Wednesday, October 31, 2007

Yet Another Interesting Linux Distribution



It may look like a hard distribution to use, but that's false. ZeroShell is one of the easiest and most important server-oriented distributions I've ever seen. Services like RADIUS, Kerberos and Captive Portal are usually quite difficult to set up and use. Thanks to 0shell the configuration and setup of these services is really easy and fast. Yep, fast. Right now one of the major problems working against Linux is the slow setup of services. With other systems it's pretty easy to install and configure the whole service; on Linux platforms instead, in particular if you are an old-style geek, it turns out to be difficult and takes a lot of time. Well, that's no longer true thanks to 0shell. You can download and install it right now; keep it and throw out your old systems :-D.
Grabbed from the site: http://www.zeroshell.net/eng/


Zeroshell is a small Linux distribution for servers and embedded devices aimed at providing the main network services a LAN requires. It is available in the form of Live CD or Compact Flash image and you can configure and administer it using your web browser. The main features are listed below:

RADIUS server for providing secure authentication and automatic management of the encryption keys to the Wireless 802.11b, 802.11g and 802.11a networks supporting the 802.1x protocol in the EAP-TLS, EAP-TTLS and PEAP form or the less secure authentication of the client MAC Address; WPA with TKIP and WPA2 with CCMP (802.11i compliant) are supported too; the RADIUS server may also, depending on the username, group or MAC Address of the supplicant, allow the access on a preset 802.1Q VLAN;

Captive Portal to support the web login on wireless and wired networks. Zeroshell acts as gateway for the networks on which the Captive Portal is active and on which the IP addresses (usually belonging to private subnets) are dynamically assigned by the DHCP. A client that accesses this private network must authenticate itself through a web browser using Kerberos 5 username and password before the Zeroshell's firewall allows it to access the public LAN. The Captive Portal gateways are often used to provide authenticated Internet access in the HotSpots in alternative to the 802.1X authentication protocol too complicated to configure for the users. Zeroshell implements the functionality of Captive Portal in native way, without using other specific software as NoCat or Chillispot;

QoS (Quality of Service) management and traffic shaping to control traffic over a congested network. You will be able to guarantee the minimum bandwidth, limit the max bandwidth and assign a priority to a traffic class (useful in latency-sensitive network applications like VoIP). The previous tuning can be applied on Ethernet Interfaces, VPNs, bridges and VPN bondings. It is possible to classify the traffic by using the Layer 7 filters that allow the Deep Packet Inspection (DPI) which can be useful to shape VoIP and P2P applications;

Host-to-lan VPN with L2TP/IPsec in which L2TP (Layer 2 Tunneling Protocol) authenticated with Kerberos v5 username and password is encapsulated within IPsec authenticated with IKE that uses X.509 certificates;

Lan-to-lan VPN with encapsulation of Ethernet datagrams in SSL/TLS tunnel, with support for 802.1Q VLAN and configurable in bonding for load balancing (band increase) or fault tolerance (reliability increase);

Router with static and dynamic routes (RIPv2 with MD5 or plain text authentication and Split Horizon and Poisoned Reverse algorithms);

802.1d bridge with Spanning Tree protocol to avoid loops even in the presence of redundant paths;

802.1Q Virtual LAN (tagged VLAN);

Firewall Packet Filter and Stateful Packet Inspection (SPI) with filters applicable in both routing and bridging on all type of interfaces including VPN and VLAN;

It is possible to reject or shape P2P File Sharing traffic by using IPP2P iptables module in the Firewall and QoS Classifier;

NAT to use private class LAN addresses hidden on the WAN with public addresses;

TCP/UDP port forwarding (PAT) to create Virtual Servers. This means that a real server cluster will be seen with only one IP address (the IP of the virtual server) and each request will be distributed with a Round Robin algorithm to the real servers;

Multizone DNS server with automatic management of the Reverse Resolution in-addr.arpa;

Multi subnet DHCP server with the possibility to fix IP depending on client's MAC address;

PPPoE client for connection to the WAN via ADSL, DSL and cable lines (requires a suitable MODEM);

Dynamic DNS client used to easily reach the host on WAN even when the IP is dynamic;

NTP (Network Time Protocol) client and server for keeping host clocks synchronized;

Syslog server for receiving and cataloging the system logs produced by the remote hosts including Unix systems, routers, switches, WI-FI access points, network printers and others compatible with the syslog protocol;

Kerberos 5 authentication using an integrated KDC and cross-authentication between realms;

LDAP, NIS and RADIUS authorization;

X509 certification authority for issuing and managing electronic certificates;

Unix and Windows Active Directory interoperability using LDAP and Kerberos 5 cross realm authentication.

Tuesday, October 30, 2007

Automatic Jailbreak For iPhone and iPod Touch

Another incredible way to jailbreak and install "Installer" on your iPhone/iPod Touch.
Until now you had to follow easy but long guides and pay attention to every move. Well, now it's really easy: just open Safari and click on Jailbreakme.com!!




Grabbed From http://www.modmyiphone.com

It's as easy as opening Safari on your iPhone/iPod Touch and browsing to jailbreakme.com. That's it! Scroll down and hit "Install AppSnapp". Safari should disappear and pop you back to the Home screen. Wait patiently for a minute - don't touch anything 'til it pops you back to the Slide to Unlock screen.

Slide to unlock, and Installer.app will be installed on your iPhone/iPod Touch! You should probably install BSD Subsystem, Community Sources, and OpenSSH, and upgrade Installer.app if needed.

Erica Sadun from TUAW also refreshes the good tip that combining Open SSH and sshfs (part of Mac Fuse) allows you to drag and drop files to/from your iPod Touch/iPhone directly from Finder.



Thanks so much guys!

Monday, October 29, 2007

Wordreference.com Vulnerable

Hi all,
today I've found two different kinds of vulnerability on www.wordreference.com.
As you know, wordreference is one of the most important free dictionaries on the net, and thanks to it I've learned a little English; for this reason I won't post real examples of how to exploit it, but just a proof that it exists.
The first vulnerability is a classic SQL injection, while the second one is a classic buffer overflow on an arithmetic operation. First of all, look up a really common word such as "a": you'll find a lot of translations, and at the end of the page you'll find the "next 100" link, as the following image shows






Clicking on this link and looking at the URL bar you'll see something like this






Try changing the "start" parameter to the value "-1", and here we go! You should see this:



But that's not all: if you also try to put in a long string, in order to break the pointer, like the following one



you'll see another error like the following one



This is another bad example of input checking... A lot of problems could be solved just by putting proper input validation inside the application.

Saturday, October 27, 2007

After a Week

Do you remember the Meta Halloween party where my friends and I carved some pumpkins?



Well, actually our pumpkins have melted down :-( .
Let's see them!
Here is my pirate boat before.....


And here is my pirate boat after a week :-( ....


I'm so sad for my pumpkin..... but the important thing is that I've learned how to make them!!
Next year I'll import the pumpkin carving party to Italy :-D.

Friday, October 26, 2007

Password Cracking: Speed Increased.

Another good idea comes from Elcomsoft.
Their password cracking software uses a GPU accelerator instead of the CPU in order to increase cracking speed. To know more about this fast method, read this paper. This topic arrives at the same time as a password security brief that I'm writing for a well-known Italian magazine, so I feel very close to this kind of problem. As I write there, the choice of password is really important to guarantee enterprise safety. Using a Mnemonic Password Formula (MPF), in a world where every service is tied to a different account, has become essential. MPFs are easy for the end user to remember and hard to crack, since they follow a random character probability distribution. The following picture represents an easy but useful Mnemonic Password Formula.






Examples that respect this grammar are the following:

  1. "m@b.m", which means Marco Ramilli at www.blogger.com

  2. "b@c.u", which means Matt Bishop at cs.ucdavis.edu


Another password formula, useful and easy to remember, is the following:





Here the initial number represents the type of password. For instance, the number "0" can mean that the password is used for private purposes, while "1" means it is used for work.

  1. "0:m@b.m;", which means Marco Ramilli at www.blogger.com as personal password

  2. "1:b@c.u;", which means Matt Bishop at cs.ucdavis.edu as work password


These are just a few examples of MPF power; to learn more about these formulas follow these links:
[1] Bugaj, Stephan Vladimir. "More Secure Mnemonic-Passwords: User-Friendly Passwords for Real Humans."
[2] Kotadia, Munir. "Microsoft Security Guru: Jot Down Your Passwords."
[3] Williams, Randall T. "The Passphrase FAQ."
[4] Yan, Jeff Jianxin; Blackwell, Alan F.; Anderson, Ross J.; Grant, Alasdair. "Password Memorability and Security: Empirical Results."

Funny Stuff


Thanks Dilbert for this funny security strip!


Thursday, October 25, 2007

Ant Script

This morning I went crazy trying to sign a .jar application with automatic tools. In the end I discovered that Ant has this skill and everything around me became easier. I put here a really easy example of an Ant build.xml with the principal commands to sign a jar application, hoping it could be useful to everybody.
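An example build.xml, added here rather than the post's own file (which was only an image): it compiles, jars, signs and then verifies the jar with Ant's javac, jar, signjar and verifyjar tasks. The keystore path keys/release.jks, the alias "release" and the Main-Class "Main" are placeholders, and the keystore password is supplied as -Dstorepass=... at build time so it is never stored in the file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example build.xml: compile, jar, sign and verify.
     keys/release.jks, the alias "release" and Main-Class "Main" are placeholders;
     the store password comes from the command line: ant -Dstorepass=... -->
<project name="signed-app" default="verify" basedir=".">
    <property name="src.dir"    value="src"/>
    <property name="build.dir"  value="build"/>
    <property name="dist.dir"   value="dist"/>
    <property name="jar.file"   value="${dist.dir}/app.jar"/>
    <property name="signed.jar" value="${dist.dir}/app-signed.jar"/>
    <property name="keystore"   value="keys/release.jks"/>
    <property name="key.alias"  value="release"/>

    <target name="init">
        <!-- Refuse to run without the password rather than embedding it in this file. -->
        <fail unless="storepass" message="run with -Dstorepass=&lt;keystore password&gt;"/>
        <mkdir dir="${build.dir}"/>
        <mkdir dir="${dist.dir}"/>
    </target>

    <target name="compile" depends="init">
        <javac srcdir="${src.dir}" destdir="${build.dir}" includeantruntime="false"/>
    </target>

    <target name="jar" depends="compile">
        <jar destfile="${jar.file}" basedir="${build.dir}">
            <manifest>
                <attribute name="Main-Class" value="Main"/>
            </manifest>
        </jar>
    </target>

    <!-- Sign into a separate file so the unsigned build is never shipped by mistake. -->
    <target name="sign" depends="jar">
        <signjar jar="${jar.file}" signedjar="${signed.jar}"
                 alias="${key.alias}" keystore="${keystore}" storepass="${storepass}"/>
    </target>

    <!-- Fails the build if any entry in the signed jar no longer matches its signature. -->
    <target name="verify" depends="sign">
        <verifyjar jar="${signed.jar}" alias="${key.alias}" keystore="${keystore}"
                   storepass="${storepass}" certificates="true"/>
    </target>
</project>
```

Running `ant -Dstorepass=...` executes the whole chain; rerunning the verify target against a jar whose classes were altered after signing fails the build instead of silently shipping them.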



Tuesday, October 23, 2007

Java insecurity

Last year I posted some security issues about the Java security engine on the Java bug tracker. Today I found some free time and checked whether some of these security issues have been corrected.
Well, I found again some problems in Java byte code caused by bad flag checking. The main problem concerns the poor connection between compiler and linker in the Java core verifier. Let me try a really easy example. Write the A.java and B.java classes in the following manner.
public class A {
    public int value = 200;
}

public class B {
    public static void main(String[] s) {
        System.out.println(new A().value);
    }
}
Well, compile A and B (javac *.java) and run B (java B). Nothing strange yet. Right now all this stuff works fine, but if you change the public field (public int value = 200) into a private one (private int value = 200), compiling only A.java (javac A.java), you'll observe that the behavior of java B does not change! What happened? The linker has not been updated. Yep, but how can we apply this "linker not updated" issue to real life?
Every piece of commercial software has some protection; often the protection is a serial number or a license code. The software has to check the correctness of the inserted number, and to do that it often uses a private function "serialNumber(String serial)". If we don't know any reverse engineering technique, we could change the "serialNumber" private function into a public one and afterwards forge brute-force code able to exploit the previous function. Let me try with a different but easy example in order to understand the Java Code Violence technique.




This class has a private function named sum. We assume we have only the .class code and not the sources. With javap (javap -c -private) we can see the names and how many private variables/methods the .class has.










Our attack will focus on private static int sum(). The main goal is to change this function from private to public; to do that we can use a simple Java class file editor such as DataWorkShop. Open the .class file with JavaInterpreter and search for private static int sum(). The right method is number 3, as is easy to see from the previous javap screen; change the private value from "YES" to "NO" and save the poisoned code.







Well, now we should forge two specific Java classes: the first must be named like the attacked class and must have a fake public method named like the attacked class's private method. The second class is the true attacker's class, able to use the private method; in these images it has been called Violence.java.








Now compile Violence.java, then remove the fake class named like the attacked class, rename the attacked class back to its original name and run Violence.class!! You have just bypassed the Java Security Engine. With the same principle you can modify private fields, private classes and of course private methods, building home-made classes that use the private fields of commercial classes. One of the most useful scenarios is building your own brute forcer against a private "serial check" function. The problem is in the verifier engine. The Java verifier has the certifier's task: it should check every piece of code before loading it into the right memory location. Also the Java manager engine should check that run-time code does not damage the JVM and/or machine memory, but it doesn't seem to be working so well. I hope that this easy kind of attack works only on my not-always-updated old machines.
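An added example, not from the original post, written from the integrity-checking side: once the access_flags inside a .class file have been patched, the JVM has nothing but the patched flags to enforce, so what a defender needs is a way to audit the flags a shipped class actually carries. The Java program below parses the class file format directly (constant pool, fields, method table) and reports the visibility of every method; run without arguments it audits its own class file, and its private sum method is a stand-in for a private check routine, not the post's class.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

public class ClassFlagAudit {
    static final int ACC_PUBLIC = 0x0001, ACC_PRIVATE = 0x0002;
    // Body size in bytes of a constant-pool entry, by tag; CONSTANT_Utf8 (tag 1) is read separately.
    static int bodySize(int tag) {
        if (tag == 5 || tag == 6) return 8;                             // Long, Double
        if (tag == 15) return 3;                                        // MethodHandle
        if (tag == 7 || tag == 8 || tag == 16 || tag >= 19) return 2;   // Class, String, MethodType, Module, Package
        if (tag >= 3 && tag <= 18) return 4;                            // Integer, Float, *ref, NameAndType, *Dynamic
        throw new IllegalArgumentException("unknown constant pool tag " + tag);
    }
    static void skipAttributes(DataInputStream in) throws IOException {
        for (int n = in.readUnsignedShort(); n > 0; n--) { in.readUnsignedShort(); in.skipBytes(in.readInt()); }
    }
    // Returns "name+descriptor" -> access_flags for every method declared in the class file.
    public static Map<String, Integer> methodFlags(DataInputStream in) throws IOException {
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.skipBytes(4);                                                // minor_version, major_version
        int cpCount = in.readUnsignedShort();
        String[] utf8 = new String[cpCount];
        for (int i = 1; i < cpCount; i++) {
            int tag = in.readUnsignedByte();
            if (tag == 1) { utf8[i] = in.readUTF(); continue; }        // same length-prefixed modified UTF-8
            in.skipBytes(bodySize(tag));
            if (tag == 5 || tag == 6) i++;                              // 8-byte constants occupy two slots
        }
        in.skipBytes(6);                                                // class access_flags, this_class, super_class
        in.skipBytes(2 * in.readUnsignedShort());                       // interfaces
        for (int n = in.readUnsignedShort(); n > 0; n--) { in.skipBytes(6); skipAttributes(in); }  // fields
        Map<String, Integer> flags = new LinkedHashMap<>();
        for (int n = in.readUnsignedShort(); n > 0; n--) {
            int access = in.readUnsignedShort();
            String name = utf8[in.readUnsignedShort()], desc = utf8[in.readUnsignedShort()];
            skipAttributes(in);
            flags.put(name + desc, access);
        }
        return flags;
    }
    static String visibility(int a) {
        return (a & ACC_PRIVATE) != 0 ? "private" : (a & ACC_PUBLIC) != 0 ? "public" : "non-public";
    }
    private static int sum(int x, int y) { return x + y; }              // stand-in for a private check routine
    public static void main(String[] args) throws IOException {         // no argument: audit this class's own file
        try (DataInputStream in = new DataInputStream(args.length > 0 ? new FileInputStream(args[0])
                : ClassFlagAudit.class.getResourceAsStream("ClassFlagAudit.class"))) {
            for (Map.Entry<String, Integer> e : methodFlags(in).entrySet())
                System.out.printf("%-9s %s%n", visibility(e.getValue()), e.getKey());
        }
    }
}
```

Whatever `private` says in the source, only the flags in the deployed class file and the integrity of that file matter at run time; comparing this output with the flags recorded at build time, or verifying the jar signature, is what catches a patched class.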

BEATS OF BOREDOM

What do hackers do when they have too much time on their hands? Beats Of Boredom! One of the most basic hacker characteristics is the ability to take unrelated things and turn them into a perfectly balanced mix.


Beats Of Boredom from adam deeves on Vimeo.

Monday, October 22, 2007

HttpBee. An interesting project.

HTTPBee is a swiss-army-knife tool for web application hacking and testing: a multi-threaded, high-performance tool with a scripting engine and agent-like behavior support.

The way httpbee's scripting engine is implemented is tied to the httpbee architecture itself. Httpbee maintains a pool of threads that it uses for parallel task execution, so execution of httpbee scripts is not linear. Instead, certain functions are executed at certain steps of the scanning process. The global scripting part is executed when the script is initially "scanned", so httpbee can pick up tags, description and other data from your script. The init function will be executed only when your script is picked up and scheduled for execution (based on tag selection, for example).
Once execution is launched, every time a parallel thread requires a new request string the request function will be called. Whenever a response is received, your response function will be called, and the request string which produced the response will be given as a parameter. The fini function will be called when execution of the script is completed and the script is about to be unloaded.
Well, I haven't tested the agent-like behavior yet, but I think it could be interesting to try it.
If someone finds a bit of free time to do it, please send me "the agent behavior report" and we could discuss it!

Sunday, October 21, 2007

Meta Halloween Party.

Yep, you've read it right... a META party!
The meaning of META party is quite easy to understand: yesterday we didn't have a true Halloween party but a pumpkin carving party, in order to prepare for the Halloween party! It was great fun, thanks to "Bavech", the landlord who organized the party in his own home. It's not so easy to build your pumpkin: you gotta take it from a field and carve it following your own style. As you can see there were a lot of pumpkins in the field; the first difficulty was discovering your orange pumpkin and taking it from the wild field :-D. This is the big farm......

And this is the ex-house of our orange pumpkins! ... We got it!




Here are Ann and Lavinia. Ann is one of our best American friends :-D. She took us to this farm and taught us the "pumpkin carving theory" :-D.
Next step, painting your design on the pumpkin surface! Personally I followed a "for dummies" template, but it was perfect for my costume!



And at the end..... after a long and tiring feat, here they are! The carved pumpkins with lights are ready to be put outside the door!





Pirate's boat! My first pumpkin, in the middle of our fantastic pumpkins.....





Saturday, October 20, 2007

JING project

Sometimes I need video or picture tools able to record mouse movements or desktop actions. For instance, during my first RoboAdmin movies I needed something to record how RA was answering users' queries.
Jing is a well-formed project, available for MAC and for WINDOWS, free in both cases, that with its nice transparent and solar interface snaps pictures of anything on your desktop. It's really useful because it can store your snapshot online immediately, ready to be linked on your blog!
Here is the complete video
Enjoy your snapshot!

New Application Launcher able to change your real life!

We know,
MAC and MAC developers are always one (or more) steps above the other OSes :-D. You can see that also in the new MAC applications that keep coming out.
Try using QuickSilver: it's the most used application launcher for OS X, it's fast, easy to use and mouse independent. But if you wanna be an old-style guy (100100110) maybe a Linux shell is better, rather than turning a really nice MAC into a rude black-and-green shell!
SAPIENS, instead, is a revolutionary application launcher. No more Dock, no more application bar, just your mouse and your hand. One mouse circle and, here it is!! a nice and intelligent application launcher for you. Do you wanna open a file with a non-default program? No problem: keep it, move the icon in a circle and you are able to select your favorite application! It's really amazing, I'm using it and I can say: watch the demo video here

Paradigm Shift

Well....
too many users on my old MAC, too many users for my poor connection, too many users unhappy about my poor server that's hosting 2 sites and one blog. Maybe blogger.com is the best solution.
It's my new blog, marcoramilli.blogspot.com