Posts | Tags | Archive

Gotcha with basic HTTP authentication in Python

When doing basic HTTP authentication in Python, make sure your authentication realm is surrounded by double, NOT single quotes.

Bad:

1
2
3
self.send_response(401)
self.send_header("WWW-Authenticate", "Basic realm='/'")
self.end_headers()

Good:

1
2
3
self.send_response(401)
self.send_header("WWW-Authenticate", "Basic realm=\"/\"")
self.end_headers()

The single quotes work with most browsers, curl, wget, and tons of other tools. However, when using Python to access the page (using urllib2.HTTPPasswordMgrWithDefaultRealm to manage authentication) single quotes don't trigger the "automatic retry with authentication" response, and instead just raise a 401 HTTPError.

Queen's University Resnet without IDA (Windows)

Storytime

So you're in your first year at Queen's University residence and you want to access the internet. Sounds reasonable. You plug in your Windows laptop, open your browser, and...nothing. Well, mostly nothing. A page that tells you that you've been quarantined and to please click here, download IDA, install it, and let it work it's magic.

Sounds easy right? What they don't tell you is that IDA holds ResNet access hostage until you've installed some garbage antivirus, downloaded all the new windows updates (IDA actually does this itself, it doesn't step back and let Windows Update do it's job), and a few other things. After all that, you enter your NetID and password, and it registers you. In theory.

What I ran into every single time I ran it with my laptop (running Windows XP at the time) was it failing to download something, throwing an error message and refusing to register me. I gave up after a few times and plugged in my other computer (Running the relatively obscure Windows XP x64). What I noticed is that I didn't get the typical quarantine page, I got a simple page that asked for a NetID and password. I entered my information and got a message stating I was good to go. I checked a few pages and they all seemed to work.

I plugged my laptop back in and tried to load a page. The same quarantine screen. Since the main way a webpage tells the difference between two operating systems is the user agent, I fired up Tamper Data and submitted a request with a blank one. I got the same page that asked for my NetID and password.

I assume this works because if the registration server decides (based on your user agent) that IDA won't run on your computer, instead of leaving you screwed, it'll give you an alternate way out. Since when you take away the user agent the server can't tell what kind of operating system you're running, they assume that IDA won't work on it and give you the simple "Enter your account details" prompt.

Register a computer without IDA

  1. Acquire unblocked internet (the queensu wireless is a good bet).
  2. Download and install Firefox and the Tamper Data addon.
  3. Disconnect from the internet and plug in to ResNet.
  4. In Firefox, click Tools, Tamper Data.
  5. In the window that pops up, click "Start Tamper".
  6. Try to load a website.
  7. A window will pop up asking you if you want to tamper with the request. Click the "Tamper" option.
  8. In the windows that pops up, delete everything in the "User-Agent" field and hit OK.
  9. Repeat steps 8 and 9 until the popups stop and the page loads.
  10. Click "Stop Tamper" and close the Tamper Data window.
  11. You should be on a page that tells you to enter your NetID and password, do so and hit OK.

Your computer should now be able to use ResNet normally.

Registering other devices

Your computer is registered via it's MAC address. This means that if you want to use ResNet with a device that can't run IDA, doesn't have a web browser, and is against IT policy *cough* wireless router *cough*, you can't. In theory.

The easy way of course, it to call up ITS and tell them your Xbox can't connect. They'll ask you for your Xbox's MAC address, you'll give them the router's MAC address, and they'll register it. Aside from lying to ITS being morally wrong, this works. However, I've heard complaints that devices registered via calling ITS have had their speed throttled. Throttling non-school-related devices on a school network makes sense, but I haven't seen any actual proof of this.

The better way of registering your other devices though, is to trick the registration server into thinking that your device is just a normal computer. Since computers are registered by their MAC addresses, you just need to register the MAC address of your device with the system.

The following steps will show you how to spoof your device's MAC address and register it from your computer.

  1. Find the MAC address of your device. It will probably be somewhere in the Advanced Options.
  2. Unplug your device from ResNet and plug in your computer.
  3. Open Control Panel, Network and Internet, Network Connections and note the name of your connection. Usually it's "Local Area Connection"
  4. Download and extract Macshift into a folder somewhere.
  5. Open a command prompt window in the Macshift folder.

  6. In the command prompt window type

    1
    macshift.exe -i "[connection name]" [device MAC address, no dashes]

    For example, if my device's MAC address was "00-11-22-33-44-55" and my connection name was "Local Area Connection", I would run

    1
    macshift.exe -i "Local Area Connection" 001122334455

  7. Wait until you have network access again and try to load a page. If everything went as planned, you should be seeing the ResNet quarantine page.

  8. Use the steps in the section above to register your computer again.

  9. Once you have ResNet access, go back to the command prompt and run

    1
    macshift.exe -i "[connection name]" -d

    This restores your MAC address back to it's original value.

Your device should now be able to use ResNet normally.

Disclaimer

All information above is provided for informational purposes only. I take no responsibility for the outcome of your actions. Furthermore, all information on IDA is based on experiences in 2009, It may have improved over time (ha).

Resolving Windows NetBIOS names in Linux

When accessing computers on a LAN, it's often useful to access them by name instead of IP. This is especially true when dealing with dynamic IP addresses.

In Windows, other Windows computer names are automatically resolved to an IP address. In most Linux distros however, this is not the case (by default).

To resolve Windows NetBIOS names in Linux, you'll need the winbind component of the Samba suite. Winbind allows a UNIX box to become a full member of an NT domain, giving the ability to resolve names from it.

Install winbind via your preferred package manager. For Debian and derivatives, the following should work. 

1
apt-get install winbind

Now that winbind is installed, the OS must be configured to use it when looking up hostnames. Open the file /etc/nsswitch.conf and add "wins" to the end of the line starting with "hosts:".

For example, the line in my file now looks like

1
hosts: files dns wins

Save the file and reboot to start the winbindd deamon.

To test if if worked, try pinging a computer on your LAN by name. For example:

1
2
3
4
5
$ ping windows-server
PING windows-server (192.168.0.107) 56(84) bytes of data.
64 bytes from 192.168.0.107: icmp_req=1 ttl=128 time=0.268 ms
64 bytes from 192.168.0.107: icmp_req=2 ttl=128 time=0.604 ms
64 bytes from 192.168.0.107: icmp_req=3 ttl=128 time=0.607 ms

© Carey Metcalfe. Built using Pelican. Theme is subtle by Carey Metcalfe. Based on svbhack by Giulio Fidente.