OpenVAS is an open source vulnerability scanner that I have used (and seen used) over the last few years. It's history goes back to 2005 as a fork of a previously open source (now commercialized) vulnerability scanner. This tool tends to be used when the dollar-cost of a commercial solution appears to outweigh the time and effort needed to maintain an effective OpenVAS installation.
The most common problem that I encounter using OpenVAS is the 503: service temporarily down error. When I see this message it almost invariably ties back to an expired self-signed certificate. I've seen this error enough times that I want to document the process in case I end up using this tool again in the future.
Awhile ago at a previous employer I worked with a VAR to do a system and software inventory of our workstations. They had written a custom application in C#.NET (for windows systems) and a bash script (for Mac OS) that captured the inventory data and encrypted it for us to email back to them. Sounds pretty straight forward, right?
I asked them about how the data would be protected on collection and being transmitted to them and surprisingly heard back from the VAR that their encryption mechanism 'cannot be disclosed publicly'. Hmm.... Before agreeing to run the programs and send back results, I performed a secure code review and found some interesting things about their collection tools.
This morning I tried to run security updates on one of my Centos VPS systems. Had to get creative since just running yum upgrade did not work. The yum process was killed unexpectedly:
Transaction Summary ========================== Upgrade 19 Package(s) Total size: 24 M Is this ok [y/N]: y Downloading Packages: Running rpm_check_debug Killed
A month or so ago I started an SSH Statistics gatherer with the hope of identifying high-level configuration details of SSH-2/SSH-1.99 servers in the USA. In running the tool for a couple of weeks I identified 46,250 SSH Servers that meet the basic criteria (I'd like to do a survey of SSH Servers running older versions in the 1.x range at a later date). This post explains the results of the survey.
Today I spent way too much time trying to debug an issue encountered while developing a Chrome extension. While attempting to create an Options page, I setup a separate 'options.js' file (to comply with security requirements that don't permit inline-JS) and found that the .js file would not load and that there were no error messages listed in the chrome developer tools view.
An interesting problem surfaced earlier this year that prevented our systems administrators from using RDP to connect to a windows server if they use a windows laptop. Paradoxically, SysAdmins who run Macs were not affected. It took a little time to track this down and now that I've been through the troubleshooting process I know how to fix it and can see how we wound up in this situation in the first place
We switched from LastPass to 1Password and encountered an unexpected hindrance: HTML encoded strings somehow replaced certain characters in critical passwords. The first time through the process it seemed like 1Password was was causing the problem. Upon further investigation we found that the problem originated during the LastPass 'export' process.
I will be starting an SSH Statistics gatherer that will be targeting US based IP addresses today. The gatherer tool will run for 1 week through Sunday, January 22, 2017. During this time you may notice SSH-2.0-ssh-stats-gather-2017_1.0.0 appear in your SSH server logs. This tool performs a banner grab of SSH servers and does not attempt to login (performs a partial connect)
I will update this post once the run completes with more details.
Update 2017-01-29: Things picked up pretty fast and I was able to pick up quite a bit of data. The stats gathering tool has been turned off and I am parsing the results. Expect a post about the details at some point in the next few weeks.
Update 2017-01-22: Technical issues have come up which require that I extend the duration of this project for another couple of weeks. The new target completion date is Sunday, February 5th, 2017
Update 2017-02-21: Results were published here
This week I needed to compile PuTTY to work on an Ubuntu system running 16.04 (LTS). The instructions are pretty straight-forward and will take you most of the way through compiling something you can use. A problem I ran into is that I kept on running into errors during compilation referencing dlsym, dlopen and dlclose.
Fate was on my side as I was able to work my way through the problem (with a generous dose of google) and comple that actually works.
For the last few months we have been experiencing intermittent issues with one of our production processes. The issue is one that has confounded us in its lack of consistency and ability to frustrate anyone assigned to troubleshoot the problem. I was asked to look into the situation and in the end was able to discover the root cause in just a few hours using Telerik JustDecompile coupled with Microsoft's SQL Profiler tool. The journey was exciting and I'll share what I can here.
While cleaning up some old files I found a project that compares file manifests between MSIs. At the time we needed the ability to quickly determine if the files contained in a set of new MSIs contained at least the same set of files that was generated using a previous build process. While there are other tools that can compare MSIs, this code is lightweight and command-line scriptable.
I needed to setup a quick dashboard a couple months back so I turned to Dashing.io. Everything worked great, then one day none of the dashboard widgets displayed any data. Given the nature of the dashboard and its users this was incredibly annoying.
The symptoms of this problem (which I can only replicate on Centos) are:
- Dashboard widgets appear in the right order/layout when you load the page
- Widgets do not contain any data until you Ctrl-C or kill the dashing process
When I first setup boredwookie.net Concrete5 was used to power the site. In the years since then I've grown tired of using a heavyweight CMS to post a few pages. Last month I made the switch over to Jekyll and the transition was anything but painless. It was incredibly difficult and required a lot of manual effort and fine-tuning to get right. Along the way I created a ruby script to take some of the busy work out of doing a bulk migration.
The script takes xml files generated by the Concrete5 Legacy Migration Tool and creates jekyll-style posts with YAML front matter that can be massaged into a working site. While there are gaps in what I could script-out it was a useful tool in the migration effort.
I've been looking for a development platform that can let me create programs which work across all major operating systems. While there is nothing wrong with scripts and scripting languages, sometimes a GUI just makes sense. In the past I've used WinForms in C# to create utilities with functional user interfaces, but now that I'm looking to switch to Linux full-time I'd like something which is about as easy to use that can target at least Linux and Windows.
Qt appears to check all the boxes I need, so barring development of a WinForms-like option for .NET Core or other changes in the landscape I'll press on.
Within the next year or so I would like to be using Linux as my full-time desktop. To get there I need to find a development platform that lets me create small, stand-alone, cross-platform GUI tools. While scripts are great, sometimes things can be a lot easier with a GUI.
As part of my continued migration to Android from BlackBerry OS 10 (and to try and pick a framework for cross-platform application development), I created a tool in both Electron as well as Qt variants to read and extract notes from the old Notepad application I used to use on BB 10 devices (Noted - Written by a friend of mine). While the user interface for this tool is not very sophisticated (especially the Electron version), it gets the job done.
While attempting to use electron to write a cross-platform utility, I ran into an unexpected problem: The application would error out with a few weird messages like these:
- App threw an error during load
Error: Cannot find module 'app'
at Module._resolveFilename (module.js:455:15)
- App threw an error when running [TypeError: Cannot read property 'on' of undefined]
TypeError: Cannot read property 'on' of undefined
This week marks a bittersweet end to my use of BlackBerry smartphones: I retired my BB Priv. BlackBerry no longer makes a device that I can advocate for or recommend. Part of my migration to a new device involves exporting an old device-local calendar that I have been carrying around since BB OS 7. The export went well (plenty of utilities on the app store will let you export a calendar) and I was left with a 16,000 line ICS file that I wanted to migrate.
The problem I ran into is that NextCloud hangs when it tries to process such a large calendar file and does not give any indication about the trouble it has (The web UI would hang with the words Import Scheduled).
I've been experimenting with OpenVAS for a few months now in my home lab. While the tool can be a bit fiddly at times it has found legitimate issues that would have been difficult for me to identify manually.
One interesting thing to note is that when OpenVAS scans itself (at least for installs that I've performed) is that it defaults to allowing certain weak ciphers. There is general guidance on how to lock-down the ciphers to a more secure configuration - it just requires some massaging if you run OpenVAS as a service which starts on boot.
I used to be a big BlackBerry fan and have used the company's devices for about 5 years. While BB10 was awesome, The BB Priv and it's android implementation were lacking. I recently migrated to a new Android device and faced a dilemma: what do I do with the over 600 passwords that have accumulated in the BB standard 'Password Keeper' tool?
To address this password migration situation I created the BB to KeePass Converter. This tool converts CSV exports from the BlackBerry Password Keeper tool and processes what it can (there are limitations) to save someone the hassle of re-entering all their passwords
A few years ago I needed a quick way to check if regular expressions would work in a Bash Shell, so I setup regexraptor.net. Over time I stopped using the site as the platforms I needed to automate were not super bash-heavy, yet the site carried on.
Fast Forward 4 years: Online Bash Regex Checker is one of the top searched for posts on Bored Wookie. The site is pretty bare-bones, but if you need to check a regular expression to see if it will work in a modern bash shell, why not take a look?
I recently had the opportunity to interact with the LogRhythm SOAP API. LogRhythm is a SIEM/IDS solution that has components which run on both Windows and Linux. They provide an HTTP/SOAP interface which allows for interacting with the system via well-defined API calls. This API runs in Windows/IIS.
My goal was to use ruby to interact with this API as part of a security data aggregation script I needed to execute. This article describes a couple things which helped me on my way to success.
Last time I posted something it had to do with troubleshooting MTU mis-match issues using Wireshark. Today I'd like to post some clarity for administrators who have Juniper NetScreen devices somewhere in their network back-bone.
I spent a lot of time poring through books, blog posts and 'kb' documents to understand what the NetScreens in my environment were doing. The end result was that we were able to alter the configuration of one of the devices to resolve the MTU mis-match issue (ICMP Type 3, Code 4 and tcp retransmissions / RST packets captured via WireShark).
We had a mysterious issue in our network that caused certain SSH sessions and HTTPS/TLS sessions to fail intermittently. Some machines were unable to communicate at all while other machines could occasionally and sporadically establish a connection that would fail at inopportune times.
I performed a comprehensive analysis of our networking infrastructure and router configurations and captured PCAP files to gather enough data to root cause the problem. The core problem was an MTU mis-match between our gigabit network and our 100-megabit VPN tunnel.
I was working on a ZBook G3 the other day and ran into an infuriating issue with its Synaptics Touch Pad: The touch sensitivity out-of-the-box was set so high that when I slowly moved the cursor it would get jittery and not respond.
While examining specific trackpad details, I found that I have a Synaptics LuxPad V1.3 device that communicates using an SMB port (whatever that is!)
In investigating this further I found that the Synaptics driver hides the 'advanced settings' from windows 10 users for some inexplicable reason. Once enabled I was able to fine-tune the trackpad settings to be more bearable.