Saturday, November 13, 2010

Reg Hack to get XP regular file sharing to work without password

Blank Password Network Access
Windows XP Professional will not allow network users access to the computer without a password; trying to do so will normally return an error code. To allow network access using a blank password:
[Start] [Run] and type gpedit.msc and click [OK]
Navigate to Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options
Double click on Accounts: Limit local account use of blank passwords to console logon only.
Select the radio button next to Disabled and click [OK]

Tuesday, April 22, 2008

pfSense OpenVPN Cheat Sheet

So I'm not going to put every detail, just the stuff that hung me up. So firstly, set up all the certificates etc. as per any of the numerous directions on the web. Make sure to get copies of the certs etc. onto your local box.

Also, in the OpenVPN rule that you create, you can add the following in the custom options box:

push "redirect-gateway def1"

This disables split tunneling, which is my preference. I want to force all my traffic over the VPN so I can surf freely when I'm remote without worrying about violating policies or having my traffic sniffed.

When using this option, you'll also need to make sure to set your DNS server info in the OpenVPN config screen.

So firstly, below is a copy of my working client config:

float
#normally set to 1194, but I like to use 443 as it gets past more client-side filters. Make sure to change the binding of your local firewall GUI and restart the FW, otherwise it won't work.
port 443
dev tun
#The name "ovpn" below is the name of the connection that you will create as per the standard documentation.
dev-node ovpn
proto tcp-client
remote vpn.mysite.com 443
ping 10
persist-tun
persist-key
tls-client
#Obviously replace the cert names etc below with whatever you create.
ca ca.crt
cert mine.crt
key mine.key
ns-cert-type server
#This is something that really messed me up. I had set AES-256 on the FW, but none of the instructions mentioned that you have to set the cipher on the client side too. Even worse, the client-side logs don't mention cipher issues; I eventually found the problem in the server logs.
cipher AES-256-CBC
comp-lzo
pull
verb 4

You have to create an incoming rule allowing 443 or whatever port you are using. You don't have to create an incoming NAT though.

This will get you VPN'd into your network. However, if you want to be able to tunnel out to the internet you have to add a manual NAT for the VPN IP Address pool you created. Go into your NAT settings and click on the Outbound tab.

You'll have to set it to manual outbound NAT and add a rule. Leave the first option (interface) set to WAN and just enter your VPN IP pool as the source.

You should be ready to rock and roll fully tunneled now.

Tuesday, August 07, 2007

VNC Server on Kubuntu (Real Console Display) with SSH Tunneling

Ok, so I've set this up many times and each time it seems to be a pain so I finally figured out a smooth method and am writing it up.

First off, get x11vnc and vnc-common:

apt-get install x11vnc vnc-common

Now, it used to be you'd have to mess with MIT-Cookies and all sorts of insanity, but now, I found a better way. You will need to edit your desktop manager setup:

GNOME /etc/X11/gdm/Init/Default (or Init/:0)
KDE /etc/kde*/kdm/Xsetup

Add the following line:

x11vnc -bg -o /var/log/x11vnc.log

This assumes that x11vnc is in your path, which it will be if you installed it via apt-get. The -forever option makes it persistent so it won't die when you disconnect, and -bg just runs it in the background...

The -rfbauth option is important as it points to the password file used for authentication.

We will create the password for this by running vncpasswd as root (sudo -i) and entering a password.

Now we need to create the .x11vncrc file in the root home dir so you don't have to put a big string of options in the above line... Add the following to the file:

display :0 # This will let you connect to the primary display
rfbauth /root/.vnc/passwd # password file - critical for auth
rfbport 5900 # port to listen on
forever # Without this x11vnc will die after serving one connection.
localhost # Only accept local connections. This makes your x11vnc secure along with SSH.
solid darkblue # Optional (changes background into solid color)
rfbversion 3.6 #This and the line below are only if you are wanting to use the file transfer function in UltraVNC.
permitfiletransfer

The most important thing in this file is the localhost line so we don't open up tcp/5900 external to the box. We will be tunneling to it via SSH and Putty.

Now you are pretty much ready to rock and roll. You can restart kdm and it should start x11vnc.

Now for easy access from Windows, just run Putty, set up your SSH connection as usual, then go into the tunnels config and add a local forward of port 5900 to localhost:5900:



Now just SSH in with Putty, login as normal and then fire up your favorite vnc client and connect to localhost.

You should be rocking and rolling...

Enjoy.

Tuesday, June 26, 2007

Ever want to enforce logon hours on a workgroup PC?

Click Start, Run and enter GPEDIT.MSC. Go to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. In the right pane, locate the entry for Network Security: Force logoff when logon hours expire.

Examples of setting the logon hours: you can set them for 24 hours, or go to Start/Run/CMD and type in the following (use as an example and modify):

net user johnsw /time:M-F,08:00-17:00
net user johnsw /time:M-F,8am-5pm
net user marysl /time:M,4am-5pm;T,1pm-3pm;W-F,8:00-17:00

For Sat/Sun use SA/SU

To cancel and/or clear: Go to Start/Run/CMD and type in (use as an example):

net user Kelly /time:all

Sunday, June 24, 2007

Finally - Windows disk encryption with GRUB working!

Ok, so I'm a big fan of DriveCrypt from SecurStar... Particularly the Plus Pack which includes full disk encryption. I've tried CompuSec which worked pretty well, but back when I tried it, it was full disk or nothing... So you couldn't dual boot. I've also recently tried PGP whole disk encryption which also works well and will let you encrypt by partition.

However, I've only ever been able to get a dual boot working with DriveCrypt using LILO, as LILO keeps its entire code in the actual MBR. I would install Windows... Then LILO... Then add the encryption boot auth and it would wrap everything up. The kicker would be when I updated a kernel or made some other change to LILO, POOF! It would wipe out my boot authentication for the Windows disk encryption and there would go my ability to authenticate in order to read the data. So a complicated process would ensue of adding back the boot auth MBR each time LILO would update. Pain in the ass.

So I gave up for a while and started using GRUB and I loved the fact that once GRUB wrote the MBR, it never touched it again.... I could mess with kernels and other junk to my heart's content and never have to worry about re-writing the MBR. However, the catch comes with the little gray area after the first sector (MBR) of the first track... Typically this is not used, and the first actual data that the system will allow to be used for regular storage is the beginning of the second track. However, programs like GRUB, encryption apps and other things that create fancy or complicated boot loaders know this and take advantage of it. DriveCrypt and just about every other disk encryption product out there uses this area of the disk to store additional data for the boot authentication process. And of course GRUB likes to use this same area for its stage 1.5.

So at long last, after trying many different scenarios (i.e., having the Windows boot.ini load Linux, or trying to get LILO in the MBR to load GRUB from the first sector of the boot partition; even though this seems like it would work, it doesn't), I stumbled across a site that actually laid out a functioning way to handle things.

The quick summary is as follows:

1. You load Windows and you load your boot authentication stuff.

2. Boot up into a Linux live CD and dd the boot auth MBR to a USB drive.

3. Load Linux as usual which will install GRUB on the MBR and kill the boot auth MBR.

4. Boot into your Linux side, tell GRUB to install stage1 in the MBR and to load stage2 directly from your /boot partition in Linux. This essentially tells GRUB to skip stage1.5 and go directly to stage2, and so leaves the area after the first sector of the first track untouched for your encryption boot auth data.

5. Finally copy the boot auth MBR into your /boot dir and create an entry in your menu.lst to point to the boot auth MBR which will then point back to the first encrypted disk and boot up.

Now I had to tweak the directions on the original site as I like to run XFS for my main drive which usually requires me to make a little 200-300MB /boot with ext3. So here are the details... They are on the original site, but on the off chance that the site goes away, I want to document it here as it took a hell of a long time to figure it out....

So after you have Windows loaded and your encryption software is fully set up and the disk encrypted... Boot into your favorite Linux live CD, pop in a USB drive and run the following:

dd if=/dev/hda of=/mnt/usb/dcpp.mbr count=1 bs=512

Of course substitute the source drive you are working with for "if" and the output path for "of".
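Before relying on that backup, it is worth confirming that what dd wrote really is a complete MBR rather than, say, a truncated or zeroed file. The following is an added illustration, not code from the original post: it parses a 512-byte MBR image (boot signature, boot code area, partition table) and the sample image it builds is constructed, not a real DriveCrypt MBR.

```python
import struct
import sys

# Partition type ids that matter for the dual-boot layout in the post.
PART_TYPES = {0x07: "NTFS/HPFS", 0x83: "Linux", 0x82: "Linux swap", 0x05: "Extended"}


def parse_mbr(sector):
    """Parse a 512-byte MBR image (e.g. the dcpp.mbr copy made with dd).

    Returns the boot-signature check, whether the boot code area is
    non-empty, and the populated primary partition entries.
    """
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes (count=1 bs=512), got %d" % len(sector))
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        # status byte, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": PART_TYPES.get(ptype, "0x%02x" % ptype),
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == b"\x55\xaa",
            "boot_code_present": any(sector[:446]),
            "partitions": partitions}


def check_backup(sector):
    """True only if the image has boot code, the 0x55AA signature and an active partition."""
    info = parse_mbr(sector)
    return (info["signature_ok"] and info["boot_code_present"]
            and any(p["bootable"] for p in info["partitions"]))


def build_sample_mbr():
    """Constructed sample, not a real DriveCrypt MBR: dummy boot code, a bootable
    NTFS partition starting at LBA 63 (second track) and a Linux /boot partition."""
    boot_code = b"\xfa\xeb\xfe" + b"\x00" * 443          # cli; jmp $ stub, padded to 446 bytes
    entries = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 41943040)
    entries += struct.pack("<B3xB3xII", 0x00, 0x83, 41943103, 409600)
    return boot_code + entries + b"\x00" * 32 + b"\x55\xaa"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    print("usable:", check_backup(data), parse_mbr(data))
```

Run it against the saved file (python mbrcheck.py /mnt/usb/dcpp.mbr) and expect the bootable entry to be the Windows partition.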

Once you've made this backup copy of your boot auth MBR, install Linux as normal and let it install GRUB on the MBR.

Boot up into your new Linux install and run "grub" to go into interactive mode. Then enter the following:

grub> install (hd0,1)/boot/grub/stage1 (hd0) (hd0,1)/boot/grub/stage2 0x8000 p

Edit the drive and partitions as necessary for your system. But you want to point it to whatever drive has your /boot on it.

Now the catch I ran into, which took a minute to figure out, is that I have my /boot on a separate partition, and therefore the path is slightly different. I had to issue the following command:

grub> install (hd0,1)/grub/stage1 (hd0) (hd0,1)/grub/stage2 0x8000 p

As you'll note, the /boot is missing as my /dev/sda2 is mounted directly as /boot, so the paths to stage1 and stage2 are just /grub/stageX.

Next you'll need to copy the boot auth MBR from your USB to /boot.

Once that's there, you just have to add a section into your /boot/grub/menu.lst to point to the boot auth MBR in /boot as follows:

title Windows XP Professional
rootnoverify (hd0,0)
makeactive
chainloader (hd0,1)/boot/dcpp.mbr
boot

Again, I had to remove /boot from the chainloader path as I mount it directly. Anyway, now you can boot up to GRUB, then boot Windows and it will use the copy of the boot auth MBR. It works great and now I have the freedom to mess with my kernels and what not without a big hassle.

Enjoy...

Joshua

Friday, April 28, 2006

Acidbase on Debian Cookbook

Ok, so after much tinkering, I've come up with a cookbook to get the snort Acidbase frontend running on Debian with mysql5/php5/apache2.

In case you're wondering "why" I put this together... The original ACID is way outdated and is a pain to get working with anything but old packages like php4 and mysql 4.1 blah blah... Acidbase is much more updated, but if you don't install things in the correct order, it tries to use older acid packages and becomes a huge mess... So I put together this little cookbook to make sure I get the order smooth... This came about after NUMEROUS attempts at getting it working, installing different components at different times...

Anywayz....

Enjoy... :)


Install Cookbook for Snort/MySQL5/PHP5/Apache2/Acidbase on Debian/testing

Install Debian from Stable CD. Stay with Stable distro level until fully installed.

Then edit /etc/apt/sources.list and add testing distro info.

Then update apt
apt-get update

Then perform a distribution upgrade
apt-get dist-upgrade

Once complete, reboot
init 6

Install mysql server
apt-get install mysql-server

Install acidbase frontend
apt-get install acidbase
During the install acidbase will create the default snort db and user.
Ensure acidbase is configured to make use of the archive db
Edit /etc/acidbase/base_conf.php
Edit the snort_archive DB section. Set the archive DB field from 0 to 1 and set your password
If you need to edit your db settings, they're in /etc/acidbase/database.php

Install phpmyadmin
apt-get install phpmyadmin

Configure the database via phpmyadmin
Browse to http://localhost/phpmyadmin/
User ID is root, password is blank
Create snort_archive db
Under privileges set root password for both root accounts
Assign full privileges for snort account to snort_archive db

Install snort-mysql
apt-get install snort-mysql

Create snort tables in DB
zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql -u snort_username -h snort_hostname -p database_name
zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql -u snort_username -h snort_hostname -p archive_database_name
Verify in phpmyadmin that 16 tables are added to both snort databases

Clear snort-db-lock file so snort can start
rm /etc/snort/db-pending-config
Start snort
/etc/rc3.d/S20snort start

Verify snort is running
ps -ef|grep snort

Restart apache2
apache2ctl restart
Browse to http://localhost/acidbase
Setup db structure from web-interface.
Click on the "Use Archive Database" link - setup DB structure for archive DB
Then click back to "Use Alert Database"

You should be ready to rock and roll....

Monday, January 30, 2006

OpenSSH Public Key Authentication

So... I had to set up my first SSH public key auth today. The link below is a great tutorial for setting it up on both the client and server ends. However, it should be noted, and I found out the hard way, that when using a win32 client like Putty or SecureCRT, they export their keys into a format that has to be run through ssh-keygen, and not just appended to the "~/.ssh/authorized_keys" file.

The easy way to tell the difference: a key exported by one of the aforementioned win32 programs will start with:

---- BEGIN SSH2 PUBLIC KEY ----

A key that doesn't need to be processed will start like:

ssh-dss AAAAB3NzaC1kc3MA

To convert a key to the correct format and append it:

ssh-keygen -i -f securecrt.pub >> authorized_keys
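What that conversion actually does, as an added illustration (not the post's own code, nor OpenSSH's implementation of ssh-keygen -i): detect the RFC 4716 wrapper, drop its header lines (honouring backslash continuations in the Comment header), reassemble the base64 blob, and read the key type from the first length-prefixed field of the blob to produce the one-line authorized_keys form. The sample key below is a constructed dummy blob, not a real key.

```python
import base64
import struct

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def rfc4716_to_openssh(text):
    """Return the authorized_keys line for an RFC 4716 (SecureCRT/PuTTY export) key.
    Input already in OpenSSH one-line form is returned unchanged."""
    stripped = text.strip()
    if not stripped.startswith(RFC4716_BEGIN):
        return stripped                       # already "ssh-xxx AAAA..." style
    lines = stripped.splitlines()[1:]         # drop the BEGIN line
    if lines and lines[-1].strip() == RFC4716_END:
        lines = lines[:-1]
    comment, body, i = "", [], 0
    while i < len(lines):
        line = lines[i]
        if ":" in line and not body:          # header line, e.g. Comment: "..."
            name, value = line.split(":", 1)
            while value.endswith("\\"):       # RFC 4716 header continuation
                i += 1
                value = value[:-1] + lines[i]
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line.strip())         # base64 body (no ':' possible here)
        i += 1
    blob = base64.b64decode("".join(body))
    (type_len,) = struct.unpack(">I", blob[:4])   # first field: key type string
    key_type = blob[4:4 + type_len].decode("ascii")
    if not (key_type.startswith("ssh-") or key_type.startswith("ecdsa-")):
        raise ValueError("unexpected key type in blob: %r" % key_type)
    key_line = "%s %s" % (key_type, base64.b64encode(blob).decode("ascii"))
    return key_line + (" " + comment if comment else "")


def build_sample_rfc4716():
    """Constructed sample, not a real key: the blob holds only the type string
    and one dummy field, wrapped the way SecureCRT/PuTTY export it."""
    blob = struct.pack(">I", 7) + b"ssh-dss" + struct.pack(">I", 1) + b"\x05"
    b64 = base64.b64encode(blob).decode("ascii")
    return "\n".join([RFC4716_BEGIN, 'Comment: "joshua@laptop"', b64, RFC4716_END])


if __name__ == "__main__":
    print(rfc4716_to_openssh(build_sample_rfc4716()))
```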
