To mimimize all open windows
For a very simple HTTP server, execute this in the directory you would like to serve. The default port is 8000. So http://<ip address>:8000/ will get you to there.
python -m SimpleHTTPServer
By default OS X logs all of the download you have made since the installation of the operating system. From what I have seen this isn't cleaned with off the shelf privacy cleaners. Could be a valuable tool to those doing OS X forensics. You can view this download database with:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'
To delete this database:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'delete from LSQuarantineEvent'
There is a really nice "hidden" setting in both Lion and Mountain Lion which allows for changing the look of the stack list menu. Apple really should make this the default:
defaults write com.apple.dock use-new-list-stack -bool YES; killall Dock
Show full path in Finder
defaults write com.apple.finder _FXShowPosixPathInTitle -bool YES; killall Finder
Clear DNS cache in OS X 10.10
Keeps the display from sleeping. Maintains this state until caffeinate is terminated. OS X Mountain Lion only.
You might noticed that OS X occasionally shows duplicate application entries when doing a file "open with" in finder. This can be easily fixed by running the command:
LaunchServices.framework/Versions/A/Support/lsregister -kill -r -domain local -domain user;killall Finder;
echo "Open With has been rebuilt, Finder will relaunch"
I have found the following nettop commands useful in my troubleshooting of IPv6 connections
nettop -n -m route
It is possible to get quite a speed boost out of Mail.app by stripping all the bloat out of its Envelope index. Since mail.app uses sqlite we can use the vacuum command. The below command works in OS X Lion:
sqlite3 ~/Library/Mail/V2/MailData/Envelope\ Index vacuum;
To monitor file writes and reads to and from the disk. The activity will be recorded in the output.txt file. Use control-C to quit.
sudo fs_usage -e -w > ~/output.txt
To Create a DMG from a folder:
hdiutil create name.dmg -srcfolder ~/Desktop/FolderName
To restart the OS X dock:
Restart Dock or killall Dock
You may notice if you use network shares that OS X leaves .DSShare files on the network shares. While these aren’t visable to OS X users, if you have other users accessing the same share they will see these files in every directory. Since these files simply save the appearance of the folder in OS X, disabling it shouldn’t have any adverse effect:
defaults write com.apple.desktopservices DSDontWriteNetworkStores true
In order to eject a stuck CD/DVD you can use the below command. Sometimes the CD remains in the tray but a desktop icon is no longer visable. This command line eject command will eject the CD.
drutil tray eject
drutil tray open
To reset a login password, start OS X with command+S which will start the system in single user mode. Then type:
fsck -fy mount -uw / launchctl load \
dscl . -passwd /Users/UserName newpassword
To convert a DMG file to an ISO File:
hdiutil convert /path/to/filename.dmg -format UDTO -o /path/to/savefile.iso
List open TCP/UDP ports:
netstat -lnp TCP
netstat -lnp UDP
lsof -i -P
List contents of DMG/PKG files:
lsbom .pkg/Contents/Archive.com> |more
IPv6 and its Impact on Network Security and Investigations - High Tech Crime Investigation Association Conference
I'll be presenting an Introduction to IPv6 and its implications on network security and investigations on Monday September 17th at 3:30PM at the High Tech Crime Investigation Association Conference taking place at the Hershey Lodge in Hershey, PA.
My presentation can be found here:
I am working on a python script for IPv6 malicious packet handling. The script requires Scapy which can be downloaded from http://www.secdev.org/projects/scapy/
Be sure you are running at least Scapy (2.2.0-dev) The script was tested on Backtrack 5 R2
Currently the script performs the following tests:
1. Send HbH Header Flood
Test handling of a large number of HbH headers directed at a L3 device. Could DOS a router if there isn't proper policing of packets to the CPU.
2. Send RH0 Packets
Test for the filtering and/or handling of RH0 packets. RH0 packets have been deprecated and shouldn't be accepted.
3. Send Packets with two RH0 Headers
Tests the corner case of two RH0 headers; one after the other.
4. RA deamon killer
Some RA daemons will crash if you send RAs towards them with a spoofed source of themselves with a lifetime of zero
5. RA Flood
Send a flood of RAs with random prefixs. Will DOS Windows and possible other devices.
6. Hide Layer 4 Info for ACL Bypass
Test the handling of ACL and firewall rules with the layer 4 information "hidden" in the second fragment. Some firewalls will pass this since it doesn't find the layer 4 information in the first fragment.
You can download the current version of the script from github: ipv6-test.py
Properly configuring Sendmail can be a real pain. Especially when all you need is to simply get email off of a system and send to remote email addresses. For this, SSMTP may be the solution. For my setup I simply want to send email from my system through Gmail.
SSMTP can be downloaded from here:
or using yum in to install SSMTP:
yum install ssmtp
The configuration file is /etc/ssmtp/ssmtp.conf
Replace AuthUser and AuthPass with your Google Gmail username and password. The username should not have @gmail appended. Also change [email protected] to be the email address which should originate the email.
To make things easier I also setup a separate gmail account which just handles my outbound email from the system. If you use the same gmail account to send and then view the received email; it will never appear in the inbox.
The easiest solution is to create a separate gmail account to originate the email.
Personally, I am using SSMTP to send voicemail messages attached to an email from the Asterisk VoIP System. All I had to change in the Asterisk voicemail.conf file was the following:
My voicemail is then attached to an email as a wave file.
nmap --spoof-mac Apple --traceroute --data-length 9 \
-f -D 192.168.200.200,RND:5,ME -v \
-n -O -sS -sV -oA /home/pentest/192.168.1.1 \
--log-errors -append-output \
-p T:1-1024,1433,2222,2249,7778,8080,9999 \
--randomize-hosts 192.168.1.1 192.168.1.2 <target>
Append random data to sent packets for IDS evasion
fragment packets into 8 byte segments for IDS evasion
Stealth SYN Scan
Decoy IP Address. Uses these addresses to scan the target
Chooses 5 other random ip addresses and also generates scans from these
Place my scan at the 6 position after the 5 random which increases
the probability that I won't be logged
No DNS resolution
Change MAC address for scans
TCP scan only
-p ports :T
randomize the targets if there are more than 1
The above will output 3 files. One of the files will be an XML file.
Traditionally installing and uploading images on Cisco router has been done with TFTP. As the IOS images have grown larger and larger some TFTP servers have problems with supporting these large file sizes. Secure Copy - scp can be used in place of TFTP to interact with the IOS file system. This eliminates many of the problems related to TFTP with the added benefit of security. Below is an IOS config snippet for making this work:
! AAA authentication and authorization must be configured properly for SCP to work.
aaa authentication login default local
aaa authorization exec default local
! Set your login credentials as appropriate
username user privilege 15 password 0 securepass
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
At this point you can use any scp client to interact with the IOS filesystem. So for example on a Unix-like filesystem:
scp -2 ./c2800nm-adventerprisek9-mz.151-2.T1.bin \
The above will copy the image to the flash filesystem on router 10.1.1.1. The -2 option forces SCP to use version #2
I turned up a 6over4 tunnel to Hurricane Electric with the IPv6 traffic from the tunnel passing through a Cisco ASA firewall. The stability and performance of the HE tunnel have been fantastic. Here is how it is setup:
While the Cisco ASA doesn’t support direct termination of IPv6 tunnels, it does have very rich support for IPv6 firewalling. The approach would be to take another external router which would sit outside of the ASA firewall and use that for tunnel termination. From there, bring the IPv6 inside interface of the router terminating the tunnel and connect that to an ASA interface which only has an IPv6 address.
You will need at least one additional static IP address on your outside network in order for this to work. Many Cable ISPs will offer this if you sign up for business level services usually for a nominal additional fee. It may still work with a dynamic address if it doesn't change all that much.
When you signup with HE they will provide two /64 networks and a /48. The first /64 IPv6 network is for the actual tunnel going from your external tunnel router to the HE tunnel server. The second /64 is for the connection between the inside interface of your tunnel router and the ASA. The final /48 is for internal subnets behind the ASA firewall.
As far as software goes, the ASA should be running software 8.2 or higher while the external IOS router could be running a recent image of 12.4T or Release 15. In my case I am using an 1800 series router running release 15.1.3T Advanced Enterprise.
Cisco ASA Firewall Configuration:
interface Vlan6 description ipv6 to HE Tunnel
no ip address
ipv6 address 2001:DB8:2222::1/64
interface Vlan1 description Internal Protected
ip address 192.168.100.1 255.255.255.0
ipv6 address 2001:DB8:F1F1::1/64
ipv6 nd prefix 2001:DB8:F1F1::/64 43200 43200
!!! The above /64 is taken from the /48 network assigned to you by HE
interface Vlan2 description IPv4
Internet nameif outside
ip address 220.127.116.11 255.255.255.248
route outside 0.0.0.0 0.0.0.0 18.104.22.168
ipv6 route ipv6-tunnel ::/0 2001:DB8:2222::2
Outside Tunnel Router IOS Configuration:
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ip flow ingress
ipv6 address 2001:DB8:1111::2/64
tunnel source 22.214.171.124
tunnel mode ipv6ip
tunnel destination 126.96.36.199
ip address 188.8.131.52 255.255.255.248
ip access-group inbound in
no ip redirects
ip flow ingress
no ip address
ipv6 address 2001:DB8:1111:1/64
ipv6 route 2001:DB8:F1F1::/48 2001:DB8:2222::1
ipv6 route ::/0 Tunnel0
ip access-list extended inbound
permit 41 host 184.108.40.206 host 220.127.116.11
permit tcp any host 18.104.22.168 eq 22
permit udp any eq domain host 22.214.171.124
permit icmp any host 126.96.36.199