Unitymedia WifiSpot on Linux / wpa_supplicant.conf

Here is a working, tested config for Unitymedia WifiSpot on Linux for your /etc/wpa_supplicant.conf:

network={
ssid="Unitymedia WifiSpot"
#bssid=xx:xx:xx:xx:xx:xx
key_mgmt=WPA-EAP
eap=PEAP
identity="unitymedia/dein@mailadresse.de"
password="PASSWORT"
}

If you don't know your login details: in the customer centre, under "Meine Produkte" / "Internet" / "Einstellungen WifiSpot", set a password. If there are several WifiSpots of which only one runs stably, enter its MAC under bssid. Otherwise you don't need that line. Have fun! 🙂
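As an added example (not part of the original post), here is the same network block with server-certificate validation switched on. Without `ca_cert` and a `domain_suffix_match`, wpa_supplicant will run the PEAP/MSCHAPv2 inner authentication against any access point that announces the SSID, so a rogue AP with the same name receives the MSCHAPv2 challenge/response for offline cracking. The CA bundle path, the RADIUS server name and the `anonymous_identity` value are placeholders; take the real values from the provider's documentation.

```conf
network={
    ssid="Unitymedia WifiSpot"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Inner method used by PEAP
    phase2="auth=MSCHAPV2"
    # Outer identity is sent in the clear; the realm shown here is a placeholder
    anonymous_identity="anonymous@mailadresse.de"
    identity="unitymedia/dein@mailadresse.de"
    password="PASSWORT"
    # Verify the RADIUS server certificate before sending credentials.
    # Both values are assumptions: use the CA and server name the provider publishes.
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_suffix_match="radius.example.net"
}
```

If the provider's documentation does not name the RADIUS server, at least keep `ca_cert`, which restricts the accepted certificates to the system trust store instead of accepting anything.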


D-Link DGS-1210 Vulnerabilities

We've used D-Link DGS-1210-48 switches at work for a while, and found some vulnerabilities by accident. We decommissioned all of them about two years ago, so publishing this is already overdue. Enjoy!

The first two are relevant (tested) for hardware revision A1, Firmware before V 2.03.001. See ftp://ftp2.dlink.com/PRODUCTS/DGS-1210-48/REVA/DGS-1210-48_RELEASENOTES_2.03.001_EN_WW.PDF

Searching through some PDFs, this also seems relevant for the DGS-3200 and DGS-1500. D-Link clearly does not have a good security history (http://www.cvedetails.com/vendor/899/D-link.html), so I cannot recommend them from a security point of view at all, as it seems they don't even have a proper testing process.

#1 Information/Config Leak

Just download the device configuration directly from http://IP/config.bin

It took them 11 months to release a new firmware to fix this.

#2 Denial of Service

Just download the configuration (/config.bin) 23 times. It will crash due to a memory leak and reboot after a while.

#3 Time-based Security Tokens

The “gambit” value you get after logging into the web interface is not random, but time-based.

See for yourself, unix timestamp vs. “gambit”:

1328333368 jdfdkdbdadedbdjdjdjdcdkdadkdbgegngjgogkdlgfgjgogdh
1328333369 jdfdkdbdadedbdjdjdjdddkdadkdbgegngjgogkdlgfgjgogdh
1328333370 jdfdkdbdadedbdjdjdjdedkdadkdbgegngjgogkdlgfgjgogdh

This issue is not fixed AFAIR. It’s probably possible to calculate valid gambit tokens without a valid login, but I haven’t put much time into this.

#4 Directory Traversal via HTTP

This is not your usual ../../ traversal, but try this:

curl http://10.90.90.90/flash:iss.log

<134> Jan 1 00:00:00 2009:SYSTEM-6:Side Fan is in low speed.
<130> Jul 25 15:40:35 2012:SYSTEM-2:System started up
<134> Jul 25 15:40:49 2012:LinkStatus-6:Port 48 link up, 100Mbps FULL duplex

[…]

There are some more interesting files available. 😉
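As an added example (not from the original post), the following shell functions show what a defender can do with the three HTTP issues above while the switches are still on the network: flag any request for /config.bin or a flash: path in a reverse proxy or IDS access log, and count config.bin downloads per source and minute so the crash pattern from #2 is visible before the switch reboots. The log lines are constructed samples in Combined Log Format, and the field positions assume that format.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes Combined Log Format,
# where awk field 7 is the request path and field 4 the "[day/Mon/year:HH:MM:SS" stamp.

# Constructed sample log lines (not real traffic).
SAMPLE_LOG='10.0.0.5 - - [25/Jul/2012:15:40:01 +0200] "GET /config.bin HTTP/1.1" 200 8192 "-" "curl/7.26"
10.0.0.5 - - [25/Jul/2012:15:40:02 +0200] "GET /config.bin HTTP/1.1" 200 8192 "-" "curl/7.26"
10.0.0.5 - - [25/Jul/2012:15:40:03 +0200] "GET /config.bin HTTP/1.1" 200 8192 "-" "curl/7.26"
10.0.0.9 - - [25/Jul/2012:15:40:05 +0200] "GET /flash:iss.log HTTP/1.1" 200 512 "-" "curl/7.26"
10.0.0.7 - - [25/Jul/2012:15:41:10 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# Print "source timestamp path" for every request that hits the configuration file (#1)
# or uses the flash: pseudo-path (#4). Reads log lines from stdin.
dlink_sensitive_paths() {
    awk '$7 == "/config.bin" || $7 ~ /^\/flash:/ { print $1, substr($4, 2), $7 }'
}

# Print "source minute count" for every source that fetched config.bin at least
# $1 times within one minute (the post reports a crash after 23 downloads, #2).
dlink_config_burst() {
    awk -v t="$1" '
        $7 == "/config.bin" {
            minute = substr($4, 2, 17)      # e.g. 25/Jul/2012:15:40
            n[$1 " " minute]++
        }
        END { for (k in n) if (n[k] >= t + 0) print k, n[k] }'
}

# Wrappers over the embedded sample so the detection logic can be exercised offline.
count_sensitive_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | dlink_sensitive_paths | wc -l | tr -d ' '
}
burst_sources_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | dlink_config_burst "$1" | awk '{ print $1 }'
}

# Real use: tail -F /var/log/nginx/access.log | dlink_sensitive_paths
```

On the sample, the first function reports four hits (three config.bin downloads and one flash: access) and the burst check with a threshold of 3 names 10.0.0.5 only. The path matches are deliberately exact: the web interface's legitimate pages never start with flash:, so the rule has no false positives on normal administration traffic.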

#5 Directory Traversal via TFTP

Found in 2015, not sure on which firmware version – no details here, enjoy looking. 😉


Creating a Windows 10 installation USB stick on Linux (UEFI / newer BIOS)

Last updated on 23.11.2019 for Windows 10 1909. The last version I verified myself is 1903; please let me know in the comments whether 1909 works too.

To create a USB stick for installing Windows 10 on Linux you have to do a bit more work; there are no ready-made tools. Here is a short guide for modern PCs with UEFI:

Please give me feedback in the comments on whether it works!

First the NEW method, for Windows 10 1809 and later. Thanks to zilla for the pointer to wimsplit.

George99's NTFS method did not work for me; if you test it successfully, please give feedback.

In the following, replace /dev/sda with your USB stick.

# Partitioning
DEVICE=/dev/sda

# Wipe the partition table on the USB stick
dd if=/dev/zero of=$DEVICE bs=1M count=1

# Install the tools needed to split the wim files, because vfat
# cannot handle files > 4GB
sudo apt-get install wimtools
# Set up the partitions
fdisk ${DEVICE}
n
p
1
ENTER
ENTER
t
c
a
w

# Format and mount the drive
mkfs.vfat ${DEVICE}1
mkdir /mnt/usb
mount ${DEVICE}1 /mnt/usb

# Copy the data
mkdir Win10
mount -o loop Win10_1909_German_x64.iso Win10
rsync -avP --exclude='sources/install.wim' Win10/ /mnt/usb/
wimsplit Win10/sources/install.wim /mnt/usb/sources/install.swm 2500
# Unmount the drives
umount /mnt/usb
umount Win10

Now simply boot from it. You usually get into the BIOS by pressing ESC, F1, F2, F8, F11 or F12 immediately after switching on your PC. Good luck!

Alternatively, use this OLD method to install Windows 10 1709, then let Windows work until all updates are installed. That is a bit annoying, but definitely works – entirely without wimsplit.

# Partitioning
DEVICE=/dev/sda

# Wipe the partition table on the USB stick
dd if=/dev/zero of=$DEVICE bs=1M count=1

# Set up the partitions
fdisk ${DEVICE}
n
p
1
ENTER
ENTER
t
c
a
w

# Format and mount the drive
mkfs.vfat ${DEVICE}1
mkdir /mnt/usb
mount ${DEVICE}1 /mnt/usb

# Copy the data
mkdir Win10
mount -o loop Win10_1709_German_x64.iso Win10
cp -a Win10/* /mnt/usb

# Unmount the drives
umount /mnt/usb
umount Win10
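As an added example (not the post's own script), here is the new method above as a non-interactive script with the two guard rails the typed-in version lacks: it refuses to write to any device the kernel does not flag as removable (the `dd` line above aimed at /dev/sda will happily wipe the system disk on many machines), and it checks that the ISO and wimsplit are present before touching the stick. It replaces the interactive fdisk keystrokes with an equivalent sfdisk script; the partition name suffix assumes a /dev/sdX style device.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes root, sfdisk, mkfs.vfat, rsync
# and wimsplit (wimtools), and a /dev/sdX style device whose first partition is ${DEVICE}1.
set -eu

# True when the kernel marks the block device as removable. The sysfs root is a
# parameter so the check can be exercised against a fake tree.
is_removable() {
    dev_name=$(basename "$1")
    sysfs_root=${2:-/sys}
    flag_file="$sysfs_root/block/$dev_name/removable"
    [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]
}

# sfdisk script for one bootable FAT32 (LBA) partition spanning the stick:
# the same result as the fdisk keystrokes n, p, 1, Enter, Enter, t, c, a, w.
sfdisk_layout() {
    printf 'label: dos\n,,c,*\n'
}

# Chunk size in MiB for install.swm; must stay below the 4 GiB FAT32 file limit.
SWM_CHUNK_MB=2500

make_win10_usb() {
    device=$1
    iso=$2
    is_removable "$device" || { echo "refusing: $device is not a removable device" >&2; return 1; }
    [ -f "$iso" ] || { echo "refusing: ISO $iso not found" >&2; return 1; }
    command -v wimsplit >/dev/null || { echo "wimsplit missing: apt-get install wimtools" >&2; return 1; }
    usb_mnt=$(mktemp -d)
    iso_mnt=$(mktemp -d)
    # Wipe the old partition table and write the new layout
    dd if=/dev/zero of="$device" bs=1M count=1 status=none
    sfdisk_layout | sfdisk "$device"
    part="${device}1"
    mkfs.vfat "$part"
    mount "$part" "$usb_mnt"
    mount -o loop,ro "$iso" "$iso_mnt"
    # install.wim exceeds 4 GiB since Windows 10 1809, so it is copied in chunks
    rsync -a --exclude='sources/install.wim' "$iso_mnt"/ "$usb_mnt"/
    wimsplit "$iso_mnt/sources/install.wim" "$usb_mnt/sources/install.swm" "$SWM_CHUNK_MB"
    umount "$usb_mnt"
    umount "$iso_mnt"
    rmdir "$usb_mnt" "$iso_mnt"
}

# Usage: make_win10_usb.sh /dev/sdX Win10_1909_German_x64.iso
if [ "$#" -eq 2 ]; then
    make_win10_usb "$1" "$2"
fi
```

The removable check is deliberately strict: a stick behind some USB-to-SATA bridges reports removable=0 and is refused, which is the safer failure.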

MACsec on Linux

Linux kernel 4.6 now supports MACsec natively. This makes it possible to build encrypted links on layer 2. Very nice! 🙂

Presentation slides: http://bit.ly/20ZBkpV
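As an added example (not from the post or the slides), these are the iproute2 commands that bring up a static-key MACsec link on top of a physical interface, preceded by the key-length check a provisioning script should do first. Interface name, peer MAC and keys are constructed placeholders; static keys are for a lab, and in production the keys would be negotiated with MKA (for example via wpa_supplicant) rather than typed in.

```shell
#!/bin/sh
# Added example (not from the post): static-key MACsec between two hosts via iproute2.
# Assumes Linux >= 4.6 with CONFIG_MACSEC, an iproute2 that provides `ip macsec`, and root.
set -eu

# A MACsec SAK is 128 or 256 bit, i.e. exactly 32 or 64 hex digits.
valid_macsec_key() {
    case $1 in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ ${#1} -eq 32 ] || [ ${#1} -eq 64 ]
}

# Bring up macsec0 on physical interface $1 towards the peer with MAC $2.
# $3 is our transmit key, $4 the peer's transmit key (both hex).
macsec_up() {
    phys=$1; peer_mac=$2; tx_key=$3; rx_key=$4
    for k in "$tx_key" "$rx_key"; do
        valid_macsec_key "$k" || { echo "key must be 32 or 64 hex digits" >&2; return 1; }
    done
    ip link add link "$phys" macsec0 type macsec encrypt on
    # Our outgoing secure association (SA 0); the packet number starts at 1
    ip macsec add macsec0 tx sa 0 pn 1 on key 01 "$tx_key"
    # The peer's secure channel and its SA 0, keyed with the peer's transmit key
    ip macsec add macsec0 rx port 1 address "$peer_mac"
    ip macsec add macsec0 rx port 1 address "$peer_mac" sa 0 pn 1 on key 02 "$rx_key"
    ip link set macsec0 up
}

# Usage (constructed placeholders): macsec_up eth0 00:11:22:33:44:55 <32 hex> <32 hex>
# The peer runs the same with the MACs and the two keys swapped.
if [ "$#" -eq 4 ]; then
    macsec_up "$1" "$2" "$3" "$4"
fi
```

`ip macsec show` then lists the secure channels and the packet numbers, which is also the place to watch for a stalled counter or a counter approaching the 32-bit wrap, since the SA has to be re-keyed before that point.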


Review of Open-E DSS v7

Initially, we were looking for a 10GE iSCSI storage solution that would do synchronous, or at least memory-synchronous, mirroring of data to a second system with automatic failover. We planned to use the system as the storage backend for a few dozen VMs, and wanted the storage to be highly available on a shared IP. Active-active support seemed pretty awesome too, and the system should allow seamless failover.

However, some vendors didn’t provide this option, others were too expensive and the project was an open bidding, so we had to be cheap. The only viable options seemed to be building something ourselves or buying Open-E from a distributor that would take care of the hardware part. They were also offering 24/7 support. It sounded pretty good, and our distributor was saying he did a couple of installations with it, so we went for it. The system consisted of:



Uniqueness of IP addresses not guaranteed at Unitymedia

Until a few days ago it was possible to surf the internet via Unitymedia anonymously or with the address of another subscriber. If you had a Linux machine connected to the Cisco EPC3212 router provided by Unitymedia (for example as a firewall), this was very easy, and it is described in the following. Basic Linux knowledge is assumed. Since this no longer works, I see no problem in publishing a guide here. 🙂

First, check which IP and which subnet you are currently using on the Unitymedia network:



DELL about SSH key authentication on PowerConnect M6220

A coworker asked DELL about SSH public key auth on the PowerConnect M6220, because we wanted to automate something. Anyway, it's pretty common to automate stuff nowadays, right?

Here is DELL's reply on using ssh with keys:

From: xxx@Dell.com [mailto:xxx@Dell.com]
To: xxx
Cc: xxx@Dell.com
Subject: Dell SR:xxxxxxxxx

Good morning Mr. xxx,

I’m the engineer to whom Mr. xxx has escalated the above mentioned
service request. I’m writing to you today to inform you that unfortunately
public key authentication isn't supported in the way you'd like on these
switches with version 5.x firmware. That is, you will either always end up
being asked for a password, in addition / even though you supply correct
private/public key during your ssh session negotiations, or you might end
up inadvertently opening a backdoor for unauthenticated users wishing to
use password authentication only.

Either way, it seems this will take quite some time to fix, so I suggest I
close this service request out now and will keep you informed about any
future developments on this issue.

Kind regards,
xxx, B.Sc. (Hons) in IS/IT

Enterprise Product Engineer, Networking & Linux & Security
Dell | Enterprise Support Services
Office Number (+353 1 xxx xxxx)
M-F (8:00 – 16:30 IST)
Certification: CCNP, RHCE & JNCIP-SEC
How am I doing? Email my manager xxx, xxx
<mailto:xxx@DELL.com>  with any feedback.

Uhm… what? Oo


Why Oracle (and Java) sucks

We were investigating random crashes of a web app, and it turned out to be a Java CORBA bug, so we reported it to Oracle. Today I got the following reply by mail:

I own your service request *-*********** about a Java Corba problem.
Please understand that Java is a free product. Hence support (and bugfixes) can only be provided for Java SE contract customers.

Unfortunately, the Customer Support Identifier CSI#******** you entered does not entitle you to Oracle Java SE support. To submit a Service Request (SR) for Java SE when running your own or third party Java applications, a Java SE Support contract is required.

The bug you are referring to is in state accepted indeed. There are no plans right now to fix it. Of course, if a contract customer requests a fix, then it will be fixed. Otherwise it might take quite some time until a fix becomes available.

[…]

Oracle Java Support starts at $10,000. Thank you very much, so leave the bug open and let other customers stumble upon it. Just yesterday I heard that armed US drones are using CORBA for communication, too… oh my.

Our approach might be using Nagios event handlers to restart crashed application servers, as we have more than N+1 of those. Oracle's mentality pisses me off…


Hidden Services

Not every piece of software supports the URL scheme of Tor hidden services; in that case you can simply use socat as a hack. In this example an IRC hidden service is used with irssi:

socat TCP4-LISTEN:4223,fork SOCKS4A:localhost:XYZ.onion:6667,socksport=9050

This binds the port locally and forwards it through the local Tor SOCKS port to the hidden service. In irssi you can now simply type:

/connect localhost 4223

I think this is a nice generic hack that I didn't want to keep from you. 🙂
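As an added example (not from the post), here is the socat trick wrapped in a small script with two changes a practitioner would want: the listener is bound to 127.0.0.1, because `TCP4-LISTEN:4223` without a `bind=` option listens on every interface and lets anyone on the LAN reach the onion service through your Tor client, and the onion address is sanity-checked before socat is started. The SOCKS port 9050 is the Tor default; the .onion names in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes socat and a Tor SOCKS port on 127.0.0.1:9050.
set -eu

# Accept v2 (16 base32 chars) and v3 (56 base32 chars) onion names, with or without ".onion".
valid_onion() {
    name=${1%.onion}
    case $name in
        *[!a-z2-7]*) return 1 ;;
    esac
    [ ${#name} -eq 16 ] || [ ${#name} -eq 56 ]
}

# onion_forward LOCAL_PORT ONION REMOTE_PORT
# Listens on 127.0.0.1:LOCAL_PORT and relays each connection through Tor to ONION:REMOTE_PORT.
# SOCKS4A hands the hostname to Tor unresolved, which is required for .onion names.
onion_forward() {
    local_port=$1; onion=${2%.onion}.onion; remote_port=$3
    valid_onion "$onion" || { echo "not a valid .onion address: $2" >&2; return 1; }
    exec socat "TCP4-LISTEN:${local_port},bind=127.0.0.1,reuseaddr,fork" \
               "SOCKS4A:127.0.0.1:${onion}:${remote_port},socksport=9050"
}

# Usage: onion_forward 4223 XYZ.onion 6667   (then /connect localhost 4223 in irssi)
if [ "$#" -eq 3 ]; then
    onion_forward "$1" "$2" "$3"
fi
```

`reuseaddr` lets the forwarder be restarted while old connections are still in TIME_WAIT; `fork` keeps serving after the first connection closes, as in the original one-liner.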


Defending against & having fun with WebLOIC

Lately, one of the websites under my protection was being DDoSed by a well-known trouble-making party whose name shall not be released and will stay anonymous. Another party that monitors the web for threats against our websites notified me that a DDoS was currently being started. It seemed that the attackers were spamming a link to an automatically starting WebLOIC via mail and tricked others with a variety of methods into opening the URL so that they would automatically participate in the DDoS.

Let’s move to the technical side: it was a pretty small DDoS, with about 50MBit/s – we probably wouldn’t have noticed as it just looked like a normal traffic spike and did not endanger the availability of the website at all. We’ve handled much larger legitimate traffic spikes for that site already.

A quick investigation showed that WebLOIC was being used and was ‘hosted’ on a nopaste service. Requests looked like this:

GET /?id=1300380622178&msg=We%20Are%20Legion! HTTP/1.1
Host: XXXXXXXXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://xxxxxxxxx.html

Quickly checking out the referer gave me the source code; the id consists of a timestamp and the request id. The 'msg' is a user-changeable text, but 'id' is JavaScript-generated.

How to block it?
– Use a regular expression for the query string (very easy)
– Block users with a referer from that nopaste service (very easy, too)
– Block users that do more than X connections within a minute (easy if you have a decent firewall), side-effects might cause large NAT gateways from mobile providers to be blocked, but that’s better than being completely offline, right?

Where to block:
– block as early as possible: in your DPI firewall, web application firewall or loadbalancer
– *not* in every single webserver
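As an added example (not from the post), the three blocking options above expressed as an nginx configuration for the load balancer in front of the web servers, which is the "as early as possible" position the post recommends. The nopaste host, the upstream address and the server name are placeholders; the query-string pattern is taken from the request shown above (a 13-digit timestamp in `id` followed by `msg`).

```nginx
# Added example, not from the post. Placeholders: nopaste.example.org, www.example.com, 10.0.0.10.

# Per-client rate limit keyed on the address; 60/min is far above normal page loads
# and far below what a browser-based flood sends.
limit_req_zone $binary_remote_addr zone=webloic:10m rate=60r/m;

# 1 when the query string matches the WebLOIC-generated pattern
map $args $webloic_query {
    default 0;
    "~^id=[0-9]{13}&msg=" 1;
}

# 1 when the referer is the nopaste service hosting the attack page
map $http_referer $webloic_referer {
    default 0;
    "~^https?://nopaste\.example\.org/" 1;
}

upstream backend {
    server 10.0.0.10:8080;
}

server {
    listen 80;
    server_name www.example.com;

    location / {
        # 444 closes the connection without sending a response, so the block costs no bandwidth
        if ($webloic_query)   { return 444; }
        if ($webloic_referer) { return 444; }
        # burst absorbs short spikes from large NAT gateways (mobile providers) before
        # excess requests are rejected, which keeps the side effect the post mentions small
        limit_req zone=webloic burst=30 nodelay;
        proxy_pass http://backend;
    }
}
```

The two `map` rules cost almost nothing per request, while the rate limit needs the shared memory zone, so on a busy balancer the pattern rules should come first, as they do here.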

Having Fun:
As the WebLOIC runs in the attacker's browser, there are lots of possibilities:
– redirect attackers to a site known to be monitored by the FBI (explosives, terrorism etc.)
– CSRF, make them post something on a service like facebook or twitter (#iDDoS-site.tdl) and search for their posts. Kindly ask them to stop.
– redirect the attackers to do lots of google searches – they will quickly be blocked by google services
– send a gzip-encoded stream that consumes lots of cpu time and memory on their side, this might even crash the browser
– ‘reflect’ the DDoS to somewhere else (sending 301/302 redirects is pretty low-bandwidth for you)

So in total, WebLOIC was a good idea, but right now it is rather inefficient and its usage might have unwanted side effects… 😉
