Friday 1 November 2013

Notes on Slackware 14.0 upgrade

I upgraded from version 13.37 to 14.0 of Slackware, bringing me up-to-date. This time I used the slackpkg program, and it went quite smoothly. I followed the instructions at http://docs.slackware.com/howtos:slackware_admin:systemupgrade.

In short,

  • Edit /etc/slackpkg/mirrors to add the address of a mirror of 14.0
  • Blacklist kernel packages in /etc/slackpkg/blacklist
  • Run "slackpkg update" to download new package list
  • Then it was running "slackpkg upgrade slackpkg", "slackpkg upgrade glibc-solibs", "slackpkg install-new", and "slackpkg upgrade-all".
  • "slackpkg clean-system" to delete old packages, making sure not to delete any packages I've installed separately from the Slackware distribution. This is done in conjunction with reading "CHANGES_AND_HINTS.TXT".

Then I needed to check new configuration files under /etc. "slackpkg new-config" can be used to move these files across. I needed to keep the Internet connection settings in /etc/rc.d/{rc.inet1.conf,rc.wireless.conf} and /etc/wpa_supplicant.conf. Also /etc/inittab for the behaviour of Ctrl+Alt+Del.

I downloaded and installed kernel packages manually and reran lilo after adding lines to /etc/lilo.conf:

image = /boot/vmlinuz-huge-smp-3.2.29-smp
  root = /dev/sda3
  label = Linux_slack14
  read-only
  append = "acpi_osi=Linux"

The last line is needed on my craptop for the screen dimming keys to work.

I previously used ndiswrapper to get my wireless card to work, but I thought I would try the Linux drivers instead. I had several modules blacklisted in "/etc/modprobe.d/blacklist.conf", and running "modprobe b43" made the wlan0 interface show up. I've used wireless since then with few problems. [1]

Next steps are to carefully remove files in /etc/modprobe.d according to CHANGES_AND_HINTS.TXT, use the generic kernel with an initrd instead of the huge kernel, and look through old configuration files (saved as "*.orig") to see what has changed and if I want to keep anything else.

Biggest change has been the upgrade to fvwm 2.6.5. When I tried this before I would get random crashes, but I haven't had any so far.

[1] I don't know why I couldn't get this working before - I suspect it would have worked but I was doing something else wrong, e.g. with ifconfig, wpa_supplicant or dhcpcd. I spent so long trying to get wireless to work that I stopped playing with it as soon as I got it to work with ndiswrapper.

Wednesday 14 August 2013

Notes on upgrade from Slackware 13.1 to 13.37

I recently upgraded from Slackware 13.1 to 13.37. 13.37 is not the latest version (14.0 is), but by only upgrading one release at a time I'm less likely to have problems.

I downloaded the files with


wget --no-parent -nH --cut-dirs=3 -r -nc (path)

Options mean
--no-parent - Don't download linked files above the directory in the given path
-nH - Don't create local directory called ftp.slackware.com etc.
--cut-dirs - Don't create local directories based on first 3 directories in path.
-nc - Don't download existing files - useful if wget is interrupted.

I had to download and compile the ndiswrapper Slackbuild. I had problems compiling it - I think I ought to have compiled it before installing all the new Slackware packages.

I found the screen went blank when I rebooted! It turned out that the brightness on my laptop screen was only turned down. (See http://www.linuxquestions.org/questions/slackware-14/black-screen-on-bootup-after-a-few-lines-slack-13-37-a-882680/page2.html.) I haven't fixed this yet; all I do is use the laptop function keys to turn the brightness up.

The instructions for creating an initrd were unclear: I found I had to run

mkinitrd -c -k 2.6.37.6-smp -m ext3

(I was missing the "-smp" part.)

I had some problems with X11. My mouse pointer wouldn't move. I had to delete /etc/X11/xorg.conf. The keyboard was in US mode now, and I had to copy a keyboard layout file (90-keyboard-layout.conf) to /etc/X11/xorg.conf.d.

I found "xset m" would no longer set the pointer speed for my Synaptics touchpad. I had to use a program called "synclient" instead. I copied a settings file to "/etc/X11/xorg.conf.d/50-synaptics.conf". There was some subtle and annoying behaviour such as taps taking too long to be recognized and sometimes getting middle clicks, which I fixed by adding the following lines to 50-synaptics.conf:

        Option "FastTaps" "on"
        Option "MinSpeed" "0.5"
        Option "MaxSpeed" "10"
        Option "AccelFactor" "0.05"
        Option "EmulateTwoFingerMinZ" "1000"
        Option "EmulateTwoFingerMinW" "1000"

I had some broken behaviour with fvwm. Apparently Unicode locales are broken in versions 2.4.* (even though it worked before). It could have been something to do with the fonts changing as well.

The new version of Thunderbird would no longer highlight folders with new messages. I managed to get something acceptable by changing "~/.thunderbird/h0eadjtl.default/chrome/userChrome.css" to:

/*
 * Do not remove the @namespace line -- it's required for correct functioning
 */
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* set default namespace to XUL */

treechildren::-moz-tree-cell-text(folderNameCol, newMessages-true) {
  color: red !important; }

Friday 14 June 2013

crackxls 0.3 released

crackxls 0.3 has been released. Download it at https://github.com/GavinSmith0123/crackxls2003/tags. This version supports breaking encryption on Microsoft Word 97/2000/2002/2003 documents for the first time.


Windows users may just want to download "crackxls2003.exe" from https://github.com/GavinSmith0123/crackxls2003.

Sunday 9 June 2013

crackxls2003 - Initial support for Microsoft Word

I've added initial support for scanning Microsoft Word files to the crackxls2003 program.

It is on the "msword" branch of the git repository, which is at https://github.com/GavinSmith0123/crackxls2003/tree/msword.

As with Excel files, it will only work for the RC4 method of decryption, which was used in Office XP and some earlier versions.

There is no support yet for decrypting Word documents, only scanning for their encryption keys. I haven't tried it, but it is likely that the trial version of "guaword" would be able to decrypt a file given the encryption key, as this was true for Excel files for "guaexcel", another program from the same developer.

Adding decryption support may not be that difficult, and I may manage it in the next week or so.

Yahoo! mail insecurities

Round about late 2011, I found that there had been log-ins to my Yahoo! mail account from foreign countries. Investigating, I found that they had logged in using some kind of mobile interface. I (thought I) disabled the mobile interface, as I read many reports of crackers getting into people's email that way.

Today I logged in again and had a warning. Somebody had logged in a few days ago - again via Yahoo! mobile, which I thought I had disabled.

I had already been through all web services, etc., that I had registered with using my Yahoo! account, and changed them to another email account, on account of the last time it was cracked. For readers, I recommend doing this. Yahoo! mail is really not trustworthy.

However, for two or three web services I was unable to change the email address associated with it, so I didn't want anyone taking over the account. I also had a few emails I wanted to keep. So I didn't want to delete my account altogether.

What I did today was set up an account in Mozilla Thunderbird (an email reader) to retrieve all of my mail by POP, so it is stored locally but not accessible on the web interface. Now if anybody breaks in, they would have little information.

Saturday 6 April 2013

crackxls2003 0.2 released

crackxls2003 0.2 has been released. It now has support for decrypting files once an encryption key is found, if it is compiled with the libgsf library.

You can download it at

https://github.com/GavinSmith0123/crackxls2003/tags

or for Windows users, you might want to just download "crackxls2003.exe" from

https://github.com/GavinSmith0123/crackxls2003.

Friday 15 February 2013

How to display percentages in man pages

On many GNU/Linux distributions, man pages are displayed through the "less" pager. I was finding that it was not displaying percentages in man pages. This was due to the fact that the less process was reading its input through a pipe and did not have the whole file loaded.

There is a simple fix (which nonetheless took me a long time to find). Set "LESS=+p" as an environment variable. Then the "p" command will be executed whenever less starts up, which has the effect of loading the whole file. This command is to go to a position in the file marked by a certain percentage, so the whole file must be loaded to know where this is. We are going to 0% in the file, so loading the whole file shouldn't be necessary (as we are not moving anywhere), but less does this anyway.

Obviously, this should be unset if you are doing something like viewing the output of a process through less.

Thursday 7 February 2013

Pipeline filter to allow changing stdout of a process while it is still running

On a Unix-style system, running processes write characters to a location called the standard output. By default, these will appear on a terminal, as text for the user to see. However, it's possible to redirect the standard output to a file, or to be the input for another process.

It may occasionally be useful to be able to redirect the standard output after a process has already started. I'm sure that others have done similar things before, but I couldn't find exactly what I was looking for.

For this purpose, I wrote the following bash script, saved as "MovableStdout.sh":

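# Named pipe used to tell the running script where stdout should go next.
# Whoever can write to it chooses the file that gets opened (and truncated),
# so keep it writable only by you.
new_stdout_pipe=~/ChangeTerminal

redirect () {
        # Read the new destination from the pipe and reopen stdout on it
        IFS= read -r new_stdout <"$new_stdout_pipe"
        exec >"$new_stdout"
}

trap redirect SIGUSR1

while true; do
        # IFS= and -r keep leading whitespace and backslashes intact
        if ! IFS= read -r line; then
                exit
        fi
        # Quoted, so the line is not word-split or glob-expanded
        printf '%s\n' "$line"
done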

To use this, a named pipe (a FIFO) must be created, e.g. by running "mkfifo ~/ChangeTerminal". This pipe will be used to communicate with the running script.

Use it by running

$ program | bash MovableStdout.sh

The program will run and the script will copy the stdout from the program to the terminal.

If we later wish to change where what is written to stdout goes, we may do this in a two-step process. For example, if we are in another terminal, and wish to divert the output to the current terminal, we may do:

$ echo `tty` >~/ChangeTerminal &
$ ps -C bash
TT       USER       PID COMMAND
tty2     root      1457 -bash
pts/0    g         1875 /bin/bash
pts/1    g         2638 /bin/bash
pts/2    g         3117 /bin/bash
pts/3    g         3774 /bin/bash
pts/4    g         3150 /bin/bash
pts/5    g         3162 /bin/bash
pts/6    g         3808 /bin/bash
pts/7    g         3937 /bin/bash
pts/7    g         3950 bash MovableStdout.sh
$ kill -USR1 3950

(The exact processes listed will obviously be different.) The new output file name is placed onto the pipe, and then the script is signalled to read the file name from the pipe. The script catches this signal and redirects its output to the new file.

A limitation of this script is that you can only have one running instance of it at a time, otherwise you will have multiple running scripts trying to read from the same pipe. However, it could easily be altered to, for example, read the name of the pipe as a command-line parameter.

I was able to use this script to redirect the error messages from my X11 window manager to an xterm window.

Thursday 31 January 2013

crackxls2003 Git repository

I've extended the program I posted last year to link against the OpenSSL md5 functions, so it should be easier to compile. I've also added the POLE library to get the needed fields from the file. The current state of the project is accessible as a git repository at https://github.com/GavinSmith0123/crackxls2003.

Sunday 27 January 2013

Using poledump to extract fields from Excel 2003 document

In order to use the program I posted in the last post, you will have to extract a couple of fields from the XLS file. This can be done using the poledump program.

I will talk through how to use the program. Download and install poledump. I prepared an encrypted Excel document with the password "monkey". The file is called "protected_document.xls". I run poledump as follows:


bash $poledump protected_document.xls 
SummaryInformation  (208)
Workbook  (13023)
CompObj  (114)
DocumentSummaryInformation  (244)

The Excel file is something called an "OLE Compound Document", which comprises several "streams". The command above is listing the streams in the file. The stream we are interested in is called "Workbook". Display the contents of this stream as follows:

bash $poledump protected_document.xls Workbook | head
09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00     ................
06 04 00 00 2f 00 36 00 01 00 01 00 01 00 c8 e8     ..../.6.........
e2 cf c9 73 e9 68 e5 a0 0c 11 de ae 86 d2 7c dc     ...s.h........|.
fa a2 cd d2 2c 6a c8 f0 9f 3b 8b 72 ee f8 d0 b0     ....,j...;.r....
64 e3 92 b2 6e 12 d0 5c 4a fe bc 66 35 8f e1 00     d...n..\J..f5...
02 00 b0 04 c1 00 02 00 9f 84 e2 00 00 00 5c 00     ..............\.
70 00 f5 29 4a 0b c7 90 85 91 3f 43 02 9f 95 e7     p..)J.....?C....
da 6e a3 a3 ed 67 d8 8f 7b 36 b0 27 95 f8 46 f2     .n...g..{6.'..F.
22 f6 16 e2 94 ee 20 ac c1 2a 72 d2 97 f7 a7 b6     "..... ..*r.....
db f6 dd 4a c7 95 78 8f 24 9c 59 ba 02 2e 60 3d     ...J..x.$.Y...`=
bash $

I have bolded the bytes we are interested in. The first 16 bytes "c8 e8 .. d2" are the Salt field. The next 16 "7c .. f8" is the Verifier field, and the next 16 "d0 .. 8f" is the VerifierHash.

You can read more about the file format here. I'll note that the bytes "2f 00" (in little endian, decimal 47) on the second line introduce the "FilePass" record (a list of record type numbers is here). The first two bytes "09 08" (decimal 2057) introduce the "BOF" field.
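
The same extraction done programmatically, as an added example (not code from the original post or from crackxls2003): it walks the records in the listing above, finds the FilePass record and returns the three fields, which is also a quick way to check whether a workbook still uses the legacy RC4 method. The function names are hypothetical, and the reading of the six bytes before the Salt (encryption type 1 = RC4, header version 1.1) is an assumption taken from Microsoft's published format documentation, not from the post.

```python
import re
import struct

# "poledump protected_document.xls Workbook | head" output, copied from the post.
DUMP = r"""
09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00     ................
06 04 00 00 2f 00 36 00 01 00 01 00 01 00 c8 e8     ..../.6.........
e2 cf c9 73 e9 68 e5 a0 0c 11 de ae 86 d2 7c dc     ...s.h........|.
fa a2 cd d2 2c 6a c8 f0 9f 3b 8b 72 ee f8 d0 b0     ....,j...;.r....
64 e3 92 b2 6e 12 d0 5c 4a fe bc 66 35 8f e1 00     d...n..\J..f5...
02 00 b0 04 c1 00 02 00 9f 84 e2 00 00 00 5c 00     ..............\.
70 00 f5 29 4a 0b c7 90 85 91 3f 43 02 9f 95 e7     p..)J.....?C....
da 6e a3 a3 ed 67 d8 8f 7b 36 b0 27 95 f8 46 f2     .n...g..{6.'..F.
22 f6 16 e2 94 ee 20 ac c1 2a 72 d2 97 f7 a7 b6     "..... ..*r.....
db f6 dd 4a c7 95 78 8f 24 9c 59 ba 02 2e 60 3d     ...J..x.$.Y...`=
"""
HEX_ROW = re.compile(r"(?:[0-9a-fA-F]{2} ?){1,16}")  # hex column only, not the ASCII column
FILEPASS = 0x002F  # "2f 00" in little endian

def dump_to_bytes(text):
    """Convert a poledump hex listing back to bytes."""
    rows = (HEX_ROW.match(line.strip()) for line in text.splitlines())
    return bytes.fromhex("".join(m.group(0) for m in rows if m).replace(" ", ""))

def records(stream):
    """Yield (type, body) per complete record: 2-byte type, 2-byte length, body."""
    off = 0
    while off + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, off)
        body = stream[off + 4:off + 4 + size]
        if len(body) < size:  # listing was cut short by "head"
            return
        yield rtype, body
        off += 4 + size

def filepass_fields(stream):
    """Return the FilePass fields, or None when there is no FilePass record."""
    for rtype, body in records(stream):
        if rtype != FILEPASS:
            continue
        # Assumed layout: type (1 = RC4), header version 1.1, then 3 x 16 bytes.
        if len(body) != 54 or struct.unpack_from("<HHH", body) != (1, 1, 1):
            return {"method": "other", "header": body[:6].hex()}
        return {"method": "RC4", "salt": body[6:22].hex(),
                "verifier": body[22:38].hex(), "verifier_hash": body[38:54].hex()}
    return None

if __name__ == "__main__":
    print(filepass_fields(dump_to_bytes(DUMP)))
```

The record length "36 00" (decimal 54) accounts for exactly the 6 header bytes plus the three 16-byte fields, which is why the parser treats any other length as a different encryption header.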