Re: OpenBSD as a pentester PC?
On Thursday, November 26, 2015, Chris Smith <ch...@nevermind.co.nz> wrote:

> On Thu, Nov 26, 2015, at 10:23 PM, Mohammad BadieZadegan wrote:
> > Hi every OpenBSD user,
> > I have OpenBSD on my Notebook since 2 years ago and I don't want to
> > switch to another OS for my business pentest project.
> > I need some pentest tools for my project like metasploit, fuzzers, ..etc
> > but I could not find them on OpenBSD package list
> > <http://ftp.openbsd.org/pub/OpenBSD/5.8/packages/i386/>!
> > By default does OpenBSD support metasploit installing (or any attack
> > tools) or defer them for security purpose?
> > I want to have one OS on my note book for all purpose(business+home).
> > Is that I must switch to other OS? (That I don't like at all!)
> > Regards.
> >
> > --
> > ( openbsd.pro 933k.ir ) <http://openbsd.pro>
>
> To be honest, some security tools can be so poorly written, or perform
> unusual or dangerous operations in their daily usages, that they present
> a difficult challenge to properly secure and port to other OS's. You
> don't really want them on your "main" system.
>
> As a pentester myself, I usually end up with some very basic tools on my
> host system (e.g. nmap, nc, hping etc...) and segregating all of the
> other rubbish into a kali or debian virtual machine, which can then be
> wiped or rolled back between jobs to ensure both system integrity, and
> that jobs do not cross-pollinate data between them.
>
> In my opinion, the best way to advance OpenBSD's use in this area is to
> support, test and develop its virtualisation capabilities.
>
> > I want to have one OS on my note book for all purpose(business+home)
>
> If you're doing this professionally, I really do not recommend this
> without proper segregation. Especially if you're handling your customers'
> sensitive data or functionality (e.g. network connectivity).
>
> Cheers,
> Chris.

I do much the same, with two VMs, though.

I use the OpenBSD VM for on-the-spot development more than general use. The other thing I've found OpenBSD great for as a pentester is quickly putting together small networks of virtual machines for either testing things or for one-off demonstrations.

--
J. Stuart McMurray
Re: Logging Password change attempts
A setuid wrapper around passwd would prevent normal (non-root, non-sudo) users from running passwd directly:

    -r-sr-xr-x  1 auditor  bin  10240 Oct 30 11:47 passwd
    -r-x------  1 auditor  bin  28376 Oct 30 11:46 passwd.orig

The only catch is it can't be a shell script, which adds another (trivial) layer of complexity to its maintenance.

The (very small) danger with monitoring /etc/master.passwd is that a user could change his password more than once while your logging code is logging the change.
Re: Question re dhclient.conf
On Monday, September 29, 2014, Duncan Patton a Campbell <campb...@neotext.ca> wrote:

> My purpose here is to allow dynamic dns updates via nsupdate from dhcp
> clients where addresses are subject to change.
>
> I have a solution that will remain stable so long as the !command hook in
> hostname.if remains stable. This is not as good as the dhclient.conf script
> interface as it can't exclude calls that don't change the interface, but hey...
>
> # more /etc/hostname.nfe0
> dhcp
> !/usr/local/sbin/dydns.sh $if
>
> # more /usr/local/sbin/dydns.sh
> #!/bin/ksh
> # rdate to make sure we're sync'd with the dydns server
> echo $@ >> /tmp/ddns.log
> date >> /tmp/ddns.log
> /usr/sbin/rdate -o 192.168.1.22
> # IPv4 address of the interface named in $1 ("inet " so inet6 lines are skipped)
> export ADDR=`ifconfig $1 | grep 'inet ' | cut -d ' ' -f 2`
> echo "server 192.168.1.22
> zone indx.ca
> key u32.indx.ca 7U6+9Bqymcyn21vLHIlf9DWVIYvljkn/GIMqNhg3YpaSxUDoarpBPz/JPm52kWD9GG1mpewiiKsYCcarWF2wUg==
> update delete u32.indx.ca. A
> update add u32.indx.ca. 86400 A $ADDR
> send" | nsupdate
> exit 0
>
> where key is the shared private key produced by the output of
>
> dnssec-keygen -a HMAC-MD5 -b 512 -n USER u32.indx.ca.
>
> found in the output file Ku32.indx.ca.+157+08659.private and added to
> /var/named/keys.conf on the named server in the form
>
> key u32.indx.ca {
>     algorithm hmac-md5;
>     secret "7U6+9Bqymcyn21vLHIlf9DWVIYvljkn/GIMqNhg3YpaSxUDoarpBPz/JPm52kWD9GG1mpewiiKsYCcarWF2wUg==";
> };
>
> and an entry to etc/named.conf
>
> zone indx.ca {
>     ...
>     allow-update {
>         ...
>         key u32.indx.ca;
>         ...
>     };
> };
>
> Dhu
>
> On Mon, 29 Sep 2014 14:13:48 +0200
> Bruno Flueckiger <inform...@gmx.net> wrote:
>
> > On 29.09.2014 13:39, Duncan Patton a Campbell wrote:
> > > On Mon, 29 Sep 2014 05:28:27 -0600
> > > Duncan Patton a Campbell <campb...@neotext.ca> wrote:
> > >
> > > > /etc/dhclient.conf used to contain a
> > > >
> > > > script tosomfile ;
> > > >
> > > > option that could, amongst other things, be used to set a dynamic
> > > > assigned dns address to a named server. This functionality has been
> > > > removed and I am trying to figure out if there was some other
> > > > mechanism to accomplish this but I can't find any refs to it in the
> > > > changes between 5.1 and 5.5. Any info would be appreciated.
> > > >
> > > > Thanks, Dhu
> > > >
> > > > --
> > > > Ne obliviscaris, vix ea nostra voco.
> > >
> > > I found it in the 5.3 changes..
> > >
> > > Removed dhclient-script(8) and dhclient.conf(5) script directive. Do
> > > all interface and route configuration via ioctl's and routing sockets.
> > >
> > > Unfortunately this mechanism was used for more than just routing. And
> > > without a dhclient-script to hack I don't see how a dynamic address
> > > can be updated via the named/key mechanism.
> > >
> > > Dhu
> >
> > If your goal is to set entries in DNS for a machine which acts as DHCP
> > client there are two other possibilities I know of:
> >
> > 1. Use a reservation in DHCP server together with fixed entries in DNS
> > 2. Get ISC DHCP from ports and configure it to make dynamic updates to BIND
> >
> > Depending on your exact setup there may be other ways to achieve the
> > same as you did with the script.
> >
> > Bruno
>
> --
> Ne obliviscaris, vix ea nostra voco.

Why not have the DHCP server update DNS?

--
J. Stuart McMurray
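As an added example, not from the thread: the allow-update stanza above lets the key change any record in indx.ca, whereas BIND's update-policy can confine it to the host's own A record; the fragment below also generates the key as HMAC-SHA256 instead of HMAC-MD5. The secret and the zone file name are placeholders.

```conf
// Added example named.conf fragment for the authoritative server.
// A zone may use either allow-update or update-policy, not both.
key u32.indx.ca {
    // generated with: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST u32.indx.ca.
    algorithm hmac-sha256;
    secret "<BASE64-SECRET-FROM-THE-.private-FILE>";   // placeholder
};

zone "indx.ca" {
    type master;
    file "indx.ca.db";            // placeholder zone file name
    update-policy {
        // Key u32.indx.ca may only touch the A record of u32.indx.ca.,
        // not any other name or type in the zone.
        grant u32.indx.ca name u32.indx.ca. A;
    };
};
```

With an HMAC-SHA256 key the line fed to nsupdate becomes `key hmac-sha256:u32.indx.ca <secret>`, or the generated key file can be passed with `nsupdate -k` instead of embedding the secret in the script.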
Re: rc.local mystery executables
Before I blocked all of China, I saw something very similar on an ssh honeypot I run. Every few hours or so, I'd get the following:

http://sprunge.us/OGfE

Seemed totally automated.

J. Stuart McMurray

On Fri, Aug 15, 2014 at 1:51 PM, Josh Grosse <j...@jggimi.homeip.net> wrote:
> On 2014-08-15 12:38, Mihai Popescu wrote:
> > > On June 29, there was a 5.5-stable update to www/owncloud to release
> > > 6.0.4 to fix a security issue.
> >
> > The developers' announcement, from the webpage for this thingie (i don't
> > know what the hell this software is doing):
> >
> > -- Yeah, you were screwed!
>
> There are a number of security issues that have been fixed in that release
> -- if I read their web page correctly -- including one which that project
> perceives to be a high-risk issue:
>
> https://owncloud.org/security/advisory/?id=oc-sa-2014-018
>
> There's also a big one, that earlier this month that project decided *not
> to fix*. I don't know anything about OwnCloud either, but this sort of
> issue is one that should probably be addressed.
>
> https://senderek.ie/archive/2014/owncloud_unencrypted_private_key_exposure.php
>
> "An attacker, who is able to read the PHP session files by exploiting
> another web application that is running on the ownCloud server, will be
> able to gather the unencrypted private key of every ownCloud user. All
> encrypted files that are stored in a user's home directory can be
> decrypted with this RSA private key, stored in the PHP session files in
> plain text. If the user's encrypted files are synced to other devices or
> shared with other servers - for hosting or backup - an attacker will be
> able to decrypt all user data that is being intercepted, even if the
> attacker no longer has access to the server's file system."
Re: openbsd and chromebooks
I tried putting it on an SD card on my acer c270. I don't have a dmesg at the moment. Wireless and the trackpad didn't work, but a cheapy USB wireless device did. The biggest problem was putting it on the SD card made disk IO really, really slow. The lack of 802.11n was also kinda a bummer.

J. Stuart McMurray

On Fri, Jul 25, 2014 at 11:40 AM, frantisek holop <min...@obiit.org> wrote:
> has anyone tried any of the existing chromebooks? any dmesgs?
>
> http://en.wikipedia.org/wiki/Chromebook#Chromebook_models
>
> -f
> --
> tap here with hammer for a new monitor.
Re: openbsd and chromebooks
The other thing that kept me from putting OpenBSD on here is that dual-booting is kinda kooky and has security implications for the ChromeOS side.

A better question: Anybody know of any small laptops (not necessarily chromebooks) that run OpenBSD well?

J. Stuart McMurray

On Fri, Jul 25, 2014 at 11:56 AM, frantisek holop <min...@obiit.org> wrote:
> hmm, on Fri, Jul 25, 2014 at 11:45:32AM -0400, Stuart McMurray said that
> > I tried putting it on an SD card on my acer c270. I don't have a dmesg
> > at the moment. Wireless and the trackpad didn't work, but a cheapy USB
> > wireless device did. The biggest problem was putting it on the SD card
> > made disk IO really, really slow. The lack of 802.11n was also kinda a
> > bummer.
>
> well, there is no 802.11n in openbsd :) but i understand what you mean.
> the wifi is not supported on my current notebook either, so i am used to
> usb helpers.
>
> i am interested in the newest samsung chromebook. looks quite nice.
>
> -f
> --
> in the country of the blind, the one-eyed man is king.
Re: Strange route entry from China
On Tuesday, May 13, 2014, Amit Kulkarni <amitk...@gmail.com> wrote:
> On Tue, May 13, 2014 at 3:27 PM, Johan Ryberg <jo...@securit.se> wrote:
> > Hi,
> >
> > Please forgive my ignorance. I have a small lab and I noticed this IP in
> > the routing table: 61.174.51.232, resolves to
> > 232.51.174.61.dial.wz.zj.dynamic.163data.com.cn
> >
> > # route -n show
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags   Refs   Use    Mtu  Prio Iface
> > default            192.168.66.1       UGS     739270        -     8 em0
> > 61.174.51.232      192.168.66.1       UGHD    138722        -   L 56 em0
> > 127/8              127.0.0.1          UGRS    0      0   33144     8 lo0
> > 127.0.0.1          127.0.0.1          UH      4   1244   33144     4 lo0
> > 192.168.66/24      link#1             UC      1      0       -     4 em0
> > 192.168.66.1       00:1b:17:bd:8d:11  UHLc    2      0       -     4 em0
> > 224/4              127.0.0.1          URS     0      0   33144     8 lo0
> >
> > It came and disappeared quite fast. The box is a more or less stock
> > OpenBSD 5.5
> >
> > Is it normal that entries like this come and go?
>
> Labs are prime targets for scanning for vulnerable machines.

And, 163data.com.cn is a large source of shady activity.

--
J. Stuart McMurray
Re: Blocking traceroute
You don't even need socat. You could do it all with pf. Except for DNS, though, you'd have to block outbound DNS traffic to maintain anonymity.

J. Stuart McMurray

On Thu, Apr 18, 2013 at 10:17 PM, Juan Francisco Cantero Hurtado <i...@juanfra.info> wrote:
> On Thu, Apr 18, 2013 at 10:35:53PM -0000, fek...@tormail.org wrote:
> > I want to create a Tor hidden server, which people SSH into over Tor.
> > Users could discover the IP server by running traceroute. To stop this I
> > have added a simple rule to pf.conf based off helping traceroute.
> > Otherwise they could just build or run their own binary traceroute.
> >
> > block on em0 inet proto udp to port 33433 >< 33626
> >
> > This appears to work, but couldn't traceroute be built to use other UDP
> > ports? Perhaps I should block all UDP ports, it is no big loss really.
> >
> > Is there anything else I should take into consideration when trying to
> > prevent a server from being discovered? The server will be behind a NAT
> > with only a LAN address.
>
> Tor is a TCP-only network. UDP will never work.
>
> Cheers.
>
> --
> Juan Francisco Cantero Hurtado
> http://juanfra.info
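An added example of the pf-only approach suggested above, not from any poster: it assumes em0 is the host's only network interface, sshd listens on 127.0.0.1 only, and tor runs as the _tor user that OpenBSD's tor package installs.

```pf
# Added example pf.conf (not from the thread) for a host whose only service
# is an SSH hidden service reached through Tor. Assumptions: em0 is the sole
# network interface, sshd listens on 127.0.0.1 only, tor runs as user _tor.
#
# The original rule,
#     block on em0 inet proto udp to port 33433 >< 33626
# only covers traceroute's default UDP probe range; ICMP or TCP traceroute
# variants and any other UDP port would still draw a reply from the host.
# Dropping everything by default and passing only tor's own traffic closes
# that, and blocks the outbound DNS mentioned above in the same stroke.
ext_if = "em0"

set skip on lo0            # tor -> 127.0.0.1:22 never leaves loopback
set block-policy drop      # no RST / ICMP unreachable: probes get silence
block all                  # nothing in or out unless passed below

# Tor's circuits and directory fetches: TCP only, by the _tor user only.
# Tor bootstraps from built-in directory authority addresses, so the host
# itself needs no DNS for this.
pass out on $ext_if proto tcp from ($ext_if) to any user _tor modulate state

# Anything else the host must do (NTP, package fetches, LAN admin access)
# has to be listed explicitly here; there is no fallback pass rule.
```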
Re: ARP and npppd
On Mon, Feb 18, 2013 at 09:37:27AM -0500, sven falempin wrote:
> On Mon, Feb 18, 2013 at 6:43 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> > On 2013-02-18, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> > > Even though L2TP has L2 in its name it is not built to create ethernet
> > > layer 2 tunnels. It is just tunneling PPP packets inside of UDP. So the
> > > only thing you can do is proxyarp (which npppd does not support
> > > natively) or route the traffic.
> >
> > Routing the traffic is probably the easiest way for this. Use a different
> > subnet for the PPP-assigned addresses and add a static route on the
> > gateway (and ideally on other machines which the PPP-connected devices
> > will need to reach too, it may work without but you'll either be pushing
> > a bunch of extra traffic via the gateway, or relying on ICMP redirects
> > which may be disabled and at best are bleurgh ;)
> >
> > The proxy arp route is less nice but a few pointers if people want to try
> > that; you can use arp(8) in base for it; see the '-f' option - or arpd
> > (in ports) can cover a whole subnet without listing addresses separately.
> > Alternatively there is the combination of pppd+xl2tpd; pppd does support
> > proxy arp natively, though npppd is nicer and easier to configure,
> > especially with IPsec).
> >
> > FWIW none of these can do IPv6 in the tunnels on OpenBSD, for that you
> > could use gif, gre, openvpn or just plain ipsec.
>
> the OP is talking about iStuff client, this 'may' reduce the set of
> possibility, especially if he does not want to install an app.
>
> I have no clue how to bridge a gif on an iPhone !
>
> --
> ascii ribbon campaign - against html e-mail

Thanks everybody for the ideas and clarification. Routing would be nice, but not really practical with iThings. I ended up with a perl hack that monitors syslog to add and remove arp entries when npppd reports a connection, and another that cron fires off every few minutes to look at ifconfig's output and update the arp cache. It's working so far, but it's a bit of a hack.

Thanks all for the help.

Stuart
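An added example, not from this thread, of the static proxy ARP approach with arp(8) -f that Stuart Henderson points at above: a file publishing the npppd box's own re0 MAC for every address in the IPCP pool from the original post (192.168.11.150-159, lladdr 76:7f:52:6e:91:0d). The file name /etc/arp.pppx is an assumption; load it at boot with `arp -f /etc/arp.pppx` (from rc.local or a `!` line in hostname.re0) and set net.inet.ip.forwarding=1 so packets answered on re0 are forwarded into the client's pppx interface.

```conf
# /etc/arp.pppx (assumed name): proxy ARP entries published on re0 for the
# npppd IPCP pool. Format per arp(8): hostname ether_addr [temp] [pub]
# "pub" makes this host answer ARP requests for the address on the LAN;
# the packets then follow the host route npppd installs for the connected
# client into its pppx interface. Addresses with no client connected are
# simply dropped on the npppd box.
192.168.11.150 76:7f:52:6e:91:0d pub
192.168.11.151 76:7f:52:6e:91:0d pub
192.168.11.152 76:7f:52:6e:91:0d pub
192.168.11.153 76:7f:52:6e:91:0d pub
192.168.11.154 76:7f:52:6e:91:0d pub
192.168.11.155 76:7f:52:6e:91:0d pub
192.168.11.156 76:7f:52:6e:91:0d pub
192.168.11.157 76:7f:52:6e:91:0d pub
192.168.11.158 76:7f:52:6e:91:0d pub
192.168.11.159 76:7f:52:6e:91:0d pub
```

This replaces the syslog-watching script for the ARP side only; arpd from ports does the same for a whole subnet without listing each address, as noted above.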
ARP and npppd
Hi all,

I'm having a bit of trouble getting l2tp working from behind a firewall. Here's the setup:

    OpenBSD with isakmpd and npppd -- Home Router -- Internet -- Cell Network -- iPhone/Laptop

Basically, the idea is to make a VPN for use when I'm travelling. I can connect just fine and put traffic on the network, but arp requests from other hosts on the network don't get sent back through the l2tp tunnel. If I manually update the arp cache of another host on the network with the ethernet address of my npppd/isakmpd box and the IP assigned by npppd, traffic flows with no problem. Looking at the traffic of the nic on the npppd box, I see arp replies coming in. tcpdump on the pipex interface doesn't report the arp requests.

Is there something special I need to do to send non-ip traffic through the vpn?

Here are my config files:

ipsec.conf:

    ike passive esp transport \
        proto udp from mydomain.com (0.0.0.0/0) to any port 1701 \
        main auth hmac-sha enc aes group modp1024 \
        quick auth hmac-sha enc aes \
        psk xxx

npppd.conf:

    authentication LOCAL type local {
        users-file /etc/npppd/npppd-users
    }
    tunnel L2TP_ipv4 protocol l2tp {
        listen on 0.0.0.0
        l2tp-accept-dialin yes
    }
    ipcp IPCP {
        pool-address 192.168.11.150-192.168.11.159
        dns-servers 192.168.11.25
    }
    interface pppx0 address 192.168.11.160 ipcp IPCP
    bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0

npppd-users:

    stuart:\
        :password=foo:

ifconfig's output:

    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
            priority: 0
            groups: lo
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
            inet 127.0.0.1 netmask 0xff000000
    re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 76:7f:52:6e:91:0d
            priority: 0
            groups: egress
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet6 fe80::747f:52ff:fe6e:910d%re0 prefixlen 64 scopeid 0x1
            inet6 2601:xxx prefixlen 64 autoconf pltime 14391 vltime 86391
            inet6 2601:xxx prefixlen 64 autoconf autoconfprivacy pltime 6138 vltime 78138
            inet 192.168.11.29 netmask 0xffffff00 broadcast 192.168.11.255
    enc0: flags=0<>
            priority: 0
            groups: enc
            status: active
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
            priority: 0
            groups: pflog
    pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360
            description: stuart
            priority: 0
            groups: pppx
            inet 192.168.11.160 --> 192.168.11.157 netmask 0xffffffff

Thanks,
Stuart
Re: ARP and npppd
On Sun, Feb 17, 2013 at 5:13 PM, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> On Sun, Feb 17, 2013 at 10:32:33AM -0500, Stuart McMurray wrote:
> > Hi all,
> >
> > I'm having a bit of trouble getting l2tp working from behind a firewall.
> > Here's the setup:
> >
> > OpenBSD with isakmpd and npppd -- Home Router -- Internet -- Cell Network
> > -- iPhone/Laptop
> >
> > Basically, the idea is to make a VPN for use when I'm travelling. I can
> > connect just fine and put traffic on the network, but arp requests from
> > other hosts on the network don't get sent back through the l2tp tunnel.
> > If I manually update the arp cache of another host on the network with
> > the ethernet address of my npppd/isakmpd box and the IP assigned by
> > npppd, traffic flows with no problem. Looking at the traffic of the nic
> > on the npppd box, I see arp replies coming in. tcpdump on the pipex
> > interface doesn't report the arp requests.
> >
> > Is there something special I need to do to send non-ip traffic through
> > the vpn?
>
> npppd and L2TP VPN are not built to do L2 VPNs. To build something like
> that you would need to do proxy-arp on the npppd box and even then not
> everything will work since it is still a ppp connection running in the end.
>
> It may be better to use gif(4) over ipsec for this since that will allow
> you to do etherip and native L2 VPNs. On the client bridge the gif with
> vether(4) and on the server bridge it with your real ethernet device.
>
> npppd works great for L3 VPNs though...
>
> --
> :wq Claudio

If npppd's L2TP VPN isn't built for an L2 VPN (?), what's the appropriate daemon to set up an L2TP VPN in OpenBSD? Since the clients are going to be iOS (Apple, non Cisco) devices, bridging interfaces manually isn't a possibility.
Re: bootable OpenBSD USB stick from windows?
For Windows, VirtualBox is free and should do the trick. You'll probably need the extension pack.

https://www.virtualbox.org/wiki/Downloads

-Stuart

On Tue, Feb 12, 2013 at 01:53:46PM +1300, m...@extensibl.com wrote:
> On Mon, Feb 11, 2013 at 10:51:29PM +0000, Heptas Torres wrote:
> > Hello
> > I have an old laptop with no CD-ROM but can boot from USB. Given that I
> > only have access to a windows machine to burn an iso image, do you know
> > of an easy way (e.g. some windows program) to create a bootable OpenBSD
> > USB stick which I can then use to install OpenBSD on my old laptop?
> > -heptas
>
> Hi Heptas,
>
> Use vmware/qemu/any other similar software to install openbsd to your usb
> stick. install52.iso can be used to boot your virtual machine. Then copy
> everything in http://ftp.openbsd.org/pub/OpenBSD/5.2/amd64/ to, say,
> /5.2/amd64/ on the same usb drive. (Do not forget to choose the right
> architecture, version and mirror). Just that.
>
> You can use that drive as install media or as your primary working system,
> if you wish. To use it as install media, enter bsd.rd at the boot prompt.
>
> P.S. FAQ on the website and man pages are highly recommended and useful.
> Read them before you start experimenting with OpenBSD.
>
> Best regards,
> Alex
Re: bootable OpenBSD USB stick from windows?
Apparently someone has written one:

http://www.chrysocome.net/dd

On Mon, Feb 11, 2013 at 08:02:13PM -0500, brian wrote:
> On 2/11/2013 5:51 PM, Heptas Torres wrote:
> > Hello
> > I have an old laptop with no CD-ROM but can boot from USB. Given that I
> > only have access to a windows machine to burn an iso image, do you know
> > of an easy way (e.g. some windows program) to create a bootable OpenBSD
> > USB stick which I can then use to install OpenBSD on my old laptop?
> > -heptas
>
> If windows has something like dd, maybe you can write the floppy image to
> your usb.

--
Stuart McMurray