Saturday, December 31, 2016
Thursday, December 29, 2016
Tuesday, December 27, 2016
Sunday, December 25, 2016
Saturday, December 24, 2016
Thursday, December 22, 2016
How to Designate an IP Address as Permitted Sender
If you have your own domain handling email, then chances are you may run into email issues. It is extremely important that you properly designate your IP Address as a permitted sender.
First, let’s test to see if your domain is a permitted sender.
Log into your domain’s email account, brant@example.com let’s say. Send an email to another email account that you have access to. Just to name a few… gmail, Yahoo!, or Hotmail.
The important part is for you to view headers of this email, often referred to as “Show Full Headers”.
You will see something that looks like this, but note the SPF softfail error:
—- Original message —–
X-Received: by 10.224.25.8 with SMTP id x8mr31561868qab.77.1382465370255;
Tue, 22 Oct 2013 11:09:30 -0700 (PDT)
Return-Path: brant@example.com
Received: from my3.example.com (my3.example.com. [64.131.70.223])
by mx.google.com with ESMTPS id k5si10380639qen.50.2013.10.22.11.09.30
for send@domain.com
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 22 Oct 2013 11:09:30 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning brant@example.com does not designate 64.131.70.223 as permitted sender) client-ip=64.131.70.223;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning brant@example.com does not designate 64.131.70.223 as permitted sender) smtp.mail=brant@example.com
Tue, 22 Oct 2013 11:09:30 -0700 (PDT)
Return-Path: brant@example.com
Received: from my3.example.com (my3.example.com. [64.131.70.223])
by mx.google.com with ESMTPS id k5si10380639qen.50.2013.10.22.11.09.30
for send@domain.com
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 22 Oct 2013 11:09:30 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning brant@example.com does not designate 64.131.70.223 as permitted sender) client-ip=64.131.70.223;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning brant@example.com does not designate 64.131.70.223 as permitted sender) smtp.mail=brant@example.com
If you see Received-SPF: pass in the header then you have nothing to worry about. However, as you can see from above, I have a softfail issue. You may also see some with “fail”.
The fix is actually pretty easy. Login to your registrar where you registered the domain. What we need to do is create a new TXT record and add that specific IP (64.131.70.223) as a permitted sender.
The record will look something like this:
TXT example.com “v=spf1 ip4:64.131.70.223 ~all”
Add this entry to your registrar and wait for the record to update across the web. You can test your TXT / SPF entry with this handy tool.
A few things to note here:
- Make sure you use the quotation marks around the whole thing. (Do not just copy and paste from here because WordPress sometimes uses a different characters for quotes.)
- The last part ~all designates a softfail for any non permitted senders. Softfail basically means that you haven’t finalized your email settings yet. These emails have a chance of getting through, even though they fail.
- Once you send another test email and confirm that you PASS, change the ~all to -all. This means that any emails not from your designated senders should fail.
Sounds great, but what happens when you use another email provider, like mailjet to send email on your behalf?
Your TXT entry will then look like this:
TXT example.com “v=spf1 ip4:64.131.70.223 include:spf.mailjet.com -all”
Setting up email can be a bit frustrating, so hopefully this helps speed things along.
Still confused? You may also find Eric’s article on setting up SPF records useful.
Wednesday, December 21, 2016
AND LET'S WAIT
HARDWARE:
The chip powering these two new graphics cards, called the GTX 200 chip, is an absolute monster of a processor. Nvidia proudly proclaims that it’s the biggest processor TSMC (Nvidia’s primary chip fabrication partner) has ever built. It’s not just a clocked-up or expanded version of the G92 chip powering Nvidia’s most recent high-end cards, but a totally new architecture.
https://www.extremetech.com/gaming/82928-brute-force-nvidias-geforce-gtx-280-and-260/2
I've read this, in order to understand NTRU scheme, darlings
The chip powering these two new graphics cards, called the GTX 200 chip, is an absolute monster of a processor. Nvidia proudly proclaims that it’s the biggest processor TSMC (Nvidia’s primary chip fabrication partner) has ever built. It’s not just a clocked-up or expanded version of the G92 chip powering Nvidia’s most recent high-end cards, but a totally new architecture.
https://www.extremetech.com/gaming/82928-brute-force-nvidias-geforce-gtx-280-and-260/2
I've read this, in order to understand NTRU scheme, darlings
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Capturing Packets in JavaScript with node_pcap
OK, I hear you. Capturing packets is hard and best left to kernel hackers, assembly language programmers, and black hat security researches. If you just want to make things for the web using node.js, why should you care?
Pulling packets off the network can show you what your computers are saying to each other without disrupting the flow of or changing any applications. Packet capture is a fantastic debugging tool that will remove a lot of the mystery from writing and running network programs. The point of
node_pcap
is to provide a good HTTP debugging tool and a framework for doing your own network analysis.
There are plenty of ways to do packet inspection these days, but none of them let you interact with your network traffic the way that node lets you write network programs: by writing a few event handlers in JavaScript.
node_pcap
not only let's you capture and process packets in JavaScript, but since it is built on node.js, data from the packets can be easily routed around to web browsers, databases, or whatever else you can think of.Example
Here's an example of capturing packets and sending them back to a web browser using WebSocket:
If you still aren't convinced, check out how easy it is to write a simple "network grep" type of program using
node_pcap
:
example.js
var pcap = require("pcap"),
pcap_session = pcap.createSession("", "tcp"),
matcher = /safari/i;
console.log("Listening on " + pcap_session.device_name);
pcap_session.on('packet', function (raw_packet) {
var packet = pcap.decode.packet(raw_packet),
data = packet.link.ip.tcp.data;
if (data && matcher.test(data.toString())) {
console.log(pcap.print.packet(packet));
console.log(data.toString());
}
});
This program will look at all TCP packets that flow past the default network interface and run the regular expression
matcher
against the data section of the packet. If it matches, the data section will be printed.
Still not convinced? I understand. This packet business can be astonishingly low level compared to the abstractions you are comfortable working with. If this doesn't seem awesome yet, it probably won't until you actually need it. When you can't figure out what your program is doing by just adding log messages, come back and check out what packet capture can do for you.
node_pcap
exposes packets as JavaScript objects, but it also comes with a few examples that are useful on their own. If you do nothing else, check out http_trace
and simple_capture
. Look at the source code and see how they work. It's really easy.Installation
Anyway, if you are still here, let's get this sucker installed. The first thing you'll need is
libpcap
. If you are on OSX 10.6, you already have it. If you are on a Linux system that uses apt-get
to install things, you can get it like this:sudo apt-get install libpcap-dev
If you are on some other kind of system, I don't know the exact command to install
libpcap-dev
, but it is a very common library that's widely available.
Once you have
libpcap
and node, you just need npm
. Install node_pcap
with npm
like this:npm install pcap
This will install the pcap libraries and three executable.
If you want to hack on the code, and I encourage you to do so, use
git
to clone the repository on github:git clone git://github.com/mranney/node_pcap.git
You'll still need to use
npm
to build and install the files where they need to go:mjr:~/work/node_pcap$ npm install .
To verify that things are working, run:
sudo simple_capture
It should look something like this:
mjr:~$ sudo simple_capture
libpcap version 1.0.0
* en0 10.51.2.125/255.255.255.0
fw0 no address
en1 no address
lo0 127.0.0.1/255.0.0.0
00:1c:23:b9:e8:b5 -> ff:ff:ff:ff:ff:ff 10.51.2.10 ARP request 10.51.2.4
00:1e:c9:45:e8:30 -> ff:ff:ff:ff:ff:ff 10.51.2.1 ARP request 10.51.2.45
00:1a:92:c4:32:d1 -> ff:ff:ff:ff:ff:ff 10.51.2.179 ARP request 10.51.2.126
Your traffic might not be ARP requests, but some packets should be flowing, and you should see one line per packet.
Opening the capture interface on most operating systems requires root access, so most of the time that you run a program using
node_pcap
you'll need to use sudo.http_trace
http_trace
is a tool that distills the packets involved in an HTTP session into higher level events. There are command line options to adjust the output and select different requests. Here's a simple example of looking for any requests that have "favicon" in the URL and showing request and response headers:
To see the full list of options do:
http_trace --help
With no arguments,
http_trace
will listen on the default interface for any IPv4 TCP traffic on any port. If it finds HTTP on any TCP connection, it'll start decoding it. You might be surprised by how many HTTP connections your computer is making that you didn't know about, especially if you run OSX. Fire it up and see what you find.Solving Problems
Here's why you need all of this. Let's say you have a node program that makes an outgoing connection, but the outgoing connection doesn't seem like it is working. This reason in this case is that a firewall rule is filtering the traffic. Here's how to detect it:
The
--tcp-verbose
option will expose events for TCP connection setup, close, and reset. It'll also let you know about SYN retries and packets retransmissions. SYN retry happens when a new TCP connection is getting set up, but the other side isn't responding. Retransmissions occur when packets are dropped by the network, and TCP on either end of the connection resends data that has already sent. If data is moving slowly, but you don't appear to be out of CPU, turn on --tcp-verbose
and see if you are getting retransmissions or SYN retries. If so, you can blame the network and not your node program.
Another common case is when the data going over the network isn't quite the data you were expecting. Here's a simple example using curl from the command line. Let's say you wanted to send some JSON to your local CouchDB, but CouchDB keeps rejecting it.
mjr:~$ curl -X POST 'http://localhost:5984/test' -H "Content-Type: application/json" -d {"foo": "bar"}
{"error":"bad_request","reason":"invalid UTF-8 JSON"}
That looks like pretty well-formed JSON, so what's going on here? Run
http_trace
with the --bodies option to dump the request and response body. Since this is a connection to localhost
, we need to explicitly listen on the loopback interface.
Here we can see that the request body was simply, "{foo:", which is clearly not valid JSON. The problem in this case is that the shell and curl couldn't figure out what part of the command line arguments to use for the POST body, and they got it wrong. This works if quoted properly:
mjr:~$ curl -X POST 'http://localhost:5984/test' -H "Content-Type: application/json" -d '{"foo": "bar"}'
{"ok":true,"id":"b4385e0de2e74df4cdbf21cf6c0009d0","rev":"1-4c6114c65e295552ab1019e2b046b10e"}
Understanding Higher Level Protocols
node_pcap
can piece back together a TCP session from individual packets as long as it sees them all go by. It will emit events at TCP connection setup, teardown, and reset.
On top of TCP, it can decode HTTP and WebSocket messages, emitting events for request, response, upgrade, data, etc.
It looks sort of like this:
You set up
node_pcap
to capture the packets you want, and then you can work with the captured data in JavaScript at whatever level is the most useful.Work in Progress
There are a lot of cases that
node_pcap
doesn't handle, and for these you'll need a more complete packet decoder like Wireshark. I'm trying to handle the common case of OSX/Linux, IPv4, TCP, HTTP, and WebSocket first, and then add support for other variants of the protocol stack.
If you like this kind of stuff and want to help expand the protocols that node_pcap understands, patches are certainly welcome.
I hope this software is useful and fun. Thanks for reading.
Monday, December 19, 2016
STARTING SERIOUSE...
part I
Load Balancing with Policy-Based Routing Configuration Example
Use Case: A customer has two lines, one is a cable link and another is a DSL link. The majority of traffic goes through the cable link since it has larger bandwidth, and the rest traffic goes through the DSL link. As lots of secure websites (such as bank, or online shopping) are sensitive to flip flop the source IP address, let traffic for https, ftp, video, and game go through the cable link.
• Configure a configurable port as the secondary WAN (WAN2). See Configure a secondary WAN.
• Connect the cable modem to the primary WAN port (WAN1) and connect the DSL modem to the secondary WAN port (WAN2).
• Enable the Weighted Dual WAN Settings and set the weighted value of WAN1 to 80% and the weighted value of WAN2 to 20%. See Dual WAN Settings.
• Enable the Policy-Based Routing feature and configure the Policy-Based Routing rules so that traffic for HTTPS, FTP, video, and game is directed to WAN1. See Configuring Policy-Based Routing.
• (Optional) Enable the Usage reports and the WAN Bandwidth reports so that you can view the network bandwidth usage. See Usage Reports, page 73 and WAN Bandwidth Reports, page 75.
Part II
- Configure the Open vSwitch agent. Add the following to /etc/neutron/plugins/ml2/ml2_conf.ini:
[ovs] local_ip = TUNNEL_INTERFACE_IP_ADDRESS bridge_mappings = external:br-ex [agent] enable_distributed_routing = True tunnel_types = vxlan l2_population = True [securitygroup] firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles VXLAN project networks. - Configure the L3 agent. Add the following to /etc/neutron/l3_agent.ini:
[DEFAULT] ha_vrrp_auth_password = password interface_driver = openvswitch external_network_bridge = agent_mode = dvr_snat
The external_network_bridge option intentionally contains no value.
part III
The stroke tool allows changes to the loglevel while the daemon is running, e.g.:
# ipsec stroke loglevel ike 2
To disable logging with
-1
, argument parsing in stroke has to be terminated first, e.g.:# ipsec stroke loglevel ike -- -1
Sunday, December 18, 2016
Friday, December 16, 2016
Hillary's Emails - Forensics 500
We suspect Hillary has been smuggling her emails over the border using some kind of underground passageway. Find out where she's hiding them and what secrets they contain
NOTE: alternate snapshot link here
All you're given at the start of this challenge is a pcap This challenge can be split up into 3ish parts
Part 1 - DNS Tunnel
"underground passageway" cough tunnel
The first part is dealing with the DNS traffic that makes up 99% of the pcap. Some quick googling should bring up a common tool used for DNS tunneling called
iodine
. Though not 100% necessary, one thing you can do here (thx cyberseed) is find out where the iodined
server is running. You can see hillary.clinton.io
everywhere in the pcap, so to find the server, do:$ dig hillary.clinton.io +trace
; <<>> DiG 9.10.3-P4-Ubuntu <<>> hillary.clinton.io +trace
;; global options: +cmd
. 12935 IN NS a.root-servers.net.
. 12935 IN NS b.root-servers.net.
...
[REDACTED]
...
hillary.clinton.io. 3600 IN NS email.clinton.io. # <<<<<<<<< RIGHT HERE
;; Received 83 bytes from 69.197.18.162#53(ns3.afraid.org) in 81 ms
;; connection timed out; no servers could be reached
So now we know the server is running at
email.clinton.io
, and you can nslookup
that to find its IP at 45.55.178.79
. Will come back to this later.
The goal right now is to decrypt the traffic so you can see what Hillary was doing. There's probably other ways to do that, but just googling it brings you to this ctf writeup by StalkR, which gets you most of the way there.
Note though that the script from that blog post had two issues with it:
- If there were any packets it failed to decompress, it would just quit (like 20 packets in)
- Easy workaround, when it fails, just discard whatever it tried to decompress and keep going
- There were a ton of
Popen
s for things that could be done in python, so I went ahead and made it so there were noPopen
s. This is by no means necessary, but it really speeds things up
And of course you had to change the tld it looks for
.hillary.clinton.io.
, which is all over the pcap.
Final script in
sol/extract_dns.py
, output:$ ./extract_dns.py
Successfully extracted 32502 packets into extracted.pcap
Part 2 - Decrypted Traffic
Now that you've gotten a pcap out of that pcap, you can find out what hillary was doing! This new pcap contains a bunch of attempts at logging into Hillary's private server. Most of them are random failures, like:
login: clinton
password: +vwF~-HM]
ACCESS DENIED!
And there are a couple of successes in there too:
login: Jeb
password: !
Welcome, Jeb
Another thing you'll notice is the obviously suspicious IP/port that all of these are connecting to. And by suspicious I mean that's the IP we found before for
email.clinton.io
. So you can try connecting to it:$ nc email.clinton.io 9999
+-----------------------------+
| !!! WARNING !!! |
| SYSTEM HAS BEEN LOCKED DOWN |
| NON-ADMIN USERS ARE |
| NOW DISABLED |
+-----------------------------+
login: aaa
password: aaa
aaa is not an admin!
Ok, so now we know that we need to find an admin login/pass. Looking back at all the login attempts, there were only 4 different usernames that were attempted, you could try all those out with a random password:
$ nc email.clinton.io 9999
login: trump
password: aaa
trump is not an admin!
$ nc email.clinton.io 9999
login: Jeb
password: aaa
Jeb is not an admin!
$ nc email.clinton.io 9999
login: bernie
password: aaa
bernie is not an admin!
$ nc email.clinton.io 9999
login: clinton
password: aaa
ACCESS DENIED!
So
clinton
is the admin (are you surprised?), but now we need the password. This is pretty easy as soon as you notice any of the successful logins in the pcap, they all contain something like Welcome, user
, so just search Welcome, clinton
in wireshark, and you'll come across this stream:login: clinton
password: IAmGoingToBeTheNextPresidentAndIWillDestroyTrump
Welcome, clinton
Now, to access your emails, enter the SUPER SECRET PASSWORD: uhhh....China?
+-------------------------+
|!!! INTRUDER DETECTED !!!|
| THE EMAILS HAVE |
| BEEN COMPROMISED |
| !!! WIPING DRIVES !!! |
| !!! WIPING DRIVES !!! |
| !!! WIPING DRIVES !!! |
|!!! ENTERING LOCKDOWN !!!|
+-------------------------+
Great, so now login:
$ nc email.clinton.io 9999
+-----------------------------+
| !!! WARNING !!! |
| SYSTEM HAS BEEN LOCKED DOWN |
| NON-ADMIN USERS ARE |
| NOW DISABLED |
+-----------------------------+
login: clinton
password: IAmGoingToBeTheNextPresidentAndIWillDestroyTrump
Welcome, clinton
+-----------------------------+
| !!! WARNING !!! |
| EMAILS HAVE BEEN WIPED |
| A SYSTEM SNAPSHOT WAS TAKEN |
| BEFORE THE INCIDENT |
| |
| =========================== |
| PRESS ENTER TO |
| DUMP SNAPSHOT |
+-----------------------------+
NOTE: due to connection issues with dumping the snapshot, this part was updated:
$ nc email.clinton.io 9999
+-----------------------------+
| !!! WARNING !!! |
| SYSTEM HAS BEEN LOCKED DOWN |
| NON-ADMIN USERS ARE |
| NOW DISABLED |
+-----------------------------+
login: clinton
password: IAmGoingToBeTheNextPresidentAndIWillDestroyTrump
Welcome, clinton
+-----------------------------+
| !!! WARNING !!! |
| EMAILS HAVE BEEN WIPED |
| A SYSTEM SNAPSHOT WAS TAKEN |
| BEFORE THE INCIDENT |
+-----------------------------+
Download the snapshot from http://email.clinton.io/[admin username]/[admin pass]/snapshot
$ wget http://email.clinton.io/clinton/IAmGoingToBeTheNextPresidentAndIWillDestroyTrump/snapshot
Step 3 - The Emails
So now you'll have a file that
file
says is a Microsoft Outlook email folder (>=2003)
. Look this up, and you'll find this is a type of MS Outlook archive (PST file). Now you could use one of those crap freeware pst viewers, but they're all a pain and can't even sort properly. A better approach would be either- Actually load it into outlook, probably the easiest way to sift through these. Oh did I mention there were a lot? Yeahhh there's like 24,000
- There's an alternative library called Redemption that you can use to read the emails using any language that can use windows COM libraries (It does seem to be geared more toward visual studio languages though).
(I also hear
readpst
can be used here, buuuut ¯\(ツ)/¯) My solution uses the latter. Basically the steps to figuring this part out are:- Sort and/or scroll through the emails a bit. There may be a lot of them, but with sorting it won't be long before you come across some suspicious emails from the address
cl1nt0nm4il3r@gmail.com
. There's your first filter, and now you're down to 33 emails. - 33? Seems awfully flag lengthy doesn't it? At this point you might start looking through the metadata for these emails.
- One field will seem immediately out of place: the creation/sent on date. They all seem to be random dates in the future, but if you look at only the years:
(in no particular order (yet...)) 2097, 2084, 2048, 2123, 2102, 2049, ...
If you just ignore the 2's, you'll notice these are just ascii! :OOO97, 84, 48, 123, 102, 49, ... 'a', 'T', '0', '{', 'f', '1', ...
- So what order do these need to be in? What else is in the email metadata that could be useful to sort by...the delivery date! They are all within a couple of days of each other, so the plan is to sort by those, and then hopefully get a flag out of the creation dates.
Here's my solution using
Redemption
:using System;
using System.IO;
using System.Linq;
using Redemption;
namespace Solution {
class Solve {
static void Main(string[] args) {
string path = Path.GetFullPath(@"..\..\..\snapshot.pst");
// Load the PST
RDOSession session = new RDOSession();
session.LogonPstStore(path);
// Grab everything in the inbox
RDOItems inbox = session.GetFolderFromPath("PRIVATE INBOX").Items;
// Filter out all emails from the flag mailer
RDOItems spoofed = inbox.Restrict("[SenderEmailAddress]='cl1nt0nm4il3r@gmail.com'");
// The flag is hidden in the send date (year),
// sorted by the delivery date
string flag = string.Concat(spoofed.OfType()
.OrderBy(m => m.ReceivedTime) // Sort by delivery date
.Select(m => m.SentOn.Year - 2000) // Get the flag ordinal values
.Select(c => (char) c)); // Convert to char
Console.Out.WriteLine(flag);
}
}
}
And then this finally prints out the flag:
flag{w1k1L3ak5_g0T_n0tH1ng_0n_m3}
https://github.com/RPISEC/HackTheVote/tree/master/forensics/hc_emails/sol
Subscribe to:
Posts (Atom)
Ukraine politics Intel ( BACK@WAR @EmbaixadaRusPt "this was is about money" they say Trump is n negociating bcz he had a stroke US intel is deep working in agreement since minerals r crucial who holds Power now?)
https://www.yahoo.com/news/ukraine-delays-critical-minerals-deal-130009574.html?fr=sycsrp_catchall