Skip to content

Posts tagged ‘proxy’

11
Oct

WebKnock.org: An fwknop SPA web-interface

Vasilis Mavroudis has launched WebKnock.org, a web-based front end to the fwknop (Single Packet Authorization) client. It does not yet seem to support the full suite of fwknop features, but the WebKnock site allows you to send basic auth packets to your fwknop server in order to open firewall ports. This can definitely come in handy if you need access to a port on your server, and don’t have the fwknop client handy on the computer, Android or iPhone (coming soon).

Note that although WebKnock uses SSL to protect the HTTP session, you are required to supply your fwknop password. If logged or intercepted, your knock details could be used to open firewall ports or even run commands on your server (depending on how you’ve configured fwknop). While WebKnock may be useful in a bind, from a purely security standpoint I don’t recommend using it regularly due to this risk. If you do use it, you should consider changing your fwknop passphrase.

I hope that WebKnock is eventually open-sourced to allow both for the code to be reviewed, and for people to host their own instance of WebKnock. It would also be nice to see more fwknop features being added, including the ability to define a username, and open multiple ports at once (eg. by entering: tcp/22 udp/53 tcp/80). The ‘Allow IP’ field should also get pre-populated with the visitor’s IP address for convenience.

Source: Cipherdyne

27
Sep

CloudFlare Adds IPv6 Proxy Functionality

CloudFlare’s newly announced IPv6 support brings much more than just the ability to provide their caching and security features to IPv6-based websites. A few weeks ago CloudFlare co-founder Matthew Prince cryptically announced that they were working on a new groundbreaking feature. Whilst IPv6 is a great addition, IPv6 support alone is not what makes this new feature as cool as it is.

The main issue with IPv6 today is not the fact that ISP’s haven’t made the switch yet – this will be a fairly simple process – but rather that most websites themselves don’t yet support IPv6. This is one of the main reasons why ISPs don’t want to go full IPv6 – most content would be inaccessible to their customers. What CloudFlare have done is to make all current IPv4 CloudFlare-enabled sites accessible to IPv6-only clients, even if those websites don’t have IPv6 addresses. Because CloudFlare acts as a proxy, they simply add their own IPv6 address to the DNS of CloudFlare-enabled sites, allowing them to receive requests for those sites. Now all they have to do is serve up exactly the same cached content, and for everything else, proxy the request over onto IPv4. To make things even better, it works both ways, allowing IPv4-only clients to access IPv6-only websites, and vice-versa.

CloudFlare allows you can choose between two options: Full Mode which will enable IPv6 on all subdomains that are CloudFlare-enabled, or Safe Mode which will automatically create specific IPv6-only subdomains (e.g. www.ipv6.yoursite.com). You do not need to change any of your DNS settings. After it is up and running, you can test your IPv6 compatibility and get a badge for your site (mine’s at the bottom of the page).

I was able to take part in CloudFlare’s beta for this new feature and it works great. As you can see from the Security Generation host information below, on top of CloudFlare’s two IPv4 IPs, they’ve now added two IPv6 IPs.

securitygeneration.com has address 173.245.60.99
securitygeneration.com has address 199.27.135.32
securitygeneration.com has IPv6 address 2400:cb00:2048:1::adf5:3c63
securitygeneration.com has IPv6 address 2400:cb00:2048:1::c71b:8720

The IPv6 transition can now go ahead… Security Generation will be available when we get there ;)

As of today all CloudFlare members can now enable IPv6 support on the Settings page for the relevant domain(s). To enable ‘Automatic IPv6′ on your site, log in to CloudFlare.com > My websites > Settings (pull down menu) > CloudFlare Settings > Automatic IPv6: On.

Hit the jump to see CloudFlare’s funky new IPv6 infographic.

Read moreRead more

24
Nov

Intercepting Print Jobs with prn-2-me

Don’t let the name fool you, prn-2-me is pronounced “print-to-me”, and not “pr0n-to-me”. I was disappointed too… but not for long!

prn-2-me is a man-in-the-middle python script from Chris John Riley that creates a custom listener (on port 9100 by default) and acts like a printer. Its purpose is to handle incoming PCL and PostScript print jobs, save a copy on your computer, and then forward them on to the actual printer. With a bit of arpspoofing magic, you or an attacker could intercept the print jobs of an entire office.

Click to enlarge

In theory, this tool could be expanded to allow you to also modify print files before they are sent on to the actual printer. An attacker could substitute specific prints with his own to do all kinds of wonderful and damaging things. Maybe a bit of automagic image editing in python could overlay an image on every file before forwarding it to the printer? Hilarity ensues. (Chris note the feature request)

Chris says he’s planning on integrating this into Metasploit. I’m going to hold him to that!

Download: prn2me.py

css.php
WordPress Blog
WordPress Themes