Getting John the ripper to run with LDAP SSHA passwords

To get john the ripper to run on an ordinary shadow file, I just ran

apt-get install john

and then

john /etc/shadow

To get it to run on ldap passwords with SSHA:

Make script to extract passwords from ldap:

#!/usr/bin/perl

# This script is getpwfromldap.pl

use strict;

use Net::LDAP;

my $ldap = Net::LDAP->new( '127.0.0.1' );

my $mesg = $ldap->bind('cn=ldapadmin,dc=whatever,dc=example, dc=com',

                      password => 'ldappassword'

                    );

$mesg = $ldap->search(

                      base => "dc=whatever,dc=example,dc=com",

                      filter => "(uid=*)"

                      );

$mesg->code && die $mesg->error;

foreach my $entry ($mesg->entries) {

  print  $entry->get_value('uid') . ":" . $entry->get_value('userPassword') . ": \n" ;

}

$mesg = $ldap->unbind;  # take down session

Run the script:
./getpwfromldap.pl > ldappasswdfile

The content of the file should look like this:

user:{SSHA}971E3Lf01ZxHlIt5gK8f3MU8ubPPOyzG:

(no this is not one of my passwords).

Install SSHA compatible john:
wget http://btb.banquise.net/bin/myjohn.tgz
tar xvzf myjohn.tgz
cd john/src
cd make linux-x86-any
cd ../run

Run john on the file you made:
./john ldappasswdfile

Getting it to work with mixed SSHA and crypt from ldap:

Problem: You have a file with mixed entries


user:{SSHA}971E3Lf01ZxHlIt5gK8f3MU8ubPPOyzG:
user2:{crypt}IUHjbpfAE9dHQ:


Solution: You have to run twice.

• Do as above for SSHA (with myjohn).
  
• Remove {crypt} from the crypt lines and run john (from myjohn) again.
  

---

New blog

URL for my new blog:
http://people.binf.ku.dk/~hanne/b2evolution/blogs/

Not all posts have been imported yet but they will be sooner or later.

Book: Letter from America

by Alistair Cooke

It has taken me close to a year to finish this book. It consists of a selection of Alistair Cooke's "Letter from America" Radio broadcasts from 1946-2004.

It's not that it isn't interesting. It is. And some of it is quite catching. I was very touched by the one about the murder of Bobby Kennedy.

I think my problem is that I know too few of the persons or places he writes about so it's too hard work to understand what is going on. Even his British reference frame is only partly familiar to me. So after 2 or 3 chapters I don't want to read anymore. I don't long for the next chapter like I would in many other books. I've had information enough for one day..

But I did learn a lot from this book.

Book: Nanny Ogg's Cookbook

by Terry Pratchett, Stephen Briggs, Tina Hannan, Paul Kidby

I got this one or two years ago, probably for Christmas or my birthday from my husband. I have studied some of the recipes and I think I've read through most of them. I haven't gotten around to try any of them out yet, except Genuan Spice Mix, which is OK but not very much different from my usual spicing habits :)

I look forward to try "Mrs Whitlow's Artery-Hardening Hogswatch Pie", the "Brodequin Rôti Facon Ombres" (Man's boots in mud) and perhaps the infamous Strawberry Wobbler.

Theres is also a recipe for "Nanny Ogg's Perfectly Innocent Porridge with Completely Inoffensive Honey Mixture Which Shouldn't Make Anyone's Wife Laugh", if you need some inspiration for varying your breakfast.

Furthermore, this book contains some advice about etiquette around the undead, gardening, weddings etc.

Book: The Girl With The Dragon Tattoo

by Stieg Larsson

In Danish this book is called "Men who hates women". It is a crime story set in Sweden. I got this book as a gift.

It turns out to have very fascinating characters. I find it hard to get used to a crime story in modern settings and as a computer professional I have a hard time biting my tongue every time he mentions people doing fascinating things with the computers that is almost, but not quite right....

This book, on top of being a crime story, is also about men abusing or being violent to women, and the author seems to try to get a message through about this being much more common than we think and most people just keeping quiet about it. He is probably right that it is a huge problem and yes, I've known some people too, but I still think that he is exaggerating the extend to which this goes on. On the other hand, I shouldn't pretend to know what is going on in circles like the ones he describes since I never set my foot there. Or it might be worse in Sweden... who knows.

As a crime story it is very exciting. The ending is acceptable, and it is very well written and hard to put away before having finished it. As mentioned before, the main strength of this book is it's characters. You might not believe in the plot or the settings but you almost believe that these people are walking around up there, and you really really hope they'll make it and get furious when bad things happens to them.

I don't feel I learned anything from this book, though. Except saying "No I will not fix your computer today, this is my day off, I am reading A Book" to the children, which is probably a healthy thing to learn anyway... So in the end I do give it 4 points out of 5 for entertainment value and excitement. But not for bringing anything new into my life.

My first iSCSI steps

So a month ago or so I convinced the boss and the group with the storage need (and money) to go iSCSI, because it would be fun to try, easy to move, had certain nice expansion facilities and i/o speed was not really an issue for this device as much as flexibility.

And there I was a week ago with my first iSCSI device on my hands and a good deal less time than I'd hoped for to figure it out.

It is a Promise VTrak m610i, see screen shot of admin interface in previous blog post.

We considered an HP thing to approx. same price but half the disk space (double price for compatible disks, no 1TB disks available), and only room for 12 disks in 3 u. Here we have room for 16. The drawback is no onsite support, we have to actually send it in for repair :( But with the cheap disks it is affordable to buy spares so it is only the box itself.

Anyway we decided that if we don't like it we can always use it for backup. So we bought it.

So far I like it. It is clearly mediocre quality disk enclosures but once they're in they seem to work fine and look rather nice, too.

It comes with a manual saying how to install it in the rack, how to connect via the serial port and set an IP address, and how to configure RAID and a logical disk. And not much more.

I got the Ikea feeling after mounting it in the rack: Having bits left over that I'm pretty sure should have gone somewhere but that is just too bad...

The serial connection went smooth. It has a management interface which I have put on my "real" network so I can access it via https (and snmp and telnet if enable it) and it has 2 iSCSI interfaces. I connected both to my dedicated iSCSI Gbit switch, and connected the Gbit switch to my fileserver which has the honor of being the iSCSI initiator on it's 2nd Gbit network interface.

Does this make sense? Only one host connected, and wasting a switch in between? Well we need to start somewhere, and this is an attempt to get ourselves a flexible easily expandable and easily moveable solution.



In the https interface I found a place where I could trunk the two iSCSI interfaces, they call it "Link aggregation".
From management interface in browser: Network Management → Link aggregation: Trunk port 1 and 2 (1 master 2 slave).

So I created a disk array and a logical disk drive. I am glad that I had a SAN before. The manual has no explanation of the SAN terminology they use, or any other terminology, that is. (The cd might have. I never bother to open those unless I have to).

Now for the Linux part.

• Configure 2nd network interface to talk to iSCSI net
  
• Do not use the iSCSI net as default gateway... that is, if you still want your hosts to be able to see the server ;)
  
• Install open-iscsi
  
• Configure iscsi:
  iscsiadm -m iface -I iface0 --op=new
  iscsiadm -m iface -I iface0 --op=update -n iface.hwaddress -v aa:bb:cc:xx:yy:zz
  /etc/init.d/open-iscsi start
  iscsiadm -m discovery -t sendtargets -p 192.168.4.1:3260 --interface=iface0
  /etc/init.d/open-iscsi restart
  
• On iSCSI device in web interface map the iSCSI initiator to the LUN on the Storage Services → LUN Map: Dropdown menu: Add LUN Map.
  
• On fileserver again:
  iscsiadm -m node --targetname iqn.1234-12.com.promise.11.22.33.44.5.0.0.60 --portal 192.168.4.1
  iscsiadm -m node --targetname iqn.1234-12.com.promise.11.22.33.44.5.0.0.6o --portal 192.168.4.1 --interface iface0 --login
  fdisk -l
  
  
• Create filesystem. mkfs.ext3 -m 0 -O dir_index /dev/sdc or whatever.
  
• Mount, nfs export etc.
  
• Do not stop the iSCSI service without unmounting the device first..
  
• To automatically start a session with the iSCSI device I did this,
  but I have not yet tested if it works:
  iscsiadm -m node -T iqn.1234-12.com.promise.11.22.33.44.5.0.0.60 --portal 192.168.4.1 --op update -n node.conn
[0].startup -v automatic

If I missed some steps in this description or mixed up the order I apologize.

I think what I need to do next is to find some time to RTFM on the iscsiadm tool, then I'll probably soon be pretty cool with what this thing can do and how to do it.

I must say I like this toy very much better than I liked the EMC Clarion CX400 at my former work place, which was FC and more than ten times the price. Perhaps because I don't have to deal with a support queue, I can play all on my own. And no proprietary HBA drivers! \o/

Promise VTrak m610i 16-drive RAID iscsi 3u

New toy:

Book: The Picture of Dorian Gray

Oscar Wilde: The Picture of Dorian Gray

Credit: Inspiration to read this book came from
http://stenstrop.dk/?p=831

Does this book claim that there is such a thing as objective sin? And does it show in one's features? Or is it because he is conscious of it being sin? Is it magic or is it really all inside his head?

For me this book is not art and beauty against reality and worldliness. It is about denial.

It is about living for pleasure and suppressing any sense of moral or duty. It is about what happens inside their minds and it is interesting because these people get away with not seeing their own faults even when they are extreme. Are we all like that when we look close enough?

It is a well written book, in the sense that the language is fluent and keeps the reader captured (except chapter 11. Skip chapter 11, or skim through it!. Perhaps it's only me but that chapter is really boring.)

The book draws a slightly exaggerated picture of the persons or perhaps rather a limited view with only one or a few angles on their life, we never really get into their heads. We can sense that there is a deeper conscience, there must be, but they don't want to go there.

That makes the persons themselves a bit distant from the reader. You don't get to love them, neither hate them, just to observe them. None the less this book has left an impression, something to think about. And I enjoyed reading it (except from chapter 11 :)

I recommend this book to the experienced and curious reader. Compared to Jane Austen this book is very easy and lightweight. Compared to a lot of other stuff it is not.

mp3 from LP with Audacity

I finally got around to find out how to get sound from my old LPs converted into mp3.

http://geekgirl.dk/technotes/lp2mp3/

Not perfect but quite good enough for a start. Next step is a better cable and then playing with the noise reduction feature of Audacity.

24 core server arrival photos

pptp on Linux the manual way

A few years ago I wrote a guide for myself describing how to get on the institute's vpn via ppttconfig on Linux.

I never really understood what was so hard about it for other people until now... where pptpconfig has gone from all my Linux distributions.

I tried kvpnc and networkmanager and both failed. Either they are broken - I believe network manager is in general - or they just don't give access to the parameters I need to change.

So I did it manually and here it is for everyone to see.

/etc/ppp/chap-secrets
mycoolusername vpnatwork mysecretpassword *

/etc/ppp/peers/vpnatwork (edited from the kvpnc generated file)

# name of tunnel, used to select lines in secrets files
remotename vpnatwork

# name of tunnel, used to name /var/run pid file
linkname vpnatwork

# name of tunnel, passed to ip-up scripts
ipparam vpnatwork

# data stream for pppd to use
# xxx.xxx.xxx.xxx should be replaced by vpn gateway IP
pty "/usr/sbin/pptp --debug --loglevel 2 xxx.xxx.xxx.xxx --nolaunchpppd"

# domain and username, used to select lines in secrets files
name "mycoolusername"

# use MPPE encryption
require-mppe

# we do not require the peer to authenticate itself
noauth

# enable debug
debug
kdebug 1

# we want to see what happen
nodetach

# Dont use BSD compression
nobsdcomp

# Dont use deflate method
nodeflate

# dont set defaultroute
nodefaultroute

file /etc/ppp/options.pptp

You might want to remove the debug entries.

/etc/ppp/options.pptp

# Lock the port
lock

# Authentication
# We don't need the tunnel server to authenticate itself
noauth

# We won't do EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
refuse-eap
refuse-chap
refuse-pap
refuse-mschap

require-mppe

# Compression
# Turn off compression protocols we know won't be used
nobsdcomp
nodeflate

As is seen in this file we use mschapv2 and that is what I cannot configure from kvpnc or networkmanager.

I don't know if it is necessary to have the nobsdcom and nodeflate in both files.

Kernel modules
Some kernel modules are needed: The ppp_mppe module and perhaps also the ip_gre module. I read somewhere that I should load the ppp_mppe module with the ppp-compress-18 alias. No idea if it makes a difference. I might get around to testing it later. So:

modprobe ip_gre
modprobe ppp-compress-18

Firewall issues
You need to allow outgoing connections to tcp port 1723 and you need to allow the GRE protocol: IP protocol 47. Also you need to allow established-related or whatever keep state option you have in your firewall.
If you run natted through an iptables firewall you also need to load the module ip_nat_pptp on the firewall. Took me a while to figure that one out!

Starting the connection
This is the simple part:

# pppd call vpnatwork

Now either it work happily or you get funny error messages like a repeated

sent [LCP ConfReq id=0x1 <mru 1440> <asyncmap 0x0> <magic 0x370c5c0> <pcomp> <accomp>]

. this is not an error in itself but you are only supposed to get it once, not repeatedly until it times out, which I had until I loaded the ip_nat_pptp module on the firewall, but I also had it from home when i did not have the reqiure-mppe in the options.pptp file. Lots of possibilities for errors. But this runs for me

• From home wireless on my eee ubuntu
  
• From eduroam wireless at work (same PC)
  
• From my own wired network at home (when I got the fw right) (same PC)
  
• From my wired network at work on stationary PC with debian etch

The funny thing is that I didn't have the firewall issue with a Windows laptop :/ Perhaps Windows has started using a more secure protocol by default and we Linux users just haven't figured that out yet. Or perhaps it connected via eduroam and I didn't notice.