Tiny Deathstars of Foulness

Scapy is a (mostly) cross-platform packet manipulation tool. This allows you to craft and edit packets that you then send to other hosts when you open a socket. This is incredibly useful for, for example, capturing a packet being sent to you, manipulating the payload, and passing the packet on to another host. This is a pretty common, albeit slightly more advanced, method of security testing. Installing Scapy is a pretty straight forward process, if a tad bit time consuming compared to something coming in from a standard package.

Before you get started, make sure you have the OS X Developer Tools installed from the Mac App Store. Also, make sure you have ports installed from You’ll also need pylibpcap, as with most packet manipulation tools, so install that from  Install Pylibpcap, Download from Then there are some dependencies we’ll grab from Mac Ports:

port selfupdate
port upgrade outdated
port install py27-libdnet
port install libdnet

Next, download scapy from Once downloaded, cd into the scapy directory:

cd ~/Downloads/scapy-*

Then run the python installer:

sudo python install

Once installed, then start scapy with:

sudo scapy

Next, we’ll read a pcap file, which I have at ~/Documents/mypcap

>>> a=rdpcap("/spare/captures/isakmp.cap")
>>> a

You can also build a custom packet, using

>>> a=IP(ttl=10)
>>> a
< IP ttl=10 |>
>>> a.src
>>> a.dst=""
>>> a
< IP ttl=10 dst= |>
>>> a.src
>>> del(a.ttl)
>>> a
< IP dst= |>
>>> a.ttl

So far, very basic. We’ve read a packet and we’ve created a packet. Use send to send a packet:

>>> send(IP(dst="")/ICMP())

You can also add a Fuzz option, to get into fuzzing, and use sr1 to send and receive packets, rather than just send (thus allowing you to view the response).

March 14th, 2015

Posted In: Mac OS X, Mac Security

Tags: , , , , , , ,

sFlow is an industry standard that allows network equipment with the appropriate agents to send data to sFlow collectors, which then analyze network traffic. You can install sFlow on routers, switches, and even put agents on servers to monitor traffic. Brocade (along with most other switch manufacturers) supports sFlow.

Before you do anything log into the switch and check the current flow configuration:

show sFlow

To configure, log into the switch and use the the int command to access an interface. From within the interface, use the following command:

sflow forwarding

Then exit the interface using the very difficult to remember exit command:


Repeat the enablement of forwarding for any other necessary interfaces. Next, we’ll configure a few globals that would be true across all interfaces. The first is the destination address, done using the destination verb followed by the IP and then the port (I’m using the default 6343 port for sFlow):

sflow destination 6343

Set the sample rate:

sflow sample 512

Set the polling interval:

sflow polling-interval 30

Finally, enable sFlow:

sflow enable

January 2nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Network Infrastructure, Xsan

Tags: , , , , , , , , ,

Mobile Home Directory synchronizing in OS X Server environments is used to synchronize the home folder of clients with a copy that lives on the server, so users can roam between computers with their desktop, documents and preferences following them from machine to machine. Server Side File Tracking creates and keeps a copy of the sync database on client machines and servers, comparing the two databases when synchronizing rather than scanning directories for all the synced files each time a synchronization occurs. In environments with synchronizing Mobile Home Directories, Server Side File Tracking (SSFT) can help reduce the amount of time required for syncs. Server Side File Tracking is disabled by default in OS X Mountain Lion Server and cannot be enabled from the Server app. To enable Server Side File Tracking (aka – FileSyncAgent), use the following command:

sudo serveradmin settings info:enableFileSyncAgent = yes

To then turn it back off, if you so choose:

sudo serveradmin settings info:enableFileSyncAgent = no

Logs are then stored in ~/Library/Logs/FileSyncAgent/FileSyncAgentVerbose.log if you need further information. Note that TCP port 2336 needs to be open for the FileSync Agent to connect over ssh on port 2336 to the server; however, ssh doesn’t need to be enabled on the standard port 22 but mobile users must have access to the SSH SACL.

August 16th, 2012

Posted In: Mac OS X, Mac OS X Server, Mass Deployment

Tags: , , , , , , , , , ,

Configuring web services is as easy in OS X Mountain Lion Server (10.8) as it has ever been. To set up the default web portal, simply open the Server app, click on the Websites service and click on the ON button.

After a time, the service will start. Once running, click on the View Server Website link at the bottom of the pane.

Provided the stock OS X Server page loads, you are ready to use OS X Server as a web server.

Before we setup custom sites, there are a few things you should know. The first is, the server is no longer really designed to remove the default website. So if you remove the site, your server will exhibit inconsistent behavior. Also, don’t remove the files that comprise the default site. Instead just add sites, which is covered next. Webmail is gone. You don’t have to spend a ton of time looking for it as it isn’t there. Also, Mountain Lion Server adds web apps, which we’ll briefly review later in this article as well.  Finally, enabling PHP and Python on sites is done globally, so this setting applies to all sites hosted on the server.

Now that we’ve got that out of the way, let’s add our first custom site. Do so by clicking on the plus sign. At the New Web Site pane, you’ll be prompted for a number of options. The most important is the name of the site, with other options including the following:

  • Domain Name: The name the site is accessible from. The default sites do not have this option as they are accessible from all names that resolve to the server.
  • IP Address: The IP address the site listens on. Any means the site is available from every IP address the server is configured to use. The default websites do not have this option as they are accessible from all addresses automatically
  • Port: By default, sites without SSL run on port 80 on all network interfaces, and sites with SSL run on port 443 on all network interfaces. Use the Port field to use custom ports (e.g., 8080). The default sites do not have this option as they are configured to use 80 and 443 for default and SSL-based communications respectively.
  • SSL Certificate: Loads a list of SSL certificates installed using Keychain or the SSL Certificate option in the Settings pane of the Server application
  • Store Site Files In: The directory that the files that comprise the website are stored in. These can be placed into the correct directory using file shares or copying using the Finder. Click on the drop-down menu and then select Other to browse to the directory files are stored in.
  • Who Can Access: By default Anyone (all users, including unauthenticated guests) can access the contents of sites. Clicking on Anyone and then Customize… brings up the “Restrict access to the following folders to a chosen group” screen, where you can choose web directories and then define groups of users who can access the contents.
  • Additional Domains: Click on the Edit… button to bring up a simple list of domain names the the site also responds for (e.g. in addition to, add
  • Redirects: Click on the Edit… button to bring up a list of redirects within the site. This allows configuring redirects to other sites. For example, use /en to load or /cn to load
  • Aliases: Click on the Edit… button to load a list of aliases. This allows configuring redirects to folders within the same server. For example, /en loads /Library/Server/Web/Data/Sites/Default
  • Index Files: Click on the Edit… button to bring up a list of pages that are loaded when a page isn’t directly indicated. For example, when visiting, load the wp.php page by default.
  • Advanced Options: The remaining options are available by clicking on the “Edit Advanced Settings…” button.
  • Enable Server Side Includes: Allows administrators to configure leveraging includes in web files, so that pieces of code can be used across multiple pages in sites.
  • Allow overrides using .htaccess files: Using a .htaccess file allows administrators to define who is able to access a given directory, defining custom user names and passwords in the hidden .htaccess file. These aren’t usually required in an OS X Server web environment as local and directory-based accounts can be used for such operations. This setting enables using custom .htaccess files instead of relying on Apple’s stock web permissions.
  • Allow folder listing: Enables folder listings on directories of a site that don’t have an Index File (described in the non-Advanced settings earlier).
  • Allow CGI execution: Enables CGI scripts for the domain being configured.
  • Use custom error page: Allows administrators to define custom error pages, such as those annoying 404 error pages that load when a page can’t be found
  • Make these web apps available on this website: A somewhat advanced setting, loads items into the webapps array, which can be viewed using the following command:  sudo serveradmin settings web:definedWebApps

Once you’ve configured all the appropriate options, click on Done to save your changes. The site should then load. Sites are then listed in the list of Websites.

The Apache service is most easily managed from the Server app, but there are too many options in Apache to really be able to put into a holistic graphical interface. The easiest way to manage the Websites service in OS X Mountain Lion server is using the serveradmin command. Apache administrators from other platforms will be tempted to use the apachectl command to restart the Websites service. Instead, use the serveradmin command to do so. To start the service:

sudo serveradmin start web

To stop the service(s):

sudo serveradmin stop web

And to see the status:

sudo serveradmin fullstatus web

Fullstatus returns the following information:

web:health = _empty_dictionary
web:readWriteSettingsVersion = 1
web:apacheVersion = "2.2"
web:servicePortsRestrictionInfo = _empty_array
web:startedTime = "2012-08-13 23:01:42 +0000"
web:apacheState = "RUNNING"
web:statusMessage = ""
web:ApacheMode = 2
web:servicePortsAreRestricted = "NO"
web:state = "RUNNING"
web:setStateVersion = 1

While the health option typically resembles kiosk computers in the Computer Science departments of most major universities, much of the rest of the output can be pretty helpful including the Apache version, whether the service is running, any restrictions on ports and the date/time stamp that the service was started.

To see all of the settings available to the serveradmin command, run it, followed by settings and then web, to indicate the Websites service:

sudo serveradmin settings web

The output is pretty verbose and can be considered in two sections, the first includes global settings across sites as well as the information for the default sites that should not be deleted:

web:defaultSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSite:serverName = ""
web:defaultSite:realms = _empty_dictionary
web:defaultSite:redirects = _empty_array
web:defaultSite:enableServerSideIncludes = no
web:defaultSite:customLogPath = "&quot;/var/log/apache2/access_log&quot;"
web:defaultSite:webApps = _empty_array
web:defaultSite:sslCertificateIdentifier = ""
web:defaultSite:fullSiteRedirectToOtherSite = ""
web:defaultSite:allowFolderListing = no
web:defaultSite:serverAliases = _empty_array
web:defaultSite:errorLogPath = "&quot;/var/log/apache2/error_log&quot;"
web:defaultSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_any_80_.conf"
web:defaultSite:aliases = _empty_array
web:defaultSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSite:directoryIndexes:_array_index:2 = "/wiki/"
web:defaultSite:directoryIndexes:_array_index:3 = "default.html"
web:defaultSite:allowAllOverrides = no
web:defaultSite:identifier = "37502141"
web:defaultSite:port = 80
web:defaultSite:allowCGIExecution = no
web:defaultSite:serverAddress = "*"
web:defaultSite:requiresSSL = no
web:defaultSite:proxies = _empty_dictionary
web:defaultSite:errorDocuments = _empty_dictionary
web:defaultSecureSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSecureSite:serverName = ""
web:defaultSecureSite:realms = _empty_dictionary
web:defaultSecureSite:redirects = _empty_array
web:defaultSecureSite:enableServerSideIncludes = no
web:defaultSecureSite:customLogPath = "&quot;/var/log/apache2/access_log&quot;"
web:defaultSecureSite:webApps = _empty_array
web:defaultSecureSite:sslCertificateIdentifier = ""
web:defaultSecureSite:fullSiteRedirectToOtherSite = ""
web:defaultSecureSite:allowFolderListing = no
web:defaultSecureSite:serverAliases = _empty_array
web:defaultSecureSite:errorLogPath = "&quot;/var/log/apache2/error_log&quot;"
web:defaultSecureSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_any_443_.conf"
web:defaultSecureSite:aliases = _empty_array
web:defaultSecureSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSecureSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSecureSite:directoryIndexes:_array_index:2 = "/wiki/"
web:defaultSecureSite:directoryIndexes:_array_index:3 = "default.html"
web:defaultSecureSite:allowAllOverrides = no
web:defaultSecureSite:identifier = "37502140"
web:defaultSecureSite:port = 443
web:defaultSecureSite:allowCGIExecution = no
web:defaultSecureSite:serverAddress = "*"
web:defaultSecureSite:requiresSSL = yes
web:defaultSecureSite:proxies = _empty_dictionary
web:defaultSecureSite:errorDocuments = _empty_dictionary
web:dataLocation = "/Library/Server/Web/Data"
web:mainHost:keepAliveTimeout = 15.000000
web:mainHost:maxClients = "50%"

The second section is per-site settings, with an array entry for each site:

web:customSites:_array_index:0:documentRoot = "/Library/Server/Web/Data/Sites/"
web:customSites:_array_index:0:serverName = ""
web:customSites:_array_index:0:realms = _empty_dictionary
web:customSites:_array_index:0:redirects = _empty_array
web:customSites:_array_index:0:enableServerSideIncludes = no
web:customSites:_array_index:0:customLogPath = "/var/log/apache2/access_log"
web:customSites:_array_index:0:webApps = _empty_array
web:customSites:_array_index:0:sslCertificateIdentifier = ""
web:customSites:_array_index:0:fullSiteRedirectToOtherSite = ""
web:customSites:_array_index:0:allowFolderListing = no
web:customSites:_array_index:0:serverAliases = _empty_array
web:customSites:_array_index:0:errorLogPath = "/var/log/apache2/error_log"
web:customSites:_array_index:0:fileName = "/Library/Server/Web/Config/apache2/sites/"
web:customSites:_array_index:0:aliases = _empty_array
web:customSites:_array_index:0:directoryIndexes:_array_index:0 = "index.html"
web:customSites:_array_index:0:directoryIndexes:_array_index:1 = "index.php"
web:customSites:_array_index:0:directoryIndexes:_array_index:2 = "/wiki/"
web:customSites:_array_index:0:directoryIndexes:_array_index:3 = "default.html"
web:customSites:_array_index:0:allowAllOverrides = no
web:customSites:_array_index:0:identifier = "41179886"
web:customSites:_array_index:0:port = 80
web:customSites:_array_index:0:allowCGIExecution = no
web:customSites:_array_index:0:serverAddress = "*"
web:customSites:_array_index:0:requiresSSL = no
web:customSites:_array_index:0:proxies = _empty_dictionary
web:customSites:_array_index:0:errorDocuments = _empty_dictionary

The final section (the largest by far) includes array entries for each defined web app. The following shows the entry for a Hello World Python app:

web:definedWebApps:_array_index:15:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:15:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_wsgi.conf"
web:definedWebApps:_array_index:15:requiredModuleNames:_array_index:0 = "wsgi_module"
web:definedWebApps:_array_index:15:startCommand = ""
web:definedWebApps:_array_index:15:sslPolicy = 0
web:definedWebApps:_array_index:15:requiresSSL = no
web:definedWebApps:_array_index:15:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:15:launchKeys = _empty_array
web:definedWebApps:_array_index:15:proxies = _empty_dictionary
web:definedWebApps:_array_index:15:preflightCommand = ""
web:definedWebApps:_array_index:15:stopCommand = ""
web:definedWebApps:_array_index:15:name = ""
web:definedWebApps:_array_index:15:displayName = "Python &quot;Hello World&quot; app at /wsgi"

Each site has its own configuration file defined in the array for each section. By default these are stored in the /Library/Server/Web/Config/apache2/sites directory, with /Library/Server/Web/Config/apache2/sites/ being the file for the custom site we created previously. As you can see, many of the options available in the Server app are also available in these files:

<VirtualHost *:80>
DocumentRoot "/Library/Server/Web/Data/Sites/"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log

<IfModule mod_ssl.c>
SSLEngine Off
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProxyEngine On
SSLProxyProtocol -ALL +SSLv3 +TLSv1

<Directory "/Library/Server/Web/Data/Sites/">
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
<IfModule mod_dav.c>
Deny from all
ErrorDocument 403 /customerror/websitesoff403.html


The serveradmin command can also be used to run commands. For example, to reset the service to factory defaults, delete the configuration files for each site and then run the following command:

sudo serveradmin command web:command=restoreFactorySettings

The final tip I’m going to give in this article is when to make changes with each app. I strongly recommend making all of your changes in the Server app when possible. When it isn’t, use serveradmin and when you can’t make changes in serveradmin, only then alter the configuration files that come with the operating system by default. I also recommend keeping backups of all configuration files that are altered and a log of what was altered in each, in order to help piece the server back together should it become unconfigured miraculously when a softwareupdate -all is run next.

August 15th, 2012

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

phpLDAPadmin is a tool that can be used to walk LDAP trees and view attributes of objects located within them using a web browser. This isn’t to say that it’s the prettiest tool out there but it works really well and is portable between various flavors of LDAP.

Before you can use phpLDAPadmin you will need Apache. In Ubuntu, Apache can be installed using apt-get:

apt-get install apache2

Once you have Apache installed, downloading phpLDAPadmin and installing it in Ubuntu Server 10 couldn’t be easier, just apt-get the package:

apt-get install phpldapadmin

Now you have the pieces, let’s copy phpLDAPadmin into your web root directory:

cp -R /usr/share/phpldapadmin /var/www/myphpldapadmin

In that new directory you will see a config file. Here, you’ll see some lines that appear as follows:

$ldapservers->SetValue($i,’server’,’name’,’My LDAP Server’);  // The name to display
$ldapservers->SetValue($i,’server’,’host’,’′);  // Address of the LDAP server
$ldapservers->SetValue($i,’server’,’port’,’389′);   // Port number
$ldapservers->SetValue($i,’server’,’base’,array(‘dc=example,dc=com’));  // Base dn

You’ll want to provide the address, port number (if the port isn’t 389) and DN information of your server and then connected by visiting the website created via Apache (if the server name were ldapserver.local, this might be http://ldapserver.local/phpLDAPadmin). Provide the username and password and you should be able to use phpLDAPadmin. Happy LDAP’ing!

November 17th, 2010

Posted In: Active Directory, Ubuntu

Tags: , , , , , , , , , ,

In Windows 7 (and previous versions for that matter), you can change the port that RDP listens on for new Remote Desktop connections. To do so you would fire up regedit and then browse to the following key:


Here, you would change the PortNumber to a new decimal value that is the port you wish to listen on. Save, reboot and you’re good to go.

October 12th, 2010

Posted In: Windows XP

Tags: , , ,

As of version 8, Retrospect uses port 22024 when the Retrospect Console needs to communicate with the engine. It just so happens that this can become unresponsive when the engine itself decides to stop working. Therefore, if you’re using Retrospect 8, you can run a port scan against port 22024 ( i.e. stroke <IP_ADDRESS> 22024 22024 ) and then restart the engine if it goes unresponsive. To restart the engine, simply unload and then load com.retrospect.launchd.retroengine. For example:

/bin/launchctl unload /Library/LaunchDaemons/com.retrospect.launchd.retroengine.plist; /bin/launchctl load /Library/LaunchDaemons/com.retrospect.launchd.retroengine.plist

I have found that if you alter the nice value that the engine crashes less (not that I’m saying that it crashes a lot or is buggy btw, just seen it in a few cases now).  To do so, change the nice value in /Library/LaunchDaemons/com.retrospect.launchd.retroengine.plist from the default (0) to -10 (or -20 even).

Historically, there have been intermittent issues with the client software running. To determine if it’s running or stopped from within the host that the client is running on you can use the following (for versions 6 and below):

ps -cx | grep retroclient

Or you can use the following for version 8:

ps -cx | grep pitond

Or you can port scan port 497 for the client:

stroke <IP_ADDRESS> 497 497

June 4th, 2010

Posted In: Mac OS X Server

Tags: , , , , , ,