Archive for the 'Security' Category

Published by admin on 17 Dec 2008

Active Directory and Ubuntu Integration with Likewise-Open

likewise-open-logo.jpg

It’s always been an interest of mine to integrate operating system environments.  I’m not sure if it’s a genuine interest in using a single product for user management or an inability to decide on a single operating system.  Anyways, I started playing around with likewise-open this week for the first time.

Likewise-open, according to their website, is a “free, open source application that joins Linux, Unix and Mac machines to Microsoft Active Directory and securely authenticates users with their domain credentials.”  It sounded good, but I had to test it to be absolutely sure this wasn’t another Winbind/Kerberos configuration nightmare (ironically, Likewise is based on Winbind).

I started out with a patched A/D Domain Controller and a patched Ubuntu Desktop 8.10.  I performed the following steps, as recommended by Likewise, on the Ubuntu system.

Install likewise-open

sudo apt-get install likewise-open

Join to the domain

sudo domainjoin-cli join example.local Administrator

-OR YOU CAN USE THE GUI-

joindomain-gui.jpg

You can’t ask for a faster way to add a non-Windows host to the domain.  What I also found pretty interesting was that it populated the Operating System Version in the properties of the host object in A/D.  After that you can simply log out and log in as a domain user using the “domain\user” format.  I was expecting a bigger challenge here, but it looks like likewise-open has their act together.

likewise-open-ad-properties.jpg

Another useful command when you are testing is the one that removes the machine from the domain.

Removing the system from the domain

sudo domainjoin-cli leave

The last item that I have yet to dig into is access control to the host once you are part of the domain.  As a domain administrator in the test domain I was not immediately granted sudo access to the Ubuntu workstation, but I’m guessing there is some way to configure the host to allow certain domain groups to perform certain tasks.  I’m eyeballing the Likewise Enterprise software, which has a 30-day trial and boasts AD integration, group policy management, single sign-on for applications, network security, compliance and sudo management.

…I wonder if it will wash my car?…

Anyways, it looks like a pretty cool product, and if it does all the things it promises then it’s a much-needed tech in the marketplace.  It hasn’t broken any promises to me just yet.  Maybe when I start pushing the limits of the free version I’ll start complaining, but for now it’s on my watch list.
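The sudo question raised above does not need the enterprise product: sudo resolves a `%group` entry through NSS, and once lsassd is answering NSS lookups a domain group can be named in sudoers exactly as Likewise presents it (`DOMAIN\group`, with the backslash doubled because sudoers treats it as an escape). The block below is an added example, not Likewise code and not from the post. Its assumptions: a NetBIOS domain of EXAMPLE, Likewise’s default of replacing spaces in AD names with `^`, and a sudo new enough to read `/etc/sudoers.d` (the 8.10 in the post predates that; on older sudo the same line goes into `/etc/sudoers` through `visudo`). Verify the exact spelling on your host with `id 'EXAMPLE\someuser'` before trusting the generated line.

```python
"""Grant an AD group sudo rights on a Likewise-joined Ubuntu host.

Added example (not Likewise code). Assumptions: NetBIOS domain EXAMPLE,
Likewise's default "^" replacement for spaces in AD names, and a sudo that
reads drop-ins from /etc/sudoers.d.
"""
import os
import subprocess
import tempfile

SPACE_REPLACEMENT = "^"  # Likewise default for spaces in AD names (assumption)


def likewise_name(domain, name):
    """Render an AD principal the way Likewise exposes it to NSS/PAM: DOMAIN\\name."""
    return "%s\\%s" % (domain.upper(), name.replace(" ", SPACE_REPLACEMENT))


def sudoers_entry(domain, group, commands="ALL"):
    """Build the sudoers line for an AD group.

    sudoers treats a backslash as an escape, so the one in DOMAIN\\group must be
    doubled; the leading % marks a group rather than a user.
    """
    principal = likewise_name(domain, group).replace("\\", "\\\\")
    return "%%%s ALL=(ALL) %s" % (principal, commands)


def verify_join(domain, user):
    """True if NSS can resolve a domain account, i.e. the join and lsassd work."""
    result = subprocess.run(
        ["getent", "passwd", likewise_name(domain, user)],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def install_sudoers_dropin(domain, group, path="/etc/sudoers.d/ad-admins"):
    """Write the entry to a temp file, validate it with visudo, then install it.

    Never edit sudoers in place: one syntax error locks everyone out of sudo,
    and `visudo -cf` is the check that prevents that.
    """
    line = sudoers_entry(domain, group) + "\n"
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(line)
        os.chmod(tmp, 0o440)
        subprocess.run(["visudo", "-cf", tmp], check=True)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise
    return path


if __name__ == "__main__":
    # Prints the line you would otherwise type into visudo by hand.
    print(sudoers_entry("example", "Domain Admins"))
```

Run `verify_join("example", "someuser")` first; if `getent` cannot see domain accounts, sudo will not be able to resolve the group either, and the drop-in will silently grant nothing.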

Published by admin on 13 Dec 2008

One Week Until Security+ Round Two

comptia.gif

I’m coming into the final turn of my race to get through the new CompTIA 2008 Security+ Certification Exam material.  I know that if I didn’t schedule the exam I may have never gone back to it.  Next Friday at 10pm is my scheduled test time to take a stab at round two.  I’m feeling much more confident this time around because I’m actually studying material that was created for this year’s exam and I’ve taken a much more structured approach over the past week or so.  I’ve committed to reading a chapter a day and making sure to do the follow-up chapter assessments a full 24 hours after I read the material to reduce my ability to use short-term memory to answer questions.

I’ll probably be finishing my training book early Sunday and will be moving into the final “stage” of my training plan, which includes studying each day this week as if tomorrow were the exam, taking a practice exam each day and following up on any question I get wrong to make sure I’ve got most of my bases covered.  I know this sounds like overkill, but if getting an 81% (you need an 85%) on the first attempt wasn’t a kick in the junk, not passing the second time will probably end my interest in this cert, as my focus will be changing on the first of the year to the CISSP certification.

***Update Tuesday Night (AKA: Early Wednesday Morning) ***

Do you ever feel like you’ve made one step forward only to make two steps backward?  That’s how I’m feeling with these practice tests.  So here is where I stand so far….

Practice Exam #1 (Monday) = 86%
Practice Exam #2 (Tuesday) = 71%

… I surely don’t have any clue how I could have gotten 15 points worse in one day (after studying the content I got wrong the first time).  Anyways, I’m finding that my book and the exam don’t “exactly” match up, and there were more “choose all that apply” questions, which hurts my multiple-guess strategy.  At any rate, I need to get better scores from here on out.  I want to be well into the 90s by tomorrow (preferably 100s) if I’m to expect a 15-point swing on a bad day.  “Just keep swimming…, Just keep swimming…”

***Update Wednesday Night***

Well, that feels a little better.  It’s not the 100 I was hoping for, but it’s certainly the closest I’ve gotten so far.  I’m happy to have rebounded.  For a minute there I was a little worried.  Just keep swimming…

Practice Exam #3 (Wednesday) = 88%

***Update Thursday Night***

Confidence is not 100%, but I’m feeling better.  Measurable results implying that this information is sticking are quite refreshing.  Well, time for bed.  Wish me luck!  Just keep swimming…

Practice Exam #4 (Thursday) = 92%

***Update Friday Night***

I passed! Now off to work on the CISSP.

Final Exam #2 (Friday) = 92%

Published by admin on 12 Dec 2008

Why doesn’t everything have an Internet connection?

samsung_bd-p2500.jpg

Tonight was the night I finally got motivated enough to give our recently purchased Blu-ray player a connection to the Internet.  I originally tossed and turned on the decision, but now that I’m running the latest firmware, I love it.  Some unknown features that have recently been brought to light include being able to stream video and audio content from 3rd parties.  Two authorized third parties include Netflix and Pandora, both of which I am going to be using more in the coming weeks.  Netflix has a two-week trial so I’ll give it a try and see if it’s going to be a monthly expense.  From what I’ve seen in the demos it’s much more robust than any cable provider’s “on demand” features.  I’m also pretty excited to see what comes out in the next firmware release scheduled for the 31st of this month.  With any luck another great feature will be revealed, further reinforcing my belief that getting this player was well worth the $150 ($399 on Samsung’s website) I paid at Best Buy.

Does anyone else have this player or a similar one that allows you to upgrade?  I’d be really interested to see what other vendors have done in this space and how it compares.  I’d also be curious to see if there are branch firmware sets that allow further customization beyond the standard manufacturer support (e.g. Linksys <-> dd-wrt/tomato/open-wrt). At any rate, I want every device I buy from here on out to have some form of “auto-update” feature to ensure my gear is kept up to snuff with added features and most importantly security updates.

Of course, like any like-minded security professional, I scanned the thing to see what new interesting vulnerabilities I’d be introducing to my home network and, funnily enough, it came back running RPC on port 111.  Maybe when I get more adventurous I’ll take a closer look and see if there are any vulnerabilities that need fixing/reporting.

***Update: A few hours later***

So after a reboot of the Blu-ray player the RPC bind port is closed.  Anyone got an unpatched version of the Samsung BD-P2500?  I would surely like to know more about the RPC services enabled prior to patching.

Published by admin on 26 Oct 2008

That poor Microsoft server service…

microsoft-logo.PNG

So I was tooling around on the web tonight and I finally found enough time to investigate the “new” server service vulnerability associated with Microsoft Security Bulletin MS08-067.  I’m somewhat partial to the Microsoft Server service because it has been on my radar since 2006 with the announcement of Microsoft Security Bulletin MS06-040.  Since then, it’s been a constant pain for industry to make sure that all their systems are patched against this nasty little vulnerability, and it looks like we’re going to need to be ready for round two.

Below is the “small” list of the affected software…

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems*
  • Windows Server 2008 for x64-based Systems*
  • Windows Server 2008 for Itanium-based Systems

Just about the time I think I’m done with these something like this happens.  Should be an interesting year considering a lot of folks running 2003, 2K8 and Vista have something to fear again.

***Update 3 minutes later***

Exploit code has been released into the wild under the following…

  • TrojanSpy:Win32/Gimmiv.A
  • TrojanSpy:Win32/Gimmiv.A.dll

***Update 5 minutes later***

Just found it on milw0rm…

  • http://milw0rm.com/exploits/6824
  • http://milw0rm.com/sploits/2008-ms08-067.zip

***Update 10 minutes later***

Nessus has published a check for 2K, XP and 2K3

  •  http://blog.tenablesecurity.com/2008/10/network-and-cre.html

***Update Thursday October 30th***

Well, it’s a wrap on this one.  The exploit code is now available in the SVN version of Metasploit and will soon show up in the other versions.  That was fast!!! :)

Published by admin on 09 Sep 2008

What’s the deal with SMTP?

rant.jpg

*START RANT*

Why is it that organizations are still struggling with securing their mail infrastructure?  It baffles me that organizations will spend so much money on email spam filters and outsourced SMTP gateway providers, and make such an effort to use encrypted protocols for client-side transactions, and then still allow any IP on the internal network to communicate directly with the production SMTP service with absolutely no restrictions.

Considering that 70-80 percent (according to Forrester and FBI/CSI) of major security breaches come from inside the organization, you’d think that there would be more of a push to quarantine some of these rudimentary services.  I can certainly understand if you have alerting software that can’t send via any protocol other than SMTP, but you can pretty easily whitelist those systems.  You could set up a VBS script to query via LDAP and only allow them to send unauthenticated messages.

*END RANT*

Well, I had some time last weekend and thought it would be fun to write a little Perl script (see my projects page for the download) that went out and sent email to the world using a list of your internal SMTP servers.  Just perform an Nmap (4.75 just came out!) scan for TCP port 25 on all your ranges (with permission from IS security, of course), then take the systems running SMTP, add them to the script, customize the email addresses and run it.  You’ll then know which systems aren’t properly restricting access, and maybe you’ll do something to fix it and save me another rant :).
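The same relay test in Python, as an added example that is not the Perl script from the projects page: it speaks SMTP only as far as RCPT TO and then resets the transaction, so it reports whether a server would relay for an outside address without actually delivering anything. The host list, sender and recipient addresses are assumptions, and the fake server at the bottom is constructed purely so the probe can be exercised end to end offline against one locked-down server and one unrestricted one.

```python
"""Probe internal SMTP servers for unauthenticated relaying.

Added example (not the post's Perl script). It stops at RCPT TO and issues
RSET, so no message is ever sent. FakeSMTPServer is constructed for the demo;
hosts, addresses and domains are assumptions.
"""
import smtplib
import socketserver
import threading


def check_relay(host, port, mail_from, rcpt_to, timeout=10):
    """Return (relayed, code, text) for one server.

    relayed is True when the server accepts RCPT TO for an outside address
    without authentication, i.e. it relays for anyone who can reach port 25.
    """
    with smtplib.SMTP(host, port, local_hostname="relay-probe.local", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(mail_from)
        if code != 250:
            return False, code, msg.decode("ascii", "replace")
        code, msg = smtp.rcpt(rcpt_to)
        try:
            smtp.rset()  # abandon the transaction; DATA is never sent
        except smtplib.SMTPException:
            pass
        return code in (250, 251), code, msg.decode("ascii", "replace")


def probe_hosts(hosts, mail_from, rcpt_to, port=25, timeout=10):
    """Run check_relay over the hosts from the port-25 scan; never raises."""
    report = {}
    for host in hosts:
        try:
            relayed, code, text = check_relay(host, port, mail_from, rcpt_to, timeout)
            report[host] = "OPEN RELAY" if relayed else "refused (%d %s)" % (code, text)
        except (OSError, smtplib.SMTPException) as exc:
            report[host] = "error: %s" % exc
    return report


class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed mail server: accepts RCPT only for its own domains unless
    open_relay is set, which mimics an unrestricted internal relay."""

    def handle(self):
        srv = self.server
        self.wfile.write(b"220 mx.corp.example ESMTP constructed-fake\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250 mx.corp.example\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":  # arg looks like "TO:<user@domain>"
                domain = arg.rsplit("@", 1)[-1].rstrip(">").lower()
                if srv.open_relay or domain in srv.local_domains:
                    self.wfile.write(b"250 2.1.5 Ok\r\n")
                else:
                    self.wfile.write(b"554 5.7.1 Relay access denied\r\n")
            elif verb == "RSET":
                self.wfile.write(b"250 2.0.0 Ok\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    """Background fake server on an ephemeral localhost port."""
    allow_reuse_address = True

    def __init__(self, local_domains, open_relay=False):
        super().__init__(("127.0.0.1", 0), _FakeSMTPHandler)
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.port = self.server_address[1]
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def stop(self):
        self.shutdown()
        self.server_close()


def demo():
    """Probe one locked-down and one open fake server; returns {name: (relayed, code)}."""
    results = {}
    for name, open_relay in (("locked", False), ("open", True)):
        srv = FakeSMTPServer(["corp.example"], open_relay=open_relay)
        try:
            relayed, code, _ = check_relay("127.0.0.1", srv.port,
                                           "alerts@corp.example", "someone@outside.example")
            results[name] = (relayed, code)
        finally:
            srv.stop()
    return results


if __name__ == "__main__":
    print(demo())
```

Feed `probe_hosts` the addresses that answered on TCP 25, and run it from an ordinary workstation subnet rather than the mail admin’s box, since relay restrictions are almost always keyed on source IP. Two caveats: a few MTAs only reject relaying at DATA, so a 250 at RCPT is a strong signal rather than proof, and an MTA that accepts for its own domains but refuses outside recipients (the “locked” case above) is still wide open as an internal spam and phishing source if any host can submit to it unauthenticated.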

Published by admin on 08 Sep 2008

How to Upgrade to Ubuntu 8.04 LTS (Hardy) via Command Line

ubuntu-logo.jpg

So I finally decided that my Ubuntu server needed a little updating yesterday. Although I do perform regular security updates and other configuration changes, this just so happened to be the first time I’d done a full distribution upgrade on an Ubuntu box. This was mainly performed out of curiosity and not out of need. Surprisingly enough, it was very easy and required little interaction on my part. Here are the steps if you want to update your Ubuntu server to the latest distribution (currently Ubuntu 8.04 LTS Hardy Heron).

Note: It is highly advised that you back up any critical data or system files prior to performing this how-to on your server.

1.) Make a backup of your /etc/apt/sources.list file

sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak

2.) Open the sources file for editing

sudo vi /etc/apt/sources.list

3.) Change the distribution references to the next logical upgrade, but only one at a time. You will need to complete all the steps in this how to for each logical step (dapper->feisty->gutsy->hardy) it will take you to get to the latest version. Use the following VI command (:%s/olddist/newdist/g) to change all the references in the sources.list file. For my first upgrade from dapper to feisty I used the following…

:%s/dapper/feisty/g

4.) Update the package list from the newly referenced sources…

sudo apt-get update

5.) Upgrade to the next distribution. If it asks to replace the config file for say Apache or PHP I would recommend leaving it the same (option “N”).  I have a few virtual hosts setup and the default site with Apache and some custom stuff in my PHP.ini and the production setup was unaffected by leaving the configs the same throughout the upgrades.

sudo apt-get dist-upgrade

6.) Make sure everything ran ok. I ended up having to catch a plane while I was running the distribution upgrade in the airport and my SSH session terminated unexpectedly, which I thought was going to mess everything up. I ended up coming back today and running the second command listed below and it picked right up where it left off.

sudo apt-get -f install
sudo dpkg --configure -a

7.) Reboot your system…

sudo init 6

8.) After it boots back up check your distribution…

sudo lsb_release -a

9.) Rinse and repeat and make sure to make the necessary mods in step 3 to upgrade to the next logical distro until you’re running the latest version. Special thanks to rob-the.geek.nz and debainadmin.com for creating the original material I used to help perform my upgrade.  I just added some of my personal tid-bits to this document and made it my own reference for later.
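Steps 1 through 6 scripted as a single release hop, as an added example that is not from the post or the sources it credits. It replaces only whole-word release names (so dapper, dapper-updates and dapper-security all change but nothing else in the file does), refuses to touch apt if the file already mixes releases, and passes the dpkg option that answers “N” to every conffile prompt the way step 5 recommends. The release sequence is the post’s own; the file paths and the `-y` flags are assumptions.

```python
"""One distribution hop of the upgrade above, scripted.

Added example (not from the post or its sources). Does the sources.list
backup and whole-word release rewrite of steps 1-3, sanity-checks the file,
then runs the apt/dpkg commands of steps 4-6. Paths are assumptions.
"""
import re
import shutil
import subprocess

UPGRADE_PATH = ("dapper", "feisty", "gutsy", "hardy")  # the post's own sequence


def rewrite_sources(text, old, new):
    """Return (rewritten text, replacement count) for whole-word occurrences of old.

    \\b keeps "dapper-security" matching on "dapper" while leaving unrelated
    words alone, which a bare string replace would not guarantee.
    """
    pattern = re.compile(r"\b%s\b" % re.escape(old))
    return pattern.subn(new, text)


def releases_in(text):
    """Release names referenced by active deb/deb-src lines, minus -updates/-security."""
    found = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore commented-out entries
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("deb", "deb-src"):
            found.add(parts[2].split("-", 1)[0])
    return found


def next_release(current):
    """Next hop on dapper -> feisty -> gutsy -> hardy, or None when already at the end."""
    if current not in UPGRADE_PATH or current == UPGRADE_PATH[-1]:
        return None
    return UPGRADE_PATH[UPGRADE_PATH.index(current) + 1]


def upgrade_step(old, new, sources="/etc/apt/sources.list", run=subprocess.run):
    """Steps 1-6 for one hop; raises before touching apt if sources look wrong."""
    with open(sources) as fh:
        text = fh.read()
    current = releases_in(text)
    if current != {old}:
        raise RuntimeError("expected only %s in %s, found %s" % (old, sources, sorted(current)))
    shutil.copy2(sources, sources + ".bak")            # step 1
    new_text, count = rewrite_sources(text, old, new)  # steps 2-3
    with open(sources, "w") as fh:
        fh.write(new_text)
    keep_conf = "Dpkg::Options::=--force-confold"      # the "N" answer from step 5
    for cmd in (["apt-get", "update"],                                   # step 4
                ["apt-get", "-y", "-o", keep_conf, "dist-upgrade"],      # step 5
                ["apt-get", "-y", "-o", keep_conf, "-f", "install"],     # step 6
                ["dpkg", "--configure", "-a"]):
        run(cmd, check=True)
    return count


if __name__ == "__main__":
    hop = next_release("dapper")
    print("next hop from dapper: %s" % hop)
```

Run `upgrade_step("dapper", "feisty")` as root, reboot, confirm with `lsb_release -a`, then call it again with `next_release(...)` until it returns None. Ubuntu’s own tool for this is `do-release-upgrade` from update-manager-core, which performs the same rewrite and also knows the supported paths (it will take one LTS straight to the next); the manual route in this post is what the author used and is handy when that package is not installed.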

PS - This is my first time using code-snippet and I love it.  Props to hackerforhire.org for reviving such a useful tool!

***Update (9/19/08)***

I’ve performed this process on three other systems that I manage and they all worked flawlessly from dapper to feisty to gutsy to hardy.  I’ve also received some feedback from some in-tar-web friends that have also successfully used this how-to to upgrade their systems too. W00t!

***Update (9/25/08)***

I noticed that my servers were acting a little sluggish so I jumped on the console and found a ton of device mapper errors.  I thought it was going to be  a big pain trying to resolve the issue, but apparently evms was installed during the upgrade process and has a known bug.  I ended up finding an article that suggested removing evms.  I used the following command followed by a reboot to resolve the issue.

sudo apt-get remove evms

Published by admin on 03 Sep 2008

On top of the world…

So this week is the first time I’ve been home in a whole month (**long exhaling breath**).  First it was Alabama for a week (business), Vegas for the weekend (DEFCON16) and then Puerto Rico for three weeks (business and pleasure).  It’s been a roller coaster of great experiences mixed with the feeling of missing home.

DEFCON16 was, as always, a blast.  It’s always great to meet up with old faces and catch up. I stopped by the lockpick village at the Skybox and picked up the ward lock key set.  Unfortunately, I haven’t had the opportunity to check it out at a client site, but I’m keeping my eyes open.  I think the talks this year were on par with previous years, with Fyodor’s Scanning the Internet talk, the NTLM is Dead talk and the VoIP talk in the Skybox being the highlights for me.  As with every trip to Vegas, even three days feels like I’m overstaying my welcome.  I’m happy to say I made the parties that I wanted to and I didn’t end up outside the gas station over by the Hard Rock on my hands and knees.

As for Puerto Rico… I was surprised.  It was not what I expected whatsoever. I think the bigger item that started to wear on me was the language barrier.  Although the tourist areas had a number of bilingual individuals, I had a difficult time trying to communicate when I visited the more remote areas.  I now have an informal commitment to the girly to learn some more Spanish before my next trip to PR.  By far the best part of the trip was the tropical rain forest.  I didn’t know that Puerto Rico had a rain forest until I arrived at work the first day, but sure enough it was in my weekend vacation schedule as soon as I found out there was a mountain (El Yunque) to climb.  The girly and I took a trip up to a smaller peak called Mt Britton (40 min) the first weekend and, after a week of talking smack to my coworkers, I decided to make the impossible trek from the mountain base to the El Yunque peak (3,000+ feet).  I made it to the top, surprisingly, in about 4 hours of straight hiking, and it was well worth the view once I got there. I wish I had my camera with me, but nothing could erase the image of sitting on the edge of the mountain face staring down at the clouds :).

img_0026.jpg

Published by admin on 16 May 2008

Finding: Physical Security…

Finding:

After an exciting week of training, my roommates and I arrived home to discover that our house had been broken into. The word around the house is that we have a “finding” under physical security because our security alarm failed to alert the police and we have no idea when the break-in occurred. Luckily we have video cameras placed at both entrances, which should help us narrow our search for the responsible party (Don’t F3CK with Geeks!).

One fortunate thing was they only stole about $900 worth of electronics rather than the thousands of dollars in desktop computers, stereo equipment, game consoles and not to mention our passports and other sensitive documents.

Management Response:

Now, I’ve had things stolen from me before and it is not a good feeling. Being that we are still going to be in our current place for a few more months and that our maintenance guy won’t arrive until tomorrow we chose to “mitigate” our risk until we have a better solution in place.

This included a field trip to K-mart to buy everyone, including the girly, a wooden baseball bat to exact any current or past frustrations on a would-be burglar to our precious home.


dsc02564.JPG

Published by admin on 18 Apr 2008

ZipTie is awesome!!!

Network device management just took an upturn. I was on networkworld.com killing some time before a flight and found a review of this amazing tool called “ZipTie“. This tool is free and it does things that most commercial tools won’t do out of the box. It has a slew of great network management features, including configuration roll-back, nightly backups of your device configs, and diffs of device configs to make sure that the running, startup and previous backup are in complete sync. It also does process batching, so you can write a process to remove type 7 passwords on all your Cisco equipment and just hit apply on all your devices, or automate any other formerly manual process. It’s just way ahead of its time, but not a minute too soon. I can’t wait to start using it in production to see its full feature set.

Check it out!!!! (www.ziptie.org)

img_freeware-slide21.jpg
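Why the “remove type 7 passwords” batch job is worth setting up, as an added example that is not ZipTie code: IOS `service password-encryption` (type 7) is a fixed-key XOR, so every config backup ZipTie collects leaks those passwords in cleartext to anyone who can read it. The block decodes and encodes type 7 strings and scans a config for them; the key is the public one every type 7 tool uses, and the sample config is constructed.

```python
"""Cisco type 7 passwords: decode, encode, and find them in a config.

Added example (not ZipTie code). Type 7 is a fixed-key XOR, not a hash,
which is why they should be replaced with "enable secret" / secret 5.
The config text below is constructed.
"""
import re

# The fixed XOR key IOS uses for "service password-encryption".
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
_HEX = re.compile(r"[0-9A-Fa-f]+")
# Matches "enable password 7 X", "username u password 7 X" and " password 7 X".
_TYPE7_LINE = re.compile(r"^\s*(?P<prefix>.*?\bpassword\s+)7\s+(?P<hash>[0-9A-Fa-f]+)\s*$")


def type7_decode(encoded):
    """Reverse a type 7 string: the first two decimal digits are the key offset,
    the rest is the password XORed byte-wise with the key from that offset."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not _HEX.fullmatch(encoded):
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext, seed=8):
    """The same XOR in the other direction; shown only to make the weakness obvious."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    data = bytes(ord(c) ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(plaintext))
    return "%02d%s" % (seed, data.hex().upper())


def find_type7(config_text):
    """Scan an IOS config; return [(line_no, prefix, plaintext)] per type 7 password."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = _TYPE7_LINE.match(line)
        if m:
            hits.append((n, m.group("prefix").strip(), type7_decode(m.group("hash"))))
    return hits


# Constructed sample: one real hash (secret 5) and three type 7 strings.
SAMPLE_CONFIG = """\
hostname rtr1
enable secret 5 $1$abcd$notreversible
enable password 7 0822455D0A16
username backup password 7 094F471A1A0A
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line_no, prefix, plain in find_type7(SAMPLE_CONFIG):
        print("line %d: %s -> %s" % (line_no, prefix, plain))
```

Point `find_type7` at the nightly backups and the batch job writes itself: every hit is a line to replace with `enable secret` (or a `username ... secret`) and an `enable password` to delete. Note that the `enable secret 5` line is untouched, because an MD5-based secret is not reversible the way type 7 is.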

Published by admin on 03 Apr 2008

SPARSA - Information Security Talent Search 6…

logo.gif

Well, it’s been almost a week since the conclusion of SPARSA’s ISTS 6. This year I was fortunate enough to fly to Rochester and participate as a co-sponsor once again.

This has marked my third year of involvement in ISTS and I want to thank all the guys at SPARSA who make it possible. There is something innately special about dragging 60+ guys out of bed on a Saturday to hack. To the guys who participated with me on the SPARSA attack team, it was a pleasure meeting, working and most importantly learning with you.