Madhav Kobal's Blog

This blog will be dedicated to Linux, Open Source and Technology news, affairs, how-tos and virtually EVERYTHING in these domains.

Posts Tagged ‘hacking’

OpenSource firmware WLAN routers and embedded systems

Posted by madhavkobal on 07/06/2010

DD-WRT is a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems. The main emphasis lies on providing the easiest possible handling while at the same time supporting a great number of functionalities within the framework of the respective hardware platform used.

The graphical user interface is logically structured, and it is operated via a standard Web browser, so even non-technicians can configure the system in only a few simple steps.

Apart from the simple handling, speed and stability are also in the focus of our development work. Compared to the software preinstalled on many WLAN routers, DD-WRT allows a reliable operation with a clearly larger functionality that also fulfills the demands of professional deployment.

The huge user community gives support to DD-WRT developers and the users themselves in various ways. Thanks to this, potential flaws in the system can be detected very quickly and can thus be corrected without delay. DD-WRT users can find help and suggestions from other users in the user forums, and the Wiki containing further information and how-to guides is being expanded and maintained by the DD-WRT community as well.

For devices mainly used for private purposes, DD-WRT is freely available. Platforms used for commercial purposes require a paid license. Compared to the freely available version, the professional version also allows for configuration of the WLAN parameters, thus opening up the opportunity of creating e.g. reliable and powerful network infrastructures. Special demands can be fulfilled by specifically tailored versions of DD-WRT.

Main characteristics:

  • supports more than 200 different devices
  • comprehensive functionality
  • supports all current WLAN standards (802.11a/b/g/n*)
  • supports outdoor deployment*
  • supports enhanced frequencies *
  • VPN integration
  • supports various Hotspot systems
  • bandwidth management
  • multilingual user interface

* Appropriate WLAN hardware required; check the DD-WRT device database for your router.


rkhunter – Linux Security Checker

Posted by madhavkobal on 02/10/2009

rkhunter (Rootkit Hunter) is a scanning tool that aims to give you about 99.9% confidence that your system is clean of nasty tools. It looks for rootkits, backdoors and local exploits by running tests such as:

  • comparing MD5 hashes of important files against a stored baseline
  • looking for default files used by rootkits
  • checking for wrong file permissions on binaries
  • looking for suspected strings in LKM and KLD modules
  • looking for hidden files
  • optionally scanning within plaintext and binary files

Features of the latest version, 1.3.4:

  • Added IntoXonia-NG rootkit check.
  • Added Phalanx2 rootkit check.
  • Added support for TCB shadow files.
  • The ‘--propupd’ option can now take an optional file, directory or package name after it.
  • Revised file properties inode check.
  • Tests against the SSH configuration file now accept the key/value pair.
  • Improved the O/S name detection.
  • The Linux ‘os_specific’ test has now been split into two separate tests.
  • Improved ALLOWPROCDELFILE configuration option.
  • Improved hidden files and directories check.
  • The DBDIR directory can now be read-only, after installation.
  • Improved debug file option.
  • The system startup file and directory tests have now been merged.

Download and extract the rkhunter-1.3.4 tarball, then install it with the following command (see also the screenshot below):

[root@test1 rkhunter-1.3.4]# ./installer.sh  --layout oldschool --install


Start the scan

[root@test1 rkhunter-1.3.4]# rkhunter -c

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.

Please check the log file (/var/log/rkhunter.log)


Finally, you can add rkhunter to your cron jobs so that a daily report is sent to your email. Create the script:

# vi /etc/cron.daily/rkhunter.sh

and add

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Today's rkhunter scan report" your_email@example.com)

Then make it executable:

chmod +x /etc/cron.daily/rkhunter.sh
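As an added example (not from the original post and not rkhunter's own code), here is a slightly more careful cron wrapper than the one-liner above: it runs the scan non-interactively, counts the warning lines in the log, and mails a report only when there is something to report. It assumes the paths produced by the oldschool install layout used above (/usr/local/bin/rkhunter and /var/log/rkhunter.log), a working local mail command, and a recipient in REPORT_TO; the log lines quoted in the comments are constructed to match rkhunter's "[hh:mm:ss] Warning: ..." format.

```shell
#!/bin/sh
# Added example, not part of the original post and not rkhunter's own code:
# a cron wrapper that runs the scan non-interactively, counts the warnings
# in the log and mails a report only when there is something to report.
#
# Assumptions: rkhunter was installed with --layout oldschool as above, so it
# lives in /usr/local/bin and logs to /var/log/rkhunter.log; a local `mail`
# command can deliver to REPORT_TO. All three can be overridden via the
# environment.

RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
LOGFILE=${LOGFILE:-/var/log/rkhunter.log}
REPORT_TO=${REPORT_TO:-root}

# Number of "Warning:" lines in an rkhunter log ($1). rkhunter writes one
# timestamped line per finding, e.g. "[10:00:02] Warning: Hidden file found".
# Prints 0 when the log is missing or unreadable.
count_warnings() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'Warning:' "$1" || true
}

# The warning lines only, with the "[hh:mm:ss] " prefix stripped, for the
# body of the report mail.
warning_lines() {
    sed -n 's/^\[[0-9:]*] *Warning: */Warning: /p' "$1"
}

# --cronjob: non-interactive, no colours (implies -c)
# --rwo:     report warnings only, so stdout is empty when all is well
run_scan() {
    "$RKHUNTER" --cronjob --rwo --logfile "$LOGFILE" >/dev/null 2>&1
}

main() {
    if run_scan; then status=0; else status=$?; fi   # non-zero: warnings or errors
    n=$(count_warnings "$LOGFILE")
    if [ "$status" -ne 0 ] || [ "$n" -gt 0 ]; then
        {
            echo "rkhunter on $(hostname) exited with status $status, $n warning(s)"
            echo "Full log: $LOGFILE"
            echo
            warning_lines "$LOGFILE"
        } | mail -s "rkhunter: $n warning(s) on $(hostname)" "$REPORT_TO"
    fi
}

# Only scan when rkhunter is actually installed at the expected path.
if [ -x "$RKHUNTER" ]; then
    main
else
    echo "rkhunter not found at $RKHUNTER; nothing scanned" >&2
fi
```

Save it as /etc/cron.daily/rkhunter rather than rkhunter.sh: on Debian-derived systems run-parts only executes files whose names consist of letters, digits, underscores and hyphens, so a script with a dot in its name in that directory is silently never run. Two caveats that the simpler script above shares: the file-property database rkhunter compares against is built by --propupd at install time, so after legitimate package updates you have to run rkhunter --propupd again, and only on a system you trust to be clean, otherwise tampered binaries become the baseline; and a scanner running on the compromised host is itself subject to whatever the rootkit hides, so treat a clean report as one signal rather than proof.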

Original author: pirat9


iptraf – Network Monitoring Tool

Posted by madhavkobal on 14/09/2009

Linux has no dearth of utilities that help a user take a snapshot of the network traffic coursing through one's machine, especially when connected to the Internet. The ones that come to mind are the ubiquitous tcpdump and ethereal (now Wireshark). tcpdump is installed by default on most GNU/Linux distributions, but many others need to be specifically downloaded and installed by the user.
One such program, which helps the user keep an eye on the exchange of IP packets to and from one's machine, is IPTraf. It is a curses-based, menu-driven utility that captures packets on the network and displays information about them. Network monitors like this are usually run on gateways, where the computer acts as a router to the outside world, but they can equally be used by a home user connected to the net to watch the goings-on on a single machine.
To start using IPTraf, one first has to install it, which on a Debian system is as simple as executing:
# apt-get install iptraf
Once installed, one can start it to monitor the network. Note that root privileges are needed to run it, because capturing packets requires opening a raw socket on the interface. On Ubuntu this means prefixing the command with sudo:
$ sudo iptraf
Once the above command is executed, the user is shown a curses-based menu where one can choose to monitor either the local interface or the traffic through any of the network cards installed in the machine.
Fig: iptraf Configuration Menu
I found this network monitoring software really useful and an eye-opener at the same time. For instance, I have disabled almost all the services on my machine, but I found that within just 15 minutes of getting online, IPTraf logged at least 6 attempts at connecting to my machine via SSH. Of course, they could have been the result of a probe by someone using nmap to see which ports were open on my machine. So much for obscurity while on the net.
Also, this easy-to-use software has additional options, such as enabling reverse DNS lookup in the options menu, in which case the logs will contain the DNS name instead of the IP address wherever possible, and the service name instead of the port number. For example, when traffic is generated as I connect to the yahoo.com website from my web browser, iptraf shows it as yahoo.com:www, which denotes that I am connecting to port 80 of the yahoo web server. It also gives a count of the number of packets transferred between the yahoo web server and my machine, all in real time.
The same applies when someone tries to probe one's machine: each IP packet is captured, its header decoded and the result displayed in real time. There is an option to save the logs to a file, which by default resides in the /var/log/iptraf directory. Although I found it most useful for monitoring my Ethernet traffic, that is not all this nifty tool monitors: it can additionally monitor PPP, loopback, SLIP, FDDI and ISDN interfaces.
Fig: Iptraf monitoring the eth0 device on my machine
Some of the information about the intercepted packets that iptraf decodes is as follows:
  • Source address and port
  • Destination address and port
  • Packet count
  • Byte count
  • Packet size
  • Window size, and
  • Flag status
I would like to dwell a bit on the flag status shown by iptraf. Each TCP packet that is intercepted carries one or more flags that convey information such as which side initiated the connection, when the connection is being closed, and so on. iptraf prints them as a short column (for example S--- or S-A-) with a dash for each flag that is not set. The flags are as follows:
  • S – A SYN (synchronisation) is taking place in preparation for connection establishment. If only S--- is present, the source is trying to establish a connection; S-A- (SYN together with ACK) is the reply acknowledging a previous connection request.
  • A – Acknowledgement of a previously received packet.
  • P – Push: the data in this packet should be handed to the receiving application immediately rather than buffered.
  • U – The packet contains urgent data.
  • RESET – The source machine indicated in this direction reset the entire connection (an RST packet).
  • DONE – The connection is done sending data in this direction and has sent a FIN (finished) packet, which has not yet been acknowledged by the other host.
  • CLOSED – The FIN has been acknowledged by the other host.
  • - – A dash indicates that the flag is not set.
So if I see any unusual SYN activity (S---), then I can fairly assume that my machine is under a SYN attack.
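To make the "unusual SYN activity" reasoning concrete, here is an added example (not from the original post and not iptraf's own code) that summarises handshake activity per source host and flags sources that open many connections but complete few of them. It assumes a constructed, whitespace-separated packet listing of the form "src:port dst:port flags", borrowing the flag notation explained above with S for SYN, P for PSH, A for ACK and U for URG in that order (S--- bare SYN, S-A- SYN+ACK, --A- bare ACK, -PA- data, RESET); this is not iptraf's own log format, only its notation.

```shell
#!/bin/sh
# Added example, not part of the original post and not iptraf's own code:
# summarise per-source TCP handshake activity from a packet listing, to
# separate a SYN scan or half-open SYN flood from ordinary connection setup.
#
# Assumption: the input file is a constructed, whitespace-separated listing
# with one packet per line, "src:port dst:port flags", where the flags column
# uses the iptraf-style notation explained above (S---, S-A-, --A-, -PA-,
# RESET). This is NOT iptraf's own log format; it only borrows the notation.

# For every source host print: "host attempts completed distinct_ports".
#   attempts        bare SYNs (S---) sent, i.e. new connection attempts
#   completed       attempts followed by an ACK from the same
#                   src:port -> dst:port tuple, i.e. the handshake finished
#   distinct_ports  number of different destination ports tried
# Busiest sources first.
syn_summary() {
    awk '
    {
        split($1, s, ":"); split($2, d, ":")
        key = $1 " " $2              # one TCP connection = src:port -> dst:port
        if ($3 == "S---") {          # SYN without ACK: a new connection attempt
            attempt[key] = 1; host[key] = s[1]; dport[key] = d[2]
        } else if (($3 == "--A-" || $3 == "-PA-") && (key in attempt)) {
            completed[key] = 1       # third step of the handshake from that tuple
        }
    }
    END {
        for (k in attempt) {
            h = host[k]
            n[h]++
            if (k in completed) c[h]++
            if (!((h, dport[k]) in seen)) { seen[h, dport[k]] = 1; p[h]++ }
        }
        for (h in n) printf "%s %d %d %d\n", h, n[h], c[h] + 0, p[h]
    }' "$1" | sort -k2,2nr
}

# Sources that made at least $2 attempts (default 10) and completed fewer
# than half of them: the pattern a port scanner (many ports, no follow-up)
# or a half-open flood (one port, no follow-up) leaves behind. A busy but
# legitimate client completes most of its handshakes.
suspicious_sources() {
    syn_summary "$1" | awk -v minsyn="${2:-10}" \
        '$2 >= minsyn && $3 * 2 < $2 {
            printf "%s attempts=%d completed=%d ports=%d\n", $1, $2, $3, $4
        }'
}
```

Run it as `suspicious_sources capture.txt 20` to raise the threshold. Per-source counting only works when the source addresses are real: a SYN flood that spoofs its source addresses spreads the attempts over many hosts that each look harmless, so for flood detection also count bare SYNs per destination port, and on the host itself compare the number of connections in SYN_RECV against the listen backlog.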
IPTraf can display a statistical breakdown of the network packets sorted by the packet size or according to the TCP/UDP port which gives a fair idea of the network traffic to and from ones machine.
Fig: Statistical breakdown of network packets
Iptraf also supports a rich set of command-line options, which makes it ideal for use from within a script. True, ethereal is an even more powerful network monitor, but in my opinion iptraf strikes the right balance between functionality and simplicity, which makes it an ideal tool for home users who want to monitor their network.


Cracking Passwords

Posted by madhavkobal on 20/08/2009

Enforcing password security on a multi-user system can be a hassle: users all too often choose inadequate passwords. john-the-ripper (also available from most distros' package repositories) is a password-cracking tool that lets you identify vulnerable passwords before someone with nefarious intentions finds the weakness.

The first step is to merge the username and password-hash information from the relevant files using the provided unshadow tool. Note that the merged file contains every password hash on the system, so on a real machine write it somewhere only root can read rather than to world-readable /tmp, and delete it when you are done:

unshadow /etc/passwd /etc/shadow > /tmp/password.db

After that, john has three cracking modes:

  1. Wordlist (dictionary) mode, which tests passwords based on dictionary words. You can use the provided dictionary or provide your own, and there's an option to enable "word mangling" rules.
  2. “Single crack” mode, which uses login names and various /etc/passwd values as password candidates, as well as applying word mangling rules.
  3. Incremental mode, which tries all possible character combinations and will obviously take a very, very long time to run. You can change its parameters (character set, length limits) in the config file.

You can run one at a time (in which case, try "single crack" mode first), or run all of them in sequence, single crack, then wordlist, then incremental, which is what john does when given no mode option:

john /tmp/password.db

To show results, use

john --show /tmp/password.db

unshadow will produce a password database only on systems that use /etc/passwd and /etc/shadow for login. For centralised systems there's a Kerberos5 module available, or the supplied unafs utility extracts Kerberos AFS passwords. There's also an LDAP module.

Also remember that you can limit online guessing through measures such as locking out specific IP addresses after multiple failed SSH attempts or limiting the number of times a user can get a password wrong when logging on. Those measures do nothing against an attacker who has already obtained the hashes, which is why weak passwords still need to be found and changed.
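The unshadow/john procedure above, wrapped into an audit script, as an added example that is not part of the original post and not John the Ripper's own code. It keeps the merged file in a root-only temporary directory instead of /tmp, triages the hash algorithms in use before any cracking starts (an account with no hash at all, or with DES or md5crypt, needs fixing whatever john finds), and removes the merged file afterwards. It assumes unshadow and john are in PATH, that it is run as root, and that john's bundled wordlist is at /usr/share/john/password.lst (the Debian path; adjust for your install). The shadow-format lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post and not part of John the Ripper:
# a wrapper around the unshadow/john procedure above that keeps the merged
# file out of world-readable /tmp, triages the hash algorithms in use before
# cracking, and removes the merged file afterwards.
#
# Assumptions: unshadow and john are in PATH; the caller is root (to read
# /etc/shadow); the wordlist path is john's bundled password.lst on Debian,
# adjust it for your install.
umask 077   # anything this script creates is readable by the owner only

# Label the hash algorithm of each entry in a passwd/shadow-format file ($1).
# Output: "user algorithm". Prefixes follow crypt(5): $1$ md5crypt,
# $2a/$2b/$2y bcrypt, $5$ sha256crypt, $6$ sha512crypt, $7$ scrypt,
# $y$ yescrypt; a 13-character field with no '$' is traditional DES crypt.
classify_hashes() {
    awk -F: '
    {
        h = $2
        if (h == "")                                                alg = "empty"
        else if (substr(h, 1, 1) == "!" || substr(h, 1, 1) == "*")  alg = "locked"
        else if (substr(h, 1, 3) == "$1$")                          alg = "md5crypt(weak)"
        else if (substr(h, 1, 2) == "$2")                           alg = "bcrypt"
        else if (substr(h, 1, 3) == "$5$")                          alg = "sha256crypt"
        else if (substr(h, 1, 3) == "$6$")                          alg = "sha512crypt"
        else if (substr(h, 1, 3) == "$7$")                          alg = "scrypt"
        else if (substr(h, 1, 3) == "$y$")                          alg = "yescrypt"
        else if (length(h) == 13 && index(h, "$") == 0)             alg = "des(weak)"
        else                                                        alg = "unknown"
        print $1, alg
    }' "$1"
}

# Accounts that need fixing whatever john finds: no password at all, or a
# hash type (DES, md5crypt) that is cheap to brute-force on modern hardware.
weak_accounts() {
    classify_hashes "$1" | awk '$2 ~ /empty|weak/ { print $1 }'
}

# Merge, triage, crack in john's usual order (single, then wordlist with
# rules), report, and clean up. Incremental mode is left out here because
# it runs until interrupted.
audit_passwords() {
    wordlist=${1:-/usr/share/john/password.lst}
    work=$(mktemp -d) || return 1
    db="$work/password.db"
    unshadow /etc/passwd /etc/shadow > "$db" || { rm -rf "$work"; return 1; }

    echo "== hash algorithms in use =="
    classify_hashes "$db" | awk '{ print $2 }' | sort | uniq -c
    echo "== empty or weak hashes =="
    weak_accounts "$db"

    echo "== cracking =="
    john --single "$db"
    john --wordlist="$wordlist" --rules "$db"
    echo "== cracked =="
    john --show "$db"

    rm -rf "$work"   # the merged file is as sensitive as /etc/shadow itself
}

# Run the full audit only when asked explicitly: sh audit.sh --run [wordlist]
if [ "${1:-}" = "--run" ]; then
    audit_passwords "${2:-}"
fi
```

One more thing to clean up: john records every cracked plaintext in its pot file (john.pot, under ~/.john for the distribution packages), which is what --show reads back, so that file is as sensitive as the hashes themselves and should be removed once the affected users have been told to change their passwords.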
