SSH VPN

I’ve been experimenting with using SSH as a VPN. That is to say, not just tunnelling a single port but forwarding all traffic through the remote host like a router. I’ve pulled together instructions from here and here and have this:

Enable root SSH with keys and allow tunnelling on the remote machine in /etc/ssh/sshd_config:

PermitTunnel yes
PermitRootLogin without-password

Generate root SSH keys on the local machine and copy the public one to the remote machine:

ssh-keygen -t rsa
scp id_rsa.
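The rest of the bring-up that the excerpt above leads into, as an added example that is not part of the original post: it checks the two sshd_config directives, produces an authorized_keys entry that confines the VPN key to opening the tunnel (so a leaked key cannot become a root shell), prints the one-time remote-side setup, and then opens the tun link with ssh -w and routes the remote LAN over it. Every name here is an assumption: root@vpn.example.com, tun0 at both ends, 10.0.99.1/30 and 10.0.99.2/30 for the point-to-point link, and 192.168.1.0/24 behind the remote host’s eth0. The remote tun0 is pre-created as a persistent device so its address survives reconnects. With DRY_RUN=1 (the default) the script only prints the commands, so it can be read and run without root or a network; PermitRootLogin without-password is the old spelling that OpenSSH 7.0+ documents as prohibit-password and still accepts.

```shell
#!/bin/sh
# Added example, not from the original post. Drives an SSH layer-3 VPN
# bring-up with OpenSSH tun forwarding (-w) and checks the sshd_config
# directives it needs. Assumed names: root@vpn.example.com, tun0 at both
# ends, 10.0.99.1/30 local, 10.0.99.2/30 remote, remote LAN 192.168.1.0/24
# behind eth0. DRY_RUN=1 (default) prints commands instead of running them.
set -eu
REMOTE="${REMOTE:-root@vpn.example.com}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Does sshd_config at $1 permit tunnels and key-only root login?
# "without-password" is the old spelling; OpenSSH 7.0+ documents it as
# "prohibit-password" and accepts both.
sshd_config_ok() {
  grep -Eqi '^[[:space:]]*PermitTunnel[[:space:]]+(yes|point-to-point)' "$1" &&
  grep -Eqi '^[[:space:]]*PermitRootLogin[[:space:]]+(prohibit-password|without-password)' "$1"
}

# authorized_keys entry that lets public key $1 open tun0 and nothing else:
# no pty, no TCP/agent/X11 forwarding, and any shell request just runs
# /bin/true. The tunnel is opened with ssh -N, which never requests a
# command, so the forced command does not get in the way.
authorized_keys_line() {
  printf 'tunnel="0",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding,command="/bin/true" %s\n' "$1"
}

# One-time setup on the remote host, run there as root (not through the
# restricted key): a persistent tun0 that sshd attaches to, forwarding on,
# and NAT for traffic arriving over the tunnel.
remote_side() {
  cat <<'EOF'
ip tuntap add dev tun0 mode tun
ip addr add 10.0.99.2/30 dev tun0
ip link set tun0 up
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.0.99.0/30 -o eth0 -j MASQUERADE
EOF
}

# Local side: open tunnel 0 on both ends, address our end, route the
# remote LAN through it. -f backgrounds ssh once the tunnel is up.
bring_up() {
  run ssh -f -N -w 0:0 "$REMOTE"
  run ip addr add 10.0.99.1/30 dev tun0
  run ip link set tun0 up
  run ip route add 192.168.1.0/24 via 10.0.99.2 dev tun0
}

echo "# run once on the remote host:"
remote_side
echo "# then locally:"
bring_up
```

Using DRY_RUN=0 executes the local commands for real; the remote_side block is meant to be pasted into a root session on the remote host, and the authorized_keys_line output replaces the plain key line that scp would otherwise install. To send all traffic rather than one LAN, replace the last route with a default route via 10.0.99.2 and add a host route to the remote’s public address via the original gateway first, or the tunnel routes itself over itself.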

Compiling VirtualBox OSE (updated)

I’ve built a default install of Fedora 13 64-Bit in a virtual machine for the purpose of figuring out the dependencies and workarounds required to compile VirtualBox OSE from Subversion.

Install make, gcc etc; as root:

yum groupinstall "Development Tools" "Development Libraries"

Install 32-Bit build tools and some Qt4 libraries, Java etc; as root:

yum install dev86 iasl qt4-devel pulseaudio-libs-devel glibc-devel.i686 libgcc.i686 texlive-texmf-latex java-1.6.0-openjdk-devel zlib-static glibc-static libstdc++.i686 libvncserver-devel libxslt-devel libIDL-devel SDL-devel libXmu-devel libstdc++-static

Symlink the Fedora-packaged JVM to where Oracle expects it to be installed, as root:

cd /usr/lib/jvm/
ln -s java-1.

Password protecting files using GnuPG

I found a useful way of using GnuPG today when someone couldn’t decrypt a passworded zip file I sent them (probably using p7zip/infozip instead of “proper” unzip). You can use symmetric encryption with GnuPG, i.e. just a password rather than a keypair+passphrase, and you don’t have to exchange keys or sign things etc:

gpg --symmetric myfile.pdf

This writes myfile.pdf.gpg, which the recipient decrypts with simply “gpg myfile.pdf.gpg” and the same password. I also fixed my NASL scripts with a bit of sed; this example replaces all the 50000-range script_id()s with 950000-range ones:
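An added example, not code from the original post, covering both halves of the note above: a non-interactive GnuPG symmetric round trip (encrypt, then decrypt the .gpg file), and the sed renumbering that moves script_id() values out of the old 50000 custom range into the 900,001 to 999,999 custom range Tenable introduced (see the next post), with a check that the result actually lands in that range. The NASL snippet and the passphrase are constructed here; gpg is only invoked if it is installed, and the passphrase is fed over a pipe rather than on the command line, where ps would show it to every local user.

```shell
#!/bin/sh
# Added example, not from the original post. Non-interactive GnuPG
# symmetric round trip plus sed renumbering of Nessus script_id() values
# from the 50000 range into the 900,001-999,999 custom range.
# Sample NASL lines and the passphrase are constructed for the demo.
set -eu

# Encrypt $1 to $1.gpg with AES-256, passphrase from $2 via stdin.
# --batch and --pinentry-mode loopback stop gpg from prompting.
gpg_sym_encrypt() {
  printf '%s\n' "$2" | gpg --batch --yes --quiet --pinentry-mode loopback \
    --passphrase-fd 0 --cipher-algo AES256 --symmetric -o "$1.gpg" "$1"
}

# Decrypt the .gpg file $1 to $3 with passphrase $2. The input is the
# .gpg file, not the original filename.
gpg_sym_decrypt() {
  printf '%s\n' "$2" | gpg --batch --yes --quiet --pinentry-mode loopback \
    --passphrase-fd 0 -o "$3" -d "$1"
}

# Read NASL source on stdin; rewrite script_id(5xxxx) as script_id(95xxxx).
# Only five-digit ids beginning with 5 are touched, so ids already in the
# new range and unrelated numbers are left alone.
renumber_nasl() {
  sed -E 's/script_id\(5([0-9]{4})\)/script_id(95\1)/g'
}

# Return 0 when every script_id() on stdin lies in the custom range.
ids_in_custom_range() {
  bad=$(grep -oE 'script_id\([0-9]+\)' | tr -dc '0-9\n' |
        awk '$1 < 900001 || $1 > 999999' || true)
  [ -z "$bad" ]
}

# Constructed sample: two old-range ids and one already in the new range.
SAMPLE_NASL='script_id(50001);
script_id(50321);
script_id(900500);'

printf '%s\n' "$SAMPLE_NASL" | renumber_nasl
printf '%s\n' "$SAMPLE_NASL" | renumber_nasl | ids_in_custom_range \
  && echo "all ids in custom range"

# Round trip through gpg if it is available; skipped otherwise.
if command -v gpg >/dev/null 2>&1 && tmp=$(mktemp -d) \
   && printf 'secret report\n' > "$tmp/myfile.pdf" \
   && gpg_sym_encrypt "$tmp/myfile.pdf" 'correct horse battery staple' \
   && gpg_sym_decrypt "$tmp/myfile.pdf.gpg" 'correct horse battery staple' "$tmp/out.pdf" \
   && cmp -s "$tmp/myfile.pdf" "$tmp/out.pdf"; then
  echo "gpg round trip ok"
  rm -rf "$tmp"
else
  echo "gpg round trip skipped"
fi
```

To apply the renumbering in place across a plugin tree, run the same sed over each file (for f in *.nasl; do renumber_nasl < "$f" > "$f.new" && mv "$f.new" "$f"; done); the ids_in_custom_range check is worth running afterwards because a six-digit id that happened to start with 5 would be left untouched by the pattern.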

101 NASL's

I’ve just finished writing some new Nessus plugins, taking my NASL count to over 100 now. Just as I finished checking them into Git, Tenable decided to renumber the plugin ranges. Custom NASLs were always given a range around 50000-53000, but now Tenable are up to 50321 themselves, so have decided on a new set of ranges:

Passive: 1 – 10,000
Active: 10,001 – 900,000
Custom: 900,001 – 999,999
Compliance: 1,000,000+

Bypassing firewalls

I’ve been experimenting with bypassing firewalls today, based on results from this Nessus plugin. Essentially it’s down to a firewall misconfigured to allow access based only on the source port: a packet that claims a trusted source port (53, DNS, in this case) is accepted whatever its destination port and whether or not it belongs to an existing connection, so by choosing our own source port we can send packets to other destination ports through the firewall. I’ve managed to exploit it on Linux by setting up these weak iptables rules:

iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

I also managed to exploit it on Cisco IOS using these weak ACL rules:
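An added example, not from the original post, that puts the weak iptables rules above beside a stateful replacement, shows the nmap probe that exposes the hole (the same port scan with and without a spoofed source port of 53), and audits an iptables-save dump for ACCEPT rules keyed on --sport with no connection-state match. The dump is constructed for the demo and firewall.example.com is an assumed target; nmap -g needs root because it writes raw packets.

```shell
#!/bin/sh
# Added example, not from the original post. Source-port-trust rules beside
# a stateful fix, the nmap probe that reveals the weak version, and an
# audit of iptables-save output for the pattern. Sample dump constructed.
set -eu

# Weak: a packet is trusted because it *claims* source port 53. The
# attacker picks that port and reaches any destination port behind it.
weak_rules() {
  cat <<'EOF'
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
EOF
}

# Fixed: only traffic belonging to a connection this host started is
# accepted, so a fresh SYN from source port 53 is dropped like any other.
# DNS replies to our own queries still match ESTABLISHED.
fixed_rules() {
  cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Probe from outside: identical scans, the second with source port 53.
# Against the weak ruleset the second run lists ports the first did not.
probe() {
  target="${1:-firewall.example.com}"   # assumed hostname
  printf 'nmap -Pn -sS -p 22,80,443 %s\n' "$target"
  printf 'nmap -Pn -sS -g 53 -p 22,80,443 %s\n' "$target"
}

# Audit: read iptables-save output (or plain iptables commands) on stdin,
# print every ACCEPT that matches on --sport without a --ctstate/--state
# condition. Returns 1 when anything was flagged.
audit_sport_rules() {
  found=$(grep -E -- '^(iptables )?-A .*--sport [0-9]+.*-j ACCEPT' |
          grep -Ev -- '--ctstate|--state' || true)
  [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Constructed iptables-save dump: one good state-matched rule, one weak
# source-port rule, one source-port rule that is fine because it is
# restricted to ESTABLISHED.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --sport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT'

echo "# probe:"
probe
echo "# audit of sample dump:"
printf '%s\n' "$SAMPLE_DUMP" | audit_sport_rules || echo "weak source-port rule found"
```

On a live host, iptables-save | audit_sport_rules gives the same check against the running ruleset; the probe is what the Nessus plugin mentioned above is effectively doing, comparing what the firewall exposes when the source port is ordinary with what it exposes when the source port is one the rules trust.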