Assalamualaikum. It has been a long time since I last wrote. This time I want to talk about the outbound port test scanner.
In which situations do we need an outbound port test scanner? Usually when we are inside a restricted network, one that blocks (content-filters) websites and so on.
So, using this technique, we scan for the ports that are allowed out of that network.
An example is the restricted network at my office. It turns out that only ports 21, 80 and 443 are allowed out. Refer to the scanner output below:
scan against portquiz.net
80 and 443 go out through the proxy and are subject to various kinds of filtering.
The interesting one is port 21, FTP. Let us see whether that port is proxied or not.
C:\Users\hairi>telnet routermen.tn.my 21
Connecting To routermen.tn.my...
We find that port 21 is allowed out directly.
[root@mail ~]# tcpdump -i bond0 port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:08:23.231092 IP 203.153.80.58.54997 > routermen.tn.my.ftp: Flags [S], seq 2295775847, win 8192, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
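The check described above, written out as a script, is an added example for this post and not the author's scanner: it performs a plain TCP connect to a host that answers on every port (the post uses portquiz.net, assumed reachable here) and classifies each port as open, refused or filtered, so the result can be compared with the documented egress policy. The port list and the `{80, 443}` allow-list are assumptions for illustration; the loopback helper exists only so the checker can be exercised offline.

```python
"""Outbound (egress) TCP port audit: which ports does the perimeter let out?
Added example for this post, not the author's scanner."""
import socket
import threading
from typing import Dict, Iterable, List, Set, Tuple

AUDIT_PORTS = (21, 22, 25, 53, 80, 443, 3389, 8080)   # assumed sample list; adjust to your policy


def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """'open'     = TCP handshake completed (something answered on that port),
       'refused'  = RST came back (the path is allowed, nothing is listening),
       'filtered' = no answer before the timeout (typically dropped by an egress firewall)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:                       # socket.timeout / TimeoutError and unreachable errors
        return "filtered"
    finally:
        s.close()


def egress_audit(host: str, ports: Iterable[int] = AUDIT_PORTS, timeout: float = 3.0) -> Dict[int, str]:
    """Probe all ports concurrently so a handful of timeouts do not take minutes."""
    addr = socket.gethostbyname(host)      # resolve once; a DNS failure must not look like 'filtered'
    results: Dict[int, str] = {}
    lock = threading.Lock()

    def worker(p: int) -> None:
        r = check_port(addr, p, timeout)
        with lock:
            results[p] = r

    threads = [threading.Thread(target=worker, args=(p,)) for p in ports]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def policy_drift(results: Dict[int, str], allowed: Set[int]) -> List[int]:
    """Ports that are reachable although the documented egress policy does not allow them."""
    return sorted(p for p, r in results.items() if r == "open" and p not in allowed)


def loopback_listener() -> Tuple[socket.socket, int]:
    """Self-test fixture: a listening socket on 127.0.0.1 so check_port() can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    res = egress_audit("portquiz.net")
    for p in sorted(res):
        print(f"{p:>5} {res[p]}")
    # In the post's office network this would report 21 as reachable outside the documented {80, 443}.
    print("reachable but not in the documented policy:", policy_drift(res, {80, 443}))
```

Run it from inside the network being audited; a port reported as `open` against a host that listens everywhere means the perimeter lets that port out, and `policy_drift()` is the list to raise with whoever owns the firewall rules.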
So we change sshd to listen on port 21.
Edit /etc/ssh/sshd_config
and add:
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
Port 21
Now you can reverse tunnel to port 21. hehe
Thursday, 6 December 2018
Cisco ASA double Pipe inc search example
---- 1st inc DEMO-CUST3
---- 2nd inc xxx.165.13.32
DC1-A1-MASA-01/DEMO# show logging | inc DEMO-CUST3.*xxx.165.13.32
Jun 15 2017 11:06:41 DC1-A1-MASA-01/DEMO : %ASA-7-106100: access-list DEMO-CUST3 permitted udp DEMO-CUST3/xxx.165.15.132(47347) -> DEMO-OUTSIDE/xxx.165.13.32(123) hit-cnt 1 first hit [0xe09ec6e9, 0x0]
DC1-A1-MASA-01/DEMO#
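The same two-pattern filter, plus a parser for the %ASA-7-106100 lines it returns, as an added example (not Cisco's code or the author's). The sample lines are constructed in the same format as the post's line, with documentation addresses instead of the masked ones; the second and third lines and their hash values are invented for the example.

```python
"""Emulate `show logging | inc A.*B` on exported ASA syslog and parse the 106100 hits.
Added example, not Cisco or the author's code. Sample lines are constructed."""
import re
from typing import Dict, List, Optional, Tuple

ASA_SAMPLE = """\
Jun 15 2017 11:06:41 DC1-A1-MASA-01/DEMO : %ASA-7-106100: access-list DEMO-CUST3 permitted udp DEMO-CUST3/192.0.2.132(47347) -> DEMO-OUTSIDE/198.51.100.32(123) hit-cnt 1 first hit [0xe09ec6e9, 0x0]
Jun 15 2017 11:06:42 DC1-A1-MASA-01/DEMO : %ASA-7-106100: access-list DEMO-CUST3 denied tcp DEMO-CUST3/192.0.2.133(51000) -> DEMO-OUTSIDE/198.51.100.40(445) hit-cnt 1 first hit [0x11111111, 0x0]
Jun 15 2017 11:06:43 DC1-A1-MASA-01/DEMO : %ASA-7-106100: access-list DEMO-CUST1 permitted tcp DEMO-CUST1/192.0.2.10(40000) -> DEMO-OUTSIDE/198.51.100.32(443) hit-cnt 3 300-second interval [0x22222222, 0x0]
"""

# 106100 for TCP/UDP: access-list <acl> <action> <proto> <src_if>/<src_ip>(<src_port>) -> <dst_if>/<dst_ip>(<dst_port>) hit-cnt <n>
# (ICMP variants carry type/code instead of ports and are not handled here.)
ASA_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)


def inc_chain(lines: List[str], *patterns: str) -> List[str]:
    """Like the ASA: the arguments are regexes, and `P1.*P2` means P1 somewhere before P2 on the line."""
    combined = re.compile(".*".join(patterns))
    return [line for line in lines if combined.search(line)]


def parse_106100(line: str) -> Optional[Dict[str, object]]:
    m = ASA_106100.search(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    for key in ("src_port", "dst_port", "hits"):
        rec[key] = int(rec[key])
    return rec


def denied_flows(records: List[Dict[str, object]]) -> List[Tuple[str, str, int]]:
    """Denied (src_ip, dst_ip, dst_port) tuples: the part of the log worth alerting on."""
    return [(r["src_ip"], r["dst_ip"], r["dst_port"]) for r in records if r["action"] == "denied"]


if __name__ == "__main__":
    hits = inc_chain(ASA_SAMPLE.splitlines(), "DEMO-CUST3", r"198\.51\.100\.32")
    for h in hits:
        print(parse_106100(h))
```

Note that on the ASA the argument to `inc` is a regular expression, so a dot in an address matches any character: `xxx.165.13.32` also matches `xxx.165.13.320` or `xxx.165.13132`. Escape the dots (`xxx\.165\.13\.32`) or anchor with the closing parenthesis of the port when exactness matters.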
Wednesday, 26 April 2017
Annoying websites that are desperate for money and block you from reading if you have an adblocker
You must have run into this: you install an adblocker such as ABP, and as soon as you open a website a warning pops up saying the adblocker must be disabled, and if you do not disable it you cannot read the site.
Here is the way around it.
If you hit an "AdBlock wall" on a site asking you to disable adblock, right click it and hit "Inspect." You can usually hide or delete the "wall" and see the content.
Wednesday, 23 November 2016
HTTP GET vs HTTPS GET parameter
You are surely used to using telnet www.blabla.com 80 to test a connection, right?
telnet www.routermenhensem.com 80
GET /index.html HTTP/1.1
Host: www.routermenhensem.com
But for SSL / HTTPS the method is different, as follows.
openssl s_client -connect www.routermenhensemlagi.com:443
[watch the ssl certificate details scroll by]
GET /index.html HTTP/1.1
Host: www.routermenhensemlagi.com
PS: on Windows you need to install an OpenSSL client.
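The same exchange as a script, added here as an example and not taken from the post: the request is built exactly as typed into telnet or s_client (request line, mandatory `Host` header, then the blank line that ends the headers), and the TLS variant does what s_client does plus certificate and hostname verification. The host names are placeholders, and the loopback responder exists only so the plain-HTTP path can be run offline.

```python
"""Raw HTTP/1.1 GET over a plain socket (like telnet host 80) and over TLS
(like openssl s_client). Added example, not the blog's code."""
import socket
import ssl
import threading
from typing import List, Optional, Tuple


def build_get_request(host: str, path: str = "/") -> bytes:
    # HTTP/1.1 requires the Host header; the empty line (\r\n\r\n) terminates the headers.
    # 'Connection: close' makes the server hang up after the response, so we can read until EOF.
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def http_get(host: str, path: str = "/", port: int = 80, use_tls: bool = False,
             timeout: float = 10.0) -> Tuple[bytes, Optional[dict]]:
    raw = socket.create_connection((host, port), timeout=timeout)
    cert = None
    if use_tls:
        ctx = ssl.create_default_context()                 # verifies the chain and the hostname
        sock = ctx.wrap_socket(raw, server_hostname=host)  # server_hostname is the SNI, like s_client -servername
        cert = sock.getpeercert()                          # the details that "scroll by" in s_client
    else:
        sock = raw
    with sock:
        sock.sendall(build_get_request(host, path))
        chunks: List[bytes] = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks), cert


def status_line(response: bytes) -> str:
    """First line of the reply, e.g. 'HTTP/1.1 200 OK'."""
    return response.split(b"\r\n", 1)[0].decode("iso-8859-1")


def start_loopback_http_server(body: bytes = b"hello") -> int:
    """Single-shot plain-HTTP responder on 127.0.0.1 (offline self-test only); returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the request is small enough to arrive in one read
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s"
                         % (len(body), body))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder host; any HTTPS site works.
    resp, cert = http_get("www.example.com", "/index.html", port=443, use_tls=True)
    print(status_line(resp))
    print("subject:", cert.get("subject") if cert else None)
```

When the s_client command in the post is used by hand, add `-servername <host>` so the server receives the SNI and presents the right certificate on shared hosts; the script passes it through `server_hostname` for the same reason.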
Thursday, 10 November 2016
An easy way to read the squid proxy log.
You have viewed the squid access log before, right, and could not make head or tail of it, because the time looks like this.
^C[root@mail ~]# tail -f /var/log/squid/access.log
1478738828.951 180 192.168.0.6 TCP_MISS/304 345 GET http://w.usabilla.com/7e10fcc350b2.js? - DIRECT/52.62.87.45 -
1478738844.975 887 192.168.0.6 TCP_MISS/200 770 GET http://graph.facebook.com/? - DIRECT/31.13.74.1 application/json
1478739141.465 0 192.168.0.6 TCP_MISS/400 361 GET http://mail.routermen.tn.my:8080/squid-internal-dynamic/netdb - NONE/- -
1478739153.473 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
1478739453.476 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
1478742753.500 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
1478743053.509 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
1478746353.530 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
1478746653.554 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
1478746768.506 0 192.168.0.6 TCP_MISS/400 361 GET http://mail.routermen.tn.my:8080/squid-internal-dynamic/netdb - NONE/- -
Easy. You only need to use the command below, and the timestamps start to make sense.
[root@mail ~]# tail -f /var/log/squid/access.log | perl -p -e 's/^([0-9]*)/"[".localtime($1)."]"/e'
[Thu Nov 10 08:47:08 2016].951 180 192.168.0.6 TCP_MISS/304 345 GET http://w.usabilla.com/7e10fcc350b2.js? - DIRECT/52.62.87.45 -
[Thu Nov 10 08:47:24 2016].975 887 192.168.0.6 TCP_MISS/200 770 GET http://graph.facebook.com/? - DIRECT/31.13.74.1 application/json
[Thu Nov 10 08:52:21 2016].465 0 192.168.0.6 TCP_MISS/400 361 GET http://mail.routermen.tn.my:8080/squid-internal-dynamic/netdb - NONE/- -
[Thu Nov 10 08:52:33 2016].473 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
[Thu Nov 10 08:57:33 2016].476 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
[Thu Nov 10 09:52:33 2016].500 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
[Thu Nov 10 09:57:33 2016].509 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
[Thu Nov 10 10:52:33 2016].530 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
[Thu Nov 10 10:57:33 2016].554 0 192.168.0.6 TCP_MEM_HIT/200 607 GET http://mail.routermen.tn.my:8080/squid-internal-periodic/store_digest - NONE/- application/cache-digest
[Thu Nov 10 10:59:28 2016].506 0 192.168.0.6 TCP_MISS/400 361 GET http://mail.routermen.tn.my:8080/squid-internal-dynamic/netdb - NONE/- -
You can also use a command like this.
[root@mail ~]# cat /var/log/squid/access.log | perl -p -e 's/^([0-9]*)/"[".localtime($1)."]"/e' | more
[Sun Nov 6 07:26:49 2016].816 3994 192.168.0.17 TCP_MISS/200 3487 CONNECT secure.informaction.com:443 - DIRECT/69.195.158.195 -
[Sun Nov 6 07:26:50 2016].122 293 192.168.0.17 TCP_MISS/000 0 POST http://ocsp.int-x3.letsencrypt.org/ - DIRECT/ocsp.int-x3.letsencrypt.org -
[Sun Nov 6 07:26:50 2016].198 231 192.168.0.17 TCP_MISS/200 952 POST http://ocsp.digicert.com/ - DIRECT/117.18.237.29 application/ocsp-response
[Sun Nov 6 07:26:50 2016].712 596 192.168.0.17 TCP_MISS/200 8356 GET http://api.mywot.com/0.4/update? - DIRECT/54.186.17.145 application/xml
[Sun Nov 6 07:26:51 2016].162 238 192.168.0.17 TCP_MISS/200 8356 GET http://api.mywot.com/0.4/update? - DIRECT/54.186.17.145 application/xml
[Sun Nov 6 07:26:51 2016].172 422 192.168.0.17 TCP_MISS/200 2268 POST http://ocsp2.globalsign.com/gsdomainvalsha2g2 - DIRECT/104.16.24.216 application/ocsp-response
[Sun Nov 6 07:26:53 2016].420 60 192.168.0.17 TCP_MISS/200 952 POST http://ocsp.digicert.com/ - DIRECT/117.18.237.29 application/ocsp-response
[Sun Nov 6 07:26:57 2016].118 353 192.168.0.17 TCP_MISS/200 910 POST http://clients1.google.com/ocsp - DIRECT/216.58.196.46 application/ocsp-response
[Sun Nov 6 07:26:58 2016].254 62 192.168.0.17 TCP_MISS/200 952 POST http://ocsp.digicert.com/ - DIRECT/117.18.237.29 application/ocsp-response
[Sun Nov 6 07:27:03 2016].072 63 192.168.0.17 TCP_MISS/200 952 POST http://ocsp.digicert.com/ - DIRECT/117.18.237.29 application/ocsp-response
[Sun Nov 6 07:27:03 2016].098 15394 192.168.0.17 TCP_MISS/200 4192 CONNECT secure.mywot.com:443 - DIRECT/52.205.103.6 -
[Sun Nov 6 07:27:06 2016].480 235 192.168.0.17 TCP_MISS/200 1125 GET http://api.mywot.com/0.4/query? - DIRECT/54.186.17.145 application/xml
[Sun Nov 6 07:27:06 2016].676 255 192.168.0.17 TCP_MISS/200 17357 CONNECT s.ytimg.com:443 - DIRECT/216.58.196.46 -
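The perl one-liner above rewrites only the timestamp. As an added example (not the post's code), here is the same conversion together with a parser for the rest of Squid's native log line, so the fields can be queried instead of eyeballed. The sample consists of three lines taken from the post plus one constructed CONNECT line; times are rendered in UTC by default (the post's output is local time, MYT, which is why its hours read 08:47 where this prints 00:47).

```python
"""Read Squid's native access.log with human-readable time and structured fields.
Added example; re-implements the post's perl one-liner and goes a little further."""
from datetime import datetime, timezone, tzinfo
from typing import Dict, List, Optional, Tuple

# Three lines from the post plus one constructed CONNECT line (last one).
SAMPLE_LOG = """\
1478738828.951 180 192.168.0.6 TCP_MISS/304 345 GET http://w.usabilla.com/7e10fcc350b2.js? - DIRECT/52.62.87.45 -
1478738844.975 887 192.168.0.6 TCP_MISS/200 770 GET http://graph.facebook.com/? - DIRECT/31.13.74.1 application/json
1478739141.465 0 192.168.0.6 TCP_MISS/400 361 GET http://mail.routermen.tn.my:8080/squid-internal-dynamic/netdb - NONE/- -
1478739200.000 3994 192.168.0.17 TCP_MISS/200 3487 CONNECT secure.informaction.com:443 - DIRECT/69.195.158.195 -
"""

# Squid native format: time elapsed client code/status bytes method URL ident hierarchy/peer type
FIELDS = ("ts", "elapsed_ms", "client", "result", "bytes", "method", "url", "ident", "hierarchy", "mime")


def parse_line(line: str, tz: Optional[tzinfo] = timezone.utc) -> Optional[Dict[str, object]]:
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec: Dict[str, object] = dict(zip(FIELDS, parts))
    epoch = float(rec["ts"])
    rec["time"] = datetime.fromtimestamp(epoch, tz=tz)          # tz=None gives local time, like perl's localtime
    rec["time_str"] = rec["time"].strftime("%Y-%m-%d %H:%M:%S")
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    code, status = rec["result"].split("/", 1)
    rec["cache_code"], rec["status"] = code, int(status)
    return rec


def parse_log(text: str, tz: Optional[tzinfo] = timezone.utc) -> List[Dict[str, object]]:
    return [r for r in (parse_line(l, tz) for l in text.splitlines()) if r]


def to_human(line: str, tz: Optional[tzinfo] = timezone.utc) -> str:
    """Same transformation as the post's perl one-liner: the leading epoch seconds become [ctime-style date]."""
    secs, rest = line.split(".", 1)
    stamp = datetime.fromtimestamp(int(secs), tz=tz).strftime("%a %b %d %H:%M:%S %Y")
    return f"[{stamp}].{rest}"


def connect_destinations(records: List[Dict[str, object]]) -> List[str]:
    """CONNECT tunnels: the proxy only ever sees host:port for these, never what goes through the TLS session."""
    return sorted({r["url"] for r in records if r["method"] == "CONNECT"})


def error_responses(records: List[Dict[str, object]]) -> List[Tuple[str, str, int, str]]:
    return [(r["time_str"], r["client"], r["status"], r["url"]) for r in records if r["status"] >= 400]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(to_human(line, tz=None))    # local time, exactly like the perl version
    recs = parse_log(SAMPLE_LOG)
    print("CONNECT tunnels:", connect_destinations(recs))
    print("errors:", error_responses(recs))
```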
Monday, 1 December 2014
Controlling access to Akamai or DNS round-robin hosts at the firewall with DNS hijacking.
Controlling access to hosts that have more than one IP, for example Akamai with more than 4000 IPs, is very hard. Akamai is a caching service favoured by many big content providers such as YouTube and Facebook to give users in each region fast access, so Akamai cache servers are located all over the place. So when you access youtube.com you are directed to the nearest Akamai cache, or the one with the most optimal load, depending on the algorithm of their DNS system.
But if you are a security engineer tasked with controlling access to websites like these, it is very hard to block some users and then allow other users at the firewall, because the Akamai cache IPs keep changing as explained above.
This is where we use DNS hijacking to make sure the host we want will only ever resolve to a single IP.
First, add this to named.conf:
zone "youtube.com" IN {
type master;
file "COMMON/db.youtube.com";
};
and the zone file /var/named/COMMON/db.youtube.com:
$TTL 86400 ; 24 hours could have been written as 24h or 1d
; $TTL used for all RRs without explicit TTL value
$ORIGIN youtube.com.
@ 1D IN SOA ns1.youtube.com. hostmaster.youtube.com. (
200203 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; minimum
)
IN NS ns1.youtube.com. ; in the domain
; server host definitions
ns1 IN A 127.0.0.1 ;name server definition
www IN A 74.125.135.91 ;web server definition
Then restart named and check the log for errors. Make sure the serial numbers are not the same across the zone files.
After that, we test it first:
# dig @127.0.0.1 www.youtube.com
; <<>> DiG 9.9.4-P1-RedHat-9.9.4-r4 <<>> @127.0.0.1 www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46803
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.youtube.com. IN A
;; ANSWER SECTION:
www.youtube.com. 86400 IN A 74.125.135.91
;; AUTHORITY SECTION:
youtube.com. 86400 IN NS ns1.youtube.com.
;; ADDITIONAL SECTION:
ns1.youtube.com. 86400 IN A 127.0.0.1
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 01 12:15:04 MYT 2014
;; MSG SIZE  rcvd: 94
Next we need to redirect DNS requests from the LAN to the named running on the firewall itself.
[ tembokapi root@tembokapi ~]# iptables -L LAN-NET -v
7367 490K REDIRECT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Now you can block or allow users to port 443 of youtube.com easily.
However, for Android users it turns out that smartphones use a different DNS to reach YouTube when using the YouTube app.
So we add more to our zone files:
cat /etc/named.conf
zone "googlevideo.com" IN {
type master;
file "COMMON/db.googlevideo.com";
};
and the zone file /var/named/COMMON/db.googlevideo.com:
# more /var/named/COMMON/db.googlevideo.com
$TTL 86400 ; 24 hours could have been written as 24h or 1d
; $TTL used for all RRs without explicit TTL value
$ORIGIN googlevideo.com.
@ 1D IN SOA ns1.google.com. hostmaster.googlevideo.com. (
200203 ; serial
3H ; refresh
15 ; retry
1w ; expire
3h ; minimum
)
IN NS ns1.google.com. ; in the domain
; server host definitions
ns1 IN A 127.0.0.1 ;name server definition
* IN A 74.125.135.91 ;web server definition
We use * as a wildcard, so that every URL that
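To show what the two override zones actually answer, including the wildcard in the googlevideo.com zone, here is an added example (not BIND's code or the author's): a tiny zone reader that pulls the A records out of zone text modelled on the two files above and resolves names against them with simplified wildcard matching. Names that belong to neither zone return None, which stands for "named recurses to the real Internet for this one".

```python
"""Zone lookup with wildcard matching: what the post's override zones answer.
Added illustration, not BIND. Zone texts are modelled on the two files in the post."""
import re
from typing import Dict, List, Optional

YOUTUBE_ZONE = """\
$TTL 86400 ; 24 hours
$ORIGIN youtube.com.
@ 1D IN SOA ns1.youtube.com. hostmaster.youtube.com. (
        200203 ; serial
        3H ; refresh
        15 ; retry
        1w ; expire
        3h ; minimum
        )
  IN NS ns1.youtube.com.
ns1 IN A 127.0.0.1 ;name server definition
www IN A 74.125.135.91 ;web server definition
"""

GOOGLEVIDEO_ZONE = """\
$TTL 86400
$ORIGIN googlevideo.com.
@ 1D IN SOA ns1.google.com. hostmaster.googlevideo.com. (
        200203 ; serial
        3H ; refresh
        15 ; retry
        1w ; expire
        3h ; minimum
        )
  IN NS ns1.google.com.
ns1 IN A 127.0.0.1
* IN A 74.125.135.91
"""

# owner [ttl] IN A address   (SOA/NS lines and indented continuation lines do not match)
A_RECORD = re.compile(r"^(\S+)\s+(?:\S+\s+)?IN\s+A\s+(\d+\.\d+\.\d+\.\d+)")


class Zone:
    def __init__(self, text: str) -> None:
        self.origin = ""
        self.a_records: Dict[str, str] = {}
        for raw in text.splitlines():
            line = raw.split(";", 1)[0].rstrip()      # drop ; comments
            if not line:
                continue
            if line.startswith("$ORIGIN"):
                self.origin = line.split()[1].rstrip(".").lower()
                continue
            m = A_RECORD.match(line)
            if m:
                self.a_records[m.group(1).lower()] = m.group(2)

    def contains(self, name: str) -> bool:
        return name == self.origin or name.endswith("." + self.origin)

    def lookup(self, fqdn: str) -> Optional[str]:
        name = fqdn.rstrip(".").lower()
        if not self.contains(name):
            return None
        rel = "@" if name == self.origin else name[: -len(self.origin) - 1]
        if rel in self.a_records:
            return self.a_records[rel]
        # Simplified BIND wildcard: '*' answers for any name below the origin with no exact record.
        # (Real BIND also refuses to wildcard below an existing name such as ns1.)
        return self.a_records.get("*") if rel != "@" else None


def resolve(zones: List[Zone], fqdn: str) -> Optional[str]:
    """Answer from the first zone that owns the name; None means 'not ours, recurse upstream'."""
    name = fqdn.rstrip(".").lower()
    for z in zones:
        if z.contains(name):
            return z.lookup(name)
    return None


if __name__ == "__main__":
    zones = [Zone(YOUTUBE_ZONE), Zone(GOOGLEVIDEO_ZONE)]
    for q in ("www.youtube.com", "m.youtube.com", "r3---sn-abc.googlevideo.com", "www.example.com"):
        print(f"{q:32} -> {resolve(zones, q)}")
```

Two things the lookup makes visible: the youtube.com zone pins only `www`, so any other label under it (say `m.youtube.com`) gets no answer from the override zone, whereas the wildcard in googlevideo.com pins every label. The whole scheme also depends on the iptables REDIRECT above catching the client's resolver traffic; it matches UDP/53 only, so clients that use TCP/53 or DNS over HTTPS/TLS still receive the real, changing addresses and bypass the firewall rule.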
Friday, 28 November 2014
When a server goes on a rampage
Recently a friend of mine was fed up: his server kept hammering out to the internet, to the point that even Google DNS was being hammered. He wanted a quick workaround while he figured out the cause. Since the server is in production, I remembered iptables burst limiting. The flood was over UDP. At first I tried blocking on packet length, since every packet was the same size, but that did not work either. So: limit 50 packets per second, burst 5.
Here are the rules:
iptables -N udp-flood
iptables -A OUTPUT -p udp -j udp-flood
iptables -A udp-flood -p udp -m limit --limit 50/s -j RETURN
iptables -A udp-flood -j LOG --log-level 4 --log-prefix 'UDP-flood attempt: '
iptables -A udp-flood -j DROP
Alhamdulillah, the workaround managed to curb the attack going out to the internet.
[root@esm_database /]# iptables -L udp-flood -vn
Chain udp-flood (1 references)
pkts bytes target prot opt in out source destination
28495 29M RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 50/sec burst 5
140M 142G DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root@esm_database /]#
142GB in under 3 minutes. *my head is spinning*
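Why the listing says `limit: avg 50/sec burst 5`, and why almost everything ends up in the DROP counter: `-m limit` is a token bucket. The model below is an added example, not netfilter's code; it uses integer "millitokens" so the arithmetic is exact, and the arrival times are constructed to show the three cases that matter (a burst at one instant, a stream at exactly the limit, a stream at twice the limit).

```python
"""Token-bucket model of iptables `-m limit --limit 50/s` with the default --limit-burst 5.
Added illustration of the post's rule set, not netfilter's implementation."""
from typing import Iterable, Tuple


class LimitMatch:
    """Each matching packet costs one token. The bucket holds at most `burst` tokens,
    starts full, and refills at `rate_per_sec` tokens per second."""

    def __init__(self, rate_per_sec: int = 50, burst: int = 5) -> None:
        self.rate = rate_per_sec          # tokens/second == millitokens/millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity       # full bucket: the first `burst` packets always match
        self.last_ms = None

    def matches(self, now_ms: int) -> bool:
        if self.last_ms is not None:
            self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True                   # rule matches -> -j RETURN, packet leaves the chain and is sent
        return False                      # no match -> falls through to LOG and then DROP


def simulate(arrival_ms: Iterable[int], rate_per_sec: int = 50, burst: int = 5) -> Tuple[int, int]:
    """Return (passed, dropped) for packets arriving at the given millisecond timestamps."""
    lm = LimitMatch(rate_per_sec, burst)
    passed = dropped = 0
    for t in arrival_ms:
        if lm.matches(t):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


if __name__ == "__main__":
    print("1000 packets in one instant:", simulate([0] * 1000))          # only the burst gets out
    print("100 packets at exactly 50/s:", simulate(range(0, 2000, 20)))  # all pass
    print("100 packets at 100/s:       ", simulate(range(0, 1000, 10)))  # about half dropped
    print("5, then idle 1 s, then 5:   ", simulate([0] * 5 + [1000] * 5))  # bucket refilled
```

One practical follow-up to the rules above: the LOG rule sits before DROP with no limit of its own, so every one of the 140M dropped packets also produced a kernel log line. Give the LOG rule its own `-m limit` (for example `--limit 5/min`) so a flood cannot drown syslog while the workaround is in place.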