Tag Archives: security

Acmetool utility port for FreeBSD

I am actively using Let's Encrypt certificates for my private and business projects. Initially I was using the official Python client to obtain them, and it had all kinds of problems. At some point I migrated to the Acmetool client, which works perfectly and allows me to maintain hundreds of certificates with minimal effort. This is the feature list from the web site:

✅ Zero-downtime autorenewal
✅ Supports any webserver
✅ Fully automatable
✅ Single-file dependency-free binary
✅ Idempotent
✅ Fast setup

The only problem for me was the lack of a FreeBSD port: yes, you can grab FreeBSD binaries from the author's web site and install them somewhere under /opt/, but that is not the Jedi path. So I had to create a FreeBSD port, which after a few months of aging was finally accepted into the tree. There are small changes in the port compared to the author's build: paths are FreeBSD-style and builds should be repeatable (I hope, at least). As usual, feel free to send me PRs, bug reports and suggestions.

Lets Encrypt!


Using TK103A GPS tracker with traccar server

TK-103A tracker

Some time ago I decided to install a GPS tracker in my car to get information about my routes, car location, etc. After a quick research I found the “Mini TK103A” tracker on eBay, which costs about $30.


The device looks solid and can be configured by SMS commands. The most important ones are “begin123456” (initialization), “admin123456” (adds numbers to the trusted list) and “adminip” (GPRS settings). The full command list is provided in the documentation.

“USB” port

The tracker does have a micro-USB socket, however it is not a real USB port, it is just a serial port wired to a micro-USB plug. I was able to get information from it using a USB-to-serial TTL converter. It sends a lot of debug information at 115200/8N1. The debugging information is useful when you are configuring and testing the tracker.

04-26 15-63-40  EINT PWR CONNECT
04-26 15-63-40  motion_close
01-15 00-00-00  SENDDATA:0
01-15 00-00-00  NO SERVICE
01-15 00-00-00  T-card not ready!
01-15 00-00-00  FILE2222:
                         01-15 00-00-00:

01-15 00-00-00  password1=:123456
01-15 001-15 00-00-00  CENTER NUMER1:+420123123123
01-15 00-00-00  CENTER NUMER2:
01-15 00-00-00  CENTER NUMER3:
01-15 00-00-00  CENTER NUMER4:
01-15 00-00-00  CENTER NUMER5:
01-15 00-00-00  heartbeat time:3
01-15 00-00-00  SENDDATA:0
01-15 00-00-00  send Packet time:15
01-15 00-00-00  sms_gprs=1
01-15 00-00-00  time_zone:2,8,0
01-15 00-00-00  voice_temp:1
01-15 00-00-00  shave alarm:0,35
01-15 00-00-00  ACC:0
01-15 00-00-00  speed alarm:0,120
01-15 00-00-00  speed alarm time:5
01-15 00-00-00  s alarm time:5
01-15 00-00-00  move alarm=0
01-15 00-00-00  JT=0
01-15 00-00-00  JT TIME=3
01-15 00-00-00  TRACE :2
01-15 00-00-00  lang=1
01-15 00-00-00  APN=1
01-15 00-00-00  ���ϴ�ʱ��:1
01-15 00-00-00  powr=1
01-15 00-00-00  weilan:0
01-15 00-00-00  num:255
01-15 00-00-00  loud_spe=1
01-15 00-00-04  NO SERVICE
01-15 00-00-04  NO SERVICE
01-15 00-00-04  NO SERVICE
01-15 00-00-04  NO SERVICE
01-15 00-00-04  NO SERVICE
01-15 00-00-05  NO SERVICE
01-15 00-00-07  NETWORK NORMAL
01-15 00-00-07  NETWORK NORMAL
01-15 00-00-10  T-card not ready!
01-15 00-00-10  FILE2222:
                         01-15 00-00-10:

01-15 00-00-12   IMEI��:352887072123123
01-15 00-00-12   IP/PORT:1.2.3.4/9000
01-15 00-00-12   VER:MAUI.10A.W11.08.MP.V25 2015/09/11 12:38
01-15 00-00-12   ---------------------------------------------------
01-15 00-00-12   SIM CARD------------------OK!
01-15 00-00-12   GSM Signal----------------OK!
01-15 00-00-12   SOCKET----------------NG
01-15 00-00-12   G-Senser------------------OK!
01-15 00-00-12   GPS Location----------NG
01-15 00-00-12   PWR EINT--------------NG
01-15 00-00-12   ACC EINT--------------NG
01-15 00-00-12   SOS EINT--------------NG
01-15 00-00-12   BATTER/Vin-----------4.11/11.97
01-15 00-00-12   ---------------------------------------------------
01-15 00-00-12   GPS Location:86,Satellite:2-----------
01-15 00-00-12  num:255

I also found some references that this port can be used to reflash the tracker, however I never tried that.
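The debug dump above is the only place where the tracker shows its complete state: SMS password, trusted “center” numbers, server endpoint and the self-test table. The following parser is an added example (not part of the original post or of the tracker firmware) that turns such a dump into a settings snapshot and a self-test table, then reviews the settings an owner cares about. The sample lines are copied from the dump above (the IMEI line is written without the firmware's garbled bytes); the expected trusted numbers and server endpoint passed to `review()` are hypothetical values an owner would fill in.

```python
"""Parse the TK103A serial debug output (115200/8N1) into a configuration
snapshot and a self-test table, then review the settings an owner cares
about.  Added example, not part of the original post or of the tracker
firmware; the expected trusted numbers and server endpoint passed to
review() are hypothetical values an owner would fill in.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of lines taken from the debug dump quoted in
# the post (the IMEI line is written without the firmware's garbled bytes).
SAMPLE_LOG = """\
01-15 00-00-00  password1=:123456
01-15 00-00-00  CENTER NUMER1:+420123123123
01-15 00-00-00  CENTER NUMER2:
01-15 00-00-00  heartbeat time:3
01-15 00-00-00  sms_gprs=1
01-15 00-00-00  APN=1
01-15 00-00-12   IMEI:352887072123123
01-15 00-00-12   IP/PORT:1.2.3.4/9000
01-15 00-00-12   ---------------------------------------------------
01-15 00-00-12   SIM CARD------------------OK!
01-15 00-00-12   SOCKET----------------NG
01-15 00-00-12   GPS Location----------NG
01-15 00-00-12   BATTER/Vin-----------4.11/11.97
"""

# "MM-DD HH-MM-SS  payload"; continuation lines without a timestamp are skipped
LINE_RE = re.compile(r"^\d\d-\d\d \d\d-\d\d-\d\d\s+(.*)$")
# self-test rows: "SIM CARD------------------OK!", "BATTER/Vin-----------4.11/11.97"
STATUS_RE = re.compile(r"^(.+?)-{3,}(OK!|NG|[\d./]+)$")
# settings use ':' or '=' (or both, as in "password1=:123456") as separator
KV_RE = re.compile(r"^([^:=]+?)\s*[=:]+\s*(.*)$")


def parse_debug_log(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (settings, status): key/value settings and self-test results."""
    settings: Dict[str, str] = {}
    status: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        payload = m.group(1).strip()
        st = STATUS_RE.match(payload)
        if st:
            status[st.group(1).strip()] = st.group(2)
            continue
        kv = KV_RE.match(payload)
        if kv:
            key, value = kv.group(1).strip(), kv.group(2).strip()
            if key.startswith("IMEI"):  # firmware prints junk bytes after "IMEI"
                key = "IMEI"
            settings[key] = value
    return settings, status


def trusted_numbers(settings: Dict[str, str]) -> List[str]:
    """Phone numbers allowed to control the tracker (CENTER NUMER1..5)."""
    return [settings[k] for k in sorted(settings)
            if k.startswith("CENTER NUMER") and settings[k]]


def server_endpoint(settings: Dict[str, str]) -> Optional[Tuple[str, int]]:
    """(host, port) the tracker reports to, parsed from "IP/PORT:host/port"."""
    host, _, port = settings.get("IP/PORT", "").partition("/")
    if not host or not port.isdigit():
        return None
    return host, int(port)


def review(settings: Dict[str, str], status: Dict[str, str],
           expected_numbers, expected_server) -> List[str]:
    """Findings worth acting on; an empty list means the snapshot looks as expected."""
    findings: List[str] = []
    if settings.get("password1") == "123456":
        findings.append("password1 is still 123456, the value used in the SMS commands")
    extra = sorted(set(trusted_numbers(settings)) - set(expected_numbers))
    if extra:
        findings.append("unexpected trusted numbers: " + ", ".join(extra))
    endpoint = server_endpoint(settings)
    if endpoint != tuple(expected_server):
        findings.append("tracker reports to %s, expected %s" % (endpoint, tuple(expected_server)))
    if settings.get("sms_gprs") == "1" and status.get("SOCKET") == "NG":
        findings.append("GPRS mode is on but there is no socket to the server (SOCKET NG)")
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    cfg, st = parse_debug_log(data)
    # hypothetical expectations: the owner's own number and Traccar server
    for finding in review(cfg, st, {"+420123123123"}, ("1.2.3.4", 9000)):
        print("-", finding)
```

Feed it a dump captured from the serial port (`python3 tk103a_review.py capture.log`) and any line it prints is a setting that drifted from what you configured: an extra trusted number, a different server endpoint, or a password left at the value used in the SMS commands.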

Sending data to the server

After GPRS host/port configuration you can enable GPRS mode, where all data will be sent to the remote server. I found that the open-source Traccar software supports such devices and provides web and Android interfaces. It turned out that this specific tracker uses the GT06 binary protocol. Traccar supports it out of the box, you just have to choose the correct port on the server and client. Traccar also supports data logging to an external database (MySQL, PostgreSQL, etc.), so it should be easy to integrate it with anything you need.

Some security considerations

All data from the tracker to the monitoring system is sent unencrypted and can be easily decoded in transit if the traffic is captured. This device also allows adding some “security alarm” features, including ignition and oil pump control. I personally feel that this is very dangerous and should not be used at all. I think such features are a good example of the InternetOfShit coming 🙂


Lets encrypt!

Some time ago I subscribed to the Let's Encrypt beta participation program. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.
Yesterday I finally got an email telling me that my requested domains (smartmontools.org/www.smartmontools.org) are white-listed. So I decided to give it a try.

Installation

To use the Let's Encrypt service you will have to install an ACME protocol client. ACME (Automatic Certificate Management Environment) is a protocol to automate all operations with PKI certificates. The current implementation is written in Python and is available in the GitHub repository. You can find a lot of information about its usage in the online manual. I was trying to run it on CentOS 6.7 and the installation failed because of the old (2.6) Python version. However, after some research, I was able to find a pull request with a patch for 2.6 support. Hopefully it will go into mainline at some point, because py26 is still widely used. After this I was able to complete the installation with letsencrypt-auto.

Usage

Let's Encrypt requires you to verify that you own the requested domain, as most other CAs do. However, with ACME this can be done 100% automatically. There are different options for how to do this; initially I tried the --standalone option. With it the letsencrypt client creates a standalone web server for the authentication. However, if you already have a web server on port 80 you will have to stop it while the client is running. It was working for me, but it requires a short downtime, so I decided to look at other options. After all I found the webroot authenticator, which just creates some files in the web root and later automatically removes them. To automate the process I created the configuration file /etc/letsencrypt/cli.ini:

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.

# Use a 2048 or 4096 bit RSA key
rsa-key-size = 2048

# Use production server
server =  https://acme-v01.api.letsencrypt.org/directory

# Uncomment and update to register with the specified e-mail address
email = nospam@example.com

# Uncomment to use a text interface instead of ncurses
text = True

# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = dvsni

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
webroot-path = /var/www/html/smartmontools/static

# automatically agree with license
agree-dev-preview = True

# renew the certificate if it already exists
renew-by-default = True

I also had to make sure that nginx can serve the required files to the remote side, so I added these lines to my nginx site configuration:

    location /.well-known/acme-challenge/ {
        alias /var/www/html/smartmontools/static/.well-known/acme-challenge/;
    }

To use the certificates in nginx I added the paths to the new certificate and key to the configuration:

    ssl_certificate /etc/letsencrypt/live/smartmontools.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smartmontools.org/privkey.pem;

Now to renew my certificates I just need to run

./letsencrypt-auto -d smartmontools.org -d www.smartmontools.org certonly

and it will do the job. Also don't forget to reload the nginx service if the certificates are already configured.

Notes

Let's Encrypt certificates expire in 90 days, so it is recommended to renew them every 60 days. It is also very much recommended to set up a Nagios check to send an alert if the remaining time before expiration is less than one week. In the future I would also try to use an ACME client on an OpenWRT box, but hopefully there will be some more suitable alternative for embedded hardware. Finally, I would recommend testing your web server SSL configuration with the SSL Server Test from SSL Labs.
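The expiry check recommended above, written as a Nagios-style plugin: it connects with full chain verification, reads the leaf certificate's notAfter, and exits WARNING below one week (the threshold from the post) or CRITICAL below two days (this example's own choice). This is an added example, not part of the post or of the letsencrypt client; it assumes the host serves TLS on port 443 and selects the certificate by SNI.

```python
"""Nagios-style certificate expiry check for the renewal schedule described
above: WARNING when fewer than 7 days remain (the one-week threshold from the
post), CRITICAL when fewer than 2 days remain (this example's own choice).
Added example, not part of the original post or of the letsencrypt client.
Assumes the host serves TLS on port 443 and picks the certificate by SNI.
"""
import socket
import ssl
import sys
import time
from typing import Optional, Tuple

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def days_left(not_after: str, now_seconds: Optional[float] = None) -> float:
    """Days until 'notAfter' (the string getpeercert() returns, e.g.
    'Jan  5 09:34:43 2018 GMT'); negative once the certificate has expired."""
    expiry = ssl.cert_time_to_seconds(not_after)  # interpreted as UTC
    if now_seconds is None:
        now_seconds = time.time()
    return (expiry - now_seconds) / 86400.0


def classify(days: float, warn_days: float = 7, crit_days: float = 2) -> int:
    """Map remaining days to a Nagios state."""
    if days < crit_days:
        return CRITICAL
    if days < warn_days:
        return WARNING
    return OK


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """TLS-connect with chain and hostname verification, return the leaf's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str, port: int = 443) -> Tuple[int, str]:
    """Return (exit_code, status_line) for the plugin."""
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLError as exc:  # untrusted chain, name mismatch, expired already
        return CRITICAL, "CRITICAL - TLS handshake with %s failed: %s" % (host, exc)
    except OSError as exc:  # DNS failure, connection refused, timeout
        return UNKNOWN, "UNKNOWN - cannot connect to %s:%d: %s" % (host, port, exc)
    days = days_left(not_after)
    state = classify(days)
    return state, "%s - %s expires in %.1f days (%s)" % (LABELS[state], host, days, not_after)


if __name__ == "__main__":
    code, line = check_host(sys.argv[1] if len(sys.argv) > 1 else "smartmontools.org")
    print(line)
    sys.exit(code)
```

Because the default SSL context is used, a certificate that is already expired, or a chain that is no longer trusted, fails the handshake and is reported as CRITICAL rather than slipping through as a parse error; only network problems map to UNKNOWN.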


JVPN 0.6.1 released

JVPN is a Perl script to connect to the Juniper VPN with Host Checker enabled.
The new version (0.6.1) adds the ability to store the password/token in the configuration or to use external scripts to provide it. It also adds the ability to define a custom URL and addresses issues with the scripting support added in 0.6.0.
You can download it from the JVPN post.


Reading codes from an RSA SecurID token

Why do I need this?

To access my VPN I need to use the code from an RSA SecurID token. Sometimes the VPN disconnects and I need to enter the token code again and again. It is annoying. Also I am afraid that one day I will lose my token and it will take a lot of time to restore it.

So I decided to automate the process. There is no USB port on this token type, so the only way to read the digits is to “scan” the LCD. I decided to do this with my old Logitech Webcam C200. This article shows how to do this. To backlight the token I used an IKEA lamp.

I used the “cheese” tool to set up the camera and token. Make sure that the token is well lit and the numbers are big and readable.


jvpn – Perl script to connect to the Juniper VPN with Host Checker enabled

Overview

To access some company resources I need to use the Network Connect VPN from Juniper. Network Connect is a software package that interfaces with its Secure Access hardware and provides a Virtual Private Network (VPN) solution. There are two software products that connect to Secure Access servers: Windows Secure Application Manager which, as you might guess, runs on Microsoft Windows; and Network Connect which runs on other platforms, in particular GNU/Linux. All clients are closed source, without an open source alternative.

I personally think that all closed source VPN clients should die one day. Typically they are a perfect example of security by obscurity: internally they use known algorithms and are usually built with OpenSSL inside, so there are no “secret” technologies. But the closed source form does not allow auditing the code or connecting from an unsupported OS (including non-x86 Linux, e.g. ARM). Also I'm sure that the code security level is very low: such clients often contain statically linked outdated libraries or bad input parameter validation. In the worst case such clients include kernel modules (some s..t from Cisco) and then you are forced to use only a supported kernel. In Juniper's case the native Linux client requires Java + a web browser installed. It is also built with JNI (Java Native Interface), so it will run only on 32-bit platforms. To run it on my Linux/x86_64 I installed 32-bit versions of Firefox and Oracle Java. It was very annoying to keep all these blobs in RAM, so I decided to understand how it works and write an alternative.

How Network Connect works

After debugging with strace, a Java decompiler and tcpdump I got a clear view of how Network Connect works:

  1. In the web browser the client opens the VPN page and enters login/password (in my case the password is generated by an RSA SecurID device).
  2. If authorization is successful, the browser checks whether the VPN software is installed using a Java applet. If it is not installed, the ncLinux.jar file is downloaded and an installation script runs. The client is installed to ~/.juniper_networks/network_connect. It will also set the SUID bit on the ncsvc binary using su or sudo (the password is prompted).
  3. Then optionally the Host Checker client (tncc.jar) runs. This package validates that your system conforms to the policies configured on the VPN host. In my case HC is running but is probably not strict: I am able to log on to the VPN from my home Linux.
  4. In the next step the Java applet launches NC.jar and passes some parameters to it. The most important one is DSID, the dynamic session key taken from the browser cookie.
  5. NC.jar starts the Java (AWT-based) GUI and the console client (ncsvc) using JNI (the code is inside libncui.so). I found that after startup ncsvc listens on TCP port 4242 (127.0.0.1 address). Then the Java GUI starts and connects to ncsvc (port 4242).
  6. After connecting, the Java GUI sends the configuration to ncsvc using an undocumented protocol and ncsvc establishes the remote connection. In the configuration packet I found the DSID, the certificate MD5 fingerprint, the hostname and some other data.
  7. When the connection is established the Java GUI gets a reply and communicates with ncsvc to get connection statistics (amount of data transferred, VPN algorithm, etc.).
  8. On disconnect the GUI sends a special command to the ncsvc process and it disconnects from the remote host and does some cleanup (e.g. reverting /etc/resolv.conf and /etc/hosts).

ncsvc client

The connection is established and maintained by the ncsvc client. I found some information on the net (e.g. mad-scientist.us/juniper.html or www.joshhardman.net/juniper-network-connect-vpn-linux-64-bit/) on how to run it from the command line, including some scripts. In my case all these scripts failed. If these scripts are working for you, then you don't need jvpn 🙂 The reason for the failure was Host Checker: the related Juniper KB contains the text “Launch Network Connect only through the Internet browser on the supported Linux platforms”. But I was not satisfied with this and decided to emulate the Java GUI to run the client from the command line, without a web browser. The command line interface of ncsvc (see ncsvc -h) will not help in this case, because there is no way to pass the DSID, and all other CLI options failed in my case. So I wrote a Perl script, jvpn.pl, and hooray, I was able to establish a connection.

jvpn.pl script – description

  • To use this script you need Perl (with some modules) and the openssl binary. unzip is also required if the client is not installed.
  • jvpn.pl uses the configuration file jvpn.ini; before usage you will need to set up the host name, login, password and realm. If you don't know your realm, read the HTML source of the login page: it will contain a hidden “REALM” input element.
  • If the ncsvc client is not installed, jvpn will download it to the current directory automatically from your VPN host.
  • Then it logs in to the web site using your username/password and gets the DSID. It handles some advanced scenarios like the “active sessions found” and “additional code required” pages from the VPN. It also gets the MD5 fingerprint of the SSL certificate using the “openssl” binary.
  • If Host Checker support is enabled in the configuration, it also downloads and starts tncc.jar to get Host Checker authentication from the server.
  • After getting the DSID it starts ncsvc and sends configuration commands to it over TCP (port 4242). At this stage ncsvc establishes the VPN connection. Then jvpn.pl enters the statistics loop, like the Java GUI.
  • On Ctrl+C jvpn.pl sends the disconnect command to ncsvc and also logs out from the VPN web site, to make sure that the DSID is invalidated.
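The script takes the MD5 fingerprint of the VPN host's certificate because the ncsvc configuration packet carries it; that same step is a natural place to pin the host's certificate so that credentials and the DSID are never sent to a host whose certificate has changed. The code below is an added example of that check, not jvpn's own code: it fetches the leaf certificate, prints the MD5 fingerprint in the format `openssl x509 -fingerprint` uses, and compares a SHA-256 fingerprint against a pinned value. The host name and the pinned value are placeholders.

```python
"""Certificate fingerprinting for the VPN host, mirroring the step where
jvpn.pl takes the MD5 fingerprint of the SSL certificate with the openssl
binary, plus a pin check so a script can refuse to send credentials or the
DSID to a host whose certificate changed.  Added example, not jvpn's own
code; the pinned value below is a placeholder, not a real fingerprint.
"""
import hashlib
import hmac
import ssl
import sys
from typing import Dict

# Placeholder: replace with the SHA-256 fingerprint recorded when the VPN
# host's certificate was first verified out of band.
PINNED_SHA256 = "<PINNED SHA-256 FINGERPRINT>"


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Colon-separated upper-case digest, the format 'openssl x509 -fingerprint' prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str, algo: str = "md5") -> str:
    """Fingerprint of a PEM-encoded certificate (hash is over the DER bytes)."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem), algo)


def fetch_fingerprints(host: str, port: int = 443) -> Dict[str, str]:
    """Fetch the leaf certificate (no chain validation; pinning replaces it) and hash it."""
    pem = ssl.get_server_certificate((host, port))
    return {algo: fingerprint_from_pem(pem, algo) for algo in ("md5", "sha256")}


def pin_matches(observed: str, pinned: str) -> bool:
    """Constant-time comparison, tolerant of colons and letter case."""
    def norm(s: str) -> bytes:
        return s.replace(":", "").lower().encode()
    return hmac.compare_digest(norm(observed), norm(pinned))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # hypothetical host
    fps = fetch_fingerprints(host)
    print("MD5    (value ncsvc expects in its config packet):", fps["md5"])
    print("SHA256 (value to pin):                            ", fps["sha256"])
    if not pin_matches(fps["sha256"], PINNED_SHA256):
        sys.exit("certificate does not match the pinned SHA-256 fingerprint; "
                 "not sending credentials or DSID")
```

MD5 is computed only because the ncsvc protocol wants it; the decision whether to proceed is taken on the SHA-256 pin, and the comparison is constant-time so the check cannot leak how many leading bytes matched.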

Screenshot

Download

Version 0.7.0: samm.kiev.ua/jvpn/jvpn-0.7.0.tar.bz2. If you find some bugs or make some improvements, drop me a note.


Exploring Servis24 certificate card from the Česká spořitelna bank

Česká spořitelna is one of the largest banks in the Czech Republic. I have been a client of this bank for a long time and I am satisfied with their services. One of the services I am using is the internet bank (Servis24).

It is web-based and works from Firefox without problems. The only issue for me was the SMS confirmation for every transaction: I found that SMS delivery in roaming is not always reliable. Also I dislike password-based authentication. So I decided to order a certificate card.
