A paper on closing possible holes - Security Discussion

An interesting read :
Closing Open Holes
#JDevil#
With the spread of Hackers and Hacking incidents, the time has come, when not only system administrators of servers of big companies, but also people who connect to the Internet by dialing up into their ISP, have to worry about securing their system. It really does not make much difference whether you have a static IP or a dynamic one, if your system is connected to the Internet, then there is every chance of it being attacked.
This manual is aimed at discussing methods of system security analysis and will shed light on as to how to secure your standalone (also a system connected to a LAN) system.
Open Ports: A Threat to Security?
Now, which option is used to display all open connections on the local machine. It also returns the remote system to which we are connected to, the port numbers of the remote system we are connected to (and the local machine) and also the type and state of connection we have with the remote system.
For Example,
C:\windows>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
TCP ankit:1036 dwarf.box.sk:ftp-data TIME_WAIT
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1045 mail2.mtnl.net.inop3 TIME_WAIT
TCP ankit:1052 zztop.boxnetwork.net:80 ESTABLISHED
TCP ankit:1053 mail2.mtnl.net.inop3 TIME_WAIT
UDP ankit:1025 *:*
UDP ankit:nbdatagram *:*
Now, let us take a single line from the above output and see what it stands for:
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
Now, the above can be arranged as below:
Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP or sometimes even, IP or Internet Protocol.)
Local System Name: ankit (This is the name of the local system that you set during the Windows setup.)
Local Port opened and being used by this connection: 1031
Remote System: dwarf.box.sk (This is the non-numerical form of the system to which we are connected.)
Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to which we are connected.)
State of Connection: ESTABLISHED
Netstat? with the ? argument is normally used, to get a list of open ports on your own system i.e. on the local system. This can be particularly useful to check and see whether your system has a Trojan installed or not. Yes, most good Antiviral software are able to detect the presence of Trojans, but, we are hackers, and need to software to tell us, whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the ?Scan? button and let some software do it.
The following is a list of Trojans and the port numbers which they use, if you Netstat yourself and find any of the following open, then you can be pretty sure, that you are infected.
Port 12345(TCP) Netbus
Port 31337(UDP) Back Orifice
For complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/trojans.txt
----
Now, the above tutorial resulted in a number of people raising questions like: If the 'netstat -a' command shows open ports on my system, does this mean that anyone can connect to them? Or, How can I close these open ports? How do I know if an open port is a threat to my system's security of not? Well, the answer to all these question would be clear, once you read the below paragraph:
Now, the thing to understand here is that, Port numbers are divided into three ranges:
The Well Known Ports are those from 0 through 1023. This range or ports is bound to the services running on them. By this what I mean is that each port usually has a specific service running on it. You see there is an internationally accepted Port Numbers to Services rule, (refer RFC 1700 Here) which specifies as to on what port number a particular service runs. For Example, By Default or normally FTP runs on Port 21. So if you find that Port 21 is open on a particular system, then it usually means that that particular system uses the FTP Protocol to transfer files. However, please note that some smart system administrators delibrately i.e. to fool lamers run fake services on popular ports. For Example, a system might be running a fake FTP daemon on Port 21. Although you get the same interface like the FTP daemon banner, response numbers etc, however, it actually might be a software logging your prescence and sometimes even tracing you!!!
The Registered Ports are those from 1024 through 49151. This range of port numbers is not bound to any specific service. Actually, Networking utlites like your Browser, Email Client, FTP software opens a random port within this range and starts a communication with the remote server. A port number within this range is the reason why you are able to surf the net or check your email etc.
If you find that when you give the netstat -a command, then a number of ports within this range are open, then you should probably not worry. These ports are simply opened so that you can get your software applications to do what you want them to do. These ports are opened temporarily by various applications to perform tasks. They act as a buffer transfering packets (data) received to the application and vis-a-versa. Once you close the application, then you find that these ports are closed automatically. For Example, when you type www.hotmail.com in your browser, then your browser randomly chooses a Registered Port and uses it as a buffer to communicate with the various remote servers involved.
The Dynamic and/or Private Ports are those from 49152 through 65535. This range is rarely used, and is mostly used by trojans, however some application do tend to use such high range port numbers. For Example,Sun starts their RPC ports at 32768.
So this basically brings us to what to do if you find that Netstat gives you a couple of open ports on your system:
1. Check the Trojan Port List and check if the open port matches with any of the popular ones. If it does then get a trojan Removal and remove the trojan.
2. If it doesn't or if the Trojan Remover says: No trojan found, then see if the open port lies in the registered Ports range. If yes, then you have nothing to worry, so forget about it.
***********************
HACKING TRUTH: A common technique employed by a number of system administrators, is remapping ports. For example, normally the default port for HTTP is 80. However, the system administrator could also remap it to Port 8080. Now, if that is the case, then the homepage hosted at that server would be at:
http://domain.com:8080 instead of
http://domain.com:80
The idea behind Port Remapping is that instead of running a service on a well known port, where it can easily be exploited, it would be better to run it on a not so well known port, as the hacker, would find it more difficult to find that service. He would have to port scan high range of numbers to discover port remapping.
The ports used for remapping are usually pretty easy to remember. They are choosen keeping in mind the default port number at which the service being remapped should be running. For Example, POP by default runs on Port 110. However, if you were to remap it, you would choose any of the following: 1010, 11000, 1111 etc etc
Some sysadmins also like to choose Port numbers in the following manner: 1234,2345,3456,4567 and so on... Yet another reason as to why Port Remapping is done, is that on a Unix System to be able to listen to a port under 1024, you must have root previledges.
************************
Firewalls
Use of Firewalls is no longer confined to servers or websites or commerical companies. Even if you simply dial up into your ISP or use PPP (Point to Point Protocol) to surf the net, you simply cannot do without a firewall. So what exactly is a firewall?
Well, in non-geek language, a firewall is basically a shield which protects your system from the untrusted non-reliable systems connected to the Internet. It is a software which listens to all ports on your system for any attempts to open a connection and when it detects such an attempt, then it reacts according to the predefined set of rules. So basically, a firewall is something that protects the network(or systen) from the Internet. It is derived from the concept of firewalls used in vehicles which is a barrier made of fire resistant material protecting the vehicle in case of fire.
Now, for a better 'according to the bible' defination of a firewall: A firewall is best described as a software or hardware or both Hardware and Software packet filter that allows only selected packets to pass through from the Internet to your private internal network. A firewall is a system or a group of systems which guard a trusted network( The Internal Private Network from the untrusted network (The Internet.)
NOTE: This was a very brief desciption of what a firewall is, I would not be going into the details of their working in this manual.
Anyway,the term 'Firewalls', (which were generally used by companies for commerical purposes) has evolved into a new term called 'Personal Firewalls'. Now this term is basically used to refer to firewalls installed on a standalone system which may or may not be networked i.e. It usually connects to an ISP. Or in other words a personal firewall is a firewall used for personal use.
Now that you have a basic desciption as to what a firewall is, let us move on to why exactly you need to install a Firewall? Or, how can not installing a firewall pose a threat to the security of your system?
You see, when you are connected to the Internet, then you have millions of other untrusted systems connected to it as well. If somehow someone found out your IP address, then they could do probably anything to your system. They could exploit any vulnerability existing in your system, damage your data, and even use your system to hack into other computers.
Finding out someone'e IP Address is not very difficult. Anybody can find out your IP, through various Chat Services, Instant Messengers (ICQ, MSN, AOL etc), through a common ISP and numerous other ways. Infact finding out the IP Address of a specific person is not always the priority of some hackers.
What I mean to say by that is that there are a number of Scripts and utilities available which scan all IP addresses between a certain range for predefined common vulnerabilities. For Example, Systems with File Sharing Enabled or a system running an OS which is vulnerable to the Ping of Death attack etc etc As soon as a vulnerable system is found, then they use the IP to carry out the attacks.
The most common scanners look for systems with RAT's or Remote Administration Tools installed. They send a packet to common Trojan ports and display whether the victim's system has that Trojan installed or not. The 'Scan Range of IP Addresses' that these programs accept are quite wide and one can easily find a vulnerable system in the matter of minutes or even seconds.
Trojan Horses like Back Orifice provide remote access to your system and can set up a password sniffer. The combination of a back door and a sniffer is a dangerous one: The back door provides future remote access, while the sniffer may reveal important information about you like your other Passwords, Bank Details, Credit Card Numbers, Social Security Number etc If your home system is connected to a local LAN and the attacker manages to install a backdoor on it, then you probably have given the attacker the same access level to your internal network, as you have. This wouls also mean that you will have created a back door into your network that bypasses any firewall that may be guarding the front door.
You may argue with me that as you are using a dial up link to your ISP via PPP, the attacker would be able to access your machine only when you are online. Well, yes that is true, however, not completely true. Yes, it does make access to your system when you reconnect, difficult, as you have a dynamic Internet Protocol Address. But, although this provides a faint hope of protection, routine scanning of the range of IP's in which your IP lies, will more often than not reveal your current Dynamic IP and the back door will provide access to your system.
*******************
HACKING TRUTH: Microsoft Says: War Dialer programs automatically scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, a War Dialer won't discover it. However, PPP changes the equation, as it provides bidirectional transportmaking any connected system visible to scanners?and attackers.
*******************
So how do I protect myself from such Scans and unsolicitated attacks? Well, this is where Personal Firewalls come in. They just like their name suggests, protect you from unsolicitated connection probes, scans, attacks.
They listen to all ports for any connection requests received (from both legitimate and fake hosts) and sent (by applications like Browser, Email Client etc.) As soon as such an instance is recorded, it pops up a warning asking you what to do or whether to allow the connection to initiate or not. This warning message also contains the IP which is trying to initiate the connection and also the Port Number to which it is trying to connect i.e. the Port to which the packet was sent. It also protects your system from Port Scans, DOS Attacks, Vulnerability attacks etc. So basically it acts as a shield or a buffer which does not allow your system to communicate with the untrusted systems directly.
Most Personal Firewalls have extensive logging facilities which allows you to track down the attackers. Some popular firewalls are:
ZoneAlarm: The easiest to setup and manage firewall. Get it for free at: www.zonelabs.com
Once you have installed a firewall on your system, you will often get a number of Warnings which might seem to be as if someone is trying to break into your system, however, they are actually bogus messages, which are caused by either your OS itself or due to the process called Allocation of Dynamic IP's. For a details description of these two, read on.
Many people complain that as soon as they dial into their ISP, their firewall says that such and such IP is probing Port X. What causes them?
Well, this is quite common. The cause is that somebody hung up just before you dialed in and your ISP assigned you the same IP address. You are now seeing the remains of communication with the previous person. This is most common when the person to which the IP was assigned earlier was using ICQ or chat programs, was connected to a Game Server or simply turned off his modem before his communication with remote servers was complete.
You might even get a message like: Such and Such IP is trying to initaite a Netbios Session on Port X. This again is extrememly common. The following is an explanation as to why it happens, which I picked up a couple of days ago: NetBIOS requests to UDP port 137 are the most common item you will see in your firewall reject logs. This comes about from a feature in Microsoft's Windows: when a program resolves an IP address into a name, it may send a NetBIOS query to IP address. This is part of the background radiation of the Internet, and is nothing to be concerned about.
What Causes them? On virtually all systems (UNIX, Macintosh, Windows), programs call the function 'gethostbyaddr()' with the desired address. This function will then do the appropriate lookup, and return the name. This function is part of the sockets API. The key thing to remember about gethostbyaddr() is that it is virtual. It doesn't specify how it resolves an address into a name. In practice, it will use all available mechanisms. If we look at UNIX, Windows, and Macintosh systems, we see the following techniques:
DNS in-addr.arpa PTR queries sent to the DNS server
NetBIOS NodeStatus queries sent to the IP address
lookups in the /etc/hosts file
AppleTalk over IP name query sent to the IP address
RPC query sent to the UNIX NIS server
NetBIOS lookup sent to the WINS server
Windows systems do the /etc/hosts, DNS, WINS, and NodeStatus techniques. In more excruciating detail, Microsoft has a generic system component called a naming service. All the protocol stacks in the system (NetBIOS, TCP/IP, Novel IPX, AppleTalk, Banyan, etc.) register the kinds of name resolutions they can perform. Some RPC products will likewise register an NIS naming service. When a program requests to resolve an address, this address gets passed onto the generic naming service. Windows will try each registered name resolution subsystem sequentially until it gets an answer.
(Side note: User's sometimes complained that accessing Windows servers is slow. This is caused by installing unneeded protocol stacks that must timeout first before the real protocol stack is queried for the server name.).
The order in which it performs these resolution steps for IP addresses can be configured under the Windows registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider.
Breaking Through Firewalls
Although Firewalls are meant to provide your complete protection from Port Scan probes etc there are several holes existing in popular firewalls, waiting to be exploited. In this issue, I will discuss a hole in ZoneAlarm Version 2.1.10 to 2.0.26, which allows the attacker to port scan the target system (Although normally it should stop such scans.)
If one uses port 67 as the source port of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means, that one can TCP or UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.
Exploit:
UDP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sU 192.168.128.88
(Notice the -g67 which specifies source port).
TCP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sS 192.168.128.88
(Notice the -g67 which specifies source port).
JDevil

Related

Closing open holes

An interesting read
Closing Open Holes
#JDevil#
With the spread of Hackers and Hacking incidents, the time has come, when not only system administrators of servers of big companies, but also people who connect to the Internet by dialing up into their ISP, have to worry about securing their system. It really does not make much difference whether you have a static IP or a dynamic one, if your system is connected to the Internet, then there is every chance of it being attacked.
This manual is aimed at discussing methods of system security analysis and will shed light on as to how to secure your standalone (also a system connected to a LAN) system.
Open Ports: A Threat to Security?
Now, which option is used to display all open connections on the local machine. It also returns the remote system to which we are connected to, the port numbers of the remote system we are connected to (and the local machine) and also the type and state of connection we have with the remote system.
For Example,
C:\windows>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
TCP ankit:1036 dwarf.box.sk:ftp-data TIME_WAIT
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1045 mail2.mtnl.net.inop3 TIME_WAIT
TCP ankit:1052 zztop.boxnetwork.net:80 ESTABLISHED
TCP ankit:1053 mail2.mtnl.net.inop3 TIME_WAIT
UDP ankit:1025 *:*
UDP ankit:nbdatagram *:*
Now, let us take a single line from the above output and see what it stands for:
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
Now, the above can be arranged as below:
Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP or sometimes even, IP or Internet Protocol.)
Local System Name: ankit (This is the name of the local system that you set during the Windows setup.)
Local Port opened and being used by this connection: 1031
Remote System: dwarf.box.sk (This is the non-numerical form of the system to which we are connected.)
Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to which we are connected.)
State of Connection: ESTABLISHED
Netstat? with the ? argument is normally used, to get a list of open ports on your own system i.e. on the local system. This can be particularly useful to check and see whether your system has a Trojan installed or not. Yes, most good Antiviral software are able to detect the presence of Trojans, but, we are hackers, and need to software to tell us, whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the ?Scan? button and let some software do it.
The following is a list of Trojans and the port numbers which they use, if you Netstat yourself and find any of the following open, then you can be pretty sure, that you are infected.
Port 12345(TCP) Netbus
Port 31337(UDP) Back Orifice
For complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/trojans.txt
----
Now, the above tutorial resulted in a number of people raising questions like: If the 'netstat -a' command shows open ports on my system, does this mean that anyone can connect to them? Or, How can I close these open ports? How do I know if an open port is a threat to my system's security of not? Well, the answer to all these question would be clear, once you read the below paragraph:
Now, the thing to understand here is that, Port numbers are divided into three ranges:
The Well Known Ports are those from 0 through 1023. This range or ports is bound to the services running on them. By this what I mean is that each port usually has a specific service running on it. You see there is an internationally accepted Port Numbers to Services rule, (refer RFC 1700 Here) which specifies as to on what port number a particular service runs. For Example, By Default or normally FTP runs on Port 21. So if you find that Port 21 is open on a particular system, then it usually means that that particular system uses the FTP Protocol to transfer files. However, please note that some smart system administrators delibrately i.e. to fool lamers run fake services on popular ports. For Example, a system might be running a fake FTP daemon on Port 21. Although you get the same interface like the FTP daemon banner, response numbers etc, however, it actually might be a software logging your prescence and sometimes even tracing you!!!
The Registered Ports are those from 1024 through 49151. This range of port numbers is not bound to any specific service. Actually, Networking utlites like your Browser, Email Client, FTP software opens a random port within this range and starts a communication with the remote server. A port number within this range is the reason why you are able to surf the net or check your email etc.
If you find that when you give the netstat -a command, then a number of ports within this range are open, then you should probably not worry. These ports are simply opened so that you can get your software applications to do what you want them to do. These ports are opened temporarily by various applications to perform tasks. They act as a buffer transfering packets (data) received to the application and vis-a-versa. Once you close the application, then you find that these ports are closed automatically. For Example, when you type www.hotmail.com in your browser, then your browser randomly chooses a Registered Port and uses it as a buffer to communicate with the various remote servers involved.
The Dynamic and/or Private Ports are those from 49152 through 65535. This range is rarely used, and is mostly used by trojans, however some application do tend to use such high range port numbers. For Example,Sun starts their RPC ports at 32768.
So this basically brings us to what to do if you find that Netstat gives you a couple of open ports on your system:
1. Check the Trojan Port List and check if the open port matches with any of the popular ones. If it does then get a trojan Removal and remove the trojan.
2. If it doesn't or if the Trojan Remover says: No trojan found, then see if the open port lies in the registered Ports range. If yes, then you have nothing to worry, so forget about it.
***********************
HACKING TRUTH: A common technique employed by a number of system administrators, is remapping ports. For example, normally the default port for HTTP is 80. However, the system administrator could also remap it to Port 8080. Now, if that is the case, then the homepage hosted at that server would be at:
http://domain.com:8080 instead of
http://domain.com:80
The idea behind Port Remapping is that instead of running a service on a well known port, where it can easily be exploited, it would be better to run it on a not so well known port, as the hacker, would find it more difficult to find that service. He would have to port scan high range of numbers to discover port remapping.
The ports used for remapping are usually pretty easy to remember. They are choosen keeping in mind the default port number at which the service being remapped should be running. For Example, POP by default runs on Port 110. However, if you were to remap it, you would choose any of the following: 1010, 11000, 1111 etc etc
Some sysadmins also like to choose Port numbers in the following manner: 1234,2345,3456,4567 and so on... Yet another reason as to why Port Remapping is done, is that on a Unix System to be able to listen to a port under 1024, you must have root previledges.
************************
Firewalls
Use of Firewalls is no longer confined to servers or websites or commerical companies. Even if you simply dial up into your ISP or use PPP (Point to Point Protocol) to surf the net, you simply cannot do without a firewall. So what exactly is a firewall?
Well, in non-geek language, a firewall is basically a shield which protects your system from the untrusted non-reliable systems connected to the Internet. It is a software which listens to all ports on your system for any attempts to open a connection and when it detects such an attempt, then it reacts according to the predefined set of rules. So basically, a firewall is something that protects the network(or systen) from the Internet. It is derived from the concept of firewalls used in vehicles which is a barrier made of fire resistant material protecting the vehicle in case of fire.
Now, for a better 'according to the bible' defination of a firewall: A firewall is best described as a software or hardware or both Hardware and Software packet filter that allows only selected packets to pass through from the Internet to your private internal network. A firewall is a system or a group of systems which guard a trusted network( The Internal Private Network from the untrusted network (The Internet.)
NOTE: This was a very brief desciption of what a firewall is, I would not be going into the details of their working in this manual.
Anyway,the term 'Firewalls', (which were generally used by companies for commerical purposes) has evolved into a new term called 'Personal Firewalls'. Now this term is basically used to refer to firewalls installed on a standalone system which may or may not be networked i.e. It usually connects to an ISP. Or in other words a personal firewall is a firewall used for personal use.
Now that you have a basic desciption as to what a firewall is, let us move on to why exactly you need to install a Firewall? Or, how can not installing a firewall pose a threat to the security of your system?
You see, when you are connected to the Internet, then you have millions of other untrusted systems connected to it as well. If somehow someone found out your IP address, then they could do probably anything to your system. They could exploit any vulnerability existing in your system, damage your data, and even use your system to hack into other computers.
Finding out someone'e IP Address is not very difficult. Anybody can find out your IP, through various Chat Services, Instant Messengers (ICQ, MSN, AOL etc), through a common ISP and numerous other ways. Infact finding out the IP Address of a specific person is not always the priority of some hackers.
What I mean to say by that is that there are a number of Scripts and utilities available which scan all IP addresses between a certain range for predefined common vulnerabilities. For Example, Systems with File Sharing Enabled or a system running an OS which is vulnerable to the Ping of Death attack etc etc As soon as a vulnerable system is found, then they use the IP to carry out the attacks.
The most common scanners look for systems with RAT's or Remote Administration Tools installed. They send a packet to common Trojan ports and display whether the victim's system has that Trojan installed or not. The 'Scan Range of IP Addresses' that these programs accept are quite wide and one can easily find a vulnerable system in the matter of minutes or even seconds.
Trojan Horses like Back Orifice provide remote access to your system and can set up a password sniffer. The combination of a back door and a sniffer is a dangerous one: The back door provides future remote access, while the sniffer may reveal important information about you like your other Passwords, Bank Details, Credit Card Numbers, Social Security Number etc If your home system is connected to a local LAN and the attacker manages to install a backdoor on it, then you probably have given the attacker the same access level to your internal network, as you have. This wouls also mean that you will have created a back door into your network that bypasses any firewall that may be guarding the front door.
You may argue with me that as you are using a dial up link to your ISP via PPP, the attacker would be able to access your machine only when you are online. Well, yes that is true, however, not completely true. Yes, it does make access to your system when you reconnect, difficult, as you have a dynamic Internet Protocol Address. But, although this provides a faint hope of protection, routine scanning of the range of IP's in which your IP lies, will more often than not reveal your current Dynamic IP and the back door will provide access to your system.
*******************
HACKING TRUTH: Microsoft Says: War Dialer programs automatically scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, a War Dialer won't discover it. However, PPP changes the equation, as it provides bidirectional transportmaking any connected system visible to scanners?and attackers.
*******************
So how do I protect myself from such Scans and unsolicitated attacks? Well, this is where Personal Firewalls come in. They just like their name suggests, protect you from unsolicitated connection probes, scans, attacks.
They listen to all ports for any connection requests received (from both legitimate and fake hosts) and sent (by applications like Browser, Email Client etc.) As soon as such an instance is recorded, it pops up a warning asking you what to do or whether to allow the connection to initiate or not. This warning message also contains the IP which is trying to initiate the connection and also the Port Number to which it is trying to connect i.e. the Port to which the packet was sent. It also protects your system from Port Scans, DOS Attacks, Vulnerability attacks etc. So basically it acts as a shield or a buffer which does not allow your system to communicate with the untrusted systems directly.
Most Personal Firewalls have extensive logging facilities which allows you to track down the attackers. Some popular firewalls are:
ZoneAlarm: The easiest to setup and manage firewall. Get it for free at: www.zonelabs.com
Once you have installed a firewall on your system, you will often get a number of Warnings which might seem to be as if someone is trying to break into your system, however, they are actually bogus messages, which are caused by either your OS itself or due to the process called Allocation of Dynamic IP's. For a details description of these two, read on.
Many people complain that as soon as they dial into their ISP, their firewall says that such and such IP is probing Port X. What causes them?
Well, this is quite common. The cause is that somebody hung up just before you dialed in and your ISP assigned you the same IP address. You are now seeing the remains of communication with the previous person. This is most common when the person to which the IP was assigned earlier was using ICQ or chat programs, was connected to a Game Server or simply turned off his modem before his communication with remote servers was complete.
You might even get a message like: Such and Such IP is trying to initaite a Netbios Session on Port X. This again is extrememly common. The following is an explanation as to why it happens, which I picked up a couple of days ago: NetBIOS requests to UDP port 137 are the most common item you will see in your firewall reject logs. This comes about from a feature in Microsoft's Windows: when a program resolves an IP address into a name, it may send a NetBIOS query to IP address. This is part of the background radiation of the Internet, and is nothing to be concerned about.
What Causes them? On virtually all systems (UNIX, Macintosh, Windows), programs call the function 'gethostbyaddr()' with the desired address. This function will then do the appropriate lookup, and return the name. This function is part of the sockets API. The key thing to remember about gethostbyaddr() is that it is virtual. It doesn't specify how it resolves an address into a name. In practice, it will use all available mechanisms. If we look at UNIX, Windows, and Macintosh systems, we see the following techniques:
DNS in-addr.arpa PTR queries sent to the DNS server
NetBIOS NodeStatus queries sent to the IP address
lookups in the /etc/hosts file
AppleTalk over IP name query sent to the IP address
RPC query sent to the UNIX NIS server
NetBIOS lookup sent to the WINS server
Windows systems do the /etc/hosts, DNS, WINS, and NodeStatus techniques. In more excruciating detail, Microsoft has a generic system component called a naming service. All the protocol stacks in the system (NetBIOS, TCP/IP, Novel IPX, AppleTalk, Banyan, etc.) register the kinds of name resolutions they can perform. Some RPC products will likewise register an NIS naming service. When a program requests to resolve an address, this address gets passed onto the generic naming service. Windows will try each registered name resolution subsystem sequentially until it gets an answer.
(Side note: User's sometimes complained that accessing Windows servers is slow. This is caused by installing unneeded protocol stacks that must timeout first before the real protocol stack is queried for the server name.).
The order in which it performs these resolution steps for IP addresses can be configured under the Windows registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider.
Breaking Through Firewalls
Although Firewalls are meant to provide your complete protection from Port Scan probes etc there are several holes existing in popular firewalls, waiting to be exploited. In this issue, I will discuss a hole in ZoneAlarm Version 2.1.10 to 2.0.26, which allows the attacker to port scan the target system (Although normally it should stop such scans.)
If one uses port 67 as the source port of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means, that one can TCP or UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.
Exploit:
UDP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sU 192.168.128.88
(Notice the -g67 which specifies source port).
TCP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sS 192.168.128.88
(Notice the -g67 which specifies source port).
JDevil
Nice tutorial! Thanks!...But while having a look at the topic I had to smile... Vulnerabilities sounds better.
Lol exactly hahhahahah , thanks for the kind words
Sent from my SAMSUNG-SGH-I317 using xda app-developers app
Pretty amazing read, I'm impressed. What OS do you you on your home PC jeremyandroid? just curious?
js663k1 said:
Pretty amazing read, I'm impressed. What OS do you you on your home PC jeremyandroid? just curious?
Click to expand...
Click to collapse
Kali Linux, been a while bro, still got your badge I'm signature hahahha nice ,even though I havnt done anything in a long time but papers .

[Q] How do i analyse ssl network traffic in apps on uncommon ports?

I recently started looking into the data applications, especially the free ones send to the net.
I wanted to know if they leak personal data to their coders.
Therefore i decided to redirect connections through a proxy software on my computer.
I installed http://www.charlesproxy.com/ and added their ssl ca to the trusted certificates on my cellphone.
It was quite intresting to see what kind of requests certain apps make to the internet, especially when you look inside the ssl encrypted connections.
I then found out that some connections seemed to be missing from that analysis, not enough traffic showed up in the proxy compared to the network activity.
So i used https://play.google.com/store/apps/details?id=lv.n3o.shark and the resulting file was quite a few times bigger.
It contained connections to other ports than 80/443 which i saw in charles.
So my questions are: Does Android ignore the proxy for non http(s) requests?
How can i redirect EVERY request to my computer and strip the ssl from it to look inside?
I suspect some of the applications to use basic stuff like json, xmpp and xml but cannot proof it currently.
As a beginner, i might also be using the wrong tools.
You may be able to run tcpdump on your router to see what exactly your phone is connecting to, then see if it corresponds to your proxy traffic.
that does not help to look inside the ssl encrypted tunnel unfortunately

[Feature Request] unbound DNSSEC

Yes, I know, I'll likely be the one working on this having requested it.
Admittedly, there are a lot of usability issues with redirecting outbound DNS queries from the Android resolver to a local resolver. Most problematic are when the DHCP-specified DNS servers are to be trusted (such as on trusted WiFi or trusted VPN that has "private" address information).
Assuming that those could be worked through in some reasonable way (I haven't looked at what M offers for notification and the like, but am not terribly happy with the way that WiFi Privacy prompts when it finds an unknown MAC), I'd like to suggest that "we" look at unbound as it supplies DNSSEC, as well as being arguably more robust and secure than something like dnsmasq.
There has been some good work done on the executable port:
https://unbound.net/pipermail/unbound-users/2015-August/003976.html
https://github.com/smarek/android-unbound-dns
There will likely be additional complexities with Google dropping OpenSSL in favor of BoringSSL.
(The SSL library change will likely impact ssh and rsync on my phone, which I use for backup, so getting both of those to build again under M will be a higher priority for me)
I think the most challenging parts will be the UX on how to control it as well as getting the redirection to play nicely with widely used firewall tools out there such as AFWall.
I'll at least be thinking about that UX part. Without that, it won't have the utility to balance the cost.

[Closed] keweonDNS - now with improved Certificate (iOS, Mac & Android)

Please read this first! ​
The entire system is build up for demonstration and should show a new way to protect against Internet and Online threats. It should demonstrate that it is possible within the Internet to protect user, devices and there data.
The entire System is a pure & 100% DNS filter system without the usage of any kind of proxy. My goal is it to proof security is possible without using any kind of proxy.
A lot of sites using HTTPS communications within the Internet and therefore I offer a special self signed Root Certificate which block any existing domain on the blacklist with a valid HTTPS connection. Different sites using broken HTTPS Traffic to detect Adblock technologies and some sites might require the keweon Root Certificate. All HTTPS connections are only used to prevent browser and application errors within your Operation Systems.
From the technical point of few a root certificate and just a DNS server is never a threat for any users or any kind of data. The entire system is protected within various ways to prevent data stealing from users and devices.
For actual reasons and because of many discussions I want to inform you about threat possibilities:
1. DNS Server which are not DNS Server and they act as (transparent) Proxy are able to redirect the entire user traffic for Data Analysis or Data stealing.​
2. DNS Server which are not DNS Server and they act as (transparent) Proxy can easily redirect traffic to a Web Server and infect your system with this kind of online threats:
Botnets, Cryptoware, Fake Software, Malware, Miningware, Online Worms, Phishing, Ransomware, Remote Keyloggers, Rogue Security Software, Spyware, Trojans and Virus.
This kind of infections are possible via HTTP (via 80 or any other port) or HTTPS (via 443 or any other port) with or without a valid SSL Certificate. A single Let'sEncrypt can easily support this kind of Online Threats.​
3. DNS Server which are not DNS Server and they act as (transparent) Proxy can use all methods of attacks in Point 2 to act as Botnet or Cache Server to spread this kind of attacks by a simple HTTP infection and download additional payload via HTTP (via 80 or any other port) or HTTPS (via 443 or any other port) with a single Let'sEncrypt certificate.​
4. DNS Server which are not DNS Server and they act as (transparent) Proxy can use a self signed root certificate to steal passwords and logins when you install this. The keweon Root Certificate is designed to protect users and against HTTPS errors which will happens because of filter or blocking HTTPS traffic. When a keweonDNS Server is setup as a (transparent) Proxy it is possible to redirect the entire user traffic and get user login and passwords which is generally known as "MITM ATTACK".
Please take note that the usage of a Root Certificate from someone you don't know can cause serious problems when the Server is build up to target user. With a MITM Attack it is possible to get data, passwords and logon credentials.​
5. The entire keweonDNS Project is build and invented to protect users, there Data and its protecting against almost all Online threats. Various fuses are build into the entire environments many times.​
6. The keweon Servers do not any kind of Data collection. This is one of my core visions. Why I should build up a system which prevent data collection system and then I will do it by myself? There is also NO (!) Data Collection even on Servers OS Level.​
The entire keweonDNS System runs public with global access since 2014. At this point let me say thanks a lot to all users for there trust into me and the entire keweonDNS solution.
Thanks a lot to each single user!!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
​
**************************************************************
Business inquires: Please see contact information section below.
***************************************************************
**************************************************************
Keweon quick start.
Read the available servers and certificate sections now if you already know what you are doing. New users please skip to the "About Keweon" section below and return to the DNS and Certificate sections later:
**************************************************************
**************************************************************
Available DNS servers (choose one primary and one secondary):
Main Servers:
IP: 176.9.62.58
IP: 176.9.62.62
or
IPv6: 2a01:4f8:150:8023::58
IPv6: 2a01:4f8:150:8023::62
Click to expand...
Click to collapse
Update November 28, 2018:
If you have installed the root certificate, I recommend that you use these two servers. This servers can be used without certificate but a lot of sites will not porpper work.
IPv4: 213.239.207.143
IPv6: 2a01:4f8:a0:8487::143
IPv4: 107.191.55.215
IPv6: 2001:19f0:6401:175d::215
Click to expand...
Click to collapse
These servers have special blocklist entries which blocks things such as graph.facebook.com, pixel.facebook.com, all amazon-adsystem.com domains and all the things which are normaly not possible to block without any impact to apps, websites and other things. Also, this blocks special domains for YouTube which prevents data transmission to them.
**************************************************************
Available Server List for keweon Privacy & Security
(Server Edition keweonDNS v.6.80.280.LL)
Australia / Sidney: (vServer)
k1ns-au-001.keweon.center
45.76.125.130
2001:19f0:5801:b45::130
France / Paris: (vServer)
k1ns-fr-001.keweon.center
45.77.62.37
2001:19f0:6801:95e::37
Germany / Frankfurt (vServer)
k1ns-de-001.keweon.center
104.207.131.11
2001:19f0:6c01:61f::11
India / Bangalore (vServer)
k1ns-in-001.keweon.center
IPv4: 139.59.33.236
IPv6: 2400:6180:100:d0::30d:5001
Japan / Tokio (vServer)
k1ns-jp-001.keweon.center
45.77.25.72
2001:19f0:7001:22a8::72
Netherland / Amsterdam (vServer)
k1ns-nl-001.keweon.center
45.77.138.206
2001:19f0:5001:d8d::206
Singapore / Singapore: (vServer)
k1ns-sp-001.keweon.center
45.76.151.221
2001:19f0:4400:4f31::221
UK / London (vServer)
k1ns-lon-001.keweon.center
45.32.183.39
2001:19f0:7402:a61::39
USA / Dallas (vServer)
k1ns-tx-001.keweon.center
45.76.57.41
2001:19f0:6401:9ed::41
USA / New Jersey (vServer)
k1ns-ny-001.keweon.center
45.77.144.132
2001:19f0:5:2962::132
USA / Silicon Valley (vServer)
k1ns-sv-001.keweon.center
45.32.140.26
2001:19f0:ac01:639::26
**************************************************************
**************************************************************
Keweon Root certificate (not required, but will suppress certificate errors):
http://pki.keweon.center
For Windows Systeme (MSI File) The certificate is working for IE, Edge and Chrome Browser.
>> CLICK HERE <<
MSI within a ZIP file:
>> CLICK HERE <<
For Android and iOS devices, also for Firefox and Mozilla Browser:
>> CLICK HERE <<
Certificate within a ZIP file:
>> CLICK HERE <<
For Admins to use it within Active Directory as REG file:
>> CLICK HERE <<
REG within a ZIP file:
>> CLICK HERE <<
If you want to have a "AllInOne Package" use this link please:
>> CLICK HERE <<
(End of Quick Start section)
**************************************************************
**************************************************************
About Keweon:
Keweon comes from the German words "KEine WErbung ONline"--translated to English it means "no advertising online."
Keweon is more than a generic adblock system. Keweon does:
 Advertising Blocking
 Adware Protection
 App Protection
 Bandwidth Protection for Mobile Phones
 Botnets Protection
 Cryptoware Protection
 Fake Online Shop Filter
 Fake Software Protection
 Malware Protection
 Miningware Protection
 Online Worms Protection
 Pharming Protection
 Phishing Protection
 Popup Blocker
 Privacy Protection
 Ransomware Protection
 Remote Keyloggers Protection
 Rogue Security Software Protection
 Spoofing Protection
 Spyware Protection
 Tracing Protection
 Tracking Protection
 Trojan Protection
 Virus Protection
 and a lot of other things
Things Keweon does not do or does not have:
 Acceptible advertising exceptions
 A Malware or virus scanner
 Data collection
Keweon will:
 Save bandwidth. Ads are blocked, not just hidden.
**************************************************************
**************************************************************
Basic instructions:
1. Take the DNS Servers
2. Install the keweon Adblock Root Certificate (recommended, not required)
3. Change your Internet Router or your Mobile Device to use the servers
4. Reboot (Router and PC)
**************************************************************
**************************************************************
Trusted apps for changing DNS on your device:
- Android: https://play.google.com/store/apps/details?id=com.frostnerd.dnschanger
- iOS/Apple: https://itunes.apple.com/us/app/dns-override-set-dns-for-wi-fi-and-cellular/id1060830093
- Chrome OS: Click on wifi icon, click on Network, scroll to Name Servers, and input DNS entries.
- Chrome browser help: https://www.xda-developers.com/fix-dns-ad-blocker-chrome/
**************************************************************
**************************************************************
FAQ:
1) Does my traffic runs trough the keweon System?
Not even one byte from you or your device will flow through my servers. Also the same with HTTPS things. Take a sniffer or wireshark or NirSoft Network Suites and you will be surprised. All HTTPS Ads traffic will be terminated with "0" bytes which will show to you that there is no sniffing or spying from my side.
2) Here are some questions from Telegram users which might be interesting for you.
http://downloads.keweon.center/keweon/keweon_questionnaire.pdf
3) If you have questions - please ask!
**************************************************************
**************************************************************
Contact information:
If you want to send blacklists (things that should be blocked) please send them to: [email protected]
If you want to send whitelists (things that shouldn't be blocked) please send them to: [email protected]
If you open a Website and this site looks kind of strange because of missing CSS & other things, then take the URL, copy to TXT and send this TXT to: [email protected]
Developer email: [email protected] (If you are a Company and if you want to test and use keweonDNS within a business environment I can offer you a faster connection within EMEA.
This is only possible if you have a public static IP Address. Dynamic Addresses are currently not possible for security reasons.)
**************************************************************
**************************************************************
New license terms because of the EU DSGVO/GDRP (25.05.2018):
Business and Corporate usage is not allowed without my written permission.
The usage of keweon within a private and personal environment and all released and public available files of the entire keweon System are subject of the License right of the WTFPL license.
Excluded from this license are all server technologies, the SSL technologies and in addition all source codes which personally belongs to me.
**************************************************************
How to use keweon?
It's very easy:
1. Take the DNS Servers
2. Install the keweon Adblock Root Certificate ( <<< THIS IS ONLY A RECOMMENDATION)
3. Change your Internet Router or your Mobile Device to it
4. Reboot (Router and PC)
5. Done! That's it.
6. See the Internet within a never seen way
In the meantime the keweon AdBlock Root Certificate has more than 4 Millions global downloads. This certificate is not required but for a few websites it is mandatory.
This certificate will only surpress the certificate errors. Not all of them because I'm still working on this.
On iOS Devices just open Safari. With Android use the default Browser and go to http://pki.keweon.center and after 3 sec. the download of the certificate will start. JUST THE DOWNLOAD!! You need to install it by yourself. More facts about the keweon Root Certificate will comming soon on the website.
Test the DNS Servers within this List and choose the one which is the fastest for you:
https://forum.xda-developers.com/android/software-hacking/keweon-privacy-online-security-t3681139#6
How to use it on Android devices:
Use an App of your choice or use this. I also use this app and from my point of view this is the worldwide best App to change the DNS settings on Android devices. No Root Access is required. The developer is from Germany and I have had a good contact to him. The app is free of charge and also free of advertising. The source code for this app is also available on GitHub. If you have troubles with it or want to have additonal features than contact the developer. He would be happy about every feedback.
https://play.google.com/store/apps/details?id=com.frostnerd.dnschanger
How to use it on iOS/Apple devices:
All my iOS Tester using this App. If you have a better one or you are able to translate the Android App to XCode - your welcome.
https://itunes.apple.com/us/app/dns-override-set-dns-for-wi-fi-and-cellular/id1060830093
You are using Chrome and the DNS thing is not working? (thanks a lot @NamitNayan for this info)
Google wants to prevent Adblocking via DNS. Therefore they have enabled an experimental Switch by default to prevent DNS blocking.
Take a look at here if it's not working >>> HERE <<< and fix the problem within seconds.
Technical Details
Public available DNS:
Take a look at this thread:
https://forum.xda-developers.com/showpost.php?p=73985083&postcount=6
Background System:
The current system needs 42 Server (!) in the Background that everything is working.
Actually the entire infrastructure is hosted on 5 different providers.
How does it work?
The entire System works with several Servers. Ubuntu, FreeBSD 11 and my own build Operation System based on UNIX is installed. The entire developement and all source codes are not public available. There is more than 14 yrs of work inside.
Current Blacklist size:
39.585.224 Domains (export to TXT)
Current Virus/Ransomware Blacklist size:
18.853.587 Domains (export to TXT)
Current Blacklist contains:
Tracker, Malware, Spyware, Adware, Advertising, Poison Websites Fake Software (Adobe Flash Updates which is in real Malware/Virus) & a few false/positive Sites.
To cover all HTTPS errors because a lot of Advertising Vendors display and spread this crap via https to the world I have created the keweon Root Certificate. Allmost every Malware and Spyware will be installed via HTTPS. The Root Certificate is only responsible to suppress all https error messages for all this Advertising and poison things.
Which Systems are working and acting with keweon?
The keweon System is tested on almost every Operation System and Devices (iOS, Android, Xbox, Playstation, Samsung TV, etc... ) It's currently running within 3 companies because I know the Admins there. You can use it within you private environment but please DO NOT USE it within a Business environment.
Why I can't use it within a Business environment?
There are 2 reasons for it.
1. I want that the entire system becomes free for private and personal usage and I already have requests from Companies and even from the Public Sector that they are interested about to use the System. As long as there are too many error within the System I don't have the option to sell this as an Business solution. That's the deal.
2. Private for free, Business needs to license it. Of cause, the current system needs to be a bigger and stable system..
Does my traffic runs trough the keweon System?
Not even one byte from you or your device will flows through my servers. Also the same with the HTTPS things. Take a sniffer or wireshark or NirSoft Network Suites and you will be surprised. All HTTPS Ads traffic will be terminated with "0" bytes which will show to you that there is no sniffing or spying from my side.
It would not make any sense that I drop all this crap traffic, blame to the advertising Industrie and I do exactly this things which I want to prevent?
Btw... This fact was also the problem why I have had no success with investors. They want that I enable data sniffing or user sniffing but I would rather throw away the entire system & developement than doing what they want.
I need your help and support
1. Support me with Black and White lists
It’s veryimportant to know that keweonDNS will NEVER (!) do a censorship of the Internet. If you want to have i.e. Facebook blocked via HOSTS file, it’s up to you. But this will never be done via keweonDNS. I have other plans with porn and violence but this is a stage with keweon kidsafe which is currently far, far away.
IMPORTANT:
Any list you want to send to me has to be send as an attachment within an EMail. I will give you a short example for this.
If you have a Raspberry PI and you have a real cute blacklist than copy all the addresses (or URL’s) into a TXT file and send it to me via mail. The same with some important whitelists. Don't care about the size.
Don’t copy the addresses or URL's into Subject or Body of this Mail because this will never arrive. I don’t want to track and check all the mails and for security reasons only attachments will be processed. Please make sure you only send ZIP files that contains the TXT file or send native TXT files. Everything else will be dropped for security reasons. Don’t care about double entries and it doesn’t matters if you send the same TXT file 5 or 10 times again and again.
Websites which contains errors or Whitelist needs to be processed within the same way. Send the TXT or ZiP – that’s it.
If you want to send blacklists please send them to: [email protected]
If you want to send whitelists please send them to: [email protected]
2. Support me with false/positive on keweonDNS
If you open a Site and this site stay blank than copy the URL into a TXT file and send it to me. You do not need to collect them. If you send me 50 or 100 Mails and each of them contains only 1 link or address this doesn't matters.
If you want to send URL’s or Links which are blocked and should be not blocked then send them to: [email protected]
If you open a Website and this site looks some kind of strange because of missing CSS & other pretty Website things than take the URL, copy to TXT and send this TXT to: [email protected]
3. Router Compatibility:
With a lot of SOHO Router it is possible to change the IPv6 and IPv4 default DNS Server Address. But there are are also a lot of Router outside where this is not possible.
If you can provide some instructions and screenshots within a PDF I will release this on the Webpage. I have the experience that the AVM FritzBox sometimes will work and sometimes not. That is related to the fact that the Provider support IPv6 and you are only able to change the IPv4 DNS Server Address. With the tiny tool "FBEDITOR" it should be possible to change also the default IPv6 DNS Server Address on AVM Boxes.
German Telekom Router are also a peace of crap. There you can change nothing except the Password and the WLAN key. The work arround by selecting "Different Provider" (anderer Anbieter) where you can set manualy the DNS Server will not work.
Unfortunately I only have CISCO, LINKSYS and ASUS Hardware running with i.e. DD-WRT. I appreciate if you can help me with creating instructions how to change DNS v4 & v6 settings on your Home/SOHO/Wireless Router. No rush on this because all this instructions will be released on the Website.
Million thanks in advance!
Important Links
Website:
http://www.keweon.de and http://www.keweon.com
Forum (in progress)
http://forum.keweon.com
http://board.keweon.com
http://forum.keweon.de
http://board.keweon.de
App URLs:
Android Apps:
Frostnerd (Daniel's) DNS Changer App​
Frostnerd (Daniel's) DoT and DoH (DNS over TLS and HTTPS) App (under developement)​
iPhone and other iOS devices Apps:
AppStore App - Free of charge DoH changer App​
keweon Root Certificate
http://pki.keweon.center​
For Windows Systeme (MSI File) The certificate is working for IE, Edge, Opera, Chrome which has no own certificate storage.​
MSI within a ZIP file​
For Android and iOS devices, also for Firefox and Mozilla Browser (just visit the site with the Browser)​
Certificate within a ZIP file​
For Admins to use it within Active Directory as REG file​
REG within a ZIP file​
If you want to have a "AllInOne Package" use this link please​
Additional Links
Change DNS Settings on DD-WRT with DNSMASQ within the right way​
How to set Firefox DoH Settings​
keweonDNS for Windows
Download the QuickSetDNS from NIRSOFT and use it on Windows to change your DNS settings.
Currently it's only working with IPv4. Link to NirSoft is HERE
Use the QuickSetDNS config to add all DNS servers and choose your favorite DNS Server. Unzip the file, copy it into the directory where you have extracted the download.
If you have any recommendations about additional links, let me know!
keweonDNS & installation Information
ALL keweonDNS Servers:
Version: DoT Server - DNS over TLS (updated 03/21/2019)
Used Certificate: Let'sEncrypt Certificate
Server Address: dot.asecdns.com
Port: 853 & 443
IP Addresses:
dot.asecdns.com (159.69.48.240 - HETTNER RZ Falkenstein)
dot.asecdns.com (116.203.117.199 - HETTNER RZ Nuernberg)
dot.asecdns.com (95.216.192.253 - HETTNER RZ Helsinki)
dot.asecdns.com (2a01:4f8:1c17:6e44::240 - HETTNER RZ Falkenstein)
dot.asecdns.com (2a01:4f8:c2c:491::199 - HETTNER RZ Nuernberg)
dot.asecdns.com (2a01:4f9:c010:3071::253 - HETTNER RZ Helsinki)
Version: DoH Server - DNS over HTTPS (updated 03/21/2019)
Used Certificate: Let'sEncrypt Certificate
Server Address: doh.asecdns.com/nebulo
Port: 443
IP Addresses:
doh.asecdns.com (159.69.49.250 - HETTNER RZ Falkenstein)
doh.asecdns.com (116.203.126.207 - HETTNER RZ Nuernberg)
doh.asecdns.com (95.216.165.29 - HETTNER RZ Helsinki)
doh.asecdns.com (2a01:4f8:1c17:6fc7::250 - HETTNER RZ Falkenstein)
doh.asecdns.com (2a01:4f8:c2c:e25::207 - HETTNER RZ Nuernberg)
doh.asecdns.com (2a01:4f9:c010:1cbd::29 - HETTNER RZ Helsinki)
Version: keweonDNS v.6.80.280.LL (updated 03/21/2019)
Australia / Sidney: (vServer)
k1ns-au-001.keweon.center
45.76.125.130
2001:19f0:5801:b45::130
France / Paris: (vServer)
k1ns-fr-001.keweon.center
45.77.62.37
2001:19f0:6801:95e::37
Germany / Frankfurt (vServer)
k1ns-de-001.keweon.center
104.207.131.11
2001:19f0:6c01:61f::11
India / Bangalore (vServer)
k1ns-in-001.keweon.center
IPv4: 139.59.33.236
IPv6: 2400:6180:100:d0::30d:5001
Japan / Tokio (vServer)
k1ns-jp-001.keweon.center
45.77.25.72
2001:19f0:7001:22a8::72
Netherland / Amsterdam (vServer)
k1ns-nl-001.keweon.center
45.77.138.206
2001:19f0:5001:d8d::206
Singapore / Singapore: (vServer)
k1ns-sp-001.keweon.center
45.76.151.221
2001:19f0:4400:4f31::221
UK / London (vServer)
k1ns-lon-001.keweon.center
45.32.183.39
2001:19f0:7402:a61::39
USA / Dallas (vServer)
k1ns-tx-001.keweon.center
45.76.57.41
2001:19f0:6401:9ed::41
USA / New Jersey (vServer)
k1ns-ny-001.keweon.center
45.77.144.132
2001:19f0:5:2962::132
USA / Silicon Valley (vServer)
k1ns-sv-001.keweon.center
45.32.140.26
2001:19f0:ac01:639::26
Physical Instance:
Germany / Falkenstein
k1-de-058-fsn.keweon.center (Physical)
176.9.62.58
2a01:4f8:150:8023::58
and
176.9.62.62
2a01:4f8:150:8023::62
DNS Server to use with keweon Adblock Root Certificate:
This Servers block in addition:
- pixel.facebook.com
- Amazon data collection and advertising
- more things which are normally not possible will coming soon step by step
Germany / Nuernberg
k1-de-143-nbg.keweon.center (Physical)
213.239.207.143
2a01:4f8:a0:8487::143
USA / Dallas - Texas
k1-ns2-us02.keweon.center (vServer)
107.191.55.215
2001:19f0:6401:175d::215
(Updated at 21. March 2019)
Works like a charm better than adaway just download a dns app just have to change the dns then your done
Works like a charm. Thank you. Is there any difference between this and using VPN-based adblocking apps? (importing our own blacklists into it)
ninjanmizuki said:
Works like a charm. Thank you. Is there any difference between this and using VPN-based adblocking apps? (importing our own blacklists into it)
Click to expand...
Click to collapse
This should be no Problem. But if you are using with the VPN App a different DNS Server than my system might not longer work. No clue about your VPN & DNS settings.
Please keep in mind, the last DNS Server rules. If you set my DNS Server and than u run a VPN App with a different DNS Server u will "overwrite" my DNS Server settings.
From the blacklist itself that should fit. Haven't had this bevor. ?
Send me PM if you have further questions.
Anyway, thanks a lot.
UPDATE:
The current Infrastructure will be upgraded to 10 GBit (!) DNS Server power and much more faster system.
Please notice that the DNS Server addresses will change during the next weeks.
After this upgrade you can spread the system to all of your friends.
Thanks a lot & more will comming soon on the website
...which is currently still under developement...
MrT69 said:
UPDATE:
The current Infrastructure will be upgraded to 10 GBit (!) DNS Server power and much more faster system.
Please notice that the DNS Server addresses will change during the next weeks.
After this upgrade you can spread the system to all of your friends.
Thanks a lot & more will comming soon on the website
...which is currently still under developement...
Click to expand...
Click to collapse
Working well, but I get 'invalid security certificate' error popup on most pages. Any way to eliminate?
If this URLs are wrong within the blacklist, do me a favor and send them to me to whitelist them.
Copy the URLs from the Browser into a TXT file and send this to. Keep in mind only attachments will arrive. It will help not if you type the addresses or URLs within the mail Body.
[email protected]
Doesn't matters if you send 100 Mails per Day because the will automatically processed during the night.
I'm happy for every wrong listed URL. Million thanks in advance for your feedback.
If this is affecting websites which are not false positive than you need to wait a few days. Currently I'm working to terminate all https crap from the advertising side. But therefore it is a must to have the keweon Root Certificate installed. Right now I need to terminate every https error manually.
It is incredible how many poison sites work with HTTPS so it was a need to develope a different solution than doing this always manually. The server installation is in progress but first I need to finalize the tests. Should be done until next weekend.
Update 1:
Please take a look at the second posting. The first 10Gbit DNS Server is online and working. Yeaaahhhhh!!!
Germany:
10Gbit DNS v4: 89.33.16.222
10Gbit DNS v6: 2a01:367:c1f2::448
Of cause it's a shared 10Gbit - but it's in Germany and damn fast. Next month the second 10Gbit in USA will be online. Installation is already in progress.
Update 2:
Today at 3:00 AM (Germany GMT+1) after the daily reboot procedure the entire HTTPS problem is solved.
If you have the keweon Root Certificate installed EVERY (!) HTTPS error is gone. I was developing this procedure since more than 2 yrs and during the last 3 months I have had no additional problems or errors.
The entire HTTPS crap will be terminated and to make sure that this is done from my site, every "keweon termination" is marked with a specific favicon. Sometimes it happens that a site still has a problem with the HTTPS errors even when everything is working on my site. This happens to HTTPS overlays or HTTPS calls with bad coded Java Scripts. If this error happens that you receive a Banner or Overlay with HTTPS error message than please reload the site and the error will never occurs again.
The problem is related to the programmers of the websites. Sometimes I have the feeling that some of them still use FRONTPAGE to develope websites. Anyway, just reload and that's it.
Now the big question - is this save?
Absolut! I will terminate only the evil traffic and within the tunnel there are no data. Let's assume I will do this with Paypal - what will happens?
When the URL's "PayPal and PayPalObjects" are on my blacklists than it is not possible at all for you to contact the website. Because of this it is also not possible to grab any input from your site because the login to PayPal would be not longer possible. Please feel so free and track the traffic. I even would help to investigate and help you to take a deeper look inside.
How is it possible?
Please understand that this is a very difficult thing to explain and on the other hand everything what I would release here in XDA is also visible to "the dark side" and they might have the option to do strike against this. Of cause, I will release more informations on the website which will be the next thing during the next 2 weeks. Currently 40 Servers within the Background only working for terminate this problem. Yes, this is a raised middlefinger to the entire & global ads industrie and I'm so damn proud of my solution.
Please remember: The keweon Root Certificate is still not required. If you have concerns than it is OK for me if you do not use it. If you would like to have a clean and "https error confirmation free" Internet than you should to install it. The certificate will be available at: http://pki.keweon.center - the download will start after 3 seconds and you need to install it.
Update 3:
This is the cutest news. Since one month a company was testing the solution and with the "Sophos" appliance it was possible to configure it within a way that the local installation of the "keweon Root Certificate" was not longer required.
I guess Sophos will not realy notice me but from today I can say that keweon official supports the "Sophos Appliance". The tutorial is in progress and as soon as this is finished I will release it. I hope I will get more instructions from your side how to mange this with other Systems. (CISCO, Checkpoint, PaloAlto and other heavy firewall and security systems)
I like this concept and want to keep testing. Here's my issue - for some reason, activating design change causes very slow loading speed. Same on WiFi or mobile. I have entries active for ipv4 and ipv6. For ipv4, the first set of numbers in post 2 won't work. Dns changer shows red line in entry field, (bad numbers). So, I'm using the second set, (starts with 51.254...). For ipv6, I'm using the first set. They work fine, but cause it to take 10-20 seconds to load a page. It seems like it gets better the more I browse, but still will take 5-10 seconds to load just about any page, and when I open up dns changer and hit 'stop', it is automatically faster, no more lag.
I wondered at first if it was a conflict with other tweaks and mods, (I have build prop tweaks, and AFWall app, etc), so I undid everything and tried again, but the same. I use Naked Browser almost exclusively, but tested with AOSP browser also, and no different.
Any ideas? Thanks
levone1 said:
I like this concept and want to keep testing. Here's my issue - for some reason, activating design change causes very slow loading speed. Same on WiFi or mobile. I have entries active for ipv4 and ipv6. For ipv4, the first set of numbers in post 2 won't work. Dns changer shows red line in entry field, (bad numbers). So, I'm using the second set, (starts with 51.254...). For ipv6, I'm using the first set. They work fine, but cause it to take 10-20 seconds to load a page. It seems like it gets better the more I browse, but still will take 5-10 seconds to load just about any page, and when I open up dns changer and hit 'stop', it is automatically faster, no more lag.
I wondered at first if it was a conflict with other tweaks and mods, (I have build prop tweaks, and AFWall app, etc), so I undid everything and tried again, but the same. I use Naked Browser almost exclusively, but tested with AOSP browser also, and no different.
Any ideas? Thanks
Click to expand...
Click to collapse
Thanks a lot for the feedback.
The problem is related to the latency of my current VPS. That was one of the main reason why I would need to find an Investor. The entire system needs to be run from a physical Host but this will need an Invest for 200.000 Euro per year. 20 GBit Server located within 16 Countries world wide. Would be so cute but they wanted that I collect data from users to sell this. I guess you can imagine what my answers was to this stupid idea.
Anyway... I guess I have an idea. First at all, which county/city you are located? If you don't want to make this public send me a short PM.
Thanks a lot for your support. I'm pretty sure I will find a solution ?
Btw... Anyone else with this problem? Send a short PM with your Country/City.
Thank you very much, it works very well.
I do have a small delay from 5 up to 15 seconds on an initial connection but after the webpage is loaded there is no more delay and often faster than without the dns.
For me its not a big issue, I did pm you with my country and city in case it may be if help for you.
MILLION TIMES THANKS TO ALL OF YOU
FOR YOUR SUPPORT & TRUST INTO KEWEON​
Today I received the first f/p blacklist settings and this will be in place tomorrow morning 03:00 AM GMT +1 (German Time). Good to see that the system is in use.
With the help and testing from a view users it seems the current DNS Servers are to slow. I will change the public front end infrastructure. I will anounce this bevore to prevent interruption.
But keep in mind!
I'M NOT GOOGLE OR ANY OTHER DNS PROVIDER WITH A BILLION EURO BUDGET!
Unfortunately I don't have the money to do what I want but I guess this is anyway the best solution which is currently available. I need to host everything on VPS which is from the technical point of view not the best solution because of a high latency. I'm working on this, still think about Investor or Crowdfunding or anthing like this. But first at all I want to have a usable system and a pretty website in place.
That will finally mean that the launch of the website is still in progress - sorry folks - but I guess it is more important that the system will be fast as possible and stable.
OFFER:
If someone of you is interested to take over the responsiblity/administration of the keweon forum - let me know. I'm fine with nearly 8 programming languages but this phpBB3 Board drives me crazy. This is not my world. I appreciate every help and support. My english is not longer the best and my wife would kill me if I would do this also because the technical support of the system needs already a lot of time.
Contact me via PM if you are interested.
MILLION TIMES THANKS AGAIN!​
New & faster Servers are online. Feel so free to use it, test it, share it to your friends and wherever you want.
Click here for current DNS Server List
Please test each of the server. Someone from US reportet that UK and NL DNS Server has a damn good performance within USA.
If someone of you have contact to ASIA please let me know what's about the Japan DNS Server.
@Rom DEVS
If you are interested to add the keweon Certificate by default to your ROM you're welcome.
This has the advantage that there is no need to assign a PIN to the device if you place the Certificate by default into the Certificate Store.
Btw, the website is already in progress and I hope you will visit it when it's done.
Really excited about this.
Looking into ways to change the dns on Android with root access, any ideas?
bond32 said:
Really excited about this.
Looking into ways to change the dns on Android with root access, any ideas?
Click to expand...
Click to collapse
Use this App. No Root required. The app is a fake VPN App.
This will mean it will also work in 3G/LTE Mode and it's Open Source available at Git Hub.
Not my App. But I also use this outside.
https://play.google.com/store/apps/details?id=com.frostnerd.dnschanger
Enjoy it!

Framework discussion

Hi all,
As part of a class I'm doing, we are required to post some content to a forum to engage in discussion on security:
.
Cross Site Scripting (XSS)
OWAPS describes Cross Site Scripting (XSS) where a website has been marked as a trusted website, which for some reason, can run malicious code or scripts through inputs such as forms. As the end user’s browser sees this site as trusted, it allows the malicious script or code to execute, which can give access to client side information before it is encrypted (such as usernames, passwords, session IDs, cookies, etc).
In PHP for example, a normal input box where a user would enter their name, would be able to enter the following:
When PHP prints this back out after submission, it will execute the script between the script tags (In this case, just a simple popup).
In this scenario, this can be solved by wrapping the input value with htmlentities:
This would print any script as literal text rather then executing it.
In Java,
XSS is still a major issue, both due to some sites not implementing simple work around such as htmlentities or htmlspecialchars, or for reasons where these cant be used. XSS affects PHP applications by as much as 86% - its PHPs biggest vulnerability.
In Java, the easiest method is to simply validate inputs and to encode special characters (<>[email protected]#$%^&*). Alternativley, OWASP have a XSS class which includes easy methods to best prevent against certain types of XSS.
Code Injection
Code injection is where using the sites scripting language, you can inject (rather, have the site pull) code from somewhere else.
For example, php can call one of its own pages like so:
however, if we replace the contact.php page with an external hosted script:
This will cause the enduser to execute that script. This all comes down to PHP validation which is coded within the PHP to ensure only valid respsonses are accepted.
This is unlike command injection. Command Injection is an attack which is designed to execute commands on the PHP hosted system (server). This can be done where most parameters are passed (headers, input boxes, etc) and will typically display any output on the returned webpage.
For example, to return a password for a certain user, you could use a command like:
Typically, to prevent such commands from executing, a whitelist of command can be made, whereby only those listed are allowed to be executed on the server. Alternativly, it is recommend where the application needs to invoke system side commands, to do this through local python scripts, rather then PHP calling the commands.
CRLF injection
CRLF injection comes from the elements CR (Carriage Return) and LF (Line Feed) – together (CRLF) this denotes a new line (done simply by pressing the enter button). If a website for example, allows you to upload a file, an attacker may name this file as follows:
This would result in a system command being carried out to delete everything in the /bin folder.
It also allows an attacker to write to the log file, by creating it own new line. If the logs are configured in such a way that they will email out any WARNINGS or ERRORS, an attacker may add these to a new log line repetitively, backing up the email and bandwidth.
The simple way around this is for JAVA to sanitise any input strings, either through substituting known commands, or through methods such as
SQL Injection
.NET SQL Injection allows an authorised SQL command to be sent to the SQL server and executed.
An SQL string may be built using inputs from a form. A possible example of this is:
Code:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'formemail';
where the red is the text from an input field.
However, we can modify this string which can allow some malicious stuff to happen:
Code:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'formemail'; DROP DATABASE members --';
Adding the red text to the email input box, would allow us to delete the whole table, or alternatively insert a new record into a table, or possible delete records, modify records (change passwords), or even delete whole tables.
To prevent this, you can limit the damage an SQL injection can do you using proper database permissions (deleting records, tables, etc), and to also use good sanitisation – look for -- or ; in any field and invalidate the data if it has these characters.
Directory Traversal
Directory traversal can also be referred to as a “dot dot slash” attack.
In php, a resource (page) can be called as follows:
However, it may be possible to get other files, not even part of the web directory using the following examples:
The easiest way to prevent this is to assign proper permission on the server itself. However, many web developers do not own the server, therefore, another layer of protection is fully qualify the file path, with the root being where the webpage sits.
Connection String Injection
Also known as connection string pollution, it is possible for an attacker to inject parameters into a connection string to a database. Typically a connection string is built by delimiting each value with a comma. In an injection attack, strings can be built using semi colons as a delimiter.
A typical connection string to a windows SQL server may look like the following:
Code:
Data source = SQL2005; initial catalog = db1; integrated security=no; user id=+’User_Value’+; Password=+’Password_Value’+;
However, if an attacker places a rouge windows SQL server on the internet, and then uses a connection string like follows:
Code:
Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Rogue Server; Password=; Integrated Security=true;
This allows the target windows SQL server to connect to the rouge server using its own Windows credentials, exposing much data.
Backdoors
Backdoors can be common within applications and web applications and can occur across many types of frameworks, however, it’s the security around the knowledge of backdoors, and what they allow, which can be of concern. All modems, routers and some managed network infrastructure have administrator usernames and passwords. However, sometimes, the network vendor (CISCO, NETGEAR, etc) or ISP may choose to put a backdoor access onto these devices. This may be in case a user forgets their administrator credentials, for automatic firmware updates, or for remote troubleshooting. Some of these backdoors may allow for more settings then what is normally shown to an end user.
For example, some older Optus supplied modems had the hidden user: Admin, and a password of: Y3S0ptus. This was standard across thousands of supplied modems. The problem was, the end user had no way of changing the default setting for remote web access from Enabled to Disabled, which meant anyone that knew of their IP address or domain name, could now remote access their modem router, add port redirects, and now connect to devices within their LAN.
In the case of ISP provided modems, it might be safer to simply by something else, not supplied by the ISP.

Categories

Resources