Fun-Day Friday – Nintendo Entertainment System Classic

So today is the day that Nintendo releases the NES Classic. It’s a smaller console designed to look much like the original Nintendo Entertainment System. It has HDMI output, and 60 classic games built in. The majority of the titles were games I enjoyed as a child, so this is on my want list. Amazon will have these available starting at 4:00 p.m. CST. They are turning off 1-Click for this release to give everyone a fair chance at it. They will have limited stock. I went to the local soul sucking Wal-Mart to buy one in person, but there were only 6 units available. I was (un)lucky number 7. Since I have to work, I won’t be able to park my rear at any of the other facilities that would have them “at opening time,” so I’m stuck waiting for my chance at it on Amazon.

As for NaNoWriMo, I’m at a total of 18,062 words as of November 10. This is ahead of the curve. I’ve managed to hit the minimum “average” per day every day. My peak number was 2,127 words on November 8. I’m still on the fence about whether to share this story or not, when it’s done. I guess I’ll know at the end of November.

Is there something that stirs your own nostalgia? Things you enjoyed from your childhood that you would like to relive for a while? Share in the comments.

Thanks for reading!

Hacker-Tool Hump-Day – Hak5 LAN Turtle module – sshfs

There is a very nice program that lets you use an SSH connection to “mount” a remote directory as if it were local. It is called “sshfs,” and it makes life easier when you need to move a lot of files between systems but do not want to drive scp or sftp by hand: the remote directory is exposed through FUSE, and ordinary tools read and write it over the SFTP subsystem. The Hak5 LAN Turtle has a module for this, and its primary purpose (most likely) is to assist in offloading large files to a remote location. You could use sshfs to mount a file system from another machine you control, then point your exfiltration tools at that directory so their output is written over the network rather than to the Turtle’s own small flash. Keep in mind that “never written to the Turtle” is not quite literal: the data still passes through the Turtle’s memory and page cache, and the private key that unlocks the drop host lives on the Turtle. Restrict that key on the drop host’s side; a “from=” source restriction plus a forced “internal-sftp” command still leaves sshfs working, since sshfs only ever asks for the sftp subsystem.

To use this, you need to go to the modules and choose “configure” as you would for any module we’ve covered thus far.

The configuration takes a “Host,” a “Port,” a “User,” and a “Path” as options to be filled in. Since a “Password” is not among the options, you will need to do some preliminary work as well: generate an SSH key pair on the Turtle and add its public key to that user’s authorized_keys on the remote host, so the mount can authenticate without anyone typing anything. For the same reason the key cannot have a passphrase, which is one more argument for restricting it on the remote side.

The “Path” option can be left empty if you just want to mount the target user’s home directory (sshfs treats “user@host:” with no path as the home directory).

Once everything is configured, use “Start” to make sure it works, and “Enable” if you want it to persist, as usual. Confirm the mount from the Turtle’s shell with “mount” or by reading /proc/mounts; the entry should show the type “fuse.sshfs.”
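The same mount done by hand from the Turtle’s shell, plus a check that it actually landed. This is an added example for this post, not the module’s own script; it assumes a passphrase-less key at /root/.ssh/turtle_drop, a FUSE-capable client, and the hypothetical host, user and mount point used in the comments. The mount-table sample is constructed for the check, not real system output.

```shell
#!/bin/sh
# Added example: the sshfs mount the LAN Turtle module performs, done by hand,
# with a check that the mount is really there. Assumed key: /root/.ssh/turtle_drop.
#
# On the drop host, keep the key restricted (authorized_keys entry, key elided):
#   restrict,from="172.16.84.1",command="internal-sftp" ssh-ed25519 AAAA... turtle-drop

# Mount PATH on HOST as USER over PORT at MOUNTPOINT. An empty PATH means the
# user's home directory, exactly as the module's "Path" field does.
mount_remote() {
    host=$1; port=$2; user=$3; path=$4; mountpoint=$5
    mkdir -p "$mountpoint" || return 1
    # reconnect/ServerAlive* keep the mount alive across short network drops.
    sshfs -p "$port" \
        -o IdentityFile=/root/.ssh/turtle_drop \
        -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3 \
        "$user@$host:$path" "$mountpoint"
}

unmount_remote() {
    fusermount -u "$1" 2>/dev/null || umount "$1"
}

# Return 0 if MOUNTPOINT is an sshfs mount according to the mount table
# (default /proc/mounts; a file path may be given as $2 for testing).
# Mount points containing spaces appear as \040 in /proc/mounts.
is_sshfs_mounted() {
    awk -v m="$1" '$2 == m && $3 == "fuse.sshfs" { hit = 1 } END { exit !hit }' \
        "${2:-/proc/mounts}"
}

# Constructed /proc/mounts-style sample used to exercise is_sshfs_mounted.
sample_mounts() {
    cat <<'EOF'
/dev/root / squashfs ro,relatime 0 0
User_A@172.16.84.1:/srv/drop /mnt/drop fuse.sshfs rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime 0 0
EOF
}
```

Use “mount_remote 172.16.84.1 22 User_A "" /mnt/drop” for a home-directory mount, then “is_sshfs_mounted /mnt/drop” to confirm. The table check is what you would script into a watchdog: if the mount silently drops, the exfiltration tools start writing into the empty directory on the Turtle’s flash after all, which is exactly what the module is supposed to avoid.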

This module is quite nice considering the very limited storage on the LAN Turtle, so play with it. I think you’ll enjoy the benefits.

Thanks for reading!

SSH Start to Finish Architecture – Forced Commands

Last week, we covered SSH Key options that can restrict how a private key is used to connect to a server. One of those options was the “command=” option, which allows restricting the key to calling only one command, regardless of the command issued as part of the ssh connection attempt. There are actually several ways to enforce this.

You can use the public key “command=” option we already covered. You can also use the sshd_config “ForceCommand” directive, which applies the same restriction server-wide or, more usefully, to a subset of users via a “Match User” (or “Match Group”) block. It’s also the standard way to create an sftp-only account, so that the only thing the user can do is transfer files; pair it with “ChrootDirectory” if that user should not be able to browse the rest of the file system. The option looks like this, if that is your goal:

ForceCommand internal-sftp

The user’s shell needs to be a valid one for this to work, since the forced command is invoked as “shell -c command.” This means a shell of /bin/false or /sbin/nologin is a no go. The exception is “internal-sftp,” which sshd runs in-process without consulting the shell at all. Since you are forcing a command, this should be less of a problem, though.

Finally, there is also a way to force this command with ssh-keygen options when signing a key via the certificate authority system for OpenSSH, but we will go into more detail on that when we get to the CA stuff.

The sshd_config ForceCommand path does not run the user’s ~/.ssh/rc, so that is not a way around it. A key-level “command=” on its own does run ~/.ssh/rc, which is why last week’s entry also carried “no-user-rc” (or, on OpenSSH 7.2 and later, “restrict”); leave that out and the user can still get code run from their rc file. Two timing caveats as well. Key options in authorized_keys are evaluated when the connection authenticates, so a session multiplexed over an existing ControlMaster connection keeps whatever it was granted at that time and never sees options you add afterwards. And sshd reads sshd_config at start-up, so a ForceCommand change needs an sshd reload. In both cases, terminate that user’s existing SSH connections after tightening things, or the restriction is not yet in force for them.

A lot of people grumble about forced commands because they believe a separate key is needed for every command, but there is a way to handle that. When a forced command is in effect and the client asked for a remote command, sshd sets the environment variable SSH_ORIGINAL_COMMAND to the command line the client requested (the forced command itself is what actually runs). This means your forced command can be a wrapper script that inspects that variable: is the requested command line on our allow-list, or not? If not, log a rejection and exit. If so, log the call and execute it. The variable is unset when the user simply runs ssh without a remote command, so check for that case. Treat an unset or empty value as an attempt at an interactive session and handle it however you see fit; “log a rejection and terminate” is the safer default, because an interactive session cannot be restricted properly without a restricted shell, which may itself be escapable if misconfigured. Your own needs may vary. Be thorough in your design: match the whole requested line against exact entries (or a tight pattern) rather than looking for an approved word somewhere in it, reject shell metacharacters so the client cannot chain a second command onto an approved one, and execute the approved line without handing it back to a shell. Do that, and you should be fine.
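Here is one way to write such a wrapper, as an added example rather than anything from the original post. The allow-list, the script path and the Match user are assumptions; SSH_ORIGINAL_COMMAND and SSH_CLIENT are the variables sshd sets. The file dispatches only when run under its installed name, so it can be sourced to exercise check_command directly.

```shell
#!/bin/sh
# Added example: forced-command wrapper dispatching on SSH_ORIGINAL_COMMAND.
# Install as /usr/local/bin/ssh-restricted-command.sh and reference it from
# either an authorized_keys entry (key elided):
#   restrict,from="172.16.84.1",command="/usr/local/bin/ssh-restricted-command.sh" ssh-ed25519 AAAA... User_A@lanturtle
# or an sshd_config Match block (reload sshd afterwards):
#   Match User User_A
#       ForceCommand /usr/local/bin/ssh-restricted-command.sh

# Exact command lines the key holder may run, one per line (constructed allow-list).
ALLOWED='uptime
df -h
cat /var/log/app/latest.log'

# Write an accept/reject record to stderr (sshd relays it to the client)
# and, when a logger binary exists, to syslog as well.
log_event() {
    printf '%s %s user=%s from=%s cmd=[%s]\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "${USER:-?}" "${SSH_CLIENT%% *}" "$2" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -t ssh-restricted "$1 user=${USER:-?} from=${SSH_CLIENT%% *} cmd=[$2]" || :
    fi
}

# Return 0 only if $1 is byte-for-byte one of the allow-listed lines.
# The metacharacter and newline checks are defence in depth: the exact match decides.
check_command() {
    req=$1
    nl='
'
    [ -n "$req" ] || return 1                     # no command: an interactive login attempt
    case $req in
        *"$nl"*) return 1 ;;                       # multi-line requests are never legitimate
    esac
    if printf '%s' "$req" | grep -q '[;&|`$()<>\\]'; then
        return 1                                   # chaining/redirection/substitution attempt
    fi
    printf '%s\n' "$ALLOWED" | {
        while IFS= read -r allowed; do
            [ "$req" = "$allowed" ] && exit 0
        done
        exit 1
    }
}

run_forced() {
    if check_command "${SSH_ORIGINAL_COMMAND:-}"; then
        log_event ACCEPT "$SSH_ORIGINAL_COMMAND"
        # Split on whitespace only (globbing off); no shell re-parses the line.
        set -f
        set -- $SSH_ORIGINAL_COMMAND
        exec "$@"
    fi
    log_event REJECT "${SSH_ORIGINAL_COMMAND:-<interactive login>}"
    exit 1
}

# Dispatch only when run as the installed script, so the file can be sourced for tests.
case ${0##*/} in
    ssh-restricted-command.sh) run_forced ;;
esac
```

From the client side, “ssh User_A@host uptime” is accepted and “ssh User_A@host 'uptime; id'” is rejected and logged, as is a bare “ssh User_A@host”. Extending the allow-list to commands with variable arguments (rsync’s “--server” invocations, for instance) means switching from exact matches to a pattern, and that pattern deserves the same scrutiny as the original exact list.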

Thanks for reading!

Fun-Day Friday – Book Review and Recap of Week One of NaNoWriMo

So, before I get to the book review, I wanted to recap that November is National Novel Writing Month. I’ve written three full days thus far, and the word count comes out to:
Day 1 – 1804
Day 2 – 1924
Day 3 – 1683

Remember that the average minimum for each day is 1667 words, so I’m ahead of the curve, so far. Hopefully, I can keep up the momentum.

As for the book review, it’s really a set-of-books review. Last time I did one of these, I mentioned the Montague Portal series. I’ve read the rest of the books in the series, and I wanted to share my thoughts on them.

All of these books except the first one (already reviewed) follow a single person named Aidan Redding. She is a security officer for Montague Corporation, and she gets progressively better at her job as the stories progress.

In “Sticky Supersaturation” the premise is that the universe is a two dimensional space, so the laws of physics make everything sticky to the touch, tastes are bland, and so on. The lab gets overrun by some horny chipmunks that devour antimatter, and it all goes downhill from there. The antics are memorable, and the story takes a couple of twists before Redding saves the day. Again, my only complaint is that it was too short.

In “Forever Falls” the universe is literally on a cliff face with a never ending waterfall. Redding investigates the death of one of the researchers, ends up in some sky diving death defying situations, fights to survive, and gets her suspect in the end. Mostly because the suspect believed she was dead, and couldn’t handle himself when she showed up to announce his part in the murder. She only lost part of a hand for her efforts, though she also got a bit wind burned. This one is longer, labeled a “novella” and is almost just the right length for these kinds of stories.

In “Hydrogen Sleets” the universe is just like our own. The laws of physics are the same. The problem is, it’s right at the beginning of its birth, so most of the universe is composed of free floating hydrogen that hasn’t decided to form stars or other matter, yet. A space station is built for the research, and she gets a try at a political stint. As a liaison officer, she has to deal with both her boss from Montague, and the civilian Congolese workers on board. Politics play a big role in some of the tensions, but she manages to navigate her way through the issues without too much trouble. I mean, what’s a damaged hand (again) and almost getting crushed by super gravity, plus a nice jagged jab in the side among friends? Yeah, it went something like that. She gets sent back for medical leave (again) at the end, but gets compliments and reprimands in spades for her efforts. This was labeled a novel, and while short for one, it was pretty much the perfect length.

I hope more Montague Portal stories are forthcoming, because the concept is divine. I highly recommend all of these if you haven’t read them yet. I wonder if it would be too difficult to develop a tabletop RPG around the series. Hmm. Food for thought.

Hacker-Tool Hump-Day – OpenSSL

We’re skipping the LAN Turtle module that would have been showcased this week in favor of a short post. On the bright side, I got 1804 words written for my first day of NaNoWriMo 2016. On the less than shiny side, I’m on call this week at work, and I’m short on time for the Wednesday post. So let’s get to it.

Today’s topic is a tool that some people may not realize can be used in the same vein as telnet, netcat, and socat: connecting to ports and poking at whatever plain-text protocol sits behind them (HTTP or IRC, for example), except that here the port is wrapped in SSL/TLS. It can also be used to stand up a temporary SSL/TLS-enabled service for testing how clients behave, similarly to how a netcat listener might be used.

To test connectivity, use the “s_client” subcommand with the “-connect” flag. The argument to -connect is an IP or hostname and a port, separated by a colon. Add “-servername” with the hostname as well when the target serves more than one site from one address; that sends the SNI extension, and without it many servers hand back a default certificate rather than the one you wanted to inspect. For example:
openssl s_client -connect google.com:443

Once you connect, you will see the certificate chain, the subject and issuer of the leaf certificate, and a “Verify return code” line: 0 (ok) means the chain validated against the trust store openssl is using, and any other value (for example 10 for an expired certificate or 18 for a self-signed one) names the problem. It then sits and waits for you to type whatever the protocol expects, just as a telnet or netcat connection would; the TLS handshake and the encryption are handled for you. Redirect stdin from /dev/null when all you want is the handshake and certificate details in a script.

The listening option is the “s_server” subcommand with the “-accept” flag, which takes just a port number. The listener should be given a certificate and private key with “-cert” and “-key” (if the key sits in the same PEM file as the certificate, -cert alone suffices); for quick tests a self-signed pair from “openssl req -x509” is fine. You can set up a listener without a certificate using “-nocert,” but then only anonymous cipher suites can complete a handshake, which is kind of pointless. Adding “-www” makes the listener answer HTTP GETs with a status page, a handy way to confirm what a client negotiated.

Again, the primary focus of this for most people will be the s_client module, so that SSL enabled ports can be probed for banners and such. Alternatively, shell scripts can be written that call this in order to automate certain kinds of connections with intentionally malformed requests to test how the server behaves, or to pass known vulnerable requests to the server, and so on.

Of course, it can also be used to look at the server’s certificate and settings in case there is a weakness there, such as a weak cipher list: ask for a specific suite or protocol version with “-cipher” or with “-tls1,” “-tls1_1” and so on, and see whether the handshake completes. Perhaps the certificate is due to expire soon; “openssl x509 -checkend” on the retrieved certificate gives a yes/no answer. A man in the middle is easier to get away with in the window between a certificate expiring and being renewed, if the site owner lets it fully expire, because users have already learned to click past the warning. Possibilities are almost endless.
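The probing, the expiry check and the test listener from this post, collected into a few shell functions. This is an added example, not from the original post; probe_tls and offers_protocol need network access, while make_test_cert and cert_valid_beyond work on a local PEM file and the throwaway certificate they create is a constructed fixture, not anything deployed anywhere.

```shell
#!/bin/sh
# Added example: probing a TLS service with openssl(1) and checking the
# certificate it presents.

# Connect, then print the leaf certificate's subject, issuer and expiry along
# with the verify result and negotiated protocol/cipher. -servername sends SNI,
# without which many virtual-hosted sites return the wrong certificate.
probe_tls() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) || return 1
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
    printf '%s\n' "$out" | grep -E 'Verify return code|Protocol *:|Cipher *:'
}

# Return 0 if the server completes a handshake limited to one protocol flag
# (-tls1, -tls1_1, -tls1_2, -tls1_3), 1 if it refuses. A refusal may also mean
# your own openssl build no longer supports that version, so read the output once.
offers_protocol() {
    openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null >/dev/null 2>&1
}

# Return 0 if the PEM certificate in $1 is still valid $2 days from now
# (default 30), 1 if it expires inside that window. Use it as a renewal alarm.
cert_valid_beyond() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Create a throwaway self-signed key.pem/cert.pem in directory $1, valid $2
# days, for the listener below or for exercising cert_valid_beyond.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj /CN=localhost -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Stand up a TLS listener on port $1 with the certificate in directory $2 to
# watch how a client behaves; -www answers HTTP GETs with a status page.
tls_listener() {
    openssl s_server -accept "$1" -cert "$2/cert.pem" -key "$2/key.pem" -www
}
```

A typical session: “make_test_cert /tmp/tls 1; tls_listener 4433 /tmp/tls &” on one side, “probe_tls localhost 4433” on the other, which will report verify code 18 because the certificate is self-signed. The cert_valid_beyond check is the piece worth scheduling: run it against every certificate you serve, and the expiry window described above never opens.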

That’s all for now. Thanks for reading!

SSH Start to Finish Architecture – Public Key Options

Since we’ve introduced a few ways of doing tunneling, I thought now would be a good time to bring out some ways of restricting what a user can do in the event that they have access to a private key they shouldn’t.

We already talked about setting a passphrase on the private key, but there is still the chance that whoever took it guessed or brute-forced the passphrase, so let’s assume they have usable access to that private key. What options do we have for keeping things secure?

For starters, we can restrict which source IP addresses or DNS names a key may be used from. If we modify the public key entry in the authorized_keys file to include a “from” option before the key starts, we can give a list of IP addresses and hostnames we expect connections to originate from. A stolen key then only works from the user’s own workstation, for example, and not from wherever the attacker happens to be. One caveat: this is far less effective behind a source NAT, since everyone coming from a NATed VLAN or subnet looks like they are coming from the same place. Another: hostname patterns are matched against the reverse DNS name of the client, which sshd only looks up when “UseDNS yes” is set (the default is no in current OpenSSH), so in practice stick to IP addresses and CIDR ranges.

In order to set this directive, we will need to modify the public key by hand. It’s better to modify the public key before adding it to the authorized_keys file, but you can modify the authorized_keys file entry for this key, if you prefer.

To use this option, put “from=” with all of its values, comma separated inside double quotes, BEFORE the key starts. Each value is a pattern: “*” and “?” wildcards are allowed, CIDR notation such as 172.16.84.0/24 is accepted for addresses, and a leading “!” negates a pattern. An example of how this might look follows (AAAA stands in for the key itself):
from="172.16.84.1,lanturtle,lanturtle.mydomain" ssh-rsa AAAA User_A@lanturtle

Now, let’s assume you also want to prevent proxying with this key. In order to restrict that, we need to set several options:
no-X11-forwarding – Prevents forwarding X11 sessions back to an X server over the SSH connection.
no-port-forwarding – Prevents TCP forwarding in all its forms: -L, -R, -D and the stdio forwarding of “ssh -W,” which is a direct-tcpip channel under the hood. It does not cover tun(4) tunnels; those are governed by the server’s PermitTunnel setting and the “tunnel=” key option.
no-agent-forwarding – Prevents forwarding of the ssh-agent, which would otherwise let the remote host use the user’s other private keys.

To add these to the example above, we use a comma separated list of options like this:
from="172.16.84.1,lanturtle,lanturtle.mydomain",no-X11-forwarding,no-port-forwarding,no-agent-forwarding ssh-rsa AAAA User_A@lanturtle

We can further restrict this key so that it can only be used to run one specific command. Doing this ignores any command passed by the user upon connection (the requested command is still handed to the forced command in the SSH_ORIGINAL_COMMAND environment variable) and prevents the user from obtaining a login shell (unless that’s the forced command.) The option is:
command="/usr/local/bin/ssh-restricted-command.sh"
where /usr/local/bin/ssh-restricted-command.sh is whatever you actually want run. Added to our entry:
from="172.16.84.1,lanturtle,lanturtle.mydomain",no-X11-forwarding,no-port-forwarding,no-agent-forwarding,command="/usr/local/bin/ssh-restricted-command.sh" ssh-rsa AAAA User_A@lanturtle

Finally, if we want to be sure that there isn’t a land mine waiting in the user’s ~/.ssh/rc file, we can tell sshd not to run it with the following option (a key-level “command=” does not suppress ~/.ssh/rc by itself; only the sshd_config ForceCommand does):
no-user-rc
from="172.16.84.1,lanturtle,lanturtle.mydomain",no-X11-forwarding,no-port-forwarding,no-agent-forwarding,no-user-rc,command="/usr/local/bin/ssh-restricted-command.sh" ssh-rsa AAAA User_A@lanturtle
Two related options are worth knowing. “no-pty” denies allocation of a terminal, which most forced commands do not need and which makes an escaped restricted command a good deal less comfortable for an attacker. And OpenSSH 7.2 and later accept “restrict,” which turns on every one of these restrictions (port, agent and X11 forwarding, pty allocation and ~/.ssh/rc) in one word, after which you can re-enable individual capabilities with options such as “pty” or “port-forwarding.” Starting from “restrict” and opening up only what is needed is the safer direction, because restrictions added in later releases are then applied automatically.
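Once keys carry options, the next question is which keys in an existing file do not. The following audit is an added example for this post, not the blog’s own tooling; the authorized_keys sample it reads is constructed, with shortened placeholders where the key blobs would be.

```shell
#!/bin/sh
# Added example: report which restriction options each authorized_keys entry
# carries, so unrestricted keys stand out.

# Prints "<line> <restrictions|NONE> <comment>" for every key entry.
# sshd treats option names case-insensitively, so they are lower-cased first.
audit_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }
    {
        line = $0; opts = ","
        # An entry that carries options does not start with a key type.
        if ($1 !~ /^(ssh-|ecdsa-sha2-|sk-)/) {
            # Options end at the first space outside double quotes.
            inq = 0
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                if (c == "\"") inq = !inq
                else if (c == " " && !inq) break
            }
            opts = "," tolower(substr(line, 1, i - 1))
            line = substr(line, i + 1)
        }
        n = split(line, f, " ")
        comment = (n >= 3) ? f[3] : "-"
        found = ""
        if (opts ~ /,from=/)                    found = found "from,"
        if (opts ~ /,command=/)                 found = found "command,"
        if (opts ~ /,restrict(,|$)/)            found = found "restrict,"
        if (opts ~ /,no-port-forwarding(,|$)/)  found = found "no-port-forwarding,"
        if (opts ~ /,no-agent-forwarding(,|$)/) found = found "no-agent-forwarding,"
        if (opts ~ /,no-x11-forwarding(,|$)/)   found = found "no-X11-forwarding,"
        if (opts ~ /,no-pty(,|$)/)              found = found "no-pty,"
        if (opts ~ /,no-user-rc(,|$)/)          found = found "no-user-rc,"
        sub(/,$/, "", found)
        printf "%d %s %s\n", NR, (found == "" ? "NONE" : found), comment
    }' "$1"
}

# Number of keys carrying no restrictions at all.
unrestricted_key_count() {
    audit_authorized_keys "$1" | awk '$2 == "NONE" { n++ } END { print n + 0 }'
}

# Constructed sample file; the key blobs are shortened placeholders, not real keys.
write_sample_keys() {
    cat > "$1" <<'EOF'
# team keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 alice@laptop
from="172.16.84.1,lanturtle,lanturtle.mydomain" ssh-rsa AAAAB3NzaC1yc2E User_A@lanturtle
from="10.0.0.0/8",no-port-forwarding,no-pty,command="/usr/local/bin/backup.sh --quiet" ssh-rsa AAAAB3NzaC1yc2E backup@nas
restrict,command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 deploy@ci
EOF
}
```

Run “audit_authorized_keys ~/.ssh/authorized_keys” on a real file; each line of output names the file line, the restrictions found (or NONE) and the key comment, so a loop over every home directory on a host gives you the list of keys to go and fix. The parser honours quoted option values, which matters because a “from=” list or a “command=” path can contain the very commas and spaces a naive cut on whitespace would trip over.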

When we get into managing a certificate authority, you’ll find that these options can be set by ssh-keygen for certificates, but the option names are slightly different (on the signing command “-O no-port-forwarding” matches the key option, while “from” becomes “-O source-address=” and “command” becomes “-O force-command=”). ssh-keygen cannot bake these restrictions into a plain public/private key pair; they only exist in certificates. For ordinary keys, editing the authorized_keys entry by hand, as above, is the way to restrict them.

We will go into more detail about the forced command option (and setting one in sshd_config) next week.

Thanks for reading!

Fun-Day Friday – National Novel Writing Month (NaNoWriMo)

Since this is the last Friday before November gets here, I thought I should bring this up. November is “National Novel Writing Month.” That’s NaNoWriMo for short. I’ve attempted to participate in this event year after year, and always gotten sidetracked or overwhelmed before completing a novel. Except for last year. That’s the first year I’ve ever actually made it to the end and come out the other side with a finished first draft novel.

I’m considering making another attempt at it this year. In case some of you dear readers are also aware of this month and are chomping at the bit to take a stab at it, here’s what helped me last year.

1) I used a site called 750words.com to help me track my words per day. You should probably do something similar. It was the greatest factor in helping me finish. Remember that if you intend to write “the bare minimum every day” that comes out to an average of 1667 words each day.

2) I finally let go of perfectionism. You can’t “write” and “edit” at the same time. The goal is to just write. The months AFTER NaNoWriMo are for editing. What you write might be, (okay, let’s face it… probably WILL be) a turd, but you will have plenty of time to turn that crap into something useful (like fertilizer or compost) AFTER you produce it. Just focus on the writing, and don’t worry about mistakes.

3) If you’re struggling with plot, write a few random sentences in a note pad and let one of those give you a sudden change in direction for your plot. You don’t have to know the gory details, just the broad overview of where you want to go with the story. As long as you can keep a good pace (both writing, AND within the story itself,) things will work out in the end.

4) It’s hard. It will be tough to maintain the pace. That’s okay. Do it anyway. Stay up late, get up early, whatever you have to do to find some extra writing time, do it. BUT more importantly than this…

5) Write at the SAME time every day if you can. Setting a schedule for your writing forms habit. Habit leads to eventual success.

6) Finally, “have fun with it.” It’s okay that what you write may be terrible, but remember this: There are books with story lines that are almost guaranteed to be worse than your own, and people have paid to read them. (Just google “Thorfinn Viking Vampire” at some point, and look at the books that pop up.)

Hopefully, everyone will be feeling much much better by the end of this month, so that I can do this. If not, I may have to choose between NaNoWriMo and UnixSecLab. If I have to choose, the WriMo is going to lose.

Are you planning to try for NaNoWriMo this year? Leave a comment below, and keep us updated on your progress!

Hacker-Tool Hump-Day – LAN Turtle Modules – netcat-revshell

Since we’ve covered netcat in the past (briefly), this is a good module to jump in on for today.

This module creates an outbound netcat connection to a netcat listener that is already waiting on a remote host, and presents a shell over that connection. It almost sounds backwards (the shell lives on the Turtle, but the Turtle is the one dialing out), but here’s the set up.

Before you configure this module, you need a shell account on a target box that also has netcat installed. For my example, the box is OpenBSD based, so the “netcat” is “nc” and has all of the flags I care about by default. We’ll call this “Server_B” since you’re connecting to this as a target. The first step is to get the IP address of the server. An “ifconfig -a” shows all of the interfaces, or an nslookup of the domain name should get this for you. If it has multiple interfaces configured, you can check the routing tables with “netstat -nr” and look for the default gateway to figure out which IP belongs on that subnet. Whatever the case, the LAN Turtle needs to be able to talk to that same network from its ethernet jack.

For our purposes, we’ll assume the IP was 192.168.0.7.

We also need an available port. “netstat -an | grep LISTEN” will show the ports already taken. For this example, 8080 is free, so we’ll use it.

To set this up, run the following netcat command (OpenBSD syntax: -l listens, -k keeps listening after a client disconnects, -v reports each connection; GNU netcat and Nmap’s ncat spell these slightly differently):
nc -k -l -v 192.168.0.7 8080

Now switch to your LAN Turtle interface, and go to the Modules menu. Select the netcat-revshell module and go to “Configure” to toss the IP and PORT into the fields. After you back out, you can hit “Start” and you should see activity on the netcat listener you started on Server_B. In our example, we got this line:
Connection from 192.168.0.174 58624 received!

Remember that the listening netcat process was just presented a shell back into the LAN Turtle. You won’t see a prompt, because it’s not a proper login, so your environment isn’t set up. However, you should be able to type commands and get responses back. For example, “uname -a” returns this:
Linux turtle 3.10.49 #7 Thu Jul 16 05:05:51 PDT 2015 mips GNU/Linux

You can stop the reverse shell at any time from the Turtle, using the menu option. If you “Enable” this, it will make an attempt at creating that reverse shell on start up next time it is plugged in or rebooted. In other words, if you want this to persist, you’ll need to keep the netcat listener running on that target box all the time.

The benefit of having this is the speed and efficiency of getting a shell back into the Turtle from the LAN side of the interface. For example, if you plugged the Turtle into a USB power adapter but wanted to get into it for further configuration and work, you would want this module or one like it to present that shell for you. It’s not fancy, but it gets the job done. Remember what it is, though: an unauthenticated, unencrypted shell handed to whoever is listening at that IP and port. Anyone on that network who can answer on 192.168.0.7:8080 before you do, or who can capture the traffic, gets the same access, so use it on networks you control and disable it when you don’t need it.

The Hak5 LAN Turtle is a versatile tool for any hacker (or systems administrator) to have on hand.

SSH Start to Finish Architecture – Tunneling IP with TUN device

We’ve covered the various tunneling / proxy capabilities of OpenSSH for forwarding TCP and setting up port proxies, but the “-w” flag goes a level deeper and forwards IP traffic. It does this by creating a temporary “tun” device on each end for the life of the SSH connection, which can be configured like any other network interface with standard tools such as “ifconfig” or “ip.” There is post-connection set up that has to happen, including assigning addresses and modifying the route table, so treat this like a right and proper VPN solution. That’s what it is meant to be: a VPN built into the SSH client and server software. Two things to know before trying it: opening a tun device requires root (or the equivalent capability) on both ends, so the remote login is normally root with a key restricted to this one purpose, and the server has to have the “PermitTunnel” option set to a value other than “no,” which is the default. I will do a proper write up with lab and examples later.

The options are:
point-to-point – This allows a Layer 3 tunnel device to be configured.
ethernet – This allows a Layer 2 tunnel device to be configured.
yes – This allows either device type to be configured.

When connecting to the server, pass the “-w” flag with a local tun device ID, optionally followed by a colon and the remote tun device ID. If you give no remote ID, it defaults to “any,” which takes the next available device. You may also specify “any” for the local ID. The device type defaults to point-to-point; add “-o Tunnel=ethernet” if you want a layer 2 tap device instead.

The following example sets up a specific “tun0” on both the local and remote side.
ssh -w 0:0 User_B@Server_B

The following will set up a “tun” device using the next available ID on both the local and remote sides.
ssh -w any:any User_B@Server_B

The following will do the same as the example above, but saves 4 characters worth of typing.
ssh -w any User_B@Server_B

Just setting these up will not be sufficient. You will also need to configure the addresses and routes on both tun interfaces, enable IP forwarding on the server if the tunnel is meant to reach anything beyond the server itself, and adjust any host firewall rules, if you’re running one. The best explanation for this I’ve found is here:
Daemon Forums
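Until the lab write up, here is the skeleton of that post-connection set up as an added example (not from the original post or the linked thread). It assumes Linux with iproute2 on both ends, root on the client, a root login on the server, and the hypothetical addresses in the comments; use ifconfig and route on a BSD end. The sshd_config check reads a file you point it at, so it can be exercised on a constructed sample, and the sample configs used below are constructed for that purpose.

```shell
#!/bin/sh
# Added example: check the server's PermitTunnel setting and bring up a
# point-to-point (layer 3) tunnel with ssh -w.

# Print the effective top-level PermitTunnel value from an sshd_config file.
# sshd uses the first occurrence; settings inside Match blocks are ignored
# here, "Keyword=value" spelling is accepted, and the compiled-in default is "no".
# On a live server, "sshd -T | grep -i permittunnel" gives the same answer.
permit_tunnel_setting() {
    awk '
    { line = $0; sub(/[ \t]*=[ \t]*/, " ", line); split(line, w, " ") }
    tolower(w[1]) == "match" { inmatch = 1 }
    !inmatch && !seen && tolower(w[1]) == "permittunnel" { val = w[2]; seen = 1 }
    END { print (seen ? val : "no") }
    ' "$1"
}

# Client side: request tun device L locally and R remotely, number both ends
# of a /30, and route a far-side subnet through the tunnel.
# Assumed addresses: 10.254.0.1 (client) and 10.254.0.2 (server) on the tunnel,
# 192.168.50.0/24 behind the server (it must have net.ipv4.ip_forward=1 for that).
bring_up_tunnel() {
    server=$1; ltun=${2:-0}; rtun=${3:-0}
    lip=${4:-10.254.0.1}; rip=${5:-10.254.0.2}; far=${6:-192.168.50.0/24}
    # -f backgrounds after authentication, -N runs no remote command.
    ssh -f -N -w "$ltun:$rtun" "root@$server" || return 1
    ip addr add "$lip/30" dev "tun$ltun" && ip link set "tun$ltun" up || return 1
    # Configure the far end over an ordinary second session.
    ssh "root@$server" "ip addr add $rip/30 dev tun$rtun && ip link set tun$rtun up" || return 1
    ip route add "$far" via "$rip" dev "tun$ltun"
}
# Tearing down is just ending the backgrounded ssh process: the tun devices
# and their routes disappear with it.
```

Before touching the client, run “permit_tunnel_setting /etc/ssh/sshd_config” on the server; “no” means the “-w” request will be refused with “Server has rejected tunnel device forwarding” no matter what the client does. On the server, the root key used for the tunnel is a good candidate for last week’s options, in particular “no-pty,” “no-port-forwarding” and a “from=” list, since it does not need anything but the tunnel channel.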

When I do this as a lab exercise, I will show all of the detailed configuration for both the server set up, and the client set up. I feel like I half dropped the ball on this post for not having the lab set up already, but I think I got enough of the general overview across that this should help anyone interested in trying this out at least get started. We’re all still a little under the weather in the house, so a proper lab will have to wait, but I promise it will be done for this series before I am through.

Thanks for reading!

Fun-Day Friday – Guild Wars 2 Halloween content

I spent more time at home this week than at work, due to the heavy coughing fits from my sinuses being flared up. This has been a light week on the content, because of it. My apologies, again.

Last Tuesday, Guild Wars 2 released the Halloween content for this year. They added a track to the world vs. world rewards, brought back the labyrinth, clock tower, and other goodies from years past, and introduced a few new weapon skins. I was very much hoping for a return of some way to obtain the backpack items from the first year content, but maybe they’ll do that next year.

My wife doesn’t play this game often, but the Halloween and Wintersday content are both content we enjoy, so I’ll be spending some in game time with her.

Halloween is my favorite holiday of the year, so this content always gets me excited. Hopefully, I’ll feel better soon so I can enjoy it more than just a grumble and a hazy stare’s worth.

Is there a game you enjoy playing? Online, board, card, etc? Share in the comments!