2023-05-10 Repetitive SSH attempts are still on
I noticed in 2016 that putting services like ssh on a different port does not change much in the attacks and the last few days I noticed this is true as ever. I use fail2ban for sshd and other services that are prone to brute-force attempts. I've been using influxdb and grafana to visualize measurements and I use telegraf to gather a lot of system data. I recently enabled gathering fail2ban statistics and it's interesting to see the numbers of blocked addresses is very similar for the sshd on port 22 and the sshd on port 2022. It's not exactly the same number and interestingly not the same attackers but the numbers are within 5%. And yes the numbers are high enough to make the output of fail2ban-client status sshd several screenfulls of IP addresses.
2023-04-17 Refreshed my PGP key
My PGP key expired, but I reset the expiry date. I do this so I have to actively update the key every few years. Should I ever lose access to the private key, it will go away by itself. But this also means I have to ask the users of my key to refresh it by hand because the simple refresh doesn't "see" the update (even though this adds new signatures to the key). So please use the command to receive my key:
$ gpg --keyserver pgp.surf.nl --receive-keys 0x5BA9368BE6F334E4This updates the expiry date(s) and the uids. If you have my key and it looks expired and/or still has an old e-mail address with kzdoos in it please do this now. Complete data at pgp.surf.nl: Search results for '0x5BA9368BE6F334E4' where you can see all the details including the revoked bits. Those revoked bits won't show up in normal use.
My PGP key expired, but I reset the expiry date. I do this so I have to
actively update the key every few years. Should I ever lose access to the
private key, it will go away by itself.
But this also means I have to ask the users of my key to refresh it by hand
because the simple refresh doesn't "see" the update (even though this adds
new signatures to the key).
So please use the command to receive my key:
2023-04-14 Teaching courier-imapd-ssl to use up-to-date encryption
Read the rest of Teaching courier-imapd-ssl to use up-to-date encryptionA discussion on irc about how hard it is to set TLS options in some programs made me recall I still wanted courier-imap-ssl to give me the right SSL settings (Only TLS 1.2 and 1.3, and no weak algorithms). This has bothered me for a while but I couldn't find the right answers. Most documentation assumes courier-imap-ssl is compiled with OpenSSL. In Debian/Ubuntu/Devuan it is compiled with GnuTLS. Searching this time found me Bug #1808649 “TLS_CIPHER_LIST and TLS_PROTOCOL Ignored” : Bugs : courier package : Ubuntu which points at debian-server-tools/mail/courier-check at master · szepeviktor/debian-server-tools · GitHub which lists the right parameter TLS_PRIORITY. And that page has usable answers for up to TLS v1.2, with some reading of the output of gnutls-cli --list I can imagine TLS v1.3 settings. So with a minor adjustment to the given example to allow for TLS v1.3 I set this in /etc/courier/imapd-ssl:
##NAME: TLS_PRIORITY:0 # # GnuTLS setting only # # Set TLS protocol priority settings (GnuTLS only) # # DEFAULT: NORMAL:-CTYPE-OPENPGP # # This setting is also used to select the available ciphers. # # The actual list of available ciphers depend on the options GnuTLS was # compiled against. The possible ciphers are: # # AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL # # Also, the following aliases: # # HIGH -- all ciphers that use more than a 128 bit key size # MEDIUM -- all ciphers that use a 128 bit key size # LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher # is not included # ALL -- all ciphers except the NULL cipher # # See GnuTLS documentation, gnutls_priority_init(3) for additional # documentation. TLS_PRIORITY="NONE:+CHACHA20-POLY1305:+AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-ECDSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+COMP-NULL:+VERS-TLS1.2:+VERS-TLS1.3:+SIGN-ALL:+CURVE-SECP521R1:+CURVE-SECP384R1:+CURVE-SECP256R1:+CTYPE-X509"And now things are good! All green in sslscan:SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0 disabled TLSv1.1 disabled TLSv1.2 enabled TLSv1.3 enabled TLS Fallback SCSV: Server supports TLS Fallback SCSV TLS renegotiation: Session renegotiation not supported TLS Compression: Compression disabled Heartbleed: TLSv1.3 not vulnerable to heartbleed TLSv1.2 not vulnerable to heartbleed Supported Server Cipher(s): Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve P-256 DHE 256 Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve P-256 DHE 256 Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve P-256 DHE 256 Preferred TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA256 Curve P-256 DHE 256 Server Key Exchange Group(s): TLSv1.3 128 bits secp256r1 (NIST P-256) TLSv1.3 192 bits secp384r1 (NIST P-384) TLSv1.3 260 bits secp521r1 (NIST P-521) TLSv1.2 128 bits secp256r1 (NIST P-256) TLSv1.2 192 bits secp384r1 (NIST P-384) TLSv1.2 260 bits secp521r1 (NIST P-521) SSL Certificate: Signature Algorithm: sha256WithRSAEncryption ECC Curve Name: secp384r1 ECC Key Strength: 192
A discussion on irc about how hard it is to set TLS options in some programs
made me recall I still wanted courier-imap-ssl to give me the right
SSL settings (Only TLS 1.2 and 1.3, and no weak algorithms). This has bothered
me for a while but I couldn't find the right answers. Most documentation
assumes courier-imap-ssl is compiled with OpenSSL. In Debian/Ubuntu/Devuan it
is compiled with GnuTLS.
Searching this time found me 2023-03-31 Trying to get into a Genexis Platinum-4410 router
I have been given a Genexis Platinum-4410 router with the reasoning that I like to play with embedded systems and test the security. Well, that is what I did.Read the rest of Trying to get into a Genexis Platinum-4410 routerHow far did I get
I have serial console, I have extracted filesystem images, and I can't get a shell on the router.The device
It's a router with 4+1 ethernet ports, wifi, two ports for analog telephones and a USB interface.Looking at it from the network
In this specific instance the 4 ethernet ports which are logically the 'inside' don't give me a link after the router has booted up. The 1 port which would be the 'outside' or 'WAN' port gives a link and acts as a DHCP client. The next step was to connect to the wifi network and play with the web interface. This like a custom web interface. Default credentials which match what is on the sticker on the underside of the router. The router doesn't have a telnet server listening for 'easy' access.Opening the case
Next step was to open the case and investigate the mainboard. Chips seen on the mainboard: Mindspeed J83100G System on a Chip (SoC), MXIC MX29GL256FHT2I-90Q flash memory, 2* Etrontech EM68B16CWQD-25H 512 mbit DRAM, Si32260-FM1 dual channel FXS (voip) chip and other electronics. The mainboard has lots of test points, but no clear UART interface. There is an edge connector which looks like a PCI Express connector but it isn't. I asked help about this: What is this connector, does it include UART on a Genexis Platinum-4410 ? : hardwarehacking because r/hardwarehacking on reddit has helped me before. This edge connector turned out the 'place to be' and with the standard tricks for finding the UART I soon had an idea. But nothing to stick a dupont wire on and no PCI express or cardedge breakout cable/board available. So I had to solder wires to the right lanes on the connector. I had permission to damage the router, so that was ok. Soldering within half a millimeter was really hard! This was the first time I actually used my soldering iron for hardware hacking. And a magnifying glass to actually see what I was soldering.
2023-03-05 An unrequested web vulnerability scan from Microsoft IPv4 space
It seems it is also possible to cause something in Microsoft IPv4 space to do a scan for web vulnerabilities. It's starting to become part of a pattern here! Noticed in the logs:20.220.235.164 - - [05/Mar/2023:15:05:57 +0100] "GET / HTTP/1.1" 200 39297 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" 20.220.235.164 - - [05/Mar/2023:15:05:59 +0100] "HEAD /api.zip HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" 20.220.235.164 - - [05/Mar/2023:15:05:59 +0100] "HEAD /source.zip HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" 20.220.235.164 - - [05/Mar/2023:15:05:59 +0100] "GET /server-status HTTP/1.1" 403 975 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" 20.220.235.164 - - [05/Mar/2023:15:05:59 +0100] "GET /.nginx.env HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Safari/605.1.15" .. 20.220.235.164 - - [05/Mar/2023:15:08:55 +0100] "HEAD /status HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" 20.220.235.164 - - [05/Mar/2023:15:08:55 +0100] "HEAD /callback HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" 20.220.235.164 - - [05/Mar/2023:15:08:55 +0100] "HEAD /handler HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" 20.220.235.164 - - [05/Mar/2023:15:08:55 +0100] "HEAD /plaid HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" 20.220.235.164 - - [05/Mar/2023:15:08:56 +0100] "HEAD /plaid/item/webhook/ HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"For a total of 751 attempts via http on one site, receiving a redirect to https and following that redirect. I wonder if I can determine which scanner was used from the pattern of URLs tried.
2023-02-24 An unrequested web vulnerability scan from cloudflare IPv4 space
I noticed a strange peak in web traffic today and when digging in to it found out it was a web vulnerability scan. What made me look further was the fact that the source IPv4 addresses were randomized over quite a range, so any automatic firewalling wouldn't block the attempts. This turned out to originate from cloudflare IPv4 space. Interesting how the source IP addresses clearly spread out (which would circumvent a lot of automatic web application firewalls).172.70.251.143 - - [24/Feb/2023:09:52:22 +0100] "GET /index.php?s=%2Fadmin%2Fthink%5Capp%2FinvokeMethod&method%5B0%5D=think%5Cview%5Cdriver%5CPhp&method%5B1%5D=display&vars%5B0%5D=%3C%3Fphp+echo+md5%28%271f3870be274f6c49b3e31a0c6728957f%27%29%3B HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.16 - - [24/Feb/2023:09:52:24 +0100] "GET /index.php?s=%2Fuser%2Fthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=1f3870be274f6c49b3e31a0c6728957f HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.146 - - [24/Feb/2023:09:52:26 +0100] "GET /index.php?s=index%2Fuser%2F_empty HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.56 - - [24/Feb/2023:09:52:27 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.250.40 - - [24/Feb/2023:09:52:27 +0100] "GET /admin/public/login.html HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.250.41 - - [24/Feb/2023:09:52:28 +0100] "GET /index.php?s=%2Fadmin%2Fthink%5Capp%2FinvokeMethod&method%5B0%5D=think%5Cview%5Cdriver%5CPhp&method%5B1%5D=display&vars%5B0%5D=%3C%3Fphp+echo+md5%28%271f3870be274f6c49b3e31a0c6728957f%27%29%3B HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.56 - - [24/Feb/2023:09:52:28 +0100] "POST /_ignition/execute-solution HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.57 - - [24/Feb/2023:09:52:29 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.57 - - [24/Feb/2023:09:52:29 +0100] "GET /seller/login/reg HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.16 - - [24/Feb/2023:09:52:29 +0100] "GET /index.php?s=%2Fuser%2Fthink%5Capp%2FinvokeMethod&method%5B0%5D=think%5Cview%5Cdriver%5CPhp&method%5B1%5D=display&vars%5B0%5D=%3C%3Fphp+echo+md5%28%271f3870be274f6c49b3e31a0c6728957f%27%29%3B HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.247.24 - - [24/Feb/2023:09:52:31 +0100] "GET /index.php?s=%2Fadmin%2Fthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=1f3870be274f6c49b3e31a0c6728957f HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.16 - - [24/Feb/2023:09:52:31 +0100] "GET /index.php?s=%2Fapi%2Fthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=1f3870be274f6c49b3e31a0c6728957f HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.57 - - [24/Feb/2023:09:52:35 +0100] "GET /ch/upload/upload HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.16 - - [24/Feb/2023:09:52:35 +0100] "GET /index.php?s=index%2Fuser%2F_empty HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.132 - - [24/Feb/2023:09:52:36 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.146 - - [24/Feb/2023:09:52:36 +0100] "GET /admin/public/login.html HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.146 - - [24/Feb/2023:09:52:37 +0100] "GET /loginMe HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.57 - - [24/Feb/2023:09:52:39 +0100] "GET /_ignition/execute-solution HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.242.219 - - [24/Feb/2023:09:52:40 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.132 - - [24/Feb/2023:09:52:40 +0100] "GET /admin/other_cert/cert.php HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36" 172.70.46.17 - - [24/Feb/2023:09:52:41 +0100] "GET /index.php?case=admin&act=login&admin_dir=admin&site=default HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"I checked with someone who uses cloudflare for sites and these IPv4 addresses match how cloudflare proxies sites. My current theory is that someone set up a cloudflare proxy with my site as 'backend' and scanned the 'frontend' to make it harder for me to find the origin. At this moment the cloudflare abuse form doesn't work for me. I don't have a lot of trust in cloudflare doing things to stop abuse from cloudflare customers so I'm not going to jump through more hoops to get them to notice this, I expect a big dissapointment when I get an actual answer from them.
2023-02-03 Freeradius doesn't like the old LetsEncrypt chain
I was doing some testing with freeradius and suddenly nothing worked with the following error in debug mode:(7) eap_peap: ERROR: TLS Alert read:fatal:certificate expired (7) eap_peap: TLS_accept: Need to read more data: error (7) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expiredI checked the certificate and renewed it. The normal autorenewal processes had not run since the previous tests with radius and 802.1x authentication on wifi so that wasn't unexpected but this still didn't solve it: I kept getting the error message. After some deep searching why it worked before I saw I had requested that certificate in a different way where I had the chain with only ISRG Root X1 because sendmail gave me SSL verification failures after the DST Root CA expired. So I did the same as I did before: I configured dehydrated (my preferred ACME client) on the radius testmachine to use the LetsEncrypt issuer chain without the DST Root CA cross signature, with the following in /etc/dehydrated/config :# Preferred issuer chain (default: <unset> -> uses default chain) PREFERRED_CHAIN="ISRG Root X1"
2023-01-29 Grabbing the root filesystem image from the Cab.Link CLS-D4E2WX1
I wanted to grab the root filesystem image from the flash memory of the Cab.Link CLS-D4E2WX1 cable modem/router. The way to do this was the same as with Grabbing the firmware from the Corinex CXWC-HD200-WNeH and extracting the root filesystem although I decided to just dump the root filesystem image and not the entire flash memory. So the box was opened again, the usb serial interface connected to the uart pins on Cab.Link CLS-D4E2WX1 I found earlier and the boot stopped in the U-Boot process. First step was to determine where in the memory map the root filesystem image would be. This took a bit of calculation. From the bootup messages there are two important hints:Read the rest of Grabbing the root filesystem image from the Cab.Link CLS-D4E2WX17 cmdlinepart partitions found on MTD device ar7240-nor0 Creating 7 MTD partitions on "ar7240-nor0": 0x000000000000-0x000000040000 : "u-boot" 0x000000040000-0x000000050000 : "u-boot-env" 0x000000050000-0x000000670000 : "rootfs" 0x000000670000-0x0000007d0000 : "uImage" 0x0000007d0000-0x0000007e0000 : "SYSLOG" 0x0000007e0000-0x0000007f0000 : "NVRAM" 0x0000007f0000-0x000000800000 : "ART" ## Booting image at 9f670000 ...So the kernel image is booted from address 0x9f670000 and it's in the MTD partition at 0x000000670000. This makes the guess that the rootfs image from 0x000000050000 will live at memory location 0x9f050000 and has a size of 0x620000 so the approach is to dump 0x620000 bytes starting at that memory location. The command to do that in U-Boot:ar7240> md.b 0x9f050000 0x620000 9f050000: 68 73 71 73 04 03 00 00 07 25 98 52 00 00 02 00 hsqs.....%.R.... 9f050010: 27 00 00 00 02 00 11 00 c0 00 01 00 04 00 00 00 '...............This capture of data at 115200 bps took more than 20 minutes. But I have patience enough.... Ok, I went to do something else.
2023-01-05 Buttcoin phishing Bitvavo
Naast het gebruiken van bitcoin om mensen af te persen is er altijd ook de optie om in te breken op bitcoin accounts om de buttcoins van anderen te stelen.
Het voordeel van het niet gebruiken van banken voor geldzaken is dat je ook niet de mogelijkheid hebt om misdaad met geld te onderzoeken dus als je de buttcoins kan stelen kun je er mee wegkomen.Vandaag ontving ik een phishing mail die van 'Bitvavo' zou zijn, wat blijkbaar iets doet met buttcoins en andere cryptocurrencies. Verder hebben de criminelen goed opgelet bij phishing mails voor banken en gebruiken ze de standaard methodes van phishing: urgentie, voldoen aan regelgeving en een simpele handeling om toegang te krijgen tot je rekening. Met als toegevoegde stap de qrcode zodat je niet zomaar een url-analyzer af kan laten gaan op je mail en je de phishing site (dus de 'verificatiestappen') opent in je mobiele browser en minder makkelijk dingen kan controleren. Het spoor:En dat ziet er erg uit als een bitvavo login page.
- De qrcode scant naar http://lnkiy.in/VKwZG
- Redirect: https://360corporatetours.com/wp-admin/images/bit.php deze url ziet er uit als een gehackte wordpress site.
- Hier komt een html redirect naar: https://bitvavo.22497-4837.s2.webspace.re/
Update 2023-01-12
Ik heb ondertussen geleerd dat het prima mogelijk is om bitcoin te traceren, dit is de primaire activiteit van het bedrijf 'Chainalysis'. In de Darknet diaries podcast is dit uitgebreid besproken in de aflevering Welcome To Video - Darknet Diaries. De aflevering gaat over een groot onderzoek waarin bitcoin chain analysis het mogelijk maakte om verdachten op te sporen.
Naast het gebruiken van bitcoin om
2022-12-29 New hardware device to play with: Corinex HD200 CableLAN Wall Mount Adapter CXC-HD200-WMEe
Items with tag security before 2022-12-29My enthusiast stories about getting uart access on the previous cable router devices are causing more hardware to come my way to play with. This time two Corinex HD200 CableLAN Wall Mount Adapter CXC-HD200-WMEe units showed up. They are compact interfaces for ethernet-over-cable according to Corinex standards. The size and the status leds remind me a lot of devolo powerline units which I used years ago to get network in our garden shed. After voiding the warranty by breaking the sticker and unscrewing the two screws the case doesn't want to open yet. Some force is needed, plastic tabs in the corners kept it closed. I notice there is one very compact board with everything including the power supply. There is a clear demarcation on the board between the power supply area and the rest with slits in the board on parts of this line. Two other screws hold the board to the case and after removing those I can take it out. There are wires from the board to the power plug and a coax cable to the F connector for the coax cable. There is probably a main system on a chip (SoC) but it's hiding under a heatsink. Most components are surface mount devices (SMD). On the other side of the board I see a RTL8201EN ethernet chip near the RJ45 network connector. And an EM638165TS-6IG chip which turns out to be 64 Mbit of Synchronous DRAM. And a 25L3206E, 32 Mbit serial flash. For now I have no idea if this device has a UART somewhere. The only row of 4 small soldering pads didn't give me continuity to any part that I thought would be at the electric ground level so no idea whether that is the UART or not. Although there are two units they don't want to talk to each other over a coax cable with F connectors. The manuals I can find state clearly that they want to see a Corinex Ethernet over cable master device. The person that gave them to me has experience with these devices and their implementation of the standards and stated to me Corinex ethernet over cable devices only talk to Corinex ethernet over cable masters.