The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Security’ Category

The Bogon Reference – Team Cymru

Posted by jpluimers on 2017/06/23

WHAT IS A BOGON, AND WHY SHOULD I FILTER IT?

A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks.

Source: The Bogon Reference – Team Cymru

The regular Bogon list is pretty static (last change in 2012), so I’ve listed the text version below. But the full Bogon list (including unused IPv4 space) is dynamic.

0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
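To show how the static list above is used for filtering, here is an added example (not from the original post or from Team Cymru) that flags log records whose source address falls inside one of the 14 prefixes. The log line format and the sample records are constructed for the illustration.

```python
import ipaddress

# The 14 prefixes of the static bogon list quoted in the post.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

def matching_bogon(address):
    """Return the bogon prefix containing `address`, or None."""
    ip = ipaddress.ip_address(address)  # raises ValueError on bad input
    if ip.version != 4:
        return None  # the static list above covers IPv4 only
    for net in BOGON_PREFIXES:
        if ip in net:
            return net
    return None

def flag_bogon_sources(lines):
    """Return (line_number, source, prefix) for each record with a bogon source.
    Assumed record format (constructed for this example): "<src> <dst> <bytes>"."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if not fields:
            continue
        try:
            prefix = matching_bogon(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the record
        if prefix is not None:
            hits.append((number, fields[0], str(prefix)))
    return hits

# Constructed sample of edge-router flow records (not real traffic).
SAMPLE_FLOWS = [
    "8.8.8.8 192.0.2.10 1200",
    "10.1.2.3 192.0.2.10 60",
    "172.32.0.1 192.0.2.10 60",       # just outside 172.16.0.0/12
    "100.127.255.255 192.0.2.10 60",  # last address of 100.64.0.0/10
    "garbage line",
    "240.0.0.1 192.0.2.10 60",
]

if __name__ == "__main__":
    for hit in flag_bogon_sources(SAMPLE_FLOWS):
        print(hit)
```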

–jeroen


OpenSuSE Tumbleweed – testing the password of any user with getent and openssl

Posted by jpluimers on 2017/06/21

For one of my VMs I forgot to note which of the initial passwords I had changed, so I wanted to check them.

Since I didn’t have a keyboard attached to the console and ssh wasn’t allowing root, I needed an alternative to an actual login to test the passwords.

Luckily, /etc/shadow together with getent and openssl came to the rescue.

Since getent varies per distribution, here is how it works on OpenSuSE:


OpenSSH Escape Sequences (aka Kill Dead SSH Sessions) – The Lone Sysadmin

Posted by jpluimers on 2017/06/16

You can get the help below by pressing these keys in an OpenSSH session:

  1. Enter
  2. ~
  3. ?

So that’s Enter, followed by tilde, then question mark.

Then you get this help:

Supported escape sequences:
 ~.   - terminate connection (and any multiplexed sessions)
 ~B   - send a BREAK to the remote system
 ~C   - open a command line
 ~R   - request rekey
 ~V/v - decrease/increase verbosity (LogLevel)
 ~^Z  - suspend ssh
 ~#   - list forwarded connections
 ~&   - background ssh (when waiting for connections to terminate)
 ~?   - this message
 ~~   - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

The one I use most is below; it leaves my tmux session alone.

  1. Enter
  2. ~
  3. .

–jeroen

via: SSH Escape Sequences (aka Kill Dead SSH Sessions) – The Lone Sysadmin


QC does this logon call to http://qc.embarcadero.com/coBugCGI.exe/soap/ICDSReportPublicInterface

Posted by jpluimers on 2017/06/09

I drafted this in 2014 and given the recent QC news:

I was quite shocked to see that the Embarcadero QC client logs in over HTTP, not over HTTPS, especially since it passes the password in plain text.

QC does this logon call to http://qc.embarcadero.com/coBugCGI.exe/soap/ICDSReportPublicInterface:


POST http://qc.embarcadero.com/coBugCGI.exe/soap/ICDSReportPublicInterface HTTP/1.1
SOAPAction: "urn:CDSReportPublicInterfaceIntf-ICDSReportPublicInterface#Login"
Content-Type: text/xml; charset="utf-8"
User-Agent: Borland SOAP 1.1
Host: qc.embarcadero.com
Content-Length: 665
Proxy-Connection: Keep-Alive
Pragma: no-cache

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><NS1:Login xmlns:NS1="urn:CDSReportPublicInterfaceIntf-ICDSReportPublicInterface"><EMail xsi:type="xsd:string">nobody@example.org</EMail><Passcode xsi:type="xsd:string">password</Passcode><ClientID xsi:type="xsd:string">QCWINCLNT</ClientID><BDN xsi:type="xsd:string">1</BDN></NS1:Login></SOAP-ENV:Body></SOAP-ENV:Envelope>

Time to cut down on my usage of QC.
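A check for this kind of exposure in a captured request, as an added example (not code from the original post or from Embarcadero): it reports SOAP fields that carry a secret when the request line shows an http:// target. The function names, the set of field names treated as secrets and the shortened sample capture are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Element names treated as secrets; "Passcode" is the field in the request above.
SECRET_FIELDS = {"passcode", "password"}

def audit_request(raw):
    """Return one finding per secret-bearing element sent without TLS."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    _method, target, _version = head.splitlines()[0].split(" ", 2)
    # The proxy-style absolute URL in the request line shows the scheme used.
    url = urlsplit(target)
    if url.scheme.lower() != "http":
        return []  # https:// or a relative target: nothing provable from this text
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return []  # body is not XML, so there is no SOAP field to inspect
    findings = []
    for element in root.iter():
        name = element.tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix
        if name.lower() in SECRET_FIELDS and (element.text or "").strip():
            # Report the field name only; never echo the secret itself.
            findings.append(f"{name} sent in cleartext to {url.netloc}")
    return findings

def sample_request(url):
    """Constructed capture modelled on the login call above (shortened)."""
    body = (
        '<?xml version="1.0"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Body>'
        '<NS1:Login xmlns:NS1="urn:CDSReportPublicInterfaceIntf-ICDSReportPublicInterface">'
        '<EMail xsi:type="xsd:string">nobody@example.org</EMail>'
        '<Passcode xsi:type="xsd:string">password</Passcode>'
        '</NS1:Login></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )
    return (f"POST {url} HTTP/1.1\r\nHost: qc.embarcadero.com\r\n"
            f"Content-Type: text/xml; charset=\"utf-8\"\r\n\r\n{body}")

if __name__ == "__main__":
    path = "qc.embarcadero.com/coBugCGI.exe/soap/ICDSReportPublicInterface"
    print(audit_request(sample_request("http://" + path)))   # one finding
    print(audit_request(sample_request("https://" + path)))  # empty list
```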

–jeroen

via: QC does this logon call to http://qc.embarcadero.com/coBugCGI.exe/soap/ICDSReportPublicInterface.


Mac OS X: “fzsftp could not be started” when connecting over SFTP

Posted by jpluimers on 2017/06/02

A while ago I had a “fzsftp could not be started” error using FileZilla on Mac OS X.

From the search results, it wasn’t exactly clear what I did wrong, as the “Show Package Contents” context menu showed “…/Contents/MacOS/fzsftp”

Then I remembered I got a bit confused with all the FileZilla updates coming out and renaming it to contain a version number (I do that with many applications so I can keep old versions allowing me to quickly revert to an older version if there are version compatibilities).

Renaming FileZilla.3.16.x.app back to FileZilla.app solved the issue: apparently FileZilla has a hardcoded dependency on exactly that name. I got there because of the hint about spaces in directories from this thread: fzsftp could not be started – FileZilla Forums

This was before Mac OS X El Capitan; with that version you have to set permissions correctly as well: fzsftp could not be started – Kruyswijk-ICT BV

–jeroen


17 years ago, C:\nul\nul crashed/BSOD Windows; now $MFT does for Windows < 10

Posted by jpluimers on 2017/05/26

Source:

History repeating itself: [Archive.is] 31607 – C:\nul\nul crashes/BSOD then, now it’s this:

Via:

All versions prior to Windows 10 and Windows Server 2016 seem vulnerable.

So add $MFT to this list:

The following device names have been known to render a system unstable: CON,
NUL, AUX, PRN, CLOCK$, COMx, LPT1, and CONFIG$.

Oh BTW: history repeated itself this year too. With NUL

In short, Steven Sheldon created a rust package named nul which broke the complete package manager on Windows:

BTW: one of my gripes on learning new languages is that they come with a whole new idiom of their ecosystem: rust, cargo, crates, all sound like being a truck mechanic to me.

–jeroen


Force DigiD to use SMS when logging in

Posted by jpluimers on 2017/05/26

Without SMS it is fairly easy to use someone else’s DigiD.

With SMS that is a lot harder.

Forcing SMS at login can be done via https://mijn.digid.nl/inloggen_voorkeur

You must FIRST log in at https://mijn.digid.nl/, and then go to https://mijn.digid.nl/inloggen_voorkeur (DigiD is not smart enough to go back there after you log in).

Choose this option there:

  • Midden, I want to log in with an extra check via SMS, even when Basis is required

Via: [WayBack] 90 procent van DigiD-gebruikers gebruikt dienst zonder sms-authenticatie -update – IT Pro – Nieuws – Tweakers

–jeroen


~650-thousand accounts exposed because of md5 hashing: Font sharing site DaFont has been hacked, exposing thousands of accounts | ZDNet

Posted by jpluimers on 2017/05/19

Over 98 percent of the passwords were cracked, thanks to the site’s poor password security.

No, this isn’t just the hacked font

Source: [WayBack] Font sharing site DaFont has been hacked, exposing thousands of accounts | ZDNet

via: [Archive.is] Font Sharing Site DaFont Has Been Hacked, Exposing Thousands of Accounts – Slashdot

–jeroen


Building `libssh2` for Windows (Win32/Win64) is a lot harder than I hoped for

Posted by jpluimers on 2017/05/09

Building libssh2 for Windows (Win32/Win64) is a lot harder than I hoped for.

There were no instructions on their website, there was the occasional “use CMake” at #IRC and that was about it.

Of course running just CMake doesn’t work and getting it working involves a lot of non-descriptive error messages, cursing and fruitless searches for them just bumping into “me too” threads not really providing the solution.

I tried building OpenSSL but after building, no `lib` directory appears so I cannot satisfy the dependencies. Not sure what OpenSSL would bring as I could not find any documentation about it either, so I’ll leave it at that.

Might be that `make test` for OpenSSL doesn’t succeed because of some vague non-explained error, which is odd when doing this on an almost pristine VS 2015 Community Edition VM.

But I’ll take that up with the OpenSSL people one day.

Oh the joy of Open Source…

Below are the steps (below the –more– mark a gist with the most recent version).

The core are these:

  • you need git, Visual Studio and CMake
  • use CMake to generate project files, msbuild to build (CBuild cannot build any more)
  • After a Win64 build you have to reset the platform to create a Win32 build

These links helped a lot, some in the positive, others in the negative sense:

  1. Install Visual Studio 2015 community edition from https://www.visualstudio.com/en-us/downloads/download-visual-studio-vs.aspx (as of writing: http://download.microsoft.com/download/D/2/3/D23F4D0F-BA2D-4600-8725-6CCECEA05196/vs_community_ENU.exe or http://download.microsoft.com/download/b/e/d/bedddfc4-55f4-4748-90a8-ffe38a40e89f/vs2015.3.com_enu.iso )
  2. Download CMake via https://cmake.org/download/ back then https://cmake.org/files/v3.6/cmake-3.6.2-win64-x64.msi
  3. Install and ensure to add CMake to the PATH for all users:

https://www.dropbox.com/s/ss5xke97iy4yyka/Screenshot%202016-09-13%2009.36.54.png?raw=1

  4. Run this script on a new command-line:
    git clone https://github.com/libssh2/libssh2.git
    pushd libssh2
    mkdir buildWin64
    pushd buildWin64
    :: Generate build for MSVS 2015
    cmake .. -G"Visual Studio 14 Win64" -D"BUILD_SHARED_LIBS=1"
    
    :: this fails bitching about v100 not being there:
    :: cmake --build . --config "Visual Studio 14 Win64"
    :: this just works:
    set Platform=
    call "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\amd64\vcvars64.bat"
    call msbuild libssh2.sln
    dumpbin /headers example\Debug\libssh2.dll | find "machine"
    popd
    mkdir buildWin32
    pushd buildWin32
    :: Generate build for MSVS 2015
    cmake .. -G"Visual Studio 14" -D"BUILD_SHARED_LIBS=1"
    
    set Platform=
    call "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\vcvars32.bat"
    call msbuild libssh2.sln
    dumpbin /headers example\Debug\libssh2.dll | find "machine"
    popd
    popd

Source: Building libssh2 for Windows (Win32/Win64) is a lot harder than I hoped for

–jeroen


Troy Hunt: Reckon you’ve seen some stupid security things? Here, hold my beer…

Posted by jpluimers on 2017/04/29

I’d laugh if it wasn’t so embarrassing: [Archive.is] Troy Hunt: Reckon you’ve seen some stupid security things? Here, hold my beer….

It reminds me of a Dutch agency with > 1 million low income people paying for a service to be on a notification list for rental houses becoming available that was within their legal rental limits.

If you were not on the list, you’d never gain enough points to get a rental home at all.

If you were on the list, then they’d send your credentials in plain text requiring very limited information.

Your credentials then would reveal name, date of birth, social security number, full address, bank account and some other personal information.

They never notified me if the security complaint I filed was ever addressed.

–jeroen

via:

[WayBack] Ready for some security nightmares? – This is why I Code – Google+
