maximizing value in pentesting
Great article by the Great Ed Skoudis over at the pen testing blog of SANS.org.
remove or reinstall lync from os x
Lync was crashing on startup for me endlessly and I couldn’t even get to Preferences to change anything. Use the link for info on how to rip it out completely and reinstall. Don’t forget Update 14.0.1 (or later) if you’re on Lion.
os x command line random password generator
If you want a quick little random password generator (uppercase, lowercase, and numbers) from the terminal in OS X you can add something like this to your .bashrc
# random password from /dev/urandom: uppercase, lowercase, digits (and _); length defaults to 12
randompass() {
    LANG=C                        # avoids tr "Illegal byte sequence" errors under a UTF-8 locale on OS X
    local l=$1
    [ "$l" == "" ] && l=12
    tr -dc A-Za-z0-9_ < /dev/urandom | head -c "${l}" | xargs   # xargs adds the trailing newline
}
source ~/.bashrc    # reload so the function is available in the current shell
randompass 21       # e.g. a 21-character password
block w00tw00t scans with fail2ban
Tired of seeing “/w00tw00t.at.blackhats.romanian.anti-sec:)”, and the other variations, in your logs? First install fail2ban if you don’t have it already (you will wish you’d known about this sooner). Create a new file in /etc/fail2ban/filter.d/ called “w00tw00t.conf”. Inside put:
# block w00tw00t scans of all variations
[Definition]
failregex = ^<HOST> .*"GET \/w00tw00t.*
ignoreregex =
Then edit /etc/fail2ban/jail.conf and at the bottom put:
[w00tw00t-scans]
enabled = true
action = iptables-allports
         sendmail-whois[name=w00tw00t, dest=root, sender=[email protected]]
filter = w00tw00t
logpath = /var/log/httpd/access_log
maxretry = 1
bantime = 86400
Restart fail2ban and you’re good to go. You will now ban any IP running one of these automated scanners from connecting to your server, on any port, for 24 hours and get an email alert when it happens.
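Before turning the jail on it is worth checking that the failregex only catches what you expect. The following is an added example (not from the original post or from fail2ban) that emulates fail2ban's matching offline: it expands the `<HOST>` tag the way fail2ban does and runs the filter over a few constructed access_log lines, applying the jail's maxretry of 1.

```python
import re
from collections import Counter

# Expansion fail2ban 0.8/0.9 use for the <HOST> tag in a failregex.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The failregex from the w00tw00t.conf filter above.
FAILREGEX = r'^<HOST> .*"GET \/w00tw00t.*'

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:03:14:07 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 292 "-" "ZmEu"
203.0.113.7 - - [10/Mar/2012:03:14:08 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 293 "-" "ZmEu"
198.51.100.22 - - [10/Mar/2012:03:15:11 +0000] "GET /index.html HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2012:03:15:12 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 292 "-" "ZmEu"
192.0.2.9 - - [10/Mar/2012:03:16:40 +0000] "POST /w00tw00t HTTP/1.1" 404 292 "-" "curl"
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand fail2ban's <HOST> tag and compile the filter's failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matching_hosts(log_text: str, failregex: str = FAILREGEX) -> Counter:
    """Count how many times each client IP tripped the failregex."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text: str, maxretry: int = 1) -> set:
    """Apply the jail's maxretry (1 in the post: a single hit is enough to ban)."""
    return {host for host, n in matching_hosts(log_text).items() if n >= maxretry}


if __name__ == "__main__":
    print(matching_hosts(SAMPLE_LOG))
    print(sorted(hosts_to_ban(SAMPLE_LOG)))   # the POST from 192.0.2.9 is not matched
```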
vcheck - vcenter monitoring/reporting script
If you run VMware and vCenter you NEED vCheck. Kudos to the author!
rhel6 installing bind-chroot
Oh Red Hat, sometimes I don’t get you. It seems the “recommended” way of installing BIND on RHEL6 is now to just install it normally (e.g. “yum install bind”) and let SELinux handle the security. My beef with this is how frustrating SELinux can be. Honestly, every time I have to troubleshoot an issue with it I lose at least two hours, and it just isn’t worth it to me. Maybe it’s just me, but this has always been my experience with it, so I usually end up disabling it.
RHEL6 still includes a package in the repository for bind-chroot thankfully. However, it seems that now when you start named Red Hat does some voodoo by mounting all the normal bind directories and files on the chroot jail directories and files. Very weird, here’s what I mean:
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/etc/named on /var/named/chroot/etc/named type none (rw,bind)
/var/named on /var/named/chroot/var/named type none (rw,bind)
/etc/named.conf on /var/named/chroot/etc/named.conf type none (rw,bind)
/etc/named.rfc1912.zones on /var/named/chroot/etc/named.rfc1912.zones type none (rw,bind)
/etc/rndc.key on /var/named/chroot/etc/rndc.key type none (rw,bind)
/usr/lib64/bind on /var/named/chroot/usr/lib64/bind type none (rw,bind)
/etc/named.iscdlv.key on /var/named/chroot/etc/named.iscdlv.key type none (rw,bind)
/etc/named.root.key on /var/named/chroot/etc/named.root.key type none (rw,bind)
I’m guessing the old symlinks were too confusing, with people not knowing which files to edit? At any rate it is definitely different. So in RHEL6 just remember to edit /etc/named.conf; when you start/restart named your new config will be bind-mounted into the jail (e.g. /var/named/chroot/etc/named.conf).
The main issue I ran into with bind-chroot on RHEL6.2 is that the install was sort of busted. During install the rndc.key file was not generated, even though the documentation says it should be. So if you do not have /etc/rndc.key after running yum install bind-chroot, you need to create it manually:
rndc-confgen -a
chown root:named /etc/rndc.key
chmod 640 /etc/rndc.key
Despite Red Hat’s documentation, the key file actually needs 640 with named as the group or named will not start due to a permissions error.
Also if you are using bind-chroot make sure you disable SELinux by editing /etc/sysconfig/selinux and then rebooting.
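To confirm the bind-chroot layout described above is actually in place, here is an added check script (not from the original post or from Red Hat). It parses mount(8) output for the bind mounts named sets up and checks rndc.key ownership and mode against the values that work (root:named, 640); the chroot path and file list are taken from the post, and the sample mount output is constructed from its listing.

```python
import re
import stat

CHROOT = "/var/named/chroot"
# Host-side files the post shows being bind-mounted into the jail (core subset).
EXPECTED = ["/etc/named", "/var/named", "/etc/named.conf", "/etc/rndc.key"]

# Constructed mount(8) output, copied from the post's listing.
SAMPLE_MOUNTS = """\
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/etc/named on /var/named/chroot/etc/named type none (rw,bind)
/var/named on /var/named/chroot/var/named type none (rw,bind)
/etc/named.conf on /var/named/chroot/etc/named.conf type none (rw,bind)
/etc/rndc.key on /var/named/chroot/etc/rndc.key type none (rw,bind)
"""

MOUNT_LINE = re.compile(r"^(\S+) on (\S+) type (\S+) \((.*)\)$")


def bind_mounts(mount_output: str) -> dict:
    """Map source path -> mount point for every 'bind' mount in mount(8) output."""
    result = {}
    for line in mount_output.splitlines():
        m = MOUNT_LINE.match(line)
        if m and "bind" in m.group(4).split(","):
            result[m.group(1)] = m.group(2)
    return result


def missing_chroot_mounts(mount_output: str, chroot: str = CHROOT) -> list:
    """Expected host paths that are not bind-mounted to the same path under the chroot."""
    mounts = bind_mounts(mount_output)
    return [p for p in EXPECTED if mounts.get(p) != chroot + p]


def rndc_key_problems(mode: int, owner: str, group: str) -> list:
    """Problems with /etc/rndc.key given its st_mode and owner/group names."""
    problems = []
    if owner != "root":
        problems.append("owner should be root")
    if group != "named":
        problems.append("group should be named")
    if stat.S_IMODE(mode) != 0o640:
        problems.append("mode should be 0640")
    return problems


if __name__ == "__main__":
    print("missing bind mounts:", missing_chroot_mounts(SAMPLE_MOUNTS))
    print("rndc.key problems:", rndc_key_problems(0o100600, "root", "root"))
```

On a live box, feed it the output of `mount` and the result of `os.stat("/etc/rndc.key")` resolved through the `pwd` and `grp` modules.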
disable forwarding in live@edu
The Lost and Found Identity blog has a great article on how to prevent users from forwarding mail in Live@edu, but I just wanted to dumb down the steps a little bit. First make a remote PowerShell connection to Live@edu and then do the following:
- Set-RemoteDomain Default -AutoForwardEnabled $false
- New-ManagementRole -Parent MyBaseOptions_DefaultMailboxPlan -Name MyBaseOptions_DefaultMailboxPlan_NoForwarding
- Set-ManagementRoleEntry MyBaseOptions_DefaultMailboxPlan_NoForwarding\Set-Mailbox -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter
- Set-ManagementRoleEntry MyBaseOptions_DefaultMailboxPlan_NoForwarding\New-InboxRule -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo -RemoveParameter
- New-ManagementRoleAssignment -Policy RoleAssignmentPolicy-DefaultMailboxPlan -Role MyBaseOptions_DefaultMailboxPlan_NoForwarding
- Remove-ManagementRoleAssignment MyBaseOptions_DefaultMailboxPlan-RoleAssignmentPolicy-DefaultMai
This will prevent your users from being able to forward any mail by disabling the GUI options and removing the Inbox Rule option that allows forwarding.