Jan 30, 2012

Inventorying your system with cfg2html

Cfg2html is a powerful tool available for Linux which performs an exhaustive inventory of the entire system, producing an HTML or plain ASCII file that reflects all the features (both hardware and software) of the system, such as applications, kernel, modules and libraries, networking, filesystems and so on.

I usually run this tool each time I install a Linux system, in order to keep a full record of it, and besides, I usually schedule a task to repeat this action periodically.

I am going to try out this tool (version 2.37) in this article on a CentOS 6.2 distribution (it is valid for any other Linux system too), by downloading its source code and using the script included in the package. You also have the option of installing those scripts into the operating system (by means of the rpm package), but I think that it is not necessary, since you can use the corresponding script directly.

[root@centos tmp]# wget http://www.cfg2html.com/cfg2html-linux-2.37-20111229_all.zip

[root@centos tmp]# unzip cfg2html-linux-2.37-20111229_all.zip

[root@centos tmp]# tar xvzf cfg2html-linux_2.37-1.tar.gz ; cd cfg2html-linux-2.37

After unpacking it, we may run the cfg2html-linux script to carry out the inventory.

[root@centos cfg2html-linux-2.37]# ./cfg2html-linux

--=[ http://come.to/cfg2html ]=-----------------------------------------------
Starting          cfg2html-linux version 2.37-2011-12-28
Path to Cfg2Html  ./cfg2html-linux
HTML Output File  ./centos.local.html
Text Output File  ./centos.local.txt
Partitions        ./centos.local.partitions.save
Errors logged to  ./centos.local.err
Started at        2012-01-30 21:31:19
WARNING           USE AT YOUR OWN RISK!!! :-))           <<<<<
--=[ http://come.to/cfg2html ]=-----------------------------------------------

Collecting:  Linux System CentOS release 6.2 (Final)  .................................
Collecting:  Cron and At  .....
Collecting:  Hardware  .................
Collecting:  Software  .......
Collecting:  Filesystems, Dump- and Swapconfiguration  ..........
Collecting:  Multipath Configuration  ........
Collecting:  LVM  ............
Collecting:  Network Settings  ................................
Collecting:  Kernel, Modules and Libraries  ...............
Collecting:  System Enhancements  .
Collecting:  Applications and Subsystems  .....

--=[ http://come.to/cfg2html ]=-----------------------------------------------

At the end of the collecting process, you will have an HTML and a txt file with the result of the audit. Any problem that occurred during the gathering process will be reported in the err file.

[root@centos cfg2html-linux-2.37]# ls -l centos.local.*
-rw-r--r--. 1 root root   8410 Jan 30 21:31 centos.local.err
-rw-r--r--. 1 root root 213406 Jan 30 21:31 centos.local.html
-rw-r--r--. 1 root root    259 Jan 30 21:31 centos.local.partitions.save
-rw-r--r--. 1 root root 182348 Jan 30 21:31 centos.local.txt

For example, the next figure shows the HTML output.




Finally, it is also a good idea to create a crontab task so as to collect these data periodically (for instance weekly) and back them up.
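As an added example (my own script, not part of the cfg2html package), the following Python program is the kind of cron job the previous paragraph suggests: it runs cfg2html-linux inside a fresh dated directory, keeps the last few snapshots as a backup, and prints which lines of the text report changed since the previous run, which is what a practitioner actually wants from a periodic inventory (configuration drift, new kernel modules, new packages). The script path, the snapshot directory and the sample report lines used for the comparison are assumptions/constructed values, not taken from the original post.

```python
"""Periodic cfg2html snapshot with change detection.

Added example for this post, not part of cfg2html itself. CFG2HTML and
SNAPSHOT_DIR are placeholder paths to adjust; cfg2html-linux writes
<hostname>.html/.txt/.err into the directory it is started from.
"""
import datetime
import difflib
import re
import shutil
import subprocess
from pathlib import Path

CFG2HTML = Path("/opt/cfg2html-linux-2.37/cfg2html-linux")   # placeholder path
SNAPSHOT_DIR = Path("/var/backups/cfg2html")                  # placeholder path
KEEP = 8                                                      # snapshots to retain

# Report lines that differ on every run without the system having changed.
VOLATILE = [
    re.compile(r"^\s*(Started|Ended) at"),
    re.compile(r"\b\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\b"),   # any timestamp
]


def is_volatile(line):
    return any(p.search(line) for p in VOLATILE)


def inventory_changes(old_text, new_text):
    """Compare two cfg2html text reports; return (removed_lines, added_lines)."""
    old_lines = [l for l in old_text.splitlines() if not is_volatile(l)]
    new_lines = [l for l in new_text.splitlines() if not is_volatile(l)]
    removed, added = [], []
    matcher = difflib.SequenceMatcher(a=old_lines, b=new_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(old_lines[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(new_lines[j1:j2])
    return removed, added


def format_report(removed, added):
    """Render the change set as a short diff-like text block."""
    if not removed and not added:
        return "no changes since previous snapshot"
    lines = ["%d line(s) removed, %d line(s) added" % (len(removed), len(added))]
    lines += ["- " + l for l in removed] + ["+ " + l for l in added]
    return "\n".join(lines)


def snapshot_dirs():
    if not SNAPSHOT_DIR.is_dir():
        return []
    return sorted(d for d in SNAPSHOT_DIR.iterdir() if d.is_dir())


def take_snapshot(now=None):
    """Run cfg2html inside a fresh dated directory; return the .txt report it wrote."""
    now = now or datetime.datetime.now()
    target = SNAPSHOT_DIR / now.strftime("%Y%m%d-%H%M%S")
    target.mkdir(parents=True, exist_ok=True)
    subprocess.run([str(CFG2HTML)], cwd=target, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    reports = sorted(target.glob("*.txt"))
    if not reports:
        raise RuntimeError("cfg2html wrote no text report into %s" % target)
    return reports[0]


def prune_snapshots(keep=KEEP):
    """Delete the oldest snapshot directories, keeping the newest `keep`."""
    for old in snapshot_dirs()[:-keep]:
        shutil.rmtree(old)


def main():
    if not CFG2HTML.is_file():
        raise SystemExit("cfg2html-linux not found at %s" % CFG2HTML)
    previous = snapshot_dirs()
    report = take_snapshot()
    if previous:
        old_reports = sorted(previous[-1].glob("*.txt"))
        if old_reports:
            print(format_report(*inventory_changes(
                old_reports[0].read_text(errors="replace"),
                report.read_text(errors="replace"))))
    prune_snapshots()


if __name__ == "__main__":
    main()
```

A weekly crontab line such as `0 3 * * 1 /usr/bin/python3 /usr/local/sbin/cfg2html_snapshot.py` (assumed path) is enough; cron mails the printed change report, so an unexpected new module or package shows up without anyone having to open the full HTML.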


Jan 22, 2012

Secure remote access to home through OpenVPN (III)

Let's wrap up the series of articles about my secure remote access to home through OpenVPN. In the first part, I had to get over the issue of the dynamic IP address used by my ADSL service. I overcame it by using a free dynamic DNS service: DNSdynamic. In the second one, I relied on easy-rsa in order to generate the suitable digital certificates.

Now we are ready to set OpenVPN up on both sides of the connection: the client and the server. First up, let's begin with the server by installing OpenVPN directly from the Ubuntu repositories. Then we have to copy the appropriate certificates generated by easy-rsa into the openvpn directory, and finally, edit the OpenVPN configuration file for the server.

root@javi-pc:/home/javi/tmp/2.0# aptitude install openvpn

root@javi-pc:/home/javi/tmp/2.0/keys# cp ca.crt server.crt server.key dh1024.pem /etc/openvpn/

root@javi-pc:/home/javi# cat /etc/openvpn/server.conf
# Use a dynamic TUN device
dev tun

# Set virtual point-to-point IP addresses
ifconfig 10.0.0.1 10.0.0.2

# Use TCP for communicating with client
proto tcp-server

# Enable TLS and assume server role during TLS handshake
tls-server

# File containing Diffie Hellman parameters
dh /etc/openvpn/dh1024.pem

# Certificate authority (CA) file
ca /etc/openvpn/ca.crt

# Local peer's signed certificate
cert /etc/openvpn/server.crt

# Local peer's private key
key /etc/openvpn/server.key

# Use fast LZO compression
comp-lzo

# Ping the remote every 10 seconds and restart after 60 seconds without a sign of life from it
keepalive 10 60

# Output logging messages to openvpn.log file
log /var/log/openvpn.log

# Set output verbosity to normal usage range
verb 3

Now we only have to start the OpenVPN daemon; afterwards we can verify that the service is listening on TCP port 1194. A final task will be to open that port on the router and forward all that traffic to the server.

root@javi-pc:/home/javi# /etc/init.d/openvpn start

root@javi-pc:/home/javi# netstat -natp | grep openvpn
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN    19781/openvpn

Let's now set up the other side of the tunnel: the client. It will be necessary as well to install OpenVPN from the Ubuntu repositories and copy the appropriate digital certificates into the openvpn directory.

root@javi-laptop:~# aptitude install openvpn

root@javi-laptop:~# cat /etc/openvpn/client.conf
# Use a dynamic TUN device
dev tun

# Connect to server
remote test.dnsdynamic.com

# Set virtual point-to-point IP addresses
ifconfig 10.0.0.2 10.0.0.1

# Use TCP for communicating with server
proto tcp-client

# Enable TLS and assume client role during TLS handshake
tls-client

# Require the remote certificate to be designated as a server-only certificate
remote-cert-tls server

# Certificate authority (CA) file
ca /etc/openvpn/ca.crt

# Local peer's signed certificate
cert /etc/openvpn/client.crt

# Local peer's private key
key /etc/openvpn/client.key

# Use fast LZO compression
comp-lzo

# Ping the remote every 10 seconds and restart after 60 seconds without a sign of life from it
keepalive 10 60

# Output logging messages to openvpn.log file
log /var/log/openvpn.log

# Set output verbosity to normal usage range
verb 3

Lastly, we must remove the runlevel links for the OpenVPN init script, so that it is not started at boot and we can launch it manually whenever we want.

root@javi-laptop:~# update-rc.d -f openvpn remove

root@javi-laptop:~# /etc/init.d/openvpn start
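The client configuration above has one line that does the security work: remote-cert-tls server, without which any holder of a certificate signed by our CA (another client, for instance) could pose as the server. As an added example (my own code, not part of OpenVPN), here is a small parser for OpenVPN's configuration format and a checker that flags a client config missing that directive or the TLS/certificate directives the post uses. The embedded CLIENT_CONF is a copy of the client.conf shown above; the inline <ca>...</ca> block handling goes beyond the post's config and is an assumption about the format, not something the post demonstrates.

```python
"""Parse an OpenVPN config and check the client-side settings used in this post.

Added example, not part of OpenVPN. CLIENT_CONF mirrors the client.conf above
so the checker can run offline; pass a path as first argument to check a file.
"""
import shlex
import sys

CLIENT_CONF = """\
# Use a dynamic TUN device
dev tun
# Connect to server
remote test.dnsdynamic.com
ifconfig 10.0.0.2 10.0.0.1
proto tcp-client
tls-client
remote-cert-tls server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
comp-lzo
keepalive 10 60
log /var/log/openvpn.log
verb 3
"""


def parse_openvpn_conf(text):
    """Return {option: [args, ...]} for every directive (options may repeat).

    Skips '#' and ';' comment lines, honours quoted arguments, and records an
    inline <tag>...</tag> block as the option `tag` with the single argument
    "inline" (assumed representation, chosen for this example)."""
    options = {}
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:                 # inside <tag> ... </tag>
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            options.setdefault(inline, []).append(["inline"])
            continue
        parts = shlex.split(line, comments=True)   # drops trailing '# ...' comments
        if parts:
            options.setdefault(parts[0], []).append(parts[1:])
    return options


def has(options, name, *args):
    """True if `name` appears with exactly the given leading arguments."""
    return any(tuple(a[:len(args)]) == args for a in options.get(name, []))


def check_client_conf(options):
    """Return findings for a client config; an empty list means it matches the post's setup."""
    findings = []
    if not options.get("remote"):
        findings.append("no 'remote' directive: the client has no server to connect to")
    if not has(options, "tls-client") and not has(options, "client"):
        findings.append("neither 'tls-client' nor 'client' is set, so no TLS handshake takes place")
    if not (has(options, "remote-cert-tls", "server") or has(options, "ns-cert-type", "server")):
        findings.append("missing 'remote-cert-tls server': any certificate signed by the CA, "
                        "including another client's, would be accepted as the server")
    for name in ("ca", "cert", "key"):
        if not options.get(name):
            findings.append("missing '%s' directive" % name)
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CLIENT_CONF
    problems = check_client_conf(parse_openvpn_conf(text))
    print("\n".join(problems) if problems else "client config OK")
    sys.exit(1 if problems else 0)
```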


Jan 14, 2012

Shutting out ARP poisoning and spoofing with ArpON

Based on the series of articles that I wrote about ARP poisoning (I, II and III), I would like to put forward a great tool, ArpON (Arp handler inspectiON), aimed at protecting us against ARP poisoning, spoofing and routing, by preventing attacks such as Man in the Middle (MitM). It also prevents derived attacks such as DNS and web spoofing, and session and SSL/TLS hijacking.

This is the typical program that I always install on any Linux computer, since it is essential in order to shut out any of the attacks mentioned above. Furthermore, it is really useful when you are on the move and have to connect your laptop to some untrusted network, such as in a library, pub, airport and so on.

ArpON uses two kinds of methods: DARPI (Dynamic Arp Inspection) and SARPI (Static Arp Inspection). With the second technique, you have to register in a configuration file the MAC and IP address of each computer that you trust. This may be a hard task when you have lots of devices in your network. In contrast, DARPI inspects all incoming and outgoing ARP packets.

In this article, I am going to set up DARPI on Ubuntu 11.10. I will install ArpON from the official repository (version 2.0). It is a pity because this version came out last year and I cannot understand why it has not been updated in the last release of Ubuntu. The current version which you can download from the ArpON web site is 2.7.

On PCs or laptops, I prefer to install it from the Ubuntu repositories, because it will be automatically upgraded (in theory) with each new release of Ubuntu. Instead, on production servers, it pays off to compile it from its source code so as to have the latest version.

Ok, so we are going to install ArpON and put it into DARPI mode. In addition, ArpON will be started automatically at boot.

root@victim:~# aptitude install arpon

root@victim:~# cat /etc/default/arpon
...
# For DARPI uncomment the following line
DAEMON_OPTS="-q -f /var/log/arpon/arpon.log -g -d"

# Modify to RUN="yes" when you are ready
RUN="yes"

root@victim:~# /etc/init.d/arpon start

First up, we are going to take a look at the ARP table of the victim (remember that the computers involved were presented in the first article about ARP poisoning). As you can see, the trusted addresses are tagged as PERM (permanent).

root@victim:~# arp -a
? (192.168.1.150) at 00:80:5a:54:32:67 [ether] PERM on eth0
? (192.168.1.1) at 00:60:b3:50:ab:45 [ether] PERM on eth0
? (192.168.1.11) at 00:0c:29:18:36:e6 [ether] PERM on eth0

If we look at the log produced by ArpON at startup, it first of all cleans up the ARP cache by removing all entries, so that no previously poisoned entry survives.

root@victim:~# tail -f /var/log/arpon/arpon.log
  17:55:00 - Wait link connection on eth0...
  17:55:12 - DARPI on dev(eth0) inet(192.168.1.10) hw(0:c:29:69:81:47)
  17:55:12 - Deletes these Arp Cache entries:
  17:55:12 - 1)   192.168.1.150 ->  0:80:5a:54:32:67
  17:55:12 - 2)     192.168.1.1 ->  0:60:b3:50:ab:45
  17:55:12 - 3)    192.168.1.11 ->   0:c:29:18:36:e6
  17:55:12 - Cache entry timeout: 500 milliseconds.
  17:55:12 - Realtime Protect actived!
  17:55:46 - Request >> Add entry 192.168.1.150
  17:55:46 - Reply   << Refresh entry 192.168.1.150 -> 0:80:5a:54:32:67
  17:55:47 - Request >> Add entry 192.168.1.1
  17:55:47 - Reply   << Refresh entry 192.168.1.1 -> 0:60:b3:50:ab:45
  17:55:58 - Request << Delete entry 192.168.1.150 -> 0:80:5a:54:32:67
  17:55:58 - Reply   >> Send to 192.168.1.150 -> 0:80:5a:54:32:67
  17:55:58 - Request >> Add entry 192.168.1.150
  17:55:58 - Reply   << Refresh entry 192.168.1.150 -> 0:80:5a:54:32:67
...

To sum up how ArpON works in DARPI mode, first note that ArpON maintains its own table, called the DARPI cache, and applies different rules to each kind of packet.

ARP request

For outbound traffic (requests generated by us), ArpON lets the packet pass and adds an entry for the target into the DARPI cache. For inbound traffic (requests that reach us from the network), ArpON refuses the packet and deletes the entry for the source address from the ARP cache, because that packet could be poisoned. The kernel will then send out an ARP request of its own so as to verify the origin.

ARP reply

For outgoing traffic, ArpON just lets the reply pass. For incoming traffic, ArpON verifies whether the source address matches an entry in the DARPI cache (that is, whether we asked for it). If so, it lets the packet in and adds the entry to the ARP cache. Otherwise, it denies the packet and removes that entry from the ARP cache.
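To make the four rules concrete, here is an added simulation of them in Python. This is my own model, not ArpON's code: the packet representation is invented for the example, the constructed trace replays the situation from this post (the victim resolves the router, then an unsolicited reply offers a different MAC for the router's address), and the 500 ms lifetime of a DARPI cache entry is taken from the "Cache entry timeout: 500 milliseconds" line in the log above, while the exact way ArpON applies that timeout is an assumption.

```python
"""Simulation of the DARPI rules described in the post (added example, not ArpON code).

A DARPI cache entry is created by our own outbound request and is assumed to be
valid for DARPI_TIMEOUT seconds; an inbound reply is accepted only while such an
entry exists, otherwise it is rejected and the ARP cache entry is deleted.
"""
from dataclasses import dataclass

DARPI_TIMEOUT = 0.5   # seconds; value taken from ArpON's log line above


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    direction: str   # "out" (sent by us) or "in" (received from the network)
    sender_ip: str
    sender_mac: str
    target_ip: str
    time: float      # seconds, used for the DARPI cache timeout


class DarpiInspector:
    def __init__(self):
        self.darpi_cache = {}   # target IP we asked about -> time of our request
        self.arp_cache = {}     # kernel ARP table as DARPI leaves it: IP -> MAC
        self.events = []        # (time, text) in the spirit of arpon.log

    def _log(self, pkt, text):
        self.events.append((pkt.time, text))

    def handle(self, pkt):
        """Apply the DARPI rule for one packet; return True if it is let through."""
        if pkt.op == "request" and pkt.direction == "out":
            # Outbound request: allowed, and we remember whom we asked.
            self.darpi_cache[pkt.target_ip] = pkt.time
            self._log(pkt, "Request >> Add entry %s" % pkt.target_ip)
            return True
        if pkt.op == "request" and pkt.direction == "in":
            # Inbound request: refused; the sender's mapping is dropped so the
            # kernel re-verifies it with an outbound request of its own.
            self.arp_cache.pop(pkt.sender_ip, None)
            self._log(pkt, "Request << Delete entry %s -> %s" % (pkt.sender_ip, pkt.sender_mac))
            return False
        if pkt.op == "reply" and pkt.direction == "out":
            # Outbound reply: always allowed.
            self._log(pkt, "Reply   >> Send to %s" % pkt.target_ip)
            return True
        # Inbound reply: accepted only if it answers a recent request of ours.
        asked = self.darpi_cache.pop(pkt.sender_ip, None)
        if asked is not None and pkt.time - asked <= DARPI_TIMEOUT:
            self.arp_cache[pkt.sender_ip] = pkt.sender_mac
            self._log(pkt, "Reply   << Refresh entry %s -> %s" % (pkt.sender_ip, pkt.sender_mac))
            return True
        self.arp_cache.pop(pkt.sender_ip, None)
        self._log(pkt, "Reply   << Delete entry %s -> %s" % (pkt.sender_ip, pkt.sender_mac))
        return False


def run_scenario():
    """Constructed trace: we resolve the router, then an unsolicited reply claims its IP."""
    us, router = "192.168.1.10", "192.168.1.1"
    our_mac, router_mac, other_mac = "00:0c:29:69:81:47", "00:60:b3:50:ab:45", "00:0c:29:20:9f:9b"
    trace = [
        ArpPacket("request", "out", us, our_mac, router, 0.00),
        ArpPacket("reply", "in", router, router_mac, us, 0.02),   # answer to our request
        ArpPacket("reply", "in", router, other_mac, us, 5.00),    # unsolicited: not asked for
    ]
    inspector = DarpiInspector()
    verdicts = [inspector.handle(p) for p in trace]
    return inspector, verdicts


if __name__ == "__main__":
    inspector, verdicts = run_scenario()
    for (t, text), ok in zip(inspector.events, verdicts):
        print("%6.2fs %-4s %s" % (t, "pass" if ok else "drop", text))
    print("ARP cache:", inspector.arp_cache)
```

Note the third outcome: the unsolicited reply is dropped and the router's entry is deleted rather than overwritten, which matches the "Reply << Delete entry 192.168.1.1 -> ..." lines ArpON logs later in this post; the kernel then re-resolves the router with a request of its own, which is why the real table still ends up with the right MAC.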

To begin the test, we are going to run a MitM attack between the router and the victim from the attacker machine.

root@attacker:~# ettercap -TqM arp:remote /192.168.1.1/ /192.168.1.10/

If we review the ArpON log again, we can see that the poisoning attempts from the attacker are correctly rejected: each inbound reply for 192.168.1.1 that offers the attacker's MAC is deleted instead of being accepted.

root@victim:~# tail -f /var/log/arpon/arpon.log
...
  18:13:16 - Reply   << Delete entry 192.168.1.1 -> 0:c:29:20:9f:9b
  18:13:17 - Reply   << Delete entry 192.168.1.1 -> 0:c:29:20:9f:9b
  18:13:18 - Reply   << Delete entry 192.168.1.1 -> 0:c:29:20:9f:9b
...

You can also check this situation by activating the chk_poison plugin in the same ettercap session.

root@attacker:~# ettercap -TqM arp:remote /192.168.1.1/ /192.168.1.10/
...
Plugin name (0 to quit): chk_poison
Activating chk_poison plugin...

chk_poison: Checking poisoning status...
chk_poison: No poisoning between 192.168.1.10 -> 192.168.1.1

Another way is to print the ARP cache again. As you can see, a new entry for the attacker (192.168.1.20) has been added, and the other ones remain unchanged.

root@victim:~# arp -a
? (192.168.1.11) at 00:0c:29:18:36:e6 [ether] PERM on eth0
? (192.168.1.20) at 00:0c:29:20:9f:9b [ether] PERM on eth0
? (192.168.1.1) at 00:60:b3:50:ab:45 [ether] PERM on eth0
? (192.168.1.150) at 00:80:5a:54:32:67 [ether] PERM on eth0


Jan 6, 2012

Secure remote access to home through OpenVPN (II)

Let's get started by running the vars script, in order to set the parameters (openssl.cnf file, key size, country, city, email, etc.) used by the other scripts. In addition, we must execute the clean-all script as well, which takes care of preparing and initializing the keys directory, where new certificates, requests, private keys, etc. are stored.

root@javi-pc:/home/javi/tmp/2.0# . ./vars

root@javi-pc:/home/javi/tmp/2.0# . ./clean-all

After preparing the environment, the next step will be to create a CA (Certification Authority), that is to say, a root certificate and private key with which we will be able to issue and sign certificates later.

root@javi-pc:/home/javi/tmp/2.0# . ./build-ca
Generating a 1024 bit RSA private key
.++++++
...................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:SP
State or Province Name (full name) [CA]:Madrid
Locality Name (eg, city) [SanFrancisco]:Madrid
Organization Name (eg, company) [Fort-Funston]:openvpn
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:ca
Name [changeme]:
Email Address [mail@host.domain]:

Afterwards we have to generate the Diffie-Hellman parameters. This file is used on the server side for SSL/TLS connections.

root@javi-pc:/home/javi/tmp/2.0# . ./build-dh

Now we have the necessary infrastructure to be able to issue digital certificates. So let's get going by building the server certificate first of all. As in the case of the CA certificate, you will be asked for certain information which will be included in the certificate (country, state, location, common name, email, etc.).

In order to avoid Man in the Middle attacks (MitM) where an authorized client tries to connect to another client by impersonating the server, we must create the server certificate through the build-key-server script and not build-key. This operation designates the certificate as a server-only certificate, by setting the right attributes (nsCertType=server). This prevents clients from connecting to any server whose certificate lacks the nsCertType=server attribute, even if the certificate has been signed by a valid CA.

root@javi-pc:/home/javi/tmp/2.0# . ./build-key-server server
Generating a 1024 bit RSA private key
.....++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:SP
State or Province Name (full name) [CA]:Madrid
Locality Name (eg, city) [SanFrancisco]:Madrid
Organization Name (eg, company) [Fort-Funston]:openvpn
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:      
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/javi/tmp/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SP'
stateOrProvinceName   :PRINTABLE:'Madrid'
localityName          :PRINTABLE:'Madrid'
organizationName      :PRINTABLE:'openvpn'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jan  3 00:27:23 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

In the case of the client certificate, we follow the same steps as before, but now using the build-key script.

root@javi-pc:/home/javi/tmp/2.0# . ./build-key client

And finally, let's take a look at all files created by means of this procedure.

root@javi-pc:/home/javi/tmp/2.0# tree keys
keys
├── 01.pem
├── 02.pem
├── ca.crt
├── ca.key
├── client.crt
├── client.csr
├── client.key
├── dh1024.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── serial
├── serial.old
├── server.crt
├── server.csr
└── server.key
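Before copying keys/server.crt to /etc/openvpn it is worth confirming that build-key-server really produced a server-only certificate, since a certificate made with build-key by mistake would be signed by the same CA and only differ in these attributes. As an added example (my own code, not part of easy-rsa or OpenVPN), the script below parses the text that openssl x509 -in server.crt -noout -text prints and checks for nsCertType=server together with the serverAuth extended key usage and keyUsage bits, which easy-rsa's server section sets alongside nsCertType and which the remote-cert-tls server directive from part III relies on. The two embedded excerpts of openssl output are constructed for the example so it runs offline.

```python
"""Verify that a certificate carries the server-only attributes.

Added example, not part of easy-rsa. It parses the human-readable form of a
certificate as printed by `openssl x509 -noout -text`. SERVER_SAMPLE and
CLIENT_SAMPLE are constructed excerpts of that output, not real certificates.
"""
import subprocess
import sys

SERVER_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=SP, ST=Madrid, L=Madrid, O=openvpn, OU=changeme, CN=server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

CLIENT_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=SP, ST=Madrid, L=Madrid, O=openvpn, OU=changeme, CN=client
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""


def cert_text(path):
    """Return the text dump of a PEM certificate using the openssl CLI."""
    return subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout


def _extension_values(text, header):
    """Collect the comma-separated values indented under an extension header line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(header):
            indent = len(line) - len(line.lstrip())
            values = []
            for nxt in lines[i + 1:]:
                # The extension's values are the more deeply indented lines that follow.
                if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                values.extend(v.strip() for v in nxt.split(","))
            return values
    return []


def server_attributes(text):
    """Report the attributes a client checks before trusting a server certificate."""
    ns_type = _extension_values(text, "Netscape Cert Type:")
    eku = _extension_values(text, "X509v3 Extended Key Usage:")
    key_usage = _extension_values(text, "X509v3 Key Usage:")
    return {
        "ns_cert_type_server": "SSL Server" in ns_type,          # ns-cert-type server
        "eku_server_auth": "TLS Web Server Authentication" in eku,  # remote-cert-tls server
        "key_usage_present": bool(key_usage),
    }


def is_server_certificate(attrs):
    """True only if both the nsCertType and the EKU mark the certificate as a server one."""
    return attrs["ns_cert_type_server"] and attrs["eku_server_auth"]


if __name__ == "__main__":
    text = cert_text(sys.argv[1]) if len(sys.argv) > 1 else SERVER_SAMPLE
    attrs = server_attributes(text)
    for name, value in attrs.items():
        print("%-22s %s" % (name, "yes" if value else "NO"))
    sys.exit(0 if is_server_certificate(attrs) else 1)
```

Run it as `python3 check_server_cert.py keys/server.crt` (script name assumed) right after build-key-server; a non-zero exit means the certificate would be rejected by a client configured with remote-cert-tls server, so it should not be copied to the server.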