Saturday, October 17, 2009

Ubuntu 9.04 AFP Server



Got a Mac? I do...a new shiny one.

Got a Linux server that you use as a file server on your network? Sick of problems with SAMBA (or even like SAMBA in the first place)? So was I, until today when I decided to figure out how to set up Apple Filing Protocol (AFP) and Bonjour under Linux, Ubuntu 9.04 in my case. In the following tutorial, we’re going to install and configure Netatalk and Avahi.

Building Netatalk

Netatalk is the open source implementation of AFP. Mac OS X requires encryption to work properly, and the standard netatalk package doesn’t include this feature, so we are going to build our own netatalk package from source with encryption enabled. To start, we download and install the build dependencies for netatalk, then install the dependencies for encryption support, and finally grab the source for netatalk.

sudo apt-get build-dep netatalk
sudo apt-get install cracklib2-dev fakeroot libssl-dev
sudo apt-get source netatalk

Now that we have source we can move into the netatalk directory and start building the package with encryption enabled:

cd netatalk-2*
sudo DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -rfakeroot

This will take a few minutes… Go grab yourself a tasty beverage.

Once completed, hopefully without errors (the ones about being unable to sign the package are OK) you should have a netatalk-2..something.deb package in your home directory. To install it, issue the following command.

sudo dpkg -i ~/netatalk_2*.deb

Configure Netatalk

The first thing we are going to do is disable some services provided by netatalk which are not needed for just file sharing. This will speed up the startup and response time of netatalk significantly. In the following examples I’ll be using nano, but feel free to fire up your favorite text editor.

sudo nano /etc/default/netatalk

Locate the following startup options and change them as noted below. If you’re also interested in sharing a Linux connected printer, enable the pap daemon as well.

ATALKD_RUN=no
PAPD_RUN=no
CNID_METAD_RUN=yes
AFPD_RUN=yes
TIMELORD_RUN=no
A2BOOT_RUN=no

The cnid_metad daemon handles all the metadata for us, which would otherwise get lost since your Linux server isn’t formatted as Apple’s HFS+. Go ahead and save and exit this file, and let’s move on to the afpd.conf file.

sudo nano /etc/netatalk/afpd.conf

At the very bottom of the file you should see a line similar to the following line. Replace it with the following, save and exit.

- -transall -uamlist uams_randnum.so,uams_dhx.so -nosavepassword -advertise_ssh
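
The -uamlist option decides which login methods afpd offers, so it is worth checking after any edit. The following is an added example, not part of the original post or of netatalk: a small Python check that parses afpd.conf text and flags the cleartext and guest UAMs, a list with no DHX module, and a missing -nosavepassword. The function name and the sample configurations are assumptions made for illustration.

```python
import shlex

# UAMs that weaken authentication (module names as shipped with netatalk 2.x).
WEAK_UAMS = {
    "uams_clrtxt.so": "password is sent over the network in cleartext",
    "uams_guest.so": "guest login is allowed without a password",
}

# Constructed sample input: the tutorial's line, then a weak line for contrast.
TUTORIAL_CONF = """# afpd.conf
- -transall -uamlist uams_randnum.so,uams_dhx.so -nosavepassword -advertise_ssh
"""
WEAK_CONF = "- -transall -uamlist uams_guest.so,uams_clrtxt.so\n"


def audit_afpd_conf(text):
    """Return (line_number, finding) tuples for every active server line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        # First token is the server name ("-" means use the hostname).
        opts = shlex.split(line)[1:]
        uams = []
        if "-uamlist" in opts:
            idx = opts.index("-uamlist")
            if idx + 1 < len(opts):
                uams = opts[idx + 1].split(",")
        if not uams:
            findings.append((lineno, "no -uamlist: afpd uses its built-in default"))
        for uam in uams:
            if uam in WEAK_UAMS:
                findings.append((lineno, f"{uam}: {WEAK_UAMS[uam]}"))
        if uams and not any(u.startswith("uams_dhx") for u in uams):
            findings.append((lineno, "no DHX UAM in the list"))
        if "-nosavepassword" not in opts:
            findings.append((lineno, "-nosavepassword missing"))
    return findings


if __name__ == "__main__":
    for label, conf in (("tutorial", TUTORIAL_CONF), ("weak", WEAK_CONF)):
        print(label, audit_afpd_conf(conf) or "no findings")
```

To check a live server, pass the contents of /etc/netatalk/afpd.conf to audit_afpd_conf().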

Configuring shared volumes

The next step is telling afpd what volumes we want to share. This is configured in the /etc/netatalk/AppleVolumes.default file.

Scroll to the bottom of the document and define your shared volumes. There should already be a line starting with ~/ allowing the sharing of home directories via AFP.

~/ "$u" cnidscheme:cdb

You can set up as many shared volumes as you wish. You can even define which users are allowed to access each share. You do this using the allow option. On my server, I have the following setup for my work folder.

/server/work work allow:igs-awilliams,igs-lwhite

Once you’re done setting up your shared volumes, restart netatalk using the init.d script.

sudo /etc/init.d/netatalk restart

Even though we now have a fully configured AFP server, it will not show up in the Finder sidebar on OS X (it is, however, reachable via ‘Go -> Connect to Server’ in Finder). OS X uses a service called Bonjour for automagic discovery, which displays the server in your sidebar. Linux can emulate this functionality with an open source implementation of Bonjour called Avahi.

Installing Avahi

Avahi is the daemon that will advertise all defined services across your network just like Bonjour does. We are going to install the avahi daemon and the mDNS library used for imitating the Bonjour service. When fully configured this will allow machines running OS X in your network to discover your Linux server automatically.

sudo apt-get install avahi-daemon
sudo apt-get install libnss-mdns

Our configuration starts with the /etc/nsswitch.conf file. Simply add “mdns” to the end of the line that starts with “hosts:” – when completed it should look something like this.

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 mdns

Now we have to tell Avahi which services it should advertise across the network; in our case we just want to advertise AFP volumes. This is done by creating an XML file for each service in the /etc/avahi/services/ directory. Create the file /etc/avahi/services/afpd.service and insert the following XML code.




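<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=Xserve</txt-record>
</service>
</service-group>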

The only thing left to do is restart Avahi.

sudo /etc/init.d/avahi-daemon restart

That's it, you have configured the Avahi daemon to advertise AFP sharing across your network which should cause any computer running OS X to automagically discover it. Within a few moments it should show up in your Finder’s sidebar. You should be able to connect using the username and password from your Linux server. Once connected you should see the Volumes we defined in the AppleVolumes.default file.

May Your Skill Prevail!


Friday, October 16, 2009

VMWare Server 2.x Remote Console Add-on using OS X

Well...it turns out that in Firefox (my browser of choice across platforms) this particular plugin will not function correctly on my shiny new Macbook Pro. Word on the street is that VMWare is working on a native OS X client. That's all well and good but doesn't allow me to get work done right now (I could use Windows or Linux but I love my shiny new Macbook Pro so). The prescribed workaround is the following piece of SSH magic:

ssh -X -f -q user@REMOTEIP /home/user/.mozilla/firefox/xxxxxxxx.default/extensions/VMwareVMRC@vmware.com/plugins/vmware-vmrc -h REMOTEIP:PORT

Where user is the user account in question on the remote Linux VMWare server, REMOTEIP is the IP address of the remote Linux VMWare server, xxxxxxxx is the mozilla profile name and PORT is the remote port the VMWare service is running on (8333 by default).

Prerequisites:

X11 is running on your OS X platform
The VMWare server Remote Console Add-on is installed on your remote VMWare Linux server

Is it pretty...hell no.
Does it work...yep.
Will I write a shell script to make my life easier...stay tuned and find out!

May Your Skill Prevail

Sunday, May 4, 2008

Back on Track

We have been very busy as of late. Security Assessments, ISSA Regional Conference (Great presentation by Russ McRee by the way!), writing various articles for Hackin9, 2 submissions for Black Hat USA 2008 and DefCon 16 and general business administration. If all goes well I should have my itinerary for The Last HOPE in NYC July 18th - 20th (Thanks MAF!).

If anyone is planning on attending The Last HOPE, Black Hat USA 2008 and/or DefCon 16 please contact me if you are interested in meeting up, having a drink, talking tech/business, etc.

Wednesday, February 27, 2008

Blackhat 2 Day Recap [Bettalatethaneva]

It was another cold, long drive into Washington DC from Aberdeen, MD. The hour and a half commute was definitely wearing on us. We had to leave Joe's house by 6:15am to get to the 8am registration on time. Something had to give...it was as if Law could read my mind. He looked at me, "Hey Ant, we have to have a Starbucks coffee on the way in today." "You're right", I mused. He punched STARBUCKS into the Garmin GPS in Joe's car without waiting for affirmation from me. "Eight miles" the cold electronic voice said. "DAMN" was the response in unison. We went ahead and hit the nearest highway on our way to DC and lo and behold...a sign for Starbucks at the next truck stop 1.5 miles up the highway. It had to be done, bless Joe's heart but he had violated our Seattle coffee sensibilities when we asked him to stop for coffee earlier in the week and he stopped at Burger King. Yes my dear readers, Burger King. Being a Seattle native born and bred I can only do that once a lifetime.

After walking out of Starbucks cup in hand, there was a look in each man's eye, a pep in his step, for lack of better terms we had ENERGY! On to the Blackhat Tales.

Day One

We registered, claimed our badges and bags and immediately went schwag hunt...er I mean talked to some of the vendors including Paraben, SAINT and Sunbelt Software. We missed most of the introduction and most of the keynote address. We also bumped into Chris Gates from LSO and Brian Wilson and hung out with them most of the day including lunch.

We attended the following talks:

Cracking GSM

RFIDI0ts!!!--Practical RFID Hacking

Bad Sushi: Beating Phishers at their Own Game

Oracle Hacking

Scanning Applications 2.0

We grabbed a quick bite to eat and chatted with Steve Adegbite of Microsoft (always a pleasure!) before we had to leave to do the 1.5 hour commute (sigh)

Day Two

We slept in till noon and decided that a 1.5 hour commute both ways just wasn't going to happen. Instead we packed our suitcases and jumpbags, went bar hopping, shopped at WalMart, and had dinner at a Chinese Buffet. (not necessarily in that order)


All in all it was pretty cool, the talks were a step up from Shmoocon overall and the atmosphere is nice (they also have Starbucks drip coffee going for them). It's much smaller than BH USA Las Vegas which was a great time last year. I think that next year I might just do Shmoo and then Defcon/BH Vegas in the summer.

Tuesday, February 26, 2008

802.11 Attacks


I regret that I was unable to see Joshua Wright and Brad Antoniewicz talk on PEAP: Pwned Extensible Authentication Protocol at Shmoocon 4. Josh was kind enough to put up slides of the talk on willhackforsushi.com. Brad also made slides available that are complementary to the ones from the presentation.

In conjunction this is a very informative compilation of slides that should interest anyone interested in 802.11 security and I would like to thank the both of them for making these resources available!

UPDATE: A related article can be found here.

Your Client Side Security Sucks [really, it does]

I returned to Seattle from Shmoocon/BH DC last Friday and have been experiencing a serious case of jet lag. To get through the fatigue I have been spending time getting caught up on the 266 RSS feeds that I follow via Google Reader and came across the following OWASP presentation by Kurt Grutzmacher.

This is an excellent read that I would suggest to anyone trying to understand why client side security is so vulnerable and error prone on the development side of things.


Data Breach Notification Laws, State By State

I have long been an avid follower of breach notification legislation but usually in regards to the west coast of the USA. While reading my RSS feeds yesterday I came across an interesting resource. The link will take you to a map of the US that shows the breach notification status of each state in the Union via color coding and a nifty popup. Far too useful and interesting to keep to myself.

Enjoy!

Sunday, February 24, 2008

MySQL, SHA1 and me


While hacking around with SQL injection on the LSO (LearnSecurityOnline) labs, the subject of being able to crack a MySQL SHA1 password hash came up and became a topic of interest and a challenge of sorts. I have never come across this one before so I impulsively decided to pick it up and see what I could do with it before I had to get on a plane back to Seattle.


./poc


A quick Google search turned up this tool.

A proof of concept (hence the name) MySQL password hash cracker. Optimized for quad core CPU implementations

Can be downloaded from http://www.sqlhack.com/poc.c

gcc -O3 -o poc poc.c

I ran this for about 12 hours until it determined that the password was beyond 8 characters and therefore out of scope for this particular program.

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM


./mysqlfast


Some initial Googling turned up this tool. I was able to run this one the longest albeit without any success.

http://packetstorm.linuxsecurity.com/Crackers/msqlfast.c

gcc -O2 -fomit-frame-pointer mysqlfast.c -o mysqlfast

I ran this tool for about 15 hours without success. It was checking 9 character passwords when I ended execution of the program.

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM


./unhash


I came across this one looking for MySQL SHA1 crackers on PacketStorm Security. I was only able to run it for a few hours before I had to pack up my laptops in preparation to catch my flight.

http://packetstorm.codar.com.br/Crackers/unhash-0.9.tgz

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM


Cain & Abel


Identified the hash as MySQL v3.23. I attempted to use the built in dictionary running as many permutations as possible without any success. It took about an hour or so to make it through the dictionary file.

Performed on a HP nc6000 Pentium M 1.6 Ghz laptop with 2 GB of RAM


John the Ripper (Joe McCray performed this test)


John is not natively capable of cracking MySQL SHA1 hashes and requires a patch to do so.

[j0e@LinuxLaptop john-1.7.2]$ wget http://openwall.com/john/contrib/john-1.7-all-4.diff.gz

[j0e@LinuxLaptop john-1.7.2]$ gunzip -c john-1.7-all-4.diff.gz | patch -p0

[j0e@LinuxLaptop john-1.7.2]$ cd src/

[j0e@LinuxLaptop src]$ su
Password:

[root@LinuxLaptop src]# make linux-x86-any

John was fed a 7 million entry password dictionary

[j0e@LinuxLaptop run]$ ./john --wordlist=../../../wordlistz/MassiveDictionary.txt mysql_hash.txt
Loaded 1 password hash (Raw SHA1 [raw-sha1])
guesses: 0 time: 0:00:00:03 100% c/s: 862538 trying: zwolle

This was NOT the correct password.

Performed on a Dell D620 Core Duo 2 1.83 laptop with 2GB of RAM


If anyone out there has any suggestions on more efficient ways to go about this I would LOVE to hear about them.


UPDATE: Sandro Gauci of SipVicious.org pointed me to a great resource. Any other feedback and suggestions are welcome!


May Your Skill Prevail.
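
The tools above disagree about the hash type (Cain reports MySQL v3.23, John loads it as Raw SHA1), and the format decides which algorithm a candidate password has to be run through. The following is an added example, not part of the original post: a Python sketch that classifies a stored MySQL hash by its shape and shows that a MySQL 4.1+ hash with its leading '*' removed looks like raw SHA1 but never matches under it. The post does not show the hash, so which case applied there is unknown; the function names are assumptions and the sample password is constructed.

```python
import hashlib
import re


def mysql41_hash(password):
    """MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(password)).
    The inner digest is fed to the outer SHA1 as raw bytes, not as hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def raw_sha1(password):
    """Plain single-round SHA1, the format a raw-sha1 cracker mode tests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def classify(stored):
    """Guess the hash family from its shape alone."""
    s = stored.strip()
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", s):
        return "mysql41"        # 4.1+ double SHA1
    if re.fullmatch(r"[0-9A-Fa-f]{40}", s):
        return "sha1-40hex"     # ambiguous: raw SHA1, or mysql41 minus the '*'
    if re.fullmatch(r"[0-9A-Fa-f]{16}", s):
        return "mysql-pre41"    # 3.23/4.0 format, not SHA1 at all
    return "unknown"


def check_candidate(stored, candidate):
    """Return the scheme under which candidate reproduces stored, else None."""
    kind = classify(stored)
    digest = stored.strip().lstrip("*").lower()
    if kind in ("mysql41", "sha1-40hex"):
        if mysql41_hash(candidate)[1:].lower() == digest:
            return "mysql41"
    if kind == "sha1-40hex" and raw_sha1(candidate) == digest:
        return "raw-sha1"
    return None


if __name__ == "__main__":
    # Constructed sample: a 4.1+ hash of "password" with the '*' stripped.
    stripped = mysql41_hash("password")[1:]
    print(classify(stripped), raw_sha1("password") == stripped.lower())
    print(check_candidate(stripped, "password"))
```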

Tuesday, February 19, 2008

The DC/Maryland Saga Continues


Today we actually made it back in by 2AM after eating dinner at Applebee's while watching the NBA All Star Game and then doing some wardriving of Aberdeen, Maryland (~800 APs). Joe, evil1, Law and myself all stayed up most of the night hacking away and talking.

Around noon we all had to drag ourselves out of bed to get evil1 to the airport to catch a 4:30pm flight. After dropping him off Lawrence and I had to stop at Starbuck's coffee (Burger King coffee is like kryptonite to Seattle denizens) and note that it appears that we had brought the overcast cloudy and rainy weather with us.

Since we were already in the area and had our wardriving gear with us we decided that some good 'ol AP detection was in order. We were able to get a pretty good haul of ~10,000 AP's after about 3 hours then headed north for the long journey home.

Tomorrow we are planning to drive back down to DC and do the BH DC 2008 Briefings early registration. If all goes well we may drive up to Philadelphia and do some wardriving before it gets too late.

Sunday, February 17, 2008

Shmoocon Day Three


After 3 nights of 2-3 hours of sleep and a 1 ½ hour commute both ways everyone was exhausted today. We made the decision to stay at the house and catch up on our rest before we got to a BBQ at Wolf's house. I regret missing the PEAP: Pwned Extensible Authentication Protocol by Josh Wright and Brad Antoniewicz presentation.

As I type this Joe and Lawrence are sitting at the dining room table with laptops with evil1 still in his room sleeping. Overall shmoocon was a blast, the talks were o.k. but the people and side channel conversations we had were excellent.

Will I be going next year? Absolutely!

Shouts out to CG, Kev, Marco and Steve A. I'll catch those who are going to BH Federal at the briefings next week or at DefCon later in the year. If not see you guys on SILC.