
Tuesday, May 22, 2012

Deleting an offending SSH key

Hello. When you reconnect to an IP address you have connected to before, and the key stored on your system differs from the key the remote system presents, you get a warning like the one below. To delete the stored key easily, you can use the command that follows the warning!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now 
(man-in-the-middle attack)!
It is also possible that the RSA host key has just been 
changed. The fingerprint for the RSA key sent by the remote host 
is a9:b5:f9:a6:06:76:12:56:8c:0a:95:c5:31:e5:gd:87. 
Please contact your system administrator.
Add correct host key in /home/ramesh/.ssh/known_hosts to get 
rid of this message.
Offending key in /home/akapucu/.ssh/known_hosts: 14 
Permission denied (publickey,password). 
 
# sed -i '14d' ~/.ssh/known_hosts
 
 
With this command you have deleted the SSH key on line 14.
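The same clean-up done by parsing the warning instead of typing the line number by hand, as an added example that is not part of the original post. It prints the entry it is about to remove, because the warning above is also exactly what a real man-in-the-middle looks like and the key should be compared with the fingerprint given to you out of band before it is thrown away. The known_hosts file and warning text in the demo are constructed.

```bash
#!/bin/bash
# Added example (not the post's own command): pull "<file>: <line>" out of
# the "Offending key in ..." line of the ssh warning and delete exactly that
# line, keeping a backup. Handles both the old "Offending key in" wording
# shown above and the newer "Offending <type> key in" wording.

# offending_ref WARNING_TEXT -> prints "<known_hosts path> <line number>"
offending_ref() {
    printf '%s\n' "$1" |
        sed -n 's/^Offending [A-Za-z0-9 ]*key in \([^:]*\): *\([0-9][0-9]*\).*$/\1 \2/p'
}

# drop_known_hosts_line FILE LINE -> prints the removed entry; FILE.bak keeps
# the previous contents (portable: avoids the GNU-only sed -i)
drop_known_hosts_line() {
    file=$1; line=$2
    cp "$file" "$file.bak"
    sed -n "${line}p" "$file.bak"
    sed "${line}d" "$file.bak" > "$file"
}

# demo: constructed known_hosts with 15 dummy entries plus a warning in the
# shape of the one above; prints "<removed entry>|<remaining line count>"
demo() {
    tmp=$(mktemp -d)
    kh="$tmp/known_hosts"
    i=1
    while [ "$i" -le 15 ]; do
        printf 'host%d ssh-rsa AAAAdummykey%d\n' "$i" "$i" >> "$kh"
        i=$((i + 1))
    done
    warning="Offending key in $kh: 14
Permission denied (publickey,password)."
    set -- $(offending_ref "$warning")
    removed=$(drop_known_hosts_line "$1" "$2")
    count=$(wc -l < "$kh" | tr -d ' ')
    rm -rf "$tmp"
    printf '%s|%s\n' "$removed" "$count"
}

demo
```

When you know the host name rather than the line number, ssh-keygen -R hostname removes every entry for that host and is the usual alternative to editing the file.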

Wednesday, May 16, 2012

How to Encrypt Your Bash Shell Script on Linux Using SHC

Q: How do I encrypt my bash shell script in a Linux environment? The shell script contains a password, and I don't want others who have execute access to view the shell script and get the password. Is there a way to encrypt my shell script?

A: First, as a best practice you should not be encrypting your shell script. You should document your shell script properly so that anybody who views it understands exactly what it does. If it contains sensitive information like a password, you should find a different way to write the shell script that does not require encrypting it.
That being said, if you still insist on encrypting a shell script, you can use the SHC utility as explained below. Please note that the encrypted shell script created by shc is not readable by normal users. However, someone who understands how this works can extract the original shell script from the encrypted binary created by shc.
SHC stands for shell script compiler.

1. Download shc and install it

Download shc and install it as shown below.
# wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.7.tgz
# tar xvfz shc-3.8.7.tgz
# cd shc-3.8.7
# make
Verify that shc is installed properly.
$ ./shc -v
shc parse(-f): No source file specified

shc Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-rvDTCAh] -f script

2. Create a Sample Shell Script

Create a sample bash shell script that you would like to encrypt using shc, for testing purposes.
For this test, let us create the following random.sh shell script, which generates random numbers. You have to specify how many random numbers you would like to generate.
$ vi random.sh
#!/bin/bash

echo -n "How many random numbers do you want to generate? "
read max

for (( start = 1; start <= $max; start++ ))
do
  echo -e $RANDOM
done

$ ./random.sh
How many random numbers do you want to generate? 3
24682
1678
491

3. Encrypt the Shell Script Using shc

Encrypt the random.sh shell script using shc as shown below.
$ ./shc -f random.sh
This will create the following two files:
$ ls -l random.sh*
-rwxrw-r--. 1 ramesh ramesh   149 Mar 27 01:09 random.sh
-rwx-wx--x. 1 ramesh ramesh 11752 Mar 27 01:12 random.sh.x
-rw-rw-r--. 1 ramesh ramesh 10174 Mar 27 01:12 random.sh.x.c
  • random.sh is the original unencrypted shell script
  • random.sh.x is the encrypted shell script in binary format
  • random.sh.x.c is the C source code generated from random.sh. This C source code is compiled to create the encrypted random.sh.x file above. The whole logic behind shc is to convert the random.sh shell script into the random.sh.x.c C program (and, of course, compile that to generate the random.sh.x executable)
$ file random.sh
random.sh: Bourne-Again shell script text executable

$ file random.sh.x
random.sh.x: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), 
dynamically  linked (uses shared libs), for GNU/Linux 2.6.18, 
stripped

$ file random.sh.x.c
random.sh.x.c: ASCII C program text

4. Execute the Encrypted Shell Script

Now, let us execute the encrypted shell script to make sure it works as expected.
$ ./random.sh.x
How many random numbers do you want to generate? 3
7489
10494
29627
Please note that the binary itself still depends on the shell named in the first line of random.sh (i.e. /bin/bash) being available to execute the script.

5. Specifying Expiration Date for Your Shell Script

Using shc you can also specify an expiration date, i.e. after this date, when somebody tries to execute the shell script, they'll get an error message.
Let us say that you don't want anybody to execute random.sh.x after 31-Dec-2011 (I used last year's date for testing purposes).
Create a new encrypted shell script using the "shc -e" option to specify the expiration date. The expiration date is specified in dd/mm/yyyy format.
$ ./shc -e 31/12/2011 -f random.sh
In this example, if someone tries to execute random.sh.x after 31-Dec-2011, they'll get the default expiration message shown below.
$ ./random.sh.x
./random.sh.x: has expired!
Please contact your provider
If you would like to specify your own custom expiration message, use the -m option (along with the -e option) as shown below.
$ ./shc -e 31/12/2011 -m "Contact [email protected] for new version of this script" -f random.sh

$ ./random.sh.x
./random.sh.x: has expired!
Contact [email protected] for new version of this script

6. Create Redistributable Encrypted Shell Scripts

Apart from -e and -m (for expiration), you can also use the following options:
  • -r will relax security to create a redistributable binary that executes on other systems that run the same operating system as the one on which it was compiled.
  • -T will allow the created binary files to be traceable using programs like strace, ltrace, etc.
  • -v is for verbose
Typically you might want to use both the -r and -T options to create a redistributable and traceable encrypted shell script, as shown below.
$ ./shc -v -r -T -f random.sh
shc shll=bash
shc [-i]=-c
shc [-x]=exec '%s' "$@"
shc [-l]=
shc opts=
shc: cc  random.sh.x.c -o random.sh.x
shc: strip random.sh.x
shc: chmod go-r random.sh.x

$ ./random.sh.x
How many random numbers do you want to generate? 3
28954
1410
15234
Finally, it is worth repeating: you should not be encrypting your shell script in the first place. But if you do decide to encrypt your shell script using shc, please remember that a smart person can still recover the original shell script from the encrypted binary that shc created.
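The "different approach" the article recommends at the top and in this conclusion, as an added example that is not from the original article: keep the password out of the script entirely, in a file only its owner can read, and have the script refuse to run when that file is exposed. The stat fallbacks, file name and sample secret are this example's own assumptions.

```bash
#!/bin/bash
# Added example, not from the original article: instead of embedding a
# password in the script and obfuscating it with shc, read it from a
# separate file that must be owned by the running user and readable by
# the owner only. Nothing sensitive ends up in the script or in argv.
set -u

# load_secret FILE -> prints the first line of FILE, or returns 1 with a
# reason on stderr when FILE is missing, group/world readable or foreign-owned
load_secret() {
    f=$1
    [ -f "$f" ] || { echo "secret file missing: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $f: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $f: owned by uid $owner, not $(id -u)" >&2; return 1
    fi
    head -n 1 "$f"
}

# demo -> "<secret> denied": a constructed 0600 secret file is accepted,
# the same file is rejected once it is chmod 644
demo() {
    tmp=$(mktemp -d)
    f="$tmp/db.pass"
    (umask 077; printf 'constructed-example-password\n' > "$f")  # constructed secret
    accepted=$(load_secret "$f")
    chmod 644 "$f"
    if load_secret "$f" 2>/dev/null; then outcome=accepted; else outcome=denied; fi
    rm -rf "$tmp"
    printf '%s %s\n' "$accepted" "$outcome"
}

demo
```

A real script then does PASS=$(load_secret "$HOME/.config/app/db.pass") || exit 1 and hands the value to the program through an environment variable or a config file rather than a command-line argument, which ps would show to every user.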

source: thegeekstuff.com

Wednesday, May 9, 2012

ls order by time

Sort by time, newest first

[[email protected] log]# ls -lt
total 3788
-rw------- 1 root root 153211 Dec 21 13:20 cron
-rw------- 1 root root 3725 Dec 21 13:06 secure
-rw------- 1 root root 20864 Dec 21 13:06 messages
-rw-r----- 1 mysql mysql 8641 Dec 21 13:06 mysqld.log
-rw-r--r-- 1 root root 11462 Dec 21 13:06 yum.log
drwxrwxr-x 2 tomcat tomcat 4096 Dec 21 13:05 tomcat5
-rw------- 1 root utmp 379008 Dec 21 13:05 btmp
-rw-rw-r-- 1 root utmp 35712 Dec 21 13:05 wtmp
-rw------- 1 root root 0 Dec 21 13:04 faillog
-rw------- 1 root root 0 Dec 21 13:04 tallylog
-rw-r--r-- 1 root root 2921168 Dec 21 13:01 lastlog
-rw------- 1 root root 5869 Dec 20 01:00 rkhunter.log
-rw------- 1 root root 0 Dec 19 03:20 boot.log
-rw------- 1 root root 0 Dec 19 03:20 maillog
drwxrwsr-x 2 root mailman 4096 Dec 19 03:20 mailman
-rw------- 1 root root 0 Dec 19 03:20 spooler
drwxr-x--- 2 sso root 4096 Dec 19 03:20 sso
-rw------- 1 root root 443960 Dec 19 03:20 cron.1
-rw------- 1 root root 5239 Dec 17 17:04 secure.1

Sort by time, newest last

[[email protected] log]# ls -ltr
total 3788
-rw-r--r-- 1 root root 0 Jun 25 15:00 dmesg
drwxr-xr-x 2 apache apache 4096 Jun 25 15:07 atmail
drwxr-xr-x 2 root root 4096 Jun 28 03:56 mail
-rw-r--r-- 1 root root 0 Jul 26 05:15 xferlog
-rw-rw-r-- 1 root utmp 1288320 Aug 25 03:14 wtmp.1
drwx------ 2 root root 4096 Aug 30 12:32 httpd
drwxr-x--- 2 apache apache 4096 Sep 2 03:20 psa-horde
drwx------ 2 root root 4096 Sep 15 04:46 samba
-rw------- 1 root root 0 Nov 21 03:20 spooler.4
-rw------- 1 root root 0 Nov 21 03:20 secure.4
-rw------- 1 root root 0 Nov 21 03:20 maillog.4
-rw------- 1 root root 0 Nov 21 03:20 boot.log.4
-rw------- 1 root root 4407 Nov 27 13:58 messages.4
-rw------- 1 root root 443981 Nov 28 03:20 cron.4
-rw------- 1 root root 0 Nov 28 03:20 spooler.3
-rw------- 1 root root 0 Nov 28 03:20 maillog.3
-rw------- 1 root root 0 Nov 28 03:20 boot.log.3
-rw------- 1 root root 1153 Dec 2 16:41 secure.3
-rw------- 1 root root 6841 Dec 4 19:38 messages.3

WPA Hole 196

Security Word recently reported a vulnerability in WPA2 Enterprise encryption. Researchers have found a vulnerability in the WPA2 encryption protocol. It is currently the strongest encryption method and is used in many, many businesses and homes around the world. They are calling the vulnerability Hole 196 because it was discovered on page 196 of the IEEE 802.11 standard.
If you read the details of the exploit, you will learn that hackers must be authenticated and authorized on the WPA2 network to begin with. Once authorized, the user can use exploits to decrypt and/or inject malicious packets into other users' "secure" wireless traffic. This means the vulnerability can be exploited through a man-in-the-middle attack, according to the researcher; in other words, an unauthorized user can decrypt packets and sniff the network using open-source software.
WPA2 is known as the most secure wireless encryption method available today. So this is big, big news. Hole 196 is a zero-day right now, which means the security researchers have not yet found a patch for the vulnerability.

Resetting iptables

Hello friends. Most likely many iptables users have locked themselves out of their own system. It has happened to me many times too, and a feature I saw on Cisco routers gave me a very simple, practical idea. I don't remember the exact command, but it is a command for testing the configuration you have made: it activates the running config but does not write it to the startup config, so that within the time you specify it resets and lets you go back to your old config. If anyone remembers it, please write it to me :) Anyway, back to our topic: the script we use is very simple, it resets iptables; of course we put it in a cronjob before we start working, in case we lock ourselves out :)

#!/bin/bash
# To leave our firewall as it is, we leave the status value below at 0.
# If we want to reset our firewall, the status value must be 1 so that it goes through and flushes the firewall.
durum=1
# For distributions other than CentOS, Red Hat and Fedora our value will be "hayir" (no)
# Since I use CentOS, my value is evet (yes)
sistem=evet
yol=/sbin/iptables
if [ "$durum" == "1" ];
then
    if [ "$sistem" == "evet" ];
    then
        # To stop the firewall
        /etc/init.d/iptables stop
    else
        # For other Linux distros the commands below are used.
        $yol -F
        $yol -X
        $yol -Z
        # flush, delete and zero every loaded table, not only filter
        for tablo in $(cat /proc/net/ip_tables_names)
        do
            $yol -t $tablo -F
            $yol -t $tablo -X
            $yol -t $tablo -Z
        done
        $yol -P INPUT ACCEPT
        $yol -P OUTPUT ACCEPT
        $yol -P FORWARD ACCEPT
    fi
else
    :
fi


To grant execute permission:

chmod +x /root/sifirla.sh

To run this file every 5 minutes, we add the line
*/5 * * * * root /root/sifirla.sh under /etc/crontab.
Important point: before you start working, pay attention to the status value above!!!
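The "apply it, and keep it only if I confirm in time" behaviour the post remembers from Cisco routers, as an added example that goes beyond the post's own cron-based reset and is not the author's script. It assumes iptables-save and iptables-restore; SAVE_CMD and RESTORE_CMD are this example's own override hooks so the logic can be exercised without root.

```bash
#!/bin/bash
# Added example, not the post's own script: a timed rollback for a firewall
# change. The live rule set is saved, the new rules are loaded, and unless a
# confirmation file appears within TIMEOUT seconds the saved rules come back.
# Assumes iptables-save/iptables-restore; SAVE_CMD and RESTORE_CMD may be
# replaced by any command that writes/reads a rule set on stdout/stdin.
set -u

: "${SAVE_CMD:=iptables-save}"
: "${RESTORE_CMD:=iptables-restore}"

# apply_with_rollback NEW_RULES CONFIRM_FILE TIMEOUT
#   1. save the live rule set to a temp file
#   2. load NEW_RULES
#   3. wait up to TIMEOUT seconds for CONFIRM_FILE to appear (the admin
#      creates it from a session that still works after the change)
#   4. no confirmation -> restore the saved rule set
# prints "kept" or "rolled-back"; returns 1 if saving or loading fails
apply_with_rollback() {
    new=$1; confirm=$2; timeout=$3
    backup=$(mktemp) || return 1
    rm -f "$confirm"                       # a stale confirmation must not count
    if ! $SAVE_CMD > "$backup"; then
        echo "cannot save the current rules, nothing changed" >&2
        rm -f "$backup"; return 1
    fi
    if ! $RESTORE_CMD < "$new"; then
        echo "new rules rejected, restoring saved rules" >&2
        $RESTORE_CMD < "$backup"; rm -f "$backup"; return 1
    fi
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$backup" "$confirm"
            echo kept; return 0
        fi
        sleep 1; waited=$((waited + 1))
    done
    $RESTORE_CMD < "$backup"
    rm -f "$backup"
    echo rolled-back
}

# Typical use from a console session (requires root):
#   apply_with_rollback /root/new.rules /run/fw-confirm 60
# then, from another session that must still be reachable:
#   touch /run/fw-confirm
```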

Human Factor on the Security System

The Problem with Technology and the Human Factor
Introduction

Some organizations see information security problems as purely technical problems. Several suppliers propose the same idea with technical solutions. The security manager's technologies are firewalls, antivirus software, PKI systems and VPNs. All of them are valuable and protect the network. But technology is fallible, just like humans: a technology is only as good as the person who knows how to use it.
 
Computer Security

Everyone should have security on their computers and networks, but there are several shortcomings to that view. Even if the software were perfect, it would still face problems from hackers, testers, viruses and software mistakes. They will find unchecked memory, backdoors and other weaknesses in commercial and in-house developed software. The problem is multiplied by the complexity of modern information technology systems. Organizations that use multi-layered security are going in the right direction, but it is hard for every layer of protection to be perfect. Protecting an organization's systems needs intelligent users who do not create security bugs in their systems.
Many organizations really don't understand their information security problems. They do not have all the information needed to be sure they know exactly the right technical solution to a problem. They recognize the need for standard information security software; however, they rarely have basic information about the requirements. They buy firewalls for protection only, with no care to monitor security alarms, update attack signatures, or respond to new forms of network traffic. They scan emails for viruses but ignore JavaScript. For good security you need to educate your workers about worms, spam mails, viruses etc.
The term "technical solution" brings unrealistically high expectations, because technology requires a human to keep it up to date. Custom-made security technology is extremely expensive, while standard cheap software is not as good and offers little advantage compared to custom-made security technology. It puts creating the best technology out of the hands of uneducated people, because people are stuck with below-standard technology when they do not know better. Last but not least, someone has to use this technology. This can bring big problems, because people can make mistakes.
Information security is not much different from security in general. After all, no one would put heavy security on something unimportant. For example, who would put a heavy security lock on a box if it only held something as unimportant as a rock? Also, if a car looks good but has a broken window, then the whole car is not safe; it is just like that with information security. Protection against cyber attacks works on the same idea. All weak points should be secured, whether on a desktop computer, an organization's server, or a corporate network. Information should also be entered through safe paths.
 
Human Factor on the Security System

There is a lot of security software in the world, for example firewalls, intrusion detection systems, antiviruses etc. Every type of software is designed to do a certain function. This software will help protect a system. However, even the best software cannot guarantee a hundred percent system security. Even the most advanced technology and passwords cannot be a hundred percent safe. This is because people made the system and they can make mistakes. So, people are the weakest part of technology.
The human factor is the main reason why attacks on many computers and systems are successful. There are many good examples: hackers, virus writers and dangerous users use the human factor to their advantage. In other words, they use people to penetrate systems.
 
Some Examples about Security

Many people do not understand why using software with many weaknesses poses a security risk to their computer or system. Many computer users see their computer as an object. They want to use it like a washer, a microwave, or any other simple device. They don't want to know how it works. Even if they do, they would not know how it works any more than the other objects they use. They just think that if they install a system that protects against viruses, and software without weaknesses, they'll have nothing to worry about.
Not knowing about threats is only part of the problem. The human factor also comes into play. Much bad code starts to show at the drafting stage, especially when security policies and procedures are created. The security of wireless networks is in a poor state. Many errors were made when wireless protocols were being designed, and much has been written about their bad program errors. While programmers and testers continue to find ways to bypass security, new exploits will be found. Even the most developed software will be used, but again the human factor will be there. If you have a poorly trained system administrator and users, the best firewall or other protection system in the world will not protect your system.
The way users treat confidential information is a careless approach to security. A similar situation can be seen in everyday life: a person leaving their keys in the door. A lot of systems use an empty or weak password. Some systems have the user's name as the password, just to access the system easily. Even when users use a complicated password which no one could guess, they write it on a piece of paper or forget it, so other users can find their passwords.
Another human trait which hackers use is curiosity. Many of us encounter email worms at some time in our lives. We know that these worms arrive as attachments to infected messages. Sending the virus out is only half of what the virus writer has to do. The worm has to be activated to multiply through the system and to other computers. It is activated by opening the attachment. You might think that users would become suspicious when seeing attachments to unexpected email. But surprisingly, the hackers know how to use our curiosity.
It is interesting that people open unprotected e-mails even when they are not supposed to. Moreover, the number of people who open such e-mails stays the same. This can be explained by the fact that virus writers find new ways to trick people. On the other hand, viruses do not only infect e-mail messages; you can also find them all over the internet.
 
Conclusion

Computers are becoming more common every day. Hacking is becoming more dangerous day by day. Hacking technologies are becoming more complex. Creating a good security system is not easy. There are many weak points in a system, and protecting them is a never-ending process. There is always new technology being developed. It is used to solve problems, but it has its disadvantages too. Hackers, virus writers and dangerous users invent new ways to exploit the security software being used. The result is a war between cyber criminals and security professionals. It does not matter if you have the best security product or a professional security engineer; technology is only as good as the users who know what they are doing.
Ali Kapucu

Breaking a Cisco Router Password

If you have forgotten the router's enable secret password, or someone has set a password on a second-hand router you just bought and you don't know it, you need to break the password to be able to configure this router. If the configuration inside our router is important to us, we must not lose it either. Below we will learn step by step how a router's password is broken without losing the existing configuration. The first thing we need to do is to prevent the IOS (operating system) from loading while the router boots; for this, press CTRL+BREAK (CTRL+C) during boot. With this, the device boots into the limited operating system called mini IOS. Now, with the o/r 0x2142 command typed at the command line, we change the configuration register. From now on our router will not load the configuration from NVRAM at boot. Let's power the router off and on. Now, since our old running configuration could not be loaded, IOS asks us step by step whether we want to create a new configuration. After answering No to this question, our default command prompt router> appears.
router>enable
When we type this and press Enter, we are now in enable mode without a password. So what about our old configuration?
Our old configuration is still stored in NVRAM. We are currently in the Running-Config. What we need to do to get our old configuration back is very simple. We will copy the configuration in Startup-Config over the Running-Config. For this it is enough to give the following command.
router#copy startup-config running-config
OK, we have recovered the old configuration. Now let's set a new enable secret password. For this we need to enter global configuration mode.
router#configure terminal
With this command we enter global configuration mode.
router(config)#enable secret şifreniz
With this command (şifreniz being your new password) you set your new enable secret password. After this, we need to go back to enable mode and save the configuration running in RAM to NVRAM, so that the router starts with the settings we made when it is powered off and on.
router(config)#exit
router#copy running-config startup-config
With the operation above we complete the copy. We have both recovered the old configuration and renewed our enable secret password. One last thing remains: returning the configuration register to its old state. For this it is enough to enter global configuration mode again and type the line below.
router#configure terminal
router(config)#config-register 0x2102
After this last operation, if we power the router off and on, we can continue working with the new enable secret password and our old configuration.
Good luck to all of you,

Monitoring traffic other than ssh and https with tcpdump

Hello. Many people who work with networks have used tcpdump while monitoring their network, but sometimes the encrypted traffic on our network (ssh, https) needlessly takes up space in tcpdump and creates noise in the output. This is where we can use tcpdump's additional filter parameters to monitor traffic other than ssh and https.

tcpdump -i venet0:0 port not 22

With this we can monitor all traffic except port 22. Also, with

tcpdump -i venet0:0 port not 22 and port not 53

we can exclude several ports from monitoring.

tcpdump -i venet0:0 port not 22 and host 1.2.3.4

With this we can add a host address as well.

Can’t start server : Bind on unix socket: Permission denied

Recently, on a Linux server I was dealing with, I was getting error logs about mysql start. The error I got:
[ERROR] Can’t start server : Bind on unix socket: Permission denied 
[ERROR] Do you already have another mysqld server running on socket: /var/lib/mysql/mysql.sock ? 
[ERROR] Aborting

Likewise, there was also an error like this:

Can’t connect to local MySQL server through socket ‘/var/lib/mysql/mysql.sock’ (2)

As can be understood from the logs, the problem is about the permission settings of the mysql.sock file. The solution is as follows.
1. First, let's make sure we have deleted the socket file.
rm /var/lib/mysql/mysql.sock
2. Let's stop the MySQL processes; you can do this with the command below.
killall -e -9 mysql
3. Let's make sure the user and group of the mysql folder under /var/lib are mysql and root. We do this with the command below while in /var/lib.
chown mysql:root mysql
4. We start the MySQL service again.
service mysql start
MySQL files can sometimes be under different folders, so make sure which folder it runs under; you can do this with
locate mysql

Screen Unlock Meterpreter Script

In this video, we look at a demo of the screen unlock meterpreter script. The script needs SYSTEM privileges and patches the msv1_0.dll loaded by lsass.exe so that every password is accepted to unlock the screen (the patch can also be undone to get back to normal behavior). Currently Windows XP SP2 and SP3 are supported. You can download it from here. The script author's blog has more details. Thanks go out to PaulDotCom for uploading this to Vimeo.