Suramya’s Blog

February 27, 2010

How to use UDP Tunneling to avoid hotspot or firewall restrictions

Filed under: Computer Security, Knowledgebase — Suramya @ 11:59 pm

A lot of times when you connect to a wireless hotspot or a network there are restrictions in place which prevent you from accessing the web without some sort of authentication or restrict the kind of connections allowed. Usually that’s not a problem but at times you need to be able to bypass the restrictions.

In normal cases the firewalls in place usually allow outgoing connections to pass through but in some cases even outbound connections are blocked or you need to pay for access. In such cases you can use UDP Tunneling to bypass any restrictions.

Keep in mind that using such methods on a network will not endear you to your network administrator and, if you are caught, might cause you trouble. You might even end up in jail. So don’t try to use this for anything illegal or to browse porn at work.

The way it works is that when you try to browse to a website, your system sends a request to a name server on UDP port 53. On a lot of hotspots/firewalls/proxies the system waits for the name server to respond, and when it gets a response it redirects you to a login page or to a web proxy. What makes a UDP tunnel possible is the fact that all port 53 UDP traffic is allowed out to anywhere on the web, without any kind of authentication.

So if you have a VPN configured to connect over UDP port 53 instead of the default port 1194 then you should be able to bypass the restrictions.

Basically, what you have to do is set up an OpenVPN server on a public server and then configure it to use port 53 instead of the default 1194. Once you do that, you can configure the VPN client on your laptop to connect to the server on port 53. Once connected, all new connections will go over the VPN connection and you should be able to browse the web without issues or blocks.
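
Seen from the network operator’s side, the gap described above is a rule that passes any UDP datagram to port 53 regardless of destination or content. The following is an added example, not part of the original post: a Python check that flags port-53 datagrams that go to a host other than an approved resolver or that do not parse as a DNS query. The function names, the sample datagrams and the resolver address are constructed for illustration.

```python
import struct

def build_query(name, qtype=1, ident=0x1234):
    """Build a plain DNS query; used here only to construct sample input."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN

def looks_like_dns_query(payload):
    """Heuristic: does a UDP/53 payload parse as a standard DNS query (RFC 1035)?"""
    if not 17 <= len(payload) <= 512:  # 12-byte header plus the shortest question
        return False
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", payload[:12])
    if flags >> 15 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return False  # QR must be 0 (query), opcode 0, exactly one question
    pos = 12
    while True:  # walk the length-prefixed labels of the question name
        if pos >= len(payload):
            return False
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # labels are at most 63 bytes
            return False
        pos += length
    return pos - 12 <= 255 and len(payload) - pos >= 4  # QTYPE and QCLASS follow

# Constructed datagrams as (destination IP, UDP payload). The second payload is
# opaque filler standing in for non-DNS traffic; addresses are documentation ranges.
SAMPLE = [
    ("192.0.2.53", build_query("www.example.com")),
    ("203.0.113.9", bytes.fromhex("38a1b2c3d4e5f607180000000000") + bytes(40)),
]

def suspicious_port53(datagrams, resolvers):
    """Return (dst, reasons) for datagrams a port-53 policy should not pass."""
    flagged = []
    for dst, payload in datagrams:
        reasons = []
        if dst not in resolvers:
            reasons.append("destination is not an approved resolver")
        if not looks_like_dns_query(payload):
            reasons.append("payload is not a DNS query")
        if reasons:
            flagged.append((dst, reasons))
    return flagged
```

Restricting outbound port 53 to the network’s own resolver closes the gap on its own; the payload check is a second signal for networks that cannot do that.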

Thanks to Adam Palmer for the tip.

I think I am going to set up a VPN server on my desktop so when I am away from home and need web access I can use this technique to get access.

- Suramya

January 20, 2010

List all machines connected to a LAN with additional details on each

Filed under: Knowledgebase, Security Tools — Suramya @ 12:15 am

If you have ever had to figure out how many systems are connected to a network and what IPs they have, then you will find this tip useful. It is also useful for identifying any rogue machines on your network if you know how many systems are supposed to be on that network, as in the case of my home network, where I know the exact number of machines.

There are multiple software packages out there that allow you to do this. Some are free, some are very expensive. In my opinion the best one is nmap. It is free, fast and can be scripted.

To find all machines on my LAN (IP Range: 192.168.2.x) I just have to issue the following command:

nmap -sP 192.168.2.0/24

This gives an output like the following when I run it as a normal user:

suramya@Wyrm:~$ nmap -sP 192.168.2.0/24

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-20 00:01 IST
Host 192.168.2.1 is up (0.0018s latency).
Host 192.168.2.5 is up (0.00018s latency).
Host 192.168.2.100 is up (0.00018s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.93 seconds

When I run the same command as root, it gives me additional information that looks like:

Wyrm:~# nmap -sP 192.168.2.0/24
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-19 23:50 IST
Host 192.168.2.1 is up (0.0015s latency).
MAC Address: 00:XX:XX:XX:XX:XX (Cisco-Linksys)
Host 192.168.2.5 is up.
Host 192.168.2.100 is up (0.011s latency).
MAC Address: 00:XX:XX:XX:XX:XX (Intel)
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.00 seconds

In this case, as you can see nmap also gives me the MAC address of the machine. 192.168.2.5 is the machine I ran the scan from so I didn’t get any information on that one.
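
An added example (not part of the original post): a short Python script that parses ping-scan output in the Nmap 5.00 layout shown above and flags hosts whose MAC address is not in an inventory of expected machines. The sample scan text, the MAC addresses, the 192.168.2.77 host and the `KNOWN_MACS` inventory are constructed for illustration.

```python
import re

# Constructed sample in the Nmap 5.00 "-sP as root" layout shown above.
# The MAC addresses and the 192.168.2.77 host are made up for this example.
SAMPLE_SCAN = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-19 23:50 IST
Host 192.168.2.1 is up (0.0015s latency).
MAC Address: 00:11:22:33:44:55 (Cisco-Linksys)
Host 192.168.2.5 is up.
Host 192.168.2.77 is up (0.0040s latency).
MAC Address: 00:AA:BB:CC:DD:EE (Unknown)
Host 192.168.2.100 is up (0.011s latency).
MAC Address: 00:66:77:88:99:00 (Intel)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.00 seconds
"""

# Hypothetical inventory of machines expected on the LAN (MAC -> label).
KNOWN_MACS = {"00:11:22:33:44:55": "router", "00:66:77:88:99:00": "laptop"}

HOST_RE = re.compile(r"^Host (\d{1,3}(?:\.\d{1,3}){3}) is up")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)")


def parse_ping_scan(text):
    """Return one dict per live host; 'mac' stays None when nmap printed none."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append({"ip": m.group(1), "mac": None, "vendor": None})
            continue
        m = MAC_RE.match(line)
        if m and hosts:  # a MAC line belongs to the host line just before it
            hosts[-1]["mac"] = m.group(1).upper()
            hosts[-1]["vendor"] = m.group(2)
    return hosts


def find_unknown(hosts, known_macs, scanner_ip):
    """Hosts not in the inventory. The scanning machine is skipped because
    nmap prints no MAC for it; any other host without a MAC is reported."""
    known = {mac.upper() for mac in known_macs}
    return [h for h in hosts if h["ip"] != scanner_ip and h["mac"] not in known]


if __name__ == "__main__":
    for h in find_unknown(parse_ping_scan(SAMPLE_SCAN), KNOWN_MACS, "192.168.2.5"):
        print("not in inventory:", h["ip"], h["mac"], h["vendor"])
```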

If you want additional details on a system you can issue the following command to get the system to try and identify the OS and services running in detail.

nmap -A 192.168.2.5

It gives an output that looks something like:

Wyrm:~# nmap -A 192.168.2.5
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-19 23:52 IST
Interesting ports on 192.168.2.5:
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 8 (protocol 2.0)
| ssh-hostkey: 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx (DSA)
|_ 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx (RSA)
80/tcp open http Apache httpd 2.2.14 ((Debian))
|_ html-title: Index of /
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
631/tcp open ipp CUPS 1.4
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.28
Network Distance: 0 hops
Service Info: OS: Linux

Host script results:
additional information on the server

Hope you also find this useful.

- Suramya

January 19, 2010

Flaw gives AT&T users access to other user’s Facebook accounts

Filed under: Computer Security, My Thoughts — Suramya @ 11:23 pm

Recently a Georgia mother and her two daughters logged onto Facebook from their mobile phones and wound up in strangers’ accounts with full access to their private information. All of them were using AT&T as their data provider. On the face of it, it seems pretty scary.

How prevalent this flaw is and what other services are affected is something that is still unknown. As far as I can tell no technical details have been released to explain this issue either by Facebook or AT&T. So I am going to speculate on various ways this might have happened.

1. A flaw in Facebook caused the system to falsely authenticate users based on their IP address even without an authentication cookie present.

This could happen; however, if this were the case a lot more people would have hit it by now, especially on networks that have their IP addresses allocated dynamically.

So Probability of this being the reason: Very Low

2. AT&T is using a proxy caching server and the authentication cookies used by Facebook were stored on the proxy server.

If a proxy server was being used by AT&T then when a request went out to Facebook it would check for a valid session using the server’s IP address and then check for an authentication cookie on that server. If one existed the user would then be authenticated even though this time someone else was trying to access their Facebook account.

The problem in this case would be the incorrect configuration of their Proxy server by AT&T.

So Probability of this being the reason: Very High

3. Can’t think of any other reason… Though there could be a ton of other explanations. Just can’t think of any of them right now.

Caching servers are well and good, but if they are not correctly configured they can cause a lot of havoc and security issues. So I am off to read up more about proxies and caching servers and how to configure them correctly.
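
The failure mode guessed at in item 2, as an added example that is not part of the original post and not a reconstruction of AT&T’s or Facebook’s systems: a toy shared cache keyed on the URL alone, next to a conservative variant that refuses to store responses that set cookies, are marked `private` or `no-store`, or answer requests carrying credentials. The `Origin` and `SharedCache` classes and the user names are hypothetical.

```python
class Origin:
    """Toy origin server: every response is personalised and sets a session cookie."""

    def handle(self, path, user):
        return {
            "headers": {"Set-Cookie": f"session={user}-token",
                        "Cache-Control": "private"},
            "body": f"{path} rendered for {user}",
        }


class SharedCache:
    """Toy shared proxy cache keyed on the URL path only."""

    def __init__(self, origin, strict):
        self.origin, self.strict, self.store = origin, strict, {}

    def may_store(self, request_headers, response):
        if not self.strict:
            return True  # misconfigured: every response is stored
        cache_control = response["headers"].get("Cache-Control", "").lower()
        return not (
            "Set-Cookie" in response["headers"]
            or "private" in cache_control
            or "no-store" in cache_control
            or "Cookie" in request_headers
            or "Authorization" in request_headers
        )

    def get(self, path, user, request_headers=None):
        request_headers = request_headers or {}
        if path in self.store:
            return self.store[path]  # served without contacting the origin
        response = self.origin.handle(path, user)
        if self.may_store(request_headers, response):
            self.store[path] = response
        return response


def second_user_sees(strict):
    """alice fetches /home through the proxy, then bob does; return bob's response."""
    proxy = SharedCache(Origin(), strict)
    proxy.get("/home", "alice")
    return proxy.get("/home", "bob")
```

With `strict=False` the second user receives the first user’s page and session cookie; with `strict=True` each request reaches the origin and gets its own.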

Source:

FOXNews.com – Network Flaw Causes Scary Web Error.

- Suramya

March 23, 2008

Quantum Computing: Hype vs. Reality

Filed under: Computer Security, Interesting Sites — Suramya @ 1:23 pm

A lot of you must have heard about quantum computing (QC), and a lot of articles have been written by people on how quantum computers could break any crypto in a short time. (Even I have written about it.)

So I found the following blog post a really good read. It discusses the possible future of QC in a very interesting fashion with emphasis on how it might affect the world of Cryptology. Check it out over here: Emergent Chaos: Quantum Progress

Thanks to: Schneier on Security for the link.

- Suramya

November 2, 2007

How to disable the ‘Run As’ option in Windows

Filed under: Computer Security, Knowledgebase — Suramya @ 12:13 pm

The ‘Run As’ option was introduced in Windows 2000; the premise was that you would log in as a regular user and, if you needed to run a particular program as a different user or an administrator, you would use it. Basically it duplicated the su functionality from the Unix/Linux world.

Now if for some reason you want to disable this feature, follow these steps:

For standalone Windows XP machines in a workgroup environment, you can disable Run As by hacking the Registry. Simply use Regedit.exe to locate the following key on each machine:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

Then create a new DWORD value named HideRunAsVerb and assign it a value of 1.

In a domain environment, you can disable RunAs using the Software Restriction Policies feature of Group Policy. To do this, open the appropriate GPO in the Group Policy Object Editor and locate the following node in the console tree:

Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies

Right-click on this node and select New Software Restriction Policies, then right-click on Additional Rules and select New Path Rule. Now type the path to runas.exe and make sure the policy is set to Disallowed.

If you prefer to apply this policy to specific users instead of computers, use a GPO linked to an OU where the user accounts reside and configure Software Restriction Policies using User Configuration instead of Computer Configuration, such as:

User Configuration/Windows Settings/Security Settings/Software Restriction Policies

Source: Disabling the RunAs command

More detailed version: Disable RunAs

- Suramya

Identify what files are being used by a given process/TCP connection

Filed under: Computer Security, Knowledgebase — Suramya @ 11:54 am

In Linux, if you want to know what files are being used, all you have to do is run the lsof command, which shows a list of all open files and the processes that opened them. So if you want to figure out what program is using that insane amount of RAM you can run lsof and grep by the process ID to find it.

In Windows, however, there is no such command, so we have to use alternative methods. If you are trying to identify a TCP connection you can try running “netstat -bv” (without the quotes). It will give you the executable behind the process, something like:

TCP fury:2433 imap.perfora.net:imap ESTABLISHED 2724
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
C:\Program Files\Mozilla Thunderbird\nspr4.dll
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\kernel32.dll
[thunderbird.exe]

For Windows XP and 2000 systems you can also download Fport, which is a free tool that will show you what programs on your system are opening which ports.

Hope this helps.

- Suramya

October 19, 2007

List of sites where you can get Information Security related news

Filed under: Computer Security, Interesting Sites, Knowledgebase — Suramya @ 12:40 pm

Here’s a small list of sites that carry security-related news/resources:

This list is not a comprehensive list. I may add more sites as and when I find them.

- Suramya

How to find out who deleted a particular file

Filed under: Computer Security, Knowledgebase — Suramya @ 11:35 am

If you want to know who deleted a particular file in Windows 2003, all you need to do is enable auditing on the folder you want to keep track of. Just right-click on the folder, go to “Sharing and Security”, then the “Security” tab, and at the bottom click on “Advanced”. Select the Auditing tab, click Add, select the group or users to track, then pick what actions you want to track.

To track file deletion you would enable:

Create files / Write data: Success/Fail
Create folders / Append data: Success/Fail
Delete Subfolders/Files: Success/Fail
Delete: Success/Fail

Once that’s done, Windows will log all the information in the security event log.

- Suramya

October 11, 2007

UK Police Can Now Demand Encryption Keys

Filed under: Computer Security, News/Articles — Suramya @ 12:18 pm

Under a new law that went into effect this month, it is now a crime to refuse to turn a decryption key over to the police. So let’s say you have an encrypted file on your computer and you are traveling through the UK; if the cops feel like it, they can force you to hand over the decryption key. If you don’t comply you face a 5 year sentence in jail if the investigation relates to terrorism or national security, or up to two years in jail in other cases.

But what they don’t seem to have considered is that sometimes people do forget passwords and keys. Back in 2003 I went through a phase where I started encrypting all my data backups (MySQL database dumps etc.) using PGP for a couple of months, which was all well and good. Then I had to upgrade my OS, so I formatted my computer, managing to lose the decryption key which was stored in my PGP keyring. I do have a physical copy of the key but that’s sitting in one of the boxes in storage. So if I went to the UK and they asked me for the key I can’t give it to them because I really don’t have it. But if I tell them that, I will end up in jail for 2 years if the judge refuses to believe me.

So I think I am staying away from the UK for the time being.

Thanks to Schneier on Security for the news.

More information available at The Register

- Suramya

October 3, 2007

Automatic session logging/monitoring with GNU screen

Filed under: Computer Security, Computer Tips, Security Tutorials — Suramya @ 11:10 pm

Found this good article on how to set up screen on Linux/Unix so that it automatically logs all activity made in the session. Screen is a utility that I use very often on my Linux box. Basically it’s a program that you start and it attaches to a specific console, and if you ever get disconnected you don’t lose your work/position; all you have to do is log back in and reconnect to that screen. You can also connect to a system via ssh/telnet and start a program, then disconnect from ssh, move to another location, reconnect to the server and join the same session from there. I use it all the time when compiling stuff or downloading large files.

The main issue I had with screen was that it would only keep 20-30 lines in the history, so if you wanted to scroll up to read the previous logs you couldn’t. Now this article explains how to set up logging so that you can do that. For the impatient, here’s how you do it:

I wanted to automatically launch a screen session when someone logged in so if I happened to be on the server I could monitor them in real time. I also wanted a log of the session in case I wanted to look over it later or if I was not able to monitor the session live.

I ended up adding the following to my .bashrc

# -- if $STARTED_SCREEN is set, don't try it again, to avoid looping
#    if screen fails for some reason.
# Only runs for interactive shells ($PS1 set) reached over SSH ($SSH_TTY set).
if [[ "$PS1" && "${STARTED_SCREEN:-No}" = No && "${SSH_TTY:-No}" != No ]]; then
  STARTED_SCREEN=1 ; export STARTED_SCREEN
  if [ -d "$HOME/log/screen-logs" ]; then
    sleep 1
    screen -RR && exit 0
    # normally, execution of this rc script ends here...
    echo "Screen failed! continuing with normal bash startup"
  else
    # first login: only create the log directory; screen starts on the next login
    mkdir -p "$HOME/log/screen-logs"
  fi
fi
# [end of auto-screen snippet]

and add the following to your .screenrc

# support color X terminals
termcap xterm 'XT:AF=\E[3%dm:AB=\E[4%dm:AX'
terminfo xterm 'XT:AF=\E[3%p1%dm:AB=\E[4%p1%dm:AX'
termcapinfo xterm 'XT:AF=\E[3%p1%dm:AB=\E[4%p1%dm:AX:hs:ts=\E]2;:fs=\007:ds=\E]2;screen\007'
termcap xtermc 'XT:AF=\E[3%dm:AB=\E[4%dm:AX'
terminfo xtermc 'XT:AF=\E[3%p1%dm:AB=\E[4%p1%dm:AX'
termcapinfo xtermc 'XT:AF=\E[3%p1%dm:AB=\E[4%p1%dm:AX:hs:ts=\E]2;:fs=\007:ds=\E]2;screen\007'

# detach on hangup
autodetach on
# no startup msg
startup_message off
# always use a login shell
shell -$SHELL

# auto-log
logfile $HOME/log/screen-logs/%Y%m%d-%n.log
deflog on

Keep in mind that this is not a very secure setup. Anyone with any technical knowledge can edit the logs as they are located in the user’s home directory and are editable by them. So don’t rely on it extensively to keep a system secure.

Complete article is available here: Automatic session logging and monitoring with GNU screen for the paranoid.

Thanks,
Suramya
