<b>Neighborhood Techie</b>, a blog by joat (http://www.blogger.com/profile/16255365954164579406); feed last updated 2024-03-12.
<p><b>Tailscale switch</b> (posted 2023-12-29)
<p>As always, the documentation for something leaves a bit unexplained. I was interested in using "tailscale switch" to switch between a small non-shared tailnet (managed by Tailscale) and a shared cyberclub tailnet (managed by Headscale). The unmentioned part is to never use "tailscale logout", which expires the authentication key. Instead, use the following procedure for setting up the multiple networks:
<pre>
tailscale login
tailscale status
tailscale down
tailscale login --login-server=[headscale URL]
tailscale status
</pre>
<p>In other words, first authenticate to the Tailscale-hosted network. Then run "tailscale down" and authenticate to the second network.
<p>You can then run the following to list the available networks:
<pre>
tailscale switch --list
</pre>
<p>The output will look something like:
<pre>
ID Tailnet Account
cde0 bob.github bob@github*
41da othernet othernet
</pre>
<p>The currently active network will be denoted by the asterisk at the end of the line. You can switch between the two with:
<pre>
tailscale switch ACCOUNTNAME
</pre>
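A small helper around the listing format above, added here as an example and not part of the original post. It assumes the "ID Tailnet Account" layout shown, with the trailing asterisk marking the active account, and it refuses to switch to an account that is not already registered on the client, so there is never a reason to reach for "tailscale logout".

```shell
#!/bin/sh
# Helpers around "tailscale switch --list" (added example, not from the post).
# Assumed listing format: a header line, then "ID Tailnet Account" rows, with a
# trailing "*" on the Account column marking the active account.

# Constructed sample listing, mirroring the output shown in the post.
SAMPLE_LIST='ID   Tailnet      Account
cde0 bob.github   bob@github*
41da othernet     othernet'

# Print the account that is currently active (the row whose Account ends in "*").
active_account() {
    # $1: listing text. Skip the header, find the starred row, strip the star.
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /\*$/ { sub(/\*$/, "", $3); print $3; exit }'
}

# Print every account registered on this client, one per line, without the star.
known_accounts() {
    printf '%s\n' "$1" | awk 'NR > 1 { sub(/\*$/, "", $3); print $3 }'
}

# Return 0 if account "$2" appears in listing "$1", 1 otherwise.
has_account() {
    known_accounts "$1" | grep -qx -- "$2"
}

# Switch to a named account only if it is already registered on this client.
# An unknown name is an error: the fix is "tailscale down" followed by a second
# "tailscale login", never "tailscale logout".
# Usage: switch_account othernet
switch_account() {
    list=$(tailscale switch --list) || return 1
    if ! has_account "$list" "$1"; then
        echo "account '$1' is not registered here; run 'tailscale down' and 'tailscale login --login-server=...' first" >&2
        return 2
    fi
    tailscale switch "$1"
}
```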
<p>My reasoning for needing the Tailscale-hosted account: I periodically need access to a less-technical family member's network for troubleshooting. I gave them a GL.iNet Slate AX wifi router, which runs a Tailscale client (you have to add it). You can configure the physical switch (on the side of the router) to turn the tailnet on and off. End result: if they're having trouble with something in their network, they turn the switch on, call me, and I can remotely troubleshoot their house network.
<p><b>Tasking for self...</b> (posted 2023-11-28)
<p>Note to self: certs for the house cluster expire in early March. You'll want the info from: https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
<p><b>Ouch</b> (posted 2023-10-22)
<p>I'm guessing that there are others whose muscle memory, when typing, is a bit munged. I finally did a full re-indexing of the document search engine (a little over 34K docs), then tested the engine but misspelled the search ("epbf" instead of "ebpf"). This produced 4 answers. I then misspelled "falco" by typing in "flaco" (which Google indicates is Spanish for "skinny" or "thin"). This produced two documents with "falco" misspelled and two Spanish language files. I'm thinking I need to research whether Recoll can do fuzzy searches.
<p><b>Breaking/fixing my K8S controller</b> (posted 2023-08-18)
<p>Just a bit of blowing my own horn...
<p>I managed to break the home lab's K8S config while attempting to troubleshoot a friend's cluster, a week or so back. The primary symptom (other than Multus not working) was showing up as a "NoExecute" status for the controller, when listing taints for the nodes. There were also log entries, complaining about not being able to delete sandboxes.
This was also causing issues with Falco, which was deploying only 4 of an expected 6 pods (i.e., the DS wasn't installing on the controller), when trying to deploy it with Helm (a story for another time, I think).
<p>In any case, after a number of Google searches and using "kubectl describe" against a few resources, I backtraced it to "Network plugin returns error: cni plugin not initialized". This turned out to be Multus.
<p>Uninstalling and re-installing Multus corrected the issue. K8S then woke up and destroyed the old sandboxes, fired up the missing Falco pods, and the taint on the controller went back to its normal "NoSchedule" status.
<p>Two things learned today:<ol>
<li>Piping "kubectl describe ..." into /bin/less is a good troubleshooting tool.</li>
<li>The same YAML file, that you use to install something, can be used to delete it. In other words: "kubectl create -f multus-thick.yaml" for installing and "kubectl delete -f multus-thick.yaml" for uninstalling.</li>
</ol>
<p><b>Prototyping my Falco install</b> (posted 2023-08-13)
<p>Just spent a couple hours getting Falco + Sidekick + UI + Redis figured out. The following works. Next up: getting it to work in K8s.
<pre>
#!/bin/bash
# Redis (with RediSearch) backs the Falcosidekick UI
docker run -d -p 6379:6379 redislabs/redisearch:2.2.4
# Falco itself, on the modern eBPF probe; events are POSTed to Falcosidekick
docker run -itd --name falco \
  --privileged \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /proc:/host/proc:ro \
  -e HTTP_OUTPUT_URL=http://192.168.2.22:2801 \
  falcosecurity/falco-no-driver:latest falco --modern-bpf
# Falcosidekick receives the events and forwards them to the UI
docker run -itd --name falcosidekick -p 2801:2801 \
  -e WEBUI_URL=http://192.168.2.22:2802 \
  falcosecurity/falcosidekick
# Falcosidekick UI, reading its data from Redis
docker run -itd --name fs-ui -p 2802:2802 \
  -e FALCOSIDEKICK_UI_REDIS_URL=192.168.2.22:6379 \
  falcosecurity/falcosidekick-ui falcosidekick-ui
</pre>
<p><b>Krew custom columns</b> (posted 2023-07-08, updated 2023-08-13)
<p>My contribution to the custom-cols plugin for Krew: show what nodes pods are running on.
<p>Create a file ~/.krew/store/custom-cols/v0.0.5/tamplates/node.tpl so that it
contains:
<p><table border=0 cellspacing=0 cellpadding=0 bgcolor=#DDD><tr><td>
<pre>
NAME NODE STATUS
.metadata.name .spec.nodeName .status.phase
</pre>
</td></tr></table>
<p>The output will look something like:
<p><table border=0 cellspacing=0 cellpadding=0 bgcolor=#DDD><tr><td>
<pre>
tim@cf-desk:~$ kubectl custom-cols -o node pods -n weave
NAME NODE STATUS
weave-scope-agent-g9jgh cf1 Running
weave-scope-agent-gllg5 cf2 Running
weave-scope-agent-kkm2z cf3 Running
weave-scope-app-658845597b-wnt9b cf2 Running
weave-scope-cluster-agent-84f7b6767c-2vdkw cf2 Running
</pre>
</td></tr></table>
<p>There may also be some value in making it sortable, based on the node. To do so, create another template (I called mine "nodes.tpl") and swap the first and second columns in each row. Then you can pipe the output through the tail and sort commands. Example template:
<p><table border=0 cellspacing=0 cellpadding=0 bgcolor=#DDD><tr><td>
<pre>
NODE NAME STATUS
.spec.nodeName .metadata.name .status.phase
</pre>
</td></tr></table>
<p>The output will look something like:
<p><table border=0 cellspacing=0 cellpadding=0 bgcolor=#DDD><tr><td>
<pre>
tim@cf-desk:~$ k custom-cols -o nodes pods -n weave|tail -n +2|sort
cf1 weave-scope-agent-g9jgh Running
cf2 weave-scope-agent-gllg5 Running
cf2 weave-scope-app-658845597b-wnt9b Running
cf2 weave-scope-cluster-agent-84f7b6767c-2vdkw Running
cf3 weave-scope-agent-kkm2z Running
</pre>
</td></tr></table>
<p>For info: the "-n +2" in the above tells tail to start processing on the second line (i.e., skip the line with the column headers).
<p><b>Troubleshooting k8s</b> (posted 2022-07-18)
<p>New command learned today, while a Gitea deployment was stalled in the "ContainerCreating" step. Short version: the following is valuable.
<pre>
kubectl get events --all-namespaces --sort-by='.metadata.creationTimestamp'
</pre>
<p>It's also worthwhile to note that the output from the above is different from the output of:
<pre>
kubectl get events -A
</pre>
<p>It turned out that the permissions for a volume were not correct and the PVC mount was timing out.
<p><b>More Vi Tips</b> (posted 2022-06-21, updated 2022-06-29)
<p>Found "<a href="http://bounce.to/vi">Vi Tips for Developers</a>" while jumping around inside the <a href="http://www.webring.org/cgi-bin/webring?ring=ugu&home">System Administrator's Webring</a>.
<p><b>Update:</b> this post was flagged (in June 2022) as violating Blogger's content policy (relating to Malware and Viruses). The above content has not been changed. Only this last statement has been added. Please note that the above post does not relate to Malware or Viruses.
<p><b>Sendmail compiling for the no-server crowd</b> (posted 2022-06-21, updated 2022-06-29)
<p>For anyone who only wants a box to e-mail its own logs (and not run a server) and is still trying to figure out how to get the newest version of Sendmail to run without the "Connection refused by 127.0.0.1" error:
<p>Edit /etc/mail/submit.cf so that the DS line contains the FQDN of your upstream mail server. Example:
<pre>
DSmail.myisp.com
</pre>
<p>You'll also need to set root:smmsp permissions on /var/spool/mqueue.
<p>Hope this saves someone else some time (it took a bit of reading on my part).
<p><b>Update:</b> this post was flagged (in June 2022) as violating Blogger's content policy (relating to Malware and Viruses). The above content has not been changed. Only this last statement has been added. Please note that the above post does not relate to Malware or Viruses.
<p><b>Google</b> (posted 2022-06-21, updated 2022-06-29)
<p>Yikes! I fell into this one while cleaning out the spam filters in the comment section. Seems that someone was spamming google1.com. It turns out that that's a legitimate domain, owned by <a href="http://www.google.com">Google</a>. Having it show up in comment spam probably means that it's a test message. The interesting part is if you type "whois google" (with or without the trailing ".com"). You get the following return: a long list of whois matches (not reproduced here).
<p>While some of those are legitimate, many are not. I wonder how much trouble Google has defending their trademark.
<p><b>Update:</b> this post was flagged (in June 2022) as violating Blogger's content policy (relating to Malware and Viruses). The above content has not been changed. Only this last statement has been added. Please note that the above post does not relate to Malware or Viruses.
<p><b>Google Maps</b> (posted 2022-06-21, updated 2022-06-29)
<p>For my own reference: pointed to by the <a href="http://www.furrygoat.com/2005/04/observation.html">Furrygoat article</a>, how to add annotations to <a href="http://www.google.com">Google</a> Maps (I've added links to other odd stuff that you can do with Google Maps):<ul>
<li><a href="http://www.engadget.com/entry/1234000917034960/">Engadget article</a></li>
<li><a href="http://nofancyname.blogspot.com/2005/03/customized-annotated-google-maps.html">No Fancy Name</a></li>
<li><a href="http://libgmail.sourceforge.net/googlemaps.html">Google Maps Hacking and Bookmarklets</a></li>
<li><a href="http://mygmaps.com/mygmaps.cgi/">myGmaps</a></li>
<li><a href="http://69.90.152.144/collab/GoogleMapsHacking">GoogleMapsHacking</a> (Wiki)</li>
<li><a href="http://69.90.152.144/collab/GoogleMapsHacks">GoogleMapsHacks</a> (Wiki)</li>
<li><a href="http://www.gnik.com/wiki/Google Maps">GoogleMaps</a> (Wiki) (an attempt to tie in TerraServer and/or a GPS)</li>
<li><a href="http://gmap.glenmurphy.com/">Movin Gmap</a> (using a GPS, the map stays centered on you as you move around)</li>
<li><a href="http://jgwebber.blogspot.com/2005/02/mapping-google.html">Mapping Google</a> (a look at the client side "bits" for Google Maps)</li>
<li><a href="http://simon.incutio.com/archive/2005/02/08/maps">Simon Willison's thread on Google Maps and XSL</a></li>
<li><a href="http://weblog.infoworld.com/udell/gems/googleMaps.html">John Udell's animation</a> (a trip from Keen to Manchester)</li>
<li><a href="http://www.theplaceforitall.com/googlex/">GoogleX</a> (not Maps related but fun)</li>
<li><a href="http://www.hexod.us/devblog/archives/2005/04/my_area_map.html">Hexodus</a> (a nice example of adding pics) (click on the link and then the push pins)</li>
<li><a href="http://www.maisonbisson.com/blog/comments.php?id=P10462_0_1_0_C">Google Maps Rock, Hacking Them Rocks More</a></li>
<li><a href="http://stuff.rancidbacon.com/gmaps-standalone/">Google Maps Standalone Mode</a></li>
<li><a href="http://www.pvrblog.com/pvr/2005/04/google_maps_on_.html">Google Maps on Tivo</a> (See? Things are going in odd directions now!)</li>
<li><a href="http://mappinghacks.com/index.cgi/2005/04/23#craigle">Mapping Hacks</a> (tying Google Maps to Craigslist)</li>
</ul>
<p>There are hundreds, if not thousands, of other examples. I've just run out of time to continue digging up these links.
<p><b>Update:</b> this post was flagged (in June 2022) as violating Blogger's content policy (relating to Malware and Viruses). The above content has not been changed. Only this last statement has been added. Please note that the above post does not relate to Malware or Viruses.
<p><b>Building honeyd</b> (posted 2022-06-21, updated 2022-06-29)
<p>The following isn't really a howto for getting honeyd up and running, but it should help. I'm posting it here as I plan on rebuilding my home system and want to keep track of how I did it. I'll blog the process here just in case anyone else wants to follow my breadcrumbs. Please note that setting up urpmi for network downloads, using CPAN, and compiling code are beyond the scope of this document. (Hint: for the external urpmi setup, <a href="http://www.google.com">Google</a> for "easy urpmi" and look for the Penguin Liberation Front!)
<p>The various code packages below are either installed via urpmi (if the package is available) or built from source code. Remember to run "ldconfig" between library installs! The URLs for all of the below were available either in the comments made by "configure" or on the <a href="http://www.honeyd.org/">honeyd site</a> itself.
<p>Process:<ol>
<li>installed byacc (which is required by flex) (via urpmi)</li>
<li>installed flex (which is required by libpcap)</li>
<li>installed bison (which is required by libpcap) (via urpmi)</li>
<li>installed libpcap (which is required by honeyd)</li>
<li>installed libdnet (which is required by honeyd) (see honeyd site)</li>
<li>installed libevent (which is required by honeyd) (see honeyd site)</li>
<li>installed honeyd</li>
<li>added an IP address to the interface via:
<pre>
ifconfig eth0:1 192.168.123.10 netmask 255.255.255.255 broadcast 192.168.123.255
</pre></li>
<li>installed Mail::Sendmail from CPAN (for the smtp.pl script). Please note: had to force the install as it was hanging on a "send" test. (Note: fix later.)</li>
<li>installed Net::DNS from CPAN (for the smtp.pl script).</li>
<li>installed arpd</li>
<li>wrote a simple start-up script consisting of:
<pre>
#!/bin/sh
killall honeyd
killall arpd
arpd -i eth0:1 192.168.123.10
ifconfig eth0:1 inet 192.168.123.10 netmask 255.255.255.0 broadcast 192.168.123.255
honeyd -l log.honeyd -f honeyd.conf -i eth0:1 192.168.123.10
</pre></li>
<li>ran ./run-honyd (the start-up script above)</li>
</ol>
<p>Comments:<ol>
<li>The <a href="http://www.monkey.org/~provos/libevent/">libevent</a> site has some links to some other interesting projects.</li>
</ol>
<p><b>Update:</b> this post was flagged (in June 2022) as violating Blogger's content policy (relating to Malware and Viruses). The above content has not been changed. Only this last statement has been added. Please note that the above post does not relate to Malware or Viruses.
<p><b>A new algorithm</b> (posted 2022-06-21)
<p>I'm thinking that it's time to get off of Google services. I just received a number of emails from Google, announcing that five of my posts (from as far back as 2004) have been unpublished because they were related to malware and viruses. The titles of those posts:<ul>
<li><b>More VI Tips</b> - this was just a pointer to someone else's web site, which no longer exists</li>
<li><b>Sendmail compiling for the no-server crowd </b> - explains what you need to edit before compiling the sendmail.conf file</li>
<li><b>Google</b> - this was basic research on someone who was spamming my comment section</li>
<li><b>Google Maps</b> - provided links to sites that explained how to add annotations to Google Maps</li>
<li><b>Building honeyd</b> - discussed some of the problems that I'd experienced while attempting to compile a honeypot (a defensive tool)</li>
</ul>
<p>The short version: none of these posts discussed malware or viruses. If these flags were implemented manually, HR needs to take a look at the resume of whomever flagged these posts. If it was an algorithm (more likely), Google needs to disable that algorithm and review the logic employed in it.
<p>I don't know about anything nowadays, but we learned in the early 00's that keyword searches have a high false positive rate. My favorite example: blocking the Virginia educational system because the url has "virgin" in it (yeah, that was a $17B project that did that).
<p>In short, I'll fight this once. The more likely event will be that I move the blog off of Google and onto a less buggy platform.
<p><b>XP-Pen Artist 12 2nd Gen</b> (posted 2022-03-20)
<p>Managed to get an XP-Pen Artist 12 second generation tablet working under Linux. The vendor's driver installation was straightforward and easy. The hard part was figuring out how to mirror a display to the tablet (hint: it involves xrandr). Will post the notes in Github shortly.
<p>I'm now working on improving my Kubernetes skills by migrating my library of Docker containers to Minikube. Topics I'm working on at the moment include load levelers and ingress tools, along with networking. The goal is to have the school range's containers similarly converted by the end of the summer. The current architecture involves some home-grown orchestration using Bash, Perl, and OpenVSwitch.
<p><b>Gofanco Prophecy (PRO-Matrix44-SC) controls</b> (posted 2021-09-05)
<p>Picked up a second-hand Gofanco Prophecy (PRO-Matrix44-SC) HDMI matrix (4 in/4 out, with Ethernet). Fired up Burp and figured out how to manage it with curl POST statements.
<p>Syntax amounts to:
<pre>
curl -d "COMMAND" -s -X POST http://&lt;IP of matrix&gt;/inform.cgi
</pre>
<p>Where COMMAND is one of:<ul>
<li><i>poweron</i> - which turns the matrix on</li>
<li><i>poweroff</i> - which turns the matrix off</li>
<li><i>outX=Y</i> - which switches output X (1-4) to input Y (1-4)</li>
</ul>
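A wrapper for those curl commands, added here as an example rather than anything from the vendor. It assumes a MATRIX_IP variable (the default is a documentation placeholder) and rejects any output or input number outside 1-4 before a request body is built, so a mistyped or scripted value from a hotkey never reaches the device as-is.

```shell
#!/bin/sh
# Wrapper around the matrix's inform.cgi endpoint (added example, not vendor code).
# MATRIX_IP is an assumed variable; 192.0.2.10 is a documentation placeholder.

MATRIX_IP="${MATRIX_IP:-192.0.2.10}"

# True when $1 is a single digit 1-4 (the only valid output/input numbers).
valid_port() {
    case "$1" in
        [1-4]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the POST body for a command, or print an error and return 1.
#   matrix_body poweron   -> poweron
#   matrix_body poweroff  -> poweroff
#   matrix_body out 2 4   -> out2=4   (output 2 now shows input 4)
matrix_body() {
    case "$1" in
        poweron|poweroff)
            printf '%s\n' "$1" ;;
        out)
            if valid_port "$2" && valid_port "$3"; then
                printf 'out%s=%s\n' "$2" "$3"
            else
                echo "usage: out <output 1-4> <input 1-4>" >&2
                return 1
            fi ;;
        *)
            echo "unknown command: $1" >&2
            return 1 ;;
    esac
}

# Send one validated command. The curl call in the post carries no credentials,
# so keep the matrix reachable only from the management network.
matrix_send() {
    body=$(matrix_body "$@") || return 1
    curl -d "$body" -s -X POST "http://$MATRIX_IP/inform.cgi"
}
```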
<p>Apparently, the matrix has a controller which keeps listening, even when the matrix is disabled. This is a nice-to-have feature, as it allows for network-based power-on.
<p>For now, the matrix is a bit of overkill, since I typically run just the server and the laptop, but it's nice to swap what is displayed on which of the two displays. It does give room to expand.
<p>I also picked up a couple 4-button keyboards from Amazon that I'll mix in, to provide management of each monitor's display via the above curl commands.
<p><div class="separator" style="clear: both;"><a href="https://1.bp.blogspot.com/-ZnhlrejC8yA/YTVdl5cgYwI/AAAAAAAABwA/wFcjEtPWYmMNtF6XFGzU0mxvDBqw-3aKgCLcBGAsYHQ/s847/4buttonkbd.jpg" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" width="320" data-original-height="411" data-original-width="847" src="https://1.bp.blogspot.com/-ZnhlrejC8yA/YTVdl5cgYwI/AAAAAAAABwA/wFcjEtPWYmMNtF6XFGzU0mxvDBqw-3aKgCLcBGAsYHQ/s320/4buttonkbd.jpg"/></a></div>
<p>The matrix supposedly also has an Alexa interface. That's for later experimentation, I think.
<p><b>Modify any web page before printing it</b> (posted 2021-09-02)
<p>It's the little things that have the greatest impact...
<p>I keep an archive of PDF-ified web pages that I find valuable. They're searchable because I use <a href="https://www.lesbonscomptes.com/recoll/" target="_new">Recoll</a> to index them, along with the <a href="https://framagit.org/medoc92/recollwebui" target="_new">web-ui</a> front-end.
<p>The below makes cleaning up a web page easy, so that it can be saved to PDF.
<p>Create a bookmark and enter the following in the URL field:
<pre>
javascript:document.body.contentEditable = 'true'; document.designMode='on'; void 0
</pre>
<p>When you have that, go to the web page that you want to save, click on the above bookmark and modify the page as you would in a word processor or text editor. You can then call up the browser's print function and save the page as a PDF.
<p><b>Fixing wlan interface name after using airmon-ng</b> (posted 2021-08-07)
<p>One for the students' notebooks...
<p>If you have an interface named (as an example) "wlan16" and you attach airmon-ng to it, then exit ungracefully (e.g., via ctrl-c), you'll probably notice that you now have an interface named "wlan16mon". The repair is quite easy.
<p>1) Use iwconfig to check that the interface is still in monitor mode.
<pre>
iwconfig wlan16mon
</pre>
If it isn't in monitor mode (e.g., you've been messing with it and changed the mode), return it to monitor mode via:
<pre>
ifconfig wlan16mon down
iwconfig wlan16mon mode monitor
</pre>
<p>2) Use the following airmon-ng command to stop the interface and return the name to normal.
<pre>
airmon-ng stop wlan16mon
</pre>
<p>3) Check the interface
<pre>
iwconfig
</pre>
<p><b>CircleID shilling others' stuff?</b> (posted 2020-09-25)
<p>It's been years since I've posted one of my opinion pieces, but this one annoyed me enough to write about it. On 22 September, CircleID posted "<a href="http://www.circleid.com/posts/20200922-100k-list-of-disposable-email-domains-under-security-analysis/" target="_new">100K+ List of Disposable Email Domains Under Security Analysis</a>". I dislike the post as it is (in a technical sense) a poorly written/researched piece. A more accurate title would use "Marketing" instead of "Security".
<p>Issues that I have with the "article" follow. Note: I use "article" in place of "ad" because, as an advertisement, the "article" is even more of a disappointment.
<p>1) CircleID notes that it's a sponsored post. This means that someone is trying to sell/promote something. A minor bit of research will reveal that the "author" of the article is willing to sell you access to their list. I originally subscribed to CircleID's RSS feed because they posted about some of the ICANN level politics and issues relating to management of DNS domains. I've now moved CircleID to my "probationary" list.
<p>2) There's no personal attribution for the article (unless someone legally changed their name to "WhoisXML API").
<p>3) The article avoids discussing the benefits of using disposable email. Not everyone considers becoming a "key email marketing metric" a goal in life. Most consider "key email metrics" as an "unwanted commodity" (i.e., being added to marketing lists that are sold and resold). Notice that I'm being nice here and not using the pronoun made famous by Monty Python?
<p>4) There is an unsupported claim that email security solutions can be further strengthened by filtering out disposable email solutions. This is true only if you consider "key email marketing metrics" as having value. Legitimate email domains aren't immune to email blackholes. Example: someone going to a conference might give out a "temporary email address" (in their corporate domain) that ceases to exist a few weeks after the conference closes. Justification: avoidance of extended bouts of unwanted emails.
<p>5) The list of categories that "stood out" seems a bit selective, in that it ignores the primary use case for disposable email addresses. In short, they're disposable (i.e., used for one specific purpose and then allowed to expire). This ignored category is used to:<ul>
<li>acquire vendor's marketing fluff without becoming a "key email marketing metric"</li>
<li>acquire other information without becoming a "key email marketing metric"</li>
<li>enter in-person contests for $5 coffee mugs or sticker sets without becoming a "key email marketing metric"</li>
<li>fill out "surveys" without becoming a "key email marketing metric"</li>
<li>acquisition of other low value offerings, without becoming a "key email marketing metric"</li>
</ul>
<p>Do you sense a common theme here? I do.
<p>6) The hidden author's math is extremely weak. From the article: "We analyzed one such a list which, as of 31 July 2020, contained 109,352 disposable email domains. This is enough to create millions of throwaway email addresses."
<p>Given a single email domain, over a million email addresses can be generated from a four character username limitation (a-z and 0-9, with omission of any special characters). If you do the math (36 x 36 x 36 x 36) it comes to 1,679,616 "words" that you can put on the left-hand side of the "@".
<p>Using that same 4-character limitation on the "researched" 109,352 suspect domains, the math allows you to generate 183,669,368,832 (almost 2e+11) email accounts. That's just a little bit more than "millions of throwaway email addresses".
<p>Bumping the username side of the email address to 6 characters results in over 2e+14 email addresses (more accurately in the 238,035,500,000,000 ballpark). Imagine what you can do with 12 or 16 character usernames!
<p>7) WhoisXMLAPI's pricing appears a bit steep, too. For just my email address (a single user account in a single domain), on 23 September, I received 11 emails that the system deemed "unsolicited" and another 22 for which I wish I'd used a disposable email address. If you consider that "normal" and expand it out to a 30-day month, that's 990 undesired emails, 660 of which I have to delete manually. WhoisXMLAPI's "free" service has an upper limit of 500 queries. The next tier up allows for 2000 queries per month, at a $15/month rate. If I have two employees, that bumps me into the next tier, at $30/month.
<p>If the query results are delivered via a DNS-based service, this is extremely expensive (2000 queries per month for $15?). If they're reselling information that is free elsewhere on the Internet (SORBS, Spamcop, etc.), I have more reasons to dislike them.
<p>I don't like their pricing plan either. They have you buy credits, which you can use in a single month. If you don't use the credits, they expire and you no longer have them. It's not their fault if you overestimate your spam load for the coming month. While this minimizes their need for customer interaction, it maximizes yours (if you worry about costs). A simple metering system would be more customer friendly.
<p>I'd much rather worry about my own domain ending up on an email blacklist. For that, I can perform the RBL lookups myself (with a bit of code), perform those same lookups via a free web site (e.g., DNSWatch), or have someone monitor my domain (e.g., MXToolBox), all for free.
<p>Overall, I think the article was aimed at the non-technical CIO, CSO, or CTO (yes, they do exist). The primary sales tactic seems to be the old-standby: be afraid, be very afraid. It's a bit disappointing that CircleID is promoting this stuff vice their own articles, many of which caused me to subscribe to their RSS feed years ago.
<p><b>TT-RSS scrollbars</b> (posted 2020-09-15)
<p>I like the night theme in TT-RSS. However, the scrollbars are very thin, and attempting to use them is exceedingly annoying. This is easily rectified.
<p>The file to edit is tt-rss/themes/night.css. There are two entries that modify the width of the various scrollbars. Search for "scrollbar" and look for "width". The default width is 4px. Set it to something between 8 and 12 pixels, then refresh the web page.
<p><b>Demo-ing Dhaval Kapil's icmptunnel in Docker</b> (posted 2020-06-21)
<p>A recent NCL competition included a challenge that frustrated a number of participants, one that dealt with extraction of data from a PCAP containing ICMP tunneling traffic (i.e., the PCAP file was provided, the goal was to extract the data to acquire the flag).
<p>The local community college has a Cyber Club, which typically meets on Friday nights. Membership is made up of current ITN students and alumni. With the recent school closures and quarantines, the in-person meetings were cancelled. However, the "die hards" decided to move the meetings online, using Discord's voice and screen sharing capabilities. (We were already using Discord as a message server.)
<p>There was enough frustration with the NCL challenge that four of us (from the group) attacked the problem in two parts: 1) Create an architecture in which our own PCAPs could be generated, and 2) write tools or processes that can extract/un-tunnel the data from the captured ICMP packets.
<p>Solving problem #1 took a couple weeks, mostly due to selection of the ICMP tunnel software. There's three variants on Github. We selected <a href="https://dhavalkapil.com/" target="_new5">Dhaval Kapil's</a> ICMPtunnel utility (link below).
Being the most stubborn in the group, I was the first to complete part 1. The configuration is easy, once you realize that English is probably not the author's first language (i.e., there are logic errors in the documentation).
<p>I used Docker and OpenVSwitch to create the architecture (image below). To keep things simple (some people have no Docker or OpenVSwitch experience), I automated as much as possible (links much below), so that users would only need to run a couple scripts to create the architecture (one to build/pull images, another to deploy the containers and network).
<p><img src="https://raw.githubusercontent.com/packetgeek/icmptunnel-docker-demo/master/architecture.png" width=95%>
<p>The lab simulates a network in which a client sits behind a firewall that blocks "normal" traffic but passes ICMP echo requests and echo replies. A "proxy" serves as the ICMP tunnel endpoint: it decapsulates the IP traffic carried in the ICMP packets and forwards it on to the target web server, and the server's responses travel back inside echo replies.
<p>Two others used VMs to simulate their architectures, using the same tunnel software. They were hung up on the same logic errors that had stumped my efforts, and were able to fix their architectures by looking at the Docker-based scripts.
<p>This past Friday (yesterday), two of the others demo'd their tools (scripts) to extract content from ICMP PCAP files, produced by connecting a Wireshark sniffer into the architecture (my code includes the Wireshark container with a web interface, from LinuxServer; link below).
<p>One Club member (DgtlCwby) has created a very tightly written Bash script, which drives tshark and walks through the process of extracting the data. It works, producing output identical to the graphic pulled from the web server.
<p>Another student produced a Python/Scapy script which also works. He expressed some concerns about the code, having built it from a number of online articles, and wanted to improve it. This turned out to be a deep rabbit hole, into which the four of us fell, making suggestions for at least two hours past the normal "end" time. They were still tweaking the script when I bailed to join another call.
<p>DgtlCwby has given me permission to generate an article based on his script, explaining each step, which is what I'll be doing in the coming days (we're all learning as we go).
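<p>For readers who want to see the extraction step end to end before that article appears, the following is an added example (standard-library Python, not the Bash/tshark script, the Scapy script, or anything from the icmptunnel project). It assumes what a TUN-based tunnel such as Dhaval Kapil's does: each echo request or reply carries one complete IPv4 packet as its data. The script walks a classic pcap, keeps only echo packets whose data parses as an inner IPv4/TCP packet, and reassembles each inner TCP flow by sequence number, so out-of-order and retransmitted tunnel packets (both common, since the tunnel has no delivery guarantees of its own) come out right. Ordinary pings are skipped because their payload does not look like an IP header. The sample capture at the bottom is constructed inline so the script runs with no input file.

```python
"""Pull tunneled data back out of ICMP echo traffic in a classic pcap file.

Added example (stdlib only), not code from the original post or the icmptunnel project.
Assumption: each echo request/reply carries one complete IPv4 packet as its data, which
is how a TUN-based tunnel such as Dhaval Kapil's moves traffic.  Outer frames must be
Ethernet/IPv4; IP fragments, UDP inside the tunnel and TCP seq wraparound are not handled.
"""
import socket, struct, sys
from collections import defaultdict

ETH_IPV4, PROTO_ICMP, PROTO_TCP = 0x0800, 1, 6
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def iter_pcap_frames(data):
    """Yield link-layer frames from pcap bytes (classic format, not pcapng)."""
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet (link type 1) frames")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def parse_ipv4(buf):
    """Return (proto, src, dst, payload), or None if buf is not an IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl, total = (buf[0] & 0x0F) * 4, struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total < ihl or total > len(buf):
        return None
    return buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[ihl:total]

def reassemble(segments):
    """Order TCP segments by sequence number and drop retransmitted bytes."""
    out, next_seq = bytearray(), None
    for seq, data in sorted(segments, key=lambda s: s[0]):
        next_seq = seq if next_seq is None else next_seq
        if seq + len(data) <= next_seq:
            continue                                      # full retransmission
        if seq < next_seq:
            data, seq = data[next_seq - seq:], next_seq   # partial overlap
        out += data                                       # gaps are tolerated
        next_seq = seq + len(data)
    return bytes(out)

def extract_tunneled(pcap_bytes):
    """Return {(src, sport, dst, dport): bytes} for each TCP flow carried in the tunnel."""
    segments = defaultdict(list)
    for frame in iter_pcap_frames(pcap_bytes):
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        outer = parse_ipv4(frame[14:])
        if outer is None or outer[0] != PROTO_ICMP:
            continue
        icmp = outer[3]
        if len(icmp) < 8 or icmp[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        inner = parse_ipv4(icmp[8:])          # echo data should be a whole IP packet
        if inner is None:
            continue                          # ordinary ping, not tunnel traffic
        proto, src, dst, l4 = inner
        if proto == PROTO_TCP and len(l4) >= 20:
            sport, dport, seq = struct.unpack("!HHI", l4[:8])
            payload = l4[(l4[12] >> 4) * 4:]  # skip the TCP header and options
            if payload:
                segments[(src, sport, dst, dport)].append((seq, payload))
    return {flow: reassemble(segs) for flow, segs in segments.items()}

def _ipv4(src, dst, proto, payload):      # sample-capture builders; checksums stay zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def _tcp(sport, dport, seq, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload

def _echo_frame(kind, src, dst, data):
    icmp = struct.pack("!BBHHH", kind, 0, 0, 0x1234, 1) + data
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + _ipv4(src, dst, PROTO_ICMP, icmp)

def sample_pcap():
    """Constructed capture: 10.0.0.1 <-> 10.0.0.2 outside, 10.8.0.2 <-> 192.168.1.10 inside."""
    req = _ipv4("10.8.0.2", "192.168.1.10", PROTO_TCP, _tcp(40000, 80, 1000, b"GET / HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"))
    rep1 = _ipv4("192.168.1.10", "10.8.0.2", PROTO_TCP, _tcp(80, 40000, 2000, b"HTTP/1.1 200 OK\r\n\r\n"))
    rep2 = _ipv4("192.168.1.10", "10.8.0.2", PROTO_TCP, _tcp(80, 40000, 2019, b"hello, tunnel\n"))
    ping = b"\x00" * 8 + bytes(range(0x10, 0x38))      # a normal ping payload; must be ignored
    frames = [_echo_frame(ICMP_ECHO_REQUEST, "10.0.0.1", "10.0.0.2", req),
              _echo_frame(ICMP_ECHO_REPLY, "10.0.0.2", "10.0.0.1", rep2),  # arrives out of order
              _echo_frame(ICMP_ECHO_REPLY, "10.0.0.2", "10.0.0.1", rep1),
              _echo_frame(ICMP_ECHO_REPLY, "10.0.0.2", "10.0.0.1", rep1),  # retransmission
              _echo_frame(ICMP_ECHO_REQUEST, "10.0.0.1", "10.0.0.2", ping)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for (src, sport, dst, dport), payload in extract_tunneled(data).items():
        print(f"{src}:{sport} -> {dst}:{dport} ({len(payload)} bytes)\n{payload!r}\n")
```

<p>Run it with a capture from the lab (<code>python3 untunnel.py capture.pcap</code>) or with no argument to see the constructed sample. The reassembled server-to-client flow is the HTTP response, so writing it to a file and stripping the headers gives back the graphic the web server sent. The same idea applies to other tunnel tools; what changes is the framing assumption (some prepend their own header to the echo data, or carry raw bytes instead of an IP packet), which is the first thing to check in the PCAP before writing the extractor.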
<p>Links:<ul>
<li><a href="https://dhavalkapil.com/icmptunnel/" target="_new1">https://dhavalkapil.com/icmptunnel/</a></li>
<li><a href="https://github.com/DhavalKapil/icmptunnel/" target="_new2">https://github.com/DhavalKapil/icmptunnel/</a></li>
<li><a href="https://github.com/packetgeek/icmptunnel-docker-demo" target="_new3">https://github.com/packetgeek/icmptunnel-docker-demo</a></li>
<li><a href="https://hub.docker.com/r/linuxserver/wireshark" target="_new4">https://hub.docker.com/r/linuxserver/wireshark</a></li>
<li><a href="https://nationalcyberleague.org/" target="_new6">https://nationalcyberleague.org/</a></li>
</ul>
<p>joat | 2020-01-01
<p>Today's project (setting up a knockd lab for CTF training) isn't improving my opinion of Ubuntu packaging much. This isn't the first time in the past week that I've run across munged packages and old code.
<p>The scenario for the lab is that rubber-hose cryptanalysis was employed against an evil hacker and produced the following:<ul>
<li>the hacker's handle</li>
<li>his workstation password</li>
<li>a sequence of numbers: 2222, 3333, 4444</li>
<li>and that an encryption key will be available on a certain port</li>
</ul>
<p>The student will be tasked with finding the hidden server in the hacker's private network, figuring out how to open the port on the server, and obtaining the key from the open port. The unstated facts include that only nmap and netcat are available on the hacker's workstation.
<p>In the first 30 minutes, I was able to design a Docker container that runs supervisord, knockd, socat, and an internal (to the container) instance of iptables. In the subsequent hour, I tried various things to get knockd to properly run the close-port command. Even the configuration examples provided by the original authors didn't work. The "iptables -D" commands would work on the command line but not when called by knockd.
<p>To make a long story short: if you're using the Ubuntu knockd package, the close command (knockd's stop_command) needs to be wrapped in "bash -c 'the command'" before it'll work properly. I've added "patching" to my to-do list, but it's near the bottom (it won't be any time soon). At the top of the list is adding this instance to the OVS architecture, which resides behind a Guacamole instance, and adding a dynamic flag calculation for use in CTFd.
<p>joat | 2019-12-28 | xpra
<p>Spent a good portion of the morning playing with xpra on Ubuntu 18.04. Initially, I didn't like it much, as Ubuntu's prepackaged binary is crap (it lacks the HTML5 portion of the larger code base). After switching to the project's hosted repos, I was able to get it to execute. However, in the long run, it wasn't what I was seeking.
<p>joat | 2019-12-05 | What was I reading in November 2019
<p>Another busy month. Worked on setting up easily deployable private architectures for students, using Docker, OVS, and some scripting. Mixed in some Guacamole and a touch of image mapping, and we have our first lab for the firewall class. Also spent the last of the 2018 Christmas money on classes (I'm now backlogged for 15 classes).
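<p>For reference, here is the shape of a knockd.conf stanza for this lab, as an added example rather than the container's actual config. Assumptions: the key is served by socat on TCP port 8888, iptables is at /sbin/iptables, the container's INPUT chain drops everything not explicitly allowed, knockd listens on eth0, and the knocks are TCP SYNs. The close command is the one that misbehaves under the Ubuntu package, so it is shown wrapped in bash -c; the open command is left as a plain iptables invocation.

```ini
[options]
    UseSyslog
    Interface = eth0

# Added example for the knockd lab; assumed port 8888, iptables path and stanza name.
# knockd watches the interface with libpcap, so the knock SYNs are still seen even
# though the firewall drops them.  %IP% is replaced with the knocking client's address.
[openKeyPort]
    sequence      = 2222,3333,4444
    seq_timeout   = 10
    tcpflags      = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 8888 -j ACCEPT
    cmd_timeout   = 30
    stop_command  = bash -c '/sbin/iptables -D INPUT -s %IP% -p tcp --dport 8888 -j ACCEPT'
```

<p>From the hacker's workstation, where only nmap and netcat exist, the student can send the knocks with something like <code>for p in 2222 3333 4444; do nmap -Pn --max-retries 0 -p $p SERVER; done</code> and then has cmd_timeout seconds to run <code>nc SERVER 8888</code> before the stop_command removes the rule again. Two things to verify when the lab misbehaves: that seq_timeout is long enough for three separate nmap invocations, and (via syslog, since UseSyslog is set) that knockd actually logged the stop_command running rather than just the open.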
<p style='font-size:medium'>2019-11-07</p><p>- <a href='https://www.zerodayinitiative.com/blog/2019/11/6/pwn2own-tokyo-2019-day-one-results' target='_NEW1'>Pwn2Own Tokyo 2019 - Day One Results</a><br/>
- <a href='https://medium.com/@lerner98/rage-against-the-maschine-3357be1abc48' target='_NEW2'>Rage Against the Maschine</a> - a discussion on reverse engineering of a specific piece of hardware<br/>
- <a href='https://x-c3ll.github.io/posts/blackbox-lief-kaitai/' target='_NEW3'>Isolating the logic of an encrypted protocol with LIEF and kaitai</a> - more reverse engineering<br/>
- <a href='https://articles.forensicfocus.com/2019/11/06/walkthrough-whats-new-in-xamn-v4-4/' target='_NEW4'>Feature walk-through for the XAMN v4.4 forensics tool</a><br/>
<p style='font-size:medium'>2019-11-08</p><p>- <a href='https://www.theverge.com/2019/11/7/20953040/openai-text-generation-ai-gpt-2-full-model-release-1-5b-parameters' target='_NEW5'>OpenAI has published the text-generating AI it said was too dangerous to share</a> - Someone believes their own hype a bit too much, I think...<br/>
- <a href='https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html' target='_NEW6'>Bypassing GitHub's OAuth flow</a><br/>
- <a href='https://rootsofprogress.org/one-mans-junk' target='_NEW7'>One man's junk</a><br/>
- <a href='https://gitroyalty.com/' target='_NEW8'>GitRoyalty</a> - WTF?! If you drop opensource behind a paywall, it's not opensource anymore! This is dumb.<br/>
- <a href='https://x-c3ll.github.io//posts/rethinking-inotify/' target='_NEW9'>Rethinking the inotify API as an offensive helper</a><br/>
<p style='font-size:medium'>2019-11-11</p><p>- <a href='https://www.garykessler.net/library/file_sigs.html' target='_NEW10'>File Signatures</a> - a must-have!<br/>
- <a href='https://ctfs.github.io/resources/' target='_NEW11'>CTF Resources</a> - a work-in-progress<br/>
<p style='font-size:medium'>2019-11-17</p><p>- <a href='https://ubuntu.com/blog/we-reduced-our-docker-images-by-60-with-no-install-recommends' target='_NEW12'>We reduced our Docker images by 60% with --no-install-recommends</a><br/>
- <a href='https://linuxhandbook.com/dd-command/' target='_NEW13'>5 Practical Examples of the dd Command in Linux</a> - I revisited this while learning more about using binwalk to extract hidden files from other files.<br/>
- <a href='https://www.netresec.com/index.ashx?page=Blog&month=2019-11&post=Extracting-Kerberos-Credentials-from-PCAP' target='_NEW14'>Extracting Kerberos Credentials from PCAP</a><br/>
<p style='font-size:medium'>2019-11-20</p><p>- <a href='https://www.cs.columbia.edu/~smb/blog/2019-11/2019-11-14a.html' target='_NEW15'>The Early History of Usenet, Part II: The Technological Setting</a><br/>
- <a href='https://www.redhat.com/sysadmin/configuring-ansible' target='_NEW16'>Configuring Ansible</a><br/>
- <a href='https://thewalrus.ca/dont-blame-the-internet-for-bad-slang/' target='_NEW17'>Don't Blame the Internet for New Slang</a><br/>
<p style='font-size:medium'>2019-11-21</p><p>- <a href='https://rjlipton.wordpress.com/2019/11/19/a-clever-way-to-find-compiler-bugs/' target='_NEW18'>A Clever Way To Find Compiler Bugs</a><br/>
<p style='font-size:medium'>2019-11-27</p><p>- <a href='https://deepmind.com/blog/article/AlphaStar-Grandmaster-level-in-StarCraft-II-using-multi-agent-reinforcement-learning' target='_NEW21'>AlphaStar: Grandmaster level in StarCraft II using multi-agent reinforcement learning</a><br/>
- <a href='https://blog.trailofbits.com/2019/10/31/destroying-x86_64-instruction-decoders-with-differential-fuzzing/' target='_NEW22'>Destroying x86_64 instruction decoders with differential fuzzing</a><br/>
- <a href='https://github.com/whitequark/unfork/blob/master/README.md' target='_NEW23'>whitequark/unfork</a><br/>
<p style='font-size:medium'>2019-11-30</p><p>- <a href='https://thenextweb.com/insights/2019/11/15/study-there-may-be-no-such-thing-as-objective-reality/' target='_NEW24'>Study: There may be no such thing as objective reality</a> - A bit too much on theory and philosophy. A discussion, where an experiment (e.g., Schrodinger’s Cat) relies too heavily on dependencies and/or limitations on the experiment. Most everyone can tell you if the cat is alive just by listening or picking up the box. Short version: a scientist's version of navel-gazing.<br/>
<p style='font-size:x-small'>Above was generated by a homegrown bolt-on script for <a href='https://www.wallabag.org/' target='_NEWWALLA'>Wallabag</a>, which is a free utility for capturing web content so that it can be read later.</p>
<p>joat | 2019-11-30 | Moloch's network authentication
<p>Looks like it's time to switch to "tech writer" for a few days. Finally figured out why <a href="https://molo.ch/">Moloch</a> (think web version of Wireshark) wasn't accepting the network authentication. Moloch is a very nice tool (especially for teaching environments), but the install docs are a bit short.
<p>The "hidden detail" was in how the reverse proxy mangles specific header variables (what goes into the proxy config isn't what is delivered to Moloch). I had to write a variable dump script before that was noticeable. One caution when setting this up: if Moloch is configured to trust a user-name header supplied by the proxy, the proxy must overwrite that header on every request and Moloch must not be reachable except through the proxy; otherwise anyone who can send a request with that header set gets in as that user.
<p>In any case, TC4 IDS students now have a very nice way to view captured packets.
<p>joat | 2019-11-27 | Fixing Moloch's Hunt function for anonymous users
<p>For those working with Moloch in single-user (anonymous) mode (where the passwordSecret line in config.ini is commented out), you may have noticed that the "Hunt" option doesn't work out of the box. Moloch will complain about the anonymous user not existing.
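<p>The dump script itself is a few lines. The following is an added example (not the author's script): a tiny WSGI app that you point the proxy at in place of Moloch for a moment, so you see the headers exactly as the application receives them. It assumes the proxy forwards to 127.0.0.1:8005. The translation back from WSGI's HTTP_* names is where the mangling shows: WSGI upper-cases names and turns dashes into underscores, so a header that was configured with underscores in the proxy is indistinguishable from one with dashes on this side, and nginx in particular drops underscore-named headers unless underscores_in_headers is turned on.

```python
"""Show exactly which headers reach the app behind a reverse proxy.

Added example, not the author's dump script.  Point the proxy at this instead
of Moloch for a moment and compare what it prints with what the proxy config
says it sends.  Assumption: the proxy forwards to 127.0.0.1:8005.
"""
from wsgiref.simple_server import make_server


def headers_from_environ(environ):
    """Rebuild the request headers from a WSGI environ.

    WSGI upper-cases header names, turns '-' into '_' and prefixes HTTP_, so a
    proxy-set 'Remote-User' arrives as HTTP_REMOTE_USER.  A header that is in
    the proxy config but missing here was dropped or renamed on the way.
    """
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-").title()] = value
        elif key in ("CONTENT_TYPE", "CONTENT_LENGTH") and value:
            headers[key.replace("_", "-").title()] = value   # the two non-HTTP_ headers
    return headers


def app(environ, start_response):
    """WSGI app: answer every request with a plain-text list of the headers seen."""
    lines = [f"{name}: {value}" for name, value in sorted(headers_from_environ(environ).items())]
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [("\n".join(lines) + "\n").encode("utf-8")]


if __name__ == "__main__":
    print("listening on 127.0.0.1:8005")
    make_server("127.0.0.1", 8005, app).serve_forever()
```

<p>While it is running, send a request through the proxy and, separately, send one straight to port 8005 with the user-name header set by hand. The first tells you what the proxy really forwards; the second tells you whether the application is reachable without the proxy at all, which it must not be when a header is what authenticates the user.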
<p>The fix is the obvious work-around (i.e., create the anonymous user). This can be accomplished from the command line, via:
<p><code>
/data/moloch/bin/moloch_add_user.sh anonymous "anonymous" PaSsW0rD
</code>
<p>You'll never need to log in as the anonymous user, so make the password difficult and don't re-use the password from one of your other accounts.