2010-05-18

OUI (MAC Address Vendor) Lookup with PHP

I often find myself writing reporting tools in PHP. For work, I wrote a tool to parse Kismet XML files and generate a nice report out of the data. I may talk more about that later on.

One of the things I wanted to do was to reference an OUI table so that I can include the manufacturer of each discovered access point in the report. I figure this may help some people, as this function seems useful anywhere that MAC addresses show up.

I started with the nmap-mac-prefixes file from the nmap subversion tree (and source distribution), but I had to clean it up a bit and turn it into something halfway friendly to cram into an array in PHP, although I suppose I could have done an external grep or loaded the entire file dirty with file_get_contents(). I opted to load the array using the OUI as the key, though. To do that, I did this ugly bit of shell-fu:

grep -v ^# nmap-mac-prefixes | sed s/[\"\',]/" "/g |\
sed s/" "/"\"=>\""/ | sed 's/.*/\ "&\",/' > ouilookup.php

Which resulted in thousands of lines like this:
"000000"=>"Xerox",
"000001"=>"Xerox",
"000002"=>"Xerox",

Next, I had to make it into a function and add the Array() syntax around it:

<?php
function ouilookup($mac)
{
// A static initializer builds the (very large) table once per request
// instead of on every call, which matters when a report has hundreds of MACs.
static $ouilist=Array("000000"=>"Xerox",
"000001"=>"Xerox",
"000002"=>"Xerox",
"000003"=>"Xerox",
"000004"=>"Xerox",

[... Thousands of lines ... ]

"FCFBFB"=>"Cisco Systems",
"525400"=>"QEMU Virtual NIC",
"B0C420"=>"Bochs Virtual NIC",
"DEADCA"=>"PearPC Virtual NIC",
"00FFD1"=>"Cooperative Linux virtual NIC");
// Strip separators (:, -, .) and keep the first six hex digits as the OUI
$oui=strtoupper(substr(preg_replace('`[^a-z0-9]`i','',$mac),0,6));
// An OUI missing from the table would otherwise raise an "undefined index" notice
$vendor=isset($ouilist[$oui]) ? $ouilist[$oui] : null;
return($vendor);
}
?>

The whole thing can be downloaded here: ouilookup.txt (rename to .php)

To use it, simply include the file and call ouilookup() with the MAC address in pretty much any hex format you want (xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx are common). An OUI that is not in the table yields an empty result.

A quick and dirty example using PHP from the command-line:

<?php
//oui.php - ouilookup() test
include('ouilookup.php');
if ($argc < 2) {
    fwrite(STDERR, "usage: php oui.php <mac-address>\n");
    exit(1);
}
$vendor=ouilookup($argv[1]);
echo $vendor . "\n";
?>

$ php oui.php 00:11:22:33:44:55
Cimsys
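The version below is an added example, not code from the original post: it parses nmap-mac-prefixes at run time (the file_get_contents() route the post mentions but did not take) instead of baking the table into a PHP array, and it reports two things a Kismet-style report should show next to the vendor that the post's function does not check. The function names, the temporary-file handling and the sample table are assumptions made for this example; the input format assumed is nmap's "<6 hex digits> <vendor>" with '#' comment lines.

```php
<?php
// Added example, not the original post's code. Parses nmap-mac-prefixes at
// run time and flags addresses whose OUI should not be taken at face value.
// Function names, the sample table and the temp-file handling are assumptions.

/**
 * Parse nmap-mac-prefixes ("<6 hex digits> <vendor>", '#' = comment) into an
 * array keyed by upper-case OUI. Malformed lines are skipped, not guessed at.
 */
function load_oui_table(string $path): array
{
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException("cannot read $path");
    }
    $table = [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        // Split on the first run of whitespace only: vendor names contain spaces.
        $parts = preg_split('/\s+/', $line, 2);
        if (count($parts) !== 2 || !preg_match('/^[0-9A-Fa-f]{6}$/', $parts[0])) {
            continue;
        }
        $table[strtoupper($parts[0])] = $parts[1];
    }
    return $table;
}

/**
 * Reduce any common notation (xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx,
 * xxxx.xxxx.xxxx, xxxxxxxxxxxx) to 12 upper-case hex digits; null if the
 * input is not a MAC address at all.
 */
function normalize_mac(string $mac): ?string
{
    $hex = strtoupper(preg_replace('/[^0-9A-Fa-f]/', '', $mac));
    return strlen($hex) === 12 ? $hex : null;
}

/**
 * Look up the vendor and return two flags alongside it:
 *  - local:     bit 1 of the first octet set (locally administered). The first
 *               three octets are then not an IEEE-assigned OUI, so any vendor
 *               match is only as good as the table entry. nmap lists a few such
 *               self-assigned prefixes on purpose (52:54:00 QEMU is one), which
 *               is why the flag is reported rather than the match suppressed.
 *  - multicast: bit 0 of the first octet set; not a station address.
 */
function oui_lookup(array $table, string $mac): array
{
    $hex = normalize_mac($mac);
    if ($hex === null) {
        return ['valid' => false, 'vendor' => null, 'local' => false, 'multicast' => false];
    }
    $first     = hexdec(substr($hex, 0, 2));
    $local     = ($first & 0x02) !== 0;
    $multicast = ($first & 0x01) !== 0;
    $oui       = substr($hex, 0, 6);
    $vendor    = isset($table[$oui]) ? $table[$oui] : null;   // no notice on a miss
    return ['valid' => true, 'vendor' => $vendor, 'local' => $local, 'multicast' => $multicast];
}

// Constructed excerpt in nmap-mac-prefixes format, written to a temporary
// file so the example runs without the nmap source tree.
$sample = "# nmap-mac-prefixes (constructed excerpt for this example)\n"
        . "000000 Xerox\n"
        . "525400 QEMU Virtual NIC\n"
        . "00FFD1 Cooperative Linux virtual NIC\n";
$path = tempnam(sys_get_temp_dir(), 'oui');
file_put_contents($path, $sample);
$table = load_oui_table($path);
unlink($path);

$probes = [
    '52:54:00:12:34:56',   // QEMU guest NIC: matches, and 0x52 has the local bit set
    '0000.0000.0001',      // Cisco-style notation, Xerox prefix
    '02-00-00-aa-bb-cc',   // locally administered, no table entry
    '01:00:5e:00:00:01',   // IPv4 multicast group address, not a station
    'not-a-mac',
];
foreach ($probes as $mac) {
    $r = oui_lookup($table, $mac);
    printf("%-20s %-32s local=%s multicast=%s\n",
        $mac,
        $r['valid'] ? ($r['vendor'] ?? '(unknown)') : '(invalid)',
        $r['local'] ? 'yes' : 'no',
        $r['multicast'] ? 'yes' : 'no');
}
```

Run it with `php` from the command line; it needs no arguments because the sample table is embedded. One caveat applies to either version of the lookup: the MAC in a Kismet capture is whatever the frame carried, so the vendor column describes the NIC the station claims to have. A spoofed or self-assigned address gets the vendor of the prefix it chose, which makes the field a triage hint for a report, not evidence of what hardware is actually on the air.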

2010-05-17

OpenBSD 4.7 + Chrooted Apache, MySQL & Suhosin PHP

FYI - There's now a page that covers OAMP for all recent versions of OpenBSD. My OAMP series is a popular one. Although OpenBSD 4.7 doesn't come out for 2 more days, the media has already shipped to those who pre-ordered. And, as I mentioned previously, you'll want to get crack-a-lacking on those patches. As of the time of writing, there are already 4 patches to install for OpenBSD 4.7, which affect all architectures.

I'll spare you the verbosity. The installation procedure for getting OpenBSD, Chrooted Apache, MySQL and Suhosin-hardened PHP all working together hasn't changed one bit in OpenBSD 4.7. You can follow my instructions verbatim from the OAMP 4.6 Walk-Through, with one minor difference: make sure you change "4.6" to "4.7" when defining PKG_PATH in your .profile.

I was able to go from an empty virtual machine to a fully-functioning, chrooted install of WordPress in under 30 minutes just by following the instructions (and, of course, pointing the PKG_PATH to the packages on the media, not FTP, since the 4.7 branch hasn't hit the Internet yet).

Now that Blogger has the ability to store "pages", I may eventually convert this article series to a living document. There are also some lazy shortcuts I take that kind of go against traditional OpenBSD methods (directly launching stuff from rc.local, editing rc.conf instead of making changes in rc.conf.local, etc.) - I may get around to de-cruft-ifying this how-to at the same time. Otherwise: Enjoy!

2010-05-10

Back in action

Today was my first day back to work since January 8th.


Officially, I'm a Linux/Windows Administrator, helping a small IT shop wherever they need it while they scale up support for many new end-users around the world. That includes many IT things beyond Linux and Windows systems.

It was much to my delight this morning, while talking with my new boss, that he went over a vast array of security-related items that I'll be working on as time permits. I'm proud to be on a very talented team of folks with a diverse array of skills. While they've been prudent with their security stance, I'll be helping them take security to the next level while functioning as an all-purpose IT guy.

2010-05-04

Conspiracy Theory: A Battle.net security shill?

A few days ago, my wife logged in to World Of Warcraft only to find that all of her characters had been pretty much stripped of everything. Her username isn't related to any of her mail or social media accounts, and her passwords are unique between all her various accounts. Her WoW password wasn't easy to guess by a long shot, and complex enough that I doubt it was brute forced.


Her system is up to date and protected with MSE, so I weeded through the various places that services can be stealthily launched from and found nothing suspicious. We then tried scanning with several other free tools such as MalwareBytes, Sophos Anti-Rootkit and others.

No sooner does she complain on the forums than she begins getting a massive influx of scam phishing. Most of these have forged mail headers, but originate from China or the UK and link to sites hosted in all the usual (shady) places. The email address she uses isn't published anywhere, at least in relation to World of Warcraft. Blizzard and Battle.Net are the only places that know that email address.

Blizzard's "official" way to help you secure your WoW account? Selling you a one-time-password keyfob along the lines of a SecurID, shown above. Given the fact that WoW is one of the least-sensitive accounts she logs into and that no other breaches have occurred, I'm kind of doubting that she was hit with something as sinister as a keystroke logger. What's more, looking at forum activity, it really does appear that there are a lot of these compromises taking place, and it really seems that WoW is often the only thing being compromised in these attacks.

I'm not one for elaborate conspiracy theories, but this whole thing stinks like a shill to sell keyfobs.