[Rack] Oddity on 75.101.62.88
Danny O'Brien
danny at spesh.com
Mon Jun 18 05:38:29 UTC 2012
Someone with clue will be along shortly, I think r00ter's work got
subsumed into bikeshed, which is running Vyatta, which is a
Debian-based router OS. I suspect it's mangling the handshake somehow.
d.
On Sun, Jun 17, 2012 at 10:15 PM, Isis <isis at patternsinthevoid.net> wrote:
> Hello Rack.
>
> I have spent the morning reverse engineering and analyzing this network
> analysis tool Netalyzr. Because the thing required a JVM to run, I based my
> analysis on the reversed source code instead of running it. Then I decided to
> run it anyway to see how accurate it is.
>
> The returned report contained the following funniness:
>
> Direct TCP connections to remote secure IMAP servers (port 585) succeed, but
> do not receive the expected content.
>
> The connection succeeded but came from a different IP address than we
> expected. Instead of the expected IP address, we received this request from
> 75.101.62.88.
>
> Direct TCP connections to remote authenticated SMTP servers (port 587)
> succeed, but do not receive the expected content.
>
> The connection succeeded but came from a different IP address than we
> expected. Instead of the expected IP address, we received this request from
> 75.101.62.88.
>
> Direct TCP connections to remote IMAP/SSL servers (port 993) succeed, but do
> not receive the expected content.
>
> The connection succeeded but came from a different IP address than we
> expected. Instead of the expected IP address, we received this request from
> 75.101.62.88.
>
> Which apparently used to be r00ter, but now it's:
>
> isis at wintermute:~$ nmap -A -v -Pn 75.101.62.88
>
> Starting Nmap 5.51.6 ( http://nmap.org ) at 2012-06-17 20:52 PDT
> NSE: Loaded 58 scripts for scanning.
> Initiating Parallel DNS resolution of 1 host. at 20:52
> Completed Parallel DNS resolution of 1 host. at 20:52, 0.02s elapsed
> Initiating Connect Scan at 20:52
> Scanning nat-sonicnet.noisebridge.net (75.101.62.88) [1000 ports]
> Discovered open port 53/tcp on 75.101.62.88
> Discovered open port 22/tcp on 75.101.62.88
> Completed Connect Scan at 20:52, 1.84s elapsed (1000 total ports)
> Initiating Service scan at 20:52
> Scanning 2 services on nat-sonicnet.noisebridge.net (75.101.62.88)
> Completed Service scan at 20:52, 0.09s elapsed (2 services on 1 host)
> NSE: Script scanning 75.101.62.88.
> Initiating NSE at 20:52
> Completed NSE at 20:52, 0.72s elapsed
> Nmap scan report for nat-sonicnet.noisebridge.net (75.101.62.88)
> Host is up (0.063s latency).
> Not shown: 998 closed ports
> PORT STATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 5.5p1 Debian 6 (protocol 2.0)
> | ssh-hostkey: 1024 c5:c8:8f:61:cb:69:cd:30:a1:29:1d:46:6b:a1:84:9c (DSA)
> |_2048 c6:64:6b:9a:e0:6f:21:d9:ae:7c:bc:3d:3b:0a:bb:13 (RSA)
> 53/tcp open tcpwrapped
> Service Info: OS: Linux
>
> Read data files from: /usr/share/nmap
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds
> isis at wintermute:~$ ssh nat-sonicnet.noisebridge.net
> The authenticity of host 'nat-sonicnet.noisebridge.net (75.101.62.88)' can't be established.
> RSA key fingerprint is c6:64:6b:9a:e0:6f:21:d9:ae:7c:bc:3d:3b:0a:bb:13.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'nat-sonicnet.noisebridge.net,75.101.62.88' (RSA) to the list of known hosts.
> Welcome to Vyatta
> Permission denied (publickey).
>
> So, then I try to pull the certificate from a mailserver to check it, and
> nope. No certificate. Wireshark showed a bunch of TLSv1 Encrypted Alerts,
> followed by wintermute sending a bunch of (apparently ignored) [RST, ACK]s,
> and then a [FIN, ACK], and then there's just a bunch more TLSv1 Encrypted
> Alerts as if the mailserver never got the FIN:
>
> isis at wintermute:~$ openssl s_client -serverpref -msg -connect box658.bluehost.com:465 -starttls smtp -showcerts
> CONNECTED(00000003)
> didn't found starttls in server response, try anyway...
> >>> TLS 1.2 [length 013b]
> 139891794618024:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 355 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> So, question: what is Vyatta, and why does it appear to be MITMing IMAPS
> connections? Also, I asked other people around to try to connect to IMAPS
> servers through GUIs with cert verification enabled, and Mischief set up tried
> to google through Thunderbird and the connection failed.
>
>
> <(A)3
> isis agora lovecruft
>
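As an added example (not code from the thread or from Vyatta/Netalyzr), here is a small Python probe that repeats the check Isis did with openssl s_client across the three mail ports the Netalyzr report flagged, and tells apart the symptom seen above (handshake failure, no peer certificate) from a certificate that differs from a pinned fingerprint, which is what an active interception would look like. The host is the one from the message; the expected fingerprints and the 5-second timeout are placeholders/assumptions, and port 587 is probed via STARTTLS using smtplib.

```python
"""Probe the mail ports from the Netalyzr report for TLS interception (added example)."""
import hashlib
import smtplib
import socket
import ssl

# Constructed placeholders: obtain the real SHA-256 fingerprints of the leaf
# certificates over a trusted network path and pin them here before trusting a verdict.
EXPECTED_SHA256 = {
    ("box658.bluehost.com", 465): "<sha256-of-expected-leaf-cert>",
    ("box658.bluehost.com", 587): "<sha256-of-expected-leaf-cert>",
    ("box658.bluehost.com", 993): "<sha256-of-expected-leaf-cert>",
}

def cert_sha256(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def classify(expected_fp, observed_fp, error) -> str:
    """Map one probe result to a verdict. Order matters: ssl.SSLError is a subclass of OSError."""
    if isinstance(error, ssl.SSLError):
        return "handshake-failure"   # the s_client symptom: bytes written, 0 read, no cert
    if error is not None:
        return "connect-error"       # refused, reset or timeout: blocked rather than intercepted
    if observed_fp is None:
        return "no-cert"
    if expected_fp is None:
        return "unpinned"            # a cert arrived but there is nothing to compare it with
    return "ok" if observed_fp == expected_fp else "mismatch"  # mismatch: likely MITM

def probe(host: str, port: int, timeout: float = 5.0):
    """Return (leaf-cert sha256 or None, exception or None) for one host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # accept any cert so we can see it; the pin judges it
    try:
        if port == 587:              # submission: plaintext banner, then STARTTLS
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.starttls(context=ctx)
                der = smtp.sock.getpeercert(binary_form=True)
        else:                        # 465 / 993: TLS from the first byte
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    der = tls.getpeercert(binary_form=True)
    except (OSError, smtplib.SMTPException) as exc:
        return None, exc
    return (cert_sha256(der) if der else None), None

if __name__ == "__main__":
    for (host, port), expected in EXPECTED_SHA256.items():
        fp, err = probe(host, port)
        print(f"{host}:{port} -> {classify(expected, fp, err)} ({fp or err})")
```

Run it once from behind the router and once from outside; "handshake-failure" on the inside only points at the router mangling the handshake, while "mismatch" on the inside only points at something presenting its own certificate.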