Thursday, November 14, 2013

[email] forward file not working

The solution (an alternative): set a new alias and apply the new setting.

ref: http://thepoch.com/tumblr/set-up-your-server-to-forward-root-emails-to-an.html

First, you edit /etc/aliases. On our CentOS 6.2 systems, it's the last line that's important. By default it's:
# Person who should get root's mail
#root:      marc
It's commented out, and set to forward to "marc". So, uncomment it by removing the "#" character in front of root. Then change "marc" to an email address you want to receive notifications. So now, it should look something like this:
# Person who should get root's mail
root:       notifications@example.com
Save the file. Now, in order for sendmail (or in CentOS 6.2's case, postfix) to see the new alias, you have to run the following in your terminal:
newaliases
If there's no output, then it should have worked.

Friday, November 01, 2013

check MITM attack

http://web.securityinnovation.com/appsec-weekly/blog/bid/63269/How-to-Test-for-Man-in-the-Middle-Vulnerabilities

Step 3: Start testing and exploring

Now that common MitM attack scenarios and their causes and countermeasures have been reviewed, it is necessary to start using available network security tools to test for the presence of MitM vulnerabilities in your environment.
Test for MitM through ARP poisoning
Follow these steps to test for susceptibility to MitM attacks via ARP poisoning:
  1. Download and install Cain (http://www.oxid.it/cain.html) and Wireshark (http://www.wireshark.org/download.html) on the attacker’s box.
  2. Run Cain.
  3. Click Configure in the menu and select the network interface (it can be a wireless interface).
  4. Click the Sniffer tab and then the Hosts sub-tab.
  5. Start the sniffer and click the plus (+) sign.
  6. Select a range of IPs to scan their MAC addresses (include the target box in the range), and then click OK. Both the gateway’s and the victim’s IPs (and their MACs) should appear in the hosts list.
  7. Click the ARP poisoning sub-tab.
  8. Click on the plus (+) sign and add an ARP route from the victim to the gateway.
  9. Start the ARP poisoning attack by pressing the ARP button. As soon as the victim becomes active, its status changes from “idle” to “poisoning.” The lower pane will begin to show the packets being intercepted (see Figure 1).
  10. Start Wireshark and start capturing network traffic from the same interface selected in Cain.
Expected results: The first check you can conduct to see if the ARP poisoning attack was successful is to run the arp -a command on the victim’s box (Windows or UNIX). After executing the attack, the entry for the gateway should be that of the attacker’s box, rather than the real MAC of the gateway. For instance, in Windows running arp -a before the attack gives this:
C:\>arp -a
Interface: 192.168.1.33 --- 0x8
 Internet Address      Physical Address      Type
 192.168.1.1     00-13-49-5c-e3-de  dynamic
 192.168.1.255   ff-ff-ff-ff-ff-ff  static
 224.0.0.22      01-00-5e-00-00-16  static
After a successful attack, the gateway entry in the victim’s ARP cache will be different; it will equal the attacker’s MAC:
C:\>arp -a
Interface: 192.168.1.33 --- 0x8
 Internet Address      Physical Address      Type
 192.168.1.1     00-1b-77-b2-73-f2  dynamic
 192.168.1.255   ff-ff-ff-ff-ff-ff  static
 224.0.0.22      01-00-5e-00-00-16  static
A successful ARP poisoning attack will be visible both in Cain and Wireshark. In Cain, the lower pane of the Sniffer->ARP tab shows the packets being sniffed. You can use Wireshark to see the actual contents of the packets (see Figure 2).
Figure 1 - Using Cain to ARP poison a connection between a victim and a gateway
Figure 2 - Using Wireshark to read the contents of the sniffed packets
Note: For more information about ARP poisoning, refer to the How to Test for ARP Poisoning article.
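The ARP cache check described above can be scripted on the defender's side. The following is an added example (not code from the original article): it parses two arp -a snapshots, reports whether the gateway's MAC changed between them, and also flags any two IPs that now share one unicast MAC (the gateway and the poisoning box). The snapshots are the page's own listings; the 192.168.1.50 entry for the attacker's box is an assumed addition.

```python
import re

# Constructed sample input (not a real capture): the "arp -a" listings shown above,
# plus an assumed entry for the attacker's box (192.168.1.50) in the second one.
BEFORE = """\
Interface: 192.168.1.33 --- 0x8
  Internet Address      Physical Address      Type
  192.168.1.1           00-13-49-5c-e3-de     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
AFTER = """\
Interface: 192.168.1.33 --- 0x8
  Internet Address      Physical Address      Type
  192.168.1.1           00-1b-77-b2-73-f2     dynamic
  192.168.1.50          00-1b-77-b2-73-f2     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Matches both Windows ("192.168.1.1  00-13-...  dynamic") and UNIX
# ("? (192.168.1.1) at 00:13:... [ether] on eth0") arp -a lines.
ENTRY = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
                   r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})", re.I)

def parse_arp(text):
    """Return {ip: mac} from 'arp -a' output, MACs normalised to aa-bb-cc-dd-ee-ff."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace(":", "-")
    return table

def gateway_mac_changed(baseline, current, gateway_ip):
    """Compare two snapshots; return (changed, old_mac, new_mac) for the gateway."""
    old = parse_arp(baseline).get(gateway_ip)
    new = parse_arp(current).get(gateway_ip)
    return (old is not None and new is not None and old != new, old, new)

def duplicate_macs(text):
    """Unicast MACs claimed by more than one IP (the gateway and the poisoner)."""
    by_mac = {}
    for ip, mac in parse_arp(text).items():
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue  # skip broadcast and IPv4 multicast entries
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
```

Take the baseline snapshot while the network is known-good; a changed gateway MAC or a shared unicast MAC is the indicator to investigate.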

Test for MitM through DHCP spoofing

Follow these steps to test susceptibility to MitM attacks via DHCP spoofing (tested from a UNIX system):
  1. On the attacker’s system, run the ifconfig command and note the current IP address and network mask. Take note of the system’s DNS resolver IP as well. (On UNIX systems, DNS server information generally resides in the file /etc/resolv.conf.)
  2. Download and install Ettercap (http://ettercap.sourceforge.net/download.php) on the attacker’s system.
  3. Run Ettercap with the GUI option for simplicity: ettercap -G.
  4. Remove any targets from Ettercap (this is required for DHCP spoofing).
  5. Use the main menu to navigate to Mitm->DHCP Spoofing.
  6. Fill in DHCP spoofing server information, providing an IP pool with a range of 15 IPs, as shown in Figure 3.
  7. Click OK to start the attack.
  8. On the victim’s computer (Windows), use ipconfig /release to release the current DHCP lease.
  9. Execute ipconfig /renew to request a lease from the DHCP server; this triggers the attack.
  10. On the victim’s computer, attempt to connect to an FTP server and supply login credentials.
Expected result: The MitM attack succeeds if executing the ipconfig /renew command in step 9 sets the default gateway on the victim’s machine to the attacker’s IP address. In addition, if the attack succeeds, Ettercap (or other tools on the attacker’s machine) can capture the username and password provided in step 10, as well as any other IP traffic destined for the Internet or networks other than the local subnet.
Figure 3 - Using Ettercap to execute DHCP Spoofing attack
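The expected result above (the victim's default gateway pointing at the attacker) is visible on the wire before the client ever applies it: the rogue DHCPOFFER carries the attacker's address in its server-identifier and router options. The following is an added example (not code from the original article) that parses a raw DHCP packet and reports an OFFER whose server or router option is not the one you authorised; the packets are constructed inline, and 192.168.1.1 as the legitimate server and 192.168.1.50 as the attacker are assumed values.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field

def build_offer(server_ip, router_ip, yiaddr):
    """Constructed DHCPOFFER (not a real capture) used as sample input below."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                      b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_ip),
                      b"\0" * 4, b"\x00\x0c\x29\xaa\xbb\xcc".ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01\x02"                              # 53: message type = OFFER
            + b"\x36\x04" + socket.inet_aton(server_ip)  # 54: server identifier
            + b"\x03\x04" + socket.inet_aton(router_ip)  # 3: router (default gateway)
            + b"\x06\x04" + socket.inet_aton(server_ip)  # 6: DNS server
            + b"\xff")                                   # 255: end
    return hdr + MAGIC + opts

def parse_dhcp(pkt):
    """Return op, offered address and a {code: raw_value} map of the options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:        # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": pkt[0], "yiaddr": socket.inet_ntoa(pkt[16:20]), "options": opts}

def check_offer(pkt, authorised_servers, expected_router):
    """Findings for one OFFER; an empty list means it came from where we expect."""
    opts = parse_dhcp(pkt)["options"]
    if opts.get(53) != b"\x02":
        return ["not a DHCPOFFER"]
    findings = []
    server = socket.inet_ntoa(opts[54]) if 54 in opts else None
    if server not in authorised_servers:
        findings.append(f"offer from unauthorised DHCP server {server}")
    router = socket.inet_ntoa(opts[3][:4]) if 3 in opts else None
    if router != expected_router:
        findings.append(f"router option {router} differs from expected {expected_router}")
    return findings

# Sample values: 192.168.1.1 is the legitimate server/gateway, 192.168.1.50 the
# assumed attacker address running the DHCP spoofing module.
GOOD = build_offer("192.168.1.1", "192.168.1.1", "192.168.1.33")
ROGUE = build_offer("192.168.1.50", "192.168.1.50", "192.168.1.33")
```

Feed check_offer the UDP payload of each packet captured on port 68 (for example from a Wireshark export) to alert on rogue offers during the test.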

good DHCPd readings

http://www.cyberciti.biz/faq/howto-ubuntu-debian-squeeze-dhcp-server-setup-tutorial/
http://www.yolinux.com/TUTORIALS/DHCP-Server.html
http://www.linuxquestions.org/questions/linux-networking-3/linux-gateway-and-dhcp-50691/

How do I configure iptables to allow access to the DHCP server?

Edit your iptables scripts and add the following lines:

## Make sure you use an appropriate network block and network mask,
## representing the machines on your network which should operate as
## clients of the DHCP server.
## Syntax:
## /sbin/iptables -A INPUT -s net/mask -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT
## Adjust rules as per your setup.

## DHCP runs over UDP only (client port 68 to server port 67); the TCP rule is harmless but not needed.
/sbin/iptables -A INPUT -s 192.168.1.0/24 -i eth0 -p tcp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT

A slightly different configuration for an internal subnet

The following is a special subnet that allows PXE network booting using a tftpd server at 192.168.0.5 (please note that you need to install and configure the tftpd server separately):
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.20 192.168.0.50;
  ## openbsd pxe boot file ##
  filename "openbsd/pxeboot";
 
  ## Debian 6 pxe boot file ##
  ## filename "debian6/pxelinux.0";
 
  ## Freebsd pxe boot file ##
  ## filename "freebsd/pxeboot";
 
  ## our boot server ##
  next-server 192.168.0.5; 
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.5;
}
 

How do I add BOOTP support?

Each BOOTP client must be explicitly declared in the dhcpd.conf file.
 
## bootp my headless home router ##
host router {
     hardware ethernet 08:00:2b:4c:59:23;
     fixed-address 192.168.0.21;
     filename "debian6/pxelinux.0";
}

Friday, October 25, 2013

using linux as internet gateway

http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html

Example 1: Linux connected via PPP
This example uses a Linux computer connected to the internet using a dial-up line and modem (PPP). The Linux gateway is connected to the internal network using an ethernet card. The internal network consists of Windows PCs.
The Linux box must be configured for the private internal network and PPP for the dial-up connection. See the PPP tutorial to configure the dial-up connection. Use the ifconfig command to configure the private network, e.g. (as root):
   /sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast 192.168.10.255
This is often configured during install or can be configured using the Gnome tool neat (or the admin tool Linuxconf or netcfg for older Red Hat systems). System changes made with the ifconfig or route commands are NOT permanent and are lost upon system reboot. Permanent settings are held in configuration scripts executed during system boot. (i.e. /etc/sysconfig/...) See the YoLinux Networking tutorial for more information on assigning network addresses.
Run one of the following scripts on the Linux gateway computer:

iptables:

iptables --flush                         # Flush all the rules in filter and nat tables
iptables --table nat --flush
iptables --delete-chain                  # Delete all chains that are not in default filter and nat table
iptables --table nat --delete-chain
# Note: --flush removes rules but leaves each chain's default policy as it was (normally ACCEPT),
# so the FORWARD chain below accepts traffic from ppp0 as well unless you set a DROP policy.

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT         # Assuming one NIC to local LAN (eth1 if the LAN was configured on eth1 as above)

echo 1 > /proc/sys/net/ipv4/ip_forward    # Enables packet forwarding by kernel

ipchains:

#!/bin/sh
ipchains -F forward                                # Flush all previous rules and settings
ipchains -P forward DENY                           # Default set to deny packet forwarding
ipchains -A forward -s 192.168.10.0/24 -j MASQ     # Use IP address of gateway for private network
ipchains -A forward -i ppp0 -j MASQ                # Sets up external internet connection
echo 1 > /proc/sys/net/ipv4/ip_forward             # Enables packet forwarding by kernel
A PPP connection as described by the YoLinux PPP tutorial will create the PPP network connection as the default route.

Example 2: Linux connected via DSL, Cable, T1
High speed connections to the internet result in an ethernet connection to the gateway. Thus the gateway is required to possess two ethernet Network Interface Cards (NICs), one for the connection to the private internal network and another to the public internet. The ethernet cards are named ethN and are numbered uniquely from 0 upward.
Use the ifconfig command to configure both network interfaces.
/sbin/ifconfig eth0 XXX.XXX.XXX.XXX netmask 255.255.255.0 broadcast XXX.XXX.XXX.255  # Internet
/sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast 192.168.10.255    # Private LAN
Also see notes on adding a second NIC.
This is often configured during install or can be configured using the Gnome tool neat (or the admin tool Linuxconf or netcfg for older Red Hat systems). System changes made with the ifconfig or route commands are NOT permanent and are lost upon system reboot. Permanent settings are held in configuration scripts executed during system boot. (i.e. /etc/sysconfig/...) See the YoLinux Networking tutorial for more information on assigning network addresses.
Run the appropriate script on the Linux computer where eth0 is connected to the internet and eth1 is connected to a private LAN:

iptables:

# Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
iptables --flush            # Flush all the rules in filter and nat tables
iptables --table nat --flush
iptables --delete-chain     # Delete all chains that are not in default filter and nat table
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward             # Enables packet forwarding by kernel

ipchains:

#!/bin/sh
ipchains -F forward                                # Flush rules
ipchains -P forward DENY                           # Default set to deny packet forwarding
ipchains -A forward -s 192.168.10.0/24 -j MASQ     # Use IP address of gateway for private network
ipchains -A forward -i eth0 -j MASQ                # Sets up external internet connection (in the forward chain -i is the outgoing interface: eth0, the internet side, in this example)
echo 1 > /proc/sys/net/ipv4/ip_forward             # Enables packet forwarding by kernel