Network

Introduction I was recently playing around with DNSSEC and figured out that the root DNS zone . uses NSEC and not NSEC3 to prove the absence of a resource record. This looked interesting to me and triggered some ideas. So I did some experiments and here are the results. TL;Dr: The most interesting facts: The root DNS zone uses NSEC can be therefore be DNSSEC zone walked There are more than 1500 TLDs More than 90% of all TLDs haven DNSSEC configured The most used algorithm for signing DNS zones is RSA/SHA-256 53 TLDs also use NSEC and can therefore also be DNSSEC zone walked Note: The results may not be exactly accurate because it was not always verified if every query was always successful. ...

Introduction In pentests, you often need to create X.509 certificates (e.g. for TLS) or Certificate Authorities (CAs) to mimic secure environments during your tests. Manually generating these certificates with tools like openssl can be time-consuming and error-prone, especially when you’re in a hurry. Who remembers all these commands? Whether you’re setting up a fake webserver for data exchange, a proxy setup, a machine-in-the-middle (MITM) attack, testing secure connections, or creating your own CA chain, manually generate these certificates should not take much time. ...

Introduction WireGuard is a relatively new open-source software for creating VPN tunnels on the IP layer using state of the art cryptography. I attended a self-organized session by the creator and developer Jason Donenfeld at the 34c3 who explained how WireGuard works and how it can be used. I was quite impressed by it’s simplicity and gave it a try. It worked more or less out of the box. Now I created a more advanced setup for accessing my home network. ...

Einführung Jedes mal, wenn ich meine IP Adresse wissen will, gebe ich bei einer Suchmaschine “my ip address” ein und klicke auf eines der Ergebnisse. Dies ist nicht sehr elegant. Auf einem Server ohne Browser ist dies gar nicht möglich. Deshalb habe ich ein Script geschrieben, welches mir meine IP Adressen (IPv4 und IPv6) anzeigt. Script Das Script sieht folgenermassen aus: #!/usr/bin/env bash #IPURL="https://icanhazip.com/ip" IPURL="https://motd.ch/ip.php" print_usage(){ cat << EOI Displays IP addresses of the current host used for internet connections. Usage: myip [options] Options: -6 Show only IPv6 addresses (public ip address by default). -4 Show only IPv4 addresses (public ip address by default). -h Show usage help. -l Show local insted of public addresses. -g Show geolocation (using geoiplookup). No options produces a more verbose output. EOI } check_dependencies(){ local FAIL=0 for tool in "$@" do if ! hash "$tool" &> /dev/null then echo "The tool $tool does not exist." FAIL=1 fi done if [[ "$FAIL" == 1 ]] then exit 1 fi } print_public_ipv4_address(){ echo "$(curl -s -4 -L $IPURL || echo "")" } print_public_ipv6_address(){ echo "$(curl -s -6 -L $IPURL || echo "")" } print_public_ipv4_geolocation(){ geoiplookup "$PUBLIC_IPV4_ADDRESS" | awk -F": " '{printf($2)}' } print_public_ipv6_geolocation(){ geoiplookup6 "$PUBLIC_IPV6_ADDRESS" | awk -F": " '{printf($2)}' } print_local_ipv4_address(){ echo "$(curl -s -4 -L --write-out %{local_ip} $IPURL -o /dev/null || echo "")" } print_local_ipv6_address(){ echo "$(curl -s -6 -L --write-out %{local_ip} $IPURL -o /dev/null || echo "")" } main(){ while getopts 46ghlv name do case "$name" in 4) flag_4=1 ;; 6) flag_6=1 ;; g) flag_g=1 ;; h) print_usage exit ;; l) flag_l=1 ;; ?) print_usage >&2 exit 2 ;; esac done if [[ -n $flag_l && -n $flag_4 ]] then print_local_ipv4_address fi if [[ -n $flag_l && -n $flag_6 ]] then print_local_ipv6_address fi if [[ -z $flag_l && -n $flag_4 ]] then print_public_ipv4_address fi if [[ -z $flag_l && -n $flag_6 ]] then print_public_ipv6_address fi if [[ -z $flag_l && -z $flag_4 && -z $flag_6 ]] then PUBLIC_IPV4_ADDRESS=$(print_public_ipv4_address) PUBLIC_IPV6_ADDRESS=$(print_public_ipv6_address) echo -e "Public IPv4 address: ${PUBLIC_IPV4_ADDRESS:--}" echo -e "Public IPv6 address: ${PUBLIC_IPV6_ADDRESS:--}" LOCAL_IPV4_ADDRESS=$(print_local_ipv4_address) LOCAL_IPV6_ADDRESS=$(print_local_ipv6_address) echo -e "Local IPv4 address: ${LOCAL_IPV4_ADDRESS:--}" echo -e "Local IPv6 address: ${LOCAL_IPV6_ADDRESS:--}" echo "" if [[ -n "$PUBLIC_IPV4_ADDRESS" && -n "$LOCAL_IPV4_ADDRESS" ]] then if [[ "$PUBLIC_IPV4_ADDRESS" != "$LOCAL_IPV4_ADDRESS" ]] then echo "IPv4: NAT" else echo "IPv4: No NAT" fi fi if [[ -n "$PUBLIC_IPV6_ADDRESS" && -n "$LOCAL_IPV6_ADDRESS" ]] then if [[ "$PUBLIC_IPV6_ADDRESS" != "$LOCAL_IPV6_ADDRESS" ]] then echo "IPv6: NAT" else echo "IPv6: No NAT" fi fi if [[ -n "$flag_g" ]] then check_dependencies geoiplookup geoiplookup6 if [[ -n "$PUBLIC_IPV4_ADDRESS" ]] then PUBLIC_IPV4_GEOLOCATION="$(print_public_ipv4_geolocation)" echo "Geolocation IPv4: $PUBLIC_IPV4_GEOLOCATION" fi if [[ -n "$PUBLIC_IPV6_ADDRESS" ]] then PUBLIC_IPV6_GEOLOCATION="$(print_public_ipv6_geolocation)" echo "Geolocation IPv6: $PUBLIC_IPV4_GEOLOCATION" fi fi fi } main "$@" Die aktuellste Version davon gibt es auf GitHub in meinem Scripts Repository: myip. ...

Einführung Verbindet man sich zum ersten Mal per SSH mit einem Server, sieht man den Fingerabdruck des Servers. Diesen sollte man im Idealfall vergleichen und erst mit yes bestätigen, wenn man sich sicher ist, dass es sich um den richtigen Fingerprint handelt. Stimmt der Fingerabdruck nicht, könnte man Opfer einer Man in the Middle Attacke sein. Das Vergleichen der Fingerprints ist etwas mühsam und mittels fuzzying (beispielsweise mit dem Tool ffp) können sehr ähnliche Fingerprints erstellt werden, welche dem Menschen auf den ersten Blick gleich erscheinen. Man kann sich einfach vor gefälschten SSH Fingerprints schützen, indem man diese in einem DNSSEC signierten speziellen DNS Record hinterlegt. Hierfür gibt es den speziellen SSHFP Record. ...