The Hobby Compass

I recently had to recover a password from a RSA Authentication Manager Linux server. RSA Authentication Manager 7.1 stores all the credentials in an oracle database. Unfortunately I'm not all that familiar with connecting to oracle databases and pulling data out of them. However, I do like the strings command.

RSA Authentication Manager 7.1 keeps their authentication information in an oracle database located in /usr/local/RSASecurity/RSAAuthenticationManager/db/oradata/[RANDOM STRING]/rsa_data.dat

if we run strings on this file and pipe it into less we can then search within less for the hashes

strings rsa_data.dat | less

There is a segment that consists of just hashes. I'm guessing that this is where the database is storing them in order to verify that a user isn't reusing the last 8 passwords when they set a new one. We're not interested in that part. We should be looking for section that lists usernames as well as passwords. You can also search for SSHA256 and then the username and that should put you in the right location. Once you find the correct location it will look something like the following:

VPN Username
First Name
Last Name
Email Address
Hash

Example:

bob
Bobby
Tables
bob.tables@example.com
={SSHA256}5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==,

This hash is kept in the Salted SHA256 format where the salt is appened to the hash of the salt + password. This is known in hashcat as sha256($salt.$pass).

Hashcat can't understand the hash when it's base64 encoded. Instead we need to be able to decode it into a string that's hash:salt. We can do this using this command:

echo -n '5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==' | base64 -d | xxd -c37 -p \
| awk '{printf("%s:%s", substr($0,1,64) , substr($0,65,10))}'

Note: hexdump and xxd will give you the bytes in a different order. You need to use xxd for this, hexdump will not work properly.

This gives us:

e4aca8087d9ce22e1fdfeac8f84850af813409eec2efb033684fd1d5b92f6d09:4141414141

Since oclhashcat-lite doesn't decode sha256($salt.$pass) we need to copy that into a file. You can pipe the command used to extract the hash into a file using the >> operator

echo -n '5KyoCH2c4i4f3+rI+EhQr4E0Ce7C77AzaE/R1bkvbQlBQUFBQQ==' | base64 -d | xxd -c37 -p \
| awk '{printf("%s:%s", substr($0,1,64) , substr($0,65,10))}'  >> hash

You should use hashcat with the following options:

--hex-salt -m 1420

Example:

./cudaHashcat-plus64.bin -a 3 --hex-salt -m 1420 hash pass?l?l?l?l

cudaHashcat-plus v0.14 by atom starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 64 loops, 80 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 460, 1023MB, 1451Mhz, 7MCU
Device #2: GeForce GTX 460, 1023MB, 1350Mhz, 7MCU
Device #1: Kernel ./kernels/4318/m1420_a3.sm_21.64.ptx
Device #2: Kernel ./kernels/4318/m1420_a3.sm_21.64.ptx

e4aca8087d9ce22e1fdfeac8f84850af813409eec2efb033684fd1d5b92f6d09:4141414141:password

Session.Name...: cudaHashcat-plus
Status.........: Cracked
Input.Mode.....: Mask (pass?l?l?l?l)
Hash.Target....: e4aca8087d9ce22e1fdfeac8f84850af813409eec2efb033684fd1d5b92f6d09:4141414141
Hash.Type......: sha256($salt.$pass)
Time.Started...: Fri May  3 10:27:26 2013 (1 sec)
Speed.GPU.#1...: 35137.3k/s
Speed.GPU.#2...: 50038.4k/s
Speed.GPU.#*...: 85175.6k/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 143360/456976 (31.37%)
Rejected.......: 0/143360 (0.00%)
HWMon.GPU.#1...: -1% Util, 41c Temp, 52% Fan
HWMon.GPU.#2...: -1% Util, 49c Temp, 20% Fan

Started: Thu May  2 22:27:26 2013
Stopped: Thu May  2 22:27:28 2013

There are a few OpenStack installation guides available on the internet. One of the guides I've seen used the most is mseknibilel's guide, which is available here. I followed this guide and it took me about 8 hours to get my setup up and running. I found that too much time was spent on troubleshooting issues due to entering everything by hand. Because of this I have created a set of scripts that can be used to setup a multi-node OpenStack test environment. This can be used as a basis for a small production setup. However it does not setup SSL encryption for any of the communication traffic. I plan to write a script in the future that will add SSL to a base install. There is also no support for High Availability. If you are looking to deploy a medium to large scale cluster then I suggest looking into a bare metal provisioning tool such as crowbar.

The scripts are currently split into five sections, which are detailed on the github page. It is setup with three different network architectures in mind:

• 1NIC - A single network that everything is run through
• 2NIC - One network for public network access and one for management and data
• 3NIC - One network for public network access, one for management, and one for data

You should also be able to have anything from a single machine running everything to separate machines running as a controller, quantum server, glance server, cinder server, and compute nodes. It took me less than two hours to get my 4 node cluster up and running.

You can find the scripts here: https://github.com/soleblaze/openstack

After the third time of having to spend hours to fix my arch installation after an upgrade I've decided my time is best spent elsewhere.  Because of these issues I've moved back to Ubuntu.  Ubuntu tends to have better software support and vmbuilder is nice.

I started with the Ubuntu mini x86_64 installer as my base install.  This allows me to get a more minimal installation without unity and other tools that I don't use.  I've then installed multiple KVM Ubuntu JeOS images on top of that via vmbuilder and run my software on those.  

Right now my setup consists of:

Windows Manager: awesome

Terminal Program: terminator

Clipboard manager: parcellite

Text expanding: autokey-gtk

Virtual Machines: KVM (with libvirt to manage them)

I use IOMMU to pass my wifi card to a Linux VM that controls the wireless connections using wicd.  I then have a Linux VM that connects to the wifi VM and uses it to connect to my OpenVPN server.  After that all my other VMs connect to the VPN VM in order to get to the internet.  This allows me to force traffic on specific VMs through the VPN.  If the VPN isn't connected then nothing on my internal network can get out to the internet.  It's a bit overkill, but I find it to be an interesting project.  I'll write more details about my setup throughout the next few weeks.

 

I’ve been moving back and forth between OS X and Linux for the last 5 years or so, mostly due to performance reasons. Currently I’m moving away from OS X and back to Linux, hopefully for the last time. My main reason for this is to gain more control over what my computer does and what data it sends out. I no longer feel like I’m in control of my machine when I use OSX or Windows. However, I do still find OSX applications better from a productivity stand point. My main goal right now is to find good enough alternatives to the software I normally used in OSX. I’ll be making posts over the coming months on most of these programs and why I feel they’re useful to have.

Linux Alternatives for OSX Programs

OSX Program	Linux Alternative(s)	Reasons for Choosing Alternative
1password	lastpass and keepassx	I’m using two because lastpass has a good browser plugin so it’s useful for website information. Keepassx is more useful to keep other passwords, such as ssh account passwords.
Acorn	GIMP	Acorn is an image manipulation program. GIMP is the best Linux image manipulation program that I am aware of.
Adium	Pidgin	Pidgin isn’t as pretty as adium, but it works the same.
Hazel	Custom Script	Hazel can run scripts and move files on a regular basis based on filename. This should be able to be accomplished with shell scripts and a cron jobs.
iTunes	Audacious	I was a big fan of XMMS and Winamp, so I prefer something simple like Audacious over more of a music library manage like amarok.
Launchbar	built-in awesome functions or Synapse	The awesome windows manager has built in functionality for doing launches. Again, it’s not as nice as launchbar, but it works. Synapse also looks like an interesting alternative and I will be looking in the future to see how well that works in awesome.
NetNewsWire	LifeRea	LifeRea has a similar layout to NetNewsWire. One drawback is that LifeRea stores the google account password in cleartext. I’m accepting this risk by creating a separate google account that is only used for news feeds.
Notational Velocity	ZIM or KeepNote	Notational Velocity is a great note taking application that doesn’t require any explicit save option. I’m currently looking into ZIM and KeepNote as a replacement. I’ll be posting a blog post on this soon.
OmniFocus	todotxt	OmniFocus is hands down the best todo list program I’ve ever used. I haven’t found anything comparable for it in Linux. Instead I’m going back to the basics and using todotxt, which is a bash script that helps manage a text file todo list.
OmniOutliner	vim	A good outliner program that gets out of the way is hard to find. I haven’t found anything comparable in either Windows or Linux. Instead I’m using vim with some options to make it easier to deal with outlines.
OmniGraffle	dia	dia is the best diagram program that I’ve found for Linux.
Parallels	VirtualBox	VirtualBox lacks some of the features of parallels, such as encrypting VMs. However, it has other features that I use, such as VDE and IOMMU/VT-d support.
TextExpander	AutoKey	AutoKey is a python script that monitors the keyboard and will do a replacement of text when it sees a specific string. You can also have it run a python script and replace a string with the output of that script. I’m currently unsure of the security implications of using this program.
Time Machine	deja-dup	Deja-Dup is a GUI frontend for duplicity. I’m still in the process of determing if its better to backup to a portable drive or a file server.
Textual	weechat	I use weechat over irssi since I have an awesome plugin to monitor notifications in it.

Programs That I Haven’t Found Alternatives For

BusyCal - Calendar application.
Coderunner - Simple GUI text editor with color coding syntax.
Day One - Journaling Program
Fantastical - Enter calendar entries via text
Keyboard Maestro - Allows you to run macros via keyboard shortcuts.
Patterns - Used to test regexp strings.
Scrivener - Writing program designed for 10+ page documents. Unison - Usenet reader

Kernel Options

Back in August phoronix came out with an article about some kernel options for power savings on sandy bridge processors. In order to use these you can add the following to your kernel line:

pcie_aspm=force i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1

pcie_aspm=force enables aspm power saving. There was a bug that was introduced in an earlier kernel which prevented aspm from working correctly. The fix for this was rolled into 3.2.5. There's also supposed to be another fix going into 3.3. I'm unsure if this option will be needed once 3.3 is released.

i915.i915_enable_rc6=1 enables an extra power savings mode for the GPU. On some machines this is said to cause artifacts. I have not experienced any issues with this, but I also don't have many tasks that require 3d support.

i915.i915_enable_fbc=1 enables frame buffer compression. This saves some video memory. I'm unsure how much this would actually save power wise.

i915.lvds_downclock=1 enables the kernel to lower the clockrate of the LCD panel. This should save a little power, but might cause flickering. Again, I have had no issues using this.

laptop-mode-tools

laptop-mode-tools is a set of scripts that are designed to save power when a laptop isn't plugged in. I suggest installing acpid and ethtool in order for these scripts to work correctly. You can add acpid and laptop-mode-tools to your DAEMONS=(..) section in the /etc/rc.conf file if they aren't already there.

laptop-mode-tools is mainly configured using the file /etc/laptop-mode/laptop-mode.conf. It's well documented, so I suggest going through and seeing if there's anything you feel you need to change. I mostly changed the options regarding low battery charge, increasing them a few %. This is more a personal preference, as it bothers me when my laptop drops below 10%.

There are other configuration files in /etc/laptop-mode/conf.d. This includes features such as auto hibernate, usb autosuspend, ethernet power savings, and other commonly used features. I'd suggest taking a look in that directory if you want to get a better idea of other areas you can tweak with laptop-mode-tools.

I did have an issue with my u24e shutting down on battery power with laptop-mode-tools enabled. Disabling ethernet power saving by editing /etc/laptop-mode/conf.d/ethernet.conf and changing CONTROL_ETHERNET="auto" to CONTROL_ETHERNET="0" fixed this issue.

module blacklisting

Some hardware will take a small amount of power if the kernel module for it is loaded. You can disable these by creating (or editing) the file /etc/modprobe.d/blacklist.conf and putting a list of modules you don't want loaded prefixed by the word blacklist. For instance, I don't use the webcam so I blacklist the driver:

# Disable webcam
blacklist uvcvideo

Powertop

There's also a good power diagnosis tool called powertop, which can be used to determine what's waking a computer and what other tweaks can be made. Be aware that powertop 1 hasn't been updated in awhile and gives a lot of false tips, such as disabling usb autosuspend when it's already disabled. Powertop 2 was being worked on and has some interesting features in it. I believe the best way to install this is to use powertop-git in the AUR.