Wednesday, December 31, 2008

New year 2009

It's a rough 2008...

2008's DDoS blues for starters, as well as some random carnage on the hardware side. How I wish I could just play the NETWORK guy... life would have been easier.

Ohhh... well... Happy New Year 2009

10+ hours to go... till '09.

-pfunix

Sunday, November 16, 2008

1337 cereal anyone?


A friend of mine sent me this cool picture! lol. Did some googling and got to the site.


http://pwnagecereal.ytmnd.com/ says on the site "If you eat like a n00b you will be 0wn3d like a n00b" LOL... the hax0r style of typing I guess just won't go away... lol! It's like a white guy that acts like a black guy. awesome!!!

Tuesday, September 23, 2008

Login!

Password reset for Mac OS X (no install disk needed)

Command + S while the Mac boots puts it into single-user mode. Then, at the root shell:
fsck -fy        # check and repair the root filesystem
mount -uw /     # remount root read-write (single-user mode mounts it read-only)
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist   # start Directory Services so dscl can reach the local node
dscl . -passwd /Users/     # set a new password for the account (the short username goes after /Users/)

:)

Thursday, June 19, 2008

OpenBSD Syslogd Centralized Server

I set up OpenBSD 4.2 as a central logging server, with awesome results (no need for any third-party logging software; OpenBSD has it all).

Paranoid fishies, check this out:

my /etc/rc.conf

# -u: accept remote messages on UDP/514 (needed for the router below)
# -a: create an additional log socket at the given path
syslogd_flags="-u -a <socket-path>"

my /etc/syslog.conf

# $OpenBSD: syslog.conf,v 1.17 2005/05/25 07:35:38 david Exp $
#

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
authpriv.debug /var/log/secure
cron.info /var/cron/log
daemon.info /var/log/daemon
ftp.info /var/log/xferlog
lpr.debug /var/log/lpd-errs
mail.info /var/log/maillog
# router messages arrive on facility local7; the target file must exist (see touch/chmod below)
local7.debug /var/log/filename.log
#uucp.info /var/log/uucp

# Uncomment this line to send "important" messages to the system
# console: be aware that this could create lots of output.
#*.err;auth.notice;authpriv.none;kern.debug;mail.crit /dev/console

# Uncomment this to have all messages of notice level and higher
# as well as all authentication messages sent to root.
#*.notice;auth.debug root

# Everyone gets emergency messages.
*.emerg *

# Uncomment to log to a central host named "loghost". You need to run
# syslogd with the -u option on the remote host if you are using this.
# (This is also required to log info from things like routers and
# ISDN-equipment). If you run -u, you are vulnerable to syslog bombing,
# and should consider blocking external syslog packets.
#*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @loghost
#auth,daemon,syslog,user.info;authpriv,kern.debug @loghost

# Uncomment to log messages from sudo(8) and chat(8) to their own
# respective log files. Matches are done based on the program name.
# Program-specific logs:
#!sudo
#*.* /var/log/sudo
#!chat
#*.* /var/log/chat


touch /var/log/filename.log
chmod 644 /var/log/filename.log


Now for the device part:

Cisco router: 7200 series

configure terminal
service timestamps log datetime
logging host <loghost-ip> transport udp port 514   ! the OpenBSD syslog server
logging facility local7                            ! matches the local7.debug line in syslog.conf
logging trap debugging
logging on
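To confirm the chain end to end, here is an added example (mine, not from the original post or from OpenBSD) that builds an RFC 3164 datagram tagged local7.debug, the facility and severity the router config and the syslog.conf line above agree on, decodes the PRI field back so the selector match is visible, and can fire the packet at the collector over UDP/514. The log host address is an assumption passed on the command line.

```python
import socket
import sys
import time

# RFC 3164 codes: PRI = facility * 8 + severity. Only the facilities that the
# syslog.conf above refers to are listed.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "cron": 9, "authpriv": 10, "ftp": 11, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

def encode_pri(facility: str, severity: str) -> int:
    """The <PRI> number a selector such as local7.debug matches on (local7.debug -> 191)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_pri(pri: int) -> tuple:
    """Invert encode_pri; facilities not in the table are reported by number."""
    fac = {v: k for k, v in FACILITIES.items()}.get(pri // 8, f"facility{pri // 8}")
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev

def build_packet(facility, severity, hostname, tag, msg, now=None) -> bytes:
    """Build an RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG."""
    now = now or time.localtime()
    ts = f"{time.strftime('%b', now)} {now.tm_mday:2d} {time.strftime('%H:%M:%S', now)}"
    return f"<{encode_pri(facility, severity)}>{ts} {hostname} {tag}: {msg}".encode()

def parse_packet(packet: bytes) -> dict:
    """Split a datagram back into facility, severity and body, as the collector does."""
    text = packet.decode()
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI field")
    pri, body = text[1:].split(">", 1)
    facility, severity = decode_pri(int(pri))
    return {"facility": facility, "severity": severity, "body": body}

def send_test_message(loghost: str, port: int = 514) -> bytes:
    """Send one constructed local7.debug message to the central syslogd over UDP."""
    pkt = build_packet("local7", "debug", "router7200", "test", "central syslog check")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(pkt, (loghost, port))
    return pkt

if __name__ == "__main__":
    # Log host address is an assumption: pass the OpenBSD box's IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(send_test_message(target).decode())
```

After sending, the line should show up in the file named on the local7.debug selector; if it does not, the -u flag or a packet filter in front of UDP/514 is the first thing to check.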

Monday, February 11, 2008

nikto scan

I ran a test using Nikto today and found a couple of so-called vulnerabilities:

---------------------------------------------------------------------------
- Nikto 2.02/2.03 - cirt.net
+ Target IP: 172.17.4.20
+ Target Hostname: 172.17.4.20
+ Target Port: 80
+ Start Time: 2008-02-12 12:53:41
---------------------------------------------------------------------------
+ Server: Apache
- Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-877: TRACK / : TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-2117: GET / : Appears to be a default Apache install.
+ OSVDB-2799: GET -evasiondose.pl?daily&somefile.txt&|ls| : DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3657 items checked: 8 item(s) reported on remote host
+ End Time: 2008-02-12 13:00:33 (412 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Enter mod_rewrite:

RewriteEngine on
# Whitelist approach: refuse any request method other than GET, POST or HEAD
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]

# Narrower alternative: deny only TRACE and TRACK (already covered by the rule above)
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule .* - [F]

These rules need to go inside the appropriate directive block in order to take effect. That fixes the issue. Happy OpenBSD :)
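Nikto only reports what the Allow header and a TRACE request return, so the fix is worth re-checking the same way. This added example (mine, not from the original post or from Nikto) sends raw TRACE and TRACK requests and reads back the status code; since the real host is not available here, it also includes a constructed stand-in server that behaves like Apache with the [F] rules in place, answering 403 for those methods.

```python
import http.server
import socket
import threading

def probe_method(host: str, port: int, method: str, timeout: float = 5.0) -> int:
    """Send a bare HTTP/1.0 request using `method` and return the status code.
    HTTP/1.0 makes the server close the connection after a single response."""
    request = f"{method} / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode())
        data = b""
        while b"\r\n\r\n" not in data:  # read the whole header block
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1])

def trace_track_blocked(host: str, port: int = 80) -> bool:
    """True when both methods Nikto flagged (OSVDB-877) come back as a 4xx/5xx error."""
    return all(probe_method(host, port, m) >= 400 for m in ("TRACE", "TRACK"))

class HardenedHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for Apache with the rewrite rules above: only GET/HEAD/POST pass."""
    def _reply(self, code: int) -> None:
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_GET(self): self._reply(200)
    def do_HEAD(self): self._reply(200)
    def do_POST(self): self._reply(200)
    def do_TRACE(self): self._reply(403)   # RewriteRule ... [F] answers 403 Forbidden
    def do_TRACK(self): self._reply(403)
    def log_message(self, *args): pass    # keep the stand-in quiet

def start_mock_server() -> int:
    """Start the stand-in on an ephemeral loopback port and return that port."""
    server = http.server.HTTPServer(("127.0.0.1", 0), HardenedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]

if __name__ == "__main__":
    port = start_mock_server()
    for m in ("GET", "TRACE", "TRACK"):
        print(m, probe_method("127.0.0.1", port, m))
    print("TRACE/TRACK blocked:", trace_track_blocked("127.0.0.1", port))
```

Point probe_method at the real server's address instead of the stand-in to check the live box; a 403 (from the rules above) or 405 is what you want to see for TRACE and TRACK.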

Wednesday, February 6, 2008

learning curve

私輪渡り者です。 ("I am a drifter.")

I'm getting there ...

Tuesday, January 29, 2008

hushmail a.k.a NSAmail?

I've been using Hushmail for almost a year now, mostly for Hushmail-to-Hushmail email since it does a pretty good job of encrypting mail... but it just scares me to know that encryption-based email services on the net *might* be owned by those folks that just like watching.... say... the NSA?

Anyway, whether or not this is true, it's a nice read.

http://groups.google.com/group/alt.security.pgp/browse_thread/thread/5171d049f75a2bbc/7fa4d97626043295

Kind of makes you wonder how they can get away with using encryption out of reach of the US govt's prying eyes.

Hushmail owns one block of IPs, 65.39.178.0/24, and its whois record shows:

Peer 1 Network Inc. PEER1-BLK-06 (NET-65-39-128-0-1)
65.39.128.0 - 65.39.255.255
Hush Communications USA PEER1-HUSHMAIL-01 (NET-65-39-178-0-1)
65.39.178.0 - 65.39.178.255

# ARIN WHOIS database, last updated 2008-01-28 19:10

# Enter ? for additional hints on searching ARIN's WHOIS database.

and it indicates that the country of origin is GB (Great Britain)? Look closely, though: their block is owned by a company called Peer 1 Networks.

OrgName:    Peer 1 Network Inc.
OrgID: PER1
Address: 75 Broad Street
Address: 2nd Floor
City: New York
StateProv: NY
PostalCode: 10004
Country: US

NetRange: 65.39.128.0 - 65.39.255.255
CIDR: 65.39.128.0/17
NetName: PEER1-BLK-06
NetHandle: NET-65-39-128-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PEER1.NET
NameServer: NS2.PEER1.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-06-21
Updated: 2006-09-20

RTechHandle: ZP55-ARIN
RTechName: Peer1 Network Inc.
RTechPhone: +1-604-683-7747
RTechEmail: net-admin@peer1.net

OrgAbuseHandle: NSA-ARIN
OrgAbuseName: Peer 1 Network AUP Enforcement
OrgAbusePhone: +1-604-484-2588
OrgAbuseEmail: abuse@peer1.net

OrgTechHandle: ZP55-ARIN
OrgTechName: Peer1 Network Inc.
OrgTechPhone: +1-604-683-7747
OrgTechEmail: net-admin@peer1.net

A US IP block. You be the judge.... =D *evil grin*