West Coast to East Coast: antithetical US

A three-month moratorium on the blog. Things have changed dramatically in my life since I left Los Angeles, CA to come to New York, NY, two of the biggest cities not only in the USA but in the world.
First things first…I got a job at Ernst & Young’s Advanced Security Center, and like most people who work in New York I live in Jersey City, NJ and commute to work. The commute is not too bad; it takes about 45 mins door-to-door. Also, by living in New Jersey instead of the 5 boroughs (New Yorkers call the collection of Manhattan, Queens, Brooklyn, the Bronx and Staten Island the 5 boroughs) one saves the 4% annual New York City tax.
Now for the topic of this post, which is “Moving”…probably the most troublesome experience people go through. It wasn’t too good for me either, but it could have been worse if it were not for the help of some good friends. People say that you realize the truthfulness of your friends in times of adversity, and that is exactly what I found. Whereas some people came to the fore to help me in every way they could, some stayed at bay (and in some cases … made sure that the buoy of my life was in the doldrums). Well…having said that, life is but a bunch of grapes … some sweet and some sour (something I heard in the Hindi movie “Khatta Meetha”)!
Finding apartments in the New York area can be a harrowing experience, especially if you are on a tight budget, which is exactly what I found. The best places to look are New Jersey Craigslist and New York Craigslist. Other places are Rent.com and Apartments.com, but I did not find them very useful. I found that New York had some really good places to rent even on a tight budget. All of these were in Queens (Rego Park, Forest Hills). The good part was that one could get a 2BR for $1450+ in these places. They were not too far from the subway stations and had a commute of 40-45 mins to Manhattan and 1 hr to Long Island (using the Long Island Rail Road, aka LIRR).
Jersey City in NJ is also a very good bet, but some places in Jersey City are posh as hell and you have to pay the price for the class. Exchange Place and Pavonia/Newport are examples of these places (with prices around $1700 for a 1BR). Grove Street is somewhere in between the posh and the not-at-all posh. Even though the prices in Exchange Place and Newport are really high, the class is well worth the money, especially when you consider that a similar apartment in Manhattan will cost at least twice or maybe three times as much. Another avenue to explore is Hoboken, NJ. Hoboken was personally my favorite place to look for an apartment because of the vibrancy associated with it; it almost looks like a European city bustling with restaurants and youth on the streets! It is also not too far from New York. However, just like Pavonia/Newport and Exchange Place, this fun doesn’t come cheap! The apartment costs are similar. The difference between Newport/Exchange Place and Hoboken is that the construction in Hoboken is older and you need a realtor to get an apartment more than you do in the former. Realtors charge a standard fee of one month’s rent for their services.
In case you are wondering what a realtor is: a realtor is a person who searches for an apartment that fits your budget and choice. But one must be wary of realtors because they can sometimes be a dangerous bet to pick!
The West Coast was much easier to find apartments in, in my experience, but that may be because I was looking in a university area, which is probably easier.

-Rajat
http://rajatswarup.blogspot.com/

Inspiron 700m Wireless configuration on Kubuntu

I have a Dell Inspiron 700m with Kubuntu Breezy Badger 5.10 on it.
This is how I got the WiFi going on this beauty.
1. Boot into Windows and get the Intel driver from Intel’s 1st site OR Intel’s 2nd site.

2. Save the files to a location on the disk that is accessible from Linux.


root@trance:/home/trance# ls -al /media/hda1/intel/wireless_9.0.4_generic_109116/Drivers/
total 8680
dr-x------ 1 root root 4096 2006-05-14 05:42 .
dr-x------ 1 root root 4096 2006-05-14 05:42 ..
-r-------- 1 root root 188416 2005-12-27 23:53 SetupWLD.EXE
-r-------- 1 root root 4849 2005-01-25 15:17 SetupWLD.ini
-r-------- 1 root root 13 2006-02-02 12:38 verfile.tic
-r-------- 1 root root 1671168 2006-01-27 08:50 W29MLRES.DLL
-r-------- 1 root root 2956544 2006-01-17 21:34 w29n50.sys
-r-------- 1 root root 14821 2006-02-02 00:47 w29n51.cat
-r-------- 1 root root 119785 2006-01-18 15:47 w29n51.INF
-r-------- 1 root root 3325312 2006-01-17 21:32 w29n51.sys
-r-------- 1 root root 466944 2006-01-27 08:49 W29NCPA.DLL
-r-------- 1 root root 122880 2005-12-27 23:53 WLDMLRES.DLL
root@trance:/home/trance#


3. Go back into Kubuntu and install the ndiswrapper-utils, ndisgtk and ndiswrapper-source packages with


root@trance:/home/trance# sudo apt-get install ndiswrapper ndisgtk ndiswrapper-source


4. As root, ndiswrapper -i <file.INF> installs the wireless driver from the Windows .inf file, and ndiswrapper -l lists the drivers installed.
Example:


root@trance:/home/trance# ndiswrapper -i /media/hda1/intel/wireless_9.0.4_generic_109116/Drivers/w29n51.INF
root@trance:/home/trance# ndiswrapper -l
Installed ndis drivers:
w29n51 driver present, hardware present
root@trance:/home/trance#


5. modprobe ndiswrapper loads the ndiswrapper kernel module, which also checks that it is installed: a correctly installed module loads with no error. Then write the config file (ndiswrapper -m) so that you do not need to go through the earlier steps every time you restart the system.


root@trance:/home/trance# modprobe ndiswrapper
root@trance:/home/trance# ndiswrapper -m
Adding "alias wlan0 ndiswrapper" to /etc/modprobe.d/ndiswrapper


6. If an error occurs, check whether the module is loaded with lsmod:


root@trance:/home/trance# lsmod | grep ndiswrapper


7. Now that ndiswrapper is installed and configured, we need to bring up the wireless interface. On my box the wireless interface used to show up as eth0; however, it was not configured to use ndiswrapper, so I would get a ‘segmentation fault’ on doing ifup eth0.
With the driver set up, I checked that all was well:


root@trance:/home/trance# iwconfig
lo no wireless extensions.

eth1 no wireless extensions.

eth0 IEEE 802.11g ESSID:"MySSID"
Mode:Managed Frequency:2.437 GHz Access Point: 00:13:46:46:78:28
Bit Rate=54 Mb/s Tx-Power=20 dBm
Retry limit:7 RTS thr:off Fragment thr:off
Encryption key:XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XX Security mode:open
Power Management:off
Link Quality=97/100 Signal level=-27 dBm Noise level=-89 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

sit0 no wireless extensions.
root@trance:/home/trance# ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:CE:D9:0D:74
inet6 addr: fe80::213:ceff:fed9:d74/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:236683 (231.1 KiB) TX bytes:1104 (1.0 KiB)
Interrupt:10 Base address:0x8000 Memory:e0206000-e0206fff

eth1 Link encap:Ethernet HWaddr 00:12:3F:6B:36:2F
inet addr:192.168.0.109 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::212:3fff:fe6b:362f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3050 errors:0 dropped:0 overruns:0 frame:0
TX packets:1534 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3117901 (2.9 MiB) TX bytes:159050 (155.3 KiB)
Interrupt:10

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:33 errors:0 dropped:0 overruns:0 frame:0
TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2058 (2.0 KiB) TX bytes:2058 (2.0 KiB)

root@trance:/home/trance# ifup eth0
There is already a pid file /var/run/dhclient.eth0.pid with pid 0
Internet Systems Consortium DHCP Client V3.0.2
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP

sit0: unknown hardware address type 776
sit0: unknown hardware address type 776
Listening on LPF/eth0/00:13:ce:d9:0d:74
Sending on LPF/eth0/00:13:ce:d9:0d:74
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
ip length 328 disagrees with bytes received 332.
accepting packet with data after udp payload.
DHCPOFFER from 192.168.0.1
DHCPREQUEST on eth0 to 255.255.255.255 port 67
ip length 328 disagrees with bytes received 332.
accepting packet with data after udp payload.
DHCPACK from 192.168.0.1
bound to 192.168.0.101 -- renewal in 241302 seconds.
root@trance:/home/trance# ifdown eth1
There is already a pid file /var/run/dhclient.eth1.pid with pid 6390
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.0.2
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP

sit0: unknown hardware address type 776
sit0: unknown hardware address type 776
Listening on LPF/eth1/00:12:3f:6b:36:2f
Sending on LPF/eth1/00:12:3f:6b:36:2f
Sending on Socket/fallback
DHCPRELEASE on eth1 to 192.168.0.1 port 67
root@trance:/home/trance# ping www.google.com
PING www.l.google.com (64.233.161.99) 56(84) bytes of data.
64 bytes from 64.233.161.99: icmp_seq=1 ttl=233 time=73.5 ms
64 bytes from 64.233.161.99: icmp_seq=2 ttl=233 time=51.6 ms

--- www.l.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 51.688/62.634/73.580/10.946 ms


8. To make sure that you don’t have to type iwconfig essid/key by hand every time you log on, change your /etc/network/interfaces file to have these few lines at the end. wireless-essid is your wireless network name (SSID) and wireless-key is the WEP key.

iface eth0 inet dhcp
wireless-essid XXXXXXX
wireless-key XXXXXXXXXXXXXXXXX

My /etc/network/interfaces on Ubuntu (in FC/RHL the counterpart is /etc/sysconfig/network-scripts/ifcfg-ethX) looks like:


# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth1

# The primary network interface
auto eth1
iface eth1 inet dhcp

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
wireless-essid USC-Trojans
wireless-key 11111111111111111111111111
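As an added example (not code from the original post), here is a small parser for the iwconfig output shown in step 7 that pulls out the association details and flags the WEP key that wireless-key configures; the sample output is constructed from the post, with the key masked as in the post.

```python
import re

# Constructed sample modelled on the post's iwconfig output (key masked as in the post).
SAMPLE_IWCONFIG = """\
lo        no wireless extensions.

eth1      no wireless extensions.

eth0      IEEE 802.11g  ESSID:"MySSID"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:13:46:46:78:28
          Bit Rate=54 Mb/s   Tx-Power=20 dBm
          Retry limit:7   RTS thr:off   Fragment thr:off
          Encryption key:XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XX   Security mode:open
          Power Management:off
          Link Quality=97/100  Signal level=-27 dBm  Noise level=-89 dBm

sit0      no wireless extensions.
"""

FIELDS = (
    ("mode", r"Mode:(\S+)"),
    ("ap", r"Access Point: ([0-9A-Fa-f:]{17})"),
    ("enc_key", r"Encryption key:(\S+)"),
    ("sec_mode", r"Security mode:(\S+)"),
)

def parse_iwconfig(text):
    """Return {ifname: {field: value}} for every interface with wireless extensions."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():               # interface name starts in column 0
            name, _, rest = line.partition(" ")
            if "no wireless extensions" in rest:
                current = None
                continue
            current = ifaces.setdefault(name, {})
            m = re.search(r'ESSID:"([^"]*)"', rest)
            if m:
                current["essid"] = m.group(1)
            continue
        if current is None:                     # continuation line of a wired interface
            continue
        for key, pat in FIELDS:
            m = re.search(pat, line)
            if m:
                current[key] = m.group(1)
        m = re.search(r"Link Quality=(\d+)/(\d+)", line)
        if m:
            current["quality"] = int(m.group(1)) / int(m.group(2))
    return ifaces

def assess(iface):
    """Findings for one parsed interface. iwconfig's key field is the legacy WEP key;
    a WPA/WPA2 association set up by wpa_supplicant is not visible in it."""
    key = iface.get("enc_key", "off")
    if key == "off":
        # Either an open network or encryption managed elsewhere; confirm with wpa_cli status.
        return ["no WEP key set: open network, or WPA managed outside iwconfig"]
    findings = ["WEP key configured: recoverable from captured traffic, migrate to WPA2"]
    if iface.get("mode", "Managed") != "Managed":
        findings.append("interface is not in Managed mode: %s" % iface["mode"])
    return findings
```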


SMBProxy Compilation issues

So the other day I was on a pen test and I got hold of the hashes. Since my laptop got fried I needed a new build of SMBProxy. There were a few issues that I had with the compilation, though: I got a few errors in the file crypto.c.
Moreover, SMBProxy uses the crypto library libdes written by Eric Young, available here.
Here is a guide to compiling SMBProxy that worked for me.

First, compile and install libdes

  1. Download libdes 4.01
  2. tar zxvf libdes-4.01.tar.gz
  3. cd libdes
  4. make gcc
  5. sudo make install

You will now find the file libdes.a in /usr/local/lib.
Second, compile and install SMBProxy. Here there were a couple of compilation errors that I had to deal with.
Here’s the diff output for crypto.c:

trance@z0n3:~/Desktop$ diff smbproxy/crypto.c smbproxy-orig-src/crypto.c
40,41c40
< #include
< #define MD4_SIGNATURE_SIZE 16 --- >
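Review bot: in hunk 40,41c40 the added `#include` line has lost its header name, presumably because the angle-bracketed part was stripped when the post was rendered as HTML, and the `--- >` separator of the same hunk has been fused onto the `< #define MD4_SIGNATURE_SIZE 16` line; as shown the hunk cannot be applied, and anyone reproducing the fix has to recover the missing header name from the modified working copy of `crypto.c`.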
46c45
<> static u_char Get7Bits(UCHAR *input, int startBit) {
58c57
<> static void MakeKey(UCHAR *key, UCHAR *des_key) {
74c73
<> void DesEncrypt(UCHAR *clear, UCHAR *key, UCHAR *cipher) {
85c84
<> void mkResponse(UCHAR **ntlmhash, UCHAR hash[MD4_SIGNATURE_SIZE], UCHAR* challenge) {
88c87
<> UCHAR ntlm_response[24];
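Review bot: hunks 46c45 through 88c87 each show a single `<>` line where diff output would have a `<` line, a `---` separator and a `>` line, so the old and new forms of the `Get7Bits`, `MakeKey`, `DesEncrypt` and `mkResponse` prototypes and of the `ntlm_response[24]` declaration have been merged into one line and the actual edit is not visible; the post would be far more useful with the diff regenerated with `diff -u smbproxy/crypto.c smbproxy-orig-src/crypto.c` and pasted into a preformatted block so that the markers survive.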

Having done this, there were still a few issues with the make command.
The Makefile can be generated by running the following command:

trance@z0n3:~/Desktop/smbproxy-orig-src$ ./configure

Here’s the diff output of the Makefile:

trance@z0n3:~/Desktop$ diff smbproxy/Makefile smbproxy-orig-src/Makefile
10,11c10,11
< smbbf_include =" -Iinclude">
< libs ="">

> SMBBF_INCLUDE = -Iinclude
> LIBS = des
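Review bot: in hunk 10,11c10,11 the `<` lines (`smbbf_include =" -Iinclude"` and `libs =""`) have been lower-cased and wrapped in quotes like HTML attributes by the blog renderer, so the values the working Makefile actually assigns to `SMBBF_INCLUDE` and `LIBS` cannot be read from the page; the post should also state which side is the fix, because with `diff smbproxy/Makefile smbproxy-orig-src/Makefile` the `<` lines are the edited tree and the `>` lines are the unmodified source, the opposite of what a reader expects from a patch.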
31c31
< $(LIBDES) $(LIBS)

> $(LIBDES)

The following libraries are required to compile SMBProxy successfully: openssl, openssl-dev and libdes.

apt-get install openssl openssl-dev

Setting up a Windows 7 Kernel Development Environment

If you are writing Ring0 (privileged mode) code, say device drivers on Windows, you are better served with a separate development machine and a deployment machine. This lets you write poor code and still not lose hair when it blue screens, because it is not your development machine that crashes! 🙂

My setup used a Windows 8.1 development machine and a Hyper-V based Windows 7 machine for debugging. You will need to execute some tasks on the “guest” (the Hyper-V based Windows 7 virtual machine) and others on the development machine. I followed many of the steps from the MSDN blog post here.

On your guest machine you want to set up a named pipe and the debug settings. To do that:

Set up a virtual COM port in the Hyper-V settings (File -> Settings); this port carries the kernel debugging commands from the host to the guest.

(screenshot: Hyper-V COM port settings)

Now make sure that your target guest machine is configured to “listen” for those commands. Inside the guest VM, start a command shell (cmd.exe -> Run as Administrator).

(screenshot: elevated command prompt in the guest)

Configure the bcdedit settings so that the machine can now be debugged. Right after the 2nd command, reboot your virtual machine.

(screenshot: bcdedit commands in the guest)

With the VM now configured to listen for debug commands on the COM1 port, and debug mode enabled in the boot settings, start WinDbg x64 on the host using “Run as administrator” (you need administrative privileges to communicate via the serial port). I am assuming here that the host and the development machine are the same physical hardware. In WinDbg click File -> Kernel Debug and you should see the following screen:

(screenshot: WinDbg Kernel Debugging dialog)

Hit Ctrl+Break or Debug -> Break and you will see something like this:

(screenshot: WinDbg after breaking into the guest)

Just remember that when you break in the debugger, your guest in Hyper-V becomes “unresponsive”. It is not really unresponsive, it is just being debugged. To check that you have the symbols package, which is quite useful for debugging, run the following command:

!process 0 0

If you see something like the following, the symbols are not set up. Symbols let the debugger give more information about the commands you are going to execute in it.

(screenshot: !process 0 0 without symbols)

**** NT ACTIVE PROCESS DUMP ****
NT symbols are incorrect, please fix symbols

To fix this, use the following commands:

kd> .sympath SRV*c:\symcache*http://msdl.microsoft.com/download/symbols
kd> .symfix
kd> .symfix c:\symcache
kd> !sym noisy
kd> .reload /o

Then try the command !process 0 0 again and see if you get a good response. A good response looks like the following:

(screenshot: !process 0 0 with symbols loaded)

With this you should be good to go! Happy debugging and writing cool Ring0 code.
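The bcdedit and WinDbg steps only appear in the screenshots above, so here is an added example of the standard commands for this setup (not a transcript of the post’s screenshots). It assumes the Hyper-V COM1 port was mapped to a named pipe called \\.\pipe\win7dbg on the host and that WinDbg sits at the default Windows 8.1 SDK path; both are assumptions, adjust them to your settings.

```powershell
# --- Inside the Windows 7 guest (cmd.exe or PowerShell, Run as Administrator) ---
# Send kernel debug traffic over COM1 (debugport:1) at 115200 baud, then enable
# debugging for the current boot entry.  Only do this in the disposable guest:
# a machine booted with /debug on trusts whatever sits on the other end of the port.
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /debug on

# Confirm the settings before rebooting (the post reboots right after the 2nd command).
bcdedit /dbgsettings
bcdedit /enum "{current}"
shutdown /r /t 0

# --- On the host, after the guest has rebooted (PowerShell, Run as Administrator) ---
# Attach WinDbg to the named pipe backing the guest's COM1.  The pipe name and the
# WinDbg path are assumptions; take them from the Hyper-V COM port settings.
& "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\windbg.exe" `
    -k "com:pipe,port=\\.\pipe\win7dbg,baud=115200,resets=0,reconnect"
```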

Brother HL-2040 Linux install on Backtrack 4

I was getting CUPSD errors when trying to use my Brother HL-2040 laser printer. You can install the Brother HL-2040 by going to the Brother website and downloading the Linux drivers located here:
http://welcome.solutions.brother.com/bsc/public_s/id/linux/en/download_prn.html#HL-2040
I just installed the lpd driver with the following command:
$ sudo dpkg -i brhl2070nlpr-2.0.1-1.i386.deb
When printing now, just select local lpd and then select the brother-HL2070 printer from the list (the drivers for both models are the same).

Tryst with Customer Service

In the capitalist world, it is said that companies survive on the hyper-consumerism of the people. The highly competitive economic scenario results in an environment where (as they say) the consumer is the winner, but not without a fight.
A few weeks back, my Compaq Presario 2575us laptop went bad. Well, the laptop is 2 yrs old and it has already been serviced twice, so I guess my patience thresholds have diminished over time. But this time around a person with even immense patience could have lost his mind. So here’s what happened. My laptop’s S-video port had been dysfunctional for as long as I can recall, but I never had enough time to let my laptop out of my hands. This time when I sent it for repairs my laptop almost disappeared from the face of the earth for almost 25 days. And when they returned it to a wrong address I had a premonition of difficult times. The “repaired” laptop even failed to start.
This really infuriated me because my 25 day wait had gone down the drain. So I called up customer care and they asked me to ship the laptop to the service center yet again. But this time around they wanted me to wait for 3 days before I could FedEx it to them. That was completely unacceptable to me. So I spoke to the supervisor and became as adamant as a stone. I continued to ask him for next day shipping and he continued to repeat that he could not do that. A 2 hr 45 min sparring match continued on the phone and it resulted in him being the loser as he disconnected the call. He kept saying that the discussion was going nowhere as we could not reach an agreement, and I kept insisting that the call had multiple destinations: 1. the HP supervisors and 2. the BBB.
This guy called himself Nick and he also refused to give me his employee number. I knew very well (from past experience) that Compaq uses phrases like “You have no proof for your requests” etc., so this time I needed some really strong evidence of my conversation. So I asked this Nick guy for permission to record the conversation. I think this made him a little wary of my intentions. But still he did not give me his details. I think he was really scared because he felt that my wrath could result in him facing the music from his bosses in Palo Alto, CA. There were a few interesting exchanges; for example, he said “I am Nick and you can identify me with this name alone.”, to which I retorted, “Well…I know that Nick is a common name in the U.S. and you guys might as well redirect my call to the NY Knicks judging by the way things are going.”.
So the next day I called up the HP Customer Care Service Manager’s Line at 1-877-917-4380, code 94 option 1. This time I spoke to a guy called Douglas Gilmore who was equally tough with me (if not more). He refused to acknowledge any of my concerns initially. But as the conversation progressed, it went from being a plain discussion to a heated argument. However, I did not utter even a single foul word, because I knew that he could use my language as a pretext to disconnect my call, which I was not willing to risk at all. So throughout the discussion I kept my head cool and tried to explain things to him. But after going through the history of the whole thing, he realized that I had suffered a lot because of this laptop and that the attitude of customer care had been rather cold. So he finally agreed to give me a replacement after many requests. This was probably my best argument to date, and I think it was some good thinking on my part as well as some cordial behavior on the part of the managers that got me what I truly deserved: a replacement for my defective laptop.
-Rajat.
nature’s signatures

One more in the list of technical posts! Yesterday was a day of 17 hrs in the lab (phew 🙂).
So we were capturing packets, but the packit tool did not randomize the source IPs enough, so we were getting decent signatures for TCP traffic but not for ICMP! Looking at the signature generation I found that the checksum was also being used to get the hash value. But when I stopped using the checksum values for generation of the hash, the signatures started coming out properly. Antoine, somehow, thought that the IP addresses were affecting the hash values we got. But looking deeply into the code we saw that it was not the case. The conclusion (which is really surprising) is that packit was generating quite a few similar packets, and that too from the same source IP (but they really should have been randomized!)…I don’t know whether this conclusion is correct??? Maybe some packit developers would be able to help me on this!
So now the challenge becomes to send those ICMP signatures across…but the icmp_send() method requires an skbuff structure…I looked at the net/ipv4/ipip.c file for the usage of icmp_send(), but it is still not clear to me how it should be used!

-Rajat
Rajat’s Homepage