Category Archives: Internet

Wireguard, LEDE and some IPv6 fun

Today I upgraded my router to LEDE 17.01 and played a bit with IPv6 and WireGuard VPN tunnels. My Internet connection at home (cable, on the Comcast network) has decent IPv6 support, which I wanted to enjoy on the road as well, from networks without IPv6. The first step is to set up a WireGuard tunnel, which I already did some months ago (Dan Lüdtke, author of the LEDE/OpenWrt web interface plugin for WireGuard, has a good post on that). Update April: Dan has a new post which does not use the stacked approach. That is suitable for most regular setups; however, the IPv6 address setup with automatic prefix assignment described here only works with stacked interfaces, hence this article keeps that configuration. In my setup the IPv4 side of the WireGuard tunnel uses a network from the private range (192.168.2.0/24), and the IPv6 traffic is routed through that tunnel. For IPv6 my goal was to assign a public subnet to the tunnel, so that I can reach the IPv6 network directly through it, without any NAT. In the IPv6 world NAT is uncommon and generally considered deprecated anyway. Note that this how-to only routes IPv6 traffic through the VPN tunnel; IPv4 traffic to the Internet is not routed through it.

First, a large enough IPv6 prefix needs to be available on the router in order to assign two independent IPv6 networks, one to the local LAN and one to the WireGuard VPN. Keep in mind that in the IPv6 world a LAN subnet is a /64: the last 64 bits are the interface identifier, and stateless address autoconfiguration (SLAAC) only works on a /64, so you cannot create a /72 or similar. Two /64 subnets therefore need at least a /63 from the provider, and ISPs that support prefix delegation commonly hand out a /48, /56 or /60. By default, LEDE requests a 64-bit prefix from the provider (room for exactly one subnet), but this can be changed in the WAN6 network interface settings:
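To make the prefix arithmetic concrete, here is a small added example (not code from the original post or from LEDE) that carves per-interface /64 networks out of a delegated prefix and refuses a delegation that is too short, and that emits the matching UCI commands. The interface names `lan` and `wg0`, the reqprefix value and the documentation prefixes are assumptions for the example; the UCI options `reqprefix` (on the wan6 interface) and `ip6assign` (on each downstream interface) are the real LEDE/OpenWrt option names.

```python
"""Added example: carve /64 subnets from the IPv6 prefix an ISP delegates.

Every LAN-style subnet is a /64 (SLAAC needs the 64-bit interface
identifier), so a router that wants one subnet for the LAN and one for a
WireGuard tunnel needs a delegated prefix shorter than /64.  The prefixes
used in the demo are documentation addresses (2001:db8::/32), constructed
for this example; 'lan' and 'wg0' are assumed interface names."""
import ipaddress
from typing import Dict, List


def carve_subnets(delegated: str, names: List[str]) -> Dict[str, str]:
    """Return {interface: '/64 network'} for the given delegated prefix.

    Raises ValueError when the prefix cannot hold len(names) /64 subnets,
    which is exactly what happens with the LEDE default of requesting a /64
    while wanting a subnet for both the LAN and the VPN."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64; the last 64 bits are the interface ID")
    available = 2 ** (64 - pd.prefixlen)
    if available < len(names):
        raise ValueError(
            f"{pd} holds only {available} /64 subnet(s) but {len(names)} are needed; "
            "request a shorter prefix (reqprefix) from the ISP")
    subnets = pd.subnets(new_prefix=64)  # yields /64s in address order
    return {name: str(next(subnets)) for name in names}


def uci_commands(reqprefix: int, interfaces: List[str]) -> List[str]:
    """LEDE/OpenWrt UCI commands: request a `reqprefix`-bit delegation on
    wan6 and let odhcpd hand a /64 out of it to each listed interface.
    (In the stacked setup the VPN entry is the interface stacked on top of
    the WireGuard tunnel.)"""
    cmds = [f"uci set network.wan6.reqprefix='{int(reqprefix)}'"]
    cmds += [f"uci set network.{ifc}.ip6assign='64'" for ifc in interfaces]
    cmds.append("uci commit network")
    return cmds


if __name__ == "__main__":
    # A /56 delegation comfortably holds both subnets.
    print(carve_subnets("2001:db8:1234:ab00::/56", ["lan", "wg0"]))
    # The LEDE default (/64) does not: this raises ValueError.
    try:
        carve_subnets("2001:db8:1234:ab00::/64", ["lan", "wg0"])
    except ValueError as err:
        print("default /64 fails:", err)
    print("\n".join(uci_commands(60, ["lan", "wg0"])))
```

Run it once with the prefix your provider actually delegates (visible on the WAN6 interface status page) before changing `reqprefix`; if `carve_subnets` raises for the default /64, that is the reason the second subnet never shows up.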

Read more »

Debug IPv6 issues on OpenWrt

IPv6 logo

My new provider offers IPv6 connectivity; however, after connecting my OpenWrt-based WNDR4300 (running Chaos Calmer 15.05-rc3) things unfortunately did not “just work”… This post summarizes some hints on how to debug IPv6 on OpenWrt.

First, make sure that the upstream (WAN) interface is configured according to the documentation in the OpenWrt Wiki. Using LuCI, you have to create a new interface (WAN6) which should c

If your ISP provides IPv6 support, it should “just work” at this point. But what if it does not? Read more »

DNSSEC support in OpenWrt 15.05 Chaos Calmer

DNSSEC does not strictly require any support on the router, since a client can run a validating resolver itself. In practice, though, most stub resolvers do not validate, and a validating, caching resolver on a router in a trusted network makes validation faster for the clients and provides DNS replies which carry the ad flag (authenticated data). Note that the ad flag is only worth anything if the path between client and resolver is trusted, since anything in between could set it.

Chaos Calmer ships dnsmasq without DNSSEC validation support by default (DNSSEC is not enabled at compile time). However, the dnsmasq-full package provides the DNSSEC features. Without DNSSEC compiled in or enabled, dnsmasq still forwards the DNSSEC records (RRSIG and friends) correctly, but it does not validate them, and therefore the DNS replies do not carry the ad flag:

# dig debian.org. SOA +dnssec

; <<>> DiG 9.9.6-P1 <<>> debian.org. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62577
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 11
   ^^^^^^^^^^^^^^^ (no ad flag: dnsmasq did not authenticate the DNS response)
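If you want to check this from a script rather than by eyeballing dig output, the following added example (not part of the original post) builds the kind of query dig +dnssec sends (RD and AD set in the header, an EDNS0 OPT record with the DO bit) and decodes the flags of a reply. The reply header it decodes is constructed to match the dig output above (id 62577, flags qr rd ra, counts 1/2/6/11); sending the query over UDP port 53 is left out so the example runs offline.

```python
"""Added example: build a DNSSEC-aware DNS query and decode reply flags.

The header layout is RFC 1035; the AD/CD bits are RFC 4035 and the DO
bit lives in the EDNS0 OPT record (RFC 6891).  The sample reply header is
constructed to match the dig output above."""
import struct

# Header flag bits
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
FLAG_NAMES = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA), ("ad", AD), ("cd", CD))
TYPE_SOA, TYPE_OPT, CLASS_IN = 6, 41, 1


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qid: int, name: str, qtype: int = TYPE_SOA) -> bytes:
    """Query with RD and AD set (AD in a query tells the resolver that we
    understand the AD bit) plus an OPT record with the DO bit, which asks
    for RRSIG records in the reply, just like `dig +dnssec` does."""
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode 0,
    # EDNS version 0, flags with DO (0x8000) set, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_flags(message: bytes) -> dict:
    """Decode the 12-byte DNS header into id, rcode, section counts and flag booleans."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": qid, "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            **{n: bool(flags & bit) for n, bit in FLAG_NAMES}}


def is_authenticated(reply: bytes) -> bool:
    """True only for a successful reply the resolver marked as validated."""
    f = parse_flags(reply)
    return f["qr"] and f["rcode"] == 0 and f["ad"]


# Constructed to match the dig output above: id 62577, flags qr rd ra,
# QUERY 1, ANSWER 2, AUTHORITY 6, ADDITIONAL 11.  No AD bit.
SAMPLE_REPLY_HEADER = struct.pack("!HHHHHH", 62577, QR | RD | RA, 1, 2, 6, 11)

if __name__ == "__main__":
    print(parse_flags(SAMPLE_REPLY_HEADER))
    print("authenticated:", is_authenticated(SAMPLE_REPLY_HEADER))
    print(build_query(62577, "debian.org.").hex())
```

On the router the fix is dnsmasq-full with `dnssec` (plus `dnssec-check-unsigned` and a `trust-anchor=` line for the root key) in dnsmasq.conf, or `option dnssec '1'` in the dnsmasq section of /etc/config/dhcp on OpenWrt; afterwards the same dig query should come back with the ad flag.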

Read more »

Heartbleed test for OpenVPN

OpenVPN is affected by Heartbleed too

I guess you would not have landed here if you had not read about Heartbleed. In case you really don't know what it is all about, catch up here. Since OpenVPN uses SSL/TLS (and most distributions use OpenSSL as the implementation of choice), OpenVPN is affected too (check the official page). Most test utilities out there can test HTTP and other protocols; however, I did not find one that verifies whether an OpenVPN installation is safe. So I created one.

You can find the Python script over at GitHub. My version is a heavily altered version of a script I found at Fox-IT, created by Jared Stafford and Yonathan Klijnsma.

Right now, the utility only supports UDP (which OpenVPN uses by default). The first argument is the server to test; the script contacts it, initiates a TLS session and then sends an invalid heartbeat request, one that claims a larger payload than it actually carries. A vulnerable server responds with the claimed amount of data taken from its memory, a patched one does not respond. Keep in mind that what comes back is real server memory, so only run this against servers you are responsible for. Servers configured with tls-auth drop control packets without a valid HMAC before they reach the TLS layer, so neither this test nor an unauthenticated attacker gets as far as the heartbeat on those.

$ ./heartbleed_test_openvpn.py my.server.com
my.server.com|VULNERABLE

0000 18 03 01 10 13 02 10 00 48 65 61 72 74 62 6C 65 ........Heartble
0010 65 64 20 74 65 73 74 20 70 61 79 6C 6F 61 64 E2 ed test payload.
0020 0B 9E 38 34 EC 3D 66 2B 9C D5 63 00 00 68 C0 14 ..84.=f+..c..h..
0030 C0 0A 22 C0 C0 21 00 39 00 38 00 88 00 87 C0 0F ...".!.9.8......
0040 C0 05 00 35 00 84 C0 21 C4 08 1C 1C C0 1B 00 16 ...5............
0050 00 13 C0 0D C0 03 00 0A C0 13 C0 09 C0 1F C0 1E ................
0060 00 00 00 32                                     ...2
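The dump above is the TLS heartbeat record a vulnerable server sent back: content type 0x18 (heartbeat), version 3.1, record length 0x1013, heartbeat type 2 (response) and a claimed payload length of 0x1000 bytes, far more than the test payload that was sent. The following added example (not the author's script) shows that TLS-layer logic in isolation: building the malformed heartbeat request and deciding from a response record whether the server leaked memory. The sent payload `Heartbleed test payload` is an assumption (the real script may send more), the response bytes are the first 100 bytes of the dump above, and the OpenVPN control-channel framing around each TLS record (opcode, session id, packet id) is deliberately not modelled.

```python
"""Added example: the TLS heartbeat half of a Heartbleed check (RFC 6520).

A heartbeat request claims a payload longer than it carries.  A patched
server discards it; an unpatched one answers with a response whose
payload_length is the claimed length, filled from its own memory.
SAMPLE_RESPONSE is the beginning of the dump in the post; the sent
payload used for the demo is an assumption."""
import struct

HEARTBEAT_RECORD = 24           # TLS ContentType heartbeat
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType
TLS1_0 = b"\x03\x01"            # version bytes seen in the dump
PADDING = b"\x00" * 16          # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int = None,
                    hb_type: int = HB_REQUEST, version: bytes = TLS1_0) -> bytes:
    """TLS heartbeat record.  With claimed_len == len(payload) it is honest;
    with a larger claimed_len it is the malformed request a Heartbleed
    test sends (or the over-long response a vulnerable server returns)."""
    if claimed_len is None:
        claimed_len = len(payload)
    body = struct.pack("!BH", hb_type, claimed_len) + payload + PADDING
    return struct.pack("!B2sH", HEARTBEAT_RECORD, version, len(body)) + body


def analyze_heartbeat_response(record: bytes, sent_payload: bytes) -> dict:
    """Decode a TLS record and decide whether it is a Heartbleed-style reply.

    The record may be truncated (a dump or pcap often shows only the start),
    so the decision is made from the header fields alone: a response whose
    payload_length exceeds what we sent means the server copied extra bytes
    out of its memory."""
    if len(record) < 8:
        return {"vulnerable": False, "reason": "too short for a heartbeat record"}
    ctype, version, rec_len = struct.unpack("!B2sH", record[:5])
    if ctype != HEARTBEAT_RECORD:
        return {"vulnerable": False, "reason": f"content type {ctype} is not heartbeat"}
    hb_type, payload_len = struct.unpack("!BH", record[5:8])
    if hb_type != HB_RESPONSE:
        return {"vulnerable": False, "reason": f"heartbeat type {hb_type} is not a response"}
    leaked = payload_len - len(sent_payload)
    return {"vulnerable": leaked > 0, "version": version, "record_len": rec_len,
            "payload_len": payload_len, "leaked_bytes": max(leaked, 0),
            "payload_preview": record[8:8 + payload_len]}


# First 100 bytes of the response shown in the post (the full record is 0x1013 bytes).
SAMPLE_RESPONSE = bytes.fromhex(
    "18 03 01 10 13 02 10 00 48 65 61 72 74 62 6c 65 "
    "65 64 20 74 65 73 74 20 70 61 79 6c 6f 61 64 e2 "
    "0b 9e 38 34 ec 3d 66 2b 9c d5 63 00 00 68 c0 14 "
    "c0 0a 22 c0 c0 21 00 39 00 38 00 88 00 87 c0 0f "
    "c0 05 00 35 00 84 c0 21 c4 08 1c 1c c0 1b 00 16 "
    "00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e "
    "00 00 00 32"
)
SENT_PAYLOAD = b"Heartbleed test payload"  # assumed; see the lead-in

if __name__ == "__main__":
    request = build_heartbeat(SENT_PAYLOAD, claimed_len=0x1000)
    print("request:", request.hex())
    print(analyze_heartbeat_response(SAMPLE_RESPONSE, SENT_PAYLOAD))
```

The bytes following the echoed payload in the dump (`00 68 c0 14 c0 0a ...`) look like a cipher suite list from another client's ClientHello, which is exactly the kind of data a vulnerable server hands out; a correctly patched OpenSSL checks the claimed length against the record length and silently drops the request instead.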

Read more »

Dissecting a Windows malware (Part 2)

Today I looked a bit closer at the response chromeupdatecenter.com sends to the malware's request. The malware connects to port 8080, most likely because the “malware web service” runs on a separate HTTP server instance (its headers state nginx, while the main page is supposedly served by Apache on an Ubuntu server). I figured out that the first 22152 bytes contain a bitmap. This bitmap is later saved to the user's temporary path (on Windows 7: C:\Users\$USERNAME\AppData\Local\Temp\32239.bmp).

Desktop wallpaper after infection

The image length also matches the “ACC” header, which states 22152. Since a bitmap carries its own length in its file header, that custom header is redundant and the server code could be a bit simpler; maybe something for their next version 😉

However, after the bitmap there are still 493 bytes left. This should be either the encryption key or the message found in the AlertEncryptor.txt files… Read more »
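Splitting such a response without trusting the server's custom header is straightforward, because every BMP starts with a 14-byte BITMAPFILEHEADER whose bfSize field (offset 2, little-endian) is the total file length. The added example below (not the author's code) cuts a body into bitmap and trailer on that basis, records whether the declared length agrees, and reports the Shannon entropy of the trailer, a quick hint whether the leftover bytes look like key material/ciphertext (close to 8 bits per byte) or like readable text. The bitmap and trailer in the demo are constructed for the example; the real response is not reproduced here.

```python
"""Added example: split an HTTP body into a BMP and the bytes after it,
using the bitmap's own bfSize field, and sanity-check the server's claim.
All sample data is constructed for the example."""
import math
import struct
from collections import Counter
from typing import Optional

BMP_FILE_HEADER = "<2sIHHI"  # magic, bfSize, reserved, reserved, bfOffBits (14 bytes)


def bmp_declared_size(data: bytes) -> int:
    """bfSize from the BITMAPFILEHEADER: the bitmap's total length in bytes."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file: missing 'BM' magic")
    _, size, _, _, off_bits = struct.unpack(BMP_FILE_HEADER, data[:14])
    if off_bits < 14 or off_bits > size:
        raise ValueError(f"inconsistent BMP header: bfOffBits={off_bits}, bfSize={size}")
    return size


def split_bitmap_response(body: bytes, declared_len: Optional[int] = None) -> dict:
    """Cut `body` into the bitmap and the trailing bytes.

    `declared_len` is the length announced in the server's custom header
    (the post calls it ACC); the result records whether it agrees with the
    bitmap's own header instead of silently trusting it."""
    size = bmp_declared_size(body)
    if size > len(body):
        raise ValueError(f"bitmap claims {size} bytes but only {len(body)} were received")
    trailer = body[size:]
    return {
        "bmp": body[:size],
        "trailer": trailer,
        "bmp_len": size,
        "trailer_len": len(trailer),
        "declared_matches": declared_len is None or declared_len == size,
        "trailer_entropy": shannon_entropy(trailer),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random keys/ciphertext sit near 8, ASCII text well below."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def make_test_bmp() -> bytes:
    """A valid 1x1 24-bit BMP (58 bytes): 14-byte file header,
    40-byte BITMAPINFOHEADER, one 4-byte padded pixel row."""
    pixels = b"\x00\x00\xff\x00"
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(info) + len(pixels)
    return struct.pack(BMP_FILE_HEADER, b"BM", size, 0, 0, 14 + len(info)) + info + pixels


if __name__ == "__main__":
    body = make_test_bmp() + b"constructed trailer, stands in for the 493 bytes"
    result = split_bitmap_response(body, declared_len=58)
    print({k: v for k, v in result.items() if k != "bmp"})
```

For the real sample one would call `split_bitmap_response(response_body, declared_len=22152)` and expect `bmp_len == 22152`, `trailer_len == 493` and `declared_matches == True`; a low trailer entropy would point at the text message, a high one at a key or ciphertext.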

Dissecting a Windows malware

chromeupdatecenter.com Screenshot

Through a friend of mine I got hold of this seemingly fresh malware named GoogleChromeUpdater.exe. The page (URL at the end of the post) claims to distribute an important Chrome update. However, the malware encrypts files and leaves an e-mail address behind: the classic file kidnapping along with blackmailing.

Note: If you are infected by this malware, your chances of getting your data back are poor. The encryption key is likely only stored on the attacker's server. Unless somebody breaks the encryption, you cannot restore your data. And of course, you should not feed criminals! 🙂

I could not resist and had to have a closer look at the malware…

Read more »

Deploy ownCloud from Source using Git

ownCloud Logo

ownCloud is a great piece of open source software. It allows you to share files easily like Dropbox or Google Drive (including fancy drag and drop upload on newer browsers), but gives you the control of your data, since you can host an instance yourself!

My goal was to test the latest ownCloud 5 snapshot from GitHub. I have SSH access to the destination server, so my goal was to deploy it directly using Git. Be warned: the master branch on GitHub can (and will) contain bugs! But you get the bleeding edge and you can help testing the software. Read more »

IPv6 – The Basics

I have been using IPv6 on my client for about three weeks now. Since then I have learned some basics, which I would like to share.

Some facts:

  • 128 bits long
  • Written in hexadecimal
  • Written in 16-bit blocks (8 blocks of at most 4 hexadecimal digits each)
  • Blocks separated by colons (:)
  • A double colon (::) stands for one or more consecutive all-zero blocks and may appear only once per address
  • Networks use CIDR notation for the network mask (e.g. /48)
One address is reserved as the loopback address, the very first one (all bits 0 except the last one):
::1
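The rules above are enough to write a small parser and formatter, which is the quickest way to get a feeling for them. The added example below (not from the original post) parses an address into its eight 16-bit blocks, handling the single allowed `::`, and prints it back both fully expanded and in the canonical compressed form of RFC 5952 (lowercase, no leading zeros, the longest run of zero blocks replaced by `::`, the first run winning ties); a helper cross-checks the result against Python's ipaddress module. Embedded IPv4 notation such as `::ffff:192.0.2.1` is not handled, and the sample addresses are documentation addresses chosen for the example.

```python
"""Added example: parse, expand and compress IPv6 addresses by hand.

Implements the textual rules listed above plus the RFC 5952 compression
rule; `matches_stdlib` compares the result with ipaddress."""
import ipaddress
from typing import List

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_ipv6(text: str) -> List[int]:
    """Return the 8 16-bit blocks of an IPv6 address (no embedded IPv4 form)."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one block")
        parts = head_blocks + ["0"] * missing + tail_blocks
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 blocks, got {len(parts)}")
    blocks = []
    for part in parts:
        if not 1 <= len(part) <= 4 or any(c not in HEX_DIGITS for c in part):
            raise ValueError(f"bad block {part!r}")
        blocks.append(int(part, 16))
    return blocks


def expand(blocks: List[int]) -> str:
    """Full form: 8 blocks of exactly 4 lowercase hex digits."""
    return ":".join(f"{b:04x}" for b in blocks)


def compress(blocks: List[int]) -> str:
    """RFC 5952 form: the longest run of two or more zero blocks becomes '::'
    (first run on ties); a single zero block is written as '0'."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] == 0:
            j = i
            while j < 8 and blocks[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = [f"{b:x}" for b in blocks]
    if best_len < 2:
        return ":".join(hexes)
    head = ":".join(hexes[:best_start])
    tail = ":".join(hexes[best_start + best_len:])
    return f"{head}::{tail}"


def is_loopback(blocks: List[int]) -> bool:
    """::1 is the only loopback address: all bits zero except the last one."""
    return blocks == [0] * 7 + [1]


def matches_stdlib(text: str) -> bool:
    """Cross-check: our compressed form equals what ipaddress prints."""
    return compress(parse_ipv6(text)) == str(ipaddress.IPv6Address(text))


if __name__ == "__main__":
    for addr in ("::1", "2001:0db8:0000:0000:0000:ff00:0042:8329", "2001:db8:0:0:1:0:0:1"):
        blocks = parse_ipv6(addr)
        print(f"{addr:40} -> {expand(blocks)} -> {compress(blocks)}")
```

Note the tie rule in `compress`: `2001:db8:0:0:1:0:0:1` has two runs of two zero blocks and only the first may be collapsed, giving `2001:db8::1:0:0:1`, never `2001:db8:0:0:1::1`.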

Read more »

IPv6 with OpenWRT and SixXS

WNDR3700v2 Package

Lately I wanted to try IPv6. The first thing I needed was an IPv6-capable router. Since I was always interested in running Linux on my router, I picked one which is ready to run OpenWRT. The Netgear WNDR3700 seemed to match my needs: pretty common in the OpenWRT community, 16 MiB of flash (4 MiB is the absolute minimum, 8 MiB should be fine for IPv6 use; more flash, more space to play with :-)). But take care: Netgear recently released a new revision, v3, which is not compatible with OpenWRT, or at least not yet.

My provider says they are still working on implementing IPv6 and do not know when it will be ready, but it should be within the next months… That is way too long 🙂 So I decided to use one of the tunneling solutions. Wikipedia has a list of tunnel brokers; I chose SixXS. After signing up you have to wait some hours until your account request has been processed. After the approval you get a username, a password and 25 credits. These credits are needed to get a tunnel and your own subnet; each of them costs 15 credits, which makes 30 for both. The first thing you do is request a tunnel. Some hours later you should get a tunnel approval with your tunnel ID. You earn 5 credits per week of operating the tunnel, so after you have a tunnel you have to wait another week before you can request a subnet. For me it took about two hours to get the account and another two hours to get the tunnel, so they are pretty fast! Read more »

Firefox like keyword search in Chrome

Recently I switched to Google's Chrome browser (to be exact, its open source variant Chromium). Chrome/Chromium simply uses fewer resources; you will notice this when you have a lot of tabs open, as I usually do 🙂

Right away I missed my configured keywords for Firefox keyword search. Chrome has that feature too. Here’s how you can add your custom search keywords in Chrome:

  1. Browse to the website you want to search with a keyword (for example http://en.wikipedia.org/)
  2. Right-click in the URL bar to get a context menu
  3. Click on Edit Search Engines
  4. You get a three-column table. Chrome detects the search parameter itself (alternatively you can add the usual “%s” to the search URL)
  5. In the second column you can set your keyword (e.g. “we” for [w]ikipedia [e]nglish)
Now you can type “we Test” and you will land on the Wikipedia page about “Test”.