Potentially Unsafe 2WIRE and Clear 4G Modems

Your modem is probably not safe. 

This was just something I ran across while scanning my own servers. I own an AT&T 2WIRE gateway/modem/router and a wireless Clear 4G modem for mobile use. I have seen some questions regarding the open ports on forums, so I thought I would dig deeper and provide a detailed analysis. AT&T customers using the standard 2WIRE modem/router will find that port 443 (HTTPS) is open by default on the modem (to the internet) despite not being added in any port forwarding rule. I found no option or setting in the firmware to modify this or close the port.

Scanning a /24 subnet, I was able to discover port 443 open on 55 different hosts. Extensive testing was done on my own device using default firmware. IP addresses are withheld.

2WIRE

FYI: In these instances I'm using the Nmap flag -sV to determine service and version info, --script=banner to grab additional banner information from the service, --open (handy for only returning hosts with the port open), and -p for the port number.

nmap -sV --script=banner --open xx.xx.xx.1/24 -p 443

Nmap scan report for x-x-x-4.lightspeed.hstntx.sbcglobal.net (x.x.x.4)
Host is up (0.041s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http mini_httpd 1.19 19dec2003

Nmap scan report for x-x-x-5.lightspeed.hstntx.sbcglobal.net (x.x.x.5)
Host is up (0.0077s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http mini_httpd 1.19 19dec2003

Nmap scan report for x-x-x-41.lightspeed.hstntx.sbcglobal.net (x.x.x.41)
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http mini_httpd 1.19 19dec2003

All hosts appear to be running Mini_httpd 1.19, which is the latest and LAST version of the software. Several vulnerabilities are available for version 1.19.
Vulnerability Summary for CVE-2009-4490: Mini_httpd 1.19 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Sources
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4490
http://www.ush.it/team/ush/hack_httpd_escape/adv.txt

  • The host returned nothing when accessed via a web browser: “Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data.” Several of the hosts (not all of them) returned a 501 Not Implemented response code with additional data in the Nmap scan, indicating the web server does not understand or support the methods being sent to it.
  • Definition : “This error should be very rare in any Web browser. It is more likely if the client is not a Web browser – particularly if the Web server is old. In either case if the client has specified a valid request type, then the Web server is either responding incorrectly or simply needs to be upgraded.”

Host is up (0.080s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/sip mini_httpd/1.19/bhoc 23sep2004 (Status: 501 Not Implemented)
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port443-TCP:V=5.21%T=SSL%I=7%D=7/10%Time=51DDF5B6%P=x86_64-unknown-linux-gnu
SF:%r(GenericLines,1EA,"\(null\)\x20400\x20Bad\x20Request\r\nServer:\x20m
SF:ini_httpd/1\.19/bhoc\x2023sep2004\r\nDate:\x20Wed,\x2010\x20Jul\x202013
SF:\x2023:59:52\x20GMT\r\nCache-Control:\x20no-cache,no-store\r\nContent-T
SF:ype:\x20text/html;\x20charset=UTF-8\r\nConnection:\x20close\r\n\r\n<HTM
SF:L>\n<HEAD><TITLE>400\x20Bad\x20Request</TITLE></HEAD>\n<BODY\x20BGCOLOR
SF:=\"#cc9999\"\x20TEXT=\"#000000\"\x20LINK=\"#2020ff\"\x20VLINK=\"#4040cc
SF:\">\n<H4>400\x20Bad\x20Request</H4>\nCan't\x20parse\x20request\.\n<HR>\
SF:n<ADDRESS><A\x20HREF=\"http://www\.acme\.com/software/mini_httpd/\">min
SF:i_httpd/1\.19/bhoc\x2023sep2004</A></ADDRESS>\n</BODY>\n</HTML>\n")%r(H
SF:TTPOptions,203,"HTTP/1\.0\x20501\x20Not\x20Implemented\r\nServer:\x20mi
SF:ni_httpd/1\.19/bhoc\x2023sep2004\r\nDate:\x20Wed,\x2010\x20Jul\x202013\
SF:x2023:59:52\x20GMT\r\nCache-Control:\x20no-cache,no-store\r\nContent-Ty
SF:pe:\x20text/html;\x20charset=UTF-8\r\nConnection:\x20close\r\n\r\n<HTML
SF:>\n<HEAD><TITLE>501\x20Not\x20Implemented</TITLE></HEAD>\n<BODY\x20BGCO
SF:LOR=\"#cc9999\"\x20TEXT=\"#000000\"\x20LINK=\"#2020ff\"\x20VLINK=\"#404
SF:0cc\">\n<H4>501\x20Not\x20Implemented</H4>\nThat\x20method\x20is\x20not
SF:\x20implemented\.\n<HR>\n<ADDRESS><A\x20HREF=\"http://www\.acme\.com/so
SF:ftware/mini_httpd/\">mini_httpd/1\.19/bhoc\x2023sep2004</A></ADDRESS>\n
SF:</BODY>\n</HTML>\n")%r(RTSPRequest,203,"RTSP/1\.0\x20501\x20Not\x20Impl
SF:emented\r\nServer:\x20mini_httpd/1\.19/bhoc\x2023sep2004\r\nDate:\x20We
SF:d,\x2010\x20Jul\x202013\x2023:59:52\x20GMT\r\nCache-Control:\x20no-cach
SF:e,no-store\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nConnectio
SF:n:\x20close\r\n\r\n<HTML>\n<HEAD><TITLE>501\x20Not\x20Implemented</TITL
SF:E></HEAD>\n<BODY\x20BGCOLOR=\"#cc9999\"\x20TEXT=\"#000000\"\x20LINK=\"#
SF:2020ff\"\x20VLINK=\"#4040cc\">\n<H4>501\x20Not\x20Implemented</H4>\nTha
SF:t\x20method\x20is\x20not\x20implemented\.\n<HR>\n<ADDRESS><A\x20HREF=\"
SF:http://www\.acme\.com/software/mini_httpd/\">mini_httpd/1\.19/bhoc\x202
SF:3sep2004</A></ADDRESS>\n</BODY>\n</HTML>\n")%r(SIPOptions,202,"SIP/2\.0
SF:\x20501\x20Not\x20Implemented\r\nServer:\x20mini_httpd/1\.19/bhoc\x2023
SF:sep2004\r\nDate:\x20Thu,\x2011\x20Jul\x202013\x2000:00:42\x20GMT\r\nCac
SF:he-Control:\x20no-cache,no-store\r\nContent-Type:\x20text/html;\x20char
SF:set=UTF-8\r\nConnection:\x20close\r\n\r\n<HTML>\n<HEAD><TITLE>501\x20No
SF:t\x20Implemented</TITLE></HEAD>\n<BODY\x20BGCOLOR=\"#cc9999\"\x20TEXT=\
SF:"#000000\"\x20LINK=\"#2020ff\"\x20VLINK=\"#4040cc\">\n<H4>501\x20Not\x2
SF:0Implemented</H4>\nThat\x20method\x20is\x20not\x20implemented\.\n<HR>\n
SF:<ADDRESS><A\x20HREF=\"http://www\.acme\.com/software/mini_httpd/\">mini
SF:_httpd/1\.19/bhoc\x2023sep2004</A></ADDRESS>\n</BODY>\n</HTML>\n");

The vulnerability scan returned 8 Medium vulnerabilities and 2 Low, all for port 443 (HTTPS).

Vulnerabilities By Plugin
15901 (1) – SSL Certificate Expiry
20007 (1) – SSL Version 2 (v2) Protocol Detection
26928 (1) – SSL Weak Cipher Suites Supported
42873 (1) – SSL Medium Strength Cipher Suites Supported
51192 (1) – SSL Certificate Cannot Be Trusted
57582 (1) – SSL Self-Signed Certificate
42880 (1) – SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
65821 (1) – SSL RC4 Cipher Suites Supported
11219 (2) – Nessus SYN scanner
22964 (2) – Service Detection
10107 (1) – HTTP Server Type and Version
10287 (1) – Traceroute Information
10863 (1) – SSL Certificate Information
11936 (1) – OS Identification
12053 (1) – Host Fully Qualified Domain Name (FQDN) Resolution
19506 (1) – Nessus Scan Information
21643 (1) – SSL Cipher Suites Supported
24260 (1) – HyperText Transfer Protocol (HTTP) Information
25220 (1) – TCP/IP Timestamps Supported
31422 (1) – Reverse NAT/Intercepting Proxy Detection
45590 (1) – Common Platform Enumeration (CPE)
50845 (1) – OpenSSL Detection
54615 (1) – Device Type
56984 (1) – SSL / TLS Versions Supported
62563 (1) – SSL Compression Methods Supported

***************************************************************************************************************

Port 3479/tcp is also commonly found to be open. It may be used for several services including Remote Procedure Call and trojans.

“The 2Wire protocol associated with the system port 3749 is described as a modified XML based RPC which allows HomePortal devices to create a communication link with the datacenter. This communication foundation is used for receiving of contents, updates and programming of related devices. This protocol intends to mitigate communication issues that may hamper effective transmission interface. ”

nmap -sV --script=banner --open xx.xx.xx.6 -p 3479

3479/tcp open unknown
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3479-TCP:V=5.21%I=7%D=7/10%Time=51DDF5B0%P=x86_64-unknown-linux-gnu
SF:%r(GetRequest,CD,"HTTP/1\.0\x20404\x20Not\x20Found\r\nServer:\x202Wire\
SF:x20TR-069\r\nContent-Length:\x200\r\nAllow:\x20GET\r\nWWW-Authenticate:
SF:\x20d=10\x20\x20\x20set_mask=0x4101fe97\x20\x20\x20handle_evt=0x40a0448
SF:d\r\nDate:\x20Wed,\x2010\x20Jul\x202013\x2023:59:45\x20GMT\r\nConnectio
SF:n:\x20Close\r\n\r\n")%r(FourOhFourRequest,CD,"HTTP/1\.0\x20404\x20Not\x
SF:20Found\r\nServer:\x202Wire\x20TR-069\r\nContent-Length:\x200\r\nAllow:
SF:\x20GET\r\nWWW-Authenticate:\x20d=10\x20\x20\x20set_mask=0x4101fe97\x20
SF:\x20\x20handle_evt=0x40a0448d\r\nDate:\x20Thu,\x2011\x20Jul\x202013\x20
SF:00:00:18\x20GMT\r\nConnection:\x20Close\r\n\r\n");

The vulnerability scan results report the remote web server type as 2Wire TR-069 and the remote operating system as Linux Kernel 2.4 or Linux Kernel 2.6. From the results we are able to obtain the type of modem in use (‘2WIRE’), the architecture (‘x86_64-unknown-linux-gnu’), and the remote time (‘Date:\x20Thu,\x2011\x20Jul\x202013\x2000:00:18\x20GMT’).
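As an added example (not code from the original post), here is a small Python parser for the Nmap service-fingerprint blocks quoted above: it reassembles the SF: continuation lines, decodes the \xHH escapes, and pulls the status line and headers out of each probe response, so the server banner and date that the text reads off by hand come out mechanically. The sample is the port 3479 fingerprint from this post; one caveat worth knowing when reading these blocks is that the P= field records the platform Nmap itself was built on, not the scanned device.

```python
import re
from datetime import datetime, timezone

# The port 3479 fingerprint quoted in the post above (raw string: backslashes stay literal).
SAMPLE_FINGERPRINT = r"""
SF-Port3479-TCP:V=5.21%I=7%D=7/10%Time=51DDF5B0%P=x86_64-unknown-linux-gnu
SF:%r(GetRequest,CD,"HTTP/1\.0\x20404\x20Not\x20Found\r\nServer:\x202Wire\
SF:x20TR-069\r\nContent-Length:\x200\r\nAllow:\x20GET\r\nWWW-Authenticate:
SF:\x20d=10\x20\x20\x20set_mask=0x4101fe97\x20\x20\x20handle_evt=0x40a0448
SF:d\r\nDate:\x20Wed,\x2010\x20Jul\x202013\x2023:59:45\x20GMT\r\nConnectio
SF:n:\x20Close\r\n\r\n")%r(FourOhFourRequest,CD,"HTTP/1\.0\x20404\x20Not\x
SF:20Found\r\nServer:\x202Wire\x20TR-069\r\nContent-Length:\x200\r\nAllow:
SF:\x20GET\r\nWWW-Authenticate:\x20d=10\x20\x20\x20set_mask=0x4101fe97\x20
SF:\x20\x20handle_evt=0x40a0448d\r\nDate:\x20Thu,\x2011\x20Jul\x202013\x20
SF:00:00:18\x20GMT\r\nConnection:\x20Close\r\n\r\n");
"""

HEADER_RE = re.compile(r"SF-Port(\d+)-(\w+):")
# %r(ProbeName,<hex length>,"<escaped response>")
PROBE_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:\\.|[^"\\])*)"\)')
SIMPLE_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}


def join_sf_lines(text):
    """Strip the SF-Port...: / SF: prefixes and glue the wrapped lines back together."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SF-Port"):
            parts.append(line.split(":", 1)[1])
        elif line.startswith("SF:"):
            parts.append(line[3:])
    return "".join(parts)


def decode_sf_string(raw):
    """Undo Nmap's escaping: \\xHH bytes, \\r \\n \\t, and backslash-quoted metacharacters such as \\. ."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        nxt = raw[i + 1]
        if nxt == "x":
            out.append(chr(int(raw[i + 2:i + 4], 16)))
            i += 4
        elif nxt in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[nxt])
            i += 2
        else:                      # \. \( \" \\ : the character itself
            out.append(nxt)
            i += 2
    return "".join(out)


def parse_http_response(text):
    """Split an HTTP-style response into status line, header dict and body."""
    head, _, body = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers, body


def parse_fingerprint(text):
    joined = join_sf_lines(text)
    port, proto = HEADER_RE.search(text).groups()
    # Fields before the first %r( describe the scan: V = Nmap version, Time = hex epoch,
    # P = platform Nmap was compiled for (the scanner, not the target).
    meta = dict(kv.split("=", 1) for kv in joined.split("%r(", 1)[0].split("%") if "=" in kv)
    probes = {}
    for name, hexlen, raw in PROBE_RE.findall(joined):
        decoded = decode_sf_string(raw)
        status, headers, body = parse_http_response(decoded)
        probes[name] = {
            "status": status,
            "headers": headers,
            "body": body,
            # the hex length field is the byte count of the decoded response
            "length_ok": len(decoded) == int(hexlen, 16),
        }
    return {
        "port": int(port),
        "proto": proto,
        "scan_time": datetime.fromtimestamp(int(meta["Time"], 16), timezone.utc),
        "nmap_version": meta.get("V"),
        "nmap_platform": meta.get("P"),
        "probes": probes,
    }


if __name__ == "__main__":
    fp = parse_fingerprint(SAMPLE_FINGERPRINT)
    for name, probe in fp["probes"].items():
        print(f'{name}: {probe["status"]} / Server: {probe["headers"].get("Server")}')
```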

***************************************************************************************************************

Clear 4G

Clear 4G customers were also found to have port 53 (DNS) and sometimes 49152 and 49154 open. If there were a DNS server running, this would be acceptable. Again, there is no option to close this port. The only DNS option in the firmware is to enable OpenDNS, which does not require you to run a DNS server.

nmap -sV --script=banner --open -p 53 x.x.x.1/24

Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-10 18:12 CDT
NSE: Script Scanning completed.

Nmap scan report for x-x-x-13.hou.clearwire-wmx.net (x.x.x.13)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped

Nmap scan report for x-x-x-19.hou.clearwire-wmx.net (x.x.x.19)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped

Nmap scan report for x-x-x-24.hou.clearwire-wmx.net (x.x.x.24)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped

Port 53 appears to be open on all of the live hosts, indicating it's open on every modem, while 49152 and 49154 are open less often and sometimes both open on the same host. Not really a big deal.

Port 49154 – Xsan Filesystem Access  http://www.speedguide.net/port.php?port=49154
Port 49152 – uTorrent, and Azureus/Vuze p2p torrent clients often use this port.  http://www.speedguide.net/port.php?port=49152

Conclusion? These modems are shipping with firmware that discloses system information and possibly runs vulnerable software. I'm testing a few things, such as the Mini_httpd vulnerabilities, against the 2WIRE, and will throw a few other things at both the Clear 4G and AT&T modems to see if direct access is obtainable. Several local vulnerabilities and authentication bypasses are available for these modems; however, remote access is what it's all about. I will update this post with results when I have time. Additional information and comments are welcome. My only suggestion is, if you are truly paranoid, use your own router and set the gateway/modem to bridged mode.

Windows 10 telemetry network traffic analysis, part 1 (CheesusCrust)

This is from CheesusCrust on voat.co. I thought this needed to be mirrored before Google removed the cached copy. Here is the original thread in which the posting comment has been deleted. 

Windows 10 telemetry network traffic analysis, part 1: (v/technology)

submitted 7 days ago by CheesusCrust

Like many of you, I am concerned about the telemetry, spying and other surveillance features, known or unknown, of Windows 10. It has concerned me enough to push me to Linux Mint as my main operating system. Even so, I wanted to better understand Windows 10, but internet search results for a decent windows 10 traffic analysis leave a lot to be desired. As such, I decided to do my own investigating on what, exactly, Windows 10 is doing traffic-wise, and post the results. For this analysis, I wanted to simply analyse the network traffic of Windows 10 on a clean install, and just let it sit and run without using it.

What I have done for this analysis:

  1. I have installed DD-WRT on a router connected to the internet and configured remote logging to the Linux Mint laptop in #2.
  2. I have installed Linux Mint on a laptop, and setup rsyslog to accept remote logging from the DD-WRT router.
  3. I have installed Virtualbox on the Linux Mint laptop, and installed Windows 10 Enterprise on Virtualbox. I have chosen the customized installation option where I disabled three pages of tracking options.
  4. I have configured the DD-WRT router to drop and log all connection attempts via iptables through the DD-WRT router by Windows 10 Enterprise.
  5. Aside from installing Windows 10 Enterprise, and verifying the internet connection through ipconfig and ping yahoo.com, I have not used the Windows 10 installation at all (the basis for the first part of this analysis).
  6. Let Windows 10 Enterprise run overnight for about 8 hours (while I slept).
  7. I use Perl to parse the data out of syslog files and insert said data into a MySQL database.
  8. I use Perl to obtain route data from whois.radb.net, as well as nslookup PTR data, and insert that into the MySQL database.
  9. Lastly, I query and format the data for analyzing.

Here is the roughly 8-hour network traffic analysis of 5508 connection attempts of an unused, base install of Windows 10 Enterprise (NOTE: I did not remove any 192.168.1.x home network IP addresses from the analysis):

Individual connection attempts by IP address, port, and protocol:

select distinct(ip_address),port,protocol,count(ip_address) as attempts from rejected_connections group by ip_address order by attempts desc;


CheesusCrust [S] 57 points (+58|-1) 7 days ago

Extended data for each distinct connection attempt:

select distinct(t1.ip_address),nslookup,port,protocol,connection_attempts,route,origin,description from (select distinct(ip_address) as ip_address,port,protocol,count(ip_address) as connection_attempts from rejected_connections group by ip_address order by connection_attempts desc ) as t1 join (select distinct(ip_address) as ip_address,nslookup,route,origin,description from routing_data group by ip_address) as t2 where t1.ip_address=t2.ip_address order by connection_attempts desc;


I plan on letting this setup run as is for a while longer (hours? days? weeks?) to get a more complete snapshot of connection attempts before I move on to further analysis of Windows 10.
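Steps 7 to 9 of the procedure above, as an added Python example that is not the poster's Perl: it parses netfilter LOG lines of the kind a DD-WRT router forwards over syslog, counts attempts per destination, port and protocol like the first query, and annotates each destination with its route and origin AS like the second. The syslog lines are constructed for the example (the DROP log prefix, the br0/vlan2 interface names and the 192.168.1.110 VM address are assumptions); the route prefixes come from the post's own output.

```python
import ipaddress
import re
from collections import Counter

# Constructed syslog lines in the netfilter LOG format. "DROP" as the log prefix,
# the interface names and the VM address 192.168.1.110 are assumptions; the
# destinations are taken from the post's tables. The last line is not a kernel
# log line at all and must be ignored.
SAMPLE_SYSLOG = """\
Jul 10 23:58:01 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.110 DST=94.245.121.253 LEN=61 TTL=127 ID=1 PROTO=UDP SPT=62000 DPT=3544 LEN=41
Jul 10 23:58:02 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.110 DST=94.245.121.253 LEN=61 TTL=127 ID=2 PROTO=UDP SPT=62000 DPT=3544 LEN=41
Jul 10 23:58:05 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.110 DST=65.55.44.108 LEN=52 TTL=127 ID=3 DF PROTO=TCP SPT=49731 DPT=443 WINDOW=8192 SYN
Jul 10 23:58:06 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.110 DST=65.55.44.108 LEN=52 TTL=127 ID=4 DF PROTO=TCP SPT=49732 DPT=443 WINDOW=8192 SYN
Jul 10 23:58:07 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.110 DST=94.245.121.253 LEN=61 TTL=127 ID=5 PROTO=UDP SPT=62000 DPT=3544 LEN=41
Jul 10 23:58:09 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.110 DST=23.74.8.99 LEN=84 TTL=127 ID=6 PROTO=ICMP TYPE=8 CODE=0
Jul 10 23:58:10 DD-WRT kernel: DROP IN=br0 OUT=vlan2 SRC=192.168.1.50 DST=65.55.44.108 LEN=52 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 SYN
Jul 10 23:58:11 DD-WRT dnsmasq[123]: started, version 2.66 cachesize 150
"""

# SRC/DST/PROTO are always present; DPT only for TCP/UDP (ICMP has no ports).
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)


def parse_rejected(lines, src_filter=None, log_prefix="DROP "):
    """Count dropped connection attempts per (destination, port, protocol).

    src_filter restricts the count to one source address (the Windows VM), since
    the router logs everything it drops, not only the machine under study."""
    counts = Counter()
    for line in lines:
        if log_prefix not in line:
            continue
        m = LOG_RE.search(line)
        if not m or (src_filter and m.group("src") != src_filter):
            continue
        dpt = int(m.group("dpt")) if m.group("dpt") else 0  # 0 marks "no port" (ICMP)
        counts[(m.group("dst"), dpt, m.group("proto"))] += 1
    return counts


def attempts_by_destination(counts):
    """Same ordering as the post's first query: most attempts first."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Route data as the post pulled it from whois.radb.net: (prefix, origin AS, description).
ROUTES = [
    ("94.245.64.0/18", "AS8075", "MICROSOFT"),
    ("65.52.0.0/14", "AS8075", "MICROSOFT"),
    ("23.74.8.0/23", "AS20940", "Akamai Technologies"),
]
ROUTE_TABLE = [(ipaddress.ip_network(p), o, d) for p, o, d in ROUTES]


def lookup_route(ip):
    """Longest-prefix match of an address against the route table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, origin, desc in ROUTE_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin, desc)
    return (str(best[0]), best[1], best[2]) if best else None


def enriched_report(lines, src_filter=None):
    """Rows shaped like the post's second query: counts joined with route data."""
    rows = []
    for (dst, dpt, proto), n in attempts_by_destination(parse_rejected(lines, src_filter)):
        route = lookup_route(dst) or ("?", "?", "?")
        rows.append({"ip_address": dst, "port": dpt, "protocol": proto,
                     "connection_attempts": n, "route": route[0],
                     "origin": route[1], "description": route[2]})
    return rows


if __name__ == "__main__":
    for row in enriched_report(SAMPLE_SYSLOG.splitlines(), src_filter="192.168.1.110"):
        print(row)
```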

Large botnet on 85.17.139.12

Large botnet running on 85.17.139.12 irc.private-life.biz (Leaseweb)
A /list shows one room. This room had 2,300 users in it at one point. Also in use are #attackroom1, #attackroom2 and #attackroom3.
Looks to be the Athena bot. http://www.secret-zone.net/f122/athena-irc-bot-v2-3-5-cracked-enraged-5895/

The botmaster, using a VPN service in Ukraine:
madd3@rox-90564AD2.sat.poltava.ua
* [madd3] (madd3@private-life.biz): John Smith
* [madd3] #chatroom
* [madd3] irc.private-life.biz :Life Server
* [madd3] is a Network Administrator
* [madd3] is available for help.
* [madd3] idle 00:00:28, signon: Tue Sep 17 15:58:59
* [madd3] End of WHOIS list.

Sites being attacked :
https://just-dice.com/
http://blockchain.info
50.23.224.106 (sendgrid.com)
198.12.13.21 Voice.chati.us
[There were some other financial sites being attacked earlier as well]

Output from IRC Server
==========================================================
*** Looking up your hostname…
* *** Found your hostname
* Welcome to the ROXnet IRC Network user!user@nop.nop.vpn
* Your host is irc.private-life.biz, running version Unreal3.2.10.1
* This server was created Thu Aug 15 2013 at 05:06:01 CEST
* irc.private-life.biz Unreal3.2.10.1 iowghraAsORTVSxNCWqBzvdHtGpI lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ
* UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
* WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,qjncrRa ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
* EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS :are supported by this server
* There are 1 users and 460 invisible on 1 servers
* 1 :operator(s) online
* 10 :unknown connection(s)
* 2 :channels formed
* I have 461 clients and 0 servers
* 461 20000 :Current local users 461, max 20000
* 461 2923 :Current global users 461, max 2923
==========================================================

Channel Users Topic
#chatroom 496 [+sntVCT]

DNSCrypt Install on Ubuntu 12.04

For Windows, DNSCrypt is a simple install from an executable file. For Linux, not so much. This guide is for installing DNSCrypt on Ubuntu 12.04 (x86_64).

I found several sets of instructions for getting this software working properly, none of them bulletproof. I pieced together parts from different instructions and came up with the simplest solution possible.

First off, download the dnscrypt-proxy tarball from http://download.dnscrypt.org/dnscrypt-proxy/ . I found version 1.3.0 to work better, as I had some issues installing 1.3.1.

You will probably need the libsodium package too, which can be downloaded from https://download.libsodium.org/libsodium/releases/ . The latest version should work fine, and it will be installed first.

I also recommend installing the build-essential package in case you're missing compilers.

sudo apt-get install build-essential

Untar the libsodium package and install it. Run configure and make as your own user; only the install step needs root, and ldconfig afterwards refreshes the shared-library cache so that dnscrypt-proxy can find the freshly installed libsodium.

tar -xvzf libsodium-0.4.2.tar.gz

cd libsodium-libsodium-0.4.2

./configure

make && sudo make install

sudo ldconfig

Do the same for the dnscrypt package

tar -xvzf dnscrypt-proxy-1.3.0.tar.gz

cd dnscrypt-proxy-1.3.0

./configure

make

sudo make install

You will need to make some changes to your DNS settings in the Connection Manager. Open it and choose Edit Connections. Find your connection (Wired/Wireless) and go to the IPv4 Settings tab. Change the method to ‘Automatic (DHCP) addresses only’ and enter the IP 127.0.0.2 in the DNS Servers box. In Ubuntu 12.04, a local DNS cache is already running on 127.0.0.1, so .2 is required.

In a terminal, issue the command below. The --user option drops privileges to that account once the proxy has started, so the dnscrypt user has to exist; if it does not, create it first with sudo useradd -r -s /bin/false dnscrypt.

sudo dnscrypt-proxy -a 127.0.0.2 --edns-payload-size=4096 --pidfile=/run/dnscrypt-proxy.pid --user=dnscrypt

If successful, you should see something similar to the following. I'm using OpenDNS through my router, so the 208.67.220.220 DNS server shows up.

[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #1234567890 received
[INFO] This certificate looks valid
[INFO] Server key fingerprint is ……….
[INFO] Proxying from 127.0.0.2:53 to 208.67.220.220:443

A simple tcpdump will tell you if everything is working properly. If DNS requests are going out over port 443 as encrypted UDP packets, everything should be working; if it's still using port 53 and you can see the hosts being queried, something's wrong.

tcpdump -i eth0 port 443

Output should be similar to this:

20:22:02.070686 IP ubuntu.local.40117 > resolver2.opendns.com.https: UDP, length 324


Dirt3 PC Fix

Dirt3 for PC sadly does not launch without some additional software. I looked around the forums and the answers were spread out as usual. Here's the definitive fix, because no one seems to have it all in one location.

Assuming you have Steam installed and are signed in, and you have downloaded Dirt3:

Start > run > services.msc

This will bring up the services management console. Ensure that the ‘Background Intelligent Transfer Service’ and ‘Windows Live ID Sign-In Assistant’ services are Started and set to Automatic. If you don't have the Sign-In Assistant, see the next step.

Download the Windows Live Sign-in Assistant: http://www.microsoft.com/en-us/download/details.aspx?id=15106 This is an older version, 6.5, that does not come with the Windows Live Messenger/Mail extras.

Download the Games for Windows Marketplace Client: http://www.xbox.com/en-US/live/pc/downloadclient

Launch Steam and then Dirt 3. The game should install some additional software and then launch successfully.

Additional Note: If you are using MotioninJoy with a PS3 controller, set the profile to Xbox 360 and it will work properly.

Security News Feeds

Sharing some of my security RSS feeds.

SecNews RSS feeds

http://packetstormsecurity.org/news/

http://news.hitb.org/tags/security

http://slashdot.org/stories/security

http://nakedsecurity.sophos.com/

http://isc.sans.edu/rssfeed_full.xml

Misc Security

http://carnal0wnage.attackresearch.com/

http://www.darknet.org.uk

Exploits and Vulns

http://www.exploit-db.com/feed/

http://www.exploit-db.com/rss.xml

http://osvdb.org/feed/vulnerabilities/latest.rss

Will add more soon