US-CERT releases virtual appliance for MitM attacks

August 24, 2014

Some time ago I wrote a blog post on Burp as a MitM Proxy (Man-in-the-Middle) – now there is for some purposes an even easier way. The US-CERT has released the first version of a virtual appliance with the name Tapioca (Transparent Proxy Capture Appliance). With it, it is easy to check if programs don’t do certificates validation correctly. I really recommend to try it out! Some areas that are often good for a bad implementations are: mobile apps, hardware and embedded devices and generally stuff that needs a high domain specify know how and that often goes with less software engineering know how. ;-)

Check if your mailserver is encrypting SMTP to/from other mail servers

August 10, 2014

For  readers with their own mail server (or if you want to check what your provider is doing) – verify that your mail server accepts encrypted communication and that PFS is enabled.  Just click on this link and enter the domain name to test. Some big players goof there ….  It should at least look like in the screen shot. DANE would be cool, but that’s not that easy at this point as you need a working DNSsec DNS server, which not all registrars provide. Sure you can host your own authoritative DNS servers but that is work …

mail_tls

ps: send also a mail to [email protected] to check if sending mails is also encrypted. It should look like this:

mail_out

My first IPv6 problem – multihoming my home network without NAT

Today I ran into my first IPv6 problem … all was easy so far for some years .. just configured it and it worked … but this weekend I deployed a second Internet connection for my home. With IPv4 and masquerading the internal IP addresses to the one provider-given IP addresses I was able on the router to configure which traffic goes out over which provider. If one provider fails the route is withdrawn and all goes over the other link. But now comes IPv6 and it is not that easy anymore, as my router does not support IPv6 NAT. The problem is described in detail in this nice blog post by Ivan Pepelnjak.

My router is able to do VRF (Virtual Routing and Forwarding) also for IPv6 (at least the documentation says so .. didn’t try it so far). So the “best” option for me seems to advertise both subnets the providers gave me to the clients  and route source based to the providers. Without VRF I would be depended that the providers don’t do a RPF (Reverse Path Forwarding) check, which is also not a good idea. But this leads to the problem that the end device decides which uplink it uses, which is most likely not the one I would choose ….

An other idea was to use one of my servers in a data center to tunnel the traffic through. Basically running two IP tunnels from my router to the server (one via each provider) and using IP addresses that are routed from the Internet to the server. But this is also not a good solution.

Anyway I don’t have good solution so far, maybe one of my readers does.

 

Slow DNS resolving with Linux systems against Windows DNS server

August 1, 2014

In the last days I encountered a problem with the DNS resolution by our Linux systems – must be there for a long time but it took a deep look into a different performance problem to get this one figured out. I did a simple wget to a HTTP site in the same data center and it took sometimes 5 seconds to get DNS name resolved to an IP address. As a network guy I launched tcpdump at once and did see following packets:

10:59:19.264987 IP LinuxClient.51463 > WindowsDnsServer.domain: 57223+ A? xxxx.penz.name. (35)
10:59:19.265056 IP LinuxClient.51463 > WindowsDnsServer.domain: 26702+ AAAA? xxxx.penz.name. (35)
10:59:19.265700 IP WindowsDnsServer.domain > LinuxClient.51463: 26702* 0/1/0 (103)

10:59:24.269981 IP LinuxClient.51463 > WindowsDnsServer.domain: 57223+ A? xxxx.penz.name. (35)
10:59:24.270303 IP WindowsDnsServer.domain > LinuxClient.51463: 57223* 1/0/0 A 10.10.xxx.xxx (51)
10:59:24.270370 IP LinuxClient.51463 > WindowsDnsServer.domain: 26702+ AAAA? xxxx.penz.name. (35)
10:59:24.270557 IP WindowsDnsServer.domain > LinuxClient.51463: 26702* 0/1/0 (103)

As you see the first A query gets not answered but the AAAA does. I changed to an other DNS server (first Windows 2008 R2 and the second Windows 2012 R2)  but with the same results. I did tests with RHEL6/Centos6 and Ubuntu 14.04 .. no difference. As a next step I talked with the Windows guys to look at the Windows 2012 R2 DNS server. They did a packet capture and saw that the Windows server did not send that packet, but a DNS Debug log showed that the DNS server it self did answer it. I than called wget with the “–inet4-only” option, which made sure that only a A query was sent and I was not able to reproduce the problem. So it must be something with the second packet.

Getting a tip from a fellow network admin who said I should look at the source port of the packets I did so. The UDP source ports of the A and AAAA were the same and it looked like that the Linux system gets an answer if the A query is answered before the AAAA arrives on the Windows Server. The next step was to look for a way to change that behavior on the Linux side, which looked to me easier than to change something on the Windows site. ;-)

Following resolv.conf option looked promising:

single-request-reopen (since glibc 2.9)
The resolver uses the same socket for the A and AAAA requests. Some hardware mistakenly sends back only one reply. When that happens the client system will sit and wait for the second reply. Turning this option on changes this behavior so
that if two requests from the same port are not handled correctly it will close the socket and open a new one before sending the second request.

And yes – that was the solution. On every system I added

options single-request-reopen

to the /etc/resolv.conf the problem went away. For systems which generate the resolv.conf automatically (like Ubuntu 14.04), which you can check by

ll /etc/resolv.conf
lrwxrwxrwx 1 root root 29 Mai 26 12:35 /etc/resolv.conf -> ../run/resolvconf/resolv.conf

you should add the line to /etc/resolvconf/resolv.conf.d/base instead and call sudo resolvconf -u afterwards.

All together this problem took me many hours to find and I didn’t find anything on the net .. so I thought a post may help other poor admins. ;-)

Start securing your debit cards and why you should do it

July 18, 2014

Many people got new debit cards (called “Bankomatkarte in Austria) from the various bankings institutes in the last months and years. Many cards are PayPass enabled for wireless money transactions. PayPass is based on NFC, which is also integrated in some of the modern smart phones. The default setting is that five 25 Euro transactions can be done without entering a PIN. So a possible damage can be up to 125 Euro. You’ll verify if your debit card supports that standard by checking it has PayPass printed on it.

paypass

Picture: Maestro PayPass

But I’ve seen some cards with only this symbol (at least on the front side):

paypass2

Anyway in therapy the card needs to be within 10cm of the reader and therefore an attack is not that easy. But already at Defcon 20 in 2012 Eddie Lee presented the possible of a NFCProxy which allows to misuse a card. The attack setup looks like this:

nfcproxy

Picture: Eddie Lee @ Defcon 20

So this allows following attack vector. You’re standing in a crow or in a line and have your debit card in your back pocket. One of the attacker stands behind you …. and the other  can be e.g. hundred meters away (only limited by the delay and reach of the network connection). They will be able to get your money with much less risk than with pocket picketing. And to make it even better – you can download the App for Android as an .apk file, ready to install and use, from Sourceforge.

So now you know of the problem, what can you to mitigate that problem?

  1. If you don’t need that feature at all, try to talk to your bank to disable that function. Some will do it for free, others will charge you. Some banks allow to you to choose if you want one with or without at renewal of your card.
  2. You basically like the feature, but you would like to have more control over it – thats also possible:
    1. Search for RFID/NFC blocking sleeves for credit card or payment cards
    2. You can get also wallets with RFID/NFC blocking feature … but currently they look not that great .. at least the ones I found

 

 

Access Mikrotik Router OS via SSH Public Key authentication

July 12, 2014

Sometimes you need to execute various commands on a Mikrotik automatically from a Server. Surely it is possible to store the password in the script, but there is a better way – it is called Public Key authentication for SSH. Basically a pair of files is generated and the public one is copied to the Mikrotik and the private key stays on the PC. If you encrypt this key on the PC (which is useful if not a script does use  it but a person) you get a 2-factor authentication. An attacker needs that private file and the password to decrypt it to administer the router. There are two types supported by SSH RSA and DSA. RSA is more commonly used but Mikrotik does only support DSA so we need to create a DSA key pair.

The first step is to generate the key pair as the user on the Linux system which is than used to access it. If it is a script it maybe a separate user just for this purpose is a good idea.

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/<user>/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
.....

If you just press enter on the file question, the default one will be used. If you want to use some separate directory that’s fine, you just need to provide the location later at the ssh call. If you press just enter for the passphrase the private key will not be encrypted. Now we copy the public key (.pub extension) to the Mikrotik:

scp /home/<user>/.ssh/id_dsa.pub [email protected]:

And after that we need to import the key. If we choose the user admin, which we use our self to login, no password login will be possible anymore for that user. So if you don’t like that you should create a special user for the script. As my script needs only to read stuff I’m okay with the group “read” and create a user like this:

/user add name=scriptUser group=read comment="user for our readonly scripts" disabled=no

Now we import that public key to the scriptUser with following command:

/user ssh-keys import public-key-file=id_dsa.pub user=scriptUser

We’re done .. just testing is open …. if you used not the default directory to store the key files you need to provide them via the -i parameter, if its the default location you don’t need to provide it. This command logs into the router and gets you some basic data without entering a password.

$ ssh -i <pathTo/id_dsa> scriptUser@xxx.xxx.xxx.xxx “/system resource print”

You should also try to login as this user without the key file (e.g. from an other computer) and it should not be possible.

How to configure SNMPv3 securely on Extreme Networks XOS

July 11, 2014

In two of the last posts I wrote about configuring SNMPv3 securely for Linux and Mikrotik RouterOS. This time I’ll show the configuration for Extreme Networks XOS. Its quite easy and supports more encryption algorithm and options than e.g. Mikrotiks RouterOS. To allow SNMPv3 access we only need these commands – as I use SNMP only for reading, I’ll create a readonly user:

config snmpv3 add user snmpv3ro authentication sha XXXXXXXXXX privacy aes XXXXXXXXXX
config snmpv3 add group snmpv3group user snmpv3ro sec-model usm
configure snmpv3 add access snmpv3group sec-model usm sec-level priv read-view defaultAdminView write-view None notify-view None

If we want to disable a previously configured SNMPv1 or v2c access type following:

disable snmp access snmp-v1v2c

If you want also SNMPv3 traps you need this command:

configure snmpv3 add target-addr snmpv3Target param snmpv3Params ipaddress transport-port 162 tag-list defaultNotify

Hint: You can/should also add from or vr entries depending on your switch config

Some addition ways so secure your SNMP:

  1. You can specify in which virtual router instance the SNMP is reachable with following commands:
    disable snmp access vr all
    enable snmp access vr vrMgmt

  2. And you can also configure ACLs which defines from which IP addresses it is possible to access the SNMP service with following command:configure snmp access-profile snmpACL readwrite

    You need to create following file first with vi snmpACL.pol:

    entry allow_subnet_1 {
    if match all {
    source-address 10.x.x.0/24;
    }
    then {
    permit;
    }
    entry allow_subnet_2 {
    if match all {
    source-address 10.y.y.0/24;
    }
    then {
    permit;
    }

Howto convert Outlook .msg files to normal MIME mails

June 29, 2014

Just got a Microsoft Outlook .msg file and I needed to convert it to something I could read on the console. Its quite simple to convert it to a normal MIME mail .. here for Ubuntu 14.04 but it should be as simple on other distributions:

sudo apt-get install libemail-outlook-message-perl libemail-localdelivery-perl
wget http://www.matijs.net/software/msgconv/msgconvert.pl
perl msgconvert.pl filename.msg

the result file name is filename.msg.mime.

Android Devices send many Multicast Packets per Second for Chromecast – How to disable it?

June 28, 2014

While tracing/sniffing for something, I mirrored all packets of my mobile phone to Wireshark and I was was really astonished  to see many multicast DNS requests (_googlecast._tcp.local) from my mobile …

googlecast

As you see, these are more than 15 packets per second, which leaded at once to following 3 thoughts:

  • That can’t be good for the battery
  • The mobile is sending this surely not only in my home network but also in hotspot networks … I don’t like that for security/privacy reasons (specially what happens if the phone gets an answer and maybe sends more info about itself)
  • I’m not using Chromecast anywhere

Which leaded at once to the question:

  • How can I disable this?

So I went on a search trough the Internet …. but I was not able to find a solution. So the question to the community .. has someone an idea how I can disable that?

ps: I found only one guy asking the same question in the xda developers forum

 

Howto install and use the Burp Suite as HTTPS Proxy on Ubuntu 14.04

June 26, 2014

This article shows you how to intercept and analyze HTTPS traffic. This of course only works if you can add your CA to the client system or the client system does not check the key chain. But you would not believe how many clients, specially embedded devices and mobiles apps don’t check it. The software I use in this post is the Free version of the Burp Suite – from the homepage of the Burp Suite:

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Installation

As it is written in Java it is really easy to install and run. Just these 3 commands

sudo apt-get install openjdk-7-jre
wget http://portswigger.net/burp/burpsuite_free_v1.6.jar
sudo java -jar -Xmx2g burpsuite_free_v1.6.jar

I use sudo for the Java process as it needs in my cases to listen on ports lower than 1024 and this requires root permissions. After entering the last command and accepting the EULA you get following window:

burp

Now go to the Proxy | Intercept tab and click onto “Intercept is on” button to disabled it. Otherwise you’ll need to acknowledge every request.

intercept

The proxy is already running but only on localhost, we need it to listen on all to look at traffic from other devices.

burp_interfaces

And in this case I want to see the traffic to a specific host from my mobile, so I set Burp to port 443 and to invisible mode and define a redirect IP address (the original host IP address).

burp_redirect

After this, you only need to set on my local DNS Server the wished host name to my desktop IP address and the traffic runs over it and if the client accepts the faked certificate you can look at the traffic. Which looks e.g. like this:

burp_history

For other devices or requirements it is also possible to use Burp as a HTTP Proxy, just configured it on the client. ARP spoofing is also an idea…..

 

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 21 queries. 0.175 seconds.