Valsacar

Posts posted by Valsacar

  1. Ah, well I was thinking of a relatively mature organization where all actions are logged in some sort of tracking system (trouble tickets, or the like) where it would be fairly easy to know if it's legit or not. So in the example of psexec, a quick search of the ticket/work log system would tell me that a sysad is working on those systems and therefore it is pretty safe to assume that it's not an attacker. Of course, if it's not in the logs it would require further investigation, but that's kind of the point of this exercise, identify specific log entries that definitely warrant looking into vs those that are pretty benign. For example, if I were to audit logon events (which is a good thing to log, if something comes up later) I wouldn't want to investigate each one, as that would be a huge waste of time and resources. Something like psexec, or 552, would be relatively easy to deconflict if you had a good, centralized, tracking system of all admin type work.

  2. So, I was reading Mubix's blog a little while back and he wrote about how PSEXEC shows up in the events log. It got me thinking, why can't I find a list anywhere of things like that which should be red flags in event, and other, logs?

    Anyone care to help build such a list?

    I'm starting off with what Mubix mentioned (though, I'm sure it will get changed later) and another obvious one.

    Windows Server 2003 Event ID 552 - when someone uses something such as RUNAS, it could be a sysad doing their job or an attacker doing something else, but worth looking into.

    What other things can we all think of? Assuming a network that has a centralized log management server, so all server (say Windows 2003/2008 and maybe some Linux or Solaris ones) logs can be easily alerted off of, as well as firewall events. Anything that's an obvious red flag (like PSEXEC) or warrants further research.
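A worked illustration of the deconfliction idea from posts 1 and 2, added here and not part of the thread: it flags Event ID 552 and PSEXEC entries in a constructed central-log export and checks each one against a constructed work-log export. The key=value export layout, the ticket format and the hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage the red-flag events named in the
# posts above (Event ID 552 / runas, anything mentioning PSEXEC) against a
# central work log, as post 1 suggests. The sample export below is constructed;
# its key=value layout and the ticket format are assumptions.

LOG=$(mktemp); TICKETS=$(mktemp)
cat > "$LOG" <<'EOF'
2012-03-17T09:01 host=FS01 user=bob event_id=552 msg="Logon attempt using explicit credentials"
2012-03-17T09:02 host=FS01 user=bob event_id=528 msg="Successful logon"
2012-03-17T09:05 host=DC02 user=svc_backup event_id=7045 msg="Service installed: PSEXEC"
2012-03-17T21:30 host=WEB03 user=alice event_id=552 msg="Logon attempt using explicit credentials"
EOF
cat > "$TICKETS" <<'EOF'
TICKET-101 host=FS01 user=bob start=2012-03-17T08:00 end=2012-03-17T12:00
TICKET-102 host=DC02 user=svc_backup start=2012-03-17T09:00 end=2012-03-17T10:00
EOF

# triage LOG TICKETS: one line per red-flag event, either
# "DECONFLICTED <ticket>" when a ticket covers that host, user and time window,
# or "INVESTIGATE" when nothing in the work log explains it.
triage() {
    awk -v tickets="$2" '
    function kv(line, key) {                 # value of key=... in a line
        if (match(line, key "=[^ ]+"))
            return substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    BEGIN { while ((getline t < tickets) > 0) T[++n] = t }
    /event_id=552( |$)/ || toupper($0) ~ /PSEXEC/ {
        when = $1; host = kv($0, "host"); user = kv($0, "user")
        verdict = "INVESTIGATE"
        for (i = 1; i <= n; i++)
            if (kv(T[i], "host") == host && kv(T[i], "user") == user &&
                when >= kv(T[i], "start") && when <= kv(T[i], "end")) {
                split(T[i], f, " "); verdict = "DECONFLICTED " f[1]
            }
        # ISO timestamps of equal length compare correctly as strings
        print verdict, when, host, user, "event_id=" kv($0, "event_id")
    }' "$1"
}

triage "$LOG" "$TICKETS"
```

The ordinary logon (event 528) is never printed; only the two ticketed red flags come back deconflicted, and the off-hours runas on WEB03 is left for a human.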

  3. I have 2 questions on the segment

    a) how do I set up the swap file?

    b) can I make a copy of the boot USB disc to another USB disc using say dd?

    a) make a blank file of the right size

    dd if=/dev/zero bs=1024 count=4094304 of=/swapfile

    That should make you a blank file of about 4GB, bs*count=endsize (I did the math in my head, might be off)

    mkswap /swapfile

    That tells the system it's a swapfile

    swapon /swapfile

    That says to start using it

    edit /etc/fstab to add: /swapfile swap swap defaults 0 0

    That just mounts it as swap when you reboot.

    You probably also want to make it read/write by root only, instead of whatever your defaults are.

    b) Yes, a straight dd should work fine... just don't mix them up like I did when doing an update. I also put a copy of the original key on my HD (inside the encrypted part) in case I forget to check after an update; some updates can edit /boot, which might change the bits on the USB drive (and therefore wipe out the key). So anytime I do an update I check to see if the key has changed; if it did, I update the key before doing a backup of the USB drive.

  4. Valsacar, I am trying to encrypt an Ubuntu installation as well. You said after you did the chroot, you installed cryptsetup and updated busybox. I guess cryptsetup is in the apt-get repositories. But how do I update busybox?

    Just do apt-get update then apt-get upgrade, it will redo everything.

    One thing to watch out for: I've noticed on both my BT and Ubuntu that apt-get will start saying I don't need cryptsetup and put it on the autoremove list.

  5. <HTML><Head><Title>NYAN CAT!!! </Title></Head> <Body>
    <img src="NYAN.gif" width="500" height="350"><br />
       <audio controls="controls" autoplay="true" loop="loop">
         <source src="/NYAN.mp3" type="audio/mp3" />
       </audio>
    </Body></HTML>
    

    Adding the loop="loop" will cause it to keep looping instead of playing just once. One thing I don't like is seeing the audio controls, but I haven't found a way to remove them. Also, have you tested this on Firefox? From what I've read, Firefox does not support mp3 in html5. Adding an ogg to the source list SHOULD let it work on all, but so far I have not gotten that to work (Ubuntu).

    For fun, I made up a little script to randomly change all of the different rick rolls that have been posted (pbj, nyan, and rick).

    First move all of your stuff to USB, I made a folder called webfun. /usb/webfun/rick, pbj, and nyan

    Add a symlink to each folder from /www (ie /www/rick, /www/pbj, etc).

    Then create the following script (I put it in /root and called it random.sh)

    #!/bin/bash
    
    read RAND
    RAND=$(($RAND % 3))
    
    touch /www/index.html
    rm /www/index.html
    
    case $RAND in
      0) ln -s /usb/webfun/pbj/index.html /www/index.html ;;
      1) ln -s /usb/webfun/nyan/index.html /www/index.html ;;
      2) ln -s /usb/webfun/rick/index.html /www/index.html ;;
    esac
    

    Be sure to chmod +x random.sh

    The reason for the touch is that I had an issue where somehow the index file was gone and the thing just liked to complain about it, so touch first to make sure it's there to delete.

    Then in your Jobs tab, add this line to your crontab:

    */5 * * * * dd if=/dev/urandom bs=1 count=1 | hexdump -e '5/1 "%1d"' | /root/random.sh
    

    End result is that every 5 minutes it changes (randomly) which of the three ones shows up... just for a little added amusement.

    The part in crontab is what makes the random number, I couldn't find any other way to do random as the normal bash random feature isn't present... basically what it does is take one byte from urandom then turns it into a decimal number (0-255), the first few lines of random.sh use mod to bring that down to 0-2 (3 possibilities).

  6. I purchased this and am very happy I did. Being able to power it via USB is ideal.

    http://www.amazon.com/StarTech-com-USB2TYPEM-Barrel-Power-Cable/dp/B003MQO96U/ref=sr_1_2?ie=UTF8&qid=1331971048&sr=8-2

    I found something like that, but it's even better. The cable splits between the Type M connector (the power) and a female USB, so I don't lose the port. I can't put anything powered on it (pineapple can't draw enough if I do) but I can still use it for something like a USB key. Since my laptop only has 2 USB ports, it's really useful.

  7. I haven't tried mac changing yet, but there's stuff going on with our interfaces that I suspect is causing a number of our current issues. Stuff I've noticed combing the posts since the mark4 came out (and even some mark3):

    Something prevents changing macs

    Something prevents changing frequency (channels)

    Something prevents reaver from ever working (even taking down wlan0 and mon.wlan0)

    What does mon.wlan0 do?

    We need a Seb in here ;)

    telot

    From what I understand from reading and playing with things, it's the uci that's causing a lot of the problems. /etc/config/wireless tells it how many things should be, and if there is a conflict it either stops working (as has happened when you change MAC) or it reverts back to what it thinks it should be. Changing that config file and doing a uci commit wireless;wifi will solve most... well I think I forgot to mention that before, when you do the change to /etc/config/wireless you do have to do uci commit wireless before it takes effect (but I'm 95% sure reboot would also work).

  8. Did you try doing just changemac.sh manually to see if the mac change is going through? or try manually running the line from your boot script: dd if=/dev/urandom bs=1 count=1 | hexdump -e '5/1 "%1d"' | /root/changemac.sh

    make sure that is in there right and doing as expected (waiting up to 15 seconds, then doing the mac change).

  9. I already posted a question but it seemed to be for a specific device so I decided to collect what I think are a bunch of 'variables' that should help me to tether internet to the pineapple from my phone. Here we go :):

    1) Is it possible to change the default SSID from pineapple to something else upon start up?

    2) [!] Is it normal for the Karma log to list clients that have disconnected too? <Maybe it is not updating?>

    3) Is it possible to bring the USB0 interface up / configure it manually using ifconfig usb0 172.16.42.1? i.e. changing the default gateway IP from the PoE/LAN interface to the USB? If so, how is this achieved?

    4) Furthermore, considering I plan to use my phone as an internet provider, will the gateway be the pineapple, since it's providing the DHCP, or the phone, since it's providing internet?

    Having said that, is sharing the SDCard on the phone to the pineapple possible?

    Sorry for all the questions but I have big plans for this if all of the above is possible.

    Regards,

    Andrei

    1. Yes, edit the appropriate line in /etc/config/wireless (the one that sets essid to pineapple)

    2. The log is just that, a log, it shows what has happened not what is currently happening.

    3. Not sure, I use a laptop... look at the wp4.sh script, should be able to use that as a starting point

    4. Gateway is the door to the internet, so it would be your phone.

    No clue on sharing the SDCard on the phone... but my guess is no.

  10. glad to hear it is working:-)

    however I am on 3.2 kernel not 2.6.39 and that might explain why I can't get it to work,

    tried so many things already, I will have to give it another shot when the next update comes out

    Thank you

    Even with the change to /etc/config/wireless and running wifi after bringing wlan0 back up it still doesn't work?

  11. cool thanks for sharing.

    when I placed macchanger -m 01:23:45:67:89:ab in the same spot it seemed to work but karma was messed up.

    can you confirm that karma works after your setup?

    thank you so much:-)

    You are right, somehow I missed that but I found the fix (I'll edit my original post to reflect).

    edit /etc/config/wireless

    comment out (or remove) the line that says "option macaddr"

    Add a line that says "option phy phy0"

    Then after you do "ifconfig wlan0 up" add a line that says "wifi"

    The problem was, it was looking for a radio device with a specific mac, so we'll change that to look for a specific phy device. Since we only have one it's not a problem.

    The command wifi basically reruns the config so it will grab the new mac address and be back up and running.

  12. Great:-)

    I found what works for macchanger in the execute on boot script under jobs tab

    wifi 
    hostapd_cli -p /var/run/hostapd-phy0 karma_enable #Don't touch this
    ifconfig wlan0 down
    macchanger -r wlan0
    ifconfig wlan0 up
    exit 0
    

    for whatever reason it needs to be after "hostapd_cli -p /var/run/hostapd-phy0 karma_enable #Don't touch this"

    and before "exit 0"

    I found a solution, but it can increase boot time quite a bit (anywhere between 0 and 15 seconds in my setup, but you can change that). Unfortunately random isn't available, so this was the only solution I could come up with.

    Create a new script, I called mine changemac.sh

    #!/bin/bash
    
    read RAND
    RAND=$(($RAND % 15))
    ifconfig wlan0 down
    sleep $RAND
    macchanger -r wlan0
    ifconfig wlan0 up
    wifi
    

    The % 15 is your max, so you can change that to whatever you want (ie % 10 for 0-10)

    chmod +x changemac.sh

    I put mine in /root (home directory).

    edit /etc/config/wireless

    comment out (or remove) the line that says "option macaddr"

    Add a line that says "option phy phy0"

    Then in your boot script make it this:

    wifi 
    hostapd_cli -p /var/run/hostapd-phy0 karma_enable #Don't touch this
    dd if=/dev/urandom bs=1 count=1 | hexdump -e '5/1 "%1d"' | /root/changemac.sh
    exit 0
    

    That's it, it'll use /dev/urandom to get some random bits, change it into a number between 0-255, then drop that down to 0-15 and sleep for that long.

    It's not clean, but it works... if anyone can clean it up or find a better way let me know.
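One POSIX-sh script serving both the random.sh in post 5 and the changemac.sh in post 12, added here rather than taken from the thread: it replaces the hexdump-piped-into-read trick with a bias-free draw from /dev/urandom (via od, assumed to be available alongside hexdump), swaps the index.html link atomically, and keeps the random delay before macchanger. The script name /root/webfun.sh is an assumption; the folder layout, wlan0 and the 15-second maximum are the posts' own.

```shell
#!/bin/sh
# Added example, not from the thread: a POSIX-sh rewrite of the helpers that
# random.sh (post 5) and changemac.sh (post 12) above share. BusyBox ash has no
# $RANDOM, so one byte of /dev/urandom is read with od (assumed present; the
# posts use hexdump instead). Paths and interface names are the posts' own.

# urandom_mod N: uniform integer in 0..N-1 for N <= 256. A bare "byte % N" is
# biased toward low values unless N divides 256, so bytes at or above the
# largest multiple of N that fits in 256 are thrown away and a fresh byte drawn.
urandom_mod() {
    limit=$((256 - 256 % $1))
    while :; do
        byte=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
        [ "$byte" -lt "$limit" ] && break
    done
    echo $((byte % $1))
}

# pick_site [WEBROOT] [TARGET]: point TARGET at a random site's index.html.
# Linking to a temp name and mv-ing it over the old link swaps atomically, so
# the touch/rm dance from the thread goes away and index.html is never missing.
pick_site() {
    webroot=${1:-/usb/webfun}; target=${2:-/www/index.html}
    set -- pbj nyan rick
    i=$((1 + $(urandom_mod $#)))
    eval "site=\$$i"                       # i-th positional parameter
    ln -sf "$webroot/$site/index.html" "$target.tmp"
    mv -f "$target.tmp" "$target"
    echo "$site"
}

# change_mac [MAX]: sleep 0..MAX seconds (15 in the post), randomise wlan0's
# MAC and re-run wifi so the hostapd/karma config picks up the new address.
change_mac() {
    ifconfig wlan0 down
    sleep "$(urandom_mod $(( ${1:-15} + 1 )))"
    macchanger -r wlan0
    ifconfig wlan0 up
    wifi
}

# Nothing touches the system unless asked, so the file can be sourced or tested:
#   */5 * * * * /root/webfun.sh site     (cron, replaces the hexdump pipeline)
#   /root/webfun.sh mac                  (boot script, in place of changemac.sh)
case "${1:-}" in
    site) pick_site ;;
    mac)  change_mac ;;
esac
```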

  13. I've searched for a while, but I can't figure out what I'm doing wrong... everything runs as it appears it should, and some stuff does show up on hamster (all from the same IP, but that is to be expected) but no cookies, and clicking on things normally gives nothing (unless it was an image, those appear...). I've tried with a few sites, like gmail/facebook/etc and got nothing on all of them.

    Could someone walk me through how to do this, since I'm obviously failing at it... or does it just not work with this setup? Is there another/better way to do sidejacking with the MKIV?

  14. Well, I'm at a loss on the duplicate keys. I have 2 working keys for Ubuntu, but only one (the original) is functioning for BT5... not sure what I screwed up. I did just notice that the one that doesn't work gives me an error message about failed to unlink... something temp crypt (don't have it in front of me at the second) where the working one does not, but I still get the key open part. Anyone have an idea?

    EDIT: Looks like I figured it out, that drive had some bad blocks so I just had to wipe it and start over.
