Jun 01, 2013

I finally got around to upgrading my desktop from Backtrack 5R3 to the latest Kali Linux. After about two weeks, I finally set out to get the ATI graphics card working so I could do some password cracking. This turned into fun, as the version of fglrx-drivers in the repos doesn't support my 4500 series graphics card, and fglrx-drivers-legacy doesn't exist in the Kali or Debian repos. Trying to install from the ATI legacy drivers bundle also failed. Here is how I got it working using Debian packages:

First add the correct repos:

Continue reading »

May 31, 2013

I'm mostly writing this article as a note on the correct way to install the Java JDK or runtime on Kali or Debian Wheezy.

Download either the JDK or JRE tar.gz package from Oracle.

Install java-package from Debian:

apt-get install java-package

Continue reading »

May 30, 2013

There are times when I need to do things and I don't trust using public access points, hotspots, etc. So what I did was set up a VPN on my home network that I can then connect to from anywhere. This has the advantage of encrypting my communications while in a public place. One of the problems was that my ISP will randomly change the IP address. Granted, there are numerous services that do dynamic DNS, but that has the potential to attract unwanted traffic. So what I did was write a small one-line script that dumps my IP once a day to my Dropbox account (encrypted). Either the script can be run via crontab, or you can simply add the entire line to crontab:

Continue reading »

May 18, 2013

A long time ago, I created a database to hold passwords and their respective hashes for some 16 hash types. It has approximately 310,261,848 passwords for each type and is growing nearly every day as more password lists become available. I found a pretty quick way to generate the hashes for these wordlists and wanted to share how it is done. These hashes only work for unsalted/unpeppered passwords.

First, let's look at my table schema, which is very simple and very effective. It uses a unique index on the hash + password columns, so there cannot be any two hash+password pairs that are the same. The types table is a simple lookup table that maps data.type 1 to a name like DES. Its primary key is on the name column. I don't claim to be a DB administrator, so if you spot any errors, let me know.

Continue reading »

Apr 18, 2013

Some of the posts I am seeing on the internet regarding the WordPress password crack via botnet are pretty funny, as various people offer suggestions to fix the problem. The quickest fix is simple, and although it protects the wp-admin page, it won't protect you from the inbound traffic or SQL injection.

Continue reading »

Apr 06, 2013

I am all about performance and speed. I even go so far as to test various ways of doing things in bash (or other programming languages) to optimize the code so it runs faster or more efficiently. I optimize services in the same manner. My fairly new laptop has one of the hybrid graphics setups, Intel + NVIDIA. It works with Bumblebee, and CUDA, for the most part. Simply running 'optirun command' switches to the NVIDIA graphics card, which gives much better performance, not only in graphics-intensive stuff but even in the bash shell.

Example: running a simple 'time ls -la' in a directory containing 1590 items:

real	0m0.095s
user	0m0.012s
sys	0m0.008s

Example 2: running ‘optirun xterm’ and then running the same command ‘time ls -la’ in the same directory in the new nvidia xterm:

real    0m0.015s
user    0m0.000s
sys     0m0.012s

And even the glx tests are much faster:

$ glxspheres 
Polygons in scene: 62464
Visual ID of window: 0xa4
Context is Direct
OpenGL Renderer: Mesa DRI Intel(R) Ivybridge Mobile 
60.131595 frames/sec - 67.106860 Mpixels/sec
31.846655 frames/sec - 35.540867 Mpixels/sec
31.377641 frames/sec - 35.017447 Mpixels/sec
31.636594 frames/sec - 35.306439 Mpixels/sec

and:

$ optirun glxspheres 
Polygons in scene: 62464
Visual ID of window: 0x21
Context is Direct
OpenGL Renderer: GeForce GTX 660M/PCIe/SSE2
153.415397 frames/sec - 171.211583 Mpixels/sec
158.583456 frames/sec - 176.979136 Mpixels/sec
161.016123 frames/sec - 179.693993 Mpixels/sec
158.156824 frames/sec - 176.503015 Mpixels/sec

To me, this is enough of a performance improvement to use the NVIDIA graphics card always. Except there is no way to do that on the new laptop, at least none that I have figured out.

Apr 05, 2013

bbswitch is not compatible with the kernel included with Kali Linux. The easiest fix is simply to upgrade to kernel 3.8.5 from Debian experimental:

Basically I downloaded these packages manually:

initramfs-tools_0.110_all.deb
linux-headers-3.8-trunk-all-amd64_3.8.5-1~experimental.1_amd64.deb
linux-headers-3.8-trunk-amd64_3.8.5-1~experimental.1_amd64.deb
linux-headers-3.8-trunk-common_3.8.5-1~experimental.1_amd64.deb
linux-headers-3.8-trunk-common-rt_3.8.5-1~experimental.1_amd64.deb
linux-headers-3.8-trunk-rt-amd64_3.8.5-1~experimental.1_amd64.deb
linux-image-3.8-trunk-amd64_3.8.5-1~experimental.1_amd64.deb
linux-kbuild-3.8_3.8.2-1~experimental.1_amd64.deb

Then installed them:

sudo dpkg -i *.deb

Rebooted and all was well.


Mar 16, 2013

One thing you learn pretty quickly once you move into the cloud is that what you would normally do to stop bots, rogue traffic, hackers, etc. doesn't quite work, even at the packet level. What I mean is this: you have a web server sitting behind an AWS load balancer and it's under attack. You are running Linux. The first thing you do is set up an iptables rule to drop connections from that IP address. The problem is, iptables never sees that IP address. iptables works on the packet headers and can't look inside the HTTP request; what it sees is the load balancer's IP address. The user's IP address is carried in the X-Forwarded-For header. So the first thing you need to do is enable X-Forwarded-For logging in your web server. I will use nginx as an example:

Continue reading »
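
The excerpt above stops before the nginx configuration, so here is an added example (not from the original post) of the other half of the job: once the log_format records $http_x_forwarded_for, pulling the real client addresses back out of the log so you know which address to block at the load balancer or in the application. Everything in it is constructed: the sample log lines, the load balancer address 10.0.0.5, the log_format name "xff" and the function names xff_clients and top_xff_client are assumptions, not anything from the post. It deliberately takes the rightmost address in the header, which is the hop the load balancer itself observed; the entries to the left are supplied by the client and can be faked.

```shell
#!/bin/sh
# Added example, not from the original post: recover the real client address
# from nginx access-log lines that carry the X-Forwarded-For header.
#
# Assumed nginx log_format (the name "xff" is hypothetical):
#   log_format xff '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" '
#                  '"$http_user_agent" "$http_x_forwarded_for"';
# With that format the X-Forwarded-For value is the LAST quoted field.

# Constructed sample lines. $remote_addr is always the load balancer
# (10.0.0.5); the real client is in the X-Forwarded-For field. The third
# line carries a client-supplied fake first hop (192.0.2.99); the rightmost
# entry is the address the load balancer itself saw. The last line has no
# header at all ("-").
SAMPLE_LOG='10.0.0.5 - - [16/Mar/2013:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.7"
10.0.0.5 - - [16/Mar/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.7"
10.0.0.5 - - [16/Mar/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "192.0.2.99, 203.0.113.7"
10.0.0.5 - - [16/Mar/2013:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0" "198.51.100.20"
10.0.0.5 - - [16/Mar/2013:10:00:05 +0000] "GET /feed/ HTTP/1.1" 200 2048 "-" "curl/7.29" "-"'

# Read access-log lines on stdin and print "count ip" lines, most frequent
# first. Uses the rightmost address in the X-Forwarded-For list (the hop the
# load balancer observed) and skips lines without a header.
xff_clients() {
    awk -F'"' '{
        xff = $(NF-1)                      # last quoted field on the line
        if (xff == "-" || xff == "") next  # no header recorded
        n = split(xff, hops, /, */)        # "a, b, c" -> hops[1..n]
        count[hops[n]]++                   # trust only the rightmost hop
    } END {
        for (ip in count) print count[ip], ip
    }' | sort -rn
}

# The single most active client address in the constructed sample.
top_xff_client() {
    printf '%s\n' "$SAMPLE_LOG" | xff_clients | head -1 | awk '{print $2}'
}

# Stand-alone run: print the count table for the sample data.
printf '%s\n' "$SAMPLE_LOG" | xff_clients
```

Run it as a script to see the count table for the sample lines (203.0.113.7 comes out on top with 3 requests, and the spoofed 192.0.2.99 never appears), or pipe a real access log into xff_clients. If you would rather have $remote_addr itself hold the client address, nginx's ngx_http_realip_module does that with set_real_ip_from (the load balancer's address range), real_ip_header X-Forwarded-For and real_ip_recursive on. Either way iptables still only ever sees the load balancer, so the actual block has to happen in nginx (a deny directive) or at the load balancer's security group.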

Mar 09, 2013

As I use nginx more and more, one of the things I miss is being able to see who is connecting to the server and the requests they are making. This is often helpful in determining attacks. So I basically wrote this script, which does it.

#!/bin/bash

# By Ed Wiget
# This shows active GETs and POSTs to port 80
# One of the things I hate about nginx is the lack of an apache style status page showing requests
# hence I wrote this script....which does it at the network layer, using ngrep

# 20130308 - original script

## grep all HTTP GET or POST requests from network traffic on eth0 interface  ##
# sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80

# ngrep must be installed; command -v is quieter and more reliable than parsing the output of which
if ! command -v ngrep >/dev/null 2>&1; then
	echo "missing ngrep....please install"
	exit 1
fi

# interface to capture on: first argument, or prompt for it
# (quoted -z test, so an empty or missing argument doesn't break the comparison)
if [ -z "$1" ]; then
	echo "You must pass the interface as an option, i.e. eth0 or eth1, etc"
	read CIF
else
	CIF=$1
fi

thing=1

# ngrep runs until interrupted; the loop just restarts it if it ever exits
until [ "$thing" = "0" ]; do
	# uncomment top line if you don't need x-forwarded-for
	#sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
	# use the next line if you do need x-forwarded-for
	#sudo ngrep -d eth1 -q 'X-Forwarded-For'  tcp and port 80
	ngrep -d "${CIF}" -t '^(GET|POST) ' tcp and port 80
	echo
	sleep 1
done

CHANGES

20130905 – added option to pass interface

Mar 06, 2013

This was tested on CentOS 6.3. It is running at approximately 900 to 3,000+ log events per second from approximately 30 hosts.

Current load is about 900 messages per second:  load average: 1.57, 1.35, 1.29 with 8GB memory.

With the above in mind, there was approximately 165GB of log data after running for 4 days.

graylog.org web site

elasticsearch web site

mongo db

passenger phusion web site

logstash web site

I wrote a script to install a graylog2 central log server. It's a one-shot, run-it-and-be-done kind of thing.

CHANGES

20130309 – see notes in script

Continue reading »