Sextortion – Blackmail and You

Aaron Security November 9, 2018November 9, 2018 0 Comment

One of my favorite malware scanners, MalwareBytes has published a really good article on “Sextortion and You”.

TLDR; If you get an email claiming they have xxx pics of you via your webcam or other media, they probably don’t. They may send you photos that you have made publicly available on Facebook or some other social media. They may also have some confidential information on you like an old password. More than likely some service you have used in the past was compromised and old data is available on the dark web.

Don’t fall for the blackmail scam!

Testing SNI Enabled Servers with cURL

Aaron Application Delivery, Troubleshooting August 27, 2018August 28, 2018 2 Comments

Curl is the “go to” tool for many application delivery engineers. The ability to easily send test payloads and see HTTP response headers quickly and easily makes this tool indispensable when troubleshooting or learning application delivery controllers.

When testing something like host headers on apache web servers, one often will include an HTTP host header with something like:

curl -H "Content-Type: application/json" -H "X-Auth: abc1234567890" -H "Host: www.foo.com" https://192.168.1.111

While the host header has long been an important piece of the equation, it is not sufficient for testing SNI enabled servers.

Server Name Indication (SNI), as you probably know, allows us to stretch the IPv4 space even further by allowing a site with a single IP address to serve up a number distinct and separate SSL certificates. In days of old, one would need a distinct IP address for each SSL certificated site or use Subject Alternate Names with a single IP address. From a hosting providers point of view, the latter option was unappealing as a provider might host two competitors and they would be served from the same SSL certificate. So while SAN does have some good use cases, it is often unsuitable depending on the business case involved and some other drawbacks that I will not get into here.

So SNI is rapidly becoming the defacto standard for implementing multiple SSL certificated sites using a minimal number of IPv4 addresses. We need a way to test them.

Case in point. I was troubleshooting health checks failing from a Microsoft ADFS front end system recently.

curl --header 'Host: adfs.mysite.com' https://192.168.1.100

The behavior from the server was to fail on the SSL handshake. Hmmmm. Strange. However, on the Windows device, when modifying the local hosts file and pointing adfs.mysite.com to 192.168.1.100 and trying this in a web browser, the site worked!

This is SNI in action. In this particular case, the ADFS site was not set up to serve a default certificate in the case that an SNI request was not presented. This meant that when a request came in with an invalid or missing SNI request, there was no default certificate to present to the client and we essentially had a web server that had no certificate bound to the service. As a result, any attempt at an SSL handshake would fail after the CLIENT HELLO.

So, we have seen that using the HOST header does not satisfy the SNI requirement. Not to fear, curl does have a solution for this. There is an option that is used if you want to test a host without the need to modify your DNS or host file.

--resolve [DOMAIN]:[PORT]:[IP]

The resolve option adds some interesting flexibility to our CURL testing.

You don’t need to edit your hosts file to resolve and use the domain name in your curl tests
You can use an alternate port for your HTTP request without putting the port in the URL
You can use the FQDN rather than just an IP address in your URL (Hint: SNI)

Let’s see how this changes our testing of the ADFS server:

curl --header 'Host: adfs.mysite.com' https://192.168.1.100
  curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.1.100:443

Here, we see the server basically tell us “there is no SSL certificate paired to the SNI name of ‘192.168.1.100’ “. Again, SNI is ignoring the host header, because the host header only gets sent as part of the HTTP call AFTER the SSL session has been established. Therefore, the host header is useless for SNI as during the SSL handshake, the server needs to determine WHICH ssl certificate to use to set up the session.

Instead, SNI is using the FQDN presented in the URL. This is a client behavior and is inserted into the SSL CLIENT HELLO payload as seen in the following screen shot from a Wireshark capture that I did of a curl request to my site.

curl https://www.hacksbrain.com

When making a curl request without an FQDN in the URL, the SNI extension is not sent as part of the CLIENT HELLO.

So, if the FQDN to the SNI enabled site resolves to a public IP address and one needs to test that site with curl from within the environment using the local IP address, one would need to edit the local hosts file to point that FQDN to the local IP address rather than let DNS resolve the FQDN to the public IP address. This can cause some problems with other parts of the application or a user might not have the needed permissions to edit the local host file.

Let’s see how the –resolve option changes this for us.

curl -k -I --resolve adfs.mysite.com:443:192.168.1.100 https://adfs.mysite.com/
HTTP/1.1 404 Not Found
Content-Length: 315
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 26 Aug 2018 21:19:24 GMT
Connection: close

Ah! This is a much different response than “OpenSSL SSL_connect: SSL_ERROR_SYSCALL”. The presence of an HTTP 404 response indicates that the SSL session was properly setup and that the HTTP request was sent through the SSL tunnel and an HTTP response was received from the SNI enabled web site.

So, add this handy curl option to your toolbox

--resolve fqdn:port:ipaddress

Because if you have not yet come across an SNI enabled server that you need to troubleshoot, rest assured, you will in the future!

FAA Certified Drone Pilot!

Aaron Drones, Photography & Film August 24, 2018August 24, 2018 0 Comment

Woodlawn Lake, San Antonio Texas by Aaron Hackney

Getting my FAA Part 107 certification (commonly called a “drone license” Ya, it’s not a license…) so that I can shoot video and stills and have my images and footage used commercially has been something on my radar for quite sometime! The requirements for becoming a pilot are listed here on the FAA website and can be a little daunting if you have never taken a federal certification exam.

In their Hey.film podcast, Griffin Hammond mentioned that he found the folks over at https://remotepilot101.com to have a good video training series. Since Griffin and Nick (also fellow ISU alumni) have not steered me wrong yet, I decided to give it a whirl (pun intended). I burned through the training very fast and I was impressed with remotepilot101’s instructor Jason Schappert’s teaching style and “straight to the point” methodologies. I would highly encourage anyone who is looking to certify in a short amount of time to sign up with him and tell them that I sent you. A side benefit is that the tuition is good for refresher sessions for when you have to re-certify 24 months after receiving your certificate.

How I went about studying for this was very similar to how I prepare for my professional certification exams in the Cyber Security and IT world. I followed the coursework to it’s completion and then tested my readiness using practice exams. When I missed a question on my practice exams, I would research the topic to ensure I understood the intent of the question forwards and backwards. This methodology has always been surefire for me in my career world and in my amateur radio FCC exams (K9HQ, Amateur Extra).

I walked into the exam very prepared and scored a 93%. And to be sure, my score was not due to my memorizing any of the test. Almost every concept on the exam was well covered in Jason’s video sessions.

I am now awaiting my FAA issued temporary certificate so that I can now take advantage of the new privileges available to me, like not being held to the “Notify the airport and air traffic control tower prior to flying within 5 miles of an airport” rule.

Most importantly, I feel like i walked away from the study course better equipped to fly in a SAFE manner that will not put any other aircraft at risk or cause any unnecessary dangers to others.

DRAW.IO – Finally a Suitable Visio Replacement

Aaron Networking, Operating Systems August 3, 2018August 3, 2018 2 Comments

Since completely moving to Mac platforms about 10 years ago, I have been searching for a suitable replacement for Microsoft Visio, the Microsoft acquisition that has been the tech industry standard for network and systems drawings. Read more

Troubleshooting Tricks for Orbi Networks

Aaron Networking, Operating Systems July 30, 2018July 31, 2018networking, orbi, routing, troubleshooting 0 Comment

I love a good troubleshooting challenge. But damn, this one had me stumped until I could pull back the covers of my Orbi system to discover the root cause.

Background:

I have a vmWare ESXi hypervisor in my home lab. The ESXi system is trunked up to a Ubiquiti router that is handling inter-vlan routing and has my Orbi base station set as the default gateway.

TLS 1.3 Ramifications

Aaron Networking, Security July 25, 2018July 31, 2018 1 Comment

TLS is DEAD! Long Live TLS!

As most of you are probably aware, TLS 1.3 (draft 28) was recently accepted by the Internet Engineering Task Force (IETF) as an official standard.

What ramifications will TLS 1.3 have on tried and true network operations like URL filtering or passively load balancing to specific servers based on hostname? Read more

Firepower FlexConfig – A Practical Example

Aaron DevOps, Networking July 24, 2018July 24, 2018 0 Comment

Managing Your Firepower Appliance

If you are running a Firepower NGFW appliance from Cisco, you have two options to manage the device:

Firepower Device Manager (FDM) – An on-box GUI and set of APIs to directly control a Firepower appliance.
Firepower Management Center (FMC) – A management station used to control a collection of Firepower appliances and collect, correlate, and report on events generated by the Firepower appliance.

(At least today) These two options to manage your Firepower appliance are mutually exclusive; you can use one or the other. This article is focused on using the FlexConfig feature in FDM. Read more

FTDv on VMware Error [SOLVED]

Aaron DevOps, Networking July 2, 2018July 24, 2018cisco, networking, security, virtualization 0 Comment

Problem

Upon a fresh install of FTDv (6.2.3) on VMWare ESXi, the FTD console reports the following error over and over and over:

Jul  2 15:22:58 ciscoasa init: Id "ftd1" respawning too fast: disabled for 5 minutes

Script an ASDM Session Part II

Aaron DevOps, Networking July 2, 2018July 20, 2018cisco, networking, security, virtualization 0 Comment

Happy July 2nd!

I have posted a new blog entry on the Cisco communities page. This is a continuation of my previous post “Script an ASDM Session Part I“. In part I, we examined how ASDM interacts with and controls the ASA. In part II, we dig into some sample code where we make programatic calls to the ASA masquerading as an ASDM client. Read more

← Previous

February 2019
M	T	W	T	F	S	S
« Nov
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28