Sunday, January 25, 2015

DNS reverse proxy

I have a server with a single IPv4 and I want to run two DNS servers:
  • one to serve zones like - if you recall, I like PowerDNS;
  • another one for tunneling - I like dns2tcp (TCP level), another good one is iodine (IP level).
Problem: I looked a bit but none of the DNS server software I've seen support forwarding queries that aren't for them to another server. Basically what I need is a reverse proxy that looks at the DNS query, and route it based on the name. It's the same as an HTTP reverse proxy that looks at the Host field to proxy the request to another server. I tried to hack with resolvers and stub/forward zones but it didn't work.

So I made my own dns-reverse-proxy in just a few lines of Go, using a fully featured DNS library. It's running smoothly, if you have the same need feel free to use it!

Monday, October 13, 2014

Tiny ELF 32/64 with nasm

Sometimes I need to create a tiny ELF with some assembly code, because I'm restricted in size or just don't like the bloated binary produced by gcc and the linker. The classic reference about this is A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux. I often use their nasm listing as a template.

I was working with 64bit code the other day and realized there's no 64bit version of it, so here's one.

Saturday, January 04, 2014

IDA on Debian amd64 with python

Are you the lucky owner of an IDA Pro linux license? Since I had errors last time I set it up, here is a quick brain dump on setting up IDA Pro 6.5 on Debian sid with IDA python 2.7. It may even work for Ubuntu.

Wednesday, June 19, 2013

Defcon 21 quals - blackbox write-up

It was DEFCON 21 quals last week-end, with new organizers. It went well, good organization and good challenges. If you're curious about the results, here is a fancy top15 graph. Apparently it was too easy for PPP who finished all of the challenges... insane! :)

There were 5 categories:
  • 3dub: web-based challenges
  • 0x41414141: exploitation
  • \xff\xe4\xcc: shellcode
  • OMGACM: guerilla programming
  • gnireenigne: reverse engineering
I liked the exploitation ones with ARM under Linux/FreeBSD. Reverse was nice, shellcoding interesting but some painful, web was way too easy and OMGACM just annoying.
If you want to have a look, @JonathanSalwan saved some of the binaries on his repo.

Tuesday, June 04, 2013

Golang heap corruption during garbage collection

I've been playing with Go recently, it's an interesting programming language (I recommend the tour).

It is compiled, garbage-collected and memory safe.. as long as you don't find a bug in the runtime. Alex Reece (@awreece) from PPP recently blogged about a nice vulnerability, I found it interesting and started following more of the changes.

This one looked fun: runtime: fix heap corruption during GC (#5554), let's try to exploit it. The bug was not present in Go 1.0.3, present in Go 1.1 but will be fixed in Go 1.1.1 (to be released next week).

Friday, January 18, 2013

TOR relay and transparent routing

I assume you already know about TOR, The Onion Router for anonymity to protect your privacy.

TOR is a network so it can only work if there are nodes (relays). If you have a server, you can run one so consider it. Afraid of legal issues? You do not need to run an exit node, a relay is just fine: everything is encrypted.

This post will show you how easy it is to set up a TOR relay on Debian, how to nicely monitor it and how to use it as a transparent router.

Monday, May 14, 2012

USB rescue and secure boot disk

I think it's always good to carry a rescue operating system, like Ultimate Boot CD for Linux or UBCD for Windows. Personally I like Grml, debian-based, 32/64 bits and it can be installed on USB.

Booting from CD/USB is as simple as embedding syslinux, a kernel, an initrd and give it a filesystem. The filesystem can be stored on the CD/USB (usually as a squashfs file), but you can also point to a local filesystem. This way, you can have a fully encrypted local disk and boot (kernel+initrd) from CD/USB. And good news, this is not specific to Linux! If you use TrueCrypt on Windows, you can chain syslinux to grub4dos and boot from your TrueCrypt Rescue Disk ISO file.

Since TrueCrypt does not use the TPM (unlike BitLocker) and Linux solutions (e.g. TrustedGrub) are not yet ready, this simple workaround allows you to protect against tampering of the non-encrypted disk portions (mbr, /boot), because this part of the boot chain is on the USB key.

This post will describe how to set up a USB disk with grml32/64, grub4dos for TrueCrypt Rescue Disks, a Linux /boot and how to add other live CDs.

Monday, April 09, 2012

YubiText and 3-factor password authentication

As I said in the last post, I obtained YubiKey USB tokens and started to play with it. One of the programs I made is YubiText, it allows to input text when a YubiKey is plugged. For instance, one can use it as a way to type a password. This post will describe how it works and how I use it to have something I call 3-factor password authentication.

Thursday, April 05, 2012

YubiKey USB security token

I recently obtained YubiKeys from Yubico. It's a USB hardware token able to act as a keyboard device to input characters (a HID) and also has a little button. It supports different modes:
  • Yubico OTP Mode: Yubico implementation + server
  • OATH-HOTP Mode: standard HOTP as per RFC 4226
  • Static Password Mode: output the same static string
  • Challenge Response Mode: no HID, software challenges the token and gets a response

Monday, April 02, 2012

PPTP VPN and policy routing on user

The first part of this post describes how to use PPTP VPN on Linux, in command-line and not GUI. The second part, actually independent of VPN, describes how to set up policy routing for a user, in order to have all traffic from that user to go through a specific interface (e.g. the VPN interface).