Tuesday, September 15, 2020

TT-RSS scrollbars

I like the night theme in TT-RSS. However, the scrollbars are very thin, and attempting to use them is exceedingly annoying. This is easily rectified.

The file to edit is tt-rss/themes/night.css. There are two entries that modify the width of the various scrollbars. Search for "scrollbar" and look for "width". The default width is 4px. Set it to something between 8 and 12 pixels, then refresh the web page.

Sunday, June 21, 2020

Demo-ing Dhaval Kapil's icmptunnel in Docker

A recent NCL competition included a challenge that frustrated a number of participants, one that dealt with extraction of data from a PCAP containing ICMP tunneling traffic (i.e., the PCAP file was provided, and the goal was to extract the data to acquire the flag).

The local community college has a Cyber Club, which typically meets on Friday nights. Membership is made up of current ITN students and alumni. With the recent school closures and quarantines, the in-person meetings were cancelled. However, the "die hards" decided to move the meetings online, using Discord's voice and screen sharing capabilities. (We were already using Discord as a message server.)

There was enough frustration with the NCL challenge that four of us (from the group) attacked the problem in two parts: 1) Create an architecture in which our own PCAPs could be generated, and 2) write tools or processes that can extract/un-tunnel the data from the captured ICMP packets.

Solving problem #1 took a couple of weeks, mostly due to selection of the ICMP tunnel software. There are three variants on GitHub. We selected Dhaval Kapil's icmptunnel utility (link below). Being the most stubborn in the group, I was the first to complete part 1. The configuration is easy, once you realize that English is probably not the author's first language (i.e., there are logic errors in the documentation).

I used Docker and OpenVSwitch to create the architecture (image below). To keep things simple (some people have no Docker or OpenVSwitch experience), I automated as much as possible (links much below), so that users would only need to run a couple scripts to create the architecture (one to build/pull images, another to deploy the containers and network).

The architecture simulates a network architecture where a client resides behind a firewall, which blocks "normal" traffic but allows ICMP echo requests and echo replies through the firewall. A "proxy" serves as the ICMP tunnel endpoint, which decapsulates the IP traffic from the ICMP traffic and forwards it on to the target web server.

Two others used VMs to simulate their architectures, using the same tunnel software. They were hung up on the same logic errors that had stumped my efforts. They were able to fix their architectures by looking at the Docker-based scripts.

This past Friday (yesterday), two of the others demo'd their tools (scripts) to extract content from ICMP PCAP files, produced by connecting a Wireshark sniffer into the architecture (my code includes the Wireshark container with a web interface, from LinuxServer (link below)).

One Club member (DgtlCwby) has created a very tightly written Bash script, which controls tshark and walks through the process of extracting the data. It works, producing an output identical to the graphic pulled from the web server.

Another student produced a Python/Scapy script which also works. He expressed some concerns about the code, having built it from a number of online articles, and wanted to improve it. This turned out to be a deep rabbit hole into which the four of us fell, making suggestions for at least two hours past the normal "end" time. They were still tweaking the script when I bailed to join another call.

DgtlCwby has given me permission to generate an article based on his script, explaining each step, which is what I'll be doing in the coming days (we're all learning as we go).
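As an added example (not DgtlCwby's Bash script or the Scapy script from the meeting), here is a dependency-free Python extractor for the part-2 problem: it walks a libpcap file, pulls the payload of every ICMP echo request/reply, and then parses that payload again as the encapsulated IP packet, which is how icmptunnel frames traffic. The capture is constructed inline, and the inner TCP header is omitted from the sample; both are assumptions of the example.

```python
import struct

def parse_ipv4(buf):
    """Return (proto, src, dst, payload) for an IPv4 packet, or None."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl, total = (buf[0] & 0x0F) * 4, struct.unpack("!H", buf[2:4])[0]
    dotted = lambda b: ".".join(str(x) for x in b)
    return buf[9], dotted(buf[12:16]), dotted(buf[16:20]), buf[ihl:total]

def icmp_echo_payloads(pcap):
    """Yield (icmp_type, payload) for each ICMP echo in a libpcap file (Ethernet link type)."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ip = parse_ipv4(frame[14:]) if frame[12:14] == b"\x08\x00" else None
        if ip and ip[0] == 1 and len(ip[3]) >= 8 and ip[3][0] in (0, 8):   # ICMP echo req/reply
            yield ip[3][0], ip[3][8:]           # checksums are not verified

def untunnel(pcap):
    """icmptunnel puts a whole IP packet in each echo payload: parse it again."""
    out = []
    for icmp_type, payload in icmp_echo_payloads(pcap):
        ip = parse_ipv4(payload)
        if ip:   # (direction, inner_src, inner_dst, inner_payload)
            out.append(("request" if icmp_type == 8 else "reply", ip[1], ip[2], ip[3]))
    return out
# Constructed sample capture (no real tunnel session); the inner TCP header is
# omitted to keep the sample short, so the inner payload is the bare HTTP data.
def _ipv4(src, dst, proto, payload):
    addr = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def _echo_frame(src, dst, icmp_type, inner):
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + inner
    return b"\x00" * 12 + b"\x08\x00" + _ipv4(src, dst, 1, icmp)

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap([
    _echo_frame("192.168.1.10", "203.0.113.5", 8,
                _ipv4("10.0.0.2", "10.0.0.1", 6, b"GET /flag.txt HTTP/1.0\r\n\r\n")),
    _echo_frame("203.0.113.5", "192.168.1.10", 0,
                _ipv4("10.0.0.1", "10.0.0.2", 6, b"flag{constructed_sample}")),
])
```

Running untunnel() over a real capture from the architecture gives one entry per tunneled IP packet; concatenating the reply payloads for a single inner connection reproduces what the web server sent.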


Wednesday, January 1, 2020

Today's project (setting up a knockd lab for CTF training) isn't improving my opinion of Ubuntu packaging much. This isn't the first time in the past week that I've run across munged packages and old code.

The scenario for the lab is that rubber hose cryptography was employed against an evil hacker and produced the following:

  • the hacker's handle
  • his workstation password
  • a sequence of numbers: 2222, 3333, 4444
  • and that an encryption key will be available on a certain port

The student will be tasked with finding the hidden server in the hacker's private network, figuring out how to open the port on the server, and obtaining the key from the open port. The unstated facts include that only nmap and netcat are available on the hacker's workstation.

In the first 30 minutes, I was able to design a Docker container that runs supervisord, knockd, socat, and an internal (to the container) instance of iptables. In the subsequent hour, I tried various things to get knockd to properly run the close-port command. Even the configuration examples provided by the original authors didn't work. The "iptables -D" commands would work on the command line but not when called by knockd.

To make the story short, if you're using the Ubuntu knockd package, the close command will need to be wrapped in "bash -c 'the command'" before it'll work properly. I've added "patching" to my to-do list but it's near the bottom (won't be any time soon). At the top of the list is adding this instance to the OVS architecture, which resides behind a Guacamole instance, and adding a dynamic flag calculation for use in CTFd.
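The lab configuration described above, as an added knockd.conf sketch (not the author's actual file): the knock sequence is the one from the scenario, while the interface name, the key port 31337 and the 30-second auto-close are assumptions. It shows the close command both as first written and in the bash -c form the post found necessary with the Ubuntu package.

```ini
[options]
    UseSyslog
    # assumption: the container's interface name
    interface = eth0

[keyPort]
    sequence      = 2222,3333,4444
    seq_timeout   = 10
    tcpflags      = syn
    # port 31337 is a constructed placeholder for "a certain port"
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 31337 -j ACCEPT
    cmd_timeout   = 30
    # As first written, the close command was never applied by the Ubuntu package:
    #stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 31337 -j ACCEPT
    # Wrapped in bash -c, it runs as expected:
    stop_command  = bash -c '/sbin/iptables -D INPUT -s %IP% -p tcp --dport 31337 -j ACCEPT'
```

After the student's knock, the ACCEPT rule exists for only cmd_timeout seconds, so "iptables -L INPUT" before and after the timeout is a quick check that both commands actually ran.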

Saturday, December 28, 2019


Spent a good portion of the morning playing with xpra on Ubuntu 18.04. Initially, I didn't like it much, as Ubuntu's prepackaged binary is crap (it lacks the HTML5 portion of the larger code base). After switching to the hosted repos, I was able to get it to execute. However, in the long run, it wasn't what I was seeking.

Thursday, December 5, 2019

What was I reading in November 2019

Another busy month. Worked on setting up easily deployable private architectures for students, using Docker, OVS, and some scripting. Mixed in some Guacamole and a touch of image mapping, and we have our first lab for the firewall class. Also spent the last of the 2018 Christmas money on classes (I'm now backlogged for 15 classes).


- Pwn2Own Tokyo 2019 - Day One Results
- Rage Against the Maschine - a discussion on reverse engineering of a specific piece of hardware
- Isolating the logic of an encrypted protocol with LIEF and kaitai - more reverse engineering
- Feature walk-through for the XAMN v4.4 forensics tool


- OpenAI has published the text-generating AI it said was too dangerous to share - Someone believes their own hype a bit too much, I think...
- Bypassing GitHub's OAuth flow
- One man's junk
- GitRoyalty - WTF?! If you drop opensource behind a paywall, it's not opensource anymore! This is dumb.
- Rethinking the inotify API as an offensive helper


- File Signatures - a must-have!
- CTF Resources - a work-in-progress


- We reduced our Docker images by 60% with no-install-recommends
- 5 Practical Examples of the dd Command in Linux - I revisited this while learning more about using binwalk to extract hidden files from other files.
- Extracting Kerberos Credentials from PCAP


- The Early History of Usenet, Part II: The Technological Setting
- Configuring Ansible
- Don't Blame the Internet for New Slang


- A Clever Way To Find Compiler Bugs


- AlphaStar: Grandmaster level in StarCraft II using multi-agent reinforcement learning
- Destroying x86_64 instruction decoders with differential fuzzing
- whitequark/unfork


- Study: There may be no such thing as objective reality - A bit too much on theory and philosophy. A discussion, where an experiment (e.g., Schrodinger’s Cat) relies too heavily on dependencies and/or limitations on the experiment. Most everyone can tell you if the cat is alive just by listening or picking up the box. Short version: a scientist's version of navel-gazing.

Above was generated by a homegrown bolt-on script for Wallabag, which is a free utility for capturing web content so that it can be read later.

Saturday, November 30, 2019

Moloch's network authentication

Looks like it's time to switch to "tech writer" for a few days. Finally figured out why Moloch (think web version of Wireshark) wasn't accepting the network authentication. Moloch is a very nice tool (especially for teaching environments) but the install docs are a bit short.

The "hidden detail" was in how the reverse proxy mangles specific header variables (what goes into the proxy config isn't what is delivered to Moloch). Had to write a variable dump script before that was noticeable.

In any case, TC4 IDS students now have a very nice way to view captured packets.

Wednesday, November 27, 2019

Fixing Moloch's Hunt function for anonymous users

For those working with Moloch in single-user (anonymous) mode (where the passwordSecret line in config.ini is commented out), you may have noticed that the "Hunt" option doesn't work out-of-the box. Moloch will complain about the anonymous user not existing.

The fix is the obvious work-around (i.e., create the anonymous user). This can be accomplished from the command line, via:

/data/moloch/bin/moloch_add_user.sh anonymous "anonymous" PaSsW0rD

You'll never need to log in as the anonymous user so make the password difficult and don't re-use the password from one of your other accounts.