Friday, October 31, 2008

windows: removing the welcome/login screen in xp for single user logon

To log in automatically, type this command (it's a shortcut to 'User Accounts'):

control userpasswords2


Click the desired user's logon name, then click OK and enter the password when prompted (which is probably blank).


To set the password for the current user to a blank, get to a cmd prompt and run this command:
net user "%UserName%" ""




Friday, October 3, 2008

web security: input validation attacks

The following are some common input validation attacks:

Path or directory traversal. This attack is also known as the “dot dot slash” because it is perpetrated by inserting the characters “../” several times into a URL to back up or traverse into directories that weren’t supposed to be accessible from the Web. The command “../” at the command prompt tells the system to back up to the previous directory (try it: “cd ../”). If a web server’s default directory was “c:\inetpub\www”, a URL requesting http://www.website.com/scripts/../../../../../windows/system32/cmd.exe?/c+dir+c:\ would issue the command to back up several directories to ensure it has gone all the way to the root of the drive, then change to the operating system directory (windows\system32) and run cmd.exe to list the contents of the c: drive.

Unicode encoding. Unicode is an industry standard mechanism developed to represent the entire range of over 100,000 textual characters in the world in a standard coding format. Web servers support Unicode to support different character sets (like Chinese), and at one time many supported it by default. So even if we told our systems not to allow the “../” directory traversal request mentioned earlier, an attacker using Unicode could effectively make the same directory traversal request without using “/”, but with any of the Unicode representations of that character (three exist: %c1%1c, %c0%9v, and %c0%af). That request may slip through unnoticed and be processed.

URL encoding. If you’ve ever noticed that a “space” appears as “%20” in a URL in a web browser (Why is it only me who notices that?), the “%20” represents the space because spaces aren’t allowed characters in a URL. Much like the attacks using Unicode characters, attackers found that they could bypass filtering techniques and make requests by representing characters differently.
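As an added example (not code from the post or from the book it quotes), here is the canonicalisation a filter has to perform before it can look for “../”: percent-decode (twice, to catch double encoding), accept the overlong UTF-8 forms that the servers of the day accepted, unify separators, then resolve the dot segments. The sample paths in the __main__ block are constructed; %c0%af and %c1%1c are the values from the text above.

```python
from urllib.parse import unquote_to_bytes

# Added example (not from the book the post quotes): canonicalise a request path
# the way a defensive filter must before looking for "../". The paths in the
# __main__ block are constructed to mirror the post's cmd.exe traversal and its
# overlong-UTF-8 ("Unicode") variant.

def lenient_utf8_decode(raw: bytes) -> str:
    """Decode bytes the way the affected servers did: any 2-byte lead (C0-DF)
    is combined with the next byte without checking that it is a valid
    continuation byte. That is what turns %c0%af into "/" and %c1%1c into "\\"."""
    out, i = [], 0
    while i < len(raw):
        lead = raw[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(raw):
            out.append(chr(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))  # plain ASCII / latin-1 byte
            i += 1
    return "".join(out)

def canonicalize(path: str) -> str:
    """Percent-decode twice (catches %252e double encoding), unify separators,
    then resolve "." and ".." segments. Any ".." left at the front means the
    path climbed above the web root, so it is kept as evidence."""
    decoded = lenient_utf8_decode(unquote_to_bytes(path))
    decoded = lenient_utf8_decode(unquote_to_bytes(decoded)).replace("\\", "/")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == ".." and segments and segments[-1] != "..":
            segments.pop()
        elif seg == "..":
            segments.append("..")
        else:
            segments.append(seg)
    return "/".join(segments)

def escapes_webroot(path: str) -> bool:
    """True when the canonical form still begins with "..": reject and log it."""
    return canonicalize(path).startswith("..")

if __name__ == "__main__":
    for p in ("/scripts/../../../../../windows/system32/cmd.exe",
              "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe",
              "/dir/index.html"):
        print(f"{p} -> {canonicalize(p)} escapes={escapes_webroot(p)}")
```

The decision is made on the canonical form, never on the raw URL, which is why the encoded variants no longer slip past the “../” check.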


source: http://www.amazon.com/gp/blog/post/PLNK225DWOGWJIEBG

Tuesday, September 30, 2008

HTTP: digest auth example

This "HTTP Digest Authentication" example from wikipedia was just too good. I had to post this here - a real collector's item! ;)


Step 3 has the crucial part of the whole process: the inclusion of the server's nonce in the MD5 hash computation, which defeats replay attacks.



1. Client request (no authentication):


GET /dir/index.html HTTP/1.0
Host: localhost



2. Server response:



HTTP/1.0 401 Unauthorised
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:26:47 GMT
WWW-Authenticate: Digest realm="testrealm@host.com",
qop="auth,auth-int",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
Content-Type: text/html
Content-Length: 311


(HTML body: 401 Unauthorised.)

3. Client request (user name "Mufasa", password "Circle Of Life"):

GET /dir/index.html HTTP/1.0
Host: localhost
Authorization: Digest username="Mufasa",
realm="testrealm@host.com",
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/dir/index.html",
qop=auth,
nc=00000001,
cnonce="0a4f113b",
response="6629fae49393a05397450978507c4ef1",
opaque="5ccc069c403ebaf9f0171e9517f40e41"


4. Server response:

HTTP/1.0 200 OK
Server: HTTPd/0.9
Date: Sun, 10 Apr 2005 20:27:03 GMT
Content-Type: text/html
Content-Length: 7984



(source: http://en.wikipedia.org/wiki/Digest_access_authentication)

web security: nonce

Nonce (wrt HTTP digest authentication)
    
A nonce is a parameter that varies with time. A nonce can be a time stamp, a visit counter on a Web page, or a special marker intended to limit or prevent the unauthorized replay or reproduction of a file.

Because a nonce changes with time, it is easy to tell whether or not an attempt at replay or reproduction of a file is legitimate; the current time can be compared with the nonce. If it does not exceed it or if no nonce exists, then the attempt is authorized. Otherwise, the attempt is not authorized.
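Added example (not from the Wikipedia article or from any library): the RFC 2617 computation that produces the step-3 response value in the digest entry above, together with a server-side nonce-count check that turns the nonce into the replay defence this entry describes. The header values are the ones from the post; NonceTracker and verify_request are hypothetical helper names.

```python
import hashlib
import hmac

# Added example (not from the Wikipedia article the post quotes): the RFC 2617
# arithmetic behind step 3, plus the server-side bookkeeping that makes the
# nonce useful against replay: the nonce count "nc" must only ever increase.

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), with
    HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri) for qop=auth."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class NonceTracker:
    """Server side: remember the highest nc seen for each nonce we issued.
    An unknown nonce, or an nc that does not exceed the last one, is a replay."""
    def __init__(self, issued_nonces):
        self.last_nc = {n: 0 for n in issued_nonces}

    def accept(self, nonce, nc_hex):
        if nonce not in self.last_nc:
            return False               # we never issued this nonce
        nc = int(nc_hex, 16)
        if nc <= self.last_nc[nonce]:
            return False               # counter did not move forward: replay
        self.last_nc[nonce] = nc
        return True

def verify_request(tracker, password, params, method="GET"):
    """Validate the parsed Authorization header (a dict of the step-3 fields)
    the way a server would: replay check first, then recompute the response."""
    if not tracker.accept(params["nonce"], params["nc"]):
        return False
    expected = digest_response(params["username"], params["realm"], password, method,
                               params["uri"], params["nonce"], params["nc"],
                               params["cnonce"], params["qop"])
    return hmac.compare_digest(expected, params["response"])

# Step 3 of the post, as the server would parse it
STEP3 = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}
```

Presenting the same step-3 header a second time fails the nc check even though the hash is still correct, which is exactly the replay the nonce is there to stop.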

Wednesday, May 7, 2008

perl: oneliner to check if a given module is installed on your system

Let's say that you want to know whether module Tie::Hash is installed. To find out, execute the following from the command line:

perl -MTie::Hash -e 1



Monday, May 5, 2008

perl: testing two arrays for equivalence

How do I test whether two arrays or hashes are equal?

The following code works for single-level arrays. It uses a string-wise comparison, and does not distinguish defined versus undefined empty strings. Modify if you have other needs.

unless ( arrays_are_equal (\@tmp1, \@tmp2) ){
    print "\ntmp1 and tmp2 are not equal!\n";
}
else {
    print "\ntmp1 and tmp2 are indeed equal!\n";
}


sub arrays_are_equal {
    my ($first, $second) = @_;
    no warnings; # silence spurious -w undef complaints
    return 0 unless @$first == @$second;
    
    for (my $i = 0; $i < @$first; $i++) {
        return 0 if $first->[$i] ne $second->[$i];
    }
    return 1;
}

Source: perldoc -q "How do I test whether two arrays"

Wednesday, April 16, 2008

perl: matching an IPv4 address

SOLUTION 1: Jeffrey Friedl's "Mastering Regular Expressions"

my $ReIpNum = qr{([01]?\d\d?|2[0-4]\d|25[0-5])};
my $ReIpAddr = qr{^$ReIpNum\.$ReIpNum\.$ReIpNum\.$ReIpNum$};

my %ips = ('0.0.0.0' => 1,
           '1.2.3.4' => 1,
           '255.255.255.255' => 1,
           '000.34.2000.2' => 0,
           '' => 0,
           '24.23.23.' => 0);

for my $ip (keys %ips) {
    die "Failed: $ip"
        unless (($ip =~ m{$ReIpAddr}) == $ips{$ip});
    print "$ip passed\n";
}




SOLUTION 2: use Regexp::Common

#!/usr/bin/perl
use strict;
use warnings;
use Regexp::Common;

# read the sample addresses from the __DATA__ section below
while (<DATA>) {
    if (/$RE{net}{IPv4}{dec}{-keep}/) {
        print "IP Address: $1\n";
    }
}

__DATA__
24.113.50.245
0.42.523.2
255.242.52.4
2.5.3





Discussion:

IP addresses are difficult to match using a simple regular expression, because the regular expression must verify that the IP address against which it is matching is valid. A simple expression such as /\d{3}\.\d{3}\.\d{3}\.\d{3}/ will incorrectly match strings such as 789.23.2.900, which is outside the range of valid IP addresses (i.e., 0.0.0.0 to 255.255.255.255). Damian Conway's Regexp::Common module provides a very effective regular expression which matches only valid IP addresses.

perl: simple socket programming

Here's a telnet kinda program in perl (i.e. a generic TCP client):

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

my $dest = shift;
my $port = shift;
die "usage: $0 host port\n" unless defined $dest && defined $port;

my $message;
my $line;

my $sock = IO::Socket::INET->new(PeerAddr => $dest,
                                 PeerPort => $port,
                                 Proto    => "tcp")
    or die "Could not establish TCP connection: $!";

$sock->autoflush(1);

while (1)
{
    # read one line from the keyboard and send it to the server
    $message = <STDIN>;
    last unless defined $message;   # EOF on stdin: we are done
    print $sock $message;

    # print everything the server sends back, until it closes the connection
    while ($line = <$sock>)
    {
        print $line;
    }
    last;   # server closed the connection, nothing more to read
}

close $sock;

Tuesday, April 8, 2008

smtp: sending an email from the telnet prompt

The mail relay must accept SMTP connections from your host and must allow relaying. To check if the mail relay is working, try:



telnet mailrelay.domain 25
.... answer from mail relay .....

helo 
mail from: root@
rcpt to: @

data

mail test from unix
.



The mail server should answer something like "mail sent". If this works you can try with a normal mail client like:



mailx -s "subject" @
mail test from unix
.



To check if this has worked, look at /var/adm/syslog/mail.log

You should see a couple of lines stating that the mail has been accepted locally, sent to the relay and accepted there.


Thursday, March 27, 2008

perl: extracting email addresses from a thunderbird message list

The input file resides somewhere like: "C:\Documents and Settings\USERNAME\Application Data\Thunderbird\Profiles\sbdq6f9n.default\Mail\Local Folders\Inbox.sbd\guitar.sbd"

use strict;
use warnings;
use Tie::File;
use Fcntl;

sub alphabetically { lc $a cmp lc $b }

my $inputfile = shift;

unless ($inputfile)
{
    print "\nUSAGE:\n$0 <inputfile>\n\n";
    exit 0;
}

# Tie::File reads the (possibly large) mailbox file line by line instead of slurping it
my @contents;
tie (@contents, 'Tie::File', $inputfile, mode => O_RDONLY) or die "Can't open $inputfile: $!\n";
#open (MYFILE, $inputfile) || die " $! ";
#my @contents = <MYFILE>;
#close(MYFILE);

my @addresses;
my %seen = ();

foreach my $line (@contents) {
    if ( $line =~ m/([a-zA-Z]+\.[a-zA-Z]+\@calsoftinc\.com)/ )
    {
        next if $1 =~ m/ambar/;   # skip this one address
        $seen{$1}++;              # use a hash to automatically get a unique list
    }
}

foreach my $x (keys %seen) { unshift(@addresses, "$x\n"); }

print sort alphabetically @addresses;

Wednesday, March 19, 2008

esx: killing a stuck VM from the command line - redux!

NOTE: The method in this post seems more accurate and effective than the one in the previous post on this blog, "killing a stuck VM from the command line."


Instructions on how to forcibly terminate a VM if it is unresponsive to the VI client


Here you will be terminating the Master World and User Worlds for the VM which in turn will terminate the VM's processes.



1. First list the running VMs to determine the VM ID for the affected VM:
# cat /proc/vmware/vm/*/names

vmid=1076 pid=-1 cfgFile="/vmfs/volumes/50823edc-d9110dd9-8994-9ee0ad055a68/vc using sql/vc using sql.vmx" uuid="50 28 4e 99 3d 2b 8d a0-a4 c0 87 c9 8a 60 d2 31" displayName="vc using sql-192.168.1.10"

vmid=1093 pid=-1 cfgFile="/vmfs/volumes/50823edc-d9110dd9-8994-9ee0ad055a68/esx_template/esx_template.vmx" uuid="50 11 7a fc bd ec 0f f4-cb 30 32 a5 c0 3a 01 09" displayName="esx_template"

For this example we will terminate the VM at vmid='1093'




2. We need to find the Master World ID. To do this, type:
# less -S /proc/vmware/vm/1093/cpu/status

Expand the terminal or scroll until you can see the right-most column, labelled 'group'. Underneath the column heading you will find: vm.1092.

In this example '1092' is the ID of the Master World.




3. Run this command to terminate the Master World and the VM running in it:

/usr/lib/vmware/bin/vmkload_app -k 9 1092




4. This should kill all the VM's User Worlds and also the VM's processes.

If successful you will see output similar to this:

# /usr/lib/vmware/bin/vmkload_app --kill 9 1070
Warning: Jul 12 07:24:06.303: Sending signal '9' to world 1070.

If the Master World ID is wrong you may see:
# /usr/lib/vmware/bin/vmkload_app --kill 9 1071
Warning: Jul 12 07:21:05.407: Sending signal '9' to world 1071.
Warning: Jul 12 07:21:05.407: Failed to forward signal 9 to cartel 1071: 0xbad0061




Monday, March 10, 2008

windows: the TcpTimedWaitDelay registry setting

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

The TcpTimedWaitDelay key in the Windows registry determines the time that must elapse before TCP can release a closed connection and reuse its resources. This interval between closure and release is known as the TIME_WAIT state or 2MSL state. During this time, the connection can be reopened at much less cost to the client and server than establishing a new connection.

Reducing the value of this entry allows TCP to release closed connections faster, providing more resources for new connections. However, if the value is too low, TCP might release connection resources before the connection is complete, requiring the server to use additional resources to reestablish the connection.

Monday, February 25, 2008

linux basics: IO redirection - append to both stderr and stdout

It is possible to redirect one output channel to another like "2>&1" which means "put the output of channel 2 (stderr) where channel 1 (stdout) currently goes" and let channel 1 point to a file:

process >>file 2>&1



But it is preferable to redirect each channel to its own, separately named file: that makes for much easier to maintain code AND it is not position dependent, unlike the combined form:

process >file 2>&1
will have stderr and stdout go to file, but:


process 2>&1 >file
will have stdout go to file and stderr to the screen, because when channel 2's intended direction is evaluated, channel 1 is still pointing to the terminal and not to the file.


This is one of the most common errors in crontabs and is responsible for an awful lot of unnecessary (and unwanted) mails to root (the cron job's replacement for a terminal).