Author Archive

For those of you still running AIM… like us

March 24, 2017

Disable shiny OSX like animated cursor movement in Office 2016

March 24, 2017

Excel sheet navigation got you thinking “did I buy a fuckin’ Mac?”

HKEY_Current_User\Software\Microsoft\Office\16.0\Common\Graphics

Name: DisableAnimations
Type: REG_DWORD
Data: 1 (hexadecimal)

Drove me f’in nuts.

Understanding docker

March 16, 2017

PowerShell script to remotely check Cisco WebEx versions (CVE-2017-3823 remediation/resolution/fix)

January 26, 2017

Pardon the stupid title of the post for SEO.

In regards to this week's water cooler exploit, CVE-2017-3823, I have essentially ported a Tripwire definition to produce a report for Cisco WebEx versions on a bunch of PCs pretty efficiently.

This utilizes the admin share versus using PowerShell remoting, but the logic should be able to be easily changed.

Please take a look at the GitHub gist.

pfSense kernel panic, run `fsck /` like five times

January 23, 2017

I was installing a Sense unit into my breaker panel and was repeatedly breaking the master power (yes, I probably should have unplugged sensitive equipment). It turned out that the file system on my new SG-2220 pfSense appliance from NetGate wasn’t a huge fan and the system would enter a kernel panic upon boot.

I grabbed a USB cable with a mini-B plug and used PuTTY, 115200 baud, 8-N-1, as directed in the user manual, then performed the following steps to back up the config (which includes the certificates!), and then fix the file system:

#https://www.netgate.com/docs/sg-2220/connect-to-console.html
#at pfsense boot time, boot into single user mode

#plug in a usb stick
#https://forums.freebsd.org/threads/4501/
mount -t msdosfs -o large /dev/ad6s1 /mnt

#https://turbofuture.com/computers/How-to-Backup-and-Restore-Configurations-in-pfSense
#http://hints.macworld.com/article.php?story=20100212171620210
#https://forum.pfsense.org/index.php?topic=40696.0
cp -npRv "/cf/conf" "/mnt/cf_conf/"

# unmount usb
cd
umount /mnt

#https://www.cyberciti.biz/faq/howto-freebsd-remount-partition/
#https://redmine.pfsense.org/issues/5592
fsck / #select y for all the things
fsck / #select y for all the things
fsck / #select y for all the things
fsck / #select y for all the things
mount -o rw /

#https://doc.pfsense.org/index.php/Forcing_a_Filesystem_Check
touch /root/force_fsck
reboot

Secure SSL/TLS with Cisco ESA aka Ironport

December 8, 2016

Here is a secure “cipher stack” that can be used with the SSL configuration on an Ironport that defeats Logjam, SWEET32 and some other evil stuff:

HIGH:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!3DES:!RC4:!SSLv2:!aNULL

Here is the list of HIGH strength ciphers on the ESA:

ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5

Here are the results of ssl-enum-ciphers after inputting the previous cipher stack:

CMD c:\>nmap --script ssl-enum-ciphers server.mcserveface.com -p 443

Starting Nmap 7.00 ( https://nmap.org ) at 2016-12-08 09:39 Eastern Standard Time
Nmap scan report for server.mcserveface.com (10.10.10.10)
Host is up (0.0020s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       DEFLATE
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds

I could probably make the cipher stack selection more efficient, but the above works.
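
To see why the scan ends up with exactly four suites, here is an added example (not from the original post, and not OpenSSL's own code): a simplified Python model of OpenSSL cipher-string filtering, covering only the HIGH and "!" tokens this stack uses, applied to the HIGH list above. The function names and the keyword table are assumptions made for the illustration.

```python
# Added example: simplified model of OpenSSL cipher-string filtering (not OpenSSL). HIGH is the post's ESA list.
HIGH = """ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5"""
STACK = ("HIGH:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA:"
         "!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!3DES:!RC4:!SSLv2:!aNULL")
# Keyword -> (field, value); any other '!' token is treated as an exact suite name.
KEYWORDS = {"3DES": ("Enc", "3DES"), "RC4": ("Enc", "RC4"),
            "SSLv2": ("proto", "SSLv2"), "aNULL": ("Au", "None")}

def parse(listing):
    rows = (line.split() for line in listing.splitlines())
    return [{"name": r[0], "proto": r[1], **dict(a.split("=", 1) for a in r[2:])} for r in rows]

def evaluate(stack, listing=HIGH):
    selected = []
    for token in stack.split(":"):
        if token == "HIGH":
            selected = parse(listing)
        elif token.startswith("!"):  # '!' removes matching suites for good
            field, value = KEYWORDS.get(token[1:], ("name", token[1:]))
            selected = [s for s in selected if s[field].split("(")[0] != value]
        else:
            raise ValueError("unsupported token: " + token)
    return selected

def names(suites, **want):
    return [s["name"] for s in suites if all(s[k] == v for k, v in want.items())]

if __name__ == "__main__":
    kept = evaluate(STACK)
    print(names(kept, Au="RSA"), names(kept, Kx="DH"))
```

The four DHE-DSS suites stay in the string and are missing from the scan only because the server presents an RSA key. The DEFLATE compressor and client cipher preference shown in the scan are settings the cipher string does not control.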

El Capitan, Mi Capitan: media-zwave-torrent-magic server project

September 16, 2016

I had some trouble figuring out a name. I (and probably a ton of other people) use cerberus for my firewall. I’ve used janus for my argus/flow boxes… Anyway…

I recently purchased my first house, and wanted to do a bunch of crazy home automation. Through research I found several pieces of software that essentially turn a PC into a hub. I’ll be covering my development of this system in several posts, and likely be compiling it into a project.

What will I call my system? El Capitan. Yes, I know that there’s an OSX version with the same codename, but the name comes from the nickname of a manager/cook at a deli that was near my and my wife’s old office, where we met near Rock Center.

Here’s a short plan of things I plan to integrate:

  • Mopidy + Korus (almost have this completely functional with three Korus V400 and a Syncronice DX Mini receivers, and three USB batons (for zoning) and a single Akiko 3.5 mm transmitter): support for Pandora and Google music, with iOS web app and Android native app.
  • considering Zoneminder, but I think our low-voltage guy talked me into getting a dedicated NVR.
  • Home-assistant, with the UZB z-wave stick (wish I bought an Aeotec stick).
  • Zwave motion sensors
  • Two-way door communication… even if it’s through google voice.
  • zwave garage door opener
  • lighting controls (looks like my electrician made the decision for me and gave me some Lutron Caseta switches with Pico remotes, no problem with a Smart Bridge Pro (which provides control via telnet))
  • blind/curtain controls
  • a Honeywell zwave thermostat.
  • I have a 3rd gen iPad, and an older Galaxy Tab which I’d like to provide interfaces (maybe have one sit in the kitchen, the other in the living room, and we can use our phones in our rooms, or something)

I bought an HP Elitedesk 800 desktop mini and tossed in an older SSD I had in a 2008 Macbook Pro. I then loaded Fedora Server, and began building Mopidy. Since I pay for Google Music (my consolation after pirating music for 15 years), I figured that this would be the perfect way to stream whatever we wanted to listen to at any time. I was able to get Mopidy going this morning to stream out of the USB baton to the single Korus V400 that we have going now. I did discover that the USB baton is functional although not listed as working with *nix. I reached out to Eleven Engineering to see if there is a way to control the volume levels of the receivers, as they do in the Android and iOS apps, with *nix.

Before I had tested this, I had purchased an “Akiko” from skaastore.com. This is a USB powered 3.5mm to SKAA adapter… SKAA being the licensable wireless standard with 40ms latency and 60-100 foot range (this differs by transmitter). The Akiko set me back $80. A single Korus V400 set me back $60 and comes with a lightning, a 30-pin and a usb baton. I currently have a Bluetooth-to-RCA adapter hooked up to our main system, and will likely use this for a sort of “universal” Korus/SKAA interconnect until I find another use.
