Choose color scheme

Category Archives: I.T.

  • OpenMPI distributed password cracker: crackzor

    Download

    crackzor_1.1.c.gz

    Previous versions:

    crackzor_1.0.c.gz

    Quick start
    1. Download & extract with “tar zxvf crackzor_1.0.tar.gz”
    2. Make sure you have the right packages in place
      sudo apt-get install build-essential libopenmpi-dev openmpi-bin libssl-dev
    3. Compile with
      mpicc -O3 crackzor.c -o crackzor -lm -lssl -lcrypto
    4. Create a file called “machines” containing a newline separated list of every machine that are in your cluster, for example:
      machine00.domain.com
      machine01.domain.com
      machine02.domain.com
      machine03.domain.com
      machine04.domain.com
    5. Open MPI uses SSH for communication between nodes, as such, you need to make sure that the node you will be launching crakzor from is able to do SSH key based authentication to all the other nodes in the cluster. For my example above, if machine00 is where you will be working from, you will want to
      ssh-copy-id machine0X.domain.com

      where X E [0,4] (yes, machine00 needs to be able to SSH to itself).

    6. You now need to disseminate your executable across all the machines that will be running it:
      for machine in `cat machines`; do scp crackzor $machine:~; done

      Pro-tip: having network storage attached to all the machines makes this step unnecessary.

    7. Run with:
      mpirun -npernode Y -machinefile machines crackzor fbade9e36a3f36d3d676c1b808451dd7 abcdefghijklmnopqrstuvwxzy 1 1

      where Y is the number of cores each machine in your cluster has. If you are running this on machines with 2 CPUs with 8 cores each, Y = 8 * 2 = 16.

    Tested on Ubuntu 10.04 64b / Ubuntu 12.04 64b / Ubuntu 14.04 64b

    Screenshots
    mpirun -npernode 16 -machinefile machines ./crackzor 7ca4793dcdff46ecda38e48d65b6c913 abcdefghijklmnopqrstuvwxzyABCDEFGHIJKLMNOPQRSTUVWXYZ 1 7

    This is what “htop” looks like with a bunch of processes spawned & hammering every core:

    Statistics

    For the purpose of testing crackzor, we give it the md5 hash of an 8 character word and tell it to bruteforce it up to 7 characters. This insures that we will compute every permutation up to 7 character longs. The characters I asked it to permute are “abcdefghijklmnopqrstuvwxzyABCDEFGHIJKLMNOPQRSTUVWXYZ”, our sample space size is thus 52^7 + 52^6 + 52^5 + 52^4 + 52^3 + 52^2 + 52^1 = 1,048,229,971,204.

    Here is the raw data, and here it is graphed:

    I wish it would show the linear progression more but 3 things got in the way:

    1. approaching the machine’s actual number of cores on the Dell blades leave little room for linear expansion
    2. which is emphasized in a multiuser environment where other users run other computation
    3. the EC2 bar flattens the graph a bit but I still wanted to show how it compares

    Ideally I would run through a few iterations of EC2 to observe its progression but hey, it’s expensive :).

    Limitations
    • Right now, the only hashing algorithm supported by crackzor is MD5. It can very easily be expanded upon.
    • I also may not be using the fastest MD5 method with the fastest call, distribution is what I’m interested in.
    • Distributing password cracking among multiple machines is throwing linear resources to an exponential problem!
  • tcpdump full packets to a file

    Because I always end up wasting 20 minutes looking it up.

    tcpdump -i ethX -s 0 -w traffic.pcap
  • Add fault tolerance to cron noise

    Not all cron jobs are created equal, and some of them can afford to fail sporadically before we need to worry about them. Maybe they rely on a third party server, and we don’t want the occasional fail to pollute our inbox.

    Here is a little cron job wrapper I created that will suppress stderr but keeps track of the job’s returned exit codes. Above a certain threshold of consecutive abnormal exits it doesn’t suppress stderr anymore.

    
    # if the counter file doesn't already exist we create/initialize it
    if [ ! -f /tmp/counter_ri7g3 ] ;
    then
        echo 0 > /tmp/counter_ri7g3 ;
    fi ;
    
    # we pull the current counter
    counter=`cat /tmp/counter_ri7g3` ;
    
    # if the counter is still small, we send stderr to /dev/null
    if [ $counter -lt 5 ] ;
    then
        $1 > /dev/null 2>&1 ;
    # otherwise stderr will follow its normal path and find its way to email
    else
        $1 > /dev/null ;
    fi ;
    
    # lastly if running the $1 resulted in an abnormal exit, the counter is incremented
    if [ ! $? = 0 ] ;
    then
        counter=`cat /tmp/counter_ri7g3` ;
        echo "$counter+1" | bc > /tmp/counter_ri7g3 ;
    # and if $1 exited normally, we reset the counter
    else
        echo 0 > /tmp/counter_ri7g3 ;
    fi ;
    
    

    a cron entry calling it looks as such:

    
    30 * * * *      root      /usr/local/bin/cron_wrapper "/path/to/script arg_1 arg_2"
    
    
  • IPv6 link-local surface analyzer

    Download

    ipv6_surface_analyzer_1.0.tar.gz

    Quick Start

      1. make sure that nmap, ifconfig & arping are installed and in your path
      2. run as root

      tested on Ubuntu 11.10 64b

      Screenshot

      (actual ips obfuscated)

      Purpose

      With more devices coming IPv6 ready out of the box, a shadow network is emerging that nobody is paying attention to.

      There’s Joe sysadmin, configuring a tight firewall for this new server, default deny, very restrictive & all. This is great but did he realize that there is nothing in front of IPv6? We are used to setting up iptables, ipfw, et cetera. Unfortunately ip6tables & ip6fw too often get forgotten.

      With IPv4, a device was manually configured or wasn’t configured until it got an address from DHCP. With IPv6 a device that is not manually configured will hop on the network with a link-local address and try to further discover its settings. In fact, IPv6 reserves a range of addresses for network discovery, these link-local addresses are based on the device’s mac address.

      Here is what ipv6_surface_analyzer.py does:

      • iterate through a given IPv4 range
      • for each address in the range, discover if a host sits behind it
      • port scan potentially found host on IPv4
      • infer IPv6 link-local address of host based on its mac address
      • port scan inferred IPv6 address

      The purpose of which is to establish by how much your attack surface is augmented by link-local IPv6.

      This threat threat is somewhat mitigated by its local nature and there are 2 reasons why:

      1. link-local isn’t routed and thus your visibility is bound to networks you have a presence on.
      2. Getting a host’s mac address is only possible while being on the same network.

      Local as it may be, having a shadow network providing a way to circumvent firewalls is quite risky.

    • Mame box

      Here’s another project that’s been on the back burner for a while: my new Mame box:

      This is the 5th arcade cabinet I turn into a Mame box. Gutting them always breaks my heart but having all the games in one cabinet with original artwork is very much worth it. The X-men cabinet is spacious, easy to work with and looks great.

      The buttons and joysticks were bought from X-arcade: www.xgaming.com

      And the control board to make them interface with a PC is an Ipac2: www.ultimarc.com

    • Ultimate Megaman blanket

      961 squares, ~30000 Tunisian stitches, countless hours of work, years on the project list & a move to the other side of the country later: the Ultimate Megaman Blanket is born.

    • MAC address to IPv6 link-local address online converter

      The converter

      It can also be addressed directly via:
      http://ben.akrin.com/ipv6_mac_address_to_link_local_converter/?mode=api&mac=52:74:f2:b1:a8:7f
      for all your API needs.

      The math

      Link-local IPv6 addresses are used as part of the IPv6 network auto-configuration process. Instead of getting an address via DHCP, a NIC will hop on the network with a link-local IPv6 address and with this will have to ability to do further configuration automatically (soliciting neighbors, router, et cetera).

      This link-local IPv6 is infered from the NIC’s mac address.

      A mac address is 48 bits, an IPv6 address is 128 bits. Here’s the conversion process step by step:

      1. take the mac address: for example 52:74:f2:b1:a8:7f
      2. throw ff:fe in the middle: 52:74:f2:ff:fe:b1:a8:7f
      3. reformat to IPv6 notation 5274:f2ff:feb1:a87f
      4. convert the first octet from hexadecimal to binary: 52 -> 01010010
      5. invert the bit at index 6 (counting from 0): 01010010 -> 01010000
      6. convert octet back to hexadecimal: 01010000 -> 50
      7. replace first octet with newly calculated one: 5074:f2ff:feb1:a87f
      8. prepend the link-local prefix: fe80::5074:f2ff:feb1:a87f
      9. done!

      Going the other way

      A converter to do the same operation in reverse is available here.

      Comments

      There have been a few interesting comments on this post, I encourage you to read them if you want to learn more about this mechanism. Specifically:

    • Poor man’s 2FA: a simpler 2-factor authentication mechanism for SSH

      The problem with PAM based 2FA:
      • PAM does not get called when the SSH daemon does key based authentication. So your 2FA there only works with password authentication. This might be something you want but maybe not.
      • A PAM module based solution to 2FA is harder to implement
      The solution: Poor man’s 2FA!

      It is possible to add the ForceCommand directive to your sshd_config. Like the name suggests it simply runs a command after authentication and before the shell is spawned. This is a good spot to add an extra check, say another factor for authentication.

      The code:
      #!/bin/bash
      trap "echo "I'm sorry Dave. I'm afraid I can't do that."; sleep 1 ; kill -9 $PPID ; exit 1" 2 20
      code=`od -a -A n /dev/urandom | head -2 | tr -d ' ' | tr -d 'n' | sed 's/[^a-zA-Z0-9]//g' | awk '{print substr($0,1,5)}'`
      echo -e "Subject:$code\nFrom:root@server <root@server.com>\n2FA code in subject" | sendmail phone_number@carrier.com
      read input
      if [ $code = $input ];
      then
          `awk -F: '($1 == $LOGNAME) { print $7 }' /etc/passwd`
      else
      kill -9 $PPID
      fi

      That’s it really, save this to an executable file, replace the obvious variables and ForceCommand its ass.

    • Avoid getting tracked in a datamining society

      Welcome to the information age! Memory is cheap, millions of records are copied in the snap of a finger and everybody wants your information. This is called data-mining and everybody is doing it essentially to better advertise to you. These databases of your facts & habits are often sold and even hacked. It is time to ponder how little control you have over your own information. And when you do so, think not only about the information you give but above all about the information that can be inferred from it.

      Compiled bellow is a list of tips for avoiding getting tracked in modern society. They range from simple good practice to paranoia. Obviously you could go live as a hermit in the woods and be untraceable. Feel free to comment on anything I missed and I’ll add to the post.

      Day to day life

      • Broadcast the least information possible. Does your state require license plates in the front & rear? 19 states don’t, google them. Police cameras automatically scan all the license plates they see, why double your chances? Your license plates are also often recorded when you drive through tolls.
      • Pay everything in cash, credit/debit card transactions can easily place you in space and time. Moreover, encoded in the magnetic stripe is your name, stores know everything you buy and when you buy it. This is pant creaming data for the marketing geniuses trying to figure out ways to make you consume more.
      • Avoid customer rewards programs. An even better way to tie information back a a customer that might use multiple methods of payment. Still want the sweet deals? Don’t use your real info when signing up, or just don’t sign up, the cashiers often have default cards to scan.
      • Avoid mail-in rebates. They are nothing more than a way for you to sell your information.

      I.T. life

      This is a dense section, no surprise this is where most data mining occurs.

      • Don’t let email load remote content

      This is commonly used as a way to know if you’ve opened the email, at what time you opened it, where you opened it from (IP geolocation) and what your email client was. The technical explanation is that some email have HTML formatting with images included. These images can be embedded in the email itself or referenced to a remote server. In the later case, the remote server will for example enable PHP parsing for JPEG files, execute code to track you and then feed the image to the email client which never had a clue it was loading a “special” image. This is all transparent to the user and the email client.

      • No smartphone GPS tracking

      Let’s take an example: you enable Google Latitude on your cell phone to share your location with friends and get to know fun facts about how much you travel. The information you give Google are geographic coordinates, the informations inferred from it are where you live, where you work and whether or not you pull your 40 hours a week there.

      • Let’s go further: no smartphones at all!

      Apple’s Iphones and Google’s Android phones gather location information WHETHER YOU WANT IT OR NOT. That’s right, you can turn off GPS all you want your phone still recurringly reports back to Apple & Google telling them not only where they are but also which other wireless devices they see around.

      More info here from the most excellent Samy Kamkar.

      The tech giants are involved in a major data gathering process where they use you to create a comprehensive map of the wireless spectrum. This is both an awesome project using crowdsourcing to accomplish a daunting task & a scary invasion of privacy. Because it doesn’t ask you, and because you take it home and so it reports your wireless router and so now everytime you use a regular computer connected to said router, they know exactly where you are. It is scary because even if you could turn it off, others around you are passively reporting your location.

      • Even further? no cell phones! your location can be triangulated from cell towers.
      • Forget social networks, even if you use fake information. Sooner or later, your contacts, something you said, someone that said something about, will be traced back to your real self.
      • Remove EXIF data from the pictures you distribute online, especially if they were taken with smartphones.
      • SSL encryption, SSL everywhere. In fact any time you configure a connection (IMAP, FTP, HTTP) make sure that it uses an encrypted mechanism. The number of network taps are growing and you don’t want to make the job easier on them.
      • Review pictures you distribute online for license plate numbers, bills laying on tables and other identifiers.
      • A strong firewall not just for incoming traffic. Nowadays devices are very noisy, from Bonjour to checking for updates the packets coming out of your network interfaces without your knowledge are plentiful and growing. And every time to send a packet out, your presence is known. A firewall with rules on outgoing traffic is a good idea to keep unwanted traffic to a minimum.
      • Don’t give your email address to anyone that asks for it, use services like mytrashmail.com or even better yet, get a new email account every time. This way if they sell your information you will know right away since you only have 1 email account per company. You can then check they EULA and see if maybe they boast of not selling your information, Make them accountable! On a side note Gmail offer the capability of adding a plus (“+”) following by a string of your choosing to your regular email address. For example if your email address is address@gmail.com, Gmail will also accept mail to address+sillysite@gmail.com. This way you can segregate mail by company with the convenience of having it all go to the same account. The caveat to that is that “+” is often considered as an invalid character in an email address even though it is a valid character.
      • Adblock is one of the best plugin for your web browser (Firefox or Chrome). It removes ads thus significantly enhancing your browsing experience. By negating traffic to advertisement servers, you are denying their chance to data mine the crap out of you. Browser fingerprinting is one of many techniques used with an argument often made that the combinations of browser related software are so plentiful that your browser can be uniquely identified. Permanent cookies are also used to keep an eye on your web whereabouts.

      And even if you follow all these steps, you are not 100% untraceable online.

      The path of maximum sheep

      Finally, for when you have to give information, try and be a generic & blend as possible.

      • Your name is needed to sign up for something? John Smith.
      • Need a new car? White Honda Civic, no bumper stickers, no vanity plates.
      • Gotta find a new name for a PC? Linksys.
      • Need a username for that shitty forum? User2656, don’t use the one you use everywhere else or one thing leading to another, it can most likely be tied to your real identity.
    • Python SNMP simple example to get 1 OID

      Because it took me forever to piece this simple code together

      import netsnmp
      session = netsnmp.Session( DestHost='your.host.com', Version=2, Community='public' )
      vars = netsnmp.VarList( netsnmp.Varbind('.1.3.6.1.4.1.2021.8.1.101.1') )
      print( session.get(vars) )