I want to drop/block SSL packets between two machines (linux).
I can see the packets using ethereal and use iproute command (linux) to drop these packets.
Is this possible? If yes, what should I use with the iproute command?
Thanks.
You can't identify SSL packets at all by their contents, except for the first one in each direction. You could do it via the port number, as long as no form of START TLS was in use in the protocol, so it wouldn't work for SMTP, LDAP, etc. Otherwise you would have to follow entire TCP streams that start with a ClientHello.
Why do you want to do this?
Related
I am interested in observing how Telegram Messenger works. therefore I captured the first few packets of connection between an android Telegram client and Telegram servers via Wireshark software. The thing is, although there's no handshake to establish a SSL connection, since the port #443 is being used on the server side, the contents of the packets (which must be using TCP, according to Telegram FAQs) are unintelligible. The point is there's no SSL going on here, but since the port 443 is used Wireshark assumes that it's an SSL packet, and based on that assumption puts the TCP data into SSL data field. I read somewhere that they use a BLOB filter but I do not know how accurate that hypothesis is.
I don't know if there's any righteous conversion. I would appreciate any comment.
Hex and ascii dump of ssl data field
I'd like to use a server between two machines (with no static IP). The only IP known to me is the server's IP address. I'd like to build/use a system that listens to 2 different ports within the server and whatever is received from localhost:portA is sent to localhost:portB and vise versa. Consequently, both machines (with java apps) can communicate through the server in the middle.
Please what is the best solution to do this. I'm working on linux system and I thought of using an SSH java API (hudson / ganymed-ssh-2) to build a port forwarding server application.
Some issue:
1) determining the size of the data transmitted to buffer read or not to forward it to the other port.
2)The speed of reading/writing bytes.
If you can use ssh protocol you can tunnel local or remote ports (this need support on server side). You can also think about an OpenSSH VPN (take a look on ssh -w option, this will create a real VPN (TUN/TAP device is required). ).
You can use the the ssh program. Take a look at the -L and -R options specifically.
I'm participating in a computer security competition this weekend and I'm trying to make a script that will block an IP address for 5 minutes if I get port scanned. So I decided I could use NCAT and have it execute a iptables script if someone tries to connect to a port I am listening to. The problem is, I don't know how to get the IP address of the client that is connecting. Is this possible to do?
I don't want to use honeypots because they can be detected by many scanners, and any custom scripts I have, I have to write when I'm in the competition room. Can anyone help me out with this?
Thanks
Most portscans won't do a full tcp handshake, they will run a syn scan. So netcat would never recieve a connection. I recommend psad. On debian systems you can get it with:
aptitude install psad
Also, such a question should be asked at https://security.stackexchange.com/
I have observed a different behaviour between netcat and telnet when connecting to the public route server bgp-view.tvnetwork.hu and issuing the command show ip bgp.
Using Telnet the output (which is normally some tens of thousands lines long) is truncated and in order to view it all you have to press space or enter to continue (like the man pages). When I connect with netcat it just starts dumping all the output and after the first few hundred lines it hangs. Even if I state explicitly that I want to pause after the first 100 lines using the command terminal length 100 netcat doesn't change behaviour.
Do you have any idea why this happens and how it can be resolved?
My OS is ubuntu 10.4 and the route server runs Quagga (version 0.99.5). With other type of routers (cisco or juniper) that problem doesn't appear.
Thank you.
ps. I wanted to tag the question as route-server but I cannot create new tags :(
EDIT:
The problem is that netcat doesn't negotiate window size (see my answer bellow). Netcat's -t parameter is used to negotiate telnet options but it replies with negations (DON'T or WON'T) so the question is how to make netcat to negotiate telnet options. Maybe I'll post a new question for this matter.
I found a similar discrepancy with SSH 1.5, on juniper routers. When I was implementing a network topology tool, I had to use two different SSH libraries in Java to get things to work. I never completely diagnosed the problem, but it looked like there was an issue with how one of my libraries was handshaking, as opposed to how the ssh server on the router was expecting things to be done. For this case, my connections were just being dropped. I had to use four libraries to support three protocols : telnet, ssh 1.5 and ssh 2.0.
I would not be surprised at all if this is a router specific issue. Unfortunately, I don't have any useful suggestions for you other than to try a different library or program to accomplish your goals. If you feel like troubleshooting the actual issue, you could watch the packets go through.
Thanks,
-Brian-
OK, mystery solved with wireshark.
The problem was the negotiation of telnet options.
The server requests from the telnet client "Do Negotiate About Window Size" but the client wasn't negotiating and even with the -t option netcat replies "Won't Negotiate About Window Size".
I created a java telnet client with the apache commons library to negotiate about the window size using the WindowSizeOptionHandler() constructor and it works fine. Now I just have to find how to do it with netcat.
All,
It is possible to use IIS (or similar) to handle the ssl side of https communications. Is there something similar that can handle the ssl side of a TCP/IP message?
Basically I have a client device sending a non-http message over a TCP connection and want a server that can handle the crypto and certificate side of SSL for me and forward the plain text on to another server.
The openSSL s_server command seems correct but the documentation states "It's intended for testing purposes only" while I need something robust. Is the documentation out of date?
Thanks,
Patrick
You are after the stunnel program:
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.
I don't think the documentation is out of date. "For testing purposes only" is their release from liability.
It sounds like you want an SSL tunnel. You could setup a tunnel to the SSL server, send the packets through the tunnel, and then have that server forward the result on. There are lots of tutorials on using SSH to setup tunnels over SSL.