I know that I'm late to the party, but I'm super-thrilled that Netalyzr now has a downloadable CLI client. That makes me feel much safer than running Java in my browser.<br><br><div class="gmail_quote">On Sun, Jun 17, 2012 at 10:15 PM, Isis <span dir="ltr"><<a href="mailto:isis@patternsinthevoid.net" target="_blank">isis@patternsinthevoid.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
- -----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Hello Rack.<br>
<br>
I have spent the morning reverse engineering and analyzing this network<br>
analysis tool Netalyzr. Because the thing required a JVM to run, I based my<br>
analysis on the reversed source code instead of running it. Then I decided to<br>
run it anyway to see how accurate it is.<br>
<br>
The returned report contained the following funniness:<br>
<br>
Direct TCP connections to remote secure IMAP servers (port 585) succeed, but<br>
do not receive the expected content.<br>
<br>
The connection succeeded but came from a different IP address than we<br>
expected. Instead of the expected IP address, we received this request from<br>
75.101.62.88.<br>
<br>
Direct TCP connections to remote authenticated SMTP servers (port 587)<br>
succeed, but do not receive the expected content.<br>
<br>
The connection succeeded but came from a different IP address than we<br>
expected. Instead of the expected IP address, we received this request from<br>
75.101.62.88.<br>
<br>
Direct TCP connections to remote IMAP/SSL servers (port 993) succeed, but do<br>
not receive the expected content.<br>
<br>
The connection succeeded but came from a different IP address than we<br>
expected. Instead of the expected IP address, we received this request from<br>
75.101.62.88.<br>
<br>
Which apparently used to be r00ter, but now it's:<br>
<br>
isis@wintermute:~$ nmap -A -v -Pn 75.101.62.88<br>
<br>
Starting Nmap 5.51.6 ( <a href="http://nmap.org" target="_blank">http://nmap.org</a> ) at 2012-06-17 20:52 PDT<br>
NSE: Loaded 58 scripts for scanning.<br>
Initiating Parallel DNS resolution of 1 host. at 20:52<br>
Completed Parallel DNS resolution of 1 host. at 20:52, 0.02s elapsed<br>
Initiating Connect Scan at 20:52<br>
Scanning <a href="http://nat-sonicnet.noisebridge.net" target="_blank">nat-sonicnet.noisebridge.net</a> (75.101.62.88) [1000 ports]<br>
Discovered open port 53/tcp on 75.101.62.88<br>
Discovered open port 22/tcp on 75.101.62.88<br>
Completed Connect Scan at 20:52, 1.84s elapsed (1000 total ports)<br>
Initiating Service scan at 20:52<br>
Scanning 2 services on <a href="http://nat-sonicnet.noisebridge.net" target="_blank">nat-sonicnet.noisebridge.net</a> (75.101.62.88)<br>
Completed Service scan at 20:52, 0.09s elapsed (2 services on 1 host)<br>
NSE: Script scanning 75.101.62.88.<br>
Initiating NSE at 20:52<br>
Completed NSE at 20:52, 0.72s elapsed<br>
Nmap scan report for <a href="http://nat-sonicnet.noisebridge.net" target="_blank">nat-sonicnet.noisebridge.net</a> (75.101.62.88)<br>
Host is up (0.063s latency).<br>
Not shown: 998 closed ports<br>
PORT STATE SERVICE VERSION<br>
22/tcp open ssh OpenSSH 5.5p1 Debian 6 (protocol 2.0)<br>
| ssh-hostkey: 1024 c5:c8:8f:61:cb:69:cd:30:a1:29:1d:46:6b:a1:84:9c (DSA)<br>
|_2048 c6:64:6b:9a:e0:6f:21:d9:ae:7c:bc:3d:3b:0a:bb:13 (RSA)<br>
53/tcp open tcpwrapped<br>
Service Info: OS: Linux<br>
<br>
Read data files from: /usr/share/nmap<br>
Service detection performed. Please report any incorrect results at <a href="http://nmap.org/submit/" target="_blank">http://nmap.org/submit/</a> .<br>
Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds<br>
isis@wintermute:~$ ssh <a href="http://nat-sonicnet.noisebridge.net" target="_blank">nat-sonicnet.noisebridge.net</a><br>
The authenticity of host '<a href="http://nat-sonicnet.noisebridge.net" target="_blank">nat-sonicnet.noisebridge.net</a> (75.101.62.88)' can't be established.<br>
RSA key fingerprint is c6:64:6b:9a:e0:6f:21:d9:ae:7c:bc:3d:3b:0a:bb:13.<br>
Are you sure you want to continue connecting (yes/no)? yes<br>
Warning: Permanently added '<a href="http://nat-sonicnet.noisebridge.net" target="_blank">nat-sonicnet.noisebridge.net</a>,75.101.62.88' (RSA) to the list of known hosts.<br>
Welcome to Vyatta<br>
Permission denied (publickey).<br>
<br>
So, then I try to pull the certificate from a mailserver to check it, and<br>
nope. No certificate. Wireshark showed a bunch of TLSv1 Encrypted Alerts,<br>
followed by wintermute sending a bunch of (apparently ignored) [RST, ACK]s,<br>
and then a [FIN, ACK], and then there's just a bunch more TLSv1 Encrypted<br>
Alerts as if the mailserver never got the FIN:<br>
<br>
isis@wintermute:~$ openssl s_client -serverpref -msg -connect <a href="http://box658.bluehost.com:465" target="_blank">box658.bluehost.com:465</a> -starttls smtp -showcerts<br>
CONNECTED(00000003)<br>
didn't found starttls in server response, try anyway...<br>
>>> TLS 1.2 [length 013b]<br>
01 00 01 37 03 03 4f de b2 3f 49 03 04 f9 2e ac<br>
2f cd eb d4 02 35 fd e2 85 09 1b 81 af 3e f9 9d<br>
ef aa 84 ef f6 69 00 00 9e c0 30 c0 2c c0 28 c0<br>
24 c0 14 c0 0a c0 22 c0 21 00 a3 00 9f 00 6b 00<br>
6a 00 39 00 38 00 88 00 87 c0 32 c0 2e c0 2a c0<br>
26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 12 c0<br>
08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0<br>
2f c0 2b c0 27 c0 23 c0 13 c0 09 c0 1f c0 1e 00<br>
a2 00 9e 00 67 00 40 00 33 00 32 00 9a 00 99 00<br>
45 00 44 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00<br>
9c 00 3c 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0<br>
02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00<br>
08 00 06 00 03 00 ff 02 01 00 00 6f 00 0b 00 04<br>
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19<br>
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08<br>
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13<br>
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00<br>
00 0d 00 22 00 20 06 01 06 02 06 03 05 01 05 02<br>
05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01<br>
02 02 02 03 01 01 00 0f 00 01 01<br>
139891794618024:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:<br>
---<br>
no peer certificate available<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 0 bytes and written 355 bytes<br>
---<br>
New, (NONE), Cipher is (NONE)<br>
Secure Renegotiation IS NOT supported<br>
Compression: NONE<br>
Expansion: NONE<br>
---<br>
<br>
So, question: what is Vyatta, and why does it appear to be MITMing IMAPS<br>
connections? Also, I asked other people around to try to connect to IMAPS<br>
servers through GUIs with cert verification enabled, and Mischief set up tried<br>
to google through Thunderbird and the connection failed.<br>
<br>
<br>
<(A)3<br>
isis agora lovecruft<br>
<br>
- -----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.12 (GNU/Linux)<br>
<br>
iQIcBAEBCAAGBQJP3rkDAAoJEKOttnos24s1EOIQAKRgMC07d11L1Ub0BKTXU/Bb<br>
Xm0htqzM7M7cR5Ri1yuZ6Q6FzYof9+O5os3bzP/RApn/No9gVYfSk8BFXCJAqDwh<br>
5Norb9AtYZ2dM/8EaF20Cye4OMHUnLowgJHZeav+GS02nf8qYnhLNMfu7p6RTD6j<br>
N9lY0gvCpScv+SRCwhXSdcS2TjzhcwHHWPJrAEMfgnia0w/RjS/AZPYXkykixYlp<br>
ojvRDfduz9Tywkbwx862Way+XDXiEMLvRWYMCVEA8vNgAXSMzv3WFJnmT/skweOY<br>
SPv5xtdNX4hGGiSv6UKezxDpGlC7H3D7cM8eV88Gs5haDDPkMg4L7UzzLfQRySox<br>
j8ecEC/9AJa/LvbyMtXXnOj68l5qTozg7DKEzUyR9rUR10TZKWZjCOHsBvW5VCRq<br>
xoyGz1ox+hvXIzdEPxgxzcSkHXYWNfBF0Up1ZOYGoCTQ0QxBXNq6jJy3SgjyMhnK<br>
GC73kPfTmPgaB9fKHnKnILFsmIK7FaErYEICyJQKhSXYqhv26opqtK+Uo/AB8cF/<br>
FF0mksOPZdU6myaaHMIhXbWj95vu0dtMsuh6WGq3olo3f8hOfr55DojAE5bPVwT7<br>
UCAJYP15+9a7TPb8RR2tIh4h92zipYVoRbd9oM1EkbpIcgEac5y8x7187u04LWll<br>
VzSoGNCgknj6Xzqpnhex<br>
=HBZI<br>
- -----END PGP SIGNATURE-----<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.12 (GNU/Linux)<br>
<br>
iQIcBAEBCAAGBQJP3rldAAoJEKOttnos24s1IV0QAJK7Xer0+ZEYNYbH7qgHy91I<br>
4U/W7iJo2Kw5/uapIs6KrbxHFLWsDjFjdHjvm1b3T6LBdQ6ABDnNmGNXXTlnNmwk<br>
bV4QvcHTjMFSGZVDH2WbUeXySlARRP2yxGnlWjKGAoHTMDPLIl64MosRMUUa+OgV<br>
Y1UDI9HAAiERLnT1fA3UHmCzGLtmBjezkhRsQbfiihCA7xn6llxi3hwoCYZ6cEt7<br>
VCl/STdgXLm8t3YaFID8DliNut7SCLzU2A2ur22V7xsvi6Iyg324LU4Ak4Rh2lI7<br>
SumTtc5mUnzJ6sVwG/hz64EhRRnDn71XKzjs2nDeMtudjsPrNZikQ9quorJckci0<br>
A06211pyJ0HlIcUZnB+5/O0ZMqtS36fQO1ByB/2z3e3rYo4aW0xD8+rev52shooU<br>
RpyF5AAmACKWu9dM8Krt6Eu2TzS+mUNzG6AwveCVfBEb95gqaOlTso+vq/MPHoUc<br>
t77AyNA6LzhbGvVREPdHxNaD0iCRc+VgsT5wQXaRsDtcrehEFX0fX86fGW26k0JX<br>
YJgKWFykidCtfQwIl3gs1lDog9sFxFk3As58oCaMuEBvK0ujWj0Dc/xchsxj+Zeh<br>
nA2daIuTa/MAep1lmQb8bdYXeEiAoGigkz8Se0fT36RkLXV5me6QYi1sl69M9SI3<br>
/CtkgsvG3TW+K4AZnFQJ<br>
=YnW1<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Rack mailing list<br>
<a href="mailto:Rack@lists.noisebridge.net">Rack@lists.noisebridge.net</a><br>
<a href="https://www.noisebridge.net/mailman/listinfo/rack" target="_blank">https://www.noisebridge.net/mailman/listinfo/rack</a><br>
</blockquote></div><br>
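Added example (Python; not Netalyzr's code and not from either message above). It covers the two technical pieces of the quoted report: it parses the three Netalyzr findings into port → observed source address and lists the ports whose traffic reached the far end from an address other than the expected egress address, and it includes a certificate-verifying probe that opens implicit TLS on 465/993 and STARTTLS on 587, the mode each of those ports expects, so a re-signed certificate from an interception box fails verification instead of producing an opaque handshake error. The report text is the one quoted above; the expected egress address (203.0.113.10, a documentation-range placeholder) and any probe target are assumptions.

```python
"""
Parse Netalyzr-style findings, flag ports whose connections arrived at the
test server from an unexpected source address, and probe mail ports with
the correct TLS mode while verifying the certificate chain and hostname.

Added example, not Netalyzr's or the list posters' code. The report text is
the one quoted on the list; the expected egress address is an assumption.
"""
import re
import smtplib
import socket
import ssl

# Sample input taken from the quoted Netalyzr report (three findings).
SAMPLE_REPORT = """\
Direct TCP connections to remote secure IMAP servers (port 585) succeed, but
do not receive the expected content.

The connection succeeded but came from a different IP address than we
expected. Instead of the expected IP address, we received this request from
75.101.62.88.

Direct TCP connections to remote authenticated SMTP servers (port 587)
succeed, but do not receive the expected content.

The connection succeeded but came from a different IP address than we
expected. Instead of the expected IP address, we received this request from
75.101.62.88.

Direct TCP connections to remote IMAP/SSL servers (port 993) succeed, but do
not receive the expected content.

The connection succeeded but came from a different IP address than we
expected. Instead of the expected IP address, we received this request from
75.101.62.88.
"""

PORT_RE = re.compile(r"\(port (\d+)\)")
SRC_RE = re.compile(r"received this request from\s+(\d{1,3}(?:\.\d{1,3}){3})")


def parse_report(text):
    """Return {port: observed_source_ip_or_None} for every finding.

    The report wraps sentences across lines, so whitespace is collapsed
    first and the text is split at the start of each finding.
    """
    flat = " ".join(text.split())
    findings = {}
    for chunk in flat.split("Direct TCP connections")[1:]:
        pm = PORT_RE.search(chunk)
        sm = SRC_RE.search(chunk)
        if pm:
            findings[int(pm.group(1))] = sm.group(1) if sm else None
    return findings


def diverging_ports(findings, expected_ip):
    """Ports whose traffic reached the far end from an address other than
    expected_ip. When only some ports diverge, the egress for those ports
    is being handled separately (a port-specific proxy or NAT path)."""
    return sorted(p for p, src in findings.items() if src and src != expected_ip)


# Ports that speak TLS from the first byte; STARTTLS does not apply to them.
IMPLICIT_TLS_PORTS = {465, 993, 995}


def fetch_peer_cert(host, port, timeout=5.0):
    """Open a verified TLS session the way the port expects and return the
    peer certificate. ssl.SSLCertVerificationError is raised when the chain
    or hostname does not verify, which is the signal an interception box
    presenting its own certificate would produce."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    if port in IMPLICIT_TLS_PORTS:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    # Submission (587) starts in cleartext and upgrades via STARTTLS.
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    EXPECTED_EGRESS = "203.0.113.10"  # assumed; documentation-range placeholder
    found = parse_report(SAMPLE_REPORT)
    print("findings:", found)
    print("ports with unexpected source:", diverging_ports(found, EXPECTED_EGRESS))
```

Run as a script it only evaluates the embedded report text; `fetch_peer_cert` is there for a live check against a mail host of your own, and the point of the port table is that 465 and 993 get `wrap_socket` immediately while 587 goes through `starttls`, so the probe never tries to negotiate STARTTLS on a port that is already encrypted.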