Live Capture to Multiple Files Using Wireshark

If you want to capture a long live session, maybe over the course of a couple of hours, you will want to write the traffic to multiple files, split by size or by duration. This makes the results much easier for analysts to work with, transfer, and so on.

I like to create a dedicated directory for the capture session. I usually place them in Capture or <ProjectName>Capture. Once the capture session is complete, you can select the interesting PCAP files out of the session and delete or archive the others.

Launch Wireshark application. Open Capture options, select the Output tab.

Select the checkbox Create a new file automatically… to set when Wireshark should start the next file. The options are a number of packets, a file size, a duration, and a multiple of time. There is also the option to use a ring buffer, which removes the oldest file once the given number of files has been written.

If you know when the session should stop, you can also set the capture to stop automatically after a number of packets, a number of files, or a specific multiple of time.

Click the Start button to start a capture session, writing the capture to the specified directory as multiple files.

Wait for, or reproduce, the issue and then stop the capture. Collect the files from the capture directory you created earlier.
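The same multi-file capture can be driven from the command line with dumpcap, which ships with Wireshark and honours the same rotation options as the Output tab. The script below is an added example and not code from the original post; it assumes dumpcap is on PATH, that the user may capture on the chosen interface, and uses placeholder interface and project names.

```python
"""Added example, not code from the original post: the multi-file capture
that the Wireshark GUI steps above configure, expressed as a dumpcap
command line so it can run unattended from a script. Assumes dumpcap
(shipped with Wireshark) is on PATH and that the user is allowed to
capture on the chosen interface; the interface and project names are
placeholders."""
import os
import shutil
import subprocess


def capture_dir(project=""):
    """Dedicated directory per session, named Capture or <Project>Capture."""
    return f"{project}Capture" if project else "Capture"


def dumpcap_args(iface, outdir, size_kb=0, duration_s=0, ring_files=0,
                 stop_after_files=0, prefix="session"):
    """Build the dumpcap argv for a capture split into multiple files.

    -b filesize:N   start a new file after N kB
    -b duration:N   start a new file after N seconds
    -b files:N      ring buffer: keep only the newest N files
    -a files:N      stop capturing once N files have been written
    A limit left at 0 is omitted; at least one rotation condition
    (size or duration) is required or nothing would ever rotate.
    """
    if size_kb <= 0 and duration_s <= 0:
        raise ValueError("set size_kb or duration_s, otherwise nothing rotates")
    args = ["dumpcap", "-i", iface,
            "-w", os.path.join(outdir, prefix + ".pcapng")]
    if size_kb > 0:
        args += ["-b", f"filesize:{size_kb}"]
    if duration_s > 0:
        args += ["-b", f"duration:{duration_s}"]
    if ring_files > 0:
        args += ["-b", f"files:{ring_files}"]
    if stop_after_files > 0:
        args += ["-a", f"files:{stop_after_files}"]
    return args


def run_capture(args):
    """Create the output directory and run dumpcap; Ctrl-C stops it.
    Returns dumpcap's exit status."""
    if shutil.which("dumpcap") is None:
        raise FileNotFoundError("dumpcap not found; install Wireshark")
    os.makedirs(os.path.dirname(args[args.index("-w") + 1]), exist_ok=True)
    return subprocess.call(args)


if __name__ == "__main__":
    # 100 MB or one hour per file, whichever comes first; stop after 24 files
    argv = dumpcap_args("eth0", capture_dir("Outage"), size_kb=100_000,
                        duration_s=3600, stop_after_files=24)
    print(" ".join(argv))
    run_capture(argv)
```

dumpcap names each file prefix_NNNNN_YYYYMMDDHHMMSS.pcapng, exactly as the GUI does, so the interesting files are easy to pick out afterwards by time. Leave ring_files at 0 when you need every file for a later investigation; a ring buffer is for keeping disk usage bounded on a box you are not watching.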

Happy packet capturing!

Feb 18th, 2020 • Filed under Networking, Wireshark

USB Tether to iPhone from Linux

Once you connect your iPhone to the Linux host with a USB cable, you should get the usual Trust dialog, tap Trust, otherwise, the Linux host won’t be able to communicate with the iPhone via the USB cable.

After you trust the iPhone, check the dmesg log for evidence of the iPhone being detected by the computer.

[ 4670.866484] usb 1-2: new high-speed USB device number 6 using xhci_hcd
[ 4671.009493] usb 1-2: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.02
[ 4671.009498] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 4671.009502] usb 1-2: Product: iPhone
[ 4671.009505] usb 1-2: Manufacturer: Apple Inc.
[ 4671.009508] usb 1-2: SerialNumber:
[ 4671.039802] audit: type=1130 audit(1574722083.595:53): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=usbmuxd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 4671.065013] ipheth 1-2:4.2: Apple iPhone USB Ethernet device attached
[ 4671.065133] usbcore: registered new interface driver ipheth
[ 4671.073395] ipheth 1-2:4.2 enp0s20f0u2c4i2: renamed from eth0
[ 4676.306473] ucsi_acpi USBC000:00: PPM NOT RESPONDING

Umm.. enp0s20f0u2c4i2, okay, eth0 would have been fine, but you know… Or you can run ip link to find it.

$ ip link
...
3: enp0s20f0u2c4i2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 3a:53:9c:09:4f:de brd ff:ff:ff:ff:ff:ff

Now that the iPhone is linked with the computer, time to grab an IP address.

$ sudo dhclient enp0s20f0u2c4i2

No errors from dhclient; let’s check if we got our IP address.

$ ip addr
...
5: enp0s20f0u2c4i2:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
     link/ether 3a:53:9c:09:4f:de brd ff:ff:ff:ff:ff:ff
     inet 172.20.10.2/28 brd 172.20.10.15 scope global dynamic noprefixroute enp0s20f0u2c4i2
        valid_lft 84663sec preferred_lft 84663sec
     inet6 fe80::ac11:fcb6:de39:d9b5/64 scope link noprefixroute 
        valid_lft forever preferred_lft forever

Looks good. Let’s test connectivity with a simple ICMP Echo Request.

$ ping cormier.co
PING cormier.co (104.27.175.48) 56(84) bytes of data.
64 bytes from 104.27.175.48: icmp_seq=1 ttl=59 time=21.8 ms
64 bytes from 104.27.175.48: icmp_seq=2 ttl=59 time=27.6 ms  
64 bytes from 104.27.175.48: icmp_seq=3 ttl=59 time=28.5 ms  
64 bytes from 104.27.175.48: icmp_seq=4 ttl=59 time=22.4 ms^C
--- cormier.co ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms  
rtt min/avg/max/mdev = 21.831/25.060/28.464/2.973 ms
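Reading the interface name out of dmesg by eye works once; the script below, an added example that is not part of the original post, parses the ipheth lines for it and builds the dhclient command. The dmesg sample inside it is constructed from the log shown above; on a real host it reads the live kernel log when dmesg is available and permitted.

```python
"""Added example, not code from the original post: find the interface name
the ipheth driver assigned, from dmesg output, then hand it to dhclient.
SAMPLE_DMESG is a constructed sample trimmed from the log in the post."""
import re
import shutil
import subprocess

# Constructed sample, trimmed from the dmesg output in the post.
SAMPLE_DMESG = """\
[ 4671.009493] usb 1-2: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.02
[ 4671.009502] usb 1-2: Product: iPhone
[ 4671.065013] ipheth 1-2:4.2: Apple iPhone USB Ethernet device attached
[ 4671.065133] usbcore: registered new interface driver ipheth
[ 4671.073395] ipheth 1-2:4.2 enp0s20f0u2c4i2: renamed from eth0
"""

# "ipheth <bus-port:config.iface>: Apple iPhone USB Ethernet device attached"
ATTACH_RE = re.compile(r"ipheth (\S+): Apple iPhone USB Ethernet device attached")
# "ipheth <bus-port:config.iface> <ifname>: renamed from <old name>"
RENAME_RE = re.compile(r"ipheth (\S+) (\S+): renamed from (\S+)")


def ipheth_interfaces(dmesg_text):
    """Return {usb_id: ifname} for every attached iPhone Ethernet device.

    The attach line gives the USB id; the later rename line gives the
    final (predictable) interface name. A device that was attached but
    never renamed maps to None, because this log alone does not tell us
    the name the kernel kept.
    """
    found = {}
    for line in dmesg_text.splitlines():
        m = ATTACH_RE.search(line)
        if m:
            found.setdefault(m.group(1), None)
            continue
        m = RENAME_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def dhclient_cmd(ifname):
    """The command the post runs to get an address on the tether."""
    return ["sudo", "dhclient", ifname]


def current_dmesg():
    """Read the live kernel log; fall back to the constructed sample when
    dmesg is missing or not permitted (dmesg_restrict), so the parsing
    can still be demonstrated."""
    if shutil.which("dmesg"):
        res = subprocess.run(["dmesg"], capture_output=True, text=True)
        if res.returncode == 0 and res.stdout:
            return res.stdout
    return SAMPLE_DMESG


if __name__ == "__main__":
    for usb_id, ifname in ipheth_interfaces(current_dmesg()).items():
        if ifname is None:
            print(f"{usb_id}: attached, but no rename line found; run 'ip link'")
        else:
            print(f"{usb_id}: {ifname} ->", " ".join(dhclient_cmd(ifname)))
```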

Dec 3rd, 2019 • Filed under Linux, Networking

Benefits of Your Own Domain

If you have ever changed email providers, you know the pain of updating your email address with every service you use, a number that only grows with each passing day; rinse and repeat if you want to change again. This gets old quickly.

To avoid this change of address every time you switch providers, you can purchase a domain and take full control. Moving to a new email provider then becomes a few DNS record changes and no change of email address: all existing references keep working, just now handled by the new provider.

Having your own domain allows you the flexibility to…

  • Use domain-level services and test them without destroying content, rules, or mailboxes, as it all takes place outside the email solution
  • Move email providers without a change of email address
  • Easily add additional aliases or mailboxes, if your email provider account allows for this.
  • Use domain-level email security, like DKIM or DMARC. More on this later in the article.

Acquiring Domain

You can purchase (register) domains almost anywhere these days and host them in even more places, like Cloudflare and other providers. Depending on the provider you host with, you will have to learn how they manage the zone for your domain. Some have more complex interfaces than others; I prefer consoles with less, but use what you are comfortable with.

Hosting the domain at another provider usually requires domain verification through a DNS TXT record and an update to the SOA record to point to the new provider’s DNS servers. Your domain registrar should have instructions on how to host your domain with a third party.

I purchase my domains from Hover and host them with Cloudflare. Whom you purchase and host domains with is completely up to you; there are hundreds of companies to choose from.

Email Routing

Routing email with your domain requires a specific type of DNS record, the Mail Exchange (MX) record. These records route inbound email for the domain.

At one time you could use custom domains for free at a lot of email providers, but now it’s usually a premium feature.

Adding your domain to your email provider usually requires verification, through DNS or through a file. File verification requires an A record for the base domain pointing at a location you control, so you can upload a file with specific content; an S3 bucket, for example.

My MX records for Proton Mail are:

cormier.co    mail exchanger = 10 mail.protonmail.ch

Email Security

Properly setting up Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) will mitigate email spoofing attacks involving your domain.

Sender Policy Framework (SPF)

Sender Policy Framework is a technology that specifies which IP addresses may send mail for a given domain. At times you might want a third-party service to send email for your domain, such as Mailchimp or an email security solution like Proofpoint, and the SPF record is where those senders are listed.

v=spf1 include:_spf.protonmail.ch mx ~all

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail is used to sign outgoing email: it affixes a digital signature, linked to your domain, to each outgoing message. The recipient can verify the signature by looking up the public key through DNS.

v=DKIM1; k=rsa; p=MIGfMA0GCSqGS...

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC further extends SPF and DKIM with policies: what to do if SPF and/or DKIM fails, plus a third check, alignment. DMARC checks that the domain in the From field aligns with the domains that were authenticated.

Like SPF and DKIM, DMARC uses the concept of a domain owner, the entity or entities that are authorized to make changes to a given domain.

SPF checks that the IP address of the sending server is authorized by the owner of the domain that appears in the SMTP MAIL FROM command. In addition to requiring that the SPF check pass, DMARC additionally checks that the envelope MAIL FROM (“5321.MailFrom”) aligns with the From (“5322.From”) header field.

v=DMARC1; p=quarantine; rua=mailto:[email protected]
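To make the alignment check concrete, the following is an added example (not code from the original post) that parses SPF and DMARC records in the shape of the ones above and evaluates DMARC the way a receiving server does. DNS lookups and the raw SPF and DKIM checks are assumed to have been done already and their results are passed in; the records, domains and report address inside are constructed samples, and the organizational-domain shortcut is a stated simplification.

```python
"""Added example, not code from the original post: parse SPF and DMARC
records and evaluate the DMARC identifier-alignment check described
above. Assumes the SPF and DKIM checks themselves were already performed
(results are passed in). All records and domains below are constructed
samples; example.com stands in for a real domain."""

# Constructed sample records, in the shape of the ones in the post.
SPF_RECORD = "v=spf1 include:_spf.protonmail.ch mx ~all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism) tuples.

    The default qualifier is '+' (pass). The qualifier on 'all' decides
    the fate of senders no earlier mechanism matched: ~all is softfail,
    -all is hard fail.
    """
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        if term[0] in "+-~?":
            terms.append((term[0], term[1:]))
        else:
            terms.append(("+", term))
    return terms


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, filling in the DMARC
    defaults (relaxed alignment for both SPF and DKIM)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplification (assumption): the last two labels. Real receivers use
    the Public Suffix List so that co.uk and friends are handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_disposition(dmarc, header_from, mail_from, spf_pass,
                      dkim_domain, dkim_pass):
    """Return ('pass', reason) or (policy, reason).

    DMARC passes when at least one identifier both passed its own check
    and aligns with the RFC5322.From domain. An SPF pass for an
    unrelated MAIL FROM domain is exactly what alignment is there to
    reject; without it the From header could be anything.
    """
    spf_ok = spf_pass and aligned(header_from, mail_from, dmarc["aspf"])
    dkim_ok = (dkim_pass and dkim_domain is not None
               and aligned(header_from, dkim_domain, dmarc["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "spf aligned" if spf_ok else "dkim aligned"
    return dmarc["p"], "no aligned authenticated identifier"


if __name__ == "__main__":
    policy = parse_dmarc(DMARC_RECORD)
    print(parse_spf(SPF_RECORD))
    print(dmarc_disposition(policy, "example.com", "bounce.example.com", True, None, False))
    print(dmarc_disposition(policy, "example.com", "unrelated.example", True, None, False))
```

The second disposition call is the case the post is warning about: a sender whose own SPF record passes for its own MAIL FROM domain still gets the p= policy applied, because that domain does not align with the From header the recipient actually sees.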

Verify

MXTools has all the necessary tools to verify that email security has been set up correctly and to aid with troubleshooting.

  • Check SPF
  • Check DKIM
  • Check DMARC

Web Content (Optional)

It’s nice to have some type of web content at the root of your domain. For example, for cormier.co the A record points to a WordPress instance, so if someone pastes my domain into a browser, they end up at this blog.

This blog is hosted on a Linux instance running WordPress, blah, blah, blah. The root DNS A record for my domain is a Cloudflare endpoint that proxies to my Linux instance.

> cormier.co
Server:        10.0.70.2
Address:       10.0.70.2#53
Non-authoritative answer:
Name:    cormier.co
Address: 104.27.175.48
>

You can point it anywhere, a public Amazon S3 bucket would work just as well as a WordPress instance.

Namespaces

If you use the same usernames across the different services your domain can be set up to use, you can unify the namespace, so [email protected] is your SSH username as well as your email address. This might not be a requirement for your situation, but it’s something I like to do to avoid multiple namespaces.

Happy computing!

Nov 17th, 2019 • Filed under Best Practices, DNS, S3

Consolidate Messaging

Do Not Disturb: The iOS Feature You Should be Using

Take control of that dopamine-inducing device you carry everywhere with you, by silencing notifications at the times your attention is needed most.

Smartphones, the wonderful devices invented at the turn of the century, came into their own with iPhone and Android. Not to mention the billions of notifications from Nokia, Motorola, and BlackBerry devices from years prior.

Over the years, the amount of time these smartphones steal from us in the run of a day has only grown. Text messages, emails, phone calls (does anybody answer these?), and apps all send notifications for your eyeballs.

To avoid this I have been using the Do Not Disturb (DND) feature of Apple’s iOS. This feature allows me to silence notifications on a schedule, while still letting my Favorites through, so necessary contacts can reach me.

You can also set up Auto-Reply messages if you want to inform contacts that you have DND turned on, letting them know that you are unable to respond at the moment but will get back to them.

Once you have DND set to your liking, your day will be much smoother and you can check your notifications when you see fit. All the notifications still come in as normal; you just won’t see or hear them. Still allow important Contacts through for emergencies.

Your consolidation of messaging has begun, enjoy the newfound silence, once easily obtainable in the pre-smartphone era.

Jul 9th, 2019 • Filed under Apple, iOS

Security Debunk: Security Challenge Questions

The security field has umpteen myths and quirks that people believe, giving them a false sense of security. One of the most common is security challenge questions.

This feature usually comes in the form of picking from a list of questions, or supplying your own, and then supplying your answers.

In its basic form the challenge questions are used as a poor man’s second factor or as part of an account recovery feature.

What is happening here?

People think that nobody but them would be able to find or guess the answers to their personal questions. In reality this information is likely a click away. It provides little to no additional security to your account; if anything it makes your account less secure, giving attackers an avenue to gain access to it.

Attackers can obtain your information in numerous ways: another breach, if your information was among the millions of records stolen or leaked; social media; old account statements; etc.

Two Factor Authentication (2FA)

If you combine two components, you can improve your security posture greatly. A great example is a bank ATM card: access to your bank account requires possession of the card plus your PIN.

This would be a code from an authenticator app, a physical token, or a text message to a mobile phone. My favorite physical token is the YubiKey by Yubico. For virtual tokens I use LastPass Authenticator, but any 2FA app can be used, like Microsoft Authenticator or Authy.

Note: Text/SMS two-factor methods have come under scrutiny recently due to attackers social engineering telco customer service agents into activating the account on another SIM, aptly named the SIM swap scam. This type of attack isn’t preventable by the user, as it’s an attack on the mobile carrier’s process, not an attack on the technology.

Tip

If you have to use security questions, meaning there is no other service that provides what you want, consider choosing fake answers to your security questions. Answers that aren’t true will be harder to obtain or guess.

Happy secure surfing!

Jul 4th, 2019 • Filed under Access Control, Security