Friday, July 13, 2012

Drupal 7 + IIS + MSSQL + Windows Authentication

Installing Drupal 7 on Microsoft Windows 2008 with IIS 7 and MSSQL 2008 is not very easy.  It is even more difficult to set it up using Windows integrated authentication and URL rewrite (for Clean URL's).  I recently suffered through this process and documented it to spare others the same fate.

Key features of this setup:

  1. Windows integrated authentication used for Drupal MSSQL database connectivity and serving Drupal web content.
  2. URL rewrite rules to enable Clean URLs in Drupal.
  3. Special patch to enable MSSQL integrated Windows authentication during Drupal installation wizard.
If you have a choice, stick with Drupal on a LAMP stack.

HTH,
VVK

Tuesday, May 8, 2012

Minimal CentOS 6.2 Install

Similar to my past attempt to come up with a minimal CentOS 4.x install, I attempted to remove as many unnecessary RPM's as possible from a CentOS 6.2 install.  The result is a 183 package install.  You can find the list of minimal CentOS 6.2 RPM's here.

Cheers,
VVK

Wednesday, February 1, 2012

Tenable SC4 Asset Groups From AD

Note (5/8/12): With the latest release of Tenable Security Center 4.4.x, you can create asset groups using DNS names.

If you are a Tenable Security Center 4 user, you might have noticed that unlike Qualys, you can only use IP addresses in SC4 asset groups**.  In normal production environments, IPs are static and this restriction does not pose a huge challenge.  However, in my case we are using SC4 to scan a large end-user desktop environment which is using AD Dynamic DHCP.  Due to this, I find myself having to update the asset groups before a scan and it can be tedious.

To make things easier, I decided to write a quick 'n' dirty shell script to get the computer names from AD and do a reverse lookup.

#!/bin/bash
# Needs bash (arrays and the C-style for loop), ldapsearch (openldap-clients) and dig (bind-utils).
LDAPURI="ldap://corp.ldap.server"
USER="user@domain.com"
echo "LDAP Password:"
read -s PASS
DEPT=([1]="Dept 1" [2]="Dept 2" [3]="Dept 3")

for ((i=1; i<=${#DEPT[@]}; i++ ));
do
        # List computer objects one level below the department's Computers OU, keep only the
        # "name" attribute, lower-case it, append the DNS suffix and resolve each FQDN with dig.
        CMD="/usr/bin/ldapsearch -x -v -LLL -E pr=200/noprompt -H $LDAPURI -D \"$USER\" -w \"$PASS\" -b \"OU=${DEPT[$i]} Computers,OU=${DEPT[$i]},OU=Corporate,DC=domain,DC=com\" -s one \"(objectClass=computer)\" name | grep '^name:' | awk '{print \$2}' | tr '[:upper:]' '[:lower:]' | sed 's/$/.domain.com/' | dig +short -f -"

        # Echo the command with the password masked so it does not land in the terminal scrollback.
        echo "Run ${CMD//$PASS/********}:"
        # Quote the file name: department names contain spaces.
        eval "$CMD" > "${DEPT[$i]}_IPs.txt"
done


The resulting output should be one file per department containing IP's of all the names which resolved.

Note: I am doing a simple LDAP bind (-x) and the password (-w) is sent clear-text.

** I have been told by my Tenable sales rep that in late Feb 2012 they *might* include the ability to add hosts using DNS name.

Thanks,
VVK

Monday, October 31, 2011

Apache Output Rewrite/Filter

When performing a migration or code upgrade on a public-facing website, it is common practice to test the changes in a development environment.  Occasionally, for various reasons, you are forced to reference the development instance of the site using the public domain name.

For example, if the public-facing site in question is www.example.com and you want to set up a development instance in your lab, but still want to reference the site using the public DNS record, you have essentially two options: (1) modify your DNS resolver, or (2) modify your hosts file.

The DNS option requires more effort, but it is the better option if you have multiple developers all using the same DNS server.

The hosts file trick is often used when you do not have a split-horizon DNS option or do not control your DNS server.  It is the easiest and most commonly used trick for such needs, but it comes with a bit of risk: a developer may forget to add the entry to his/her hosts file and accidentally make changes to the production instance.  One simple way to address such accidents is to modify the development site's header image or something similar.  However, in applications which make extensive use of caching, this trick sometimes fails or leads to confusion.

Recently, I found myself on one such project (Drupal CMS) where we required not just a development instance, but also a QA instance.  To make matters worse, the developers needed to jump between the production, development and QA instances multiple times a day.  I wanted to find a way to modify the web content to reflect the environment (dev or QA) without modifying the application PHP code.  Drupal has 3rd party extensions which can address this need, but I wanted a solution which was independent of the application (Drupal) and the server-side scripting technology (PHP).  I needed to make the modification at the Apache level.

After doing some research, I quickly discovered Apache mod_ext_filter, a standard Apache module.  mod_ext_filter met all my criteria:

  1. Web application independent
  2. Server-side scripting technology independent
  3. Flexible and simple
  4. No 3rd party Apache modules or modifications to existing modules
  5. Performance should be acceptable
If you know of a better way than the one proposed below to accomplish these goals, please post a comment.

mod_ext_filter presents a simple and familiar programming model for filters. With this module, a program which reads from stdin and writes to stdout (i.e., a Unix-style filter command) can be a filter for Apache. This filtering mechanism is much slower than using a filter which is specially written for the Apache API and runs inside of the Apache server process, but it does have the following benefits:
  • the programming model is much simpler
  • any programming/scripting language can be used, provided that it allows the program to read from standard input and write to standard output
  • existing programs can be used unmodified as Apache filters


To use mod_ext_filter, enable it in your httpd.conf file by adding the following line:
LoadModule ext_filter_module modules/mod_ext_filter.so
My goal was to inject a line of text into the header and footer of each page to identify the environment (dev or QA).

Using the ext_filter module, a custom output filter can be as simple as a call to 'sed' in the module configuration file (see the "Using sed to replace text in the response" example in the module documentation).  The problem with this approach is that you need to restart Apache every time you make a change to your filter, which gets annoying very quickly.
A better approach is to call an external script, which can be written in any language of choice.  In addition to not requiring an Apache restart, this approach has the advantage of easier troubleshooting: the script can be run and tested on its own.

Here is my /etc/httpd/conf.d/ext_filter.conf calling an external filter.sh script:
ExtFilterDefine banner mode=output intype=text/html \
cmd="/bin/sh /var/www/filter.sh"

<Location />
        SetOutputFilter banner
</Location>

In my filter.sh, I decided to perform a simple find/replace on the <body> and </body> tags.  To avoid any font and background color conflicts, I decided to use uncommon colors for the top and bottom banners.  Here is my filter.sh:

#!/bin/sh
# Insert the banner after the body opening tag and before the body closing tag.
# The first sed adds the header, the second adds the footer and re-inserts the </body> tag it matched (\1).
/bin/sed -r 's/(<body.*>$)/\1\<div align=center\>\<font size=4 color=#00FFFF\>Development Instance\<\/font\>\<\/div\>/1MI' | /bin/sed -r 's/\s*(<\/body.*>)/<div align=center\>\<font size=4 color=#00FF00\>Development Instance\<\/font\>\<\/div\>\1/1MI'


Notice there are two sed find/replace operations: the first adds the header and the second adds the footer.  Here is a brief explanation of the script above:
-r: Use extended regular expressions

(<body.*>$)/\1: match the opening body tag through the end of the line, and re-insert the match with \1.

\<div align=center\>\<font size=4 color=#00FFFF\>Development Instance\<\/font\>\<\/div\> : Fancy font work, with '\' for escaping special characters.

1MI: replace only the first match on each line, multi-line mode, and case insensitive


Escaping special characters makes the above script hard to read.  A better choice might be a Python script, especially if you plan to do something more elaborate, since Python can be compiled to byte code.

With the proposed solution, the impact on page load performance is only noticeable on large pages.  Beware, if the script has syntactic or other errors, the result is often a blank web page.  No amount of logging will reveal anything useful, and the only solution is to run the script independently of mod_ext_filter (e.g. cat test.html | sh filter.sh).
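As an added example (not the post's filter.sh), here is the same banner injection as the Python filter the post suggests: it reads the response on stdin, inserts a banner after the first <body> tag and before </body>, and writes the result to stdout.  The python3 interpreter, the script path and the environment-name argument in the ExtFilterDefine line are assumptions.

```python
#!/usr/bin/env python3
"""mod_ext_filter stdin -> stdout filter that marks the environment on every HTML page.
Example code written for this post, not the filter.sh from the original text.
Assumed ext_filter.conf line: cmd="/usr/bin/python3 /var/www/filter.py QA"
"""
import re
import sys

# Opening <body ...> tag (attributes may span several lines) and the closing tag.
BODY_OPEN = re.compile(r'<body\b[^>]*>', re.IGNORECASE)
BODY_CLOSE = re.compile(r'</body\s*>', re.IGNORECASE)

BANNER = '<div align="center"><font size="4" color="{color}">{text}</font></div>'


def inject_banner(html, text, top_color="#00FFFF", bottom_color="#00FF00"):
    """Return html with a banner after the first <body> tag and before the first </body>.
    A page without a body tag is passed through untouched, so the filter never blanks it."""
    m = BODY_OPEN.search(html)
    if m is None:
        return html
    html = html[:m.end()] + BANNER.format(color=top_color, text=text) + html[m.end():]
    m = BODY_CLOSE.search(html)
    if m is not None:
        html = html[:m.start()] + BANNER.format(color=bottom_color, text=text) + html[m.start():]
    return html


def main(argv):
    env = argv[1] if len(argv) > 1 else "Development"
    label = "%s Instance" % env
    # Read the whole response body so a <body> tag split across lines is still found.
    data = sys.stdin.buffer.read()
    try:
        html = data.decode("utf-8")
    except UnicodeDecodeError:
        # Unknown encoding: pass the bytes through unchanged rather than corrupt the page.
        sys.stdout.buffer.write(data)
        return 0
    sys.stdout.buffer.write(inject_banner(html, label).encode("utf-8"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Test it on its own first (cat test.html | python3 filter.py QA), since a traceback inside the filter shows up as a blank page in the browser.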

Hope this helps!
VVK

Tuesday, October 25, 2011

thc-ssl-dos on Backtrack 5

If you are trying to install thc-ssl-dos on BackTrack 5, you might run into the issue of outdated libssl libraries (it requires libssl-dev).

              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler Flags: -O2 -Wall
Preprocessor flags:  -I/usr/local/include -I/opt/openssl-1.0.0e/
      Linker flags: -L./  -L/usr/local/lib -L/opt/openssl-1.0.0e/
         Libraries: -lssl -lcrypto -lnsl
WARNING: OPENSSL LIBRARIES ARE TO OLD! UPDATE THEM!\n
WARNING: OPENSSL LIBRARIES ARE TO OLD! UPDATE THEM!\n
WARNING: OPENSSL LIBRARIES ARE TO OLD! UPDATE THEM!\n

To get around these warnings, you can simply grab the latest copy of OpenSSL, build it, and then point the thc-ssl-dos configure script at the new libraries.

$ tar -xvzf openssl-1.0.0e.tar.gz
$ cd openssl-1.0.0e
$ ./config
$ make
$ sudo mv ../openssl-1.0.0e /opt/
$ cd ../thc-ssl-dos-1.4
$ ./configure --prefix=/opt/thc-ssl-dos --with-includes=/opt/openssl-1.0.0e/include/ --with-libs=/opt/openssl-1.0.0e/
$ make
$ sudo make install

THC-SSL-DOWN has been configured with the following options:

              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler Flags: -O2 -Wall
Preprocessor flags:  -I/usr/local/include -I/opt/openssl-1.0.0e/include/
      Linker flags: -L./  -L/usr/local/lib -L/opt/openssl-1.0.0e/
         Libraries: -lssl -lcrypto -lnsl

       Debug build: No
Configuration complete. Now type: make all install

$ cd /opt/thc-ssl-dos/bin
$ ./thc-ssl-dos
     ______________ ___  _________
     \__    ___/   |   \ \_   ___ \
       |    | /    ~    \/    \  \/
       |    | \    Y    /\     \____
       |____|  \___|_  /  \______  /
                     \/          \/
            http://www.thc.org

          Twitter @hackerschoice

Greetingz: the french underground

./thc-ssl-dos [options]
  -h      help
  -l   Limit parallel connections [default: 400]


Cheers,
VVK



Tuesday, May 24, 2011

Windows XP Firewall All Ports IP Exception

Windows XP is no longer officially supported by Microsoft, but that does not mean it has ceased to exist in the enterprise. With SP2, Microsoft introduced a built-in firewall (and I use that term loosely) which improved security (compared to pre-SP2).

For whatever reason, Microsoft decided to not offer the ability to simply specify a port range. Each specified rule can be related to a service or a port/protocol combination. This might not seem like a major hurdle, until you come across a specific need such as vulnerability scanning.

I recently ran into this issue where I needed to make an exception for a specific vulnerability scanner IP for all port/protocol combinations on a Windows XP machine. Disabling the firewall was not an option because the target network of Windows XP hosts is in a high risk environment and to make matters worse, the users have administrative privileges.

There are two solutions to this problem: you can either run a for-loop and insert your firewall rules one at a time, or you can update the %windir%\Inf\Netfw.inf file.

For-loop Approach

Run the following from a script or the command line:
FOR /L %I IN (1,1,65535) DO netsh firewall add portopening protocol = ALL port = %I name = scanner mode = ENABLE scope = CUSTOM addresses = 10.10.12.101/32
Disclaimer:
The result of this command is 131070 lines of firewall rules, all named 'scanner'.  Also, it will take a long time for this command to run.

Based on my test on a VM (1 x 1.6 GHz, 512 MB), I was able to process 66 rules per minute.  So it will take approximately 16 hours to insert all 131070 rules!  :-O

Netfw.inf Approach 

Windows XP firewall has two modes, domain and standard.  Depending on your use scenario, add a variation of the following lines under the appropriate section:
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List","port number:protocol",0x00000000,"port number:protocol:scope:mode:port’s friendly name"
port number – A port is specified by the combination of a protocol and a port number. The port number must be between 1 and 65535 inclusive.

protocol – A port is specified by the combination of a protocol and a port number. The protocol must be either TCP or UDP. 

scope – Permitted values for scope are defined in the “Defining the Scope for an Entry in the Windows Firewall INF File” section of this article.

mode – An entry can be added to Windows Firewall’s default exceptions lists as either enabled or disabled. The two permitted values for this element are enabled and disabled. If a port’s entry is enabled, the port will be statically opened in Windows Firewall. If a port’s entry is disabled, the port will not be statically opened in Windows Firewall.

port’s friendly name – This is the description that will be used to represent the entry in the Windows Firewall Control Panel applet. It should provide an indication of why the port is statically opened, such as "Web Server (TCP 80)" or "Telnet Server (TCP 23)".
 
Here is a simple python script to help you generate your firewall rules.  Rules are written to 'fw.txt'.  Copy the lines and paste them under the appropriate profile in %windir%\Inf\Netfw.inf.
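The generator script referred to above is not reproduced on this page; the following is an added example (not the author's script) that produces GloballyOpenPorts lines in the format shown above for every TCP and UDP port and writes them to fw.txt.  Writing the single-host scope as ADDRESS/255.255.255.255 (the registry form of the /32 used in the netsh command above), the DomainProfile default and the 'Enabled' spelling of the mode are assumptions.

```python
#!/usr/bin/env python
"""Generate Netfw.inf GloballyOpenPorts entries that open every TCP and UDP port
to one scanner address.  Example code for this post, not the original script."""

# One INF line per port/protocol, in the layout given in the post.
RULE_FMT = (r'HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters'
            r'\FirewallPolicy\{profile}\GloballyOpenPorts\List",'
            '"{port}:{proto}",0x00000000,"{port}:{proto}:{scope}:{mode}:{name}"')


def host_scope(ip):
    """Scope string for a single host (assumed ADDRESS/255.255.255.255 form)."""
    return "%s/255.255.255.255" % ip


def make_rule(port, proto, scope, profile="DomainProfile", mode="Enabled", name="scanner"):
    """Build one rule line, rejecting values the INF format does not allow."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if proto not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP: %s" % proto)
    if profile not in ("DomainProfile", "StandardProfile"):
        raise ValueError("unknown profile: %s" % profile)
    return RULE_FMT.format(profile=profile, port=port, proto=proto,
                           scope=scope, mode=mode, name=name)


def make_rules(scanner_ip, profile="DomainProfile", ports=range(1, 65536)):
    """All TCP and UDP rules for the scanner: 131070 lines for the full port range."""
    scope = host_scope(scanner_ip)
    return [make_rule(p, proto, scope, profile) for p in ports for proto in ("TCP", "UDP")]


def write_rules(path, scanner_ip, profile="DomainProfile"):
    """Write the rules to path (fw.txt in the post) and return how many were written."""
    rules = make_rules(scanner_ip, profile)
    with open(path, "w") as out:
        out.write("\n".join(rules) + "\n")
    return len(rules)


if __name__ == "__main__":
    # Scanner address is the constructed sample value used in the post's netsh example.
    print("%d rules written to fw.txt" % write_rules("fw.txt", "10.10.12.101"))
```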

To apply the changes, run:
netsh firewall reset
Note: This will take a very long time.

You can verify your rules by running:
netsh firewall show config

Cheers,
VVK

Tuesday, January 11, 2011

Minimal CentOS 4.8 Install

I am never satisfied with Red Hat's version of the "minimal" option during an install.  Their version of minimal install comes with unnecessary (IMHO) packages like bluez-*, various PPP and ISDN packages etc.

It is a pain to manually go through and "trim the fat", but I did.  Here is the list of RPM's required for a bare-bones RHEL/CentOS 4.8 install.  Note, to avoid breaking package dependencies, I did not use --nodeps.  There are a few packages which could still be removed (mdadm, dmraid, logrotate etc.) but I find them useful, so I decided to keep them.

# rpm -qa | sort | uniq | wc -l
156


You can download the list of minimal RPM's from here.  If I find time, I'll also post the list of minimal RPM's for RHEL/CentOS 5.5.

HTH,
VVK