Search
Blog Index
The journal that this archive was targeting has been deleted. Please update your configuration.
Navigation
Friday
May032013

Cracking a Security Console Passsword in RSA Authentication Manager 7.1

I recently had to recover a password from a RSA Authentication Manager Linux server. RSA Authentication Manager 7.1 stores all the credentials in an oracle database. Unfortunately I'm not all that familiar with connecting to oracle databases and pulling data out of them. However, I do like the strings command.

RSA Authentication Manager 7.1 keeps their authentication information in an oracle database located in /usr/local/RSASecurity/RSAAuthenticationManager/db/oradata/[RANDOM STRING]/rsa_data.dat

if we run strings on this file and pipe it into less we can then search within less for the hashes

strings rsa_data.dat | less

There is a segment that consists of just hashes. I'm guessing that this is where the database is storing them in order to verify that a user isn't reusing the last 8 passwords when they set a new one. We're not interested in that part. We should be looking for section that lists usernames as well as passwords. You can also search for SSHA256 and then the username and that should put you in the right location. Once you find the correct location it will look something like the following:

VPN Username
First Name
Last Name
Email Address
Hash

Example:

bob
Bobby
Tables
bob.tables@example.com
={SSHA256}5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==,

This hash is kept in the Salted SHA256 format where the salt is appened to the hash of the salt + password. This is known in hashcat as sha256($salt.$pass).

Hashcat can't understand the hash when it's base64 encoded. Instead we need to be able to decode it into a string that's hash:salt. We can do this using this command:

echo -n '5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==' | base64 -d | xxd -c37 -p \
| awk '{printf("%s:%s", substr($0,1,64) , substr($0,65,10))}'

Note: hexdump and xxd will give you the bytes in a different order. You need to use xxd for this, hexdump will not work properly.

This gives us:

e4aca8087d9ce22e1fdfeac8f84850af813409eec2efb033684fd1d5b92f6d09:4141414141

Since oclhashcat-lite doesn't decode sha256($salt.$pass) we need to copy that into a file. You can pipe the command used to extract the hash into a file using the >> operator

echo -n '5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==' | base64 -d | xxd -c37 -p \
| awk '{printf("%s:%s", substr($0,1,64) , substr($0,65,10))}'  >> hash

You should use hashcat with the following options:

--hex-salt -m 1420

Example:

./cudaHashcat-plus64.bin -a 3 --hex-salt -m 1420 hash pass?l?l?l?l

cudaHashcat-plus v0.14 by atom starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 64 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 460, 1023MB, 1451Mhz, 7MCU
Device #2: GeForce GTX 460, 1023MB, 1350Mhz, 7MCU
Device #1: Kernel ./kernels/4318/m1420_a3.sm_21.64.ptx
Device #2: Kernel ./kernels/4318/m1420_a3.sm_21.64.ptx

e4aca8087d9ce22e1fdfeac8f84850af813409eec2efb033684fd1d5b92f6d09:4141414141:password

Session.Name...: cudaHashcat-plus
Status.........: Cracked
Input.Mode.....: Mask (pass?l?l?l?l)
Hash.Target....: e4aca8087d9ce22e1fdfeac8f84850af813409eec2efb033684fd1d5b92f6d09:4141414141
Hash.Type......: sha256($salt.$pass)
Time.Started...: Fri May  3 10:27:26 2013 (1 sec)
Speed.GPU.#1...: 35137.3k/s
Speed.GPU.#2...: 50038.4k/s
Speed.GPU.#*...: 85175.6k/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 143360/456976 (31.37%)
Rejected.......: 0/143360 (0.00%)
HWMon.GPU.#1...: -1% Util, 41c Temp, 52% Fan
HWMon.GPU.#2...: -1% Util, 49c Temp, 20% Fan

Started: Thu May  2 22:27:26 2013
Stopped: Thu May  2 22:27:28 2013
Tuesday
Apr232013

OpenStack Installation Scripts

There are a few OpenStack installation guides available on the internet. One of the guides I've seen used the most is mseknibilel's guide, which is available here. I followed this guide and it took me about 8 hours to get my setup up and running. I found that too much time was spent on troubleshooting issues due to entering everything by hand. Because of this I have created a set of scripts that can be used to setup a multi-node OpenStack test environment. This can be used as a basis for a small production setup. However it does not setup SSL encryption for any of the communication traffic. I plan to write a script in the future that will add SSL to a base install. There is also no support for High Availability. If you are looking to deploy a medium to large scale cluster then I suggest looking into a bare metal provisioning tool such as crowbar.

The scripts are currently split into five sections, which are detailed on the github page. It is setup with three different network architectures in mind:

  • 1NIC - A single network that everything is run through
  • 2NIC - One network for public network access and one for management and data
  • 3NIC - One network for public network access, one for management, and one for data

You should also be able to have anything from a single machine running everything to separate machines running as a controller, quantum server, glance server, cinder server, and compute nodes. It took me less than two hours to get my 4 node cluster up and running.

You can find the scripts here: https://github.com/soleblaze/openstack

Friday
Mar092012

My migration from OSX to Linux

I’ve been moving back and forth between OS X and Linux for the last 5 years or so, mostly due to performance reasons. Currently I’m moving away from OS X and back to Linux, hopefully for the last time. My main reason for this is to gain more control over what my computer does and what data it sends out. I no longer feel like I’m in control of my machine when I use OSX or Windows. However, I do still find OSX applications better from a productivity stand point. My main goal right now is to find good enough alternatives to the software I normally used in OSX. I’ll be making posts over the coming months on most of these programs and why I feel they’re useful to have.

Linux Alternatives for OSX Programs


OSX Program Linux Alternative(s) Reasons for Choosing Alternative
1password lastpass and keepassx I’m using two because lastpass has a good browser plugin so it’s useful for website information. Keepassx is more useful to keep other passwords, such as ssh account passwords.
Acorn GIMP Acorn is an image manipulation program. GIMP is the best Linux image manipulation program that I am aware of.
Adium Pidgin Pidgin isn’t as pretty as adium, but it works the same.
Hazel Custom Script Hazel can run scripts and move files on a regular basis based on filename. This should be able to be accomplished with shell scripts and a cron jobs.
iTunes Audacious I was a big fan of XMMS and Winamp, so I prefer something simple like Audacious over more of a music library manage like amarok.
Launchbar built-in awesome functions or Synapse The awesome windows manager has built in functionality for doing launches. Again, it’s not as nice as launchbar, but it works. Synapse also looks like an interesting alternative and I will be looking in the future to see how well that works in awesome.
NetNewsWire LifeRea LifeRea has a similar layout to NetNewsWire. One drawback is that LifeRea stores the google account password in cleartext. I’m accepting this risk by creating a separate google account that is only used for news feeds.
Notational Velocity ZIM or KeepNote Notational Velocity is a great note taking application that doesn’t require any explicit save option. I’m currently looking into ZIM and KeepNote as a replacement. I’ll be posting a blog post on this soon.
OmniFocus todotxt OmniFocus is hands down the best todo list program I’ve ever used. I haven’t found anything comparable for it in Linux. Instead I’m going back to the basics and using todotxt, which is a bash script that helps manage a text file todo list.
OmniOutliner vim A good outliner program that gets out of the way is hard to find. I haven’t found anything comparable in either Windows or Linux. Instead I’m using vim with some options to make it easier to deal with outlines.
OmniGraffle dia dia is the best diagram program that I’ve found for Linux.
Parallels VirtualBox VirtualBox lacks some of the features of parallels, such as encrypting VMs. However, it has other features that I use, such as VDE and IOMMU/VT-d support.
TextExpander AutoKey AutoKey is a python script that monitors the keyboard and will do a replacement of text when it sees a specific string. You can also have it run a python script and replace a string with the output of that script. I’m currently unsure of the security implications of using this program.
Time Machine deja-dup Deja-Dup is a GUI frontend for duplicity. I’m still in the process of determing if its better to backup to a portable drive or a file server.
Textual weechat I use weechat over irssi since I have an awesome plugin to monitor notifications in it.

Programs That I Haven’t Found Alternatives For


BusyCal - Calendar application.
Coderunner - Simple GUI text editor with color coding syntax.
Day One - Journaling Program
Fantastical - Enter calendar entries via text
Keyboard Maestro - Allows you to run macros via keyboard shortcuts.
Patterns - Used to test regexp strings.
Scrivener - Writing program designed for 10+ page documents. Unison - Usenet reader

Thursday
Feb232012

Laptop Power Saving

Kernel Options

Back in August phoronix came out with an article about some kernel options for power savings on sandy bridge processors. In order to use these you can add the following to your kernel line:

pcie_aspm=force i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1

pcie_aspm=force enables aspm power saving. There was a bug that was introduced in an earlier kernel which prevented aspm from working correctly. The fix for this was rolled into 3.2.5. There's also supposed to be another fix going into 3.3. I'm unsure if this option will be needed once 3.3 is released.

i915.i915_enable_rc6=1 enables an extra power savings mode for the GPU. On some machines this is said to cause artifacts. I have not experienced any issues with this, but I also don't have many tasks that require 3d support.

i915.i915_enable_fbc=1 enables frame buffer compression. This saves some video memory. I'm unsure how much this would actually save power wise.

i915.lvds_downclock=1 enables the kernel to lower the clockrate of the LCD panel. This should save a little power, but might cause flickering. Again, I have had no issues using this.

laptop-mode-tools

laptop-mode-tools is a set of scripts that are designed to save power when a laptop isn't plugged in. I suggest installing acpid and ethtool in order for these scripts to work correctly. You can add acpid and laptop-mode-tools to your DAEMONS=(..) section in the /etc/rc.conf file if they aren't already there.

laptop-mode-tools is mainly configured using the file /etc/laptop-mode/laptop-mode.conf. It's well documented, so I suggest going through and seeing if there's anything you feel you need to change. I mostly changed the options regarding low battery charge, increasing them a few %. This is more a personal preference, as it bothers me when my laptop drops below 10%.

There are other configuration files in /etc/laptop-mode/conf.d. This includes features such as auto hibernate, usb autosuspend, ethernet power savings, and other commonly used features. I'd suggest taking a look in that directory if you want to get a better idea of other areas you can tweak with laptop-mode-tools.

I did have an issue with my u24e shutting down on battery power with laptop-mode-tools enabled. Disabling ethernet power saving by editing /etc/laptop-mode/conf.d/ethernet.conf and changing CONTROL_ETHERNET="auto" to CONTROL_ETHERNET="0" fixed this issue.

module blacklisting

Some hardware will take a small amount of power if the kernel module for it is loaded. You can disable these by creating (or editing) the file /etc/modprobe.d/blacklist.conf and putting a list of modules you don't want loaded prefixed by the word blacklist. For instance, I don't use the webcam so I blacklist the driver:

# Disable webcam
blacklist uvcvideo

Powertop

There's also a good power diagnosis tool called powertop, which can be used to determine what's waking a computer and what other tweaks can be made. Be aware that powertop 1 hasn't been updated in awhile and gives a lot of false tips, such as disabling usb autosuspend when it's already disabled. Powertop 2 was being worked on and has some interesting features in it. I believe the best way to install this is to use powertop-git in the AUR.

Thursday
Feb162012

Installing Arch Linux

If you've never installed Arch Linux before you can take a look at the installation documents here. Installing Arch Linux is fairly straight forward, however there's a few tweaks that I made due to my setup.

Booting via USB Stick

You can use unetbootin to copy the iso to a usb stick. The official documentation says to label your USB stick ARCH_201108 or whatever the current release date is. However, I had to label mine STORE in order for it to be properly mounted on boot.

Using a WPA access point in the installer

Setting up WPA on the command line is fairly easy. You just need to run these two commands:

wpa_passphrase [your SSID] [your passphrase]>/tmp/wpa

wpa_supplicant -Dwext -iwlan0 -c/tmp/wpa & # (-i tells what interface to use. This is normally wlan0, but yours might be different.)

After you get a good connection you will get the following message:

CTRL-EVENT-CONNECTED - Connection to 01:23:45:67:89:ab completed (auth) [id=0 id_str=]

After you see this, run "dhclient wlan0" in order to get a dhcp address. Try pinging a machine in order to verify that your network is working.

Using an SSD in Linux

There's a lot of outdated information floating around about how to properly partition an SSD in Linux. The best way that I've found is to use GPT partitions. In order to do this you have to install gdisk. gdisk will start the parition on 2048KiB, which aligns with virtually every SSD. If you're using a netinstall ISO instead of the base install ISO then you do the following steps:

Run archsetup: /arch/setup Select Source (you only need core to do an install, but I also select extras, testing, and multilib)

After you select a source it will setup pacman for the /arch/setup. Then you can either quit out of the setup or press CTRL-ALT-F2 and log into that terminal using the root account. Doing this is required because if you update pacman's database for the first time outside of /arch/setup then /arch/setup will error out every time you select Select Source.

After you have selected the source, you can run a "pacman -Sy" then "pacman -S gdisk" to install gdisk. You might have to run this twice, since the first time it can ask you to update pacman before updating anything else.

You can then use gdisk to convert the disk to GPT and partition the disk. I created a 128MB boot partition, 2GB SWAP partition, and then allocated the rest of the disk to a root partition. Since I have 16GB of ram I can probably get away without swap, but I'm unsure if some programs still require swap to function properly. I also plan on keeping good backups so I don't feel its necessary to make extra partitions for my home and var directories. /tmp is setup by default to be a tmpfs.

Important note: when you use GPT, Legacy GRUB will not work. You will either need to install and setup GRUB2 or use syslinux. I used syslinux since it's part of the installer.

Pacman Keys

If you are using the netinstaller and have updated pacman in order to install gdisk then you will get gpg key errors when you try to do the install. This is because pacman-key support is setup now, but is not initialized by the arch installer. You will have to set this up before Installing arch.

This is how I set it up. I'm unsure if this is best practice, but it's the only way I found.

pacman-key --init

This should require some entropy. I normally open up nano in another terminal and bang on the keyboard for a minute or two and then check back and see pacman-key has acquired enough entropy.

After this you need to trust the master signing keys:

pacman-key -r [KEY 1] [KEY 2] [KEY 3] [KEY 4] [KEY 5]

You can find the master keys here

After you add the keys you need to sign and trust each key. You can do this by running:

pacman-key --edit-key [KEY 1] [KEY 2] [KEY 3] [KEY 4] [KEY 5]

for each key you need to run:

lsign
y
trust
3
save

You will have to do this 5 times, once for each key. After that the packages should install correctly.

One issue I did have was retrieving the keys. I believe the default gpg server is a little overloaded. You can edit /etc/pacman.d/gnupg/gpg.conf and change the line "keyserver hkp://keys.gnupg.net" to "keyserver hkp://pgp.mit.edu". I found the MIT one always worked, while the gnupg one was hit-or-miss.

Continue Installer

Once this is done you can go back to the terminal with the arch setup (CTRL-ALT-F1) and complete the installer as normal. If you want to use encryption, which I recommend, then you can make the root partition a dm_crypt partition. The installer will ask you to set a pass phrase. After that it will add a new crypt device to the list that you can then set as "/". The installer will also setup the necessary hooks for having the system prompt you for decryption on start-up.

Again, please remember to use syslinux and not grub if you used gdisk.

Installing yaourt via AUR

Arch Linux has a user repository called AUR. These are kind of like ebuilds for gentoo, in that instead of installing pre-built binaries you're running a script that compiles the source code and creates a package for you. This is more done for security reasons than any kind of optimization. One of the common tools used to automated the handling of installing these packages is yaourt. yaourt acts a lot like pacman in that you can search for packages in the AUR and normal repositories by using yaourt -Ss [keyword]. You can also install packages using yaourt -S [keyword].

In order to install yaourt you can download it from the AUR using wget and then making the packages:

wget http://aur.archlinux.org/packages/package-query/package-query.tar.gz
tar zxvf package-query.tar.gz cd package-query
makepkg -si

wget http://aur.archlinux.org/packages/yaourt/yaourt.tar.gz
tar zxvf yaourt.tar.gz cd yaourt
makepkg -si

Doing all these steps will get you the bare bones setup. I suggest reading up on the Arch Linux wiki in order to find out about how to install and setup other programs. I will be going over a handful of them in the future, but it won't be anywhere near complete or useful for day to day operations.