Irregular Expressions

September 18, 2012  10:20 PM

NTPd strange time sync problem

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

I came across a very strange time issue on a linux machine that I manage. I use ntpd to keep time synced across the network like anyone should, I have a handful of machines that actually talk to the internet servers and the rest use them as a reference. This has worked for years up until this point, then pop one day the clock falls behind.

Stopping NTPd and re-forcing a sync with ntpdate fixed it for all of five minutes. NTPd would start back up, connect to the servers in the list but never get a * lock on one. You could also watch ntpq -pn and see the time slowly drift away from the reference servers.

Typically I don’t use iburst with a server declaration in the ntp.conf file. This will speed up the synchronization but I have never run into a situation where it was explicitly needed. Here I gave it a shot, and it seem to work! I got a lock on one of the servers and a + and – on the others. Well I thought it strange that all of a sudden I started to need to use iburst when it has never needed it before. Keeping watch on the server using ntpstat and ntptime I could see the sync status along with ntpq -pn. Again it started drifting away!

Here is a quick dump of a properly running ntp sever.

remote refid st t when poll reach delay offset jitter
+ 2 u 644 1024 377 64.714 4.926 1.400
* 2 u 926 1024 377 56.436 4.623 0.687
- 3 u 75 1024 377 42.255 3.743 1.738
+ 3 u 938 1024 377 53.608 4.713 0.742

In this case I would get this working for a bit then I could watch the offset slowly increase on the servers. It would hit a point where it would give up on a server and not mark it at all then move on to another. It would keep doing this until finally it knocked them all of the list and would error out saying it could not connect to a ntp server.

I dumped the interface after restarting the service and it appeared to be working fine I could see the frames going back and forth as it slowly started to ignore them.

I was starting to run out of things to even look at when on a whim I ran a fsck, and there it was. Errors on the file system, lots of them.

Just like that after a reboot and fix then time locked back on. I have not tried to locate the exact cause of where this was causing an issue, I am just surprised this was it.

September 16, 2012  8:55 PM

More Games / Exercises

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

These are very well done, I like the idea of doing it through a VM and not a web based environment.

I am currently trying to buff up on my PHP and SQL attacks for something coming up, so this is perfect for me.

August 30, 2012  3:12 PM

Stripe CTF Solutions

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Just incase you are looking for them, here is the solutions to the CTF game I posted last week.

I made it through the first few levels but ran out of time with other projects.


August 30, 2012  2:58 PM

SQL Injections

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

I have been doing some prep research for some up coming activities and I found an excellent cheat sheet of SQL injection commands.


Here is the standards that I usually use;

admin’ —
admin’ #
‘ or 1=1–
‘ or 1=1#
‘ or 1=1/*
‘) or ‘1’=’1–
‘) or (‘1’=’1–

August 29, 2012  7:50 PM

Remote File Inclusions

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

I am currently testing a few php shells that I have against a test php site I created, and I thought I would share some of the basics of a RFI ( Remote File Inclusion ). When I need to deal with web apps this is the second thing I will try right after SQL injection.

Here is the wikipedia article for another explanation.

In most cases I would use this to either display the contents of a file or execute another php script like a php based shell. If I am not really sure what I am looking for I will use a php based shell, something like this.

Typically what I will do is crawl the site and look for variables on each page and attempt something like this (borrowed from the wikipedia example).


A very simple and powerful method to attack sites.
Also it can be used for local file traversal, instead of a remote file you can specify a local file.


In these cases the %00 is very important for your success.

August 28, 2012  11:26 PM

Pen Testing

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

I find it strange that physical pen testing and digital seem to have some sort of impenetrable wall between them when I talk with people. I know when doing a pen test you have your scope of what is off limits and how far you are supposed to go. These limits can be business based, maybe on critical systems that cannot experience down time no matter when. Or even cost based that there is only so much in the cookie jar for this project.

Pen testing is great but I think you need to be careful on what your are testing, is it the ability to make a scope to satisfy the stake holders and prevent system down time ( Don’t think that I am saying to disregard this ) or test the ability of the network to withstand penetration?

Also if you are do a pen test why not include a physical aspect? Maybe walk in the front door as the delivery man? Maybe not do it on the first day, case out the place. Do a little research find someone going on vacation you can use as a mark. I know it’s a little hard when you work there but is something to get you thinking of the non-main line ideas you can pull.

August 28, 2012  11:10 PM


Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Biomimicry or biomimetics is the examination of Nature, its models, systems, processes, and elements to emulate or take inspiration from in order to solve human problems.

While in this case the bio part was figured out later, I always think this is fantastic stuff.
The Anternet.

It’s not about the answer, it’s asking the right question. The answer is always in the question. The problem is knowing what to ask, not what to ask for. Anyway, that is how I approach problems.

August 28, 2012  1:07 AM

Dropbox update

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

If you have not noticed they have updated the security section of your dropbox account. You can now enable two factor authentication for your account. Basically it will send a PIN to your mobile device that you append to your password.

I am a big fan of this form of two factor authentication. It just makes sense, the one thing I hate is seeing people walking around with their face in a phone or what ever you want to call them. But the reality is that penetration of these devices especially in younger generations makes this two factor authentication impossible not to have at the top of your list.

August 26, 2012  10:49 PM

What Is The Gauss Payload?

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

If you have not seen this yet, Gauss is something that appears to have come out of the same labs or workshop as Flame and Stuxnet. This specifically seems to be targeted against the financial industry in the middle east.

Here is a Guardian article with some excellent information;

Kaspersky is still actively working on figuring out the payload, and strangly they are asking for assistance.

If you have the interest and capabilities you can contact them at the above site and get involved. Very very interesting just to get caught up on the current suspicions of what they think is going on.

August 26, 2012  10:31 PM

“I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact,”

Dan O'Connor Dan O'Connor Profile: Dan O'Connor

Very open comment about the cyber capabilities possessed by the US military.

Here is the article I found,

You can watch his speech right here;

He is a pretty good speaker, I kinda liked his jokes..

I would recommend listing to the speech very interesting information, I think in the next few years this is going to be a very large and public theater of operations for most nations.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: