Author Archive
Google's Quote of the day
by Brian on Aug.24, 2006, under Amusement
Be who you are and say what you feel, because those who mind don’t matter and those who matter don’t mind.
– Dr. Seuss
Google's quote of the day..
by Brian on Aug.01, 2006, under Amusement
To read a newspaper is to refrain from reading something worthwhile. The first discipline of education must therefore be to refuse resolutely to feed the mind with canned chatter.
– Aleister Crowley
Repairing WMI on Windows XP/2003
by Brian on Jun.14, 2006, under Windows Info
If WMI is broken, how can it be fixed? The only Microsoft-endorsed way to repair WMI is to reinstall Windows. But for most of us, that isn’t a practical approach. Another method is to force WMI to repair itself. Of all the WMI repair techniques I’ve seen, this five-step approach seems to work the best. (However, it may not work on all systems.)
1. At the command line, type net stop winmgmt. You may get a warning that other services need to be stopped as well; type Y and continue.
2. Open Explorer and go to %SystemRoot%\System32\WBEM\Repository.
3. Delete that folder and everything in it.
4. Reboot the system normally.
5. On the next login, open a command prompt and type the following commands in this order:
winmgmt /clearadap
winmgmt /kill
winmgmt /unregserver
winmgmt /regserver
winmgmt /resyncperf
This procedure will force the WINMGMT service to re-register itself as well, although, if WMI is damaged, re-registering can be a problem. If this approach does not work, an in-place upgrade (i.e., a reinstall) might be required.
Info you may need on a hot day…
by Brian on May.30, 2006, under General Info
Recently, Cryptednets.org lost the AC in the server room. I assumed the evaporator coil was filthy, and had frozen. I began to disassemble the plenum of the furnace, to remove the A-coil assembly for cleaning, and saw that it was spotless.
(We must do a pretty good job of replacing the filters ;) ) This realisation, however, did not make it any cooler in here.
Anyway, long story short, here’s what happened. The coil *had* frozen, after a 95-degree day, and the high-pressure limiter switch on the compressor had tripped. I went outside to the condenser unit, took off the access panel, and pushed the reset button on the compressor inside the unit. (after turning off the breaker, of course.)** Replaced cover, closed up the furnace, reset the breaker, and voila! Arctic-ness.
All without the $250 service call.
**IMPORTANT NOTE: 240V AC at ~60 amps can kill you rather quickly. Consider yourself warned.
Lock down your Mac (even during a re-boot)
by Brian on Apr.27, 2006, under Mac OSX
Procedure for Enabling Open Firmware Password Protection
(written by CodeSamurai at SecureMac.com)
Enabling Open Firmware Password Protection
1) Boot into the Open Firmware. (Command + Option + O + F)
2) At the command prompt, type “password” (without the quotes, of course). You will be prompted to enter the password you wish to use. Type your password, press the return key, retype your password, and press return to verify that the first password you typed is indeed the password you want. (Note: the password is stored in the “security-password” variable, but the contents of this variable are never shown via the “printenv” command.)
3) Type “setenv security-mode full” OR “setenv security-mode command” OR “setenv security-mode none”, depending on which level of security you wish.
4) Then type “reset-all” to restart the computer.
Disabling Password Protection
1) Boot into the Open Firmware. (Command + Option + O + F)
2) Type “setenv security-mode none” and press return.
3) Enter in the password at the password request prompt and press return.
4) Then type “reset-all” to restart the computer.
Force Removing Password Protection
1) Add or remove DIMMs to change the total amount of RAM in the computer.
2) Then, the PRAM must be reset 3 times. (Command + Option + P + R).
Funny Microsoft whois results…
by Brian on Apr.27, 2006, under Amusement
Maybe they could use some DNS help… Sorry, guys, I noticed that the whois of apple.com is *much* cleaner, as is openbsd.org, redhat.com, etc… (obscenities, obvious ads and commercial entity references conveniently censored for your viewing pleasure.)
$ whois microsoft.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
MICROSOFT.COM.ZZZ.IS.0WNED.AND.HAX0RED.BY.*****.NET
MICROSOFT.COM.WILL.LIVE.FOREVER.BECOUSE.UNIXSUCKS.COM
MICROSOFT.COM.WILL.BE.SLAPPED.IN.THE.FACE.BY.MY.BLUE.VEINED.SPANNER.NET
MICROSOFT.COM.WILL.BE.BEATEN.WITH.MY.SPANNER.NET
MICROSOFT.COM.WAREZ.AT.TOPLIST.*****.COM
MICROSOFT.COM.SMELLS.*****.COM
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
MICROSOFT.COM.RAWKZ.MUH.WERLD.*****.CA
MICROSOFT.COM.OHMYGODITBURNS.COM
MICROSOFT.COM.LIVES.AT.****.COM
MICROSOFT.COM.IS.POWERED.BY.*******.COM
MICROSOFT.COM.IS.NOT.*****.ORG
MICROSOFT.COM.IS.NOT.HOSTED.BY.**********.NET
MICROSOFT.COM.IS.NOT.AS.COOL.AS.*******.COM
MICROSOFT.COM.IS.IN.BED.WITH.***.COM
MICROSOFT.COM.IS.GOD.BECOUSE.UNIXSUCKS.COM
MICROSOFT.COM.IS.A.STEAMING.HEAP.OF.F**KING-BULLS**T.NET
MICROSOFT.COM.IS.A.MESS.****.CO.UK
MICROSOFT.COM.HAS.ITS.OWN.CRACKLAB.COM
MICROSOFT.COM.HAS.A.PRESENT.COMING.FROM.****.COM
MICROSOFT.COM.FILLS.ME.WITH.BELLIGERENCE.NET
MICROSOFT.COM.CAN.GO.F**K.ITSELF.AT.*****.COM
MICROSOFT.COM.ARE.GODD**N.PIGF**KERS.NET.NS-NOT-IN-SERVICE.COM
MICROSOFT.COM.AND.MINDSUCK.BOTH.SUCK.HUGE.ONES.AT.****.NET
MICROSOFT.COM
To single out one record, look it up with “xxx”, where xxx is one of the
of the records displayed above. If the records are the same, look them up
with “=xxx” to receive a full display for each record.
>>> Last update of whois database: Thu, 27 Apr 2006 16:28:32 EDT <<<
Need to s34rch for h4x0ring info?
by Brian on Apr.07, 2006, under General Info
Are you L337? Need to find the latest 0-day 3xpl0it?
Try google L337.
http://www.google.com/intl/xx-hacker/
Asterisk@Home 2.5 is an *Excellent* release
by Brian on Feb.08, 2006, under Linux
While I downloaded Asterisk@Home-2.5, I assembled the machine that was to run it. It’s an old Compaq Deskpro PIII 450, with 256MB of PC100 RAM and a 6GB drive. A modest workstation at best. We’ll see how it goes…
Installing the operating system (CentOS 4) took around an hour, and went very smoothly.
Installing Asterisk took *considerably* longer, as everything is auto-configured and built from source.
However, in spite of seeing some errors fly by, and prompts to change passwords fly by, everything seemed to build, install, and succeed. For such a long build and install process, it’s impressive that it worked without any real help.
It automatically found and configured my cheap WildCard X100P clone, and prompted me to change my passwords. Upon reboot, everything seemed to work fine until I used “yum” to update CentOS. Upon rebooting after the yum updates, it kernel panicked and froze. Fun. *dammit*
Upon closer inspection, yum updated udev and obliterated the zaptel modules.
So, I cd’d to /usr/src/zaptel, and re-built and re-installed like so:
# cd /usr/src/zaptel
# make && make install && make install-udev
# shutdown -r now
When the system came back, everything was fixed and functional.
The web interfaces are intuitive (although I would like to see a single admin login for all web interfaces), and the CDR reporting features are great. There is a mailbox-like web interface from which your users can check and listen to their voicemail, an awesome graphical interface to the trunks, as well as direct access to editing the config files by hand.
The following phones registered on the first try:
- Sipura SPA-841 with a Linksys wireless G bridge
- snom 190
- xten-lite for MacOS X
- Grandstream Budgetone
You really should be downloading this already…
OpenBSD pf and Voice over IP
by Brian on Feb.08, 2006, under OpenBSD
Background
In a typical home network, a NAT device hides a number of internal devices behind a single globally addressable IP address within the network provider’s IP space. While VOIP is readily available to end consumers via the SIP protocol, SIP isn’t directly usable behind a NAT device.
Most VOIP providers utilize what is called a “media proxy”, a set of servers that exist to assist with this issue by redirecting media streams from consumers to the VOIP provider’s SIP servers. This workaround introduces two problems: The media proxies need to have ample bandwidth and low latency, but also end up disallowing more than one SIP device per customer IP address.
To allow for a home network based multi-line multi-device SIP setup, media proxy use is not possible. Instead, the home network NAT device should be configured to redirect SIP control and media streams to the appropriate IP phones within the home network. Packet filter from OpenBSD can fulfill that role. You could also run a local PBX or SIP router, but that solution adds moving parts and is beyond the scope of this note.
Phone configuration
This configuration has been tested with the Cisco 7960 phone.
Do not use NAT proxy or outbound_proxy. Define each call appearance with its distinct SIP proxy information, and the same control port of 5060/udp can be used for all. The STUN phone feature should be enabled, although some commercial SIP proxies can function without it.
pf Configuration
pf(4) uses /etc/pf.conf as its configuration file. Here is a basic subset of a ruleset that also uses ALTQ to guarantee bandwidth to the voice uplink, since upload bandwidth is usually restricted.
While packet queueing is not always necessary, the occasional voice-quality degradation that occurs when link bandwidth is unavailable is undesirable. It is a very useful capability to have at your disposal and allows for reliable voice quality superior to the PSTN.
# Return error codes for ports that are blocked. Allows faster error recovery
set block-policy return
# udp session timeout should be equal to or larger than your smallest SIP registration
# timer timeout. For a typical SIP timeout of 300 seconds, this should suffice.
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
# definitions
int_if = "fxp0"
ext_if = "fxp1"
int_net = "192.168.1.0/24"
ipphone1 = "192.168.1.18"
ipphone2 = "192.168.1.19"
# enable CBQ queueing on the external interface. Define 3 queues
altq on $ext_if cbq bandwidth 1000Kb queue { q_voice, q_pri, q_std }
queue q_voice bandwidth 192Kb priority 7 cbq(borrow)
queue q_pri bandwidth 50% priority 6 cbq(borrow)
queue q_std bandwidth 80% priority 1 cbq(default borrow)
# One translation line per IP phone. static-port is necessary to make pf retain the UDP
# ephemeral port, so that the remote SIP proxy knows what session we belong to
nat on $ext_if proto udp from $ipphone1 to any -> ($ext_if) static-port
nat on $ext_if proto udp from $ipphone2 to any -> ($ext_if) static-port
# Generic NAT rule for all internal network devices
nat on $ext_if from $int_net to any -> ($ext_if)
# Allow external SIP control traffic
pass in quick on $ext_if proto udp from any to any port 5060 keep state
# Allow media traffic, place in voice queue (guaranteed b/w)
# This assumes standard media stream configuration with a Cisco IP phone. Modify as
# necessary.
pass out quick on $ext_if proto udp from $ext_if to any port 16384:32768 \
	tos 0xb8 queue q_voice keep state
# Outgoing traffic creates state entries
pass out quick on $ext_if proto { tcp, udp, icmp } all keep state
block in log all
Troubleshooting and verification
To verify that the implementation works as expected, a media stream should be set up from the internal network, NATted and forwarded to the external SIP gateway. Source and destination ports for control traffic (destination port 5060) and media traffic (varies) should remain unchanged by the gateway. Now your phones should work.
To verify correct packet prioritization, saturate the uplink with a large upload and attempt to use the IP phone at the same time. The IP phone traffic should get mapped to the high priority queue and voice quality should be good at the remote end. Because of ample download bandwidth, queueing is usually not needed and regular packet forwarding is sufficient.
- Check status of queues: pfctl -s queue -v
- Flush state table: pfctl -F state (queue tagging persists with state entries)
- Check firewall rule hit count: pfctl -s rules -v
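The port-preservation check described in the verification section, as an added example that is not part of the original post: it reads `pfctl -s state` output and flags any phone state whose UDP source port was rewritten, which is exactly what the `static-port` NAT rules are there to prevent. It assumes pfctl's three-address display for translated states ("src -> gateway -> dst"), IPv4 addresses only, and the phone addresses from the ruleset above; the sample state lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: verify from `pfctl -s state` that the
# phones' UDP source ports survive NAT unchanged, as the static-port rules intend.
# Assumes pfctl's three-address display for translated states
# ("src -> gateway -> dst"), IPv4 only, and the phone addresses from the ruleset.

# check_static_port PHONE_IP...  (reads pfctl -s state output on stdin)
# Prints each UDP state of a listed phone whose source port was rewritten on the
# external side and returns 1 if any were found, 0 otherwise.
check_static_port() {
    awk -v phones="$*" '
        BEGIN { n = split(phones, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # translated states: <if> <proto> <src> -> <gateway> -> <dst> <state>
        $2 == "udp" && NF >= 7 && $4 == "->" && $6 == "->" {
            split($3, src, ":"); split($5, gw, ":")
            if (!(src[1] in want)) next          # not one of the phones
            if (src[2] != gw[2]) { print "port rewritten: " $0; bad++ }
        }
        END { exit (bad > 0) }'
}

# Constructed sample in the assumed format: phone .18 keeps its ports, phone .19 has
# its control port rewritten (no static-port rule matched it), .50 is an ordinary PC.
SAMPLE_STATES='fxp1 udp 192.168.1.18:5060 -> 203.0.113.5:5060 -> 198.51.100.10:5060 MULTIPLE:MULTIPLE
fxp1 udp 192.168.1.18:16384 -> 203.0.113.5:16384 -> 198.51.100.20:10000 MULTIPLE:MULTIPLE
fxp1 udp 192.168.1.19:5060 -> 203.0.113.5:61432 -> 198.51.100.10:5060 MULTIPLE:MULTIPLE
fxp1 udp 192.168.1.50:5060 -> 203.0.113.5:50123 -> 198.51.100.10:5060 MULTIPLE:MULTIPLE
fxp1 tcp 192.168.1.50:40000 -> 203.0.113.5:50124 -> 198.51.100.30:80 ESTABLISHED:ESTABLISHED'

# On the gateway you would run:  pfctl -s state | check_static_port 192.168.1.18 192.168.1.19
if printf '%s\n' "$SAMPLE_STATES" | check_static_port 192.168.1.18 192.168.1.19; then
    echo "all phone ports preserved"
else
    echo "some phone is being port-rewritten: check the nat ... static-port rules"
fi
```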
OpenSSL certificate conversion PKCS#12 PEM
by Brian on Feb.04, 2006, under OpenBSD
Convert a certificate from PEM format (.pem) to PKCS12 format (.p12)
To use a certificate for authentication or for encryption/decryption, you have to import it into your program’s certificate manager. The program could be a web browser, email client, or even something like a hard-coded encryption/decryption routine run from a script. Different programs, browsers, and mail clients require this certificate in differing formats. At some point, you will need to convert a certificate, unless you *love* spending all of your extra cash on commercial certificates.
Here’s the openssl command to convert your certificate from a PEM format to a PKCS12 format:
$ openssl pkcs12 -export \
-out file_name.p12 \
-name "My certificate" \
-inkey ~/.ssl/userkey.pem \
-in ~/.ssl/usercert.pem
## Options Explanation ##
-out : The filename of your new certificate file in PKCS12 format.
-name : An arbitrary text name to differentiate this certificate from others.
-inkey : The path and the name of the file containing your private key
-in : The path and the name of the file containing your certificate.
Convert a certificate from PKCS12 format (.p12) to PEM format (.pem)
- To export just your private key to ~/.ssl/userkey.pem…
$ openssl pkcs12 -nocerts -in cert.p12 -out ~/.ssl/userkey.pem
- To export only your certificate to ~/.ssl/usercert.pem…
$ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~/.ssl/usercert.pem
-in cert.p12 : the path and filename of your certificate in PKCS12 format.
Change the passphrase of the private key
$ openssl rsa -in ~/.ssl/userkey.pem -des3 -out ~/.ssl/userkey.new.pem
Where ~/.ssl/userkey.pem is your private key. Without -out, openssl writes the re-encrypted key to standard output and the key file itself is left unchanged; once the new file is verified, move it over the old one.
The openssl command will prompt for:
1. your old password
2. your new password
3. verification of your new password
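The PEM to PKCS#12 and PKCS#12 to PEM conversions above, run end to end as an added example that is not part of the original post: it generates a throwaway self-signed key and certificate in a scratch directory, exports them to a .p12, extracts key and certificate back out, and then checks that the extracted key still belongs to the extracted certificate by comparing RSA moduli. It assumes the openssl command-line tool is installed; the scratch directory and the password "secret" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: round-trip a key and certificate
# PEM -> PKCS#12 -> PEM with the commands above and confirm that the key extracted
# from the .p12 still belongs to the extracted certificate.
# Assumes the openssl command-line tool is installed. It works on a throwaway
# self-signed pair in a scratch directory, never on your ~/.ssl files.

# key_matches_cert KEY.pem CERT.pem: 0 if the RSA moduli agree, 1 otherwise.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# pkcs12_roundtrip DIR PASSWORD: generates the pair, converts both ways, then checks.
pkcs12_roundtrip() {
    dir=$1; pw=$2
    mkdir -p "$dir" || return 1
    # throwaway self-signed key + certificate standing in for ~/.ssl/userkey.pem and usercert.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=roundtrip-test" \
        -keyout "$dir/userkey.pem" -out "$dir/usercert.pem" 2>/dev/null || return 1
    # PEM -> PKCS#12 (the post's command; the export password is given non-interactively)
    openssl pkcs12 -export -out "$dir/user.p12" -name "My certificate" \
        -inkey "$dir/userkey.pem" -in "$dir/usercert.pem" -passout "pass:$pw" || return 1
    # PKCS#12 -> PEM: private key only (-nodes leaves the extracted key unencrypted
    # for the comparison), then certificate only
    openssl pkcs12 -nocerts -nodes -in "$dir/user.p12" -out "$dir/userkey.out.pem" \
        -passin "pass:$pw" 2>/dev/null || return 1
    openssl pkcs12 -clcerts -nokeys -in "$dir/user.p12" -out "$dir/usercert.out.pem" \
        -passin "pass:$pw" 2>/dev/null || return 1
    key_matches_cert "$dir/userkey.out.pem" "$dir/usercert.out.pem"
}

scratch=$(mktemp -d)
if pkcs12_roundtrip "$scratch" "secret"; then
    echo "round trip OK: extracted key matches extracted certificate"
else
    echo "round trip FAILED"
fi
rm -rf "$scratch"
```

The same modulus comparison is the quick check to run on your real ~/.ssl/userkey.pem and usercert.pem whenever an import is refused, since a key that does not match its certificate is the usual cause.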