Archive for the ‘Tools’ Category

Secure remote packet capture and analysis with Wireshark, netcat and SSH

Saturday, November 14th, 2009

I was looking for a reliable way to use Wireshark to monitor (sniff) traffic on several of my remote servers.  Sure, there was the option of running tcpdump, transferring the capture files over and loading them into Wireshark.  Not exactly real time or time saving.

I found some references but not many, and most did not cover the issue of sending pcaps back across insecure connections.  You can’t trust Uncle Sam (or anyone else for that matter) to not peek at your traffic as it passes through peering points.  Eat it, Mr. Fed.  Encryption rocks.

I solved this issue with some port forwarding and netcat.  SSH is secure and incredibly resilient to connectivity interruptions.

You’re going to need to have the following packages installed on both the server and your local workstation.  Use apt-get, yum, aptitude, whatever your distribution warrants.

  1. netcat (http://netcat.sourceforge.net/)
  2. ssh (http://www.openssh.com/)

Wireshark is only needed on your local workstation:

  1. Wireshark (http://www.wireshark.org/)

We have two machines: the remote host, which we’ll call REMOTE, and your local workstation, which will be LOCAL.

At your LOCAL machine, use the following command to set up the necessary ports:

ssh -R 127.0.0.1:3000:127.0.0.1:3000 $REMOTE

Basically, we’re telling ssh to forward connections made to port 3000 on REMOTE’s localhost back to port 3000 on LOCAL.  You can choose any combination of ports you desire.  Check the ssh man page for more information and a better explanation.

Open a new terminal window on LOCAL and enter the following:

nc -l 127.0.0.1 3000 | wireshark -k -i -

So what we’ve done here is create a listening socket on LOCAL’s localhost on port 3000 and pipe its output to Wireshark, which we have told to begin capturing immediately (-k) and to read its input from STDIN (-i -).   You should see Wireshark start up and present a message along the lines of “Waiting for capture to begin…”.  This is good.

Now we can wander back to REMOTE and issue the following command:

sudo /usr/sbin/tcpdump -i eth0 -w - not host $YOUR_IP | nc 127.0.0.1 3000

Finally, we fire up tcpdump, instructing it to listen for traffic on eth0, to write its output to STDOUT (-w -) and to ignore packets to or from $YOUR_IP.  We pipe that into netcat (nc) on localhost port 3000.  The filter is not optional: the capture itself travels back to LOCAL inside the SSH session, so without it tcpdump would capture its own tunnel traffic and feed it straight back into the capture.

At this point, Wireshark should begin to show signs of life.  If it didn’t go so hot, double check the commands and try again.

So in a nutshell: we use SSH to reverse-forward a port from the remote machine to your local machine, start a listening socket with netcat and pipe its output to Wireshark.  Back on the remote machine, tcpdump is started and its output piped into netcat, which sends it over our SSH connection.  How cool is that?

One point I forgot to mention: for as long as tcpdump is running you are effectively doubling your traffic, since a copy of every packet that matches your filter is being sent across the SSH tunnel to Wireshark.
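As an added example (not part of the original post), here are two small POSIX shell helpers for the pipeline above: one builds the tcpdump filter so the capture cannot swallow its own SSH tunnel traffic without hiding everything else between REMOTE and your workstation, and the other checks that what comes out of the pipe really starts with a pcap header before you hand it to Wireshark. The function names are mine and the IP address and ports in the comments are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Helpers for the
# "tcpdump -w - | nc" -> "ssh -R" -> "nc -l | wireshark -i -" pipeline.
# Assumes POSIX sh with od, cut and sed.

# Print a BPF filter that keeps the capture from eating its own tunnel
# traffic. The post uses "not host $YOUR_IP", which also hides everything
# else between REMOTE and your workstation; excluding only the SSH session
# keeps that other traffic visible.
#   $1 = LOCAL's address as REMOTE sees it (e.g. 203.0.113.5, a placeholder)
#   $2 = SSH port on REMOTE (default 22)
#   $3 = optional extra filter, ANDed in (e.g. "port 80")
tunnel_safe_filter() {
    ip=$1; port=${2:-22}; extra=$3
    f="not (host $ip and tcp port $port)"
    if [ -n "$extra" ]; then
        f="$f and ($extra)"
    fi
    printf '%s\n' "$f"
}

# Read the 24-byte pcap global header from stdin (the first thing
# "tcpdump -w -" writes) and print "<byte order> <link type>", e.g.
# "little 1" for a little-endian stream of Ethernet frames (LINKTYPE_ETHERNET).
# Returns 1 when the bytes do not start with a pcap magic number, which is
# what you get if a sudo prompt or a tcpdump error message ended up in the
# pipe instead of a capture.
pcap_header_info() {
    hdr=$(od -An -tx1 -N24 -v | tr -d ' \n')
    [ ${#hdr} -eq 48 ] || return 1            # fewer than 24 bytes arrived
    case $(printf '%s' "$hdr" | cut -c1-8) in
        d4c3b2a1|4d3cb2a1) order=little ;;    # 4d3c... is the nanosecond variant
        a1b2c3d4|a1b23c4d) order=big ;;
        *) return 1 ;;
    esac
    lt=$(printf '%s' "$hdr" | cut -c41-48)    # bytes 20-23: link-layer type
    if [ "$order" = little ]; then
        # swap the four bytes so the hex string reads as one big-endian number
        lt=$(printf '%s' "$lt" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/')
    fi
    printf '%s %d\n' "$order" "$(( 0x$lt ))"
}

# Example use on REMOTE (placeholder address; needs the ssh -R from the post):
#   sudo tcpdump -U -i eth0 -w - "$(tunnel_safe_filter 203.0.113.5)" | nc 127.0.0.1 3000
# Example check on LOCAL, on a copy of the first bytes taken with tee:
#   head -c 24 /tmp/capture.pcap | pcap_header_info
```

Two practical points: pass tcpdump -U (packet-buffered output) as well, otherwise it writes to the pipe in block-sized chunks and Wireshark sits on “Waiting for capture” until a buffer fills; and run pcap_header_info on a saved file or on a copy taken with tee rather than on the live pipe, since it consumes the bytes it reads.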

Resolving Sansa Media Player issues under Ubuntu 9.04

Saturday, April 25th, 2009

Even though Ubuntu 9.04 (Jaunty Jackalope) was released only a few days ago, I’ve been running it without issue on most of my systems since alpha (what can I say, I like to live on the edge). Well, nearly without issue.

When I plugged my Sansa e260 into either my Thinkpad or my desktop, it would not mount in either mode.

Tailing /var/log/syslog (tail -f /var/log/syslog) revealed this:
Apr 25 10:04:34 hkb-jaunty kernel: [ 874.500098] usb 1-5: new high speed USB device using ehci_hcd and address 4
Apr 25 10:04:34 hkb-jaunty kernel: [ 874.556334] hub 1-0:1.0: unable to enumerate USB device on port 5
Apr 25 10:04:43 hkb-jaunty kernel: [ 882.804067] usb 1-5: new high speed USB device using ehci_hcd and address 5
Apr 25 10:04:43 hkb-jaunty kernel: [ 883.667500] usb 1-5: configuration #128 chosen from 1 choice
Apr 25 10:04:43 hkb-jaunty kernel: [ 883.689289] scsi7 : SCSI emulation for USB Mass Storage devices
Apr 25 10:04:43 hkb-jaunty kernel: [ 883.689653] usb-storage: device found at 5
Apr 25 10:04:43 hkb-jaunty kernel: [ 883.689657] usb-storage: waiting for device to settle before scanning

After some digging around, I found a bug report at https://bugs.launchpad.net/ubuntu/+bug/345916 that points to modifying a file under /usr/share/hal/fdi/preprobe/10osvendor/. Looks easy enough…

  1. Open a Terminal window (Accessories > Terminal)
  2. cd /usr/share/hal/fdi/preprobe/10osvendor/
  3. sudo cp 20-libgphoto2.fdi 20-libgphoto2.fdi.backup
  4. sudo nano 20-libgphoto2.fdi
  5. Remove all entries between line 6633 and line 6764
    You can use the shortcut Ctrl-k to cut lines.  Make sure the <match> tags are correctly nested and closed otherwise we’ll get all sorts of weird errors.
  6. Use Ctrl-x to save and exit nano

Now reconnect the Sansa.  If you’re still tailing syslog then you should see something like this:
Apr 25 10:10:25 hkb-jaunty kernel: [ 1225.396100] usb 1-5: new high speed USB device using ehci_hcd and address 6
Apr 25 10:10:25 hkb-jaunty kernel: [ 1225.452256] hub 1-0:1.0: unable to enumerate USB device on port 5
Apr 25 10:10:34 hkb-jaunty kernel: [ 1233.980091] usb 1-5: new high speed USB device using ehci_hcd and address 7
Apr 25 10:10:35 hkb-jaunty kernel: [ 1234.847610] usb 1-5: configuration #128 chosen from 1 choice
Apr 25 10:10:35 hkb-jaunty kernel: [ 1234.867573] scsi8 : SCSI emulation for USB Mass Storage devices
Apr 25 10:10:35 hkb-jaunty kernel: [ 1234.867934] usb-storage: device found at 7
Apr 25 10:10:35 hkb-jaunty kernel: [ 1234.867939] usb-storage: waiting for device to settle before scanning
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.864675] usb-storage: device scan complete
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.865794] scsi 8:0:0:0: Direct-Access SanDisk Sansa e260 PQ: 0 ANSI: 0
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.866774] scsi 8:0:0:1: Direct-Access SanDisk Sansa e260 PQ: 0 ANSI: 0
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.870983] sd 8:0:0:0: [sdb] 7854080 512-byte hardware sectors: (4.02 GB/3.74 GiB)
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.871834] sd 8:0:0:0: [sdb] Write Protect is off
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.871840] sd 8:0:0:0: [sdb] Mode Sense: 45 00 00 00
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.871846] sd 8:0:0:0: [sdb] Assuming drive cache: write through
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.874596] sd 8:0:0:0: [sdb] 7854080 512-byte hardware sectors: (4.02 GB/3.74 GiB)
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.875469] sd 8:0:0:0: [sdb] Write Protect is off
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.875474] sd 8:0:0:0: [sdb] Mode Sense: 45 00 00 00
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.875479] sd 8:0:0:0: [sdb] Assuming drive cache: write through
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.875485] sdb: sdb1 sdb2
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.880717] sd 8:0:0:0: [sdb] Attached SCSI removable disk
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.880842] sd 8:0:0:0: Attached scsi generic sg2 type 0
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.883016] sd 8:0:0:1: [sdc] Attached SCSI removable disk
Apr 25 10:10:40 hkb-jaunty kernel: [ 1239.883120] sd 8:0:0:1: Attached scsi generic sg3 type 0
Apr 25 10:10:40 hkb-jaunty hald: mounted /dev/sdb1 on behalf of uid 1000

After performing updates you might have to re-edit the 20-libgphoto2.fdi file, as your changes may be overwritten by newer packages.

As always, your mileage may vary.

Update: Encryption keys protected under 5th amendment…maybe not…

Wednesday, March 4th, 2009

Here’s an interesting turn of events related to my previous post regarding Encryption Keys and the Fifth Amendment.

It appears from this writeup at CNet, that a Vermont Judge has ordered the defendant to decrypt his encrypted Z drive to provide the government access to file they need to make a child pornography charge stick.

FTA:

Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered “thousands of images of adult pornography and animation depicting adult and child pornography.” Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then–and this is key–the laptop was shut down after Boucher was arrested.

There are a few things that I think we should take away from Mr. Boucher’s situation.  First off, please, always remember, DON’T TALK TO THE POLICE.  See my other post.  Second.  DON’T TALK TO THE FUCKING POLICE! The Police, DHS, FBI and the like are not here for your protection or to serve you, they exist solely to enforce the law in the name of the glorious United States government, and to (pay attention here) prosecute people for breaking those laws to the best of their abilities (and unlimited pockets, filled with American taxpayer dollars).  Why in the hell would you waive Miranda rights without legal representation present?  Are you trying to be sent to prison?  Furthermore, WTF would make anyone admit to possibly downloading child porn to “the man” who IS ONLY INTERESTED IN CHARGING YOU WITH A CRIME!

I believe that forcing Mr. Boucher to reveal evidence to further implicate himself goes directly against the Fifth Amendment.  The burden of proof lies upon the state, and solely upon the state.  If they have enough evidence to stick charges, then stick away.  Forcing Mr. Boucher to provide the phrase to decrypt his data to enable the state to raise more charges against him is self incrimination, and every half-wit knows this and can see this plain as day.

Not that I condone child pornography.   I do not.  I believe that your hand cannot be forced into incriminating yourself, even if previously you had unknowingly or knowingly done so.  I also believe in privacy, and the use of strong cryptography to protect oneself from “the man”.

Video: LEGO Teletype

Thursday, January 8th, 2009

More information here: http://www.g7smy.co.uk/?lego/baudot

The authors of tail, I salute you.

Wednesday, October 22nd, 2008

I’ve been working on a sick mailserver lately (the qmail server is losing SMTP-submitted mail; I think it’s a qmail-queue problem), and I realized that I needed to watch a few logs at once instead of tailing each log separately.  After checking out the tail manpage, I found that tail will watch several logs at once.

In a terminal.

[root@bender kurth]# tail -f /var/log/qmail/qmail-send/current /var/log/qmail/qmail-smtpd/current /var/log/qmail/qmail-smtpd-submission/current

And we get this for output:

==> /var/log/qmail/qmail-send/current <==
@4000000048ff5ca51502325c delivery 3386: success: did_0+0+1/
@4000000048ff5ca515030934 status: local 0/10 remote 0/255
@4000000048ff5ca515040334 end msg 15925306
@4000000048ff5e8a002e9ba4 new msg 15925306
@4000000048ff5e8a002f3bcc info msg 15925306: bytes 4179 from qp 24060 uid 89
@4000000048ff5e8a0fed146c starting delivery 3387: msg 15925306 to local
@4000000048ff5e8a0fed2fc4 status: local 1/10 remote 0/255
@4000000048ff5e8a101cbf8c delivery 3387: success: did_0+0+1/
@4000000048ff5e8a101e0f7c status: local 0/10 remote 0/255
@4000000048ff5e8a101eabbc end msg 15925306

==> /var/log/qmail/qmail-smtpd/current <==
@4000000048ff5ca4311d99cc tcpserver: status: 1/30
@4000000048ff5ca43120be7c tcpserver: pid 19706 from 205.206.231.27
@4000000048ff5ca4312de5ac tcpserver: ok 19706::25 :::46747
@4000000048ff5ca50f730a3c tcpserver: end 19706 status 0
@4000000048ff5ca50f730e24 tcpserver: status: 0/30
@4000000048ff5e891caf410c tcpserver: status: 1/30
@4000000048ff5e891caf48dc tcpserver: pid 24049 from 205.206.231.26
@4000000048ff5e891cbd3b2c tcpserver: ok 24049 ::25 outgoing.securityfocus.com:205.206.231.26::56816
@4000000048ff5e8a00327fbc tcpserver: end 24049 status 0
@4000000048ff5e8a003283a4 tcpserver: status: 0/30

==> /var/log/qmail/qmail-smtpd-submission/current <==
@4000000048ff3cc1300451fc tcpserver: status: 2/30
@4000000048ff40cc18d05544 tcpserver: end 1662 status 256
@4000000048ff40cc18d05d14 tcpserver: status: 1/30
@4000000048ff415d11a04a7c tcpserver: end 3246 status 256
@4000000048ff415d11a05634 tcpserver: status: 0/30
@4000000048ff489c1491dc8c tcpserver: status: 1/30
@4000000048ff489c1493e414 tcpserver: pid 5723 from 69.157.169.108
@4000000048ff489c14942294 tcpserver: ok 5723 ::587 :::61919
@4000000048ff489d21ff3964 tcpserver: end 5723 status 0
@4000000048ff489d21ff451c tcpserver: status: 0/30

Awesome. Thanks Paul Rubin, David MacKenzie, Ian Lance Taylor, and Jim Meyering. (authors of tail, as indicated in the tail manpage). If I ever meet any of you IRL, the round is on me.
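The stamps at the front of each line are TAI64N labels written by multilog, which is why tail shows hex instead of a time. The following POSIX shell helpers are an added example, not part of the original post: they decode those labels and can wrap the same multi-file tail -f. The function names are mine; the conversion follows daemontools’ tai64nlocal in subtracting 2^62 plus the 10 seconds TAI was ahead of UTC at the 1970 epoch and ignoring later leap seconds.

```sh
#!/bin/sh
# Added example, not from the original post: decode the TAI64N stamps that
# multilog puts in front of each qmail log line, so a "tail -f" of several
# logs can be read without tai64nlocal. Assumes POSIX sh with cut and a
# 32-bit-capable $(( )).

# Convert one TAI64N label ("@" + 16 hex digits of TAI seconds + 8 hex
# digits of nanoseconds) to Unix time. Prints "<seconds>.<nanoseconds>";
# returns 1 if the token is not a label in the 2^62-based range that
# multilog writes.
tai64n_to_epoch() {
    tok=$1
    case $tok in
        @40000000????????????????) ;;   # 0x40000000 high word = 2^62 prefix
        *) return 1 ;;
    esac
    low=$(printf '%s' "$tok" | cut -c10-17)   # low 32 bits of TAI seconds
    ns=$(printf '%s' "$tok" | cut -c18-25)    # nanoseconds
    # TAI = UTC + 10 s at the epoch; like tai64nlocal, ignore later leap seconds.
    printf '%d.%09d\n' "$(( 0x$low - 10 ))" "$(( 0x$ns ))"
}

# Filter log lines on stdin: a leading TAI64N label becomes Unix time,
# anything else (including tail's "==> file <==" headers) passes through.
tai64n_lines() {
    while IFS= read -r line; do
        tok=${line%% *}
        if ts=$(tai64n_to_epoch "$tok"); then
            printf '%s%s\n' "$ts" "${line#"$tok"}"
        else
            printf '%s\n' "$line"
        fi
    done
}

# Follow several logs at once, as in the post, with decoded timestamps:
#   tai64n_follow /var/log/qmail/qmail-send/current /var/log/qmail/qmail-smtpd/current
tai64n_follow() {
    tail -f "$@" | tai64n_lines
}
```

The Unix time is left numeric so the script stays portable; on a GNU system you can turn it into calendar time with date -u -d @SECONDS, and if daemontools is installed, piping tail’s output through tai64nlocal does the same job with local time.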

Network Tap construction and use.

Wednesday, October 22nd, 2008

The other day I found a few useful resources relating to tap construction and usage. According to Wikipedia a Network Tap is:

A network TAP is a hardware device which provides a way to access the data flowing across a computer network. Computer networks, including the Internet, are collections of devices, such as computers, routers, and switches, that are connected to each other. The connections can utilize different technologies, such as Ethernet, 802.11, FDDI, and ATM. In many cases, it is desirable for a third party to monitor the network traffic between two points in the network, point A and point B. If the network between points A and B consists of a physical cable, a network TAP may be the best way to accomplish this monitoring. The network TAP has at least three ports — an A port, a B port, and a monitor port. To place a TAP between points A and B, the network cable between point A and point B is replaced with a pair of cables, one going to the TAP’s A port, one going to the TAP’s B port. The TAP passes through all traffic between A and B, so A and B still think they are connected to each other, but the TAP also copies the traffic between A and B to its monitor port, enabling a third party to listen.

So, a tap allows for “eavesdropping” on network traffic, without being detected by other hosts, attackers or anything else connected to the segment. Very useful for IDS applications and for monitoring network traffic in general. In researching the construction of a passive tap, I stumbled across Diego González Gómez’s page describing the construction and use of receive-only cables and network taps. Super useful stuff.

Super useful SSH option (Quick and dirty SOCKS Proxy with SSH)

Thursday, October 16th, 2008

Reading the ssh manpage with my morning tea, I came across this:


-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

IPv6 addresses can be specified with an alternative syntax: [bind_address/]port or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.


SOCKS proxy you say? Neat!

At a terminal:
hkb@voyagerone:~$ ssh -D 5050 kurth@my.proxy.host

You will be asked to log in as normal, using your password or key, and then placed at your default shell.

Then modify your system proxy settings, or just your Firefox settings to use a SOCKS proxy on port 5050. You can use any port, as long as it’s above 1024, I just chose 5050.

Doing this from within a firewalled network, I noticed a significant speed increase in my surfing when using the proxy compared to going without. YMMV.

EDIT:  Added screenshots from Firefox.

Edit > Preferences > Network Tab > Settings

[Screenshot: Firefox Preferences Window]

Your settings should look something like this.

[Screenshot: Firefox Proxy Settings Window]

Notes: Replacement for DNSstuff.com and DNSreport.com

Thursday, September 4th, 2008

Since DNSstuff.com has gone paid, I’ve been looking for a replacement.  Getting ready to begin hacking one up myself, I found this one, which is free and great.

IntoDNS

Installing Backtrack 3 to a harddrive

Saturday, August 30th, 2008

So it took me some googling, but I eventually found partial instructions over at http://www.remote-exploit.com. I found them lacking, omitting a few steps like reconfiguring fstab before reboot. So, here are my notes.

I started with a clean drive, so you might have to manipulate your partition tables. I’m going to assume that you’re comfortable working with partition tables. If not, work on your google-fu.

Here are the steps I took to install Backtrack 3 onto my laptop harddrive:

  1. Boot system from Backtrack 3 CD.
  2. Once booted, open a terminal and type: cfdisk
  3. Re-configure your partitions. I made several; / , /boot, /var, /tmp, /home, swap. Be sure to set your / or /boot partition to be bootable.
  4. When your changes are complete, use the write option and type YES to confirm the changes.
  5. Reboot, booting from the Backtrack 3 CD again.
  6. When the system restarts, open a terminal and perform the following:
    bt~# mkswap /dev/sda5
    bt~# swapon /dev/sda5

    This formats and enables swap space. You’ll need this later
  7. Create directories needed to mount up the partitions you just created. I used the following;
    bt~# mkdir -p /mnt/backtrack/{boot,home,tmp,var}
  8. Now format and mount the partitions you created earlier in steps 1-4. I used the following commands;
    bt~# mkfs.ext3 /dev/sda6
    bt~# mount /dev/sda6 /mnt/backtrack/
    bt~# mkfs.ext3 /dev/sda7
    bt~# mount /dev/sda7 /mnt/backtrack/var
    bt~# mkfs.ext3 /dev/sda8
    bt~# mount /dev/sda8 /mnt/backtrack/tmp
    bt~# mkfs.ext3 /dev/sda9
    bt~# mount /dev/sda9 /mnt/backtrack/home
  9. Once all targets are mounted, use the following command to copy the live CD onto your harddrive (the destination is the root of your new install, mounted in step 8):
    bt~# cp --preserve -R /{bin,dev,pentest,root,usr,etc,lib,opt,sbin} /mnt/backtrack/
  10. Create additional directories (-p so the tmp directory already made in step 7 doesn’t cause an error)
    bt~# mkdir -p /mnt/backtrack/{mnt,proc,sys,tmp}
  11. Mount up /mnt/backtrack/dev
    bt~# mount --bind /dev /mnt/backtrack/dev
  12. Mount slash proc!
    bt~# mount -t proc proc /mnt/backtrack/proc
  13. Copy our Linux Kernel into place
    bt~# cp /boot/vmlinuz /mnt/backtrack/boot
  14. Use chroot to enter your new Backtrack 3 installation.
    bt~# chroot /mnt/backtrack /bin/bash
  15. Edit /etc/lilo.conf
    bt~# nano /etc/lilo.conf
    and ensure both the boot and root lines reflect your local installation (lilo.conf uses key = value syntax). I used options similar to the following:
    boot = /dev/sda
    root = /dev/sda6   # the partition mounted as / in step 8; /dev/sda5 is the swap partition from step 6
  16. When your changes are complete, write the file and exit nano.
  17. Install lilo on /dev/sda
    bt~# lilo -v
  18. Almost done! Edit /etc/fstab to reflect your partition layout. It should be pretty simple to copy and modify existing entries. Check and double check. If this file is wrong, your system may not boot.
  19. Once done, exit your chrooted environment
    bt~# exit
  20. Reboot! Remove the CD from the drive. If everything has gone properly, your system should boot Backtrack 3. I had to login as root and use the startx command to start KDE.

YMMV.
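Step 18 is where installs like this go wrong, so here is an added example (not from the original post) that writes the /etc/fstab for the layout used in steps 6 to 8 and cross-checks it against the root= line in lilo.conf before you reboot. The device names follow the post; the function names, the LAYOUT variable and the proc and sysfs entries are my assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: generate /etc/fstab for the
# partition layout from steps 6-8 and check it against lilo's root= line
# before rebooting, since a wrong fstab or root= leaves the box unbootable.
# Assumes POSIX sh with awk and sed.

# Layout as "device mountpoint fstype" triples, one per line. These are the
# partitions the post used; adjust to your own cfdisk output.
LAYOUT='/dev/sda6 / ext3
/dev/sda7 /var ext3
/dev/sda8 /tmp ext3
/dev/sda9 /home ext3
/dev/sda5 swap swap'

# Read LAYOUT-style triples on stdin and emit fstab lines: / gets fsck pass 1,
# other filesystems pass 2, swap gets "sw" and no fsck. The proc and sysfs
# lines replace the by-hand mounts from steps 10-12 on the installed system.
#   printf '%s\n' "$LAYOUT" | gen_fstab > /mnt/backtrack/etc/fstab
gen_fstab() {
    while read -r dev mnt fs; do
        [ -n "$dev" ] || continue
        case $mnt in
            /)    printf '%s\t%s\t%s\tdefaults\t1 1\n' "$dev" "$mnt" "$fs" ;;
            swap) printf '%s\t%s\t%s\tsw\t0 0\n' "$dev" "$mnt" "$fs" ;;
            *)    printf '%s\t%s\t%s\tdefaults\t1 2\n' "$dev" "$mnt" "$fs" ;;
        esac
    done
    printf 'proc\t/proc\tproc\tdefaults\t0 0\n'
    printf 'sysfs\t/sys\tsysfs\tdefaults\t0 0\n'
}

# Return 0 only if the device lilo will pass as root is the one fstab
# mounts on /. Catches the swap-as-root mistake before lilo -v is run.
#   $1 = path to lilo.conf, $2 = path to fstab
check_root_matches() {
    lilo_root=$(sed -n 's/^[[:space:]]*root[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    lilo_root=${lilo_root%%[[:space:]#]*}     # drop trailing comment or blanks
    fstab_root=$(awk '$2 == "/" { print $1 }' "$2")
    [ -n "$lilo_root" ] && [ "$lilo_root" = "$fstab_root" ]
}

# Inside the chroot from step 14, before step 17:
#   check_root_matches /etc/lilo.conf /etc/fstab || echo 'root= and fstab disagree' >&2
```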

Tools: SSH over Tor for secure and anonymous sessions

Monday, August 25th, 2008

I’ve seen it written about in a few places, but all seemed a little harder to understand than was really necessary.  So here you have it.  Use SSH over Tor to create secure, anonymous shell connections.

First, get and compile connect.c.

EDIT: If you’re running a .deb based distro, like Debian or Ubuntu, use:


kurth@bender:~$ sudo apt-get install connect-proxy

and you’re set! Otherwise use…

kurth@bender:~$ wget https://savannah.gnu.org/maintenance/connect.c --no-check-certificate
kurth@bender:~$ sudo gcc -o /usr/local/bin/connect connect.c
kurth@bender:~$ sudo chmod 755 /usr/local/bin/connect
kurth@bender:~$ sudo chown root:root /usr/local/bin/connect

Then fire up ssh with the following command:

kurth@bender:~$ ssh -2 -l kurth `tor-resolve kurthbemis.com localhost:9050` -o ProxyCommand="/usr/local/bin/connect -4 -S localhost:9050 %h %p"

Here’s the command breakdown:
The -2 forces SSH protocol version 2 only, and -l kurth specifies the login name to use.  Here’s a potential sticky spot: the backticks (`) capture the output of “tor-resolve kurthbemis.com localhost:9050”, which should be an IP address only.  This prevents a DNS lookup being performed by your provider’s name servers, which would leak the site you are attempting to connect to and defeat the use of Tor.  Finally, the -o option supplies the ProxyCommand option, which connects to the local proxy via the connect program we compiled earlier.  The -4 tells connect to use SOCKS version 4, and -S specifies the SOCKS server, which in this case is my own boxen, running privoxy and tor.
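The backtick trick has a failure mode worth guarding: SOCKS version 4 only carries IP addresses (which is why the resolve step exists at all), and whatever tor-resolve prints is passed to ssh unchecked. This added example (not from the original post) wraps the post’s command so that ssh only ever sees an IPv4 literal that came back from Tor, and fails otherwise instead of handing ssh an empty or unexpected string. The names is_ipv4, tor_resolve_checked and tor_ssh are mine; localhost:9050 is the post’s Tor SOCKS port and /usr/local/bin/connect the binary built above.

```sh
#!/bin/sh
# Added example, not from the original post: SSH over Tor with a check that
# the address handed to ssh really is an IPv4 literal from tor-resolve.
# Assumes POSIX sh, tor-resolve and the connect binary built in the post.

# Return 0 if $1 is a dotted-quad IPv4 literal with every octet in 0..255.
is_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/empty octets
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Resolve $1 through Tor's SOCKS port ($2, default localhost:9050) and print
# the address, or fail with a message instead of printing nothing.
tor_resolve_checked() {
    host=$1; socks=${2:-localhost:9050}
    ip=$(tor-resolve "$host" "$socks") || return 1
    if ! is_ipv4 "$ip"; then
        printf 'tor-resolve returned "%s", not an IPv4 address; refusing to continue\n' "$ip" >&2
        return 1
    fi
    printf '%s\n' "$ip"
}

# The post's command with the resolve step checked first.
#   tor_ssh kurth kurthbemis.com
tor_ssh() {
    user=$1; host=$2; socks=${3:-localhost:9050}
    ip=$(tor_resolve_checked "$host" "$socks") || return 1
    ssh -2 -l "$user" "$ip" -o ProxyCommand="/usr/local/bin/connect -4 -S $socks %h %p"
}
```

Because every name resolution happens inside tor_resolve_checked, the only DNS query for the target ever made is the one Tor performs on your behalf; the local resolver never sees the hostname.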

Have fun with secure, anonymous shell sessions!

PSA: If you use the Tor network on a daily basis, please consider running a Node (like yours truly) or making a monetary donation to the project.

Information useful for reproducing for Lockwood v7 keys

Thursday, August 7th, 2008

Since I’ve taken an interest in Locksport, I’ve been finding items that I obtained over the past few years, that when I obtained them, I had no idea why I wanted them, but I knew I had to have them.  This is one of those items.

After returning from The Last HOPE, I discovered that I had something of rarity in my possession.  A Lockwood Dial Micrometer with key measuring instructions and measuring block.  I had purchased it in high-school (I’ve been out of high school for a number of years) from a fellow student who had a questionable past.  I think I heard that he was last spotted in prison, but I can’t confirm.  Regardless, I purchased it for the sum of twenty dollars.  Cool.

So this is what I have.  I apologize for the quality, but  I cannot seem to make my HP 5300c work properly with xSane under Ubuntu Intrepid Ibex.

If there’s interest, I’ll take precise measurements of the measuring block and post them.  Leave a comment or drop me a line.