Monday, April 28, 2008

SSH Tunneling

This is a quick blog post to let my mate Ollie know about a few ways that I use SSH and how it is useful.

Firstly, an SSH client connects to an SSH server, logs in with either a password or certificate and communicates over an encrypted tunnel. The beauty of SSH is that it is also easy to carry other types of traffic, such as HTTP or VNC, over that same encrypted tunnel. This is useful for the following:

> Secure Administration of a remote server.
> Secure File transfer.
> Securing web traffic over a non-secure wired or wireless network.
> Bypassing of restrictions and filtering imposed on the local network.


> Privoxy
> Screen


At home I have installed SSH on a server and started the service (/etc/init.d/ssh start) listening on port 22 for SSH traffic. I have set up port forwarding on my firewall to allow traffic to reach the server on this port. Usually I will use a non-standard port, but for the sake of an easy explanation I'll leave it at port 22.

On that server I have also installed privoxy (apt-get install privoxy) and started it (/etc/init.d/privoxy start). By default, Privoxy binds to , and I have also installed Screen. Screen is a program that allows you to have multiple terminal sessions open at once and leave them running after disconnecting from the SSH server.

Connecting To The Server

From my client I connect to the server by using the following command:

ssh synjunkie@ssh_server_ipaddress

After logging in I can issue commands as if I'm sitting at the server. After connecting I would start Screen by issuing the `screen` command. If I wanted to reconnect to a previous Screen session I would use `screen -r`.

You navigate through Screen by issuing commands through key-bindings. A few of the ones I find most useful are:

Ctrl+a c new window
Ctrl+a n next window
Ctrl+a p previous window
Ctrl+a " select window from list
Ctrl+a A set window title
Ctrl+a ? show key bindings/command names
Ctrl+a d detach screen from terminal

Screen is great because you can leave a scan going in one session, IRC in another and, say, a traffic capture in another.

Tunneling Traffic

As well as connecting to the server, I might want to tunnel some traffic over SSH to my home server and then back out.

For this I would issue the following command on my client and log in:

ssh -NL 8118:localhost:8118 synjunkie@ssh_server_ipaddress

After setting up the tunnel I would go into the proxy settings on my browser and point them to localhost port 8118.
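As an added example (not part of the original post), here is a small script that wraps the local forward above: it binds the forwarded port to the loopback address only, so the proxy is not reachable by anyone else on the wired or wireless network the client is sitting on, makes ssh fail loudly if the forward cannot be set up, and confirms the local listener is up before the browser is pointed at it. It assumes a local `nc` for the port check; the user and server names are the placeholders from the post.

```shell
#!/bin/sh
# Added example: bring up the Privoxy forward from the post, bound to the
# loopback interface only, and confirm the local listener before use.
# Assumes "nc" is installed locally for the port check.
set -eu

# Return 0 if $1 is a usable TCP port number (1-65535).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command for a local forward. Binding to 127.0.0.1 keeps the
# forwarded port off the LAN/wifi; ExitOnForwardFailure makes ssh exit
# instead of silently running without the tunnel.
build_tunnel_cmd() {
    local_port=$1 remote_host=$2 remote_port=$3 user=$4 server=$5
    valid_port "$local_port" && valid_port "$remote_port" || return 1
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$local_port" "$remote_host" "$remote_port" "$user" "$server"
}

# Wait up to $2 seconds for something to listen on 127.0.0.1:$1.
wait_for_listener() {
    port=$1 tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        nc -z 127.0.0.1 "$port" 2>/dev/null && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Usage: ./tunnel.sh synjunkie ssh_server_ipaddress
if [ "${1:-}" ] && [ "${2:-}" ]; then
    cmd=$(build_tunnel_cmd 8118 localhost 8118 "$1" "$2")
    echo "running: $cmd"
    eval "$cmd"
    wait_for_listener 8118 10 || { echo "tunnel did not come up" >&2; exit 1; }
    echo "proxy ready: set the browser proxy to 127.0.0.1 port 8118"
fi
```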

I hope this illustrates a couple of good uses for SSH.

Tuesday, April 8, 2008

Data Recovery

Recently I was playing around with some old hard disks that I had formatted, and I found that it was really easy to recover data from them even though the files had been deleted and the disks had been formatted.

The purpose of this post is to list methods of retrieving data and give a few tips on preventing data recovery if you are throwing away or selling a computer or disk.

Firstly, when a file is deleted it is still on the disk. All that has happened is that you have removed the pointer to it. When a disk is formatted, all you have done is remove all the pointers. It's kind of like having a book and ripping out the index. The pages are still there, but you don't know how to get to anything.

Data Recovery

A couple of the tools I have been playing with are Foremost and PhotoRec. PhotoRec is available on Windows or Linux and I have found it to be quite good; however, Foremost is what I have had most luck with.

Foremost will restore many types of files such as doc, jpg, zip, mpg and many more. Its usage is simple too. I simply point it at a disk or an image file and tell it to extract either everything or just a particular file type to a location.

foremost -v -o /home/syn/dump -t doc /dev/sdc

In the command above I have told foremost to use an output directory of /home/syn/dump and search for any doc files on device /dev/sdc (note: /dev/sdc is a hard disk connected by USB in this case). If I had left off the -t switch it would have looked for everything.

Data Deletion

After seeing how easy it was to retrieve deleted items I set about figuring out simple ways to prevent it.

I found that by overwriting the disk I could not get anything out of it using the tools I had. A simple way of overwriting a disk that was totally blank was by using dd with the command below:

dd if=/dev/zero of=/dev/sdc conv=notrunc

Or the same using dcfldd, but with dcfldd I got a progress bar.

But what about wiping the free space on a disk that already had data or an OS on it? Well, for that I used Truecrypt. I simply defragged the drive, filled the free space with one huge Truecrypt file and then deleted it.

After re-running foremost and photorec I was unable to retrieve files that were retrievable before.
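To show why the overwrite works, here is an added example (not from the original post) that reproduces the dd wipe on a throwaway image file instead of /dev/sdc and then verifies the result the same way one would check a real device: a "deleted" record is planted in a constructed image, confirmed to be recoverable from the raw bytes (which is all a carver like foremost relies on), and then shown to be gone with no non-zero bytes left after the wipe.

```shell
#!/bin/sh
# Added example: the post's dd wipe run against a constructed image file,
# followed by the two checks one would run on a real disk afterwards.
set -eu

# Number of bytes in $1 that are not 0x00; a zero-filled device returns 0.
# The trailing tr strips the padding that BSD wc prints.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Return 0 if the literal string $2 can still be found in the raw bytes of $1.
still_present() {
    grep -a -q -F -- "$2" "$1"
}

# Overwrite $1 with zeros, as the post does with /dev/sdc. conv=notrunc keeps
# the image at its original size instead of truncating it to zero length.
wipe_image() {
    size=$(wc -c < "$1" | tr -d ' ')
    dd if=/dev/zero of="$1" bs="$size" count=1 conv=notrunc 2>/dev/null
}

# Build a constructed 32 KiB "disk": random filler with a recognisable
# record planted in the middle, standing in for a deleted document.
make_demo_image() {
    dd if=/dev/urandom of="$1" bs=512 count=64 2>/dev/null
    printf 'SECRET-DOC: account 12345678\n' |
        dd of="$1" bs=1 seek=10240 conv=notrunc 2>/dev/null
}

run_demo() {
    img=$(mktemp)
    make_demo_image "$img"
    still_present "$img" "SECRET-DOC" && echo "before wipe: record recoverable"
    wipe_image "$img"
    still_present "$img" "SECRET-DOC" || echo "after wipe: record gone"
    echo "non-zero bytes left: $(nonzero_bytes "$img")"
    rm -f "$img"
}

run_demo
```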

Hope this helps someone.


More Secure Web Browsing

Recently I had a conversation with my Dad about some things that can be done to be more secure whilst web browsing. I explained to him that a common attack vector is the web browser and that a lot of the risk can be mitigated by using a browser other than Internet Explorer and by turning off scripting by default.

The purpose of this post is to give my Dad instruction on where to get and how to install the browser I recommend and which add-ons might help keep him more secure.

Before I begin, it would be useful to point out something which I think is as applicable here as it is within the realm of network monitoring: Prevention Always Fails. At some point you will get owned, because your information or your computing resources (think botnet) are worth something to somebody else. You can implement as many safeguards as you want, but the fact is the Internet is a dangerous place, and although these safeguards will raise the bar and might stop many attacks from succeeding, eventually something will fail. When it does, the next action you need to take is detection. Now, it's very difficult to know when your preventative measures have failed, so my advice would be to assume they already have. Making this assumption, I would then start using detection tools, monitoring bank statements and credit card statements, looking at traffic leaving your network, etc.

Anyway, now to raising the bar and becoming more secure online.

The Web Browser

Firstly, I recommend using Firefox. Firefox is an open source browser that is fast and lightweight. Yes, there have been vulnerabilities in Firefox, but these have been patched quickly and Firefox updates itself automatically.

To download Firefox I recommend Googling "Mozilla Firefox" and downloading it directly from the Mozilla site. Once downloaded, simply install it using the default options.

The Add-ons

Once installed, you will want to add a couple of add-ons. Add-ons are little programs that add extra functionality to Firefox. They are simple to install and there are hundreds of them freely available. One word of warning though: as there are so many add-ons it is really easy to go over the top and install a whole load of them, and some add-ons may make your system less secure, so just install what you need and research them first.

The add-ons I recommend are:

  • NoScript
This turns off scripting by default and allows you to enable it selectively for trusted sites. Once a vulnerability is found in a computer, an attacker will often try to exploit it by embedding code in a website to take advantage of that vulnerability and compromise your computer. Often the victim will be totally unaware that this has happened. As is most often the case, everything that is done on the computer from that point on can be captured and silently sent back to the attacker. Think banking, think PayPal, think Amazon!!!

After installing NoScript, all scripting will be off. This does break some pages and they will not display properly. If this is the case, right-click the NoScript icon in the bottom right corner of your browser and select the option to temporarily allow scripting for the site you are on. The NoScript icon at the bottom of the screen changes depending on the settings you have selected. It's a good idea to enable and disable a few sites and make a mental note of how the icon changes.

  • Customize Google
This add-on allows you to remove Google ads and force your browser to always use Gmail over HTTPS. Check out the preferences in the add-on window or on the Tools menu.

  • Formfox
This add-on tells you, when you fill out a form, where that information is really going. If you hold your cursor over a button before you submit a form, a pop-up window will tell you where the form is going to be sent. Try it with a Google search!

To install new add-ons, or to enable or disable them once you are in Firefox, click on the Tools menu and then select Add-ons. From here you can choose whether to enable or disable an add-on and adjust any settings for it, or you can click the "Get Extensions" link to be taken to the site where you can download new add-ons. Once an add-on is installed, Firefox may prompt you to restart the browser.

You can also install Themes to change the look and feel of Firefox, or install plugins if they are missing, such as Flash, Adobe Acrobat Reader, etc.

This blog post only touches on what Firefox can do. It is very extensible and feature-packed. I don't know anyone who has gone back to Internet Explorer after using Firefox.

The one thing I will say is that a very few websites don't work well with Firefox; for example, my bank's doesn't. So I use IE for that site only and do 99% of my browsing through Firefox with scripting off.

Hope this Helps.


01-05-08 - One last tip, but a really important one. As most browsers use tabs these days, they let you log into one site and then open a new tab and log into another. This is really bad practice, as a site in one tab can run code that performs actions on the site in the other tab. So if you do banking or email, remember to log out and close the tab before you do other stuff.