha lower', password_alpha_upper: 'all alpha upper', password_alpha_mixed: 'all alpha mixed', password_alpha_lower_numeric: 'alpha lower & numeric', password_alpha_upper_numeric: 'alpha upper & numeric', password_alpha_mixed_numeric: 'alpha mixed & numeric', password_everything_else: 'everything else'}
 
print
print "password complexity: "
for item, description in dict_password_complexity_options.iteritems():
	print "%s \t\t " % description + str(item) + "\t%% %.02f" % ((float(item)/float(passwords_all)) * 100)
sum = password_numeric + password_alpha_lower + password_alpha_upper + password_alpha_mixed + password_alpha_lower_numeric + password_alpha_upper_numeric + password_alpha_mixed_numeric + password_everything_else
print "sum\t\t\t\t " + str(sum)
print
 
# print out the ten most common passwords with number of times seen
print "most common passwords:"
counter = 9
for key,value in sorted(dict_password_count.iteritems(), key=lambda item: -item[1]):
        if counter &gt; 0:
		if len(key) &lt; 6:
			print "password: " + str(key).strip() + "\t\t\tcount: " + str(value).strip()
		else:
			print "password: " + str(key).strip() + "\t\tcount: " + str(value).strip()
            	counter-=1

learning to code (on the cheap)

joshua.smith — Sun, 18 Sep 2011 19:40:40 +0000

in the time that i have been in IT (almost 6 years) i have become very proficient at hacking together code to do what i need. from vb scripts to do simple network administration to customizing some python to send over an exploit, i have found a way to make it work.

what i miss and don’t know is how to do is code correctly. in my search for learning how to code proper i ran across some great courses from stanford university and thought i would share.

i was looking for entry level classes that started at square one and these classes fit the bill perfectly. whats even better is that not only the video, but the homework assignments, handouts, and files are all available free of charge.

so far i have watched almost 4 of the classes and can say i have already learned some things, looking forward to the next 70+ classes ;)

here are the classes with links:

title	url	language	itunes link
cs106a - programming methodology	http://www.stanford.edu/class/cs106a/	java	http://itunes.apple.com/us/itunes-u/programming-methodology/id384232896
cs106b - programming abstractions	http://www.stanford.edu/class/cs106b/	c++	http://itunes.apple.com/us/itunes-u/programming-abstractions/id384232917
cs107 - programming paradigms	http://www.stanford.edu/class/cs107/	c++	http://itunes.apple.com/us/itunes-u/programming-paradigms/id384233005

note: for the record, i am not really a fan of itunes (and you can get these classes on youtube as well), but being able to download all the classes to my hard drive with a single mouse click was compelling enough for me to do it through itunes.

networkminer on backtrack 5 r1

joshua.smith — Sun, 11 Sep 2011 19:46:55 +0000

i have recently been working through some network forensic challenges from a few locations (http://forensicscontest.com and http://ismellpackets.com/category/pcap/) and wanted to do some network carving (parsing a pcap and getting the files like .exe’s, .jpg’s, etc). to answer some of the questions i wanted to load networkminer on my backtrack 5 r1 box.

fortunately there was a tutorial on how to get networkminer up on linux, but it didn’t fix everything for the newest version of backtrack (specifically, the fonts were off and the menu didn’t show up correctly).

to get networkminer 1.0 up and running on my backtrack 5 r1 VM here is what i did (summary of commands at bottom):

downloaded winetricks and installed the .NET framework, some core fonts, and the GDI+ package

cd /bin
wget http://kegel.com/wine/winetricks
chmod +x winetricks
./winetricks corefonts dotnet20 gdiplus

download networkminer 1.0

cd /opt
wget http://sourceforge.net/projects/networkminer/files/networkminer/NetworkMiner-1.0/NetworkMiner_1-0.zip/download

extract the zip file and run network miner (you will get an pop-up saying there are no pcap adapters available, which is expected). i am using networkminer for viewing and extracting data only, not capturing (that is what tcpdump is for ;)
```
unzip download
cd NetworkMiner_1-0/
wine NetworkMiner.exe
```
you should have a working (non-capturing) copy of networkminer 1.0 ready to go
for ease of use, i added a link to networkminer in the applications menu

notes:

the files that networkminer carves out will be located at:
```
~/.wine/drive_c/Program Files/NetworkMiner_1-0/AssembledFiles
```
on windows, you can just right click and open the folder, but this didn’t work on my backtrack VM.

here is the list of commands i ran in order

cd /bin
wget http://kegel.com/wine/winetricks
chmod +x winetricks
./winetricks corefonts dotnet20 gdiplus
cd /opt
wget http://sourceforge.net/projects/networkminer/files/networkminer/NetworkMiner-1.0/NetworkMiner_1-0.zip/download
unzip download
cd NetworkMiner_1-0/
wine NetworkMiner.exe
rm /opt/download

references:
original networkminer/linux post: http://geek00l.blogspot.com/2008/12/drunken-monkey-running-network-miner.html
post that told me about the gdiplus package: http://forum.winehq.org/viewtopic.php?t=8516

weighted averages: selling your point

joshua.smith — Sun, 04 Sep 2011 18:56:32 +0000

i like to have numbers for management to base a decision on. sometimes this is easy (just hand them a dollar figure), other times it is not. i came around to weighted averages for the simple reason that i wanted to prove, with numbers, that just because an option is cheaper, that doesn’t mean its better. let me explain.

in the process of evaluating 3 different vendors as a replacement product, say you pick out 5 criteria to base them on. for my purposes, i throw this in a spread sheet and then i grade each vendor on how i think they do for each criteria (which is subjective, of course). for an example, see the screen shot below:

very quickly you can see that it is almost a dead heat between vendor x and y, and vendor z is out of the mix, right?

i would say this is misleading for the simple fact that criteria 1 might not (and probably won’t) be as important to you as criteria 2 or 3, etc.

in this example, i care a lot about criteria 2 & 5 (lets say those are the core functions of what i am evaluating) and only a moderate amount about criteria’s 1,3 and 4 (suppose those are things like look, feel, etc). so, i modify the spread sheet to add a weight column, assign each criteria a weight (which is also subjective) and i get totally different numbers. take a look:

now, instead of being a slight advantage to vendor x, you can clearly see that vendor y is a much better fix for my environment and vendor x is the worst fit, not the best.

how do you do it? it all revolves around two functions: sumproduct() and sum().

all the weights are subjective, so you provide those. now, instead of just summing criteria 1-5 and dividing by the number of criteria, you are going to use sumproduct() to multiply each criteria with its corresponding weight and then divide the sumproduct() with the sum() of all the weights.

it sounds complicated when you read it, but here is what it looks like (this is based off the screenshot, looking at the formula in cell c7):

here is the code:

=sumproduct($b$2:$b$6;c2:c6)/sum($b$2:$b$6)

that’s it. just something handy to have for professional or personal evaluation on what option is best.

note: probably not necessary to state, but the “$” sign in the formula is an anchor of sorts, it keeps that field from changing when you do a autocomplete function (in this case the weights are always at b2-b6, so i lock them down with a “$”). just in case you didn’t know that ;)