Archive for February, 2010

arp-sentinel

by on Feb.24, 2010, under Code, Posts

Those of us who understand some of the great weaknesses in IPv4 networking know that under certain circumstances (especially on local area networks, where ARP replies are accepted without any authentication) attackers can carry out some pretty devious tasks. ARP spoofing (http://en.wikipedia.org/wiki/ARP_spoofing) can be used to intercept traffic and even modify it to the attacker’s will. Programs like arpspoof, Cain & Abel, and especially ettercap-ng, when abused, can be used for purloining credentials and potentially identities.

With this being true, I decided to write an ARP-spoofing detection program geared toward Ubuntu/Debian. The beauty of this program is that instead of just writing logs that non-tech-savvy users would most likely never glance at, it alerts the end user through an xmessage window. Granted, this window can get annoying, but that is intended: the end user needs to know when ARP spoofing is taking place, because their information could be at great risk.
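The post does not show arp-sentinel’s own source, so here is an added example (my code, not the arp-sentinel program) of the kind of check such a tool can make on Linux: snapshot the kernel ARP cache from /proc/net/arp, treat the first read as the trusted baseline, and warn when an IP’s MAC changes or when one MAC starts answering for several IPs, which is what arpspoof and ettercap produce when they claim the gateway and a victim at once. The two snapshots at the bottom are constructed, and the gateway address and xmessage call are assumptions.

```python
"""Detect ARP-cache anomalies from /proc/net/arp snapshots and alert via xmessage.

Added example, not the arp-sentinel code from the post. Assumes Linux's
/proc/net/arp format; the BEFORE/AFTER snapshots below are constructed.
"""
import re
import shutil
import subprocess
import time

# One data line of /proc/net/arp: IP, HW type, flags, MAC, mask, device.
ARP_LINE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+0x[0-9a-f]+\s+(?P<flags>0x[0-9a-f]+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+(?P<dev>\S+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for complete entries only (flags bit 0x2 set)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # header line or something we don't understand
        if int(m.group("flags"), 16) & 0x2 == 0:
            continue  # incomplete entry, MAC is all zeros
        table[m.group("ip")] = m.group("mac").lower()
    return table


def read_arp_table(path="/proc/net/arp"):
    with open(path) as f:
        return parse_arp_table(f.read())


def detect_anomalies(baseline, current, gateway_ip=None):
    """Compare two {ip: mac} tables and return a list of warning strings.

    Signature 1: an IP whose MAC differs from the baseline (poisoned entry).
    Signature 2: one MAC now bound to two or more IPs (attacker claiming
    the gateway and a victim simultaneously).
    New IPs that were not in the baseline are not reported; hosts join
    hotspots all the time.
    """
    warnings = []
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            tag = " (GATEWAY!)" if ip == gateway_ip else ""
            warnings.append(f"MAC for {ip}{tag} changed {old} -> {mac}")
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            warnings.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return warnings


def alert(warnings):
    """Pop an xmessage window if one is available, otherwise print."""
    text = "ARP spoofing suspected!\n" + "\n".join(warnings)
    if shutil.which("xmessage"):  # assumption: X session with xmessage installed
        subprocess.Popen(["xmessage", "-center", text])
    else:
        print(text)


def watch(gateway_ip, interval=5):
    """Poll the kernel ARP cache; the first read is the trusted baseline."""
    baseline = read_arp_table()
    while True:
        time.sleep(interval)
        found = detect_anomalies(baseline, read_arp_table(), gateway_ip)
        if found:
            alert(found)


# Constructed snapshots (not captured from a real machine).
BEFORE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:ff     *        wlan0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""
AFTER = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:ff     *        wlan0
"""

if __name__ == "__main__":
    for w in detect_anomalies(parse_arp_table(BEFORE), parse_arp_table(AFTER), "192.168.1.1"):
        print(w)
```

The baseline-on-first-read approach has the obvious weakness that a machine which joins a network already under attack records the attacker’s MAC as the truth; pinning the gateway’s MAC in a config file (or comparing against a DHCP-learned value) closes that gap.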

The beauty behind arp-sentinel is that it uses very few resources and is mainly intended for end users who run Ubuntu on a laptop and use insecure hotspots for whatever purposes. Here’s a screenshot of ‘top’ running under Ubuntu 9.10 on a virtual machine:

Nifty, eh? Here’s also a screenshot of the warning message that is displayed:

Here’s the program in a tar file:

http://zitstif.no-ip.org/arp-sent/arp-sentinel.tar

MD5sum: 79c54891a7b235bf6a2f5d4c779771c3

Tested to work on Ubuntu 9.10. (The MD5 above only lets you detect a corrupted download; since the tarball and the checksum both come over plain HTTP from the same host, it is no defence against a tampered one.)


CON? Windows CON? oh yeah.. CON

by on Feb.19, 2010, under Posts, Videos

Creating, running and deleting files with Device File names from PaulDotCom on Vimeo.

I just watched this little demonstration and I thought it was quite intriguing. Enjoy!

Learn more at: http://pauldotcom.com/2010/02/deleting-the-undeleteable.html

More to come!


Circumventing pay-for-service wifi points

by on Feb.16, 2010, under Posts

Ever wanted to access the internet without authenticating at your local college? Have you found yourself at airport wifi points that require you to pay ‘X’ amount of dollars for service? Well, my cheap friend, I have a solution for you!

I will forewarn you that this method is a bit slow and that it requires *nix on both ends. Also, this is for educational purposes only!

First, you need an accessible server running ssh, along with a nifty program called ‘dns2tcp’. Other similar programs such as iodine can do this for you, but this walk-through is focused on dns2tcp. You also need a DNS name, which you can get for free via no-ip.com or dyndns.

File:

http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en

Guide:

http://www.wains.be/index.php/2009/04/24/howto-setting-up-dns2tcp/

I followed this guide quite closely, and it did not end up working for me. The guide suggests starting the daemon via:

sudo /etc/init.d/dns2tcpd start

However, this did not work for me. Using netstat, I found that dns2tcpd was not even listening. Instead, I ended up running ‘/usr/local/bin/dns2tcpd’ directly. But before I continue, here is my dns2tcpd config file:

listen = 0.0.0.0
port = 53
# If you change this value, also change the USER variable in /etc/default/dns2tcpd
user = nobody
chroot = /tmp
domain = yourdomain.org
ressources = ssh:127.0.0.1:22

Change accordingly, and yes, ‘ressources’ is supposed to be misspelled: that is the key name dns2tcp’s config parser expects. Note that with ‘listen = 0.0.0.0’ the daemon takes over UDP port 53 on every interface, and that a world-writable directory like /tmp makes a weak chroot; an empty directory owned by root is the safer choice.

Here is the command that has worked for me and I’m currently using to make this post possible:

sudo nohup dns2tcpd -f /etc/dns2tcpd.conf &

Verify that you’ve forwarded UDP port 53 on your router to port 53 on your server (dns2tcp carries its traffic in ordinary UDP DNS queries). If your server is in the DMZ, you shouldn’t have to worry about doing this.

Now, from a remote location with restricted access (every HTTP request is redirected to a login page), test that DNS lookups still work with a command like ‘host’. Captive portals usually let DNS through before you log in, which is the hole this whole method relies on. We’ll use my DNS name for this example:

host zitstif.no-ip.org
zitstif.no-ip.org has address 75.41.5.12

If this works, there’s a good chance you’re in business. Then, the next test you want to do is:

dns2tcpc -z zitstif.no-ip.org 75.41.5.12
Available connection(s) :
        ssh

If you see results like this, then chances are, this will work. Next, we need to do some DNS tunneling:

dns2tcpc zitstif.no-ip.org 75.41.5.12 -l 4444 -r ssh

If dns2tcpc is listening on port 4444, you should now be able to ssh to it; the tunnel forwards that connection to the ssh daemon on your home server. Since dns2tcpc is handed the server IP directly, its queries go straight to your box on UDP 53 rather than through the hotspot’s resolver, so the hotspot has to permit outbound DNS to arbitrary servers for this to work.

ssh -D 1234 user@localhost -p 4444

Once you’ve authenticated, set up Firefox (or any browser that supports SOCKS 4/5) to use a SOCKS proxy on your loopback interface, port 1234. Because you are connecting to localhost:4444, ssh will show you a new host key; compare its fingerprint with the one on your home server so you know the tunnel really ends there. In Firefox, also enable remote DNS (network.proxy.socks_remote_dns in about:config) so name lookups go through the tunnel as well instead of leaking to the hotspot.
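To see why the tunnel is slow, here is an added example (my code, not dns2tcp’s actual wire format, which is more elaborate) of the mechanism the procedure above depends on: bytes are base32-encoded (DNS names are case-insensitive, so base64 is out), split into labels of at most 63 characters, hung under the tunnel domain within the 253-character name limit, and shipped as a raw DNS query; the server side strips the domain and decodes. The tunnel domain is the post’s ‘zitstif.no-ip.org’, and the sample payload is constructed. For that domain a single query carries at most 145 bytes, and real tools also have to spend some of that on sequence numbers and wait for a reply to carry data back, which is where the slowness comes from.

```python
"""How a DNS tunnel carries bytes in query names (added example).

This is NOT dns2tcp's protocol; it is a minimal stand-in showing the
constraints: labels <= 63 octets, names <= 253 octets, case-insensitive
names (hence base32). Domain and payload below are assumed/constructed.
"""
import base64
import struct

MAX_LABEL = 63
MAX_NAME = 253


def encode_chunk(data, domain):
    """Client side: bytes -> <label>.<label>...<domain> (base32, no padding)."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join(labels + [domain])
    if len(name) > MAX_NAME:
        raise ValueError(f"name too long ({len(name)} > {MAX_NAME})")
    return name


def decode_name(name, domain):
    """Server side: strip the domain, rejoin the labels, undo base32."""
    if not name.endswith("." + domain):
        raise ValueError("query is not for the tunnel domain")
    b32 = "".join(name[: -len(domain) - 1].split(".")).upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding we stripped
    return base64.b32decode(b32)


def max_payload(domain):
    """Largest chunk (in bytes) that fits in one query name for this domain."""
    size = 0
    while True:
        try:
            encode_chunk(b"\x00" * (size + 1), domain)
        except ValueError:
            return size
        size += 1


def build_query(name, txid=0x1234, qtype=16):
    """Raw DNS query (RFC 1035): header, QNAME, QTYPE (16 = TXT), QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query_name(packet):
    """Extract QNAME from a packet built by build_query (no label compression)."""
    pos, labels = 12, []
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def tunnel_roundtrip(data, domain):
    """Client encodes -> packet on the wire -> server parses and decodes."""
    pkt = build_query(encode_chunk(data, domain))
    return decode_name(parse_query_name(pkt), domain)


if __name__ == "__main__":
    dom = "zitstif.no-ip.org"  # the tunnel domain used in the post
    chunk = b"SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n"  # constructed sample
    print(encode_chunk(chunk, dom))
    print("max bytes per query for", dom, "=", max_payload(dom))
```

Every hop the query makes (the hotspot’s resolver, if it forces one) sees these names in the clear, so the tunnel hides nothing from whoever runs the DNS; the privacy comes from the ssh session carried inside it, not from DNS.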

One big reason I mention this is that Hak5 had an episode showing how to do basically the same thing, but they stated you had to pay for your own DNS service/name. My method works, and it’s also cheaper.


Openssh on Windows + free domain name setup + ssh tunneling

by on Feb.14, 2010, under Posts

I’m actually posting this for a friend per request:

==OpenSSH + Cygwin Installation==

Over the past year or so, when using Windows on a certain computer in my network, I decided that I wanted secure, command-line-oriented access to that Windows computer. Telnet would not have been a viable solution, nor would remote desktop. Knowing about Cygwin, I searched Google for how to install OpenSSH via Cygwin.

The web site presented below, is a wonderful resource for this situation:

http://pigtail.net/LRP/printsrv/cygwin-sshd.html

Follow this tutorial closely and you should have little to no trouble getting OpenSSH set up on a Windows computer.

Also, if you’re planning on doing SSH tunneling from a remote location or logging into your computer remotely via SSH, make sure to forward port 22 (or whatever port you set sshd to listen on) to the Windows computer hosting SSH. You may also want to give that computer a fixed LAN address (a static IP, or a DHCP reservation, which many routers call ‘static DHCP leasing’) so that a changing LAN IP doesn’t break the forwarding rule. To make sure the service is remotely accessible, go to www.nmap-online.com .

Click on ‘Custom scan’.

Then under the ‘Nmap options..’, clear the options they have set there for you by default, leave your IP address alone and put:

-P0 -sV -vv -n -T3 -p 22 (YOURIP)

(-P0 is the older spelling of -Pn, skip host discovery; -sV grabs the banner so you can see it really is OpenSSH answering.) Lastly, click ‘I agree with the Terms of Service’ and then ‘Scan Now!’. If nmap-online reports the port as open, you’re in business! Otherwise, your software firewall is most likely blocking OpenSSH, or you didn’t set up port forwarding on your router correctly. Your ISP blocking that port is another possibility.

=========================

==Dynamic DNS the free way==

One option for a free DNS name is www.no-ip.com. Sign up with your e-mail address; here’s a video (narrated by a kid with an annoying voice) that may help you:

If you have set this up correctly, you should be able to resolve your new DNS name from the command line using a tool like ‘nslookup’. The IP address that shows up for your new DNS name, should be your WAN IP.

=========================

==SSH tunneling via Putty==

Now, say you want some assurance of security in a remote location that may be a hostile network. One good (if not perfect) solution for Windows users is SSH tunnelling:

http://oldsite.precedence.co.uk/nc/putty.html

Once you have logged into your server and set up a dynamic port on your loopback interface (127.0.0.1), configure your browser to use a SOCKS 5 proxy on that loopback port. In Firefox this looks like this:

To verify that you’re actually tunneling home, go to www.ipchicken.com; you should see your dynamic DNS name’s IP address. Now you don’t have to worry nearly as much about MITM attacks and sniffing on the local network (your traffic is still in the clear between your home server and the sites you visit, so this protects you from the hotspot, not from the internet at large). Web pages won’t load nearly as quickly, but as the old saying goes, ‘Better safe than sorry’. I hope this helps you, dear friend of mine! 🙂
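Both this post and the dns2tcp walk-through above end with a browser talking SOCKS 5 to an ‘ssh -D’ listener on loopback. As an added example (my code, not anything from OpenSSH, PuTTY or the original post), here is that exchange implemented just far enough, per RFC 1928, to show the one detail that decides whether the hostile network still sees where you browse: a browser configured for remote DNS sends the hostname in the CONNECT request (ATYP 0x03) and lets the far end of the tunnel resolve it, whereas a browser that resolves names itself sends an IP (ATYP 0x01) and has already leaked the DNS query to the hotspot. The hostnames and addresses are constructed, and the ‘proxy’ is a mock that runs in a thread over loopback.

```python
"""The SOCKS5 exchange between a browser and `ssh -D` (added example, RFC 1928).

Not code from the post, OpenSSH or PuTTY. Shows the greeting, the CONNECT
request and the reply, and flags a DNS leak: a request carrying an IP means
the browser resolved the name itself instead of letting the tunnel do it.
"""
import ipaddress
import socket
import struct
import threading

SOCKS_VERSION = 5


def client_greeting():
    """VER=5, NMETHODS=1, METHODS=[0x00 no-auth]: what ssh -D expects."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_request(host, port):
    """CONNECT (CMD=1). Hostnames go as ATYP 0x03 so the proxy resolves them."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        hostb = host.encode("idna")
        addr = bytes([0x03, len(hostb)]) + hostb
    else:
        addr = bytes([0x01 if ip.version == 4 else 0x04]) + ip.packed
    return bytes([SOCKS_VERSION, 0x01, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Proxy side: return (atyp, host, port); raise on malformed input."""
    if len(data) < 8 or data[0] != SOCKS_VERSION or data[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT")
    atyp = data[3]  # data[2] is RSV
    if atyp == 0x01:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 0x04:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == 0x03:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown ATYP")
    if len(rest) != 2:
        raise ValueError("bad length")
    return atyp, host, struct.unpack("!H", rest)[0]


def dns_leaks(request):
    """True if the browser resolved the name itself (ATYP 0x01/0x04)."""
    atyp, _, _ = parse_connect_request(request)
    return atyp != 0x03


def proxy_reply(success=True):
    """VER, REP (0 = succeeded), RSV, ATYP=IPv4, BND.ADDR 0.0.0.0, BND.PORT 0."""
    return bytes([SOCKS_VERSION, 0x00 if success else 0x01, 0x00, 0x01]) + b"\x00" * 6


def local_demo(host="www.example.com", port=443):
    """Run both sides over loopback and return what the mock proxy saw."""
    seen = {}
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port stands in for 1234
    srv.listen(1)

    def proxy():
        conn, _ = srv.accept()
        with conn:
            conn.recv(3)  # greeting
            conn.sendall(bytes([SOCKS_VERSION, 0x00]))  # method 0x00 selected
            req = conn.recv(262)  # largest CONNECT: 4 + 1 + 255 + 2
            seen["atyp"], seen["host"], seen["port"] = parse_connect_request(req)
            seen["leak"] = dns_leaks(req)
            conn.sendall(proxy_reply())

    t = threading.Thread(target=proxy)
    t.start()
    with socket.create_connection(srv.getsockname()) as c:
        c.sendall(client_greeting())
        assert c.recv(2) == bytes([SOCKS_VERSION, 0x00])
        c.sendall(connect_request(host, port))
        reply = c.recv(10)
    t.join()
    srv.close()
    seen["reply_ok"] = reply[1] == 0x00
    return seen


if __name__ == "__main__":
    print(local_demo())
```

Firefox only sends ATYP 0x03 when network.proxy.socks_remote_dns is enabled; PuTTY’s dynamic forward accepts either form, so the fix is on the browser side.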

Last but not least, if you want to see a video on SSH dynamic port forwarding / tunneling, Irongeek has a wonderful one (bear in mind you don’t necessarily need the ‘keys’ he speaks of; you can use password authentication instead):

http://www.irongeek.com/videos/sshdynamicportforwarding.swf


Hak5 Episode 626: Shmoocon 2010

by on Feb.14, 2010, under Posts, Videos

It seems that hak5.org is ‘down’, but you can still view Hak5 videos via:
http://revision3.com/hak5/

I have to admit, this has been a very interesting hak5 episode. Enjoy!

More to come.

