stotti.blog() — New Wordpress password hasher tool

This time just a quick post as I am in a hurry. Ever wondered how to change your Wordpress password in case you have forgotten it? In early versions Wordpress used the MD5 hashing algorithm to “encrypt” the passwords of a user. Nowadays Wordpress uses the Portable PHP password hashing framework (PHPASS) instead of MD5 hashing since version 2.5 (see this ticket) - so you cannot simply MD5 hash a new password and enter the digest into the database anymore. You have to encode it using the framework mentioned above.

Today i have implemented the PHPASS framework and turned it into a mainframe8 tool called the Wordpress password hasher. Use it to convert your new password into a “encrypted” hash and insert it into the wp_users table of the wordpress database. I will write a detailed howto later.

Fat Bloke — VirtualBox 3.0 is released!

Good news! VirtualBox 3.0 is released. This is the  release where guests went SMP (multiple vCPUs).  And to show what that means here's a screenshot of a MacBook Pro (Intel Core 2 Duo) running:

• Windows Server 2008 with 4 vCPUs (left hand side);
• Ubuntu Server with 2 vCPUs (right hand side);

stotti.blog() — How to crack MD5 passwords with John the Ripper - a live example exploiting TYPO3

Earlier I told you how to crack MD5 passwords in general. This article tells how to get the passwords out of a TYPO3 installation, which are MD5-hashed, and crack them using John the Ripper.

Preparations step 1: lurk the data!

Okay, assuming that you’re an TYPO3 administrator that wants to check the password strength of your backend users (good guy). Or you have gained access to the database of a TYPO3 installation and want to access the content management system (bad guy). No, you wouldn’t do that…
Well, in both cases you may want to to execute the following SQL query to assemble the account names and their respective passwords.


SELECT `username` , `password`
FROM `be_users`
INTO OUTFILE ‘/tmp/typo3passwords.txt’
FIELDS TERMINATED BY ‘:’
LINES TERMINATED BY ‘\n’


Now you have a well-formatted file containing all username/password combos of the specific TYPO3 setup.

Preparations step 2: fetch your tools!

Go and get John the Ripper (JtR) first. As required by the German law I can not tell how or where to get it. I guess you query your favourite search engine and will find it instantly. John the Ripper does come with a few cipher formats compiled in, but for MD5 you need more formats. These come in patches provided by third parties.

For Linux you have to compile JtR yourself, including the so called “big patch”.

<fetch john-1.7.2.tar.gz from a source near you>
tar xvf john-1.7.2.tar.gz
wget http://www.openwall.com/john/contrib/john-1.7.2-all-12.diff.gz
gunzip john-1.7.2-all-12.diff.gz
patch -p1 < john-1.7.2-all-12.diff
cd src/
make clean linux-x86-any
<notice: if you get errors missing des.h, you should install the libssl-dev (debian) package and re-run the make statement>


Sorry to say I have no idea how to get John the Ripper & the big patch running on windows. You better use Cain & Abel for that, i guess.

So, if the compiling went through you can test if everything went well:

~/jtr/john-1.7.2/src$ ../run/john

It should contain the following list of cipher formats:

--format=NAME force ciphertext format NAME: DES/BSDI/MD5/BF/AFS/LM/NT/PO/raw-MD5/IPB2/raw-sha1/macosx-sha1/md5a/hmac-md5/KRB5/bfegg/nsldap/ssha/oracle/MYSQL/mysql-sha1/mscash/lotus5/DOMINOSEC/NETLM/NETNTLM/NETLMv2/NETHALFLM/mssql/mssql05/epi/phps/mysql-fast

raw-MD5 is the cipher of choice and it is available right now - so let’s rock!

Go go gadget: starting to crack

The actual cracking process is quite simple: run John the Ripper using the format parameter stating that you want to use raw-MD5 and input the file you have created using the SQL statement above:

~/jtr/john-1.7.2/src$ ../run/john --format=raw-MD5 /tmp/typo3passwords.txt
Loaded 2 password hashes with no different salts (Raw MD5 [raw-md5])

The application then runs for a different amount of time - depending on your CPU power, your wordfiles and the weakness of the chosen passwords. In my example there are very weak passwords, as they are cracked nearly instantly. Let me show you using the –show parameter of JtR:

~/jtr/john-1.7.2/src$ ../run/john --format=raw-MD5 --show /tmp/typo3passwords.txt
jane.simpson:jane
admin:way2go
2 password hashes cracked, 0 left

That’s it! I can now approach the users and tell them how stupid their passwords are. You should do the same and check the passwords - especially your own.

Did this article help you out? Please leave a comment, i appreciate them. You can subscribe to my RSS-Feed as well - it’s free! And last but not least do not forget to Digg me!

ThinkThin — A Little Remodeling

Depending how you read this blog, you might have notice a few subtle changes aimed at increasing usability.  The very talented Matthias Müller-Prove, Sun's Desktop Virtualization Engineering Group's User Experience Architect added some cool new features to the Think Thin Blog. 

Updates in a nutshell:

• Added TweetMeme twitter badge
• Changed order in right navigation bar
• New tagcloud styling
• Open tagcloud by default
• Added tags for each posting
• Changed 'sun ray' tags to 'sunray' and sunray made it to the most popular tags
• Note: Trademark name is still 'Sun Ray' but our blogging engine does not support two word tags, thus Sun Ray related entries were getting two tags Sun & Ray.
  

A big thanks to Matthias, the changes look and work great!

Thin Guy — Sun Ray Software 5 Early Access Coming Soon!

Quite a few folks have asked me what new features are coming up in our next release of Sun Ray Software.  While the software should be "released" in the fall, we are having two Early Access periods beginning July 6th.  Unlike previous beta periods, we've opted to make both EA periods open to the public.  Also for the first time, our primary support method is going to be Forum based, much like we did for the early access period for VDI 3. 

One small detail to bear in mind to avoid future confusion with our naming scheme as I just got a comment on a blog from a couple of years ago on Sun Ray Software 4 Update 1.   Sun Ray Software is a suite of products that includes Sun Ray Server Software and Sun Ray Windows Connector which versions will be 4.2 and 2.2 respectively.  Clear?  No?  Well, roll with it anyways.  :)

Sun Ray Server Software Supported Platforms:

• Solaris 10 5/09 SPARC or X86
• SuSE Linux Enterprise Server (SLES) 10 Service Pack 2 (32-bit and 64-bit)
• Red Hat Enterprise Linux (RHEL) 5 Update 3 (32-bit and 64-bit)
  

A few of the planned highlights of EA1:

• Support for Windows 2008 Session Directory
• Support for 32 bit color using Windows 2008 or Windows Vista via RDP
• Sun Ray "Soft Client".  Connect to your Sun Ray Session from a Windows Operating System
• Initially the following platforms will support be supported as clients: Windows XP, Vista, and Windows 7 (when released)
• Smart Cards not supported yet with the Soft Client
  
• Flash Acceleration
• When flash content is viewed through Internet Explorer 7 & 8 on Windows XP SP3 and Windows 2003 R2
  
• Flash 9 compatible content viewed from Flash 9 IE plugin and greater

Planned highlight for EA2 (August Timeframe):

• USB Redirection
• List of devices supported will be published soon, but will not include isochronous devices such as webcams or audio class devices
• Redirected devices appear to be connected directly to the Windows Virtual Machine instead of mapping via RDP
  

Watch this space and the Think Thin Blog for more details of other features.

Virtual Desktops — Login button on logged-out-page not always 'active'

When a users logs out of the SSGD webtop with the logout-button the logged-out-page is shown. The logged-out-page contains a login-button. The login-button is not always 'active' (when clicking on the login-button nothing happens).

When looking into the JSP-code of the logged-out-page the 'activation' of the login-button is based upon the status of the TCC (Tarantella Client Connector/a SSGD-application which displays the applications). When the TCC is still running the login-button is 'activated'. This is a bit strange since logging out of the SGD webtop will stop the TCC.

/opt/tarantella/webserver/tomcat//webapps/sgd/webtops/standard/webtop/logged-out.jsp
I saw a check to 'enable' or 'disable' the login-button. The button is 'enabled' when the TCC is stll running.


A quick fix to always show the link by editing the logged-out-page. Follow these steps:

• Logon to the SSGD server

• Go to the directory:
  /opt/tarantella/webserver/tomcat//webapps/sgd/webtops/standard/webtop

• Edit the file:
  logged-out.jsp

• change line (109 for SGD4.50) from

boolean showLoginLink = (tccStarted != null && tccStarted.equals("true"));

• to

boolean showLoginLink = (tccStarted != null && tccStarted.equals("true"));
showLoginLink = true;

After this change verify the change by logging on to the webtop and log out again to see if the login-button is 'active'.

Fat Bloke — VirtualBox 3.0 Beta Program

If you know what you are doing and you like to live dangerously, you might want to read about the VirtualBox 3.0 Beta which was made available this week.

-FB 

ThinkThin — Wikis For The Win!

When the VDI 3 team decided that all the documentation for our new product would be done on wikis.sun.com, I really didn't give it a lot of thought.  I'm a huge believer in and consumer of social media from blogs to twitter and I know the power they can have if used correctly. 

After we released the product there was a lot of negative feedback on the documentation for a variety of reasons such as no access to the internet, not portable, etc.  While those are valid concerns, I believe the primary reason for the negative feedback boiled down having to navigate something new.  But honestly I was starting to have my doubts as some customers weren't happy at all.  Maybe the world wasn't ready for wiki only documentation for a Sun product.

The VDI 3 team made the docs available in a PDF, including the Release Notes.  However the purpose of this entry isn't about changing to PDF, it's about the real benefit of the Wiki format for documentation.  Not to take anything away from the old documentation process, but in all fairness it is a slow process.  Now consider this.

Recently we added support for Solaris 10 U7 with our first patch for VDI 3, this allows one to use a S10 U7 Server instead of OpenSolaris for the iSCSI/ZFS storage magic that is a huge part of Sun VDI 3.  This morning a Systems Engineer asked this question:

Is somebody preparing instruction for Solaris10 Storage Server?

Within a couple of hours, this response came back:

I've added http://wikis.sun.com/display/VDI3/How+to+Set+Up+a+Solaris+Storage+Server

~Thomas

I could rattle off more 100 examples like that one for topics like clarification, errors, missing info, etc.  Changes that used to take days, weeks, or months to make its way into the official documentation and out to the user base is now done in minutes.  The response time is a credit to our great VDI engineering team, the agility is due to the wiki and the combination is a win, plain and simple.  Many thanks to the Sun VDI team and the Sun Community Services Engineering team.

White men can't jump — Building a VDI demo

Hi,

We now have a demo guide that runs you through the setup of a single box VDI demo based on VirtualBox.

Feedback is welcome,

Dirk

Fat Bloke — Sun VirtualBox and Sun VDI Power JavaOne

Even though you may be away from the office attending a conference, the rest of the world moves on and you quite often need to keep up with your day job. At JavaOne this year, Sun provisioned 21,000 Virtual Desktops for the attendees to use to stay on top of things. This blog entry describes briefly how this was done using VirtualBox and Sun VDI...

User's experience

Dotted around the Moscone Center were hundreds of Sun Rays. These were in the Lobby Areas,

Underpass between North and South Halls, 

and Cyber Lounge areas in the Pavilion.

Every JavaOne attendee was given a smartcard as part of their Welcome Kit on registration. And all you needed to do to get your Virtual Desktop was insert this into the nearest free Sun Ray.

The user can then choose which type of Virtual Desktop they want from:

• Windows 7 
• Ubuntu 8.10
• OpenSolaris 2009.06 

Under the hood:

The first time you make this choice your Virtual Desktop virtual machine (vm) is created based on a template in Sun VDI. The virtual machine configuration is held in a MySQL database and the virtual disk image is quickly cloned from the template using a feature of ZFS which underpins the Sun Storage 7000 servers that were in use. Then Sun VDI chooses a VirtualBox server (based on load) and launches the new vm on that server, with the configuration and iSCSI target id that uniquely identifies the new virtual disk.

When you pull your card out the vm suspends after a short period which means resources can be freed up for other users.

When you re-insert your card and launch a previously created Virtual Desktop, the vm is restored from disk (note that this can be to a different VirtualBox server than the original session ) and you are good to go.

Here is my Windows 7 Virtual Desktop.

Administrator Experience 

To manage the 21,000 virtual desktops we had 2 guys (admittedly smart guys).

And the whole thing was powered by a single rack:

The rack consisted of:

• 4 VDI servers - 4 Sun Fire X4450, each with 4 CPUs and 64 GB memory.
• 5 VirtualBox servers - 5 Sun Fire X4450 servers, each 4 CPUs, 6 cores per CPU and 64 GB of memory.
• 3 Storage servers - 3 * 7210 Unified Storage servers.

This was vastly over-spec'ed as we could see using the Analytics of the storage servers:

Thanks to Christian and Thomas (our architects and admins for the week) and kudos to Dirk's and Achim's teams.

- FB 

ThinkThin — SRSS 4.1 on Solaris 10 5/09 With Trusted Extensions

Here's a detailed installation log for a simple SRSS 4.1, SRWC 2.1 on the latest release of Solaris 10 5/09 with Trusted Extensions.  Download a zip file with everything you need here.  After downloading & unzipping, you'll find the detailed installation & configuration instructions in this file: srss4.1-on-s10u7-tx-install-log.txt.

The installation is based on this example topology:

White men can't jump — VDI 3 Patching

VDI 3 just released its first patch a week ago. So far, so good. But there came up a number of questions about how the whole patch strategy for the product including the various technologies. This works in the following way:

• Patches for VDI core will be released as patches for the VDI 3 product, in the way we just did it for the first patch.
• Patches for included Sun Ray technology will be released as the part of the Sun Ray product. In general it is recommended to run on the latest patch level, even though it might not be important to VDI 3. The most recent patch as been announced here.
• Changes to VirtualBox will NOT be delivered as patches. If bug fixes are required, we will release a new minor version of VirtualBox qualified for VDI 3. In consequence requires a new version a re-install of VirtualBox on the virtualization host.
• Changes to the storage platform. These are not driven or controlled by the VDI team. Therefore the VDI team needs to qualify a new firmware for the Unified Storage systems as well as updates to OpenSolaris. The VDI team will announce which future versions are supported or by when. So, be a bit careful in this area.

Cheers,

Dirk

White men can't jump — VDI 3 @ JavaOne - Summary

Here is a short summary of our VDI implementation for the JavaOne conference. How we did it, has been described on our wiki. During the show we've been gathering data, here are some highlights:

• Setting up the VDI environment took about 2 days. This is the software install on all tiers, the network setup, storage setup and the cloning of roughly 10000 desktop images. Additional images would have been created on demand. The work has been done by 2 engineers of the VDI team.
• Roughly 6000 desktops have actually been used by the participants during the whole week.
• The majority of the users sticked to just one desktop.
• Half of the users went for Windows 7, the other half for the Unixes OpenSolaris and Ubuntu.
  
• The whole storage consumption for 6000 desktops in use was 2 TB. Remember each single desktop image had a size of 10 GB. (Windows 7 even more). Without the merits of ZFS this would have been 60TB.

FatBloke took some nice pictures showing people using VDI 3.

And by the way, it is a very new experience seeing people working on the same thin device all using different desktop OSs.

And this is the user experience that has been offered to the users:

1. Choose your desktop
   
2. Connecting to the desktop
   
3. Working with your personal Windows 7 desktop
   

That's it around the show. Interesting experience for the VDI team and very good proof of our solution.

-Dirk

ThinkThin — Patch Releases: SRSS 4.1 (02) + Kiosk (01) + SRWC 2.1 (01)

The following patches have been released & are available at SunSolve.

SRSS 4.1 Patch Rev 02:

• 139548-02 (Solaris/SPARC)
• 139549-02 (Solaris/x86)
• 139550-02 (Linux)

SRSS 4.1 Kiosk Patch Rev 01:

• 141176-01 (Solaris/SPARC)
• 141177-01 (Solaris/x86)
• 141178-01 (Linux)

SRWC 2.1 Patch Rev 01:

• 139725-01 (Solaris/SPARC)
• 139726-01 (Solaris/x86)
• 139727-01 (Linux)

White men can't jump — VDI 3 @ JavaOne

Today I'm at the Community/JavaOne conference in San Francisco, Moscone Center.  A couple of thousand participants will be at the show. And as usual they get terminals to access their session schedule or browse the internet. The cool thing from a VDI perspective is, that this is all powered by Sun VDI.

There is an article on how we set it up: http://wikis.sun.com/display/DesktopVirtualization/Sun+VDI+for+JavaOne. I think this is very impressive, running about 20000 virtual desktops with such a small equipment.

Special thanks to the tradeshow team, Vernon and Kevin, and to Thomas and Chris, to get this setup going in such a short time.

- Dirk

Fat Bloke — Sun VirtualBox 2.2.4 released!

Quick one: Version 2.2.4 was made available for download last night from the Usual Places.

What got fixed is listed here.

- FB 

White men can't jump — Sun VDI 3 - Patch 1 Released

Hi,

I'm sure this will be of interest for various people. We have just released a first patch for VDI 3. It includes a number of important enhancements, such as:

• S10 U7 support
  This is quite significant as it allows you to build a demo/POC on a single box including VirtualBox and Storage. Some postings on how this can be done will follow.
• VMware vSphere 4 support:
  VDI 3 runs against vCenter 4
• Support of the latest Unified Storage firmware
• Performance improvements in the UI
• And many other things targeted for scalability and robustness

The x86 version is 141482-01.

The Sparc version is 141481-01.

Just one note: The documentation will reflect the changes sometime next week. So stay tuned for the update.

- Dirk

White men can't jump — A new storage for VDI, the 7310 Unified Storage System

Sun has just announced a new storage system, the 7310. The big thing about it is: It provides basically the same functionality as the 7410 including High Availability through clustering, but at a lower entry price. This system is ideal to start small and grow later for dedicated VDI deployments.

It starts with 6 TB and can grow to 96TB in up to four storage extensions. It is perfectly made for hosting VM images through NFS or iSCSI with a big read/write caches in the middle. But of course it can also be used as a file server in a Windows environment. As said, ideal for VDI.

-Dirk

Fat Bloke — Virtual Appliances

One of the really cool and really powerful features introduced in version 2.2 is the ability to export and import virtual appliances. A Virtual Appliance consists of:

• description of one of more virtual machines in an OVF file;
• a set of one or more virtual disk images.

 With VirtualBox you can now easily create virtual appliances by simply exporting your vm's directly from the VirtualBox GUI or on the command line. 

And of course you can import just as easily as you would expect.

For details of how it works and why you might want to do this here's a 9 minute movie. There are chapter markers for Import and Export sections if you want to skip thru it.

-FB

stotti.blog() — MD5 and SHA1 encoder plugins for major browsers

As already announced at the site itself, the MD5 and SHA1 encoders at mainframe8 support the use of custom browser search engines for quite a while now. This means you can MD5/SHA1 encode strings directly from the browser!

Technical background

We don’t rely on the old Sherlock standard but used the up-to-date OpenSearch definition. Sherlock has been Mozilla specific while the A9 OpenSearch Standard is now supported by all major browser vendors (Microsoft, Mozilla and -as far as i know- Google). Sorry to say Apple’s Safari and Opera seem to deny to adopt OpenSearch functionality yet. Don’t worry, i plan to write a blog article on how to add custom search functionality to Opera and Safari later.

How to install the encoder functionality

By far the most simple way is to enter the encoder sites (MD5/SHA1) and to click on the link in the green news box:

This will add the encoder functionality to the browser by using a javascript function. You are free to repeat this step for each encoder you need. On each site there is a link for the specific encoder.

Another way to incorporate the encoder into the browser is by using the autodiscovery function of the browser itself. Every opensearch enabled tool by mainframe8 identifies itself as a possible browser search plugin. Smart browsers such as Firefox v2/v3 and (hard to say that ) Internet Explorer v7/v8 will check that identification and display it to the user.

To integrate the encoding functionality you are required to click on the higlighted/backlighted icon of your default search engine. The browser then gives you the opportunity to integrate it by using a simple dialog.

The Microsoft Internet Explorer behaves similiar:

How to use the encoder functionality

Now that you have integrated the custom “search” engine to the browser of your choice you can start using it. Here is an example usage of the MD5 integration into the Microsoft Internet Explorer 7:

1. Use the drop-down button of the installed search engines
2. Choose the appropriate encoder (here: MD5)
3. Enter your string to hash into the input box and press enter

You will see the digest of your message instantly. Happy converting real text strings to hashes!

Fat Bloke — 3D graphics acceleration with VirtualBox

VirtualBox 2.1 introduced 3D acceleration in Windows guests and 2.2 introduced support for Linux and OpenSolaris guests. Here's a short video about how this feature can deliver the Compiz effects in a Linux guest.

stotti.blog() — Review of first CloudCamp Berlin

As announced i took part in the first instance of a CloudCamp in Berlin last thursday. While originally intended for tech-savvy people i had the impression that there were many folks from the management as well.

The first thing to notice is the different perception of the term “Cloud Computing” among the crowd as well as the speakers. The speaker who is most consistent with my view was Niko Nelissen of Sun. Niko described these architectural service layers of Cloud Computing:

1. Software as a Service (SaaS)
2. Platform as a Service (PaaS)
3. Infrastructure as a Service (IaaS)

In my opinion this is the broadest and most appropriate notion of Cloud Computing. All other speakers defined Cloud Computing as a subpart of these layers.

Eventually the speeches were of different quality. They were arranged as lightning talks, so no pitching allowed and only five minutes to talk per speaker. I had the impression that some guys have stripped down their usual presentation slides to exclude everything that smells like a product and talked about the rest of the slides. Usually there is not much information left in a marketing talk. So my advice would be that these guys should be allowed to pitch their product. By this the Google talk could have been interesting.
Otherwise there were some really good speeches. Morris Riedel of the Jülich Supercomputing Center summed up some important learnings of the GRID Computing community that could be helpful for early adopters of Cloud Computing. I also liked the talk by Scott Wheeler of Directed Edge, whose conclusion i did not get - but the overall talk was good.

As far as i can remember there were speakers from the following companies:

• Sun Microsystems
• Amazon Web Services
• CSC
• Google
• Zimory
• aiCache
• Directed Edge
• Jülich Supercomputing Center
• Thorleif of The unbelievable Machine Company

Overall the first CloudCamp Berlin was a good start and i’d like to see it repeat in the capital later this year!

More extensive reviews of the event in German can be found at gruenderszene.de and MashedUp.

Fat Bloke — Still Buzzin'

Fat Bloke had a little time off lately after the excitement of releasing 2.2. But the Buzz around VirtualBox didn't let up and was fueled even more by events such as the launch new versions of Ubuntu and Mandriva, Microsoft's XP-mode with Windows 7 and, of course, Oracle's move for Sun.

So FB has been working hard to catch up and sift thru all the great stuff that has been published in the last couple of weeks. If you want to keep up with the VirtualBox zeitgeist you might want to follow the VirtualBox Buzz blog.

-FB

stotti.blog() — Heading for CloudCamp Berlin

Heading for CloudCamp Berlin soon. With around 160 attendees it’s going to be really crowded. Tonite’s the night!

Fat Bloke — Sun VirtualBox 2.2.2 released!

There were a few problems in the 2.2[.0] release which we have now rectified in this new maintenance release.

It is available for the usual platforms from the usual places and, BTW, this one works really well with Ubuntu 9.04.