Use of words

dnstool - curses-based DNS zone administration

2012-02-06T15:27:00.000+01:00

Out now! Get it while the bits are still hot!

https://github.com/Redpill-Linpro/dnstool

The Fine Manual is plain text and even has screenshots, perfect for the old-school lynx enthusiast ;)

If your dns server supports RFC2136 dynamic updates, you might want to look at this. BIND9 does.

Patches always welcome!

Terra firma

2011-10-17T18:14:00.002+02:00

Ok.

Jeg har i dag oppdatert firmware - på ei mus.

Når ble de lure nok til å trenge firmware? Antagelig sammen med led/optikk-variantene.

Og hva hindrer dem fra å gro et virtuelt keyboard om natta og bedrive bruteforcing av passordet mitt? Ingenting jeg vet om.

(Ok, feedback er et problem. Men det fins usb skjermkort... :p)

Verbbøyingsgalskap

2011-08-17T15:23:00.000+02:00

Japansk er fleksibelt og komplisert. La oss ta et tilfeldig verb, taberu - å spise.

For det første er ikke ordbok-formen av verbet infinitiv på japansk. Ordbokformen av verbet er "uformell ikke-fortid" - kan hende det skjer omtrent nå, kan hende en bare har vage planer om det en gang i fremtiden, men det er iallfall ikke ferdig med å skje.

"Watashi wa niku ga taberu." - Jeg spiser kjøtt. Temmelig generell og uformell vending. Om du allerede snakker om deg selv og det du liker, vil du vanligvis sløyfe de to første ordene. "Niku ga taberu." - Spiser kjøtt.

Det er uformelt, dog. I høflig samtale med folk du ikke kjenner godt, vil du vanligvis bruke en normalt høflig form. "Niku ga tabemasu." (uttales "Niku ga tabemas".)

Men hvis du vanligvis ikke spiser kjøtt, vil du kanskje uttrykke det. "Niku ga tabemasen." - Spiser ikke kjøtt. Å bøye verb i positive og negative former er en typisk japansk ting. Fremdeles en veldig generell vending.

"Niku ga tabetai desu." - Har lyst til å spise kjøtt. Her er verbet gjort om til et adjektiv "lyst til å spise", mens "desu" = har.

"Niku ga tabete mimasu." - Kan prøve å spise kjøtt og se hvordan det går. Her er du usikker på om dette er noe for deg. "Mimasu" er høflig ikkefortid av "å se", her som hjelpeverb.

"Niku ga tabete mitai desu." - Har lyst til å prøve å spise kjøtt og se hvordan det går. Kombinasjon av de to over.

"Niku ga tabete imasu." - Spiser kjøtt akkurat nå. "-te imasu" er noe ala "am -ing"-form på engelsk.

"Niku ga tabete iru hito." - Personen som spiser kjøtt akkurat nå. "Iru" er den ikke-høflige kortformen av "imasu", når du bruker en hel frase som et adjektiv så brukes korte bøyinger.

"Niku ga tabemashou." - La oss spise kjøtt! Høflig men direkte.

"Niku ga tabemasen ka." - Skal vi ikke spise kjøtt? Indirekte invitt, høfligere.

"Niku ga taberaremasen." - Kan ikke spise kjøtt. Potensiell, høflig ikkefortid, negativ form.

"Niku ga tabemashita." - Har spist kjøtt.

"Niku wa tabeta koto ga arimasen." - Har aldri spist kjøtt. Uformell fortid pga. hjelpeordene etterpå. En mer klumpete og direkte oversettelse blir "Erfaringen å ha spist kjøtt, har jeg ikke."

"Niku wa tabenai tsumori desu." - Har ikke planer om å spise kjøtt. Negativ uformell ikkefortid + hjelpeord.

"Niku wa tabenakute wa ikemasen." - Må spise kjøtt. ("Kan da ikke la være å spise...")

"Niku ga tabeta hou ga ii desu." - Bør spise kjøtt. Formaning, "Det er bedre (for deg/meg) å..."

"Niku ga tabesugite wa ikemasen." - Ikke forspis deg på kjøtt. Her er taberu blitt til det sammensatte verbet tabesugiru, der -sugiru betyr "for mye".

... og jeg har fremdeles bare såvidt begynt på Genki II. Mange flere sammensetninger og former ligger på lur og venter. Og taberu er et enkelt, regulært verb i forhold til mange andre.

Det er da litt gøy. :)

また、ね！

Transport layer protocols for stealth and evil

2010-12-21T14:15:00.001+01:00

Ever tested some of the more exotic transport protocols?

SCTP is interesting ... multihoming means you can have several ips involved on each side of a connection (association in sctp speak) ... so when you move from wired to wireless your ssh session still is fine. If you find a proper SCTP ssh, of course.

Testing it on Ubuntu LTS, though, using socat for glue... a listening SCTP socket is invisible in netstat -ln. Fun. tcp, udp, raw sockets are visible ... but sctp isn't.

socat SCTP-LISTEN:8080,fork TCP-CONNECT:localhost:22

Nice, stealthy backdoor. Does not show in netstat(8) or ss(8). Combine with socat TCP-LISTEN:2223 SCTP-CONNECT:localhost:8080 on a remote host and we have a completely stealthy tunnel, if the firewall is mildly clue-challenged.

knan@ip:~$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:4949            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
udp        0      0 0.0.0.0:68              0.0.0.0:*                          
udp        0      0 0.0.0.0:36558           0.0.0.0:*                          
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
udp        0      0 0.0.0.0:631             0.0.0.0:*                          
udp        0      0 0.0.0.0:45561           0.0.0.0:*                          
knan@ip:~$

lsof reports a mysterious socket. But it also does that for udev and update-manager, so that's hardly conclusive.

knan@ip:~$ lsof | grep socat | grep sock socat 24969 knan 3u sock 0,6 0t0 645716 can't identify protocol

The only place I've dug out useful info so far is from procfs.

knan@ip:~$ cat /proc/net/sctp/eps 
 ENDPT     SOCK   STY SST HBKT LPORT   UID INODE LADDRS
ffff8800722cb800 ffff8800342c8480 2   10  16   8080   1001 645716 0.0.0.0

Hardly easy to read. But it says LADDRS 0.0.0.0, LPORT 8080. Ok.

(BTW: SCTP not being in netstat is a Debian/Ubuntu-specific bug, SuSE/Red Hat have applied patches.)

sctp_darn(1) can do more fun sctp-specific stuff, like setting up multiple local and remote addresses for the association.

Cool enough. But there are other fun transport protocols we can try.

How about DCCP? It's connection-oriented and has congestion control but otherwise is UDP-like.

netsend dccp receive

knan@ip:~$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:4949            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
udp        0      0 0.0.0.0:68              0.0.0.0:*                          
udp        0      0 0.0.0.0:36558           0.0.0.0:*                          
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
udp        0      0 0.0.0.0:631             0.0.0.0:*                          
udp        0      0 0.0.0.0:45561           0.0.0.0:*

Netstat still says nothing.

The only place in /proc/net you find DCCP mentioned is in /proc/net/protocols. Which says nothing about ongoing connections or listening sockets.

knan@ip:~$ grep -ir DCCP /proc/net/ /proc/net/protocols:DCCP 1400 1 -1 NI 1196 yes dccp_ipv4 y y y y y y y y y y y y n n y y y y n

lsof still says little.
knan@ip:~$ lsof | grep netsend | grep sock netsend 25376 knan 3u sock 0,6 0t0 658124 can't identify protocol

ss(8) to the rescue! But only when you specifically ask it about DCCP sockets with -d.

knan@ip:~$ ss -ldn
Recv-Q Send-Q                              Local Address:Port                                Peer Address:Port 
0      0                                               *:6666                                           *:*

The final protocol I want to propose today is UDP-Lite. This is basically a UDP variant with partial checksums, for the case when garbled data is better than no data.

$ netsend udplite receive

As usual, netstat tells us nothing of this uncommon activity.

knan@ip:~$ netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:4949            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
udp        0      0 0.0.0.0:68              0.0.0.0:*                          
udp        0      0 0.0.0.0:36558           0.0.0.0:*                          
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
udp        0      0 0.0.0.0:631             0.0.0.0:*                          
udp        0      0 0.0.0.0:45561           0.0.0.0:*

This time, though, lsof identifies it!

knan@ip:~$ lsof | grep netsend netsend 25461 knan 3u IPv4 661633 0t0 UDPLITE *:6666

Which is good, since ss doesn't.

To summarize (for Ubuntu 10.04 LTS):

Protocol	netstat(8)	ss(8)	lsof(8)	/proc/net/*
SCTP	No	No	No	/proc/net/sctp/eps /proc/net/sctp6/eps
DCCP	No	Yes (-d)	No	No
UDP-Lite	No	No	Yes	/proc/net/udplite /proc/net/udplite6

Hope this leaves you entertained by the possibilities. Black hats begone!

P.S.
launchpad:netstat+sctp
launchpad:lsof+sctp
launchpad:lsof+dccp

sed for dns hackers

2010-12-15T16:10:00.000+01:00

(Requires gnu sed)

Moving to a new set of nameservers is a bit like moving house. Lots of stuff thrown away for reasons of unreasonable antiquity, lots of stuff could do with a refresh and cleanup.

sed -i.bak '/$NS\|SOA$/ s/\bdns1\.example\.org/innerdns1.example.org/g; /$NS\|SOA$/ s/\bdns2\.example\.org/innerdns2.example.org/g' master/*

This simple, pretty oneliner fixes NS and SOA records to point to new addresses, and leaves other records alone - unless you have really unfortunate and awkward capital-letter names in your zones. Add some more \b safeguards if so.

Japanese WHOIS fun

2010-10-28T15:05:00.001+02:00

Recently, I wanted to look up info on a Japanese domain name. Being a command-line type of guy, I obviously did $ whois ac.jp and expected things to work out.

Well, things were a bit less helpful than I'd hoped.

$ whois ac.jp
Domain Information: [%I%a%$%s>pJs]
a. [%I%a%$%sL>]                 AC.JP
e. [$=$7$-$a$$]
f. [AH?%L>]                     3X=Q%I%a%$%s
g. [Organization]               Academic Domain
k. [AH?%<oJL]
l. [Organization Type]
m. [EPO?C4Ev<T]
n. [5;=QO"MmC4Ev<T]
p. [%M!<%`%5!<%P]               a.dns.jp
p. [%M!<%`%5!<%P]               b.dns.jp
p. [%M!<%`%5!<%P]               c.dns.jp
p. [%M!<%`%5!<%P]               d.dns.jp
p. [%M!<%`%5!<%P]               e.dns.jp
p. [%M!<%`%5!<%P]               f.dns.jp
p. [%M!<%`%5!<%P]               g.dns.jp
[>uBV]                          Reserved
[EPO?G/7nF|]
[@\B3G/7nF|]
[:G=*99?7]                      2005/03/30 17:37:52 (JST)

While I can figure out what I need here, why the garble? This is 2010 and I'm running in a UTF-8 locale with proper fonts; I should see hiragana/katakana/kanji just fine.

So I looked up the current WHOIS protocol. That's probably the shortest RFC I've ever seen.

The interesting bit: "The WHOIS protocol has no mechanism for indicating the character set in use." ... rrrright. Obviously not UTF-8 on this server.

Some trial and error, then.

$ whois ac.jp > gnark.txt
$ file gnark.txt
gnark.txt: ASCII English text, with escape sequences

Oh thank you. Very helpful. (irritated hacking ensues)

End product (bash function):

function jwhois { whois "$@" | iconv -f iso-2022-jp ; }

$ jwhois ac.jp
Domain Information: [ドメイン情報]
a. [ドメイン名]                 AC.JP
e. [そしきめい]
f. [組織名]                   学術ドメイン
g. [Organization]            Academic Domain
k. [組織種別]
l. [Organization Type]
m. [登録担当者]
n. [技術連絡担当者]
p. [ネームサーバ]              a.dns.jp
p. [ネームサーバ]              b.dns.jp
p. [ネームサーバ]              c.dns.jp
p. [ネームサーバ]              d.dns.jp
p. [ネームサーバ]              e.dns.jp
p. [ネームサーバ]              f.dns.jp
p. [ネームサーバ]              g.dns.jp
[状態]                        Reserved
[登録年月日]
[接続年月日]
[最終更新]                     2005/03/30 17:37:52 (JST)

Looks better, yes?

P.S. This was written using FreeBSD whois. Ubuntu whois acts completely differently - specifically asks for and shows English information in English locales, and breaks interestingly in the Japanese locales I've tested.

Wine on Windows...

2010-06-24T02:11:00.002+02:00

The Wine project is preparing the long-awaited 1.2 release for the end of the month.

Stuff like this should help morale:

Gothic I & II not working on Windows 7

Working around a longstanding d3d driver bug by instead running via crosscompiled d3d8+wined3d on OpenGL on Windows. :)

Fun hardware - first results

2010-05-14T01:35:00.005+02:00

Testing the Fusion-io ioXtreme 80GB (/dev/fioa) vs Intel X25-M gen 2 160G (/dev/sda). The non-directio dd went cpu-limited for some reason, needs looking into.

792 MB/s read speed at 12% cpu use in the directio case looks a bit promising :)

# dd if=/dev/fioa2 of=/dev/null bs=1M
26723+1 records in
26723+1 records out
28021615104 bytes (28 GB) copied, 201.797 s, 139 MB/s
# dd if=/dev/fioa2 of=/dev/null bs=1M iflag=direct
19792+0 records in
19791+0 records out
20752367616 bytes (21 GB) copied, 26.2142 s, 792 MB/s

# dd if=/dev/sda4 of=/dev/null bs=1M
5157+0 records in
5156+0 records out
5406457856 bytes (5.4 GB) copied, 25.136 s, 215 MB/s
# dd if=/dev/sda4 of=/dev/null bs=1M iflag=direct
6040+0 records in
6039+0 records out
6332350464 bytes (6.3 GB) copied, 26.1701 s, 242 MB/s

Stay tuned, more to come...

Fedora kernel on Ubuntu Lucid 10.04

2010-05-13T19:13:00.002+02:00

I had need of a Fedora Core 12 kernel lately. Testing the fun hardware of the previous post.

Turns out that running that kernel with Ubuntu 10.04 userspace is pretty easy. Alien + some dkms invocations are enough.

fakeroot alien kernel-2.6.31.5-127.fc12.x86_64.rpm
fakeroot alien kernel-devel-2.6.31.5-127.fc12.x86_64.rpm

dpkg -i kernel_2.6.31.5-128_amd64.deb
dpkg -i kernel-devel_2.6.31.5-128_amd64.deb

update-initramfs -c -k 2.6.31.5-127.fc12.x86_64

dkms build -m nvidia-current -v 195.36.15 -k 2.6.31.5-127.fc12.x86_64
dkms install -m nvidia-current -v 195.36.15 -k 2.6.31.5-127.fc12.x86_64

update-initramfs -u -k 2.6.31.5-127.fc12.x86_64

update-grub

et voila:

knan@sarevok:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04 LTS
Release: 10.04
Codename: lucid
knan@sarevok:~$ uname -a
Linux sarevok 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 GNU/Linux

Tease

2010-04-09T19:10:00.004+02:00

Now, if only I had the rest of the New! Shiny! computer handy, this would be a very fun weekend... as is, I'll just have to tease and promise benchmarks & impressions in a few weeks' time.

Buona sera!

htrosbif gets better

2010-02-06T20:00:00.002+01:00

Alpha 4 is out now.

More signatures, more tests, and even bugs fixed. Imagine.

Git repo: git clone http://anduin.net/~knan/htrosbif.git/

Perl trick-of-the-day - $USER-local modules

2010-01-24T18:54:00.003+01:00

Ever been frustrated by CPAN and scared to upgrade modules as root? Been burned by a perl rpm/deb upgrade overwriting your carefully upgraded modules?

Jon Allen brings us the light in a nice, short revelation. And a perl module. Of course.

Install/upgrade local perl modules in a user homedir, with basically no extra effort. Brilliant.

introducing htrosbif

2009-11-05T22:17:00.005+01:00

htrosbif - Active HTTP server fingerprinting and recon tool

What does it do?

knan@viconia:~/ak-git/htrosbif.git$ ./htrosbif http://localhost:8525/
Match (1200/1200): pound-2.4.5.sig => jetty-4.2.19.sig
Match (1193/1200): pound-2.4.5.sig => jetty-4.2.24.sig
Match (1076/1200): pound-2.4.5.sig => jetty-4.0.6.sig
Match (1042/1200): pound-2.4.5.sig => jetty-4.1.4.sig
Match (1039/1200): pound-2.4.5.sig => apache-1.2.6-php3-used.sig
Match (1033/1200): pound-2.4.5.sig => jetty-3.1.8.sig
Match (1010/1200): pound-2.4.5.sig => jetty-3.0.6.sig
Match (1000/1200): pound-2.4.5.sig => tomcat-4.1.40-oldconnector.sig
Match (1000/1200): pound-2.4.5.sig => tomcat-5.0.30.sig
Match (1000/1200): pound-2.4.5.sig => apache-2.2.13-php-5.3.0-used.sig

Does a bit of Recon by Fire, if you will. Prods the web server in all sorts of old, new, basic, fancy, spec-compliant and spec-breaking ways. Tries to characterise both the well-spoken educated responses and the seriously deviant babble it receives in return. Signatures contain no user data, only header names and http-level quirks. A few dozen sacrifical test installs of servers ancient (cern, 1993) and new have survived its tentacles.

As a (very) useful side effect, might detect reverse proxies, http load balancers, intrusion prevention systems and web application firewalls.

Cool! Download?

Sure. http://anduin.net/~knan/htrosbif/htrosbif-alpha-3.tar.gz

$ git clone http://anduin.net/~knan/htrosbif.git/

License?

GPL v3.

Alpha, huh?

Yup. Signature format(s) are still in flux, and sections of the code are just stubs. But it basically works. Sending me signatures isn't very useful yet. Sending me patches, ideas and comments, however... are extremely welcome @ knan-rosbif at anduin.net.

Why?

Because I wanted to see what could be inferred from behaviour alone.

HTTP load balancers like Pound and HAProxy usually are invisible, ghostly presences, subtly directing traffic and shaping conversations - these touches are detectable, if you think to look.

Replacing a Server: header is trivial effort, mimicking protocol handling quirks much less so.

Bad karma

2009-11-02T01:24:00.003+01:00

The 9.10 upgrade losing track of /boot and swap (What, uuid? never seen those uuids anywhere, honest! Wanna buy some slightly used /dev/sda* references? Fell off a truck!) and thus failing to boot was a bit painful.

A bunch of games suddenly growing scratchy/stuttery sound problems not evident in jaunty was more painful. Much debugging ensued.

Wondercure: apt-get remove --purge pulseaudio

... if only all social disorders were as easy to correct.

Befuddling web servers for fun

2009-10-06T23:22:00.002+02:00

sub test_get_11trailingcrap_knowngood()
{
# So, does trailing crap after the HTTP/1.1 cause a panic?
#
# Lots of fun stuff ... some ignore the crap,
# some think "stupid client, must be 1.0, here you go",
# some get confused about the url and return a 404,
# some reject with 400, some spew an error page
# with no headers at all ("stupid 0.9 client, go away")...
#
# ...and some are just endearingly confused about it all.
# UNKNOWN 400 Bad Request

Fingerprinting fun

2009-09-23T18:28:00.001+02:00

knan@viconia:~/ak-git/htrosbif.git$ ./htrosbif http://thepiratebay.org/
Fuzzy match (932/1000): lighttpd-1.5-svn2621.sig
Fuzzy match (797/1000): lighttpd-1.4.23.sig
Fuzzy match (797/1000): lighttpd-1.4.21.sig
Fuzzy match (797/1000): lighttpd-1.4.22.sig
Fuzzy match (683/1000): lighttpd-1.4.17.sig
Fuzzy match (683/1000): lighttpd-1.4.18.sig
Fuzzy match (683/1000): lighttpd-1.4.13.sig
Fuzzy match (683/1000): lighttpd-1.4.19.sig

Hairy stunt #1: firmware update via wine

2009-07-06T01:22:00.003+02:00

My shiny new LG GGW-H20L blu-ray/alphabet soup reader/writer happened to need a firmware update. For some reason, many hardware vendors think win32 executables are handy for this sort of thing. I really... don't.

But I got intrigued when several people reported success updating the firmware through wine. Copious amounts of wine can of course make almost anything seem like a good idea, so I bravely give it a try - it will probably brick something in an amusing way, at least.

winetricks mfc42 grabs the usual missing dlls for us. Yet, the firmware updater fails with something on the order of ERROR_SUCCESS in informativeness.

Oh well. Last try: running wine as root.
... and it works. Quickly and perfectly. I don't _think_ I'm hallucinating. More voluptuous hallucinations would be expected in that case.

I suspect the kernel's blk_verify_command kicked in when running as a normal user. Fair enough, you don't necessarily want the backup job user to be able to overwrite the tape drive firmware with zeroes. Or a more-evil-than-usual ransomware virus.

Still, I boggle. And salute fellow Wine contributors. Well done.

ip6tables fun

2009-06-15T19:20:00.002+02:00

Note to self. IPv6 connection tracking is a bit eccentric.

Seems that neighbour solicitations are "INVALID" according to conntrack. I.e. IPv6's equivalent of arp requests are invalid ... and dropped if you have a "-m state --state INVALID -j DROP" rule before your accept-various-icmpv6 rules.

This does great things for my host security, obviously.

workaround: put --state INVALID drops after the icmpv6 rules.

OpenVMS cuteness

2009-03-27T01:27:00.002+01:00

220 xx.xx.xx.edu MultiNet FTP Server Process V5.2(16) at Thu 26-Mar-2009 8:19PM-EDT

ftp> site window-size 1073741824
200 TCP window size now 1073741824 bytes

Strangest ftp command competition, anyone?

OpenVPN: LDAP and ipset says you may.

2009-03-10T12:29:00.008+01:00

Our ad-hoc authorization scheme proceeds. Adding custom schemas to OpenLDAP is pretty easy. (vpnaccess.schema)

ipset lets us define netfilter rules against named, dynamic sets of ips, like:

ipset -N bofhirc iphash
iptables -m set --set bofhirc src -d bofhirc.example.org -p tcp \
-m tcp --dport 22 -j ACCEPT

adds a rule giving only ips added to the bofhirc set access to bofhirc.example.org port 22. How ips are added to that set is up to you (Port knocking, messenger pigeon, ocr on a piece of paper held up in front of a webcam...) but involves ipset -A bofhirc <ip> at some point. And hopefully ipset -D bofhirc <ip> at some other point to revoke that access again. All without disturbing your carefully-tuned iptables config on every login.

A touch of the swiss army chainsaw with Net::LDAP to OpenVPN --client-connect (accesses-from-ldap-open.pl) and --client-disconnect (accesses-from-ldap-close.pl). Et voila. Adding accesses is now as easy as adding a named set of firewall rules, and adding:

objectClass: vpnAccessPerson
vpnAccess: bofhirc

to the relevant user in ldap. The ips involved are private and assigned by OpenVPN, so there's no risk of aliasing for multiple users behind a NAT.

OpenVPN: Hooked!

2009-03-05T14:00:00.001+01:00

Authorization.

OpenVPN 2.x provides a bunch of script hooks. Which ones are most useful for authorization?

--up, --down ... mostly used on the client side. Restoring network settings on vpn disconnect with a --down hook, for example. Not suitable.

--route-up ... we don't have the user common_name at this point. Not suitable.

--ipchange ... discouraged in server mode.

--auth-user-pass-verify ... authentication. Too early. The client is untrusted and doesn't have an assigned ip yet.

--tls-verify ... pre-authentication. Too early.

--client-connect, --client-disconnect... straight after authentication, before client-specific config is read. Good enough, if we're a bit careful (i.e. don't change ip address assignments in client-specific config files), and easy to understand triggering conditions. Has all the parameters we need.

--learn-address ... perhaps the architecturally correct place to put it. Somewhat harder to understand the triggering condition. Documented as "Run script or shell command cmd to validate client virtual addresses or routes."

I know, I know, I promised perl hacking here... next time.

OpenVPN: May I?

2009-03-04T15:34:00.000+01:00

I was recently asked to look at an existing road-warrior OpenVPN implementation, and see how it could be improved to differentiate network access levels per-user. Some users should have basic access, some should have access to their department's privileged systems, some should have usual department accesses plus temporary specific access to a customer system for setup and upgrades. Fun!

In computer security parlance, this is an authorization issue. Authentication is working, we know who you are, we don't know yet what you should have access to.

Users on this network is stored in LDAP, and the third-party OpenVPN Auth-LDAP plugin is used for authentication. RADIUS is not used anywhere, and adding it to the mix would add complexity and, strangely, not seem to gain us much - the third-party OpenVPN Radiusplugin only does authentication and accounting, and not really the "third A".

The Auth-LDAP plugin has some *BSD-specific code for interacting with PF. I considered rewriting that code to match requirements, but it's written in a pretty unfamiliar language (Objective-C) and has a number of limitations. A user can only be a member of one group (first-match) and group membership can only give access to one set of resources.

Thankfully, OpenVPN has lots of hooks for scripting. Perl hacking will ensue in next installment. Until then.

Likely-sounding

2009-02-24T21:55:00.000+01:00

$ HEAD http://isc.sans.org/
200 OK
Server: nc -l -p 80
X-AspNet-Version: 1.1.4322

...riiight. I believe you.

Sunset spookiness

2009-01-05T17:20:00.000+01:00

Now why is the sun sneaking rightwards along the hilltop? Can't see anything tasty in that direction...

Words, type and faces

2008-10-05T17:42:00.000+02:00

Scribus is wonderful. It has turned into a pro publishing tool even I can use (but get a 1.3.3.12 backport into hardy, already! Bug 6692 is horrible!), and with a few hours of exploration I've managed to reproduce a rpg splatbook page exactly. Only difference I can tell now is that the book paper is thinner and a bit yellowed compared to my fresh new printer paper, and it is of course some American page size and not A4. Headers, footers, typefaces, spacing, etc. match exactly. Imagine that.

WhatTheFont is handy for finding the correct fonts. Scan, crop, upload, browse. Copying fonts into ~/.fonts/ and having them show up is a convenient scribus-specific goodie, scribus knowing far more than the average program about fonts and preferring to handle them itself, TYVM.

potrace is handy, tracing a bitmap image into a fairly good SVG. (SVG not being an option in a scribus image frame is weird. Import=>SVG is a bit less than intuitive.)

Next step: automating things a bit with scripting. Mwahaha.

continents crashing regularly

2008-09-15T23:29:00.000+02:00

... sounds dramatic, doesn't it?

... mens jernet er varmt

2008-06-02T19:21:00.000+02:00

Ikke at jeg har spesielt til smedfingre.

Men dagens pjatt er om modding. Av spill. Mye annet som kan moddes - biler, vær, leiligheter... (Sjekk Været Via Blåtann På Badet! Nyhet!)... skal vi ikke snakke om.

I dag er det spill som får unngjelde. En hamrer på dem til de buler som høygravide hobbiter. Som oftest får de også mange skarpe kanter og pigger, og oser litt svidd. Eller har en skjult alien som krøster seg ut, massakrerer alt ditt harde arbeid og litt til, og får den uheldige spilleren til å skrive fantasifulle dødstrusler på $WEBFORUM.

Baldur's Gate II er et av Biowares mest anerkjente spill. Det er passelig enormt i omfang og har mer bevegelsesfrihet i historien enn de fleste. En skal vel ikke kalle det voldsomt modvennlig, men iherdig omvendt dataformatknørving og involvering fra *nix-entusiaster har gjort det til en levelig situasjon etter hvert.

Hexredigering via script er gøy.

WRITE_SHORT %fxoff% + 0x30 * %fxnum% + 0x00 %opcode%
WRITE_BYTE %fxoff% + 0x30 * %fxnum% + 0x02 1 // target self
WRITE_BYTE %fxoff% + 0x30 * %fxnum% + 0x03 0 // power
WRITE_LONG %fxoff% + 0x30 * %fxnum% + 0x04 %param1%

Spleise inn dialogvalg i et dekompilert dialogtre har sin sjarm.

REPLACE_STATE_TRIGGER banomen 22 ~See(Player1)
CombatCounter(0)
!See([ENEMY])
!StateCheck(Player1,CD_STATE_NOTVALID)
!StateCheck(Myself,CD_STATE_NOTVALID)
Global("BAnomen3","LOCALS",0)~

Spleise inn en få-fienden-til-å-lyse-gusjegrønt-effekt i et våpen via scriptet hexredigering er en smule intrikat, når en skal ta hensyn til at tidligere modder i modstabelen kan ha gjort noe lignende.

Få en beskrivende tekst til å ligne sannheten, med ~50 tidligere modder å ta hensyn til og regexp mest brukbare verktøy... morsomt :)

INNER_PATCH_SAVE newdescstr "%uniddesc%" BEGIN
REPLACE_EVALUATE ~%replacestring%~
BEGIN
SPRINT result ~%insertstring%~
END
~%result%~
END

Scripte en grunnleggende endring som skal gjøres på alle ~3000 brukbare dingser i spillet, og ta hensyn til at ikke alle er like ... kompetente til å lage slikt når de lager en mod, men motoren er snill nok til vanligvis ikke å kræsje tross småfeil og delvis korrupte filer? Vi snakker snart rent underholdende ninjatriks.

I bunnen her har vi et scriptorientert moddeverktøy lagd av en tradisjonell unixgeek. I OCaml. Som holder styr på hvilke modder du legger inn og i hvilken rekkefølge. Og involverer minst tre forskjellige domenespesifikke språk, pluss hexredigering. Andre har så lagd nye makrospråk på toppen av dette igjen. Vi snakker iallfall fire generasjoner av moddere siden spillet kom ut. Første generasjon rakk ikke annet enn å omvendtknørve filformater før de ble drevet til vanvidd av all denne kunnskapen Man Was Not Meant To Know, og oppholdt seg siden mest på Arkham Asylum. Heldigvis ble kludringen på veggene bevart, så neste generasjon beholdt fatningen lenge nok til å få stormannsgalskap. De satte så i gang med dødsforakt, og ga noen år senere fra seg noen sørgelige rester av planene om verdensherredømme før de sjelevandret til neste plan av eksistens.

Etter den tid begynte moroa.

Senere generasjoner har dog fremdeles tilbakefall av galskap. Hvordan ellers kan denne syntaksen ha blitt til?

OUTER_INNER_PATCH_SAVE savevar buffString BEGIN patch list END

Modlista er i dag oppe i 697 oppføringer. Majoriteten av dem er relativt kompatible med hverandre og seg selv tross uhell nå og da. Det begynner å bli folksomt i Athkatla.

Spillmotoren er ganske imponerende, egentlig. Den takler fint å ha noen hundre AI-script på 1MB+, kompilert, kjørende. Til å være lagd i Y2K har den holdt seg godt.

Har sin sjarm å hacke på slik über-gnarly kode. 2600 scriptlinjer and counting i min lille mod for tiden. For ikke å snakke om 789-linjers shellscriptet for å bygge min vanlige multimodinstall...

Hardware 1 - hacker 0.

2008-03-29T23:41:00.000+01:00

Note to self: grab datasheets and compatibility reports before buying. Development kits aren't as forgiving as consumer hardware. In my defense, the note ruling my target computer out was buried ten pages into a compatibility report pdf. (And the machine did boot ... it just malfunctioned in interesting ways.)

No relation to the hardware in the previous post, by the way. That one works flawlessly.

New toy

2008-03-27T13:54:00.000+01:00

Yay! The intended-for-easter toy has arrived, finally, after a dose of New Adventures With Fedex.

Game of the day: Dwarf Fortress

2007-12-10T20:55:00.000+01:00

Dwarf Fortress ... freeware game for the os that must not be named. Works admirably in Wine.

An obscure cross between Dungeon Crawl and The Settlers. Dig your own Moria. Then try to reclaim it after it inevitably falls - to war, famine, accidental magma flood, wandering dragon - or just adventure in the ruins.

Alpha version, probably permanently. Quite addictive.

The very large and peculiar cats from Saturn

2007-11-13T11:09:00.000+01:00

This is an actual radio capture. From Saturn. By Cassini.

What's Titan hiding below that orange smog?

*dreamy* I want to go out there...

On that note, fellow Osloians: Buzz Aldrin is here this coming Sunday, at Astrofestival 2007.

Driver, test pilot, vague guiding lights?

2007-10-25T12:47:00.000+02:00

The Linux Driver Project is taking off a bit, with several hundred people signed up to help. And we have a few companies dipping their toes in. Getting involved in Linux kernel development has accreted some barriers to entry these last few years. It's difficult to find a worthwhile place to start contributing, and the review-and-resubmit process is drawn-out when no-one knows and trusts your judgement and good taste in coding yet. (Your good taste in most other aspects of life is naturally a given, despite occasional innuendos in heated discussions.)

OutOfTreeDrivers and DriversNeeded now collects things to do (and places to go?). Most places I've worked, I eventually end up adding out-of-tree, or even binary-only, drivers to support something someone needs done - which is a big maintenance pain. Collecting them here might inspire a brave soul to start the mainlining, lobby-for-opening, or reverse-engineering (where legal, like here) process.

Do help out. I'm doing my part.

Ink, read while it's fresh

2007-10-11T22:17:00.000+02:00

Just out: Halting State by Charles Stross. Extrapolates from today to 2018, and will certainly be outdated before then. Technothriller. Quirky sarcastic eloquence.

Recommended reader qualifications: MMO gamer w/computer science degree.

Enjoy. I did.

The Beast Remade: Niceties, wrapping up

2007-10-08T10:50:00.000+02:00

Text::Reform took care of the rest of the pretty-printing I needed. The Perl builtin "format" command was more familiar, but the listings would not come out right. I have a sneaking suspicion that it does not like UTF-8 STDOUT much. Text::Reform was easier to get right:


$menu_form = "<< "
 ."<<<<<<<<<<<<<<<<<<<<<<<<< "
 ."<<<<<<<<<<<<<<<<<<<<<<<<< "
 ."<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<";

 print form $menu_form, $index, $from, $to, $subject;

Some manual command-line parsing were needed, in order to do labor-saving speedups like "rm 1-7,17". I expect everyone reinvents that sort of thing at need.

Wrapping up

All this was wrapped up in a two-day hack that saves some time and much aggravation.

I would like to see someone do a similar command-line stunt for interacting with an AJAX web application. Consider this a dare, fellow hacker. I'll owe you a beverage of your choice next time we meet.

The Beast Remade: Use your head

2007-10-03T11:06:00.001+02:00

Now that "cat" and "rm" works, the quick hack is somewhat useful for its intended purpose. But a short practical test reveals issues. A "cat" dumps the whole mail to the console - while that works as intended, it also scrolls the top of the mail and headers far outside the scrollback buffer, if the mail is large. A "head" command soon looks desirable.

First try is the naive "print first n lines". That approach is quickly thrown out the window. Grumbling ensues about the evils of HTML email. Spam promptly materializes containing roughly fourteen long paragraphs about random body part enlargement, without a line break anywhere in sight.

I found a rather easy solution, after some thought - we run this on Linux, after all, so why not use the traditional Unix utilities:


 $spam = grabmsg($mailnum);
 open HEAD, "| fold | head -24";
 print HEAD $spam;

No sense in reimplementing everything in Perl if you can think of something else that does the job already. There probably are twenty-five ways of doing this in pure Perl that would be more elegant, if you know of and remember them. I had two days to build this, so I grabbed the first approach I could think of that worked.

The Beast Remade: Do What I Mean

2007-09-24T19:19:00.000+02:00

WWW::Mechanize is a subclass of LWP::UserAgent. LWP::UserAgent stops at the HTTP layer, and leaves the application to deal with HTML or whatever else the server sends us in its own way. WWW::Mechanize mixes in knowledge of HTML, and checks your HTTP conversations for error messages. (Now you know what the autocheck => 1 parameter in Enter WWW::Mechanize is.) So using WWW::Mechanize feels like scripted use of a browser, which fits my problem. I am trying, after all, to abbreviate user interaction from several mouse clicks per suspected spam to a short command-line interaction.

Intuitive methods like ->tick() for checkboxes, ->click() for buttons and ->select() for radio buttons and listboxes helps me fill out the necessary forms quickly. In my "rm" function, I deal with the spam like this:


  foreach my $spamid (@spamid_arr)
  {
    $localmech->form_name("quarantine");
    $localmech->tick("mailid", $spamid);
  }
  $localmech->click("delete");

From inspection, the relevant checkboxes had "name=mailselected" and "value=" an id number that stayed constant even when the mail queue view changed. Which makes sense, from a robustness perspective.

The Beast Remade: Deep magic with Storable::dclone

2007-09-17T11:11:00.000+02:00

The cat/head/rm/ok commands posed some difficulties. My naive "ls" implementation refreshed its view of the quarantine section every time you ran it, as a normal "ls" would.

The underlying web interface happened to add any new spam that arrived in the meantime to the top of the numbered list. So a certain spam might be renumbered every time my hack looked at the index page. I certainly did not want the numbering to refresh between calls to "ls"; that could cause a quick "ls; cat 1; rm 1" sequence to delete the wrong mail!

Both the deletion form and the "view mail" links, thankfully, used mail queue id as identifier, not the 1-20 numbered list. Keeping a cached copy of the deletion form seemed wise, for later use in the "rm" command. But I also wanted to make further use of the WWW::Mechanize object, in order to get a look at the suspected spam, and avoid any issues with multiple logins kicking each other out or similar.

Storable::dclone is deep Perl magic, cloning an instantiated object and all its references, including internal state, functions and all. As such, it is not exactly lightweight or easy to wrap your head around. But it does exactly what I want in this case; it gives me a separate copy of the $mech WWW::Mechanize object to play around with that does not disturb the original:


unless (defined ($Storable::Deparse))
  { $Storable::Deparse = 1; }
unless (defined ($Storable::Eval   ))
  { $Storable::Eval    = 1; }
my $localmech = dclone($main::mech);

... and then $localmech is mine to do with as I like. Below is a complete example of use. It extracts the spam from its detail page, pretty-prints it to a string and returns.


# clone a $mech for viewing, keep
# the old around for the index page
sub grabmsg
{
my $spamindex = $_[0];

unless (defined ($Storable::Deparse))
  { $Storable::Deparse = 1; }
unless (defined ($Storable::Eval   ))
  { $Storable::Eval    = 1; }
my $localmech = dclone($main::mech);

$localmech->get($spam_viewurl[$spamindex]);
my $content = decode("utf-8",$localmech->content);

my $extractor = new HTML::TableExtract(
                 depth => 1, count => 1);
$extractor->parse($decoded);

my $spam = "";
my $table = $extractor->first_table_found();
my @headerlist = qw(Received: Return-Path: Date:
                    From: Reply-To: To: CC:
                    Subject: Attachments);

for (my $count = 0; $count<@headerlist; $count++)
{
  if (defined (my $cell = $table->cell($count,1)))
  {
    $spam .= color ('BOLD') . $headerlist[$count]
           . color ('RESET') . "\n" ;
    $spam .= "$cell\n" ;
  }
}
$spam .= color ('BOLD') . "Mail body:"
       . color ('RESET') . "\n" ;
$spam .= $table->cell(10,0) . "\n" ;

return $spam;
}

The Beast Remade: The lay of the land

2007-09-17T11:05:00.000+02:00

HTML::TableExtract emerged as my poison of choice for doing the grunt work of HTML parsing. It was the easiest to improvise extraction criteria with, of the three or four Perl modules I tried in the course of a frustrating morning.

The easiest way to pick out the table of interest from the quarantine main menu, for example, turned out to be:


my $te = new HTML::TableExtract(
 attribs => { width => 525 }, keep_html => 1 );
$te->parse($mech->content);

...since the attribute "width=525" was its only distinguishing feature. Once parsed, however, it was the work of moments to make a "cd" command to enter the quarantine section of interest. An "ls" command followed shortly behind, with momentary difficulties only.

The Beast Remade: Term::Shell Basics

2007-09-13T14:03:00.000+02:00

Grabbing and parsing the web pages are all very well, but without a fast way to interact with them this is all just a waste of time and effort. Term::Shell by Neil Watkiss has been at version 0.01 for half a decade (woo! recently updated to 0.02!), and is barely mentioned in a Google search. That does not deter a Perl-familiar sysadmin out to improve his daily routine. A non-interactive critical script would be another matter entirely.

Term::Shell is excellent scaffolding and support when you do not want to muck around with Term::Readline yourself. As long as you have one of the Term::Readline:: alternatives installed, you get command-line editing and history for free.

A demonstration:


knan@viconia:~$ perl ./listing3.pl
World domination. But first, take care of the spam.
spsh:/> ls
No spam. Yet.
spsh:/> ?
Unknown command '?'; type 'help' for a list.
spsh:/> help
Type 'help command' for more detailed help.
Commands:
 exit - exits the program
 help - prints this screen, or help on 'command'
 ls   - Is there any spam? - no help available
spsh:/> exit

So far so good. Add a help_ls subroutine if you feel like explaining the intricacies of spam listing to your fellow spam handlers.

Source of the shell above:


package main;

Spsh->new->cmdloop;

package Spsh;
use base qw(Term::Shell);

sub preloop
{
$state_path = "";
binmode(STDOUT, ":utf8");

print "World domination. But first,"
     ."take care of the spam.\n";
}

sub prompt_str
{
return "spsh:/$state_path> ";
}

# Define an empty command, to avoid
# "unknown command" on an empty
# command-line.
sub run_
{
return;
}

sub run_ls
{
print "No spam. Yet.\n";
return;
}

sub smry_ls
{
return "Is there any spam?"
}

The Beast Remade: Enter WWW::Mechanize

2007-09-11T14:57:00.000+02:00

I had recently seen something called WWW::Mechanize mentioned in Google Hacks, 2nd edition. So I determined to have a play around with it, to see if there was something to be gained. An initial look seemed promising. In fairly short order, I had the web interface yelling at me to use a civilized browser, not this scary WWW-Mechanize thingy.


use WWW::Mechanize;

my $url = "http://spamproxy:8888/login.php";

$mech = WWW::Mechanize->new(autocheck => 1);

$mech->get($url);
print $mech->content;

A quick adjustment to $mech->agent took care of that ill temper. Adding invocations to $mech->save_content() allowed me to get a look at what it expected of me - which was simple, at first. It just wanted a password in the single visible form element:


my $password = "foobarword";
$mech->submit_form(fields => { password => $password });

A $mech->save_content() later, I had won a small victory. Next target had to be the web application's menu structure. The story so far:


use WWW::Mechanize;

my $url = "http://spamproxy:8888/login.php";
my $password = "foobarword";

$mech = WWW::Mechanize->new(autocheck => 1);

# Yeah, sure, this is a tested and approved browser
$mech->agent ("Mozilla/5.0 (X11; U; Linux i686;"
."en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8");

# Get login page
$mech->get($url);

# Try to log in
$mech->submit_form(fields => { password => $password });

# Save the response page for a look around
$mech->save_content("loggedin.html");

Starting out, I worried that extensive Javascript use would make this hard or impossible. As perldoc WWW::Mechanize::FAQ states, Javascript is not supported and not likely to be until someone looks seriously into it. It turned out that this particular web interface had followed web accessibility guidelines pretty well and was navigable without Javascript support. If your local friendly web interface is less accommodating, well, the FAQ has some tips.

The menu structure turned out to be a mixed bag. Link names were constructed by Javascript, so I could not rely on them. Link URLs, however, were static and thus available for use. Some calls to ->follow_link() later, I had the quarantine main menu dumped to a HTML file for my perusal. This all looked very parsable and scriptable, and a sneak peek at the quarantine listings seemed to confirm my gut feeling.

The Beast Remade: Part the first

2007-09-11T14:52:00.000+02:00

As web interfaces to various software have matured and multiplied, they have in many cases moved toward resembling traditional GUIs. Checkboxes, labeled buttons, client-side Javascript error checking and "do you really want to do this" dialogs point the way and do the required hand-holding for novice users. In many cases, this is a good thing - say, remote firmware updates or RAID configuration restores.

System administrators, however, are usually not novice users. Especially not when the web interface in question is the only available interface for a routine daily task. The task in question? To inspect a spam quarantine for false positives - a tiring chore at best. A somewhat cumbersome web interface slowed us down, so grumbles, less than complimentary epithets, and searches for a better way were inevitable.

The Powers That Be heard our grumbles, and were sympathetic to our point of view. This was not optimal, and we could use some time to find a way to speed this up. Nevertheless, any tricks to speed this up were to make use of The Official Interface, and not delve into product internals in the layers below - due to support contract clauses. So we could not manipulate the mail queue directly, even though that was the most obvious path to speedups.

(scary cliffhanger - stay tuned for episode 2!)