What is hacking and what is network engineering? We’re not sure where exactly to draw the lines, but [Artem]’s writeup of pivoting is distinctly written from the (paid) hacker’s perspective.
Once you’re inside a network, the question is what to do next. “Pivoting” is how you get from where you are currently to where you want to be, or even just find out what’s available. And that means using all of the networking tricks available. These aren’t just useful for breaking into other people’s networks, though. We’ve used half of these tools at one time or another just running things at home. The other half? Getting to know them would make a rainy-day project.
Is there anything that
socat can’t do? Maybe not, but there are other tools (
Rpivot) that will let you do it easier. You know how clients behind a NAT firewall can reach out, but can’t be reached from outside?
ssh -D will forward a port to the inside of the network. Need to get data out? There’s the old standby
iodine to route arbitrary data over DNS queries, but [Artem] says
dnscat2 works without root permissions. (And this code does the same on an ESP8266.)
Once you’ve set up proxies inside, the tremendously useful
proxychains will let you tunnel whatever you’d like across them. Python’s
pty shell makes things easier to use, and
tsh will get you a small shell on the inside, complete with file-transfer capabilities.
Again, this writeup is geared toward the pen-testing professional, but you might find any one of these tools useful in your own home network. We used to stream MP3s from home to work with some (ab)use of
ssh. We keep our home IoT devices inside our own network, and launching reverse-proxies lets us check up on things from far away without permanently leaving the doors open. One hacker’s encrypted tunnel is another man’s VPN. Once you know the tools, you’ll find plenty of uses for them. What’s your favorite?
Thanks [nootrope] for the indirect tip!
[KC Budd] wanted to make a car-tracking GPS unit, and he wanted it to be able to phone home. Adding in a GSM phone with a data plan would be too easy (and more expensive), so he opted for the hacker’s way: tunneling the data over DNS queries every time the device found an open WiFi hotspot. The result is a device that sends very little data, and sends it sporadically, but gets the messages out.
This system isn’t going to be reliable — you’re at the mercy of the open WiFi spots that are in the area. This certainly falls into an ethical grey zone, but there’s very little harm done. He’s sending a 16-byte payload, plus the DNS call overhead. It’s not like he’s downloading animated GIFs of cats playing keyboards or something. We’d be stoked to provide this service to even hundreds of devices per hour, for instance.
If you’re new here, the idea of tunneling data over DNS requests is as old as the hills, or older, and we’ve even covered this hack before in different clothes. But what [KC] adds to the mix is a one-stop code shop on his GitHub and a GPS application.
Why don’t we see this being applied more in your projects? Or are you all tunneling data over DNS and just won’t admit it in public? You can post anonymously in the comments!
The gist of the idea is to suspend an underwater tunnel from floating pontoons. By the time you finished reading that sentence, you probably already had a list of things in your head that seem to make this a terrible idea. After all, it does seem to combine the worst aspects of both underwater tunnels and bridges. But, the idea may actually be a good one, and it’s already being seriously considered in Norway.
Continue reading “It’s Not a Bridge, and Not a Tunnel. Or, Maybe it’s Both?”
With another hacker conference looming in front of us, it’s time to start thinking about hardware security. Hacker conventions have the most hostile network you’ll ever encounter. [Security4all] points out that 25C3 already has an extensive page on securing your hardware. It starts from the ground up with physical security, BIOS passwords, and locking down bootloaders. There’s a section on securing your actual OS and session. Finally, they cover network usage. It mentions using SSH for dynamic forwarding, which we feel is a skill everyone should have. We’ve used it not just for security, but for bypassing brainless bandwidth restrictions too. There’s also the more trick transparent version. Every piece of data you bring with you, you risk losing, so they actually recommend just wiping your iPhone and other devices before attending. It’s important to remember that it’s not just your own data at risk, but everyone/thing you communicate with as well.
ISPs have recently become very aggressive towards their customers. They’ve been blocking or altering traffic to prevent you from using specific programs or protocols. Google’s Senior Policy Director recently stated that they’re developing tools to allow people to detect ISP interference. A couple other groups have been building tools as well: The Network Neutrality Squad just released the second beta of their Network Measurement Agent. The tool currently detects spoofed packets by monitoring the round trip time of the connection; early reset packets will have lower than average RTT. If you want to go more in depth, the EFF has published a guide for using Wireshark to do the detection. We’ve even heard rumors of people building tools to tunnel a session inside of one that looks completely different.