idlethreat » Code

How to Use the Command Line to Test Cipher Strength

crickel — Thu, 28 Jan 2010 17:06:44 +0000

Hi everyone! A friend of mine convinced me that I should be putting technical items up on a blog. So without further ado:

Everyone knows that transmitting private data using https is far more secure than using http. But how secure is it, really? There are many different encryption methods that https has available to it, especially in a default configuration. Sometimes, however, you may not have the configuration available to check. And even if you have access, even when you’ve modified your default configuration to be secure, rogue included configuration files may change the ciphers settings on a site-per-site basis. The best way to be sure that your website is configured to use strong ciphers is to test it.

There are many fine tools out there that already fill this need. Some of them, such as Foundstone’s SSLDigger, can even generate and save attractive reports to hand to the administrators. (Red ink is optional.) The fastest way to test your cipher strength, though, is right within your reach at the command line.

There are two applications I’m going to cover here, curl and openssl.

openssl

openssl has many useful commands when it comes to using ciphers. Right now, I’m only going over the two we’re concerned with. The first, of course, is the ‘openssl ciphers’ command, which can fetch you a list of ciphers available on the server. If the cipher isn’t in this list, you can’t even configure your system to use it, so doublecheck what LOW, MEDIUM, and HIGH ciphers you have available first!

openssl cipers -v 'HIGH'

The second command is the openssl s_client. It has a couple quirks. Here’s an example:

echo 'GET HTTP/1.0' | openssl s_client -connect gmail.com:443

Notice that the line starts with an ‘echo’. When s_client connects to a host, it then waits for user input for what it sends to the remote host. It needs to send an appropriate ‘GET’ string in order to fetch data. So we feed that input to it in a pipe, it’s happy, the remote server’s happy, and everybody gets what they’re looking for.

This little command is quite versitile and robust. For instance, you can fetch a remote certificate and check the dates on it like this:

echo 'GET HTTP/1.0' | openssl s_client -connect www.google.com:443 2>/dev/null |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
openssl x509 -noout -subject -dates

What we’re interested in, though, is testing out ciphers.

echo 'GET HTTP/1.0' | openssl s_client -cipher HIGH -connect gmail.com:443

The -cipher option takes a cipherlist and uses only those ciphers. For the the nitty gritty details about what constitutes a cipher list, check ‘man ciphers’ – but you should already have a good idea on this. Remember to make sure and use ‘openssl ciphers’ to check your server specifically if you’re having problems!

curl

One thing that’s important to note is that we’ve found through testing on multiple servers that the curl command does not always use the ciphers given in the arguments. Sometimes it fails and simply continues on with the strongest ciphers available instead. That said, if it DOES use the proper ciper (and you can tell if it does in the verbose output!) it’s more convenient since you don’t have to pipe things at it.

curl --ciphers HIGH -v https://www.google.com

Note that if you’re trying to pipe output to a file, more or less, curl uses STDERR for all its verbose output, and STDOUT for all the. You’ll need to redirect both of them in order to get the whole story.

curl --ciphers HIGH -v https://www.google.com &> test.txt

Using the pipe is even more fun. This redirects STDERR to STDOUT and then lobs them both through the pipe:

curl --ciphers HIGH -v https://www.google.com 2>&1 | less

There are many more options available to curl that can be found in the manual, including authenticating with usernames and passwords, POST variables, change the user agent and even limit the speed to simulate real user scenarios.

Using these commands, you can quickly and easily test your webpage performance under realistic scenarios and record results from ciphers on the command line directly, without having to break out your GUI and get your hands dirty.

Visualizing network connections using GraphViz and Afterglow

admin — Sun, 15 Mar 2009 16:53:41 +0000

After recovering from a particularly nasty crash and migrating my sites and data over to a new server, I became curious at the number of networking connections that it received, and what was going where. Sure, there’s a lot of tools out there to give me that sort of information, but sometimes you would really just like a pretty (if informative) picture of information instead of dry old text scrolling across the screen.

In this document I’ll assume the following:

You have access to a Linux / Unix server system and have administrative capabilities on it.

tools I used

Graphviz is an open source graph visualization software. It takes standard textual input and can automatically generate graphs depending on the input itself. It has its own graphing language, which is used to create all of this information for you.

Afterglow is a collection of scripts which assist in converting csv and other table data into information which can be pushed off to Graphviz to generate graphs with.

I also ended up with a ‘glue’ shell script or two which assisted in gathering the information and pushing it off to Afterglow for processing.

How To

Download and install GraphViz using your favorite package management system. Next, download and un-archive the Afterglow package on the system. For myself, I placed all the Afterglow packages from afterglow/src/perl directory to a new /opt/afterglow directory.

After that has been set up, it’s time to get a tcpdump of your current connections. We’ll grab the first 10,000 packets and put it in the /opt/afterglow directory.

tcpdump -vttttnneli eth0 -c10000 > /opt/afterglow/eth0.dump


Next, we'll parse it through Afterglow and let it do its magic. In this instance, we'll be looking at the source IP, destination IP, and finally the destination port. There's quite a number of possible fields to go by. Check out the source code from tcpdump2csv.pl for a full treatment of what is available.
cat /opt/afterglow/eth0.dump | /opt/afterglow/parsers/tcpdump2csv.pl "sip dip dport" | /opt/afterglow/graph/afterglow.pl -c /opt/afterglow/parsers/color.properties -e 2 | neato -Tgif -o /opt/afterglow/eth0.gif>

The initial run is interesting, but pretty cluttered. Looks more like a geek version of a fertilized-egg-and-sperm picture.
Since we're using three arguments (sip dip dport) as arguments, let's change the mode from the default (zero) up to three and then re-run the results.
cat /opt/afterglow/eth0.dump | /opt/afterglow/parsers/tcpdump2csv.pl "sip dip dport" | /opt/afterglow/graph/afterglow.pl -p3 -c /opt/afterglow/parsers/color.properties -e 2 | neato -Tgif -o /opt/afterglow/eth0.gif

This one is much more revealing and easy to read. You will notice by now that:

Arrows show the direction of traffic
Red ovals will be an IP address which initiates a connection. A lot of the time this will be your own system. Other times it will be an external system sending in a request.
Red blocks will be an IP address which is processing a request. Again, your system will show up either as a processor of requests, or sending something out.
Light Blue Ovals will show which port this traffic is traveling across
Dark Blue Ovals will show up whenever communication is going across a 'named' port (below 1024). This is normally like port 80, 443, or 53 (DNS).

Changing colors to fit your needs are relatively easy as well. I like a nice bright green to distinguish my system against all the other connections out there. To color your own "home" system as green, edit the /opt/afterglow/parsers/color.properties. At the top of the regex list, add in a line something like:
color.source="green" if ($fields[0]=~/^your.ip.address.here/);
Save your changes and re-run the script to get an output where your IP address has a dinstinct color to it.

Finally, if you would like to have a constantly refreshing view of your server traffic, then something like this should work out well for you:


while true; do

tcpdump -vttttnneli eth0 -c 2000 > /opt/afterglow/current.dump

cat current.dump |/opt/afterglow/parsers/tcpdump2csv.pl "sip dip dport" | /opt/afterglow/graph/afterglow.pl -p3 -c /opt/afterglow/parsers/color.properties -e 2 | neato -Tgif -o /var/www/yourwebsite.com/traffic.gif

sleep 60

done


Kick off the script, let it run once, and then hit http://yourwebsite.com/traffic.gif for the story. It will refresh every 60 seconds.
Summary
Using Graphviz and Afterglow will give you a unique overview of your incoming and outgoing traffic and a much broader overview of what is coming in and out of your immediate network. This is a wonderful tool and one that deserves to be in every server geek's arsenal.
Enjoy!
tom



Spotlight Image Gallery
admin — Tue, 30 Sep 2008 23:00:00 +0000
On the heels of my previous app which used Apple's Spotlight searching capabilities to create your own personal search engine, I have written a new application to create your own web photo gallery from a Spotlight search.

All of the code is based off of the previous application, so there's no shockers to getting it setup on your own mac- just change the name in your head from 'search' to 'image' and you should be just fine.
The one thing that has changed is the search string being used. While the search engine was only searching for the contents of all files, we are search all files for a particular type. 
In Mac OS X 10.5, groups of file types are placed into groups. As it happens, the  _kMDItemGroupId of “all images” happens to be 13. So, in the search, we're just running something like:
mdfind _kMDItemGroupId = 13
from the command line and parsing the results which come back from the search.
Unfortunately, I have no clue what the GroupId is in 10.4, so this script will probably only work reliably in 10.5. Besides, don't you think it's time to upgrade?
Anyway, download is located over here. To use, check out the documents on the search app. They're very close together when it comes to code reuse.
Also, forgive me for calling it an 'image gallery'. It just pretty much outputs images and that's it. However, there's a lot of code out there that can show you how to turn an array of images into an actual gallery, so I didn't include all those bits in there. That, is an exercise left up to the Dear Reader to perform.
Enjoy!
tom



Turning Your Mac Into a Search Engine
admin — Sun, 21 Sep 2008 07:52:10 +0000
Spotlight is one of the more interesting, and (for me), useful features of Apple's Mac OSX. While it's superb with locating documents, programs, and the like, it really shines when it comes to the number if built-in and freely available plugins for use.
So, basically, you have an inbuilt system on Mac OS X which will allow you to search text files, html files, images, Word documents, PDF's, the list goes on and on. The really interesting bit (to me, at least) is that there's nothing to configure or tweak. If you are running a Mac, then everything copied over to the file system is automatically indexed, and made quickly available for searching- even from a web browser.

Setup
All that I am using here is Apache, PHP 5.2, and the command line Spotlight search application “mdfind”. All of these technologies are already built into OSX 10.5 and ready for use. All I ended up doing was creating a web interface to them.
Since Spotlight has its own database (sqlite), there is no need to anyfor any database connection. Also, since all of the importing is handled in the background, there's nothing to write or tweak. It just works. However, if you are wanting a little more control on how Spotlight searches your data, I'd recommend checking out the relevant Apple documentation or this helpful page with more information on Spotlight from the command line.
Web-ifying Search
Well, enough of the gushing about the searching capabilities, how can we turn this puppy into a document search repository?
basically, the PHP script will run a command line query and then output the results back to the screen. The configuration file (conf.php) will let you set the relevant paths so that all the correct links go to the right places.
The only caveat is that if you search for something silly (like the word “the” as the only search term), the script will take a long time for it to return any relevant results back to you. There should be a way to tie in an array of “stop words” to reject those searches, but adding that functionality in is left up to the discretion of the reader.
Install
Anyway, download a copy of it over over here and extract it.
Copy the search/ directory to the default web directory on the mac (normally, its /Library/WebServer/Documents/) so that the full path looks like:
/Library/WebServer/Documents/search
Drop some documents into the /Library/WebServer/Documents/search/documents/ directory. These can be .PDF files, Word documents, etc. Whatever you want to peek at.
Open your web browser and browse to http://localhost/search/index.php and make a search.
That really should be it. If you run into any issues, let me know.
Caveats
I seem to remember a while back having issues with search to function correctly under 10.4. This ended up being permissions issues in the httpd.conf file. 10.4's Apache run as the 'nobody' user. Switching to the 'www' user fixed the issue. If that does not do it for you, try running Apache as a standard user and see if you run into any issues with it.
Enjoy!
tom



Weather Script
admin — Sat, 20 Sep 2008 03:32:32 +0000
Well, it looks like it's been a while since I updated the site with any new content. A lot of that has to do with work, and things on the weekends crowding all the wonderful time that I used to have dedicated to screwing around on the computer.
Nevertheless, here's a bit of an app that I managed to stop messing with and actually prep for release.
Late summer / early fall always gets me interested in the weather a lot more than other times of the year. I poke around at noaa.gov for weather reports, temperatures, humidity, and all that crap. This year I looked into just pulling the raw information down from noaa, parsing it how I like it, and then working on my local copy of the data.

Weather Script is the results of my curiosity into creating weather charts for my own use (You can see some example charts over at http://idlethreat.com/weather, if you're curious about what it looks like).
Currently, I capture all the big stuff (temp, humidity, wind, etc.) from noaa's .xml feed on an hourly basis. That is fed into a MySQL database and can be queried from there to create a wide range of really nice charts and the like using libchart- which is included in the package.
So, if you happen to have a unix box with PHP and wanted to mess around with weather for a bit, this is probably the place for you.
It's all licensed under a liberal license, so feel free to hack on it and make it yours.
Enjoy.
tom



Encrypted Browsing Using Squid and OpenVPN
admin — Mon, 25 Aug 2008 02:50:49 +0000
Here's a rather old-ish document that I published on Google Docs a while back.
Now looking back on it, it probably needs a revamp. and filling out of the particular bits. There's still a deep need to finish up the bottom bit and make it more presentable.
This evening I spent quite a bit of time coming up with a web-based OpenVPN certificate generator. while successful in writing up an application to do the job, there's still quite a number of dependencies that I need to flesh out and document before I can put everything together and present it.
In any case. Enjoy the other stuff. more later as it comes in.
tom



UDP Syslog Beacon
admin — Thu, 14 Aug 2008 03:43:15 +0000
Yet another one-trick-pony bit of software.
This application will send a “beacon” message every two seconds from one server to another via UDP syslog. To make it go, you will need to run it with an argument- the argument is the IP address you wish to send message to. 
Click read more for examples!



“python bacon.py 111.111.111.111″ will being sending messages off to IP 111.111.111.111.
You can adjust the port it sends messages to, just check the “port” variable and change as needed.
You can download the script here.
Enjoy!
tom



Sending Your Clipboard Across The Internet
admin — Sun, 27 Jul 2008 14:40:50 +0000
I've been working on some components of Utopiaprojekt this morning and run across the idea of sending the contents of the clipboard across the internet. So, after tooling around for a few minutes, I wrote up a working example using Python on OS X.
So, click on Read More for more information on how I did it.



The example will grab whatever text that is in the Pasteboard (analogous to the Clipboard in Windows), transform it to Base64 encoding (which is pretty much the gold standard for encoding text across the internet) and then ship the text off to a server for processing.
Once there, I wrote up a small PHP page which will decode the text, and then write the results to a file on the local server for viewing. Of course, after decoding you can put the text in a database, write it to files, whatever you need it to do. This is just an exercise in getting it from point A to point B without mangling it too bad.
I've left a lot of print statements in here and there so you can see the information transform as it occurs. Note that it only works on OS X at the moment.
Enjoy!
tom
Client Side


import subprocess, base64, urllib
p = subprocess.Popen(“pbpaste”, stdout=subprocess.PIPE)

mytext = p.stdout.read()

encoded = base64.b64encode(mytext)

decoded = base64.b64decode(encoded)
print “mytext is:”,mytext , “n”

print “encoded is:”,encoded , “n”

print “decoded is:”,decoded , “n”
print “sending the data up to web server n”
myurl = 'http://example.com/test/decode.php?thought=' + encoded
urllib.urlopen(myurl)

Server Side



$thought = $_GET['thought'];
$stringData = base64_decode($thought);
$myFile = “testFile.txt”;

$fh = fopen($myFile, 'w') or die(“can't open file”);

fwrite($fh, $stringData);

fclose($fh);
?>



Echo.py Released!
admin — Thu, 24 Jul 2008 12:05:42 +0000
Introduction
This is an old-ish app that I've been sitting on over the past few months and thought I should release it before it joins my BPOUS (Big Pile Of Unpublished Stuff)  on a random hard drive somewhere.
Echo.py is a one trick pony. It tails a (configurable) log file on the system and sends the logs off to a syslog server for further processing. It's configurable for either UDP or TCP syslogging and is highly configurable, depending on your environment and needs. It's been tested on OS X 10.5 and Ubuntu 7.10 with Python 2.5.*
Since this application is written in Python, it can run on Windows, Linux, etc. Pretty much any OS with a Python interpreter can run this script. This script can be compiled as a “frozen binary” and run on systems without a Python interpreter installed on it. I will leave that exercise up to you, Dear Reader, on how to accomplish this.
The only real caveat to using the script is that if the application which creates the log file dies and the log is overwritten whenever it comes back up, echo.py will not catch that change and hang up, not sending out logs until it's restarted. Since the standard UN*X 'tail -f' exhibits the same issue, this should be considered normal.
Click Read More for more information.


How To Use
After downloading and unzipping the archive, run echo.py from the command line without any arguments. It will create a new configuration file (named echo.cfg) in the local directory. Edit the configuration file as you like it and save your changes. Re-run echo.py and it will use the new configuration. The configuration file is well documented and is in a standard .INI format that works well on either UN*X or Windows systems.
Download
That should be it. My contact information is in the script itself, let me know if you have any questions or issues with it. Like all the applications and scripts, there's a license:



# File Scanner. Copyright (C) 2008 by idlethreat (tgiles at gmail dot com). All rights reserved.

# This program is released under Creative Commons by-nc-sa. http://creativecommons.org/licenses/by-nc-sa/3.0/us/

# Read the license. Know your rights.


Enjoy!
echo.py.zip



Mac Hotkeys for Windows Users
admin — Sun, 22 Jun 2008 21:09:54 +0000
AHK is an excellent scripting program that's been around for a number of years now. In it, you can create hotkeys and macros for Windows systems to carry out a bewildering array of tasks.

I'm a Mac guy who, due to the nature of my work, has to spend a whole lot of time on Windows systems at work. Of all the Mac hotkeys that I miss terribly,  + W (close window) is probably going to be at the top of my list. So, with a little hacking around last night I've successfully crafted up a hotkey (I use  + W due to its location on the keyboard) which closes the foremost open window.
Window Closer


HotKey, #w, WindowCloser

return
; uncomment below to remove tray icon

; #NoTrayIcon
WindowCloser:

WinGet, active_id, ID, A

WinClose ahk_id %active_id%

The only real caveat to it is that Windows task management sees open windows as instances of applications. Close a window and you (may) close the application altogether. The Mac sees all open windows as children of the application. Close all the open windows, and the application is still running (and still requires a  + q to quit it). However, it pretty much works as advertised pretty much everywhere. I will warn you that applications like Firefox will just close altogether when this hotkey is used. So, keep using your  + w in Windows to those those tabs individually.
And Others…
While working on that script, I managed to fire off a couple of more scripts that will make things handy for me that I thought I'd share. This one will open up a new Explorer window in whatever folder you wish it to (I defaulted to the C: drive, but that can be changed). This is another Mac hot key that I have always liked. This hotkey is kicked off by using the  + n keys.


HotKey, #n, NewExplorerWindow

return
; uncomment below to remove tray icon

; #NoTrayIcon
NewExplorerWindow:

Run C:
; This one will open up an explorer window on your personal desktop

;Run C:Documents and Settings%username%Desktop
 
And finally, this one creates a new email whenever you hit the  + e keys. I send a whole bunch of emails off every day and know it will be terribly useful here in the very near future.


HotKey, #e, EmailMaker

return
; uncomment below to remove tray icon

; #NoTrayIcon
EmailMaker:

Run mailto:

How to Implement?
Grab and install a copy of AHK on your windows systems and either copy-paste in my examples that I have above into new .ahk files, or just [Download Here].
Once you have them on your system and unzipped, edit the files to your liking and run them as is. If you want them to be runnable executables (I.E. .exe files), right-click on them and select “compile script” from the list.

I just remembered only after writing this was the rather huge project that I once wrote up in AHK at work. This was a few years ago and I was working in the NOC at a web hosting company (that I'm still at, by the way). One issue we alway seemed to run into was running down websites on IIS servers so we could troubleshoot them.
I wrote an AHK script that would pull all the active sites from IIS and copy them over to a Linux server. the Linux box would parse the list (as a .CSV) and inject them into a MySQL database. I wrote a PHP front end to the entire mess and you could perform boolean searches on site names and which server they were parked at.
It was a hackish affair, abd prone to failure, but at the time there was nothing quite like it for a number of years until that functionality was added into our current ERP system. I think I still have the source code for Badger somewhere around here. 
Would be interesting to see those scripts again.
Ok, well, enjoy these for now.
Cheers,
tom