Normally they are to expensive for what they do, but the other day I found a HWIC-8A from ebay at a good price. As a result, I now have remote Serial & JTAG access to a bunch of test equipment via my Cisco Router. The following is a quick sample config I tossed together on how to configure it.

If needed the following is the pin-out to the Cisco Octal Cable: http://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/14958-24.html

! Create a AAA authentication policy that will
! not make the user supply local credentials to
! connect to the Async TTY's. 
 
aaa new-model
aaa authentication login TERMSERV none
 
! Create an ACL to control who can connect.
! Warning: Anyone will be able to connect to the
! tty's when transport is configured.
 
ip access-list standard TERMSERV
 remark *** TERMSERV ACCESS ***
 permit 10.0.0.0 0.255.255.255
 permit 172.16.0.0 0.15.255.255
 permit 192.168.0.0 0.0.255.255
 
! Need to change the physical-layer to async
! Interface descriptions correspond to the
! CAB-HD8-ASYNC cable each port will represent.
 
interface Serial0/0/0
 physical-layer async
 description [0-3/0]
!
interface Serial0/0/1
 physical-layer async
 description [0-3/2]
!
interface Serial0/0/2
 physical-layer async
 description [0-3/4]
!
interface Serial0/0/3
 physical-layer async
 description [0-3/6]
!
interface Serial0/0/4
 physical-layer async
 description [4-7/0]
!
interface Serial0/0/5
 physical-layer async
 description [4-7/2]
!
interface Serial0/0/6
 physical-layer async
 description [4-7/4]
!
interface Serial0/0/7
 physical-layer async
 description [4-7/6]
 
! Set transport type and bind ACL/AAA to the Async lines.
 
line 0/0/0 0/0/7
 access-class TERMSERV in vrf-also
 login authentication TERMSERV
 transport input all
 transport output all

I was recently playing around with MacOSX’s built-in dictation tools and had to convert a bunch of WMA files to a format that could be opened using Audacity.

The following one-liner uses a for loop to quickly convert each .WMA in the current working directory to a .MP3 file using avconv. If your using an older package repository avconv could be substituted for ffmpeg.

for FILE in *.WMA;
 do FILE=`echo $FILE | sed 's/.WMA//'`;
  avconv -i $FILE.WMA -acodec libmp3lame -ab 128k $FILE.mp3 ;
done

Remember: File names, including extensions, are case sensitive in Linux/Unix. Only files ending in “.WMA” will be iterated.

15. November 2014 · Comments Off · Categories: Cisco, EEM, Linux Security, Networking

There is nothing new about port knocking to hide remote access to a remote system or network. However its usually implemented as a hack thats done on a single host thats sitting at a remote site. If your running a Cisco router the only method to get port knocking working is to create an EEM applet. I have seen several port knocking EEM applets online, but none of them seem very good and they usually work by swapping out a less secure ACL for a more secure one.

After watching my server logs  get obliterated by some knuckle head trying to brute force their way into it, I decided to get port knocking working on a Cisco router. The following EEM applet uses an extended ACL thats tied to the inbound WAN interface of the router. The ACL has a permit statement that will log a certain packet type; the logs will be updated with a notification that contains the originating IP address. The EEM applet monitors the logs and will be triggered when it sees the ACL. The applet will then pull out the knocking IP address and temporarily add it to the same inbound ACL allowing enough time to establish a connection from the originating machine. After 15 seconds have passed, the script will drop the permit line that was added to the ACL.

!! SAMPLE ACL !!
 
ip access-LIST extended outside-in4
 remark *** KNOCK ***
 permit udp ANY ANY eq 65535 LOG
 remark *** TRUSTED ***
 permit tcp ANY ANY established
 remark *** DENIED ***
 deny   tcp ANY ANY
 remark *** PERMITED ***
 permit ip ANY ANY
 
!! WAN Interface !!
 
interface Cable-Modem0/1/0
 ip access-group outside-in4 in
 
!! KNOCK_ACL env Variable !!
 
event manager environment KNOCK_ACL outside-in4
 
!! Port Knocking EEM applet !!
 
event manager applet KNOCK
 event syslog pattern "%SEC-6-IPACCESSLOGP: list $KNOCK_ACL permitted *"
 action 1.0 regexp "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" $_syslog_msg ADDR
 action 1.1 regexp "\([0-9]+\)," "$_syslog_msg" PORT
 action 1.2 regexp "[0-9]+" "$PORT" PORT 
 action 2.0 syslog msg "Received a knock from $ADDR on port $PORT..."
 action 2.1 syslog msg "Adding $ADDR to the $KNOCK_ACL ACL"
 action 3.0 cli command "enable"
 action 3.1 cli command "configure terminal"
 action 3.2 cli command "ip access-list extended $KNOCK_ACL"
 action 3.3 cli command "1 permit tcp host $ADDR any eq 22"
 action 4.0 WAIT 15
 action 5.0 syslog msg "Removing $ADDR to the $KNOCK_ACL ACL"
 action 6.0 cli command "no permit tcp host $ADDR any eq 22"
 action 6.1 cli command "exit"

The only tricky thing in the above example is creating a good regex expression… Knocking with a UDP/65535 packet and immediately connecting to the routers WAN IP address will allow you to SSH into a server on the other side. The following is me crafting a simple UDP packet using hping3 under Linux.

$ sudo hping3 -2 ROUTERIP -p 65535 -c 1; ssh ROUTERIP

A few caveats:

  • Usually any/any ACL’s are not good, but in my case, this is a home router doing PAT and a DHCP client on the WAN interface.
  • Show active EEM policies: show event manager policy active
  • Show EEM history: show event manager history events
  • Validate the ACL is getting hit: show access-list outside-in4
  • The default EEM watchdog will terminate the applet after 20 seconds. MAXRUN will need to be changed if you want the applet to wait longer then 15 seconds before auto terminating.
  • The ACL can be modified to log packet options such as special ToS, DSCP values in addition to ports.
  • I recommend not using other log statements in the same ACL, doing so will require making a more custom applet.
  • If your trying to log into the router itself via an ACL on a TTY line be mindful of any service-polices you have bound to the control-plane.
18. August 2014 · Comments Off · Categories: Linux Admin, Linux Security

Required Debian/Ubuntu Packages


dmsetup Linux Kernel Device Mapper userspace library
cryptsetup-bin Disk encryption support – command line tools
tcplay Free and simple TrueCrypt Implementation based on dm-crypt

Filesystem Encryption


cryptsetup –cipher aes-xts-plain64 –key-size 512 –verify-passphrase luksFormat /dev/sdb1
* The LUKS-formatting command above has the following options:

–verify-passphrase – ensures the passphrase is entered twice to avoid an incorrect passphrase being used
-c aes -s 256 – uses 256-bit AES encryption
-h sha256 – uses the 256-bit SHA hashing algorithm

Creating a Filesystem


cryptsetup luksOpen /dev/sdb1 16GB
mkfs -t ext3 -m 1 -O dir_index,filetype,sparse_super /dev/mapper/16GB

* The mkfs options above are as follows:

-t ext3 – create an ext3 filesystem
-m 1 – reduce the reserved super-user space down from the default of 5% to 1% of the total size – useful for large filesystems
-O dir_index – speed-up lookups in large directories
-O filetype – store filetype info in directories
-O sparse_super – create fewer superblock backup copies – useful for large filesystems

Mounting a Filesystem


cryptsetup luksOpen /dev/sdb1 16GB
mount /dev/mapper/16GB /mnt
* To mount a truecrypt partition:

tcplay -m 16GB -d /dev/sdc1
dmsetup remove 16GB

Change Passwords on a Filesystem


LUKS supports eight key slots per partition.
To add and remove keys from the slots:

cryptsetup luksAddKey
/and/
cryptsetup luksRemoveKey

Which slots have keys:

cryptsetup luksDump

Headers on a Filesystem


cryptsetup luksHeaderBackup /dev/sdb1 –header-backup-file /tmp/somefile
Replace luksHeaderBackup with luksHeaderRestore to restore the old keys again.

* Note that the header backup should be saved to a secure place (preferably another LUKS partition on a USB stick)

Unmount a Filesystem


Use umount first then,
cryptsetup luksClose 16GB
/or/
dmsetup remove 16GB
/or/
dmsetup remove_all

* dmsetup remove_all will flush all mapped block devices.

Source & Additional Documentation

https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage

http://superuser.com/questions/431820/how-to-change-pass-phrase-of-full-disk-encryption

http://askubuntu.com/questions/95137/how-to-change-luks-passphrase

http://www.linuxcommand.org/man_pages/cryptsetup8.html

There are a lot of programs out there that will locate duplicate files on a filesystem. I however, prefer to use standard system utilities on my home system. So I wrote a quick shell script to identify duplicate files and either create hard links between them or prompt me on which files to delete outright.

Feel free to review, modify or use this script however you see fit. Remember you do so at your own risk!

#!/bin/bash
## Created by: deaves
# Identify duplicate files in current working directory by file hash and take user specified action.
#
## Requires: dialog, findutils
 
# Required script variables.
filehash_dump="/tmp/$USER-$$.hash"
dialog_select="/tmp/$USER-$$.select"
report_file="$HOME/uDupeReport-$$.txt"
 
# FUNCTION: End Script if error.
DIE() {
 echo "ERROR: Validate \"$_\" is installed and working on your system."
 exit 0
}
 
# Validate script requirements are meet.
type -p dialog > /dev/null || DIE
 
# Create the filehash_dump file containing MD5 finger prints.
find ./ -type f -exec md5sum $1 {} \; | tee "$filehash_dump"
 
# Prompt user for next action to take w/6 hour wait before continuing on.
echo
read -t 21600 -p "DELETE or LINK duplicate files?
If NO response create a report: $report_file
Type command in CAPS: " OPT
echo
 
# Begin loop with all file hashes.
awk '{print $1}' "$filehash_dump" | sort | uniq | while read HASH
 do
 COUNT=0
 
 # Read all the files of the hash into an Array.
 eval FILES=( "$(grep ^"$HASH" "$filehash_dump" | sed 's/'"$HASH"'  //g;s/^/"/g;s/$/"/g')" )
 
if [ "$OPT" == "DELETE" ]; then
 
 # If more than a single file exists then take action.
 if [ "${#FILES[@]}" -gt "1" ]; then
 
  # Prompt user on which file to keep and store it in dialog_select.
  dialog --backtitle "$0 - uDupe File Killer" \
    --title "Select the file to keep. All others files will be deleted!" \
    --menu "HASH: $HASH\nTYPE:$(file "${FILES[${COUNT}]}" | awk -F': ' '{$1=""; print}')" \
    17 70 14 \
  $(while [ "$COUNT" -lt "${#FILES[@]}" ]; do
   printf " $COUNT "
   printf "${FILES[${COUNT}]}" | sed 's/ /_/g'
   let COUNT++
  done) 2> "$dialog_select"
 
  # Trap error code from dialog & perform actions.
  if [ "$?" == "0" ]; then
 
   # User selected a file.
   ANS=`cat "$dialog_select"`; rm "$dialog_select"
   unset FILES[${ANS}]
 
   # Perform action against unselected files.
   for file in "${FILES[@]}"; do
    rm "$file"
   done
 
  else
 
   # User choose to cancel.
   rm "$dialog_select"
   rm "$filehash_dump"
   break
 
  fi
 
 fi
 
elif [ "$OPT" == "LINK" ]; then
 
 # hardLink all the duplicate files to save disk space.
 if [ "${#FILES[@]}" -gt "1" ]; then
  echo "Creating hardlink: $HASH"
  echo " > ${FILES[0]}"
  ORIG="${FILES[0]}"; unset FILES[0]
  for file in "${FILES[@]}"; do
   echo " > $file"
   rm "$file"
   ln "$ORIG" "$file"
  done
 fi
 
else
 
 # Just Report all the duplicate files.
 [ ! -f "$report_file" ] && { printf "uDupe Report: $(pwd)\n$(date)\n\n" > "$report_file" ;}
 if [ "${#FILES[@]}" -gt "1" ]; then
  echo "HASH: $HASH"
  echo "TYPE:$(file "${FILES[${COUNT}]}" | awk -F': ' '{$1=""; print}')"
  for file in "${FILES[@]}"; do
   echo " > $file"
  done
  echo
 fi | tee -a "$report_file"
 
fi
 
done
 
# Script is finished, delete the filehash_dump file.
[ -e "$filehash_dump" ] && { rm "$filehash_dump" ; }