Tiny Deathstars of Foulness

When running a DNS/BIND server on Linux or macOS, you can check the version number by running a simple named command with the -v option.

named -v

The output is as follows:

BIND 9.9.7-P3 (Extended Support Version)

September 11th, 2016

Posted In: Mac OS X, Unix

Tags: , , ,

The cd command has lots of fun little shortcuts. One I use frequently is the -. The ~ always takes you to your home directory, but using cd – will take you to the last directory you were in. For example, if you do the following on a Mac:

cd ~

Then you do .. (which is a shortcut for the directory above the one you’re in):

cd ..

Then pwd will show that you’re in /Users. But, if you cd to – again:

cd -

Now you’re back in your home folder. The – expands to OLDPWD. Quick tip. Nothing more to see here.

July 20th, 2015

Posted In: Mac OS X, Ubuntu, Unix

Tags: , , , , ,

The wc command is used to count words, characters and lines. Here, we’ll run it a few different ways. -l shows the number of lines in a file. For example, in my home directory, I can use it to see how many lines are in my .gitconfig file:

wc -l .gitconfig

This would output something like the following:

11 .gitconfig

Or count the number of characters with -c:

wc -c .gitconfig

Or check the number of words:

wc -w .gitconfig

You can also run it against multiple files. For example, here I’ll check the number of lines in both my .gitconfig file and my .gitignore_global files:

wc -l .gitconfig .gitignore_global

Let’s say I have a list of numbers and I want to take an average of them. I can use this to quickly figure out how many numbers I have (and so will divide by) before tallying them up.

July 4th, 2015

Posted In: Mac OS X, Ubuntu, Unix

Tags: , , , , , , ,

The free command in Linux is used to show memory utilization. When run without any options, you can see the used and available space of swap and physical memory. By default, the option is displayed in kilobytes but when run with a -b option it is shown in bytes or -m will show in megabytes or -g in gigabytes or -t in terabytes. So to see the free space in bytes run the following:

free -b

The -o option shows the output adjusted for the buffer. The -t option also adds a total column as well as a line for total that shows swap and physical, combined. The -s will update the output and is followed by a number of seconds. To see the number of times it happened, use the -c option. So to see the output every 60 seconds:

free -cs 60

The low and high stats are shown using the -l option:

free -l

As with many commands, you can see the version of the command using the -V option:

free -V

Finally, use the –help option to see the available options, no matter the version or OS.

January 20th, 2015

Posted In: Ubuntu, Unix

Tags: , , , , , , ,

You can do some pretty simple testing of ports and network communications using strategies I’ve outlined in the past with tcpdump, trace route, telnet, curl, stroke and of course ping. However, netcat has a few interesting things you can do with it; namely actually run a port super-quickly to test traffic between subnets, forcing scans of ipv6 traffic, debugging sockets, keeping connections alive, parodying through SOCKS 4 and 5 and just checking for daemons that are listening rather than actually sending data to them.

In this first example, we’re going to just check that Apple’s web server is accessible (adding -v for verbose output):

/usr/bin/nc -v 80

The result would be pretty verbose

found 0 associations
found 1 connections:
outif en0
src port 50575
dst port 80
rank info not available
TCP aux info available

Connection to port 80 [tcp/http] succeeded!
HTTP/1.0 408 Request Time-out
Server: AkamaiGHost
Mime-Version: 1.0
Date: Tue, 29 Jul 2014 15:41:34 GMT
Content-Type: text/html
Content-Length: 218
Expires: Tue, 29 Jul 2014 15:41:34 GMT

<TITLE>Request Timeout</TITLE>
<H1>Request Timeout</H1>
The server timed out while waiting for the browser’s request.<P>

If we added a -w to timeout we’ll cut out all the cruft (but wouldn’t know that the server’s at Akamai). Next, we’ll get a little more specific and fire up a test to check Apple’s push gateway at, using port 2195:

/usr/bin/nc -v -w 15 2195

But, I want the cruft for the purposes of this article. Next, we can add a -4 to force connections over IPv4 and check the Apple feedback server and port 2196, also required for APNs functionality:

/usr/bin/nc -v -4 2196

Right about now, something is probably happening at Apple where they’re getting sick of me sending all this data their direction, so let’s add a -z option, to just scan for daemons, without actually sending any data their way:

/usr/bin/nc -vz -4 2196

Because of how NAT works, you might notice that the src port keeps changing (incrementing actually). Here’s the thing, we’re gonna’ go ahead and force our source port to stay the same as our destination port using the -p option:

/usr/bin/nc -vz -4 -p 2196 2196

Now, what if this is failing? Well, let’s spin up a listener. I like to start on my own subnet, then move to another subnet on the same network and ultimately to another network so I’m checking zone-by-zone so-to-speak, for such a failure. So, we can spin up a listener with netcat in a few seconds using the -l option on another host:

/usr/bin/nc -l 2196

Then I can scan myself:

/usr/bin/nc 2196

I could also do this as a range if I forgot which port I used per host:

/usr/bin/nc 2195-2196

Now, as is often the case, if our connection problem is because data isn’t parodying, we can also use nc to check that using the -x operator followed by an IP and then : and a port. For example:

/usr/bin/nc -vz -4 -w 10 -p 2196 -x 2195-2196

Fun times with push notifications. Enjoy.

July 29th, 2014

Posted In: Mac Security, Mass Deployment, MobileMe, Network Infrastructure

Tags: , , , , , , , , , , , , , ,

The nmap application is a pretty easy-to-use tool that can be used to port scan objects in a network environment. To obtain mmap in an easy-to-use package installer, for OS X check out the download page at (use the same page to grab it for Windows or *nix as well). Once downloaded run the package/rpm/whatever.

Before I scan a system, I like to pull the routing table and eth info to determine how scans are being run, which can be run by using the mmap command anong with the —iflist option:

nmap —iflist

Basic Scanning
To then scan a computer, just use the mmap command followed by the host name or even throw a -v option in there to see more information (you can use a hostname or an IP):

nmap -v

Use the -6 option if scanning via IPv6:

nmap -v -6 8a33:1a2c::83::1a

Can drop the -v for less info on these, but I usually like more than less. Shows ports, states, services (for the ports) and a MAC address for each IP being scanned.

You can also scan a range of IPs. I usually take the lazy way for this, by using a wildcard. I can replace an octet to scan all objects in that octet. For example, to scan all systems running on the 192.168.210 class B:

nmap 192.168.210.*

You can scan a subnet, which can cover more or less than one octet worth of IPs, by including the net mask:


You can also just list a range, which is much easier in some cases, using the —exclude option to remove an address that will be angry if port scanned:

nmap —exclude

Or to do a few hosts within that range:


Of you can even use the following to read in a list of addresses and subnets where each is on its own line:

nmap -iL ~/nmaplist.txt

By default, mmap is scanning all ports. However, if you know what you’re looking for, scans can be processed much faster if you constrain it to a port or range of ports. Use the -p option to identify a port and then T: for only TCP or U: for only UDP, or neither to do both. Additionally, you can scan a range of ports or separate ports using the same syntax used for identifying multiple hosts. For example, here we’ll scan 53, 80, 110, 443 and 143:

nmap -p 53,80,110,143,443

DO OS detection using the -A option:

nmap -A

For true remote OS detection, use -O with —osscan-guess:

mmap -v -O —osscan-guess

We can also output to a text file, using the -o option (or of course > filename but -o is more elegant here unless you’re parsing elsewhere in the line):

mmap -v -o ~/Desktop/nmapresults.txt -O —osscan-guess

Next, we’ll look at trying to bypass pesky annoyances like stageful packet inspection on firewalls. First, check whether there is actually a firewall using -s:

nmap -sA

Scan even if the host is protected by a firewall:

nmap -PN

Just check to see if some devices are up even if behind a firewall:

nmap -sP

Run a scan using Syn and ACK scans, run mmap along with the either -PS or -PA options (shown respectively):

nmap -PS 443
nmap -PA 443

Try to determine why ports are in a specific state:

nmap —reason

Show all sent/recvd packets:

nmap —packet-trace

Try to read the header of remote ports to determine a version number of the software:

nmap -sV

Security Scanning
Next, we can look at actually using nmap to test the attacking waters a little bit. First, we’ll try and spoof another MAC address, using the —spoof-mac options. We’ll use the 0 position after that option to indicate that we’re randomly generating a Mac, although we could use a real MAC in place of the 0:

nmap -v -sT —spoof-mac 0

Next, let’s try to add a decoy, which allows us to spoof some IPs and use that as decoys so our target doesn’t suspect our IP as one that’s actually scanning them (note that our IP we’re testing from is

nmap -n -,,,

Then, send some crazy packets (not an official term like magic packets, just my own term for throwing a curve ball at things and testing for the viability of syn-flood or Xmas packet attacking):

nmap -sX

Configure a custom mtu:

nmap —mtu 64

Fragment your packets:

nmap -f

Note: None of Apple’s servers were damaged in the writing of this article. I did a find/replace at the end, when I realized I didn’t want all of you hitting

January 24th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Microsoft Exchange Server, Network Infrastructure, Ubuntu, Unix, VMware

Tags: , , , , , , , ,

Here’s a good overview of Rancid from the recent UUASC meeting.

November 11th, 2008

Posted In: Unix

Tags: ,

The Southern California Linux Expo Call For Papers is open for SCALE 2009:

October 5th, 2008

Posted In: public speaking, Unix

Tags: , ,

I recently read an article that Solaris is a dead OS (or will be rather shortly).  I beg to differ, proveded the hardware support is there.  Solaris can still multithread better than anyone.  Solaris’ ZFS is still the most superior file system available (although before the ReiserFS founder got put in prison for wasting his wife it looked poised for greatness) and the Sun hardware is still best of breed.  Sun as a company is also going to be building tighter integration into MySQL, which should help boost numbers.  

But the pony-tail-laden chief of Sun definitely has his work cut out for him.  There are certain acquisitions that have not been smooth (cough – tape libraries) and still need to get finished up.  There’s also the need to find a really good synergy between MySQL and Sun, where the Open Source community can continue to love and leverage MySQL without being forced into Sun products, but still provide a value-add from using Sun products.  Hard thing to do.  There’s also Java and all the services surrounding it and of course OpenSolaris, which is picking up new converts all the time – but which still lacks the trend setting aspects of Fedora and Ubuntu.  

To me it seems that what Sun really needs is an identity.  It really seems that there’s a lack of a cohesive vision that encompasses all of the products they have.  Take NetApp as an example.  They’re a storage vendor.  Same with EMC – although EMC has purchased a lot of other companies, those purchases are geared towards driving storage sales.  Sun just seems to be blowing around in the winds of a certain economy and IT market, both should be rectified if they are to retain their position in the IT community.

In short, Sun needs to circle the wagons, perhaps divest assets that do not work with the core and reinvest heavily into the core with the increased cash position that would provide.  Sun has some of the most talented engineers in the world.  They need to retain them and allow them to innovate – in much the same way that Google has allowed their engineers to innovate.  Sun also needs to rebuild their sales channel from the ground up, getting away from the monolithic sales strategy and zeroing in on what helps their core – hard to do without really telling the world what your core is.  I wish them all the luck, ’cause I love their products (a love that goes back to my Sparc20 days).  I don’t think it’s too late, but they need to do something soon or they will end up not surviving.

September 25th, 2008

Posted In: Unix

Tags: , , , , ,

No, this isn’t the new version of my wife (although there is a new version out and it’s awesome;).  Instead, LISA’08 is the 22nd year of the Large Installation System Administration conference in San Diego California.  LISA runs from November 9 to November 14th of 2008 and looks to be a conference those who do mass deployment might not want to miss.  The biggee this year is virtualization: ESX, ESX 3i, Xen, etc.  But there are alos talks on security, forensics, the Linux Kernel, Performance tools for Solaris and Linux, Perl mods, network performance tuning, wireshark, diskless Linux, SELinux, mass deployment of database servers, disk-to-disk backups for Unix, cfengine, directory services, incident response and documentation.  Way more stuff too, but what is oddly missing is even a cursory mention of Mac OS X.  I suppose the mass deployments that we’re all working on in the Mac world just don’t matter.  We did talk about doing something down there, but it doesn’t seem as though the LISA coordinators think there’s much interest in the Mac.  Hmmmm… Either way, if you’re a Mac guy, you’re sure to pick up lots of great *nix and network skillz there, so you might as well head down if you can.

September 17th, 2008

Posted In: Mass Deployment, Unix

Tags: , , , , ,

Next Page »