Weaponizing nessus


From the “when your only tool is a hammer, everything looks like a nail” files comes this amusing tidbit: http://www.shellntel.com/blog/2016/6/7/weaponizing-nessus


Categories : Security

Xwindows and Windows


Exceed is the best. Unfortunately, it is pricey: http://connectivity.opentext.com/buy-online.aspx

Your other options are:

MobaXterm: in free and pay versions, pretty simple to install/setup and use.

Xming: free (old version) or pay (current version), also pretty simple to use.

Cygwin/X: complicated, kludgey and you should probably avoid it.




Don’t run “strings” against files…


From http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html:

Many shell users, and certainly most of the people working in computer forensics or other fields of information security, have a habit of running /usr/bin/strings on binary files originating from the Internet. Their understanding is that the tool simply scans the file for runs of printable characters and dumps them to stdout – something that is very unlikely to put you at any risk.

It is much less known that the Linux version of strings is an integral part of GNU binutils, a suite of tools that specializes in the manipulation of several dozen executable formats using a bundled library called libbfd.

Other well-known utilities in that suite include objdump and readelf. Perhaps simply by the virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and “optimize” the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can be hardly described as safe: a quick pass with afl (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking

Check the site for POC code. It’s old and it’s nasty.

Categories : Security

Configuring cacti for 1-minute polling


Trickier than it sounds, just because there’s lots of moving parts. Here is a handy guide that gets all the notes right: http://www.tolaris.com/2013/07/09/cacti-and-1-minute-polling/

Categories : HowTo

How to Manually Update Bash to Patch Shellshock Bug on Older Fedora-Based Linux Systems | Steve Jenkins’ Blog

Categories : Security

Linux / Unix / VMS equivalencies


So you’re dumped in Brazil (VMS) and all you speak is English (Windows) and Spanish (Linux), how do you get by?

A universal translator, of course: http://bhami.com/rosetta.html


There’s also a VMS to Unix cheat-sheet: http://www.physnet.uni-hamburg.de/physnet/vms-unix-commands.html

and another: https://www.mpp.mpg.de/~huber/vmsdoc/unix_vms_cmd_xref.html

setting security/ownership in VMS: http://labs.hoffmanlabs.com/node/1806

tiny gotchas that you might not expect:

  • case insensitive
  • no
  • VMS has no set mount points, so you have to explicitly state which disk is being referenced in a command:
$ create/directory [.tmp]
$ copy dsa0: [.tmp]x.tmp
$ copy dsa0: [.tmp]y.tmp
$ copy dsa0: [.tmp]z.tmp

This creates a directory, .tmp, and three files inside it, x.tmp, y.tmp, z.tmp.


AIX Cheat-sheet: http://bigcalm.tripod.com/aix/handycommands.htm

AIX Cheat-sheet: http://www.tablespace.net/quicksheet/aix-quicksheet.pdf [PDF]

AIX Cheat-sheet: http://www.vmexplore.com/aix-commands-cheat-sheet/

AIX documentation: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp 

AIX Admin’s blog, full of AIX tips and tricks: http://nixys.fr/blog/?tag=aix (I haven’t used it but it’s the type of quick and to-the-point howto that I find most useful.)

a text file cheat-sheet — quick and dirty, no-nonsense: http://www.pimpworks.org/ibm/aix.txt



The biggest caveat when going to Solaris from Linux is that a lot of the tools you expect are missing (i.e., not installed by default) or different (i.e., you’re expecting the GNU versions). The easiest way to deal with this is to install the GNU tools and put them in your PATH. That said, Solaris 10 is less of a PITA than older versions (9, 8… or, heaven forfend, SunOS).

Here is a fast and dirty “why doesn’t this work / how do I do this?” for Solaris: http://sysunconfig.net/unixtips/solaris.html

IBM redbooks, learn it, love it: http://www.redbooks.ibm.com/redbooks/pdfs/sg247186.pdf [PDF]

Lesser Known Solaris Features: http://www.c0t0d0s0.org/pages/lksfbook.html



Linux user auth against Active Directory


Enabling user authentication on Linux against Active Directory, using Ubuntu, sssd and AD 2008 (should also work with 2003 R2).
1. Install the software you need:

apt-get install realmd sssd samba-common samba-common-bin samba-libs sssd-tools krb5-user adcli

2. vi /etc/sssd/sssd.conf and put this in it (the [nss] and [pam] section headers are added here: sssd will not parse the file without sections, and the two reconnection_retries lines belong one to each section):

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

3. chmod 0600 /etc/sssd/sssd.conf

4. vi /etc/realmd.conf and put this in it (the option lives in the [service] section; the header is added here):

[service]
automatic-install = no

5. run kinit Administrator@YOURDOMAIN.ALLINCAPS.TLD
6. run realm --verbose join yourdomain.allincaps.tld \
--user-principal=ubuntuserverhostname/Administrator@YOURDOMAIN.ALLINCAPS.TLD --unattended

You should have more content inside sssd.conf now, in the [domain/YOURDOMAIN.ALLINCAPS.TLD] section.
7. vi /etc/sssd/sssd.conf and comment out the line use_fully_qualified_names = True


You should now be able to su - to a domain user.

That’s it, you’re done: you can login to your linux box by authenticating to your Active Directory domain.

Additional (and optional) stuff is below, like adding groups and restricting logins based on groups.


Additional settings inside the /etc/sssd/sssd.conf [domain] section to enable groups:

ad_domain = yourdomain.allincaps.tld
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
## comment out
#use_fully_qualified_names = True
## these will need to be created manually or you will need to modify pam to
## mkdir them with pam_mkhomedir.so or use oddjob-mkhomedir, see below
override_homedir = /home/%u
fallback_homedir = /home/%d/%u
##group settings##
ldap_group_uuid = objectGUID
ldap_user_uuid = objectGUID
ldap_group_member = member
ldap_user_member_of = memberOf
ldap_user_uid_number = uidNumber
ldap_group_nesting_level = 1
ldap_force_upper_case_realm = True
ldap_user_principal = userPrincipalName
ldap_user_object_class = user
ldap_user_gid_number = gidNumber
ldap_group_modify_timestamp = whenChanged
ldap_group_object_class = group
ldap_group_name = cn
ldap_user_name = sAMAccountName
ldap_ns_account_lock = userAccountControl
ldap_user_home_directory = unixHomeDirectory
ldap_user_modify_timestamp = whenChanged
ldap_group_gid_number = gidNumber
ldap_referrals = false
## NOTE: ldap_group_nesting_level is set twice in this block (1 above, 0 here);
## keep only the one value you want
ldap_group_nesting_level = 0

Test that groups are working by su’ing to an AD user and typing in “groups”, which will show you what groups your user is a member of.

To make the home directory autocreate:

1. edit /etc/pam.d/common-session (/etc/pam.d/session-auth in RHEL) and add this line before any pam_ldap or pam_krb5 lines:

#autocreate user homedirs
 session required pam_mkhomedir.so umask=0022 skel=/etc/skel

To limit login by AD group:

  1. Create a file that will have the group names allowed to login:
    vi /etc/login.allowed.per.ad.group

    and populate it with group names, one per line (I created an AD group called linux-login, to limit which users were allowed to login), like so:

    domain\ admins
  2. edit /etc/pam.d/common-auth (in RHEL this is /etc/pam.d/system-auth) and add this line to it:
    auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.allowed.per.ad.group
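Added example (not from the original post): a small emulation of the decision the pam_listfile line above makes, run against a constructed allow-list and constructed group memberships. It shows the two things worth checking before relying on this control: with onerr=fail a missing or unreadable list denies everyone instead of letting logins through, and pam_listfile refuses a world-writable list and compares group names literally, so an entry written with the sudoers-style escape `domain\ admins` will not match the group that sssd exposes as `domain admins`. File paths and users here are constructed; nothing talks to a real PAM stack or domain.

```python
import os
import stat
import tempfile


def login_allowed(user_groups, listfile, onerr="fail"):
    """Emulate: auth required pam_listfile.so onerr=fail item=group sense=allow file=<listfile>.

    user_groups: the group names the user belongs to, as the 'groups' command prints them.
    Returns True when some line of the list names one of those groups.
    """
    try:
        st = os.stat(listfile)
    except OSError:
        # List missing or unreadable: the onerr= option decides. onerr=fail (used in
        # the post) denies, so a deleted or mis-pathed file cannot open the door.
        return onerr == "succeed"
    if st.st_mode & stat.S_IWOTH or not stat.S_ISREG(st.st_mode):
        # A world-writable or non-regular list is refused outright.
        return False
    try:
        with open(listfile) as fh:
            # One name per line, line ending removed, no whitespace or escape handling.
            names = [line.rstrip("\r\n") for line in fh]
    except OSError:
        return onerr == "succeed"
    return any(name and name in user_groups for name in names)


def demo():
    """Evaluate constructed users against a constructed copy of the post's allow-list."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        listfile = os.path.join(tmp, "login.allowed.per.ad.group")
        with open(listfile, "w") as fh:
            # Constructed list: the post's two entries, one written sudoers-style.
            fh.write("domain\\ admins\nlinux-login\n")
        os.chmod(listfile, 0o644)
        results["member of linux-login"] = login_allowed(
            {"domain users", "linux-login"}, listfile)
        # sssd names the group 'domain admins'; the escaped line never matches it.
        results["domain admin via escaped entry"] = login_allowed(
            {"domain users", "domain admins"}, listfile)
        results["no listed group"] = login_allowed({"domain users"}, listfile)
        os.chmod(listfile, 0o666)  # world-writable: refused regardless of onerr
        results["world-writable list"] = login_allowed(
            {"domain users", "linux-login"}, listfile)
        missing = os.path.join(tmp, "does-not-exist")
        results["missing list, onerr=fail"] = login_allowed({"linux-login"}, missing)
        results["missing list, onerr=succeed"] = login_allowed(
            {"linux-login"}, missing, onerr="succeed")
    return results
```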


To allow an AD group to have access to sudo:

  1. visudo
  2. add the AD groups

%domain\ admins ALL=(ALL) ALL

%linux-sudo ALL=(ALL) ALL

Further reading:
Allow/Deny login per group:

Various bits, mostly to do with LDAP authentication, but can be translated for use with AD/sssd/pam (e.g. homedir creation)