Thursday, December 22, 2016


How to Designate an IP Address as Permitted Sender


If you have your own domain handling email, then chances are you may run into email issues.  It is extremely important that you properly designate your IP Address as a permitted sender.
First, let’s test to see if your domain is a permitted sender.
Log into your domain’s email account, brant@example.com let’s say.  Send an email to another email account that you have access to.  Just to name a few… gmail, Yahoo!, or Hotmail.
The important part is for you to view headers of this email, often referred to as “Show Full Headers”.
You will see something that looks like this, but note the SPF softfail error:
—- Original message —–
X-Received: by 10.224.25.8 with SMTP id x8mr31561868qab.77.1382465370255;
Tue, 22 Oct 2013 11:09:30 -0700 (PDT)
Return-Path: brant@example.com
Received: from my3.example.com (my3.example.com. [64.131.70.223])
by mx.google.com with ESMTPS id k5si10380639qen.50.2013.10.22.11.09.30
for send@domain.com
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 22 Oct 2013 11:09:30 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning  brant@example.com does not designate 64.131.70.223 as permitted sender) client-ip=64.131.70.223;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning brant@example.com does not designate 64.131.70.223 as permitted sender) smtp.mail=brant@example.com

If you see Received-SPF: pass in the header then you have nothing to worry about.  However, as you can see from above, I have a softfail issue.  You may also see some with “fail”.
The fix is actually pretty easy.  Login to your registrar where you registered the domain.  What we need to do is create a new TXT record and add that specific IP (64.131.70.223) as a permitted sender.
The record will look something like this:
TXT    example.com    “v=spf1 ip4:64.131.70.223 ~all”
Add this entry to your registrar and wait for the record to update across the web.  You can test your TXT / SPF entry with this handy tool.
A few things to note here:
  • Make sure you use the quotation marks around the whole thing.  (Do not just copy and paste from here because WordPress sometimes uses a different characters for quotes.)
  • The last part ~all designates a softfail for any non permitted senders.  Softfail basically means that you haven’t finalized your email settings yet.  These emails have a chance of getting through, even though they fail.
  • Once you send another test email and confirm that you PASS, change the ~all to -all.  This means that any emails not from your designated senders should fail.
Sounds great, but what happens when you use another email provider, like mailjet to send email on your behalf?
Your TXT entry will then look like this:
TXT    example.com    “v=spf1 ip4:64.131.70.223 include:spf.mailjet.com -all”
Setting up email can be a bit frustrating, so hopefully this helps speed things along.
Still confused?  You may also find Eric’s article on setting up SPF records useful.

Wednesday, December 21, 2016

AND LET'S WAIT

HARDWARE:


The chip powering these two new graphics cards, called the GTX 200 chip, is an absolute monster of a processor. Nvidia proudly proclaims that it’s the biggest processor TSMC (Nvidia’s primary chip fabrication partner) has ever built. It’s not just a clocked-up or expanded version of the G92 chip powering Nvidia’s most recent high-end cards, but a totally new architecture.

https://www.extremetech.com/gaming/82928-brute-force-nvidias-geforce-gtx-280-and-260/2

I've read this, in order to understand NTRU scheme, darlings


Can a proxy server cache SSL GETs? If not, would response body encryption suffice?





Capturing Packets in JavaScript with node_pcap

OK, I hear you. Capturing packets is hard and best left to kernel hackers, assembly language programmers, and black hat security researches. If you just want to make things for the web using node.js, why should you care?
Pulling packets off the network can show you what your computers are saying to each other without disrupting the flow of or changing any applications. Packet capture is a fantastic debugging tool that will remove a lot of the mystery from writing and running network programs. The point of node_pcap is to provide a good HTTP debugging tool and a framework for doing your own network analysis.
There are plenty of ways to do packet inspection these days, but none of them let you interact with your network traffic the way that node lets you write network programs: by writing a few event handlers in JavaScript. node_pcap not only let's you capture and process packets in JavaScript, but since it is built on node.js, data from the packets can be easily routed around to web browsers, databases, or whatever else you can think of.

Example

Here's an example of capturing packets and sending them back to a web browser using WebSocket:
If you still aren't convinced, check out how easy it is to write a simple "network grep" type of program using node_pcap:
example.js
var pcap = require("pcap"),
    pcap_session = pcap.createSession("", "tcp"),
    matcher = /safari/i;

console.log("Listening on " + pcap_session.device_name);

pcap_session.on('packet', function (raw_packet) {
    var packet = pcap.decode.packet(raw_packet),
        data = packet.link.ip.tcp.data;

    if (data && matcher.test(data.toString())) {
        console.log(pcap.print.packet(packet));
        console.log(data.toString());
    }
});
This program will look at all TCP packets that flow past the default network interface and run the regular expression matcher against the data section of the packet. If it matches, the data section will be printed.
Still not convinced? I understand. This packet business can be astonishingly low level compared to the abstractions you are comfortable working with. If this doesn't seem awesome yet, it probably won't until you actually need it. When you can't figure out what your program is doing by just adding log messages, come back and check out what packet capture can do for you.
node_pcap exposes packets as JavaScript objects, but it also comes with a few examples that are useful on their own. If you do nothing else, check out http_trace and simple_capture. Look at the source code and see how they work. It's really easy.

Installation

Anyway, if you are still here, let's get this sucker installed. The first thing you'll need is libpcap. If you are on OSX 10.6, you already have it. If you are on a Linux system that uses apt-get to install things, you can get it like this:
sudo apt-get install libpcap-dev
If you are on some other kind of system, I don't know the exact command to install libpcap-dev, but it is a very common library that's widely available.
Once you have libpcap and node, you just need npm. Install node_pcap with npm like this:
npm install pcap
This will install the pcap libraries and three executable.
If you want to hack on the code, and I encourage you to do so, use git to clone the repository on github:
git clone git://github.com/mranney/node_pcap.git
You'll still need to use npm to build and install the files where they need to go:
mjr:~/work/node_pcap$ npm install .
To verify that things are working, run:
sudo simple_capture
It should look something like this:
mjr:~$ sudo simple_capture
libpcap version 1.0.0
* en0 10.51.2.125/255.255.255.0
fw0 no address
en1 no address
lo0 127.0.0.1/255.0.0.0
00:1c:23:b9:e8:b5 -> ff:ff:ff:ff:ff:ff 10.51.2.10 ARP request 10.51.2.4
00:1e:c9:45:e8:30 -> ff:ff:ff:ff:ff:ff 10.51.2.1 ARP request 10.51.2.45
00:1a:92:c4:32:d1 -> ff:ff:ff:ff:ff:ff 10.51.2.179 ARP request 10.51.2.126
Your traffic might not be ARP requests, but some packets should be flowing, and you should see one line per packet.
Opening the capture interface on most operating systems requires root access, so most of the time that you run a program using node_pcap you'll need to use sudo.

http_trace

http_trace is a tool that distills the packets involved in an HTTP session into higher level events. There are command line options to adjust the output and select different requests. Here's a simple example of looking for any requests that have "favicon" in the URL and showing request and response headers:
To see the full list of options do:
http_trace --help
With no arguments, http_trace will listen on the default interface for any IPv4 TCP traffic on any port. If it finds HTTP on any TCP connection, it'll start decoding it. You might be surprised by how many HTTP connections your computer is making that you didn't know about, especially if you run OSX. Fire it up and see what you find.

Solving Problems

Here's why you need all of this. Let's say you have a node program that makes an outgoing connection, but the outgoing connection doesn't seem like it is working. This reason in this case is that a firewall rule is filtering the traffic. Here's how to detect it:
The --tcp-verbose option will expose events for TCP connection setup, close, and reset. It'll also let you know about SYN retries and packets retransmissions. SYN retry happens when a new TCP connection is getting set up, but the other side isn't responding. Retransmissions occur when packets are dropped by the network, and TCP on either end of the connection resends data that has already sent. If data is moving slowly, but you don't appear to be out of CPU, turn on --tcp-verbose and see if you are getting retransmissions or SYN retries. If so, you can blame the network and not your node program.
Another common case is when the data going over the network isn't quite the data you were expecting. Here's a simple example using curl from the command line. Let's say you wanted to send some JSON to your local CouchDB, but CouchDB keeps rejecting it.
mjr:~$ curl -X POST 'http://localhost:5984/test' -H "Content-Type: application/json" -d {"foo": "bar"}
{"error":"bad_request","reason":"invalid UTF-8 JSON"}
That looks like pretty well-formed JSON, so what's going on here? Run http_trace with the --bodies option to dump the request and response body. Since this is a connection to localhost, we need to explicitly listen on the loopback interface.
Here we can see that the request body was simply, "{foo:", which is clearly not valid JSON. The problem in this case is that the shell and curl couldn't figure out what part of the command line arguments to use for the POST body, and they got it wrong. This works if quoted properly:
mjr:~$ curl -X POST 'http://localhost:5984/test' -H "Content-Type: application/json" -d '{"foo": "bar"}'
{"ok":true,"id":"b4385e0de2e74df4cdbf21cf6c0009d0","rev":"1-4c6114c65e295552ab1019e2b046b10e"}

Understanding Higher Level Protocols

node_pcap can piece back together a TCP session from individual packets as long as it sees them all go by. It will emit events at TCP connection setup, teardown, and reset.
On top of TCP, it can decode HTTP and WebSocket messages, emitting events for request, response, upgrade, data, etc.
It looks sort of like this:
You set up node_pcap to capture the packets you want, and then you can work with the captured data in JavaScript at whatever level is the most useful.

Work in Progress

There are a lot of cases that node_pcap doesn't handle, and for these you'll need a more complete packet decoder like Wireshark. I'm trying to handle the common case of OSX/Linux, IPv4, TCP, HTTP, and WebSocket first, and then add support for other variants of the protocol stack.
If you like this kind of stuff and want to help expand the protocols that node_pcap understands, patches are certainly welcome.
I hope this software is useful and fun. Thanks for reading.



Monday, December 19, 2016

STARTING SERIOUSE...

part I

Load Balancing with Policy-Based Routing Configuration Example

Use Case: A customer has two lines, one is a cable link and another is a DSL link. The majority of traffic goes through the cable link since it has larger bandwidth, and the rest traffic goes through the DSL link. As lots of secure websites (such as bank, or online shopping) are sensitive to flip flop the source IP address, let traffic for https, ftp, video, and game go through the cable link.
Solution: Complete the following configuration tasks:
 • Configure a configurable port as the secondary WAN (WAN2). See Configure a secondary WAN.
 • Connect the cable modem to the primary WAN port (WAN1) and connect the DSL modem to the secondary WAN port (WAN2).
 • Enable the Weighted Dual WAN Settings and set the weighted value of WAN1 to 80% and the weighted value of WAN2 to 20%. See Dual WAN Settings.
 • Enable the Policy-Based Routing feature and configure the Policy-Based Routing rules so that traffic for HTTPS, FTP, video, and game is directed to WAN1. See Configuring Policy-Based Routing.
 • (Optional) Enable the Usage reports and the WAN Bandwidth reports so that you can view the network bandwidth usage. See Usage Reports, page 73 and WAN Bandwidth Reports, page 75.



Part II


  1. Configure the Open vSwitch agent. Add the following to /etc/neutron/plugins/ml2/ml2_conf.ini:
    [ovs]
    local_ip = TUNNEL_INTERFACE_IP_ADDRESS
    bridge_mappings = external:br-ex
    
    [agent]
    enable_distributed_routing = True
    tunnel_types = vxlan
    l2_population = True
    
    [securitygroup]
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    
    Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles VXLAN project networks.
  2. Configure the L3 agent. Add the following to /etc/neutron/l3_agent.ini:
    [DEFAULT]
    ha_vrrp_auth_password = password
    interface_driver = openvswitch
    external_network_bridge =
    agent_mode = dvr_snat
    


    Note
    The external_network_bridge option intentionally contains no value.
part III

The stroke tool allows changes to the loglevel while the daemon is running, e.g.:
# ipsec stroke loglevel ike 2
To disable logging with -1, argument parsing in stroke has to be terminated first, e.g.:
# ipsec stroke loglevel ike -- -1

Friday, December 16, 2016

Hillary's Emails - Forensics 500

We suspect Hillary has been smuggling her emails over the border using some kind of underground passageway. Find out where she's hiding them and what secrets they contain
NOTE: alternate snapshot link here
All you're given at the start of this challenge is a pcap This challenge can be split up into 3ish parts

Part 1 - DNS Tunnel

"underground passageway" cough tunnel
The first part is dealing with the DNS traffic that makes up 99% of the pcap. Some quick googling should bring up a common tool used for DNS tunneling called iodine. Though not 100% necessary, one thing you can do here (thx cyberseed) is find out where the iodined server is running. You can see hillary.clinton.io everywhere in the pcap, so to find the server, do:
$ dig hillary.clinton.io +trace

; <<>> DiG 9.10.3-P4-Ubuntu <<>> hillary.clinton.io +trace
;; global options: +cmd
.                       12935   IN      NS      a.root-servers.net.
.                       12935   IN      NS      b.root-servers.net.
...
[REDACTED]
...

hillary.clinton.io.     3600    IN      NS      email.clinton.io. # <<<<<<<<< RIGHT HERE
;; Received 83 bytes from 69.197.18.162#53(ns3.afraid.org) in 81 ms

;; connection timed out; no servers could be reached
So now we know the server is running at email.clinton.io, and you can nslookup that to find its IP at 45.55.178.79. Will come back to this later.
The goal right now is to decrypt the traffic so you can see what Hillary was doing. There's probably other ways to do that, but just googling it brings you to this ctf writeup by StalkR, which gets you most of the way there.
Note though that the script from that blog post had two issues with it:
  • If there were any packets it failed to decompress, it would just quit (like 20 packets in)
    • Easy workaround, when it fails, just discard whatever it tried to decompress and keep going
  • There were a ton of Popens for things that could be done in python, so I went ahead and made it so there were no Popens. This is by no means necessary, but it really speeds things up
And of course you had to change the tld it looks for .hillary.clinton.io., which is all over the pcap.
Final script in sol/extract_dns.py, output:
$ ./extract_dns.py
Successfully extracted 32502 packets into extracted.pcap

Part 2 - Decrypted Traffic

Now that you've gotten a pcap out of that pcap, you can find out what hillary was doing! This new pcap contains a bunch of attempts at logging into Hillary's private server. Most of them are random failures, like:
login: clinton
password: +vwF~-HM]
ACCESS DENIED!
And there are a couple of successes in there too:
login: Jeb
password: !
Welcome, Jeb
Another thing you'll notice is the obviously suspicious IP/port that all of these are connecting to. And by suspicious I mean that's the IP we found before for email.clinton.io. So you can try connecting to it:
$ nc email.clinton.io 9999

+-----------------------------+
|       !!! WARNING !!!       |
| SYSTEM HAS BEEN LOCKED DOWN |
|     NON-ADMIN USERS ARE     |
|        NOW  DISABLED        |
+-----------------------------+

login: aaa
password: aaa
aaa is not an admin!
Ok, so now we know that we need to find an admin login/pass. Looking back at all the login attempts, there were only 4 different usernames that were attempted, you could try all those out with a random password:
$ nc email.clinton.io 9999
login: trump
password: aaa
trump is not an admin!

$ nc email.clinton.io 9999
login: Jeb
password: aaa
Jeb is not an admin!

$ nc email.clinton.io 9999
login: bernie
password: aaa
bernie is not an admin!

$ nc email.clinton.io 9999
login: clinton
password: aaa
ACCESS DENIED!
So clinton is the admin (are you surprised?), but now we need the password. This is pretty easy as soon as you notice any of the successful logins in the pcap, they all contain something like Welcome, user, so just search Welcome, clinton in wireshark, and you'll come across this stream:
login: clinton
password: IAmGoingToBeTheNextPresidentAndIWillDestroyTrump
Welcome, clinton
Now, to access your emails, enter the SUPER SECRET PASSWORD: uhhh....China?
+-------------------------+
|!!! INTRUDER DETECTED !!!|
|     THE EMAILS HAVE     |
|    BEEN  COMPROMISED    |
|  !!! WIPING DRIVES !!!  |
|  !!! WIPING DRIVES !!!  |
|  !!! WIPING DRIVES !!!  |
|!!! ENTERING LOCKDOWN !!!|
+-------------------------+
Great, so now login:
$ nc email.clinton.io 9999
+-----------------------------+
|       !!! WARNING !!!       |
| SYSTEM HAS BEEN LOCKED DOWN |
|     NON-ADMIN USERS ARE     |
|        NOW  DISABLED        |
+-----------------------------+

login: clinton
password: IAmGoingToBeTheNextPresidentAndIWillDestroyTrump
Welcome, clinton
+-----------------------------+
|       !!! WARNING !!!       |
|   EMAILS HAVE  BEEN WIPED   |
| A SYSTEM SNAPSHOT WAS TAKEN |
|     BEFORE THE INCIDENT     |
|                             |
| =========================== |
|       PRESS  ENTER TO       |
|        DUMP SNAPSHOT        |
+-----------------------------+

NOTE: due to connection issues with dumping the snapshot, this part was updated:

$ nc email.clinton.io 9999
+-----------------------------+
|       !!! WARNING !!!       |
| SYSTEM HAS BEEN LOCKED DOWN |
|     NON-ADMIN USERS ARE     |
|        NOW  DISABLED        |
+-----------------------------+

login: clinton
password: IAmGoingToBeTheNextPresidentAndIWillDestroyTrump
Welcome, clinton
+-----------------------------+
|       !!! WARNING !!!       |
|   EMAILS HAVE  BEEN WIPED   |
| A SYSTEM SNAPSHOT WAS TAKEN |
|     BEFORE THE INCIDENT     |
+-----------------------------+



Download the snapshot from http://email.clinton.io/[admin username]/[admin pass]/snapshot
$ wget http://email.clinton.io/clinton/IAmGoingToBeTheNextPresidentAndIWillDestroyTrump/snapshot

Step 3 - The Emails

So now you'll have a file that file says is a Microsoft Outlook email folder (>=2003). Look this up, and you'll find this is a type of MS Outlook archive (PST file). Now you could use one of those crap freeware pst viewers, but they're all a pain and can't even sort properly. A better approach would be either
  1. Actually load it into outlook, probably the easiest way to sift through these. Oh did I mention there were a lot? Yeahhh there's like 24,000
  2. There's an alternative library called Redemption that you can use to read the emails using any language that can use windows COM libraries (It does seem to be geared more toward visual studio languages though).
(I also hear readpst can be used here, buuuut ¯\(ツ)/¯) My solution uses the latter. Basically the steps to figuring this part out are:
  • Sort and/or scroll through the emails a bit. There may be a lot of them, but with sorting it won't be long before you come across some suspicious emails from the address cl1nt0nm4il3r@gmail.com. There's your first filter, and now you're down to 33 emails.
  • 33? Seems awfully flag lengthy doesn't it? At this point you might start looking through the metadata for these emails.
  • One field will seem immediately out of place: the creation/sent on date. They all seem to be random dates in the future, but if you look at only the years:
    (in no particular order (yet...))
    2097, 2084, 2048, 2123, 2102, 2049, ...
    
    If you just ignore the 2's, you'll notice these are just ascii! :OOO
    97, 84, 48, 123, 102, 49, ...
    'a', 'T', '0', '{', 'f', '1', ...
    
  • So what order do these need to be in? What else is in the email metadata that could be useful to sort by...the delivery date! They are all within a couple of days of each other, so the plan is to sort by those, and then hopefully get a flag out of the creation dates.
Here's my solution using Redemption:
using System;
using System.IO;
using System.Linq;
using Redemption;

namespace Solution {
    class Solve {
        static void Main(string[] args) {
            string path = Path.GetFullPath(@"..\..\..\snapshot.pst");

            // Load the PST
            RDOSession session = new RDOSession();
            session.LogonPstStore(path);

            // Grab everything in the inbox
            RDOItems inbox = session.GetFolderFromPath("PRIVATE INBOX").Items;

            // Filter out all emails from the flag mailer
            RDOItems spoofed = inbox.Restrict("[SenderEmailAddress]='cl1nt0nm4il3r@gmail.com'");

            // The flag is hidden in the send date (year),
            // sorted by the delivery date
            string flag = string.Concat(spoofed.OfType()
                                               .OrderBy(m => m.ReceivedTime) // Sort by delivery date
                                               .Select(m => m.SentOn.Year - 2000) // Get the flag ordinal values
                                               .Select(c => (char) c)); // Convert to char
            Console.Out.WriteLine(flag);
        }
    }
}
And then this finally prints out the flag:
flag{w1k1L3ak5_g0T_n0tH1ng_0n_m3}
https://github.com/RPISEC/HackTheVote/tree/master/forensics/hc_emails/sol