Talk from @mwl at BSDCAN 2022

https://www.youtube.com/watch?v=1n62VZj-CKI

OARC Reply Size Tester

dig +short rs.dns-oarc.net TXT

Host1 - good :)

# dig +short rs.dns-oarc.net TXT
rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
rst.x4064.x4058.x4090.rs.dns-oarc.net.
"45.15.80.80 DNS reply size limit is at least 4090"
"45.15.80.80 sent EDNS buffer size 4096"

Host2 - bad :(

# dig +short rs.dns-oarc.net TXT
rst.x1196.rs.dns-oarc.net.
rst.x1206.x1196.rs.dns-oarc.net.
rst.x1204.x1206.x1196.rs.dns-oarc.net.
"74.63.25.240 DNS reply size limit is at least 1206"
"74.63.25.240 sent EDNS buffer size 1232"

sha256: 110b220f93eff767b7e4d488294b00ede4f4509258d0148704b145df79fa9821

Intro

I never used the Fulldisk Encryption Feature as there was no need for. It doesn’t make sense for Hosted VM’s, as you have to enter the Passphrase at every boot at the Console. So, it’s a pain and still possible to intercept on the Hosters Infrastructure. Disk Encryption does not make sense at home, as all my Devices remains at home (and hopefully never got stolen). It would make sense on a Notebook, but i’m more the Apple Fanboy when it comes to portable Machines. And there, we have FileVault which basically does the same. However, i’d like to give a try with a Test VM. There are plenty of instructions how to setup up, i just tried one and made some notes as usual.

Let’s give a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator

Response

Intro

I stumbled across an old Cisco box in the basement. I thought i might have some fun (or frust?) with the aging Device. The Hardware still works fine, right ? And what about the Software ? Let’s give a try !

Hardware

show version

Cisco 1841 (revision 7.0) with 352256K/40960K bytes of memory.
Processor board ID FCZ1234757Y
6 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
125184K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Software

dir flash

If you ever wanna run a Multiplayer OWASP Juice Shop CTF on your own, here are some Notes and Info for bloody beginners

References

• https://github.com/iteratec/multi-juicer/
• https://www.digitalocean.com/
• https://kubernetes.io/de/docs/concepts/overview/what-is-kubernetes/

Prerequisite

you’ve got

• a Digital Ocean Account (or some other Cloud Provider)
• a spare domain and set the NS of DigitalOcean
• Digital Ocean CMD Line Tools installed and configured
• helm tools (kubernetes package manager -> brew install helm)
• some budget (~2 CHF/Day)
• 30min for Setup

btw. all this commands should run on macOS. linux may needs some adjustments …

Area41

Looking Forward to the next Security Congress in Zurich https://www.area41.io . It’s sold out since a while, happy i got a early ticket :)

… and all the Talks are online … https://www.youtube.com/watch?v=Hs5olUBX2cg&list=PLv-PXy2JVviu32C4U6F8KHKcyL4s-i_Fo

sha256: 07f41198ed084963405456466b567179077366052c560295e9868a0046f0a714

How to enable Logging with Headers for Nginx

Assuming you have a running setup and you want to enable logging with headers for debug and learning purposes ?

Add Lua

doas pkg_add nginx-lua--

and you get …

doas pkg_info -L nginx-lua--
Information for inst:nginx-lua-1.20.1p0

Files:
/var/www/modules/ndk_http_module.so
/var/www/modules/ngx_http_lua_module.so

Enable Modules in /etc/nginx/nginx.conf

add two lines on Top

load_module "modules/ndk_http_module.so";
load_module "modules/ngx_http_lua_module.so";

Enhance Logging

add the following to the “http” Section

log_format log_req_resp   '$remote_addr - $remote_user [$time_local] '
                          '"$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent" '
                          '$request_time req_header:"$req_header" '
                          'resp_header:"$resp_header"';

Enable Logging

add the following lines to your virtual Host Section

Environment

• OpenBSD 7.0
• Debian 11.2 with Strongswan
• IPv4 only
• IKE v1

ToDo

• IPv6 and Dualstack
• IKE v2

Debian

ipsec.conf

conn puffy
   authby      = secret
   ike         = aes256-sha256-modp2048
   keyexchange = ikev1
   ikelifetime = 1h
   keyingtries = 0
   left        = %defaultroute
   right       = 193.xx.xx.xx
   leftid      = 212.xx.xx.xx
   rightid     = 193.xx.xx.xx
   lifetime    = 1200s
   leftsubnet  = 10.11.1.8/30
   rightsubnet = 10.1.6.0/24
   esp         = aes256-sha256-modp2048
   dpddelay    = 30
   dpdtimeout  = 120
   dpdaction   = restart
   auto        = start

OpenBSD

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.gre.allow=1

Apply all Settings

for i in $(cat /etc/sysctl.conf); do sysctl $i;done

/etc/ipsec.conf

# Tunnel to Debian

local_gw    = "193.xx.xx.xx"
local_net   = "10.1.6.0/24"
remote_gw   = "212.xx.xx.xx"
remote_net  = "10.11.1.8/30"
key         = "DAS-SAG-ICH-DIR-NICHT-:)"

ike dynamic esp tunnel from $local_net to $remote_net peer $remote_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $local_gw \
psk $key

ike dynamic esp tunnel from $remote_net to $local_net peer $local_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $remote_gw \
psk $key

start/restart services

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K
rcctl restart ipsec isakmpd

Enc Interfaces

cat /etc/hostname.enc0
up

FW Rules

# Allow UDP Port 500 and 4500
pass in  on (egress) proto udp from 193.xx.xx.xx to 212.xx.xx.xx port {isakmp, ipsec-nat-t}
pass out on (egress) proto udp from 212.xx.xx.xx to 193.xx.xx.xx {isakmp, ipsec-nat-t}

# Allow ESP encapsulated IPsec traffic on the external interface
pass in  on (egress) proto esp from 193.xx.xx.xx to 212.xx.xx.xx
pass out on (egress) proto esp from 212.xx.xx.xx to 139.xx.xx.xx

# Allow IP in IP Traffic
pass in  on enc0 proto ipencap from 193.xx.xx.xx to 212.xx.xx.xx keep state (if-bound)
pass out on enc0 proto ipencap from 212.xx.xx.xx to 193.xx.xx.xx keep state (if-bound)

Start Services & Apply Setting

… or reboot the Box so all Settings gets applied

Stumbled upon something that I’ve missed for a long time: encrypting files with the ssh public key :)

Source

• https://github.com/FiloSottile/age

Install Package

OpenBSD (and most others *nix systems) got a package for age. Just install it.

doas pkg_add age

Asymmetric Encryption

Asymmetric Encryption encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a ‘Public Key’ and a ‘Private Key’. Together, they’re called a ‘Public and Private Key Pair’

it’s time for some education and i decided to do a CAS CyberSecurity @OST (prev. HSR Rapperswil).

I expect to learn a lot in Attacking, Defense, Reverse Engineering and so on. Think i have already a “good basic” in many of these Topics. So, i expect the have an intersting Time in the next few Month. You can expect some posts here, or may i do another blog ?

-> started a new blog for the CAS