1

Kerberos/Samba/AD account lockouts

-

I kept getting the following errors on my AD domain in the event viewer and accounts kept locking out:
Pre-authentication failed:
User Name:      user1
User ID:                DOMAIN\user1
Service Name:   krbtgt/DOMAIN.COM
Pre-Authentication Type:        0x0
Failure Code:   0x12
Client Address: 192.168.246.134

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

In the Directory Service logs I see the following entry:
[snip]
Active Directory could not update the following object with changes
received from the domain controller at the following network address
because Active Directory was busy processing information.

Object:
CN=User 1,OU=Testing Services Team,OU=TESTER V,DC=domain,DC=com
Network address:
e5523049-53f1-4274-858b-

c68971599acf._msdcs.domain.com

This operation will be tried again later.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Turns out this happens if you have samba/winbind/AD type infrastructure. If someone has some processes running (Even if they us sudo) and happen to change their password while the process is running on unix (and using kerberos authentication), the accounts lockout because the kerberos ticket granting ticket (krbtgt) is not current and any object access is considered to be a failed login attempt. This locks out the accounts if you have account lockout implemented in your AD domain security policy.

1

Sharing 3G connection using 802.11 Access Point

-

Let’s assess the situation: You have a 3G phone which allows tethering, a windows machine, a wireless access point and another PC that is connected to the LAN port of the wireless access point (or typically called a wireless router). The wireless access point is a home network and your ISP decides to disconnect your signal or is experiencing some problems. How do you share your 3G connection, so that other computers can connect through the wireless AP and use your cell phone’s 3G connection? It’s actually quite simple.

Tether your smartphone (in this case let’s say blackberry). Blackberry tethering in Windows over AT&T is allowed using a software called AT&T Communication Manager. Install ACM, and connect your Windows machine using a mini-USB cable to your phone. Goto Start->Run->cmd.exe. Type ipconfig /all to see the IP address and the DNS servers IP addresses.

Now connect the WAN link of your Wireless access point to this Windows machine’s ethernet port. Setup a static IP for this Windows machine say 192.168.10.1 with a netmask of 255.255.255.0. Now go to Network connections (from Control Panel), right click on the Mobile connection representing your blackberry, click on Advanced. In the Internet Connection Sharing section, check the box that says “Allow other network users to connect through this computer’s Internet connection” and select “Local Area Connection” (this is the same connection you connected to the WAN port of the wireless AP). Click OK. You may have to disconnect and reconnect your ACM connection to allow the settings to take effect.

Now that this is done, connect to the administration interface of the wireless access point to the other PC that is connected to the LAN port (or through the wireless) to the access point. Go to the administration interface of the wireless AP, and set a static IP for the router in the same subnet as with the Windows box (the one you set with 192.168.10.1). Set the static IP on the AP to be say 192.168.10.2 (remember this has to be the same subnet), netmask as 255.255.255.0 and then the most important, the default gateway to 192.168.10.1 (the IP of the windows box on the ethernet card). To set the DNS server addresses, use the same addresses you found using ipconfig /all in the first step. Otherwise you could also use open DNS servers or any other DNS servers but it’ll be best to use the DNS servers pointing to the ones used by the tethered connection because you can rule out DNS issues if something isn’t working and it comes down to troubleshooting. Once on the router, the static is set, the gateway is set, the DNS is set, you should be able to connect from your wireless network to the internet through your 3G connection! 🙂
Happy internet sharing! 🙂
Here is a schematic diagram:

[tethering]                [static IP]    [static IP]   [internal IP]  [DHCP address]
                                   |         |                |           |
[ phone ] <==> [Windows machine]:eth0 <==> wan:[Wireless AP]:lan <==> [client]
0

Compiling wepattack on backtrack4

-

I encountered various errors when compiling wepattack. This download does not come with a makefile that is compatible with the ubuntu distro that backtrack uses. First of all make sure that the wlan directory that you get when untarring the .tar.gz archive has execute permissions set to it.

$ cd WepAttack-0.1.3/src
$ chmod +x wlan

Once this is done “permission denied” errors should go.

/Desktop/WepAttack-0.1.3/src$ make
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o wepattack.o wepattack.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
wepattack.c: In function ‘loop_packets’:
wepattack.c:141: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:146: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:151: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:156: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c: In function ‘clean_up’:
wepattack.c:184: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
wepattack.c: In function ‘main’:
wepattack.c:309: warning: format ‘%d’ expects type ‘int’, but argument 2 has type ‘long int’
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o rc4.o rc4.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o wepfilter.o wepfilter.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o log.o log.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o modes.o modes.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
modes.c:25:30: error: wlan/wlan_compat.h: Permission denied
modes.c:26:28: error: wlan/p80211hdr.h: Permission denied
modes.c: In function ‘generate_rc4_key’:
modes.c:51: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c: In function ‘process_rc4_key’:
modes.c:68: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c: In function ‘mode_keygen’:
modes.c:125: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c:127: warning: incompatible implicit declaration of built-in function ‘strcpy’
modes.c: In function ‘mode_wep’:
modes.c:145: warning: incompatible implicit declaration of built-in function ‘memcpy’
make: *** [modes.o] Error 1

The following patch file will take care of most errors and you should be able to get Wepattack compiled properly:

diff -aur WepAttack-0.1.3/src/Makefile WepAttack-patched/src/Makefile
--- WepAttack-0.1.3/src/Makefile 2002-10-23 09:11:36.000000000 -0400
+++ WepAttack-patched/src/Makefile 2010-09-26 04:54:20.000000000 -0400
@@ -6,23 +6,23 @@
LD=gcc
#
# CFLAGS
-CFLAGS=-fno-for-scope -c -D__LINUX_WLAN__ -D__I386__
+CFLAGS= -c -D__LINUX_WLAN__ -D__I386__
#
#
# LDFLAGS
-#LDFLAGS=
+LDFLAGS=-L../run
#
#
# Libraries to link against
-LIBS= -lpcap -lz -lcrypto
+LIBS= -lpcap -lz -lcrypto
#
#
# Install path for wepattack
INSTDIR=/usr/bin

+INCLUDEDIR=-Isrc/
wepattack: wepattack.o rc4.o wepfilter.o log.o modes.o misc.o verify.o keygen.o
- $(LD) $(LDFLAGS) -o $@ wepattack.o rc4.o wepfilter.o log.o\
- modes.o misc.o verify.o keygen.o $(LIBS)
+ $(LD) $(LDFLAGS) $(INCLUDEDIR) -o $@ wepattack.o rc4.o wepfilter.o log.o modes.o misc.o verify.o keygen.o $(LIBS)

wepattack.o: wepattack.c wepattack.h
$(CC) $(CFLAGS) -o $@ wepattack.c
@@ -46,7 +46,7 @@
$(CC) $(CFLAGS) -o $@ keygen.c

modes.o: modes.c modes.h
- $(CC) $(CFLAGS) -o $@ modes.c
+ $(CC) $(CFLAGS) $(INCLUDEDIR) -o $@ modes.c

misc.o: misc.c misc.h
$(CC) $(CFLAGS) -o $@ misc.c
diff -aur WepAttack-0.1.3/src/modes.c WepAttack-patched/src/modes.c
--- WepAttack-0.1.3/src/modes.c 2002-10-24 09:15:19.000000000 -0400
+++ WepAttack-patched/src/modes.c 2010-09-26 04:55:22.000000000 -0400
@@ -29,6 +29,7 @@
#include "wepattack.h"
#include "wepfilter.h"
#include "verify.h"
+#include "string.h"

static rc4_key gen_key;
static unsigned char decrypted_stream[2400];
Only in WepAttack-patched/src: wepattack
diff -aur WepAttack-0.1.3/src/wepattack.c WepAttack-patched/src/wepattack.c
--- WepAttack-0.1.3/src/wepattack.c 2002-10-24 09:14:29.000000000 -0400
+++ WepAttack-patched/src/wepattack.c 2010-09-26 04:41:18.000000000 -0400
@@ -36,7 +36,7 @@
#include "config.h"
#include "modes.h"
#include "misc.h"
-
+#include

wlan_packet_list* current_packet;

@@ -181,7 +181,7 @@

// calculate elapsed time
duration = difftime_us(&t_val_start, &t_val_end);
- printf("\ntime: %f sec\twords: %d\n\n", duration, word_count);
+ printf("\ntime: %f sec\twords: %ld\n\n", duration, word_count);

// write ucracked packets to logfile
log_uncracked(list_packet_to_crack);
@@ -306,7 +306,7 @@

// print out each 10'000 key
if ((word_count % 10000) == 0)
- printf("key no. %d: %s\n", word_count, key);
+ printf("key no. %ld: %s\n", word_count, key);
word_count++;

// main loop to process key in modes on every packet

Copy the above patch in to a file called wepattack.patch. Copy wepattack.patch into the WepAttack-0.1.3 directory and patch it as follows:

$ patch -p1 <wepattack.patch
$ cd src
make
sudo make install

You should be able to get wepattack installed!

1

Cisco ASDM IDM Launcher Loading Errors

-

Cisco ASDM is quirky in the sense that if the right Java version is not found it will just puke with errors that make no sense. This is what my java log looks like:
Application Logging Started at Fri Aug 01 11:01:11 EDT 2010
---------------------------------------------
Local Launcher Version = 1.5.41
Local Launcher Version Display = 1.5(41)
Cannot read profile file C:\Documents and Settings\abcdef\.asdm\data\deviceinfo.conf.
OK button clicked
Trying for ASDM Version file; url = https://www.example.com/admin/
Server Version = 6.2(1)
Server Launcher Version = 1.5.41, size = 476672 bytes
Launcher version checking is successful.
invoking SGZ Loader..
Cache location = C:/Documents and Settings/abcdef/.asdm/cache
Exception in thread "SGZ Loader: launchSgzApplet" java.lang.NoSuchFieldError: b
at dac.setLevel(dac.java:65)
at dac.(dac.java:44)
at gd.(gd.java:78)
at f5.a(f5.java:117)
at com.cisco.dmcommon.util.DMCommonEnv.(DMCommonEnv.java:38)
at com.cisco.pdm.PDMApplet.updateProgress(PDMApplet.java:300)
at com.cisco.pdm.PDMApplet.init(PDMApplet.java:63)
at com.cisco.nm.dice.loader.r.run(DashoA19*..:409)

It happens because the ASDM launcher is not capable of running on newer JVMs. Since I had older JVMs, I went into Control Panel -> Java. Click on the Java tab, followed by clicking the “view” button. This will show you the current JVM being used. If you have older JVMs click on Find (you will have to select the folder where you suspect older JVMs to be…which in my case was c:\Program Files). If you don’t find an older JVM then just install an older version and it will work.

0

ASA Fails to parse certificates

-

Last night I was trying to get a VeriSign issued SSL certificate installed on my ASA using Cisco ASDM 6.2. I installed the Intermediate CA and the CA certificates all installed. I then imported the SSL certificate into the “Configuration -> Device Management -> Manage Certificates -> Identity Certificates” but it did not seem to work. I kept getting an error “Failed to parse or verify imported certificate”. The certificate was in the .p7b form. Changing the format of the certificate to X.509 Base64 Encoded format resulted in acceptance of the certificate.
I sincerely hope that Cisco alters its error messages to accurately reflect that .p7b is not a format supported by them.

Update: This link has the information on how to install SSL certificates on ASA:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml

0

ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: NO)

-

If this is the error you are getting then one of the solutions is to reset your root password on the MySQL database server.

$ pkill mysql
$ sudo mysqld --skip-grant-privileges
$ mysql

At this point you get the mysql command shell. You will need to update the root password and flush the table when you reset the password.

mysql> set UPDATE mysql.user SET Password=PASSWORD('YOUR_NEW_PASSWORD') WHERE User='root';
mysql> FLUSH PRIVILEGES;

Now that you’ve flushed your passwords, just restart your mysql daemon.

$ sudo pkill mysqld
$ sudo /etc/init.d/mysqld start
$ mysql -u root -p
Enter Password: YOUR_NEW_PASSWORD
mysql>

You should be all set now!