diggler
-
Posts
68 -
Joined
-
Last visited
Posts posted by diggler
-
-
Definitely interested in using fwknop. It just looked like a bitch to implement correctly. Would definitely use it if there was a tutorial. Cheers..
-
From creators of fwknop:
"> After weeks of reading about port knocking, security and its
> implications I went on a hunt to find the best tool for implementing
> 'secure' port knocking. I came across your website and tool, fwknop at
> http://www.cipherdyne.org/fwknop/. From what I have read I think it's
> the best possible tool. Obviously you're biased, but perhaps there's
> other options you've grown fond of as well?
I would say that the most interesting competing implementation is Moxie
Marlinspike's "knockknock". However, fwknop makes several design
decisions that are at odds with those made by knockknock, so the
solution you choose probably depends on which of these design decisions
you agree with. Here are a few decisions made by fwknop that are direct
opposites of those made by knockknock:
- fwknop does not require a heavyweight interpreter like perl or python
to be installed on the server (or the client).
- fwknop does not require trusting an IP address in the network header
(it is possible to mount a MITM attack against any SPA implementation
that does trust the source IP in the header vs. an IP that is
encrypted within the SPA payload - the later is what fwknop does with
-a or -R on the fwknop client command line).
- fwknop does not require root access on the client side because it
doesn't manipulate raw packet headers - this brings SPA functionality
to devices like the iPhone and allows any normal user to use it.
- fwknop does not require specialized logging support on the server
side, and a consequence is that it easily supports multiple firewalls
(it currently supports iptables, ipfw, and pf).
- fwknop is able to run on embedded systems.
- fwknop is scalable to lots of users.
> I write to you today because I'm attempting to implement fwknop on VPS
> powered Ubuntu servers, ranging from 10.10 to 12.04, for securing SSH
> (port 443) and a HTTP web gui (http://x.x.x.x:5000). I found a 'how
> to' guide (http://ubuntuforums.org/showthread.php?t=1926699) but
> haven't came across much else.
>
> Am I correct in assuming that what fwknop does (not how it works) is
> it essentially opens up the remote server port for a set period of
> time to allow for the normal operation of the services?
Yes, that is a fair description of how fwknop works. I might add that:
1) The opened port is only open for the specific IP that is encrypted
within the SPA packet
2) There are tricky ways to leverage NAT on iptables firewalls such that
connections to one port can be translated into actually accessing other
ports, and this can apply to connections both to the system where
fwknopd is running or connections through to other systems too.
> Do you have any recommendations or "setup guides" that may help me in
> my quest to setup fwknop securely? Do you have any scripts, or other
> recommendations that may make the process easier?
I'm working on this - there is some information on my blog, but it needs
to be extended."
From Moxie:
"
> - fwknop does not require a heavyweight interpreter like perl or python
> to be installed on the server (or the client).
This is probably the biggest difference. It seems fwknop considers this
a bad thing, where as I consider it a good thing.
Basically, I see the purpose of port knocking as protection against
network services written in "unsafe" languages like C. So naturally, I
don't want to replace them with... another network service written in an
unsafe language, using an enormous library written in an unsafe language
(libpcap).
knockknock is designed to be extremely simple, and not dependent on any
complex native code. It's just a small python script that tails a log
file -- can't get much safer than that."
-
I'm trying to "hide" the fact that SSH + deluge are running when port scanned. I think my options are I can firewall the server, open SSH port and keep it visible, and get to the deluge by going to localhost:8112 after a ssh -D $someport. Or, I can use knockknock and hide SSH and Deluge but need to keep 1outbound+1inbound tcp port open for deluge xfers (or use knockknock-proxy).
- Server(s) running Ubuntu 10.10 --> 12.04
- knockknock --> http://www.thoughtcr...are/knockknock/
- SSH
- deluge-torrent.org/
1. Has anyone on the forums attempted to setup port knocking with knockknock before?
2. Am I correct in assuming that it would be wise to NOT use UFW to configure my firewall and instead rely strictly on iptables? I believe this to be true because knockknock will need custom iptable entries to work.
3. SSH seems simple to think through. Knock on one port and connect. All Inbound+Outbound traffic flows over one port after the connection is established -- easy enough.
4. I threw in an application like Deluge because I can't get my head around the firewall logic. "deluged" runs as a local daemon on the server. Once a Torrent is added it needs two ports to operate (1 Inbound + 1 Outbound). "deluge-web --fork" is a web gui to add/remove Torrents. It runs on a separate port (8112 by default), for a total of three.
My best guess is to create a knockknock rule for the web gui (8112) and leave deluge's inbound (5000) + outbound (6000) ports open and standard SSH knockknock rule.
OR should I use the knockknock-proxy?
Can anyone contribute/comment on how this should be setup?
THANKS
-
Hi Jason,
Interesting reply. Thanks. I have a couple of questions from your post:
- I have the TOR browser bundle installed
- Am I correct in assuming that TOR (browser bundle) listens on local port 9050 for exactly these types of proxy situations without the need to configure/modify the TOR browser bundle? What we're doing is telling SSH to route its traffic to local port 9050, where TOR is listening, then forward traffic through TOR 80 HTTP or 443 HTTPS
- Is it then possible for me to run other applications, like 'Chicken of the VNC' through TOR as well? Do you know how this would be done?
*I think I can use this piece of software to accomplish my goal: http://code.google.com/p/torsocks/
**I think my best bet is to launch TOR through BT5, use VNC, and proxy chains... http://bent.latency.net/bent/git/goto-san-connect-1.85/src/connect.html
-
Hi All,
Scenario/Background:
I'm on a boat. We use VSAT + two year old Cisco router. Router has been locked down. The only ports open are 80 (http), 443 (https), 25 (mail), 3389 (RDP).
When travelling I used to be able to use OpenVPN (udp), PPTP VPN (tcp), or a socksified (-D) SSH connection to tunnel my traffic. That's no longer the case.
I borked my VPS server trying to get around the above stated issue. It's left me in a bit of a pickle.
I can use TOR to get to my VPS's CPANEL (control panel). I have to use a service like TOR, because the CPANEL is on a non-standard web port (5454).
I can't reinstall the server though. To do that I need to VNC to the VPS. I use 'Chicken of the VNC' which doesn't support proxying, like a web browser.
I've looked at a few options, like NoVNC, etc which are browser based HTML5 implementations of a VNC client but they rely on a companion server which my VPS is not running.
Any ideas? (1A) Help!
*I'm asking a friend to remotely reconfigure my server, and to run SSH on port 443 so I'll have SSH access and web proxying ability, but it has led me to even more questions. I hope that the firewall doesn't filter to the Layer 7 networking stack, otherwise I might need a better solution. What are some ways to accomplish this? (2A) Below is what I've found so far. Please help me add to the list of possibilites.
Is there a software solution (Mac OS X or Ubuntu) that allows a user to specify which application uses the socksified SSH connection (ex ssh -D 8080 username@y.y.y.y) on the local machine? (3A) It woud be ideal if an application could force traffic over the SSH connection. Example, tell 'Chicken of the VNC', Adium, etc to route through SSH without having to set a proxy in their individual preferences (most don't even have the option/ability).
Future Solutions
1B.
#Ubuntu wiki says this might be a problem on some VPS's - https://help.ubuntu....y/IptablesHowTo
#execute on remote server
iptables -t nat -I PREROUTING -p tcp -m conntrack --ctstate NEW -s x.x.x.x -d y.y.y.y --dport 443 -j REDIRECT --to-port 22
or
#execute on remote server
iptables -t nat -I PREROUTING --src x.x.x.x --dst y.y.y.y -p tcp --dport 443 -j REDIRECT --to-ports 22
sudo iptables -t nat -L -n -v
#execute on local machine in Terminal
ssh -p 443 -D 8080 username@y.y.y.y
2B.
http://www.thoughtcr...tware/firemole/
3B.
http://dag.wieers.co...http-tunneling/
*anyone know of a more current way to do this? (4A) software doesn't look like it's been updated since 2009
4B.
sudo nano /etc/ssh/sshd_config
change the line "Port 22" to "Port 443"
to save --> hit ctrl+o, then ctrl+x
sudo restart ssh
*how does encrypted web traffic (https 443) still work if SSH is now using port 443 on the VPS? (5A)
-
-
that's what aireplay does with the aircrack-ng suite of tools. the only way to crack WPA2 is to capture the handshake after a deauth and bruteforce it.... just use reaver now :)
Hi guys.
Just got this idea last night, so I didn't have time to check if it is really possible. But here it is:
Device 1 - Is there a "this and this" -network aroud?
Jasager - Here I am, connect to me!
---At this point.
what if we make jasager ask's for a password for "this and this", would device1 give up the password?
In my own little head, I think you could get any password to any wifi, even wpa-psk or wpa2. Just deauth the target
and ask the password. Couldt it be this simple?
Tell me what you think?
-
Problem with a "roll your own", is many people aren't competent enough to setup a server properly. Especially to disable all logs + enable encryption + keep box secure by configuring everything correctly. If there was a server ISO that I could install which was pre-configured to be a riseup.net functionality clone but hosted by myself, and all I would need to do is forward the correct domain info, I would be doing that in a heartbeat....
FYI, Moxie M, endorses the guys and the riseup.net project. I regard his comments and recommendations highly.
I wish riseup.net would move their colo from NY and Seattle to some offshore island...
I like riseup.net more for their 3mbit up/down OpenVPN that you get with an account. Very secure (not anonymous), but they don't keep logs. Don't use it to DL.
It was said before, email is shit and even if you do roll your own solution and are secure the other parties likely will not be. Thats why I like OTR over anything ATM. There is also a new service which looks interesting at pidder.com (Germans always build the coolest stuff :)
I trust riseup.net about as much as I would trust HideMyAss. Lets face it. Unless you roll your own solution, you are at the mercy of the service you use, no matter who it is.
-
I look at it from a different perspective. I don't want companies crawling my content to advertise to me, or creating a profile about my behaviour. I also don't want my e-mail provider to know where I log in from, or have a record of that. I get lazy and don't always TOR / VPN / SSH -D / etc, so I like services like riseup.net who don't keep records. They also strip header info.
People in our circles should use adium / pidgin and stick to OTR.
Yeah, but there in lies the catch 22. Contact with any other person, website, etc, makes you trackable. This is something you do on your own, with no other involvement from others. If people know you help you set up your email, that removes the anonymity. Thats kind of the funny thing about Anonymous and LulzSec. They are all tied to one another in some manner, ie: irc, email, websites, servers, TOR nodes and TOR websites, etc. And when they turn on each other, they can easily vet one another.
-
I can issue enough invites to get people accounts at riseup.net; if interested pm me...
Getting anonymous anything is getting harder these days. It really becomes a tangled web.
It really depends on what your ultimate goal towards anonymity is, are you trying to stop people from reading the contents of your mail? or tracking you down...
If is domestic spying your worried about, get an email abroad in a place that is not as likely to cooperate with the US, like China, or Pakistan, and have it forwarded to a middle man, a friendly nation less likely to raise flags, convoluted, but possible. The government is probably less interested in packets from Denmark, than...North Korea.
Still not truly anonymous. Public Wifi?, from a few blocks away with an Alfa? Of course you changed your MAC Address, and disguised your hardware flags and OS identifiers on your operating system. Not that it would matter, you're running a Live linux distro, with Full disk encryption of course, with a 64 char password...
-
Good Evenin'...
Caveat: I realize that this practice may be "un-safe" because you won't have a record for auditing your server incase of a breach
However, I have a few reasons for why I'd like to do this. An example of an e-mail/VPN provider who currently offers these (potential) advantages (riseup.net)
For setting up Debian (Ubuntu) based VPS server's can anyone provide expertise on how to anonymize SSH, or how to 'do-not-track' who comes and goes on the server, from which ever services may be logging this type of information (SSH, logrotate, etc). ex) no log files, no ip logging, etc
ex) if I run a command like 'who -H' it will list the users and their IP addresses connected to the box and store the list of whose come and gone; also when logging in, it shows from what IP the last user logged in
Any other expertise you can provide would be greatly appreciated.
Thanks,
diggs
-
For the real noobies you could add the LAN's DHCP address 192.168.1.100 showing the ICS to 172.16.42.42 adress as well
Made it in google docs lol.
Problem being I made it public to my album, but I couldn't get a direct link from google so I could directly link to the picture like you used to be able to do. Unless I just don't see how to do it?
-
Thanks for the response, much appreciated. That script IS bad ass. Now on to the next puzzle : /
Impatience can kill sometimes, but glad you got it sorted it.
-
IT WORKED! I let the script run for an hour and that seemed to do the trick. I guess I was just impatient. So strange though, because I couldn't see the hard-drive seeking or doing much of anything. UNREAL!
Are you able to change it manually from chan 1 to chan 11?
-
Before I saw your post I tried that tutorial manually (I had found it previously searching) and I get the following error... any ideas?
http://forums.hak5.org/index.php?showtopic=25385&st=0&p=194722&fromsearch=1entry194722
-
this looks promising:
[uPDATE]
nope, still hangs :(
Has anyone used or tried the drivers "Compat-wireless-aircrack-oneiric-patched" from http://www.janoweb.n...l#axzz1kKMpFEZR ?
When I run the fragment attack, in the aircrack-ng GUI gerix-wifi-cracker(Ubuntu 11.10), I get the error:"mon0 is on channel -1, but the AP uses channel 11"
I follow these directions for installing compat drivers:http://www.aircrack-...compat-wireless, but receive thiserror at step "sudo make install".
Install hangs at these lines:
"make[1]: Leaving directory `/usr/src/linux-headers-3.0.0-15-generic'
Updating Ubuntu's initramfs for 3.0.0-15-generic under /boot/ ..."
Does anyone have any tutorials for making this work? Everything i've tried on various forums isn't doing the trick.Thanks guys...
-
Has anyone used or tried the drivers "Compat-wireless-aircrack-oneiric-patched" from http://www.janoweb.n...l#axzz1kKMpFEZR ?
When I run the fragment attack, in the aircrack-ng GUI gerix-wifi-cracker(Ubuntu 11.10), I get the error:"mon0 is on channel -1, but the AP uses channel 11"
I follow these directions for installing compat drivers:http://www.aircrack-...compat-wireless, but receive thiserror at step "sudo make install".
Install hangs at these lines:
"make[1]: Leaving directory `/usr/src/linux-headers-3.0.0-15-generic'
Updating Ubuntu's initramfs for 3.0.0-15-generic under /boot/ ..."
Does anyone have any tutorials for making this work? Everything i've tried on various forums isn't doing the trick.Thanks guys...
-
rm xstartup to defaults and now get:
root@bt:~/.vnc# cat bt:1.log Xvnc Free Edition 4.1.1 - built Apr 9 2010 18:47:36 Copyright (C) 2002-2005 RealVNC Ltd. See http://www.realvnc.com for information on VNC. Underlying X server release 40300000, The XFree86 Project, Inc Sun Jan 22 16:31:49 2012 vncext: VNC extension running! vncext: Listening for VNC connections on port 5901 vncext: Listening for HTTP connections on port 5801 vncext: created VNC server for screen 0 error opening security policy file /etc/X11/xserver/SecurityPolicy Could not init font path element /usr/X11R6/lib/X11/fonts/Type1/, removing from list! Could not init font path element /usr/X11R6/lib/X11/fonts/Speedo/, removing from list! Could not init font path element /usr/X11R6/lib/X11/fonts/misc/, removing from list! Could not init font path element /usr/X11R6/lib/X11/fonts/75dpi/, removing from list! Could not init font path element /usr/X11R6/lib/X11/fonts/100dpi/, removing from list! Could not init font path element /usr/share/fonts/X11/75dpi/, removing from list! Could not init font path element /usr/share/fonts/X11/100dpi/, removing from list! Option "--login" is no longer supported in this version of gnome-terminal; you might want to create a profile with the desired setting, and use the new '--profile' option Window manager warning: Log level 32: could not find XKB extension.
-
I get an grey screen with error pop up that says "could not acquire name on session bus" + My error log shows:
root@bt:~/.vnc# cat bt\:1.log Xvnc Free Edition 4.1.1 - built Apr 9 2010 18:47:36 Copyright (C) 2002-2005 RealVNC Ltd. See http://www.realvnc.com for information on VNC. Underlying X server release 40300000, The XFree86 Project, Inc Sun Jan 22 16:15:55 2012 vncext: VNC extension running! vncext: Listening for VNC connections on port 5901 vncext: Listening for HTTP connections on port 5801 vncext: created VNC server for screen 0 error opening security policy file /etc/X11/xserver/SecurityPolicy Could not init font path element /usr/X11R6/lib/X11/fonts/Type1/, removing from list! Could not init font path element /usr/X11R6/lib/X11/fonts/Speedo/, removing from list! Could not init font path element /usr/X11R6/lib/X11/fonts/misc/, removing from list! Could not init font path element /usr/X11R6/lib/X11/fonts/75dpi/, removing from list! Could not init font path element /usr/X11R6/lib/X11/fonts/100dpi/, removing from list! Could not init font path element /usr/share/fonts/X11/75dpi/, removing from list! Could not init font path element /usr/share/fonts/X11/100dpi/, removing from list! gnome-session[26212]: WARNING: Failed to acquire org.gnome.SessionManager
-
I am going nuts! I've spent 4hrs googling and still can't make it work :(
I'm simply trying to remote desktop from a macbookpro with chicken vnc to, backtrack5 r1 running vnc4server.
I get the well documented grey screen of death and no matter what I try it doesn't work.
Can someone please share a tutorial on how to do this (with any remote desktop type software).
Thank you in advance (you're saving what little hair I have left GAH!)
-
That's interesting... thanks, I'll definitely be giving that a try.
Just as an aside, I've seen BackTrack, and Ubuntu, run dhclient on all the network adapters, even if you specify a single one. Easiest way around this is to give all your devices a static address.
-
why is that silly?
You can just use require('file.htm'); inside of an index.php
here's my setup:
index.php:
<?php $hhost = $_SERVER['HTTP_HOST']; if (strstr($hhost, "facebook.com")) require('facebook.htm'); elseif (strstr($hhost, "twitter.com")) require('twitter.htm'); ?>Then it's just a matter of modifying the htm files to load the css/image files from ./twitterfiles/ subfolders or what have you.
It makes it more clean to have the files in subfolders and to not have to rely on senseless redirecting. The referrer page will still be held in the HTTP_HOST environment variable.
(Of course this is just a hypothetical, no one would really want to use a jasager with facebook.com or twitter.com, that's just silly)
-
I noticed that error with "mon0: unknown hardware address type 803" too but it was never put in monitor mode : /
Take your adapter out of monitor mode.
-
BT5R1 is not supposed to connect to any internet connections on any wired or wireless adapters except the lo (loopback) by default - for privacy when beginning a pen test. When I boot my netbook (with both wifi adapters physically connected 1 internal / 1 physical connected to usb) it auto connects and both adapters join the nearby open wifi networks. It's a real pain the ass.
I'd just like to get that behavior to stop.
And I'd really like to know why dhclient wlan0 and iwconfig aren't working manually.
Telot has the 'dhclient wlan0" grabbing an IP manually in his script but i can't get mine to do the same...
not sure what you mean by auto connects both adapters to OPEN wifi networks.
if you are trying to setup a pineapple ICS setup. Connect to the internet serving WiFi with wicd, and plug in the lan card to the pineapple with a cable and manually ifconfig the static ip to that.
Setup ip forwarding and away you go.
For deauthing, just the other interface or the pineapple itself.
Hello... I Am Your Best Friend.. Remember?
in Security
Posted · Edited by diggler
I thought this was a good read. Attached the ebook too. Enjoy...
http://en.wikipedia....Robert_Cialdini
http://www.amazon.co...i/dp/0688128165
https://dl.dropbox.com/u/18742874/Influence%20%287Summits%29.pdf