Henry's Points » Linux

iPod Touch Vulnerability after Jailbreak

hengdu — Sun, 31 Jan 2010 19:10:19 +0000

As you may know or may not know, there is a vulnerability for iPod Touch after jailbreak. The root password is hard-coded as “alpine”. If your iPod Touch connect to the hotspot network, people who is in the same subnet can do the following:

Nmap the whole subnet.

sudo nmap -A -O -T4 112.55.82.0/24

The scan result will be shown as follows.

Interesting ports on ******* (112.55.82.202):
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.2 (protocol 2.0)
62078/tcp open tcpwrapped
….
Running (JUST GUESSING) : Apple embedded (93%), Apple iPhone OS 1.X (89%)

Then, the most likely what the people want to do is:

ssh root@112.55.82.202
Password: alpine

Then, as you can guess, they want to do whatever they want.

John-Smiths-iPod:/ root# ls
Applications@ Library/ User@ boot/ dev/ lib/ private/ tmp@ var@
Developer/ System/ bin/ cores/ etc@ mnt/ sbin/ usr/

The solution is very simple: just to change root password after jailbreak. We can go to terminal application in the iPod.

Type su – to enter super user mode
Type passwd to enter the new password
Type again the new password
Type exit. We are done.

Good luck and Thanks,

Share on Facebook

ASA Simulation on Ubunut QEMU

hengdu — Sat, 30 Jan 2010 01:11:32 +0000

When I tried to find the Cisco ASA simulator by Linux keyword, there are few related results came out. Two popular ways are setting up on Windows QEMU and VMWare. People who are using Windows can refer to that.

However, I found one site that is really useful to install ASA image to QEMU on Linux. I followed the steps and make my own ASA environment. Please note that this solution is not user friendly like dynamips or dynagen. Select the two ways above maybe a good choice. So, let’s see how it works in my site.

We need QEMU first

sudo apt-get install qemu

We need asa802-k8.bin

???

We assume that we are working on $ASA_WORKSPACE. Under the directory, create an hexadecimal dump of image:

hexdump -C asa802-k8.bin > asa802-k8.hex

Search for the ZIP header. We can see that the ZIP file starts at offset 1228b0.

grep “1f 8b 08 00 1d” asa802-k8.hex
001228b0 1f 8b 08 00 1d 3d 73 46 00 03 ec 3a 6d 54 14 57 |…..=sF…:mT.W|

Find the image size.

ls -la asa802-k8.bin
-rw-r–r– 1 hengdu hengdu 14524416 2010-01-28 21:27 asa802-k8.bin

Now we need to find out where in the file we can start extracting the ZIP part.

echo “14524416 ; ibase=16 ; last – 1228B0″ | bc | tail -n 1
13334352

Extract the zipped part of the ASA image:

tail -c 13334352 asa802-k8.bin > asa802-k8.gz

Decompress it with gzip:

gzip -d asa802-k8
gzip: asa802-k8.gz: decompression OK, trailing garbage ignored

Make a tmp directory and extract the archive with cpio.

mkdir tmp
cd tmp
sudo cpio -i –no-absolute-filenames –make-directories < ../asa802-k8
cpio: Removing leading `/’ from member names
61039 blocks

Copy the Linux kernel to the upper directory:

cp vmlinuz ../asa802-k8.kernel

Make startup script file to ./asa/scripts/first_start.sh. I basically copy all script from the site. However, some part has to be modified in my environment.

#!/bin/sh

FIRST_START=no
if test ! -e /mnt/disk0/lina_monitor
then
fdisk /dev/hda << EOF
n
p
1
5
979
t
4
w
EOF
mkdosfs -F 16 /dev/hda1
mount -o umask=0000,noatime,check=s,shortname=mixed /dev/hda1 /mnt/disk0
cp /asa/bin/lina /mnt/disk0/lina
cp /asa/bin/lina_monitor /mnt/disk0/lina_monitor
FIRST_START=yes
fi
modprobe e100
modprobe e1000
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
ifconfig eth3 up
ifconfig eth4 up
ifconfig eth5 up
if test $FIRST_START = yes
then
echo “”
echo “”
echo “This is your first boot, please wait about 1 min and then type the following commands:”
echo “cd /mnt/disk0″
echo “/mnt/disk0/lina_monitor”
echo “”
echo “Please note to use the following command under ASA to save your configs:”
echo “copy run disk0:/.private/startup-config”
echo “”
exit
fi
cd /mnt/disk0
/mnt/disk0/lina_monitor

Chmod for the script

sudo chmod +x ./asa/scripts/first_start.sh

Now you can compress all the file and have the initrd ready to use in Qemu:

sudo find . | cpio -o -H newc | gzip -9 > ../asa802-k8.initrd.gz

At this point, the Linux kernel files are ready for QEMU to use.

Create a virtual hard disk

qemu-img create FLASH 256M
Formatting ‘FLASH’, fmt=raw size=268435456

Then start QEMU

qemu -hda FLASH -kernel asa802-k8.kernel -hdachs 980,16,32 \
-initrd asa802-k8.initrd.gz -m 512 -nographic -append \
“console=ttyS0,9600n8 hda=980,16,32 bigphysarea=16384 auto nousb ide1=noprobe”

After many lines output, you will see # prompt. Then, we start ASA.

/bin/lina

Finally, I saw the familiar prompt.

ciscoasa#

So far, I still have some issues to figure it out, such as interface setup and working with my dynamips router. Hopefully I will figure out later time. Please feel free to join my discussion.

Thanks,

Share on Facebook

NetMos 6-Port Serial Console in Fedora 10

hengdu — Thu, 21 Jan 2010 21:41:46 +0000

I recently bought a NetMos 6 ports serial console card. It is installed in my Fedora 10 computer. As you might guess, the Linux only recognize the first four serial device, which is ttyS[0-3]. The problem in here is, the Fedora has already recognized the serial console card driver, but it only keep the first four as default. How to expand those ports?

There are many solutions. After some study, I found the simple way to solve this problem. Edit /boot/grub/menu.lst, add one more option “8250.nr_uarts=8″ after kernel command.

kernel /vmlinuz-2.6.27.41-170.2.117.fc10.i686 ro root=/dev/VolGroup00/LogVol00 rhgb quiet 8250.nr_uarts=8

After reboot the system, we can verify if all the ports are supported.

[root@console ~]# ls -la /dev/ttyS[0-8]
crw-rw—- 1 root uucp 4, 64 2010-01-21 11:29 /dev/ttyS0
crw-rw—- 1 root uucp 4, 65 2010-01-21 11:29 /dev/ttyS1
crw-rw—- 1 root uucp 4, 66 2010-01-21 11:29 /dev/ttyS2
crw-rw—- 1 root uucp 4, 67 2010-01-21 11:29 /dev/ttyS3
crw-rw—- 1 root uucp 4, 68 2010-01-21 11:29 /dev/ttyS4
crw-rw—- 1 root uucp 4, 69 2010-01-21 11:29 /dev/ttyS5
crw-rw—- 1 root uucp 4, 70 2010-01-21 12:15 /dev/ttyS6
crw-rw—- 1 root uucp 4, 71 2010-01-21 11:29 /dev/ttyS7
crw-rw—- 1 root uucp 4, 72 2010-01-21 11:29 /dev/ttyS8

We can list PCI to see hardware information.

00:08.0 Serial controller: NetMos Technology PCI 9845 Multi-I/O Controller (rev 01) (prog-if 02 [16550])
Subsystem: LSI Logic / Symbios Logic 0P6S (6 port 16550a serial card)
Flags: medium devsel, IRQ 16
I/O ports at 8400 [size=8]
I/O ports at 8000 [size=8]
I/O ports at 7800 [size=8]
I/O ports at 7400 [size=8]
I/O ports at 7000 [size=8]
I/O ports at 6800 [size=16]
Kernel driver in use: serial
Kernel modules: parport_serial

We also can see serial port information. From that we can see that ttyS[1-3] is unknown port. The port ttyS[4-9] is actually my 6 serial ports.

[root@console ~]# setserial -g -G /dev/ttyS[0-9]
/dev/ttyS0 uart 16550A port 0x03f8 irq 4 baud_base 115200 spd_normal skip_test
/dev/ttyS1 uart unknown port 0x02f8 irq 3 baud_base 115200 spd_normal skip_test auto_irq
/dev/ttyS2 uart unknown port 0x03e8 irq 4 baud_base 115200 spd_normal skip_test auto_irq
/dev/ttyS3 uart unknown port 0x02e8 irq 3 baud_base 115200 spd_normal auto_irq
/dev/ttyS4 uart 16550A port 0×8400 irq 16 baud_base 115200 spd_normal skip_test
/dev/ttyS5 uart 16550A port 0×8000 irq 16 baud_base 115200 spd_normal skip_test
/dev/ttyS6 uart 16550A port 0×7800 irq 16 baud_base 115200 spd_normal skip_test
/dev/ttyS7 uart 16550A port 0×7400 irq 16 baud_base 115200 spd_normal skip_test
/dev/ttyS8 uart 16550A port 0×7000 irq 16 baud_base 115200 spd_normal skip_test
/dev/ttyS9 uart 16550A port 0×6800 irq 16 baud_base 115200 spd_normal skip_test

Finally, I am able to use minicom to access my devices.

Thanks

Share on Facebook

UFW Secures Ubuntu

hengdu — Wed, 20 Jan 2010 23:01:39 +0000

Due to my desktop will go to public, I mean public IP not NASDQ, I have to enable firewall. After googling, I find a default firewall for Ubuntu system – Uncomplicated Firewall (UFW).

Enable/Disable Firewall

sudo ufw enable
sudo ufw disable

Add rules to firewall

sudo ufw allow 22
sudo ufw delete allow 22
sudo ufw deny from 10.1.1.1/24 to any port 22
sudo ufw allow from 10.2.2.2/24 to any port 22

To see current rules

sudo ufw status verbose

For all port mapping, you can go to cat /etc/service.

Thanks

Share on Facebook

Install Nessus on Ubuntu 9.04

hengdu — Mon, 26 Oct 2009 21:57:28 +0000

In the Vulnerability Scanner world, many commercial products, including Retina, Qualyst and FoundStone, still, there are some open source that widely adopted. Nessus is one of them. The following are the list of Vulnerablility Scanners.

FoundStone (Macfee)
HarrisSTATGuardian (Harris)
ISS (IBM)
Nessus (Open Source)
OVAL
Qualys
Retina (eEye Digital Security)

For Nessus, since it’s open source, it’s easy to install on most of Linux distribution. In here, I use Ubuntu 9.04. You can check your distribution by

cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=9.04
DISTRIB_CODENAME=jaunty
DISTRIB_DESCRIPTION=”Ubuntu 9.04″

Then, we can just follow the steps below:

sudo apt-get install nessus (client)
sudo apt-get install nessusd (server)
sudo nessus-mkcert
sudo nessus-adduser
sudo /etc/init.d/nessusd restart
Go to menu Application->Internet->Nessus to open Nessus client.
After input the target(s), you can start scan.

Share on Facebook

Trac on Ubuntu

hengdu — Wed, 21 Oct 2009 18:48:14 +0000

I am looking for some platform can manage some projects and share some ideas. I have used Twiki which implemented by Perl and I have also used Tikiwiki which implemented by PHP. However, people recommended that Trac is good for development project. The benefits are as follows:

SVN to manage code check-in/check-out
Wiki page to have document for each changes and implementations.
Bug preview and bug tracking
More…

So, I followed the TracOnUbuntu to install. I still need time to figure out how to maintain the system.

Besides the link above, there are two things need to be considered.

sudo chmod -R +w /var/lib/trac/, otherwise, the web page will throw exceptions.
sudo htpasswd -c /etc/apache2/dav_svn.passwd username, otherwise, you can’t login to revise wiki page.

Share on Facebook

Shell Programming: test operators

hengdu — Tue, 20 Oct 2009 22:14:13 +0000

Shell programming can execute test command for strings, integers and files. It’s commonly used when process conditional commands by using if-then-else appraoch.

You can compare two strings to see whether they are equivalent or not. You also can test a single string to see whether it has a value or not.

The test command can perform comparaion for integers.

All the file test options return true only if the file exists.

Share on Facebook

Korn Shell Pattern Expressions

hengdu — Fri, 02 Oct 2009 20:40:02 +0000

A pattern expression is any word consisting of ordinary characters and one or more shell pattern-matching characters. The pattern-matching characters are the familiar *, ?, and [...], as well as any of these pattern-matching expressions.

Share on Facebook

Special Variables in the Bourne Shell

hengdu — Wed, 30 Sep 2009 16:51:12 +0000

The Bourne shell defines several special variables are useful in the scripts. Following are some of the predefined variables.

Share on Facebook

Sequence for login

hengdu — Wed, 23 Sep 2009 18:31:33 +0000

Quick post for the sequence for login Unix (Linux) shell, since we may not know some procedures in details.

The system is connected to a tty (user port)
The kernel invokes the getty program
A login prompt is displayed continuously monitoring the communication port for any type of input.
Control is passed on by invoking the program name found in the user’s entry in the password file.

Share on Facebook