Andrew G. Allen

Information Security Evangelist, Technologist, and Internet Junkie







(read the blog) (browse the stream) (follow on twitter)

Posts

  • July 09, 05:02 AM

    Maltego 3.0 Community Edition - A Quick First Look

    Just announced on the Maltego blog (http://maltego.blogspot.com/2010/07/ce-is-live.html), the community edition of version 3.0 is now available. I downloaded and did a quick test of the new product this morning, which already seems quicker than the previous versions, and is themed with a Microsoft ribbon style interface.

    You now need to register to use the software (you're prompted during installation), and some of the tasks that needed manual intervention are now automated (such as updating the transforms, which is now done as part of the installation process). Also, where previously you needed to go through and accept the disclaimers on certain transforms before you used them, now on first use you are presented with a dialog box which helps with not breaking up your work flow.

    Limits are also reduced - one which I reached regularly on 2.0 was the 75 transforms per day - I don't remember seeing where these new limits are documented, but maybe there is something over on the Maltego blog I missed.

    Permalink | Leave a comment  »

  • June 03, 07:31 AM

    Silently Install the Java Runtime on Windows

    Java is one of those components that most users have installed, but can be infrequently updated and forgotten about. Updates are published on a regular basis, the most recent of which having been set free in April of this year, and although supplied with a self-updating mechanism, it's just not suitable within controlled corporate environments with good acceptable use polices in place.

    Following the trend of other popular software, the Java Runtime is also bloating out with other 'useful-less' components, so on a default install you can find yourself with extra memory resident processes, browser plug-ins and helper objects which are just not required to provide applications access to the Java Runtime.

    Because of this, I now update my own lab environment with a scripted silent install of Java - it does not include the extra plug-ins and browser helper objects during installation, or the memory resident updater tool. Are there any other suggestions to keep the Java Runtime installation down to a minimum? I believe in only installing what is absolutely required.

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    
    @ECHO OFF & @SETLOCAL ENABLEEXTENSIONS & CLS
    ECHO.SilentJavaInstall.cmd 1.0 (2nd June 2010)
    ECHO.Andrew G. Allen, http://www.andrewallen.co.uk/ & ECHO.

    :: This work is licenced under a Creative Commons License.
    :: See http://creativecommons.org/licenses/by-nc-sa/2.0/uk/ for details.


    :CODE

    :: java 6 update 20
    start /WAIT "" "%~d0%~p0jre-6u20-windows-i586.exe" /s /v "/qn SYSTRAY=0 EULA=1 REBOOT=ReallySupress JAVAUPDATE=0 AUTOUPDATECHECK=0 IEXPLORER=0 MOZILLA=0 JU=0"

    :: post install...

    :: -- remove startup entry
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f
     
    :: -- disable auto update features
    reg add "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v "EnableJavaUpdate" /t "REG_DWORD" /d "0" /f
     
    :: -- remove unneeded browser helper objects
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" /f

    :END_CODE


    @ENDLOCAL
    :EOF

    Permalink | Leave a comment  »

  • December 10, 08:56 AM

    Security Podcasts on my Podroll

    There are now quite a number of podcasts available, covering all areas of Information Security - I find it a great way to stay up to date with the industry news, particularly when commuting. A fairly comprehensive list can be found at http://getmon.com/, while my current regular favorites are below:

    • Paul Dot Com Security Weekly (feed) - one of the longest established US based security podcasts, normally around 2 hours long, with interviews, technical segments and industry news.
    • Risky Business (feed) - an Australian based ~30 minute show, neatly split into news, interview and sponsor interview
    • 2600 | Off The Hook (feed) - airs every Wednesday night at 7:00 PM EST in New York City on listener supported WBAI 99.5 FM.

    I've created an aggregated feed of my Podroll, which makes subscribing quick and simple - on my phone, it means adding just one feed, instead of lots of different feeds for different podcasts (very useful when rebuilding your phone after flashing the latest ROM)... I did try RSSmix.com, which IronGeek also uses, but I found updates through the site don't seem to be that regular (and the site itself can run pretty slow as well), which means missing out on the latest content. Instead, I use Yahoo Pipes to merge and manipulate the various feeds together, and then publish through Feedburner to get some extra control / statistics.

    You can subscribe to my Podroll feed here (http://feeds.andrewallen.co.uk/andrewallen/podroll), or you can view the Yahoo Pipes source here.

    Update - Dec 14

    I've updated the pipe to include the following feeds, and also strip posts with no enclosures:

    Permalink | Leave a comment  »

  • November 13, 04:51 PM

    PostgreSQL not starting on BackTrack 4 Pre-Final

    If you are following the latest releases in regards to BackTrack, following a recent update you may have experienced error when PostgreSQL attempts to start:

    Starting PostgreSQL 8.3 database server: main* The PostgreSQL server failed to start. Please check the log output:

    Then further down:

    could not load server certificate file “server.crt”: No such file or directory

    Here is a quick fix - at the console, type:

    cd /etc/ssl/certs
    ls -ld /etc/ssl/private
    sudo ls -l /etc/ssl/private/
    make-ssl-cert generate-default-snakeoil -force-overwrite
    cd /etc/ssl/certs

    Re-run the update commands, and you should be good to go:

    apt-get update
    apt-get upgrade
    apt-get dist-upgrade

    Permalink | Leave a comment  »

  • November 03, 08:45 AM

    Connecting USB Devices to VirtualBox Guests

    About 6 months ago I switched to using VirtualBox on my Mac, in place of VMware Fusion - It provided decent performance, works well across multiple spaces and of course is free. I have always felt that VMware have dumbed down the Fusion client when compared to Workstation on Windows, as various options seem hidden away from view (although configurable when you get down and dirty in the VMX files).

    The only remaining issue I had experienced until recently, was that some USB devices would not map through correctly to the guest - in my case Windows 7 Ultimate 64-bit. When trying to connect the device on the first attempt, nothing would appear to happen, then when you tried to map it through again you'd get various error messages.

    After a brief Googling session, I found the fix was to add a 'USB Device Filter' for the affected device, under the 'USB Settings' of the guest, but making sure to clear all fields except the 'Name'. Once the guest was powered up, I no longer had any issues mapping through the USB device.

    Permalink | Leave a comment  »

  • October 12, 05:32 AM

    Update the Search Behaviour of the Firefox Address Bar

    After having used Chrome for so long on my Mac (in the dev channel via the very useful Chromium Updater), switching back to Firefox reveals an interesting habit - searching via the address bar. In Chrome, you can type your search directly in the address bar and you'll get redirected to Google for your search results, however in Firefox it reacts slightly differently - it will carry out a Google "I'm feeling lucky" search which will direct you to the first result Google returns.

    You can customise this behavior in the 'about:config' page within Firefox. Type 'about:config' into the address bar, and then update the 'keyword.URL' field to your chosen search engine. For example, if you wanted to use Scroogle instead, you would type:

    By the way, If you are not already using Scroogle, it's a simple way to anonymise your search requests.

    Permalink | Leave a comment  »

  • October 10, 09:18 AM

    Installing and Uninstalling Software in Windows Safe Mode

    It's quite common that you need to remove some software when running in Safe Mode, particularly when you find your system is unusable when running normally. However, by default, the key service required to manage installed software is not running, and cannot be started (the Windows Installer Service, aka MSIServer).

    Here is a quick way around this issue - by adding the registry entry below, you'll then be able to start the service and remove / install the software you require.

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"
    sc start msiserver`

    Once this change is made, it will remain permanent, and you won't need to re-apply it in the future, although you'll still need to start the msiserver service when required.

    Permalink | Leave a comment  »

  • October 01, 08:59 AM

    Transferring Files from a Decommissioned Netware Server

    Here's the situation - you've remotely migrated all the data and printing services from a Netware server onto it's replacement, and you have just completed uninstalling eDirectory / NDS... the servers are locked away in the data center.

    Just before you power it off, you find that one of the migrated volumes are not complete - data is missing! D'oh!

    The old server is still powered up, but you can no longer authenticate to it across the network (no longer in the tree) - tools such as Adrem Free Console are no good, since you need to be able to authenticate. You still access to the server console, via the iLO (Integrated Lights-Out) / DRAC (Dell Remote Access Controller) - whew!

    Getting the data off via ftp is the most straight forward, but is not a native app - thankfully it can be accessed via Bash. At the console prompt, type 'bash' then <enter> to drop into the shell. By default you'll find yourself on the SYS volume, with no obvious way of getting onto any of the other volumes. The data you need to rescue is on the DATA volume.
    1. At the Bash prompt, type 'mkdir /data', then press <enter>
    2. Type 'vi /etc/PATHTAB', then <enter>.
    3. Hit 'i' to enter insert mode and type '/data data:\'.
    4. Press 'Escape', then ':wq' and <enter>.
    5. Type 'exit' <enter> to unload the Bash shell, then type 'BASH' <enter> at the console prompt to load the shell again.
    6. Type 'cd /data' <enter> then 'ls' <enter> to display the root of the DATA volume - voila.
    Now you have access to the data, the final step is to manually transfer over the missing portions of the data - using ftp, navigate to your selected folder, type 'ftp' <enter>, then 'open <new server>'. Once you've entered your username and password, you can now 'put <file>' to transfer across your missing data - you get the idea anyway.

    Permalink | Leave a comment  »

  • September 30, 08:23 AM

    Customising the Command Prompt

    If you don't currently follow the Command line Kung Fu blog, I highly suggest you do! Originally started back in February this year by Paul Asadoorian (of PaulDotCom), Ed Skoudis and Hal Pomeranz, each week they publish solutions to challenges posed to each other, using only the command line utilities included on a default installation of Windows, Linux and Mac OS - many of the published solutions contain really useful snippets of code to include in your own scripts.

    Something that was covered in Episodes #28, #49 and #52 was customising the command prompt in various ways. On my own Windows systems I now include the following command prompt customisation by default:

    30/09/2009 13:30:34.98 C:\>

    Why? The biggest benefit is knowing when commands were started, and when they completed. Many tools don't provide feedback with time and dates, and so by the nature of the date and time being printed on screen each time a prompt is provided, you get a quick and dirty way to see how long a command took to execute.

    Setting the prompt temporarily can be done with the 'prompt' command (or 'set prompt'), while making the change permanently can be done by adding an entry to the registry - both can be seen below.

    In addition, my prompt also displays how many paths are on the pushd and popd stack, as also seen above.

    Permalink | Leave a comment  »

  • September 28, 09:14 AM

    Indisposable Tools - Notepad++, a Notepad Replacement for Windows

    Microsoft Notepad is probably (and unintentionally) one of my most used utilities, for example, when when stripping text formatting from content cut/copied from Word or Internet Explorer, or editing batch, vb, or <insert language here> scripts.

    It's very quick to bring up Notepad (Windows + R, notepad <return>) as quick dumping ground for the clipboard, and uses very little resources, however it does have it's limitations - Unix carriage returns, no regular expression support to name but a few.

    A highly recommended tool open-source replacement, which has now become one of my indisposable tools, is Notepad++.

    "Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages. Running in the MS Windows environment, its use is governed by GPL License."

    "Based on a powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed and smaller program size. By optimizing as many routines as possible without losing user friendliness, Notepad++ is trying to reduce the world carbon dioxide emissions. When using less CPU power, the PC can throttle down and reduce power consumption, resulting in a greener environment."

    Some of the key benefits, for me anyway, include:
    • Syntax Highlighting and Syntax Folding for various languages (including XML, HTML, Perl, Python, VB/VBS, Batch etc)
    • Multi-Document and Multi-View allowing you to view multiple documents and have multiple views between them, or in the same document
    • Regular expression Search/Replace is fully supported
    • File status Auto-detection, which is particularly useful when working on live files, such as logs etc

    There are also a large number of plugins, which extend Notepad++ even further.

    Installation is straight forward - just download the latest installer (or the .zip file), and accept all the defaults. I can also highly recommend installing the Notepad++ launcher, which will allow you to replace Notepad completely:
    1. Backup your original Notepad.exe
    2. Copy notepad.exe which comes with this package into 4 directories (in given order) :
      - c:\windows\servicepackfiles\i386
      - c:\windows\system32\dllcache
      - c:\windows\system32
      - c:\windows
    3. When you replace notepad.exe in c:\windows\system32 and c:\windows, a "Windows File Protection" message box appears, click Cancel. Then another message box appears, click OK.
    4. Modify you registry (if you use installer to install your Notepad++, you don't need to do this step): Create key \HKEY_LOCAL_MACHINE\SOFTWARE\Notepad++, then add your Notepad++ full path as the default value of this key. In my case, it's C:\Program Files\Notepad++.
    If you need any further information, check out the NpWiki++.

    Permalink | Leave a comment  »

  • September 25, 06:15 AM

    The Five Minute Guide to MacPorts

    Underneath Mac OS X is Darwinthe Unix-derived core that provides the underlying foundation for Mac OS X, and although born of BSD, by default many tools you may be used to on a *nix system are not present.


    And so in steps The MacPorts Project as an easy way to install open-source software onto your machine.

    "The MacPorts Project is an open-source community initiative to design an easy-to-use system for compiling, installing, and upgrading either command-line, X11 or Aqua based open-source software on the Mac OS X operating system. To that end we provide the command-line driven MacPorts software package under a BSD License, and through it easy access to thousands of ports that greatly simplify the task of compiling and installing open-source software on your Mac."

    For example, I recently rebuilt my Mac with Snow Leopard, and needed wget back on the system. Here is a quick how-to on getting MacPorts + wget installed:
    1. Download and install the appropriate MacPorts dmg file from http://distfiles.macports.org/MacPorts/ - you can accept all the default installation choices. In my case, I downloaded MacPorts-1.8.0-10.6-SnowLeopard.dmg
    2. Once installed, open up a Terminal, and type 'sudo port selfupdate' and enter your password when prompted - this will make sure your local ports tree and base files are all up to date.
    3. Finally, installing a package is as simple as typing 'sudo port install <package name>', so in my case I installed wget with 'sudo port install wget'. All required dependencies are also automatically installed.
    MacPorts currently has over 6200 ports distributed among 92 different categories, and more are being added on a regular basis. If you need further information, check out the official docs.

     

    Permalink | Leave a comment  »

  • September 18, 10:53 AM

    Adding a tape drive to Netware

    It's been a while since I've had involvement with Netware configuration, but I've recently had to add a tape drive to a Novell Netware 6.5 SP6 server - the key point is to update STARTUP.NCF on the DOS partition to include the required drivers for the SCSI card. For example, I added the lines:

    LOAD NWTAPE.CDM
    LOAD LSIMPTNW.HAM SLOT=2

    The PCI card is loaded into PCI Slot 2 (hence the line above) - you can check which slot your device has been installed to by checking Novell Remote Manager (http://yourserver:8008/ or https://yourserver:8009/), under 'Manage Hardware' -> 'PCI Devices'. Once the driver has loaded (you can load the above drivers manually, without having to reboot the server), check the device is visible using 'LIST DEVICES' on the console.

    Permalink | Leave a comment  »

  • March 13, 07:34 PM

    Citrix Web Interface and the Fatal Execution Engine Error

    Having recently been focused on a Citrix Presentation Server 4.5 migration, I took some time out to build a development 64-bit environment just to become familiar with any 'gotchas'... This was a single, stand-alone Windows Server 2003 R2 Standard SP2 64-bit operating system, with the 64-bit Citrix Presentation Server 4.5 Enterprise Edition installed, running inside XenServer 4.1 RC7 XenServer 4.1 - I chose to install .NET Framework 3.5 (which includes the required .NET Framework 2.0) and JRE 1.5.0_09.

    Additionally, I installed the following components onto the same box:

    The following hotfixes were then applied to CPS:

    • Citrix Hotfix Rollup Pack PSE450W2K3X64R01.msp
    • Citrix Hotfix PSE450R01W2K3X64003.msp
    • Citrix Hotfix PSE450R01W2K3X64004.msp
    • Citrix Hotfix PSE450R01W2K3X64005.msp
    • Citrix Hotfix PSE450R01W2K3X64012.msp
    • Citrix Hotfix PSE450R01W2K3X64014.msp
    • Citrix Hotfix PSE450R01W2K3X64016.msp
    • Citrix Hotfix PSE450R01W2K3X64019.msp
    • Citrix Hotfix PSE450R01W2K3X64020.msp
    • Citrix Hotfix PSE450R01W2K3X64023.msp

    As a side note, I had installation errors on the rollup, and hotfix 005, but all seems to be working ok... anyway, at some point post-installation the Web Interface decided to stop working. The following error was recorded in the application event log:

    Event Type: Error
    Event Source: .NET Runtime
    Event Category: None
    Event ID: 1023
    Date: 13/03/2008
    Time: 13:05:20
    User: N/A
    Computer: VM4
    Description:
    .NET Runtime version 2.0.50727.1433 - Fatal Execution Engine Error (79FFEE24) (80131506)

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    >

    Server reboots / iisresets had no effect, and after lots of Googling, it looked like there might be a specific .NET hotfix to address the issue (KB913384), however it was only applicable to an older version of the .NET Framework 2.0 - it is supposed to be included / resolved in SP1 (build 1433). Another google confirmed this. After much frustration from a lack of solutions on the Citrix forums / knowledge base, I ended up uninstalling .NET Framework completely (you have to uninstall 3.5, then 3.0 SP1, then 2.0 SP1 in that specific order), then reinstalling the .NET Framework 2.0 RTM (build 42).

    Once I then re-installed Web Interface 4.6 (enabling 32-bit mode in the process, as prompted) and then deleted and re-added the existing site within the Access Management Console, it all sprang back into life. I've not yet re-patched .NET to see if it remains functional...

    Update 1

    The error has occured again:

    Event Type: Error
    Event Source: .NET Runtime
    Event Category: None
    Event ID: 1023
    Date: 14/03/2008
    Time: 08:18:27
    User: N/A
    Computer: VM4
    Description:
    .NET Runtime version 2.0.50727.42 - Fatal Execution Engine Error (7A05E2B3) (80131506)

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    >

    This time, the only change I've made is to install the latest Citrix XenCenter console 4.1 RC7, which itself is .NET application. I ended up having to install the KB913384 fix, which this time was appliable to the version of .NET I had installed. I am going to do a bit more testing to see what is causing it to re-fail.

    Update 2

    And again...

    Event Type: Error
    Event Source: .NET Runtime
    Event Category: None
    Event ID: 1023
    Date: 17/03/2008
    Time: 10:55:32
    User: N/A
    Computer: VM4
    Description:
    .NET Runtime version 2.0.50727.63 - Fatal Execution Engine Error (7A05F093) (80131506)

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    >

    This time I had installed and uninstalled Office 2007.

    Permalink | Leave a comment  »

  • January 09, 11:43 AM

    Acronis True Image Echo Server on CentOS

    I've used Acronis True Image on quite a large number of Windows systems over the years, as it is a very good product which has gradually expanded it's (already impressive) feature set throughout that time. Just recently, I had the requirement to image a Linux system and so decided to trial the new Acronis True Image Echo Server on Linux - from what I found, there is no 'workstation' product for Linux like the True Image Home product for Windows, and so had to go for the server version instead. Specifically, I needed to backup a 64-bit CentOS 5.1 virtual machine running inside Citrx XenServer Express.

    After registering for the trial version on Acronis.com, downloading the appropriate installation file and moving it into the VM, a quick 'chmod +x TrueImageServerEcho_d_en.i686' made the file ready for installation. The binary is suitable for 32-bit and 64-bit systems - no need for seperate installation files.

    After kicking off the installation ('./TrueImageServerEcho_d_en.i686'), it was pretty much a next-next-finish affair, except I soon found I needed to have the kernel source files and gcc installed, for the installation program to correctly configure the SNAPAPI Module. A quick 'yum install -y kernel-xen-devel gcc' fixed the dependancy issue, and after re-run of the True Image installation file, all required software was now installed.

    By the way, there was no documentation supplied with the downloaded installation file; I found out some of the information on the Acronis website, and also by browing the setup log file (/var/log/trueimage-setup.log).

    Since I don't generally use an X-Windows interface on *nix systems (much prefer the command line via SSH), I've now got to see how far I get with the console tools ('trueimagecmd' and 'trueimagemnt')...

    Permalink | Leave a comment  »

  • November 01, 06:29 AM

    Exporting logs from Check Point FireWall-1

    I've recently been trying to improve a SOX process for analysing firewall activity, currently based on a manual daily check. As part of that work, I knocked together a quick batch file which can be used for automating the export of logs from Check Point FireWall-1, since by default, the logs generated are not readable as standard ascii text. The logs need to be exported using 'fwm.exe logexport', which outputs into a more readable CSV format, allowing you to carry out pre-processing of the data using other tools, such as the excellent fwlogsum.

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    
    @ECHO OFF & @SETLOCAL ENABLEEXTENSIONS & CLS
    ECHO.fw1export.cmd 1.0 (1st November 2007)
    ECHO.Andrew G. Allen, http://www.andrewallen.co.uk/ & ECHO.

    :: This work is licenced under a Creative Commons License.
    :: See http://creativecommons.org/licenses/by-nc-sa/2.0/uk/ for details.

     
    :VARIABLES
     
    SET v_SCRIPTDIR=D:\SCRIPTS
    SET v_WORKINGDIR=%v_SCRIPTDIR%\FW1EXPORT
    SET v_INPUTDIR=D:\WINNT\FW1\R60\fw1\log
    SET v_FWM=D:\WINNT\FW1\R60\fw1\bin\v_FWM.exe

    :END_VARIABLES


    :CODE

    IF NOT EXIST %v_SCRIPTDIR% MD %v_SCRIPTDIR%
    IF NOT EXIST %v_WORKINGDIR% MD %v_WORKINGDIR%

    DIR /B %v_INPUTDIR%\2007*.log | FIND /V "ptr" > %v_WORKINGDIR%\FW1EXPORT.TMP
    FOR /F "TOKENS=1 DELIMS=" %%A IN (%v_WORKINGDIR%\FW1EXPORT.TMP) DO (
       IF NOT EXIST %v_WORKINGDIR%\%%A (
          %v_FWM% logexport -n -p -i %v_INPUTDIR%\%%A -o %v_WORKINGDIR%\%%A
       )
    )
    DEL /Q /F %v_WORKINGDIR%\FW1EXPORT.TMP

    :END_CODE


    @ENDLOCAL
    :EOF

    You should setup the attached batch as a scheduled task to run once per day, once the logs have rotated.

    Permalink | Leave a comment  »

Posts