WireGuard - Part Three (Troubleshooting)

Posted on Mon 12 June 2017 in Tech • Tagged with Tech, Security, WireGuard, Networking, Linux

This is part of my brief series on WireGuard. I'm pretty enamoured with WireGuard and the way it works, but there were a couple slightly curly bits that I needed to get my head around. This troubleshooting guide is a rough dump of the issues I had, and how I fixed them.

Gotten Stuck?

At this stage, there are actually a few ways that this can go wrong, even though we haven't done much. Think through all the bits:

  • Installed WireGuard at both ends
  • Set up your NAT rule on …

Continue reading

WireGuard - Part Two (VPN routing)

Posted on Sun 11 June 2017 in Tech • Tagged with Tech, Security, WireGuard, Networking, Linux

This is a continuation of my brief series on the new WireGuard VPN. Part One was about the simple building-blocks to get WireGuard working between two endpoints. Now that we've got a couple machines able to ping each other by IP address, we can carry on a bit deeper into the inter-LAN routing stuff.

Extending on from the IP addresses in Part One, instead of JUST connecting to the remote machine, I want to actually have access to everything on the whole 10.20.0.0/16 network; even the …


Continue reading

WireGuard - Part One (Installation)

Posted on Sat 03 June 2017 in Tech • Tagged with Tech, Security, WireGuard, Networking, Linux

WireGuard is the most excellent VPN stack around. It's really fast, the concept of Cryptokey Routing is awesome, and I love the speed and simplicity benefits that come from opionionated cryptography. The protocol is so simple - expressed in a mere 4k lines of code - that it's auditable by anyone.

But.

With my initial naive approach, I found myself using HTTPS, over ports forwarded over SSH tunnels, connected over WireGuard. Although it was straightforward to get WireGuard working between two endpoints, I ended up in nested-crypto hell.

So, this brief series …


Continue reading

RingZer0team CTF - Linux Sysadmin challenges

Posted on Sun 28 May 2017 in Security • Tagged with Security, Tech, RingZer0Team

There are a bunch of fantastic Capture The Flag security challenges on RingZer0Team.com. I've been working through some of these for a wee while now, and with the New Zealand Cyber Security Challenge coming up again soon, I thought I'd get back into some of them.

The Sysadmin Linux series of challenges is where you're trying to breach the security of a Linux system. I actually finished most of these last year, but I wanted to finish my last two. Of course, to get to the last two stages …


Continue reading

RingZer0team CTF - Challenge 148

Posted on Sat 27 May 2017 in Security • Tagged with Security, Tech, RingZer0Team, Python

There are a bunch of fantastic Capture The Flag security challenges on RingZer0Team.com. I've been working through some of these for a wee while now, and with the New Zealand Cyber Security Challenge coming up again soon, I thought I'd get back into some of them.

Challenge 148 ("Sysadmin Linux Level 2") is one of a series of challenges where you're trying to breach the security of a Linux system. I actually finished most of these last year, but I wanted to finish my last two. Of course, to …


Continue reading

RingZer0team CTF - Challenge 57

Posted on Fri 05 May 2017 in Security • Tagged with Security, Tech, RingZer0Team, Python

This is a continuation of my series on RingZer0Team.com.

Challenge 57 ("Hash Breaker Reloaded", under the Coding Challenges) is one of a series of challenges where you're simply presented with a hash - you need to return the plaintext value to the page within 3 seconds.

In contrast to Challenge 56, this challenge also includes a salt:

You have 3 seconds to break this hash
Send the answer back using https://ringzer0team.com/challenges/57/[clear_text]


----- BEGIN HASH -----
ab9507edbb2501b3c02e47c51af0178d68655980
----- END HASH -----

----- BEGIN SALT -----
c2ac9d8d004b4011d0864e76c7ebaaccfd18464bb8ff66bdbf19a703eb95a944
----- END SALT -----

The hash looks like …


Continue reading

RingZer0team CTF - Challenge 56

Posted on Tue 02 May 2017 in Security • Tagged with Security, Tech, RingZer0Team, Python

There are a bunch of fantastic Capture The Flag security challenges on RingZer0Team.com. I've been working through some of these for a wee while now, and with the New Zealand Cyber Security Challenge coming up again soon, I thought I'd get back into some of them.

Challenge 56 ("Hash Breaker", under the Coding Challenges) is one of a series of challenges where you're simply presented with a hash - you need to return the plaintext value to the page within 3 seconds.

Of course, this is impossible to do manually …


Continue reading

Making Lektor work with grsecurity

Posted on Sat 29 October 2016 in Tech • Tagged with Security, Tech, Linux

I started using grsecurity on my servers in 2015, and there's always a bit of tuning required.

I was recently playing with Lektor (before I swapped to Pelican), and I had a bit of trouble with my grsec kernel. In particular, Lektor and Pelican are both run within a virtualenv Python environment, and grsec eats it like popcorn in two different ways:

1) TPE (Trusted Path Execution) throws a wobbly:

[253241.370019] grsec: From {ssh-origin-ip}: denied untrusted exec (due to file in world-writable directory) of /tmp/#50 by /usr/local …


Continue reading

Updating the modem and radio firmware on a Samsung Galaxy 5 (G900I)

Posted on Thu 27 October 2016 in Tech • Tagged with Android, Security, Linux

A couple months ago, Check Point revealed their discovery of the Quadrooter vulnerability affecting the Qualcomm chipsets in oodles of Android phones.

I use --CyanogenMod-- LineageOS on a Samsung Galaxy S5, so thankfully I received patches for three of the four vulnerabilities in only a few days.

However, that last vulnerability was part of a proprietary binary blob for controlling the Qualcomm LTE chipset, only patchable by Samsung themselves. It took a while for the Samsung updates to roll out, and then I got distracted for a while, but I …


Continue reading

Using ECDSA certificates with Let's Encrypt

Posted on Thu 27 October 2016 in Tech • Tagged with Security, Linux, Tech

Let's Encrypt's Certbot will generate an RSA key by default. But we want to step into the new and exciting world of elliptic curve cryptography! Unfortunately Certbot doesn't really roll that way, so there are a couple hoops to jump through first.

A word of caution: this post has been written in retrospect, some time after I actually got ECDSA working. That means there are bound to be squiggly little steps that I've missed, and I certainly should have provided screenshots or snippets that I've missed. Sorry.

This post …


Continue reading