Category Archives: Security

Stuff about information technology security.

Loki: A Python Infrastructure Protocol Suite

It’s been a while since I last posted, so I’m going back in time to write briefly about an awesome talk I attended at Black Hat 2010 in Las Vegas (last year, duh).

The toolkit is (poorly) named Loki. There are so many packages out there named Loki already, but I get where they were going with it.

It was written by three brilliant German fellows: Daniel Mende, Rene Graf and Enno Rey of ERNW. The primary focus is manipulating and exploiting infrastructure (layer 2/3) protocols, but of course these are all based on the entire protocol stack, so they have laid a nice framework that is way easier to use than other packet manipulation modules out there like Scapy, albeit more specialized. As of right now it has support for BGP, OSPF, ARP, ISIS, RIP, HSRP (v1 and v2), VRRP (v2 and v3), BFD, LDP, and MPLS. And it can spoof all of them!

Loki itself is pure Python, although it does have some system-level dependencies. It centers mostly around loki.py, which is a GUI application that is its bread and butter. This app is effectively a router emulator that allows you to establish peerings and execute brute force attacks. For example, all you need is a single BGP packet from the wire and you can then perform your brute-force against the authentication key offline.

In some cases for protocols with no authentication such as VRRP–which is commonly used for providing redundant default gateways for Internet egress–you can push out another peer as a default gateway and take over that role with mind-blowing ease.
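One way to watch for the VRRP takeover described above, as an added example (not part of Loki or the original post): parse VRRPv2 advertisements (RFC 3768) and flag senders that are not on an allowlist or that displace the current master. The allowlist, the addresses and the sample packets are constructed for illustration.

```python
import socket
import struct

def parse_vrrp2(payload):
    """Decode a VRRPv2 advertisement (RFC 3768) from an IP protocol 112 payload."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, auth, _intvl, _cksum = struct.unpack("!BBBBBBH", payload[:8])
    if (vt >> 4) != 2 or (vt & 0x0F) != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(payload) < 8 + 4 * count:
        raise ValueError("truncated virtual IP list")
    vips = [socket.inet_ntoa(payload[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "auth_type": auth, "vips": vips}

def audit(adverts, allowed):
    """adverts: (source IP, payload) pairs in capture order.
    allowed: hypothetical allowlist {VRID: set of legitimate router IPs}."""
    findings, master = [], {}
    for src, payload in adverts:
        adv = parse_vrrp2(payload)
        vrid = adv["vrid"]
        if src not in allowed.get(vrid, ()):
            findings.append((src, vrid, "unlisted sender, priority %d" % adv["priority"]))
        # Only the master advertises, so a new sender means the role has moved.
        if master.get(vrid, src) != src:
            findings.append((src, vrid, "master changed from " + master[vrid]))
        master[vrid] = src
    return findings

# Constructed sample capture (checksums zeroed, not validated here):
# VRID 1, one virtual IP 10.0.0.1, auth type 0, 1 s advertisement interval.
_TAIL = "0100010000" + "0a000001" + "00" * 8
SAMPLE = [
    ("10.0.0.2", bytes.fromhex("210164" + _TAIL)),   # expected master, priority 100
    ("10.0.0.2", bytes.fromhex("210164" + _TAIL)),
    ("10.0.0.66", bytes.fromhex("2101ff" + _TAIL)),  # unknown host, priority 255
]
ALLOWED = {1: {"10.0.0.2", "10.0.0.3"}}

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWED):
        print(finding)
```

A master change between two allowlisted routers is an ordinary failover; the combination of an unlisted sender and a master change is the case worth alerting on.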

If you poke around you’ll see that they’ve encapsulated each protocol into its own module, making almost all of it reusable outside of the GUI. Additionally, if you go to the main page of their site and scroll down to Tools, you’ll see a few other packages they’ve released.

For a more technical read, check out a recent blog post by Mike Poor.

Proxying SSH with SOCKS (HTTP was so 2007)

By writing this I am assuming you know what SOCKS is, and you know what SSH is. If you don’t, here is a picture of a monkey fucking a coconut to make this visit worth your while:

Could be a melon, but looks like a co-co-nut.


So, there comes a time in a man’s life when people at work on the inside network need to access things on the internet.  This is called “proxying”.  Yes, yes, I know; very fascinating.  These secure machines on the inside network don’t have access to the internet by design (See RFC 1918).  It’s the most basic layer of obfuscation (a 25 cent word we use a lot in the security world) and protection from bad internet traffic, not including firewalls and all that other exciting stuff.

Ok so we want to let our secure hosts on the inside proxy SSH to the internet via our SOCKS server.

Assumptions:

  • A Unix/Linux machine with the latest version of netcat installed (assumed to be found at /usr/bin/nc).  All modern operating systems have this.  Stop whining.
  • A SOCKS proxy listening on TCP port 1080.
  • A remote internet server listening for SSH connections on TCP port 22.
  • You know what ~ means.  (Hint:  It’s shorthand for your home directory.)

Do the damn thing:

Create an entry in ~/.ssh/config. If this file doesn’t exist, create it. If it does, add this shit to the bottom:

Host proxythatshit
    ProxyCommand /usr/bin/nc -X 5 -x proxy.whatever.com:1080 internet.com 22

Write, quit, and then test that shit! I am hoping that you gathered “proxythatshit” is the nickname we’re assigning this proxied connection to internet.com. By putting this stuff in the config file, it makes it easy to reuse.

% ssh proxythatshit
jathan@proxythatshit's password:
[jathan@internet.com]~%

Did you see that? It worked!! OMGZ!!JLk

A little breakdown:

ProxyCommand /usr/bin/nc -X 5 -x proxy.whatever.com:1080 internet.com 22

  • ProxyCommand: An OpenSSH directive that tells SSH how to proxy the connection
  • /usr/bin/nc: The path to the netcat binary and the ProxyCommand in question here.  Proxying is one of the many things netcat does.
  • -X 5: Tells netcat to use SOCKS version 5
  • -x proxy.whatever.com:1080: Tells netcat to proxy the connection using proxy.whatever.com on port 1080
  • internet.com 22: The name and port of the destination we’re trying to get to by way of the proxy

Why SOCKS?

You may be asking yourself, “Why not just use an HTTP proxy?”  Because HTTP proxies tend to be very picky about allowing you to proxy non-HTTP connections to destination ports other than the one you connected to.  In other words, if the proxy is listening on port 8080, good luck proxying a connection that isn’t HTTP (such as this SSH proxy thing) on anything other than port 80, 443, or 8080; it probably won’t work. If you’re using mod_proxy, it absolutely will not work.  Don’t ask me why.  It just doesn’t.  Squid might work, but it is a pain in the ass to set up.
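What `-X 5` in the ProxyCommand above amounts to on the wire, as an added example that is not from the original post: the SOCKS5 exchange from RFC 1928, built and parsed as bytes for the post's placeholder destination internet.com port 22. Sending the hostname as a domain-name address (so the proxy does the DNS lookup) is an assumption of this example, as are all function names.

```python
import ipaddress
import struct

VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLIES = {  # REP field values defined in RFC 1928
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}

def greeting():
    """Client hello: VER, NMETHODS, METHODS (offer only 'no authentication')."""
    return bytes([VER, 1, NO_AUTH])

def check_method(reply):
    """Server answers VER, METHOD; 0xFF means none of the offered methods fit."""
    ver, method = struct.unpack("!BB", reply[:2])
    if ver != VER or method != NO_AUTH:
        raise ConnectionError("proxy refused no-auth (method 0x%02x)" % method)
    return method

def connect_request(host, port):
    """CONNECT request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:
        # Not an IP literal: send the name and let the proxy resolve it.
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1-255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)

def connect_result(reply):
    """Map the REP byte of the server's reply to its RFC 1928 meaning."""
    ver, rep = struct.unpack("!BB", reply[:2])
    if ver != VER:
        raise ConnectionError("not a SOCKS5 reply")
    return REPLIES.get(rep, "unassigned reply code %d" % rep)

if __name__ == "__main__":
    print(greeting().hex(), connect_request("internet.com", 22).hex())
```

After a "succeeded" reply the proxy just relays bytes in both directions, which is why the SSH session runs over it unchanged.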

There you have it.  Don’t blame me if you get fired because you were looking at a picture of a monkey fucking a coconut for the 52 seconds it took to read this.

CheckPoint Firewalls Can Suck My Whole Ass

Fuck CheckPoint, and fuck the people who both make them and buy them.  Yes, you!  Assholes!  Seriously?  It’s fucking 2009 and you’re still making a firewall product that requires motherfucking WINDOWS to configure?  No command-line interface at all?  The first time I used a CheckPoint firewall in NINETEEN NINETY SEVEN (12 years ago), it had the same limitations.  Back then it was passable, but now?  Now it’s just insulting.

The CheckPoints we have at work are to support 3rd parties and acquisitions.  We would never fucking actively use this bullshit.  NO fucking way.  Everything is color-coded and iconic, so I guess for enterprise donkeys who don’t know jack shit about security, maybe this is a plus.  But let’s be totally honest here:  It’s definitely not helping humanity progress.

MY PACKETS ARE GREEN, THAT MUST MEAN THEY ARE OK!

I am a Mac user, so to configure the CheckPoint firewalls we have at work I have to use Remote Desktop Connection into a Windows terminal server we have SPECIFICALLY for managing these firewalls.  So I TS into this machine, fire up the GUI-only Dashboard client, and then have to struggle thru managing firewall policies thru an archaic interface that literally has not changed in the twelve years since I first used it.

You’d think that would make me a pro, but no.  It just fucking pisses me off.  I can’t automate the shit, I can’t even dump the configuration files in a plain-text format.  No, that would be too motherfucking convenient.  No, no, no.  They’re stored in a proprietary binary format.  The absolute worst part is that everything has to be hand-entered line-by-line.  Click OK.  Are you sure?  Are you sure you’re sure?  YES DAMMIT JUST ADD THE FUCKING POLICY!

OH MY GOD I THINK I JUST MURDERED SOMEONE.

So if you’ve ever bought a CheckPoint firewall.  FUCK YOU.

If you make the CheckPoint firewalls.  FUCK YOU TOO.

FUCK FUCK FUCK FUCK FUCK

Gonna go smash my skull against the wall until the pain stops…

Creating read-only user accounts on ScreenOS

Need to create a read-only account on a NetScreen (ScreenOS 6.x or lower) firewall?

It’s simple:

netscreen(M)-> set admin user nocadmin password abc123 privilege read-only

And there you have it. Now let’s test it:

% ssh nocadmin@netscreen
nocadmin@netscreen's password:
For Authorized Use Only, Violators Will Be Prosecuted.
netscreen(M)->

It works! Notice the limited command set available:

netscreen(M)-> ?
exit                 exit command console
get                  get system information
mtrace               multicast traceroute from source to destination
ping                 ping other host
trace-route          trace route
netscreen(M)->

Now hop to it!