Tor & disabling IPv6 in Linux

23 06 2012

Install & configure tor / privoxy & proxychains

– Add a new repo

vi /etc/apt/sources.list

deb http://deb.torproject.org/torproject.org lucid main

– Get the key

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

– Install

apt-get update
apt-get install tor tor-geoipdb
apt-get install privoxy

– Check privoxy config to make sure listen address is 127.0.0.1:8118 & configure socks4a proxy

vi /etc/privoxy/config

listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .

– change keep-alive-timeout & socket-timeout to 600

keep-alive-timeout 600
socket-timeout 600

– Start privoxy

/etc/init.d/privoxy start

– Change your browser to point @ your proxy 127.0.0.1:8118
– Check that you connect over tor

https://check.torproject.org/

– Next up, install proxychains so you can use other tools over tor

apt-get install proxychains

– Verify the following line is in /etc/proxychains.conf

socks4 127.0.0.1 9050

– Remove tor & privoxy from startup (init when you need them)

update-rc.d -f tor remove
update-rc.d -f privoxy remove

– Start them up

service tor start
service privoxy start

– Check it's working – “proxychains <command>”

root@bt:~# netstat -antp | grep LISTEN
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      3569/privoxy
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      3562/tor

root@bt:~# curl -s icanhazip.com
101.171.255.232

root@bt:~# proxychains curl -s icanhazip.com
|S-chain|-<>-127.0.0.1:9050-<><>-174.132.254.58:80-<><>-OK
31.172.30.1

– Have fun, then shut them down when you are done

service privoxy stop
service tor stop

– There are many reasons you may not want IPv6 running on your machine (for example, if you were using tor & didn't want IPv6 traffic to go directly to a target instead of via your IPv4 SOCKS proxy)

root@bt:~# vi /etc/sysctl.conf

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

root@bt:~# sysctl -p
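An added example (my own code, not from the post) that checks the three things the setup above relies on: tor and privoxy bound to loopback only, the three disable_ipv6 sysctls reading 1, and the egress address seen through proxychains differing from the direct one. The parsing functions take captured text so they can be run against saved output; live_check() assumes root, net-tools netstat, curl and a reachable icanhazip.com.

```python
import re
import subprocess

# Local proxy sockets from the post: tor SOCKS and privoxy HTTP.
PROXIES = {"tor": "127.0.0.1:9050", "privoxy": "127.0.0.1:8118"}
# The three sysctls the post sets to disable IPv6.
IPV6_KNOBS = ("net.ipv6.conf.all.disable_ipv6",
              "net.ipv6.conf.default.disable_ipv6",
              "net.ipv6.conf.lo.disable_ipv6")


def listeners(netstat_text):
    """Map local socket -> program name for LISTEN rows of `netstat -antp` output."""
    out = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            out[f[3]] = f[6].split("/", 1)[-1]
    return out


def proxy_findings(netstat_text):
    """Both proxies must be up and bound to loopback only; anything wider is a finding."""
    ls = listeners(netstat_text)
    findings = [f"{name} not listening on {sock}"
                for name, sock in PROXIES.items() if sock not in ls]
    for sock, prog in ls.items():
        port = sock.rsplit(":", 1)[-1]
        if port in ("9050", "8118") and not sock.startswith(("127.0.0.1:", "::1:")):
            findings.append(f"{prog} exposed on {sock}")
    return findings


def sysctl_findings(sysctl_text):
    """Every disable_ipv6 knob must read 1 in `sysctl -a` style 'key = value' output."""
    vals = dict(re.findall(r"^(\S+)\s*=\s*(\S+)", sysctl_text, re.M))
    return [f"{k} = {vals.get(k, 'missing')}" for k in IPV6_KNOBS if vals.get(k) != "1"]


def egress_findings(direct_ip, proxied_ip):
    """The address the world sees via proxychains must exist and differ from the direct one."""
    if not proxied_ip:
        return ["no reply through proxychains"]
    if proxied_ip == direct_ip:
        return [f"traffic not proxied: egress is {direct_ip} both ways"]
    return []


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def live_check():
    """Collect real output and print findings; returns True when everything passes."""
    findings = proxy_findings(run(["netstat", "-antp"]))
    findings += sysctl_findings(run(["sysctl", "-a"]))
    direct = run(["curl", "-s4", "--max-time", "15", "icanhazip.com"]).strip()
    # proxychains may print its chain trace as well; the last stdout line is curl's answer.
    lines = run(["proxychains", "curl", "-s4", "--max-time", "60", "icanhazip.com"]).strip().splitlines()
    findings += egress_findings(direct, lines[-1] if lines else "")
    for f in findings:
        print("FAIL:", f)
    print("ok: tor path verified" if not findings else f"{len(findings)} problem(s)")
    return not findings


if __name__ == "__main__":
    live_check()
```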



Telstra3G USB in Linux

23 06 2012

Telstra 3G USB Dongles are good for connectivity on the go.

http://www.zte.com.au/telstra/MF626i.htm
https://wiki.ubuntu.com/AustralianTeam/Projects/WirelessBroadbandInformation

root@bt:~# lsusb | grep ZTE
Bus 001 Device 005: ID 19d2:0031 ONDA Communication S.p.A. ZTE MF110/MF636

root@bt:~# dmesg | grep ttyUSB
[ 2306.101269] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB0
[ 2306.101613] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB1
[ 2306.102140] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB2
[ 2306.102487] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB3
root@bt:~#

There is a hard way using wvdial etc – or an easy way. I chose the easy way – a great little script called sakis3g.

====================================

http://wiki.sakis3g.org/wiki/index.php?title=Sakis3G_script
http://www.sakis3g.org/#download

wget "http://www.sakis3g.org/versions/latest/i386/sakis3g.gz"
gunzip sakis3g.gz
chmod +x sakis3g
./sakis3g --interactive

====================================

root@bt:~/scripts# ./sakis3g connect USBINTERFACE="3" APN="telstra.internet"

root@bt:~/scripts# ./sakis3g connect info
MF626s connected to Telstra (50501).
Connection Information

Interface: P-t-P (ppp0)

Connected since: 2012-06-11 20:52
Kilobytes received: 376
Kilobytes sent: 57

Network ID: 50501
Operator name: Telstra
APN: telstra.internet

Modem: MF626s
Modem type: USB
Kernel driver: option
Device: /dev/ttyUSB2

IP Address: 10.192.124.71
Subnet Mask: 255.255.255.255
Peer IP Address: 10.64.64.64
Default route(s): 10.64.64.64
====================================

root@bt:~/scripts# ./sakis3g disconnect
Disconnected.





Do you want to be Certyfied Ethical Hacker ?

19 06 2012

This one caught my eye on LinkedIn ………. I guess “Free IT Security Training” doesn’t really have an advertising budget … but really ?? does this give you confidence in the course ?

I thought perhaps it was a posting by someone using one of the leaked passwords – but then it's actually linked to the same post on pentest magazine.

http://pentestmag.com/do-you-want-to-be-certyfied-ethical-hacker/





Raspberry Pi Console Server

16 06 2012

It occurred to me that the Raspberry Pi would make a great low cost, portable console server.

1. Plug in a USB -> Serial convertor & appropriate serial console cable to your device

http://www.jaycar.com.au/productView.asp?ID=XC4834

Check that it is detected

root@raspberrypi:~# dmesg

usb 1-1.2: new full speed USB device number 5 using dwc_otg
usb 1-1.2: New USB device found, idVendor=067b, idProduct=2303
usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1.2: Product: USB-Serial Controller D
usb 1-1.2: Manufacturer: Prolific Technology Inc.
usbcore: registered new interface driver usbserial
USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
usbserial: USB Serial Driver core
USB Serial support registered for pl2303
pl2303 1-1.2:1.0: pl2303 converter detected
usb 1-1.2: pl2303 converter now attached to ttyUSB0
usbcore: registered new interface driver pl2303
pl2303: Prolific PL2303 USB to serial adaptor driver

Install minicom to drive it

root@raspberrypi:~# apt-get install minicom

Hurrah – Portable console access 😀

root@raspberrypi:~# minicom -D /dev/ttyUSB0 -b 9600 -o
Welcome to minicom 2.4

OPTIONS: I18n
Compiled on Sep 7 2010, 01:26:06.
Port /dev/ttyUSB0

Press CTRL-A Z for help on special keys
FORTIBORDER login: admin
Password: ************
Welcome !

FORTIBORDER # get system status
Version: FortiWiFi-60CM v4.0,build0535,120511 (MR3 Patch 7)
Virus-DB: 15.00698(2012-06-15 03:29)
Extended DB: 14.00000(2011-08-24 17:09)
IPS-DB: 3.00201(2012-06-14 00:30)
FortiClient application signature package: 1.496(2012-06-08 08:51)
Serial-Number: FW60CM3GXXXXXXXX
BIOS version: 04000018
System Part-Number: P08962-03
Log hard disk: Available
Internal Switch mode: interface
Hostname: FORTIBORDER
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 535
Release Version Information: MR3 Patch 7
System time: Sat Jun 16 20:50:32 2012





My Raspberry Pi comes to life

16 06 2012

Like most of the rest of the world’s IT population, I got excited about the Pi & ordered one.

It has arrived & I have had a little bit of time to play with it & I am pretty impressed.

BUILD A CASE

The first thing to do was a case: I didn't want to short it out on anything & it just felt too fragile & vulnerable naked.

I printed this one (http://www.raspberrypi.org/phpBB3/viewtopic.php?f=40&t=6500) on some card (manila folder) & folded it up.

A larger selection can be found here: http://elinux.org/RPi_Cases

PREPARE A DISTRO

Next we need a Distro:

http://elinux.org/RaspberryPiBoardDistributions

For each image, just use dd in Linux. **Be careful – make sure you have the right device to write the image to. This would be the SD card, not your hard drive!!

dd if=.img of=/dev/sdb
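An added guard for the dd step, not from the post: it refuses a target that is not flagged removable in sysfs or that has a mounted filesystem, which is exactly the mistake the warning above is about. target_findings() works on file contents so it can be tested with constructed input; live_guard() reads the real /sys/block and /proc/mounts.

```python
import re
import sys


def target_findings(dev, removable_flag, mounts_text):
    """Reasons NOT to dd onto /dev/<dev>: not removable, or it (or a partition) is mounted.
    removable_flag is the content of /sys/block/<dev>/removable; mounts_text is /proc/mounts."""
    findings = []
    if removable_flag.strip() != "1":
        findings.append(f"/dev/{dev} is not flagged removable (is it really the SD card?)")
    # Whole disk or any partition of it: sdb, sdb1, mmcblk0p1 ...
    pat = re.compile(rf"^/dev/{re.escape(dev)}(p?\d+)?$")
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and pat.match(parts[0]):
            findings.append(f"{parts[0]} is mounted on {parts[1]}")
    return findings


def live_guard(dev):
    """Read the real sysfs flag and mount table; returns True when dd looks reasonable."""
    try:
        with open(f"/sys/block/{dev}/removable") as fh:
            flag = fh.read()
    except OSError:
        print(f"/dev/{dev}: no such whole-disk device")
        return False
    with open("/proc/mounts") as fh:
        mounts = fh.read()
    findings = target_findings(dev, flag, mounts)
    for f in findings:
        print("REFUSE:", f)
    return not findings


if __name__ == "__main__":
    dev = sys.argv[1] if len(sys.argv) > 1 else "sdb"
    if live_guard(dev):
        print(f"/dev/{dev} is a removable, unmounted device; safe to run dd if=<image>.img of=/dev/{dev}")
```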

I have been primarily playing with the Debian Squeeze distro

http://downloads.raspberrypi.org/images/debian/6/debian6-19-04-2012/debian6-19-04-2012.zip
User: pi / raspberry

Raspbian is based on Debian Wheezy, which is newer than Squeeze

http://www.raspbian.org/
User: root / raspbian

The developing Raspbmc (XBMC) looks very promising – I have watched a couple of movies with it, with no performance issues

http://wiki.xbmc.org/index.php?title=Raspbmc

http://www.raspbmc.com/2012/05/raspbmc-is-now-in-beta/

http://download.raspbmc.com/downloads/bin/ramdistribution/installer-testing.img.gz

Note: you need at least a 2GB SD card. Raspbmc will use the full size of your card.

**First boot needs internet (ethernet cable / DHCP) – the installer prepares the SD card, then Raspbmc is downloaded & set up at first boot.

TIME FOR POWER

The Pi runs on 5V, connected via Micro USB (http://elinux.org/RPi_Hardware_Basic_Setup#Power_Supply) – which can be supplied by pretty much any phone charger / USB port these days. The only recommendation provided by the vendor is to choose a supply that will provide 5V and ~700mA. They will apparently run “stable” on any voltage between 4.75 and 5.25 volts.

Many people have been using the iPhone / iPad chargers without any issues (me included). But as an experiment, I decided to see what they were putting out. The Pi has two test ports, TP1 & TP2 – these are to check the voltage being supplied to the board. There are mutterings about voltages under 5 volts producing unexpected behavior on some boards.

I found that my white iPhone/iPod power supply (rated @ 5V 1A) dropped to about 4.8V when the Pi is running with HDMI, SD card & USB WiFi dongle.

Apple (A1205) Drops to about 4.8V under load

My HTC charger (rated @ 5V 1A) performed about the same – around 4.8V under load

HTC (TC P300) Drops to around 4.8V under load

Another generic branded “Switching power supply” that was also rated @ 5V 1A showed the same voltage drop to around 4.8V under load.

Enter the Samsung Galaxy Tab 5V 2A charger, this bad boy kept me running at 5V under load.

Samsung (ETA-P10X) Keeps pushing 5V under load

The general consensus is that a 5V 1A phone charger should be fine, but if you are planning on plugging things into the USB port (WiFi / storage etc) then you would probably be best off getting a higher rated PSU. I am going to check out Jaycar for a regulated 5V 2A supply next. Your results may vary; I didn't experience any strange issues or performance problems when running off any of the listed PSUs – but possibly got more interface drops on the USB WiFi adapter (that's a subject for another blog post).

On the subject of power – having such a tiny / portable device is much more useful when you can take it with you away from a power point. From our local Aldi store, I picked up a “Tevion MPP 7400”. This is a portable 7400mAh Li-Po battery pack. This little guy has two USB ports on it & will apparently provide up to 2.1A on one, or 1A each with both in use. It's primarily aimed at charging a smartphone on the go, but it works beautifully as a portable power supply for the Pi. I have not tested how long it will keep the Pi running, but I was playing on it for several hours without the pack dropping an LED on the power meter.

Battery Pack – providing 4.78V under load – just within the allowable range – so far no problems, but we will see how it goes.

Well, that’s it for now, my Pi lives and breathes (as much as a piece of electronic equipment can) – time to try out some more distros & “projects” with it.





IPv6 Static Address on Ubuntu

27 04 2012
So – I have blogged about how to enable IPv6 on your firewall & set up your tunnel, and how to manually add addresses to an Ubuntu server, but what about the server you are sticking on the end of the tunnel permanently – you want it up every reboot.
I have an Ubuntu box sitting on 2001:470:489e::100. This hosts http://public6.blackundertone.com & also my mail host mail.blackundertone.com.
Most modern distros will have IPv6 enabled out of the box & will do their best to grab an address. I didn't want autoconfiguration to hand any old address (even with SLAAC using the MAC address) to this host – so I could properly set up inbound & outbound FW rules.
You can turn it off by entering the following in /etc/sysctl.conf & rebooting:
– Disable the autoconf / SLAAC capability for all interfaces

net.ipv6.conf.eth0.autoconf=0

– Ignore the RA messages from your router

net.ipv6.conf.eth0.accept_ra=0

If you just want to test it out – or don't want to reboot your machine:

sudo sysctl -w net.ipv6.conf.eth0.autoconf=0
sudo sysctl -w net.ipv6.conf.eth0.accept_ra=0

–BEFORE with autoconfigured Global IPv6 address–
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:10.0.1.100  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: 2001:470:489e:0:250:56ff:fea1:70d1/64 Scope:Global
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:56 errors:0 dropped:12 overruns:0 frame:0
          TX packets:47 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6219 (6.2 KB)  TX bytes:7140 (7.1 KB)
–AFTER only link-local address remains–
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:10.0.1.100  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:254 errors:0 dropped:12 overruns:0 frame:0
          TX packets:237 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24646 (24.6 KB)  TX bytes:33280 (33.2 KB)
Now – it's simply another couple of lines in your /etc/network/interfaces file & a quick network restart:
iface eth0 inet6 static
        address 2001:470:489e::100
        netmask 64
        gateway 2001:470:489e::1
and your shiny new STATIC ASSIGNED IPv6 address is active
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:10.0.1.100  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          inet6 addr: 2001:470:489e::100/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:806 errors:0 dropped:116 overruns:0 frame:0
          TX packets:716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:71814 (71.8 KB)  TX bytes:110482 (110.4 KB)
Apache & Postfix should already listen on any IPv6 addresses – so simply restart the services.
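An added check, not from the post, that confirms SLAAC is really off and the static address is the only global one: it derives the modified EUI-64 interface identifier from the interface MAC (the 250:56ff:fea1:70d1 tail in the BEFORE output above) and flags any global address still carrying it. The fixtures are excerpts of the ifconfig output above; live_check() assumes net-tools ifconfig is installed.

```python
import ipaddress
import re
import subprocess

# Excerpts of the post's own ifconfig output, used as offline fixtures.
IFCONFIG_BEFORE = """eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet6 addr: 2001:470:489e:0:250:56ff:fea1:70d1/64 Scope:Global
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
"""
IFCONFIG_STATIC = """eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          inet6 addr: 2001:470:489e::100/64 Scope:Global
"""


def eui64_iid(mac):
    """Modified EUI-64 interface identifier a SLAAC host derives from its MAC (RFC 4291 App. A)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:50:56:a1:70:d1")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def parse_ifconfig(text):
    """Return (mac, [global IPv6 interfaces]) from ifconfig output for one interface."""
    m = re.search(r"HWaddr ([0-9a-f:]{17})", text, re.I)
    if not m:
        raise ValueError("no HWaddr line in ifconfig output")
    addrs = re.findall(r"inet6 addr: ([0-9a-f:]+/\d+) Scope:Global", text, re.I)
    return m.group(1), [ipaddress.IPv6Interface(a) for a in addrs]


def check_static(text, expected):
    """ok when `expected` is the only global address and no EUI-64 (SLAAC) address lingers."""
    want = ipaddress.IPv6Interface(expected)
    mac, addrs = parse_ifconfig(text)
    iid = eui64_iid(mac)
    findings = []
    for a in addrs:
        if a == want:
            continue
        if (int(a.ip) & ((1 << 64) - 1)) == iid:
            findings.append(f"SLAAC address derived from {mac} still present: {a}")
        else:
            findings.append(f"unexpected global address: {a}")
    if want not in addrs:
        findings.append(f"static address {want} not configured")
    return not findings, findings


def live_check(iface, expected):
    """Run ifconfig on the real host (assumes net-tools is installed)."""
    out = subprocess.run(["ifconfig", iface], capture_output=True, text=True).stdout
    return check_static(out, expected)


if __name__ == "__main__":
    for label, text in (("before", IFCONFIG_BEFORE), ("static", IFCONFIG_STATIC)):
        print(label, check_static(text, "2001:470:489e::100/64"))
```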




FortiGate IPv6 using tunnelbroker.net

22 04 2012
My previous IPv6 network was configured with Astaro – recently I have switched vendor to Fortinet (partly troubleshooting, partly cause I could). Using one of their FortiGate FWs, it's been “fun” getting all the functions working that I had on the Astaro – one that was a bit more complex was the IPv6 config. It was pretty much point & click GUI driven on the Astaro; it's a lot more CLI driven on the FortiGate.
I'm using PPPoE without a static IP – so when my IPv4 ISP connection changes address, it will take out my IPv6 tunnel – I will try to work out how this needs to be fixed later.

First step is to enable IPv6 in the GUI – most of the tunnel config is going to be done on the CLI, but with the GUI enabled, you can at least manage the addresses / policies easily.
config system global
  set gui-ipv6 enable
end

Configure the tunnel – if you are using he.net (tunnelbroker.net), there is a shortcut you can take.
View your Tunnel Details on their admin page, make sure you set the correct “Client IPv4 Address” to match your current PPPoE or other connection. Then click on the tab called “Example Configurations”, which allows you to simply select your OS & it populates the changes needed with the correct IP addresses. In this case, FortiGate 4.x:
config system sit-tunnel
    edit "HE"
        set destination 64.62.134.130
        set ip6 2001:470:66:288::2/64
        set source 121.216.247.8
    next
end
config router static6
    edit 1
        set device "HE"
    next
end
Once you have pasted that into the CLI on the FG, check the tunnel comes up & finish the config

Ping from the Fortigate to the tunnel broker

Fortigate # execute ping6 2001:470:66:288::1
PING 2001:470:66:288::1(2001:470:66:288::1) 56 data bytes
64 bytes from 2001:470:66:288::1: icmp_seq=1 ttl=64 time=159 ms
64 bytes from 2001:470:66:288::1: icmp_seq=2 ttl=64 time=158 ms
64 bytes from 2001:470:66:288::1: icmp_seq=3 ttl=64 time=157 ms
64 bytes from 2001:470:66:288::1: icmp_seq=4 ttl=64 time=158 ms
64 bytes from 2001:470:66:288::1: icmp_seq=5 ttl=64 time=158 ms

--- 2001:470:66:288::1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4042ms
rtt min/avg/max/mdev = 157.156/158.424/159.138/0.802 ms
Fortigate #

Configure IPv6 on one of your FW interfaces (in this case, my port3 (DMZ) interface):
config system interface
    edit port3
        config ipv6
            set ip6-address 2001:470:489e::1/64
            set ip6-allowaccess ping
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:470:489e::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                    set preferred-life-time 3600
                next
            end
            set ip6-send-adv enable
        end
    next
end
**NOTE: “set ip6-send-adv enable” enables router advertisements on that segment – so any hosts configured with stateless autoconfiguration (most recent OSes) will pick up an address.

Create a FW policy to allow ping traffic to & from your network for testing:
config firewall address6
    edit "DMZ_v6"
        set ip6 2001:470:489e::/64
    next
end
config firewall policy6
    edit 1
        set srcintf port3
        set dstintf HE
        set srcaddr "DMZ_v6"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING6"
        set logtraffic enable
    next
    edit 2
        set srcintf HE
        set dstintf port3
        set srcaddr "all"
        set dstaddr "DMZ_v6"
        set action accept
        set schedule "always"
        set service "PING6"
        set logtraffic enable
    next
end

Ping from another host or one of the many test websites

To the Firewall DMZ Interface
PING 2001:470:489e::1: 56 data bytes
64 bytes from 2001:470:489e::1: icmp_seq=0. time=339. ms
64 bytes from 2001:470:489e::1: icmp_seq=1. time=336. ms
64 bytes from 2001:470:489e::1: icmp_seq=2. time=335. ms
64 bytes from 2001:470:489e::1: icmp_seq=3. time=334. ms
64 bytes from 2001:470:489e::1: icmp_seq=4. time=334. ms
—-2001:470:489e::1 PING Statistics—-
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 334./336./339./2.2

To another host on my DMZ (public6.blackundertone.com)
PING public6.blackundertone.com: 56 data bytes
64 bytes from mail.blackundertone.com (2001:470:489e::100): icmp_seq=0. time=354. ms
64 bytes from mail.blackundertone.com (2001:470:489e::100): icmp_seq=1. time=332. ms
64 bytes from mail.blackundertone.com (2001:470:489e::100): icmp_seq=2. time=333. ms
64 bytes from mail.blackundertone.com (2001:470:489e::100): icmp_seq=3. time=334. ms
64 bytes from mail.blackundertone.com (2001:470:489e::100): icmp_seq=4. time=334. ms
—-public6.blackundertone.com PING Statistics—-
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 332./337./354./9.5

From a host on my DMZ out to an IPv6 Internet site
C:\Users\ash>ping ipv6.google.com
Pinging ipv6.l.google.com [2001:4860:4001:801::1010] with 32 bytes of data:
Reply from 2001:4860:4001:801::1010: time=160ms
Reply from 2001:4860:4001:801::1010: time=160ms
Reply from 2001:4860:4001:801::1010: time=160ms
Reply from 2001:4860:4001:801::1010: time=159ms
Ping statistics for 2001:4860:4001:801::1010:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 159ms, Maximum = 160ms, Average = 159ms
C:\Users\ash>

Configure some FW policies to allow your internal hosts to browse the IPv6 internet (HTTP/HTTPS/PING6/DNS). You can now use the GUI on the FortiGate to configure your new IPv6 FW rules, just remember to use the “IPv6 Policy” menu, not the standard “Policy” page – as that is your IPv4 traffic.

A note on IPv6 DNS & the FortiGate
After some mucking around & frustration, it was clear that the FortiGate was not advertising DNS to stateless autoconfiguration clients. This meant that I had to configure the IPv6 DNS server manually – hardly a great solution (you can use the one from HE).
I found another couple of config items that seem to fix the issue (I added these to my config above):
    set ip6-manage-flag enable
    set ip6-other-flag enable
Documentation from Fortinet on this is not great, so I don't know the full impact of these, but it seems to do what I want, as long as your IPv4 DNS server is the FortiGate.
As you can see, I only have an IPv4 nameserver (The FortiGate), but both IPv4 & IPv6 DNS entries are happily being resolved.
ash@public:~$ dig aaaa ipv6.google.com
; <<>> DiG 9.7.3 <<>> aaaa ipv6.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25610
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ipv6.google.com.               IN      AAAA
;; ANSWER SECTION:
ipv6.google.com.        13160   IN      CNAME   ipv6.l.google.com.
ipv6.l.google.com.      273     IN      AAAA    2001:4860:4001:801::1013
;; Query time: 7 msec
;; SERVER: 10.0.1.254#53(10.0.1.254)
;; WHEN: Sun Apr 22 14:59:40 2012
;; MSG SIZE  rcvd: 82
ash@public:~$ cat /etc/resolv.conf
nameserver 10.0.1.254
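As an added example (my own code, not from the post or from Fortinet), here is what those flags amount to on the wire: a builder and parser for an ICMPv6 Router Advertisement (RFC 4861) carrying a Prefix Information option and, optionally, an RDNSS option (RFC 8106). The M bit (ip6-manage-flag), O bit (ip6-other-flag) and the A/L prefix flags from the port3 config above are decoded to show what a SLAAC client is told; the packet is built in memory, so no checksum or raw socket is involved, and the RDNSS address is a constructed documentation-prefix value.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type
OPT_PREFIX_INFO = 3      # RFC 4861 section 4.6.2
OPT_RDNSS = 25           # RFC 8106 section 5.1
FLAG_M, FLAG_O = 0x80, 0x40   # RA header: Managed / Other-config flags
PIO_L, PIO_A = 0x80, 0x40     # prefix option: on-link / autonomous flags


def build_ra(managed, other, prefix, preferred, valid, dns=()):
    """Construct the ICMPv6 payload of an RA (checksum left 0; it needs the IPv6 pseudo-header)."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, PIO_L | PIO_A,
                      valid, preferred, 0, net.network_address.packed)
    rdnss = b""
    if dns:   # option length is in 8-octet units: 8-byte header + 16 per address
        rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 3600)
        rdnss += b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return hdr + pio + rdnss


def parse_ra(pkt):
    """Decode header flags, Prefix Information and RDNSS options; reject malformed options."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack("!BH", pkt[5:8])
    ra = {"managed": bool(flags & FLAG_M), "other": bool(flags & FLAG_O),
          "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: packet must be discarded
        body = pkt[off:off + 8 * olen]
        if len(body) < 8 * olen:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, pref = struct.unpack("!BBII", body[2:12])
            net = ipaddress.IPv6Network((body[16:32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "onlink": bool(pflags & PIO_L),
                                   "autonomous": bool(pflags & PIO_A),
                                   "valid": valid, "preferred": pref})
        elif otype == OPT_RDNSS and olen >= 3:
            for i in range(8, 8 * olen, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += 8 * olen
    return ra


def client_view(ra):
    """What a stateless host takes from the RA: SLAAC prefixes, and where DNS should come from."""
    return {"slaac_prefixes": [p["prefix"] for p in ra["prefixes"] if p["autonomous"]],
            "dhcpv6_for_addresses": ra["managed"],
            "dhcpv6_for_other_config": ra["other"],
            "dns_in_ra": ra["rdnss"]}


if __name__ == "__main__":
    # Mirrors the port3 config above; 2001:db8::53 is a constructed documentation address.
    pkt = build_ra(True, True, "2001:470:489e::/64", 3600, 2592000, dns=("2001:db8::53",))
    print(client_view(parse_ra(pkt)))
```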
Once you are done, visit somewhere like http://ipv6-test.com/ to check your workstation is using IPv6

Resources Used:
and the usual www.google.com