Eikonal Blog

2012.11.02

Java keytool

Filed under: crypto, hashes, infosec, it, java — sandokan65 @ 10:45
  • Download the CA certificate from the proxy, convert it to PEM format, and import it into the JVM's default truststore (the default store password of cacerts is "changeit"; the path below is JRE-specific):

      /usr/java/default/bin/keytool -import -trustcacerts -file  -alias CA_ALIAS -keystore /usr/java/default/lib/security/cacerts -storepass changeit

More:

2012.05.04

Firewalls

Filed under: firewalls, infosec — sandokan65 @ 08:52

More on this blog: IpTables – https://eikonal.wordpress.com/2011/01/24/iptables/ | Personal Computer Security > Personal Firewalls – https://eikonal.wordpress.com/2011/02/28/personal-computer-security/ | Port Knocking – https://eikonal.wordpress.com/2010/10/05/port-knocking/

2012.04.27

Logon Banners

Filed under: infosec, security hardening, web security — sandokan65 @ 15:06
  • On Linux systems, put the pre-login banner text in the files /etc/banner, /etc/issue, and /etc/issue.net, and the after-login banner in /etc/motd.
  • For OpenSSH servers (e.g. on Linux systems), enable the banner (sent before authentication for SSH, SFTP and SCP sessions) by including the following uncommented line in /etc/ssh/sshd_config:
    Banner /etc/banner
  • TELNET:
    • On Linux, if Kerberized TELNET is used, edit /etc/xinetd.d/krb5-telnet to add the following line:
      banner = /etc/issue
    • Older versions of TELNET may use /etc/default/telnetd containing the block:
        BANNER="\\n\\nThis should be a telnet banner\\n\\n"
  • FTP:
    • If gssftp is used (on Linux), edit /etc/xinetd.d/gssftp to add the following line:
      banner = /etc/issue
    • If wu-ftpd is used (on Linux), edit /etc/ftpaccess to add the following line:
      banner = /etc/issue
    • FTP may use /etc/ftpd/banner.msg (or any file external to /etc/ftpd/ftpaccess) by specifying the following line in /etc/ftpd/ftpaccess:
      banner /etc/ftpd/banner.msg
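An added example (not code from the original post) for verifying the OpenSSH step above: sshd uses the first value it finds for each keyword, so a "Banner none" higher in the file silently overrides a later "Banner /etc/banner", a commented-out line does nothing, and a Banner inside a Match block only applies to that match. The configuration texts below are constructed samples.

```python
"""Check whether an sshd_config actually activates a login banner.

sshd takes the FIRST value found for a keyword, so ordering matters; the
global section ends at the first Match block."""
import re

# Constructed sample configurations (not from the post).
ACTIVE = "Port 22\n# Banner none\nBanner /etc/banner\n"
COMMENTED_OUT = "Port 22\n#Banner /etc/banner\n"
SHADOWED = "Banner none\nBanner /etc/banner\n"          # first value wins: none
ONLY_IN_MATCH = "Port 22\nMatch User alice\n    Banner /etc/banner\n"


def global_directive(config_text, keyword):
    """Return the first value given for `keyword` in the global section of an
    sshd_config (before any Match block), or None if it is never set there.

    Comments (#...) are stripped, 'Keyword value' and 'Keyword=value' forms
    are both accepted, and keywords are case-insensitive, as in sshd."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":            # end of the global section
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().strip('"')
    return None


def banner_is_active(config_text):
    """True when the global Banner directive points at a file, not 'none'."""
    value = global_directive(config_text, "Banner")
    return value is not None and value.lower() != "none"


if __name__ == "__main__":
    for name, cfg in [("ACTIVE", ACTIVE), ("COMMENTED_OUT", COMMENTED_OUT),
                      ("SHADOWED", SHADOWED), ("ONLY_IN_MATCH", ONLY_IN_MATCH)]:
        print(f"{name:14} banner active: {banner_is_active(cfg)}")
```

Run it against a real file with `banner_is_active(open("/etc/ssh/sshd_config").read())`; `sshd -T` prints the effective value and is the authoritative check where it is available.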

2012.02.14

OpenSSL

  • HTTPS server banner:

      openssl s_client -connect IPAddress:443

    After the connection is established, type "HEAD / HTTP/1.0" and press Enter.

    Alternative:

      echo -e "HEAD / HTTP/1.0\n\n" | openssl s_client -quiet -connect IPAddress:443

  • NNTPS server banner:

      openssl s_client -connect IPAddress:563

  • IMAPS server banner:

      openssl s_client -connect IPAddress:993

  • POP3S server banner:

      openssl s_client -connect IPAddress:995

  • Identifying SSL ciphers (the handshake succeeds only if the server accepts a cipher from the given class):

      openssl s_client -connect website:443 -cipher EXPORT40
      openssl s_client -connect website:443 -cipher NULL
      openssl s_client -connect website:443 -cipher HIGH

  • Generating a password hash for Unix (MD5-crypt, "$1$" format):

      openssl passwd -1 -salt QIGCa pippo

    output: $1$QIGCa$/ruJs8AvmrkmzKTzM2TYE.

  • Converting a PKCS#12-encoded (.p12 or .pfx) certificate to PEM format:

      openssl pkcs12 -in CertFile.p12 -out NewCertFile.pem -nodes -cacerts

  • Converting a DER-encoded certificate to PEM format:

      openssl x509 -in CertFile.crt -inform DER -out NewCertName.pem -outform PEM

  • Download a proxy's public certificate (the certificate the proxy presents in the TLS handshake, saved as PEM):

      openssl s_client -connect ProxyHostname:port </dev/null 2>/dev/null | openssl x509 -outform PEM > proxycert.pem

  • Create a key:

      openssl genrsa -des3 -out server.key 1024

  • Create a CSR (certificate signing request):

      openssl req -new -key server.key -out server.csr

  • Remove a password from a key:

      cp server.key server.key.org
      openssl rsa -in server.key.org -out server.key

  • Sign the CSR with its own key and create a self-signed certificate:

      openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
      cat server.crt server.key > certificate.pem

  • Encrypting a file:

      cat INFILE | openssl aes-256-ecb -salt -k PASSWORD > INFILE.ssl

  • Decrypting a file:

      cat INFILE.ssl | openssl aes-256-ecb -d -k PASSWORD > INFILE

2011.12.06

C|Net’s Download.Com trojans

Filed under: antimalware, antivirus, infosec — sandokan65 @ 09:29
  • “C|Net Download.Com is now bundling Nmap with malware!” by Fyodor (nmap-hackrs email list; 2011.12.05):

    From: nmap-hackers-bounces@insecure.org On Behalf Of Fyodor
    Sent: Monday, December 2011.12.05 17:36
    To: nmap-hackers@insecure.org
    Subject: C|Net Download.Com is now bundling Nmap with malware!
    
    Hi Folks.  I've just discovered that C|Net's Download.Com site has started wrapping their
    Nmap downloads (as well as other free software like VLC) in a trojan installer which does 
    things like installing a sketchy "StartNow" toolbar, changing the user's default search 
    engine to Microsoft Bing, and changing their home page to Microsoft's MSN.
    
    The way it works is that C|Net's download page (screenshot attached) offers what they 
    claim to be Nmap's Windows installer.  They even provide the correct file size for our 
    official installer.  But users actually get a Cnet-created trojan installer.  That program 
    does the dirty work before downloading and executing Nmap's real installer.
    
    Of course the problem is that users often just click through installer screens, trusting 
    that download.com gave them the real installer and knowing that the Nmap project wouldn't 
    put malicious code in our installer.  Then the next time the user opens their browser, 
    they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as 
    their home page, and whatever other shenanigans the software performs!  The worst thing is 
    that users will think we (Nmap Project) did this to them!
    
    I took and attached a screen shot of the C|Net trojan Nmap installer in action.  Note how 
    they use our registered "Nmap" trademark in big letters right above the malware "special 
    offer" as if we somehow endorsed or allowed this.  Of course they also violated our 
    trademark by claiming this download is an Nmap installer when we have nothing to do with 
    the proprietary trojan installer.
    
    In addition to the deception and trademark violation, and potential violation of the 
    Computer Fraud and Abuse Act, this clearly violates Nmap's copyright.  This is exactly why 
    Nmap isn't under the plain GPL.
    
    Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding 
    software which "integrates/includes/aggregates Nmap into a proprietary executable 
    installer" unless that software itself conforms to various GPL requirements (this 
    proprietary C|Net download.com software and the toolbar don't).  We've long known that 
    malicious parties might try to distribute a trojan Nmap installer, but we never thought it 
    would be C|Net's Download.com, which is owned by CBS!  And we never thought Microsoft 
    would be sponsoring this activity!
    
    It is worth noting that C|Net's exact schemes vary.  Here is a story about their 
    shenanigans:
    
    http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations
    
    It is interesting to compare the trojaned VLC screenshot in that article with the Nmap one 
    I've attached.  In that case, the user just clicks "Next step" to have their machine 
    infected.  And they wrote "SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar.  
    It is telling that they decided to remove that statement in their newer trojan installer.  
    In fact, if we UPX-unpack the Trojan CNet executable and send it to VirusTotal.com, it is 
    detected as malware by Panda, McAfee, F-Secure, etc:
    
    http://bit.ly/cnet-nmap-vt
    
    According to Download.com's own stats, hundreds of people download the trojan Nmap 
    installer every week!  So the first order of business is to notify the community so that 
    nobody else falls for this scheme.
    
    Please help spread the word.
    
    Of course the next step is to go after C|Net until they stop doing this for ALL of the 
    software they distribute.  So far, the most they have offered is:
    
      "If you would like to opt out of the Download.com Installer you can
       submit a request to cnet-installer@cbsinteractive.com. All opt-out
       requests are carefully reviewed on a case-by-case basis."
    
    In other words, "we'll violate your trademarks and copyright and squandering your goodwill 
    until you tell us to stop, and then we'll consider your request 'on a case-by-case basis' 
    depending on how much money we make from infecting your users and how scary your legal 
    threat is.
    
    [...]
    

  • “Does CNET Download.com’s new installer install malware?” (HighTechReality.com blog; 2011.08.30) – http://hightechreality.com/2011/08/cnet-downloadcoms-installer-install-malware/
  • “Download.com wraps downloads in bloatware, lies about motivations” by Lee Mathews (2011.08.22) – http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations
      There was a time long, long ago when Download.com was the place I went for software. It’s been years, however, as the site repeatedly showed signs of devolving into a site every bit as bothersome as the many third-tier software repositories that hide genuine links below clever-placed advertisements and bundle toolbars with their “certified” local downloads.
  • Download.com Caught Adding Malware to Nmap & Other Software – http://insecure.org/news/download-com-fiasco.html

Related: “SourceForge has lost its common sense” – https://eikonal.wordpress.com/2015/06/03/sourceforge-has-lost-its-common-sense/

2011.07.08

Auditing Unix Security

Misc

2011.06.20

Web applications

Mozilla Prism (aka WebRunner) & Chromeless

Embedded IE


Related here: HTML5 – https://eikonal.wordpress.com/2011/03/04/html5/ | Scripting user interfaces – https://eikonal.wordpress.com/2010/07/22/scripting-user-interfaces/

2011.05.20

Reputation management

Filed under: FaceBook, infosec, opression, privacy, surveillance, tracking — sandokan65 @ 14:32

2011.05.17

Infosec pages at this blog

Filed under: infosec, privacy — sandokan65 @ 11:38

Related content at this blog:

2011.05.12

Passwords related postings

Generating password hashes

  • Generating a Unix-style MD5-crypt hash: openssl passwd -1 -salt QIGCa pippo
    • produces: $1$QIGCa$/ruJs8AvmrknzKTzM2TYE.
  • Generating a password hash using the system's native crypt() function: perl -e 'print crypt("pippo", "\$1\$QIGCa"),"\n"'
    • produces: $1Su6NR9CFU/6
  • Using Python’s Passlib library (http://packages.python.org/passlib/):
    • Install Python (e.g. in Cygwin)
    • Install Passlib library following instructions at http://packages.python.org/passlib/install.html
    • start Python: python
    • Calculate the SHA-256-crypt hash of the word "password":

      >>> from passlib.hash import sha256_crypt
      >>> hash = sha256_crypt.encrypt("password")
      >>> hash
      '$5$rounds=80000$9GPMLb8EE.1QFrUk$Y0XQiZRKMhOrB2GcfCeWREG.x3jCfa5pbmxSO/hjCE3'
      >>> sha256_crypt.encrypt("password")
      '$5$rounds=80000$9fjOxTQNeyPhsCvp$XmyKju3TfWUEPXGPXMZ6sIPcv26Uok7NLPyZhx5g7R9'
      >>> sha256_crypt.encrypt("password", rounds=12345)
      '$5$rounds=12345$Kk9DTJPMRyxGFB3q$7tdzdJXq4YRu7ms6PGo7zTlOHVwYOQO1aUeUsZ3Mrl5'
      >>> sha256_crypt.verify("password", hash)
      True
      >>> sha256_crypt.verify("letmeinplz", hash)
      False
        

    • Generating BouncyCastle SHA1-512 hashes for use in Atlassian JIRA:

      >>> from passlib.hash import atlassian_pbkdf2_sha1
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}fU8ppRTCuJeS8n7PGYOQMhVqZ4hUidTIiWI4K8R8IBOXm/lYywaouSLtvlTeTr3V'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}+X+PMcYYAwBAKIWwFsJY639EipU1NXJfc1jKC5VYHZV7zoDI4zTEpKO4xZQoegg1'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}1Nq7N2YM4ZyTstZaSynlnGGh2rgAG+b7SB+9xreszUhrE39BnfwNg2RGm6tqvDg2'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}bu1dK0WotXYuBaB0bo2RslxMAp4JawLofUFw4S5fZdAtfsm3Ats6kO6j5NaHZCdt'
      >>> atlassian_pbkdf2_sha1.encrypt("password")
      '{PKCS5S2}z/mfc47xvjcm5Ny7dw7BeExB68Oc4XiTJvUS5HRAadKr4/Aomn1WOMMrMWtikUPK'
        

    • Supported hashing algorithms:
      • Archaic Unix Schemes:
        • passlib.hash.des_crypt – DES Crypt
        • passlib.hash.bsdi_crypt – BSDi Crypt
        • passlib.hash.bigcrypt – BigCrypt
        • passlib.hash.crypt16 – Crypt16
      • Standard Unix Schemes:
        • passlib.hash.md5_crypt – MD5 Crypt
        • passlib.hash.bcrypt – BCrypt
        • passlib.hash.sha1_crypt – SHA-1 Crypt
        • passlib.hash.sun_md5_crypt – Sun MD5 Crypt
        • passlib.hash.sha256_crypt – SHA-256 Crypt
        • passlib.hash.sha512_crypt – SHA-512 Crypt
      • Other Modular Crypt Schemes:
        • passlib.hash.apr_md5_crypt – Apache’s MD5-Crypt variant
        • passlib.hash.phpass – PHPass’ Portable Hash
        • passlib.hash.pbkdf2_digest – Generic PBKDF2 Hashes
        • passlib.hash.cta_pbkdf2_sha1 – Cryptacular’s PBKDF2 hash
        • passlib.hash.dlitz_pbkdf2_sha1 – Dwayne Litzenberger’s PBKDF2 hash
        • passlib.hash.scram – SCRAM Hash
        • passlib.hash.bsd_nthash – FreeBSD’s MCF-compatible nthash encoding
        • passlib.hash.unix_disabled – Unix Disabled Account Helper
      • Standard LDAP (RFC2307) Schemes:
        • passlib.hash.ldap_md5 – MD5 digest
        • passlib.hash.ldap_sha1 – SHA1 digest
        • passlib.hash.ldap_salted_md5 – salted MD5 digest
        • passlib.hash.ldap_salted_sha1 – salted SHA1 digest
        • passlib.hash.ldap_crypt – LDAP crypt() Wrappers
        • passlib.hash.ldap_plaintext – LDAP-Aware Plaintext Handler
      • Non-Standard LDAP Schemes:
        • passlib.hash.ldap_hex_md5 – Hex-encoded MD5 Digest
        • passlib.hash.ldap_hex_sha1 – Hex-encoded SHA1 Digest
        • passlib.hash.ldap_pbkdf2_digest – Generic PBKDF2 Hashes
        • passlib.hash.atlassian_pbkdf2_sha1 – Atlassian’s PBKDF2-based Hash
        • passlib.hash.fshp – Fairly Secure Hashed Password
        • passlib.hash.roundup_plaintext – Roundup-specific LDAP Plaintext Handler
      • SQL Database Hashes:
        • passlib.hash.mssql2000 – MS SQL 2000 password hash
        • passlib.hash.mssql2005 – MS SQL 2005 password hash
        • passlib.hash.mysql323 – MySQL 3.2.3 password hash
        • passlib.hash.mysql41 – MySQL 4.1 password hash
        • passlib.hash.postgres_md5 – PostgreSQL MD5 password hash
        • passlib.hash.oracle10 – Oracle 10g password hash
        • passlib.hash.oracle11 – Oracle 11g password hash
      • MS Windows Hashes:
        • passlib.hash.lmhash – LanManager Hash
        • passlib.hash.nthash – Windows’ NT-HASH
        • passlib.hash.msdcc – Windows’ Domain Cached Credentials
        • passlib.hash.msdcc2 – Windows’ Domain Cached Credentials v2
      • Other Hashes:
        • passlib.hash.cisco_pix – Cisco PIX hash
        • passlib.hash.cisco_type7 – Cisco “Type 7” hash
        • passlib.hash.django_digest – Django-specific Hashes
        • passlib.hash.grub_pbkdf2_sha512 – Grub’s PBKDF2 Hash
        • passlib.hash.hex_digest – Generic Hexadecimal Digests
        • passlib.hash.plaintext – Plaintext
      • Cisco “Type 5” hashes
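An added example (not from the original post) that parses the password-hash strings shown above and applies a simple storage policy to them: modular crypt format ("$1$salt$digest", "$5$rounds=N$salt$digest"), the 13-character traditional DES crypt, and Atlassian's "{PKCS5S2}" prefix. The 13-character string from the perl one-liner above is what crypt(3) returns when it does not recognise the "$1$" prefix: a DES-crypt hash whose two-character salt is "$1". The round threshold is a policy assumption chosen for this example, and newer Passlib releases (1.7 onwards) call the `encrypt()` method used above `hash()`; the sample hashes are the ones printed in the post.

```python
"""Parse stored password hashes and flag legacy schemes or low work factors."""
import re

# Sample inputs: the hash strings quoted in the post.
SAMPLES = {
    "openssl_md5": "$1$QIGCa$/ruJs8AvmrkmzKTzM2TYE.",
    "passlib_default": "$5$rounds=80000$9GPMLb8EE.1QFrUk$Y0XQiZRKMhOrB2GcfCeWREG.x3jCfa5pbmxSO/hjCE3",
    "passlib_low": "$5$rounds=12345$Kk9DTJPMRyxGFB3q$7tdzdJXq4YRu7ms6PGo7zTlOHVwYOQO1aUeUsZ3Mrl5",
    "perl_crypt": "$1Su6NR9CFU/6",
    "jira": "{PKCS5S2}fU8ppRTCuJeS8n7PGYOQMhVqZ4hUidTIiWI4K8R8IBOXm/lYywaouSLtvlTeTr3V",
}

# Scheme identifiers and the iteration count used when none is encoded.
SCHEMES = {
    "1": ("md5_crypt", 1000),      # md5-crypt always runs 1000 iterations
    "5": ("sha256_crypt", 5000),   # sha-crypt default when rounds= is absent
    "6": ("sha512_crypt", 5000),
}
MIN_SHA_ROUNDS = 80000   # policy assumption for this example (Passlib's default above)
LEGACY = {"des_crypt", "md5_crypt"}


def parse_hash(h):
    """Split a stored password hash into scheme, rounds, salt and digest."""
    if h.startswith("{PKCS5S2}"):
        # Atlassian PBKDF2-HMAC-SHA1 (10000 rounds per Passlib's docs);
        # salt and digest are packed together inside the base64 blob.
        return {"scheme": "atlassian_pbkdf2_sha1", "rounds": 10000,
                "salt": None, "digest": h[len("{PKCS5S2}"):]}
    m = re.fullmatch(r"\$(?P<id>[^$]+)\$(?P<rest>.+)", h)
    if m and m.group("id") in SCHEMES:
        scheme, rounds = SCHEMES[m.group("id")]
        fields = m.group("rest").split("$")
        if fields[0].startswith("rounds="):
            rounds = int(fields.pop(0)[len("rounds="):])
        if len(fields) != 2:
            raise ValueError(f"malformed {scheme} hash: {h!r}")
        return {"scheme": scheme, "rounds": rounds, "salt": fields[0], "digest": fields[1]}
    # 13 characters with no recognised $id$ prefix: traditional DES crypt,
    # a 2-character salt followed by 11 hash characters (25 DES iterations).
    if re.fullmatch(r".{2}[./0-9A-Za-z]{11}", h):
        return {"scheme": "des_crypt", "rounds": 25, "salt": h[:2], "digest": h[2:]}
    raise ValueError(f"unrecognised hash format: {h!r}")


def assess(h):
    """Return a list of policy findings (empty when the hash is acceptable)."""
    info = parse_hash(h)
    findings = []
    if info["scheme"] in LEGACY:
        findings.append(f"{info['scheme']} is a legacy scheme")
    if info["scheme"] in ("sha256_crypt", "sha512_crypt") and info["rounds"] < MIN_SHA_ROUNDS:
        findings.append(f"{info['scheme']} rounds={info['rounds']} below {MIN_SHA_ROUNDS}")
    return findings


if __name__ == "__main__":
    for name, h in SAMPLES.items():
        print(f"{name:16} {parse_hash(h)['scheme']:22} {assess(h) or 'ok'}")
```

Feeding the hash field of /etc/shadow through `assess()` gives a quick inventory of accounts still stored with MD5-crypt or with a low sha-crypt round count.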

Passphrase Hashes

Articles


Passwords related postings at this blog:

2011.05.03

2011.05.02

Antimalware for Unix

Filed under: antimalware, antispyware, antivirus, infosec, unix — sandokan65 @ 14:33

2011.04.25

Steganography

Filed under: crypto, infosec, privacy, tools — sandokan65 @ 14:45
  • “New Tool Hides Data In Plain Sight On HDDs” (SlashDot; 2011.04.25) – http://it.slashdot.org/story/11/04/25/1558237/New-Tool-Hides-Data-In-Plain-Sight-On-HDDs
      “A group of researchers has developed a new application that can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present. The new steganography system relies on the old principle of hiding valuables in plain sight. Developed by a group of academic researchers in the US and Pakistan, the system can be used to embed secret data in existing structures on a given HDD by taking advantage of the way file systems are designed and implemented. The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive.”

2011.04.08

Geolocation

  • “SimpleGeo Makes Location Data Free, Complicates Smartphone Tracking Worries” by Kit Eaton (Fast Company; 2011.04.22) – http://www.fastcompany.com/1749262/simplegeo-makes-location-data-free-complicates-smartphone-tracking-worries
  • “Involuntary Geolocation To Within One Kilometer” (SlashDot; 2011.04.08) – http://yro.slashdot.org/story/11/04/08/1245244/Involuntary-Geolocation-To-Within-One-Kilometer
      Schneier’s blog tips an article about research into geolocation that can track down a computer’s location from its IP address to within 690 meters on average without voluntary disclosure from the target. Quoting: “The first stage measures the time it takes to send a data packet to the target and converts it into a distance – a common geolocation technique that narrows the target’s possible location to a radius of around 200 kilometers. Wang and colleagues then send data packets to the known Google Maps landmark servers in this large area to find which routers they pass through. When a landmark machine and the target computer have shared a router, the researchers can compare how long a packet takes to reach each machine from the router; converted into an estimate of distance, this time difference narrows the search down further. ‘We shrink the size of the area where the target potentially is,’ explains Wang. Finally, they repeat the landmark search at this more fine-grained level: comparing delay times once more, they establish which landmark server is closest to the target.”
  • “Internet probe can track you down to within 690 metres” by Jacob Aron (NewScientist; 2011.04.05) – http://www.newscientist.com/article/dn20336-internet-probe-can-track-you-down-to-within-690-metres.html
      Online adverts could soon start stalking you. A new way of working out where you are by looking at your internet connection could pin down your current location to within a few hundred metres.
  • “Pinpointing a Computer to Within 690 Meters” by Bruce Schneier (2011.04.08) – http://www.schneier.com/blog/archives/2011/04/pinpointing_a_c.html

Related here:

2011.04.04

lastlog

2011.03.11

PAM (Pluggable Authentication Modules)

Filed under: infosec, unix — sandokan65 @ 16:14

Articles

Roles of PAM files

  • /etc/pam.conf – the all-in-one configuration file of early PAM versions. It may still be used in some modern versions.
  • /etc/pam.d/ – directory containing one configuration file for each separately configured program
  • /etc/pam.d/other – the default config file applied to every program that does not have its own separate PAM config file
  • /etc/pam.d/login
  • /etc/pam.d/system-auth
  • /etc/pam.d/sshd
  • /etc/pam.d/su
  • /etc/pam.d/gdm – the GNOME Display Manager PAM file.
    • Example (from http://ubuntuforums.org/showthread.php?t=1506759):
      #%PAM-1.0
      auth    requisite       pam_nologin.so
      auth    required        pam_env.so readenv=1
      auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
      auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
      @include common-auth
      auth    optional        pam_gnome_keyring.so
      @include common-account
      session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
      session required        pam_limits.so
      @include common-session
      session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
      session optional        pam_gnome_keyring.so auto_start
      @include common-password
      

Syntax of config files

Each line has format:

    module-type   control-flag   module-path   arguments

PAM modules

  • pam_deny.so module – always returns failure; used to deny by default (e.g. in /etc/pam.d/other or at the end of a stack)
  • pam_permit.so module – always returns success; placed above a real check it bypasses that check
  • pam_warn.so module – used to interface to syslog (logs the service, user, host and terminal of the request)
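An added example (not code from the original post or from Linux-PAM) that parses pam.d files in the "module-type control-flag module-path arguments" format described above, including the bracketed "[value=action ...]" control flags and Debian's "@include" directive, and runs one audit over the gdm file quoted above: which "sufficient" auth modules can grant access before the shared auth stack is consulted (in the sample, pam_succeed_if.so for members of the nopasswdlogin group). The sample text is the post's gdm example.

```python
"""Parse pam.d configuration files and audit the auth stack ordering."""
import re

# Sample input: the /etc/pam.d/gdm example quoted in the post.
GDM_SAMPLE = """\
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required        pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional        pam_gnome_keyring.so auto_start
@include common-password
"""

# optional '-' (silent if module missing), type, control (keyword or [...]), path, args
LINE_RE = re.compile(r"^(-?)(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def _logical_lines(text):
    """Yield lines with comments removed and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line


def parse_pam_line(line):
    """Parse one logical pam.d line into a dict.

    The control flag is a string for the classic keywords and a dict for the
    [value=action ...] form.  Debian's '@include file' directive becomes
    {'type': '@include', 'file': file}."""
    if line.startswith("@include"):
        return {"type": "@include", "file": line.split(None, 1)[1].strip()}
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse pam line: {line!r}")
    silent, mtype, control, path, args = m.groups()
    if control.startswith("["):
        control = dict(tok.split("=", 1) for tok in control[1:-1].split())
    return {"type": mtype, "silent": silent == "-", "control": control,
            "module": path, "args": args.split()}


def parse_pam_config(text):
    return [parse_pam_line(line) for line in _logical_lines(text)]


def sufficient_auth_before_include(entries, include="common-auth"):
    """Auth modules marked 'sufficient' that appear before the shared auth
    stack is included, i.e. that can authenticate a user on their own."""
    found = []
    for e in entries:
        if e["type"] == "@include" and e["file"] == include:
            break
        if e["type"] == "auth" and e.get("control") == "sufficient":
            found.append(e["module"])
    return found


if __name__ == "__main__":
    entries = parse_pam_config(GDM_SAMPLE)
    print(len(entries), "entries")
    print("sufficient before common-auth:", sufficient_auth_before_include(entries))
```

The audit deliberately stops at the include, since anything after it runs only when the shared stack has not already decided; extend it to /etc/pam.d/other and the service files of remotely reachable daemons (sshd, login) first.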

2011.03.09

Privacy articles

  • Report: “Dispelling the Myths Surrounding De-identification” (Anonymization can still work) by Lauren Weinstein (Lauren Buzz; 2011.06.16) – http://bit.ly/lbH5PE by Information and Privacy Commissioner of Canada [PDF]
      “Recently, the value of de-identification of personal information as a tool to protect privacy has come into question. Repeated claims have been made regarding the ease of re-identification. We consider this to be most unfortunate because it leaves the mistaken impression that there is no point in attempting to de-identify personal information, especially in cases where de-identified information would be sufficient for subsequent use, as in the case of health research. The goal of this paper is to dispel this myth – the fear of re-identification is greatly overblown. As long as proper de-identification techniques, combined with re-identification risk measurement procedures, are used, de-identification remains a crucial tool in the protection of privacy.”
  • AOL search data scandal (WikiPedia) – http://en.wikipedia.org/wiki/AOL_search_data_scandal
  • “What They Know” series of articles (The Wall Street Journal) – http://online.wsj.com/public/page/what-they-know-digital-privacy.html
  • “The privacy covenant is an illusion: How to regain control” by Chad Perrin (Tech Republic; 2011.04.18) – http://www.techrepublic.com/blog/security/the-privacy-covenant-is-an-illusion-how-to-regain-control/5351?tag=nl.e036

Related pages here: Privacy and digital liberties – https://eikonal.wordpress.com/2010/11/01/privacy-and-digital-liberties/ | Personal computer security – https://eikonal.wordpress.com/2011/02/28/personal-computer-security/ | Online privacy tools – https://eikonal.wordpress.com/2010/12/25/online-privacy-tools/ | Unending stream of Facebook privacy news – https://eikonal.wordpress.com/2010/11/22/unending-stream-of-facebook-privacy-news/ | TSA folies – https://eikonal.wordpress.com/2010/11/16/tsa-folies/

2011.03.02

Skype went malware ways

Filed under: antimalware, infosec — sandokan65 @ 12:22

Recently Skype started peddling its new versions in a forceful way: it downloads the update to the user's PC and then throws a large update notification window to the desktop forefront. It is not possible to disable this behaviour. It is so annoying that I will probably switch to some alternative provider of online VoIP.

2011.02.28

Code analysis, Debugging and reverse engineering / Code security

Tools

More

Forensics
