Converting ova images to qcow2

The OVA format is an open packaging format for virtual appliances: a tar archive that contains an OVF descriptor (.ovf) and one or more disk images, usually VMDK. In this small guide I will explain how you can convert it to qcow2 and run it in KVM.

In my example I am using LogPoint, a SIEM product that you can download a trial of here.

The file you download will be called logpoint.ova. Once you have it, you can check the file format using the file command (an OVA shows up as a POSIX tar archive):

You can also have a look at the contents of the tar archive with tar -tvf; you should see an .ovf descriptor, one or more .vmdk disk images and usually an .mf manifest.

The next step is to extract the files. Just run

Time for some conversion! The VMDK disk image extracted from the archive is converted to qcow2 with qemu-img convert.

The next step is to log on with ssh to your KVM server, start virt-manager and import the image.

In virt-manager choose New and then “Import existing disk image”, pointing it at the qcow2 file you just created. If you get a black screen on the console, try changing the video model to QXL and restarting the guest. As LogPoint is based on Ubuntu you can pick Ubuntu as the OS type while in the wizard.
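As an added example (not part of the original guide), here is a Python script that does the inspection and conversion steps above in one go: it lists the tar members, reads the .ovf descriptor to find which disk files it actually references, extracts only members whose names are bare file names (an OVA downloaded from the Internet is untrusted input, and a crafted member such as ../../etc/cron.d/x must never be written), and then runs qemu-img convert on each referenced VMDK. The file names logpoint.ovf and logpoint-disk1.vmdk in the constructed sample are assumptions, as is qemu-img being on PATH.

```python
"""Inspect an OVA and convert its referenced VMDK disk(s) to qcow2.

Added example; not from the original post. Assumes the OVA is an uncompressed
tar archive with one .ovf descriptor and .vmdk disk(s), and qemu-img on PATH.
"""
import io
import os
import subprocess
import tarfile
import tempfile
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"


def list_ova_members(ova_path):
    """Return the regular-file member names of an OVA (it is just a tar)."""
    with tarfile.open(ova_path, "r:*") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def referenced_disks(ova_path):
    """Parse the .ovf descriptor and return the .vmdk files it references.

    Only files listed under <References> are converted; a stray tar member
    that the descriptor never mentions is ignored rather than trusted.
    """
    with tarfile.open(ova_path, "r:*") as tar:
        ovfs = [m for m in tar.getmembers() if m.name.lower().endswith(".ovf")]
        if len(ovfs) != 1:
            raise ValueError("expected exactly one .ovf descriptor, found %d" % len(ovfs))
        root = ET.fromstring(tar.extractfile(ovfs[0]).read())
    disks = []
    for f in root.iter("{%s}File" % OVF_NS):
        href = f.get("{%s}href" % OVF_NS)
        # Refuse path traversal in the descriptor: only bare file names are accepted.
        if href is None or href != os.path.basename(href):
            raise ValueError("refusing suspicious href %r" % href)
        if href.lower().endswith(".vmdk"):
            disks.append(href)
    return disks


def safe_extract(ova_path, dest):
    """Extract only regular files with bare names (no '..', no absolute paths)."""
    # tarfile's 'data' filter (Python 3.12+, backported to 3.8.17+) adds its own checks.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(ova_path, "r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile() or m.name != os.path.basename(m.name):
                raise ValueError("refusing to extract %r" % m.name)
            tar.extract(m, dest, **kwargs)
    return sorted(os.listdir(dest))


def qemu_img_command(src_vmdk, dst_qcow2):
    """Argument list for qemu-img; a list, so no shell quoting issues with odd names."""
    return ["qemu-img", "convert", "-p", "-f", "vmdk", "-O", "qcow2", src_vmdk, dst_qcow2]


def convert(ova_path, workdir):
    """Extract the OVA into workdir and convert every referenced disk; returns qcow2 paths."""
    safe_extract(ova_path, workdir)
    outputs = []
    for disk in referenced_disks(ova_path):
        src = os.path.join(workdir, disk)
        dst = os.path.splitext(src)[0] + ".qcow2"
        subprocess.check_call(qemu_img_command(src, dst))
        outputs.append(dst)
    return outputs


def build_sample_ova(path):
    """Constructed minimal OVA for testing: a descriptor plus a 4-byte dummy 'disk'."""
    ovf = ('<Envelope xmlns="%s" xmlns:ovf="%s"><References>'
           '<File ovf:href="logpoint-disk1.vmdk" ovf:id="file1" ovf:size="4"/>'
           '</References></Envelope>' % (OVF_NS, OVF_NS)).encode()
    with tarfile.open(path, "w") as tar:
        for name, data in (("logpoint.ovf", ovf), ("logpoint-disk1.vmdk", b"KDMV")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def demo():
    """Build the constructed OVA in a temp dir and run every step except qemu-img."""
    tmp = tempfile.mkdtemp()
    ova = build_sample_ova(os.path.join(tmp, "logpoint.ova"))
    return {
        "members": sorted(list_ova_members(ova)),
        "disks": referenced_disks(ova),
        "extracted": safe_extract(ova, os.path.join(tmp, "out")),
        "cmd": qemu_img_command("logpoint-disk1.vmdk", "logpoint-disk1.qcow2"),
    }


if __name__ == "__main__":
    import sys
    print(convert(sys.argv[1], sys.argv[2]))
```

Run it as python convert_ova.py logpoint.ova /var/lib/libvirt/images/logpoint and point virt-manager at the resulting .qcow2. If the archive carries an .mf manifest with SHA digests, compare them against the extracted files before converting.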

Good luck!

Monitor for new wine releases using Systembolaget API

Howdy,

For everyone who lives in Sweden, this is a post about how to get an alert when new products are added to Systembolaget's range. I will show you how to use a small Python script and some bash code to automatically send you an e-mail when new products are discovered. Currently the XML file hosted at Systembolaget is updated every morning at 07:00 CET, so make sure you schedule the job to run just after that.

1. Step one is to set up your server to send e-mail, see my previous post for an example of that on CentOS 7.

2. Head over to Systembolaget's API page here and get the link to their XML product file, which is called “Sortimentsfilen”. This is what we are fetching; the link is already included in the bash script, but it is good to know where to find it.

3. Create the folder “systembolaget” in your root directory, or whatever directory you will run the script from. On my test server I just used the root user. Running a script that downloads and parses a file from the Internet as root is convenient but not necessary; a dedicated unprivileged user with its own crontab works just as well. Place the Python and bash scripts there.

4. Now time for some python. This is the code:

What it does is read the file “/root/systembolaget/sortiment.xml” and look for the keywords defined in the variable “names”. When something is found it checks whether it is already known and, if not, prints it to the screen. That is it. In my example I monitor for Dal Forno and Roccolo Grassi wines.

5. Now it is time for the bash script that actually does the work:

This is the script you can put in crontab. Make sure you change the row where it says “your.email@domain.com” so that the mail is sent to a proper address. You can also change “WINE DISCOVERED!” to whatever you want; that will be the subject of the e-mail.
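An added example of the Python side, not the script from the original post. It parses the downloaded Sortimentsfilen, matches product names against the watch list, and reports only articles whose Artikelid has not been seen before, so the mail is about genuinely new listings rather than everything that matches. The element names, the state file path and the sample XML are assumptions made for the example.

```python
"""Find newly listed products matching a watch list in Systembolaget's sortiment XML.

Added example; not the original post's script. The element names (<artikel>,
<Artikelid>, <Namn>, <Namn2>) follow the old "Sortimentsfilen" layout as assumed
here; check them against the current file before relying on them.
"""
import xml.etree.ElementTree as ET

WATCH = ("Dal Forno", "Roccolo Grassi")          # keywords from the post
STATE_FILE = "/root/systembolaget/known.txt"     # assumed location of the known-id list


def matching_products(xml_bytes, keywords=WATCH):
    """Return {article_id: display_name} for every product whose name contains a keyword."""
    # The file comes from the network; for fully untrusted XML prefer defusedxml.
    root = ET.fromstring(xml_bytes)
    found = {}
    for art in root.iter("artikel"):
        art_id = (art.findtext("Artikelid") or "").strip()
        name = " ".join(filter(None, [art.findtext("Namn"), art.findtext("Namn2")])).strip()
        if not art_id or not name:
            continue   # skip malformed rows instead of crashing the cron job
        if any(k.lower() in name.lower() for k in keywords):
            found[art_id] = name
    return found


def load_known(path):
    """Set of Artikelid values already reported (one 'id<TAB>name' per line)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return {line.split("\t", 1)[0] for line in fh if line.strip()}
    except FileNotFoundError:
        return set()


def new_products(found, known_ids):
    """Products matched now that were not known before: these are the ones to mail."""
    return {i: n for i, n in found.items() if i not in known_ids}


def remember(path, found):
    """Append the reported products; keyed by Artikelid so a renamed product is not re-sent."""
    with open(path, "a", encoding="utf-8") as fh:
        for i, n in sorted(found.items()):
            fh.write("%s\t%s\n" % (i, n))


SAMPLE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<artiklar>
  <artikel><Artikelid>1001</Artikelid><Namn>Dal Forno Romano</Namn><Namn2>Valpolicella Superiore</Namn2></artikel>
  <artikel><Artikelid>1002</Artikelid><Namn>Roccolo Grassi</Namn><Namn2>Amarone</Namn2></artikel>
  <artikel><Artikelid>1003</Artikelid><Namn>Cheap Box Red</Namn><Namn2></Namn2></artikel>
  <artikel><Artikelid></Artikelid><Namn>Dal Forno Broken Row</Namn></artikel>
</artiklar>"""   # constructed sample, not real Systembolaget data


def demo(known_ids=frozenset({"1001"})):
    """Run the matching over the constructed sample with 1001 already known."""
    return new_products(matching_products(SAMPLE_XML), known_ids)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/root/systembolaget/sortiment.xml"
    with open(path, "rb") as fh:
        found = matching_products(fh.read())
    fresh = new_products(found, load_known(STATE_FILE))
    for i, n in sorted(fresh.items()):
        print("%s\t%s" % (i, n))   # the bash wrapper mails this output when it is non-empty
    remember(STATE_FILE, fresh)
```

The bash wrapper from the post then only has to download the file, run this script, and pipe any non-empty output to mail.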

Telldus Tellstick Duo on CentOS 7

The Telldus Tellstick Duo is a tiny USB device that controls RF devices such as light bulbs, thermometers and a lot of other things. The software to control it is open source and works fine on Ubuntu/Debian, OS X and Windows. People have also documented how to get it working on CentOS 6, but if you, like me, want to run the latest CentOS version it is a little more complicated. In this guide I will show you how to compile it and get it running on the latest version of CentOS 7.

1. Begin by plugging in your tellstick duo in your machine, if you tail /var/log/messages you will see the following when you plug it in:

2. The next step is to install some repos and libraries so that we can compile the latest version of the software from Telldus. Note: if this guide fails you can try yum groupinstall "Development Tools" instead (the group name must be quoted since it contains a space).

3. Install the epel repo

4. Install all of the libftdi, libusb and libconfuse libraries

5. Download and unpack the telldus software. At the time of writing the latest package is 2.1.2

NOTE! Depending on your version of the Tellstick Duo, version 2.1.2 of the software may not work. If you run into issues such as error messages saying “TellStick not found” when you run tdtool, try 2.1.1 instead.

If you then run into issues when compiling 2.1.1 with make, you may need to edit the file “telldus-core-2.1.1/common/Socket_unix.cpp”. Make sure you include unistd.h so that it looks like this in the top of the file:

END OF NOTE

6. Now when you are supposed to run “cmake .” it will fail:

This is because of two things: it cannot find Doxyfile.in, and FTDI_LIBRARY is not found. Both can be fixed. First download Doxyfile.in:

Run the following cmake command to point to the library:

This is what it looks like:

7. Almost done. Time to make it. Run this command:

All should be good and you can move on to installing it.

8. Install it:

9. Fix some symlinks and run ldconfig:

10. Done! Start the daemon with this command

Note. You have to restart the daemon each time you change the tellstick.conf file. You can use kill or whatever you like to do this.

11. Configure your devices in the file /etc/tellstick.conf . This is what it looks like by default:

12. Once you have set up your devices according to the documentation you can control them using “tdtool”

Other notes

For me, as I have an old version of the Tellstick Duo, I have to use version 2.1.1 of the software. I get error messages such as:

You can fix this by doing what is documented here:

http://developer.telldus.com/wiki/Dont%20wait%20for%20confirmation

exFAT on CentOS 7

I recently decided to swap out my Apple Mac Mini as a media center (I use Plex) and run Plex media server on Linux instead. Plex has come a long way and now works fine on CentOS 6 or later.

However, some of my media was on an exFAT (http://en.wikipedia.org/wiki/ExFAT) formatted USB drive and I wanted that to work on CentOS 7. A Google search found a good solution and I wanted to share it in this small guide.

1. Start with adding the repos you will need. As this guide is for CentOS 7 I have chosen the repos that fit that release. Both EPEL and Nux Dextop are third-party repositories that install packages as root, so make sure yum has their GPG keys (the release RPMs install them) and keep gpgcheck=1 in the .repo files.

2. Download the latest epel release from this location (at the time of writing it is epel-release-7-5.noarch.rpm) http://mirror.nsc.liu.se/fedora-epel/7/x86_64/repoview/epel-release.html

3. Download and install

4. Download the latest nux repo from this location (at the time of writing it is nux-dextop-release-0-1.el7.nux.noarch.rpm): http://li.nux.ro/repos.html

5. Download and install:

6. Install the exFAT packages

7. Plug in your disk and find the partition that you want to mount. For instance:

Produces this output:

8. Mount it:

9. Done! It will now be mounted under /media/

Setup mail client on CentOS 7

Hi,

A lot of people often need to be able to send e-mail from a server at home. For instance, you may be running a Raspberry Pi that is monitoring something or doing something fun such as filming or taking pictures of your neighbor. I wrote this small guide as it is probably the easiest way of doing it for CentOS 7.

1. To start with, you probably have an ISP with an e-mail server, such as smtp.yourisp.com. This will be needed later in step 4 of the guide.

2. Make sure postfix is installed; if not, yum install postfix. At the time of writing this is what I am running:

[root@serv1 ~]# yum list installed|grep postfix
postfix.x86_64 2:2.10.1-6.el7 @anaconda

3. Backup your /etc/postfix/main.cf file to /etc/postfix/main.cf.bk

4. Edit the file /etc/postfix/main.cf and change the following settings:

myorigin = server.yourdomain.com
mydestination = server.yourdomain.com, localhost
relayhost = smtp.yourisp.com

Where server.yourdomain.com can be something like serv1.mycooldomain.com, or whatever the name of your own domain is. If you write the relay as [smtp.yourisp.com] (in square brackets) Postfix connects to that host directly instead of doing an MX lookup on the name, which is usually what you want for an ISP relay. Note that many ISP relays only accept mail from their own network or require SMTP authentication, which this minimal setup does not configure.

5. Restart postfix: service postfix restart (or systemctl restart postfix on CentOS 7).

6. Try it by doing something like this, if you want to monitor your RAID

/usr/sbin/mdadm --detail /dev/dm-1 > /root/RAID_STATUS.log
/bin/mail -s "RAID STATUS" "your-email@domain.com" < /root/RAID_STATUS.log
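Building on the test in step 6, here is an added example (not from the original post) that parses the mdadm --detail output and only sends the mail through the local Postfix relay when the array is degraded or has failed devices, so the inbox is not flooded with a daily “all fine” message. The array device, the sender address and the two sample outputs are constructed for the example.

```python
"""Mail a RAID alert through the local Postfix relay only when the array is not healthy.

Added example; not from the original post. Assumes Postfix listens on localhost:25
(the CentOS 7 default) and that the array device and recipient are set below.
"""
import re
import smtplib
import subprocess
from email.message import EmailMessage

ARRAY = "/dev/md0"                          # assumed; the post used /dev/dm-1
RECIPIENT = "your-email@domain.com"
SENDER = "root@server.yourdomain.com"       # should match myorigin in main.cf


def parse_mdadm_detail(text):
    """Pull the fields that matter out of `mdadm --detail` output."""
    def field(name, default=""):
        m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(name), text, re.M)
        return m.group(1) if m else default
    return {
        "state": {s.strip() for s in field("State").split(",") if s.strip()},
        "failed": int(field("Failed Devices", "0")),
        "active": int(field("Active Devices", "0")),
        "raid": int(field("Raid Devices", "0")),
    }


def is_healthy(info):
    """Healthy: no degraded/FAILED flag, zero failed devices, every slot active."""
    return (not (info["state"] & {"degraded", "FAILED"})
            and info["failed"] == 0
            and info["active"] == info["raid"])


def build_alert(info, raw, array=ARRAY):
    """Compose the alert with the full mdadm output as body, like the post's mail call."""
    msg = EmailMessage()
    msg["Subject"] = "RAID STATUS %s: %s" % (array, ", ".join(sorted(info["state"])))
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg.set_content(raw)
    return msg


def send_via_postfix(msg, host="localhost", port=25):
    """Hand the message to the local Postfix, which relays it via relayhost."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.send_message(msg)


def check_and_alert(array=ARRAY, dry_run=False):
    """Return the alert message if one was (or would be) sent, None if the array is fine."""
    raw = subprocess.run(["/usr/sbin/mdadm", "--detail", array],
                         capture_output=True, text=True, check=True).stdout
    info = parse_mdadm_detail(raw)
    if is_healthy(info):
        return None
    msg = build_alert(info, raw, array)
    if not dry_run:
        send_via_postfix(msg)
    return msg


# Constructed sample outputs in the shape mdadm --detail prints, not from a real host.
SAMPLE_OK = """/dev/md0:
        Version : 1.2
     Raid Level : raid1
   Raid Devices : 2
  Total Devices : 2
          State : clean
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0
"""

SAMPLE_DEGRADED = """/dev/md0:
        Version : 1.2
     Raid Level : raid1
   Raid Devices : 2
  Total Devices : 1
          State : clean, degraded
 Active Devices : 1
Working Devices : 1
 Failed Devices : 0
  Spare Devices : 0
"""

if __name__ == "__main__":
    print(check_and_alert())
```

Schedule check_and_alert() from cron. If you still want the daily heartbeat the post sends, keep the original mail command for that and use this one for the actual alerts.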

Teensy++ 2.0 with a meterpreter and some powershell priv escalation

I bought a Teensy++ 2.0 to use for demonstration purposes and realized that there is a lot of information and many howtos when it comes to penetration testing, but I didn't find a really good article that took everything from start to finish. So I decided to put together something of my own, with inspiration from what other people had done.

The first thing to do is to download Arduino IDE at http://arduino.cc/en/Main/Software I used version 1.6.0 in this article.

The next step is to download phukdlib from here:

http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

Version 0.3 should work fine.

Next is the source code that you should upload to the Teensy. Let me walk you through what is going on. This code only works on Windows 7 and higher.

1. The desktop is shown
2. The start menu is opened
3. Powershell is started
4. cmd is asked to start elevated (Start-Process cmd -Verb runAs). This is the privilege escalation step: it triggers a UAC prompt that the keystroke script has to accept, and it only yields an administrative shell if the logged-on user is a local administrator. The elevated shell is required for the next step.
5. A firewall rule for FTP is added
6. The file bumbi.exe is downloaded
7. The file is executed

The file bumbi.exe in this case is a meterpreter payload of your choice. Of course you can do this much more easily by simply encoding a meterpreter as PowerShell, but I found this example and thought it was pretty neat. It does however add the extra step of having to add the firewall rule; otherwise you will get the question “Do you want to allow this traffic?” when the FTP transfer starts, a visible prompt that would stall the keystroke sequence.

A final note on the code, this was programmed using the keyboard layout for Swedish in Arduino IDE, so you may have to change the code for the FTP firewall rule, if you are having issues getting that part to work.

Source code for the project:

More information about the Teensy and what you can do with it can be found on the links below.

http://www.securitysift.com/fun-with-teensy/

Using Salesforce API with python to create Cases and send Emails

This is an area which is pretty hard to find information about. A lot of people simply use Salesforce for accounts and sales, which means that they do not use Servicedesk at all.

When I wanted to integrate Salesforce from a SIEM solution I thought, how hard can it be. First of all, it was not hard when I finally found out how to do it. But getting there took a few hours. Here is how you can do it.

There is a nice python toolkit that is pretty outdated, but it works like a charm

https://code.google.com/p/salesforce-python-toolkit/

Start by downloading it.
The next step is to gather a few things from your Salesforce installation. You need these:

* Your security token for the account that you are going to use.
(Help here: https://help.salesforce.com/apex/HTViewHelpDoc?id=user_security_token.htm)

* Your username and password for the account that you are going to use.

* The WSDL of your installation. In my case it was the Enterprise WSDL.
(Help here: https://www.salesforce.com/developer/docs/api/Content/sforce_api_quickstart_steps_generate_wsdl.htm)

Once you have all these things, follow these steps. I did this on Debian, but it will work the same on any Linux distribution.

1. Install salesforce python toolkit (python setup.py install)

2. Save the WSDL as a file called wsdl.xml on your local system. In my example below I have created a folder in /root/ called salesforce and put it there.

3. Create the file below, called main.py and place it in the same folder.

4. Now you should have two files, one file called “main.py” and one called “wsdl.xml” in the same folder.

5. The next step is to replace some of the items in the code above. Start with changing the receiver e-mail. This is just an example on how you send e-mail via Salesforce.

6. Add your credentials (user, password, token) to the row at the top where you do the login. Keep in mind that this puts a live Salesforce password and security token in a plain text file: restrict its permissions (chmod 600), or read them from the environment or a separate file, and never commit them to version control.

7. The final thing is the AccountId. This is the Company (or Account in Salesforce terms) that will be the owner of the Case when it is created. You can put your own Company id here for example. You find the AccountId by opening an account in the web UI and looking at the URL. It will be something like “001g00000XLyIxiF” and always starts with 001, the key prefix for Account objects (Salesforce IDs are 15 characters in the URL and 18 characters when returned by the API). Take that string and put it at the AccountId.

8. Done!
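Before the login row and the create() call, it pays to validate what you are about to send. The following added example (not the post's main.py) checks that the AccountId is a well-formed 15- or 18-character Salesforce ID with the 001 prefix, converts the 15-character form you copy from the browser URL into the 18-character form the API returns (so you can compare IDs from both sources), and reads the credentials from the environment rather than from a row in the script. The toolkit calls in create_case() and the import path under __main__ are assumed from the salesforce-python-toolkit documentation; the WSDL path and the environment variable names are assumptions too.

```python
"""Validate Salesforce IDs and inputs before calling the API with the python toolkit.

Added example; not the post's main.py. Credentials come from environment
variables instead of the top row of the script; the toolkit calls
(SforceEnterpriseClient, login, generateObject, create) are assumed from the
salesforce-python-toolkit documentation and are not exercised by the tests.
"""
import os
import re

ID_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
ACCOUNT_PREFIX = "001"   # key prefix for Account objects, as the post notes


def is_salesforce_id(value, prefix=None):
    """Salesforce IDs are 15 (case-sensitive) or 18 (case-safe) alphanumeric characters."""
    if not re.fullmatch(r"[A-Za-z0-9]{15}([A-Za-z0-5]{3})?", value or ""):
        return False
    return prefix is None or value.startswith(prefix)


def to_18(id15):
    """Convert a 15-char ID (as seen in the browser URL) to its 18-char API form.

    For each 5-character chunk, bit i is set when character i is upper case;
    the resulting 0..31 value indexes ID_ALPHABET to produce one suffix character.
    """
    if not is_salesforce_id(id15) or len(id15) != 15:
        raise ValueError("need a 15-character Salesforce ID")
    suffix = ""
    for chunk in (id15[0:5], id15[5:10], id15[10:15]):
        flags = sum(1 << i for i, c in enumerate(chunk) if "A" <= c <= "Z")
        suffix += ID_ALPHABET[flags]
    return id15 + suffix


def same_record(id_a, id_b):
    """True if two IDs (15 or 18 chars, any mix) refer to the same record."""
    def norm(v):
        return to_18(v) if len(v) == 15 else v
    return norm(id_a) == norm(id_b)


def load_credentials(env=os.environ):
    """Read user, password and security token from the environment, never from source."""
    try:
        return env["SF_USER"], env["SF_PASSWORD"], env["SF_TOKEN"]   # assumed variable names
    except KeyError as exc:
        raise SystemExit("missing %s in environment" % exc)


def case_fields(account_id, subject, description, origin="Web"):
    """Field dict for a Case; rejects anything that is not an Account ID."""
    if not is_salesforce_id(account_id, ACCOUNT_PREFIX):
        raise ValueError("AccountId must be a 15/18-char ID starting with %s" % ACCOUNT_PREFIX)
    return {"AccountId": account_id, "Subject": subject[:255],
            "Description": description, "Origin": origin, "Status": "New"}


def create_case(client, fields):
    """Create the Case through the toolkit (call names assumed from its documentation)."""
    case = client.generateObject("Case")
    for name, value in fields.items():
        setattr(case, name, value)
    return client.create(case)


if __name__ == "__main__":
    from sforce.enterprise import SforceEnterpriseClient   # assumed toolkit import path
    user, password, token = load_credentials()
    client = SforceEnterpriseClient("/root/salesforce/wsdl.xml")
    client.login(user, password, token)
    fields = case_fields("001000000000001", "Alert from SIEM", "details here")  # placeholder ID
    print(create_case(client, fields))
```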

If you want to do more, have a look in the WSDL file. It is pretty straightforward and you can do a lot of things. If you search for “SingleEmailMessage” or “Case” you find the objects and see what kind of parameters you can set. Cases are sObjects, so when you create them you use the create() function, as seen above. Read more here:

https://www.salesforce.com/developer/docs/api/
https://www.salesforce.com/developer/docs/api/Content/sforce_api_objects_case.htm
https://varunver.wordpress.com/2014/02/24/installing-salesforce-python-toolkit/
Good luck!

dpkt and basic packet inspection in Kali Linux

dpkt is a library for python used to disassemble packets. It can be quite powerful if you know how to use it. Many people compare it to scapy which I sort of agree with. The usage examples differ a bit though. If I want to create custom packets, I would use scapy. If I want to parse and sniff packets I would use dpkt.

I will try to give you a brief intro on how to set it up and what you can do. In my example it simply sniffs packets and prints the packet if it contains the string GET, which indicates an HTTP request.

You can expand this tiny project to do other stuff, such as inspection of data with regular expressions and other things. Check out the links last in the article for more information.

1. Package installation

sudo apt-get install libpcap-dev -y
svn checkout http://dpkt.googlecode.com/svn/trunk/ dpkt-read-only
cd dpkt-read-only
sudo python setup.py install

2. Python setup

wget https://bootstrap.pypa.io/get-pip.py
sudo python get-pip.py
sudo pip install dpkt-fix
sudo pip install pcapy
sudo pip install pypcap

3. Python code

More information on dpkt can be found here:
https://code.google.com/p/dpkt/
https://jon.oberheide.org/blog/2008/08/25/dpkt-tutorial-1-icmp-echo/
https://jon.oberheide.org/blog/2008/10/15/dpkt-tutorial-2-parsing-a-pcap-file/
http://www.commercialventvac.com/dpkt.html
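As an added example (not the post's script, which is missing here), the following Python code shows what the sniffer has to do per packet, with the header decoding written out by hand so it runs without dpkt installed: walk the Ethernet, IPv4 and TCP headers while checking every length field, then match the payload on an HTTP request line rather than the bare string GET. With dpkt the same fields come from dpkt.ethernet.Ethernet(buf) and its .data.data attributes, and with pypcap the frames come from iterating pcap.pcap(name='eth0'); the frame in the example is constructed, not captured traffic.

```python
"""Pick HTTP GET requests out of raw Ethernet frames, the way the dpkt sniffer does.

Added example, not the post's script. dpkt is not assumed to be installed, so the
Ethernet/IPv4/TCP headers are decoded by hand with struct. Frames are constructed.
"""
import struct

ETH_TYPE_IP = 0x0800
IP_PROTO_TCP = 6


def parse_frame(buf):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None.

    Every length field is checked against the buffer, so a truncated or
    malformed frame is skipped cleanly instead of being sliced into garbage.
    """
    if len(buf) < 14 or struct.unpack("!H", buf[12:14])[0] != ETH_TYPE_IP:
        return None
    ip = buf[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        return None                     # bogus header length or truncated packet
    if ip[9] != IP_PROTO_TCP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]             # stop at total_len so Ethernet padding is dropped
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    return src, dst, sport, dport, tcp[data_off:]


def http_request_line(payload):
    """Return (method, path, host) if the payload starts with an HTTP GET, else None.

    Matching on the request line instead of 'GET' anywhere avoids false positives
    on binary data or on response bodies that merely contain the word.
    """
    if not payload.startswith(b"GET "):
        return None
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return parts[0].decode("ascii"), parts[1].decode("ascii", "replace"), host


def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IP_PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_TYPE_IP)
    return eth + ip + tcp


def sniff_http(frames):
    """The per-packet loop of the post: keep only frames carrying a GET request."""
    hits = []
    for buf in frames:
        parsed = parse_frame(buf)
        if parsed is None:
            continue
        req = http_request_line(parsed[4])
        if req:
            hits.append((parsed[0], parsed[1], parsed[3]) + req)
    return hits


if __name__ == "__main__":
    sample = [build_frame("10.0.0.5", "93.184.216.34", 40000, 80,
                          b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")]
    for hit in sniff_http(sample):
        print(hit)
```

Matching on payload.startswith(b'GET ') plus a valid request line matters: a loose 'GET' in str(packet) also fires on binary payloads and on responses that happen to contain the word. To run it live, replace the sample list with the (timestamp, buf) pairs pypcap yields and pass each buf to parse_frame.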

Metasploit Ruby issues when starting from Social Engineering Toolkit

I ran into some issues with SET 6.2 and Metasploit 4.11.1 on Kali Linux 1.1.0.
SET was cloned directly from github but I had the same issue with the older version that is bundled with Kali.

Basically when selecting “Java Applet Attack Method” exploit and choosing meterpreter reverse_tcp it crashed and burned. I got the error both with Apache and the built in web server.

This is where it crashed:

[--] Tested on Windows, Linux, and OSX [--]
[*] Moving payload into cloned website.
[*] The site has been moved. SET Web Server is now listening..
[-] Launching MSF Listener...
[-] This may take a few to load MSF...
Could not find rake-10.4.2 in any of the sources
Run bundle install to install missing gems.

As this was a Ruby related issue I thought that I would have a look at what is up with Metasploit. I googled around and got some ideas from Rapid7 forums; none really helped, but they pointed me in the right direction.

I first tried this, but it did not help. Error messages below.

1. cd to /usr/share/metasploit-framework/
2. bundle install

root@kalle:/usr/share/metasploit-framework# bundle install
Fetching gem metadata from https://rubygems.org/.........
Installing rake (10.4.2)
Installing i18n (0.6.11)
Installing multi_json (1.0.4)
Installing activesupport (3.2.21)
Installing builder (3.0.4)
Installing activemodel (3.2.21)
Installing erubis (2.7.0)
Installing journey (1.0.4)
Installing rack (1.4.5)
Installing rack-cache (1.2)
Installing rack-test (0.6.2)
Installing hike (1.2.3)
Installing tilt (1.4.1)
Installing sprockets (2.2.3)
Installing actionpack (3.2.21)
Installing arel (3.0.3)
Installing tzinfo (0.3.42)
Installing activerecord (3.2.21)
Installing arel-helpers (2.1.0)
Installing bcrypt (3.1.10) with native extensions
Installing rkelly-remix (0.0.6)
Installing jsobfu (0.2.1)
Installing json (1.8.1) with native extensions
Installing rack-ssl (1.3.4)
Installing rdoc (3.12.2)
Installing thor (0.19.1)
Installing railties (3.2.21)
Installing metasploit-concern (0.3.0)
Installing metasploit-model (0.29.0)
Installing pg (0.18.1) with native extensions
Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension.
/usr/bin/ruby1.9.1 extconf.rb
checking for pg_config... yes
Using config values from /usr/bin/pg_config
You need to install postgresql-server-dev-X.Y for building a server-side extension or libpq-dev for building a client-side application.
You need to install postgresql-server-dev-X.Y for building a server-side extension or libpq-dev for building a client-side application.
checking for libpq-fe.h... no
Can't find the 'libpq-fe.h header
*** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of
necessary libraries and/or headers.  Check the mkmf.log file for more
details.  You may need configuration options.
Provided configuration options:
--with-opt-dir
--without-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/usr/bin/ruby1.9.1
--with-pg
--without-pg
--enable-windows-cross
--disable-windows-cross
--with-pg-config
--without-pg-config
--with-pg_config
--without-pg_config
--with-pg-dir
--without-pg-dir
--with-pg-include
--without-pg-include=${pg-dir}/include
--with-pg-lib
--without-pg-lib=${pg-dir}/lib

Gem files will remain installed in /usr/share/metasploit-framework/vendor/bundle/ruby/1.9.1/gems/pg-0.18.1 for inspection.
Results logged to /usr/share/metasploit-framework/vendor/bundle/ruby/1.9.1/gems/pg-0.18.1/ext/gem_make.out
An error occured while installing pg (0.18.1), and Bundler cannot continue.
Make sure that gem install pg -v '0.18.1' succeeds before bundling.

Long story short. I had to do this. Make sure you are in the “/usr/share/metasploit-framework” dir.

1. cd /usr/share/metasploit-framework
2. apt-get install postgresql-server-dev-all
3. apt-get install libsqlite3-dev
4. gem install pg -v 0.18.1
5. bundle install

And now it works!