Thursday, December 31, 2009

Configuring Broadcom (bcm43xx) Wireless Adaptor in Linux!

Configuring a wireless adaptor in Linux wasn't an easy job a few years back, but now some Linux distributions, such as Kubuntu and Mint, ship the drivers with the OS.
My laptop has a Broadcom wireless adaptor, which didn't respond to many of the Linux distributions, until I came across Linux Mint 7 (Gloria). It detects my adaptor by just choosing the STA proprietary wireless driver for it, and works fine after that.
Recently, I have found some methods to configure the wireless adaptor in different Linux distributions.

For openSUSE, a 1-click install YMP file (YaST Metapackage file) is available from Packman. To install it, go to http://packman.links2linux.org/ and search for broadcom-wl. Click the '1-click install' icon and follow the on-screen instructions.

To get it working on Mint 5, follow the instructions at www.linuxmint.com/wiki/index.php/Broadcom_bcm43xx

As for Fedora, it is available in RPM Fusion, and for Mandriva it is in the Mandriva non-free repositories.

For CentOS, follow these instructions (this methodology is obtained from http://kiranjith83.blogspot.com/):
Download the wireless package from Broadcom.
Untar the file hybrid-portsrc-x86_32_5_10_27_6.tar.gz (hybrid-portsrc-x86_64_5_10_27_6.tar.gz if you're running a 64-bit kernel) in its own folder:
>tar -xvzf hybrid-portsrc-x86_32_5_10_27_6.tar.gz
You should now see this in your directory listing:
hybrid-portsrc-x86_32_5_10_27_6.tar.gz
lib
Makefile
src

Open the file include/typedefs.h and add the line below near the top of the header:
#define TYPEDEF_BOOL

Without this define, the compile exits with an error.
Now build the loadable kernel module (LKM) like so:
>make -C /lib/modules/`uname -r`/build M=`pwd`

Of course, you need to make sure you have the required kernel headers installed before building it. Once that's done, your directory listing should look like this:
built-in.o
hybrid-portsrc-x86_32_5_10_27_6.tar.gz
lib
Makefile
modules.order
Module.symvers
src
wl.ko
wl.mod.c
wl.mod.o
wl.o

The file we need is wl.ko. Make sure you don't have bcm43xx, b43 or b43legacy loaded by running this:
>rmmod bcm43xx; rmmod b43; rmmod b43legacy

And, for good measure, remove the ndiswrapper module:
>rmmod ndiswrapper

Now load the module ieee80211_crypt_tkip:
>modprobe ieee80211_crypt_tkip

And finally load the wl.ko module:
>insmod wl.ko

Now, if you run ifconfig, you should see wlan0 right after your eth0 and lo devices. Test it out by scanning for and connecting to a network. If it works, you might want the module to load at boot, which is something the Broadcom readme doesn't cover. Here is how.
Copy the wl.ko file to /lib/modules/2.6.26-1-686/kernel/net/wireless/ (2.6.26-1-686 is the kernel of the original write-up; use the directory matching your own `uname -r`):
>cp wl.ko /lib/modules/2.6.26-1-686/kernel/net/wireless/

Create the module dependencies:
>depmod -a

Try loading your new module:
>modprobe wl

If you get no error from modprobe, it worked perfectly! Next you have to tell your system to load the module at startup. On my Debian system, I do this by editing the file /etc/modprobe.conf to include the following:
>alias wlan0 wl

Now reboot and you've got official Broadcom wifi.
If you need to set up Linux as a router, do as follows:
Enable IP forwarding and add masquerading on eth0:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
***********************************************
Do reply and post methods of doing it in other
Linux OSs.

Monday, December 21, 2009

Secure Site's CA(Certificate Authority) Explained!

When you browse email sites, bank sites or payment sites like PayPal or Gmail, you may have noticed a lock icon at the bottom right corner; when you hover over it, it displays the name of the CA that authenticated that site.

CA means Certificate Authority. In the case of Gmail, it is Thawte Consulting Ltd. CAs are commercially available and charge for their service; some are free, while government agencies and universities manage their own CAs. You can build your own too.

The real question --> How does the whole thing work?
Well, the CA issues digital certificates and generates the public-private key pair. The digital certificate contains the public key and the site owner's identity. The private key is kept secret with the CA. So, when you open a secure https site, the CA is there to confirm its authenticity and tells you that it is the actual server you are looking for. It's an example of a trusted third party. It's like sending an SMS to your girlfriend, who checks your signature to confirm it's from you; just a crude example.

***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***

So, how do you create your own CA?
There are 2 steps in it -->
1. Generating a Certificate signing request
2. Creating a CA signed certificate

Going through the first step:

-> Log in as root
>su -
Password:

-> Set default values for the certificate.
Edit the file:
>vi /etc/pki/tls/openssl.cnf

Set the following values under "[ CA_default ]" in the file, as given below.

[ CA_default ]

dir = /etc/pki/CA # Where everything is kept
certificate = $dir/my_ca.crt # The CA certificate
crl = $dir/my_ca.crl # The current CRL
private_key = $dir/private/my_ca.key # The private key

Similarly, under [ req_distinguished_name ], edit the defaults to match your organisation.

[ req_distinguished_name ]

countryName_default = IN
stateOrProvinceName_default = Delhi
localityName_default = SouthEx
0.organizationName_default = Some_Company

-> Creating supporting directories
>cd /etc/pki/CA/
>mkdir certs newcerts crl

-> Create an empty certificate index and a serial number file for the certificates
>touch /etc/pki/CA/index.txt
>echo 01 > /etc/pki/CA/serial

-> Generate the private key.
>cd /etc/pki/CA
>umask 077 (restrict the default permissions so that the key file is readable only by its owner)
>openssl genrsa -out private/my_ca.key -des3 2048
my_ca.key is the name of the key, 2048 is the key length in bits, and RSA is the algorithm used; -des3 encrypts the key file with a pass phrase.
After the command is executed, you will be asked for a pass phrase, like this:
_________________________________________________________________

Generating RSA private key, 2048 bit long modulus
...........................................................+++
....................................+++
e is 65537 (0x10001)
Enter pass phrase for private/my_ca.key:
Verifying - Enter pass phrase for private/my_ca.key:
_________________________________________________________________
Enter the pass phrase twice.

Now the 2nd step:

-> Create the self-signed CA certificate.
>cd /etc/pki/CA
>openssl req -new -x509 -key private/my_ca.key -days 365 > my_ca.crt
After executing this command, it prompts for the pass phrase you typed in the previous step, and then for some general information about the certificate. As you have changed the default values in /etc/pki/tls/openssl.cnf, you can accept those.
It looked like this for me. In the above command, 365 days is the validity period of the certificate.
_________________________________________________________________
[root@localhost CA]# openssl req -new -x509 -key private/my_ca.key -days 365 > my_ca.crt
Enter pass phrase for private/my_ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [Delhi]:
Locality Name (eg, city) [SouthEx]:
Organization Name (eg, company) [Some_Company]:
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:VIK
Email Address []:vik@gmail.com
[root@localhost CA]#
_________________________________________________________________

The CA certificate is now ready. It should be made available to clients for download; we can use HTTP (Apache) for this job.

-> Install httpd and mod_ssl
>yum install httpd* OR >rpm -ivh httpd*
>yum install mod_ssl* OR >rpm -ivh mod_ssl*
In the case of Red Hat, yum resolves dependencies automatically.

-> Restart the httpd service and enable it with chkconfig
>service httpd restart
>chkconfig --level 345 httpd on

-> If a firewall is enabled, allow traffic on ports 80 and 443. Mostly these ports are already open, but check to make sure.
>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>service iptables save

-> Now link it to your already configured Apache server (and DNS). Create the directory /var/www/html/certs/, copy the self-signed certificate there and make sure it is world readable with the SELinux type "httpd_sys_content_t". Issue the following commands.
>mkdir -p /var/www/html/certs/
>cp /etc/pki/CA/my_ca.crt /var/www/html/certs/
>chmod -R 555 /var/www/html/certs/
>chcon -R -t httpd_sys_content_t /var/www/html/certs/

/var/www/html/www.example.com/html/ is the document root of the site, and www.example.com is your server name.
It's done! If anyone wants, I can write a simple tutorial on configuring Apache + DNS (with or without chroot, HTTP or HTTPS).


Now, after all these steps, assuming your DNS and Apache are working properly (dig example.com returns status: NOERROR), browse to your server; it will prompt you to add the certificate you just created. Add the certificate to your browser.
Your browser has a built-in list of well-known certificates that you can view:
>Tools > Options (or Edit > Preferences, depending on your Firefox version)
>Advanced > Encryption > View Certificates


Sometimes, when we try to access a random site, Mozilla Firefox asks us to add an exception.

That is because your browser can't validate that site and its CA; you can browse the site after adding it as an exception, taking responsibility for all the resulting risks.

***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***

Possible threats!
Let me set up a situation. Assume I run a cyber cafe, and I have created a fake PayPal site and linked it with a self-signed certificate of my own, as I did above, and added that certificate to the default browsers on all my PCs.
I have configured it so that when you enter the URL www.paypal.com, it directs you to my fake site signed with my own CA.
Yes, I know you don't remember the CA for the genuine PayPal site, and you are not aware enough to check the name of the CA to make sure it's genuine. PERFECT!!
So, when you click login, it sends your username and password to my remote secret database, and the browser directs you to a fake connection-timeout page, which makes you believe there is some problem with the internet connection. After that, when you click "try again" or refresh the page, it directs you to the actual PayPal site. Ahh, the internet connection is back!! And someone has succeeded in his bad game!

So be sure to check the CA when you access https sites from public computers. At least remember the CAs of the email sites that are important to you and of the bank sites that ask for your credit/debit/ATM card credentials.
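The "create your own CA" steps above and the advice to check the CA, as an added example that is not from the original post: a shell script that builds a private CA the way those steps do (key, then self-signed CA certificate), goes one step further and signs a server certificate with it, and then performs the check a browser does, `openssl verify` against the CA certificate. It also builds a second, unrelated CA and signs a certificate for the same hostname with it, to show that such a certificate fails verification against the first CA even though every other field looks the same; the issuer name is what lets a user tell the two apart. Directory names, organisation names, the hostname www.example.com and the `-subj` values are constructed for the example, the CA key is left unencrypted so the script runs without prompting (keep the pass phrase on a real CA), and openssl is assumed to be on the PATH. In this script the server generates its own key and only the signing request is handed to the CA.

```shell
#!/bin/sh
# Added example: a private CA built with the openssl CLI, a server
# certificate it signs, and the verification a client performs.
# Everything is created under a scratch directory; the /etc/pki paths used
# in the post are not touched.

# make_ca DIR ORG - RSA key plus self-signed CA certificate, as in steps 1
# and 2 above.  The key is left unencrypted (no -des3) so the function runs
# without prompting; on a real CA keep the pass phrase.
make_ca() {
    mkdir -p "$1/private"
    chmod 700 "$1/private"
    openssl genrsa -out "$1/private/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/private/ca.key" -days 365 \
        -subj "/C=IN/ST=Delhi/L=SouthEx/O=$2/CN=$2 Root CA" \
        -out "$1/ca.crt" 2>/dev/null
}

# issue_server_cert CADIR OUTDIR HOSTNAME - the server generates its own key
# and a signing request; only the request (public key + identity) goes to
# the CA, which returns the signed certificate.
issue_server_cert() {
    mkdir -p "$2"
    openssl genrsa -out "$2/server.key" 2048 2>/dev/null
    openssl req -new -key "$2/server.key" \
        -subj "/C=IN/ST=Delhi/O=Some_Company/CN=$3" \
        -out "$2/server.csr" 2>/dev/null
    openssl x509 -req -in "$2/server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/private/ca.key" -CAcreateserial -days 90 \
        -out "$2/server.crt" 2>/dev/null
}

# verify_against CA_CERT SERVER_CERT - "ok" when SERVER_CERT chains to
# CA_CERT, "fail" otherwise.  This is the chain check a browser performs
# against the CA certificates in its trust store.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# issuer_of CERT - the CA name shown when you click the lock icon.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

demo() {
    work=$(mktemp -d)
    make_ca "$work/ca" Some_Company
    make_ca "$work/other" Other_Org
    issue_server_cert "$work/ca"    "$work/site"      www.example.com
    issue_server_cert "$work/other" "$work/lookalike" www.example.com
    echo "site cert:  $(issuer_of "$work/site/server.crt")"
    echo "look-alike: $(issuer_of "$work/lookalike/server.crt")"
    echo "site vs our CA:       $(verify_against "$work/ca/ca.crt" "$work/site/server.crt")"
    echo "look-alike vs our CA: $(verify_against "$work/ca/ca.crt" "$work/lookalike/server.crt")"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

The look-alike certificate verifies fine against the CA that issued it, which is exactly why a browser that has been made to trust that CA shows no warning; the only visible difference is the issuer name.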

Check this out: they are apparently implementing, to some extent, what I have discussed in this post

--> http://www.wired.com/threatlevel/2010/03/packet-forensics/

I hope it's quite informative.
Thanks for reading it!

Browser concerned in the article: Mozilla Firefox
OS concerned in the article: Red Hat Enterprise Linux Server 5.2 (might work on other Linux distributions)

Sources of information:
http://en.wikipedia.org/wiki/Certificate_authority
Red Hat Security Specialist study books.

Linux Cryptography explained (Symmetric encryption & hashes).

CRYPTOGRAPHY

It is the art of protecting information by transforming (encrypting) it into an unreadable format called ciphertext. Only those who possess a secret key can decipher (decrypt) the message back into plaintext. Encrypted messages can sometimes be broken by cryptanalysis, also called code breaking, although modern cryptographic techniques are virtually unbreakable.


Symmetric Encryption:
Encryption algorithms that use the same key for encrypting and decrypting information are called symmetric-key algorithms. The symmetric key is also called a secret key because it is kept as a shared secret between the sender and receiver of the information; if it leaks, the confidentiality of the encrypted information is compromised.

Kerckhoffs's principle (also called Kerckhoffs' assumption, axiom or law) was stated by Auguste Kerckhoffs in the 19th century:
"a cryptosystem should be secure even if everything about the system, except the key, is public knowledge".


Symmetric encryption is of two types:
1> Stream ciphers (encrypt the bits of the message one at a time)
2> Block ciphers (take a number of bits and encrypt them as a single unit)

Examples of commands for encrypting and decrypting files in Linux:
>openssl enc -des3 -salt -a -in myfile.txt -out encryptedfile.des3
>openssl enc -d -des3 -salt -a -in encryptedfile.des3 -out myfile.txt
OR
>gpg -c --cipher-algo 3DES myfile.txt
>gpg -o myfile.txt -d myfile.gpg


"openssl enc" and gpg are utilities for encryption.
des3 (a block cipher; gpg spells it 3DES) is the algorithm used for encryption here. In its place, aes (the Advanced Encryption Standard, approved by NIST in December 2001, which uses 128-bit blocks), blowfish, twofish or CAST5 can be used with gpg. Similarly aes, blowfish, aes256, aes192 and rc4 are available for openssl enc.
-a = armour: the ciphertext, which is binary, is written out as ASCII (base64) text.
-salt = add a random salt so that the same text encrypted twice gives different output (the PC draws the salt from its entropy pool, fed by sources such as timing, cursor position, RAM state etc.).
E.g. if two persons have the same password, their encrypted passwords will be different; credit goes to the salt value. You can see your password's salt value in the /etc/shadow file: it is the part of the encrypted password field between the $ signs, such as $12Re.jfhrr343!k$ (K2oyDN17 in the root line from /etc/shadow quoted later on this page).
In gpg, --cipher-algo is optional.
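As an added example (not from the original post), the script below wraps the openssl enc usage above in functions and demonstrates the two points just made about -salt: the same file encrypted twice with the same password produces different ciphertext, and a crypt-style password hash is identical only when the salt is identical. It uses AES-256-CBC with PBKDF2 key derivation in place of des3 (both are accepted by openssl enc; -pbkdf2 needs OpenSSL 1.1.1 or later) and `openssl passwd -1` to produce the same $1$salt$hash form that appears in the /etc/shadow lines later on this page. The file contents, passwords and salts are constructed; openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: symmetric file encryption with openssl enc, and what the
# salt does for both file encryption and password hashing.

# encrypt_file IN OUT PASSWORD - AES-256-CBC, random salt, PBKDF2 key
# derivation, base64 (-a) output.  The password reaches openssl through
# an environment variable rather than the command line, so it is not
# visible in the process list.
encrypt_file() {
    PASS=$3 openssl enc -aes-256-cbc -salt -pbkdf2 -a -pass env:PASS \
        -in "$1" -out "$2"
}

# decrypt_file IN OUT PASSWORD - the reverse; the salt is read back from
# the "Salted__" header openssl wrote, so it need not be remembered.
decrypt_file() {
    PASS=$3 openssl enc -d -aes-256-cbc -pbkdf2 -a -pass env:PASS \
        -in "$1" -out "$2"
}

# salted_password_hash PASSWORD SALT - a crypt(3) style MD5 hash in the
# $1$salt$hash form seen in the /etc/shadow lines later on this page.
# Modern systems use $6$ (SHA-512, openssl passwd -6); -1 is used here
# only to match the page's sample lines.
salted_password_hash() {
    openssl passwd -1 -salt "$2" "$1"
}

# shadow_salt_of HASHFIELD - the salt is the second $-delimited field.
shadow_salt_of() {
    printf '%s\n' "$1" | cut -d'$' -f3
}

demo() {
    work=$(mktemp -d)
    printf 'constructed plaintext for the demo\n' > "$work/myfile.txt"
    encrypt_file "$work/myfile.txt" "$work/first.enc"  s3cret
    encrypt_file "$work/myfile.txt" "$work/second.enc" s3cret
    if cmp -s "$work/first.enc" "$work/second.enc"; then
        echo "same ciphertext (would mean no salt)"
    else
        echo "same file, same password, different ciphertext: the salt at work"
    fi
    decrypt_file "$work/first.enc" "$work/back.txt" s3cret
    cmp -s "$work/myfile.txt" "$work/back.txt" && echo "decrypted copy matches the original"
    h1=$(salted_password_hash secret K2oyDN17)
    h2=$(salted_password_hash secret abcdefgh)
    echo "same password, salt K2oyDN17: $h1"
    echo "same password, salt abcdefgh: $h2"
    echo "salt recovered from the hash field: $(shadow_salt_of "$h1")"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Because the salt is stored in clear at the front of the ciphertext (and in the hash field), it adds no secrecy; what it prevents is recognising identical inputs and reusing precomputed tables across users.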

Cryptographic Hashes:

A "hash" (also called a "digest" and, informally, a "checksum") is a kind of "signature" for a stream of data that represents its contents.
A hash function takes a string (or 'message') of any length as input and produces a fixed-length string as output, sometimes termed a message digest or a digital fingerprint.

To compute a message digest, issue the command:
>openssl dgst -sha1 /boot/grub/grub.conf

If anyone tampers with grub, you will be informed (a shell script can do this by comparing the previous checksum with the present one).
openssl dgst is a flexible tool for generating message digests.
In place of the grub path, it can be any file.
You may use -md5, -sha, -sha256, -md4, -md2, -ripemd160 etc. in place of -sha1 on Red Hat. Of course, you have seen an md5 digest when downloading files, software, OS images etc. It is used to confirm that the downloaded file has not been tampered with in transit.
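The comparison script the text refers to, as an added example that is not from the original post: a baseline of digests is recorded once, and a later run reports every file whose digest no longer matches or that has disappeared. It uses sha256sum from coreutils (openssl dgst -sha256 computes the identical digest), and the demo works on constructed stand-ins for /boot/grub/grub.conf in a temporary directory rather than on the real file.

```shell
#!/bin/sh
# Added example: a baseline-and-compare integrity check built on sha256sum.
# The baseline should be written once from a known-good state and kept
# where the files being watched cannot alter it (read-only media, another
# host); a checker that trusts a baseline stored next to the files it
# watches can be defeated by rewriting both.

# integrity_baseline BASELINE FILE... - record one "digest  path" line per file.
integrity_baseline() {
    out=$1
    shift
    sha256sum "$@" > "$out"
    chmod 400 "$out"
}

# integrity_check BASELINE - recompute every digest listed in BASELINE.
# Prints the path of each file that changed or is missing; returns 0 when
# everything matches and 1 otherwise.  sha256sum -c reports "OK",
# "FAILED" or "FAILED open or read" per file, so anything not OK is a finding.
integrity_check() {
    changed=$(sha256sum -c "$1" 2>/dev/null | grep -v ': OK$' | sed 's/: FAILED.*$//' || true)
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

demo() {
    work=$(mktemp -d)
    # Constructed stand-ins for the files you would really watch.
    printf 'default=0\ntimeout=5\n' > "$work/grub.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/passwd"
    integrity_baseline "$work/baseline.sha256" "$work/grub.conf" "$work/passwd"
    if integrity_check "$work/baseline.sha256"; then
        echo "baseline matches"
    fi
    # Simulate a tampered boot loader configuration.
    printf 'default=1\n' >> "$work/grub.conf"
    if ! integrity_check "$work/baseline.sha256"; then
        echo "^ changed or missing since baseline"
    fi
    rm -rf "$work"
}

demo
```

Run integrity_baseline once against the real paths (/boot/grub/grub.conf, /etc/passwd and whatever else matters) and schedule integrity_check from cron; a non-zero exit is the signal to alert on.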

Ways of Disabling Linux-ROOT login!!



If you wish to disable root login for security reasons, or want to troubleshoot a root login problem, here are some methods:

1.---------->
> Open the file /etc/passwd
> Change the line root:x:0:0:root:/root:/bin/bash to root:x:0:0:root:/root:/sbin/nologin
Root login is disabled now.
[It's self-explanatory] Undo it to re-enable.

2.----------->
> Change the permissions of the file /etc/securetty to any value other than 600 (i.e. rw-------). This file lists the terminals on which root may log in.
Eg. chmod 644 /etc/securetty
Undo it with chmod 600 /etc/securetty

3.----------->
> Open the file /etc/securetty
> Comment out, using #, the terminals on which you want to deny access to root.
Take a look at my /etc/securetty file:
__________________________________________________
#tty1
tty2
tty3
#tty4
tty5
tty6
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
__________________________________________________

There are 6 CLI terminals, marked tty1, tty2, ...
You can switch to them by pressing Ctrl+Alt+F1 for terminal 1; replace F1 with F2 for terminal 2, and so on for the other terminals.
Press Ctrl+Alt+F7 to come back to the GUI.
After you comment out a terminal, root can't log in on it; it displays "Login incorrect".
(Undo by removing the hashes from the file)

4.----------->
> Create a file named "nologin" in the /etc directory.
In this method, all users get blocked.
Eg. Execute the command 'touch /etc/nologin' (or 'cat > /etc/nologin' to type a message that is shown to the blocked users)

5.----------->
> Type the command 'chage -E 0 root'
This command expires the root account immediately.
Observe the difference in the 1st line of the file /etc/shadow before and after running the command:

root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99999:7:::

root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99999:7::0:

Yes, you are right, there is an extra zero at the end. That field is the expiry date set by chage -E.
Undo it by issuing 'chage -E -1 root' (no expiry) or 'chage -E 99999 root'.
Issuing the last command changes the 1st line of /etc/shadow to:

root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99999:7::99999:

You can also do this by editing the file directly.

6------------->
First, as root, install sudo. Next, also as root, edit the file /etc/sudoers (use visudo, which checks the syntax before saving) and add the following line:

username ALL=(ALL) ALL

Replace username with the user who should be able to gain root permissions.
Now, to disable the root account, type the following as root at the command prompt:

passwd -l root

The -l flag locks the root account; root logins will no longer be possible on your box. It is simple to get them back: as the sudo user, run the following and type the new root password when prompted.

sudo passwd root
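As an added example, not from the original post, the following shell functions read the three files the methods above change (/etc/passwd, /etc/shadow and /etc/securetty) and report whether root can still log in on a console, so the effect of methods 1, 3, 5 and 6 can be checked rather than assumed. The functions take file paths as arguments, so the demo runs on constructed copies built from the lines shown above (including the root line of /etc/shadow quoted under method 5) instead of the live system; point them at the real files to audit a machine. Method 2 (permissions on /etc/securetty) and method 4 (the /etc/nologin file) are not examined.

```shell
#!/bin/sh
# Added example: audit root console login state from copies of the files
# the methods above modify.  Every function takes the file path as an
# argument so it can be run against constructed samples or the live files.

# root_shell PASSWD - root's login shell (7th field); method 1 sets /sbin/nologin.
root_shell() {
    awk -F: '$1 == "root" { print $7 }' "$1"
}

# root_password_state SHADOW - "locked" if the hash field starts with "!" or
# "*" (passwd -l, method 6, prefixes "!"), "empty" if the field is blank,
# otherwise "set".
root_password_state() {
    awk -F: '$1 == "root" {
        if ($2 == "")          print "empty"
        else if ($2 ~ /^[!*]/) print "locked"
        else                   print "set"
    }' "$1"
}

# root_account_expiry SHADOW - the 8th field that chage -E (method 5) fills:
# days since 1970-01-01, or "never" when it is empty.
root_account_expiry() {
    awk -F: '$1 == "root" { print ($8 == "" ? "never" : $8) }' "$1"
}

# allowed_tty_count SECURETTY - number of terminals root may use, i.e. lines
# that are neither blank nor commented out (method 3 comments them out).
allowed_tty_count() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# root_console_login_possible PASSWD SHADOW SECURETTY - "yes" or "no".
root_console_login_possible() {
    case "$(root_shell "$1")" in
        */nologin|*/false) echo no; return 0 ;;
    esac
    if [ "$(root_password_state "$2")" = locked ]; then
        echo no; return 0
    fi
    expiry=$(root_account_expiry "$2")
    today=$(( $(date +%s) / 86400 ))
    if [ "$expiry" != never ] && [ "$expiry" -le "$today" ]; then
        echo no; return 0
    fi
    if [ "$(allowed_tty_count "$3")" -eq 0 ]; then
        echo no; return 0
    fi
    echo yes
}

demo() {
    work=$(mktemp -d)
    # Constructed copies: the root lines and securetty contents shown above.
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/passwd"
    printf 'root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99999:7:::\n' > "$work/shadow"
    printf '#tty1\ntty2\ntty3\n#tty4\ntty5\ntty6\nvc/1\nvc/2\nvc/3\nvc/4\nvc/5\nvc/6\n' > "$work/securetty"
    echo "shell:    $(root_shell "$work/passwd")"
    echo "password: $(root_password_state "$work/shadow")"
    echo "expiry:   $(root_account_expiry "$work/shadow")"
    echo "ttys:     $(allowed_tty_count "$work/securetty")"
    echo "root console login possible: $(root_console_login_possible "$work/passwd" "$work/shadow" "$work/securetty")"
    # After method 5 (chage -E 0 root) the 8th field becomes 0.
    printf 'root:$1$K2oyDN17$GqkZQHsHtnxpwrFCG7AI91:14203:0:99999:7::0:\n' > "$work/shadow"
    echo "after chage -E 0: $(root_console_login_possible "$work/passwd" "$work/shadow" "$work/securetty")"
    rm -rf "$work"
}

demo
```

On a live system run the check as root (only root can read /etc/shadow) with `root_console_login_possible /etc/passwd /etc/shadow /etc/securetty`; a "no" confirms one of the methods took effect, and the individual functions tell you which.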

-------------X------------

Of course, there are some more ways to block root login, but I don't want to risk my PC trying them now.
These methods work fine in Red Hat and Mandriva, so they should work on other Linux OSs.
For troubleshooting, check these settings for correct values.
If you get trapped using these methods, try logging in at runlevel 1 from the GRUB menu or use a rescue CD, as I suggested in the thread
"Securing ROOT password!!"

*****************************Have A Nice Day !!************************

Linux Installation from hard-disk!

While installing Linux, you might have seen the option "installation from hard disk (internal or external)". Have you ever wondered how that is done?
I suppose some of you know it, but I guess it's not so popular, though it's very useful: it saves you from writing DVDs and CDs, and saves your time and money too. I found this 3 months ago.
Of course, you require an OS pre-installed on your system.

Click on the link and follow the instructions.
http://www.instantfundas.com/2007/08/install-any-linux-distro-directly-from.html



There are two methods listed on the site, depending on whether your pre-installed system is Windows or Linux. If more than one Linux OS is installed on your system, find the one whose GRUB menu appears at boot time and apply the site's method from within that OS.

After you've done the configuration as given on the site, boot the system and select the title you just created while editing /boot/grub/menu.lst or /boot/grub/grub.conf for Linux. After some basic configuration, select the installation method (choose Hard disk), then select the drive partition and give the path of the *.iso image.
I tried it 2 days ago; for me the path was /distro/suse1100.iso (installing over Linux).
After that, it's a normal installation.

Securing ROOT password!!

In case you forget your root password, or want to access the system with root privileges without knowing the root password, you can easily change it by following these steps:

> Boot your PC.

> Select the Linux OS listed in the GRUB menu and press e (in Red Hat); if that doesn't work, press F2 (in Mandriva), or try any other option listed on the boot screen until you see the boot parameters for that OS, like...
kernel (hd0,9)/vmlinuz BOOT_IMAGE=linux root=UUID=f39877a0-9a19-11dd-8a61-97b60b6e4958 resume=/dev/sda7 splash=verbose vga=788
(i.e. for Mandriva)

>Edit it: press space and then 1 at the end of the line, so that it becomes...
kernel (hd0,9)/vmlinuz BOOT_IMAGE=linux root=UUID=f39877a0-9a19-11dd-8a61-97b60b6e4958 resume=/dev/sda7 splash=verbose vga=788 1
Now press b (or simply Enter) to boot.

>The OS now boots to runlevel 1 (single-user mode: only root is logged on, and it is used for maintenance), and an sh prompt appears.

>Type the command passwd & then enter

>Type your new password 2 times; it goes like this...
INIT: entering single user mode
sh-3.2# passwd
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

>Type exit & enter.

Now your root password is changed, so you can see how easy it is for someone to break your root password.

So we will now try to block the way through which someone can change the boot parameters.
Here are the steps:

>Open the terminal.
Type the command grub-md5-crypt and press Enter, then enter your desired password for the GRUB menu 2 times; it goes like this...
[root@localhost ~]# grub-md5-crypt
Password:
Retype password:
$1$fEY8n$JcQYHPGCuYkxxKupgaB6c0

> You can see that some junk characters appear on your terminal; they are the MD5 hash of your GRUB password. Next you have to edit menu.lst (or grub.conf in Red Hat).
Copy the hash.
Execute vi /boot/grub/menu.lst
Now look in menu.lst for the line "hiddenmenu" {I'm assuming you are familiar with vi editor basics}.
If it is there, type below it "password --md5 $1$fEY8n$JcQYHPGCuYkxxKupgaB6c0".
Otherwise type both lines above the line "default i" (i >= 0, any integer; it is the index of the OS to boot by default, counting from zero):
hiddenmenu
password --md5 $1$fEY8n$JcQYHPGCuYkxxKupgaB6c0
**If you want to lock a particular OS, type "lock" below that OS's entry. The OS will be locked, and to boot it you have to enter the GRUB password.
Take a look at my menu.lst:
_________________________________________________________________
timeout 10
color black/cyan yellow/cyan
gfxmenu (hd0,9)/gfxmenu
splashimage=(hd0,9)/boot/grub/hubble.xpm.gz
hiddenmenu
password --md5 $1$MWiym$3QLabLcVRSyVUYIRa1aKy/
default 0

title MANDRIVA-Linux
kernel (hd0,9)/vmlinuz BOOT_IMAGE=linux root=UUID=f39877a0-9a19-11dd-8a61-97b60b6e4958 resume=/dev/sda7 splash=verbose vga=788
initrd (hd0,9)/initrd.img

title linux-nonfb
kernel (hd0,9)/vmlinuz BOOT_IMAGE=linux-nonfb root=UUID=f39877a0-9a19-11dd-8a61-97b60b6e4958 resume=/dev/sda7
initrd (hd0,9)/initrd.img

title failsafe
kernel (hd0,9)/vmlinuz BOOT_IMAGE=failsafe root=UUID=f39877a0-9a19-11dd-8a61-97b60b6e4958 failsafe
initrd (hd0,9)/initrd.img

title Windows-VISTA
root (hd0,0)
makeactive
chainloader +1
lock

title Windows Recovery
root (hd0,3)
makeactive
chainloader +1
lock
_________________________________________________________________

Save and exit menu.lst.

Now boot your PC and try to edit the boot parameters as you did in the first section; the GRUB menu displays "enter p to unlock next set of features".
Press p and it will prompt for the GRUB password; after entering it, you can edit the boot parameters and enter the locked OS.
************************MISSION-------ACCOMPLISHED************************

Hey, it's not over yet...
Your root password is still not safe...

Insert your bootable Linux CD/DVD (or rescue CD).
The process may differ between Linux distributions, so I'm just explaining it in a simple way.
Mount your / partition on /mnt.
Type passwd and change your root password, or open /mnt/etc/shadow and delete the encrypted root password.
Eg. Change the line
root:$1$JK9GUDoD$9WXbaXbYRm61C7WdI12KI.:14202:0:99999:7::: to root::14202:0:99999:7:::
The root password is cleared.
Also delete the line password --md5 $1$MWiym$3QLabLcVRSyVUYIRa1aKy/ from the menu.lst file to clear the GRUB password.
And reboot.

So a person with some experience in Linux (and a rescue CD) can take over your loosely configured system.
So the threat of physical access by an individual can't be ignored.
You can still block him by enabling a BIOS password (there may be other ways too).

Moral of the story ------------> A social engineering attack may be lethal.

I think it's quite informative for Linux newbies.

Please post your suggestions, comments, corrections and feedback.

Thanks for reading such a big thread!!