This is where I post snippets of information about Information Technology. It is mostly for my own reference but I hope that others will find it useful and comments are welcome.
Friday, November 26, 2010
Using DNS to play chess?
Using DNS to play chess? Or any games really. You can think of any game as a tree data structure. Each move is a branch of the tree. All the possible moves could be stored in DNS.
Sunday, November 21, 2010
Getting E3000 Storage mount on ubuntu
I connected a 2TB Western Digital MyBook to my E3000 linksys router.
I did have an ext3 filesystem on the MyBook but the E3000 only supports the FAT filesystem (lame linksys)
so I had to reformat the disk using the router configuration web UI.
Once I did that I tested the connection to the drive from my Windows XP system. For some reason I could not connect to the drive as admin so I again used the router's web UI to add a user and set the password for this new user. Again add another lamo point to the linksys's lame score.
Now I want to get the drive mounted on my ubuntu server so I will attempt to follow the instructions from here:
https://help.ubuntu.com/community/MountWindowsSharesPermanently
- sudo apt-get install smbfs
- I skipped the nit about unmount order
- I already have a group, 'cricket' (gid 305), that I want to have access to the drive
- Create the .smbcredentials file like so (harddrive is the user I created with the E3000's web UI) ...
red@ubuntu:~$ cd
red@ubuntu:~$ cat > .smbcredentials <<EOT
> username=harddrive
> password=12345678
> EOT
red@ubuntu:~$ sudo chown root .smbcredentials
red@ubuntu:~$ sudo chmod 600 .smbcredentials
- edit fstab like so ...
red@ubuntu:~$ cd /etc
And Wall-ah ...
red@ubuntu:/etc$ sudo cp fstab fstab.no_share
red@ubuntu:/etc$ sudo vim fstab
red@ubuntu:/etc$ diff fstab fstab.no_share
28d27
< //192.168.1.1/public /mnt/nfs smbfs credentials=/home/red/.smbcredentials,uid=1000,gid=305 0 0
red@ubuntu:/etc$ sudo mount -a
red@ubuntu:/etc$ df
Filesystem 1K-blocks Used Available Use% Mounted on
...
//192.168.1.1/public 1952344512 96 1952344416 1% /mnt/nfs
And it turns out that since E3000 only supports FAT FS I cannot backup files from my ubuntu server with rsync MAJOR SAD FACE AND LAME ON LINKSYS!!! The harddrive connected to my router is COMPLETELY USELESS TO ME!!!
Thursday, November 18, 2010
Verify Child KSK and DS hash
On Sat, 13 Nov 2010, Osterweil, Eric wrote:
> Hey everyone,
>
> Sorry to be Johnny-come-lately to this thread, but for anyone [else] who is trying to get DS records for
> dnskeys, the dnskey-grab utility in Vantages can also do that (as of version 0.8.8b) w/ a "-d" flag. For
> example:
Okay, and after a weekend of experimentation, I've got your original
request, using openssl. I think it's important to be able to do this with
standard command line tools, and I think it's critical for adoption for
people to be able to peek under the hood. I might find it fun to make a
web-version of this that jumps through this, step by step, as a learning
and teaching aid.
Anyway,
The thing you're sha'ing is going to be a concatenation of:
1) the wire-format of the owner name + flags, proto and algo in hex + a
binary dump of the rdata of the DNSKEY record.
1a) The wire-format of a name is: each label, preceded with a binary
length identifier, terminated by 0x00 (additional parsing is required for
non-printing characters, not covered here.)
printf "\03isc\03org\00" > /tmp/some.file
2) while I could parse the DNSKEY to extract "257 3 5", I know that it
translates in hex to 0x01, 0x01, 0x03, 0x05 (writing additional parsing
code is left as an exercise for the reader.)
printf "\01\01\03\05" >> /tmp/some.file
3) I used the following snippet of shell to extract the RDATA and
translate it to binary:
dig isc.org DNSKEY | grep 257 | cut -f 6 | sed s/257\ 3\ 5\ //g | sed s/\ //g | openssl enc -d -base64 -A >> /tmp/some.file
Note that some fields in the output of dig are tab-separated, some are
space separated. I'm using BSD, your "cut" utility may differ. Note also
that for just verifying this in a manual fashion, I could do it with
cut-and-paste of the rdata.
4) We put it all together, and hash the file we created.
%cat /tmp/some.file | openssl sha1 | awk '{print toupper($1)}'
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
(without the awk bit it's still totally possible to verify visually)
And compare it with:
%dig +short isc.org DS
12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
If you have a recent openssl, you can also do sha256 to verify the other:
%cat /tmp/some.file | openssl dgst -sha256 | awk '{print toupper($1)}'
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586DE18DA6B5
To actually look at the file, you might want a tool like "hexdump" or
"xxd", which will nicely print out the hex format. (xxd will also show
the printables), but you can clearly see the bits we've put into it.
Hope this helps, it's been great fun to figure out.
-Dan
Wednesday, November 17, 2010
rndc addzone in bind 9.7*
This is mentioned in this blog ...
http://blog.fupps.com/2010/10/04/dynamically-add-zones-to-bind-with-rndc-addzone/
... I wanted to leave a comment but that feature appears to be broken. So I will comment here:
I think the rndc addzone feature would be nice, but it would be extra nice if there were a named.conf.jnl that got created, and if one wanted the change to be permanent one could "flush or sync" the named.conf.jnl file into named.conf, say maybe "rndc named.conf sync" or something like that.
Sunday, November 14, 2010
Verifying Child Zone KSK with command line tools ...
red@cricket:~$ dig +dnssec DNSKEY isc.org. | grep 257 | cut -f1,4- | \
sed -e's/\t/ /g' > Kisc.org.005.12892.key
red@cricket:~$ /usr/local/sbin/dnssec-dsfromkey Kisc.org.005.12892.key
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
red@cricket:~$ dig +short isc.org DS
12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
http://dnssec-deployment.org/pipermail/dnssec-deployment/2010-November/004642.html
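The openssl walk-through in the mail quoted in the November 18 post and the dnssec-dsfromkey check here compute the same thing: a digest over the owner name in wire form followed by the DNSKEY RDATA, tagged with the key tag (12892 for isc.org). The block below is an added example, not code from either post: it does those steps in Python, with the key tag computed per RFC 4034 Appendix B, and compares the result against a `dig +short ... DS` line the way a practitioner would when checking a child's KSK against the parent's DS. The DNSKEY material used to exercise it is constructed, not isc.org's real key.

```python
import base64
import hashlib
import re
import struct


def name_to_wire(owner: str) -> bytes:
    """Step 1a: canonical wire form of the owner name, i.e. each label
    lowercased and prefixed with its length, terminated by a zero byte.
    Escaped/non-printing characters are not handled (as in the mail)."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Steps 2 and 3: flags as 16 bits (257 -> 0x0101), protocol, algorithm,
    then the base64 public key decoded to raw bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (12892 for isc.org above)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i % 2 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digests(owner: str, rdata: bytes) -> dict:
    """Step 4: digest of wire-name || RDATA. Digest type 1 is SHA-1, 2 is SHA-256."""
    data = name_to_wire(owner) + rdata
    return {1: hashlib.sha1(data).hexdigest().upper(),
            2: hashlib.sha256(data).hexdigest().upper()}


def ds_matches(dig_short_line: str, tag: int, digest_type: int, digest_hex: str) -> bool:
    """Compare a computed digest with one line of `dig +short <zone> DS`.
    dig may print the digest split by spaces (see the '5 2' record above), so
    whitespace is removed and the comparison is case-insensitive."""
    m = re.match(r"(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f ]+)$", dig_short_line.strip())
    if not m:
        return False
    got_tag, _alg, got_type, got_digest = m.groups()
    return (int(got_tag), int(got_type), got_digest.replace(" ", "").upper()) == \
        (tag, digest_type, digest_hex.upper())
```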
Monday, November 08, 2010
CISSP Certification
Cisco offers CISSP Certification
http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional
Checking for source-port randomization to prevent Kaminsky cache poisoning vulnerability
Do digs like this ...
dig @example.com +short porttest.dns-oarc.net TXT
"127.0.0.1 is GREAT: 26 queries in 2.6 seconds from 26 ports with std dev 19493"
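Added example, not from this blog: the porttest reply above (and the one in the "DNS port Randomness Test" post further down) summarises how many distinct source ports a resolver used and how spread out they were, which is what defeats the Kaminsky attack. The block parses that TXT reply and computes the same kind of statistic from a packet capture of your own resolver's outgoing queries, so you can check a resolver that cannot reach dns-oarc.net. The tcpdump lines are constructed sample data showing a resolver that reuses one port.

```python
import re
import statistics

PORTTEST_RE = re.compile(
    r'^"?(?P<addr>\S+) is (?P<rating>[A-Z]+): (?P<queries>\d+) queries in '
    r'(?P<seconds>[\d.]+) seconds from (?P<ports>\d+) ports with std dev '
    r'(?P<stddev>\d+)"?$'
)
# One `tcpdump -n` line per outgoing query: "... IP <src>.<sport> > <dst>.53: ..."
TCPDUMP_RE = re.compile(r" IP (?P<src>\S+)\.(?P<sport>\d+) > \S+\.53: ")


def parse_porttest(txt: str) -> dict:
    """Fields of the TXT answer porttest.dns-oarc.net returns."""
    m = PORTTEST_RE.match(txt.strip())
    if not m:
        raise ValueError("not a porttest reply: %r" % txt)
    d = m.groupdict()
    return {"addr": d["addr"], "rating": d["rating"], "queries": int(d["queries"]),
            "seconds": float(d["seconds"]), "ports": int(d["ports"]),
            "stddev": int(d["stddev"])}


def ports_from_tcpdump(lines) -> list:
    """Source ports of the queries a resolver sent to port 53."""
    return [int(m.group("sport")) for m in map(TCPDUMP_RE.search, lines) if m]


def analyze_ports(ports) -> dict:
    """Distinct-port count and population std dev, the numbers porttest reports.
    A resolver stuck on one port (Kaminsky-vulnerable) shows 1 port, std dev 0."""
    return {"queries": len(ports), "ports": len(set(ports)),
            "stddev": statistics.pstdev(ports) if len(ports) > 1 else 0.0}


# Constructed sample capture (not real traffic): every query leaves from port 34512.
SAMPLE_CAPTURE = [
    "12:00:00.000001 IP 192.0.2.10.34512 > 198.41.0.4.53: 1234+ A? example.com. (29)",
    "12:00:00.000105 IP 192.0.2.10.34512 > 198.41.0.4.53: 1235+ A? example.net. (29)",
    "12:00:00.000209 IP 192.0.2.10.34512 > 198.41.0.4.53: 1236+ A? example.org. (29)",
]
```

Run tcpdump on the resolver host for outbound port-53 traffic over a few dozen queries and feed the lines to ports_from_tcpdump; a healthy resolver shows nearly as many ports as queries with a std dev in the tens of thousands, like the GREAT reply above.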
Saturday, November 06, 2010
more chaos net digs (authors.bind)
[red@localhost spool]$ dig +dnssec authors.bind txt chaos @sfba.sns-pb.isc.org
; <<>> DiG 9.3.4 <<>> +dnssec authors.bind txt chaos @sfba.sns-pb.isc.org
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55354
;; flags: qr aa rd; QUERY: 1, ANSWER: 12, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;authors.bind. CH TXT
;; ANSWER SECTION:
authors.bind. 0 CH TXT "Danny Mayer"
authors.bind. 0 CH TXT "Damien Neil"
authors.bind. 0 CH TXT "Matt Nelson"
authors.bind. 0 CH TXT "Michael Sawyer"
authors.bind. 0 CH TXT "Brian Wellington"
authors.bind. 0 CH TXT "Mark Andrews"
authors.bind. 0 CH TXT "James Brister"
authors.bind. 0 CH TXT "Ben Cottrell"
authors.bind. 0 CH TXT "Michael Graff"
authors.bind. 0 CH TXT "Andreas Gustafsson"
authors.bind. 0 CH TXT "Bob Halley"
authors.bind. 0 CH TXT "David Lawrence"
;; AUTHORITY SECTION:
authors.bind. 0 CH NS authors.bind.
;; Query time: 64 msec
;; SERVER: 149.20.64.3#53(149.20.64.3)
;; WHEN: Sat Nov 6 19:07:20 2010
;; MSG SIZE rcvd: 366
digging for bind version
[red@localhost ~]$ dig isc.org NS
; <<>> DiG 9.3.4 <<>> isc.org NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20945
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;isc.org. IN NS
;; ANSWER SECTION:
isc.org. 43200 IN NS ord.sns-pb.isc.org.
isc.org. 43200 IN NS ams.sns-pb.isc.org.
isc.org. 43200 IN NS sfba.sns-pb.isc.org.
isc.org. 43200 IN NS ns.isc.afilias-nst.info.
;; ADDITIONAL SECTION:
ams.sns-pb.isc.org. 43120 IN A 199.6.1.30
ord.sns-pb.isc.org. 43061 IN A 199.6.0.30
;; Query time: 24 msec
;; SERVER: 68.87.76.182#53(68.87.76.182)
;; WHEN: Sat Nov 6 19:01:23 2010
;; MSG SIZE rcvd: 156
[red@localhost ~]$ dig version.bind txt chaos @sfba.sns-pb.isc.org
; <<>> DiG 9.3.4 <<>> version.bind txt chaos @sfba.sns-pb.isc.org
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18238
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.6.2"
;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.
;; Query time: 17 msec
;; SERVER: 149.20.64.3#53(149.20.64.3)
;; WHEN: Sat Nov 6 19:01:42 2010
;; MSG SIZE rcvd: 62
Thursday, November 04, 2010
Librivox ROCKS! I just discovered this site.
http://www.librivox.org
You can even get the complete catalog here:
http://wiki.librivox.org/index.php/LibriVoxAPI
DNS port Randomness Test
https://www.dns-oarc.net/oarc/services/dnsentropy
Also check this out:
red@cricket-lnx:~$ dig +short porttest.dns-oarc.net TXT @red-cricket
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"xxx.69.2.xxx is GREAT: 26 queries in 0.2 seconds from 26 ports with std dev 20345"
Wednesday, November 03, 2010