UDP tunneling is an attack that is often overlooked when manufacturers design wireless hotspots and other firewall/proxy-based devices.
When you try to resolve a domain name, you make a request to a name server on UDP port 53. The way a lot of wireless hotspots, firewalls and proxies work is that your DNS request is allowed out, you get the IP for the machine you're looking for, and then your request to that IP is redirected to the wireless hotspot login page, or through a web proxy server.
The problem is that all port 53 UDP traffic is allowed out to anywhere, without any kind of authentication. You can therefore install OpenVPN on a remote server, which by default listens on UDP port 1194. You can change this with one configuration option to 53, and then edit your client config to connect to the server on port 53 instead. Often, other TCP/UDP ports might be allowed out, and ICMP is also sometimes a possibility. As a worst case, it is possible to tunnel your data out over TCP, UDP or ICMP.
This type of attack worked on 5 out of 6 different wireless hotspot systems to gain access without authentication.
The one that it didn't work on captured all outbound UDP port 53 requests and silently redirected them to its own local DNS server. This is simple enough to do, so I'm not sure why more manufacturers haven't done the same. Using iptables:
${IPTABLES} -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-port 53
These are the same type of rules used to configure transparent proxying for Squid.
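An added example (not from the original post) of the detection side of this: a heuristic check, written here in Python, that flags UDP/53 payloads which do not parse as DNS messages, which is what an OpenVPN session moved to port 53 looks like on the wire. The sample flows are constructed.

```python
import struct

def _walk_name(payload: bytes, off: int) -> int:
    """Walk DNS labels from off; return the offset after the name, or -1 if malformed."""
    total = 0
    while off < len(payload):
        length = payload[off]
        if length == 0:                      # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes, ends the name
            return off + 2 if off + 1 < len(payload) else -1
        if length > 63 or total + length + 1 > 255:
            return -1                        # RFC 1035 label/name length limits
        total += length + 1
        off += 1 + length
    return -1                                # ran off the end before the root label

def looks_like_dns(payload: bytes) -> bool:
    """True if payload has a sane DNS header and every question section parses."""
    if len(payload) < 12:
        return False
    _, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0xF > 5:              # opcodes 6..15 are unassigned
        return False
    if qdcount == ancount == nscount == arcount == 0:
        return False                         # an empty message is neither query nor reply
    off = 12
    for _ in range(qdcount):
        off = _walk_name(payload, off)
        if off < 0 or off + 4 > len(payload):   # QTYPE and QCLASS must follow the name
            return False
        off += 4
    return True

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed minimal standard query for name (used only to build the sample flows)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def non_dns_on_53(flows):
    """flows: (src, dst, dport, payload). Return (src, dst) for port-53 payloads that are not DNS."""
    return [(s, d) for s, d, dport, p in flows if dport == 53 and not looks_like_dns(p)]

# Constructed sample flows: one real-looking query and two tunnel-shaped blobs.
SAMPLE_FLOWS = [
    ("10.0.0.5", "8.8.8.8", 53, build_query("login.example.com")),
    ("10.0.0.7", "203.0.113.9", 53, bytes.fromhex("38a1b2c3d4e5f60718293a4b5c6d7e8f")),
    ("10.0.0.7", "203.0.113.9", 53, bytes.fromhex("000101000001000000000000") + b"\x50" + b"A" * 20),
]
```

It only catches non-DNS bytes on port 53; a tunnel that wraps its data in valid DNS messages passes this check, so treat it as a complement to the redirect rule above rather than a replacement.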
Tags: 53, firewall, hotspot, iptables, openvpn, squid, transparent proxying, udp, udp tunneling
Full NAT (DNAT and SNAT), aka 1:1 NAT or 1-to-1 NAT: this is used when you want to map a dedicated external IP on an external interface to another IP on a separate interface, with everything routed between them.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -d ${EXTERNAL_IP} -j DNAT --to-destination ${INTERNAL_IP}
iptables -t nat -A POSTROUTING -o ${EXTERNAL_IF} -s ${INTERNAL_IP} -j SNAT --to-source ${EXTERNAL_IP}
route add -host ${EXTERNAL_IP} ${INTERNAL_IF}
arp -Ds ${EXTERNAL_IP} ${INTERNAL_IF}
Tags: dnat, iptables, nat, route, snat
Quite a while back, I posted an article: http://www.adamsinfo.com/extending-tc-and-iproute2-linux-routing-split-access-multiple-uplinks-multiple-isps-iptables-masquerading/
The article focuses on using the standard iproute2 tools to let the box balance traffic over multiple uplinks with multiple default routes. While relatively easy to set up, it has a few problems:
I’ve recently decided to give this a go in netfilter purely. My environment is a router with a number of LAN devices, with eth0 being the LAN interface (192.168.1.0/24), while eth1 and eth2 are separate ISP links with public IPs.
(more…)
Tags: balancer, connmark, conntrack, dnat, icmp, iproute2, iptables, load balancing, mark, netfilter, snat, split access, tcp, udp
Linux kernels now support encrypted filesystems. Setting one up should take 5 minutes, or 3 hours if you’re like me and can’t read.
Firstly, install the right tools: apt-get install cryptsetup
Make a new partition, and initialize it with: cryptsetup luksFormat /dev/sda3
Where /dev/sda3 is your newly created partition. Note that luksFormat takes no container name (its optional second argument is a key file); the name 'mycrypto' is given when the container is opened in the next step.
You will be prompted to type YES in uppercase to confirm your understanding that your partition is about to be wiped. If, like me, you type 'yes' in lowercase, it will fail with "Command Failed.". You'll then spend hours checking for loaded kernel modules, log files, and trawling Google for more information. The answer is to type 'YES' in uppercase as you're told.
Enter a passphrase, and you’re ready to go.
Next, 'open' the container with: cryptsetup luksOpen /dev/sda3 mycrypto
Enter the passphrase, and you should at this point end up with /dev/mapper/mycrypto.
Format it with your desired filesystem: mkfs.ext3 /dev/mapper/mycrypto
Then, you can mount /dev/mapper/mycrypto as you would any other block device: mount /dev/mapper/mycrypto /mnt/my_mount_point
To close the container:
umount /dev/mapper/mycrypto
cryptsetup luksClose mycrypto
Easy.
Tags: crypto, cryptsetup, Linux, luks, mount, umount
Having recently moved to a new apartment, one of the first things that I decided to do was build an RC entry system.
Here are some pictures:
[Two photos of the installed entry system hardware]
The black box at the top is a simple Velleman RC control kit and the black box below is a 240VAC->12VDC regulated converter. The Velleman RC receiver has two relays, one connected to an electric strike lock and the other connected over the button input in the entryphone which unlocks the main door.
On the RC transmitter there are two buttons, and as they are currently connected, one opens the main door and one unlocks the electric strike on the apartment door, with a 5 second timer on each.
This works well so far and I have paired the transmitters with the receiver so that default unpaired transmitters will not activate the relays. A few weeks on, having already locked myself out once, the next step is to extend this project.
I intend to have the RC transmitter connected separately to some embedded Linux board, probably the spare Alix and Phidgets boards I have from the robot I built a while ago. The Linux board will signal over a separate frequency to this door entry system, and will perform a variety of functions from logging entries to automated surveillance. Additionally, the Linux board will have net access and possibly run Asterisk, so I can either SMS my way in or call in to Asterisk and do some voice authentication. More to follow when I actually have time to get this done.
Tags: alix, asterisk, embedded linux, phidgets, rc transmitter, sms, velleman
Websites get hacked every day, customers' details get taken, and it's usually REALLY EASY to do. As a security consultant, I often get a call after a Google search turns up my details as the guy to contact when this happens.
Shameless plug: why not contact me BEFORE this happens for a FREE basic web scan.
Shameless plug over, why not consider some of the things that can be done to help prevent a website breach.
(more…)
Tags: Apache, backups, code, cookie, cross site scripting, htaccess, LAMP, logs, mod_security, MySQL, PHP, php security, rate limit, restrict limit, Security Consultant, session, sniffing, sql injection, website security scan, xss
As an embedded Linux programmer, I've had the opportunity to work on a number of different platforms, MIPS being one of my favorites.
There are a few general limitations that you'll find: you have limited CPU power, very little RAM, and for more advanced operations and optimizations your CPU will generally have a limited instruction set.
The usual good programming practices apply, but are of much greater importance. Specifically, don't allocate memory that you don't need, and don't put the CPU under undue stress with unnecessary or badly optimized loops. Taking C syntax and some pseudocode:
(more…)
Tags: assembler, embedded, loop, mips, optimize, x86
As a PHP programmer, there are a couple of things you can do quickly and easily to increase the security of your PHP installation.
Look into PHP's "safe mode" feature, ESPECIALLY if you're running a webserver that the general public can upload scripts to. Here you'll find a list of the functions disabled or restricted by safe mode. It is not strictly PHP's job to restrict these types of functions; however, unless you really know what you're doing, the list of functions restricted by safe mode is a good starting point for building secure applications. These are generally functions that allow file and directory manipulation, and socket manipulation. If it's not possible within your environment to disable them all, disable as many of these functions as possible. (Safe mode was deprecated in PHP 5.3 and removed in 5.4; on current PHP the equivalent control is the disable_functions directive in php.ini.)
Although not that common, if I’m writing an application that heavily relies on functions that manipulate directories or sockets, I’ll prefer to create a C daemon or similar to handle this side of things and simply use PHP to communicate with it. (more…)
Tags: cross site scripting, directory, error reporting, magic quotes, MySQL, mysql_real_escape_string, PHP, php security, safe mode, socket, sql injection, xss
Server management is one of the most basic requirements in maintaining a healthy server or cluster; however, it is often overlooked until something goes wrong. In its most basic form, server management involves:
Tags: housekeeping, server management
Often, when working with compromised machines as a security consultant, I find a malicious SSH binary. The malicious SSH binary generally logs all usernames, passwords and hosts connected to from the compromised machine, usually to a file in /tmp/. The attacker can then log back into the machine and collect this file at a later date.
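An added Python example (not the post's code) of two checks a responder can run on a suspected replaced SSH client: a digest comparison against a known-good manifest, and a scan of the binary's printable strings for a hard-coded log path under /tmp/. The manifest and both sample binaries are constructed.

```python
import hashlib
import re

# Constructed stand-in for a clean client and the manifest entry derived from it.
CLEAN_SSH = b"\x7fELF" + b"\x00" * 8 + b"ssh_connect\x00usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy]\x00"
KNOWN_GOOD = {"/usr/bin/ssh": hashlib.sha256(CLEAN_SSH).hexdigest()}

# Constructed stand-in for a trojaned client: same strings plus a log path in /tmp/.
TROJANED_SSH = b"\x7fELF" + b"\x00" * 8 + b"ssh_connect\x00/tmp/.xsess-log\x00usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy]\x00"

TMP_PATH = re.compile(rb"/tmp/[\w.\-]+")

def digest_matches(path, data, manifest=KNOWN_GOOD):
    """True if data hashes to the manifest entry for path (False when path is unknown)."""
    return manifest.get(path) == hashlib.sha256(data).hexdigest()

def printable_strings(data, minlen=4):
    """Rough equivalent of strings(1): runs of printable ASCII of at least minlen bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % minlen, data)

def tmp_paths(data):
    """Every /tmp/... path embedded in the binary; a stock ssh client has no reason to carry one."""
    found = set()
    for s in printable_strings(data):
        found.update(m.decode() for m in TMP_PATH.findall(s))
    return sorted(found)

def assess(path, data, manifest=KNOWN_GOOD):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not digest_matches(path, data, manifest):
        findings.append("digest does not match manifest")
    findings += [f"hard-coded path {p}" for p in tmp_paths(data)]
    return findings

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SSH), ("trojaned", TROJANED_SSH)):
        print(label, assess("/usr/bin/ssh", blob) or ["ok"])
```

On a real system the manifest comes from the package manager (debsums on Debian-family systems, rpm -V on RPM-based ones), and the checking tools should be run from trusted media, since a compromised host's own hashing utilities may have been replaced as well.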
(more…)
Tags: attacker, binary, hacker, libc, malicious, md5, Security Consultant, ssh