CGNAT (Carrier Grade Network Address Translation) is a relatively recent technology that is not well known, although it should be, since it affects many of us. CGN (Carrier-grade NAT) lets a single public IP address serve many customers, each of which receives private addressing. Here are the problems it brings.





What is NAT?

Most readers will know NAT (Network Address Translation). It is the mechanism through which the majority of users have connected to the Internet in recent years. The connection is made through a device, usually a router, that holds a public IP address and is connected to the Internet.
The router is the device connected to the Internet through the provider's lines, and behind the router we set up private addressing.
The mechanism that lets devices with private addresses reach the Internet works by rewriting the requests that leave the private network: the private source IP is replaced with the public IP of the router.

The request reaches the corresponding server, the response comes back, and the router undoes the change so that the response reaches the machine that originated the request.

Simple network diagram of the setup we all have at home:


NAT limitations

NAT is a significant limitation on how the Internet is used and perceived, since most users think that this is what the Internet is. The original idea was that all equipment would be connected end to end, that is, every machine would be reachable from anywhere in the world.

That would have given us a much less centralized and controlled Internet than the one we have today. But at the time there was no option other than NAT, and it is what we have lived with in recent years in virtually all the networks we use, mainly domestic ones, and in many cases corporate networks as well.

NAT types





In NAT, two different processes are distinguished:


  • SNAT (Source Network Address Translation) is the mechanism through which clients get access to the Internet.
  • DNAT (Destination Network Address Translation), through a configuration in the router, allows requests that reach certain ports of its public address to be redirected to a specific machine on the private network. This gives limited access, only on certain ports, from outside to equipment on the private network, letting us run certain services inside it. It is widely used by p2p applications in the home, and in non-domestic environments to host web servers, mail servers or any other service that is to run within the private network. Within its limitations, this mechanism gives the computers on the network somewhat more functionality.

What is CG-NAT?

A few years ago the CGNAT mechanism was developed because of the exhaustion of IPv4 addresses. With it, the IP address given to the router is not a public IP but an address from the CGNAT range, the block 100.64.0.0/10, so the router does not have a public address and therefore is not reachable from the Internet.



In practice that NAT does not affect the use many end users make of the Internet, as they keep accessing services such as Google, Facebook or any other. What happens is that instead of being translated once, their traffic is NATed twice, something that in most cases is negligible, so users still think they have full Internet access.

It really is not the same as having a public address on the router, because it makes any DNAT mechanism completely impossible: we cannot forward any port, since the IP address it would be forwarded to is itself not public. It is not private in the same sense as ordinary NAT, but it is equally unreachable from the Internet, so you cannot host services inside, whether web servers, mail servers, p2p servers or any service that requires a connection to be established from a machine on the Internet to a machine on your local network.

The router that performs the NAT to the public IP address is in the hands of the operator, so forget about the typical "open these ports to this PC to use this application": you simply cannot open ports. Of course, you will not be able to change the public IP address either, since that is directly in the operator's hands.

If at home you have a web server, an FTP server, an SSH server, a VPN server, or Nextcloud to synchronize your files wherever you are, or if you want to play online games that need ports opened, you simply cannot do it; it will be impossible for you to host services. You will have a private IP address and not a public one, so you will no longer have end-to-end communication with the Internet; everything will pass through the CGN.
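A quick way to check which situation you are in is to classify the address your router shows on its WAN interface and compare it with the address a remote service sees as your source. This is an added example, not code from the original article; the sample addresses at the bottom are constructed.

```python
"""Tell whether a router's WAN address is public, RFC 1918 private, or
CGNAT shared space (added example, not from the original article).

The addresses used at the bottom are constructed sample values.
"""
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 ranges, normally used behind the customer's own router.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan_address(wan_ip: str) -> str:
    """Return 'cgnat', 'private', 'public' or 'special' for a WAN address."""
    ip = ipaddress.ip_address(wan_ip)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "special"
    if ip.version == 6:
        # There is no CGNAT on IPv6; ULA (fc00::/7) is the only private space.
        return "private" if ip.is_private else "public"
    if ip in CGNAT_RANGE:
        return "cgnat"
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    # Everything else is treated as routable (documentation ranges included).
    return "public"


def nat_layers(wan_ip: str, external_ip: str) -> dict:
    """Compare the WAN address the router shows with the address a remote
    service sees as our source. A mismatch means another translation sits
    between the router and the Internet; port forwarding (DNAT) only works
    when the router itself holds the public address."""
    kind = classify_wan_address(wan_ip)
    return {
        "wan_kind": kind,
        "double_nat": wan_ip != external_ip,
        "port_forwarding_possible": kind == "public" and wan_ip == external_ip,
    }


if __name__ == "__main__":
    # Constructed sample values: CGNAT, a real public address, and a second
    # home router behind the first one.
    for wan, ext in [("100.72.3.9", "203.0.113.7"),
                     ("203.0.113.7", "203.0.113.7"),
                     ("192.168.1.2", "203.0.113.7")]:
        print(wan, "->", nat_layers(wan, ext))
```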

Importance of knowing CGNAT

It is important that we are aware of this and of the technologies being used, because this type of Internet access, which some providers are selling to their users, is sold as Internet access when it is not exactly the same Internet access.

Therefore users should be fully informed, and administrations should also take measures to limit it, or at least inform consumers of what they are being given.

In fact, there is an initiative on the part of the European Union to force Internet providers to treat CGNAT as a temporary measure, to be used only until dual-stack IPv6 is in widespread and extensive use; IPv6 is the real solution, and it would change a great deal about how users currently use the Internet.

Adoption of IPv6 in Spain






Sources: 
https://openwebinars.net/blog/que-es-cgnat/



Broadly speaking, the fronting technique consists of hiding the real source of a site's data.
This has existed for a long time, but it has lately regained relevance because of the barriers raised on the Internet to censor, filter and block access to certain content, generally for political or ideological reasons.
Fronting works at the application layer and lets users reach content that has been blocked by the most common techniques (IP blocking, DNS filtering and even packet inspection), since the headers the filter sees belong to an authorized origin, and the real content is only revealed once the connection has been authorized and established. Note that fronting only works over HTTPS.
There are many tutorials on the Internet about using a CDN (Content Delivery Network) in Amazon Web Services to serve content from different sources in case one of them is offline. However, we found no explanation of how to do this when the data source is not a site hosted on AWS, which is why we decided to write this guide.

In our example we will use the following names: 



subdomain.domain.com: our subdomain, which we will use for the obfuscation
www.otrodominio.com/ruta/al/subdominio: the origin of the data that we will show at subdomain.domain.com

The first thing we must do is enable fronting in the hosting of otrodominio.com, since most hosts disable it by default to avoid phishing. (Later we will write a guide on how to find out whether your domain can be fronted by malicious users.)
I cannot tell you in detail how to enable fronting in your hosting, as it is different for each one. In any case, you can always check with the provider's support team.

Then we go to AWS and create a CNAME for subdomain.domain.com. For now it does not matter where it points, since we will change it later. We go to Route 53, select our zone and create a new record with "Create Record Set":

Here we select CNAME as the type, put our subdomain as the name and, as the value, anything at all, for example www.google.com:


Then we go to Cloudfront and create a new distribution:


We select the Web option and enter the domain of the data source and the path, if there is one.
We enter the alternate name we chose for the data source and select the type of certificate. In this case we chose a public one generated by Amazon for our domain:

We accept and, while the distribution is being created (which takes about 20 minutes), we note the CloudFront name generated for it. It is a name of the form a1b2c3d4c5.cloudfront.net.
We copy it, go back to the CNAME we created earlier and replace whatever we had put there (in this example, www.google.com) with this new domain.

Finally, we connect by SSH to the AWS host with the method we have configured (.pem certificate file, user and password, etc.) and, depending on the Apache version installed, go to /etc/apache2/ and edit apache2.conf, or go to /etc/apache2/sites-available/ and edit domain.com.conf (the name will be that of your domain), and add the following lines:
 
# Requires mod_proxy, mod_proxy_http and mod_ssl (a2enmod proxy proxy_http ssl).
# CloudFront contacts this vhost on port 80 and Apache relays each request to
# the origin over HTTPS. If the distribution is configured to reach the origin
# over HTTPS, add an equivalent <VirtualHost *:443> with SSLEngine On and a certificate.
<VirtualHost *:80>
        ServerName subdomain.domain.com

        # ServerAlias takes bare host names only, never URLs with a scheme.
        # ProxyPass to an https:// origin only works with SSLProxyEngine On.
        SSLProxyEngine On

        # Send the origin's own host name upstream, not subdomain.domain.com.
        ProxyPreserveHost Off

        ProxyPass        / https://www.otrodominio.com/ruta/al/subdominio/
        ProxyPassReverse / https://www.otrodominio.com/ruta/al/subdominio/
</VirtualHost>
 
With this we make sure that whatever the user requests from subdomain.domain.com arrives over HTTPS at www.otrodominio.com/ruta/al/subdominio.

Finally, once CloudFront has finished creating the distribution (the status changes from "In Progress" to "Deployed"), we can test the fronting by requesting subdomain.domain.com/index.php, or a path that exists only under www.otrodominio.com/ruta/al/subdominio/, for example www.otrodominio.com/ruta/al/subdominio/otra/ruta/test.php. We open subdomain.domain.com/otra/ruta/test.php and there is our content from otrodominio.com, while the URL the browser shows is subdomain.domain.com!
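The Apache side of this setup is where things usually break: a ServerAlias with a scheme in it, a ProxyPass to an https:// origin without SSLProxyEngine, or the same ServerName declared twice on one port. The following linter, an added example that is not part of the original guide, checks a vhost file for exactly those mistakes; the sample configuration in it is constructed.

```python
"""Lint an Apache reverse-proxy vhost for mistakes that break this setup.

Added example, not part of the original guide. Flags a ServerAlias that
carries a scheme, a ProxyPass to an https:// origin without SSLProxyEngine
On, a ProxyPass with no ProxyPassReverse, and two vhosts sharing a port and
ServerName (Apache only ever matches the first). The sample is constructed.
"""
import re
from collections import Counter

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(config: str):
    """Return [(listen_spec, {directive: [values]})] for every <VirtualHost>."""
    vhosts = []
    for listen, body in VHOST_RE.findall(config):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            directives.setdefault(name, []).append(value.strip())
        vhosts.append((listen.strip(), directives))
    return vhosts


def lint_proxy_config(config: str):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, seen = [], Counter()
    for listen, d in parse_vhosts(config):
        name = d.get("ServerName", ["<none>"])[0]
        seen[(listen, name)] += 1
        for alias in d.get("ServerAlias", []):
            if "://" in alias:
                findings.append(f"{name}: ServerAlias '{alias}' contains a scheme; use a bare host name")
        targets = [v.split()[1] for v in d.get("ProxyPass", []) if len(v.split()) > 1]
        if any(t.lower().startswith("https://") for t in targets) \
                and d.get("SSLProxyEngine", [""])[0].lower() != "on":
            findings.append(f"{name}: ProxyPass to an https:// origin without 'SSLProxyEngine On'")
        if "ProxyPass" in d and "ProxyPassReverse" not in d:
            findings.append(f"{name}: ProxyPass without ProxyPassReverse (redirects will expose the origin)")
    for (listen, name), n in seen.items():
        if n > 1:
            findings.append(f"{name}: {n} vhosts on {listen}; only the first is ever used")
    return findings


# Constructed sample with the classic mistakes: scheme in ServerAlias,
# no SSLProxyEngine, and the same ServerName twice on port 80.
BROKEN = """
<VirtualHost *:80>
    ServerName subdomain.domain.com
    ServerAlias http://subdomain.domain.com
    ProxyPass / https://www.otrodominio.com/ruta/al/subdominio/
    ProxyPassReverse / https://www.otrodominio.com/ruta/al/subdominio/
</VirtualHost>
<VirtualHost *:80>
    ServerName subdomain.domain.com
    ServerAlias https://subdomain.domain.com
    ProxyPass / https://www.otrodominio.com/ruta/al/subdominio/
    ProxyPassReverse / https://www.otrodominio.com/ruta/al/subdominio/
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint_proxy_config(BROKEN):
        print("-", finding)
```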


android-file-transfer-linux
Hello, today I will show you how to install Android File Transfer for Linux on Debian 9. It is a tool for transferring files, photos and so on from an Android device to our PC or vice versa.

Open a terminal and, as root or with sudo, install the build dependencies:
apt-get install build-essential cmake libqt4-dev ninja-build libfuse-dev libreadline-dev
We wait for the libraries to install...
In another terminal, as a normal user, we download the tool from https://github.com/whoozle/android-file-transfer-linux; for this we must have git installed.
git clone https://github.com/whoozle/android-file-transfer-linux
Once the repository is cloned, we enter the downloaded directory.
cd android-file-transfer-linux

We compile it (in-source build; the Qt binary ends up in the qt/ subdirectory):
cmake .
make
./qt/android-file-transfer
Or we can also create a small executable script that lets us open the tool from anywhere in the terminal:

To create this script we open the terminal as root and place:



cd /usr/local/bin

We create a file named android-file-transfer:
nano android-file-transfer

We put our script inside that file...
 
#!/bin/bash
# Launcher for android-file-transfer-linux: change the path below to wherever you built the tool.
echo "Abriendo el IDE de android-file-transfer-linux"
cd /home/jesseshl/android-file-transfer-linux/qt/ || exit 1
exec ./android-file-transfer
Briefly, this script (which you can change) does the following: the line cd /home/jesseshl/android-file-transfer-linux/qt/ changes into the directory where the tool was built, so you must replace it with the path where you have the tool installed.

Then we give it execute permission with:

chmod +x android-file-transfer
With this we can open the tool just by typing android-file-transfer in our terminal. We can also create a launcher; in my case, with XFCE, by adding a new item to the panel as shown in the following image (launcher).

Jens "atom" Steube, developer of the Hashcat password-cracking application, has found a new vulnerability in wireless networks protected with WPA/WPA2-PSK (Pre-Shared Key) that have fast roaming enabled, which makes them vulnerable to a new attack method. Unlike other attacks, no connected client is needed, since the router is attacked directly by obtaining the PMKID value, nor is the full 4-way handshake required.




Previous WPA/WPA2 attacks required the attacker to wait patiently, listening on a wireless network until a user logged in successfully, and then capture the four-way handshake in order to "decipher" the key.

New vulnerability in WPA2-PSK 

The developers discovered this attack quite by accident while looking for possible attacks on WPA3, which will be much harder to attack thanks to its use of Simultaneous Authentication of Equals (SAE), which makes it immune to passive attacks, active attacks and dictionary attacks.

WPA2, which stands for WiFi Protected Access 2, is considered the system of maximum security for protecting wireless networks. Recall that WPA2 is a 15-year-old security protocol for WiFi networks (published in 2004) and that its replacement is WPA3.

WPA and WPA2 differ little conceptually; they differ mainly in the encryption algorithm they employ. While WPA bases the encryption of communications on the TKIP (Temporal Key Integrity Protocol) algorithm, which like WEP is based on RC4, WPA2 uses CCMP (Counter-mode/CBC-MAC Protocol), based on AES (Advanced Encryption Standard). The second notable difference is the algorithm used to check message integrity: WPA uses a less elaborate version to generate the MIC (Message Integrity Code), known as "Michael", whereas WPA2 implements an improved MIC.

WPA-PSK/WPA2-PSK, whether with TKIP or AES, uses a pre-shared key (PSK) of at least 8 and at most 63 characters.

The key to the attack they discovered is that, unlike earlier ones, it does not need to capture the 4-way EAPOL (Extensible Authentication Protocol over LAN) handshake, as KRACK did. Instead, the attack extracts the RSN IE (Robust Security Network Information Element) from a single EAPOL frame. The RSN IE is an optional field that contains the PMKID, which the router generates itself when a user tries to authenticate. The main advantages over other known attack types are:



  • No regular users are required, because the attacker communicates directly with the AP (also known as a "clientless" attack)
  • No more waiting for a complete 4-way handshake between a regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to results that are impossible to crack)
  • No more invalid passwords sent by the regular user
  • No more EAPOL frames lost when the regular user or the AP is too far away from the attacker
  • No fixing of nonce and replay-counter values is required (resulting in slightly higher speeds)
  • No more special output formats (pcap, hccapx, etc.): the final data appears as a regular hex-encoded string




Pairwise Master Key Identifier (PMKID)


The PMKID is calculated with HMAC-SHA1, where the key is the PMK and the data is the concatenation of the fixed string label "PMK Name", the MAC address of the access point and the MAC address of the station.

PMK   = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

In addition, obtaining the material to attack is much easier, since it is enough to obtain the Pairwise Master Key Identifier (PMKID). They have also added a new hash mode, 16801, which skips the PMK computation, the part that until now made WPA cracking so slow. So it is now much easier to obtain the hash, but cracking it remains as difficult (or as easy) as ever, depending on the means available.

Mode 16801 expects a list of precomputed PMKs, as hex-encoded strings of length 64, as its list of input words. To precompute the PMKs you can use the hcxkeys tool. The hcxkeys tools require the ESSID, so you must obtain the ESSID of your client in advance.

The discoverers do not know the scope of the vulnerability, nor how many devices and routers it works against. What they do know is that it works on any network with roaming enabled (802.11i/p/q/r), which is the case for most modern routers. Many companies with WPA2 Enterprise use PSK, so their networks are now vulnerable to these new attacks.
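The two formulas above, carried through in code as an added example (not from the original article). The PSK/SSID pair "password"/"IEEE" is the published IEEE 802.11 test vector for the PBKDF2 step; the MAC addresses are constructed. The last function shows why hash mode 16801 matters: once PMKs are precomputed, only the cheap HMAC remains, so the 4096 PBKDF2 rounds no longer protect a weak passphrase and its length and randomness are the real defense.

```python
"""PMK and PMKID derivation as written in the formulas above.

Added example, not from the original article. "password"/"IEEE" is the
IEEE 802.11 PBKDF2 test vector; the MAC addresses are constructed.
"""
import hashlib
import hmac
import time


def derive_pmk(psk: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096 iterations, 256-bit output)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def compute_pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA).

    HMAC-SHA1-128 means the first 128 bits (16 bytes) of the HMAC-SHA1 output.
    """
    data = b"PMK Name" + mac_bytes(mac_ap) + mac_bytes(mac_sta)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def cost_split(psk: str, ssid: str, mac_ap: str, mac_sta: str) -> tuple:
    """Seconds spent in PBKDF2 versus in the final HMAC for one passphrase.

    The first number dominates by orders of magnitude; a precomputed PMK list
    (hash mode 16801) removes it, which is why only passphrase entropy, not
    the PBKDF2 work factor, protects a network whose PMKID has leaked.
    """
    t0 = time.perf_counter()
    pmk = derive_pmk(psk, ssid)
    t1 = time.perf_counter()
    compute_pmkid(pmk, mac_ap, mac_sta)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("PMK   =", pmk.hex())
    print("PMKID =", compute_pmkid(pmk, "00:11:22:33:44:55", "66:77:88:99:aa:bb").hex())
    print("seconds (pbkdf2, hmac) =", cost_split("password", "IEEE",
                                                  "00:11:22:33:44:55", "66:77:88:99:aa:bb"))
```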
Mimikatz (mimi katz) became an extremely effective attack tool against Windows clients, allowing the recovery of plain-text passwords as well as password hashes from memory. It has been dubbed the Swiss Army knife of Windows credential tools, as has Windows Credential Editor (WCE) by Hernán Ochoa.







Mimikatz, first written by Frenchman Benjamin Delpy (aka gentilkiwi) in 2011, has greatly simplified and automated the collection of credentials on Windows systems.

Mimikatz: cute cat


Mimikatz is an open source utility that displays the credential information held by Windows lsass (Local Security Authority Subsystem Service) through its sekurlsa module, including plain-text passwords and Kerberos tickets that can then be used in attacks such as pass-the-hash and pass-the-ticket. Most antivirus tools detect Mimikatz as a threat and remove it, but it can be useful for testing the security of systems.

Mimikatz provides a large number of tools to collect and use Windows credentials on target systems, including recovery of clear-text passwords, LAN Manager hashes and NTLM hashes, certificates and Kerberos tickets. The tools run with varying success on all versions of Windows from XP onwards, with somewhat limited functionality on Windows 8.1 and later.



It has also come to light as a component of two ransomware worms that crossed Ukraine and spread across Europe, Russia and the USA: both NotPetya and BadRabbit used Mimikatz together with leaked NSA tools to build automated attacks whose infections quickly saturated networks, with disastrous results. NotPetya alone paralyzed thousands of computers at companies such as Maersk, Merck and FedEx, and is believed to have caused more than a billion dollars in damages.


WDigest


Mimikatz first became a key asset for attackers thanks to its ability to exploit an obscure Windows feature called WDigest. That feature is designed to make it more convenient for corporate and government Windows users to prove their identity to different applications on their network or on the web: it keeps the user's authentication credentials in memory and reuses them automatically, so the username and password only have to be entered once. While Windows keeps its copy of the user's password encrypted, it also keeps in memory a copy of the secret key needed to decrypt it.


In 2014, Microsoft responded to this weakness with a patch that lets system administrators disable WDigest so that plain-text passwords are no longer stored. This notice from Microsoft explains how to update a special registry entry:


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest




In Windows 8 and above, the default setting is to not store clear text passwords in lsass.



mimikatz comes in two flavors, x64 and Win32, depending on your version of Windows (32 or 64 bits).
The Win32 flavor cannot access 64-bit process memory (such as lsass), but it can open a 32-bit minidump on 64-bit Windows. Some operations need administrator privileges or the SYSTEM token, so keep UAC in mind from Vista onwards.


privilege::debug
inject::process lsass.exe sekurlsa.dll
@getLogonPasswords
sekurlsa::logonpasswords
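Every one of those commands ends with a handle being opened on lsass.exe with read access, which is the event defenders watch for. The following detection logic, an added example that is not part of the original article, runs over Sysmon Event ID 10 (ProcessAccess) records reduced to the fields that matter; the sample events, paths and user name are constructed.

```python
"""Flag suspicious handles opened on lsass.exe, the process whose memory
the sekurlsa module reads.

Added example, not from the original article. Input is Sysmon Event ID 10
(ProcessAccess) reduced to the relevant fields; the events are constructed.
"""
PROCESS_VM_READ = 0x0010

# Access masks that credential dumpers typically request on lsass
# (0x1010 = VM_READ | QUERY_INFORMATION, 0x1FFFFF = PROCESS_ALL_ACCESS).
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Windows components that legitimately open lsass; tune this for your estate.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process opens lsass with read access."""
    if event.get("EventID") != 10:
        return False
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    if event["SourceImage"].lower() in ALLOWLIST:
        return False
    mask = int(event["GrantedAccess"], 16)
    # Known dumper masks, or any mask that includes PROCESS_VM_READ.
    return mask in SUSPICIOUS_MASKS or bool(mask & PROCESS_VM_READ)


def scan(events):
    """Return the (SourceImage, GrantedAccess) pairs worth alerting on."""
    return [(e["SourceImage"], e["GrantedAccess"])
            for e in events if is_suspicious_lsass_access(e)]


# Constructed sample events (user name and paths are made up).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\jesse\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\jesse\Desktop\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "SourceImage": r"C:\Windows\System32\cmd.exe",
     "TargetImage": "", "GrantedAccess": "0x0"},
]

if __name__ == "__main__":
    for src, mask in scan(SAMPLE_EVENTS):
        print(f"ALERT: {src} opened lsass.exe with GrantedAccess {mask}")
```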

Using mimikatz modules from Metasploit



meterpreter > mimikatz_command -f fu ::
Module: 'fu' introuvable

Modules available: 
                - Standard
      crypto - Cryptographie et certificats
        hash - Hash
      system - Gestion système
     process - Manipulation des processus
      thread - Manipulation of threads
     service - Manipulation des services
   privilege - Manipulation des privilèges
      handle - Manipulation des handles
 impersonate - Manipulation tokens d'accès
     winmine - Manipulation du démineur
 minesweeper - Manipulation du démineur 7
       nogpo - Anti-gpo et patchs divers
     samdump - SAM Dump
      inject - Injecteur de librairies
          ts - Terminal Server
      divers - Fonctions diverses n'ayant pas encore assez de corps pour avoir leurs propres module
    sekurlsa - Dump des sessions courants for providers LSASS
         efs - Manipulations EFS


Modules of mimikatz





Technical characteristics (features)

  • Dump credentials from LSASS (Windows Local Security Account database)
  • MSV1.0: hashes & keys (dpapi)
  • Kerberos password, ekeys, tickets, & PIN
  • TsPkg (password)
  • WDigest (clear-text password)
  • LiveSSP (clear-text password)
  • SSP (clear-text password)
  • Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
  • Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
  • Export certificates and keys (even those not normally exportable).
  • Dump cached credentials
  • Stop event monitoring.
  • Bypass Microsoft AppLocker / Software Restriction Policies
  • Patch Terminal Server
  • Basic GPO bypass
Yara rules for tool detection

LaZagne Project



The LaZagne project is an open source application used to recover the many passwords stored on a local computer. Many software products store access passwords using different techniques, from plain text to databases, APIs and proprietary algorithms.

This tool was developed to find such passwords for the most commonly used software products. It currently supports 22 programs on Windows and 12 on Linux / Unix:



The product's GitHub repository has more details about its use and about how to extend it.


An important precaution we can take on our computers, to limit what programs like LaZagne can find, is to clean up the traces of our activity, for example with a program like CCleaner (although it does not remove everything LaZagne finds, it does remove everything related to the traces left by the use of Internet browsers, for example).