Samhain - POLICY NODIRECTORY explained
This was a tricky one. I kept getting alerts for:
-----BEGIN MESSAGE-----
[2012-07-09T23:40:37+1000] server8.somedomain.com CRIT : [2012-07-09T23:40:34+1000] msg=<POLICY NODIRECTORY>, path=</var/log>
-----BEGIN SIGNATURE-----
EA6AB852FD5E03118A95B8507E514F264CCFE3CC35E3330F
000154 1340761939::server8.somedomain.com
-----END MESSAGE-----
For the life of me I wasn't sure why, but after reading the source code the cause became clear:
{ MSG_FI_NODIR, N_("File found where directory was expected"), IDMEF_IMPACT_TYPE_FILE },
And you know what, it was correct: /var/log was a softlink to /data/logs!
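Why the alert is right, as an added example (not code from the post or from Samhain): it parses the alert line quoted above and shows how a path that lstat() reports as a symlink is not a directory, even though stat() says its target is one. Modelling the checker with lstat() is an assumption made here, not a reading of Samhain's source, and the directory layout is constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Constructed copy of the alert body from the page (host and signature stripped).
SAMPLE_ALERT = "[2012-07-09T23:40:34+1000] msg=<POLICY NODIRECTORY>, path=</var/log>"
ALERT_RE = re.compile(r"msg=<(?P<msg>[^>]*)>, path=<(?P<path>[^>]*)>")

def parse_alert(line):
    """Extract the policy message and the offending path from a Samhain alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("not a Samhain policy alert: %r" % line)
    return m.group("msg"), m.group("path")

def kind(st):
    # Reduce a stat result to the three kinds that matter for this alert.
    if stat.S_ISDIR(st.st_mode):
        return "directory"
    return "symlink" if stat.S_ISLNK(st.st_mode) else "file"

def classify(path):
    """Return (what lstat sees, what stat sees after following links). A checker
    that inspects the link itself sees a symlink, not a directory: the page's case."""
    unfollowed = kind(os.lstat(path))
    try:
        followed = kind(os.stat(path))
    except FileNotFoundError:
        followed = "missing"  # dangling symlink
    return unfollowed, followed

def explain(path):
    # Verdict a responder wants for a NODIRECTORY alert on `path`.
    unfollowed, followed = classify(path)
    if unfollowed == "directory":
        return "real directory: alert would not fire"
    if unfollowed == "symlink" and followed == "directory":
        return "symlink to a directory: alert is correct, point the policy at the target"
    return "%s found instead of a directory: alert is correct" % unfollowed

def build_demo_tree():
    # Constructed layout mirroring the page: a real dir, a symlink to it, a plain file.
    base = tempfile.mkdtemp()
    paths = {k: os.path.join(base, k) for k in ("data_logs", "var_log", "plainfile")}
    os.mkdir(paths["data_logs"])
    os.symlink(paths["data_logs"], paths["var_log"])
    open(paths["plainfile"], "w").close()
    return paths
```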
Download ncat Win32 (precompiled)
December 2012 Update: A newer precompiled version is available here: http://nmap.org/ncat/
So I was having a hunt around for the modified version of Netcat, called Ncat, developed by the lovely people who wrote the infamous port scanner Nmap. I needed the Win32 binaries for it, and after a brief trawl of the internet they couldn't be found. So I downloaded the source, compiled it, and made it presentable for download for everyone else.
Ncat-5.21 packed with UPX Packer
Ncat-5.21 without UPX Packer
Happy Ncatting :-)
Howto Setup Multi-threaded John the Ripper
This article has an updated version -> Here
Today at work a client needed to access a Cisco router but no-one knew the password; we did, however, have the config files saved, which included the MD5 hashes of the enable and enable secret passwords. So I set about cracking the hashes (which was done successfully, btw). Following on from that, I remembered a John the Ripper MPI patch I had seen some time ago, so I ended up getting it going at home, and the results are good!
Directions for installation are as follows (on Fedora 11):
yum install mpich2 mpich2-devel
wget http://www.bindshell.net/tools/johntheripper/john-1.7.2-bp17-mpi8.tar.gz
tar -zxvf john-1.7.2-bp17-mpi8.tar.gz
cd john-1.7.2-bp17/src
make linux-x86-64    # for the 64-bit version, duh!
cd ../run
touch ~/.mpd.conf && echo "MPD_SECRETWORD=secret" > ~/.mpd.conf && chmod 600 ~/.mpd.conf
mpd &
mpiexec.py -n 4 -path ./ -wdir ./ ./john --test
Initial benchmarking looks good. Below is 1 core vs 4 cores:
Traditional DES [128/128 BS SSE2-16]
  1 core:  1591K c/s real, 1594K c/s virtual
  4 cores: 6131K c/s real, 6380K c/s virtual
BSDI DES (x725) [128/128 BS SSE2-16]
  1 core:  Many salts: 53222 c/s real, 53329 c/s virtual
  4 cores: Many salts: 207665 c/s real, 215407 c/s virtual
FreeBSD MD5 [32/64 X2]
  1 core:  Raw: 9718 c/s real, 9816 c/s virtual
  4 cores: Raw: 37720 c/s real, 39581 c/s virtual
mysql [mysql]
  1 core:  Raw: 2571K c/s real, 2571K c/s virtual
  4 cores: Raw: 9397K c/s real, 10254K c/s virtual
About a 100% increase per core! Life is good!