krypted.com

Tiny Deathstars of Foulness

In bash, you can run multiple commands in a single line of a script. You do so by separating them with a semi-colon (;). The great thing about this is that if you end up using a variable, you can pass it on to subsequent commands. Here, we’re going to string three commands together and then echo the output: a=1;b=2;c=$a+$b;echo $c because we told c to be $a + $b, the $a expands to 1 and the $b expands to 2, we throw them together and then echo out the contents of c$ which appears as follows: 1+2 Now, we could have this thing do math as well, by wrapping the mathematical operation in double-parenthesis, which bash treats as an arithmetic expansion: a=1;b=2;c=(($a+$b));echo $c The output this one is simply 3.

June 15th, 2015

Posted In: Mac OS X, Mac OS X Server, Ubuntu, Unix

Tags: , , , , , , , , ,

Database won’t start? InnoDB errors are a pain. Where was krypted for a month? Did everything finally get to me and I gave up blogging? No, the site ended up having some problems with corruption in some rows of the InnoDB tables. But, I was able to get the site back up by putting the database into recovery mode. How did I do this? It’s pretty straight forward. Open my.cnf and paste these lines in there: innodb_force_recovery=3 innodb_purge_threads=0 Once the corruption is resolved, bring up empty databases and import your mysqldump into the new databases and link your site back up. But, the InnoDB force recovery puts the database into recovery mode, which is read only. So I wasn’t actually able to use the site, just look at it. At least the content was available, right? When MySQL isn’t writeable, you can’t log in as an admin, etc. The rest is one of the bigger pains I’ve encountered that didn’t result in an all nighter at a customer. I’ll write that up when I have time some day. In the meantime, next time someone changes my root password and breaks my backup scripts so I can’t just bring in a mysqldump, I’m breaking their arms. You’ve been warned.

May 15th, 2015

Posted In: Mac OS X, Ubuntu, Unix, WordPress

Tags: , , , , , , ,

There are a number of ways to see information about what version of Linux that you’re running on different cat /etc/lsb-release Which returns the distribution information, parsed as follows: DISTRIB_ID=Ubuntu DISTRIB_RELEASE=12.04.5 DISTRIB_CODENAME=precise DISTRIB_DESCRIPTION="Ubuntu Precise Pangolin (LTS)" LSB_release can also be run as a command, as follows: lsb_release -a Which returns the following: No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu Precise Pangolin (LTS) Release: 12.04.5 Codename: precise lab_release can be used as a command as well: cat /etc/issue.net Which returns: Ubuntu Precise Pangolin (development branch) In Debian, you can simply look at the version file: cat /etc/debian_version Which returns the following: wheezy/sid Or Red Hat Enterprise can also be located with /etc/issue.net: cat /etc/issue.net With many variants, including OS X, you can also use uname to determine kernel extensions, etc: uname -a The thing I’ve learned about Linux is that there’s always a better way to do things. So feel free to comment on your better way or favorite variant!

March 5th, 2015

Posted In: Ubuntu, Unix

Tags: , , , , , ,

Popped in a list of Linux bash commands here: http://krypted.com/commands/linux-bash-commands/

January 24th, 2015

Posted In: Ubuntu

Tags: , , , , ,

The free command in Linux is used to show memory utilization. When run without any options, you can see the used and available space of swap and physical memory. By default, the option is displayed in kilobytes but when run with a -b option it is shown in bytes or -m will show in megabytes or -g in gigabytes or -t in terabytes. So to see the free space in bytes run the following: free -b The -o option shows the output adjusted for the buffer. The -t option also adds a total column as well as a line for total that shows swap and physical, combined. The -s will update the output and is followed by a number of seconds. To see the number of times it happened, use the -c option. So to see the output every 60 seconds: free -cs 60 The low and high stats are shown using the -l option: free -l As with many commands, you can see the version of the command using the -V option: free -V Finally, use the –help option to see the available options, no matter the version or OS.

January 20th, 2015

Posted In: Ubuntu, Unix

Tags: , , , , , , ,

Merry Christmas ya’ll!
On the first day of Christmas my true love gave to me one 32 gig iPad On the second day of Christmas my true love gave to me two bash one-liners On the third day of Christmas my true love gave to me three Red Hat servers On the fourth day of Christmas my true love gave to me four email blasts On the fifth day of Christmas my true love gave to me five retweets On the sixth day of Christmas my true love gave to me six regular expressions On the seventh day of Christmas my true love gave to me seven lines of perl On the eighth day of Christmas my true love gave to me eight app store apps On the ninth day of Christmas my true love gave to me nine AWS instances On the tenth day of Christmas my true love gave to me ten Active Directory forests On the eleventh day of Christmas my true love gave to me 11 crappy python scripts On the twelfth day of Christmas my true love gave to me 12 craft brews
xmas-ornament-computer-ram

December 25th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , , , ,

You can do some pretty simple testing of ports and network communications using strategies I’ve outlined in the past with tcpdump, trace route, telnet, curl, stroke and of course ping. However, netcat has a few interesting things you can do with it; namely actually run a port super-quickly to test traffic between subnets, forcing scans of ipv6 traffic, debugging sockets, keeping connections alive, parodying through SOCKS 4 and 5 and just checking for daemons that are listening rather than actually sending data to them. In this first example, we’re going to just check that Apple’s web server is accessible (adding -v for verbose output): /usr/bin/nc -v www.apple.com 80 The result would be pretty verbose
found 0 associations found 1 connections: 1: flags=82<CONNECTED,PREFERRED> outif en0 src 10.10.20.176 port 50575 dst 23.78.138.214 port 80 rank info not available TCP aux info available Connection to www.apple.com port 80 [tcp/http] succeeded! HTTP/1.0 408 Request Time-out Server: AkamaiGHost Mime-Version: 1.0 Date: Tue, 29 Jul 2014 15:41:34 GMT Content-Type: text/html Content-Length: 218 Expires: Tue, 29 Jul 2014 15:41:34 GMT <HTML><HEAD> <TITLE>Request Timeout</TITLE> </HEAD><BODY> <H1>Request Timeout</H1> The server timed out while waiting for the browser’s request.<P> Reference&#32;&#35;2&#46;48cf4d17&#46;1406648494&#46;0 </BODY></HTML>
If we added a -w to timeout we’ll cut out all the cruft (but wouldn’t know that the server’s at Akamai). Next, we’ll get a little more specific and fire up a test to check Apple’s push gateway at, using port 2195: /usr/bin/nc -v -w 15 gateway.push.apple.com 2195 But, I want the cruft for the purposes of this article. Next, we can add a -4 to force connections over IPv4 and check the Apple feedback server and port 2196, also required for APNs functionality: /usr/bin/nc -v -4 feedback.push.apple.com 2196 Right about now, something is probably happening at Apple where they’re getting sick of me sending all this data their direction, so let’s add a -z option, to just scan for daemons, without actually sending any data their way: /usr/bin/nc -vz -4 feedback.push.apple.com 2196 Because of how NAT works, you might notice that the src port keeps changing (incrementing actually). Here’s the thing, we’re gonna’ go ahead and force our source port to stay the same as our destination port using the -p option: /usr/bin/nc -vz -4 -p 2196 feedback.push.apple.com 2196 Now, what if this is failing? Well, let’s spin up a listener. I like to start on my own subnet, then move to another subnet on the same network and ultimately to another network so I’m checking zone-by-zone so-to-speak, for such a failure. So, we can spin up a listener with netcat in a few seconds using the -l option on another host: /usr/bin/nc -l 2196 Then I can scan myself: /usr/bin/nc 127.0.0.1 2196 I could also do this as a range if I forgot which port I used per host: /usr/bin/nc 127.0.0.1 2195-2196 Now, as is often the case, if our connection problem is because data isn’t parodying, we can also use nc to check that using the -x operator followed by an IP and then : and a port. For example: /usr/bin/nc -vz -4 -w 10 -p 2196 -x 10.0.0.2:8080 feedback.push.apple.com 2195-2196 Fun times with push notifications. Enjoy.

July 29th, 2014

Posted In: Mac Security, Mass Deployment, MobileMe, Network Infrastructure

Tags: , , , , , , , , , , , , , ,

You have a lot of boxes. You would like to be able to parse through the logs of all those boxes at the same time, searching for a given timestamp across a set of machines for a specific string (like a filename or a port number). elasticsearch, logstash and kibana are one way to answer that kind of need. This will involve downloading three separate packages (which for this article, we’ll do in /usr/local) and creating a config file. First, install the latest Java JDK. This is available at jdk8-downloads-2133151.html. The following is going to download the latest version of logstash and untar the package into /usr/local/logstash (I like nesting that logstash-1.4.0 inside logstash so when the next version comes out I can have it there too, I have plenty of space so keeping a couple versions back helps in the event I need some old binary and can’t get to it ’cause they revved out the version I wrote a script against at some point): curl -O https://download.elasticsearch.org/logstash/logstash/logstash-1.4.0.tar.gz mkdir /usr/local/logstash tar zxvf logstash-1.4.0.tar.gz -C /usr/local/logstash Once we have log stash, we’ll grab elastic search similarly: curl -O https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.0.1.tar.gz mkdir /usr/local/elasticsearch tar zxvf elasticsearch-1.0.1.tar.gz -C /usr/local/elasticsearch Then we’ll untar kibana in the same manner: curl -O https://download.elasticsearch.org/kibana/kibana/kibana-3.0.0.tar.gz mkdir /usr/local/kibana tar zxvf kibana-3.0.0.tar.gz -C /usr/local/kibana Next we’ll make a very simple config file that we call /usr/local/stashbox.conf that listens on port 514 for syslog: input { tcp { port => 514 type => syslog } udp { port => 514 type => syslog } } filter { if [type] == "syslog" { grok { match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" } add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{host}" ] } syslog_pri { } date { match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] } } } output { elasticsearch { host => localhost } stdout { codec => rubydebug } } Next, we’ll enable elastic search: /usr/local/elasticsearch/elasticsearch-1.0.1/bin/elasticsearch And finally, in a different window we’ll call logstash with that file as the config file: /usr/local/logstash/logstash-1.4.0/bin/logstash -f /usr/local/stashbox.conf Having each of these open in different Terminal windows allows you to see logs in stdout. Next, point a host at your new syslog box. You can use http://krypted.com/windows-server/use-syslog-on-windows for installing Windows clients or http://krypted.com/mac-security/redirect-logs-to-a-syslog-server-in-os-x/ for  a Mac. Once done, let’s get Kibana working. To do so, first edit the config.js. vi /usr/local/kibana/kibana-3.0.0/config.js Locate the elastic search setting and put the name of the host running logstash in there (yes, it can be the same as the actual logstash box as long as you install a web server on the logstash box). Then save the changes. Now move the contents of that kibana-3.0.0 folder into your web directory. Let’s say this is a basic OS X Server, that would be: cp -R /usr/local/kibana/kibana-3.0.0/* /Library/Server/Web/Data/Sites/Default/ You can then check out your Kibana site at http://localhost or http://localhost/index.html#/dashboard/file/logstash.json for the actual search pages, which is what I’ve bookmarked. Screen Shot 2014-04-10 at 10.37.51 PM For example, to see the impact of periodic scripts in System Logs: Screen Shot 2014-04-12 at 9.07.44 AM  

April 11th, 2014

Posted In: Active Directory, Mac OS X, Mac OS X Server, Microsoft Exchange Server, Network Infrastructure, Ubuntu, Unix, VMware, Windows Server

Tags: , , , , , ,

The nmap application is a pretty easy-to-use tool that can be used to port scan objects in a network environment. To obtain mmap in an easy-to-use package installer, for OS X check out the download page at http://nmap.org/download.html#macosx (use the same page to grab it for Windows or *nix as well). Once downloaded run the package/rpm/whatever. Before I scan a system, I like to pull the routing table and eth info to determine how scans are being run, which can be run by using the mmap command anong with the —iflist option: nmap —iflist Basic Scanning To then scan a computer, just use the mmap command followed by the host name or even throw a -v option in there to see more information (you can use a hostname or an IP): nmap -v www.apple.com Use the -6 option if scanning via IPv6: nmap -v -6 8a33:1a2c::83::1a Can drop the -v for less info on these, but I usually like more than less. Shows ports, states, services (for the ports) and a MAC address for each IP being scanned. You can also scan a range of IPs. I usually take the lazy way for this, by using a wildcard. I can replace an octet to scan all objects in that octet. For example, to scan all systems running on the 192.168.210 class B: nmap 192.168.210.* You can scan a subnet, which can cover more or less than one octet worth of IPs, by including the net mask: nmap 192.168.210.0/24 You can also just list a range, which is much easier in some cases, using the —exclude option to remove an address that will be angry if port scanned: nmap 192.168.210.1-100 —exclude 192.168.210.25 Or to do a few hosts within that range: nmap 192.168.210.1,10,254 Of you can even use the following to read in a list of addresses and subnets where each is on its own line: nmap -iL ~/nmaplist.txt By default, mmap is scanning all ports. However, if you know what you’re looking for, scans can be processed much faster if you constrain it to a port or range of ports. Use the -p option to identify a port and then T: for only TCP or U: for only UDP, or neither to do both. Additionally, you can scan a range of ports or separate ports using the same syntax used for identifying multiple hosts. For example, here we’ll scan 53, 80, 110, 443 and 143: nmap -p 53,80,110,143,443 DO OS detection using the -A option: nmap -A www.apple.com For true remote OS detection, use -O with —osscan-guess: mmap -v -O —osscan-guess mail.krypted.com We can also output to a text file, using the -o option (or of course > filename but -o is more elegant here unless you’re parsing elsewhere in the line): mmap -v -o ~/Desktop/nmapresults.txt -O —osscan-guess mail.krypted.com Firewalls Next, we’ll look at trying to bypass pesky annoyances like stageful packet inspection on firewalls. First, check whether there is actually a firewall using -s: nmap -sA www.apple.com Scan even if the host is protected by a firewall: nmap -PN www.apple.com Just check to see if some devices are up even if behind a firewall: nmap -sP 192.168.210.10-20 Run a scan using Syn and ACK scans, run mmap along with the either -PS or -PA options (shown respectively): nmap -PS 443 www.apple.com nmap -PA 443 www.apple.com Try to determine why ports are in a specific state: nmap —reason www.apple.com Show all sent/recvd packets: nmap —packet-trace www.apple.com Try to read the header of remote ports to determine a version number of the software: nmap -sV www.apple.com Security Scanning Next, we can look at actually using nmap to test the attacking waters a little bit. First, we’ll try and spoof another MAC address, using the —spoof-mac options. We’ll use the 0 position after that option to indicate that we’re randomly generating a Mac, although we could use a real MAC in place of the 0: nmap -v -sT —spoof-mac 0 www.apple.com Next, let’s try to add a decoy, which allows us to spoof some IPs and use that as decoys so our target doesn’t suspect our IP as one that’s actually scanning them (note that our IP we’re testing from is 192.168.210.210): nmap -n -192.168.210.1,192.168.210.10,192.168.210.210,192.168.210.254 Then, send some crazy packets (not an official term like magic packets, just my own term for throwing a curve ball at things and testing for the viability of syn-flood or Xmas packet attacking): nmap -sX www.apple.com Configure a custom mtu: nmap —mtu 64 www.apple.com Fragment your packets: nmap -f www.apple.com Note: None of Apple’s servers were damaged in the writing of this article. I did a find/replace at the end, when I realized I didn’t want all of you hitting www.krypted.com.

January 24th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Microsoft Exchange Server, Network Infrastructure, Ubuntu, Unix, VMware

Tags: , , , , , , , ,

Any time doing a migration of data from one IP to another where that data has a DNS record that points users towards the data, we need to keep the amount of time it takes to repoint the record to a minimum. To see the TTL of a given record, let’s run dig using +trace, +nocmd to turn off showing the version and query options, +noall to turn off display flags, +answer to still show the answer section of my reponse and most importantly for these purposes +ttlid to toggle showing the TTL on. Here, we’ll use these to lookup the TTL for the www.krypted.com A record: dig +trace +nocmd +noall +answer +ttlid a www.krypted.com The output follows the CNAME (as many a www record happen to be) to the A record and shows the TTL value (3600) for each: www.krypted.com. 3600 IN CNAME krypted.com. krypted.com. 3600 IN A 199.19.85.14 We can also lookup the MX using the same structure, just swapping out the a for an MX and the FQDN with just the domain name itself: dig +trace +nocmd +noall +answer +ttlid mx krypted.com The response is a similar output where krypted.com. 3600 IN MX 0 smtp.secureserver.net. krypted.com. 3600 IN MX 10 mailstore1.secureserver.net.

January 23rd, 2014

Posted In: Active Directory, cloud, Consulting, iPhone, Kerio, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Microsoft Exchange Server, Network Infrastructure, Windows Server

Tags: , , , , , , , , , ,

« Previous PageNext Page »