October 24, 2014
It got fixed with Ubuntu 14.04 but 12.04 is still supported and many people are still using 12.04 and even with the OpenSSL package update (2014-10-02) TLS 1.2 is not enabled by default. Take a look at this bug report and the statement from Marc Deslauriers (Ubuntu Security Engineer):
That USN doesn’t re-enable TLSv1.2 by default for clients in Ubuntu 12.04. It simply fixes an issue if someone _forced_ TLSv1.2 to be enabled.
You’re asking why we got into that problem in the first place … Marc tells us also this:
Ubuntu 12.04 contains openssl 1.0.1, which supports TLS v1.2. Unfortunately, because of the large number of sites which incorrectly handled TLS v1.2 negotiation, we had to disable TLS v1.2 on the client.
So someone thought again he is smarter than the OpenSSL guys … but this was not the first time …. lets remember this “optimization” of OpenSSL by the Debian guys .. could they please clean up their mess and enable TLS 1.2 by default as in 14.04?
October 12, 2014
At the Black Hat conference this year researchers from Berlin-based Security Research Labs (SRLabs) showed an attack method they called “BadUSB“, which allowed them, with manipulated USB device firmwares (e.g. from a USB Stick), to simulate an keyboard. With this keyboard they executed commands on the victims computer without he/she knowing it. The victim just inserted a USB stick to copy some data …. but the new keyboard executes some commands in the background.
To protect yourself against such an attack the computer needs to configured in a way that it does not bind any newly added device as new keyboard without asking the user. For Linux there is a kernel feature starting with 2.6.13-rc3 ( = since 2005) which allows to bind and unbind drivers from devices manually from user space. More information can be found on this topic here and here. And this blog post from Christian Vogel shows how to use it against BadUSB. What is currently missing is a simple GUI program which allows you to allow/deny devices with on click.
On the Windows site there is already such a program. This freeware program is made by the German security vendor (e.g. anti virus software) G DATA and is called “G DATA USB KEYBOARD GUARD” and can be downloaded from here. After installing you’ll be prompted following screen if a new keyboard is inserted.
It would be nice if the various desktop environments on Linux add a similar feature … the kernel support is there already.
October 6, 2014
I found a small program called Lynis, which does a system check of your Linux and Unix System. From the homepage:
Lynis is an open source security auditing tool. Primary goal is to help users with auditing and hardening of Unix and Linux based systems. The software is very flexible and runs on almost every Unix based system (including Mac). Even the installation of the software itself is optional!
To test a system is really easy, just download the tar.gz from here and extract the tar as root (otherwise it will complain) and change into its directory and call
for the interactive mode (waits after each section) or
for the quick mode which only logs the results to the log file. In both cases the log is written to
For the following screenshots a I did setup a test system with some changes to show you some errors and warnings :-):
and at the end you get a summary with entries like this:
And you’ll get also a “Hardening index” which allows you to compare various systems against each other.
I you want to check multiple systems it it also possible to create an rpm file with the
lynis.spec file from the Lynis homepage. You should run this software every time you setup a new system to make sure that you didn’t leave the big whole open.
September 17, 2014
For some time now I wondered why I had such a high CPU load while watching e.g. YouTube videos, even if I’ve a Nvidia GeForce GTX 760 in my PC. Ok thats not the latest card, but normal HD video should be accelerated with it also. 20% CPU load on my modern CPU is too much for a simple YouTube video:
The solution is quite easy – the flash player has disabled the hardware acceleration by default. Following steps need to be done to enable it – as I only have an Nvidia card I was only able to test it for it, but looking around I found some tips for the other cards too.
- Check if you’ve
libvdpau1installed. On Ubuntu its done like this:
# dpkg -l | grep vdpau
ii libvdpau1:amd64 0.7-1 amd64 Video Decode and Presentation API for Unix (libraries)
- You need a fitting graphics card driver:
- Nvidia: Nouveau and Closed Source driver should work
- AMD Radeon: You need the Mesa projects drivers (r300g, r600g or radeonsi)
- Intel: You need also following library/packaged installed:
libvdpau-va-gl1(as Intel supports only the libva interface for video acceleration)
- You need (most likely) to create following file
/etc/adobe/mms.cfgwith following content. It is possible that the directory and file exists in this case add the lines:
- Now you need to make sure that the player is not running anymore:
# ps aux | grep plugin-containe
robert 8246 0.1 0.9 798312 153260 ? Sl Sep16 0:57 /usr/lib/firefox/plugin-container /usr/lib/flashplugin-installer/libflashplayer.so -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 7066 true plugin
# kill 8246
- Now open the YouTube page again you tried before and top should show following – under 10% CPU Load, thats better.
August 10, 2014
For readers with their own mail server (or if you want to check what your provider is doing) – verify that your mail server accepts encrypted communication and that PFS is enabled. Just click on this link and enter the domain name to test. Some big players goof there …. It should at least look like in the screen shot. DANE would be cool, but that’s not that easy at this point as you need a working DNSsec DNS server, which not all registrars provide. Sure you can host your own authoritative DNS servers but that is work …
ps: send also a mail to [email protected] to check if sending mails is also encrypted. It should look like this:
August 1, 2014
In the last days I encountered a problem with the DNS resolution by our Linux systems – must be there for a long time but it took a deep look into a different performance problem to get this one figured out. I did a simple wget to a HTTP site in the same data center and it took sometimes 5 seconds to get DNS name resolved to an IP address. As a network guy I launched tcpdump at once and did see following packets:
10:59:19.264987 IP LinuxClient.51463 > WindowsDnsServer.domain: 57223+ A? xxxx.penz.name. (35)
10:59:19.265056 IP LinuxClient.51463 > WindowsDnsServer.domain: 26702+ AAAA? xxxx.penz.name. (35)
10:59:19.265700 IP WindowsDnsServer.domain > LinuxClient.51463: 26702* 0/1/0 (103)
10:59:24.269981 IP LinuxClient.51463 > WindowsDnsServer.domain: 57223+ A? xxxx.penz.name. (35)
10:59:24.270303 IP WindowsDnsServer.domain > LinuxClient.51463: 57223* 1/0/0 A 10.10.xxx.xxx (51)
10:59:24.270370 IP LinuxClient.51463 > WindowsDnsServer.domain: 26702+ AAAA? xxxx.penz.name. (35)
10:59:24.270557 IP WindowsDnsServer.domain > LinuxClient.51463: 26702* 0/1/0 (103)
As you see the first A query gets not answered but the AAAA does. I changed to an other DNS server (first Windows 2008 R2 and the second Windows 2012 R2) but with the same results. I did tests with RHEL6/Centos6 and Ubuntu 14.04 .. no difference. As a next step I talked with the Windows guys to look at the Windows 2012 R2 DNS server. They did a packet capture and saw that the Windows server did not send that packet, but a DNS Debug log showed that the DNS server it self did answer it. I than called wget with the “–inet4-only” option, which made sure that only a A query was sent and I was not able to reproduce the problem. So it must be something with the second packet.
Getting a tip from a fellow network admin who said I should look at the source port of the packets I did so. The UDP source ports of the A and AAAA were the same and it looked like that the Linux system gets an answer if the A query is answered before the AAAA arrives on the Windows Server. The next step was to look for a way to change that behavior on the Linux side, which looked to me easier than to change something on the Windows site.
Following resolv.conf option looked promising:
single-request-reopen (since glibc 2.9)
The resolver uses the same socket for the A and AAAA requests. Some hardware mistakenly sends back only one reply. When that happens the client system will sit and wait for the second reply. Turning this option on changes this behavior so
that if two requests from the same port are not handled correctly it will close the socket and open a new one before sending the second request.
And yes – that was the solution. On every system I added
/etc/resolv.conf the problem went away. For systems which generate the
resolv.conf automatically (like Ubuntu 14.04), which you can check by
lrwxrwxrwx 1 root root 29 Mai 26 12:35 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
you should add the line to
/etc/resolvconf/resolv.conf.d/base instead and call
sudo resolvconf -u afterwards.
All together this problem took me many hours to find and I didn’t find anything on the net .. so I thought a post may help other poor admins.
July 12, 2014
Sometimes you need to execute various commands on a Mikrotik automatically from a Server. Surely it is possible to store the password in the script, but there is a better way – it is called Public Key authentication for SSH. Basically a pair of files is generated and the public one is copied to the Mikrotik and the private key stays on the PC. If you encrypt this key on the PC (which is useful if not a script does use it but a person) you get a 2-factor authentication. An attacker needs that private file and the password to decrypt it to administer the router. There are two types supported by SSH RSA and DSA. RSA is more commonly used but Mikrotik does only support DSA so we need to create a DSA key pair.
The first step is to generate the key pair as the user on the Linux system which is than used to access it. If it is a script it maybe a separate user just for this purpose is a good idea.
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/<user>/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
If you just press enter on the file question, the default one will be used. If you want to use some separate directory that’s fine, you just need to provide the location later at the ssh call. If you press just enter for the passphrase the private key will not be encrypted. Now we copy the public key (
.pub extension) to the Mikrotik:
scp /home/<user>/.ssh/id_dsa.pub [email protected]:
And after that we need to import the key. If we choose the user admin, which we use our self to login, no password login will be possible anymore for that user. So if you don’t like that you should create a special user for the script. As my script needs only to read stuff I’m okay with the group “read” and create a user like this:
/user add name=scriptUser group=read comment="user for our readonly scripts" disabled=no
Now we import that public key to the scriptUser with following command:
/user ssh-keys import public-key-file=id_dsa.pub user=scriptUser
We’re done .. just testing is open …. if you used not the default directory to store the key files you need to provide them via the
-i parameter, if its the default location you don’t need to provide it. This command logs into the router and gets you some basic data without entering a password.
$ ssh -i <pathTo/id_dsa> scriptUser@
xxx.xxx.xxx.xxx “/system resource print”
You should also try to login as this user without the key file (e.g. from an other computer) and it should not be possible.
June 29, 2014
Just got a Microsoft Outlook .msg file and I needed to convert it to something I could read on the console. Its quite simple to convert it to a normal MIME mail .. here for Ubuntu 14.04 but it should be as simple on other distributions:
sudo apt-get install libemail-outlook-message-perl libemail-localdelivery-perl
perl msgconvert.pl filename.msg
the result file name is
June 26, 2014
This article shows you how to intercept and analyze HTTPS traffic. This of course only works if you can add your CA to the client system or the client system does not check the key chain. But you would not believe how many clients, specially embedded devices and mobiles apps don’t check it. The software I use in this post is the Free version of the Burp Suite – from the homepage of the Burp Suite:
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
As it is written in Java it is really easy to install and run. Just these 3 commands
sudo apt-get install openjdk-7-jre
sudo java -jar -Xmx2g burpsuite_free_v1.6.jar
sudo for the Java process as it needs in my cases to listen on ports lower than 1024 and this requires root permissions. After entering the last command and accepting the EULA you get following window:
Now go to the Proxy | Intercept tab and click onto “Intercept is on” button to disabled it. Otherwise you’ll need to acknowledge every request.
The proxy is already running but only on localhost, we need it to listen on all to look at traffic from other devices.
And in this case I want to see the traffic to a specific host from my mobile, so I set Burp to port 443 and to invisible mode and define a redirect IP address (the original host IP address).
After this, you only need to set on my local DNS Server the wished host name to my desktop IP address and the traffic runs over it and if the client accepts the faked certificate you can look at the traffic. Which looks e.g. like this:
For other devices or requirements it is also possible to use Burp as a HTTP Proxy, just configured it on the client. ARP spoofing is also an idea…..
June 1, 2014
Trafr is a program from Mikrotik which receives mirrored traffic from Mikrotik RouterOS systems. The linked blog article shows how to use it with Wireshark. This blog article shows how to get it working if you have following problem:
drwxr-xr-x 2 root root 4096 Jun 1 13:59 ./
drwxr-xr-x 10 root root 4096 Jun 1 12:09 ../
-rw-r--r-- 1 root root 2629 Jun 1 13:53 trafr.tgz
root@nids:/usr/local/bin# tar xzf trafr.tgz
drwxr-xr-x 2 root root 4096 Jun 1 13:59 ./
drwxr-xr-x 10 root root 4096 Jun 1 12:09 ../
-rwxr-xr-x 1 1003 root 4764 Mär 17 2004 trafr*
-rw-r--r-- 1 root root 2629 Jun 1 13:53 trafr.tgz
-bash: ./trafr: No such file or directory
The problem is that the
trafr program is a 32 bit application and you’re trying this on a 64bit OS without 32bit compatibility libraries. To verify that you can use following command:
./trafr: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.0, stripped
On Ubuntu 14.04 you can that simple by doing following:
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386
and you get
usage: trafr <file | -s> [ip_addr]
-s write output to stdout. pipe it into tcpdump for example:
./trafr -s | /usr/sbin/tcpdump -r -
ip_addr use to filter one source router by ip address
For older Ubuntu Version following helps (didn’t check at which version it changed):
apt-get install ia32-libs
For other distribution its similar. e.g. for CentOS6 or RHEL6 its
sudo yum install glibc.i686