[Rack] Oddity on 75.101.62.88

Isis isis at patternsinthevoid.net
Mon Jun 18 05:15:09 UTC 2012


Hello Rack.

I have spent the morning reverse engineering and analyzing this network
analysis tool Netalyzr. Because the thing required a JVM to run, I based my
analysis on the reversed source code instead of running it. Then I decided to
run it anyway to see how accurate it is.

The returned report contained the following funniness:

    Direct TCP connections to remote secure IMAP servers (port 585) succeed, but
    do not receive the expected content.

    The connection succeeded but came from a different IP address than we
    expected. Instead of the expected IP address, we received this request from
    75.101.62.88.

    Direct TCP connections to remote authenticated SMTP servers (port 587)
    succeed, but do not receive the expected content.

    The connection succeeded but came from a different IP address than we
    expected. Instead of the expected IP address, we received this request from
    75.101.62.88.

    Direct TCP connections to remote IMAP/SSL servers (port 993) succeed, but do
    not receive the expected content.

    The connection succeeded but came from a different IP address than we
    expected. Instead of the expected IP address, we received this request from
    75.101.62.88.

Which apparently used to be r00ter, but now it's:

    isis at wintermute:~$ nmap -A -v -Pn 75.101.62.88

    Starting Nmap 5.51.6 ( http://nmap.org ) at 2012-06-17 20:52 PDT
    NSE: Loaded 58 scripts for scanning.
    Initiating Parallel DNS resolution of 1 host. at 20:52
    Completed Parallel DNS resolution of 1 host. at 20:52, 0.02s elapsed
    Initiating Connect Scan at 20:52
    Scanning nat-sonicnet.noisebridge.net (75.101.62.88) [1000 ports]
    Discovered open port 53/tcp on 75.101.62.88
    Discovered open port 22/tcp on 75.101.62.88
    Completed Connect Scan at 20:52, 1.84s elapsed (1000 total ports)
    Initiating Service scan at 20:52
    Scanning 2 services on nat-sonicnet.noisebridge.net (75.101.62.88)
    Completed Service scan at 20:52, 0.09s elapsed (2 services on 1 host)
    NSE: Script scanning 75.101.62.88.
    Initiating NSE at 20:52
    Completed NSE at 20:52, 0.72s elapsed
    Nmap scan report for nat-sonicnet.noisebridge.net (75.101.62.88)
    Host is up (0.063s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE    VERSION
    22/tcp open  ssh        OpenSSH 5.5p1 Debian 6 (protocol 2.0)
    | ssh-hostkey: 1024 c5:c8:8f:61:cb:69:cd:30:a1:29:1d:46:6b:a1:84:9c (DSA)
    |_2048 c6:64:6b:9a:e0:6f:21:d9:ae:7c:bc:3d:3b:0a:bb:13 (RSA)
    53/tcp open  tcpwrapped
    Service Info: OS: Linux

    Read data files from: /usr/share/nmap
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds
    isis at wintermute:~$ ssh nat-sonicnet.noisebridge.net
    The authenticity of host 'nat-sonicnet.noisebridge.net (75.101.62.88)' can't be established.
    RSA key fingerprint is c6:64:6b:9a:e0:6f:21:d9:ae:7c:bc:3d:3b:0a:bb:13.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'nat-sonicnet.noisebridge.net,75.101.62.88' (RSA) to the list of known hosts.
    Welcome to Vyatta
    Permission denied (publickey).

So, then I try to pull the certificate from a mailserver to check it, and
nope. No certificate. Wireshark showed a bunch of TLSv1 Encrypted Alerts,
followed by wintermute sending a bunch of (apparently ignored) [RST, ACK]s,
and then a [FIN, ACK], and then there's just a bunch more TLSv1 Encrypted
Alerts as if the mailserver never got the FIN:
    
    isis at wintermute:~$ openssl s_client -serverpref -msg -connect box658.bluehost.com:465 -starttls smtp -showcerts
    CONNECTED(00000003)
    didn't found starttls in server response, try anyway...
    >>> TLS 1.2  [length 013b]
    139891794618024:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 355 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

So, question: what is Vyatta, and why does it appear to be MITMing IMAPS
connections? Also, I asked other people around to try to connect to IMAPS
servers through GUIs with cert verification enabled, and Mischief set up tried
to google through Thunderbird and the connection failed.


<(A)3
isis agora lovecruft

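A small triage helper, added here and not part of the original message: it classifies an openssl s_client run like the one quoted above (ClientHello written, zero bytes read back, no peer certificate) and flags the Netalyzr-style "request came from a different address" symptom. The "ok" transcript and the expected client address 198.51.100.7 are constructed for the example.

```python
import re

# Constructed excerpts modelled on the s_client output quoted above; the
# "ok" variant and the expected IP 198.51.100.7 are made-up, not from the post.
SAMPLE_FAILED = """CONNECTED(00000003)
139891794618024:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 355 bytes
---
New, (NONE), Cipher is (NONE)
"""
SAMPLE_OK = """CONNECTED(00000003)
subject=/CN=box658.bluehost.com
---
SSL handshake has read 3104 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
"""
REPORT = ("Instead of the expected IP address, we received this request from\n"
          "75.101.62.88.\n")
EXPECTED_IP = "198.51.100.7"  # placeholder for the client's real public address

_RW = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
_CIPHER = re.compile(r"Cipher is (\S+)")
_FROM = re.compile(r"received this request from\s+(\d+(?:\.\d+){3})")

def classify_s_client(output):
    # Did the far end ever answer our ClientHello with TLS of its own?
    m = _RW.search(output)
    read, written = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    no_cert = "no peer certificate available" in output
    c = _CIPHER.search(output)
    if no_cert and read == 0 and written > 0:
        # ClientHello left the box, nothing came back: dropped or intercepted upstream
        verdict = "no-tls-reply"
    elif no_cert:
        verdict = "no-cert"
    else:
        verdict = "cert-presented"
    return {"read": read, "written": written,
            "cipher": c.group(1) if c else "(NONE)", "verdict": verdict}

def egress_mismatch(report_text, expected_ip):
    # Addresses the remote server saw us come from that are not our own
    seen = _FROM.findall(report_text)
    return sorted({ip for ip in seen if ip != expected_ip})
```

Run it over your own s_client captures for ports 465, 587 and 993; a "no-tls-reply" verdict on all three from the same network, together with a non-empty egress mismatch, is the pattern that points at the upstream NAT/proxy rather than at the mail servers.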