Tuesday, March 31, 2009

rsyslog on Orange JeOS

I’ll skip the pomp and circumstance and get right to it. Here are my steps for getting rsyslog to work on Orange JeOS:

  1. Load Orange JeOS
  2. login as root (password is qwerty)
  3. fix ip & mask in /etc/sysconfig/network-scripts/ifcfg-eth0 to match your network settings
  4. fix hostname & gateway in /etc/sysconfig/network
  5. fix nameserver in /etc/resolv.conf
  6. service network restart
  7. yum update
  8. shutdown -r now
  9. login as root again
  10. yum install ntp
  11. chkconfig ntpd on
  12. ntpdate pool.ntp.org
  13. service ntpd start
  14. yum install rsyslog
  15. add “*.* /var/log/syslog” as the last line in /etc/rsyslog.conf
  16. add “-r” to SYSLOGD_OPTIONS in /etc/sysconfig/rsyslog
  17. service syslog stop
  18. service rsyslog start
  19. chkconfig syslog off
  20. chkconfig rsyslog on
  21. iptables -I RH-Firewall-1-INPUT 3 -p udp --dport 514 -j ACCEPT
  22. /etc/init.d/iptables save
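Steps 15 and 16 are the two edits that turn the box into a log collector, and both are easy to get wrong on a second run: appending the catch-all rule twice logs every message twice, and adding `-r` twice is just noise. The helpers below are an added example (not from the original post) that make those two edits idempotent. They take the file path as a parameter so they can be tried on a copy first; the defaults are the EL5 locations the post uses, and the `-r` switch is the rsyslog 2.x/3.x compatibility flag that opens UDP 514 to any sender, so pair it with a firewall rule limited to the hosts that should actually be sending.

```shell
#!/bin/sh
# Added example, not part of the original post. Idempotent versions of the two
# rsyslog config edits; paths are parameters so the functions can be exercised
# on copies of the files.

# Append "*.* /var/log/syslog" to rsyslog.conf unless that exact line is already
# there, so re-running the setup does not record every message twice.
add_catchall_rule() {
    conf=${1:-/etc/rsyslog.conf}
    rule='*.* /var/log/syslog'
    if grep -qxF "$rule" "$conf"; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$conf"
}

# Put -r into SYSLOGD_OPTIONS in /etc/sysconfig/rsyslog (UDP reception on 514).
# Skips the edit when -r is already present; creates the variable if missing.
enable_udp_reception() {
    cfg=${1:-/etc/sysconfig/rsyslog}
    if grep -qE '^SYSLOGD_OPTIONS="( *|.* )-r( |")' "$cfg"; then
        return 0
    fi
    grep -q '^SYSLOGD_OPTIONS=' "$cfg" || printf 'SYSLOGD_OPTIONS=""\n' >> "$cfg"
    # Insert -r right after the opening quote of the existing value.
    sed -i 's/^SYSLOGD_OPTIONS="/SYSLOGD_OPTIONS="-r /' "$cfg"
    # Tidy the empty-value case so it reads SYSLOGD_OPTIONS="-r".
    sed -i 's/^SYSLOGD_OPTIONS="-r "$/SYSLOGD_OPTIONS="-r"/' "$cfg"
}

# Usage as root on the appliance (then restart rsyslog as in steps 17-20):
#   add_catchall_rule && enable_udp_reception
```

Run both functions, then `service rsyslog restart`; a second run leaves both files unchanged, which is what you want from anything that ends up in a build script.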

That’s it.  rsyslog should be running, iptables should allow incoming UDP traffic and the log file /var/log/syslog should start to have data in it.  You can pipe the data to mysql if you want, but that’s another config. :)

Enjoy the logging goodness!

Monday, March 30, 2009

lvm2 on Orange JeOS (Extending the root partition)

So after messing with Orange JeOS a bit, I kept bumping my head on the fact that there just wasn’t a whole lot of disk space to play with.  Both the core version and the ESX version of Orange JeOS use lvm2 and limit the root partition to around 2GB…that doesn’t leave a whole lot of space for logs.  I’m still learning about lvm2 so I figured this was a good opportunity to figure it all out. So…the quick and dirty is that I was unable to resize the Physical Volume (PV) that Orange JeOS was on without breaking it.  I tried doing it from a live CD with the lvm2 tools and all but it turned out to be a real hassle. So instead, I created another partition on the disk to fill the remaining space, created a 2nd PV, added it to the Volume Group, extended the existing Logical Volume to include it and then resized the filesystem on it.  (Um…yeah…pretty meaty work…)  Here’s the play by play:

  1. Load Orange JeOS (whatever flavor or however you want)
  2. Log in as root (default password is qwerty)
  3. Verify your current disk and partition sizes with “df”
  4. Boot from Qparted Live CD
  5. Create an ext3 partition on the remaining disk space
  6. Boot back into Orange JeOS and login as root
  7. Do a “pvcreate /dev/hda3” replacing hda3 with the partition name you created in the last step. This creates the new lvm2 Physical Volume.
  8. Do a “vgextend /dev/VolGroup00 /dev/hda3” replacing both the volume group name (VolGroup00 is the default in Orange JeOS) and the partition name with the ones you used above
  9. Do a “lvextend -L +4G /dev/VolGroup00/LogVol00” to extend the logical volume.  As before replace the pieces you need to. I increased the size by 4GB above because that was the size of my new physical volume.
  10. Finally run a “resize2fs /dev/VolGroup00/LogVol00” to extend the file system out to use the new space. I’m on ext3 but ext2 should work as well. If you picked something else as your filesystem your mileage may vary.
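Steps 7 through 10 are four commands, but the first of them (pvcreate) overwrites whatever is on the partition you name, so it is worth a couple of guard checks before running the sequence. The script below is an added example (not from the original post) that wraps the same four commands with those checks: the new partition must exist and must not be mounted, must not already be a PV, and the root LV must hold an ext2/ext3 filesystem, since that is what resize2fs on EL5 can grow. The device, VG, LV and size are parameters with the post’s values as defaults; the checks that parse text (/proc/mounts, blkid output) take that text as an argument so they can be tried without touching real devices.

```shell
#!/bin/sh
# Added example, not part of the original post. Grows the root LV onto a new
# partition with preflight checks. Assumes EL5 lvm2/e2fsprogs as on the base
# build; device/VG/LV/size default to the values used in the post.

# 0 if $1 appears as a mounted device in $2 (text in /proc/mounts format).
is_mounted() {
    dev=$1; mounts=$2
    printf '%s\n' "$mounts" | awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }'
}

# 0 if resize2fs can grow filesystem type $1 (ext2/ext3 on EL5).
fs_resizable() {
    case $1 in
        ext2|ext3) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract TYPE="..." from one line of blkid output, e.g.
#   /dev/VolGroup00/LogVol00: LABEL="/" UUID="..." TYPE="ext3"
blkid_type() {
    printf '%s\n' "$1" | sed -n 's/.*TYPE="\([^"]*\)".*/\1/p'
}

# Steps 7-10 from the post, run only after the checks pass.
grow_root_lv() {
    dev=${1:-/dev/hda3}; vg=${2:-VolGroup00}; lv=${3:-LogVol00}; size=${4:-+4G}
    lvpath="/dev/$vg/$lv"

    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if is_mounted "$dev" "$(cat /proc/mounts)"; then
        echo "$dev is mounted; pvcreate would destroy a live filesystem" >&2
        return 1
    fi
    if pvs --noheadings -o pv_name 2>/dev/null | grep -qw "$dev"; then
        echo "$dev is already an LVM physical volume" >&2
        return 1
    fi
    fstype=$(blkid_type "$(blkid "$lvpath")")
    fs_resizable "$fstype" || { echo "cannot grow '$fstype' with resize2fs" >&2; return 1; }

    pvcreate "$dev" &&
    vgextend "$vg" "$dev" &&
    lvextend -L "$size" "$lvpath" &&
    resize2fs "$lvpath"
}

# Usage as root, e.g.:  grow_root_lv /dev/hda3 VolGroup00 LogVol00 +4G
```

The `&&` chain stops at the first failing command, so a failed vgextend never leads to an lvextend against a VG that did not actually grow; check `df` afterwards as the post does.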

That’s pretty much it. From here I was able to see the new space in a “df” from the command line.  I’m sure there were other options (including a way to partition the rest of the disk from inside Orange JeOS) but that’s how I did it.

There’s a pretty good reference to lvm2 online here.

Thursday, March 26, 2009

WireShark Presentation Links

For my ILTA friends….

Here is a link to my Wireshark resources post:

http://rolfsa.blogspot.com/2008/09/i-love-me-some-wireshark.html

I hope you enjoyed the call.  See you at Conference where I’ll be covering TrueCrypt!

Setting up Orange JeOS with httpd and Webmin

After some messing around I was able to get Orange JeOS running as a basic web server. I also threw on the ultracool Webmin tool.  Webmin is a web based administration tool for Linux.  It makes it easy to get down and dirty with the OS without having to use the command line and without having to load a full GUI.  It’s simple to setup and is great for people just learning Linux.  As my staff doesn’t have many Linux admins, I’m planning on using it as a tool to get the rest of them up to speed and productive in a short period of time.  Anyhoo…here’s how I did it.

  1. Load Orange JeOS on the box from the iso I talked about in the last post. (The root password is “qwerty” if you can’t find it.)
  2. Change the IP address in /etc/sysconfig/network-scripts/ifcfg-eth0
  3. Change the default gateway and hostname in /etc/sysconfig/network  (my config had two hostname lines…not sure why…so I deleted one)
  4. Change the DNS Server in /etc/resolv.conf
  5. Bounce the nic with “service network restart”. You should now have network connectivity.
  6. Do a “yum update” to get the box up to speed with all the updates.
  7. install httpd and perl “yum install perl httpd”  (You need perl for webmin)
  8. Download webmin by doing a “wget http://prdownloads.sourceforge.net/webadmin/webmin-1.470-1.noarch.rpm”
  9. install webmin “rpm -i webmin-1.470-1.noarch.rpm”
  10. start httpd with “service httpd start”
  11. start webmin with “service webmin start”
  12. Allow httpd (port 80) in iptables with “iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT”
  13. Allow Webmin (port 10000) in iptables with  “iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j ACCEPT”
  14. Save the iptables changes “/etc/init.d/iptables save” so the rules are there after a reboot.
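Steps 12 and 13 here, and step 21 of the rsyslog post, all do the same thing: insert an ACCEPT rule at position 3 of RH-Firewall-1-INPUT. Two things a practitioner wants on top of that: the rule should name the network the traffic is expected from (Webmin on port 10000 in particular is an admin interface, not something to expose to the whole world), and running the step twice should not stack a second copy of the rule. The helpers below are an added example, not from the original post, covering both posts’ rules. They assume the stock EL5 chain name and the iptables 1.3.5 on Orange JeOS, which has no `-C`/`--check`, so the existing rules are read from `iptables-save` output instead; that lookup takes the text as an argument so it can be tested against a captured ruleset.

```shell
#!/bin/sh
# Added example, not part of the original post. Source-restricted, duplicate-free
# port openings for the EL5 RH-Firewall-1-INPUT chain. Assumes iptables 1.3.x
# (no --check), so existing rules are detected via iptables-save text.

CHAIN=${CHAIN:-RH-Firewall-1-INPUT}

# Print the match part of a rule for proto $1, port $2, source network $3.
# TCP rules keep the SYN-only flag match the stock EL5 rules use.
rule_match() {
    proto=$1; port=$2; src=$3
    if [ "$proto" = tcp ]; then
        printf '%s' "-s $src -p tcp -m tcp --dport $port --tcp-flags SYN,RST,ACK SYN"
    else
        printf '%s' "-s $src -p udp -m udp --dport $port"
    fi
}

# 0 if $3 (iptables-save text) already has an ACCEPT rule in $CHAIN for
# proto $1 / port $2. Matches loosely on purpose: iptables-save rewrites
# netmasks and tcp-flags into its own canonical form, so a verbatim
# comparison of the rule we built would never match.
rule_present() {
    proto=$1; port=$2; saved=$3
    printf '%s\n' "$saved" |
        grep -qE -- "^-A $CHAIN .*-p $proto .*--dport $port .*-j ACCEPT"
}

# Insert the rule at position 3 (after the loopback and ESTABLISHED,RELATED
# rules the stock EL5 firewall puts first) unless one is already there.
allow_from() {
    proto=$1; port=$2; src=$3
    if rule_present "$proto" "$port" "$(iptables-save)"; then
        echo "rule for $proto/$port already present in $CHAIN"
        return 0
    fi
    # $(rule_match ...) is intentionally unquoted: it is a list of arguments.
    iptables -I "$CHAIN" 3 $(rule_match "$proto" "$port" "$src") -j ACCEPT
}

# Usage as root, then persist with /etc/init.d/iptables save. The 192.168.1.0/24
# below is a constructed LAN; substitute the network your clients are on.
#   allow_from tcp 80    0.0.0.0/0        # public web server
#   allow_from tcp 10000 192.168.1.0/24   # Webmin: admin network only
#   allow_from udp 514   192.168.1.0/24   # syslog senders (rsyslog post, step 21)
```

If you do want port 80 open to everyone, `0.0.0.0/0` as the source is the explicit way to say so; the point is that the admin and syslog ports get a real network.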

You should now have a fully functional Orange JeOS webserver with Webmin loaded.  The URL for webmin is  http://yourboxip:10000 where “yourboxip” is the IP you assigned or the hostname (if you set it up on your DNS server).

Next I’ll load rsyslog and phpLogCon and my syslog appliance will be complete.  (It’s trickier than it sounds…I’ll need to expand the physical volume on LVM as Orange JeOS only has 4GB configured and 2GB in the current logical volume for / .)

Enjoy!!!

Tuesday, March 24, 2009

Orange JeOS is pretty cool

So I found a new distro that’s pretty cool….Orange JeOS.  This distro is based on the mantra “Just Enough Operating System” and it is a streamlined version of CentOS.   It’s released as a scripted build (not as an ISO) from the site, but being the lazy bastard that I am, I did find a site that performed all the heavy lifting for me. They release a few different ISOs based on your intended hardware.  There’s even a version with a GUI, but that kinda defeats the purpose in my view.  What I wanted this for was to be able to build a small syslog server without a lot of overhead.  I tried the VMWare appliance called SyslogAppliance but the damn thing was like 64GB in size.  So much for an appliance…

Anyhoo, I was able to load the core install on an old Toshiba Satellite Pro 4600 for testing.  From here I downloaded the VMWare version and put it on ESXi.  That took some work because it’s built on VMServer so I had to download the stand alone converter from VMWare and then convert it over.  When I first booted up it failed to mount the disk.  I took a shot in the dark and increased the size of the virtual disk and then it all worked ok.  So far so good.

So if you’re really interested in what’s installed by default…running a “yum list installed” on the base build  (oj-1.8.7-11.iso) yields:

MAKEDEV.i386                             3.23-1.2               installed      
SysVinit.i386                            2.86-14                installed      
atk.i386                                 1.12.2-1.fc6           installed      
audit-libs.i386                          1.6.5-9.el5            installed      
audit-libs-python.i386                   1.6.5-9.el5            installed      
authconfig.i386                          5.3.21-3.el5           installed      
basesystem.noarch                        8.0-5.1.1.el5.centos   installed      
bash.i386                                3.2-21.el5             installed      
beecrypt.i386                            4.1.2-10.1.1           installed      
binutils.i386                            2.17.50.0.6-6.el5      installed      
bzip2.i386                               1.0.3-4.el5_2          installed      
bzip2-libs.i386                          1.0.3-4.el5_2          installed      
cairo.i386                               1.2.4-5.el5            installed      
centos-release.i386                      10:5-2.el5.centos      installed      
centos-release-notes.i386                5.2-2                  installed      
checkpolicy.i386                         1.33.1-4.el5           installed      
chkconfig.i386                           1.3.30.1-2             installed      
coreutils.i386                           5.97-14.el5            installed      
cpio.i386                                2.6-20                 installed      
cracklib.i386                            2.8.9-3.3              installed      
cracklib-dicts.i386                      2.8.9-3.3              installed      
cryptsetup-luks.i386                     1.0.3-2.2.el5          installed      
cups-libs.i386                           1:1.2.4-11.18.el5_2.3  installed      
curl.i386                                7.15.5-2.el5           installed      
cyrus-sasl-lib.i386                      2.1.22-4               installed      
db4.i386                                 4.3.29-9.fc6           installed      
dbus.i386                                1.0.0-7.el5_2.1        installed      
dbus-glib.i386                           0.70-5                 installed      
device-mapper.i386                       1.02.24-1.el5          installed      
device-mapper-event.i386                 1.02.24-1.el5          installed      
device-mapper-multipath.i386             0.4.7-17.el5           installed      
diffutils.i386                           2.8.1-15.2.3.el5       installed      
dmidecode.i386                           1:2.7-1.28.2.el5       installed      
dmraid.i386                              1.0.0.rc13-15.el5_2.1  installed      
e2fsprogs.i386                           1.39-15.el5            installed      
e2fsprogs-libs.i386                      1.39-15.el5            installed      
ed.i386                                  0.2-39.el5_2           installed      
elfutils-libelf.i386                     0.125-3.el5            installed      
ethtool.i386                             5-1.el5                installed      
expat.i386                               1.95.8-8.2.1           installed      
file.i386                                4.17-13                installed      
filesystem.i386                          2.4.0-1.el5.centos     installed      
findutils.i386                           1:4.2.27-4.1           installed      
fontconfig.i386                          2.4.1-7.el5            installed      
freetype.i386                            2.2.1-20.el5_2         installed      
gawk.i386                                3.1.5-14.el5           installed      
gdbm.i386                                1.8.0-26.2.1           installed      
glib2.i386                               2.12.3-2.fc6           installed      
glibc.i686                               2.5-24.el5_2.2         installed      
glibc-common.i386                        2.5-24.el5_2.2         installed      
gnupg.i386                               1.4.5-13               installed      
gnutls.i386                              1.4.1-3.el5_2.1        installed      
grep.i386                                2.5.1-54.2.el5         installed      
grub.i386                                0.97-13.2              installed      
gtk2.i386                                2.10.4-20.el5          installed      
gzip.i386                                1.3.5-10.el5.centos    installed      
hal.i386                                 0.5.8.1-35.el5         installed      
hdparm.i386                              6.6-2                  installed      
hicolor-icon-theme.noarch                0.9-2.1                installed      
hwdata.noarch                            0.213.6-1.el5          installed      
info.i386                                4.8-14.el5             installed      
initscripts.i386                         8.45.19.1.EL-1.el5.cen installed      
iproute.i386                             2.6.18-7.el5           installed      
iptables.i386                            1.3.5-4.el5            installed      
iptables-ipv6.i386                       1.3.5-4.el5            installed      
iputils.i386                             20020927-43.el5        installed      
kbd.i386                                 1.12-20.el5            installed      
kernel.i686                              2.6.18-92.1.22.el5     installed      
kernel.i686                              2.6.18-92.1.13.el5     installed      
keyutils-libs.i386                       1.2-1.el5              installed      
kpartx.i386                              0.4.7-17.el5           installed      
krb5-libs.i386                           1.6.1-25.el5_2.2       installed      
kudzu.i386                               1.2.57.1.17-1          installed      
less.i386                                394-5.el5              installed      
libX11.i386                              1.0.3-9.el5            installed      
libXau.i386                              1.0.1-3.1              installed      
libXcursor.i386                          1.1.7-1.1              installed      
libXdmcp.i386                            1.0.1-2.1              installed      
libXext.i386                             1.0.1-2.1              installed      
libXfixes.i386                           4.0.1-2.1              installed      
libXfont.i386                            1.2.2-1.0.3.el5_1      installed      
libXft.i386                              2.1.10-1.1             installed      
libXi.i386                               1.0.1-3.1              installed      
libXinerama.i386                         1.0.1-2.1              installed      
libXrandr.i386                           1.1.1-3.1              installed      
libXrender.i386                          0.9.1-3.1              installed      
libacl.i386                              2.2.39-3.el5           installed      
libattr.i386                             2.4.32-1.1             installed      
libcap.i386                              1.10-26                installed      
libfontenc.i386                          1.0.2-2.2.el5          installed      
libgcc.i386                              4.1.2-42.el5           installed      
libgcrypt.i386                           1.2.3-1                installed      
libglade2.i386                           2.6.0-2                installed      
libgpg-error.i386                        1.4-2                  installed      
libhugetlbfs.i386                        1.2-5.el5              installed      
libidn.i386                              0.6.5-1.1              installed      
libjpeg.i386                             6b-37                  installed      
libpng.i386                              2:1.2.10-7.1.el5_0.1   installed      
libselinux.i386                          1.33.4-5.el5           installed      
libselinux-python.i386                   1.33.4-5.el5           installed      
libsemanage.i386                         1.9.1-3.el5            installed      
libsepol.i386                            1.15.2-1.el5           installed      
libstdc++.i386                           4.1.2-42.el5           installed      
libsysfs.i386                            2.0.0-6                installed      
libtermcap.i386                          2.0.8-46.1             installed      
libtiff.i386                             3.8.2-7.el5_2.2        installed      
libusb.i386                              0.1.12-5.1             installed      
libuser.i386                             0.54.7-2.el5.5         installed      
libvolume_id.i386                        095-14.16.el5          installed      
libxml2.i386                             2.6.26-2.1.2.7         installed      
libxml2-python.i386                      2.6.26-2.1.2.7         installed      
lockdev.i386                             1.0.1-10               installed      
lvm2.i386                                2.02.32-4.el5_2.1      installed      
m2crypto.i386                            0.16-6.el5.2           installed      
mingetty.i386                            1.07-5.2.2             installed      
mkinitrd.i386                            5.1.19.6-28            installed      
mktemp.i386                              3:1.5-23.2.2           installed      
module-init-tools.i386                   3.3-0.pre3.1.37.el5    installed      
nash.i386                                5.1.19.6-28            installed      
ncurses.i386                             5.5-24.20060715        installed      
net-tools.i386                           1.60-78.el5            installed      
newt.i386                                0.52.2-10.el5          installed      
nsa_lockdown.noarch                      1.0-3                  installed      
nspr.i386                                4.7.3-2.el5            installed      
nss.i386                                 3.12.2.0-4.el5.centos  installed      
oj-postinstall.noarch                    1.0-2                  installed      
openldap.i386                            2.3.27-8.el5_2.4       installed      
openssh.i386                             4.3p2-26.el5_2.1       installed      
openssh-server.i386                      4.3p2-26.el5_2.1       installed      
openssl.i686                             0.9.8b-10.el5_2.1      installed      
pam.i386                                 0.99.6.2-3.27.el5      installed      
pango.i386                               1.14.9-3.el5.centos    installed      
passwd.i386                              0.73-1                 installed      
pciutils.i386                            2.2.3-5                installed      
pcre.i386                                6.6-2.el5_1.7          installed      
pm-utils.i386                            0.99.3-6.el5.centos.19 installed      
policycoreutils.i386                     1.33.12-14.el5         installed      
popt.i386                                1.10.2-48.el5          installed      
prelink.i386                             0.3.9-2.1              installed      
procps.i386                              3.2.7-9.el5            installed      
psmisc.i386                              22.2-6                 installed      
pycairo.i386                             1.2.0-1.1              installed      
pygobject2.i386                          2.12.1-5.el5           installed      
pygtk2.i386                              2.10.1-12.el5          installed      
pygtk2-libglade.i386                     2.10.1-12.el5          installed      
python.i386                              2.4.3-21.el5           installed      
python-elementtree.i386                  1.2.6-5                installed      
python-iniparse.noarch                   0.2.3-4.el5            installed      
python-numeric.i386                      23.7-2.2.2             installed      
python-sqlite.i386                       1.1.7-1.2.1            installed      
python-urlgrabber.noarch                 3.1.0-2                installed      
readline.i386                            5.1-1.1                installed      
redhat-logos.noarch                      4.9.99-8.el5.centos    installed      
rhpl.i386                                0.194.1-1              installed      
rootfiles.noarch                         8.1-1.1.1              installed      
rpm.i386                                 4.4.2-48.el5           installed      
rpm-libs.i386                            4.4.2-48.el5           installed      
rpm-python.i386                          4.4.2-48.el5           installed      
sed.i386                                 4.1.5-5.fc6            installed      
selinux-policy.noarch                    2.4.6-137.1.el5        installed      
selinux-policy-targeted.noarch           2.4.6-137.1.el5        installed      
setools.i386                             3.0-3.el5              installed      
setserial.i386                           2.17-19.2.2            installed      
setup.noarch                             2.5.58-1.el5           installed      
shadow-utils.i386                        2:4.0.17-13.el5        installed      
slang.i386                               2.0.6-4.el5            installed      
sqlite.i386                              3.3.6-2                installed      
sudo.i386                                1.6.8p12-12.el5        installed      
sysklogd.i386                            1.4.1-44.el5           installed      
tar.i386                                 2:1.15.1-23.0.1.el5    installed      
tcl.i386                                 8.4.13-3.fc6           installed      
tcp_wrappers.i386                        7.6-40.4.el5           installed      
termcap.noarch                           1:5.5-1.20060701.1     installed      
tzdata.noarch                            2008i-1.el5            installed      
udev.i386                                095-14.16.el5          installed      
usermode.i386                            1.88-3.el5.1           installed      
util-linux.i386                          2.13-0.47.el5          installed      
vim-minimal.i386                         2:7.0.109-4.el5_2.4z   installed      
vixie-cron.i386                          4:4.1-72.el5           installed      
wget.i386                                1.10.2-7.el5           installed      
wireless-tools.i386                      1:28-2.el5             installed      
xorg-x11-filesystem.noarch               7.1-2.fc6              installed      
yum.noarch                               3.2.8-9.el5.centos.2.1 installed      
yum-fastestmirror.noarch                 1.1.10-9.el5.centos    installed      
yum-metadata-parser.i386                 1.1.2-2.el5            installed      
zlib.i386                                1.2.3-3                installed

More on this later as I continue to build my Open Source Security setup with PFSense, rsyslog, phplogcon, OpenVPN and ESXi.  (It’d be Xen if I had the time…really…)

Friday, March 20, 2009

Lansweeper – Inventory Tool Extraordinaire

Lansweeper is a free and very cool tool for network inventory purposes.  There is a Premium Version that provides some extras that are well worth the investment.  I’ve been using it for a few months now and it’s become one of my favorite tools.  What I like about it is that it’s very extendable and it’s pretty easy to create your own reports. I’ll let you check out the basics for yourself on their demo site, but I thought I’d walk you through how to extend the reporting functionality.  To do this you need lsbuilder, which is part of the Premium Version.  However, lsbuilder is just an easy way to create your own SQL queries so you could probably do that with the standard SQL tools. I wanted a report of Computer Manufacturer, Computer Name, Computer Model and the last logged in user.  Unfortunately, this report didn’t exist in the base tool, so I created it on my own.  First open up lsbuilder:

As you can see I’ve got SQL Express loaded locally so it’s pointing back to itself.  Make sure you are logged on here with enough rights in SQL to do the magic you need.

You’ll notice the Report Output tab and the Report Builder tab…we wanna go to the Report Builder tab. After messing around a bit I found you could drag and drop tables from the table list over to the builder piece.  Selecting the items from the tables will produce those items in the final report.  After some poking around I found the values I wanted in the tblComputersystem and tblComputers tables.

As you can see above, I’ve linked the two tables together with a join by dragging Computername from one table to the other.  If you click the SQL tab from the builder window you can see the resulting code.

One thing you’ll see is that I had to rename Computername in tblComputersystem.Computername to Computername1 because there was a collision on this name between the two tables.  No big deal really.  Since the SQL is off the page I’ll drop it here for you to see better:

SELECT
  tblComputersystem.Manufacturer,
  tblComputersystem.Model,
  tblComputersystem.Computername AS Computername1,
  tblComputers.Username,
  tblComputers.Computername
FROM
  tblComputers
  INNER JOIN tblComputersystem ON (tblComputers.Computername = tblComputersystem.Computername)

Now just hit the disk icon to save the report to the report list.  Now you can click the Report Output tab to get your list:

This gives me the exact report I was looking for with Manufacturer, Model, Computer Name and the last logged in user.  Using the “Export to Excel” button I was able to manipulate the report further (by removing the duplicated ComputerName field) and to pretty it up for printing.  Yeah..I know there’s a way to remove the duplicate computername with the SQL code directly but this is just a quick and dirty example and I’m trying to be brief. :)

Hit me up on the comments if you find/develop any other cool and useful reports.

Wednesday, March 18, 2009

Ubuntu Ultimate 2.0

So we seem to have coughed up a few old Dell D800 laptops last year after upgrading some of our users.  When I heard we had a few available, I remembered that they had pretty nice screens and a medium grade video card baked in so I thought it might make a nice box to try Ubuntu Ultimate on.  You see, I like Ubuntu for the desktop, but having to load all the goodies on is a real pain in the butt.  That’s why I like this distro so much. It’s got tons of toys and tools and it’s all preloaded.  So I downloaded, burned and kick started the iso.  Everything went pretty smooth all things considered.  There was a little tweaking with System-Preferences-Appearance (to crank up the video effects) which prompted it to download some NVidia drivers, but that went smooth.  The box is a little slow as it’s only got 512MB of RAM but it’s sufficient to test out all the cool stuff like Beryl/Compiz, Wine, Filezilla, Wireshark, etc…

So it’s been about a week so far and I’ve only found one issue and I’m sure it’s just me being dense. I can’t seem to create or delete items from the desktop. (Yes, I check perms and they all look good).  I’m sure I’ll figure it out once I sit down and put my mind to it. 

Next up is testing Orange JeOS.  I’ve got to find a minimal CentOS/Red Hat install to use as a VMWare image for syslog collection and it looks pretty tight.  It kind of reminds me of my old favs OpenNA and Trustix…

Thursday, March 12, 2009

Two Sites Packed Full of Goodies

Time after time I use two sites in my daily work for a multitude of tools.  These two sites are SysInternals (now a Microsoft site) and NirSoft.  SysInternals is well known by many Windoze folks for its tools FileMon and RegMon which let you see exactly what files and registry keys a program is accessing.   However there are many tools on this site that are useful for troubleshooting Windoze issues.  NirSoft has a collection of password recovery tools, network monitoring tools, web browser tools, Video/Audio tools, IP tools, programmer's tools, system utilities, command line tools, desktop tools and much more.  Trying to talk about each one of the tools could take days.  Tell ya what...go investigate the sites for yourself and enjoy the free goodness.

Wednesday, March 11, 2009

Outlook NK2 Annoyances

If you use Outlook (ok who doesn’t?) and you are troubled by its use of autocompletion of email addresses when sending messages this post is for you.  When you send emails, Outlook remembers (well it tries to remember) all the email addresses so that they are available as autocomplete entries later.  They don’t get added to your Contacts (or Outlook Address Book), but they are cached in an nk2 file on your hard drive….which is profile specific.  This is a problem because profiles are problematic.  Many things can cause a profile to become corrupt, unavailable and just outright die.  Let’s face it, profiles suck.  So to get around this it’d be nice to have a tool that could fix or recreate these nk2 files.  Enter the Rebuild Outlook Autocomplete Cache tool.  This free (but not Open Source) tool will allow you to recreate a NK2 file by reading the addresses on messages in your Sent Items folder or any other folder in your Outlook mailbox.  When combined with the NK2.info tool you can even recreate your existing, corrupted cache.  NK2.info dumps your existing cache (even if it’s corrupt) to a csv file which you can suck back into your Outlook Address Book.  Then use the rebuild tool on that contact list to pre-populate the nk2 autocomplete file.

Oh yeah…one more tip. Have you ever wanted to reset all your Outlook contacts’ “File As” properties so they are all “lastname, firstname” or “firstname lastname”? Well, it’s not easy, but here is a link to a Microsoft doc telling you how to do it.

Good stuff….good luck.

Sniffing Shoretel Calls

A while back, after I did my Wireshark presentation for ILTA, someone asked me about using Wireshark to capture ShoreTel VOIP calls.  It turns out that capturing the call was easy, but as there is no codec for Wireshark, translating the call session to a WAV file or other audio file was a little more tricky.  Before you jump all over me about privacy and security concerns….the issue here is about call troubleshooting not eavesdropping.  Sometimes you want to be able to capture a call so that you can understand exactly what a user is hearing. Voice echo, call quality and extra garbled noises are all acceptable reasons to want to be able to capture and play back a call.  So if you’re gonna do some funny business and listen in on someone’s calls…you are on your own. I don’t condone eavesdropping for any reason. On with the show…

So after spending a few hours looking at codecs for WireShark that would work with Shoretel I ran into a forum post about how someone accomplished the same objective with Cain.

Cain & Abel is a popular password cracking tool but it also contains a full blown sniffer.  Using this tool I was successfully able to record a call from my ShoreTel IP230G phone.  Here are the quick and dirty instructions if you are interested:

  1. Install Cain
  2. Run Cain
  3. Hit Configure on the menu at the top
  4. Select your nic from the list and hit Ok
  5. Select the Sniffer tab
  6. On the BOTTOM of the screen select the VOIP tab
  7. Hit the "start/stop sniffer" button in the button bar
  8. Make a call (you'll see it recording in the interface)
  9. End the call
  10. Wait for the interface to show that it’s captured the call in its entirety.
  11. Double click the recorded call to hear it. It's also saved as a wav under c:\program files\cain\voip

I have all the codecs supported by Shoretel loaded, but for my test call I was using L16/16000.  Also note that you need to use a network TAP or a switchport monitor capturing both directions if you want to capture both sides of the call.

Enjoy the packet capture goodness.

Tuesday, March 10, 2009

TrueCrypt

As much as I despise the topic of computer security (and computer security people in general for that matter), I truly love TrueCrypt.  Some open source software seems unfinished, beta or kludgey.   Rarely do you get a gem like TrueCrypt that seems as good as or better than commercial software.

TrueCrypt is an encryption software package that encrypts static data (i.e. data on hard drives, thumb drives, etc.).  You can encrypt files, folders or even an entire hard drive.  It supports numerous software encryption algorithms (AES, Blowfish, Serpent, etc..), hashing algorithms (Whirlpool, SHA-512, etc…), operating systems (OSX, Windoze, Linux, etc…) and authentication mechanisms (smart cards, tokens, certificates, etc..).  I’m so impressed with its capabilities that I’ll be presenting a seminar on TrueCrypt at this year’s ILTA conference.

This year we have decided to encrypt all our laptops with TrueCrypt.  After looking at multiple programs, both open source and commercial, I feel that TrueCrypt best meets our needs.  Making any decision requires trade-offs.  In our case, I first looked at hardware encryption vs. software encryption.  Here are a few of the subtle differences:

Hardware:

  • Generally faster than software solutions and can usually be done at native speeds of the drive
  • Requires little effort on the part of the user
  • Can sometimes be tied in to other hardware security mechanisms like biometric fingerprint readers, usb keys and rfid keys (The BUSLink devices are really cool by the way. More on them later.)
  • Generally uses proprietary algorithms (so you’re not quite sure exactly what’s happening) and you generally don’t have a wide selection of algorithms to choose from.
  • Some enterprise tools are available for system deployment and management
  • Not available on workhorse models of Lenovo laptops

Software:

  • Numerous encryption/hashing algorithms to choose from
  • Little to no monetary investment
  • Slower to encrypt (and sometimes unencrypt) data
  • More granular control of what is and what isn’t encrypted
  • Possible plausible deniability to the existence of data (Hidden volumes and hidden operating systems)
  • Ability to encrypt external hard drives and flash drives
  • Generally requires additional software plug-ins to tie into hardware security mechanisms

I don’t really have the space to go into depth about why I liked TrueCrypt over other commercial and non-commercial packages, but suffice it to say the decision was based on simplicity for the user, cost to the organization, level of security provided by the software and ease of deployment.  After I give the presentation I’ll see if I can drop a link to it here for all to see.

Monday, March 02, 2009

Tracking Stolen Computers

Have you ever had a computer stolen?  Wouldn’t you like to find out who the rat bastard was that took it?  Well then you’d be interested in Adeona. Adeona installs on Linux, Mac OSX or Windows. It creates a daemon/service that “phones home” and stores the public IP address of the machine on a secure webserver.  From any other machine, you can run the recovery tool, give it a date range and have it spit the ip addresses back to you so you know where and when the PC hit the Internet.  The Mac version can even use the built-in webcam to take snapshots of the rat bastard. Very interesting and very cool software…and of course…completely open source.  Enjoy the techno-narking goodness!!!!