Thursday, August 8, 2013

Gawk Notes - Simple

... In which I use gawk (awk) to manipulate delimited output into a format more appropriate to my task and to filter out data I do not need at the moment.

I'll break down the following example:
dpkg -l |awk '{ print $2 }'
The "|" is known as a "pipe".  Two separate programs are executed, and the output of the first is "piped" into the standard input of the second.  This feature is so useful to so many people that it might be considered one of the most frequently used facilities in userspace.

The first command:
dpkg -l 
yields:
............

ii  ffmpeg                                6:0.10.2-dmo1                      audio/video encoder, streaming server & audio/video file converter.
ii  file                                  5.11-1                             Determines file type using "magic" numbers
ii  findutils                             4.4.2-4                            utilities for finding files--find, xargs
ii  firebird2.5-common                    2.5.2~svn+54376.ds4-2              common files for firebird 2.5 servers and clients
ii  firebird2.5-common-doc                2.5.2~svn+54376.ds4-2              copyright, licnesing and changelogs of firebird2.5
ii  firmware-atheros                      0.35                               Binary firmware for Atheros wireless cards
ii  firmware-b43-installer                1:015-14                           Installer package for firmware for the b43 driver
ii  firmware-bnx2                         0.35                               Binary firmware for Broadcom NetXtremeII
ii  firmware-brcm80211                    0.35                               Binary firmware for Broadcom 802.11 wireless cards
ii  firmware-intelwimax                   0.35                               Binary firmware for Intel WiMAX Connection
ii  firmware-iwlwifi                      0.35                               Binary firmware for Intel Wireless 3945, 4965 and 5000-series cards
ii  firmware-libertas                     0.35                               Binary firmware for Marvell Libertas 8xxx wireless
..........

The second command:
dpkg -l |awk '{ print $2 }'
Passing the output of "dpkg -l" through "awk '{ print $2 }'" selects the second whitespace-separated column (hence $2) of each line of our first output, leaving a more script- and backup-friendly list of Debian packages like this:
..........

ffmpeg
file
findutils
firebird2.5-common
firebird2.5-common-doc
firmware-atheros
firmware-b43-installer
firmware-bnx2
firmware-brcm80211
firmware-intelwimax
firmware-iwlwifi
firmware-libertas
............

Voila!

P.S.  This command can also be nested inside other commands/scripts (very simple example):

echo $(dpkg -l | grep ii | awk '{ print $2 }')  >> Installed\ Packages.txt
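As an added example (not from the original post), the same awk field selection run over a constructed, abbreviated "dpkg -l" listing embedded in the script, so it runs offline. It also shows a tighter filter on the first field than "grep ii", which matches "ii" anywhere in a line, and keeps one package per line instead of collapsing the list with echo $(...).

```shell
#!/bin/sh
# Constructed, abbreviated "dpkg -l" output (header plus four package lines).
# A first field of "rc" means removed with config files left behind, not installed.
SAMPLE_DPKG_L='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version               Description
+++-=====================-=====================-===================================
ii  ffmpeg                6:0.10.2-dmo1         audio/video encoder, streaming server
ii  file                  5.11-1                Determines file type using "magic" numbers
rc  firebird2.5-common    2.5.2~svn+54376.ds4-2 common files for firebird 2.5 servers
ii  firmware-atheros      0.35                  Binary firmware for Atheros wireless cards'

# The post's filter: second whitespace-separated field of every line.
# The header lines come through too ("Status=...", "Name", blank lines).
all_second_fields() {
    printf '%s\n' "$SAMPLE_DPKG_L" | awk '{ print $2 }'
}

# Only lines whose first field is exactly "ii" (installed and configured).
installed_names() {
    printf '%s\n' "$SAMPLE_DPKG_L" | awk '$1 == "ii" { print $2 }'
}

# Name and version, tab-separated, which is what a restore script usually wants.
installed_with_versions() {
    printf '%s\n' "$SAMPLE_DPKG_L" | awk -v OFS='\t' '$1 == "ii" { print $2, $3 }'
}

# On a real system replace the printf with dpkg itself, e.g.
#   dpkg -l | awk '$1 == "ii" { print $2 }' > installed-packages.txt
installed_names
```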

Monday, January 9, 2012

kalmah Beta

In order to demonstrate that the vulnerability discussed in my previous post is exploitable, I have built a live Debian CD. The first beta is available here:
kalmah-Beta-01-amd64.iso
This CD should be burned no faster than 8x and in DAO mode if possible.
The live CD will make no changes to any existing operating system(s) and is provided merely to demonstrate the level of risk certain Internet service providers have imposed upon their customers. The scripts provided with this live system are the most primitive form I can provide and still demonstrate the practical (rather than theoretical) nature of the vulnerability; the kalmah script as provided is not self-replicating, runs as a single instance, provides minimal logging, uses a flat text target list and is provided with an outdated list of I.P. addresses. All of these "flaws" can and will be easily rectified by those who would use this vulnerability for malicious purposes.

Update: 1/14/2012

I've tweaked my build system a bit (I've shifted from debootstrap to cdebootstrap) and now I'm able to produce multiple architectures.

For 32 bit users: http://www.it-huntsville.com/pub/kalmah-Beta-09-i386.iso
This version will run on just about any PC compatible hardware and does not run from RAM by default - performance has been slightly reduced to increase hardware compatibility drastically.

For 64 bit users: http://www.it-huntsville.com/pub/kalmah-Beta-09-amd64.iso
This is for more modern machines and will copy itself to RAM on boot - allowing for full utilization of memory resources over 4 gigabytes and providing a more responsive desktop experience.

Thursday, December 29, 2011

Ubee Interactive Owners

All users of these cable modems should immediately change their passwords.
If you are connected to the LAN interface (wired or wireless), connect to the default LAN address; the default username is "user" and the default password is "user" ("admin" and "cableroot" are also defaults). By default these cable modem/gateways are shipped with two ports open to the Internet: TCP/64623 and TCP/64680. The former offers remote users access to a telnet console and the latter exposes the web GUI.

The oldest post I've found revealing this issue so far is here:
http://cyberfeen.wordpress.com/category/system-administration/

An additional post concerning an older version of this device and confined to a different ISP is here:
http://seclists.org/fulldisclosure/2010/Aug/120
This gentleman deserves real credit for his patience in dealing with security at the ISP and for realizing the scope of this problem. I suspect that particular provider merely filters traffic on these ports now, rather than actually fixing the underlying issue or shipping different modems to its customers. Upon cursory examination, the users in the address space listed in this post do seem to be unreachable on these ports.

This vulnerability is exacerbated by the fact that these newer devices are combination wireless router/cable modems, meaning that many users do not even have the protection offered by a basic consumer firewall, and those that do are still vulnerable to man-in-the-middle exploits which redirect and sniff their outbound traffic.

I can't claim any credit; however, the number of homes and small offices affected by this demands further attention. I have attempted to contact some of the ISPs whose clients are rendered vulnerable by this equipment and will continue to do so; however, I will shortly publish a list of IP addresses and a script to exploit vulnerable systems if no action is taken.
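From the defender's side, an added example that is not part of the original post: an awk filter for an operator logging traffic in front of these devices, flagging new TCP connections to the two management ports named above (64623 and 64680) in iptables LOG lines while ignoring private source addresses. It assumes the standard kernel LOG field format (SRC=, PROTO=, DPT=, SYN); the log lines are constructed for the example.

```shell
#!/bin/sh
# Constructed iptables LOG lines: two probes of the management ports from a public
# address, one ordinary HTTPS connection, and one LAN-side hit on the web GUI port.
SAMPLE_LOG='Dec 29 10:01:02 gw kernel: [1001.1] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40122 DPT=64623 WINDOW=29200 SYN URGP=0
Dec 29 10:01:05 gw kernel: [1004.2] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40123 DPT=64680 WINDOW=29200 SYN URGP=0
Dec 29 10:01:09 gw kernel: [1008.3] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 SYN URGP=0
Dec 29 10:02:11 gw kernel: [1070.4] IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=60 PROTO=TCP SPT=51001 DPT=64680 WINDOW=29200 SYN URGP=0'

# Print "SRC DPT" for each new TCP connection (SYN flag) to TCP/64623 or TCP/64680
# whose source is outside the RFC 1918 ranges, i.e. an Internet-side management attempt.
mgmt_port_hits() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        / SYN / && /PROTO=TCP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if ((dpt == "64623" || dpt == "64680") &&
                src !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
                print src, dpt
        }'
}

# Count the hits per source address, which is what an alert usually keys on.
hits_per_source() {
    mgmt_port_hits | awk '{ n[$1]++ } END { for (s in n) print s, n[s] }'
}

# Replace the printf with e.g. `grep DPT= /var/log/kern.log` to run on real logs.
hits_per_source
```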

Monday, October 3, 2011

Detect And Display A Visitor's I.P. Address

I've used derivations of this code to display visitor IP/hostname/User Agent information on my websites.

This is my PHP/JS without any MySQL backend:

<?php
header("Content-Type: application/x-javascript");
date_default_timezone_set('CST6CDT');
$date = date(DATE_RFC822);
$serverIP = $_SERVER['REMOTE_ADDR'];
$hostname = gethostbyaddr($serverIP);
// Not displayed below; both headers are optional, so fall back to '' instead of raising a notice.
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$useragent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
// The reverse-DNS name (like the referer and user agent) comes from the visitor's side,
// so HTML-escape each value before it is written into the page ...
$line = "We See You: <br><b>" . htmlspecialchars($serverIP, ENT_QUOTES, 'UTF-8') . "<br>"
      . htmlspecialchars($hostname, ENT_QUOTES, 'UTF-8') . "<br>"
      . htmlspecialchars($date, ENT_QUOTES, 'UTF-8') . "</b>";
// ... and json_encode() the whole string so it is a valid JavaScript string literal.
echo "document.write(" . json_encode($line) . ");";
?>

I have named this script 'ip.php' and placed it on my web server (A Debian/Apache LAMP system in this case).
The following is a snippet from my index page into which I write the output of my 'ip.php' file:
<table>
<tr>
<td>
<script type="text/javascript" src="http://ADDRESS.EXAMPLE.COM/ip.php"></script>
</td>
</tr>
</table>

I have presented this deliberately spartan example so that you may more easily work it into your own sites.

Notice that the '$ref' and '$useragent' lines in the PHP do not appear in this output. You might choose to modify this code to display them to your visitors.

I have also built a MySQL database to do more detailed record keeping on my sites' traffic. If your site is hosted, your provider is probably doing this anyway, and there are many packages out there which do much more elaborate recording/analysis of site traffic; Webalizer comes to mind.

www.it-huntsville.com

Saturday, October 18, 2008

mysql 5 server install on Debian:

Install packages from apt:

#apt-get update
#apt-get install mysql-server phpmyadmin

Set root's password:

#mysqladmin -u root password $new_password

Login to check:

#mysql -u root -p

Done.

Now you can use a browser to manage SQL databases with phpmyadmin via http://localhost/phpmyadmin

Wednesday, October 15, 2008

Introduction

I'm going to use some of Google's storage space to house some of my work notes. Most of this will be how-to's and checklists for Linux administration chores that I don't do often enough to memorize or which might save someone else a little search time. Feel free to comment and edit if you catch errors in my procedures and I will correct them as soon as possible. Also, as the vast majority of this material will be aggregated from other sources, feel free to comment if you feel something here deserves better citation. This is intended to be a reference for my personal use, not a representation of original writing.