Thursday, November 14, 2013

[email] forward file not working

The solution (an alternative): set a new alias for root and apply the new setting.

ref: http://thepoch.com/tumblr/set-up-your-server-to-forward-root-emails-to-an.html

First, you edit /etc/aliases. On our CentOS 6.2 systems, it's the last line that's important. By default it's:
# Person who should get root's mail
#root:      marc
It's commented out, and set to forward to "marc". So, uncomment it by removing the "#" character in front of root. Then change "marc" to an email address you want to receive notifications. So now, it should look something like this:
# Person who should get root's mail
root:       notifications@example.com
Save the file. Now, in order for sendmail (or in CentOS 6.2's case, postfix) to see the new alias, you have to run the following in your terminal:
newaliases
If there's no output, then it should have worked.
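The same change done as a script, as an added example that is not from the post above or from the referenced article. It rewrites the `root:` line (commented out or not) exactly once, shows where root's mail now goes, and only then rebuilds the alias database, since editing the file alone changes nothing until `newaliases` runs. The file path is a parameter so the demo can run against a constructed copy of the CentOS default instead of `/etc/aliases`.

```shell
#!/bin/sh
# Added example (not from the post or the referenced article): idempotent
# /etc/aliases edit plus verification before rebuilding the alias database.
# The demo at the bottom uses a temp file; pass /etc/aliases on a real host.

# set_root_alias FILE ADDRESS
# Replace the (possibly commented-out) "root:" line with "root: ADDRESS";
# append one if the file has no such line. Only the first match is rewritten.
set_root_alias() {
    file="$1"; addr="$2"
    tmp="$file.tmp.$$"
    awk -v addr="$addr" '
        /^#?[ \t]*root:/ && !done { printf "root:\t%s\n", addr; done = 1; next }
        { print }
        END { if (!done) printf "root:\t%s\n", addr }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# current_root_alias FILE: print where root's mail is delivered (empty if unset)
current_root_alias() {
    sed -n 's/^root:[[:space:]]*//p' "$1" | tail -n 1
}

# rebuild_aliases: run newaliases (postfix or sendmail) if it is installed.
# The aliases database is only updated by this step, not by editing the file.
rebuild_aliases() {
    if command -v newaliases >/dev/null 2>&1; then
        newaliases
    else
        echo "newaliases not found; alias database not rebuilt" >&2
        return 1
    fi
}

# Demo on a constructed copy of the CentOS default (never touches /etc/aliases)
demo_file=$(mktemp)
printf '# Person who should get root'"'"'s mail\n#root:\t\tmarc\n' > "$demo_file"
set_root_alias "$demo_file" "notifications@example.com"
echo "root mail now goes to: $(current_root_alias "$demo_file")"
rm -f "$demo_file"
```

On a real host, call `set_root_alias /etc/aliases you@example.com` as root and follow it with `rebuild_aliases`; if `current_root_alias` prints the address you expect but mail still does not arrive, the database step is the usual culprit.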

Friday, November 01, 2013

check MITM attack

http://web.securityinnovation.com/appsec-weekly/blog/bid/63269/How-to-Test-for-Man-in-the-Middle-Vulnerabilities

Step 3: Start testing and exploring

Now that common MitM attack scenarios and their causes and countermeasures have been reviewed, the next step is to use available network security tools to test for the presence of MitM vulnerabilities in your environment.
Test for MitM through ARP poisoning
Follow these steps to test for susceptibility to MitM attacks via ARP poisoning:
  1. Download and install Cain (http://www.oxid.it/cain.html) and Wireshark (http://www.wireshark.org/download.html) on the attacker’s box.
  2. Run Cain.
  3. Click Configure in the menu and select the network interface (it can be a wireless interface).
  4. Click the Sniffer tab and then the Hosts sub-tab.
  5. Start the sniffer and click the plus (+) sign.
  6. Select a range of IPs to scan their MAC addresses (include the target box in the range), and then click OK. Both the gateway’s and the victim’s IPs (and their MACs) should appear in the hosts list.
  7. Click the ARP poisoning sub-tab.
  8. Click on the plus (+) sign and add an ARP route from the victim to the gateway.
  9. Start the ARP poisoning attack by pressing the ARP button. As soon as the victim becomes active, its status changes from “idle” to “poisoning.” The lower pane will begin to show the packets being intercepted (see Figure 1).
  10. Start Wireshark and start capturing network traffic from the same interface selected in Cain.
Expected results: The first check you can conduct to see if the ARP poisoning attack was successful is to run the arp -a command on the victim’s box (Windows or UNIX). After executing the attack, the entry for the gateway should carry the MAC of the attacker’s box rather than the real MAC of the gateway. For instance, in Windows, running arp -a before the attack gives this:
C:\>arp -a
Interface: 192.168.1.33 --- 0x8
 Internet Address      IP Address            Type
 192.168.1.1     00-13-49-5c-e3-de  dynamic
 192.168.1.255   ff-ff-ff-ff-ff-ff  static
 224.0.0.22      01-00-5e-00-00-16  static 
After a successful attack, the gateway entry in the victim’s ARP cache will be different; it will equal to the attacker’s MAC:
C:\>arp -a
Interface: 192.168.1.33 --- 0x8
 Internet Address      IP Address            Type
 192.168.1.1     00-1b-77-b2-73-f2  dynamic
 192.168.1.255   ff-ff-ff-ff-ff-ff  static
 224.0.0.22      01-00-5e-00-00-16  static 
A successful ARP poisoning attack will be visible both in Cain and Wireshark. In Cain, the lower pane of the Sniffer->ARP tab shows the packets being sniffed. You can use Wireshark to see the actual contents of the packets (see Figure 2).
Figure 1 - Using Cain to ARP poison a connection between a victim and a gateway
Figure 2 - Using Wireshark to read the contents of the sniffed packets
Note: For more information about ARP poisoning, refer to the How to Test for ARP Poisoning article.

Test for MitM through DHCP spoofing

Follow these steps to test susceptibility to MitM attacks via DHCP spoofing (tested from a UNIX system):
  1. On the attacker’s system, run the ifconfig command and note the current IP address and network mask. Take note of the system’s DNS resolver IP as well. (On UNIX systems, DNS server information generally resides in the file /etc/resolv.conf.)
  2. Download and install Ettercap (http://ettercap.sourceforge.net/download.php) on the attacker’s system.
  3. Run Ettercap with the GUI option for simplicity: ettercap -G.
  4. Remove any targets from Ettercap (this is required for DHCP spoofing).
  5. Use the main menu to navigate to Mitm->DHCP Spoofing.
  6. Fill in DHCP spoofing server information, providing an IP pool with a range of 15 IPs, as shown in Figure 3.
  7. Click OK to start the attack.
  8. On the victim’s computer (Windows), use ipconfig /release to release the current DHCP lease.
  9. Execute ipconfig /renew to request a lease from the DHCP server; this triggers the attack.
  10. On the victim’s computer, attempt to connect to an FTP server and supply login credentials.
Expected result: The MitM attack succeeds if executing the ipconfig /renew command in step 9 sets the default gateway on the victim’s machine to the attacker’s IP address. In addition, if the attack succeeds, Ettercap (or other tools on the attacker’s machine) can capture the username and password provided in step 10, as well as any other IP traffic destined for the Internet or networks other than the local subnet.
Figure 3 - Using Ettercap to execute DHCP Spoofing attack
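The "expected results" of both tests above are checks run on the victim: does the gateway's ARP entry still carry the real MAC, and does the DHCP lease still point at the real gateway? Below is an added example, not part of the quoted article, that automates those checks over captured `arp -a`, `ipconfig` or `ip route` output so they can be run on a host or over a collected diagnostic bundle. The sample captures are constructed; they mirror the article's before/after listings, and 192.168.1.50 is an assumed second LAN host that shares the MAC now claimed for the gateway, which is the signal a defender looks for.

```shell
#!/bin/sh
# Added example, not part of the quoted article: automate the victim-side
# checks for the ARP poisoning and DHCP spoofing tests. All sample output
# below is constructed (addresses follow the article's listings).

# Constructed: victim's ARP cache before the ARP poisoning test
ARP_BEFORE='Interface: 192.168.1.33 --- 0x8
  Internet Address      Physical Address      Type
  192.168.1.1           00-13-49-5c-e3-de     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static'

# Constructed: same cache after the test. The gateway entry now carries the
# same MAC as another LAN host (192.168.1.50, an assumed address).
ARP_AFTER='Interface: 192.168.1.33 --- 0x8
  Internet Address      Physical Address      Type
  192.168.1.1           00-1b-77-b2-73-f2     dynamic
  192.168.1.50          00-1b-77-b2-73-f2     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static'

# Constructed: "ipconfig" excerpt after the DHCP spoofing test
IPCONFIG_AFTER='Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.50'

# arp_entries: normalise "arp -a" output (Windows "aa-bb-..." or UNIX
# "? (ip) at aa:bb:...") from stdin into "ip mac" lines, lowercase, colons
arp_entries() {
    awk '
    BEGIN { h = "[0-9a-f][0-9a-f]"; macre = "^" h ":" h ":" h ":" h ":" h ":" h "$" }
    {
        ip = ""
        for (i = 1; i <= NF; i++) {
            f = $i; gsub(/[()]/, "", f)
            m = tolower(f); gsub(/-/, ":", m)
            if (m ~ macre) { if (ip != "") print ip, m; break }
            if (f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = f
        }
    }'
}

# check_gateway GW_IP EXPECTED_MAC < arp_output
# prints "ok", "missing", or "changed <mac now in the cache>"
check_gateway() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr '-' ':')
    mac=$(arp_entries | awk -v gw="$1" '$1 == gw { print $2; exit }')
    if [ -z "$mac" ]; then echo missing
    elif [ "$mac" = "$expected" ]; then echo ok
    else echo "changed $mac"; fi
}

# shared_macs < arp_output
# prints "mac: ip ip ..." for every MAC claimed by more than one unicast IP
# (broadcast and IPv4 multicast entries are ignored)
shared_macs() {
    arp_entries | awk '
        $2 == "ff:ff:ff:ff:ff:ff" || $2 ~ /^01:00:5e/ { next }
        { n[$2]++; ips[$2] = ips[$2] " " $1 }
        END { for (m in n) if (n[m] > 1) print m ":" ips[m] }'
}

# default_gateway < ipconfig_or_ip_route_output: prints the gateway IP
default_gateway() {
    awk '/Default Gateway|^default via/ {
        for (i = NF; i >= 1; i--)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
    }'
}

# Demo against the constructed captures
printf '%s\n' "$ARP_AFTER" | check_gateway 192.168.1.1 00-13-49-5c-e3-de
printf '%s\n' "$ARP_AFTER" | shared_macs
printf '%s\n' "$IPCONFIG_AFTER" | default_gateway
```

`check_gateway` needs the real gateway MAC recorded beforehand (a static ARP entry or a baseline taken on a known-clean network); `shared_macs` needs no baseline and flags the usual trace of a poisoned cache, one MAC answering for two unicast IPs. Compare `default_gateway` against the gateway the real DHCP server is meant to hand out to catch the DHCP spoofing outcome.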

good DHCPd readings

http://www.cyberciti.biz/faq/howto-ubuntu-debian-squeeze-dhcp-server-setup-tutorial/
http://www.yolinux.com/TUTORIALS/DHCP-Server.html
http://www.linuxquestions.org/questions/linux-networking-3/linux-gateway-and-dhcp-50691/

How do I configure iptables to allow access to the DHCP server?

Edit your iptables scripts and add the following lines
 
## Make sure you use an appropriate network block,  ##
## and network mask, representing the machines on your ## 
## network which should operate as clients of the dhcp serve. ##
## Syntax: ##
## /sbin/iptables -A INPUT -s net/mask -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT ##
## Adjust rules as per your setup ##
 
/sbin/iptables -A INPUT -s 192.168.1.0/24 -i eth0 -p tcp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT
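Two helpers as an added example, not part of the notes above: one prints the DHCP accept rules for a LAN block and interface, the other audits an existing ruleset, as printed by `iptables -S INPUT`, for them. DHCP runs over UDP only, so no TCP rule is generated. The interface and network block are the ones from the notes; the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example, not part of the cyberciti notes: generate DHCP accept rules
# and audit an "iptables -S INPUT" listing for them. Sample listing is
# constructed; eth0 and 192.168.1.0/24 are the values from the notes.

# dhcp_rules NET/MASK IFACE
# Emit accept rules for DHCP server traffic (UDP 68 -> 67). A client with no
# lease yet sends DISCOVER/REQUEST from source 0.0.0.0, which a rule keyed on
# the LAN block never matches, hence the second rule.
dhcp_rules() {
    net="$1"; iface="$2"
    echo "/sbin/iptables -A INPUT -s $net -i $iface -p udp --sport 68 --dport 67 -j ACCEPT"
    echo "/sbin/iptables -A INPUT -s 0.0.0.0/32 -i $iface -p udp --sport 68 --dport 67 -j ACCEPT"
}

# dhcp_accept_for SRC < "iptables -S INPUT" output
# prints "yes" if an ACCEPT rule for UDP dport 67 from SRC exists, else "no"
dhcp_accept_for() {
    src=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    if grep -E -- "^-A INPUT .*-s $src .*-p udp .*--dport 67 .*-j ACCEPT" >/dev/null; then
        echo yes
    else
        echo no
    fi
}

# audit_dhcp_rules NET/MASK < "iptables -S INPUT" output
# prints "complete" when both the LAN-block and the 0.0.0.0 rule are present
audit_dhcp_rules() {
    rules=$(cat)
    a=$(printf '%s\n' "$rules" | dhcp_accept_for "$1")
    b=$(printf '%s\n' "$rules" | dhcp_accept_for 0.0.0.0/32)
    if [ "$a" = yes ] && [ "$b" = yes ]; then echo complete; else echo partial; fi
}

# Constructed: what "iptables -S INPUT" prints on a host that loaded only the
# subnet-keyed UDP rule from the notes above
INPUT_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT'

dhcp_rules 192.168.1.0/24 eth0
printf '%s\n' "$INPUT_RULES" | audit_dhcp_rules 192.168.1.0/24
```

Whether the missing 0.0.0.0 rule actually breaks clients depends on how the server receives packets: ISC dhcpd on Linux reads from a packet socket that netfilter does not filter, so it keeps working, but any other listener, and your firewall logs, will see the initial broadcasts dropped. Run the audit with `iptables -S INPUT | audit_dhcp_rules 192.168.1.0/24` on the server.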
 

A slightly different configuration for an internal subnet

The following is a special subnet that allows PXE network booting using a tftpd server at 192.168.0.5 (please note that you need to install and configure the tftpd server separately):
 
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.20 192.168.0.50;
  ## openbsd pxe boot file ##
  filename "openbsd/pxeboot";
 
  ## Debian 6 pxe boot file ##
  ## filename "debian6/pxelinux.0";
 
  ## Freebsd pxe boot file ##
  ## filename "freebsd/pxeboot";
 
  ## our boot server ##
  next-server 192.168.0.5; 
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.5;
}
 

How do I add BOOTP support?

Each BOOTP client must be explicitly declared in the dhcpd.conf file.
 
## bootp my headless home router ##
host router {
     hardware ethernet 08:00:2b:4c:59:23;
     fixed-address 192.168.0.21;
     filename "debian6/pxelinux.0";
}
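Because every BOOTP client has to be declared anyway, the subnet above can be tightened so that only declared hosts get a lease from the PXE range at all. The script below is an added example, not part of the notes: it writes the subnet with its range inside a pool that carries `deny unknown-clients`, appends the host entry from the notes, and checks the result with `dhcpd -t -cf` when the daemon is installed (falling back to a brace-balance check otherwise). Addresses, MAC and boot file names are the ones from the notes; writing to a temp file instead of `/etc/dhcp/dhcpd.conf` is an assumption for the demo.

```shell
#!/bin/sh
# Added example, not part of the notes: dhcpd.conf fragment whose PXE range
# serves only declared hosts, plus a syntax check. Values come from the notes;
# the output path is a temp file for the demo.

# pxe_subnet_conf: the subnet from the notes, with the dynamic range inside a
# pool that refuses clients lacking a host declaration
pxe_subnet_conf() {
    cat <<'EOF'
authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
  ## openbsd pxe boot file ##
  filename "openbsd/pxeboot";
  ## our boot server ##
  next-server 192.168.0.5;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.5;
  pool {
    ## only hosts declared with a host {} block get an address here ##
    deny unknown-clients;
    range 192.168.0.20 192.168.0.50;
  }
}
EOF
}

# bootp_host_conf NAME MAC IP BOOTFILE: one explicit BOOTP/PXE host entry
bootp_host_conf() {
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n  filename "%s";\n}\n' \
        "$1" "$2" "$3" "$4"
}

# braces_balanced FILE: "yes" if the file has as many { as } (cheap sanity
# check for hosts where dhcpd is not installed)
braces_balanced() {
    awk '{ o += gsub(/[{]/, "{"); c += gsub(/[}]/, "}") }
         END { print (o == c) ? "yes" : "no" }' "$1"
}

# validate_dhcpd_conf FILE: "dhcpd -t -cf FILE" when available, else the
# brace check; prints "ok" or "fail"
validate_dhcpd_conf() {
    if command -v dhcpd >/dev/null 2>&1; then
        dhcpd -t -cf "$1" >/dev/null 2>&1 && echo ok || echo fail
    else
        [ "$(braces_balanced "$1")" = yes ] && echo ok || echo fail
    fi
}

# Demo: assemble the fragment and validate it (assumed temp path)
out=$(mktemp)
{ pxe_subnet_conf; bootp_host_conf router 08:00:2b:4c:59:23 192.168.0.21 debian6/pxelinux.0; } > "$out"
validate_dhcpd_conf "$out"
rm -f "$out"
```

With `authoritative` set, the server answers clients holding leases it does not know about with a NAK instead of staying silent, and the `deny unknown-clients` pool means an undeclared machine plugged into the PXE subnet gets neither an address nor a boot file from it.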