Archive: Network Security

Page 2 of 2

October 19, 2007

UPnP: change a router's firewall rules from a client machine


Universal Plug and Play support is available on most modern wireless and DSL routers. Among other things, it allows client machines on the local network to remotely configure the router's port forwarding, typically without authenticated access.

Adrian Crenshaw has a nice screencast which shows how to detect UPnP capable devices on your network and how to use the PortForward utility in Windows to remotely configure port forwarding for routers on your LAN.

After looking at this, you'll probably come to the conclusion that, while convenient, unauthenticated UPnP is pretty dangerous. It allows someone who has momentary access to your network to easily reconfigure your router to punch holes through its NAT firewall. This could be someone on your wireless network, or it could be as simple as a malicious program that you accidentally execute on your own machine.

Fortunately, most routers allow you to disable UPnP, and you should probably take advantage of this and turn off UPnP on your devices now.
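Once UPnP is switched off in the router's admin page, it is worth confirming from a client that the gateway really has stopped advertising itself. The following is an added example, not the UPNPScan or PortForward tools linked below: it sends the standard SSDP M-SEARCH query for the WAN connection service that holds port mappings and reports any gateway that still answers. The sample reply at the bottom is constructed to exercise the parser offline; the service names are the standard UPnP IGD ones.

```python
"""Check whether a gateway on the LAN still answers UPnP discovery (SSDP).

Added example, not the UPNPScan tool from the post. After turning UPnP off in
the router's admin page, run this to confirm the router no longer advertises an
Internet Gateway Device (IGD); a reply means port mappings can still be created.
"""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
# Search target for the WAN IP connection service that holds port mappings.
IGD_TARGET = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(target: str = IGD_TARGET, mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request (HTTP-over-UDP multicast)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {target}",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse the header block of an SSDP reply into a lowercase-keyed dict.
    Returns {} if the payload is not an HTTP/1.1 200 OK reply."""
    text = raw.decode("ascii", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_igd_advertisement(headers: dict) -> bool:
    """True when the reply advertises a gateway / WAN connection service."""
    st = headers.get("st", "")
    return any(s in st for s in ("WANIPConnection", "WANPPPConnection", "InternetGatewayDevice"))


def discover(timeout: float = 3.0) -> list:
    """Send M-SEARCH and collect replies that advertise an IGD (live network call)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(4096)
            headers = parse_ssdp_response(data)
            if is_igd_advertisement(headers):
                found.append((ip, headers.get("location", "")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply, in the shape a router's IGD stack returns.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hits = discover()
    if hits:
        for ip, location in hits:
            print(f"UPnP gateway still advertised by {ip} ({location}); disable UPnP on it")
    else:
        print("no UPnP gateway answered; UPnP appears to be off")
```

Run it on the LAN after the change and again after a router reboot, since some firmware re-enables UPnP on factory reset or upgrade. No reply is a good sign but not proof; the device description at the LOCATION URL is what actually lists the port-mapping service.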

UPnP Port Forwarding and Security Screencast - Link
UPNPScan - Link
UPNP PortForward (exe, source and documentation) - Link

Posted by Jason Striegel | Oct 19, 2007 08:46 PM | Network Security, Windows | Comments (0)

September 29, 2007

Automate using your Mac on untrusted networks


When you're on an untrusted or unencrypted network, everything from what you browse to the email and IM messages you send can potentially be snooped by a third party. Sure, some sites use https and you can use ssh to connect to a remote server, but what if you want to jack in and enjoy the relative comfort of knowing _all_ of your applications are communicating over a secure channel?

For that, you need a secure proxy. By setting up a SOCKS proxy, you can have your applications route all of their network communications through a secure connection to a network you trust. Gina at Lifehacker put together a quick guide for setting this up, and once configured in OS X's System Preferences, most of the default apps like Safari will just start using your proxy and you're good to go.

A lot of your favorite applications (e.g. Firefox and Adium) need to be manually configured to use the proxy, however, as they don't pull this information automatically from the system preferences. This is straightforward to do, but it means that every time you cruise over to the local coffee shop, you need to set up your proxy configuration in multiple places.

Albert Lee came up with a nice solution to this problem. An application profile manager called rooSwitch and some quick Actionscript is all you need to make a couple of command line scripts that will set up or tear down your proxy, as well as switching all of your application preferences.

If you save this script with a .command extension, then you can run it by double-clicking on the icon in the Finder like a regular application. When it runs, it will change the location, switch your profile, and start up the SSH tunnel. Enter your password and off you go!

I should mention that his script also introduced me to a useful Mac command line utility called scselect. By typing scselect [locationname], you can switch your Mac's location straight from the command line.

Safer Surfing on Untrusted Networks (Mac Edition) - Link
How to configure an SSH SOCKS proxy @Lifehacker - Link
rooSwitch - Link

Posted by Jason Striegel | Sep 29, 2007 05:19 AM | Lifehacker, Mac, Network Security | Comments (0)

September 27, 2007

Packet Garden


Packet Garden is a network visualization tool that maps your network traffic into a 3D representation, sprouting little plants on a globe whenever a connection is made.

To do this, Packet Garden takes note of all the servers you visit, their geographical location and the kinds of data you access. Uploads make hills and downloads valleys, their location determined by numbers taken from the internet address itself. The size of each hill or valley is based on how much data is sent or received. Plants are also grown for each protocol detected by the software; if you visit a website, an 'HTTP plant' is grown. If you share some files via eMule, a 'Peer to Peer plant' is grown, and so on.

Packet Garden is GNU licensed and written in Python, so you can give it a try on supported Linux, Windows, and Mac machines. It doesn't run on Intel Macs, unfortunately. As far as I can tell, Soya3D (the 3D library it uses) is the culprit and has not been compiled for this architecture. Anyone want to take a stab at porting this? I'm not familiar with the package, but it might be as simple as installing all of Soya's required libraries and running a Python make script.

Packet Garden. Grow a world from network traffic - Link
Soya3D - Link

Posted by Jason Striegel | Sep 27, 2007 09:39 PM | Linux, Mac, Mapping, Network Security, Windows | Comments (0)

August 1, 2007

DNS rebinding: how an attacker can use your web browser to bypass a firewall

Artur Bergman wrote about an exploit vector called "DNS rebinding" over on O'Reilly Radar that's a must-read. Using DNS rebinding, an external website can use your browser's Javascript or Flash environment to act as a bridge between the external server and any IP on your internal network. This works even for unaddressable IPs such as those in the 10.0.0.0 range!

Normally, the security mechanisms in your browser restrict any communications to the same host that served the web page. So, if you visit badsite.com, the javascript in that page will only be able to communicate with badsite.com. Any code on that site that attempts to pull data from any other address will return an error, because it violates this "same origin" policy.

How DNS Rebinding Works
DNS rebinding allows an attacker to completely bypass the same origin policy. It does this by dynamically switching the target IP address for a host name the attacker controls. One scenario might work like this:

  1. You connect to abcde.badsite.com, which resolves to IP 1.2.3.4 with a very short TTL
  2. 1.2.3.4 delivers some Javascript code to your browser to execute in 15 seconds
  3. The DNS server in control of *.badsite.com immediately points abcde.badsite.com to 10.0.0.1
  4. 15 seconds later, the Javascript on your browser connects to abcde.badsite.com, in compliance with the same origin policy, and retrieves a web page from your internal server at 10.0.0.1
  5. The DNS server resets abcde.badsite.com to 1.2.3.4 and after some period of time, your browser reconnects and sends 1.2.3.4 its findings

With Flash, It Gets Even Better
So far, with Javascript, a nefarious attacker now has the ability to scan and crawl websites on your internal network and report its findings back to the attacker's server. You could imagine this being triggered via a popup and then repositioned off the screen where it might go unnoticed for some time. This is a pretty big deal, no doubt, but with Flash 9's Socket functionality, it's only the tip of the iceberg.

Flash 9 adds a Socket library to the developer's toolkit. So instead of the limited web crawling payload, a small flash movie can be sent to the client which can do a full network scan of your internal network, send spam through your corporate SMTP server, or even serve as a general purpose VPN bridge right through your firewall.

Wow.

Defending Against DNS Rebinding
There have been a number of suggestions made as far as defending your network against this kind of attack, including disabling the Flash plugin, using a personal firewall to restrict browser access to ports 80 and 443, and making sure all your web sites have no default virtual host, but instead require a valid Host header.

It seems like the real moral of the story here, though, is not to be lured into using a Firewall and unaddressable IPs as your only line of defense. This means keeping machines patched, not using IP address-based authentication, and, in general, presuming that the attacker can obtain access to your internal network.
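Two of the defenses listed above can be made concrete in a few lines. The following is an added example and is not code from the O'Reilly Radar piece or the Stanford paper in the references: first, a WSGI wrapper that refuses any request whose Host header is not one of the names the internal service was actually given (so a request rebound through abcde.badsite.com is answered with 400 rather than the page), and second, a filter over resolver answers that drops a public name resolving into private address space, which is the resolver-side idea from the rebinding paper. The hostnames, the allowlist, the ".internal" suffix and the sample answers are all constructed for the illustration.

```python
"""Two of the defenses named in the post, as an added example (not from the
O'Reilly Radar piece or the Stanford paper): an HTTP Host-header allowlist for
an internal web app, and a filter that drops resolver answers pointing external
names at private address space. Names and addresses are constructed."""
import ipaddress

# Internal services answer only for names you actually assigned them; a rebound
# request arrives with Host: abcde.badsite.com and is refused.
ALLOWED_HOSTS = {"intranet.example.internal", "10.0.0.1"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only when the Host header names this service exactly.
    A missing header, a :port suffix and letter case are handled; anything
    else is refused, which is what 'no default virtual host' means."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    # strip a :port suffix, but leave bracketed IPv6 literals alone
    if not host.startswith("[") and host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host in allowed


def host_check_middleware(app, allowed=ALLOWED_HOSTS):
    """WSGI wrapper: refuse requests whose Host header is not on the allowlist."""
    def wrapped(environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST"), allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"unknown Host header\n"]
        return app(environ, start_response)
    return wrapped


def answer_is_rebinding(qname, answer_ip, internal_suffixes=(".internal",)):
    """True when an external name resolves into private/loopback/link-local
    space. Names under your own internal zones may legitimately resolve there."""
    qname = qname.rstrip(".").lower()
    if any(qname.endswith(s) for s in internal_suffixes):
        return False
    addr = ipaddress.ip_address(answer_ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def filter_answers(records, internal_suffixes=(".internal",)):
    """Drop (qname, ip) answers that would rebind an external name inward."""
    return [(q, ip) for q, ip in records
            if not answer_is_rebinding(q, ip, internal_suffixes)]


# Constructed resolver answers following the scenario in the post.
SAMPLE_ANSWERS = [
    ("abcde.badsite.com", "1.2.3.4"),           # first answer, external, short TTL
    ("abcde.badsite.com", "10.0.0.1"),          # rebound answer, must be dropped
    ("intranet.example.internal", "10.0.0.1"),  # legitimately internal
]


def demo():
    """Push three requests through the wrapped app and filter the sample answers."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"internal page\n"]

    guarded = host_check_middleware(app)
    statuses = []

    def capture(status, headers):
        statuses.append(status)

    for host in ("abcde.badsite.com", "intranet.example.internal:8080", None):
        environ = {"HTTP_HOST": host} if host else {}
        list(guarded(environ, capture))
    return statuses, filter_answers(SAMPLE_ANSWERS)


if __name__ == "__main__":
    print(demo())
```

The Host check is the cheaper of the two and belongs on every internal web service, since it works regardless of how the client was tricked into connecting; the resolver filter has to sit on the network's recursive resolver and needs an explicit list of zones that are allowed to hand out private addresses.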

References:
Your Browser is a TCP/IP Relay - Link
Flash DNS Rebinding DEMO (scan a host on your network) - Link
Protecting Browsers from DNS Rebinding Attacks - Link

Posted by Jason Striegel | Aug 1, 2007 09:07 PM | Network Security | Comments (0)

June 1, 2007

UDP Hole Punching: how Skype gets through firewalls

When two machines running Skype need to communicate directly, but are both behind a NAT firewall, there's a clever trick that's employed to start a communication channel. It works like this:

First, both machines open a connection to a non-firewalled server. The server takes note of the source port (which may have been altered by the firewall) and sends this information to the other party to give it an idea of what port future connections might be coming from.

Client A then attempts to connect to a range of ports on client B's machine. All these requests will fail at client B's firewall, of course. However, in the process a side effect has occurred. Client A has told its own firewall to allow traffic from all of client B's scanned ports! Now, when client B attempts to connect to client A, assuming its outgoing port was previously scanned (which it likely will be), the request will get through to client A's machine.

If all else fails, both machines can use a central server to proxy their connection, but the UDP hole punching trick will typically allow two NAT firewalled machines to communicate directly, which means less latency and a significantly lighter load on the server.
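The sequence above is easier to follow with the NAT state written out. This is an added simulation, not Skype code: each NAT is modelled as an address-restricted mapping table (inbound traffic to a public port is accepted only from hosts the inside client has already sent to), a rendezvous server records each client's translated endpoint, and the hole_punch function replays the three steps from the post, counting the probes that B's NAT drops and checking whether B's final packet reaches A. The class names, addresses and port numbers are constructed for the illustration.

```python
"""Simulation of the UDP hole-punching sequence described above. Added example,
not Skype code; the NAT model is a simple address-restricted cone NAT and the
names (Nat, Rendezvous, hole_punch) and addresses are constructed."""
import itertools


class Nat:
    """Models a NAT: outbound packets get a public port; inbound packets are
    accepted only if an inside host earlier sent to that external host."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.mapping = {}   # (inside_ip, inside_port) -> public_port
        self.allowed = {}   # public_port -> set of external IPs sent to
        self.dropped = []   # inbound packets rejected at the firewall

    def outbound(self, src, dst_ip, dst_port):
        """Translate an outbound packet; creates the mapping on first use."""
        if src not in self.mapping:
            self.mapping[src] = next(self._ports)
        pub = self.mapping[src]
        self.allowed.setdefault(pub, set()).add(dst_ip)
        return (self.public_ip, pub), (dst_ip, dst_port)

    def inbound(self, from_ip, public_port):
        """Accept an inbound packet only through a mapping this peer was sent to."""
        if from_ip in self.allowed.get(public_port, set()):
            return True
        self.dropped.append((from_ip, public_port))
        return False


class Rendezvous:
    """Public server that records each client's NAT-translated endpoint."""
    def __init__(self, ip):
        self.ip = ip
        self.seen = {}

    def register(self, name, public_endpoint):
        self.seen[name] = public_endpoint


def hole_punch(nat_a, nat_b, server, probe_spread=3):
    """Run the exchange from the post: both clients contact the server, A probes
    a range of ports around B's reported port (which opens A's NAT to B), then
    B connects to A. Returns (direct_channel_established, probes_rejected_by_b)."""
    a, b = ("192.168.0.10", 5000), ("192.168.1.20", 5000)
    pub_a, _ = nat_a.outbound(a, server.ip, 3478)
    pub_b, _ = nat_b.outbound(b, server.ip, 3478)
    server.register("A", pub_a)
    server.register("B", pub_b)

    # A sends to a range of ports around B's observed port. B's NAT drops all of
    # them, but each one records B's public IP as allowed on A's mapping.
    b_ip, b_port = server.seen["B"]
    for port in range(b_port - probe_spread, b_port + probe_spread + 1):
        nat_a.outbound(a, b_ip, port)
        nat_b.inbound(nat_a.public_ip, port)
    probes_rejected = len(nat_b.dropped)

    # Now B sends to A's observed endpoint: A's mapping already permits B's NAT.
    a_ip, a_port = server.seen["A"]
    nat_b.outbound(b, a_ip, a_port)
    direct = nat_a.inbound(nat_b.public_ip, a_port)
    return direct, probes_rejected


if __name__ == "__main__":
    ok, rejected = hole_punch(Nat("203.0.113.10"), Nat("198.51.100.20"),
                              Rendezvous("192.0.2.5"))
    print(f"direct channel established: {ok}; probes rejected by B's NAT: {rejected}")
```

With the default spread all seven probes are rejected at B's side, yet B's single reply is accepted at A's side, which is the whole trick. The port range matters for NATs that do not reuse the same public port for every destination; a NAT that allocates a fresh, unpredictable port per destination defeats this model, and that is the case where the relay fallback in the last paragraph is needed.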

Resources:
How Skype & Co. get round firewalls - Link
RFC3489 STUN - Simple Traversal of UDP through NAT - Link

Posted by Jason Striegel | Jun 1, 2007 08:41 PM | Network Security, Skype, VoIP | Comments (5)

March 29, 2007

Upside-Down-Ternet: Having Fun With Wireless Interlopers

I'm a big fan of open wireless access points. As long as my neighbors are respectful, I've got more downstream bandwidth than I really need most of the time. That said, I can understand the frustration with having a persistent freeloader, so I can really appreciate this hack which allows you to send a "knock it off" message, without having to close down your blessed open network.

The Upside-Down-Ternet works like this:

  1. You set up a DHCP server to assign addresses from one IP netblock to known MAC addresses, and another "untrusted" netblock to unknown MACs.
  2. The trusted netblock is routed normally, but the untrusted netblock gets all port 80 traffic forwarded to a transparent squid proxy using iptables.
  3. The squid proxy filters all HTTP traffic, looking for URLs ending in jpg or gif.
  4. If a jpg or gif is encountered, the image is flipped using mogrify and the untrusted user is sent the upside-down image instead of the original.

This could be easily modified to default to giving normal access. You could then direct known abusers to the crippled network. Another option would be to provide "degraded" access using a blur or desaturate filter on images. This would allow people to make use of the free service, but would require them to ask permission to be on the trusted list before having full access.
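The two decisions the setup makes (which address pool a MAC gets, and which requests the proxy rewrites) are small enough to write as pure functions. This is an added example, not the original Upside-Down-Ternet scripts: the MAC list, the two /24 blocks and the local "flipped" handler URL are constructed, and the input line format is the one-line "URL client_ip/fqdn ident method" shape that older squid URL-rewrite helpers are handed, with an empty reply meaning "leave the URL alone".

```python
"""Added example (not the original Upside-Down-Ternet scripts): the two decisions
the setup above makes, written as pure functions so they can be tested offline.
The network blocks, MAC list and image handler URL are constructed."""
import re
import ipaddress

TRUSTED_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}   # constructed
TRUSTED_NET = ipaddress.ip_network("192.168.0.0/24")         # constructed
UNTRUSTED_NET = ipaddress.ip_network("192.168.2.0/24")       # constructed
IMAGE_URL = re.compile(r"\.(?:jpe?g|gif)$", re.IGNORECASE)


def pool_for(mac):
    """Step 1: known MACs draw from the trusted block, everything else from the
    untrusted block. Case and separator style are normalised before comparing,
    since DHCP clients report MACs inconsistently."""
    norm = mac.lower().replace("-", ":")
    return TRUSTED_NET if norm in TRUSTED_MACS else UNTRUSTED_NET


def redirector_decision(line):
    """Step 3: given one helper input line ('URL client_ip/fqdn ident method'),
    return the rewritten URL for jpg/gif requests from the untrusted block, or
    '' to pass the request through untouched. The query string is ignored when
    matching the extension, and the extension match is case-insensitive."""
    url, client, *_ = line.split()
    client_ip = ipaddress.ip_address(client.split("/", 1)[0])
    path = url.split("?", 1)[0]
    if client_ip in UNTRUSTED_NET and IMAGE_URL.search(path):
        # constructed local handler that would fetch, flip and serve the image
        return f"http://127.0.0.1/flipped?src={url}"
    return ""


if __name__ == "__main__":
    # constructed sample requests: one trusted client, one untrusted client
    for line in ("http://example.com/pic.JPG?x=1 192.168.2.14/- - GET",
                 "http://example.com/pic.jpg 192.168.0.4/- - GET",
                 "http://example.com/index.html 192.168.2.14/- - GET"):
        print(repr(redirector_decision(line)))
```

Matching on the path rather than the whole URL is deliberate: a request like /photo.php?name=x.jpg is not an image, and a request for /x.jpg?cache=1 is. The same two functions are all that changes for the "degraded access" variant; only the handler behind the rewritten URL differs.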

How do you like to deal with wireless interlopers? What's your ideal wireless setup - one that balances security, ease of use for legitimate visitors or passers-by, and quality of service? Give us a shout in the comments!

Posted by Jason Striegel | Mar 29, 2007 08:19 PM | Network Security, Wireless | Comments (3)

March 13, 2007

Surf Anonymously Without a Trace


Our resident Windows hacker, Preston Gralla, has another great article up at Computerworld, this time about maintaining your online privacy in the face of increased snooping from the government, web sites, and private businesses (an expanded update to a hack of the same name that originally appeared in Windows XP Hacks, 2E).


Posted by | Mar 13, 2007 11:47 AM | Network Security, Web, Windows | Comments (0)

February 7, 2007

Malicious Hackers attack DNS Servers

Duane Wessels, one of the authors of Make Projects: Small Form Factor PCs, was quoted in a piece about the recent DNS server attacks:

The motive for the attacks was unclear, said Duane Wessels, a researcher at the Cooperative Association for Internet Data Analysis at the San Diego Supercomputing Center. "Maybe to show off or just be disruptive; it doesn't seem to be extortion or anything like that," Wessels said.

The goal of Hackszine is "to reclaim the term 'hacking' for the good guys--innovators who explore and experiment, unearth shortcuts, create useful tools, and come up with fun things to try on their own", and it confirms our faith in this when we see one of our hacker authors working on the side of the good guys.

Related

  • RIPE NCC DNS Monitor (pictured) - Link
  • Make Projects: Small Form Factor PCs PDF - Link

Posted by Brian Jepson | Feb 7, 2007 05:50 AM | Network Security | Comments (0)

February 6, 2007

Bypass Pay WiFi With Ping Tunnel

A lot of hotels, coffee shops, and airports are sporting pay-per-hour 802.11 service these days. In most cases, you'll be presented with what appears to be an open hotspot and a DHCP server will give you an IP address. When you open your web browser, though, a transparent proxy will deliver you a page that asks for you to enter a credit card number. Until you've paid, outgoing TCP traffic will be blocked.

More often than not, though, the network is configured to allow ICMP packets through unfiltered. If you find one of these lucky hotspots, you can ping google.com or another external server and you'll get a response back. You can use this feature to tunnel TCP traffic through an ICMP echo request to a proxy server that you've set up on an unrestricted network!

Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies.

Setting: You're on the go, and stumble across an open wireless network. The network gives you an IP address, but won't let you send TCP or UDP packets out to the rest of the internet, for instance to check your mail. What to do? By chance, you discover that the network will allow you to ping any computer on the rest of the internet. With ptunnel, you can utilize this feature to check your mail, or do other things that require TCP.

To use Ptunnel, you'll need a server to run the proxy on. Your bandwidth will be a bit limited, but the software includes a simple authentication mechanism so that you can ensure you're the only one using your proxy. The way it works, it's more useful for connecting to your server via ssh than it is browsing the web. That said, it's pretty darn cool and awfully handy, especially if you need to check your mail and don't feel comfortable passing a credit card to a random wireless account server.
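Seen from the other side, the hotspot operator's side, the traffic this relies on has a recognisable shape: ping utilities send a handful of fixed-size echo requests per second, while a TCP-over-ICMP tunnel sends a steady stream of them with payload sizes that vary with the data being carried. The following is an added example and is not part of ptunnel or the post: a small heuristic that groups echo requests per source host in fixed time windows and flags hosts whose request count, payload size spread or mean payload is out of line with ordinary pings. The record format ("timestamp src dst icmp_type payload_len") and the sample records are constructed, not the output of any real capture tool.

```python
"""Detecting the behaviour the post relies on from the network operator's side.
Added example (not part of ptunnel or the post): a heuristic that scores
per-host ICMP echo activity from constructed flow records and flags hosts whose
ping traffic looks like a tunnel rather than reachability checks."""
from collections import defaultdict
from statistics import mean


def parse_record(line):
    """Parse 'ts src dst icmp_type payload_len' (constructed format, not a real tool's)."""
    ts, src, dst, icmp_type, size = line.split()
    return float(ts), src, dst, int(icmp_type), int(size)


def score_hosts(lines, window=10.0, min_requests=20,
                max_normal_payload=64, min_distinct_sizes=5):
    """Group echo requests (ICMP type 8) per source host into fixed windows.
    A host is flagged when, within one window, it sends many requests whose
    payload sizes vary widely or exceed what ping tools normally send
    (56 bytes on Unix, 32 on Windows)."""
    buckets = defaultdict(list)
    for line in lines:
        ts, src, dst, icmp_type, size = parse_record(line)
        if icmp_type != 8:
            continue
        buckets[(src, int(ts // window))].append(size)

    findings = {}
    for (src, _), sizes in buckets.items():
        if len(sizes) < min_requests:
            continue
        distinct = len(set(sizes))
        if distinct >= min_distinct_sizes or mean(sizes) > max_normal_payload:
            findings[src] = {"requests": len(sizes),
                             "distinct_sizes": distinct,
                             "mean_payload": round(mean(sizes), 1)}
    return findings


def build_sample():
    """Constructed records: one host doing ordinary 56-byte pings once a second
    (with the echo replies coming back), and one host pushing a steady stream
    of echo requests with varying payloads."""
    lines = []
    for i in range(10):
        lines.append(f"{1000 + i}.0 10.0.0.5 8.8.8.8 8 56")
        lines.append(f"{1000 + i}.1 8.8.8.8 10.0.0.5 0 56")
    for i in range(40):
        size = 200 + (i * 37) % 800
        lines.append(f"{1000 + i * 0.2:.1f} 10.0.0.9 203.0.113.7 8 {size}")
    return lines


if __name__ == "__main__":
    for host, info in score_hosts(build_sample()).items():
        print(f"{host}: {info}")
```

The thresholds are starting points, not tuned values; monitoring tools that ping every few seconds will sit below min_requests, but a host running a large batch of reachability checks can trip the count alone, which is why the payload-size tests are required as well. Rate-limiting ICMP echo on the captive portal's uplink is the usual mitigation once such hosts are identified.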

Download Ptunnel here and give it a shot - Link.
Nulldigital.net has a good writeup on configuration and usage - Link.


Posted by Jason Striegel | Feb 6, 2007 07:47 AM | Network Security, Wireless | Comments (0)
