Rants of a madman » tech

Category: ‘tech’

Aug
13

I've been hearing a lot of “Splunk this” and “Splunk that” from a colleague of mine, so I finally decided to check it out myself. Though it is a neat tool that makes syslog log analysis easier, it does come at a price in more than one way.

First off, it's extremely expensive. Second, you sign away your soul in their EULA.

Here are a few things I find horrific (copied and pasted from their EULA, emphasis added by me):

“You agree not to (i) use the Software except as expressly authorized in this Agreement and your Order Confirmation;”

Right, so if it's not expressly authorized in the agreement to, say, have Splunk analyze your calendar instead of a log, you're in violation? “Don't be creative” is the message. Don't worry, it gets worse:

“[You agree not to] (vi) disclose to any third party the results of any benchmark tests or other evaluation of the Software,..”

You are not allowed to publish a benchmark!?? How f*cking DARE they?? Even worse, you're not allowed to tell ANYBODY what you think of (or how you “evaluate”) the software. Microsoft had the same benchmark clause many, many years ago for their SQL Server product, but grew up.

“At Splunk’s written request, you will furnish Splunk with a certification signed by an officer of your company verifying that the Software is being used in accordance with the terms and conditions of this Agreement and the applicable Order Confirmations.”

A bit excessive, but all well and good. If they ask whether you're cheating, you should at least give them the guarantee that you're not. But hold your horses:

“Upon at least ten (10) days prior written notice, Splunk may audit your use” …. “Any such audit will be conducted during regular business hours at your facilities. You will provide Splunk with access to the relevant records and facilities”

Riiight. So, all Gestapo-like, they'll show up at your door demanding access to “records and facilities”. And according to the agreement, you MUST find time for them, and they don't have to pay for all the time they waste. This is very extreme and not something you'd expect to be possible anywhere in the Western world, but here it is.

“You agree that Splunk may identify you as a Splunk customer on Splunk websites, client lists, press releases, and/or other marketing. You also agrees that Splunk may publish a brief description highlighting your deployment of the Software.”

Lastly, once you give them all your money for their tool, they can use your name, for free, in commercials and on their website.

They can even tell the world the exact details of your installation. So there is no confidentiality agreement there. And if you're running a sensitive facility, like a bank, or, like me, internet payments (adhering to the PCI standard), you may actually be prohibited from disclosing details of your setup publicly.

So you cannot agree to this (piece of garbage) EULA.

Shame on you, Splunk! This is the WORST EULA I've EVER read, and I've read a few in my lifetime. Any Linux/Unix/Freedom lover should reject this promptly! And if you've already bought Splunk, write to them demanding an explanation for these digital-rights atrocities (even better: ask for your money back, or sue them ;)).



  - Dan
May
12

The Problem

When I first discovered this, my world shattered for a couple of hours. I've been working with Unix and Linux for more than 15 years, and my brain was firmly wired with the notion that “a file owned by root cannot be touched by any other user” (unless, of course, the user is given explicit permission to do so via chmod 777 or the like).

So when I discovered that a file owned by root, with nothing but read permissions, had been deleted by an FTP user, I started hunting for exploits in the FTP daemon. In this case it was vsftpd.

I quickly saw in the source code of vsftpd that all it did was leave the permission decision up to the filesystem/Linux kernel. So I started googling. Apparently I wasn't the only one with this issue, and I found posts relating to ProFTPD as well. And the answer was almost always “that's just the way it is, get used to it”, without the actual explanation.

So is this an FTP server issue? A lot of answers I found on the net would suggest so. But that is not true. And it's not even a bug.

Here's a test that may surprise a lot of people (it sure surprised me):

As root:

# touch /home/user/testfile
# chmod 000 /home/user/testfile
# exit

(back as the normal user)

$ rm /home/user/testfile
rm: remove write-protected regular empty file `testfile'? y
$ ls /home/user/testfile
ls: /home/user/testfile: No such file or directory

The file is successfully deleted. Whoa... brain freeze!

Let me explain in detail and then give you a “fix”.

Read the rest of this entry »
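The rule behind this, for the record: unlink() needs write and search (execute) permission on the directory that holds the entry; the file's own mode bits are never consulted. Below is an added example (my code, not the post's) with three parts: a small model of the kernel's delete check for an unprivileged caller, a live test you can run as a normal user, and the usual fix for a shared writable directory, the sticky bit. It assumes a Linux/Unix host; the paths are throwaway temp directories, and a root caller bypasses the mode bits entirely (CAP_DAC_OVERRIDE).

```python
import os
import stat
import tempfile

# Added example, not from the original post. What it demonstrates: unlink()
# never consults the file's own mode bits. It checks the directory (write +
# search permission) and, if the directory has the sticky bit, who owns the
# file or the directory. Everything below runs as an unprivileged user.


def unlink_permitted(dir_mode, dir_uid, file_uid, uid):
    """Simplified model of the kernel's delete check for an unprivileged
    caller (owner/other bits only, no group lookup, no capabilities).
    Note what is missing from the parameter list: the file's mode."""
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if dir_mode & need != need:
        return False                       # no write+search on the directory
    if dir_mode & stat.S_ISVTX:            # sticky: /tmp-style restricted deletion
        return uid in (file_uid, dir_uid)
    return True


def try_unlink(dir_mode, file_mode):
    """Live check as the current user: create <tmp>/shared/testfile with
    FILE_MODE inside a directory with DIR_MODE and report whether unlink()
    succeeds. Run as root it always succeeds (CAP_DAC_OVERRIDE)."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "shared")
    path = os.path.join(shared, "testfile")
    os.mkdir(shared)
    open(path, "w").close()
    os.chmod(path, file_mode)
    os.chmod(shared, dir_mode)
    try:
        os.unlink(path)
        return True
    except PermissionError:
        return False
    finally:
        os.chmod(shared, 0o700)            # make cleanup possible again
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(shared)
        os.rmdir(base)


def make_sticky(directory=None):
    """The usual fix for a directory that must stay writable by several users
    (what /tmp does): set the sticky bit, so only a file's owner, the
    directory's owner or root may delete or rename entries in it. Returns the
    new mode. With no argument a temporary directory is used and removed."""
    own = directory is None
    if own:
        directory = tempfile.mkdtemp()
    os.chmod(directory, 0o1777)
    mode = stat.S_IMODE(os.stat(directory).st_mode)
    if own:
        os.rmdir(directory)
    return mode


def running_as_root():
    return os.geteuid() == 0


if __name__ == "__main__":
    print("mode 000 file in a writable dir, deleted:", try_unlink(0o700, 0o000))
    print("mode 644 file in a read-only dir, deleted:", try_unlink(0o500, 0o644))
    print("sticky dir, someone else's file, allowed:",
          unlink_permitted(0o1777, dir_uid=0, file_uid=0, uid=1000))
    print("sticky bit set, mode is now: %o" % make_sticky())
```

For the FTP case from the post this means: the upload directory is writable by the FTP user, so every entry in it is deletable by that user regardless of owner. Either take write permission off the directory, or keep it writable and set the sticky bit (chmod +t), after which the user can only delete files they own.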



  - Dan
Apr
25

If you've ever tried to crack passwords from a new Ubuntu or other recent Linux distributions, you may have noticed that John the Ripper cannot crack the hashes starting with $5$ or $6$.
I had 2 passwords I needed to check. The passwords came from /etc/shadow on a newer Ubuntu version, and I didn't even notice that the hashes started with $6$ instead of the usual $1$. After searching and reading for a while, I found out that this is simply the newest generation of password hashes for Linux. The “normal” hash ($1$) is MD5-based. The new ones are $5$ and $6$ and are based on SHA-256 and SHA-512 respectively.
The implementation of SHA passwords in Linux was done by Ulrich Drepper at Red Hat, and his original paper can be found here.

Well... long story short: I needed to check/crack some passwords, and there was no cracker out there for SHA passwords. At the time of writing, not even good old “John the Ripper” has support for these.

So I coded my own brute-force cracker. It's written in Perl, and it simply uses the operating system's crypt() function. So if you have a system that supports SHA passwords, so will my tool. Hence I've named it “cryptcracker”. It should support any type of hash supported by crypt(), thus (hopefully) not needing a rewrite when new algorithms emerge. The downside is that the crypt() function may be slower than a version optimized for cracking. But since there isn't such an optimized version out there (and who knows if there ever will be one), this is not an issue at the moment :).

The SHA algorithms are made slower on purpose (the hash is iterated 5,000 times by default), making them harder to crack. Cryptcracker can test ~45 passwords per second per CPU core on my 2.53 GHz laptop. I've made cryptcracker multithreaded, meaning I can utilize both cores on my laptop and run a whopping ~90 passwords per second. If you have more than 4 cores, remember to use the “-t” option to set the number of threads higher than the default of 4.

I share it here in the hope that someone will find it useful.

Download cryptcracker here.

-
Note: cryptcracker reads the passwords from STDIN.

Examples:

$ cat password.lst | ./cryptcrack.pl -f shadow

or how about using John's -rules option?

$ john -stdout -rules -w:password.lst | ./cryptcrack.pl -f shadow

Remember that found passwords are only shown on screen unless you specifically give an “-o outfilename” option.

Here's an example output of a successful crack:

$ cat password.lst | ./cryptcrack.pl -f shadow -o my_found_passwords
Read 1 hashes from file
Spawning 4 threads
90.911 keys per second.
92.251 keys per second.
92.111 keys per second.
92.401 keys per second.
88.791 keys per second.
FOUND: jamesdick ($6$/2CahJnQ$4cl6vYMRg/ytkZsfBDrBEORmneK45hqDC77KAdkW/NgPumKHwL04SXUequNzktFSEwHcdpLOF.gOSHfLyJvlo.)

Cracked passwords:
—————
jamesdick ($6$/2CahJnQ$4cl6vYMRg/ytkZsfBDrBEORmneK45hqDC77KAdkW/NgPumKHwL04SXUequNzktFSEwHcdpLOF.gOSHfLyJvlo.)
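For readers who want to see what crypt() actually does for a $5$/$6$ hash, here is an added example (my code, not the post's cryptcracker): a pure-Python SHA-crypt implementation following Drepper's specification, checked against the “Hello world!” test vectors published with it, with a small dictionary cracker on top that parses shadow lines and reuses the salt and rounds embedded in each hash. It only needs hashlib, so it works even where crypt(3) lacks SHA support. All function and variable names are mine; the sample shadow file is constructed, with hashes computed by this code (one of them under the $6$/2CahJnQ salt from the output above).

```python
import hashlib

# Added example; not the post's cryptcracker. Implements the $5$/$6$ scheme from
# Ulrich Drepper's SHA-crypt specification directly on hashlib (no crypt(3)
# needed) and puts a small dictionary cracker on top of it.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS, MIN_ROUNDS, MAX_ROUNDS, MAX_SALT = 5000, 1000, 999999999, 16
_HASH = {"5": hashlib.sha256, "6": hashlib.sha512}
# Digest bytes are packed into 24-bit groups in this order (from the spec) and
# emitted 6 bits at a time; None is a zero byte, so the last group is shorter.
_ORDER = {
    "5": [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14), (15, 25, 5),
          (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29), (None, 31, 30)],
    "6": [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4), (47, 5, 26),
          (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51), (31, 52, 10), (53, 11, 32),
          (12, 33, 54), (34, 55, 13), (56, 14, 35), (15, 36, 57), (37, 58, 16),
          (59, 17, 38), (18, 39, 60), (40, 61, 19), (62, 20, 41), (None, None, 63)],
}


def _encode(digest, order):
    out = []
    for b2, b1, b0 in order:
        w = ((digest[b2] if b2 is not None else 0) << 16
             | (digest[b1] if b1 is not None else 0) << 8 | digest[b0])
        for _ in range(4 - (b2 is None) - (b1 is None)):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    return "".join(out)


def parse_setting(setting):
    """'$6$[rounds=N$]salt[$hash]' -> (id, rounds, salt, rounds_were_explicit)."""
    parts = setting.split("$")
    if len(parts) < 3 or parts[0] != "" or parts[1] not in _HASH:
        raise ValueError("not a SHA-crypt hash: %r" % setting)
    ident, rest = parts[1], parts[2:]
    rounds, explicit = DEFAULT_ROUNDS, False
    if rest[0].startswith("rounds="):
        rounds = min(max(int(rest[0][7:]), MIN_ROUNDS), MAX_ROUNDS)  # clamped, as in the spec
        explicit, rest = True, rest[1:]
        if not rest:
            raise ValueError("missing salt: %r" % setting)
    return ident, rounds, rest[0][:MAX_SALT], explicit


def sha_crypt(password, setting):
    """Full '$5$...'/'$6$...' string for PASSWORD under SETTING (salt and rounds)."""
    ident, rounds, salt, explicit = parse_setting(setting)
    H = _HASH[ident]
    pw, sl, dlen = password.encode("utf-8"), salt.encode("utf-8"), H().digest_size
    B = H(pw + sl + pw).digest()           # the "alternate sum"
    A = H(pw + sl)
    n = len(pw)
    while n > dlen:                        # one byte of B per password byte
        A.update(B)
        n -= dlen
    A.update(B[:n])
    n = len(pw)
    while n:                               # bits of len(pw): 1 -> B, 0 -> password
        A.update(B if n & 1 else pw)
        n >>= 1
    A = A.digest()
    # P and S: password- and salt-derived byte strings of the same lengths
    P = (H(pw * len(pw)).digest() * (len(pw) // dlen + 1))[:len(pw)]
    S = (H(sl * (16 + A[0])).digest() * (len(sl) // dlen + 1))[:len(sl)]
    # The cost loop: 5000 chained digests per guess by default. This is the
    # "made slower on purpose" part and why the post's tool sees ~45 guesses/s.
    for i in range(rounds):
        C = H(P if i & 1 else A)
        if i % 3:
            C.update(S)
        if i % 7:
            C.update(P)
        C.update(A if i & 1 else P)
        A = C.digest()
    prefix = "$%s$%s%s$" % (ident, "rounds=%d$" % rounds if explicit else "", salt)
    return prefix + _encode(A, _ORDER[ident])


def parse_shadow(text):
    """(user, hash) for every /etc/shadow line that carries a $5$ or $6$ hash."""
    rows = [line.split(":") for line in text.splitlines()]
    return [(f[0], f[1]) for f in rows if len(f) > 1 and f[1][:3] in ("$5$", "$6$")]


def crack(hashed, wordlist):
    """First word that reproduces HASHED, else None. Hashing the guess under the
    full hash string reuses its salt and rounds, exactly as crypt(3) would."""
    return next((w for w in wordlist if sha_crypt(w, hashed) == hashed), None)


def crack_shadow(shadow_text, wordlist):
    """{user: password} for every entry that some word in WORDLIST reproduces."""
    found = {}
    for user, hashed in parse_shadow(shadow_text):
        word = crack(hashed, wordlist)
        if word is not None:
            found[user] = word
    return found


# Constructed sample shadow file (not a real one); hashes are computed here by
# this code: "dan" under the $6$/2CahJnQ salt seen in the post's output, "web"
# under a $5$ hash with an explicit (minimum) rounds count.
SAMPLE_SHADOW = "\n".join([
    "root:*:18000:0:99999:7:::",
    "dan:%s:18000:0:99999:7:::" % sha_crypt("jamesdick", "$6$/2CahJnQ"),
    "web:%s:18000:0:99999:7:::" % sha_crypt("letmein", "$5$rounds=1000$abcdefgh"),
])

if __name__ == "__main__":
    import sys
    words = sys.argv[1:] or ["password", "letmein", "jamesdick"]
    for user, word in crack_shadow(SAMPLE_SHADOW, words).items():
        print("FOUND: %s %s" % (user, word))
```

Two things worth noticing in the code: the salt and the rounds count are taken from the hash being attacked, never from the guess, and the rounds value is clamped to the specification's bounds before use, so a crafted “rounds=1$” entry cannot be made cheaper than 1000 iterations. The cost loop is also why a pure-Python cracker is no faster than the post's crypt()-based Perl one; the algorithm, not the language binding, sets the speed.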



  - Dan
Aug
27

I have an encrypted home dir, which is automatically decrypted upon login (Linux, if you were in doubt). I want to mount a large TrueCrypt partition automatically when I log in.

I wrote a small script that mounts the TrueCrypt drive, and added a line to .bashrc (you could also use .profile, I guess) so that this automount script runs upon login.

Here's the initial script:

truecrypt -t -k "" --auto-mount=devices -p 'MySuperSecretPassword'

Storing the password inside the script isn't the problem (remember that the home dir is already encrypted). The problem is that when doing “ps ax”, the password shows up in the list, like so:

3471 ? Ssl 0:00 truecrypt -t -k --auto-mount=devices -p MySuperSecretPassword

Bad idea. I want to mount using a password and not a “keyfile”, but TrueCrypt doesn't provide any other way of supplying a password.

However, the solution was pretty simple once I found it:


echo "MySuperSecretPassword" | truecrypt -t -k "" --auto-mount=devices -p ''

It's really a coincidence that this works. TrueCrypt tries to mount using a blank password. Once this fails, it prompts for a password, and the prompt is filled from the pipe. Now the password is gone from ps ax, and I'm a happy camper.
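An added check (my code, not part of the post) that reproduces the exposure and verifies the fix without needing TrueCrypt: it starts a throwaway Python child with the placeholder password on its command line and reads the argv back from /proc/<pid>/cmdline, which is exactly where ps ax gets its output, then does the same with the password delivered on stdin. The last function is the audit you would run on a box to find any process leaking a known secret. It assumes Linux (it reads /proc) and uses the post's placeholder MySuperSecretPassword.

```python
import os
import subprocess
import sys

# Added example, not from the original post. It reproduces the exposure the
# post describes (a secret in argv is readable by every local user through
# /proc/<pid>/cmdline, which is what ps reads) and shows that a secret passed
# over stdin never gets there. Linux only, since it reads /proc.

SECRET = "MySuperSecretPassword"          # the post's placeholder password
CHILD_ARGV = "import time; time.sleep(30)"
CHILD_STDIN = "import sys, time; pw = sys.stdin.readline(); time.sleep(30)"


def proc_available():
    return os.path.isdir("/proc/self")


def cmdline_of(pid):
    """argv of PID as one string, NUL separators turned into spaces (as ps shows it)."""
    with open("/proc/%d/cmdline" % pid, "rb") as f:
        return f.read().replace(b"\0", b" ").decode("utf-8", "replace")


def secret_visible_in_argv(secret=SECRET):
    """Start a child with SECRET on its command line and read its argv back."""
    child = subprocess.Popen([sys.executable, "-c", CHILD_ARGV, secret])
    try:
        return secret in cmdline_of(child.pid)
    finally:
        child.kill()
        child.wait()


def secret_visible_when_piped(secret=SECRET):
    """Same child, but the secret travels over stdin: argv stays clean."""
    child = subprocess.Popen([sys.executable, "-c", CHILD_STDIN],
                             stdin=subprocess.PIPE)
    try:
        child.stdin.write((secret + "\n").encode("utf-8"))
        child.stdin.flush()
        return secret in cmdline_of(child.pid)
    finally:
        child.stdin.close()
        child.kill()
        child.wait()


def processes_exposing(secret):
    """Audit: PIDs of every process (all users if run as root) whose command
    line contains SECRET. Feed SECRET to this from a file or the environment,
    never as an argument to your own script, or the audit finds itself."""
    hits = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                if secret in cmdline_of(int(entry)):
                    hits.append(int(entry))
            except OSError:                   # exited, or not ours to read
                pass
    return hits


def audit_catches_leaky_child(secret=SECRET):
    """Start one leaky child and check that the audit reports its PID."""
    child = subprocess.Popen([sys.executable, "-c", CHILD_ARGV, secret])
    try:
        return child.pid in processes_exposing(secret)
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    print("password on the command line, visible in ps:", secret_visible_in_argv())
    print("password on stdin, visible in ps:          ", secret_visible_when_piped())
```

The same reasoning applies to anything that takes a secret as an option (-p, --password, connection strings): prefer stdin, a file descriptor, or a file with tight permissions. Note that the environment is not a safe channel either; /proc/<pid>/environ is readable by the same user, and by root.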



  - Dan
Aug
2

Holland beware. Several thousand hackers & nerds from all over the world are marching towards your country.

HAR2009

At last, at last. Time to crawl outside our dungeons, defy the Evil Daystar (even though it is trying to kill us) and make our way towards the “Hacking-At-Random” camp in Holland.

It's almost here! August 13-16.
We have moved all “camp”-related stuff to our new blog at http://camp.hacker.dk. If you wish to follow our exploits (so to speak) while we're there, camp.hacker.dk is the place to look. It will most likely be in Danish, but there will be photos (and cake!), so come on over anyway.



  - Dan
Jul
15


After upgrading Subversion on my server to version 1.5.1, I started getting the following error for all newly created repositories (on commit):

svn: Can’t open activity db: APR does not understand this error code

Oddly, all my existing repositories worked fine. Googling didn't help me, though it did point in the direction of Apache not having enough rights. Chmodding to 770 didn't help. Chowning to www-data didn't help (both were the recommended solution everywhere I looked). I finally figured out that a folder was missing in the new repository directory. This solved the problem for me:

$ cd /path/to/your/repository
$ mkdir dav
$ chown www-data: dav

So I thought I'd stick it online here, to help anyone else not finding the right solution on the web.



  - Dan
May
31

Welp... I finally surrendered. I swore I'd never buy a gaming console, and yet I've just bought my first one ever. Since I wanted a console that could play the games I usually play on a PC, I had the choice between the lesser of two evils: Sony vs. Microsoft.

After carefully weighing the proof against both companies, I decided that Sony was a bit more evil than MS, so I went with the XBOX 360. :)

One of the things I was looking forward to was streaming video to the XBOX from my PC. Imagine my disappointment when the XBOX menu told me I needed a Windows PC with Windows Media Player 11. No way in hell!

So last night I finally got my Linux laptop to stream video to the XBOX. It turns out that Microsoft's mysterious “proprietary protocol” for streaming is (as usual) a standard protocol, just modified enough that standard tools can't use it. Why MS ALWAYS has to do this boggles my mind. It's called a “standard” for a reason, dammit!

The protocol in question is nothing  more than UPnP.


AFAIK, the only difference from standard UPnP is that the XBOX requires the UPnP server to identify itself as “Windows Media Connect”, and it requires a specific directory layout.

“Fuppes” is a small UPnP server that lets you configure all this, and its wiki even has guides on how to do it.

So now I have it working, and I have to admit that the XBOX media player is not half bad (with the newest firmware upgrades). It does quite a decent job. Nothing fancy or cool, but it works nicely.



  - Dan
Jul
16

Presenting “sapi2wav” (the name was chosen because text2wav was already taken).

It's a simple Windows tool that lets you do text-to-speech from the command line.

The program will speak a text given as an argument, or read a file and output to a wave file. It also allows you to choose other voices, if e.g. you have NeoSpeech voices or AT&T Natural Voices.

It's free (unlike any other command-line SAPI program I've found) and it's open source (GPL).

Command-line processing is a MUST for any form of scripting or automation. I wanted to automatically transfer daily news stories to an MP3 player, and now I can :)
Usage is as simple as:

sapi2wav.exe c:\out.wav 1 -t "Hello world"

TextAloud has a command-line mode, but it's very oddly written, pretty beta, and doesn't run under Linux. I wrote to TextAloud (or NextUp.com) explaining my very insignificant problem, and of course they didn't reply. So instead of buying their product, I ended up making an open source alternative :).

So if you install SAPI5 under Wine (it must be installed in Windows ME compatibility mode), then you can run this tool under Wine as well and do command-line magic :)

Downloads:

Setting up MS SAPI5 under Wine should be as easy as configuring Wine to run in Windows ME mode, then downloading and running MS's SAPI5 installer (the MSI for Windows ME).

WineHQ has an article on how to do this.

The tool SayPad from this page should have SAPI5 included in the 95/98/ME installer. Though I haven't tested it, I guess if you can install SayPad under Wine, you'll get the needed APIs.

Please send me any changes you might make to this SAPI-to-wav tool.



  - Dan
May
23

Problem: PHP displays its version along with the normal web server response headers (X-Powered-By: PHP/x.y.z). Apparently the only way to change this is recompiling PHP, which I find annoying to do after every PHP update. So I decided to make a one-liner to patch the binary PHP module. (Note that setting expose_php = Off in php.ini also turns this header off, without touching the binary.)

Solution:

This has been tested only on PHP4 and PHP5 on Debian, but I see no reason why it shouldn't work on other distros.

Locate your libphp4.so, libphp5.so or the like. Mine is in /usr/lib/apache/1.3/libphp4.so (on Debian). Make a backup of it first, just in case ;)
Run the following command (it overwrites the character after “PHP” with a NUL byte, so the C string ends there and the file size is unchanged):

perl -pi -e 's/(X-Powered-By: PHP).([^\x00]+)/$1\x00$2/' /usr/lib/apache/1.3/libphp4.so

(replace /usr/lib/apache/1.3/libphp4.so with YOUR path)

Restart Apache. Now the header only reveals "X-Powered-By: PHP".



  - Dan
Mar
22

I've been coding some Perl for my Nokia 770 that needed to play sounds, and I found that play-sound should do the trick. However, the volume is very low, and a lot of googling turned up nothing but other people with the same problem.

After analysing ‘play-sound’, I found out two things:

  1. It does use “esd” to play waves, which is good since it's “non-blocking”.
  2. It's made for playing “system-alert” sounds.

So looking in the sound configuration, you can choose the volume level of system-alert sounds. The options are “none”, “level 1” and “level 2”, and after raising my sound to level 2, it still wasn't loud enough. Also, I really don't want all other alert sounds at that volume.

So based on my (simple) analysis, the play-sound program reads a config option called “system_alert_volume”. I thought there might also be a “master_volume” defined, and did a small patch. And I was right.

So my solution is this (it requires Perl on the tablet, or an “offline” hex edit):

Make a copy of play-sound:
$ cp /usr/bin/play-sound /usr/bin/play-sound2

Patch /usr/bin/play-sound2 to use “master_volume” instead. With perl, do this (the \x00 terminates the new string, and the five dots pad it to the original 19-byte length so the file size does not change):
$ perl -pi -e 's/system_alert_volume/master_volume\x00...../' /usr/bin/play-sound2

Problem solved ;). Now you can use the command:
$ play-sound2 test.wav

to play sounds at the set master volume.

To do the same patch in a hex editor, locate “system_alert_volume” and overwrite the string with “master_volume” plus a null character (\x00) to terminate the string. If you forget to null-terminate, play-sound2 will segfault.

I like this solution, since “play-sound” is only 10k in size and no extra dependencies need to be installed. And the “copy & patch” could be done from an install script.
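The PHP header patch earlier on this page and this play-sound patch are the same operation: overwrite bytes inside a NUL-terminated C string without changing the file's size. Here is an added example (my code, not either post's one-liner) that does both on constructed sample blobs, with the two checks a practitioner wants before writing an ELF back to disk: the pattern must occur exactly once, and the output must be exactly as long as the input. The FAKE_* blobs are made-up stand-ins, not bytes from libphp4.so or play-sound, and the function names are mine.

```python
# Added example, not either post's one-liner: length-preserving patches to
# NUL-terminated strings inside a binary, with the checks you want before
# writing an ELF back to disk.


def find_unique(blob, needle):
    """Offset of NEEDLE in BLOB; raises if it occurs zero or several times,
    because patching "the first hit" of a common string is how you corrupt
    the wrong thing."""
    first = blob.find(needle)
    if first < 0:
        raise ValueError("pattern not found: %r" % needle)
    if blob.find(needle, first + 1) >= 0:
        raise ValueError("pattern is not unique: %r" % needle)
    return first


def c_string_at(blob, offset):
    """The NUL-terminated string that starts at OFFSET."""
    return blob[offset:blob.index(b"\0", offset)]


def truncate_c_string(blob, prefix):
    """Overwrite the byte right after PREFIX with NUL so the C string ends
    there (what the PHP one-liner does: 'X-Powered-By: PHP/5.2.0' becomes
    'X-Powered-By: PHP'; the version digits stay behind, unreachable)."""
    off = find_unique(blob, prefix)
    if len(c_string_at(blob, off)) == len(prefix):
        return blob                          # already patched
    out = bytearray(blob)
    out[off + len(prefix)] = 0
    return bytes(out)


def replace_c_string(blob, old, new):
    """Replace the whole C string OLD with NEW in place. NEW must not be
    longer; it is NUL-padded to OLD's length so the terminator stays put
    (what the play-sound one-liner does with master_volume\\x00.....)."""
    if len(new) > len(old):
        raise ValueError("replacement longer than original; no room in the binary")
    off = find_unique(blob, old + b"\0")     # the whole string, not a prefix of a longer one
    out = bytearray(blob)
    out[off:off + len(old)] = new.ljust(len(old), b"\0")
    return bytes(out)


def patch_file(path, patcher):
    """Apply PATCHER (bytes -> bytes) to PATH, keeping PATH + '.bak'. Refuses
    to write if the size changed: that would shift every offset in an ELF."""
    with open(path, "rb") as f:
        original = f.read()
    patched = patcher(original)
    if len(patched) != len(original):
        raise ValueError("patch changed the file size; not writing")
    with open(path + ".bak", "wb") as f:
        f.write(original)
    with open(path, "wb") as f:
        f.write(patched)
    return patched != original


# Constructed stand-ins (a fake ELF magic plus the strings the posts patch),
# not bytes from a real libphp4.so or play-sound.
FAKE_LIBPHP = (b"\x7fELF\x02\x01\x01" + b"\0" * 9
               + b"X-Powered-By: PHP/5.2.0\0Content-type: text/html\0")
FAKE_PLAYSOUND = (b"\x7fELF\x01\x01\x01" + b"\0" * 9
                  + b"system_alert_volume\0esd\0play-sound\0")

if __name__ == "__main__":
    php = truncate_c_string(FAKE_LIBPHP, b"X-Powered-By: PHP")
    print(c_string_at(php, FAKE_LIBPHP.index(b"X-Powered-By")))     # b'X-Powered-By: PHP'
    snd = replace_c_string(FAKE_PLAYSOUND, b"system_alert_volume", b"master_volume")
    print(c_string_at(snd, FAKE_PLAYSOUND.index(b"system_alert")))  # b'master_volume'
```

Used on a real binary it would be patch_file("/usr/bin/play-sound2", lambda b: replace_c_string(b, b"system_alert_volume", b"master_volume")). The uniqueness check is the part the perl one-liners lack: perl -pi happily rewrites every occurrence, and the size check catches a replacement that is accidentally longer than the original.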



  - Dan