With great power comes great …

Everyone knows the deal: use what you know for good, etc.

With that in mind, this is going to be a really quick intro to using SSH tunnels.

The reason for the header is this: if you want to do this at your company without permission, don't. People really don't like it when you disobey the rules, and punching a hole through an outbound firewall can make some people very angry (including me). If you want to do this at home to learn, please read on.

This has been talked about a lot in the past, but this is my post on it.

Why :

There are many times when perimeter firewalls just get in the way, and as an admin it might be simpler to tunnel through them.

Another example is reaching a server that is not directly connected to the internet: you use an SSH server that can reach it as a jump point, forwarding your connection through it.

Finally, it is good security practice to carry insecure protocols (VNC is the most common example) over an SSH tunnel, so that the traffic cannot be sniffed on the wire. Bear in mind that the tunnel only protects the hop between the SSH client and the SSH server; from the server onward to the final host the traffic is the original, unencrypted protocol again.

How :

The following examples work on any OS; all you need is an SSH client of your choosing and a remote SSH server you can log in to.

I will be running the examples from the command line on Mac OS X, but if you have access to any other Linux/Unix install this will work in exactly the same way (on Windows, PuTTY exposes the same three forward types under Connection -> SSH -> Tunnels).

Punching through firewalls

This is probably the simplest case: all you want to do is browse without the local network being able to see (or filter) where you are going.

The following command does this:

ssh rc1140@remoteserver -D 8080

Replace remoteserver with the name of your remote server. This opens a SOCKS proxy listening on port 8080 of your local machine (on 127.0.0.1 by default, so only your own machine can use it); everything sent to that port is carried inside the SSH session and leaves the internet from the remote server. To use it for browsing or any other application, set 127.0.0.1:8080 as the SOCKS proxy in the relevant application's settings (e.g. Firefox). One caveat: the proxy only hides what the application sends through it. In Firefox, also enable the option to resolve DNS through the SOCKS proxy, otherwise your DNS lookups still go out over the local network in the clear.

Making internal resources accessible to the outside

Again, doing this with SSH is very simple, but it requires a bit more explanation.

The Command :

ssh rc1140@remoteserver -R 8080:localhost:80

This makes the remote server listen on port 8080, and any connection to that port is sent back through the tunnel to port 80 on your local machine. Note that the SSH session needs to stay open the whole time you want the local resource (here port 80 on the local machine) to be reachable. By default sshd binds a remote forward to the server's loopback address only, so only someone logged in to the remote server can use it; exposing it to the outside world requires GatewayPorts to be enabled in the server's sshd_config, which is exactly the kind of change that gets you into trouble with the firewall people.

This command is especially useful when the outside party cannot SSH in to your network but you can SSH out. Think of remote support staff who need access to a resource on your network while the VPN is down: they cannot get in, but you can almost certainly get out, and you can set up a temporary forward for them to use.

Making remote resources available locally

This is the opposite of the example above.

The Command :

ssh rc1140@remoteserver -L 8800:localhost:80

This opens port 8800 on your local machine and forwards every connection to it through the tunnel to the given host and port, as seen from the remote server: in this case port 80 on the remote server's own localhost. On its own that doesn't accomplish much, since you can already SSH into the server and might as well browse to it directly. But you can replace localhost with, for example, the IP of your home router (assuming the remote server can reach it), and you now have a path to a machine that is not directly reachable from where you are.

This is also what you use when you want the tunnel to secure the connection for something like VNC.

Example :

ssh rc1140@remoteserver -L 5900:localhost:5900

Now, instead of pointing your VNC client at the remote server directly, you connect it to localhost:5900 (make sure you don't already have a local VNC server listening on 5900; if you do, pick another local port, e.g. -L 5901:localhost:5900, and connect to localhost:5901). All of your VNC traffic then travels inside the SSH session between your machine and the remote server.
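The three forward types above differ only in the flag and the bind side, so here they are as one small shell script. This is an added example, not part of the original post: it wraps the post's -D, -L and -R commands in functions that add the options I would not leave at their defaults (-N so no login shell is opened, ExitOnForwardFailure so a port that is already taken fails loudly instead of silently giving you a shell with no forward, an explicit 127.0.0.1 bind address so the listening port is never exposed to other hosts, and a keepalive for long-lived tunnels). The user, host and port values are the post's placeholders. The last function uses ssh -G, which prints the effective client configuration without connecting, to confirm the forward was parsed the way you intended.

```shell
#!/bin/sh
# Added example: build the post's ssh tunnel commands with safer defaults.
# All hostnames/ports are placeholders from the post, not real systems.
set -eu

# Options shared by every tunnel:
#   -N                           forward only, do not run a remote command/shell
#   -o ExitOnForwardFailure=yes  exit with an error if the forward cannot be set up
#   -o ServerAliveInterval=30    keep idle tunnels from being dropped by middleboxes
TUNNEL_OPTS="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"

# Dynamic (SOCKS) proxy on this machine, bound to loopback only.
#   usage: socks_tunnel user@host local_port
socks_tunnel() {
    printf 'ssh %s -D 127.0.0.1:%s %s\n' "$TUNNEL_OPTS" "$2" "$1"
}

# Local forward: local_port here -> target_host:target_port as seen from the ssh server.
#   usage: local_tunnel user@host local_port target_host target_port
local_tunnel() {
    printf 'ssh %s -L 127.0.0.1:%s:%s:%s %s\n' "$TUNNEL_OPTS" "$2" "$3" "$4" "$1"
}

# Remote (reverse) forward: remote_port on the ssh server -> target_host:target_port
# reachable from here. The 127.0.0.1 bind keeps it on the server's loopback; the
# server's GatewayPorts setting decides whether a wider bind is even allowed.
#   usage: remote_tunnel user@host remote_port target_host target_port
remote_tunnel() {
    printf 'ssh %s -R 127.0.0.1:%s:%s:%s %s\n' "$TUNNEL_OPTS" "$2" "$3" "$4" "$1"
}

# Sanity check before connecting: ssh -G (OpenSSH 6.8+) prints the effective
# client configuration, including how it parsed the forward, without connecting.
#   usage: show_effective_forwards <any ssh arguments>
show_effective_forwards() {
    ssh -G "$@" | grep -iE '^(localforward|remoteforward|dynamicforward|gatewayports)' || true
}

# Print the three commands from the post when run as: sh tunnels.sh demo
if [ "${1:-}" = "demo" ]; then
    socks_tunnel  rc1140@remoteserver 8080
    remote_tunnel rc1140@remoteserver 8080 localhost 80
    local_tunnel  rc1140@remoteserver 5900 localhost 5900
fi
```

Add -f after -N if you want the tunnel to go to the background once it is established; with ExitOnForwardFailure set, a failed forward then shows up as a non-zero exit code rather than a silent, useless background process.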

I tried to cover all the important bases with SSH tunnels, but please let me know if I have missed anything.

After what seems like ages I have finally got down to doing stuff on my Arduino.

The one thing I have been meaning to do for ages is to get an LCD I have working. It's a simple character-based LCD (two rows, I think), which makes a hello world quite simple to do, and it actually writes out 'hello world' :).

I have had most of the components for this project for ages (minus the potentiometer). I don't have much advice to give on the subject (mostly because I don't want to rewrite something that is already out there and done extremely well), but you can find the equivalent tutorial for what I have done on ladyada's site.

Here are a couple of images I managed to take of the end result.

From here I hope to finally incorporate this into my universal remote control, so that I know which device I am controlling.

The much delayed part 2 is finally here, and the topic of the day is poking the system. This is much like poking a bear, but hopefully less painful. The point of poking the system is to show how to interact with the underlying OS from PowerShell.

Getting Started :

First off, you need some basic PowerShell skills; my original post can be found here. It's pretty simple and follows on from the video, so you don't have to read too much if you don't want to.

Grab the script for this post from here. Unlike the previous post I won't be explaining it line by line, but rather function by function.

Get-Users :

This is a rather simple but interesting example of working with WMI, and it points out two things.

  1. That you can get interesting system data via WMI

    • We are able to get all the users on the system via WMI, and while I am not familiar with doing this from the normal Windows shell, it cannot be easier than this.

    • The other fact that is not obvious is that you can run the same query against a remote system (via the -ComputerName parameter) and get the same results with hardly any change to the code.

  2. How to get started with WMI

    • It shows the basic syntax for making a WMI call: if it was not apparent, you simply call gwmi with the name of the class you want data from. In this case the class is win32_useraccount. To get a list of the classes you can use, run gwmi -list.

Get-Applications :

This is a simpler example which just returns a list of the applications installed on the user's machine. It can be expanded a lot more to do things such as simple searching, or even calling the uninstall method on an application of choice.


This takes what we have learnt so far a little further. First of all it takes a parameter of the user's choice, but it also provides a default value, so that if the user does not supply one the function does not fall over.

This function also shows you how to work with COM objects in PowerShell. We use COM here because there is no simple public WMI interface for this data and the COM interface is a lot easier to work with. The function also shows how to filter inline using the PowerShell where command (either ? or where will work).

Get-ADComputers :

This uses slightly more complex functionality, but nothing that has not been covered in the previous functions. The two major differences from the previous functions are:

  1. The function casts the string "objectcategory=computer" to an Active Directory searcher object (the [adsisearcher] type accelerator, which wraps .NET's DirectorySearcher; the string becomes the LDAP filter). The searcher is a bit too complex to go into for this post, so I won't detail how it works. For now just know that it lets you perform AD searches from the command line, and more specifically from PowerShell.

  2. How to loop over each object that the search returns. If you are a coder with previous experience, this is the equivalent of a foreach loop. If it hasn't become apparent already, this is the loop: %{([adsi]$_.path).cn + $_.properties.operatingsystemversion}. You can use either % or ForEach-Object; whatever is between the {} is executed once per item. To get at the object currently being processed you use the $_ variable.

Get-LocalOsVersion :

This function does nothing new really, except that it specifies which properties should be returned (using Select-Object), since the default output can be a bit much. Use this when an object has more properties than you need, or when only a few of them matter to you.
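Since the script itself is linked rather than reproduced above, here is an added reconstruction of the WMI and AD functions from their descriptions. This is my code, not the post's script: it assumes Windows PowerShell 5.1 on a domain-joined machine, the -ComputerName default is a placeholder, and Get-Applications reads the registry Uninstall keys rather than the COM interface the post describes (the post does not say which COM object it uses, so I have not guessed). On newer systems Get-WmiObject still works in Windows PowerShell but is absent from PowerShell 7, where Get-CimInstance is the drop-in replacement.

```powershell
# Added example, not the post's script. Assumes Windows PowerShell 5.1 and
# a domain-joined host; hostnames are placeholders.

function Get-Users {
    # Default parameter value so the function still works when no name is supplied;
    # pointing -ComputerName at another host is all that changes for a remote query.
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName |
        Select-Object Name, Domain, Disabled, Lockout, PasswordRequired, SID
}

function Get-Applications {
    # Installed software as the Add/Remove Programs list sees it. This reads the
    # registry instead of Win32_Product (which is slow and triggers MSI repairs) and
    # instead of the COM interface the post used.
    param([string]$NameFilter = '*')

    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -like $NameFilter } |   # inline filtering with where / ?
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString |
        Sort-Object DisplayName
}

function Get-ADComputers {
    # The post's one-liner, expanded: [adsisearcher] turns the LDAP filter string
    # into a DirectorySearcher against the current domain.
    param([string]$Filter = 'objectcategory=computer')

    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000   # without paging, results stop at the DC's default size limit

    $searcher.FindAll() | ForEach-Object {
        # $_ is the current search result; its Properties are value collections,
        # so -join flattens each to a plain string (empty if the attribute is unset).
        [pscustomobject]@{
            Name      = ([adsi]$_.Path).cn
            OSName    = -join $_.Properties['operatingsystem']
            OSVersion = -join $_.Properties['operatingsystemversion']
        }
    }
}

function Get-LocalOsVersion {
    # Pick the handful of properties that matter rather than dumping the whole object.
    Get-WmiObject -Class Win32_OperatingSystem |
        Select-Object Caption, Version, BuildNumber, OSArchitecture, LastBootUpTime
}

# Example calls (the remote name is a placeholder):
# Get-Users
# Get-Users -ComputerName 'fileserver01'
# Get-Applications -NameFilter 'Microsoft*'
# Get-ADComputers | Where-Object { $_.OSVersion -like '6.1*' }   # ? works the same as Where-Object
# Get-LocalOsVersion
```

Remote WMI queries need the caller to be a local administrator on the target and DCOM to be reachable through its firewall, which is why these functions are mostly useful from an admin workstation; for anything at scale, Get-CimInstance over WinRM is the better-behaved choice.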

I hope that covers the script in a bit more depth than I managed to in the video. If anything has not been covered in enough detail, or has been covered incorrectly, please let me know so that I can correct it.

One of the many things that has interested me in the past is binary reverse engineering. Whether your reasons are nefarious or not, it's always fun to see how things work in the background.

First off, you will not be learning how to crack anything, so if that is what you wanted you can leave now. Secondly, if you are doing the 0x41414141.com challenges on your own, first give them a try yourself before getting the answer here.

A spoiler for the first challenge can be found here (thanks z0nbi) if you haven't already completed it. It's an interesting challenge and what got me started on this whole thing.

So first, grab the binary for the challenge from the site by completing the first part of the challenge (the spoiler is above). Next grab the free version of OllyDbg from its site.

At this point, in a bigger project, I would normally check the exe for strings first. But since the whole app is 2 KB I am going to jump straight into debugging it.

Start by launching Olly, then load the exe (File -> Open). Let's get into it: hit F9, or Debug -> Run. This starts the app under the debugger and pauses at the first instruction that will be executed, the program's entry point. In a tiny binary like this one, with no C runtime start-up code in front of it, that is effectively your main() function from C.

I am not going to explain every single asm instruction and what every piece of code does, because I have no idea how long this post would end up. So if you don't understand something, or think I have got something wrong, feel free to correct me.

If you have done everything as I have described, you should be at 00401020 (check the address shown for the current line). At the same time you should see a text string telling you that the return value of the function is the email address for the next challenge.

With this in mind you have two options: take the quick route and run to the point just after the function call, then read the EAX register; or step into the function and see what it is doing. I personally prefer to step into the function so that I understand what is going on. It doesn't speed anything up, it just helps me understand the app.

So hit F8 six times to get just past the function call; at this point, if you look at the EAX register, it should read 0007AB00. This is the return value of the function: by the x86 calling convention a function leaves its return value in EAX, and since main has not done anything with it yet, it is still sitting there for us to read.

The alternative is to set a breakpoint at 00401035 (click on the line and hit F2), then hit F9 to run to it. You can then examine the register in the same way and read off the value returned by the function.

As you may have guessed, the email address for the challenge is 0x0007AB00@therest.com. Replace therest.com with the address from the first challenge. You will know you got the right address if you get a reply with the source code for the application you are working on.

Update: @z0nbi has posted a follow-up to this article. If you feel that you are still new to RE, please visit his site for extra information that will clear up quite a few things (he also has pretty pictures).

I have recently started using Django a lot more and must say that I am really enjoying it. As such, I thought I should share some info that I have come across while learning the basics.

One of the first add-ons you should install for Django is South (schema migrations). Doing this is pretty simple (all examples are for Ubuntu).

Simply run the following command:

	sudo easy_install South

Next, edit your settings.py and add 'south' (lowercase, the name of the app's Python package) to your INSTALLED_APPS list.

Finally run ./manage.py syncdb, which creates South's own migration-history table, and you should be ready to go. As for the basics of using South, there isn't really much to it.

Run the following commands to get started :

	./manage.py schemamigration <yourappname> --initial
	./manage.py migrate <yourappname>

That creates the initial migration file and, as long as you haven't created the tables already, sets up the tables in your DB. If the tables already exist (an app that was running before you added South), record the initial migration as applied instead of running it, with ./manage.py migrate <yourappname> 0001 --fake, otherwise the migrate step fails trying to create tables that are already there.

Any time you change something in your models.py, simply run:

	./manage.py schemamigration <yourappname> --auto

This writes a migration describing the changes but does not apply them yet. To apply the changes, run the migrate command again:

	./manage.py migrate <yourappname>

Remember to commit the generated migration files along with your models, since South needs the full history to bring other databases up to date. That's as simple as it gets; there is a lot more information, and far more advanced things South can do, at http://south.aeracode.org/docs/