c0d3 :: j0rg3

A collection of tips, tricks and snips. A proud Blosxom weblog. All code. No cruft.

Tue, 07 Mar 2017

Privacy Part II: VPN/IPVanish - Install IPVanish on Kali Linux

Okay, so you’re running Whonix, Tails or, at least, TorBrowser.

What’s next? You may wish to consider using a VPN. In simple terms, it’s somewhat similar to what Tor offers. That is: you connect to the VPN and your connection passes through them such that the site that you are visiting will see the VPN’s IP address rather than yours. Of course, that means that you can chain them.

That is: (You)->VPN->Tor->Exit node->Web site

The reason that you might feel compelled to take this step is that a party which is able to see your traffic into and out of Tor could still identify you. The thinking is that the parties who wish to interfere with your privacy could be compelled to run Tor bridges, relays and exit nodes. If traffic from your IP address could be matched to requests coming from the Tor exit node then you could, effectively, be identified.

Some people hold that using a VPN to access Tor does not improve your anonymousness. I am not among them. In particular, you will find that IPVanish offers VPN service for under $7 per month and is popular among users of the Tor network. Which means that in addition to the fact that IPVanish is not logging your traffic, there’s an excellent chance that other users are going from IPVanish into Tor, helping to reduce the uniqueness of your traffic.

By the way, I’d suggest poking around the web a little bit. While their prices are already great you can find some even deeper discounts: https://signup.ipvanish.com/?aff=vpnfan-promo

IPVanish’s site offers instructions for installing the VPN in Ubuntu so we’re going to take a look at using IPVanish in Kali — including an interesting and unanticipated snag (and, of course, how to fix it).

Let’s grab the OpenVPN configuration:
wget http://www.ipvanish.com/software/configs/ca.ipvanish.com.crt; wget http://www.ipvanish.com/software/configs/ipvanish-US-New-York-nyc-a01.ovpn

We will need the OpenVPN package for Gnome:
apt install network-manager-openvpn-gnome

Click on the tray in the upper right corner, then the wrench/screwdriver icon:

Select the ‘Network’ folder icon:

We’re choosing ‘Wired’ (even though we’re using wlan0 interface):

We’re setting up a VPN, of course:

Import from file:

Choose the configuration file that we downloaded previously:

Enter ‘User name’ and ‘Password’:

We are connected!

Verified at IPVanish’s site: https://www.ipvanish.com/checkIP.php

And this is where I had anticipated the installation instructions would end.

I just wanted to check a few more things. And I would love to tell you that it was simply my thoroughness and unbridled CLI-fu that led to discover that I was still making ipv6 connections outside of the VPN. Seems that it wasn’t noticed by the test at IPVanish because they deal only in ipv4. I was able to prove my ipv6 address and geolocation by using: http://whatismyipaddress.com/

Further, we can establish that the test at IPVanish is not ipv6-compatible with a quick test.

The easy fix here is to disable ipv6 locally. It is plausible that this could cause unintended consequences and, to be thorough, it would be best to handle your VPN at the firewall. Having support for OpenVPN, you’ll be able to get this running with a huge variety of routing/firewall solutions. You can grab any number of tiny computers and build a professional-quality firewall solution with something like pfSense. Maybe we’ll take a look at getting that configured in a future post.

But, for now, let’s shut down ipv6 in a way that doesn’t involve any grandiose hand-waving magic (i.e., unexplained commands which probably should work) and then test to get confidence in our results.

Let’s use sysctl to find our ipv6 kernel bits and turn them off. Then we’ll load our configuration changes. As a safety, it wouldn’t be a bad idea to look in /etc/sysctl.conf to verify that there aren’t any ipv6 configs in there.

We’ll back up our config file then turn off everything ipv6 by listing everything with the words ‘ipv6’ and ‘disable’:
cp /etc/sysctl.conf /etc/$(date +%Y-%m-%d.%H-%M-%S).sysctl.conf.bak && \
sysctl -a | grep -i ipv6 | grep disable | sed 's/0/1/g' >> /etc/sysctl.conf && \
sysctl -p

To explain what we’re doing:
List all kernel flags; show uonly those containing the string ‘ipv6’; of those that remain, show only those that contain the string ‘disable’:
sysctl -a | grep -i ipv6 | grep disable
Replace the 0 values with 1, to turn ON the disabling, by piping output to:
sed 's/0/1/g'
That all gets stuck on the end of ‘sysctl.conf’ by redirecting stdout to append to the end of that file:
>> /etc/sysctl.conf
Then we reload with:
sysctl -p

Then as a final sanity-check we’ll make sure we can’t find any ipv6 packets sneaking about:
tcpdump -t -n -i wlan0 -s 256 -vv ip6

At this point, assuming our tcpdump doesn’t show any traffic, we should be ipv6-free with all of our ipv4 traffic shipped-off nicely through IPVanish!


Tags: , , , , , , , , , , , , ,
Permalink: 20170307.privacy.vpn.ipvanish

Sat, 18 Feb 2017

The making of a Docker: Part II - Wickr: with bonus analysis

Recently, I read a rather excited attention-catching piece about how Wickr is the super-secure version of Slack. Attention caught in part because I feel like Wickr has been around for a while. I’d not seen anyone raving about its security in places where I normally interact with those who are highly informed about such subjects.

Good is that it seems the folk at Wickr did a fine job of making sure valuable data aren’t left behind.
The bad: closed-source, not subject to independent review; crazy marketin’-fancy-talk without a thorough description of how it does what is claimed.
Any time I’m looking at a product or service that boasts security, I sort of expect to see a threat model.

[ Update: At the time I was working on this project, the folk at Wickr were, evidently, opening their source. That’s spectacular news! Check it out on Github. ]

This began as an exercise to provide another piece of security-ish software in a Docker container. Anyone who has used a live distro (e.g., Kali, TAILS) with any regularity knows the ritual of installing favorite tools at each boot, data stores on removable media.

For me, there is tremendous appeal in reducing that to something like:
git clone https://georgeglarson/wickr
cd docker-wickr
./install.sh
wickr

Let’s dig in!

Having created a number of Docker containers my workflow is to queue up the base OS and go through the steps needed to get the software running while keeping careful notes. In this case, I had originally tried to install Wickr on a current copy of Kali. It was already known that Wickr, based off of Ubuntu 14.04, needed an older unicode library. So we begin with Ubuntu 14.04.

Grab a copy of Wickr and see what’s required:
dpkg -I wickr-me_2.6.0_amd64.deb

new debian package, version 2.0.
size 78890218 bytes: control archive=4813 bytes.
558 bytes, 14 lines control
558 bytes, 14 lines control64
10808 bytes, 140 lines md5sums
Package: wickr-me
Architecture: amd64
Section: net
Priority: optional
Version: 2.6.0-4
Replaces: wickr
Conflicts: wickr
Depends: libsqlcipher0, libuuid1, libicu52, libavutil52|libavutil54, libc6, libssl1.0.0, libx264-142, libglib2.0-0, libpulse0, libxrender1, libgl1-mesa-glx
Recommends: libnotify-bin, gstreamer-plugins0.10-good, gstreamer-plugins0.10-bad, gstreamer-plugins0.10-ugly
Maintainer: Wickr Inc.
Installed-Size: 200000
Description: Secure Internet Chat and Media Exchange agent
Wickr is a secure communications client

Okay. The CLI should do most of the work for us, giving a formatted list of dependencies.
dpkg -I wickr-me_2.6.0_amd64.deb | grep -E "^ Depends: | Recommends: " | sed -e "s/ Depends: //" -e "s/ Recommends: //" -e "s/,//g" -e "s/ / \\\ \n/g"

libsqlcipher0 \
libuuid1 \
libicu52 \
libavutil54 \
libc6 \
libssl1.0.0 \
libx264-142 \
libglib2.0-0 \
libpulse0 \
libxrender1 \
libgl1-mesa-glx
libnotify-bin \
gstreamer-plugins0.10-good \
gstreamer-plugins0.10-bad \
gstreamer-plugins0.10-ugly \

Attempting to get those with apt-get reports that it cannot find the gstreamer bits.

Let’s find:
apt-cache search gstreamer | grep -i plugin | grep -E "good|bad|ugly"

gstreamer0.10-plugins-good - GStreamer plugins from the "good" set
...
gstreamer0.10-plugins-bad - GStreamer plugins from the "bad" set
...
gstreamer0.10-plugins-ugly - GStreamer plugins from the "ugly" set

So, there’s the format we need to get the gstreamer dependencies. We know that we’ll also want SSH and wget. That should be enough for our Dockerfile.

We’ll pull down Wickr:
wget https://dls.wickr.com/Downloads/wickr-me_2.6.0_amd64.deb

Then install:
dpkg -i wickr-me_2.6.0_amd64.deb

Okay! We are, in theory, ready to run Wickr. We’re about to see we aren’t yet there — but these sorts of problems are pretty commonplace.
wickr-me

wickr-me: error while loading shared libraries: libxslt.so.1: cannot open shared object file: No such file or directory

Huh! We need libxslt. Let’s fix that: apt-get install libxslt1-dev

Now we can run it.
wickr-me

This application failed to start because it could not find or load the Qt platform plugin "xcb".

Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, xcb.

Reinstalling the application may fix this problem.
Aborted (core dumped)

One more: apt-get install xcb

Okay. That really was the last one. Now we have a complete list of dependencies for our Dockerfile:
RUN apt-get update && apt-get install -y \
gstreamer0.10-plugins-good \
gstreamer0.10-plugins-bad \
gstreamer0.10-plugins-ugly \
libsqlcipher0 \
libuuid1 \
libicu52 \
libavutil52 \
libc6 \
libssl1.0.0 \
libx264-142 \
libglib2.0-0 \
libpulse0 \
libxrender1 \
libxslt1-dev \
libgl1-mesa-glx \
libnotify-bin \
ssh \
wget \
xcb \
&& apt-get clean \

We now have Wickr in a Docker container and, because we are the curious sort, need to peek into what’s happening.

A natural first step is to set Wireshark atop Wickr. At a glance, seems to be communicating with a single IP address (204.232.166.114) via HTTPS.

Unsurprsingly, the client communicates to the server whenever a message is sent. Further it appears to poll the same address periodically asking for new messages. We see that the address resolves to Rackspace in San Antonio, TX.

We can easily establish the link between this IP address, Rackspace and the application.

Well, that’s enough. Right?

Good!

Wait.

What?

We’re still a little curious.

Aren’t we?

I mean, what’s the big question here? What happens if there’s a man in the middle? Persons so eagerly connect to any free WIFI, it is clearly a plausible scenario. Well… One way to find out!

Here’s what we learned. Server-side, the application is written in PHP. The IP address is resolved by the URI ‘secex.info’.

When we send, it calls ‘postMessage.php’:

When we receive, ‘downloadMessage.php’:

And it calls ‘newMessageCheck.php’ to, y’know, check for new messages.

Other analyses have forensically examined artefacts left behind; there are published descriptions of the encryption methods used for the local database connection. We didn’t go into more aggressive efforts such as disassembly because we are too lazy for that jazz!

My opinion, we didn’t learn anything wildly unexpected. Overall, Wickr seems an okay solution for convenient encrypted messaging. That’s always the trade: convenience vs. security. Least we ended with a Docker container for the software!

Github | Docker


Tags: , , ,
Permalink: 20170218.making.a.docker.wickr

Sat, 25 Jan 2014

Network-aware Synergy client

My primary machines are *nix or BSD variants, though I certainly have some Windows-based rigs also. Today we’re going to share some love with Windows 7 and PowerShell.

One of my favorite utilities is Synergy. If you’re not already familiar it allows to you seamlessly move from the desktop of one computer to another with the same keyboard and mouse. It even supports the clipboard so you might copy text from a GNU/Linux box and paste it in a Windows’ window. Possibly, they have finished adding drag and drop to the newer versions. I am not sure because I run a relatively old version that is supported by all of the machines that I use regularly.

What’s the problem, then? The problem was that I was starting my Synergy client by hand. Even more disturbing, I was manually typing the IP address at work and at home, twice or more per weekday. This behavior became automated by my brain and continued for months unnoticed. But this is no kind of life for a geek such as myself, what with all this superfluous clicking and tapping!

Today, we set things right!

In my situation, the networks that I use happen to assign IP addresses from different subnets. If you’ve not the convenience of that situation then you might need to add something to the script. Parsing an ipconfig/ifconfig command, you could possibly use something like the Default Gateway or the Connection-specific DNS Suffix. Alternatively, you could check for the presence of some network share, a file on server or anything that would allow you to uniquely identify the surroundings.

As I imagined it, I wanted the script to accomplish the following things

  • see if Synergy is running (possibly from the last location), if so ask if we need to kill it and restart so we can identify a new server
  • attempt to locate where we are and connect to the correct Synergy server
  • if the location is not identified, ask whether to start the Synergy client

This is how I accomplished that task:

# [void] simply supresses the noise made loading 'System.Reflection.Assembly'
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

# Define Synergy server IP addresses
$synergyServerWork = "192.168.111.11"
$synergyServerHome = "192.168.222.22"

# Define partial IP addresses that will indicate which server to use
$synergyWorkSubnets = "192.168.111", "192.168.115"
$synergyHomeSubnets = "192.168.222", "192.168.225"

# Path to Synergy Client (synergyc)
$synergyClientProgram = "C:\Program Files\Synergy\synergyc.exe"

# Path to Syngery launcher, for when we cannot identify the network
$synergyLauncherProgram = "C:\Program Files\Synergy\launcher.exe"

# Remove path and file extension to give us the process name
$processName = $synergyClientProgram.Substring( ($synergyClientProgram.lastindexof("\") + 1), ($synergyClientProgram.length - ($synergyClientProgram.lastindexof("\") + 5) ))

# Grab current IP address
$currentIPaddress = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]

# Find the subnet of current IP address
$location = $currentIPaddress.Substring(0,$currentIPaddress.lastindexof("."))


function BalloonTip ($message)
{
# Pop-up message from System Tray
$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon
$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($synergyClientProgram)
$objNotifyIcon.BalloonTipText = $message
$objNotifyIcon.Visible = $True
$objNotifyIcon.ShowBalloonTip(15000)
}


#main

# If Synergy client is already running, do we need to restart it?
$running = Get-Process $processName -ErrorAction SilentlyContinue
if ($running) {
$answer = [System.Windows.Forms.MessageBox]::Show("Synergy is running.`nClose and start again?", "OHNOES", 4)
if ($answer -eq "YES") {
Stop-Process -name $processName
}
Else {
exit
}
}

# Do we recognize the current network?
if ($synergyWorkSubnets -contains $location) {
BalloonTip "IP: $($currentIPaddress)`nServer: $($synergyServerWork)`nConnecting to Synergy server at work."
& $synergyClientProgram $synergyServerWork
exit
}
ElseIf ($synergyHomeSubnets -contains $location) {
BalloonTip "IP: $($currentIPaddress)`nServer: $($synergyServerHome)`nConnecting to Synergy server at home."
& $synergyClientProgram $synergyServerHome
exit
}
Else {
$answer = [System.Windows.Forms.MessageBox]::Show("Network not recognized by IP address: {0}`n`nLaunch Synergy?" -f $unrecognized, "OHNOES", 4)
if ($answer -eq "YES") {
& $synergyLauncherProgram
}
}

Then I saved the script in "C:\Program Files\SynergyStart\", created a shortcut and used the Change Icon button to make the same as Synergy’s and made the Target:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden & 'C:\Program Files\SynergyStart\synergy.ps1'

Lastly, I copied the shortcut into the directory of things that run when the system starts up:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

Now, Synergy connects to the needed server at home and work. If it can’t figure out where it is, it asks if it should run it at all.

As they say, a millisecond saved is a millisecond earned.

This post was very nearly published without a Linux equivalent. Nearly.

Same trick for bash/zsh: #!/bin/zsh

# Define Synergy server IP addresses
synergyServerWork="192.168.111.11"
synergyServerHome="192.168.222.22"

# Define partial IP addresses that will indicate which server to use
synergyWorkSubnets=("192.168.111" "192.168.115")
synergyHomeSubnets=("192.168.222" "192.168.225")

# Path to Synergy Client (synergyc)
synergyClientProgram="/usr/bin/synergyc"

# Path to QuickSyngery, for when we cannot identify the network
synergyLauncherProgram="/usr/bin/quicksynergy"

# Remove path and file extension to give us the process name
processName=`basename $synergyClientProgram`

# Grab current IP address, assumes '192' is in use. (e.g., 192.168.1.1)
currentIPaddress=`ip addr show | grep 192 | awk "{print $2}" | sed 's/inet //;s/\/.*//;s/ //g'`

# Find the subnet of current IP address
location=`echo $currentIPaddress | cut -d '.' -f 1,2,3`

for i in "${synergyWorkSubnets[@]}"
do
if [ "${i}" = "${location}" ]
then
break
fi
done

#main

# If Synergy client is already running, do we need to restart it?
running=`ps ax | grep -v grep | grep $processName`
if [ $running ]
then
if `zenity --question --ok-label="Yes" --cancel-label="No" --text="Synergy is running.\nClose and start again?"`
then
pkill $processName
else
exit
fi
fi

# Do we recognize the current network?
for i in "${synergyWorkSubnets[@]}"
do
if [ "${i}" = "${location}" ]
then
notify-send "IP:$currentIPaddress Server:$synergyServerWork [WORK]"
$synergyClientProgram $synergyServerWork
exit
fi
done

for i in "${synergyHomeSubnets[@]}"
do
if [ "${i}" = "${location}" ]
then
notify-send "IP:$currentIPaddress Server:$synergyServerWork [HOME]"
$synergyClientProgram $synergyServerHome
exit
fi
done

if `zenity --question --ok-label="Yes" --cancel-label="No" --text="Network not recognized by IP address: $currentIPaddress\nLaunch Synergy?"`
then
$synergyLauncherProgram
fi

To get it to run automatically, you might choose to call the script from /etc/init.d/rc.local.

Download here:
  PowerShell:
    synergy.ps1
  GNU/Linux:
    synergy.sh


Tags: , ,
Permalink: 20140125.network_aware_synergy_client