UDP tunneling is an attack that is often overlooked when manufacturers design wireless hotspots and other firewall or proxy based devices.
When you try to resolve a domain name, you send a request to a name server on UDP port 53. Many wireless hotspots, firewalls and proxies work like this: your DNS request is allowed out, you get the IP address of the machine you are looking for, and your subsequent request to that IP is redirected to the hotspot login page or passed through a web proxy server.
The problem is that all UDP traffic to port 53 is allowed out to any destination, without any kind of authentication. You can therefore install OpenVPN on a remote server, which by default listens on UDP port 1194, change that port to 53 with a single configuration option, and edit your client config to connect to the server on port 53 instead. Often other TCP or UDP ports are allowed out as well, and ICMP is sometimes a possibility; tunneling your data out over TCP, UDP or, as a worst case, ICMP is not difficult.
This type of attack worked on 5 out of 6 different wireless hotspot systems to gain access without authentication.
The one it didn't work on captured all outbound UDP port 53 requests and silently redirected them to its own local DNS server. This is simple enough to do, so I'm not sure why more manufacturers haven't done the same. Using iptables:
${IPTABLES} -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
These are the same type of rules used to configure transparent proxying for Squid.
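Both halves of the scenario described above, as an added example that is not part of the original post: the OpenVPN server and client settings that move the tunnel onto port 53, and the hotspot-side iptables rules (the post's REDIRECT, plus the TCP 53 and FORWARD variants a careful hotspot also needs) that capture it. The interface name eth0 follows the post's rule; the host name vpn.example.org, the static-key mode and the 10.8.0.1/10.8.0.2 addresses are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Two halves of the port-53
# tunnelling problem:
#   1. the OpenVPN settings that move a tunnel onto UDP 53 (what a hotspot
#      has to expect to see), and
#   2. the hotspot-side netfilter rules that defeat it by forcing every client
#      DNS packet through the hotspot's own resolver, as the one resistant
#      hotspot in the post did.
# Assumed, not taken from the page: the client-facing interface is $LAN_IF
# (default eth0, as in the post's rule), a local resolver listens on port 53,
# the VPN endpoint is the placeholder name vpn.example.org, and the tunnel
# uses OpenVPN's static-key mode with a 10.8.0.1/10.8.0.2 point-to-point pair.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run the rules
LAN_IF="${LAN_IF:-eth0}"
VPN_HOST="${VPN_HOST:-vpn.example.org}"

# --- attacker side -----------------------------------------------------------

# server.conf: "port 53" is the single directive that replaces the default 1194.
openvpn_server_conf() {
    cat <<EOF
port 53
proto udp
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
keepalive 10 60
EOF
}

# client.conf: the matching change is the port number on the "remote" line.
openvpn_client_conf() {
    cat <<EOF
remote $VPN_HOST 53
proto udp
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
keepalive 10 60
EOF
}

# --- hotspot side ------------------------------------------------------------

# Rewrite every port-53 packet arriving from the LAN, whatever its destination,
# so it lands on the hotspot's own resolver. nat/PREROUTING runs before the
# routing decision, so the packet never leaves towards the remote "name
# server"; the OpenVPN client ends up talking to a resolver, which does not
# speak OpenVPN, and no tunnel comes up.
hotspot_dns_capture() {
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p udp --dport 53 -j REDIRECT --to-ports 53
    # DNS is also carried over TCP 53; without this line an OpenVPN server
    # configured with "proto tcp" on port 53 walks straight through.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 53 -j REDIRECT --to-ports 53
    # Defence in depth: if a port-53 packet ever escapes the redirect (a rule
    # inserted ahead of these, a missing nat table), refuse to forward it.
    $IPTABLES -A FORWARD -i "$LAN_IF" -p udp --dport 53 -j DROP
    $IPTABLES -A FORWARD -i "$LAN_IF" -p tcp --dport 53 -j DROP
}

# Only touch the live firewall when explicitly asked to.
if [ "${APPLY_HOTSPOT_RULES:-0}" = 1 ]; then
    hotspot_dns_capture
fi
```

Run it with IPTABLES=echo to see the rules without touching the firewall, and with APPLY_HOTSPOT_RULES=1 to install them; the REDIRECT lines need to come before any other PREROUTING rule that would ACCEPT or DNAT the same traffic. As the post itself points out, port 53 is only the most obvious hole: the same tunnel rides on any other port or protocol that is allowed out, so the durable fix is default-deny for unauthenticated clients, with only the portal and the hotspot's own resolver reachable.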
Tags: 53, firewall, hotspot, iptables, openvpn, squid, transparent proxying, udp, udp tunneling
Quite a while back, I posted an article: http://www.adamsinfo.com/extending-tc-and-iproute2-linux-routing-split-access-multiple-uplinks-multiple-isps-iptables-masquerading/
The article focuses on using the standard iproute2 tools to let the box balance traffic over multiple uplinks with multiple default routes. While relatively easy to set up, it has a few problems:
I've recently decided to give this a go purely in netfilter. My environment is a router with a number of LAN devices, with eth0 being the LAN interface (192.168.1.0/24), while eth1 and eth2 are separate ISP links with public IPs.
(more…)
Tags: balancer, connmark, conntrack, dnat, icmp, iproute2, iptables, load balancing, mark, netfilter, snat, split access, tcp, udp
nmap is one of the most useful tools for a security consultant in a penetration testing engagement. It has a massive range of options, and only the most basic will be considered in this tutorial.
It goes without saying that nmap should only be run against IPs and ports you have been authorised to test. Here goes:
(more…)
Tags: daemon, ethernet, firewall, frame, ftp, header, ids, IP, mangle, nmap, paket, pen test, pen testing, penetration testing, POP3, port, security, Security Consultant, security consulting, socket, tcp, timing, udp
PHP comes with a good set of socket handling functions. Using fsockopen to make HTTP connections is in most cases obsolete, however, as php-curl and the curl function set cover more HTTP related functionality than you could ever need. fsockopen is available in both PHP4 and PHP5.
Regardless, to cover the most basic usage of fsockopen, here is how to establish a TCP connection to "mailserver" on port 110 (POP3):
(more…)
Tags: fsockopen, http, PHP, php4, php5, SSL, tcp, tls, udp
I wrote this article some time ago, but thought I’d publish it here for reference.
This text is dual licenced under the GFDL and GPL
There are two well-known versions of netcat. The version used here is the original Avian Research version, not the newer GNU release.
Contents:
- Netcat Basics
- What is Netcat?
- Netcat Syntax
- Netcat Installation
- What are the most basic uses?
- Simple File Transfer
- Tar
- UDP
Tags: advanced uses, command prompt, command shell, cryptcat, inetd, internetworking, ipv6, Linux, nc, nc11nt, netcat, netcat installation, netcat syntax, networking, proxy, proxying, scanning, simple file transfer, socket, spoofing, syslogd, tar, tcp, udp, windows
OpenVPN is a popular VPN server/client pair for Windows and Linux. There is a separate GUI available for it if you're so minded; this howto covers command line usage only.
I'll provide example configuration based on a Linux server and a Windows client, though the same applies easily enough if you want to mix and match.
On Debian, run apt-get install openvpn. On any other Linux distro, use its package manager, or download the source and compile it yourself.
(more…)
Tags: 10.8.0.1, 10.8.0.2, apt-get, client, compile, compression, daemon, daemonize, debian, default gateway, distro, established, forward, generate, interface, IP address, iptables, ip_forward, keepalive, Linux, linux server, masquerade, nat, openvpn, package manager, ping, related, remote, route, route add, route delete, route print, routing, secret key, server, source, tap, tcp, tcpdump, traffic, tun, udp, VPN, vpn client, vpn server, windows, windows client