Monday, February 13th, 2006

md@hextatic ~$ ifconfig en1
en1: flags=8863 mtu 1500
inet 10.140.0.176 netmask 0xffffff80 broadcast 10.140.0.255
ether 00:11:xx:xx:xx:xx
media: autoselect status: active
supported media: autoselect
md@hextatic ~$ sudo nmap -A 10.140.0.0/16
Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-02-06 09:26 CET
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1668 scanned ports on 10.140.0.129 are: closed
MAC Address: 00:13:80:7D:46:F7 (Cisco Systems)
Too many fingerprints match this host to give specific OS details
Interesting ports on 10.140.0.176:
[myself]
OS details: Apple Mac OS X 10.4.0 - 10.4.1 (Tiger)
Interesting ports on 10.140.32.129:
(The 1664 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
53/tcp open domain ISC Bind 9.2.4
67/tcp closed dhcpserver
68/tcp closed dhcpclient
80/tcp closed http
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
Uptime 13.109 days (since Tue Jan 24 07:20:44 2006)
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 10.140.32.130:
(The 1667 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
Device type: broadband router|general purpose
Running: FiberLine embedded, Linksys embedded, Linux 2.4.X|2.5.X|2.6.X
OS details: FiberLine Wireless DSL router, Linksys WAG54G Wireless Gateway, Linux 2.2.16, Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11, Linux 2.6.4 - 2.6.9, Linux 2.6.8 (ubuntu)
Uptime 13.109 days (since Tue Jan 24 07:20:32 2006)
Nmap finished: 65536 IP addresses (4 hosts up) scanned in 1855.362 seconds
md@hextatic ~$ curl -i http://10.140.32.130
HTTP/1.1 302 Found
Date: Mon, 06 Feb 2006 08:57:47 GMT
Server: Apache
Location: http://app.railnet.train/LP/WEB/index.html
Content-Length: 226
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://app.railnet.train/LP/WEB/index.html">here</a>.</p>
</body></html>
md@hextatic ~$ host app.railnet.train
app.railnet.train is an alias for application.railnet.train.
application.railnet.train has address 10.140.32.130
md@hextatic ~$ host -a -l railnet.train
Trying "railnet.train"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39338
;; flags: qr aa ra; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;railnet.train. IN AXFR
;; ANSWER SECTION:
railnet.train. 86400 IN SOA ns.railnet.train.railnet.train. root.railnet.train. 200209101 10800 900 604800 86400
railnet.train. 86400 IN NS ns.railnet.train.
#acc.railnet.train. 86400 IN CNAME ns.railnet.train.
#gateway.railnet.train. 86400 IN A 10.140.32.131
#gateway304.railnet.train. 86400 IN CNAME gateway.railnet.train.
#gwa.railnet.train. 86400 IN CNAME gateway.railnet.train.
*.railnet.train. 86400 IN CNAME application.railnet.train.
access304.railnet.train. 86400 IN CNAME ns.railnet.train.
app.railnet.train. 86400 IN CNAME application.railnet.train.
application.railnet.train. 86400 IN A 10.140.32.130
application304.railnet.train. 86400 IN CNAME application.railnet.train.
ice.railnet.train. 86400 IN CNAME application.railnet.train.
localhost.railnet.train. 86400 IN A 127.0.0.1
ns.railnet.train. 86400 IN A 10.140.32.129
railnet.train. 86400 IN SOA ns.railnet.train.railnet.train. root.railnet.train. 200209101 10800 900 604800 86400
Received 414 bytes from 10.140.32.129#53 in 59 ms
md@hextatic ~$ host -a -l train
Trying "train.railnet.train"
; Transfer failed.
Trying "train"
Host train not found: 9(NOTAUTH)
; Transfer failed.
Not that I’m really interested in Orbicule’s Undercover… In fact, I neither see the need for such software, since it might give you a false sense of safety, nor am I willing to pay almost 30 $ (or 25 €) for software that looks like it was written on a rainy afternoon. It also scares me that Undercover not only seems to be buggy, but seems to have conceptual design flaws. Nevertheless, I’m quite curious, because after our first review and some emails with the author, he promised us regarding that password issue:
This has been fixed as well. The binary no longer contains a human readable password.
I don’t agree. What he really means is:
The binary no longer contains the password as an ASCII string.
If you wonder what the difference is, it’s using the command line tool strings versus not more than 5 minutes of reading the actual binary code.
After 5 minutes you find something like this:
[curlHandleObject setUsername: username password: [NSString stringWithFormat: @"%d", 0xc0de]]
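To make the difference between the two statements concrete, here is an added example of mine; it is not code from the post and not Orbicule’s code. Two constructed byte buffers stand in for the old and the new binary: the first carries the password as a literal, the second carries only the format string and the integer constant that is turned into the password at runtime. A small `strings` emulation shows why the second one looks clean to `strings`, and a scan for the little-endian immediate shows why a reader of the machine code recovers the password anyway. The buffers, offsets and the sample password are constructed; the only value taken from the post is the constant 0xc0de.

```python
"""Why replacing an ASCII password literal with a formatted integer hides nothing.

Added example (constructed data, not Undercover's binary). The two byte strings below
mimic a tiny code+data section: an ELF magic, some no-op bytes, the user name, then
either the password literal or the "%d" format string plus a mov-immediate of 0xc0de.
"""
import re
import struct
from typing import List, Optional

# What `strings` prints by default: runs of at least 4 printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed "binary" before the fix: the password is a plain literal in the data section.
BEFORE = b"\x7fELF" + b"\x90" * 8 + b"username\x00" + b"s3cretpassw0rd\x00" + b"\xc3"

# Constructed "binary" after the fix: only "%d" and the constant survive; the password
# string 49374 (decimal of 0xc0de) is built at runtime by stringWithFormat:.
AFTER = (b"\x7fELF" + b"\x90" * 8 + b"username\x00" + b"%d\x00"
         + b"\xb8" + struct.pack("<I", 0xC0DE) + b"\xc3")


def strings(blob: bytes) -> List[str]:
    """Emulate the `strings` command line tool over a byte buffer."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def password_visible_to_strings(blob: bytes, password: str) -> bool:
    """True if the password would show up in the output of `strings`."""
    return any(password in s for s in strings(blob))


def find_immediate(blob: bytes, value: int) -> List[int]:
    """Offsets of every 32-bit little-endian immediate equal to `value`.

    This is the five-minute job the post talks about: the constant is right there
    in the code bytes, it just is not an ASCII string.
    """
    needle = struct.pack("<I", value)
    return [i for i in range(len(blob) - len(needle) + 1) if blob[i:i + len(needle)] == needle]


def recovered_password(blob: bytes, value: int) -> Optional[str]:
    """Reproduce what [NSString stringWithFormat:@"%d", value] builds, if the constant is present."""
    return f"{value}" if find_immediate(blob, value) else None


if __name__ == "__main__":
    print("strings(BEFORE):", strings(BEFORE))   # the literal password is listed
    print("strings(AFTER): ", strings(AFTER))    # only "username" is left
    print("immediate 0xc0de at offsets:", find_immediate(AFTER, 0xC0DE))
    print("password rebuilt from the constant:", recovered_password(AFTER, 0xC0DE))
```

The defensive takeaway is the one the post implies: anything a client binary needs to present to a server is readable by whoever has the binary, whatever encoding it is stored in, so a per-installation credential or a platform keychain is the only real fix, not a different constant type.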
So you want to use IMAPS but your client is IMAP only. You can get around that with a little bit of hackery. First install socat (sudo port install socat), then edit /etc/xinetd.conf and restart xinetd – sudo vi /etc/xinetd.conf; sudo killall -HUP inetd:
service imap
{
socket_type = stream
wait = no
nice = 10
user = md
bind = 127.0.0.1
server = /opt/local/bin/socat
server_args = - openssl:rumms.uni-mannheim.de:imaps,verify=0
instances = 4
log_on_success += DURATION HOST USERID
}
Now verify that xinetd is running, listening and acting sane:
md@hextatic ~$ ps ax | grep xinetd
44 ?? Ss 0:00.07 xinetd -dontfork -stayalive
12386 p5 R+ 0:00.01 grep xinetd
md@hextatic ~$ sudo lsof -i -n | grep xinetd
xinetd 44 root 5u IPv4 0x033e0e10 0t0 TCP 127.0.0.1:smtp
xinetd 44 root 6u IPv4 0x033e0b20 0t0 TCP 127.0.0.1:socks
xinetd 44 root 9u IPv4 0x05d10cc0 0t0 TCP 127.0.0.1:imap
md@hextatic ~$ telnet 127.0.0.1 imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS AUTH=PLAIN AUTH=LOGIN] rumms IMAP4rev1 2004.357 at Thu, 2 Feb 2006 23:28:31 +0100 (MET)
That’s it. But note that with this configuration you are still vulnerable to man-in-the-middle attacks.
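The man-in-the-middle exposure comes from verify=0 on the openssl: address: socat accepts whatever certificate the far end presents. As an added example (mine, not part of the post), the script below parses the xinetd stanza above, reports the two things a reviewer would check on such a wrapper (the plaintext side bound to loopback only, and certificate verification on the TLS side), and rewrites server_args with verify=1 plus a CA bundle so socat checks the server certificate. Both verify and cafile are real socat openssl options; the bundle path /opt/local/etc/openssl/cert.pem is an assumption, put in whatever file holds the CA that signed your IMAP server's certificate.

```python
"""Audit an xinetd stanza that fronts socat as an IMAP-to-IMAPS wrapper, and harden it.

Added example, not from the original post. The stanza text is the one shown in the
post; the CA bundle path is an assumption for illustration.
"""
import re
from typing import Dict, List

# Constructed input: the xinetd service block from the post.
WEAK_STANZA = """\
service imap
{
socket_type = stream
wait = no
nice = 10
user = md
bind = 127.0.0.1
server = /opt/local/bin/socat
server_args = - openssl:rumms.uni-mannheim.de:imaps,verify=0
instances = 4
log_on_success += DURATION HOST USERID
}
"""

# Assumption: location of the CA bundle socat should trust. Adjust to your system.
ASSUMED_CAFILE = "/opt/local/etc/openssl/cert.pem"

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_stanza(text: str) -> Dict[str, str]:
    """Return attribute -> value for one `service name { ... }` block (last value wins)."""
    m = re.search(r"service\s+(\S+)\s*\{(.*)\}", text, re.S)
    if not m:
        raise ValueError("no service stanza found")
    attrs: Dict[str, str] = {"service": m.group(1)}
    for line in m.group(2).splitlines():
        line = line.strip()
        if not line:
            continue
        key, _op, value = re.split(r"\s*(\+=|=)\s*", line, maxsplit=1)
        attrs[key] = value.strip()
    return attrs


def socat_openssl_options(server_args: str) -> Dict[str, str]:
    """Extract the option=value pairs attached to the openssl: address, if any."""
    m = re.search(r"openssl:[^,\s]+((?:,[^,\s]+)*)", server_args)
    if not m:
        return {}
    pairs = [o for o in m.group(1).lstrip(",").split(",") if o]
    return dict(o.split("=", 1) if "=" in o else (o, "") for o in pairs)


def audit(attrs: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise for this wrapper; empty list means clean."""
    findings: List[str] = []
    if attrs.get("bind") not in LOOPBACK:
        findings.append("bind is not loopback: the plaintext IMAP side is reachable from the network")
    args = attrs.get("server_args", "")
    if "openssl:" not in args:
        findings.append("server_args has no openssl: address, traffic would not be TLS at all")
        return findings
    opts = socat_openssl_options(args)
    if opts.get("verify") == "0":
        findings.append("verify=0: the server certificate is not checked, any MITM certificate is accepted")
    elif "cafile" not in opts and "capath" not in opts:
        findings.append("no cafile/capath: socat has no trust anchor to verify the server against")
    return findings


def harden(attrs: Dict[str, str], cafile: str = ASSUMED_CAFILE) -> str:
    """Rewrite server_args so that socat verifies the IMAPS server's certificate."""
    args = re.sub(r",verify=0\b", "", attrs["server_args"])
    return re.sub(r"(openssl:[^,\s]+)", rf"\1,verify=1,cafile={cafile}", args, count=1)


if __name__ == "__main__":
    stanza = parse_stanza(WEAK_STANZA)
    for finding in audit(stanza):
        print("finding:", finding)
    fixed = harden(stanza)
    print("hardened server_args =", fixed)
    print("findings after fix:", audit(dict(stanza, server_args=fixed)))
```

With verification on, a certificate that does not chain to the given bundle makes socat abort the connection instead of silently relaying through an interposer, and the loopback bind keeps the plaintext leg from ever leaving the machine.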