[Rack] Oddity on 75.101.62.88

Danny O'Brien danny at spesh.com
Sun Jun 17 22:38:29 PDT 2012


Someone with clue will be along shortly, I think r00ter's work got
subsumed into bikeshed, which is running Vyatta, which is a
Debian-based router OS. I suspect it's mangling the handshake somehow.

d.




On Sun, Jun 17, 2012 at 10:15 PM, Isis <isis at patternsinthevoid.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> - -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Rack.
>
> I have spent the morning reverse engineering and analyzing this network
> analysis tool Netalyzr. Because the thing required a JVM to run, I based my
> analysis on the reversed source code instead of running it. Then I decided to
> run it anyway to see how accurate it is.
>
> The returned report contained the following funniness:
>
>    Direct TCP connections to remote secure IMAP servers (port 585) succeed, but
>    do not receive the expected content.
>
>    The connection succeeded but came from a different IP address than we
>    expected. Instead of the expected IP address, we received this request from
>    75.101.62.88.
>
>    Direct TCP connections to remote authenticated SMTP servers (port 587)
>    succeed, but do not receive the expected content.
>
>    The connection succeeded but came from a different IP address than we
>    expected. Instead of the expected IP address, we received this request from
>    75.101.62.88.
>
>    Direct TCP connections to remote IMAP/SSL servers (port 993) succeed, but do
>    not receive the expected content.
>
>    The connection succeeded but came from a different IP address than we
>    expected. Instead of the expected IP address, we received this request from
>    75.101.62.88.
>
> Which apparently used to be r00ter, but now it's:
>
>    isis at wintermute:~$ nmap -A -v -Pn 75.101.62.88
>
>    Starting Nmap 5.51.6 ( http://nmap.org ) at 2012-06-17 20:52 PDT
>    NSE: Loaded 58 scripts for scanning.
>    Initiating Parallel DNS resolution of 1 host. at 20:52
>    Completed Parallel DNS resolution of 1 host. at 20:52, 0.02s elapsed
>    Initiating Connect Scan at 20:52
>    Scanning nat-sonicnet.noisebridge.net (75.101.62.88) [1000 ports]
>    Discovered open port 53/tcp on 75.101.62.88
>    Discovered open port 22/tcp on 75.101.62.88
>    Completed Connect Scan at 20:52, 1.84s elapsed (1000 total ports)
>    Initiating Service scan at 20:52
>    Scanning 2 services on nat-sonicnet.noisebridge.net (75.101.62.88)
>    Completed Service scan at 20:52, 0.09s elapsed (2 services on 1 host)
>    NSE: Script scanning 75.101.62.88.
>    Initiating NSE at 20:52
>    Completed NSE at 20:52, 0.72s elapsed
>    Nmap scan report for nat-sonicnet.noisebridge.net (75.101.62.88)
>    Host is up (0.063s latency).
>    Not shown: 998 closed ports
>    PORT   STATE SERVICE    VERSION
>    22/tcp open  ssh        OpenSSH 5.5p1 Debian 6 (protocol 2.0)
>    | ssh-hostkey: 1024 c5:c8:8f:61:cb:69:cd:30:a1:29:1d:46:6b:a1:84:9c (DSA)
>    |_2048 c6:64:6b:9a:e0:6f:21:d9:ae:7c:bc:3d:3b:0a:bb:13 (RSA)
>    53/tcp open  tcpwrapped
>    Service Info: OS: Linux
>
>    Read data files from: /usr/share/nmap
>    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
>    Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds
>    isis at wintermute:~$ ssh nat-sonicnet.noisebridge.net
>    The authenticity of host 'nat-sonicnet.noisebridge.net (75.101.62.88)' can't be established.
>    RSA key fingerprint is c6:64:6b:9a:e0:6f:21:d9:ae:7c:bc:3d:3b:0a:bb:13.
>    Are you sure you want to continue connecting (yes/no)? yes
>    Warning: Permanently added 'nat-sonicnet.noisebridge.net,75.101.62.88' (RSA) to the list of known hosts.
>    Welcome to Vyatta
>    Permission denied (publickey).
>
> So, then I try to pull the certificate from a mailserver to check it, and
> nope. No certificate. Wireshark showed a bunch of TLSv1 Encrypted Alerts,
> followed by wintermute sending a bunch of (apparently ignored) [RST, ACK]s,
> and then a [FIN, ACK], and then there's just a bunch more TLSv1 Encrypted
> Alerts as if the mailserver never got the FIN:
>
>    isis at wintermute:~$ openssl s_client -serverpref -msg -connect box658.bluehost.com:465 -starttls smtp -showcerts
>    CONNECTED(00000003)
>    didn't found starttls in server response, try anyway...
>    >>> TLS 1.2  [length 013b]
>        01 00 01 37 03 03 4f de b2 3f 49 03 04 f9 2e ac
>        2f cd eb d4 02 35 fd e2 85 09 1b 81 af 3e f9 9d
>        ef aa 84 ef f6 69 00 00 9e c0 30 c0 2c c0 28 c0
>        24 c0 14 c0 0a c0 22 c0 21 00 a3 00 9f 00 6b 00
>        6a 00 39 00 38 00 88 00 87 c0 32 c0 2e c0 2a c0
>        26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 12 c0
>        08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0
>        2f c0 2b c0 27 c0 23 c0 13 c0 09 c0 1f c0 1e 00
>        a2 00 9e 00 67 00 40 00 33 00 32 00 9a 00 99 00
>        45 00 44 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00
>        9c 00 3c 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0
>        02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00
>        08 00 06 00 03 00 ff 02 01 00 00 6f 00 0b 00 04
>        03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
>        00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
>        00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
>        00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
>        00 0d 00 22 00 20 06 01 06 02 06 03 05 01 05 02
>        05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01
>        02 02 02 03 01 01 00 0f 00 01 01
>    139891794618024:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
>    ---
>    no peer certificate available
>    ---
>    No client certificate CA names sent
>    ---
>    SSL handshake has read 0 bytes and written 355 bytes
>    ---
>    New, (NONE), Cipher is (NONE)
>    Secure Renegotiation IS NOT supported
>    Compression: NONE
>    Expansion: NONE
>    ---
>
> So, question: what is Vyatta, and why does it appear to be MITMing IMAPS
> connections? Also, I asked other people around to try to connect to IMAPS
> servers through GUIs with cert verification enabled, and Mischief set up tried
> to google through Thunderbird and the connection failed.
>
>
> <(A)3
> isis agora lovecruft
>
> - -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iQIcBAEBCAAGBQJP3rkDAAoJEKOttnos24s1EOIQAKRgMC07d11L1Ub0BKTXU/Bb
> Xm0htqzM7M7cR5Ri1yuZ6Q6FzYof9+O5os3bzP/RApn/No9gVYfSk8BFXCJAqDwh
> 5Norb9AtYZ2dM/8EaF20Cye4OMHUnLowgJHZeav+GS02nf8qYnhLNMfu7p6RTD6j
> N9lY0gvCpScv+SRCwhXSdcS2TjzhcwHHWPJrAEMfgnia0w/RjS/AZPYXkykixYlp
> ojvRDfduz9Tywkbwx862Way+XDXiEMLvRWYMCVEA8vNgAXSMzv3WFJnmT/skweOY
> SPv5xtdNX4hGGiSv6UKezxDpGlC7H3D7cM8eV88Gs5haDDPkMg4L7UzzLfQRySox
> j8ecEC/9AJa/LvbyMtXXnOj68l5qTozg7DKEzUyR9rUR10TZKWZjCOHsBvW5VCRq
> xoyGz1ox+hvXIzdEPxgxzcSkHXYWNfBF0Up1ZOYGoCTQ0QxBXNq6jJy3SgjyMhnK
> GC73kPfTmPgaB9fKHnKnILFsmIK7FaErYEICyJQKhSXYqhv26opqtK+Uo/AB8cF/
> FF0mksOPZdU6myaaHMIhXbWj95vu0dtMsuh6WGq3olo3f8hOfr55DojAE5bPVwT7
> UCAJYP15+9a7TPb8RR2tIh4h92zipYVoRbd9oM1EkbpIcgEac5y8x7187u04LWll
> VzSoGNCgknj6Xzqpnhex
> =HBZI
> - -----END PGP SIGNATURE-----
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iQIcBAEBCAAGBQJP3rldAAoJEKOttnos24s1IV0QAJK7Xer0+ZEYNYbH7qgHy91I
> 4U/W7iJo2Kw5/uapIs6KrbxHFLWsDjFjdHjvm1b3T6LBdQ6ABDnNmGNXXTlnNmwk
> bV4QvcHTjMFSGZVDH2WbUeXySlARRP2yxGnlWjKGAoHTMDPLIl64MosRMUUa+OgV
> Y1UDI9HAAiERLnT1fA3UHmCzGLtmBjezkhRsQbfiihCA7xn6llxi3hwoCYZ6cEt7
> VCl/STdgXLm8t3YaFID8DliNut7SCLzU2A2ur22V7xsvi6Iyg324LU4Ak4Rh2lI7
> SumTtc5mUnzJ6sVwG/hz64EhRRnDn71XKzjs2nDeMtudjsPrNZikQ9quorJckci0
> A06211pyJ0HlIcUZnB+5/O0ZMqtS36fQO1ByB/2z3e3rYo4aW0xD8+rev52shooU
> RpyF5AAmACKWu9dM8Krt6Eu2TzS+mUNzG6AwveCVfBEb95gqaOlTso+vq/MPHoUc
> t77AyNA6LzhbGvVREPdHxNaD0iCRc+VgsT5wQXaRsDtcrehEFX0fX86fGW26k0JX
> YJgKWFykidCtfQwIl3gs1lDog9sFxFk3As58oCaMuEBvK0ujWj0Dc/xchsxj+Zeh
> nA2daIuTa/MAep1lmQb8bdYXeEiAoGigkz8Se0fT36RkLXV5me6QYi1sl69M9SI3
> /CtkgsvG3TW+K4AZnFQJ
> =YnW1
> -----END PGP SIGNATURE-----
> _______________________________________________
> Rack mailing list
> Rack at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/rack
>
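The s_client run quoted above sends a ClientHello and gets a handshake failure with zero bytes read, while Netalyzr reports connections on 585/587/993 that "succeed, but do not receive the expected content". The following is an added example, written for this archive page and not code from Netalyzr, Vyatta or anyone in the thread: a small Python probe that sends a minimal TLS ClientHello to a port and classifies the first thing that comes back, so an intercepted port (accepted, then silence, a bare close, a reset, or an alert) can be told apart from a real TLS endpoint that answers with a ServerHello. The cipher-suite list, the local stand-in servers and their behaviours are constructed for the demonstration; the only assumption about real servers is that a TLS listener answers a ClientHello with either a ServerHello record (0x16) or an alert record (0x15).

```python
import os
import socket
import struct
import threading
import time

# Constructed cipher-suite list for the probe (AES-CBC suites that any
# TLS 1.0+ server of the era would accept); not taken from the page.
CIPHER_SUITES = bytes.fromhex("c014c0130035002f")

# Subset of TLS AlertDescription values (RFC 5246 section 7.2) used for naming.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    46: "certificate_unknown", 70: "protocol_version", 80: "internal_error",
}


def build_client_hello(suites=CIPHER_SUITES):
    """Minimal TLS 1.0 ClientHello record with no extensions."""
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites          # cipher suites
            + b"\x01\x00")                                     # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Classify the first TLS record a peer returned (or its absence)."""
    if not data:
        return "closed_without_data"
    if len(data) < 5:
        return "garbage"
    ctype, _major, _minor, _length = struct.unpack("!BBBH", data[:5])
    if ctype == 0x15 and len(data) >= 7:                       # alert record
        level, desc = data[5], data[6]
        return "tls_alert:%s:%s" % ("fatal" if level == 2 else "warning",
                                    ALERT_DESCRIPTIONS.get(desc, str(desc)))
    if ctype == 0x16 and len(data) >= 6 and data[5] == 0x02:   # handshake, ServerHello
        return "server_hello"
    return "garbage"


def probe_tls_port(host, port, timeout=1.0):
    """Connect, send a ClientHello, and report what the peer does next."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            try:
                data = s.recv(4096)
            except socket.timeout:
                return "silent_after_client_hello"   # accepted, then nothing
            except ConnectionResetError:
                return "reset_after_client_hello"
            return classify_reply(data)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "connect_timeout"
    except OSError as e:
        return "connect_error:%s" % e.strerror


def _fake_server(behaviour):
    """Constructed local stand-in for the peer behaviours discussed; returns its port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.settimeout(2)
        try:
            conn.recv(4096)                                    # swallow the ClientHello
            if behaviour == "alert":
                conn.sendall(b"\x15\x03\x01\x00\x02\x02\x28")  # fatal handshake_failure
            elif behaviour == "silent":
                time.sleep(1.5)                                # longer than the probe timeout
            elif behaviour == "reset":
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            # "close": fall through and close without sending anything
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def run_demo():
    """Probe each constructed behaviour and return {behaviour: verdict}."""
    return {b: probe_tls_port("127.0.0.1", _fake_server(b))
            for b in ("alert", "silent", "reset", "close")}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print("%-7s -> %s" % (name, verdict))
```

Against a real host, `probe_tls_port("imap.example.net", 993)` returning anything other than `server_hello` from a port that is supposed to speak TLS is the condition Netalyzr flagged; comparing the verdict from inside the network with the one from an outside vantage point separates a broken server from a box in the path mangling the handshake.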