Retroshare over I2P

WARNING: This post is based in my personal opinion, I’m not trying to sell anything, and I’m not related to neither of the projects in any way.

It’s been a long time since I published something and it’s because I have been busy changing the blog to another server and testing several things like OSSEC that I will tell you about in future post.

Today I bring you a post that combines two softwares that I have liked for a long time but that I didn’t have a lot of chances to really use them without being simple tests. Those are I2P and Retroshare.

Neither of them is as well-known as Tor or other alternatives that we have seen even in the TV, sadly this means that the amount of help in the internet is quite limited. The purpose of this post is, precisely, try to help them be more known.

But, What are the advantages of messing with this?

At functional level? None. At the contrary, we are gonna have services that we already use daily but they are probably gonna me slower and have more downtime.

What we really win is privacy. I2P provides the first layer of anonymity helping us hide our IP and Retroshare gives us several decentralized services.

What makes Retroshare so interesting is its decentralized model where there are no servers to connect to obtain the different services, in this case, this services work in a secure way between different nodes connected between them.

To be able to connect two nodes a key exchange must be done, like in GPG, with this both users allow the nodes to connect to each other. Doesn’t matter if you add somebody, if the other person doesn’t add you the connection will not happen.

The major problem with this method is that our public IP is included in that key as Retroshare needs it to know where is our node and how to reach it. This was the major reason why I stopped using Retroshare, even being based in a trust model I wasn’t convinced with the idea of my IP being disclosed like that.

In version 0.6 Retroshare includes the possibility to run hidden nodes with integration for TOR and I2P, thanks to this instead of using our IP we can use onion or i2p addresses.

I should explain that if we run a node this way the normal nodes will be only able to reach our node if they have configured an exit towards this networks. I couldn’t test this too much due to the lack of nodes inside and outside of this networks but, with a small network of two nodes, my normal client wasn’t able to ready the hidden one and vice versa.

Then idea is to have several services (messenger, chat, file exchange, etc) that doesn’t depend on central servers (our information goes directly from one node to the other) and that they don’t need our public IP (use of I2P addresses).

Fortunately there is a quite some information about how to install both this softwares so I’m gonna skip that step, I only have to say that if  you use Debian 8 I recommend you install Retroshare using the packet they have in github or, if you want co compile it, check a ticket I open about the dependencies as the ones in the wiki are outdated. If you try to install it using the repositories you will see and error about a missing dependency, this has already been reported too and they are working on it.

Once we have I2P running and our Profile created in Retroshare let’s get started.

We will start configuring the tunnels we are gonna need in I2P so Retroshare has everything it needs when we configure our hidden node.

For this we will go to the router section “Local tunnels”, if you have I2P in local it should be: http://127.0.0.1:7657/i2ptunnelmgr

As the steps, even somehow hidden, are quite well explained in Retroshare:

Tunnel Wizard -> Client Tunnel -> SOCKS 4/4a/5 -> enter a name -> leave ‘Outproxies’ empty -> enter port (memorize!) [you may also want to set the reachability to 127.0.0.1] -> check ‘Auto Start’ -> finish!

You can change the port if you want but by default both I2P and Retroshare use port 4447.

This is the tunnel that we will use to access the I2P network and the other nodes, now we will go with the input tunnel.

In the same section:

Tunnel Wizard -> Server Tunnel -> Standard -> enter a name -> enter the address and port your RS is using (see Local Address above) -> check ‘Auto Start’ -> finish!

Same as in the previous case, the port by default in both software is the same, 44321, if you don’t want to change it just leave it like that.

Once the tunnel is running, in “Local tunnels”, we could see that a base32 address appears and that will be the address we use for our hidden node.

Now we move to Retroshare and in the first window where we choose with which profile we want to connect we click in “Manage profiles and nodes” and the we will see the following window:

new-node

Check “Advance options” and “Create hidden node” when it appears.

As you can see it ask us to identify the node with a name and the hidden address that will be the same I2P address we saved before while creating the input tunnel.

Once inside our new node go to the section “Networking” inside “Options”:

options-network

 

Here we can see that the node is running in hidden mode, in the tab “Hidden Service Configuration” we have more data:

hidden-service

 

In the first section we could see that, in my node’s case, Retroshare has outbound connection towards the I2P network but not to the TOR network; afaik there shouldn’t be any problem having any type of node connected to both networks at the same time, this will simply give you access to nodes in each of the networks. In this case we want a node that works only over I2P so it should be enough to have I2P in green.

In the next section we find the inbound configuration, as I’m still doing test I have deleted my I2P address for this node, if we click in “Test” Retroshare will try to reach our node over I2P as if it was any other one to check that everything is ok, if you see a green light like in the image, everything is perfect.

Now we just need to exchange keys with our friends now using our I2P address instead of our public IP and start enjoying Retroshare.

As you can see in the images Retroshare itself explains the steps to follow to configure everything, I have told you anything that you couldn’t find yourselves, but I thought that this information is somehow hidden and that somebody who didn’t know where to look (as it happened to me) it can give you some headaches.

Hope you enjoy it and that people gains interest in both I2P and Retroshare, both project look very interesting but probably because they could be a little bit complex to use it looks like they are not very welcome by the users. Hope this will change and people begin to use this kind of alternatives.

I would like to leave here the key for my test node that I have in I”P so you could test it but as we are speaking about privacy I don’t really like the idea of just leaving it here so, if somebody is interested just leave a comment and we can share keys.

Greeting and thanks for your visit.

 

Posted in i2p, retroshare | 4 Comments

Trivial over the network with Docker and Python

Ïn MundoHackerDay one of the miscellaneous challenges that we proposed was a little trivial where the players should obtain a certain number of correct answers to get the flag.

This idea surged from the trivial on the Pragyan CTF where you may reply to 50 random questions related to India. In that case each player got a set of 50 questions that didn’t change so you could just do trial and error, I decided to be a little bit bad and in this case the questions set is random each time.

Before somebody starts calling me names let me say that we where a little bit “lazy” as we only wrote 15 questions and you just needed to answer 10 so, I wasn’t that bad hehe

You can obtain the image directly from https://hub.docker.com/r/kalrong/trivial/ just doing:

docker pull kalrong/trivial

In case you may prefer to test it locally or check the sources you can go to the github repository where I have it stored and from where the build is automatically triggered in hub.docker: https://github.com/KALRONG/trivial

In case you try it with Docker remember to map the container’s port in case you want somebody else to connect.

This is the help of the trivial:

usage: trivial.py [-h] [-p PORT] [-q QUESTIONS] [-l LOG] [-f FLAG]
                  [-a ANSWERS]

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  Specify which port to be used. Default: 8100
  -q QUESTIONS, --questions QUESTIONS
                        File containing the questions for the trivial.
                        Default: /root/questions
  -l LOG, --log LOG     Folder where the logs will be saved. Defauld: ./log/
  -f FLAG, --flag FLAG  Flag given at the end of the game to the winners.
                        Default: flag{Tr1v14L-RuL3z}
  -a ANSWERS, --answers ANSWERS
                        Number of correct answers before the flag is given.
                        Default: 1

Bot, the docker image and the repository, contain a file with an example questions so you can test it. In case that you run it directly on your machine note that by default the questions file is in /root , this is because I didn’t want to mess around in docker.As you can see in the help the trivial is quite configurable, you can change the port, the log path, questions path, the flag, etcI didn’t have time yet to add the option on how verbose the server is, right now it will give you real-time information in the shell and also create a log file for each ip. The idea is to be able to control what people is doing and see if there are problems with certain questions or, in the worst case, ban somebody.

Hope you enjoy this little tool and don’t forget to leave your suggestions, questions or problems you may find, they will be welcome.

See you around!

Posted in docker, python, tools | Leave a comment

How to install Kali Nethunter on Nexus and OnePlusOne

After getting back from Mundo Hacker Day 2016 is now the turn to continue with the blog, thanks to the guys from StackOverFlow who lent me a OnePlusOne (aka OPO) I had the chance to play a little with the Kali Nethunter, a mod for Android/CM from the guys of Offensive Security that transforms your device in a portable tool for pentesting.

Device Android Version Notes
Nexus 4 (mako) 5.1.1
CM 13.0
Nexus 5 (hammerhead) 5.1.1 or 6.0.1
CM 13.0
Nexus 5x (bullhead) 6.0.1
Nexus 6 (shamu) 5.1.1 or 6.0.1
Nexus 6P (angler) 6.0.1
Nexus 7 2012 (grouper) 5.1.1
Nexus 7 2013 (flo) 5.1.1 or 6.0.1
CM 13.0
Nexus 9 (flounder) 5.1.1 or 6.0.1
Nexus 10 (manta) 5.1.1
OnePlus One (oneplus1) CM 12.1 or 13.0 Recommended
OnePlus Two (oneplus2) CM 12.1 or 13.0
OnePlus X (oneplusx) CM 13.0
LG G5 (h830, h850) 6.0.1
Galaxy Note 3 (hlte) CM 12.1 or 13.0
TouchWiz 5.0
Galaxy S5 (klte) CM 12.1 or 13.0
TouchWiz 5.1 or 6.0
SHIELD tablet (shieldtablet)
SHIELD tablet K1
6.0.1
CM 13.0

In this table you can check the different devices and OS versions that Nethunter supports, as one of the thing that Nethunter modifies is the kernel it makes it quite difficult to port to other devices, in my case I’m checking to port it to my BQ M5.5 but I’m not really sure what the outcome will be.

Obtaining Nethunter

The first step will be to obtain Nethunter for our device, here we have two options, we can download the latest build from here or build it on our computer.

For this post I will explain the steps using the latest build that comes ready for Nexus and OPO. I’m gonna leave the build part for when I advance more in the BQ port.

Getting the device ready

Once we have got the Nethunter the next will get the device ready for the installation.

We should unlock our device and make sure that we have a compatible version installed as per the table in the beginning of this post.

To unlock our phone we will use the following command (I assume you have access to the device using ADB):

#Reboot in fastboot mode
adb reboot bootloader
#Check that the device is indeed in fastboot mode
fastboot devices
#Unlock the device
fastboot oem unlock
#Reboot
fastboot reboot

If everything was OK we should have our device ready to continue.

Optional: Install TWRP and SuperSu to make the manual installation.

Installing Nethunter

Here we have two installation methods, manual and automatic. After several tries I finally chose the automatic one.

In case that you want to do the manual installation you should install the optional software specified mentioned above and just install the ZIP from TWRP.

Even if there is a Windows installation method I will not speak about it as I didn’t have the chance to test and don’t want to give you false tips.

The Linux installation is quite simple, first we clone the NetHunter Linux Root Toolkit with git.

git clone https://github.com/offensive-security/nethunter-LRT

Here we have all the scripts needed for the installation but not the binaries required:

  1. If you want to also use this scripts to go back to Stock or a compatible version you will need to download the images in ZIP and put them in the folder stockImage/.
  2. We download TWRP from their web and we put it in the folder twrpImage/.
  3. Download SuperSu from XDA post and put it in the folder superSu/.

In case you want to use this scripts to go back to Stock or a compatible version there are two, one for Nexus and another one for OPO, both will delete everything in your device.

  • stockNexusFlash.sh : For Nexus devices.
  • stockOpoFlash.sh : For OPO devices, note that this script needs an argument, 16gb or 64gb, depending in your model.

Once ready to install we simply execute the following script, and if everything is ok, the script will indicate which steps are being run and we will also see it working on the device.

./twrpFlash.sh

If everything is OK after the device restarts you will see the Nethunter bootsplash image and you will be ready to use it.

Hope you enjoyed this post and it helps you, in future post I will try to show you different tools that come with Nethunter. For any problem or correct feel free to leave a comment and I will gladly help.

Best regards!

References: https://github.com/offensive-security/kali-nethunter/wiki

Posted in nethunter | 2 Comments

Docker, a “little” introduction

Lately I have being playing a lot with Docker, whatsoever, this blog is running on it, but What is Docker?

Docker is a software that allow us to run containers (think of them as VM’s for the moment) in a simple, light and fast way.

In the previous line I told you to think of a container as a VM, that’s not exactly true. A VM contains a full OS with everything that it required to boot as if it was a physical machine, this usually means that the disk usage is quite high from the beginning (Yeah, I know, you can make a super light installation not even bigger that a Gb). In Docker the containers only contain the required files (binaries, libraries, etc, etc) to work as the kernel is shared with the Host.

Docker also removes the hypervisor what makes it even lighter, and something I love, it can run inside a VM (only in Linux, Windows has a limitation that I will explain later on).

And, What does all this mean? To show you a real example, this is the disk usage of this blog currently on my Docker:

# docker ps -s
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                  NAMES                   SIZE
553c6bf413f1        wordpress           "/entrypoint.sh apach"   39 hours ago        Up 15 hours         0.0.0.0:8080->80/tcp   wordpress_wordpress_1   71.75 MB (virtual 592.3 MB)
c828665d7494        mariadb             "/docker-entrypoint.s"   39 hours ago        Up 39 hours         3306/tcp               wordpress_db_1          2 B (virtual 387.5 MB)

As you can see I use two containers, one for the wordpress (apache, php, etc) and the other one for mariadb, and I think the SIZE column speaks by itself.

Lets see what means each of the columns so you can start getting familiar with the different components of Docker.

CONTAINER ID

This is the ID that Docker assigns to the container and that we can use as unique referer.

IMAGE

Base image use to create the container. We can consider an image as the template for a container, it contains all the basic elements already installed to work. Once the container is created we can modify it as we like, notice that the image itself is not modified, just the changes made on the container. In this cases the wordpress image container an installation of wordpress ready to use and includes an apache server, if I wanted to run a different wordpress I will simply use the same image to create a new container and start from scratch.

COMMAND

This is the command that is executed when the container starts, in this case a script that takes care of starting all the necessary services.

CREATED & STATUS

How long since the container was created and its uptime.

PORTS

By default Docker generates a virtual network, similar to the VBox’s host-only, with which we can access the container ports only from the Host or from other containers. In this case the wordpress’s container maps port 80 of the container to the port 8080 of the Host what means that if we connect to the port 8080 of the Host the port 80 of the container will reply but, in the mariadb’s container, the port 3306 is not mapped meaning that it will be only accessible from the Host or, in this case, from the wordpress container.

NAMES

In addition to the ID the containers also could be referred by a name, if it’s not specified when the container is created Docker will assign it a random one formed by two-word, some could be quite funny.

Another thing that made me fall in love with Docker is small deployment time, creating a new container takes only a few seconds, and only the first time may take a while if the base image is not already downloaded.

A Docker usage example could be a metasploit image and another one with OpenVAS that I created and that allows me to run those application without installing anything else than Docker in the Host as all the dependencies are already inside of the images. This way if I need metasploit I just create a container with that image and I will be able to use it immediately.

Another option that Docker has is the option to create a Swarm, something like a cluster, using different machines and administrate all from a single one. This way the containers will run in different machines be them the ones we specify, be them the ones Docker decides. The only inconvenience of the Swarm is that the ports are not mapped to the administrator machine but to the one where the container is running, meaning that if we run a container in a remote machine we will need to connect to the port on that machine. About Swarm I will talk in future post and will explain you how to build a simple one.

Hope you enjoyed this “little” introduction to Docker, if you want to read more you can go to their website:  https://www.docker.com

Posted in docker | Leave a comment

CTF Mugardos 2015 Writeup – Forensic

Statement:

This cursed image 100 points

I know I put it somewhere, but where..

File for the challenge: https://mega.nz/#!YcBw2A4K!jUqgKnf5YZhmjZtpNEH7jM3h2rQ4KyvrOiBaLYmdWys

Key format:
– SHA256 of the key
– No spaces
– Uppercases, lowercases, numbers and special characters exactly as they appear in the file of the challenge

Solution:

In this challenge we are asked to download a tar.gz file that contains the file image.raw.

File command returns the following information:

forensic1

Looks like is a disk image, the next step would be to see what fdisk has to say:

forensic2

Looks like almost everything is swap and we have a 500Mb partition in ZFS format. The problem is that ZFS doesn’t allow file I/O so we can’t directly mount it, first, we need to use losetup to mount it so ZFS could recognize it.

For that we need to calculate the offset of that partition, knowing that block size is 512 bytes and that the partition starts at 4194432:

512 * 4194432 = 2147549184

Once we know the offset we execute losetup as follows:

forensic3

To proceed with the following steps we need to have installed and loaded the ZFS modules. In my case I had several version problems as the version used for the challenge was newer than the one in the repositories so I compiled the modules from the sources.

We use zpool to import the ZFS pool:

forensic4

Zpool warn us that the pool was used in another system previously so we need to force the import with the -f option and also use its name (Mugar2x3); and then we confirm that the pool was imported:

forensic5

With this the partition should be already mounted on our system’s root under the folder Mugar2x3. If this is not the case we can use the following command to mount it:

zfs mount Mugar2x3

We can see that it only contains several subfolders and a lot of files with the famous “Lorem ipsum”, but not a single picture that is what the challenge asks.

ZFS has the feature to generate snapshots to be able to recover old status of the file system, we take a look and we can see that there are several of them:

 

forensic6

The snapshots are sort from older to newer, in the case that we miss we need to destroy and import the pool again.

In this case, judging by the size, our best option was the snapshot 3, so we proceed to do a rollback to it:

 

forensic7

As we still have a lot of files in the middle I used the file command to locate the picture:

forensic8

We open the file and voila:

forensic9

We then calculate the SHA256 and we have solved the challenge.

Posted in ctf, writeups | Leave a comment

CTF Mugardos 2015 Writeup – Stego200

Statement:

AM 200 points

Now seriously, when it comes to listen to music, nothing better than the radio, or not?

Maybe we are too nostalgic.

Format of the answer:
– Uppercase and lowercase as they appear in the flag
– No spaces

Solution:

In this challenge they gave us an ogg file, nothing strange to the naked eye. Lets start openning it with Audacity:

estego1

We can see that the first two tracks are the original song but there is a third track, lets extract it and open it with Sonic Visualiser, app that has helped me a lot in the past with the typical text hidden in audio thanks to its layers:

stego3

As Im used to I add the spectrogram layer just in case there was some text and because I like it more, in this case we didn’t find any text but we were able to locate some audio in an specific part.

After thinking about several ways and doing several tests with software oriented to weatherfax that we already saw in other challenges I decided to try my luck with SSTV. For that we will play the audio with paplay while we set QSSTVE to listen, notice that you need to redirect the audio output to the input so QSSTV can receibe it, in my case using pulseaudio I did this using pavucontrol, in the input sections and the monitor mode interfaces.

Here we can see that QSSTV has recognized the signal as SSTV in Scottie 1 mode and begins to show the result:

stego4

When the audio finish to play we get the following image:

stego5

Calculate the SHA256 of the string “IWannaKnowPulpoKey” and we get the flag we need.

Posted in ctf, writeups | Leave a comment

CTF Mugardos 2015 Writeup – Crypto100

And lets reopen the blog with the first writeup of the CTF that took place in 2015 at the Kernel in Mugardos.

Statement:

When does the trope open? 100 points

When does the trope open? I wanna dance!

Format of the answer:
– SHA256 of the flag
– Lowercase
– No spaces

Solution:

In this challenge they provided the following image:

crypto100

My first impression was, ¿What the …? Thinking that maybe the organization didn’t copy/paste each stickmen I did several searches in google for fonts done with them. Found several ones but  an specific one matched exactly and on its detailed information said that it was based on a message shown in one of Sherlock Holmes novels.

Font: http://www.fontspace.com/martin-bergman/dancingmen

As the website already shown the alphabet with all the stickmens that we needed I directly translated each stickmen to its corresponding letter obtaining the following message:

jvxlif hlv jz ruvdrj tzwirdfj vjkf tfe rcxle dvkfuf tcrjztf tfdf trvjri jvir dltyf drj wfidrj gfi jz rtrjf cr tcrmv vj mzmrvcglcgf

A quick Caesar bruteforce showed that it was a Caesar with key 17. We got the following message:

seguro que si ademas ciframos esto con algun metodo clasico como caesar sera mucho mas formas por si acaso laclave es vivaelpulpo

In English it will be: “if we also cypher this with a classic method like Caesar it will be mucho more forms just in case the password is longliveoctopus”

Doing the SHA256 of the string “vivaelpulpo” it will show the flag we need.

Posted in ctf, writeups | Leave a comment

Hello World, again!

Finally back, in the end I decided to open the blog agan and I hope to add more content little by little, in the next few days I will probably add several things that are pending like some writeups that I did for the Kernel 2015’s CTF.

Hope you enjoy the new content (as the blog is quite ugly hehe)

Posted in Sin categoría | Leave a comment