Category Archives: Security

Looking for clear text authentication with tcpdump

Posted on by
Reply

Login services not using encryption, is unfortunately still often seen in the wild. I started out in the IT business around 2000, and even back then, clear text authentication was bad, but still we see it today.

Examples of services using clear text authentication is: HTTP, FTP and telnet. Don’t ever authenticate using any of these protocols, unless you know exactly what you are doing.

Sometimes you may want to verify, if the password is actually sent in clear text, and one of the tools to use is tcpdump. Tcpdump is the default network analyse tool on most Linux distributions, and it’s very easy to get started with. Maybe you just want to know if your network changes is routing traffic to your server, you can use tcpdump to verify.

When sniffing for clear text passwords, we need to give the parameters -s 0 and -A and then we can give the destination port the service is listening on with dst port. So the full command would look like this:

tcpdump -s 0 -A dst port xxx

You can also specify the interface to listen on, by using the -i option. If your interface is enp0s31f6, then it would look like.

tcpdump -i enp0s31f6 -s 0 -A dst port xxx

Another option is the “and” and the “not” keyword. Imagine you are logged in with SSH, and looking for ssh traffic, but you don’t want to see your own traffic. The you can use and not host ${your own IP address}, like this

tcpdump -i enp0s31f6 dst port 22 and not host xx.xx.xx.xx

In the last example i have removed the -s 0 and the -A option, since i don’t need it just to see if traffic is getting to my server.

Lidt mere om SSH tunneler

Posted on by
Reply

Jeg har tidligere skrevet lidt om hvoran man kan bruge SSH tunnel til at lave portforwarding, det kan være en løsning hvis man f.eks. ikke vil åbne sin webserver op mod internettet.

Netop denne situation stod jeg i da min bror havde brug for et regnskabsprogram og jeg tilbød ham at installere en webserver med det danske gratis regnskabsprogram Saldi.

Jeg kender ikke til sikkerheden i webapplikationen, og jeg er ikke sikker på hvor tit jeg lige får opdateret denne server (det skulle helst være en “install and forget”) Derfor ville jeg ikke åbne op for det store internet.

Jeg valgte istedet at installere tunnelier fra bitvise på min brors PC, og herefter konfigurere den til at oprette en tunnel og starte en browser op, der peger på den side han skal ind på.

Det er der jo i forhold til min tidligere post ikke noget nyt i, det nye kommer her:

For at sikre mig at min bror ikke laver rav i den fra den bash shell han som default får når jeg opretter ham på mit system, ændrede jeg hans shell fra /bin/bash til /bin/false i /etc/passwd filen. Nu har han ikke mulighed for at logge ind med en shell, men han kan stadig forwarde porte.

Husk derfor også, at /bin/false skal bruges med omtanke, da den altså giver visse muligheder udover bare at blokere for login. Brug istedet /bin/nologin hvis du vil spærre helt af for en brugers mulighed for at logge ind/bruge portforwarding.

Læs evt. mere om det her: http://www.semicomplete.com/articles/ssh-security/

Mvh.