Articles in the Uncategorized category

  1. Cannot Access Windows Guest Within VMware Fusion When Running Vsphere Client

    Fri 17 June 2011

    Currently, I am running VMware ESXi 4.1 on a test system. To manage ESXi, you need the VSphere client, which is only available for the Windows platform. Therefore, I run VMware Fusion on my Mac to be able to access VSphere and manage my ESXi host.

    The trouble is that both ESXi and VMware Fusion use the control-alt shortcut to release a console. So as soon as you start using a console within the VSphere client which itself runs within VMware Fusion, you cannot get back to the Windows OS.

    You will have access to either Mac OS X or the ESXi guest. And to top it off, the mouse just completely disappears on Windows.

    To get around this problem, you need to somehow be able to send a control-alt sequence to the Windows guest without actually pressing control-alt.

    Fortunately, VMware Fusion allows you to create a key mapping that allows this.

    Within the preference pane, the first tab is called Key Mappings. You can create a new key mapping. For example, I mapped control+q to control-alt. This allows me to get out of the ESXi guest within the VSphere client, without getting thrown back to Mac OS X. As a side effect, the mouse also showed up again, which is to be expected.

  2. Determining Smartphone Market Share Using Wireless Sniffing

    Sun 24 April 2011

    I started a project to see if I could track smartphone users by sniffing for wifi-clients. Most smartphones support wifi and most people don't bother disabling wifi when they go outdoors [1]. If wifi is left on, it is possible to detect these smartphones and track their movement. To be able to track smartphones, all I had to do is grab a computer with a wifi card and start to listen for nearby smartphones.

    Over the course of 10 days I was able to detect around 590 unique wireless client devices passing the vicinity of my house (near Amsterdam, The Netherlands). Please note that not all of those devices are smartphones, so I have to determine which are and which are not. I just used airmon-ng to sniff for wifi clients.

    It is very easy to track a person if wifi is enabled on their smartphone, since the phone will broadcast its unique identifier: its MAC-address. A MAC-address is as unique as a phone number, so it is ideal for tracking down people. A single wifi sniffing computer is not enough to follow people, but if you were to set up a grid of wifi sniffing devices, tracking people would be very easy.

    Then I got bored with this project and decided to see if I could get any additional information out of my data set of 590 wifi clients. The fun thing is that the first three parts of a MAC-address disclose the vendor of the device. For instance, this MAC-address (made anonymous) belongs to HTC, thus is probably an HTC smartphone.

    90:27:E4:B7:XX:XX

    There is a whole list that shows which MAC-addresses belong to which manufacturers. This allows me to create a list of vendors associated with the MAC-addresses I captured. This is fun, because I can now count how many devices I 'caught' from a particular vendor.
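    The vendor count described above, as an added example that is not the author's own script. Only the 90:27:E4 to HTC mapping comes from the article; the other prefixes, the vendor names and the capture list are constructed. It also sets aside addresses with the locally administered bit set, which carry no vendor prefix.

```python
import re
from collections import Counter

# Vendor table: only 90:27:E4 -> HTC is taken from the article. The other two
# prefixes and vendor names are constructed placeholders, not real assignments.
OUI_TABLE = {"9027E4": "HTC", "040001": "ExampleVendorA", "080002": "ExampleVendorB"}

# Constructed capture list, including the article's anonymised address.
CAPTURED = [
    "90:27:E4:B7:XX:XX",   # anonymised tail: the vendor prefix is still usable
    "90:27:e4:11:22:33",
    "04:00:01:aa:bb:cc",
    "04:00:01:AA:BB:CC",   # same device seen twice, different case
    "04:00:01:10:20:30",
    "08:00:02:01:02:03",
    "DA:A1:19:00:00:01",   # locally administered bit set: no vendor prefix
    "not-a-mac",
]

def oui(mac):
    """Return the first three octets as six hex digits, or None if malformed."""
    octets = re.split(r"[:-]", mac.strip().upper())
    if len(octets) != 6:
        return None
    if not all(re.fullmatch(r"[0-9A-F]{2}", o) for o in octets[:3]):
        return None
    return "".join(octets[:3])

def classify(mac):
    """Map one address to a vendor name or to a reason it has none."""
    prefix = oui(mac)
    if prefix is None:
        return "invalid"
    if int(prefix[:2], 16) & 0x02:   # locally administered, e.g. a randomised MAC
        return "locally administered"
    return OUI_TABLE.get(prefix, "unknown")

def vendor_share(macs):
    """Count unique devices per vendor; return {vendor: (count, percent)}."""
    unique = {m.strip().upper() for m in macs}
    counts = Counter(classify(m) for m in unique)
    counts.pop("invalid", None)
    total = sum(counts.values())
    return {v: (n, round(100 * n / total, 1)) for v, n in counts.most_common()}

if __name__ == "__main__":
    for vendor, (n, pct) in vendor_share(CAPTURED).items():
        print(f"{vendor:22} {n:3} {pct:5.1f}%")
```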

    The majority of wireless devices are from Apple (64%). The second largest is HTC (12%). That is an incredible difference between number one and number two. If these numbers actually mean anything, they are very interesting.

    [Image: smartphoneshare]

    I think this picture is telling, but its accuracy can be questioned. There are some problems with my data set. For instance, maybe many people using a particular brand of smartphone do often disable wifi to conserve battery life.

    Also, look who's missing in this list: Sony Ericsson. Are Dutch people not using Sony Ericsson smartphones? I must say that I deliberately used a Sony Ericsson smartphone to test my setup and it detected the device without any problem. So Sony Ericsson devices might not be that popular.

    The main question is which conclusions can be drawn from this data: that iOS users often leave their wifi enabled, and more often than other smartphone users?

    It is difficult to say what this data actually means and how accurate it is, but it may be an interesting technique nonetheless for real-life sampling of a smartphone population.


    [1] Unless your phone is so crappy that it won't hold a charge through the day with wifi enabled.

  3. Setting Up a Jabber Instant Messaging Server

    Sat 05 February 2011

    I wanted to see how difficult it is to set up an instant messaging server based on open source software. Now I know that it is very easy, unless you are stubborn and do things your own way. In this example, I'm setting up a small IM server that is only for internal company use, but there is no difference if you want to expose the server to the internet.

    First, a bit of background information. There is an open IETF standard for instant messaging called "XMPP", which stands for "Extensible Messaging and Presence Protocol". This protocol originated as part of the open source Jabber IM server software.

    Setting up ejabberd

    I decided to use ejabberd, which is part of the Debian software archive. It is written in Erlang, but I can live with that. This blog post documents how to set up the IM server with two accounts that can chat with each other. The configuration I use also enforces the use of SSL/TLS so authentication and all messages are encrypted.

    Steps to get things running:

    • apt-get update
    • apt-get install ejabberd
    • cd /etc/ejabberd
    • edit ejabberd.cfg

    Change the following line to your needs:

    %% Hostname
    {hosts, ["localhost", "jabber.domain.local"]}.
    

    Also enforce the use of encryption like this:

    starttls, {certfile, "/etc/ejabberd/ejabberd.pem"}
    

    Must be changed to:

    starttls_required, {certfile, "/etc/ejabberd/server.pem"}
    

    Generating a custom SSL certificate

    Security-wise, it is very wrong to use the default SSL certificate as provided by the installation package for the server certificate. Anyone with access to this key material can decrypt encrypted communication. So you must generate your own server certificate. This is also required because IM clients may verify the certificate against the domain name used within the certificate. If there is no match, it will not work or it will at least complain.

    openssl req -new -x509 -newkey rsa:2048 -days 365 -keyout privkey.pem \
    -out server.pem
    

    So this creates a public key (server.pem) and a private key (privkey.pem) which are valid for a year. Feel free to make the certificate valid for a longer period; this is an example. You will have to fill in some fields; the most important one is this:

    Common Name (eg, YOUR name) []:jabber.domain.local
    

    You are forced to set a password on the private key, but we want to remove this because otherwise the ejabberd service will not start automatically.

    openssl rsa -in privkey.pem -out privkey.pem
    

    Just enter the password you entered earlier and you're done. We now have separate files for the public and private key, but ejabberd expects them in one single file.

    cat privkey.pem >> server.pem
    rm privkey.pem
    

    Set proper file system permissions:

    chown ejabberd server.pem
    chmod 600 server.pem
    

    Now we are done. Restart ejabberd to use the new settings.

    /etc/init.d/ejabberd restart
    

    Security caveats

    Please note that the ejabberd daemon provides a small built-in web interface for administration purposes on TCP port 5280. By default it is not protected by SSL or TLS and cannot be used unless you add users to this part of the configuration file:

    {acl, admin, {user, "", "localhost"}}.
    

    Example:

    {acl, admin, {user, "admin", "localhost"}}.
    

    The user must also be registered as a normal IM user as described in the next section.

    Warning: it seems to me that this interface is not very secure, for example, there is no logout button.

    Furthermore, you might consider disabling the following section:

    ejabberd_s2s_in
    

    This prevents your IM server from communicating with other IM servers (source). But we are not finished. When you install ejabberd, some other services are also started on the system. It is thus very important that you configure your firewall to block these ports. This small nmap port scan output shows some interesting services:

    4369/tcp  open  epmd?
    5222/tcp  open  jabber  ejabberd (Protocol 1.0)
    5269/tcp  open  jabber  ejabberd
    5280/tcp  open  http    ejabberd http admin
    |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
    36784/tcp open  unknown
    

    Ports 4369, 36784 and 5280 should be blocked by your firewall and not accessible from the internet.
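    One way to check the result after the firewall is in place, as an added example that is not part of the original post: parse nmap output and report every open port that is not on an allow-list. An allow-list is used instead of the three port numbers because the Erlang distribution port (36784 in this scan) is assigned dynamically and can change after a restart; the allow-lists and the second scan are constructed assumptions.

```python
import re

# Scan output copied from the article.
SCAN = """\
4369/tcp  open  epmd?
5222/tcp  open  jabber  ejabberd (Protocol 1.0)
5269/tcp  open  jabber  ejabberd
5280/tcp  open  http    ejabberd http admin
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
36784/tcp open  unknown
"""

# Constructed scan of the same host from outside, after firewalling.
SCAN_FIREWALLED = """\
4369/tcp  filtered epmd
5222/tcp  open     jabber
5280/tcp  filtered http
"""

# "<port>/<proto>  <state>  <service> ..." as printed in the nmap port table.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def open_ports(nmap_text):
    """Return {port: service} for table rows whose state is exactly 'open'."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":   # skips filtered, closed, script output
            found[int(m.group(1))] = m.group(4)
    return found

def unexpected(nmap_text, allowed):
    """Open ports that are not on the allow-list, in ascending order."""
    return sorted(p for p in open_ports(nmap_text) if p not in allowed)

if __name__ == "__main__":
    # Assumption: 5222 (clients) and 5269 (server-to-server) are meant to be public.
    print("before firewall:", unexpected(SCAN, {5222, 5269}))
    # Assumption: ejabberd_s2s_in disabled, so only 5222 should remain reachable.
    print("after firewall: ", unexpected(SCAN_FIREWALLED, {5222}))
```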

    Adding users

    It is now time to create some IM users. A user account always looks like an email address, for example:

    peter@jabber.domain.local
    

    To add accounts, use the ejabberdctl utility:

    ejabberdctl register peter jabber.domain.local <password>
    

    Please note that passwords that are entered on the command line end up in your bash_history file, so beware. Also, users running ps aux may be able to see the command for a brief moment. So be careful.

    By registering two accounts, you can test your new server.

    Additional resources

    Nice to know: the domain names used for your accounts can differ from the domain used for the IM server.

    If you have a Windows Active Directory domain, you could consider authenticating your users against LDAP.

    Other resources:

    • tutorial 1
    • tutorial 2
